Aiaag Oracle Fusion Middleware Administrator Guide For Access Management 11.1.2.3

User Manual:

Open the PDF directly: View PDF PDF.
Page Count: 1662

DownloadAiaag Oracle Fusion Middleware - Administrator Guide For Access Management 11.1.2.3
Open PDF In BrowserView PDF
[1]
Oracle®
Fusion Middleware

Administrator's Guide for Oracle Access Management
11g Release 2 (11.1.2.3) for All Platforms
E54424-04

September 2015

Oracle Fusion Middleware Administrator's Guide for Oracle Access Management, 11g Release 2 (11.1.2.3) for
All Platforms
E54424-04
Copyright © 2000, 2015 Oracle and/or its affiliates. All rights reserved.
Primary Author:

Michael Teger

Contributing Author:

Vinaye Misra, Kevin Kessler, Cathy Tenga, Serge Pomorski

Contributor: Vadim Lander, Vamsi Motokuru, Damien Carru, Peter Povinec, Weifang Xie, Satish
Madawand, Neelima Jadhav, Charles Wesley, Harshal X Shaw, Jeremy Banford, Rey Ong, Ramana Turlapati,
Deepak Ramakrishnan, David Goldsmith, Vishal Parashar, Carlos Subi, Patricia Fuzesy
This software and related documentation are provided under a license agreement containing restrictions on
use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your
license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,
transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse
engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is
prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If
you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it
on behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software,
any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users
are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and
agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and
adaptation of the programs, including any operating system, integrated software, any programs installed on
the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to
the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management
applications. It is not developed or intended for use in any inherently dangerous applications, including
applications that may create a risk of personal injury. If you use this software or hardware in dangerous
applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other
measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages
caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of
their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks
are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD,
Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced
Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content,
products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and
expressly disclaim all warranties of any kind with respect to third-party content, products, and services
unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its
affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of
third-party content, products, or services, except as set forth in an applicable agreement between you and
Oracle.

Content
Preface ............................................................................................................................................................... lvii
What's New in This Guide? .................................................................................................................... lix
Part I

Introduction to Oracle Access Management

1 Introducing Oracle Access Management
1.1
1.2
1.2.1
1.2.2
1.3
1.3.1
1.3.2
1.4
1.5
1.5.1
1.5.2
1.5.3

Understanding Oracle Access Management Services ........................................................... 1-1
Understanding Oracle Access Management Access Manager ............................................. 1-3
About Components in Access Manager ........................................................................... 1-4
Understanding Access Manager Deployments............................................................... 1-5
About Access Manager 11.1.2.3.0 ............................................................................................. 1-7
About the Features Of Access Manager 11.1.2.3.0 .......................................................... 1-7
About Features Not In Access Manager 11.1.2.3.0.......................................................... 1-9
About System Requirements and Certification ...................................................................... 1-9
Understanding Oracle Access Management Installation................................................... 1-10
About Oracle Access Management Installation .......................................................... 1-10
About Oracle Access Management and WebGates ..................................................... 1-10
About Oracle Access Management Post-Installation Tasks ....................................... 1-10

2 Getting Started with Oracle Access Management
2.1
2.1.1
2.1.2
2.1.3
2.2
2.3
2.4
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.5
2.5.1

Starting and Stopping Servers in Your Deployment .............................................................
Starting Node Manager.......................................................................................................
Starting and Stopping WebLogic AdminServer..............................................................
Starting and Stopping Managed WebLogic Servers and Access Manager Servers ...
About Oracle Access Management Administrators ..............................................................
About the Oracle Access Management Console and the Policy Manager Console ..........
Understanding the Oracle Access Management Console.....................................................
About the System Launch Pad...........................................................................................
Accessing the Access Manager Launch Pad ....................................................................
Accessing the Agents Launch Pad ....................................................................................
Accessing the Help Desk Launch Pad ..............................................................................
Accessing the Self Service Launch Pad.............................................................................
Logging Into the Oracle Access Management Console.........................................................
Logging Into The Oracle Access Management Console ................................................

2-1
2-1
2-2
2-2
2-3
2-4
2-5
2-5
2-6
2-6
2-7
2-7
2-7
2-8

iii

2.5.2
2.6
2.6.1
2.6.2
2.6.3
2.7
2.8
2.9
2.9.1
2.9.2
2.9.3

Logging Into the Secure Oracle Access Management Console (HTTPS) .................... 2-8
Using the Oracle Access Management Console ..................................................................... 2-9
Signing Out........................................................................................................................... 2-9
Accessing Online Help..................................................................................................... 2-10
Conducting A Search ....................................................................................................... 2-10
Configuring with the Command-Line Tools ....................................................................... 2-11
Logging, Auditing, Reporting and Monitoring Performance ........................................... 2-11
Configuring Oracle Access Management Login Options .................................................. 2-12
Administering the Forgot Password URL .................................................................... 2-12
Choosing a User Login Language .................................................................................. 2-13
Understanding Persistent Login..................................................................................... 2-16

Part II Managing Common and System Configurations
3 Managing Common Services and Certificate Validation
3.1
3.2
3.3
3.3.1
3.3.2
3.4
3.4.1
3.4.2
3.4.3
3.4.4

Configuring Oracle Access Management................................................................................ 3-1
Enabling or Disabling Available Services ............................................................................... 3-3
Managing Common Settings..................................................................................................... 3-5
Managing Common Settings ............................................................................................. 3-6
Viewing Common Coherence Settings............................................................................. 3-7
Managing Certificate Validation and Revocation .................................................................. 3-7
Enabling the Certificate Revocation List Functionality.................................................. 3-8
Enabling OCSP Certificate Validation ............................................................................. 3-9
Enabling CRL Distribution Point Extensions .................................................................. 3-9
Additional OCSP Configurations................................................................................... 3-10

4 Delegating Administration
4.1
4.2
4.3
4.4
4.5
4.6

Understanding Administrator Roles........................................................................................
Delegating the Identity Store ....................................................................................................
Assigning Roles Using the Administration Console .............................................................
Using the Container Security Framework and MBeans........................................................
Using the Remote Registration Utility .....................................................................................
Auditing Reports.........................................................................................................................

4-1
4-2
4-3
4-3
4-4
4-4

5 Managing Data Sources
5.1
5.1.1
5.1.2
5.2
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7

iv

About the Data Sources ............................................................................................................. 5-1
About the oam-config.xml Configuration Data File....................................................... 5-3
About the Default LDAP Group........................................................................................ 5-4
Registering and Managing User Identity Stores ................................................................... 5-4
Understanding User Identity Stores ................................................................................. 5-4
Using the System Store for User Identities ...................................................................... 5-5
Using Multiple Identity Stores........................................................................................... 5-6
Defining the User Identity Store Registration Settings .................................................. 5-8
Registering a New User Identity Store .......................................................................... 5-12
Viewing or Editing a User Identity Store Registration ............................................... 5-13
Deleting a User Identity Store Registration .................................................................. 5-14

5.3
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.4
5.4.1
5.4.2
5.5
5.5.1
5.5.2
5.5.3
5.6
5.6.1
5.6.2
5.6.3
5.7

Managing the Identity Directory Service User Identity Stores .........................................
Using Identity Directory Services ..................................................................................
Creating an Identity Directory Service Profile .............................................................
Editing or Deleting an Identity Directory Service Profile...........................................
Creating a Form-fill Application Identity Directory Service Profile .........................
Understanding the Pre-Configured Identity Directory Service Profile....................
Creating an Identity Directory Service Repository......................................................
Understanding Administrator Roles.....................................................................................
Adding Administrator Roles...........................................................................................
Managing Administrator Roles ......................................................................................
Managing the Policy and Session Database ........................................................................
About the Database Store for Policy, Password Management, and Sessions ..........
About Database Deployment..........................................................................................
Configuring a Separate Database for Access Manager Sessions ...............................
Introduction to Oracle Access Management Keystores .....................................................
About Access Manager Security Keys and the Embedded Java Keystore ...............
About Access Manager Keystores..................................................................................
About Identity Federation Keystore ..............................................................................
Integrating a Supported LDAP Directory with Oracle Access Manager ........................

5-14
5-15
5-17
5-21
5-24
5-25
5-25
5-26
5-27
5-27
5-29
5-29
5-29
5-30
5-31
5-31
5-32
5-34
5-34

6 Managing Server Registration
6.1
6.2
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.3
6.3.1
6.3.2
6.3.3
6.3.4

Part III

Before You Register ....................................................................................................................
Understanding OAM Server Registration and Management...............................................
About Individual OAM Server Registrations .................................................................
About the Embedded Proxy Server and Backward Compatibility ..............................
About 11g SSO, Legacy 10g SSO in Combination with OSSO 10g...............................
About Communication Between OAM Servers and WebGates ...................................
About Restarting Servers After Configuration Changes ...............................................
Managing Individual OAM Server Registrations .................................................................
About the OAM Server Registration Page ......................................................................
Registering a Fresh OAM Server Instance .......................................................................
Viewing or Editing Individual OAM Server Registrations and Proxy Settings ........
Deleting an Individual Server Registration .....................................................................

6-1
6-1
6-2
6-3
6-3
6-4
6-4
6-5
6-5
6-8
6-9
6-9

Logging, Auditing, Reporting and Monitoring Performance

7 Logging Component Event Messages
7.1
7.2
7.2.1
7.2.2
7.2.3
7.3
7.3.1
7.3.2
7.4

About Oracle Access Management Logging...........................................................................
Logging Component Event Messages .....................................................................................
About Component Loggers................................................................................................
Sample Logger and Log Handler Definition ...................................................................
About Logging Levels.........................................................................................................
Configuring Logging for Access Manager .............................................................................
Modifying the Logger Level for Access Manager...........................................................
Adding an Access Manager-Specific Logger and Log Handler ...................................
Configuring Logging for Security Token Service and Identity Federation........................

7-1
7-1
7-3
7-4
7-5
7-5
7-6
7-7
7-8

v

7.4.1
7.4.2
7.5
7.6
7.7

Configuring Logging for Security Token Service or Identity Federation ................... 7-9
Defining Log Level and Log Details for Security Token Service or Identity Federation ..
7-10
About Mobile and Social Logging ......................................................................................... 7-11
Understanding Logging for the Access Portal Service....................................................... 7-11
Validating Run-time Event Logging Configuration ........................................................... 7-11

8 Auditing Administrative and Run-time Events
8.1
8.2
8.2.1
8.2.2
8.2.3
8.2.4
8.3
8.3.1
8.3.2
8.3.3
8.4
8.4.1
8.4.2
8.5
8.5.1
8.5.2
8.5.3
8.5.4
8.6
8.6.1
8.6.2
8.6.3
8.7
8.7.1
8.7.2
8.7.3
8.7.4
8.8

Introduction to Oracle Fusion Middleware Auditing ........................................................... 8-1
Understanding Oracle Access Management Auditing ......................................................... 8-2
About Oracle Access Management Auditing Configuration ....................................... 8-2
About Audit Record Storage.............................................................................................. 8-3
About Audit Reports and Oracle Business Intelligence Publisher............................... 8-4
About the Audit Log and Data .......................................................................................... 8-5
Access Manager Events You Can Audit.................................................................................. 8-6
Access Manager Administrative Events You Can Audit............................................... 8-6
Access Manager Run-time Events You Can Audit ......................................................... 8-8
Auditing Authentication Events..................................................................................... 8-11
Mobile and Social Events You Can Audit ............................................................................ 8-11
REST Run-Time Audit Events ........................................................................................ 8-11
Mobile and Social Audit Events ..................................................................................... 8-12
Identity Federation Events You Can Audit.......................................................................... 8-14
Session Management Events for Identity Federation.................................................. 8-14
Protocol Flow Events for Identity Federation .............................................................. 8-15
Server Configuration Events for Identity Federation.................................................. 8-15
Security Events for Identity Federation......................................................................... 8-16
Security Token Service Events You Can Audit ................................................................... 8-16
About Audit Record Content Common to All Events ................................................ 8-17
Security Token Service Administrative Events You Can Audit ................................ 8-17
Security Token Service Run-time Events You Can Audit........................................... 8-19
Setting Up Auditing for Oracle Access Management ........................................................ 8-20
Setting Up the Audit Database Store ............................................................................. 8-21
Preparing Oracle Business Intelligence Publisher EE ................................................. 8-21
Using the Oracle Access Management Console for Audit Configuration .............. 8-22
Adding, Viewing, or Editing Audit Settings ............................................................... 8-24
Validating Auditing and Reports ......................................................................................... 8-25

9 Logging WebGate Event Messages
9.1
9.1.1
9.1.2
9.2
9.2.1
9.2.2
9.3
9.4
9.4.1
vi

About Logging, Log Levels, and Log Output......................................................................... 9-1
About Log Levels................................................................................................................. 9-2
About Log Output ............................................................................................................... 9-3
About Log Configuration File Paths and Contents ............................................................... 9-4
Log Configuration File Paths and Names ........................................................................ 9-4
Log Configuration File Contents ....................................................................................... 9-5
About Directing Log Output to a File or the System File ..................................................... 9-9
Structure and Parameters of the Log Configuration File ................................................... 9-10
About The Log Configuration File Header................................................................... 9-11

9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.5
9.5.1
9.6
9.6.1
9.6.2
9.7
9.7.1
9.7.2
9.8

About The Initial Compound List ..................................................................................
About The Simple List and Logging Threshold...........................................................
About The Second Compound List and Log Handlers...............................................
About The List for Per-Module Logging.......................................................................
About The Filter List ........................................................................................................
About XML Element Order.............................................................................................
About Activating and Suppressing Logging Levels...........................................................
About Log Handler Precedence .....................................................................................
Understanding the Mandatory Log-Handler Configuration Parameters .......................
Settings in the Default Log Configuration File ............................................................
Description of the Settings in the Default Log Configuration File ............................
Configuring Different Threshold Levels for Different Types of Data..............................
About the MODULE_CONFIG Section.........................................................................
Configuring a Log Level Threshold for a Function or Module .................................
Filtering Sensitive Attributes..................................................................................................

9-11
9-11
9-13
9-14
9-14
9-15
9-16
9-16
9-17
9-18
9-20
9-22
9-22
9-25
9-26

10 Reporting
10.1
10.2
10.3
10.4
10.4.1
10.4.2
10.4.3
10.5

About the Reports ....................................................................................................................
Accessing Oracle Access Management Reports ..................................................................
Supported Output Formats ....................................................................................................
Reports for Access Manager...................................................................................................
Account Management Reports .......................................................................................
Authentication Reports....................................................................................................
Errors and Exceptions ......................................................................................................
Creating Reports Using Third-Party Software ....................................................................

10-1
10-2
10-2
10-3
10-3
10-3
10-4
10-6

11 Monitoring Performance and Health
11.1
11.2
11.2.1
11.2.2
11.3
11.3.1
11.3.2
11.4
11.4.1
11.4.2
11.5
11.5.1
11.5.2
11.5.3
11.6
11.6.1
11.6.2

Introduction to Performance Monitoring.............................................................................
Monitoring Server Metrics Using Oracle Access Management Console .........................
Monitoring Server Instance Performance .....................................................................
Reviewing Server Metrics................................................................................................
Monitoring SSO Agent Metrics Using Oracle Access Management Console .................
Reviewing WebGate Metrics ..........................................................................................
Reviewing OSSO Agent Metrics.....................................................................................
Introduction to OAM Proxy Metrics and Tuning .............................................................
About OAM Proxy Metrics ...........................................................................................
OAM Proxy Server Tuning Parameters.......................................................................
Monitoring Metrics Using the DMS Console ....................................................................
Monitoring OAM Metrics..............................................................................................
Monitoring Coherence Caches......................................................................................
Monitoring OpenSSO Proxy Metrics ...........................................................................
Monitoring the Health of an Access Manager Server.......................................................
Understanding WebGate and Access Manager Communications ..........................
Monitoring Access Manager Server Health................................................................

11-1
11-2
11-2
11-2
11-6
11-6
11-8
11-10
11-10
11-10
11-11
11-11
11-12
11-12
11-14
11-15
11-15

vii

12 Monitoring Performance and Logs with Fusion Middleware Control
12.1
12.2
12.2.1
12.2.2
12.3
12.3.1
12.3.2
12.3.3
12.4
12.4.1
12.4.2
12.4.3
12.4.4
12.5
12.5.1
12.5.2
12.6
12.6.1
12.6.2
12.7
12.7.1
12.7.2
12.8
12.8.1
12.8.2

Introduction to Fusion Middleware Control ......................................................................
Logging In to and Out of Fusion Middleware Control ......................................................
Logging In To Fusion Middleware Control..................................................................
Logging Out of Fusion Middleware Control................................................................
Displaying Menus and Pages in Fusion Middleware Control .........................................
About the Farm Page in Fusion Middleware Control.................................................
About Context Menus and Pages in Fusion Middleware Control ............................
Displaying Context Menus and Target Details in Fusion Middleware Control .....
Viewing Performance in Fusion Middleware Control .......................................................
About Performance Overview Pages in Fusion Middleware Control .....................
About the Metrics Palette and the Performance Summary Page ............................
Displaying Performance Metrics in Fusion Middleware Control ...........................
Displaying Component-Specific Performance Details ..............................................
Managing Log Level Changes in Fusion Middleware Control.......................................
About Dynamic Log Level Changes ............................................................................
Setting Log Levels Dynamically Using Fusion Middleware Control .....................
Managing Log File Configuration from Fusion Middleware Control ...........................
About Log File Configuration.......................................................................................
Managing Log Files with Fusion Middleware Control.............................................
Viewing Log Messages in Fusion Middleware Control...................................................
About Finding, Viewing, and Exporting Log Messages ...........................................
Viewing Logged Messages With Fusion Middleware Control................................
Displaying MBeans in Fusion Middleware Control .........................................................
About the System MBean Browser...............................................................................
Managing Mbeans ..........................................................................................................

12-1
12-2
12-3
12-3
12-3
12-3
12-5
12-7
12-8
12-9
12-15
12-17
12-19
12-19
12-20
12-24
12-24
12-24
12-27
12-28
12-28
12-32
12-33
12-34
12-36

Part IV Managing Access Manager Settings and Agents
13 Configuring Access Manager Settings
13.1
13.2
13.2.1
13.2.2
13.3
13.3.1
13.3.2
13.4
13.4.1
13.4.2
13.5
13.5.1
13.5.2
13.5.3
13.5.4
13.5.5

viii

Oracle Access Management Overview .................................................................................
Managing Load Balancing .....................................................................................................
About Common Load Balancing Settings ....................................................................
Managing OAM Server Load Balancing Settings ........................................................
Managing Secure Error Modes .............................................................................................
About OAM Server Error Modes ...................................................................................
Managing OAM Server Secure Error Modes................................................................
Managing SSO Tokens and IP Validation ............................................................................
About Access Manager SSO Tokens and IP Validation Settings ...............................
Managing SSO Tokens and IP Validation.....................................................................
Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security ..........
About Simple and Cert Mode Transport Security .......................................................
About the Common OAM Proxy Page for Secure Server Communications ...........
Viewing or Editing Simple or Cert Settings for OAM Proxy ....................................
Configuring 64-bit WebGate in Cert Mode...................................................................
Tuning the Simple Mode WebGate................................................................................

13-1
13-1
13-1
13-2
13-3
13-3
13-5
13-5
13-5
13-6
13-6
13-7
13-8
13-8
13-9
13-9

13.6
Managing Run Time Policy Evaluation Caches .................................................................. 13-9
13.6.1
About Run Time Policy Evaluation Caches.................................................................. 13-9
13.6.2
Managing Run Time Policy Evaluation Caches ......................................................... 13-10

14 Introduction to Agents and Registration
14.1
Introduction to Policy Enforcement Agents ........................................................................ 14-1
14.1.1
About Agent Types and Runtime Processing ........................................................... 14-1
14.1.2
About 11g WebGate Configured as a Detached Credential Collector...................... 14-4
14.1.3
About 11g WebGate Functionality for Mobile and Social ......................................... 14-5
14.1.4
About the Pre-Registered 10g WebGate IAMSuiteAgent .......................................... 14-5
14.2
Introduction to Agent Registration ....................................................................................... 14-5
14.2.1
About Agent Registration, Keys, and Policies ............................................................. 14-6
14.2.2
About File System Changes and Artifacts for Registered Agents ............................. 14-7
14.3
Introduction to Remote Registration..................................................................................... 14-8
14.3.1
Performing In-Band Remote Registration .................................................................... 14-8
14.3.2
Performing Out-of-Band Remote Registration ............................................................ 14-9
14.3.3
Updating Agent Configuration Files ........................................................................... 14-10

15 Registering and Managing OAM 11g Agents
15.1
15.2
15.2.1
15.2.2
15.2.3
15.3
15.4
15.4.1
15.4.2
15.4.3
15.4.4
15.5
15.5.1
15.5.2
15.5.3
15.6
15.6.1
15.7
15.7.1
15.7.2
15.7.3
15.7.4
15.8
15.8.1
15.8.2
15.9

Before Registering and Managing Agents............................................................................ 15-1
Understanding OAM Agent Registration Parameters in the Console............................. 15-2
About Create OAM WebGate Page and Parameters................................................... 15-2
About User-Defined WebGate Parameters................................................................... 15-5
About IP Address Validation for WebGates............................................................... 15-10
Registering an OAM Agent Using the Console................................................................. 15-13
Configuring and Managing Registered OAM Agents Using the Console .................... 15-14
Understanding Registered OAM Agent Configuration Parameters in the Console .........
15-14
Searching for an OAM Agent Registration ................................................................. 15-20
Viewing or Editing an OAM Agent Registration Page in the Console................... 15-22
Deleting OAM Agent Registration Using the Console ............................................. 15-23
Understanding the Remote Registration Tool, Modes, and Process .............................. 15-24
About Remote Registration Command Arguments and Modes ............................. 15-25
Common Elements within Remote Registration Request Templates ..................... 15-26
About Key Use, Generation, Provisioning, and Storage........................................... 15-27
Understanding Remote Registration Templates: OAM Agents...................................... 15-29
OAM Agent Parameters for Remote Registration ..................................................... 15-29
Performing Remote Registration for OAM Agents .......................................................... 15-32
Acquiring and Setting Up the Remote Registration Tool ........................................ 15-33
Creating Your Remote Registration Request.............................................................. 15-34
Performing In-Band Remote Registration .................................................................. 15-34
Performing Out-of-Band Remote Registration .......................................................... 15-35
Introduction to Updating Agents Remotely ...................................................................... 15-37
About Remote Agent Update Modes ......................................................................... 15-37
About Remote 11g OAM Agent Updates Template.................................................. 15-37
Updating Agents Remotely ................................................................................................. 15-38

ix

15.9.1
Updating Agent Registrations Remotely ....................................................................
15.9.2
Validating an Agent Registration Remotely ...............................................................
15.9.3
Removing an Agent Registration Remotely ...............................................................
15.10 Validating Remote Registration and Resource Protection...............................................
15.10.1
Validating Agent Registration using the Oracle Access Management Console....
15.10.2
Verifying Authentication and Access After Remote Registration ..........................
15.11 Replacing the IAMSuiteAgent with an 11g WebGate ......................................................
15.11.1
Registering a Replacement 11g WebGate for IAMSuiteAgent ................................
15.11.2
Installing the Replacement 11g WebGate for IAMSuiteAgent ................................
15.11.3
Updating the WebLogic Server Plug-in Configuration ............................................
15.11.4
Confirming the AutoLogin Host Identifier for an OAM / OIM Integration.........
15.11.5
Configuring OAM Security Providers for WebLogic................................................
15.11.6
Disabling IAMSuiteAgent .............................................................................................
15.11.7
Verifying the Webgate Configuration .........................................................................
15.12 Managing the Preferred Host in 10g WebGates................................................................

15-38
15-39
15-39
15-40
15-40
15-40
15-42
15-43
15-45
15-45
15-46
15-46
15-50
15-51
15-51

setAllowEmptyHostIdentifier.............................................................................................. 15-53

16 Maintaining Access Manager Sessions
16.1
16.2
16.2.1
16.2.2
16.2.3
16.3
16.3.1
16.3.2
16.4
16.4.1
16.4.2
16.4.3
16.4.4
16.5
16.5.1
16.5.2
16.6
16.7
16.8
16.8.1
16.8.2

Introducing Access Manager Session Management ...........................................................
Understanding Server-Side Session Management..............................................................
Securing Access Manager Sessions ................................................................................
Understanding the Access Manager Session Lifecycle, States, and Enforcement...
Access Manager Sessions and the Role of Oracle Coherence.....................................
Server-Side Session Enforcement Examples ........................................................................
Example 1: Single Authentication Scheme....................................................................
Example 2: Multiple Authentication Schemes..............................................................
Configuring the Server-Side Session Lifecycle ...................................................................
About Global Session Lifecycle Settings .......................................................................
About Application-Specific Session Overrides ..........................................................
Viewing or Modifying Global Session Settings..........................................................
Viewing or Modifying Optional Application-Specific Session Overrides .............
Managing Active Server-Side Sessions...............................................................................
About the Session Management Pages........................................................................
Locating and Managing Active Sessions.....................................................................
Validating Server-Side Session Operations........................................................................
Understanding Client-Side Session Management.............................................................
Using WLST To Configure Session Management .............................................................
displaySSOSessionType.................................................................................................
configSSOSessionType...................................................................................................

16-1
16-2
16-2
16-3
16-6
16-7
16-7
16-7
16-8
16-9
16-10
16-11
16-11
16-12
16-12
16-14
16-15
16-16
16-16
16-16
16-16

Part V Implementing Multi-Data Centers
17 Understanding Multi-Data Centers
17.1
Introducing the Multi-Data Center ....................................................................................... 17-1
17.1.1
Understanding Cookies for Multi-Data Center............................................................ 17-3
17.1.2
Understanding Session Adoption During Authorization .......................................... 17-4

x

17.1.3
Understanding Session Indexing ................................................................................... 17-5
17.1.4
Supported Multi-Data Center Topologies..................................................................... 17-5
17.2
Understanding Multi-Data Center Deployments ............................................................... 17-7
17.2.1
Understanding Session Adoption Without Re-authentication, Session Invalidation or
Session Data Retrieval 17-8
17.2.2
Understanding Session Adoption Without Re-authentication But With Session
Invalidation & Session Data Retrieval 17-9
17.2.3
Understanding Session Adoption Without Re-authentication & Session Invalidation
But With On-demand Session Data Retrieval 17-10
17.2.4
Understanding Authentication & Authorization Requests Served By Different Data
Centers 17-10
17.2.5
Understanding Logout and Session Invalidation ...................................................... 17-12
17.2.6
Understanding Stretch Cluster Deployments ............................................................ 17-13
17.3
Deploying Active-Active Multi-Data Center Topology ................................................... 17-14
17.4
Load Balancing Between Access Management Components.......................................... 17-16
17.5
Understanding Time Outs and Session Syncs ................................................................... 17-18
17.5.1
Ensuring Maximum Session Constraints .................................................................... 17-18
17.5.2
Configuring Policies for Idle Timeout ......................................................................... 17-18
17.5.3
Expiring Multi-Data Center Sessions........................................................................... 17-19
17.5.4
Synchronizing Sessions and Multi-Data Center Fail Over ....................................... 17-19
17.6
Replicating a Multi-Data Center Environment.................................................................. 17-22
17.6.1
Replicating Data Using the WLST................................................................................ 17-22
17.6.2
Syncing Data Using Automated Policy Synchronization ......................................... 17-22
17.7
Multi-Data Center Recommendations ................................................................................ 17-22
17.7.1
Using a Common Domain............................................................................................. 17-23
17.7.2
Concerning the DCC and the OAM_GITO ................................................................. 17-23
17.7.3
Using an External Load Balancer ................................................................................. 17-24
17.7.4
Honoring Maximum Sessions....................................................................................... 17-24
17.7.5
WebGate Cookie Cannot Be Refreshed During Authorization ............................... 17-24

18 Configuring Multi-Data Centers
18.1
18.2
18.3
18.3.1
18.3.2
18.4
18.5
18.5.1
18.5.2
18.5.3
18.6
18.6.1
18.6.2
18.6.3
18.6.4
18.6.5

Before Setting Up a Multi-Data Center.................................................................................
Understanding the Primary Use Cases.................................................................................
Setting Up a Multi-Data Center .............................................................................................
Enabling the Master Data Center ...................................................................................
Setting Up the Clone Data Center ..................................................................................
Adding A Second Clone to An Existing Multi-Data Center Setup...................................
Understanding Multi-Data Center Security Modes............................................................
OPEN Security Mode .......................................................................................................
SIMPLE Security Mode ....................................................................................................
CERT Security Mode ........................................................................................................
WLST Commands for Multi-Data Centers.........................................................................
enableMultiDataCentreMode .......................................................................................
disableMultiDataCentreMode ......................................................................................
addPartnerForMultiDataCentre ...................................................................................
removePartnerForMultiDataCentre.............................................................................
setMultiDataCenterType ...............................................................................................

18-1
18-2
18-2
18-3
18-5
18-7
18-7
18-8
18-8
18-9
18-10
18-11
18-12
18-13
18-14
18-15

xi

18.6.6
18.6.7
18.6.8
18.6.9
18.6.10

setMultiDataCenterWrite ..............................................................................................
setMultiDataCentreClusterName ................................................................................
validateMDCConfig .......................................................................................................
exportAccessStore...........................................................................................................
importAccessStore ..........................................................................................................

18-15
18-16
18-16
18-16
18-17

19 Synchronizing Data In A Multi-Data Center
19.1
19.1.1
19.1.2
19.1.3
19.2
19.3
19.3.1
19.3.2
19.3.3
19.4
19.5
19.6
19.6.1
19.6.2
19.6.3
19.7
19.8
19.8.1
19.8.2

Understanding the Multi-Data Center Sync ........................................................................
How Replication Works...................................................................................................
Understanding the Replication Agreement .................................................................
Manually Syncing Data in a Multi-Data Center...........................................................
Enabling Data Replication ......................................................................................................
Syncing Master and Clone Metadata ....................................................................................
Syncing the UDM Metadata............................................................................................
Creating the Replication Agreement .............................................................................
Modifying the Replication Agreement ..........................................................................
Using and Customizing Transformation Rules...................................................................
Modifying a Rule Document ................................................................................................
Using REST API for Replication Agreements....................................................................
Querying for Replication Agreement Details .............................................................
Modifying an Existing Replication Agreement..........................................................
Deleting a Replication Agreement ...............................................................................
Replicating Domains in Identity Manager Deployments ................................................
Best Practices for Replication ...............................................................................................
Enabling Replication Logs.............................................................................................
Changing the User Identifier ........................................................................................

19-1
19-2
19-3
19-4
19-4
19-5
19-5
19-5
19-8
19-9
19-11
19-13
19-13
19-13
19-14
19-14
19-15
19-15
19-15

20 Setting Up the Multi-Data Center: A Sequence
20.1
20.2
20.3
20.4

Part VI

Before You Begin......................................................................................................................
Setting Up a Multi-Data Center .............................................................................................
Enabling Automated Policy Synchronization .....................................................................
Troubleshooting the Multi-Data Center Setup ..................................................................

20-1
20-2
20-9
20-11

Managing Access Manager SSO, Policies, and Testing

21 Understanding Single Sign-On with Access Manager
21.1
Introducing Access Manager Single Sign-On .....................................................................
21.1.1
About Multiple Network Domain SSO .........................................................................
21.1.2
About Application SSO and Access Manager ..............................................................
21.1.3
About Multiple WebLogic Server Domain SSO...........................................................
21.1.4
About Reverse-Proxy SSO ...............................................................................................
21.2
Understanding the Access Manager Policy Model.............................................................
21.3
Anatomy of an Application Domain and Policies ............................................................
21.3.1
About Resource Definitions for Policies......................................................................
21.3.2
About Authentication Policies .....................................................................................
21.3.3
About Authorization Policies........................................................................................

xii

21-1
21-4
21-4
21-5
21-6
21-7
21-10
21-11
21-11
21-12

21.3.4
About Token Issuance Policies .....................................................................................
21.4
Introduction to Policy Conditions and Rules ....................................................................
21.5
Understanding SSO Cookies ................................................................................................
21.5.1
About Single Sign-On Cookies During User Login...................................................
21.5.2
About Single Sign-On Server and Agent Cookies .....................................................
21.6
Introduction to Configuration Tasks for Single Sign-On .................................................

21-13
21-13
21-14
21-14
21-15
21-20

22 Managing Authentication and Shared Policy Components
22.1
22.2
22.3
22.3.1
22.3.2
22.3.3
22.3.4
22.4
22.4.1
22.4.2
22.4.3
22.4.4
22.4.5
22.4.6
22.4.7
22.5
22.5.1
22.5.2
22.5.3
22.6
22.6.1
22.6.2
22.6.3
22.7
22.7.1
22.7.2
22.7.3
22.7.4
22.7.5
22.7.6
22.7.7
22.7.8
22.8
22.8.1
22.8.2
22.8.3
22.8.4

Prerequisites ............................................................................................................................. 22-1
Understanding Authentication and Shared Policy Component Tasks ........................... 22-1
Managing Resource Types...................................................................................................... 22-2
About Resource Types and Their Use ........................................................................... 22-2
About the Resource Type Page....................................................................................... 22-4
Searching for a Specific Resource Type ......................................................................... 22-6
Creating a Custom Resource Type................................................................................. 22-7
Managing Host Identifiers...................................................................................................... 22-7
About Host Identifiers ..................................................................................................... 22-8
About Virtual Web Hosting ......................................................................................... 22-10
About the Host Identifier Page ..................................................................................... 22-14
Creating a Host Identifier .............................................................................................. 22-15
Searching for a Host Identifier Definition................................................................... 22-16
Viewing or Editing a Host Identifier Definition ........................................................ 22-16
Deleting a Host Identifier Definition ........................................................................... 22-17
Understanding Authentication Methods and Credential Collectors ............................. 22-18
About Different Authentication Methods................................................................... 22-18
Comparing Embedded Credential Collector with Detached Credential Collector ...........
22-19
Authentication Event Logging and Auditing ............................................................ 22-23
Managing Native Authentication Modules ....................................................................... 22-23
About Native Access Manager Authentication Modules ........................................ 22-24
Viewing or Editing Native Authentication Modules ................................................ 22-28
Deleting a Native Authentication Module.................................................................. 22-29
Orchestrating Multi-Step Authentication with Plug-in Based Modules ...................... 22-29
Comparing Simple Form and Multi-Factor (Multi-Step) Authentication .............. 22-30
About Plug-ins for Multi-Step Authentication Modules ......................................... 22-31
About Plug-in Based Modules for Multi-Step Authentication ................................ 22-39
Example: Leveraging SubjectAltName Extension Data and Integrating with Multiple
OCSP Endpoints 22-46
Creating and Orchestrating Plug-in Based Multi-Step Authentication Modules . 22-48
Creating and Managing Step-Up Authentication ..................................................... 22-50
Configuring an HTTPToken Extractor Plug-in .......................................................... 22-56
Configuring a JSON Web Token Plug-in .................................................................... 22-56
Deploying and Managing Individual Plug-ins for Authentication................................ 22-58
About Managing Your Own Authentication Plug-ins .............................................. 22-59
Making Custom Authentication Plug-ins Available for Use ................................... 22-62
Checking an Authentication Plug-in's Activation Status.......................................... 22-63
Deleting Your Custom Authentication Plug-ins ........................................................ 22-64

xiii

22.9
Managing Authentication Schemes.....................................................................................
22.9.1
About Authentication Schemes and Pages .................................................................
22.9.2
Understanding Multi-Level and Step-Up Authentication........................................
22.9.3
Creating an Authentication Scheme ............................................................................
22.9.4
Searching for an Authentication Scheme ....................................................................
22.9.5
Viewing, Editing, or Deleting an Authentication Scheme........................................
22.10 Extending Authentication Schemes with Advanced Rules .............................................
22.10.1
Using Advanced Rules...................................................................................................
22.10.2
Using Context Data for Advanced Rules ....................................................................
22.11 Configuring Challenge Parameters for Encrypted Cookies ............................................
22.11.1
About Challenge Parameters for Encrypted Cookies................................................
22.11.2
Configuring Challenge Parameters for Security of Encrypted Cookies .................
22.11.3
Setting Challenge Parameters for Persistence of Encrypted Cookies .....................
22.12 Configuring Authentication POST Data Handling...........................................................
22.12.1
About Authentication Post Data Preservation and Restoration ..............................
22.12.2
About Configuring Authentication POST Data Handling .......................................
22.12.3
About Post Data Size Limits..........................................................................................
22.12.4
Configuring Authentication POST Data Handling ...................................................
22.12.5
Testing POST Data Handling Configuration..............................................................
22.13 Long URL Handling During Authentication.....................................................................
22.13.1
About Long URLs and Authentication Handling......................................................
22.13.2
About Configuring Long URL Handling ....................................................................
22.14 Using Application Initiated Authentication ......................................................................

22-64
22-65
22-79
22-82
22-83
22-83
22-84
22-85
22-86
22-88
22-88
22-89
22-89
22-90
22-90
22-91
22-93
22-94
22-95
22-95
22-95
22-96
22-97

23 Understanding Credential Collection and Login
23.1
23.1.1
23.1.2
23.2
23.3
23.4
23.5
23.5.1
23.5.2
23.5.3
23.5.4
23.6
23.6.1
23.6.2
23.7
23.7.1
23.7.2
23.7.3

Logging In with Access Manager Credential Collection ...................................................
Login with Self-Service Provisioning Applications.....................................................
Login Processing with Access Manager-Protected Resources ...................................
Processing SSO Login with OAM Agents and ECC ...........................................................
Processing SSO Login with OAM Agents and DCC ..........................................................
Processing SSO Login with OSSO Agents (mod_osso) and ECC .....................................
Configuring 11g WebGates and Authentication Policy for DCC ...................................
Enabling DCC Credential Operations .........................................................................
Locating and Updating DCC Forms for Password Policy .......................................
Adding PasswordPolicyValidationScheme to Authentication Policy for DCC ....
Supporting Federation Flows With DCC ....................................................................
Tunneling from DCC to Access Manager Over Oracle Access Protocol .......................
How DCC Tunneling with OAP Works......................................................................
Configuring OAP Tunneling.........................................................................................
Configuring a DCC WebGate for X509 Authentication ...................................................
Configuring the WebLogic Server................................................................................
Configuring a WebGate For DCC ................................................................................
Converting the DCC WebGate to SSL .........................................................................

23-1
23-2
23-2
23-3
23-5
23-9
23-10
23-11
23-12
23-12
23-14
23-14
23-15
23-15
23-16
23-16
23-19
23-20

24 Using Password Policy
24.1
24.2
xiv

Using Password Management ............................................................................................... 24-1
Enabling Password Management .......................................................................................... 24-2

Configuring Password Policy ................................................................................................ 24-3
Specifying Credential Collector URLs with Password Policy........................................... 24-5
Using the Oracle-Provided Password Forms....................................................................... 24-8
Managing Global Password Policy ..................................................................................... 24-10
Defining Your Global Password Policy....................................................................... 24-11
Designating the Default Store for Your Password Policy......................................... 24-12
Adding Key Password Attributes to the Default Store............................................. 24-13
Adding an Administrator to Change User Attributes After a Password Change 24-15
Configuring Password Policy Authentication .................................................................. 24-15
Configuring the Password Policy Validation Authentication Module .................. 24-15
Configuring the PasswordPolicyValidationScheme ................................................ 24-19
Adding Your PasswordPolicyValidationScheme to ECC Authentication Policy . 24-20
Completing Password Policy Configuration ..................................................................... 24-21
Setting the Error Message Mode for Password Policy Messages ............................ 24-21
Overriding Native LDAP Password Policy Validation............................................. 24-21
Disabling ECC Operation and Using DCC Exclusively............................................ 24-22
Testing Your Multi-Step Authentication..................................................................... 24-23
Configuring the IPFUserPasswordPolicyPlugin............................................................... 24-24
Enabling the IPF Password Service.............................................................................. 24-24
Configuring Password Policy for IPF Password Service .......................................... 24-25
Extending the LDAP Definitions.................................................................................. 24-25
Configuring the Password Policy Validation Authentication Module and Scheme .........
24-26
24.9.5
Setting Up the Forgot Password Module .................................................................... 24-26

24.3
24.4
24.5
24.6
24.6.1
24.6.2
24.6.3
24.6.4
24.7
24.7.1
24.7.2
24.7.3
24.8
24.8.1
24.8.2
24.8.3
24.8.4
24.9
24.9.1
24.9.2
24.9.3
24.9.4

25 Managing Policies to Protect Resources and Enable SSO
25.1
25.2
25.2.1
25.2.2
25.2.3
25.3
25.3.1
25.3.2
25.3.3
25.3.4
25.3.5
25.3.6
25.4
25.4.1
25.4.2
25.4.3
25.4.4
25.5
25.5.1
25.5.2
25.5.3

Prerequisites .............................................................................................................................
Introduction to Application Domain and Policy Creation ................................................
Generating Application Domains and Policies Automatically..................................
Managing Application Domains and Policies Remotely ............................................
Creating or Managing an Application Domain and Policies .....................................
Understanding Application Domain and Policy Management ........................................
Navigating the Application Domain Pages ..................................................................
Displaying the Application Domain Summary Page ..................................................
Displaying the Resource Container in an Application Domain ................................
Displaying Authentication Policy Pages .......................................................................
Displaying Authorization Policy Pages.........................................................................
Displaying Token Issuance Policy Pages ....................................................................
Managing Application Domains Using the Console ........................................................
Creating a New Application Domain ..........................................................................
Searching for an Existing Application Domain..........................................................
Viewing or Editing an Application Domain...............................................................
Deleting an Application Domain and Its Contents ...................................................
Adding and Managing Policy Resource Definitions ........................................................
Defining Resources in an Application Domain..........................................................
Defining Resources in an Application Domain..........................................................
Searching for a Resource Definition.............................................................................

25-1
25-2
25-3
25-3
25-3
25-4
25-5
25-5
25-6
25-7
25-8
25-10
25-10
25-11
25-12
25-12
25-13
25-13
25-14
25-27
25-28

xv

25.5.4
Viewing, Editing, or Deleting a Resource Definition ...............................................
25.6
Defining Authentication Policies for Specific Resources .................................................
25.6.1
About the Authentication Policy Page ........................................................................
25.6.2
Creating an Authentication Policy for Specific Resources .......................................
25.6.3
Searching for an Authentication Policy .......................................................................
25.6.4
Viewing or Editing an Authentication Policy.............................................................
25.6.5
Deleting an Authentication Policy ...............................................................................
25.7
Defining Authorization Policies for Specific Resources...................................................
25.7.1
About Authorization Policies for Specific Resources ................................................
25.7.2
Creating an Authorization Policy and Specific Resources .......................................
25.7.3
Searching for an Authorization Policy .......................................................................
25.7.4
Viewing or Editing an Authorization Policy and Resources ...................................
25.7.5
Deleting an Entire Authorization Policy ....................................................................
25.8
Configuring Success and Failure URLs for Authorization Policies................................
25.9
Introduction to Authorization Policy Rules and Conditions ..........................................
25.9.1
About Allow or Deny Rules ..........................................................................................
25.9.2
About Authorization Policy Conditions ....................................................................
25.9.3
About Classifying Users and Groups for Conditions ...............................................
25.9.4
Guidelines for Authorization Responses Based on Conditions...............................
25.10 Defining Authorization Policy Conditions ........................................................................
25.10.1
Choosing a Condition Type ..........................................................................................
25.10.2
Defining Identity Conditions ........................................................................................
25.10.3
Defining IP4 Range Conditions ....................................................................................
25.10.4
Defining Temporal Conditions.....................................................................................
25.10.5
Defining Attribute Conditions......................................................................................
25.10.6
Viewing, Editing, or Deleting Authorization Policy Conditions.............................
25.11 Defining Authorization Policy Rules ..................................................................................
25.11.1
About Defining Rules in an Authorization Policy.....................................................
25.11.2
About Expressions and Expression-Based Policy Evaluation..................................
25.11.3
Defining Rules in an Authorization Policy .................................................................
25.12 Configuring Policy Ordering ...............................................................................................
25.13 Introduction to Policy Responses for SSO..........................................................................
25.13.1
About Authentication and Authorization Policy Responses for SSO.....................
25.13.2
About the Policy Response Language .........................................................................
25.13.3
About the Namespace and Variable Names for Policy Responses .........................
25.13.4
About Constructing a Policy Response for SSO.........................................................
25.13.5
About Policy Response Processing ..............................................................................
25.13.6
About Assertion Claims and Processing .....................................................................
25.14 Adding and Managing Policy Responses for SSO ............................................................
25.14.1
Adding a Policy Response for SSO ..............................................................................
25.14.2
Viewing, Editing, or Deleting a Policy Response for SSO ........................................
25.15 Validating Authentication and Authorization in an Application Domain ...................
25.16 Understanding Remote Policy and Application Domain Management........................
25.16.1
About Managing Policies Remotely.............................................................................
25.16.2
About the Create Policy Request Template ................................................................
25.16.3
About the Update Policy Request Template...............................................................
25.16.4
About Remote Policy Management and Templates ..................................................

xvi

25-30
25-31
25-31
25-33
25-34
25-34
25-35
25-35
25-36
25-37
25-37
25-38
25-38
25-39
25-40
25-40
25-41
25-42
25-43
25-43
25-44
25-45
25-51
25-54
25-55
25-59
25-60
25-60
25-63
25-66
25-67
25-68
25-68
25-70
25-70
25-72
25-74
25-75
25-75
25-75
25-76
25-76
25-77
25-78
25-79
25-80
25-80

25.17
25.18

Managing Policies and Application Domains Remotely ................................................. 25-82
Defining an Application........................................................................................................ 25-82

26 Validating Connectivity and Policies Using the Access Tester
26.1
Prerequisites ............................................................................................................................. 26-1
26.2
Introduction to the Access Tester for Access Manager 11g .............................................. 26-1
26.2.1
About OAM Agent and Server Interoperability .......................................................... 26-3
26.2.2
About Access Tester Security and Processing .............................................................. 26-5
26.2.3
About Access Tester Modes and Administrator Interactions ................................... 26-6
26.3
Installing and Starting the Access Tester.............................................................................. 26-8
26.3.1
Installing the Access Tester ............................................................................................. 26-8
26.3.2
About Access Tester Supported System Properties..................................................... 26-9
26.3.3
Starting the Tester Without System Properties For Use in Tester Console Mode. 26-10
26.3.4
Starting the Access Tester with System Properties For Use in Command Line Mode......
26-11
26.4
Introduction to the Access Tester Console and Navigation ............................................ 26-12
26.4.1
Access Tester Menus and Command Buttons ............................................................ 26-14
26.5
Testing Connectivity and Policies from the Access Tester Console ............................... 26-15
26.5.1
Establishing a Connection Between the Access Tester and the OAM Server ........ 26-16
26.5.2
Validating Resource Protection from the Access Tester Console ............................ 26-18
26.5.3
Testing User Authentication from the Access Tester Console ................................. 26-20
26.5.4
Testing User Authorization from the Access Tester Console .................................. 26-23
26.5.5
Observing Request Latency........................................................................................... 26-24
26.6
Creating and Managing Test Cases and Scripts ................................................................ 26-24
26.6.1
About Test Cases and Test Scripts ............................................................................... 26-25
26.6.2
Capturing Test Cases ..................................................................................................... 26-25
26.6.3
Generating an Input Test Script.................................................................................... 26-26
26.6.4
Personalizing an Input Test Script ............................................................................... 26-27
26.6.5
Executing a Test Script .................................................................................................. 26-28
26.7
Evaluating Scripts, Log File, and Statistics ........................................................................ 26-31
26.7.1
About Evaluating Test Results...................................................................................... 26-31
26.7.2
About the Saved Connection Configuration File ....................................................... 26-32
26.7.3
About the Generated Input Test Script ....................................................................... 26-33
26.7.4
About the Target Output File Containing Test Run Results .................................... 26-34
26.7.5
About the Statistics Document ..................................................................................... 26-36
26.7.6
About the Execution Log ............................................................................................... 26-38

27 Configuring Centralized Logout for Sessions Involving 11g WebGates
27.1
Prerequisites ............................................................................................................................. 27-1
27.2
Introduction to Centralized Logout for Access Manager 11g ........................................... 27-1
27.2.1
About Centralized Logout for 11g WebGates ............................................................. 27-2
27.2.2
About Logout Parameters for 11g WebGates ............................................................... 27-2
27.3
Configuring Centralized Logout for 11g WebGates ........................................................... 27-4
27.3.1
Configuring Centralized Logout for 11g WebGates When the ECC is Used .......... 27-5
27.3.2
Configuring Logout When Using Detached Credential Collector-Enabled WebGate......
27-6

xvii

27.4
Validating Global Sign-On and Centralized Logout .........................................................
27.4.1
Confirming Global Sign-On ............................................................................................
27.4.2
Validating Global Sign-On with Mixed Agent Types .................................................
27.4.3
Observing Centralized Logout .......................................................................................

Part VII

27-6
27-6
27-7
27-8

Registering and Using Agents with Access Manager

28 Registering and Managing Legacy OpenSSO Agents
28.1
28.1.1
28.1.2
28.2
28.3
28.3.1
28.3.2
28.4
28.4.1
28.4.2
28.5
28.5.1
28.5.2
28.5.3
28.5.4
28.6
28.6.1
28.7

Introduction to OpenSSO, Agents, Migration and Co-existence ......................................
About Migration and Co-existence Between OpenSSO and Access Manager .....
About OpenSSO Agent Reliance on Access Manager.................................................
Runtime Processing Between OpenSSO Agents and Access Manager............................
Understanding OpenSSO Agent Registration Parameters ..............................................
About OpenSSO Agent Registration Parameters.......................................................
About the Expanded OpenSSO Agent Page and Parameters ..................................
Registering and Managing OpenSSO Agents Using the Console .................................
Registering an OpenSSO Agent using the Oracle Access Management Console .
Configuring and Managing Registered OpenSSO Agents Using the Console......
Performing Remote Registration for OpenSSO Agents ...................................................
Understanding Request Templates for OpenSSO Agent Remote Registration.....
Reviewing OpenSSO Bootstrap Configuration Mappings .......................................
Performing In-Band Remote Registration with OpenSSO Agents ..........................
Performing Out-of-Band Remote Registration with OpenSSO Agents..................
Updating Registered OpenSSO Agents Remotely ............................................................
Updating OpenSSO Agents Remotely.........................................................................
Locating Other OpenSSO Agent Information ...................................................................

28-1
28-2
28-4
28-6
28-10
28-10
28-12
28-19
28-20
28-21
28-22
28-22
28-24
28-25
28-26
28-27
28-28
28-28

29 Registering and Managing Legacy OSSO Agents
29.1
29.1.1
29.1.2
29.2
29.2.1
29.2.2
29.3
29.3.1
29.3.2
29.3.3
29.3.4
29.4
29.4.1
29.4.2
29.4.3
29.5
29.6
29.6.1

xviii

Understanding OSSO Agents with Access Manager.......................................................... 29-1
About OSSO Agents with Access Manager .................................................................. 29-1
Comparing Access Manager 11g SSO versus OSSO 10g ............................................ 29-2
Registering OSSO Agents Using Oracle Access Management Console........................... 29-6
Understanding the Create OSSO Agent Registration Page and Parameters ........... 29-6
Registering an OSSO Agent (mod_osso) Using the Console ..................................... 29-8
Configuring and Managing Registered OSSO Agents Using the Console...................... 29-9
Understanding the Expanded OSSO Agent Page in the Console.............................. 29-9
Searching for an OSSO Agent (mod_osso) Registration .......................................... 29-10
Viewing or Editing OSSO Agent (mod_osso) Registration ...................................... 29-11
Deleting an OSSO Agent (mod_osso) Registration ................................................... 29-11
Performing Remote Registration for OSSO Agents .......................................................... 29-12
Understanding Request Templates for OSSO Remote Registration ....................... 29-12
Performing In-Band Remote Registration of OSSO Agents ..................................... 29-13
Performing Out-of-Band Remote Registration for OSSO Agents............................ 29-14
Updating Registered OSSO Agents Remotely................................................................... 29-15
Configuring Logout for OSSO Agents with Access Manager 11.1.2.............................. 29-16
About Centralized Logout with OSSO Agents (mod_OSSO) and Access Manager..........
29-17

29.6.2
Removing Custom mod_osso Cookies on Logout..................................................... 29-17
29.7
Locating Other OSSO Agent Information .......................................................................... 29-18

30 Registering and Managing 10g WebGates with Access Manager 11g
30.1
Prerequisites .............................................................................................................................
30.2
Introduction to 10g OAM Agents for Access Manager 11g...............................................
30.2.1
About IAMSuiteAgent: A Pre-Configured 10g WebGate Registered with Access
Manager 30-2
30.2.2
About Legacy Oracle Access Manager 10g Deployments and WebGates ...............
30.2.3
About Installing Fresh 10g WebGates to Use With Access Manager 11.1.2 ............
30.2.4
About Centralized Logout with 10g OAM Agents and 11g OAM Servers..............
30.3
Comparing Access Manager 11.1.2 and 10g ........................................................................
30.3.1
Comparing Access Manager 11g versus 10g ................................................................
30.3.2
Comparing Access Manager 11g versus 10g Policy Model........................................
30.4
Configuring Centralized Logout for IAMSuiteAgent ......................................................
30.5
Registering a 10g WebGate with Access Manager 11g Remotely...................................
30.6
Managing 10g OAM Agents Remotely...............................................................................
30.7
Locating and Installing the Latest 10g WebGate for Access Manager 11g....................
30.7.1
Preparing for a Fresh 10g WebGate Installation with Access Manager 11g ..........
30.7.2
Locating and Downloading 10g WebGates for Use with Access Manager 11g ....
30.7.3
Starting WebGate 10g Installation................................................................................
30.7.4
Specifying a Transport Security Mode ........................................................................
30.7.5
Requesting or Installing Certificates for Secure Communications..........................
30.7.6
Specifying WebGate Configuration Details................................................................
30.7.7
Updating the WebGate Web Server Configuration...................................................
30.7.8
Finishing WebGate Installation ....................................................................................
30.7.9
Installing Artifacts and Certificates .............................................................................
30.7.10
Confirming WebGate Installation ................................................................................
30.8
Configuring Centralized Logout for 10g WebGate with 11g OAM Servers .................
30.8.1
About Centralized Logout Processing for 10g WebGate with 11g OAM Server ..
30.8.2
About the Centralized Logout Script for 10g WebGates with 11g OAM Servers .
30.8.3
Configuring Centralized Logout for 10g WebGates with Access Manager...........
30.9
Removing a 10g WebGate from the Access Manager 11g Deployment ........................

30-1
30-2

30-2
30-3
30-4
30-5
30-5
30-7
30-10
30-11
30-13
30-14
30-14
30-16
30-17
30-18
30-18
30-19
30-19
30-21
30-21
30-22
30-22
30-23
30-24
30-26
30-27

31 Configuring Apache, OHS, IHS for 10g WebGates
31.1
31.2
31.3
31.3.1
31.3.2
31.3.3
31.4
31.5
31.5.1
31.5.2
31.5.3

Prerequisites .............................................................................................................................
About Oracle HTTP Server and Access Manager ...............................................................
About Access Manager with Apache and IHS v2 Webgates.............................................
About the Apache HTTP Server .....................................................................................
About the IBM HTTP Server ...........................................................................................
About the Apache and IBM HTTP Reverse Proxy Server ..........................................
About Apache v2 Architecture and Access Manager.........................................................
Requirements for Oracle HTTP Server, IHS, Apache v2 Web Servers ............................
Requirements for IHS2 Web Servers..............................................................................
Requirements for Apache and IHS v2 Reverse Proxy Servers...................................
Requirements for Apache v2 Web Servers....................................................................

31-1
31-1
31-2
31-3
31-3
31-3
31-4
31-5
31-6
31-6
31-6

xix

31.6
Preparing Your Web Server....................................................................................................
31.6.1
Preparing the IHS v2 Web Server ..................................................................................
31.6.2
Preparing Apache and Oracle HTTP Server Web Servers on Linux.......................
31.6.3
Preparing Oracle HTTP Server Web Servers on Linux and Windows Platforms.
31.6.4
Setting Oracle HTTP Server Client Certificates..........................................................
31.6.5
Preparing the Apache v2 Web Server on UNIX.........................................................
31.6.6
Preparing the Apache v2 SSL Web Server on AIX.....................................................
31.6.7
Preparing the Apache v2 Web Server on Windows .................................................
31.7
Activating Reverse Proxy for Apache v2 and IHS v2.......................................................
31.7.1
Activating Reverse Proxy For Apache v2 Web Servers ............................................
31.7.2
Activating Reverse Proxy For IHS v2 Web Servers ...................................................
31.8
Verifying httpd.conf Updates for Webgates ......................................................................
31.8.1
Verifying Webgate Details.............................................................................................
31.8.2
Verifying Language Encoding ......................................................................................
31.9
Tuning Oracle HTTP Server Webgates for Access Manager...........................................
31.10 Tuning OHS /Apache Prefork and Worker MPM Modules for OAM..........................
31.10.1
Tuning Oracle HTTP Server /Apache Prefork MPM Module.................................
31.10.2
Tuning Oracle HTTP Server /Apache Worker MPM Module ................................
31.10.3
Tuning Kernel Parameters.............................................................................................
31.11 Starting and Stopping Oracle HTTP Server Web Servers................................................
31.12 Tuning Apache/IHS v2 Webgates for Access Manager .................................................
31.13 Removing Web Server Configuration Changes After Uninstall.....................................
31.14 Helpful Information .............................................................................................................

31-7
31-8
31-11
31-11
31-12
31-12
31-16
31-17
31-19
31-19
31-20
31-22
31-22
31-24
31-25
31-25
31-26
31-26
31-27
31-27
31-27
31-30
31-30

32 Configuring the ISA Server for 10g WebGates
32.1
32.2
32.3
32.4
32.4.1
32.4.2
32.5
32.5.1
32.5.2
32.5.3
32.6
32.7

33

32-1
32-1
32-2
32-2
32-2
32-3
32-3
32-3
32-4
32-6
32-7
32-7

Configuring the IIS Web Server for 10g WebGates
33.1
33.2
33.2.1
33.3
33.3.1
33.3.2
33.4
33.5

xx

Prerequisites .............................................................................................................................
About Access Manager and the ISA Server ........................................................................
Compatibility and Platform Support ...................................................................................
Installing and Configuring Webgate for the ISA Server ....................................................
Installing Webgate with ISA Server ...............................................................................
Changing /access Directory Permissions ....................................................................
Configuring the ISA Server for the ISAPI Webgate............................................................
Registering Access Manager Plug-ins as ISA Server Web Filters..............................
Configuring ISA Firewall Policies for ISA Web Filters ...............................................
Ordering the ISAPI Filters ...............................................................................................
Starting, Stopping, and Restarting the ISA Server .............................................................
Removing Access Manager Filters Before Webgate Uninstall on ISA Server.................

Prerequisites .............................................................................................................................
WebGate Guidelines for IIS Web Servers ............................................................................
Guidelines for ISAPI WebGates ....................................................................................
Prerequisite for Installing Webgate for IIS 7........................................................................
Prerequisite for Installing Any 10g Webgate for IIS 7.................................................
Prerequisite for Installing a 32-bit Webgate for IIS 7...................................................
Updating IIS 7 Web Server Configuration on Windows 2008...........................................
Completing Webgate Installation with IIS ...........................................................................

33-1
33-1
33-2
33-5
33-5
33-6
33-6
33-7

33.5.1
Enabling Client Certificate Authentication on the IIS Web Server ........................... 33-7
33.5.2
Ordering the ISAPI Filters ............................................................................................... 33-8
33.5.3
Enabling Pass-Through Functionality for POST Data................................................. 33-9
33.5.4
Protecting a Web Site When the Default Site is Not Setup....................................... 33-13
33.6
Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance ........... 33-14
33.6.1
Installing Each IIS 7 Webgate in a Multiple Webgate Scenario ............................... 33-14
33.6.2
Setting the Impersonation DLL for Multiple IIS 7 Webgates ................................... 33-16
33.6.3
Enabling Client Certification for Multiple IIS 7 Webgates ....................................... 33-17
33.6.4
Configuring IIS 7 Webgates for Pass Through Functionality .................................. 33-18
33.6.5
Confirming IIS 7 Webgate Installation ........................................................................ 33-19
33.7
Installing and Configuring Multiple Webgates for a Single IIS 6 Instance ................... 33-19
33.7.1
Installing Each Webgate in a Multiple Webgate Scenario ........................................ 33-20
33.7.2
Setting the Impersonation DLL for Multiple Webgates............................................ 33-22
33.7.3
Enabling SSL and Client Certification for Multiple Webgates................................. 33-23
33.7.4
Confirming Multiple Webgate Installation................................................................. 33-24
33.8
Finishing 64-bit Webgate Installation ................................................................................ 33-24
33.8.1
Setting Access Permissions, ISAPI filters, and Directory Security Authentication ...........
33-25
33.8.2
Setting Client Certificate Authentication .................................................................... 33-25
33.9
Confirming Webgate Installation on IIS ............................................................................. 33-26
33.10 Starting, Stopping, and Restarting the IIS Web Server..................................................... 33-27
33.11 Removing Web Server Configuration Changes Before Uninstall................................... 33-27

34

Configuring Lotus Domino Web Servers for 10g WebGates
34.1
34.2
34.3
34.4
34.5
34.6
34.6.1

Prerequisites .............................................................................................................................
Installing the Domino Web Server ........................................................................................
Setting Up the First Domino Web Server .............................................................................
Starting the Domino Web Server ...........................................................................................
Enabling SSL (Optional)..........................................................................................................
Installing a Domino Security (DSAPI) Filter .......................................................................
Completing the WebGate Installation ..........................................................................

34-1
34-1
34-2
34-3
34-3
34-4
34-5

Part VIII Managing the Adaptive Authentication Service and Oracle Mobile
Authenticator
35 Introducing the Adaptive Authentication Service
35.1
35.2
35.2.1
35.2.2
35.2.3
35.3
35.4
35.4.1
35.4.2
35.4.3

Using the Adaptive Authentication Service ........................................................................
Working with the Adaptive Authentication Service ..........................................................
Understanding the One Time Password Option..........................................................
Understanding the Access Request (Push) Notification Option ...............................
Using the Oracle Mobile Authenticator with OTP And Access Request .................
Understanding Adaptive Authentication Service and OMA Configurations ................
Configuring the Adaptive Authentication Service .............................................................
Generating a Secret Key for the Oracle Mobile Authenticator ..................................
Configuring Mobile OAuth Services to Protect the Secret Key .................................
Configuring the Adaptive Authentication Plug-in......................................................

35-1
35-2
35-3
35-4
35-6
35-6
35-6
35-7
35-7
35-7

xxi

35.4.4
35.4.5
35.4.6
35.4.7

Setting Credentials for UMS, iOS and Android ........................................................... 35-9
Creating a Java KeyStore for iOS Access Request (Push) Notifications ................. 35-10
Configuring Host Name Verifier for Android Access Request (Push) Notifications........
35-11
Configuring Access Manager for VPN Use Case ...................................................... 35-11

36 Configuring the Oracle Mobile Authenticator
36.1
Understanding Oracle Mobile Authenticator Configuration............................................ 36-1
36.2
Using the Oracle Mobile Authenticator App on iOS.......................................................... 36-3
36.2.1
Configuring the Oracle Mobile Authenticator for iOS................................................ 36-3
36.2.2
Initializing the Oracle Mobile Authenticator on iOS................................................... 36-4
36.2.3
Copying a One-Time Password from the Oracle Mobile Authenticator on iOS ..... 36-6
36.2.4
Editing an Account on the Oracle Mobile Authenticator on iOS .............................. 36-6
36.2.5
Deleting an Account on the Oracle Mobile Authenticator on iOS ............................ 36-6
36.2.6
Responding to Access Request (Push) Notifications on iOS ...................................... 36-6
36.2.7
Displaying Access Request (Push) Notifications History on iOS.............................. 36-7
36.2.8
Displaying Service Account Details on iOS .................................................................. 36-7
36.2.9
Displaying Access Manager Registered Accounts on iOS.......................................... 36-7
36.2.10
Displaying the OMA Version on iOS............................................................................. 36-7
36.3
Using the Oracle Mobile Authenticator App on Android ................................................. 36-7
36.3.1
Configuring the Oracle Mobile Authenticator for Android....................................... 36-8
36.3.2
Initializing the Oracle Mobile Authenticator on Android.......................................... 36-8
36.3.3
Copying a One-Time Password from the Oracle Mobile Authenticator on Android .......
36-10
36.3.4
Editing an Account on the Oracle Mobile Authenticator on Android ................... 36-10
36.3.5
Deleting an Account on the Oracle Mobile Authenticator on Android ................. 36-10
36.3.6
Responding to Access Request (Push) Notifications on Android ........................... 36-11
36.3.7
Displaying Access Request (Push) Notifications History on Android ................... 36-11
36.3.8
Displaying Service Account Details on Android ....................................................... 36-11
36.3.9
Displaying Access Manager Registered Accounts on Android............................... 36-11
36.3.10
Displaying the OMA Version on Android.................................................................. 36-12
36.4
Configuring the Google Authenticator App...................................................................... 36-12
36.5
Using a QR Code for Configuration.................................................................................... 36-12

Part IX Managing Oracle Access Management Identity Federation
37 Introducing Identity Federation in Oracle Access Management
37.1
37.2
37.3
37.4
37.4.1
37.4.2
37.4.3
37.4.4
37.4.5
37.4.6
xxii

Integrating Identity Federation with Access Manager.......................................................
Deploying Identity Federation with Oracle Access Management....................................
Understanding How Identity Federation Works ................................................................
Using Identity Federation.......................................................................................................
Achieving SSO...................................................................................................................
Logging Out.......................................................................................................................
Authorizing .......................................................................................................................
Forcing Authentication ....................................................................................................
Indicating a Passive Identity Provider ..........................................................................
User and Assertion Mapping .........................................................................................

37-1
37-2
37-2
37-3
37-4
37-4
37-4
37-4
37-5
37-5

37.4.7
37.5
37.5.1
37.5.2
37.6
37.6.1
37.6.2
37.6.3
37.6.4
37.7
37.8

Platform Dependencies....................................................................................................
Initiating Federation SSO........................................................................................................
IdP Initiated Federation SSO Service .............................................................................
SP Initiated Federation SSO Service...............................................................................
Exchanging Identity Federation Data ...................................................................................
Using SAML 2.0 ................................................................................................................
Using SAML 1.1 ................................................................................................................
Using OpenID 2.0............................................................................................................
Using WS-Federation 1.1 ...............................................................................................
Administrating Identity Federation ....................................................................................
Enabling Identity Federation................................................................................................

37-5
37-5
37-5
37-6
37-6
37-6
37-9
37-11
37-13
37-14
37-15

38 Managing Identity Federation Partners
38.1
38.2
38.3
38.3.1
38.3.2
38.4
38.4.1
38.4.2
38.5
38.5.1
38.5.2
38.6
38.6.1
38.6.2
38.6.3
38.6.4
38.7
38.7.1
38.7.2
38.8
38.9

Understanding Federation And Partners............................................................................. 38-1
Managing Federation Partners .............................................................................................. 38-1
Administering Identity Federation As A Service Provider ............................................... 38-2
Creating Remote Identity Provider Partners ................................................................ 38-2
Managing the Remote Identity Provider Partners....................................................... 38-8
Administering Identity Federation As An Identity Provider.......................................... 38-10
Creating Remote Service Provider Partners ............................................................... 38-10
Managing the Remote Service Provider Partners ...................................................... 38-11
Using Attribute Mapping Profiles....................................................................................... 38-12
Using the SP Attribute Mapping Profile ..................................................................... 38-12
Using the IdP Attribute Mapping Profile.................................................................... 38-14
Mapping Federation Authentication Methods to Access Manager Authentication Schemes.
38-15
Understanding Federation SSO As An IdP................................................................. 38-16
Understanding Federation SSO As An SP .................................................................. 38-17
Configuring an Alternate Authentication Scheme .................................................... 38-17
Using WLST For Mapping Administration ................................................................ 38-18
Using the Attribute Sharing Plug-in for the Attribute Query Service ........................... 38-18
Understanding the Plug-in and Query Service Design............................................. 38-18
Configuring for Attribute Sharing ............................................................................... 38-22
Using the Federation Proxy.................................................................................................. 38-24
Using WLST for Identity Federation Administration ...................................................... 38-25

39 Managing Settings for Identity Federation
39.1
39.2
39.3
39.3.1
39.3.2
39.4
39.4.1
39.4.2
39.5

Prerequisites .............................................................................................................................
Introduction to Federation Settings.......................................................................................
Managing General Federation Settings ................................................................................
About Managing General Federation Settings .............................................................
Managing General Federation Settings .........................................................................
Managing Proxy Settings for Federation..............................................................................
About Proxy Settings for Federation ............................................................................
Managing Proxy Settings for Identity Federation........................................................
Defining Keystore Settings for Federation ...........................................................................

39-1
39-1
39-2
39-2
39-3
39-3
39-3
39-4
39-4

xxiii

39.5.1
About Managing Keytore Settings for Identity Federation ....................................... 39-4
39.5.2
Managing Identity Federation Encryption/Signing Keys.......................................... 39-5
39.6
Exporting Metadata ................................................................................................................. 39-7

40 Managing Federation Schemes and Policies
40.1
40.2
40.2.1
40.2.2
40.2.3
40.2.4
40.3
40.3.1
40.3.2
40.3.3
40.4
40.4.1
40.4.2
40.5
40.6
40.6.1
40.6.2
40.6.3
40.6.4
40.7
40.7.1
40.7.2
40.7.3
40.8
40.9
40.9.1
40.9.2
40.9.3

Using Identity Federation and Access Manager Together ................................................ 40-1
Using Authentication Schemes and Modules for Identity Federation 11g Release 2
(11.1.2.2) 40-2
About the FederationScheme Authentication Scheme................................................ 40-2
About the FederationMTScheme.................................................................................... 40-3
About the FederationPlugin Authentication Module ................................................. 40-3
Managing Authentication with Identity Federation in 11g Release 2 ...................... 40-4
Using Authentication Schemes and Modules for Oracle Identity Federation 11g Release 1 .
40-6
About Scheme OIFScheme ............................................................................................. 40-7
About the OIFMTLDAPPlugin Authentication Module ............................................ 40-8
Managing Authentication with Oracle Identity Federation Release 11gR1............. 40-8
Managing Access Manager Policies for Use with Identity Federation ............................ 40-9
About Policy Responses with Assertion Attributes for Identity Federation ........... 40-9
Defining Policy Responses with Assertion Attributes for Identity Federation ..... 40-10
Testing Identity Federation Configuration ........................................................................ 40-12
Using the Default Identity Provisioning Plug-in .............................................................. 40-14
Why Use a Provisioning Plug-in? ................................................................................ 40-14
About the Default Provisioning Plug-in...................................................................... 40-14
Using the Default Provisioning Plug-in ...................................................................... 40-14
Switching to a Custom Provisioning Plug-in ............................................................. 40-15
Configuring the Identity Provider Discovery Service ...................................................... 40-15
Using the Bundled IdP Discovery Service .................................................................. 40-15
Creating a custom IdP Discovery Service ................................................................... 40-16
Disabling the use of an IdP Discovery Service ........................................................... 40-18
Configuring the Federation User Self-Registration Module............................................ 40-18
Integrating OAM Identity Provider With Microsoft Office 365 Service Provider ....... 40-20
Configuring Microsoft Office 365 for OAM Integration ........................................... 40-21
Configuring OAM for Microsoft Office 365 Integration ........................................... 40-22
Verifying Federation Single Sign-On........................................................................... 40-23

Part X Managing Oracle Access Management Security Token Service
41 Introducing the Oracle Access Management Security Token Service
41.1
41.2
41.3
41.4
41.5
41.6
41.7
41.7.1
xxiv

Understanding the Security Token Service..........................................................................
Using the Security Token Service .........................................................................................
Security Token Service Key Terms and Concepts...............................................................
Integrating the Oracle Web Services Manager ....................................................................
Architecting the Security Token Service...............................................................................
Security Token Service Supported Token Matrix ...............................................................
Deploying Security Token Service ........................................................................................
Centralized Token Authority Deployment...................................................................

41-1
41-2
41-3
41-6
41-8
41-8
41-9
41-9

41.7.2
Tokens Behind a Firewall Deployment ......................................................................... 41-9
41.7.3
Web Services SSO Deployment .................................................................................... 41-10
41.8
Installing Security Token Service ........................................................................................ 41-11
41.8.1
Security Token Service Cluster in Single WLS Domain............................................ 41-11
41.8.2
Endpoint Exposure through a Web Server Proxy...................................................... 41-11
41.8.3
Interoperability of Requester and Relying Party with Other Oracle WS-Trust based
Clients 41-12
41.8.4
Security Token Service Installation Overview ........................................................... 41-12
41.8.5
Post-Installation Tasks: Security Token Service ........................................................ 41-12
41.9
Administrating the Security Token Service ....................................................................... 41-12

42 Security Token Service Implementation Scenarios
Prerequisites ............................................................................................................................. 42-1
Typical Token Ecosystem ....................................................................................................... 42-1
Scenario: Identity Propagation with the Access Manager Token ..................................... 42-2
Component Processing: Identity Propagation with the OAM Token....................... 42-4
Request Security Token Attributes and Run Time Processing .................................. 42-5
Configuration Requirements: Identity Propagation with the OAM Token............. 42-7
Testing Your Implementation ....................................................................................... 42-15
Scenario: Web Service Security With On Behalf Of Username Token .......................... 42-16
Component interactions for Identity Propagation with Username Token ............ 42-16
RST Attributes and Processing for Identity Propagation with a Username Token ...........
42-16
42.4.3
Configuration Requirements: Identity Propagation with the Username Token... 42-18

42.1
42.2
42.3
42.3.1
42.3.2
42.3.3
42.3.4
42.4
42.4.1
42.4.2

43 Configuring Security Token Service Settings
Prerequisites ............................................................................................................................ 43-1
Introduction to Security Token Service Configuration ...................................................... 43-1
Post-Installation Configuration ...................................................................................... 43-2
About OAM Servers and Security Token Service........................................................ 43-3
About Security Token Service Clients ........................................................................... 43-4
About Agents and Security Token Service ................................................................... 43-4
About Security Token Service End Points and Policies .............................................. 43-5
Enabling and Disabling Security Token Service ................................................................. 43-7
About Security Token Service and the Oracle Access Management Console ......... 43-8
About Enabling Services for Security Token Service ................................................. 43-9
Enabling and Disabling Services for Security Token Service..................................... 43-9
Defining Security Token Service Settings............................................................................. 43-9
About Security Token Service Settings.......................................................................... 43-9
Managing Security Token Service Settings................................................................. 43-12
Using and Managing WSS Policies for Oracle WSM Agents .......................................... 43-12
Using and Modifying Oracle Workspace Studio Policies......................................... 43-13
Managing WSS Policies for Security Token Service: Classpath............................... 43-13
Managing WSS Policies for Security Token Service: Oracle WSM Policy Manager ..........
43-14
43.6
Configuring OWSM for WSS Protocol Communication.................................................. 43-15
43.6.1
About Oracle WSM Agent WS-Security Policies for Security Token Service ........ 43-15

43.1
43.2
43.2.1
43.2.2
43.2.3
43.2.4
43.2.5
43.3
43.3.1
43.3.2
43.3.3
43.4
43.4.1
43.4.2
43.5
43.5.1
43.5.2
43.5.3

xxv

43.6.2
Retrieving the Oracle WSM Keystore Password........................................................
43.6.3
Extracting the Oracle STS/Oracle WSM Signing and Encryption Certificate .......
43.6.4
Adding Trusted Certificates to the Oracle WSM Keystore.......................................
43.6.5
Validating Trusted Certificates in the Oracle WSM Keystore..................................
43.6.6
Configuring Oracle WSM Agent for WSS Kerberos Policies ...................................
43.7
Managing and Migrating Security Token Service Policies ..............................................
43.7.1
About Managing and Migrating Security Token Service Policies...........................
43.7.2
Managing Security Token Service Policies .................................................................
43.7.3
Migrating Security Token Service Policies..................................................................
43.8
Logging Security Token Service Messages ........................................................................
43.9
Auditing the Security Token Service .................................................................................
43.9.1
About Security Token Service Audit Record Storage ...............................................
43.9.2
About Audit Reports and Oracle Business Intelligence Publisher..........................
43.9.3
About the Audit Log ......................................................................................................
43.9.4
About Auditing Security Token Service Events.........................................................

43-16
43-16
43-17
43-17
43-18
43-19
43-19
43-19
43-19
43-20
43-21
43-21
43-22
43-22
43-22

44 Managing Security Token Service Certificates and Keys
44.1
Prerequisites .............................................................................................................................
44.2
Introducing the Security Token Service Certificates and Keys .........................................
44.2.1
About Keystores and Security Token Service...............................................................
44.2.2
About the Oracle Web Services Manager Keystore (default-keystore.jks) ..............
44.2.3
About Using the OPSS Keystore for Requester Certificates.......................................
44.3
Managing Security Token Service Encryption/Signing Keys...........................................
44.3.1
Resetting System Keystore (.oamkeystore) and Trust Keystore (amtruststore)
Password 44-4
44.3.2
Adding a New Key Entry to the System Keystore (.oamkeystore) ...........................
44.3.3
Extracting an Security Token Service Certificate .........................................................
44.4
Managing Partner Keys for WS-Trust Communications ...................................................
44.4.1
About Partner Certificates ...............................................................................................
44.4.2
About Downloading the Relying Party's Certificate at Run Time ............................
44.4.3
Setting the Partner's Signing or Encryption Certificate ..............................................
44.5
Managing Certificate Validation ...........................................................................................
44.5.1
Managing the Trust Anchors Store (amtruststore) ......................................................
44.5.2
Managing Certificate Revocation Lists........................................................................
44.5.3
Using a Custom Trust Anchor Store for Security Token Service.............................

44-1
44-1
44-2
44-3
44-3
44-4

44-5
44-6
44-7
44-7
44-8
44-8
44-9
44-9
44-10
44-10

45 Managing Templates, Endpoints, and Policies
45.1
45.2
45.2.1
45.2.2
45.3
45.3.1
45.3.2
45.4
45.4.1
45.4.2
xxvi

Introduction ..............................................................................................................................
Searching for an Existing Template.......................................................................................
About Template Search Controls ..................................................................................
Searching For a Template ................................................................................................
Managing Token Issuance Templates...................................................................................
About Managing Token Issuance Templates ...............................................................
Managing a Token Issuance Template ........................................................................
Managing Token Validation Templates .............................................................................
About Managing Token Validation Templates..........................................................
Managing Token Validation Templates ......................................................................

45-1
45-2
45-3
45-4
45-5
45-5
45-12
45-13
45-13
45-23

45.5
45.5.1
45.5.2
45.6
45.6.1
45.6.2
45.6.3
45.7
45.7.1
45.7.2
45.8
45.8.1
45.8.2
45.8.3
45.9
45.9.1
45.9.2
45.9.3
45.9.4
45.9.5
45.9.6

Managing Security Token Service Endpoints....................................................................
About Managing Endpoints..........................................................................................
Managing EndPoints ......................................................................................................
Managing Token Issuance Policies, Conditions, and Rules ............................................
About Token Issuance Policies .....................................................................................
About Managing Token Issuance Conditions and Rules .........................................
Managing Token Issuance Policies and Conditions ..................................................
Managing TokenServiceRP Type Resources .....................................................................
About Managing TokenServiceRP Type Resources in Access Manager ................
Managing TokenServiceRP Type Resources in Application Domains ...................
Making Custom Classes Available......................................................................................
About Making Classes Available .................................................................................
About Narrowing a Search for Custom Tokens.........................................................
Managing Custom Tokens ...........................................................................................
Managing a Custom Security Token Service Configuration ...........................................
Creating the Validation Template ................................................................................
Creating the Issuance Template for a Custom Token ...............................................
Adding the Custom Token to a Requester Profile .....................................................
Adding the Custom Token to the Relying Party Profile ...........................................
Mapping the Token to a Requestor..............................................................................
Creating an /wssuser EndPoint ...................................................................................

45-25
45-25
45-26
45-27
45-27
45-27
45-29
45-30
45-32
45-32
45-33
45-33
45-35
45-37
45-38
45-38
45-40
45-42
45-42
45-43
45-44

46 Managing Token Service Partners and Partner Profiles
46.1
46.2
46.2.1
46.2.2
46.3
46.3.1
46.3.2
46.3.3
46.4
46.4.1
46.4.2
46.4.3

Prerequisites .............................................................................................................................
Introduction Token Service Partners and Partner Profiles ................................................
About Token Service Partners ........................................................................................
About Partner Profiles .....................................................................................................
Managing Token Service Partners.........................................................................................
About Managing Token Service Partners .....................................................................
Managing a Token Service Partner ................................................................................
Refining Partner Searches ...............................................................................................
Managing Token Service Partner Profiles ............................................................................
About Managing Partner Profiles ..................................................................................
Managing a Token Service Partner Profile..................................................................
Refining a Profile Search................................................................................................

46-1
46-1
46-1
46-2
46-3
46-3
46-5
46-6
46-7
46-7
46-18
46-19

47 Troubleshooting Security Token Service
47.1
47.2
47.3

Authorization Issues................................................................................................................ 47-1
Endpoint Issues ........................................................................................................................ 47-2
Mapping Operation Issues ..................................................................................................... 47-2

Part XI Managing Oracle Access Management Mobile and Social
48 Understanding Mobile and Social
48.1
Introducing Mobile and Social............................................................................................... 48-1
48.1.1
Installing Mobile and Social ............................................................................................ 48-3

xxvii

48.1.2
Deploying Mobile and Social .......................................................................................... 48-4
48.1.3
Enabling Mobile and Social............................................................................................. 48-5
48.2
Understanding Mobile and Social Services.......................................................................... 48-5
48.2.1
Introducing Authentication Services and Authorization Services ............................ 48-6
48.2.2
Understanding the Mobile and Social Services Authorization Flow........................ 48-7
48.2.3
Understanding Single Sign-on (SSO) for Mobile and Social Services....................... 48-7
48.2.4
Introducing the Mobile and Social Services Client SDK ............................................ 48-9
48.2.5
Introducing User Profile Services................................................................................... 48-9
48.3
Understanding the Mobile and Social Services Processes ............................................... 48-10
48.3.1
Registering a Mobile Device With User Authentication........................................... 48-10
48.3.2
Authenticating a User With a Registered Device....................................................... 48-13
48.3.3
Using REST Calls for User Authentication ................................................................. 48-15
48.3.4
Authenticating the User With a Mobile Browser-Based Web App ......................... 48-16
48.3.5
Authorization Using the Mobile OAuth Authorization Flow ................................. 48-17
48.4
Using Mobile and Social Services ........................................................................................ 48-19
48.4.1
Protecting the Mobile Client Registration Endpoint ................................................. 48-19
48.4.2
Exchanging Credentials ................................................................................................. 48-20
48.4.3
Protecting User Profile Services And Authorization Services ................................. 48-21
48.4.4
Using Mobile and Social Services with Oracle Access Manager ............................. 48-21
48.4.5
Using Mobile and Social Services with Oracle Adaptive Access Manager Services .........
48-22
48.5
Understanding Social Identity ............................................................................................. 48-22
48.6
Understanding Social Identity Processes ........................................................................... 48-23
48.6.1
Authenticating a Returning User With a Local Account .......................................... 48-24
48.6.2
Authenticating a New User With No Local Account ................................................ 48-25
48.6.3
Using OAuth For Access Token Retrieval .................................................................. 48-27
48.6.4
Authenticating a User With Access Manager and Social Identity........................... 48-29
48.6.5
Authenticating a User Locally ...................................................................................... 48-31
48.7
Using Social Identity.............................................................................................................. 48-32
48.7.1
Using Social Identity With Oracle Access Manager .................................................. 48-32
48.7.2
Using Social Identity With Mobile and Social Services............................................. 48-32
48.7.3
Using the Social Identity SDK....................................................................................... 48-33

49 Configuring Mobile and Social Services
49.1
49.2
49.2.1
49.2.2
49.2.3
49.2.4
49.2.5
49.3
49.3.1
49.3.2
49.3.3
49.4
49.4.1

xxviii

Opening the Mobile and Social Services Configuration Page...........................................
Understanding Mobile and Social Services Configuration................................................
Understanding Service Providers ..................................................................................
Understanding Service Profiles ......................................................................................
Understanding Security Handler Plug-ins ...................................................................
Understanding Application Profiles ..............................................................................
Understanding Service Domains....................................................................................
Defining Service Providers .....................................................................................................
Defining, Modifying or Deleting an Authentication Service Provider.....................
Defining, Modifying or Deleting an Authorization Service Provider ....................
Defining, Modifying or Deleting a User Profile Service Provider...........................
Defining Service Profiles.......................................................................................................
Defining, Modifying and Deleting an Authentication Service Profile....................

49-1
49-2
49-2
49-3
49-3
49-4
49-4
49-4
49-5
49-17
49-18
49-22
49-22

49.4.2
49.4.3
49.5
49.5.1
49.5.2
49.5.3
49.6
49.6.1
49.6.2
49.7
49.7.1
49.7.2
49.8
49.8.1
49.8.2
49.9
49.9.1
49.9.2

Defining, Modifying and Deleting an Authorization Service Profile .....................
Defining, Modifying and Deleting a User Profile Service Profile ...........................
Defining Security Handler Plug-ins ....................................................................................
Creating a Security Handler Plug-in............................................................................
Editing or Deleting a Security Handler Plug-in .........................................................
Device Fingerprinting and Device Profile Attributes................................................
Defining Application Profiles ..............................................................................................
Creating an Application Profile....................................................................................
Editing or Deleting an Application Profile .................................................................
Defining Service Domains ....................................................................................................
Creating a Service Domain............................................................................................
Editing or Deleting a Service Domain .........................................................................
Using the Jailbreak Detection Policy ...................................................................................
Adding a New Jailbreak Detection Policy ..................................................................
Editing the Jailbreak Detection Policy .........................................................................
Configuring Mobile and Social Services with Other Oracle Products ...........................
Configuring Mobile and Social Services for Access Manager..................................
Configuring Mobile and Social Services for Oracle Adaptive Access Manager ...

49-24
49-25
49-26
49-27
49-27
49-27
49-28
49-28
49-29
49-30
49-30
49-34
49-34
49-34
49-35
49-36
49-36
49-41

50 Configuring Social Identity
50.1
50.2
50.2.1
50.2.2
50.2.3
50.3
50.3.1
50.3.2
50.3.3
50.3.4
50.4
50.4.1
50.4.2
50.4.3
50.5
50.5.1
50.5.2
50.6
50.7
50.7.1
50.7.2

Opening the Manage Social Identity Page ...........................................................................
Understanding Social Identity Configuration .....................................................................
Understanding Social Identity Providers......................................................................
Understanding Service Provider Interfaces ..................................................................
Understanding Application Profiles ..............................................................................
Defining Social Identity Providers .......................................................................................
Creating a Social Identity Provider ................................................................................
Editing or Deleting a Social Identity Provider .............................................................
Generating the Consumer Key and Consumer Secret for OAuth Providers ...........
Troubleshooting Facebook Social Identity Providers................................................
Defining Service Provider Interfaces ..................................................................................
Creating a Service Provider Interface ..........................................................................
Editing or Deleting an Service Provider Interface .....................................................
Adding a Custom Service Provider Interface Implementation ...............................
Defining Application Profiles ..............................................................................................
Creating an Application Profile....................................................................................
Editing or Deleting an Application Profile .................................................................
Integrating Social Identity With Mobile Applications .....................................................
Linking Social Identity Provider Accounts ........................................................................
Using Social Identity Provider Account Linking .......................................................
Configuring Social Identity Provider Account Linking............................................

50-1
50-2
50-2
50-2
50-2
50-3
50-3
50-7
50-8
50-10
50-11
50-12
50-12
50-12
50-13
50-13
50-16
50-16
50-17
50-18
50-19

51 Configuring Social Identity System Settings
51.1
Accessing the Social Identity Settings Interface .................................................................. 51-1
51.1.1
Understanding the Social Identity Settings Page ........................................................ 51-1
51.2
Logging and Auditing............................................................................................................. 51-2

xxix

51.3
51.4
51.5
51.6
51.7

Part XII

Deploying Mobile and Social With Oracle Access Manager .............................................
Configuring a Webgate to Support Social Identity.............................................................
Configuring Social Identity After Running Test-to-Production Scripts ..........................
Configuring Social Identity for High Availability (HA) ....................................................
Enabling the REST Client to Specify the Tenant Name......................................................

51-2
51-4
51-6
51-7
51-7

Managing the Oracle Access Management OAuth Service

52 Understanding OAuth Services
52.1
52.2
52.2.1
52.2.2
52.3
52.4
52.4.1
52.4.2
52.4.3
52.4.4
52.4.5
52.4.6
52.4.7
52.4.8
52.4.9
52.5
52.5.1
52.5.2
52.5.3
52.6
52.7
52.8
52.8.1
52.8.2
52.8.3
52.9

Using Oracle Access Management OAuth Services ...........................................................
Understanding OAuth Services Authorization for Web Clients ......................................
Understanding 3-Legged Authorization.......................................................................
Understanding 2-Legged Authorization.......................................................................
Understanding OAuth Services Authorization for Mobile Clients ..................................
Understanding the OAuth Services Components.............................................................
Understanding Identity Domains ................................................................................
Understanding Service Profiles ....................................................................................
Understanding Clients ...................................................................................................
Understanding Service Providers ................................................................................
Understanding Resource Servers .................................................................................
Understanding Plug-Ins ................................................................................................
Understanding Server Settings .....................................................................................
Understanding Jailbreak Detection Policy ..................................................................
Understanding Token Life Cycle Management .........................................................
Understanding OAuth Services Tokens .............................................................................
Understanding OAuth Services Access Tokens .........................................................
Understanding OAuth Services Refresh Tokens .......................................................
Understanding Mobile OAuth Services Client Tokens.............................................
Understanding the Authorization and Authentication Endpoints ................................
Enforcing Access Control......................................................................................................
Understanding Mobile OAuth Services Server-Side Single Sign-on..............................
Understanding the Server-Side Single Sign-On Credential Collection Options ..
Understanding Server-Side SSO For Mobile OAuth Services 3-Legged Flows.....
Understanding Server-Side SSO For Mobile OAuth Services 2-Legged Flows.....
Understanding OAuth Services Plug-ins ...........................................................................

52-1
52-2
52-3
52-4
52-5
52-10
52-10
52-10
52-11
52-12
52-13
52-17
52-18
52-18
52-18
52-18
52-19
52-20
52-20
52-20
52-21
52-21
52-22
52-22
52-24
52-25

53 Configuring OAuth Services
53.1
Enabling OAuth Services ........................................................................................................
53.2
Configuring OAuth Services Components in an Identity Domain ..................................
53.3
Configuring OAuth Services Settings ...................................................................................
53.3.1
Configuring Identity Domains ......................................................................................
53.3.2
Configuring Service Profiles ..........................................................................................
53.3.3
Configuring Clients ........................................................................................................
53.3.4
Configuring the Service Provider.................................................................................
53.3.5
Configuring Custom Resource Servers .......................................................................
53.3.6
Configuring User Profile Services ...............................................................................

xxx

53-1
53-2
53-3
53-4
53-6
53-12
53-18
53-20
53-22

53.3.7
Configuring Consent Management Services ..............................................................
53.3.8
Configuring Plug-Ins......................................................................................................
53.3.9
Configuring Server Settings ..........................................................................................
53.3.10
Configuring the Jailbreak Detection Policy ................................................................
53.3.11
Configuring Token Life Cycle Management ..............................................................
53.4
Configuring OAuth Services for Third-Party JWT Bearer Assertions ...........................
53.4.1
Understanding the Default Service Profile Keystore ................................................
53.4.2
Creating a Non-Default Keystore for a Service Profile .............................................
53.4.3
Configuring a Third-Party JWT Trust Issuer..............................................................
53.5
Configuring a WebGate to Protect OAuth Services..........................................................
53.6
Configuring OAM Session Synchronization......................................................................
53.7
Configuring Mobile OAuth for SSO Servlet Authentication...........................................
53.7.1
Configuring OAM and Your App to use the Mobile SSO Servlet...........................
53.7.2
Configuring the MobileSSOServlet Authentication Scheme....................................
53.8
Configuring the Mobile Security Manager Plug-in ..........................................................

53-25
53-27
53-28
53-29
53-30
53-31
53-31
53-32
53-36
53-37
53-39
53-40
53-40
53-41
53-43

Part XIII Managing Oracle Access Management Oracle Access Portal
54 Configuring the Access Portal Service
54.1
Prerequisites for Deploying the Access Portal Service....................................................... 54-1
54.2
Overview of the Access Portal Service Deployment Process ............................................ 54-2
54.3
Deploying the Access Portal Service..................................................................................... 54-3
54.3.1
Deploying the Java Cryptography Extension Policy Files.......................................... 54-4
54.3.2
Creating the Identity Store Configuration File............................................................. 54-4
54.3.3
Creating the Oracle Access Manager Configuration File ........................................... 54-7
54.3.4
Understanding the Access Portal Service Repository Objects ................................. 54-10
54.3.5
Preparing and Enabling the Access Portal Service on an Oracle Repository ........ 54-11
54.3.6
Preparing and Enabling the Access Portal Service on Microsoft Active Directory ..........
54-13
54.3.7
(Active Directory Only) Deploying the OAMAgent Web Application .................. 54-17
54.3.8
Setting the Policy Cache Refresh Interval ................................................................... 54-19
54.3.9
Integrating with Oracle Privileged Account Manager.............................................. 54-19
54.3.10
Deploying the Oracle Traffic Director Administration Server................................. 54-22
54.3.11
Deploying the Webgate Binaries and Secure Trust Artifacts ................................... 54-23
54.3.12
(Optional) Configuring the ESSOProvisioning Plugin ............................................. 54-24
54.3.13
Creating an Oracle Traffic Director Configuration.................................................... 54-24
54.3.14
Protecting the Oracle Traffic Director Instance with the Webgate Plugin ............. 54-25
54.3.15
(Optional) Enabling the Detached Credential Collector for the Target Webgate . 54-26
54.3.16
Configuring Logon Manager for Compatibility with the Access Portal Service... 54-28
54.4
Enabling Form-Fill Single Sign-On for an Application .................................................... 54-29
54.4.1
Configuring a Form-Fill Application Policy ............................................................... 54-29
54.4.2
Configuring Proxy Rules for an Oracle Access Portal Application......................... 54-33
54.4.3
Configuring the Webgate Request Filtering ............................................................... 54-41
54.5
Adding a Federated Partner Provider Application .......................................................... 54-46
54.6
Adding an Oracle SSO Agent Application......................................................................... 54-47
54.7
Creating an Application Configuration Package .............................................................. 54-47
54.7.1
Contents of the Application Configuration Package................................................. 54-47

xxxi

54.7.2
Required Environment-Specific Configuration Data ................................................
54.7.3
Customizing an Application Configuration Package to the Target Environment
54.7.4
Generating the Customized Application Configuration Package...........................
54.7.5
Deploying the Customized Application Configuration Package ............................
54.8
Managing Password Generation Policies...........................................................................
54.8.1
Searching for Password Generation Policies ..............................................................
54.8.2
Creating Password Generation Policies ......................................................................
54.8.3
Managing Policy Subscribers ........................................................................................
54.9
Managing Credential Sharing Groups................................................................................
54.9.1
Searching for Credential Sharing Groups ...................................................................
54.9.2
Creating Credential Sharing Groups ...........................................................................
54.9.3
Managing Applications in Credential Sharing Groups ............................................
54.10 Managing Global Agent Settings.........................................................................................
54.10.1
Searching for Sets of Global Agent Settings................................................................
54.10.2
Importing an INI File with a Global Agent Settings Configuration........................
54.10.3
Creating a Set of Global Agent Settings ......................................................................

54-48
54-48
54-50
54-50
54-51
54-51
54-52
54-54
54-55
54-56
54-56
54-58
54-59
54-60
54-60
54-60

Part XIV Using Identity Context
55 Using Identity Context
55.1
55.2
55.3
55.3.1
55.3.2
55.4
55.5
55.5.1
55.5.2
55.5.3
55.5.4
55.5.5
55.5.6
55.5.7
55.6

Part XV

Introducing Identity Context .................................................................................................
Understanding Identity Context............................................................................................
Working With the Identity Context Service.........................................................................
Using the Identity Context Dictionary ..........................................................................
Understanding Identity Context Runtime ....................................................................
Using the Identity Context API..............................................................................................
Configuring the Identity Context Service Components...................................................
Configuring Oracle Fusion Middleware .....................................................................
Configuring Access Manager........................................................................................
Configuring Oracle Adaptive Access Manager..........................................................
Configuring Web Service Security Manager ..............................................................
Configuring Oracle Entitlements Server .....................................................................
Configuring Oracle Enterprise Single Sign On ..........................................................
Configuring Oracle Access Management Mobile and Social ...................................
Validating Identity Context..................................................................................................

55-1
55-3
55-4
55-4
55-7
55-9
55-11
55-11
55-12
55-13
55-15
55-15
55-16
55-17
55-18

Integrating Access Manager with Other Products

56 Integrating RSA SecurID Authentication with Access Manager
56.1
Introduction to Access Manager and RSA SecurID Authentication ................................
56.2
Components Required for SecurID Authentication ...........................................................
56.2.1
Supported Versions and Platforms ................................................................................
56.2.2
Required RSA Components ............................................................................................
56.2.3
Installation and Configuration Requirements..............................................................
56.3
SecurID Authentication Modes..............................................................................................
56.3.1
Standard SecurID Authentication ..................................................................................

xxxii

56-1
56-3
56-3
56-3
56-4
56-5
56-5

56.3.2
SecurID Next Tokencode Authentication .....................................................................
56.3.3
SecurID New PIN Authentication..................................................................................
56.4
Configuring Access Manager for RSA SecurID Authentication .......................................
56.5
Running a Custom RSA Plug-in ..........................................................................................

56-6
56-6
56-6
56-10

57 Configuring Access Manager for Windows Native Authentication
57.1
Introducing Access Manager with Windows Native Authentication..............................
57.1.1
Understanding Access Manager WNA Login and Fall Back Authentication .........
57.1.2
Understanding Supported Kerberos Authentication Modules .................................
57.2
Preparing Your Active Directory/Kerberos Topology ......................................................
57.3
Confirming Access Manager Operations ...........................................................................
57.4
Enabling the Browser to Return Kerberos Tokens ...........................................................
57.4.1
Enabling Kerberos Tokens in Internet Explorer.........................................................
57.4.2
Enabling Kerberos Tokens in Mozilla Firefox ............................................................
57.5
Integrating KerberosPlugin with Oracle Virtual Directory .............................................
57.5.1
Preparing Oracle Virtual Directory for Integration ...................................................
57.5.2
Registering Oracle Virtual Directory as the Default Store for WNA ......................
57.5.3
Setting Up Authentication with Access Manager KerberosPlugin and OVD .......
57.6
Integrating the KerberosPlugin with Search Failover ......................................................
57.6.1
Registering Microsoft Active Directory Instances with Access Manager ..............
57.6.2
Setting Up the KerberosPlugin for ADGCs ................................................................
57.7
Configuring Access Manager for Windows Native Authentication ..............................
57.7.1
Creating the Authentication Scheme for Windows Native Authentication ..........
57.7.2
Configuring Policies for Windows Native Authentication ......................................
57.7.3
Configuring WNA for NTLM Fallback .......................................................................
57.7.4
Verifying the Access Manager Configuration File.....................................................
57.8
Validating WNA with Access Manager Protected Resources ........................................
57.9
Configuring WNA For Use With DCC ...............................................................................
57.9.1
Initializing the Kerberos Protocol.................................................................................
57.9.2
Configuring Access Manager........................................................................................
57.10 Troubleshooting WNA Configuration................................................................................
57.10.1
Kinit Fails .........................................................................................................................
57.10.2
"An Incorrect Username or Password was Specified" Is Displayed ......................
57.10.3
User Identity Store is Not Registered Correctly.........................................................
57.10.4
Two BASIC Authentication Prompts Are Displayed ................................................

57-1
57-2
57-4
57-5
57-10
57-10
57-10
57-11
57-11
57-11
57-12
57-13
57-14
57-15
57-15
57-17
57-18
57-18
57-19
57-19
57-20
57-20
57-21
57-22
57-23
57-23
57-23
57-24
57-24

58 Integrating JBoss with Access Manager
58.1
Overview of JBoss Integration with Access Manager ........................................................
58.1.1
Understanding the Configuration of and Processing by the JBoss Agent ...............
58.1.2
Understanding the Configuration of and Processing by the Login Module ...........
58.1.3
Understanding the Login Module Process in usernamePassword Mode................
58.1.4
Understanding the Login Module Process in tokenBased Mode ..............................
58.2
Understanding the Integration Topology ...........................................................................
58.2.1
Topology: Access Manager with JBoss Agent .............................................................
58.2.2
Topology: JBoss Agent Behind Web Server Configured with WebGate ..................
58.2.3
Sample Integration Topology .........................................................................................

58-1
58-2
58-3
58-4
58-5
58-5
58-5
58-6
58-6

xxxiii

58.3
58.4
58.5
58.5.1
58.5.2
58.6
58.6.1
58.6.2
58.6.3
58.6.4
58.7
58.8
58.8.1
58.8.2
58.9
58.9.1
58.9.2
58.10
58.11

Preparing Your Environment for JBoss 6.x Integration .....................................................
Preparing Your Environment for JBoss 5.x Integration .....................................................
Protecting JBoss-Specific Resources ....................................................................................
Registering the JBoss Agent with Automatic Policy Creation .................................
Creating a Custom Policy for JBoss Resource Protection .........................................
Protecting Web Applications with the JBoss Agent..........................................................
Creating Configuration Properties for the JBoss Agent............................................
Configuring the Authentication Valve ........................................................................
Mapping the Filter in the Application's web.xml File...............................................
Configuring the JBoss Login Module to Use Access Manager Policies..................
Configuring JBoss Server to Access a Host Name (not localhost) ..................................
Configuring the Login Module to Secure EJBs..................................................................
Configuring the Server to Secure EJBs ........................................................................
Configuring the Client Side for Login Module to Secure EJBs ................................
Configuring the Login Module to Secure Web Service Access .......................................
Configuring the Server to Secure Web Services Access ............................................
Configuring the Client to Secure Web Services Access.............................................
Configuring Logging for the JBoss Agent and Login Module ........................................
Validating Your Configuration ............................................................................................

58-7
58-9
58-10
58-10
58-12
58-13
58-13
58-14
58-15
58-15
58-16
58-16
58-17
58-18
58-19
58-19
58-21
58-21
58-21

59 Integrating Microsoft SharePoint Server with Access Manager
59.1
What is Supported in This Release? ......................................................................................
59.2
Introduction to Integrating With the SharePoint Server ...................................................
59.2.1
About Windows Impersonation .....................................................................................
59.2.2
About Form Based Authentication With This Integration .........................................
59.2.3
About Authentication With Windows Impersonation and SharePoint Server
Integration 59-4
59.2.4
About Access Manager and Windows Native Authentication..................................
59.3
Integration Requirements .......................................................................................................
59.3.1
Confirming Requirements ...............................................................................................
59.3.2
Required Access Manager Components .......................................................................
59.3.3
Required Microsoft Components ...................................................................................
59.4
Preparing for Integration With SharePoint Server..............................................................
59.5
Integrating With Microsoft SharePoint Server ..................................................................
59.5.1
Creating a New Web Application in Microsoft SharePoint Server .........................
59.5.2
Creating a New Site Collection for Microsoft SharePoint Server ............................
59.6
Setting Up Microsoft Windows Impersonation ...............................................................
59.6.1
Creating Trusted User Accounts ..................................................................................
59.6.2
Assigning Rights to the Trusted User..........................................................................
59.6.3
Binding the Trusted User to Your WebGate...............................................................
59.6.4
Adding an Impersonation Response to an Authorization Policy............................
59.6.5
Adding an Impersonation DLL to IIS ..........................................................................
59.6.6
Testing Impersonation ...................................................................................................
59.7
Completing the SharePoint Server Integration..................................................................
59.7.1
Configuring IIS Security ................................................................................................
59.8
Integrating With Microsoft SharePoint Server Configured With LDAP Membership
Provider 59-23

xxxiv

59-1
59-2
59-3
59-3

59-5
59-6
59-6
59-6
59-7
59-8
59-10
59-11
59-13
59-14
59-15
59-15
59-16
59-17
59-18
59-20
59-22
59-23

About Integrating With Microsoft SharePoint Server Configured With LDAP
Membership Provider 59-24
59.8.2
Installing Access Manager for Microsoft SharePoint Server Configured With LDAP
Membership Provider 59-25
59.8.3
Configuring an Authentication Scheme for Use With LDAP Membership Provider .......
59-26
59.8.4
Updating the Application Domain Protecting the SharePoint Web Site................ 59-27
59.8.5
Creating an Authorization Response for Header Variable SP_SSO_UID ............. 59-28
59.8.6
Creating an Authorization Response for the OAMAuthCookie ............................. 59-29
59.8.7
Configuring and Deploying OAMCustomMembershipProvider ........................... 59-29
59.8.8
Enabling Logging for CustomMemberShipProvider ................................................ 59-32
59.8.9
Ensuring Directory Servers are Synchronized ........................................................... 59-32
59.8.10
Testing the Integration ................................................................................................... 59-32
59.9
Configuring Single Sign-On for Office Documents .......................................................... 59-32
59.10 Configuring Single Sign-off for Microsoft SharePoint Server ......................................... 59-33
59.10.1
Configuring a Custom Logout URL in SharePoint Server ....................................... 59-33
59.10.2
Configuring Logout in SharePoint Server With Impersonation.............................. 59-34
59.11 Setting Up Access Manager and Windows Native Authentication ............................... 59-34
59.11.1
Setting Up Access Manager WNA ............................................................................... 59-34
59.11.2
Setting Up WNA With SharePoint Server................................................................... 59-35
59.11.3
Installing Access Manager for WNA and SharePoint Server................................... 59-35
59.11.4
Testing Your WNA Implementation ........................................................................... 59-37
59.12 Synchronizing User Profiles Between Directories ............................................................ 59-37
59.13 Testing Your Integration....................................................................................................... 59-37
59.13.1
Testing the SharePoint Server Integration .................................................................. 59-37
59.13.2
Testing Single Sign-On for the SharePoint Server Integration................................. 59-38
59.14 Troubleshooting ..................................................................................................................... 59-38
59.14.1
Internet Explorer File Downloads Over SSL Might Not Work................................ 59-38
59.8.1

60

Integrating Access Manager with Outlook Web Application
60.1
60.2
60.2.1
60.2.2
60.2.3
60.2.4
60.3
60.3.1
60.3.2
60.3.3
60.3.4
60.3.5
60.3.6
60.3.7
60.4
60.4.1
60.4.2

What is New in This Release? ................................................................................................
Introduction to Integration with Outlook Web Application .............................................
About Impersonation Provided by Microsoft Windows ............................................
About Access Manager 11g Support for Windows Impersonation ..........................
About Single Sign-On for Authenticated Access Manager Users into Exchange ...
About Confirming Requirements...................................................................................
Enabling Impersonation With a Header Variable...............................................................
Requirements for Impersonation with a Header Variable .........................................
Creating an Impersonator as a Trusted User................................................................
Assigning Rights to the Trusted User............................................................................
Binding the Trusted User to Your WebGate.................................................................
Adding an Impersonation Response to An Application Domain .............................
Adding an Impersonation DLL to IIS ............................................................................
Testing Impersonation .....................................................................................................
Setting Up Impersonation for Outlook Web Application (OWA)..................................
Prerequisites to Setting Impersonation for Outlook Web Application...................
Creating a Trusted User Account for Outlook Web Application ............................

60-1
60-1
60-2
60-2
60-2
60-3
60-3
60-3
60-4
60-5
60-6
60-6
60-7
60-8
60-10
60-10
60-11

xxxv

Assigning Rights to the Outlook Web Application Trusted User ...........................
Binding the Trusted Outlook Web Application User to Your WebGate ................
Adding an Impersonation Action to an Application Domain for Outlook Web
Application 60-12
60.4.6
Adding an Impersonation dll to IIS .............................................................................
60.4.7
Configuring IIS Security ................................................................................................
60.4.8
Testing Impersonation for Outlook Web Application ..............................................
60.5
Setting Up Access Manager WNA for Outlook Web Application .................................
60.4.3
60.4.4
60.4.5

60-11
60-11

60-13
60-13
60-14
60-15

61 Integrating Microsoft Forefront Threat Management Gateway 2010 with
Access Manager
61.1
61.2
61.2.1
61.2.2
61.3
61.3.1
61.3.2
61.3.3
61.4
61.4.1
61.4.2
61.5
61.5.1
61.5.2
61.5.3
61.6
61.7
61.8

What is New in This Release? ................................................................................................
Introduction to Integration with TMG Server 2010 ............................................................
About This Integration.....................................................................................................
About Confirming Certification Requirements............................................................
Creating a Forefront TMG Policy and Rules........................................................................
Creating a Custom Policy for Forefront TMG ..............................................................
Creating a Forefront TMG Firewall Policy Rule ..........................................................
Verifying Forefront TMG Proxy Configuration ...........................................................
Installing and Configuring 10g Webgate for Forefront TMG Server ..............................
Installing 10g Webgate with TMG Server .....................................................................
Changing /access Directory Permissions ....................................................................
Configuring the TMG 2010 Server for the ISAPI 10g Webgate.........................................
Registering Access Manager Plug-ins as TMG Server Web Filters ...........................
Ordering the ISAPI Filters ...............................................................................................
Verifying Form-based Authentication...........................................................................
Starting, Stopping, and Restarting the TMG Server ..........................................................
Removing Access Manager Filters Before WebGate Uninstall on TMG Server .............
Troubleshooting .......................................................................................................................

61-1
61-1
61-1
61-2
61-2
61-2
61-3
61-5
61-6
61-6
61-6
61-7
61-7
61-7
61-8
61-8
61-9
61-9

62 Integrating Access Manager with SAP NetWeaver Enterprise Portal
62.1
62.2
62.3
62.3.1
62.4
62.4.1
62.4.2
62.4.3
62.4.4
62.4.5
62.5
62.5.1
62.5.2
62.5.3
62.5.4
62.5.5
xxxvi

What is Supported in This Release? ......................................................................................
Supported Versions and Platforms .......................................................................................
Integration Architecture..........................................................................................................
Process Overview: Integration with SAP NetWeaver Enterprise Portal..................
Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x........
Before You Begin...............................................................................................................
Configuring the Apache HTTP Server as a Proxy ......................................................
Configuring SAP NetWeaver Enterprise Portal for External Authentication .........
Adjusting the Login Module Stacks for using Header Variables ..............................
Configuring Access Manager for SAP Enterprise Portal ...........................................
Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.4.x........
Before You Begin...............................................................................................................
Configuring Access Manager for SAP NetWeaver Enterprise Portal 7.4.x..............
Configuring Apache Web Server 2.0.x or 2.2.x...........................................................
Configuring SAP Enterprise Portal 7.4 for External Authentication ......................
Adjusting the Login Module Stacks for Using Header Variables ...........................

62-1
62-1
62-2
62-2
62-3
62-3
62-4
62-5
62-6
62-7
62-8
62-8
62-8
62-10
62-11
62-13

62.6
62.7

Testing the Integration .......................................................................................................... 62-13
Troubleshooting the Integration .......................................................................................... 62-14

63 Integrating Oracle Access Manager with SAP NetWeaver Enterprise Portal
Using OpenSSO Policy Agent 2.2
63.1
63.2
63.3
63.3.1
63.4
63.5
63.6
63.7
63.8
63.9
63.10
63.11
63.12
63.13

What is Supported in This Release? ......................................................................................
Registering the OpenSSO Agent............................................................................................
Installing the OpenSSO Policy Agent 2.2 on SAP Enterprise Portal ................................
Post-Installation Steps ......................................................................................................
Deploying the Agent Software Delivery Archive ...............................................................
Making a Class Loader Reference to the Login Module ....................................................
Modifying the SAP Enterprise Portal 7.0 / Web Application Server 7.0 Class Path .....
Deploying and Starting the Agentapp.war File ..................................................................
Using Telnet to Create a Reference Between agentapp and Library AmSAPAgent2.2.
Adding the Login Module to the Stack.................................................................................
Modifying the Login Module Stack ......................................................................................
Updating the ume.logoff.redirect.uri....................................................................................
Configuring the AMAgent.properties File...........................................................................
Testing the Integration ...........................................................................................................

63-1
63-2
63-3
63-3
63-4
63-4
63-5
63-5
63-5
63-6
63-6
63-6
63-7
63-7

Part XVI Appendixes
A Integrating Oracle ADF Applications with Access Manager SSO
A.1
A.1.1
A.1.2
A.2
A.2.1
A.2.2
A.3
A.3.1
A.3.2
A.4

Introducing Oracle Platform Security Services and Oracle Application Developer
Framework A-1
Oracle Platform Security Services Single Sign-on Framework .................................... A-1
Oracle Application Developer Framework..................................................................... A-2
Integrating Access Manager With Web Applications Using Oracle ADF Security and the
OPSS SSO Framework A-3
Sample SSO Configuration for Access Manager............................................................ A-4
SSO Provider Configuration Details ................................................................................ A-6
Configuring Centralized Logout for Oracle ADF-Coded Applications ............................ A-7
About Centralized Logout Processing for Applications Coded to Oracle ADF
Standards A-7
Configuring Centralized Logout for ADF-Coded Applications with Access Manager....
A-8
Confirming Application-Driven Authentication During Runtime .................................. A-10

B Internationalization and Multibyte Data Support for 10g WebGates
B.1
B.1.1
B.1.2
B.1.3

Introduction to Internationalization and Multibyte Data Support ....................................
Languages For Localized Messages ................................................................................
Bi-directional Language Support .....................................................................................
UTF-8 Encoding ..................................................................................................................

B-1
B-1
B-3
B-3

C Securing Communication
C.1

Prerequisites ............................................................................................................................... C-1

xxxvii

C.2
C.2.1
C.2.2
C.2.3
C.3
C.4
C.4.1
C.4.2
C.4.3
C.4.4
C.4.5
C.4.6
C.4.7
C.5
C.5.1
C.5.2
C.5.3
C.5.4

Securing Communication Between OAM Servers and WebGates ..................................... C-1
About Certificates, Authorities, and Encryption Keys.................................................. C-3
About Security Modes and X509Scheme Authentication ............................................ C-4
About the Importcert Tool................................................................................................. C-4
Generating Client Keystores for OAM Tester in Cert Mode ............................................... C-5
Configuring Cert Mode Communication for Access Manager ........................................... C-6
About Cert Mode Encryption and Files .......................................................................... C-6
Generating a Certificate Request and Private Key for OAM Server ........................... C-7
Retrieving the OAM Keystore Alias and Password ..................................................... C-7
Importing the Trusted, Signed Certificate Chain Into the Keystore ........................... C-8
Adding Certificate Details to Access Manager Settings.............................................. C-10
Generating a Private Key and Certificate Request for WebGates ............................. C-11
Updating WebGate to Use Certificates.......................................................................... C-12
Configuring Simple Mode Communication with Access Manager ................................. C-13
About Simple Mode, Encryption, and Keys ................................................................. C-14
Retrieving the Global Passphrase for Simple Mode .................................................... C-14
Updating WebGate Registration for Simple Mode...................................................... C-15
Verifying Simple Mode Configuration.......................................................................... C-16

D Reviewing Bundled, Generated, and Migrated Artifacts
D.1
D.1.1
D.1.2
D.1.3
D.1.4
D.1.5
D.2
D.2.1
D.2.2
D.2.3
D.2.4
D.2.5
D.2.6
D.3
D.3.1
D.3.2
D.3.3
D.3.4
D.3.5
D.3.6
D.3.7
D.3.8

Bundled 10g IAMSuiteAgent Artifacts................................................................................... D-1
Pre-Registered 10g IAMSuiteAgent ................................................................................ D-1
IAMSuiteAgent Security Provider Settings, WebLogic Administration Console..... D-2
IAMSuiteAgent Registration............................................................................................. D-2
Resources Protected by IAMSuiteAgent ......................................................................... D-4
Pre-seeded IAM Suite Application Domain and Policies ............................................. D-5
Generated Artifacts: OpenSSO............................................................................................... D-10
Generated OpenSSOAgentAuthPlugin ......................................................................... D-10
Generated Host Identifier: OpenSSOAgent1................................................................ D-11
Generated Application Domain: OpenSSOAgent1 ..................................................... D-11
Generated Resources: OpenSSOAgent1 ........................................................................ D-12
Generated Authentication Policy: OpenSSOAgent Application Domain ................ D-12
Generated Authorization Policy: OpenSSOAgent Application Domain ................. D-13
Migrated Artifacts: OpenSSO................................................................................................. D-13
Migrated User Identity Store: OpenSSOAgent1 .......................................................... D-14
Migrated Agents: OpenSSOAgent1 ............................................................................... D-15
Migrated Authentication Module: OpenSSOAgent1 .................................................. D-16
Migrated Host Identifier: OpenSSOAgent1.................................................................. D-16
Migrated Application Domain: OpenSSOAgent1........................................................ D-16
Migrated Resources: OpenSSOAgent1 .......................................................................... D-17
Migrated Authentication Policy: OpenSSOAgent1 ..................................................... D-17
Migrated Authorization Policy: OpenSSOAgent1....................................................... D-18

E Troubleshooting
E.1
E.1.1
E.1.2
xxxviii

Introduction to Oracle Access Management Troubleshooting ........................................... E-2
About System Analysis and Problem Scenarios ............................................................ E-2
About LDAP Server or Identity Store Issues .................................................................. E-3

E.1.3
E.1.4
E.1.5
E.1.6
E.1.7
E.2
E.3
E.4
E.5
E.6
E.7
E.8
E.9
E.9.1
E.9.2
E.9.3
E.9.4
E.10
E.10.1
E.10.2
E.10.3
E.11
E.12
E.12.1
E.13
E.14
E.15
E.15.1
E.15.2
E.15.3
E.16
E.16.1
E.16.2
E.17
E.17.1
E.17.2
E.17.3
E.18
E.19
E.20
E.20.1
E.20.2
E.20.3
E.20.4
E.20.5
E.21

About OAM Server or Host Issues................................................................................... E-4
About Agent-Side Configuration and Load Issues........................................................ E-4
About Runtime Database (Audit or Session Data) Issues ............................................ E-5
About Change Propagation or Activation Issues .......................................................... E-5
About Policy Store Database Issues ................................................................................. E-6
Using My Oracle Support for Additional Troubleshooting Information .......................... E-6
Administrator Lockout.............................................................................................................. E-6
Error During Federation Configuration After Upgrade from PS1 to PS2 ......................... E-7
Oracle Access Management Console Inconsistent State ...................................................... E-7
AdminServer Won't Start if the Wrong Java Path Given with WebLogic Server Installation
E-8
Agent Naming Not Unique ...................................................................................................... E-8
Application URL Requirements............................................................................................... E-8
Authentication Issues ................................................................................................................ E-9
Anonymous Authentication Issues.................................................................................. E-9
X.509Scheme and SSL Handshake Issues........................................................................ E-9
X.509 Protected Resource and Single Sign Off ............................................................. E-10
X509CredentialExtractor Certificate Validation Error ................................................ E-11
Authorization Issues................................................................................................................ E-11
Authorization Condition Error ....................................................................................... E-11
LDAP Search Filter Test Results ..................................................................................... E-11
Authorization Header Response Names....................................................................... E-12
Cannot Access Authentication LDAP or Database............................................................. E-12
Cannot Find Configuration .................................................................................................... E-12
Configuration Does Not Exist ........................................................................................ E-12
Co-existence Between OSSO and Access Manager............................................................. E-13
Could Not Find Partial Trigger.............................................................................................. E-13
Denial of Service Attacks ........................................................................................................ E-13
Protecting the OAM Server from Crashing Under Load............................................ E-14
Compensating for Network Latency ............................................................................ E-15
Protecting OAM Servers from a Flood of HTTP Requests ......................................... E-15
Deployments with Freshly Installed 10g Webgates............................................................ E-15
Authentication Issues with 10g Webgates .................................................................... E-16
Logout Issues with 10g Webgates .................................................................................. E-16
Diagnosing Initialization and Performance Issues ............................................................. E-16
Diagnosing an Initialization Issue.................................................................................. E-16
Diagnosing a Performance Issue .................................................................................... E-17
Diagnosing Out-of-Memory Issues With a Heap Dump ............................................ E-17
Disabling Windows Challenge/Response Authentication on IIS Web Servers ............. E-18
Changing UserIdentityStore1 Type Can Lock Out Administrators................................. E-18
IIS Web Server Issues .............................................................................................................. E-18
Form Authentication or Pass-Through Not Working ................................................. E-19
IIS and General Web Component Guidelines .............................................................. E-19
Issues with IIS v6 Web Servers ....................................................................................... E-19
Page Cannot Be Displayed Error.................................................................................... E-20
Removing and Reinstalling IIS DLLs............................................................................. E-20
Import and File Upload Limits .............................................................................................. E-21

xxxix

jps Logger Class Instantiation Warning is Logged on Authentication ............................ E-21
Internationalization, Languages, and Translation .............................................................. E-21
Automatically Generated Descriptions Are Not Translated...................................... E-22
Console Looks Messy ...................................................................................................... E-22
Authentication Fails: Users with Non-ASCII Characters ........................................... E-22
Access Tester Does Not Work with Non-ASCII Agent Names ................................. E-22
Locales, Languages, and Oracle Access Management Console Login Page ............ E-22
Login Failure for a Protected Page ........................................................................................ E-23
OAM Metric Persistence Timer IllegalStateException: SafeCluster ................................ E-23
Partial Cluster Failure and Intermittent Login and Logout Failures ............................... E-24
RSA SecurID Issues and Logs ................................................................................................ E-24
Registration Issues ................................................................................................................... E-25
Rowkey does not have any primary key attributes Error.................................................. E-25
SELinux Issues.......................................................................................................................... E-25
Session Issues............................................................................................................................ E-26
Session Impersonation Not Enabled by Default .......................................................... E-26
Sessions with Oracle Access Manager 11.1.1 Integrated with Oracle Identity Federation
11.1.1 E-27
E.32
SSL versus Open Communication......................................................................................... E-27
E.33
Start Up Issues .......................................................................................................................... E-27
E.34
Synchronizing OAM Server Clocks ...................................................................................... E-28
E.35
Using Coherence ..................................................................................................................... E-29
E.36
Validation Errors...................................................................................................................... E-30
E.37
Web Server Issues .................................................................................................................... E-30
E.37.1
Server Fails on an Apache Web Server.......................................................................... E-31
E.37.2
Apache v2 on HP-UX ....................................................................................................... E-31
E.37.3
Apache v2 Bundled with Red Hat Enterprise Linux 4................................................ E-31
E.37.4
Apache v2 Bundled with Security-Enhanced Linux ................................................... E-31
E.37.5
Apache v2 on UNIX with the mpm_worker_module for Webgate .......................... E-32
E.37.6
Domino Web Server Issues.............................................................................................. E-33
E.37.7
Errors, Loss of Access, and Unpredictable Behavior................................................... E-33
E.37.8
Known Issues for ISA Web Server ................................................................................. E-33
E.37.9
Oracle HTTP Server Fails to Start with LinuxThreads................................................ E-34
E.37.10
Oracle HTTP Server Webgate Fails to Initialize On Linux Red Hat 4 ...................... E-34
E.37.11
Oracle HTTP Server Web Server Configuration File Issue......................................... E-35
E.37.12
Issues with IIS v6 Web Servers ....................................................................................... E-35
E.37.13
PCLOSE Error When Starting Sun Web Server............................................................ E-36
E.37.14
Removing and Reinstalling IIS DLLs............................................................................. E-36
E.38
Windows Native Authentication........................................................................................... E-36
E.22
E.23
E.23.1
E.23.2
E.23.3
E.23.4
E.23.5
E.24
E.25
E.26
E.27
E.28
E.29
E.30
E.31
E.31.1
E.31.2

xl

List of Figures
1–1
1–2
1–3
2–1
2–2
2–3
3–1
3–2
3–3
3–4
3–5
3–6
5–1
5–2
5–3
5–4
5–5
5–6
6–1
8–1
8–2
9–1
11–1
11–2
11–3
11–4
11–5
11–6
11–7
11–8
11–9
11–10
11–11
11–12
11–13
12–1
12–2
12–3
12–4
12–5
12–6
12–7
12–8
12–9
12–10
12–11
12–12
12–13
12–14
12–15
12–16
12–17
12–18
12–19

Oracle Access Management Overview .................................................................................... 1-2
Access Manager 11g Components and Services..................................................................... 1-5
Access Manager 11g Component Distribution....................................................................... 1-5
Oracle Access Management Administrator Launch Pad ...................................................... 2-6
Self Service Launch Pad ............................................................................................................. 2-7
SSO Agent Search Page ........................................................................................................... 2-11
Oracle Access Management Configuration Options ............................................................. 3-2
Available Services ....................................................................................................................... 3-3
Common Settings Page (Collapsed View)............................................................................... 3-5
Common Coherence Settings .................................................................................................... 3-7
Certificate Revocation List Dialog Box .................................................................................... 3-8
OCSP/CDP Settings ................................................................................................................... 3-9
Creating User Identity Store Registration .............................................................................. 5-9
System Store Registration ...................................................................................................... 5-12
Identity Directory Service Console Page .............................................................................. 5-16
Create IDS Profile Page ........................................................................................................... 5-18
Create IDS Repository Page ................................................................................................... 5-25
Add System Administrator Roles.......................................................................................... 5-27
OAM Server Registration Page with Proxy Tab Displayed ................................................. 6-5
Audit to Database Architecture ................................................................................................ 8-4
Common Settings: Auditing Configuration......................................................................... 8-23
Log-Level Activation in the Default Log Configuration File ............................................ 9-21
Server Processes Overview Page ........................................................................................... 11-3
OAM Server Metrics: Session Operations Monitoring Page ............................................. 11-4
OAM Server Metrics: Server Operations Tab ...................................................................... 11-5
OAM Server Metrics: WebGates Tab .................................................................................... 11-6
Webgate Metrics: Connectivity Table .................................................................................. 11-7
Webgate Metrics: Operations Overview Table ................................................................... 11-7
Webgate Metrics: Operations Detail Table .......................................................................... 11-7
Webgate Metrics: Detached Information Table .................................................................. 11-8
OSSO Agent Monitoring Page with Operation Details...................................................... 11-8
OSSO Agent Monitoring Process Overview Table ............................................................ 11-9
OSSO Agent Operation Details Table .................................................................................. 11-9
OAM Metrics Table ............................................................................................................... 11-12
Weblogic Metrics.................................................................................................................... 11-12
Fusion Middleware Control (AS-Control) Deployment Architecture ............................ 12-2
OAM Farm Page in Fusion Middleware Control................................................................ 12-4
Farm Navigation Tree in Fusion Middleware Control ...................................................... 12-5
Node Information Page in Fusion Middleware Control .................................................... 12-5
Application Deployment Summary for the Selected Internal Application..................... 12-6
Application Deployment Menu ............................................................................................. 12-6
WebLogic Server Domain Summary with Context Menu Exposed................................. 12-7
Cluster Page ............................................................................................................................. 12-9
Key Metrics for Server Page ................................................................................................ 12-10
Aggregated Access Manager Component Metrics for the Cluster ................................. 12-12
Access Manager Component Metrics for a Single OAM Server Instance ..................... 12-12
Aggregated STS Component Metrics for the Cluster ....................................................... 12-14
STS Component Metrics for an Individual OAM Server Instance ................................. 12-14
Performance Summary Command...................................................................................... 12-15
Performance Summary Page with Metric Palette ............................................................ 12-15
Access Manager Log Levels on the Log Configuration Tab............................................ 12-21
Log Levels for Security Token Service ............................................................................... 12-22
Log Files Configuration Page............................................................................................... 12-25
Typical Log Messages Page in Fusion Middleware Control ........................................... 12-29

xli

12–20
13–1
13–2
13–3
13–4
15–1
15–2
15–3
15–4
15–5
16–1
16–2
17–1
17–2
17–3
17–4
17–5
17–6
17–7
17–8
17–9
17–10
17–11
17–12
19–1
19–2
19–3
19–4
21–1
21–2
21–3
22–1
22–2
22–3
22–4
22–5
22–6
22–7
22–8
22–9
22–10
22–11
22–12
22–13
22–14
22–15
22–16
22–17
22–18
22–19
22–20
22–21
22–22
22–23
22–24

xlii

System MBean Browser and Attributes Tab ......................................................................
Access Manager Settings: Load Balancer .............................................................................
Access Manager Settings: Server Error Mode......................................................................
Access Manager Settings: SSO ...............................................................................................
Common Policy Evaluation Caches ....................................................................................
Create OAM 11g WebGate Page............................................................................................
Load Balanced Deployment .................................................................................................
Expanded 11g WebGate Page with Defaults ....................................................................
WebGate Search Controls and Create Button....................................................................
Key Generation.......................................................................................................................
Global Session Details: Common Settings Page ..................................................................
Common Configuration: Session Management Page.......................................................
Multi-Data Center System Architecture ...............................................................................
Active-Active Deployment Mode..........................................................................................
Active-Active Mode Failover .................................................................................................
Multi-Data Center Deployment .............................................................................................
Requests Served By Different Data Centers.......................................................................
Logout and Session Invalidation .........................................................................................
Stretch Cluster Deployment .................................................................................................
Traditional MDC Deployment .............................................................................................
Active-Active Topology ........................................................................................................
Active-Active Topology Across Multiple Data Centers...................................................
Load Balancing Access Manager Components .................................................................
Global Load Balancer Front Ends Local Load Balancer ...................................................
Replication Flow ......................................................................................................................
EnableMDCReplication Java Property .................................................................................
Starting Sequence Illustrated..................................................................................................
Applying Custom Transformation Rules ...........................................................................
Access Manager 11g Policy Model ......................................................................................
Access Manager Shared Policy Components.......................................................................
Anatomy of Access Manager Policies .................................................................................
Default HTTP Resource Type Definition .............................................................................
Default Resource Type wl_authen ........................................................................................
Default Resource Type TokenServiceRP Resource Type ...................................................
Create Host Identifier Page ..................................................................................................
Native Kerberos Authentication Module ...........................................................................
Native LDAP Authentication Module ................................................................................
Native X.509 Authentication Module .................................................................................
Access Manager Plug-ins for Customized Authentication Modules .............................
Creating Custom Authentication Modules: General .......................................................
Adding a Step and Associating a Plug-in...........................................................................
Plug-in Based Authentication Module Steps and Details ................................................
Steps Orchestration for Plug-in Based Authentication Modules....................................
KerberosPlugin.......................................................................................................................
Default KerberosPlugin Steps and Details .........................................................................
Default KerberosPlugin Steps and Orchestration .............................................................
LDAPPlugin............................................................................................................................
Default LDAPPlugin Steps and Details ..............................................................................
Default Orchestration of Steps for LDAPplugin ...............................................................
X509Plugin ..............................................................................................................................
X509Plugin Default Steps and Details ................................................................................
Default Orchestration for X509Plugin Steps ......................................................................
Password Policy Validation Module Plug-ins ...................................................................
Steps Orchestration: Password Policy Validation Plug-ins .............................................
Plug-ins Page ..........................................................................................................................

12-35
13-2
13-3
13-6
13-10
15-2
15-12
15-15
15-21
15-28
16-9
16-12
17-2
17-6
17-7
17-8
17-12
17-13
17-14
17-14
17-15
17-16
17-17
17-18
19-3
19-4
19-6
19-11
21-7
21-7
21-11
22-4
22-5
22-5
22-14
22-25
22-26
22-27
22-32
22-33
22-34
22-38
22-39
22-40
22-41
22-41
22-42
22-42
22-43
22-43
22-44
22-45
22-45
22-46
22-59

22–25
22–26
23–1
23–2
23–3
23–4
23–5
23–6
23–7
23–8
23–9
23–10
24–1
24–2
24–3
24–4
25–1
25–2
25–3
25–4
25–5
25–6
25–7
25–8
25–9
25–10
25–11
25–12
25–13
25–14
25–15
25–16
25–17
25–18
25–19
25–20
25–21
25–22
25–23
25–24
25–25
25–26
25–27
25–28
25–29
25–30
25–31
25–32
26–1
26–2
26–3
26–4
26–5
26–6
26–7

Plugin Details: Activation Status of Selected Plug-in .......................................................
Default LDAPScheme Page ..................................................................................................
SSO Log-in with Embedded Credential Collector and OAM Agents..............................
Example: Separate Resource WebGate and DCC WebGate Deployment ......................
Combined DCC and WebGate Configuration.....................................................................
SSO Login Processing with OSSO Agents and ECC...........................................................
OAP Tunneling with DCC....................................................................................................
Enable SSL...............................................................................................................................
Keystore Configuration.........................................................................................................
Add Private Key Alias...........................................................................................................
SSL Advanced Options .........................................................................................................
New X509 Scheme..................................................................................................................
Password Policy Configuration Page....................................................................................
Password Policy Validation Authentication Module with Orchestrated Plug-ins ......
Step Orchestration for Password Policy Validation Module...........................................
Server Error Mode for Password Management.................................................................
Application Domains Search Page ........................................................................................
Example Application Domain Summary Page....................................................................
Search Results for Resources in an Application Domain...................................................
Authentication Policies Tab....................................................................................................
Authentication Policy Page: Resources and Responses ....................................................
Authorization Policies Page ...................................................................................................
Individual Authorization Policy Page ..................................................................................
Individual Authorization Policy Resources tab ................................................................
Token Issuance Policies Page ...............................................................................................
Create Resource Page in the Application Domain............................................................
HTTP Resources, Query String Resource URL Controls .................................................
Resource Search within an Application Domain ..............................................................
Sample Authentication Policies Page in the Application Domain .................................
Sample Individual Authentication Policy Page ................................................................
Sample Individual Authorization Policy Page ..................................................................
Individual Authorization Policy Conditions Tab .............................................................
Add Condition Window ......................................................................................................
Condition Containers on the Authorization Policy Page.................................................
Add Identities Window .......................................................................................................
Identity Condition and Details ............................................................................................
Add Search Filter Controls ...................................................................................................
Identity Conditions: Details .................................................................................................
IP4 Range Conditions ............................................................................................................
Temporal Condition Type Details Page .............................................................................
Attribute Conditions Page ....................................................................................................
Add Attribute Condition Dialog ........................................................................................
Authorization Policy Rules Tab: Simple Mode .................................................................
Rules Tab: Expression Rule Mode .......................................................................................
Adding a Resource Prefix for Policy Ordering..................................................................
Authorization Policy Response in the Console .................................................................
Simple Response Samples.....................................................................................................
Complex Response Sample .................................................................................................
OAM Agent (PEP) and OAM Server (PDP) Inter-operability...........................................
User Interactions with the Access Tester..............................................................................
Access Tester Console ...........................................................................................................
Server Connection Panel in the Access Tester ...................................................................
Protected Resource URI Panel in the Access Tester..........................................................
Access Tester User Identity Panel .......................................................................................
Test Case Workflow...............................................................................................................

22-62
22-65
23-4
23-7
23-8
23-9
23-15
23-17
23-17
23-18
23-18
23-22
24-4
24-16
24-16
24-21
25-5
25-6
25-6
25-7
25-8
25-9
25-9
25-10
25-10
25-15
25-25
25-29
25-32
25-32
25-36
25-42
25-44
25-45
25-46
25-47
25-48
25-49
25-53
25-54
25-57
25-57
25-62
25-64
25-67
25-69
25-72
25-73
26-4
26-7
26-13
26-16
26-19
26-21
26-25

xliii

28–1
28–2
28–3
28–4
29–1
29–2
35–1
35–2
35–3
35–4
37–1
38–1
38–2
38–3
38–4
39–1
39–2
40–1
40–2
40–3
40–4
40–5
40–6
40–7
40–8
41–1
41–2
41–3
41–4
41–5
42–1
42–2
42–3
42–4
42–5
42–6
42–7
42–8
42–9
42–10
42–11
42–12
42–13
42–14
43–1
43–2
43–3
45–1
45–2
45–3
45–4
45–5
45–6
45–7
45–8

xliv

Typical Deployment with OpenSSO and Access Manager ...............................................
Create OpenSSO Agent Page ...............................................................................................
Expanded OpenSSO Web Agent Registration Page .........................................................
Expanded OpenSSO J2EE Agent Registration Page .........................................................
Create OSSO Agent Page ........................................................................................................
OSSO Agent Page and Confirmation Window ...................................................................
Second Factor Authentication Preferred Method Page......................................................
One Time Password Login Page............................................................................................
Access Request Notification Preferred Method Page .........................................................
Access Request Notification Wait Screen .............................................................................
Available Services Page.........................................................................................................
New Identity Provider Page, Service Details Loaded from Metadata .............................
New Identity Provider Page, Service Details entered Manually ......................................
Searching for Identity Providers............................................................................................
Attribute Sharing Plug-in Design ........................................................................................
Identity Federation Service Settings Page ............................................................................
Keystore Settings......................................................................................................................
FederationScheme....................................................................................................................
FederationPlugin Steps ...........................................................................................................
FederationPlugin Orchestration ............................................................................................
Setting Up the Authentication Policy with FederationScheme.........................................
OIFScheme ................................................................................................................................
OIFMTLDAPPlugin.................................................................................................................
Authorization Policy Response Tab ....................................................................................
Adding a Federation Response Attribute to an AuthZ Policy ........................................
Security Token Service Architecture .....................................................................................
Security Token Service Token Support.................................................................................
Token Translation at a Centralized Authority.....................................................................
Translating Tokens Behind a Firewall ................................................................................
Web Services SSO...................................................................................................................
Typical Token Ecosystem .......................................................................................................
Identity Propagation with the OAM Token.........................................................................
Process Flow During Identity Propagation..........................................................................
Identity Propagation Deployment.........................................................................................
Identity Propagation Processing ...........................................................................................
Required v1.0 WebLogic Server Identity Assertion Providers .........................................
IAP-Security Token Service Details.....................................................................................
LDAP Provider: IAP-DSEE ..................................................................................................
Default Identity Store Defined in Access Manager...........................................................
Token Issuance Policy for Identity Propagation ..............................................................
/wssuser Endpoint for Identity Assertion .........................................................................
Default Identity Store Defined for Access Manager .........................................................
Token Issuance Policy for Identity Propagation ...............................................................
/wss11user Endpoint for Identity Assertion .....................................................................
Default Endpoints, Policies, and Validation Templates.....................................................
WS-Security 1.0 and 1.1 Policies ............................................................................................
Security Token Service Page.................................................................................................
Validation Templates Search Controls .................................................................................
Issuance Template Search Controls.......................................................................................
Issuance Template: General Details and Defaults...............................................................
Issuance Properties: Username Token Type ........................................................................
Issuance Properties: SAML Token Types .............................................................................
Security Details: SAML Tokens .............................................................................................
New Validation Template page: General Page Defaults..................................................
New Validation Template: General Authentication Details............................................

28-7
28-11
28-13
28-14
29-7
29-9
35-2
35-3
35-5
35-6
37-15
38-3
38-4
38-9
38-19
39-2
39-5
40-2
40-3
40-4
40-6
40-7
40-8
40-10
40-12
41-8
41-8
41-9
41-10
41-11
42-2
42-3
42-3
42-4
42-4
42-9
42-10
42-11
42-12
42-12
42-13
42-19
42-20
42-20
43-5
43-7
43-10
45-3
45-3
45-6
45-6
45-7
45-9
45-14
45-16

45–9
45–10
45–11
45–12
45–13
45–14
45–15
45–16
45–17
45–18
45–19
45–20
45–21
46–1
46–2
46–3
46–4
46–5
46–6
46–7
46–8
46–9
48–1
48–2
48–3
48–4
48–5
48–6
48–7
48–8
48–9
48–10
48–11
48–12
49–1
49–2
49–3
50–1
52–1
52–2
52–3
53–1
53–2
53–3
53–4
54–1
54–2
54–3
54–4
54–5
54–6
54–7
54–8
54–9
55–1

Token Mapping: SAML2 WS-Security Validation Template ..........................................
Token Mapping, username-wstrust-validation-template................................................
Token Mapping: x509-wss-validation-template................................................................
Endpoints Page.......................................................................................................................
Token Issuance Policies and Conditions ............................................................................
Pre-defined Resource Type: TokenServiceRP ...................................................................
Search: Resource Type TokenServiceRP in Application Domain ...................................
New Custom Token Page .....................................................................................................
Custom Tokens Search Page and Controls ........................................................................
General Details: email-wstrust-valid-temp........................................................................
Token Mapping: email-wstrust-valid-temp.......................................................................
General Details: email-issuance-temp ................................................................................
Issuance Properties: email-issuance-temp .........................................................................
New Requester Partner Page..................................................................................................
New Relying Party Partners Page .........................................................................................
Partner Search Controls ..........................................................................................................
Requester Profile: General ......................................................................................................
Requester Profile: Token and Attributes ..............................................................................
Relying Party Profile Token and Attributes.......................................................................
Token and Attributes: Issuing Authority ..........................................................................
Issuing Authority Profile: Token Mapping Tab ................................................................
Search Partner Profiles Page: Requester Profiles...............................................................
First Time Device/Application Registration and Authentication Process....................
Mobile SSO Agent Requests Access Token from Access Manager ................................
Mobile SSO Agent Has Valid Access Token in Credential Store....................................
Mobile SSO Agent Does Not Have Valid Access Token in Credential Store................
User Authentication Using REST ........................................................................................
Authenticating User From Browser-based Web App on Registered Mobile Device...
..................................................................................................................................................
Authenticating a Returning User with a Local Account ..................................................
Authenticating a New User with No Local Account........................................................
Authenticating a User With an OAuth Identity Provider ...............................................
Authenticating a User with Access Manager.....................................................................
Authenticating a User Locally..............................................................................................
Using ODSM to create the PIN attribute in OUD .............................................................
Using ODSM to create the pinperson object class.............................................................
Using the OAM Console to create an IdentityStore..........................................................
Social Identity Account Linking ..........................................................................................
OAuth 3-Legged Flow Diagram ............................................................................................
Using a Split Request to get a Client Verification Code.....................................................
The Complete Mobile App Authorization Request Flow ..................................................
Mobile (top) and Federation (bottom) Identity Domain Screens......................................
Identity Federation DefaultDomain Configuration Page ..................................................
Mobile Security DefaultDomain Configuration Page ........................................................
OAuth Services Service Profile Configuration Page.........................................................
Password Generation Policies Search/Create Tab............................................................
New Password Generation Policy Summary Tab.............................................................
Password Constraints Tab of a Password Generation Policy .........................................
Add Applications Dialog ......................................................................................................
Credential Sharing Groups tab ............................................................................................
New Credential Sharing Group Page .................................................................................
Add Applications Dialog ......................................................................................................
Global Agent Settings Search tab.........................................................................................
New Global Agent Settings Page.........................................................................................
End to End Identity Context Process ....................................................................................

45-18
45-19
45-19
45-25
45-28
45-31
45-32
45-34
45-36
45-39
45-39
45-40
45-41
46-3
46-4
46-7
46-8
46-9
46-10
46-14
46-16
46-20
48-12
48-13
48-14
48-15
48-16
48-17
48-19
48-25
48-27
48-29
48-31
48-32
49-13
49-14
49-15
50-18
52-4
52-6
52-9
53-2
53-3
53-3
53-37
54-51
54-52
54-54
54-55
54-56
54-58
54-59
54-60
54-61
55-3

xlv

55–2
55–3
55–4
58–1
58–2
58–3
59–1
59–2
59–3
59–4
59–5
60–1
60–2
60–3
60–4
C–1
D–1
D–2
D–3
D–4
D–5
D–6
D–7
D–8
D–9
D–10
D–11
D–12
D–13
D–14
D–15
D–16
D–17
D–18
D–19
D–20
D–21
D–22
D–23
D–24

xlvi

End To End Identity Context Process Components ........................................................... 55-3
Identity Context Process Flow ............................................................................................... 55-8
OAM Authentication Provider Configuration .................................................................. 55-18
Various Clients Deployed on JBoss Application Server..................................................... 58-5
JBoss Agent Deployed with an Oracle HTTP Server WebGate ........................................ 58-6
Sample Integration Topology................................................................................................. 58-6
Setting up a Trusted User Account for Windows Impersonation .................................. 59-15
Configuring Rights for the Trusted User in Windows Impersonation .......................... 59-16
Registering the Impersonation Module.............................................................................. 59-19
Verifying Event Viewer Settings.......................................................................................... 59-21
Impersonation Authentication............................................................................................. 59-23
Setting up a Trusted User Account for Windows Impersonation .................................... 60-5
Configuring Rights for the Trusted User in Windows Impersonation ............................ 60-6
Verifying Event Viewer Settings............................................................................................ 60-9
Impersonation Authentication............................................................................................. 60-14
Communication Channels for OAM Servers and WebGates .............................................. C-2
IAMSuiteAgent Settings in the WebLogic Administration Console.................................. D-2
IAMSuiteAgent Registration .................................................................................................... D-3
Resources Protected by the IAMSuiteAgent.......................................................................... D-5
IAMSuite Authentication Policy: OAM Admin Console Policy ......................................... D-6
Protected HigherLevel Policy: Authentication, LDAP Scheme .......................................... D-7
Protected LowerLevel Policy: Authentication, OIMScheme .............................................. D-8
Public Policy: Authentication, AnonymousSheme ............................................................... D-8
IAM Suite Authorization Policy .............................................................................................. D-9
IAM Suite Token Issuance Policy and Resource URLs ........................................................ D-9
Generated Authentication Module: OpenSSOAgentAuthPlugin..................................... D-10
Generated Host Identifier: OpenSSOAgent1 ....................................................................... D-11
Generated Application Domain: OpenSSOAgent1............................................................. D-11
Application Domain Resources: OpenSSOAgent1 ............................................................. D-12
Generated Authentication Policy: OpenSSOAgent Application Domain ....................... D-12
Generated Authorization Policy: OpenSSOAgent Application Domain......................... D-13
Migrated User Identity Store.................................................................................................. D-14
Migrated Agent: OpenSSOAgent1 ........................................................................................ D-15
Migrated Authentication Module: OpenSSOAgent1.......................................................... D-16
Migrated Host Identifier: OpenSSOAgent1 ......................................................................... D-16
Migrated Application Domain: OpenSSOAgent1............................................................... D-16
Migrated Resources: OpenSSOAgent1 ................................................................................. D-17
Migrated Authentication Policy: OpenSSOAgent1 ............................................................ D-17
Migrated Authorization Policy2 Condition: OpenSSOAgent1 ......................................... D-18
Migrated Authorization Policy2: IP Condition Details ...................................................... D-18

xlvii

List of Tables
1–1
1–2
1–3
1–4
2–1
2–2
2–3
2–4
3–1
3–2
3–3
3–4
3–5
4–1
5–1
5–2
5–3
5–4
5–5
5–6
6–1
6–2
6–3
6–4
7–1
7–2
7–3
7–4
7–5
7–6
7–7
8–1
8–2
8–3
8–4
8–5
8–6
8–7
8–8
8–9
8–10
8–11
8–12
8–13
9–1
9–2
9–3
9–4
9–5
9–6
9–7
9–8
10–1

xlviii

Access Manager Deployment Types ....................................................................................... 1-6
Features in Access Manager 11.1.2 .......................................................................................... 1-7
Features Not Available In Access Manager 11.1.2 ................................................................ 1-9
Oracle Access Management Post-Installation Tasks.......................................................... 1-11
Language Codes For Login Pages ........................................................................................ 2-13
Oracle Access Management Language Selection Methods............................................... 2-14
OAM_LANG_PREF Cookie .................................................................................................. 2-15
Application Integration for Language Preference ............................................................. 2-15
Configuration Options .............................................................................................................. 3-2
Common Services ...................................................................................................................... 3-4
Common Settings....................................................................................................................... 3-5
Common Coherence Settings ................................................................................................... 3-7
.................................................................................................................................................... 3-13
Roles for Delegating Administration ...................................................................................... 4-2
Data Sources for Oracle Access Management ....................................................................... 5-1
Data Sources for Oracle Access Management Services ........................................................ 5-2
Components That Use Identity Stores .................................................................................... 5-8
User Identity Store Elements.................................................................................................... 5-9
Access Manager Keys and Storage....................................................................................... 5-32
Keystores for Access Manager and Security Token Service ............................................. 5-32
Conditions Requiring Server Restart ...................................................................................... 6-4
OAM Server Instance Settings ................................................................................................. 6-6
OAM Proxy Settings for an Individual OAM Server ........................................................... 6-6
Default Coherence Settings for Individual OAM Servers.................................................... 6-7
Logging Files............................................................................................................................... 7-2
Logging Defaults........................................................................................................................ 7-2
Oracle Access Management Server-Side Component Loggers ........................................... 7-3
Oracle Access Management Shared-Service Engine Component Loggers ....................... 7-4
Oracle Access Management Foundation API Component Loggers................................... 7-4
Mapping of ODL to Java Levels .............................................................................................. 7-5
Oracle Security Token Service and Identity Federation Loggers ....................................... 7-9
Oracle Business Intelligence Enterprise Edition Reports for OAM.................................... 8-5
Access Manager Administrative Audit Events ..................................................................... 8-6
Access Manager Run-time Audit Events................................................................................ 8-9
REST Run-Time Audit Events............................................................................................... 8-12
Mobile and Social Run-Time Audit Events......................................................................... 8-12
Categories of Audit Events for Identity Federation........................................................... 8-14
Identity Federation Session Management Events .............................................................. 8-14
Protocol Flow Events for Identity Federation..................................................................... 8-15
Server Configuration Identity Federation ........................................................................... 8-15
Security Events for Identity Federation............................................................................... 8-16
Security Token Service Configuration Management Operations .................................... 8-17
Security Token Service-specific Run-time Events .............................................................. 8-19
Audit Configuration Elements.............................................................................................. 8-23
Logging Levels ........................................................................................................................... 9-2
Log Configuration File Names for Components................................................................... 9-5
Log Writers .............................................................................................................................. 9-10
Global Parameters in the First Compound List.................................................................. 9-11
Factors that Determine Whether Logging Is Active .......................................................... 9-16
Mandatory Log Configuration File Parameters ................................................................. 9-17
Log Data File Configuration Parameters............................................................................. 9-18
ParamName Values You Can Configure for Per-Module Logging Threshold.............. 9-23
Accounts_Locked_Out Report Fields .................................................................................. 10-3

10–2
10–3
10–4
10–5
10–6
10–7
10–8
10–9
10–10
11–1
11–2
11–3
11–4
11–5
11–6
11–7
11–8
12–1
12–2
12–3
12–4
12–5
12–6
12–7
12–8
12–9
12–10
12–11
12–12
12–13
13–1
13–2
13–3
13–4
13–5
13–6
13–7
13–8
14–1
14–2
14–3
14–4
14–5
14–6
14–7
14–8
14–9
15–1
15–2
15–3
15–4
15–5
15–6
15–7
15–8

Authentication_statistics Report Fields ...............................................................................
AuthenticationFromIPByUser Report Fields ......................................................................
AuthenticationPerIP Report Fields ......................................................................................
AuthenticationStatisticsPerServer Report Fields ...............................................................
All Errors and Exceptions Report Fields .............................................................................
Authentication Failures Report Fields .................................................................................
Authentication History Report Fields..................................................................................
Authorization History Report Fields ...................................................................................
Multiple Logins From Same IP Report Fields.....................................................................
OAM Server Metrics: Server Processes Overview Tab .....................................................
OAM Server Metrics: Session Operations ...........................................................................
OAM Server Metrics: Server Operations Tab .....................................................................
OAM Proxy Metrics..............................................................................................................
OAM Proxy Tuning Parameters .........................................................................................
OpenSSO Proxy Server Events............................................................................................
OpenSSO Proxy Metrics: Server .........................................................................................
OpenSSO Proxy Metrics: Agent..........................................................................................
Farm Page Sections .................................................................................................................
Resulting Pages for Selected Nodes and Targets ...............................................................
Summary of Performance Overviews in Fusion Middleware Control.........................
Access Manager Component Metrics ................................................................................
STS Component-Specific Metrics........................................................................................
Status and Controls on Performance Summary Pages....................................................
OAM Log Availability and Functions in Fusion Middleware Control.........................
Log Levels Tab on Log Configuration Page......................................................................
Log Files Elements ................................................................................................................
OAM Log Message Search Controls in Fusion Middleware Control............................
System MBean Browser .......................................................................................................
MBeans that Access Manager and Security Token Service Deploy...............................
System MBean Browser .......................................................................................................
Access Manager Settings: Load Balancer ............................................................................
Server Error Mode ..................................................................................................................
Error Trigger Condition, Modes, and Message Codes ......................................................
External Error Codes, Trigger Conditions, and Recommended Messages ....................
Access Manager Settings: SSO ..............................................................................................
Summary: Simple and Cert Mode ........................................................................................
Server Common OAM Proxy Secure Communication Settings.......................................
Policy Evaluation Caches.....................................................................................................
Agent Types.............................................................................................................................
Agent Registration and SSO Support...................................................................................
Run Time Processing Overview for Access Manager........................................................
Keys and Policies Generated During Agent Registration.................................................
Artifacts Associated with Agent Registration ....................................................................
Copying Generated Artifacts ................................................................................................
Remote Registration Methods...............................................................................................
Remote Registration Does Not Support ..............................................................................
Agent Registration and Configuration Update Artifacts................................................
Elements on Create Pages for 11g and 10g OAM Agents .................................................
User-Defined WebGate Parameters .....................................................................................
Elements on Expanded 11g and 10g WebGate/Access Client Registration Pages .....
Agent Search Controls..........................................................................................................
Environment Variables to Set within oamreg...................................................................
Remote Registration Command Arguments: mode ........................................................
Remote Registration Command Samples..........................................................................
Common Elements in Remote Registration Requests .....................................................

10-3
10-4
10-4
10-4
10-5
10-5
10-5
10-6
10-6
11-3
11-4
11-5
11-10
11-11
11-13
11-13
11-14
12-4
12-8
12-10
12-13
12-14
12-15
12-20
12-22
12-26
12-29
12-34
12-34
12-36
13-2
13-3
13-4
13-4
13-6
13-7
13-8
13-10
14-2
14-3
14-4
14-6
14-7
14-7
14-8
14-8
14-10
15-3
15-6
15-16
15-21
15-25
15-25
15-25
15-26

xlix

15–9
15–10
15–11
15–12
15–13
15–14
16–1
16–2
16–3
16–4
16–5
16–6
16–7
16–8
16–9
17–1
17–2
18–1
18–2
18–3
19–1
19–2
21–1
21–2
21–3
21–4
21–5
21–6
22–1
22–2
22–3
22–4
22–5
22–6
22–7
22–8
22–9
22–10
22–11
22–12
22–13
22–14
22–15
22–16
22–17
22–18
22–19
22–20
22–21
22–22
22–23
22–24
22–25
22–26
22–27

l

Remote Registration Request Templates for OAM Agents ............................................
Elements in Extended OAM Agent Remote Registration Requests ..............................
Variables Required for Remote Registration ....................................................................
Files Returned by in-band Administrator to out-of-band Administrator ....................
Remote Agent Update Modes and Input Files .................................................................
Delta: OAM Agent Update versus Registration Request................................................
Session Lifecycle States ..........................................................................................................
Session Checks for State Changes.........................................................................................
Session Removal......................................................................................................................
Application Domain-Specific Overrides..............................................................................
Session Content: Single Authentication Scheme ................................................................
Session Outcomes: Multiple Authentication Schemes ......................................................
Global Session Settings...........................................................................................................
Application-Specific Session Timing Overrides...............................................................
Session Management Controls and the Results Table.....................................................
Multi-Data Center Policy Configurations for Idle Timeout ...........................................
Session Synchronization and Failover Scenarios .............................................................
MDC Use Cases.......................................................................................................................
oamMDC.properties Properties..........................................................................................
partnerInfo.properties Properties.......................................................................................
Replication States ....................................................................................................................
Modifying Replication Agreement Properties..................................................................
Summary: SSO Components .................................................................................................
Introduction to SSO Implementations .................................................................................
Access Manager Global, Shared Policy Components........................................................
Access Manager Policy Components ...................................................................................
Condition Types....................................................................................................................
SSO Cookies ...........................................................................................................................
Comparison: Resource Types for Access Manager versus 10g ........................................
Resource Type Definition ......................................................................................................
Host Identifiers Examples......................................................................................................
Host Identifier Definitions...................................................................................................
Comparing the DCC and ECC ............................................................................................
Native Authentication Modules .........................................................................................
Native Kerberos Authentication Module Definition .......................................................
Native LDAP Authentication Modules Definition ..........................................................
X509 Authentication Module Definition ...........................................................................
Simple Form versus Multi-Step Authentication...............................................................
General tab .............................................................................................................................
Add New Step Entries, Steps Results Table, and Details Section..................................
Parameter Details for Various Plug-ins .............................................................................
Steps Orchestration Tab .......................................................................................................
X509 Step Details (KEY_CERTIFICATE_ATTRIBUTE_TO_EXTRACT) ......................
Steps and Plug-ins in a Customized Step-up Authentication Module .........................
Managing Custom Plug-ins Actions ..................................................................................
Plugins Status Table..............................................................................................................
Example of Plugin Details Extracted from XML Metadata File.....................................
Authentication Scheme Definition .....................................................................................
Pre-configured Authentication Schemes ...........................................................................
Challenge Parameters in Pre-configured Schemes ..........................................................
User-Defined Challenge Parameters for Authentication Schemes................................
Advanced Rules Attributes .................................................................................................
Sample Advanced Rules ......................................................................................................
Request Context Data ...........................................................................................................
Location Context Data..........................................................................................................

15-29
15-30
15-33
15-35
15-37
15-37
16-3
16-4
16-4
16-5
16-7
16-8
16-9
16-10
16-12
17-19
17-20
18-2
18-11
18-13
19-3
19-14
21-2
21-3
21-8
21-9
21-13
21-14
22-3
22-5
22-8
22-15
22-20
22-24
22-25
22-26
22-27
22-31
22-33
22-34
22-35
22-39
22-44
22-51
22-60
22-61
22-62
22-65
22-68
22-75
22-76
22-84
22-85
22-86
22-87

22–28
22–29
22–30
22–31
22–32
22–33
22–34
22–35
22–36
22–37
23–1
23–2
24–1
24–2
24–3
24–4
24–5
24–6
24–7
24–8
24–9
25–1
25–2
25–3
25–4
25–5
25–6
25–7
25–8
25–9
25–10
25–11
25–12
25–13
25–14
25–15
25–16
25–17
25–18
25–19
25–20
25–21
25–22
25–23
25–24
25–25
25–26
25–27
25–28
25–29
25–30
25–31
25–32
25–33
26–1

Session Context Data ............................................................................................................
User Context Data.................................................................................................................
Challenge Parameters for 10g/11g Encrypted Cookies ..................................................
Resource Webgate Support of POST Data Preservation and Restoration....................
Credential Collector Support for POST Data Handling..................................................
Authentication Schemes Supporting POST Data Handling ...........................................
Parameters Required for Authentication POST Data Handling ....................................
ECC and DCC: Long URL Handling .................................................................................
Authentication Schemes Supporting Long URL Handling ............................................
Parameters Required for Long URL Handling.................................................................
Login Processing with Access Manager-Protected Resources .........................................
DCC Deployment Support ....................................................................................................
Password Policy Configuration Parameters .......................................................................
Password Policy Elements.....................................................................................................
Specifying Credential Collectors and Related Forms for Authentication ......................
Credential Collector Password Pages ..................................................................................
Password Management Forms and Functions ...................................................................
Location of Oracle-provided LDIFs for LDAP Providers ...............................................
Key Password Attributes in a Password Policy ...............................................................
User Password Step Details.................................................................................................
Included LDIF Schema Files................................................................................................
Resource Definition Elements .............................................................................................
HTTP Resources Sample URL Values................................................................................
Supported Wildcards in Resource URL Patterns (Precedence Order)..........................
Sample Resource URLs ........................................................................................................
Pattern Matching for Requested URLs ..............................................................................
Query String Matching: Examples .....................................................................................
Resource Evaluation Outcomes ..........................................................................................
Search Elements for a Resource in an Application Domain ...........................................
Authentication Policy Elements and Descriptions...........................................................
Authorization Policy Elements and Descriptions ............................................................
Authorization Policy Condition Tab..................................................................................
Add Condition Window Elements.....................................................................................
Add identities Elements.......................................................................................................
Add Search Filter Elements .................................................................................................
LDAP Search Filter Examples for Access Manager .........................................................
Temporal Condition Details ................................................................................................
Access Conditions that Require Attribute-Type Conditions..........................................
Attribute Condition Elements .............................................................................................
Attribute Names for Request Built-ins ..............................................................................
Attribute Names for Session Built-ins................................................................................
Attribute Condition Data (Aggregation of Conditions)..................................................
Authorization Policy Rules Elements ................................................................................
Rule Tab in Expression Mode .............................................................................................
Operators for Expressions in Authorization Rules ..........................................................
Response Elements ...............................................................................................................
Namespace Request Variables for Single Sign-On...........................................................
Namespace Session Variables for Single Sign-On............................................................
Namespace User Variables ..................................................................................................
Simple Responses and Descriptions...................................................................................
Complex Responses..............................................................................................................
Fresh OSSO Installation: Protected Policy Response (Header)......................................
Remote Policy Management Modes, Templates, and Flags ...........................................
Remote Management Template Elements.........................................................................
User Interactions: Tester Console Mode versus Command Line Mode Operations ....

22-87
22-87
22-88
22-90
22-91
22-92
22-92
22-96
22-96
22-96
23-3
23-6
24-3
24-4
24-6
24-9
24-9
24-13
24-14
24-17
24-25
25-15
25-18
25-19
25-21
25-22
25-23
25-26
25-29
25-32
25-36
25-42
25-44
25-47
25-48
25-49
25-55
25-56
25-57
25-58
25-58
25-59
25-62
25-64
25-64
25-69
25-71
25-71
25-71
25-72
25-73
25-75
25-78
25-81
26-7

li

26–2
26–3
26–4
26–5
26–6
26–7
26–8
26–9
26–10
26–11
26–12
26–13
26–14
27–1
27–2
28–1
28–2
28–3
28–4
28–5
28–6
28–7
28–8
28–9
28–10
28–11
28–12
28–13
29–1
29–2
29–3
29–4
29–5
29–6
29–7
29–8
29–9
30–1
30–2
30–3
30–4
30–5
33–1
35–1
35–2
36–1
36–2
37–1
37–2
37–3
37–4
37–5
37–6
37–7
37–8

lii

Access Tester Supported System Properties .......................................................................
Access Tester Console Panels..............................................................................................
Command Buttons in Access Tester Panels ......................................................................
Additional Access Tester Buttons.......................................................................................
Access Tester Menus.............................................................................................................
Connection Panel Information ............................................................................................
Protected Resource URI Panel Fields and Controls.........................................................
Access Tester User Identity Panel Fields and Controls...................................................
Access Tester Capture Request Options............................................................................
Generate Script Command ..................................................................................................
Test Script Control Parameters ...........................................................................................
Run Test Script Commands.................................................................................................
Mismatched Results Reasons in the Statistics Document ...............................................
Centralized Logout Circumstances ......................................................................................
Logout Details After Registration (ObAccessClient.xml) .................................................
Features: OpenSSO Agents with Access Manager.............................................................
OpenSSO Policy Migration....................................................................................................
OpenSSO Reliance on Access Manager ...............................................................................
Access Manager Processing with OpenSSO .......................................................................
Elements on the New OpenSSO Agent Page ....................................................................
Relocating OpenSSO Artifacts ............................................................................................
Expanded OpenSSO Agent Registration Elements..........................................................
OpenSSO Request Files for Remote Registration.............................................................
OpenSSO Agent Remote Registration Request ................................................................
J2EE Request File Mappings to the Properties File ..........................................................
Mapping the Web Request File to the Properties File .....................................................
Delta: OpenSSO Remote Registration versus Remote Updates.....................................
Other OpenSSO Information in this Guide.......................................................................
OSSO Agents with Access Manager ....................................................................................
11g Access Manager SSO versus OSSO 10g Component Summary ...............................
Create OSSO Agent Page Elements......................................................................................
Relocating OSSO Artifacts .....................................................................................................
Expanded OSSO Agent Elements.........................................................................................
OpenSSO Request Files for Remote Registration.............................................................
OSSO-Specific Elements in a Remote Registration Request ...........................................
Delta: OSSO Remote Registration versus Remote Updates ...........................................
Other OSSO Information in this Guide .............................................................................
Installation Comparison with 10g WebGates .....................................................................
Comparison: Access Manager 11g versus 10g....................................................................
Comparing Access Manager 11g Policy Model versus 10g ..............................................
Preparing for 10g WebGate Installation with Access Manager 11g ..............................
Sample end_url Parameter Specifications .........................................................................
IIS 7 Webgate Windows Server 2008....................................................................................
Adaptive Authentication Plugin Properties .......................................................................
Server Side Configuration for Adaptive Authentication Service ....................................
Location URL Parameter Definitions ...................................................................................
Offline Configuration URL Parameters...............................................................................
Supported SAML 2.0 NameID Formats...............................................................................
SAML 2.0 URLs for Identity Federation Acting As Identity Provider............................
SAML 2.0 URLs for Identity Federation Acting as Service Provider ..............................
Supported SAML 1.1 NameID Formats.............................................................................
SAML 1.1 URLs for Identity Federation Acting As Identity Provider..........................
SAML 1.1 URL for Identity Federation Acting as Service Provider..............................
OpenID 2.0 URLs for Identity Federation Acting As Identity Provider.......................
OpenID 2.0 URLs for Identity Federation Acting as Service Provider .........................

26-9
26-13
26-14
26-14
26-15
26-17
26-19
26-21
26-26
26-27
26-28
26-29
26-32
27-2
27-3
28-2
28-3
28-5
28-8
28-11
28-12
28-15
28-22
28-23
28-24
28-25
28-27
28-29
29-2
29-3
29-7
29-8
29-9
29-12
29-13
29-15
29-18
30-4
30-6
30-8
30-14
30-26
33-6
35-8
35-9
36-2
36-3
37-7
37-9
37-9
37-10
37-11
37-11
37-13
37-13

37–9
37–10
38–1
38–2
38–3
38–4
38–5
38–6
38–7
38–8
38–9
38–10
38–11
38–12
39–1
39–2
39–3
39–4
40–1
40–2
40–3
40–4
40–5
40–6
40–7
40–8
41–1
41–2
41–3
43–1
43–2
44–1
44–2
44–3
44–4
44–5
45–1
45–2
45–3
45–4
45–5
45–6
45–7
45–8
45–9
45–10
45–11
45–12
45–13
45–14
45–15
46–1
46–2
46–3

Configuring Identity Federation Settings.......................................................................... 37-14
Implementing Identity Federation .................................................................................... 37-14
Default Partner Profiles.......................................................................................................... 38-2
Identity Provider Partner Settings........................................................................................ 38-4
Attributes for Google OpenID Partner ............................................................................... 38-7
Attributes for Yahoo OpenID Partner................................................................................. 38-8
Elements Used for IdP Provider Search ............................................................................. 38-9
Service Provider Partner Settings ....................................................................................... 38-10
Sample SP Attribute Mappings........................................................................................... 38-13
Attribute Mapping Value Expressions .............................................................................. 38-13
Sample IdP Attribute Mappings......................................................................................... 38-15
Default Federation Authentication Method and Access Manager Authentication Scheme
Mappings 38-16
Configuration Parameters for Attribute Sharing Plug-in ............................................... 38-22
Session Attributes Accessible To Attribute Sharing Plug-in .......................................... 38-22
Federation Settings in the Console ....................................................................................... 39-2
General Federation Settings .................................................................................................. 39-3
Federation Proxy Settings ...................................................................................................... 39-4
Keystore Settings for Federation........................................................................................... 39-5
FederationScheme Element Definitions............................................................................... 40-2
FederationPlugin Steps .......................................................................................................... 40-4
Orchestration of FederationPlugin...................................................................................... 40-4
OIFScheme Definition ............................................................................................................ 40-7
OIFMTLDAPPlugin Steps ..................................................................................................... 40-8
Policy Response Elements ................................................................................................... 40-10
Message Attribute Mapping................................................................................................ 40-22
Office 365 Service Provider Attribute Values ................................................................... 40-22
Security Token Service 11g Infrastructure .......................................................................... 41-3
Security Token Service Terms ............................................................................................... 41-4
Integrated Oracle Web Services Manager ........................................................................... 41-7
Security Token Service Settings .......................................................................................... 43-10
Configuring a Non-Oracle WSM Client for WSS Kerberos Policies.............................. 43-18
Security Token Service Public Keys Used at Run Time .................................................... 44-2
Keystore Mbeans..................................................................................................................... 44-2
Partner Keys for WS-Trust Communications ..................................................................... 44-7
Conditions for Security Token Service Certificate Validation.......................................... 44-9
Successful Certificate Validation Requirements................................................................. 44-9
Search Validation Template .................................................................................................. 45-4
Issuance Template Requirements ......................................................................................... 45-5
Issuance Template: General Details ..................................................................................... 45-6
Issuance Properties: Username Token Type ....................................................................... 45-6
Issuance Properties: SAML Token Types ............................................................................ 45-8
Security Details: SAML Tokens ............................................................................................ 45-9
Issuance Template: Attribute Mapping, SAML Token ................................................... 45-10
Validation Template Protocols............................................................................................ 45-14
New Validation Template: General Details ...................................................................... 45-15
New Validation Template: Authentication Details.......................................................... 45-16
New Validation Template: Token Mapping ..................................................................... 45-20
Endpoints Page...................................................................................................................... 45-26
Conditions tab: Token Issuance Policy .............................................................................. 45-28
New Custom Token Elements............................................................................................. 45-34
Custom Tokens Search Elements and Controls................................................................ 45-36
Security Token Service Partners ........................................................................................... 46-1
Security Token Service Clients.............................................................................................. 46-2
Security Token Service Partner Entry .................................................................................. 46-2

liii

46–4
46–5
46–6
46–7
46–8
46–9
46–10
46–11
48–1
48–2
48–3
48–4
48–5
49–1
49–2
49–3
49–4
49–5
49–6
49–7
49–8
49–9
49–10
49–11
49–12
49–13
49–14
49–15
49–16
49–17
49–18
49–19
49–20
49–21
49–22
50–1
50–2
50–3
50–4
50–5
50–6
50–7
50–8
51–1
52–1
52–2
53–1
53–2
53–3
53–4
53–5
53–6
55–1

liv

Security Token Service Partner Profile Data....................................................................... 46-2
Partner Elements for Partner Types ..................................................................................... 46-3
Elements for Security Token Service Partners .................................................................... 46-4
Profile: General........................................................................................................................ 46-8
Requester Profile: Token and Attributes ............................................................................. 46-9
Relying Party Profile Requirements................................................................................... 46-11
Token and Attributes Elements: Issuing Authority......................................................... 46-15
Issuing Authority Token Mapping Elements ................................................................... 46-17
Features in Mobile and Social Based on the Companion Services Installed .................. 48-3
Mobile and Non-Mobile Authentication Service Providers in Mobile and Social Services....
48-7
Android, iOS, and Java Features of the Mobile and Social Services Client SDK........... 48-9
Token Requirements for the Mobile and Social Server ................................................... 48-20
Identity Providers That Mobile and Social Natively Supports ...................................... 48-23
Pre-configured Authentication Service Providers ............................................................. 49-6
Access Manager Authentication Service Provider Default Attributes............................ 49-8
Webgate Agent for Authentication Service Provider Default Attributes....................... 49-9
JWT Authentication Service Provider Default Attributes............................................... 49-10
JWT-OAM Authentication Service Provider Default Attributes ................................... 49-10
Access Manager Authorization Service Provider Default Attributes ........................... 49-17
Webgate Agent for Authorization Service Provider Default Attributes ...................... 49-18
User Profile Service Provider Default Attribute Names and Values ............................ 49-19
User Profile Service Provider Default Attribute Names and Values ............................ 49-20
Authentication Service Profile Default General Properties ............................................ 49-23
Token Support and URI Category Information Default Properties .............................. 49-23
Authorization Service Profile Default General Properties.............................................. 49-24
User Profile Service Profile Default General Properties.................................................. 49-25
Security Handler Plug-in General Properties ................................................................... 49-27
Application Profile General Properties.............................................................................. 49-28
Service Domain General Properties ................................................................................... 49-30
Application Profile Selection Properties............................................................................ 49-31
Service Profile Selection Properties .................................................................................... 49-32
User Profile Service Protection Properties ........................................................................ 49-33
Authorization Service Protection Properties .................................................................... 49-33
OAAM Policies Supported By Mobile and Social............................................................ 49-42
Mapping Terms Between OAAM and Mobile and Social .............................................. 49-43
OpenID Protocol Attributes .................................................................................................. 50-4
OAuth Protocol Attributes .................................................................................................... 50-5
User Attributes Returned By Google ................................................................................... 50-6
User Attributes Returned By Yahoo..................................................................................... 50-6
User Profile Attributes Returned By Foursquare............................................................... 50-7
User Profile Attributes Returned By Windows Live ......................................................... 50-7
Service Provider Interface Information Properties .......................................................... 50-12
Account Linking Properties................................................................................................. 50-19
Attribute Settings for an Oracle Access Manager 11gR1 PS1 Authentication Service
Provider 51-2
Default User Profile Services Endpoint Operations ........................................................ 52-14
User Profile Resource Server - Scope Settings .................................................................. 52-15
OAuth Service Profile Configuration Attributes................................................................ 53-8
Web Client Attributes Names and Values ........................................................................ 53-14
OAuth Service Provider Attributes for Access Manager ................................................ 53-19
User Profile Service Attributes............................................................................................ 53-24
OAuth Server Settings Attributes....................................................................................... 53-29
Default OAuth JKS Keystore File and Settings File ......................................................... 53-31
Identity Context Schema Attributes..................................................................................... 55-4

55–2
56–1
56–2
56–3
57–1
58–1
59–1
59–2
59–3
59–4
60–1
62–1
62–2
63–1
63–2
63–3
A–1
B–1
C–1
D–1

Mapping Identity Context Operations ................................................................................ 55-9
Access Manager Support for RSA Features ........................................................................ 56-2
RSA Features Not Supported ................................................................................................ 56-2
Installation and Configuration Guidelines ......................................................................... 56-4
Sample Naming....................................................................................................................... 57-6
JBoss Agent Composition ...................................................................................................... 58-3
Component Requirements..................................................................................................... 59-6
Microsoft Requirements for this Integration....................................................................... 59-7
Create Web Application Options for Microsoft SharePoint Server............................... 59-11
Create a Web Application to Host a Site Collection for SharePoint Server.................. 59-13
Requirements for Impersonation with a Header Variable ............................................... 60-3
Login Module Stacks for using Header Variables ............................................................. 62-6
Login Module Stacks for using Header Variables ........................................................... 62-13
.................................................................................................................................................... 63-3
.................................................................................................................................................... 63-4
Ticket Authentication Values ................................................................................................ 63-6
addOAMSSOProvider Command-line Arguments............................................................. A-4
Languages for Localized Messages ........................................................................................ B-2
importcert Command Syntax.................................................................................................. C-4
Comparing IAMSuiteAgent with 11g and 10g Webgates................................................... D-4

lv

List of Examples
3–1
3–2
7–1
9–1
9–2
9–3
9–4
9–5
9–6
9–7
9–8
15–1
15–2
18–1
18–2
18–3
19–1
19–2
19–3
19–4
26–1
26–2
26–3
26–4
26–5
30–1
38–1
38–2
42–1
42–2
49–1
53–1
53–2
53–3
53–4
53–5
55–1
55–2
55–3
55–4
57–1
59–1
A–1

lvi

Certificate Validation Module Configuration...................................................................... 3-10
Multiple OCSP Responder Configuration ........................................................................... 3-12
Configuring Access Manager Loggers and Log Handlers.................................................... 7-4
The Default Log Configuration File with Comments ........................................................... 9-6
Simple Lists with Global Settings (First Compound List in oblog_config_wg.xml)...... 9-12
FILTER_LIST Masks Sensitive Attributes in Log Files....................................................... 9-15
Valid Name/Value List........................................................................................................... 9-15
Another Valid Name/Value List........................................................................................... 9-15
Opening tag for a Name/Value List ..................................................................................... 9-16
Opening tag for a Name/Value List ..................................................................................... 9-16
A Default Log Configuration File Without Embedded Comments ................................ 9-19
rreg registration Sample Output.......................................................................................... 15-34
Updates for the 11g WebGate in mod_wl_ohs.conf ......................................................... 15-45
DCMaster.properties for Master............................................................................................ 18-4
DCClone1.properties for Clone ............................................................................................. 18-4
Sample oamMDCProperty.properties File......................................................................... 18-12
Default Transformation Rules................................................................................................ 19-9
Modified PrimaryServerList Transformation Rule........................................................... 19-10
Modified Transformation Rule for Different Agents........................................................ 19-11
Replication Rules XML File .................................................................................................. 19-11
Connection Configuration File............................................................................................. 26-32
Generated Input Test Script.................................................................................................. 26-33
Output File Generated During a Test Run ......................................................................... 26-35
Sample Statistics Document ................................................................................................. 26-36
Execution Log ......................................................................................................................... 26-38
logout.html Script .................................................................................................................. 30-24
Sample SOAP Attribute Request ......................................................................................... 38-20
Sample SOAP Attribute Response ...................................................................................... 38-20
Sample exchange: Request Security Token Sent By the Client ....................................... 42-21
Request Security Token Response sent by the Security Token Service ......................... 42-22
Sample merge-creds.xml....................................................................................................... 49-40
Creating the Keystore............................................................................................................ 53-33
Loading the Certificates ........................................................................................................ 53-33
Update jps-config.xml ........................................................................................................... 53-34
Adding the new Service Instance ........................................................................................ 53-34
Creating Credential Store Entries ........................................................................................ 53-35
Working with Identity Context Dictionary.......................................................................... 55-9
Using WLST To Grant Attribute Service Access To Application ................................... 55-10
Working with Identity Context Runtime ........................................................................... 55-10
Custom Function Creating Identity Context ..................................................................... 55-15
oam-config.xml....................................................................................................................... 57-19
Sample .ASP Page Code........................................................................................................ 59-22
Sample SSO Configuration for Access Manager ................................................................... A-5

Preface
This guide provides information on administration and configuration tasks using
Oracle Access Management.

Audience
This document is intended for Administrators who are familiar with:
■

Oracle WebLogic Server concepts and administration

■

LDAP server concepts and administration

■

Database concepts and administration (for policy and session management data)

■

Web server concepts and administration

■

Webgate and mod_osso agents

■

Auditing, logging, and monitoring concepts

■

Security token concepts

■

Integration of the Policy store, Identity store, and familiarity with Oracle Identity
Management and OIS might be required

Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle
Accessibility Program website at
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support
through My Oracle Support. For information, visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing
impaired.

Related Documents
This Preface is for the Oracle Fusion Middleware Administrator's Guide for Oracle Access
Management. It explains how to manage configuration and policies for Access
Manager, Security Token Service, Identity Federation, Access Portal, Mobile and
Social, Adaptive Authentication, Identity Context and other available services. For
more information, see the following documents in the Oracle Fusion Middleware 11g
Release 2 (11.1.2.3) documentation set:
lvii

■
■

■

■

Oracle Access Management 11g Release 2 (11.1.2.3) Release Notes
Oracle Fusion Middleware Installation Guide for Oracle Identity and Access
Management—Explains how to use the Oracle Universal Installer and the
WebLogic Configuration Wizard for initial Access Manager 11g deployment.
Installing 11g WebGates for Access Manager is also covered.
Oracle Fusion Middleware Developer's Guide for Oracle Access Management—Explains
how to write custom applications and plug-ins to functions programmatically, to
create custom Access Clients that protect non-Web-based resources.
Oracle Fusion Middleware Upgrade Guide for Java EE—For information about the
types of Java EE environments available in 10g and instructions for upgrading
those environments to Oracle Fusion Middleware 11g.

■

Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management

■

Oracle Fusion Middleware Migration Guide for Oracle Identity and Access Management

■

Oracle Fusion Middleware Performance and Tuning Guide

■

■

■

■

■

Oracle Fusion Middleware Administrator's Guide—Describes how to manage a secure
Oracle Fusion Middleware environment, including how to change ports, deploy
applications, and how to back up and recover Oracle Fusion Middleware. This
guide also explains how to move data from a test to a production environment.
Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity
Management—For a step-by-step guide to deployment.
Oracle Fusion Middleware High Availability Guide—For high availability conceptual
information as well as administration and configuration procedures for
Administrators, developers, and others whose role is to deploy and manage
Oracle Fusion Middleware with high availability requirements.
Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for Identity and
Access Management—Provides details on customized Identity and Access
Management WLST commands.
Oracle Fusion Middleware Security and Administrator's Guide for Web
Services—Describes how to administer and secure Web services.

Conventions
The following text conventions are used in this document:

lviii

Convention

Meaning

boldface

Boldface type indicates graphical user interface elements associated
with an action, or terms defined in text or the glossary.

italic

Italic type indicates book titles, emphasis, or placeholder variables for
which you supply particular values.

monospace

Monospace type indicates commands within a paragraph, URLs, code
in examples, text that appears on the screen, or text that you enter.

What's New in This Guide?
This chapter describes changes and updates to this book. See the following sections for
details.
■

Product Enhancements for Oracle Access Management 11.1.2.3.0

■

Product Enhancements for Oracle Access Management 11.1.2.2.0

■

Product Enhancements for Oracle Access Management 11.1.2.1.0

■

Product Enhancements in Oracle Access Management 11.1.2.0.0

■

Product and Component Name Changes with 11.1.2

Product Enhancements for Oracle Access Management 11.1.2.3.0
This list of enhancements has been developed for this Oracle Access Management
11.1.2.3.0 release. Where applicable, links to the documentation are included.
■

■
■

■
■

■

■

This Oracle Access Management 11g Release 2 (11.1.2.3) release allows for two
console interfaces. The familiar Oracle Access Management Console has been
updated and streamlined, and a new Access Manager Policy Manager Console,
deployable on a WebLogic Managed Server, has been introduced. Additional
information on the two consoles can be found in Section 2.3, "About the Oracle
Access Management Console and the Policy Manager Console."
Integrating OAM Identity Provider With Microsoft Office 365 Service Provider
AP Proxy Application Logon Packaging, see Chapter 54, "Configuring the Access
Portal Service."
New Administrator Roles, see Chapter 4, "Delegating Administration."
The Adaptive Authentication Service now offers multifactor authentication in
addition to the standard user name and password. Additional security is enforced
by adding a One Time Password (OTP) or a Push Notification step as a second
factor in the authentication process. It is configured in tandem with the Oracle
Mobile Authenticator mobile app. For details, see Part VIII, "Managing the
Adaptive Authentication Service and Oracle Mobile Authenticator."
WS-Federation 1.1 support has been implemented in the Federation Service using
WLST commands. See Section 37.6.4, "Using WS-Federation 1.1."
Mobile and Social
–

Mobile Services has been renamed to Mobile and Social Services.

–

Mobile and Social Services (Mobile Services) and OAuth Services now use a
direct connection to communicate with OAM. Prior to version 11.1.2.3, Mobile

lix

and Social only communicated with OAM using TCP/IP (that is, remote
mode). Now communication defaults to local, which is faster. Important! If
Mobile and Social is configured to communicate with OAM 10g in your
environment, set the OAM_LOCAL_MODE attribute to false. For details, see
Section 49.3.1, "Defining, Modifying or Deleting an Authentication Service
Provider" (for Mobile and Social Services) and Section 53.3.4, "Configuring the
Service Provider" (for OAuth Services).
■

DCC Enhancements for the following use cases:
–

Access Manager SSO flows for all OOTB schemes including forms, basic,
WNA, X509, TOTP, and RSA.

–

Unsolicited login where an external custom login page can submit to a DCC
end point instead of the ECC.

–

Converged Federation Service flows for both SP and IDP. DCC is capable of
tunneling SAML tokens to Access Manager.

–

OAAM step-up flows. DCC is capable of redirecting to OAAM and sending
the user’s context, then tunneling the TAP token back to Access Manager.

–

Flows in an MDC set-up.

See Section 22.5, "Understanding Authentication Methods and Credential
Collectors" and Chapter 23, "Understanding Credential Collection and Login."
■

■

■

Multi-Data Centers documentation has been upgraded and expanded. See Part V,
"Implementing Multi-Data Centers."
A JSON Web Token Plug-in has been added. See Chapter 22.7.8, "Configuring a
JSON Web Token Plug-in."
Access to the Forgot Password URL using Access Manager is discussed in
Section 2.9.1, "Administering the Forgot Password URL."

Product Enhancements for Oracle Access Management 11.1.2.2.0
This list of enhancements has been developed for this Oracle Access Management
11.1.2.2.0 release. Where applicable, links to the documentation are included.
■

Understanding Multi-Data Centers

■

Delegating Administration

■

OAuth Service
The Oracle Access Manager OAuth 2.0 Service provides a standards compliant
OAuth 2.0 authorization server with support for both 3-legged and 2-legged
OAuth flows and enables the OAuth 2.0 Client and the OAuth 2.0 Resource Server
roles. It also provides support for mobile OAuth 2.0 clients (such as native
applications on mobile devices) and includes built-in support for mobile
application registration and device identification during the OAM OAuth 2.0
mobile flow ensuring trusted access from mobile devices and built-in server side
single sign-on. It is ideally suited for enterprise scenarios that may require higher
levels of security during an OAuth flow and would benefit from built-in OAM
integrations provided by the OAM OAuth 2.0 service.

lx

■

Introduction to Application Domain and Policy Creation

■

Administering Identity Federation As An Identity Provider

■

Managing Oracle Access Management Oracle Access Portal

■

Understanding the Oracle Access Management Console
Policy Management Enhancements include:

■

–

Right click menu items available for all search result tables

–

Duplicate Resources, Authentication Policies, Authorization Policies and
Token Issuance Policies and create new objects using the duplicate (Copy of)

–

Search for the Host Identifier from the Resource page

–

New Administrator tab in the Application Domain edit screen

–

New Advance Rules tab (with Pre-Authentication and Post-Authentication
sub tabs) in Authentication Policy

For Granular Timeout and cookie-based session management, see Maintaining
Access Manager Sessions

■

SHA2 encryption for all WebGate servers

■

Configuring Policy Ordering

■

Using Application Initiated Authentication

■

Understanding Persistent Login (Remember Me)

■

Coexistence enhancements

■

Support added for Internet Protocol version 6 (IPv6)

Product Enhancements for Oracle Access Management 11.1.2.1.0
The following list outlines the enhancements available with Oracle Access
Management 11.1.2.1.0.
■

■

■

■

■

■

Newly certified integrations described in:
–

Chapter 60: Outlook Web Application (OWA) 2010

–

Chapter 61: Microsoft Forefront Threat Management Gateway (TMG) 2010

–

Chapter 62: SAP Enterprise Portal v6.0 and v7.0

–

Oracle Fusion Middleware Third-Party Application Server Guide for Oracle
Identity and Access Management (WebSphere Portal)

Authentication POST Data preservation and restoration is explained in:
"Configuring Authentication POST Data Handling" on page 22-90.
Long URL handling is explained in "Long URL Handling During Authentication"
on page 22-95.
Step up authentication is described in "Creating and Managing Step-Up
Authentication" on page 22-50.
Language selection on Login page is described in "Choosing a User Login
Language" on page 2-13.
Configurable WebGate Request Context Cookie Expiry Time is explained in:
–

Table 15–2, " User-Defined WebGate Parameters"

–

"OAMRequestContext" on page 21-17

lxi

Product Enhancements in Oracle Access Management 11.1.2.0.0
Oracle Access Management 11.1.2.0.0 provides new functions and enhancements
outlined in following topics.
■

November 2012 Book Refresh

■

August 2012 Book Refresh

■

Access Management Services

■

Access Tester

■

Attribute Type Authorization Condition

■

Deprecation

■

Detached Credential Collection

■

Dynamic Multi-Factor/Multi-Step Authentication

■

Identity Context

■

Integration with Third Party Products

■

LDAP Search Filters in Identity Conditions

■

Leverage SubjectAltName Extension Data/Integrate with Multiple OCSP
Endpoints

■

Mobile and Social

■

Multiple Identity Store Support

■

OpenSSO Support

■

Password Policy Management

■

Query String Name and Value Parameters in a Resource Definition Pattern

■

Resource Type TokenServiceRP for Non-Browser Client-enabled WebGate

■

RESTful Services

■

Shared Secret Key: Access Client and Software Developer Kit Enhancement

■

Token Issuance Policy for Mobile and Social

■

Tuning Performance

■

User-Defined Parameters: 11g WebGate

November 2012 Book Refresh
The following information has been added or updated:
■

Chapter 1: Added "About System Requirements and Certification".

■

Chapter 2: Removal (redundant) has altered chapter numbers.

■

■

lxii

Chapter 3: Moved password policy, refocused for ECC, into Chapter 16 with other
authentication details.
Chapter 6: Added descriptions of loggers to:
–

Table 7–3, " Oracle Access Management Server-Side Component Loggers"

–

Table 7–4, " Oracle Access Management Shared-Service Engine Component
Loggers"

–

Table 7–5, " Oracle Access Management Foundation API Component Loggers"

■

Chapter 12: Re-focused for 11g OAM Agents (WebGates and Access Clients).

■

Chapter 13:

■

–

Combined console and remote registration for 11g OAM Agents.

–

Moved Configuring 11g WebGates and Authentication Policy for DCC to
chapter 20.

Chapter 15:
–

■

■

Added Understanding Credential Collection and Login.

Chapter 16: Relocated authentication details with other shared policy components:
–

Combined console and remote registration for 11g OAM Agents.

–

Added "Understanding Credential Collection and Login"

–

Refocused and moved from chapter 3: "Managing Global Password Policy"

–

Moved "Configuring 11g WebGates and Authentication Policy for DCC" from
chapter 3.

Chapter 17:
–

Added "Understanding Remote Policy and Application Domain
Management".

–

Added "Managing Policies and Application Domains Remotely".

■

Chapter 20: Relocated OpenSSO Agent registration and management details here.

■

Chapter 20: Relocated OSSO Agent registration and management details here.

■

■

Chapter 22: Expanded 10g OAM Agent details to include console and remote
registration updates, and logout with Access Manager.
Appendix A: Relocated to relevant logout configuration details.

August 2012 Book Refresh
This book has been updated to address reported issues. Global updates include
cosmetic changes and updated screens.
See Also:
■

■
■

The following topics are new or updated in this release.

Table 25–31, " Fresh OSSO Installation: Protected Policy Response
(Header)" for details about obtaining subscriber DN information
from Oracle Internet Directory.
Table 22–13, " Parameter Details for Various Plug-ins"
Section 38.3.1, "Creating Remote Identity Provider Partners" for
details about defining OpenID 2.0 IdP partners for federation.

Access Management Services
Several previously separate access products of the Oracle Identity Management
portfolio are combined into one product: Oracle Access Management.

lxiii

See Also:
■

Chapter 1, "Introducing Oracle Access Management"

■

Part IV, "Managing Access Manager Settings and Agents"

■

■

■

Part IX, "Managing Oracle Access Management Identity
Federation"
Part XI, "Managing Oracle Access Management Mobile and
Social"
Part XIV, "Using Identity Context"

Access Tester
The Access Tester can validate the connections in the pool and make cache flush
(SYNC_INFO) requests to be sent over a connection that is already established; instead
of using out-of-band connection for cache flush requests.
See Also: Chapter 26, "Validating Connectivity and Policies Using
the Access Tester"

Attribute Type Authorization Condition
Authorization conditions enable you to implement dynamic security policies and
resulted in changes to the Policy Configuration interface in the Oracle Access
Management Console:
■

Authorization Conditions: The earlier constraint class is renamed as a Condition
Type. Conditions contain no Allow or Deny specification; however, new Rules
specify Allow or Deny access options.
See Also: "Introduction to Authorization Policy Rules and
Conditions" on page 25-40

■

A new condition type: Attribute.
See Also:

■

"About Attribute Conditions" on page 25-56

Use of Implied Constraints option in policies is replace, allowing you to create
particular condition types by instantiating those and selecting rules.
See Also: "Introduction to Authorization Policy Rules and
Conditions" on page 25-40

Deprecation
Standard Authentication Modules (LDAP, Kerberos, and X509) are targeted for
deprecation in future releases. Oracle strongly recommends using native or custom
Plug-ins rather than standard Authentication Modules.
See Also:
■

■

lxiv

Table 22.7, "Orchestrating Multi-Step Authentication with Plug-in
Based Modules" on page 22-29
Oracle Fusion Middleware Developer's Guide for Oracle Access
Management if you want to create custom authentication plug-ins.

Detached Credential Collection
Detached credential collection is an additional capability of the 11g WebGate (OAM
Agent). This is required for secure dynamic multi-factor/multi-step authentication.
You can easily enable the 11g WebGate to use as a DCC; or continue using the
embedded credential collector (ECC) in the OAM Server.
See Also: "Configuring 11g WebGates and Authentication Policy for
DCC"

Dynamic Multi-Factor/Multi-Step Authentication
Multi-factor authentication requires a custom authentication plug-in to transmit
information to the back-end authentication scheme several times during the login
process. All information collected by the plug-in and saved in the context will be
available to the plug-in through the authentication process. Context data can also be
used to set cookies or headers in the user's login page.
See Also:
■

Oracle Fusion Middleware Developer's Guide for Oracle Access
Management

Identity Context
Identity Context leverages the context-aware policy management and authorization
capabilities built into the Oracle Access Management platform. Identity Context
secures access to resources using traditional security controls (roles and groups) as and
dynamic data established during authentication and authorization (strength, risk
levels, device trust, and so on).
See Also:

Chapter 55, "Using Identity Context"

Integration with Third Party Products
Details of integrating Access Manager with third-party products have moved from the
earlier Oracle Fusion Middleware Integration Guide for Oracle Access Manager to this
book. The following integrations are supported:
See Also: Part XV, "Integrating Access Manager with Other
Products"
■

■

■
■

Chapter 56, "Integrating RSA SecurID Authentication with Access
Manager"
Chapter 57, "Configuring Access Manager for Windows Native
Authentication"
Chapter 58, "Integrating JBoss with Access Manager"
Chapter 59, "Integrating Microsoft SharePoint Server with Access
Manager"

LDAP Search Filters in Identity Conditions
Access Manager authorization conditions accept a list of users, groups, and LDAP
search filters as part of allowed or denied identities. LDAP search filters provide a
simple way of specifying a target identity population without having to reorganize or
create new groups in the identity store (directory server). This brings to Access
Manager 11g, parity with Oracle Access Manager 10g.

lxv

See Also: "About LDAP Search Filter Support in Identity
Conditions" on page 25-47

Leverage SubjectAltName Extension Data/Integrate with Multiple OCSP
Endpoints
Access Manager support for personal identity verification (PIV) cards (a United States
Federal smart card), is to use FASC-N and EDIPI attributes from the SubjectaltName
extension to map the user during X.509 authentication. While multiple OCSP
providers are not supported, you can use an OCSP Gateway or write a custom
authentication plug-in that uses the OSDT OCSP APIs to validate against multiple
OCSP providers.
See Also:
■

"Example: Leveraging SubjectAltName Extension Data and
Integrating with Multiple OCSP Endpoints" on page 22-46

Mobile and Social
Mobile and Social serves as an intermediary between a user seeking to access
protected resources, and the back-end Oracle Access Management and Oracle Identity
Management services that protect those resources. Mobile and Social services'
pluggable architecture enables Administrators to add, modify, and remove Identity
and Access Management services without having to update user installed software.
See Also: Part XI, "Managing Oracle Access Management Mobile
and Social"

Multiple Identity Store Support
Administrators can install multiple user identity stores for Access Manager. Each
identity store can rely on a different LDAP provider. Each authentication module (or
plug-in within an authentication step) can be configured to use a specific user identity
store.
See Also:
■
■

"Using Multiple Identity Stores" on page 5-6
"Orchestrating Multi-Step Authentication with Plug-in Based
Modules" on page 22-29

OpenSSO Support
Access Manager supports Web and Java Agents deployed on Web or J2EE containers.
Each OpenSSO Agent is a filter that is plugged into the container (Oracle WebLogic
Server, JBoss, Apache, and so on) that hosts applications.
Access Manager provides an OpenSSO Proxy to handle requests for resources
protected by OpenSSO Agents. The Oracle-provided OpenSSO Proxy facilitates single
sign-on to OpenSSO Agent-protected applications by enabling communication
between the agent and the OAM Server.
See Also:
■
■

lxvi

Chapter 28, "Registering and Managing Legacy OpenSSO Agents"
Oracle Fusion Middleware Upgrade Guide for Oracle Identity and
Access Management

Password Policy Management
Access Manager enables password policy management through the Oracle Access
Management Console. The global password policy applies to Access Manager users
when the Password Policy Validation Module is implemented. The password policy is
stored within the policy store and applies to all resources protected by Access
Manager.
See Also:
■

"Managing Global Password Policy"

■

"Configuring 11g WebGates and Authentication Policy for DCC"

Query String Name and Value Parameters in a Resource Definition Pattern
The Policy Model supports Query String Name and Value Parameters in a Resource
Pattern Definition:
See Also:
■

"About Query String Name and Value Parameters for Resource
Definitions" on page 25-21

Resource Type TokenServiceRP for Non-Browser Client-enabled WebGate
A TokenServiceRP type resource represents resources for, and is based on, the Token
Service Relying Party (required for non-browser clients such as Identity Connect).
See Also: "Managing TokenServiceRP Type Resources in
Application Domains" on page 45-32

RESTful Services
Oracle Access Management supports programmatic RESTful services.
See Also: Oracle Fusion Middleware Developer's Guide for Oracle
Access Management

Shared Secret Key: Access Client and Software Developer Kit
Enhancement
Custom Access Clients developed using the Access Manager 11g Access Software
Developer Kit support the 11g Shared Secret Key Per Agent (WebGate or Access
Client) security feature. Each agent has its own secret key that is shared between the
Access Client and the OAM Server to encrypt or decrypt the host-based
Access-Client-specific OAMAuthnCookie. Even if one Access Client is compromised,
the impact is limited to that particular Access Client; no other Access Clients are
affected.
Note: There is no impact to existing 10g ASDK users. Oblix class
wrappers can be modified to create Access Client instances with 10g
mode transparently. However, to operate in 11g compatible mode,
Oracle java APIs should be used.

Access Manager 11g Pure Java ASDK provides both Oracle Java APIs (in
oracle.security.am.asdk packages) and Oblix Java APIs (in com.oblix.access packages).
Access Manager 11g Pure Java Access Clients:

lxvii

■

■

Communicate with OAM Servers using Oracle Java APIs and either Oracle Access
Protocol version 3 (or version 4 which supports Shared Secret Key Per WebGate
security feature)
Communicate with 10g Servers using Oblix Java APIs and Oracle Access Protocol
version 3 only (with no support for SSKPA)
See Also: Oracle Fusion Middleware Developer's Guide for Oracle
Access Management

Token Issuance Policy for Mobile and Social
A Token Issuance Policy is required for clients for Mobile and Social performing
authentication and authorization.
See Also: Part XI, "Managing Oracle Access Management Mobile
and Social" for details about Mobile and Social Authentication Service

Tuning Performance
A survey of topics is provided to help tune a deployed Oracle Access Management
environment to ensure optimal performance and stability.
See Also: Oracle Fusion Middleware Performance and Tuning
Guide

User-Defined Parameters: 11g WebGate
11g WebGate works with browser clients. However, there are cases where a
non-browser (Representational State Transfer (REST) client needs to access HTTP
resources and perform authentication and authorization.
See Also:
■

■

■

"About 11g WebGate Functionality for Mobile and Social" on
page 14-5
Part XI, "Managing Oracle Access Management Mobile and
Social"
Oracle Fusion Middleware Developer's Guide for Oracle Access
Management

Product and Component Name Changes with 11.1.2
Oracle Access Management provided some product and component name changes, as
shown in the following table.
Item
Services

In Oracle Access Management 11.1.2

In Oracle Access Management 11.1.1

Access Manager

Access Manager

Identity Federation

N/A

Security Token Service

Security Token Service

Mobile and Social

N/A

Identity Context (always enabled)
Agents

lxviii

WebGate (OAM Agent)

WebGate (OAM Agent)

Access Client (OAM Agent)

Access Client (OAM Agent)

OSSO Agent

OSSO Agent

OpenSSO Agent

N/A

Item

In Oracle Access Management 11.1.2

In Oracle Access Management 11.1.1

Console Names

Oracle Access Management Console

Oracle Access Manager Console

Administrators

Administrator or Oracle Access Management
Administrator

Oracle Access Manager Administrator

Agent and Application
Domain Registration

Oracle Access Management Console

Oracle Access Manager Console
Remote registration tool

Policy Creation

Remote registration tool for automated Agent
registration, Application Domain creation with
default security policies.

Authorization

Conditions and Rules

Constraints

lxix

lxx

Part I
Part I

Introduction to Oracle Access Management
Part I provides an introduction to Oracle Access Management. It contains information
on the available services as well as instructions on how to login and start using the
Oracle Access Management Console. This part contains the following chapters.
■

Chapter 1, "Introducing Oracle Access Management"

■

Chapter 2, "Getting Started with Oracle Access Management"

1
Introducing Oracle Access Management
1

This chapter introduces Oracle Access Management, the enterprise-level security
platform. Oracle Access Management includes Oracle Access Management Access
Manager (Access Manager) and many incorporated services including (but not limited
to) Identity Federation, Mobile and Social, Security Token Service, Identity Context
and Access Portal.

[2]

The following sections provide a high-level overview of the Oracle Access
Management architecture and these services.
■

Understanding Oracle Access Management Services

■

Understanding Oracle Access Management Access Manager

■

About Access Manager 11.1.2.3.0

■

About System Requirements and Certification

■

Understanding Oracle Access Management Installation

1.1 Understanding Oracle Access Management Services
Oracle Access Management is a Java, Enterprise Edition (Java EE)-based
enterprise-level security application that provides a full range of Web-perimeter
security functions and Web single sign-on services including identity context,
authentication and authorization; policy administration; testing; logging; auditing; and
more. It leverages shared platform services including session management, Identity
Context, risk analytics, and auditing, and provides restricted access to confidential
information. Many existing access technologies in the Oracle Identity Management
stack converge in the Oracle Access Management stack as illustrated in Figure 1–1.

Introducing Oracle Access Management

1-1

Understanding Oracle Access Management Services

Figure 1–1 Oracle Access Management Overview

Starting with release 11.1.2, Oracle Access Management includes these services.
■

■

■

■

Oracle Access Management Access Manager (Access Manager) is described in
"Understanding Oracle Access Management Access Manager" on page 1-3 and the
following parts of this guide.
–

Part II, "Managing Common and System Configurations"

–

Part III, "Logging, Auditing, Reporting and Monitoring Performance"

–

Part IV, "Managing Access Manager Settings and Agents"

–

Part VI, "Managing Access Manager SSO, Policies, and Testing"

–

Part VII, "Registering and Using Agents with Access Manager"

–

Part XV, "Integrating Access Manager with Other Products"

Oracle Access Management Identity Federation (Identity Federation) provides
cross-domain single sign-on support using open federation protocol standards
such as SAML and OpenID. Beginning with release 11.1.2, Identity Federation has
been incorporated as a part of the Oracle Access Management platform, leveraging
its shared services. This Identity Federation service includes a streamlined user
interface and administration experience. For more information, see the chapters
listed in Part IX, "Managing Oracle Access Management Identity Federation."
Oracle Access Management Security Token Service (Security Token Service)
provides token validation and generation to facilitate access to services across
security domains and beyond organizational boundaries. Essentially the service
acts as a trust-broker that receives and validates client requests and generates
appropriate tokens for a requested resource. For more information, see the
chapters listed in Part X, "Managing Oracle Access Management Security Token
Service."
Oracle Access Management Mobile and Social (Mobile and Social) acts as an
intermediary between a user seeking access to protected resources, and the
back-end Identity and Access Management services that protect the resources.
Mobile and Social extends security and compliance to mobile platforms and
simplifies integration with Social Identity services including Facebook and
Google. Mobile and Social RESTful enables Identity and Access Management

1-2 Administrator's Guide for Oracle Access Management

Understanding Oracle Access Management Access Manager

infrastructure and includes platform-specific developer kits for leading mobile
platforms that enables developers to easily access security services and enable
single sign-on across native and mobile browser-based applications. For more
information, see the chapters listed in Part XI, "Managing Oracle Access
Management Mobile and Social."
■

■

■

■

Oracle Access Portal is a hosted single sign-on proxy service that enables intranet
and extranet applications with Oracle's form-fill single sign-on technology. It also
provides REST interfaces that implement the Web Logon Manager end-user web
application as well as custom front-end applications for user-level management of
application credentials via desktop and mobile Web browsers. With the 11.1.2.2
release, Oracle Access Portal has been incorporated into the Oracle Access
Management platform. For more information, see the chapters listed in Part XIII,
"Managing Oracle Access Management Oracle Access Portal."
The Adaptive Authentication Service is a One Time Password Authenticator that
provides multifactor authentication in addition to the standard user name and
password type authentication. It provides a framework for adding a custom
second factor authentication processor that accepts a PIN from a user. For more
information, see the chapters listed in Part VIII, "Managing the Adaptive
Authentication Service and Oracle Mobile Authenticator."
OAuth Services allows organizations to implement the open OAuth 2.0 Web
authorization protocol in an Access Manager environment. OAuth Services
enables a client to access resources protected by Access Manager that belong to
another resource owner. An OAuth client can be an application or service created
and controlled by your organization, or it can be an application or service created
and controlled by another organization that requires access to resources protected
by Access Manager. For more information, see the chapters listed in Part XII,
"Managing the Oracle Access Management OAuth Service."
Identity Context provides context-aware security policy management that enables
Administrators to control the level of security imposed in an application delivery
environment through security frameworks provided by Oracle Identity
Management. For more information, see the chapters listed in Part XIV, "Using
Identity Context".

OpenSSO 8.0 and Sun Access Manager 7.1 have also converged into Oracle Access
Management 11.1.2. For more information, see:
■

Chapter 28, "Registering and Managing Legacy OpenSSO Agents"

■

Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management

1.2 Understanding Oracle Access Management Access Manager
Oracle Access Management Access Manager (Access Manager) is the former
(standalone) product named Oracle Access Manager. Access Manager provides the
Oracle Fusion Middleware 11g single sign-on (SSO) solution. It operates
independently (as described in this book) but can also operate with the Access
Manager Authentication Provider as described in the Oracle Fusion Middleware
Application Security Guide.

Introducing Oracle Access Management

1-3

Understanding Oracle Access Management Access Manager

For information on the differences between Access Manager
11g, 10g and other software, see:

Note:
■
■

■

"Comparing Access Manager 11.1.2 and 10g" on page 30-5
"Comparing Access Manager 11g SSO versus OSSO 10g" on
page 29-2
"Introduction to OpenSSO, Agents, Migration and Co-existence"
on page 28-1

Access Manager SSO allows users and groups to access multiple applications after
authentication, eliminating the need for multiple sign-on requests. To enable SSO, a
Web server, Application Server, or any third-party application must be protected by a
WebGate (or mod_osso instance) that is registered as an agent with Access Manager.
Administrators then define authentication and authorization policies to protect the
resource. To enforce these authentication policies, the agent acts as a filter for HTTP
requests.
WebGates are agents provided for various Web servers by
Oracle as part of the product. Custom access clients, created using the
Access Manager SDK, can be used with non-Web applications. Unless
explicitly stated, information in this book applies equally to both.

Note:

You can also integrate any Web applications currently using Oracle ADF Security and
the OPSS SSO Framework with Access Manager. (See Appendix A, "Integrating Oracle
ADF Applications with Access Manager SSO.") The following sections contain more
details on Access Manager.
■

About Components in Access Manager

■

Understanding Access Manager Deployments

1.2.1 About Components in Access Manager
Access Manager 11g sits on an instance of Oracle WebLogic Server and is part of the
Oracle Fusion Middleware Access Management architecture. While providing
backward compatibility and co-existence with existing solutions, Access Manager 11g
replaces and converges the earlier technologies Access Manager 10g and Oracle
Application Server SSO (OSSO) 10g. Figure 1–2 illustrates the primary Access
Manager 11g components and services. The Protocol Compatibility Framework
interfaces with OAM WebGates, mod_osso agents, and custom Access Clients created
using the Access Manager Software Developer Kit (SDK).
This section does not illustrate or discuss all Access Manager
components.

Note:

1-4 Administrator's Guide for Oracle Access Management

Understanding Oracle Access Management Access Manager

Figure 1–2 Access Manager 11g Components and Services

Figure 1–3 illustrates the distribution of Access Manager components.
Figure 1–3 Access Manager 11g Component Distribution

The Oracle Access Management Console resides on the Oracle WebLogic
Administration Server (referred to as AdminServer). WebLogic Managed Servers
hosting OAM runtime instances are known as OAM Servers. Information shared
between the two includes:
■

Agent and server configuration data

■

Access Manager policies

■

Session data (shared among all OAM Servers)

Starting in the 11g Release 2 (11.1.2.3), a Policy Manager Console can optionally be
deployed on the WebLogic Managed Servers. See Section 2.3, "About the Oracle Access
Management Console and the Policy Manager Console" for details.

1.2.2 Understanding Access Manager Deployments
Table 1–1 describes the types of deployments in which Access Manager might be
installed by your enterprise.

Introducing Oracle Access Management

1-5

Understanding Oracle Access Management Access Manager

Table 1–1

Access Manager Deployment Types

Deployment Type

Description

Development Deployment

Ideally a sandbox-type setting where the dependency on the
overall deployment is minimal

QA Deployment

Typically a smaller shared deployment used for testing

Pre-production Deployment Typically a shared deployment used for testing with a wider
audience
Production Deployment

Fully shared and available within the enterprise on a daily basis

During initial installation and configuration of Access Manager in your deployment,
you create a new WebLogic Server domain (or extend an existing domain). Regardless
of the deployment size or type, in a new WebLogic Server domain, the following
components are installed using the Oracle Fusion Middleware Configuration Wizard.
■

WebLogic Administration Server
In an existing WebLogic Server domain, the WebLogic
Administration Server is already installed and operational.

Note:

■

Oracle Access Management Console deployed on the WebLogic Administration
Server

■

A WebLogic Managed Server for Oracle Access Management services

■

Application deployed on the Managed Server
See Also: "Understanding Oracle WebLogic Server Domains" in the
Oracle Fusion Middleware Understanding Domain Configuration for Oracle
WebLogic Server guide provides information about Oracle WebLogic
Server administration domains.

Once the domain is configured, additional details are defined for OAM Servers,
Database Schemas, (optional) WebLogic Managed Servers and clusters, and the
following store types:
■

Policy Store: The default policy store is file-based for development and
demonstration purposes, and is not supported in production environments. All
policy operations and configurations are performed directly on the database
configured as the policy store in production environments.
See Also:

■

"Managing the Policy and Session Database" on page 5-29

Identity Store: The default Embedded LDAP data store is set as the primary user
identity store for Access Manager.
See Also: "Registering and Managing User Identity Stores" on
page 5-4

■

Keystore: A Java keystore is configured for certificates for Simple or
Certificate-based communication between OAM Servers and WebGates during
authorization. The keystore bootstrap also occurs on the initial AdminServer
startup after running the Configuration Wizard.
See Also:

"Managing the Policy and Session Database" on page 5-29

1-6 Administrator's Guide for Oracle Access Management

About Access Manager 11.1.2.3.0

1.3 About Access Manager 11.1.2.3.0
The following sections provide details on the features available (and not available) in
Access Manager 11.1.2.3.0.
■

About the Features Of Access Manager 11.1.2.3.0

■

About Features Not In Access Manager 11.1.2.3.0

1.3.1 About the Features Of Access Manager 11.1.2.3.0
Table 1–2 provides an overview of Access Manager 11.1.2. For a list of names that have
changed with 11.1.2, see "Product and Component Name Changes with 11.1.2" on
page lxviii.
Table 1–2

Features in Access Manager 11.1.2

Access Manager 11g

Description

Oracle Identity
Enables secure, central management of enterprise identities.
Management Infrastructure
Policy Enforcement Agents

Resides with the relying parties and delegate authentication and authorization tasks to OAM
Servers.
■

11g OAM Agents, Chapter 15

■

10g OAM Agents and the Pre-configured IAMSuiteAgent (10g OAM Agent), Chapter 30

■

OpenSSO Agents, Chapter 28

■

10g OSSO Agents (mod_osso), Chapter 29

Notes:
Nine Administrator languages are supported.
Unless explicitly stated, the term "Webgate" refers to both an out of the box Webgate or a custom
Access Client.
See Chapter 14 for an introduction to agents.
OAM Server (installed on a WebLogic Managed Sever),

Server-side components

■

Console

Oracle Access Management Console provides access to all services and configuration details.
See Chapter 2.

Protocols for information
exchange on the Internet

Front channel protocols exchanged between Agent and Server: HTTP/HTTPS.

Proxy

Provides support for legacy systems

Back channel protocols: Authenticated clients can perform session operations using enhancements
in the Oracle Access Protocol (OAP).

■

OAM Proxy supports legacy Access Manager implementations by acting as a legacy Access
Server.
"Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security" on page 13-6
"Introduction to OAM Proxy Metrics and Tuning" on page 11-10

■
■

OSSO Proxy supports OSSO Agents by acting as the legacy OSSO Server. See Chapter 29.
Oracle-provided OpenSSO Proxy handles requests for resources protected by OpenSSO
Agents. See Chapter 28.

See Also: About the Embedded Proxy Server and Backward Compatibility and the new Part XIII,
"Managing Oracle Access Management Oracle Access Portal."

Introducing Oracle Access Management

1-7

About Access Manager 11.1.2.3.0

Table 1–2 (Cont.) Features in Access Manager 11.1.2
Access Manager 11g

Description

Cryptographic keys

Note: One key is generated and used per registered mod_osso or 11g Webgate. However, one
single key is generated for all 10g Webgates.
■

■

■

■

Keys storage

During 11g agent registration, one per-agent secret key shared is generated for encrypting and
decrypting SSO cookies between 11g Webgate and OAM Server. See Chapter 15.
During 10g agent registration, a global shared secret key is generated across all of Access
Manager 11g (all Agents and OAM Servers). See Chapter 30.
During OSSO agent registration, One key per partner shared between mod_osso and OSSO
server. See Chapter 29.
OpenSSO Agent Host- or Domain-based key stored locally in Agent bootstrap file on the
Agent host. See Chapter 28.

■

During OAM Server registration, one server key is generated.

■

Agent side: A per-agent key is stored locally in the Oracle Secret Store in a wallet file

■

OAM Server side: Per- agent keys, and server keys, are stored in the credential store on the
server side

Introduces client-side cryptography and ensures that cryptography is performed at both the agent
Encryption / Decryption
(The process of converting and server ends:
encrypted data back into its
1.
Webgate encrypts obrareq.cgi using the agent key.
original form)
Note: obrareq.cgi is the authentication request in the form of a query string redirected from
Webgate to OAM Server.
2.

OAM Server decrypts the request, authenticates, creates the session, and sets the server
cookie.

3.

OAM Server also generates the authentication token for the agent (encrypted using the agent
key), packs it in obrar.cgi with a session token (if using cookie-based session management),
authentication token and other parameters, then encrypts obrar.cgi using the agent key.
Note: obrar.cgi is the authentication response string redirected from the OAM Server to
Webgate.

4.

Webgate decrypts obrar.cgi, extracts the authentication token, and sets a host-based cookie.

Policy Store

Database in production environments; file-based in demonstration and development
environments, as described in "Managing the Policy and Session Database" on page 5-29.

Applications

An application that delegates authentication and authorization to Access Manager and accepts
headers from a registered Agent.
Note: External applications do not delegate authentication. Instead, these display HTML login
forms that ask for application user names and passwords. For example, Yahoo! Mail is an external
application that uses HTML login forms.

SSO Engine

Manages the session lifecycle, facilitates global logout across all relying parties in the valid session,
and provides consistent service across multiple protocols. Uses Agents registered with Access
Manager 11g:
■

■

■

Authentication with the default embedded credential collector occurs across the HTTP
(HTTPS) channel
Authentication with the optional detached credential collector occurs across the Oracle Access
Protocol (OAP) channel
Authorization occurs across the Oracle Access Protocol (OAP) channel

See: Chapter 21
Session Management

■

Global session specifications are enabled for all Application Domains and resources. In
addition, Application Domain-specific session overrides can be configured.

See Chapter 16.
Policies

Registered agents rely on Access Manager authentication, authorization, and token issuance
policies to determine who gets access to protected applications (defined resources).
See: Chapter 25

Client IP

Response token replay
prevention

■

■

Maintains this client's age, and includes it in the host-based cookie: OAMAuthnCookie for 11g
Webgate (or ObSSOCookie for 10g Webgate)
Include RequestTime (the timestamp just before redirect) in obrareq.cgi and copy it to
obrar.cgi (the authentication response string redirected from the OAM Server to Webgate) to
prevent response token replay.

1-8 Administrator's Guide for Oracle Access Management

About System Requirements and Certification

Table 1–2 (Cont.) Features in Access Manager 11.1.2
Access Manager 11g

Description

Multiple network domain
support

Access Manager 11g supports cross-network-domain single sign-on out of the box.

Cookies

Oracle recommends you use Oracle Federation for this situation.
Host-based authentication cookie:
■

11g Webgate, One per agent: OAMAuthnCookie_host:port_random_number set by Webgate
using the authentication token received from the OAM Server after successful authentication.
Note: A valid OAMAuthnCookie is required for a session.

■

■
■

11g Webgate, Transient: OAM_REQ is scoped to the OAM Server. OAM_REQ is set or cleared
by the OAM Server if the Authentication request context cookie is enabled. Protected with
keys known to the OAM Server only. This cookie is configured as a high availability option to
store the state about the user's original request to a protected resource while his credentials
are collected and authentication is performed.
10g Webgate, One ObSSOCookie for all 10g Webgates.
One for the OAM Server: OAM_ID, which is scoped to the OAM Server. OAM_ID is
generated by the OAM Server when the user is challenged for credentials and submitted to
the server on every redirect to the server.

See Chapter 21.
Centralized log-out

■

■

The logOutUrls (10g Webgate configuration parameter) is preserved. 10g logout.html
requires specific details for Access Manager 11g. See Chapter 30.
11g Webgate parameters are new:
Logout Redirect URL
Logout Callback URL
Logout Target URL

See Chapter 27.

1.3.2 About Features Not In Access Manager 11.1.2.3.0
Table 1–3 lists several features provided in Access Manager 10g but not included in
Access Manager 11.1.2.
Table 1–3

Features Not Available In Access Manager 11.1.2

Unavailable or Unsupported Feature
Extensibility framework required for building custom authorization plug-ins.
Authorization for mod_osso-protected resources

1.4 About System Requirements and Certification
Refer to the system requirements and certification documentation on Oracle
Technology Network (OTN) for information about hardware and software
requirements, platforms, databases, and other information.
The system requirements document covers information such as hardware and
software requirements, minimum disk space and memory requirements, and required
system libraries, packages, or patches:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-requirem
ents-100147.html
The certification document covers supported installation types, platforms, operating
systems, databases, JDKs, and third-party products:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certific
ation-100350.html

Introducing Oracle Access Management

1-9

Understanding Oracle Access Management Installation

1.5 Understanding Oracle Access Management Installation
The following sections contain information and links regarding Access Manager
installation and post-installation tasks.
■

About Oracle Access Management Installation

■

About Oracle Access Management and WebGates

■

About Oracle Access Management Post-Installation Tasks

1.5.1 About Oracle Access Management Installation
The Oracle Fusion Middleware Supported System Configurations document provides
certification information on supported installation types, platforms, operating systems,
databases, JDKs, and third-party products related to Oracle Identity Management 11g.
You can access the Oracle Fusion Middleware Supported System Configurations document
by searching the Oracle Technology Network (OTN) Web site using the document
name, or click the link below.
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-10
0350.html

Using the Oracle Fusion Middleware Configuration Wizard, the following components
are deployed for a new domain:
■
■

WebLogic Administration Server
Oracle Access Management Console deployed on the WebLogic Administration
Server (sometimes referred to as the OAM Administration Server, or simply
AdminServer)

■

A Managed Server for Oracle Access Management

■

An application deployed on the Managed Server

See the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access
Management for details on installation.

1.5.2 About Oracle Access Management and WebGates
OracleAS 10g SSO deployments can be upgraded to use Oracle Access Management
11g SSO. After upgrading and registering OSSO Agents, authentication is based on
Access Manager 11g Authentication Policies. However, only OAM Agents
(WebGates/Access Clients) use Access Manager 11g authorization policies. Over time,
all mod_osso agents in the upgraded environment should be replaced with WebGates
to enable use of 11g authorization policies.
For details about co-existence after the upgrade, see Oracle Fusion Middleware Upgrade
Guide for Oracle Identity and Access Management.

1.5.3 About Oracle Access Management Post-Installation Tasks
Each WebLogic Server domain is a logically related group of Oracle WebLogic Server
resources. WebLogic administration domains include a special Oracle WebLogic Server
instance called the Administration Server. Usually, the domain includes additional
Oracle WebLogic Server instances called Managed Servers, where Web applications
and Web Services are deployed.
During initial deployment, the WebLogic Administrator userID and password are set
for use when signing in to both the Oracle Access Management and WebLogic Server

1-10 Administrator's Guide for Oracle Access Management

Understanding Oracle Access Management Installation

Administration Console. A different Administrator can be assigned for Oracle Access
Management, as described in "About Oracle Access Management Administrators" on
page 2-3. Administrators can log in and use the Oracle Access Management Console
for the post-installation tasks documented in Table 1–4.
Table 1–4

Oracle Access Management Post-Installation Tasks

Service
Access Manager

Requirements
Enable Access Manager Service.
Register:
■

Data Sources

■

OAM Server instances

■

Agents for Access Manager

■

Application domains and policies that protect resources

Configure:
■

Common Settings, including Session-timing

■

Certificate Validation

■

Common Password Policy

Configure Access Manager Settings.
Identity Federation

Enable Identity Federation Service
Configure Federation Settings
Register Identity Provider and Service Provider partners

Security Token Service

Enable Security Token Service Service.
Configure Security Token Service Settings.
Register Endpoints
Create Token Issuance and Validation Templates
Register Partner Profiles and Partners

Mobile and Social

Enable Mobile and Social Service
Configure Mobile and Social

Introducing Oracle Access Management 1-11

Understanding Oracle Access Management Installation

1-12 Administrator's Guide for Oracle Access Management

2
Getting Started with Oracle Access
Management
2

This chapter describes the initial steps needed to start your servers and log in to the
Oracle Access Management Console. All tasks presume that Oracle Access
Management 11.1.2 is deployed as described in the Oracle Fusion Middleware Installation
Guide for Oracle Identity and Access Management.

[3]

This information is organized in the following sections.
■

Starting and Stopping Servers in Your Deployment

■

About Oracle Access Management Administrators

■

About the Oracle Access Management Console and the Policy Manager Console

■

Understanding the Oracle Access Management Console

■

Logging Into the Oracle Access Management Console

■

Using the Oracle Access Management Console

■

Configuring with the Command-Line Tools

■

Logging, Auditing, Reporting and Monitoring Performance

■

Configuring Oracle Access Management Login Options

2.1 Starting and Stopping Servers in Your Deployment
The Oracle Access Management Console is deployed on the WebLogic Administration
Server (AdminServer) thus, Oracle Access Management Administrators can access it
only when the AdminServer is running. If the Oracle Access Management Console is
protected by a WebGate, the OAM Server must also be running. And the Node
Manager must be started before the other servers. The following sections have more
details.
■

Starting Node Manager

■

Starting and Stopping WebLogic AdminServer

■

Starting and Stopping Managed WebLogic Servers and Access Manager Servers

2.1.1 Starting Node Manager
Node Manager is a Java utility that allows you to perform common operations tasks
for a Managed Server, regardless of its location with respect to its Administration
Server. Node Manager must be running before you can start and stop the WebLogic
AdminServer, or WebLogic managed servers hosting OAM Servers.

Getting Started with Oracle Access Management

2-1

Starting and Stopping Servers in Your Deployment

After installing and configuring Oracle Identity Manager, configure the Node
Manager for use with the WebLogic Administration Console (AdminServer) or Oracle
Enterprise Manager Fusion Middleware Control. This configuration is done only once,
as described in "Configuring the Node Manager" in Oracle Fusion Middleware
Administrator's Guide for Oracle Identity Manager.
Following this configuration, ensure that the Node Manager is up by running the
startNodeManager.sh script. Oracle WebLogic Administration Server does not do this
automatically.
$WLS_HOME/server/bin/startNodeManager.sh
See Also:

Oracle WebLogic Server Administrator Guide for details.

1.

Change to your $WLS_HOME/server/bin directory.

2.

Enable Start Scripts: Run setNMProps to start the stack and instruct Node
Manager to enable the use of start scripts (StartScriptEnabled=true):
./setNMProps.sh

3.

Start Node Manager:
./startNodeManager.sh

2.1.2 Starting and Stopping WebLogic AdminServer
Starting the WebLogic AdminServer the first time can take 12-15 minutes or more. This
process must not be interrupted or terminated as policy data might be corrupted. The
following procedure describes starting and stopping the WebLogic AdminServer using
the scripts located in your $DOMAIN_HOME/bin directory.
■

Unix: startWebLogic.sh or stopWebLogic.sh

■

Windows: startWebLogic.cmd or stopWebLogic.cmd
WARNING: If startWebLogic.cmd (Windows) or startWebLogic.sh
(Linux) is stopped for any reason (whether accidently or because of
a system crash or reboot), policy data might be corrupted. This
would require removal and recreation of the domain and running
the RCU again to recreate the OAM schema.

1.

Navigate to your $DOMAIN_HOME/bin.

2.

Start AdminServer:

3.

■

Unix: ./startWebLogic.sh

■

Windows: run startWebLogic.cmd

Stop AdminServer:
■

Unix: ./stopWebLogic.sh

■

Windows: run stopWebLogic.cmd

2.1.3 Starting and Stopping Managed WebLogic Servers and Access Manager Servers
You can perform all start and stop operations for managed WebLogic Servers hosting
Oracle Access Management Servers (OAM Servers) from either a command prompt,
the Oracle WebLogic Server Administration Console, the OAM Policy Manager
2-2 Administrator's Guide for Oracle Access Management

About Oracle Access Management Administrators

Console or the Oracle Enterprise Manager Fusion Middleware Control. When using
the command line scripts (located in the $DOMAIN_HOME/bin directory), the Managed
Server name and the AdminServer URL are required as input.
The Unix system scripts are startManagedWebLogic.sh and stopManagedWebLogic.sh,
and the Windows system scripts are startManagedWebLogic.cmd and
stopManagedWebLogic.cmd. The following procedure describes starting and stopping
the OAM Server using the scripts.
1.

Navigate to $DOMAIN_HOME/bin.

2.

Start OAM Server.
■
■

Unix: ./startManagedWebLogic.sh MANAGED_SERVER_NAME ADMIN_SERVER_URL
Windows: run startManagedWebLogic.cmd MANAGED_SERVER_NAME ADMIN_
SERVER_URL

If the managed server is named oam_server1 and the AdminServer URL is
http://examplewlsadminhost.example.com:7001, the start command run on a Unix
system would be:
startManagedWebLogic.sh oam_server1 http://examplewlsadminhost.example.com:7001
3.

Stop OAM Server.
■
■

Unix: ./stopManagedWebLogic.sh MANAGED_SERVER_NAME ADMIN_SERVER_URL
Windows: run stopManagedWebLogic.cmd MANAGED_SERVER_NAME ADMIN_
SERVER_URL

If the managed server is named oam_server1 and the AdminServer URL is
http://examplewlsadminhost.example.com:7001, the stop command run on a Unix
system would be:
stopManagedWebLogic.sh oam_server1 http://examplewlsadminhost.example.com:7001

2.2 About Oracle Access Management Administrators
A single default LDAP group, the WebLogic Server Administrators group, is set in
the Default User Identity Store (Embedded LDAP) designated as the System Store. The
LDAP group, when assigned to a specified user, grants full system and policy
configuration privileges. Specifying a different LDAP group prohibits WebLogic
Administrators from logging in to Oracle Access Management Console or from using
administrative command-line tools.
Unless explicitly stated, the term Administrator in this guide
refers to the Oracle Access Management System Administrator.

Note:

During initial deployment with the Oracle Fusion Middleware Configuration Wizard,
the System Administrator userID and password are set. These credentials grant access
to the:
■

■

Oracle Access Management Console to register and manage system
configurations, security elements, and policies. See About the Oracle Access
Management Console and the Policy Manager Console for details.
WebLogic Server Administration Console to view the Summary of Server
Configuration (Cluster, Machine, State, Health, and Listening Port) of deployed

Getting Started with Oracle Access Management

2-3

About the Oracle Access Management Console and the Policy Manager Console

OAM Servers within the WebLogic Server domain, and also to Start, Resume,
Suspend, Shutdown, or Restart SSL on these servers. See the Oracle Fusion
Middleware Administrator's Guide for more information.
■

Custom Administrative command-line tools (including the WebLogic Scripting
Tool and Remote Registration Tool) provide an alternative to the Oracle Access
Management Console for a specific set of functions. See Section 2.7, "Configuring
with the Command-Line Tools" for more information.

Initially, a System Administrator user must log in to the Oracle Access Management
Console using the WebLogic Administrator credentials set during initial configuration.
However, your enterprise might require independent sets of Administrators: one set of
users responsible for Oracle Access Management administration and a different set for
WebLogic administration. For information on this, see Section 4.1, "Understanding
Administrator Roles.".

2.3 About the Oracle Access Management Console and the Policy
Manager Console
This Oracle Access Management 11g Release 2 (11.1.2.3) release allows for two console
interfaces.
■

The Oracle Access Management Console is the full-featured graphical interface
deployed on the WebLogic AdminServer. The AdminServer will not display the
Mobile Security Manager (MSM) and Mobile Security Access Server (MSAS) tiles
in the Launch Pads (which will be displayed in the new Access Manager Policy
Manager Console). The Oracle Access Management Console can be accessed at:
http://wlsadminhost.example.com:7001/oamconsole

The Oracle Access Management Console interface has been redesigned for 11g
Release 2 (11.1.2.3). See Understanding the Oracle Access Management Console for
details.
■

The Policy Manager Console can be deployed on one or more WebLogic Managed
Servers and does not contain the full functionality available in the Oracle Access
Management Console deployed on the AdminServer. The new Policy Manager
Console has only the policy administration functionality of the familiar Oracle
Access Management Console. It is deployed when using the Oracle Mobile
Security Suite (OMSS) or when more capacity is needed to support many
delegated administrative users of Access Manager policies. The Policy Manager
Console has mobile end points for the Mobile Security Manager (MSM) and
Mobile Security Access Server (MSAS) components of the OMSS and can be
accessed at:
http://wlsadminhost.example.com:14150/access

OAM customers upgrading from R2PS2 who do not plan on using the OMSS can
continue to use the Oracle Access Management Console on AdminServer. OAM
customers (or ex-Bitzer customers) who plan to use OMSS and are upgrading to 11g
Release 2 (11.1.2.3) will need to use the Policy Manager Console but will also need to
log into the AdminServer console to access the:
■

Identity Directory Store management interface for OMSS, OAM, APS, OIC

■

Certificate Revocation List interface for OAM

■

Authentication Plug-ins interface for OAM

2-4 Administrator's Guide for Oracle Access Management

Understanding the Oracle Access Management Console

REST endpoints, WLST and the RREG servlet are available
only on AdminServer.

Note:

2.4 Understanding the Oracle Access Management Console
The Oracle Access Management Console is a Web-based program that provides
function controls for system and policy configuration. Oracle Access Management
11.1.2.3 introduces a redesigned Oracle Access Management Console. This new
Console displays a Launch Pad and subsequent pages based on the Administration
Role to which a user is assigned a successful login. It is divided into Launch Pads and
page-level tabs with forms and controls.
Any clicked shortcut appears as a named tab next to the Launch Pad. Each page is
displayed only once. No warning is issued if you attempt to open the same page
multiple times. The tab of the active page is white. Only the active page is visible and
generally provides a work space where you can add, view, or modify related settings.
Up to ten pages (tabs) can be open simultaneously. You can see named tabs for each
page and click the tab to access a page that is concealed. See the following sections for
details on the new Launch Pads.
■

About the System Launch Pad

■

Accessing the Access Manager Launch Pad

■

Accessing the Agents Launch Pad

■

Accessing the Help Desk Launch Pad

■

Accessing the Self Service Launch Pad
The Oracle Access Management Console is designed for
optimal display at a resolution of 1024x768.

Note:

2.4.1 About the System Launch Pad
The System Launch Pad will display when the user name entered is the Oracle Access
Management System Administrator as described in About Oracle Access Management
Administrators. This role has access to all functions and features of the Console
including policy creation, system configuration, and services settings (including
Access Manager, Security Token Service, Identity Federation, Access Portal and the
like). When the System Administrator is logged in, access is granted to five Launch
Pads:
1.

Application Security contains the functions generally associated with Oracle
Access Manager and single sign-on (SSO). From this Launch Pad, click the
appropriate link to gain access to agent registration, policy and policy objects
creation, session management, password policy, authentication modules and
plug-ins.

2.

Federation contains functions associated with Identity Federation (including links
to configure and manage Identity and Service Providers), the Security Token
Service, Social Identity, OAuth Services and the Access Portal Service.
Some of these services are disabled by default and would need
to be enabled under the Configuration Launch Pad.

Note:

Getting Started with Oracle Access Management

2-5

Understanding the Oracle Access Management Console

3.

Mobile Security contains functions specific to configuring and managing secure
access to mobile applications and devices. This includes features like Mobile
Security Manager, Mobile Security Access Server, Mobile Authentication and
Mobile OAuth Services.

4.

Configuration contains panels for managing the Oracle Access Management
system settings. This includes enabling and disabling available Access services,
configuring user identity stores and settings, certificate validation, server
instances, and granting administrative permissions.

5.

Self Service contains panels for managing the user’s preferences and
configurations. This also includes sessions and devices.

Figure 2–1 is a screenshot of the Oracle Access Management System Administrator
Console with the Application Security Launch Pad displayed. This is the default login
view. Note the fours disabled tabs on the top right of the screenshot which, when
clicked, will display the other Launch Pads visible by the System Administrator.
Figure 2–1 Oracle Access Management Administrator Launch Pad

2.4.2 Accessing the Access Manager Launch Pad
The Oracle Access Manager Launch Pad and subsequent functionality will display
when the user name entered is assigned the Application Administrator
(appadminuser) Role as described in Section 4.1, "Understanding Administrator
Roles." This role has access to all functions and features of the Console that includes
policy object creation and policy management. When the Application Administrator is
logged in, access is to the Launch Pads is limited to Access Manager and Automated
Policy Synchronization (APS).

2.4.3 Accessing the Agents Launch Pad
The Agents Launch Pad and subsequent functionality will display when the user
name entered is assigned the Oracle Access Management Agent Administrator Role as
described in Section 4.1, "Understanding Administrator Roles." This role has access to

2-6 Administrator's Guide for Oracle Access Management

Logging Into the Oracle Access Management Console

all functions and features of the Console that include management and configuration
of SSO Agents.

2.4.4 Accessing the Help Desk Launch Pad
The Help Desk Launch Pad and subsequent functionality will display when the user
name entered is assigned the Oracle Access Management Help Desk Administrator
Role as described in Section 4.1, "Understanding Administrator Roles." Users with this
role will land on the
http://wlsadminhost.example.com:7001/oamconsole/faces/helpdesk.jspx page after
logging in. The System Administrator can access this console directly by entering the
URL in the browser. Any one without the Help Desk Administrator role cannot access
this page. If OMSS is disabled, only Session Management will be displayed.

2.4.5 Accessing the Self Service Launch Pad
The Self Service Launch Pad and subsequent functionality will display when any
authenticated user without assigned roles is logged in. The user will land on
http://wlsadminhost.example.com:7001/oamconsole/faces/selfservice.jspx after
logging in. It contains panels for managing the user’s preferences and configurations.
This also includes sessions, and devices (if OMSS is enabled for the user) as illustrated
in Figure 2–2.
Figure 2–2 Self Service Launch Pad

2.5 Logging Into the Oracle Access Management Console
When accessing the Oracle Access Management Console, the WebLogic Server
(AdminServer) host and port must be specified in the URL. Let's assume the following
sample URL, https://wlsadminhost.example.com:7001/oamconsole. In this URL, the
following is true.
■

■

■

HTTPS represents the Hypertext Transfer Protocol (HTTP) with the Secure Socket
Layer (SSL) enabled to encrypt and decrypt user page requests and the pages
returned by the Web server
wlsadminhost.example.com refers to fully-qualified domain name of the computer
hosting the Oracle Access Management Console (AdminServer)
7001 refers to the designated bind port for the Oracle Access Management
Console, which is the same as the bind port used for AdminServer (the WebLogic
Server Administration Console)

Getting Started with Oracle Access Management

2-7

Logging Into the Oracle Access Management Console

■

/oamconsole/ refers to the Oracle Access Management Console Log In page
If you specify an OAM Server host and port (as you would to
access the ODSM console), the AdminServer redirects to the managed
server which produces a 404 Not Found error.

Note:

When navigating to the /oamconsole URL, the default Oracle Access Management
Console Log In page is displayed. The following sections have details on logging into
the Oracle Access Management Console.
■

Logging Into The Oracle Access Management Console

■

Logging Into the Secure Oracle Access Management Console (HTTPS)
Ensure that you use the correct administrative credential to log
in. Initially, the LDAP group for the Oracle Access Management
Console Administrator is the same as the LDAP group defined for the
WebLogic Server Administration Console (Administrators) and the
common Default System User Identity Store store is the WebLogic
Embedded LDAP.
Note:

2.5.1 Logging Into The Oracle Access Management Console
Use this procedure to log into the Oracle Access Management Console.
1.

In a browser window, enter the URL to the Oracle Access Management Console
using the appropriate protocol (HTTP or HTTPS). For example:
https://hostname:admin_server_port/oamconsole/

2.

On the Log In page, enter the Oracle Access Management Console Administrator
credentials. For example:
Username: Admin_login_id
Password: Admin_password
Language: English (see "Choosing a User Login Language")

3.

Click the Login button.
■

■

Successful: The Oracle Access Management Console Welcome page is
displayed.
Not Successful: See "Administrator Lockout" on page E-6.
See Also: "About Oracle Access Management Administrators" on
page 2-3

2.5.2 Logging Into the Secure Oracle Access Management Console (HTTPS)
After enabling SSL on the Adminserver and OAM Managed Server, or after
configuring administration port (HTTPS), use the following procedure to add the CA
cert to the libOVD keystore. This will allow logging in without connection issues.
1.

Change to the directory that contains the DemoIdentity.jks.
$ cd $MIDDLEWARE_HOME/wlserver_10.3/server/lib/

2-8 Administrator's Guide for Oracle Access Management

Using the Oracle Access Management Console

2.

Export the CA certificate from the Weblogic keystore using the following
commands.
The -list command prints the contents of the keystore for reference.
DemoIdentityKeyStorePassPhrase is the default password for the keystore
DemoIdentity.jks.
$ keytool -list -keystore DemoIdentity.jks
-storepass DemoIdentityKeyStorePassPhrase
$ keytool -exportcert -keystore DemoIdentity.jks
-storepass DemoIdentityKeyStorePassPhrase -alias demoidentity
-file ~/demoidentity.cer

3.

Change to the directory that contains the libOVD keystore.
cd $DOMAIN_HOME/config/fmwconfig/ovd/default

4.

Import the Weblogic CA certificate to the libOVD keystore.
$ keytool -importcert -keystore adapter.jks -storepass New_Password
-alias demoidentity -file ~/demoidentity.cer

5.

Print the contents of the keystore to verify the import.
$ keytool -list -keystore ./adapter.jks -storepass New_Password

6.

Add the password for the imported keystore to trustStorePassword in the
server.os_xml file.
vim server.os_xml
server.os_xml: keystores/adapters.jks
server.os_xml: keystores/adapters.jks
keystores/adapters.jks
New_Password

7.

Change the value of ADMIN_URL in startManagedServer.sh to point to the SSL
port of the Weblogic server.

8.

Restart both Adminserver and OAM Managed Server.

9.

Log in as documented in Logging Into The Oracle Access Management Console.

2.6 Using the Oracle Access Management Console
The following sections describe common console functionality.
■

Signing Out

■

Accessing Online Help

■

Conducting A Search

2.6.1 Signing Out
The Sign Out link appears in the upper-right corner of the Oracle Access Management
Console. Click the Sign Out link to conclude your session. Oracle recommends that
you also close the browser window after signing out.
Use this procedure to sign out of the Oracle Access Management Console.

Getting Started with Oracle Access Management

2-9

Using the Oracle Access Management Console

1.

Expand the drop down list under the name of the user that is logged in and select
Sign Out.

2.

Close the browser window.

2.6.2 Accessing Online Help
At any time while using the Oracle Access Management Console, you can click the
Help link located in the drop down menu under the user name at the top of the
Launch Pad page to get more information. Online Help topics link to information in an
online version of this book.
Generally speaking, topics that are displayed by selecting Help in the Oracle Access
Management Console appear in only English and Japanese languages. Online Help is
not translated into the ADMIN languages.
You can click the Welcome tab to display a list of topics that describe actions you can
take. For specific help topics, use the following procedure.
Use this procedure to locate a specific help topic in the Oracle Access Management
Console.
1.

From the Oracle Access Management Console, click a tab.

2.

Click Help in the drop down menu under the user name in the upper-right corner.

3.

Review the page that appears in a new window and select one of the following
links to:

4.

–

More—Click this link to view more information.

–

How?—Click this link to see steps to perform a task related to your help
search.

–

Contents—In the left Help pane, expand Contents to see all help topics as well
as all topics in the online manual.

–

Search—Displays a search window where you can enter your help search
criteria.

Click the following buttons, as needed:
–

View—Displays a set of viewing options.

–

Arrows—Return to the previous page or go forward to the next page.

–

Printer Icon—Prints the page.

–

Envelope Icon—Emails the page.

2.6.3 Conducting A Search
The Oracle Access Management Console provides search controls for specific elements
such as Agents, Application Domains, and Resources. Figure 2–3 is a screen shot of a
Search page used for SSO Agent searches.

2-10 Administrator's Guide for Oracle Access Management

Logging, Auditing, Reporting and Monitoring Performance

Figure 2–3 SSO Agent Search Page

Search pages differ depending on the entity you are trying to find. In all searches, you
can leave a field blank to display everything or use a wildcard (*) character if you do
not know the exact name you seek. Some search controls include the ability to save
your search criteria. From the search results table, you can choose an item to open for
viewing or editing.
Note:

The search tool is case insensitive.

2.7 Configuring with the Command-Line Tools
Several command-line tools are available to perform various tasks using the keyboard
rather than the Oracle Access Management Console. After using these commands, the
configurations will be available in the console.
■

Remote registration tool, oamreg, enables remote registration of Agents, and
creation of default Application Domains.
See Also:

■

Chapter 15, "Registering and Managing OAM 11g Agents"

Upgrade Assistant (UA) enables you to transfer OSSO 10g configuration to Oracle
Access Management
See Also:
■

■

Oracle Fusion Middleware Upgrade Guide for Oracle Identity and
Access Management

Oracle WebLogic Scripting Tool (WLST) provides a number of custom OAM
command-line alternatives for tasks you can perform in the Oracle Access
Management Console.
See Also: Oracle Fusion Middleware WebLogic Scripting Tool
Command Reference

2.8 Logging, Auditing, Reporting and Monitoring Performance
Logging is the mechanism by which components write messages to a file. These
messages can be logged at different levels of granularity. Oracle Access Management
components use the same logging infrastructure and guidelines as any other
component in Oracle Fusion Middleware 11g. Administrators can monitor
performance and log messages for Access Manager and Security Token Service using
Oracle Fusion Middleware Control.

Getting Started with Oracle Access Management 2-11

Configuring Oracle Access Management Login Options

In Oracle Fusion Middleware, auditing provides a measure of accountability and
answers to the "who has done what and when" types of questions. Oracle Access
Management uses the Oracle Fusion Middleware Common Audit Framework to
support auditing for a large number of user authentication and authorization run-time
events, and administrative events (changes to the system). The Oracle Fusion
Middleware Common Audit Framework provides uniform logging and exception
handling and diagnostics for all audit events. For more information, see Part III,
"Logging, Auditing, Reporting and Monitoring Performance".
See Also: Oracle Fusion Middleware Performance and Tuning
Guide

2.9 Configuring Oracle Access Management Login Options
The following sections contain information on configuring user login options.
■

Administering the Forgot Password URL

■

Choosing a User Login Language

■

Understanding Persistent Login

2.9.1 Administering the Forgot Password URL
When a user clicks the Forgot Password link on the Oracle Access Management login
page, the user is taken to an Oracle Access Management Forgot Password page where
a new password can be set in the case of a forgotten one. The following sections
contain procedures for administering the Forgot Password URL.
■

Setting a Forgot Password URL

■

Retrieving a Forgot Password URL

2.9.1.1 Setting a Forgot Password URL
To set a new Forgot Password URL, run the following command:
curl

--user weblogic:password
-w "%{http_code}"
-i -H
"Content-Type:application/json"
-H "Accept: */*"
-X PUT
-d

'{"forgotPasswordURL":"http://oam-host:7777/identity/faces/forgotpassword"}'
http://host:7001/oam/admin/api/v1/configurationService/forgotPassword

If successful, the "Forgot Password URL configured successfully" message is displayed
in the output. If there is already a URL set for Forgot Password, running the command
overwrites the previous Forgot Password URL.

2.9.1.2 Retrieving a Forgot Password URL
To retrieve the Forgot Password URL, run the following command:
curl --user weblogic:password
-w “%{http_code}” \
-i \
http://host:7001/oam/admin/api/v1/configurationService/forgotPassword

2-12 Administrator's Guide for Oracle Access Management

Configuring Oracle Access Management Login Options

2.9.2 Choosing a User Login Language
Oracle Access Management supports language selection through a drop down list of
languages on the login form combined with use of the OAM_LANG_PREF language
preference cookie. Table 2–1 lists the supported languages and applicable language
codes. The Administrators column refers to languages supported by the Oracle Access
Management Console and the Language column refers to languages supported by the
Login Pages. If the language is supported by the Login Page, simply change the
browser's language and users should see a translated page.
Table 2–1

Language Codes For Login Pages

Language Code

Language

Administrators

ar

Arabic

cs

Czech

da

Danish

de

German

el

Greek

en

English

English

es

Spanish

Spanish

fi

Finnish

fr

French

fr-CA

Canadian French

he

Hebrew

hr

Croatian

hu

Hungarian

it

Italian

Italian

ja

Japanese

Japanese

ko

Korean

Korean

nl

Dutch

no

Norwegian

pl

Polish

pt-BR

Brazilian Portuguese

pt

Portuguese

ro

Romanian

ru

Russian

sk

Slovak

sv

Swedish

th

Thai

tr

Turkish

zh-CN

Simplified Chinese

Simplified Chinese

zh-TW

Traditional Chinese

Traditional Chinese

German

French

Brazilian Portuguese

Getting Started with Oracle Access Management 2-13

Configuring Oracle Access Management Login Options

To accomplish a very specific login experience, implement a custom login page using
the customization facilities in Oracle Access Management as described in Oracle Fusion
Middleware Developer's Guide for Oracle Access Management.
Prior to the release of 11.1.2.1, Oracle Access Manager relied
on the Browser Language preference (Accept-Language HTTP
Header) to determine the language in which the login page was
rendered. The default, if the language could not determined, was
English (en-us). This behavior is supported going forward until
existing applications have migrated to the 11.1.2.1 model.

Note:

This section provides the following topics:
■

Selecting A Language for Oracle Access Management Login

■

Understanding the Language Preference Cookie

■

Propagating Language Preference and Application Integration

2.9.2.1 Selecting A Language for Oracle Access Management Login
Oracle Access Management provides the language selection methods described in
Table 2–2. The order of these items in the table illustrate the preference order. Use the
configOAMLoginPagePref WebLogic Scripting Tool (WLST) command to configure the
login page language preferences. Information regarding this WLST command can be
found in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
Table 2–2

Oracle Access Management Language Selection Methods

Method

Description

Server Override

Allows the OAM Server to determine the language. It is
intended to support scenarios where the User Agent cannot
reliably indicate its language preference(s) or where the
administrator needs to override other selection mechanisms for
operational reasons.

Preference Cookie

A domain cookie (similar to ORA_FUSION_PREFS) that
contains the user's language preferences. It is intended to allow
lang preferences maintained by an application(s) personalization
facilities to be used.
Note: Multiple DNS domain support for the Preference Cookie
is a limitation today. The solution will include Resource
Webgates using the OAM Front-Channel protocol in
combination with local resource cookie enhancements to
manage preference cookie semantics across DNS domains.
See Also: "Understanding the Language Preference Cookie"

Browser Language

Allows User Agents (Browsers, REST Clients, HTTP Clients) to
specify the user's language preference via an HTTP
Accept-Language header.

Default Language

Used if Oracle Access Management cannot determine the user's
language preference based on the specified selection
mechanisms.

Language preferences are disabled until explicitly enabled. By default, the login form
does not include the list of language values until the application locales are specified.

2-14 Administrator's Guide for Oracle Access Management

Configuring Oracle Access Management Login Options

Language Selection is only available in the ECC login page; it
is not currently available in the DCC login page.

Note:

2.9.2.2 Understanding the Language Preference Cookie
The language preference cookie, OAM_LANG_PREF is a domain scoped cookie as
described in Table 2–3.
Table 2–3

OAM_LANG_PREF Cookie

Parameters

Description

Name

OAM_LANG_PREF

Domain

Domain-scoped cookie

Path

/

Value

[Cookie version] [separator] [UTF-8 BASE64(name-value pairs)]
For example:
v1.0~kqhkiG9w0BAQQFADCB0TELM

ExpirationTime

Persistent | Session (default) – Specified in OAM configuration

Secure Flag

No

preferredLanguage

BCP47/RFC4647. Specifically, the value space should conform to what is
formally called the "language priority list".

defaultLanguageMarker

true (reconcile cookie with application maintained preferences) |false
(read from cookie).

Cookie Lifecycle

Oracle Access Management and other applications can perform create,
read, update, and delete operations.

2.9.2.3 Propagating Language Preference and Application Integration
Oracle Access Management will propagate the language selected by the user to
applications as described in Table 2–4.
Table 2–4

Application Integration for Language Preference

Method

Description

HTTP Accept-Language Header

This enables application to integration without code change. This is a
major advantage over the other options. We can expect this to be good
for most applications that respond to the browser locale setting. This
is the standard practice in internationalizing a Web application. We
expect this to be able to become the standard option for all ADF based
products, as well as any application that responds to browser locale.
Note: OAM Agents ensure that the Accept-Language reflects the
language selected. Also, ServletFilters could be used to make this
happen.

Access Manager Policy Response

Access Manager stores the language selection in the attribute langPref
in the session namespace. For instance: $session.langPref.
This attribute can be passed to downstream applications using an
HTTP Header and/or Cookie through the Access Manager Policy
Response. The name of the Header and/or Cookie is a deployment
time assignment.

Preference Cookie

When the language selected during login differs from the value stored
in the Preference Cookie, Oracle Access Management will update the
"preferredLanaguage" parameter in the Preference Cookie with the
newly selected language and set the defaultLanguageMarker"
parameter to "false".

Getting Started with Oracle Access Management 2-15

Configuring Oracle Access Management Login Options

Table 2–4 (Cont.) Application Integration for Language Preference
Method

Description

IdentityContext

The language preference can be propagated as a custom claim in the
IdentityContext. Select "oracle:idm:claims:session:attributes" as the
claim name and then specify the session attribute using the following
notation: "preferredLanguage=$session.langPref.
The claim will be created with the name of
"oracle:idm:claims:session:attributes:preferredLanguage" and
value equal to the session's langPref attribute.

2.9.3 Understanding Persistent Login
With Access Manager, a user needs to re-authenticate after a period of session
inactivity defined by the Idle Timeout parameter (default is 15 minutes) and once the
session expires, due to the value of the Session Lifetime parameter (default is 8 hours).
The Persistent Login functionality offers administrators the option to skip user
re-authentication for a considerably longer period of time should the user opt in allowing a user two weeks or a month significantly improves convenience. Persistent
Login (sometimes referred to as Remember Me or Keep Me Signed In) can be enabled
or disabled with the period of time being configurable. It is disabled by default.
Persistent Login is enabled in the oam-config.xml global configuration file. The
appropriate Application Domain must also explicitly allow Persistent Login. When
enabled globally, the user login page will have a Keep Me Signed In checkbox and,
when checked, the user receives an RMToken. Once the user's session expires or times
out, a user with an RMToken will not be challenged if the resource is in the
Application Domain that allows Persistent Login and if its authentication level is
adequate. If the user tries to access a resource in an Application Domain that has not
opted in, the user will be challenged for credentials even if the authentication level is
adequate. (If the user does not opt in when logging in, reauthentication will be
prompted after a session expiration or inactive timeout.)
If the Application Domain 'Session Idle Timeout' is specified,
Persistent Login cannot be enabled.

Note:

The following behaviors are pertinent to the Persistent Login functionality.
■

If enabled for the user logged in to Access Manager from a device browser, closing
and reopening the browser does not require reauthentication within the defined
Persistent Login time period

■

Session activities will be reflected in the Audit data.

■

When the time period expires, the end user is asked to authenticate again.

■

■

■

When attempting to access applications from a different device (or even a different
process/browser in the same device), the end user will be asked to authenticate
again.
When the user clicks log out, the OAM_RM token is deleted and they user must
log in again. Session termination by an administrator will have the same effect.
As the OAM_RM token is based on credentials entered at the time of token
creation, any event that changes the password status will invalidate the token and
force the user to re-authenticate. This includes:
–

Password expiration

–

Password reset by administrator

2-16 Administrator's Guide for Oracle Access Management

Configuring Oracle Access Management Login Options

■

■

■

■

–

Password changed by the user on a different device

–

User deleted or locked by the administrator

To address a stolen device scenario, the administrator can terminate all sessions for
all devices/browsers of a user. The user will need to re-authenticate but has the
option to enable Persistent Login on the login page
Application triggered re-authentication forces the user to re-authenticate even if
Persistent Login is enabled as the application is intentionally challenging the user
before doing a sensitive operation.
When a user navigates from an application which allows Persistent Login to one
that does not, although the user is logged in automatically, the application which
does not allow Persistent Login will challenge the user to enter credentials.
Persistent Login is not available in application triggered login pages.

The following sections have additional details.
■

Enabling Persistent Login

■

Troubleshooting Persistent Login

2.9.3.1 Enabling Persistent Login
Follow this procedure to enable Persistent Login globally. The feature is not enabled by
default.
1.

Connect to WebLogic Server using connect().
Provide the username and password when prompted.

2.

Run:
configurePersistentLogin(enable="true", validityInDays="30",
maxAuthnLevel="2", userAttribute="obPSFTID")

3.

Create a new Authentication Scheme for Persistent Login using the values in the
following table.
Details can be found in Section 22.9, "Managing Authentication Schemes." The
'Keep me signed in' check box will be displayed only when accessing a resource
protected by this scheme.

Attribute

Value

Name

PersistentLoginScheme (or any name)

Description

any description

Authentication Level

2

Challenge Method

FORM

Challenge Redirect URL

/oam/server/

Authentication Module

LDAPPlugin

Challenge URL

/pages/login.jsp

Context Type

default

Context Value

/oam

Challenge Parameters

enablePersistentLogin=true

4.

Click the Application Domains link in the Launch Pad.
Getting Started with Oracle Access Management 2-17

Configuring Oracle Access Management Login Options

5.

Click the Application Domain for which you will use this PersistentLoginScheme
and change its Authentication Scheme as documented in this sub procedure.
Details are in Section 25.6, "Defining Authentication Policies for Specific
Resources."
a.

Click the Authentication Policies tab in the appropriate Application Domain.

b.

Change the Authentication Scheme for the Protected Resource Policy to
PersistentLoginScheme. This allows persistent login for this policy.
Note:

6.

The Public Resource Policy should not be modified.

Click the Application Domain under which you will create a Response for all
configured Authorization Policies as documented in this sub procedure.
There may be multiple authorization policies and this needs to be done for all.
Details are in Section 25.13.4, "About Constructing a Policy Response for SSO."
a.

Click the Authorization Policies tab in the appropriate Application Domain.

b.

One at a time, click an Authorization Policy in this Application Domain to
open its configuration tab.

c.

Click Responses.

d.

Click Add to create an Authorization Response in the Application Domain.

e.

Enter the following values in the displayed Add Response pop-up and click
Add.

Attribute

Value

Type

Session

Name

allowPersistentLogin

Value

true
NOTE: To disable Persistent Login for an Application Domain you

must disable Authorization Responses by changing the value of the
Value attribute in the Add Response pop-up to false.
Perform this procedure for all Authorization Policies before moving on to the
next step.
7.

Access a resource protected by this scheme.
The 'Keep me signed in' checkbox is displayed on the login page.

8.

Provide valid credentials and select 'Keep me signed in'.

9.

Close and re-open the browser.

10. Access the same resource.

You will be logged in automatically without asking for credentials.
Note: Persistent Login can also be enabled and disabled using WLST.
See the Oracle Fusion Middleware WebLogic Scripting Tool Command
Reference for details on the configurePersistentLogin command.

2-18 Administrator's Guide for Oracle Access Management

Configuring Oracle Access Management Login Options

2.9.3.2 Troubleshooting Persistent Login
When enabling Persistent Login using WLST, an LDAP attribute named obpsftid is
defined to store the Persistent Login properties. When the user is locked, this attribute
needs to be updated but the oamSoftwareUser does not have sufficient LDAP rights
over it. Use the following procedure to give oamSoftwareUser permission.
1.

Copy the LDIF data below and paste it into a file that you will save as oam_user_
write_acl_users_obpsftid_template.ldif.
##############################################################################
# Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
#
# NAME: idm_idstore_groups_acl_template.ldif
#
#
# DESCRIPTION:
#
# This file provides appropriate ACLs to user and group containers.
#
#
# SUBSTITUTION VARIABLES:
#
# %s_UsersContainerDN% : The container in which users reside
# %s_GroupsContainerDN% : The container in which groups reside
#
##############################################################################
dn: %s_UsersContainerDN%
changetype: modify
delete: orclaci
orclaci: access to attr=(obUserAccountControl, obLoginTryCount, obLockoutTime,
oblastsuccessfullogin, oblastfailedlogin, obpasswordexpirydate, obver,
obLastLoginAttemptDate, oblockedon) by
group="cn=orclFAOAMUserWritePrivilegeGroup,%s_GroupsContainerDN%"
(search,read,compare,write) by group="cn=orclFAUserReadPrivilegeGroup,%s_
GroupsContainerDN%" (search,read,compare) by
group="cn=orclFAUserWritePrivilegeGroup,%s_GroupsContainerDN%"
(search,read,compare,write)
add: orclaci
orclaci: access to attr=(obUserAccountControl, obLoginTryCount, obLockoutTime,
oblastsuccessfullogin, oblastfailedlogin, obpasswordexpirydate, obver,
obLastLoginAttemptDate, oblockedon, obpsftid) by
group="cn=orclFAOAMUserWritePrivilegeGroup,%s_GroupsContainerDN%"
(search,read,compare,write) by group="cn=orclFAUserReadPrivilegeGroup,%s_
GroupsContainerDN%" (search,read,compare) by
group="cn=orclFAUserWritePrivilegeGroup,%s_GroupsContainerDN%"
(search,read,compare,write)

2.

3.

Do the following in the created oam_user_write_acl_users_obpsftid_
template.ldif.
■

Replace %s_UsersContainerDN% with User Search Base.

■

Replace %s_GroupsContainerDN% with Group Search Base.

Change to the OID directory and run ldapmodify.
$ setenv ORACLE_HOME 
$ cd $ORACLE_HOME/bin
$ ./ldapmodify -h  -p  -D  -w 
-v -f oam_user_write_acl_users_obpsftid_template.ldif

Getting Started with Oracle Access Management 2-19

Configuring Oracle Access Management Login Options

2-20 Administrator's Guide for Oracle Access Management

Part II
Part II

Managing Common and System
Configurations

Part II provides information about managing common system-wide configuration
details for Oracle Access Management. This part contains the following chapters.
■

Chapter 3, "Managing Common Services and Certificate Validation"

■

Chapter 4, "Delegating Administration"

■

Chapter 5, "Managing Data Sources"

■

Chapter 6, "Managing Server Registration"

3
Managing Common Services and Certificate
Validation
3

This chapter explains how to configure properties that are used in common by the
services integrated into Oracle Access Management.

[4]

This chapter contains the following sections:
■

Configuring Oracle Access Management

■

Enabling or Disabling Available Services

■

Managing Common Settings

■

Managing Certificate Validation and Revocation

3.1 Configuring Oracle Access Management
This section introduces the Oracle Access Management options and settings
collectively called Configuration. Unless explicitly stated, these Configuration options
are shared by all Access Manager servers and services in the domain. Figure 3–1 shows
the Configuration options defined in the new Oracle Access Management Console.
You can access these settings by clicking Configuration at the top of the Console.

Managing Common Services and Certificate Validation 3-1

Configuring Oracle Access Management

Figure 3–1 Oracle Access Management Configuration Options

Table 3–1 describes the Configuration options. The items listed apply to all services in
the suite.
Table 3–1

Configuration Options

Node

Description

Available Services

See "Enabling or Disabling Available Services" on page 3-3.

User Identity Stores

See "Registering and Managing User Identity Stores" in Chapter 5,
"Managing Data Sources."

Administration

See Chapter 4, "Delegating Administration."

Certificate Validation

Provides access to the certificate revocation list and OCSP/CDP
settings.
See: "Managing Certificate Validation and Revocation" on page 3-7.

Server Instances

Provides access to all registered OAM Server instances.
See: Chapter 6, "Managing Server Registration"

Settings > Common
Settings

Provides configurations that apply to all Oracle Access
Management services including Session properties, Oracle
Coherence, Auditing, and Default and System Identity Stores.
See: "Managing Common Settings" on page 3-5.

Settings > Access
Manager

Provides access to Access Manager operation configurations.

Settings > Social Identity

Provides access to configurations for the Social Identity features of
Oracle Access Management Mobile and Social.

See "Managing Common and System Configurations"

See "Managing Oracle Access Management Mobile and Social"

3-2 Administrator's Guide for Oracle Access Management

Enabling or Disabling Available Services

Table 3–1 (Cont.) Configuration Options
Node

Description

Settings > Federation

Provides access to configurations for Oracle Access Management
Identity Federation.
See Chapter 38, "Managing Identity Federation Partners,"
Chapter 39, "Managing Settings for Identity Federation" and
Chapter 40, "Managing Federation Schemes and Policies."

Settings > Security Token Provides access to configurations for Oracle Access Management
Service
Security Token Service.
See "Managing Oracle Access Management Security Token Service"
Settings > Access Portal
Service

Provides access to configurations for Oracle Access Portal.
See "Managing Oracle Access Management Oracle Access Portal"

3.2 Enabling or Disabling Available Services
Figure 3–2 shows the Available Services page of the Common Configuration section,
which provides the status of services, and controls to enable or disable a service.
Initially, only Access Manager services are enabled. Oracle Access Management
Administrators must enable a service in the Oracle Access Management Console to use
the related functionality. The exception to this is Identity Context, which is enabled by
default and does not have any controls to disable it.
Figure 3–2 Available Services

Managing Common Services and Certificate Validation 3-3

Enabling or Disabling Available Services

A green check mark in the Status field beside the service name indicates the service is
enabled. A red circle with a cross through it indicates that the corresponding service is
disabled.
Table 3–2

Common Services

Service

Description

Access Manager

Access Manager functionality is enabled by default. Access Manager
Service is required to set SSO policies, configure Access Manager, as
well as Common Configuration, and when REST Services are enabled.
Default: Enabled
No other services are required for Access Manager and Common
Configuration.

Adaptive Authentication Service

Required for adaptive authentication functionality.
Default: Enabled
See Also: Part VIII, "Managing the Adaptive Authentication Service
and Oracle Mobile Authenticator".

Identity Federation

Must be enabled to manage the federation partners.
Default: Disabled
Note: The Access Manager service must also be enabled because
Identity Federation is another authentication module.
See Also: Part IX, "Managing Oracle Access Management Identity
Federation".

Security Token Service

Enable this service to use Security Token Service functionality.
Default: Disabled
Access Manager service is not required.
See Also: Part X, "Managing Oracle Access Management Security
Token Service".

Access Portal Service

Must be enabled to manage the Access Portal Service.
Default: Disabled
See Part XIII, "Managing Oracle Access Management Oracle Access
Portal"

Mobile and Social

Mobile and Social Services can be deployed in either of two ways:
■

■

As part of Oracle Access Management, where Access Manager is
enabled by default and Mobile and Social must be enabled
manually to operate together with Access Manager.
Oracle Access Management and Mobile and Social only. Here
only Mobile and Social is enabled by default to work on its own
(or use a remote Access Manager).

See Also: Part XI, "Managing Oracle Access Management Mobile and
Social"
Mobile Security Service

Required for mobile security functionality, which governs secure
access to mobile applications and devices. This includes features like
Mobile Security Manager, Mobile Security Access Server, Mobile
Authentication and Mobile OAuth Services.
Default: Enabled
See Also: Part XI, "Managing Oracle Access Management Mobile and
Social"

Follow this procedure to enable or disable an available service. The WebLogic
AdminServer and OAM Server must be running. (For details. see Starting and
Stopping Servers in Your Deployment.)
1.

From the Oracle Access Management Console Launch Pad, click Available Services
under Configuration.

2.

Click Enable beside the desired service name (or confirm that the Status check
mark is green).

3-4 Administrator's Guide for Oracle Access Management

Managing Common Settings

3.

Click Disable beside the desired service name (or confirm that the Status check
mark is red).

3.3 Managing Common Settings
Common Settings apply to all services within the suite. Figure 3–3 shows the named
sections on the Common Settings page, which can be expanded to reveal related
elements and values.
Figure 3–3 Common Settings Page (Collapsed View)

Oracle Access Management Administrators can control and specify parameters used
by the entire suite, not just a single service, as introduced in Table 3–3.
Table 3–3

Common Settings

Tab Name

Description

Session

Session configuration refers to the process of managing the lifecycle requirements of
a session, and notification of events to enable global logout. Global logout is
required for OSSO Agents (mod_osso) to ensure that logging out of a session on any
entity propagates the logout to all entities.

Coherence

Common Oracle Coherence settings shared by all OAM Servers differ from those
for individual OAM Servers. However, in both cases Oracle recommends that you
make no adjustments to these settings unless instructed to do so by an Oracle
Support Representative.

Audit Configuration Oracle Access Management supports auditing for a large number of administrative
and run-time events, uniform logging and exception handling, and the diagnostics
of all audit events. Oracle Access Management auditing configuration is recorded in
oam-config.xml.
See Also: "Using the Oracle Access Management Console for Audit Configuration"
on page 8-22.
Default and System
Identity Stores

This section identifies the default identity and system stores, which can be one in
the same (or different).

See Also: Details for other operations common to all OAM
components:
■

Chapter 7, "Logging Component Event Messages"

■

Chapter 11, "Monitoring Performance and Health"

Managing Common Services and Certificate Validation 3-5

Managing Common Settings

The following sections have more information.
■

Managing Common Settings

■

Viewing Common Coherence Settings

3.3.1 Managing Common Settings
Users with valid Oracle Access Management Administrator credentials can perform
the following task to display the Common Settings page and perform changes. To
manage common settings, the OAM Server must be running. (For details. see Starting
and Stopping Servers in Your Deployment.)
1.

At the top of the Console, click Configuration.

2.

In the Configuration Launch Pad, select Common Settings from the View menu in
the Settings section.

3.

Session:
a.

On the Common Settings page, expand the Session section.

b.

Click the arrow keys beside each list to increase or decrease session lifecycle
settings as needed:
Session Lifetime (minutes)
Idle Timeout (minutes)
Maximum Number of Sessions per User

c.

Database Persistence: Check the box to enable Database Persistence for Active
Sessions (or clear it to disable Database Persistence).

d.

Click Apply to submit your changes.

e.

See Also: Chapter 16, "Maintaining Access Manager Sessions".

4.

Coherence: See "Viewing Common Coherence Settings" on page 3-7.

5.

Audit Configuration:
a.

Expand the Audit Configuration section.

b.

In the Audit Configuration section, enter appropriate details for your
environment:
Maximum (Log) Directory Size
Maximum (Log) File Size
Filter Enabled
Filter preset (select from the list to define verbosity of audit data)
Audit Configuration Table: Use Add (+) or Delete (x) buttons to specify users.

6.

c.

Click Apply to submit the Audit Configuration (or close the page without
applying changes).

d.

See Also: Chapter 8, "Auditing Administrative and Run-time Events".

Default Store and System Stores:
a.

Expand the Default and System Identity Stores section.

b.

Click the name of the System Store (or Default Store) to display the
configuration page.

3-6 Administrator's Guide for Oracle Access Management

Managing Certificate Validation and Revocation

c.

See Section 5.2.2, "Using the System Store for User Identities" for more
information.

3.3.2 Viewing Common Coherence Settings
Follow this procedure to expand and view the Coherence settings.
1.

At the top of the Console, click Configuration.

2.

In the Configuration Launch Pad, select Common Settings from the View menu in
the Settings section.

3.

On the Common Settings page, expand the Coherence section.

4.

Close the page when you finish; do not make any changes.

Figure 3–4 shows the Common Settings page with the Coherence section expanded.
Figure 3–4 Common Coherence Settings

Table 3–4 describes these settings.
Oracle strongly recommends that you do not alter these
settings without the assistance of Oracle Support.

Note:

Table 3–4

Common Coherence Settings

Element

Description

Port

Value between 1 and 65535 is supported.

Multicast (Cluster) Address

Value between 224.1.255.0 to 239.255.255.255 is allowed.

Time to Live (number of hops)

Value between 0 and 255 is supported.

Multicast (Cluster) Port

Value between 1 and 65535 is supported.

3.4 Managing Certificate Validation and Revocation
The Certificate Validation module is used by the Security Token Service to validate
X.509 tokens and to verify whether or not the certificates have been revoked. It
supports the following options.
■

■

A Certificate Revocation List (CRL) is a list of certificates (identified by serial
numbers) that have been revoked. Revoked certificates are listed with a reason, an
issue date, and the issuing entity. (In addition, each list contains a proposed date
for the next release.) Entities presenting these (revoked) certificates should no
longer be trusted. When a potential user attempts to access a server, the server
allows or denies access based on the CRL entry for the particular user. For more
information, see "Enabling the Certificate Revocation List Functionality."
The Online Certificate Status Protocol (OCSP) was developed as an alternative to
CRLs. OCSP specifies how the client application that requests information on a
certificate's status will obtain it from the server that responds to the request. An
Managing Common Services and Certificate Validation 3-7

Managing Certificate Validation and Revocation

OCSP responder can return a signed response signifying that the certificate
specified in the request is either good, revoked or unknown. If the OCSP cannot
process the request, it returns an error code. For more information, see "Enabling
OCSP Certificate Validation" and "Additional OCSP Configurations."
■

A CRL Distribution Point extension (CDP extensions) contains information
regarding the location of Certificate Revocation Lists (CRLs) and OCSP servers.
You can use the Administration Console to define these points. For more
information, see "Enabling CRL Distribution Point Extensions."

3.4.1 Enabling the Certificate Revocation List Functionality
Users with Oracle Access Management Administrator credentials can use the
following procedure to enable the CRL functionality and import a current Certificate
Authority Certificate Revocation List (CA CRL). Before beginning, you should have
your CA CRL ready to import.
1.

In the Configuration Launch Pad section of the Oracle Access Management
Console, click Certificate Validation.
The Certificate Revocation List tab is displayed.

2.

Confirm that the Enabled box is checked.

3.

Add or remove a CRL.
■

■

Add: Click the Add (green plus sign) button, browse for the CRL file, select it,
and click Import.
Remove: Click the name of the list in the table, click the Delete (x) button, and
confirm when asked.

Figure 3–5 is a screenshot of the pop-up window used to add a CA CRL to the
CRL List using the Administrative Console.
Figure 3–5 Certificate Revocation List Dialog Box

4.

Click Apply to save the configuration.

3-8 Administrator's Guide for Oracle Access Management

Managing Certificate Validation and Revocation

5.

Proceed to "Enabling OCSP Certificate Validation".
To search for CRLs in the table, enable Query by Example from
the View drop-down. Enter filter strings in the header fields displayed
and hit Enter.

Note:

3.4.2 Enabling OCSP Certificate Validation
Users with Oracle Access Management Administrator credentials can use the
following procedure to enable the OCSP. Before you begin, you should have the URL
of the OCSP service ready to import.
1.

Under the Configuration section of the Oracle Access Management Console, click
Certificate Validation.
The Certificate Revocation List page is displayed. Confirm that the Enabled box is
checked.

2.

Click the OCSP/CDP tab.
a.

Enable OCSP.

b.

Enter the URL of the OCSP Service.

c.

Enter the Subject DN of the OCSP Service.

d.

Save this configuration.

Figure 3–6 illustrates how to add an OCSP URL using the Administration Console.
See "Using WLST to Update the OCSP Configuration" for details on how to do this
using the WLST command.
Figure 3–6 OCSP/CDP Settings

3.

Proceed to "Enabling CRL Distribution Point Extensions".

3.4.3 Enabling CRL Distribution Point Extensions
Users with Oracle Access Management Administrator credentials can use the
following procedure to add CRL distribution points in issued certificates.

Managing Common Services and Certificate Validation 3-9

Managing Certificate Validation and Revocation

1.

Under the Configuration section of the Oracle Access Management Console, click
Certificate Validation.
The Certificate Revocation List page is displayed. Confirm that the Enabled box is
checked.

2.

Open the OCSP/CDP tab.
a.

Enable CDP.

b.

Save this configuration.

Figure 3–6 illustrates this.

3.4.4 Additional OCSP Configurations
Support for HTTP Proxy and multiple OCSP Responder configurations have been
added for this 11g Release 2 (11.1.2.3) version of Oracle Access Manager. Example 3–1
illustrates the current Certificate Validation Module configuration.
Example 3–1 Certificate Validation Module Configuration



/scratch/maymaria/installed/wlsHome/user_projects/
domains/base_domain/config/fmwconfig/amcrl.jar
/scratch/maymaria/installed/wlsHome/user_projects/
domains/base_domain/config/fmwconfig/amtruststore
jks
false
false
false


The following sections contain configuration information for these new features.
■

Using WLST to Configure HTTP Proxy

■

Using WLST to Update the OCSP Configuration

■

Configuring Multiple OCSP Responders

3.4.4.1 Using WLST to Configure HTTP Proxy
The Oracle Access Manager OCSP checker can perform authentication against OCSP
responders that are outside an enterprise's intranet via HTTP Proxy.
Use the updateHTTPProxyConfig WLST command to configure the proxy.
3.4.4.1.1 Using the updateHTTPProxyConfig WLST Command Online command that
configures the OAM OCSP checker to use HTTP proxy.
3.4.4.1.2

Description Adds or updates proxy information.

3.4.4.1.3

Syntax updateHTTPProxyConfig(proxyHost, proxyPort, conTimeOut)

3-10 Administrator's Guide for Oracle Access Management

Managing Certificate Validation and Revocation

Argument

Definition

proxyHost

Mandatory. The host name of the proxy.

proxyPort

Mandatory. The port number of the proxy.

conTimeOut

Mandatory. The connection timeout in milliseconds.

3.4.4.1.4

Example

updateHTTPProxyConfig(proxyHost="hostname.example.com", proxyPort="8888",
conTimeOut="600")

3.4.4.2 Using WLST to Update the OCSP Configuration
Online command that updates the OAM OCSP configuration including:
Updates or adds an OCSP responder URL and subject details to the
"certpathvalidationocspurltocamap"

■

Clear the newly added configuration; for example,
"certpathvalidationocspurltocamap"

■

Set or unset the "useJDKOCSP" flag to enable or disable JDK OCSP

■

3.4.4.2.1 configureOAMOSCSPCertValidation Online command that updates the OAM
OCSP configuration.
3.4.4.2.2 Description Updates the OAM OCSP configuration by adding/modifying the
OCSP responder URL and subject details in the certpathvalidationocspurltocamap
property and enabling/disabling the use of the JDK OCSP Checker.
3.4.4.2.3

Syntax configureOAMOCSPCertValidation(url, subject, clear (optional),
display (optional), useJDKOCSP (optional))

Argument

Definition

url

Mandatory. Takes as a value the valid URL.

subject

Mandatory. Takes the details being modified.

clear

Optional. Takes a value of true or false.

display

Optional. Takes a value of true or false.

useJDKOCSP

Optional. Takes a value of true or false.

3.4.4.2.4 Examples The following example enables the OAM OCSP and sets the
Responder URL and subject.
configureOAMOCSPCertValidation(url="http://sample:9898",
subject="cert-subject-detail")

The following example enables the OAM OCSP and updates the Responder URL and
subject.
configureOAMOCSPCertValidation(url="http://sample:9898",
subject="details changed/updated")

The following example disables and clears the OAM OCSP.
configureOAMOCSPCertValidation(url="http://sample:9898", subject="subject-detail",

Managing Common Services and Certificate Validation

3-11

Managing Certificate Validation and Revocation

clear="true")

The following example enables/disables the JDK OCSP.
configureOAMOCSPCertValidation(url="http://sample:9898",
subject="details changed/updated", useJDKOCSP="true")

3.4.4.3 Configuring Multiple OCSP Responders
Certificate authentication currently supports authentication against a single OCSP
responder as documented in "Enabling OCSP Certificate Validation" on page 3-9.
Support for multiple OCSP responders has been added since the responder URL is
now part of the certificate's Authority Information Access Extension. To support
multiple OCSP Responders, the three lines of configuration in Example 3–2, "Multiple
OCSP Responder Configuration" must be added to the top of the Certificate Validation
Module configuration section (illustrated in Example 3–1).
Example 3–2 Multiple OCSP Responder Configuration





false
...


Configure the first and second lines to enable multiple OCSP responders.
■
■

Set certpathvalidationocspenabled to true.
Update the certpathvalidationocspurltocamap configuration. It is of type Map,
the key is the OCSP Responder URL (URL Encoded) and the value is the OCSP
Responder's Certificate subject.


emailAddress=sagar@pspl.com,CN=ps2436,OU=OBLIX-QA,O=PSPL,
L=PUNE,ST=MAHA,C=MY


■

(Optionally) set values for certpathvalidationocspcertsubject and
certpathvalidationocspurl.

The Responder URLs will be fetched first from the AuthorityInformationAccess
extension of the user's X.509 certificate and second from Modules/Plugin
(CertValidation). The Responder Subjects will be fetched first from the defined
configuration map and second from the Module/Plugin (CertValidation)
configuration. In cases where these configurations are not found, the OCSP validation
will fail.
Configure the third line to provide backward compatibility for those who want to use
JDK OCSP validation rather than the new OAM OCSP Checker. By default, the JDK
OCSP Checker is enabled. When configuring the OAM OCSP Checker using the WLST
command, the flag is set to false. For more information on the WLST command, see
Section 3.4.4.2, "Using WLST to Update the OCSP Configuration."
Depending on the Certificate Validation Module configuration there are three different
options as documented in Table 3–5.

3-12 Administrator's Guide for Oracle Access Management

Managing Certificate Validation and Revocation

Table 3–5

Configuration

OCSP
CRL Configuration JDK/OAM OCSP
Configuration
(certpathvalidationo (certpathvalidation Configuration
(useJDKOCSP)
crlenabled)
cspenabled)

No OCSP Checking

False

False

False

True

True/False

False

Simple certificate validation
is performed during OAM
X-509 authentication
OAM OCSP
X-509 authentication
performs certificate
validation with OCSP
checking using the new
OAM OCSP Checker.
JDK OCSP

(does not matter)

True

True

True

X-509 authentication
performs certificate
validation with OCSP
checking using the JDK
OCSP Checker.

To enable OCSP validation to be done using one configured responder URL, set the
certpathvalidationcrlenabled and certpathvalidationocspenabled properties to
true and set values for the certpathvalidationocspcertsubject and
certpathvalidationocspurl properties. If these properties are not set, OCSP
validation will be done using the responder URL defined within the user certificate's
AIA Extension. If no URL is defined, OCSP validation will fail.

Managing Common Services and Certificate Validation

3-13

Managing Certificate Validation and Revocation

3-14 Administrator's Guide for Oracle Access Management

4
Delegating Administration
4

[5Delegating
]
administration allows a high-level administrator to grant responsibilities to
other, more local administrators. This is useful in large organizations where it may be
necessary to administer thousands or millions of users. With this release of Oracle
Access Management, a System Administrator can delegate administration of
Application Domains to other administrators. An Application Domain Administrator
role has been developed towards this end.

This chapter contains an overview of delegating administration; in effect, determining
what rights you want to grant to another user. It contains the following sections.
■

Understanding Administrator Roles

■

Delegating the Identity Store

■

Assigning Roles Using the Administration Console

■

Using the Container Security Framework and MBeans

■

Using the Remote Registration Utility

■

Auditing Reports

4.1 Understanding Administrator Roles
After installation, Access Manager has a set of pre-defined roles that can be assigned to
administrators. The Access Manager System Administrator (as described in
Section 2.2, "About Oracle Access Management Administrators") can administer the
following:
■

■

■

■

All Application and component policy objects (including Resources,
Authentication Policies, Authorization Policies, and Token Issuance Policies)
Shared components (including Authentication Schemes, Host Identifiers, and
Resource Types)
System configuration (including Common Configuration, Access Manager settings
and Authentication Modules, Security Token Service Settings, Custom Tokens,
Endpoints, Templates and Profiles, and Access Manager Agents and Security
Token Service Partners)
Agents and partners

A System Administrator can grant the rights to administer an Application Domain to
an Application (Domain) Administrator. (A virtual Access Manager Administrator
group is defined and mapped to the Application Administrator role.) An Application
Administrator can further delegate the rights to administer one or more of their
Application Domains to other Application Administrators. An Application

Delegating Administration

4-1

Delegating the Identity Store

Administrator can create and edit Resources, Authentication Policies and
Authorization Policies. These rights are scoped to one or more Application Domains.
Only the System Administrator can assign roles to users; users
cannot further delegate that role to others.

Note:

The System Administrator, Application Administrator and Help Desk Administrator
roles are mutually exclusive; that is, a group or user can be assigned to only one such
administrator role. However, the Application Administrator and Agent Administrator
roles can be assigned to the same user or group. Table 4–1 documents details about the
pre-defined administrator roles.
Table 4–1

Roles for Delegating Administration

Role Name

Description

System Administrator

Access to entire Oracle Access Management Console including
policy creation and system configuration; encompasses the
privileges to manage all system configurations, policy objects,
Access Manager Settings, Agents, Authentication Modules,
Authentication Schemes, Host Identifiers, Resource Types,
Federation Partners and Enterprise Single Sign-on policies.
Additionally, Security Token Service Settings, Partners, Custom
Tokens, Endpoints, Templates and Profiles can be managed.
NOTE: The System Administrator does not support seamless
failover. If one server goes offline, the System Administrator can
re-login and continue on the other server(s) in the cluster.

Application Administrator Access to policy creation and resources in the specified
Application Domain. This role has access to the Application
Registration Quick Wizard link.
Help Desk Administrator

Access to the Help Desk console.

Agent Administrator

Access to the Agent configuration pages. This role has access to
the Agent Registration Quick Wizard link.

Authenticated User

Access to the Self Service Launch Pad and pages.

For information on the Oracle Access Management Console, see Section 2.3, "About
the Oracle Access Management Console and the Policy Manager Console" and
Section 2.4, "Understanding the Oracle Access Management Console."

4.2 Delegating the Identity Store
The Access Manager System Identity Store is used to enforce authentication and
authorization during the execution of administrative operations. The LDAP Directory
defined as the System Identity Store will contain all the administrators having access
to the Administration Console. An administrator can define a new User Identity Store
and select one of the existing profiles as the System Identity Store but only the System
Administrator can modify the current System Identity Store or switch to a new one.
When migrating to a new Identity Store, if users from the new store are assigned
Access Manager roles, those privileges become active and are enforced by Access
Manager. The administrator will be responsible for removing any delegated
administration privileges for the new Identity Store and the Access Manager
Administrator group will be mapped to the Administrator role of the new identity
store.

4-2 Administrator's Guide for Oracle Access Management

Using the Container Security Framework and MBeans

If the user currently logged in does not have the necessary
administrator roles in the new system store, the Administration
Console will log out or refresh so that it is compliant with the roles
assigned to the current administrator.

Note:

4.3 Assigning Roles Using the Administration Console
The System Administrator can use the Oracle Access Management Console to assign
roles to users or groups that cover specific Application Domains. Users can be
assigned multiple roles as long as the functionality doesn't overlap. For example, if
user X is assigned Global Policy Administrator, the user cannot be granted Policy
Administrator for the HR domain because the latter is a child of the former.
Roles can be assigned only to users or groups from the
system/default store.

Note:

From a high level:
1.

When delegating administration for a specific policy object or a set of policy
objects, the delegator selects the item(s) and assigns the user(s), group(s), LDAP
Search Filter(s) or Domain System role(s) to it.

2.

When delegating administration for all objects of a specific type, the delegator will
select the user(s), group(s), LDAP Search Filter(s) or Domain System role(s) and
grant the rights to administer the objects of that type to the selected. In this case,
the administrator can't select objects for which administration is being delegated;
the administrator will select a role that is granted to the appropriate delegatee
with a specific right.
Customers using Oracle Identity Manager (or Oracle Identity
Manager XE) may want to define Enterprise Roles that are common to
all of IDM and use OIM to assign users and groups to these Enterprise
Roles. The Administration Console allows for this.

Note:

4.4 Using the Container Security Framework and MBeans
MBeans that enforce authentication and authorization using the container security
framework are published using the Portable JMX Framework.
■

■

The Configuration Service MBeans are used for configuring the Certificate
Validation Module, the STS Endpoints, Templates & Profiles, and the STS Settings
& Custom Tokens.
The Partner and Trust Store Service MBeans are used for managing the STS
Partners.

At runtime, the JMX Framework will authenticate the client during the connection
operation and ensure that the client belongs to the role specified in the MBean security
annotations. Because of this, the Access Manager System Identity Store needs to be
configured as an Authentication Provider in the security realm of the domain.
Additionally, users accessing the MBeans will need to be assigned the following role
depending on the container:
■

WebLogic: Admin

Delegating Administration

4-3

Using the Remote Registration Utility

■

WebSphere: Admin or Configurator

4.5 Using the Remote Registration Utility
The Remote Registration Utility (RREG) is also governed by the roles assigned to the
user invoking them. When using RREG to remotely register agents, the administrator
provides credentials that allows the RREG client to successfully connect and
authenticate to the RREG Access Manager Server; this, in turn, propagates the client's
identity to the Access Manager components that will enforce the appropriate
administration roles. The following might occur when running the RREG based on the
administrator's role:
■

■

In a creation operation:
a.

A new agent entry can be provisioned.

b.

A HostID for that Agent can be created.

c.

An Application for that agent might be created.

d.

Resources might be added to the new Application using the newly created
HostID.

In an update operation:
a.

Agent settings can be changed.

b.

A HostID for that agent can be changed.

c.

An Application for that agent can be created if it does not exist.

d.

Resources can be added to the Application.

The RREG administrator must be assigned roles to ensure successful completion of the
administrative operations.
■
■

■

The System Administrator role to create/update an Agent.
The OAM Shared Component Administrator / System Administrator role to
create/update an HostID entry.
The OAM Domain Administrator role / System Administrator to create/update
an Application and create/configure Resources.

After executing the RREG command, the administrator will be set as the delegated
administrator for the created Application, Agent and HostID.

4.6 Auditing Reports
Auditing becomes even more critical when administration has been delegated to
several users. All policy object and system configuration operations performed by
administrators through the Administration Console or programmatically are logged
and informational reports can be generated. For more information, see Chapter 8,
"Auditing Administrative and Run-time Events."

4-4 Administrator's Guide for Oracle Access Management

5
Managing Data Sources
5

The term data source is a Java Database Connectivity (JDBC) term used within Oracle
Access Management to refer to a collection of user identity stores or a database for
policies. These data sources must be registered using the Oracle Access Management
Console in order to be accessed.

[6]

This chapter provides the steps to register and administer data sources using the
Oracle Access Management Console. The information is common to all services
available through the Oracle Access Management Console.
■

About the Data Sources

■

Registering and Managing User Identity Stores

■

Managing the Identity Directory Service User Identity Stores

■

Understanding Administrator Roles

■

Managing the Policy and Session Database

■

Introduction to Oracle Access Management Keystores

■

Integrating a Supported LDAP Directory with Oracle Access Manager

5.1 About the Data Sources
Oracle Access Management supports several types of data sources that are typically
installed for the enterprise. Each data source is a storage container for the various
types of information described in Table 5–1.
Table 5–1

Data Sources for Oracle Access Management

Data Source

Description

Database

A collection of information that is organized and stored so that its content
can be easily accessed, managed, and updated.
■

■

■

Access Manager policy data, including password management data,
must be stored in a database that is extended with the Access
Manager-specific schema and registered with Access Manager. See
"Managing the Policy and Session Database" on page 5-29.
Session Store: By default, Access Manager session data is stored
within in-memory caches that is migrated to the policy store. In
production environments, you can have an independent database for
policy data and another for session data. For details about sessions
and session data, see Chapter 16.
Audit Store: Audit data can be stored either in a file or in a separate
database (not the policy store database). For information on auditing
administrative and run time events, see Chapter 8.

Managing Data Sources

5-1

About the Data Sources

Table 5–1 (Cont.) Data Sources for Oracle Access Management
Data Source

Description

User Identity Store

Central LDAP storage in which an aggregation of user-oriented data is
kept and maintained in an organized way. (Access Manager does not
include identity services; there is no native user, group, or role store.) The
identity store must be installed and registered with Access Manager to
enable authentication when a user attempts to access a protected resource
(and during authorization, to ensure that only authorized users can access
a resource). During the initial deployment process, described in the Oracle
Fusion Middleware Installation Guide for Oracle Identity and Access
Management, the embedded LDAP store is used as the User Identity
Store.
Oracle recommends that you use only the Oracle Access Management
Console or WebLogic Scripting Tool (WLST) commands for changes; do
not edit oam-config.xml.
By default, Access Manager uses the Embedded LDAP in the WebLogic
Server domain as the user identity store. However, a number of other
external LDAP repositories can also be registered as user identity stores. In
this case, one store must be designated as the System Store that contains
Administrator roles and users.

Oracle Access Management
configuration data file:
oam-config.xml

During the initial deployment process, described in the Oracle Fusion
Middleware Installation Guide for Oracle Identity and Access
Management, Oracle Access Management configuration data is stored in
an XML file: oam-config.xml.
See "About the oam-config.xml Configuration Data File" on page 5-3.

Keystores

Several keystores are associated with Oracle Access Management services
as described in "Introduction to Oracle Access Management Keystores" on
page 5-31.
■

Embedded Java Keystore: Used for certificates for Simple or
Certificate-based communication between OAM Servers and
Webgates. The keystore bootstrap occurs upon initial AdminServer
startup after running the Configuration Wizard.
See: "About Access Manager Security Keys and the Embedded Java
Keystore" on page 5-31

■

■

Security Token Service Keystores: Access Manager and Security
Token Service keystore should always be different. For more
information, see "About Access Manager Keystores" on page 5-32.
Identity Federation Keystores: Keystore settings enable you to create
aliases (a short hand notation) for keys in the keystore.
See: "About Identity Federation Keystore" on page 5-34

Table 5–2 contains the Oracle Access Management services and links to information
about the data sources used for each.
Table 5–2

Data Sources for Oracle Access Management Services

Service

Description

Access Manager

Access Manager supports multiple Identity Stores and provides SSO
authentication using data sources:

Identity Federation

■

"Registering and Managing User Identity Stores"

■

"Managing the Policy and Session Database"

■

"About the oam-config.xml Configuration Data File"

■

"About Access Manager Security Keys and the Embedded Java Keystore"

Identity Federation supports multiple Identity Stores which can be assigned on a
per Identity Partner basis. Each Identity Store must be registered with Access
Manager. If no Identity Store is defined in the Identity Partner, the designated
Default Store is used.
■

"Using Multiple Identity Stores"

■

"About Identity Federation Keystore"

■

Section 38.3, "Administering Identity Federation As A Service Provider"

5-2 Administrator's Guide for Oracle Access Management

About the Data Sources

Table 5–2 (Cont.) Data Sources for Oracle Access Management Services
Service

Description

Security Token Service

Mobile and Social

Security Token Service uses only the designated Default Store for user identities.
■

"About Access Manager Keystores"

■

"Configuration overview: Identity Propagation with the Username Token".

■

Chapter 44, "Managing Security Token Service Certificates and Keys"

Mobile and Social provides its own Identity Directory Service configuration that
points to directory servers for user authentication and/or user profile services.
There is no dependency on the global data sources upon which Access Manager
and other Oracle Access Management services rely.
■

Chapter 49, "Configuring Mobile and Social Services"

See Also:
■

■
■

■

"Managing Global Password Policy" and "Configuring 11g
WebGates and Authentication Policy for DCC"
"Using the System Store for User Identities" on page 5-5
Chapter 16 for details about sessions stored in-memory using
Oracle Coherence and propagated to Oracle Database
Chapter 8 for details about Audit data stored within audit files or
a separate Oracle Database

The following sections contain additional details.
■

About the oam-config.xml Configuration Data File

■

About the Default LDAP Group

5.1.1 About the oam-config.xml Configuration Data File
Oracle Access Management provides an XML file (oam-config.xml) containing all
Access Manager-related system configuration data. Any changes made to the Access
Manager deployment configuration, including server and agent registration, are stored
in oam-config.xml and are automatically propagated to each Access Manager server.
Each Access Manager server has a local copy of the latest configuration XML file.
Whether you have failover configured in a high-availability environment or not, all
Access Manager servers always have the latest oam-config.xml file.
Oracle recommends not editing oam-config.xml directly. Manual changes to this file
could result in lost data or overwriting of the file during data sync operations.
However, if you must edit oam-config.xml, use the following guidelines:
■

■

■

Back up oam-config.xml in: $DOMAIN_HOME/config/fmwconfig/ and store the
copy in a different location for use if needed.
Make your changes on the node running the AdminServer to minimize possible
conflicts that another AdminConsole user might make.
If Access Manager Servers are running, increment the configuration version
number at the top of the file to associate your change and enable automatic
propagation and dynamic activation across all OAM Servers. For example, see the
next to last line of this example (existing value + 1):

11.1.1.3

Managing Data Sources

5-3

Registering and Managing User Identity Stores

2


5.1.2 About the Default LDAP Group
The default LDAP group, Administrators, is set during initial deployment using the
Oracle Fusion Middleware Configuration Wizard, as described in "About Oracle
Access Management Administrators" on page 2-3.

5.2 Registering and Managing User Identity Stores
A User Identity Store is a centralized LDAP repository in which an aggregation of
Administrator and user-oriented data is stored and maintained in an organized way.
Oracle Access Management supports multiple LDAP vendors, and multiple LDAP
stores can be registered for use by Oracle Access Management and its services. Oracle
Access Management addresses each user population and LDAP directory store as an
identity domain. Each identity domain maps to a configured LDAP User Identity Store
that must be registered with Oracle Access Management. This section provides the
information you need to register and manage user identity stores using the Oracle
Access Management Console.
■

Understanding User Identity Stores

■

Using the System Store for User Identities

■

Using Multiple Identity Stores

■

Defining the User Identity Store Registration Settings

■

Registering a New User Identity Store

■

Viewing or Editing a User Identity Store Registration

■

Deleting a User Identity Store Registration
Oracle recommends that you use the Identity Directory Service
Profiles to access identity data stores rather than the legacy OAM ID
Stores function as it will be deprecated in a future release. The Identity
Directory Service is documented in Section 5.3, "Managing the
Identity Directory Service User Identity Stores."

Note:

5.2.1 Understanding User Identity Stores
During initial WebLogic Server domain configuration using the Oracle Fusion
Middleware Configuration Wizard, the Embedded LDAP is configured as the one and
only user identity store for Oracle Access Management. Within the Embedded LDAP,
the Administrators group is created with weblogic seeded as the default
Administrator.
The Embedded LDAP performs best with fewer than 10,000
users. With more users, consider a separate enterprise LDAP server. In
a highly available configuration, Oracle recommends that an external
LDAP is used as the User Identity Store. See Oracle Fusion
Middleware Securing Oracle WebLogic Server.

Note:

5-4 Administrator's Guide for Oracle Access Management

Registering and Managing User Identity Stores

When attempting to access an Access Manager-protected resource, a user can be
authenticated against any store, not simply the designated Default Store. That said,
there are a few considerations:
■

■

System Store: Only one User Identity Store can (and must) be designated as the
System Store. This is used to authenticate Administrators signing in to use the
Oracle Access Management Console, remote registration tools, and custom
administrative commands in WLST. Thus, Administrators using the Oracle Access
Management Console or remote registration utility must have credentials stored in
the System Store. Once you define a remote User Store as the System Store, you
must change the OAMAdminConsoleScheme to use an LDAP Authentication Module
that references the same remote user store (the System Store). For details, see
"Using the System Store for User Identities."
Default Store: As the name implies, the LDAP store designated as the Default
Store is the automatic choice for use by LDAP authentication modules unless you
configure use of a different store for the module or plug-in.
Users attempting to access an Access Manager-protected
resource can be authenticated against any user identity store that is
registered and defined in the authentication scheme while the Security
Token Service uses only the Default User Identity Store. For example,
when adding User Conditions to a Token Issuance Policy, the identity
store from which the users are chosen must be the Default Store.

Note:

In the Oracle Access Management Console, User Identity Store registrations are
organized under the Configuration Launch Pad. Administrators can register, view,
modify, and delete User Identity Store registrations using either the Oracle Access
Management Console or custom WLST commands described in Oracle Fusion
Middleware WebLogic Scripting Tool Command Reference.

5.2.2 Using the System Store for User Identities
Users with valid Oracle Access Management System Administrator credentials can
designate a registered user identity store as either the Default Store, the System Store
or both. You can select the Default and System Identity Store configurations using the
Oracle Access Management Console as documented in "Managing the Identity
Directory Service User Identity Stores."
UserIdentityStore1 is the embedded Access Manager LDAP store. After installation,
the Oracle Access Management Console and OAM Policy Manager are protected by
the IAM Suite Agent. The IAM Suite Application Domain is seeded with the OAM
Admin Console Authentication Policy which uses the OAMAdminConsoleScheme
authentication scheme. In turn, the OAMAdminConsoleScheme uses the LDAP
Authentication module, and the System Store and the LDAP authentication module
both use the WebLogic Embedded Identity Store (UserIdentityStore1). The Access
Manager Administrator roles are mapped to the enterprise groups and users that
belong to the System Store.
Changing the System Store impacts the entire identity management (IAM Suite)
domain. When you want to change the System Store to a remote identity store, you
need to create an Authentication Provider in WebLogic for this remote store. The
remote store provider should be displayed after the IAMSuiteAgent provider in the
list of providers in the WebLogic console. Additionally:

Managing Data Sources

5-5

Registering and Managing User Identity Stores

■

■

■

Ensure the control flags for all providers preceding the new remote store provider
are set to SUFFICIENT or OPTIONAL.
Assign ADMIN, the WebLogic global role, to the enterprise groups or users from
this remote store. This can be done by following the steps to prepare the remote
store using IDM Config Tool and by referring to the WebLogic documentation.
If using Oracle Unified Directory as a system store, create IPlanetAuthenticator in
WebLogic.

The above configuration should be done and tested before you change the System
Store to a remote store. You will also have to change the LDAP authentication module
configuration to use the remote store. The remote store can be configured using OAM
Identity Store or IDS Profile.
Administrator login works only when the LDAP
Authentication Module (used by the OAMAdminConsoleScheme) also
uses the System Store. If you set another store as a remote store,
ensure that the OAMAdminConsoleScheme is modified to avoid a
lockout.
Note:

When you want to use a WebGate to protect the Oracle Access Management Console
(on the AdminServer) and the Policy Manager Console (on the OAM Server), in
addition to the above procedure, create an OAM Identity Asserter in WebLogic and
enable OAM as the SSO provider in JPS using WLST commands. For details, see
Appendix A, "Integrating Oracle ADF Applications with Access Manager SSO." You
will also have to whitelist the OAM Policy Manager Console host name and port, and
delete the IAMSuiteAgent provider from WebLogic to fully enable WebGate
protection.
The supported method of configuring the identity Store for a WebSphere installation is
documented in the Oracle Fusion Middleware Third-Party Application Server Guide for
Oracle Identity and Access Management. Information regarding administrator roles can
be found in "Understanding Administrator Roles."

5.2.3 Using Multiple Identity Stores
Administrators can install and register multiple user identity stores for Oracle Access
Management. Each identity store can rely on a different LDAP provider. When more
than one identity store is registered, an Administrator must define:
■
■

The System Store: Administrators can login against the System Store only.
The Default Store: Comes into play during patching and when using Identity
Federation, and Security Token Service.
–

Patching: Oracle recommends that before patching, you designate
UserIdentityStore1 as the Default Store and also update LDAP Authentication
Modules to use UserIdentityStore1(the Embedded LDAP of Weblogic Server).
For more information see, Oracle Fusion Middleware Upgrade Guide for Oracle
Identity and Access Management.

–

Identity Federation: Supports multiple identity stores, on a per IdP Partner
basis. The specified identity store must be registered like any other store. If no
identity store is defined in the IdP Partner, the Default Store is used. For
details, see Section 38.3, "Administering Identity Federation As A Service
Provider."

5-6 Administrator's Guide for Oracle Access Management

Registering and Managing User Identity Stores

–

■

Security Token Service: An LDAP server is required for Security Token Service
to map the Username token referencing the user to an LDAP User record, and
thus use that record to populate the outgoing token. Ensure that the desired
LDAP server is registered and configured as the Oracle Access Management
Default Identity Store, as described in "Using the System Store for User
Identities" on page 5-5. For more information, see "Configuration overview:
Identity Propagation with the Username Token".

The specific store to use with each LDAP authentication module or plug-in (and
Form or Basic authentication schemes)

External LDAP repositories can provide user, role, and group membership
information. A user's group memberships, for example, are calculated at login time
and stored for the duration of the session. Information is used as follows:
■

When evaluating policies during authentication

■

When evaluating identities for authorization conditions in a policy

■

When using LDAP to search for identities for conditions in an authorization policy
There is no way to flush a user's group memberships
information to force Oracle Access Management to recalculate it at a
later date.

Note:

Registering user identity stores is required to provide connectivity with OAM Servers.
After registering the identity store, Administrators can reference it in one or more
authentication modules that form the basis for authentication schemes.
Oracle Access Management addresses each user population and directory as an
identity domain. Each identity domain simply maps to a configured identity store
name.
In the first Oracle Access Manager 11g release, users were identified using a simple
user name/id field both internally and externally. Support for multiple identity realms
requires cross-realm representation of a user or a group or any entity that resides
within the identity store. This representation, referred to as a canonical identifier,
serves as a unique identifier to various run time and administrative components of
Oracle Access Management:
■

External Representation: Qualifies the simple user name with identity domain
information.
For instance, in Oracle Access Management Console a table that lists user names
includes a column that displays the identity domain of the respective user. Identity
domains map to identity store names. All functional components (the console,
Policies, Responses, Logging, Session management, Auditing, and so on) that
display user information will begin to qualify the same with the identity domain
information.

■

Internal Representation: To support disambiguation, OAM stores and uses the
fully-qualified name (or uses both fields, as-is, to form a composite key).
For instance, The Session Management Engine does this to eliminate the need to
store composite). In any case, the fully-qualified name is not visible.

Table 5–3 documents the various run time and administrative components of Oracle
Access Management that use identity stores.

Managing Data Sources

5-7

Registering and Managing User Identity Stores

Table 5–3

Components That Use Identity Stores

Component

Description

Authorization Policy
Administration

Authorization policy administration allows authoring of grants to
users or groups. Administrators can search within specific identity
stores, selecting certain users or groups and granting or denying them
access. Search results provide canonical identifiers for users and
groups such that those values are stored as principals of the Identity
Condition type of an Access Manager Authorization policy. The
console displays the names and the Identity Store of origin.

Run Time

Authentication and Authorization relies on the Policy run time
component. OAMIdentity is the runtime representation of the
authenticated user and any groups that the user is a member of (if
any). During policy evaluation, information present within the
OAMIdentity is matched with what is stored as part of authorization
policy's Identity Constraint. The domain is asserted as a Name
Qualifier within the token.
For OAM Proxy, in addition to the existing OAM_REMOTE_USER
header, a second OAM_IDENTITY_DOMAIN header is set on every
request for an authenticated user, such that a consuming application
can disambiguate the user if needed.

Sessions

Session Management searches inform Administrators as to the user
Identity Store, which is listed in the search results table.

Auditing and Logging The user Identity Store against which the user has been authenticated
is accounted for during auditing and logging.

See Also:
■

"Defining the User Identity Store Registration Settings"

■

"Understanding Administrator Roles"

■

"Using the System Store for User Identities"

■

Oracle Fusion Middleware WebLogic Scripting Tool Command
Reference for Identity and Access Management

5.2.4 Defining the User Identity Store Registration Settings
This topic describes the various user identity store settings under the System
Configuration tab. Figure 5–1 illustrates the Create User Identity Store Page, which
provides fields where you enter details for your store and default settings that you can
edit for your environment. The Store Type drop-down list provides supported choices.

5-8 Administrator's Guide for Oracle Access Management

Registering and Managing User Identity Stores

Figure 5–1 Creating User Identity Store Registration

Required settings are identified by the asterisk (*) on the page. Table 5–4 describes
each element and is organized by element types.
Table 5–4

User Identity Store Elements

Elements

Description

Store Name

A unique name for this registration. Use up to 30 characters for the name.

Managing Data Sources

5-9

Registering and Managing User Identity Stores

Table 5–4 (Cont.) User Identity Store Elements
Elements

Description

Store Type

A list of all supported LDAP providers from which you can choose. You can
have multiple identity stores, as described in "Using Multiple Identity Stores" on
page 5-6.

See Also: Table 24–6, " Location of Oracle-provided LDIFs for LDAP Providers".
Description

Optional.

Enable SSL

Click to check this box and indicate that SSL is enabled between the directory
server and OAM Server.
Using the keytool command line interface, you must also import the
appropriate CA root certificate and server certificate to the default JDK keystore
(located at $JAVA_HOME/lib/security/cacerts).
NOTE: The CA root certificate can be added to any keystore as long as the
appropriate values regarding that keystore are set for the following Java
properties. To do this, start the OAM Admin Server and Managed Server
instances with the appropriate values and the -D option.
■

javax.net.ssl.trustStore=trust.jks

■

javax.net.ssl.trustStorePassword=

■

javax.net.ssl.keyStore=keystore.p12

■

javax.net.ssl.keyStoreType=pkcs12

■

javax.net.ssl.keyStorePassword=

Prefetched Attributes

List of comma-separated user attributes; for example, email, phone, mobile. The
OAM server will cache the list of user attributes in memory while it
authenticates the user against the identity store. The cached values will be used
to compute the Authentication response headers, Authorization policy response
headers and Authorization policy conditions. Pre-fetched attributes provide
huge performance improvements by avoiding a round trip to the user identity
store. The OAM Administrator has to make sure all the user attributes used in
Authentication and Authorization policy response headers and Authorization
conditions are defined as prefetched attributes in the user identity store profile.

User Native ID Store

This enables getting the authentication code for natively locked/disabled/pw_
must_change code in the LDAP authentication module.

Location and Credentials

Description

Location

The URL for the LDAP host, including the port number. Oracle Access
Management 11g support multiple LDAP URLs with failover capability. The
Identity Assertion Provider fails over to the next LDAP URL based on the order
in which these appear.
Enter one (or more) LDAP URLs in host:port format, Multiple URLs must be
separated by a space or new line. There is no need to specify ldap:// or
ldaps://(which supports SSL_NO_AUTH) in the URL value:
localhost:myhost:7001
Note: The number of characters a supported URL can have is based on the
browser version. Ensure that your applications do not use URLs that exceed the
length that Oracle Access Management and the browser can handle.

5-10 Administrator's Guide for Oracle Access Management

Registering and Managing User Identity Stores

Table 5–4 (Cont.) User Identity Store Elements
Elements

Description

Bind DN

The user DN for the connection pool over which all other BINDs occur. Oracle
recommends a non administrative user with appropriate Read and Search
privileges for the user and group base DNs.
For example:
uid=amldapuser,ou=people,o=org

Password

The password of the Principal, which is encrypted for security.

Users and Groups

Description

Login ID Attribute

The attribute that identifies the login ID (user name).
For example:
uid

User password attribute

The attribute in the user identity store (LDAP directory) which stores the user’s
password. This is made configurable for added flexibility.

User Search Base

The node in the directory information tree (DIT) under which user data is
stored, and the highest possible base for all user data searches.
For example:
ou=people,ou=myrealm,dc=base_domain

User Filter Object
Classes

The object classes to be included in search results for users, in a
comma-separated list of user object class names. For example: user,person.

Group Name Attribute

The attribute that identifies the group name.
Default: cn

Group Search Base

Currently only static groups are supported, with the uniquemember attribute.
The node in the directory information tree (DIT) under which group data is
stored, and the highest possible base for all group data searches.
For example:
ou=groups,ou=myrealm,dc=base_domain

Group Filter Classes

The object classes to be included in the search results for groups, in a
comma-separated list of group object classes. For example:
groups,groupOfNames.

Enable Group
Membership Cache

Boolean value for group cache: true or false.

Group Cache Size

Integer for the group cache size.

Default: true

Default: 10000
Group Cache
Time-to-Live (seconds)

Integer (in seconds) for Time to Live for group cache elements.

Connection Details

Description

Minimum Pool Size

The smallest size set for the connection pool.

Default: 0

Default: 10
Maximum Pool Size

The greatest size set for the connection pool.
Default: 50

Wait Timeout

The number (in seconds) that connection requests can wait before timing out in
the event of a fully utilized pool.
Default: 120

Inactivity Timeout

The number (in seconds) that connection requests can be inactive before timing
out in the event of a fully utilized pool.

Results Time Limit
(seconds)

The time limit (in seconds) for LDAP searches and bind operations on the
connection pool.
Default: 0

Managing Data Sources 5-11

Registering and Managing User Identity Stores

Table 5–4 (Cont.) User Identity Store Elements
Elements

Description

Retry Count

The number of time that the connection is retried when there is a connection
failure.
Default: 3

Referral Policy

One of these values:
■

follow: Follows referrals during an LDAP search (Default)

■

ignore: Ignores referral entries during an LDAP search

■

throw: Results in a Referral Exception, which can be caught by the
component user.

Enable Password
Management

Enables password policy enforcement against the attribute values listed below.
The corresponding options in the password policy must be configured as well.

Use Oblix User Schema

Enables the use of OBLIX schema instead of standard Oracle schema.

Global Common ID
Attribute

Specifies the User ID attribute name. This attribute will be used as part of the
password policy to check that the user ID is not part of the password.

First Name Attribute

Specifies the First Name attribute name. This attribute will be used as part of the
password policy to check that the user’s first name is not part of the password.

Last Name Attribute

Specifies the Last Name attribute name. This attribute will be used as part of the
password policy to check that the user’s last name is not part of the password.

Email Address Attribute Not currently supported.
Challenge Questions
Attribute

Not currently supported.

Challenge Answers
Attribute

Not currently supported.

Figure 5–2 shows the Default and System Store designations. Notice the Access System
Administrators section. You can add or remove Administrator roles only within the
defined System Store and the store itself.
Figure 5–2 System Store Registration

See Also: Details about classifying users in Chapter 25, "Managing
Policies to Protect Resources and Enable SSO"

5.2.5 Registering a New User Identity Store
Users with valid Oracle Access Management Administrator credentials can use this
procedure to register a new user identity store using the Oracle Access Management
Console. After you register the identity store, you can reference it in one or more

5-12 Administrator's Guide for Oracle Access Management

Registering and Managing User Identity Stores

authentication modules that form the basis for authentication schemes. You can also
reference a specific identity store within Identity Conditions in Authorization Policies.
Before you begin:
■

■

■

Install the user identity store that you intend to register with Oracle Access
Management.
Extend the LDAP directory schema for Access Manager, as described in Oracle
Fusion Middleware Installation Guide for Oracle Identity and Access
Management.
Create Users and Groups in the LDAP directory, as described in your vendor
documentation.

Follow this procedure to register a new identity store definition.
1.

At the top of the Oracle Access Management Console, click Configuration.

2.

In the Configuration console, click User Identity Stores.

3.

In the OAM ID Stores section, click Create.

4.

Fill in the form with appropriate values for your deployment (Table 5–4), then
click Apply to submit the registration.

5.

Test Connection: Click Test Connection to confirm connectivity, then close the
Confirmation window.

6.

Close the registration page.

7.

Add Administrators: See "Understanding Administrator Roles" on page 5-26.
a.

In the navigation tree, double-click the store name to open the registration
page.

b.

In the Access System Administrators section, click the + above the table.

c.

Fill in the Add System Administrator Roles dialog box (...).

d.

Click Apply.

8.

Set Default Store: See "Using the System Store for User Identities" on page 5-5.

9.

Click Apply to submit the registration and close the page.

10. Configure one or more authentication modules or plug-ins to use this store, as

described in:
■
■

"Native LDAP Authentication Modules" on page 22-25
"Orchestrating Multi-Step Authentication with Plug-in Based Modules" on
page 22-29

5.2.6 Viewing or Editing a User Identity Store Registration
Users with valid Oracle Access Management Administrator credentials can view or
modify the registration of a user identity store. The user identity store that you intend
to register must be installed and running.
1.

At the top of the Oracle Access Management Console, click Configuration.

2.

In the Configuration console, click User Identity Stores.

3.

In the OAM ID Stores list, select the target identity store and click Edit.

4.

Modify values as needed (see Table 5–4).

5.

Click Apply to update the registration (or close the tab without applying changes).
Managing Data Sources 5-13

Managing the Identity Directory Service User Identity Stores

6.

Test Connection: Click Test Connection button to confirm connectivity, then close
the Confirmation window.

7.

Set as System or Default Store: See "Using the System Store for User Identities".

8.

Manage Administrator Roles: See "Understanding Administrator Roles".

9.

Configure one or more authentication modules or plug-ins to use this store, as
described in:
■
■

"Native LDAP Authentication Modules" on page 22-25
"Orchestrating Multi-Step Authentication with Plug-in Based Modules" on
page 22-29

10. Close the page when you finish.

5.2.7 Deleting a User Identity Store Registration
Users with valid Oracle Access Management Administrator credentials can use this
procedure to delete a user identity store registration using the Oracle Access
Management Console.
You cannot delete the Default Store or System Store
registration.

Note:

1.

Edit LDAP Authentication Modules that reference the store to be deleted (to
ensure a valid identity store is referenced within the module).

2.

At the top of the Oracle Access Management Console, click Configuration.

3.

In the Configuration console, click User Identity Stores.

4.

In the OAM ID Stores list, select the target identity store and click Delete.

5.

In the confirmation dialog that appears, click Delete to confirm the deletion (or
click Cancel to dismiss the window and retain the instance).

6.

Confirm that the definition is no longer listed in the navigation tree.

5.3 Managing the Identity Directory Service User Identity Stores
Identity Directory Service (IDS) is a flexible and configurable service used by Access
Manager as the means for accessing multiple identity data stores. The purpose of IDS
is to allow the management of users or groups from identity stores not deployed with
Access Manager itself. The following sections contain the details.
■

Using Identity Directory Services

■

Creating an Identity Directory Service Profile

■

Editing or Deleting an Identity Directory Service Profile

■

Creating a Form-fill Application Identity Directory Service Profile

■

Understanding the Pre-Configured Identity Directory Service Profile

■

Creating an Identity Directory Service Repository

5-14 Administrator's Guide for Oracle Access Management

Managing the Identity Directory Service User Identity Stores

5.3.1 Using Identity Directory Services
Identity Directory Service offers a consistent and rationalized technology to access
identity stores that eliminates redundant configurations and simplifies Identity
Management operations. IDS provides the following benefits:
1.

Support for different types of user directories including integration with native
user/password state managed by the directory.

2.

Consistent administration user interface and a paradigm for working with
different identity stores across Oracle Identity Management components.

3.

Built in failover and load balancing capabilities.

4.

Logical to physical attribute mapping and entity relationships.

The following list of directory servers are among those supported.
■

Microsoft Active Directory

■

Novell eDirectory

■

Oracle Directory Server Enterprise Edition

■

Oracle Internet Directory

■

Oracle Unified Directory

■

Oracle Virtual Directory

■

OpenLDAP

■

IBM Tivoli Directory Server

■

WebLogic Server Embedded LDAP
Oracle recommends that you use the Identity Directory Service
Profiles to access identity data stores rather than the legacy OAM ID
Stores function as it will be deprecated in a future release.

Note:

Figure 5–3 is a screen capture of the Identity Directory Service console page.

Managing Data Sources 5-15

Managing the Identity Directory Service User Identity Stores

Figure 5–3 Identity Directory Service Console Page

Note this page contains the configuration panel for the legacy
OAM ID Stores. Oracle recommends that you use the Identity
Directory Service Profiles to access identity data stores rather than the
legacy OAM ID Stores function as it will be deprecated in a future
release.

Note:

Configuring an Identity Directory Service store involves configuring parameters for an
IDS Profile and an IDS Repository. The IDS Profile specifies the full scope of traits for a
particular type of identity store. It is the logical configuration for the repository and
contains the following data.
■

Entity definition

■

Entity relationship definition

■

Default operational configuration (including the tenant search/create base, the
tenant filter, timeouts and cache configuration)

5-16 Administrator's Guide for Oracle Access Management

Managing the Identity Directory Service User Identity Stores

The IDS Repository configuration defines the actual location of the store. The IDS
Repository is a physical configuration that containing the following data.
■

Connection details (including the host machine, port number and credentials)

■

Connection pool details

■

High-availability/failover configuration

■

Entity attribute mapping

5.3.2 Creating an Identity Directory Service Profile
To create an Identity Directory Service profile, proceed as follows.
1.

At the top of the Oracle Access Management Console, click Configuration.

2.

In the Configuration console, click User Identity Stores.

3.

In the IDS Profiles section, click Create.
The Create IDS Profile page is displayed as in Figure 5–4.

Managing Data Sources 5-17

Managing the Identity Directory Service User Identity Stores

Figure 5–4 Create IDS Profile Page

4.

Provide the following values for the new Identity Directory Service profile.

5-18 Administrator's Guide for Oracle Access Management

Managing the Identity Directory Service User Identity Stores

■
■

5.

Name - Type a unique name for this User Profile Service Provider.
Description - (Optional) Type a short description that will help you or another
Administrator identify this service in the future.

Configure the Repository properties by selecting Create New or Use Existing.
Create New defines a new Repository object (that is, a reference to an LDAP
directory server) for the Identity Directory Service connection. Click Test
Connection after you have defined the values in the Repository section to verify
they are correct. This option is only available when defining a new Identity
Directory Service connection. Use Existing allows you to choose a previously
defined Repository object by selecting it from the drop down menu.
■

■

■

■

■

(Repository) Name - Enter a new unique name to create, or choose an existing
one from the menu. After entering a new name, configure properties for the
Identity Directory Service connection.
Directory Type - Select the type of directory server software hosting the
Repository; for example, Microsoft Active Directory or Oracle Internet Directory.
If your directory is not listed, leave this field empty. If you are not defining a
new Identity Directory Service connection or creating a new repository, this
field is read-only.
Host Information - Contains information about the host computer on which
the Identity Directory Service Repository is located. Add multiple hosts if the
directory server is part of a cluster. Click Add to add a new host to the table. In
the Host Name column type either the IP Address or the name of the
computer (or virtual computer) on which the Directory server is running. In
the Port column, type the port number that the directory server is configured
to use. If the hosts are part of a cluster, in the Load Distribution column type
the load amount as a percentage that should be directed to each host. For
multiple hosts, the amount should add up to 100%. To delete a host, select its
row in the table and click Remove. If you are not defining a new Identity
Directory Service connection or creating a new repository, this field is
read-only.
Availability - Choose Failover if the cluster is configured for failover
operation, or choose Load balanced if the cluster distributes the load across
multiple hosts. This field is read-only if you are using an existing repository.
SSL - Select Enabled if the connection is configured for SSL. (See the Oracle
Fusion Middleware Application Security Guide for SSL configuration details.)

Managing Data Sources 5-19

Managing the Identity Directory Service User Identity Stores

Follow this procedure to add the SSL certificates required for
setting the TLS connection.

Note:
1.

Create the LibOVD keystore by running this command.
MW_HOME/oracle_common/bin/libovdconfig.sh -host WLS_ADMIN_HOST
-port WLS_ADMIN_PORT -userName weblogic
-domainPath WLS_DOMAIN_PATH -createKeystore
-contextName ids

Enter the AdminServer password and the password used for the
LibOVD keystore when requested.
2.

Import the OID server certificate into the LibOVD keystore.
keytool -importcert
-keystore DOMAIN_HOME/config/fmwconfig/ovd/
ids/keystores/adapters.jks
-storepass KEYSTORE_PASSWORD -alias ALIAS_NAME
-file FULL_PATH_TO_CERTFILE -noprompt

■

■

■

■

6.

Bind DN - Type the distinguished name (DN) of the LDAP Administrator
used to authenticate to the Directory server.
Bind Password - Type the Bind DN password used to authenticate to the
Directory server.
Base DN - Type the base distinguished name (DN) where User and Group
data is located.
Password Management - selecting Enable Password Management enables
password policy enforcement against the attribute values listed in Table 5–4.
The corresponding options in the password policy must be configured as well.

Configure the User properties to configure the LDAP User object in Mobile and
Social User Profile services.
Note: These fields are read-only if using an existing Identity
Directory Service connection.

■

■

■

■

■

7.

Object Classes - Click Add to add a custom object class that represents people
in an organization as defined on your directory server.
RDN Attribute - Type the relative distinguished name attribute (for example,
cn) designated for the User object on the directory server.
Base DN - Type the base DN (in LDAP form) for the User object on the
directory server.
Login ID Attribute - Type the LDAP attribute from which the login ID
specifying the User will be extracted.
Global Common ID Attribute - Type the global common user ID attribute.

Configure the Group properties to configure the LDAP group object in Mobile and
Social User Profile services.
■

Object Classes - Click Add to add a custom object class that represents a
group of people in an organization as defined on your Directory server.

5-20 Administrator's Guide for Oracle Access Management

Managing the Identity Directory Service User Identity Stores

■

■

■

8.

RDN Attribute - Type the relative distinguished name attribute (for example,
cn) designated for the Group object on the directory server.
Base DN - Type the base DN (in LDAP form) for the Group object on the
directory server.
ID Attribute - Type the LDAP attribute from which the ID designated for the
Group object will be extracted.

Click Create.
The profile is displayed in the IDS Profiles table.

5.3.3 Editing or Deleting an Identity Directory Service Profile
To edit or delete an IDS Profile, select the name in the table and click Edit or Delete in
the tool bar. Editing the profile allows for additional configuration properties for the
Identity Directory Service connection.
■

■

Name - Choose an Identity Directory Service connection to associate with the User
Profile Service Provider from the drop down menu.
–

If you choose either of the default Identity Directory Services (either userrole
or idxuserrole) you cannot view or edit the configuration values.

–

If you choose an Identity Directory Service connection that you or another
Administrator created, you can view and edit the configuration values as
needed.

General and Repository - Use the fields under this tab to edit the Directory
Service and Repository configuration values that Mobile and Social uses to
connect to the Directory Service.
–

Repository Name - Choose from the menu a repository to associate with the
Identity Directory Service connection. After choosing a repository, configure
its properties using the following form fields.

–

Directory Type - Displays the type of Directory server software hosting the
Repository, for example Microsoft Active Directory, Oracle Internet Directory, and
so on. This field is read-only.

–

Host Information - Displays information about the host computer where the
Identity Directory Service Repository is located. Add multiple hosts if the
Directory server is part of a cluster. Click Add to add a new host to the table.
In the Host Name column type either the IP Address or the name of the
computer (or virtual computer) that the Directory server is running on. In the
Port column, type the port number that the Directory server is configured to
use. If the hosts are part of a cluster, in the Load Distribution column type the
load amount as a percentage that should be directed to each host. For multiple
hosts, the amount should add up to 100%. To delete a host, select its row in the
table and click Remove. If you are not defining a new Identity Directory
Service connection or creating a new repository, this field is read-only.

–

Availability - Choose Failover if the cluster is configured for failover
operation, or choose Load balanced if the cluster distributes the load across
multiple hosts. This field is read-only if you are using an existing repository.

–

SSL - Select Enabled if the connection is configured for SSL. Otherwise clear
the option box. See SSL in Section 5.3.2, "Creating an Identity Directory
Service Profile" for information on how to add the SSL certificates required for
the TLS connection.

Managing Data Sources 5-21

Managing the Identity Directory Service User Identity Stores

■

■

–

Bind DN - Type the distinguished name (DN) of the LDAP Administrator
used to authenticate to the Directory server.

–

Bind Password - Type the Bind DN password used to authenticate to the
Directory server.

–

Base DN - Type the base distinguished name (DN) where User and Group
data is located.

–

Password Management - selecting Enable Password Management enables
password policy enforcement against the attribute values listed in Table 5–4.
The corresponding options in the password policy must be configured as well.

Entity Attributes - Use the fields under this tab to view or edit the attributes that
Mobile and Social uses to navigate the corporate directory service schema. Click
Add to add an attribute to the table or click Remove to delete an attribute.
–

Name - The attribute name.

–

Physical Attribute - The name of the corresponding physical attribute type in
the underlying Repository.

–

Type - The attribute's data type.

–

Description - A brief description of the attribute.

–

Sensitive - Select to mark that the attribute contains sensitive information
such as a password.

–

Read-only - Select to protect the attribute from modification.

Entities / User Properties - Use the fields under the User sub head to configure
how Mobile and Social interacts with the User entities on the LDAP server.
–

Create Base - Specifies the base DN (the top level of the LDAP directory tree)
at which Users are defined.

–

Search Base - Specifies the search base DN for Users. Only entries at or below
the search base DN are considered when processing the search operation.

–

Create Object Classes - Specifies the object class under which attributes
associated with a person are stored.

–

RDN Attribute - Specifies the relative distinguished name attribute, for
example cn.

–

ID Attribute - Specifies the attribute that uniquely identifies the User, such as
the uid attribute or the loginid attribute.

–

Filter Object Classes - Specifies the object class by which to filter.

–

Attributes Configuration - Specify the User attributes that should be available
to, and searchable by, the User Profile Service Provider.
*

Used - Specifies if the attribute is used for Users in the directory service.

*

Attribute Name - Specifies the name of the attribute as defined on the
Entity Attributes tab.

*

In Results - Select if the specified attribute should be returned in search
results.

*

Searchable - Select if the specified attribute should be available for search
operations.

*

Search Operator - Select a search operator from the menu to restrict how
the specified attribute is searched.

5-22 Administrator's Guide for Oracle Access Management

Managing the Identity Directory Service User Identity Stores

–

■

Entities / Group Properties - Use the fields under the Group sub head to configure
how Mobile and Social interacts with the Group entities on the LDAP server.
–

Create Base - Specifies the base DN (the top level of the LDAP directory tree)
at which Users are defined.

–

Search Base - Specifies the search base DN for Groups. Only entries at or
below the search base DN are considered when processing the search
operation.

–

Create Object Classes - Specifies the object class under which attributes
associated with a Group are stored.

–

RDN Attribute - Specifies the relative distinguished name attribute; for
example, cn.

–

ID Attribute - Specifies the LDAP attribute that uniquely identifies the Group.

–

Filter Object Classes - Specifies the object class by which to filter.

–

Attributes Configuration - Specify the Group attributes that should be
available to, and searchable by, the User Profile Service Provider.

–

■

Operations Configuration - Select from Create, Update, Delete, and Search to
enable those operations at the User entity level. Clear the option boxes to
disable them.

*

Used - Specifies if the attribute is used for Users in the directory service.

*

Attribute Name - Specifies the name of the attribute as defined on the
Entity Attributes tab.

*

In Results - Select if the specified attribute should be returned in search
results.

*

Searchable - Select if the specified attribute should be available for search
operations.

*

Search Operator - Select a search operator from the menu to restrict how
the specified attribute is searched.

Operations Configuration - Select from Create, Update, Delete, and Search to
enable those operations at the Group entity level. Clear the option boxes to
disable them.

Relationships - Use the fields under this tab to configure the relationship between
attributes for this Identity Directory Service.
–

Name - The relationship name.

–

(From) Entity - Choose User to select from User attributes or choose Group to
select from Group attributes in the (From) Attribute column.

–

(From) Attribute - Choose the attribute from which you are mapping.

–

Relation - Choose the menu option that describes the relationship between the
specified attribute in the From column and the specified attribute in the To
column.

–

(To) Entity - Choose User to select from User attributes or choose Group to
select from Group attributes in the (To) Attribute column.

–

(To) Attribute - Choose the attribute to which you are mapping.

–

Recursive - Select if the relationship extends down the directory tree to
include nested child entities or up the directory tree to include parent entities.

Managing Data Sources 5-23

Managing the Identity Directory Service User Identity Stores

■

Relationship Configuration - Type the URI segment used to access the
corresponding column in the Identity Directory Service. Use Add to add a new
relationship or Remove to remove a configured relationship.
–

Access URI - Type a URI segment that will be used to access a corresponding
data column in the Identity Directory service. For example, if memberOf is the
Access URI, then:
http://host:port/.../idX/memberOf

would be the URI to access related entities of an entity with ID idX.
–

Identity Directory Service Relation - Choose the Directory Service
relationship that is to be accessed by the Access URI segment. You can
configure relationships on the Relationships tab in the Identity Directory
Service configuration section provided that the Identity Directory Service is
not the pre-configured UserProfile Identity Provider. (You cannot configure
Identity Directory Service relationships for the UserProfile Service Provider.)

–

Entity URI Attribute - Type the JSON attribute name to be used in the URI
response sent from the Mobile and Social server. For example, if person-uri is
the specified entity URI attribute, the URI response would be as follows:
{ {"person-uri":uriY1, ...}, {"person-uri":uriY2, ...}, ... }

where uriY1 and uriY2 are the direct URIs to access each of the related
entities.
–

Scope for Requesting Recursion - Use Scope attribute values with the scope
query parameter to retrieve a nested level of attributes in a relationship search.
To access related entities recursively, type the value to be used. The Mobile
and Social default configuration uses two scope attribute values: toTop and
all. If the Scope for Requesting Recursion value is the attribute value all,
then the following REST URI example is used to make the request:
http://host:port/.../idX/reports?scope=all

In this example, the URI returns the entities related to the entity with ID idX,
as well as all further related entities.

5.3.4 Creating a Form-fill Application Identity Directory Service Profile
To create an Identity Directory Service Profile for a Form-fill Application, click the
Create Form-fill Application IDS Profile button on the left of the User Identity Stores
console page. (See Figure 5–3.)
Section 5.3.2, "Creating an Identity Directory Service Profile" and Section 5.3.3, "Editing
or Deleting an Identity Directory Service Profile" contain definitions for most of the
Form-fill attributes. Additional definitions for the Entity Search Bases section specific
to this type of profile are listed below.
■

■

■

User Search Base - Full DN for the node at which enterprise users are stored in the
directory; for example, cn=Users,realm_DN.
App Template Search Base - Full DN for the node from which searches for the
Application Templates will begin.
Top Search Base - Full DN for the node from which searches will begin; for
example, cn=realm_DN.

5-24 Administrator's Guide for Oracle Access Management

Managing the Identity Directory Service User Identity Stores

5.3.5 Understanding the Pre-Configured Identity Directory Service Profile
Mobile and Social provides a pre-configured IDS Profile named UserIdentityStore1.
This profile allows lookup and update tasks to be performed on directory objects using
Mobile and Social.

5.3.6 Creating an Identity Directory Service Repository
To create an Identity Directory Service repository, proceed as follows.
1.

At the top of the Oracle Access Management console, click Configuration.

2.

In the Configuration console, click User Identity Stores.

3.

Click Create under IDS Repository.
The Create IDS Repository page is displayed as in Figure 5–5.

Figure 5–5 Create IDS Repository Page

4.

Provide the following values for the new Identity Directory Service repository.
■

Name: the entry must be a unique.

■

Select the Directory Type from the drop down choices.

Managing Data Sources 5-25

Understanding Administrator Roles

5.

Click Add to configure the physical location of the repository (Host name, Port
number and Load Weightage percentage).

6.

Configure the Repository properties as follows:
■

■

■

■

■

■

■

■

■

(Repository) Name - Enter a new unique name to create, or choose an existing
one from the menu. After entering a new name, configure properties for the
Identity Directory Service connection.
Directory Type - Select the type of directory server software hosting the
Repository; for example, Microsoft Active Directory or Oracle Internet Directory.
If your directory is not listed, leave this field empty. If you are not defining a
new Identity Directory Service connection or creating a new repository, this
field is read-only.
Host Information - Contains information about the host computer on which
the Identity Directory Service Repository is located. Add multiple hosts if the
directory server is part of a cluster. Click Add to add a new host to the table. In
the Host Name column type either the IP Address or the name of the
computer (or virtual computer) on which the Directory server is running. In
the Port column, type the port number that the directory server is configured
to use. If the hosts are part of a cluster, in the Load Distribution column type
the load amount as a percentage that should be directed to each host. For
multiple hosts, the amount should add up to 100%. To delete a host, select its
row in the table and click Remove. If you are not defining a new Identity
Directory Service connection or creating a new repository, this field is
read-only.
Availability - Choose Failover if the cluster is configured for failover
operation, or choose Load balanced if the cluster distributes the load across
multiple hosts. This field is read-only if you are using an existing repository.
SSL - Select Enabled if the connection is configured for SSL. See SSL in
Section 5.3.2, "Creating an Identity Directory Service Profile" for information
on how to add the SSL certificates required for the TLS connection. (See the
Oracle Fusion Middleware Application Security Guide for SSL configuration
details.)
Bind DN - Type the distinguished name (DN) of the LDAP Administrator
used to authenticate to the Directory server.
Bind Password - Type the Bind DN password used to authenticate to the
Directory server.
Base DN - Type the base distinguished name (DN) where User and Group
data is located.
Password Management - selecting Enable Password Management enables
password policy enforcement against the attribute values listed in Table 5–4.
The corresponding options in the password policy must be configured as well.

7.

Click Test Connection to confirm the values are correct.

8.

Click Create.
The repository is displayed in the IDS Repositories table.

5.4 Understanding Administrator Roles
By default, the Oracle Access Management Administrators role is the same as the
WebLogic Administrators role (Administrators). You can register another User Identity

5-26 Administrator's Guide for Oracle Access Management

Understanding Administrator Roles

Store (Oracle Internet Directory, for example); however, user weblogic must be defined
with at least one user in the registered store to authenticate against. Administrator
login works only when the Authentication Scheme (and assigned Authentication
Module) used by the IAMSuiteAgent, also uses the System Store. This section provides
the following topics:
■

Adding Administrator Roles

■

Managing Administrator Roles

5.4.1 Adding Administrator Roles
Your enterprise might require independent sets of Administrators: one set of users
responsible for Access Manager and another for Security Token Service. All
Administrator roles, users, and groups must be stored in the System Store. If the
System Store changes, appropriate Administrator roles must be added to the new
System Store. If, when editing an Identity Store registration, you designate a store as
the System Store the Access System Administrator section appears.
You can add new Administrator roles when adding or editing a User Identity Store
registration. Figure 5–6 shows the page and controls to use.
Figure 5–6 Add System Administrator Roles

5.4.2 Managing Administrator Roles
This section explains how to define or remove Oracle Access Management
Administrator roles which must be stored in the User Identity Store designated as the
System Store. First, define the desired LDAP group to use for Administrators and then
ensure that your Administrators group is available in the group search base. (See
Using the System Store for User Identities.) To add or remove an Administrator role
from the System Store, follow this procedure.
1.

View System Store Registration: Perform the following steps (or find a different
System Store in the Data Sources node to designate as the System Store).

Managing Data Sources 5-27

Understanding Administrator Roles

a.

At the top of hte Oracle Access Management Console, click Configuration.

b.

In the Configuration console, click Administration.
The registered System Store can not be changed from this page.

c.
2.

3.

4.

5.

Search the System Store to find configured administrators.

Add User Roles:
a.

Click the Grant (+) button above the Access System Administrators table to
display the Add Users and Groups dialog box.

b.

Select User in the Type list and click Search.

c.

In the results list, click the desired user, then click Add Selected.

d.

Repeat as need to add desired Administrator User roles.

e.

Click Apply to submit user roles.

Add Group Roles:
a.

Click the Grant (+) button above the Access System Administrators table to
display the Add Users and Groups dialog box.

b.

Select Group in the Type list and click the Search button.

c.

In the results list, click the desired Group and then click the Add Selected
button.

d.

Repeat as need to add desired Administrator Group roles.

e.

Click Apply to submit Group roles.

Remove Administrator Roles:
a.

In the Access System Administrators table, click the row containing the user or
group to remove.

b.

Click the Delete (x) button above the table.

c.

Confirm removal when asked.

d.

Click Apply to submit the removal.

Correct any authentication plug-ins that use the System Store (if this is a new
store).
This procedure is described in "Orchestrating Multi-Step Authentication with
Plug-in Based Modules" on page 22-29

6.

Test the New Role: Close the browser window, then re-open it.
a.

Sign out of the Oracle Access Management Console and close the browser
window.

b.

Start up the Oracle Access Management Console and attempt to log in using
the previous Administrator role to confirm that this attempt fails.

c.

Log in using the new Administrator role to confirm that this attempt is
successful.
Login Failure: See "Administrator Lockout" on page E-6.

5-28 Administrator's Guide for Oracle Access Management

Managing the Policy and Session Database

5.5 Managing the Policy and Session Database
Oracle Access Management requires a database to store Access Manager policy data,
password management data, and Access Manager sessions in a production
environment.
At most, your deployment can have one policy store database
(which serves password management) and one session store. By
default, a single JDBC data source is used for both.

Note:

This section includes the following topics:
■

About the Database Store for Policy, Password Management, and Sessions

■

About Database Deployment

■

Configuring a Separate Database for Access Manager Sessions

5.5.1 About the Database Store for Policy, Password Management, and Sessions
The following data is maintained in the policy store database by default:
■

■

■

Policy data, including authentication modules and schemes, Application Domains,
and policies.
Password Management data, which includes password policy type for each
configured User Identity store as well as the policy that governs password
requirements, expiry, notification,
Sessions, as a persistent backup to distributed in-memory storage
Note: The preferred mode for audit data storage in production
environments is writing audit records to a stand-alone RDBMS
database for audit data only. This is done using a separately
configured audit store. The policy store is not used for audit data.

See Also:

"Managing the Policy and Session Database" on page 5-29

5.5.2 About Database Deployment
Oracle requires a single database as the policy store in production environments. This
single database can also be used to store session data. Using the database as the
session store provides greater scalability and fault-tolerance (against a power event
taking all servers down).
You can have up to two databases: one policy database and
one session database. Access Manager is agnostic with respect to the
actual back end repository and does not manage this policy store
configuration directly.

Note:

The policy database must be installed according to vendor instructions. The policy
database is configured for use in a Oracle WebLogic Server domain using Oracle
Fusion Middleware Configuration Wizard and policy store Database configuration
template.

Managing Data Sources 5-29

Managing the Policy and Session Database

During initial deployment with the WebLogic Configuration Wizard, the following
database details are requested:
■

Database login ID and password

■

Database Service name and location

An Administrator must extend the database with the Access Manager-specific schema
using RCU, as described in Oracle Fusion Middleware Installation Guide for Oracle
Identity and Access Management. Basic schema creation occurs when the RCU is
invoked. The RCU prepares the database to accept Access Manager policy, password
management, and session data.
Using the WebLogic Configuration Wizard you can register and test the connection to
the database.
Actual Access Manager policy elements are created the first time the WebLogic
AdminServer is started with the Oracle Access Management Console deployed.
See Also: Oracle Fusion Middleware Installation Guide for Oracle
Identity and Access Management

5.5.3 Configuring a Separate Database for Access Manager Sessions
Access Manager includes a data source named oamDS which is configured against the
database instance extended with the Access Manager Schema. The following
pre-defined Java Naming and Directory Interface (JNDI) names are used by the OAM
Server to refer the data source.
jdbc/oamds (used by both the policy layer and session layer to access database)

You can use the following procedure to create a separate database instance for session
data using the WebLogic Administration Console. There is no support for this action in
the Oracle Access Management Console.
In this rare instance, Oracle recommends that you carefully
edit oam-config.xml as described in Step 2f.

Note:

1.

Install and configure the database for session data and then use RCU with the
Access Manager-specific schema to set up the database as a session data store.

2.

Create a new Data Source instance for session data:
a.

From the WebLogic Administration Console, Domain Structure panel, expand
the domain name, Services node.

b.

Expand JDBC, Data Source.

c.

Create a new Data Source with the JNDI name jdbc/oamsession.

d.

Save the changes.

e.

Stop the OAM Servers and the AdminServer to avoid potential loss of data
during the next step.

f.

In oam-config.xml, edit the value of the DataSourceName attribute to the one
configured in step 1. For example:
domain-home/config/fmwconfig/oam-config.xml

From:

5-30 Administrator's Guide for Oracle Access Management

Introduction to Oracle Access Management Keystores


jdbc:oracle:thin://amdb.example.
com:2001/AM
amuser
password
jdbc/oamds


To:

jdbc:oracle:thin://amdb.example.
com:2001/AM
amuser
password
jdbc/oamsession

3.

Restart AdminServer and OAM Servers.

5.6 Introduction to Oracle Access Management Keystores
This section provides the following topics:
■

About Access Manager Security Keys and the Embedded Java Keystore

■

About Access Manager Keystores

■

About Identity Federation Keystore

5.6.1 About Access Manager Security Keys and the Embedded Java Keystore
Keystores are created and configured during Access Manager installation. The
password and the key entries password were randomly generated.
The preferred keystore format is JKS (Java keystore). A Java keystore is associated with
Access Manager behind the scenes and is used to store cryptographic security keys
that are generated to encrypt agent traffic and session tokens:
■

■
■

Every OAM Agent and OSSO Agent has a secret key that other agents cannot
read.
There is a key to encrypt Oracle Coherence-based session traffic.
During agent and application registration, a key is generated for encrypting and
decrypting SSO Cookies (for Webgates and mod_osso).

Administrators use the Oracle-provided importcert tool for several different
procedures related to keystores, keys, and certificates, as described in Appendix C.
The WLST resetKeystorePassword method allows you to set the .oamkeystore
password and any key entries with a password identical to the .oamkeystore password
to a new value. See Oracle Fusion Middleware WebLogic Scripting Tool Command
Reference.
Table 5–5 identifies the generated Access Manager cryptographic keys.

Managing Data Sources 5-31

Introduction to Oracle Access Management Keystores

Table 5–5

Access Manager Keys and Storage

Keys and Storage
Access Manager
Cryptographic keys

Description
■

One global shared secret key used by all your 10g Webgates
■

Key storage

One per agent secret key shared between 11g Webgate and OAM Server

■

■

One OAM Server key
Agent side: A per-agent key is stored locally in the Oracle Secret Store in a wallet file. Client
keystore/scratch/clientTrustStore.jks and /scratch/clientKey.jks can be used.
OAM Server side: .oamkeystore contains a per-agent key, and server key, are stored in the
credential store on the server side.

Keystores are not accessible using the Oracle Access Management Console. You can
manage keystores and certificates as described in Appendix C, "Securing
Communication".
See Also:

"About Identity Federation Keystore" on page 5-34

"About Communication Between OAM Servers and WebGates" on
page 6-4

■

Oracle Fusion Middleware Administrator's Guide for details
about the SSL automation tool and managing ports for WebLogic
Server, Oracle HTTP Server, and Oracle Fusion Middleware

■

5.6.2 About Access Manager Keystores
Table 5–6 provides a summary of keystores used for Access Manager.
Table 5–6

Keystores for Access Manager and Security Token Service

Keystore

Description

System Keystore / Partner
Keystore

The container for keys and certificates associated with OAM
Server instances (OAM secret keys and Security Token Service
private keys for signing and encryption).

.oamkeystore

The container for keys and certificates that are used to
establish trust with partners, clients, and agents. The partner
keys and certificates are stored in.oamkeystore with sensitive
information encrypted.
Only one System Keystore of type JCEKS can be present:
.oamkeystore.
$DOMAIN_HOME/config/fmwconfig/.oamkeystore
The certificate alias and password can be configured using the
Oracle Access Management Console.
See Also:
■
■

Table 43–1, " Security Token Service Settings"
Chapter 44, "Managing Security Token Service Certificates
and Keys"

5-32 Administrator's Guide for Oracle Access Management

Introduction to Oracle Access Management Keystores

Table 5–6 (Cont.) Keystores for Access Manager and Security Token Service
Keystore

Description

Trust Keystore

The Trust Keystore is used to validate keys and certificates
presented by clients to establish trust in entities interacting
with OAM Server instances.

amtrustkeystore

$DOMAIN_HOME/config/fmwconfig/amtruststore
amtruststore is created during installation, and must include at
least one trusted anchor.
The Trust Keystore is managed by using the JRE's keytool
application. Security Token Service can use a custom trust
keystore.
See Also:
■

■

Certificate Revocation Lists
(CRL)
amcrl.jar

"Managing the Trust Anchors Store (amtruststore)" on
page 44-9
"Using a Custom Trust Anchor Store for Security Token
Service" on page 44-10

Certificate revocation information lists are stored in a ZIP
archive on the filesystem. These are used by OAM Servers
when performing CRL-based certificate revocation checking.
amcrl.jar contains CRL files in the DER format:
$DOMAIN_HOME/config/fmwconfig/amcrl.jar
The OAM Server defines a notification listener for the
Keystores and the CRL Zip file. Any changes to these files
causes Security Token Service to reload the keystore/crl-zip at
runtime, without requiring any restarts.
amcrl.jar is created by installation and can be modified using
the Oracle Access Management Console.
See Also:
■

■

Oracle WSM Agent Keystore
default-keystore.jks

"Managing Certificate Validation and Revocation" on
page 3-7
"Managing Certificate Revocation Lists" on page 44-10

The Oracle WSM Agent uses this keystore for various
cryptographic operations. For these operations, the Oracle
WSM Agent uses the keystore configured for Oracle WSM
tasks.
Oracle strongly recommends that the Oracle WSM Agent
keystore and the Access Manager and Security Token Service
keystore always be different. Otherwise, keys could be
available to any modules authorized by OPSS to access the
keystore and Access Manager/Security Token Service keys
might be accessed.
See Also:
"About the Oracle Web Services Manager Keystore
(default-keystore.jks)" on page 44-3

OPSS Keystore

For special cases where clients use referencing schemes such as
SKI (as opposed to a certificate token being received as part of
the web service request), the requester's certificates need to be
populated in the OPSS Keystore.
This is an uncommon scenario that requires manually
provisioning keys to the OPSS keystore.
See Also:
■

"About Agents and Security Token Service" on page 43-4

■

Oracle Fusion Middleware Application Security Guide.

Managing Data Sources 5-33

Integrating a Supported LDAP Directory with Oracle Access Manager

Table 5–6 (Cont.) Keystores for Access Manager and Security Token Service
Keystore

Description

.cohstore.jks

This is used to store the SSL Key and Certificate that is used to
encrypt SSL communication between Coherence nodes. For
information on securing Coherence communications, see the
Oracle Coherence Security Guide.

5.6.3 About Identity Federation Keystore
Identity Federation and Access Manager store key pairs and certificates that are used
for digital signatures and encryption operations. Identity Federation uses keys to:
■

Sign outgoing assertions

■

Decrypt incoming XML encrypted data contained inside the SAML message

The following keystore is used to store the encryption and signing certificates:
$DOMAIN_HOME/config/fmwconfig/.oamkeystore

Identity Federation uses CSF to securely store keystore passwords, as well as server
credentials such as HTTP Basic Authentication usernames and passwords.
See Also:
■

■

"About Communication Between OAM Servers and WebGates" on
page 6-4
"Defining Keystore Settings for Federation" on page 39-4

5.7 Integrating a Supported LDAP Directory with Oracle Access Manager
This section describes how to enable a centralized LDAP store for use with Oracle
Access Manager post-installation. Oracle Internet Directory is featured in this
discussion however the tasks are the same regardless of your chosen LDAP directory.
Oracle Access Manager addresses each user population and LDAP directory store as
an identity domain. Each identity domain maps to a configured LDAP User Identity
Store that is registered with Oracle Access Manager. Multiple LDAP stores can be used
with each one relying on a different supported LDAP provider.
During initial WebLogic Server domain configuration, the Embedded LDAP is
configured as the one and only User Identity Store for Oracle Access Manager. Within
the Embedded LDAP, the Administrators group is created, with weblogic seeded as
the default Administrator:
■

■

■

Only the User Identity Store designated as the System Store is used to authenticate
Administrators signing in to use the Oracle Access Management Console, remote
registration, and custom administrative commands in WLST.
Users attempting to access an OAM-protected resource can be authenticated
against any store, not necessarily the only one designated as the Default User
Identity Store.
Security Token Service uses only the Default User Identity Store. When adding
User constraints to a Token Issuance Policy, for instance, the identity store from
which the users are to be chosen must be Default User Identity Store.

After registering a User Identity Store with Access Manager, administrators can
reference the store in one or more authentication modules, which form the basis for
Oracle Access Manager Authentication Schemes and Policies. When you register a

5-34 Administrator's Guide for Oracle Access Management

Integrating a Supported LDAP Directory with Oracle Access Manager

partner (either using the Oracle Access Management Console or the remote
registration tool), an application domain can be created and seeded with a policy that
uses the designated default Authentication Scheme. When a user attempts to access an
Oracle Access Manager-protected resource, she is authenticated against the store
designated by the authentication module. For more information, see Oracle Fusion
Middleware Integration Guide for Oracle Identity Management Suite.

Managing Data Sources 5-35

Integrating a Supported LDAP Directory with Oracle Access Manager

5-36 Administrator's Guide for Oracle Access Management

6
Managing Server Registration
6

Managed server instances must be registered in order to interact with Oracle Access
Management. (In this book, these managed servers are referred to as OAM Servers.)
Accomplish this registration task using the Oracle Access Management Console.

[7]

This chapter contains the following sections:
■

Before You Register

■

Understanding OAM Server Registration and Management

■

Managing Individual OAM Server Registrations

6.1 Before You Register
Ensure that the following environmental considerations are met:
■

■

A new Managed Server has been added to the domain using either the Oracle
WebLogic Server Administration Console or WLST commands.
The Oracle JRF Template was applied to the Managed Server (or cluster) if needed.
For details, see Oracle Fusion Middleware Administrator's Guide.

Oracle recommends that you review "Understanding OAM Server Registration and
Management".

6.2 Understanding OAM Server Registration and Management
The Oracle Access Management Console is a Java EE application that must be installed
and run on the same computer as the WebLogic Administration Server. Other key
applications that run on the WebLogic Administration Server include the WebLogic
Server Administration Console and Enterprise Manager for Fusion Middleware
Control.
The Oracle Access Management Console might be referred to
as the OAM Administration Server. However, this is not a peer of the
OAM Server deployed on a WebLogic Managed Server.

Note:

The Oracle Access Management runtime instance deployed on Oracle WebLogic
Managed Servers is referred to as an OAM Server. Each OAM Server must be
registered with Access Manager to enable communication with registered agents
during authentication, authorization, and resource access.

Managing Server Registration 6-1

Understanding OAM Server Registration and Management

Administrators can extend the WebLogic Server domain and add more OAM Server
instances whenever needed, using either:
■

■
■

The WebLogic Server Administration Console, after which you manually register
the OAM Server instance using the Oracle Access Management Console
The WebLogic Configuration Wizard
Customized Oracle WebLogic Scripting Tool (WLST) commands as described in
Oracle Fusion Middleware WebLogic Scripting Tool Command Reference

The last two methods automatically register the OAM Server instance, which appears
in the Oracle Access Management Console; no additional steps are required.
See Also: Oracle Fusion Middleware Installation Guide for Oracle
Identity and Access Management.

This section introduces OAM Server instance registration and management using the
Oracle Access Management Console:
■

About Individual OAM Server Registrations

■

About the Embedded Proxy Server and Backward Compatibility

■

About 11g SSO, Legacy 10g SSO in Combination with OSSO 10g

■

About Communication Between OAM Servers and WebGates
See Also: Table 1–3 for a comparison of Access Manager 11g versus
Oracle Access Manager 10g.

6.2.1 About Individual OAM Server Registrations
Administrators can add one or more Managed Servers to the WebLogic Server domain
for Oracle Access Management.
When using the WebLogic Configuration Wizard, the OAM Server is automatically
registered. However, if the configuration wizard was not used, the OAM Server must
be registered manually to open a communication channel.
Alternatively. You can use custom WLST commands for OAM to display, edit, or
delete a server registration Any changes are automatically propagated to the Oracle
Access Management Console and to every OAM Server in the cluster.
See Also: Oracle Fusion Middleware WebLogic Scripting Tool
Command Reference

Only OAM Servers are registered with Oracle Access Management. The Oracle Access
Management Console (on the WebLogic Administration Server) is not registered with
itself.
Regardless of the method used to register an OAM Server, details for each instance are
located on the System Configuration tab, Common Configuration section in the Oracle
Access Management Console, including:
■
■

Server name, Host, Port
Proxy: Performs as the legacy Access Server and defines the communication
security mode. For more information, see:
–

About the Embedded Proxy Server and Backward Compatibility

–

About 11g SSO, Legacy 10g SSO in Combination with OSSO 10g

6-2 Administrator's Guide for Oracle Access Management

Understanding OAM Server Registration and Management

–
■

About Communication Between OAM Servers and WebGates

Oracle Coherence: Provides a distributed cache for various OAM services,
including session data.

Administrators can search for a specific instance registration, register a newly installed
OAM Server, view, modify, or delete server registrations using the Oracle Access
Management Console. For more information, see "About the OAM Server Registration
Page" on page 6-5.

6.2.2 About the Embedded Proxy Server and Backward Compatibility
Oracle Access Management server-side components include Proxy servers to maintain
backward compatibility with Oracle Access Manager 10g policy-enforcement agents
(10g Webgates and Access Clients) and OracleAS SSO 10g mod_osso (known as OSSO
Agents in 11g), as well as OpenSSO Agents.
Legacy 10g SSO: The OAM Proxy can accept requests from multiple Access clients
concurrently and enables all Webgates and AccessGates (known as Access Clients in
11g) to interact with Access Manager. For more information, see "OAM Proxy Settings"
on page 6-6.
Legacy OracleAS 10g (OSSO): The integrated OSSO proxy handles token generation
and validation in response to token requests during authentication using OSSO Agents
with Access Manager. The OSSO proxy needs no configuration. Simply register the
OSSO agent as described in Chapter 14 and Chapter 15.
See Also: "About 11g SSO, Legacy 10g SSO in Combination with
OSSO 10g"

6.2.3 About 11g SSO, Legacy 10g SSO in Combination with OSSO 10g
You can upgrade OracleAS SSO to use Access Manager SSO when you have a legacy
deployment where Oracle Access Manager 10g is integrated and used in combination
with OracleAS (OSSO) 10g.
After upgrading OSSO to use Access Manager 11g, you can have 10g Webgates
operating with Access Manager 11g SSO the same deployment. In this situation, the
OAM Proxy forwards requests to either the 10g Access Server or to Access Manager
11g as needed.
The Oracle Access Manager 10g ObSSOCookie is an encrypted session-based single
sign-on cookie that is generated when a user authenticates successfully. The 10g
ObSSOCookie stores user identity information, which you can cache if needed.
The integrated OAM Proxy supports the AES encryption algorithm of the 10g
ObSSOCookie to enable backward compatibility with release 10g Webgates. The 10g
Access Server can decrypt the cookie created by the OAM Proxy (and vice versa). This
allows Access Manager 11g to perform authentication and Oracle Access Manager 10g
to perform authorization (and vice versa).
An Access Manager 11g ObSSOCookie created by OAM Proxy
is compatible with the 10g ObSSOCookie created by Access Server.

Note:

For more information, see "OAM Proxy Settings" on page 6-6.

Managing Server Registration 6-3

Understanding OAM Server Registration and Management

6.2.4 About Communication Between OAM Servers and WebGates
Communication modes for the OAP channel include:
■

■

■

Open: Use this unencrypted mode if communication security is not an issue in
your deployment.
Simple: Use this Oracle-signed certificate mode if you have some security
concerns, such as not wanting to transmit passwords as plain text, but you do not
manage your own Certificate Authority (CA).
Cert: Use if you want different certificates on OAM Servers and WebGates and
you have access to a trusted third-party CA.

On each individual OAM Server registration, the security mode is defined on the
Proxy tab, as described in "About the OAM Server Registration Page" on page 6-5.
Simple and Cert modes also require:
■

■

Security passwords that are common to all OAM Servers and WebGates, as
described in "Managing the Access Protocol for OAM Proxy Simple and Cert
Mode Security" on page 13-6.
Appropriately signed X.509 digital certificates, as described in Appendix C,
"Securing Communication".

At least one OAM Server instance must be running in the same mode as the agent
during agent registration. Otherwise, agent registration fails. After agent registration,
however, you can change the communication mode of the OAM Server.
Communication between the agent and server would continue to work as long as the
Webgate mode is at least at the same level as the OAM Server mode or higher. The
agent mode can be higher but cannot be lower. For example, of OAM Server mode is
Open, agents can communicate in any of the three modes. If OAM Server mode is
Simple, agents can use Simple or Cert mode. If OAM Server mode is Cert, agents must
use Cert mode.
See Also:

Appendix C, "Securing Communication"

6.2.5 About Restarting Servers After Configuration Changes
Most Oracle Access Management functional services take up changes made through
the Oracle Access Management Console without restarting OAM Server. Table 6–1
identifies conditions that do require a server restart.
Table 6–1

Conditions Requiring Server Restart

Event

Description

Session persistence change

A change from database to in-memory (or vice versa) session
persistence requires an OAM Server restart.

Oracle Coherence port
number

A change to the port number requires an OAM Server restart.

Load balancer server
definition

A change requires an OAM Server restart.

Managed Server port number

A change requires an OAM Server restart.

New Managed Server

Adding a new managed server to the cluster requires
restarting the AdminServer to policy enable uptake.
OAM Servers must be restarted to reinitialize Oracle
Coherence security configuration with the new server
included.

6-4 Administrator's Guide for Oracle Access Management

Managing Individual OAM Server Registrations

6.3 Managing Individual OAM Server Registrations
This section describes how to register and manage OAM Server instances using the
Oracle Access Management Console. Topics here include:
■

About the OAM Server Registration Page

■

Registering a Fresh OAM Server Instance

■

Viewing or Editing Individual OAM Server Registrations and Proxy Settings

■

Deleting an Individual Server Registration

6.3.1 About the OAM Server Registration Page
Users with valid Administrator credentials can register a freshly installed Managed
Server (OAM Server instance) or modify an existing OAM Server registration using
the Oracle Access Management Console.
Alternatively: You can use custom WLST commands to register and manage OAM
Server instances. Changes are reflected in the Oracle Access Management Console and
are automatically propagated to every OAM Server in the cluster.
See Also: Oracle Fusion Middleware WebLogic Scripting Tool
Command Reference

Figure 6–1 illustrates a typical OAM Server registration page when viewed within the
Oracle Access Management Console. To access the OAM Server registration page
using the Oracle Access Management Console, click Configuration in the top right of
the console and then click the Server Instances link on the Configuration page. From
the resulting Server Instances search page, click Create in the Search Results table to
display the Create: OAM Server page. See Section 6.3.2, "Registering a Fresh OAM
Server Instance" for details on how to configure this page.
Figure 6–1 OAM Server Registration Page with Proxy Tab Displayed

Individual server registration settings are described in Table 6–2.

Managing Server Registration 6-5

Managing Individual OAM Server Registrations

Table 6–2

OAM Server Instance Settings

Element

Definition

Server name

The identifying name for this server instance, which was defined during initial
deployment in the WebLogic Server domain.

Host

The full DNS name (or IP address) of the computer hosting the server instance. For
example: host2.domain.com.

Port

The port on which this server communicates (listens and responds).
Default: 5575
Note: If both the SSL and Open ports of the Managed Server are enabled, then the
Managed Server is set to the SSL port by default. If you must use the non-SSL port,
the credential collector URL of the authentication scheme must be set to the absolute
URL which points to http as the protocol and non-SSL port.
See Also: Appendix C, "Securing Communication"

Proxy

See "OAM Proxy Settings" on page 6-6

Coherence

See "Coherence Settings for Individual Servers" on page 6-7

See Also: "Managing Individual OAM Server Registrations" on
page 6-5

6.3.1.1 OAM Proxy Settings
An integrated proxy server (OAM Proxy) is installed with each Managed Server for
OAM Server. The OAM Proxy is used as a legacy Access Server to provide backward
compatibility for 10g Agents that are registered with Access Manager 11g. The Agent
can be freshly installed or currently operating within an Oracle Access Manager 10g
SSO deployment.
Each OAM Proxy instance requires a different port. The proxy starts listening when
the application starts. Registered access clients can immediately communicate with the
proxy.
The OAM Proxy handles both configuration and run-time events. Each OAM Proxy
can accept requests from multiple access clients concurrently. Each OAM Proxy
enables access clients to interact with Access Manager 11g. This includes:
■

10g (10.1.4.3) WebGates

■

10g (10.1.4.2.0) WebGates

■

10g (10.1.4.0.1) WebGates

■

11g WebGates (needs no proxy)
For Access Clients, Access Manager 11g provides
authentication and authorization functionality only. Policy
modification through Access Clients is not supported.

Note:

OAM Proxy settings are documented in Table 6–3.
Table 6–3

OAM Proxy Settings for an Individual OAM Server

OAM Proxy Setting
Port

Value
The unique port on which this OAM Proxy instance is listening.
On a default installation, the port is 5575.

6-6 Administrator's Guide for Oracle Access Management

Managing Individual OAM Server Registrations

Table 6–3 (Cont.) OAM Proxy Settings for an Individual OAM Server
OAM Proxy Setting

Value

Proxy Server ID

The identifier of the computer on which the OAM Proxy (and this OAM Server
instance) resides. DNS hostname is preferred; however, you can use any valid
and relevant string.
On a default installation, the Proxy Server ID is AccessServerConfigProxy.

Mode

OAM channel transport security for the OAM Proxy can be one of the following
(the agent mode must match during registration and can be higher after
registration):
■
■

Open: No encryption.
Simple: The data passed between the OAM Agent and OAM Server is
encrypted using OAM self-signed certificates.
Before specifying Simple mode, you must specify the global passphrase.

■

Cert: The data between the OAM Agent and OAM Server is encrypted
using Certificate Authority (CA) signed X.509 certificates.
Note: Before specifying Cert mode, you must acquire signed certificates
from a trusted third party Certificate Authority.

On a default installation, the Mode is Open.
Note: Simple and Cert transport security modes are governed by information
defined on the OAM Server Common Properties OAM Proxy tab, as described in
"Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security"
on page 13-6.
See Also: Appendix C if you are configuring Simple or Cert transport security
modes.

OAM Proxy Logging: Oracle Access Management services use the same logging
infrastructure as any other Oracle Fusion Middleware 11g component, as described in
Chapter 8. However, OAM Proxy uses Apache log4j for logging.

6.3.1.2 Coherence Settings for Individual Servers
Coherence provides replicated and distributed (partitioned) data management and
caching services on top of a reliable, highly scalable peer-to-peer clustering protocol.
Coherence has no single points of failure; it automatically and transparently fails over
and redistributes its clustered data management services when a server becomes
inoperative or is disconnected from the network.
When a new server is added, or when a failed server is restarted, it automatically joins
the cluster and Coherence fails back services to it, transparently redistributing the
cluster load. Coherence includes network-level fault tolerance features and transparent
soft re-start capability to enable servers to self-heal.
Coherence modules consist of the values, and types for the individual server instance,
as shown in Figure 6–1.
WARNING: Oracle recommends that you do not modify Oracle
Coherence settings for an individual server unless you are
requested to do so by an Oracle Support Representative.

Table 6–4

Default Coherence Settings for Individual OAM Servers

Coherence
Module

Type of Entry

Description and Default Values

LogLevel

String

The Coherence log level (from 0 to 9) for OAM Server events.

LogPort

int (integer)

The listening port for Coherence logging on the WebLogic Server.

Managing Server Registration 6-7

Managing Individual OAM Server Registrations

Table 6–4 (Cont.) Default Coherence Settings for Individual OAM Servers
Coherence
Module

Type of Entry

Description and Default Values

LogLimit

String

The Coherence log limit

Coherence Logging: Appears only in the WebLogic Server log. There is no bridge from
Oracle Coherence logging to Oracle Access Management logging. For Oracle Fusion
Middleware 11g logging infrastructure details, see Chapter 7.

6.3.2 Registering a Fresh OAM Server Instance
Users with valid Administrator credentials can perform the following task to register a
new Managed Server (OAM Server) instance using the Oracle Access Management
Console.
Note: Each OAM Server must be registered to communicate with
agents.

Before you begin, the new Managed Server instance must be configured in the Oracle
WebLogic Server domain, but not yet started.
1.

Install the new Managed Server instance and configure it in the Oracle WebLogic
Server domain, but do not start this instance.

2.

Log in to the Oracle Access Management Console and click Configuration in the
top bar.

3.

In the Configuration console, click Server Instances.

4.

In the tab that appears, click Create OAM Server.
The OAM Server registration page illustrated in Figure 6–1 is displayed.

5.

6.

On the Create: OAM Server page, enter details for your instance, as described in
Table 6–2:
■

Server name

■

Host

■

Port

Proxy: Enter or select details for this OAM Proxy instance, as described in
Table 6–3:
■

Port

■

Proxy Server ID

■

Mode (Open, Simple, or Cert)
See Also:

7.

Appendix C if you are using Simple or Cert mode

Coherence: Oracle recommends that you do not modify Oracle Coherence settings
for an individual server instance unless you are requested to do so by an Oracle
Support Representative.
See Also:

"Using Coherence" on page E-29

6-8 Administrator's Guide for Oracle Access Management

Managing Individual OAM Server Registrations

8.

Click Apply to submit the configuration, which should appear in the navigation
tree (or close the page without applying changes).

9.

Start the newly registered server.
See Also:
■

■

Oracle Fusion Middleware Installation Guide for Oracle Identity
and Access Management
"About the OAM Server Registration Page" on page 6-5

6.3.3 Viewing or Editing Individual OAM Server Registrations and Proxy Settings
Users with valid Administrator credentials can perform the following task to view or
modify settings for an individual server instance using the Oracle Access Management
Console. (For instance, you might need to change the listening port or the Proxy
communication transport security mode.) Changes made are immediately visible in
the Oracle Access Management Console and propagated to all OAM Servers in the
cluster.
See Also:
■
■

■

"About the OAM Server Registration Page" on page 6-5
Oracle Fusion Middleware WebLogic Scripting Tool Command
Reference
Moving Identity Management to a New Production Environment
in the Oracle Fusion Middleware Administrator's Guide

1.

At the top of the Oracle Access Management Console, click Configuration.

2.

In the Configuration console, click Server Instances.

3.

In the page that appears, click Search, then double-click the target instance to
display its configuration, and then proceed as follows:
■

View Only: Close the page when you finish viewing details.

■

Modify: Perform remaining steps to edit the configuration.

4.

On the OAM Server page, change details for your instance, as described in
Table 6–2.

5.

Proxy: Change details for this OAM Proxy instance, as described in Table 6–3.
See Also:

6.

Coherence: Oracle recommends that you do not modify Oracle Coherence settings
for an individual server instance unless you are requested to do so by an Oracle
Support Representative.
See Also:

7.

Appendix C if you are using Simple or Cert mode

"Using Coherence" on page E-29

Click Apply to submit the changes (or close the page without applying change).

6.3.4 Deleting an Individual Server Registration
Users with valid Administrator credentials can perform the following task to delete an
OAM server registration, effectively disabling it.

Managing Server Registration 6-9

Managing Individual OAM Server Registrations

1.

At the top of the Oracle Access Management console, click Configuration.

2.

In the Configuration console, click Server Instances.

3.

In the tab that appears, double-click the target instance to confirm its details, then
close the tab.

4.

In the list of instances, select the target instance, click Delete in the tool bar, and
confirm removal in the dialog that appears.

5.

Confirm that the instance has been removed from the instance list.

6.

Remove the deleted instance from the WebLogic Server Administration Console.
The Node Manager on Managed Server host handles the rest automatically.

6-10 Administrator's Guide for Oracle Access Management

Part III
Part III

Logging, Auditing, Reporting and Monitoring
Performance
Part III provides information to help you perform logging, auditing, and performance
monitoring for Oracle Access Management services. It contains the following chapters:
■

Chapter 7, "Logging Component Event Messages"

■

Chapter 8, "Auditing Administrative and Run-time Events"

■

Chapter 9, "Logging WebGate Event Messages"

■

Chapter 10, "Reporting"

■

Chapter 11, "Monitoring Performance and Health"

■

Chapter 12, "Monitoring Performance and Logs with Fusion Middleware Control"

7
Logging Component Event Messages
7

Logging is the mechanism by which components and services write messages to a log
file in order to capture critical component events, processes, and state information.
Administrators can configure logging to provide information at various levels of
granularity using the same logging infrastructure and guidelines as any other
component in Oracle Fusion Middleware 11g: java.util.logging (standard and
available in all Java environments).
[8]

Configuring logging and locating log files are the focus of this chapter which contains
the following sections.
■

About Oracle Access Management Logging

■

Logging Component Event Messages

■

Configuring Logging for Access Manager

■

Configuring Logging for Security Token Service and Identity Federation

■

About Mobile and Social Logging

■

Understanding Logging for the Access Portal Service

■

Validating Run-time Event Logging Configuration

7.1 About Oracle Access Management Logging
The logging system writes output to flat files only. Logging to an Oracle Database
instance is not supported. Unless explicitly stated, information in this chapter is the
same whether using any of the services in Oracle Access Management. Additionally:
■

■

■

You can use a custom Oracle WebLogic Scripting Tool (WLST) command to change
logging levels.
Diagnosing problems using the information in log files is outside the scope of this
chapter.
Before you can perform tasks in this chapter ensure that the Oracle Access
Management Console and a managed OAM Server are running.

Oracle also recommends that you review Chapter 6, "Managing Server Registration."

7.2 Logging Component Event Messages
The logging infrastructure records messages that can be used for problem diagnosis.
Security Token Service is a J2EE Web application, part of the Access Manager J2EE
Application. Both use OJDL for logging purposes. Security Token Service captures the
interactions between itself and Partners with timestamps.
Logging Component Event Messages

7-1

Logging Component Event Messages

The Administrator controls the amount of information that is logged in a message by
specifying log levels for each component for which a logger is defined.
Generally, you enable logging to produce files that you send to
Oracle Technical Support for problem diagnosis. Documentation for
log messages is not available. In some cases, you might be able to
diagnose problems on your own by reading log files.

Note:

Oracle Access Management makes use of the files in Table 7–1.
Table 7–1

Logging Files

File Type

Description

Logging Configuration
File

Provides logging level and other configuration information for logging. This file
is stored in the following path:
$DOMAIN_HOME/config/fmwconfig/servers/SERVER-NAME/logging.xml
Note: By default, Security Token Service and Identity Federation messages are
logged in the OAM Server's log file. However, for convenience, you can edit
logging.xml to direct Security Token Service or Identity Federation information
to a separate log file, as described in "Configuring Logging for Security Token
Service and Identity Federation" on page 7-8.
Logged information is stored in the following location:

Log File

$DOMAIN_HOME/servers/SERVER-NAME/logs/
SERVER-NAME-diagnostics.log

Oracle Access Management uses the WebLogic container's logging defaults in
Table 7–2.
Table 7–2

Logging Defaults
Description

Events

The following events are logged automatically:
■
■

Levels

OAM Server events (managed run-time servers)
Administrative events (generated for configuration changes made
using the console)

By default, the log level for all Oracle Access Management components
is the Notification level. Logging at the Error level produces a small
amount of output while other log levels can result in voluminous
logging output, which can impact performance. In production
environments, logging is usually either disabled or the log level is set
to a level that results in a small volume of logging output (the error
level, for example).

For more information, see:
■

About Component Loggers

■

Sample Logger and Log Handler Definition

■

About Logging Levels
See Also:
■

■

Chapter 12 for details about how you can configure and view logs
using Fusion Middleware Control
Logging information in the Oracle Fusion Middleware
Application Security Guide

7-2 Administrator's Guide for Oracle Access Management

Logging Component Event Messages

7.2.1 About Component Loggers
This section introduces component loggers for Security Token Service and Access
Manager. There are differences.
Security Token Service has only a single logger: oracle.security.fed. For more
information, see "Configuring Logging for Security Token Service and Identity
Federation" on page 7-8.
Each Access Manager component is associated with its own logger name, as listed in
the following tables:
■
■

■

Table 7–3

Table 7–3, " Oracle Access Management Server-Side Component Loggers"
Table 7–4, " Oracle Access Management Shared-Service Engine Component
Loggers"
Table 7–5, " Oracle Access Management Foundation API Component Loggers"

Oracle Access Management Server-Side Component Loggers

Component Name

OAM Logger Name

Description

Protocol Binding

oracle.oam.binding

Responsible for marshalling/unmarshalling wire
protocol request and response to a Java Object
representation.

SSO Controller

oracle.oam.controller.sso

Responsible for managing the user session
lifecycle and orchestrating the SSO and logout
flows.

OAM Proxy

oracle.oam.proxy.oam

Responsible for interacting with OAM Webgates
by marshalling/unmarshalling OAP protocol
requests and responses and performing the
data/message transformation necessary to help
the OAM Server process OAP
requests/responses.

OSSO Proxy

oracle.oam.proxy.osso

Responsible for interacting with OSSO Agents by
marshalling/unmarshalling requests and
responses and doing the data/message
transformation necessary to help the OAM Server
process mod_osso requests/responses.

OpenSSO Proxy

oracle.oam.proxy.opensso

Responsible for interacting with OpenSSO Web
and Java Agents by marshalling/unmarshalling
requests and responses and performing the
data/message transformation necessary to help
the OAM Server process OpenSSO agent
requests/responses.

Credential Collector

oracle.oam.credcollector

Responsible for interacting with the user to
acquire the necessary information required by the
Authentication Scheme.

Remote Registration of Partners

oracle.oam.engine.remotereg

Responsible for registering partners with the
OAM Server and managing associated protected
policies.

Oracle Access Management Console

oracle.oam.admin.console

Console that supports administration and
monitoring of the Access Management
deployment.

Admin-Service Config

oracle.oam.admin.service.config

Module used by the UI Console to manage the
configuration.

Diagnostics and Monitoring

oracle.oam.diag

Provides instrumentation used by the OAM
Server components to enable Diagnostic and
Monitoring.

Logging Component Event Messages

7-3

Logging Component Event Messages

Table 7–4

Oracle Access Management Shared-Service Engine Component Loggers

Component Name

OAM Logger Name

Description

Authentication Engine

oracle.oam.engine.authn

Supports establishing the identity of the user by
validating the credentials and other data as
required by the specified Authentication scheme.

Policy Service Engine

oracle.oam.engine.policy

Supports management of Authentication,
Authorization and Token Issuance Policies. In
addition, it also provide a policy decision service
to support runtime processing.

Session Management Engine

oracle.oam.engine.session

Supports managing user session and token
context information with support for
user/administrator-initiated and time-out based
events.

Token Engine

oracle.oam.engine.token

Supports managing the entire token life cycle
from generation to cancellation.

SSO Engine

oracle.oam.engine.sso

Supports the single sign-on experience by
managing the lifecycle of the user login
session(s).

PartnerTrustMetadata Engine

oracle.oam.engine.ptmetadata

Supports management of partner metadata and
trust information.

Authorization Engine

oracle.oam.engine.authz

Wrapper that provides methods that map
directly to OAP runtime request operations.

Table 7–5

Oracle Access Management Foundation API Component Loggers

Component Name

OAM Logger Name

Description

Session Access

oracle.oam.session.access

** Not useful unless your are decompiling code.

Session Access Implementation

oracle.oam.session.accessimpl

** Not useful unless your are decompiling code.

Policy Access

oracle.oam.policy.access

** Not useful unless your are decompiling code.

7.2.2 Sample Logger and Log Handler Definition
This topic provides a sample for Access Manager only.
Security Token Service has only one logger and log handler, as
described in "Configuring Logging for Security Token Service and
Identity Federation" on page 7-8.

Note:

Example 7–1 illustrates the configuration of an Access Manager logger and a log
handler in the file logging.xml.
Example 7–1 Configuring Access Manager Loggers and Log Handlers











7-4 Administrator's Guide for Oracle Access Management

Configuring Logging for Access Manager


...




See Also: For more information about Java EE application logging,
see Appendix I, section I.1.1, in Oracle Fusion Middleware
Application Security Guide.

7.2.3 About Logging Levels
This topic applies to Oracle Access Management.
The amount of data output by a logger is controlled by its level; the higher the level,
the more information is logged. The level of a logger is specified with the element
 in the file logging.xml with the following format:


where loggerName is a logger name (see "About Component Loggers"), and notifLevel is
either an ODL message level or a Java message level.
Table 7–6 shows the correspondence between ODL message levels and Java message
levels, in increasing order:
Table 7–6

Mapping of ODL to Java Levels

ODL Message Level

Java Message Level

INCIDENT_ERROR:1

SEVERE.intValue()+100

ERROR:1

SEVERE (logs exceptions)

WARNING:1

WARNING (logs exceptions)

NOTIFICATION:1

INFO (default)

NOTIFICATION:16

CONFIG

NOTIFICATION:32

INFO and CONFIG

TRACE:1

FINE (occasionally recommended in production environments)

TRACE:16

FINER (not recommended in production environments)

TRACE:32

FINEST (not recommended in production environments)

Any other Java level value not listed above (that is, one outside the interval
[SEVERE.intValue()+100 - FINEST] is mapped to the ODL level UNKNOWN.
If you define a filter to log messages at the finest level for the
oracle.security.fed package and sub-package (classes for Security
Token Service), after restarting the server you would see logs for the
OAM Server. For more information, see "Configuring Logging for
Security Token Service and Identity Federation" on page 7-8.

Note:

7.3 Configuring Logging for Access Manager
This section describes tasks for only Access Manager.

Logging Component Event Messages

7-5

Configuring Logging for Access Manager

See Also: "Configuring Logging for Security Token Service and
Identity Federation"

There is no graphical user interface available to change logger levels; only WLST
commands can be used. This section provides the following topics:
■

Modifying the Logger Level for Access Manager

■

Adding an Access Manager-Specific Logger and Log Handler

7.3.1 Modifying the Logger Level for Access Manager
Administrators can use custom WLST commands for Access Manager to change
logger settings as described in the following procedure. Your deployment and choices
will be different.
Note:

Use the WLST command help("fmw diagnostics").

See Also: Oracle Fusion Middleware WebLogic Scripting Tool
Command Reference

Follow this procedure to modify the OAM logger level.
1.

Confirm that the OAM Server is running.

2.

Acquire the custom WLST script for Access Manager. For example:
$ORACLE_HOME/common/bin/wlst.sh

3.

Connect to the WebLogic Server and log in as the WebLogic Administrator. For
example:
connect([username, password])

4.

List available loggers for the OAM Server. For example:
wls:/base_domain/serverConfig> listLoggers(pattern="oracle.oam.*",
target="oam_server1")
wls:/WLS_IDM/serverConfig> listLoggers(pattern="oracle.oam.*",
target="oam_policy_mgr1")

Here pattern= represents the oam.controller component and target= represents the
desired OAM Server as it was specified during registration.
5.

View the list of Access Manager loggers associated with this OAM Server. For
example:
Logger
| Level
--------------------------------------------+----------------oracle.oam
| 
oracle.oam.admin.foundation.configuration
| 
oracle.oam.agent-default
| 
oracle.oam.audit
| 
oracle.oam.binding
| 
oracle.oam.commonutil
| 
oracle.oam.config
| 
oracle.oam.controller
| 
oracle.oam.default
| 

7-6 Administrator's Guide for Oracle Access Management

Configuring Logging for Access Manager

oracle.oam.diagnostic
oracle.oam.engine.authn
oracle.oam.engine.authz
oracle.oam.engine.policy
oracle.oam.foundation.access
oracle.oam.idm
oracle.oam.idm
oracle.oam.idm
oracle.oam.user.identity.provider
6.

|
|
|
|
|
|
|
|
|











Modify the log level based on your requirements. For example, this sequence
changes the log level of the oam.controller to TRACE:32 with no persistence:
wls:/base_domain/serverConfig> domainRuntime()
wls:/base_domain/domainRuntime> setLogLevel(logger="oracle.oam.controller",
level="TRACE:32", persist="0", target="oam_server1")
wls:/WLS_IDM/domainRuntime> setLogLevel(logger="oracle.oam", level="TRACE:32",
persist="0", target="oam_policy_mgr1")

7.

Repeat step 4 to list the loggers again and verify the log level change. For example:
wls:/base_domain/serverConfig> listLoggers(pattern="oracle.oam.*",target="oam_
server1")
Logger
| Level
--------------------------------------------+----------------oracle.oam
| 
oracle.oam.admin.foundation.configuration
| 
oracle.oam.agent-default
| 
oracle.oam.audit
| 
oracle.oam.binding
| 
oracle.oam.commonutil
| 
oracle.oam.config
| 
oracle.oam.controller
| TRACE:32
oracle.oam.default
| 
oracle.oam.diagnostic
| 
oracle.oam.engine.authn
| 
oracle.oam.engine.authz
| 
oracle.oam.engine.policy
| 
oracle.oam.foundation.access
| 
oracle.oam.idm
| 
oracle.oam.idm
| 
oracle.oam.idm
| 
oracle.oam.user.identity.provider
| 

8.

Verify the generated log file to confirm the controller is logged at the TRACE:32
level:
$DOMAIN_HOME/server/SERVER_INSTNCE_NAME/logs/

9.

Proceed to "Validating Run-time Event Logging Configuration" on page 7-11.

7.3.2 Adding an Access Manager-Specific Logger and Log Handler
Administrators can use the following procedure to specify a log file path and
necessary attributes.
In the following procedure, you will identify the target OAM Server, rotation and
retention periods, a path to the log file, the handler, and logger. Your deployment and
choices will be different.
Logging Component Event Messages

7-7

Configuring Logging for Security Token Service and Identity Federation

Note: Use the WLST command help("fmw diagnostics") to get
more information.

Skip steps 1 through 3 if the following items are true:
■

The OAM Server is running

■

You have the WLST script

■

You have connected to the server and logged in
See Also: Oracle Fusion Middleware WebLogic Scripting Tool
Command Reference

Follow this procedure to specify the OAM logger. level and log handler.
1.

Confirm that the OAM Server is running.

2.

Acquire the WLST script. For example:
$ORACLE_HOME/common/bin/wlst.sh

3.

Connect to the WebLogic Server and log in as the WebLogic Administrator. For
example:
sh wlst.sh wls:/offline> connect

4.

Add an Access Manager logger and level for the OAM Server. For example:
wls:/base_domain/serverConfig> domainRuntime()
wls:/base_domain/domainRuntime> setLogLevel(logger="oracle.oam",
level="WARNING", persist="0", target="oam_server1")

5.

Add a custom log handler and associate it with the Access Manager logger. For
example:
wls:/base_domain/domainRuntime> configureLogHandler(name="oam-log-handler",
target="oam_server1", rotationFrequency="daily", retentionPeriod="week",
path="${domain.home}/oamlogs" , maxFileSize ="10485760", maxLogSize =
"104857600", addHandler="true", handlerType="oracle.core.ojdl.logging
.ODLHandlerFactory", addToLogger="oracle.oam")
wls:/base_domain/domainRuntime>configureLogHandler(name="oam-log-handler",
addProperty="true", propertyName="supplementalAttributes", propertyValue=
"OAM.USER, OAM.COMPONENT", target="oam_server1")

6.

Verify all the logs in the $DOMAIN_HOME/oamlogs directory:
$DOMAIN_HOME/oamlogs/

7.4 Configuring Logging for Security Token Service and Identity
Federation
By default Security Token Service and Identity Federation messages are logged into
the OAM Server's log files. You can view and configure these logs in Fusion
Middleware Control. However, you can also edit logging.xml and direct Security
Token Service and Identity Federation information to a separate log file, as described
in this section. The files involved in this procedure are:

7-8 Administrator's Guide for Oracle Access Management

Configuring Logging for Security Token Service and Identity Federation

■

■

Logging Configuration File: Provides logger names and other configuration
information for logging. This file is stored in: $DOMAIN_
HOME/config/fmwconfig/servers/SERVER-NAME/logging.xml.
Log File: $DOMAIN_HOME/ostslogs/SERVER-NAME-diagnostics.log, for
example.

Security Token Service and Identity Federation do not categorize log handlers as
Access Manager does. Instead, there is only one logger that affects the log levels for
Security Token Service and Identity Federation. Table 7–7 provides details for this
logger, which are required in the WLST command.
Table 7–7

Oracle Security Token Service and Identity Federation Loggers

Component Name

Logger Name

Log Handler Name

Log Class

Security Token Service or
Identity Federation

oracle.security.fed

stsfed-handler

class=oracle.core.ojdl.loggi
ng.ODLHandlerFactory

For details, see:
■
■

Configuring Logging for Security Token Service or Identity Federation
Defining Log Level and Log Details for Security Token Service or Identity
Federation
See Also:
■

■

Chapter 12 for details about how you can configure and view logs
using Fusion Middleware Control
Logging information in the Oracle Fusion Middleware
Application Security Guide

7.4.1 Configuring Logging for Security Token Service or Identity Federation
Administrators can use the following procedure to separate Security Token Service or
Identity Federation log messages from OAM Server message logs.
1.

Locate and open logging.xml: $DOMAIN_
HOME/config/fmwconfig/servers/SERVER-NAME/logging.xml.

2.

Add the following to create the independent message log for Security Token
Service and Identity Federation:









3.

Save the file.

4.

Proceed with "Defining Log Level and Log Details for Security Token Service or
Identity Federation".

Logging Component Event Messages

7-9

Configuring Logging for Security Token Service and Identity Federation

7.4.2 Defining Log Level and Log Details for Security Token Service or Identity
Federation
Administrators can use custom WLST commands for Oracle Access Management to
change logger settings for Security Token Service as described here. This specifies an
independent output file for only Security Token Service log messages.
Note:

Use the WLST command help("fmw diagnostics").

Skip steps 1 through 3 if the following items are true:
■

The OAM Server is running

■

You have the WLST script

■

You have connected to the server and logged in
See Also: Oracle Fusion Middleware WebLogic Scripting Tool
Command Reference

This sample procedure for Security Token Service logging is very similar to the one for
Access Manager. However, there are a few differences. Your deployment choices will
be different.
1.

Confirm that the OAM Server is running.

2.

Acquire the custom WLST script for Oracle Access Management:
$ORACLE_HOME/common/bin/wlst.sh

3.

Connect to the WebLogic Server and log in as the WebLogic Administrator. For
example:
sh wlst.sh wls:/offline> connect adminID password

4.

Modify the log level of oracle.security.fed based on your requirements. For
example, this sequence changes the log level to WARNING with no persistence:
wls:/base_domain/serverConfig> domainRuntime()
wls:/base_domain/domainRuntime> setLogLevel(logger="oracle.security.fed",
level="WARNING", persist="0", target="oam_server1")

5.

Specify the target OAM Server, as well as rotation and retention periods, path to
the log file, the handler, and logger. For example:
wls:/base_domain/domainRuntime> configureLogHandler(name="osts-log-handler",
target="oam_server1", rotationFrequency="daily", retentionPeriod="week",
path="${domain.home}/ostslogs", maxFileSize ="10485760", maxLogSize
="104857600", addHandler="true",handlerType="oracle.core.ojdl.logging.ODL
HandlerFactory", addToLogger="oracle.security.fed")

6.

Verify the generated log file to confirm the controller is logged at the WARNING
level:
$DOMAIN_HOME/ostslogs/SERVER-NAME-diagnostics.log
$DOMAIN_HOME/oiflogs/SERVER-NAME-diagnostics.log

7.

Proceed to "Validating Run-time Event Logging Configuration" on page 7-11.

7-10 Administrator's Guide for Oracle Access Management

Validating Run-time Event Logging Configuration

7.5 About Mobile and Social Logging
For information about Fusion Middleware logging, see the "Monitoring Oracle Fusion
Middleware" chapter in the Oracle Fusion Middleware Administrator's Guide.
For information about Fusion Middleware auditing, see the "Configuring and
Managing Auditing" chapter in the Oracle Fusion Middleware Application Security Guide.

7.6 Understanding Logging for the Access Portal Service
The Access Portal Service logs five events to the Oracle Access Management table.
■

CredentialAdded

■

CredentialDeleted

■

CredentialModified

■

Login

■

CredentialChange_Password

The Access Portal Service uses the Common Audit Framework (CAF) for auditing. To
enable CAF, set the UseCAF property in the oam-config.xml file to true.

7.7 Validating Run-time Event Logging Configuration
You can use the following procedure to test your run-time event logging configuration.
Before you begin:
■

Configure logging using WLST commands as described in this chapter.

■

Ensure the Agents and Servers are running.

■

Configure an Application Domain to protect the resource as described in
Chapter 25, "Managing Policies to Protect Resources and Enable SSO".

1.

In a browser, enter the URL to a protected resource and sign in using an invalid
credential.

2.

Sign in again using the proper credential.

3.

On the physical server, verify all the logs appear in:
$DOMAIN_HOME/oamlogs/
$DOMAIN_HOME/ostslogs/SERVER-NAME-diagnostics.log
$DOMAIN_HOME/oiflogs/SERVER-NAME-diagnostics.log

4.

Open the log file and look for the last entries to confirm authentication failure and
success, respectively.

Logging Component Event Messages 7-11

Validating Run-time Event Logging Configuration

7-12 Administrator's Guide for Oracle Access Management

8
Auditing Administrative and Run-time Events
8

[9In
]
Oracle Fusion Middleware, auditing refers to the process of collecting for review
specific information related to administrative, authentication, and run-time events.
Auditing can help you evaluate adherence to polices, user access controls, and risk
management procedures, and provides a measure of accountability and answers to the
"who has done what and when" types of questions. Audit data can be used to create
dashboards, compile historical data, and assess risks. Analyzing recorded audit data
allows compliance officers to perform periodic reviews of compliance policies.
(Analyzing and using audit data is outside the scope of this chapter.)

This chapter describes the administrative and run-time events that can be audited for
Oracle Access Management services as well as information on configuring common
auditing settings and validating your auditing configuration.
■

Introduction to Oracle Fusion Middleware Auditing

■

Understanding Oracle Access Management Auditing

■

Access Manager Events You Can Audit

■

Mobile and Social Events You Can Audit

■

Identity Federation Events You Can Audit

■

Security Token Service Events You Can Audit

■

Setting Up Auditing for Oracle Access Management

■

Validating Auditing and Reports

8.1 Introduction to Oracle Fusion Middleware Auditing
Review the following sections in the Oracle Fusion Middleware Application Security Guide
to gain an understanding of auditing and the Audit Framework in Oracle Fusion
Middleware.
■

Introduction to Oracle Fusion Middleware Audit Framework

■

Setting up Oracle Business Intelligence Publisher

■

Customizing Audit Reports

■

"Auditing the Security Token Service" on page 43-21

■

Oracle Fusion Middleware Audit Framework Reference for details about how the
Audit database is laid out

Auditing Administrative and Run-time Events 8-1

Understanding Oracle Access Management Auditing

There is nothing specific or separate related to auditing
OpenSSO Agents or Identity Context. Unless explicitly stated,
information in this chapter is the same for all Oracle Access
Management services.

Note:

8.2 Understanding Oracle Access Management Auditing
Many businesses must now be able to audit identity information and user access on
applications and devices. Compliance audits help an enterprise conform with
regulatory requirements—Sarbanes-Oxley or the Health Insurance Portability and
Accountability Act (HIPAA) are two examples.
Oracle Access Management uses the Oracle Fusion Middleware Common Audit
Framework to support auditing for a large number of user authentication and
authorization run-time events, and administrative events (changes to the system). The
Oracle Fusion Middleware Common Audit Framework provides uniform logging and
exception handling and diagnostics for all audit events.
Auditing is based on configuration parameters set using the Oracle Access
Management Console which enables data capture for a user or set of users. While
auditing can be enabled or disabled, it is normally enabled in production
environments. Audit data can be written to either a single, centralized Oracle Database
instance or to flat files known as bus-stop files.
The Oracle Fusion Middleware Common Audit Framework
database audit store does not include Access Manager policy or
session-data and is not configured through the Oracle Access
Management Console.

Note:

Auditing has minimal performance impact, and the information captured by auditing
can be useful (even mission-critical). The audit log file helps the audit Administrator
track errors and diagnose problems if the audit framework is not working properly.
This section contains the following topics.
■

About Oracle Access Management Auditing Configuration

■

About Audit Record Storage

■

About Audit Reports and Oracle Business Intelligence Publisher

■

About the Audit Log and Data

8.2.1 About Oracle Access Management Auditing Configuration
An Administrator controls certain auditing parameters using the Oracle Access
Management Console. This auditing configuration is recorded in the oam-config.xml
file. Additional auditing configuration is required through the Common Audit
Framework.
Oracle recommends that you use only the Oracle Access
Management Console or WebLogic Scripting Tool (WLST) commands
for changes; do not edit the oam-config.xml file directly.

Note:

8-2 Administrator's Guide for Oracle Access Management

Understanding Oracle Access Management Auditing

Event configuration (mapping events to levels) occurs in the component_events.xml
file. An audit record contains a sequence of items that can be configured to meet
particular requirements.
Within the Oracle Access Management Console, you can set the maximum log file and
log directory size. Audit policies (known as Filter Presets declare the types of events to
be captured by the audit framework for particular components.
Audit policies cannot be configured using Fusion Middleware Control. Oracle Access
Management does not use JPS infrastructure to configure the audit configuration.
There are no WebLogic Scripting Tool (WLST) commands for auditing.
See Also:
■

"Access Manager Events You Can Audit" on page 8-6

■

"Security Token Service Events You Can Audit" on page 8-16

8.2.2 About Audit Record Storage
Audit data can be written to either a single, centralized Oracle Database instance or to
flat files known as bus-stop files. By default, audit data is recorded to the file but
administrators can change the configuration to log audit data to a database. Although
the formats differ, audit data content is identical in both the flat file and the database.
■

Audit Bus-stop: Local files containing audit data records before they are pushed to
the audit data store. In the event that no audit data store is configured, audit data
remains in these bus-stop files. The bus-stop files are simple text files that can be
queried easily to look up specific audit events. When an audit data store is in
place, the bus-stop acts as an intermediary between the component and the audit
data store. The local files are periodically uploaded to the audit data store based
on a configurable time interval.
Bus-stop files for Java components are located in:
$DOMAIN_HOME/servers/$SERVER_NAME/logs/auditlogs/OAM/audit.log

Bus-stop files for system components are located in:
$ORACLE_INSTANCE/auditlogs/OAM/oam_server1/audit.log
■

■

Database Logging: Implements the Common Auditing Framework across a range
of Oracle Fusion Middleware products. The benefit is audit-function commonality
at the platform level.
Database Audit Store: In production environments, Oracle recommends using a
database audit store to provide scalability and high-availability for the Common
Audit Framework. A key advantage of the audit data store is that audit data from
multiple components can be correlated and combined in reports; for example,
authentication failures in all Middleware components and instances. Audit data is
cumulative and grows over time so ideally this is a stand-alone RDBMS database
for audit data only and not used by other applications.
The preferred mode in production environments is writing
audit records to a stand-alone RDBMS database for audit data only.

Note:

To switch to a database as the permanent store for your audit records, you must
first use the Repository Creation Utility (RCU) to create a database schema for
audit data. The RCU seeds that database store with the schema required to store

Auditing Administrative and Run-time Events 8-3

Understanding Oracle Access Management Auditing

audit records in a database. After the schema is created, configuring a database
audit store involves:
■

Creating a data source that points to the audit schema you created

■

Configuring the audit store to point to the data source

Figure 8–1 provides a simplified view of the audit architecture with a supported
database. As previously documented, the Oracle Fusion Middleware Audit
Framework schema is provided by the RCU.
Figure 8–1 Audit to Database Architecture

See Also:
■

■

"Configuring and Managing Auditing" in the Oracle Fusion
Middleware Application Security Guide
"Setting Up the Audit Database Store" on page 8-21

An independent audit loader process reads the flat log file and inserts records in
the log table of the Oracle database. The audit store allows Administrators to
expose audit data with Oracle Business Intelligence Publisher using a variety of
out-of-the-box reports.

8.2.3 About Audit Reports and Oracle Business Intelligence Publisher
Oracle Access Management integrates with Oracle Business Intelligence Publisher,
which provides a pre-defined set of compliance reports through which the data in the
database audit store is exposed. These reports allow you to drill down the audit data
based on various criteria, such as user name, time range, application type, and
execution context identifier (ECID). Out-of-the-box, there are several sample audit
reports available with Oracle Access Management and accessible with Oracle Business
Intelligence Publisher. You can also use Oracle Business Intelligence Publisher to create
your own custom audit reports.
Oracle BI Enterprise Edition (Oracle BI EE) is a comprehensive set of enterprise
business intelligence tools and infrastructure, including a scalable and efficient query
and analysis server, an ad-hoc query and analysis tool, interactive dashboards,
proactive intelligence and alerts, real-time predictive intelligence, and an enterprise
8-4 Administrator's Guide for Oracle Access Management

Understanding Oracle Access Management Auditing

reporting engine. The components of Oracle BI EE share a common service-oriented
architecture, data access services, analytic and calculation infrastructure, metadata
management services, semantic business model, security model and user preferences,
and administration tools. Oracle BI EE provides scalability and performance with
data-source specific optimized analysis generation, optimized data access, advanced
calculation, intelligent caching services, and clustering.
See Also: Using Audit Analysis and Reporting in the Oracle Fusion
Middleware Security Guide

For an overview of how to prepare Oracle BI EE for use with auditing reports for
Oracle Access Management, see "Preparing Oracle Business Intelligence Publisher EE"
on page 8-21.
Oracle BI EE reports contain enumerated fields, the data fields and labels of which are
self-explanatory. Content of reports is described in Table 8–1 (taken from Knowledge
Base Doc ID 1495333.1 on My Oracle Support.
Table 8–1

Oracle Business Intelligence Enterprise Edition Reports for OAM

Report Type

Description

Account Management

User ID | Timestamp | Component/ Application Name | Event Details

Authentication_Statistics

Authentication_statistics
Failure | Userid | Number of Events
AuthenticationFromIPByUser
IP Address | Distinct User Count | Total Attempts | Users
AuthenticationPerIP
IP Address | Distinct Users | Total Number of Attempts
AuthenticationStatisticsPerServer
Server Instance Name | Success Count | Failure Count

Errors_and_Exceptions

All_Errors_and_Exceptions
User ID | Timestamp | Component/Application Name | Client IP Address |
Message Event | Event Details
Authentication_Failures
User ID | Timestamp | Component/ Application Name | Client IP Address |
Authentication Method | Message Event Details | Authorization_Failures
Users_Activities
Authentication_History
User ID | Timestamp | Component/ Application Name | Client IP Address |
Authentication Method | Message Event Details | Authorization_Failures
Multiple_Logins_From_Same_IP
IP Address | Usernames Used

For more information, see the following topics:
■

Access Manager Events You Can Audit

■

Identity Federation Events You Can Audit

■

Security Token Service Events You Can Audit

8.2.4 About the Audit Log and Data
An audit log file helps the audit administrator track errors and diagnose problems
when the audit framework is not working properly. An audit log file records several
fields including (but not limited to) Date, Time, Initiator, EventType, EventStatus,

Auditing Administrative and Run-time Events 8-5

Access Manager Events You Can Audit

MessageText, ECID, RID ContextFields, SessionId, TargetComponentType,
ApplicationName, and EventCategory.
See Also: The topic on audit logs in the chapter on configuring and
managing auditing in the Oracle Fusion Middleware Security Guide

8.3 Access Manager Events You Can Audit
This section provides the following topics:
■

Access Manager Administrative Events You Can Audit

■

Access Manager Run-time Events You Can Audit

■

Auditing Authentication Events
See Also:
■

Identity Federation Events You Can Audit on page 8-14

■

Security Token Service Events You Can Audit on page 8-16

8.3.1 Access Manager Administrative Events You Can Audit
Administrative events are those generated when the Oracle Access Management
Console is used. The Access Manager-specific administrative events that can be
audited and the details captured for them are listed in Table 8–2. These event
definitions and configurations are implemented as part of the audit service in Oracle
Platform Security Services.
The amount and type of information that is logged is
controlled by choosing a filter preset from the Audit Configuration
section. Auditable events for each filter preset are fixed in the
read-only component_events.xml file. Editing or customizing this file
is not supported.
Note:

Table 8–2

Access Manager Administrative Audit Events

Administrative Event
Oracle Access Management Console Login
success/failure

Authentication Policy Creation

Authentication Policy Modification

8-6 Administrator's Guide for Oracle Access Management

Event Data Include
■

User name

■

Remote IP

■

Roles

■

Policy name

■

Authentication scheme details

■

Resource details

■

Policy type (authentication or authorization)

■

Policy name

■

Authentication scheme details

■

Resource details

■

Policy type (authentication or authorization

■

Old Policy name

■

Old Authentication scheme details

■

Old Resource details

Access Manager Events You Can Audit

Table 8–2 (Cont.) Access Manager Administrative Audit Events
Administrative Event

Event Data Include

Authentication Policy Removal

■

Policy name

■

Authentication scheme details

■

Resource details

■

Policy type (authentication or authorization

■

Resource name

■

URI

■

Operation

■

Resource type

■

Resource name

■

URI

■

Operation

■

Resource type

■

Old Resource name

■

Old URI

■

Old Operation

■

Resource name

■

URI

■

Operation

■

Resource type

■

Scheme name

■

Authentication modules

■

Level

■

Scheme name

■

Authentication modules

■

Level

■

Old Scheme name

■

Old Authentication modules

■

Old Level

■

Scheme name

■

Authentication modules

■

Level

■

Response name

■

Response key

■

Data source

■

Response Type

■

Response name

■

Response key

■

Data source

■

Response Type

■

Old Response name

■

Old Response key

■

Old Data source

■

Response name

■

Response key

■

Data source

■

Response Type

Resource Creation

Resource Modification

Resource Removal

Authentication Scheme Creation

Authentication Scheme Modification

Authentication Scheme Removal (Delete)

Response Creation

Response Modification

Response Removal (Delete)

Auditing Administrative and Run-time Events 8-7

Access Manager Events You Can Audit

Table 8–2 (Cont.) Access Manager Administrative Audit Events
Administrative Event

Event Data Include

Partner Addition

■

Partner name

■

Partner ID

■

Partner URL

■

Logout URL

■

Partner name

■

Partner ID

■

Partner URL

■

Logout URL

■

Old Partner name

■

Old Partner URL

■

Old Logout URL

■

Partner name

■

Partner ID

■

Partner URL

■

Logout URL

■

Condition Name

■

Condition type

■

Condition data

■

Condition Name

■

Condition type

■

Condition data

■

Old Condition name

■

Old Condition type

■

Old Condition data

■

Condition Name

■

Condition type

■

Condition data

Server Domain creation

■

Domain Name

Server Domain Modification

■

Domain Name

■

Old Domain Name

Server Domain Removal

■

Domain Name

Server configuration change

■

New details

■

Old details

■

Instance Name

■

Application Name

■

User Name

■

Remote ID

■

Roles

■

Date and time

Partner Modification

Partner Removal

Conditions creation

Conditions Modification

Conditions Removal

8.3.2 Access Manager Run-time Events You Can Audit
Run-time events are those generated by some of the events the Access Manager
component engines issue when interacting with one another. The run-time events that
can be audited, when they are issued, and the details captured for them are listed in
Table 8–3. These event definitions and configurations are implemented as part of the
audit service in Oracle Platform Security Services.

8-8 Administrator's Guide for Oracle Access Management

Access Manager Events You Can Audit

The amount and type of information that is logged is
controlled by choosing a filter preset in the Audit Configuration.
Auditable events for each filter preset are fixed in the read-only
component_events.xml file. Editing or customizing this file is not
supported.
Note:

Table 8–3

Access Manager Run-time Audit Events

Run-time Event

Issued When

Authentication
Attempt

A user attempts to access a protected
resource and the request arrives at the SSO
server; this event might be followed by the
events credential submit and authentication
success or failure.

Authentication
Success

Authentication
Failure

Session Creation

Session Destroy

Event Details Include

A client submits credentials and credential
validation is successful.

A client submits credentials and credential
validation fails.

Authentication succeeds.

Authentication succeeds.

■

Remote IP

■

Resource ID

■

Partner ID

■

Resource ID

■

Authentication scheme ID

■

Authentication Policy ID

■

Remote IP

■

User Name

■

User DN

■

Resource ID

■

Authentication scheme ID

■

Authentication Policy ID

■

Partner ID

■

Remote IP

■

User Name

■

User DN

■

Resource ID

■

Authentication Scheme ID

■

Failure Error Code

■

Retry count

■

Authentication Policy ID

■

Partner ID

■

SSO Session ID

■

User Name

■

User DN

■

Remote IP

■

Resource ID

■

Authentication scheme ID

■

Authentication Policy ID

■

SSO Session ID

■

User Name

■

User DN

■

Partner ID

Auditing Administrative and Run-time Events 8-9

Access Manager Events You Can Audit

Table 8–3 (Cont.) Access Manager Run-time Audit Events
Run-time Event

Issued When

Login success

A client finishes the login procedure and it
is forwarded to the agent.

Login failure

Logout success

Logout failure

Credential
Collection

Credential Submit

Authorization
Success

Authorization
Failure

Server Start Up

A client fails to login; this event is issued
only when all the retry authentication
attempts allowed have failed or when the
account is locked.

A client finishes the logout procedure and
is forwarded to the agent.

A client fails to logout.

A client is redirected to the credential
collection page.

A client submits credentials.

A client has been authorized to access a
resource.

A client has not been authorized to access a
resource.

The server starts up.

8-10 Administrator's Guide for Oracle Access Management

Event Details Include
■

Remote IP

■

User Name

■

User DN

■

Authentication level

■

Resource ID

■

Authentication scheme ID

■

Authentication Policy ID

■

Partner ID

■

Remote IP

■

User Name

■

Authentication level

■

Resource ID

■

Authentication scheme ID

■

Authentication Policy ID

■

Partner ID

■

Remote IP

■

User DN

■

Authentication level

■

SSO Session ID

■

Partner ID

■

Remote IP

■

User DN

■

SSO Session ID

■

Failure details

■

Partner ID

■

Remote IP

■

Resource Name

■

Resource ID

■

Authentication scheme ID

■

Authentication Policy ID

■

Remote IP

■

User Name

■

Resource ID

■

Authentication scheme ID

■

Authentication Policy ID

■

Remote IP

■

User DN

■

Resource ID

■

Authorization Policy ID

■

Remote IP

■

User DN

■

Resource ID

■

Authorization Policy ID

■

Date and time

■

Instance Name

■

Application Name

■

User Name

Mobile and Social Events You Can Audit

Table 8–3 (Cont.) Access Manager Run-time Audit Events
Run-time Event

Issued When

Event Details Include

Server Shut Down

The server shuts down.

■

Date and time

■

Instance Name

■

Application Name

■

User Name

8.3.3 Auditing Authentication Events
Auditing events during authentication can help Administrators scrutinize security
weaknesses in their systems. The events that an Administrator can configure for
auditing during authentication are:
■

Authentication success

■

Authentication failure

■

Create, modify, delete, or view Authentication Policy data

Information related to the user being authenticated may include the following:
■

IP address

■

Browser type

■

User Login ID

■

Time of Access
Oracle recommends that you avoid auditing, logging, or
tracing sensitive user attributes, such as user passwords.

Note:

Information about users requesting authentication or brute force attacks can be stored
in the file system or in a back-end database.

8.4 Mobile and Social Events You Can Audit
This section provides the following topics:
■

REST Run-Time Audit Events

■

Mobile and Social Audit Events

8.4.1 REST Run-Time Audit Events
You can audit the run-time events in the following table.

Auditing Administrative and Run-time Events 8-11

Mobile and Social Events You Can Audit

Table 8–4

REST Run-Time Audit Events

Run-time Event

Issued When

Partner Security Validation
Event

Partner credentials are
validated using the
appropriate security
mechanism. The event is
logged for both success and
failure scenarios.

Event Details Include
■

■

Remote IP

■

Security Mechanism

■

■

Create Token

Terminate Token

Get Token

A token is created.

A token is terminated.

A token is obtained/read.

Partner ID (or any unique
partner var)

Service Instance
(Endpoint or name)
Event Status
(success/fail)

■

Event Status

■

Caller Attribute

■

Subject Attribute

■

Filter Subject Attribute

■

Token Attribute

■

Opcode Attribute

■

Message Text

■

Event Status

■

Caller Attribute

■

Subject Attribute

■

Filter Subject Attribute

■

Token Attribute

■

Opcode Attribute

■

Message Text

■

Event Status

■

Caller Attribute

■

Subject Attribute

■

Filter Subject Attribute

■

Token Attribute

■

Opcode Attribute

■

Message Text

8.4.2 Mobile and Social Audit Events
You can audit the runtime events in the following table.
Table 8–5

Mobile and Social Run-Time Audit Events

Run-Time Event

Issued When

IDP Login

A user attempts to log in
using an identity provider

8-12 Administrator's Guide for Oracle Access Management

Event Details Include
■

Event status

■

Application ID

■

Identity provider name

■

Event message

Mobile and Social Events You Can Audit

Table 8–5 (Cont.) Mobile and Social Run-Time Audit Events
Run-Time Event

Issued When

IDP Rest Access

The REST service for identity
providers is accessed

IDP User Profile

The user profile related to a
user authenticated by an
identity provider is obtained

Event Details Include
■

Event status

■

Application ID

■

Protocol

■

Event message

■

Event status

■

Application ID

■

User attributes

■

Identity provider name

■

Local Registration

Security Validation

OpenID Authentication
Request

OAuth Authentication
Request

OAuth Access Token Request

Local Login

A user registers locally by
providing registration info

The security mechanism on
the Identity Provider REST
Services for Relying Party
(RP) is validated
An OpenID authentication
request is initiated

An OAuth authentication
request is initiated

An OAuth access token
request is initiated

User logs in locally

Event message (optional
attributes)

■

Event status

■

User ID

■

First name

■

Last name

■

E-mail

■

Location

■

Time zone

■

Event message

■

Security mechanism

■

Client principal

■

Remote IP address

■

Event message

■

Event status

■

Request ID

■

IDP login URL

■

Request attributes

■

Message text

■

Event status

■

Request ID

■

Return URL

■

IDP attributes

■

Message text

■

Event status

■

Request ID

■

Token

■

Message text

■

Event status

■

Application ID

■

User ID

■

Token

■

Message text

Auditing Administrative and Run-time Events 8-13

Identity Federation Events You Can Audit

8.5 Identity Federation Events You Can Audit
The Identity Federation service also uses the Fusion Middleware Audit Framework for
auditing. The following data is part of each audit record, regardless of the event or
event type that is audited:
■
■

■

timestamp - Date and time the audit event occurred
initiator - the initiator of the audit event (for some events this attribute may be
empty)
ECID - the execution context ID

The Fusion Middleware Audit Framework supports the following audit levels:
■

None

■

Low

■

Medium

■

Custom

Events can be audited in different categories and audit levels. Table 8–6 lists the event
categories and where they are described in this chapter.
Table 8–6

Categories of Audit Events for Identity Federation

Category

Described in ...

Session Management

Session Management Events for Identity Federation

Protocol Flow

Protocol Flow Events for Identity Federation

Server Configuration

Server Configuration Events for Identity Federation

Security

Security Events for Identity Federation

See Also: Oracle Fusion Middleware Administrator's Guide for
Oracle Identity Federation chapter on "Diagnostics and Auditing" for
greater detail

The following section contain more information.
■

Session Management Events for Identity Federation

■

Protocol Flow Events for Identity Federation

■

Server Configuration Events for Identity Federation

■

Security Events for Identity Federation

8.5.1 Session Management Events for Identity Federation
Session Management events for this Identity Federation release, include a subset of
auditable events for the previous release. For attributes of each event, see "Session
Management Events" in Oracle Fusion Middleware Administrator's Guide for Oracle
Identity Federation.
Table 8–7

Identity Federation Session Management Events

Auditable Events

Auditing Not Supported in This Release for ...

CreateUserSession –

CreateUserFederation –

Creation of a session after a successful login

Creation of a user federation between two remote servers

8-14 Administrator's Guide for Oracle Access Management

Identity Federation Events You Can Audit

Table 8–7 (Cont.) Identity Federation Session Management Events
Auditable Events

Auditing Not Supported in This Release for ...

DeleteUserSession –

UpdateUserFederation -

Deletion of a session after logout

Updating the user federation between two remote servers

CreateActiveUserFederation –

DeleteUserFederation –

Creation of an active federation after
successful login

Deletion of a user federation between two remote servers

CreateActiveUserFederation –
Creation of an active federation after
successful login
DeleteActiveUserFederation Deletion of an active federation after logout
LocalAuthentication –
Authentication of a user at OIF
LocalLogout - Logout of a user at Identity
Federation

8.5.2 Protocol Flow Events for Identity Federation
Protocol flow events for this Identity Federation release, include a subset of auditable
events for the previous Identity Federation release. For attributes of each event, see
"Protocol Flow Events" in Oracle Fusion Middleware Administrator's Guide for Oracle
Identity Federation.
Table 8–8

Protocol Flow Events for Identity Federation

Auditable Events

Auditing Not Supported in This Release for ...

IncomingMessage

AssertionCreation

Message being received by Identity Federation

Creation of an assertion by Identity Federation
(Success only

OutgoingMessage
Message being sent by Identity Federation (Success
only)
AssertionConsumption
Consumption of an assertion by Identity Federation
(Success only)

8.5.3 Server Configuration Events for Identity Federation
Auditable Server configuration events for this Identity Federation release, include a
subset of auditable events for the previous Identity Federation release. For attributes of
each event, see "Server Configuration Events" in Oracle Fusion Middleware
Administrator's Guide for Oracle Identity Federation.
Table 8–9

Server Configuration Identity Federation

Auditable Events

Auditing Not Supported in This Release for ...

CreateConfigProperty

SetDataStoreType

Adding a new configuration property (Success only) Changing the type of a data store (Success only)
ChangeConfigProperty

ChangeDataStore

Changing the value of an existing configuration
property (Success only)

Setting of the federation data store (Success only)

DeleteConfigProperty
Deleting a configuration property (Success only)

Auditing Administrative and Run-time Events 8-15

Security Token Service Events You Can Audit

Table 8–9 (Cont.) Server Configuration Identity Federation
Auditable Events

Auditing Not Supported in This Release for ...

CreatePeerProvider
Adding a new provider to the list of trusted
providers (Success only)
UpdatePeerProvider
Updating the information on an existing provider in
the list of trusted providers (Success only)
PeerProviderID
DeletePeerProvider
Deleting a provider from the list of trusted
providers (Success only)
LoadMetadata
Loading of metadata (Success only)
ChangeFederation
Changing of the trusted providers (Success only)
ChangeServerProperty
Changing of a server configuration property
(Success only)

8.5.4 Security Events for Identity Federation
Auditable security events for this Identity Federation release, include all auditable
events for the previous Identity Federation release. For attributes of each event, see
"Security Events" in Oracle Fusion Middleware Administrator's Guide for Oracle
Identity Federation.
Table 8–10

Security Events for Identity Federation

Auditable Events

Auditing Not Supported in This Release for ...

CreateSignature

n/a

Creation of a digital signature by Identity
Federation
VerifySignature
Verification of a digital signature by Identity
Federation
EncryptData
Encryption of data by Identity Federation
DecryptData
Decryption of data by Identity Federation

8.6 Security Token Service Events You Can Audit
Security Token Service provides an independent audit configuration file, named
component_events.xml, that defines specific event types and events to audit. The
following sections provide more details.
■

About Audit Record Content Common to All Events

■

Security Token Service Administrative Events You Can Audit

■

Security Token Service Run-time Events You Can Audit

8-16 Administrator's Guide for Oracle Access Management

Security Token Service Events You Can Audit

8.6.1 About Audit Record Content Common to All Events
The following data is part of each audit record, regardless of the event or event type
that is audited:
■

Date and time of event

■

IP address of the client initiating event

■

Client identity

■

Processing time for the event

8.6.2 Security Token Service Administrative Events You Can Audit
Security Token Service administrative events fall into several configuration
management operations defined in component_events.xml. See details in Table 8–11.
See Also: "Setting Up Auditing for Oracle Access Management" on
page 8-20
Table 8–11

Security Token Service Configuration Management Operations

Security Token Service
Configuration Operations

Description

Common Attributes

■

■
■

■

■

■

Create Validation Template

OldSettings: The string representing the previous settings before
the change was applied.
NewSettings: The string representing the new settings.
TemplateID: The ID of the Validation or Issuance Template being
created or updated or deleted.
ProfileID: The ID of the Partner Profile being created or updated
or deleted.
PartnerID: The ID of the Partner being created or updated or
deleted.
SettingsID: The ID of the generic settings being created or
updated or deleted.

Audit event recorded for the creation of a Validation Template
referenced by CreateValidationTemplate.
Attributes:

Update Validation Template

■

TemplateID

■

NewSettings

Audit event recorded for the update of a Validation Template
referenced by UpdateValidationTemplate.
Attributes:

Delete Validation Template

■

TemplateID

■

OldSettings

■

NewSettings

Audit event recorded for the delete event of a Validation Template
referenced by DeleteValidationTemplate.
Attributes:

Create Issuance Template

■

TemplateID

■

OldSettings

Audit event recorded for the creation of an Issuance Template
referenced by CreateIssuanceTemplate.
Attributes:
■

TemplateID

■

NewSettings

Auditing Administrative and Run-time Events 8-17

Security Token Service Events You Can Audit

Table 8–11 (Cont.) Security Token Service Configuration Management Operations
Security Token Service
Configuration Operations
Update Issuance Template

Description
Audit event recorded for the update of an Issuance Template
referenced by UpdateIssuanceTemplate.
Attributes:

Delete Issuance Template

■

TemplateID

■

OldSettings

■

NewSettings

Audit event recorded for the delete event of an Issuance Template
referenced by DeleteIssuanceTemplate.
Attributes:

Create Partner Profile

■

TemplateID

■

OldSettings

Audit event recorded for the creation of Partner Profile referenced by
CreatePartnerProfile.
Attributes:

Update Partner Profile

■

ProfileID

■

NewSettings

Audit event recorded for the update of a Partner Profile referenced by
UpdatePartnerProfile.
Attributes:

Delete Partner Profile

■

ProfileID

■

OldSettings

■

NewSettings

Audit event recorded for the delete event of Partner Profile referenced
by DeletePartnerProfile.
Attributes:

Create Partner

■

ProfileID

■

OldSettings

Audit event recorded for the creation of Partner Profile referenced by
CreatePartner.
Attributes:

Update Partner

■

PartnerID

■

NewSettings

Audit event recorded for the update of a Partner Profile referenced by
UpdatePartner.
Attributes:

Delete Partner

■

PartnerID

■

OldSettings

■

NewSettings

Audit event recorded for the delete event of Partner Profile referenced
by DeletePartner.
Attributes:

Generic Admin Creation

■

PartnerID

■

OldSettings

Audit event recorded for the generic create administrative operation
referenced by GenericAdminCreation.
Attributes:
■

SettingsID

■

NewSettings

8-18 Administrator's Guide for Oracle Access Management

Security Token Service Events You Can Audit

Table 8–11 (Cont.) Security Token Service Configuration Management Operations
Security Token Service
Configuration Operations
Generic Admin Update

Description
Audit event recorded for the update of a generic update
administrative operation referenced by GenericAdminUpdate.
Attributes:

Generic Admin Removal

■

SettingsID

■

OldSettings

■

NewSettings

Audit event recorded for generic delete administrative operation
referenced by GenericAdminDeletion.
Attributes:
■

SettingsID

■

OldSettings

8.6.3 Security Token Service Run-time Events You Can Audit
Security Token Service-specific run-time events for token operations are defined in
component_events.xml. See details in Table 8–12.
Table 8–12

Security Token Service-specific Run-time Events

Token Operations

Description

Common Attributes

■

Requester: Who made the request by sending the RST

■

RelyingParty: The one for whom the token is created

■

UserID: End user identity

■

■
■

■

Incoming Message

TokenType: Either SAML11, SAML20, Username, X.509,
Kerberos, OAM or Custom
Token: The XML value of the token
TokenContext: The Context data passed for token
operations
Message: The XML representation of the incoming or
outgoing message

Incoming RSTR message received by Security Token Service
referenced by OutgoingMessage.
Attributes populated for this event, if available:

Outgoing Message

■

Requester

■

RelyingParty

■

Message

Outgoing RSTR message received by Security Token Service
referenced by IncomingMessage.
Attributes populated for this event, if available:
■

Requester

■

RelyingParty

■

Message

Auditing Administrative and Run-time Events 8-19

Setting Up Auditing for Oracle Access Management

Table 8–12 (Cont.) Security Token Service-specific Run-time Events
Token Operations

Description

Token Validation

Audit event for token validation in Security Token Service
referenced by TokenValidation. The status attribute indicates
whether or not the validation operation was successful.
Attributes populated for this event, if available:

Token Generation

■

Requester

■

RelyingParty

■

Token

■

TokenType

■

TokenContext

■

Status

Audit event for token generation in Security Token Service
referenced by TokenGeneration.
Attributes populated for this event, if available:

LDAP User Authentication

■

Requester

■

RelyingParty

■

Token

■

TokenType

■

TokenContext

■

UserID

Audit event for local user authentication with the LDAP
Directory referenced by LDAPUserAuthentication.
Attributes populated for this event, if available:

Generic Runtime Operation

■

UserID

■

Status

Audit event for a generic operation performed by Security
Token Service referenced by GenericRuntimeOperation
Attributes populated for this event, if available:
■
■

OperationType: type of operation
OperationData: string representing context of the
operation

8.7 Setting Up Auditing for Oracle Access Management
The following overview provides a list of the tasks that must be performed before you
can perform auditing for Oracle Access Management.
1.

Set up the audit data store, as described in "Setting Up the Audit Database Store"
on page 8-21.

2.

Set up publishing for audit reports, as described in "Preparing Oracle Business
Intelligence Publisher EE" on page 8-21.

3.

Edit the Audit Configuration in the Oracle Access Management Console, as
described in:
■

Using the Oracle Access Management Console for Audit Configuration

■

Adding, Viewing, or Editing Audit Settings

See Section 8.8, "Validating Auditing and Reports" for details testing and validating
the audit configuration.

8-20 Administrator's Guide for Oracle Access Management

Setting Up Auditing for Oracle Access Management

8.7.1 Setting Up the Audit Database Store
This topic provides an overview of the tasks required to create the audit database and
extend the schema using the Repository Creation Utility (RCU). This task is required
before you can audit events for Oracle Access Management if you choose a database
store for audit data.
See Also:
■

■

Oracle Fusion Middleware Application Security Guide for details on
managing the audit store
Oracle Fusion Middleware Repository Creation Utility User's
Guide

1.

Create an audit database, version 11.1.0.7 or later, as described in the Oracle Fusion
Middleware Application Security Guide.

2.

Run the RCU against the database, as described in "Create the Audit Schema using
RCU" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

3.

Set up audit data sources for the audit loader and configure it for the OAM Server
as described in "Set Up Audit Data Sources" in the Oracle Fusion Middleware
Application Security Guide:
■
■

4.

Use the Java EE audit loader configuration for WebLogic Server.
Use the JNDI name of the data source jdbc/AuditDB that points to the
database that was set up in step 2 above.

In the service instance specified in the domain file ($DOMAIN_
HOME/config/fmwconfig/jps-config.xml), enable database auditing by changing
the value of the property audit.loader.repositoryType to DB. For example:











5.

Restart the WebLogic Server.

6.

Ensure that the audit loader is configured for the OAM Server and that it points to
the proper database, as described in "Configure a Database Audit Store for Java
Components" in the Oracle Fusion Middleware Application Security Guide.

7.

Maintain the bus-stop files, as described in "Tuning the Bus-stop Files" in the
Oracle Fusion Middleware Application Security Guide.

8.7.2 Preparing Oracle Business Intelligence Publisher EE
You must prepare Oracle Business Intelligence Publisher Enterprise Edition (EE) for
use with Oracle Access Management audit reports as outlined in the following
procedure.

Auditing Administrative and Run-time Events 8-21

Setting Up Auditing for Oracle Access Management

See Also:
■

■

■

Oracle Fusion Middleware Metadata Repository Builder's Guide for
Oracle Business Intelligence Enterprise Edition
Oracle Fusion Middleware Developer's Guide for Oracle Business
Intelligence Enterprise Edition
Oracle Fusion Middleware User's Guide for Oracle Business
Intelligence Enterprise Edition

1.

Install Oracle BI Publisher, as described in the Oracle Business Intelligence Enterprise
Edition Installation and Upgrade Guide.

2.

Perform tasks as described in "Set Up Oracle Reports in Oracle Business
Intelligence Publisher" in the Oracle Fusion Middleware Application Security
Guide:
■

Unzip the oam_audit_reports_11_1_2_0_0.zip into your Reports folder.
This zip file is located in the $ORACLE_HOME/oam/server/reports/
directory.

■

Unjar the AuditReportTemplates.jar into your Reports folder.
AuditReportTemplates.jar is located in the $MW_ORA_HOME/oracle_
common/modules/oracle.iau_11.1.1/reports/ directory.

■

Set up the JNDI connection for the audit data source or the JDBC connection
the audit database.
The datasource name must be "Audit".

3.

Set up audit report templates, as described in the section "Set Up Audit Report
Templates" of the Oracle Fusion Middleware Application Security Guide.

4.

Set up audit report filters, as described in the section "Set Up Audit Report Filters"
of the Oracle Fusion Middleware Application Security Guide.

5.

View reports from the following path: Reports/Oracle_Fusion_Middleware_Audit
reports.
See Also:

"Validating Auditing and Reports" on page 8-25

8.7.3 Using the Oracle Access Management Console for Audit Configuration
Within Oracle Access Management, certain Audit Configuration settings are accessible
as Common Settings under the System Configuration. These settings are not required
when you audit to a database. Figure 8–2 shows the Audit Configuration section of the
Common Settings page.

8-22 Administrator's Guide for Oracle Access Management

Setting Up Auditing for Oracle Access Management

Figure 8–2 Common Settings: Auditing Configuration

The Auditing section provides settings for the Log Directory, Filter Settings, and Audit
Configuration Users.
The actual log directory cannot be configured using the Oracle
Access Management Console. It is the default directory for the
Common Audit Framework audit loader. Changing the directory
impacts the audit loader and is not supported.

Note:

Table 8–13 describes the elements in the Audit Configuration page.
Table 8–13

Audit Configuration Elements

Elements

Description

Maximum Directory Size

The maximum size, in MBs, of the directory that contains audit output files.
For example, assuming that the maximum file size is 10, a value of 100 for
this parameter implies that the directory allows a maximum of 10 files.
Once the maximum directory size is reached, the audit logging stops.
For example, a value of 100 specifies a maximum of 10 files if the file size is
10 MB. If the size exceeds this, the creation of audit logs stops.
This is configured using the max.DirSize property described in the
configuration filejps-config.xml. This property controls the maximum size
of a bus-stop directory for Java components as described in the Oracle Fusion
Middleware Application Security Guide.

Maximum File Size

The maximum size, in MBs, of an audit log file. Once the size of a file
reaches the maxi mum size, a new log file is created. For example,
specifying 10 directs file rotation when the file size reaches 10 MB.
This is configured using the max.fileSize property described in the
configuration filejps-config.xml. This property controls the maximum size
of a bus-stop file for Java components as described in the Oracle Fusion
Middleware Application Security Guide.

Filter Enabled

Check this box to enable event filtering.

Auditing Administrative and Run-time Events 8-23

Setting Up Auditing for Oracle Access Management

Table 8–13 (Cont.) Audit Configuration Elements
Elements

Description

Filter Preset

Defines the amount and type of information that is logged when the filter is
enabled. The default value is Low.
■

All: captures and records all auditable OAM events

■

Low: captures and records a specific set of auditable OAM events

■

■

Medium: captures and records events covered by the Low setting plus
a number of other auditable OAM events
None: no OAM events are captured and recorded

Events for each filter preset are fixed in the read-only component_
events.xml file. Editing or customizing this file is not supported for Oracle
Access Management. Only items that are configured for auditing at the
specified filter preset can be audited.
Users

Specifies the list of users whose actions are included only when the filter is
enabled. All actions of the special users are audited regardless of the filter
preset. Administrators can add, remove or edit special users from this table.

8.7.4 Adding, Viewing, or Editing Audit Settings
The Administrator controls the amount and type of information that is logged by
choosing a filter preset from the Audit Configuration tab on the OAM Server Common
Properties page.
Auditable events for each filter preset are fixed in the
read-only component_events.xml file. Editing or customizing this file
is not supported.
Note:

The following procedure describes how to add, view, or edit OAM Server Common
Audit Configuration settings. Individual audit policies cannot be configured using
Fusion Middleware Control. Oracle Access Management does not use JPS
infrastructure to configure the audit configuration. There are no WebLogic Scripting
Tool (WLST) commands for auditing.
1.

In the Oracle Access Management Console, click Configuration at the top of the
window.

2.

In the Settings section, select Common Settings from the View menu.

3.

In the Audit Configuration section, enter appropriate details for your environment
(Table 8–13):
■

Maximum Log directory size

■

Maximum Log file size

■

Filter Enabled

■

Filter Preset (to define verbosity of audit data)

■

Users to include specific users from the audit by clicking the Add (+) button
above the Users table and entering a value in the field.

4.

Click Apply to submit the Audit Configuration (or close the page without
applying changes).

5.

Restart AdminServer and OAM Servers after changes are applied.

8-24 Administrator's Guide for Oracle Access Management

Validating Auditing and Reports

8.8 Validating Auditing and Reports
Use the following procedure to test your run-time event auditing configuration. Before
you begin:
■

■
■

1.

Configure auditing parameters as described in "Setting Up Auditing for Oracle
Access Management" on page 8-20.
Ensure the Agents and Servers are running.
Prepare BI EE Publisher as described in "Preparing Oracle Business Intelligence
Publisher EE" on page 8-21.
To validate an Authentication Event: Audit Console login success/failure as
described here or any administrative event described in Table 8–2, " Access
Manager Administrative Audit Events".
a.

Sign out of Oracle Access Management Console.

b.

Sign in to Oracle Access Management Console with invalid user (not
Administrator) credentials.

c.

Sign in to Oracle Access Management Console using the proper Administrator
credentials.

d.

Review Log File: Open the audit.log file and search for the last Administrative
event entries:
$DOMAIN_HOME/servers/$ADMINSERVER_NAME/logs/auditlogs/OAM/audit.log

e.

2.

Review Database Log:
a.

Perform tasks in "Setting Up the Audit Database Store" on page 8-21.

b.

Generate an Authentication event as described in Step 1.

c.

Connect to the database and connecting to the database and reviews audit
events under IAU_BASE table.

To validate a Runtime Event: Audit Authorization success/failure as described
here or any runtime event described in Table 8–3, " Access Manager Run-time
Audit Events".
a.

In a browser window, enter the URL of a protected resource for which you are
not authorized.

b.

Review Log File: Open the audit.log file and search for the last Administrative
event entries:
$DOMAIN_HOME/servers/$ADMINSERVER_NAME/logs/auditlogs/OAM/audit.log

c.

3.

Review Database Log:
a.

Perform tasks in "Setting Up the Audit Database Store" on page 8-21.

b.

Generate and Authentication event as described in Step 1.

c.

Connect to the database and connecting to the database and reviews audit
events under IAU_BASE table.

To validate Audit Configuration Changes: See Also "Adding, Viewing, or Editing
Audit Settings" on page 8-24.
a.

From the Oracle Access Management Console, System Configuration tab,
Common Configuration, modify Maximum Directory Size (MB) and
Maximum File Size (MB) parameters.

Auditing Administrative and Run-time Events 8-25

Validating Auditing and Reports

b.
4.

Repeat Steps here to confirm auditing is working.

To View Reports:
a.

Sign in to Oracle BI EE. For example:
http://host:port/xmlpserver
Here, host is the computer hosting Oracle BI Publisher; port is the listening port
for BI Publisher; xmlpserver is the login page for BI Publisher.

b.

In Oracle BI Publisher Enterprise, locate the desired reports. For example:
Click Shared Folders, the component that contains the report you would like
to view and then select the desired report.

c.

Perform any analysis as desired, or edit your auditing configuration as
needed.
$MW_HOME/user_projects/domains/base_domain/servers/oam_server1/logs/
auditlogs/OAM/

5.

Archive and manage audit logs according to your company policies.

8-26 Administrator's Guide for Oracle Access Management

9
Logging WebGate Event Messages
9

[10Each
]
10g and 11g WebGate instance can write information about its processes and
states to a log file. The logs can be configured to provide information at various levels
of granularity. For example, you can record errors, errors plus state information, or
errors, states, and other information to the level of a debug trace. You can also
eliminate sensitive information from the logs.

This chapter provides the following sections.
■

About Logging, Log Levels, and Log Output

■

About Log Configuration File Paths and Contents

■

About Directing Log Output to a File or the System File

■

Structure and Parameters of the Log Configuration File

■

About Activating and Suppressing Logging Levels

■

Understanding the Mandatory Log-Handler Configuration Parameters

■

Configuring Different Threshold Levels for Different Types of Data

■

Filtering Sensitive Attributes

9.1 About Logging, Log Levels, and Log Output
The logging feature enables you to analyze system performance and to troubleshoot
issues. You can configure logging for individual WebGate instances of the following
components:
■

10g WebGates

■

11g WebGates

■

Custom Access Clients (Access Manager SDK)
Unless explicitly stated, all information in this section applies
equally to 10g and 11g WebGates. For instance, the location of the log
configuration, oblog_config_wg.xml, has changed for 11g but the
content of the file and most other specifics have not.

Note:

You can configure different logging levels for different functional areas of a component
instance. For example, you can capture debug data for LDAP activity while recording
only error-level data for all other component activity. You can also record the time
taken for each request that a component processes, and you can send different levels of

Logging WebGate Event Messages 9-1

About Logging, Log Levels, and Log Output

log data to different destinations. For example, you can send error information to a file
and all other log data to the system log.
Securing Sensitive Information: Access Manager handles sensitive information about
users. On some sites, this includes user password, date of birth, a social security
number, security questions and answers for lost password requests. Sensitive data on
your site might include a security number or other information you want to secure. At
certain logging levels, sensitive information might be captured. Today, you can filter
sensitive information out of log files, as described in "Filtering Sensitive Attributes" on
page 9-26.
Configuring Logging: You configure logging by editing a configuration file that is
stored with the Webgate. See "About Log Configuration File Paths and Contents" on
page 9-4.
Logging Levels: You can request logging at various levels. The highest level is Fatal
and the lowest level is Trace. See "About Log Levels" on page 9-2 for details.
Logging Destinations: In the log configuration file, a parameter known as a log writer
determines the destination for log output. See "About Directing Log Output to a File or
the System File" on page 9-9 for details. You create a complete definition for your log
output by identifying a log writer and a log level. This complete definition is known as
a log-handler. See "About The Second Compound List and Log Handlers" on page 9-13
for details.
The rest of this section discusses the following topics:
■

About Log Levels

■

About Log Output

9.1.1 About Log Levels
A logging level determines the amount of data that is written to the log data file. Each
logging level is cumulative, that is, each level contains all the data generated by the
higher levels. For example, Error logs contain all the data generated by the Fatal logs,
plus the events that are specific to the Error category.
Table 9–5 describes the levels. The default log level is Warning: LOGLEVEL_
WARNING.
Table 9–1

Level
LOGLEVEL_
FATAL

Logging Levels
Number of
Events
Reported
> 60

Description
Records critical errors. Generally, these events can
cause the component to exit.
In the event of a system failure, Fatal-level messages are
always flushed to the log file.

LOGLEVEL_
ERROR

> 960

Records events that may require corrective action, for
example, a component is unavailable. Error logs can
also be generated for transient or self-correcting
problems, for example, failure to connect to another
component.

LOGLEVEL_
WARNING

> 1200

Records issues that may lead to an error or require
corrective action in the future.

LOGLEVEL_ INFO > 400

Records completed actions or the current state of a
component, for example, the component is initializing.

9-2 Administrator's Guide for Oracle Access Management

About Logging, Log Levels, and Log Output

Table 9–1 (Cont.) Logging Levels
Number of
Events
Reported

Level

Description

LOGLEVEL_
DEBUG1

> 400

Records debugging information. Typically, the
information at this level is only meaningful to a
developer.

LOGLEVEL_
DEBUG2

> 100

Records advanced debugging information. This level
augments the Debug1 log level. Typically, the
information at this level is only meaningful to a
developer.

LOGLEVEL_
DEBUG3

> 900

Records a large amount of debugging information or
data pertaining to an expensive section of the code.
This level is useful for debugging a tight loop or a
performance-sensitive function. Typically, the
information at this log level is only meaningful to a
developer.
These logs can contain sensitive information.

LOGLEVEL_
TRACE

> 900 Access
Manager API
> 150
third-party API

This log level is used to trace code path execution or to
capture performance metrics. This information is
captured at the entry and exit points for each
component function. Typically, the information at this
log level is only meaningful to a developer.
These logs can contain sensitive information.

LOGLEVEL_ ALL

> 5000

This level includes all the events and states from all
other levels.

Compound Lists: You can collect log data from non-adjacent levels and send different
levels of log data to different destinations. For example, you can send the Fatal logs to
the system log, and write Error logs to a file. See "About The Second Compound List
and Log Handlers" on page 9-13 for details.
Threshold: You configure a global cutoff, or threshold, for logging on the LOG_
THRESHOLD_LEVEL parameter in the log configuration file. By default, if a configured
level for a log-handler exceeds the cutoff, the log data is not collected. Note that logs
can fail to be written despite the configured level because the LOG_THRESHOLD_LEVEL
parameter takes precedence over the level configured in the log-handler. Only the
MODULE_CONFIG section of the log configuration file overrides the global threshold. See
"About The Simple List and Logging Threshold" on page 9-11 for details.
Overrides: You specify function- or module-specific overrides for the global logging
threshold on the MODULE_CONFIG parameter. See "Configuring Different Threshold
Levels for Different Types of Data" on page 9-22 for details.
The Trace and Debug3 level logs can contain sensitive
information. For more information about sensitive information, see
"Filtering Sensitive Attributes" on page 9-26.

Note:

9.1.2 About Log Output
Each line of the log output file follows a particular structure. A line starts with a date
and time stamp, followed by the thread that is processing the request, the name of the
function or module being logged, and the log level.
The following is a snapshot of the left-most columns of the log output file:

Logging WebGate Event Messages 9-3

About Log Configuration File Paths and Contents

2007/06/01@00:50:56.859000
2007/06/01@00:50:56.859000
2007/06/01@00:50:56.859000
2007/06/01@00:50:56.859000
2007/06/01@00:50:56.859000

5932
5932
5932
5932
5932

2672
2672
2672
2672
2672

DB_RUNTIME
DB_RUNTIME
LDAP
LDAP
LDAP

DEBUG3
TRACE
DEBUG1
TRACE
TRACE

The two columns to the right of the log level are internal code references, and can be
ignored. The following is an example of these columns:
0x00000205

ldap_connection_mngr.cpp:212

To the right of the internal code reference columns, you see the log message that is
associated with this log level, for example, "Function called" or "Function
returned," followed by the name of the function, as illustrated in the following
example:
"Function called"

_CallName^ldap_init

The log message and function name can be followed by additional information, for
example, the duration of the process, the address space where the function is running,
or state information, as illustrated in the following examples:
"Connection health check result"
Connection available^true
"Function entered"

Server^dlsun4072

Port^389

Server Priority^1

_TraceName^ConnectionWatcherThread::CheckPrimaries

"Function exited"
_TraceName^ConnectionWatcherThread::CheckPrimaries
TraceDuration^0.000028
"Connection Pool Status in ValidateConnections()
"NumLivePrimaryConnections^1
Maximum Connections^1
UpConnections^1
Failover Threshold^1
Max Session
Time^0
SleepFor^60

To secure sensitive information and ensure that it is not included in the output of the
logging operation, see "Filtering Sensitive Attributes" on page 9-26.
See Also:

"Log Configuration File Contents" on page 9-5

9.2 About Log Configuration File Paths and Contents
The log configuration file, oblog_config_wg.xml, is used to specify configuration
details for WebGate logging (oblogs). You configure parameters that control WebGate
log output in XML-based log files that can be edited with a plain text editor. Changes
made to these files are effective immediately. Details are in the following sections:
■

Log Configuration File Paths and Names

■

Log Configuration File Contents

9.2.1 Log Configuration File Paths and Names
By default, WebGate logging is enabled and oblogs are generated in the Oracle HTTP
Server (OHS) instance diagnostics directory: instance1/diagnostics/logs/OHS/ohs1/.
Each WebGate instance includes a log configuration file (oblog_config_wg.xml) where
you can define what type of data is recorded in the log output. A log configuration file
is distinct from the log output file. For details on log output files, see "About Log
Output" on page 9-3.

9-4 Administrator's Guide for Oracle Access Management

About Log Configuration File Paths and Contents

The oblog_config_wg.xml file is updated when you edit to configure WebGate
logging. For example, by setting a new log threshold level, changing a log file name, or
filtering logs related to some modules and so on.
Log configuration, oblog_config_wg.xml, files reside in the following locations
depending upon your WebGate version:
10g WebGates: Webgate_install_dir\oblix\config
11g WebGates: $WEBGATE_HOME or $ORACLE_HOME/webgate/ohs/config. The
same oblog_config_wg.xml file is copied to the WebGate instance directory
($INSTANCE_HOME/webgate/config) when the WebGate instance is created The
later is to be used when configuring logging.
Do not change the path to this file. If you install more than one
instance, a log configuration file is installed for each instance. When
configuring logging, oblog_config_wg.xml under $INSTANCE_HOME
should be updated.

Note:

After installation, oblog_config_wg.xml and oblog_config_wg_original.xml both
contain comments to help guide your editing.
Table 9–2 lists the names of the log configuration files. Do not change the names.
Table 9–2

Log Configuration File Names for Components

Component

Log Configuration FIle Name

Webgate

oblog_config_wg.xml

Access Manager SDK (custom Access
Client)

oblog_config.xml

Important: Do not change the default path or name for any logging

configuration file.
The oblog_config_wg.xml file can be edited using any text editor as long as you ensure
that after the update the file is still valid XML. After updates to the file, changes will
take affect in about 60 seconds.

9.2.2 Log Configuration File Contents
The log configuration file controls items such as the following:
■

What is logged for that component

■

Where the data is sent

■

In certain cases, the size of the write buffer used for the log

■

Log file rotation intervals

The configuration file contains XML statements that you can edit in a text editor.

9.2.2.1 When Changes to the File Take Effect
A watcher thread picks up changes to the log configuration file every 60 seconds and
ensures that changes take effect. It is unnecessary to restart the server

Logging WebGate Event Messages 9-5

About Log Configuration File Paths and Contents

9.2.2.2 About Comments in the Log File
Each default log configuration file contains comments that are intended to assist with
editing the file.
See Also:

The log configuration file on your system.

The commented default configuration file is shown here:
Comments can span one or multiple lines. Comments look similar to the following:

-->
-->
-->

Example 9–1 shows a typical log configuration file with comments. Example 9–8
shows an example of a log file without comments.
Example 9–1 The Default Log Configuration File with Comments




-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->

About Log Configuration File Paths and Contents





























































Logging WebGate Event Messages 9-7

About Log Configuration File Paths and Contents























































-->



-->

-->

9-8 Administrator's Guide for Oracle Access Management

About Directing Log Output to a File or the System File








-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->

9.3 About Directing Log Output to a File or the System File
To send log output to a destination, you configure a log writer. A log writer can send
log output to one, none, or both of the following:
■

A log file.
This file resides under the root installation directory of the component.

■

The system file of the host for the component.
If more than one component resides on the same host, all components send data to
the system log file on that host.

You can send logs of a particular level, or logs of different levels, to more than one type
of log writer. For instance, you can send Fatal data to the system log, and send Trace
data to a file. Or, you can send Fatal data to both the system log and a file.
You define log writers in the log configuration file using the LOG_WRITER parameter in
a log-handler definition. See "About The Second Compound List and Log Handlers"

Logging WebGate Event Messages 9-9

Structure and Parameters of the Log Configuration File

on page 9-13 for details.
The log writers are described in Table 9–3.
Table 9–3

Log Writers

Writer

Description

SysLogWriter

Sends data to the system log file for the computer that hosts the
component being logged. Typically, the system log file contains event
information from multiple applications and the host operating system.
For Windows, this is the application log file located at My Computer,
Manage, Event Viewer, Application.
For UNIX platforms, the name and location of the system log file can
vary according to the computer and the preferences of the system
Administrator. Consult the Administrator of the computer for the file
location.
The default log configuration file sends Fatal, Error, and Warning
messages to the system log file.

FileLogWriter

This writer is recommended when you want to save log data for an
OAM Server or other single-process application on a disk file.
The FileLogWriter opens the log file and holds it open for disk writes
until the approximate file size limit or file rotation interval has been
reached. Oracle does not recommend this log writer for situations
where more than one process needs to write to the same log file. For
these situations, use the MPFileLogWriter.

MPFileLogWriter

This writer resembles the FileLogWriter, except that it opens and
closes the log file each time it writes data to the file. This enables
multiple processes to write to the file in turn. However, this practice
can slow performance substantially.
Oracle recommends using MPFileLogWriter only when FileLogWriter
fails to record logging data from some of the processes associated with
a multi-process application, for example, an Access Client installed on
a multi-process Web server (such as Apache) or the Solaris version of
the iPlanet Web server.

9.4 Structure and Parameters of the Log Configuration File
The log configuration file conforms to a standard format. You can edit parameters and
add or subtract sections known as log-handler definitions, but do not change the
underlying format of the log configuration file.
See Example 9–1 or Example 9–8 for a listing of the default log configuration file.
The rest of this section discusses the following topics:
■

About The Log Configuration File Header

■

About The Initial Compound List

■

About The Simple List and Logging Threshold

■

About The Second Compound List and Log Handlers

■

About The List for Per-Module Logging

■

About The Filter List

■

About XML Element Order

9-10 Administrator's Guide for Oracle Access Management

Structure and Parameters of the Log Configuration File

9.4.1 About The Log Configuration File Header
At the beginning of the log configuration file there is an XML file header:


The header serves the following purposes:
■

The header declares the relevant XML version, which is always 1.0.

■

It also declares the encoding format, which is always ISO-8559-1.

9.4.2 About The Initial Compound List
The header is followed by an initial compound list that is delimited as follows:

. . .


The first compound list is structured as follows:
■

■

■

The compound list start-tag shows the relevant XML name space for the log
configuration file in the xmlns parameter.
The compound list start-tag also provides a name for the compound list in the
ListName parameter.
The compound list end-tag occurs near the end of the file.
This compound list delimits all log configuration information.

9.4.3 About The Simple List and Logging Threshold
After the start-tag for the first compound list, a simple list sets the global defaults for
logging, as follows:

. . .


Between the start and end tags of the simple list, you configure the following:
Table 9–4

Global Parameters in the First Compound List

Parameter

Description

LOG_LEVEL_THRESHOLD

Sets the default logging threshold.
Default value: LOGLEVEL_WARNING
Possible Values: Refer to log levels in "About Log Levels" on
page 9-2
The global threshold allows logs of a particular level and more
general levels to be collected, and prevents lower-level logs from
being collected. This threshold can be overridden by a
per-module threshold. See "Configuring Different Threshold
Levels for Different Types of Data" on page 9-22 for details.

SECURE_LOGGING

Dynamically enables or disables the secure logging mechanism.
This does not require a server or component restart.
Default value: On
Possible Values: On or Off

Logging WebGate Event Messages 9-11

Structure and Parameters of the Log Configuration File

Table 9–4 (Cont.) Global Parameters in the First Compound List
Parameter

Description

LOG_SECURITY_THRESHOLD_
LEVEL

Indicates the log threshold for which secure logging is effective.
Default value: LOGLEVEL_TRACE
Possible Values: Refer to log levels in "About Log Levels" on
page 9-2
Note: Ensure that LOG_THRESHOLD_LEVEL and LOG_SECURITY_
THRESHOLD_LEVEL are the same or are consistent with one
another. For example, if LOG_THRESHOLD_LEVEL is set to
LOGLEVEL_TRACE while LOG_SECURITY_THRESHOLD_LEVEL is set at
LOGLEVEL_WARNING, then secure logging applies to LOGLEVEL_
WARNING and above but does not apply to LOGLEVEL_TRACE.

LOG_SECURITY_ESCAPE_
CHARS

Configure escape sequence characters used to avoid additional
information being overwritten due to the secure logging
mechanism. Use a comma separated list as shown here.
Default value: ),]
Possible Values: Characters only
Note: Default values are recommended. Configuring
inappropriate characters may lead to sensitive information being
unmasked.

LOG_SECURITY_MASK_LENGTH Specifies the default masking length if none is specified in
FILTER_LIST.
Default value: 300
Possible Values: Positive integer
Note: FILTER_LIST appears after the second compound list (log
handlers). For more information, see "Filtering Sensitive
Attributes" on page 9-26.

Example 9–2 shows the simple lists containing global settings, which appear in the
first compound list in the oblog_config_wg.xml file.
Example 9–2 Simple Lists with Global Settings (First Compound List in oblog_config_
wg.xml)












9-12 Administrator's Guide for Oracle Access Management

Structure and Parameters of the Log Configuration File





9.4.4 About The Second Compound List and Log Handlers
After the simple list containing global settings, and within the start and end tags for
the initial compound list, you specify an additional compound list. This compound list
contains log-handler definitions. The start and end tags for this list are as follows:

. . .


This compound list tag is configured as follows:
■

■

In the start tag for the compound list, the xmlns parameter indicates the relevant
XML name space.
Also in the start tag, you specify the name of the list on the ListName parameter.
Typically, the name of this list is LOG_CONFIG.

Between the start and end tags for the compound list for the log-handler, you specify
one or more ValNameList elements. Each ValNameList element contains the definition
for a log-handler. Each instance of this element begins and ends as follows:

. . .


The ValNameList elements are configured as follows:
■

The opening tag sets the relevant XML name space on the xmlns parameter.

■

The opening tag also sets a name for the log-handler on the ListName parameter.

Within the opening and closing ValNameList tags, you configure the log-handler. A
log-handler definition contains three mandatory NameValPair elements:
■

The first mandatory NameValPair element defines the logging level for the
log-handler.
This element contains the statement ParamName="LOG_LEVEL", whose value is a
reserved name in Table 9–1, as follows:


■

The second mandatory NameValPair element defines the destination for log
output.
This element contains a statement ParamName="LOG_WRITER", whose value is a
reserved name in Table 9–3, as follows:


■

The third mandatory NameValPair element toggles this log-handler on and off.
This element contains a statement ParamName="LOG_STATUS", with a value of On or
Off, as follows:


Logging WebGate Event Messages 9-13

Structure and Parameters of the Log Configuration File

Finally, within the opening and closing ValNameList tags, if you specify
FileLogWriter or MPFileLogWriter as the log writer, you can add none, some, or all of
the following. See Table 9–7 for details:
■

A destination file name, as follows:


■

A buffer size, as follows:


■

A a file size that determines when a new log file is generated, as follows:


■

A time in minutes that determines the interval at which a new log file is generated,
as follows:


9.4.5 About The List for Per-Module Logging
After the end tag for the compound list that delimits the log-handlers, and before the
end tag for the initial compound list, you can add per-module logging parameters. See
"Configuring Different Threshold Levels for Different Types of Data" on page 9-22 for
details.

9.4.6 About The Filter List
After the per-module logging parameters a filter list identifies sensitive information
that you might want to filter out of the log file. For example, passwords and responses
for lost password management are sensitive information that you might want to filter
out of the log file.
Each name value pair associated with the FILTER_LIST parameter provides the name
of a word or phrase to be checked before the log is written and the corresponding
masking length for that word or phrase. During logging, the value of the word or
phrase is masked and omitted from the log file.
Simply put, during logging Access Manager does not recognize whether a value to be
masked is an attribute or its display name or something different (plain text). Secure
Logging works by searching for words or phrases added in the FILTER_LIST and then
masking out any data that is followed by the occurrence of those words or phrases. For
example, in the following statement:
\csabuild\coreid1014\np_common\db\ldap\util\ldap_util3.cpp:3107 "ldap_parse_result
of Simple Bind"
ld handle^0x0779FA00
result^0x09FB0088
bind^cn=orcladmin
LDAP bind operation status code^0
Additional
error message^ freeit^0 parse_rc^0

After turning Secure Logging ON and adding "bind" in the FILTER_LIST (which is
neither an attribute nor a display name), whatever follows the word in the FILTER_
LIST (in this case, "bind") is masked. In this case, you would see the following in logs:
\csabuild\coreid1014\np_common\db\ldap\util\ldap_util3.cpp:3107 "ldap_parse_result
of Simple Bind"
ld handle^0x0779FA00
result^0x09FB0088
bind^cn=orcladmin
LDAP bind********** status code^0
Additional
error message^ freeit^0 parse_rc^0

9-14 Administrator's Guide for Oracle Access Management

Structure and Parameters of the Log Configuration File

All attributes are case sensitive. For example, if you enter "password" instead of
"Password" as a display name for an attribute, then "Password" is not filtered. By
default, four attributes are always configured in the filter list: password, Password,
response, and Response.
The default masking length, 40, is specified for each of the four default attributes. The
default mask length can be altered for the default attributes if needed. If you add other
attributes to the filter list, you might need a larger mask length (300, for example).
The default filter list is shown in Example 9–3.
Example 9–3 FILTER_LIST Masks Sensitive Attributes in Log Files

xmlns="http://www.oblix.com"
ListName="FILTER_LIST">








When you add another attribute to the filter list, you must include the display name as
well as the attribute name in the directory server.

9.4.7 About XML Element Order
When using XML, you can specify parallel elements in a list in any order as long as the
elements remain intact and within the tags that originally bracketed them. For
example, the lists in Example 9–4 and Example 9–5 are equivalent:
Example 9–4 Valid Name/Value List





Example 9–5 Another Valid Name/Value List






Logging WebGate Event Messages 9-15

About Activating and Suppressing Logging Levels

Similarly, within a given tag, the attributes (except for the tag name, which must
always be the first element within the tag brackets) can be reordered, as long as they
remain intact and within the tag elements that originally bracketed them. The opening
tags for a name-value list in Example 9–6 and Example 9–7 are equivalent:
Example 9–6 Opening tag for a Name/Value List

Example 9–7 Opening tag for a Name/Value List


9.5 About Activating and Suppressing Logging Levels
Several factors determine if logging is active for a particular log-handler. Table 9–5 lists
these factors.
Table 9–5

Factors that Determine Whether Logging Is Active

Factor

Importance

Description

LOG_ THRESHOLD_
LEVEL

Primary

This parameter sets a cutoff for logging. Any log level
that is more detailed than the threshold is
suppressed. See Table 9–1 for valid log levels.
You override this parameter for a subset of items that
can be logged using the MODULE_CONFIG parameter.
See "Configuring Different Threshold Levels for
Different Types of Data" on page 9-22 for details.

MODULE_CONFIG

Primary

This sets a per-module override for the global logging
threshold.
See "Configuring Different Threshold Levels for
Different Types of Data" on page 9-22 for details.

LOG_STATUS

Secondary

This parameter toggles logging on or off, as long as it
is not overridden by the logging threshold or a
module-specific override.

The physical
position of a log
handler

Secondary

See "About Log Handler Precedence" on page 9-16.

9.5.1 About Log Handler Precedence
You can configure up to three log-handler definitions for a single log level in a log
configuration file. Three different log handlers are required to send output for a
particular log level to each of the three log writers described in Table 9–3.
If you specify different LOG_STATUS settings in these log handlers, the setting in the
log-handler definition closest to the physical end of the log configuration file sets the
status for the other log-handler definitions of the same log level. For example, you can
set LOG_STATUS to Off for the first two log handlers for the Error log level, but if LOG_
STATUS is On for the third and final log handler in the configuration file, logging still
occurs for all three handlers.
The LOG_STATUS settings are moot if that level is more fine-grained than the current
LOG_THRESHOLD_LEVEL. In this case, logging cannot be activated at this level unless the
threshold is overridden by a module-specific threshold. See "Configuring Different
Threshold Levels for Different Types of Data" on page 9-22 for details.
9-16 Administrator's Guide for Oracle Access Management

Understanding the Mandatory Log-Handler Configuration Parameters

9.6 Understanding the Mandatory Log-Handler Configuration Parameters
At minimum, each log-handler definition contains five parameters listed in Table 9–6.
Table 9–6

Mandatory Log Configuration File Parameters

Parameter

Comment

xmlns

This parameter is specified in the opening ValNameList tag.
It specifies the relevant XML namespace for the current list and
is identical for all log-handler definitions in a given logging
configuration file. Example:
http://www.example.com

ListName

This parameter is specified in the opening ValNameList tag.
Where possible, use the default names.
When creating a new log-handler definition, select a memorable
name that you cannot confuse with other log handlers.
Examples:
WarningsAndAboveToSyslog sends Fatal, Error, and Warning
messages to the system log file.
WarningsOnlyToFileLog128KBuffer sends messages from just
the Warning level to a 128KB buffer, and hence to a disk file.
TraceOnlyToMPRotateDaily sends messages from just the Trace
level to the multi-process file writer, which opens and closes the
file each time it writes to disk. This file is replaced with a fresh
(empty) file every day, regardless of the size of the file at the
time of replacement.

LOG_LEVEL

This specifies a log level. See Table 9–1 for details.
The default logging configuration file activates logging for three
levels: Fatal, Error, and Warning.

LOG_WRITER

This specifies the destination for log output for this log-handler.
See Table 9–3 for details.
The default log configuration file sends output to both the
system log and the log data file for the component doing the
logging.

LOG_STATUS

This parameter turns the log handler on or off.

If you specify FileLogWriter or MPFileLogWriter as the value for the LOG_WRITER
parameter, the four parameters in Table 9–7 are relevant.

Logging WebGate Event Messages 9-17

Understanding the Mandatory Log-Handler Configuration Parameters

Table 9–7

Log Data File Configuration Parameters

Parameter

Description

Default

FILE_ NAME

Mandatory. Used only for the FileLogWriter or
MPFileLogWriter. It is the name and location of the
file where log data is written.

oblog.log

You can prepend an absolute path to the file name
to store it somewhere other than the default
location, which is:
component_install_dir\oblix\logs
Where component_install_dir is the root installation
directory for the component whose system events
you are logging.
When you create more than one log-handler
definition that sends output to FileLogWriter or
MPFileLogWriter, provide unique file names so
that multiple handlers do not write to the same file.
This caution does not apply to log handlers
accessing the SysLogWriter.
BUFFER_SIZE

Optional. This is the size of the buffer, in bytes, for
logged data as it is being written to the log file.

65535
(64KB)

If you set the buffer value to 0 or a negative
number, the default value is used. To write to the
log file immediately, without buffering, set the
value to a small number, for example, 5. Oracle
recommends that you set a small buffer size in
situations where there are system failures.
MAX_ ROTATION_
SIZE

Optional. When the log file reaches this size (in
bytes), a time stamp is appended to the file name,
for example oblog.log becomes
oblog.log1081303126. New data is written to the
file with the original name.

52428800

MAX_ ROTATION_
TIME

Optional. A time interval, in seconds, when the log
file is renamed, whether or not it has reached the
maximum rotation size.

86400

(512KB)

(1 day, in
seconds)

If the rotation time determines when the file is
rotated, the numbers appended to the log files
differ by the number of seconds in the rotation
interval. For example, oblog.log.1081389526 and
oblog.log.1081303126 differ by 84,600, which is
the number of seconds in 24 hours. This is the
rotation interval set in the log configuration file.

The following sections contain more information.
■

Settings in the Default Log Configuration File

■

Description of the Settings in the Default Log Configuration File

9.6.1 Settings in the Default Log Configuration File
As installed with each component, the log configuration file activates only the highest
three levels (Fatal, Error, and Warning) and directs all log output to the system log.
On Windows, you can view the system log for the computer that hosts the component
you are logging by navigating to My Computer, Manage, Event Viewer, Application.
System event entries for the components being logged are interspersed among the
system events for the operating system and applications other than Access Manager.

9-18 Administrator's Guide for Oracle Access Management

Understanding the Mandatory Log-Handler Configuration Parameters

For Solaris and Linux environments, the location of the system log is recorded in a
system configuration file whose particulars can vary from computer to computer. For
the name and location of this system file or the system log, consult the owner of the
computer that hosts the component whose system log you want to examine.
Example 9–8 shows the default log configuration file with comments removed to
expose the file structure.
Example 9–8 A Default Log Configuration File Without Embedded Comments



























Logging WebGate Event Messages 9-19

Understanding the Mandatory Log-Handler Configuration Parameters





















9.6.2 Description of the Settings in the Default Log Configuration File
The default configuration file sends Fatal, Error, and Warning messages to both the
system log and to a log data file named oblog.log.
The simple list near the top of the file sets the following parameters:
■

It sets the LOG_THRESHOLD_LEVEL to Warning.
The threshold suppresses logging for levels that are more fine-grained than
Warning. You can override this threshold. See "Configuring Different Threshold

9-20 Administrator's Guide for Oracle Access Management

Understanding the Mandatory Log-Handler Configuration Parameters

Levels for Different Types of Data" on page 9-22 for details.
The nested compound list contains four log-handler definitions:
■

The first, named LogFatal2Sys, sets the logging level to Fatal and sets LOG_
STATUS to On.
The threshold level is Warning, which is more fine-grained than Fatal, so this
definition is in effect. The log output is written to the system log, as specified by
the LOG_WRITER parameter.

■

The LogError2Sys log-handler definition sends Error level messages to the system
log.
Error is located before the current threshold level (Warning), so this definition is in
effect.

■

The LogWarning2Sys definition sends Warning level output to the system log.
Like the two previous log-handler definitions, it is not overridden by the current
LOG_THRESHOLD_LEVEL parameter.

■

LogAll2File, the final log-handler definition, appears to send output from all log
levels to a disk file named oblog.log.
The LOG_THRESHOLD_LEVEL parameter is set to Warning, so only the output from
the Fatal, Error, and Warning levels are recorded in this log data file. Since output
from LogAll2File goes to the FileLogWriter, the parameters governing file name,
buffer size, rotation size, and rotation interval all take effect.

Figure 9–1 illustrates log-level activation in the default log confirmation file.
Figure 9–1 Log-Level Activation in the Default Log Configuration File

Logging WebGate Event Messages 9-21

Configuring Different Threshold Levels for Different Types of Data

9.7 Configuring Different Threshold Levels for Different Types of Data
When diagnosing a problem, you may not want detailed logs for every operation that
a component performs. For example, to diagnose slow response times for requests that
an Identity Server submits to its directory, you would want detailed information on
LDAP operations and fewer details about other types of operations.
As of release 10.1.4.2, you can configure per-module or per-function threshold levels in
the log configuration file, so that Access Manager generates detailed logs for some
components while generating concise logs, or no logs, for others.
You configure per-module logging thresholds in a MODULE_CONFIG section in the oblog_
config_wg.xml file. The MODULE_CONFIG section overrides the global default that you
specify on the LOG_THRESHOLD_LEVEL in the simple list section of this file.
The rest of this section discusses the following topics:
■

About the MODULE_CONFIG Section

■

Configuring a Log Level Threshold for a Function or Module

9.7.1 About the MODULE_CONFIG Section
As described in "Structure and Parameters of the Log Configuration File" on page 9-10,
in the log configuration file you configure a global logging threshold. The following is
an example of the global LOG_THRESHOLD_LEVEL setting:


. . .


In addition to the global threshold, the configuration file can contain a ValNameList
that defines function- or module-specific log thresholds. The name of this list is always
MODULE_CONFIG. Only one instance of this list is permitted in the log configuration file,
and the information in the list applies to all log writers defined in the file. As of release
10.1.4.2, the default log configuration file contains a commented sample of the MODULE_
CONFIG list.
Each item in the MODULE_CONFIG list sets a logging level for a module, as shown in the
following example:





The elements in this section are as follows:
■

The ValNameList tag delimits the list of per-module logging thresholds.

■

One NameValPair tag delimits each specific per-module logging threshold.

■

The ParamName parameter sets the name of a module or function.
See Table 9–8 for a list of valid values.

■

The Value parameter sets the logging threshold for the module that you specify as
a value for the ParamName parameter.
Table 9–1 lists the permissible values for the Value parameter. In addition to these
values, you can specify the value ON to enable logging for the module and a value
of OFF to disable logging for the specific module.

9-22 Administrator's Guide for Oracle Access Management

Configuring Different Threshold Levels for Different Types of Data

The following sections contain more information.
■

Location of the Per-Module Logging Section in the Log Configuration File

■

List of Modules That Can Be Logged

9.7.1.1 Location of the Per-Module Logging Section in the Log Configuration File
You add the per-module logging threshold section near the end of the log
configuration file, after the closing tag for the compound list for the log-handlers and
before the closing tag for the first compound list in the file.
This section contains an example of the per-module logging section. See "Configuring
a Log Level Threshold for a Function or Module" for details.

9.7.1.2 List of Modules That Can Be Logged
Table 9–8 describes the a partial list of the values that you can specify for the
ParamName parameter in the MODULE_CONFIG list.
Table 9–8

ParamName Values You Can Configure for Per-Module Logging Threshold

ParamName Value

Logging Threshold That This Parameter Sets

AAA_ACTIONS

Sets a logging threshold for triggered actions that are configured as
part of a policy in the OAM Server.




AAA_AMENGINE

Sets a logging threshold for activity performed by the Access
Manager engine.

AAA_ISRESRCOPPROT

Sets a logging threshold for all OAM Server activities related to
determining if a resource operation is protected.

ACCESS_CLIENT

Sets a logging threshold for operations performed by an access
client, that is, an Access Client or Webgate.

ACCESS_GATE

Sets a logging threshold for operations performed by an Access
Client.

ACCESS_SDK

Sets a logging threshold for operations performed by the Access
Manager SDK interface.
See the Oracle Fusion Middleware Developer's Guide for Oracle
Access Management for details.

ACCESS_SERVER

Sets a logging threshold for operations performed in the OAM
Server.

AM_SDK

Sets a logging threshold for the Access Manager SDK.
See the Oracle Fusion Middleware Developer's Guide for Oracle
Access Management for details.

AUDIT

Sets a logging threshold for auditing.
See Chapter 8 for details.

AUTHENTICATION

Sets a logging threshold for user authentication operations.

AUTHN_MGMT

Sets a logging threshold for authentication scheme management.

AUTHN_PLUGIN

Sets a logging threshold for operations performed by an
authentication plug-in.

AUTHORIZATION

Sets a logging threshold for user authorization operations.

Logging WebGate Event Messages 9-23

Configuring Different Threshold Levels for Different Types of Data

Table 9–8 (Cont.) ParamName Values You Can Configure for Per-Module Logging
ParamName Value

Logging Threshold That This Parameter Sets

AUTHZ_MGMT

Sets a logging threshold for authorization scheme management.

AUTHZ_PLUGIN

Sets a logging threshold for authorization plug-in operations.

CACHE

Sets a logging threshold for cache management and operations on
the caches.

CONN_MGMT

Sets a logging threshold for connection management.

CONN_RUNTIME

Sets a logging threshold for connection run time.

CONNECTIVITY

Sets a logging threshold for client-sever connectivity and
messaging.

DB_CONFIGURATION

Sets a logging threshold for the data store interface layer
configuration.

DB_RUNTIME

Sets a logging threshold for the data store interface layer run time.

DIAGNOSTIC_FRAMEWORK

Sets a logging threshold for the diagnostic framework.

GROUPDB

Sets the threshold for logging accesses of Group Manager data in
the directory.

GROUP_MGR

Sets the threshold for logging Group Manager operations.

HTTP_REQ

Sets the threshold for logging HTTP request processing.

IDXML

Sets the threshold for logging IDXML operations.
See the Oracle Fusion Middleware Developer's Guide for Oracle
Access Management for details.

LDAP

Sets a logging threshold for LDAP SDK, for example:




NET

Sets a logging threshold for network APIs.

OBMYGROUPS

Sets a logging threshold for ObMyGroups processing. This refers to
searches of groups where the person who initiated the search is a
member.

OIS_CLIENT

Sets a logging threshold for the Identity client.

POLICY_MGMT

Sets a logging threshold for policy and policy domain management.

PPP

Sets a logging threshold for Identity Event Plug-in API operations.
See the Oracle Fusion Middleware Developer's Guide for Oracle
Access Management for details.

QUERY_BUILDER

Sets a logging threshold for Query Builder operations.

SECURITY

Sets a logging threshold for the security and encryption library.

SELECTOR

Sets a logging threshold for Selector operations.

SERVER

Sets a logging threshold for server infrastructure.

SSOTOKEN

Single sign-on token management.

UTILS

Sets a logging threshold for utility classes.

WEB

Sets a logging threshold for the Web server plug-in interface.

XML

Sets a logging threshold for the XML Infrastructure.

9-24 Administrator's Guide for Oracle Access Management

Configuring Different Threshold Levels for Different Types of Data

9.7.2 Configuring a Log Level Threshold for a Function or Module
The following procedure describes how to configure a function- or module-specific log
level threshold.
1.

Open the log configuration file in the following location:
Webgate_install_dir\identity|access\oblix\config

2.

If a ValNameList section with a ListName of MODULE_CONFIG does not already exist
in this file, create one that is similar to the following:



Place this list after the end tag for the compound list that contains the log handler
definitions. If there are comments immediately after this end tag, place the list
after the comments.
3.

Between the opening and closing tags of the new ValNameList element, configure
one or more NameValPair elements.
This element contains a ParamName parameter and a Value parameter. See
Table 9–8 for the modules that you can supply on the ParamName parameter. See
Table 9–1 for values, or you can specify a value of On or Off. The following is an
example:


You can specify multiple ValNamePair elements within the ValNameList.
A complete per-module logging threshold section is illustrated in bold in the
following example:









. . .


-->

-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->

Logging WebGate Event Messages 9-25

Filtering Sensitive Attributes





-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->








9.8 Filtering Sensitive Attributes
As described earlier, you can activate secure logging and expand the default filter list
to mask sensitive information from the log file.
When you add an attribute to the filter list, you must include the display name as well
as the attribute name in the directory server. The following procedure describes how to
perform this task. In this example, you are instructed to filter the user's home phone
number: display name Home Phone; attribute name homePhone. However, you can
filter the attribute of your choice.
Each value added to FILTER_LIST increases the runtime cost
of using Secure Logging.

Note:

Oracle recommends that you optimize the use of FILTER_LIST to reduce the runtime
cost. For example, rather than adding two ParamName variations (User Password and
userPassword), you could use only one. Using Password as the ParamName masks
values for User Password, userPassword, and other words that end with Password.
Also, instead of including both Home Phone and homePhone in FILTER_LIST, you could
simply use Phone.
See Also:

1.

■

"About Logging, Log Levels, and Log Output" on page 9-1

■

"About The Simple List and Logging Threshold" on page 9-11

■

"About The Filter List" on page 9-14

■

"Settings in the Default Log Configuration File" on page 9-18

Open the log configuration file in a text editor:
Webgate_install_dir\identity|access\oblix\config\oblog_config_wg.xml

2.

In oblog_config_wg.xml:

9-26 Administrator's Guide for Oracle Access Management

Filtering Sensitive Attributes

a.

Confirm that secure logging is active. For example:




b.

Locate the FILTER_LIST parameter at the end of the file. For example:







c.

Add the display name to mask and the value for the mask length, then add the
attribute and the value for the mask length. For example:



For testing, set the LOG_THRESHOLD_LEVEL and LOG_SECURITY_
THRESHOLD_LEVEL to TRACE. See Step 6a.

Note:

d.

Confirm that LOG_THRESHOLD_LEVEL and LOG_SECURITY_THRESHOLD_LEVEL are
at the same level or are consistent with each other, as described in Table 9–4 on
page 9-11. For example:



...




e.
3.

Save the oblog_config_wg.xml file.

Filtering User Password: Perform the following steps and see "About The Filter
List" on page 9-14:
In the filter list in oblog_config_wg.xml, add the User Password display name and
the corresponding attribute, and set the mask length for each. For example:

...




4.

Test secure logging and filtering of sensitive information as follows:
a.

In the oblog_config_wg.xml file, set the LOG_THRESHOLD_LEVEL and LOG_
SECURITY_THRESHOLD_LEVEL to TRACE:

...

b.

Perform a task that involves the component for which you have configured
secure logging. For example:
Access a resource
View or modify the value of the attribute in the user's profile: Home Phone (if
the filtered attribute is homePhone).

c.

Check the oblog and confirm that the filtered attribute value is masked by a
string like ***********.
Webgate_install_dir/access/oblix/log/oblog.log

d.

In the oblog_config_wg.xml file, reset the LOG_THRESHOLD_LEVEL and LOG_
SECURITY_THRESHOLD_LEVEL to the desired level for your enterprise.

e.

Adjust the mask length of filtered attributes if needed in the oblog_config_
wg.xml file. For example:



5.

Repeat Steps 1 through 6 for each component in your deployment with one or
more masked attributes.

9-28 Administrator's Guide for Oracle Access Management

10
Reporting
10

[1Oracle
]
Access Manager enables you to use Oracle BI Publisher as the reporting
solution for Oracle Access Management services. Access Manager provides a
restricted-use license for Oracle BI Publisher and easy-to-use reporting packages.

This chapter contains the following sections.
■

About the Reports

■

Accessing Oracle Access Management Reports

■

Supported Output Formats

■

Reports for Access Manager

■

Creating Reports Using Third-Party Software
For large-scale deployments, it is recommended that you
deploy a dedicated enterprise-class reporting solution. A solution
based on tools such as Oracle Business Intelligence Enterprise Edition
can provide the flexibility, automation, and performance required for
a large-scale organizations.

Note:

10.1 About the Reports
Oracle Access Management integrates with Oracle Business Intelligence Publisher,
which provides a pre-defined set of compliance reports. The data in the database audit
store is exposed through pre-defined reports in Oracle Business Intelligence Publisher.
These reports allow you to drill down the audit data based on various criteria, such as
user name, time range, application type, and execution context identifier (ECID).
Out-of-the-box, there are several sample audit reports available with Oracle Access
Management and accessible with Oracle Business Intelligence Publisher. You can also
use Oracle Business Intelligence Publisher to create your own custom reports.
Oracle BI Enterprise Edition (Oracle BI EE) is a comprehensive set of enterprise
business intelligence tools and infrastructure, including a scalable and efficient query
and analysis server, an ad-hoc query and analysis tool, interactive dashboards,
proactive intelligence and alerts, real-time predictive intelligence, and an enterprise
reporting engine. Oracle BI EE is designed to bring greater business visibility and
insight to a wide variety of users.
The components of Oracle Business Intelligence Enterprise Edition share a common
service-oriented architecture, data access services, analytic and calculation
infrastructure, metadata management services, semantic business model, security
model and user preferences, and administration tools. Oracle Business Intelligence

Reporting 10-1

Accessing Oracle Access Management Reports

Enterprise Edition provides scalability and performance with data-source specific
optimized analysis generation, optimized data access, advanced calculation, intelligent
caching services, and clustering. The following are Oracle Access Management
reporting features:
■

Select and view reports from a predefined list in the BI Publisher.

■

Filter report information.

■

View reports on-screen in the desired format.

■

Provide interactive reports.

10.2 Accessing Oracle Access Management Reports
To access Access Manager Reports, you must start BI Publisher and run them. BI
Publisher cannot be accessed through the Access Manager Console. You must open BI
publisher explicitly to access Access Manager reports.
Follow this procedure to start BI Publisher.
1.

Navigate to Start, Oracle BI Publisher Desktop, Oracle - BIPHome10134 and
click Start BI Publisher.
The Oracle BI Publisher Home page appears.

2.

Enter the user name and password.

3.

Click Sign In.

Follow this procedure to run a report.
1.

Start Access Manager Reports.
See "Accessing Oracle Access Management Reports" on page 10-2 for more
information.

2.

Click the more... link under Shared Folders.

3.

Click Access Manager Reports to access the reports.
Alternately, click the more... link under Access Manager Reports. The resulting
page displays the Access Manager Reports classified according to functional area.

4.

Select the report to view by clicking its name.

5.

Click View.
The Report Input Parameters page displays the input parameters that must be
provided to run a report. The parameters act as filter criteria. In some cases, at
least one or more fields are mandatory while some reports do not require any
input parameters. If you leave the input parameter field blank and click View, all
the information associated with the report is displayed.

6.

Enter the required parameters, if any.

7.

Click View to run the report.
The report is displayed.

10.3 Supported Output Formats
All BI Publisher reports are generated in a native XML format. This XML can be
transformed into other output formats. The following formats are supported:
■

HTML

10-2 Administrator's Guide for Oracle Access Management

Reports for Access Manager

■

PDF

■

RTF

■

MHTML

10.4 Reports for Access Manager
Access Manager Reports are classified based on functional area. For example, Access
Policy Reports, Attestation, Request and Approval Reports and Password Policy
Reports are available. (It is no longer named Operational and Historical.) Oracle
Access Manager Reports are classified into the following categories based on their
functional areas:
■

Account Management Reports

■

Authentication Reports

■

Errors and Exceptions

10.4.1 Account Management Reports
The Accounts_Locked_Out Report is the account management report that allows
administrators to view details about accounts that have been locked out.
Table 10–1

Accounts_Locked_Out Report Fields

Field

Description

User ID

Identifier of the locked out user

Timestamp

Time stamp of the lockout

Component/Application Name

Component from which the user has been locked out

Event Details

Additional information

10.4.2 Authentication Reports
Authentication reports allow administrators to view details regarding user
authentications. They include:
■

Authentication Statistics Report

■

AuthenticationFromIPByUser

■

AuthenticationPerIP

■

AuthenticationStatisticsPerServer Report

10.4.2.1 Authentication Statistics Report
This report contains details regarding failed and successful authentications.
Table 10–2

Authentication_statistics Report Fields

Field

Description

Failure

Failed (yes) or successful (no) authentication

Userid

Identifier of the user

Number of Events

Number of authentication events

Reporting 10-3

Reports for Access Manager

10.4.2.2 AuthenticationFromIPByUser
This report contains details regarding failed and successful authentications from a
particular IP address.
Table 10–3

AuthenticationFromIPByUser Report Fields

Field

Description

IP Address

IP address of the client

Distinct User Count

Number of distinct users

Total Attempts

Number of authentication attempts from this IP address

Users

List of users attempting authentication from this IP address

10.4.2.3 AuthenticationPerIP
This report contains details regarding failed and successful authentications from this
IP address.
Table 10–4

AuthenticationPerIP Report Fields

Field

Description

IP Address

IP address of the server

Distinct Users

Number of users authenticated

Total Number of Attempts

Number of authentication attempts (successful and failed)

10.4.2.4 AuthenticationStatisticsPerServer Report
This report contains details regarding failed and successful authentications from a
particular server instance.
Table 10–5

AuthenticationStatisticsPerServer Report Fields

Field

Description

Server Instance Name

Identifier of the server instance

Success Count

Number of successful authentications

Failure Count

Number of failed authentications

10.4.3 Errors and Exceptions
Error and exception reports allow administrators to view errors and exceptions logged
during the authentication process. They include:
■

All Errors and Exceptions

■

Authentication Failures

■

User Activities

■

Authentication History

■

Authorization History

■

Multiple Logins From Same IP

10.4.3.1 All Errors and Exceptions
This report contains details regarding errors and exceptions encountered during
runtime.
10-4 Administrator's Guide for Oracle Access Management

Reports for Access Manager

Table 10–6

All Errors and Exceptions Report Fields

Field

Description

User ID

Identifier of the locked out user

Timestamp

Time stamp of the lockout

Component/Application Name

Component from which the user has been locked out

Client IP Address

IP address of the client

Message Event

The error or exception

Event Details

Information regarding the error or exception

10.4.3.2 Authentication Failures
This report contains details regarding failed and successful authentications.
Table 10–7

Authentication Failures Report Fields

Field

Description

User ID

Identifier of the locked out user

Timestamp

Time stamp of the lockout

Component/Application Name

Component from which the user has been locked out

Client IP Address

IP address of the client

Authentication Method

Authentication method

Message Event Details

Message regarding the failed authentication

Authorization_Failures

Authorization failure

10.4.3.3 User Activities
There are no fields to define in this report.

10.4.3.4 Authentication History
This report contains details regarding failed and successful authentications.
Table 10–8

Authentication History Report Fields

Field

Description

User ID

Identifier of the locked out user

Timestamp

Time stamp of the lockout

Component/Application Name

Component from which the user has been locked out

Client IP Address

IP address of the client

Authentication Method

Authentication method

Message Event Details

Message regarding the failed authentication

Authorization_Failures

Authorization failure

10.4.3.5 Authorization History
This report contains details regarding failed and successful authorizations.

Reporting 10-5

Creating Reports Using Third-Party Software

Table 10–9

Authorization History Report Fields

Field

Description

User ID

Identifier of the locked out user

Timestamp

Time stamp of the lockout

Component/Application Name

Component from which the user has been locked out

Client IP Address

IP address of the client

Authentication Method

Authentication method

Message Event Details

Message regarding the failed authentication

Authorization_Failures

Authorization failure

10.4.3.6 Multiple Logins From Same IP
This report contains details regarding multiple logins from the same IP address.
Table 10–10

Multiple Logins From Same IP Report Fields

Field

Description

IP Address

IP address

Usernames Used

Identifiers of users

10.5 Creating Reports Using Third-Party Software
Access Manager supports the creation of reports by using third-party tools such as
Crystal Reports. To learn how to create reports by using third-party software, see the
third-party software documentation. Additional information on the audit schema and
creating custom reports can be found in the Oracle Fusion Middleware Application
Security Guide.

10-6 Administrator's Guide for Oracle Access Management

11
Monitoring Performance and Health
11

[12Monitoring
]
performance refers to observing (viewing) performance metrics to make
yourself aware of the state of specific components of Oracle Access Management.
Monitoring health allows perimeter devices to check the health of an Access Manager
server instance by hitting the heartbeat URL of the Managed Server.

This chapter contains the following sections on monitoring Oracle Access
Management performance and Access Manager health.
■

Introduction to Performance Monitoring

■

Monitoring Server Metrics Using Oracle Access Management Console

■

Monitoring SSO Agent Metrics Using Oracle Access Management Console

■

Introduction to OAM Proxy Metrics and Tuning

■

Monitoring Metrics Using the DMS Console

■

Monitoring the Health of an Access Manager Server
See Also:
■

Chapter 12 if you are using Oracle Enterprise Manager Fusion
Middleware Control

11.1 Introduction to Performance Monitoring
Component performance metrics can be collected in memory during the completion of
particular events. These metrics are kept only in memory so there are several
mechanisms to extract and display them including (but not limited to) Oracle
Enterprise Manager Fusion Middleware Control (FMW), the Oracle Dynamic
Monitoring Service (DMS) and the Oracle Process Manager and Notification Server
(OPMN).
■

■

■

FMW Control is a Web browser-based, graphical user interface that offers
monitoring options. See Chapter 12, "Monitoring Performance and Logs with
Fusion Middleware Control" for details.
DMS uses the DMS Spy Servlet to provide access to DMS metric data from a web
browser. Information is categorized by Noun Types; for Oracle Access
Management the prefix is OAMS.OAM_. See Monitoring Metrics Using the DMS
Console.
dmsdump is provided by DMS to take metrics from the servers based on
definitions in a dms configuration file. There are many OAM metrics exposed
when dms dumps are generated. See the Oracle Fusion Middleware Performance and
Tuning Guide for more details.

Monitoring Performance and Health

11-1

Monitoring Server Metrics Using Oracle Access Management Console

■

OPMN provides access to metrics using dmsdump. See the Oracle Fusion
Middleware Performance and Tuning Guide for more details.

11.2 Monitoring Server Metrics Using Oracle Access Management
Console
Users with valid Oracle Access Management Administrator credentials can log into
the Oracle Access Management Console and monitor various performance metrics.
This section provides the following topics:
■

Monitoring Server Instance Performance

■

Reviewing Server Metrics

11.2.1 Monitoring Server Instance Performance
Users with valid Oracle Access Management Administrator credentials can monitor
performance for Access Manager using the Monitoring command on the Actions menu
under the System Configuration tab using the Oracle Access Management Console.
See Section 2.4, "Understanding the Oracle Access Management Console" for details.
Before you begin, the OAM Server must be running.
1.

From the Oracle Access Management Console, click Server Instances and the
desired server instance.

2.

Server Instance:
a.

From the Actions menu in the navigation tree, click Monitor Menu.

b.

On the Monitor page, click the desired subtab to view results for the server
instance:
Server Processes Overview
Session Operations
Server Operations
WebGates

c.
3.

Proceed to "Reviewing Server Metrics."

See also, "Introduction to OAM Proxy Metrics and Tuning" on page 11-10.

11.2.2 Reviewing Server Metrics
This topic provides a look at the Server metrics available through the Monitor option
from the Server Instances tab in the Configuration section of the console. Figure 11–1
shows the Server Processes page.

11-2 Administrator's Guide for Oracle Access Management

Monitoring Server Metrics Using Oracle Access Management Console

Figure 11–1 Server Processes Overview Page

Server Processes Overview provides the following OAM Server events, organized in
individual columns on the tab.
Table 11–1

OAM Server Metrics: Server Processes Overview Tab

Server Metric Columns
Authorization Process
Authorization Requests
Authentication Process Failure
Authentication Process Success
Pre Authentication Process Failure
Pre Authentication Process Success

Figure 11–2 shows the Session Operations tab.

Monitoring Performance and Health

11-3

Monitoring Server Metrics Using Oracle Access Management Console

Figure 11–2 OAM Server Metrics: Session Operations Monitoring Page

OAM Server Session Operations metrics include:
Table 11–2

OAM Server Metrics: Session Operations

Session Operations
Check Session Valid
Check Session Valid Failure
Check Session Valid Success
Create Session
Create Session Failure
Create Session Success
Destroy Session
Destroy Session Failure
Destroy Session Success
Delete Client Session
Delete Client Session Failure

Figure 11–3 shows the Server Operations tab.

11-4 Administrator's Guide for Oracle Access Management

Monitoring Server Metrics Using Oracle Access Management Console

Figure 11–3 OAM Server Metrics: Server Operations Tab

OAM Server Operations metrics include those in Table 11–3.
Table 11–3

OAM Server Metrics: Server Operations Tab

OAM Server: Operations Metrics
Authentication Policy Response Failure
Authentication Policy Response Success
Authentication Scheme Response Failure
Authentication Scheme Response Success
Authentication Failure
Authentication Failure Responses
Authentication Policy Response
Authentication Requests
Authentication Scheme Response
Authorization Failure
Authorization Failure
Authorization Process Failure
Authorization Process Success

Figure 11–4 shows the OAM Server Metrics: WebGates tab with all available metrics
showing.

Monitoring Performance and Health

11-5

Monitoring SSO Agent Metrics Using Oracle Access Management Console

Figure 11–4 OAM Server Metrics: WebGates Tab

WebGate performance metrics include:
■

Agent Name

■

Agent Status

■

Version

11.3 Monitoring SSO Agent Metrics Using Oracle Access Management
Console
This section describes how to review metrics for various components and how to
determine whether tuning is needed. Users with valid Oracle Access Management
Administrator credentials can use the following procedure to display various SSO
Agent performance metrics using the Oracle Access Management Console.
Before you begin, the server and agent must be running.
1.

In the Oracle Access Management Console, click Application Security at the top
of the window.

2.

In the Application Security console, click Agents.

3.

In the Search SSO Agents page, select the desired agent type tab:
■

WebGates

■

OSSO Agents

■

OpenSSO Agents
This Agent can only be monitored using OpenSSO Proxy behavior with
respect to Agent Requests. See Monitoring OpenSSO Proxy Metrics.

4.

Search for the agent you want to monitor.

5.

In the Search Results table, highlight the desired agent SerialNumber and from the
Actions menu select Monitor.

6.

Proceed as needed.
■

Reviewing WebGate Metrics

■

Reviewing OSSO Agent Metrics

11.3.1 Reviewing WebGate Metrics
WebGate metrics are organized across the following tabs:
■

Connectivity

■

Operations Overview

11-6 Administrator's Guide for Oracle Access Management

Monitoring SSO Agent Metrics Using Oracle Access Management Console

■

Operations Detail

■

Information
See Also: Oracle Fusion Middleware Performance and Tuning
Guide

Following figures illustrate detached tables for one Webgate with all possible metrics
displayed for each:
■

Figure 11–5, "Webgate Metrics: Connectivity Table"

■

Figure 11–6, "Webgate Metrics: Operations Overview Table"

■

Figure 11–7, "Webgate Metrics: Operations Detail Table"

■

Figure 11–8, "Webgate Metrics: Detached Information Table"

Figure 11–5 Webgate Metrics: Connectivity Table

Figure 11–6 Webgate Metrics: Operations Overview Table

Figure 11–7 Webgate Metrics: Operations Detail Table

Monitoring Performance and Health

11-7

Monitoring SSO Agent Metrics Using Oracle Access Management Console

Figure 11–8 Webgate Metrics: Detached Information Table

11.3.2 Reviewing OSSO Agent Metrics
When you have an OSSO Agent selected OSSO Agents Search Results table and
choose Monitor from the table's Actions menu, the following metrics pages are
available:
■

Figure 11–10, "OSSO Agent Monitoring Process Overview Table"

■

Figure 11–11, "OSSO Agent Operation Details Table"

Figure 11–9 OSSO Agent Monitoring Page with Operation Details

Figure 11–10 illustrates the OSSO Agent Monitoring Process Overview table.

11-8 Administrator's Guide for Oracle Access Management

Monitoring SSO Agent Metrics Using Oracle Access Management Console

Figure 11–10

OSSO Agent Monitoring Process Overview Table

Figure 11–11 illustrates the OSSO Agent Operation Details table.
Figure 11–11

OSSO Agent Operation Details Table

Monitoring Performance and Health

11-9

Introduction to OAM Proxy Metrics and Tuning

11.4 Introduction to OAM Proxy Metrics and Tuning
This section provides the following topics:
■

About OAM Proxy Metrics

■

OAM Proxy Server Tuning Parameters
See Also:
■

"OpenSSO Proxy Events and Metrics: Server" on page 11-13

■

Oracle Fusion Middleware Performance and Tuning Guide

11.4.1 About OAM Proxy Metrics
Throughput refers to the number of requests processed per second. Latency refers to
the time required to process a particular request. There is less than a 20% latency
increase with the introduction of a proxy between WebGate and OAM Server.
Table 11–4 lists the various OAM Proxy metrics available.
Table 11–4

OAM Proxy Metrics

Metric

Description

handshakes.active

Number of active threads doing handshake

handshakes.avg

Average time spent performing initial handshake

handshakes.completed

Number of times an initial handshake has been executed

handshakes.maxTime

Maximum time spent performing initial handshake

handshakes.minTime

Minimum time spent performing initial handshake

handshakes.time

Total time spent performing initial handshake

failedHandshakes.count

Count of failed handshakes

peerCompatibilityFailures.c Count of how many Peer Compatibility Check Failures have
ount
happened
openSecurityMode.count

Count of how many Open Security Mode handshakes have
happened

simpleSecurityMode.count

Count of how many Simple Security mode handshakes have
happened

SSLSecurityMode.count

Count of how many SSL Security Mode handshakes have
happened

negotiateSecurityMode.acti Number of active threads doing security mode negotiation
ve

11.4.2 OAM Proxy Server Tuning Parameters
Performance of the OAM Proxy can be tuned by changing its configuration through
the Java EE container Administration Console.
Both the Java EE container Administrator and the Oracle
Access Management Administrator can tune performance using the
Java EE container Administration Console, which is outside the scope
of this book.

Note:

Table 11–5 provides the tuning parameters for the OAM Proxy.
11-10 Administrator's Guide for Oracle Access Management

Monitoring Metrics Using the DMS Console

Table 11–5

OAM Proxy Tuning Parameters

Purpose

Parameter

Type

Value

Description

Denial of
Service
Attacks

ConnectionValidationInterval

Integer

120

The time interval in seconds for
validating the connections
periodically for denial of service
attacks

BacklogQueue

Integer

50

Maximum length of backlog
queue

MaxNAPHandShakeTime

Integer

100

The maximum time in
milliseconds within which the
client should complete the NAP
handshake with client. If NAP
handshake over a connection is
not completed within this time,
the connection will be marked as
malicious

11.5 Monitoring Metrics Using the DMS Console
Oracle Access Management uses the Oracle Dynamic Monitoring Systems (DMS) to
measure application-specific performance information for OAM Servers and registered
Agents. The metrics can be used to monitor the time spent in a particular area, or track
particular occurrences or state changes. To access the DMS console, type the following
URL in a browser window and log in with your Oracle Access Management
Administrator credentials.
http:// /oracle_common/bin/orapki wallet add
-wallet $DOMAIN_HOME/output/$Agent_Name/cwallet.sso -trusted_cert
-cert  -auto_login_only

13.5.5 Tuning the Simple Mode WebGate
If using a simple mode WebGate, you can improve the response time of the OAM login
page by changing the aaaTimeoutThreshold time parameter in the WebGate profile
from -1 to 10. For detailed information about the AAA Timeout Threshold
configuration element, see Table 15–3, " Elements on Expanded 11g and 10g
WebGate/Access Client Registration Pages" in Chapter 15.

13.6 Managing Run Time Policy Evaluation Caches
This section explains:
■

About Run Time Policy Evaluation Caches

■

Managing Run Time Policy Evaluation Caches
See Also:

"About Run Time Resource Evaluation" on page 25-26

13.6.1 About Run Time Policy Evaluation Caches
Figure 13–4 illustrates the Policy section of the Access Manager Settings page. This
section provides settings for the Resource Matching Cache and the Authorization
Result Cache, which come into play during policy evaluation at run time.
Configuring Access Manager Settings 13-9

Managing Run Time Policy Evaluation Caches

Figure 13–4 Common Policy Evaluation Caches

Table 13–8 outlines these global settings that apply to all servers and requests.
Table 13–8

Policy Evaluation Caches

Element

Description

Resource Matching Cache

Caches mappings between the requested URL and the policy holding
the resource pattern that applies to the URL.
Default Values:

Authorization Result Cache

■

Maximum Size 100000

Zero disables the cache

■

Time to Live (seconds) 3600

Zero disables Time to Live

Caches policy decisions for the requested URL and user.
Default Values:
■

Maximum Size 100000

Zero disables the cache

■

Maximum Size per User 100

Zero disables the cache

■

Time to Live (seconds) 3600

Zero disables Time to Live

See Also: Oracle Fusion Middleware Performance and Tuning Guide

13.6.2 Managing Run Time Policy Evaluation Caches
Administrators can use this procedure to manage the Access Manager common run
time policy evaluation cache settings.
See Also:

Guide

■

Oracle Fusion Middleware High Availability Guide

■

Oracle Fusion Middleware Performance and Tuning Guide

1.

In the Oracle Access Management Console, click Configuration at the top of the
window.

2.

In the Configuration console, select Access Manager from the View menu in the
Settings section.

3.

Expand the Policy section.

4.

Resource Matching Cache: Specify details and click apply (Table 13–8).

5.

Authorization Result Cache: Specify details and click apply (Table 13–8).

6.

Click Apply to submit the changes and dismiss the Confirmation window (or
close the page without applying changes).

13-10 Administrator's Guide for Oracle Access Management

14
Introduction to Agents and Registration
14

An agent (also known as a single sign-on agent or policy-enforcement agent) is any
front-ending entity that acts as an access client to enable single sign-on across
enterprise applications. Individual agents must be registered with Access Manager 11g
to set up the required trust mechanism between the agent and OAM Server. Registered
agents delegate authentication tasks to the OAM Server.
This chapter includes the following topics to give you an overview of agents, their
registration and management, processing, and tools.
■

Introduction to Policy Enforcement Agents

■

Introduction to Agent Registration

■

Introduction to Remote Registration

14.1 Introduction to Policy Enforcement Agents
An agent is a software plug-in that can be installed on a Web server (such as Oracle
HTTP Server) where the application resides. To secure access to protected resources, a
Web server, Application Server, or third-party application must be associated with an
agent that is registered with Access Manager. To spare users from re-authenticating
when accessing multiple resources, the application delegates the authentication
function to the single sign-on (SSO) provider: Access Manager.
During agent registration, the application can be automatically registered and basic
policies automatically generated. Alternatively, you can turn off automatic policy
generation during Agent registration and manually create policies.
After registration, the Agent acts as a filter for HTTP/HTTPS requests, communicating
between the OAM Server and its services. The Agent intercepts requests for resources
protected by Access Manager and works with Access Manager to fulfill access
requirements. The following sections introduce the types of agents.
■

About Agent Types and Runtime Processing

■

About 11g WebGate Configured as a Detached Credential Collector

■

About 11g WebGate Functionality for Mobile and Social

■

About the Pre-Registered 10g WebGate IAMSuiteAgent

14.1.1 About Agent Types and Runtime Processing
With Access Manager 11.1.2, each Agent acts as a filter for requests. Your deployment
can include the agent types described in Table 14–1, in any combination.

Introduction to Agents and Registration

14-1

Introduction to Policy Enforcement Agents

Table 14–1

Agent Types

Agent Type

Description

OAM Agents

OAM Agents must be installed independently, following Oracle Access
Management installation. After registering the agent with Access Manager,
the agent communicates directly with registered OAM Servers and Access
Manager services. OAM Agents communicate with Access Manager using
the OAM Proxy to "sanitize" the request and respond identically for all
agents. The following OAM Agents types are available:

Note: Unless explicitly
stated, the terms Webgate
and Access Client are used
interchangeably.

■

Webgate: An out of an box Web server access client that intercepts
HTTP requests for Web resources and forwards these to the OAM
Server. WebGates for various Web servers are shipped with Access
Manager.
11g WebGates (Chapter 30) provide:
Oracle Universal Installer for platform
Host-based cookie
Individual WebGate OAMAuthnCookie_
Resource to Authorization Policy
Authorization Result
Webgate Authorization Caching
Diagnostic page to tune parameters
Capability to act as a detached credential collector
See Also:
"About 11g WebGate Functionality for Mobile and Social"
"About 11g WebGate Configured as a Detached Credential Collector"
Oracle Fusion Middleware Performance and Tuning Guide
10g WebGates provide
InstallShield and One installer per platform
Domain-based cookie
ObSSOCookie (one for all 10g WebGates)
Web server configuration
See Also: 10g Pre-registered IAMSuiteAgent in this table and
Chapter 30

■

IAMSuiteAgent
a Pre-registered OAM 10g
Agent

Custom, Programmatic Access Clients: Access Manager provides a
pure Java software developer kit (SDK). Use this SDK to create custom
Access Clients and extensions for Access Manager authentication and
authorization functionality (and custom tokens). An Access Client
processes requests for Web and non-Web resources (non-HTTP) from
users or applications. See details in the Oracle Fusion Middleware
Developer's Guide for Oracle Access Management.

This pre-registered 10g agent provides single sign-on functionality for the
IAM suite of consoles. The IAM Suite Agent includes a companion
Application Domain (IAMSuite) and basic policies that should not be
modified.
See Also: About the Pre-Registered 10g WebGate IAMSuiteAgent on
page 14-5

Legacy OSSO Agents

mod_osso is part of the OracleAS 10g single sign-on (OSSO) solution that
authenticates users at a central OSSO Server. The mod_osso module is an
Oracle HTTP Server module that provides authentication to OracleAS
applications.
After registration with Access Manager, OSSO 10g Agents communicate
directly with Access Manager 11g services through an OSSO proxy. The
OSSO proxy supports existing OSSO agents when upgrading to Access
Manager. The OSSO proxy handles requests from OSSO Agents and
translates the OSSO protocol into a protocol for Access Manager 11g
authentication services.
Access Manager gives mod_osso the redirect URL for the user based on the
authentication scheme associated with the OAM policy defined for the
resource
See Also: Chapter 29, "Registering and Managing Legacy OSSO Agents" as
well as the following topics:

14-2 Administrator's Guide for Oracle Access Management

Introduction to Policy Enforcement Agents

Table 14–1 (Cont.) Agent Types
Agent Type

Description

Legacy OpenSSO Agents

Java Agents are deployed J2EE containers to work with the OpenSSO
server. Web Agents can be deployed on any Web or Servlet container. Each
OpenSSO Agent is a filter that is plugged into the container (Oracle
WebLogic Server, JBoss, Apache, and so on) that hosts applications.
Access Manager provides an OpenSSO Proxy to handle requests for
resources protected by OpenSSO Agents:
Scope can be Host- or Domain-based
OpenSSO Agent key stored locally (Agent bootstrap file, Agent host)
See Also: Chapter 28, "Registering and Managing Legacy OpenSSO
Agents".

Table 14–2 introduces Access Manager features that support agent registration,
configuration, management, and single-sign on. Links to topics providing more
information are included.
Table 14–2

Agent Registration and SSO Support

Oracle Provides

Description

Oracle Access Management Console

Agent Registration, Configuration, Management.
See Also: "Registering an OAM Agent Using the Console" on page 15-13

oamreg tool

Remote Agent Registration and Management
See Also: "Acquiring and Setting Up the Remote Registration Tool". on
page 15-33

SSO Implementations

Access Manager supports numerous SSO scenarios.
See Also: "Introducing Access Manager Single Sign-On" on page 21-1

Protocols that secure information
exchange on the Internet

This depends on the credential collector you choose.

Login and Logout Forms

The location of the login and logout forms depends on the credential collector.

See Also: Table 22–5, " Comparing the DCC and ECC"

See Also: Table 22–5, " Comparing the DCC and ECC" and Chapter 27
Cryptographic keys

One key is generated and used per registered mod_osso or 11g Webgate.
However, one single key is generated for all 10g Webgates.
See Also: Table 1–2, " Features in Access Manager 11.1.2"

Keys storage

■

■

Agent side: A per agent key is stored locally in the Oracle Secret Store in a
wallet file.
OAM Server side: A per agent key, and server key, are stored in the
credential store on the server side.

Table 14–3 provides run time processing information for OAM Agents.
See Also:

"Understanding Credential Collection and Login"

Introduction to Agents and Registration

14-3

Introduction to Policy Enforcement Agents

Table 14–3

Run Time Processing Overview for Access Manager

Agent Type

Description

11g WebGates

After installation and registration, 11g WebGates communicate with Access Manager
using the OAM Proxy to "sanitize" the request and respond identically for all agents.

11g Access Clients

Process overview, Authentication Request without OAMAuthnCookie: When a
request for a resource protected by Basic authentication scheme comes without an
authorization header (credentials)
1.

WebGate redirects through the front channel to either Embedded or Detached
Credential Collector (depending on scheme configuration) to collect credentials.

2.

Credential Collector collects user credentials based on the challenge method
defined for the authentication scheme.

3.

User is authenticated; OAM Proxy (Embedded Collector) or Detached Collector
itself (DCC) communicates with the OAM Server through the back channel
protocol for the token and returns a response through the front channel with a
token issued by the OAM Server.

4.

WebGate validates the response, extracts the authentication token issued by the
OAM Server, and sets a token in OAMAuthnCookie.

5.

WebGate is redirected to the requested resource, with the newly set
OAMAuthnCookie attached.

6.

WebGate validates the OAMAuthnCookie, performs authorization through the
back channel, and serves the page when authorization is successful.

Process overview, Basic Authentication: When a request for a resource protected by
Basic authentication scheme comes without an authorization header (credentials)
1.

WebGate responds with WWW-Authenticate header containing the realm
mentioned in the authentication scheme with status code 401(authorization
required).

2.

Browser client interprets the WWW-Authenticate header and collects credentials
from user.

3.

Browser client performs request again with authorization header containing
credentials.

See Also:
"About 11g WebGate Configured as a Detached Credential Collector" on page 14-4
"About 11g WebGate Functionality for Mobile and Social" on page 14-5
10g Webgates
10g Access Clients

After installation and registration, 10g WebGates communicate directly with Access
Manager using the OAM proxy, which acts as a bridge.
See Also:
■
■

■

■

IAMSuiteAgent for details about this agent and Application Domain.
Chapter 30 for details about registering legacy 10g WebGates with Access
Manager.
Appendix A for details about legacy 10g WebGates currently operating with Web
Applications coded for Oracle ADF Security and the OPSS SSO Framework.
Oracle Fusion Middleware Application Security Guide for details about legacy 10g
Webgates configured as the Identity Assertion Provider (IAP) for SSO (for
applications using WebLogic container-based security with Access Manager 11g
(or Oracle Access Manager 10g).

OpenSSO Agents

See Also: "Runtime Processing Between OpenSSO Agents and Access Manager" on
page 28-6.

OSSO Agent
(mod_osso 10g)

See: "Understanding OSSO Agents with Access Manager" on page 29-1.

14.1.2 About 11g WebGate Configured as a Detached Credential Collector
With Oracle Access Manager 11.1.1, the Embedded Credential Collector (ECC) is the
default. The ECC was and is integrated with the OAM Server.
Access Manager 11.1.2 also supports the ECC by default. However, Access Manager
11.1.2 also enables you to configure an 11g WebGate to use a detached credential

14-4 Administrator's Guide for Oracle Access Management

Introduction to Agent Registration

collector (DCC). The DCC is considered more secure when compared to the default
ECC.
An 11g WebGate configured to act as a DCC is known as an Authenticating WebGate.
WebGates that protect resources are known as Resource WebGates.
See Also: "Configuring 11g WebGates and Authentication Policy for
DCC"

14.1.3 About 11g WebGate Functionality for Mobile and Social
WebGates interact with the client to perform authentication and authorization; this
involves redirection to collect credentials, set the cookie to hold the session, report
errors, and so on. WebGates work with browser clients, which usually have all the
support required for this interaction end to end. However, there are cases where a
non-browser client making REST calls directly needs to access resources and perform
authentication and authorization. This use case can be addressed with Mobile and
Social.
Mobile and Social support is enabled using two user-defined parameters within the
WebGate agent registration page. Mobile and Social services use a programmatic
non-browser client with Access Manager. For details, see the following
documentation.
■

Part XI, "Managing Oracle Access Management Mobile and Social"

■

Oracle Fusion Middleware Developer's Guide for Oracle Access Management

14.1.4 About the Pre-Registered 10g WebGate IAMSuiteAgent
This 10g WebGate and the companion Application Domain provides single sign-on
functionality for the IDM Administration Console. IAMSuiteAgent is installed and
pre-configured for this purpose as part of the initial OAM Server installation and
configuration.
Oracle strongly recommends that you do not alter IAMSuiteAgent and the companion
Application Domain. However, you can replace the IAMSuiteAgent with a fresh 10g
WebGate. For details, see the following sections.
■

"Replacing the IAMSuiteAgent with an 11g WebGate" on page 15-42

■

"Configuring Centralized Logout for IAMSuiteAgent" on page 30-10

■

"Bundled 10g IAMSuiteAgent Artifacts" on page D-1

14.2 Introduction to Agent Registration
You can use either the Oracle Access Management Console or the remote registration
tool for Agent registration and updates. Unless explicitly stated, information in this
section applies to agent registration using either of these tools. This section provides
the following details.
■

About Agent Registration, Keys, and Policies

■

About File System Changes and Artifacts for Registered Agents

Introduction to Agents and Registration

14-5

Introduction to Agent Registration

14.2.1 About Agent Registration, Keys, and Policies
Administrators must register each Agent to operate with Access Manager. Only
registered agents can communicate with an OAM Server, and process information for
a user attempting to access a protected resource.
The agent is presumed to reside on the computer hosting the
application to be protected. However, it can reside on a proxy Web
server and the application on a different host.

Note:

An agent key and partner key are created during registration. You can also create
policies to protect the application during agent registration. If you choose to
automatically create policies during agent registration, a host identifier and
Application Domain are created with basic policies and resource definitions. Later on,
you can view and manage the Application Domain and policies.
You can register multiple WebGates or Access Clients under a
single host identifier, with the same Application Domain and policies,
as follows:

Note:

1.

When you register a WebGate, allow the process to create a host identifier
(a name of your choice), and enable "Auto Create Policies".

2.

Register a second WebGate with the same host identifier as Step 1, and
clear the "Auto Create Policies" box to eliminate policy creation.

Following a successful registration (using either the console or remote registration
tool), the full agent registration appears in the Oracle Access Management Console
and is propagated to all Managed Servers in the cluster. Table 14–4 identifies the keys
and policies generated during agent registration.
Table 14–4

Keys and Policies Generated During Agent Registration

Keys and Policies

Accessible to

One key per 11g WebGate Agent

■

OAM Server

One key for all 10g Agents

Accessible through
■

■

One key per OpenSSO Agent stored in
local Agent bootstrap file

Client-side: Secure local storage
on the client host (a local wallet
file)
Server side: The Java Keystore

One key per OSSO Agent
See Also: "About Key Use, Generation,
Provisioning, and Storage" on page 15-27
Partner key for the application

■

11g WebGate

Client-side

Administrators can view, modify, or
remove a registered agent using either
the Oracle Access Management
Console or custom WLST commands
for Access Manager

Oracle Access Management Console
Policy Configuration
Application Domains
DomainName

(None for OpenSSO Agents)
Application Domain and default Policies
are generated during Agent registration on
demand:
■
■

■

■

Named for the Agent
Populated with default
authentication and authorization
policies (but not Token Issuance
Policies)
Identified by the same host identifier
that was specified for the Agent
during registration

■

All agent types at run time monitor
attempts to access a Web site and use
OAM Servers to provide
authentication and authorization
services before completing the request

14-6 Administrator's Guide for Oracle Access Management

Introduction to Agent Registration

14.2.2 About File System Changes and Artifacts for Registered Agents
When you register an agent using the Oracle Access Management Console, a new file
system directory is created for the Agent on the Oracle Access Management Console
host (AdminServer). This new directory includes generated files for the registered
agent, as described in Table 14–5.
Table 14–5

Artifacts Associated with Agent Registration

Registration Artifact

Generated for ...

All WebGates or Access Client

All WebGates/Access Clients on the console host (AdminServer).

ObAccessClient.xml

During run time, periodic update checks are made. ObAccessClient is updated
automatically when a change is discovered.
Note: The pre-registered 10g IAMSuiteAgent does not use ObAccessClient.xml for
bootstrap or configuration.
See Also: Properties files generated on the client in this table.

cwallet.sso

11g WebGates, regardless of the transport security mode.

11g WebGate only
Certificate and password files for secure
communication

All WebGates/Access Clients. For example:
■
■

■

password.xml (nominally encrypted file for Simple Mode Global passphrase)
aaa_cert.pem (reserved name for WebGate certificate file, which cannot be
changed)
aaa_key.pem (reserved name for WebGate key file, which cannot be changed)

Cert Mode:
■

PEM keystore Alias

■

PEM keystore Alias Password

Note: When editing an 11g WebGate registration, password.xml is updated only when
the mode is changed from Open to Cert or Simple to Cert. In Cert mode, once
generated, password.xml cannot be updated. Editing the agent Key Password does not
result in creation of a new password.xml.
See: Chapter 13 for details about Simple and Cert mode transport security)
OpenSSO Properties files

See: Chapter 28, "Registering and Managing Legacy OpenSSO Agents"

osso.conf file

See: Chapter 29, "Registering and Managing Legacy OSSO Agents"

Generated or updated artifacts must be copied from the console host (AdminServer)
into the agent's installation directory, as shown in Table 14–6.
Table 14–6

Copying Generated Artifacts

Agent Type & Artifacts

Copy Generated Artifacts to Agent Installation Directory ...

ObAccessClient.xml

Before agent startup, copy the ObAccessClient file (and cwallet.sso) from the
generated location (AdminServer (Console) host) to the agent installation directory.

(and 11g WebGate cwallet.sso)

See: Chapter 15, "Registering and Managing OAM 11g Agents"
11g WebGate or Access Client
ObAccessClient.xml
10g WebGate or Access Client

Before agent startup, copy ObAccessClient.xml from the generated location to the
agent installation directory. For example, from the AdminServer (Console) host:
Note: The pre-registered IAMSuiteAgent does not use ObAccessClient.xml and
should not be modified.
See: Chapter 30, "Registering and Managing 10g WebGates with Access Manager
11g"

OpenSSO Agent Properties Files

See: Chapter 28, "Registering and Managing Legacy OpenSSO Agents"

10g OSSO Agent osso.conf

See: Chapter 29, "Registering and Managing Legacy OSSO Agents"

Introduction to Agents and Registration

14-7

Introduction to Remote Registration

14.3 Introduction to Remote Registration
As an alternative to using the Console for agent registration, you can use the remote
registration utility, oamreg, with Oracle-provided templates. The user of the remote
registration script can be a part of any group that is mapped against the
Administrator's Role in the primary user-identity store for Access Manager
(Chapter 5).
Secure registration and creation of an Application Domain (as well as Symmetric key
generation) is supported using either remote registration mode described in
Table 14–7.
Table 14–7

Remote Registration Methods

Method

Description

In-band mode

For Administrators within the network who manage the Web server that hosts
the agent can use this mode or the Oracle Access Management Console.

Out-of-band mode

Administrators outside the network must submit registration requests to an
Administrator within the network. After processing the request, the in-band
Administrator returns the files required by the out-of-band Administrator who
uses the files to configure his environment.

Symmetric key generation per Application: One key is generated and used per
registered mod_osso or 11g WebGate. However, one single key only is generated for all
10g WebGates.
Registration of legacy Agents (10g WebGate, OpenSSO, and
OSSO 10g) is also supported.

Note:

Table 14–8 describes functionality that is not supported:
Table 14–8

Remote Registration Does Not Support

Not Supported with Remote Registration
Persistence of the Key and Agent Information
Generation of Keys used by internal components
API support for reading Agent information

For more information on the registration modes, see the following sections:
■

Performing In-Band Remote Registration

■

Performing Out-of-Band Remote Registration

■

Updating Agent Configuration Files

Chapter 15 has additional details.

14.3.1 Performing In-Band Remote Registration
Following is a brief overview of in-band Web server Administrator tasks for
provisioning an application using the remote registration tool. Unless explicitly stated,
tasks are the same regardless of the type of agent you have protecting resources.
In this overview, the term "Administrator" refers to any user within the network who
is part of the LDAP group that is designated for Administrators in the Default System
User Identity Store registered with Oracle Access Management.

14-8 Administrator's Guide for Oracle Access Management

Introduction to Remote Registration

1.

Acquire the registration tool as described in "Acquiring and Setting Up the Remote
Registration Tool" on page 15-33.

2.

Update the input file with unique values for the agent and Application Domain as
described in "Creating Your Remote Registration Request" on page 15-34.

3.

Run the registration tool to configure the Agent and create a default Application
Domain for the resources, as described in "Performing In-Band Remote
Registration" on page 15-34.

4.

Validate the configuration as described in "Validating Remote Registration and
Resource Protection" on page 15-40.

5.

Perform access checks to validate that the configuration is working, as described
in "Verifying Authentication and Access After Remote Registration" on page 15-40.

14.3.2 Performing Out-of-Band Remote Registration
The term out-of-band registration refers to manual registration that involves
coordination and actions by both the in-band Administrator and the out-of-band
Administrator. Following is a brief overview of out-of-band remote registration (when
the Agent is outside the network).
1.

Out-of-band Administrator: Creates a starting request input file containing
specific application and agent details and submits it to the in-band Administrator.
■

■

■

2.

Acquire the registration tool as described in "Acquiring and Setting Up the
Remote Registration Tool" on page 15-33.
Copy and edit a template to input unique values for the agent and Application
Domain as described in "Creating Your Remote Registration Request" on
page 15-34.
Submit the starting request input file to the in-band Administrator using a
method you choose (email or file transfer).

In-band Administrator:
■

■

Acquire the registration tool as described in "Acquiring and Setting Up the
Remote Registration Tool" on page 15-33.
Use the out-of-band starting request with the registration tool to provision the
agent and create the following files to return to the out-of-band Administrator.
See "Performing Out-of-Band Remote Registration" on page 15-35 for details:
–

agentName_Response.xml is generated for the out of band Administrator
to use in Step 3.

–

OAM Agents: A modified ObAccessClient.xml file is created (and the 11g
WebGate cwallet.sso file), which the out-of-band Administrator can use to
bootstrap the WebGate.
11g WebGates: SSO wallet creation.

3.

–

OSSO Agents: A modified osso.conf file is created for the out-of-band
Administrator to bootstrap the OSSO module.

–

OpenSSO Agents: A modified version of the OpenSSO properties files are
generated.

Out-of-band Administrator: Uses the registration tool with the agentName_
Response.xml file and copies the Agent configuration and any other generated
artifacts to the appropriate file system directory.

Introduction to Agents and Registration

14-9

Introduction to Remote Registration

Note: In outofband mode, the in-band Administrator uses the
starting request file submitted by the out-of-band Administrator, and
returns a generated agentName_Response.xml file to the out-of-band
Administrator for additional processing. The out-of-band
Administrator runs the remote registration tool with agentName_
Response.xml as input to generate agent configuration files.
4.

In-band Administrator: Validates the configuration as described in "Validating
Remote Registration and Resource Protection" on page 15-40.

5.

Out-of-band Administrator: Performs several access checks to validate that the
configuration is working, as described in "Verifying Authentication and Access
After Remote Registration" on page 15-40.
See Also:
■
■

"Updating Agent Configuration Files" on page 14-10
"Understanding the Remote Registration Tool, Modes, and
Process" on page 15-24

14.3.3 Updating Agent Configuration Files
After a successful registration (or update), you must locate the Agent configuration
files on the AdminServer (console) host and copy these to the Agent host, as described
in Table 14–9.
Table 14–9

Agent Registration and Configuration Update Artifacts

Artifacts For ...

Description

Simple or Cert mode

If Simple or Cert mode is used, certificate artifacts must also be copied to
the Agent host following registration.
See Also: Appendix C, "Securing Communication"

11g OAM Agents
(WebGate/Access Client)

See Also: Chapter 15, "Registering and Managing OAM 11g Agents"

10g OAM Agents
(WebGate/Access Client)

See Also: Chapter 30, "Registering and Managing 10g WebGates with
Access Manager 11g"

OSSO Agent

See Also: Chapter 29, "Registering and Managing Legacy OSSO Agents"

OpenSSO Agent

See Also: Chapter 28, "Registering and Managing Legacy OpenSSO Agents"

14-10 Administrator's Guide for Oracle Access Management

15
Registering and Managing OAM 11g Agents
15

[14This
]
chapter provides information on registration and management of 11g WebGates
(and the programmatic equivalent, Access Clients) using either the Oracle Access
Management Console or the remote registration command-line utility. During
registration, you can identify specific applications to be protected by Access Manager
policies.

This chapter includes the following topics:
■

Before Registering and Managing Agents

■

Understanding OAM Agent Registration Parameters in the Console

■

Registering an OAM Agent Using the Console

■

Configuring and Managing Registered OAM Agents Using the Console

■

Understanding the Remote Registration Tool, Modes, and Process

■

Understanding Remote Registration Templates: OAM Agents

■

Performing Remote Registration for OAM Agents

■

Introduction to Updating Agents Remotely

■

Updating Agents Remotely

■

Validating Remote Registration and Resource Protection

■

Replacing the IAMSuiteAgent with an 11g WebGate

■

Managing the Preferred Host in 10g WebGates

15.1 Before Registering and Managing Agents
Before you can perform tasks in this chapter, ensure that the Oracle Access
Management Console host (AdminServer) and a managed OAM Server are running.
See Also:
■
■

The following, as needed for your environment.

Chapter 14, "Introduction to Agents and Registration"
"Managing Policies and Application Domains Remotely" on
page 25-82

■

Chapter 28, "Registering and Managing Legacy OpenSSO Agents"

■

Chapter 29, "Registering and Managing Legacy OSSO Agents"

■

Chapter 30, "Registering and Managing 10g WebGates with
Access Manager 11g"

Registering and Managing OAM 11g Agents 15-1

Understanding OAM Agent Registration Parameters in the Console

15.2 Understanding OAM Agent Registration Parameters in the Console
This section describes OAM Agent registration parameters. Unless explicitly stated,
the information here applies equally to both 11g and 10g WebGates, including
programmatic Access Clients. Topics include:
■

About Create OAM WebGate Page and Parameters

■

About User-Defined WebGate Parameters

■

About IP Address Validation for WebGates

15.2.1 About Create OAM WebGate Page and Parameters
The Create OAM ... WebGate page requests minimal information to streamline
registration. Required details are identified by the asterisk (*). Whether you register an
11g WebGate or 10g WebGate, the initial information requested is the same.
Figure 15–1 Create OAM 11g WebGate Page

Table 15–1 describes the Create page for 11g WebGates (or Access Clients). Unless
explicitly noted, all elements apply to both 11g and 10g Agents.

15-2 Administrator's Guide for Oracle Access Management

Understanding OAM Agent Registration Parameters in the Console

Table 15–1

Elements on Create Pages for 11g and 10g OAM Agents

OAM WebGate Element

Description

Version

Specifies whether this will be a 10g or an 11g WebGate.

Name

The unique identifying name for this Agent registration. This is often the name of the computer that
is hosting the Web server used by WebGate.
A unique identifying name for each Agent registration is preferred. However:
■

■

If the Agent Name exists, no error occurs and the registration does not fail. Instead, Access
Manager creates the policies if they are not already in place.
If the host identifier exists, the unique Agent Base URL is added to the existing host identifier
and registration proceeds.

Description

A meaningful description of this Agent registration.

Base URL

The host and port of the computer on which the Web server for the WebGate is installed. For
example, http://example_host:port or https://example_host:port. The port number is optional.

Optional

Note: A particular Base URL can be registered once only. There is a one-to-one mapping from this
Base URL to the Web server domain on which the WebGate is installed (as specified with the Host
Identifier element). However, one domain can have multiple Base URLs.
Access Client Password
Optional

An optional, unique password for this WebGate, which can be assigned during this registration
process.
When a registered WebGate connects to an OAM Server, the password is used for authentication to
prevent unauthorized WebGates from connecting to OAM Servers and obtaining policy
information.

Security

Level of communication transport security between the Agent and the OAM Server (this must
match the level specified for the OAM Server):
■

Open--No transport security

■

Simple--SSL v3/TLS v1.0 secure transport using dynamically generated session keys

■

Cert--SSL v3/TLS v1.0 secure transport using server side x.509 certificates. Choosing this
option displays a field where you can enter the Agent Key Password.
Agent Key Password: The private key file (aaa_key.pem) is encrypted using DES algorithm.
The Agent Key Password is saved in obfuscated format in password.xml and is required by
the server to generate password.xml. However, this password is not retained by the server.
When editing an 11g WebGate registration, password.xml is updated only when the mode is
changed from Open to Cert or Simple to Cert. In Cert mode, once generated, password.xml
cannot be updated. Editing the Agent Key Password does not result in creation of a new
password.xml.

Note: For more information on Simple and Cert modes, and private key encryption, see
Appendix C.
Host Identifier

This identifier represents the Web server host. This is automatically seeded with the value in the
agent Name field.
Note: You can register multiple OAM WebGates (or Access Clients) under a single host identifier
with the same Application Domain and policies, as follows:
1.

When you register a WebGate, allow the process to create a host identifier (a name of your
choice), and enable "Auto Create Policies".

2.

Register a second WebGate with the same host identifier as Step 1, and clear the "Auto Create
Policies" box to eliminate policy creation.

See Also: "About Virtual Web Hosting" on page 22-10.
User-defined Parameters

Parameters you can enter to enable specific WebGate behaviors:

Virtual Host

Check the box beside Virtual Host if you installed a WebGate on a Web server that contains
multiple Web site and domain names. The WebGate must reside in a location that enables it to
protect all of the Web sites on that server.

See Also: "About User-Defined WebGate Parameters" on page 15-5.

See Also: "About Virtual Web Hosting" on page 22-10.

Registering and Managing OAM 11g Agents 15-3

Understanding OAM Agent Registration Parameters in the Console

Table 15–1 (Cont.) Elements on Create Pages for 11g and 10g OAM Agents
OAM WebGate Element

Description

Auto Create Policies

During agent registration, you can have authentication and authorization policies created
automatically. This option is checked (enabled) by default.
Default: Enabled
Shared Registration and Policies: Multiple WebGates (or Access Clients) installed on different Web
servers can share a single registration and policies to protect the same resources. This is useful in a
high-availability failover environment. To do this:
1.

WebGate1: Register the first WebGate and enable Auto Create Policies to generate a host
identifier (named as you like) and policies.

2.

WebGate2: Register the second WebGate, specify the same host identifier as the first WebGate,
and disable Auto Create Policies.

After registering the second agent, both WebGates use the same host identifier and policies.
IP Validation

Check the box beside IP Validation to ensure a client's IP address is the same as the IP address
stored in the ObSSOCookie generated for single sign-on. In the IP Validation Exceptions box, enter
any IP addresses to exclude from validation using standard notation for the addresses: for example,
10.20.30.123.
When enabled, the IP address stored in the ObSSOCookie must match the client's IP address.
Otherwise, the cookie is rejected and the user must re-authenticate.
Default: Disabled
See Also: "About IP Address Validation for WebGates" on page 15-10.

Agent Key Password

Requested for only Cert mode communication, this passphrase is used to encrypt the private key
used for SSL communication between WebGate and the OAM Server in Simple and Cert modes.
Note: The Agent Key Password has no relationship to the Access Client Password described earlier
within this table.
Cert Mode: In this mode, the agent key can be different on the client and server; it is no longer
global. Administrators must enter the Agent Key Password to enable generation of a password.xml
file during agent registration, which must be copied to the agent side. For certificate generation,
you must encrypt the private key (used for SSL) using this password through openssl or other
third-party tools to be placed inside aaa_key.pem. At runtime, WebGate retrieves the key from
password.xml, and uses it to decrypt the key in aaa_key.pem.
■

■

■

If the key is encrypted, WebGate internally invokes the call back function to obtain the
password.
If the key is encrypted and password.xml does not exist, WebGate cannot establish
connections with the OAM Server.
If the key is not encrypted, there is no attempt to read password.xml.

For more information, see Appendix C.
Resource Lists

15-4 Administrator's Guide for Oracle Access Management

Understanding OAM Agent Registration Parameters in the Console

Table 15–1 (Cont.) Elements on Create Pages for 11g and 10g OAM Agents
OAM WebGate Element

Description

Protected Resource (URI)
List

URIs for the protected application: /myapp/login, for example. Each URI for the protected
application should be specified in a new row of the table for the Protected Resource List.
Default: /**
The default matches any sequence of characters within zero or more intermediate levels spanning
multiple directories.
Add Resources: Each URI should be specified in a new row of the table for the Protected Resource
List. Click the + button to add a resource to the Protected Resource List. For instance, if you add
/financial (and repeat to add /myfinancial) the following URLS are seeded into the designated
policies of the Application Domain when Auto Create Policies is selected):
/financial
/myfinancial
/**

yields Resource URL /financial/**
yields Resource URL /myfinancial/**

See Also: "About the Resource URL, Prefixes, and Patterns" on page 25-18.
Public Resource (URI) List

Each public application should be specified in a new row of the table for the Public Resource List.
Add Resources: Each URI should be specified in a new row of the table for the Public Resource
List. Click the + button to add a resource to the Public Resource List. For instance, if you add
/people the following URLS are included here and in the Application Domain (when Auto Create
Policies is selected):
/people
See Also: "About the Resource URL, Prefixes, and Patterns" on page 25-18.

See Also:

Table 15–3, " Elements on Expanded 11g and 10g WebGate/Access Client Registration Pages"

To help streamline WebGate registration, some elements are concealed during the
create operation and default values are applied.
All changes made using the Oracle Access Management
Console are taken up without restarting the application server.
Changes are reflected automatically after the reconfiguration timeout
period.

Note:

15.2.2 About User-Defined WebGate Parameters
Certain supported parameters can be defined by Administrators entering values
directly on the WebGate registration page or within the OAM Agent remote
registration request template. Table 15–2 describes supported user-defined parameters.
Each parameter can have only one value.

Registering and Managing OAM 11g Agents 15-5

Understanding OAM Agent Registration Parameters in the Console

Table 15–2

User-Defined WebGate Parameters

User-Defined WebGate Parameter

Description

ChallengeRedirectMethod

Configure this user-defined authentication POST data preservation parameter for both
the embedded credential collector (ECC) and the detached credential collector (DCC).
Value: GET|POST|DYNAMIC
Note: Preference is given first to the Authentication Scheme containing this parameter;
second to the WebGate providing this user defined parameter. Otherwise, default
behavior is Dynamic.
See Also: Table 22–23, " User-Defined Challenge Parameters for Authentication
Schemes"

ChallengeRedirectMaxMessageBytes

Configure this user-defined WebGate parameter to limit the size of the message data
received as obrareq.cgi and obrar.cgi. Message data is comprised of query string length,
if present (or POST data length, if POST data is present). If message size exceeds this
limit, the message is not processed and the existing message is shown in the browser.
The event is logged as usual.
Default: 8192 bytes
Notes:
obrareq.cgi is the authentication request in the form of a query string redirected from
WebGate to OAM Server.
obrar.cgi is the authentication response string redirected from the OAM Server to
WebGate.
See Also: "Configuring Authentication POST Data Handling" on page 22-90
Table 15–2, " User-Defined WebGate Parameters"

MaxPostDataBytes

Authentication post-data preservation parameter for both the embedded credential
collector (ECC) and the detached credential collector (DCC).
This parameter requires a positive integer value that restricts the maximum number of
bytes of POST data that is submitted as user credentials and sent to the OAM Server.
Default: 8192 bytes
Assigning MaxPostDataBytes to a Resource WebGate gives preference to restricting the
size of the post data received from the application before forwarding the post data to be
preserved.
See Also: "Configuring the PasswordPolicyValidationScheme"
"Configuring Authentication POST Data Handling" on page 22-90
Table 22–23, " User-Defined Challenge Parameters for Authentication Schemes"

MaxPreservedPostDataBytes

Configure this user-defined WebGate parameter (or user-defined Authentication Scheme
challenge parameter) for authentication POST-data preservation.
Default: 8192 bytes
Note: Preference is given first to the Authentication Scheme containing this parameter;
second to the WebGate providing this user-defined parameter. Otherwise, default
behavior is 8192 bytes.
This parameter defines the maximum length of POST data that WebGate can preserve. If
the size of inbound raw user POST data (or encrypted post data after processing),
crosses this limit, POST data is dropped and the existing authentication flow continues.
The event is logged as usual.
See Also: "Configuring Authentication POST Data Handling" on page 22-90
Table 22–23, " User-Defined Challenge Parameters for Authentication Schemes"

PostDataRestoration

Authentication post-data preservation parameter for both the embedded credential
collector (ECC) and the detached credential collector (DCC). This parameter requires a
value of true or false.
Default: false
When set to true, WebGate initiates POST data preservation.
See Also: "Configuring Authentication POST Data Handling" on page 22-90

15-6 Administrator's Guide for Oracle Access Management

Understanding OAM Agent Registration Parameters in the Console

Table 15–2 (Cont.) User-Defined WebGate Parameters
User-Defined WebGate Parameter

Description

serverRequestCacheType

Authentication post-data preservation parameter by the embedded credential collector
(ECC).

ECC Only

This OAM Server parameter in oam-config.xml indicates mechanism to be used to
remember the request context. Possible values are FORM, COOKIE, or CACHE.
Default: COOKIE
FORM is the required value for POST data preservation.
See Also: TempStateMode in Table 22–23, " User-Defined Challenge Parameters for
Authentication Schemes".
"Configuring Authentication POST Data Handling" on page 22-90
UrlInUTF8Format=true

In an environment that uses Oracle HTTP Server 2, this parameter must be set to true to
display latin-1 and other character sets.

ProxySSLHeaderVar=IS_SSL

Uses when the WebGate is located behind a reverse proxy, SSL is configured between the
client and the reverse proxy, and non-SSL is configured between the reverse proxy and
the Web server. It ensures that URLs are stored as HTTPS rather than HTTP. The proxy
ensures that URLs are stored in HTTPS format by setting a custom header variable
indicating whether it is servicing an SSL or non-SSL client connection.
The value of the ProxySSLHeaderVar parameter defines the name of the header variable
the proxy must set. The value of the header variable must be "ssl" or "nonssl".
If the header variable is not set, the SSL state is decided by the SSL state of the current
Web server.
Default: IS_SSL

client_request_retry_attempts=1

WebGate-to-OAM Server timeout threshold specifies how long (in seconds) the WebGate
waits for the OAM Server before it considers it unreachable and attempts the request on
a new connection.
If the OAM Server takes longer to service a request than the value of the timeout
threshold, the WebGate abandons the request and retries the request on a new
connection.
Default: 1
Note: The new connection that is returned from the connection pool can be to the same
OAM Server, depending on your connection pool settings. Also, other OAM Servers
may also require more time to process the request than the time specified on the timeout
threshold. In some cases, the WebGate can retry the request until the OAM Servers are
shut down. You can configure a limit on the number of retries that the WebGate
performs for a non-responsive server using the client_request_retry_attempts parameter.

InactiveReconfigPeriod=10

The WebGate update thread reads the shared secret from the OAM Server every 1
minute when WebGate is active. The OAM Server server returns the shared secret in its
own cache (the OAM Server cache).
Default: 10 (minutes)
See Also: Oracle Fusion Middleware Performance and Tuning Guide

fallbackToContainerPolicy=true

Used for the IAMSuiteAgent. When set to false, user access to the resource is denied
and an HTTP response code, 403 is returned.
When set to 'true' the request goes through to the container and uses whatever policy
(related to J2EE authentication/authorization) is configured on the container to grant or
deny the user access.
Default: true

logoutRedirectUrl=

Default = http://OAMServer_host:14200/oam/server/logout

protectWebXmlSecuredPagesOnly=tr
ue

Used for the IAMSuiteAgent. After the user is authenticated, this parameter is used for
all subsequent requests to determine if the Agent should validate the incoming request.
When set to:
false: The Agent always validates the incoming request
true: The default. The Agent determines whether to validate the incoming request based
on the following:
■

■

If the application specifies 'CLIENT-CERT' as part of the construct:
"" in its web.xml, the Agent validates the incoming request.
If the application does not specify 'CLIENT-CERT' as part of the construct:
"" in its web.xml, the Agent does not validate the incoming request.
Instead, the Agent lets the request go through to the application.

Registering and Managing OAM 11g Agents 15-7

Understanding OAM Agent Registration Parameters in the Console

Table 15–2 (Cont.) User-Defined WebGate Parameters
User-Defined WebGate Parameter

Description

maxAuthorizationResultCacheElems

Max Authorization Results Cache Elements—Number of elements maintained in the
Authorization Result Cache. This cache maintains information about authorization
results for associated sessions. For example:
maxAuthorizationResultCacheElems=10000
Default = 100000
See Also: Oracle Fusion Middleware Performance and Tuning Guide

authorizationResultCacheTimeout

Authorization Results Cache Timeout—Number of elements maintained in the
Authorization Result Cache. This cache maintains information about authorization
results for associated sessions. For example:
authorizationResultCacheTimeout=60
Default, if no time is specified = 15 (seconds)
Note: Authorization Results Cache Timeout is not set by default.
With the cache enabled, the first request result persists for the cache duration. This
magnifies the effect causing a brief time delay. For example suppose you set an
authentication policy Response and set a custom session attribute exmpl:sample. The
corresponding authorization policy Response returns this as HEADER SESSION_ATTR_
EXMPL=sample. When a user access the URL protected by these policies, the header
comes after a few refreshes. Initially, however, the value might not be found.
A value of 0 disables the cache. With no cache, it takes two requests for the header
response to be filled. The first sets the session variable used, the second uses the session
variable. Oracle recommends that you do not set a Response value in the same
authorization request that triggers it.
See Also: Oracle Fusion Middleware Performance and Tuning Guide.

UniqueCookieNames

Controls WebGate cookie name format:
■

■

■

■

Legacy format (still the default and backward compatible): _
:_
Enabled UniqueCookieNames format (rfc2109-compliant cookie name restriction):
_:_
Disabled: Cookie name format is _. No : and No
_ is added to the cookie name.
Any other value is treated as the default legacy format: _:_


11g WebGate only
SetKeepAlive

By default, SetKeepAlive is ON. In this case, a first keep-alive message will be sent after
the default idle time of 2 minutes. To change this behavior, set a new value for the
parameter. If SetKeepAlive=Off, the feature is disabled and no keep-alive messages will
be sent. If SetKeepAlive=x (where x is some positive integer value), the keep-alive
message will be sent after the channel is idle for x minutes. Any firewall or load balancer
should be configured to forward the TCP/IP keep-alive messages to the actual end
parties (front-ending Access Manager server).
A programmatic way to change the idle time is implemented for Linux64, Linux32, and
Windows32 WebGates. This is not possible on SPARC Solaris platforms; in that case,
SetKeepAlive is enabled and the idle time out for Keep alive must be set manually by
the system administrator.

filterOAMAuthnCookie

For 11g WebGate, a user-defined parameter (filterOAMAuthnCookie (default true)) can
be used to prevent the OAMAuthnCookie from being passed to downstream
applications for security consideration. If you do want to pass the cookie on, then set the
filterOAMAuthnCookie parameter to false.

15-8 Administrator's Guide for Oracle Access Management

Understanding OAM Agent Registration Parameters in the Console

Table 15–2 (Cont.) User-Defined WebGate Parameters
User-Defined WebGate Parameter
ssoCookie

Description
Controls the OAMAuthnCookie cookie.
Default:
ssoCookie=httponly
ssoCookie=Secure
Disable either setting:
ssoCookie=disablehttponly
ssoCookie=disableSecure
Note: These parameters are configured differently depending on your credential
collector configuration.
■

■

For detached credential collector-enabled 11g WebGates, set these parameters
directly in the agent registration page.
For non-DCC agents (Resource WebGates), these parameters are configured
through user-defined challenge parameters in authentication schemes.

See Also:
Table 22–23, " User-Defined Challenge Parameters for Authentication Schemes"
"Configuring Challenge Parameters for Encrypted Cookies" on page 22-88
"Configuring 11g WebGates and Authentication Policy for DCC"
miscCookies

Controls other miscellaneous Access Manager internal cookies. By default, httponly is
enabled for all other (miscellaneous) cookies.
Default:
miscCookies=httponly
miscCookies=Secure
Disable either setting:
miscCookies=disablehttponly
miscCookies=disableSecure
Note: These parameters are configured differently depending on your credential
collector configuration.
■

■

For detached credential collector-enabled WebGates, set these parameters directly
in the agent registration page.
For non-DCC agents (Resource WebGates), these parameters are configured
through challenge parameters of the same name.

See Also:
Table 22–23, " User-Defined Challenge Parameters for Authentication Schemes"
"Configuring Challenge Parameters for Encrypted Cookies" on page 22-88
"Configuring 11g WebGates and Authentication Policy for DCC"
obSSOCookieCoExConfig

Controls the cookie properties set on ObSSOCookie during OAM 10g Co-Existence.
Default:
obSSOCookieCoExConfig=httponly
obSSOCookieCoExConfig=Secure
Disable either setting:
obSSOCookieCoExConfig=disablehttponly
obSSOCookieCoExConfig=disableSecure
Disable both settings:
obSSOCookieCoExConfig=disableSecure;disablehttponly
For detached credential collector-enabled 11g WebGates used for Co-Existence (as DCC
or with DCC Tunneling), set this parameter in the agent registration page. See the
Co-existence chapter in Oracle Fusion Middleware Migration Guide for Oracle Identity and
Access Management for more information.

Registering and Managing OAM 11g Agents 15-9

Understanding OAM Agent Registration Parameters in the Console

Table 15–2 (Cont.) User-Defined WebGate Parameters
User-Defined WebGate Parameter

Description

OAMAuthAuthenticationServiceLoca Activates non-browser client functionality and defines the location of the authentication
tion
service.
11g WebGate non-browser client
functionality

OAMAuthUserAgentPrefix=prefix string that acts as the prefix for the "user-agent" HTTP
header value.
For example, to activate this functionality for Identity Connect:
OAMAuthAuthenticationServiceLocation=https://login.example.com/nbc
Non-browser client functionality is deactivated if the parameter is omitted (or is
provided with no value).
See Also: Section XI, "Managing Oracle Access Management Mobile and Social."

OAMAuthUserAgentPrefix
11g WebGate non-browser client
functionality

Activates non-browser client functionality and defines the string that acts as a prefix for
the "user-agent" http header value.
OAMAuthAuthenticationServiceLocation=full URL location of the NBC authentication
service.
For example, to activate this functionality for Identity Connect:
OAMAuthUserAgentPrefix=NBC
Non-browser client functionality is deactivated if this parameter is omitted (or is
provided with no value).
See Also: Section XI, "Managing Oracle Access Management Mobile and Social."

RequestContextCookieExpTime

Controls the time (in seconds) to expire OAMRequestContext cookie. Configuring the
cookie lifetime is an optional control for deployments with a critical need to handle
situations where the cookies could proliferate.
Default: not set
In the Resource WebGate registration, add this parameter to expire the
OAMRequestContext cookie in the configured number of seconds using the "Max-Age"
directive on all but IE browsers (default 5 minutes).
Note: For Internet Explorer only, this parameter requires a time sync between the
browser and Web server hosts because IE uses the "Expires" directive to expire the
cookie with an absolute time. However, on IE browsers, when this parameter is not set,
OAMRequestContext cookie is a transient session cookie.
On other (non-IE) browsers, the cookie is persistent and expires based on the time set
using the "Max-Age" directive.
See Also:
OAMRequestContext in Table 21–6, " SSO Cookies"

ProxyTrustedIPList

Multi-valued parameter that holds the list of IP addresses of the trusted proxies or load
balancers. See Section 15.2.3.2.1, "Using ProxyTrustedIPList."

ProxyRemoteIPHeaderVar

Specifies the name of the HTTP header that contains the list of IP addresses. See
Section 15.2.3.2.2, "Defining ProxyRemoteIPHeaderVar."

15.2.3 About IP Address Validation for WebGates
IP address validation is a function that determines if a client's IP address is the same as
the IP address stored in the cookie generated for single sign-on. The IPValidation
parameter turns IP address validation on and off; it is a WebGate specific parameter
found in the WebGate profile. If IPValidation is true, the IP address stored in the
cookie must match the client's IP address, otherwise, the SSO cookie (Table 1–2) is
rejected and the user must reauthenticate. By default, IPValidation is false. The
following is true in regards to enabling and disabling IP Validation.
■

■

Enabling IP Validation on the WebGate automatically enables it on the OAM
server side; this can be verified in the Access Manager settings.
Disabling IP Validation on the WebGate will not disable it on the OAM server.

15-10 Administrator's Guide for Oracle Access Management

Understanding OAM Agent Registration Parameters in the Console

■

■

IP Validation on the OAM server side should be disabled manually, if and only if it
is disabled on all the WebGates.
When IP Validation is enabled on the WebGate side, server side IP Validation
should never be turned off.
Access Manager now supports Internet Protocol version 6
(IPv6) as well as IPv4.

Note:

To configure single sign-on between WebGate and an Access Client that does not have
the client IP address at authentication, the IP validation option can be explicitly turned
off (set IP Validation to false). When the IP Validation parameter is set to false, the
browser or client IP address is not used as a part of the SSO cookie. However, Oracle
recommends that you keep IP validation on whenever possible. For WebGate profile
configuration information, see Section 15.4.3, "Viewing or Editing an OAM Agent
Registration Page in the Console." Additional details are in the following sections.
■

Defining The IP Validation Exceptions List

■

Enabling IP Validation in Load Balanced Environments

15.2.3.1 Defining The IP Validation Exceptions List
The IP Validation parameter can cause problems with certain Web application
deployments. For example, Web applications managed by a proxy server typically
change the user's IP address, substituting the IP address of the proxy. This prevents
single sign-on from using the cookie. The IP Validation Exceptions parameter lists IP
addresses that are exceptions to this process. When IPValidation is true, the IP
address is compared to the IP Validation Exceptions List. If the address is found on the
list, it does not need to match the IP address stored in the cookie.
You can add as many IP addresses as needed to the Exceptions list - the actual IP
addresses of the client and not the IP addresses stored in the ObSSOCookie SSO
cookie. If an SSO cookie is from one of the exception IP addresses, the Access System
ignores the address stored in the SSO cookie for validation. (The IP addresses in the IP
Validation Exceptions List can be used when the IP address in the cookie is for a
reverse proxy.)

15.2.3.2 Enabling IP Validation in Load Balanced Environments
In the case of (proxy servers or) a load balancer, Oracle Access Manager can not
enforce true IP validation because an attacker can use the IP address defined in the
exception list. Web applications managed thusly typically change the user's IP address
(substituting the IP address of the proxy or load balancer). This can prevent single
sign-on using the SSO cookie.
A load balancer adds an "X-forwarded-for" header variable to incoming HTTP
requests, containing a comma-space-separated list of the original IP number of the
requester. Consider the following example in which the request passed proxy1, proxy2
and proxy3 (proxy3 appears as the remote address of the request). The last IP address
is always the IP address that connects to the last proxy.
X-Forwarded-For: client1, proxy1, proxy2

The trust list will be referenced to look up each IP address from the header, starting
with the right-most value. The left-most IP address being the farthest downstream
client and each successive proxy that passed the request (adding the IP address from
which it received the request).

Registering and Managing OAM 11g Agents

15-11

Understanding OAM Agent Registration Parameters in the Console

Within the specified order, the first IP address that does not match any of those in the
trusted list is treated as an apparent client IP (defined as the IP address of the initiator
of the connection to the furthest node along the communication path that can be
trusted). Additionally:
■

■

■

When all IP addresses from the header (starting from the right side) match with
entries in the trusted list, WebGate chooses the end client IP (the left most IP
address in the header).
When the IP address is determined, WebGate obtains a session token that contains
the apparent client IP address and IP validation is evaluated by comparing the IP
address against the address in the session token.
When the IP validation feature is enabled within a load balanced deployment,
authentication (session creation) and authorization is done by the WebGate with
this feature; otherwise the authenticated user must re-authenticate. When
WebGate searches for the particular HTTP header, the search is case-insensitive.
For example, "X-Forwarded-For" and "X-FORWARDED-FOR" are treated the same.

15.2.3.2.1 Using ProxyTrustedIPList ProxyTrustedIPList is a user defined, multi-valued
WebGate parameter that holds the list of IP addresses for the trusted proxies or load
balancers. The values are space separated. The IP addresses in the IP Validation
Exceptions List can be used when the IP address in the cookie is for a reverse proxy.
Figure 15–2 Load Balanced Deployment

In Figure 15–2, the end user's HTTP request passes through REVERSEPROXY1 and
REVERSEPROXY2 to reach the actual Web server. In this case, the IP addresses of
REVERSEPROXY1 and REVERSEPROXY2 should be added in the ProxyTrustedIPList
list as follows:
ProxyTrustedIPList=10.77.199.59 10.77.199.26

In a centralized authentication deployment, if any Resource
WebGate (RWG) or Authentication WebGate (AWG) is behind a proxy,
the IP addresses of all intermediaries must be configured (in the
ProxyTrustedIPList parameter) in the profile of the WebGate behind
the proxy. Otherwise, IP validation failures can occur.
Note:

15.2.3.2.2 Defining ProxyRemoteIPHeaderVar The ProxyRemoteIPHeaderVar parameter
specifies the name of the HTTP header that contains the list of IP addresses. If this
parameter is not provided, the default header X-Forwarded-For is used. This
parameter can be configured like any other user-defined parameter in a WebGate
profile. For example, in the deployment described in Using ProxyTrustedIPList,
"X-FORWARDED-FOR" and other headers that come to the Web server take the
following form.
HTTP_X_FORWARDED_FOR="10.77.199.129, 10.77.199.59"
REMOTE_ADDR="10.77.199.26"

15-12 Administrator's Guide for Oracle Access Management

Registering an OAM Agent Using the Console

15.3 Registering an OAM Agent Using the Console
This procedure is for both a WebGate or programmatic Access Client. Registration
steps are the same. You can register an OAM-type agent before you deploy it. Users
with valid Administrator credentials can perform the following task to register a
WebGate using the Oracle Access Management Console.
See Also:
■

■

Understanding OAM Agent Registration Parameters in the
Console
Oracle Fusion Middleware Installation Guide for Oracle Identity
and Access Management chapter "Installing and Configuring
Oracle HTTP Server 11g WebGate for OAM"

After agent registration, you can change the communication mode of the OAM Server
if needed. Communication between the agent and server continues to work as long as
the WebGate mode is at least at the same level as the OAM Server mode or higher. See
Appendix C.
Before you begin, confirm that at least one OAM Server is running in the same mode
as the agent to be registered.
1.

In the Oracle Access Management Console, click Application Security at the top
of the window.

2.

In the Application Security console, select Create WebGate from the Agents
menu.

3.

On the Create WebGate page, enter required details (those with an *) to register
this Agent.
Note:

If you are creating an OAM 10g Agent, also see Chapter 30.

4.

Protected Resource List: In this table, enter individual resource URLs to be
protected by this Agent, as shown in Table 15–1.

5.

Public Resource List: In this table, enter individual resource URLs to be public
(not protected), as shown in Table 15–1.

6.

Auto Create Policies: Check to create a fresh Application Domain and policies (or
clear and use the same host identifier as another WebGate and share policies
(Table 15–1)).

7.

Click Apply to submit the registration.
You may also close the page without applying changes, if applicable.

8.

Click the Download button to download the generated artifacts.
Downloaded artifacts are located in the $DOMAIN_HOME/output/$Agent_name
folder.

9.

10g WebGate: See Chapter 30 and:
a.

Proceed as needed for your environment (Chapter 30):
Existing WebGate: Perform Step 8, then go to Chapter 27, "Configuring
Centralized Logout for Sessions Involving 11g WebGates".

Registering and Managing OAM 11g Agents

15-13

Configuring and Managing Registered OAM Agents Using the Console

New WebGate: Go to "Locating and Installing the Latest 10g WebGate for
Access Manager 11g" on page 30-14.
10. Copy the artifacts as follows (or install WebGate with the same specifications, then

copy artifacts), including any Simple or Cert mode files. For example, Open mode
files include:
Agent & Artifacts

Artifacts

11g WebGate/Access Client

From the AdminServer (Console) host:

ObAccessClient.xml and
cwallet.sso
10g WebGate/Access Client
ObAccessClient.xml

$DOMAIN_HOME/output/$Agent_Name/
To the Agent host: $11gWG_install_dir/WebGate/config
From the AdminServer (Console) host:
$DOMAIN_HOME/output/$Agent_Name/

Note: Go to Chapter 30 before To the Agent host:
completing this task.
$10gWG_install_dir/oblix/lib/
11. Verify Registration: These are similar to steps in "Validating Agent Registration

using the Oracle Access Management Console".
a.

Under Agents in Application Security, search and confirm the Agent name is
listed.

b.

Confirm the Agent’s page contains the appropriate information.

c.

Auto Create Policies: Confirm the Application Domain was generated, the
host identifier was created for the application, and that resources were created
in the Application Domain and associated with the host identifier.

d.

Perform further tests, as described in "Verifying Authentication and Access
After Remote Registration".

12. Proceed as needed for your deployment:
■

"Configuring and Managing Registered OAM Agents Using the Console"

■

Part VI, "Managing Access Manager SSO, Policies, and Testing"

15.4 Configuring and Managing Registered OAM Agents Using the
Console
This section provides the following topics to help you manage registered WebGates:
■

Understanding Registered OAM Agent Configuration Parameters in the Console

■

Searching for an OAM Agent Registration

■

Viewing or Editing an OAM Agent Registration Page in the Console

■

Deleting OAM Agent Registration Using the Console

15.4.1 Understanding Registered OAM Agent Configuration Parameters in the Console
Whether you registered the agent using the Oracle Access Management Console or the
remote registration utility, you can view the full agent configuration page in the
console, as shown in Figure 15–3.

15-14 Administrator's Guide for Oracle Access Management

Configuring and Managing Registered OAM Agents Using the Console

Figure 15–3 Expanded 11g WebGate Page with Defaults

There are only a few differences between 11g and 10g WebGate registration pages.
Most elements on the agent's page are the same as those you
define when using the remote registration tool with the expanded
OAM template. ObAccessClient.xml is populated with values after
agent registration or modification, regardless of the method you use.
Note:

Table 15–3 describes elements on an expanded registration. Additional settings
revealed here are used by the OAM Proxy.

Registering and Managing OAM 11g Agents

15-15

Configuring and Managing Registered OAM Agents Using the Console

Table 15–3

Elements on Expanded 11g and 10g WebGate/Access Client Registration Pages

Element

Description

Name

See: Table 15–1, " Elements on Create Pages for 11g and 10g OAM Agents".

Version
Description
Access Client Password
Security
User-defined Parameters

See Also: "About User-Defined WebGate Parameters" on page 15-5

IP Validation

See Also: "About IP Address Validation for WebGates" on page 15-10.

Primary Cookie Domain

This parameter describes the Web server domain on which the Agent is deployed,
for instance,.example.com.

10g WebGate only, Chapter 30

You must configure the cookie domain to enable single sign-on among Web servers.
Specifically, the Web servers for which you configure single sign-on must have the
same Primary Cookie Domain value. WebGate uses this parameter to create the
ObSSOCookie authentication cookie.
This parameter defines which Web servers participate within the cookie domain and
have the ability to receive and update the ObSSOCookie. This cookie domain is not
used to populate the ObSSOCookie; rather it defines which domain the
ObSSOCookie is valid for, and which Web servers have the ability to accept and
change the ObSSOCookie contents.
Default: If the client side domain can be determined during registration, the Primary
Cookie Domain is populated with that value. However, if no domain is found, there
is no value and WebGate uses the host-based cookie.
Note: The more general the domain name, the more inclusive your single sign-on
implementation will be. For example, if you specify b.com as your primary cookie
domain, users will be able to perform single sign-on for resources on b.com and on
a.b.com. However, if you specify a.b.com as your primary cookie domain, users will
have to re-authenticate when they request resources on b.com.
State

Specifies whether this registration is enabled or disabled.

Only in the console.

Default = Enabled

Max Cache Elements

Number of elements maintained in the cache. Caches are the following:
■

■

Resource to Authentication Scheme—This cache maintains information about
Resources (URLs), including whether it is protected and, if so, the
authentication scheme used for protection.
(11g WebGate only) Resource to Authorization Policy—This cache maintains
information about Resources and associated authorization policy—This cache
stores authentication scheme information for a specific authentication scheme
ID.

The value of this setting refers to the maximum consolidated count for elements in
these caches.
Default = 100000
Cache Timeout (seconds)

Amount of time cached information remains in the WebGate caches (Resource to
Authentication Scheme, Authentication Schemes, and 11g WebGate only Resource to
Authorization Policy) when the information is neither used nor referenced.
Default = 1800 (seconds)

Token Validity Period (seconds)
11g WebGate only

Maximum valid time period for an agent token (the content of OAMAuthnCookie
for 11g WebGate). This value is the validity period for the obsso cookie. Within this
period, only authorization nap calls will pass to the OAM server. Once this period
has passed, the obsso cookie will be considered invalid and an 'obrareq.cgi' redirect
will occur. The OAM Server will validate the OAM_ID cookie and re-issue a new
obsso cookie, or challenge the user if the server side session is
expired/deleted/timed out).
Default = 3600 (seconds)
Note: For 10g WebGates, use Cookie Session Time to set the Token Validity Period.

Max Connections

The maximum number of connections that this WebGate can establish with the
OAM Server. This number must be the same as (or greater than) the number of
connections that are actually associated with this agent.
Default = 1

15-16 Administrator's Guide for Oracle Access Management

Configuring and Managing Registered OAM Agents Using the Console

Table 15–3 (Cont.) Elements on Expanded 11g and 10g WebGate/Access Client Registration Pages
Element

Description

Max Session Time (hours)

Maximum time to keep network connections from this WebGate to the OAM Server
alive. After elapsed time, all the WebGate to OAM Server network connections will
be shutdown and replaced with new ones. The unit is based on the
maxSessionTimeUnits user-defined parameter which can be 'minutes' or 'hours'.
When maxSessionTimeUnits is not defined, the unit is defaulted to 'hours'.

Failover Threshold

Number representing the point when this WebGate opens connections to a
Secondary OAM Server.
Default = 1
For example, if you type 30 in this field and the number of connections to primary
OAM Server falls to 29, this Agent opens connections to secondary OAM Server.

AAA Timeout Threshold

Number (in seconds) to wait for a response from the OAM Server. If this parameter
is set, it is used as an application TCP/IP timeout instead of the default TCP/IP
timeout.
Default = -1 (default network TCP/IP timeout is used)
If using a simple mode WebGate, you can improve the response time of the OAM
login page by changing the aaaTimeoutThreshold time parameter in the WebGate
profile from -1 to 10.
A typical value for this parameter is between 30 and 60 seconds. If set to a very low
value, the socket connection can be closed before a reply from OAM Server is
received, resulting in an error.
For example, suppose a WebGate is configured to talk to one primary OAM Server
and one secondary OAM Server. If the network wire is pulled from the primary
OAM Server, the WebGate waits for the TCP/IP timeout to learn that there is no
connection to the primary OAM Server. The WebGate tries to reestablish the
connections to available servers starting with the primary OAM Server. Again, the
Agent waits for the TCP/IP timeout to determine if a connection can be established.
If it cannot, the next server in the list is tried. If a connection can be established to
another OAM Server (either a primary or secondary), the requests are re-routed.
However this can take longer than desired.
When finding new connections, WebGate checks the list of available servers in the
order specified in its configuration. If there is only one primary OAM Server and
one secondary OAM Server specified, and the connection to the primary OAM
Server times out, the Agent still tries the primary OAM Server first. As a result, the
Agent cannot send requests to an OAM Server for a period greater than twice the
setting in the OAM Server Timeout Threshold.
If the OAM Server takes longer to service a request than the value of the timeout
threshold, the Agent abandons the request and retries the request on a new
connection. Note that the new connection that is returned from the connection pool
can be to the same OAM Server, depending on your connection pool settings. Also,
other OAM Server may also take longer to process the request than the time
specified on the threshold. In these cases, the Agent can continue to retry the request
until the OAM Server is shut down.

ServerConnectionReadTimeout

This parameter can be configured in the ASDK Agent User Defined Parameters
section, for further timeout fine-tuning. This setting can be configured for TCP read
timeout if required. The read timeout is the timeout on waiting to read data.
Specifically, if the server fails to send a byte n seconds after the last byte, a read
timeout error will be raised.

poolTimeOut

This parameter can be configured in the ASDK Agent User Defined Parameters
section. poolTimeout is the maximum time a request thread will wait to get a
connection from the connection pool, before throwing an exception. The default is 30
seconds.

Registering and Managing OAM 11g Agents

15-17

Configuring and Managing Registered OAM Agents Using the Console

Table 15–3 (Cont.) Elements on Expanded 11g and 10g WebGate/Access Client Registration Pages
Element

Description

Idle Session Timeout

Default: 3600

10g WebGate only, Chapter 30

Release 7.0.4 WebGates enforced their own idle session timeout only.
10.1.4.0.1 WebGates enforced the most restrictive timeout value among all WebGates
the token had visited.
With 10g (10.1.4.3), the 7.0.4 behavior was reinstated as the default with this element.
To set Idle Session Timeout logic:
■

■

The default value of leastComponentIdleTimeout instructs the WebGate to use
the most restrictive timeout value for idle session timeout enforcement.
A value of currentComponentIdleTimeout instructs the WebGates to use the
current WebGate timeout value for idle session timeout enforcement.

The idle session timeout behavior varies across WebGate versions. For example,
with WebGate 10.1.4.3 it is used to control idle timeout. If both Idle Session Timeout
and Cookie Session Time are set, the obsso cookie will be considered invalid when
one of the events happens (idle session timeout/cookie session time). In this case,
the request will go to the OAM server which will use server side parameter
validation to decide if the session has timed out/expired followed by a credential
challenge or obsso cookie reissue.
Preferred Host

Specifies how the hostname appears in all HTTP requests as users attempt to access
the protected Web server. The hostname within the HTTP request is translated into
the value entered into this field regardless of the way it was defined in a user's
HTTP request.
The Preferred Host function prevents security holes that can be inadvertently
created if a host's identifier is not included in the Host Identifiers list. However, it
cannot be used with virtual Web hosting. For virtual hosting, you must use the Host
Identifiers feature.
Defaults to Name (of WebGate registration)

User Defined Parameters

See Also: "About User-Defined WebGate Parameters" on page 15-5 and Oracle
Fusion Middleware Performance and Tuning Guide

Logout URL

The Logout URL triggers the logout handler, which removes the cookie
(ObSSOCookie for 10g WebGates; OAMAuthnCookie for 11g WebGates) and
requires the user to re-authenticate the next time he accesses a resource protected by
Access Manager.

10g and 11g WebGates

Default = [] (not set)
Note: This is the standard 10g WebGate configuration parameter used to trigger
initial logout through a customized local logout page as described in "Configuring
Centralized Logout for 10g WebGate with 11g OAM Servers" on page 30-22.
Additional Logout for 11g WebGate Only

For 11g WebGate single sign-off behavior, specific logout elements and values
automate the redirect to a central Logout URL, callback URL, and end_URL.
See Also: Table 27–2, " Logout Details After Registration (ObAccessClient.xml)"

Logout Callback URL
11g WebGate only

The URL to oam_logout_success, which clears cookies during the call back. This can
be a URI format without host:port (recommended), where the OAM Server calls back
on the host:port of the original resource request. For example:
Default = /oam_logout_success
This can also be a full URL format with a host:port, where OAM Server calls back
directly without reconstructing callback URL.
Note: In the remote registration template this parameter is named
logoutCallbackUrl (Table 15–10).
See Also: Table 27–2, " Logout Details After Registration (ObAccessClient.xml)"

Logout Redirect URL
11g WebGate only

This parameter is automatically populated after agent registration completes.By
default, this is based on the OAM Server host name with a default port of 14200. For
example:
Default = http://OAMServer_host:14200/oam/server/logout
See Also: Table 27–2, " Logout Details After Registration (ObAccessClient.xml)"

15-18 Administrator's Guide for Oracle Access Management

Configuring and Managing Registered OAM Agents Using the Console

Table 15–3 (Cont.) Elements on Expanded 11g and 10g WebGate/Access Client Registration Pages
Element

Description

Logout Target URL

The value is the name for the query parameter that the OPSS applications passes to
WebGate during logout; the query parameter specifies the target URL of the landing
page after logout completes.

11g WebGate only

Default: end_url
Note: The end_url value is configured using param.logout.targeturl in
jps-config.xml.
See Also: Table 27–2, " Logout Details After Registration (ObAccessClient.xml)"
Sleep for (seconds)

The frequency (in seconds) with which the OAM Server checks its connections to the
directory server. For example, if you set a value of 60 seconds, the OAM Server
checks its connections every 60 seconds from the time it comes up.
Default: 60 (seconds)

Cache Pragma Header

These settings apply only to WebGates and control the browser's cache.

Cache Control Header

By default, both parameters are set to no-cache. This prevents WebGate from
caching data at the Web server application and the user's browser.

WebGate only (not Access Clients)

However, this may prevent certain operations such as downloading PDF files or
saving report files when the site is protected by a WebGate.
You can set the Access Manager SDK caches that the WebGate uses to different
levels. See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html section 14.9
for details.
All of the cache-response-directives are allowed. For example, you may need to set
both cache values to public to allow PDF files to be downloaded.
Defaults: no-cache
Note: Browsers may store a local cached copy of content served by an OAM
protected resource. Some browsers, including Internet Explorer, cache content
accessed via HTTPS which may be retrieved by other users who have access to the
same computer at a future time. Please ensure that the Cache Directives are set
based on the sensitivity of the application content.
See Also: Oracle Fusion Middleware Performance and Tuning Guide
Debug

Debugging can be enabled or not.

Deny on Not Protected

Oracle recommends enabling Deny On Not Protected.

WebGates only (not Access Clients)

When enabled, this element denies access to all resources to which access is not
explicitly allowed by a rule or policy. Enabling this can limit the number of times the
WebGate queries the OAM Server, and can improve performance for large or busy
Application Domains.
■

11g WebGate: Always enabled, and cannot be changed

■

10g WebGate: Can be disabled.

Important: Deny on Not Protected overrides Host Identifiers and Preferred Host.
Oracle recommends enabling Deny on Not Protected. Otherwise security holes can
occur in large installations with multiple Host Identifiers, virtual hosts, and other
complex configurations.
Allow Management Operations

This Agent Privilege function enables the provisioning of session operations per
agent, as follows:
■

Terminate session

■

Enumerate sessions

■

Add or Update attributes for an existing session

■

List all attributes for a given session ID or read session

Default: Disabled
Note: Only privileged agents can invoke session management operations. When this
parameter is enabled, session management requests (listed above) are processed by
the OAM Server. If disabled, such requests are rejected for the agent.
11g WebGate only

Registering and Managing OAM 11g Agents

15-19

Configuring and Managing Registered OAM Agents Using the Console

Table 15–3 (Cont.) Elements on Expanded 11g and 10g WebGate/Access Client Registration Pages
Element

Description

Allow Credential Collector Operations

Activates WebGate detached credential collector functionality for simple-form or
dynamic multi-factor authentication.

11.1.2.0.0 and later WebGate only

Default: Disabled
See Also: "Configuring 11g WebGates and Authentication Policy for DCC"
Allow Master Token Retrieval

Allows the ASDK code to retrieve the OAM_ID cookie.

Allow Token Scope Operations

Allows the ASDK code to scope the OAM_ID cookie to the domain level instead of
host level.

Sharepoint Impersonation User

The trusted user for impersonation, in Active Directory. This user should not be
used for anything other than impersonation. The constraints are the same as any
other user in Active Directory.

10g WebGate only, Chapter 30

Note: SharePoint impersonation is separate and distinct from the Access Manager
user impersonation feature described in the Oracle Fusion Middleware Developer's
Guide for Oracle Access Management.
Sharepoint Impersonation Password
10g WebGate only, Chapter 30

This is the trusted user password for impersonation. The constraints are the same as
any other user password in Active Directory.
Oracle recommends that the user choose a very complex password, because the
trusted user is granted powerful permissions. Also, check the box Password Never
Expires. The impersonation module should be the only entity that ever sees the
trusted user account. It is extremely difficult for an outside agency to discover that
the password has expired.

Primary Server List

Identifies Primary Server details for this Agent. The default is based on the OAM
Server:
■

Server Name

■

Host Name

■

Host Port

■

Secondary Server List

Max Number (maximum connections this WebGate will establish with the
OAM Server (not the maximum total connections the WebGate can establish
with all OAM Servers).)

Identifies Secondary OAM Server details for this agent, which must be specified
manually:
■

Server Name

■

Host Name

■

Host Port

■

Max Number (maximum connections this WebGate will establish with the
OAM Server (not the maximum total connections the WebGate can establish
with all OAM Servers).)

15.4.2 Searching for an OAM Agent Registration
Figure 15–4 shows the WebGates Search controls, defaults, and the empty Search
Results table. From this page you can create a new WebGate registration, or search for
a specific WebGate or group of WebGates (all 11g WebGates, for instance).

15-20 Administrator's Guide for Oracle Access Management

Configuring and Managing Registered OAM Agents Using the Console

Figure 15–4 WebGate Search Controls and Create Button

If you do not know the exact name, you can use a wild card (*) in the search string.
From the search results table, you can choose an name to open and view or edit the
registration page.
The controls available on this page are described in Table 15–4. Most of the controls
apply to all three (WebGates, OSSO Agents and OpenSSO Agents) tabs; controls
specific to each tab are marked accordingly.
Table 15–4

Agent Search Controls

Control

Description

Create WebGate

Click to open a fresh WebGate registration page.

Create OSSO Agent

Click to open a fresh OSSO Agent registration page.

Create OpenSSO Agent

Click to open a fresh OpenSSO Agent registration page.

Name

Enter the name (or partial name and wild card (*)) as defined on the
registration page. For example: entering a* could return Agent_WebGate_
AccessDebugNew in the result table.

Version

Choose a WebGate version to narrow the search and results:

(Webgates tab only)

■

11g

■

10g

Preferred Host
(Webgates tab only)

Enter all (or part of with a wild card (*)) hostname as it appears in HTTP
requests. For example: iam* could return IAMSuiteAgent in the result
stable.

State

Choose a state to narrow the search and results:

(Webgates tab only)

■

Enabled

■

Disabled

Primary Server

Enter the entire (or partial with a wild card (*)) Primary Server name.

(Webgates tab only)
Secondary Server

Enter the entire (or partial with a wild card (*)) Secondary Server name.

(Webgates tab only)
Agent ID

Enter the entire (or partial with a wild card (*)) Agent ID value.

(OSSO Agents tab only)

Registering and Managing OAM 11g Agents

15-21

Configuring and Managing Registered OAM Agents Using the Console

Table 15–4 (Cont.) Agent Search Controls
Control

Description

Agent Type

Select the target Agent type:

(OpenSSO Agents tab only)

■

J2EE

■

Web

Before you begin, the Agent must be a registered agent of Access Manager.
1.

In the Oracle Access Management Console, click Application Security at the top of
the window.

2.

In the Application Security console, click Agents.

3.

If not already displayed, select the desired agent type tab.

4.

Find:
■
■

■

■

■

All Enabled: Select Version All, State All, and click the Search button.
An Agent ID (OSSO Agents tab only): enter the desired Agent ID into the
Agent ID field.
An Agent Type (OpenSSO Agents tab only): from the Agent Type drop-down
list, select J2EE or Web, as appropriate for your search.
A WebGate Version: From the Version list, choose 10g or 11g and click the
Search button.
An Agent/WebGate Name: In the text field, enter the exact name of the
instance you want to find and click the Search button. For example:
my_OAM_WebGate

5.

Click the Search Results tab to display the results table, then:
■

■

■
■

6.

Edit or View: Click the Edit command button in the tool bar to see the
configuration page.
Delete: Proceed to "Deleting OAM Agent Registration Using the Console" on
page 15-23.
Detach: Click Detach in the tool bar to expand the table to a full page.
Reconfigure Table: Select a View menu item to alter the appearance of the
results table.

Apply any changes (or dismiss the page) when you finish.

15.4.3 Viewing or Editing an OAM Agent Registration Page in the Console
This procedure is the same whether you are editing a WebGate or Access Client
registration. Users with valid Administrator credentials can change any setting for
registered WebGates and programmatic Access Clients using the Oracle Access
Management Console, as described in the following procedure. For example, you
might want to revise the time-out threshold or other settings used by the OAM Proxy.
After changes, updated details are propagated through a runtime configuration
update process. There is usually no need to copy the artifacts over to the WebGate
configuration area. (Artifacts need only be copied to the WebGate directory path if the
agent name, access client password, or security mode is changed.)

15-22 Administrator's Guide for Oracle Access Management

Configuring and Managing Registered OAM Agents Using the Console

All changes made using the Oracle Access Management
Console are taken up without restarting the application server, and are
reflected automatically after the reconfiguration time-out period.

Note:

Before you begin, the agent must be registered and available in the Oracle Access
Management Console.
See Also:
■

1.

About Create OAM WebGate Page and Parameters

From the Oracle Access Management Console, click SSO Agents.
a.

Double-click OAM Agents node to display the Search page.

b.

Find the Registration: See "Searching for an OAM Agent Registration".

c.

Click the Agent name in the results table to open the page.

2.

Modify Agent details, and Primary or Secondary Server details, as needed
(Table 15–1, Table 15–3).

3.

User-Defined Parameters: Add or modify these as desired (Table 15–2).

4.

Click Apply to submit changes and dismiss the Confirmation window (or close
the page without applying changes).

5.

Copy the artifacts as follows (or install WebGate with the same specifications, then
copy artifacts), including any Simple or Cert mode files. For example, Open mode
files include:
Agent & Artifacts

Artifacts

11g WebGate/Access Client

From the AdminServer (Console) host:

ObAccessClient.xml and
cwallet.sso
10g WebGate/Access Client
ObAccessClient.xml

$DOMAIN_HOME/output/$Agent_Name/
To the Agent host: $11gWG_install_dir/WebGate/config.
From the AdminServer (Console) host:
$DOMAIN_HOME/output/$Agent_Name/

Note: Go to Chapter 30 before To the Agent host
completing this task.
$10gWG_install_dir/oblix/lib/ObAccessClient.xml
6.

Proceed as needed for your deployment:
Part VI, "Managing Access Manager SSO, Policies, and Testing".

15.4.4 Deleting OAM Agent Registration Using the Console
Users with valid Administrator credentials can perform the following procedure to
delete a registered WebGate or Access Client from the Oracle Access Management
Console.
Deleting an agent registration removes only the registration
(not the associated host identifier, Application Domain, resources, or
the agent itself).

Note:

Registering and Managing OAM 11g Agents

15-23

Understanding the Remote Registration Tool, Modes, and Process

See Also:
■

Understanding OAM Agent Registration Parameters in the
Console

Before you begin, evaluate the Application Domain, resources, and policies associated
with this agent and ensure that these are configured to use another agent (or be
removed).
1.

2.

In the Oracle Access Management Console, click Application Security at the top
of the window.
a.

In the Application Security console, click Agents to display the Search page.

b.

Find the Registration: See "Searching for an OAM Agent Registration".

c.

Select the desired registration from the results table, and open it to confirm it
is the right agent to remove, close the page.

d.

Select the name in the results table, click the Delete (X) button, check the
Confirmation dialog and then close the page.

e.

Confirm the Agent name is no longer listed in the navigation tree.

Remove the 10g Agent Instance: Perform the following steps (see "Removing a
10g WebGate from the Access Manager 11g Deployment" on page 30-27, if
needed).
a.

Shut down the Web server.

b.

Remove WebGate software using the utility provided in the following
directory path:
$WebGate_install_dir/oui/bin
Windows: setup.exe -d
Unix: runInstaller -d

c.

Revert to the httpd.conf version before updates for WebGate. For example:
Copy: httpd.conf.ORIG
To: httpd.conf

d.

Restart the Web server.

e.

On the agent host, manually remove the WebGate instance directory:
11g WebGate/Access Client: $11gWebGate_instance_dir/WebGate/config.
10g WebGate/Access Client: $WebGate_install_dir/oblix/lib/

15.5 Understanding the Remote Registration Tool, Modes, and Process
As an alternative to using the console for agent registration, you can use the remote
registration utility, oamreg, with Oracle-provided templates. Administrators using the
Oracle Access Management Console or remote registration utility must have
credentials stored in the System Store (Chapter 5).
This section provides details about remote registration in the following topics:
■

About Remote Registration Command Arguments and Modes

■

Common Elements within Remote Registration Request Templates

■

About Key Use, Generation, Provisioning, and Storage

15-24 Administrator's Guide for Oracle Access Management

Understanding the Remote Registration Tool, Modes, and Process

See Also:

"Introduction to Remote Registration" on page 14-8

15.5.1 About Remote Registration Command Arguments and Modes
Before using the remote registration tool, two environment variables within the script
must be set as shown in the samples in Table 15–5, which presume the location of the
tool to be $OAM_REG_HOME on a Linux system. Your environment might be
different.
Table 15–5

Environment Variables to Set within oamreg

Environment Variable

Description

OAM_REG_HOME

The directory under which RREG.tar was exploded, followed by
/rreg:
$OAM_HOME/oam/server/rreg/client/rreg

JAVA_HOME

The location where Java is located on the client computer. For
example: $WLS_HOME/Middleware/jdk160_11.
Note: $JAVA_HOME should point to JDK 1.6. (JDK 1.7 can also be
used in R2PS3.)

Additionally, before using the remote registration tool, you must modify several tags
in the request file, as described later (Table 15–9).
The arguments required to run the remote registration script are listed in Table 15–6.
Table 15–6

Remote Registration Command Arguments: mode

Arguments

Description

mode

Either:

input/filename.xml

■

inband

■

outofband

Either the absolute path to the input file (*request.xml or an
agentName_Response.xml), or the path relative to the value of $OAM_
REG_HOME.
The preferred location is $OAM_REG_HOME/input

The sample commands illustrated in Table 15–7 presume the location of the tool to be
$OAM_REG_HOME on a Linux system.
Table 15–7

Remote Registration Command Samples

Command Type

Sample (on Linux)

In-band Administrator In-band
Request

./bin/oamreg.sh inband input/*Request.xml

In-band Administrator
Submitted Request

./bin/oamreg.sh outofband input/starting_request.xml

Out-of-band Administrator
Returned Response

./bin/oamreg.sh outofband input/agentName_Response.xml

Registering and Managing OAM 11g Agents

15-25

Understanding the Remote Registration Tool, Modes, and Process

Table 15–7 (Cont.) Remote Registration Command Samples
Command Type

Sample (on Linux)

[prompt_flag] value:
[-noprompt]

Optional. When -noprompt is used, oamreg does not wait for prompts
(password, and so on). Instead these values can be piped in, either from
an input file or from the command line itself using an echo command.
Examples from $OAM_REG_HOME location:
(echo username; echo password; echo WebGate_password;) |
./bin/oamreg.sh inband input/Request.xml -noprompt
config.file
(echo username; echo password; echo WebGate_password; echo
httpscert_trust_prompt;) | ./bin/oamreg.sh inband
input/Request.xml -noprompt
(echo username; echo password; echo WebGate_password; echo
cert_password;) | ./bin/oamreg.sh inband input/Request.xml
-noprompt
(echo username; echo password; echo WebGate_password; echo
httpscert_trust_prompt; echo cert_password;) |
./bin/oamreg.sh inband input/Request.xml -noprompt
See Also: "Updating Agents Remotely" on page 15-38

After launching the script, Administrators are prompted for a
username and password (unless -noprompt is used as shown in
Table 15–7.)
Note:

After running the script, messages inform you of success or failure. Following a
successful registration or update, you must copy the artifacts to the Agent host, as
outlined in "Updating Agent Configuration Files" on page 14-10.

15.5.2 Common Elements within Remote Registration Request Templates
Table 15–8, shows the global elements that are common within all remote registration
request files, regardless of agent type.
Note: In Table 15–8, descriptions of each element are omitted; see
Table 15–1.

Table 15–8

Common Elements in Remote Registration Requests

Element

Example



http://{oam_admin_ser
ver_host}:{oam_admin_server_port}




RREG_OAM



RREG_HostId11G


Extended Templates Only


http://{web_server_
host):(web_server_port}


15-26 Administrator's Guide for Oracle Access Management

Understanding the Remote Registration Tool, Modes, and Process

Table 15–8 (Cont.) Common Elements in Remote Registration Requests
Element

Example



true




RREG_OAM11G




false

15.5.3 About Key Use, Generation, Provisioning, and Storage
Each registered agent has a symmetric key, regardless of the registration method
(Oracle Access Management Console versus remote registration).
Each application will have a symmetric key whether it is protected through mod_osso,
or an OAM Agent. This key is generated by the registration tool. Storage of the
application mapping, key, and type of Agent persists in the system configuration for
retrieval as needed. The following sections contain details.
■

About Key Use

■

About Key Generation

■

About Key Accessibility and Provisioning

■

About Key Storage

15.5.3.1 About Key Use
Each 11g WebGate agent has its own secret key that is shared between the agent and
the OAM Server. If one 11g WebGate is compromised, other 11g WebGates are
unaffected. The following presents an overview:
■

■

Encrypt/Decrypt the host-based WebGate-specific OAMAuthnCookie_
_.
Encrypt/Decrypt the data that is redirected between WebGate and OAM Server.

15.5.3.2 About Key Generation
Figure 15–5 illustrates the process of key generation, which occurs automatically when
the agent is registered, regardless of the method used (Oracle Access Management
Console versus remote registration). There is one symmetric key per agent.

Registering and Managing OAM 11g Agents

15-27

Understanding the Remote Registration Tool, Modes, and Process

Figure 15–5 Key Generation

15.5.3.3 About Key Accessibility and Provisioning
Each Agent specific key must be accessible to the corresponding WebGate through a
secure local storage on the client machine. Cryptographic keys are not stored in the
data store. Instead, an alias to an entry in a Java keystore or CSF repository is stored;
the Partner and Trust Management API obtain the actual key when it is requested. The
agent specific secret key:
■

■
■

■

Is provisioned during remote registration (either in-band mode or out-of-band
mode)
Is unique so that it can uniquely identify each agent.
Is distributed securely back to the agent (either through the wire during in-band
mode or through a separate secure channel during out-of-band mode).
Is saved in the Oracle Secret Store, in the SSO wallet. SSO wallet creation applies
only to 11g WebGates (not to 10g WebGates or other agent types).
The Oracle Secret Store is a container that consolidates the
storage of secret keys and other security-related secret information
inside the Oracle Wallet, not in plain-text. The SSO wallet relies on
underlying file system security to protect its data. Opening this wallet
does not require a password. The SSO wallet depends on the
operating system and file permissions for its security.

Note:

■

Is saved in the Oracle Secret Store, in an auto-login editable SSO wallet, upon
completion of registration.

15.5.3.4 About Key Storage
The SSO wallet containing the agent key must be located in cwallet.sso, in the
directory with ObAccessClient.xml in WebGate_instance_dir/WebGate/config (for
example, $WebTier_MW_Home/Oracle_WT1/instances).

15-28 Administrator's Guide for Oracle Access Management

Understanding Remote Registration Templates: OAM Agents

The SSO wallet does not require a user password, and should be protected with the
proper file permission (700) or registry on Windows.

15.6 Understanding Remote Registration Templates: OAM Agents
Oracle provides both a short and extended registration request template for use with
the remote agent registration tool: oamreg.sh (Linux) or oamreg.bat (Windows). This
topic focuses on OAM Agent templates (WebGates and Access Clients).
Regardless of the template you choose (short or extended), only a few differences exist
between 11g and 10g OAM Agent templates, listed in Table 15–9 and stored in $OAM_
REG_HOME/input/.
Table 15–9

Remote Registration Request Templates for OAM Agents

Template Type

Template Name in $OAM_REG_HOME/input/

Abbreviated (Short) Form

OAM11GRequest_short.xml (11g WebGates)
OAMRequest_short.xml (10g WebGates)

Extended (Full) Form

OAM11gRequest.xml (11g WebGates)
OAMRequest.xml (10g WebGates)

Other Templates

For a look at these specialized tasks and templates, see:

Update Agent

■

Create Policies, Update Policies

■

Out-of-band Response

■

"Updating Agents Remotely" on page 15-38
"Managing Policies and Application Domains Remotely" on
page 25-82
"Performing Out-of-Band Remote Registration" on page 15-35

Despite being nearly identical for both 10g and 11g WebGates,
be sure to copy and use the appropriate request for your release.

Note:

15.6.1 OAM Agent Parameters for Remote Registration
Table 15–10 describes elements specific to OAM Agent remote registration requests.
Element names in request templates might differ slightly from counterparts in the
Oracle Access Management Console. Unless explicitly stated, all information applies
equally to requests for both 10g and 11g WebGates/Access Clients. Protected, public,
and excluded resource lists are included in both the short and extended request
templates for OAM Agents.
Note:

Descriptions of elements in Table 15–10 are in Table 15–3.

Registering and Managing OAM 11g Agents

15-29

Understanding Remote Registration Templates: OAM Agents

Table 15–10

Elements in Extended OAM Agent Remote Registration Requests

Element

Example



See Table 15–8, " Common Elements in Remote Registration Requests".












host1
7777

host2
7778






/





/public/index.html






/excluded/index.html





{client_domain}


10g Request Only
In OAMRequest.xml (10g WebGates)
 is also used as preferred HTTP
host


100000




1800



3600


11g Request Only

10g WebGate only, Chapter 30

3600




1



24



3600>


1


-

-1




60



false

15-30 Administrator's Guide for Oracle Access Management

Understanding Remote Registration Templates: OAM Agents

Table 15–10

(Cont.) Elements in Extended OAM Agent Remote Registration Requests

Element

Example



open

1




false/



no-cache




no-cache


0




10,11,11,11
10,11,11,12
10,11,11,13





/logout1.html
/logout2.html




/oam_logout_success


11g Request Only

11g Request Only
User-Defined Parameter Names

end_url

Examples


...
...


MaxPostDataLength



MaxPostDataLength
750000


maxSessionTimeUnits


maxSessionTimeUnits
hours


useIISBuiltinAuthentication


useIISBuiltinAuthentication

false


idleSessionTimeoutLogic


idleSessionTimeoutLogic

leastComponentIdleTimeout



10g WebGates only

URLInUTF8Format


URLInUTF8Format
true


Registering and Managing OAM 11g Agents

15-31

Performing Remote Registration for OAM Agents

Table 15–10

(Cont.) Elements in Extended OAM Agent Remote Registration Requests

Element

Example

inactiveReconfigPeriod


inactiveReconfigPeriod
10


Shared secret applies to only 10g WebGate
Configuration applies to only 11g WebGate.
WaitForFailover


WaitForFailover
-1


proxySSLHeaderVar


proxySSLHeaderVar
IS_SSL


client_request_retry_attempts


client_request_retry_attempts 
1


ContentLengthFor401Response


ContentLengthFor401Response

0


SUN61HttpProtocolVersion


SUN61HttpProtocolVersion

1.0


impersonationCredentials


username:password

cred


UseWebGateExtForPassthrough


UseWebGateExtForPassthrough

false


syncOperationMode


syncOperationMode
false


filterOAMAuthnCookie


filterOAMAuthnCookie
true


11g Request only.

15.7 Performing Remote Registration for OAM Agents
This section includes the following topics describing how to perform remote
registration, which is similar regardless of the agent type:
■

Acquiring and Setting Up the Remote Registration Tool

■

Creating Your Remote Registration Request

■

Performing In-Band Remote Registration

■

Performing Out-of-Band Remote Registration

15-32 Administrator's Guide for Oracle Access Management

Performing Remote Registration for OAM Agents

15.7.1 Acquiring and Setting Up the Remote Registration Tool
The oamreg client tool can be used anywhere, not just on the OAM Server. If the
oamreg home is already exploded, you can use the following procedure to acquire and
update the oamreg script for your operating system:
Windows: oamreg.bat
Linux: oamreg.sh
Oracle Recommends using the latest tool and files by applying
the latest bundle patch and untarring RREG.tar.gz again as described
here.

Note:

For remote registration, two variables are required: JAVA_HOME and OAM_REG_
HOME, as described in Table 15–11.
Table 15–11

Variables Required for Remote Registration

Location

Variable

Description

Client Side

JAVA_HOME

The JDK 1.6 location on the computer that relies on
$JAVA_HOME already set in the environment. (JDK 1.7
can also be used in R2PS3.)

OAM_REG_HOME

The absolute file location for RREG HOME (directory
under which RREG.tar was exploded, followed by /rreg
and one directory above where the scripts reside).
For example:
$OAM_HOME/oam/server/rreg/client/rreg
If $ORACLE_IDM_HOME is $MW_HOME/Oracle_IDM:
export $OAM_REG_HOME=$MW_HOME/Oracle_
IDM/oam/server/rreg

rreg folder location
(not RREG.tar.gz
location)

JAVA_HOME

Relies on $JAVA_HOME already set in the environment.

OAM_REG_HOME

Is already set in the script during the installation.

See Also: "About Remote Registration Command Arguments and
Modes" on page 15-25
1.

Locate RREG.tar.gz file in the following path:
$ORACLE_HOME/oam/server/rreg/client/RREG.tar.gz

2.

Untar RREG.tar.gz file, which creates directories beneath /client containing the
required tool and templates.

3.

In the oamreg script (.../rreg/client/rreg/bin) set environment variables as
follows:
a.

Set JAVA_HOME to JDK 1.6 (Table 15–11).
JDK 1.7 can also be used in R2PS3.

b.
4.

Set OAM_REG_HOME to the exploded_dir_for_RREG.tar/rreg based on your
environment (client side or server side Table 15–11).

Proceed with "Creating Your Remote Registration Request".

Registering and Managing OAM 11g Agents

15-33

Performing Remote Registration for OAM Agents

15.7.2 Creating Your Remote Registration Request
You can use the following procedure to create an appropriate *Request*.xml file to
provide input for the specific agent you want to register.
Before you begin, read "Understanding Remote Registration Templates: OAM Agents."
1.

Locate the required *Request*.xml input file for the agent you want to register:
Regardless of the template you choose (short or extended), only a few differences
exist between 11g and 10g agent templates stored in $OAM_REG_HOME/input/. For
example:
OAM11GRequest.xml

2.

Copy the request file to a new name. For example:
From: OAM11GRequest.xml
To: my11gagent_request.xml

3.

In the Request file, modify information to reflect details for your agent and the
resources to protect using details in:
■
■

4.

Table 15–9, " Remote Registration Request Templates for OAM Agents"
Table 15–10, " Elements in Extended OAM Agent Remote Registration
Requests"

Proceed with task needed for your environment:
■

Performing In-Band Remote Registration

■

Performing Out-of-Band Remote Registration

15.7.3 Performing In-Band Remote Registration
The OAM Administrator within the network performs all tasks. This section provides
the steps to perform in-band remote registration, regardless of agent type. For this
example, an OAM Agent is being registered using the short request on a Linux system.
Your agent type, request template, and output files will be different.
See Also: Oracle Fusion Middleware Installation Guide for Oracle
Identity and Access Management chapter "Installing and Configuring
Oracle HTTP Server 11g WebGate for OAM"

Before you begin, read:
■

Acquiring and Setting Up the Remote Registration Tool

■

Creating Your Remote Registration Request

1.

On the computer hosting the Agent, run the registration command and specify
your own *Request*.xml as the input file. For example:
./bin/oamreg.sh inband input/myagent_request.xml

2.

Provide the registration Administrator user name and password when asked.
Example 15–1 illustrates a sample rreg registration output.

Example 15–1

rreg registration Sample Output

Welcome to OAM Remote Registration Tool!
Parameters passed to the registration tool are:
Mode: inband

15-34 Administrator's Guide for Oracle Access Management

Performing Remote Registration for OAM Agents

Filename: /scratch/work/mw1916/idm1385/oam/server/rreg/input/1.xml
Enter admin username:oamadminuser
Username: oamadminuser
Enter admin password:
Do you want to enter a Webgate password?(y/n):
n
Do you want to import an URIs file?(y/n):
n
---------------------------------------Request summary:
OAM Agent Name:RREG_1234
URL String:RREG_1234
Registering in Mode:inband
Your registration request is being sent to the Admin server at:
http://slc01huw.us.example.com:20081
---------------------------------------Inband registration process completed successfully! Output artifacts are created
in the output folder.

The output folder is in the same location where RREG.tar.gz was expanded:
/rreg/output/AgentName/
3.

Review the native configuration file created for the agent in the
/rreg/output/AgentName/ folder.

4.

Finalize Registration: Perform the following steps to replace the earlier agent
configuration file if it is not already replaced:
a.

Copy artifacts in /rreg/output/AgentName/ to update the agent
configuration. For example:
From the AdminServer (Console) host
/rreg/output/Agent_Name/ObAccessClient.xml and cwallet.sso
To the Agent host: $11gWG_install_dir/WebGate/config. For example:
$WebTier_MW_Home/Oracle_WT1/instances/instance1
/config/OHS/ohs1/WebGate/config

b.
5.

Restart the OAM Server hosting the agent.

Proceed with "Validating Remote Registration and Resource Protection".

15.7.4 Performing Out-of-Band Remote Registration
This section provides steps for Administrators outside (and inside) the network as
they work together to register an agent remotely.
During out-of-band remote registration, an administrator outside the network submits
a registration request to an Administrator within the network. After processing the
request, the in-band Administrator returns the following files to the out-of-band
Administrator to configure his environment:
Table 15–12

Files Returned by in-band Administrator to out-of-band Administrator

File

Description

agentName_Response.xml

Returned to, and used by, the out-of-band Administrator. Oracle
recommends that you do not open or edit agentName_Response.xml.

Registering and Managing OAM 11g Agents

15-35

Performing Remote Registration for OAM Agents

Table 15–12

(Cont.) Files Returned by in-band Administrator to out-of-band

File

Description

Native Web server configuration
files

Returned to, and used by, the out-of-band Administrator to update
his Web server.

See Also

"Updating Agent Configuration Files" on page 14-10

The steps performed by each Administrator are identified:
■

■

In-Band Administrator: Identifies a task performed by the Web server
Administrator within the network.
Out-of-Band Administrator Identifies a task performed by the Web server
Administrator outside the network
See Also: Oracle Fusion Middleware Installation Guide for Oracle
Identity and Access Management chapter "Installing and Configuring
Oracle HTTP Server 11g WebGate for OAM"

Steps here illustrate registering an OAM Agent on a Linux system. Your templates and
output files will be different.
Before you begin, read "Acquiring and Setting Up the Remote Registration Tool."
See Also: Part VII, "Registering and Using Agents with Access
Manager", if needed.
1.

Out-of-Band Administrator: Create and send your starting_request.xml file to the
in-band Administrator for processing (see "Creating Your Remote Registration
Request" on page 15-34):
$WLS_Home/Middleware/Oracle_
$IDM1/oam/server/rreg/client/rreg/output/AgentName/starting_request.xml

2.

In-Band Administrator:
a.

Run the registration command and specify the out-of-band Administrator's
starting_request.xml as the input file. For example:
./bin/oamreg.sh outofband input/starting_request.xml

b.

Provide the Registration Administrator user name and password when asked.

c.

Read messages on-screen to confirm:
Success: "... registration process completed successfully!
Response.xml location: "... created in input folder ..."
The input folder is in the same location where RREG.tar.gz was expanded:
/rreg/input/

d.

Return the agentName_Response.xml file to the out-of-band Administrator
along with any other artifacts. For example:
agentName_Response.xml

3.

Out-of-Band Administrator: Updates the environment, as follows.
a.

On the computer hosting the Agent, run the remote registration command and
specify the received agentName_Response.xml as the input file. For example:
./bin/oamreg.sh outofband input/agentName_Response.xml

15-36 Administrator's Guide for Oracle Access Management

Introduction to Updating Agents Remotely

b.

Copy artifacts generated in /rreg/output/AgentName/ to update the agent
configuration (), then restart the OAM Server hosting the agent. For example,
ObAccessClient.xml and cwallet.sso:
From the AdminServer (Console) host /rreg/output/Agent_
Name/ObAccessClient.xml and cwallet.sso
To the Agent host: $11gWG_install_dir/WebGate/config. For example:
$WebTier_MW_Home/Oracle_WT1/instances/instance1
/config/OHS/ohs1/WebGate/config

c.

Proceed with "Validating Remote Registration and Resource Protection".

15.8 Introduction to Updating Agents Remotely
Several remote management modes are provided to help Administrators quickly
update, validate, or delete an existing agent registration. This section provides the
following topics:
■

About Remote Agent Update Modes

■

About Remote 11g OAM Agent Updates Template

15.8.1 About Remote Agent Update Modes
Table 15–13 presents remote agent management modes. Command parameters include
the mode, input *Request.xml file (a relative path with respect to $OAM_REG_HOME,
the preferred location for the input *Request.xml files):
./oamreg.sh   [prompt_flag] [component.oam.config_file] 
value
Table 15–13

Remote Agent Update Modes and Input Files

Mode and Input Files

Description and Syntax

agentUpdate mode

Allows Administrators to update existing agent attributes, regardless
OAM11GUpdateAgentRequest.xml of agent type:
./bin/oamreg.sh agentUpdate input/*UpdateAgentRequest.xml
OAMUpdateAgentRequest.xml
See Also:
OpenSSOUpdateAgentRequest, Chapter 28
OSSOUpdateAgentRequest, Chapter 29

agentValidate mode
No input file needed.

Validates whether the agent is already provisioned in Oracle Access
Manager:
./bin/oamreg.sh agentValidate agentname

agentDelete mode
No input file needed.

Allows Administrators to delete the agent registration:
./bin/oamreg.sh agentDelete agentname

15.8.2 About Remote 11g OAM Agent Updates Template
You use OAM11GUpdateAgentRequest.xml to pass specific Agent-update values to the
remote registration tool, oamreg. The primary differences between the update request
and the original registration request is that the update request.
Table 15–14

Delta: OAM Agent Update versus Registration Request

Delta

Element

Adds



Registering and Managing OAM 11g Agents

15-37

Updating Agents Remotely

Table 15–14

(Cont.) Delta: OAM Agent Update versus Registration Request

Delta

Element

Omits





 and application domain-related elements



See Also:
■

Table 15–3, " Elements on Expanded 11g and 10g WebGate/Access
Client Registration Pages"

15.9 Updating Agents Remotely
This section provides the following topics for agents registered with Access Manager,
regardless of agent type:
■

Updating Agent Registrations Remotely

■

Validating an Agent Registration Remotely

■

Removing an Agent Registration Remotely

15.9.1 Updating Agent Registrations Remotely
This topic provides the steps to update agents registered with Access Manager,
regardless of agent type. Before you begin, review "About Remote Agent Update
Modes."
See Also:
■

Chapter 28, "Registering and Managing Legacy OpenSSO Agents"

■

Chapter 29, "Registering and Managing Legacy OSSO Agents"

■

"Managing 10g OAM Agents Remotely" on page 30-13

1.

Set up the registration tool as described in, "Acquiring and Setting Up the Remote
Registration Tool" on page 15-33.

2.

Create your update request using one of the following templates:

3.

■

OAM11GUpdateAgentRequest.xml

■

OAMUpdateAgentRequest.xml (10g) Chapter 30

■

OSSOUpdateAgentRequest.xml Chapter 29

■

OpenSSOUpdateAgentRequest.xml Chapter 28

On the computer hosting the Agent, run the following command with
agentUpdate mode specify your own *Request*.xml as the input file. For example:
./bin/oamreg.sh agentUpdate input/*UpdateAgentRequest.xml

4.

Provide the registration Administrator user name and password when asked.

15-38 Administrator's Guide for Oracle Access Management

Updating Agents Remotely

5.

Read the messages on-screen to confirm:
■

Success: On-screen message confirms
agentUpdate process completed successfully!
Native Configuration File Location: "... created in output folder
..."
The output folder is in the same location where RREG.tar.gz was expanded:
/rreg/output/AgentName/

6.

Finalize Agent Registration: Copy the updated ObAccessClient.xml and
cwallet.sso.
From the AdminServer (Console) host:

/rreg/output/Agent_Name/

To the Agent host: $11gWG_install_dir/WebGate/config. For example:
$WebTier_MW_Home/Oracle_WT1/instances/instance1/
config/OHS/ohs1/WebGate/config
7.

Restart the OAM Server that is hosting this agent and proceed to "Validating an
Agent Registration Remotely".

15.9.2 Validating an Agent Registration Remotely
This topic provides the steps to validate agent registration, regardless of agent type.
Before you begin, review "About Remote Agent Update Modes."
1.

Set up the registration tool as described in, "Acquiring and Setting Up the Remote
Registration Tool" on page 15-33.

2.

On the Agent host, run the following command in agentValidate mode. For
example:
./bin/oamreg.sh agentValidate agentname

3.

Provide the registration Administrator user name and password when asked.

4.

Read the messages on-screen to confirm:
■

Success: On-screen message confirms
AgentValidation process completed successfully!

15.9.3 Removing an Agent Registration Remotely
This topic provides the steps to remove a registered agent, regardless of agent type.
Before you begin, review "About Remote Agent Update Modes."
1.

Set up the registration tool as described in, "Acquiring and Setting Up the Remote
Registration Tool" on page 15-33.

2.

On the computer hosting the Agent, run the following agentDelete command. For
example:
./bin/oamreg.sh agentDelete agentname

3.

Provide the registration Administrator user name and password when asked.

4.

Read the messages on-screen to confirm:
■

Success: On-screen message confirms
AgentDelete process completed successfully!
Registering and Managing OAM 11g Agents

15-39

Validating Remote Registration and Resource Protection

15.10 Validating Remote Registration and Resource Protection
You can use the following sections as a guide to validate registration of an agent
regardless of the agent type. You must be an in-band Administrator to perform tasks
using the Oracle Access Management Console. Out-of-band Administrators must test
authentication and access remotely.
■

Validating Agent Registration using the Oracle Access Management Console

■

Verifying Authentication and Access After Remote Registration

15.10.1 Validating Agent Registration using the Oracle Access Management Console
Only an in-band Administrator can use the following procedure.
Chapter 25, "Managing Policies to Protect Resources and
Enable SSO"

See Also:

1.

Validate Agent Registration in the Oracle Access Management Console:
a.

Confirm Agent details under Application Security in the Oracle Access
Management Console.

b.

Confirm the updated Agent configuration files are in the appropriate location,
as described in "Performing Remote Registration for OAM Agents".

2.

Validate Shared Components, Host identifier: Confirm that the host identifier is
defined in the Oracle Access Management Console.

3.

Validate Application Domain: Under the Policy Configuration tab, confirm there
is a new Application Domain named after the registered agent. Resources in the
Application Domain should be associated with the host identifier.

4.

Proceed with "Verifying Authentication and Access After Remote Registration".

15.10.2 Verifying Authentication and Access After Remote Registration
After registration, protected resource should be accessible with proper authentication
without restarting the AdminServer or OAM Server. Both in-band and out-of-band
Administrators can use the following procedure to validate proper registration and
policies.
The procedure here provides several methods for confirming that registration,
authentication, and authorization are properly configured and operational. The
procedures is nearly identical for all agent types.
1.

Enter the URL for an application protected by the registered OAM Agent to
confirm that the log in page appears (proving that the authentication redirect URL
was specified appropriately). For example:
http://exampleWebserverHost.sample.com:8100/resource1.html

2.

On the Log In page, enter a valid username and password when asked, and click
Login.

3.

Check the OAM specific cookies are created in the browser session. For example:
ObSSOCookie:
Set-Cookie:
ObSSOCookie=GGVEuvjmrMe%2FhbItbjT24CBmJo1eCIfDIwQ1atdGdnY4mt6kmdSekSFeAAFvFrZZZ
xDfvpkfS3ZLZFbaZU2rAn0YYUM3JUWVYkYFwB%2BBK7V4x%2FeuYHj%2B8gwOyxhNYFna3iSx1MSZBE
y51KTBfsDYOiw6R%2BCxUhOO8uZDTYHI3s0c7AQSyrEiQTuUV3nv1omaFZlk1GuZa4J7ycaGbIUyqwX

15-40 Administrator's Guide for Oracle Access Management

Validating Remote Registration and Resource Protection

rM0cKuBJNd6sX1LiRj9HofYQsvUV7ToqeAOpDS7z9qs5LhqU5Vq60bBn12DTX6zNX6Lcc0L5tVwvh7%
2BnOAkz2%2BoDkLs%2BBTkeGcB3ppgC9;httponly; path=/; domain=.example.com;

OAM_ID Cookie:
Set-Cookie:
OAM_ID=v1.0~0~E1EBBC9846E09857060A68E79AEEB608~AA79FC43C695162B6CDE3738F40E94DA
6408D58B879AC3B467EBBD4800743C899843672B3511141FFABCF58B2CDCB700C83CC734A913625
7C4ABDA6913C9EF5A4E05C5D03D3514F2FECACD02F1C1B9314D76B4A68CB7A8BE42AEB09AFB98B8
EB; path=/; HttpOnly
4.

Proceed as follows:
■

■

Success: If you authenticated successfully and were granted access to the
resource; the configuration is working properly. Proceed with Steps 5 through
12 for further validations.
Failure: If you received an error during login or were denied access to the
resource, check the following:
–

Login Error: Confirm that you provided a valid user id and password.

–

Unavailable Resource: Confirm that the resource is available.

–

Wrong Redirect URL: Verify the redirect URL in the Oracle Access
Management Console.

5.

User Variations: Perform steps 1 through 4 again with user variations to confirm
appropriate behavior (either success for authorized users or failure for
unauthorized users).

6.

Request Cancellation: Perform a partial log in and click Cancel to confirm that the
resource is not accessed.

7.

Modified Authentication URL: Enter a nearly identical authentication URL as
you perform Steps 1 through 5 to confirm appropriate response. For example, add
a character to the URL string.

8.

Updated Resource: Perform the following steps to ensure the resource is
accessible. For example:
Original Resource: /abc/test.html
Updated Resource: /abc/xyz/test.html
Without restarting the Oracle WebLogic Server:
■

■

9.

Access the updated resource and confirm the user is asked to authenticate and
the resource is accessible.
Access the original resource and confirm that the resource is accessible and the
user is not asked for authentication.

Various URL Patterns: Verify authentication for various URL patterns as you
perform steps 1 through 5.

10. New Authentication Scheme: Perform the following steps to confirm

authentication operations without restarting the WebLogic Server.
■

Add a new authentication policy that uses a different Authentication Scheme.

■

Protect the resource using the new policy.

■

Without restarting the Oracle WebLogic Server, perform steps 1 through 4.

Registering and Managing OAM 11g Agents

15-41

Replacing the IAMSuiteAgent with an 11g WebGate

Chapter 25, "Managing Policies to Protect Resources and
Enable SSO"

See Also:

11. CGI Resource Header Variable and Cookies: Perform the following steps to

confirm authentication operations without having to restart the WebLogic Server.
■

Add a new authentication policy to protect a Common Gateway Interface
(CGI) resource and set the Response for "Authentication Successful".

■

Protect the resource using the new policy.

■

Access the CGI resource.

■

Check for the header values configured for the response in a CGI data dump.

12. Agent Disabled: Perform the following steps to validate accessibility and

authentication if WebGate is disabled in ObAccessClient.xml (WebGate should
pick up the enabled value from oam-config.xml).
■

Disable the Agent State.

■

Start the Web server and OAM Server.

■

Access an application protected by the Agent and confirm that you are asked
to authenticate.

15.11 Replacing the IAMSuiteAgent with an 11g WebGate
You can skip this section if you are not replacing the IAMSuiteAgent with an 11g
WebGate.
Access Manager and Oracle Identity Manager are among the Oracle Fusion
Middleware 11g components. During initial configuration with the WebLogic Server
Configuration Wizard, the IAMSuiteAgent is registered with Access Manager 11g
along with the IDM domain host identifier and an Application Domain named for the
agent.
Oracle Fusion Middleware uses Access Manager to protected Oracle Identity
Management consoles out of the box using the IAMSuiteAgent.
To protect applications beyond containers, you can replace the IAMSuiteAgent with a
11g WebGate (to protect the same set of applications using the same Application
Domain and policies as the pre-registered IAMSuiteAgent). The following list is the
task overview for this section.
1.

Registering a Replacement 11g WebGate for IAMSuiteAgent

2.

Installing the Replacement 11g WebGate for IAMSuiteAgent

3.

Updating the WebLogic Server Plug-in Configuration

4.

Optional: Confirming the AutoLogin Host Identifier for an OAM / OIM
Integration

5.

Optional: Configuring OAM Security Providers for WebLogic

6.

Optional: Disabling IAMSuiteAgent

7.

Configuring Centralized Logout for 11g WebGates

8.

Verifying the Webgate Configuration

15-42 Administrator's Guide for Oracle Access Management

Replacing the IAMSuiteAgent with an 11g WebGate

15.11.1 Registering a Replacement 11g WebGate for IAMSuiteAgent
The following procedure walks through registering a replacement 11g WebGate using
the remote registration tool, in-band mode.
See Also:
■

Chapter 15 for more information about the remote registration
tool, processing, and request files

In this example, OAMRequest_short.xml is used as a template to create an agent named
11g4IAM, protecting /.../*, and declaring a public resource, /public/index.html. Your
values will be different.
To use IAM Suite policies with the replacement WebGate,
ensure that the WebGate registration is configured to use the
IAMSuiteAgent Host Identifier and Preferred Host.

Note:

1.

Acquire the Access Manager remote registration tool and set up the script for your
environment. For example:
a.

Locate RREG.tar.gz file in the following path:
$ORACLE_HOME/oam/server/rreg/client/RREG.tar.gz

b.

Untar RREG.tar.gz file to any suitable location. For example: exploded_dir_
for_RREG.tar/rreg/input/oamreg.

c.

In the oamreg script, set the following environment variables based on your
situation (client side or server side) and information in Table 15–5:
OAM_REG_HOME = exploded_dir_for_RREG.tar/rreg
JAVA_HOME = Java_location_on_the_computer

2.

Create the registration request and ensure that the autoCreatePolicy parameter is
set to false:
a.

Locate OAMRequest_short.xml and copy it to a new file. For example:
exploded_dir_for_RREG.tar/rreg/input/oamreg/

Copy: OAM11gRequest_short.xml
To: 11g4IAM.xml
b.

Edit 11g4IAM.xml to include details for your environment. For example, if you
are changing from the IAMSuiteAgent to an 11g WebGate Agent your request
might look like the following:

http://ruby.uk.example.com:7001
11g4IAM
11g4IAM
false
/oamsso/logout.html
...retain defaults for remaining elements...
...
...


Registering and Managing OAM 11g Agents

15-43

Replacing the IAMSuiteAgent with an 11g WebGate

See Also: "Creating Your Remote Registration Request" on
page 15-34
3.

Register the agent. For example:
a.

Locate the remote registration script.
Linux: rreg/bin/oamreg.sh
Windows: rreg\bin\oamreg.bat

b.

From the directory containing the script, execute the script using inband
mode. For example:
$ ./bin/oamreg.sh inband input/11g4IAM.xml
Welcome to OAM Remote Registration Tool!
Parameters passed to the registration tool are:
Mode: inband
Filename: ...

c.

When prompted, enter the following information using values for your
environment:
Enter your agent username: userame
Username: userame
Enter agent password: ********
Do you want to enter a WebGate password?(y/n)
n
iv.Do you want to import an URIs file?(y/n)
n

d.

Review the final message to confirm that this was a successful registration:
Inband registration process completed successfully! Output artifacts are
created in the output folder"

4.

Log in to the Oracle Access Management Console and review your new
registration:
a.

From the System Configuration tab, Access Manager section, open the OAM
Agents node and locate your agent registration.
See Also:

b.

"Searching for an OAM Agent Registration" on page 15-20

Double-click the agent's name to display the registration page and review the
details. For example:
If you install a fresh WebGate, enter matching details during
installation.

Note:

c.

5.

OAM Proxy Port—From the System Configuration tab, Common
Configuration section, double-click Server Instances and locate the port on
which the OAM Proxy is running.

Copy the artifacts as follows (or install WebGate with the same specifications, then
copy artifacts), as described in "Installing the Replacement 11g WebGate for
IAMSuiteAgent".

15-44 Administrator's Guide for Oracle Access Management

Replacing the IAMSuiteAgent with an 11g WebGate

Agent & Artifacts

Artifacts

11g WebGate/Access Client

From the AdminServer (Console) host:

ObAccessClient.xml and
cwallet.sso

6.

$DOMAIN_HOME/output/$Agent_Name/
To the Agent host: $11gWG_install_dir/WebGate/config

Proceed to "Updating the WebLogic Server Plug-in Configuration".

15.11.2 Installing the Replacement 11g WebGate for IAMSuiteAgent
After provisioning you must install the 11g WebGate to replace the IAMSuiteAgent.
During the installation, you must provide some of the same information for the
WebGate as you did when provisioning it. Following is the task overview.
1.

Install the 11g WebGate as described in Oracle Fusion Middleware Installation Guide
for Oracle Identity and Access Management.

2.

Replace IAMSuiteAgent Registration as described in "Updating the WebLogic
Server Plug-in Configuration".

15.11.3 Updating the WebLogic Server Plug-in Configuration
After provisioning and installing the 11g WebGate to replace the IAMSuiteAgent, the
mod_wl_ohs.conf file requires specific entries to instruct the WebGate Web server to
forward requests to the applications on the WebLogic Server.
The generic name of the WebLogic Server plug-in for Apache
is mod_weblogic. For Oracle HTTP Server 11g, the name of this
plug-in is mod_wl_ohs (the actual binary name is mod_wl_ohs.so).
Examples show exact syntax for implementation.

Note:

Example 15–2 illustrates the areas that must be changed using sample entries. Entries
for your environment will be different.
Example 15–2

Updates for the 11g WebGate in mod_wl_ohs.conf



SetHandler weblogic-handler
WebLogicHost ruby.uk.example.com
WebLogicPort
6162


SetHandler weblogic-handler
WebLogicHost ruby.uk.example.com
WebLogicPort
6162

...


You need similar Location entries for each of the URIs for all
the applications that were earlier accessed directly on the WebLogic
Server.

Note:

Registering and Managing OAM 11g Agents

15-45

Replacing the IAMSuiteAgent with an 11g WebGate

1.

Locate the mod_wl_ohs.conf file in the following path:
$OHS-INSTANCE_HOME/config/OHS/INSTANCE_NAME/mod_wl_ohs.conf

2.

Edit the file to include a Location element for each application URI that was
previously accessed directly on the WebLogic Server (see Example 15–2).

3.

Save the file.

4.

Restart the Web server.

5.

Proceed to the following task, as needed:
■

Confirming the AutoLogin Host Identifier for an OAM / OIM Integration

■

Configuring OAM Security Providers for WebLogic

15.11.4 Confirming the AutoLogin Host Identifier for an OAM / OIM Integration
This topic describes how to confirm (or configure) Oracle Identity Manager (OIM)
automatic login functionality when you have Access Manager integrated with OIM.
Skip this step if you do not have Access Manager 11g
integrated with Oracle Identity Manager 11g.

Note:

The AutoLogin functionality when Oracle Identity Manager is integrated with Access
Manager 11g requires the 10g WebGate Web server host name and port in the list of
host identifiers for the IAMSuiteAgent.
If you have a load balancer in front of the 11g WebGate Web
server, you must also include the load balancer's host name and port
during Step 3.

Note:

The agentBaseUrl parameter is used to update a given Host Identifier. However, if
automatic policy creation is set to false, the remote registration utility does not create
the Application Domain and does not honor the agentBaseUrl parameter.
The following procedure shows how to confirm (or configure) the AutoLogin host
identifier for an Access Manager/Oracle Identity Manager integration. Your values
will be different. Before you begin, read "Updating the WebLogic Server Plug-in
Configuration."
1.

From the Policy Configuration tab, Host Identifiers node, and select
IAMSuiteAgent.
See Also:

"Searching for a Host Identifier Definition" on page 22-16

2.

In the Operations panel, confirm that all host name and port combinations are
listed for this Host Identifier.

3.

Proceed to "Configuring OAM Security Providers for WebLogic".

15.11.5 Configuring OAM Security Providers for WebLogic
This section describes how to configure the WebLogic Security Providers to ensure
Single Sign On using Access Manager 11g and the 10g WebGate.

15-46 Administrator's Guide for Oracle Access Management

Replacing the IAMSuiteAgent with an 11g WebGate

Skip this step if you do not have Access Manager 11g
integrated with Oracle Identity Manager 11g.

Note:

Refer to following topics for more information on setting up the security providers for
the 11g WebGate.
■

About Security Providers

■

Setting Up Security Providers for the 11g WebGate

15.11.5.1 About Security Providers
To complete the Access Manager 11g SSO configuration when a 11g WebGate is
replacing the IAMSuiteAgent requires configuring the following security providers in
a WebLogic Server domain:
■

■

OAM Identity Asserter: Uses token-based authentication and asserts the OAM
SSO header and token.
OID (or OVD) Authenticator: Creates the Subject and populates it with the correct
principals.
Depending on the store where your users are located, you configure either the
Oracle Internet Directory Authenticator or the Oracle Virtual Directory
Authenticator as the primary credential authenticator.

■

Default Authenticator: This default WebLogic Authentication provider allows you
to manage users and groups in one place: the embedded WebLogic Server LDAP
server. This Authenticator is used by the Oracle WebLogic Server to login
administrative users:

When you configure multiple Authentication providers, you use the JAAS Control
Flag for each provider to control how the Authentication providers are used in the
login sequence. You can choose the following the JAAS Control Flag settings, among
others:
■

■

■

REQUIRED—The Authentication provider is always called, and the user must
always pass its authentication test. Regardless of whether authentication succeeds
or fails, authentication still continues down the list of providers. The OAM
Identity Asserter is required.
SUFFICIENT—The user is not required to pass the authentication test of the
Authentication provider. If authentication succeeds, no subsequent Authentication
providers are executed. If authentication fails, authentication continues down the
list of providers. Both the Oracle Internet Directory (or Oracle Virtual Directory)
and the Default Authenticator are sufficient.
OPTIONAL—When additional Authentication providers are added to an existing
security realm, the Control Flag is set to OPTIONAL by default. You might need to
change the setting of the Control Flag and the order of providers so that each
Authentication provider works properly in the authentication sequence.
The user is allowed to pass or fail the authentication test of this Authentication
provider. However, if all Authentication providers configured in a security realm
have the JAAS Control Flag set to OPTIONAL, the user must pass the
authentication test of one of the configured providers.

Registering and Managing OAM 11g Agents

15-47

Replacing the IAMSuiteAgent with an 11g WebGate

See Also: "Configuring Authentication Providers" in Oracle Fusion
Middleware Securing Oracle WebLogic Server for a complete list of
Authentication providers and details about configuring the Oracle
Internet Directory provider to match the LDAP schema for user and
group attributes.

Access Manager JAR are WAR files for authentication providers are available when
you install an Oracle Fusion Middleware product (Oracle Identity Management,
Oracle SOA Suite, or Oracle WebCenter). If you have a Fusion Middleware
application, you already have the files you need.
■

■

oamAuthnProvider.jar: Includes files for both the Access Manager Identity
Asserter for single sign-on and the Authenticator for Oracle WebLogic Server
10.3.1+. A custom Access Manager AccessGate is also provided to process requests
for Web and non-Web resources (non-HTTP) from users or applications.
oamauthenticationprovider.war: Restricts the list of providers that you see in the
Oracle WebLogic Server Console to only those needed for use with Access
Manager.
When you deploy the extension, the Administration Console creates an
in-memory union of the files and directories in its WAR file with the files and
directories in the extension WAR file. Once the extension is deployed, it is a full
member of the Administration Console: it is secured by the WebLogic Server
security realm, it can navigate to other sections of the Administration Console, and
when the extension modifies WebLogic Server resources, it participates in the
change control process For more information, see Oracle Fusion Middleware
Extending the Administration Console for Oracle WebLogic Server.

15.11.5.2 Setting Up Security Providers for the 11g WebGate
The following procedure requires the WebLogic Server Administration Console. This
example illustrates setting up the Oracle Internet Directory provider with the OAM
Identity Asserter and Default Authenticator. The steps are the same for OVD, should
you need this.
If you have a Fusion Middleware application, you already
have the files you need and you can skip Step 1 of the following
procedure. With no Fusion Middleware application, however, you
have a stand-alone Oracle WebLogic Server and must obtain the JAR
and WAR files from Oracle Technology Network as described in Step
1.

Note:

1.

No Oracle Fusion Middleware Application: Obtain the Access Manager provider:
a.

Log in to Oracle Technology Network at:
http://www.oracle.com/technology/software/products/middleware/htdocs/111110
_fmw.html

b.

Locate the oamAuthnProvider ZIP file with WebGates:
oamAuthnProvider.zip

c.

Extract and copy oamAuthnProvider.jar to the following path on the computer
hosting Oracle WebLogic Server:
$BEA_HOME/wlserver_10.x/server/lib/mbeantypes/oamAuthnProvider.jar

15-48 Administrator's Guide for Oracle Access Management

Replacing the IAMSuiteAgent with an 11g WebGate

2.

With Oracle Fusion Middleware Application Installed:
a.

Locate oamauthenticationprovider.war in the following path:
$ORACLE_HOME/modules/oracle.oamprovider_11.1.2/oamauthenticationprovi
der.war

b.

Copy oamauthenticationprovider.war to the following location:
$BEA_HOME/wlserver_10.x/server/lib/console-ext/autodeploy/oamauthentication
provider.war

3.

Log in to the WebLogic Server Administration Console and click Security Realms,
Default Realm Name, and click Providers.

4.

OAM Identity Asserter: Perform the following steps to add this provider:
a.

Click Authentication, click New, and then enter a name and select a type:
Name: OAM ID Asserter
Type: OAMIdentityAsserter
OK

5.

b.

In the Authentication Providers table, click the newly added authenticator.

c.

Click the Common tab, set the Control Flag to REQUIRED, and click Save

OID Authenticator: Perform the following steps to add this provider.
a.

Click Security Realms, Default Realm Name, and click Providers

b.

Click New, enter a name, and select a type:
Name: OID Authenticator
Type: OracleInternetDirectoryAuthenticator
OK

c.

In the Authentication Providers table, click the newly added authenticator.

d.

On the Settings page, click the Common tab, set the Control Flag to
SUFFICIENT, and then click Save.

e.

Click the Provider Specific tab and specify the following required settings
using values for your own environment:
Host: Your LDAP host. For example: localhost
Port: Your LDAP host listening port. For example: 6050
Principal: LDAP administrative user. For example: cn=orcladmin
Credential: LDAP administrative user password.
User Base DN: Same searchbase as in Access Manager.
All Users Filter: For example: (&(uid=*)(objectclass=person))
User Name Attribute: Set as the default attribute for username in the LDAP
directory. For example: uid
Group Base DN: The group searchbase (same as User Base DN)
Do not set the All Groups filter as the default works fine as is.
Save.

Registering and Managing OAM 11g Agents

15-49

Replacing the IAMSuiteAgent with an 11g WebGate

6.

7.

Default Authenticator: Perform the following steps to set up the Default
Authenticator for use with the Identity Asserter:
a.

Go to Security Realms, Default Realm Name, and click Providers.

b.

Click Authentication, Click DefaultAuthenticator to see its configuration
page.

c.

Click the Common tab and set the Control Flag to SUFFICIENT.

d.

Save.

Reorder Providers:
a.

Click Security Realms, Default Realm Name, Providers.

b.

On the Summary page where providers are listed, click the Reorder button

c.

On the Reorder Authentication Providers page, select a provider name and
use the arrows beside the list to order the providers as follows:
OAM Identity Asserter (REQUIRED)
OID Authenticator (SUFFICIENT)
Default Authenticator (SUFFICIENT)

d.

Click OK to save your changes

8.

Activate Changes: In the Change Center, click Activate Changes

9.

Reboot Oracle WebLogic Server.

10. Proceed as follows:
■
■

Successful: Go to "Disabling IAMSuiteAgent".
Not Successful: Confirm that all providers have the proper specifications for
your environment, are in the proper order, and that oamAuthnProvider.jar is
in the correct location as described in "About Security Providers" on
page 15-47.

15.11.6 Disabling IAMSuiteAgent
This step is optional, not required.
IAMSuiteAgent detects when the WebGate has performed the authentication and then
goes silent. However, if the agent must be disabled, then either the WLSAGENT_
DISABLED system property or environment variable must be set to true for each one
of the servers on which the agent should be disabled. This applies to both
AdminServer and OAM Servers.
You can disable the agent in one of two ways:
■

Either set the WLSAGENT_DISABLED environment variable to true

■

Or pass WLSAGENT_DISABLED as a System Property

Before you begin: Configuring OAM Security Providers for WebLogic, if needed.
1.

On the computer hosting the IAMSuiteAgent, perform one the following tasks:
■

Either set the WLSAGENT_DISABLED environment variable to true:
setenv WLSAGENT_DISABLED true

■

Or or pass DWLSAGENT_DISABLED=true as a System Property:

15-50 Administrator's Guide for Oracle Access Management

Managing the Preferred Host in 10g WebGates

-DWLSAGENT_DISABLED=true
2.

Restart the Web server.

3.

Proceed with "Configuring Centralized Logout for 11g WebGates" on page 27-4,
then return to "Verifying the Webgate Configuration".

15.11.7 Verifying the Webgate Configuration
Oracle recommends testing your environment using the 11g WebGate to ensure that all
applications that were previously protected by the IAMSuiteAgent are now protected
after configuration.
Before you begin: "Configuring Centralized Logout for 11g WebGates"
See Also:
■

■

"Validating Authentication and Authorization in an Application
Domain" on page 25-76
Chapter 26, "Validating Connectivity and Policies Using the
Access Tester"

15.12 Managing the Preferred Host in 10g WebGates
In previous 10g releases, the preferred host was a mandatory parameter which could
be made optional through configuration. In the current implementation of Access
Manager, the value of the preferred host parameter in the agent profile is a mandatory
field populated when the profile is created. Thus when migrating agent profiles from
Access Manager 10g, this parameter might have no value. Because of the empty
preferred host value in a migrated agent profile, the Access Manager 11g console does
not allow the administrator to modify the agent profile. Since the current migration
process does not support migration when this parameter is empty, the following
actions have been incorporated into the migration process.
■

During the migration of agent profiles with no preferred host value, the host
identifier defined as the value of AUTO_UPDATE_HOSTID will be set as the
preferred host. This will work for 11g WebGates as well as 10g WebGates.
Note: In the getClientConfigResponse() method, the AUTO_
UPDATE_HOSTID host identifier will be replaced with an empty
string so that the preferred host will not be set in ObAccessClient.xml.
In these cases, the WebGate will read the host from the HTTP header.
Because the user can modify the HTTP header, this vulnerability is
indicated as follows.
■

■

■

The 11g Access Manager console displays the agent profile with a
red mark indicating that the value of the preferred host is blank.
The agent's GetClientConfig() method indicates that the empty
preferred host is null.

The ALLOWBLANKPREFERREDHOST flag will be added and action taken based
on its value. In cases where it is set to true, the empty string will be sent to the
agent as the preferred host. In cases where it is set to false, the server will send a
fatal error to the agent.

Registering and Managing OAM 11g Agents

15-51

Managing the Preferred Host in 10g WebGates

Use the setAllowEmptyHostIdentifier WLST command, described in the following
section, to manage this feature.

15-52 Administrator's Guide for Oracle Access Management

setAllowEmptyHostIdentifier

setAllowEmptyHostIdentifier
Enables and disables the use of an empty preferred host parameter.

Description
15

Enables or disables the use of an empty preferred host parameter. The following
parameters (added to the oam-config.xml file) will be set to enable or disable an empty
preferred host parameter in the ObAccessClient.xml file.
AUTO_UPDATE_HOSTID
true

Syntax
15

setAllowEmptyHostIdentifier(enable="true/false")

Argument

Definition

enable

Set to true or false to allow for an empty host identifier or not.

Sample
15

setAllowEmptyHostIdentifier(enable ="true")

Registering and Managing OAM 11g Agents

15-53

setAllowEmptyHostIdentifier

15-54 Administrator's Guide for Oracle Access Management

16
Maintaining Access Manager Sessions
16

An Access Manager session is created during authentication and bound to both the
user and the client with which the user has authenticated. Access Manager sessions are
maintained to provide tracking and policy enforcement (performed either manually by
an Administrator or using automated flows) for a given session's lifecycle. The Access
Manager session lifecycle consists of state transitions for session creation, updates,
idleness, and expiration.
This chapter describes concepts and procedures for Access Manager sessions.
■

Introducing Access Manager Session Management

■

Understanding Server-Side Session Management

■

Server-Side Session Enforcement Examples

■

Configuring the Server-Side Session Lifecycle

■

Managing Active Server-Side Sessions

■

Validating Server-Side Session Operations

■

Understanding Client-Side Session Management

■

Using WLST To Configure Session Management

16.1 Introducing Access Manager Session Management
With this 11gR2 PS2 release of Oracle Access Management, Access Manager sessions
can be managed from either the server side or the client side.
■

Server-side session management (also referred to as Coherence-based session
management) is the default session management option developed for Access
Manager. It allows for advanced session management across nodes via
Coherence-based caching. Offering reliable performance and advanced features
(including impersonation, session sniping, identity context propagation and the
like), server side session management is recommended for most deployments especially internal ones where rich session management features are desired. More
details are documented in:
–

"Understanding Server-Side Session Management" on page 16-2

–

"Server-Side Session Enforcement Examples" on page 16-7

–

"Configuring the Server-Side Session Lifecycle" on page 16-8

–

"Managing Active Server-Side Sessions" on page 16-12

–

"Validating Server-Side Session Operations" on page 16-15

Maintaining Access Manager Sessions 16-1

Understanding Server-Side Session Management

■

Client-side session management (also referred to as cookie-based session
management) manages sessions using browser cookies; it is essentially stateless.
Client side session management offers higher performance with a lightweight
footprint when compared to the Coherence-based option. It stores session details
in the browser cookie with no information saved on the server-side and is most
appropriate for very large deployments where advanced server-side session
management features are not needed. More details are documented in
"Understanding Client-Side Session Management" on page 16-16.
Cookie-based sessions can be accessed only from a browser
request context and not directly from the server.

Note:

See "Using WLST To Configure Session Management" on page 16-16 for instructions
on how to configure the session management option.

16.2 Understanding Server-Side Session Management
This section provides the following topics:
■

Securing Access Manager Sessions

■

Understanding the Access Manager Session Lifecycle, States, and Enforcement

■

Access Manager Sessions and the Role of Oracle Coherence

16.2.1 Securing Access Manager Sessions
Session security begins with a secure installation. For installation details see the Oracle
Fusion Middleware Installation Guide for Oracle Identity and Access Management.
See Also: Oracle Fusion Middleware Administrator's Guide for
details about configuring secure communications between Oracle
Fusion Middleware components using SSL.

The HTTPS protocol, Oracle Coherence and database encryption are some of the ways
in which Access Manager supports server-side session security. The following list
describes how this support can work.
■

HTTPS Protocol
Access Manager helps prevent session fixation by providing IP address checks by
the Proxy. To further help prevent session fixation, be sure to use the secure
HTTPS protocol for communication between WebGates and OAM Servers.

■

Oracle Coherence
Data is not encrypted in-memory; however, data is protected over the wire. Oracle
Coherence communicates between the different Access Manager instances on
various servers, and this communication is secured in the following ways.
–

Coherence supports communication only between hosts that have been
previously identified. This is done as a range of IP addresses, or by specific
host names. Access Manager configuration files contain entries for each server
that participates in the communication. During startup, this information is
provided to Coherence ensuring that only authorized servers participate in the
communication.

16-2 Administrator's Guide for Oracle Access Management

Understanding Server-Side Session Management

–

Coherence uses mutually-authenticated SSL between all servers in the cluster.
The jceks keystore file, which holds the applicable keys and certificates, is
created during installation.

For more information, see "Access Manager Sessions and the Role of Oracle
Coherence" on page 16-6 as well as the Oracle Coherence documentation.
■

Database Encryption
The Session Management Engine does not encrypt data. For security concerns, use
an in-database encryption such as Oracle Advanced Security.

16.2.2 Understanding the Access Manager Session Lifecycle, States, and Enforcement
The session lifecycle refers to a set of states with defined transitions from one state to
another that depend on user activity (or lack thereof), and manual (or automated)
Administrator activity. Administrators can define the following global session lifecycle
settings:
■

Session Lifetime

■

Idle Timeout

■

Maximum number of Sessions

■

Database Persistence of Active Sessions
Idle Timeout can also be implemented as application-specific
settings, as described later.

Note:

Session lifecycle states include those in Table 16–1.
Table 16–1

Session Lifecycle States

State

Description

Active

Newly-created sessions are active. A session is created when the user is
authenticated by Access Manager.
The session remains active until Access Manager determines that the session must
transition into one of the other states in this table.
Note: Administrators can delete only active sessions.

Idle

An active session becomes idle when the user does not access Access
Manager-protected content for the period defined by an Administrator.
When an active session becomes idle, the user must re-authenticate to proceed.
When re-authentication is successful, the session returns to the Active state; session
attribute values are preserved through this process.

Expired

An active session expires when the duration of the session exceeds the defined
lifetime. An expired session is completely inaccessible and eligible for deletion.
When an active session expires, the user must re-authenticate to proceed.
When re-authentication is successful, a new session is created; however, session
attribute values are not preserved (as they are for Idle states).

For more information, see the following topics:
■

About Global Session Enforcement Checks

■

About Session Removal

■

About Step-Up and Step-Down Authentication and Credentials

■

About Optional Application-Specific Session Enforcement

Maintaining Access Manager Sessions 16-3

Understanding Server-Side Session Management

■

About Timeout with Multiple-Agent Types: OSSO and OAM Agents

■

About OpenSSO Agents

16.2.2.1 About Global Session Enforcement Checks
Each Access Manager session holds the following attributes and applicable values.
■

Session creation time

■

Last access time

The values of these attributes are compared for session enforcement as described in
Table 16–2.
Table 16–2

Session Checks for State Changes

Session Check

Description

Is the Session Idle?

Compares the last access time against the configured Idle Timeout value.
Exceeding the configured period triggers a change from the Active to the Idle
state.

Is the Session Expired?

Compares the session creation time against the configured Session Lifetime.
Exceeding the configured period triggers a change from the Active to the Expired
state.

During transitions to the Idle state, underlying session attributes are preserved
because the user previously satisfied authentication criteria and the data is trusted.
However, continued access to protected resources based on that session, and resulting
modification of data within that session, is not allowed until the user re-authenticates,
proving not to be a malicious user with access to an unlocked computer.

16.2.2.2 About Session Removal
A session can be removed by any of the actions described in Table 16–3.
Table 16–3

Session Removal

Action

Description

Expiration

Expired sessions are eligible for removal based on their creation time. Actual
removal is determined by the storage mechanism. The session is removed from the
distributed cache using a background task running on the server; it is removed
from the database using a similar background task, an optionally-enabled job
within the database itself, or both methods in combination.
Once a session has been deleted from storage on all tiers (local and distributed
caches, and from the database if enabled), the session is removed.

User Logout

User Logout triggers immediate removal from the distributed cache, subject to
present volume of DB session writes and performance.

Termination

Termination is identical to user log out whether the session is interactively
terminated through the Administration Console or in an automated way--as part of
an Oracle Identity Management user lockout or de-provisioning flow.

16.2.2.3 About Step-Up and Step-Down Authentication and Credentials
On occasion, multiple forms of authentication are required and performed within a
single session to complete a step-up flow. In a step-up flow, a user authenticates to
access protected content and later in the same session, the user requests other, more
sensitive content and is required to authenticate again to access it at a more stringent
level. In a step-up flow, multiple authentications always occur in order of the
increasing authentication level. Each session holds the Authentication Level attribute
for step-up authentication enforcement.

16-4 Administrator's Guide for Oracle Access Management

Understanding Server-Side Session Management

A re-authentication level might be a step down from the session. If the
re-Authentication Level is less than that previously contained in the session, the user
has completed a step-down process. Upon successful re-authentication, the session is
restored to the Active state with an Authentication Level that is equal to the lower
level of the authentication scheme used. If the user later attempts to access content that
is protected at a higher level, step-up authentication occurs.

16.2.2.4 About Optional Application-Specific Session Enforcement
Access Manager enforces limitations on user access to resources in a more granular
way than is possible with a single set of global session timings, or single set of
authentication schemes in which access depends solely on a single authentication
level. Access to certain data has more stringent requirements, while access to all other
data is configured globally.
Administrators can choose to override global session timeout settings on a per
application basis, defined as part of Application Domain settings. Optional
application-specific session configuration provides:
■

■

The ability to declare session idle timings on a per-application basis, which is
generally more stringent than the global idle timing defined within the
deployment as a whole.
The ability to require the user to re-authenticate after a per-application session
inactivity timeout.

Table 16–4 describes session enforcement when you have defined Application
Domain-specific overrides to global session settings.
Table 16–4

Application Domain-Specific Overrides

Override

Description

Is the Session Idle?

Compares the last access time against the configured Idle Timeout
value for the defined Application Domain only. Exceeding the
configured period triggers a change from the Active to the Idle state.

Is the Session Expired?

Compares the session creation time against the configured Session
Lifetime. Exceeding the configured period triggers a change from the
Active to the Expired state for the defined Application Domain group
only.

16.2.2.5 About Timeout with Multiple-Agent Types: OSSO and OAM Agents
The idle timeout is applied appropriately even if the session is operating in a
disconnected state. (A disconnected state occurs if mod_osso requests are being made
but not by the WebGate. In this case, the session appears to have idled out to the
server.) To enable global logout for the OSSO Agent, the Session Management Engine
reconciles a period of inactivity with the OAM Agent against a period of activity with
the OSSO Agent.
mod_osso agents support granular timeout only if the Global Inactivity TimeOut
feature is enabled (using the editGITOValues WLST command). The OAM_GITO
cookie is needed in special cases to support timeout with multiple types of agents
working with OAM Server (such as mod_osso and WebGate). If a user leaves an active
session (with an OAM Agent), starts a session with an OSSO Agent, and then returns
to the initial session (with the OAM Agent, now inactive), the Session Management
Engine reconciles the period of inactivity with the OAM Agent against the period of
activity with the OSSO Agent to enable global logout for the OSSO Agent.

Maintaining Access Manager Sessions 16-5

Understanding Server-Side Session Management

Oracle strongly recommends that you change the value of the
Idle Timeout parameter when using the OAM_GITO cookie:

Note:
1.

Login to the OAM Console as administrator.

2.

Click the System Configuration tab.

3.

Click Common Settings.

4.

Change the value for the Idle Timeout parameter (in the Session section)
so that it matches the value of the OAM_GITO cookie as defined.

The OAM_GITO cookie is enabled and configured using the
editGITOValues WLST command. For details, see the Oracle
Fusion Middleware WebLogic Scripting Tool Command Reference for
Identity and Access Management.

16.2.2.6 About OpenSSO Agents
In the context of session management, OpenSSO agents are equivalent to WebGates.
Unlike mod_osso, OpenSSO Agents do not operate in a disconnected state.

16.2.3 Access Manager Sessions and the Role of Oracle Coherence
Access Manager sessions can be configured as Persisted or Distributed sessions. The
default Access Manager configuration is the Persisted Sessions but you can use the
Oracle Access Management Console to change this.
■

■

When Access Manager is configured for Persisted Sessions, all user sessions are
stored in a backing database and are available across server restarts. Recently
created sessions and the most frequently used sessions will also be stored in
memory in the Coherence cache. The sessions are written out to the database in a
batched mode in an asynchronous thread, enabling faster latencies during session
creation and updates. When requested by the server, the Coherence cache
transparently fetches either its local copy or the copy stored in the backing
database based on the number of cache hits at the time. The size of the in-memory
cache can be small enough to accommodate active sessions. The size of the
Coherence cache is configurable; by default, it is defined as 100 MB.
When Access Manager is configured for Distributed Sessions, the user sessions are
stored only in the in-memory Coherence Cache. These sessions are not available
across server cluster restarts. However if any specific node is stopped, the backup
sessions of that node will used. The total sessions retained are restricted to the size
of the Coherence cache - configurable using the Oracle Access Management
Console. If more users login than can be stored in the cache, the oldest non-active
sessions are deleted from the cache. A user whose session has been deleted from
the cache will have to login again to be recognized and granted access to protected
resources.

The Coherence cache size required for either of the described configurations is
calculated using the following formula.
S = N * (1 + b) * s / n
■

■

S is the size of heap to be allocated to the Coherence Session cache per OAM
server. The size of the heap allocated to sessions per OAM node may be updated
in the OAM configuration file under the Setting element name
DistributedCacheMaxSize. This update to the configuration requires, at the least, a
rolling restart of the servers.
N is the maximum number of sessions to be stored in the cache.

16-6 Administrator's Guide for Oracle Access Management

Server-Side Session Enforcement Examples

■
■

■

b is the number of backup copies.
s is the average size of a session object. The average size of a session object may
vary based on attributes and responses that are stored in the session. This value
may be discovered in any installation by examining the Coherence mbeans for
backing store of SmeNearCache cache.
n is the number of OAM server nodes that participate in the cluster.

16.3 Server-Side Session Enforcement Examples
Satisfying the authentication scheme of a given level provides access to all resources
protected at lower levels. Additionally, all authentication schemes of a given level are
viewed as equivalent. This section provides a simple session enforcement example
based on a single authentication scheme used in two application domains as well as a
more complex example based on multiple authentication schemes used in two
application domains.
■

Example 1: Single Authentication Scheme

■

Example 2: Multiple Authentication Schemes

16.3.1 Example 1: Single Authentication Scheme
Consider the following configuration:
■

A single authentication scheme (S1) defined using Level 2

■

Application domains D1 and D2

■

■

All resources within each domain are protected with a single authentication policy,
which uses S1, and a single authorization policy.
Global Session Configuration:
–

Session Lifetime: 90 minutes

–

Idle Session Timeout: 0 (session never idles out)

–

Application Domain Timeout: 30 minutes

Now consider the outcomes in Table 16–5.
Table 16–5

Session Content: Single Authentication Scheme

Time (Delta)

Action

Access Allowed or Denied

Session Content

0

Access to D1

Denied due to no session

null

1

Authentication with S1 and
Access to D1

Allowed because Authentication scheme is
satisfied

Level 2, authentication
time 1

21

Access to D2

Allowed

Level 2, authentication
time 1

66

Access to D1

Denied due to Application Domain Timeout
(based on the parameters configured)

Level 2, authentication
time 1

67

Authentication with S1 and
Access to D1 and D2

Both Allowed because the Authentication Sceme is Level 2, authentication
satisfied
time 67

16.3.2 Example 2: Multiple Authentication Schemes
In previous releases of Access Manager, a session could only have its authentication
level reduced in the context of an Oracle Identity Management integration self-service
flow (such as forced password reset). In this release, step-down authentication occurs

Maintaining Access Manager Sessions 16-7

Configuring the Server-Side Session Lifecycle

when a session times out as a matter of course--until the user happens to provide new
credentials that satisfy a scheme of the same level as the maximum held by the session
previously. Otherwise, from the authentication perspective, it is as if the session is new
and further step-up is required. Consider this example with two authentication
schemes (for step-up and step-down).
■

Authentication schemes S1 (Level 2) and S2 (Level 3)

■

Application domains D1 and D2

■

All resources within each domain are protected with a single authentication policy,
and a single authorization policy

■

D1 uses S1; D2 uses S2

■

Global Session Configuration:
–

Session Life: 240 mins

–

Idle Timeout: 30 mins

–

Appdomain 2 (D2) Timeout: 15 mins (appdomain setting)

When accessing resources from D1, timeout will occur after 30 minutes (global timeout
setting); D2 timeout will happen after 15 mins since its timeout value is overridden at
the global level. Table 16–6 shows the resulting outcomes.
Table 16–6

Session Outcomes: Multiple Authentication Schemes

Time (Delta)

Action

Access Allowed or Denied

Session Content

0

Access D1 resource
(RD1)

Access allowed after successful login

Timeout for D1 will be set to
0+30=30 (30 is default global timeout
as D1 has not overriden timeout at
the Application Domain level)

1 (implies
after 1
minute)

Access D2 resource
(RD2)

Access allowed post credential challenge (user
will be prompted for credentials since D2 is
protected using a higher authentication
scheme)

Timeout of D2 will be set to 1+15=16

t>16 and t<30
(say t=20)

Access RD1 and RD2

Allowed access to RD1 because timeout of
D1=30. Allowed access to RD2 after providing
credentials since timeout of D2=16

The new timeout of D2 is 16

40

Access RD1

Allowed: D1 resource will be allowed since
timeout is 50

55

Access RD1 and RD2

Allowed to access both resources after user is
successfully challenged for credentials.

Timeout of D1 is now 85 (55+30)
Timeout of D2 is now 70 (55+15)

The access order does have an impact on the outcome. For instance, the last D1 access
could have been allowed if the user had chosen to first pursue access to the D2
application after credentials had expired. For example:
■

■

Authentication S2 with Access to D2 Allowed: L3 scheme satisfied; resulting level
of the now (again) active session same as before. Session Content: Level 3,
authentication time 51
Access to D1 Allowed: Level 3 credentials also sufficient for Level 2-protected
access. Session Content: Level 3, authentication time 51.

16.4 Configuring the Server-Side Session Lifecycle
Session Lifecycle settings can be defined using the Oracle Access Management
Console. When you define either global or application-specific session lifecycle
settings, any timing interval set to 0 cancels the corresponding check. For example if
16-8 Administrator's Guide for Oracle Access Management

Configuring the Server-Side Session Lifecycle

idle timeout is set to 0, sessions never idle out. With a session lifetime of 0, sessions
never expire. In all cases, applicable data is tracked and updated in the session, just as
if it is being checked on a per-request basis.
This section provides the following topics:
■

About Global Session Lifecycle Settings

■

About Application-Specific Session Overrides

■

Viewing or Modifying Global Session Settings

■

Viewing or Modifying Optional Application-Specific Session Overrides

16.4.1 About Global Session Lifecycle Settings
Access Manager session lifecycle settings are defined as part of the Common Settings
shared by all OAM Servers. Figure 16–1 shows the lifecycle attributes that you can
configure on the Common Settings page.
Figure 16–1 Global Session Details: Common Settings Page

Table 16–7 describes the global session lifecycle settings and their defaults. Sessions
can operate in a disconnected mode (mod_osso, for example). Therefore, changes to
the configuration establishing your session rules apply only to new sessions. To apply
changes immediately, Oracle recommends that you terminate existing sessions and
force users to create new ones that adhere to your new rules.
See Also: Oracle Fusion Middleware Performance and Tuning
Guide
Table 16–7

Global Session Settings

Setting

Description

Session Lifetime (minutes)

The amount of time, in minutes, that a user's authentication session
remains active. When the lifetime is reached, the session expires.
Default = 1440 minutes (24 hours specified in an integer representing
minutes)
A value of zero (0) disables this setting. Any value between 0 (zero) and
2147483647 is allowed.
Note: An expired session is automatically deleted from the in-memory
caches (or database).

Maintaining Access Manager Sessions 16-9

Configuring the Server-Side Session Lifecycle

Table 16–7 (Cont.) Global Session Settings
Setting

Description

Idle Timeout (minutes)

The amount of time, in minutes, that a user's authentication session
remains active without accessing any Access Manager protected
resources. When the user is idle for a longer period, they are asked to
re-authenticate.
Default = 15 minutes
A value of zero (0) disables this setting. Any value between 0 (zero) and
2147483647 is allowed.
Note: Timed-out sessions are not deleted from the session manager.
Session data could be removed from memory but will still be available in
the persistant store (database). After re-authentication, the same session
will be re-activated.
See Also: "About Application-Specific Session Overrides"

Maximum Number of Sessions
per User

The exact number of sessions each user can have at one time. Use this
setting to configure multiple session restrictions for all users.
Any positive integer is allowed.
Specifying the count as "1", activates a special mode. If a user who
already has a session authenticates using another device (thereby
creating a new session), then their existing session is deleted. No error is
reported and no warning is given.
Note: Too high a number impacts performance and result in a security
risk. Oracle recommends less than 20 as a reasonable limit per user.
Otherwise there can be performance impact. For tuning information, see
Oracle Fusion Middleware Performance and Tuning Guide.

(Management) Maximum
Search Results

Maximum number of sessions fetched by default for a session query if
the result set is large.

Database Persistence for Active
Sessions Enabled

Persists active sessions to the configured database session store, in
addition to the local and distributed caches. Sessions are retained even if
all managed servers die off.
Default = Enabled (checked)
If this is overkill for your environment, or you want to perform
deployment sizing to take into account the database, you can clear the
checkbox and restart all OAM Servers to disable this function.

16.4.2 About Application-Specific Session Overrides
Application-specific access is tracked from the initial application-access time and is
updated only as further requests are made of that Application Domain. In other
words, the user's authentication and the authentication state are under control of
Access Manager and the Administrator. The current idle time for a given application is
shared between Access Manager and the application. The application provisions its
own run time data for the user on a per-session basis and needs to remove it as soon as
possible to make room for others.
Administrators can add application-specific session overrides on the Summary tab of
an Application Domain. Table 16–8 lists application-specific settings that, when
specified, override global session settings.
Table 16–8

Application-Specific Session Timing Overrides

Element

Description

Idle timeout

Access Manager previously stored the last access time value within the session. To
enforce maximum idle time on a per-application basis, Access Manager includes a
new application-specific last access time field to hold it. This is filled with the last
access time for each subset of domains visited within the course of a session, on
which a per-application idle timeout override has been defined. This is not
needed for domains on which an override has not been defined--no checking is
done against such data.
Default: undefined

16-10 Administrator's Guide for Oracle Access Management

Configuring the Server-Side Session Lifecycle

For more information, see "Viewing or Modifying Optional Application-Specific
Session Overrides" on page 16-11.

16.4.3 Viewing or Modifying Global Session Settings
Users with valid Administrator credentials can use the following procedure to modify
common session lifecycle settings using the Oracle Access Management Console.
See Also:

"About Global Session Lifecycle Settings"

1.

In the Oracle Access Management Console, click Configuration at the top of the
window.

2.

In the Configuration console, select Common Settings from the View menu in the
Settings section.

3.

On the Common Settings page, expand the Session section.

4.

Click the arrow keys beside each list to increase or decrease session lifecycle
settings as needed (Table 16–7):
■

Session Lifetime (minutes)

■

Idle Timeout (minutes)

■

Maximum Number of Sessions per User

■

■

(Management) Maximum Search Results - denotes the number of sessions
fetched by default for a session query if the result set is large
Database Persistence of Active Sessions Enabled

5.

Check the box to enable Database Persistence for Active Sessions.

6.

Click Apply to submit the changes (or close the page without applying changes).

7.

Close the page when you finish.

8.

Proceed to one of the following topics:
■

"Viewing or Modifying Optional Application-Specific Session Overrides"

■

"Managing Active Server-Side Sessions"

16.4.4 Viewing or Modifying Optional Application-Specific Session Overrides
Users with valid Administrator credentials can use the following procedure to modify
optional session settings for one or more application domains in a named group.
See Also: "About Application-Specific Session Overrides" on
page 16-10
1.

In the Oracle Access Management Console, click Application Security at the top
of the window.

2.

In the Access Manager section, click Application Domains.

3.

Find and open the desired domain.

4.

On the Summary tab, enter the following information to create (or add) this
domain to the group that uses session overrides (Table 16–8):
■

5.

Idle Timeout

Click Apply to submit the changes (or close the page without applying changes).
Maintaining Access Manager Sessions

16-11

Managing Active Server-Side Sessions

6.

Proceed to "Managing Active Server-Side Sessions".

16.5 Managing Active Server-Side Sessions
The Oracle Access Management Console Session Management page provides Search
controls that enable Administrators to create a query based on filter conditions, save
their Search Criteria for use later, and add fields to the query form to further refine the
search.
In the database store configuration, the session might exist in the database but not in
the cache. Session searches are based on the system time stamp. The database is
queried for sessions updated earlier than the time stamp (minus the write delay). The
cache is queried for sessions updated later than this time stamp. Resulting data found
in the cache and the database is merged. If duplicate results exist, cache data prevails.
Detailed performance metrics are generated for search operations.
This section describes how to locate and delete one or more sessions for a single user,
or for all users. It provides the following information:
■

About the Session Management Pages

■

Locating and Managing Active Sessions

16.5.1 About the Session Management Pages
Figure 16–2 illustrates the Session Management page, accessible from the
Configuration section of the Oracle Access Management Console. Additional details
follow the figure.
Figure 16–2 Common Configuration: Session Management Page

Table 16–9 describes Session Management page and Search controls that enable you to
create a query that is based on filter conditions.
Table 16–9

Session Management Controls and the Results Table

Name

Description

Delete All User Sessions ...

Choose this command button to delete the active sessions of all users.
Note: A Confirmation window appears where you can confirm or decline
the operation.

16-12 Administrator's Guide for Oracle Access Management

Managing Active Server-Side Sessions

Table 16–9 (Cont.) Session Management Controls and the Results Table
Name

Description

Saved Search

Drop down menu that lists any search criteria saved previously for reuse.
The list of searches is made available whenever you save search criteria.
The drop down menu also has a Personalize ... option in addition to the
saved searches. If you choose Personalize, you can change the behavior
of the saved search criteria by making new choices such as Set as Default
or Run Automatically.

Match All Any

Enables you to match either any of the criteria you have specified or
match all of the criteria you have specified during the search.
Note: When a resource is protected byAnonymousScheme, it is not
displayed in a session search.

User ID

Enter a specific userID in the field and then click the Search button to
display all active sessions for this user. Incomplete strings and wild cards
are allowed. A drop down menu includes options like Starts With,
Equals, Contains and the like to assist in your search.

Client IP Address

Enter a Client IP Address and then click the Search button to display all
active sessions for this user. Incomplete strings and wild cards are
allowed. The same list is available to assist your Userid search and your
Client IP Address.

Search

Click this button to initiate a search based on criteria in the form.

Reset

Click this button to clear the form of all criteria.

Add Fields

Displays a drop down menu from which you can select different options
to add to your search form. This can include Client IP Address, ID Store,
Impersonating and other options.
1.

Click the Add Fields button.

2.

Select items in the list to add them to the form and click Save.

After adding an item, notice that a list is available to assist with the
search.
Reorder

Displays a pop-up dialog allowing you to reorder the search fields.

View

Choose commands from the View menu above the results table to
configure the table. Commands include:
■

■

Detach: Expands the results table to a full-screen view

■

Attach: Restores the Session Management page view.

■

Delete

Columns: Displays a menu with the following options you can use
to hide or display specific details in the table:

Reorder Columns: Specifies a new order for columns containing
session data in the results table.

Choose this command button (red X) after selecting items in the results
table to delete.
Note: When session search criteria is generic (using just a wild card (*),
for example), there is a limitation on deleting a session from a large list of
sessions. Oracle recommends that your session search criteria is
fine-grained enough to obtain a relatively small set of results (ideally 20
or less).
Also: A Confirmation window appears where you can confirm or decline
the operation.

Detach

Click Detach to expand the results table to a full-page view.
Note: If the table is already a detached full-page, click Detach to restore
the Session Management page.

Maintaining Access Manager Sessions

16-13

Managing Active Server-Side Sessions

Table 16–9 (Cont.) Session Management Controls and the Results Table
Name

Description

Results table (not named)

After searching for the active sessions of a specific user, results are
displayed in the table. Details include:
■

Session ID: A unique, OAM-generated session Id.

■

User ID:

■

Impersonating:

■

Creation Time: The day and time the session was created.

■

Last Accessed: The day and time the session was last accessed

■

Client IP: The IP address of the specified user.

■

ID Store

■

Impersonator

16.5.2 Locating and Managing Active Sessions
Users with valid Administrator credentials can use information in the following
procedure to configure the search results table, locate the active sessions of a specific
user, delete one or more sessions for a specific user, or delete all sessions for all users.
When a resource is protected by AnonymousScheme, it is not displayed in a session
search.
See Also:

"About the Session Management Pages"

Skip any steps that do not apply to your requirements. The OAM Server must be
running.
1.

In the Oracle Access Management Console, click Application Security at the top
of the window.

2.

In the Application Security console, click Session Management.
The Session Management Search page appears with the Username field and a
results table.

3.

Add Fields: From the Add Fields list, choose the desired field name (Table 16–9).

4.

Choose Operators: Open the list of operators for the chosen search field, and
choose the desired function.

5.

Find sessions:
a.

In the desired query field, enter your criteria (with or without a wild card (*)).

b.

Click the Search button to locate sessions that match either any or all your
criteria.

c.

Review the results table.

d.

Repeat if needed to further refine your search.

6.

Configure the Results Table: Use functions on the View menu to create the
desired results table.

7.

Delete sessions:
a.

In the results table, click one or more sessions to remove.

b.

Click the Delete (x) button to delete the selected sessions.

c.

Click Yes to confirm deleting selected sessions (or click No to cancel the delete
operation).

16-14 Administrator's Guide for Oracle Access Management

Validating Server-Side Session Operations

d.
8.

9.

Notify the user, if needed.

Delete sessions for all users:
a.

Click the Delete All Sessions button in the upper-right corner.

b.

Click Yes when you are asked to confirm.

Close the Session Management page when you finish.

10. Proceed to "Validating Server-Side Session Operations".

16.6 Validating Server-Side Session Operations
Use the following procedure to verify your configured session lifecycle operations.
1.

2.

Authenticate:
a.

Access a resource from a browser using a credential other than your
Administrative credential.

b.

Verify that the session exists, as described in "Locating and Managing Active
Sessions".

Multiple Sessions:
a.

From a second browser (with cookies removed), access the same resource.

b.

Verify that two sessions exist.

3.

Delete all sessions, (Step 7 of "Locating and Managing Active Sessions") and
confirm that the Active sessions are removed.

4.

Re-authentication Verification:

5.

a.

From the second browser (Step 2), access a different resource to confirm that
you must re-authenticate.

b.

Enter credentials for the resource.

c.

Verify that a session was created.

Database Verification:
a.

Delete all sessions.

b.

Connect to the database and run the following query:
SQL> select * from oam_session

c.

Confirm that you see the following results:
no row selected

d.

From the second browser, access a different resource.

e.

Connect to the database and run the following query
SQL> select * from oam_session

f.

Confirm that you see one row of data:
1 rows selected

g.

Select rows from OAM_SESSION_ATTRIBUTES and confirm that data exists
for the user.

Maintaining Access Manager Sessions

16-15

Understanding Client-Side Session Management

16.7 Understanding Client-Side Session Management
Client-side (or cookie-based) session management is a light weight session
management solution that reduces server-side overhead and provides better
scalability. It uses client-side cookies as the persistent mechanism for SSO sessions,
making the server stateless. Client-Side session management supports the following
features:
■

Authentication

■

Authorization (excluding session constrains and responses)

■

OAM & OIM integration over TAP - excluding session deletion on attribute
change (account lock/disable, etc.)

■

Step up authentication

■

Inactivity time out with single web domain

16.8 Using WLST To Configure Session Management
The following WLST commands can be used to configure for server-side (default) or
client-side (cookie-based) session management.
■

displaySSOSessionType

■

configSSOSessionType

16.8.1 displaySSOSessionType
Online and offline command that allows you to view the session management
configuration.

16.8.1.1 Description
Allows you to view the session type configuration.

16.8.1.2 Syntax
displaySSOSessionType(domainHome="")

Argument

Definition

domainHome

Specifies the location for the Weblogic Server OR Cell Path for
WebSphere. This parameter is mandatory for WebSphere. When
Offline, a value is mandatory; when online, optional.

16.8.1.3 Example
displaySSOSessionType(domainHome="/oracle/product/OAM/domains/oam_domain")

16.8.2 configSSOSessionType
Online and offline command that allows you to configure session management as
COOKIE-BASED or DEFAULT.

16.8.2.1 Description
Configure session management for Access Manager.
16-16 Administrator's Guide for Oracle Access Management

Using WLST To Configure Session Management

16.8.2.2 Syntax
configSSOSessionType(type="",
cookieDomain="",domainHome="")

Argument

Definition

type

Specifies the type of session store. Accepted values are COOKIE_
BASED or DEFAULT.

cookieDomain

Specifies the value of the SSO Session Timeout cookie domain.

domainHome

Specifies the location for the Weblogic Server OR Cell Path for
WebSphere. This parameter is mandatory for WebSphere. When
Offline, a value is mandatory; when online, optional.

16.8.2.3 Examples
configSSOSessionType(type="COOKIE_BASED",cookieDomain-".example.com")
configSSOSessionType(type="COOKIE_BASED",cookieDomain-".example.com",
domainHome="domainHome1")
configSSOSessionType(type="Default",cookieDomain=".example.com")

Maintaining Access Manager Sessions

16-17

Using WLST To Configure Session Management

16-18 Administrator's Guide for Oracle Access Management

Part V
Part V

Implementing Multi-Data Centers

Oracle Access Management allows for distribution of identical copies of directory
service data across more than one data center. These multiple data centers (referred to
as multi-data centers) provide a scalable deployment model to support access
management requirements for millions of users.
The chapters in this section provide details on implementing and managing a
Multi-Data Center environment.
■

Chapter 17, "Understanding Multi-Data Centers"

■

Chapter 18, "Configuring Multi-Data Centers"

■

Chapter 19, "Synchronizing Data In A Multi-Data Center"

■

Chapter 20, "Setting Up the Multi-Data Center: A Sequence"

17
Understanding Multi-Data Centers
17

[15Oracle
]
Access Manager allows for distribution of identical copies of directory service
data across more than one data center. These multiple data centers (referred to as
multi-data centers) provide a scalable deployment model to support access
management requirements for millions of users.

The Access Manager Multi-Data Center topology scales horizontally - within a single
data center by clustering multiple nodes, or across multiple data centers. This model
provides for load balancing as well as failover capabilities in the case that one of the
nodes or data centers goes down. This chapter contains introductory details.
■

Introducing the Multi-Data Center

■

Understanding Multi-Data Center Deployments

■

Deploying Active-Active Multi-Data Center Topology

■

Load Balancing Between Access Management Components

■

Understanding Time Outs and Session Syncs

■

Replicating a Multi-Data Center Environment

■

Multi-Data Center Recommendations

17.1 Introducing the Multi-Data Center
Large organizations using Access Manager 11g typically deploy their applications
across multi-data centers to distribute load as well as address disaster recovery.
Deploying Access Manager in multi-data centers allows for the transfer of user session
details transparently after configuration of single sign-on (SSO) between them. The
scope of a data center comprises protected applications, WebGate agents, Access
Manager servers and other infrastructure entities including identity stores and
databases.
Access Manager 11g supports scenarios where applications are
distributed across two or more data centers.

Note:

The Multi-Data Center approach supported by Access Manager is a Master-Clone
deployment in which the first data center is specified as the Master and one or more
Clone data centers mirror it. (Master and Clone data centers can also be referred to as
Supplier and Consumer data centers.) A Master Data Center is duplicated using
Test-to-Production (T2P) tools to create one or more cloned Data Centers. See Oracle
Fusion Middleware Administrator's Guide for information on T2P.

Understanding Multi-Data Centers

17-1

Introducing the Multi-Data Center

During setup of the Multi-Data Center, session adoption policies are configured to
determine where a request would be sent if the Master Data Center is down.
Following the setup, a manner of replicating data from the Master to the Clone(s) will
be designated. This can be done using the Automated Policy Sync (APS) Replication
Service or it can be done manually. See Chapter 18, "Configuring Multi-Data Centers"
and Chapter 19, "Synchronizing Data In A Multi-Data Center" for details on the setup
and synchronization process.
A data center may include applications, data stores, load balancers and the like. Each
data center includes a full Access Manager installation. The WebLogic Server domain
in which the instance of Access Manager is installed will not span data centers.
Additionally, data centers maintain user to data center affinity. Figure 17–1 illustrates
the Multi-Data Center system architecture.
Figure 17–1 Multi-Data Center System Architecture

Global load balancers are configured to route HTTP traffic to
the geographically closest data center. No load balancers are used to
manage Oracle Access Protocol traffic.

Note:

All applications are protected by WebGate agents configured against Access Manager
clusters in the respective local data centers. Every WebGate has a primary server and
one or more secondary servers; WebGate agents in each data center have Access
Manager server nodes from the same data center in the primary list and nodes from
other data centers in the secondary list. Thus, it is possible for a user request to be
routed to a different data center when:
■

A local data center goes down.

■

There is a load spike causing redistribution of traffic.

■

Certain applications are deployed in only one data center.

■

WebGates are configured to load balance within one data center but failover across
data centers.

The following sections contain more information on how the Multi-Data Center
solution works.
■

Understanding Cookies for Multi-Data Center

17-2 Administrator's Guide for Oracle Access Management

Introducing the Multi-Data Center

■

Understanding Session Adoption During Authorization

■

Understanding Session Indexing

■

Supported Multi-Data Center Topologies

17.1.1 Understanding Cookies for Multi-Data Center
The following sections contain information on the SSO cookies enhanced and used by
the Multi-Data Centers.
■

OAM_ID Cookie

■

OAMAuthn / ObSSO WebGate Cookies

■

OAM_GITO (Global Inactivity Time Out) Cookie

17.1.1.1 OAM_ID Cookie
The OAM_ID cookie is the SSO cookie for Access Manager and holds the attributes
required to enable the MDC behavior across all Data Centers. If a subsequent request
from a user in the same SSO session is routed to a different Data Center in the
Multi-Data Center topology, session adoption is triggered per the configured session
adoption policies. Session adoption refers to the action of a Data Center creating a local
user session based on the submission of a valid authentication cookie (OAM_ID) that
indicates a session for the user exists in another other Data Center in the topology. (It
may or may not involve re-authentication of the user.) When a user session is created
in a Data Center, the OAM_ID cookie will be augmented/updated with the clusterid
of the Data Center, a sessionid and the latest_visited_clusterid.
In Multi-Data Center deployments, OAM_ID is a host-scoped cookie. Its domain
parameter is set to a virtual host name which is a singleton across data centers and is
mapped by the global load balancer to the Access Manager servers in the Access
Manager data center based on the load balancer level user traffic routing rules (for
example, based on geographical affinity). The OAM_ID cookie is not accessible to
applications other than the Access Manager servers.

17.1.1.2 OAMAuthn / ObSSO WebGate Cookies
OAMAuthn is the WebGate cookie for 11g and ObSSO is the WebGate cookie for 10g.
On successful authentication and authorization, a user will be granted access to a
protected resource. At that point, the browser will have a valid WebGate cookie with
the clusterid:sessionid of the authenticating Data Center. If authentication followed
by authorization spans across multiple Data Centers, the Data Center authorizing the
user request will trigger session adoption by retrieving the session's originating
clusterid from the WebGate cookie. (WebGates need to have the same host name in
each data center due to host scoping of the WebGate cookies.) After adopting the
session, a new session will be created in the current Data Center with the synced
session details.

Understanding Multi-Data Centers

17-3

Introducing the Multi-Data Center

Note: The WebGate cookie cannot be updated during authorization
hence the newly created sessionid cannot be persisted for future
authorization references. In this case, the remote sessionid and the
local sessionids are linked through session indexing. During a
subsequent authorization call to a Data Center, a new session will be
created when:
■
■

■

■

MDC is enabled.
A session matching the sessionid in the WebGate cookie is not
present in the local Data Center.
There is no session with a Session Index that matches the
sessionid in the WebGate cookie.
A valid session exists in the remote Data Center (based on the
MDC SessionSync Policy).

In these instances, a new session is created in the local Data Center
with a Session Index that refers to the sessionid in the WebGate
cookie.

17.1.1.3 OAM_GITO (Global Inactivity Time Out) Cookie
OAM_GITO is a domain cookie set as an authorization response. The session details of
the authentication process will be recorded in the OAM_ID cookie. If the authorization
hops to a different Data Center, session adoption will occur by creating a new session
in the Data Center servicing the authorization request and setting the session index of
the new session as the incoming sessionid. Since subsequent authentication requests
will only be aware of the clusterid:sessionid mapping available in the OAM_ID cookie,
a session hop to a different Data Center for authorization will go unnoticed during the
authentication request. To address this gap, an OAM_GITO cookie (which also
facilitates timeout tracking across WebGate agents) is introduced.
During authorization, the OAM_GITO cookie is set as a domain cookie. For
subsequent authentication requests, the contents of the OAM_GITO cookie will be
read to determine the latest session information and the inactivity/idle time out
values. The OAM_GITO cookie contains the following data.
■

Data Center Identifier

■

Session Identifier

■

User Identifier

■

Last Access Time

■

Token Creation Time
For the OAM_GITO cookie, all WebGates and Access Manager
servers should share a common domain hierarchy. For example, if the
server domain is .us.example.com then all WebGates must have (at
least) .example.com as a common domain hierarchy; this enables the
OAM_GITO cookie to be set with the .example.com domain.
Note:

17.1.2 Understanding Session Adoption During Authorization
Multi-Data Center session adoption is supported during the authorization flow. After
successful authentication, the OAMAuthn cookie will be augmented with the cluster

17-4 Administrator's Guide for Oracle Access Management

Introducing the Multi-Data Center

ID details of the Data Center where authentication has taken place. During
authorization, if the request is routed to a different Data Center, Access Manager
runtime checks to determine whether it is a Multi-Data Center scenario by looking for
a valid remote session. If one is located, the Multi-Data Center session adoption
process is triggered per the session adoption policy.
The session adoption policy can be configured so that the clone Access Manager
cluster would make a back-end request for session details from the master Access
Manager cluster using the Oracle Access Protocol (OAP). The session adoption policy
can also be configured to invalidate the previous session so the user has a session only
in one data center at a given time. Following the session adoption process, a new
session will be created in the Data Center servicing the authorization request.
Since OAMAuthn cookie updates are not supported during
authorization, the newly created session's session index will be set to
that of the incoming session ID. See Understanding Session Indexing.

Note:

More details on session adoption can be found in the Section 17.2, "Understanding
Multi-Data Center Deployments."

17.1.3 Understanding Session Indexing
During an authorization call to a Data Center, a new session will be created in the local
Data Center with a Session Index that refers to the session identifier in the
OAMAuth/ObSSO cookie. This will occur if all of the following conditions are met:
■

■
■

■

Session matching Session ID in the OAMAuth/ObSSO cookie is not present in the
local Data Center.
MDC is enabled.
No session with Session Index matching Session ID in the OAMAuth/ObSSO
cookie.
Valid Session exists in the remote Data Center based on the MDC SessionSync
Policy.

17.1.4 Supported Multi-Data Center Topologies
Access Manager supports several Multi-Data Center topologies. The following
sections contain details on these modes.
■

The MDC Active-Active Mode

■

The MDC Active-Passive Mode

■

The MDC Active-Hot Standby Mode

17.1.4.1 The MDC Active-Active Mode
An Active-Active topology is when Master and Clone data centers are exact replicas
and active at the same time. They cater to different sets of users based on defined
criteria; geography, for example. A load balancer routes traffic to the appropriate Data
Center. Figure 17–2 illustrates a Multi-Data Center set up in Active-Active mode
during normal operations.

Understanding Multi-Data Centers

17-5

Introducing the Multi-Data Center

Figure 17–2 Active-Active Deployment Mode

In Figure 17–2, the New York Data Center is designated as the Master and all policy
and configuration changes are restricted to it. The London Data Center is designated
as a Clone and uses T2P tooling and utilities to periodically synchronize data with the
New York Data Center. The global load balancer is configured to route users in
different geographical locations (US and Europe) to the appropriate data centers (New
York or London) based on proximity to the data center (as opposed to proximity of the
application being accessed). For example, all requests from US-based User 1 will be
routed to the New York Data Center (NYDC) and all requests from Europe-based User
2 will be routed to the London Data Center (LDC).
Note: The Access Manager clusters in Figure 17–2 are independent
and not part of the same Oracle WebLogic domain. WebLogic domains
are not recommended to span across data centers.

In this example, if NYDC was overloaded with requests, the global load balancer
would start routing User 1 requests to the clone Access Manager cluster in LDC. The
clone Access Manager cluster can tell (from the user's OAM_ID cookie) that there is a
valid session in the master cluster and would therefore create a new session without
prompting for authentication or re-authentication. Further, the session adoption policy
can be configured such that the clone Access Manager cluster would make a back-end
request for session details from the master Access Manager cluster using the Oracle
Access Protocol (OAP). The session adoption policy can also be configured to
invalidate the remote session (the session in NYDC) so the user has a session only in
one data center at a given time.
Figure 17–3 illustrates how a user might be rerouted if the Master cluster is overloaded
or down. If the Master Access Manager cluster were to go completely down, the clone
Access Manager cluster would try to obtain the session details of User 1 but since the
latter would be completely inaccessible, User 1 would be forced to re-authenticate and
establish a new session in the clone Access Manager cluster. In this case, any
information stored in the previous session is lost.

17-6 Administrator's Guide for Oracle Access Management

Understanding Multi-Data Center Deployments

Figure 17–3 Active-Active Mode Failover

Note: An Active-Active topology with agent failover is when an
agent has Access Manager servers in one Data Center configured as
primary and Access Manager servers in the other Data Centers
configured as secondary to aid failover scenarios.

More details on an Active-Active topology can be found in "Deploying Active-Active
Multi-Data Center Topology."

17.1.4.2 The MDC Active-Passive Mode
An Active-Passive topology is when the primary Data Center is operable but the clone
Data Center is not. In this topology, the clone can be brought up within a reasonable
time in cases when the primary Data Center fails. Thus, in the Active-Passive Mode
one of the data centers is passive and services are not started. In this use case, the data
center does not have to be brought up immediately but within a reasonable amount of
time in cases when the primary data center fails. There is no need to do an MDC setup
although policy data will be kept in sync.

17.1.4.3 The MDC Active-Hot Standby Mode
Active–Hot Standby is when one of the Data Centers is in hot standby mode. In this
case, traffic will not be routed to the Hot Standby Data Center unless the Active Data
Center goes down. In this use case, you do not need additional data centers for traffic
on a daily basis but only keep one ready. Follow the Active-Active Mode steps to
deploy in Active-Hot Standby Mode but do not route traffic to the center defined as
Hot Standby. The Hot Standby center will continue to sync data but will only be used
when traffic is directed there by the load balancer or by an administrator.

17.2 Understanding Multi-Data Center Deployments
In a Multi-Data Center deployment, each data center will include a full Access
Manager installation; WebLogic Server domains will not span the Data Centers. Global
load balancers will maintain user to Data Center affinity although a user request may
be routed to a different Data Center when:
■

The data center goes down.

■

A load spike causes redistribution of traffic.

■

Each Data Center is not a mirror of the other. For example, certain applications
may only be deployed in a single Data Center.
Understanding Multi-Data Centers

17-7

Understanding Multi-Data Center Deployments

■

WebGates are configured to load balance within the Data Center and failover
across Data Centers.

Figure 17–4 illustrates a basic Multi-Data Center deployment.
Figure 17–4 Multi-Data Center Deployment

The following sections describe several deployment scenarios.
■

■

■

■

Understanding Session Adoption Without Re-authentication, Session Invalidation
or Session Data Retrieval
Understanding Session Adoption Without Re-authentication But With Session
Invalidation & Session Data Retrieval
Understanding Session Adoption Without Re-authentication & Session
Invalidation But With On-demand Session Data Retrieval
Understanding Authentication & Authorization Requests Served By Different
Data Centers

■

Understanding Logout and Session Invalidation

■

Understanding Stretch Cluster Deployments
Note: The OAP connection used for back channel communication
does not support load balancing or failover so a load balancer needs to
be used.

17.2.1 Understanding Session Adoption Without Re-authentication, Session
Invalidation or Session Data Retrieval
The following scenario illustrates the flow when the Session Adoption Policy is
configured without re-authentication, remote session invalidation and remote session
data retrieval. It is assumed the user has affinity with DC1.
1.

User is authenticated by DC1.
On successful authentication, the OAM_ID cookie is augmented with a unique
data center identifier referencing DC1 and the user can access applications
protected by Access Manager in DC1.

2.

Upon accessing an application deployed in DC2, the user is routed to DC2 by a
global load balancer.

17-8 Administrator's Guide for Oracle Access Management

Understanding Multi-Data Center Deployments

3.

Access Manager in DC2 is presented with the augmented OAM_ID cookie issued
by DC1.
On successful validation, Access Manager in DC2 knows that this user has been
routed from the remote DC1.

4.

Access Manager in DC2 looks up the Session Adoption Policy.
The Session Adoption Policy is configured without reauthentication, remote
session invalidation or remote session data retrieval.

5.

Access Manager in DC2 creates a local user session using the information present
in the DC1 OAM_ID cookie (lifetime, user) and re-initializes the static session
information ($user responses).

6.

Access Manager in DC2 updates the OAM_ID cookie with its data center
identifier.
Data center chaining is also recorded in the OAM_ID cookie.

7.

User then accesses an application protected by Access Manager in DC1 and is
routed back to DC1 by the global load balancer.

8.

Access Manager in DC1 is presented with the OAM_ID cookie issued by itself and
updated by DC2.
On successful validation, Access Manager in DC1 knows that this user has
sessions in both DC1 and DC2.

9.

Access Manager in DC1 attempts to locate the session referenced in the OAM_ID
cookie.
■
■

If found, the session in DC1 is updated.
If not found, Access Manager in DC1 looks up the Session Adoption Policy
(also) configured without reauthentication, remote session invalidation and
remote session data retrieval.

10. Access Manager in DC1 updates the OAM_ID cookie with its data center identifier

and records data center chaining as previously in DC2.

17.2.2 Understanding Session Adoption Without Re-authentication But With Session
Invalidation & Session Data Retrieval
The following scenario illustrates the flow when the Session Adoption Policy is
configured without re-authentication but with remote session invalidation and remote
session data retrieval. It is assumed the user has affinity with DC1.
1.

User is authenticated by DC1.
On successful authentication, the OAM_ID cookie is augmented with a unique
data center identifier referencing DC1.

2.

Upon accessing an application deployed in DC2, the user is routed to DC2 by a
global load balancer.

3.

Access Manager in DC2 is presented with the augmented OAM_ID cookie issued
by DC1.
On successful validation, Access Manager in DC2 knows that this user has been
routed from the remote DC1.

4.

Access Manager in DC2 looks up the Session Adoption Policy.

Understanding Multi-Data Centers

17-9

Understanding Multi-Data Center Deployments

The Session Adoption Policy is configured without reauthentication but with
remote session invalidation and remote session data retrieval.
5.

Access Manager in DC2 makes a back-channel (OAP) call (containing the session
identifier) to Access Manager in DC1 to retrieve session data.
The session on DC1 is terminated following data retrieval. If this step fails due to a
bad session reference, a local session is created as documented in Section 17.2.1,
"Understanding Session Adoption Without Re-authentication, Session Invalidation
or Session Data Retrieval."

6.

Access Manager in DC2 creates a local user session using the information present
in the OAM_ID cookie (lifetime, user) and re-initializes the static session
information ($user responses).

7.

Access Manager in DC2 rewrites the OAM_ID cookie with its own data center
identifier.

8.

The user then accesses an application protected by Access Manager in DC1 and is
routed to DC1 by the global load balancer.

9.

Access Manager in DC1 is presented with the OAM_ID cookie issued by DC2.
On successful validation, Access Manager in DC1 knows that this user has
sessions in DC2.

10. Access Manager in DC1 makes a back-channel (OAP) call (containing the session

identifier) to Access Manager in DC2 to retrieve session data.
If the session is found, a session is created using the retrieved data. If it is not
found, the OAM Server in DC1 creates a new session. The session on DC2 is
terminated following data retrieval.

17.2.3 Understanding Session Adoption Without Re-authentication & Session
Invalidation But With On-demand Session Data Retrieval
Multi-Data Center supports session adoption without re-authentication except that the
non-local session are not terminated and the local session is created using session data
retrieved from the remote DC. Note that the OAM_ID cookie is updated to include an
attribute that indicates which data center is currently being accessed.

17.2.4 Understanding Authentication & Authorization Requests Served By Different
Data Centers
Consider a scenario where an authentication request is served by the New York Data
Center (NYDC) but the authorization request is presented to the London Data Center
(LDC) because of user affinity. If Remote Session Termination is enabled, the scenario
requires a combination of the OAM_ID cookie, the OamAuthn/ObSSO authorization
cookie and the GITO cookie to perform the seamless Multi-Data Center operations.
This flow (and Figure 17–5 following it) illustrates this. It is assumed that the user has
affinity with NYDC.
1.

Upon accessing APP1, a user is authenticated by NYDC.
On successful authentication, the OAM_ID cookie is augmented with a unique
data center identifier referencing NYDC. The subsequent authorization call will be
served by the primary server for the accessed resource, NYDC. Authorization
generates the authorization cookie with the NYDC identifier (cluster-id) in it and
the user is granted access to the APP1.

2.

User attempts to access APP2 in LDC.

17-10 Administrator's Guide for Oracle Access Management

Understanding Multi-Data Center Deployments

3.

The WebGate for APP2 finds no valid session in LDC and initiates authentication.
Due to user affinity, the authentication request is routed to NYDC where seamless
authentication occurs. The OamAuthn cookie contents are generated and shared
with the APP2 WebGate.

4.

The APP2 WebGate forwards the subsequent authorization request to APP2's
primary server, LDC with the authorization cookie previously generated.
During authorization, LDC will determine that this is a Multi-Data Center scenario
and a valid session is present in NYDC. In this case, authorization is accomplished
by syncing the remote session as per the configured session adoption policies.

5.

A new session is created in LDC during authorization and the incoming session id
is set as the new session's index.
Subsequent authorization calls are honored as long as the session search by index
returns a valid session in LDC. Each authorization will update the GITO cookie
with the cluster-id, session-id and access time. The GITO cookie will be re-written
as an authorization response each time.
lf a subsequent authentication request from the same user hits NYDC, it will use
the information in the OAM_ID and GITO cookies to determine which Data
Center has the most current session for the user. The Multi-Data Center flows are
triggered seamlessly based on the configured Session Adoption policies.

Understanding Multi-Data Centers

17-11

Understanding Multi-Data Center Deployments

Figure 17–5 Requests Served By Different Data Centers

17.2.5 Understanding Logout and Session Invalidation
In Multi-Data Center scenarios, logout ensures that all server side sessions across Data
Centers and all authentication cookies are cleared out. For session invalidation,
termination of a session artifact over the back-channel will not remove the session
cookie and state information maintained in the WebGates. However, the lack of a
server session will result in an Authorization failure which will result in
re-authentication. In the case of no session invalidation, the logout clears all server
side sessions that are part of the current SSO session across Data Centers. This flow
(and Figure 17–6 following it) illustrates logout. It is assumed that the user has affinity
with NYDC.
1.

User with affinity to NYDC gets access to APP1 after successful authentication
with NYDC.

2.

User attempts to access APP2.

17-12 Administrator's Guide for Oracle Access Management

Understanding Multi-Data Center Deployments

At this point there is a user session in NYDC as well as LDC (refer to section 2.4.5)
as part of SSO.
3.

User logs out from APP1.
Due to affinity, the logout request will reach NYDC.

4.

The NYDC server terminates the user's SSO session and logs out from all the SSO
partners.

5.

The NYDC server sends an OAP terminate session request to all relevant Data
Centers associated with the SSO session - including LDC.
This results in clearing all user sessions associated with the SSO across Data
Centers.

Figure 17–6 Logout and Session Invalidation

17.2.6 Understanding Stretch Cluster Deployments
For data centers that are geographically very close and have a guaranteed latency of
less than 5 milliseconds, customers can choose a Stretch Cluster deployment. In this
case, unlike the traditional Multi Data Center deployment described in the preceding
sections, a single OAM cluster is stretched across multiple data centers; there are some
OAM nodes in one Data Center and the remaining nodes in another Data Center.
Though the deployment is spread across two data centers, Access Manager treats this
as a single cluster. The policy database would reside in one of the Data Centers. The
following limitations apply to a Stretch Cluster Deployment.
■

■

Access Manager depends on the underlying WebLogic and Coherence layers to
keep the nodes in sync. The latency between Data Centers must be less than 5
milliseconds at all times. Any spike in the latency may cause instability and
unpredictable behavior.
The cross data center chatter at runtime in a Stretch Cluster deployment is
relatively more than that in the traditional Multi Data Center deployment. In case

Understanding Multi-Data Centers

17-13

Deploying Active-Active Multi-Data Center Topology

of the latter, the runtime communication between Data Centers is restricted to
use-cases where a session has to be adopted across Data Centers.
■

Since it is a single cluster across Data Centers, it does not offer the same level of
reliability/availability as a traditional multi data center deployment. The policy
database can become a single point of failure. In a traditional Multi Data Center
deployment, each Data Center is self-sufficient and operates independent of the
other Data Center which provides far better reliability.

Figure 17–7 illustrates a Stretch Cluster deployment while Figure 17–8 below it
illustrates a traditional MDC deployment. Oracle does recommend a traditional multi
data center deployment over a Stretch Cluster deployment. See also Section 17.1,
"Introducing the Multi-Data Center" for other topology illustrations.
Figure 17–7 Stretch Cluster Deployment

Figure 17–8 Traditional MDC Deployment

17.3 Deploying Active-Active Multi-Data Center Topology
An Active-Active topology is when Master and Clone Data Centers are exact replicas
of each other (including applications, data stores and the like). They are active at the
same time and cater to different sets of users based on defined criteria - geography, for
example. A load balancer routes traffic to the appropriate Data Center. Identical Access
Manager clusters are deployed in both locales with New York designated as the
Master and London as the Clone.
17-14 Administrator's Guide for Oracle Access Management

Deploying Active-Active Multi-Data Center Topology

Note: An Active-Active topology with agent failover is when an
agent has Access Manager servers in one Data Center configured as
primary and Access Manager servers in the other Data Centers
configured as secondary to aid failover scenarios.

Figure 17–9 illustrates the topology for a Multi-Data Center deployment in
Active-Active mode. The New York Data Center is designated as the Master and all
policy and configuration changes are restricted to it. The London Data Center is
designated as a Clone and uses T2P tooling and utilities to periodically synchronize
data with the New York Data Center. The global load balancer is configured to route
users in different geographical locations (US and Europe) to the appropriate data
centers (New York or Europe) based on proximity to the data center (as opposed to
proximity of the application being accessed). For example, all requests from US-based
User 1 will be routed to the New York Data Center (NYDC) and all requests from
Europe-based User 2 will be routed to the London Data Center (LDC).
Figure 17–9 Active-Active Topology

The Global Load Balancer is configured for session stickiness so once a user has been
assigned to a particular data center, all subsequent requests from that user would be
routed to the same data center. In this example, User 1 will always be routed to the
New York Data Center and User 2 to the London Data Center.
User requests in the respective data centers are intercepted by different WebGates
depending on the application being accessed. Each WebGate has the various nodes of
the Access Manager cluster within the same data center configured as its primary
servers. In this case, the WebGates load balance and failover the local data center.

Understanding Multi-Data Centers

17-15

Load Balancing Between Access Management Components

Administrators have the flexibility to configure the primary
servers for every WebGate in different orders based on load
characteristics. Running monitoring scripts in each data center will
detect if any of the Access Manager components – the WebGates or the
servers – are unresponsive so administrators can reconfigure the load
balancers to direct user traffic to a different data center.

Note:

Any number of Clone data centers can be configured to distribute the load across the
globe. The only condition is that all Clone data centers are synchronized from a single
Master using T2P. Figure 17–10 below depicts an Active-Active Multi-Data Center
deployment across five data centers.
Figure 17–10

Active-Active Topology Across Multiple Data Centers

17.4 Load Balancing Between Access Management Components
The topology described earlier shows global and local load balancers for routing the
end user HTTP traffic to various data centers. Additionally, customers can choose to
deploy load balancers between the access manager components to simplify the
configuration of the access manager components by using virtual host names. For
example, instead of configuring the primary servers in each WebGate in the NYDC as
ssonode1.ny.acme.com, ssonode2.ny.acme.com and so on, they can all point to a single
virtual hostname like sso.ny.acme.com and the load balancer will resolve the DNS to
direct them to various nodes of the cluster. However, while introducing a load
balancer between Access Manager components, there are a few constraining
requirements to keep in mind.
■

■

OAP connections are persistent and need to be kept open for a configurable
duration even while idle.
The WebGates need to be configured to recycle their connections proactively prior
to the Load Balancer terminating the connections, unless the Load Balancer is
capable of sending TCP resets to both the Webgate and the server ensuring clean
connection cleanup.

17-16 Administrator's Guide for Oracle Access Management

Load Balancing Between Access Management Components

■

The Load Balancer should distribute the OAP connection uniformly across the
active Access Manager Servers for each WebGate (distributing the OAP
connections according the source IP), otherwise a load imbalance may occur.

Figure 17–11 illustrates a variation of the deployment topology with local load
balancers (LBR 3 and LBR 4) front ending the clusters in each data center. These local
load balancers can be Oracle HTTP Servers (OHS) with mod_wl_ohs. The OAP traffic
still flows between the WebGates and the Access Manager clusters within the data
center but the load balancers perform the DNS routing to facilitate the use of virtual
host names.
For information on monitoring Access Manager server health
with a load balancer in use, see Section 11.6, "Monitoring the Health of
an Access Manager Server."

Note:

Figure 17–11

Load Balancing Access Manager Components

Figure 17–12 illustrates a second variation of the deployment topology with the
introduction of a global load balancer (GLBR2) to front end local load balancers (LBR3
and LBR4). In this case, the host names can be virtualized not just within the data
center but across the data centers. The WebGates in each data center would be
configured to load balance locally but fail over remotely. One key benefit of this
topology is that it guarantees high availability at all layers of the stack. Even if the
entire Access Manager cluster in a data center were to go down, the WebGates in that
data center would fail over to the Access Manager cluster in the other data center.

Understanding Multi-Data Centers

17-17

Understanding Time Outs and Session Syncs

Figure 17–12

Global Load Balancer Front Ends Local Load Balancer

17.5 Understanding Time Outs and Session Syncs
The following sections contain information on how the Multi-Data Center deals with
session time outs and syncs.
■

Ensuring Maximum Session Constraints

■

Configuring Policies for Idle Timeout

■

Expiring Multi-Data Center Sessions

■

Synchronizing Sessions and Multi-Data Center Fail Over

17.5.1 Ensuring Maximum Session Constraints
Credential Collector user affinity ensures that maximum session constraints per user
are honored. There is no Multi-Data Center session store to validate allowed
maximum sessions per user.

17.5.2 Configuring Policies for Idle Timeout
The OAM_ID and OAM_GITO cookies are used to calculate and enforce idle
(inactivity) timeouts. The OAM_GITO cookie, though, can be set only if there is a
common sub-domain across WebGates. Thus, Multi-Data Center policies should be
configured based on whether or not the OAM_GITO cookie is set. Table 17–1
documents the policy configurations.

17-18 Administrator's Guide for Oracle Access Management

Understanding Time Outs and Session Syncs

Table 17–1

Multi-Data Center Policy Configurations for Idle Timeout

OAM_GITO Set

Multi-Data Center Policies

Yes

SessionMustBeAnchoredToDataCenterServicingUser=

Idle timeout will be
SessionDataRetrievalOnDemand=true
calculated from the latest
Reauthenticate=false
OAM_GITO cookie
SessionDataRetrievalOnDemandMax_retry_attempts=
SessionDataRetrievalOnDemandMax_conn_wait_
time=
SessionContinuationOnSyncFailure=
MDCGitoCookieDomain=
No

SessionMustBeAnchoredToDataCenterServicingUser=false

Idle time out will be
calculated from the
OAM_ID cookie because
OAM_GITO is not
available

SessionDataRetrievalOnDemand=true
Reauthenticate=false
SessionDataRetrievalOnDemandMax_retry_attempts=
SessionDataRetrievalOnDemandMax_conn_wait_
time=
SessionContinuationOnSyncFailure=
#MDCGitoCookieDomain= This setting should be commented or
removed

17.5.3 Expiring Multi-Data Center Sessions
Session expiration will be managed by the Data Center with which the user has
affinity. Users have affinity to a particular Data Center based on the global trffic
manager/load balancer.

17.5.4 Synchronizing Sessions and Multi-Data Center Fail Over
Access Manager server side sessions are created and maintained based on single
sign-on (SSO) credentials. The attributes stored in the session include (but are not
limited to) the user identifier, an identity store reference, subject, custom attributes,
partner data, client IP address and authentication level. SSO will be granted if the
server can locate a valid session corresponding to the user's request.
In a Multi-Data Center scenario, when a user request hops across Data Centers, the
Data Center servicing the request should validate for a legitimate session locally and
across Data Centers. If a valid session for a given request exists in a remote Data
Center, the remote session needs to be migrated to the current Data Center based on
the MDC session synchronization policies. (See Section 17.2, "Understanding
Multi-Data Center Deployments" for details.) During this session synchronization, all
session attributes from the remote session are synced to the newly created session in
the Data Center servicing the current request.
The Multi-Data Center also supports WebGate failover across Data Centers. When a
WebGate fails over from one Data Center to a second, the session data can not be
synchronized because the first Data Center servers are down. Thus, the second Data
Center will decide whether or not to proceed with the session adoption based on the
setting configured for SessionContinuationOnSyncFailure. When true, even if the
OAP communication to the remote Data Center fails, the Data Center servicing the
current request can proceed to create a new session locally based on the mandatory
attributes available in the cookie. This provides seamless access to the requested
resource despite the synchronization failure. Table 17–2 summarizes prominent session

Understanding Multi-Data Centers

17-19

Understanding Time Outs and Session Syncs

synchronization and failover scenarios. The parameters in this table are explained in
greater detail in Section 18–3, " partnerInfo.properties Properties."
Table 17–2

MDC
Deployment
Active-Active

Session Synchronization and Failover Scenarios

MDC Policy

Validate
Remote
Session

SessionMustBeAnchoredToDataCen Yes
terServicingUser=true
SessionDataRetrievalOnDemand=tr
ue
Reauthenticate=false
SessionDataRetrievalOnDemandMa
x_retry_attempts=
SessionDataRetrievalOnDemandMa
x_conn_wait_time=
SessionContinuationOnSyncFailure
= false
MDCGitoCookieDomain=

17-20 Administrator's Guide for Oracle Access Management

Session
Synchronized
in DC
Terminate
Servicing
Remote
User From
Session
User Challenged
Remote DC
Yes

Yes

When a valid
session could not
be located in a
remote DC

Understanding Time Outs and Session Syncs

Table 17–2 (Cont.) Session Synchronization and Failover Scenarios

MDC
Deployment
Active-Active

MDC Policy

Validate
Remote
Session

SessionMustBeAnchoredToDataCen Yes
terServicingUser=false

Session
Synchronized
in DC
Servicing
Terminate
User From
Remote
Remote DC
Session
User Challenged
Yes

No

When a valid
session could not
be located in a
remote DC

No, since the
remote DC is
down

Could not
terminate
as the
remote
DC is
down

Yes

No, since the
remote DC is
down

Could not
terminate
as the
remote
DC is
down

No

SessionDataRetrievalOnDemand=tr
ue
Reauthenticate=false
SessionDataRetrievalOnDemandMa
x_retry_attempts=
SessionDataRetrievalOnDemandMa
x_conn_wait_time=
SessionContinuationOnSyncFailure
= false
MDCGitoCookieDomain=
Active-Standby SessionMustBeAnchoredToDataCen Could
terServicingUser=true
not
validate
SessionDataRetrievalOnDemand=tr
as the
ue
remote
Reauthenticate=false
DC is
down
SessionDataRetrievalOnDemandMa
x_retry_attempts=
SessionDataRetrievalOnDemandMa
x_conn_wait_time=
SessionContinuationOnSyncFailure
= false
MDCGitoCookieDomain=
Active-Standby SessionMustBeAnchoredToDataCen Could
terServicingUser=true
not
validate
SessionDataRetrievalOnDemand=tr
as the
ue
remote
Reauthenticate=false
DC is
down
SessionDataRetrievalOnDemandMa
x_retry_attempts=

Provides seamless
access by creating
a local session
from the details
available in the
valid cookie

SessionDataRetrievalOnDemandMa
x_conn_wait_time=
SessionContinuationOnSyncFailure
= true
MDCGitoCookieDomain=

Understanding Multi-Data Centers

17-21

Replicating a Multi-Data Center Environment

17.6 Replicating a Multi-Data Center Environment
Data in the Multi-Data Center environment must be replicated from the Master
(supplier) to the Clones (consumers) as part of the initial setup procedure. Following
this initial replication, the data must be synced across data centers on a regular basis.
The following sections have more details.
■

Replicating Data Using the WLST

■

Syncing Data Using Automated Policy Synchronization

The following artifacts must be replicated and synced regularly.
■

WebGate Profiles
While the WebGate profile is replicated to the Clone, the primary server list and
logout URL details are updated with information about the Clone data center.

■

Authentication Modules

■

OAM Proxy Configurations

■

Session Manager configurations

■

Policy and partner data

For more details on replication and syncing data, see Chapter 19, "Synchronizing Data
In A Multi-Data Center."

17.6.1 Replicating Data Using the WLST
Initial replication of data (when setting up the Multi-Data Center) must be done
manually using the WLST. Following this initial replication, WLST commands or the
Automated Policy Sync Replication Service (discussed in Syncing Data Using
Automated Policy Synchronization) can be used to sync the already replicated data.
When using the WLST, partner profiles and policies are exported from the Master Data
Center and then imported to the Clone Data Center. Replication of data in a
Multi-Data Center environment is a requirement and using WLST for this purpose is
the minimum method for accomplishing this. For more details, see Section 19.1.3,
"Manually Syncing Data in a Multi-Data Center."

17.6.2 Syncing Data Using Automated Policy Synchronization
Automated Policy Synchronization (APS, also referred to as the Replication Service) is
a set of REST API used to automatically replicate data from the Master Data Center to
Clone Data Centers. It can be configured to keep Access Manager data synchronized
across multiple data centers. A valid replication agreement between the data centers
must be present before APS can run. For more details, see Section 19.1,
"Understanding the Multi-Data Center Sync."
APS is not used to do a complete replication from scratch. You
will first need to replicate data manually using the WLST to establish
a base line. APS is only designed to keep data centers in sync.

Note:

17.7 Multi-Data Center Recommendations
This section contains recommendations regarding the Multi-Data Center functionality.
■

Using a Common Domain

17-22 Administrator's Guide for Oracle Access Management

Multi-Data Center Recommendations

■

Concerning the DCC and the OAM_GITO

■

Using an External Load Balancer

■

Honoring Maximum Sessions

■

WebGate Cookie Cannot Be Refreshed During Authorization

17.7.1 Using a Common Domain
It is recommended that WebGates be domain-scoped in a manner that a common
domain can be inferred across all WebGates and the OAM Server Credential
Collectors. This allows for WebGates to set an encrypted GITO cookie to be shared
with the OAM Server. For example, if WebGates are configured on
applications.abc.com and the OAM Server Credential Collectors on server.abc.com,
abc.com is the common domain used to set the GITO cookie. In scenarios where a
common domain cannot be inferred, setting the GITO cookie is not practical as a given
Data Center may not be aware of the latest user sessions in another Data Center. This
would result in the Data Center computing session idle-timeout based on old session
data and could result in re-authenticating the user even though a more active session
lives elsewhere.
A similar issue occurs during server fail-over when the
SessionContinuationOnSyncFailure property is set. The expectation
is to retrieve the session from contents of the OAM_ID cookie. Since
it's not possible to retrieve the actual inactivity time out value from the
GITO cookie, a re-authentication could result.
Note:

When there is no common cookie domain across WebGates and OAM servers, make
the following configuration changes to address idle time out issues.
■

■

Run the enableMultiDataCentreMode WLST command after removing the
MDCGitoCookieDomain property from the input properties file.
Because a WebGate cookie cannot be refreshed during authorization, set the value
of the WebGate cookie validity lower than the value of the session idle time out
property. Consider a session idle time out value of 30 minutes and a WebGate
cookie validity value of 15 minutes; in this case, every 15 minutes the session will
be refreshed in the authenticating Data Center.
For 10G WebGates, since the token is not expired by the
WebGate, the server will continue to honor a 10G WebGate cookie
until the session in the base DC (authenticating DC) idles out.

Note:

17.7.2 Concerning the DCC and the OAM_GITO
The OAM_GITO cookie is not applicable when using the DCC. Because of this:
■
■

■

The #MDCGitoCookieDomain= setting should be commented out.
The SessionMustBeAnchoredToDataCenterServicingUser parameter must be set to
false.
The WebGate cookie expiration interval should be set as documented in "Using a
Common Domain."

Understanding Multi-Data Centers

17-23

Multi-Data Center Recommendations

17.7.3 Using an External Load Balancer
Access Manager uses the 11g SDK API to retrieve session data but this API does not
support SDK based load-balancing across the configured set of primary servers. Use
an external TCP based load balancer to front-end the OAP endpoints of the Data
Center nodes where high performance is expected.
Failover between primary and secondary OAM servers is
supported in the current release of 11g SDK APIs.

Note:

17.7.4 Honoring Maximum Sessions
A typical Multi-Data Center scenario authenticates users against the Data Center with
which the user geography has an affinity. In the rare scenarios where user
authentication and session creation for a given user spans across member Data Centers
(bypassing geographic affinity and load spike), the maximum sessions the user has in
the whole Multi-Data Center topology would not be honored.

17.7.5 WebGate Cookie Cannot Be Refreshed During Authorization
Because a WebGate cookie cannot be refreshed during authorization, set the value of
the WebGate cookie validity lower than the value of the session idle time out property.
Consider a session idle time out value of 30 minutes and a WebGate cookie validity
value of 15 minutes; in this case, every 15 minutes the session will be refreshed in the
authenticating Data Center. Setting the WebGate cookie expiration to less than 2
minutes is the recommendation.
This will not work for 10G WebGates because the 10G
WebGate token expiration is driven by the server and not the
WebGate. The server will continue to honor a 10G WebGate cookie
until the session in the base DC (authenticating DC) idles out. A
logout will work by clearing browser cookies; the dangling server side
session will continue to exist but is considered harmless.

Note:

17-24 Administrator's Guide for Oracle Access Management

18
Configuring Multi-Data Centers
18

[16The
]
Multi-Data Center feature is disabled by default. This chapter contains details on
how to enable and configure the Multi-Data Center functionality.

The following sections have details.
■

Before Setting Up a Multi-Data Center

■

Understanding the Primary Use Cases

■

Setting Up a Multi-Data Center

■

Adding A Second Clone to An Existing Multi-Data Center Setup

■

Understanding Multi-Data Center Security Modes

■

WLST Commands for Multi-Data Centers

18.1 Before Setting Up a Multi-Data Center
The following prerequisites must be satisfied before beginning the Multi-Data Center
(MDC) configuration process documented in Setting Up a Multi-Data Center.
■

■

■

■

Ensure you have a fully functioning Oracle Access Management environment with
all applicable WebGates configured.
Partners (WebGates or agents) are anchored to a single Data Center thus, partner
registration is done at the individual Data Centers.
All Data Center clusters must be front ended by a single Load Balancer. The load
balancer should send all requests in a user session consistently to the same
backend server (persistence, stickiness) and it should be route traffic
geographically (geo-affinity).
Clocks on the machines in which Access Manager and agents are deployed must
be in sync. Non-MDC Access Manager clusters require the clocks of WebGate
agents be in sync with Access Manager servers. This requirement applies to the
MDC as well. If the clocks are out of sync, token validations will not be consistent
resulting in deviations from the expected behaviors regarding the token expiry
interval, validity interval, timeouts and the like.

■

The identity stores in a Multi-Data Center topology must have the same Name.

■

WebLogic Server domains do not span Data Centers.

■

Any firewall between Data Centers must allow communication over the Oracle
Access Protocol (OAP) channel. This entails opening the necessary ports and
taking into account the lifetime of the connection. In regards to the latter, the

Configuring Multi-Data Centers

18-1

Understanding the Primary Use Cases

MaxSessionTime parameter in the WebGate profile should be set to less than the
firewall timeout value.

18.2 Understanding the Primary Use Cases
Table 18–1 lists the primary MDC use cases.
Table 18–1

MDC
Deployment
Active-Active

MDC Use Cases

MDC Policy

Validate
Remote
Session

SessionMustBeAnchoredToDataCenterServ Yes
icingUser=false

Session
Synchroni
zed in DC
Servicing
User From
Remote
DC

Terminate
Remote
Session

Yes

No

When a valid
session could
not be
located in a
remote DC

Could not
terminate
as the
remote DC
is down

No

SessionDataRetrievalOnDemand=true
Reauthenticate=false

User
Challenged

SessionDataRetrievalOnDemandMax_
retry_attempts=
SessionDataRetrievalOnDemandMax_
conn_wait_time=
SessionContinuationOnSyncFailure= false
MDCGitoCookieDomain=
Active-Standb
y

SessionMustBeAnchoredToDataCenterServ Could not No, since
icingUser=false
validate
the remote
DC is down
as the
SessionDataRetrievalOnDemand=true
remote
Reauthenticate=false
DC is
down
SessionDataRetrievalOnDemandMax_
retry_attempts=
SessionDataRetrievalOnDemandMax_
conn_wait_time=
SessionContinuationOnSyncFailure= true

Provides
seamless
access by
creating a
local session
from the
details
available in
the valid
cookie

MDCGitoCookieDomain=

18.3 Setting Up a Multi-Data Center
The MDC feature is disabled by default. To set up an Access Manager MDC, start with
an Access Manager cluster, set all MDC global configurations and designate the cluster
as the Master Data Center. Following this, set up the Clone Data Center.
Before beginning this procedure, ensure that you have
completed the points documented in "Before Setting Up a Multi-Data
Center."

Note:

The following sections document the process for setting up an MDC. They include
running the commands documented in Section 18.6, "WLST Commands for Multi-Data
Centers."

18-2 Administrator's Guide for Oracle Access Management

Setting Up a Multi-Data Center

■

Enabling the Master Data Center

■

Setting Up the Clone Data Center

18.3.1 Enabling the Master Data Center
The following procedure contains more details.
1.

Set up the primary Access Manager Data Center and designate it as the Master.
A Master Data Center can be an existing Access Manager cluster or a vanilla
installation.
a.

Make note of the clusterId.
The Access Manager bootstrap assigns a unique clusterId to the Access
Manager cluster. To set a custom clusterId, use the
setMultiDataCentreClusterName WLST command documented in
Section 18.6.7, "setMultiDataCentreClusterName."

b.

Enable Multi-Data Center mode by running the enableMultiDataCentreMode
WLST command.
enableMultiDataCentreMode sets an Access Manager cluster as Master, by
default, and applies the global configurations. See Section 18.6.1,
"enableMultiDataCentreMode" for details on the command and a sample
properties file used for input. See Understanding the Primary Use Cases for
details on the primary MDC scenarios.
To explicitly set the DC type as Master or Clone, use the
setMultiDataCenterType WLST command documented in
Section 18.6.5, "setMultiDataCenterType."
Note:

c.

Validate the MDC configuration by running the validateMDCConfig WLST
command.
See Section 18.6.8, "validateMDCConfig."

d.
2.

Restart the Admin server.

Register and seed Partner Profiles for the Multi Data Centers.
Each Data Center will use an Oracle Access Protocol (OAP) channel to fetch
sessions from a remote DC. This runtime session sync can be initiated by a Master
or Clone and thus each Data Center requires a WebGate agent profile (created
using the Oracle Access Management Console) to be registered as a Partner Profile
in the cluster.
These registrations can be performed in the Master DC and the
configurations will be applied to all clones created using T2P process.

Note:

This procedure will register two profiles, DCMaster and DCClone1. These profiles
are used for the back channel OAP communication mentioned above. A WebGate
profile should also be defined for the Master and all Clone Data Centers.
a.

Log in to the Oracle Access Management Console as System Administrator
and click Application Security at the top of the window.

Configuring Multi-Data Centers

18-3

Setting Up a Multi-Data Center

b.

In the Application Security console, click SSO Agent Registration in the
Quick Start Wizards section.
The SSO Agent Registration tab opens.

c.

Configure the DCMaster agent profile by entering the required details
including Version, Name (DCMaster) and Security Mode.
The security mode of the MDC partner profile should match the security mode
defined for the Access Manager server. See Understanding Multi-Data Center
Security Modes for details on the property files for each security mode. These
files will be used as input when the addPartnerForMultiDataCentre WLST
command is executed below.

d.

Uncheck Auto Create Policies and click Finish.
A DCMaster tab is displayed. Ensure that the Allow Management Operation
option is selected in the newly created agent profile.

e.

Repeat the steps to create the DCClone1 agent profile.

f.

Execute the addPartnerForMultiDataCentre WLST command to seed the
DCMaster and DCClone1 agent profiles to the Master Data Center.
The WLST command would be run twice on the Master Data Center as
follows:
addPartnerForMultiDataCentre(propfile= "/path/DCMaster.properties")
addPartnerForMultiDataCentre(propfile= "/path/DCClone1.properties"

Example 18–1 and Example 18–2 illustrate the property files used as input.
The RESTEndpoint property takes a value of the HTTP or HTTPS endpoint of
the Access Manager AdminServer used to invoke replication related REST
services. HTTPS is preferred.
Example 18–1

DCMaster.properties for Master

remoteDataCentreClusterId=DC1
#webgate profile for session fetch created earlier and its password in DC1
oamMdcAgentId=DCMaster
AccessClientPasswd=secret
PrimaryHostPort=dc1.us.example.com:5575
SecondaryHostPort=dc1.example.com:5576
oamMdcSecurityMode=OPEN
trustStorePath=NA
keyStorePath=NA
globalPassPhrase=NA
keystorePassword=NA
agentVersion=11g
RESTEndpoint=https://:

Example 18–2

DCClone1.properties for Clone

remoteDataCentreClusterId=DC2
#webgate profile for session fetch created earlier and its password in DC2
oamMdcAgentId=DCClone1
AccessClientPasswd=secret
PrimaryHostPort=dc2.us.example.com:5575

18-4 Administrator's Guide for Oracle Access Management

Setting Up a Multi-Data Center

SecondaryHostPort=dc2.example.com:5576
oamMdcSecurityMode=OPEN
trustStorePath=NA
keyStorePath=NA
globalPassPhrase=NA
keystorePassword=NA
agentVersion=11g
RESTEndpoint=https://

After running the WLST commands, the agent profiles will be recognized by
the Master as the profiles to use for runtime session sync. See
addPartnerForMultiDataCentre for more details.
At this point in the procedure, the clone DC has not been
setup but it is assumed that the service host and port information are
known so can be defined in the DCClone1.properties file. If the
information is not known, you can register the clone DC partner after
the T2P process. In this case, only DCMaster will be registered now so
the WLST command for the second DC has to be executed first in the
Master DC and then in the clone DC after the T2P process is
completed.

Note:

18.3.2 Setting Up the Clone Data Center
The Data Center set up in Enabling the Master Data Center is designated as the Master
and will be cloned using T2P tools for any additional Data Centers. All configuration
and policy changes are propagated from the Master to a Clone using the WLST
commands provided as part of T2P Tooling. The T2P process is explained in the
following documents.
■

■

1.

See Oracle Fusion Middleware Administrator's Guide for information on T2P when
using WebLogic Server.
See Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity
and Access Management for information on T2P when using Websphere Server.
Execute the following commands on the Master Data Center.
Ensure that the AdminServer and all Managed Servers are running. The $T2P_
HOME directory is just a location where all the artifacts of this process are saved.
$MIDDLEWARE_HOME/oracle_common/bin/copyBinary.sh -javaHome $JAVA_HOME
-archiveLoc $T2P_HOME/oamt2pbin.jar
-sourceMWHomeLoc $MIDDLEWARE_HOME
-idw true
-ipl $MIDDLEWARE_HOME/oracle_common/oraInst.loc
-silent true
-ldl $T2P_HOME/oam_cln_log;
$MIDDLEWARE_HOME/oracle_common/bin/copyConfig.sh -javaHome $JAVA_HOME
-archiveLoc $T2P_HOME/oamt2pConfig.jar
-sourceDomainLoc $DOMAIN_HOME
-sourceMWHomeLoc $MIDDLEWARE_HOME
-domainHostName admin-dc1.us.example.com
-domainPortNum 7001
-domainAdminUserName weblogic
-domainAdminPassword $T2P_HOME/t2p_domain_pass.txt
-silent true
-ldl $T2P_HOME/oam_cln_log_config

Configuring Multi-Data Centers

18-5

Setting Up a Multi-Data Center

-opssDataExport true
-debug true;
2.

Copy the following files to the clone machine.
The clone machine should not have any Oracle Access Management software
installed on it.
$MIDDLEWARE_HOME/oracle_common/bin/pasteBinary.sh
$MIDDLEWARE_HOME/oracle_common/jlib/cloningclient.jar
$MIDDLEWARE_HOME/oracle_common/oraInst.loc

3.

Execute the following commands on the Clone Data Center to copy all contents of
$T2P_HOME directory from the master to the $T2P_HOME directory of the clone.
$T2P_HOME/pasteBinary.sh -javaHome $JAVA_HOME -al $T2P_HOME/oamt2pbin.jar
-tmw $MIDDLEWARE_HOME -silent true -idw true -esp false
-ipl $T2P_HOME/oraInst.loc -ldl $T2P_HOME/oam_cln_log_p
-silent true
$MIDDLEWARE_HOME/oracle_common/bin/extractMovePlan.sh -javaHome $JAVA_HOME
-al $T2P_HOME/oamt2pConfig.jar
-planDirLoc $T2P_HOME/moveplan/

4.

Edit the extracted Moveplan.xml on the Clone Data Center to provide relevant
details.
Note:

Backup the original Moveplan.xml before editing.

cp $T2P_HOME/moveplan/moveplan.xml $T2P_
HOME/moveplan/moveplan.xml.org

Each Clone Data Center will use a fresh set of OAM related schemas which need
to be created using RCU in their respective databases. The new schema names and
passwords need to be referenced in the moveplan.
$MIDDLEWARE_HOME/oracle_common/bin/pasteConfig.sh -javaHome $JAVA_HOME
-archiveLoc $T2P_HOME/oamt2pConfig.jar
-targetMWHomeLoc $MIDDLEWARE_HOME
-targetDomainLoc $DOMAIN_HOME
-movePlanLoc $T2P_HOME/moveplan/moveplan.xml
-domainAdminPasswordFile $T2P_HOME/t2p_domain_pass.txt
-ldl $T2P_HOME/oam_cln_log_paste_p
-silent true
5.

Use pack and unpack to copy managed servers on separate hosts.
See Oracle Fusion Middleware Creating Templates and Domains Using the Pack and
Unpack Commands for details.

6.

Configure any or all Clone Data Centers as follows.
a.

Set a unique data center identifier for the clone DC using the
setMultiDataCentreClusterName WLST command.
setMultiDataCentreClusterName(clusterName="DC2")

This step may be skipped if it was already done through the
T2P process.

Note:

18-6 Administrator's Guide for Oracle Access Management

Understanding Multi-Data Center Security Modes

b.

Set the type to Clone for the Clone DC.
setMultiDataCenterType(DataCenterType="Clone")

Optionally the configuration and policy updates can be disabled on the Clone
by executing setMultiDataCenterWrite(WriteEnabledFlag="false"). After
executing the command, the Clone becomes read only for policy and
configuration artifacts. See setMultiDataCenterWrite for details.
7.

Verify access to the Oracle Access Management Console and single sign-on
between data centers.

To this point, one master and one clone are set up. Multiple clones can be set up
similarly as required by repeating the cloning process. The above commands need to
be executed for each of the clone DCs as per the topology using the appropriate cluster
name each time.

18.4 Adding A Second Clone to An Existing Multi-Data Center Setup
To add another clone to an already existing MDC environment follow these steps. The
specifics are documented in "Setting Up a Multi-Data Center."
1.

Register a Partner Profile for the new Clone DC (DC3) on the Master DC.

2.

Seed the data center partner on the Master DC.

3.

Setup the new Clone DC.

4.

Setup replication for the new Clone DC.

5.

Customize with transformation rules if required.

18.5 Understanding Multi-Data Center Security Modes
A Multi-Data Center relies on the Oracle Access Protocol (OAP) channel for inter data
center session management operations and back channel communication. The security
mode of the MDC partner profile should match the security mode defined for the
Access Manager server: OPEN, SIMPLE or CERT.
An MDC partner profile is exposed by each data center and
used by other data centers to communicate with it. Registering an
MDC partner is a two step process. Consider an MDC with three data
centers. In DC1, expose an MDC partner profile by creating a 10g or
11g WebGate (DC1_MDC_Partner). Then, register DC1_MDC_Partner
in DC2 and DC3 using addPartnerForMultiDataCentre. See
Section 18.6.3, "addPartnerForMultiDataCentre" for details.

Note:

The following sections have details about the security modes.
■

OPEN Security Mode

■

SIMPLE Security Mode

■

CERT Security Mode

Configuring Multi-Data Centers

18-7

Understanding Multi-Data Center Security Modes

18.5.1 OPEN Security Mode
This is the default mode of the Access Manager deployment. No configuration is
needed. The following is a sample input properties file for use with the
addPartnerForMultiDataCentre WLST command.
remoteDataCentreClusterId=

oamMdcAgentId=

PrimaryHostPort=
for example:PrimaryHostPort=adc.example.com:5575
SecondaryHostPort=
for example:SecondaryHostPort=adc.example.com:5577
AccessClientPasswd=
oamMdcSecurityMode=OPEN
agentVersion=
#NA ----> Not Applicable
trustStorePath=NA
keyStorePath=NA
globalPassPhrase=NA
keystorePassword=NA

18.5.2 SIMPLE Security Mode
Follow the instructions in Appendix C.5, "Configuring Simple Mode Communication
with Access Manager" to set up the Access Manager servers in SIMPLE mode. In short,
create an MDC partner profile in each of the member data centers in SIMPLE mode,
and add it to each of the other data centers. The following is a sample input properties
file for use with the addPartnerForMultiDataCentre WLST command.
remoteDataCentreClusterId=

oamMdcAgentId=
PrimaryHostPort=
for example:PrimaryHostPort=adc.example.com:5575
SecondaryHostPort=
for example:SecondaryHostPort=adc.example.com:5577
AccessClientPasswd=
oamMdcSecurityMode=SIMPLE
agentVersion=
#Copy the oamclient-truststore.jks & oamclient-keystore.jks from
#/output/webgate-ssl/ from 'datacenter with cluster ID
#remoteDataCentreClusterId' above into the local DC say /scratch/MDCArtifacts/ and
#refer them in the below parameters
trustStorePath=
keyStorePath=
#Use the online WLST command displaySimpleModeGlobalPassphrase() to list
#the global passphrase in SIMPLE mode. Admins can also update this in the UI
#@ System Configuration-->Access Manager-->Access Manager Settings-->
#Access Protocol-->Simple Mode Configuration-->Global Passphrase.
#globalPassPhrase & keystorePassword are the same for SIMPLE mode
globalPassPhrase=
keystorePassword=

18-8 Administrator's Guide for Oracle Access Management

Understanding Multi-Data Center Security Modes

18.5.3 CERT Security Mode
Follow the instructions in Appendix C.4, "Configuring Cert Mode Communication for
Access Manager" to set up the Access Manager servers in CERT mode. In short, create
an MDC partner in each of the member data centers in CERT mode, and generate the
'clientTrustStore.jks' and 'clientKeyStore.jks' keystores to be used by the MDC partner
using the following procedure.
1.

Run the following openssl command from a Linux command prompt to generate
aaa_key.pem & aaa_req.pem.
openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8
Use the certreq command to generate the certificate and chain.

2.

Create aaa_cert.pem using the following procedure.
a.

Open aaa_req.pem in a text editor and copy the contents.
Exclude the trailing spaces from your selection.

b.

Paste the copied text into Signcsr.
Include [-----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE
REQUEST-----].

c.
3.

Copy the output into a text editor and save it as aaa_cert.pem.

Create aaa_chain using the following procedure.
a.

Open certreq.

b.

Click on chain.pem and copy/paste the contents into a text editor and save it
as aaa_chain.pem.
Excluding traiing and leading spaces from your selection.

4.

Encrypt the private key (aaa_key.pem) using the following command.
openssl rsa -in aaa_key.pem -passin pass: -out aaa_key.pem -passout
pass:Welcome1 -des

The password used in this command must be defined as the access client
password or agent key password while registering the MDC partner.
5.

Copy aaa_key.pem, aaa_cert.pem and aaa_chain.pem to a temporary location.
For example, /tmp/clientCertArtifacts/

6.

Convert aaa_cert.pem and aaa_key.pem into DER format using one of the
following commands.
-openssl x509 -in /tmp/clientCertArtifatcs/aaa_cert.pem -inform PEM -out
/tmp/clientCertArtifatcs/aaa_cert.der -outform DER;
-openssl pkcs8 -topk8 -nocrypt -in /tmp/clientCertArtifatcs/aaa_key.pem
-inform PEM -out /tmp/clientCertArtifatcs/aaa_key.der -outform DER;

7.

Import the aaa_key.der and aaa_cert.der into clientKeyStore.jks; and the aaa_
chain.pem into clientTrustStore.jks with the below steps
-cd $IDM_HOME/oam/server/tools/importcert/;
-unzip importcert.zip;
-java -cp importcert.jar
oracle.security.am.common.tools.importcerts.CertificateImport -keystore

Configuring Multi-Data Centers

18-9

WLST Commands for Multi-Data Centers

/tmp/clientCertArtifatcs/clientKeyStore.jks -privatekeyfile
/tmp/clientCertArtifatcs/aaa_key.der -signedcertfile
/tmp/clientCertArtifatcs/aaa_cert.der -storetype jks -genkeystore yes
-keytool -importcert -file /tmp/clientCertArtifatcs/aaa_chain.pem -trustcacerts
-keystore /tmp/clientCertArtifatcs/clientTrustStore.jks -storetype JKS

Enter the keystore passwords when prompted. The password needs to be defined
in the input properties file for the addPartnerForMultiDataCentre WLST
command as well.
8.

If not done when creating the certificates for the WebGate, import the aaa_key.der
and aaa_cert.der formatted certificates into the .oamkeystore using the same
Oracle provided importcert.jar used inthe previous step.
-java -cp importcert.jar
oracle.security.am.common.tools.importcerts.CertificateImport
-keystore /scratch/Oracle/Middleware/domains/
base_domain/config/fmwconfig/.oamkeystore -privatekeyfile
/tmp/clientCertArtifacts/aaa_key.der -signedcertfile
/tmp/clientCertArtifacts/aaa_cert.der -alias mycertmode1 -storetype JCEKS

alias is the alias name defined when setting CERT mode in Access Manager.
The following is a sample input properties file for use with the
addPartnerForMultiDataCentre WLST command.
remoteDataCentreClusterId=

oamMdcAgentId=
PrimaryHostPort=
for example:PrimaryHostPort=adc.example.com:5575
SecondaryHostPort=
for example:SecondaryHostPort=adc.example.com:5577
AccessClientPasswd=
oamMdcSecurityMode=CERT
agentVersion=
trustStorePath=
keyStorePath=
globalPassPhrase=NA
#use keystore password used for generating keystore in the previous step
keystorePassword=

18.6 WLST Commands for Multi-Data Centers
The following WebLogic Scripting Tool (WLST) commands are specific to Multi-Data
Center deployment. More information is in the following sections.
■

enableMultiDataCentreMode

■

disableMultiDataCentreMode

■

addPartnerForMultiDataCentre

■

removePartnerForMultiDataCentre

■

setMultiDataCenterType

■

setMultiDataCenterWrite

18-10 Administrator's Guide for Oracle Access Management

WLST Commands for Multi-Data Centers

■

setMultiDataCentreClusterName

■

validateMDCConfig

■

exportAccessStore

■

importAccessStore

See the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for
information on the WebLogic Scripting Tool.

18.6.1 enableMultiDataCentreMode
Online command used to enable Multi-Data Center mode.

18.6.1.1 Description
This command enables Multi-Data Center mode. It takes a value equal to the full path
to, and name of, the MDC.properties file.
Setting the SSO Token version to 5 is not supported from the
administration console. To do this, modify the Access Manager
Settings page and run the enableMultiDataCentreMode WLST
command to set.
Note:

18.6.1.2 Syntax
enableMultiDataCentreMode(propfile="../MDC_properties/oamMDCProperty.properties")
Argument

Definition

propfile

Mandatory. Takes a value equal to the full path to, and name of, the
oamMDCProperty.properties file. Table 18–2 documents the
properties that comprise the file. Example 18–3 (following the
table) is a sample oamMDCProperty.properties file.

Table 18–2

oamMDC.properties Properties

Property

Definition

SessionMustBeAnchoredToDataCenterServicing Takes a value of True (Invalidate) or False
User
(No Invalidation).
SessionDataRetrievalOnDemand

Takes a value of True (Cross DC retrieval) or
False (No). Data retrieval can be turned off
without disabling MDC. If False, session data
is not transferred but SSO is still performed
as the user moves across DCs.
NOTE: SessionDataRetrievalOnDemand
must be set to False when deploying in
Co-existence mode. See Oracle Fusion
Middleware Migration Guide for Oracle Identity
and Access Management for information on
co-existence scenarios.

Reauthenticate

Takes a value of True (force reauthentication)
or False (No forced reauthentication).

SessionDataRetrievalOnDemandMax_retry_
attempts

Takes a value equal to a binary that
represents the number of times to retry data
retrieval when it fails. Default is 2.

Configuring Multi-Data Centers 18-11

WLST Commands for Multi-Data Centers

Table 18–2 (Cont.) oamMDC.properties Properties
Property

Definition

SessionDataRetrievalOnDemandMax_conn_
wait_time

Takes a value equal to a binary that
represents the total amount of time in
seconds to wait for a connection. Default is
1000.

SessionContinuationOnSyncFailure

Decides the session adoption action on fail
over. When set to 'true', the session will
continue on the DC servicing the current
request even though the parent DC is
down/not reachable. The session will be
created in the DC servicing the current
request from the mandatory minimal
information available in the incoming token.
When set to 'false', the user will be
challenged on fail-over scenarios.

MDCGitoCookieDomain

Specifies the domain with which the OAM_
GITO cookie should be set. In MDC
deployments where a common cookie
domain hierarchy cannot be derived, this
setting should be commented or removed as
described in Inactivity time outs scenario.

Example 18–3

Sample oamMDCProperty.properties File

SessionMustBeAnchoredToDataCenterServicingUser=false
SessionDataRetrievalOnDemand=true
Reauthenticate=true
SessionDataRetrievalOnDemandMax_retry_attempts=3
SessionDataRetrievalOnDemandMax_conn_wait_time=80
SessionContinuationOnSyncFailure=true
#MDCGitoCookieDomain=.example.com 

18.6.1.3 Example
The following command enables this data center.
enableMultiDataCentreMode(propfile="../MDC_properties/oamMDCProperty.properties")

18.6.2 disableMultiDataCentreMode
Online command used to disable Multi-Data Center mode.

18.6.2.1 Description
This command disables Multi-Data Center mode.

18.6.2.2 Syntax
disableMultiDataCentreMode()

There are no arguments for this command.

18.6.2.3 Example
The following command disables Multi-Data Center mode.

18-12 Administrator's Guide for Oracle Access Management

WLST Commands for Multi-Data Centers

disableMultiDataCentreMode()

18.6.3 addPartnerForMultiDataCentre
In an MDC deployment with n number of Data Centers, each Data Center has a
registered partner to communicate with each of the other (n-1) Data Centers. This
makes the total number of partner registrations (n) x (n-1). This online command is
used to add a partner for inter Data Center OAP communication.
An MDC partner profile is exposed by each data center and
used by other data centers to communicate with it. Registering an
MDC partner is a two step process. Consider an MDC with three data
centers. In DC1, expose an MDC partner profile by creating a 10g or
11g WebGate (DC1_MDC_Partner). Then, register DC1_MDC_Partner
in DC2 and DC3 using addPartnerForMultiDataCentre. See
Section 18.6.3, "addPartnerForMultiDataCentre" for details.

Note:

18.6.3.1 Description
This command adds a partner to the Data Center. It takes a value equal to the full path
to, and name of, the partnerInfo.properties file.

18.6.3.2 Syntax
addPartnerForMultiDataCentre(propfile="../MDC_properties/partnerInfo.properties")
Argument

Definition

propfile

Mandatory. Takes a value equal to the path to, and name of, the
partnerInfo.properties file.

RESTEndpoint

Optional. Takes as a value the HTTP/HTTPS URL from which the
Access Manager REST services can be accessed.

Table 18–3 documents the properties that comprise partnerInfo.properties. See
Understanding Multi-Data Center Security Modes for properties file samples.
Table 18–3

partnerInfo.properties Properties

Property

Definition

remoteDataCentreClusterId

Cluster id of the remote Data Center with which the OAP
communication needs to be established.

oamMdcAgentId

Partner ID of the registered partner profile in the remote Data
Center. The "allow management operations" flag for this partner
should be set in the remote Data Center.

PrimaryHostPort

Takes a fully-qualified-host-name:OAM-port for the primary Access
Manager server corresponding to the remote DC identified by
remoteDataCentreClusterId; for example:
PrimaryHostPort=abc.example.com:5575

Configuring Multi-Data Centers 18-13

WLST Commands for Multi-Data Centers

Table 18–3 (Cont.) partnerInfo.properties Properties
Property

Definition

SecondaryHostPort

Takes a fully-qualified-host-name:OAM-port for the secondary
Access Manager server corresponding to the remote DC
identified by remoteDataCentreClusterId; for example:
SecondaryHostPort=abc.example.com:5577
Consider an OAM MDC member Data Center with two
managed servers at abc.example.com with ports as follows:
oam_server1 (5575) and oam_server2 (5577). High
availability/failover of the OAP SDK partner can be achieved by
setting the PrimaryHostPort and SecondaryHostPort as below.
PrimaryHostPort=abc.example.com:5575
SecondaryHostPort=abc.example.com:5577

AccessClientPasswd

The access client password of the MDC partner registered in the
remote Data Center.

oamMdcSecurityMode

Defines the MDC security mode. Takes a value of
OPEN/SIMPLE/CERT. (CERT Mode is preferred, SIMPLE is
fine but OPEN is discouraged.)
For SIMPLE and CERT modes, the following values should be
supplied appropriately. For OPEN mode, these values are not
applicable. See Understanding Multi-Data Center Security
Modes.

agentVersion

Valid agent version 11g/10g.

trustStorePath

Absolute path to the truststore file [SIMPE/CERT].

keyStorePath

Absolute path to the keyStore file [SIMPLE/CERT].

globalPassPhrase

Global passphrase set during the partner registration
[SIMPLE/CERT].

keystorePassword

Key store password set during partner configuration
[SIMPLE/CERT].

18.6.3.3 Example
The following command defines this data center as a Master.
addPartnerForMultiDataCentre(propfile="../MDC_properties/partnerInfo.properties")

18.6.4 removePartnerForMultiDataCentre
Online command used to remove a registered remote partner from the Data Center
configuration.

18.6.4.1 Description
This command removes a registered remote partner from a configured Data Center. It
takes a value equal to a valid remoteDataCentreClusterId.

18.6.4.2 Syntax
removePartnerForMultiDataCentre=("")
Argument

Definition

cluster_ID

Mandatory. Takes a string value equal to the cluster ID.

18-14 Administrator's Guide for Oracle Access Management

WLST Commands for Multi-Data Centers

18.6.4.3 Example
The following command defines the partner to be removed.
removePartnerForMultiDataCentre("99bf9-adc2120609")

18.6.5 setMultiDataCenterType
Online command used to set the type of data center - either Master or Clone.

18.6.5.1 Description
In an MDC deployment one Data Center is designated as the Master and the others as
a Clone. Essentially all MDC wide global configurations and policy updates should be
applied to the Master and propagated to the Clones using the supported T2P
commands. This command sets the type of the data center. Values are Master or Clone.

18.6.5.2 Syntax
setMultiDataCenterType(DataCenterType="")
Argument

Definition

DataCenterType

Mandatory. Takes a string value of Master or Clone.

18.6.5.3 Example
The following command defines this data center as a Master.
setMultiDataCenterType(DataCenterType="Master")

18.6.6 setMultiDataCenterWrite
Online command used to set write protection for modifications to system and policy
configurations on the Clone Data Center.

18.6.6.1 Description
A Clone Data Center can be write protected by setting WriteEnabledFlag to false. In
this case, the Clone Data Center will not allow updates through the Oracle Access
Management Console or WLST commands. Data synchronization will still continue to
update as the command is used to write protect the Clone Data Center against
accidental updates after the initial set up is complete.

18.6.6.2 Syntax
setMultiDataCenterWrite(WriteEnabledFlag="")
Argument

Definition

WriteEnabledFlag

Mandatory. Takes a string value of true or false.

18.6.6.3 Example
The following example protects the Clone Data Center from accidental overwrites.
setMultiDataCenterWrite(WriteEnabledFlag = "false")

Configuring Multi-Data Centers 18-15

WLST Commands for Multi-Data Centers

18.6.7 setMultiDataCentreClusterName
Online command to set the cluster name of the Data Center to the supplied string.

18.6.7.1 Description
This command sets the Multi-Data Center cluster name. Value is a string.

18.6.7.2 Syntax
setMultiDataCentreClusterName(clusterName="")
Argument

Definition

clusterName

Mandatory. Takes a string equal to the cluster name.

18.6.7.3 Example
The following command enables this data center.
setMultiDataCentreClusterName(clusterName="MyCluster")

18.6.8 validateMDCConfig
Online command used to insure the Multi-Data Center configuration is correct.

18.6.8.1 Description
This command validates that the required entries in the Multi-Data Center
configuration are present in oam-config.xml. For the MDC solution, a new Access
Manager event named mdc_session_update is required to create or update MDC
sessions during authorization. The Access Manager event model requires a set of
configurations to be present in the oam-config.xml configuration file. The required
configurations cannot be added statically so validateMDCConfig validates the required
entries for mdc_session_update and seeds any configurations not already present.

18.6.8.2 Syntax
validateMDCConfig()

There are no arguments for this command.

18.6.8.3 Example
The following command validates the MDC configuration.
validateMDCConfig()

18.6.9 exportAccessStore
Online command to create a ZIP file of the Master Data Center UDM metadata.

18.6.9.1 Description
This command will create a ZIP file of the Master Data Center UDM metadata.

18.6.9.2 Syntax
exportAccessStore(toFile=" 'https://dc1-admin.example.com:7002/
oam/services/rest/_replication/hello

2.

Enable Replication for the Clone Data Center(s) using the following procedure.
a.

Set the oracle.oam.EnableMDCReplication VM property to true in the
setDomainEnv.sh/cmd file on the Clone Data Center machine.
-Doracle.oam.EnableMDCReplication=true

Figure 19–2 EnableMDCReplication Java Property

19-4 Administrator's Guide for Oracle Access Management

Syncing Master and Clone Metadata

b.

Stop and start the Access Manager AdminServer.

c.

Validate that the REST endpoints are enabled by running the following
command.
curl -u  'https://dc1-admin.example.com:7002/
oam/services/rest/_replication/hello

d.

Repeat this process on all Clone Data Centers.

19.3 Syncing Master and Clone Metadata
The process for syncing metadata across an MDC involves first syncing Access
Manager UDM metadata and then creating a replication agreement (as discussed in
Understanding the Replication Agreement). The procedures are documented in the
following sections.
■

Syncing the UDM Metadata

■

Creating the Replication Agreement

■

Modifying the Replication Agreement

19.3.1 Syncing the UDM Metadata
It is required to sync Access Manager UDM metadata stored in the Master to all
Clones and this step must be executed before creating the replication agreement.
1.

Execute the exportAccessStore WLST command on the Master Data Center to
create a ZIP file containing the UDM metadata.
exportAccessStore(toFile="/master/location/dc1metadata.zip",
namePath="/")

2.

Copy dc1metadata.zip to the Clone DC location.

3.

Execute the importAccessStore WLST command on the Clone Data Center to
import the UDM metadata.
importAccessStore(fromFile="/clone/location/dc1metadata.zip",
namePath="/")

4.

Repeat on all Clone DCs.

19.3.2 Creating the Replication Agreement
This is a one time operation which will enable the Clone DCs to pull changes from the
master DC. The replication agreement can be created using any REST client. In this
procedure, we use the standard curl utility. This command will:
■

■

Insert an entry in the Master's Replication Agreement store containing details
regarding the Clone that wants to pull changes.
Insert an entry in the Clone's Replication Agreement store containing details
regarding the Master from which it will pull changes. Replication configuration
values like the poll interval will also be set.

1.

Ensure the Master and Clone DC REST endpoints are up and running.

2.

Execute the following command on the Master DC.

Synchronizing Data In A Multi-Data Center 19-5

Syncing Master and Clone Metadata

This command will use the repluser specified for replication queries from the
Master to the Clone. repluser is expected to be available in the default identity
stores for all involved DCs.
curl -u  -H 'Content-Type: application/json' -X POST
'https://supplier.example.com:7002/oam/services/rest/
_replication/setup' -d '{"name":"DC12DC2",
"source":"DC1","target":"DC2","documentType":"ENTITY"}'

The following is an example of output for the command.
{"enabled":"true","identifier":"201409231329353668","ok":"true",
"pollInterval":"900","startingSequenceNumber":"110","state"
:"READY"}

Be sure to note the values of the replication identifier, pollInterval and
startingSequence Number. The identifier is a reference specific to this Replication
Agreement and is used for replication related queries. The pollInterval is a value
(in seconds) after which the Clone will poll for changes against the Master.
(Typically policy and configuration are not changed often so this number can be as
high as the default value of 900 seconds.) The startingSequenceNumber is the
value before which all records will be unavailable. In the example, all records
before the value of 110 are unavailable. It is implicit that bootstrapping happened
before creating the Replication Agreement thus the Clone can start pulling
changes from sequence number 110. The Clone also has an entry created in its local
replication table which keeps track of the last sequence number. The starting
sequence process is illustrated in Figure 19–3.
Figure 19–3 Starting Sequence Illustrated

The create replication agreement command will return details of an already
existing replication agreement if applicable. In this case, the value of ok will be
false.
{"enabled":"true","identifier":"201409231329353668","ok":"false",
"pollInterval":"900","startingSequenceNumber":"110",
"state":"READY"}

19-6 Administrator's Guide for Oracle Access Management

Syncing Master and Clone Metadata

If a specific user needs to be used for replication, the user’s
credentials can be provided in the command in the format "BASIC
base64(user:password)".

Note:

For example, "BASIC base64(weblogic:welcome1)" is specified as
"BASIC d2VibG9naWM6d2VsY29tZTE=" in the following command.
curl -u  -H 'Content-Type: application/json' -X POST
'https://supplier.example.com:7002/oam/services/rest/
_replication/setup' -d
'{"source":"DC1","target":"DC2","documentType":"ENTITY","config":
{"entry":{"key":"authorization","value":"BASIC
d2VibG9naWM6d2VsY29tZTE="}}}''

Basic Authorization is supported for replication REST API.
3.

Restart the Master and Clone AdminServers.
Once the replication agreement is created and the AdminServers restarted, the
Clone will start polling for changes. The default poll interval is ‘900’ seconds or 15
minutes. The poll interval can be changed by executing an edit replication
agreement command. For example, the following command will change the
polling interval to 60 seconds. Restart the Clone AdminServer after running the
command.
curl -u  -H 'Content-Type: application/json' -X PUT
'https://supplier.example.com:7002/oam/services/rest/
_replication/201409231
329353668' -d '{"pollInterval":"60","replicaType":"CONSUMER"}''

To query the details of a Clone’s replication agreement (including the polling interval),
use the following command.
curl -u 
'https://supplier.example.com:7002/oam/services/rest/_replication/201409231
329353668?type=consumer'

The output would be similar to the following.
{"enabled":"true","identifier":"201409231329353668","ok":"true",
"pollInterval":"60","startingSequenceNumber":"110","state":"READY"}

To query the details of a Master’s replication agreement (including the polling
interval), use the following command.
curl -u 
'https://supplier.example.com:7001/oam/services/rest/_replication/201409231
329353668'

The output would be similar to the following. (The poll Interval of the Master’s
replication agreement does not affect the actual replication.)
{"enabled":"true","identifier":"201409231329353668","ok":"true",
"pollInterval":"3600","startingSequenceNumber":"110","state":"ACTIVE"}

In R2PS3, the following command can also be used on the Master or the Clone to get
details of any replication agreements. In cases where the replication agreement
identifier is unknown, this command can be used to list all the replication agreement
identifiers for input in the previous commands.

Synchronizing Data In A Multi-Data Center 19-7

Syncing Master and Clone Metadata

curl -k -u weblogic
'https://oamadmin.example.com:7002/oam/services/rest/_replication/agreements'
Sample output 1:
{"featureEnabled":"true","identifiers":"201411211137273612","ok":"true"}
Sample output 2:
{"featureEnabled":"true","identifiers":["201411211137273612","201411211137273900"]
,"ok":"true"}

To remove a replication agreement, first disable it on the Clone side, then disable it on
the Master side and then delete it on both sides. The following commands illustrate
this process.
curl -u  -H 'Content-Type: application/json' -X PUT
'https://supplier.example.com:7002/oam/services/rest/_replication/201409231
329353668' -d '{"enabled":"false","replicaType":"CONSUMER"}''
curl -u  -H 'Content-Type: application/json' -X PUT
'https://supplier.example.com:7002/oam/services/rest/_replication/201409231
329353668' -d '{"enabled":"false","replicaType":"SUPPLIER"}''
curl -u weblogic:welcome1 -H 'Content-Type: application/json' -X DELETE
'https://supplier.example.com:7001/oam/services/rest/_replication/201409231
329353668'

19.3.3 Modifying the Replication Agreement
Using the Replication Agreement identifier, changes can be made to the Replication
Agreement configuration. In this example, the value of pollInterval will be changed to
60 seconds.
Service responds back with JSON object that is the status of replication agreement
before making the change. You need to fetch replication agreement status again to see
updated configuration.
1.

Execute the following command to get the current status of the Replication
Agreement.
curl -u weblogic:****** -H ’Content-Type: application/json’
’http://oam1-nyc.example.com:7001/oam/services/rest/
_replication/201409040157218184’

The JSON response would be:
{“enabled”:”true”,”identifier”:”201409040157218184?,”ok”:”true”,
”pollInterval”:”3600?,”startingSequenceNumber”:”101?,”state”:”ACTIVE”}
2.

Execute the following command to modify the value of pollInterval.
curl -u weblogic:****** -H ’Content-Type: application/json’
-X PUT ’http://oam1-nyc.example.com:7001/oam/services/rest/
_replication/201409040157218184’
-d ’{“pollInterval”:”60?,”replicaType”:”consumer”}’

The JSON response would be:
{“enabled”:”true”,”identifier”:”201409040157218184?,”ok”:”true”,”pollInterval”:
”3600?,”startingSequenceNumber”:”101?,”state”:”ACTIVE”}
3.

Restart the AdminServer on both Master and Clone machines.

19-8 Administrator's Guide for Oracle Access Management

Using and Customizing Transformation Rules

4.

Execute the following command to get the current status of the Replication
Agreement.
This will validate that the change has been made. Note the value of pollInterval in
the JSON Response is different from the value returned in the first step of this
procedure.
curl -u weblogic:****** -H ’Content-Type: application/json’
’http://oam1-nyc.example.com:7001/oam/services/rest/
_replication/201409040157218184’

The JSON response would be:
{“enabled”:”true”,”identifier”:”201409040157218184?,”ok”:”true”,
”pollInterval”:”60?,”startingSequenceNumber”:”101?,”state”:”ACTIVE”}

19.4 Using and Customizing Transformation Rules
Transformation rules are used by APS. The transformation rules illustrated in
Example 19–1 are the default rules provided by Access Manager. A Clone can be
configured to override these OOTB rules. This section documents how some of these
rules can be modified and how to configure Access Manager to recognize these custom
rules.
Example 19–1

Default Transformation Rules






${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile/OAMS
erverProfile/OAMSERVER/serverhost}


${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile/OAMS
erverProfile/OAMSERVER/serverprotocol}
${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile/OAMS
erverProfile/OAMSERVER/serverhost}
${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile/OAMS
erverProfile/OAMSERVER/serverport}


${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile/OAMS
erverProfile/OAMSERVER/serverprotocol}
${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile/OAMS
erverProfile/OAMSERVER/serverhost}
${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile/OAMS

Synchronizing Data In A Multi-Data Center 19-9

Using and Customizing Transformation Rules

erverProfile/OAMSERVER/serverport}

















These transformation rules make changes to WebGate agent definitions. The following
information details how you can modify these changes for the PrimaryServerList and
logoutRedirectUrl attributes.
■

PrimaryServerList updates the primary server list for all WebGate agents and
replaces them with the Access Manager server host from the Clone environment.
This change can be viewed in the oam-config.xml file; it replaces the value of the
PrimaryServerList attribute with the value equal to
${DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAM
SERVER/serverhost}; for example, oam1-lon.example.com. The limitation of this
rule is that it updates all servers in the primary list. You can use the transformation
rule in Example 19–2 to update servers in PrimaryServerList with the different
Clone servers.

Example 19–2

Modified PrimaryServerList Transformation Rule



${”/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/
Instance/oam_server1/host”}



${”/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/
Instance/oam_server2/host”}




A load balancer is recommended between the WebGate and Access Manager
server. In this case, you do not have to update the PrimaryServerList across data
19-10 Administrator's Guide for Oracle Access Management

Modifying a Rule Document

centers and can remove this transformation rule from the XML. However, you do
need to update the PrimaryServerList parameter for IAMSuiteAgent and
accessgate-oic unless you have configured these agents to communicate with the
load balancer as well. Example 19–3 illustrates how to change the transformation
rule to update the PrimaryServerList only for IAMSuiteAgent and accessgate-oic
agents and not WebGate agents.
Example 19–3

Modified Transformation Rule for Different Agents



${”/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/
Profile/OAMServerProfile/OAMSERVER/serverhost”}



${”/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/
Profile/OAMServerProfile/OAMSERVER/serverhost”}



■

The logoutRedirectUrl attribute updates the logout URL protocol, host and port
for all WebGate agents with respective values from the Clone. If a load balancer is
used globally to define the logout URL for all WebGate agents in the Master
environment, you don’t need to replace the logout URL in the Clone environment
and can remove the transformation rule. If you are using a DCC authentication
scheme and a global load balancer host name to define the DCC login and logout
URL, then again you don’t need to replace the login and logout URL in the Clone
environment and can remove the transformation rule.

To configure Access Manager to use custom transformation rules, update the
setDomainEnv.xml file on the Clone machine. Each Clone can use different
transformation rules. Be sure to restart the Clone’s AdminServer after changing a
transformation rule. Figure 19–4 illustrates how to apply these custom rules.
Figure 19–4 Applying Custom Transformation Rules

19.5 Modifying a Rule Document
A rule document is created for the purpose of replicating. The allowed transformation
rules are represented by the XML document in Example 19–4.
Example 19–4

Replication Rules XML File




Synchronizing Data In A Multi-Data Center 19-11

Modifying a Rule Document





${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile
/OAMServerProfile/OAMSERVER/serverhost}



${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile
/OAMServerProfile/OAMSERVER/serverprotocol}

${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile
/OAMServerProfile/OAMSERVER/serverhost}

${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile
/OAMServerProfile/OAMSERVER/serverport}



${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile
/OAMServerProfile/OAMSERVER/serverprotocol}

${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile
/OAMServerProfile/OAMSERVER/serverhost}

${/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile
/OAMServerProfile/OAMSERVER/serverport}

















The rule document will mention the XPath of system configuration artifacts to be
replicated for a clone. If there is any transformation to be done during replication for
the entry in XPath, it can be provided as replacement rule for that clone. To add a new
19-12 Administrator's Guide for Oracle Access Management

Using REST API for Replication Agreements

XPath for replication to a clone, create a new transformation XML file, using the above
XML document as a template. Add and remove XPaths as required. For example,
adding the following XPath as the child of an  node and
saving the file to the clone’s file system will modify Available Services.


Set the following VM property in the Clone’s adminserver (setDomainEnv.sh) to use
the newly created transformation rule document for replication instead of the OOTB
one.
-Doracle.oam.MDCRuleFile=/path/to/rule/mdcrule.xml

For developer recommendations when using replication, see Section 19.8, "Best
Practices for Replication."

19.6 Using REST API for Replication Agreements
The following sections contain details on how to use the REST API provided by Access
Manager.
■

Querying for Replication Agreement Details

■

Modifying an Existing Replication Agreement

■

Deleting a Replication Agreement

19.6.1 Querying for Replication Agreement Details
A REST request can be executed at the Master's endpoint to query the details of the
Replication Agreement between a Master and a Clone.
GET http://oam1.example.com/oam/services/rest/
_replication/201312040602298762 HTTP/1.1
Content-Type: application/json

To query details of a Clone, use the following:
GET http://oam1.example.com/oam/services/rest/
_replication/201312040602298762?type=CONSUMER HTTP/1.1 HTTP/1.1
Content-Type: application/json

19.6.2 Modifying an Existing Replication Agreement
Replication Agreement properties (enabled status, poll interval and the like) can be
updated by executing a REST request at the Master's endpoint. Either the Master or
Clone Replication Agreement will be updated as specified by the value of the
replicaType parameter. The clone will poll for changes, apply them and wait the
duration specified as the pollInterval.
PUT http://supplier.example.com/oam/services/rest/
_replication/201312040602298762 HTTP/1.1
Content-Type: application/json
{"enabled":"false","pollInterval":"60","replicaType":"CONSUMER"}

This example will disable the Clone Replication Agreement and change the poll
interval to '60' seconds. If a value for replicaType is not defined (or it is defined as
SUPPLIER), the Master's Replication Agreement will be updated.
Synchronizing Data In A Multi-Data Center 19-13

Replicating Domains in Identity Manager Deployments

To edit the poll interval using cURL, use the following command. Note that the
replicaType value for updating the clone in this case is SUPPLIER or CONSUMER.
curl -u  -H 'Content-Type: application/json' -X PUT
'https://supplier.example.com/oam/services/rest/_replication/201409231329353668'
-d '{"pollInterval":"60","replicaType":"CONSUMER"}'

Table 19–2 lists properties that can be modified using cURL and REST.
Table 19–2

Modifying Replication Agreement Properties

Property

Modification Command

BatchSize

Number of change records (journals) returned by the master as a result of a
getChanges query by clone. Ideally the default batch size of 32 is sufficient as all
changes are pulled in multiple batches as part of fetching. However if the setup
needs a large batch size, execute the following command:
curl -u  -H 'Content-Type: application/json' -X PUT
'https://master.example.com/oam/services/rest/_
replication/'
-d '{"batchSize":"100","replicaType":"SUPPLIER"}'

User Context In rare instances, the user context for replication poll may need to be modified.
curl -u  -H 'Content-Type: application/json' -X PUT
'https://supplier.example.com:7002/oam/services/rest/_
replication/201409231329353668'
-d '{"replicaType":"CONSUMER",
"config":{"entry":{"key":"authorization","value":"
BASIC cG9sbHVzZXI6c2VjcmV0"}}}'
'cG9sbHVzZXI6c2VjcmV0' is a base 64 encoded value for polluser credentials.
Any user credentials can be used here instead of the repluser which is used to
execute the command.

19.6.3 Deleting a Replication Agreement
A Replication Agreement can be deleted by executing the following REST API at the
master DC's endpoint. Replication Agreements that are currently active and in use
cannot be deleted until the Master and Clone have been disabled.
DELETE http://oam1.example.com/oam/services/rest/_replication/
201312040602298762 HTTP/1.1

19.7 Replicating Domains in Identity Manager Deployments
If you have a deployment where Access Manager 11.1.2.1.0 and Oracle Identity
Manager (11.1.2.1.0) are integrated in the same domain T2P cannot be used for domain
replication because Identity Manager does not support it. In this case, Access Manager
and Identity Manager should be installed in different domains using the following
procedure.
1.

Install Access Manager.

2.

Run configureSecurityStore (-create).

3.

Start Access Manager.
Remember to enable TRACE logging with instrumented EAR.

4.

Install Identity Manager.

19-14 Administrator's Guide for Oracle Access Management

Best Practices for Replication

5.

Run configureSecurityStore (-join).

6.

Update the default passwords for the Access Manager and Identity Manager
domains in $DOMAIN_HOME/config/fmwconfig/default-keystore.jks password
using the keytool command.

7.

Set the same password values in the CSF using the EM console.
a.

Navigate to the domain_name of the appropriate Weblogic domain.

b.

Right click the domain_name and navigate to Security --> Credentials.

c.

Expand the oracle.wsm.security Credential map and edit the value of
keystore-csf-key.

d.

Update password and confirm password fields with the password.
This password should be same as the new password for
default-keystore.jks in both Access Manager and Identity Manager
domains

8.

Map oracle.wsm.security with the Key keystore-csf-key.

9.

Start Identity Manager.

10. Restart Access Manager and Identity Manager.

19.8 Best Practices for Replication
The following points and the information in the sections should be taken into account
when setting up data replication.
■

■

■

It is recommended that as many Policy Domain artifacts are created as possible
before cloning. This will help the replication manager work efficiently during
incremental updates.
The OAM server instance list will be used as the Well Known Addresses (WKA) to
create a Coherence cluster so do not add other data center servers to the server
instance list.
To allow for a WebGate profile to point to a remote data center in the secondary
server list, use the Other option to provide OAP with the host and port details of
the remote data center.

■

Enabling Replication Logs

■

Changing the User Identifier

19.8.1 Enabling Replication Logs
To get detailed logs on replication agreement and replication poll related issues, enable
the logger ‘oracle.oam.replication’ by executing the WLST command
setLogLevel(logger="oracle.oam.replication", level="TRACE:32", persist="0",
target="AdminServer")

This will enable logger only till next shutdown of AdminServer. To keep the logger
state across restart, set the persist attribute to “1”

19.8.2 Changing the User Identifier
While creating replication agreement if you have not specified any authorization
header of the user to be used for replication if the user’s password got changed at later

Synchronizing Data In A Multi-Data Center 19-15

Best Practices for Replication

point, you can edit the replication agreement with the latest user identity and
password using the following command.
curl -u  -H 'Content-Type: application/json' -X PUT
'https://supplier.example.com:7002/oam/services/rest/_replication/201409231
329353668' -d '{"replicaType":"CONSUMER","config":{"entry":
{"key":"authorization","value":"BASIC d2VibG9naWM6d2VsY29tZTE="}}}'

19-16 Administrator's Guide for Oracle Access Management

20
Setting Up the Multi-Data Center: A Sequence
02

[18The
]
sequence of steps in this chapter will help you to setup a Multi-Data Center with
four nodes using Oracle Access Manager 11.1.1.2. The configuration spans two Data
Centers with two nodes per Data Center. The nodes are configured in Active/Active
Mode.

This chapter contains the following section.
■

Before You Begin

■

Setting Up a Multi-Data Center

■

Enabling Automated Policy Synchronization

■

Troubleshooting the Multi-Data Center Setup

20.1 Before You Begin
Read the following chapters before beginning the steps documented in this sequence
for an understanding of Multi-Data Center and its features.
■

Chapter 17, "Understanding Multi-Data Centers"

■

Chapter 18, "Configuring Multi-Data Centers"

■

Chapter 19, "Synchronizing Data In A Multi-Data Center"

Confirm the following before you begin the Multi-Data Center set-up sequence.
■

Check that your operating system is up-to-date with all necessary patches applied.

■

Mount the binaries you will be using. The applicable Oracle software includes:
–

Oracle Fusion Middleware Identity and Access Management 11g (11.1.2.3.0)

–

Oracle WebLogic Server 10g (10.3.6)

–

Oracle Database 11g (11.2.0.4)

–

Oracle Fusion Middleware Repository Creation Utility 11g (11.1.2.3.0)

■

Add /etc/hosts entries on all four nodes being configured.

■

Verify that the Oracle Database is connected and accessible.

■

Verify that each machine has more than 30 GB space available and more than 8GB
of memory available.

Setting Up the Multi-Data Center: A Sequence

20-1

Setting Up a Multi-Data Center

20.2 Setting Up a Multi-Data Center
Be sure to follow this sequence as documented for a successful set-up of a Multi-Data
Center with data replication using T2P. The configuration spans two Data Centers with
two nodes per Data Center. The nodes are configured in Active/Active Mode.
1.

Install the Java Development Kit (JDK) 1.7.0.60 on all four of the Nodes and set the
appropriate environment variables.

2.

Run the Repository Creation Utility (RCU) 11.1.2.3.0 on Data Center 1 and Data
Center 2.
This will create and load the appropriate database schemas for Oracle Identity and
Access Management products.

3.

Install WebLogic Server 10g (10.3.6) on Data Center 1, Node 1.
This process creates the Middleware Home ().

4.

Install the Oracle Identity and Access Management 11g (11.1.2.3.0) software on
Data Center 1, Node 1.
Oracle Identity and Access Management contains the Oracle Access Management
suite which includes Oracle Access Manager. The default name of this Oracle
product home directory after installation is Oracle_IDM1.

5.

Run the Oracle Fusion Middleware Configuration Wizard script to configure
Oracle Access Management on Data Center 1, Node 1.
The Wizard script is Oracle_IDM1/common/bin/config.sh script (on Linux or
UNIX), or Oracle_IDM1\common\bin\config.cmd (on Windows). Minimally, you
will be configuring:

6.

7.

■

a new WebLogic domain

■

an Oracle Access Management Administration Server

■

an Oracle Access Management Managed Server

■

Oracle Access Manager

Run the configureSecurityStore.py script on Data Center 1, Node 1 to configure
the Database Security Store.
a.

/oracle_common/common/bin/wlst.sh

b.

/Oracle_IDM1/common/tools/configureSecurityStore.py
-c IAM -d /user_projects/domains/OAMDomain
-p Oracle123 -m create -v

Modify the following WebLogic scripts on Data Center 1, Node 1.
a.

Open startWeblogic.sh and startManagedWeblogic.sh using vi and enter
the appropriate value for WLS_USER.
Enter the password when asked; do not hard code it here.

b.

Save startWeblogic.sh and startManagedWeblogic.sh.

c.

Open setDomainEnv.sh using vi and add the following line:
USER_MEM ARGS=“-Xms1024m -Xmx1024m -XX:MaxPermSize=512m"

d.
8.

Save setDomainEnv.sh.

Create and run a cConfig.sh script in the MDC folder on Data Center 1, Node 1.

20-2 Administrator's Guide for Oracle Access Management

Setting Up a Multi-Data Center

The cConfig.sh script concatenates the necessary environment variables and
copyConfig.sh into one script. You will need to create the MDC folder to serve as
the T2P_HOME.
a.

Add the following contents and save as cConfig.sh.
export
export
export
export

b.

JAVA_HOME=/u01/app/jdk1.7.0_60;
MW_HOME=/u01/app/Middleware;
T2P_HOME=/u01/bits/MDC;
WL_DOMAIN_HOME=$MW_HOME/user_projects/domains/OAMDomain;

Source cConfig.sh.
$<>. cConfig.sh

9.

Execute copyBinary.sh on Data Center 1, Node 1.
copyBinary.sh and pasteBinary.sh will be used to avoid a time-consuming
installation process on the remaining nodes. When running copyBinary.sh, the
Administration and Managed Servers can be running or stopped.
a.

Change to the bin directory.
cd $MW_HOME/oracle_common/bin/;

b.

Run the script.
./copyBinary.sh -javaHome $JAVA_HOME
-archiveLoc $T2P_HOME/oamt2pbin.jar -sourceMWHomeLoc $MW_HOME
-idw true -ipl $MW_HOME/oracle_common/oraInst.loc -silent true
-ldl $T2P_HOME/oam_cln_log

10. Copy the following files to the MDC folder on Data Center 1, Node 1.
■

$T2P_HOME/cConfig.sh (already in the MDC folder)

■

$T2P_HOME/oamt2pbin.jar (already in the MDC folder)

■

$MW_HOME/oracle_common/bin/pasteBinary.sh

■

$MW_HOME/oracle_common/jlib/cloningclient.jar

■

$MW_HOME/oracle_common/oraInst.loc

11. Copy the MDC folder (populated with the five files) to Data Center 1, Node 2, and

Data Center 2, Nodes 1 and 2.
12. Execute pasteBinary.sh on Data Center 1, Node 2.
a.

Source cConfig.sh.
$<>. cConfig.sh

b.

Run pasteBinary.sh on Data Center 1, Node 2.
$T2P_HOME/pasteBinary.sh -javaHome $JAVA_HOME
-al $T2P_HOME/oamt2pbin.jar -tmw $MW_HOME -silent true
-idw true -esp false -ipl $T2P_HOME/oraInst.loc
-ldl $T2P_HOME/oam_cln_log -silent true

13. Create a Managed Server JAR on Data Center 1, Node 1 and copy it to Data Center

1, Node 2.
pack.sh is used to create the JAR and is located in the /oracle_
common/common/bin directory. The pack and unpack (used in the next step)
scripts must be executed in the same Data Center only whereas copyConfig and
Setting Up the Multi-Data Center: A Sequence

20-3

Setting Up a Multi-Data Center

pasteConfig (used later in the procedure) must be executed to the Master node of
the other Data Center and then run Pack/UnPack within those data centers.
a.

Run pack.sh.
./pack.sh -domain=$MW_HOME/user_projects/domains/OAMDomain
-template=OAMManagedServer.jar -template_name=“OAM Domain” -managed=true

b.

Copy OAMManagedServer.jar to the MW_HOME/oracle_
common/common/bin directory on Data Center 1, Node 2.

14. Unpack the Managed Server JAR on Data Center 1, Node 2 using unpack.sh.

The JAR is used as a template to create the OAMDomain Domain Structure on
Data Center 1, Node 2.
a.

mkdir -p $MW_HOME/user_projects/domains/OAMDomain

b.

cd /oracle_common/common/bin

c.

./unpack.sh -domain=$MW_HOME/user_projects/domains/OAMDomain
-template=OAMManagedServer.jar

15. Modify the following WebLogic scripts on Data Center 1, Node 2.
a.

Open startManagedWeblogic.sh using vi and enter the appropriate values for
WLS_USER and WLS_PW.

b.

Save startWeblogic.sh and startManagedWeblogic.sh.

c.

Open setDomainEnv.sh using vi and add the following line:
USER_MEM ARGS=“-Xms1024m -Xmx1024m -XX:MaxPermSize=512m"

d.

Save setDomainEnv.sh.

At this point in the sequence, the Data Center 1 cluster and its two nodes are
configured and ready for Multi-Data Center configurations. Start the
Administration Server and the oam_server1 and oam_server2 Managed Servers.
Disable the SSL port number 14101.
16. Enable Multi-Data Center mode on Data Center 1, Node 1.
a.

cd $T2P_HOME/MDC

b.

Create OAMMDC.properties on Data Center 1, Node 1 using vi.
Add the following lines to OAMMDC.properties and save.
SessionMustBeAnchoredToDataCenterServicingUser=false
SessionDataRetrievalOnDemand=true
Reauthenticate=false
SessionDataRetrievalOnDemandMax_retry_attempts=3
SessionDataRetrievalOnDemandMax_conn_wait_time=80
SessionContinuationOnSyncFailure=true
MDCGitoCookieDomain=.customerpoc.com

c.

Change to the ../Oracle_IDM1/common/bin directory and run WLST.

d.

./wlst.sh

e.

connect()

f.

domainRuntime()

g.

enableMultiDataCentreMode(propfile=“../OAMMDC.properties”)

h.

setMultiDataCentreClusterName(clusterName="”)

20-4 Administrator's Guide for Oracle Access Management

Setting Up a Multi-Data Center

i.

setMultiDataCenterWrite(WriteEnabledFlag="true")

j.

validateMDCConfig()

k.

exit()

17. Create oamt2pconfig.jar on Data Center 1, Node 1 and copy it to Data Center 2,

Node 1.
copyConfig.sh is located in $MW_HOME/oracle_common/bin/ and must be
executed on the Master node. To run copyConfig.sh, the Administration and
Managed Servers should be up and running.
a.

Source cConfig.sh.
$<>. cConfig.sh

b.

Create $T2P_HOME/t2p_domain_pass.txt using vi.
Add a password value for use with copyConfig.sh; for example, Oracle123
(without quotes).

c.

./copyConfig.sh -javaHome $JAVA_HOME
-archiveLoc $T2P_HOME/oamt2pConfig.jar
-sourceDomainLoc $WL_DOMAIN_HOME
-sourceMWHomeLoc $MW_HOME
-domainHostName oam1-dc1.customerpoc.com
-domainPortNum 7001 -domainAdminUserName weblogic
-domainAdminPassword $T2P_HOME/t2p_domain_pass.txt
-silent true -ldl $T2P_HOME/oam_cln_log_config
-opssDataExport true -debug true

d.

Copy oamt2pconfig.jar to the Data Center 2, Node 1.

18. Execute pasteBinary.sh on Data Center 2, Node 1.
a.

Source cConfig.sh.
$<>. cConfig.sh

b.

Run:
$T2P_HOME/pasteBinary.sh -javaHome $JAVA_HOME
-al $T2__HOME/oamt2pbin.jar -tmw $MW_HOME -silent true
-idw true -esp false -ipl $T2P_HOME/oraInst.loc
-ldl $T2P_HOME/oam_cln_log -silent true

19. Execute pasteBinary.sh on Data Center 2, Node 2.
a.

Source cConfig.sh.
$<>. cConfig.sh

b.

Run:
$T2P_HOME/pasteBinary.sh -javaHome $JAVA_HOME
-al $T2__HOME/oamt2pbin.jar -tmw $MW_HOME -silent true
-idw true -esp false -ipl $T2P_HOME/oraInst.loc
-ldl $T2P_HOME/oam_cln_log -silent true

20. Execute extractmovePlan.sh on Data Center 2, Node 1.
a.

mkdir $T2P_HOME/moveplan

b.

cd $MW_HOME/oracle_common/bin/

Setting Up the Multi-Data Center: A Sequence

20-5

Setting Up a Multi-Data Center

c.

Source cConfig.sh.
$<>. cConfig.sh

d.

./extractMovePlan.sh -javaHome $JAVA_HOME -al $T2P_
HOME/oamt2pConfig.jar -planDirLoc $T2P_HOME/moveplan/

e.

Backup the moveplan and then make the following modifications using vi.
Search and Replace the hostnames
:1,$s/oam1-dc1/oam1-dc2/g
:1,$s/oam2-dc1/oam2-dc2/g
Search and replace datasource names
:1,$s/DC1/DC2/g
Search for the two instances of "Password File” and add the previously
created t2p_domain_pass.txt Password File location as a .
/u01/bits/final/MDC/t2p_domain_pass.txt

f.

Create $T2P_HOME/t2p_pass.txt with a password value you want.
This file is used to create new components on the target environment with the
associated password. The moveplan has a reference to it so that when the
components are created the password will be assigned.

21. Run the psa.sh PSA script to update the Oracle Platform Security Services (OPSS)

schema on Data Center 2, Node 1.
The script is in the Oracle_IDM1/bin/ directory. Use the following procedure to
verify that the PSA has updated the OPSS version from 11.1.1.7.0 to 11.1.1.7.2.
a.

Connect to the system as sysdba.
You can use SQL Plus or SQL Developer.

b.

Enter the following SQL statement.
select * from DC2_OPSS.JPS_ATTRS where JPS_
ATTRS.ATTRNAME='orclProductVersion';

22. Execute pasteConfig.sh on Data Center 2, Node 1.

The same JDK used on the source must be used on the target.
$MW_HOME/oracle_common/bin/pasteConfig.sh
-javaHome $JAVA_HOME -archiveLoc $T2P_HOME/oamt2pConfig.jar
-targetMWHomeLoc $MW_HOME -targetDomainLoc $WL_DOMAIN_HOME
-movePlanLoc $T2P_HOME/moveplan/moveplan.xml -domainAdminPassword
$T2P_HOME/t2p_domain_pass.txt -ldl $T2P_HOME/oam_cln_log
-silent true
Comment out all keystore <> tags in the moveplan if there is
an issue.

Note:

23. Modify the following WebLogic scripts on Data Center 2, Node 1.
a.

Open startWeblogic.sh and startManagedWeblogic.sh using vi and enter
the appropriate values for WLS_USER and WLS_PW.

20-6 Administrator's Guide for Oracle Access Management

Setting Up a Multi-Data Center

b.

Save startWeblogic.sh and startManagedWeblogic.sh.

c.

Open setDomainEnv.sh using vi and add the following line:
USER_MEM ARGS=“-Xms1024m -Xmx1024m -XX:MaxPermSize=512m"

d.

Save setDomainEnv.sh.

24. Create a Managed Server JAR on Data Center 2, Node 1 and copy it to Data Center

2, Node 2.
pack.sh is used to create the JAR and is located in the /oracle_
common/common/bin directory. The pack and unpack (used in the next step) scripts
must be executed in the same Data Center only.
a.

Run pack.sh.
./pack.sh -domain=$MW_HOME/user_projects/domains/OAMDomain
-template=OAMManagedServer.jar -template_name=“OAM Domain” -managed=true

b.

Copy OAMManagedServer.jar to the /oracle_common/common/bin
directory on Data Center 2, Node 2.

25. Unpack the Managed Server JAR on Data Center 2, Node 2 using unpack.sh.

The JAR will be used as a template to create the OAMDomain Domain Structure
on Data Center 2, Node 2.
a.

mkdir -p $MW_HOME/user_projects/domains/OAMDomain

b.

cd /oracle_common/common/bin

c.

./unpack.sh -domain=$MW_HOME/user_projects/domains/OAMDomain
-template=OAMManagedServer.jar

26. Modify the following WebLogic scripts on Data Center 2, Node 2.
a.

Open startManagedWeblogic.sh using vi and enter the appropriate values for
WLS_USER and WLS_PW.

b.

Save startWeblogic.sh and startManagedWeblogic.sh.

c.

Open setDomainEnv.sh using vi and add the following line:
USER_MEM ARGS=“-Xms1024m -Xmx1024m -XX:MaxPermSize=512m"

d.

Save setDomainEnv.sh.

At this point in the sequence, the Data Center 2 cluster and its two nodes are
configured and ready for Multi-Data Center configurations. Start the
Administration Server and the oam_server1 and oam_server2 Managed Servers.
Disable the SSL port number 14101.
27. Enable Multi-Data Center mode on Data Center 2, Node 1.
a.

Restart the Administration Server on Data Center 2, Node 1.

b.

Change to the ../Oracle_IDM1/common/bin directory and run WLST.

c.

./wlst.sh

d.

connect()

e.

domainRuntime()

f.

enableMultiDataCentreMode(propfile=“//OAMMDC.properties”)

g.

setMultiDataCentreClusterName(clusterName="”)

Setting Up the Multi-Data Center: A Sequence

20-7

Setting Up a Multi-Data Center

h.

setMultiDataCenterWrite(WriteEnabledFlag="true")

i.

exit()

28. Create two WebGate agents using the Oracle Access Management Console on Data

Center 1, Node 1 only.
■

Name the agents MDC-DC1 and MDC-DC2

■

Check AccessClientPassword and AllowManagementOperations

■

Be sure the Primary Server List has Access Server listed as “Other” - ideally it
will have global load balancer/LTM entries rather than the local hosts entries.

29. Create the MDCPartner-DC1 and MDCPartner-DC2 property files using vi

Create these files on both Data Center 1, Node 1 and Data Center 2, Node 1 with
the following data.
vi MDCPartner-DC1.properties
remoteDataCentreClusterId=FINALDC1
oamMdcAgentId=MDC-DC1
PrimaryHostPort=oam1-dc1.poc.com:5575
SecondaryHostPort
AccessClientPasswd
oamMdcSecurityMode=Open
agentVersion=11g
trustStorePath
keyStorePath
globalPassPhrase
keystorePassword
RESTEndpoint=http://oam1-dc1.poc.com:7001
vi MDCPartner-DC2.properties
remoteDataCentreClusterId=FINALDC2
oamMdcAgentId=MDC-DC2
PrimaryHostPort=oam1-dc2.poc.com:5575
SecondaryHostPort
AccessClientPasswd
oamMdcSecurityMode=Open
agentVersion=11g
trustStorePath
keyStorePath
globalPassPhrase
keystorePassword
RESTEndpoint=http://oam1-dc2.poc.com:7001
30. Register the partners on Data Center 1, Node 1 using wlst.sh.
a.

Change to the ../Oracle_IDM1/common/bin directory and run WLST.

b.

./wlst.sh

c.

connect()

d.

domainRuntime()

e.

addPartnerForMultiDataCentre(propfile=“../MDCPartner-DC1.properties”)

f.

addPartnerForMultiDataCentre(propfile=“../MDCPartner-DC2.properties”)

g.

setMultiDataCenterType(DataCenterType=“Master”)

h.

exit()

20-8 Administrator's Guide for Oracle Access Management

Enabling Automated Policy Synchronization

31. Register the partners on Data Center 2, Node 1 using wlst.sh.
a.

Change to the ../Oracle_IDM1/common/bin directory and run WLST.

b.

./wlst.sh

c.

connect()

d.

domainRuntime()

e.

addPartnerForMultiDataCentre(propfile=“../MDCPartner-DC1.properties”)

f.

addPartnerForMultiDataCentre(propfile=“../MDCPartner-DC2.properties”)

g.

setMultiDataCenterType(DataCenterType=“Clone”)

h.

exit()

32. Export the partner and policy information from Data Center 1, Node 1 and then

import it to Data Center 2, Node 1.
a.

Change to the ../Oracle_IDM1/common/bin directory and run WLST to
export from Data Center 1, Node 1.

b.

./wlst.sh

c.

connect()

d.

exportPartners(pathTempOAMPartnerFile=“”)

e.

exportPolicy(pathTempOAMPolicyFile=“”)

f.

exit()

g.

Copy oampolicy.xml and oampartner.xml to Data Center 2, Node 1.

h.

Change to the ../Oracle_IDM1/common/bin directory and run WLST to
import on Data Center 2, Node 1.

i.

./wlst.sh

j.

connect()

k.

importPolicy(pathTempOAMPolicyFile=“”)

l.

importPartners(pathTempOAMPartnerFile=“”)

m. exit()

20.3 Enabling Automated Policy Synchronization
The sequence in this section will enable the Automated Policy Synchronization (APS)
feature for automated data synchronization among the servers. The procedure
includes commands for testing the REST services as well as details on adding custom
transformation rules to the synchronization. See Chapter 19, "Synchronizing Data In A
Multi-Data Center" for details on APS and transformation rules.
1.

Stop all the Administration and Managed Servers.

2.

Add the following line to $WL_DOMAIN_HOME/bin/setDomainEnv.sh on both Data
Center 1, Node 1 and Data Center 2, Node 1 and save the file.
EXTRA_JAVA_PROPERTIES="
-Doracle.oam.EnableMDCReplication=true -DCONFIG_DS=jdbc/oamds …

3.

Start the Administration Servers only.

4.

Test the REST services using the following commands:

Setting Up the Multi-Data Center: A Sequence

20-9

Enabling Automated Policy Synchronization

curl -u weblogic 'http://oam1-dc1.customerpoc.com:7001/oam/services/rest/_
replication/hello'
RESPONSE: {"ok":"true”}
curl -u weblogic 'http://oam1-dc2.poc.com:7001/oam/services/rest/_
replication/hello'
RESPONSE: {"ok":"true”}
curl -u weblogic:Oracle123 -H 'Content-Type: application/json' -X POST
'http://oam1-dc1.poc.com:7001/oam/services/rest/_replication/setup' -d
'{"name”:"DC1toDC2",
"source”:"FINALDC1","target”:"FINALDC2","documentType":"ENTITY”}'
RESPONSE:
{"enabled":"true","identifier":"201409040157218184","ok":"true","pollInterval":"900","
startingSequenceNumber":"101","state":"READY"}
#The random long number will be unique to every replication agreement, so don’t
use that number as is, though use the number which comes as an output from the
3rd curl command below
curl -u weblogic:Oracle123 -H 'Content-Type: application/json’
'http://oam1-dc1.poc.com:7001/oam/services/rest/_
replication/201409040157218184'
RESPONSE:
{"enabled":"true","identifier":"201409040157218184","ok":"true","pollInterval":"3600"
,"startingSequenceNumber":"101","state":"ACTIVE"}
curl -u weblogic:Oracle123 -H 'Content-Type: application/json’
'http://oam1-dc1.poc.com:7001/oam/services/rest/_
replication/201409040157218184?type=consumer'
RESPONSE:
{"enabled":"true","identifier":"201409040157218184","ok":"true","pollInterval":"900","
startingSequenceNumber":"101","state":"READY"}
curl -u weblogic:Oracle123 -H 'Content-Type: application/json' -X PUT
'http://oam1-dc1.poc.com:7001/oam/services/rest/_
replication/201409040157218184' -d '{"pollInterval":"60","replicaType":"consumer"}'
RESPONSE:
{"enabled":"true","identifier":"201409040157218184","ok":"true","pollInterval":"3600"
,"startingSequenceNumber":"101","state":"ACTIVE”}
#Run this command on NODE1DC2 ONLY IF you want to disable Policy Writes to
DC2 (or Clones) and just accept policy writes via the Master Policy Server using
APS Synch: setMultiDataCenterWrite(WriteEnabledFlag="false”)
5.

Create a transformation rules file using vi as $T2P_
HOME/transformationrules.xml.
transformationrules.xml should contain the following content.




${DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMSERVER/

20-10 Administrator's Guide for Oracle Access Management

Troubleshooting the Multi-Data Center Setup

serverhost}




6.

Add the following line to $WL_DOMAIN_HOME/bin/setDomainEnv.sh on Data Center
2, Node 1 only and save the file.
EXTRA_JAVA_PROPERTIES="
-Doracle.oam.MDCRuleFile=/u01/bits/customer/MDC/transformationrules.xml
-Doracle.oam.EnableMDCReplication=true -DCONFIG_DS=jdbc/oamds …

7.

Start the Administration and Managed Servers.

This completes the Multi-Data Center setup with T2P data replication and APS
configuration! You can test the APS function by creating an agent and a policy on data
Center 1 and verifying that it auto migrates to Data Center 2.

20.4 Troubleshooting the Multi-Data Center Setup
Follow this procedure if you have identified inconsistencies or errors in your setup
and want to revert the APS.
1.

Disable replication on the Master (Supplier).
curl -u weblogic:welcome1 -H 'Content-Type: application/json'
-X PUT 'http://supplier.example.com:7001/oam/services/
rest/_replication/201311271226476658'
-d '{"enabled":"false","replicaType":"SUPPLIER"}'

2.

Disable replication on the Clone (Consumer).
curl -u weblogic:welcome1 -H 'Content-Type: application/json'
-X PUT 'http://supplier.example.com:7001/oam/services/
rest/_replication/201311271226476658'
-d '{"enabled":"false","replicaType":"CONSUMER"}'

3.

Delete the replication agreements on the Master and Clone using this command.
curl -u weblogic:welcome1 -H 'Content-Type: application/json'
-X DELETE 'http://supplier.example.com:7001/oam/services/
rest/_replication/201311271226476658'
The AM_REPLICATION_SETTINGS table in the OAM
Schema defines the replication agreements so you can also delete the
agreements by manual deletion using the following SQL statement.

Note:

■

Select * from FINALDC1_OAM.AM_REPLICATION_SETTINGS;

■

Select * from FINALDC2_OAM.AM_REPLICATION_SETTINGS;

Alternately:

4.

■

Delete from FINALDC1_OAM.AM_REPLICATION_SETTINGS;

■

Delete from FINALDC2_OAM.AM_REPLICATION_SETTINGS;

commit;

Setting Up the Multi-Data Center: A Sequence 20-11

Troubleshooting the Multi-Data Center Setup

20-12 Administrator's Guide for Oracle Access Management

Part VI
Part VI

Managing Access Manager SSO, Policies,
and Testing
This part, Part V, provides information to help you understand single-sign on (SSO)
with Access Manager, and help you to configure Access Manager policies and logout.
Testing your single sign-on connection and policies is also described.
Part V contains the following chapters:
■

Chapter 21, "Understanding Single Sign-On with Access Manager"

■

Chapter 22, "Managing Authentication and Shared Policy Components"

■

Chapter 23, "Understanding Credential Collection and Login"

■

Chapter 24, "Using Password Policy"

■

Chapter 25, "Managing Policies to Protect Resources and Enable SSO"

■

Chapter 26, "Validating Connectivity and Policies Using the Access Tester"

■

Chapter 27, "Configuring Centralized Logout for Sessions Involving 11g
WebGates"

21
Understanding Single Sign-On with Access
Manager
21

[19This
]
chapter introduces the elements that comprise Access Manager single sign-on. It
provides an administrator with the foundation to begin developing policies.

This chapter includes the following topics:
■

Introducing Access Manager Single Sign-On

■

Understanding the Access Manager Policy Model

■

Anatomy of an Application Domain and Policies

■

Introduction to Policy Conditions and Rules

■

Understanding SSO Cookies

■

Introduction to Configuration Tasks for Single Sign-On
Unless explicitly stated, information in this chapter is the same
for all agent types and Access Manager credential collectors.

Note:

For details about single log-out, see Chapter 27, "Configuring
Centralized Logout for Sessions Involving 11g WebGates".

21.1 Introducing Access Manager Single Sign-On
Login is the action a user takes to authenticate and gain access to a protected
application. Single sign-on (SSO) is the process that gives users the ability to access
multiple protected resources (Web pages and applications) with a single
authentication. SSO is enabled by Access Manager to eliminate the need for additional
or different logins to access other applications at the same (or lower) authentication
level during the same session.
Access Manager converges several SSO architectures (including Identity Federation for
Partner Networks, and Service Oriented Architecture) and provides SSO through a
common SSO Engine for consistent service across multiple protocols. The Oracle
Identity Management Infrastructure stores user identities in the identity store
referenced in the policy.

Understanding Single Sign-On with Access Manager 21-1

Introducing Access Manager Single Sign-On

Contextual data is the information that is presented to or
collected by Access Manager at various stages of user interaction.
These stages include authentication, authorization, enterprise SSO,
federation, adaptive authentication, token validation, session creation,
and so on. The information itself might comprise a user's device
fingerprints, IP address, antivirus and firewall protection, assertion
and so on. Components that play the role of contextual data providers
and asserters when integrated with Access Manager include
Enterprise Single Sign-on, Identity Federation, Oracle Adaptive
Access Manager.

Note:

Table 21–1 summarizes the components that support or enforce Access Manager
policies, and where to find more information about these, if needed.
Default Access Manager behavior is to deny access when a
resource is not protected by a policy that explicitly allows access. To
delegate authentication tasks to Access Manager, agents must reside
with the relying parties and must be registered with Access Manager.
Registering an agent sets up the required trust mechanism between
the agent and Access Manager SSO.

Note:

Table 21–1

Summary: SSO Components

Component

Description

Applications

Applications can delegate authentication and authorization to Access Manager and accepts
headers from a registered Agent.
Note: External applications do not delegate authentication. Instead, these display HTML
login forms that ask for application user names and passwords. For example, Yahoo! Mail
is an external application that uses HTML login forms.

■
■

OAM Server
Oracle Access Management
Console (installed on
WebLogic AdminServer)

Non-administrative users first gain access by entering the URL of a protected resource,
which returns the SSO login page.
See Also: "Understanding Credential Collection and Login".
Administrative users access the console to author policies by typing the URL:
https://host:port/oamconsole. Although, default policies can be generated automatically
during Agent registration, as described in Chapter 15.
See Also: Chapter 25, "Managing Policies to Protect Resources and Enable SSO".

Policy Enforcement Agents

■

OAM Agents (Webgate or Access Client)

■

Legacy OSSO Agents

■

Legacy OpenSSO Agents

See Also: Chapter 14, "Introduction to Agents and Registration".
Credential Collectors and
Communication Channels

■

■

■

Authentication with the default embedded credential collector (ECC) occurs across
the HTTP (HTTPS) channel
Authentication with the optional detached credential collector (DCC) occurs across
the Oracle Access Protocol (OAP) channel
Authorization occurs across the Oracle Access Protocol (OAP) channel

See Also: Table 22–5, " Comparing the DCC and ECC"
SSO Engine

Manages the session lifecycle, facilitates global logout across all relying parties in the valid
session, and provides consistent service across multiple protocols.
See Also: Chapter 16, "Maintaining Access Manager Sessions" and Chapter 27,
"Configuring Centralized Logout for Sessions Involving 11g WebGates"

21-2 Administrator's Guide for Oracle Access Management

Introducing Access Manager Single Sign-On

Table 21–1 (Cont.) Summary: SSO Components
Component

Description

Proxy support for legacy systems

■

OAM Proxy supports legacy Access Manager implementations by acting as a legacy
Access Server. See:
"Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security"
"Introduction to OAM Proxy Metrics and Tuning" on page 11-10

■

■

OSSO Proxy supports OSSO Agents by acting as the legacy OSSO Server. See:
Chapter 29
Oracle-provided OpenSSO Proxy handles requests for resources protected by
OpenSSO Agents. See: Chapter 28

See Also: About the Embedded Proxy Server and Backward Compatibility
Access Policies

Registered agents rely on Access Manager authentication, authorization, and token
issuance policies to determine who gets access to protected applications (defined
resources).
Note: Default Access Manager behavior is to deny access when a resource is not protected
by a policy that explicitly allows access.
See Also: Chapter 25, "Managing Policies to Protect Resources and Enable SSO"

Policy Store

Database in production environments (otherwise, oam-config.xml).
See Also: Chapter 5

Cryptographic keys and Key
Storage

One key is generated and used per registered mod_osso or 11g Webgate. However, one
single key is generated for all 10g Webgates.
See Also: Table 1–2, " Features in Access Manager 11.1.2".

Cookies

See: "Understanding SSO Cookies" on page 21-14.

Single Sign-on for the Oracle Access Management Console,
and other Oracle Identity Management consoles deployed in a
WebLogic container, is enabled using the pre-registered
IAMSuiteAgent and companion policies. No further configuration is
needed to protect the consoles.

Note:

Single sign-on can be implemented as introduced in Table 21–2, which includes
pointers to additional information.
Table 21–2

Introduction to SSO Implementations

SSO Type

Description

Single Network Domain SSO

You can set up Access Manager single sign-on for resources within a
single network domain (example.com, for example). This includes
protecting resources belonging to multiple WebLogic administration
domains within a single network domain.

Multiple Network Domain SSO

Access Manager 11g supports cross-network-domain single sign-on
out of the box.

Single Network Domain SSO is the subject of this book.

See Also:"About Multiple Network Domain SSO" on page 21-4.
Application SSO

Application single sign-on allows users who have been authenticated
by Access Manager to access applications without being
re-authenticated.
See Also: "About Application SSO and Access Manager" on page 21-4

Understanding Single Sign-On with Access Manager 21-3

Introducing Access Manager Single Sign-On

Table 21–2 (Cont.) Introduction to SSO Implementations
SSO Type

Description

Multiple WebLogic Server
Domain SSO

The basic administration unit for WebLogic Server instances is known
as a domain. You can define multiple WebLogic administration
domains based on different system Administrators' responsibilities,
application boundaries, or the geographical locations of WebLogic
servers. However, all Managed Servers in a cluster must reside in the
same WebLogic Server domain.
See Also: "About Multiple WebLogic Server Domain SSO" on
page 21-5

Reverse-Proxy SSO

This SSO implementation type is supported with a few configuration
differences.
See Also: "About Reverse-Proxy SSO" on page 21-5

SSO with Mixed Release Agents

Access Manager seamlessly supports registered 11g and 10g OAM
gents (Webgates and programmatic access clients), as well as legacy
OSSO Agents (mod_osso 10g), and legacy OpenSSO agents). These can
be used in any combination.

21.1.1 About Multiple Network Domain SSO
With Access Manager, this is a standard feature. When 11g WebGates are used
exclusively all cookies in the system are host-based. However, you must have control
over all the domains. If some domains are controlled by external entities (not part of
the Access Manager deployment), Oracle recommends that you use Identity
Federation.
Access Manager supports cross-network-domain single sign-on out of the box. During
single sign-off with Access Manager:
■

■

■

The SSO cookie set by OAM Server is a host cookie that works across the network
domains. The WebGate clears its standalone Agent cookie and then redirects to the
OAM Server for session clearing.
10g WebGates do not have a standalone Agent cookie; logout occurs only on the
server side with no redirection required.
With 11g WebGates and OSSO agents that support a standalone agent cookie, the
agent Logout Callback URL is called in parallel. The agents accessed in a session
and agents from multiple domains are all called in parallel, depending on the
number of concurrent connections supported in the browser.
Access Manager provides a proprietary multiple network
domain SSO capability that predates Identity Federation 11.1.1. If this
is implemented in your Oracle Access Manager 10g deployment, you
can register 10g Agents with Access Manager 11g to continue this
support.

Note:

See Also:
■
■

"Configuring Centralized Logout for 11g WebGates" on page 27-4
Oracle Fusion Middleware Administrator's Guide for Oracle Identity
Federation, 11.1.1

21.1.2 About Application SSO and Access Manager
Access Manager enables Administrators to create a web of trust in which a user's
credentials are verified once and are provided to each application the user runs. Using

21-4 Administrator's Guide for Oracle Access Management

Introducing Access Manager Single Sign-On

these credentials, the application does not need to re-authenticate the user with its
own mechanism.
Application single sign-on allows users who have been authenticated by Access
Manager to access applications without being re-authenticated.
There are two ways to send a user's credentials:
■

■

Using Cookies: A specific value is set on the browser's cookie that the application
must extract to identify a user.
Using Header Variables: An HTTP header set on the request by the agent and
visible to the application.
Both forms require Administrators to enter the appropriate
responses within the policy. For more information, see "Introduction
to Policy Responses for SSO" on page 25-68.

Note:

Header response values are inserted into a request by an OAM Agent, and can only be
applied on Web servers that are protected by an agent. registered with Access Manager
11g If the policy includes a redirect URL that is hosted by a Web server not protected
by Access Manager, header responses are not applied.
For example, when a user authenticates, she might be redirected to a portal index
page:
http://example.com/authnsuccess.htm

For authentication failure, an authentication action might redirect the user to an error
page or a self-registration script:
http://example.com/authnfail.htm

21.1.3 About Multiple WebLogic Server Domain SSO
Access Manager supports SSO in multiple WebLogic administration domains.
You can define multiple WebLogic administration domains based on different system
Administrators' responsibilities, application boundaries, or the geographical locations
of WebLogic servers. Conversely, you can use a single domain to centralize all
WebLogic Server administration activities.
All Managed Servers in a cluster must reside in the same
domain; you cannot split a cluster over multiple domains. All
Managed Servers in a domain must run the same version of the Oracle
WebLogic Server software. The Administration Server can run either
the same version as the Managed Servers in the domain, or a later
service pack.

Note:

There are two basic types of WebLogic administration domains:
■

Domain with Managed Servers: A simple production environment can consist of
a domain with several Managed Servers that host applications, and an
Administration Server to perform management operations. In this configuration,
applications and resources are deployed to individual Managed Servers; similarly,
clients that access the application connect to an individual Managed Server.

Understanding Single Sign-On with Access Manager 21-5

Introducing Access Manager Single Sign-On

Production environments that require increased application performance,
throughput, or availability may configure two or more of Managed Servers as a
cluster. Clustering allows multiple Managed Servers to operate as a single unit to
host applications and resources. For more information about the difference
between a standalone and clustered Managed Servers, see Managed Servers and
Clustered Managed Servers.
■

Standalone WebLogic Server Domain: For development or test environments,
you may want to deploy a single application and server independently from
servers in a production domain. In this case, you can deploy a simple domain
consisting of a single server instance that acts as an Administration Server and
also hosts the applications you are developing. The examples domain that you can
install with WebLogic Server is an example of a standalone WebLogic Server
domain.

All Managed Servers in a cluster must reside in the same domain; you cannot split a
cluster over multiple domains. All Managed Servers in a domain must run the same
version of the Oracle WebLogic Server software. The Administration Server can run
either the same version as the Managed Servers in the domain, or a later service pack.
Each domain's configuration is stored in a separate configuration file (config.xml),
which is stored on the Administration Server along with other files such as logs and
security files. When you use the Administration Server to perform a configuration
task, the changes you make apply only to the domain managed by that Administration
Server. To manage another domain, use the Administration Server for that domain. For
this reason, the servers instances, applications, and resources in one domain should be
treated as being independent of servers, applications, and resources in a different
domain.You cannot perform configuration or deployment tasks in multiple domains at
the same time.
Each domain requires its own Administration Server for performing management
activities. When you use the Oracle Access Management Console to perform
management and monitoring tasks, you can switch back and forth between domains,
but in doing so, you are connecting to different Administration Servers.
If you have created multiple domains, each domain must reference its own database
schema. You cannot share a configured resource or subsystem between domains. For
example, if you create a JDBC data source in one domain, you cannot use it with a
Managed Server or cluster in another domain. Instead, you must create a similar data
source in the second domain. Furthermore, two or more system resources cannot have
the same name.

21.1.4 About Reverse-Proxy SSO
This is a supported configuration with the following caveats.
Caveats
If you are going to use a reverse proxy in a single sign-on configuration, be sure to
perform one of the following tasks. Otherwise, the reverse proxy hides the client's IP
address:
■
■

Either to set the IPvalidation parameter to false
Or add the proxy IP address to the IPValidationExceptions list in the Webgate
registration

In some situations the Reverse Proxy does not pass the 10g Webgate ObSSOCookie to
Oracle WebLogic after a successful authentication. To avoid this issue:

21-6 Administrator's Guide for Oracle Access Management

Understanding the Access Manager Policy Model

■

■

Use Form authentication instead of Basic Over LDAP when using Reverse Proxy
with Oracle WebLogic
For 11g Webgate, a user-defined parameter (filterOAMAuthnCookie (default true))
can be used to prevent the OAMAuthnCookie from being passed to downstream
applications for security consideration. If you do want to pass the cookie on, then
set the filterOAMAuthnCookie parameter to false.

21.2 Understanding the Access Manager Policy Model
Access Manager distills the policy models of Oracle Access Manager and OSSO into a
single Access Manager policy model. Figure 21–1 illustrates the main elements of the
Access Manager 11g policy model including the shared policy components, an
individual Application Domain, and external dependencies.
Figure 21–1 Access Manager 11g Policy Model

Access Manager

Authentication
Schemes

Application
Domains

Resource
Types

Host
Identifiers

Authentication
Modules

Policies

Resources
Legend
Relationship: One-to-Many

Authentication
Policies

Authorization
Policies

Token Issuance
Policies

Relationship: Many-to-Many
External Dependencies
Relationship: Containment

Identities

Contextual Data

Shared Policy Components
Shared policy components are global and can be used in one or more Application
Domains. Figure 21–2 illustrates the shared components for Access Manager policies.
Figure 21–2 Access Manager Shared Policy Components

Access Manager

Authentication
Schemes

Resource
Types

Host
Identifiers

Authentication
Modules

Table 21–3 describes the global, shared components in an Access Manager policy.

Understanding Single Sign-On with Access Manager 21-7

Understanding the Access Manager Policy Model

Table 21–3

Access Manager Global, Shared Policy Components

Component

Description

Resource Types

Defines the type of resource to be protected and the associated
operations. The default resource type is HTTP. However,
Administrators can define non-HTTP resource types that can be
applied to specific resources in an Application Domain.
Any number of resources can belong to a specific resource type.
However, each resource that is added to a policy must be defined as a
single type:
■

HTTP

■

wl_authen

■

TokenServiceRP

See Also:

Host Identifiers

■

Chapter 22: Managing Resource Types

■

Chapter 45: Managing TokenServiceRP Type Resources

A host can be known by multiple names. To ensure that OAM
recognizes the URL for a resource, OAM must know the various ways
used to refer to that resource's host computer.
With Access Manager, all possible host variations are stored together.
Administrators enter the canonical name for the host and every other
name by which the host can be addressed by users. A request sent to
any address on the list is mapped to the official host name.
Authentication and authorization policies in an Application Domain
protect resources based on host identifiers. Host identifiers are used to
identify resources or an application at run time and can be used to
formulate policies for application resources at design time.
Host identifiers can be generated automatically during Agent
registration and are used to seed the Resource definition and default
authentication and authorization policies in the new Application
Domain.
Alternatively: Administrators can create a host identifier definition for
use in one or more Application Domains.
Virtual Web Hosting: Enables support of multiple domain names and
IP addresses that each resolve to their unique subdirectories on a
single server. The same host can have multiple sites being served
either based on multiple NIC cards (IP based) or multiple names (for
example, abc.com and def.com) resolving to same IP.
See Also: "About Host Identifiers" on page 22-8.

Authentication Scheme

A named component that defines the challenge mechanism, level of
trust, and the underlying authentication module or plug-in required to
authenticate a user. Several default schemes provided with Access
Manager and Administrators can define their own schemes.
Authenticating a user's identity with Access Manager refers to running
a pre-defined set of processes to verify the digital identity of the user.
One authentication scheme can be assigned to multiple authentication
policies. However, each authentication policy can have only one
authentication scheme assigned to it.
Note: Authentication schemes are defined globally to ensure that a
small number of Administrators define them in a consistent, secure
way.
See Also: "Managing Authentication Schemes" on page 22-64

21-8 Administrator's Guide for Oracle Access Management

Understanding the Access Manager Policy Model

Table 21–3 (Cont.) Access Manager Global, Shared Policy Components
Component

Description

Authentication Modules and
Plug-ins

The smallest executable unit of an authentication scheme. The
authentication module determines the exact procedure to be followed
and the method for challenging the user for credentials.
Authentication involves determining which credentials a user must
supply when requesting access to a resource, gathering credentials,
and returning a response that is based on the results of credential
validation.
All authentication processing relies on an authentication module to
define the rules governing requirements and transmission of
information to the backend authentication scheme. All information
collected by the plug-in and saved in the context is available to the
plug-in through the authentication process. Context data can also be
used to set cookies or headers in the user's login page
A number of plug-ins and several pre-defined modules are provided.
Oracle strongly recommends using plug-ins, which you can configure
and orchestrate as needed to provide multi-step authentication.
See Also:
■
■

"Managing Native Authentication Modules" on page 22-23
"Orchestrating Multi-Step Authentication with Plug-in Based
Modules" on page 22-29

Access Manager Policy Components
Access Manager default behavior denies access when a resource is not protected by a
policy that explicitly allows access. Table 21–4 describes policy components you
configure to allow access and where you can find the details.
See Also: "Anatomy of an Application Domain and Policies" on
page 21-10
Table 21–4

Access Manager Policy Components

Component

Description

Application Domain

Each Application Domain provides a logical container for resources, and the associated
policies that dictate who can access these resources. An application domain can be
created automatically during Agent registration or manually using the console.
See Also: "Anatomy of an Application Domain and Policies" on page 21-10

Resource Definitions

Based on a defined host identifier, Administrators can add specific resources to an
Application Domain and apply policies to protect those resources.
See Also: "Adding and Managing Policy Resource Definitions" on page 25-13.

Authentication Policy

Each resource defined in an Application Domain can be protected by only one
authentication policy. Each authentication policy requires one authentication scheme.
One authentication policy can protect many resources. However, each resource can be
protected by only one authentication policy.
See Also: "Defining Authentication Policies for Specific Resources" on page 25-31

Authorization Policies

Each resource assigned to an Application Domain can be protected by only one
authorization policy. Each policy can include one or more conditions and a rule.
Authorization policies can also contain success responses.
One authorization policy can protect many resources. However, each resource can be
protected by only one authorization policy.
See Also: "Defining Authorization Policies for Specific Resources" on page 25-35.

Token Issuance Policy

By default, only a container for Token Issuance Policies is provided in a generated
Application Domain. No Conditions or Rules are generated automatically. You must add
these manually.
See Also: "Displaying Token Issuance Policy Pages" on page 25-10.

Understanding Single Sign-On with Access Manager 21-9

Anatomy of an Application Domain and Policies

Table 21–4 (Cont.) Access Manager Policy Components
Component

Description

Policy Responses

Available for all policy types, Authentication and Authorization success Responses can
be defined within respective policies to be applied after policy evaluation.
See Also: "Introduction to Policy Responses for SSO" on page 25-68.

Rule

Available for only Authorization and Token Issuance Policies.
Each Authorization policy includes a rule that defines whether the policy allows or
denies access to resources protected by the policy.
The rule references Authorization conditions, described next.
See Also: "Introduction to Authorization Policy Rules and Conditions" on page 25-40.

Condition

Available for only Authorization and Token Issuance Policies.
Each Authorization policy rule references conditions that define to whom the rule
applies, if there is a time Condition, and how evaluation outcomes are to be applied.
Conditions are declared outside of rules and are referenced within a rule.
See Also: "Introduction to Authorization Policy Rules and Conditions" on page 25-40.

21.3 Anatomy of an Application Domain and Policies
Access Manager enables you to control who can access resources based on policies
defined within an Application Domain. Users attempt to access a protected resource
by entering a URL in a browser, by running an application, or by calling some other
external business logic. When a user requests access to a protected resource, the
request is evaluated according to policies that discriminate between authenticated
users who are authorized and those who are not authorized for access to a particular
resource.
Application domains do not have any hierarchical relationship to one another. Each
Application domain can be made to contain policy elements related to an entire
application deployment, a particular tier of the deployment, or a single host.
Within each Application Domain, specific resources are identified for protection by
specific policies that govern access. Authentication and authorization policies include
Administrator-configured responses that are applied upon successful evaluation.
Authorization policies include Administrator-configured conditions and rules that
define how evaluation is performed, and responses to be applied upon successful
evaluation.
The size and number of Application Domains is up to the Administrator. The decision
can be based on individual application resources or any other logical grouping as
needed. An Application Domain is automatically created during Agent registration.
Also, Administrators can protect multiple Application Domains using the same agent
by manually creating the Application Domain and adding the resources and policies.
Figure 21–3 shows an expanded view of policies within an Application Domain, as
well as how the shared elements are used in an Application Domain.

21-10 Administrator's Guide for Oracle Access Management

Anatomy of an Application Domain and Policies

Figure 21–3 Anatomy of Access Manager Policies

For more information, see the following topics:
■

About Resource Definitions for Policies

■

About Authentication Policies

■

About Authorization Policies

■

About Token Issuance Policies

21.3.1 About Resource Definitions for Policies
The term resource represents a document, or entity, or pieces of content stored on an
OAM Server and available for access by a large audience.
Clients communicate with the OAM Server to request a resource using a particular
protocol (HTTP or HTTPS, for example), which corresponds to an existing Resource
Type. Every HTTP Resource Type must be associated with a host identifier. However,
non-HTTP Resource Types are associated with a specific name (not a host identifier).
With Access Manager, each resource must be defined as within the Resources
container in an Application Domain before it can be associated with a specific policy.
Only resources defined in the Resources container can be
associated with policies in the Application Domain.

Note:

For more information, see "Adding and Managing Policy Resource Definitions" on
page 25-13.
To protect pieces of content on a page, Oracle recommends
using Oracle Entitlements Server.

Note:

21.3.2 About Authentication Policies
Administrators can create an authentication policy to apply to specific resources
within an Application Domain. Each authentication policy:
■

■

■

Identifies the specific resources covered by this policy, which must be defined on
the Resources tab of this policy and in the Resources container for the Application
Domain
Specifies the authentication scheme that provides the challenge method to be used
to authenticate the user
Specifies the Success URL (and the failure URL) that redirects the user based on
the results of this policy evaluation

Understanding Single Sign-On with Access Manager

21-11

Anatomy of an Application Domain and Policies

■

Defines optional Responses that identify post-authentication actions to be carried
out by the Agent.
Policy responses provide the ability to insert information into a session and pull it
back out at any later point. This is more robust and flexible than Oracle Access
Manager 10g, which provided data passage to (and between) applications by
redirecting to URLs in a specific sequence.
Policy responses are optional. These must be configured by an Administrator and
are applied to specific resources defined within the Application Domain. For more
information, see "Introduction to Policy Responses for SSO" on page 25-68.

Authentication Policy Evaluation Results
To authenticate a user, Access Manager presents the user's browser with a request for
authentication credentials based on the challenge method defined by the
authentication scheme for this policy.
After policy evaluation, the result is returned and the user is redirected based on that
result:
■

Success (allow access) redirects to the requested URL

■

Failure, (deny access) redirects to a generic error page
Note:

Policy evaluation results can be overridden policy by policy.

See Also:
■

"Displaying Authentication Policy Pages" on page 25-7

■

"Managing Run Time Policy Evaluation Caches" on page 13-9

21.3.3 About Authorization Policies
Authorization is the process of determining if a user has a right to access a requested
resource. A user might want to see data or run an application program protected by a
policy, for example.
Administrators can create an authorization policy to specify the conditions under
which a subject or identity has access to a particular resource. The requested resource
must belong to an Application Domain and must be included within a specific
authorization policy.
OracleAS SSO 10g does not provide authorization; OSSO
Agents do not use Access Manager 11g Authorization Policies.

Note:

Each authorization policy:
■

■

■

Identifies the specific resources covered by this policy, which must be defined on
the Resources tab of this policy and in the Resources container for the Application
Domain
Specifies the Success URL (and the failure URL) that redirects the user based on
the results of this policy evaluation
Identifies specific Allow or Deny Rules based on defined conditions for this policy
and resources. See Table 21–5 for an overview of Condition types.

21-12 Administrator's Guide for Oracle Access Management

Introduction to Policy Conditions and Rules

■

Defines optional Responses that identify post-authorization actions to be carried
out by the Agent, as described in "Introduction to Policy Responses for SSO" on
page 25-68.
See Also:

"Introduction to Policy Conditions and Rules"

21.3.4 About Token Issuance Policies
A Token Issuance Policy defines the rules under which a token can be issued for a
resource (Relying Party Partner) based on the client's identity. The client can be either a
Requester Partner or an end user.
Unless explicitly stated, information on Application Domains and authorization
policies applies equally to Token Issuance policies.
During automatic policy generation, no Token Issuance
Policies are created; only the container for Token Issuance Policies is
generated automatically.

Note:

For specific information about Token Issuance Policies, see:
■

"Managing TokenServiceRP Type Resources" on page 45-30

■

"Managing Token Issuance Policies, Conditions, and Rules" on page 45-27

21.4 Introduction to Policy Conditions and Rules
Unless explicitly stated, information on policy Conditions and Rules applies equally
to:
■

Authorization policies

■

Token Issuance policies

Conditions
Conditions can be specified only within Authorization and Token Issuance policies.
Conditions are used in conjunction with Rules that specify Allow or Deny access,
based on defined Conditions. Table 21–5 identifies available condition types.
Table 21–5

Condition Types

Type

For more information, see ...

Identity

"Introduction to Authorization Policy Rules and Conditions" on page 25-40.

IP4 Range

"Defining IP4 Range Conditions" on page 25-51.

Temporal

"Defining Temporal Conditions" on page 25-54.

Attribute

"Defining Attribute Conditions" on page 25-55.

True

Effectively "Allow All". Oracle recommends this be used as the default option in
cases where you need to let in any authenticated use. In this case, you do not
need any particular conditions to be satisfied at authorization time.
This replaces the Use Implied Constraints flag the previous release of Access
Manager, which similarly lets policy evaluation complete with an Allow result
when no specifically-defined constraints were present.

Each Authorization and Token Issuance policy can contain one or more condition
objects. There can be more than one instance of a type of condition in a policy (the
previous policy model allowed only one instance of a class in a policy).

Understanding Single Sign-On with Access Manager

21-13

Understanding SSO Cookies

Conditions are similar to earlier Access Manager 11g authorization constraints.
However, constraints included Allow or Deny specifications and conditions do not.
Rules
Rules are new constructs in the policy model. Each Rule defines the Allow or Deny
specification that determines the overall effect of the policy. Rules also define how the
outcomes of each Condition evaluation is to be combined. Conditions are referenced in
rules and declared outside of rules.
Within a Rule, evaluation outcomes can be combined as follows:
■

■

Simple Mode: Accepts a list of condition names that are combined based on the
value of a combiner that allows either All conditions to be met or Any one
condition to be met to return "true" for the evaluation. [Previously, ALL allowed
constraints while ANY denied them.]
Expression mode: Allows the user to specify a Boolean expression to combine
conditions using condition names and special characters (comma, vertical bar,
ampersand and exclamation point: , |& and !.
A policy in which there are one or more conditions that are not
part of either an Allow or Deny Rule is treated as a valid policy.

Note:

For more information about Conditions and Rule, see Chapter 25.

21.5 Understanding SSO Cookies
This section provides a brief overview of single sign-on with Access Manager 11g. It
includes the following topics:
■

About Single Sign-On Cookies During User Login

■

About Single Sign-On Server and Agent Cookies

21.5.1 About Single Sign-On Cookies During User Login
Table 21–6 describes the cookies that can be set or cleared during user login.
Table 21–6

SSO Cookies

SSO Cookie Set at
User Login
OAM_ID cookie

OAMAuthnCookie

Set By

Description

OAM Server
Embedded
Credential
Collector

When a user attempts to access a protected application, the request
comes to the SSO Engine and the controller checks for the existence
of the cookie.

11g Webgate

Set by each 11g Webgate that is contacted. Protected by the key
known to the respective 11g Webgate and the OAM Server. A valid
OAMAuthnCookie is required for a session.

See Also: "OAM_ID cookie" on page 21-16.

Note: If the user accesses applications protected by different 11g
Webgates, you will have multiple OAMAuthnCookies.
See "OAMAuthnCookie for 11g OAM Webgates" on page 21-16.

21-14 Administrator's Guide for Oracle Access Management

Understanding SSO Cookies

Table 21–6 (Cont.) SSO Cookies
SSO Cookie Set at
User Login

Set By

Description

ObSSOCookie

10g Webgate

A domain-based cookie for 10g Webgates is set only when a 10g
Webgate is contacted. Protected with keys known to the OAM
Server only. One global shared secret key for all Webgates.
Note: This cookie enables backward compatibility and
inter-operability between Access Manager 11g and older agents.
See "ObSSOCookie for 10g Webgates" on page 21-17

OAM_REQ

OAM Server
Embedded
Credential
Collector

A transient cookie that is set or cleared by the OAM Server if the
Authentication request context cookie is enabled. Protected with
keys known to the OAM Server only.
Note: This cookie is configured as a high availability option to store
the state about user's original request to a protected resource while
his credentials are collected and authentication performed.
See "OAM_REQ Cookie" on page 21-17.

OAMRequestContext

11g Webgate

Set or cleared by the 11g Webgate and protected by the key known
to the respective 11g Webgate and the OAM Server.
With Internet Explorer browser:
--When RequestContextCookieExpTime is not set,
OAMRequestContext is a transient cookie.
--When RequestContextCookieExpTime is set, the
OAMRequestContext cookie expires by the time set using the
"Expires" directive. This requires a time sync between the client
host and Web server host.
With all other (non-IE) browsers, when
RequestContextCookieExpTime is not set OAMRequestContext
expires in 5 minutes by default or by the time set using the
"Max-Age" directive.
See Also: "OAMRequestContext" on page 21-17
Table 15–2, " User-Defined WebGate Parameters"

DCCCtxCookie

OHS-host-port

Detached
Credential
Collector

For detached credential collector (DCC)--similar to OAM_REQ
created by embedded credential collector (ECC).
See "DCCCtxCookie" on page 21-18

Oracle HTTP Set only when OSSO Agents (mod_osso) are contacted on Oracle
Server
HTTP Server (OHS). Protected with the key known to the
respective mod_osso agent and the OAM Server.
Note: This cookie enables backward compatibility and
inter-operability between Access Manager 11g and older agents.
See "mod_osso Cookies" on page 21-18.

OAM_GITO cookie

OAM Server

Provides backward compatibility and inter-operability between
OSSO 10g and Access Manager 11g. The cookie is created by the
OAM Server and accessed or modified by the OAM Server or mod_
osso agent.
See "mod_osso Cookies" on page 21-18.

OpenSSO cookie

OpenSSO
Proxy

See "OpenSSO Cookie (iPlanetDirectoryPro)" on page 21-19.

For details about configuring authentication and authorization policies, see
Chapter 25, "Managing Policies to Protect Resources and Enable SSO".

21.5.2 About Single Sign-On Server and Agent Cookies
■

OAM_ID cookie

■

OAMAuthnCookie for 11g OAM Webgates

■

ObSSOCookie for 10g Webgates

Understanding Single Sign-On with Access Manager

21-15

Understanding SSO Cookies

■

OAM_REQ Cookie

■

OAMRequestContext

■

DCCCtxCookie

■

mod_osso Cookies

■

OpenSSO Cookie (iPlanetDirectoryPro)

21.5.2.1 OAM_ID cookie
This cookie is scoped to the OAM Server. OAM_ID is generated by the OAM Server
when the user is challenged for credentials, and submitted to the server on every
redirect to the server.
OAM_ID is protected by keys known to the OAM Server only.
When a user attempts to access a protected application, the request comes to the SSO
Engine and the controller checks for the existence of the cookie:
■

■

If the cookie does not exist, user authentication begins. After successful
authentication, the user context and token are set by the SSO Engine. The cookie is
set with the global user ID (GUID), creation time, and idle timeout details.
Information in the cookie is encrypted with the SSO Server key and can be
decrypted only by the SSO Engine.
If the cookie exists, then the cookie is decrypted and the sign in flow completes
with the authenticated user.

21.5.2.2 OAMAuthnCookie for 11g OAM Webgates
There is one OAMAuthnCookie__ set by each 11g
Webgate using the authentication token received from the OAM Server after successful
authentication. A valid OAMAuthnCookie is required for a session.
SSL Connections: Administrators can ensure the ObSSOCookie is only sent over an
SSL connection and prevents the cookie from being sent back to a non-secure Web
server by configuring SSL and then specifying Simple or Cert mode for Agents and
Servers. For details, see "About Communication Between OAM Servers and
WebGates" on page 6-4.
Cookie Expiration: For 11g Webgate and OAMAuthnCookie, expiration is controlled
by the "tokenValidityPeriod" parameter, which controls the valid token (or cookie)
time.
This key is known to both the 11g Webgate and SSO Engine and is used for encrypting
OAMAuthnCookie. The SSO engine key (only known to the SSO Engine) is used for
encrypting the OAM_ID OAM Server cookie.
Similar to ObSSOCookie for 10g Webgates.

21.5.2.3 ObSSOCookie for 10g Webgates
Access Manager 11g sets a key-based cookie ObSSOCookie for each user or application
that accesses a resource protected by a 10g Webgate. The key is set up during agent
registration and is known to both the agent and SSO Engine (shared between them).
This key is different from the OAM Server (or SSO Engine) key.
Removing the ObSSOcookie causes the 10g Webgate to log the user out and requires
the user to re-authenticate the next time he or she requests a resource that is protected
by the Access System.

21-16 Administrator's Guide for Oracle Access Management

Understanding SSO Cookies

The WebGate sends the ObSSOCookie to the user's browser upon successful
authentication. This cookie can then act as an authentication mechanism for other
protected resources that require the same or a lower level of authentication. When the
user requests access to a browser or another resource, the request flows to the OAM
Server. The user is logged in, and the ObSSOCookie is set. The OAM Server generates
a session token with a URL that contains the ObSSOCookie. Single sign-on works
when the cookie is used for subsequent authorizations in lieu of prompting the user to
supply authorization credentials.
When the cookie is generated, part of the cookie is used as an encrypted session token.
The single sign-on cookie does not contain user credentials such as user name and
password.
SSL Connections: Administrators can ensure the ObSSOCookie is only sent over an
SSL connection and prevents the cookie from being sent back to a non-secure Web
server by configuring SSL and then specifying Simple or Cert mode for Agents and
Servers. For details, see "About Communication Between OAM Servers and
WebGates" on page 6-4.
Cookie Expiration: Administrators can specify the desired Cookie Session Time in the
OAM Agent registration. For more information, see "Registering an OAM Agent Using
the Console" on page 15-13.

21.5.2.4 OAM_REQ Cookie
A transient cookie that is set or cleared by the OAM Server if the Authentication
request context cookie is enabled. Protected with keys known to the OAM Server only.
This cookie is configured as a high availability option to store the state about user's
original request to a protected resource while his credentials are collected and
authentication performed.
In high availability configurations, the Request Cache type must be changed from
BASIC to COOKIE using Infrastructure Security custom WLST commands.
You must invoke the WLST script from the Oracle Common
home. See "Using Custom WLST Commands" in the Oracle Fusion
Middleware Administrator's Guide.

Note:

See Also:
■

■

Oracle Fusion Middleware WebLogic Scripting Tool Command
Reference
Table 21–6, " SSO Cookies"

21.5.2.5 OAMRequestContext
This cookie is set or cleared by the 11g Resource WebGate and protected by the key
known to the respective 11g WebGate and the OAM Server.
This cookie is configured to store the state about the user's original request to a
protected resource while his credentials are collected and authentication performed.
■

With Internet Explorer browser:
–

When RequestContextCookieExpTime is not set, OAMRequestContext is a
transient cookie.

Understanding Single Sign-On with Access Manager

21-17

Understanding SSO Cookies

–

■

When RequestContextCookieExpTime is set, the OAMRequestContext cookie
expires by the time set using the "Expires" directive. This requires a time sync
between the client host and Web server host.

With all other (non-IE) browsers, when RequestContextCookieExpTime is not set
OAMRequestContext expires in 5 minutes by default or by the time set using the
"Max-Age" directive.
See Also: RequestContextCookieExpTime in Table 15–2,
" User-Defined WebGate Parameters"

21.5.2.6 DCCCtxCookie
This comes into play only with the Detached Credential Collector (DCC).
The DCCCtxCookie is used by DCC to save various context information required
during authentication. It includes information necessary to reconstruct the original
request upon completion of authentication, to maintain server affinity, and to perform
iterative multi-step authentication.
By default, DCCCtxCookie is set when the DCC is first redirected away to collect
credentials based on the authentication scheme (when the browser is first redirected to
the login form with a form-based authentication scheme).
With the DCC, once authenticated the OAM server issues a DCC master session token
to the DCC in the authenticate response. DCC then sets a host- based DCC cookie
using the token and:
■

■

If DCC cookie Presented During Authentication: DCC decrypts the token using
a DCC key, and performs partial token validation locally (integrity check, token
validity period check). If it passes, DCC performs complete token validation for
timeout aspects over the OAP channel against the OAM Server.
If no DCC Cookie: This indicates a first time authentication which initiates
credential collection, performs sanity and syntactic checks on the credential and
submits to OAM Server for validation.
See Also: "Configuring 11g WebGates and Authentication Policy for
DCC"

21.5.2.7 mod_osso Cookies
The mod_osso module is the Oracle HTTP Server module that provides authentication
to OracleAS applications. This module resides on the Oracle HTTP Server that enables
applications protected by OracleAS Single Sign-On to accept HTTP headers in lieu of a
user name and password once the user has logged into the OracleAS Single Sign-On
server. The values for these headers are stored in a mod_osso cookie.
Located on the application server, mod_osso simplifies the authentication process by
serving as the sole application to the single sign-on server. In this way, mod_osso
renders authentication transparent to OracleAS applications. The Administrator for
these applications is spared the burden of integrating them with an SDK. After
authenticating a user, mod_osso transmits the simple header values that applications
may use to authorize the user.
OAM_GITO Cookie
Needed in special cases to support timeout when multiple types of agents (mod_osso
and WebGate) are working with Access Manager 11g. Server side session managers
can check the validity of the cookie for expiry and timeout during session validation.

21-18 Administrator's Guide for Oracle Access Management

Understanding SSO Cookies

Global logout is required for OSSO Agents (mod_osso) to ensure that logging out of a
session on any entity propagates the logout to all entities.
When a user is authenticated by OSSO 10g, the OSSO Server sets the OAM_GITO
cookie. Once the partner cookie (OHS cookie) is set, OHS does not route the request to
the server. Instead, on every access, OHS decrypts the OAM_GITO cookie and updates
the last activity timestamp. During request processing, if any partner detects that
current time has surpassed GITO timeout (last activity time + GITO timeout), the
request is sent to OSSO 10g in forced authentication mode. When a request reaches
OSSO server in forced authentication mode, server chooses to ignore SSO_ID cookie
and challenges user for credentials, considering it as a fresh request. After successful
authentication, SSO_ID and OAM_GITO cookie are updated.
This is enabled (using the editGITOValues WLST command), as described in the
Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
OssoSecureCookies Directive
Add the OssoSecureCookies directive to set the Secure flag on all cookies. This tells the
browser to only transmit those cookies on connections secured by HTTPS. An example
of this directive in a mod_osso configuration (mod_osso.conf), is as follows:

OssoIpCheck off
OssoIdleTimeout off
OssoSecureCookies on
OssoConfigFile osso/osso.conf

require valid-user
AuthType Basic



For more information, see Oracle Application Server Single Sign-On Administrator's
Guide.

21.5.2.8 OpenSSO Cookie (iPlanetDirectoryPro)
The agent finds this cookie after the OpenSSO Proxy triggers session validation. The
default name of the OpenSSO cookie is:
iPlanetDirectoryPro
After the OpenSSO agent is authenticated and logged in, the agent verifies whether
the user has an OpenSSO cookie. If not, the user authentication request is initiated
from the OpenSSO Agent. During SSO User Login and Authentication flow OpenSSO
cookie is created, which contains the OpenSSO session identifier, and this cookie is set
in the user's browser.
During End User Session Validation, OpenSSO agent intercepts the request to the
protected application and finds an OpenSSO cookie.
During User Single Logout, the OpenSSO Proxy receives a User logout request and
forwards the user to the OAM Logout URL OpenSSO Proxy decrypts the OpenSSO
cookie, fetches the OpenSSO session identifier and, from that, fetches the OAM session
ID. OpenSSO proxy sends the logout request to controller through the OpenSSO
logout event with the OAM session ID.
■

SSO User Login and Authentication flow

■

End User Session Validation flow

Understanding Single Sign-On with Access Manager

21-19

Introduction to Configuration Tasks for Single Sign-On

■

User Single Logout flow

21.6 Introduction to Configuration Tasks for Single Sign-On
The following overview outlines the tasks that Administrators must perform to
configure single sign-on with Access Manager 11g,. For each task, a link to additional
information is included.

Task overview: Configuring single sign-on
1.

Review all topics in this chapter to get familiar with the Access Manager 11g SSO
policy model.

2.

Configure a single sign-on logout URL for each application you want to protect,
using documentation for your specific application.

3.

Install and register an Agent on each Web server that is hosting an application to
protect using either method. See:

4.

■

Chapter 14, "Introduction to Agents and Registration"

■

Chapter 15, "Registering and Managing OAM 11g Agents"

Proceed to manage resource types, host identifiers, authentication schemes, and
modules:
■

5.

Chapter 22, "Managing Authentication and Shared Policy Components"

Locate an existing Application Domain (or start a fresh one) and add resources
and policies, as described in:
■

Chapter 25, "Managing Policies to Protect Resources and Enable SSO"

21-20 Administrator's Guide for Oracle Access Management

22
Managing Authentication and Shared Policy
Components
22

This chapter describes how Administrators can manage shared policy components in
the following topics:
■

Prerequisites

■

Understanding Authentication and Shared Policy Component Tasks

■

Managing Resource Types

■

Managing Host Identifiers

■

Understanding Authentication Methods and Credential Collectors

■

Managing Native Authentication Modules

■

Orchestrating Multi-Step Authentication with Plug-in Based Modules

■

Deploying and Managing Individual Plug-ins for Authentication

■

Managing Authentication Schemes

■

Extending Authentication Schemes with Advanced Rules

■

Configuring Challenge Parameters for Encrypted Cookies

■

Configuring Authentication POST Data Handling

■

Long URL Handling During Authentication

■

Using Application Initiated Authentication

22.1 Prerequisites
Oracle recommends that you review information in Chapter 21, "Understanding Single
Sign-On with Access Manager" before performing activities in this chapter.
Additionally, the Oracle Access Management Console and at least one OAM Server
must be installed and running within a WebLogic Server domain, and Access Manager
must be running with at least two registered Agents.

22.2 Understanding Authentication and Shared Policy Component Tasks
This section introduces the tasks that must be performed to configure shared policy
components required for use in Access Manager authentication policies that protect
resources and enable single sign-on.

Managing Authentication and Shared Policy Components 22-1

Managing Resource Types

See Also: Chapter 21, "Understanding Single Sign-On with Access
Manager"

Task overview: Configuring shared policy components
1.

Confirm that the desired resource type is defined, as described in this chapter:
■

2.

Confirm that a host identifier definition named for the agent was created during
agent registration, (or create one yourself), as described in:
■

3.

5.

6.

7.

Managing Host Identifiers

Gain comprehension about credential collection with Access Manager:
■

4.

Managing Resource Types

Understanding Authentication Methods and Credential Collectors

Learn about and use the authentication plug-ins that enable multi-step
authentication:
■

Orchestrating Multi-Step Authentication with Plug-in Based Modules

■

Deploying and Managing Individual Plug-ins for Authentication

Create and manage authentication schemes that you can add to authentication
policies, as described in:
■

Managing Authentication Schemes

■

Configuring Challenge Parameters for Encrypted Cookies

Set up your own global password policy for either the default embedded or
optional detached credential collector (unless specified, tasks apply to both ECC
and DCC, with minor changes noted in the discussion):
■

Configuring Password Policy

■

Managing Global Password Policy

■

Configuring Password Policy Authentication

■

DCC: Configuring 11g WebGates and Authentication Policy for DCC

■

Completing Password Policy Configuration

Proceed to Chapter 25 to set up authentication policies.

22.3 Managing Resource Types
This section includes the following topics:
■

About Resource Types and Their Use

■

About the Resource Type Page

■

Searching for a Specific Resource Type

■

Creating a Custom Resource Type

22.3.1 About Resource Types and Their Use
When adding a resource to an Application Domain, Administrators must choose from
a list of defined Resource Types. Oracle-provided resource types include:
■

HTTP

22-2 Administrator's Guide for Oracle Access Management

Managing Resource Types

■

wl_authen

■

TokenServiceRP

Administrators can configure additional resource types, and define operations on both
Oracle-provided and custom resource types. A particular resource can be defined to
use a subset of the declared operations, or all of them (which includes any new
operators defined on the resource's type subsequently.
Administrators cannot remove custom resource types or operations for which
resources have been created. Oracle-provided resource types and operations are
marked as read-only within the policy store and cannot be removed.
Changes to the operation list of a resource type is not allowed
if a resource of that type exists.

Note:

Table 22–1 compares resource types and operations.
Table 22–1

Comparison: Resource Types for Access Manager versus 10g

Access Manager 11g

Oracle Access Manager 10g

HTTP: The default resource type used with HTTP and HTTPS protocols.

HTTP: The HTTP resource type is read-only.

When adding an HTTP type resource to an Application Domain, Administrators
must choose from a list of existing host identifiers and add the resource URL.

Operations: Oracle-provided resource types
are read-only; associated operations are
pre-defined. Policies developed and applied
to the resource apply to all operations.

This resource type is read-only. Default operations associated with the HTTP
resource type need not be defined by an Administrator. Instead, policies
developed and applied to the resource apply to all operations:
Operations: Oracle-provided resource types are read-only; associated operations
are pre-defined. Policies developed and applied to HTTP type resources apply to
all operations.
■

Get

■

Post

■
■

Put
Head

■

Delete

■

Trace

■

Options

■

Connect

■

Other

■

Get

■

Post

■

Put

■

Head

■

Delete

■

Trace

■

Options

■

Connect

■

Other

See Also: "About the Resource Type Page" on page 22-4.
wl_authen: Resources for representing WebLogic Authentication schemes is also
read-only (default operations cannot be modified or deleted.)

N/A

This non-HTTP resource type is available to use with resources deployed in a
WebLogic container in a domain that does not include Access Manager. The
protected resource is accessed through its URL on the Oracle WebLogic Server.
Type wl_authen resources, require a custom Access Client.

Managing Authentication and Shared Policy Components 22-3

Managing Resource Types

Table 22–1 (Cont.) Comparison: Resource Types for Access Manager versus 10g
Access Manager 11g

Oracle Access Manager 10g

TokenServiceRP: Resources for representing Token Service Relying Party. The
Operation for this resource type is Issue.

N/A

Custom Resource Types: Have no associated host identifier.

EJB: A custom resource type used in SSO
integrations with WebLogic and WebSphere
for authenticating the user. During
authentication, the user's groups were
fetched and populated in the Subject
Principal as roles. Subsequent authorization
was executed inside the application server
based on user roles.

A custom "EJB" resource type can be created on demand for use in SSO
integrations.

No authorization calls were made using
resource operations.
Non-HTTP resource types have no associated host identifier.
When adding non-HTTP resources to an Application Domain, Administrators
must enter the Type name into the Resource URL field as a pointer. The name
cannot match any host Identifier (and vice versa). This is not a relative HTTP
URL.

22.3.2 About the Resource Type Page
In the Oracle Access Management Console, resource types are organized with other
Components under the Policy Configuration tab. The navigation tree shows
Oracle-provided resource types: HTTP, wl_authen, and TokenServiceRP.
Pre-defined resource types cannot be deleted. Pre-defined
operations are shown with a lock icon and cannot be deleted.
Additional operations can be created, edited, or deleted as needed.

Note:

The HTTP resource type, shown in Figure 22–1, is used for Web applications protected
by Access Manager and accessed using internet protocols (HTTP or HTTPS).
Figure 22–1 Default HTTP Resource Type Definition

22-4 Administrator's Guide for Oracle Access Management

Managing Resource Types

The wl_authen resource type is shown in Figure 22–2. It is used for Fusion Middleware
applications that use one of the following Access Manager Identity Assertion Provider
configurations described in the Oracle Fusion Middleware Application Security Guide:
■

Identity Asserter

■

Identity Asserter with Oracle Web Services Manager

■

Authenticator function

Figure 22–2 Default Resource Type wl_authen

The TokenServiceRP resource type represents the Token Service Relying Party, as
shown in Figure 22–3. The operation for this resource type is Issue. For more
information, see "Managing TokenServiceRP Type Resources" on page 45-30.
Figure 22–3 Default Resource Type TokenServiceRP Resource Type

Table 22–2 describes the elements in each resource type definition.
Table 22–2

Resource Type Definition

Element

Description

Name

Required. A unique name of up to 30 alpha or numeric characters.
Note: A non-HTTP Resource Type name cannot match a Host Identifier (and vice
versa).

Description

Optional. Use this field to describe the purpose of this resource type using up to 200
alpha or numeric characters.
For example: Resources representing WebLogic Authentication schemes.

Managing Authentication and Shared Policy Components 22-5

Managing Resource Types

Table 22–2 (Cont.) Resource Type Definition
Element

Description

Operations

Optional. Policies that govern a particular resource apply to all specified operations
defined for the resource. Add (or remove) operations for this resource type as a
string and the operations will be available when you define a resource of this type
within an Application Domain. There is no limit to the number of operations that
can be added to the resource type.
■

Get

■

Post

■

Put

■

Head

■

Issue (TokenServiceRP)

■

Login (wl_authen)

■

Delete

■

Trace

■

Options

■

Connect

■

Other (available with Oracle Access Manager 10 is not supported in 11g).

Remote Registration: During automatic policy creation, specified operations are
supported. During automatic policy creation with no operations specified, then All
operations defined for that type are supported.
Migration: During an upgrade to Access Manager 11.1.2 (from 10g or from 11.1.1.3
or from 11.1.1.5), resource definitions and HTTP default operations are handled
automatically. However, you must create any custom resource types to replace
10g-provided EJB custom resource types which are no longer provided by Oracle.
See
See Also: "About Resource Types and Their Use" on page 22-2 and "Defining
Resources in an Application Domain" on page 25-14.

Following topics describe how to create, modify, and delete a resource type.

22.3.3 Searching for a Specific Resource Type
Users with valid Administrator credentials can use the following procedure to locate a
defined resource type.
See Also:

"Conducting A Search"

To search for a resource type
1. In the Oracle Access Management Console, click Application Security at the top
of the window.
2.

In the Application Security console, click Resource Types in the Access Manager
section.

3.

In the Name field, enter the name of the Resource Type you want to find (with or
without a wild card (*)), and click Search. For example:
h*

Alternatively: Go to the desired Application Domain, open the Resources node to
display controls for that domain, choose a Resource Type from the list, and click
Search.
4.

In the results table, you can:
■

Edit or View: Click the Edit button in the tool bar to display the configuration
page.

22-6 Administrator's Guide for Oracle Access Management

Managing Host Identifiers

■

■
■

Delete: Click the Delete button in the tool bar to remove the instance; confirm
removal in the Confirmation window.
Detach: Click Detach in the tool bar to expand the table to a full page.
Reorder Columns: Select a View menu item to alter the appearance of the
results table.

22.3.4 Creating a Custom Resource Type
Users with valid Administrator credentials can use the following procedure to create a
defined resource type. For instance, you can define a custom resource type that applies
to as few as one or two (or more) operations. Any defined custom resource type is
listed with default resource types when adding resources to an authentication or
authorization policy.
See Also:
■

"About Resource Types and Their Use" on page 22-2

■

"Defining Resources in an Application Domain" on page 25-27

To create a custom resource type
1. In the Oracle Access Management Console, click Application Security at the top
of the window.
2.

In the Application Security console, click Resource Types in the Access Manager
section.

3.

Click Create Resource type.

4.

In the page that appears, enter the following information:
■

Name: A unique name that identifies this resource type.

■

Description: Optional.

■

■

Operations: Click + in the Operations table, type the operation name into the
field provided. Repeat as needed to define all operations for this resource type.
Reconfigure Table: Select a View menu item to alter the appearance of the
results table.

5.

Click Apply to submit this custom resource definition.

6.

Add this resource definition to an Application Domain as described in "Adding
and Managing Policy Resource Definitions" on page 25-13.

22.4 Managing Host Identifiers
This section describes host identifiers and their use as well as how to create, modify, or
remove a host identifier. Topics here include:
■

About Host Identifiers

■

About Virtual Web Hosting

■

About the Host Identifier Page

■

Creating a Host Identifier

■

Searching for a Host Identifier Definition

■

Viewing or Editing a Host Identifier Definition

Managing Authentication and Shared Policy Components 22-7

Managing Host Identifiers

■

Deleting a Host Identifier Definition

22.4.1 About Host Identifiers
Access Manager policies protect resources on computer hosts. Within Access Manager,
the computer host is specified independently using a host identifier.
Table 22–3 illustrates the different host names under which a Web server might be
accessible to employees. Creating a single Host Identifier using all of these names
allows you to define a single set of policies to appropriately protect the application,
regardless of how the user accesses it.
Table 22–3

Host Identifiers Examples

Sample Host Identifier

Description

hrportal.intranet.company.com

A friendly name employees can remember. This is a load-balanced
proxy, and requests to this could actually utilize one of several servers
hosting the HR application.

hr-sf-02.intranet.company.com

A single machine hosting the application, which can be accessed
directly.

hrportal.company.com

The same application is also accessible externally to the corporate
firewall, primarily for use by ex-employees to check benefits, 401k
info, and so on. This is also a load-balanced reverse proxy.

Based on a defined host identifier, Administrators can add specific resources to an
Application Domain and apply policies to protect those resources.
Registered Agents protect all requests that match the addressing methods defined for
the host identifier used in a policy. A request sent to any address on the list is mapped
to the official host name and Access Manager can apply the policies that protect the
resource and OAM can apply the policies that protect the resource.
A host identifier is automatically created when an Agent (and application) are
registered using either the Oracle Access Management Console or the remote
registration tool. Administrators can manually add a host identifier if an application
and resources exist on a host that does not have a mapped host identifier. Also, Oracle
Access Management Administrators can modify an existing host identifier to add in
the new host name variations. For instance, adding another proxy Web server with a
different host name requires a new host name variation.
For more information, see:
■

Host Identifier Usage

■

Host Identifier Guidelines

■

Host Identifier Variations

22.4.1.1 Host Identifier Usage
At design time, the host identifier can be used while defining which resources belong
to a specific Application Domain. Resources are scoped using their host identifier
(HTTP) or type (non-HTTP). This combination uniquely identifies them across Access
Manager.
Each resource should be unique across all Application
Domains; each resource and host identifier combination must be
unique across all Application Domains.

Note:

22-8 Administrator's Guide for Oracle Access Management

Managing Host Identifiers

Runtime Usage
At run time, Web server host information in the access query from an OAM Agent is
mapped to a host identifier and associated with the resource that is being accessed by
a user. The OAM Agent obtains the Web server host information in one of two ways:
■

■

If the Preferred Host parameter is configured for virtual Web hosting support
(see"About Virtual Web Hosting" on page 22-10), Web server host information for
the given request is obtained from the Web server.
If the Preferred Host parameter directly specifies the Web server host information,
it is always used irrespective of the Web server's own host information.

This allows for the Resources to be specified in terms of logical host names in their
Host Identifiers, instead of the host names matching the present deployment of the
Web server.
For instance, a user accessing aseng-wiki, would enter:
http://example-wiki.uk.example.com/wikiexample
Here, wikiexample is the resource URL and example-wiki.uk.example.com is the host.
Matching this host and port (port is 80) provides the host identifier.
Preferred Host
Web server host information is generally acquired by setting the Preferred Host string
of the OAM Agent. If the Agent is actively protecting multiple virtual hosts, this string
can be set to server_name to ensure that the actual request hostname is correctly
picked up from the Web server's request object. For more information, see "About
Virtual Web Hosting" on page 22-10
Authenticating Hosts and Challenge Redirect in Authentication Schemes
When a user attempts to access a protected resource URL, she is redirected to the
server specified in the Challenge Redirect field of the authentication scheme. If the
authentication challenge is to be processed by another host, the name of that host must
be defined to be available in the Host Identifiers list. For example, if a user is
redirected to an SSL-enabled server for authentication, that server must be defined as a
host identifier.
If you enter a host name in the Challenge Redirect field of an
authentication scheme, it must be defined as a Host Identifier.

Note:

22.4.1.2 Host Identifier Guidelines
Each host identifier can be defined to represent one or more Web server hosts.
Following are several important guidelines for host identifiers:
■

Each host name must be unique.

■

Each host name:port pair must be unique.

■

Each host name:port pair must belong to only one host identifier.

■

Each host name:port pair must match the end user's entry exactly.

■

■

A Host Identifier name cannot match a non-HTTP Resource Type name (and vice
versa).
Each resource and host identifier combination must be unique across all
Application Domains.

Managing Authentication and Shared Policy Components 22-9

Managing Host Identifiers

For more information, see "Host Identifier Variations".

22.4.1.3 Host Identifier Variations
Host identifiers are used to simplify the identification of a Web server host by defining
all possible hostname variations. Host identifiers consist of a list of all URL addressing
methods. A host identifier must be configured for each Web site or virtual Web site
that you want to protect with Access Manager.
You can identify Web server hosts to Access Manager in various ways, for example, by
providing a computer name or an IP address. The following are examples of how the
same host can be addressed:
■

example.com

■

example.com:80

■

www.example.com

■

www.example.com:80

■

216.200.159.58

■

216.200.159.58:80

22.4.2 About Virtual Web Hosting
You can install a Webgate on a Web server that contains multiple Web site and domain
names. The Webgate must reside in a location that enables it to protect all of the Web
sites on that server.
The information here is the same for both 11g and 10g
Webgates.

Note:

The virtual Web hosting feature of many Web servers enables you to support multiple
domain names and IP addresses that each resolve to their unique subdirectories on a
single virtual server. For example, you can host abc.com and def.com on the same
virtual server, each with its own domain name and unique site content. You can have
name-based or IP-based virtual hosting.
A virtual host referees the situation where the same host has multiple sites being
served either based on multiple NIC cards (IP based) or multiple names (for example,
abc.com and def.com resolving to same IP).
Consider a case where you have two virtual hosts configured on an OHS Server acting
as reverse proxy to OAM Server, as follows:
■

One virtual host is configured in two-way SSL mode

■

One virtual host configured in non-SSL mode

Suppose there are two resources protected with different authentication schemes and
Application Domains:
■

/resource1 is protected by a X509Scheme with a Challenge URL (to define the
credential collection URL) of https://sslvhost:port/
When the user accesses /resource1 he is redirected to the OHS Server on the SSL
port for authentication and is asked for the X.509 Certificate.

■

/resource2 is protected by a LDAPScheme on the second virtual host with a
Challenge Redirect of http://host:port/

22-10 Administrator's Guide for Oracle Access Management

Managing Host Identifiers

When user accesses /resource2 he is redirected to second virtual host which is in
non-SSL mode (or in one way SSL mode if required). The Login form for LDAP
authentication is displayed.
Your deployment can support X.509 and Form authentication
with 10g mod_osso. However, mod_osso can be configured for only
one SSO Server. In this case, the Agent redirects to Access Manager on
the non-SSL virtual host. The credential collector checks the
Authentication Scheme's Challenge URL parameter for the resource
and redirects back to the HTTPS virtual host for X509 authentication.

Note:

22.4.2.1 Placing a Webgate Behind a Reverse Proxy
You can use 10g Webgates with reverse proxies for Access Manager. This topic
discusses benefits and pitfalls of this strategy.
Benefits:
■

All Web content can be protected from a single logical component as long as all
requests go through the proxy.
This is true even for platforms that are not supported by Access Manager. If you
have different types of Web servers (for example, iPlanet, Apache, and so on) on
different platforms (for example, Windows XP, Linux, and so on), all content on
these servers can be protected. A reverse proxy can be a workaround for
unsupported Web servers, eliminating the need to write custom Access Clients for
unsupported Web servers and on platforms that do not have Webgate support, for
example, MacOS.

■

A reverse proxy offers architecture flexibility.
Reverse proxies can allow deployments to expose an application that is available
on the intranet to the extranet. Or applications that are available on the extranet
can be exposed to the intranet. This can be done without any changes to the
application that is already deployed.

■

You only need to install a separate Webgate on the reverse proxy, rather than on
every Web server.
This allows for a single management point and can help with manageability of the
system. You can manage the security of all of the Web servers through the reverse
proxy without establishing a footprint on the other Web Servers.

Pitfalls: The main pitfall of using a proxy is the extra work involved in setup. If you
deploy the Webgate on a Web server that is behind a reverse proxy, the following are
configuration requirements:
■

Ensure that any Web server that uses the reverse proxy for authentication only
accepts requests from the reverse proxies.
This will also require that Webgates deployed on this Web server be configured to
not enforce IP validation for requests from the reverse proxy server that front-ends
the Webgate. This is done by configuring the known IP addresses of the reverse
proxy server or servers in the IP Validation list. Note that while you can achieve
the same effect by turning IP validation off for the Webgate, this is not a
recommended approach due to security risks.
Ensuring that the Web server only accepts requests from reverse proxies is
typically done by adding an ACL statement in the server. This prevents users from
bypassing the reverse proxy and directly accessing restricted content.

Managing Authentication and Shared Policy Components

22-11

Managing Host Identifiers

■

■

Update the virtual hosts that are configured in the Policy Manager so that the
Access System intercepts requests that are sent to the reverse proxy.
Prevent people from circumventing the proxy by entering URLs that point directly
to the back-end system.
You can prevent this problem through the use of Web Server Access Control Lists
or firewall filters.

■

■

Since all user requests are processed by the proxy, you must deploy enough proxy
servers to enable the system to handle the load.
Redirect all existing URLs to the host name and port number of the reverse proxy
server.
This often requires configuring the reverse proxy to perform content inspection
and rewriting to prevent any absolute HTML links, for instance, to prevent broken
link. This is achievable with most reverse proxies, and this is something you can
configure independently of the Access System,.

■

It is a best practice that URL links exposed to the front-ended applications rely on
only relative URLs (../../sub-path/resource) rather than absolute URLs
(http://example.com:[port]/path/resource).
Absolute URLs can break links on the end user's browser when deployed behind a
reverse proxy.

22.4.2.2 Configuring Virtual Hosting for Non-Apache Web Servers
Ensure that the Virtual Host box is checked on the 10g Webgate registration page.
On most Web servers, other than Apache-based servers, you must set the Preferred
Host value to HOST_HTTP_HEADER. This ensures that, when user's browser sends a
request, the Webgate sets the value of the Preferred Host to the host value in the
request. For example, suppose a user enters the string example2 in a URL:
http://example2
On the Web server, if one of the Web sites has a host named example2, the request is
served by the matching virtual site.
In the Preferred Host field of the expanded 10g Webgate registration page, enter the
following:
HOST_HTTP_HEADER.
IIS Virtual Hosting: From the IIS console, you must configure each virtual Web site to
contain the following fields:
■

Host Header Name

■

IP address

■

Port
See Also:
■

http://www.simpledns.com/kb.aspx?kbid=1149

■

http://support.microsoft.com/kb/q190008/

22.4.2.3 Associating a Webgate for Apache with Virtual Hosts, Directories, or Files
Ensure that the Virtual Host box is checked on the 10g Webgate registration page.

22-12 Administrator's Guide for Oracle Access Management

Managing Host Identifiers

On Apache-based Web servers (Apache, Apache 2, IBM HTTP Server, Oracle HTTP
Server, and so on), the Preferred Host value must be set to SERVER_NAME.
The SERVER_NAME value is not supported for any host other
than an Apache-based server. If you set this value for a
non-Apache-based server, users will be unable to access any resources
that are protected by Webgate on that Web server. Users will, instead,
receive an error that the Webgate configuration is incorrect.

Note:

The ServerName directive must be explicitly set with 7777 along with
the hostName. This is irrespective of the Listen directive is set
correctly. The Server sometimes requires this value explicitly to
identify itself, most often it can identify itself automatically.
When using an Apache-based reverse proxy for single sign-on, in the Web server
configuration file (httpd.config, for example) file you specify the Web sites to run on
the Apache server. The settings can be global across all Web sites or local to a Web site.
You can restrict the Access Manager loading references in the httpd.config file to be
associated with a specified site, with virtual hosts, specific directories or even files.
To associate the Webgate with specific targets, you move the following directives the
the http.conf file:
AuthType Oblix
require valid-user

You can put these directives in a block that tells Apache to use Webgate for every
request. You can also move the directives to a block that limits when the Webgate is
called. The following is an example of putting the LocationMatch directive after a
VirtualHost directive:
DocumentRoot /usr/local/apache/htdocs/myserver
ServerName myserver.example.net
AuthType Oblix
require valid-user

After you move the LocationMatch block to the VirtualHost directive, the Webgate
will only work for that virtual host. You can add the LocationMatch block to as many
virtual hosts as you want. The following examples shows how you could protect one
virtual server:
ServerAdmin webmaster@example.net
DocumentRoot "Z:/Apps/Apache/htdocs/MYsrv"
ServerName apps.example.com
ProxyRequests On
SSLEngine on
SSLCACertificateFile Z:/Apps/sslcert_exampleapps_ptcweb32/intermediateca.cer
SSLCertificateFile Z:/Apps/sslcert_exampleapps_ptcweb32/sslcert_myapps_
ptcweb32.cer
SSLCertificateKeyFile Z:/Apps/sslcert_exampleapps_ptcweb32/sslcert_myapps_
ptcweb32.key
ErrorLog logs/proxysite1_log
CustomLog logs/proxysite1_log common
ProxyPass /https://apps.example.com/
ProxyPassReverse /https://apps.example.com/
ProxyPass /bkcentral https://apps.example.com/bkcentral
ProxyPassReverse /bkcentral https://apps.example.com/bkcentral
ProxyPass /NR https://apps.example.com/NR
ProxyPassReverse /NR https://apps.example.com/NR
Managing Authentication and Shared Policy Components

22-13

Managing Host Identifiers

AuthType Oblix
require valid-user
#*** BEGIN Oracle Access Manager Webgate Specific ****
LoadModule obWebgateModule
Z:/apps/Oracle/WebComponent/access/oblix/apps/webgate/bin/webgate.dll
WebgateInstalldir Z:/apps/Oracle/WebComponent/access
WebgateMode PEER
SetHandler obwebgateerr
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel info
# You can later change "info" to "warn" if everything is OK

22.4.3 About the Host Identifier Page
A host identifier is automatically created when an Agent (and application) are
registered using either the Oracle Access Management Console or the remote
registration tool. In the Application Domain that is registered with the Agent, the host
identifier is used automatically.
Administrators can use the console to create and manage host identifiers. Within the
Oracle Access Management Console, host identifiers are organized under Shared
Components, on the Policy Configuration tab navigation tree. Administrators can
manually create a new host identifier definition, modify a definition, delete a
definition, or copy an existing definition to use as a template. The name of the copy is
based on the original definition name. For example, if you copy a definition named
host3, the copy is named copy of host3.
Figure 22–4 illustrates the Create Host Identifier configuration page in the console,
where you enter the canonical name for the host, and every other name by which the
same host can be addressed by users.
Each host identifier must be unique. You cannot use the same
host name and port in any other host identifier definition.

Note:

Figure 22–4 Create Host Identifier Page

22-14 Administrator's Guide for Oracle Access Management

Managing Host Identifiers

Table 22–4 describes the host identifier definitions.
Table 22–4

Host Identifier Definitions

Property

Description

Name

A unique name for this definition. Use only upper- and lower-case alpha characters.
No punctuation or special characters are allowed.

Description

The optional description, up to 200 characters, that explains the use of this
configuration.

Host Name
Variations

■

Host Name: A list of the various host names or permutations that users might
use when accessing the application.
See also: "Host Identifier Variations" on page 22-10 and "Host Identifier
Guidelines" on page 22-9.

■

Port: The Web server port used by each host or permutation

22.4.4 Creating a Host Identifier
Users with valid Administrator credentials can use the following procedure to create a
host identifier definition manually. This is needed if an application and resources were
manually added to a host that has no mapped host identifier. When you choose Auto
Create Policies when registering an Agent, this is done automatically.
If you copy an existing definition to use as a template, you
must modify all unique identifiers in the copy.

Note:

See Also:
■

"About Host Identifiers" on page 22-8

■

"About Virtual Web Hosting" on page 22-10

To manually create a Host Identifier
1.

In the Oracle Access Management Console, click Application Security at the top
of the window.

2.

In the Application Security console, click Host Identifiers in the Access Manager
section.

3.

Click Create Host Identifier.

4.

On the Create Host Identifier page, fill in the:
a.

Name

b.

Description

c.

Host Name Variations: Add (or remove) host name and port variations in the
Operations list.
Add: Click the Add (+) button, then enter a new host name and port
combination to identify variables that map to the Host Identifier Name.
Remove: Click a host name, then click the Delete button to remove it.

5.

Repeat step 3c as needed to identify all variations of this host that users can access.

6.

Click Apply to submit the new definition (or close the page without applying
changes).

Managing Authentication and Shared Policy Components

22-15

Managing Host Identifiers

7.

Close the Confirmation window, and confirm the new definition is listed in the
results table.

22.4.5 Searching for a Host Identifier Definition
Users with valid Administrator credentials can perform the following task to search
for a specific host identifier.
Note: During Delete, if the Host Identifier is associated with a
resource, you are prompted with an alert. Without any association, the
Host Identifier is deleted successfully.

See Also:

"Conducting A Search"

To find for a host identifier
1.

In the Oracle Access Management Console, click Application Security at the top
of the window.

2.

In the Application Security console, click Host Identifiers in the Access Manager
section.

3.

In the Search Host Identifiers page Name field, enter a name (or a partial name
with wild card (*)), or leave the Name field blank to show all Host Identifiers. For
example:
my_h*

4.

Click the Search button to initiate the search and display results in a table, then:
■

■

■

■

View or Edit: Double-click the name in the Search Results table to display the
configuration page, then add or edit as usual.
Delete: Click the Delete button in the tool bar to remove the selected item in
the results table; confirm removal in the Confirmation window.
Detach: Click Detach in the tool bar to expand the Search Results table to a full
page (or from the View menu, click Detach).
Reorder Columns: From the View menu, select reorder Columns and use the
arrows provided to reorder the columns.

22.4.6 Viewing or Editing a Host Identifier Definition
Users with valid Administrator credentials can use the following procedure to modify
a host identifier definition. This can include adding, changing, or removing individual
host identifiers from the definition. For instance, when adding another proxy Web
server with a different host name, you might need to modify an existing host identifier
definition to add the new host name variation.
Prerequisite: Inventory Application Domains that refer to the host identifier and
After viewing settings, you can either close the page or modify
settings as needed.

Note:

See Also:

"About the Host Identifier Page" on page 22-14

22-16 Administrator's Guide for Oracle Access Management

Managing Host Identifiers

To view or modify a Host Identifier
1.

Locate the desired host identifier and view it as described in "Searching for a Host
Identifier Definition" on page 22-16.

2.

On the Host Identifier page, modify information as needed (Table 22–4):
a.

Name

b.

Description

c.

Host Name Variations: In the table provided:
Add (+) Host Name Variations: Click the Add (+) button, then enter a new
host name and port combination to identify variables that map to the Host
Identifier Name.
Delete (X) Host Name Variations: Click a host name, then click the Delete
button to remove it.

3.

Repeat step 3c as needed to add or remove variations.

4.

Click Apply to submit the changes (or close the page without applying changes).

5.

Dismiss the Confirmation window, and close the page when you finish.

22.4.7 Deleting a Host Identifier Definition
Users with valid Administrator credentials can use the following procedure to delete
an entire host identifier definition. A validation error occurs if you attempt to delete
the host identifier that is being used in a resource.
If the Host Identifier is associated with a resource, you are
alerted. Without any association, the Host Identifier is deleted.

Note:

Prerequisites
Each resource in an Application Domain is associated with a specific host identifier. If
you intend to delete a host identifier you must first modify any resource definitions in
an Application Domain that uses this host identifier.
See Also: "Viewing or Editing a Host Identifier Definition" on
page 22-16 if you want to remove a single host identifier from an
existing definition.

To delete a Host Identifier
1.

Locate and modify related resource definitions in any application domains that
uses this host identifier. See "Searching for a Resource Definition" on page 25-28.

2.

Locate the desired host identifier as described in "Searching for a Host Identifier
Definition" on page 22-16.

3.

View: Double-click the name in the results table to display the configuration page,
and confirm this can be removed.

4.

Delete: Click the Delete button in the tool bar to remove the selected item in the
results table; confirm removal in the Confirmation window.

Managing Authentication and Shared Policy Components

22-17

Understanding Authentication Methods and Credential Collectors

22.5 Understanding Authentication Methods and Credential Collectors
With Access Manager, authentication involves redirecting the requester (user) to a
centralized component that performs authentication (known as the Credential
Collector).
This section provides the following topics:
■

About Different Authentication Methods

■

Comparing Embedded Credential Collector with Detached Credential Collector

■

Authentication Event Logging and Auditing

22.5.1 About Different Authentication Methods
Authentication is the process of proving that a user is who he or she claims to be.
Authenticating a user's identity with Access Manager refers to running a pre-defined
set of processes to verify the digital identity of the user.
Using Access Manager, a resource or group of resources can be protected by a single
authentication process known as an authentication scheme. Authentication schemes
rely on pre-defined authentication modules or plug-ins.
This section describes multi-level authentication and other authentication methods
supported by Access Manager.
Multi-level Authentication
Access Manager enables Administrators to assign different authentication levels to
different authentication schemes, and then choose which scheme protects which
application. Every authentication scheme requires a strength level. The lower this
number, the less stringent the scheme. A higher level number indicates a more secure
authentication mechanism.
SSO capability enables users to access more than one protected resource or application
with a single sign in. A user who is authenticated to access resources at level 2, is
eligible to access resources protected at levels less than or equal to 2. However, if the
user is authenticated to access resources at level 2 and then attempts to access
resources protected by level 3, the user is asked to re-authenticate (this is known as
step-up authentication).
For more information, see "About Multi-Level and Step-Up Authentication" on
page 22-80.
See Also:

"Multi-Step Authentication"

Multi-Step Authentication
Multi-step authentication requires a custom authentication module composed of two
or more authentication plug-ins that transmit information to the backend
authentication scheme several times during the login process. All information
collected by the plug-in and saved in the context will be available to the plug-in
through the authentication process. Context data can also be used to set cookies or
headers in the user's login page.
See "Comparing Simple Form and Multi-Factor (Multi-Step) Authentication" on
page 22-30.

22-18 Administrator's Guide for Oracle Access Management

Understanding Authentication Methods and Credential Collectors

Windows Native Authentication
Integrated Windows Native Authentication is supported for both OSSO and Webgate
protected applications. This form of authentication relies on the Kerberos
authentication module. For more information, see Chapter 57, "Configuring Access
Manager for Windows Native Authentication".
Other Authentication Types
Authentication features required by Oracle Fusion Middleware applications are
supported, including:
■

Weak authentication, typically a user name and password, no certificates

■

Auto-login with third-party self-service user provisioning

■

HTTP header support for user context information. For instance, host identifiers
are used to create a host context for the resource. This is useful when adding
resources that have the same URL paths on different computers.

If you use different authentication schemes for two WebGates, users can go from a
higher authentication scheme to a lower one without re-authentication, but not from a
lower level to a higher level.
Note: During single sign-on, users might pass the authentication
tests but might fail authorization tests when attempting to access a
second or third resource. Each resource in the domain might have a
unique authorization policy.

For details about configuring and using authentication schemes with Access Manager,
see "Managing Authentication Schemes" on page 22-64.

22.5.2 Comparing Embedded Credential Collector with Detached Credential Collector
Access Manager 11.1.2 supports the embedded credential collector (ECC) by default
but also enables you to configure the latest WebGate to use as a detached credential
collector (DCC, also known as an Authenticating WebGate). The DCC is considered
more secure than the default ECC. The centralized DCC presents the login page,
collects the user credentials (userID and password, for example), and sends these to
the OAM Server using the back channel Oracle Access Protocol (OAP). Additional
credentials can be requested using the DCC.
The DCC is the recommended approach for credential
collection. See Chapter 23, "Understanding Credential Collection and
Login" for more details.

Note:

When OAM Server is configured to use the DCC, the ECC and its HTTP endpoints are
disabled. The only HTTP communication is to the Oracle Access Management Console
hosted by the WebLogic AdminServer in the domain where the OAM Server is
deployed. Connectivity to the AdminServer can be controlled at the network level, for
example, to disallow administration requests from outside the internal network.
■

Allowing both the ECC and DCC to co-exist enables you to use authentication
schemes and policies configured for use with either the ECC or the DCC. This
enables a fallback mechanism for resources that rely on the ECC, which includes
the Oracle Access Management Console.

Managing Authentication and Shared Policy Components

22-19

Understanding Authentication Methods and Credential Collectors

■

Disabling (turning off) the ECC entirely prohibits access to resources that rely on
the ECC mechanism, including the Oracle Access Management Console.

While the embedded and detached credential collectors (ECC and DCC, respectively)
are essentially the same, compare the two in Table 22–5.
See Also:
Table 22–5

"Understanding Credential Collection and Login"

Comparing the DCC and ECC

Deployment

DCC

ECC

The Detached Credential Collector remains a
logical part of the server and acts as a front
channel communication endpoint of the OAM
Server. However, the DCC also:

The Embedded Credential Collector is deployed
with, and integral to, the OAM Server and part of
the protocol binding layer.

■

■

■

DMZ Deployment

Stands alone (detached from the OAM
Server and does not require an application
server).

The ECC supports RSA SecurID passcode
verification, get next token, create new pin
workflows.

Supports RSA SecurID passcode verification,
get next token, create new pin workflows.
Is similar to the earlier 10g Authenticating
Webgate with greater flexibility for server
scale-out and attack resilience as well as
credential collection UI construction, flow,
and lifecycle management.

Yes.

No.

The main benefit of a deployment using DCC in
the DMZ is the termination of the end-user
network connections within the public network,
and the use of Oracle Access Protocol (Oracle's
proprietary application network protocol) over
mutually authenticated connections reaching the
OAM Server. This offers a complete isolation of
the OAM Server from the establishment of any
unauthenticated network connection.
Unauthenticated users cannot send malformed
requests to the OAM Server.
Communication channel

DCC consumes HTTP/HTTPS requests from the
user, then communicates with the OAM Server
across the Oracle Access Protocol (back channel),
which can be SSL-enabled.

22-20 Administrator's Guide for Oracle Access Management

ECC communicates with both the user and the
OAM Server across HTTP/HTTPS.

Understanding Authentication Methods and Credential Collectors

Table 22–5 (Cont.) Comparing the DCC and ECC

DCC login, error, and
password pages

DCC

ECC

Dynamic pages general login/logout and
password policy with the DCC are excluded
automatically through the OHS
httpd.conf/webgate.conf file--you do not need to
configure a policy to exclude these. See the
Webgate host in $WEBGATE_
HOME/webgate/ohs/oamsso/*, $WEBGATE_
HOME/webgate/ohs/oamsso-bin/*pl, and
$WEBGATE_
HOME/webgate/ohs/oamsso-bin/templates/*
directory:

Pages where the user enters her credentials arrive
out of the box on the OAM Server and require no
additional settings or changes.

■

Login page: /oamsso-bin/login.pl

■

Logout: /oamsso-bin/logout.pl

■

■

Login page: /pages/login.jsp

■

Logout page: /pages/logout.jsp

■

Error page: /pages/servererror.jsp

■

Multi-step: /pages/mfa_login.jsp

RSA SecurID login pages:
/oamsso-bin/securid.pl

Note: Update the Perl location in the first line of
the login, logout, and securid scripts in
/oamsso-bin.
See Also: Table 24–4, " Credential Collector
Password Pages".
Chapter 56, "Integrating RSA SecurID
Authentication with Access Manager" for details
about login pages for this implementation.
For details about customizing pages and
messages, see the Oracle Fusion Middleware
Developer's Guide for Oracle Access
Management.
Perl Scripts for
DCC-based Login and
Logout

Perl Scripts for DCC-based Login and Logout

N/A

The path name of the Perl executable must be
updated in Oracle-provided Perl scripts on the
Webgate host $WEBGATE_
HOME/webgate/ohs/oamsso-bin/*pl to be
consistent with the actual location.
Unix: The which command finds Perl on the
OAM Server. For example:
which perl
/usr/bin/perl
However, Perl scripts themselves point to:
/usr/local/bin/perl
Windows: The default Perl Interpreter specified
in Oracle-provided Perl scripts will not be
available. You must update the Perl Interpreter
path in these scripts to actual path to Perl on your
system.

Password policy
enforcement

Yes.

Yes

See Configuring 11g WebGates and
Authentication Policy for DCC

See: Managing Global Password Policy

Authentication scheme
collection methods

DCC supports only Form Based Authentication.

Custom Authentication
Plug-ins and Challenge
Methods

Yes; same as ECC.

ECC supports all challenge methods.
The ECC collects user credentials based on the
challenge method of the Authentication Scheme
and sends it back to OAM Server for validation.
All challenge methods and multi-step
authentication (Password Policy and other
custom authentication plugins) are supported.

Managing Authentication and Shared Policy Components

22-21

Understanding Authentication Methods and Credential Collectors

Table 22–5 (Cont.) Comparing the DCC and ECC

Single Step (Simple
Form) Authentication

DCC

ECC

Yes; same as ECC.

Yes. Both the DCC and ECC handle this, where:
■

■

■

Multi-Step
Authentication

Yes. Both the DCC and ECC handle complex
multi-factor (multi-step, iterative, and variable)
Authentication processing.

All credentials are supplied in one simple
form
Upon credential validation and
authentication, either success or failure
status is returned
This can be retried upon failure

Yes. Both the DCC and ECC handle complex
multi-factor (multi-step, iterative, and variable)
Authentication processing.

In this case:
■

■

■

■

Not all required credentials are supplied at
once
Depending on the authentication status,
PENDING state, expected credentials and
context data are returned, expecting those
credentials to be supplied in the next round
Each intermediate step, submit required
credentials and context data to feed
authentication engine, until a success or
failure status returned
The Authentication plug-in can have
multiple steps configured

See "Understanding Multi-Level and Step-Up
Authentication" on page 22-79
Authentication
Processing

The DCC does not restrict authentication
functionality of the OAM Server in any way as
compared to the ECC.

During authentication:
1.

The ECC handles the request coming to the
protocol binding layer (PBL), which converts
it and sends it to the SSO Engine.

2.

The SSO Engine checks for a valid session
and, if none, transfers control to the
Authentication Engine.

3.

The Authentication Engine checks for
resource protection and fetches the
authentication scheme associated with the
resource.

The DCC:
1.

Handles authentication redirects from both
10g and 11g Webgates.

2.

Handles Form-based authentication, which
consists of a challenge to the user for their
credentials (simple form or multi-factor).

3.

Decrypts the authentication request message
from the agent using the agent key; performs
basic integrity checks; validates request time; 4.
and extracts all parameters from the request
including request context.

4.

Constructs the authentication response
message, including request context
originally retrieved, encrypts obrar using the
agent key.

5.

Decrypts the logout redirect request using
the agent key to trigger logout processing.

22-22 Administrator's Guide for Oracle Access Management

The ECC interacts with the client, accepts the
data, and submits this to the PBL.

Managing Native Authentication Modules

Table 22–5 (Cont.) Comparing the DCC and ECC

Overriding the ECC

DCC

ECC

To deploy the DCC and override the ECC, an
Administrator must perform the following tasks
to specify the relevant DCC URLs and forms.

N/A

■

■

■

■

■
■

OAM Agent registration: Allow Credential
Collector Operations (enable for DCC)
Authentication Module, Step Orchestration:
Error (if Failure)
Authentication Scheme: Challenge Redirect
URL (DCC host and port)
Authentication Scheme: Challenge URL
/oamsso-bin/login.pl (DCC login pages)
Authentication Scheme: Challenge Method
Password Policy: Password Service URL for
DCC (Default: /oamsso-bin/login.pl)

See Configuring 11g WebGates and
Authentication Policy for DCC
Logout Configuration

See "Configuring Logout When Using Detached
Credential Collector-Enabled WebGate" on
page 27-6

Cookie/Token

See "Configuring Centralized Logout for 11g
WebGates" on page 27-4

■

DCCCtxCookie

■

11g Webgate: OAMAuthnCookie

■

11g WebGate: OAMAuthnCookie

■

11g Webgate: OAM_REQ

■

11g WebGate: OAMRequestContext

■

11g Webgate: OAM_ID

■

10g Resource WebGate: ObSSOCookie

■

11g Webgate: OAMRequestContext

■

10g Webgate: ObSSOCookie

See: "About Single Sign-On Cookies During User
Login" on page 21-14

See: "About Single Sign-On Cookies During User
Login" on page 21-14

22.5.3 Authentication Event Logging and Auditing
Authentication Success and Failure events are audited, in addition to administration
events. Auditing covers creating, modifying, viewing, and deleting authentication
schemes, modules, and policies. Information that is collected about the user who is
authenticating includes:
■

IP address

■

User Login ID

■

Time of Access

During logging (or auditing), user information, user sensitive attributes are not
recorded. Secure data (user passwords, for example) are removed to avoid misuse.
See Also:
■

Chapter 7, "Logging Component Event Messages"

■

Chapter 8, "Auditing Administrative and Run-time Events."

■

Chapter 11, "Monitoring Performance and Health"

22.6 Managing Native Authentication Modules
In Access Manager, each authentication scheme requires an authentication module.

Managing Authentication and Shared Policy Components

22-23

Managing Native Authentication Modules

Native authentication modules lack the flexibility to
orchestrate two or more plug-ins to meet specialized authentication
needs. Therefore, native authentication modules are targeted for
deprecation in future releases. Oracle strongly recommends using
plug-in based authentication modules as described "Orchestrating
Multi-Step Authentication with Plug-in Based Modules" on
page 22-29.

Note:

This section provides the following information:
■

About Native Access Manager Authentication Modules

■

Viewing or Editing Native Authentication Modules

■

Deleting a Native Authentication Module

22.6.1 About Native Access Manager Authentication Modules
Table 22–6 lists the Native Access Manager Authentication Modules.
Table 22–6

Native Authentication Modules

Module Name

Description

LDAP

Matches the credentials (username and password) of the user who
requests a resource to a user definition stored in an LDAP directory
server. An LDAP module is required for Basic and Form challenge
methods.
See Also: "Native LDAP Authentication Modules" on page 22-25.

LDAPNoPasswordAuthModule

Matches the credentials (username and password) of the user who
requests a resource to a user definition stored in an LDAP directory
server. An LDAP module is required for Basic and Form challenge
methods.
See Also: "Native LDAP Authentication Modules" on page 22-25.

Kerberos

Identifies the key tab file and krb5.configuration file names and
Principal.
Use this plug-in when configuring Access Manager for Windows
Native Authentication, as described in Chapter 57.
See Also: "Native Kerberos Authentication Module" on page 22-25.

X509

Similar to the LDAPPlugin with additional properties that indicate
which attribute of the client's X.509 certificate should be validated
against the user attribute in LDAP.
See Also: "Native X.509 Authentication Module" on page 22-26.

Custom Authentication Modules

This type of module relies on bundled plug-ins (or those that are
developed using the Access Manager Authentication Extensibility
Java API). This type of module generally uses more than one plug-in
that you can orchestrate to ensure that each one performs a specific
authentication function. Depending on the success or failure action
defined for each plug-in, another authentication plug-in is called.
See Also: "About Plug-in Based Modules for Multi-Step
Authentication" on page 22-39, and Oracle Fusion Middleware
Developer's Guide for Oracle Access Management for details about
developing and deploying plug-ins, custom authentication modules,
and schemes that use custom modules.

22-24 Administrator's Guide for Oracle Access Management

Managing Native Authentication Modules

See Also:
■
■

"About Challenge Methods" on page 22-71
Oracle Fusion Middleware Developer's Guide for Oracle Access
Management for details about creating custom authentication
plug-ins

22.6.1.1 Native Kerberos Authentication Module
The pre-configured Kerberos authentication module is illustrated in Figure 22–5.
Additional details follow the figure.
Figure 22–5 Native Kerberos Authentication Module

Table 22–7 describes the definition of the native Kerberos authentication module. You
can use the existing, pre-configured Kerberos authentication module or create one of
your own.
Table 22–7

Native Kerberos Authentication Module Definition

Element

Description

Name

The unique ID of this module, which can include upper and lower case alpha
characters as well as numbers and spaces.

Key Tab File

The path to the encrypted, local, on-disk copy of the host's key, required to authenticate
to the key distribution center (KDC). For example: /etc/krb5.keytab.
The KDC authenticates the requesting user and confirms that the user is authorized for
access to the requested service. If the authenticated user meets all prescribed
conditions, the KDC issues a ticket permitting access based on a server key. The client
receives the ticket and submits it to the appropriate server. The server can verify the
submitted ticket and grant access to the user submitting it.
The key tab file should be readable only by root, and should exist only on the
machine's local disk. It should not be part of any backup, unless access to the backup
data is secured as tightly as access to the machine's root password itself.

Principal

Identifies the HTTP host for the principal in the Kerberos database, which enables
generation of a keytab for a host.

KRB Config File

Identifies the path to the configuration file that controls certain aspects of the Kerberos
installation. A krb5.conf file must exist in the /etc directory on each UNIX node that is
running Kerberos.
krb5.conf contains configuration information required by the Kerberos V5 library (the
default Kerberos realm and the location of the Kerberos key distribution centers for
known realms).

22.6.1.2 Native LDAP Authentication Modules
Oracle provides two LDAP authentication modules:
■

LDAP

■

LDAPNoPasswordAuthModule

Managing Authentication and Shared Policy Components

22-25

Managing Native Authentication Modules

Both modules have the same requirements (Name and User Identity Store), as
illustrated in Figure 22–6. Additional details follow the figure.
Figure 22–6 Native LDAP Authentication Module

Table 22–8 describes the elements in an LDAP authentication module. The same
elements and values are also used in LDAPNoPasswordAuthnModule.
These standard LDAP Authentication Modules are targeted
for deprecation. Future enhancements will not be available in
standard modules. Oracle strongly recommends using plug-in based
modules.

Note:

Table 22–8

Native LDAP Authentication Modules Definition

Element

Description

Name

A unique name for this module.

User Identity Store

The designated LDAP user identity store must contain any user credentials
required for authentication by this module. The LDAP store must be registered
with Access Manager.
See Also: "Registering and Managing User Identity Stores" on page 5-4.
Multiple identity store vendors are supported. Upon installation, there is only
one User Identity Store, which is also the designated System Store. If you add
more identity stores and designate a different store as the System Store, be sure
to change the LDAP module to point to the System Store. The authentication
scheme OAMAdminConsoleScheme relies on the LDAP module for Administrator
Roles and credentials.
See Also: "Using the System Store for User Identities" on page 5-5 and
"Administrator Lockout" on page E-6.

22.6.1.3 Native X.509 Authentication Module
Access Manager provides a pre-configured X.509 authentication module as a default.
Administrators can also create new X.509 authentication modules. In cryptographic
terms, X.509 is a standard for digital public key certificates used for single sign-on
(SSO). X.509 specifies standard formats for public key certificates, certificate revocation
lists, and attribute certificates among other things.
With X.509 digital certificates you can assume a strict hierarchical system of certificate
authorities (CAs) issuing the certificates. In the X.509 system, a CA issues a certificate
that binds a public key to a particular Distinguished Name, or to an Alternative Name
such as an e-mail address or a DNS-entry.
The trusted root certificates of an enterprise can be distributed to all employees so that
they can use the company PKI system. Certain Web browsers provide pre-installed
root certificates to ensure that SSL certificates work immediately.
Access Manager uses the Online Certificate Status Protocol (OCSP) Internet protocol to
maintain the security of a server and other network resources. OCSP is used for
obtaining the revocation status of an X.509 digital certificate. OCSP specifies the

22-26 Administrator's Guide for Oracle Access Management

Managing Native Authentication Modules

communication syntax used between the server containing the certificate status and
the client application that is informed of that status.
When a user attempts to access a server, OCSP sends a request for certificate status
information. OCSP discloses to the requester that a particular network host used a
particular certificate at a particular time. The server returns a response of "current",
"expired," or "unknown." OCSP allows users with expired certificates a configurable
grace period, during which they can access servers for the specified period before
renewing.
OCSP messages are encoded in ASN.1 and are usually transmitted over HTTP. The
request and response characteristic of OCSP has led to the term "OCSP responders"
when referring to OCSP servers. With Access Manager, the computer hosting the
Oracle Access Management Console is the OCSP responder.
An OCSP responder can return a signed response signifying that the certificate
specified in the request is 'good', 'revoked' or 'unknown'. If OCSP cannot process the
request, it can return an error code.
Figure 22–7 Native X.509 Authentication Module

Table 22–9 describes the requirements of the native X.509 authentication module.
This standard Authentication Module is targeted for
deprecation. Future enhancements will not be available in standard
modules. Oracle strongly recommends using plug-in based modules.

Note:

Table 22–9

X509 Authentication Module Definition

Element

Description

Name

Identifies this module definition with a unique name.

Match LDAP Attribute

Defines the LDAP distinguished name attribute to be searched against given
the X509 Cert Attribute value.
For example, if the certificate subject EMAIL is me@example.com and it
must be matched against the "mail" LDAP Attribute, an LDAP query must
search LDAP against the "mail" attribute with a value "me@example.com
(cn).
Default: cn

Managing Authentication and Shared Policy Components

22-27

Managing Native Authentication Modules

Table 22–9 (Cont.) X509 Authentication Module Definition
Element

Description

X509 Cert Attribute

Defines the certificate attribute to be used to bind the public key (attributes
within subject, issuer scope to be extracted from the certificate: subject.DN,
issuer.DN, subject.EMAIL, for example).
See Also. Match LDAP Attribute earlier in this table.

Cert Validation Enabled

Enables (or disables if not checked) X.509 Certificate validation.
When enabled, the OAM Server performs the certificate validation (rather
than having the WebLogic server intercept and validate the certificate before
passing it to the OAM Server). Access Manager performs the entire
certificate path validation.

OCSP Enabled

Enables (or disables when not checked) the Online Certificate Status
Protocol. Values are either true or false. For example:
OCSP Enabled: true
Note: OCSP Server Alias, OCSP Responder URL and OCSP Responder
Timeout are required only when OCSP Enabled is selected.

OCSP Server Alias

An aliased name for the OSCSP Responder pointing to CA certificates in
.oamkeystore file--a mapping between the aliased name and the actual
instance name or the IP address of the OSCSP Responder instance.

OCSP Responder URL

Provides the URL of the Online Certificate Status Protocol responder. For
example, OpenSSL Responder URL:
http://localhost:6060

OCSP Responder Timeout

Specifies the grace period for users with expired certificates, which enables
them to access OAM Servers for a limited time before renewing the
certificate.

22.6.2 Viewing or Editing Native Authentication Modules
Users with valid Administrator credentials can use the following procedure to modify
an existing authentication module. This includes changing the name of an existing
module as well as changing other attributes.
Prerequisites
Modify each authentication scheme that references the module you will change, to use
another authentication module if needed.
By default, the LDAP module is used in the authentication
scheme that protects the Oracle Access Management Console. To
ensure Administrator access, the LDAP module must point to the User
Identity Store that is designated as the System Store. If you change the
designated System Store, be sure to change the LDAP Module to
reference the newly designated System Store.
Note:

To find, view, or edit an authentication module
1. In the Oracle Access Management Console, click Application Security at the top
of the window.
2.

In the Application Security console, click Authentication Modules in the Plug-ins
section.

3.

In the Search Results list, select the desired module to open its properties page.

4.

On the properties page, modify information as needed:
■

Kerberos Module: See Table 22–7

22-28 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

■

LDAP Module: See Table 22–8

■

X.509 Module: See Table 22–9 and Table 22–15

5.

Click Apply to submit the changes and close the Confirmation window (or close
the page without applying changes).

6.

Add the updated authentication module to authentication schemes (or change to
another authentication module in each authentication scheme that references this
module), as described in "Managing Authentication Schemes" on page 22-64.

22.6.3 Deleting a Native Authentication Module
Users with valid Administrator credentials can use the following procedure to delete
an authentication module.
The following procedure is the same whether you are deleting a custom authentication
module or a native module.
Prerequisites
In each authentication scheme that references the module to be deleted, specify
another authentication module.
To delete an authentication module
1. In the Oracle Access Management Console, click Application Security at the top
of the window.
2.

In the Application Security console, click Authentication Modules in the Plug-ins
section.

3.

Optional: Open the module to verify this is the module to remove, then close the
page.

4.

In the Search Results list, click the desired module name, then click the Delete
button.

5.

Confirm removal (or dismiss the confirmation window to retain the module).

22.7 Orchestrating Multi-Step Authentication with Plug-in Based Modules
Authentication involves determining which credentials a user must supply when
requesting access to a resource, gathering credentials, and returning a response that is
based on the results of credential validation. All authentication processing relies on an
authentication module to define the rules governing requirements and transmission of
information to the backend authentication scheme. All information collected by the
plug-in and saved in the context is available to the plug-in through the authentication
process. Context data can also be used to set cookies or headers in the user's login
page.
Oracle strongly recommends using authentication plug-ins to
create custom authentication modules.

Note:

This section provides the following topics:
■

Comparing Simple Form and Multi-Factor (Multi-Step) Authentication

■

About Plug-ins for Multi-Step Authentication Modules

Managing Authentication and Shared Policy Components

22-29

Orchestrating Multi-Step Authentication with Plug-in Based Modules

■
■

About Plug-in Based Modules for Multi-Step Authentication
Example: Leveraging SubjectAltName Extension Data and Integrating with
Multiple OCSP Endpoints

■

Creating and Orchestrating Plug-in Based Multi-Step Authentication Modules

■

Creating and Managing Step-Up Authentication

■

Configuring an HTTPToken Extractor Plug-in

■

Configuring a JSON Web Token Plug-in
See Also: Oracle Fusion Middleware Developer's Guide for Oracle
Access Management if you want to create custom authentication
plug-ins.

22.7.1 Comparing Simple Form and Multi-Factor (Multi-Step) Authentication
Simple form-based authentication relies on the default embedded or optional detached
credential collector and Web forms that process user logins with Access Manager
authentication mechanisms. Simple form-based authentication is the default and does
not require additional configuration unless you want to customize forms. With simple
form-based authentication:
■
■

■

All credentials are supplied in one simple form.
Upon credential validation and authentication, either success or failure status is
returned.
Authentication can be retried upon failure.
See Also: Oracle Fusion Middleware Developer's Guide for Oracle Access
Management for details about customizing login pages and forms

For dynamic, multi-step authentication, Access Manager provides a number of
plug-ins with which you can design and orchestrate your own customized
authentication modules. Authentication plug-ins provide processing that meets your
specific needs. Both the ECC and DCC handle complex multi-factor (multi-step,
iterative, and variable) Authentication processing, where:
■
■

■

■

Not all required credentials are supplied at once
Depending on the authentication status, PENDING state, expected credentials and
context data are returned, expecting those credentials to be supplied in the next
round
Each intermediate step, submit required credentials and context data for the
authentication engine, until a success or failure status is returned.
The Authentication plug-in can have multiple steps configured.
Administrators can install multiple user identity stores for
Access Manager. Each identity store can rely on a different LDAP
provider. Each authentication plug-in can be configured to use a
different user identity store.

Note:

Table 22–10 provides more information about these two forms of authentication.

22-30 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Table 22–10

Simple Form versus Multi-Step Authentication

Authentication Method

Description

Simple form-based
authentication

Simple form-based authentication relies on Credential Collectors (both ECC
and DCC) and Web forms that process user logins using Access Manager
authentication mechanisms. This is the default and does not require
additional configuration unless you want to customize forms.
See Also:
Oracle Fusion Middleware Developer's Guide for Oracle Access Management
for details about customizing login pages and forms

Multi-Step Authentication

Multi-step authentication requires a custom authentication module composed
of two or more authentication plug-ins that transmit information to the
backend authentication scheme several times during the login process. All
information collected by the plug-in and saved in the context will be available
to the plug-in through the authentication process. Context data can also be
used to set cookies or headers in the user's login page.
Multi-Step authentication relies on:
■

■

■

Authentication Chaining: You can chain multiple authentication plug-ins
in a new authentication module, and add the module to an
authentication scheme.
Challenge Mechanism: Controls the way in which the required
credentials are collected. Currently, this is tied to the authentication
scheme. Both the ECC and DCC use the same challenge mechanisms.
Credential Collection: Either the ECC or DCC can be used for multi-step
authentication. (DCC provides greater flexibility for interactions with
users or programmatic entities when collecting authentication-related
information that involves several methods to establish the user's
identity).

See Also:
Configuring 11g WebGates and Authentication Policy for DCC
"Creating and Managing Step-Up Authentication" on page 22-50
Oracle Fusion Middleware Developer's Guide for Oracle Access Management
for details about custom authentication plug-ins

22.7.2 About Plug-ins for Multi-Step Authentication Modules
You can create custom plug-in based authentication modules using existing Access
Manager as described in this chapter. You can also create your own plug-ins, as
described in the Oracle Fusion Middleware Developer's Guide for Oracle Access
Management.
Plug-ins operate with either the default embedded credential collector (ECC) or the
optional detached credential collector (DCC-enabled WebGate). Each authentication
plug-in provides an individual piece of functionality that you can use alone or string
together into a series of steps. The lifecycle of a plug-in centers around the ability to
add and use the plug-ins to build features and work flows that act as extensions to the
OAM Server. Each plug-in is deployed as a JAR file and each plug-in's configuration
requirements must be given in XML format.
Standard (native) Authentication Modules are targeted for
deprecation; future enhancements will not be available in the standard
modules. Oracle strongly recommends using plug-in based modules
as described in "Orchestrating Multi-Step Authentication with Plug-in
Based Modules" on page 22-29.

Note:

Figure 22–8 shows plug-ins available out of the box. These plug-ins, and any that you
create using the SDK and import, appear in a list when you add steps to build a
custom authentication module.

Managing Authentication and Shared Policy Components

22-31

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Figure 22–8 Access Manager Plug-ins for Customized Authentication Modules

The Name generally defines the component that relies on the plug-in. The Description
is optional. The Type column indicates the purpose of the plug-in. Activation Status
lets you know if this is active and ready to use.
See Also: Oracle Fusion Middleware Developer's Guide for Oracle Access
Management for details about building your own custom plug-ins. You
can import new plug-ins, distribute, activate, deactivate, and remove
custom plug-ins.

22-32 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Whether you use an Oracle-provided plug-in or create one of your own, adding a
plug-in when you create a custom authentication module is the same. Each custom
module requires the following types of information:
■

■

■

General identifies the unique name and optional description for the individual
plug-in.
Steps identify the specific plug-ins to use, and their execution order, based on the
configuration details of each plug-in (including the user identity store to use).
Step Orchestration specifies the action to be taken on success or on failure or on
error.
When multi-factor authentication is used, the
UserIdentificationPlugin should be invoked in the last pass during the
authentication process.

Note:

Figure 22–9 shows the Custom Authentication Module within the Access Manager
section of the System Configuration tree. Each module has three configuration tabs.
Figure 22–9 Creating Custom Authentication Modules: General

Table 22–11 describes the content of the General tab.
Table 22–11

General tab

Element

Description

Name

A unique name up to 60 characters.

Description

Optional; up to 250 characters.

Clicking the Steps tab opens a fresh page where you can add a new step. When you
add a new Step, the following dialog box appears. Information that you enter is used
to populate the table and Details sections of the page.

Managing Authentication and Shared Policy Components

22-33

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Figure 22–10

Adding a Step and Associating a Plug-in

Table 22–12 describes the information required when adding a new step. Each step
requires a plug-in and each plug-in requires specific details for proper operation.
Table 22–12

Add New Step Entries, Steps Results Table, and Details Section

Element

Description

Step Name

The unique name you enter to identify this step, up to 60 characters.

Description

The optional description for this step, as entered when adding the step (up to 250
characters).

Plugin Name

The plug-in that you select for a particular step from the list of imported and activated
plug-ins.
See Also: Oracle Fusion Middleware Developer's Guide for Oracle Access Management
for details about creating custom plug-ins.

Step Details

Plug-in configuration details must be specified to ensure proper operation. Details might
differ depending the chosen plug-in and its requirements.
See Also: Table 22–13.

Table 22–13 describes the Plug-in Parameter Details required by Oracle-provided
plug-ins. Absent from this table are the plug-in exceptions (those plug-ins with no
initial parameters): KerberosTokenIdentifier, FedAuthnRequestPlugin, and
FedUserAuthenticationPlugin.

22-34 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Table 22–13

Parameter Details for Various Plug-ins

Plug-in Parameter

Display Name

Description

KEY_IDENTITY_STORE_REF

Identity Store Name

Most plug-ins require this attribute to ensure that the
appropriate user identity store is called during
authentication.
The following plug-in uses only this property:
■

TAPAssertionPlugIn

For additional Details required by plug-ins that employ
this property, see:

CredentialCollectorPlugIn

CredentialCollectorPlugIn

■

UserIdentificationPlugIn

■

UserAuthenticationPlugIn

■

UserPasswordPolicyPlugin

■

TAPUserAuthenticationPlugin

■

TenantDisambiguationPlugin

This plugin allows the administrator to configure which
credentials will be collected for authentication.
Credentials to be collected are configured as step
parameters. The plugin validates these parameters and
renders the UI to collect the credentials. After user
input, the plugin parses the credential parameters and
builds the user context with credential objects.
NOTE: Plugin error responses are set to the context if
the credentials are invalid and the plugin returns failure.
The plugin supports the collection of 4 credentials as
step level parameters.
1.

CRED_PARAM_1

2.

CRED_PARAM_2

3.

CRED_PARAM_3

4.

CRED_PARAM_4

The following example illustrates how to collect a
username and password.
CRED_PARAM_1=
{ID=KEY_USERNAME},{DISPLAY_NAME=KEY_
USERNAME},{TYPE=text}
{ID=KEY_PASSWORD},{DISPLAY_NAME=KEY_
PASSWORD},{TYPE=password}
Where ID, DISPLAY_NAME and TYPE are constants.
Actiontype

Action Type

Indicates if the plugin wants to REDIRECT or
FORWARD to the login page to collect credentials.

loginPageURL

Login Page URL

The URL to which the user will be forwarded or
redirected for credential collection.

NO_OF_CREDENTIALS

The number of credentials provided for the plugin
instance. If the number of instances is more than 4, the
user must update the oam-config file to add additional
CRED_PARAMS as plugin parameters.

UserIdentificationPlugIn

UserIdentificationPlugIn

This native plug-in maps the user to a specific LDAP
user record.

KEY_LDAP_FILTER

LDAP Filter

The search filter required to identify the user. LDAP
attributes are used when defining an LDAP search filter.

KEY_SEARCHBASE_URL

LDAP Searchbase

The search base required for the query. The node in the
directory information tree (DIT)) under which user data
is stored; the highest possible base for all user data
searches.

UserAuthenticationPlugIn

UserAuthenticationPlugIn

This native plug-in authenticates the supplied
username/password credentials against an LDAP
directory.

Managing Authentication and Shared Policy Components

22-35

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Table 22–13 (Cont.) Parameter Details for Various Plug-ins
Plug-in Parameter

Display Name

Description

KEY_PROP_AUTHN_
EXCEPTION

Propagate LDAP errors

Enables (or disables) propagation of LDAP errors.
UserAuthenticationPlugIn employs this attribute.

UserAuthnLevelCheckPlugin

UserAuthnLevelCheckPlugin

This native plug-in shall determine if the user has been
authenticated to the authentication level X - where the
value of X is provided by the plugin parameter
AUTHN_LEVEL_FOR_PLUGIN. For example, it checks
the current Authentication Level of the user with the
value specified. In addition, the plug-in specifies a list of
parameters to collect depending on whether the
Authentication Level check succeeded or failed.

AUTHN_LEVEL_FOR_PLUGIN

AUTHN_LEVEL_FOR_PLUGIN

Specify the authentication level as an integer.
Multiple steps can use UserAuthnLevelCheckPlugin.
However, each Step must have a unique name and
AUTHN_LEVEL_FOR_PLUGIN.
See Also: "Creating and Managing Step-Up
Authentication" on page 22-50

UserPasswordPolicyPlugin

UserPasswordPolicyPlugin

PLUGIN_EXECUTION_MODE

Mode of Operation

The execution mode of UserPasswordPolicyPlugin.
UserPasswordPolicyPlugin is supported only when
using LDAP based authentication modules. It does not
work with non LDAP authentication modules.
Depending upon the configuration, can operate either
alone or with other default plug-ins. Values are one of
the following:
■

■

■

POLICY_SCHEMA

Policy Schema To Use

NEW_USERPSWD_BEHAVIOR

Force Password Change on First
Login

PSWDONLY: Default. The most preferred
configuration where only the password status is
determined. The ID and authentication must be
performed using the UserIdentification and
UserAuthentication Plugins.
AUTHWITHPSWD: Both authentication and
password are performed using this plug-in.
AUTHONLY: Only the user identification and
authentication is performed using this plug-in

Specifies the schema for the password service (used
with UserPasswordPolicyPlugin). Only OAM10G is
supported.
Default: OAM10G
Configures retroactive behavior of the new-user
password-policy. Used with
UserPasswordPolicyPlugin.Values are either:
■

■

FORCECHANGEPASSWORD: Forces a password
change.
NOFORCEPASSWORDCHANGE: The password
policy change does not affect user passwords that
are already set.

Default: FORCECHANGEPASSWORD
DISABLED_STATUS_SUPPORT

Disabled Account Status Support

Specifies whether the disabled status is to be supported
and acted upon in this password service. Valid values
are either True or False.
Default: TRUE

URL_ACTION

Password Management Action
URL

Specifies the URL to which the user is sent for password
management. The type of servlet action needed for
redirecting the user to the specific password page for
expiry and warning pages. Values can be either:
■

REDIRECT_POST

■

REDIRECT_GET

■

FORWARD

Default: REDIRECT_POST

22-36 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Table 22–13

(Cont.) Parameter Details for Various Plug-ins

Plug-in Parameter

Display Name

Description

KEY_USER_RECORD_
ATTRIBUTE_LIST

List of User Attributes

For Federation. Comma-separated list of assertion
attributes required to create the user record.

KEY_PROVIDERID_ATTRIBUTE_
NAME

Partner Attribute Name

For Federation. The attribute name of the LDAP user
record whose value will be set to the Partner's Identity
Provider ID when provisioning the user. This field is
optional and if empty, the Partner's Identity Provider ID
will not be set in the LDAP user record.

KEY_USERID_ATTRIBUTE_
NAME

User UserID Attribute

For Federation. Name of the attribute in the assertion
attributes that is used as the LDAP UserID.

Username Mapping Attribute

Name of the attribute used for account linking by
TAPIdentifyPlugIn.

Orchestration Strategy

Name of the plugin orchestration strategy required by
SequentialPlugInExecutionStrategy.

KEY_KEYTAB_FILE

Location of Keytab file

Name of the file containing Kerberos principals and
encrypted keys required by
KerberosTokenAuthenticator

KEY_PRINCIPAL

OAM Service Principal

Your OAM Account SPN, required by
KerberosTokenAuthenticator.

KEY_KRB_CONFIG_FILE

Location of Kerberos
Configuration file

Location of the Kerberos configuration properties file,
required by KerberosTokenAuthenticator.

KEY_DOMAIN_DNS2DN_MAP

AD Domain DNS Names to DN
Mapping

Comma-separated list of Active Directory DNS
Domains to DN mappings required by
KerberosTokenAuthenticator.

FedUserProvisioningPlugin

TAPIdentifyPlugIn
KEY_TAP_RETURN_ATTRIBUTE
SequentialPlugInExecutionStrate
gy
StrategyName
KerberosTokenAuthenticator

X509CredentialExtractor
KEY_CERTIFICATE_ATTRIBUTE_ User Mapping Attribute
TO_EXTRACT

X509 certificate Attribute to be used for user mapping
required by X509CredentialExtractor.

KEY_IS_CERT_VALIDATION_
ENABLED

Certificate Validation

Enable or disable X.509 certificate validation, required
by X509CredentialExtractor.

TAPS2PVersion

Integration Protocol Version

Token version for Integration.

TAPPartnerId

Integration PartnerId

Integration Partner Identifier.

TAPChallengeURL

Partner Integration Endpoint
URL

Remote Partner End Point URL.

KEY_USERNAME_ATTRIBUTE

Username Mapping Attribute

Name of the attribute used for account linking required
by TAPUserAuthenticationPlugin

KEY_CHECK_TOKEN_EXPIRY

Enable Token Expiration
Checking

Enable or disable Integration token expiration.

FederatedTenantNames

Optional names of tenants (comma separated) for whom
federated authentication is enabled. Plugin will check
with Federation engine if tenant names are not
mentioned.

Username Parameter

Name of the username plugin parameter required by
RSA SecurID Plugin.

TAPRequestPlugin

TAPUserAuthenticationPlugin

TenantDisambiguationPlugin
KEY_FEDERATED_TENANTS

RSA SecurID Plugin
username

Managing Authentication and Shared Policy Components

22-37

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Table 22–13 (Cont.) Parameter Details for Various Plug-ins
Plug-in Parameter

Display Name

Description

passcode

Passcode Parameter

Name of the passcode plugin parameter required by
RSA SecurID Plugin.

nexttoken

Next Token Parameter

Name of the next token plugin parameter required by
RSA SecurID Plugin.

newpin

New PIN Parameter

Name of the new pin plugin parameter required by RSA
SecurID Plugin.

confirmnewpin

Confirm New PIN Parameter

Name of the confirm new pin plugin parameter
required by RSA SecurID Plugin.

KEY_HEADER_PROPERTY

HTTP Header Names

Comma separated list of HTTP Headers. See
Section 22.7.7, "Configuring an HTTPToken Extractor
Plug-in."

KEY_COOKIE_PROPERTY

HTTP Cookie Names

Comma separated list of Cookies. See Section 22.7.7,
"Configuring an HTTPToken Extractor Plug-in."

HTTPTokenExtractor

Figure 22–11 illustrates the Steps tab and Details section for a custom authentication
module. When adding Steps, there is no data to display in the table. However, when
you add one or more Steps to the table, the Details sections are populated.
Figure 22–11

Plug-in Based Authentication Module Steps and Details

Figure 22–12 illustrates the Steps Orchestration tab of a custom authentication module,
which is populated by information for each defined step (and the action you choose
for each operational condition).

22-38 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Figure 22–12

Steps Orchestration for Plug-in Based Authentication Modules

Table 22–14 describes the elements on the Steps Orchestration tab. The lists available
for OnSuccess, OnFailure, and OnError include the following choices:
■

success

■

failure

■

StepName (any step in the module can be selected as the action for an operational
condition)

Table 22–14

Steps Orchestration Tab

Element

Description

Initial Step

Choose the starting step from those listed. The list includes only those
steps defined for this module.

Name

Each step added to this module is listed by the name that was entered
when the step was added.

Description

The optional description for this step, entered when this step was
added.

OnSuccess

The action selected for successful operation. A list provides actions
you can choose:

OnFailure

OnError

■

Success

■

Failure

■

StepName (activates the next step)

The action selected for failure of this step. A list provides actions you
can choose:
■

Success

■

Failure

■

StepName (activates the next step)

The action selected for an error when executing this step. A list
provides actions you can choose:
■

Success

■

Failure

■

StepName (activates the next step)

22.7.3 About Plug-in Based Modules for Multi-Step Authentication
The following topics describe several of the native Custom modules provided with
pre-populated plug-ins. You can use these to orchestrate your own custom
authentication modules:
Managing Authentication and Shared Policy Components

22-39

Orchestrating Multi-Step Authentication with Plug-in Based Modules

■

KerberosPlugin

■

LDAPPlugin

■

X509Plugin

■

Password Policy Validation Module and Plug-ins
See Also:
■
■

■

Table 22–13, " Parameter Details for Various Plug-ins"
Example: How to leverage the SubjectAltName extension data
and integrate with multiple OCSP Endpoints on page 22-46
"Creating and Managing Step-Up Authentication" on page 22-50

KerberosPlugin
Use this plug-in when configuring Access Manager for Windows Native
Authentication, as described in Chapter 57.
Figure 22–13 shows the KerberosPlugin module that is bundled with Access Manager
11g. This is a credential mapping module that matches the credentials (username and
password) of the user who requests a resource to the encrypted "kerberos ticket".
Figure 22–13

KerberosPlugin

Figure 22–14 shows the default steps and details. Figure 22–15 shows the orchestration
of the steps and conditions.

22-40 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Figure 22–14

Default KerberosPlugin Steps and Details

Figure 22–15

Default KerberosPlugin Steps and Orchestration

LDAPPlugin
Figure 22–16 shows the LDAPPlugin module that is bundled with Access Manager. By
default, LDAPPlugin has 2 steps, shown in Figure 22–17. Figure 22–18 shows the
default orchestration of steps for LDAPplugin.

Managing Authentication and Shared Policy Components

22-41

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Figure 22–16

LDAPPlugin

Figure 22–17

Default LDAPPlugin Steps and Details

22-42 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Figure 22–18

Default Orchestration of Steps for LDAPplugin

X509Plugin
Figure 22–19 shows the X509Plugin module that is bundled with Access Manager 11g.
The X509Plugin is similar to the LDAPPlugin with additional properties that indicate
which attribute of the client's X.509 certificate should be validated against the user
attribute in LDAP. Figure 22–20 shows default steps and details for this plug-in.
Figure 22–21 shows the default orchestration of steps for the X509Plugin.
Figure 22–19

X509Plugin

Managing Authentication and Shared Policy Components

22-43

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Figure 22–20

X509Plugin Default Steps and Details

With this plug-in, the root and sub CA certificates must be added to the $DOMAIN_
HOME/config/fmwconfig/amtruststore because the X509CredentialExtractor plug-in
loads certificates from this location.
Table 22–15 lists the stepX509 values for Subject and Subject Alternative Names. Such
processing is only supported when the X509Plugin is used.
See Also:
■
■

Table 22–13, " Parameter Details for Various Plug-ins"
Example: How to leverage the SubjectAltName extension data
and integrate with multiple OCSP Endpoints on page 22-46

Table 22–15
issuer.D
subject.

X509 Step Details (KEY_CERTIFICATE_ATTRIBUTE_TO_EXTRACT)
Subject
EDIPI
Note: EDIPI refers to the Electronic Data Interchange Personal
Identifier.

subjectAltName.

OTHER_NAME (FASC-N)
Note: FASC-N refers to the Federal Agency Smart Credential Number.

subjectAltName.

RFC822_NAME

subjectAltName.

UNIFORM_RESOURCE_IDENTIFIER

22-44 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Figure 22–21

Default Orchestration for X509Plugin Steps

See Also: "Example: Leveraging SubjectAltName Extension Data
and Integrating with Multiple OCSP Endpoints"

Password Policy Validation Module and Plug-ins
Oracle provides a Password Policy Validation Module that employs the following
plug-ins as individual steps in the authentication process:
■

User Identification Step

■

User Authentication Step

■

User Password Status Step

Figure 22–22 shows the Steps tab. Additional details follow the figure.
Figure 22–22

Password Policy Validation Module Plug-ins

Figure 22–23 shows the Steps Orchestration page for the Password Policy Validation
Module plug-ins, which is self explanatory.

Managing Authentication and Shared Policy Components

22-45

Orchestrating Multi-Step Authentication with Plug-in Based Modules

See Also:
■

Table 22–13, " Parameter Details for Various Plug-ins"

■

Configuring Password Policy

Figure 22–23

Steps Orchestration: Password Policy Validation Plug-ins

22.7.4 Example: Leveraging SubjectAltName Extension Data and Integrating with
Multiple OCSP Endpoints
Access Manager 11g support for personal identity verification (PIV) cards (a United
States Federal smart card), is to use FASC-N and EDIPI attributes from the
SubjectaltName extension to map the user during X.509 authentication. While multiple
OCSP providers are not supported, you can use an OCSP Gateway or write a custom
authentication plug-in that uses the OSDT OCSP APIs to validate against multiple
OCSP providers.
The following functionality is available only with the X.509 Plug-in (not the X.509
Authentication module). The Plug-in configuration specifies the LDAP attribute to
which the extracted attribute from the X.509 client certificate will be mapped.
Example: How to leverage the SubjectAltName extension data and integrate with
multiple OCSP Endpoints
1. In the Oracle Access Management Console, click Application Security at the top
of the window.
2.

In the Plug-ins section, click Authentication Modules.

3.

In the list of modules, select the X509Plugin module.

4.

In the page that opens, click Duplicate and fill out the fields as follows:
See Also: "Creating and Orchestrating Plug-in Based Multi-Step
Authentication Modules" on page 22-48

General Tab:
a.

Name: CustomX509Plugin.

b.

Description: Custom Plug-in for X509.

Steps Tab:

22-46 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

a.

Click + to add a step to the plug-in.

b.

Enter a Name and Description, then select the X509CredentialExtractor plug-in.

Step Details:
a.

KEY_IS_CERT_VALIDATION_ENABLED true.

b.

KEY_CERTIFICATE_ATTRIBUTE_TO_EXTRACT (Table 22–15):
subject.EDIPI, subjectAltName.OTHER_NAME (FASC-N),
subjectAltName.RFC822_NAME, subjectAltName.UNIFORM_RESOURCE_
IDENTIFIER

c.

Click the Save button.

Add Another Plug-in:
a.

Click + to add a different plug-in.

b.

Enter the Name, Description, and select UserIdentificationPlugin

Step Details for Second Plug-in:
a.

Set KEY_IDENTITY_STORE_REF to the required identity store.

b.

Add the LDAP filter to the KEY_LDAP_FILTER attribute. For example:
(&(uid=
Unknown macro: {subject.CN}
)(mail=
Unknown macro: {subject.E}
))

5.

6.

c.

Add the user search base, if required, to the KEY_SEARCH_BASE_URL
attribute.

d.

Click the Save button.

e.

Proceed to Step Orchestration tab (Step2).

Orchestrate Steps:
a.

Initial Step: Select the X509CredentialPlugin Step from the drop down.

b.

On Success: X509CredentialPlugin step, select the UserIdentificationPlugin Step
from the drop down list.

c.

On Success: UserIdentificationPlugin step, select Success from the drop down
list.

d.

On Failure: Select Failure for both X509CredentialPlugin and
UserIdentificationPlugin steps.

e.

On Error: Select Failure for both X509CredentialPlugin and
UserIdentificationPlugin steps.

f.

Click the Apply button and review the confirmation window stating that the
plug-in has been created successfully.

Set up the Certificate Validation Module for Certificate Validation and Revocation
using OCSP.
See Also:

"Managing Certificate Validation and Revocation" on

page 3-7
a.

In the Oracle Access Management Console, click Configuration at the top of
the window.
Managing Authentication and Shared Policy Components

22-47

Orchestrating Multi-Step Authentication with Plug-in Based Modules

b.

In the Configuration console, click Certificate Validation.

c.

In the Certificate Revocation list, confirm that Enabled is checked, then click
Save.

d.

In the OCSP/CDP section, enable OCSP, enter the OCSP URL and the Subject
of the OCSP Server's certificate, then click Save.

e.

On the command line, use the Java keytool application to import the trusted
certificates into the $DOMAIN_HOME/config/fmwconfig/amtruststore
keystore, as trusted certificate entries.
Initially the keystore is empty; its password is set the first time
the Java keytool application is used.

Note:

22.7.5 Creating and Orchestrating Plug-in Based Multi-Step Authentication Modules
Users with valid Administrator credentials can use the following procedure to create
custom authentication module that uses one or more authentication plug-ins. This
procedure outlines general steps for any authentication module (with sample
information to configure an authentication X509 module for use with the Online
Certificate Status Protocol (OCSP) to maintain the security of a server and other
network resources).
See Also:
■

■

"Example: How to leverage the SubjectAltName extension data
and integrate with multiple OCSP Endpoints" on page 22-46
"Creating and Managing Step-Up Authentication" on page 22-50

Prerequisites
Ensure that any user identity store associated with the module is running and includes
the required user population.
To create a custom authentication module using bundled plug-ins
1. In the Oracle Access Management Console, click Application Security at the top
of the window.
2.

In the Application Security console, select Create Custom Authentication Module
from the Create (+) drop-down list in the Plug-ins section.

3.

In the page that appears, enter the Name and optional Description. For example:
CustomX509Plugin and Plugin for X509, respectively.
Click Apply to save general information.

4.

Add Steps:
a.

Click the Steps subtab.

b.

Click the Add (+) button above the Steps table.

c.

In the Add New Step dialog box, enter a unique Step Name and optional
Description.

d.

Browse for and select the desired plug-in name (X509CredentialExtractor, for
instance) and click OK.

e.

Confirm information in the results table.

22-48 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

f.
5.

Repeat b through e to add other steps until you have listed all required
plug-ins for your module.

Define Step Details: Use appropriate values for requested parameters
(Table 22–12, Table 22–13, Table 22–17, " Managing Custom Plug-ins Actions" and
"Example: How to leverage the SubjectAltName extension data and integrate with
multiple OCSP Endpoints"):
a.

Click a StepName in the table to reveal required details, enter appropriate
values for the requested details.

b.

Validate User Cert using OCSP:
Confirm that KEY_IS_CERT_VALIDATION_ENABLED is set to true.
Add the certificate attributes to be extracted with KEY_CERTIFICATE_
ATTRIBUTE_TO_EXTRACT (Table 22–15):
subject.EDIPI
subjectAltName.OTHER_NAME (FASC-N)
subjectAltName.RFC822_NAME
subjectAltName.UNIFORM_RESOURCE_IDENTIFIER

6.

7.

c.

Click the Save button.

d.

Repeat to configure each step appropriately.

e.

Ensure that users are provisioned in any user identity stores assigned in the
steps.

Orchestrate Steps: See Table 22–14 as you perform following steps.
a.

Click the Steps Orchestration subtab.

b.

From the InitialStep list, choose the name of the first step to be used.

c.

Select a StepName in the table.

d.

From the OnSuccess List, choose a condition (success or failure) or a step
name.

e.

From the OnFailure List, choose the desired condition or a StepName.

f.

From the OnError List, choose the desired condition or a StepName.

g.

Repeat Steps c through f to orchestrate operations for each plug-in this
module.

h.

Review your orchestration.

Initiate Strategy Validation: Click Apply to initiate validation of your
orchestration strategy:
■

■

Successful Strategy: The orchestration strategy is applied and the module is
ready to include in an authentication scheme. Continue with Steps 9 and 10.
Invalid Strategy: Click OK in the Error box, then edit your OnSuccess,
OnFailure, OnError strategies (or add or remove plug-ins) to correct the
problem. Repeat this step until your strategy is successful.

8.

In the navigation tree, confirm the new Custom Authentication Module is listed,
and then close the page when you finish.

9.

Use your custom module in an authentication scheme, as described in "Managing
Authentication Schemes" on page 22-64.

Managing Authentication and Shared Policy Components

22-49

Orchestrating Multi-Step Authentication with Plug-in Based Modules

22.7.6 Creating and Managing Step-Up Authentication
This section describes how to define step-up authentication using plug-ins within a
customized module. In this example, there are users who need standard level access to
pages on the corporate portal and those who need access to sensitive information. For
standard applications, authentication credentials include username and password. For
sensitive applications, credentials include username, password, and a security code
(the later obtained with a custom plugin that validates the code).
The processing that occurs with a customized step-up authentication module is driven
by the steps and plug-ins described in Table 22–16. For more information, see
Table 22–13.

22-50 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Table 22–16

Steps and Plug-ins in a Customized Step-up Authentication Module

Step
#

Step Name

Plug-in Name

Description

1

StandardLevelCheck-2

UserAuthnLevelCheckPlu
gin

Configurable with the LevelCheck Rule and credentials
parameters associated with the SUCCESS or FAILURE
outcome resulting from the check.
This plugin communicates with the authentication engine to
determine the current authentication level of the user and
compares it with the plugin level parameter AUTHN_LEVEL_
FOR_PLUGIN. It interacts with a custom credential collector
and checks the current Authentication Level of the user against
the value specified. For example, if 2 is specified for X:
■

■

Authentication Level >= X returns
ExecutionStatus.SUCCESS and proceeds to the next step;
for example it will check for higer level authentication.
Authentication Level < X returns
ExecutionStatus.FAILURE and proceeds to the next step
in the plugin; for example it will collect the standard
credentials for level 2 (username and password).

Specifies parameters to collect depending on whether the
Authentication Level check succeeded or failed:

2

CollectUserNamePassword CredentialCollectorPlugin
Flow must start with the
Plug-in communicating
the credential parameters
to collect. The Action must
support allowing the
Server to mark parameters
as immutable.

■

ON SUCCESS, go to SensitiveLevelCheck-6

■

ON FAILURE, go to CollectUserNamePassword

■

ON ERROR, Failure

This plugin interacts with the credential collector
(CustomReadServlet) to allow the administrator to configure
the credentials collected for authentication. Credentials to be
collected are configured as step parameters. The plugin
validates these parameters and renders the UI to collect them.
The user provides the credentials that need to be collected in
the step parameter. In this example, since in previous step user
was not authenticated to level 2, he will be prompted to enter a
user name and password.
■

loginPageURL: /CustomRead/Servlet (generic credential
collector for UserAuthnLevelCheckPlugin to render the
interface to acquire plug-in specified credentials.

■

No_OF_CREDENTIALS: 4

■

CRED_PARAM_4

■

CRED_PARAM_3

■

■

■

CRED_PARAM_2: {ID=KEY_PASSWORD},{DISPLAY_
NAME=KEY_PASSWORD},{TYPE=password}
CRED_PARAM_1: {ID=KEY_USERNAME},{DISPLAY_
NAME=KEY_USERNAME },{TYPE=text}
actiontype: FORWARD

Credentials to be collected should be specified in this format
only for the credential collector to render the UI interface.
Also specifies action on:

3

UserIdentificationProcess

UserIdentificationPlugIn

■

ON SUCCESS, go to UserIdentificationProcess

■

ON FAILURE, Failure

■

ON ERROR, Failure

Out of the box plug-in that maps the user to a specific LDAP
user record:
■

ON SUCCESS, go to UserAuthenticationStep

■

ON FAILURE, Failure

■

ON ERROR, Failure

Managing Authentication and Shared Policy Components

22-51

Orchestrating Multi-Step Authentication with Plug-in Based Modules

Table 22–16 (Cont.) Steps and Plug-ins in a Customized Step-up Authentication Module
Step
#

Step Name

Plug-in Name

Description

4

UserAuthenticationStep

UserAuthenticationPlugin

Out of the box plug-in that authenticates the supplied
username and password credentials against an LDAP
directory.

5

6

SensitiveLevelCheck-6

UserAuthnLevelCheckPlu
gin

CollectSensitiveLevelCreds CredentialCollectorPlugin

■

ON SUCCESS, go to SensitiveLevelCheck-6

■

ON FAILURE go to CollectSensitiveLevelCreds

■

ON ERROR, Failure

This plugin communicates with the authentication engine to
determine the current authentication level of the user and
compares it with the plugin level parameter AUTHN_LEVEL_
FOR_PLUGIN. It interacts with a custom credential collector
and checks the current Authentication Level of the user against
the value specified. Specifies parameters to collect depending
on whether the check succeeded or failed:
■

ON SUCCESS, Success

■

ON FAILURE, go to CollectSensitiveLevelCreds

■

ON ERROR, Failure

This plugin renders the UI for collecting credentials for level 6
authentication. This is similar to CollectUserNamePwd.
■

ON SUCCESS, go to ValidateSensitiveLevelCreds

■

ON FAILURE, Failure

■

ON ERROR, Failure

■

7

ValidateSensitiveLevelCred SubjectSetPlugin
s

CRED_PARAM_1: {ID=securitycode},{DISPLAY_
NAME=form_securecode},{TYPE=text}

This custom developed plug-in validates the security code
against the server.
■

ON SUCCESS, Success

■

ON FAILURE, Failure

■

ON ERROR, Failure

After defining and orchestrating plug-ins in an authentication module, you can use the
module in an authentication scheme and use the scheme in a policy.
See Also: "Creating and Orchestrating Plug-in Based Multi-Step
Authentication Modules"

Task overview: Configuring Step-up Authentication
1. Create or edit a custom authentication module for step up authentication:

2.

Define your custom authentication module based on the Steps shown here.

22-52 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

3.

Orchestrate your Steps and Plug-ins as shown here and described in Table 22–16.

Managing Authentication and Shared Policy Components

22-53

Orchestrating Multi-Step Authentication with Plug-in Based Modules

4.

Sensitive Scheme: Create or edit an Authentication Scheme for sensitive
applications that uses your customized step-up authentication module. For
example:
See Also:

5.

"Managing Authentication Schemes" on page 22-64

Lower-Level Scheme: Create or edit an Authentication Scheme for the lowest level
applications using your customized step-up authentication module F.or example:

22-54 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

6.

Sensitive Policy: Create or edit an Authentication Policy for sensitive-level
resources using your customized step-up Authentication Scheme. For example:
See Also: Chapter 25, "Managing Policies to Protect Resources and
Enable SSO"

7.

Lower-Level Policy: Create or edit an Authentication Policy for the lowest level
resources using your customized step-up Authentication Scheme. For example:

Managing Authentication and Shared Policy Components

22-55

Orchestrating Multi-Step Authentication with Plug-in Based Modules

8.

Verify: Verify your resources and the policies that protect them.

22.7.7 Configuring an HTTPToken Extractor Plug-in
The following process should be followed to configure an HTTPToken Extractor
plug-in.
1.

Create a sample plug-in that will re-direct the user to the authenticating
application.
The authenticating application will authenticate the user and set the user name in
the HTTP header or cookie.

2.

Create a custom authentication module that will access any applicable plug-ins.
For example, if you add the plug-in created in the previous step and the
HTTPToken Extractor and User identification plug-ins, successful authentication
occurs when the process for all three plug-ins has been successfully completed.

3.

Add values for the header name and the user search filter properties.
The KEY_HEADER_PROPERTY is set in the HTTPToken Extractor plug-in while
KEY_LDAP_FILTER is set in the UI plug-in. For example:
■

KEY_HEADER_PROPERTY = cookieorheadername

■

KEY_LDAP_FILTER = (uid={cookieorheadername})
Note:

The user should be present in the data store which is being

used.

22.7.8 Configuring a JSON Web Token Plug-in
Oracle Access Manager (OAM) provides complete but different access management
solutions for both users and applications. After OAM authentication, SSO tokens are
issued which can be used with WebGates or products like Oracle API Gateway. These
tokens are specific to OAM though and there are often business requirements where
Web services or REST services need to be protected. While OAM tokens can be used to
protect web services, they are usually protected by standard tokens. A JSON Web
Token (JWT) is one of the standard tokens that is widely used.

22-56 Administrator's Guide for Oracle Access Management

Orchestrating Multi-Step Authentication with Plug-in Based Modules

In the RSPS2 release, OAM introduced complete support for an OAuth authorization
service provided by the Oracle Access Manager Mobile and Social (OAMMS) service.
The OAuth Service issues a JSON Web Token (JWT) for accessing Web services
subsequent to the user’s authentication and/or authorization. Thus, a user can be
authenticated with an OAM authentication mechanism and subsequently have both an
OAM and a JWT for access to different resources. A typical scenario in which this can
be used is when a WebGate protected application is accessed. The user is authenticated
by an OAM authentication module and both an OAM token and a JWT are provided.
The OAM token is used for access through the WebGate and the JWT can be used to
access a Web service or a REST service when needed. (The Web service or REST service
is protected by a product like Oracle API Gateway or Oracle Web Services Manager.)
A JSON Web Token Plug-in is now available in OAM. Use this JSON Web Token
Plug-in when you need to protect REST or Web services with standard tokens. The
JSON Web Token Plug-in issues both an OAM token and a Mobile and Social JWT that
can be used for Web services access. Oracle API Gateway and Oracle Web Services
Manager can use this JWT for Web services protection as well. See the following
sections for additional details.
■

Understanding the JSON Web Token Plug-in

■

Configure the JSON Web Token Plug-In

22.7.8.1 Understanding the JSON Web Token Plug-in
The following flow describes how the JSON Web Token Plug-in can be used in
deployments:
■

■

■

■

■

■

Configure the Oracle Access Management WebGate to use both OAM
authentication and the JSON Web Token Plug-in.
When a user accesses a resource protected by the WebGate, the WebGate redirects
the user to authenticate with Access Manager.
Upon authentication, the plug-in identifies which OAuth service end point should
generate the JWT. (OAuth service end points are unique and can be configured to
point to a specific OAuth service profile within a specific Identity Domain.) Oracle
Access Manager Mobile and Social creates the JWT and the plug-in returns it as a
cookie. (The cookie name can be configured in the plug-in configuration.)
The Web application intercepts the response and accesses the cookie so that it can
be used later for Web service access. Depending on how the web application is
deployed, there may be other options to retrieve the JWT. The user can now access
the Web resource.
When the Web resource needs to access a Web service, it extracts the OAM Mobile
and Social JWT and sends it to the Oracle API Gateway.
The Oracle API Gateway uses the Oracle OAuth Service REST API to validate the
token. It then grants access to the Web service. The Oracle API Gateway can also
validate the JWT locally without making a remote call to the OAuth service.
Notes: Currently there is not a mechanism to pass scope to the
OAuth service while issuing a JWT with OAM authentication.
Consequently, the token should be considered to have global scope.

Both the OAM token timeout and the JWT timeout can be set to the
same value to have the same validity. The OAM tokens and JWT are
not linked, so they cannot be terminated using single logout.

Managing Authentication and Shared Policy Components

22-57

Deploying and Managing Individual Plug-ins for Authentication

22.7.8.2 Configure the JSON Web Token Plug-In
Use these steps to configure the JSON Web Token Plug-in. You will be creating a
custom authentication module.
1.

In the Oracle Access Management Console, click Application Security at the top of
the window.
The Search Authentication Modules screen is displayed.

2.

Select Create Custom Authentication Module from the Create (+) drop-down
menu in the Plug-ins section.
The General tab is displayed.

3.

Enter a name (and optional description) for the custom authentication module.
For this example, we name the module JWTToken AuthnModule.

4.

Click the Steps tab and the + (plus sign) to add a new step.
The Add New Step dialog is displayed. Three new steps will be added.

5.

Specify a step name (and optional description), select an activated plug-in from
the Plug-in name drop down list and click OK.
For this example, the values are StepUI and UserIdentificationPlugin. The flow
parameters for that plug-in can be edited after it is added to the step

6.

Enter values for the UserIdentificationPlugin parameters and click Save.

7.

Click the + (plus sign) to add a second step, enter the name StepUA, select
UserAuthenticationPlugin from the drop down list and click OK.

8.

Enter values for the UserAuthenticationPlugin parameters and click Save.

9.

Click the + (plus sign) to add a third step, enter the name StepOAuth, select
OAuthTokenResponsePlugin from the drop down list and click OK.

10. Enter values for the OAuthTokenResponsePlugin parameters and click Save.
11. Click the Steps Orchestration tab to configure the orchestration of the steps in the

following order.
a.

StepUI

b.

StepUA

c.

StepOAuth

12. Click Apply and close the Custom Authentication Module tab.
13. Click Authentication Schemes from the Launch Pad.
14. Select LDAPScheme and click Duplicate.

A Copy of LDAPScheme screen displays.
15. Change the value of Name to JWTToken AuthnScheme and the value of

Authentication Module to JWTToken AuthnModule.
16. Click Save.
17. Configure an Authentication policy with the newly defined JWTToken

AuthnScheme Authentication Scheme.

22.8 Deploying and Managing Individual Plug-ins for Authentication
This section provides the following topics:
22-58 Administrator's Guide for Oracle Access Management

Deploying and Managing Individual Plug-ins for Authentication

■

About Managing Your Own Authentication Plug-ins

■

Deploying and Managing Individual Plug-ins for Authentication

■

Deleting Your Custom Authentication Plug-ins

22.8.1 About Managing Your Own Authentication Plug-ins
Using information in the Oracle Fusion Middleware Developer's Guide for Oracle
Access Management, custom authentication plug-ins can be created and used to define
customized multi-step authentication modules.
After development, the plug-in must be deployed on the AdminServer, as a JAR file,
which is validated automatically. After validation, an Administrator can configure and
distribute the plug-in using the Oracle Access Management Console.
The server processes the XML configuration file within the plug-in JAR file to extract
data about the plug-in. After the plug-in is imported, an Administrator can see and
modify the various plug-in states based on information available from the
AdminServer.
Figure 22–24 illustrates the Plug-ins Node under the Common Configuration section
of the System Configuration tab, and the Plugins page. This Plugins page includes a
tool bar with command buttons, most of which operate on the plug-in that is selected
in the table. The table provides information about the existing custom plug-ins and
their state. The Plugin Details section at the bottom of the page reflects configuration
details for the selected plug-in the table.
Figure 22–24

Plug-ins Page

Administrators control plug-in states using the command buttons across the table at
the top of the Plug-ins page, as described in Table 22–17.

Managing Authentication and Shared Policy Components

22-59

Deploying and Managing Individual Plug-ins for Authentication

Table 22–17

Managing Custom Plug-ins Actions

Action Button

Description

Import Plugin...

Adds the plug-in JAR file to the AdminServer $DOMAIN_HOME/oam/plugins and begins
plug-in validation.
■

■

■

Same JAR Name: If the new plug-in JAR name (in $DOMAIN_HOME/oam/plugins)
matches an existing plug-in JAR name (in $DOMAIN_
HOME/config/fmwconfig/oam/plugins), Oracle Access Manager extracts new
configuration metadata from the XML file in the JAR (in $DOMAIN_HOME/oam/plugins)
and checks the version of the new plug-in.
XML Version: If the new plug-in XML version (in $DOMAIN_HOME/oam/plugins) is
greater than the existing XML version (in $DOMAIN_
HOME/config/fmwconfig/oam/plugins), validation is successful. Otherwise, "invalid
plugin name with invalid version" is returned and the new plug-in JAR is removed (from
$DOMAIN_HOME/oam/plugins).
Different JAR Name: If the new plug-in JAR name (in $DOMAIN_HOME/oam/plugins) is
different then existing plug-in JAR names (in $DOMAIN_
HOME/config/fmwconfig/oam/plugins), the new plug-in JAR is uploaded and validation
is successful.

On Success: Status is reported as "Uploaded" (even if an OAM Server is down). If all registered
OAM Servers report "Uploaded", then the status on AdminServer is also "Uploaded".
On Failure: Status is reported as "Upload Failed"
See Also: "About the Custom Plug-in Life Cycle" in the Oracle Fusion Middleware Developer's
Guide for Oracle Access Management
Distribute Selected

■

Propagates the plug-in to all registered OAM Servers.

■

Sets the plug-in flag in oam-config.xml to "Distribute=true".

■

■

Starts the distribution listener and notification mechanism between AdminServer and OAM
Servers
Distributes the plug-in JAR from AdminServer node to each OAM Server node under
$DOMAIN_HOME/config/fmwconfig/oam/plugins

On Success: Status is reported as "Distributed" (even if an OAM Server is down). If all registered
OAM Servers report "Distributed", then the status on AdminServer is also "Distributed".
On Failure: Status is reported as "Distribution Failed"

22-60 Administrator's Guide for Oracle Access Management

Deploying and Managing Individual Plug-ins for Authentication

Table 22–17

(Cont.) Managing Custom Plug-ins Actions

Action Button
Activate Selected

Description
After successful distribution the plug-in can be activated on all registered OAM Servers.
Activation:
■
■

■

Updates the plug-in flag in oam-config.xml to "Activate=true"
Starts the Message listener and notification mechanism between AdminServer and OAM
Servers
AdminServer sends message "Activate" to all registered OAM Servers

On Success: Status is reported as "Activated" (even if an OAM Server is down). If all registered
OAM Servers report "Activated", then the status on AdminServer is also "Activated".
On Failure: Status is reported as "Activation Failed"
Following activation on all OAM Servers, the plug-in can be used and executed in any
authentication module construction or orchestration.
Deactivate Selected

Following plug-in activation, an Administrator can choose to deactivate the plug-in: if the plug-in
is not used in any authentication module or scheme, for example. The selected plug-in from all
registered OAM Servers.
Deactivate:
■
■

■

■
■

Updates the plug-in flag in oam-config.xml to "De-activate=true"
Starts the Distribution listener and notification mechanism between AdminServer and OAM
Servers
Removes the plug-in JAR from AdminServer and each registered OAM Server ($DOMAIN_
HOME/config/fmwconfig/oam/plugins)
AdminServer sends message "De-activation" to all registered OAM Servers
OAM Servers send status message to AdminServer using the "Message" listeners on both
AdminServer and OAM Server

On Success: Status is reported as "De-activation" (even if an OAM Server is down). If all
registered OAM Servers report "De-activation", then the status on AdminServer is also
"De-activation". Plug-in configuration is removed from oam-config.xml.
Note: After deactivation, the plug-in cannot be used or executed in any authentication module or
orchestration.
On Failure: Status is reported as "De-activation Failed"
Remove Selected

Following plug-in deactivation, an Administrator can delete the selected plug-in. During this
process, Access Manager:
Delete:
■
■

■

■

Updates the plug-in flag in oam-config.xml to "Remove=true"
Starts the Distribution listener and notification mechanism between AdminServer and OAM
Servers
Removes the plug-in JAR from AdminServer and each registered OAM Server ($DOMAIN_
HOME/config/fmwconfig/oam/plugins)
AdminServer sends message "Activate" to all registered OAM Servers

On Success: Status is reported as "Removed" (even if an OAM Server is down). If all registered
OAM Servers report "Removed", then the status on AdminServer is also "Removed". Plug-in
configuration is removed from oam-config.xml.
On Failure: Status is reported as "Removal Failed"

Table 22–18 describes elements in the Plugins status table.
Table 22–18

Plugins Status Table

Element

Description

Plugin Name

Extracted from the Plugin name element of the XML metadata file.

Description

Extracted from the description element of the XML metadata file.

Activation Status

Reported activation status based on information from AdminServer.

Managing Authentication and Shared Policy Components

22-61

Deploying and Managing Individual Plug-ins for Authentication

Table 22–18

(Cont.) Plugins Status Table

Element

Description

Type

Extracted from the type element of the XML metadata file.

Last Updated on

Extracted from the creation date element of the XML metadata file.

Last Updated by

Extracted from the author element of the XML metadata file.

In the Plugin Details section of the page, the Activation Status is maintained by the
AdminServer, as shown in Table 22–18.
Figure 22–25

Plugin Details: Activation Status of Selected Plug-in

Depending on your plug-in, various configuration details are extracted from the
configuration element of the XML metadata file to populate Configuration Parameters
in the Plugin Details section. Examples are shown in Table 22–19; see also, Table 22–13.
Table 22–19

Example of Plugin Details Extracted from XML Metadata File

Configuration
Element

Description

DataSource

- 
- 
DataSource
true
false
true
jdbc/CISCO



Kerberos Details

Defines the following Kerberos details:

User Identification
Details

Defines the User Identity Store and LDAP filter parameters. for this plug-in to use:

User Authentication
Details

Defines the User Identity Store for this plug-in to use:

X.509 Details

Defines the X.509 certificate details for this plug-in to use:

KEY_KEYTAB_FILE, KEY_PRINCIPAL, KEY_KRB_CONFIG_FILE

KEY_IDENTITY_STORE_REF, KEY_LDAP_FILTER

KEY_IDENTITY_STORE_REF

KEY_CERTIFICATE_ATTRIBUTE_TO_EXTRACT, KEY_IS_CERT_VALIDATION_ENABLED

22.8.2 Making Custom Authentication Plug-ins Available for Use
Users with valid Administrator credentials can perform the following task to add,
validate, distribute, and activate a custom plug-in.
Prerequisites
Developing a custom plug-in as described in the Oracle Fusion Middleware
Developer's Guide for Oracle Access Management

22-62 Administrator's Guide for Oracle Access Management

Deploying and Managing Individual Plug-ins for Authentication

To make available for use a custom authentication plug-in
1. Import the Plug-in:
a.

In the Oracle Access Management Console, click Application Security at the
top of the window

b.

In the Application Security Console, click Authentication Plug-ins in the
Plug-ins section.

c.

In the page that appears, click Import Plug-in.

d.

In the Import Plugin dialog box, click Browse and select the name of your
plug-in JAR file.

e.

Review the message in the dialog box, then click Import.
The JAR file is validated as described in Oracle Fusion Middleware
Administrator's Guide for Oracle Access Management.

2.

Configure Parameters: Expand the Plugin Details section, click Configuration
Parameters, and enter appropriate information as needed.

3.

Distribute the Plug-in to OAM Servers:

4.

5.

a.

In the Plug-ins table, select the target plug-in.

b.

Click Distribute Selected, then check the plug-in’s Activation Status tab.

Activate the Plug-in (and the custom plugin implementation class) so it is ready to
be used by OAM Server:
a.

In the Plug-ins table, select the target plug-in.

b.

Click Activate Selected, then check the plug-in’s Activation Status.

Perform the following tasks as needed:
■

Checking an Authentication Plug-in's Activation Status

■

Deleting Your Custom Authentication Plug-ins

■

Creating and Orchestrating Plug-in Based Multi-Step Authentication Modules

22.8.3 Checking an Authentication Plug-in's Activation Status
Users with valid Administrator credentials can perform the following task to add,
validate, distribute, and activate a custom plug-in.
Prerequisites
Making Custom Authentication Plug-ins Available for Use
To check the activation status of a custom authentication plug-i
1. In the Oracle Access Management Console, click Application Security at the top
of the window
2.

In the Application Security console, click Authentication Plug-ins in the Plug-ins
section.

3.

In the Plug-ins table, select the target plug-in.

4.

Server Instance Name: Expand the Plug-in Details section and click Activation
Status to display the location and status of the plug-in.

5.

Perform the following tasks as needed:

Managing Authentication and Shared Policy Components

22-63

Managing Authentication Schemes

■

Deleting Your Custom Authentication Plug-ins

■

Creating and Orchestrating Plug-in Based Multi-Step Authentication Modules

22.8.4 Deleting Your Custom Authentication Plug-ins
Users with valid Administrator credentials can use the following procedure to
deactivate and then delete a custom plug-in.
When an Administrator deletes a custom authentication plug-in, its name is not
removed from the list of plug-ins. To delete the plug-in (for the purpose of
re-importing the same plug-in later), the Administration must stop the WebLogic
Server and edit the oam-config.xml manually.
Prerequisites
The plug-in must have been added and available in the console
To delete a custom authentication plug-in
1. In the Oracle Access Management Console, click Application Security at the top
of the window
2.

In the Application Security console, click Authentication Plug-ins in the Plug-ins
section.

3.

Deactivate the Plug-in: You must perform this before removing a plug-in.

4.

5.

a.

In the Plug-ins table, select the target plug-in.

b.

Click Deactivate Selected, then check the plug-in’s Activation Status.

Delete the Deactivated Plug-in:
a.

In the Plug-ins table, select the target plug-in.

b.

Click Delete Selected.

c.

Stop the WebLogic Administration Server, locate and edit oam-config.xml
manually to remove the deactivated plug-in, and then restart the WebLogic
Administration Server.

Perform the following tasks as needed:
■

Making Custom Authentication Plug-ins Available for Use

■

Creating and Orchestrating Plug-in Based Multi-Step Authentication Modules

22.9 Managing Authentication Schemes
Access to a resource or group of resources can be governed by a single authentication
process known as an authentication scheme. An authentication scheme is a named
component that defines the challenge mechanism required to authenticate a user. Each
authentication scheme must also include a defined authentication module (standard or
custom, as described in "Deploying and Managing Individual Plug-ins for
Authentication" on page 22-58).
When you register a partner (either using the Administration Console or the remote
registration tool), the Application Domain that is created is seeded with a policy that
uses the authentication scheme that is set as the default scheme. You can choose any of
the existing authentication schemes as the default for use during policy creation.
You can also create a new authentication scheme, copy an existing definition to use as
a template, modify a definition, or delete the definition. The copy uses a default name
22-64 Administrator's Guide for Oracle Access Management

Managing Authentication Schemes

that is based on the original. For example, if you copy the scheme named
KerberosScheme, the copy is named Copy of KerberosScheme.
This section is divided into the following topics:
■

About Authentication Schemes and Pages

■

Understanding Multi-Level and Step-Up Authentication

■

Creating an Authentication Scheme

■

Viewing, Editing, or Deleting an Authentication Scheme

■

Searching for an Authentication Scheme

22.9.1 About Authentication Schemes and Pages
All authentication schemes include the same elements with differing values.
Figure 22–26 shows the default LDAPScheme page as an example.
Figure 22–26

Default LDAPScheme Page

Table 22–20 provides information about each of the elements and values in any
authentication scheme. Use the Set as Default button to make this the default scheme.
Table 22–20

Authentication Scheme Definition

Element

Description

Name

The unique name for this scheme, which appears in the navigation tree.
See Also:"Pre-configured Authentication Schemes" on page 22-68

Description

The optional description, up to 200 characters, that explains the use of this
scheme.

Managing Authentication and Shared Policy Components

22-65

Managing Authentication Schemes

Table 22–20

(Cont.) Authentication Scheme Definition

Element

Description

Authentication Level

The trust level of the authentication scheme. This reflects the challenge method
and degree of trust used to protect transport of credentials from the user.
The trust level is expressed as an integer value between 0 (no trust) and 99
(highest level of trust).
Note: Level 0 is unprotected. Only unprotected resources can be added to an
Authentication Policy that uses an authentication scheme at protection level 0.
For more information, see Table 25–1, " Resource Definition Elements".
Note: After a user is authenticated for a resource at a specified level, the user is
automatically authenticated for other resources in the same Application Domain
or in different Application Domains, if the resources have the same or a lower
trust level as the original resource.
See Also: "About Multi-Level and Step-Up Authentication" on page 22-80.

Default

A non-editable box that is checked when the Set as Default button is clicked.

Challenge Method

One challenge method must be selected from those listed as available:
■

Form

■

Basic (LDAP)

■

X509 (Certificate)

■

WNA (Windows Native Authentication)

■

None

■

DAP

■

OAM10g

See Also: "About Challenge Methods" on page 22-71
Challenge Redirect
URL

This URL declares the end point referencing the Credential Collector (ECC or
DCC). For example:
ECC: /oam/server
DCC: http:///
See Also:
■

"About Host Identifiers" on page 22-8

■

Configuring 11g WebGates and Authentication Policy for DCC

Authentication Module Identifies the pre-configured authentication module to be used to challenge the
user for credentials. The module or plug-in specified here identifies the exact
user identity store to be used.
■

FederationMTPlugin

■

FederationPlugin

■

Kerberos Plugin (Authentication Modules and Custom Authentication
Module)

■

MTLDAPBasic

■

MTLDAPPlugin

■

OIFMTLDAPPlugin

■

Password Policy Validation Module

■

TAPModule

■

X509 Plugin (under the X509 Authentication Modules node)

See Also "Managing Native Authentication Modules" on page 22-23 and
"Orchestrating Multi-Step Authentication with Plug-in Based Modules" on
page 22-29.

22-66 Administrator's Guide for Oracle Access Management

Managing Authentication Schemes

Table 22–20

(Cont.) Authentication Scheme Definition

Element

Description

Challenge URL

This URL is associated with the designated Challenge Method (FORM, for
instance).
FORM-based, out of the box authentication scheme (LDAPScheme and
LDAPNoPasswordValidationScheme), Challenge URL is "/pages/login.jsp". The
context type and context values are used to build the final URL.
X509-based Challenge URL takes the form: https://managed_server_
host:managed_server_ssl_port/oam/CredCollectServlet/X509
Note: The default Challenge URL is based on the credential collector embedded
with the OAM Server (ECC). If you are using detached credential
collector-enabled Webgate and related DCC pages installed with WebGate, see
Configuring 11g WebGates and Authentication Policy for DCC.

Challenge Parameters

Supported challenge parameters are discussed in "About Challenge Parameters
for Authentication Schemes" on page 22-75.

For schemes using
Challenge Method
FORM, X509, or DAP

Only Schemes with the Challenge Method of FORM, X509, or DAP include the
following additional elements. Other schemes use defaults that require no
change.

Context Type

Used to build the final URL for the Embedded Credential Collector (ECC only,
DCC does not use this) based on the following possible values:
■

■

default: The Context Value is used to construct the final URL to forward to
for credential collection. For example: with a challenge URL of
"/pages/login.jsp" and a context value of /oam, the server forwards to
"/oam/pages/login.jsp" for credential collection by the ECC.
customWar: If a customized credential collector page "customlogin.jsp" is
deployed in a WAR file (with context root, "custom") within the same
domain, it should be used to collect credentials. Then set the following
values to have server forward to the WEB application page
"/custom/customlogin.jsp" to collect credentials:
challenge_url = "/customlogin.jsp"
contextType="customWar"
contextValue="/contextroot of custom application"

■

customHtml: A custom html credential collector page. This file can be
placed in a location that is accessible to the application. Set the following
values to have the server forward to the custom servlet provided to read the
html file and render the page:
challenge_url = "/CustomReadServlet"
contextType="customHtml"
contextValue="html file location"

■

external: If the login page is external, the file can be placed in a location that
is accessible to the application. Set the following values to have the server
redirect to the challenge URL (the fully-qualified URL of the external
credential collector page) for credential collection. The username and
password are collected by the external form (HTML or jsp) and submitted
to the OAM Server:
challenge_url = "http://host:port/externallogin.jsp"
contextType="external"
contextValue=Not applicable
See Also: "About Custom Login Pages" on page 22-67 and Managing Global
Password Policy

Context Value

Used to build the final URL for the credential collector. The default value is
/oam.

About Custom Login Pages
Only Schemes with the Challenge Method of FORM, X509, or DAP include additional
elements described at the end of Table 22–20. All custom login pages must meet the
following requirements:

Managing Authentication and Shared Policy Components

22-67

Managing Authentication Schemes

■

■

Custom login pages require two form fields (username and password). Access
Manager supports custom forms as described in Oracle Fusion Middleware
Developer's Guide for Oracle Access Management.
CustomWar and external context types, require logic within the custom login page
to perform the following two tasks:
–

Send back the request ID the page received from the Access Manager server.
For example: String reqId = request.getParameter("request_id");


–

Submit back to the OAM Server the end point, "/oam/server/auth_cred_
submit". For example: 
or "http://oamserverhost:port/oam/server/auth_cred_submit". For more information, see the following topics: ■ Pre-configured Authentication Schemes ■ About Challenge Methods ■ About Challenge Parameters for Authentication Schemes See Also: Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details about customizing login pages and messages. 22.9.1.1 Pre-configured Authentication Schemes Table 22–21 identifies the pre-configured authentication schemes available with Access Manager and some specific details of each. For more information about challenge parameters, see Table 22–21. Table 22–21 Pre-configured Authentication Schemes Scheme Name Specifications Purpose AnonymousScheme Authentication Level: 0 Challenge Method: None Authentication Module: AnonymousModule Leaves unprotected specific Access Manager URLs and allows users to access such URLs without a challenge. Users are not challenged and do not need to enter their credentials. Note: Authentication Level 0 is for public pages. Oracle recommends that you do not use Level: 0 in a custom authentication scheme. Also: When a resource is protected by AnonymousScheme, it is not displayed in a session search. BasicFAScheme For Fusion Applications Only for Oracle Fusion Applications For specific information about this authentication scheme, refer to the Oracle Fusion Applications Technology Library located on the Oracle Technology Network (OTN) web site: http://www.oracle.com/technetwork BasicScheme BasicSessionlessScheme Authentication Level: 1 Challenge Method: Basic Authentication Module: LDAP Protects Access Manager-related resources (URLs) for most directory types. Authentication Level: 1 Challenge Method: Basic Authentication Module: LDAP Primarily used for clients that don't support URL redirect or cookies. Note: Authentication Level 1 is only one step higher than 0 public pages. Oracle recommends that you do not use Level: 1 in a custom authentication scheme. Challenge Parameters: CookieLessMode=true Note: Authentication Level 1 is only one step higher than 0 public pages. Oracle recommends that you do not use Level: 1 in a custom authentication scheme. 22-68 Administrator's Guide for Oracle Access Management Managing Authentication Schemes Table 22–21 (Cont.) Pre-configured Authentication Schemes Scheme Name Specifications Purpose FAAuthScheme Authentication Level: 2 Challenge Method: FORM Authentication Module: LDAP Context: customWar Context Value: /fusion_apps For specific information about this authentication scheme, refer to the Oracle Fusion Applications Technology Library located on the Oracle Technology Network (OTN) web site: Only for Oracle Fusion Applications http://www.oracle.com/technetwork FederationMTScheme Only for Oracle Fusion Applications FederationScheme Only for Identity Federation 11.1.2. KerberosScheme For specific information about this authentication Authentication Level: 2 Challenge Method: FORM scheme, refer to the Oracle Fusion Applications Authentication Module: FederationMTPlugin Technology Library located on the Oracle Technology Network (OTN) web site: Context Type: customWar Context Value: /fusion_apps http://www.oracle.com/technetwork Challenge Parameters: initial_ See Also: "About Challenge Parameters for command=NONE Authentication Schemes" on page 22-75. is_rsa=true Authentication Level: 2 Challenge Method: FORM Authentication Module: FederationPlugin See Also: Part IX, "Managing Oracle Access Management Identity Federation". Context Type: customWar Context Value: /oam Challenge Parameters: initial_ command=NONE is_rsa=true Note: With Oracle Identity Federation 11.1.1, use OIFScheme as described in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager. Authentication Level: 2 Challenge Method: WNA Authentication Module: Kerberos Protects Access Manager-related resources (URLs) for most directory types based on a Windows Native Authentication challenge method and valid WNA credentials in Active Directory. Context Type: customWar Context Value: /fusion_apps LDAPNoPasswordValid Authentication Level: 2 Challenge Method: FORM ationScheme Authentication Module: LDAPNoPasswordAuthModule Context Type: default Context Value: /oam Protects Access Manager-related resources (URLs) for most directory types based on a form challenge method. Used with the Identity Asserter for SSO when you have resources in a WebLogic Container. For details, see the Oracle Fusion Middleware Application Security Guide. Note: LDAPNoPasswordAuthModule is similar to the DAP (asserter) mechanism. See Also OAM10gScheme, later in this table. LDAPScheme Authentication Level: 2 Challenge Method: FORM Authentication Module: LDAP Protects Access Manager-related resources (URLs) for most directory types based on a form challenge method. Context Type: customWar Context Value: /fusion_apps OAAMAdvanced Authentication Level: 2 Challenge Method: FORM Authentication Module: LDAP Context Type: external OAAMBasic Authentication Level: 2 Challenge Method: FORM Authentication Module: LDAP Context Type: default Context Value: /oam Protects OAAM-related resources with an external context type. This authentication scheme is used when complete integration with OAAM is required. A Webgate must front ending the partner. Protects OAAM-related resources with a default context type. This scheme should be used when basic integration with OAAM is required. Here, advanced features like OTP are not supported. This is more of an integration when mod_osso is used as the agent. Challenge Parameters oaamPostAuth=true oaamPreAuth=true Managing Authentication and Shared Policy Components 22-69 Managing Authentication Schemes Table 22–21 (Cont.) Pre-configured Authentication Schemes Scheme Name Specifications Purpose OAM10gScheme Authentication Level: 2 Challenge Method: OAM10G Authentication Module: LDAPNoPasswordAuthModule Facilitates integration and coexistence with Oracle Access Manager 10g. In the coexistence mode, Oracle Access Manager 10g is the authenticator and Access Manager 11g is the asserter. See Also LDAPNoPasswordValidationScheme, earlier in this table. This scheme requires challenge mechanism OAM10G, specifically for OAM10g coexistence with OSSO as described in "OAM10G" on page 22-74. enableCoexistMode and disableCoexistMode in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. OAMAdminConsoleSch eme Authentication Level: 2 Challenge Method: FORM Authentication Module: LDAP Authentication scheme for Oracle Access Management Console. Context Type: default Context Value: /oam OICScheme Authentication Level: 2 Challenge Method: DAP Authentication Module: TAPModule Context Type: External Challenge Parameters: TAPPartnerId=RPPartner MatchLDAPAttribute=mail OIFScheme Only for Oracle Identity Federation 11.1.1. For Identity Federation 11.1.2, use FederationScheme. Authentication Level: 2 Challenge Method: DAP Authentication Module: DAP Context Type: External Access Manager uses this scheme to delegate authentication to Mobile and Social services and redirects the user to the Mobile and Social login page for authentication. See Also: Part XI, "Managing Oracle Access Management Mobile and Social" This scheme delegates authentication to OIF, after which, Oracle Identity Federation sends back a token that is asserted by the OAM Server as described in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager. The Delegated Authentication Protocol (DAP) challenge method is used to delegate authentication to a third-party (OIF in this case). Challenge Parameters: TAPPartnerId=OIFDAPPartner See Also: "About Challenge Parameters for Authentication Schemes" on page 22-75. OIMScheme Authentication Level: 1 Challenge Method: FORM Authentication Module: LDAP Context Type: default Context Value: /oam Protects Oracle Identity Manager-related resources with a default context type. Note: When integrating OAM and OIM, OAM downgrades the user's authentication level when any of the following is detected: password expiry forced password change challenge setup not done This enables the user to access the pages only after performing necessary operations in the identity management (OIM) page to which the user is redirected. At Level 1, only public and OIM pages for the required operations can be accessed. Note: Authentication Level 1 is only one step higher than 0 public pages. Oracle recommends that you do not use Level: 1 in a custom authentication scheme. OSSOCoexistMigrateSc heme Set as the Default authentication scheme for environments that have been migrated from OSSO 10g to Access Manager 11g. See Also: Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management. 22-70 Administrator's Guide for Oracle Access Management Managing Authentication Schemes Table 22–21 (Cont.) Pre-configured Authentication Schemes Scheme Name Specifications Purpose PasswordPolicyValidati onScheme Authentication Level: 2 Challenge Method: FORM Authentication Module: Password Policy Validation Module Context: External Enables password policy evaluation. TAPResponseOnlySche me Authentication Level: 2 Challenge Method: DAP Authentication Module: DAP TAPScheme Authentication Level: 2 Challenge Method: DAP Authentication Module: DAP To use TAPScheme for IDM product resources in the IAM Suite Application Domain, Protected HigherLevel Policy, the following configuration must be done in addition to changing the Authentication Scheme. Context Type: External 1. From the IAM Suite Application Domain, Protected Higher Level Policy, remove IAMSuiteAgent:/oamTAPAuthenticate. 2. Create a new Authentication Policy in the IAM Suite Application Domain, that uses LDAPScheme. 3. Protect IAMSuiteAgent:/oamTAPAuthenticate using the newly created policy. Challenge Parameters: TAPPartnerId=TAPPartnerName X509Scheme Authentication Level: 5 Challenge Method: X509 Authentication Module: X509 This authentication scheme is a certificate-based user identification method. To use this method, a certificate must be installed on the user's browser and the Web server must be SSL-enabled. Note: This scheme relies on SSL to deliver the use's X.509 certificate to the OAM Server. 22.9.1.2 About Challenge Methods Authentication involves determining what credentials a user must supply when requesting access to a resource, gathering credentials over HTTP, and returning an HTTP response that is based on the results of credential validation. Access Manager provides the following credential challenge methods for use in an authentication scheme: ■ FORM ■ BASIC ■ X509 ■ WNA ■ NONE ■ DAP ■ OAM10G FORM This authentication challenge uses an HTML form with one or more text input fields for user credentials. In a typical form-based challenge, users enter a user name and password in two text boxes on the form. The most common credential choices are user name and password; however, you can use any user attributes: for example, user name, password, and domain. Managing Authentication and Shared Policy Components 22-71 Managing Authentication Schemes A Submit button posts the content of the form. When the user clicks the Submit button, the form data is posted to the Web server. OAM and OSSO Agents intercept and process the form data. Upon validation of the user credentials collected in the form, the user is authenticated. This challenge method relies on an LDAP Authentication Module and the user identity store associated with that module. Note: You might want to use form-based authentication challenge for reasons such as: ■ ■ A consistent user experience: Using form-based login and a standardized logout means that the user experience for login and logout features will be consistent across browsers. A Custom Form: You can apply your organization's look and feel in the authentication process. For example, a custom form can include a company logo and a welcome message instead of the standard user name and password window used in Basic authentication. ■ ■ Additional Information: You can gather additional information at the time of login. Additional Functionality: You can provide additional functionality with the login procedure, such as a link to a page for lost password management. BASIC This built-in Web server challenge mechanism requires a user to enter her login ID and password. The credentials supplied are compared to the user's definition in the LDAP directory server. Thus, a Basic challenge relies on the LDAP Authentication Module and user identity store associated with that module. If a URL is protected by Access Manager using Basic Authentication with OID configured as the identity store, OID defined users can not log in. To resolve this, add the following line before the closing tag in the config.xml file. Note: false X509 With the X509 certificate challenge method, a user's browser must supply an X.509 digital certificate over SSL to the OAM Server through the Agent to perform authentication. Note: X509 is the challenge method for the X509Scheme. The user's organization can determine how to obtain a certificate. The X.509 client certificate must be verified against the trusted CAs in the keystore used by OAM Proxy and OAM Servers to ensure the validity of X.509 Client certificate for authentication. 22-72 Administrator's Guide for Oracle Access Management Managing Authentication Schemes The following attributes of the X.509 certificate can be validated against the user identity store associated with Access Manager: ■ SubjectDN ■ SubjectUniqueID ■ Mail ■ CN To acquire the user entry, the X509 Authentication Module takes the attribute name of the X.509 certificate to be validated and the LDAP attribute against which the search will be launched. The expected result is the single user entry matching the criteria. If the search returns no user entry, or more than one entry, authentication fails. Authentication scheme parameters are located in oam-policy.xml. For X509 authentication, Administrators must configure the Oracle HTTP Server as a reverse proxy (or a server with the wl-proxy plug-in). The Oracle HTTP Server must be configured in two way SSL Mode to acquire X.509 certificate for authentication. Oracle HTTP Server can also be configured for CRL verification. Note: The online certificate status protocol (OCSP) capabilities are also provided. Any certificate passed for X.509 certificate-based authentication is validated using an OCSP request. Administrators can configure the system to communicate with one or more OCSP servers to retrieve the certificate status. The X509 Authentication Module configuration for the OCSP responder URL indicates whether OCSP validation is to be done. The value, if specified, indicates the URL for validation of the X.509 client certificate using OCSP. No value indicates no OCSP validation. WNA Uses Windows Native Authentication with Active Directory, and the Kerberos Authentication Module. The KerbScheme relies on the WNA challenge method and Kerberos Authentication Module. Note: See Also: Chapter 57 for details about integration with Windows Native Authentication NONE The challenge method of None means that users are not challenged and do not need to enter their credentials. This is used in the AnonymousScheme authentication scheme, which allows users to access Access Manager-specific URLs that you do not want to protect. DAP The Delegated Authentication Protocol (DAP) challenge method is required for OIFScheme (Oracle Identity Federation 11.1.1 integration) with the DAP authentication module and external context type (Table 22–20). The DAP challenge mechanism indicates that Access Manager does an assertion of the token that it Managing Authentication and Shared Policy Components 22-73 Managing Authentication Schemes receives, which differs from the standard challenge "FORM" mechanism with the external option. DAPModule is an assertion module, though it is specialized for this one application and does not appear in the list of Authentication Modules in the Oracle Access Management Console. This integration replaces OSSO 10g with Access Manager 11g, with no changes from the Identity Federation side. The DAP challenge mechanism delegates authentication to a third party (Identity Federation in this case). The challenge_url points to the Identity Federation Server URL. When a resource is protected by this scheme, the OAM Server redirects to the Identity Federation Server URL for credential collection. OAM Server does not perform the credential collection or validation in this case. Identity Federation collects the credentials, authenticates the user against its identity store and returns an assertion token to the OAM Server consisting of the username. Access Manager receives and decrypts this token, checks whether the user is a valid user in the default identity store for Oracle Access Management. If the user is valid, Access Manager gives access to the resource. The DAPToken is encrypted and decrypted with a key that is shared between Access Manager and Identity Federation. The DAPToken is built from the Access Manager side. The Identity Federation Administration EM Console provides a way to generate the keystore containing the encryption keys that will be used to secure communications between the Access Manager and Identity Federation. Access Manager provides a WLST command (registerOIFDAPPartner), that takes the keystore location generated by the Identity Federation store and retrieves the keys and stores it on the Identity Federation side. OAM10G This mechanism is created for Oracle Access Manager 10g coexistence with OSSO 10g. The OAM10G method always acts as the authentication and authorization provider and is required for OAM10gScheme with the LDAPNoPasswordAuthModule to facilitate trust when you have Oracle Access Manager 10g protecting a domain that also includes an OSSO 10g integrated classic application (Portal, Disco, and so on). OSSO10g is protected with OAM10G challenge method through Webgate; OAM10G always acts as the authentication and authorization provider. Facilitating Integration: The OSSO 10g integrated classic applications can be upgraded to Access Manager, which then acts only as an asserter. Access Manager creates the tokens that mod_osso can consume so that access can be provided to these applications. The mod_osso applications are protected by the new "OAM10gScheme". There is a Webgate front ending the OAM Server and configured against the 10g Access Server. Setup: When the resource is accessed, Webgate intercepts the request and sends it to the 10g Access Server for authentication. Oracle Access Manager 10g collects the credentials, validates it against its identity store, and sets the username as a header variable (OAM_REMOTE_USER). The request now goes to the OAM Server which uses the OAM10gScheme to locate the username in the header variable. Access Manager retrieves the header variable and asserts the presence of the user against the primary identity store. If present, the required cookies (OAM_ID) are generated and redirected to the resource. 22-74 Administrator's Guide for Oracle Access Management Managing Authentication Schemes See Also: ■ ■ OAM10gScheme in Table 22–21 enableCoexistMode and disableCoexistMode in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference 22.9.1.3 About Challenge Parameters for Authentication Schemes Challenge parameters are short text strings consumed and interpreted by Webgates and Credential Collector modules to operate in the manner indicated by those values. The syntax for specifying any challenge parameter is: = This syntax is not specific to any Webgate release (10g versus 11g). Authentication schemes are independent of Webgate release. Table 22–22 identifies the pre-configured schemes with challenge parameters. Table 22–22 Challenge Parameters in Pre-configured Schemes Pre-configured Schemes BasicSessionlessScheme Challenge Parameter CookieLessMode=true Primarily used for clients that do not support URL redirect or cookies. FederationMTScheme initial_command=NONE Primarily used for Fusion Applications that support multiple factor authentication. is_rsa=true Used with RSA multi-step authentication, as described in Chapter 56, "Integrating RSA SecurID Authentication with Access Manager" and the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. FederationScheme Primarily used for clients that do not support URL redirect or cookies. For Identity Federation 11.1.2.only. Use OIFScheme for Oracle Identify Federation 11.1.1. Context Value: /fusion_apps Challenge Parameters: initial_command=NONE is_rsa=true Primarily used for clients that do not support URL redirect or cookies. OAAMBasic oaamPostAuth=true oaamPreAuth=true Protects OAAM-related resources. These parameters should be used when basic integration with OAAM is required. OIFScheme TAPPartnerId=OIFDAPPartner For Oracle Identify Federation 11.1.1 This scheme delegates authentication to Oracle Identity Federation 11.1.1, after which, only. Use FederationScheme for Federation sends back a token that is asserted by the OAM Server. Identity Federation 11.1.2. TapScheme TAPPartnerId=TAPPartnerName An authentication scheme can collect context-specific information before submitting the request to the Access Server. Context-specific information can be in the form of an external call for information. Table 22–23 lists user-defined challenge parameters you can use in Authentication Schemes. Managing Authentication and Shared Policy Components 22-75 Managing Authentication Schemes Table 22–23 User-Defined Challenge Parameters for Authentication Schemes Challenge Parameter Definition initial_command=NONE Required to enable the plug-in to indicate which credentials are to be collected. For example, for Form-based authentication, the framework typically expects to collect "username" and "password" (submitted from the login page). However, you might want credentials from different fields of the login page; "form_username" and "form_password" for example. Setting this challenge parameter shifts initial control from the login page to the plug-in, which decides the parameters to collect from the login page then appropriately forwards or redirects to the page. Default: blank (not set) action= The actions parameter identifies the URL to which the HTML form is posting when you do not want to use the hard coded ECC default /oam/server/auth_cred_submit. Note: ECC does not use the action= parameter. When the action= challenge parameter is not specified, both the DCC and ECC use the default: /oam/server/auth_cred_submit. See Also: "Configuring the PasswordPolicyValidationScheme" creds= Supported by the detached credential collector (DCC) only. DCC Only In the following 11g example, username and password are the names of relevant fields in the login form: creds=username password NOTE: Format of this challenge parameter has changed since the 10g release. The Web server source (server parameter) takes precedence over other sources. This prevents the request data, which is under control of the user, from overriding Web server data. For example, a remote_user cookie sent from a user will not override a remote_user variable set by the Web server Generally, when the user submits a login form that is protected by an authentication scheme with a Form-based challenge method, the DCC processes the credentials that were specified with this creds= parameter. For forms using METHOD=POST processing, the browser sends a POST request to the Web server with the credential data from the form in the body of the request. If the form uses METHOD=GET, the browser sends a GET request with query string parameters with the same names as those specified on the creds parameter. Oracle recommends that you use POST processing, if possible. Note: You can specify the creds parameter with the other types of challenge methods. For a plug-in to make use of the creds parameter, you specify what is passed in the obMap credentials parameter of the ObUserSession object, as described in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. See Also: "Configuring the PasswordPolicyValidationScheme" extracreds= DCC Only Supported by the DCC only. Specifies optional parameters which, if present, are made available to the authentication plug-in for collection during each iteration of a multi-step authentication using the DCC. The extracreds parameter uses the same syntax as the creds parameter: extracreds= separated qualified or unqualified names [{any | cookie | header | server | query | post}:] . However, the value any is used by extracreds only. For example: extracreds=[{any | cookie | header | server | query | post}:] See Also: "Configuring the PasswordPolicyValidationScheme" OverrideRetryLimit=0 The number of tries that can override the RetryLimit for login. The value must be a positive integer. A value of zero (0) disables this function. See Also: "Configuring the PasswordPolicyValidationScheme" ChallengeRedirectMethod Authentication POST data preservation parameter for both the embedded credential collector (ECC) and the detached credential collector (DCC). Value: GET|POST|DYNAMIC Note: Preference is given first to the Authentication Scheme containing this parameter; second to the Webgate providing this user defined parameter. Otherwise, default behavior is Dynamic. See Also: "Configuring Authentication POST Data Handling" Table 15–2, " User-Defined WebGate Parameters" 22-76 Administrator's Guide for Oracle Access Management Managing Authentication Schemes Table 22–23 (Cont.) User-Defined Challenge Parameters for Authentication Schemes Challenge Parameter Definition MaxPreservedPostDataBytes Configure this Authentication Scheme challenge parameter (or user-defined Webgate parameter) for authentication POST-data preservation. Default: 8192 bytes Note: Preference is given first to the Authentication Scheme containing this parameter; second to the Webgate providing this user-defined parameter. Otherwise, default behavior is 8192 bytes. This parameter defines the maximum length of POST data that Webgate can preserve. If the size of inbound raw user POST data (or encrypted post data after processing), crosses this limit, POST data is dropped and the existing authentication flow continues. The event is logged as usual. See Also: "Configuring Authentication POST Data Handling" on page 22-94 Table 15–2, " User-Defined WebGate Parameters" MaxPostDataBytes= DCC Only Configure this Authentication Scheme challenge parameter to restrict the maximum number of bytes of POST data that is submitted as user credentials and sent to the OAM Server. Configure this challenge parameter for POST-data preservation by the DCC only to limit the maximum size of the POST data that can be posted as credentials on the form and sent to the OAM Server. DCC compares the value of the content-length header with the limit set. Default: 8192 bytes This challenge parameter requires a positive integer value. See Also: Table 15–2, " User-Defined WebGate Parameters" "Configuring the PasswordPolicyValidationScheme" "Configuring Authentication POST Data Handling" on page 22-90 ssoCookie= Controls the OAMAuthnCookie cookie, as described in "Configuring Challenge Parameters for Encrypted Cookies" on page 22-88. Default: ssoCookie=httponly ssoCookie=Secure Disable either setting: ssoCookie=disablehttponly ssoCookie=disableSecure Note: These parameters are configured differently depending on your credential collector configuration. ■ ■ For detached credential collector-enabled 11g Webgates, set these parameters directly in the agent registration page. For non-DCC agents (Resource Webgates), these parameters are configured through user-defined challenge parameters in authentication schemes. See Also: Table 22–30, " Challenge Parameters for 10g/11g Encrypted Cookies" Managing Authentication and Shared Policy Components 22-77 Managing Authentication Schemes Table 22–23 (Cont.) User-Defined Challenge Parameters for Authentication Schemes Challenge Parameter Definition miscCookies= Controls other miscellaneous Access Manager internal cookies. By default, httponly is enabled for all other (miscellaneous) cookies. Default: miscCookies=httponly miscCookies=Secure Disable either setting: miscCookies=disablehttponly miscCookies=disableSecure Note: These parameters are configured differently depending on your credential collector configuration. ■ ■ For detached credential collector-enabled Webgates, set these parameters directly in the agent registration page. For non-DCC agents (Resource Webgates), these parameters are configured through challenge parameters of the same name. See Also: Table 22–30, " Challenge Parameters for 10g/11g Encrypted Cookies" "Configuring the PasswordPolicyValidationScheme" DCCCtxCookieMaxLength= Defines the maximum length of the DCC cookie. DCC Only Default: 4096 See Also: TempStateMode in this table for more information. 22-78 Administrator's Guide for Oracle Access Management Managing Authentication Schemes Table 22–23 (Cont.) User-Defined Challenge Parameters for Authentication Schemes Challenge Parameter Definition TempStateMode= Controls how the DCC stores the OAM Server state (cookie or form) as specified with the parameter's value: ■ form: This is the default, and is required for retaining authentication POST data. The OAM Server state stored and passed through the form parameter "OAM_REQ", to avoid the case when the OAM Server configuration serverRequestCacheType=COOKIE, bloated server state causes DCCCtxCookie to explode beyond limit resulting in incorrect behavior. The cookie cache mode can be changed to FORM mode from default COOKIE mode. FORM mode works with long URLs. The only difference in behavior is for programmatic authentication, which requires a proper form Submit to pass the OAM_REQ parameter set to the form. Custom credential collection pages need to handle the OAM_REQ parameter that is submitted with the form. ■ cookie: Adding this parameter and value stores the OAM Server state through part of the DCCCtxCookie (encdata=… svrctx=…). However, when serverRequestCacheType=COOKIE or =FORM, this could cause incorrect behavior if the resulting cookie length is beyond browser limit. Note: ■ When serverRequestCacheType=COOKIE, Oracle recommends TempStateMode=form. ■ When serverRequestCacheType=BASIC, either mode is fine. To update serverRequestCacheType, use the WLST command configRequestCacheType as described in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Editing serverRequestCacheType is not supported using the Oracle Access Management Console. With ECC: The serverRequestCacheType dictates whether OAM Server stores its state in memory(BASIC) or not (FORM or COOKIE). serverRequestCacheType = COOKIE or FORM only makes difference when ECC is used. OAM Server stores its state in a request token, which ECC keeps in a cookie or hidden form field as specified with the parameter: serverRequestCacheType=COOKIE, for example. With DCC: There is no difference between serverRequestCacheType=COOKIE or FORM. TempStateMode controls how the DCC stores the OAM Server state (cookie or form) as specified with the parameter's value: TempStateMode=cookie, for example. With the DCC, POST data restoration with a Form-based Authentication Scheme requires the challenge parameter TempStateMode=form. See Also: allowedAccessGateList= ■ Configuring 11g WebGates and Authentication Policy for DCC ■ Table 15–2, " User-Defined WebGate Parameters" ■ " Parameters Required for Authentication POST Data Handling" ■ "Configuring the PasswordPolicyValidationScheme" Authentication Scheme challenge parameter configured with SPACE separated list of WebGate IDs defining those WebGates that are allowed to enforce authentication by this scheme. For example: allowedAccessGateList=WebgateID1 WebgateID2 TunneledUrls ■ For OAM : TunneledUrls=/oam ■ For OAAM : TunneledUrls=/oam/server/obrareq.cgi,/oam/server/dap/cred_submit ■ For OIF : TunneledUrls=/oamfed ■ For OIM : TunneledUrls=/oam 22.9.2 Understanding Multi-Level and Step-Up Authentication This section provides the following topics: ■ About Multi-Level and Step-Up Authentication ■ Detection of Insufficient Authentication Level by OAM Agent ■ Multi-Level Authentication Processing with 10g OSSO Agent Managing Authentication and Shared Policy Components 22-79 Managing Authentication Schemes 22.9.2.1 About Multi-Level and Step-Up Authentication Every authentication scheme requires a strength level. The higher the number, the more more secure the authentication mechanism; the lower the number, the less stringent the scheme. For example: ■ LDAPScheme authLevel=1 ■ KerbScheme authLevel=3 Note: Multi-level authentication does not affect, negate, or alter X.509 certificate authentication. SSO capability enables users to access more than one protected resource or application with a single sign in. After a successful user authentication at a specific level, the user can access one or more resources protected by one or more Application Domains. However, the authentication schemes used by the Application Domains must be at the same level (or lower). When a user accesses a resource protected with an authentication level that is greater than the level of his current SSO token, he is re-authenticated. In the step-up case, the user maintains his current level of access even if failing the challenge presented for the higher level. This is "additional authentication". A user who is authenticated to access resources at level 3, is eligible to access resources protected at levels less than or equal to 3. However, if the user is authenticated to access resources at level 2 and then attempts to access resources protected by level 3, the user is asked to re-authenticate (this is known as step-up authentication). Note: Access Manager policies allow different resources of the same application to be protected with different authentication levels. In such cases, the application must enforce the Level and send the Dynamic Directive to mod_osso for re-authentication. On receiving the Dynamic Directive, mod_osso will redirect to Access Manager for re-authentication at the appropriate level. Both agent types redirect the user to the OAM Server to authenticate again. The challenge is presented according to the level of the authentication scheme configured in the policy for the resource. Registered agents detect the authentication level as follows: ■ ■ OAM Agents receive an insufficient level error message from the OAM Server, as described in "Detection of Insufficient Authentication Level by OAM Agent" on page 22-81. mod_osso detects the authentication level from dynamic directives, as described in Multi-Level Authentication Processing with 10g OSSO Agent on page 22-81. Note: mod_osso delegates authentication to Access Manager. Oracle recommends that mod_osso-protected resources be protected with Access Manager authentication levels. the mod_osso plug-in does not support two resources on the same application with a different trust level. 22-80 Administrator's Guide for Oracle Access Management Managing Authentication Schemes See Also: Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite; for example, the chapter Integrating Access Manager and Oracle Adaptive Access Manager. The user was already authenticated when he accessed another resource with a lower authentication level using Access Manager. Oracle Adaptive Access Manager does not show the user name and password pages because the user is already authenticated. However, the flows that are executed in Oracle Adaptive Access Manager depend on whether the user was already logged in to Oracle Adaptive Access Manager. 22.9.2.2 Detection of Insufficient Authentication Level by OAM Agent When the user requests a resource that is protected with a higher level authentication scheme, the following process occurs. See Also: "Understanding Authentication Methods and Credential Collectors" on page 22-18 Process overview: OAM Agent detects insufficient session level No check of the authentication level is made on the server side. The following example refers to a 10g OAM Agent. 11g OAM Agents are associated with individual per-agent OAMAuthnCookies. Note: 1. The OAM Agent sends the request to the OAM Proxy to obtain the scheme details for the protected resource. 2. The OAM Agent sends the request for session information to the OAM Proxy. 3. The OAM Proxy returns details of the ObSSOCookie, including the authenticated level of the ObSSOCookie. 4. The OAM Agent compares the level of ObSSOCookie with that of the authentication scheme. ■ If insufficient, the agent invokes the authentication process again. ■ If sufficient, the access is granted access. 22.9.2.3 Multi-Level Authentication Processing with 10g OSSO Agent In contrast to OAM Agents, all the resources protected by mod_osso on a host (or virtual host) are protected at the same level. With mod_osso, multi-level authentication applies when user is already authenticated using one mod_osso host (or virtual host) at Level 2 and then tries to access another mod_osso protected host (or virtual host) at level 3. Process overview: OSSO Agent multi-level authentication flow 1. The user tries to access a resource protected by mod_osso on host1 at level 2. 2. The OSSO Agent sends the request to the OAM Proxy to obtain the authentication scheme details for the protected resource. 3. The OAM_ID cookie for SSO Server and a host based cookie "HOST_port" for host1 are set and contain authentication level information. Managing Authentication and Shared Policy Components 22-81 Managing Authentication Schemes 4. After authentication, the user tries to access a resource on host2 that is protected with a higher level of authentication. 5. The user is redirected to the OAM Server for authentication because this is the first time accessing host2. 6. The OAM Server (OSSO Proxy) receives the OAM_ID cookie which has an insufficient level to access the resource on host2. ■ ■ If the level is insufficient, the OAM Server (OSSO Proxy) triggers re-authentication. If the level is sufficient, the access is granted access. 22.9.3 Creating an Authentication Scheme Users with valid Administrator credentials can use the following procedure to add a new authentication scheme for use in an Application Domain. Prerequisites The authentication module must be defined and ready to use as described in "Deploying and Managing Individual Plug-ins for Authentication" on page 22-58. See Also: ■ ■ "About Authentication Schemes and Pages" on page 22-65 Configuring 11g WebGates and Authentication Policy for DCC if needed To create an authentication scheme 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security Console, click Authentication Schemes in the Access Manager section. 3. Click the Create Authentication Scheme. 4. Fill in the fresh Authentication Scheme page (Table 22–20) by supplying information based on your deployment: a. Name: LDAPSimpleFormScheme b. Authentication Level c. Challenge Method: FORM d. Challenge Redirect URL: http://CredentialCollectorhost:port e. Authentication Module: LDAP f. Challenge URL: /CredentialCollector/loginform... g. Challenge Parameters: Table 22–22, Table 22–23, Table 22–30 h. Context Type 5. Click Apply to submit the new scheme (or close the page without applying changes). 6. Dismiss the Confirmation window. 7. Optional: Click the Set as Default button to automatically use this with new Application Domains, then close the Confirmation window. 22-82 Administrator's Guide for Oracle Access Management Managing Authentication Schemes 8. Confirm the new scheme appears in the list of schemes (refresh if needed). 9. Proceed to "Defining Authentication Policies for Specific Resources" on page 25-31. 22.9.4 Searching for an Authentication Scheme Users with valid Administrator credentials can perform the following task to search for a specific authentication scheme. See Also: "Conducting A Search" To search for an authentication scheme 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security Console, click Authentication Schemes in the Access Manager section. 3. In the Name field, enter the target scheme name (with or without wild card *). For example: OA* 4. Click the Search button to initiate the search. 5. Click the Search Results tab to display the results table, and then: ■ ■ Edit: Click the Edit button in the tool bar to display the configuration page. Delete: Click the Delete button in the tool bar to remove the instance; confirm removal in the Confirmation window. ■ Detach: Click Detach in the tool bar to expand the table to a full page. ■ View: Select a View menu item to alter the appearance of the results table. 22.9.5 Viewing, Editing, or Deleting an Authentication Scheme Users with valid Administrator credentials can use the following procedure to view or modify an existing authentication scheme. During a delete operation, if the Authentication Scheme is associated with any authentication policy, she is prompted with association details. Without policy associations, the scheme is deleted. Note: See Also: ■ "About Authentication Schemes and Pages" ■ "Configuring the PasswordPolicyValidationScheme" To view or modify an authentication scheme 1. Search for the target scheme, as described in the previous section. 2. In the list of search results, select the target scheme and click Edit. 3. Edit: a. On the Authentication Scheme page, modify values for your environment (Table 22–20). Managing Authentication and Shared Policy Components 22-83 Extending Authentication Schemes with Advanced Rules In an upgraded deployment with OSSO Agents, change the Authentication Scheme and any Protected Resource Policies to use SSOCoExistMigrateScheme. Note: b. Click Apply to submit the changes (or close the page without applying changes). c. Dismiss the Confirmation window. 4. Set as Default: Click the Set as Default button to automatically use this scheme when creating policies in fresh Application Domains, then close the Confirmation window. 5. Delete: a. Review any Application Domain using this authentication scheme and assign a different scheme. b. Review the Authentication Scheme page to confirm this is the scheme to remove, then close the page. c. In the navigation tree, click the name of the scheme and then click the Delete button in the tool bar. d. Confirm removal (or dismiss the Confirmation window). 22.10 Extending Authentication Schemes with Advanced Rules Advanced Rules have been added to allow for extending an existing authentication policy. Both Pre-Authentication and Post-Authentication rules can be applied although the following configurations are not supported by Post-Authentication Rules. ■ ■ ■ Two or more resources front ended by the same OHS/WebGate and protected by the same Authentication Scheme. A Post-Authentication rule configured for one of the resources defined in step up authentication. A user accesses a resource for which no Post-Authentication rule is configured followed by a resource for which a Post-Authentication rule is configured for step up authentication. In this case, the Post-Authentication rule configured for the resource is not effective. Advanced Rules are part of the Adaptive Authentication Service for which a license is required. See Section 35.1, "Using the Adaptive Authentication Service." Note: Advanced Rules contain Boolean expressions. If there is more than one triggered outcome to an Authentication Scheme, the lowest execution order outcome will be chosen as the final outcome. Table 22–24 documents the attributes that need be defined when creating an Advanced Rule. Table 22–24 Advanced Rules Attributes Name Description Name AuthnRule name. Name has to be unique within the checkpoint Description Description of the rule 22-84 Administrator's Guide for Oracle Access Management Extending Authentication Schemes with Advanced Rules Table 22–24 (Cont.) Advanced Rules Attributes Name Description Execution Order Order in which the outcome will be executed in cases of more than 1 outcome Condition Script; the user can configure condition based on the HTTP request header's availability and set the desired outcome Outcome ID of the Authentication Scheme to which the rule applies. Access / Deny. See the following sections for details. ■ Using Advanced Rules ■ Using Context Data for Advanced Rules 22.10.1 Using Advanced Rules Advanced Rules can be configured for the following use cases. ■ ■ ■ ■ Non Browser Client - For user authentication, a form-based login page is presented through the browser for the user to complete. In some cases, a non-browser client (switches, routers and the like) might need to do basic authentication based on credentials passed via the request header. Non-browser client authentication can be configured as a pre-authentication Advanced Rule only. To support non-browser client authentication, configure the desired condition in an Authentication Rule (based on the HTTP request header's availability) and set the desired outcome. Windows Native Authentication Option - An Advanced Rule can be configured to allow for switching between Windows Native Authentication (WNA) and form-based user authentication depending on whether the user comes thru VPN or a corporate network. User Authentication Scheme Option - An Advanced Rule can be configured to allow the user to choose the method of authentication. The choice would be passed as a request parameter. Second Factor Authentication - An Advanced Rule can be configured to allow for Second Factor Authentication (SFA) based on defined user or request attributes. For details on SFA, see Chapter 35, "Introducing the Adaptive Authentication Service." Table 22–25 contains examples of how the conditions might be configured in these Advanced Rules use cases. Table 22–25 Sample Advanced Rules Sample Rule Sample Jython Script-based Condition Notes Switching authentication scheme based on private or public IP rule location.clientIP.startswith('10.') or This rule can be used in location.clientIP.startswith('172.16') or Pre and Post location.clientIP.startswith('192.168') authentication checkpoints Black listed IP location.clientIP in ['130.35.50.115', '130.35.50.112', '130.35.50.113'] This rule can be used in Pre and Post authentication checkpoints Managing Authentication and Shared Policy Components 22-85 Extending Authentication Schemes with Advanced Rules Table 22–25 (Cont.) Sample Advanced Rules Sample Jython Script-based Condition Sample Rule Notes Client Browser Type request.userAgent.lower().find('firefo x') > 0 This rule can be used in Pre and Post authentication checkpoints Blocking access to user having user attribute 'description' equals 'test' user.userMap['description'] == 'test' This rule can be used only in Post authentication checkpoints Non browser client request.authorization.lower().startswi This rule can be used th('basic') only in Pre authentication checkpoints Customer HTTP Header value request.requestMap['param'] == 'test' This rule can be used in Pre and Post authentication checkpoints Switching authentication scheme based on IP address in range location.isIPinRange('192.35.50.180','1 92.35.50.188') This rule can be used in Pre and Post authentication checkpoints 22.10.2 Using Context Data for Advanced Rules Before executing the Authentication Condition, the Access Manager server prepares a request context using the available data (to construct a Boolean expression based condition). The following tables describe the various context data details. ■ Table 22–26, " Request Context Data" ■ Table 22–27, " Location Context Data" ■ Table 22–28, " Session Context Data" ■ Table 22–29, " User Context Data" Table 22–26 Request Context Data Attribute Name Description requestMap Map of all the request headers, parameters and post data values. This example can get the custom-header key from request header and compare it with value 'test'. request.requestMap['custom-header'].lower().find('test') > 0 resourceMap Map of matched resource details accept Returns 'Accept' header value acceptCharset Returns 'Accept-Charset' header value acceptEncoding Returns 'Accept-Encoding' header value acceptLanguage Returns 'Accept-Language' header value authorization Returns 'Authorization' header value connection Returns 'Connection' header value contentLength Returns 'ContentLength' header value cookie Returns 'Cookie' header value 22-86 Administrator's Guide for Oracle Access Management Extending Authentication Schemes with Advanced Rules Table 22–26 (Cont.) Request Context Data Attribute Name Description host Returns 'Host' header value ifModifiedSince Returns 'ifModifiedSince' header value pragma Returns 'Pragma' header value referer Returns 'Referer' header value userAgent Returns 'UserAgent' header value resourceHost Returns matched Resource's Host value resourcePost Returns matched Resource's Port value resourceOperation Returns matched Resource's Operation value resourceQueryString Returns matched Resource's QueryString resourceName Returns matched Resource's name resourceType Returns matched Resource's Type resourceURL Returns matched Resource's URL; for example, if 'landingPage' is in request.resourceURL, condition will evaluate to true if resourceURL has landingPage in it. isIPinRange('start IP' ,'end IP') Evaluates to true if location.clientIP is in the specified range. Example: location.isIPinRange('192.35.50.180','192.35.50.188') Table 22–27 Location Context Data Attribute Name Description locationMap Map of all the location data values; for example: location.locationMap['CLIENT_IP'] == '10.1.23.4' clientIP Returns client IP address; for example: location.clientIP.startswith('10.2') proxyIP Table 22–28 Returns Proxy IP address Session Context Data Attribute Name Description sessionMap Map of all the session data values; for example: session.sessionMap['count'] > 2; count Returns number of sessions for the current user; for example: session.count > 2 Table 22–29 User Context Data Attribute Name Description userMap Map of all the user profile data; for example: user.userMap['email'] == 'john.joe@example.com' Managing Authentication and Shared Policy Components 22-87 Configuring Challenge Parameters for Encrypted Cookies 22.11 Configuring Challenge Parameters for Encrypted Cookies This section provides the following topics: ■ About Challenge Parameters for Encrypted Cookies ■ Configuring Challenge Parameters for Security of Encrypted Cookies ■ Setting Challenge Parameters for Persistence of Encrypted Cookies 22.11.1 About Challenge Parameters for Encrypted Cookies In addition to the OAM Server cookie (OAM_ID), Access Manager implements single sign-on through an encrypted cookie: ■ 11g Webgate, One per agent: OAMAuthnCookie__ set by Webgate using the authentication token received from the OAM Server after successful authentication Note: A valid OAMAuthnCookie is required for a session. ■ 10g Webgate, One ObSSOCookie for all 10g Webgates. Access Manager provides the ssoCookie challenge parameter that you can use within any authentication scheme to control how Webgates set the flags of the encrypted cookie. For example: ■ ■ Securing Encrypted Cookie: Ensures that the encrypted cookie is sent only over an SSL connection and prevents the encrypted cookie from being sent back to a non-secure Web server. Persisting Encrypted Cookie: Allows the user to log in for a time period rather than a single session. Persistent cookie functionality works with Internet Explorer and Mozilla browsers. The value of the challenge parameter is note case sensitive. Syntax is the same regardless of your Webgate release. A single value is specified after the equal sign (=): Note: ssoCookie=value Multiple values must be separated by a semicolon (;). For example: ssoCookie=value1;value2;... ■ ■ For detached credential collector-enabled Webgates, set these parameters directly in the agent registration page (Table 15–2). For non-DCC agents (Resource Webgates), these parameters are configured through Authentication Scheme challenge parameters (Table 22–30). Table 22–30 describes specific challenge parameters that control how Webgates set encrypted cookie flags for single sign-on. Table 22–30 Challenge Parameters for 10g/11g Encrypted Cookies 11g /10g Webgate Challenge Parameter Syntax for Encrypted Cookies Description ssoCookie= Parameter that controls flags for the SSO cookie OAMAuthnCookie. 22-88 Administrator's Guide for Oracle Access Management Configuring Challenge Parameters for Encrypted Cookies Table 22–30 (Cont.) Challenge Parameters for 10g/11g Encrypted Cookies 11g /10g Webgate Challenge Parameter Syntax for Encrypted Cookies Description Parameter that controls flags for all other Access Manager encrypted cookies. miscCookies= Ensures that the encrypted cookie is sent only when the resource is accessed through HTTPS. A secure cookie is required only when a browser is visiting a server using HTTPS. Secure ssoCookie=Secure miscCookies=Secure Explicitly disables Secure cookies. disableSecure ssoCookie=disableSecure miscCookies=disableSecure Enabled by default with 11g Webgate SSO OAMAuthnCookie and miscellaneous cookies. httponly ssoCookie=httponly miscCookies=httponly disablehttponly Explicitly disables httponly functionality, making the encrypted cookies accessible to client-side scripts. ssoCookie=disablehttponly miscCookies=disablehttponly ssoCookie=max-age=time-in-secon Creates a persistent cookie in browsers, rather than one that lasts for a single session, and specifies the time interval in-seconds when the ds cookie expires. For example, to set the cookie to expire in 30 days (2592000 seconds): max-age=2592000 22.11.2 Configuring Challenge Parameters for Security of Encrypted Cookies The challenge parameter is not case sensitive. See Also: "Creating an Authentication Scheme" on page 22-82 To secure the encrypted cookie 1. Create an authentication scheme. 2. In the Challenge Parameter field, enter your specification for the desired encrypted cookies (Table 22–30). 3. Confirm that the OAM Servers and clients (OAM Agents) are communicating securely across the Oracle Access Protocol channel, as described in Appendix C. 22.11.3 Setting Challenge Parameters for Persistence of Encrypted Cookies The challenge parameter is not case sensitive. See Also: "Creating an Authentication Scheme" on page 22-82 To define encrypted cookie persistence 1. Define an authentication scheme. 2. In the challenge parameter for this scheme, add the following (Table 22–30): WebGate ssoCookie=max-age=time-in-seconds Managing Authentication and Shared Policy Components 22-89 Configuring Authentication POST Data Handling 22.12 Configuring Authentication POST Data Handling Post data preservation and restoration functions apply to both credential collectors (ECC or DCC). This section provides the following topics: ■ About Authentication Post Data Preservation and Restoration ■ About Configuring Authentication POST Data Handling ■ Configuring Authentication POST Data Handling ■ Testing POST Data Handling Configuration 22.12.1 About Authentication Post Data Preservation and Restoration POST data preservation and restoration functions come into play when an application has a form wherein the user has entered a credential (or other data) but the session has expired, an idle session timeout has occurred, or the token validity period has ended by the time the user submits the form. If this scenario occurs, the user is presented with a fresh login form (depending on the authentication scheme) unless POST data is preserved and restored. Administrators can configure the Resource Webgate to perform POST data preservation when the expired user and newly authenticated user are the same. Table 22–31 describes Resource Webgate support and behavior for post data. Authentication POST data preservation and restoration is not supported when Access Manager performs authentication through custom agents. Note: Table 22–31 Resource Webgate Support of POST Data Preservation and Restoration Resource Webgate Description Supports Authentication Schemes LDAP, Basic, Sessionless Basic, X509, WNA Supports form encoding with text/html, text/plain, multipart/form-data, and application/x-www-form-urlencoded type data posted by the application form. Preserves The encoding type of the data posted by the original application form, except the input field of file type. Ensures The downstream application sees the same post data that was posted by the original application form. Constrains The overall size of the inbound request data or the inbound front channel message. There shall be a configuration parameter to override the code default value. This shall be per application. Maintains application data confidentiality and integrity Neither the Resource Webgate nor credential collector will interpret, nor log, application post data. If, after expiration and during re-authentication, the user authenticates with different credentials, then the post data of the previous user is cleared by the Resource Webgate and not restored. However, Webgate will post to the downstream application URL that was posted by the original application form. 22-90 Administrator's Guide for Oracle Access Management Configuring Authentication POST Data Handling Table 22–31 (Cont.) Resource Webgate Support of POST Data Preservation and Resource Webgate Description Ignores Preservation if ... Post data is larger than the configured or hard-coded limit, preservation is ignored. Logs a Message when ... Performs Standard Authentication if ... Shows an Error when ... Post data is skipped because it is bigger than the allowed limit, a message is logged. Post data size is larger than the hard-coded limit (or the configured value), the standard authentication flow is used. Together, if both front channel message data and application post data are large an error occurs. Table 22–32 describes credential collector feature support for POST data handling. Table 22–32 Credential Collector Support for POST Data Handling Credential Collector Support ECC and DCC Compatible with earlier 11g Webgates Supports post data preservation for Form based authentication scheme with the default login form provided out of the box. Preserves application post data during authentication processing by: ■ Challenging the user ■ Re-challenging the user if invalid credentials are provided Does not interpret application post data. Constrains the overall size of inbound front-channel messages using a configuration parameter to override the default value, per application. Logs a warning when post data is skipped because it is larger than the allowed limit. Does not preserve application post data when: ■ Authentication policy is configured with Success or Failure authentication URLs ■ Password management (password expiration and so on) is involved ■ Access Manager is used for performing authentication through custom agents. ECC Only ■ The embedded credential collector does not support POST data handling with the external login page. DCC Only ■ ■ ■ ■ POST data is preserved through the HTTP header, and the amount of POST data that can be handled to 8192 characters. POST data restoration with a Form-based Authentication Scheme requires the challenge parameter TempStateMode=form. DCC does not support custom login pages. DCC does not support POST data restoration during password management operations (password expiration, for instance) when the URL_ACTION in the password policy plug-in is set to anything other than FORWARD. 22.12.2 About Configuring Authentication POST Data Handling Table 22–33 summarizes the authentication schemes that support authentication POST data handling. Managing Authentication and Shared Policy Components 22-91 Configuring Authentication POST Data Handling Table 22–33 Authentication Schemes Supporting POST Data Handling Authentication Schemes ■ FORM challenge method, supported with the out of the box login page. ■ WNA ■ Basic ■ Basic+Sessionless ■ X509 ■ OIF, OIM, OAAM integrations using TAP Table 22–34 summarizes complete configuration requirements for authentication POST data handling. All requirements described in Table 22–34 are supported end to end with the authentication schemes in Table 22–33. Table 22–34 Parameters Required for Authentication POST Data Handling Parameter Description MaxPostDataBytes Configure this Authentication Scheme challenge parameter for POST-data preservation used by the DCC only to limit the maximum size of the POST data that can be posted as on the login form. DCC compares the value of the content-length header with the limit set. Default: unlimited This Authentication Scheme challenge parameter requires a positive integer value that restricts the maximum number of bytes of POST data that is submitted as user credentials and sent to the OAM Server. MaxPreservedPostDataBytes Configure this Authentication Scheme challenge parameter (or user-defined Webgate parameter) for authentication POST-data preservation. Default: 8192 bytes Note: Preference is given first to the Authentication Scheme containing this parameter; second to the Webgate providing this user-defined parameter. Otherwise, default behavior is 8192 bytes. This parameter defines the maximum length of POST data that Webgate can preserve. If the size of inbound raw user POST data (or encrypted post data after processing), crosses this limit, POST data is dropped and the existing authentication flow continues. The event is logged as usual. See Also: "Configuring Authentication POST Data Handling" on page 22-90 Table 15–2, " User-Defined WebGate Parameters" TempStateMode=form DCC Only With the DCC, a Form-based Authentication Scheme requires the challenge parameter TempStateMode=form for POST data restoration For Form authentication scheme, if this parameter is not defined, the value will be "form". See Also: "Configuring Authentication POST Data Handling" on page 22-90 Table 15–2, " User-Defined WebGate Parameters" 22-92 Administrator's Guide for Oracle Access Management Configuring Authentication POST Data Handling Table 22–34 (Cont.) Parameters Required for Authentication POST Data Handling Parameter Description ChallengeRedirectMaxMessageBy Configure this user-defined Webgate parameter to limit the size of the tes message data received as obrareq.cgi and obrar.cgi. Message data is comprised of query string length (if present) or POST data length (if POST data is present). If message size exceeds this limit, the message is not processed and the existing message is shown in the browser. The event is logged as usual. Default: 8192 bytes Notes: obrareq.cgi is the authentication request in the form of a query string redirected from Webgate to the credential collector (OAM Server or DCC). obrar.cgi is the authentication response string redirected from the credential collector (OAM Server or DCC) to Webgate. See Also: "Configuring Authentication POST Data Handling" on page 22-90 Table 15–2, " User-Defined WebGate Parameters" PostDataRestoration Configure this user-defined Webgate parameter to initiate authentication POST-data preservation for the resource Webgate. This parameter requires a value of true or false. Default: false When set to true, Webgate initiates POST data preservation. See Also: "Configuring Authentication POST Data Handling" on page 22-90 Table 15–2, " User-Defined WebGate Parameters" serverRequestCacheType ECC Only Configure this OAM parameter to define the mechanism used to remember the request context by the embedded credential collector (ECC). This OAM Server parameter in $DOMAIN_ HOME/config/fmwconfig/oam-config.xml indicates mechanism to be used to remember the request context. Possible values are FORM, COOKIE, or CACHE. Default: COOKIE FORM is the required value for POST data preservation, Long URL handling and Form-based authentication schemes. See Also: TempStateMode in this table. "Configuring Authentication POST Data Handling" on page 22-90 22.12.3 About Post Data Size Limits Assuming the usual form data entered by users is about several kilobytes, putting a limit on data comsumption from the incoming request is a general requirement. The data transferred in the front channel protocol (either request or response) must also go through the size check. Considering these situations: ■ Limit the size of data passed to the OAM Server on the back channel using the maxpostdatabytes authentication challenge parameter In cases where the DCC is used, the maxpostdatabytes authentication challenge parameter performs this check on the overall POST data. ■ Limit the size of the POST data from the end user application using MaxPreservedPostDataBytes authentication scheme challenge parameter. The MaxPreservedPostDataBytes authentication scheme challenge parameter handles this. Additionally, this can be set as a user-defined Webgate parameter. ■ Limit size of the front channel payload on obrar.cgi or obrareq.cgi with a Webgate user-defined parameter ChallengeRedirectMaxMessageBytes. Managing Authentication and Shared Policy Components 22-93 Configuring Authentication POST Data Handling 22.12.4 Configuring Authentication POST Data Handling Be sure to read all POST data topics in this section before attempting this procedure. There is no need to make any explicit change in your authentication scheme. To configure authentication POST data handling 1. Configure the Authentication Scheme: a. Use the Oracle Access Management Console to create or find the desired scheme (Table 22–33). b. On the Authentication Scheme page, modify values for POST data handling. This example uses the embedded credential collector (Table 22–20) and values for POST data handling (Table 22–23): Name: DesiredScheme Authentication Level 2 Challenge Method: Form Challenge Redirect URL: /oam/server/ Authentication Module: LDAP Challenge URL: /pages/login.jsp Context Type: External Challenge Parameters Authentication Scheme Challenge Parameters for Post Data with ECC Authentication Scheme Challenge Parameters for Post Data with DCC MaxPreservedPostDataBytes=9000 MaxPreservedPostDataBytes=9000 TempStateMode=form c. 2. 3. Click Apply to submit the changes. ECC: Configure serverRequestCacheType, the OAM parameter in oam-config.xml, if using ECC. a. Stop the managed server. b. Stop the administration server. c. Open oam-config.xml and modify the value of serverRequestCacheType. d. Save the file. e. Restart the administration server. f. Restart the managed server. Configure Webgate Parameters for POST data handling: a. From the System Configuration tab, Access Manager section, create or find the desired OAM Agent registration. b. On the agent registration page, submit values for POST data handling (Table 22–23): Name: DesiredAgent User-Defined Parameters User-Defined Webgate User-Defined Webgate Post Data Parameters with ECC Post Data Parameters with DCC PostDataRestoration=true PostDataRestoration=true 22-94 Administrator's Guide for Oracle Access Management Long URL Handling During Authentication c. Click Apply to submit the changes. 22.12.5 Testing POST Data Handling Configuration The following actions can be performed in sequence to test your POST data handling configuration. 1. Complete all configurations as documented. 2. Develop a simple script to print the POST data and the URL protected by Webgate. 3. Use a browser to access the protected resource. 4. Provide credentials and establish SSO. Wait for the idle session timeout period. 5. With the same browser, use the form to post data to the same Webgate using the URL which can print the POST data. You will be redirected to credential collector. 6. Enter the same credentials previously used. From the HTTP headers you can see, after getting obrar.cgi from the credential collector, the protected resource Webgate will give a 200 response (previously it was 302) and the POST data can be printed by your script. 22.13 Long URL Handling During Authentication Long URL handling applies to both credential collectors (ECC or DCC) and is a default operation. 22.13.1 About Long URLs and Authentication Handling Authentication involves redirecting the user's request to a centralized component that performs authentication, known as a Credential Collector. The mechanism used to redirect user from the policy enforcement point (OAM Agent) to the Credential Collector, is a proprietary front channel protocol over HTTP. This protocol currently provides the context of the request and the authentication response on the query string. In situations where the URL of the requested page is larger, the overall context becomes larger and can go beyond the browser's permissible size. This is referred to as Long URL Handling. By default, the Resource Webgate checks the payload size of the front channel protocol message to determine if it is larger than the coded limit. When long URL handling is explicitly enabled, the limit is ignored and has no impact. The credential collector determines if the front channel response payload is to be sent as HTTP Post data when: ■ ■ ■ The incoming request indicates that the agent is capable of handling HTTP POST or REDIRECT type of response The credential collector is configured to always send the payload as HTTP post data The credential collector is configured to always send the payload as a query string If no explicit configuration is present, then if the payload size is greater than predefined limit, then it shall send payload as the HTTP post data. But if the payload size is lower than the predefined limit, then it shall send it on the query string. Note: If application post data is also preserved there is no impact. Managing Authentication and Shared Policy Components 22-95 Long URL Handling During Authentication Table 22–35 identifies Long URL handling functionality with both the ECC and DCC. Table 22–35 ECC and DCC: Long URL Handling ECC Long URL Handling DCC Long URL Handling ECC is compatible with all 11g Webgates. Same as ECC. N/A Long URL handling is limited to the maximum allowed size of the DCCContextCookie. The DCC does not perform explicit long URL handling. There is no support to preserve the front channel payload on the form. 22.13.2 About Configuring Long URL Handling Table 22–36 summarizes the authentication schemes that support authentication Long URL handling. Table 22–36 Authentication Schemes Supporting Long URL Handling Authentication Schemes ■ FORM challenge method, supported with the out of the box login page. ■ WNA ■ Basic ■ Basic+Sessionless ■ X509 ■ OIF, OIM, OAAM integrations using TAP Table 22–37 summarizes the parameters and complete configuration requirements for authentication Long URL handling. All requirements described in Table 22–37 are supported end to end with the authentication schemes in Table 22–36. Table 22–37 Parameters Required for Long URL Handling Parameter Description ChallengeRedirectMethod Configure this as either as an Authentication Scheme challenge parameter (or as a user-defined Webgate parameter) for POST-data preservation for both the embedded credential collector (ECC) and the detached credential collector (DCC). Note: Preference is given first to the Authentication Scheme containing this parameter; second to the Webgate providing this user-defined parameter. Otherwise, default behavior is Dynamic. Value: GET|POST|DYNAMIC Behavior when value is: ■ ■ ■ POST: Webgate sends encquery as POST data and credential collectors send encreply as POST data. GET: Webgate sends encquery as query string and expects encreply as query string. DYNAMIC: Default behavior, based on the length of the encquery/encreply. Webgate/credential collector sends data either as a query string or as POST data. Code default maximum length is 2000 characters. See Also: "Configuring Authentication POST Data Handling" Table 15–2, " User-Defined WebGate Parameters" 22-96 Administrator's Guide for Oracle Access Management Using Application Initiated Authentication Table 22–37 (Cont.) Parameters Required for Long URL Handling Parameter Description ChallengeRedirectMaxMessageBy Configure this user-defined Webgate parameter to limit the size of the tes message data received as obrareq.cgi and obrar.cgi. Message data is comprised of query string length (if present) or POST data length (if POST data is present). If message size exceeds this limit, the message is not processed and the existing message is shown in the browser. The event is logged as usual. Default: 8192 bytes Notes: obrareq.cgi is the authentication request in the form of a query string redirected from Webgate to the credential collector (OAM server or DCC). obrar.cgi is the authentication response string redirected from the credential collector (OAM server or DCC) to Webgate. See Also: "Configuring Authentication POST Data Handling" on page 22-90 Table 15–2, " User-Defined WebGate Parameters" serverRequestCacheType ECC Only Configure this OAM parameter to define the mechanism used to remember the request context by the embedded credential collector (ECC). This OAM Server parameter in $DOMAIN_ HOME/config/fmwconfig/oam-config.xml indicates mechanism to be used to remember the request context. Possible values are FORM, COOKIE, or CACHE. Default: COOKIE FORM is the required value for POST data preservation, Long URL handling and Form-based authentication schemes. See Also: TempStateMode in this table. "Configuring Authentication POST Data Handling" on page 22-90 Long URL handling is enabled by default. The Webgate/credential collector sends data either as a query string or a POST. The length of the querystring parameter sent with obrareq.cgi and obrar.cgi is 2000 characters maximum. 22.14 Using Application Initiated Authentication Access Manager exposes a Reauthentication URL that applications may choose to invoke if the user is accessing a sensitive URL or operation. This re-authentication will be triggered irrespective of whether or not the user already has a valid session. An application can trigger re-authentication by invoking the /oamreauthenticate URL at: http://:/oamreauthenticate Access Manager will expect the /oamreauthenticate to be registered and associated with an authentication policy. Re-authentication will be performed using the scheme associated with this policy. The re-authentication URL takes the redirection URL as a query parameter. After re-authentication is complete, Access Manager redirects the user to this URL. A request to re-authenticate the user might look like the following: http://:/oamreauthenticate? redirect_url=http://:/ If the redirection URL is not specified, a 404 error code is returned. If the incorrect credentials are specified during re-authentication, the user will remain on the login page and, after the maximum retry limit, the user will be redirected to an appropriate error page. The following process is how to configure for application initiated authentication. Managing Authentication and Shared Policy Components 22-97 Using Application Initiated Authentication 1. Create an http://:/oamreauthenticate resource and assign the desired authentication scheme to it. 2. In the redirect URL, set the appropriate responses to verify that re-authentication has been successful and to communicate back to the application about the re-authentication responses. Access Manager sets the last re-authentication time as a "OAM_LAST_ REAUTHENTICATION_TIME" header and this value is updated every time the user is re-authenticated. 22-98 Administrator's Guide for Oracle Access Management 23 Understanding Credential Collection and Login 23 [20This ] chapter introduces the elements that comprise Access Manager credential collection. Credential collection is a functionality that can be executed either on the Access Manager server (ECC) or WebGates (DCC). This chapter includes the following topics: ■ Logging In with Access Manager Credential Collection ■ Processing SSO Login with OAM Agents and ECC ■ Processing SSO Login with OAM Agents and DCC ■ Processing SSO Login with OSSO Agents (mod_osso) and ECC ■ Configuring 11g WebGates and Authentication Policy for DCC ■ Tunneling from DCC to Access Manager Over Oracle Access Protocol ■ Configuring a DCC WebGate for X509 Authentication Unless explicitly stated, information in this chapter is the same for all agent types and Access Manager credential collectors. Note: For details about single log-out, see Chapter 27, "Configuring Centralized Logout for Sessions Involving 11g WebGates". 23.1 Logging In with Access Manager Credential Collection Access Manager provides two mechanisms for credential collection during authentication processing: ■ The default Embedded Credential Collector (ECC) is installed with the Access Manager Server and can be used as-is with no additional installation or set up steps (except the global password policy configuration described in "Managing Global Password Policy"). The mechanism that redirects the user from the Policy Enforcement Point to the Credential Collector is a proprietary front channel protocol over HTTP. This protocol currently provides a context of the request and the authentication response on the query string. ■ The 11.1.2 (or later) WebGate provides a single switch for the optional Detached Credential Collector (DCC). The DCC provides network isolation for greater security in production deployments, and is required for some forms of authentication. Understanding Credential Collection and Login 23-1 Logging In with Access Manager Credential Collection For a detailed comparison of the two mechanisms for credential collection, see Section 22.5, "Understanding Authentication Methods and Credential Collectors." Although the DCC is the recommended approach for credential collection, instructions in this book presume you are using the ECC unless explicitly stated. Note: Single Sign On login processing determines whether the user is a valid user and whether the session state is active or inactive (either a first time user or the user session has expired). Session management support locates, persists, and cleans up the session context and user token. Details are in the following sections. ■ Login with Self-Service Provisioning Applications ■ Login Processing with Access Manager-Protected Resources 23.1.1 Login with Self-Service Provisioning Applications Provisioning does not create the session in Access Manager. When a new user uses a self-service provisioning application to create an account, he is prompted for his userID and password again when accessing an application. The protected application is directed to Access Manager 11g, which requests the user's credentials. For example, if Oracle Identity Manager is protected by Access Manager, the user request is redirected to Access Manager from which a request to enter credentials is made. Note: Success and failure results are the same as described in "Login Processing with Access Manager-Protected Resources". 23.1.2 Login Processing with Access Manager-Protected Resources The first time a user attempts to access a protected resource, she is prompted for her credentials based on the authentication scheme and authentication level for the resource. Typically a userID and password are needed. Failure: Authentication fails if the wrong userID or password is entered. The user is not authenticated and another prompt for credentials appears. With Oracle Access Manager 11.1.1, only the ECC in the OAM server was available. Access Manager 11.1.2 supports the ECC by default. However, Access Manager also enables you to configure an 11g WebGate to use as a detached credential collector (DCC). A DCC-enabled WebGate can be separate from (or combined with) a Resource WebGates. Both the ECC and DCC provide an authentication flow that includes form login, error, and login retries. They provide SecurID and server affinity as well as password policy enforcement and a dynamic, multi-step, iterative, and variable (multi-step authentication) where the credentials are not supplied all at one time. A customizable authentication flow can include authentication plug-ins with contracts between the plug-in, OAM Proxy, and Credential Collector; a contract between the plug-in and login application; and between the Credential Collector and login application. When deciding whether to use one credential collector or both, consider: ■ Co-existence: Allowing both the ECC and DCC to co-exist enables you to use authentication schemes and policies configured for either the ECC or the DCC. 23-2 Administrator's Guide for Oracle Access Management Processing SSO Login with OAM Agents and ECC This enables a fallback mechanism for resources that rely on the ECC (Oracle Access Management Console, for instance). ■ Disabling ECC: Disabling the ECC entirely prohibits access to resources that rely on the ECC mechanism (Oracle Access Management Console, for instance). Table 23–1 provides links to more information. Table 23–1 Login Processing with Access Manager-Protected Resources Login Processing Topic See With OAM Agents and ECC "Processing SSO Login with OAM Agents and ECC" on page 23-3 With OAM Agents and DCC "Processing SSO Login with OAM Agents and DCC" on page 23-5 With OSSO Agents and ECC "Processing SSO Login with OSSO Agents (mod_osso) and ECC" on page 23-9 With Other Agents or Mixed Agent Types Mixed agent types are supported. Processing is the same for each agent type. For other agent types, see: ■ ■ ■ Login and Auto Login for Applications Using Oracle ADF Security Chapter 28, "Registering and Managing Legacy OpenSSO Agents" Chapter 29, "Registering and Managing Legacy OSSO Agents" Chapter 30, "Registering and Managing 10g WebGates with Access Manager 11g" Oracle Platform Security Services (OPSS) comprise Oracle WebLogic Server's internal security framework. On the Oracle WebLogic Server, you can run a Web application that uses Oracles Application Development Framework (Oracle ADF) security, integrates with Access Manager 11g SSO, and uses OPSS SSO for user authentication. For more information, see Appendix A, "Integrating Oracle ADF Applications with Access Manager SSO". 23.2 Processing SSO Login with OAM Agents and ECC This topic is based on using the default Embedded Credential Collector with OAM Agents (Resource WebGates) protecting resources). Access Manager authenticates each user with a customer-specified authentication method to determine the identity and leverages information stored in the user identity store. Access Manager authentication supports several authentication methods and a number of authentication levels. Resources with varying degrees of sensitivity can be protected by requiring higher levels of authentication that correspond to more stringent authentication methods. When a user tries to access a protected application, the request is received by Access Manager which checks for the existence of the SSO cookie. After authenticating the user and setting up the user context and token, Access Manager sets the SSO cookie and encrypts the cookie with the SSO Server key (which can be decrypted only by the SSO Engine). Depending on the actions (responses in Access Manager 11g) specified for authentication success and authentication failure, the user may be redirected to a specific URL, or user information might be passed on to other applications through a header variable or a cookie value. Based on the authorization policy and results of the check, the user is allowed or denied access to the requested content. If the user is denied access, she is redirected to another URL (specified by the Administrator in WebGate registration). Figure 23–1 shows the processes involved in evaluating policies, validating a user's identity, authorizing the user for a protected resource, and serving the protected Understanding Credential Collection and Login 23-3 Processing SSO Login with OAM Agents and ECC resource. This example shows the OAM Agent flow. There are slight variations with 11g WebGates/Access Clients. Figure 23–1 SSO Log-in with Embedded Credential Collector and OAM Agents Process overview: SSO Login Processing with Embedded Credential Collector and OAM Agents 1. The user requests a resource. 2. WebGate forwards the request to Access Manager for policy evaluation. 3. Access Manager: ■ Checks for the existence of an SSO cookie. ■ Checks policies to determine if the resource protected and if so, how? 4. Access Manager Server logs and returns decisions. 5. WebGate responds as follows: a. Unprotected Resource: Resource is served to the user. b. Protected Resource: Request is redirected to the credential collector. The login form is served based on the authentication policy. Authentication processing begins 23-4 Administrator's Guide for Oracle Access Management Processing SSO Login with OAM Agents and DCC 6. User sends credentials. 7. Access Manager verifies credentials. 8. Access Manager starts the session and creates the following host-based cookies: ■ One per Agent: OAMAuthnCookie set by 11g WebGates (ObSSOCookie set by 10g Webgate) using the authentication token received from the OAM Server after successful authentication. Note: A valid cookie is required for a session. ■ 9. One for OAM Server: OAM_ID Access Manager logs Success or Failure. 10. Credential collector redirects to WebGate and authorization processing begins. 11. Webgate prompts Access Manager to look up policies, compare the user's identity, and determine the user's level of authorization. 12. Access Manager logs policy decision and checks the session cookie. 13. OAM Server evaluates authorization policies and cache the result. 14. OAM Server logs and returns decisions 15. WebGate responds as follows: ■ ■ If the authorization policy allows access, the desired content or applications are served to the user. If the authorization policy denies access, the user is redirected to another URL determined by the Administrator. 23.3 Processing SSO Login with OAM Agents and DCC The detached credential collector is simply a WebGate configured to use the additional Credential Collection capability in your deployment. There are two deployment types depending on whether the DCC WebGate is also protecting the applications or not. Table 23–2 identifies the DCC-supported deployments. Understanding Credential Collection and Login 23-5 Processing SSO Login with OAM Agents and DCC Table 23–2 DCC Deployment Support Deployment Type Description Separate DCC and Resource Webgate A distributed deployment where WebGates protecting applications are managed independently from the centralized DCC. You can have: ■ ■ Two or more 11.1.1.5 Resource Webgates that redirect to the 11.1.2 DCC-enabled WebGate for authentication 10.1.4.3 Resource WebGate that redirects to the 11.1.2 DCC-enabled WebGate for authentication Enable HTTPS between the user-agent and the DCC (but not with some or all Resource WebGates). When credential collection is externalized and centralized in the DCC, the user-agent connections with other WebGates never carry user credentials, nor session tokens that could be used to obtain access to resources protected by any other WebGate. This significantly reduces exposure caused by lack of SSL on these links and may be an acceptable tradeoff in some deployments. ■ ■ ■ Separate OHS Instances: Install the DCC on a different OHS instance (on the same or different host) as the Resource WebGate. Define the Resource WebGate Authentication Scheme Challenge Redirect URL to point to the DCC. Define the Resource WebGate logoutRedirectUrl to point to the DCC logout script/page (logout callbacks to Resource WebGate is invoked during logout). See Also: Figure 23–2 Combined DCC and Resource Webgate A streamlined deployment minimizing configuration and processing overhead. A DCC WebGate can function as both a resource WebGate (Policy Enforcement Point) that protects application resources and a DCC. In this case, there is no front-channel redirection or processing: ■ ■ ■ Install the DCC on a the same OHS instance (on the same host) as the Resource WebGate. Simplified configuration: The Challenge Redirect URL can be empty. No logoutRedirectUrl is needed, no logout callback is needed. See Also: Figure 23–3 Separate DCC and Resource Webgates: A sample deployment with segregated DCC is shown in Figure 23–2. 23-6 Administrator's Guide for Oracle Access Management Processing SSO Login with OAM Agents and DCC Figure 23–2 Example: Separate Resource WebGate and DCC WebGate Deployment This topology (Figure 23–2) showcases choices appropriate for scenarios with maximum security sensitivity. Both centralized and externalized credential collection are used: Resource WebGates protecting applications are segregated from the DCC WebGate performing credential collection. The user accesses the Access Manager-protected resource from the public network. A WebGate protecting the application is deployed within a DMZ. The DCC WebGate is also deployed within a DMZ. The protected application and OAM Server instances are located within the private network and not directly accessible from the public network. Using the DCC in the DMZ, only authenticated network connections are allowed to reach the server itself. The DCC inherits all back-channel communication characteristics available to 11g WebGates (network connection using the Oracle Access Protocol). The OAP offers: ■ SSL between the client and the server, optionally using 3rd party signed certificates ■ mutual authentication at the application level using client id and password ■ request multiplexing and full-duplex communication at the application level ■ built-in connection load balancing and failover capability The DCC receives an authentication request from the Agent and checks for the presence of the DCC cookie. If the cookie does not exist, credential collection is initiated; checks are made, and user-supplied credentials are passed for validation. Understanding Credential Collection and Login 23-7 Processing SSO Login with OAM Agents and DCC Encryption occurs only from an 11g resource WebGate to the DCC. The channel is not encrypted for communication between 10g resource WebGate and 11g DCC; this is in clear text. Note: Figure 23–3 Combined DCC and WebGate Configuration OHS 1 3 4 3 2 9 DCC WebGate Login App with pages: Login / CredCollection Logout Error 5 Browser User Agent 8 OAM Server Instance 6 OAM 7 Proxy AUTHN Plugin Legend Front channel: HTTPS User-Agent channel: HTTPS Other: SSL Process overview: Authentication with the combined DCC and Resource Webgate 1. The user requests access to a resource which initiates the authentication process. 2. The DCC redirects through the front channel to the login page. 3. The login page is returned to the user. 4. User enters credentials, which are posted to the action URL (a user-defined parameter in an authentication scheme, Table 22–23). 5. Authentication occurs using the back channel (OAP) and OAM Proxy. 6. The Authentication Plug-in is activated. 7. The Plug-in requests redirect to a URL to collect additional credentials. 8. The Plug-in request is returned to the DCC. 9. The DCC redirects to the URL and expects specified credentials. 10. The Browser follows the redirect. 11. Credentials are posted to the Action URL. See Also: "Configuring Logout When Using Detached Credential Collector-Enabled WebGate" on page 27-6 23-8 Administrator's Guide for Oracle Access Management Processing SSO Login with OSSO Agents (mod_osso) and ECC 23.4 Processing SSO Login with OSSO Agents (mod_osso) and ECC SSO login processing with registered OSSSO Agents (mod_osso) is similar to login processing with WebGates. However, mod_osso provides only authentication using Access Manager 11g authentication policies. mod_osso does not support authorization either on its own or using Access Manager 11g policies. Note: Figure 23–4 illustrates the login processing with mod_osso and Access Manager 11g. Figure 23–4 SSO Login Processing with OSSO Agents and ECC Process overview: SSO Log-in Processing with OSSO Agents and ECC 1. The user requests a resource. 2. mod_osso forwards the request to Access Manager for policy evaluation. 3. Access Manager: 4. ■ Checks for the existence of an SSO cookie. ■ Checks policies to determine if the resource protected and if so, how? OAM Server logs and returns decisions. Understanding Credential Collection and Login 23-9 Configuring 11g WebGates and Authentication Policy for DCC 5. mod_osso responds as follows: a. Unprotected Resource: Resource is served to the user. b. Protected Resource: Request is redirected to the credential collector. The login form is served based on the authentication policy. Authentication processing begins 6. User sends credentials. 7. ECC verifies credentials. 8. Access Manager starts the session, passes an authentication token to the application, and creates the following cookies: ■ One per partner: OHS_host_port ■ One for the OAM Server: OAM_ID ■ 9. Global Inactivity Out: A domain-level cookie GITO, described in mod_osso Cookies. Access Manager logs Success or Failure. 10. Credential collector redirects to mod_osso, which transmits the simple header values that applications can use to authorize the user. 11. Resource is served upon authentication success and the OHS-host-port cookie is set. 23.5 Configuring 11g WebGates and Authentication Policy for DCC The following task overview documents how to configure an 11g WebGate and Authentication Policy for use with the DCC. The appropriate sub sections are linked within each step. 1. Enabling DCC Credential Operations provides steps for either configuration: DCC Combined with Resource Webgate: Enable Allow Credential Collector Operations in the DCC's OAM Agent registration page. Separate DCC and Resource Webgate: Enable Allow Credential Collector Operations in the DCC's OAM Agent registration page and edit the Resource Webgate registration page to set the Logout Redirect URL to the DCC's logout.pl. 2. Locating and Updating DCC Forms for Password Policy 3. Adding PasswordPolicyValidationScheme to Authentication Policy for DCC provides steps for either configuration: DCC Combined with Resource Webgate: In the combined DCC/Resource Webgate Application Domain, update the Protected Resources Authentication Policy to use your DCC Authentication Scheme. Separate DCC and Resource Webgate: In the separate Resource Webgate Application Domain, update the Protected Resources Authentication Policy to use your DCC Authentication Scheme. 4. Supporting Federation Flows With DCC provides steps to incorporate the DCC into Federation flows. 23-10 Administrator's Guide for Oracle Access Management Configuring 11g WebGates and Authentication Policy for DCC If your environment uses the ECC, go to "Completing Password Policy Configuration". Note: 23.5.1 Enabling DCC Credential Operations Whether you are using a separate DCC or combined DCC and Resource WebGate, you must enable Allow Credential Collector Operations in the DCC's OAM Agent registration page. With a separate DCC and Resource WebGate, you must also edit the Resource WebGate registration page to set the Logout Redirect URL to the DCC's logout.pl, as described in Step 3. The following procedure presumes your deployment uses Open mode communication. If your deployment uses Simple or Cert mode communication, be sure to copy the appropriate artifacts when you perform Step 4. Prerequisites ■ Configuring and Managing Registered OAM Agents Using the Console ■ Managing Global Password Policy ■ Configuring Password Policy Authentication using DCC-specific details To enable DCC credential operations 1. In the Access Manager section of the Oracle Access Management Console, click SSO Agents to find and open the registration page for the 11.1.2 Webgate that will function as the DCC. 2. DCC WebGate Registration: Check Allow Credential Collector Operations, click Apply, then perform Steps 4 and 5. Note: If the DCC is combined with a Resource WebGate, skip Step 3. 3. Separate Resource WebGate: Edit the Resource WebGate registration to set the Logout Redirect URL to the DCC's logout.pl (Table 24–3), click Apply, then perform Steps 4 and 5. 4. Copy Agent configuration file (including Simple or Cert mode files) from the AdminServer (Console) host to the Agent host. For example: Agent & Artifacts Artifacts 11g WebGate/Access Client From the AdminServer (Console) host: ObAccessClient.xml and cwallet.sso Simple or Cert Mode $DOMAIN_HOME/output/$Agent_Name/ To the Agent host: $11gWG_install_dir/webgate/config Copy to the Agent host: $11gWG_install_dir/webgate/config ■ aaa_key.pem ■ aaa_cert.pem ■ aaa_chain.pem ■ password.xml See Also: Appendix C, "Securing Communication" 5. Restart the OHS Web server. Understanding Credential Collection and Login 23-11 Configuring 11g WebGates and Authentication Policy for DCC 6. Proceed to "Locating and Updating DCC Forms for Password Policy". 23.5.2 Locating and Updating DCC Forms for Password Policy Access Manager provides several dynamic pages for user interactions with the DCC. See Also: Oracle Fusion Middleware Developer's Guide for Oracle Access Management Prerequisites Enabling DCC Credential Operations To locate and update the DCC forms 1. Locate the DCC forms in the WebGate host (Table 24–3): $WEBGATE_HOME/webgate/ohs/oamsso/*, $WEBGATE_HOME/webgate/ohs/oamsso-bin/*pl, and $WEBGATE_HOME/webgate/ohs/oamsso-bin/templates/*. 2. Customize their location, depending on the desired topology of the authentication scheme being developed. 3. Update Perl Location: Update the Perl location to be consistent with the actual location, in the first line of the login, logout, and securid scripts on Webgate host in $WEBGATE_HOME/webgate/ohs/oamsso-bin/*pl (Table 24–3). 4. Customize the default pages for your enterprise, or replace them entirely with custom pages. For example, you can design, implement, and deploy a custom page that displays a different version of the login form for a mobile browser than is used for a desktop browser. 5. Proceed to "Adding PasswordPolicyValidationScheme to Authentication Policy for DCC". 23.5.3 Adding PasswordPolicyValidationScheme to Authentication Policy for DCC The following procedure provides steps that you must perform to use your DCC Authentication Scheme in a Protected Resources Authentication Policy. The steps you perform depend on the type of deployment you have: ■ ■ Combined DCC/Resource WebGate: Perform Step 1 to add your DCC Authentication Scheme to the Protected Resources Authentication Policy of the combined DCC/Resource WebGate Application Domain. Separate Resource WebGate: Perform Step 3 to add your DCC Authentication Scheme to the Protected Resources Authentication Policy of the separate Resource WebGate Application Domain. Perform Step 2 regardless of your DCC deployment type. By default, login and logout forms are excluded through OHS /httpd.conf/webgate.conf so that you do not need to exclude them through policies. However, with the Chrome browser, you must explicitly exclude the async favicon.ico request (which overrides the DCCCtxCookie). This example refers to the PasswordPolicyValidationScheme set for the DCC in Section 24.7, "Configuring Password Policy Authentication." Note: 23-12 Administrator's Guide for Oracle Access Management Configuring 11g WebGates and Authentication Policy for DCC Prerequisites Locating and Updating DCC Forms for Password Policy To use the DCC Authentication Scheme in an Authentication Policy 1. Combined DCC/Resource WebGate: Open the DCC application domain: Policy Configuration Application Domains DCCDomain a. Locate and open the Authentication Policy, Protected Resource Policy (see "Searching for an Authentication Policy" on page 25-34). b. Add your DCC Authentication Scheme to this policy (see "Defining Authentication Policies for Specific Resources" on page 25-31). PasswordPolicyValidationScheme (DCC Authentication Scheme) c. 2. Perform Step 2 if you have the Chrome Browser. Otherwise, go to Step 4. Chrome Browser: Add and exclude resource /favicon.ico in the DCCDomain, as follows. a. From DCCDomain, click the Resources tab. b. Find and open the HTTP resource /favicon.ico (or click the New Resource button and then add this resource). c. Confirm or edit the Resource URL to: /favicon.ico 3. d. In the Protection section, Protection Level list, select Excluded, then click Apply. e. Proceed to Step 4. Separate Resource Webgate: Open the Resource Webgate application domain. Policy Configuration Application Domains ResourceWGDomain a. Locate and open the Authentication Policy, Protected Resource Policy (see "Searching for an Authentication Policy" on page 25-34). b. Add your DCC Authentication Scheme and an optional Failure URL (when not specified, Failure URL displays the default error page) to this policy (see "Defining Authentication Policies for Specific Resources" on page 25-31): DCC Authentication Scheme Failure URL (optional) c. 4. Perform Step 2 if you have the Chrome Browser. Otherwise, go to Step 4. Restart your Web server and proceed to "Completing Password Policy Configuration". See Also: "Configuring Logout When Using Detached Credential Collector-Enabled WebGate" on page 27-6 Understanding Credential Collection and Login 23-13 Tunneling from DCC to Access Manager Over Oracle Access Protocol 23.5.4 Supporting Federation Flows With DCC The DCC is enhanced to work as a public end-point to the Access Manager server. HTTP requests to the DCC are tunneled via NAP to the proxy module of the Access Manager server. Only requests defined in the TunneledUrls parameter of the DCC Profile will be tunneled. The JSP pages and servlets are executed in the Access Manager server and the response is tunneled back to the DCC. The end user effectively communicates only to the DCC. Note: If a WebGate is configured as a DCC and federated flows are in use, the DCC WebGate cannot be used to protect the resource. A separate WebGate must be configured and used to protect the resource. Authentication and authorization requests will be tunneled to the OAM Server, and the ECC login form will be tunneled and displayed in the user’s browser. To use DCC for converged Federation flows, perform the following manual steps. 1. Configure the following internal resources as Public instead of Excluded. /oamfed/.../* /oam/.../* /.../* 2. In the DCC WebGate, set the logout value to a valid DCC WebGate logout URL; for example, /oamsso-bin/logout.pl 3. Update the DCC Agent entry by adding the following entry to the User Defined Parameters list using the Access Manager Administration Console. TunneledUrls=/oam,/oamfed See Section 23.6.2, "Configuring OAP Tunneling." 4. Update the OAM public endpoint entry so that it points to the DCC WebGate. Under Access Manager Settings, set the OAM Server Host, OAM Server Port and OAM Server Protocol to the values pertinent to the OHS/DCC and click Apply. Alternately you can update a single Authentication Scheme to point to the DCC WebGate by altering the challenge redirect URL leaving the REST parameters unchanged. Note: 5. Update the ProviderID value under Federation Settings (if applicable) and redistribute the new metadata to all Federation partners due to the endpoint change. 6. Set the contextType to 'External'. See Section 22.9.1, "About Authentication Schemes and Pages" for details on this setting. 23.6 Tunneling from DCC to Access Manager Over Oracle Access Protocol Access Manager supports HTTP communication over the Oracle Access Protocol (OAP). In this case, a WebGate configured as a DCC uses the ECC servlets for 23-14 Administrator's Guide for Oracle Access Management Tunneling from DCC to Access Manager Over Oracle Access Protocol credential collection during Access Manager authentication. The following sections contain more details. ■ How DCC Tunneling with OAP Works ■ Configuring OAP Tunneling For details on the DCC, see Section 22.5.2, "Comparing Embedded Credential Collector with Detached Credential Collector." Note: 23.6.1 How DCC Tunneling with OAP Works Figure 23–5 illustrates how the tunneling process works. This process works for DCC WebGates only. Figure 23–5 OAP Tunneling with DCC The following steps provide more details in regards to the OAP Tunneling process. 1. The URL to be tunneled is configured in the DCC WebGate profile. 2. This same URL is mapped to a servlet or JSP page in the Access Manager server. 3. On accessing the tunneled URL, the WebGate intercepts the HTTP request and converts it to an OAP request. 4. The OAP request is forwarded to the Access Manager server. 5. The Access Manager server (OAM proxy) receives the OAP request and passes it to the tunnel proxy. 6. The tunnel proxy will convert the OAP request to an HTTPServletRequest and invoke the corresponding servlet (or compiled servlet in the case of a JSP). 7. The response is converted back to an OAP message and passed to the OAP end point. 8. The OAM end point responds to the WebGate with the converted OAP message. 9. The WebGate converts the OAP message back to an HTTP response. 10. The WebGate provides the HTTP response to the caller (browser). 23.6.2 Configuring OAP Tunneling To configure OAP Tunneling, a WebGate must be installed and configured to work with the Access Manager server as a DCC. The Access Manager endpoint must be deployed on the Access Manager Server. After ensuring these prerequisites have been met, add a user-defined parameter to the WebGate profile that defines all URLs to be tunneled using the form TunneledUrls=,. For example: TunneledUrls=/oam,/sampleapp Understanding Credential Collection and Login 23-15 Configuring a DCC WebGate for X509 Authentication Lastly, protect the Tunneled URLs with an Authentication Policy. For details, see Chapter 22, "Managing Authentication and Shared Policy Components." 23.7 Configuring a DCC WebGate for X509 Authentication The following sections document the procedures to configure a DCC WebGate for use with X509 authentication. 1. Configuring the WebLogic Server 2. Configuring a WebGate For DCC 3. Converting the DCC WebGate to SSL 23.7.1 Configuring the WebLogic Server Use the procedures in the following sections to configure a WebLogic Server for X509 authentication. 1. Creating the Server and Trust Store 2. Configuring the WebLogic Server Instance 3. Creating the User Certificate 4. Adding the Root CA Certificate 23.7.1.1 Creating the Server and Trust Store These are common procedures for WebLogic Server. 1. Create Server certificate Create a Server Certificate and key for the WLS domain on which Oracle Access Management 11g is deployed. This entails requesting a certificate (in which the Common Name is the OAM server machine name), having the certificate signed and converting it to the P12 format. The Server certificate can be created and signed using any Certificate utility. 2. Create the server store and the trust store using keytool. See Section C.2, "Securing Communication Between OAM Servers and WebGates" for details. 23.7.1.2 Configuring the WebLogic Server Instance Use the WebLogic console to configure the instance of the WebLogic Server to be SSL and client certificate enabled. 1. Navigate to the server instance which is to be SSL and Client Cert enabled. 23-16 Administrator's Guide for Oracle Access Management Configuring a DCC WebGate for X509 Authentication Figure 23–6 Enable SSL 2. Check the SSL Listen Port Enabled check box and provide the port number as in Figure 23–6. 3. Provide the server and trust keystore path under the “Keystore” tab. Figure 23–7 Keystore Configuration 4. Add the private key alias details under the SSL tab. The alias name is same name specified as the server store name in Section 23.7.1.1, "Creating the Server and Trust Store." Understanding Credential Collection and Login 23-17 Configuring a DCC WebGate for X509 Authentication Figure 23–8 Add Private Key Alias 5. Display the Advanced options under the SSL tab and make the configurations illustrated in Figure 23–9. Figure 23–9 SSL Advanced Options 23.7.1.3 Creating the User Certificate Run the following OpenSSL commands to create a user certificate in the .p12 format and install it in your browser. 1. openssl req -config openssl.cnf -new -out weblogic.csr Provide the certificate details. The Common Name is the name of the user for whom the certificate is requested. 23-18 Administrator's Guide for Oracle Access Management Configuring a DCC WebGate for X509 Authentication 2. openssl x509 -req -md5 -CAcreateserial -in weblogic.csr -days 180 -CA F:\openssl\simpleCA\ca.pem -CAkey F:\openssl\simpleCA\ca-key.pem -extfile F:\openssl\openssl.cnf -out weblogic.pem 3. openssl rsa -in privkey.pem -out weblogic.key 4. openssl pkcs12 -export -in weblogic.pem -inkey weblogic.key -out user1k1.p12 5. Install the .p12 formatted certificate output in your browser. 23.7.1.4 Adding the Root CA Certificate This procedure adds the Root CA certificate of the certificate utility used to SSL enable the WebLogic server. (In this example, the OpenSSL certificate utility is used.) The Root CA certificate must be added to the .oamkeystore and amtruststore files located in the following WebLogic directory: $DOMAIN_HOME/base_domain/config/fmwconfig 1. 2. Retrieve the password for the .oamkeystore and amtruststore files in WebLogic. a. Navigate to $MIDDLEWARE_HOME/Oracle_IDM1/common/bin/. b. Run wlst.sh. c. Run connect() in the WLST shell. d. Run domainRuntime() in the WLST shell. e. Run listCred(map="OAM_STORE",key="jks") in the WLST shell to display the password. Add the Root CA certificate to the .oamkeystore and amtruststore files using the keytool command. The value of –storepass is the password retrieved in the previous step. For example: ./keytool -importcert -alias ROOT_CA -file /scratch/CA/ca.pem -keystore /scratch/Oracle/Middleware/user_projects/domains/base_ domain/config/fmwconfig/.oamkeystore -storepass oru8nd3hhd4t4nrmh6unhv825b -storetype jceks ./keytool -importcert -alias ROOT_CA -file /scratch/CA/ca.pem -keystore /scratch/Oracle/Middleware/user_projects/domains/base_ domain/config/fmwconfig/amtruststore -storepass oru8nd3hhd4t4nrmh6unhv825b -storetype jks 23.7.2 Configuring a WebGate For DCC This section details the steps to configuring a WebGate for DCC. As part of this procedure you will also create the LDAPScheme_DCC Authentication Scheme. You will use the Oracle Access Management Console for the configuration steps. This procedure assumes you have already installed the WebGates for which you will be creating profiles. 1. Configure an 11g WebGate profile named, for example, ABC_WG1 on http://:7778/index.html. Understanding Credential Collection and Login 23-19 Configuring a DCC WebGate for X509 Authentication 2. Configure an 11g WebGate profile named, for example, XYZ_WG1_DCC on http://:7779/index.html. This WebGate will act as the authentication WebGate. 3. Navigate to the XYZ_WG1_DCC WebGate profile and Select Allow Credential Collector Operations Option. This configures the WebGate for use as a DCC. 4. Create a new Authentication Scheme by making a copy of the LDAPScheme Authentication Scheme and modifying the following values. Only modify the following values; leave the other parameters untouched. 5. a. Name as LDAPScheme_DCC b. Challenge redirect URL is http://:/ (http://:7779/) c. Challenge URL : /oamsso-bin/login.pl Navigate to the ABC_WG1 Application Domain and do the following. a. Go to Authentication Policy. b. Select Authentication Policy (Protected Resource Policy). c. Select the newly created Authentication Scheme LDAPScheme_DCC. 6. Restart the Oracle HTTP Server with port 7779 in use. 7. Access the protected resource at http://:7778/index.html. You should get challenge page from the authenticating WebGate server (port 7779). After providing valid credentials, the resource on the port 7778 server should be displayed. 23.7.3 Converting the DCC WebGate to SSL Execute the following steps to convert the DCC WebGate instance to SSL. The following sections have details. ■ Generating Server Certificates ■ Generating and Importing Client Certificates 23.7.3.1 Generating Server Certificates Generate server certificates using Oracle Wallet Manager (OWM). 1. Create a Wallet using OWM. a. Start OWM. $ /bin/owm 2. b. Select Wallet > New and follow the on screen instructions to create a Certificate Request. c. Save the created Wallet in an accessible location and write down the path for future reference. d. Select the Auto Login option and save the Wallet again. Create and export the server request file as server.csr using OWM. a. Select Operations > Export Certificate Request. 23-20 Administrator's Guide for Oracle Access Management Configuring a DCC WebGate for X509 Authentication b. 3. Save as server.csr Sign server.csr to generate user certificate server.pem. You can use the OpenSSL utility as follows: openssl x509 -req -md5 -CAcreateserial -in ohs_server.csr -days 3656 -CA / /ca.pem -CAkey //ca-key.pem -out server.pem The values of ca.pem and ca-key.pem should be the same ones used when generating the client certificate. 4. 5. 6. Import the CA certificate (ca.pem) into OWM. a. Select Operations > Import Trusted Certificate. b. Point to ca.pem, your CA certificate. c. Import the CA certificate and save the wallet. Import server.pem as user cert a. Select Operations > Import User Certificate. b. Point to the server.pem certificate generated in step 3. c. Import the server certificate and save the wallet. Edit the Oracle HTTP Server (OHS) ssl.conf file to point to this wallet as follows. #Path to the wallet SSLWallet "//wallet" SSLVerifyClient require ssl.conf is located at //config/ohs/ssl.conf. 7. Restart the OHS instance. 23.7.3.2 Generating and Importing Client Certificates Generate and import client certificates and create a new X509 authentication scheme. 1. Create a user certificate by following the steps documented in Creating the User Certificate. 2. Create a new Authentication Scheme named X509_DCC as illustrated in Figure 23–10. Add a Challenge Redirect URL. The Challenge URL should be blank. Understanding Credential Collection and Login 23-21 Configuring a DCC WebGate for X509 Authentication Figure 23–10 New X509 Scheme 3. Import .p12 into your browser. 4. Access the protected resource via its SSL port. For example: https://:/index.html A popup is displayed asking which certificate to use. Select the appropriate certificate and the requested resource is accessed. 23-22 Administrator's Guide for Oracle Access Management 24 Using Password Policy 24 [21Access ] Manager provides several pages for user interactions during credential collection. This includes login, error and password forms. This chapter contains details on these forms and how to configure a password policy. ■ Using Password Management ■ Enabling Password Management ■ Configuring Password Policy ■ Specifying Credential Collector URLs with Password Policy ■ Using the Oracle-Provided Password Forms ■ Managing Global Password Policy ■ Configuring Password Policy Authentication ■ Completing Password Policy Configuration ■ Configuring the IPFUserPasswordPolicyPlugin 24.1 Using Password Management The Password Management feature is only supported when the identity store used is an LDAP directory. When enabled, Password Management can be used for the following scenarios. ■ ■ ■ ■ ■ When a user account is disabled by an administrator, the user is not allowed to enter the system. An appropriate error message is displayed if the user requests access. When a user account is locked by an administrator (whether permanently or temporarily due to incorrect passwords or challenges), the user is not allowed to enter the system. An appropriate error message is displayed if the user requests access. A user can be forced by the administrator to change a password if specific values are set in the user’s LDAP entry. When a user has to change a soon-to-be expiring password, a screen is displayed from which the user can choose one of the following options: change the password now or continue to the requested page without changing the password. If a user submits a password with invalid characters during a password reset operation, an error message can be displayed with the password creation rules that the user must follow. Using Password Policy 24-1 Enabling Password Management Using the Oracle-Provided Password Forms has screenshots of the error messages discussed. Caveats for Integrated Deployments When you are using Oracle Identity Management and Oracle Access Management with Oracle Internet Directory, there are two sets of password policy definitions and enforcement. Password Policy Definition can be configured in both Oracle Identity Management and in Oracle Internet Directory. Password Policy Enforcement occurs according to the following: ■ ■ Oracle Access Management enforces state policies (incorrect password, for example) during Web access; Oracle Internet Directory enforces its own state policies as well as LDAP operations (bind and compare, for example). Oracle Identity Management enforces value policies (characteristics of the password) during user creation of the password update; Oracle Internet Directory enforces it's own value policies as well for policies for LDAP operations (add, modify for example). Password Policy is only certified when the configured Identity Store is an LDAP directory. It is not certified with a virtualized LDAP directory (for example, Oracle Virtual Directory fronting another data repository) or a non LDAP directory Any LDAP directory (such as Oracle Internet Directory) has a way to configure password policies that define lexical constraints to which the user password must conform (minimum characters, maximum length of time the password is valid, use of special characters, etc.) This password policy gets applied when the user's password is changed in the LDAP directory. To make sure that this LDAP directory password policy does not conflict with the password policy configured in OAM, the administrator has to manually study the LDAP password policy and do one of the following. 1. Make the backend LDAP identity store policies weaker or the same strength as the Oracle Identity Management and Oracle Access Management policies. However, this leads to a double enforcement. 2. Disable native LDAP password policy validation, which unfortunately leaves no enforcement for direct LDAP operations. 24.2 Enabling Password Management Use the Oracle Access Management Console to enable the Password Management service. This is done as a configuration of the defined user identity store. The Password Management feature is only supported when the identity store used is an LDAP directory. 1. Log in to the Oracle Access Management Console as Administrator. 2. Click Configuration at the top right of the Oracle Access Management Console. 3. Click User Identity Stores in the Configuration console. 4. Select the appropriate LDAP directory to enable Password Management. Alternately, click Create to register a user identity store. See Chapter 5, "Managing Data Sources" for details. 5. Under Password Management, check Enable Password Management. 6. Define the Password Management parameters and click Apply to save. Table 24–1 documents the parameters used for configuration. 24-2 Administrator's Guide for Oracle Access Management Configuring Password Policy Table 24–1 Password Policy Configuration Parameters Parameter Description Enable Password Management Enables password management for this identity store. If password management is not enabled, the password plugin returns right away and the status is not captured. Use Oblix Schema If checked, the Oblix schema is used. If not, the Oracle Schema is used. Global Common ID Attribute This is the userid attribute used for password policy verification to make sure the password doesn’t contain the user id attribute value. First Name Attribute This is the first name attribute used for password policy verification to make sure the password doesn’t contain the first name attribute value. Last Name Attribute This is the last name attribute used for password policy verification to make sure the password doesn’t contain the last name attribute value. Email Address Attribute This is the email attribute of the users in this identity store. It is used for password policy verification. 24.3 Configuring Password Policy Once Password Management is enabled, you can configure the Password Policy. Administrators define password policy based on enterprise requirements. When configured, the Password Options and Challenge Options are used by both the Embedded Credential Collector (ECC) and Detached Credential Collector (DCC). See Chapter 23, "Understanding Credential Collection and Login" for information on the Credential Collection options. Follow this procedure to access the Password Policy configuration page. 1. Log in to the Oracle Access Management Console as Administrator. 2. Click Application Security at the top right of the Oracle Access Management Console. 3. Click Password Policy in the Application Security console. Figure 24–1 is a screenshot of the Password Policy page in the Oracle Access Management Console. Table 24–2 below it describes the options in detail. Using Password Policy 24-3 Configuring Password Policy Figure 24–1 Password Policy Configuration Page Table 24–2 describes the configurable Password Policy options (as read from left to right in the console). These elements are used by both the ECC and DCC. Table 24–2 Password Policy Elements Element Description Minimum Uppercase Characters Defines the minimum number of uppercase characters required in a password. Minimum Lowercase Characters Sets the minimum number of lowercase characters required in a password. Minimum Alphabetic Characters Defines the minimum number of special characters allowed in the password. Minimum Numeric Characters Sets the minimum number of numeric characters required in a password. Minimum Alphanumeric Characters Defines the minimum number of alphanumeric characters required in a password. Minimum Special Characters Sets the minimum number of special characters required in a password. Maximum Special Characters Defines the maximum number of special characters allowed in a password. Minimum Unicode Characters Defines the minimum number of unicode characters required in a password. Maximum Unicode Characters Sets the maximum number of unicode characters allowed in a password. 24-4 Administrator's Guide for Oracle Access Management Specifying Credential Collector URLs with Password Policy Table 24–2 (Cont.) Password Policy Elements Element Description Minimum Password Length Sets the total minimum number of characters required in a password. Maximum Password Length Defines the total maximum number of characters allowed in a password. Characters Required Defines the specific characters that are required in a password. No delimiter is needed or allowed in this definition. Characters Not Allowed Sets the specific characters that cannot be used in a password. No delimiter is needed or allowed in this definition Characters Allowed Defines all allowed characters in a password. No delimiter is needed or allowed in this definition Substrings Not Allowed Specific character strings that are not allowed in a password. Use a comma as the delimiter in this definition. Alphabetic Character Must Start Password Specifies that the first character in a password must be alphabetic, when checked. Can Include User’s Last Name Specifies that the user's last name is allowed in the password, when checked. Can Include User’s First Name Specifies that the user's first name is allowed in the password, when checked. Can Include User ID Specifies that the user's userID is allowed in the password, when checked. Warn after (days) Defines the number of days before a designated date in which a user will be warned about password expiration. For example, you enter 30 in the Expires After (Days) field, and 20 in the Warn After (Days) field, and the password is created on November 1. On November 21, the user will be informed that the password will expire on December 1. This field accepts values from 0 to 999. Maximum Attempts Identifies the maximum number of login attempts a user can make before a lockout. Expire after (days) Defines the period of time (in days) that the password is valid. Lockout Duration (minutes) Identifies the period of time the user is locked out (in minutes) after the designated number of failed login attempts. After this period, the user can attempt a fresh login. Permanent Lockout specifies permanent lockout after the designated number of failed login attempts. Disallow Last Defines the number of previous passwords that cannot be used when the user changes her password. Password Dictionary File Identifies the physical file on OAM Servers that contain the list of restricted words that can not be specified in a password. Password File Delimiter Defines the delimiter used in the Password Dictionary file to separate various words. For example, if the file contains abc,def,welcome and the dictionary delimiter is comma (,), the words that are restricted and cannot be used in a user password are abc def and welcome. Password Service URL The location of various password pages. 24.4 Specifying Credential Collector URLs with Password Policy Regardless of the credential collection method, you can configure one global password policy that applies to all Access Manager-protected resources (using the Password Policy Validation Module in the authentication scheme). The relevant URLs for the credential collector and related forms must be specified as outlined in Table 24–3. Using Password Policy 24-5 Specifying Credential Collector URLs with Password Policy Table 24–3 Specifying Credential Collectors and Related Forms for Authentication In the . . . For the ECC . . . For the DCC . . . OAM Agent Registration N/A. Check the box beside Allow Management Operations in the OAM Agent registration page. DCC Only See Also: "Enabling DCC Credential Operations" login, error, and password pages Pages where the user enters credentials arrive out of the box on the OAM Server and require no additional settings or changes. ■ Login page: /pages/login.jsp ■ Logout page: /pages/logout.jsp ■ Error page: /pages/servererror.jsp ■ Dynamic pages for general login/logout and password policy with the DCC are excluded automatically through the OHS httpd.conf/webgate.conf file--you do not need to configure a policy to exclude these. See WebGate host directories $WEBGATE_ HOME/webgate/ohs/oamsso/*, $WEBGATE_ Multi-step authentication: /pages/mfa_ HOME/webgate/ohs/oamsso-bin/*pl, and $WEBGATE_ login.jsp HOME/webgate/ohs/oamsso-bin/templates/* for: ■ Login page: /oamsso-bin/login.pl ■ Logout: /oamsso-bin/logout.pl ■ RSA SecurID login pages: /oamsso-bin/securid.pl Perl Scripts for DCC-based Login and Logout The path name of the Perl executable must be updated in Oracle-provided Perl scripts on the WebGate host $WEBGATE_ HOME/webgate/ohs/oamsso-bin/*pl to be consistent with the actual location. See Also: Table 22–5, " Comparing the DCC and ECC" Password Policy, Password Service URL The Default/ECC password page is used automatically: Password Service URL for ECC: /oam/pages/pswd.jsp See Also: "Defining Your Global Password Policy" on page 24-11 User Identity Store Password Policy Validation Authentication Module The user data object definition in the Access Manager schema is extended with attributes that enable password user status and password history maintenance. This definition is provided in an LDIF file, and must be added to each user identity store using the ldapadd tool. Oracle-provided LDIFs are identified in Table 24–6. Enter the Default Store as the KEY_ IDSTORE_REF for each of the three plug-ins / steps (with an Error redirect on Failure): Enter the DCC password page: Password Service URL for DCC: /oamsso-bin/login.pl See Also: "Locating and Updating DCC Forms for Password Policy" Same for both DCC and ECC: See Also: ■ ■ "Adding Key Password Attributes to the Default Store" on page 24-13 "Adding an Administrator to Change User Attributes After a Password Change" Same for both DCC and ECC: See Also: ■ ■ Authentication Scheme, Challenge Redirect URL Table 22–13, " Parameter Details for Various Plug-ins" "Configuring the Password Policy Validation Authentication Module" Enter the Credential Collector host: ■ For ECC, relative URI format: /oam/server (server prepends the host:port) See Also: "Configuring the PasswordPolicyValidationScheme" 24-6 Administrator's Guide for Oracle Access Management Enter the Credential Collector host: ■ ■ For DCC, full URL: http://dcchost:port For DCC combined with Resource Webgate: Leave empty See Also: "Configuring the PasswordPolicyValidationScheme" Specifying Credential Collector URLs with Password Policy Table 24–3 (Cont.) Specifying Credential Collectors and Related Forms for Authentication In the . . . For the ECC . . . For the DCC . . . Authentication Scheme, Challenge URL Enter the Credential Collector login form relative URI: Enter the Credential Collector login form relative URI: ■ For ECC: /pages/login.jsp See Also: "Configuring the PasswordPolicyValidationScheme" Authentication Scheme, Challenge Parameters ECC: User-defined Challenge Parameters: OverrideRetryLimit=0 initial_command=NONE See Also: ■ ■ Table 22–23, " User-Defined Challenge Parameters for Authentication Schemes" "Configuring the PasswordPolicyValidationScheme" ■ For DCC: /oamsso-bin/login.pl See Also: "Configuring the PasswordPolicyValidationScheme" DCC: User-defined Challenge Parameters: ■ creds ■ extracreds ■ MaxPostDataBytes ■ DCCCtxCookieMaxLength ■ TempStateMode See Also: ■ ■ Table 22–23, " User-Defined Challenge Parameters for Authentication Schemes" "Configuring the PasswordPolicyValidationScheme" Using Password Policy 24-7 Using the Oracle-Provided Password Forms Table 24–3 (Cont.) Specifying Credential Collectors and Related Forms for Authentication In the . . . Server Error Mode Authentication Policy For the ECC . . . For the DCC . . . Same for both DCC and ECC. Same for both DCC and ECC. See: "Setting the Error Message Mode for Password Policy Messages" on page 24-21 See: "Setting the Error Message Mode for Password Policy Messages" on page 24-21 Credential collectors in authentication policies: Credential collectors in Authentication Policies: ■ ECC: Use any authentication scheme configured for the ECC in the application domain for the protecting Webgate (Resourcre Webgate) See Also: "Adding Your PasswordPolicyValidationScheme to ECC Authentication Policy" DCC Separate from Resource Webgate: ***Protecting (Resource) Webgate Application Domain, (Authentication Policy protecting resources), use the DCC-related Authentication Scheme. ***DCC Webgate Application Domain, Authentication Policy protecting resources, use the DCC-related Authentication Scheme. Consider: --With No Action URL: DCC uses the default /oam/server/auth_cred_submit, which is automatically protected with the DCC-related authentication scheme. --With an Action URL: Explicitly protect the specified Action URL with the DCC Scheme. See Also: "Adding PasswordPolicyValidationScheme to Authentication Policy for DCC" Logout Configuration ECC: In the protecting (Resource) Webgate Agent registration, configure the Logout URL as shown in Table 15–3, " Elements on Expanded 11g and 10g WebGate/Access Client Registration Pages" DCC: ■ ■ In the DCC Agent registration page the Logout Redirect URL is ignored. In the protecting (Resource) Webgate registration, define the: Logout Redirect URL: http//dcchost:port/oamsso-bin/logout.pl See "Configuring Centralized Logout for 11g WebGates" on page 27-4 Note: If the Resource Webgate's Logout Redirect URL is anything other than logout.*, then that URL must be defined in the Logout URL parameter of the DCC Webgate registration. For example: If Resource Webgate registration has: Logout Redirect URL http//dcchost:port/someurl.html then DCC Webgate registration must have: Logout URL: someurl.html ■ DCC: Perl path must be updated in Oracle-provided scripts. See "Configuring Logout When Using Detached Credential Collector-Enabled WebGate" on page 27-6 24.5 Using the Oracle-Provided Password Forms Access Manager provides several pages for user interactions during credential collection, as described in Table 24–4, " Credential Collector Password Pages". The location can be customized, depending on the desired topology of the authentication scheme being developed. 24-8 Administrator's Guide for Oracle Access Management Using the Oracle-Provided Password Forms Table 24–4 Credential Collector Password Pages Credential Collector Description ECC pages The default embedded credential collector jsp forms, by default, reside on the OAM Servers. DCC pages ■ Login page: /pages/login.jsp ■ Logout page: /pages/logout.jsp ■ Error page: /pages/servererror.jsp ■ Multi-step authentication page: /pages/mfa.jsp Dynamic pages general login/logout and password policy with the DCC are excluded automatically through the OHS httpd.conf/webgate.conf file--you do not need to configure a policy to exclude these. See the Webgate host: ■ ■ ■ $WEBGATE_HOME/webgate/ohs/oamsso/* $WEBGATE_HOME/webgate/ohs/oamsso-bin/*pl (update the Perl location in the first line of the login, logout, and securid scripts) $WEBGATE_HOME/webgate/ohs/oamsso-bin/templates/* See Also: For details about customizing pages and messages, see the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. Table 24–5 shows the password forms provided. The default pages can be customized for your enterprise, or replaced entirely with custom pages. For example, you can design, implement, and deploy a custom page that displays a different version of the login form for a mobile browser than is used for a desktop browser. Table 24–5 Password Management Forms and Functions Form Function Sign In Form The standard login form provides fields for userID and password. Clicking the Login button initiates authentication processing governed by the configured authentication module. See: Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details about customizing login forms. Sign In Error This standard login form appears when an error occurs. The text in red identifies the errors, which can be suppressed or displayed. See: Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details about suppressing or displaying. Password Expiry Notification The following message appears to inform the user that her password will expire, based on the notification policy. Using Password Policy 24-9 Managing Global Password Policy Table 24–5 (Cont.) Password Management Forms and Functions Form Function Change Password Form Based on password expiration policy configuration, the following window appears to enforce the policy and require user to change his password. Password Change Success The following message appears to confirm the password change was successful. Locked or Disabled User Account Based on the password policy, user account lockout occurs when supplied credentials fail during the maximum allowed login attempts. 24.6 Managing Global Password Policy Authentication involves determining which credentials a user must supply when requesting access to a resource, gathering credentials, and returning a response that is based on the results of credential validation. Access Manager authentication processing relies on an authentication module (or plug-in) to define the rules governing requirements and transmission of information to the back-end authentication scheme. By default, Access Manager supports using the OAM Server Embedded Credential Collector (ECC) for authentication processing. However, you can also configure an 11g WebGate to use as an detached credential collector (DCC) instead. 24-10 Administrator's Guide for Oracle Access Management Managing Global Password Policy Both the ECC and DCC facilitate multi-step authentication flows where credentials are not provided all at once. This increases the flexibility of interaction with users or programmatic entities for the purpose of collecting authentication-related information. For more information, see Section 22.7, "Orchestrating Multi-Step Authentication with Plug-in Based Modules." Note: Regardless of whether you choose the ECC or DCC, you can configure a global password policy that applies to all Access Manager-protected resources. The following overview provides links to topics that describe how to configure and use the password policy. Unless explicitly stated, all tasks apply equally to the ECC and DCC. Skip any tasks that do not apply to your deployment. Task overview: Password policy management includes 1. Defining Your Global Password Policy 2. Adding Key Password Attributes to the Default Store 3. Adding an Administrator to Change User Attributes After a Password Change 4. Configuring Password Policy Authentication 5. DCC: Configuring 11g WebGates and Authentication Policy for DCC 6. Completing Password Policy Configuration 7. Testing Your Multi-Step Authentication 24.6.1 Defining Your Global Password Policy Users with Oracle Access Management Administrator credentials can use the following procedure to define a common password policy based on enterprise-defined requirements. The only difference between a global password policy for the ECC versus the DCC is Password Service URL, which is credential collector-specific and defaults to ECC pages as shown in Step 2. Note: The specifications in this example are for illustration only. Your environment will be different. To configure the password policy in Oracle Access Management 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security console, click Password Policy. 3. On the Password Policy page, enter the Password Service URL for the desired credential collector login page (ECC or DCC, Table 24–3). 4. ECC Password Service URL DCC Password Service URL /pages/login.jsp /oamsso-bin/login.pl On the Password Policy page, enter values (Table 24–2) based on requirements for your enterprise. For example: Using Password Policy 24-11 Managing Global Password Policy ■ Warn After 3 ■ Expire After 20 ■ Permanent Lockout (Disable) ■ Lockout duration 1 ■ Minimum Special Characters 1 5. Click Apply to submit the policy. 6. Proceed as needed for your environment; skip any tasks that have been completed already: ■ Adding Key Password Attributes to the Default Store ■ Adding an Administrator to Change User Attributes After a Password Change 24.6.2 Designating the Default Store for Your Password Policy The Password Policy operates only with the designated Default Store. Administrator roles and credentials must reside in the System Store. See Also: "Using the System Store for User Identities" To designate a Default Store for the global password policy 1. In the Oracle Access Management Console, click Configuration at the top of the window. 2. In the Configuration console, click User Identity Stores. 3. Set the System Store: Administrator roles and credentials must reside in this store. 4. a. Open the page of the store to designate as the System Store. b. Check Set as system store (for domain wide authentication and authorization operations). c. Click Apply. d. Add Administrators: See "Understanding Administrator Roles" on page 5-26. e. Authentication Module: Set the LDAP Authentication Module used by the OAMAdminConsoleScheme (authentication scheme) to use this System Store. f. Configure one or more authentication plug-ins to use this store, as described in "Orchestrating Multi-Step Authentication with Plug-in Based Modules". Set Default Store: This store is required for Password Policy, Security Token Service, and migration when patching. a. Open the page of the store to designate as the Default Store. b. Check the box beside Set as default store. c. Authentication Module: Locate OAMAdminConsoleScheme and confirm that the LDAP module does not refer to this store. See "Managing Native Authentication Modules". d. Authorization Policy Conditions: Choose the desired user identity store when setting Identity Conditions in Authorization Policies. See "Defining Authorization Policy Conditions" on page 25-43. e. Token Issuance Policy Conditions: Choose the desired user identity store when setting Identity Conditions in Token Issuance Policies. See "Managing 24-12 Administrator's Guide for Oracle Access Management Managing Global Password Policy Token Issuance Policies, Conditions, and Rules" on page 45-27. 5. Close the registration page. 24.6.3 Adding Key Password Attributes to the Default Store The Password Policy operates only with the designated Default Store. This section provides steps for extending the default store schema for Oracle Access Management password policy operations. ■ About Extending the Default Store Schema ■ Extending the Default Store Schema with Password Policy Attributes 24.6.3.1 About Extending the Default Store Schema The LDIF (Lightweight Directory Interchange Format) files distributed as part of Access Manager are meant to extend the schema with required object classes. Generally, these are applied using the idmConfigTool or Access Manager and Oracle Identity Management wiring has been performed manually. The user data object definition in the Access Manager schema is extended with attributes that enable password user status and password history maintenance. This definition is provided in an LDIF file, and must be added to each user identity store using the ldapadd tool. Oracle-provided LDIFs are identified in Table 24–6. Note: OAM_HOME contains installed files necessary to host Oracle Access Management. OAM_HOME resides within the directory structure of the Middleware home ($MW_HOME). Table 24–6 Location of Oracle-provided LDIFs for LDAP Providers LDAP Provider LDIF Location OID: Oracle Internet Directory $OAM_HOME/ oam/server/pswdservice/ldif/OID_PWDPersonSchema.ldif OVD: Oracle Virtual Directory $OAM_HOME/ oam/server/pswdservice/ldif/OVD_PWDPersonSchema.ldif AD: Microsoft Active Directory $OAM_HOME/ oam/server/pswdservice/ldif/AD_PWDPersonSchema.ldif SJS: sun Java System Directory $OAM_HOME/ oam/server/pswdservice/ldif/IPLANET_PWDPersonSchema.ldif eDirectory: Novell eDirectory $OAM_HOME/ oam/server/pswdservice/ldif/EDIR_PWDPersonSchema.ldif ODSEE: Oracle Directory Server Enterprise Edition $OAM_HOME/ oam/server/pswdservice/ldif/IPLANET_PWDPersonSchema.ldif OUD: Oracle Unified Directory $OAM_HOME/ oam/server/pswdservice/ldif/OUD_PWDPersonSchema.ldif SLAPD: OpenLDAP Directory $OAM_HOME/ oam/server/pswdservice/ldif/OLDAP_PWDPersonSchema.ldif IBM: OBM Tivoli Directory $OAM_HOME/ oam/server/pswdservice/ldif/TIVOLI_PWDPersonSchema.ldif The attributes that enable password user status and password history maintenance are shown in Table 24–7. The user data object of each user identity store must include the attributes shown in Table 24–7. These can be added with the ldapadd tool, LDIF (Lightweight Directory Interchange Format) file. Using Password Policy 24-13 Managing Global Password Policy Table 24–7 Key Password Attributes in a Password Policy Attribute Description Format and Values obPasswordCreationDate The date and time used to calculate (at the time of user login) whether the password has expired and whether a warning needs to be issued. YYYY-MM-DDThh:mm:ssZ obPasswordHistory Used to track the number of last passwords used. Access Manager understands 10g oblixPersonPwdPolicy format and changes it to new format. New format: password1###password2### Previous format: passwordX = SHA256 (password+canonical userid) obPasswordChangeFlag obuseraccountcontrol Boolean string value. Used during forced password change for first time user login (or forced password change initiated by the Administrator. true | false Used to represent a disabled user. Non-encrypted string value. Empty string represents false. activated | deactivated Empty string represents "activated". obpasswordexpirydate The time after which the user password is considered to be expired. YYYY-MM-DDThh:mm:ssZ Empty value represents not expired. obLockoutTime The time up to which the user is considered to be locked out due to too many login attempts. Epoch value (in seconds) representing time in the future. obLoginTrvCount The number of consecutive login failures by the user. This counter is reset on the first correct password entry. 1,2,3, and so on. oblastsuccessfullogin The time of the last successful login. YYYY-MM-DDThh:mm:ssZ oblastfailedlogin The time of the last failed login. YYYY-MM-DDThh:mm:ssZ Seconds (since 01 January, 1970) Non-encrypted integer value. 24.6.3.2 Extending the Default Store Schema with Password Policy Attributes You can skip this task if the environment has been configured using idmConfigTool -prepareIDStore. If your user identity store has not been extended with the oblix schema, you must update the schema to include the object classes required by the password service. LDAP tools should be run from the /bin directory beneath $OAM_HOME. The following procedure illustrates extending the Oracle Internet Directory schema. Your environment might be different. To extend the Default User Identity Store schema 1. Use the following command to update the Oracle Internet Directory object classes of the designated Default Store required by the password service: ldapadd -D "cn=orcladmin" -w –h -p 3060 –x -f $OAM_HOME/ oam/server/pswdservice/ldif/OID_PWDPersonSchema.ldif 2. Proceed to "Adding an Administrator to Change User Attributes After a Password Change". 24-14 Administrator's Guide for Oracle Access Management Configuring Password Policy Authentication 24.6.4 Adding an Administrator to Change User Attributes After a Password Change In this procedure, you modify the Default Store (Oracle Internet Directory in this example) to use a different privileged account as the Bind DN. This enables sufficient privileges to change user attributes after a password change. Prerequisites Register a supported LDAP store and designate it as the Default Store. Ensure that the user you add is defined within the Default Store. See Also: "Understanding Administrator Roles" on page 5-26 To add a new Administrator 1. In the Oracle Access Management Console, click Configuration at the top of the window. 2. In the Configuration console, click Administration. 3. Add a New Administrator: 4. a. In the Administration page, click Grant. b. In the dialog that appears, click Search. c. Select the desired role from the Roles drop-down list and click Add Selected to grant it to the selected user. d. Click Apply to submit the changes. Proceed with "Configuring Password Policy Authentication". 24.7 Configuring Password Policy Authentication After preparing your password policy, Default Store, and Administrator, you can develop your authentication module and scheme as described in this section. ■ Configuring the Password Policy Validation Authentication Module ■ Configuring the PasswordPolicyValidationScheme ■ Adding Your PasswordPolicyValidationScheme to ECC Authentication Policy—If you are using the DCC, skip this topic and go to "Configuring 11g WebGates and Authentication Policy for DCC" 24.7.1 Configuring the Password Policy Validation Authentication Module You must also configure the Password Policy Validation Authentication Module to use the Default Store. There are no credential collector dependencies when defining the Password Policy Validation Module for authentication. Note: A sample module is shown in Figure 24–2. The User Password Status Step is the unique step that relies on the UserPasswordPolicyPlugin. UserPasswordPolicyPlugin is supported only when using LDAP based authentication modules. It does not work with non LDAP authentication modules. Note: Using Password Policy 24-15 Configuring Password Policy Authentication Figure 24–2 Password Policy Validation Authentication Module with Orchestrated Plug-ins Each step identifies the action provided by a specific named plug-in. See Also: "Orchestrating Multi-Step Authentication with Plug-in Based Modules". Figure 24–3 shows the orchestration of steps within the authentication module. For more information on modules and steps, see "About Plug-in Based Modules for Multi-Step Authentication". Figure 24–3 Step Orchestration for Password Policy Validation Module Table 24–8 describes the Password Policy Validation module step details that you specify. 24-16 Administrator's Guide for Oracle Access Management Configuring Password Policy Authentication Table 24–8 User Password Step Details Step Name Step Details Description User Identification Step KEY_LDAP_FILTER Add the LDAP filter to the KEY_LDAP_FILTER attribute. Only standard LDAP attributes can be used when defining an LDAP search filter. For example: (uid={KEY_USERNAME}) See Also: Table 25–15, " LDAP Search Filter Examples for Access Manager" and your vendor documentation for the exact syntax for your identity store KEY_IDENTITY_STORE_REF The name of the registered Identity Store containing the module users. Default: The registered Default Store. KEY_SEARCH_BASE_URL Base URL for user searches. For example: dc=us,dc=example,dc=com User Authentication Step KEY_IDENTITY_STORE_REF The name of the registered Identity Store containing the module users. Default: The registered Default Store. User Password Status Step KEY_PROP_AUTHN_ EXCEPTION Enable or disable the propagation of LDAP errors. "KEY_ PROP_AUTHN_EXCEPTION" needs to be set to TRUE when the Authentication module has "Password Policy Plugin" as the next step of plugin execution; for example, when the module has Authentication Plugin ->Password Plugin, change this parameter to TRUE. PLUGIN_EXECUTION_MODE The execution mode of plug-in. Depending upon the configuration, this plug-in can operate either alone or with other default plug-ins. Values are one of the following: ■ ■ ■ PSWDONLY: The most preferred configuration where only the password status is determined. The ID and authentication must be performed using the UserIdentification and UserAuthentication Plugins. AUTHWITHPSWD: Both authentication and password are performed using this plug-in. AUTHONLY: Only the user identification and authentication is performed using this plug-in Default: PSWDONLY OBJECTCLASS_EXTENSION_ SUPPORTED The object classes "oblixpersonpwdpolicy" and "oblixorgperson" are required to be present in the OAM user's entry for successful execution of this plugin. If this parameter is FALSE, the plugin will not add these object classes. If this parameter is TRUE, the plugin will try to add these object classes to the user's entry if the current user's entry does not already have them present. Default: FALSE KEY_IDENTITY_STORE_REF The name of the registered Identity Store containing the module users. NEW_USERPSWD_BEHAVIOR Configures retroactive behavior of the new-user password-policy. Values are either: Default: The registered Default Store. ■ ■ FORCEPASSWORDCHANGE: Forces a password change. NOFORCEPASSWORDCHANGE: The password policy change does not affect user passwords that are already set. Default: NOFORCEPASSWORDCHANGE Using Password Policy 24-17 Configuring Password Policy Authentication Table 24–8 (Cont.) User Password Step Details Step Name Step Details Description POLICY_SCHEMA Policy schema for password service. Currently only OAM10G is supported. Default: OAM10G URL_ACTION The type of servlet action needed for redirecting the user to the specific password page for expiry and warning pages. Values can be either: ■ REDIRECT_POST ■ REDIRECT_GET ■ FORWARD Default: REDIRECT_POST DISABLED_STATUS_SUPPORT Specifies whether the disabled status is to be supported and acted upon in this password service. Valid values are either True or False. Default: TRUE Prerequisites Defining Your Global Password Policy There are no credential collector dependencies when defining the Password Policy Validation Module. Enter the Default Store as the KEY_IDSTORE_REF for each of the three plug-ins (with an Error redirect on Failure). Note: To configure the Password Policy Validation Module 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security console, click Authentication Modules. in the Plug-ins section. 3. In the Authentication Modules page, click Search, then click Password Policy Authentication Module. 4. Select the Steps tab; for each of the three steps add the Default Store name in the field beside KEY_IDSTORE_REF (Save after each change). For example: a. User Identification Step KEY_IDSTORE_REF: OID Save. b. User Authentication Step KEY_IDSTORE_REF: OID Save. c. User Password Status Step KEY_IDSTORE_REF: OID Save. 5. Click Apply. 6. Proceed to "Configuring the PasswordPolicyValidationScheme". 24-18 Administrator's Guide for Oracle Access Management Configuring Password Policy Authentication 24.7.2 Configuring the PasswordPolicyValidationScheme You can have multiple authentication schemes for use with the global password policy. Users with Administrator credentials can follow this procedure to configure the PasswordPolicyValidationScheme. Differences between values for the ECC versus the DCC include (Table 24–3): Note: ■ Challenge Redirect URL: Credential Collector host and port ■ Challenge URL: Credential Collector Pages ■ Challenge Parameters: Table 22–22 Prerequisites Configuring the Password Policy Validation Authentication Module See Also: "Managing Authentication Schemes" To configure the PasswordPolicyValidationScheme 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security console, click Authentication Schemes in the Access Manager section. 3. In the Search Authentication Schemes page, click Search, then click PasswordPolicyValidationScheme. 4. Set up the scheme for your environment. For example: ■ Authentication Level 2 ■ Default (blank) ■ Challenge Method: Form ■ Challenge Redirect URL: http://CredCollector_host:port/ ■ Authentication Module: Password Policy Validation Module ■ Challenge URL: /CredCollector_pages/ ■ Context Type: External ■ Challenge Parameters: ECC Challenge Parameters DCC Challenge Parameters OverrideRetryLimit=0 initial_command=NONE OverrideRetryLimit=0 creds=userid password Using Password Policy 24-19 Configuring Password Policy Authentication ECC Challenge Parameters DCC Challenge Parameters See Also: Table 22–23, " User-Defined Challenge Parameters for Authentication Schemes" action If not specified, the default for both ECC and DCC is /oam/server/auth_cred_submit. DCCCtxCookieMaxLength (default is 4096) TempStateMode controls how the DCC stores the OAM Server state: cookie or form (the default) as specified with the parameter's value. MaxPostDataBytes Restricts the maximum number of bytes of POST data submitted as user credentials. creds Whatever is passed must be specified in the obMap credentials parameter of the ObUserSession object, as described in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management 5. Click Apply. 6. Proceed to "Adding Your PasswordPolicyValidationScheme to ECC Authentication Policy". 24.7.3 Adding Your PasswordPolicyValidationScheme to ECC Authentication Policy A user with Administrative privileges can use the PasswordPolicyValidationScheme configured for the ECC in the application domain of the protecting Webgate (Resource Webgate). Prerequisites Configuring the PasswordPolicyValidationScheme To add PasswordPolicyValidationScheme to an ECC authentication policy 1. ECC: In the console, search for and open the appropriate Application Domain. (See "Searching for an Existing Application Domain" on page 25-12). See Also: "Adding Your PasswordPolicyValidationScheme to ECC Authentication Policy" 2. ECC: Protect Resources using the PasswordPolicyValidationScheme: a. Find and open your Protected Resource Policy on the Authentication Policies tab (see "Viewing or Editing an Authentication Policy" on page 25-34): Authentication Policies Protected Resource Policy b. Select PasswordPolicyValidationScheme for the Protected Resource Policy (Authentication Scheme) and click Apply. c. Finish updating your Authentication and Authorization policies, as desired (Chapter 25). 24-20 Administrator's Guide for Oracle Access Management Completing Password Policy Configuration 3. Proceed as needed for your environment: ■ ECC: Completing Password Policy Configuration ■ DCC: Configuring 11g WebGates and Authentication Policy for DCC 24.8 Completing Password Policy Configuration These tasks are the same regardless of the credential collector you have configured. Perform the following tasks to complete your password policy configuration: ■ Setting the Error Message Mode for Password Policy Messages ■ Overriding Native LDAP Password Policy Validation ■ Disabling ECC Operation and Using DCC Exclusively ■ Testing Your Multi-Step Authentication 24.8.1 Setting the Error Message Mode for Password Policy Messages Users with administrative privileges can use this procedure to set the Server Error Mode for password policy messages, as shown in Figure 24–4. Figure 24–4 Server Error Mode for Password Management Prerequisites ■ Managing Global Password Policy ■ Configuring Password Policy Authentication ■ Optional: Configuring 11g WebGates and Authentication Policy for DCC To set the error message mode In the Oracle Access Management Console, click Configuration at the top of the window. 1. 2. In the Configuration console, select Access Manager from the Settings drop-down list. 3. In the Load Balancing section, set the Server Error Mode to Internal. 4. Click Apply. 5. Proceed with "Overriding Native LDAP Password Policy Validation". 24.8.2 Overriding Native LDAP Password Policy Validation As described earlier, you need to disable native LDAP password policy validation before the non-native password policy can be used. For example, with Oracle Internet Directory registered for Oracle Access Management, native password policy is generally located as follows: Using Password Policy 24-21 Completing Password Policy Configuration dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext, Caution: Disabling the native LDAP password policy validation leaves no enforcement for direct LDAP operations. There are various password policies in Oracle Internet Directory, including one in the following: dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext However, this might not apply to your domain. You can disable the Oracle Internet Directory password policy by setting the orclpwdpolicyenable parameter to zero (0). See Also: The various attributes described in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory The following procedure is only an example. Your environment will be different. Prerequisites Setting the Error Message Mode for Password Policy Messages To override native LDAP policy with Oracle Access Management password policy 1. Refer to the manual from your LDAP directory vendor. 2. Oracle Internet Directory: Disable native policy by setting orclpwdpolicyenable to zero (0). ■ ■ Confirm the location of the password policy for your domain. When you are sure you have the proper native LDAP policy, disable the policy. For example: orclpwdpolicyenable = 0 3. Proceed as follows, depending on your deployment: ■ "Disabling ECC Operation and Using DCC Exclusively" ■ "Testing Your Multi-Step Authentication" ■ Chapter 27: "Configuring Logout When Using Detached Credential Collector-Enabled WebGate" 24.8.3 Disabling ECC Operation and Using DCC Exclusively You can skip this task to allow the DCC and ECC to co-exist, and maintain authentication schemes and policies for both credential collectors. To disable ECC, you must edit the oam-config.xml file as described here. Generally, Oracle recommends not editing oam-config.xml. Changes to this file could result in lost data or overwriting of the file during data sync operations. However, there is no other way to disable the ECC completely in favor of the DCC. 24-22 Administrator's Guide for Oracle Access Management Completing Password Policy Configuration After disabling the ECC, access to resources protected by schemes and policies that rely on the ECC will be prohibited, including access to the Oracle Access Management Console. Note: Prerequisites Configuring 11g WebGates and Authentication Policy for DCC To disable ECC operation and use DCC exclusively 1. Make your changes on the node running the AdminServer to minimize possible conflicts that another AdminConsole user might make. 2. Back up oam-config.xml in $DOMAIN_HOME/config/fmwconfig/ and store the copy in a different location for use later if needed. 3. Locate the ECCEnabled parameter in the OAMServicesDescriptor section and make the changes shown here in bold: ... ... false 4. Increment by 1, the configuration version number at the top of the file to associate your change and enable automatic propagation and dynamic activation across all running OAM Servers (see the next to last line of this example): 11.1.1.3 2 5. Proceed to "Testing Your Multi-Step Authentication". 24.8.4 Testing Your Multi-Step Authentication This section provides a number of evaluations you can perform to confirm that your deployment is working properly. See Also: Chapter 27, "Configuring Centralized Logout for Sessions Involving 11g WebGates" To confirm your multi-step authentication 1. Confirm access after login: 2. a. Open a new browser and request a resource. b. Log in with your user credentials. c. Confirm that you have access to the resource. Confirm no access on incorrect login: a. Open a new browser and request a resource. b. Log in with incorrect user credentials. c. Confirm that you must re-authenticate. Using Password Policy 24-23 Configuring the IPFUserPasswordPolicyPlugin 3. 4. 5. Confirm lockout after exceeding maximum incorrect login attempts: a. Open a new browser and request a resource. b. Log in with incorrect user credentials repeatedly. c. Confirm that the user account is locked. Modify and evaluate your password expiry policy: a. Log in to the Oracle Access Management Console. b. In your password policy, reset the expiry and lockout periods (Table 24–2) so that you will see warnings on your next login. c. Save the policy updates. d. Open a new browser and request a resource. e. Verify the warning page appears advising that the password will expire. f. Click the link to continue without password change. Change your password: a. Open a new browser and request a resource. b. On the password expiry warning page, click the link to change your password. c. On the password change page, enter your correct old password. d. In the new password field, enter a different new password that does not follow the password policy and confirm the password validation error. e. Enter a new password that meets requirements and confirm success and access to the resource. 24.9 Configuring the IPFUserPasswordPolicyPlugin The Identity Password Framework (IPF) password policy plugin handles the password related flows during login. Configuring the IPF password policy plugin is the most critical step in making sure that OAM and OIM LDAP applications can work in tandem. Using the IPF password plugin in OAM makes sure that password features act across both OAM and OIM in similar ways. This section contains the following information: ■ Enabling the IPF Password Service ■ Configuring Password Policy for IPF Password Service ■ Extending the LDAP Definitions ■ Configuring the Password Policy Validation Authentication Module and Scheme ■ Setting Up the Forgot Password Module 24.9.1 Enabling the IPF Password Service The IPF password service can be enabled in a newly installed (not upgraded) environment by manually editing oam-config.xml to add the following line: 3 This procedure assumes: 24-24 Administrator's Guide for Oracle Access Management Configuring the IPFUserPasswordPolicyPlugin ■ ■ The WebLogic Server, Oracle Internet Directory, Oracle HTTP Server and a database are installed. Oracle Access Management is installed in DB mode and configured to use OID as a user store. ■ WebGate 11g is installed and configured against the policy server. ■ The exact mechanism of extending LDAP directory for each directory type. 1. Shut down the entire domain including the WebLogic Admin Server and all OAM Managed Servers. 2. Locate the correct oam-config.xml file in /config/fmwconfig/ and make a backup of it before editing. 3. Modify the file so it contains the following snippet. 3 /oam/pages/pswd.jsp Be sure to increment the version number of the file by 1 to ensure that the changes are not overwritten by the Oracle Access Management Console. 4. Save the file. 5. Restart the WebLogic Admin Server. 6. Restart the OAM Managed Servers. As a verification step, check /config/fmwconfig/oam-config.xml on each of the OAM Managed Server nodes to ensure that the updated version has propagated correctly. 24.9.2 Configuring Password Policy for IPF Password Service See Configuring Password Policy for details. Note that the password policy in OAM should be in sync with that of OAM LDAP to work consistently between both products. It is up to the administrator to ensure that the policies are indeed the same and consistent. 24.9.3 Extending the LDAP Definitions Depending on the type of the directory, add the required objectclass schema definitions so that the LDAP directory can use these to extend the user objectclass. The appropriate schema files are located in $IDM_HOME/modules/oracle.idm.ipf_ 11.1.2/scripts/ldap. Table 24–9 documents the LDIF file to use with supported LDAP directories. Table 24–9 Included LDIF Schema Files LDAP Directory LDIF Schema File OID OID_OblixSchema.ldif, OID_OracleSchema.ldif AD AD_OblixSchema.ldif, AD_OracleSchema.ldif OUD OUD_OblixSchema.ldif, OUD_OracleSchema.ldif ODSEE IPLANET_OblixSchema.ldif, IPLANET_OracleSchema.ldif OPENLDAP OLDAP_OblixSchema.schema, OLDAP_OracleSchema.schema Using Password Policy 24-25 Configuring the IPFUserPasswordPolicyPlugin Table 24–9 (Cont.) Included LDIF Schema Files LDAP Directory LDIF Schema File OVD OVD_OblixSchema.ldif, OVD_OracleSchema.ldif Tivoli TIVOLI_OblixSchema.ldif, TIVOLI_OracleSchema.ldif EDIR EDIR_OblixSchema.ldif, EDIR_OracleSchema.ldif 24.9.4 Configuring the Password Policy Validation Authentication Module and Scheme The Password Policy Validation Authentication Module needs to be configured to use the required identity store, as well as some of the operations configuration as per installation requirements. There are no credential collector dependencies when defining the Password Policy Validation Module for authentication. The User Password Status Step is the unique step that relies on the IPFUserPasswordPolicyPlugin. See "Configuring the Password Policy Validation Authentication Module" and "Configuring the PasswordPolicyValidationScheme." 24.9.5 Setting Up the Forgot Password Module If the forgot password feature needs to be enabled in OAM, the IPFForgotPasswordModule is used. The forgot password authentication enables OAM users to change their password by authenticating them using previously collected challenges. The administrator can setup forgot password URL by following the procedure documented in Section 2.9.1, "Administering the Forgot Password URL." 24-26 Administrator's Guide for Oracle Access Management 25 Managing Policies to Protect Resources and Enable SSO 25 Access Manager Application Domains and policies can be accessed and managed through the Oracle Access Management Console. This chapter describes how to create and manage policies, and identify the resources to be governed by these policies. It includes the following topics: ■ Prerequisites ■ Introduction to Application Domain and Policy Creation ■ Understanding Application Domain and Policy Management ■ Managing Application Domains Using the Console ■ Adding and Managing Policy Resource Definitions ■ Defining Authentication Policies for Specific Resources ■ Defining Authorization Policies for Specific Resources ■ Configuring Success and Failure URLs for Authorization Policies ■ Introduction to Authorization Policy Rules and Conditions ■ Defining Authorization Policy Conditions ■ Defining Authorization Policy Rules ■ Configuring Policy Ordering ■ Introduction to Policy Responses for SSO ■ Adding and Managing Policy Responses for SSO ■ Validating Authentication and Authorization in an Application Domain ■ Understanding Remote Policy and Application Domain Management ■ Managing Policies and Application Domains Remotely ■ Defining an Application 25.1 Prerequisites Preview: ■ Understanding Application Domain and Policy Management See Also: Appendix D, "Reviewing Bundled, Generated, and Migrated Artifacts" Managing Policies to Protect Resources and Enable SSO 25-1 Introduction to Application Domain and Policy Creation System level requirements for tasks in this chapter include the following: ■ ■ ■ ■ OAM Server should be running Users and groups who can access a protected resource should already be created in the User Identity Store associated with Oracle Access Management. Policy-enforcement Agents should be registered as described in Chapter 14. Shared components for use in any Application Domain should be defined, as described in Chapter 22. 25.2 Introduction to Application Domain and Policy Creation Application domains are the top-level constructs of the Access Manager 11g policy model. Each Application Domain provides a logical container for resources or sets of resources, and the associated policies that dictate who can access specific protected resources. Certain shared components are used within each Application Domain. Each Application Domain represents a singular application on a particular host or Administrators can define different Application Domains for resources that reside on the same Web server and are closely tied to each other in one way or another. For example, an Administrator can create a single Application Domain for a financial application and an accounts receivable application, or have a different Application Domain for each. Configurable policies allow or deny access to the resources. To enhance security, Access Manager, by default, will deny access when a resource is not protected by a policy that explicitly allows access. Note: Each Access Manager Application Domain contains information regarding: ■ Resource Definitions Each resource definition in an Application Domain requires a Resource Type, Host Identifier (for HTTP resources), and a URL to the specific resource. You can have as many resource definitions as you need in an Application Domain. ■ Authentication Policies and Responses for Specific Resources Each authentication policy includes a unique name, one authentication scheme, success and failure URLs, one or more resources to which this policy applies, and Administrator-defined responses to be applied after successful authentication. Depending on the policy responses specified for authentication or authorization success and failure, the end user might be redirected to a specific URL, or user information might be passed to other applications through a header variable or a cookie value. Note: ■ Authorization Policies, Conditions, Rules, and Responses for Specific Resources Each authorization policy includes a unique name, success and failure URLs, and one or more resources to which this policy applies. In addition, Administrators can define specific conditions that must be fulfilled for a successful authorization and define responses to be applied after successful authorization. ■ Token Issuance Policies, Conditions, and Rules for Specific Resources 25-2 Administrator's Guide for Oracle Access Management Introduction to Application Domain and Policy Creation A Token Issuance Policy defines the rules under which the Security Token Service can issue a token for a resource (Relying Party Partner) based on the client's identity, with the client either being a Requester Partner or an end user. ■ Policy Ordering Policy ordering is a new feature in which the administrator manually designates the order in which policies within an application domain will be matched to incoming requests for access to protected resources. Previous versions of Access Manager used the best match algorithm for this purpose. When a new application is placed behind an existing agent, the Administrator must decide if the application should be protected by a separate (new) Application Domain and policies or an existing Application Domain and policies. This section provides information in the following sections to inform your choice. ■ Generating Application Domains and Policies Automatically ■ Managing Application Domains and Policies Remotely ■ Creating or Managing an Application Domain and Policies 25.2.1 Generating Application Domains and Policies Automatically When you register a policy-enforcement Agent with Access Manager, you can choose to have the domain and policies generated automatically or decline the automatic generation. An automatically generated Application Domain is named for the Agent and seeded with default resources and basic policies (authentication and authorization). No Token Issuance Policy is defined, though an empty container is provided. During Agent registration, it is presumed that the Agent resides on the same Web Server as the application it protects. However, the Agent can be on a proxy Web server and the application can be on a different host. Default resources are protected by basic policies until an Administrator adds more resources or modifies or adds policies. IAMSuiteAgent is a pre-registered Java Agent filter that provides an Application Domain (IAMSuite) to protect the Oracle Fusion Middleware console and other consoles. For more information, see "Bundled 10g IAMSuiteAgent Artifacts" on page D-1. Note: 25.2.2 Managing Application Domains and Policies Remotely Access Manager provides two modes to manage Application Domains and their policies without registering or modifying the companion agent. Remote policy and Application Domain management supports only create and update functions. Remote management does not support removing Application Domains or policies. For more information, see "Understanding Remote Policy and Application Domain Management" on page 25-77. 25.2.3 Creating or Managing an Application Domain and Policies The following overview outlines the procedures that must be performed to manually create or manage an Application Domain and policies, and identifies the topics that provide the steps to complete the procedure. Task overview: Managing an Application Domain 1. Get acquainted with the following details: Managing Policies to Protect Resources and Enable SSO 25-3 Understanding Application Domain and Policy Management 2. ■ Chapter 21, "Understanding Single Sign-On with Access Manager" ■ Chapter 22, "Managing Authentication and Shared Policy Components" ■ Understanding Application Domain and Policy Management ■ Understanding Remote Policy and Application Domain Management Perform all prerequisite tasks for this chapter, as described in: ■ 3. 4. Start a fresh Application Domain (or view an existing one), as described in: ■ Creating a New Application Domain ■ Viewing or Editing an Application Domain ■ Managing Policies and Application Domains Remotely Add resource definitions to your Application Domain as described in: ■ 5. 6. 7. 8. 9. Prerequisites Adding and Managing Policy Resource Definitions Define your Authentication Policy, as described in: ■ Creating an Authentication Policy for Specific Resources ■ Adding and Managing Policy Responses for SSO Define your Authorization Policy, as described in: ■ Creating an Authorization Policy and Specific Resources ■ Adding and Managing Policy Responses for SSO ■ Defining Authorization Policy Conditions ■ Defining Authorization Policy Rules Define your Token Issuance Policy, as described in: ■ Chapter 45: Managing Token Issuance Policies and Conditions ■ Adding and Managing Policy Responses for SSO ■ Defining Authorization Policy Conditions ■ Defining Authorization Policy Rules Configure SSO settings and policy evaluation caches, as described in: ■ Chapter 13: "Managing SSO Tokens and IP Validation" ■ Chapter 13: Managing Run Time Policy Evaluation Caches Validate your policies and configuration, as described in: ■ Chapter 27: Validating Global Sign-On and Centralized Logout 25.3 Understanding Application Domain and Policy Management Whether you create an Application Domain manually or you accept automatic policy generation when registering an Agent, the elements of an Application Domain are the same. All policies and Application Domains are managed using the Oracle Access Management Console. For details, see the following topics: ■ Navigating the Application Domain Pages ■ Displaying the Application Domain Summary Page 25-4 Administrator's Guide for Oracle Access Management Understanding Application Domain and Policy Management ■ Defining an Application ■ Displaying the Resource Container in an Application Domain ■ Displaying Authentication Policy Pages ■ Displaying Authorization Policy Pages ■ Displaying Token Issuance Policy Pages 25.3.1 Navigating the Application Domain Pages Regardless of the method you choose to create an Application Domain, a unique name is required to be used as an identifier. When you click Application Domains, a Search page is displayed. The Create Application Domain button in the upper-right corner enables you to start a fresh domain definition. Otherwise, enter a name (or leave the Name field blank) and click the Search button to list existing Application Domains. Figure 25–1 is the Application Domains Search page, controls, and the Search Results table with its own tool bar. Figure 25–1 Application Domains Search Page 25.3.2 Displaying the Application Domain Summary Page When you click the name of an Application Domain in the Search results, the Name, an optional description and Policy Ordering configuration are displayed on the Summary tab. Other information is organized in the following tabs. ■ Resources ■ Authentication Policies ■ Authorization Policies ■ Token Issuance Policies ■ Administration Figure 25–2 is a screenshot of a typical Application Domain page. In a generated Application Domain, the Name and Description are populated as shown. When you create an Application Domain manually, the Description is entered by the Administrator. Managing Policies to Protect Resources and Enable SSO 25-5 Understanding Application Domain and Policy Management Figure 25–2 Example Application Domain Summary Page 25.3.3 Displaying the Resource Container in an Application Domain The Resources tab in the Application Domain represents the container for all resource definitions in that domain. When the Resources tab is clicked and displayed, the Search controls are available to help you find specific definitions quickly. Figure 25–3 illustrates Search controls that you can use to refine your resource definition search. There is also a New Resource button in the upper-right corner. The Search Results table provides key information about each definition found. Figure 25–3 Search Results for Resources in an Application Domain The default Resource Type is HTTP; default Resource URL is /**. With HTTP resource definitions you can also search on a query string defined for that resource. The query string can be only the Base URL and can include optional pattern-matching special characters to represent a set of URLs. In this generated domain, the Host Identifier matches the name of the HTTP agent that was registered. Basic information about the policies is also provided. 25-6 Administrator's Guide for Oracle Access Management Understanding Application Domain and Policy Management See Also: ■ ■ "Adding and Managing Policy Resource Definitions" on page 25-13 Appendix D, "Reviewing Bundled, Generated, and Migrated Artifacts" 25.3.4 Displaying Authentication Policy Pages The Authentication Policies tab provides access to defined or generated policies with no search controls needed. When an Administrator creates an Application Domain manually she must also manually create all policies. In a generated Application Domain, two Authentication policies are created automatically, as shown in Figure 25–5: ■ Authentication Policy: Protected Resource Policy ■ Authentication Policy: Public Resource Policy Figure 25–4 Authentication Policies Tab Authentication policies are local, which means that each policy applies only to the resources specified for the policy. Each resource can be protected by only a single authentication policy. Figure 25–5 shows the Protected Resource Policy and the columns of information displayed automatically on the policy's Resources tab. The Responses tab is available. Managing Policies to Protect Resources and Enable SSO 25-7 Understanding Application Domain and Policy Management Figure 25–5 Authentication Policy Page: Resources and Responses Initially, all resources are protected. Success and Failure URLs and Responses must be added manually; no default values are supplied. Note: A description is provided during automatic generation: "Policy set during domain creation. Add resources to this policy to protect them." This generated policy uses the LDAPScheme as the authentication scheme. However, the optional elements of the policy are not yet defined. Protected Resources are identified on the Resources tab as HostIdentifier/**. Note: Administrators can change the authentication scheme, specify Success and Failure URLs, add other resources, and define SSO Responses. Public Resource Policy: A second authentication policy is also generated automatically. This policy uses AnonymousScheme as the default scheme for authentication, which allows anyone access. Initially, this Public Resource Policy does not include or serve any Resources. The Description tells Administrators what is needed: Policy set during domain creation. Add resources to this policy to allow anyone access. See Also: "Introduction to Policy Responses for SSO" on page 25-68 25.3.5 Displaying Authorization Policy Pages The Authorization Policies tab also provides access to defined or generated policies with no search controls needed. In a generated Application Domain, two 25-8 Administrator's Guide for Oracle Access Management Understanding Application Domain and Policy Management Authorization policies are created automatically; however, each resource can be protected by only a single authorization policy: ■ Protected Resource Policy ■ Public Resource Policy The Authorization Policy tab is shown in Figure 25–7. From this tab, you can select a policy to edit or create a new policy. Figure 25–6 Authorization Policies Page The Authorization Policy page is shown Figure 25–7. It provides several tabs where you can define the various components of this Authorization policy. Initially, all resources are protected and access is denied. Success and Failure URLs Conditions, Rules, and Responses must be added manually (no default are supplied). Figure 25–7 Individual Authorization Policy Page The Authorization Policy Resources tab is shown in Figure 25–8. You use this page to add (or remove) resources for this policy. Managing Policies to Protect Resources and Enable SSO 25-9 Managing Application Domains Using the Console Figure 25–8 Individual Authorization Policy Resources tab Administrators can also define Conditions, Rules, and Responses for this policy. None are generated automatically. See Also: ■ ■ "Introduction to Policy Responses for SSO" on page 25-68 "Introduction to Authorization Policy Rules and Conditions" on page 25-40 25.3.6 Displaying Token Issuance Policy Pages By default, only a container for Token Issuance Policies is provided in a generated Application Domain. Any Resources, Conditions, Rules, and Responses must be added manually. Figure 25–9 Token Issuance Policies Page For specific information on this policy type, see: ■ "Managing TokenServiceRP Type Resources" on page 45-30 ■ "Managing Token Issuance Policies, Conditions, and Rules" on page 45-27 25.4 Managing Application Domains Using the Console Managing an Application Domain involves adding, modifying, or deleting general and resource-related settings and policies. Each Application Domain must have a unique name that matches the agent name. After entering a name and optional description for the new Application Domain, click Apply to create it. This manual creation makes available the complete series of tabs: Summary, Resources, Authentication Policies, Authorization Policies, Token Issuance Policies. 25-10 Administrator's Guide for Oracle Access Management Managing Application Domains Using the Console If the Application Domain was created using remote registration or while registering an agent, basic policy information is generated with it. For details, see Understanding Remote Policy and Application Domain Management and Managing Policies and Application Domains Remotely. Note: This section describes how to create and manage an Application Domain using the Oracle Access Management Console. It includes the following topics: ■ Creating a New Application Domain ■ Searching for an Existing Application Domain ■ Viewing or Editing an Application Domain ■ Deleting an Application Domain and Its Contents 25.4.1 Creating a New Application Domain Decide whether you need a new Application Domain or if you can add resources to an existing Application Domain. You can protect multiple applications using the same Agent by manually creating one Application Domain and manually adding resources and policies. Users with valid Administrator credentials can perform the following task to manually create an Application Domain using the Oracle Access Management Console. Alternatively, Application Domains can be generated automatically during agent registration, as described in Chapter 14 and Chapter 15. Prerequisites See Prerequisites at the beginning of this chapter. To create a new Application Domain 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security console, select Create Application Domain from the Create (+) menu in the Access Manager section. 3. On the Create Application Domains page, add a unique name, an optional description and other details, then click Apply and close the Confirmation window. See Configuring Policy Ordering. 4. View and manage the following containers (tabs) within the Application Domain container: ■ ■ ■ ■ Resources: See "Adding and Managing Policy Resource Definitions" on page 25-13. Authentication Policies: See "Defining Authentication Policies for Specific Resources" on page 25-31. Authorization Policies: See "Defining Authorization Policies for Specific Resources" on page 25-35. Token Issuance Policies: See "Managing Token Issuance Policies, Conditions, and Rules" on page 45-27. Managing Policies to Protect Resources and Enable SSO 25-11 Managing Application Domains Using the Console 25.4.2 Searching for an Existing Application Domain Users with valid Administrator credentials can use the following procedure to search for a specific Application Domain. Note: This Search operation is case sensitive. To search for an Application Domain 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security console, click Application Domains. 3. In the page that appears, enter the name of the Application Domain you want to find (or partial name and wild card, *, or leave the field blank to retrieve all domains). For example: DesiredDomain 4. Click the Search button to initiate the search. 5. Choose a name in the Search Results table to perform the desired task. For instance: ■ ■ Edit: Click the Edit button in the tool bar to display the configuration page and go to "Viewing or Editing an Application Domain". Delete: See "Deleting an Application Domain and Its Contents" before you perform this task. ■ Detach: Click Detach in the tool bar to expand the table to a full page. ■ View: Select a View menu item to alter the appearance of the results table. 25.4.3 Viewing or Editing an Application Domain Users with valid Administrator credentials can perform the following task to view or modify an Application Domain (including its resources, policies, conditions, and responses) using the Oracle Access Management Console. Oracle recommends that you consider grouping similar applications into the same Application Domain. While editing the Application Domain, be aware that different applications are using the same domain. Editing the description and domain name are supported. See Also: "Managing Policies and Application Domains Remotely" To view or modify an Application Domain and its content 1. Locate the desired Application Domain as described in "Searching for an Existing Application Domain". 2. Click to open each of the following tabs to add, view, modify, or delete specific details: ■ ■ Resources: See "Adding and Managing Policy Resource Definitions" on page 25-13. Authentication Policies: See "Defining Authentication Policies for Specific Resources" on page 25-31. 25-12 Administrator's Guide for Oracle Access Management Adding and Managing Policy Resource Definitions ■ ■ Authorization Policies: See "Defining Authorization Policies for Specific Resources" on page 25-35 Token Issuance Policies: See "Managing Token Issuance Policies, Conditions, and Rules" on page 45-27. 25.4.4 Deleting an Application Domain and Its Contents Users with valid Administrator credentials can perform the following task to delete an Application Domain (including its resources, policies, conditions, and responses) using the Oracle Access Management Console. Deleting the Application Domain and its content removes all referenced objects, including the Agent registration. Using this method, if you later need to re-register the same Agent, you can because there are no remaining references to the previous Application Domain and its content. During a Delete operation, if the Application Domain contains any policy elements, you are alerted. Note: Prerequisites Ensure that resources in the domain to be deleted are placed in another Application Domain for protection. To delete an Application Domain 1. Locate the desired Application Domain as described in "Searching for an Existing Application Domain". 2. Ensure that resources in the domain to be deleted are placed in another Application Domain for protection. 3. In the Search Results table, click the Serial Number beside the desired name, and then click the Delete (x) button in the tool bar. 4. In the Warning window, click Delete (or click Cancel to dismiss the window). 5. Check the results table to confirm the Application Domain has been removed. 25.5 Adding and Managing Policy Resource Definitions Protecting resources requires an Application Domain containing definitions of the specific resources. With OAM, you can protect different types of resources, including non-HTTP/HTTPS-based resources and HTTP/HTTPS-based resources such as: ■ An entire external Web site ■ Specific pages in a Web site ■ Partner portals ■ A parts order application ■ Invoice applications ■ A benefits enrollment application on Web servers of an enterprise in many countries Each Application Domain includes a container for resource definitions, the Resources tab. Once you have defined a resource in this container, you can add it to a policy in the Application Domain. This section provides the following topics: Managing Policies to Protect Resources and Enable SSO 25-13 Adding and Managing Policy Resource Definitions ■ Defining Resources in an Application Domain ■ Searching for a Resource Definition ■ Defining Resources in an Application Domain ■ Viewing, Editing, or Deleting a Resource Definition 25.5.1 Defining Resources in an Application Domain Each resource must be defined separately in an Application Domain. Within an Application Domain, resource definitions exist as a flat collection of objects. Each resource is defined as a specific type, and the URL prefix that identifies the resource (document or entity) stored on a server and available for access by a large audience. The location is specified using an existing shared Host Identifier. If a resource that is not explicitly marked as excluded, is not associated with a policy, then access is denied to all users because there is no policy match. Note: Resource Definition Guidelines 1. No URL prefixes. Resource definitions are treated as complete URLs. 2. Pattern matching (with limited features) for: ' * ' and '...' are supported 3. Resources need not be unique across domains. 4. Query-string protection for HTTP URLs. 5. Each HTTP resource is defined as a URL path, and associated with a host identifier. However, resources of other types are associated with a specific name (not a host identifier). 6. Non-HTTP resource types are supported, with definition of specific operations. Non-HTTP resource types are never associated with a host identifier. 7. Resources can designated as either Protected, Unprotected, or Excluded. 8. Custom resource types are allowed. Figure 25–10 illustrates the Create Resource page. 25-14 Administrator's Guide for Oracle Access Management Adding and Managing Policy Resource Definitions Figure 25–10 Create Resource Page in the Application Domain Table 25–1 describes elements that comprise a resource definition. Table 25–1 Resource Definition Elements Elements Description Type The HTTP type is the default; it covers resources that are accessed using either the HTTP or HTTPS protocol. Policies that govern a particular resource apply to all operations defined for the resource. The wl_authen resource type is used for Fusion Middleware application scenarios, as described in the Oracle Fusion Middleware Application Security Guide. The TokenServiceRP resource type is used to represent the Token Service Relying Party as described in "Managing TokenServiceRP Type Resources" on page 45-30. Any custom resource type that has been defined is listed with default resource types when you add a resource definition (or search for resources). See Also: "About the Resource Type in a Resource Definition" on page 25-17. Description An optional unique description for this resource. Host Identifier A list of host identifiers is available, which contains all identifiers that were defined as a shared component. You must choose a host identifier to assign this resource. Note: The combination of the host identifier and URL string that make up a resource definition must be unique across all Application Domains. See Also: "Managing Host Identifiers" on page 22-7. URI Section Information will differ depending on the selected Resource Type. Managing Policies to Protect Resources and Enable SSO 25-15 Adding and Managing Policy Resource Definitions Table 25–1 (Cont.) Resource Definition Elements Elements Description Query For HTTP resource types only. You can provide a list of Name and Value pairs for use in access policies. Name-Value list See Also: "About Query String Name and Value Parameters for Resource Definitions" on page 25-21. Query String For HTTP resources, you can provide a query string for literal full query string matching within access policies. See Also: "About Literal Query Strings in Resource Definitions" on page 25-25. Resource URL The value must be expressed as a single relative URL string that represents a path component of a full URL composed of a series of hierarchical levels separated by the '/' character. The URL value of a resource must begin with / and must match a resource value for the chosen host identifier. Based on its contents, a URL is matched in response to an incoming request as a literal or a wild card pattern. The special characters available to define a pattern, if included, are: ■ ■ The asterisk (*) is allowed only at the lowest, terminating level of the path. The asterisk matches zero or more characters. An ellipses (…) is allowed at any level of the path except the terminating level. The ellipses represents a sequence of zero or more intermediate levels. See Also Table 25–2. Operations Section You can define specific allowed operations to customize you own resource definitions. Note: Oracle-provided Resource Types are read-only. Operations associated with Oracle-provided Resource Types need not be defined and cannot be modified. Policies developed and applied to resources of Oracle-provided types apply to all operations. Operations Available Identify all HTTP operations that are allowed for this resource definition. Policies developed and applied to this customized resource apply to only the operations you identify. Unless explicitly noted, all of the following possible operations are for HTTP resource types: ■ Connect ■ Options ■ Put ■ Post ■ Trace ■ Head ■ Delete ■ Connect ■ Login (wl_authen resource type only) ■ Issue (TokenServiceRP resource type only) Note: During Agent registration, if no operation is specified for the resource definition itself, then All operations for that resource type are supported. See Also: "About Resource Types and Their Use" on page 22-2. Protection Using the controls in this section of the Resource Definition, you can identify the desired level of protection for this resource and name the policies to be used. 25-16 Administrator's Guide for Oracle Access Management Adding and Managing Policy Resource Definitions Table 25–1 (Cont.) Resource Definition Elements Elements Description Protection Level Choose the appropriate protection level from the following: ■ Protected (the default) Protected resources are associated with a protected-level Authentication policy that uses a variety of authentication schemes (LDAP, or example). Authorization policies are allowed for protected resources. Responses, conditions, auditing, and session management are enabled for protected resources using a policy that protects the resource. ■ Unprotected Unprotected resources are associated with an unprotected-level Authentication policy (level 0) that can use a variety of authentication schemes (LDAP, for example). Authorization policies are allowed for unprotected resources, and a basic one is needed to allow such access. However, an elaborate policy with conditions and responses is irrelevant. Responses, conditions, and auditing are enabled for Unprotected resources using a policy that protects the resource. Only Session Management is not enabled. Access to Unprotected resources incur an OAM Server check from Webgate, which can be audited. ■ Excluded (these are public) Only HTTP resource types can be excluded. Typically security insensitive files like Images (*.jpg, *.png), protection level Excluded resources do not require an OAM Server check for Authentication, Authorization, Response processing, Session management, and Auditing. Excluded resources cannot be added to any user-defined policy in the console. While allowing access to excluded resources, Webgate does not contact the OAM Server.Therefore, such access is not audited. Most regular resource validations apply to Excluded resources. However, excluded resources are not listed when you add resources to a policy. There is no Authentication or Authorization associated with the resource. Authentication Policy A list of Authentication policies based on the specified resource protection level becomes available. Only policies within this domain, and that match the specified protection level, are listed. Authorization Policy A list of authorization policies defined in the domain become available from which you can choose the one to protect this resource. After adding the resource, it is grouped under the Resources node of the named Application Domain. When you create policies all defined resources for the domain are listed and you can choose one or more for inclusion in the policy. For more information about different specifications within a resource definition, see the following topics: ■ About the Resource Type in a Resource Definition ■ About the Host Identifier in a Resource Definition ■ About the Resource URL, Prefixes, and Patterns ■ About Query String Name and Value Parameters for Resource Definitions ■ About Literal Query Strings in Resource Definitions ■ About Run Time Resource Evaluation 25.5.1.1 About the Resource Type in a Resource Definition When adding a resource definition to an Application Domain, Administrators must choose from a list of defined Resource Types. Native Resource Types are read-only cannot be modified or deleted; these include HTTP, TokenserviceRP, and wl_authen. See Also: "About Resource Types and Their Use" on page 22-2 Managing Policies to Protect Resources and Enable SSO 25-17 Adding and Managing Policy Resource Definitions When adding an HTTP type resource to an Application Domain, Administrators choose from a list of existing host identifiers and then add the resource URL. Operations associated with the HTTP resource type need not be defined by an Administrator. Instead, policies apply to all HTTP operations. Table 25–2 shows sample URL values for resources. For more information, see "About the Resource URL, Prefixes, and Patterns" on page 25-18. Table 25–2 HTTP Resources Sample URL Values Resource Sample URL Values Directories ■ /mydirectory ■ /mydirectory/** ■ /mydirectory/projects/index.html ■ /mydirectory/projects/*.html ■ /mydirectory/.../*.html ■ /mydirectory/projects/example.exe ■ /mydirectory/projects/*.exe ■ /mydirectory/** Pages Web applications 25.5.1.2 About the Host Identifier in a Resource Definition Administrations identify resources in an Application Domain by the host where the resources reside and the resource URL. Non-HTTP resource types are not associated with a host identifier. Instead, Administrators must enter the type's name into the Resource URL field of the resource definition page. Note: Host identifiers create a context for each resource, which is useful when adding resources that have the same URL paths on different computers. Administrations can protect all of these resources in the same way within the same Application Domain. The only variable that distinguishes one set of resources from another is identification of its host computer. All defined host identifiers appear on the Host Identifiers list on the Resources page. When adding a resource to an Application Domain, administrations must choose one host identifier for the computer hosting the resource. To ensure that Access Manager recognizes the URL for a resource, Access Manager must know the various ways used to refer to that resource's host computer. 25.5.1.3 About the Resource URL, Prefixes, and Patterns During automated Application Domain generation, a URL prefix is defined under which all resources are protected. Resources are linear, not hierarchical. Resource definitions are treated as complete URLs. Note: No host identifier is associated with a non-HTTP resource type. Administrations identify individual resources in the Application Domain using a specific resource URL. Individual resource URLs need not be unique across domains. 25-18 Administrator's Guide for Oracle Access Management Adding and Managing Policy Resource Definitions However, the combination of a resource URL, Query String, and a host identifier must be unique across domains. An HTTP type resource is expressed as a single relative URL string representing a path. The string is composed of a series of hierarchical levels separated by the '/' character. Based on its content, a URL is matched in response to an incoming request as a literal or a wild card pattern. URL Prefixes The Access Manager policy model does not support a resource prefix. In other words, there is no policy inheritance. If a policy is defined for /mydirectory/projects/, it only applies to this URL (and does not apply to /mydirectory/projects/index.html, for example). If you need a policy for all resources with the same prefix string, you can define the resource using special characters (three periods ... (ellipsis) or * (asterisk) for instance: /mydirectory/projects/.../*. Note: The Access Manager policy model does not support a resource prefix. In other words, there is no policy inheritance. URL Patterns, Matching, and Precedence Administrators can create granular URL patterns to specify the fine-grained portion of a resource's namespace. All matching is case insensitive. Table 25–3 ■ Supported wildcard matching is provided for the patterns in Table 25–3 ■ Sample Resource URLs and their correctness are shown in Table 25–4 Supported Wildcards in Resource URL Patterns (Precedence Order) Pattern Description Example /** The default. Matches any sequence of zero or more characters that starts with the forward slash character (/). ·/** You can use this pattern to protect a path under a specific, named directory. Matches /foo/bar /foo/ Note: This is not an existing 10g wildcard. In 10g, the /.../* pattern yielded an exclusive match that did not include the root of the level at which the pattern was defined. For example, /foo/.../* matched /foo/bar and the root directory /foo/ itself, but it wouldn't match foo/ or /foo. 10g had the notion of a prefix (the "root"), and most evaluation occurred after striping off the prefix. Literals The resource's pattern contains no special characters. {pattern1,patter n2,...} Matches one from a set of patterns. ■ The patterns inside the braces can themselves include any other special characters (except braces; sets of patterns cannot be nested). ■ a{ab,bc}b matches aabb and abcb. a{x*y,y?x}b matches axyb, axabayb, ayaxb, and so on. Managing Policies to Protect Resources and Enable SSO 25-19 Adding and Managing Policy Resource Definitions Table 25–3 (Cont.) Supported Wildcards in Resource URL Patterns (Precedence Order) Pattern Description Example [range or set] Matches one from a set of characters. ■ A set can be specified as a series of literal characters or as a range of characters. A range of characters is any two characters (including -) with a hyphen (-) between. ■ ■ A range of characters is any two characters (including -) with a hyphen (-) between them. The forward slash character (/) is not a valid character to include in a set. A set of characters will not match / even if a range that includes / is specified. ■ ■ [nd] matches only n or d. [m-x] matches any character between m and x, inclusive. [--b] matches any character between - and b inclusive (except for /; see /usr/pub/ascii for order of punctuation characters). [abf-n] matches a, b, and any character between f and n, inclusive. [a-f-n] matches any character between a and f inclusive, -, or n. (The second - is interpreted literally because the f preceding it is already part of a range.) Single Character Wildcard ? The ? (question mark) matches any one character other than /. This is not treated as a query string delimiter. a?b matches aab and azb but not a/b. Wildcard * The * (asterisk) wildcard matches any sequence of zero or more characters. However, the * (asterisk) does not match the forward slash character (/). a*b matches ab, azb, and azzzzzzb but not a/b. * The * (asterisk) can be used only at the lowest, terminating level of the path. It matches zero or more characters. The following URL pattern: Every character in a URL pattern must match the corresponding character in the URL path exactly. Exceptions: ■ ■ ■ At the end of a pattern, /* matches any sequence of characters from that point forward. The pattern *.extension matches any file name ending with the named extension. /.../update.html Matches: /humanresources/benefits/update.html /corporate/news/update.html update.html See Also: Table 25–4 Does not match /. /.../ Hierarchy Matches any sequence of one or more characters that starts and ends with the forward slash character (/). ■ /index.html Evaluation descends from the root /. At each directory level, resources matching the highest precedence level are selected as candidates for continued evaluation and then descend to the next level. This continues until resources representing the best match possible, based solely on the path information, is obtained. /oracle/index.html /oracle/sales/index.html index.html It does not match xyzindex.html or xyz/index.html. Host wide; the entirety of the pattern. /.../* Host wide The pattern /.../index.html matches: ■ /oracle/.../*.html matches: /oracle/index.html /oracle/sales/order.html, and so on. \ The backslash character is used to escape special characters. Any character preceded by a backslash matches itself. ■ ■ Escaped special characters need to be ignored if putting the pattern in wildcard buckets ■ abc\*d only matches abc*d ■ abc\\d only matches abc\d Escaped special characters are matched literally to the special characters, if any, within the incoming URL Table 25–4 illustrates a number of resource definitions within an Application Domain, organized alphabetically according to the Host Identifier and Resource URL. The right-hand column in Table 25–4 declares whether the form is correct or not. 25-20 Administrator's Guide for Oracle Access Management Adding and Managing Policy Resource Definitions Table 25–4 Sample Resource URLs Resource URL /bank/accounts/* /bank/accounts/*.jsp /bank/accounts/checking /bank/.../checking.jsp /.../*.jsp /bank/accounts/checking*.jsp /bank/accounts/c*.jsp /bank/.../accounts/def.gif 25.5.1.4 About Query String Name and Value Parameters for Resource Definitions The Policy Model supports Query String Name and Value parameters in a Resource pattern definition: ■ ■ ■ ■ Name: A string literal that can contain any characters, including symbols; all characters are treated as literal. Value: Can be a string literal with any characters and can contain a wildcard (* only) to match a sequence of 0 or more characters. Asterisk (*) is treated as a wildcard. Amount: There is no limit to the number of name and value pairs in a query string. However, for a single resource there will be only a few pairs. Order: Any order can be used for name and value pairs because at run time these might come in any order as part of the query string. Resource Matching and Precedence: Query String Name and Value Parameters Access Manager uses an algorithm that locates the least specific match and continues to the most specific possible resource. When you have candidates defined with both a single-query string and query parameters, those with the single string take precedence. For resources containing parameter lists, the best match is determined as follows: 1. Path Matching: Access Manager attempts to match the path of the requested resource. There may be multiple candidates matched, differing by query component and/or operations declared. 2. Query String Matching: For matches obtained, Access Manager attempts to match the query string (if present in the requested URL). If candidates are defined with both single query string and query parameters, those with the literal string take precedence. There may be multiple candidates remaining, differing by operation. 3. Operation Matching: For matches obtained, attempt to match the requested operation. If there is no exact match present, then check for resources for which no specific operation(s) have been defined. In other words, they apply to any operation defined as part of the resource's type. In either case, this yields a single, best match. Path Matching: Defined resources are evaluated for potential match, against the requested URL's path component, in the following precedence order: ■ Literals (as in, the resource's pattern contains no special characters) Managing Policies to Protect Resources and Enable SSO 25-21 Adding and Managing Policy Resource Definitions ■ Choice: {pattern1,pattern2,...} , each of which may itself contain the below special characters and is evaluated, in turn, using this same precedence order ■ Range: [ ] ■ Single-char wildcard: ? ■ Wildcard: * ■ Hierarchy: /.../ ■ Hostwide: /…/* is the entirety of the pattern Evaluation descends from the root '/'. At each directory level, resource(s) matching with the highest precedence level are selected as candidates for continued evaluation and then descent to the next level occurs. This continues until resource(s) representing the best match possible, based solely on the path information, is obtained. Note: All matching in 11g has been, and remains, case insensitive. Table 25–5 illustrates the matching pattern for each of several requested URLs. Table 25–5 Pattern Matching for Requested URLs Requested URL Matching Pattern /oam/sales/oam/page8.html /oam/.../*.html /oam/Dept1/page8.html /oam/Dept?/page8.html /oam/DeptQ/page8.html /oam/Dept[A-Z]/page[1-8].html /oam/DeptQ/page8.html /oam/Dept[A-Z]/page?.html /oam/saals/foo/aba/zzz/indexp.html /oam/sa{*,le,l?,a[k-m],[a-f-m]}s/.../{*b,?a}{a,/../ii}/.../{ind ex,test}[pa].?tml Query String Matching When you have candidates defined with both single query string and query parameters, those with the single string take precedence. Single query strings are scored using the algorithm already-mentioned. For resources containing parameter lists, the best match is determined as follows: ■ ■ ■ ■ Resources with parameter values without wildcards are given higher order of precedence; the combined length of the parameter names and values is used to determine the best match among the set of such resources. As for query string literals, if there are two or more matches with the same combined length, then matching will fail. Resources with parameter values containing wildcards are considered next. The total number of wildcards within each resource is used to determine the best match among such resources. If there are two or more matches having same number of wildcards, then the combined length of the parameter names and values determines the best match Matching fails if multiple resources contain the same combined length. Query String Matching Patterns: Second and subsequent patterns use parameter lists: /oam/index.html::a=*d (a single query string) /oam/index.html::a:b /oam/index.html::a:b,c:d /oam/index.html::a:b* 25-22 Administrator's Guide for Oracle Access Management Adding and Managing Policy Resource Definitions /oam/index.html::a:b*,c:d /oam/index.html::a:b*,c:d* /oam/index.html::a:b*,c:*d* Table 25–6 illustrates the matching pattern for each of several requested URLs. Table 25–6 Query String Matching: Examples Requested URL Matching URL Pattern Matching Query String Pattern /oam/index.html?a=b&c=d /oam/index.html a=*d /oam/index.html?a=b1&c=d /oam/index.html a:b*,c:d /oam/index.html?a=b1,c=d1 /oam/index.html a:b*,c:d* /oam/index.html?a=b1,c=1d1 /oam/index.html a:b*,c:*d* Operation Matching Examples: At this point in request processing, there are one or more candidate resources, all of which match the requested URL path and query string components equally. Access Manager now matches the requested operation to one of those candidates: a resource defined to protect that operation specifically (as well as other, specific operations). As only a single resource can be defined to protect any given operation, this will give the single best match. Run Time Evaluation: Name value pairs are evaluated at run time as follows: NAME a a VALUE ab a* Same Resource URL Specified Differently: Resources with the same URL and with the same characters in the query string (although specified differently in the console (one as a key and value and the other as a single string)) are considered different and are allowed. For example, the two following resource patterns are considered as different: Resource URL: /test.html Query string: area=*&dept=* Resource URL: /test.html Query NAME VALUE area * dept * Resource Matching During Policy Evaluation: The order in which name and value pairs arrive at run time does not matter. As long as all the names and values match the query string, the match is successful. The incoming request can have more name and value parameters than defined and still have a successful match. Example 1: The following pattern matches the incoming URL if no other pattern is defined with the same URL, query string variables, and the extra query string variable (revenue=1000): Incoming URL => /test.html?area=emea&dept=engg&revenue=1000 resource pattern => /test.html Query String NAME area dept VALUE emea engg Managing Policies to Protect Resources and Enable SSO 25-23 Adding and Managing Policy Resource Definitions Example 1: For a resource with the same resource URL and the same query string, with one defined as a single string and the other defined as name and value pairs, the policy evaluation preference matches the literal query string before considering name and value pairs. For instance, in the following example, a) is matched: Runtime Request: URL => /test.html?area=emea&dept=engg Resource Patterns: a) Resource:/test.html Query string: area=emea&dept=engg b) Resource:/test.html Query String NAME area dept VALUE emea engg Best Match, Multiple Resources: When you have multiple resources with query string name and value pairs defined, the best resource match is the pattern that matches the most number of query string parameters. When wildcard values are used, this is followed by how closely each parameter value matches. For example: With the following two query string patterns defined: Query String NAME area dept VALUE e* e* area dept em* en* and Run Time Query String Parameters: area emea dept engg Result: The second name and value pattern match order is higher. Figure 25–11 shows the resource definition page. Here, "rev*" is a valid name (the asterisk character is allowed and treated as a literal character, which is equivalent to 10g behavior). The Oracle Access Management Console enables you to add query strings as name and value pairs. You can also add the query string as a literal string. If If you select a literal query string, then the name and value option is disabled (and vice versa). 25-24 Administrator's Guide for Oracle Access Management Adding and Managing Policy Resource Definitions Figure 25–11 HTTP Resources, Query String Resource URL Controls Behavior When Migrating to Access Manager: If you upgrade to Access Manager (from 10g), previous query strings are created in 11g appropriately (whether a single string or a name and value pair). The appropriate type of query string is created in Access Manager. 25.5.1.5 About Literal Query Strings in Resource Definitions The Policy Model supports resource protection based on matching literal, full query-string-based HTTP resource definitions within Access Policies. A single Query String Pattern that would be matched against the entire input Query string (as opposed to matching only portions (selected name and value pairs) of the query string. For example: status=active&adminrole=* A Query String pattern specified as a regular free form string with these extra features: ■ ■ Optional: Special character (*) that matches zero or more characters, which is applied to a set of names in the run time Query String. Two resource definitions can exist with same URL base path pattern and different Query String patterns. These two are independent and non-equal resources. For example, these are all valid and can exist at same time: /foo /foo?bar=true /foo?bar=false The Query String is free form with no restriction in terms of format or characters. It is not required to specify Query String as key/value pairs At run time, only the Query String that is part of HTTP GET requests is processed; Query String pattern does not apply to HTTP POST data. Resource Matching at run time: ■ ■ The base URL path is matched and then the Query String is matched Multiple resource patterns that contain matching Query Strings: The best match is determined based on the number of tokens (pattern delimited by '*') and the length of the token at each position. Patterns with longer tokens in the beginning are preferred and then the pattern that contains more number of tokens. (If there are matching patterns that contain same number of tokens and same length at each position then the match would fail.) Conflicts: Managing Policies to Protect Resources and Enable SSO 25-25 Adding and Managing Policy Resource Definitions ■ ■ Super Set: The input resource definition contains a set of name-value Query String patterns that are a super set of patterns of an existing resource definition in the policy store. Overlap: The input resource specification contains a set of name-value Query string patterns that overlap a set of patterns of an existing resource definition in the policy store. Remote Registration: For OAM Agents, the remote registration tool (oamreg) accepts Query-string based HTTP resource definitions and generates the relevant policy objects for securing access of these resources. If any conflicts are encountered during policy provisioning, only policies for resources that do not have any conflicts are provisioned. This feature does not apply to 10g OSSO agent-based partners and applications. OSSO agents are not capable of enforcing authentication scheme per resource. Instead, a single authentication scheme is applied to all resources of an application. 25.5.1.6 About Run Time Resource Evaluation While processing requests for resources, an evaluation is made to ensure that the proper policy is invoked for the resource. See Also: ■ ■ ■ ■ Other processing details in the following topics: "About the Resource URL, Prefixes, and Patterns" on page 25-18 "About Query String Name and Value Parameters for Resource Definitions" on page 25-21 "About Literal Query Strings in Resource Definitions" on page 25-25 "Managing Run Time Policy Evaluation Caches" on page 13-9 Process overview: Resource evaluation 1. A user specifies the URL for a requested resource. 2. Access Manager creates a fully qualified URL that includes the URL pattern, based on the host identifier and URL. 3. Access Manager compares the incoming URL for the requested resource to the fully-qualified URL constructed from Application Domain information and the policy's URL pattern: ■ ■ If there is a match, the various policies are evaluated to determine whether the requester should be allowed or denied access to the resource. If the requester is allowed access, the resource is served. Table 25–7 describes the possible outcomes. Table 25–7 Resource Evaluation Outcomes Outcome Description Best Match The best match is when a resource definition has the least resource scope compared to other possible matches to the run time resource. The term resource scope represents all possible resources that could be matched using a particular resource definition No Match1 If no match is found, the default evaluation outcome is FAILURE. Depending on what kind of policy was being evaluated, this could mean no authentication is attempted, or no resource access is granted. 25-26 Administrator's Guide for Oracle Access Management Adding and Managing Policy Resource Definitions Look Up Mechanism Examples ■ The default resource URL in an Application Domain defines the broadest scope of content possible (all directories and below): /.../* ■ The pattern /.../index.html matches: /index.html /oracle/index.html /oracle/sales/index.html It does not match, for example, xyzindex.html. ■ /oracle/.../*.html matches: /oracle/index.html /oracle/sales/order.html and so on Resource Scope Examples ■ Resource scope of the following resource definition (includes the asterisk): /mybank/…/* includes all URLs prefixed with "/mybank/" ■ Resource scope of the following resource definition (no special characters in the definition): /mybank/account.html includes only one URL: "/mybank/account.html" 25.5.2 Defining Resources in an Application Domain Users with valid Administrator credentials can use the following procedure to add the resource definitions to protect to the corresponding Application Domain. Resource protection based on a list of discrete query parameters is more secure and easier to administer than literal query strings. You might want to create a policy based on resource URL with query parameters (string and name-value pairs). An error can occur if you specify a host identifier value that is invalid: The challenge URL is invalid. Note: Prerequisites The Resource Type must be defined as a Shared Component. Several elements in the Resource definition page are based on the defined and selected Resource Type. For details, see "Managing Resource Types" on page 22-2. See Also: "Defining Resources in an Application Domain" on page 25-14 To add resource definitions to an Application Domain In the Oracle Access Management Console, locate and view the desired Application Domain, as described in "Searching for an Existing Application Domain" on page 25-12. 1. Managing Policies to Protect Resources and Enable SSO 25-27 Adding and Managing Policy Resource Definitions 2. In the Application Domain, click the Resources tab, then click the New Resource button in the upper-right corner of the Search page. 3. On the Resource Definition page: a. Select or enter your details for a single resource (Table 25–1): Type Description Host Identifier Resource URL (Table 25–4) Operations Query String (Table 25–6) Protection Level Authentication Policy (if level is Protected) Authorization Policy (if level is Protected and Authentication Policy is chosen) 4. b. Click Apply to add this resource to the Application Domain. c. Repeat this procedure to add other resources to this Application Domain. Proceed by adding defined resources to specific policies in the Application domain as described in: ■ Defining Authentication Policies for Specific Resources ■ Defining Authorization Policies for Specific Resources ■ Managing Token Issuance Policies, Conditions, and Rules 25.5.3 Searching for a Resource Definition This section provides the following topics: ■ About Searching for a Specific Resource Definition ■ Searching for a Specific Resource Definition 25.5.3.1 About Searching for a Specific Resource Definition Figure 25–12 shows the default Search elements and Search Results table for resource definitions in an Application Domain. 25-28 Administrator's Guide for Oracle Access Management Adding and Managing Policy Resource Definitions Figure 25–12 Resource Search within an Application Domain You can simply click the Search button using the defaults or refine your search by supplying as much or as little of the information in Table 25–8 as needed to find the resource. Table 25–8 Search Elements for a Resource in an Application Domain Search Elements Description Resource Type Provides a list of defined resource types from which you can choose. You can also leave this blank. Default: HTTP Host Identifier Enter a host identifier here, if desired. You can leave this blank Default: blank Resource URL Enter a resource URL, if desired. You can leave this blank Default: blank Query String Enter a query string for the resource, or leave this blank. You can include this in the search criteria if a query string was defined for the resource when it was added to the Application Domain. Default: blank Authentication Policy Provides a list of defined authentication policies for this Application Domain. You can choose one or leave the space blank. Default: blank Authorization Policy Provides a list of defined authorization policies for this Application Domain. You can choose one or leave the space blank. Default: blank You can click Reset to clear the form or Search to initiate the search. Each resource listed includes everything specified when it was added to the domain. The Actions and View menus are available for use with the table. Also you can click the Create command button to add a new resource definition to this domain. 25.5.3.2 Searching for a Specific Resource Definition Users with valid Administrator credentials can use the following procedure to search for a specific resource definition. Managing Policies to Protect Resources and Enable SSO 25-29 Adding and Managing Policy Resource Definitions To find a resource definition 1. In the Oracle Access Management Console, locate and view the desired Application Domain, as described in "Searching for an Existing Application Domain" on page 25-12. 2. Click the Resources tab to display Resources Search controls. 3. Fill in your search criteria (Table 25–8), and click the Search button. 4. In the Search Results table, click the desired resource definition and take the desired action: ■ Actions Menu: Select an item to Create, Edit, or Delete the selected resource. ■ View Menu: Select an item to alter the appearance of the results table. ■ Edit Button: Click the button in the tool bar to display the configuration page. ■ Delete: See "Viewing, Editing, or Deleting a Resource Definition". ■ Detach: Click Detach in the tool bar to expand the table to a full page. 25.5.4 Viewing, Editing, or Deleting a Resource Definition Users with valid Administrator credentials can use the following procedure to modify resource definitions within a specific Application Domain. If a resource protection level is modified from "Protected" to "Excluded" while it is associated with a policy, the modification will fail. First, remove the resource from the policy, make the change, and add the resource to the policy. During a Delete, you are alerted if the resource is associated with a policy. Without a policy association, the resource is deleted. Note: Prerequisites You must have the desired resource type defined as a shared component. For details, see "Managing Resource Types" on page 22-2. See Also: "Defining Resources in an Application Domain" on page 25-14 To view, modify, or delete resource definitions Find the Resource, as described in "Searching for a Resource Definition". 1. ■ ■ ■ View Only: Close the page when you finish. Modify: Alter the definition as desired and then click Apply to submit changes (or close the page without applying changes). Delete: – Open the resource definition and confirm this is the one to be deleted, then close the page. – Click the name of the desired resource definition and then click the Delete button in the tool bar. – In the Confirmation window, click Delete (or click Cancel to dismiss the window). If the Resource is associated with a policy, remove it from the policy first. 25-30 Administrator's Guide for Oracle Access Management Defining Authentication Policies for Specific Resources – Repeat as needed to delete other resources in the Application Domain. 25.6 Defining Authentication Policies for Specific Resources Each resource assigned to an Application Domain can be protected by only one authentication policy. After adding a resource definition to the Application Domain, the Administrator can begin refining a default authentication policy, adding a new policy, and assigning resources to the authentication policy. In an automatically generated Application Domain, the following authentication policies are seeded as defaults to help streamline the Administrator's tasks: ■ Protected Resource ■ Public Resource See Also: "Understanding Application Domain and Policy Management" on page 25-4 This section provides the following topics: ■ About the Authentication Policy Page ■ Creating an Authentication Policy for Specific Resources ■ Searching for an Authentication Policy ■ Viewing or Editing an Authentication Policy ■ Deleting an Authentication Policy 25.6.1 About the Authentication Policy Page Administrators use authentication policies to protect specific resources. The authentication policy provides the sole authentication method for resources governed by the policy. Each authentication policy defines the type of verification that must be performed to provide a sufficient level of trust for Access Manager to grant access to the user making the request. Authentication policies are local. A single policy can be defined to protect one or more resources in the Application Domain. However, each resource can be protected by only one authentication policy. Authentication Policy Guidelines 1. Authentication policies include resources, success responses, and an authentication scheme. 2. Authentication and Authorization policies can evaluate to Success or Failure. 3. Query Builder and support for LDAP filters (for retrieving matches based on an attribute of a certain display type, for example). 4. Define a policy for resource: /…/* which can be used within a determined scope. 5. Token Issuance Policies can be defined using resources and user- or partner-based conditions. Figure 25–13 shows the Authentication Policies page of an Application Domain. Managing Policies to Protect Resources and Enable SSO 25-31 Defining Authentication Policies for Specific Resources Figure 25–13 Sample Authentication Policies Page in the Application Domain Figure 25–14 shows a specific Authentication Policy. The resources assigned to this policy are displayed on the Resources tab of the policy. Figure 25–14 Sample Individual Authentication Policy Page Table 25–9 describes authentication policy elements. Table 25–9 Authentication Policy Elements and Descriptions Element Description Name A unique name used as an identifier. Description Optional unique text that describes this authentication policy. Authentication Scheme A single, previously-defined authentication scheme to be used by this policy for user authentication. See Also: "Managing Authentication Schemes" on page 22-64 for details. Success URL The redirect URL to be used upon successful authentication. 25-32 Administrator's Guide for Oracle Access Management Defining Authentication Policies for Specific Resources Table 25–9 (Cont.) Authentication Policy Elements and Descriptions Element Description Failure URL The redirect URL to be used if authentication fails. Resources The URL of a resource chosen from those listed. The listed URLs were added to this Application Domain earlier. You can add one or more resources to protect with this authentication policy. The resource definition must exist within the Application Domain before you can include it in a policy. See Also: "About Resources in an Authentication Policy" on page 25-33. Responses The obligations (post authentication actions) to be carried out by the Web agent. After a successful authentication, the application server hosting the protected application should be able to assert the User Identity based on these responses.After a failed authentication, the browser redirects the request to a pre-configured URL See Also: "Introduction to Policy Responses for SSO" on page 25-68. 25.6.1.1 About Resources in an Authentication Policy You can choose to add one or more resources to be protected by the authentication policy. The Resources tab on the Authentication Policy page provides a table where you can enter resource URLs. A list is also provided from which you can choose from defined resources within the Application Domain. To add a resource, click the + button and select from the list. To delete a resource, select the name from the Resources table and click the Delete button in the table. 25.6.2 Creating an Authentication Policy for Specific Resources Users with valid Administrator credentials can use the following procedure to add an authentication policy and resources to an Application Domain. You can use a pre-configured authentication scheme or a custom authentication scheme in the authentication policy. See Also: ■ "About the Authentication Policy Page" on page 25-31 ■ "Managing Authentication Schemes" on page 22-64 Prerequisites Any resource to be added to a policy must be defined within the same Application Domain as the policy. To add an authentication policy for specific resources 1. Locate the desired domain as described in "Searching for an Existing Application Domain". 2. Click the Authentication Policies tab, then click the Create Authentication Policy button to open a fresh page. 3. Required Elements: Add your information for this policy. 4. ■ Name ■ Authentication Scheme Optional Elements (Table 25–9): Add as needed for your policy. ■ Description (optional) ■ Success URL ■ Failure URL Managing Policies to Protect Resources and Enable SSO 25-33 Defining Authentication Policies for Specific Resources Tip: See Configuring Success and Failure URLs for Authorization Policies. 5. Add Resources: A Resource must be defined within the Application Domain before you can add the resource to a specific policy. ■ Click the Resources tab on the Authentication Policy page. ■ Click the Add button on the Resources tab. ■ Click the Search button. ■ Click a URL in the Results table, then click Add Selected. ■ Repeat these steps as needed to add more resources. 6. Click Apply to save changes and close the Confirmation window. 7. Responses: Add policy Responses as described in "Adding and Managing Policy Responses for SSO" on page 25-75. 8. Close the page when you finish. 25.6.3 Searching for an Authentication Policy Users with valid Administrator credentials can use the following procedure to search for a specific authentication policy. To search for an authentication policy in an Application Domain 1. Locate the desired domain as described in "Searching for an Existing Application Domain". 2. Click the Authorization Policies tab and: ■ Edit: See "Viewing or Editing an Authentication Policy". ■ Delete: "Deleting an Authentication Policy". ■ Detach Table: Click Detach in the tool bar to expand the table to a full page. ■ View Menu: Select a menu item to alter the appearance of the results table. 25.6.4 Viewing or Editing an Authentication Policy Users with valid Administrator credentials can use the following procedure to modify an authentication policy in an Application Domain. This includes changing the authentication scheme, adding or removing resources or responses, and altering the Success or Failure URLs. See Also: "About the Authentication Policy Page" on page 25-31 To view or modify an authentication policy 1. Locate the desired policy as described in "Searching for an Authentication Policy". 2. Click the desired policy name to display its configuration. 3. Edit Policy Elements (Table 25–9): 4. Resource: Click the Resources tab and: ■ Add: Click the Add button on the Resources table, click a URL in the list, click Apply. 25-34 Administrator's Guide for Oracle Access Management Defining Authorization Policies for Specific Resources ■ Delete: Click a URL in the Resources table, click the Delete button on the table. 5. Click Apply to submit changes and close the Confirmation window (or close the page without applying changes) 6. Responses: View or edit responses as described in "Adding and Managing Policy Responses for SSO" on page 25-75. 7. Close the page when you finish. 25.6.5 Deleting an Authentication Policy Users with valid Administrator credentials can use the following procedure to delete an authentication policy from an Application Domain. When you remove the policy, all resource definitions remain within the Application Domain. However, the policy and all responses are eliminated. During a Delete operation, you are alerted to confirm removal of the policy. Confirmation is required to complete the operation. Note: The following procedure describes how to delete the entire policy. To simply alter an element in the policy, see "Viewing or Editing an Authentication Policy". See Also: "About the Authentication Policy Page" on page 25-31 To delete an authentication policy 1. Locate the desired policy as described in "Searching for an Authentication Policy". 2. Click the desired policy name to display and confirm this configuration. 3. Ensure that resources governed by this policy are added to a different policy. 4. Delete all responses, as described in "Adding and Managing Policy Responses for SSO" on page 25-75. 5. On the Authentication Policies tab, click the Serial Number beside the policy, then click the Delete button in the tool bar. 6. In the Confirmation window, click Delete to confirm (or click Cancel to dismiss the window). 25.7 Defining Authorization Policies for Specific Resources Each resource assigned to an Application Domain can be protected by only one authorization policy. In an automatically generated Application Domain, the following authorization policies are seeded as defaults: ■ Protected Resource ■ Public Resource See Also: "Understanding Application Domain and Policy Management" on page 25-4 After adding resource definitions to the Application Domain, Administrators can begin refining a default authorization policy, adding a new policy, and adding resources to authorization policies. This section provides the following topics: Managing Policies to Protect Resources and Enable SSO 25-35 Defining Authorization Policies for Specific Resources ■ About Authorization Policies for Specific Resources ■ Creating an Authorization Policy and Specific Resources ■ Searching for an Authorization Policy ■ Viewing or Editing an Authorization Policy and Resources ■ Deleting an Entire Authorization Policy 25.7.1 About Authorization Policies for Specific Resources Administrators can create an authorization policy to protect access to one or more resources based on attributes of an authenticated user or the environment. The authorization policy provides the sole authorization protection for resources included in the policy. Authorization policies are local, which means that each policy applies only to the resources specified for the policy. A policy cannot be derived or applied to any other resource. A single policy can be defined to protect one or more resources in the Application Domain. However, each resource can be protected by only one authorization policy. Figure 25–15 shows the Authorization Policy page within an Application Domain. The resources assigned to this policy are displayed on the Resources tab of the policy. Figure 25–15 Sample Individual Authorization Policy Page Table 25–10 describes authorization policy elements. The elements are the same regardless of the domain; only the details will differ. Table 25–10 Authorization Policy Elements and Descriptions Element Description Name A unique name used as an identifier in the navigation tree. Description Optional unique text that describes this authorization policy. Success URL The redirect URL to be used upon successful authorization. Failure URL The redirect URL to be used if authorization fails. Summary General information (usually Name and optional Description). Resources One or more previously-defined resource URLs to be protected by this authorization policy. Conditions See Also "Introduction to Authorization Policy Rules and Conditions" on page 25-40. 25-36 Administrator's Guide for Oracle Access Management Defining Authorization Policies for Specific Resources Table 25–10 (Cont.) Authorization Policy Elements and Descriptions Element Description Rules See Also "Introduction to Authorization Policy Rules and Conditions" on page 25-40. Responses See Also "Introduction to Policy Responses for SSO" on page 25-68. 25.7.2 Creating an Authorization Policy and Specific Resources Users with valid Administrator credentials can use the following procedure to add an authorization policy to an Application Domain. Prerequisites Any resource to be added to a policy must be defined within the same Application Domain as the policy. See Also: "About Authorization Policies for Specific Resources" on page 25-36 To create an authorization policy and resources 1. Locate the desired domain as described in "Searching for an Existing Application Domain". 2. Click the Authorization Policies tab, then click the Create button to open a fresh page. 3. Summary Tab: Add your information to the Summary tab (Table 25–10). 4. Add Resources: The Resource must be defined in the Application Domain before you can add the resource to a specific policy. ■ Click the Resources tab on the Authorization Policy page. ■ Click the Add button on the Resources tab. ■ Click the Search button. ■ Click a URL in the Results table, then click Add Selected. ■ Repeat these steps to add more resources. 5. Click Apply to save changes and close the Confirmation window. 6. Responses: Add policy Responses as described in "Adding and Managing Policy Responses for SSO" on page 25-75. 7. Conditions: Add authorization conditions, as described in "Defining Authorization Policy Conditions" on page 25-43. 8. Rules: Add authorization rules, as described in "Defining Authorization Policy Rules" on page 25-43. 9. Close the page when you finish. 25.7.3 Searching for an Authorization Policy Users with valid Administrator credentials can use the following procedure to locate a specific authorization policy. Managing Policies to Protect Resources and Enable SSO 25-37 Defining Authorization Policies for Specific Resources To search for an authorization policy 1. Locate the desired domain as described in "Searching for an Existing Application Domain". 2. Click the Authorization Policies tab and: ■ Edit: See "Viewing or Editing an Authorization Policy and Resources". ■ Delete: "Deleting an Entire Authorization Policy". ■ Detach Table: Click Detach in the tool bar to expand the table to a full page. ■ View Menu: Select a menu item to alter the appearance of the results table. 25.7.4 Viewing or Editing an Authorization Policy and Resources Users with valid Administrator credentials can use the following procedure to view or modify an authorization policy within an Application Domain. See Also: "About Authorization Policies for Specific Resources" on page 25-36 To view or edit an authorization policy 1. Locate the desired domain as described in "Searching for an Authorization Policy". 2. Summary: Edit as needed (Table 25–10): 3. Resource: Click the Resources tab and add or delete resources as needed: ■ ■ Add: Click the Add button on the Resources table, click a URL in the list, click Apply. Delete: Click a URL in the Resources table, click the Delete button on the table then confirm. 4. Click Apply to submit changes and close the Confirmation window (or close the page without applying changes). 5. Conditions: See "Viewing, Editing, or Deleting Authorization Policy Conditions" on page 25-59. 6. Rules: See "Defining Authorization Policy Rules" on page 25-43. 7. Responses: See "Viewing, Editing, or Deleting a Policy Response for SSO" on page 25-76. 8. Close the page when you finish. 25.7.5 Deleting an Entire Authorization Policy Users with valid Administrator credentials can use the following procedure to delete an authorization policy or simply delete resources within the policy. During a Delete operation, you are alerted to confirm removal of the policy. Confirmation is required to complete the operation. Note: When you remove the entire policy, all resource definitions remain within the Application Domain. However, the authorization policy and the conditions and rules governing access are eliminated. 25-38 Administrator's Guide for Oracle Access Management Configuring Success and Failure URLs for Authorization Policies To simply alter an element in the policy see "Viewing or Editing an Authentication Policy". See Also: "About Authorization Policies for Specific Resources" on page 25-36 Prerequisites Assign resources governed by this policy to another authorization policy, either before or after deleting the policy. To delete an authorization policy 1. Locate the desired domain as described in "Searching for an Authorization Policy". 2. Optional: Double-click the policy name to review its content, and then close the page when finished. 3. Delete: Click the policy name, and then click the Delete button in the tool bar. 4. In the Confirmation window, click Delete (or click Cancel to dismiss the window). 5. Confirm that the policy is no longer listed in the navigation tree. 25.8 Configuring Success and Failure URLs for Authorization Policies When an Authorization Success or Failure redirect URL is set, the target URL for which the end user is seeking access should be passed along as a parameter. The following information has relevance when configuring an Authorization policy Success or Failure URL. ■ The original resource location will be URL encoded and added as a value to the oam_res query parameter before redirecting to the success or failure URL. The following rules are relevant to building the oam_res value; during an authorization call, only the HostIdentifier is passed so building the URL with a fully qualified host and port is slightly more involved. Here are two examples. Using the HostIdentifier, we find the first fully qualified host:port entry and construct the URL with it. The rest of the entries are then added as query parameters to the resource URL. For example: HostList = [Host hostName:="adc00oyf.us.example.com", port=7777", Host hostName:="11gAgent", port=null", Host hostName:="adc00oyf.us.example.com", port=80"] , HostIdentifier = 11gAgent The resource URL built will be: HTTP://adc00oyf.us.example.com:7777/index.html?Host1=adc00oyf.us.example.com:80 In this second example: HostList =[Host hostName:="adc00oyf.us.example.com", port=7777", Host hostName:="11gAgent", port=null] , HostIdentifier = 11gAgent The resource URL built will be: HTTP://adc00oyf.us.example.com:7777/index.html ■ To send a Hashed value of the resource URL for security reasons, run the displayAuthZCallBackKey() WLST command. This will return a Base64 encoded Managing Policies to Protect Resources and Enable SSO 25-39 Introduction to Authorization Policy Rules and Conditions string value of the AES 128 key which is generated. This key can be used by the OAM server and the receiving app. It is stored in the oam-config.xml. The entry in oam-config.xml is found under /DeployedComponent/Server/NGAMServer/Profile. 1E8461DFA32AD746AF28BAAAA9F327327941C14CAC216DCFA9AC17985E09 7A0DD603EC1DF5C6D9F5C904ED44952A5D5F true Note: The Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for Identity and Access Management provides details on the displayAuthZCallBackKey() WLST command. ■ If WLST in step 2 is enabled, we also send a hashed value of the original resource URL as a value of the oam_res_hash query parameter. For example: http://adc00oyf.us.example.com:7001/SampleLoginWAR/pages/MFALogin.jsp? oam_res=HTTP%3A%2F%2Fadc00oyf.us.example.com%3A0%2Findex.html%3FHost1 %3D11gAgent%3Anull&oam_res_hash=45438D536865B256681D328AA1BFD47D5D4D0039 25.9 Introduction to Authorization Policy Rules and Conditions In Access Manager 11g, each Authorization policy includes a rule that defines whether the policy allows or denies access to resources protected by the policy. The rule references conditions that define the user or population to be granted or denied access and other considerations for authorization. Authorization rules and conditions apply to all resources within a specific authorization policy. Evaluation of conditions and rules determines if the authorization policy applies to the incoming request. The appropriate obligations take affect after successful authentication and work in concert with defined authorization rules, conditions, and responses. For each incoming request, the authorization policy determines if there are any conditions that apply. If so, these conditions are evaluated. This section provides the following topics: ■ About Allow or Deny Rules ■ About Authorization Policy Conditions ■ About Classifying Users and Groups for Conditions ■ Guidelines for Authorization Responses Based on Conditions 25.9.1 About Allow or Deny Rules In an authorization policy, a Rule contains all (or a subset) of conditions defined for the policy. The effect of the Rule determines the effect of the policy. You can set one or more rule effects (outcomes) per policy. However, you can specify only one Rule per outcome. The following outcomes can be applied to authorization and token issuance policies: 25-40 Administrator's Guide for Oracle Access Management Introduction to Authorization Policy Rules and Conditions ■ ■ Allow authorized users access to a protected resource. If Allow conditions do not apply to a user, the user is not qualified by the policy and, by default, the user is denied access to the requested resource. Deny authorized users access to a protected resource. You can develop simple rules that rely on a single condition, or use expressions to define more complex rules based on multiple conditions. For more information, see "About Expressions and Expression-Based Policy Evaluation" on page 25-63. 25.9.2 About Authorization Policy Conditions A condition is an element that specifies one or more criteria to be satisfied by the access request. In structure, conditions are similar to constraints (in 11.1.1.3 and 11.1.1.5). However, earlier constraints included Allow and Deny rules that are now specified independently on the Rules tab. Each authorization policy can contain one or more conditions. Using different condition types, you can: ■ ■ Identify the users or groups of users who are either allowed or denied access (based on the rule) to protected resources. Stipulate the range of IP addresses who are either allowed or denied access to protected resources. If the user's IP address falls outside the range of denied addresses, this by itself is not enough for authorization to be successful. For authorization to be successful, the user must specifically be granted access based on an Allow rule. Note: ■ ■ Set a time period defining when the condition applies. Specify attributes that enforces evaluation of request context, user session state, and user attributes The Conditions tab provides a table of defined conditions, organized by name, and a table of details for the selected condition, as shown in Figure 25–16. Managing Policies to Protect Resources and Enable SSO 25-41 Introduction to Authorization Policy Rules and Conditions Figure 25–16 Individual Authorization Policy Conditions Tab Table 25–11 describes elements and controls on the Conditions tab. Table 25–11 Authorization Policy Condition Tab Element Description Conditions Table Elements Lists all conditions defined for this policy. Name A unique name used as an identifier for the condition. Type The kind of condition you want to use. Only one Type can be specified: ■ Identity ■ IP4 Range ■ Temporal ■ Attribute ■ True (see Table 21–5) Description Optional unique text that describes this condition. Condition Details Section Depending on the Type of the selected condition, the information in this table will differ. For details, see: ■ "About Identity Conditions" on page 25-46 ■ "About IP4 Range Condition Types" on page 25-52 ■ "About Temporal Conditions" on page 25-54 ■ "About Attribute Conditions" on page 25-56 25.9.3 About Classifying Users and Groups for Conditions Oracle recommends that you consider the same information for the policies and conditions when analyzing users and groups to determine who is explicitly allowed or denied access. For example, one authorization policy might be constrained to a particular time of day (Temporal Type) while another might be constrained to a specific group of users (Identity Type). 25-42 Administrator's Guide for Oracle Access Management Defining Authorization Policy Conditions Do not be concerned about users who are denied access under any conditions. Users are denied access by default if none of the conditions qualify them for access. Note: When classifying users Oracle recommends that you divide the users, and groups of users, into groups for whom different conditions apply. For example, conditions can determine when the users can access the resources, the computers from which they must make their requests, and so on. If some users fall into multiple categories, for example, a user in the marketing group belongs to a certain project group, or a user in the human resources group also belongs to the project group, put the user in both categories. You can require that the user meet the conditions of two conditions. To create policies for subsets of resources in an Application Domain and protect them with different authorization rules and conditions, consider the same information: who can access the resources protected by this policy and under what conditions you want explicitly to allow or deny access to the resources. 25.9.4 Guidelines for Authorization Responses Based on Conditions For each condition type, consider the response actions that you want to occur for authorized users. For example, you might want the system to return user profile information and pass that information to a downstream application. For example: ■ ■ If the user is authorized, you might want to pass the user's common name (cn) to another application so that the application can present a customized greeting to the user. If the user is not authorized, you might also want to return information about the user for security purposes. 25.10 Defining Authorization Policy Conditions You use conditions in an authorization policy to: ■ Identify the users by user name, role, or an LDAP filter whose criteria the user must satisfy. ■ Stipulate the computers where users can access resources. ■ Set a time period when the rule applies. ■ Specify attributes that enforces evaluation of request context, user session state, and user attributes The mechanism to add a condition is the same regardless of the type you choose. A dialog box pops up where you define the name and type to create the condition container. Afterward you are presented with controls to define the specifics of the condition. This section is divided as follows: ■ Choosing a Condition Type ■ Defining Identity Conditions ■ Defining IP4 Range Conditions ■ Defining Temporal Conditions Managing Policies to Protect Resources and Enable SSO 25-43 Defining Authorization Policy Conditions ■ Defining Attribute Conditions ■ Viewing, Editing, or Deleting Authorization Policy Conditions 25.10.1 Choosing a Condition Type This section provides the following topics: ■ About Choosing a Condition Type ■ Choosing a Condition Type 25.10.1.1 About Choosing a Condition Type You can have more than one instance of a given type of condition within a policy. When an Administrator adds a condition to an authorization policy, a window (Figure 25–17) appears where you enter capture the Name, Type, and optional Description. When submitted, this information is used to create a container for condition details that must be also specified. Figure 25–17 Add Condition Window Table 25–12 describes the Add Condition elements. Table 25–12 Add Condition Window Elements Element Description Name A unique name for this condition. Type Description Only one Type can be specified: ■ Identity (See "About Identity Conditions" on page 25-46) ■ IP4 Range (See "About IP4 Range Condition Types" on page 25-52) ■ Temporal (See "About Temporal Conditions" on page 25-54) ■ Attribute (See "About Attribute Conditions" on page 25-56) Optional. After the container is added it is displayed on the Condition tab as shown in Figure 25–18. The Name, Type, and Description are displayed in the Results table at the top of the tab. The lower panel contains the details of the condition 25-44 Administrator's Guide for Oracle Access Management Defining Authorization Policy Conditions Figure 25–18 Condition Containers on the Authorization Policy Page See Also: "Defining Authorization Policy Conditions" for information and procedures 25.10.1.2 Choosing a Condition Type Users with valid Administrator credentials can use the following procedure to choose a condition class for the authorization policy. You can have more than one instance of a given class of condition in a policy. Note: Prerequisites The Application Domain must exist. See Also: "About Choosing a Condition Type" on page 25-44 To choose a condition class 1. Locate the desired policy as described in "Searching for an Authorization Policy". 2. Click the policy name to open its configuration. 3. On the individual policy page, click the Conditions tab. 4. Click the Add (+) button and (Table 25–12): 5. ■ Name: Enter a unique name. ■ Type list, choose the kind of condition (Identity, for example). ■ Click the Add Selected button. Proceed to one of the following topics to complete your definition: ■ Defining Identity Conditions ■ Defining IP4 Range Conditions ■ Defining Temporal Conditions ■ Defining Attribute Conditions 25.10.2 Defining Identity Conditions This section provides all information about Identity Conditions in the following topics: ■ About Identity Conditions ■ Specifying Identity Type Conditions Managing Policies to Protect Resources and Enable SSO 25-45 Defining Authorization Policy Conditions 25.10.2.1 About Identity Conditions When defining an Identity Condition, you must add one or more members of a user population from one or more User Identity Stores. You can add the user population as a list of users or groups. Alternatively, you can add LDAP search filters to be used at runtime to identify the user population. LDAP search filters provide a simple way to specify a target identity population without having to reorganize or create new groups in the identity store (directory server). For details see: ■ About Identity Conditions and User Populations ■ About LDAP Search Filter Support in Identity Conditions ■ About LDAP Search Filter Syntax 25.10.2.1.1 About Identity Conditions and User Populations After opening the condition container, any defined user population is displayed. As with the other condition types, the Identity type can be used in conjunction with identity and temporal conditions. When adding an identity condition, you open the popup menu beside the Add (+) button (labeled 1 in Figure 25–19), choose to Add Users and Groups or Add Search Filter (2). Figure 25–19 shows the popup menu and the Add Identities window that appears (3). After locating the desired identities, select the desired Identities and click Add Selected (4). Figure 25–19 Add Identities Window Table 25–13 describes the Add Identities elements. 25-46 Administrator's Guide for Oracle Access Management Defining Authorization Policy Conditions Table 25–13 Add identities Elements Element Description Store Name Select the desired LDAP store for this search from the list of registered LDAP stores. Entity type Choose either Users, Groups, or All to define your search criteria. Entity Name Enter information to further refine your search criteria. Search Click this button when your search criteria are defined. Results table Displays the results of your search. Add Selected Click to add the selected users or groups from the results table to the Condition's Details. After selecting one or more identities and clicking the Add Selected button, your Conditions tab might look something like Figure 25–20. Figure 25–20 Identity Condition and Details To save these details as a condition, click the Save button in the upper-right corner of the tab. 25.10.2.1.2 About LDAP Search Filter Support in Identity Conditions Access Manager 11g authorization conditions accept a list of users, groups, and LDAP search filters as part of allowed or denied identities. An LDAP filter is a text string that expresses specific criteria for the search operation. LDAP search filters provide a simple way to specify a target population without reorganizing or creating new groups in the identity store (directory server). Access Manager 11g accepts LDAP search filter data for the following conditions and resource types: ■ Identity Conditions ■ Token Requestor Identity Conditions ■ All resource types (HTTP, TokenServiceRP, and other custom resource types) When a user tries to access a resource protected by a condition containing an LDAP search filter, Access Manager performs a directory lookup (LDAP search) on the identity domain (identity store) specified as a part of the filter. Search results are cached to avoid repeated directory server lookups. If you choose Add Search Filter ..., the controls shown in Figure 25–21 appear. You can add more than one LDAP Search Filter in an authorization rule for evaluation at runtime. The field where you enter your LDAP search filter is used to identify allowed/denied users. Managing Policies to Protect Resources and Enable SSO 25-47 Defining Authorization Policy Conditions Figure 25–21 Add Search Filter Controls Table 25–14 describes elements associated with adding a Search Filter. Table 25–14 Add Search Filter Elements Element Description Domain The Identity Domain (registered user identity store) in which the search should be conducted during runtime. Each filter must be associated with a specific user identity store. With Access Manager 11g, a directory lookup (LDAP Search) is performed only on the specified identity domain (identity store). Search Filter The field where you enter your LDAP search filter. For example: ((|dept=sales)(dept=support)) See Also: "About LDAP Search Filter Syntax" on page 25-49 Test Filter This button enables you to test your LDAP Search Filter to ensure it returns the expected result. Test Results The results of your filter test are displayed with your own designations for: Add Filter ■ Type: LDAPSearchFilter ■ Identifier: Your LDAP Search Filter Click to Add the filter to this identity condition. 25-48 Administrator's Guide for Oracle Access Management Defining Authorization Policy Conditions Table 25–14 (Cont.) Add Search Filter Elements Element Description Cancel Click to dismiss the Add Search Filter dialog without adding a filter. Figure 25–22 shows the Identity Conditions: Details page, displayed after adding an LDAP Search Filter. Figure 25–22 Identity Conditions: Details See Also: ■ "About LDAP Search Filter Syntax" on page 25-49 ■ "Defining Identity Conditions" on page 25-45 25.10.2.1.3 About LDAP Search Filter Syntax Only standard LDAP attributes can be used when defining an LDAP search filter. Exact syntax depends on your identity store; see your vendor documentation. Table 25–15 illustrates LDAP Search Filter examples for Access Manager. Table 25–15 LDAP Search Filter Examples for Access Manager Filter Type and Operators Static LDAP Search Filters Description Syntax Example When you implement a static search filter, all search results must match a fixed value. For example, you can restrict a search to return only people whose directory profiles show an organizational unit of Sales. (attribute=value) As an example of a simple static filter, suppose you want to provide Selector searches for the seeAlso attribute. The filter returns search results that show only people whose directory profiles contain a businessCategory value of dealership. (businessCategory=dealership) For example: Static Searches Using Wild Cards As an example of a static filter that uses wild cards, suppose (attribute=*value*) you want only people with the word Manager in their title to be returned on a search using the Selector. You can create a filter that searches for the string Manager with the asterisk For example: (*) wildcard. (title=*manager*) Dynamic LDAP Search Filters A dynamic filter allows a search to return results that are based on a user profile. A dynamic filter is a conventional LDAP search filter with filter substitution syntax. (attribute=$attribute$) Managing Policies to Protect Resources and Enable SSO 25-49 Defining Authorization Policy Conditions Table 25–15 (Cont.) LDAP Search Filter Examples for Access Manager Filter Type and Operators Substitution syntax Description Syntax Example Substitution syntax is evaluated dynamically, according to the person executing a task. For instance, you can enter substitution syntax where the attribute value for the source DN (the person logged into the application) is substituted and evaluated against the target DN (the entry you are trying to view). (attribute=$attribute$) Note: Setting a searchbase can present significant administrative overhead. A filter-based approach accomplished by substitution syntax can provide the same functionality in a more scalable and simplified design. For example: The following filter finds all those in the same organizational unit as the person logged in to the application: (ou=$ou$) Using substitution syntax, you can create a function that starts searches higher in the directory structure, but filters the search data by comparing an attribute of information from the search initiator's record (for example, using the substitution $ou$) to an attribute of data on each possible result (for example, ou=). You can use substitution syntax for attribute access control and searchbases. For example, by placing a filter on the type attribute Login for inetOrgPerson, the ability of a user to view any records outside their scope is removed. Note: For the selected searchbase, users can search only for entries from the same ou as their own. This applies only to the attribute on the person's record, not the ou of the branch of the directory in which they reside. Additionally, users from ou=people can search for entries within the selected searchbase. Dynamic Searches Using Wild Cards Searches Using the Not Operator: (!) Wildcards are supported in a dynamic filter. For example, suppose you want to supply a contactPerson attribute in an organizationalUnit object. The contactPerson attribute should return people in same Zip code as the organizationalUnit object. If the organizationalUnit profile contains an attribute zipCode, and the Zip code is specified at the end of a postalAddress directory attribute. The Not operator is supported when constructing a filter. The optimized algorithm causes the filter (!(sn=white)) to not give the expected result. See Also: (attribute=*$attribute$) For example: (postalAddress=*$zipCode$) ((!(sn=white))(objectclass=personO C)) "Specifying Identity Type Conditions" on page 25-50 During migration to Access Manager 11g (from 10g), each LDAP Rule maps to corresponding 11g identity domains (user identity stores) based on Oracle Access Manager 10g directory profiles. Access Manager 11g identity domains (user identity stores) must be associated with each LDAP search filter. See Also: Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management 25.10.2.2 Specifying Identity Type Conditions Users with valid Administrator credentials can use the following procedure to add identity type conditions to an Application Domain. You must save each condition definition individually, before adding or selecting another condition. Note: 25-50 Administrator's Guide for Oracle Access Management Defining Authorization Policy Conditions Prerequisites The Application Domain must exist. See Also: ■ ■ "About Identity Conditions" on page 25-46 "About LDAP Search Filter Support in Identity Conditions" on page 25-47 To add identity conditions to an authorization policy 1. Locate the desired policy as described in "Searching for an Authorization Policy". 2. Click the Conditions tab, click the Add (+) button. 3. Enter a Name, select Identity from the Type list (or Token Requestor Identity) and click Add Selected. 4. Add Users/Groups: ■ In the Condition Details section click the Add (+) button. ■ Choose Add Users and Groups from the list. ■ Store Name: Choose the desired name from the list of registered LDAP stores. ■ 5. Enter criteria (Identity Type and Identity Name) for the population you want to find, and click the Search button. ■ Select desired results. ■ Click Add Selected. ■ Repeat to add another User or Group condition. Add Search Filter: ■ In the Condition Details section click the Add (+) button. ■ Domain Name: Choose the desired user identity store for this filter. ■ Search Filter: Enter your search filter syntax (Table 25–14). ■ Test: Click the Test Filter button and review the results table. ■ Click the Add Selected button. ■ Repeat to add another LDAP Search Filter condition. 6. Click Apply and then close the Confirmation window. 7. Close the page when you finish. 8. Verify the Conditions by logging in as different users and test access to the resource. 25.10.3 Defining IP4 Range Conditions This section provides the following information: ■ About IP4 Range Condition Types ■ Defining IP4 Range Conditions Managing Policies to Protect Resources and Enable SSO 25-51 Defining Authorization Policy Conditions 25.10.3.1 About IP4 Range Condition Types With the IP4 Range condition type, Administrators can specify a list of IP address ranges that will either be allowed or denied access. Like the other authorization conditions, IP4 Range condition types can be used in conjunction with identity and temporal conditions. Explicit Addresses: Each IP address you specify must be an explicit, valid address (format nnn.nnn.nnn.nnn): 192.2.2.2, for example. Note: Oracle Access Manager 10g accepts a wildcard as the last entry (192.2.2.* or 192.2.*, for example). IP4 Ranges with no wildcards can be easily ported to 11g by creating a Condition containing multiple IP4 Range values. However, 10g IP4 Ranges with wildcards are expanded by upgrade tooling into multiple ranges relevant to the wildcard. IP4 Range: You define a range by entering From (start) and To (end-range) address values. Each IP address you specify must be an explicit, valid address (format nnn.nnn.nnn.nnn): 192.2.2.2, for example. The address specified in the To field should be greater than the address specified in the From field. During authorization, Access Manager checks to ensure that the client IP address falls between the From (start)) and To (end-range) addresses specified. If multiple overlapping ranges are specified, and the client's IP address falls within even one of the ranges, the condition evaluates to "true" and allows (or denies) access based on the condition that was set for the condition. If multiple overlapping ranges are specified, and the client's IP address falls within any one of the ranges, the condition evaluates to "true" and allows (or denies) access based on the condition. If the From IP address is greater than the To address, the condition cannot match any client IP address. Note: Figure 25–23 illustrates the IP4 Range Conditions table with a sample starting and ending IP4 Range. If you enter an invalid range, you are notified and unable to save it. 25-52 Administrator's Guide for Oracle Access Management Defining Authorization Policy Conditions Figure 25–23 IP4 Range Conditions 25.10.3.2 Defining IP4 Range Conditions Users with valid Administrator credentials can use the following procedure to add IP4 Range type conditions to an Application Domain. You must save each condition definition individually, before adding or selecting another condition. If the user's IP address falls outside the range of denied addresses, this by itself is not enough for authorization to be successful. For authorization to be successful, the user must specifically be granted access based on an Allow rule. Note: Prerequisites The Application Domain must exist. See Also: "About IP4 Range Condition Types" on page 25-52 To add IP4 Range type conditions to an authorization policy 1. Locate the desired policy as described in "Searching for an Authorization Policy". 2. Click the Conditions tab, click the Add (+) button. 3. Enter a Name, select IP Range from the Type list, enter an optional Description, and click Add Selected. 4. Add the desired IP address range (Table 25–23): ■ In the Details panel, click the Add (+) button to display the Add IP Range dialog. ■ From: Enter the start of the range. ■ To: Enter the end of the range. ■ Click the Add button to include this range in the Condition Details section. Managing Policies to Protect Resources and Enable SSO 25-53 Defining Authorization Policy Conditions ■ Repeat these steps to add another range. 5. Click Apply and then close the Confirmation window. 6. Verify your IP4 Range Conditions by logging from different clients with different IP addresses to test access to the protected resource. 25.10.4 Defining Temporal Conditions This section provides the following topics: ■ About Temporal Conditions ■ Defining Temporal Conditions 25.10.4.1 About Temporal Conditions With the Temporal condition type, Administrators must add the start and end time and the range of days. Like the other conditions, this one can be used in conjunction with identity and IP4 Range conditions. By default, all days in the range are enabled (though none are checked in the form as shown in Figure 25–24. Figure 25–24 Temporal Condition Type Details Page Time periods must be specified in the HH:MM:SS (hour, minute, and second) format based on a 24-hour clock based on Greenwich Mean Time (GMT). Midnight is specified as 00:00:00 (start). The day ends at 24:59:59. 25-54 Administrator's Guide for Oracle Access Management Defining Authorization Policy Conditions Table 25–16 Temporal Condition Details Elements Description Start Time Specifies the hour, minute, and second that this condition begins. Notes: Time is specified using a full 24-hour range. For instance, midnight is specified as 00:00:00 and 11:00 PM is specified as 23:00:00. Notes: Time is based on Greenwich Mean Time (GMT). GMT is the same all year with no adjustments for daylight savings time or summer time. End Time Specifies the hour, minute, and second that this condition concludes. Days Specifies the days where this policy is active. Default: All Days (even though these are not checked). Save the details before closing this page. See Also: "Defining Temporal Conditions" 25.10.4.2 Defining Temporal Conditions Users with valid Administrator credentials can use the following procedure to add temporal type conditions to an Application Domain. You must save each condition definition individually, before adding or selecting another condition. Note: Prerequisites The Application Domain must exist. See Also: "About Temporal Conditions" on page 25-54 To add temporal conditions to an authorization policy 1. Locate the desired policy as described in "Searching for an Authorization Policy". 2. Click the Conditions tab, click the Add (+) button. 3. Enter a Name, select Temporal from the Type list, enter an optional Description, and click Add Selected. 4. In the Details panel (Table 25–16): Click the condition name in the table to open the details panel: ■ Enter the Start time. ■ Enter the End time. ■ ■ Click the days of the week to which this condition applies (or leave all blank to specify every day of the week). Click Save. 5. Click Apply and then close the Confirmation window. 6. Verify the Temporal Conditions by logging in at different times to validate access to the protected resource. 25.10.5 Defining Attribute Conditions This section provides the following topics: ■ About Attribute Conditions Managing Policies to Protect Resources and Enable SSO 25-55 Defining Authorization Policy Conditions ■ Defining Attribute Type Conditions 25.10.5.1 About Attribute Conditions An attribute-type condition enforces the evaluation of request context, user session state and user attributes for Allow or Deny access pertaining to all resource types and authorization policies in the Application Domain. With an attribute-type condition defined, access is based on a list of name-value pairs scoped by the: ■ ■ ■ Request context: Information on the requested resource, the client making the request, and the policy that was matched during evaluation. Session: User Session details (pre-defined session attributes or a reference to an arbitrary session attribute) when the user has an established session. User: User attribute information (reference to a LDAP attribute). This condition is used to define a condition on a reference to a user's arbitrary LDAP attribute only. However, conditions based on userID or groupID are defined using Identity Conditions. Attribute type conditions are required when access is based on one of the situations described in Table 25–17. Table 25–17 Access Conditions that Require Attribute-Type Conditions When Access is based on ... Description Session attribute A user is authorized to access the resource if the session attribute "Authentication level" is xx and Session Attribute "s1" = "v1" and Session Start Time = "xxxx". See: Table 25–20, " Attribute Names for Session Built-ins" Requested resource hostname and port number See: Table 25–19, " Attribute Names for Request Built-ins" User details A user is authorized to access the resource if its "Empno" = "xxxx" (department=sales, for example) See: Table 25–21, " Attribute Condition Data (Aggregation of Conditions)" Token Issuance based on a session attribute The Requester Partner can issue a token to the Relying Party if the claim contains an attribute "SessionActiveTime" = "15000". You define claims-based conditions of the Token Issuance policy based on the assertions created using session data. An Administrator defining attribute type conditions enters data into fields for built-in attributes and known attributes. The attribute name can be entered in a text field or selected from a list of values. The condition to be executed is constructed using "AND" or "OR" conjunctions on the condition. Figure 25–25 illustrates the Attribute Conditions page. 25-56 Administrator's Guide for Oracle Access Management Defining Authorization Policy Conditions Figure 25–25 Attribute Conditions Page Figure 25–26 shows the Add Attribute Condition dialog box. Each attribute condition is defined by the fields described in Table 25–18. See Also: "Defining Attribute Conditions" Figure 25–26 Add Attribute Condition Dialog Table 25–18 Attribute Condition Elements Condition Description Namespace Supported namespaces: ■ Request Built-ins ■ Session Built-ins ■ Session (User Session) ■ User (User Attributes) Managing Policies to Protect Resources and Enable SSO 25-57 Defining Authorization Policy Conditions Table 25–18 (Cont.) Attribute Condition Elements Condition Description Name Attribute name, which can be added as follows, depending on the: ■ ■ Operator Selected from a list if the Namespace is Request (Table 25–19) or Session (Table 25–20) Entered manually into a text field if the Namespace is User Allowed operators: Value ■ STARTS WITH ■ EQUALS ■ CONTAINS ■ ENDS WITH Literal value with no special wildcard characters. Request Built-ins Table 25–19 identifies the list of built-in attribute names for Request Built-ins: Table 25–19 Attribute Names for Request Built-ins Attribute Name Description agent_id Name of the requesting agent. client_ip IP address of the user browser. Policy_appdomain Name of the Application Domain holding the policy matched for the request. Policy_res Resource host ID and URL pattern matched for the request. policy_name Name of the specific policy matched for the request. res_host Requested resource's hostname. res_port Requested resource's port number. res_type Requested resource's type. res_url Requested resource URL. Session Built-ins Table 25–20 identifies the list of attribute names for Session-based attribute-type conditions. Table 25–20 Attribute Names for Session Built-ins Attribute Name Description Authentication Level Current authentication level for the session. Authentication Scheme Name of the authentication scheme executed to achieve the current authentication level. Session Count Session count for the user bound to this session. Session Creation Time Session creation time. Session Expiry Time Session expiration time. Example: Attribute Condition Data (Aggregation of Conditions) Table 25–21 illustrates sample condition data for each allowable namespace. 25-58 Administrator's Guide for Oracle Access Management Defining Authorization Policy Conditions Table 25–21 Attribute Condition Data (Aggregation of Conditions) Namespace Name Operator Value Request-Builtins Res_host Equals 7777 Session-Builtins Authn_level Equals 2 Session Sessionattr1 Contains Foo User department Equals sales 25.10.5.2 Defining Attribute Type Conditions Users with valid Administrator credentials can use the following procedure to add attribute type conditions to an Application Domain. You must save each condition definition individually, before adding or selecting another condition. Note: Prerequisites The Application Domain must exist. See Also: "About Attribute Conditions" on page 25-54 To add attribute type conditions to an authorization policy 1. Locate the desired policy as described in "Searching for an Authorization Policy". 2. Click the Conditions tab, click the Add (+) button. 3. Enter a Name, select Attribute from the Type list, enter an optional Description, and click Add Selected. 4. Add Details for Attribute Condition: Click the name of the condition to expand the details panel, and: ■ Match: Click either All or Any. ■ Namespace: Select from the list (Table 25–18). ■ Name: Select from the list or enter manually (Table 25–19 or Table 25–20). ■ Operator: Select from the list (Table 25–18). ■ Value: Enter manually (Table 25–21). ■ Click Save. ■ Repeat as needed. 5. Click Apply and then close the Confirmation window. 6. Verify the Attribute Conditions by logging in with different scenarios. 25.10.6 Viewing, Editing, or Deleting Authorization Policy Conditions Users with valid Administrator credentials can use the following procedure to add identity type conditions to an Application Domain. Prerequisites The Application Domain and authorization policy exist. Managing Policies to Protect Resources and Enable SSO 25-59 Defining Authorization Policy Rules See Also: "Introduction to Authorization Policy Rules and Conditions" on page 25-40 To view, edit, or delete authorization policy conditions 1. Locate the desired policy as described in "Searching for an Authorization Policy". 2. Click the Conditions tab. 3. Edit Condition Details: Click the desired condition, click the Edit button to display the Details panel. Depending on the condition type, perhaps only the Description can be edited. ■ "Defining Identity Conditions" on page 25-45 ■ "Defining IP4 Range Conditions" on page 25-51 ■ "Defining Temporal Conditions" on page 25-54 ■ "Defining Attribute Conditions" on page 25-55 ■ True: Click the name, click the Edit button; only the Description can be edited. 4. Delete Conditions: Click the condition to remove and click the Delete button on the Condition tab. 5. Click Apply and then close the Confirmation window. 6. Close the page when you finish. 7. Verify the Conditions by accessing the resource and evaluating the results. 25.11 Defining Authorization Policy Rules When Allow access rules, Deny access rules, or both are specified and do not apply to a user, the user is not qualified by the rule, and is denied access to the requested resource by default. To specify who is allowed or denied access to the resource, the rule can do the following: ■ Identify the users by user name, role, or an LDAP filter whose criteria the user must satisfy. ■ Stipulate the computers where users can access resources. ■ Set a time period when the rule applies. This section provides the following topics: ■ About Defining Rules in an Authorization Policy ■ About Expressions and Expression-Based Policy Evaluation ■ Defining Rules in an Authorization Policy 25.11.1 About Defining Rules in an Authorization Policy Rules are new constructs in the Access Manager 11g policy model. A Rule specifies of how to combine condition evaluation outcomes. Each Rule also contains a rule effect (ALLOW or DENY), which determines the overall policy outcome. Authorization rules define the actions to take during evaluation of the policy, conditions, and rules as well as what to do based on the outcome. There are three possible outcomes: 25-60 Administrator's Guide for Oracle Access Management Defining Authorization Policy Rules ■ ■ ■ True (Allow access): If the user meets the Allow access condition, the user qualifies for the Allow access part of the rule. False (Deny access): If the user meets the Deny access condition, the user qualifies for the Deny access part of the rule. Inconclusive: If the user satisfies neither the Allow access nor the Deny access conditions, the rule is said to be unqualified for that user. You can also think of this as the user not qualifying for the rule. If evaluation of a rule results in an unqualified user, the user is denied access to the resource based on that rule. In some cases, a single authorization rule is all that is required to protect the resources of an Application Domain or a policy. You can configure a rule to identify who is allowed access to the resources it protects, who is denied access to them, and under what conditions these controls apply (for example, when they apply and from which computer). An authorization rule does not need to cover all users in its Allow access and Deny access conditions. Users who request access to a resource that is protected by the rule but do not qualify for any of the conditions are, by default, denied access to the resource. For other cases, it may be necessary to configure multiple authorization conditions into rules to protect resources. You can impose complex conditions on different users. For example, you can define a rule that includes several authorization conditions, one or more of which a user must meet to qualify for access to a protected resource (or to qualify for denial of access to it). For example, you might require the user to meet two conditions—such as belonging to one group and using a computer assigned a specific IP address—to be granted access to the resource. Oracle Access Management Console makes it easy for you to form expressions for an authorization rule. Conditions are declared outside of rules and are referenced within rules. Evaluation outcomes are combined in either Simple mode or Expression mode. Figure 25–27 shows the Rules tab in an authorization policy. Managing Policies to Protect Resources and Enable SSO 25-61 Defining Authorization Policy Rules Figure 25–27 Authorization Policy Rules Tab: Simple Mode Table 25–22 describes the elements and controls on the Rules tab for Simple Mode evaluations. Table 25–22 Authorization Policy Rules Elements Element Description Rule Mode The method used for evaluation of conditions and rules: ■ Simple: Accepts a list of condition names that are combined using a simple algorithm: ALLOW conditions are combined using logical AND. All Allow conditions must be met to get access. DENY conditions are combined using logical OR. Any Deny condition that is true denies access. DENY always takes precedence over ALLOW. ■ Expression: Accepts a user-specified Boolean expression to combine conditions using condition names, "(", ")", "|", "&" and "!" special characters. Combines conditions into complex policies. See Also: "About Expressions and Expression-Based Policy Evaluation" on page 25-63 ■ Allow Rule A policy in which there are one or more conditions that are not part of either Allow rule or Deny rule is treated as a valid policy. The rule that allows access based on evaluation of your rules and the Selected Conditions list. 25-62 Administrator's Guide for Oracle Access Management Defining Authorization Policy Rules Table 25–22 (Cont.) Authorization Policy Rules Elements Element Description Deny Rule The rule that denies access based on the evaluation of your rules and the Selected Conditions list. Match Criteria you choose to either match All conditions in the Selected Conditions list or Any conditions the Selected Conditions list. Available Conditions A list of all defined conditions for this authorization policy. Selected Conditions A list of the specific conditions that you build by moving items from the Available Conditions list to this list for use during the policy evaluation process. Arrow Controls Controls in the form of arrows enable you to add a condition to the Selected Conditions list (or vice versa to remove a condition from those selected). 25.11.2 About Expressions and Expression-Based Policy Evaluation When a user requests access to a resource that is protected by an authorization condition and rule, information about the user is checked against the rule. If the condition stipulates other information, such as time period or time of day the condition applies, that, too, is checked. This process is referred to as evaluation of the rule. An authorization expression consists of a single rule or a group of rules combined to express more complex conditions. For example, you can create an expression that requires a user to meet the Allow access conditions of two rules to be granted access to the resource. You use the Oracle Access Management Console to create these expressions, which include the following elements: ■ ■ Authorization conditions that you select from those that are defined and available in the authorization policy Operators that you use to combine rules to provide the kind of authorization protection that you want (Table 25–24) For expressions that contain multiple conditions, a user may qualify for none of the expression's conditions, one of the conditions, or for the conditions of multiple rules. In any case, it is the result of evaluation of the expression—all of its conditions and how they are combined—not any one condition, that determines whether a user is allowed or denied access to a resource. About the Definitive Result of an Authorization Expression: Access Manager evaluates the rules of an expression until it can produce a definitive result. Evaluation of an authorization expression may produce a definitive Allow access result, a Deny access result, or an Inconclusive result. Figure 25–28 shows the Rules tab when you use Expression as a Rule Mode. Managing Policies to Protect Resources and Enable SSO 25-63 Defining Authorization Policy Rules Figure 25–28 Rules Tab: Expression Rule Mode Table 25–23 describes the elements on the Rule tab in Expression mode. Table 25–23 Rule Tab in Expression Mode Element Description Rule Mode The method used for evaluation of conditions and rules: ■ ■ Expression: Accepts a user-specified Boolean expression to combine conditions using condition names, "(", ")", "|", "&" and "!" special characters. Combines conditions into complex policies. A policy in which there are one or more conditions that are not part of either Allow rule or Deny rule is treated as a valid policy. See Also: Table 25–24, " Operators for Expressions in Authorization Rules" Allow Rule The rule that allows access based on evaluation of your rules and the Selected Conditions list. Deny Rule The rule that denies access based on the evaluation of your rules and the Selected Conditions list. Conditions Provides a list of all conditions defined for this authorization policy. Insert Condition Adds the selected Condition to the expression window. Validate Automatically tests the validity of the expression and reports results. Table 25–24 identifies the operators you can use when building an authorization expression. Table 25–24 Operators for Expressions in Authorization Rules Operator Description ( ) By default, two rules on either side of an AND operator compose the compound AND condition. Rules on either side of an OR operator are alternatives. When no parenthesis are used to enforce grouping of rules, the AND operator takes precedence over the OR operator. You can use parenthesis to override the default way in which the rules of an expression are grouped. Evaluation still occurs from left to right, but the rules are organized within the couplings and groups you create through use of parenthesis. 25-64 Administrator's Guide for Oracle Access Management Defining Authorization Policy Rules Table 25–24 (Cont.) Operators for Expressions in Authorization Rules Operator Description & The AND operator, which you use to form a compound condition which combines authorization rules. Any number of rules can be combined using the AND operator to implement the full scope of conditions a user must meet to satisfy the authorization requirement. However, a user must satisfy the same kind of condition—either Allow Access or Deny Access—of all of the rules of the AND compound condition for the AND clause to produce a definitive result. An authorization expression can contain more than one coupling or grouping of rules combined using AND. For example, it may contain several AND clauses, one connected to another by an OR operator. | The AND operator. An authorization expression can include a complex rule containing two or more alternative authorization conditions. Authorization rules forming a complex condition are combined using the OR operator. Each of the authorization rules specified by a complex OR condition stands on its own. Unlike compound conditions using the AND operator, the user need qualify for the condition of only one of the authorization rules connected by OR operators. An authorization expression can contain as many authorization rules connected using the OR operator as are required to express the authorization policy for the resources it protects. You can use the OR operator to connect authorization rules all of which have Deny Access conditions, all of which have Allow Access conditions, or which specify a mix of Deny Access and Allow Access conditions. You can connect single rules to single rules using OR, and you can connect a single rule to a clause containing rules combined using AND. 25.11.2.1 Expression Evaluation in Authorization Rules The result of evaluation of an authorization rule, in conjunction with other authorization rules, if more than one is included in the expression, determines if a user is granted access to the requested resource. Evaluation of the rule occurs as follows: ■ ■ ■ Each authorization rule specified in the expression is evaluated from left to right. The outcome is combined progressively with the previously evaluated rules. When the evaluation outcome is good enough to decide the overall policy outcome without having to evaluate any more rules, evaluation stops and the overall outcome is returned. Each evaluation outcome can be either True, False, or Inconclusive. Authorization Success: In this case, the user succeeds in gaining access to the requested resource. This result is associated with the Allow Access condition of the expression. Authorization Failure: In this case, the user fails to gain access to the requested resource. This result is associated with the Deny Access condition of the expression. Authorization Inconclusive: In this case, the rules of the expression produce conflicting results, and the user is denied access to the resource. If the match for Identity, IP4 address, or timing condition fails then expression evaluation stops and the result of the overall evaluation is deemed Inconclusive. However, based on the other rules present in the expression, this result might not affect the overall policy evaluation. For example, the following expression: (Rule1 AND Rule 2) OR (Rule 3 AND Rule 4) Yields the following outcomes: ■ Rule1 - INCONCLUSIVE ■ Rule2 - FALSE Managing Policies to Protect Resources and Enable SSO 25-65 Defining Authorization Policy Rules ■ Rule3 - TRUE ■ Rule4 - TRUE ■ Overall: TRUE (Allow) The following sample expression uses (in order of type) Identity, Temporal, IP4Range, and Attribute conditions: (IsEMEAemployee & IsEMEAWorkingHours & !(ConnectedOverVPN |NotReadDisclaimer)) Condition names that include spaces, tabs, or special characters (if properly escaped when defining the expression) are properly handled 25.11.3 Defining Rules in an Authorization Policy Users with valid Administrator credentials can use the following procedure to add rules to an authorization policy. Prerequisites Defining Authorization Policy Conditions. See Also: "About Defining Rules in an Authorization Policy" To define authorization policy rules 1. Locate the desired domain as described in "Searching for an Authorization Policy". 2. Click the Rules tab. 3. Expression: 4. a. Click Expression as the Rule Mode. b. In the Allow Rule Expression field, build your expression by entering operators (Table 25–24) and choosing and inserting conditions (Table 25–23). c. Click the Validate button to confirm your expression. d. Repeat Steps b and c for the Deny Rule. e. Click Apply. Simple Rule Mode: a. Click Simple as the Rule Mode. b. Allow Rule: Click to Match either: All selected conditions Any of the selected conditions Using arrows for Allow (or Deny) Rule, move desired conditions from the Available Conditions column into the Selected Conditions column. Click Apply. c. Repeat step b for the Deny Rule. 5. Click Apply and then close the Confirmation window. 6. Verify the rules by accessing the resource and evaluating the results. 25-66 Administrator's Guide for Oracle Access Management Configuring Policy Ordering 25.12 Configuring Policy Ordering Previous releases of Access Manager used a policy matching algorithm to match incoming resource URLs with the stored patterns in an Application Domain. A best match is arrived at based on a predefined algorithm. (This algorithm can not be changed.) If multiple patterns are matched with an incoming URL, the best match pattern is selected and its associated policy is evaluated. With this 11gR2 PS2 release, rather than the best match algorithm, an Administrator manually designates the order of policies within an Application Domain. To turn on Policy Ordering, the Administrator must first add one or more resource prefixes to the Application Domain. Once these have been added, you can click the Enable Policy Ordering flag. (See Figure 25–2, "Example Application Domain Summary Page".) You may create resource prefixes and not enable policy ordering. In this case, the resource prefixes are ignored and the best match algorithm is used. Note: Figure 25–29 is a screenshot of the Resource Prefix configuration pop up. Figure 25–29 Adding a Resource Prefix for Policy Ordering During runtime, the incoming URL of the protected resource is checked to determine if it starts with any resource prefix defined in the Application Domain. If the URL matches a resource prefix, the policies in the Application Domain configured with that resource prefix are checked (in the order defined by the Administrator) to see if any resource in the policy matches the incoming resource. If the incoming resource matches a particular policy, it is evaluated and the results are returned; the other policies are not checked. To configure Policy Ordering 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security console, select Create Application Domain from the Create (+) drop-down menu 3. On the Create Application Domain page, add a unique name and an optional description. 4. Click Add to add a Resource Prefix. 5. Tick the Enable Policy Ordering box. Managing Policies to Protect Resources and Enable SSO 25-67 Introduction to Policy Responses for SSO 6. Select the Resource Type from the drop down list. See Table 25–1 for definitions of the default Resource Types. 7. Add an optional host identifier. Host identifier is mandatory for an HTTP Resource Type. 8. Add the Resource Prefix. For example, if the policy Resource being protected is /em/**, the Resource Prefix is /em. If the policy Resource being protected is /blog/**, the Resource Prefix is /blog. 9. Click Add. 25.13 Introduction to Policy Responses for SSO Each policy can optionally contain one or more authentication or authorization responses, or both. Responses are post-processing actions (obligations) to be carried out by the web agent. Note: There are no responses in Token Issuance Policies. This section provides the following information: ■ About Authentication and Authorization Policy Responses for SSO ■ About the Policy Response Language ■ About the Namespace and Variable Names for Policy Responses ■ About Constructing a Policy Response for SSO ■ About Policy Response Processing ■ About Assertion Claims and Processing 25.13.1 About Authentication and Authorization Policy Responses for SSO Administrators can define responses that declare the actions that must be fulfilled after successful authentication or authorization. Authentication and authorization data is returned to the client (typically a Web Agent). Policy responses enable the insertion of information into a session or application and the ability to withdraw the information at a later time to enable SSO. For instance, identity mappings can be inserted into the customer's application or actions can be carried out by the Agent or the application. Depending on the responses specified for authentication or authorization success and failure, the user might be redirected to a specific URL, or user information might be passed on to other applications through a header variable or a cookie value. Oracle Access Manager 10g provided data passage to (and between) applications only by redirecting to URLs in a specific sequence. Note: There are no default response provided. Figure 25–30 illustrates an Authorization Policy Response defined by an Administrator in the Oracle Access Management 25-68 Administrator's Guide for Oracle Access Management Introduction to Policy Responses for SSO Console. Authorization responses can operate in conjunction with authorization conditions. Figure 25–30 Authorization Policy Response in the Console Each response consists of two inputs (a type and an expression) and a single output (the value of the evaluated expression). The expression declares how the value should be constructed when the expression is processed. The response type defines the form of action to be taken with the value string. ■ ■ The authentication policy determines the identity of the user. Each authentication policy requires an authentication scheme and responses (expressions). The authorization policy determines whether the user has the right to access the resource. Each authorization policy requires authorization conditions and responses (expressions). Response Guidelines Cookie, Header, and Session responses are supported. 1. 2. URL redirection can be set. 3. Response definitions are part of each policy. Response values can be literal strings or can contain additional embedded expressions that derive values from request, user, and session attributes. Administrators set Responses in the Oracle Access Management Console, as described Table 25–25. Table 25–25 Response Elements Element Description Name A unique name to distinguish this response from other responses that use the same mechanism (type). Managing Policies to Protect Resources and Enable SSO 25-69 Introduction to Policy Responses for SSO Table 25–25 (Cont.) Response Elements Element Description Type The mechanism used to convey the response. form of the action to be taken with the value string: ■ ■ ■ HEADER (Header variables): Sets an HTTP request header for downstream applications using the defined value to dictate the action to be taken (such as the assertion of a User ID using a pre-defined HTTP header name). Another example gets the subscriber information (realm DN and so on) for OSSO and creates a response during the upgrade; a fresh OSSO Agent requires manual configuration. SESSION: Sets an attribute inside the user session by the client (to enable single sign-on) based on the defined session variable name and value. COOKIE: Sets a variable name and value (typically set by Web agents) inside the authentication session cookie to enable single sign-on. In cookie-less mode, Web-cache is currently used to store cookies from Webgate. However, in cookie-less mode, the end application does not have access to cookies and cannot use them. ■ Value Asserted Attribute: With this type, Identity Assertion must be enabled for the policy to collect Assertion Attribute type responses when this policy is executed. The Name list provides valid identifiers from which to choose. The response expression, set as a variable. For more information, see "About the Policy Response Language". Identity Assertion Identity Assertion is required for ID propagation for any issued token from Access Manager that represents an end user (and possibly its Access Manager session). Security Token Service clients that are Web applications protected by Access Manager requesting tokens to gain proxy access to a Relying Party (ID Propagation use case) are required to pass an Access Manager Identity Assertion token that represents the end user. The Identity Assertion Token is generated and returned as a policy response (HTTP HEADER named "OAM_IDENTITY_ASSERTION", value as a SAML token) after a successful authentication. As you add each (non-Asserted Attribute Type) Response, you might be informed that Identity Assertion has not been enabled for this policy.... Enable Identity Assertion to collect Assertion Attribute type responses when this policy is executed. See Also: ■ "Scenario: Identity Propagation with the Access Manager Token" on page 42-2 ■ "Authentication Policy Response for Identity Assertion by Webgate" on page 42-13 ■ Chapter 55, "Using Identity Context" 25.13.2 About the Policy Response Language Access Manager authentication and authorization responses are defined using a very small, domain-specific language (DSL) with two main constructs: ■ Literal strings: For example: This is a valid expression ■ Variable references: – Declared using a dollar sign prefix $ – Scoped to a namespace: $namespace.var_name Note: Certain variables include an attribute: $ns.name.attribute 25.13.3 About the Namespace and Variable Names for Policy Responses With the namespace mechanism, the following variable types are to enable single sign-on: 25-70 Administrator's Guide for Oracle Access Management Introduction to Policy Responses for SSO ■ Request: Information on the requested resource, the client making the request, and the policy matched during evaluation ■ Session: User session details ■ User: User details (user ID, group, and attribute information) For details of each, see: ■ Table 25–26, " Namespace Request Variables for Single Sign-On" ■ Table 25–27, " Namespace Session Variables for Single Sign-On" ■ Table 25–28, " Namespace User Variables" Table 25–26 Namespace Request Variables for Single Sign-On Namespace Description agent_id Name of the requesting agent client_ip IP address of the user browser policy_appdomain Name of the Application Domain holding the policy matched for the request policy_eval_success_conditions List of policy conditions that evaluated to true, separated by COLON or configured response separator policy_eval_failure_conditions List of policy conditions that evaluated to false, separated by COLON or configured response separator policy_res Resource host ID and URL pattern matched for the request policy_name Name of the specific policy matched for the request res_host Requested resource's hostname res_port Requested resource's port number res_type Requested resource's type res_url Requested resource URL path res_complete_url Requested resource URL path with query string Table 25–27 Namespace Session Variables for Single Sign-On Namespace Description attr Reference to an arbitrary session attribute, the name of which is passed to us as a variable attribute. Its value has been bound to the session by executing a session response during a previous request. authn_level Current authentication level for the session authn_scheme Name of the authentication scheme executed to achieve the current authentication level count Session count for the user bound to this session creation Session creation time expiration Session expiration time Table 25–28 Namespace User Variables Namespace Description attr. Value of user attribute attrName. If attrName is multivalued, list of values, separated by COLON or configured response separator. groups List of user's group membership, separated by COLON or configured response separator. Managing Policies to Protect Resources and Enable SSO 25-71 Introduction to Policy Responses for SSO Table 25–28 (Cont.) Namespace User Variables Namespace Description userid The user ID user.id_domain The user's identity domain (essentially the same as the identity store) guid A unique identifier that locates the user entry in an Identity Store 25.13.4 About Constructing a Policy Response for SSO This section is divided as follows: ■ Simple Responses ■ Compound and Complex Responses ■ Multi-Valued Responses See Also: Guidelines for Authorization Responses Based on Conditions 25.13.4.1 Simple Responses After deciding on the response type and determining which namespace and variable, you simply enter the response attributes in the Oracle Access Management Console. A simple response might look like one of the several authorization responses shown in Figure 25–31. Figure 25–31 Simple Response Samples Simple responses stand alone. Each is preceded with the dollar sign ($), followed by the namespace, which is separated from the variable Value by a dot (.). For example: $namespace1.var1 Table 25–29 illustrates several simple responses and a description of what each one returns. Table 25–29 Simple Responses and Descriptions Name Type Value (Simple $Namespace.Variable) Returned Environment Variables and Values oam_sessioncount Header $session.count HTTP_OAM_SESSIONCOUNT integer oam_userid Header $user.userid HTTP_OAM_USERID name oam_ipaddress Header $request.client_ip HTTP_OAM_IPADDRESS nnn.nn.nn.nnn oam_literal Header This is a response string. HTTP_OAM_LITERAL This is a response string 25-72 Administrator's Guide for Oracle Access Management Introduction to Policy Responses for SSO 25.13.4.2 Compound and Complex Responses When crafting a compound or complex policy response, Administrators can combine literals and variables arbitrarily using braces { } to construct an expression. A colon (:) is used as a separator. For example: ${namespace1.var1}:${namespace2.var2} Literal String (LS): ${namespace1.var1}:${namespace2.var2} LS: ${namespace1.var1}, LS:${namespace2.var2} Figure 25–32 illustrates several complex responses defined by an Administrator. All are Header type responses, which set values in a header variable of an HTTP request for consumption by a downstream application. Figure 25–32 Complex Response Sample Table 25–30 describes the complex responses shown in Figure 25–32. Table 25–30 Complex Responses Name Value Returned Environment Variables and Values oam_resinfo Runtime resource: ${request.res_host}:${request.res_ port}${request.res_url} HTTP_OAM_RESINFO Runtime client: Agent ID: ${request.agent_id}, Browser IP: $request.client_ip HTTP_OAM_CLIENTINFO ${user.userid}'s groups: ${user.groups}, description: ${user.attr.description} HTTP_OAM_USERINFO Session creation/expiration/count: ${session.creation}/${session.expiration}/${session.count} HTTP_OAM_SESSIONINFO $user.userid HTTP_OAM_USERID name oam_clientinfo oam_userinfo oam_sessioninfo oam_app_user Runtime resource: myhost.domain.com:1234/cgi-bin/myres3 Runtime client: Agent ID: RREG_OAM, Browser IP: 123.45.67.891 WebLogic's groups: Administrators, description: This user is the default Administrator Session creation/expiration/count: Tue Oct 23 17:47:42 PST 2011/Wed Oct 24 01:47:42 PST 2011/7 For more information, see "About Policy Response Processing". 25.13.4.3 Multi-Valued Responses Access Manager 11g supports responses with multiple values. These can be multivalued user attribute responses, user's group membership responses and the like. For multivalued responses, Access Manager uses a COLON as the separator and a BACKSLASH as the escape character. For example, if a user attribute genType has the values "Gold", "Platinum" and "Silver", the policy response for $user.attr.genType would be: "Gold:Platinum:Silver" Managing Policies to Protect Resources and Enable SSO 25-73 Introduction to Policy Responses for SSO If a COLON appears in any of the attribute values, it will be escaped with BACKSLASH. For example, for a user with group memberships as "Administrators", "Special:Users", the policy response for $user.groups would be "Administrators:Special\:Users" It is possible to change the default separator and escape character using the configurePolicyResponses(responseSeparator, responseEscapeChar) WLST command. Refer to the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for details. 25.13.5 About Policy Response Processing Policy response processing occurs during the authorization request for which the authentication responses are replayed. Variable references are filled with appropriate values to ensure that all variables have a value set, and can be set consistently with authorization values. Processing a response expression is done through a series of steps: ■ Scanner/tokenizer ■ Parser ■ Interpreter During interpretation, variable references are resolved to values. The result after processing is a simple String value, which is propagated to the Agent or saved within the session for future use. Authentication success responses are saved and then "replayed" along with any authorization responses on the first applicable authorization request. Authorization response expressions create the actions to be taken, depending on the evaluation of the expression: success, failure, or inconclusive. Oracle Access Manager 10g exhibits the same behavior in the "authenticating Webgate" configuration. This is also employed by Access Manager 11g with 10g Webgates: The 10g Webgate always redirects to the Access Manager 11g credential collector which acts like the authenticating Webgate. Note: When referencing a variable, either the value is returned, or the following is returned: ■ NOT FOUND is returned if the variable is not set ■ NULL is returned if the variable is set to a null value Note: Verify the Responses. Pass Through Without Processing A value that must be passed through without processing, can be identified using a \. For example: \$1000 results in the value $1000 appearing in the returned value. 25-74 Administrator's Guide for Oracle Access Management Adding and Managing Policy Responses for SSO 25.13.6 About Assertion Claims and Processing For details, see Chapter 55, "Using Identity Context". 25.14 Adding and Managing Policy Responses for SSO Policies and responses enable single sign-on and can override other directives. Before starting activities in this section, be sure to review the "Introduction to Policy Responses for SSO" on page 25-68. Unless explicitly stated, information in this section applies equally to authentication and authorization responses. ■ Adding a Policy Response for SSO ■ Viewing, Editing, or Deleting a Policy Response for SSO 25.14.1 Adding a Policy Response for SSO Users with valid Administrator credentials can use the following procedure to add a policy response for authentication or authorization to the Protected Resource Policy. For example, you can collect the DN of the realm that is created when Oracle Internet Directory is installed. Optionally, you can also configure the global user ID of the subscriber in Oracle Internet Directory or a subscriber name rather than the default company as shown in Table 25–31. Table 25–31 Fresh OSSO Installation: Protected Policy Response (Header) Response Parameter Collect Realm DN when OID is Installed Configure GUID of Subscriber IN OID to Different Company Configure GUID of Subscriber IN OID to Default Company Name osso-subscriber-dn (lowercase) osso-subscriber (optional) osso-subscriber-guid (optional) Type Header Header Header Value dc=country,dc=example,dc=com dc=country_or_region,dc=com ,dc=default_company,dc=com Go to the subscriber DN (in Oracle Internal Directory for example) and find the value (of orclguid for the DN, for example). Prerequisites Analyze desired conditions before crafting authorization responses to ensure the appropriate actions are taken by the response. You need an Application Domain with an existing authentication or authorization policy. See Also: "Introduction to Policy Responses for SSO" on page 25-68 To add a policy Response 1. Locate the desired domain as described in "Searching for an Authorization Policy". 2. In the individual policy page, click the Responses tab, then click the Add button and: ■ In the Name field, enter a unique name for this response. ■ From the Type list, choose a response type (Session or Header or Cookie). ■ In the Value field, enter a value for this response. For example: $namespace1.var1 Managing Policies to Protect Resources and Enable SSO 25-75 Validating Authentication and Authorization in an Application Domain See Also: "About the Namespace and Variable Names for Policy Responses" on page 25-70 ■ Repeat as needed. 3. Click Apply, then close the Confirmation window. 4. Close the page when you finish. 5. Verify the Responses based on your definitions. 25.14.2 Viewing, Editing, or Deleting a Policy Response for SSO Users with valid Administrator credentials can use the following procedure to view or edit a policy response for authentication or authorization. Prerequisites You must have an Application Domain with an existing authentication or authorization policy. See Also: "Introduction to Policy Responses for SSO" on page 25-68 To view, modify, or delete a policy response 1. Locate the desired domain as described in "Searching for an Existing Application Domain". 2. Click the Authentication (or Authorization) Policies tab, then click the desired policy name. 3. On the individual policy page, click the Responses tab and proceed as needed: ■ ■ ■ Add: See "Adding a Policy Response for SSO" Edit: Click the desired Response Name, Type, or Value, edit as needed, and click Apply. Delete: Click the desired response, then click the Delete button for the Response table. 4. Close the Confirmation window. 5. Close the page when you finish. 6. Verify Responses based on your definitions for: ■ Header ■ Session ■ ■ Cookie: Use a browser plug-in tool or turn on the browser "show cookies" settings. Assertion Claim 25.15 Validating Authentication and Authorization in an Application Domain The procedure here provides several methods for confirming that Agent registration and authentication and authorization policies are operational. The procedures are nearly identical for both OAM Agents and OSSO Agents (mod_osso). However, OSSO Agents use only the authentication policy and not the authorization policy. 25-76 Administrator's Guide for Oracle Access Management Understanding Remote Policy and Application Domain Management Prerequisites ■ Users and groups who are granted access must exist in the primary LDAP User Identity Store that is registered with Oracle Access Management ■ ■ ■ Agents must be registered to operate with Access Manager. After registration, protected resources should be accessible with proper authentication without restarting the Administration or Managed Server. Application domain, authentication policies, and authorization policies must be configured. Logout should be configured as described in Chapter 27, "Configuring Centralized Logout for Sessions Involving 11g WebGates" To verify authentication and access 1. Using a Web browser, enter the URL for an application protected by the registered Agent to confirm that the login page appears (proving that the authentication redirect URL was specified appropriately). For example: http://exampleWebserverHost.example.com:8100/resource1.html 2. Confirm that you are redirected to the login page. 3. On the Sign In page, enter a valid username and password when asked, and click Sign In. 4. Confirm that you are redirected to the resource and proceed as follows: ■ ■ Success: If you authenticated successfully and were granted access to the resource; the configuration is working properly. Failure: If you received an error during login or were denied access to the resource, check the following: – Authentication Failed: Sign in again using valid credentials. – Access to URL ... denied: This userID is not authorized to access this resource. – Resource not Available: Confirm that the resource is available. – Wrong Redirect URL: Verify the redirect URL in the Oracle Access Management Console. See Also: Chapter 26, "Validating Connectivity and Policies Using the Access Tester" 25.16 Understanding Remote Policy and Application Domain Management Several remote management modes enable Administrators to update, or validate, or delete an existing agent registration. This section provides the following topics: ■ About Managing Policies Remotely ■ About the Create Policy Request Template ■ About the Update Policy Request Template ■ About Remote Policy Management and Templates Managing Policies to Protect Resources and Enable SSO 25-77 Understanding Remote Policy and Application Domain Management 25.16.1 About Managing Policies Remotely Access Manager provides two modes to manage Application Domains and their policies without registering or modifying the companion agent. Remote policy and Application Domain management supports only create and update functions. Remote management does not support removing Application Domains or policies. Application Domain removal is a manual task that must be performed using the Oracle Access Management Console. Note: Table 25–32 describes these remote Application Domain management modes. Again, command parameters include the mode, and an input *Request.xml file using a relative path with respect to $OAM_REG_HOME, the preferred location for input files): ./oamreg.sh [prompt_flag] [component.oam.config_file] value Table 25–32 Remote Policy Management Modes, Templates, and Flags Mode and Template Description policyCreate Allows Administrators to create Host Identifiers and an Application Domain without registering an Agent. $OAM_REG_HOME/input/ CreatePolicyRequest.xml ./bin/oamreg.sh policyCreate input/myCreatePolicyRequest.xml See Also: "About the Create Policy Request Template" on page 25-79 policyUpdate $OAM_REG_HOME/input/ UpdatePolicyRequest.xml Allows Administrators to update existing Host Identifiers and Application Domain without updating an Agent. ./bin/oamreg.sh policyUpdate input/UpdatePolicyRequest.xml See Also: "About the Update Policy Request Template" on page 25-80 Flag Optional [prompt_flag] value: [-noprompt] When the optional -noprompt flag is used, oamreg can read input from system.in by using echo and pipe to pass data. Examples from $OAM_REG_HOME location: (echo username; echo password; echo webgate_password;) | ./bin/oamreg.sh inband input/Request.xml -noprompt component.oam.conf (echo username; echo password; echo webgate_password; echo httpscert_trust_prompt;) | ./bin/oamreg.sh inband input/Request.xml -noprompt (echo username; echo password; echo webgate_password; echo cert_password;) | ./bin/oamreg.sh inband input/Request.xml -noprompt (echo username; echo password; echo webgate_password; echo httpscert_trust_prompt; echo cert_password;) | ./bin/oamreg.sh inband input/Request.xml -noprompt 25-78 Administrator's Guide for Oracle Access Management Understanding Remote Policy and Application Domain Management Table 25–32 (Cont.) Remote Policy Management Modes, Templates, and Flags Mode and Template Description component.oam.config_file Optional. Remote registration accepts a configuration file with a URI list as an argument. component.oam.config_file defines the full path to a file containing any number of protected or public URIs. Ensure that the file uses the following syntax and format: ■ At least one protected URI is required ■ Only one product family is allowed per file ■ Comments begin with '#' ■ ■ Keyword 'public_uris': list public URIs on separate lines after this key word. Keyword 'protected_uris': list URIs to be protected on separate lines after this key word Note: You can configure the authentication scheme for a policyusing the following format (the policy name and authentication scheme name must be separated by a Tab character): 'tab' For example: ######################## protected_uris ######################## protected policy1 Basic Over LDAP /finance/protected1/** /finance/protected2/** protected policy2 Client Certificate /finance/protected3/*.js,*.png,*.gif ######################## public_uris ######################## /finance/public /finance/test1/public 25.16.2 About the Create Policy Request Template The CreatePolicyRequest.xml file with the remote policyCreate mode allows Administrators to create Host Identifiers and an Application Domain without creating or updating an agent registration. ■ Create a Host Identifier add multiple hostPortVariations (host port pairs). ■ Create an Application Domain. ■ ■ Add multiple protected, public, and excluded resources. Resources can be with or without query strings, both are supported. Create default authentication and authorization policies for the resources that do not require customized policies. Many of the same parameters are found in the CreatePolicyRequest.xml file and the expanded (full) Agent registration templates discussed earlier. CreatePolicyRequest.xml provides elements for Authentication and Authorization Policies and resources (with no element). Some parameters in the CreatePolicyRequest.xml file are new and not included in the full agent registration XML files, while certain elements in the original agent registration file are used to create or update. However, some elements are The primary differences of CreatePolicyRequest.xml are specific to: Managing Policies to Protect Resources and Enable SSO 25-79 Understanding Remote Policy and Application Domain Management ■ ■ Elements for Authentication and Authorization Policies and resources are provided No element or related elements are provided See Also: "About Remote Policy Management and Templates" on page 25-80 25.16.3 About the Update Policy Request Template UpdatePolicyRequest.xml and CreatePolicyRequest.xml are nearly identical. Both provide the same elements, with the exception of the element. See Also: "About Remote Policy Management and Templates" on page 25-80 Using UpdatePolicyRequest.xml, Administrators can: ■ Update a Host Identifier add multiple hostPortVariations (host port pairs) ■ Update an Application Domain ■ ■ ■ Add multiple protected, public, and excluded resources.(with or without query strings). Update default authentication and authorization policies for the resources that do not require customized policies Create customized policies that include: ■ Policy display name ■ Policy description ■ Authentication scheme (Authentication policies only) ■ A subset of resources to be associated with the policy 25.16.4 About Remote Policy Management and Templates This section describes the unique remote management elements for Application Domain management found in the CreatePolicyRequest.xml and UpdatePolicyRequest.xml files. These elements are described in Table 25–33. Table 15–8, " Common Elements in Remote Registration Requests" for a description of elements common to remote registration and remote management. See Also: 25-80 Administrator's Guide for Oracle Access Management Understanding Remote Policy and Application Domain Management Table 25–33 Remote Management Template Elements Element Description Specifies the name and description for the Authentication Policy (to use when creating a new policy or updating an existing policy). AuthenticationPolicy1 Authentication policy created using policyUpdate mode of rreg tool . . Specifies the Authentication Scheme to use in the Authentication Policy. . . authnSchemeName>LDAPScheme . . Identifies a resource that requires authentication using the policy. . . - /res1 . . Specifies the name and description for the Authorization Policy (to use when creating it anew or updating an existing policy). AuthorizationPolicy1 Authorization policy created using policyUpdate mode of rreg tool . . Identifies a resource that requires Authorization using the Authorization Policy. . . - /res1 . . Example Managing Policies to Protect Resources and Enable SSO 25-81 Managing Policies and Application Domains Remotely 25.17 Managing Policies and Application Domains Remotely The following procedure describes how Administrators can create or update existing policies remotely, without revising an agent's registration. Prerequisites Review About Managing Policies Remotely To managing policies or an Application Domain remotely without an Agent 1. Set up the registration tool as described in, "Acquiring and Setting Up the Remote Registration Tool" on page 15-33. 2. 3. Copy the appropriate request template and develop your own policy-management request (including any Application Domain revisions needed): ■ Create Policy Request File ■ Update Policy Request File On the Agent host, run the following command with the appropriate mode and your own *Request*.xml input file. For example: policyCreate Mode: ./bin/oamreg.sh policyCreate input/myCreatePolicyRequest.xml policyUpdate Mode: ./bin/oamreg.sh policyUpdate input/myUpdatePolicyRequest.xml 4. Provide the registration Administrator user name and password when asked. 5. Confirm success by reading on-screen messages, then use the Oracle Access Management Console to manage the domain and policies: agentUpdate process completed successfully! Native Configuration File Location: "... created in output folder ..." The output folder is in the same location where RREG.tar.gz was expanded: .../rreg/output/AgentName/ 25.18 Defining an Application Application is a new concept introduced in PS2. An Application contains: ■ ■ launch-url (that will be used by the end user of the application) icons, description and other meta-data that is used to display it in the Access Portal (which is user facing) The following Application types are supported: ■ ■ ■ SSO Agent Application (protected by a WebGate) Federation Service Provider Partner Application (through Federation, launch a third-party partner application) Form-Fill Application (Access Portal Application template based application) The Application should have the configuration required to SSO enable it. However, for PS2, only Form-Fill application and Federation SP applications have their configuration in the Application. SSO applications have only the launch URL. Additional functionality will be added in subsequent releases. 25-82 Administrator's Guide for Oracle Access Management Defining an Application Application registration will work only if ESSO is configured and enabled. In order to register an Application, an ESSO IDS Profile must be created because the Application's policy information is stored in the ESSO directory store. Note: Managing Policies to Protect Resources and Enable SSO 25-83 Defining an Application 25-84 Administrator's Guide for Oracle Access Management 26 Validating Connectivity and Policies Using the Access Tester 62 Oracle provides a portable, stand-alone Java application, Access Tester, which simulates registered Agents connecting to OAM Servers. The scripted execution allows for command-line processing. You can record and playback scripts and capture output for different functions. Encrypted and multiple-server connections are supported. IT professionals and Administrators can use the Access Tester to troubleshoot agent to server connections in addition to on-the-fly testing of request and response semantics and access policy designs. This chapter introduces the Access Tester and how to use it in the following sections: ■ Prerequisites ■ Introduction to the Access Tester for Access Manager 11g ■ Installing and Starting the Access Tester ■ Introduction to the Access Tester Console and Navigation ■ Testing Connectivity and Policies from the Access Tester Console ■ Creating and Managing Test Cases and Scripts ■ Evaluating Scripts, Log File, and Statistics 26.1 Prerequisites Before you can perform tasks in this chapter: ■ ■ Ensure that the Oracle Access Management Console and OAM Server are running. Confirm the Application Domain and policies for one or more resources, as described in Chapter 25. 26.2 Introduction to the Access Tester for Access Manager 11g The Access Tester is a portable, stand-alone Java application that ships with Access Manager 11g. The Access Tester provides a functional interface between an individual IT professional or Administrator and the OAM Server. IT professionals can use the Access Tester to verify connectivity and troubleshoot problems with the physical deployment. Application Administrators can use the Access Tester to perform a quick validation of policies. In this chapter, the term "Administrator" represents any individual who is using the Access Tester. Validating Connectivity and Policies Using the Access Tester 26-1 Introduction to the Access Tester for Access Manager 11g The Access Tester can be used from any computer having a network connection to the OAM Server. Both a graphical user interface (known as the Tester Console in this chapter) and a command-line interface are provided. Command line mode enables complete automation of test script execution in single or multi-client mode environments. By appearing to be a real agent, the Access Tester helps with policy configuration design and troubleshooting, and sometimes with troubleshooting OAM Server responsiveness. When using the Access Tester, you must appear to be the real end user; the Access Tester does not actually communicate with a real end user. To use the Access Tester, you must understand and administer authentication and authorization policies for an application or resource that is protected by Access Manager. The Access Tester enables you to: ■ ■ ■ ■ Configure a request to be sent to the OAM Server that emulates what a real agent would send to the OAM Server in a real environment. Send your request to the OAM Server and receives a response that is the same as the response that would received by a real Agent. The Access Tester uses the OAM Access Protocol (OAP) API to send requests over the OAP channel to the OAM Proxy running as part of the OAM Server. The OAM Server processes the request and returns a response. Process and display the server response. Proceed in the manner a real agent would to handle the response. For example, if a Webgate determines that a resource is protected by a certificate authentication scheme, then it must obtain the end user's certificate from the http SSL connection. In the case of a certificate authentication scheme, you must point the Access Tester to a certificate to be used as the end user's credentials. In addition to simulating the Agent while performing functions in the previous list, the Access Tester enables you to: ■ Review performance characteristics of intended policy changes ■ Track the latency of authentication and authorization requests ■ ■ ■ Stress test the OAM Server to establish low- and high-performance watermarks relative to desired user loads, and to size back-end hardware Stress test the policy server by running multiple concurrent tests (multi-threaded mode) with command-line mode only. Establish performance metrics and measuring on an ongoing basis to prove desired outcomes During basic operations, the Access Tester does not make any determination about the Server response and whether it is a right or wrong response (for instance, whether or not resource X is protected, or user Y is authorized to access resource X). When operating the Access Tester, you must be aware of the policy configuration to determine if a specific response is appropriate. The Access Tester offers advanced functionality that enables you to group a number of individual requests into a test script that can be sent to the OAM Server for processing. The output of such a test run can be captured by the Access Tester and used to compare against a similar document containing "known good" responses. In this way, the Access Tester can be used for automated testing of policy configuration against errant changes. 26-2 Administrator's Guide for Oracle Access Management Introduction to the Access Tester for Access Manager 11g Additionally, the Access Tester provides a multi-threaded capability designed to stress test the policy server. In the multi-threaded approach, you identify the number of virtual test clients to connect to the policy server and the number of iterations that each virtual client should execute a test script. This enables you to stress test the policy server. For more information, see the following topics in this chapter: ■ About OAM Agent and Server Interoperability ■ About Access Tester Security and Processing ■ About Access Tester Modes and Administrator Interactions 26.2.1 About OAM Agent and Server Interoperability The two primary types of actors in the OAM architecture are the policy servers (OAM Servers) and OAM policy enforcement agents (Webgates or Access Clients). In the security world, Agents represent the policy enforcement point (PEP), while OAM Servers represent the policy decision point (PDP): ■ ■ The Agent plays the role of a gatekeeper to secure resources such as http-based applications and manage all interactions with the user who is trying to access that resource. This is accomplished according to access control policies maintained on the policy server (OAM Server). The role of the OAM Server is to provide policy, identity, and session services to the Agent to properly secure application resources, authenticate and authorize users, and manage user sessions. This core OAM product architecture revolves around the following exchanges, which drive the interaction between the Agent and OAM Server. To expose inter-operability and the key decision points, Figure 26–1 illustrates a typical OAM Agent and OAM Server interaction during a user's request for a resource. Validating Connectivity and Policies Using the Access Tester 26-3 Introduction to the Access Tester for Access Manager 11g Figure 26–1 OAM Agent (PEP) and OAM Server (PDP) Inter-operability The following overview outlines the processing that occurs between OAM Agents and OAM Servers. During testing, the Access Tester emulates the Agent and communicates with the OAM Server while the Administrator emulates the end user. Process overview: Interoperability between OAM Agents and OAM Servers 1. Establish server connectivity: The registered OAM Agent connects to the OAM Server. 2. The user requests accesses to a resource. 3. Validate resource protection: The Agent forwards the request to the OAM Server to determine if the resource is protected. Protected: The OAM Server responds with the type of credentials required. 4. User credentials: Establishing the user identity enables tracking for Audit and SSO purposes, and conveyance to the application. For this, the Agent prompts the user for his credentials. 5. Authenticate user credentials: The Agent forwards the supplied user credentials to the OAM Server for validation. Authentication Success: The Agent forwards the resource request to the OAM Server. 6. Authorize user access to a resource: The Agents must first determine if the user is allowed to access the resource by forwarding the request for access to the OAM Server for authorization policy evaluation. 7. The Agent grants or denies access based on the policy response. 26-4 Administrator's Guide for Oracle Access Management Introduction to the Access Tester for Access Manager 11g 26.2.2 About Access Tester Security and Processing This topic provides information about secure communications, connections, storage, input, logging, and Analysis. Secure Communication: The Access Tester supports Open, Simple, or Cert connection modes for communication with the OAM Server: ■ ■ ■ Open mode: No security on the physical connection Simple mode: The physical connection is encrypted using built-in certificates. With Simple mode, you are asked to enter the Global Pass Phrase that is configured for the OAM Server. Cert mode: The physical connection is encrypted using a field-provided certificates. Access Tester Cert Mode requires: – Configuring the agent (either existing or new) for Cert mode communication. – Obtaining certificates for the agent being emulated. Access Tester Cert Mode requires two JKS key stores, created using the importcert tool from the supplied PEM (BASE64-encoded ASCII) certificates: aaa_trust.pem, aaa_ key.pem, aaa_cert.pem: ■ ■ ■ A Trust Store (file containing the JKS key store with the root CA certificate) is required. A Key Store (file containing the JKS key store with the agent's private key and certificate) is required. A Key Store Password is used to encrypt the Key Store with the agent certificates. See Also: ■ ■ Appendix C, "Securing Communication" for details about Simple and Cert mode configuration for OAM Server and clients (Webgates) "Introduction to the Access Tester Console and Navigation" on page 26-12 Connections: The Access Tester encrypts all password-type values that it saves to configuration files and test cases. Access Tester validates whether the pool contains valid connections. Cache flush requests are sent over an established connection (not an out-of-band connection to delete the user session (to simulate logout) over OAP. Using an already established connection can improve performance. Persistent Storage: The Access Tester manages a number of data structures that require persistent storage between Access Tester invocations. XML-file-based storage is provided for the following types of information: ■ Configuration data to minimize data entry between invocations of the application (OamTestConfiguration) ■ Test scripts consisting of captured test cases (OamTestScriptCase) ■ Statistical data representing execution metric from a test run (OamTestStats) XML Files for Input, Logging, and Analysis: The Access Tester uses a single XML schema to define all the XML documents it generates. The following XML files are produced when you run the Access Tester to process test scripts: ■ Configuration Script: config.xml is the output file generated using the Save Configuration command within the Access Tester. The name of this document is Validating Connectivity and Policies Using the Access Tester 26-5 Introduction to the Access Tester for Access Manager 11g used within the input script to provide proper connection information to the Access Tester running in command line mode. For details, see "About the Saved Connection Configuration File" on page 26-32. ■ ■ ■ ■ Input Script: script.xml represents a script that is generated by the Access Tester after capturing one or more test cases. For details, see "About the Generated Input Test Script" on page 26-33. Target Output Script: oamtest_target.xml is generated by running the Access Tester in command line mode and specifying the input script. For details, see "About the Target Output File Containing Test Run Results" on page 26-34. For example: -Dscript.scriptfile="script.xml" -jar oamtest.jar Statistics: oamtest_stats.xml is generated together with the output script. For details, see "About the Statistics Document" on page 26-36. Execution Log: lamtest_log.log is generated together with the output script. For details, see "About the Execution Log" on page 26-38. For more information, see "About Access Tester Modes and Administrator Interactions". 26.2.3 About Access Tester Modes and Administrator Interactions This topic describes modes, interactions, and the jar files needed to start and run the Access Tester. Console: The Access Tester provides a single window for interactions with the user. All Access Tester operations are available in the main window, which performs as a central dashboard where users can submit specific details for the test case and view responses. Command Line and Scripts: You can use the Access Tester command line and develop test scripts, which you can run interactively or in batches for computerized execution to maximize productivity and minimize costs and resources. Startup and Run Time JAR Files: The Access Tester requires nap-api.jar in the same directory as the main jar oamtest.jar, which is used to start the application. Interactions: Regardless of the mode you choose for running the Access Tester, your primary interactions with the Access Tester include: ■ Issuing Requests and Reviewing Results You use the Access Tester to issue requests to the OAM Server to validate resource protection, policy configuration, user authentication, and user authorization. You can immediately analyze test case results and also retain the data for longer-term analysis, if needed. ■ Managing Test Scripts You can build test scripts by capturing the data generated by test execution, which is available as stand-alone documents. You can run the test script for manual or automated analysis. The Access Tester provides for some automated analysis after each test run, while collecting full set of statistics to enable analysis after the fact. ■ Managing OAM Server Connectivity You can manage application settings that include server connection information. Figure 26–2 depicts the flow of information during operations in both Console and command-line modes. Details follow the figure. Advanced operations include building and executing test scripts. 26-6 Administrator's Guide for Oracle Access Management Introduction to the Access Tester for Access Manager 11g Command-line mode enables complete automation of test script execution in single or multi-client mode environments. The Access Tester exposes a control mechanism to configure test runs without having to change "known good" input test scripts which are available in read-only mode. Note: Figure 26–2 User Interactions with the Access Tester Table 26–1 describes the process flow of information during both Tester Console mode operations and command-line mode operations. Table 26–1 User Interactions: Tester Console Mode versus Command Line Mode Operations Tester Console mode Command Line Mode The user starts the Access Tester from the command line. The user or a shell script starts the Access Tester in command line mode. Cert mode for secure communication: The keystores are specified in the OamTestConfiguration.xml file containing previously saved configuration information. The user opens a previously saved OamTestConfiguration.xml file to populate the application fields and minimize data entry, including server connection fields. Alternatively, the user can use the Tester Console and enter data manually The Access Tester starts processing test cases based on the input script. The user clicks the Connect button to open the connection with the OAM Server. The Access Tester opens a connection with the OAM Server based on details in the input script. Resource Protection: The user performs steps in a sequence to validate resource protection, authenticate user credentials, and authorize user access. Resource Protection: The Access Tester starts processing test cases based on the input script. Validating Connectivity and Policies Using the Access Tester 26-7 Installing and Starting the Access Tester Table 26–1 (Cont.) User Interactions: Tester Console Mode versus Command Line Mode Operations Tester Console mode Command Line Mode When the test completes, the Access Tester generates: Once the script completes, the Access Tester generates: ■ ■ ■ A script with results ■ A file with execution statistics including information about mismatched responses A log file detailing processing flow ■ ■ A script with results A file with execution statistics including information about mismatched responses A log file detailing processing flow The user repeats steps as needed to complete validation The user repeats steps as needed to complete validation. In Cert mode, you will be prompted to identify the necessary keystores. In Cert mode, the keystores are specified in the XML file containing previously saved configuration information. The following overview outlines the tasks involved with using the Access Tester, and the topics where more information can be found in this chapter. Task overview: Testing Access Manager connections and policies 1. Review the following topics: ■ Installing and Starting the Access Tester ■ Introduction to the Access Tester Console and Navigation 2. Perform and capture tests using the Access Tester Console as described in "Testing Connectivity and Policies from the Access Tester Console" 3. Proceed to "Creating and Managing Test Cases and Scripts" 26.3 Installing and Starting the Access Tester The Access Tester consists of two jar files that can be used from any computer, either within or outside the WebLogic Server domain. This section describes how to install the Access Tester, which involves copying the Access Tester jar files to a computer from which you want to run tests. The Access Tester must be started from a command line regardless of the mode you choose for test input: Tester Console mode or command line mode. This section is divided into the following topics: ■ Installing the Access Tester ■ About Access Tester Supported System Properties ■ Starting the Tester Without System Properties For Use in Tester Console Mode ■ Starting the Access Tester with System Properties For Use in Command Line Mode 26.3.1 Installing the Access Tester This topic describes how to install the Access Tester for use on any computer. Following installation, the Access Tester is ready to use. No additional setup is required. To install the Access Tester 1. Ensure that the computer from which the tester will be run includes JDK/JRE 6. For example, you can test for Java as follows: java -version The previous command returns the following information: java version "1.6.0_18" 26-8 Administrator's Guide for Oracle Access Management Installing and Starting the Access Tester Java(TM) SE Runtime Environment (build 1.6.0_18-b07) Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode) 2. On a computer hosting the OAM Server, locate and copy the Access Tester Jar files. For example: $ORACLE_HOME/oam/server/tester/oamtest.jar $ORACLE_HOME/oam/server/tester/nap-api.jar 3. Store the jar file copies together in the same directory on any computer from which you want to run the Access Tester. 4. Cert Mode: If the OAM Server communication mode is Cert, ensure that the computer from which you will run the Access Tester includes the same keystores that are defined on the agent registration page of the Oracle Access Management Console. See Chapter 14. 5. Proceed as follows, depending on your environment and requirements: ■ ■ ■ Starting the Tester Without System Properties For Use in Tester Console Mode enables you to manually drive requests. Starting the Access Tester with System Properties For Use in Command Line Mode Executing a Test Script enables you to use a test script that has been created against a "Known Good" policy configuration and marked as "Known Good" 26.3.2 About Access Tester Supported System Properties The Access Tester supports a number of configuration options that are used for presentation or during certain aspects of testing. These options are specified at startup using the Java-D mechanism, as shown in Table 26–2, which describes all supported system properties. Table 26–2 Access Tester Supported System Properties Property log.traceconnfile display.fontname Access Tester Mode Description and Command Syntax Tester Console and Command Line modes Logs connection details to the specified file name. Tester Console mode Starts the Access Tester with the specified font. This could be useful in compensating for differences in display resolution. -Dlog.traceconnfile="" - Ddisplay.fontname ="" display.fontsize Tester Console mode Starts the Access Tester with the specified font size. This could be useful in compensating for differences in display resolution. - Ddisplay.fontsize ="" display.usesystem Tester Console mode Starts the Access Tester with the default font name and size (Dialog font, size 10). - Ddisplay.usesystem script.scriptfile Command Line mode Runs the script in command line mode. -Dscript.scriptfile="" Validating Connectivity and Policies Using the Access Tester 26-9 Installing and Starting the Access Tester Table 26–2 (Cont.) Access Tester Supported System Properties Property control.configfile Access Tester Mode Command Line mode Description and Command Syntax Overwrites script's "configfile" attribute containing the absolute path to the configuration XML file with the connection information. The Access Tester uses the configuration file to establish a connection to the Policy Server indicated by Connection element. -Dcontrol.config="" control.testname Command Line mode Overwrites script's "testname" attribute of the Control element containing a string representing a name of the test series to be used in naming output script, stats, and log files. Output log files begin with _ . -Dcontrol.testname="" control.testnumber Command Line mode Specifies the control number to be used in naming output script, stats, and log files. Output log files begin with _ . -Dcontrol.testnumber="". Although the auto generated string is a 7 digit number based on current local time (2 character minutes + 2 character seconds + 3 character hundredths), any string can be used to denote the control number as long as it can be used in a filename. control.ignorecontent Command Line mode Overwrites script's "ignorecontent" attribute of the Control element indicating the Access Tester should ignore differences in Content between the original test case and current results. -Dcontrol.testname="true|false" control.displayiteration Command Line stats mode Controls whether or not to display intermediate statistics after each iteration of the test run. -Dcontrol.displayiterationstats="true|false" control.loopback Command Line mode Runs the Access Tester in loopback mode to test the Access Tester for internal regressions against a known good script. Used for unit testing the Access Tester. -Dcontrol.loopback="true" 26.3.3 Starting the Tester Without System Properties For Use in Tester Console Mode To manually drive (and capture) requests and view real-time response through the graphical user interface, start the tester in Tester Console mode. This procedure omits all system properties, even though several can be used with Tester Console mode. The jar file defines the class to be started by default; no class name need be specified. Ensure that the nap-api.jar is present in the same directory as oamtest.jar. 26-10 Administrator's Guide for Oracle Access Management Installing and Starting the Access Tester See Also: ■ ■ "About Access Tester Supported System Properties" "Starting the Access Tester with System Properties For Use in Command Line Mode" To start the Access Tester in console mode without system properties 1. From the directory containing the Access Tester jar files, enter the following command: java -jar oamtest.jar 2. Use the -help option to list all the options available for the oamtest command-line tool. java -jar oamtest.jar -help 3. Proceed to one of the following topics for more information: ■ Introduction to the Access Tester Console and Navigation ■ Testing Connectivity and Policies from the Access Tester Console ■ Creating and Managing Test Cases and Scripts 26.3.4 Starting the Access Tester with System Properties For Use in Command Line Mode This section is divided into the following topics: ■ About the Access Tester Command Line Mode ■ Starting the Tester Without System Properties For Use in Tester Console Mode 26.3.4.1 About the Access Tester Command Line Mode To run a test script, or to customize Access Tester operations, you must start the tester in command line mode and include system properties using the Java -D option. See Also: "About Access Tester Supported System Properties" on page 26-9 When running in command line mode, the Access Tester returns completion codes that can be used by shell scripts to manage test runs. When you run the Access Tester in Console mode, you do not need to act upon codes that might be returned by the Access Tester. Shell scripts that wrap the Access Tester to execute specific test cases must be able to recognize and act upon exit codes communicated by the Access Tester. In command line mode, the Access Tester exits using System.Exit (N), where N can be one of the following codes: ■ ■ ■ 0 indicates successful completion of all test cases with no mismatches. This also includes a situation where no test cases are defined in the input script. 3 indicates successful completion of all test cases with at least one mismatch. 1 indicates that an error prevented the Access Tester from running or completing test cases. This includes conditions such as No input script specified, Unable to read the input script, Unable to establish server connection, Unable to generate the target script. Validating Connectivity and Policies Using the Access Tester 26-11 Introduction to the Access Tester Console and Navigation These exit codes can be picked up by shell scripts ($? In Bourne shell) designed to drive the Access Tester to execute specific test cases. 26.3.4.2 Starting the Access Tester with System Properties Use the following procedure to start the Access Tester in command line mode and specify any number of configuration options using the Java-D mechanism. See Also: "About Access Tester Supported System Properties" on page 26-9 To start the Access Tester with system properties or for use in command line mode 1. From the directory containing the Access Tester jar files, enter the command with the appropriate system properties for your environment. For example: java -Dscript.scriptfile="\tests\script.xml" -Dcontrol.ignorecontent="true" -jar oamtest.jar 2. After startup, proceed to one of the following topics for more information: ■ Testing Connectivity and Policies from the Access Tester Console ■ Creating and Managing Test Cases and Scripts 26.4 Introduction to the Access Tester Console and Navigation This section introduces the Access Tester Console, navigation, and controls. Figure 26–3 shows the fixed-size Access Tester Console. This is the window through which users can interact with the application if the Access Tester is started in Console mode. The window can not be resized. Details follow the screen. 26-12 Administrator's Guide for Oracle Access Management Introduction to the Access Tester Console and Navigation Figure 26–3 Access Tester Console At the top of the main window are the menu names within a menu bar. Under the menu bar is the tool bar. All of the commands represented by buttons in the tool bar are also available as menu commands.The Access Tester Console is divided into four panels, described in Table 26–3. Table 26–3 Access Tester Console Panels Panel Name Description Server Connection Provides fields for the information required to establish a connection to the OAM Server (a single primary server and a single secondary server), and the Connect button: See also: "Establishing a Connection Between the Access Tester and the OAM Server" on page 26-16. Protected Resource URI Provides information about a resource whose protected status needs to be validated. The Validate button is used to submit the Validate Resource server request. See also: "Validating Resource Protection from the Access Tester Console" on page 26-18. User Identity Provides information about a user whose credentials need to be authenticated. The Authenticate button is used to submit the Authenticate User server request. See also: "Testing User Authentication from the Access Tester Console" on page 26-20. Status Messages Provides a scrollable status message area containing messages displayed by the application in response to user gestures. The Authorize button is used to submit the Authorize User server request. See also: "Observing Request Latency" on page 26-24. Validating Connectivity and Policies Using the Access Tester 26-13 Introduction to the Access Tester Console and Navigation Text fields support right-clicking to display the Edit menu and drag-and-drop operations using the mouse and cursor. There are four primary buttons through which you submit test requests to the OAM Server. Each button acts as a trigger to initiate the named action described in Table 26–4. Table 26–4 Command Buttons in Access Tester Panels Panel Button Description Connect Submits connection information and initiates connecting. Validate Submits information provided in the Protected Resource URI panel and initiates validation of protection. Authenticate Submits information provided in the User Identity panel and initiates authentication confirmation. Authorize Submits information provided in the User Identity panel and initiates authorization confirmation. See Also: "Access Tester Menus and Command Buttons" 26.4.1 Access Tester Menus and Command Buttons Table 26–5 identifies additional Access Tester Console buttons and their use. All command buttons provide a tip when the cursor is on the button. Table 26–5 Additional Access Tester Buttons Command Buttons Description Open Folder Loads connection configuration details that were saved to an XML file (config.xml, by default). You can refresh the information in the Console by clicking this button. Disk Saves connection configuration details to a file (default name, config.xml). You can add the name of this document to the input script to provide proper connection information to the Access Tester running in command line mode. The Save command button at the bottom of the Console saves the content of the Status Message panel to a log file. Eraser Clears fields on a panel containing the icon. Tool bar action clears all fields except connection fields if the connection has already been established. Blue Up Arrows Captures the last named request to the capture queue with the corresponding response received from the OAM Server. Together, the request and response create a test case. The capture queue status at the bottom of the Console is updated to reflect the number of test cases in the queue. You can save the contents of the capture queue to create a test script containing multiple test cases using the Generate Script command on the Test menu or a command button. Paper Scroll Generates a test script that includes every test case currently in the capture queue, and asks if the queue should be cleared. Do not clear the queue until all your test cases have been captured and saved to a test script. Paper Scroll with right facing arrow Runs a test script against the current OAM Server. The Status message window is populated with the execution status as the script progresses through each test case. Globe with right facing red arrow Imports a copied URI from the clipboard after parsing it to populate fields in the URI panel. Question Mark Displays a dialog showing the password in clear text 26-14 Administrator's Guide for Oracle Access Management Testing Connectivity and Policies from the Access Tester Console The Access Tester provides the menus described in Table 26–6. All menu items have mnemonics that are exposed by holding down the ALT key (on Windows systems). There are also command accelerators (keyboard activation) available using the CTRL- combination defined for each menu command. Table 26–6 Access Tester Menus Menu Title Menu Commands File ■ Open Configuration ■ Save Configuration ■ Exit Note: To minimize the amount of data entry the Save Configuration and Open Configuration menu (and tool bar command buttons) allow for specific Connection, URI, and Identity information to be saved to (and read from) a file. Thus, it becomes fairly simple to manage multiple configurations. Also, the configuration file can be used as input to the Access Tester when you run it in command line mode and execute a test script. Edit Provides standard editing commands, which act on fields: Test ■ Cut ■ Copy ■ Paste ■ Clear all fields ■ Import URI fields from a saved URL ■ Capture last "..." request (for example, Capture last "authorize" request) ■ Save test script ■ Run test script Note: You can use functions here to capture the last request and response to create a test case that you can save to a test script to be run at a later time. Help The command About, which displays usage information. 26.5 Testing Connectivity and Policies from the Access Tester Console This section describes how to perform quick spot checks using the Access Tester in Console mode with OAM Servers. Spot checks or troubleshooting connections between the Agent and OAM Server can help you assess whether the Agent can communicate with the OAM Server, which is especially helpful after an upgrade or product migration. Spot checks or troubleshooting resource protection that can be exercised by Agents and OAM Servers can help you develop end-to-end tests of policy configuration during the application lifecycle. The following overview identifies the tasks and sequence to be performed and where to locate additional information about each task. You can capture each request and response pair to create a test case, and save the test cases to a script file that can be run later. For details, see "Creating and Managing Test Cases and Scripts" on page 26-24. Note: Task overview: Performing spot checks from the Access Tester Console 1. Start the Access Tester, as described in "Installing and Starting the Access Tester" on page 26-8. Validating Connectivity and Policies Using the Access Tester 26-15 Testing Connectivity and Policies from the Access Tester Console 2. Add relevant details to the Server Connection panel and click Connect, as described in "Establishing a Connection Between the Access Tester and the OAM Server" on page 26-16. 3. Enter or import details into the Protected Resource URI pane and click Validate, as described in "Validating Resource Protection from the Access Tester Console" on page 26-18. 4. Add relevant details to the User Identity panel and click Authenticate, as described in "Testing User Authentication from the Access Tester Console" on page 26-20. 5. After successful authentication, click Authorize in the User Identity panel, as described in "Testing User Authorization from the Access Tester Console" on page 26-23. 6. Check the latency of requests, as described in "Observing Request Latency" on page 26-24. 26.5.1 Establishing a Connection Between the Access Tester and the OAM Server Before you can send a request to the OAM Server you must establish a connection between the Access Tester and the server. This section describes how to establish that connectivity. ■ About the Connection Panel ■ Connecting the Access Tester with the OAM Server 26.5.1.1 About the Connection Panel You enter required information for the OAM Server and the Agent you are emulating in the Access Tester Connection panel and then click the Connect button. The Tester initiates the connection, and displays the status in the Status Messages panel. Once the connection is established, it is used for all further operations. Caution: Once the connection is established, it cannot be changed until you restart the Access Tester Console. Figure 26–4 illustrates the Server Connection panel and controls. This panel contains information needed to establish a connection to the OAM Server's Proxy port. Figure 26–4 Server Connection Panel in the Access Tester Table 26–7 describes the information needed to establish the connection. The source of your values is the Oracle Access Management Console, System Configuration tab. 26-16 Administrator's Guide for Oracle Access Management Testing Connectivity and Policies from the Access Tester Console Table 26–7 Connection Panel Information Fields Description IP Address The IP Address of the Primary and Secondary OAM Proxy listens on for this set of tests. Note: Oracle recommends that you enter values for only the Primary OAM Proxy. The Secondary OAM Proxy is needed only if you want to test failover between the primary and secondary OAM Server. However, a more practical use of the Secondary Server is reserved for later use, when the OAP API supports load balancing between Primary and Secondary OAM Server. Port Enter the port number of the Primary and Secondary OAM Server. Max Conn The maximum number of physical connection (TCP) sockets the Access Tester will use. Access Tester emulates a single threaded Agent. Note: Oracle recommends that you accept the default value, 1. Min Conn The minimum number of physical connection (TCP) sockets the Access Tester will use. The Access Tester emulates a single threaded Agent. Note: Oracle recommends that you accept the default value, 1. Timeout The number of milliseconds the Access Tester should wait for the connection to be established or to receive a response from the OAM Server. Note: Oracle recommends that you accept the default value. Mode The level of communication security that is designated for the Agent to be emulated. ■ ■ ■ Open--No special configuration needed for this mode. Simple--Presents a field for the global pass phrase set for the OAM Server. See Also: "Retrieving the Global Passphrase for Simple Mode" on page C-14. Cert--Presents a Configure Certs ... button that opens a dialog asking for the following: Trust Store (Root Store Alias): A file containing the JKS key store with the root CA certificate. Key Store: A file containing the JKS key store with the agent's private key and certificate. Currently, the agent certificate is used for encrypting the connection and not the agent identification. Key Store Password: The password used to encrypt the Key Store with the agent certificates. See Also: "About Access Tester Security and Processing" on page 26-5, and "Generating Client Keystores for OAM Tester in Cert Mode" on page C-5. Agent ID Enter the identity of the OAM Agent the Tester is simulating. Agent Password Enter the password for the OAM Agent the Tester is simulating, if there is one configured. Question Mark Click ? beside the Agent Password field for help. Green Check Mark The green check mark beside the Connect button indicates a "Yes" response; the connection is made. The Status Messages panel also indicates a "Yes" response for the connection. X in red circle The red circle beside the Connect button indicates a "No" response; no connection exists. The Status Messages panel also indicates a "No" response for the connection. After entering information and establishing a connection, you can save details to a configuration file that can be re-used later. See Also: "Establishing a Connection Between the Access Tester and the OAM Server" Validating Connectivity and Policies Using the Access Tester 26-17 Testing Connectivity and Policies from the Access Tester Console 26.5.1.2 Connecting the Access Tester with the OAM Server Use the following procedure to submit your connection details for the OAM Server. Cert mode requires the presence of keystores generated as described in Appendix C, "Securing Communication" Note: Prerequisites Installing and Starting the Access Tester See Also: "About the Connection Panel" To test connectivity between the Access Tester and the OAM Server 1. Start the Access Tester, as described in "Installing and Starting the Access Tester" on page 26-8. 2. In the Server Connection Panel (Table 26–7), enter: ■ Primary and secondary OAM Proxy details ■ Timeout period ■ Communication encryption mode ■ Agent details 3. Click the Connect button. 4. Beside the Connect button, look for the green check mark indicating the connection is established. 5. In the Status Messages panel, verify a Yes response. Not Successful: If there is a problem connecting to the OAM Server, ensure that you entered all connection information correctly (IP address and port, Agent name and password, connection mode and related certificates and passwords, as needed). If the connection still cannot be made, start the Access Tester Console using the Trace Connection command mode and look for additional details in the connection log. Also, ask the Administrator of the OAM Server to review the policy server log. 26.5.2 Validating Resource Protection from the Access Tester Console Before a user can access a resource, the Agent must first validate that the resource is protected. Using the Access Tester, you can act as the Agent to have the OAM Server validate whether or not the given URI is protected and communicate the response to the Access Tester, as described here. ■ About the Protected Resource URI Panel ■ Validating Resource Protection 26.5.2.1 About the Protected Resource URI Panel You must enter required information for the resource you want to validate in the Access Tester Protected Resource URI panel, and then click the Validate button. 26-18 Administrator's Guide for Oracle Access Management Testing Connectivity and Policies from the Access Tester Console To minimize data entry, you can import long URIs that you have copied from a browser and then click the Import URI command button. The Tester parses the URI saved to the clipboard and populates the URI fields in the Access Tester. Figure 26–5 illustrates the panel where you enter the URI details to validate that the resource is protected. When combined, the URI fields follow RFC notation. For example: http://oam_server1:7777/index.html. Figure 26–5 Protected Resource URI Panel in the Access Tester Table 26–8 describes the information needed to perform this validation. Table 26–8 Protected Resource URI Panel Fields and Controls Field or Control Description Scheme Enter http or https, depending on the communication security specified for the resource. Note: The Access Tester supports only http or https resources. You cannot use the Access Tester to test policies that protect custom non-http resources. Host Enter a valid host name for the resource. Note: Your combination specified in the Access Tester must match one of the Host Identifiers defined in the Oracle Access Management Console. If the host identifier is not recognized, OAM cannot validate resource protection. Port Enter a valid port for the URI. Note: The combination specified in the Access Tester must match one of the Host Identifiers as defined in the OAM Server. If the host identifier is not recognized, OAM cannot validate resource protection. Resource Enter the Resource component of the URI (/index.htm in the example). This resource should match a resource defined for an authentication and authorization policy in the Oracle Access Management Console. Note: If protected, the resource identifier that you provide here must match the one specified in an authorization policy in the Oracle Access Management Console. Globe with red arrow Click this button to parse and import a URI that is saved on a clipboard. Operation Select the operational component of the URI from the list provided in the Access Tester. The OAM Server does not distinguish between different actions, however. Therefore, leaving this set to Get should suffice. Get Auth Scheme Check this box to request the OAM Server to return details about the Authentication Scheme that is used to secure the protected resource. If the URI is protected, this information is displayed in the Status Messages panel. Validate Click the Validate button to submit the request to the OAM Server. When the response is received, the Access Tester displays it in the Status Messages panel. Validating Connectivity and Policies Using the Access Tester 26-19 Testing Connectivity and Policies from the Access Tester Console Table 26–8 (Cont.) Protected Resource URI Panel Fields and Controls Field or Control Description Green Check Mark A green check mark appearing beside the Validate button indicates a "Yes" response; the resource is protected. The Status Messages panel provides the redirect URL for the resource and that credentials are expected. Note: If you checked the Get Auth Scheme box, the name and level of the Authentication Scheme that protects this resource are also provided in the Status Messages panel. X in red circle A red circle appearing beside the Validate button indicates that the resource is not protected. A No response will also appear in the Status Messages. You can capture each request and response pair to create a test case, and save multiple test cases to a script file that can be run later. See Also: ■ "Validating Resource Protection from the Access Tester Console" ■ "Creating and Managing Test Cases and Scripts" on page 26-24 26.5.2.2 Validating Resource Protection Use the following procedure to submit your resource information to the OAM Server and verify responses in the Status Messages panel. Prerequisites Establishing a Connection Between the Access Tester and the OAM Server See Also: "About the Protected Resource URI Panel" To confirm that a resource is protected 1. In the Access Tester Protected Resource URI panel, enter or import your own resource information (Table 26–8). 2. Click the Validate button to submit the request. 3. Review Access Tester output, including the relevant data about the resource such as how the resource is protected, level of protection, and so on. 4. Beside the Validate button, look for the green check mark indicating the resource is protected. 5. In the Status Messages panel, verify the redirect URL, authentication scheme, and that credentials are expected. 6. Capture the request and response to create a test case for use later, as described in "Creating and Managing Test Cases and Scripts" on page 26-24. 7. Retain the URI to minimize data entry and server processing using one of the following methods. 8. Proceed to "Testing User Authentication from the Access Tester Console" 26.5.3 Testing User Authentication from the Access Tester Console This topic provides the following information: ■ About the User Identity Panel 26-20 Administrator's Guide for Oracle Access Management Testing Connectivity and Policies from the Access Tester Console ■ Testing User Credential Authentication 26.5.3.1 About the User Identity Panel Before a user can access a resource, the Agent must validate the user's identity based on the defined authentication policy on the OAM Server. Using the Access Tester, you can act as the Agent to have the OAM Server authenticate a specific userID for the protected resource. All relevant authentication responses are considered during this policy evaluation. Figure 26–6 illustrates the Access Tester panel where you enter the information needed to test authentication. Figure 26–6 Access Tester User Identity Panel Table 26–9 describes the information you must provide. Table 26–9 Access Tester User Identity Panel Fields and Controls Field or Control Description IP Address Enter the IP Address of the user whose credentials are being validated. All Agents communicating with the OAM Server send the IP address of the end user. Default: The IP address that is filled in belongs to the computer from which the Access Tester is run. To test a policy that requires a real user IP address, replace the default IP address with the real IP address. User Name Enter the userID of the individual whose credentials are being validated. Note: The Access Tester enables or disables the username and password fields if the resource is protected by an authentication scheme that requires those credentials. Similarly the Access Tester enables or disables the certificate field if the resource is protected by an authentication scheme that requires a user's X509 certificate. Password Enter the password of the individual whose credentials are being validated. ? Click this button to display the password in clear text within a popup window. User Certificate Store The PEM format file containing the X.509 certificate of the user whose credentials should be authenticated. If the URI is protected by the X509 Authentication Scheme then the Tester will use the PEM-formatted X509 certificate as a credential instead of or in addition to the username/password. The X509 cert may also be used for authorization if security policies are so configured on the OAM Server. Note: For certificate-based authentication to work, the OAM Server must be properly configured with root CA certificates and SSL keystore certificates. See Appendix C for details about securing communication between OAM Servers and Webgates. ... Click this button to browse the file system for the user certificate store path. Validating Connectivity and Policies Using the Access Tester 26-21 Testing Connectivity and Policies from the Access Tester Console Table 26–9 (Cont.) Access Tester User Identity Panel Fields and Controls Field or Control Description Authenticate Click the Authenticate button to submit the request to the OAM Server and look for a response in the Status Messages panel. Note: The type of credentials supplied (username/password or X.509 certificate) must match the requirements of the authentication scheme that protects the URI. Note: For certificate-based authentication, the OAM Server deployment must be properly configured with certificates as described in Appendix C. Authorize After the user's credentials are validated, you can click the Authorize button to submit the request for the resource to the OAM Server. Check the Status Messages panel for a response. This request submits information collected in the URI and Identity panels to the OAM Server to decide if the user defined on the Identity panel can access the resource defined on the URI panel. The server returns Yes (user can access the resource) or No (user can not access the resource). The OAM Server might return additional information such as actions (responses) that the real Agent would normally handle. Green Check Mark A green check mark appearing beside the Authenticate button indicates authentication success; The Status Messages panel also indicates "yes" authentication was successful, and provides the user DN and session id. A green check mark appearing beside the Authorize button indicates authorization success; The Status Messages panel also indicates "yes" authorization was successful, and provides Application Domain details. X in red circle A red circle appearing beside the Authenticate button indicates authentication failure; The Status Messages panel also indicates "no" authentication was not successful. A red circle appearing beside the Authorize button indicates authorization failure; The Status Messages panel also indicates "no" authorization was not successful. You can capture each request and response pair to create a test case, and save multiple test cases to a script file that can be run later. See Also: ■ "Testing User Authentication from the Access Tester Console" ■ "Creating and Managing Test Cases and Scripts" on page 26-24 26.5.3.2 Testing User Credential Authentication Use the following procedure to submit the end user credentials to the OAM Server and verify authentication. All relevant authentication responses are considered during this policy evaluation. Prerequisites Validating Resource Protection from the Access Tester Console with URI information retained in the Console. See Also: "About the User Identity Panel" To test user credential authentication In the Access Tester User Identity panel, enter information for the user to be authenticated (Table 26–9). 1. 2. Click the Authenticate button to submit the request. 3. Beside the Authenticate button, look for the green check mark indicating the user is authenticated. 26-22 Administrator's Guide for Oracle Access Management Testing Connectivity and Policies from the Access Tester Console Not Successful: Confirm that you entered the correct userID and password and try again. Also, check the Oracle Access Management Console for an active user session that you might need to end, as described in Chapter 16. 4. Capture the request and response to create a test case for use later, as described in "Creating and Managing Test Cases and Scripts" on page 26-24. 5. Retain the URI and user identity information and proceed to "Testing User Authorization from the Access Tester Console". 26.5.4 Testing User Authorization from the Access Tester Console Before a user can access a resource, the Agent must validate the user's permissions based on defined policies on the OAM Server. Using the Access Tester, you can act as the Agent to have the OAM Server validate whether or not the authenticated user identity can be authorized to access the resource. Use the following procedure to verify the authenticated end user's authorization for the resource. All relevant authorization conditions and responses are considered during this policy evaluation. Prerequisites Testing User Authentication from the Access Tester Console with all information retained in the Console. See Also: "About the User Identity Panel" Once the protected resource URI is confirmed and the user's identity is authenticated from the Access Tester, no further information is needed. You simply click the Authorize button to submit the request. However, if the resource is changed to another you must start the sequence anew and validate, then authenticate, and then authorize. Note: To test user authorization In the Access Tester User Identity panel, confirm the user is authenticated (Table 26–9). 1. 2. In the Access Tester User Identity panel, click the Authorization button. 3. Beside the Authorization button, look for the green check mark indicating the user is authorized. Not Successful: Confirm the authorization policy using the Oracle Access Management Console. 4. In the Status Messages panel (or execution log file), verify details about the test run. 5. Capture the request and response to create a test case for use later, as described in "Creating and Managing Test Cases and Scripts" on page 26-24. 6. Proceed to: ■ Observing Request Latency ■ Creating and Managing Test Cases and Scripts ■ Evaluating Scripts, Log File, and Statistics Validating Connectivity and Policies Using the Access Tester 26-23 Creating and Managing Test Cases and Scripts 26.5.5 Observing Request Latency To understand OAM Server performance you must know how well the OAM Server handles requests passed by the Agent. While there are many ways to expose a server's metrics, it is sometimes useful to expose server performance from the standpoint of the Agent. Using the Access Tester, you can do just that as described here. Prerequisites "Installing and Starting the Access Tester" on page 26-8 Task overview: Observing request latency includes 1. "Validating Resource Protection" on page 26-20 2. "Testing User Authentication from the Access Tester Console" on page 26-20 3. "Testing User Authorization from the Access Tester Console" on page 26-23 4. Check latency information in the execution log file as shown here, as well as in other files generated during a test run. For example: ... [2/3/12 [2/3/12 [2/3/12 [2/3/12 187ms [2/3/12 ... 5. 11:03 11:03 11:03 11:03 PM][info] PM][info] PM][info] PM][info] Summary statistics Matched 4 of 4, avg latency 232ms vs 238ms Validate: matched 2 of 2, avg latency 570ms vs 578ms Authenticate: matched 1 of 1, avg latency 187ms vs 11:03 PM][info] Authorize: matched 1 of 1, avg latency 172ms vs 188ms Proceed to: ■ Creating and Managing Test Cases and Scripts ■ Evaluating Scripts, Log File, and Statistics 26.6 Creating and Managing Test Cases and Scripts Test management refers to the creation of repeatable tests that can be executed at any time by an individual Administrator or system. Quick spot checks are very useful and effective in troubleshooting current issues. However, a more predictable and repeatable approach to validating server and policy configuration is often necessary. This approach can include testing OAM Server configuration for regressions after a product revision, or during a policy development and QA cycle. To be useful such tests must allow for multiple use cases to be executed as group. Once the test scripts have been designed and validated as correct, replaying the tests against the OAM Server helps identify regressions in a policy configuration. This section provides the information you need to perform test management in the following topics: ■ About Test Cases and Test Scripts ■ Capturing Test Cases ■ Generating an Input Test Script ■ Personalizing an Input Test Script ■ Executing a Test Script 26-24 Administrator's Guide for Oracle Access Management Creating and Managing Test Cases and Scripts 26.6.1 About Test Cases and Test Scripts A test case is created from the request sent to, and response data received from, the OAM Server using the Access Tester. Among other data elements, a test case includes request latency and other identifying information that enables analysis and comparison of old and new test cases. Once captured, the test case can be replayed without new input, and then new results can be compared with old results. If the old results are marked as "known good" then deviations from those results constitute failed test cases. The test case workflow is illustrated by Figure 26–7. Figure 26–7 Test Case Workflow Task overview: Creating and managing a test case From the Access Tester Console, you can connect to the OAM Server and manually conduct individual tests. You can save the request to the capture queue after a request is sent and the response is received from the OAM Server. You can continue capturing additional test cases before generating a test script and clearing the capture queue. If you exit the Access Tester before saving the capture queue, you are asked if the test cases should be saved to a script before exiting. Oracle recommends that you do not clear the queue until all your test cases have been captured. Once you have the test script, you can run it from either the Access Tester Console or from the command line. 26.6.2 Capturing Test Cases You can save each test case to a capture queue after sending the request from the Access Tester to the OAM Server and receiving the response. You can capture as many individual test cases as you need before generating a test script that will automate running the group of test cases. For instance, the following outlines three test cases that must be captured individually: ■ A validation request and response ■ An authentication request and response Validating Connectivity and Policies Using the Access Tester 26-25 Creating and Managing Test Cases and Scripts ■ An authorization request and response Table 26–10 describes the location of the capture options. Table 26–10 Access Tester Capture Request Options Location Description Test menu Select this command from the Test menu to add the last request issued and results received to the capture queue (for inclusion in a test script later). Capture last "..." request Blue up arrow Select this command button from the tool bar to add the last request issued and results received to the capture queue (for inclusion in a test script later). If you exit the Access Tester before saving the capture queue, you are asked if the test cases should be saved to a script before exiting. Do not clear the Access Tester capture queue until all your test cases have been captured. To capture one or more test cases Initiate a request from the Access Tester Console, as described in "Testing Connectivity and Policies from the Access Tester Console" on page 26-15. 1. 2. After receiving the response, click the Capture last "..." request command button in the tool bar (or choose it from the Test menu). 3. Confirm the capture in the Status Messages panel and note the Capture Queue test case count at the bottom of the Console. 4. Repeat steps 1, 2, and 3 to capture in the queue each test case that you need for your test script. 5. Proceed to "Generating an Input Test Script". 26.6.3 Generating an Input Test Script A test script is a collection of individual test cases that were captured using the Access Tester Console. When individual test cases are grouped together, it becomes possible to automate test coverage to validate policy configuration for a specific application or site. You can create a test script to be used as input to the Access Tester and drive automated processing of multiple test cases. The Generate Script option enables you to create an XML file test script and clear the capture queue. If you exit the Access Tester before saving the capture queue, you are asked if the test cases should be saved to a script before exiting. Do not clear the capture queue until you have captured all the test cases you want to include in the script. Note: 26.6.3.1 About Generating an Input Test Script You can create a test script to be used as input to the Access Tester and drive automated processing of multiple test cases. Such a script must follow these rules: ■ ■ Allows possible replay by a person or system Allows possible replay against different policy servers w/o changing the script, to enable sharing of test scripts to drive different Policy Servers 26-26 Administrator's Guide for Oracle Access Management Creating and Managing Test Cases and Scripts ■ Allows comparison of test execution results against "Known Good" results Following are the locations of the Generate Script command. Table 26–11 Generate Script Command Location of the Command Description Test menu Select Generate Script from the Test menu to initiate creation of the script containing your captured test cases. Generate Script Paper Script Scroll Select the Generate Script command button from the tool bar to initiate creation of the script containing your captured test cases. After you specify or select a name for your script, you are asked if the capture queue should be cleared. Do not clear the capture queue until all your test cases are saved to a script. 26.6.3.2 Generating an Input Test Script Prerequisites Capturing Test Cases To record a test script containing captured test cases 1. Perform and capture each request that you want in the script, as described in "Capturing Test Cases" on page 26-25. 2. Click the Generate Script command button in the tool bar (or choose it from the Test menu to include all captured test cases. 3. In the new dialog box, select or enter the name of your new XML script file and then click Save. 4. Click Yes to overwrite an existing file (or No to dismiss the window and give the file a new name). 5. In the Save Waning dialog box, click No to retain the capture queue and continue adding test cases to your script (or click Yes to clear the queue of all test cases). 6. Confirm the location of the test script before you exit the Access Tester. 7. Personalize the test script to include details such as who, when, and why the script was developed, as described next. 26.6.4 Personalizing an Input Test Script This section describes how to personalize and customize a test script. ■ About Customizing a Test Script ■ Customizing a Test Script 26.6.4.1 About Customizing a Test Script The control block of a test script is used to tag the script and specify information to be used during the execution of a test. You might want to include details about who created the script and when and why the script was created. You might also want to customize the script using one or more control parameters. The Access Tester provides command line "control" parameters to change processing of the script without changing the script. (test name, test number, and so on). This enables you to configure test runs without having to change "known good" input test scripts. Table 26–12 describes the control elements and how to customize these. Validating Connectivity and Policies Using the Access Tester 26-27 Creating and Managing Test Cases and Scripts Table 26–12 Test Script Control Parameters Control Parameter Description ignorecontent=true Ignores differences in the Content section of the use case when comparing the original OAM Server response to the current response. The default is to compare the Content sections. This parameter can be overwritten by a command line property when running in the command line mode. Default: false (Compare Content sections). Values: true or false In command line mode, use ignorecontent=true to over ride the specified value in the Control section of the input script. testname="oamtest" Specifies a prefix to add to file names in the "results bundle" as described in the previous section. In command line mode, use Testname=name to over ride the specified value in the Control section. configfile="config.xml" Specifies the absolute path to a configuration XML file that was previously created by the Access Tester. In command line mode, this file is used by the Access Tester to locate connection details to establish a server connection. numthreads="1" Indicates the number of threads (virtual clients) that will be started by the Access Tester to run multiple copies of the test script. Each thread opens its own pool of connections to the policy server. This feature is designed for stress testing the Policy Server, and is available only in command line mode. Default: 1 Note that when running a test script in GUI mode, the number of threads is ignored and only one thread is started to perform a single iteration of the test script. numiterations="1" Indicates the number of iterations that will be performed by the Access Tester. This feature is designed for stress testing and longevity testing the Policy Server and is available only in command line mode. Default: 1 26.6.4.2 Customizing a Test Script Prerequisites Generating an Input Test Script To customize a test script 1. Locate and open the test script that was generated by the Access Tester. 2. Add any details that you need to customize or personalize the script. 3. Save the file and proceed to "Executing a Test Script". 26.6.5 Executing a Test Script Once a test script has been created against a "Known Good" policy configuration and marked as "Known Good", it is important to drive the Access Tester using the script rather than specifying each test manually using the Console. This section provides the following topics: ■ About Test Script Execution ■ Running a Test Script 26-28 Administrator's Guide for Oracle Access Management Creating and Managing Test Cases and Scripts 26.6.5.1 About Test Script Execution You can interactively execute tests scripts from within the Access Tester Console, or use automated test runs performed by command scripts. Automated test runs can be scheduled by the operating system or a harness such as Apache JMeter, and executed without manual intervention. Other than lack of human input in command line mode, the two execution modes are identical. A script such as .bat (Windows) or .sh (Unix) executes a test script in command line mode. Once a test script is created, it can be executed using either the Run Script menu command or the Access Tester command line. Note: Table 26–13 describes the commands to execute a test script. Table 26–13 Run Test Script Commands Location Description Test menu Select the Run Script command from the Test menu to begin running a saved test script against the current policy server. The Status message panel is populated with the execution status as the script progresses. Run Script Paper Script Scroll with green arrow Select the Run Script command button from the tool bar to begin running a saved test script against the current policy server. The Status message panel is populated with the execution status as the script progresses. Command line mode A script such as .bat (Windows) or .sh (Unix) executes a test script in command line mode. Once a test script is created, it can be executed using either the Run Script menu command or the Access Tester command line. The following overview describes how the Access Tester operates when running a test. Other than lack of human input in command line mode, the two execution modes are identical. Process overview: Access Tester behavior when running a test script 1. The Access Tester loads the input xml file. In command line mode, the Access Tester opens the configuration XML file defined within the input test script's Control element. 2. The Access Tester connects to the primary and secondary OAM Proxy using information in the Server Connection panel of the Console. In command line mode, the Access Tester uses information in the Connection element of the configuration XML file. 3. In command line mode, the Access Tester checks the Control elements in the input script XML file to ensure none have been overwritten on the command line (command line values take precedence). 4. For each original test case defined in the script, the Access Tester: a. Creates a new target test case. b. Sends the original request to the OAM Server and collects the response. c. Makes the following comparisons: Compares the new response to the original response. Validating Connectivity and Policies Using the Access Tester 26-29 Creating and Managing Test Cases and Scripts Compares response codes and marks as "mismatched" any new target test case where response codes differ from the original test case. For instance, if the original Validate returned "Yes", and now returns "No", a mismatch is marked. When response codes are identical, and "the ignorecontent" control parameter is "false", the Access Tester compares Content (the name of the Authentication scheme or post authorization actions that are logged after each request). If Content sections differ, the new target test case is marked "mismatched". 5. d. Collect new elapsed time and store it in the target use case. e. Build a new target test case containing the full state of the last server request and the same unique ID (UUID) as the original test case. f. Update the internal statistics table with statistics for the target test case (request type, elapsed time, mismatched, and so on). After completing all the input test cases, the Access Tester: a. Displays summary results. b. Obtains and combines the testname and testnumber, and generates a name for the "results bundle" (three files whose names start with _ . Note: Shell scripts can automate generating the bundle by providing testname and testnumber command line parameters. Obtain testname from the command line parameter. If not specified in the command line, use the testname element of the input script's Control block. Obtain testnumber from the command line parameter. If not specified, testnumber defaults to a 7-character numeric string based on the current local time: 2 character minutes, 2 character seconds, 3 character hundredths. c. Generates the "results bundle": three files whose names start with _ : The target XML script contains the new test cases: __ _ http oam_server1 7777 /index.html Get admin1 00030d05101b050c42 111.222.3.4 26-32 Administrator's Guide for Oracle Access Management Evaluating Scripts, Log File, and Statistics 26.7.3 About the Generated Input Test Script The input test script is generated by using the Access Tester and capturing your own test cases. The "configfile" attribute of the "Control" element is updated after creation to specify the connection configuration file to be used in command line mode for establishing a connection to the OAM Server. Example 26–2 Generated Input Test Script http oam_server1 7777 /index.html Get Major code: 4(ResrcOpProtected) Minor code: 2(NoCode) LDAPScheme 2 2 http://emerald.uk.example.com:14100/oam/server/ http oam_server1 7777 /index.html Get weblogic 00030d05101b050c42 192.168.1.8 Major code: 10(CredentialsAccepted) Minor code: Validating Connectivity and Policies Using the Access Tester 26-33 Evaluating Scripts, Log File, and Statistics 2(NoCode) cn=weblogic,dc=uk,dc=example,dc=com http oam_server1 7777 /index.html Get weblogic 00030d05101b050c42 192.168.1.8 Major code: 8(Allow) Minor code: 2(NoCode) http oam_server1 7777 /index.html Get Major code: 4(ResrcOpProtected) Minor code: 2(NoCode) 26.7.4 About the Target Output File Containing Test Run Results This example was generated by running the Access Tester in command line mode and specifying the script.xml file as input to execute the 4 captured test cases: Dscript.scriptfile="script.xml" -jar oamtest.jar Notice the various sections in Example 26–3. As shown in the execution log, this test run found no mismatches, and shows that 4 out of 4 requests matched. 26-34 Administrator's Guide for Oracle Access Management Evaluating Scripts, Log File, and Statistics Example 26–3 Output File Generated During a Test Run http oam_server1 7777 /index.html Get Major code: 4(ResrcOpProtected) Minor code: 2(NoCode) LDAPScheme 2 2 http://emerald.uk.example.com:14100/oam/server/ http oam_server1 7777 /index.html Get weblogic 00030d05101b050c42 111.222.3.4 Major code: 10(CredentialsAccepted) Minor code: 2(NoCode) cn=weblogic,dc=us,dc=oracle,dc=com Validating Connectivity and Policies Using the Access Tester 26-35 Evaluating Scripts, Log File, and Statistics http oam_server1 7777 /index.html Get weblogic 00030d05101b050c42 111.222.3.4 Major code: 8(Allow) Minor code: 2(NoCode) http oam_server1 7777 /index.html Get Major code: 4(ResrcOpProtected) Minor code: 2(NoCode) 26.7.5 About the Statistics Document The statistics file (_stats.xml) is generated together with the target output script during the test run identified in the Execution log. The script.xml file was used as input to execute the 4 captured test cases. The test run found no mismatches, and shows that 4 out of 4 requests matched. A sample statistics document is shown in Example 26–4. The various sections that provide statistics for this run, which you can compare against statistics for an earlier "known good" run. Example 26–4 Sample Statistics Document A sample statistics document is shown here. Notice, 26-36 Administrator's Guide for Oracle Access Management Evaluating Scripts, Log File, and Statistics 4 4 238232 2 2 578 570 1 1 187 187 1 1 188 172 2 0 0 0 1156 1 0 0 0 187 1 0 0 0 188 2 0 0 0 1140 1 0 Validating Connectivity and Policies Using the Access Tester 26-37 Evaluating Scripts, Log File, and Statistics 0 0 187 1 0 0 0 172 26.7.6 About the Execution Log This sample execution log was generated together with the target output script during a test run using script.xml to execute 4 test cases. The test run found no mismatches, and shows that 4 out of 4 requests matched. As you review this example, notice the information provided which is the same as the information you see in the Status Messages panel of the Access Tester. Notice the test cases, test name, connection configuration file, agent name, connection status, request validation status, authentication scheme, redirect URL, credentials expected, authentication status and user DN, session ID, authorization status, validation status, and summary statistics. Also notice that the target script and statistics document were generated by this run. Example 26–5 Execution Log [2/3/12 11:02 PM][info] Setting up to run script 'script.xml' [2/3/12 11:02 PM][info] Loading test cases and control parameters from script [2/3/12 11:02 PM][info] Loaded 4 cases [2/3/12 11:02 PM][info] Control data for this test run: [2/3/12 11:02 PM][info] Test name : 'samplerun1' [2/3/12 11:02 PM][info] Configuration file : 'config.xml' [2/3/12 11:02 PM][info] Ignore content : 'false' [2/3/12 11:02 PM][info] Loading server configuration from file [2/3/12 11:02 PM][info] Loaded server configuration [2/3/12 11:02 PM][info] Connecting to server as agent 'oam_agent1' [2/3/12 11:03 PM][info][request] Connect : Yes ... [2/3/12 11:03 PM][info] Test 'samplerun1' will process 4 cases [2/3/12 11:03 PM][info][request] Validate : Yes [2/3/12 11:03 PM][info] Authentication scheme : LDAPScheme, level : 2 [2/3/12 11:03 PM][info] Redirect URL : http://oam_server1.uk.example.com:2100/server/ [2/3/12 11:03 PM][info] Credentials expected: 0x01 (password) [2/3/12 11:03 PM][info][request] Authenticate : Yes [2/3/12 11:03 PM][info] User DN : cn=admin1,dc=us,dc=company,dc=com [2/3/12 11:03 PM][info] Session ID : -1 [2/3/12 11:03 PM][info][request] Authorize : Yes [2/3/12 11:03 PM][info][request] Validate : Yes [2/3/12 11:03 PM][info] Summary statistics [2/3/12 11:03 PM][info] Matched 4 of 4, avg latency 232ms vs 238ms [2/3/12 11:03 PM][info] Validate: matched 2 of 2, avg latency 570ms vs 578ms [2/3/12 11:03 PM][info] Authenticate: matched 1 of 1, avg latency 187ms vs 187ms 26-38 Administrator's Guide for Oracle Access Management Evaluating Scripts, Log File, and Statistics [2/3/12 11:03 PM][info] Authorize: matched 1 of 1, avg latency 172ms vs 188ms [2/3/12 11:03 PM][info] Generated target script 'samplerun1_0302171__target.xml' [2/3/12 11:03 PM][info] Generated statistics log 'samplerun1_0302171__stats.xml' Validating Connectivity and Policies Using the Access Tester 26-39 Evaluating Scripts, Log File, and Statistics 26-40 Administrator's Guide for Oracle Access Management 27 Configuring Centralized Logout for Sessions Involving 11g WebGates 27 [2This ] chapter describes Access Manager single logout (also known as global logout) for sessions involving 11g WebGates. With Access Manager, single logout refers to the process of terminating an active session. Oracle recommends using the logout mechanism provided by Access Manager in the manner described in this chapter (not custom logout scripts). This chapter provides the following sections: ■ Prerequisites ■ Introduction to Centralized Logout for Access Manager 11g ■ Configuring Centralized Logout for 11g WebGates ■ Validating Global Sign-On and Centralized Logout See Also: Different agents require different logout implementation steps described as follows: ■ 10g Webgate logout Chapter 30 ■ OSSO Agent (mod_osso) logout Chapter 29 27.1 Prerequisites Before you can perform tasks in this chapter: ■ ■ ■ The application must be deployed on the Web server where the agent is configured and registered with Access Manager One OAM Agent, on any supported Web server and platform, must be running and registered with Access Manager 11g (Chapter 15) Policies must be configured to protect the resource in an Access Manager 11g Application Domain (Chapter 25) 27.2 Introduction to Centralized Logout for Access Manager 11g Unless explicitly stated, information in this chapter applies to OAM 11g WebGate Agents using the default embedded credential collector (ECC). This section provides the following topics: ■ About Centralized Logout for 11g WebGates ■ About Logout Parameters for 11g WebGates Configuring Centralized Logout for Sessions Involving 11g WebGates 27-1 Introduction to Centralized Logout for Access Manager 11g 27.2.1 About Centralized Logout for 11g WebGates Access Manager provides centralized logout (also known as global log out) for sessions. Centralized logout refers to the process of terminating an active session, which means that: ■ ■ Applications must not provide their own logout page for use in an SSO environment. Applications must make their logout links configurable with a value that points to the logout URL specified by the WebGate Administrator. Oracle strongly recommends that applications use the ADF Authentication servlet, which interfaces with OPSS where a domain-wide configuration parameter can be used to specify the logout URL. This way applications need not be modified or redeployed to change logout configuration. Note: Unlike partner applications, external applications (Yahoo! Mail, for example), do not delegate authentication to OAM and do not cede logout control to the OAM single sign-on server. It is the user's responsibility to log out of each of these applications. Table 27–1 describes the circumstances under which centralized logout occurs. When the logout URL is encountered and the cookie is removed (OAMAuthnCookie for 11g Webgates; ObSSOcookie for 10g Webgates). Webgate logs out the user and requires user re-authentication. Table 27–1 Centralized Logout Circumstances Circumstance Description Explicitly The client state is invalidated and the session ends. If a new attempt is made to access the resource, the client must re-authenticate. When the user logs out. When the Administrator terminates the session When the session is terminated based on changes on the identity side Implicitly When no user activity occurs within the defined session timeout period, the user is logged out automatically and redirected back to the partner with a new session ID and a new prompt for credentials. This occurs if no lower-level authentication is configured for the resource. With Access Manager, the user is not logged out if 10g Webgate simply encounters a logout URL unless the logout.html provides an explicit redirection to the Server logout. The Webgate redirects the user to the Server logout. 27.2.2 About Logout Parameters for 11g WebGates Generally speaking, during centralized logout, the SSO Engine receives a user-session-exists request. The Session Management Engine looks up the session and responds with the-session-exists response. The SSO engine sends a Clear Session request. The Session management engine clears the token and session context. The SSO engine then sends a Session Cleared response. Clearing the user token and the session context clears the server-side state, which includes clearing the OAM_ID cookie set on the server side. When the agent is notified, the agent clears the client-side state of the application. Configuring 11g WebGates for logout against OAM Servers requires a Logout Callback URL (Table 15–3). Centralized logout for 11g agents sets the cookie from 27-2 Administrator's Guide for Oracle Access Management Introduction to Centralized Logout for Access Manager 11g loggedout to empty and expires OAMAuthnCookie__ to explicitly clear it during logout, (rather than leaving behind an empty or logged out cookie). 11g WebGates differ only slightly from 10g Webgates, and match only the URI part of Logout Callback URL. The SSO Engine supports the central logout page on the OAM Server and: ■ Calls back to Logout Callback URL of 11g Webgates during logout The WebGate parameter Logout Callback URL can be configured using a URI format (recommended), without host:port. OAM Server dynamically constructs the full URL based on the host:port in the original request and calls back on it. This can also be a full URL format with a host:port, where OAM Server calls back directly without reconstructing callback URL. ■ Lands on end_url (passed in as query parameter) after logout Several elements in the 11g Webgate registration page enable centralized logout for 11g WebGates. After registration, the ObAccessClient.xml file is populated with the information in Table 27–2. Table 27–2 Logout Details After Registration (ObAccessClient.xml) Element Description Logout URL The Logout URL triggers the logout handler, which removes the cookie (ObSSOCookie for 10g Webgates; OAMAuthnCookie for 11g WebGates) and requires the user to re-authenticate the next time he accesses a resource protected by Access Manager. 10g and 11g WebGates ■ ■ If there is a match, the WebGate logout handler is triggered. If Logout URL is not configured the request URL is checked for "logout." and, if found (except "logout.gif" and "logout.jpg"), also triggers the logout handler. Default = [] (not set) Note: This is the standard 10g WebGate configuration parameter used to trigger initial logout through a customized local logout page as described in "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers" on page 30-22. Additional Logout for 11g WebGate Only For 11g WebGate single sign-off behavior, the following elements and values automate the redirect to a central logout URL, callback URL, and end URL. This replaces 10g WebGate single sign-off only through a customized local logout page. Configuring Centralized Logout for Sessions Involving 11g WebGates 27-3 Configuring Centralized Logout for 11g WebGates Table 27–2 (Cont.) Logout Details After Registration (ObAccessClient.xml) Element Description Logout Callback URL The URL to oam_logout_success, which clears cookies during the call back. This can be a URI format without host:port (recommended), where the OAM Server calls back on the host:port of the original resource request. For example: Default = /oam_logout_success This can also be a full URL format with a host:port, where OAM Server calls back directly without reconstructing callback URL. When the request URL matches the Logout Callback URL, Webgate clear its cookies and streams an image .gif in the response. This is similar to OSSO agent behavior. When Webgate redirects to the server logout page, it records an "end" URL as a query parameter (end_url=http://host:port/..."), which becomes the landing page that the OAM Server redirects back to after logout. Note: In the remote registration template this parameter is named logoutCallbackUrl (Table 15–10). Other Oracle Access Management services support the central logout page on the server. The end_ url relies on the target URL query parameter passed from OPSS integrated applications. See Also: "Configuring Centralized Logout for Oracle ADF-Coded Applications" on page A-7. Logout Redirect URL This parameter is automatically populated after agent registration completes. By default, this is based on the OAM Server host name with a default port of 14200. For example: Default = http://OAMServer_host:14200/oam/server/logout The Logout URL triggers the logout handler, which removes the OAMAuthnCookie__ and requires the user to re-authenticate the next time he accesses a resource protected by Access Manager. When Webgate logout handler is triggered, it redirects to the central logout page specified by the Logout Redirect URL parameter if it is configured. ■ If this is explicitly cleared (and not configured), then 10g behavior is triggered. The local logout page can have a customized script to redirect to the central logout page and can clear additional 3rd party cookies if desired. ■ Logout Target URL The value for this is name for the query parameter that the OPSS applications passes to Webgate during logout. This query parameter specifies the target URL of the landing page after logout. Default: end_url Note: The end_url value is configured using param.logout.targeturl in jps-config.xml. If Logout Target URL is configured, Webgate searches for the value passed in the logout request's query parameter and passes it as end_url query parameter in the redirect URL to OAM Server. ■ If Logout Target URL is not configured, Webgate searches for the default name "end_url" and passes that end_url query parameter along. ■ 27.3 Configuring Centralized Logout for 11g WebGates This section provides the following topics: ■ Configuring Centralized Logout for 11g WebGates When the ECC is Used ■ Configuring Logout When Using Detached Credential Collector-Enabled WebGate See Also: ■ ■ ■ "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers" on page 30-22 "Configuring Logout for OSSO Agents with Access Manager 11.1.2" on page 29-16 "Configuring Centralized Logout for Oracle ADF-Coded Applications" on page A-7 27-4 Administrator's Guide for Oracle Access Management Configuring Centralized Logout for 11g WebGates 27.3.1 Configuring Centralized Logout for 11g WebGates When the ECC is Used During 11g Resource WebGate registration or editing, you configure the logout parameters as described here. If the LogOutUrl parameter is already configured for the 11g WebGate (with a value other than /oamsso/logout.html), then ensure that is also present as part of the LogOutUrl parameter. Note: See Also: "Configuring Logout When Using Detached Credential Collector-Enabled WebGate" on page 27-6 To configure centralized logout for 11g WebGates 1. Choose your method for registration described in Chapter 15, "Registering and Managing OAM 11g Agents" 2. When creating or editing an agent registration, include appropriate logout values for your environment (Table 27–2): ■ Logout URL ■ Logout Callback URL ■ Logout Redirect URL ■ Logout Target URL 3. Finish and save your agent registration, as usual. 4. Multiple DNS Domains: Perform the following steps if you have multiple DNS domains configured for Access Manager 11g SSO. The Logout Callback URL can be unique for each WebGate; however, to construct the Logout Callback URL for each WebGate, it is sufficient for the OAM Server to know the host and port of each WebGate from each domain. The file that the Logout Callback URL points to must differ from the logout.html script in the WebGate installation directory. Note: a. Configure the Logout Callback URL as the second value in the logOutUrls parameter on each resource WebGate. Logout Callback URL is the location on WebGate that the request must be sent to, for clearing the SSO Cookie in that domain. The Logout Callback URL cannot be logout.html. b. Ensure that a file physically exists on each Web server at the Logout Callback URL location (usually, at the same location as logout.html). For example, if you configure a file named logout.png in the same location as logout.html, then the Logout Callback URL of logout.png would be: /oamsso/logout.png 5. Perform steps in "Validating Global Sign-On and Centralized Logout" on page 27-6. Configuring Centralized Logout for Sessions Involving 11g WebGates 27-5 Validating Global Sign-On and Centralized Logout 27.3.2 Configuring Logout When Using Detached Credential Collector-Enabled WebGate When the DCC receives a logout request from the Agent, the DCC: ■ Decrypts the logout request, if needed ■ Retrieves the end_url, constructs the full URL with the Agent's host:port if needed ■ Clears the DCC cookie (DCCCtxCookie) ■ Sends the logout request across the back channel to terminate the session ■ ■ Logout Callback URLLogout Callback URLsGets a logout page containing links to all visited agent from OAM Sever (which has this information), or get only a list of the visited from OAM Sever to construct a logout page locally, and redirect user to this page on DCC. Returns to the end_url after logout completes To configure logout for Resource Webgates separate from DCC 1. Confirm that the Perl scripts for DCC logout include the actual location of the Perl executable on the Webgate host $WEBGATE_HOME/oamsso-bin/*pl. 2. Resource Webgate: Modify the Logout Redirect URL to point to DCC's logout.pl: a. Find the Resource Webgate Registration: See "Searching for an OAM Agent Registration". b. Modify the Logout Redirect URL to point to the DCC's logout.pl. For example: http://DCCWGhost:port/oamsso-bin/logout.pl The DCC ignores the Logout Redirect URL parameter in the Webgate registration page. However, if the Resource Webgate Logout Redirect URL is anything other than logout.*, then that URL must be defined in DCC Logout URLs. See Table 24–3, " Specifying Credential Collectors and Related Forms for Authentication" Note: 3. Perform steps in "Validating Global Sign-On and Centralized Logout" on page 27-6. 27.4 Validating Global Sign-On and Centralized Logout This section provides the following topics: ■ Confirming Global Sign-On ■ Validating Global Sign-On with Mixed Agent Types ■ Observing Centralized Logout 27.4.1 Confirming Global Sign-On Use the following procedure to observe single sign-on global login. Prerequisites ■ Agents and Servers must be registered with Access Manager and running 27-6 Administrator's Guide for Oracle Access Management Validating Global Sign-On and Centralized Logout ■ Resources and policies controlling SSO must be defined within Access Manager Application Domains To observe global sign-on 1. From a browser, enter the URL to a protected resource. 2. On the login page, sign in using proper credentials. 3. Verify that the resource is presented; do not log out. 4. In the same browser window, enter the URL to another protected resource and confirm that the resource is presented without having to re-authenticate. 27.4.2 Validating Global Sign-On with Mixed Agent Types Use the following procedure to observe single sign-on global login with different applications and agents that have the same authentication level. For example, suppose you have: ■ ■ OSSO Partner at http://host1.example.com:7777/private/index.html protected using mod_osso Webgate Partner at http://host2.example.com:8888/mydomain/finance/index.html protected using OAM Agent Within the same browser session, you can access all applications protected by either agent with only a single sign in. Prerequisites Agents and Servers must be registered with Access Manager and running ■ ■ Resources and policies must be defined within Access Manager Application Domains ■ Both partners must be protected at the same authentication level ■ Single sign-on must be configured as described in this chapter To observe global sign-on with mixed agent types 1. OSSO Agent Protected Application: 2. a. From a browser, enter the URL of the OSSO-protected resource b. Confirm that the login page appears and sign in using proper credentials. c. Confirm that the protected resource is served. d. Remain in the same browser session and proceed to Step 2. Same Browser Session, OAM Agent Protected Application: a. In the same browser session as Step 1, enter the URL of the OAM Agent-protected resource. b. Confirm that the protected resource is served and that no login page appears. 3. Log out of the browser session. 4. Fresh Browser Session, OAM Agent Protected Application: a. In a fresh browser session, enter the URL of the OAM-protected resource. b. Confirm that the login page appears and sign in using proper credentials. Configuring Centralized Logout for Sessions Involving 11g WebGates 27-7 Validating Global Sign-On and Centralized Logout 5. c. Confirm that the protected resource is served. d. Remain in the same browser session and proceed to Step 5. Same Browser Session, OSSO Agent Protected Application: a. In the same browser session as Step 4, enter the URL of the OSSO Agent-protected resource. b. Confirm that the protected resource is served and that no login page appears. 27.4.3 Observing Centralized Logout Use the following procedure to observe centralized logout: ■ ■ With OAM Agents, the logout URL redirects to the server and cookies are cleared and invalidated so that a subsequent request cannot locate the cookie. With mod_osso, each agent destroys its own cookies. The logout URL redirects to the global logout page on the server and each partner sends cookies to the server. Prerequisites ■ Agents must be registered and running ■ ■ Resources must be protected by Access Manager Application Domains Single sign-on must be configured with authentication and authorization policies and responses in Access Manager Application Domains To observe centralized logout 1. Single Application: 2. a. From a browser, enter the URL of the protected resource. b. Confirm that the login page appears and sign in using proper credentials. c. Confirm that the protected resource is served. d. Open a new browser tab or window and access the same resource to confirm that the second attempt does not require another login. e. Logout from one tab. f. Access the resource again to confirm that a login page appears. Two Applications: a. From a browser, enter the URL of the protected resource. b. Confirm that the login page appears and sign in using proper credentials. c. In a new tab or window, access another protected application and confirm that the second application does not require another login. d. Log out of the first application. e. Access the second application and confirm that the login page appears. 27-8 Administrator's Guide for Oracle Access Management Part VII Part VII Registering and Using Agents with Access Manager When your enterprise includes Web server types other than Oracle HTTP Server, you can install 10g WebGates to use with Access Manager. Part VI contains the following chapters: ■ Chapter 28, "Registering and Managing Legacy OpenSSO Agents" ■ Chapter 29, "Registering and Managing Legacy OSSO Agents" ■ Chapter 30, "Registering and Managing 10g WebGates with Access Manager 11g" ■ Chapter 31, "Configuring Apache, OHS, IHS for 10g WebGates" ■ Chapter 32, "Configuring the ISA Server for 10g WebGates" ■ Chapter 33, "Configuring the IIS Web Server for 10g WebGates" ■ Chapter 34, "Configuring Lotus Domino Web Servers for 10g WebGates" 28 Registering and Managing Legacy OpenSSO Agents 28 [23If ] OpenSSO is already in place as the enterprise solution for your existing Oracle deployment, Oracle Fusion Middleware continues to support this as a solution. Additionally, you can register existing OpenSSO agents for use with Access Manager. This chapter explains how to register or manage legacy OpenSSO agents for use with Access Manager 11.1.2 and provides the following sections: ■ Introduction to OpenSSO, Agents, Migration and Co-existence ■ Runtime Processing Between OpenSSO Agents and Access Manager ■ Understanding OpenSSO Agent Registration Parameters ■ Registering and Managing OpenSSO Agents Using the Console ■ Performing Remote Registration for OpenSSO Agents ■ Updating Registered OpenSSO Agents Remotely ■ Locating Other OpenSSO Agent Information 28.1 Introduction to OpenSSO, Agents, Migration and Co-existence OpenSSO is the open source version of the Sun Access Management, Federation Management, and Web Services Security product. Each OpenSSO Agent is a filter that is plugged into a container (Oracle WebLogic Server, JBoss, Apache, and so on) that hosts applications. OpenSSO Agents can co-exist together with Webgates, Access Clients, or OSSO Agents. Oracle provides OpenSSO Assessment and OpenSSO Migration tools that you can use to transition existing OpenSSO agents, profiles, and policies in to Access Manager. See Also: Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management for details about Oracle-provided tools and processes to assess and transition OpenSSO agents, profiles, and policies in to Access Manager. Each OpenSSO Agent provides restricted access to applications by intercepting requests to these applications. After provisioning, OpenSSO Agents use OAM Server instead of the OpenSSO Server. Registering and Managing Legacy OpenSSO Agents 28-1 Introduction to OpenSSO, Agents, Migration and Co-existence OpenSSO Agents must be registered with Access Manager to use OAM Server instead of the OpenSSO Server. Note: After provisioning, OpenSSO Agents use OAM Server instead of the OpenSSO Server. Restricted access to applications is provided by intercepting requests to these applications. OAM Server provides an OpenSSO Proxy that enables communication between the agent and OAM Server and facilitates SSO to the agent-protected application. OAM Server provides an OpenSSO Proxy that enables communication between the agent and OAM Server and facilitates SSO to the agent-protected application. Using registered OpenSSO Agents, Access Manager provides the features outlined in Table 28–1 (authentication features and a subset of authorization features). Table 28–1 Features: OpenSSO Agents with Access Manager Agent Authentication User Authentication User Single-Sign-On User Single Logout SSO in mixed agents case (between OpenSSO agent and WebGate agent) User Authorization Self and Sub-tree mode search Policy Conditions (Identity, LDAP filter, Session attribute, IP Range, Temporal) User profile attributes retrieval Centralized Agent configuration with REST request or response Migration of Agent profiles, Policies, User Stores, Authentication Stores Migration Assessment tool For more information, see: ■ About Migration and Co-existence Between OpenSSO and Access Manager ■ About OpenSSO Agent Reliance on Access Manager ■ Runtime Processing Between OpenSSO Agents and Access Manager 28.1.1 About Migration and Co-existence Between OpenSSO and Access Manager Access Manager supports co-existence with an existing OpenSSO Server deployment that has been migrated using the OpenSSO to Access Manager upgrade tool. The OpenSSO to Access Manager Upgrade makes use of OpenSSO Discovery Agents and Policy mapping logic, which fulfills requirements described in following topics: ■ OpenSSO Policy Migration ■ Application Domain Creation During OpenSSO Migration ■ OpenSSO Authentication Policy Migration ■ Host Identifier Creation in Access Manager For System Requirements and Supported Platforms for Access Manager and OpenSSO, see the Oracle Identity and Access Management matrix on the following site: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-10 0350.html 28-2 Administrator's Guide for Oracle Access Management Introduction to OpenSSO, Agents, Migration and Co-existence See Also: Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management OpenSSO Policy Migration The OpenSSO policy is mapped to Access Manager authentication and authorization policies based on available artifacts in the OpenSSO deployment. Table 28–2 table outlines the mapping that occurs between OpenSSO and Access Manager during Policy migration. See Also: Table 28–2 "Migrated Artifacts: OpenSSO" on page D-13 OpenSSO Policy Migration Serian OpenSSO Access Manager 1 Policy Realm Policy Domain 2 Policy Authentication and Authorization Policies 3 Resources Resources plus Host Identifier 4 Actions Not specified (By default only "GET") 5 Subject Identity Conditions in Authorization Policies 6 Conditions Authentication Scheme plus Authorization Conditions 7 Response Providers Policy Responses Application Domain Creation During OpenSSO Migration If an existing Access Manager Application Domain and policies do not match an OpenSSO policy domain, a new Application Domain is created in Access Manager. The created Application Domain corresponds to an OpenSSO Realm. With respect to each Realm, (OpenSSO Top-level and Sub -level Realms), an Application Domain is created in Access Manager. All existing Application Domains are compared against OpenSSO Policy Domains. The policy name is checked against all existing policies. If a policy of the same name exists, an error occurs. Otherwise, a new policy is created in Access Manager. Note: An OpenSSO policy referral policy is not migrated. OpenSSO Authentication Policy Migration An OpenSSO policy containing valid rules and conditions is migrated to an Access Manager Authentication Policy: either a new policy to be created or an existing policy to be updated. During policy creation, the OpenSSO policy rule host:port information is used to create the host identifier and exact resource URL (or URI) to the Application Domain. An OpenSSO policy containing artifacts with no rules is not a valid policy. Note: A policy with conditions is valid for OpenSSO. However, these are migrated based on the default Authentication Policy for Access Manager. Such policies with IP or Temporal conditions can be migrated to Access Manager Authorization Policy conditions. Registering and Managing Legacy OpenSSO Agents 28-3 Introduction to OpenSSO, Agents, Migration and Co-existence If the OpenSSO policy is a non-referral policy, an Access Manager Authentication Policy is created containing an authentication scheme with the corresponding authentication module from OpenSSO, host identifier, and resources from OpenSSO policy. In the Access Manager Authorization policy, corresponding OpenSSO constraints and subjects are set. Limitation: Authentication policy creation exception if the resource already exists (in one of the policy in same Application Domain or Realm. If the resource is already protected by another policy (already exists under the host identifier), new policy creation for the same resource causes an exception. This new policy is not created. The errors are logged in a log file and also displayed in the Oracle Access Management Console. Host Identifier Creation in Access Manager One Host Identifier is created within Access Manager for each unique host:port combination from OpenSSO. Need to retrieve all the host:port from each policy rules in each realm and will create the number of hostIdentifiers = number of unique host:port combinations. Top Realm: By default, OpenSSO has only one top-level realm (/). All other realms can be created under this top-level realm. Ideally, the top-level realm will contain all the host:port combinations for which Host Identifiers are created in Access Manager. Sub Realm: host:port combinations in policy rules within sub realms depend on the host:port in the Referral policy created under the top realm. The host:port in referral policy is not necessarily from any of the host:port in other non-referral policies in top realm (also referral policy is not applicable for migration). Hence, the host:port in sub realm's policies can be different from the host:port in top realm's policies which are applicable for migration.The host:port from each realm's policies is checked. Limitation: In OpenSSO, if there are 2 (or more) policies with same rule yet with different authentication schemes to protect the same resource, then only one (the first one in occurrence) can be migrated to Access Manager; the others are ignored and are not created in Access Manager. There are rare chances for such an occurrence. 28.1.2 About OpenSSO Agent Reliance on Access Manager Access Manager supports OpenSSO Agents and processing as outlined in Table 28–3. 28-4 Administrator's Guide for Oracle Access Management Introduction to OpenSSO, Agents, Migration and Co-existence Table 28–3 OpenSSO Reliance on Access Manager Component Description OpenSSO Agent OpenSSO agents must be registered with Access Manager to establish trust by authenticating themselves. The OAM Server: ■ Authenticates the agents with the credentials provided. ■ Creates a session for the agent. ■ ■ Stores this information in the cache so that any server in the group/cluster can service the next request from the agent. Passes the session identifier to the agent so that it can present this to OAM Server during subsequent interactions. This agent session does not expire, which enables the Agent to maintain trust continuity with the OAM Server. The agent registration can be enabled or disabled. When disabled, the Agent does not respond. Multiple OpenSSO agents can share same centralized configuration (if required and if registered in centralized configuration mode). Even so, each agent has its own unique session and session ID. The agent registration can be configured for the "maximum number of agent sessions allowed" per registration. It might have a session timeout property that defines whether the agent's session should expire or not. See Also: "Registering and Managing OpenSSO Agents Using the Console" on page 28-19 "Understanding Credential Collection and Login" OpenSSO Proxy This Oracle-provided proxy is bundled and installed with Access Manager 11.1.2. OpenSSO Proxy enables communication between the OpenSSO Agent and OAM Server. OpenSSO Proxy serves all OpenSSO Agent requests and responses for Authentication, Authorization, and SSO. OpenSSO Proxy provides protocol binding and message (request or response) conversion functionality. See Also: "Runtime Processing Between OpenSSO Agents and Access Manager" on page 28-6 Protocol Binding Layer This Oracle-provided framework is responsible for agent-specific protocol handling and mapping authentication protocol messages. This framework also unmarshals incoming protocol-specific requests to protocol agnostic requests and marshals back protocol-agnostic responses to protocol-specific responses. Partner and Trust Store Stores OpenSSO Agent centralized configuration. The Access Manager Partner and Trust Store also supports Agent authentication by providing GET APIs for the Agent ID and Agent Password. OpenSSO Application Domain This can be generated automatically by using the Auto Create Policies option during OpenSSO Agent registration. Cookies The end user has the following valid cookies: ■ ■ OAM_ID cookie (represents the end session after agent authentication); see OpenSSO cookie (the agent finds this cookie after the OpenSSO Proxy triggers session validation). The default name of the OpenSSO cookie is: iPlanetDirectoryPro Authorization Policy for Protected Resources Set up the Authorization policy with ■ An IP Range Condition that allows access to only the specified range of IP Addresses. ■ A Temporal Condition that allows access to only during the specified time period. ■ ■ ■ ■ SSO Controller SSO Engine An Identity Condition that allows only the configured Identity (user or group) to access the protected resource. An LDAP Filter condition that allows access only if the filter condition is satisfied. A Session attribute condition that allows access only if the session has the configured session attribute with required value An attribute condition for namespaces Request, User, and Session that allows access only if the attribute has been configured with required values Fulfills protocol requests by invoking functional components (SSO Engine, Authentication Engine, and so on): Provides enterprise and same domain Sign-on and Single logout (SLO) during an online session. Manages the session lifecycle. Facilitates Global logout by orchestrating logout across all Relying Parties in the valid session. Communicates with the Token Processing Engine to create a valid session and persist the user. Registering and Managing Legacy OpenSSO Agents 28-5 Runtime Processing Between OpenSSO Agents and Access Manager Table 28–3 (Cont.) OpenSSO Reliance on Access Manager Component Description Session Management Engine Manages session and token context information with support for user- and Administrator-initiated and time-out based events. The SSO Engine uses Session Management Engine capabilities for session management: ■ Create Session ■ Read Session ■ Update Session ■ Delete Session ■ Validate Session ■ Get Session Id ■ Set/Get creation instant ■ Set/Get expiry instant ■ Set/Get Last access time ■ Set/Get Session state ■ Purge Sessions Note: There is no support for viewing or managing OpenSSO agent sessions using the Oracle Access Management Console. The OpenSSO engine controller layer invokes the appropriate session management interfaces as required. Session manager invokes the agent session cache manager internally to manage the distributed cache for the agent session. A unique session is created for each registered OpenSSO agent, which becomes the trust mechanism between the Agent and the OAM Server. The unique session ID accompanies all XML/HTTP requests for session validation, user authorization, and so on, as the agent token that must be validated by the OAM Server before it can serve any user requests. By default, the agent session does not expire. Agent sessions are stored within the in-memory session cache. Agent sessions are not required to be persisted if the OAM Server restarts. The agent session resides on the OAM Server and the unique agent session ID is passed back to Agent in a form it can use. The agent session supports two states: Invalid (unauthenticated), and Valid (authenticated). The OAM Server can successfully communicate with only an agent with a Valid session state. Token Processing Engine Oracle Access Management Console Responsible for token generation and token validation in response to token issuance and validation protocol requests. Default capability manages (issues, validates, renews, cancels) Username, SAML, and X509 tokens. This can also be extended to handle custom tokens beyond out-of-box/default supported security token types. Administrators use the console to: ■ ■ Remote registration utility Provision/register OpenSSO Agents Manage an Application Domain and authentication and authorization policies for protected resources. Administrators can use the remote registration utility to provision the agent and generate configuration files to be consumed by the agent in Centralized mode. The agent has a copy of all required configuration information and does not contact the OAM Server for this. Note: If you are migrating an OpenSSO agent profile to Access Manager, both localized and centralized modes are supported. WLST commands Administrators can use WLST commands to: ■ Migrate OpenSSO Agents to the OAM Server See Also: "Migrated Artifacts: OpenSSO" on page D-13. 28.2 Runtime Processing Between OpenSSO Agents and Access Manager The OAM Server includes an OpenSSO Proxy to handle communication with the OpenSSO Agent and facilitate interoperability with the OpenSSO server. Single Sign On (SSO) and Single Logout (SLO) between OpenSSO policy agents and the OAM Server, for instance. Interoperability is accomplished by honoring HTML/HTTP Authentication requests for end-user authentication (as an HTTP redirect) and XML/HTTP SSO requests for end-user session validation. 28-6 Administrator's Guide for Oracle Access Management Runtime Processing Between OpenSSO Agents and Access Manager Figure 28–1 shows a deployment that includes OpenSSO and Access Manager. The OpenSSO Agent resides with the Web/Java EE container and the protected resource. The OpenSSO Server resides on a different host. Figure 28–1 Typical Deployment with OpenSSO and Access Manager Table 28–4 describes SSO processing between Access Manager and OpenSSO Agents. Registering and Managing Legacy OpenSSO Agents 28-7 Runtime Processing Between OpenSSO Agents and Access Manager Table 28–4 Access Manager Processing with OpenSSO Functionality Description OpenSSO Agent Authentication OpenSSO agents are authenticated and a valid agent session is established before user authentication. The OpenSSO agent authenticates itself to the OAM Server through the OpenSSO Proxy. OpenSSO Agent Authentication (Agent authenticating itself to the OpenSSO Proxy occurs based on the Agent type: J2EE Agents: Upon Agent container startup. Web Agents: With the first user authentication request to the Web Server. 1. End user sends a request to access an application or resource protected by the OpenSSO agent. 2. OpenSSO agent redirects this un-authenticated user to the OAM Server for authentication as follows: J2EE Agents: Upon Agent container startup. Web Agents: With the first user authentication request to the Web Server. 3. Agent sends the naming request to the proxy to fetch all the other service URLs (Authentication service, Session Service, and so on). 4. Agent sends the xml Authentication request to the Proxy with its credentials on the Authentication service endpoint (obtained from the naming request in Step 3). 5. Proxy authenticates the Agent against an Agent authentication module and creates a non-expiry session in the proxy layer itself. 6. Proxy sends the Authentication xml Response with the agent session details to the agent over http. Once the agent is authenticated, a valid agent session is created. The key that is generated following agent authentication is stored in the Partner and Trust store. SSO User Login and Authentication After the agent is authenticated by the OAM Server, the user request is authenticated by the OAM Server. SSO is then provided to the authenticated user accessing resources protected by the agent. After the OpenSSO agent is authenticated and logged in, the gent verifies whether the user has an OpenSSO cookie. If not, the user authentication request is initiated from the OpenSSO agent. User Login 1. OpenSSO agent intercepts the request to protected application. OpenSSO agent checks if the user has an OpenSSO cookie. If not, OpenSSO agent redirects the user to the OpenSSO Proxy for authentication service. OpenSSO Proxy fetches the requested resource URL and the agent ID. 2. The OpenSSO Login event in the OpenSSO proxy wraps this request in a way that the core login events can understand. The OpenSSO login event passes the resource URL and the agent ID to the core login event. 3. Core Login events are performed, which checks if the request object contains an OAM_ID cookie. If yes, OAM Server checks if the session represented by the OAM_ID cookie is a valid session. 4. If the session represented by the OAM_ID cookie is valid, core login event returns the Login response event, which is wrapped by the OpenSSO Login event and is passed on to the OpenSSO login response handler. Core login event returns the identifier of the validated session. 5. OpenSSO login response handler (part of OpenSSO proxy) creates an OpenSSO session identifier in the format that the OpenSSO agent understands and extends this identifier with the OAM session identifier. OpenSSO cookie is created, which contains the OpenSSO session identifier and this cookie is set in the user's browser. 28-8 Administrator's Guide for Oracle Access Management Runtime Processing Between OpenSSO Agents and Access Manager Table 28–4 (Cont.) Access Manager Processing with OpenSSO Functionality End User Session Validation Description OpenSSO agents intercept the request to the protected application. End user Session Validation 1. OpenSSO agent intercepts the request to the protected application and finds an OpenSSO cookie. 2. OpenSSO agent constructs an XML/HTTP request to validate this OpenSSO cookie. Here XML request would have Application / Agent token ID and session ID. This request reaches the OpenSSO proxy layer. 3. OpenSSO Proxy gets the Application Token associated with the request and validates the Application Token with the OAM Server. 4. OAM Server validates the token and sends the response to the OpenSSO Proxy 5. If the Application Token is invalid, the OpenSSO proxy communicates that to the OpenSSO agent and OpenSSO agent starts the agent authentication flow to obtain that valid Application Token. 6. If the Application Token is valid, OpenSSO proxy decrypts the OpenSSO cookie, fetches the OpenSSO session ID and gets the OAM session ID which is stored as the extension in the OpenSSO session ID. 7. The OpenSSO Proxy triggers the session validation flow. 8. If the session represented by the OAM session ID valid, the OpenSSO proxy communicates that to the Agent and the protected application is displayed to the user. This session validation returns the session data (session attributes and values) to the proxy layer as the output of session validation event response. 9. If the session is invalid, authentication flow is initiated by the OAM Server, where the OAM Server collects the user credentials and validates the user. User profile attributes OpenSSO agents can request user profile attributes once the user is successfully logged in and a retrieval for Web Agent types valid session is created, by providing the session ID. The OpenSSO proxy layer must receive these requests and fetch the OAM session ID from the OpenSSO session ID extension. OpenSSO Web agents use the Policy service URL for these requests. OpenSSO proxy then fetches these attributes and passes the session ID to the OAM Server (which uses the responses framework to fetch the User Profile attributes and return the data to the OpenSSO Proxy). User profile attributes OpenSSO J2EE agents use jax-rpc calls to retrieve user profile attributes. The flow is similar as retrieval for J2EE Agent types the one for Web agents types to retrieve these properties. User Single Logout 1. The OpenSSO Proxy receives a User logout request and forwards the user to the OAM logout URL 2. OpenSSO Proxy decrypts the OpenSSO cookie, fetches the OpenSSO session identifier and, from that, fetches the OAM session ID. OpenSSO proxy sends the logout request to controller through the OpenSSO logout event with the OAM session ID. 3. Core logout events are performed, which includes the controller calls to the SSO engine to confirm the session exists. If the session exists, the OAM_ID cookie is deleted, and global logout is performed. 4. The SSO engine returns the response to the controller indicating the session has been cleared. 5. The controller sends a request to the proxy to clear tokens. 6. The Proxy sends the request to the agent to clear tokens through the OpenSSO Logout response handler. Registering and Managing Legacy OpenSSO Agents 28-9 Understanding OpenSSO Agent Registration Parameters Table 28–4 (Cont.) Access Manager Processing with OpenSSO Functionality Description SSO Agent Logout Access Manager handles single logout requests originating from the OpenSSO agents. Note: The user must be logged out from resources protected by other agents (WebGate and MOD_OSSO, for instance). Agent logout is not required other than in the multi-domain environment. 1. The OpenSSO Agent requests logout to OpenSSO Proxy. 2. The Proxy fetches the Application token from the request and verifies that the request is initiated by an authenticated agent. 3. Opensso Agent Logout is handled within the proxy as the session is created in an independent Agent Session Management Module. 4. The decrypted token is returned to the OpenSSO Proxy. If there is no OpenSSO token present, steps 2 and 3 are absent. 5. The OpenSSO Login event in the OpenSSO proxy wraps this request in a way that the core login events can understand. 6. Core Login events are performed, which includes forwarding the request to the SSO Engine through the controller and authenticating the user. A new session is created for the authenticated user. 7. Core login event returns the Login response event, which is wrapped by the OpenSSO Login event and is passed on to the OpenSSO login response handler. 8. OpenSSO login response handler sends the response to the OpenSSO agent. Token Generation for OpenSSO Agents Access Manager processes the tokens generated for, and to be consumed by the OpenSSO agents. Logging Enables you to track events during end user access enforcement for following events, using the OAM Server log component: ■ Login success and login failure events ■ Logout success and logout failure events ■ Auditing Log messages at different logging levels (FATAL, ERROR, WARNING, DEBUG, TRACE), each of which indicates severity in descending order. Using the OAM Server audit component to: Polling ■ Audit Login events ■ Audit Logout success events Polling is not Supported. Only Session Destroy notifications are supported by the OpenSSO Proxy. 28.3 Understanding OpenSSO Agent Registration Parameters Whether you migrate existing OpenSSO Agents to Access Manager or register a fresh OpenSSO Agent, the Oracle Access Management Console provides centralized registration and management of OpenSSO Agents. ■ About OpenSSO Agent Registration Parameters ■ About the Expanded OpenSSO Agent Page and Parameters 28.3.1 About OpenSSO Agent Registration Parameters Figure 28–2 shows the New OpenSSO Agent page where Administrators enter information during new OpenSSO agent registration. 28-10 Administrator's Guide for Oracle Access Management Understanding OpenSSO Agent Registration Parameters Figure 28–2 Create OpenSSO Agent Page Table 28–5 describes the elements on the New OpenSSO Agent page. Table 28–5 Elements on the New OpenSSO Agent Page Element Agent Type Description OpenSSO agent types can be either: ■ ■ Web: Use with Web resources and Web resource URLs. J2EE: Default agent type. Use J2EE type agents for Java EE resources and applications. For the J2EE Agent, Filter modes must be set by choosing either: SSO_ONLY (Access Manager Authentication Only): Enables the least restrictive mode of operation for the filter; the agent simply ensures that all users who try to access protected web resources are authenticated. URL_Policy (Access Manager Authentication and Authorization): Enables the agent filter to enforce URL policies. By default, with Web Agents, .com.sun.identity.agents.config.sso.onlyattribute is set to "false". Note: Both agent types provide access protection when you also choose SSO only. Agent Name Unique name for this agent. Password A required, unique password for this OpenSSO agent, which can be assigned during this registration process. The entry will appear in obfuscated format in the console, in oam-config.xml, and in OpenSSOAgentBootstrap.properties. Re-enter Password When a registered agent connects to an OAM Server, the user is prompted for the password. The password is used for authentication to prevent unauthorized agents from connecting and obtaining policy information. Host Identifier A name that identifies the host and port for the OpenSSO agent. Default: Agent Name See Also: "About Virtual Web Hosting" on page 22-10. Base URL The protocol, host, and port of the computer on which the OpenSSO agent is installed. For example, http://host.example.domain.com:port or https://example.domain.com:port. Registering and Managing Legacy OpenSSO Agents 28-11 Understanding OpenSSO Agent Registration Parameters Table 28–5 (Cont.) Elements on the New OpenSSO Agent Page Element Description Auto Create Policies During agent registration, you can have authentication and authorization policies created automatically. This option is checked (enabled) by default. The agent name is used as the Application Domain name by default. Default: Enabled See Also: "Generated Artifacts: OpenSSO" on page D-10. Notes: An Application Domain in Access Manager corresponds to a Realm in OpenSSO. If you already have an Application Domain and policies, you can simply add new resources to it. If you clear this option (no check), no Application Domain or policies are generated automatically. OpenSSO Agent Properties OpenSSO Agent properties are stored in the following files, which are updated during agent registration and configuration changes and consumed during run time: ■ OpenSSOAgentBootstrap.properties ■ OpenSSOAgentConfiguration.properties These files are stored on the console host (AdminServer) and must be relocated to the OpenSSO Agent /config directory as shown in Table 28–6. Table 28–6 Relocating OpenSSO Artifacts From AdminServer . . . To OpenSSO Agent /config Directory $/Oracle_ IDM1/oam/server/rreg/client/rreg/output $Policy-Agent-base/AgentInstance-Dir/config/ For details about the generated Application Domain for an Open SSO Agent, see "Generated Artifacts: OpenSSO" on page D-10. 28.3.2 About the Expanded OpenSSO Agent Page and Parameters This topic describes expanded OpenSSO Agent page that is available when managing the agent using the Oracle Access Management Console. During registration, only a small subset of available parameters is displayed to streamline the process. Whether you registered the agent using the Oracle Access Management Console or the remote registration utility, you can view the full agent configuration page in the console. Default values populate the page after initial registration and are displayed when you open the Agent's page, as shown in Figure 28–3. 28-12 Administrator's Guide for Oracle Access Management Understanding OpenSSO Agent Registration Parameters Figure 28–3 Expanded OpenSSO Web Agent Registration Page Information on the J2EE Agent registration page is nearly the same as details for Web Agents. The J2EE Agent registration page is shown in Figure 28–4. Registering and Managing Legacy OpenSSO Agents 28-13 Understanding OpenSSO Agent Registration Parameters Figure 28–4 Expanded OpenSSO J2EE Agent Registration Page Table 28–7 describes all elements on expanded OpenSSO Agent registration pages. 28-14 Administrator's Guide for Oracle Access Management Understanding OpenSSO Agent Registration Parameters Table 28–7 Expanded OpenSSO Agent Registration Elements Element Status Description The state of this agent registration: Enabled or Disabled. Default: Enabled See Also: Table 28–5, " Elements on the New OpenSSO Agent Page" Filter mode J2EE Agent Type only The Agent filter is installed within the protected application. It facilitates the enforcement of security policies, governing the access to all resources within the protected application. Every application protected by the J2EE Agent must have its deployment descriptors changed to reflect that it is configured to use the agent filter. Applications that do not have this setting are not protected by J2EE the Agent and might malfunction or become unusable if deployed on a deployment container where the Agent realm is installed. Filter modes must be set for the J2EE Agent by choosing one of the following options: SSO_ONLY or URL_Policy. Default: URL_Policy ■ ■ SSO_ONLY (Access Manager Authentication Only): Enables the least restrictive mode of operation for the filter; the agent simply ensures that all users who try to access protected web resources are authenticated. URL_Policy (Access Manager Authentication and Authorization): Enables the agent filter to enforce URL policies. By default, with Web Agents, .com.sun.identity.agents.config.sso.onlyattribute is set to "false". Process overview: Authentication Only (SSO_ONLY J2EE Filter Mode) 1. End user requests access to an application or resource protected by OpenSSO Agent. 2. OpenSSO Agent redirects this un-authenticated user to OAM Server for authentication. 3. After successful authentication, OpenSSO Proxy redirects the user back to the protected resource with OpenSSO session ID set in the response cookie. 4. Authenticated end user with valid OpenSSO session, accesses application or resource protected by OpenSSO Agent. 5. OpenSSO Agent validates the OpenSSO Session against OAM Server through the OpenSSO Proxy and enables SSO for the end user. 6. End user gets access to the protected application or resource. Process overview: Authentication and Authorization with URL_Policy J2EE Filter Mode 1. End user requests access to an application or resource protected by OpenSSO agent. 2. OpenSSO Agent redirects this un-authenticated user to OAM Server for authentication. 3. After successful authentication, OpenSSO Proxy redirects the user back to the protected resource with OpenSSO session ID set in the response cookie. 4. Authenticated end user with valid OpenSSO session, accesses application or resource protected by OpenSSO Agent. 5. OpenSSO Agent validates the OpenSSO Session against OAM Server through the OpenSSO Proxy. 6. OpenSSO Agent sends Policy requests to OAM Server through the OpenSSO Proxy to ensure the authenticated user is authorized to access the resource. 7. OpenSSO Proxy evaluates the Policies for the protected resource (using OAM Policy Engine) and sends the Policy decision to the Agent: Allow or Deny. 8. End user gets access if the Policy decision is Allow. Note: The following Filter Modes are not supported: NONE, J2EE_Policy, All. See Also: "Understanding OpenSSO Agent Registration Parameters" on page 28-10. Session Timeout in seconds (User) Click the arrows to specify the period, after which the session times out and the user must re-authenticate. You must set "Max Sessions" to a non-zero value to enable this setting. Default: 0 Max Sessions Maximum number of sessions allowed per user. Default: 0 Cookie Name The default name of the OpenSSO cookie is: Default: iPlanetDirectoryPro Cookie Separator Defines the character to be used as a separator when multiple values of the same attribute are being set as a cookie. For example, the pipe symbol "|", can be used. Default: Registering and Managing Legacy OpenSSO Agents 28-15 Understanding OpenSSO Agent Registration Parameters Table 28–7 (Cont.) Expanded OpenSSO Agent Registration Elements Element Description Enable Cookie Encoding Identifies whether cookie encoding is enabled or not. Default: Enabled J2EE-type Agent Only SSO Only Web-type Agent Only Enables OpenSSO Agent to bootstrap and authenticate with the OAM Server using the OpenSSO proxy provided by Access Manager: The end user accesses the application or resource protected by the OpenSSO Agent, which redirects the unauthenticated user to the OAM Server for authentication. After successful authentication, the OpenSSO proxy redirects the user back to the protected application or resource and sets the OpenSSO Session ID in the response cookie. The authenticated user with a valid OpenSSO session accesses the application or resource protected by the OpenSSO Agent, which validates the session against the OAM Server using the OpenSSO Proxy. The end user gets access based on Access Manager authorization policy. Urls Login URLs Enter the login URL, which must include the appropriate protocol (HTTP or HTTPS), host, domain, and port in the following form: http://example.domain.com:port Default: http://oamhost:port/opensso/UI/Login Note: The port number is optional. Logout URLs The Logout URL triggers the logout handler, which requires the user to re-authenticate the next time he accesses a resource protected by Access Manager. When yo enter the Logout URL, it must include the appropriate protocol (HTTP or HTTPS), host, domain, and port. For example: http://example.domain.com:port/opensso/UI/Logout Default: http://oamhost:port/opensso/UI/Logout Note: The port number is optional. The user must be logged out from resources protected by other agents (WebGate and MOD_OSSO, for instance). Agent logout is not required other than in the multi-domain environment. Not enforced URLs Web-type Agent Only Access Denied URI The URLs you enter in this list have no policy enforcement. These equate to Public URLs, with no protection and access is allowed by all. The URI to which the user is directed if access to the requested resource is denied. This is available for both Web and J2EE Agents, each with its own format requirements: Web Agent (full URL): http://host:port/context/accessDeniedURL.html J2EE Agent (relative URI): /context/accessDeniedURL.htm Default: (blank) Audit Debug Level J2EE-type Agent Only When set, the OAM Server logs messages for: ■ Login success and login failure events ■ Logout success and logout failure events ■ Log messages at different logging levels (ERROR, WARNING, MESSAGE, each of which indicates severity in descending order. Default: Error See Also: Chapter 7, "Logging Component Event Messages" Debug Directory J2EE-type Agent Only The filesystem directory path for audit logs from the OAM Server: ■ Audit Login events ■ Audit Logout success events See Also: Chapter 8, "Auditing Administrative and Run-time Events" Debug File Defines the filesystem directory path to the local component event logging file. Web-type Agent Only Default: 28-16 Administrator's Guide for Oracle Access Management Understanding OpenSSO Agent Registration Parameters Table 28–7 (Cont.) Expanded OpenSSO Agent Registration Elements Element Local Log File Description Defines the filesystem directory path to the local component event logging file. Default: User Mapping Mapping Mode ■ HTTP_HEADER ■ USER_ID ■ PROFILE_ATTRIBUTE ■ SESSION_PROPERTY Default: User_ID User Identity Default: User ID User Attribute Name Default: Attribute Mapping Attribute retrieval fetches and sets user attributes in the HTTP request for consumption by the applications. The following Attribute Mapping panels are available: ■ Profile Attributes ■ Response Attributes ■ Session Attributes Fetch Mode: Certain applications rely on the presence of user-specific profile information in some form to process user requests appropriately. The agent can make these attributes from the user's profile available in various forms. when you specify a Fetch Mode for Profile, Response, or Session Attributes: ■ ■ ■ ■ NONE: No attributes are fetched. HTTP_HEADER: When the agent is configured to provide the LDAP attributes as HTTP headers, these attributes can be retrieved. REQUEST_ATTRIBUTE: When the agent is configured to provide the LDAP attributes as request attributes, the agent populates these attribute values into HttpServletRequest as attributes that can later be used by the application as necessary. For example, fetch profile attributes, assign a mode to the profile attribute property, and map the profile attributes to be populated under specific names for the currently authenticated user. HTTP_COOKIE: When the agent is configured to provide the LDAP attributes as cookies, the necessary values are set as server specific cookies by the agent with the path specified as "/." Multi-valued attributes are set as a single cookie value such that all values of the attribute are concatenated into a single string using a separator character that can be specified by the property labeled Cookie Separator. Default: None Profile Attributes User profile information can be populated under specific names for the currently authenticated user. For example: Fetch Mode: REQUEST_ATTRIBUTE Name (Map key): cn Value: CUSTOM-Common-Name Name (Map key): mail Value: CUSTOM-Email Default: No data Response Attributes Obtains user-specific information by fetching policy response attributes, assigns a mode to the policy response attribute property, and maps the policy response attributes to be populated under specific names for the currently authenticated user. Fetch Mode: REQUEST_ATTRIBUTE Name (Map key): cn Value: CUSTOM-Common-Name Name (Map key): mail Value: CUSTOM-Email_Addr Default: No data Registering and Managing Legacy OpenSSO Agents 28-17 Understanding OpenSSO Agent Registration Parameters Table 28–7 (Cont.) Expanded OpenSSO Agent Registration Elements Element Description Session Attributes The attributes in the session object maintained by the OAM Server. These are sent as part of a session validation response to the Agents. Fetch Mode: REQUEST_ATTRIBUTE Name (Map key): UserToken Value: CUSTOM-userid Default: No data Miscellaneous Most agent properties are hot-swap enabled. Changing configuration properties can have unexpected results. Hot-swappable properties take effect immediately. Therefore, mistakes are instantly implemented. Most agent properties are presented in a format that is most useful for configuring using Oracle Access Management Console. However, this format is not used in the OpenSSOAgentBootstrap.properties file. List Properties: Certain properties are specified as lists composed of a key that represents the property name; a positive number (starting from 0) that increments by 1 for every value specified in the list; and a value. For example: com.sun.identity.agents.config.notenforced.uri[0]=/agentsample/public/* com.sun.identity.agents.config.notenforced.uri[1]=/agentsample/images/* com.sun.identity.agents.config.notenforced.uri[2]=/agentsample/index.html Map Constructs: Certain properties are specified as map constructs composed of a key that represents the property name; a name string that forms the lookup key as available in the map; and the value associated with the name in the map. For example: com.sun.identity.agents.config.filter.mode[app1]=ALL com.sun.identity.agents.config.filter.mode[app2]=SSO_ONLY Note: For a given name, there can only be one entry in the configuration for a given configuration key. If multiple entries with the same for a given configuration key are present only one of the values will be loaded in the system and the other values are discarded. Application-Specific Properties: Certain properties can be configured for specific applications. Thee agent can use different values of the same property for different applications as defined in the configuration file. Application Specific configuration properties must follow the rules and syntax of the map construct. The following settings for a single property serve as an example which illustrates that for applications other than the ones deployed on the root context and the context /Portal, the value of the property defaults to value3. com.sun.identity.agents.config.example[Portal] = value1 com.sun.identity.agents.config.example[DefaultWebApp] = value2 com.sun.identity.agents.config.example = value3 Global Properties: Properties that are not configured for specific applications apply to all the applications on that deployment container. Such properties are called global properties. Serial number: Assigned automatically Name: Select from one of the following Value: Enter the appropriate value for the Name you chose. Note: To enable OpenSSO Agent configuration hotswap, make sure the opensso agents have the following properties in the Miscellaneous properties section of their profile in the OpenSSO Proxy on OAM Server, and the agent servers are restarted: J2ee Agents: com.sun.identity.client.notification.url =http://:/agentapp/notification Web Agents: com.sun.identity.client.notification.url =http://AGENT_SERVER_HOST:AGENT_SERVER_ PORT/UpdateAgentCacheServlet?shortcircuit=false Not Supported, Web Agents: com.sun.identity.agents.config.change.notification.enable = true See Also: "Reviewing OpenSSO Bootstrap Configuration Mappings" Element Description 28-18 Administrator's Guide for Oracle Access Management Registering and Managing OpenSSO Agents Using the Console Table 28–7 (Cont.) Expanded OpenSSO Agent Registration Elements Element Description See Also: Table 28–5, " Elements on the New OpenSSO Agent Page" Status The state of this agent registration: Enabled or Disabled. Default: Enabled Filter mode J2EE Agent Type only The Agent filter is installed within the protected application. It facilitates the enforcement of security policies, governing the access to all resources within the protected application. Every application protected by the J2EE Agent must have its deployment descriptors changed to reflect that it is configured to use the agent filter. Applications that do not have this setting are not protected by J2EE the Agent and might malfunction or become unusable if deployed on a deployment container where the Agent realm is installed. Filter modes must be set for the J2EE Agent by choosing one of the following options: SSO_ONLY or URL_Policy. Default: URL_Policy ■ ■ SSO_ONLY (Access Manager Authentication Only): Enables the least restrictive mode of operation for the filter; the agent simply ensures that all users who try to access protected web resources are authenticated. URL_Policy (Access Manager Authentication and Authorization): Enables the agent filter to enforce URL policies. By default, with Web Agents, .com.sun.identity.agents.config.sso.onlyattribute is set to "false". Process overview: Authentication Only (SSO_ONLY J2EE Filter Mode) 1. End user requests access to an application or resource protected by OpenSSO Agent. 2. OpenSSO Agent redirects this un-authenticated user to OAM Server for authentication. 3. After successful authentication, OpenSSO Proxy redirects the user back to the protected resource with OpenSSO session ID set in the response cookie. 4. Authenticated end user with valid OpenSSO session, accesses application or resource protected by OpenSSO Agent. 5. OpenSSO Agent validates the OpenSSO Session against OAM Server through the OpenSSO Proxy and enables SSO for the end user. 6. End user gets access to the protected application or resource. Process overview: Authentication and Authorization with URL_Policy J2EE Filter Mode 1. End user requests access to an application or resource protected by OpenSSO agent. 2. OpenSSO Agent redirects this un-authenticated user to OAM Server for authentication. 3. After successful authentication, OpenSSO Proxy redirects the user back to the protected resource with OpenSSO session ID set in the response cookie. 4. Authenticated end user with valid OpenSSO session, accesses application or resource protected by OpenSSO Agent. 5. OpenSSO Agent validates the OpenSSO Session against OAM Server through the OpenSSO Proxy. 6. OpenSSO Agent sends Policy requests to OAM Server through the OpenSSO Proxy to ensure the authenticated user is authorized to access the resource. 7. OpenSSO Proxy evaluates the Policies for the protected resource (using OAM Policy Engine) and sends the Policy decision to the Agent: Allow or Deny. 8. End user gets access if the Policy decision is Allow. Note: The following Filter Modes are not supported: NONE, J2EE_Policy, All. See Also: "Understanding OpenSSO Agent Registration Parameters" on page 28-10. 28.4 Registering and Managing OpenSSO Agents Using the Console This topic provides the following topics: ■ Registering an OpenSSO Agent using the Oracle Access Management Console ■ Configuring and Managing Registered OpenSSO Agents Using the Console Registering and Managing Legacy OpenSSO Agents 28-19 Registering and Managing OpenSSO Agents Using the Console 28.4.1 Registering an OpenSSO Agent using the Oracle Access Management Console Users with Oracle Access Management Administrator credentials can either use Oracle-provided tools to analyze and migrate an OpenSSO environment or use the Oracle Access Management Console, as described here, to manually provision OpenSSO Agents. Registration steps are the same regardless of the OpenSSO agent type you choose: Web or J2EE. You can register an OpenSSO agent before you deploy it. Users with valid Administrator credentials can perform the following task to register an OpenSSO agent using the Oracle Access Management Console. Only centralized configuration mode is supported for new OpenSSO Agent creation. Note: After agent registration, you can change the communication mode of the OAM Server if needed. Communication between the agent and server continues to work as long as the Agent uses SSO Only filter mode. Prerequisites Confirm that at least one OAM Server is running in the same mode as the agent to be registered. Install the Agent, as described in: ■ Oracle Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for Web Agents ■ Oracle Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for J2EE Agents See Also: "Understanding OpenSSO Agent Registration Parameters" To register an OpenSSO agent using the console 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security Console, select Create OpenSSO Agent from the Create (+) menu in the Agents section. 3. On the Create OpenSSO Agent page, enter required details (with an *) (Table 28–5). 4. Confirm that the Auto Create Policies box is checked (or clear the box to disable this function if you do not need a new Application Domain). 5. Click Apply to submit the registration (or close the page without submitting it): 6. Check the Confirmation window for the location of generated artifacts and then close the window. 7. In the navigation tree, confirm the Agent name is listed. 8. Copy OpenSSO Agent bootstrap and configuration files from the console host (AdminServer) to the Agent host Web server: OpenSSO Properties Files From ... Path ... From the AdminServer (Console) host $DOMAIN_HOME/output/$Agent_Name/ 28-20 Administrator's Guide for Oracle Access Management ■ OpenSSOAgentBootstrap.properties ■ OpenSSOAgentConfiguration.properties Registering and Managing OpenSSO Agents Using the Console 9. OpenSSO Properties Files From ... Path ... To the OpenSSO Agent host Web server $OHS_ dir/config. For example: $WebTier_MW_HOME/Oracle_ WT1/instances1/config/OHS/ohs1/config/ Restart the OAM Server hosting the Agent. 10. Proceed to the following topics, as needed: ■ "Configuring and Managing Registered OpenSSO Agents Using the Console" ■ Part VI, "Managing Access Manager SSO, Policies, and Testing" 28.4.2 Configuring and Managing Registered OpenSSO Agents Using the Console Steps in this procedure are the same whether you are editing (view, modify, or delete) a J2EE or Web type OpenSSO agent. Users with valid Administrator credentials can change any setting for a registered agent using the Oracle Access Management Console. After changes, updated details are propagated through a runtime configuration update process. There is usually no need to copy the artifacts over to OpenSSO agent configuration area. Artifacts need only be copied to the OpenSSO agent directory path if the agent name, password, or security mode is changed. Deleting an agent registration removes only the registration (not the associated host identifier, Application Domain, resources, or the agent instance itself), which prevents registering the same agent again if required. However, deleting the Application Domain and its content removes all referenced objects including the Agent registration, as described in "Deleting an Application Domain and Its Contents" on page 25-13. Note: Prerequisites The agent must be registered and the registration visible in the Oracle Access Management Console. The AdminServer and one OAM Server must be running. See Also: "About the Expanded OpenSSO Agent Page and Parameters" on page 28-12 To view or modify registration details (or delete a registration) 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. a. In the Application Security console, click Agents to display the Agents Search page. b. Find a Registration: Fill in the form (Agent Name or Agent Type or both) or simply click the Search button. c. Open a Registration: Click the Agent name in the results table to open the page. Modify Existing Details: a. Add or modify agent details as desired (Table 28–5). b. Click Apply to submit changes, then dismiss the Confirmation window. Registering and Managing Legacy OpenSSO Agents 28-21 Performing Remote Registration for OpenSSO Agents c. 3. Copy OpenSSO Agent configuration files only if the Agent name, password, or security mode was changed. Delete OpenSSO Agent Registration: This does not remove the Agent instance itself, only the registration page from the console. a. Close the agent's registration page if it is open. b. Click the desired agent's name, click the Delete button in the tool bar, and confirm the removal in the Confirmation window. c. Confirm the Agent name is absent in the navigation tree. 4. Restart the OAM Server hosting the Agent. 5. Proceed to Part VI, "Managing Access Manager SSO, Policies, and Testing". 28.5 Performing Remote Registration for OpenSSO Agents This section provides a brief review of remote registration using the Oracle-provided tool: oamreg. this section provides the following topics: ■ Understanding Request Templates for OpenSSO Agent Remote Registration ■ Reviewing OpenSSO Bootstrap Configuration Mappings ■ Performing In-Band Remote Registration with OpenSSO Agents ■ Performing Out-of-Band Remote Registration with OpenSSO Agents 28.5.1 Understanding Request Templates for OpenSSO Agent Remote Registration Each OpenSSO Agent provides restricted access to applications by intercepting requests to these applications. OpenSSO Agent provisioning is the process of registering an OpenSSO agent to use Access Manager. Both inband and outofband remote registration modes require a request file with the input argument, as listed in Table 28–8 Table 28–8 OpenSSO Request Files for Remote Registration Templates for . . . Description Register OpenSSO Agents $OAM_REG_HOME/input/OpenSSORequest.xml $OAM_REG_HOME/input/OpenSSORequest_short.xml When you run oamreg with the short request, default values are applied automatically for elements found only in the extended request. Other Templates Update Agent: $OAM_REG_HOME/input/OpenSSOUpdateAgentRequest.xml Create Policies: $OAM_REG_HOME/input/CreatePolicyRequest.xml Create New Host Identifiers and an Application Domain without Registering an Agent See Also: "Managing Policies and Application Domains Remotely" on page 25-82 Update Policies: $OAM_REG_HOME/input/UpdatePolicyRequest.xml Existing Host Identifiers and Application Domain (not associated with an Agent Registration) See Also: "Managing Policies and Application Domains Remotely" on page 25-82 See Also: "Updating Agents Remotely" on page 15-38 Remote OpenSSO Agent registration automatically: 28-22 Administrator's Guide for Oracle Access Management Performing Remote Registration for OpenSSO Agents ■ Creates the agent page for the Oracle Access Management Console ■ Creates an Application Domain and basic policies to protect applications ■ Produces OpenSSO properties files on the client to be consumed by the agent at run time Table 28–9 identifies the elements in OpenSSO Agent request templates. Unless explicitly stated, all elements are found in both the short and the extended request files. Table 28–9 OpenSSO Agent Remote Registration Request Element Description Example Elements common to all remote registration request templates. See Table 15–8, " Common Elements in Remote Registration Requests" Choose between J2EE or Web type OpenSSO agents. WEB Password A required, unique password for this OpenSSO agent, which can be assigned during this registration process. The entry will appear in obfuscated format in the console, in oam-config.xml, and in OpenSSOAgentBootstrap.properties. You are asked to supply a password during remote registration. This does not appear in the template. Re-enter Password When a registered agent connects to an OAM SServer, the user is prompted for the password. The password is used for authentication to prevent unauthorized agents from connecting and obtaining policy information. Extended OpenSSO Template Only With set to true, you can configure the directory path for logged agent messages. /scratch/debug Default: None See Also: Chapter 7, "Logging Component Event Messages" Defines the directory path for audit logs from the OAM Server: ■ Audit Login events ■ Audit Logout success events /scratch/audit See Also: Chapter 8, "Auditing Administrative and Run-time Events" Defines the audit log file name. audit.log Registering and Managing Legacy OpenSSO Agents 28-23 Performing Remote Registration for OpenSSO Agents Table 28–9 (Cont.) OpenSSO Agent Remote Registration Request Element Description When set to true, the OAM Server logs false messages for: ■ ■ ■ Example Login success and login failure events Logout success and logout failure events Log messages at different logging levels (FATAL, ERROR, WARNING, DEBUG, TRACE), each of which indicates severity in descending order. Default: false See Also: Chapter 7, "Logging Component Event Messages" The name of the cookie, which the agent finds this cookie after the OpenSSO Proxy triggers session validation iPlanetDirectoryP ro The end user has the following valid cookies: ■ ■ OAM_ID cookie (represents the end user session after agent authentication) OpenSSO cookie If access is denied, the user is redirected to this URL. Specifies the Authentication Scheme to use in the Authentication Policy. In an upgraded environment, use SSOCoExistMigrateScheme for the Protected Resource Policy for any new OSSO Agents you register. 28.5.2 Reviewing OpenSSO Bootstrap Configuration Mappings This section describes the bootstrap configuration mappings of an OpenSSO Agent. Table 28–10 ■ Table 28–10, " J2EE Request File Mappings to the Properties File" ■ Table 28–11, " Mapping the Web Request File to the Properties File" J2EE Request File Mappings to the Properties File Property Name Default Value Sample Value com.iplanet.am.naming.url from input xml as /opensso/nami ngservice http://example.com:7575/opensso/nami ngservice com.sun.identity.agents.app.username from input xml as com.iplanet.am.service.secret from input xml as Note: This is not collected as part of the input XML file but is prompted for by the remote registration tool. com.iplanet.services.debug.directory from input xml as 28-24 Administrator's Guide for Oracle Access Management /opt/30j2ee/j2ee_agents/tomcat_v6_ agent/Agent_001/logs/debug Performing Remote Registration for OpenSSO Agents Table 28–10 (Cont.) J2EE Request File Mappings to the Properties File Property Name Default Value Sample Value com.sun.identity.agents.config.local.logfile from input xml as /opt/30j2ee/j2ee_agents/tomcat_v6_ / example_com_7676.log com.sun.identity.agents.config.organization.name from input xml as Note: This is the value collected from the input xml file. By default it is taken as the unless explicitly provided. com.sun.identity.agents.config.profilename from input xml as N/A N/A com.sun.identity.agents.config.service.resolver N/A N/A com.sun.services.debug.mergeall N/A com.sun.identity.agents.config.lock.enable FALSE N/A N/A am.encryption.pwd N/A N/A Not included in the remote registration file ... com.iplanet.am.naming.url N/A Table 28–11 shows the mappings between a Web Agent request file and properties file. Table 28–11 Mapping the Web Request File to the Properties File Property Name Default Value Sample Value com.iplanet.am.naming.url from input xml as //opensso/namingservice http://example.com:7575/opensso/nami ngservice com.sun.identity.agents.config.username from input xml as com.sun.identity.agents.config.password from input xml as Note: This is not collected as part of the input XML file but is prompted for by the remote registration tool. com.iplanet.services.debug.directory from input xml as /opt/30j2ee/j2ee_agents/tomcat_v6_ agent/Agent_001/logs/debug com.sun.identity.agents.config.local.logfile from input xml as /opt/30j2ee/j2ee_agents/tomcat_v6_ / redsky_red_iplanet_com_7676.log com.sun.identity.agents.config.organization.name from input xml as Note: It is the value collected from the input xml. Status: Open Fixed or Closed com.sun.identity.agents.config.profilename from input xml as 28.5.3 Performing In-Band Remote Registration with OpenSSO Agents This is a brief summary of tasks required to perform in-band remote registration for your OpenSSO agent. Full details are provided in other chapters, as described here. Prerequisites "Introduction to Remote Registration" on page 14-8 Registering and Managing Legacy OpenSSO Agents 28-25 Performing Remote Registration for OpenSSO Agents Task overview: In-band Administrators performing remote registration 1. Acquire the registration tool and set environment variables as described in "Acquiring and Setting Up the Remote Registration Tool" on page 15-33. $ORACLE_HOME/oam/server/rreg/client/RREG.tar.gz 2. Create your input file with unique values for the agent and Application Domain as described in "Creating Your Remote Registration Request" on page 15-34. From: OpenSSORequest.xml To: myopenssoagent_request.xml 3. Run the registration tool to configure the Agent, create a default Application Domain for the resources, and copy the updated agent configuration file as described in "Performing In-Band Remote Registration" on page 15-34. From the console host (AdminServer): /rreg/output/Agent_Name/ ■ OpenSSOAgentBootstrap.properties ■ OpenSSOAgentConfiguration.properties To the OpenSSO Agent host Web server $OHS_dir/config. For example: $WebTier_MW_HOME/Oracle_WT1/instances1/config/OHS/ohs1/config/ 4. Validate the configuration as described in "Validating Remote Registration and Resource Protection" on page 15-40. 5. Perform access checks to validate that the configuration is working, as described in "Verifying Authentication and Access After Remote Registration" on page 15-40. 28.5.4 Performing Out-of-Band Remote Registration with OpenSSO Agents This is a brief summary of tasks required to perform out-of-band remote registration for your OpenSSO agent. Full details are provided in other chapters, as described here. Prerequisites "Introduction to Remote Registration" on page 14-8 Task overview: Out-of-band remote registration (Agent is outside the network) 1. Out-of-band Administrator: Creates a starting request input file containing specific application and agent details and submits it to the in-band Administrator. ■ Acquire the registration tool and set environment variables as described in "Acquiring and Setting Up the Remote Registration Tool" on page 15-33. $ORACLE_HOME/oam/server/rreg/client/RREG.tar.gz ■ Copy and edit a template to input unique values for the agent and Application Domain as described in "Creating Your Remote Registration Request" on page 15-34. $OAM_REG_HOME/input/OpenSSORequest.xml ■ 2. Submit the starting request input file to the in-band Administrator using a method you choose (email or file transfer). In-band Administrator: 28-26 Administrator's Guide for Oracle Access Management Updating Registered OpenSSO Agents Remotely ■ Acquire the registration tool and set environment variables as described in "Acquiring and Setting Up the Remote Registration Tool" on page 15-33. $ORACLE_HOME/oam/server/rreg/client/RREG.tar.gz ■ 3. Use the out-of-band starting request with the registration tool to register the agent and create the response and native agent configuration files to return to the out-of-band Administrator. See "Performing Out-of-Band Remote Registration" on page 15-35: – opensso_Response.xml is generated for the out of band Administrator to use in Step 3. – OpenSSO properties files are modified for the out-of-band Administrator to bootstrap the OSSO module. Out-of-band Administrator: Use the registration tool with the response file and copy artifacts to the appropriate file system directory. – opensso_Response.xml. – opensso....properties files 4. In-band Administrator: Validates the configuration as described in "Validating Remote Registration and Resource Protection" on page 15-40. 5. Out-of-band Administrator: Performs several access checks to validate that the configuration is working, as described in "Verifying Authentication and Access After Remote Registration" on page 15-40. 28.6 Updating Registered OpenSSO Agents Remotely This section describes how to update, validate, and delete OSSO Agents using remote registration templates and modes described in "Introduction to Updating Agents Remotely" on page 15-37. The update request file passes specific values to the remote registration tool, oamreg. The primary differences between the update template and the original registration template is that the update template. Table 28–12 Delta: OpenSSO Remote Registration versus Remote Updates Delta Element Adds yyyy_mm_dd element to track changes Adds element that specifies the agent_base_url_port Omits Omits See Also: ■ Table 28–7, " Expanded OpenSSO Agent Registration Elements" ■ Updating OpenSSO Agents Remotely Registering and Managing Legacy OpenSSO Agents 28-27 Locating Other OpenSSO Agent Information 28.6.1 Updating OpenSSO Agents Remotely To remotely update OAM 10g Agent registration 1. Set up the registration tool as described in, "Acquiring and Setting Up the Remote Registration Tool" on page 15-33. 2. Update Agent: a. Create your update request using the OAMUpdateAgentRequest.xml template. b. On the computer hosting the Agent, run the following command with agentUpdate mode specify your own *Request*.xml as the input file. For example: ./bin/oamreg.sh agentUpdate input/OpenSSOUpdateAgentRequest.xml c. Provide the registration Administrator user name and password when asked. d. Confirm success with on-screen messages. e. Relocate to the agent host OpenSSOAgentBootstrap and OpenSSOAgentConfiguration.properties files: From the AdminServer (Console) host: /rreg/output/Agent_Name/ To the OpenSSO Agent host Web server $OHS_dir/config. For example: $WebTier_MW_HOME/Oracle_ WT1/instances1/config/OHS/ohs1/config/*.properties f. 3. Restart the OAM Server that is hosting this agent Validating Agent: a. On the Agent host, run the following command in agentValidate mode. For example: ./bin/oamreg.sh agentValidate agentname 4. b. Provide the registration Administrator user name and password when asked. c. Confirm success with on-screen messages. Deleting an Agent: a. On the computer hosting the Agent, run the following agentDelete command. For example: ./bin/oamreg.sh agentDelete agentname b. Provide the registration Administrator user name and password when asked. c. Confirm success with on-screen messages. Success: On-screen message confirms AgentDelete process completed successfully! 28.7 Locating Other OpenSSO Agent Information See Table 28–13 for additional information on legacy OpenSSO agents with Access Manager. 28-28 Administrator's Guide for Oracle Access Management Locating Other OpenSSO Agent Information Table 28–13 Other OpenSSO Information in this Guide Topic Location Component Loggers Table 7–3, " Oracle Access Management Server-Side Component Loggers" OpenSSO Metrics in the DMS Console "Monitoring OpenSSO Proxy Metrics" on page 11-12 Sessions and Session Management Chapter 16, "Maintaining Access Manager Sessions" Artifacts "Generated Artifacts: OpenSSO" on page D-10 "Migrated Artifacts: OpenSSO" on page D-13 Registering and Managing Legacy OpenSSO Agents 28-29 Locating Other OpenSSO Agent Information 28-30 Administrator's Guide for Oracle Access Management 29 Registering and Managing Legacy OSSO Agents 92 [24If ] legacy OracleAS SSO 10g is already in place as the enterprise solution for an existing deployment, Oracle Fusion Middleware continues to support this as a solution. Additionally, you can register existing OSSO 10g mod_osso modules as agents for Access Manager as described in Chapter 14. This chapter explains how to register or manage legacy OSSO agents for use with Access Manager 11.1.2 and provides the following sections: ■ Understanding OSSO Agents with Access Manager ■ Registering OSSO Agents Using Oracle Access Management Console ■ Configuring and Managing Registered OSSO Agents Using the Console ■ Performing Remote Registration for OSSO Agents ■ Updating Registered OSSO Agents Remotely ■ Configuring Logout for OSSO Agents with Access Manager 11.1.2 ■ Locating Other OSSO Agent Information 29.1 Understanding OSSO Agents with Access Manager This section provides the following topics: ■ About OSSO Agents with Access Manager ■ Comparing Access Manager 11g SSO versus OSSO 10g 29.1.1 About OSSO Agents with Access Manager The mod_osso module is an Oracle HTTP Server module that simplifies the authentication process by serving as the sole application to the single sign-on server. In this way, mod_osso renders authentication transparent to OracleAS applications. It enables applications protected by OracleAS Single Sign-On to accept HTTP headers in lieu of a user name and password once the user has logged in. The values for these headers are stored in a mod_osso cookie. The Administrator for these applications is spared the burden of integrating them with an SDK. After authenticating a user, mod_osso transmits the simple header values that applications may use to authorize the user: ■ User name ■ User GUID (global user identity) Registering and Managing Legacy OSSO Agents 29-1 Understanding OSSO Agents with Access Manager ■ Language and territory After registration with Access Manager, OSSO 10g Agents can communicate directly with Access Manager 11g services through the OSSO proxy. The OSSO proxy supports existing OSSO agents when upgrading to Access Manager. The proxy handles requests from OSSO Agents and translates the OSSO protocol into a protocol for Access Manager 11g authentication services. The OSSO Proxy supports inter-operability between Access Manager and OSSO agents (using an OSSO agent to access a valid SSO session created for a Webgate or Access Client and vice versa). OSSO Proxy Supports Description SSO login From an OSSO Agent to the OAM Server (and OSSO-specific tokens) SSO logout From the OSSO Agent to the OAM Server OSSO Agent requests and protocols OSSO Proxy translates the OSSO protocol into a protocol for Access Manager. After registering 10g mod_osso as an agent, Access Manager gives mod_osso the redirect URL for the user based on the authentication scheme associated with the OAM policy defined for the resource (Table 29–1). Table 29–1 OSSO Agents with Access Manager Checks for an existing valid Oracle HTTP Server cookie Redirects to the OAM Server if needed to contact the directory during authentication Decrypts the encrypted user identity populated by the OSSO server Sets the headers with user attributes 29.1.2 Comparing Access Manager 11g SSO versus OSSO 10g This topic introduces key components for implementing and enforcing Access Manager 11g single sign-on policies as compared to OSSO 10g. Access Manager 11g default behavior is to deny access when a resource is not protected by a policy that explicitly allows access. OracleAS SSO 10g provides only authentication. Table 29–2 summarizes the differences. 29-2 Administrator's Guide for Oracle Access Management Understanding OSSO Agents with Access Manager Table 29–2 11g Access Manager SSO versus OSSO 10g Component Summary Component Description 11g Access Manager OSSO 10g Oracle Identity Management Infrastructure Enables secure, central management of enterprise identities. Enables secure, central management of enterprise identities. Agents ■ 11g OAM Agents ■ 10g OAM Agents ■ 10g OSSO Agents (mod_osso) ■ OpenSSO Agents Resides with the relying parties and delegate authentication and authorization tasks to OAM Servers. ■ mod_osso (partner) Note: The mod_osso module is an Oracle HTTP Server module that provides authentication to OracleAS applications. Note: Nine Administrator languages are supported. Servers Notes: Administrative users access the console home page by typing the URL: https://host:port/oamconsole. ■ ■ OAM Server ■ Oracle Access Management Console (installed on the WebLogic Administration Server) OracleAS SSO server (OSSO server) See Also: Oracle Application Server Single Sign-On Administrator's Guide. Non-administrative users first gain access See Also: to the single sign-on server by entering "Understanding the Oracle Access the URL of an application, which returns Management Console" the SSO login page. "Understanding Credential Collection and Login" Proxy ■ Provides support for legacy systems: ■ ■ OAM Proxy supports legacy Access Manager implementations by acting as a legacy Access Server. ■ OSSO Proxy supports legacy SSO implementations by acting as the legacy OSSO Server. OSSO Proxy supports OSSO Agents by acting as the legacy OSSO Server. Oracle-provided OpenSSO Proxy handles requests for resources protected by OpenSSO Agents Console Oracle Access Management Console No console equivalent before Access Manager 11g. Protocols that secure information exchange on the Internet Front channel protocols exchanged between Agent and Server: HTTP/HTTPS. N/A 11g Webgate secures information exchange using the Agent key. -See Also: Cryptographic keys. Policy Store Database mod_osso and partner application Applications An application that delegates authentication and authorization to Access Manager and accepts headers from a registered Agent. An application that delegates authentication to mod_osso and the OracleAS Single Sign-On server. Note: External applications do not delegate authentication. Instead, these display HTML login forms that ask for application user names and passwords. For example, Yahoo! Mail is an external application that uses HTML login forms. Note: After registering mod_osso with Access Manager 11g, mod_osso delegates authentication to OAM. The mod_osso module enables the applications to accept authenticated user information once the user is logged in. Re authenticating is avoided by accepting headers from the registered OSSO Agent. The application is responsible for determining whether the authenticated user is authorized to use the application. Registering and Managing Legacy OSSO Agents 29-3 Understanding OSSO Agents with Access Manager Table 29–2 (Cont.) 11g Access Manager SSO versus OSSO 10g Component Summary Component Description 11g Access Manager SSO Engine Manages the session lifecycle, facilitates global logout across all relying parties in the valid session, and provides consistent service across multiple protocols. OSSO 10g ■ mod_osso delegates authentication only and communicates exclusively through the HTTP channel. Uses Agents registered with Access Manager 11g: ■ ■ Cryptographic keys ■ Authentication (credential collection) occurs across the HTTP (HTTPS) channel Authorization occurs across the Oracle Access Protocol (OAP) channel During 11g agent registration, a key is generated for the agent and also shared with the OAM Server The key is used for encrypting and decrypting SSO cookies ■ ■ ■ ■ ■ ■ ■ One key per partner shared between mod_osso and OSSO server OSSO server's own key One global key per OSSO setup for the GITO domain cookie During 10g agent registration, a global shared secret key is generated across all of Access Manager 11g (all Agents and OAM Servers). During OSSO agent registration, One key per partner shared between mod_osso and OSSO server. OpenSSO Agent: Host- or Domain-based key stored locally in bootstrap file on Agent host. During OAM Server installation, one OAM Server key is generated Note: One key is generated and used per registered mod_osso Agent. However, one single key is generated for all 10g Webgates. Keys storage ■ ■ ■ Agent side: A per-agent key is stored locally in the Oracle Secret Store in a wallet file OAM Server side: A per- agent key, and server key, are stored in the credential store on the server side Host-based authentication cookie: See Also: Table 21–6 ■ "About Single Sign-On Cookies During User Login" ■ ■ Policies ■ mod_osso side: partner keys and GITO global key stored locally in obfuscated configuration file OSSO server side: partner keys, GITO global key, and server key are all stored in the directory server Security Token Service Cookies and ■ ■ 10g Webgate, One ObSSOCookie for all 10g Webgates. One for the OAM Server: OAM_ID (Table 21–6) Registered agents rely on Access Manager authentication, authorization, and token issuance policies to determine who gets access to protected applications (defined resources). 29-4 Administrator's Guide for Oracle Access Management Host-based authentication cookie: one per partner: OHS-host-port 11g Webgate, One per agent: OAMAuthnCookie__ one for OSSO server: (not with Access Manager 11g) ■ Domain-level session cookie for global inactivity timeout (GITO) if enabled mod_osso uses only Access Manager 11g authentication policies to determine who gets access to defined resources. mod_osso provides authentication only. Understanding OSSO Agents with Access Manager Table 29–2 (Cont.) 11g Access Manager SSO versus OSSO 10g Component Summary Component Description 11g Access Manager Client IP ■ OSSO 10g Maintain this Client IP, and include it in the host- based OAMAuthnCookie. ■ Include the original client IP inside the host cookie. In later authentication requests, when the cookie is presented, the original client IP is compared with the presenter's IP. Rejection occurs if there is no match Encryption / Decryption (converting encrypted data back into original form) Introduces client-side cryptography and ensures that cryptography is performed at both the agent and server ends: 1. Cryptography is performed at both mod_ osso and OSSO server: 1. Webgate encrypts obrareq.cgi using the agent key. Note: obrareq.cgi is the authentication request in the form of 2. a query string redirected from Webgate to OAM Server. site2pstore token (request from mod_osso to server) is encrypted using the partner key locally at mod_osso. OSSO server decrypts site2pstore token, authenticates, and generates its own cookie. 2. OAM Server decrypts the request, authenticates, creates the session, and sets the server cookie. 3. urlc token (the response from OSSO server to mod_osso) is encrypted using the partner key at the server. 3. OAM Server also generates the authentication token for the agent (encrypted using the agent key), packs it in obrar.cgi with a session token (if using cookie-based session management), authentication token and other parameters, then encrypts obrar.cgi using the agent key. 4. mod_osso decrypts the urlc token locally and re-encrypts using its own format to set in a host-based cookie. Note: obrar.cgi is the authentication response string redirected from the OAM Server to Webgate. 4. Session Management ■ Webgate decrypts obrar.cgi, extracts the authentication token, and sets a host-based cookie. Session idle timeout behavior is supported through the 11g Session Management Engine (SME). ■ Single domain supported through a domain-level cookie for global inactivity timeout (GITO). Multi-domain SSO: After a user logs in to one domain, and then goes to a different domain, he is considered idle from the first domain. When the idle times out on the original domain, the user must re-authenticate on the original domain. Registering and Managing Legacy OSSO Agents 29-5 Registering OSSO Agents Using Oracle Access Management Console Table 29–2 (Cont.) 11g Access Manager SSO versus OSSO 10g Component Summary Component Description 11g Access Manager Response token replay prevention ■ Multiple network domain support Include RequestTime (the timestamp just before redirect) in obrareq.cgi and copy it to obrar.cgi to prevent response token replay. Access Manager 11g supports cross-network-domain single sign-on out of the box. OSSO 10g ■ Include RequestTime (timestamp just before redirect) in the site2pstore token and copy it to the urlc token to prevent token replay. N/A Oracle recommends you use Oracle Federation for this situation. Centralized log-out ■ ■ The logOutUrls (10g Webgate configuration parameter) is preserved. 10g logout.html requires specific details for Access Manager 11g. There is no change required for Access Manager 11g with mod_osso (OSSO Agents). Logout Redirect URL Applications that use dynamic directives require no entry in mod_osso.conf. Instead, protection is written into the application as one or more dynamic directives. Logout Callback URL See Chapter 27. 11g Webgate parameters are new: Logout Target URL See Chapter 27. See Also: "Understanding Credential Collection and Login" 29.2 Registering OSSO Agents Using Oracle Access Management Console This section describes how to manage OSSO Agent registrations (mod_osso) using the Oracle Access Management Console. For details, see: ■ Understanding the Create OSSO Agent Registration Page and Parameters ■ Registering an OSSO Agent (mod_osso) Using the Console 29.2.1 Understanding the Create OSSO Agent Registration Page and Parameters This topic describes OSSO Agent registration using the Oracle Access Management Console. Before you register an OSSO Agent, ensure that the Oracle HTTP Server is installed on the client computer and that the Web server is configured for mod_osso. Note: Figure 29–3 shows a Create OSSO Agent page, under the System Configuration tab in the Oracle Access Management Console. 29-6 Administrator's Guide for Oracle Access Management Registering OSSO Agents Using Oracle Access Management Console Figure 29–1 Create OSSO Agent Page On the Create OSSO Agent page, required information is identified by the asterisk (*). Table 29–3 describes the required and optional details that you can specify when you register a new agent. Table 29–3 Create OSSO Agent Page Elements Element Description Name The identifying name for this mod_osso Agent. Token Version The default version of the token is 3.0; the following options are available: Base URL Required for OSSO agents. ■ 1.2 ■ 1.4 ■ 3.0 The required protocol, host, and port of the computer on which the Web server for the agent is installed. For example, http://host.example.domain.com:port or https://example.domain.com:port. Note: The host and port are used as defaults for the expanded registration. See Table 29–5. Admin ID Optional Administrator log in ID for this mod_osso instance. For example, SiteAdmin. Admin Info Optional Administrator details for this mod_osso instance. For example, Application Administrator. Host Identifier The host identifier is filled in automatically based on the Agent name. Auto Create Policies During agent registration, you can have authentication and authorization policies created automatically. This option is checked (enabled) by default. The OSSO Proxy requires an Application Domain that includes a resource with the generic URL (/**) protected by a policy based on the LDAP scheme (default). This is why a generic URL is used at the server side. Default: Enabled Notes: If you already have a domain and policies registered, you can simply add new resources to it. If you clear (uncheck) this option, no Application Domain or policies are generated automatically. In an upgraded deployment, you must change the Authentication Scheme in your Authentication Policy to use SSOCoExistMigrateScheme. To help streamline Agent registration, several elements are concealed and default values are used during registration with the console. When you view an agent's registration page in the Oracle Access Management Console, all elements and values are revealed as described in "Understanding the Expanded OSSO Agent Page in the Console" on page 29-9. OSSO Agent Configuration File The OSSO Agent configuration file, osso.conf, is updated during agent registration and configuration changes. It is stored on the console host (AdminServer). Following Registering and Managing Legacy OSSO Agents 29-7 Registering OSSO Agents Using Oracle Access Management Console registration or configuration updates, you must relocate the artifacts to the mod_osso directory path on the Agent host as shown in Table 29–4. Table 29–4 Relocating OSSO Artifacts From AdminServer . . . $DOMAIN_HOME/output/$Agent_Name/ To OHS_dir/osso.conf $WebTier_MW_HOME/Oracle_ WT1/instances1/config/OHS/ohs1/config/osso 29.2.2 Registering an OSSO Agent (mod_osso) Using the Console Users with Oracle Access Management Administrator credentials can perform the following procedure to register an OSSO Agent using the Oracle Access Management Console. Prerequisites Ensure that the Oracle HTTP Server is installed and running on the client computer, and is configured for mod_osso. See Also: Understanding the Create OSSO Agent Registration Page and Parameters To register an OSSO Agent 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security console, select Create OSSO Agent from the Create (+) drop-down list in the Agents section. 3. On the Create OSSO Agent page, enter required details, as shown in Table 29–3: ■ Name ■ Base URL 4. Select the desired Token Version, and enter optional details as desired (Table 29–3). 5. Click Apply to submit the registration (or close the page without applying changes). 6. In the Confirmation window, check the path to generated artifacts and then close the window. For example: Artifacts are generated in following location : /.../base_domain/output/$Agent_ Name 7. Copy the osso.conf file from the console host (AdminServer) to the Agent host Web server. For example: osso.conf From ... Path ... From the AdminServer (Console) host $DOMAIN_HOME/output/$Agent_Name/ To the mod_osso directory path on the Agent host Web server: $OHS_dir/osso.conf. $WebTier_MW_HOME/Oracle_ WT1/instances1/config/OHS/ohs1/config/oss o.conf 8. In an upgraded deployment, change the Authentication Scheme in the Protected Resources Policy to use SSOCoExistMigrateScheme. 9. Restart the OAM Server hosting the Agent. 29-8 Administrator's Guide for Oracle Access Management Configuring and Managing Registered OSSO Agents Using the Console 10. Proceed as needed: ■ "Configuring and Managing Registered OSSO Agents Using the Console" ■ Part VI, "Managing Access Manager SSO, Policies, and Testing" 29.3 Configuring and Managing Registered OSSO Agents Using the Console This section describes how to manage OSSO Agent registrations (mod_osso) using the Oracle Access Management Console. For details, see: ■ Understanding the Expanded OSSO Agent Page in the Console ■ Searching for an OSSO Agent (mod_osso) Registration ■ Viewing or Editing OSSO Agent (mod_osso) Registration ■ Deleting an OSSO Agent (mod_osso) Registration 29.3.1 Understanding the Expanded OSSO Agent Page in the Console During registration, only a subset of available parameters is displayed to streamline the registration process. Whether you registered the agent using the Oracle Access Management Console or the remote registration utility, you can view the full agent configuration page in the console after registration. Default values populate previously concealed elements, which are visible when you open the Agent's page, as shown in Figure 29–2. The Confirmation window is still visible. Figure 29–2 OSSO Agent Page and Confirmation Window Table 29–5 summarizes the expanded elements and defaults that are used by the OSSO Agent. Table 29–5 Expanded OSSO Agent Elements Element Description Site Token The Application Token used by the partner when requesting authentication. This cannot be edited. Success URL The redirect URL to be used upon successful authentication. By default, osso_login_ success on the fully qualified host and port specified with the Base URL are used. For example: Default: https://example.domain.com:7001/osso_login_success Registering and Managing Legacy OSSO Agents 29-9 Configuring and Managing Registered OSSO Agents Using the Console Table 29–5 (Cont.) Expanded OSSO Agent Elements Element Description Failure URL The redirect URL to be used if authentication fails.By default, osso_login_failure on the fully qualified host and port specified with the Agent Base URL are used: Default: https://example.domain.com:7001/osso_login_failure Start Date First month, day, and year for which log in to the application is allowed by the server. Default: The date the Agent was registered. Home URL The redirect URL to be used for the Home page after authentication. By default, the fully qualified host and port specified with the Agent Base URL are used: Default: https://example.domain.com:7001 Logout URL The redirect URL to be used when logging out. This redirects the user to the global logout page on the server: osso_logout_success. By default, the fully qualified host and port specified with the Agent Base URL are used: Default: https://example.domain.com:7001/osso_logout_success See Also: "Introduction to Centralized Logout for Access Manager 11g" on page 27-1. 29.3.2 Searching for an OSSO Agent (mod_osso) Registration When you first open the OSSO Agents node, the Search form appears. The Results table lists all OSSO Agents. If there are too many to quickly locate the one you want, you can use the controls to refine your search. There are only two element on which you can refine an OSSO Agent search: The Agent Name that assigned during registration or the Agent ID assigned by the system. Prerequisites The OSSO Agent must be registered to be available in the Oracle Access Management Console. To search for an OSSO Agent registration 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security console, click Agents. 3. In the Name field, enter criteria for your search (with or without including the wild card (*)). For example: my* 4. Click the Search button. 5. In the Search Results table: ■ ■ ■ ■ ■ 6. Crreate: Click the Create OSSO Agent button at the top of the Search page. Edt or View: Click the Edit command button in the tool bar to display the configuration page. Delete: Proceed to "Deleting an OSSO Agent (mod_osso) Registration" on page 29-11. Detach: Click Detach in the tool bar to expand the table to a full page. Reconfigure Table: Select a View menu item to alter the appearance of the results table. Apply any changes (or dismiss the page) when finished. 29-10 Administrator's Guide for Oracle Access Management Configuring and Managing Registered OSSO Agents Using the Console 29.3.3 Viewing or Editing OSSO Agent (mod_osso) Registration Users with valid Administrator credentials can change any setting for a registered OSSO Agent using the Oracle Access Management Console, as described in the following procedure. For example, you might want to revise the end date or add Administrator information. Prerequisites Ensure that the Oracle HTTP Server is installed and running on the client computer, and is configured for mod_osso. See Also: ■ Understanding the Expanded OSSO Agent Page in the Console To view or modify an OSSO Agent registration 1. Find the Agent: See "Searching for an OSSO Agent (mod_osso) Registration". 2. View or Modify: On the registration page, view or modify details as needed (Table 29–3 and Table 29–5). 3. Click Apply to submit the changes (or close the page without applying changes), and close the Confirmation window. 4. Copy the osso.conf file from the console host (AdminServer) to the Agent host Web server. For example: osso.conf From ... Path ... From the AdminServer (Console) host $DOMAIN_HOME/output/$Agent_Name/ To the mod_osso directory path on the Agent host Web server: $OHS_dir/osso.conf. $WebTier_MW_HOME/Oracle_ WT1/instances1/config/OHS/ohs1/config/oss o.conf 5. Restart the OAM Server hosting the Agent. 6. Proceed to Part VI, "Managing Access Manager SSO, Policies, and Testing". 29.3.4 Deleting an OSSO Agent (mod_osso) Registration Users with valid Administrator credentials can perform the following procedure to delete a registered OSSO Agent from the Oracle Access Management Console. Deleting an agent registration removes only the registration (not the associated host identifier, Application Domain, resources, or the agent instance itself), which prevents registering the same agent again if required. However, deleting the Application Domain and its content removes all referenced objects including the Agent registration, as described in "Deleting an Application Domain and Its Contents" on page 25-13. Note: Prerequisites Evaluate the Application Domain, resources, and policies associated with this agent and ensure that these are configured to use another agent or that they can be removed. See Also: Searching for an OSSO Agent (mod_osso) Registration Registering and Managing Legacy OSSO Agents 29-11 Performing Remote Registration for OSSO Agents To delete an OSSO Agent registration 1. Find the Agent: See "Searching for an OSSO Agent (mod_osso) Registration". 2. In the list of search results, select the desired agent and click Delete in the toolbar; confirm the deletion when prompted. 29.4 Performing Remote Registration for OSSO Agents This section provides a brief review of remote registration using the Oracle-provided tool (oamreg) with OSSO Agents. This section provides the following topics: ■ Understanding Request Templates for OSSO Remote Registration ■ Performing In-Band Remote Registration of OSSO Agents ■ Performing Out-of-Band Remote Registration for OSSO Agents 29.4.1 Understanding Request Templates for OSSO Remote Registration This topic provides the OSSO Registration Request for use with the remote registration tool oamreg.sh (Linux) or oamreg.bat (Windows). The information highlighted in bold must be modified for a mod_osso agent. However, all other fields can use the default values. Both inband and outofband remote registration modes require a request file with the input argument, as listed in Table 29–6. Table 29–6 OpenSSO Request Files for Remote Registration Templates for . . . Description Register OSSO Agents (mod_ osso) $OAM_REG_HOME/input/OSSORequest.xml Other Templates Update Agent: $OAM_REG_HOME/input/OSSOUpdateAgentRequest.xml See Also: "Updating Agents Remotely" on page 15-38 Create Policies: $OAM_REG_HOME/input/CreatePolicyRequest.xml Create New Host Identifiers and an Application Domain without Registering an Agent See Also: "Managing Policies and Application Domains Remotely" on page 25-82 Update Policies: $OAM_REG_HOME/input/UpdatePolicyRequest.xml Existing Host Identifiers and Application Domain (not associated with an Agent Registration) See Also: "Managing Policies and Application Domains Remotely" on page 25-82 Table 29–7 describes elements in the OSSO request file: OSSORequest.xml. 29-12 Administrator's Guide for Oracle Access Management Performing Remote Registration for OSSO Agents Table 29–7 OSSO-Specific Elements in a Remote Registration Request Elements Description Example Elements common to all remote registration request templates. See Table 15–8, " Common Elements in Remote Registration Requests" SSO Token version values: >... > ■ ■ ■ v3.0: Most secure token using AES encryption standard for encrypting tokens exchanged between OAM Server and mod_osso. This is the default value. This was supported by OSSO 10.1.4.3 patch set. v1.4: This is supported by OSSO 10g prior to OSSO 10.1.4.3 patch set. Uses DES encryption standard. v1.2: This used to be version of tokens exchanged between OSSO partners prior to OSSO 10.1.4.0.1. Uses DES. The absolute file system directory path to the mod_osso agent. $ORACLE_HOME Default: None specified Optional. Administrator details for this mod_osso instance. For example, Application Administrator. Default: None specified Optional. Administrator log in ID for this mod_osso instance. For example, SiteAdmin. Default: None specified Include the Logout URLs for consumption during remote registration. logout1.html Default: None specified Include the Failure URLs for consumption during remote failure1.html registration. Default: None specified Remote OSSO Agent registration automatically: ■ Creates the agent page for the Oracle Access Management Console ■ Creates an Application Domain and basic policies to protect applications ■ Updates the OSSO configuration file on the client to be consumed by the agent at run time 29.4.2 Performing In-Band Remote Registration of OSSO Agents This is a brief summary of tasks required to perform in-band remote registration for your OSSO agent. Full details are provided in Chapter 15. Registering and Managing Legacy OSSO Agents 29-13 Performing Remote Registration for OSSO Agents Prerequisites Introduction to Remote Registration on page 14-8 Task overview: In-band Administrators performing remote registration 1. Acquire the registration tool and set environment variables as described in "Acquiring and Setting Up the Remote Registration Tool" on page 15-33. $ORACLE_HOME/oam/server/rreg/client/RREG.tar.gz 2. Create your input file with unique values for the agent and Application Domain as described in "Creating Your Remote Registration Request" on page 15-34. From: OSSORequest.xml To: myossoagent_request.xml 3. Run the registration tool to configure the Agent, create a default Application Domain for the resources, and copy the updated agent configuration file as described in "Performing In-Band Remote Registration" on page 29-13. From AdminServer (Console) host: $DOMAIN_HOME/output/$Agent_Name/osso.conf To: mod_osso directory path on the Agent host: $OHS_dir/osso.conf. For example: $WebTier_MW_HOME/Oracle_WT1/instances1/config/OHS/ohs1/config/ osso.conf 4. Validate the configuration as described in "Validating Remote Registration and Resource Protection" on page 15-40. 5. Perform access checks to validate that the configuration is working, as described in "Verifying Authentication and Access After Remote Registration" on page 15-40. 29.4.3 Performing Out-of-Band Remote Registration for OSSO Agents The term out-of-band registration refers to manual registration that involves coordination and actions by both the in-band Administrator and the out-of-band Administrator. In outofband mode, the in-band Administrator uses the starting request file submitted by the out-of-band Administrator, and returns a generated response file to the out-of-band Administrator for additional processing. The out-of-band Administrator runs the remote registration tool with the response file as input to update the agent configuration file. This is a brief summary of tasks required to perform out-of-band remote registration for your OSSO agent. Full details are provided in other chapters, as described here. Prerequisites "Introduction to Remote Registration" on page 14-8 Task overview: Out-of-band remote registration (Agent is outside the network) 1. Out-of-band Administrator: Creates a starting request input file containing specific application and agent details and submits it to the in-band Administrator. ■ Acquire the registration tool and set environment variables as described in "Acquiring and Setting Up the Remote Registration Tool" on page 15-33. $ORACLE_HOME/oam/server/rreg/client/RREG.tar.gz 29-14 Administrator's Guide for Oracle Access Management Updating Registered OSSO Agents Remotely ■ Copy and edit a template to input unique values for the agent and Application Domain as described in "Creating Your Remote Registration Request" on page 15-34. $OAM_REG_HOME/input/OSSORequest.xml ■ 2. Submit the starting request input file to the in-band Administrator using a method you choose (email or file transfer). In-band Administrator: ■ Acquire the registration tool and set environment variables as described in "Acquiring and Setting Up the Remote Registration Tool" on page 15-33. $ORACLE_HOME/oam/server/rreg/client/RREG.tar.gz ■ 3. Use the out-of-band starting request with the registration tool to register the agent and create the response and native agent configuration files to return to the out-of-band Administrator. See "Performing Out-of-Band Remote Registration" on page 15-35: – osso_Response.xml is generated for the out of band Administrator to use in Step 3. – osso.conf is modified for the out-of-band Administrator to bootstrap the OSSO module. Out-of-band Administrator: Use the registration tool with the response file and copy artifacts to the appropriate file system directory. – osso_Response.xml. – osso.conf 4. In-band Administrator: Validates the configuration as described in "Validating Remote Registration and Resource Protection" on page 15-40. 5. Out-of-band Administrator: Performs several access checks to validate that the configuration is working, as described in "Verifying Authentication and Access After Remote Registration" on page 15-40. 29.5 Updating Registered OSSO Agents Remotely This section describes how to update, validate, and delete OSSO Agents using remote registration templates and modes described in "Introduction to Updating Agents Remotely" on page 15-37. The update request file passes specific values to the remote registration tool, oamreg. The primary differences between the update template and the original registration template is that the update template. Table 29–8 Delta: OSSO Remote Registration versus Remote Updates Delta Element Adds yyyy_mm_dd element to track changes element that specifies the agent_base_url_port Omits Omits Registering and Managing Legacy OSSO Agents 29-15 Configuring Logout for OSSO Agents with Access Manager 11.1.2 To remotely update OSSO Agent registration 1. Set up the registration tool as described in, "Acquiring and Setting Up the Remote Registration Tool" on page 15-33. 2. Update Agent: a. Create your update request using the OSSOUpdateAgentRequest.xml template. b. On the computer hosting the Agent, run the following command with agentUpdate mode specify your own *Request*.xml as the input file. For example: ./bin/oamreg.sh agentUpdate input/*OSSOUpdateAgentRequest.xml c. Provide the registration Administrator user name and password when asked. d. Confirm success with on-screen messages. e. Relocate to the agent host osso.conf: From the AdminServer (Console) host: /rreg/output/Agent_Name/ To the mod_osso directory path (Agent host Web server $OHS_dir/osso.conf): $WebTier_MW_HOME/Oracle_ WT1/instances1/config/OHS/ohs1/config/osso.conf f. 3. Restart the OAM Server that is hosting this agent Validating Agent: a. On the Agent host, run the following command in agentValidate mode. For example: ./bin/oamreg.sh agentValidate agentname 4. b. Provide the registration Administrator user name and password when asked. c. Confirm success with on-screen messages. Deleting an Agent: a. On the computer hosting the Agent, run the following agentDelete command. For example: ./bin/oamreg.sh agentDelete agentname b. Provide the registration Administrator user name and password when asked. c. Confirm success with on-screen messages. Success: On-screen message confirms AgentDelete process completed successfully! 29.6 Configuring Logout for OSSO Agents with Access Manager 11.1.2 This section provides the following topics: ■ About Centralized Logout with OSSO Agents (mod_OSSO) and Access Manager ■ Removing Custom mod_osso Cookies on Logout 29-16 Administrator's Guide for Oracle Access Management Configuring Logout for OSSO Agents with Access Manager 11.1.2 29.6.1 About Centralized Logout with OSSO Agents (mod_OSSO) and Access Manager With OSSO Agents (mod_osso 10g), partner applications also cede logout control to the OAM Server (single sign-on server). When the user logs out of one application, she is automatically logged out of all other applications. No change is needed in the logout URL configuration of existing applications that use the OSSO Agent. Note: Process overview: Centralized logout with mod_osso 1. Clicking Logout in an application takes the user to the page where logout occurs 2. When a user has signed off successfully, each of the applications listed on the centralized logout page has a check mark beside the application name. 3. A broken image beside an application name identifies an unsuccessful logout. 4. Once all of the application names activated in a session have a check mark, you can click Return to go to the application from which you initiated logout. 5. Delete the custom mod_osso agent cookies on logout. 29.6.2 Removing Custom mod_osso Cookies on Logout The OSSO server cookie includes a list of partner IDs. Process overview: When a user logs off from one partner application 1. OSSO server pulls a list of the logout URLs. 2. OSSO server clears its own cookie. 3. OSSO server redirects to a customized JSP page (hosted on the OSSO server), and passes the list of logout URLs in the request. 4. The JSP page loads those logout URLs that contains some image tags of check marks, and as a result of the loading, the cookies for those mod_osso instances are cleared However, on user logout, some custom cookies set by OAM Server through authentication response settings might not get deleted. However, you can edit oam-config.xml to configure the OAM Server to delete custom cookies set during authentication when a user logs out of OAM. For instance, when integrating with Oracle E-Business Suite, the ORASSO_AUTH_HINT cookie is set by the application and should be included in the CookieNames list (or the UCM cookie, for example). Syntax (beneath PluginClass" Type=...): COOKIE_NAME The following procedure guides as you edit the CookieDelMap element and add CookieNames as a single value or a comma-separated list of custom cookies to delete when a user logs out. This procedure also explains how to increment the oam-config.xml file version to propagate your change to all managed servers without restarting. Registering and Managing Legacy OSSO Agents 29-17 Locating Other OSSO Agent Information Caution: Work carefully. In general, Oracle recommends that you do not edit the oam-config.xml file. This, however, is a rare exception. To delete custom mod_osso cookies on logout 1. Back up $DOMAIN_HOME/config/fmwconfig/oam-config.xml. 2. In oam-config.xml, add (or edit) the CookieDelMap element and CookieNames. For example: ORASSO_AUTH_HINT 3. Configuration Version: Increment the Version xsd:integer as shown in the next to last line of this example (existing value (25, here) + 1): Example: 11.1.1.3 25 4. Save the file. 29.7 Locating Other OSSO Agent Information See Table 29–9 for additional information on legacy OSSO agents with Access Manager. Table 29–9 Other OSSO Information in this Guide Topic Location Component Loggers Table 7–3, " Oracle Access Management Server-Side Component Loggers" OSSO Metrics in the DMS Console "Reviewing OSSO Agent Metrics" on page 11-8 Sessions and Session Management Chapter 16, "Maintaining Access Manager Sessions" 29-18 Administrator's Guide for Oracle Access Management 30 Registering and Managing 10g WebGates with Access Manager 11g 03 The Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management describes initial deployment of Access Manager 11g with the Oracle HTTP Server. However, when your enterprise includes Web server types other than Oracle HTTP Server you might want to use existing 10g WebGates or install fresh 10g WebGates for use with Access Manager. Also, you might want to switch from using the pre-registered IAMSuiteAgent to using a 10g WebGate to protect Oracle Identity Management Consoles. The following sections describe how to install fresh instances of 10g WebGates for use with Access Manager: ■ Prerequisites ■ Introduction to 10g OAM Agents for Access Manager 11g ■ Comparing Access Manager 11.1.2 and 10g ■ Configuring Centralized Logout for IAMSuiteAgent ■ Registering a 10g WebGate with Access Manager 11g Remotely ■ Managing 10g OAM Agents Remotely ■ Locating and Installing the Latest 10g WebGate for Access Manager 11g ■ Configuring Centralized Logout for 10g WebGate with 11g OAM Servers ■ Removing a 10g WebGate from the Access Manager 11g Deployment 30.1 Prerequisites Review the latest certification matrix from Oracle Technology Network to locate the latest WebGates for your deployment: http://www.oracle.com/technetwork/middleware/id-mgmt/fusion-certification100350.html Ensure that your Oracle Access Management Console is running and get familiar with: ■ Introduction to Policy Enforcement Agents on page 14-1 ■ Introduction to 10g OAM Agents for Access Manager 11g in this chapter Registering and Managing 10g WebGates with Access Manager 11g 30-1 Introduction to 10g OAM Agents for Access Manager 11g 30.2 Introduction to 10g OAM Agents for Access Manager 11g This section provides the following topics: ■ About IAMSuiteAgent: A Pre-Configured 10g WebGate Registered with Access Manager ■ About Legacy Oracle Access Manager 10g Deployments and WebGates ■ About Installing Fresh 10g WebGates to Use With Access Manager 11.1.2 ■ About Centralized Logout with 10g OAM Agents and 11g OAM Servers 30.2.1 About IAMSuiteAgent: A Pre-Configured 10g WebGate Registered with Access Manager IAMSuiteAgent is a Java agent filter that is pre-registered with Access Manager 11.1.2 out of the box. This agent and the companion Application Domain are installed pre-configured with Access Manager. The IAMSuiteAgent is a domain-wide agent: ■ ■ ■ Once Access Manager is deployed, the IAMSuiteAgent is installed on every server in the domain Unless disabled, every request coming into the WebLogic Application Server is evaluated and processed by the IAMSuiteAgent Certain IAMSuiteAgent configuration elements are available in the WebLogic Administration Console (in the Security Provider section) and others in the Oracle Access Management Console. IAMSuiteAgent and related policies provide SSO protection for the IDM Administration Console, Oracle Identity Console, Oracle Access Management Console, and specific resources in the Identity Management domain. You can replace the IAMSuiteAgent with a 10g WebGate to protect Oracle Identity Management Consoles and resources in the Identity Management domain, if you choose. See Also: ■ ■ ■ Section 30.4, "Configuring Centralized Logout for IAMSuiteAgent" Section 15.11, "Replacing the IAMSuiteAgent with an 11g WebGate" Section D.1, "Bundled 10g IAMSuiteAgent Artifacts" 30.2.2 About Legacy Oracle Access Manager 10g Deployments and WebGates 11g OAM Servers support 10g WebGates that are registered to operate with Access Manager 11.1.2. Such WebGates might include: ■ ■ ■ Legacy 10g WebGates currently operating with Oracle Access Manager 10g. Legacy 10g WebGates configured as the Identity Assertion Provider (IAP) for SSO (for applications using IAP WebLogic container-based security with Oracle Access Manager 10g, as described in the Oracle Fusion Middleware Application Security Guide). Legacy 10g WebGates currently operating with Web Applications coded for Oracle ADF Security and the OPSS SSO Framework 30-2 Administrator's Guide for Oracle Access Management Introduction to 10g OAM Agents for Access Manager 11g You can register these agents to use Access Manager SSO using either the Oracle Access Management Console or the remote registration tool. After registration, 10g WebGates directly communicate with Access Manager through a Java-based OAM Proxy that acts as a bridge. See Also: ■ ■ Table 1–2 Appendix A, "Integrating Oracle ADF Applications with Access Manager SSO" The following overview outlines the tasks that must be performed to set up an existing 10g WebGate to operate with Access Manager. Task overview: Setting up a legacy 10g WebGate to operate with Access Manager 1. Registering a 10g WebGate with Access Manager 11g Remotely 2. Configuring Centralized Logout for 10g WebGate with 11g OAM Servers 3. Optional: Deploying Applications in a WebLogic Container as described in the Oracle Fusion Middleware Application Security Guide. 30.2.3 About Installing Fresh 10g WebGates to Use With Access Manager 11.1.2 You can install fresh 10g WebGates for use with Access Manager 11g as described in this chapter. 10g WebGates are available for a number of Web server platforms. After installation and registration, 10g WebGates directly communicate with Access Manager through a Java-based OAM proxy that acts as a bridge. When installing fresh 10g WebGates for Access Manager, Oracle recommends that you use the latest WebGates. Oracle also recommends that you install multiple WebGates for failover and load balancing. Note: There are several differences between installing a 10g WebGate to operate in an 11g Access Manager deployment versus installing the 10g WebGate in an 10g Oracle Access Manager deployment. Table 30–1 outlines these differences. Registering and Managing 10g WebGates with Access Manager 11g 30-3 Introduction to 10g OAM Agents for Access Manager 11g Table 30–1 Installation Comparison with 10g WebGates 10g WebGates in 11g Deployments 10g WebGates in 10g Deployments 1. Packages: 10g WebGate installation packages are found on 1. media and virtual media that is separate from the core components. Packages: 10g WebGate installation packages are found on media and virtual media that is separate from the core components. 2. Provisioning: Before installation, provision WebGate with Access Manager 11g as described in "Registering a 10g WebGate with Access Manager 11g Remotely" on page 30-11. 2. Provisioning: Before installation, you create a WebGate instance in the Access System Console. 3. Associating with AAA: Before installation, you associated the WebGate with an Access Server in the Access System Console. 4. Installing: Using 10g WebGate packages. 5. Language Packs: 10g WebGate Language Packs could be installed during WebGate installation (or later). 6. Web Server Configuration: Automatic during WebGate installation (or manually after WebGate installation). 7. Certificate Installation: You copied files to the WebGate installation directory path. 8. Forms: Were provided for use in 10g deployments. 9. Centralized Log Out for Oracle Access Manager 10g. 10. Multi-Domain Support: Could be configured for Oracle Access Manager 10g. 3. Associating with OAM Server: Occurs during WebGate registration (task 2 of this sequence). 4. Installing: Install the 10g WebGate in front of the application (or for Fusion Middleware, in front of the WebLogic Server). 5. Language Packs: 10g WebGate Language Packs are supported with Access Manager. 6. Web Server Configuration: Copy Access Manager generated files to the WebGate installation directory path to update the Web server configuration. 7. Certificate Installation: Copy files to the WebGate installation directory path. 8. Forms: 10g forms provided with 10g WebGates cannot be used with 11g OAM Servers. Using 10g WebGates with 11g OAM Servers is similar in operation and scope to a resource WebGate (one that redirects in contrast to the Authentication WebGate). With a 10g WebGate and 11g OAM Server, the 10g WebGate always redirects to the 11g credential collector which acts like the authenticating WebGate. 9. Single Log Out: Configure using information in Chapter 27, "Configuring Centralized Logout for Sessions Involving 11g WebGates." 10. Multi-Domain Support: Does not apply with Access Manager 11g. The following overview lists the topics in this chapter that describe 10g WebGate installation and registration tasks for Access Manager 11g in detail. You must complete all procedures for successful operation with Access Manager 11g. Task overview: Registering and installing a 10g WebGate for Access Manager 11g 1. Registering a 10g WebGate: 2. Locating and Downloading 10g WebGates for Use with Access Manager 11g 3. Configuring Centralized Logout for 10g WebGate with 11g OAM Servers 4. Optional: Deploying Applications in a WebLogic Container as described in Oracle Fusion Middleware Application Security Guide. 30.2.4 About Centralized Logout with 10g OAM Agents and 11g OAM Servers Logout is initiated when an application causes the invocation of the logout.html file configured for any registered 10g WebGate. Generally speaking, during centralized logout with 10g WebGates the SSO Engine receives a user-session-exists request. The Session Management Engine looks up the session and responds that the session exists. The SSO engine sends a Clear Session request. The Session management engine clears the token and session context. The SSO engine sends a Session Cleared response. 30-4 Administrator's Guide for Oracle Access Management Comparing Access Manager 11.1.2 and 10g Clearing the user token and the session context clears the server-side state, which includes clearing the OAM_ID cookie set on the server side. When the agent is notified, the agent clears the client-side state of the application. For more information, see Section 30.8, "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers." See Also: Section 30.4, "Configuring Centralized Logout for IAMSuiteAgent" 30.3 Comparing Access Manager 11.1.2 and 10g This topic provides a comparison against the 10g architecture for Access Manager and OSSO. Included are the following topics: ■ Comparing Access Manager 11g versus 10g ■ Comparing Access Manager 11g versus 10g Policy Model 30.3.1 Comparing Access Manager 11g versus 10g Access Manager 11g differs from 10g in that the identity administration features have been transferred to Oracle Identity Manager 11g (including user self-service and self registration, workflow functionality, dynamic group management, and delegated identity administration). Access Manager 10g supported Single Sign-on using a single session cookie (the ObSSOCookie) that contained the user identity and session information required to access target resources that had the same or lower authentication level. The ObSSOCookie was encrypted and decrypted using a global shared secret key, the value of which was stored in the directory server. The ObSSOCookie was consumed by Access System components to verify the user identity and allow or disallow access to protected resources. To close any possible security gaps, Access Manager 11g provides new server-side components that maintain backward compatibility with existing Access Manager 10g policy-enforcement agents (WebGates) and OSSO 10g agents (mod_osso). New Access Manager 11g WebGates are enhanced versions of 10g WebGates, that support a per-agent secret key for the Single Sign-on (SSO) solution. Thus, cookie-replay type of attack are prevented. The 11g WebGates are all trusted at the same level; a cookie specific for the WebGate is set and cannot be used to access any other WebGate-protected applications on a user's behalf. Unless explicitly stated, the term "WebGate" refers to both an out of the box WebGate or a custom Access Client. Access Manager 11g uses technology from Oracle Coherence to provide centralized, distributed, and reliable session management. Table 30–2 provides a comparison of Access Manager 11g versus 10g. For a list of names that have changed with Access Manager 11g, see "Product and Component Name Changes with 11.1.2." Registering and Managing 10g WebGates with Access Manager 11g 30-5 Comparing Access Manager 11.1.2 and 10g Table 30–2 Comparison: Access Manager 11g versus 10g Access Manager 11g Agents ■ Agents: WebGate, Access Client, OpenSSO, OSSO (mod_osso), IAMSuiteAgent Note: Nine Administrator languages are supported. 10g ■ Resource WebGate (RWG) ■ Authentication WebGate (AWG) ■ AccessGate ■ Access Server ■ Policy Manager ■ Identity System Note: Nine Administrator languages are supported. Server-side components ■ OAM Server (installed on a WebLogic Managed Sever) Security Token Service and Identity Federation run on OAM Server Console Oracle Access Management Console ■ Access Server ■ Policy Manager ■ Identity Server Access System Console Identity System Console Protocols that secure information exchange on the Internet Cryptographic keys Front channel protocols exchanged between Agent and Server: HTTP/HTTPS. 10g Agent information exchange is unsecured, in plain text. 11g WebGate secures information exchange using the Agent key. -See Also: Cryptographic keys. ■ ■ One per-agent secret key shared between 11g WebGate and OAM Server One global shared secret key per Access Manager deployment which is used by all the 10g WebGates One OAM Server key, generated during Server registration Note: One key is generated and used per registered mod_osso agent. Keys storage ■ ■ ■ Agent side: A per-agent key is stored locally in the Oracle Secret Store in a wallet file OAM Server side: A per- agent key, and server key, are stored in the credential store on the server side Security Token Service Cookies Host-based authentication cookie, described in Table 1–2, " Features in Access Manager 11.1.2" Encryption / Decryption (The process of converting encrypted data back into its original form) Introduces client-side cryptography and ensures that cryptography is performed at both the agent and server ends: 1. WebGate encrypts obrareq.cgi using the agent key. Note: obrareq.cgi is the authentication request in the form of a query string redirected from WebGate to OAM Server. 2. OAM Server decrypts the request, authenticates, creates the session, and sets the server cookie. 3. OAM Server also generates the authentication token for the agent (encrypted using the agent key), packs it in obrar.cgi with a session token (if using cookie-based session management), authentication token and other parameters, then encrypts obrar.cgi using the agent key. Note: obrar.cgi is the authentication response string redirected from the OAM Server to WebGate. 4. Global shared secret stored in the directory server only (not accessible to WebGate) WebGate decrypts obrar.cgi, extracts the authentication token, and sets a host-based cookie. 30-6 Administrator's Guide for Oracle Access Management ■ ■ ■ One domain-based ObSSOCookie for all WebGates (including the AWG), for both authentication and session management Token generation/ encryption, and validation/ decryption are delegated to the Access Server. Both obrareq.cgi and obrar.cgi are sent unencrypted, relying on the underlying HTTP(S) transport for security. Comparing Access Manager 11.1.2 and 10g Table 30–2 (Cont.) Comparison: Access Manager 11g versus 10g Access Manager 11g Session Management Client IP ■ ■ 10g Chapter 16, "Maintaining Access Manager Sessions" Maintain this Client IP, and include it in the host- based OAMAuthnCookie. ■ Single domain supported. Multi-domain: If a user idles out on one domain, but not on the authentication WebGate, the AWG cookie is still valid (re-authentication is not needed).A new cookie is generated with the refreshed timeout. ■ Include the original client IP inside the ObSSOCookie. If IP validation is configured, when cookie presented in later authentication or authorization requests this original client IP is compared with the presenter's IP. Rejection occurs if there is no match Response token replay prevention ■ Include RequestTime (the timestamp just before redirect) in obrareq.cgi and copy it to obrar.cgi to prevent response token replay. Multiple network Cross-network-domain single sign-on out of the box. domain support Oracle recommends you use Oracle Federation for multiple network domain support. N/A A proprietary multiple network domain SSO capability predates Oracle Access Management Identity Federation. If this is implemented in your 10g deployment, register 10g Agents with Access Manager 11g to continue this support. ■ Single domain is supported. Once a user logs off from one WebGate, the domain cookie is cleared and the user is considered to be logged off the entire domain. ■ Centralized log-out ■ ■ Multi-domain SSO can be supported through chained customized logout pages. logout.html requires specific details when using a 10g The logOutUrls (10g WebGate configuration WebGate with Access Manager 11g. See Chapter 27, parameter) is preserved. 10g logout.html requires specific details for Access Manager 11g. "Configuring Centralized Logout for Sessions Involving 11g WebGates." 11g WebGate parameters are new: ■ Logout Redirect URL Once a user logs off from one WebGate, the domain cookie is cleared and the user is considered to be logged off the entire domain. Logout Callback URL Logout Target URL See Chapter 27, "Configuring Centralized Logout for Sessions Involving 11g WebGates." Single domain is supported. ■ Multi-domain SSO can be supported through chained customized logout pages. 30.3.2 Comparing Access Manager 11g versus 10g Policy Model Access Manager 11g default behavior is to deny access when a resource is not protected by a policy that explicitly allows access. Access Manager 10g provides authentication and authorization based on policies within a policy domain. Access Manager 10g default behavior allowed access when a resource was not protected by a rule or policy that explicitly denied access to limit the number of WebGate queries to the Access Server. Table 30–3 compares the Access Manager 11g policy model with the 10g model. Access Manager 11g default behavior is to deny access when a resource is not protected by a policy that explicitly allows access. In contrast, Access Manager 10g default behavior allowed access when a resource was not protected by a rule or policy that explicitly specified access. Registering and Managing 10g WebGates with Access Manager 11g 30-7 Comparing Access Manager 11.1.2 and 10g Table 30–3 Comparing Access Manager 11g Policy Model versus 10g Policy Elements 11g Policy Model 10g Policy Model Policy Authoring Oracle Access Management Console Policy Manager Policy Store Database LDAP directory server Domain Application Domain Policy Domain Resources 1. 2. Host identifiers Authentication Policies No URL prefixes. Resource definitions are treated as complete URLs. 1. URL prefixes are defined in domains 2. Pattern matching for: Pattern matching (with limited features) for: { } * … ' * ' and '...' are supported 3. Resources need not be unique across domains. 3. Resources need not be unique across domains. 4. 4. Query-string protection for HTTP URLs. http resources can be protected based on URL query string contents and/or HTTP operation. 5. Each HTTP resource is defined as a URL path, and associated with a host identifier. However, resources of other types are associated with a specific name (not a host identifier). 5. Non-HTTP resource types and operations can be defined. 6. Non-HTTP resource types are supported, with definition of specific operations. Non-HTTP resource types are never associated with a host identifier. 7. Resources can designated as either Protected, Unprotected, or Excluded. 8. Custom resource types are allowed. 1. Host Identifiers are defined outside of policies 1. and are used while defining HTTP resources. Host Identifiers are defined outside of policies and are used while defining HTTP resources. 2. Host Identifiers are mandatory for defining HTTP resources. 2. Host Identifiers are not mandatory, for defining HTTP resources, till there are no Host Identifiers defined in the system. 1. Authentication policies include resources, success responses, and an authentication scheme. 1. Authentication policies are simple and contain only authentication-scheme-based rule. 2. 2. Authorization policies can also contain success responses, and time based, IP based and user-based conditions. 3. Only one authentication policy and one authorization policy can be associated with any resource. One resource can be associated with a set of Authorization policies. Evaluation of these policies can be based on an expression that combines the policies within the set using logical operators as desired. 4. Authentication and Authorization policies can evaluate to Success or Failure. 5. No Query Builder and no support for LDAP filters for (for retrieving matches based on an attribute of a certain display type, for example). 6. There is no notion of a default policy in an Application Domain. However, you can define a policy for resource: /…/* which can be used as a default policy within a determined scope). 7. Token Issuance Policies can be defined using resources and user- or partner-based conditions. See Section 25.3.6, "Displaying Token Issuance Policy Pages.". 30-8 Administrator's Guide for Oracle Access Management A resource can also be associated with multiple authentication policies and authorization policy sets. However, only one set applies. 3. An Authorization policy can evaluate to Success or Failure, or Inconclusive. 4. Users can be specified using LDAP filters. 5. Default authentication policy and authorization policy set can be defined for a policy domain. This policy is only applicable if there are no other applicable policies for a runtime resource in that domain. 6. There is no support for Token Issuance Policies. Comparing Access Manager 11.1.2 and 10g Table 30–3 (Cont.) Comparing Access Manager 11g Policy Model versus 10g Policy Elements 11g Policy Model 10g Policy Model Authentication Schemes Authentication Schemes are defined globally and can be shared (referenced within authentication policies). Authentication Schemes can be defined outside of policies and can be referenced within authentication policies. The trust level is expressed as an integer value between 0 (no trust) and 99 (highest level of trust). Note: Level 0 is unprotected. Only unprotected resources can be added to an Authentication Policy that uses an authentication scheme at protection level 0. See Also: Table 22–20, " Authentication Scheme Definition". Authorization Policy Each resource assigned to an Application Domain can be protected by only one authorization policy. Each policy can include one or more conditions and a rule. See Also: Rule, later in this table, and Section 25.7, "Defining Authorization Policies for Specific Resources.". Token Issuance Policy By default, only a container for Token Issuance Policies is provided in a generated Application Domain. No Conditions or Rules are generated automatically. You must add these manually. To protect resources, you define authorization rules that contain one or more conditions.You also configure authorization expressions using one or more authorization rules. A policy domain (and a policy) can each contain only one authorization expression. N/A See Also: Section 25.3.6, "Displaying Token Issuance Policy Pages.". Responses Cookies Available for all policy types: 1. Authentication and Authorization Responses can be defined within the policies for Success, Failure, and Inconclusive events. These are returned to the caller after evaluation of policies. 2. HTTP_HEADER and Cookie based variables can be set. 3. Redirect URLs can be set for Success and Failure events of authentication and authorization policy evaluations. 1. Authentication and Authorization success Responses can be defined within the policies. These are applied after evaluation of policies. 2. Cookie, Header, and Session responses are supported. 3. URL redirection can be set. 4. Response definitions are part of each policy. Response values can be literal strings or can contain additional embedded expressions that 4. derive values from request, user, and session attributes. Response values can contain literal strings and list of user attribute values. See Also: Table 21–6 See Also: Table 21–6 and and Section 21.5.1, "About Single Sign-On Cookies During User Login." Section 21.5.1, "About Single Sign-On Cookies During User Login." Registering and Managing 10g WebGates with Access Manager 11g 30-9 Configuring Centralized Logout for IAMSuiteAgent Table 30–3 (Cont.) Comparing Access Manager 11g Policy Model versus 10g Policy Elements 11g Policy Model 10g Policy Model Query String-based HTTP Resource Definitions Supported within Access Policies, as described in Table 25–1, " Resource Definition Elements" This Policy Model supports query string-based HTTP resource definitions within Access Policies. Rule Available for only Authorization and Token Issuance Policies. At run time, the OAM Proxy passes the Query String to the policy layer after URL encoding, just like for base resource URL. Only Query String that are part of HTTP GET requests are passed. Query String pattern does not apply to HTTP POST data. Each Authorization policy includes a rule that defines whether the policy allows or denies access to resources protected by the policy. The rule references Authorization conditions, described next. A policy is defined using authorization rules (among other policy elements). Authorization rules: ■ ■ See Also: Section 25.9, "Introduction to Authorization Policy Rules and Conditions.". Are defined outside of policies (but scoped within a policy domain) and are referenced in policies. Appear in two places: 1) as part of default rules for the domain and 2) in policy definitions. Each rule specifies who (which users, groups or IP4 addresses) is allowed or denied access and the time period in which this rule applies. There is also a provision to specify whether Allow takes precedence over Deny. Condition Available for only Authorization and Token Issuance Policies. N/A Each Authorization policy rule references conditions that define to whom the rule applies, if there is a time Condition, and how evaluation outcomes are to be applied. Conditions are declared outside of rules and are referenced within a rule. See Also: Section 25.9, "Introduction to Authorization Policy Rules and Conditions." 30.4 Configuring Centralized Logout for IAMSuiteAgent The IAMSuiteAgent is pre-configured with the logout parameters needed to perform central logout against the OAM Server. While similar to a 10g WebGate, the IAMSuiteAgent does not have a local logout.html page to be configured. Instead, the IAMSuiteAgent is delivered with a pre-deployed application oamsso_logout), that is used by the agent to perform the logout. The logout functionality for the IAMSuiteAgent requires that the oamsso_logout application is deployed in the Server where the IAMSuiteAgent is used. The initial installation adds this application to AdminServer and to OAM Servers. However, you must update this application's Target servers to include all those that are using the IAMSuiteAgent. To configure logout for the IAMSuiteAgent 1. Log in to the WebLogic Server Administration Console. 2. Navigate to Domain, Deployments, oamsso_logout, Targets. 3. Select all the Servers where the IAMSuiteAgent is enabled and where logout is performed. For example, oim_server, oaam_admin, oaam_server, and so on. 4. Click Save. 5. Proceed to: 30-10 Administrator's Guide for Oracle Access Management Registering a 10g WebGate with Access Manager 11g Remotely ■ ■ Section 25.15, "Validating Authentication and Authorization in an Application Domain" Chapter 26, "Validating Connectivity and Policies Using the Access Tester" 30.5 Registering a 10g WebGate with Access Manager 11g Remotely Whether you have a legacy 10g WebGate installed, or you are installing a fresh 10g WebGate instance to use with Access Manager 11g, you must register WebGate to use Access Manager 11g authentication and authorization services. You can use either the Oracle Access Management Console or the remote registration tool to perform this task. The remote registration tool enables you to specify all WebGate parameters before registration using a template. The following procedure walks through provisioning using the remote registration tool, in-band mode. In this example, OAMRequest_short.xml is used as a template to create an agent named my-10g-agent1, protecting /.../*, and declaring a public resource, /public/index.html. Your values will be different. You can use a full registration template to specify public, private, and excluded resources. See Also: ■ The following, if needed: Section 15.7, "Performing Remote Registration for OAM Agents" To use remote registration with a 10g WebGate for Access Manager 11g 1. Acquire the remote registration tool and set up the script for your environment. For example: a. Locate RREG.tar.gz file in the following path: $ORACLE_HOME/oam/server/rreg/client/RREG.tar.gz b. Untar RREG.tar.gz file to any suitable location. For example: rreg/bin/oamreg. c. In the oamreg script (oamreg.bat or oamreg.sh), set the following environment variables based on your situation (client side or server side) and information in Table 15–5: OAM_REG_HOME = exploded_dir_for_RREG.tar/rreg JAVA_HOME = Java_location_on_the_computer 2. Create the registration request: a. Locate OAMRequest_short.xml and copy it to a new file. For example: $OAM_REG_HOME/input/OAMRequest_short.xml/ Copy: OAMRequest_short.xml To: my-10g-agent1.xml b. Edit my-10g-agent1.xml to include details for your environment. For example: http://ruby.uk.example.com:7001 my-10g my-10g-agent1 /myapp/ /myapp/.../* Registering and Managing 10g WebGates with Access Manager 11g 30-11 Registering a 10g WebGate with Access Manager 11g Remotely /public/index.html /excluded/index.html true .uk.example.com /oamsso/logout.html See Also: Section 15.7.2, "Creating Your Remote Registration Request" 3. Register the agent. For example: a. Locate the remote registration script. Linux: rreg/bin/oamreg.sh Windows: rreg\bin\oamreg.bat b. From the directory containing the script, execute the script using inband mode. For example: $ ./bin/oamreg.sh inband input/my-10g-agent1.xml Welcome to OAM Remote Registration Tool! Parameters passed to the registration tool are: Mode: inband Filename: ... c. When prompted, enter the following information using values for your environment: Enter your agent username: userame Username: userame Enter agent password: ******** Do you want to enter a WebGate password?(y/n) n iv.Do you want to import an URIs file?(y/n) n d. Review the final message to confirm that this was a successful registration: Inband registration process completed successfully! Output artifacts are created in the output folder" 4. Ignore the ObAccessClient.xml file created during registration for now. 5. Log in to the Oracle Access Management Console and add resources for the new registration to the Application Domain (Table 25–1): a. Under Application Security, click the following links to reveal Search controls: Access Manager Application Domains 30-12 Administrator's Guide for Oracle Access Management Managing 10g OAM Agents Remotely 6. b. Use the Search controls to locate the Application Domain in which your WebGate registration page is created, then click the name in the Results table to display the page. c. Click the Resources tab and then Create. d. OAM Proxy Port—Under Configurations, double click Server Instances and search for the server to get the OAM Proxy port details (Table 6–3). Proceed as needed for your environment: ■ ■ ■ Existing WebGate: Configuring Centralized Logout for 10g WebGate with 11g OAM Servers Uninstalled WebGate: Locating and Installing the Latest 10g WebGate for Access Manager 11g Optional: Managing 10g OAM Agents Remotely 30.6 Managing 10g OAM Agents Remotely This section describes how to update, validate, and delete OAM 10g Agents using remote registration templates and modes described in Section 15.8, "Introduction to Updating Agents Remotely." To remotely update OAM 10g Agent registration 1. Set up the registration tool as described in Section 15.7.1, "Acquiring and Setting Up the Remote Registration Tool." 2. Update Agent: a. Create your update request using the OAMUpdateAgentRequest.xml template. b. On the computer hosting the Agent, run the following command with agentUpdate mode specify your own *Request*.xml as the input file. For example: ./bin/oamreg.sh agentUpdate input/*OAMUpdateAgentRequest.xml c. Provide the registration Administrator user name and password when asked. d. Confirm success with on-screen messages. e. Relocate to the agent host ObAccessClient.xml: From the AdminServer (Console) host: /rreg/output/Agent_Name/ To the Agent host: $10gWG_install_dir/oblix/lib. f. 3. Restart the server that is hosting this agent. Validating Agent: a. On the Agent host, run the following command in agentValidate mode. For example: ./bin/oamreg.sh agentValidate agentname 4. b. Provide the registration Administrator user name and password when asked. c. Confirm success with on-screen messages. Deleting an Agent: Registering and Managing 10g WebGates with Access Manager 11g 30-13 Locating and Installing the Latest 10g WebGate for Access Manager 11g a. On the computer hosting the Agent, run the following agentDelete command. For example: ./bin/oamreg.sh agentDelete agentname b. Provide the registration Administrator user name and password when asked. c. Confirm success with on-screen messages. Success: On-screen message confirms AgentDelete process completed successfully! 30.7 Locating and Installing the Latest 10g WebGate for Access Manager 11g Use the procedures in this section if you need to install a fresh 10g WebGate for use with Access Manager 11g. Otherwise, skip this section and proceed to Section 30.8, "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers." Task overview: Installing the WebGate includes 1. Preparing for a Fresh 10g WebGate Installation with Access Manager 11g 2. Locating and Downloading 10g WebGates for Use with Access Manager 11g 3. Starting WebGate 10g Installation 4. Specifying a Transport Security Mode 5. Specifying WebGate Configuration Details 6. Requesting or Installing Certificates for Secure Communications 7. Updating the WebGate Web Server Configuration 8. Finishing WebGate Installation 9. Installing Artifacts and Certificates 10. Confirming WebGate Installation 30.7.1 Preparing for a Fresh 10g WebGate Installation with Access Manager 11g Table 30–4 outlines the requirements that must be met before starting an 10g WebGate installation. Table 30–4 Preparing for 10g WebGate Installation with Access Manager 11g About the ... Description Latest Supported WebGates Always use the latest supported 10g (10.1.4.3) WebGates with Access Manager 11g. However, if the desired 10g (10.1.4.3) WebGate is not provided, use the next latest WebGate (10g (10.1.4.2.0). See Also: Section 30.7.2, "Locating and Downloading 10g WebGates for Use with Access Manager 11g." Location for installation Consider: ■ ■ User Accounts WebGate in front of the application server. Applications using WebLogic Server container-managed security: In front of the WebLogic Application Server in which your application is deployed The account that is used to install the WebGate is not the account that runs the WebGate: ■ ■ The 10g WebGate should be installed using the same user and group as the Web server. Unix: You can be logged in as root to install the WebGate. The WebGate can be installed using a non-root user if the Web server process runs as a non-root user 30-14 Administrator's Guide for Oracle Access Management Locating and Installing the Latest 10g WebGate for Access Manager 11g Table 30–4 (Cont.) Preparing for 10g WebGate Installation with Access Manager 11g About the ... Root Level versus Site Level Description ■ The WebGate can be installed at the root level or the site level. ■ Installing WebGate on multiple virtual sites amounts to only one instance of WebGate. Transport Security Mode Ensure that at least one OAM Server is configured to use the same mode as the agent to be installed. Computer Level or Virtual Web Server Level The WebGate can be configured to run at either the computer level or the virtual Web server level. Do not install at both the computer level and the virtual Web server levels. Oracle HTTP Server Web Server: The 10g WebGate for Oracle HTTP Server is based on open source Apache. WebGate package names include: Apache Web Servers See Also Appendix C, "Securing Communication." ■ OHS (based on Apache v1.3) ■ OHS2 (based on Apache v2) ■ OHS11g (based on Apache v2.2 and is not the subject of this chapter) Access Manager 11g provides a single package for components that support Apache with or without SSL enabled: ■ ■ The APACHE2_WebGate supports v2 with or without SSL (and with or without reverse proxy enabled on Solaris and Linux). See also Chapter 31, "Configuring Apache, OHS, IHS for 10g WebGates." The APACHE22_WebGate supports v2.2 with or without SSL (and with or without reverse proxy enabled on Solaris and Linux). See also Chapter 31, "Configuring Apache, OHS, IHS for 10g WebGates." Note: For SSL-enabled communication, Access Manager supports Apache with mod_ssl only, not Apache-SSL. mod_ssl is a derivative of, and alternative to, Apache-SSL. IBM HTTP Server IHS2_WebGate is powered by Apache v2 on IBM-AIX. Access Manager supports IHS v2 and IHS v2 Reverse Proxy servers with or without SSL enabled. (IHS) v2 Web Servers: For details, see Chapter 31, "Configuring Apache, OHS, IHS for 10g WebGates." Registering and Managing 10g WebGates with Access Manager 11g 30-15 Locating and Installing the Latest 10g WebGate for Access Manager 11g Table 30–4 (Cont.) Preparing for 10g WebGate Installation with Access Manager 11g About the ... Description Domino Web Servers: Before you install the 10g WebGate with a Domino Web server, you must have properly installed and set up the Domino Enterprise Server R5. See Also: Chapter 34, "Configuring Lotus Domino Web Servers for 10g WebGates." IIS Web Servers Before installing WebGate, ensure that your IIS Web server is not in lock down mode. Otherwise things will appear to be working until the server is rebooted and the metabase re-initialized, at which time IIS will disregard activity that occurred after the lock down. If you are using client certificate authentication, before enabling client certificates for the WebGate you must enable SSL on the IIS Web server hosting the WebGate. Setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. For example, suppose you install the ISAPI WebGate in Simple or Cert mode on a Windows 2000 computer running the FAT32 file system. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 fleshiest. In this case, these instructions may be ignored. Each IIS Virtual Web server can have it's own WebGate.dll file installed at the virtual level, or can have one WebGate affecting all sites installed at the site level. Either install the Webgate.dll at the site level to control all virtual hosts or install the Webgate.dll for one or all virtual hosts. You may also need to install the postgate.dll file at the computer level. The postgate.dll is located in the \WebGate_install_dir, as described in Section 33.5.3.4.2, "Installing the Postgate ISAPI Filter." If you perform multiple installations, multiple versions of this file may be created which may cause unusual Access Manager behavior. In this case, you should verify that only one webgate.dll and one postgate.dll exist. See Also: Chapter 33, "Configuring the IIS Web Server for 10g WebGates" Removal: To fully remove a WebGate and related filters from IIS, you must do more than simply remove the filters from the list in IIS. IIS retains all of its settings in a metabase file. On Windows 2000 and later, this is an XML file that can be modified by hand. There is also a tool available, MetaEdit, to edit the metabase. MetaEdit looks like Regedit and has a consistency checker and a browser/editor. To fully remove a WebGate from IIS, use MetaEdit to edit the metabase. ISA Proxy Servers On the ISA proxy server, all ISAPI filters must be installed within the ISA installation directory. They can be anywhere within the ISA installation directory structure: 1. Before installing the WebGate on the ISA proxy server: Check for general ISAPI filter with ISA instructions on: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isa/isaisapi_5cq8.asp Ensure that the internal and external communication layers are configured and working properly. 2. During installation you will asked if this is an ISA installation; be sure to: Indicate that this is an ISA proxy server installation, when asked. Specify the ISA installation directory path as the WebGate installation path. Use the automatic Web server update feature to update the ISA proxy server during WebGate installation. 3. After WebGate installation, locate the file configureISA4webgate.bat, which calls a number of scripts and the process to configure the ISA server filters that must be added programmatically. See Also: Chapter 32, "Configuring the ISA Server for 10g WebGates" 30.7.2 Locating and Downloading 10g WebGates for Use with Access Manager 11g Use the following procedure to obtain an 10g WebGate, if needed. Be sure to choose the appropriate installation package for your Web server. To find and download 10g WebGates 1. Review the latest Oracle Access Manager 10g certification information on the Oracle Technology Network at: http://www.oracle.com/technetwork/middleware/id-mgmt/fusion-certificati on-100350.html 2. Go to Oracle Fusion Middleware 11gR1 Software Downloads at: http://www.oracle.com/technology/software/products/middleware/htdocs/fm w_11_download.html 30-16 Administrator's Guide for Oracle Access Management Locating and Installing the Latest 10g WebGate for Access Manager 11g 3. Click Accept License Agreement, at the top of the page. 4. From the Access Manager WebGates (10.1.4.3.0) row, click the download link for the desired platform and follow on-screen instructions. 5. Store the WebGate installer in the same directory with any 10g Access System Language Packs you want to install. 6. Proceed to Section 30.7.3, "Starting WebGate 10g Installation." 30.7.3 Starting WebGate 10g Installation The following procedure walks through the steps, which are the same regardless of Web server type. Installation options are identified and can be skipped if they do not apply to your environment. During WebGate installation, information is saved at specific points. You can cancel WebGate installation processing if needed. However, if you cancel WebGate installation after being informed that the WebGate is being installed, you must uninstall the component. On HP-UX and AIX systems, you can direct an installation to a directory with sufficient space using the -is:tempdir path parameter. The path must be an absolute path to a file system with sufficient space. Note: To start WebGate 10g installation 1. On the computer to host WebGate 10g, log in as a user with Web server Administrator privileges. 2. Stop the Web server instance. 3. Launch the WebGate installer for your preferred platform, installation mode, and Web server. For example: GUI Method: Windows— Oracle_Access_Manager10_1_4_3_0_Win32_API_Webgate.exe Console Method: Solaris—./ Oracle_Access_Manager10_1_4_3_0_sparc-s2_API_Webgate Linux—./ Oracle_Access_Manager10_1_4_3_0_linux_API_Webgate where API refers to the API used by your Web server (for example, ISAPI for IIS Web servers). 4. Dismiss the Welcome screen; follow on-screen instructions with Administrator privileges. 5. Specify the installation directory for the WebGate. 6. Linux or Solaris: Specify the location of the GCC runtime libraries on this computer. 7. Language Pack—Choose a Default Locale and any other Locales to install, then click Next. 8. Record the installation directory name in the preparation worksheet if you haven't already, then click Next to continue. Registering and Managing 10g WebGates with Access Manager 11g 30-17 Locating and Installing the Latest 10g WebGate for Access Manager 11g The WebGate installation begins, which may take a few seconds. On Windows systems, a screen informs you that the Microsoft Managed Interfaces are being configured. The installation process is not yet complete. You are asked to specify a transport security mode. At this point, you cannot go back to restate information. 9. Specify the location where you unzipped the previously downloaded GCC libraries, if needed. 30.7.4 Specifying a Transport Security Mode Transport security between at least one OAM Server must match. See Also: Appendix C, "Securing Communication" To specify a transport security mode 1. Choose Open, Simple, or Cert for the WebGate. 2. Proceed according to your specified transport security mode: ■ ■ Simple or Certificate Mode—Go to "Requesting or Installing Certificates for Secure Communications" Open Mode—Skip to Section 30.7.7, "Updating the WebGate Web Server Configuration" 30.7.5 Requesting or Installing Certificates for Secure Communications If your Access Manager 11g environment uses Open mode transport security, you can skip to Section 30.7.7, "Updating the WebGate Web Server Configuration." WebGate Certificate Request: Generates the request file (aaa_req.pem), which you must send to a root CA that is trusted by the OAM Server. The root CA returns signed certificates, which can then be installed for WebGate. Requested certificates must be copied to the \WebGate_install_dir\access\oblix\config directory and then the WebGate Web server should be restarted. See Also: Appendix C, "Securing Communication" To request or install certificates for WebGate 10g Indicate whether you are requesting or installing a certificate, then click Next and continue. For example: 1. 2. ■ Requesting a certificate, proceed with step 2. ■ Installing a certificate, skip to step 3. Request a Certificate: ■ ■ ■ 3. Enter the requested information, then click Next and issue your request for a certificate to your CA. Record certificate file locations, if these are displayed. Click Yes if your certificates are available and continue with step 3. Otherwise, skip to Section 30.7.7, "Updating the WebGate Web Server Configuration." Install a Certificate During Installation: Specify the full paths to the following files, then click Next: 30-18 Administrator's Guide for Oracle Access Management Locating and Installing the Latest 10g WebGate for Access Manager 11g WebGate_install_dir\access\oblix\config ■ ■ cacert.pem the certificate request, signed by the Oracle-provided openSSL Certificate Authority password.xml contains the random global passphrase that was designated during installation, in obfuscated format. This is used to prevent other customers from using the same CA. Access Manager performs an additional password check during the initial handshake between the OAM Agent and OAM Server. ■ aaa_key.pem contains your private key (generated by openSSL). ■ aaa_cert.pem signed certificates in PEM format. ■ Proceed to Section 30.7.7, "Updating the WebGate Web Server Configuration." 30.7.6 Specifying WebGate Configuration Details You perform the following task using information provided during WebGate provisioning and registration with Access Manager 11g. To provide WebGate configuration details 1. Provide the information requested for the WebGate as specified in the Access System Console. ■ ■ ■ ■ ■ 2. WebGate ID—Enter the agent name that you supplied during registration. WebGate password—Enter the password supplied during registration, if any. If no password was entered, leave the field blank. Access Server ID—Enter the name of the OAM Server with which this WebGate is registered, if desired, or use any name you choose. Access Server Host Name—Enter the DNS host name for the OAM Server with which this WebGate is registered Port number—Enter the port on which the OAM Proxy is running. If a port was not entered during provisioning, the default port is 3004. Click Next to continue. 30.7.7 Updating the WebGate Web Server Configuration Your Web server must be configured to operate with the WebGate. Oracle recommends automatically updating your Web server configuration during installation. However, procedures for both automatic and manual updates are included. Note: To manually update your Web server configuration 1. Click No when asked if you want to proceed with the automatic update, then click Next. 2. Review the screen that appears to assist you in manually setting up your WebGate Web server, and see Section 30.7.7.1, "Manually Configuring Your Web Server." 3. Return to the WebGate installation screen, click Next, and proceed to Section 30.5, "Registering a 10g WebGate with Access Manager 11g Remotely." Registering and Managing 10g WebGates with Access Manager 11g 30-19 Locating and Installing the Latest 10g WebGate for Access Manager 11g To automatically update your Web server configuration 1. Click Yes to automatically update your Web server then click Next (or click No and see Section 30.7.7.1, "Manually Configuring Your Web Server"): ■ ■ Most Web servers—Specify the absolute path of the directory containing the Web server configuration file. IIS Web Servers—The process begins immediately and may take more than a minute. For more information, see Chapter 33, "Configuring the IIS Web Server for 10g WebGates." You might receive special instructions to perform before you continue. Setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored. ■ Sun Web Servers—Be sure to apply the changes in the Web server Administration console before you continue. A screen announces that the Web server configuration has been updated. 2. Click Next and continue with Section 30.7.8, "Finishing WebGate Installation." 30.7.7.1 Manually Configuring Your Web Server If, during WebGate installation, you declined automatic Web server updates, you must perform the task manually. If the manual configuration process was launched during WebGate installation, you can skip Step 1 in the following procedure. Note: To manually configure your Web server for the WebGate 1. Launch your Web browser, and open the following file, if needed. For example: \WebGate_install_dir\access\oblix\lang\langTag\docs\config.htm where \WebGate_install_dir is the directory where you installed the WebGate. Note: If you choose manual IIS configuration during 64-bit WebGate installation, you can access details in the following path WebGate_install_dir\access\oblix\lang\en-us\docs\dotnet_isapi.htm 2. Select from the supported Web servers and follow all instructions, which are specific to each Web server type, as you: ■ ■ Make a back up copy of any file that you are required to modify during WebGate set up, so it is available if you need to start over. Ensure that you return to and complete all original setup instructions to enable your Web server to recognize the appropriate Access Manager files. 30-20 Administrator's Guide for Oracle Access Management Locating and Installing the Latest 10g WebGate for Access Manager 11g If you accidentally closed the window, return to step 1 and click the appropriate link again. Some setups launch a new browser window or require you to launch a Command window to input information. Note: 3. Continue with Section 30.7.8, "Finishing WebGate Installation." 30.7.8 Finishing WebGate Installation The ReadMe information provides details about documentation and Oracle. Note: If you are installing a 64-bit IIS WebGate, see Section 33.8, "Finishing 64-bit Webgate Installation." To finish the WebGate installation 1. Review the ReadMe information, then click Next to dismiss it. 2. Click Finish to conclude the installation. 3. Restart your Web server to enable configuration updates to take affect. ■ ■ 4. Security-Enhanced Linux: Run the chcon commands for the WebGate you just installed on this platform. Proceed with following topics before installing artifacts and certificates: ■ ■ ■ ■ ■ 5. IIS Web Servers—Consider using net stop iisadmin and net start w3svc after installing the WebGate to help ensure that the Metabase does not become corrupted. Native POSIX Thread Library: When installing Access Manager WebGate for use with NPTL, there is no need to set the environment variable LD_ ASSUME_KERNEL to 2.4.19. Apache2, OHS2, IHS2 Web Servers: Chapter 31, "Configuring Apache, OHS, IHS for 10g WebGates." IIS Web Servers: Consider using net stop iisadmin and net start w3svc after installing the WebGate to help ensure that the Metabase does not become corrupted. See also Chapter 33, "Configuring the IIS Web Server for 10g WebGates." ISA Web Servers: Chapter 32, "Configuring the ISA Server for 10g WebGates." Lotus Domino Web Servers: Chapter 34, "Configuring Lotus Domino Web Servers for 10g WebGates." Proceed to Section 30.7.9, "Installing Artifacts and Certificates." 30.7.9 Installing Artifacts and Certificates The ObAccessClient.xml file is one result of product of provisioning. After WebGate installation, you must copy the file to the WebGate installation directory path. If you received signed WebGate 10g certificates after installing WebGate, you can use the following procedure to install these as well. Registering and Managing 10g WebGates with Access Manager 11g 30-21 Configuring Centralized Logout for 10g WebGate with 11g OAM Servers Prerequisites Configuring your Web server To install artifacts (and certificates) for WebGate 10g 1. Copy ObAccessClient.xml ■ From: $WLS_DOMAIN_HOME/output/AGENT_NAME ■ To: $WebGate_install_dir/oblix/lib Copy password.xml 2. ■ From: $WLS_DOMAIN_HOME/output/AGENT_NAME ■ To: $WebGate_install_dir/oblix/config Copy aaa_key.pem and aaa_cert.pem: ■ From: $IDM_DOMAIN_HOME/output/AGENT_NAME ■ To: $WebGate_install_dir/oblix/config/simple The simple directory must be created before copying the artifacts. 3. Restart the WebGate Web server. 30.7.10 Confirming WebGate Installation After WebGate installation and Web server updates, you can enable WebGate diagnostics to confirm that your WebGate is running properly. To review WebGate diagnostics 1. Confirm Access Manager 11g components are running. 2. Specify the following URL for WebGate diagnostics. For example: Most Web Servers—http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.cgi? progid=1 IIS Web Servers—http(s)://hostname:port/access/oblix/apps/ webgate/bin/webgate.dll?progid=1 where hostname refers to the name of the computer hosting the WebGate; port refers to the Web server instance port number. 3. The WebGate diagnostic page should appear. ■ ■ Successful: If the WebGate diagnostic page appears, the WebGate is functioning properly and you can dismiss the page. Go to Section 30.8, "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers." Unsuccessful: WebGate should be uninstalled and reinstalled, as described in Section 30.9, "Removing a 10g WebGate from the Access Manager 11g Deployment." 30.8 Configuring Centralized Logout for 10g WebGate with 11g OAM Servers This section provides the following topics: ■ About Centralized Logout with 10g OAM Agents and 11g OAM Servers 30-22 Administrator's Guide for Oracle Access Management Configuring Centralized Logout for 10g WebGate with 11g OAM Servers ■ About the Centralized Logout Script for 10g WebGates with 11g OAM Servers ■ Configuring Centralized Logout for 10g WebGates with Access Manager 30.8.1 About Centralized Logout Processing for 10g WebGate with 11g OAM Server The following process overview outlines the Access Manager centralized logout process that occurs when the application is deployed on the Web server for which the protecting 10g WebGate is configured. Logout is initiated when an application causes the invocation of the logout.html file configured for the OAM agent (in this case, a 10g WebGate). Process overview: Centralized logout for 10g WebGate with 11g OAM Server 1. The application causes invocation of the logout.html file configured for the 10g WebGate. The application might also pass end_url as a query string to logout.html. The end_ url parameter could either be a URI or a URL. For example: /oamsso/logout.html?end_url=/welcome.html or /oamsso/logout.html?end_url=http://my.site.com/welcome.html 2. WebGate clears the ObSSOCookie for its domain and loads the logout.html script. 3. If the end_url parameter does not include host:port, the logout.html script gets the host:port of the local server and constructs the end_url parameter as a URL. For example: http://serverhost:port/oam/server/logout?end_url=http://my.site.com/ welcome.html 4. Logic in logout.html redirect to the OAM Server. For example: http://myoamserverhost:port/oam/server/logout?end_url=http://my.site.com/ welcome.html 5. The OAM Server executes logout as follows: a. Cleans up the session information associated with the user at the server side. b. Validates the end_url and sends a page with callback URLs to the user's browser. The Logout Callback URL is specified in the expanded OAM Agent registration page, as described in "About Create OAM WebGate Page and Parameters" on page 15-2 (or remote registration template in Table 15–3, " Elements on Expanded 11g and 10g WebGate/Access Client Registration Pages"). Note: c. From the callback page, a new request is initiated to a specific URI on each WebGate. When this request reaches the specific WebGate in the specific domain, the ObSSOCookie for that domain is cleared. d. The user is redirected to the end_url in the logout script. However, if the end_ url parameter is not present, an appropriate message is sent by the OAM Server. Registering and Managing 10g WebGates with Access Manager 11g 30-23 Configuring Centralized Logout for 10g WebGate with 11g OAM Servers For more information, see Section 30.8.2, "About the Centralized Logout Script for 10g WebGates with 11g OAM Servers." 30.8.2 About the Centralized Logout Script for 10g WebGates with 11g OAM Servers With an 10g WebGate, the logout.html script is required for both single- and multiple DNS-domain centralized logout processing. The logout.html activates JavaScripts that perform the actual logout. 11g WebGates do not use the logout.html script and instead require additional details in their Agent registration configuration, as described in Section 30.8, "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers." Note: Example 30–1 is a logout.html script that you can use as a template by editing certain lines for your own environment, which are described at the top of the script. For instance, SERVER_LOGOUTURL must be changed. Additional information is provided after the example. Example 30–1 logout.html Script Process overview: Logic in logout.html 1. Gets the host and port from the incoming request. 2. Gets the end_url parameter from the query string. If the end_url parameter is not a URL, then the logout.html script constructs a URL using the host and port from task 1. See "Guidelines for the end_url parameter in logout.html" following this section. 3. Redirects to the OAM Server logout URL (SERVER_LOGOUTURL). For example: http://myoamserver/host:port/oam/server/logout. ■ Use the end_url constructed in process 2 as the query string. ■ Preserve all other query string parameters in the query string. Guidelines for the end_url parameter in logout.html The end_url parameter can be either a URI or an URL. ■ If the end_url query string is a URI, without host and port, then the logout.html must construct the URL by determining the host and port of the Web Server where logout.html is hosted. For example: http://myoamserverhost:port/oam/server/logout?end_url=http://my .site.com/welcome.html ■ If the end_url parameter is a URL with the host and port, the logout.html script simply passes that on without reconstructing it. Registering and Managing 10g WebGates with Access Manager 11g 30-25 Configuring Centralized Logout for 10g WebGate with 11g OAM Servers An ADF application must pass the end_url parameter indicating where to redirect the user after logout, as described in Section A.3, "Configuring Centralized Logout for Oracle ADF-Coded Applications." Note: //adfAuthentication?logout=true&end_url= Table 30–5 illustrates how a logout link in the logout.html file might be specified: Table 30–5 Sample end_url Parameter Specifications As a ... Sample end_url Value URI /oamsso/logout.html?end_url= For example: /oamsso/logout.html?end_url=/welcome.html URL /oamsso/logout.html?end_url= For example: /oamsso/logout.html?end_url=http://my.site.com/welcome.html 30.8.3 Configuring Centralized Logout for 10g WebGates with Access Manager The following procedures describe how to configure centralized logout for 10g WebGates with Access Manager. Optional tasks or those required for only multiple DNS domain logout are identified and can be skipped unless needed. Note: Oracle Fusion Middleware Application Security Guide includes a sample procedure that includes steps for deploying an application in a WebLogic Server domain. Task overview: Configuring centralized logout for 10g WebGates 1. Create a default logout page (logout.html) and make it available on the WebGate installation directory: a. Create and edit logout.html for the WebGate based on Example 30–1, "logout.html Script". b. Store your logout.html script in the following directory path: WebGate_install_dir/oamsso/logout.html If the logout.html file is located elsewhere, ensure that the logout link is correctly specified in the agent registration to point to the correct location of the logout.html file. Note: c. 2. Proceed with following steps, as needed. Ensure that the logout.html (from Step 1) redirects the user to this central logout URI, "/oam/server/logout' on the 11g OAM Server. 30-26 Administrator's Guide for Oracle Access Management Removing a 10g WebGate from the Access Manager 11g Deployment 3. Optional: Allow the application to pass the end_url parameter indicating where to redirect the user after logout, as described in "Guidelines for the end_url parameter in logout.html" in Section 30.8.2. 4. Check the Web server file for which the 10g WebGate is configured and perform the appropriate step: ■ OHS Web server, httpd.conf file: If the following lines exist, delete them: Satisfy any ■ Other Web servers, configuration file: Add the following line: Alias /oamsso "WebGateInstallationDirectory/oamsso" 30.9 Removing a 10g WebGate from the Access Manager 11g Deployment Use the following procedure to remove the 10g WebGate from the Access Manager 11g deployment, if needed. Deleting an agent registration does not remove the associated host identifier, Application Domain, resources, or the agent instance. Note: Considerations Web Server Configuration Changes: Web server configuration changes must be manually reverted after uninstalling the WebGate). For more information about what is added, see the appropriate chapter for your Web server. WebGate IIS Filters: To fully remove a WebGate and related filters from IIS, you must do more than simply remove the filters from the list in IIS. IIS retains all of its settings in a metabase file. On Windows 2000 and later, this is an XML file that can be modified by hand. Prerequisites Evaluate the Application Domain, resources, and policies associated with this agent and ensure that these are configured to use another agent or that they can be removed. To uninstall the 10g WebGate 1. Turn off the Web server for the WebGate you will remove. If you don't turn off the Web server, uninstall might fail and the backup folder will not be removed. If this happens, you need to manually remove the backup folder. Note: 2. On the WebGate registration page in the Oracle Access Management Console, click the Disable box beside the State option to disable the WebGate. 3. Language Packs: Remove installed Language Packs (except the one selected as the default Administrator language (locale)) as follows: ■ Locate the appropriate Language Pack file in the component's uninstall directory. For example: WebGate_install_dir\uninstIdentityLP_fr-fr Registering and Managing 10g WebGates with Access Manager 11g 30-27 Removing a 10g WebGate from the Access Manager 11g Deployment \uninstaller.exe ■ ■ ■ ■ 4. Repeat this process to remove the same Language Pack from associated components. Stop and restart WebGate Web server to re-initialize proper language support. Repeat this process to remove each Language Pack (except the one selected as the default Administrator language (locale)). Perform the following steps to remove 10g WebGate configuration data: ■ ■ 5. Run the Language Pack Uninstaller program to remove the files. If you have only one instance of an Access Manager component, complete step 4 to remove it. If you have multiple instances of a component, see also step 5. Locate and run the Uninstaller program for the specific component to remove Access Manager files. For example: WebGate_install_dir\access\_uninstWebGate\uninstaller.exe Note: 6. On UNIX systems, use uninstaller.bin Multiple Instances: If you have multiple WebGate instances and want to remove one or all of them, you must use a specific method for your platform: ■ ■ Windows: The last component can be uninstalled from Add/Remove programs. Others can be uninstalled by running the uninstall program from the \access \uninstComponent directory. UNIX: You must always run uninstaller.bin. 7. Remove Access Manager-related updates to your Web server configuration. For details about specific Web servers, see Chapter 31, "Configuring Apache, OHS, IHS for 10g WebGates," Chapter 32, "Configuring the ISA Server for 10g WebGates," Chapter 33, "Configuring the IIS Web Server for 10g WebGates,", and Chapter 34, "Configuring Lotus Domino Web Servers for 10g WebGates." 8. Restart the Web server. 9. Remove the WebGate_install_dir directory if it remains, especially if you plan to reinstall it. 30-28 Administrator's Guide for Oracle Access Management 31 Configuring Apache, OHS, IHS for 10g WebGates 31 Oracle provides WebGates for Web servers powered by Apache v2. This includes Apache, Oracle HTTP Server, and IBM HTTP Server (IHS). This chapter provides details about configuring the three Web server types, and includes: ■ About Oracle HTTP Server and Access Manager ■ About Access Manager with Apache and IHS v2 Webgates ■ About Apache v2 Architecture and Access Manager ■ Requirements for Oracle HTTP Server, IHS, Apache v2 Web Servers ■ Preparing Your Web Server ■ Activating Reverse Proxy for Apache v2 and IHS v2 ■ Verifying httpd.conf Updates for Webgates ■ Tuning Oracle HTTP Server Webgates for Access Manager ■ Tuning OHS /Apache Prefork and Worker MPM Modules for OAM ■ Starting and Stopping Oracle HTTP Server Web Servers ■ Tuning Apache/IHS v2 Webgates for Access Manager ■ Removing Web Server Configuration Changes After Uninstall ■ Helpful Information 31.1 Prerequisites Ensure that your Oracle Access Management Console is running and get familiar with: ■ ■ "Introduction to Policy Enforcement Agents" on page 14-1 "About Installing Fresh 10g WebGates to Use With Access Manager 11.1.2" on page 30-3 31.2 About Oracle HTTP Server and Access Manager Access Manager Web component package names for Oracle HTTP Server are designated with OHS, as follows: ■ Oracle HTTP Server 11g is based on Apache v2.2; package names include OHS11g, for example: Configuring Apache, OHS, IHS for 10g WebGates 31-1 About Access Manager with Apache and IHS v2 Webgates Oracle_Access_Manager10_1_4_3_0_ platform_OHS11g_Webgate ■ Oracle HTTP Server 10g R2 (10.1.2) and 10g (10.1.3.1.0) provide packages based on Apache v1.3 and Apache v2.0: Apache v2.0-based packages include OHS2, for example: Oracle_Access_Manager10_1_4_3_0_platform_OHS2_Webgate Apache v1.3-based packages include OHS, for example: Oracle_Access_Manager10_1_4_3_0_platform_OHS_Webgate The following Oracle HTTP Server releases operate with Access Manager: Oracle HTTP Server 11g: Access Manager Webgates Oracle HTTP Server 11g can be used like Webgates for any other Web server. In addition, this Webgate for Oracle HTTP Server 11g is a key component when configuring enterprise-level single sign-on for Oracle Fusion Middleware 11g. For details, see the Oracle Fusion Middleware Security Guide. See also the Oracle Fusion Middleware Administrator's Guide for HTTP Server 11g Release 1 (11.1.1). Oracle HTTP Server 10g (10.1.3.1.0): Provides two packages (one based on Apache v1.3 and another based on Apache v2.0). Webgates can be installed on a standalone Oracle HTTP Server. OHS2 Webgate must be installed on the Oracle Application Server to enable integration with Oracle single sign-on. During installation, the Webgate is installed as a module on OHS2. Be sure to familiarize yourself with Oracle HTTP Server Web component requirements, as described in "Preparing Your Web Server" on page 31-7. 31.3 About Access Manager with Apache and IHS v2 Webgates Access Manager provides components for Apache v2 Web servers and the IBM HTTP Server in addition to the Oracle HTTP Server. The IBM HTTP Server (IHS2) is a variation of Apache v2. Unless otherwise stated, the following information applies to all three: ■ ■ ■ Apache v2.0.5.2 Webgate Apache v2.0.48 Webgate, including reverse proxy if you choose to activate this capability. Apache v2.0.47 Webgate for the IBM HTTP Server (IHS2) powered by Apache, including reverse proxy if you choose to activate this capability. Note: For the latest Access Manager certification information, see: http://www.oracle.com/technology/products/id_mgmt/coreid_ acc/pdf/oracle_access_manager_certification_10.1.4_r3_matrix.xls Each platform-specific installation package supports both plain and SSL-capable Apache modes. The number 2 in a file name indicates that this component is based on Apache v2. For example: AIX: Oracle_Access_Manager10_1_4_3_0_power-aix_IHS2_Webgate Linux: Oracle_Access_Manager10_1_4_3_0_ linux_Apache2_Webgate Solaris: Oracle_Access_Manager10_1_4_3_0_sparc-s2_Apache2_Webgate Windows: Oracle_Access_Manager10_1_4_3_0_Win32_APACHE2_Webgate 31-2 Administrator's Guide for Oracle Access Management About Access Manager with Apache and IHS v2 Webgates Earlier Access Manager releases included separate platform-specific installation packages for plain versus SSL-capable modes. For example, two Webgate files were provided for each platform: the APACHE_Webgate, and the APACHESSL_Webgate. There have been no functional changes to Access Manager components to support these Web servers. Access Manager authentication occurs through the Webgate using HTTP basic, form, or SSL client certificates. Authorization for Web resources by authenticated users, and simple and multi-domain SSO with other Web servers or applications, also occurs through the Webgate. 31.3.1 About the Apache HTTP Server The Apache HTTP Server is an open-source HTTP Web server project of the Apache Software Foundation. The project goal is to provide a secure, efficient and extensible server and HTTP services that meet current HTTP standards. For more information, see "About Apache v2 Architecture and Access Manager" on page 31-4. 31.3.2 About the IBM HTTP Server The IBM HTTP Server (IHS) is a variation of Apache v2. Portions of the IBM HTTP Server are based on software developed by The Apache Group. The IBM HTTP Server component also includes software developed by the OpenSSL Project and software developed by Eric Young. Details about the Apache architecture and Access Manager, discussed in "About Apache v2 Architecture and Access Manager" on page 31-4 apply to IHS with the following exceptions: ■ ■ ■ Previous versions of IHS required a separate IDS Client to use the mod_ibm_ldap module. With IHS powered by Apache v2.0.47, this is not a requirement. IHS v2.0.47 supports FIPS 140-2. FIPS support is disabled by default. To enable FIPS support, just add the SSLFIPSEnable directive to the httpd.conf file. Similarly, use SSLFIPSDisable directive to disable FIPS support. On AIX, ensure that the appropriate runtime library is installed before you install IHS v2.0.47. For example on AIX 5.1, the xlC.rte 6.0 runtime library (for example: xlC.rte.6.0.0.0) must be installed before you install IHS v2.0.47. This library is required on AIX to install and use SSL with IHS v2. You can download this library from the following Web site: http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp 31.3.3 About the Apache and IBM HTTP Reverse Proxy Server Typically, a reverse proxy is used in the following situations: ■ ■ ■ To provide Internet users with access to a server behind a firewall To balance the load among several back-end servers, or to provide caching for a slower back-end server To bring several servers into the same URL space The proxy_module implements a proxy/gateway for Apache and IHS powered by Apache. The client requires no special configuration; a reverse proxy appears like an Configuring Apache, OHS, IHS for 10g WebGates 31-3 About Apache v2 Architecture and Access Manager ordinary Web server. The client makes requests as usual for content in the name-space of the reverse proxy. It is the reverse proxy that decides where those requests are sent. Content is returned as if the reverse proxy was the origin. The proxy_module can be used to implement a proxy capability for FTP, CONNECT (for SSL), HTTP/0.9, HTTP/1.0, and HTTP/1.1. However, only the reverse proxy capability is supported with the Webgate. Important: For more information, see "Requirements for Apache v2 Web Servers" on page 31-6. 31.4 About Apache v2 Architecture and Access Manager The Apache v2 Web server provides a hybrid multi-threaded, multi-process architecture that is compatible with the thread-safe Access Manager libraries. Unless explicitly stated otherwise, all details in this discussion apply equally to Apache v2 and IHS v2 Web Servers for 10g Webgates. Important: In addition to the standard set of modules, the Apache v2 Web server includes Multi-Process Modules (MPMs) to bind network ports on the computer and to accept and process requests. The appropriate MPM must be compiled into the server and activated before you install an Apache or IHS v2 Webgate: ■ ■ On Windows: mpm_winnt is the default MPM on Windows platforms. mpm_ winnt can use native networking features rather than the POSIX layer used in Apache 1.3. On UNIX: The prefork MPM is the default MPM for Apache v2 Web servers on UNIX platforms. The prefork MPM implements a non-threaded, pre-forking Web server that handles requests in a manner similar to Apache v1.3. If you compile Apache on UNIX with the mpm_worker_ module for Webgate, you need to optimize the default pthread stacksize for Webgate to ensure optimal performance during multithreaded server implementation as described in "Apache v2 on UNIX with the mpm_worker_module for Webgate" on page E-32. Note: ■ On AIX: The worker MPM is the default MPM for IHS v2 on the AIX platform. The worker MPM implements a hybrid multi-process, multi-threaded server. The most important directives used to control this MPM are ThreadsPerChild and MaxClients. For details, see "Tuning Apache/IHS v2 Webgates for Access Manager" on page 31-27. The Apache v2 Web server includes an Apache Portable Runtime (APR) library that provides an interface to platform-specific implementations, assures API developers predictable if not identical behavior regardless of platform, and eliminates the need for conditional compilation #lfdefs. Although backward compatibility is supported with the include/apu_compat.h file, using the Apache v2 APR is recommended. For more information, see your Apache v2 documentation. See also, "Tuning Apache/IHS v2 Webgates for Access Manager" on page 31-27. 31-4 Administrator's Guide for Oracle Access Management Requirements for Oracle HTTP Server, IHS, Apache v2 Web Servers The Apache architecture affects Access Manager components in different ways, as discussed in the following sections. For Webgates installed with IHS and Apache v2 ■ ■ There is no shared cache between processes. Each process maintains its own connections to the Access Server. Therefore, you should limit the number of Webgate connections. This issue is partially affected by the performance of the systems running the Web servers and Access Servers. Webgates for Apache v2 (and derivatives) can be used in installations that contain Webgates for other Web servers. Note: If you compile Apache on UNIX with the mpm_worker_module for Webgate, you need to optimize the default pthread stacksize for Webgate to ensure optimal performance during multithreaded server implementation as described in "Apache v2 on UNIX with the mpm_ worker_module for Webgate" on page E-32. Limitations of Apache and IHS v2 Web Servers Due to limitations of the Apache v2 Web server, plug-ins configured for the Access Manager form-based authentication scheme do not pass variables when: ■ ■ The optional challenge parameter, passthrough:Yes, is included in the authentication scheme to pass login credentials through to a post-processing program. The form action is a CGI script that dumps all headers and variables passed to it and the method is called using the HTTP POST method. For example: 31.5 Requirements for Oracle HTTP Server, IHS, Apache v2 Web Servers Access Manager HTML pages use UTF-8 encoding. Apache-based Web servers, including Apache, Oracle HTTP Server, and IBM HTTP Server (IHS) allow Administrators to specify a default character set for all HTML pages sent out using the AddDefaultCharset directive. This directive overrides any character specified by the application generating the HTML pages. If the AddDefaultCharset directive enables a character set other than UTF-8, Access Manager HTML pages are garbled. Oracle recommends that you specify the AddDefaultCharset directive in the Web server configuration file (httpd.conf) as follows to ensure the correct display of Access Manager HTML pages: AddDefaultCharset Off See your Web server documentation for more information about this directive. The following topics provide additional details you should be aware of: ■ Requirements for IHS2 Web Servers ■ Requirements for Apache and IHS v2 Reverse Proxy Servers Configuring Apache, OHS, IHS for 10g WebGates 31-5 Requirements for Oracle HTTP Server, IHS, Apache v2 Web Servers ■ Requirements for Apache v2 Web Servers 31.5.1 Requirements for IHS2 Web Servers This discussion identifies specific requirements for IHS v2 with Access Manager. With IHS v2, you do not compile any source code to get the binaries. However, the following requirements do apply to IHS v2 Web servers: ■ ■ For an SSL capable configuration on AIX, the xLC.rte.6.0 runtime library is required. For an SSL capable configuration, the GSKit7 is required and can be downloaded from https://techsupport.services.ibm.com/server/aix.fdc. 31.5.2 Requirements for Apache and IHS v2 Reverse Proxy Servers As discussed earlier, the proxy_module implements a proxy/gateway. The client requires no special configuration. Although the proxy_module can be used to implement a proxy capability for FTP, CONNECT (for SSL), HTTP/0.9, HTTP/1.0, and HTTP/1.1, only the reverse proxy capability is supported with certain Access Manager Apache and IHS v2 Webgates. For Apache Web Servers: To use reverse proxy functions with Access Manager, you need to include the proxy module in the configure command. For example: --enable-proxy: Apache proxy module --enable-proxy-connect: Apache proxy CONNECT module --enable-proxy-ftp: Apache proxy FTP module --enable-proxy-http: Apache proxy HTTP module You also need to load mod_proxy and the mod_proxy_http module into the server dynamically. A reverse proxy is activated using the ProxyPass directive or the [P] flag to the RewriteRule directive. For IHS Web Servers: After installing the IHS Web server, reverse proxy configurations must be completed in the httpd.conf file in the following directory: IHS_install_dir/conf directory For more information, see "Activating Reverse Proxy for Apache v2 and IHS v2" on page 31-19. 31.5.3 Requirements for Apache v2 Web Servers This discussion identifies specific requirements for Apache v2 with Access Manager. Additional information can be found in your Apache documentation: PATH Variable: On UNIX systems, your PATH variable must contain the gcc location before you compile Apache v2. However, the Sun C compiler location must not be in your PATH variable. On Windows systems, Apache can be built using either command-line tools or the Visual Studio IDE Workbench. The command-line build requires that the environment reflect the PATH, INCLUDE, LIB and other variables that can be configured with the vcvars32 batch file. Multi-Process Module (MPM): With Apache v2, a default MPM is provided for each platform to bind network ports on the computer and to accept and process requests. Apache must have one, and only one, MPM in use at any time. If no MPM is selected during compilation, the default will be loaded into the Web server. You may activate the MPM during compilation. 31-6 Administrator's Guide for Oracle Access Management Preparing Your Web Server mod_ssl: Access Manager supports Apache with or without SSL-capable communication. The base Apache Web server does not use SSL for browser connections and will not respond to HTTPS requests. For SSL-capable communication, Access Manager supports Apache with mod_ssl only. No SSL-specific Access Manager features operate with Apache-SSL. mod_ssl relies on OpenSSL to provide the cryptography engine; mod_ssl provides an interface to the OpenSSL library. The OpenSSL library provides Strong Encryption using the Secure Sockets Layer and Transport Layer Security protocols. With previous versions of Apache, the mod_ssl module had to be downloaded separately and compiled into the server. With Apache HTTP Server v2 module, mod_ ssl comes as a loadable module that you can enable during configuration. Multi-threading: Multi-threading is required for installations with Apache v1.3.27 or later. Dynamic Shared Object (DSO): DSO support is required for Webgate. Apache modules that extend basic core server functionality may be either statically compiled for permanent inclusion in the Apache binary, or dynamically compiled and stored separately to load at runtime without recompiling. With Apache v1.3, mod_so had to be compiled. With Apache v2 on Windows systems, mod_so is a Base module and always included. With Apache v2 on UNIX, the loaded code typically comes from shared object files. Note: Dynamically loaded Apache 1.3 modules cannot be used directly with Apache v2. Apache v1.3 modules must be modified to load dynamically or compile into Apache v2. mod_perl: mod_perl embeds the Perl programming language in the Apache Web server. Without Perl, Apache v2 can still be built and installed; however, some support scripts written in Perl cannot be used. With Apache v.1.3.2x, some operating systems required additional options during configuration. However, to build Apache v2, there is no need to set any additional variables. Note: 31.6 Preparing Your Web Server The methods and steps to prepare your host computer for the Access Manager Web component installation depends upon the specific Web server and platform, as discussed in the following task overview. To use reverse proxy functions with Access Manager, you need to include the proxy module in the configure command, as discussed in "About the Apache and IBM HTTP Reverse Proxy Server" on page 31-3. See also "Activating Reverse Proxy for Apache v2 and IHS v2" on page 31-19. Task overview: Preparing your Web server and installing Access Manager 1. Install the IHS v2 Web server or compile and install the Apache v2 Web server as discussed in: ■ Preparing the IHS v2 Web Server ■ Preparing Apache and Oracle HTTP Server Web Servers on Linux Configuring Apache, OHS, IHS for 10g WebGates 31-7 Preparing Your Web Server ■ Preparing Oracle HTTP Server Web Servers on Linux and Windows Platforms ■ Setting Oracle HTTP Server Client Certificates ■ Preparing the Apache v2 Web Server on UNIX ■ Preparing the Apache v2 SSL Web Server on AIX ■ Preparing the Apache v2 Web Server on Windows 2. Activate reverse proxy capability if desired, as described in "Activating Reverse Proxy for Apache v2 and IHS v2" on page 31-19. 3. Install Oracle Access Management, as described in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. 4. Finish Web server configuration, as described in "Verifying httpd.conf Updates for Webgates" on page 31-22. 5. Refer to the following topics as needed: ■ ■ ■ "Tuning Oracle HTTP Server Webgates for Access Manager" on page 31-25 "Tuning OHS /Apache Prefork and Worker MPM Modules for OAM" on page 31-25 "Tuning Apache/IHS v2 Webgates for Access Manager" on page 31-27 In all the procedures that follow, path name variables, modules, and options are examples provided only to illustrate the steps. Your environment will vary. Refer to your Web server documentation for additional details. Note: 31.6.1 Preparing the IHS v2 Web Server To prepare your IHS v2 Web server to accept and use the Webgate for IHS v2, you need to complete one or more of the following procedures, depending on your environment and requirements: ■ Preparing the Host for IHS v2 Installation ■ Installing the IBM HTTP Server v2 ■ Setting Up SSL-Capability ■ Starting a Secure Virtual Host ■ Activating Reverse Proxy for Apache v2 and IHS v2 When you have completed the appropriate procedures, you are ready to install the Webgate for IHS v2. 31.6.1.1 Preparing the Host for IHS v2 Installation You need to complete this procedure to set up the host computer before you install the IHS Web server. For additional information, see "Requirements for IHS2 Web Servers" on page 31-6 and "Requirements for Apache v2 Web Servers" on page 31-6. This example illustrates installation on AIX 5.1. Your environment may vary. To prepare for IHS v2 installation 1. On the host computer, download and install the IBM Developer Kit, Java Technology Edition version 1.4 from the following site: 31-8 Administrator's Guide for Oracle Access Management Preparing Your Web Server http://www.ibm.com/java/jdk The IBM Developer Kit ships with the WebSphere Application Server or can be downloaded from this site. 2. On the host computer, download and install the xlC.rte 6.0 runtime for AIX 5.1, which is required by the GSKit7 runtime executable from the following site: https://techsupport.services.ibm.com/server/aix.fdc 3. On the host computer, create a new directory in which you will uncompress the IBM HTTP Server install image. 4. On the host computer, download the IBM HTTP Server install image from the following Web site: http://www-306.ibm.com/software/webservers/httpservers/ 5. On the host computer, uncompress the install image in your new directory. For example: tar -xf IHS.tar A listing of the following files appears, based on your operating system: gskit.sh setup.jar gskta.rte (a GSKit runtime executable for AIX) You are ready to begin the installation, as described next. 6. Proceed to "Installing the IBM HTTP Server v2" on page 31-9. 31.6.1.2 Installing the IBM HTTP Server v2 The procedure that follows walks you through a typical IBM HTTP Web server installation. Alternatively, you may choose to perform a silent installation. In this case, you use silent.res file with the java -jar setup.jar -silent -options silent.res command. You can customize silent install options by editing the silent.res text file. All options are set to true by default. To disable an option, set its value to false. To install the IBM HTTP Web server powered by Apache v2 1. Set your path to point to the Java Technology Edition version 1.4 installed on your computer in the previous example. For example: export PATH=$PATH:/usr/java14/java/bin 2. From to the directory where you uncompress the install image, type the following command: java -jar setup.jar 3. Choose the language in which to run the installation. The Welcome to the InstallShield Wizard for the IBM HTTP Server appears. 4. Click Next to dismiss the Welcome screen. 5. Specify the directory name. For example: AIX: /usr/IBMIHS/ Configuring Apache, OHS, IHS for 10g WebGates 31-9 Preparing Your Web Server 6. Click Next to continue. Options appear for a typical, custom, or developer installation. When you choose a typical installation, a list will appear with everything included and the size of the image. If you choose a custom installation, a list of components appears and you can clear the box next to the any components you do not want to install. 7. Select the type of installation you would like to perform, then click Next. For example: Typical The following message appears. You can click Cancel to stop the installation. Installing IBM HTTP Server. Please wait. The next message also appears. You can click Cancel to stop the inventory update. Updating the inventory. 8. Click Finish to complete your installation. 9. Stop then start the IHS server using the apachectl commands, as follows: For example: IHS2_install_dir/bin ./apachectl stop ./apachectl start where IHS2_install_dir is the directory where you installed the IHS v2 Web server. You may configure the IHS v2 Web server in several modes either before or after installing the Webgate for IHS v2: ■ Setting Up SSL-Capability ■ Starting a Secure Virtual Host ■ Activating Reverse Proxy for Apache v2 and IHS v2 31.6.1.3 Setting Up SSL-Capability If you need to setup SSL-capability, use the following procedure either before or after installing the Webgate for IHS v2. To setup SSL for IHS v2 using the default configuration file 1. Locate and open the following file: IHS2_install_dir/conf/httpd.conf 2. Specify the SSLEnable directive to enable SSL. 3. Specify a Keyfile directive and any SSL directives you want to enable. 4. Stop then start the IHS server, as follows. For example: IHS2_install_dir/bin ./apachectl stop ./apachectl start where IHS2_install_dir is the directory where you installed the IHS v2 Web server. 5. Continue with the following procedures: ■ Starting a Secure Virtual Host 31-10 Administrator's Guide for Oracle Access Management Preparing Your Web Server ■ Activating Reverse Proxy for Apache v2 and IHS v2 31.6.1.4 Starting a Secure Virtual Host If you need to start a secure virtual host, use the following procedure either before or after installing the Webgate for IHS v2. To start an IHS v2 secure virtual host 1. Locate and open the following file: IHS2_install_dir/conf/httpd.conf where IHS2_install_dir is the directory where you installed the IHS v2 Web server. 2. Specify the SSLEnable directive in the virtual host stanza of the configuration file, to enable SSL for a virtual host. You can specify any directive, with the exception of the cache directives, inside a virtual host. 3. Specify a Keyfile directive and any SSL directives you want to enable for that particular virtual host. 4. Load the mod_ibm_ssl.so using the LoadModule directive in the conf file. 5. Stop then start the IHS virtual host, as follows. For example: IHS2_install_dir/bin ./apachectl stop ./apachectl start Note: The start and stop instructions for an SSL implementation are the same as non-SSL-capable implementations. 6. Continue with Activating Reverse Proxy for Apache v2 and IHS v2. 31.6.2 Preparing Apache and Oracle HTTP Server Web Servers on Linux When installing Webgates for Apache or Oracle HTTP Server on Linux, you are prompted to install as the same user under which the Web server is running. See the User and Group directive entries in the httpd.conf file. When installing Access Manager Webgates for vendor-bundled Apache v2 on Red Hat Enterprise Linux 4, ensure that all Webgates are installed for Web server user & group (default: apache). See also "Tuning Apache/IHS v2 Webgates for Access Manager" on page 31-27. On Linux, Webgates for Oracle HTTP Server 11g use only NPTL; you cannot use the LinuxThreads library. In this case, do not set the environment variable LD_ASSUME_KERNEL to 2.4.19. Note: 31.6.3 Preparing Oracle HTTP Server Web Servers on Linux and Windows Platforms When using Webgates for Oracle HTTP Server v2 on Windows and Linux platforms, both the Perl module and the PHP module must be commented out in the httpd.conf. Configuring Apache, OHS, IHS for 10g WebGates 31-11 Preparing Your Web Server With Oracle HTTP Server 11g, there is no need to comment out any module for Webgates on any platform. Note: 31.6.4 Setting Oracle HTTP Server Client Certificates When using cert_decode and credential_mapping authentication modules, you must ensure that the Client Certificate authentication scheme works properly with SSL-enabled Oracle HTTP Server by adding +EarlierEnvVars and +ExportCertData to the existing SSL options in the Oracle HTTP Server Web server configuration file. For example: credential_mapping: obMappingBase="o=company,c=us",obMappingFilter= "(&(objectclass=InetOrgPerson)(mail=%certSubject.E%))" ssl.conf must include: SSLOptions +StdEnvVars +ExportCertData +EarlierEnvVars To add ssl options to Oracle HTTP Server 1. Locate and open the Oracle HTTP Server Web server configuration file with a text editor. For example: $ORACLE_INSTANCE/ohs/conf/ssl.conf 2. In the ssl.conf file, add the following information to existing SSL options. For example: SSLOptions +StdEnvVars +ExportCertData +EarlierEnvVars 3. Save the file and restart the Web server. 31.6.5 Preparing the Apache v2 Web Server on UNIX This discussion provides an overview and steps to prepare the Apache v2 HTTP Web server for Access Manager on UNIX platforms, including Solaris, UNIX, Linux, and AIX. See also "Preparing the Apache v2 SSL Web Server on AIX" on page 31-16 Apache v2 can be configured, built, and installed plain or as SSL-capable. After downloading and extracting Apache source files, you use a script (configure script on UNIX and the makefile.win make script for Windows) to compile the source tree for your environment. Basic requirements are the same regardless of your platform. However, the remainder of this discussion and the procedures that follow focus on UNIX platforms. For more information, see also "Preparing the Apache v2 SSL Web Server on AIX" on page 31-16. Note: When you configure Apache v2 on UNIX platforms, you specify the installation directory path name using the -prefix= option with the ./configure command. During configuration you enable the modules that are appropriate for your environment. For example, mod_so is included in the server automatically when dynamic modules are included in the compilation. However, you can ensure the server is capable of loading DSOs by including the -enable-so option with the configure 31-12 Administrator's Guide for Oracle Access Management Preparing Your Web Server command. If you have multiple Perl interpreters installed, you can include the -with-perl option to ensure the correct interpreter is selected during configuration. In the configure command, you can also include the options to enable mod_ssl, and to activate an MPM. After configuration, you can verify which MPM was chosen using ./httpd -l to list every module that is compiled into the server. When you finish configuring Apache, you build the various parts that form the Apache package using the make command then install the package under the installation directory you specified with the -prefix= option during configuration. For steps and examples, see the following procedures and your Apache documentation: ■ To prepare plain Apache v2 for UNIX ■ To prepare SSL-capable Apache v2 on UNIX ■ To prepare Apache v2 for Windows ■ Activating Reverse Proxy for Apache v2 and IHS v2 In the procedures that follow, path name variables, modules, and options are examples provided only to illustrate the steps. Your environment will vary. Refer to your Web server documentation for additional details. There is no difference in the build procedure between Apache v2.0.48 and v2.0.52. To prepare plain Apache v2 for UNIX 1. Confirm that your environment meets Apache requirements for the appropriate compiler and build tools, as described in Apache documentation located at: http://httpd.apache.org/docs-2.0/install.html#requirements There are no known restrictions with regard to supported compiler versions for Apache v2 and Access Manager plug-ins. See the Apache documentation. Note: 2. Download a complete, unmodified version of the Apache HTTP Server v2, as described in the Apache documentation. For example: http://httpd.apache.org/download.cgi Note: 3. Be sure to download Perl, if needed. Extract (uncompress, then untar) source files from the tarball, as described in the Apache documentation. For example: gzip -d httpd-2_0_48.tar.gz tar -xvf httpd-2_0_48.tar You can use the following step as an example of configuring the Apache source tree. If you compile Apache on UNIX with the mpm_worker_module for Webgate, see "Apache v2 on UNIX with the mpm_worker_module for Webgate" on page E-32. Configuring Apache, OHS, IHS for 10g WebGates 31-13 Preparing Your Web Server To use reverse proxy functions with Access Manager, you need to include the proxy module in the configure command, as discussed in "About the Apache and IBM HTTP Reverse Proxy Server" on page 31-3. Note: 4. Ensure that you have the correct version of GNU gcc libraries in the proper path to build the Apache source; gcc libraries should be in the PATH: export PATH=/usr/local/packages/gcc-3.4.6/bin:$PATH 5. Configure the Apache source tree and enable or activate the desired modules using details in the Apache documentation. For example: cd apache_source_dir ./configure --with-mpm=prefork --prefix=apache_install_dir --with-included-apr ./configure --with-mpm=worker --prefix=apache_install_dir --with-included-apr where apache_source_dir refers to the directory where you extracted Apache and apache_install_dir refers to the directory where you want to install Apache. 6. Compile the Apache package you configured using the make command. For example: make 7. Install the Apache package in the configured directory path that you specified earlier using the --prefix= option. For example: make install 8. Customize the installation using instructions in the Apache documentation. For example, you may need to tune the httpd.conf to set basic values for: ServerName User/owner of the WebServer Group To view the complete list of values, use the command: ./configure --help. Note: 9. Stop then restart the Apache Web server to test the installation using commands in the apache_install_dir/bin directory. For example: ./apachect1 stop ./apachectl start 10. Continue with appropriate tasks for your environment, as follows: ■ To prepare SSL-capable Apache v2 on UNIX ■ Preparing the Apache v2 Web Server on UNIX ■ Activating Reverse Proxy for Apache v2 and IHS v2 The following procedure outlines how to prepare an SSL-capable Apache v2 Web server on UNIX. The Apache mod_ssl is loadable; however, this installation requires the Open Source toolkit for SSL/TLS. Again, be sure to download Perl, if needed. If AIX is the platform you are using, be sure to see "Preparing the Apache v2 SSL Web 31-14 Administrator's Guide for Oracle Access Management Preparing Your Web Server Server on AIX" on page 31-16 for additional information. To prepare SSL-capable Apache v2 on UNIX 1. Confirm that your environment meets Apache requirements for the appropriate compiler and build tools, as described in Apache documentation located at: http://httpd.apache.org/docs-2.0/install.html 2. Download a complete, unmodified version of the Apache HTTP Server v2 and Open Source, as described in the Apache documentation. http://httpd.apache.org/download.cgi http://www.openssl.org/ 3. Extract (uncompress, then untar) source files from the tarballs, as described in the Apache documentation. For example: gzip -d httpd-2_0_48.tar.gz tar -xvf httpd-2_0_48.tar gzip -d openssl-0_9_6f.tar.gz tar -xvf openssl-0_9_6f.tar 4. Configure the OpenSSL source tree, as described in Apache documentation. For example: cd openssl_source_dir ./config -fPIC --prefix=openssl_install_dir where openssl_source_dir refers to the directory where you extracted OpenSSL and openssl_install_dir refers to the directory where you want to install the configured OpenSSL package. 5. Compile the OpenSSL package in the installation directory you configured using the make command with the --prefix= option. For example: make 6. Issue the make test command to complete any sanity testing of OpenSSL and check the correct version of the tools required. For example: make test 7. Install the OpenSSL package in the configured directory path that you specified earlier using the --prefix= option. For example: make install 8. Configure the Apache source tree and enable or activate desired modules, as described in your Apache documentation. For example: cd apache_source_dir ./configure --prefix=apache_install_dir --enable-so \ --with-mpm='prefork' --with-perl=perl_interpreter_path \ --with-port=non_ssl_port --enable-ssl \ --with-ssl=openssl_install_dir where apache_source_dir refers to the directory where you extracted Apache; apache_install_dir refers to the directory where you want to install Apache; and openssl_install_dir refers to the directory where you installed the configured OpenSSL package. 9. Compile using the make command to build the Apache SSL-capable package in the installation directory you configured using the --prefix= option. For example: Configuring Apache, OHS, IHS for 10g WebGates 31-15 Preparing Your Web Server make install 10. Install the Apache SSL-capable package in the configured directory path that you specified earlier using the --prefix= option. For example: make install You must explicitly make certificates for the Apache v2 server to enable SSL using the openssl tool located at openssl_install_dir/bin/. The make certificate command does not work with Apache v2. 11. Make certificates using the OpenSSL tool in the openssl_install_dir/bin directory, as described in your OpenSSL documentation and remember that "Common Name" is the fully qualified host name. 12. Customize the installation using instructions in the Apache documentation: ■ Tune the httpd.conf to set basic values for: ServerName User/owner of the WebServer `Group ■ Tune the ssl.conf to set basic values for: Listen 7000 ServerName ps0733.persistent.co.in:7000 SSLCertificateFile /home/qa/software/ws/apache/ apache-2.0.48_ssl_7000/conf/ssl.crt/server.crt SSLCertificateKeyFile /home/qa/software/ws/apache/ apache-2.0.48_ssl_7000/conf/ssl.key/server.key 13. Stop then restart the Apache Web server to test the installation using commands in the apache_install_dir/bin directory. For example: ./apachectl stop ./apachectl startssl 14. Continue with Activating Reverse Proxy for Apache v2 and IHS v2, if needed. 31.6.6 Preparing the Apache v2 SSL Web Server on AIX While building the Apache v2 SSL Web server, the symbols from the OpenSSL Library libssl.a are exported into the httpd executable in Apache. The symbols needed by Access Manager from the OpenSSL library are: ■ SSL_get_peer_certificate( ) ■ i2d_X509( ) During linking and binding on the AIX platform, any unused or unreferenced symbols are deleted. Therefore, the two symbols required by Access Manager are missing from the httpd executable. You need to use openssl-0.9.7d to compile on AIX (openssl-0.9.7e does not compile on AIX). The rest of the steps are the same as on UNIXopenssl-0.9.7d. Client Cert Authentication: If you are using Client Cert Authentication on the AIX platform, be sure to use AIX 5.2 Maintenance Level 4 with the following hot fix applied for dlsym problem on AIX: http://www-1.ibm.com/support/docview.wss?uid=isg1IY63366 31-16 Administrator's Guide for Oracle Access Management Preparing Your Web Server To prepare the AIX platform for Apache v2 1. Ensure that your AIX platform meets the system requirements for Access Manager. 2. See details in "Preparing the Apache v2 Web Server on UNIX" on page 31-12 and when building the Apache v2 Web server: ■ Use openssl-0.9.7d to compile the Web server for AIX. ■ Use the make command in the following manner: make MFLAGS=EXTRA_LDFLAGS='-Wl,-bE:OpenSSL_Symbols.exp' where OpenSSL_Symbols.exp is the file containing the two required symbols. The symbol must be exported using the export file only, as shown. Do not export the symbol on AIX with the following methods: -bnog: To suppress garbage collection of symbols -bexpal: To export all symbols -uSymbolName: To export a particular symbol. Note: 31.6.7 Preparing the Apache v2 Web Server on Windows Following are some details about how installing and configuring Apache v2 on Windows differs from Apache v2 on UNIX. For more information, see your Apache documentation. During Installation: Apache will configure files in the \conf subdirectory to reflect the chosen installation directory. If any configuration files in this directory already exist, a new copy of the corresponding file will be written with the extension .ORIG. For example, \conf\httpd.conf.ORIG. After Installation: Apache is configured using the files in the \conf subdirectory. These are the same files used to configure the UNIX version. However, there are a few differences. You must edit the configuration files in the \conf subdirectory to customize Apache for your environment. These files will be configured during the installation; Apache is ready to run from the installation directory, with the documents server from the subdirectory htdocs. There are many options you should set before starting to use Apache. For example, Apache listens on port 80 unless you change the Listen directive in the configuration files or install Apache only for the current user. Multi-Threading: Apache for Windows is multi-threaded, which means that it does not use a separate process for each request as Apache does on UNIX. Instead there are usually only two Apache processes running: a parent process, and a child which handles the requests. Within the child process each request is handled by a separate thread. UNIX-Style Names: Apache uses UNIX-style names internally. The directives that accept filenames as arguments must use Windows filenames instead of UNIX filenames. However, you must use forward slashes, not back slashes. Drive letters may be used. However, if a drive letter is omitted, the drive with the Apache executable is assumed. LoadModule Directive: Apache for Windows includes the ability to load modules at runtime without recompiling the server. If Apache is compiled normally, it will install a number of optional modules in the \Apache2\modules directory. To activate these or other modules, you must use the LoadModule directive. For example, to activate Configuring Apache, OHS, IHS for 10g WebGates 31-17 Preparing Your Web Server the status module, use the following (in addition to the status-activating directives in access.conf): LoadModule status_module modules/mod_status.so On UNIX, the loaded code typically comes from shared object files (.so extension), on Windows this may be either the .so or .dll extension. Process Management Directives: These directives are also different for Apache on Windows. Error Logging: During Apache startup, any errors are logged into the Windows event log, which provides a backup to the error.log file. For more information, see your Apache documentation. Apache Service Monitor: Apache comes with an Apache Service Monitor utility. With it you can see and manage the state of all installed Apache services on any computer on your network. To manage an Apache service with the monitor, you must first install the service. Apache may be run as a service on Windows. For details, see your Apache documentation. Starting, Restarting, Shutting Down: Running Apache as a service is the recommended method. An Apache service is typically started, restarted, and shut down using the Apache Service Monitor and commands like NET START Apache2 and NET STOP Apache2. You may also use standard Windows service management. You may work with Apache from the command line using the apache command. Apache will execute and remain running until it is stopped by pressing Control-C. You may also run Apache from the Start Menu during installation. Pressing Control-C may not allow Apache to end any current operations and clean up gracefully. Note: Apache Services Accounts: By default, all Apache services are registered to run as the system user (the LocalSystem account). The LocalSystem account has no network privileges through any Windows-secured mechanism. However, the LocalSystem account has wide privileges locally. For details about creating a separate account to run one or more Apache services, see your Apache documentation. To prepare Apache v2 for Windows 1. Confirm that your environment meets Apache requirements, as described in Apache documentation located at: http://httpd.apache.org/docs-2.0/install.html For Windows installations a list of HTTP and FTP mirrors from which you can download Apache v2 is provided online. When you complete the next step, be sure to download the version of Apache for Windows with the .msi extension. 2. Download a complete, unmodified version of the Apache HTTP Server v2 (and OpenSSL), as described in the Apache documentation. For example: http://httpd.apache.org/download.cgi http://www.openssl.org/ 3. Install Apache v2 (run the .msi file you downloaded and supply requested information), using your Apache documentation as a guide. 31-18 Administrator's Guide for Oracle Access Management Activating Reverse Proxy for Apache v2 and IHS v2 4. Locate the .default.conf file, verify new settings, then update your existing configuration file if needed. 5. Start Apache, either in a console window or as a service. 6. Launch a browser and enter the following URL to connect to the server and access the default page. For example: http://localhost/ A welcome page and a link to the Apache manual should appear. If not, look in the error.log file in the logs subdirectory. Once your basic installation is working, you need to configure it properly by editing the files in the \conf subdirectory. 7. Configure the Apache installation for your environment, using the Apache documentation as a guide. 8. Test your customized environment. 9. Continue with Activating Reverse Proxy for Apache v2 and IHS v2, if needed. 31.7 Activating Reverse Proxy for Apache v2 and IHS v2 The Webgates for Apache v2 and IHS v2 powered by Apache support reverse proxy capability, if you choose to activate this capability. The procedures to implement reverse proxy capability differ, depending on your environment: ■ To activate reverse proxy capability for Apache v2 Web servers ■ To activate reverse proxy capability for IHS v2 Web servers 31.7.1 Activating Reverse Proxy For Apache v2 Web Servers For reverse proxy functions with Access Manager, you need to include the Apache proxy module in the configure command for the Web server. You also need to load mod_proxy and the mod_proxy_http module into the server dynamically. A reverse proxy is activated using the ProxyPass directive or the [P] flag to the RewriteRule directive. Reverse proxy capability is activated using the ProxyPass directive or the [P] flag to the RewriteRule directive. It is not necessary to turn ProxyRequests on to configure a reverse proxy. Access control is less critical when using a reverse proxy (ProxyPass directive with ProxyRequests Off), because clients can contact only the hosts that you have specifically configured. You can control access to your proxy using the control block. To activate reverse proxy capability for Apache v2 Web servers 1. Review "About the Apache and IBM HTTP Reverse Proxy Server" on page 31-3. 2. Include the Apache proxy module in the configure command for the Web server, if needed. For example: --enable-proxy --enable-proxy-connect --enable-proxy-ftp --enable-proxy-http See the Apache documentation for more information. Configuring Apache, OHS, IHS for 10g WebGates 31-19 Activating Reverse Proxy for Apache v2 and IHS v2 3. Use the ProxyPass directive or the [P] flag to the RewriteRule directive to activate a reverse proxy, as follows: Reverse Proxy ProxyRequests Off Order deny,allow Allow from all ProxyPass /foo http://foo.example.com/bar ProxyPassReverse /foo http://foo.example.com/bar 4. Control access to your proxy using the control block as follows: Order Deny,Allow Deny from all Allow from 192.168.0 5. Perform steps in Chapter 30, "Registering and Managing 10g WebGates with Access Manager 11g", if you haven't yet done so. 31.7.2 Activating Reverse Proxy For IHS v2 Web Servers Use the following procedure after installing the Web server. To activate reverse proxy capability for IHS v2 Web servers 1. Review "About the Apache and IBM HTTP Reverse Proxy Server" on page 31-3 2. Install the IHS v2 Web server, as described in "Preparing the IHS v2 Web Server" on page 31-8. 3. Load the modules by including these lines (uncommented) in the Dynamic Shared Object section of the httpd.conf file in: IHS_install_dir/conf/httpd.conf LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule LoadModule access_module modules/mod_access.so auth_module modules/mod_auth.so auth_dbm_module modules/mod_auth_dbm.so include_module modules/mod_include.so log_config_module modules/mod_log_config.so env_module modules/mod_env.so unique_id_module modules/mod_unique_id.so setenvif_module modules/mod_setenvif.so proxy_module modules/mod_proxy.so proxy_connect_module modules/mod_proxy_connect.so proxy_ftp_module modules/mod_proxy_ftp.so proxy_http_module modules/mod_proxy_http.so mime_module modules/mod_mime.so dav_module modules/mod_dav.so autoindex_module modules/mod_autoindex.so asis_module modules/mod_asis.so info_module modules/mod_info.so cgid_module modules/mod_cgid.so dav_fs_module modules/mod_dav_fs.so vhost_alias_module modules/mod_vhost_alias.so dir_module modules/mod_dir.so imap_module modules/mod_imap.so actions_module modules/mod_actions.so 31-20 Administrator's Guide for Oracle Access Management Activating Reverse Proxy for Apache v2 and IHS v2 LoadModule userdir_module modules/mod_userdir.so LoadModule alias_module modules/mod_alias.so LoadModule rewrite_module modules/mod_rewrite.so 4. Directives Under the IfModule mod_proxy.c Tag--Use the information and the following examples to ensure that: ■ Allow or Deny conditions are appropriately commented. For example: Order deny, allow # Deny from all Allow from all # Allow from .domain.com ■ URLs to be protected are mentioned in both the ProxyPass and the ProxyPassReverse directives. For example: ProxyRequests Off ProxyPass /testproxy http://bedford: 8809/testrev/ ProxyPassReverse /testproxy http://bedford: 8809/testrev/ ProxyPass /test2 http://bedford: 8809/testrev/ ProxyPassReverse /test2 http://bedford: 8809/testrev/ 5. Restart the Web server after any modifications to the httpd.conf file. 6. Testing: To access the proxy URL, access http://:80/testproxy/ Note: While testing, make sure the URLs have a trailing forward slash. Sometimes resources cannot be accessed without the forward slash at the end. 7. Enabling SSL on Reverse Proxy Server: Use the documentation on the IHS default page. For example, sample SSL settings in the DSO section of the httpd.conf file load the ibm_ssl_module as: LoadModule ibm_ssl_module modules/mod_ibm_ssl.so 8. Include the following directives in your httpd.conf file: SSLEnable Keyfile /opt/IBMIHS/bin/key.kdb SSLClientAuth none SSLProxyEngine on 9. Restart server. 10. Access the Web server URL and confirm that the browser is presented with a certificate. Configuring Apache, OHS, IHS for 10g WebGates 31-21 Verifying httpd.conf Updates for Webgates You can switch back to open mode for the Web server simply by commenting out the preceding directives and restarting the server. Note: 11. key.kdb: To generate the key.kdb, use the ikeyman utility (preferably in GUI mode) provided in the IHS_install_dir/bin directory. The ikeyman utility uses the gsk7bas utility. However, you need to apply fix pack PQ83048 on gsk7bas. Note: 12. Perform the following steps: ■ ■ Complete 10g Webgate installation with Access Manager 11g as described in Chapter 30, "Registering and Managing 10g WebGates with Access Manager 11g", if you haven't yet done so Return to this chapter to perform remaining tasks in this chapter as needed. 31.8 Verifying httpd.conf Updates for Webgates It is a good idea to complete the following procedures to ensure that the Apache or IHS v2 httpd.conf file includes Web server configuration updates for Access Manager. For details, see: ■ Verifying Webgate Details ■ Verifying Language Encoding To update httpd.conf for reverse proxy on IHS Web servers, see "Activating Reverse Proxy For IHS v2 Web Servers" on page 31-20. To customize httpd.conf for your Web server, see your Web server documentation. 31.8.1 Verifying Webgate Details The example that follows shows the Webgate section in the httpd.conf file. The details will vary, depending on your environment. This example is provided only to illustrate the type of changes you will see in httpd.conf. To verify the Webgate section in httpd.conf 1. Locate the updated httpd.conf file on the computer hosting the Webgate. 2. Open the httpd.conf file and ensure that the section that loads the Webgate in your platform is present. For example: On Windows #*** BEGIN Oblix NetPoint Webgate Specific **** LoadModule obWebgateModule "WebGate_install_ dir\access\oblix\apps\webgate\bin\webgatessl.d ll" WebGateInstalldir "WebGate_install_dir" WebGateMode PEER LoadModule obWebgateModule "WebGate_install_ dir\access\oblix\apps\webgate\bin\webgate.dll" 31-22 Administrator's Guide for Oracle Access Management Verifying httpd.conf Updates for Webgates WebGateInstalldir "WebGate_install_dir" WebGateMode PEER SetHandler obwebgateerr AuthType Oblix require valid-user #*** END Oblix NetPoint Webgate Specific **** On UNIX #*** BEGIN Oblix NetPoint Webgate Specific **** LoadFile "/home/qa/netpoint/703/c1-copy/wg/access/oblix/lib/libgcc_s.so.1" LoadFile "/home/qa/netpoint/703/c1-copy/wg/access/oblix/lib/libstdc++.so.5" LoadModule obWebgateModule "/home/qa/netpoint/703/c1-copy/wg/access/oblix/ apps/webgate/bin/webgatessl.so" LoadModule obWebgateModule "/home/qa/netpoint/703/c1-copy/wg/access/oblix/ apps/webgate/bin/webgate.so" WebGateInstalldir "/home/qa/netpoint/703/c1-copy/wg/access" WebGateMode PEER SetHandler obwebgateerr SetHandler obwebgateerr AuthType Oblix require valid-user #*** END Oblix NetPoint Webgate Specific **** Notes for UNIX When running Apache v2 on HP-UX, do not use nobody for User or Group, because shared memory may not work. Instead, use your login name as User Name with a group Group as "Oblix" (or "www" as User Name and "others" as Group Name). On HP-UX, "www" is equivalent to "nobody" on Solaris. When running Apache v2 on HPUX 11.11, ensure that the AcceptMutex directive in the Apache httpd.conf file is set to "fcntl". If the directive is not present, add it to the httpd.conf file (AcceptMutex fcntl). For more information, see http://issues.apache.org/bugzilla/show_bug.cgi?id=22484). Notes for IHS on AIX #*** BEGIN Oblix NetPoint Webgate Specific **** LoadModule obWebgateModule DR/oblix/apps/webgate/bin/webgate.so WebGateInstalldir DR WebGateMode PEER SetHandler obwebgateerr Configuring Apache, OHS, IHS for 10g WebGates 31-23 Verifying httpd.conf Updates for Webgates AuthType Oblix require valid-user #*** END Oblix NetPoint Webgate Specific **** 1. Use the chmod -r username:groupname directory/file to change the User Name and Group Name of a directory or a file. When you do this, you need to change the User and Group parameters in the httpd.conf file accordingly. 2. See "Tuning Apache/IHS v2 Webgates for Access Manager" on page 31-27 for more information and complete any additional steps needed to finish the Access Manager implementation for Apache v2. You use the following procedure only if you need to clear the httpd.conf file of Webgate-related changes, then complete the Apache v2 Web server configuration for the Webgate anew. Important: To start httpd.conf updates anew 1. Restore the original httpd.conf file to remove any Access Manager entries that are present. 2. Update the httpd.conf file for Access Manager using one of the following methods: ■ ■ Either open the file component_install_ dir/access/oblix/lang/LangTag/docs/config.htm and perform a manual configuration, as described in Chapter 30, "Registering and Managing 10g WebGates with Access Manager 11g". Or launch the ManageHttpConf program in component_install_ dir/access/oblix/tools/setup/InstallTools/ManageHttpConf without any options to print instructions on its use. If the ManageHttpConf program is run with Webgate entries already present in the httpd.conf file, an error message will be printed and the httpd.conf file will not be updated. Note: 3. Complete activities in "Tuning Apache/IHS v2 Webgates for Access Manager" on page 31-27. 31.8.2 Verifying Language Encoding As mentioned earlier, Access Manager HTML pages use UTF-8 encoding. Apache-based Web servers allow Administrators to specify a default character set for all HTML pages sent out using the AddDefaultCharset directive, which overrides any character specified by the application generating the HTML pages. If the AddDefaultCharset directive enables a character set other than UTF-8, Access Manager HTML pages are garbled. To ensure proper language encoding 1. Open the httpd.conf file. 2. Locate the AddDefaultCharset directive. 31-24 Administrator's Guide for Oracle Access Management Tuning OHS /Apache Prefork and Worker MPM Modules for OAM 3. 4. Complete one of the following activities to ensure that proper encoding of Access Manager HTML pages: ■ Either set the AddDefaultCharset directive to Off. ■ Or Comment out the AddDefaultCharset directive. Save the httpd.conf file and restart the Web server. 31.9 Tuning Oracle HTTP Server Webgates for Access Manager After installing the Access Manager Web component for Oracle HTTP Server, you need to complete the steps that follow. As mentioned earlier, before installing Webgates for Oracle HTTP Server, in the httpd.conf file you must change the user and group to match the user that is installing the component. On Linux, Webgates for Oracle HTTP Server 11g use only NPTL; you cannot use the LinuxThreads library. In this case, do not set the environment variable LD_ASSUME_KERNEL to 2.4.19. Note: To tune Oracle HTTP Server for Webgates 1. Shut down opmn, as you usually do. 2. Locate and open the opmn.xml file for editing. For example: $ORACLE_HOME/opmn/bin/opmn.xml 3. In the opmn.xml file, adjust items as follows: 4. Refresh the OPMN configuration by executing the following script: #ORACLE_HOME/opmn/bin/opmnctl reload 5. Start the Oracle HTTP Server Web server, as described in "Starting and Stopping Oracle HTTP Server Web Servers" 31.10 Tuning OHS /Apache Prefork and Worker MPM Modules for OAM Oracle recommends specific tuning parameters with Webgates for these Web servers. The tuning parameters described in this section are configured in the httpd.conf file with Apache v2.0 and OHS11g. Configuring Apache, OHS, IHS for 10g WebGates 31-25 Tuning OHS /Apache Prefork and Worker MPM Modules for OAM For Apache v2.2, however, tuning is configured in the following files: apache_install_dir/conf/extra/httpd-mpm.conf apache_install_dir/conf/extra/httpd-default.conf Also for Apache v2.2, the entries for httpd-mpm.conf and httpd-default.conf should be uncommented, as follows: From: #Include conf/extra/httpd-mpm.conf #Include conf/extra/httpd-default.conf To: Include conf/extra/httpd-mpm.conf Include conf/extra/httpd-default.conf Use the following topics as needed for your environment: ■ Tuning Oracle HTTP Server /Apache Prefork MPM Module ■ Tuning Oracle HTTP Server /Apache Worker MPM Module ■ Tuning Kernel Parameters 31.10.1 Tuning Oracle HTTP Server /Apache Prefork MPM Module Oracle recommends the following as broad guidelines when using Access Manager with either the Oracle HTTP Server or Apache Prefork MPM module: Timeout 300 KeepAlive On MaxKeepAliveRequests 500 KeepAliveTimeout 10 StartServers: 5 (Initial number of processes to start; used only on startup.) MaxClients: 500 (Total number of processes to handle load at peak time. Determines how many child processes will be created to handle requests at peak period. ServerLimit: 500 (The maximum configured value for MaxClients for the lifetime of the process. If MaxClients is set to a value higher than the default, ServerLimit value should be specified above the rest of the parameters. MinSpareServers, MaxSpareServers: Default values should suffice requirements to handle a heavy load. During operation, these values regulate how the parent process creates children to serve requests. MaxRequestsPerChild: 0 - Number of requests sent to each child process. 0 indicates the process never expires/dies 31.10.2 Tuning Oracle HTTP Server /Apache Worker MPM Module Oracle recommends the following as broad guidelines when using Access Manager with either the Oracle HTTP Server or the Apache Worker MPM module: Timeout 300 KeepAlive On MaxKeepAliveRequests 500 31-26 Administrator's Guide for Oracle Access Management Tuning Apache/IHS v2 Webgates for Access Manager KeepAliveTimeout 10 StartServers: 2 (Initial number of processes to start; used only on startup.) MaxClients: 500 (Total number of processes to handle load at peak time. Determines how many child processes will be created to handle requests at peak period. ServerLimit: 25 (The maximum configured value for MaxClients for the lifetime of the process. If MaxClients is set to a value higher than the default, ServerLimit value should be specified above the rest of the parameters. MinSpareServers, MaxSpareServers: 25, 75. During operation, these values regulate how the parent process creates children to serve requests. ThreadsPerChild: 25 (The number of worker threads in single httpd process.) MaxRequestsPerChild: 0 (This directive sets the limit on the number of requests that an individual child server process will handle. The value 0 will ensure that the process never expires.) 31.10.3 Tuning Kernel Parameters Oracle recommends that you ensure the kernel parameters for the soft and hard limit on the file descriptors are set to a high value. For example: Hard limit (rlim_fd_max): 65535 Soft limit (rlim_fd_cur): 65535 The high value of the file descriptor is a strong recommendation for the Apache server that will open and close sockets for requests. 31.11 Starting and Stopping Oracle HTTP Server Web Servers Starting and stopping an Oracle HTTP Server Web server is the same procedure for both v1.3 and v2, on all platforms. To start the Oracle HTTP Server Web server 1. Locate and change to the following directory: $ORACLE_HOME\opmn\bin\ 2. From the command line, enter the following command: opmnctl/startproc process-type=HTTP_Server To stop the Oracle HTTP Server Web server 1. Locate and change to the following directory: $ORACLE_HOME\opmn\bin\ 2. From the command line, enter the following command: opmnctl/stopproc process-type=HTTP_Server 31.12 Tuning Apache/IHS v2 Webgates for Access Manager Unless explicitly stated, information here applies to both Apache and IHS v2 Webgate (also known as plug-ins). For details about Oracle HTTP Server, see the Oracle HTTP Server Administrator's Guide 10 g R2 (10.1.2). Configuring Apache, OHS, IHS for 10g WebGates 31-27 Tuning Apache/IHS v2 Webgates for Access Manager Apache v2 bundled with Security-Enhanced Linux: With SELinux, errors could be reported in WebServer logs/console when starting a Web server on Linux distributions that have more strict SELinux policies in place after installing an Access Manager Webgate. You can avoid these errors by running appropriate chcon commands for the installed Web component before restarting the Web server. See Also: "SELinux Issues" on page E-25 Apache v2 bundled SELinux-enabled Linux Distribution: Security-enhanced Linux (SELinux) is an automatically enabled implementation of a mandatory access-control mechanism. As described in your Linux documentation, SELinux policies provide access to certain pre-defined system directories such as /etc/httpd/conf, /usr/sbin/apachect, and /var/log/ (to name a few) for system daemons. When Webgates are installed with the bundled Apache Web server, certain policies must be added to allow Apache processes to access installation files. The bundled Apache Web server runs as user "apache" with a security context defined as context=user_u:system_r:unconfined_t. As a result, when Webgates are installed in any of the user folders, the Apache Web server will not start. The $SELINUX_SRC variable represents the SELinux policy source directory. The default value is /etc/selinux/targeted/src/policy. However, your environment may vary. Be sure to consult your system Administrator for the actual value for your system. To add Access Manager policies to Apache bundled with Red Hat Enterprise Linux 4 1. After installing each Access Manager Webgate, log in as the 'root' user. 2. Ensure that all Webgates are installed for Web server user & group (default: apache). 3. Create an oracle_access_manager.te policy file in the $SELINUX_ SRC/domains/programs/directory and add the following rules: type oracle_access_manager_t, file_type, sysadmfile; allow httpd_t oracle_access_manager_t:file { rw_file_perms create rename link unlink setattr execute }; allow httpd_t oracle_access_manager_t:dir { rw_dir_perms create append rename link unlink setattr }; 4. Create an oracle_access_manager.fc file context in the directory $SELINUX_ SRC/file_contexts/program, then register the Webgate installation directory (without identity or access suffix). For example: Oracle_Access_Manager_install_dir(/.*)? system_u:object_r:oracle_access_ manager_t When the Webgate is installed in a separate directory from the Access Manager, be sure to register the Webgate installation directory separately. Note: 5. Compile and deploy the policy files as follows: cd $SELINUX_SRC make load Label Oracle Access Manager files 31-28 Administrator's Guide for Oracle Access Management Tuning Apache/IHS v2 Webgates for Access Manager run restorecon -R Oracle_Access_Manager_install_dir (without the identity or access suffix) Apache v2 Directives: Apache 1.3 uses a process model for serving multiple HTTP requests at once. This differs from the single process (thread) model employed by other Web servers, which manage several requests simultaneously in one process. Only the prefork MPM in Apache v2 uses the same process model for serving HTTP requests as Apache v1.3. For all other MPMs, Apache v2 uses a hybrid process-thread model. Note: Several directives in the Apache v2 Web server configuration file (httpd.conf) affect how the Apache Web server decides to create or destroy worker processes. The following parameters affect the performance of the Apache v2 Web server: ■ ThreadsPerChild: This directive sets the number of threads created by each child process. The child creates these threads at startup and never creates more. ■ ■ ■ ■ If you are using an MPM like mpm_winnt, where there is only one child process, this number should be high enough to handle the entire load of the server. If you are using an MPM like mpm_worker, where there are multiple child processes, the total number of threads should be high enough to handle the common load on the server. MinSpareThreads: This value is only used with mpm_worker. Since Access Manager plug-in initialization is deferred until the first request, there is minimal advantage of keeping high value for this directive. However, it is useful to keep this parameter as high as possible. MaxSpareThreads: This value is only used with mpm_worker. The value for MaxSpareThreads must be greater than or equal to the sum of MinSpareThreads and ThreadsPerChild or the Apache HTTP Server automatically corrects it. Recommendation: Keep the value high. For a dedicated server this will not be a problem. ■ ■ ■ MaxSpareServers: With Apache v2, this is used only with the prefork MPM model. To preserve as much state as possible in the server, set the MaxSpareServers to a high value. Setting this value to the maximum of 255 keeps all Apache worker-processes available indefinitely, but it does not provide an opportunity for worker-process recycling during low-load periods. MinSpareServers: With Apache v2, this is used only with the prefork MPM model. Since Access Manager plug-in initialization is deferred until the first request, using a high value for the MinSpareServers parameter provides minimal advantage. However, it is useful to keep this parameter as high as possible. For dedicated Web server systems, this should pose no great burden. MaxClients: With IHS v2 and the worker MPM, MaxClients restricts the total number of threads that will be available to serve clients. For hybrid MPMs, the default value is 16 (ServerLimit) multiplied by a value of 25 (ThreadsPerChild). To increase MaxClients to a value that requires more than 16 processes, you must also raise ServerLimit. Appropriate values for the preceding parameters depend on the expected load and the performance class of the systems involved, including the Access Server and LDAP server. Configuring Apache, OHS, IHS for 10g WebGates 31-29 Removing Web Server Configuration Changes After Uninstall Apache servers on very high performance systems with high expected loads may be recompiled with a larger limit on the number of worker processes. These systems may see a greater performance impact on the StartServers and MinSpareServers parameters for dealing with sudden load spikes. You may need to adjust operating system limits for the Access Server for proper operation. In particular, the maximum number of file descriptors available for any one Access Server may need to be increased beyond the default value. Configuring more than one connection between each Apache-based Webgate and an Access Server may quickly exceed this limit. For additional information, see your Apache documentation. 31.13 Removing Web Server Configuration Changes After Uninstall Web server configuration changes that occur during installation must be manually removed after uninstalling the Webgate). This type of information must be removed manually. Further, you must remove any changes that you manually made to your Web server configuration file for the Webgate) should be removed. For more information about what is added for each component, look elsewhere in this chapter. 31.14 Helpful Information Consult the following manual for more information about the Oracle HTTP Server: Oracle HTTP Server Administrator's Guide 10 g R2 (10.1.2) The following URLs provide information about building an Apache release and source code: Apache v2 documentation: http://httpd.apache.org/docs-2.0/ Apache v2 source code: http://httpd.apache.org/download.cgi Mod-SSL documentation: http://httpd.apache.org/docs-2.0/mod/mod_ssl.html OpenSSL documentation: http://www.openssl.org/docs/ OpenSSL source code: http://www.openssl.org/source/ Compiling and Installing Apache v2: http://httpd.apache.org/docs-2.0/install.html#test IHS: http://www-306.ibm.com/software/webservers/httpservers/doc/v2047/manual/re adme.html 31-30 Administrator's Guide for Oracle Access Management 32 Configuring the ISA Server for 10g WebGates 32 This chapter describes how to configure the Access Manager ISAPI Webgate and Microsoft Internet Security and Acceleration Server (ISA Server) to operate together. Topics include: ■ Prerequisites ■ About Access Manager and the ISA Server ■ Compatibility and Platform Support ■ Installing and Configuring Webgate for the ISA Server ■ Configuring the ISA Server for the ISAPI Webgate ■ Starting, Stopping, and Restarting the ISA Server ■ Removing Access Manager Filters Before Webgate Uninstall on ISA Server 32.1 Prerequisites Ensure that your Oracle Access Management Console is running and get familiar with: ■ "Introduction to Policy Enforcement Agents" on page 14-1 ■ "About Access Manager and the ISA Server" on page 32-1 32.2 About Access Manager and the ISA Server The ISA Server is Microsoft's "integrated edge security gateway". It is designed to protect IT environments from Internet-based threats and to give users secure remote access to applications and data. Webgate is the Access Manager Web server plug-in access client that intercepts HTTP requests for Web resources and forwards them to the Access Server for authentication and authorization. ISAPI is the Internet Web server extension that Access Manager uses to identify Webgates that communicate with the ISA Server (and the IIS Web Server). This Webgate has been tested to operate with the ISA Server in scenarios that use both Access Manager Basic and Form (form-based) authentication schemes. You develop Basic and Form authentication schemes and policy domains using Access Manager as usual. Access Manager Client Certificate authentication is not supported for the ISA Server. Note: Configuring the ISA Server for 10g WebGates 32-1 Compatibility and Platform Support See Also: Oracle Fusion Middleware Administrator's Guide for Oracle Access Management for more information about authentication management and policy domains. Using ISA Server with Access Manager is similar to using the IIS Web server. However, the ISA Server provides firewall and Virtual Private Network (VPN) functions. ISA Server can be configured for third-party security filters. To enforce Access Manager security during authentication and authorization when you use ISA Server, both webgate.dll and postgate.dll must be registered as ISA Server Web filters. Every request to the Access Server that passes through ISA Server requires webgate.dll and postgate.dll. The following overview outlines the tasks that you must perform and the topics where you will find the steps to set up the ISAPI Webgate with the ISA Server. Task overview: Installing and configuring the ISAPI Webgate on ISA Server 1. Confirming "Compatibility and Platform Support" on page 32-2 2. "Installing and Configuring Webgate for the ISA Server" on page 32-2. 3. "Configuring the ISA Server for the ISAPI Webgate" on page 32-3. 4. Perform the following tasks, as described in: a. "Ordering the ISAPI Filters" on page 32-6 b. "Removing Access Manager Filters Before Webgate Uninstall on ISA Server" on page 32-7 32.3 Compatibility and Platform Support Get the latest certification matrix from Oracle Technology Network at the following URL: http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oracle_access_ manager_certification_10.1.4_r3_matrix.xls 32.4 Installing and Configuring Webgate for the ISA Server After ISA Server installation, you perform the following tasks to install Webgate for use with ISA Server. See Also: "Compatibility and Platform Support" on page 32-2 Task overview: Performing Webgate configuration for ISA Server includes 1. "Installing Webgate with ISA Server" on page 32-2 2. "Changing /access Directory Permissions" on page 32-3 3. "Registering Access Manager Plug-ins as ISA Server Web Filters" on page 32-3 32.4.1 Installing Webgate with ISA Server When you install Webgate with the ISA Server, the destination for the ISAPI Webgate installation (also known as the Webgate_install_dir) should be same as that of the 32-2 Administrator's Guide for Oracle Access Management Configuring the ISA Server for the ISAPI Webgate Microsoft ISA Server. For example, if ISA Server is installed on C:\Program Files\Microsoft ISA Server, the ISAPI Webgate should also be installed there. During Webgate installation, do not automatically update the ISA Server configuration. Instead, choose "No" when asked about automatic updates to the ISA Server configuration. Note: Task overview: Installing the ISAPI Webgate for the ISA Server 1. See Chapter 30 for details on the following topic, as these apply to your environment: 2. ■ Registering a 10g WebGate with Access Manager 11g Remotely ■ Locating and Installing the Latest 10g WebGate for Access Manager 11g ■ Configuring Centralized Logout for 10g WebGate with 11g OAM Servers Changing /access Directory Permissions on page 32-3 32.4.2 Changing /access Directory Permissions After finishing ISAPI Webgate installation and configuration for the ISA Server, you need to change permissions to the \access subdirectory. This subdirectory was created in the ISA Server (also Webgate) installation directory. You need to add the user NETWORK SERVICE and grant full control to NETWORK ADMINISTRATOR. This enables the ISA Server to establish a connection between the Webgate and Access Server. Certain configuration files should be readable by network Administrators, which is why you grant NETWORK ADMINISTRATOR full control. To change permissions for the \access subdirectory 1. In the file system, right-click Webgate_install_dir\access, and select Properties. 2. In the Properties window, click the Security tab. 3. Add user "NETWORK SERVICE" and then select "Allow" to give "Full Control". 4. For the "NETWORK ADMINISTRATOR", select "Full Control". 32.5 Configuring the ISA Server for the ISAPI Webgate The following topics describe how to configure the ISA Server to operate with the Access Manager ISAPI Webgate. Task overview: Performing Webgate configuration for ISA Server includes 1. "Registering Access Manager Plug-ins as ISA Server Web Filters" on page 32-3 2. "Configuring ISA Firewall Policies for ISA Web Filters" on page 32-4 32.5.1 Registering Access Manager Plug-ins as ISA Server Web Filters After resetting ISAPI Webgate permissions, you need to register Access Manager webgate.dll and postgate.dll plug-ins as Web Filters within ISA Server. Web filters screen all HTTP traffic that passes through the ISA Server host. Only compliant requests are allowed to pass through. Access Manager authentication schemes define how the user is challenged for credentials, maps user-supplied information, verifies it, and so forth. With the ISA Configuring the ISA Server for 10g WebGates 32-3 Configuring the ISA Server for the ISAPI Webgate Server, you must choose either Form or Basic authentication as the challenge method. You must also specify a Challenge Parameter to map the credentials provided by the user to the corresponding user profile stored in the directory server. If Access Manager libraries are not registered as ISA Web filters, Access Manager authentication could fail. Do not point to webgate.dll in the action path for form-based login in the authentication scheme. Instead, specify the path to a dummy file in the /access directory as shown here: Note: action= "/access/dummy" For form based authentication, postgate.dll must be installed and should be at a higher level than webgate.dll. The following procedure describes how to register Access Manager plug-ins in the ISA Server. If you need to undo the filter registration, you can use the following procedure with the /u option in the regsvr32 command. For example: regsvr32 /u ISA_install_ dir\access\oblix\apps\webgate\bin\webgate.dll Note: To register Access Manager plug-ins as ISA Server Web filters 1. Locate the ISA Server installation directory, from which you will perform the following tasks. 2. Run net stop fwsrv to stop the ISA Server. 3. Register the webgate.dll as an ISAPI Web filter by running regsvr32 ISA_ install_dir\access\oblix\apps\webgate\bin\webgate.dll. 4. Register the postgate.dll as an ISAPI Web filter by running regsvr32 ISA_ install_dir\access\oblix\apps\webgate\bin\postgate.dll. 5. Restart the ISA Server by running net start fwsrv to restart the ISA Server. 6. Proceed to "Configuring ISA Firewall Policies for ISA Web Filters". 32.5.2 Configuring ISA Firewall Policies for ISA Web Filters To authenticate users, ISA Server must be able to communicate with the authentication servers. After registering Access Manager webgate.dll and postgate.dll as ISA Web filters, you must configure the ISA Firewall Policy rule to protect resources using these Web filters. Web publishing rules essentially map incoming requests to the appropriate Web servers. Access rules determine how clients on a source network access resources on a destination network. ISA Firewall Policy rules require client membership in a user set: either Firewall clients, authenticated Web clients, or virtual private network (VPN) clients. The ISA Server attempts to match authenticated users based upon ISA Firewall Policy rules. See Also: Your ISA Server documentation for details about ISA Firewall Policies and rules 32-4 Administrator's Guide for Oracle Access Management Configuring the ISA Server for the ISAPI Webgate The following procedure describes how to configure an ISA Firewall Policy rule to use with ISA Web filters for Access Manager webgate.dll and postgate.dll. After you perform the following procedure, when you create a listener in the authentication click Allow client authentication over HTTP in Advanced Properties. Note: To configure ISA policies to enable Access Manager authentication and authorization 1. From the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management. 2. From the tree of the ISA Server Management console, locate the name of this server, and then click Firewall Policy. 3. From the Tasks tab, click Publish Web Sites. 4. In the Web publishing rule name field, type a descriptive name for the rule, and then click Next. 5. On the Select Rule Action page, confirm that the Allow option is selected, and then click Next. 6. In the Publishing type, confirm that the Publish a single Web site or load balancer option is selected, and then click Next. 7. On the Server Connection Security page, click Use non-secured connections to connect the published Web server or server farm, and then click Next. If you are using secured connections, see the server connection security settings provided by ISA Server. Note: 8. 9. Perform the following steps to set internal publishing details: a. In the Internal site name box, type the internally-accessible name of the Web server. b. Check the Use a computer name or IP address to connect to the published server check box. c. Type the internally-accessible and fully qualified domain name, or type the IP address of the Web server computer, in the Computer name or IP address box d. Click Next. In the Public name box, type the publicly-accessible domain name of the Web server computer, and then click Next. 10. To publish a particular folder in the Web site: a. Type the folder name in the Path (optional) box to display the full path of the published Web site in the Web site box. b. Click Next. 11. In the Accept requests for list: a. Click This domain name (type below). b. In the Public name box, type the publicly-accessible fully qualified domain name of the Web site. Configuring the ISA Server for 10g WebGates 32-5 Configuring the ISA Server for the ISAPI Webgate c. Click Next. 12. In the Web listener list, either click the Web listener to use for this Web publishing rule; otherwise or create a new Web listener, as follows: a. Click New, type a descriptive name for the new Web listener, and then click Next. b. Click Do not require SSL secured connections with clients, and then click Next. c. In the Listen for requests from these networks list, click the required networks and click to check the External box, then click Next. d. In the Select how clients will provide credentials to ISA Server list, click No Authentication, and then click Next. e. On the Single Sign On Settings page, click Next, and then click Finish. 13. Authentication Delegation: Perform the following steps in the Select the method used by ISA Server to authenticate to the published Web server list: a. Click No Delegation. b. Click Client Cannot Authenticate Directly. c. Click Next. This is used by ISA Server to authenticate to the published Web server. 14. On the User Sets page: a. Choose All (the default user setting) to set the rule that applies to requests from the user sets box. b. Click Next and then click Finish. 15. Click Apply to update the firewall policy, and then click OK. 16. Validate that only applicable ports are open and that the traffic that you would like to pass through is allowed. 32.5.3 Ordering the ISAPI Filters It is important to ensure that the Webgate ISAPI filters are included in the right order. postgate.dll should be loaded before webgate.dll. To order the Webgate ISAPI filters for ISA Server 1. From the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management. 2. Expand Configuration, then check Add-ins to display your Web-filters. 3. Right-click the Web-filters and select Properties. 4. Confirm the following .dll files appear. For example: postgate.dll webgate.dll 5. Add any missing filters, if needed, then select a filter name and use the up and down arrows to arrange the filter order as shown in step 5. 32-6 Administrator's Guide for Oracle Access Management Removing Access Manager Filters Before Webgate Uninstall on ISA Server WARNING: Confirm that there is only one webgate.dll and one postgate.dll filter and ensure that these are in an enabled state. Also, ensure that postgate.dll is installed at higher priority level than webgate.dll. 32.6 Starting, Stopping, and Restarting the ISA Server When instructed to restart your ISA Server during Access Manager Web component installation or setup, be sure to follow any instructions that appear on the screen. Also, consider using net stop fwsrv and net start fwsrv are good ways to stop and start the ISA Server. The net commands help to ensure that the Metabase does not become corrupted following an installation. For more information, see your ISA Server documentation. 32.7 Removing Access Manager Filters Before Webgate Uninstall on ISA Server If you plan to uninstall the Webgate that is configured to operate with the ISA Server, you must first unregister the Access Manager filters manually, and then uninstall Webgate. See Also: Chapter 30 for details about uninstalling 10g Webgates To unregister filters before Webgate uninstall 1. Stop the ISA Server. 2. Run the following command to unregister webgate.dll. For example: regsvr32 /u ISA_install_dir\access\oblix\apps\webgate\bin\webgate.dll 3. Run the following command to unregister postgate.dll. For example: regsvr32 /u ISA_install_dir\access\oblix\apps\webgate\bin\postgate.dll Configuring the ISA Server for 10g WebGates 32-7 Removing Access Manager Filters Before Webgate Uninstall on ISA Server 32-8 Administrator's Guide for Oracle Access Management 33 33 Configuring the IIS Web Server for 10g WebGates This chapter summarizes activities that you need to perform to configure 10.1.4 WebGate with a Microsoft Internet Information Server (IIS Web server for Windows environments). Unless explicitly stated, information and steps in this chapter apply equally to 32-bit and 64-bit WebGate installations. Topics include: ■ Prerequisites ■ WebGate Guidelines for IIS Web Servers ■ Prerequisite for Installing Webgate for IIS 7 ■ Updating IIS 7 Web Server Configuration on Windows 2008 ■ Completing Webgate Installation with IIS ■ Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance ■ Installing and Configuring Multiple Webgates for a Single IIS 6 Instance ■ Finishing 64-bit Webgate Installation ■ Confirming Webgate Installation on IIS ■ Starting, Stopping, and Restarting the IIS Web Server ■ Removing Web Server Configuration Changes Before Uninstall 33.1 Prerequisites Ensure that your Oracle Access Management Console is running and get familiar with: ■ ■ Introduction to Policy Enforcement Agents on page 14-1 About Installing Fresh 10g WebGates to Use With Access Manager 11.1.2 on page 30-3 33.2 WebGate Guidelines for IIS Web Servers ISAPI is an Internet Web server extension that the WebGate that communicates with the IIS Web server. For example, you will need the following package to install the WebGates for IIS: Oracle_Access_Manager10_1_4_3_0_Win32_ISAPI_Webgate 64-bit Webgate: Oracle_Access_Manager10_1_4_3_0_Win64_ISAPI_Webgate.exe Configuring the IIS Web Server for 10g WebGates 33-1 WebGate Guidelines for IIS Web Servers Updating the IIS Web server configuration file is required when installing Webgates. With IIS Web servers, a configuration update involves updating the Web server directly by adding the ISAPI filter and creating extensions required by Access Manager. A filter listens to all requests to the site on which it is installed. Filters can examine and modify both incoming and outgoing streams of data to enhance IIS functionality. ISAPI extensions are implemented as DLLs that are loaded into a process that is controlled by IIS. Like ASP and HTML pages, IIS uses the virtual location of the DLL file in the file system to map the ISAPI extension into the URL namespace that is served by IIS. Oracle recommends that you update the IIS Web server configuration file automatically during Webgate installation. Automatic updates may take more than a minute. However, updating the IIS Web server configuration file manually takes longer and could introduce unintended errors. For more specific guidelines, see: ■ Guidelines for ISAPI WebGates ■ Prerequisite for Installing Any 10g Webgate for IIS 7 ■ Prerequisite for Installing a 32-bit Webgate for IIS 7 33.2.1 Guidelines for ISAPI WebGates General WebGate preparation and installation details apply to ISAPI WebGates. Additionally, this topic provides specific guidelines for ISAPI WebGates installed with an IIS Web server. You can install multiple WebGates with a single IIS Web server instance or you might have a 64-bit WebGate. Note: Unless explicitly stated, details apply equally to 32-bit and 64-bit Webgates. lockdown Mode: Before installing the WebGate, ensure that your IIS Web server is not in lockdown mode. Otherwise things will appear to be working until the server is rebooted and the metabase re-initialized, at which time IIS will disregard activity that occurred after the lockdown. Permissions: Setting various permissions for the /access directory is required for IIS Webgates only when you are installing on a file system that supports NTFS. For example, suppose you install the ISAPI Webgate in Simple or Cert mode on a Windows 2000 computer running the FAT32 file system. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored. Virtual Hosts: Each IIS Virtual Web server can have it's own Webgate.dll file installed at the virtual level, or can have one Webgate affecting all sites installed at the site level. Either install the Webgate.dll at the site level to control all virtual hosts or install the Webgate.dll for one or all virtual hosts. postgate.dll: You may also need to install the postgate.dll file at the computer level. The postgate.dll is located in the \Webgate_install_dir, as described in "Installing the Postgate ISAPI Filter". If you perform multiple installations, multiple versions of this file may be created which may cause unusual Access Manager behavior. In this case, you should verify that only one webgate.dll and one postgate.dll exist. 33-2 Administrator's Guide for Oracle Access Management WebGate Guidelines for IIS Web Servers Note: The postgate.dll is always installed at the site level. If for some reason the Webgate is reinstalled, the postgate.dll is also reinstalled. In this case, ensure that only one copy of the postgate.dll exists at the site level. Updating Web Server Configuration for Webgate: As with other Webgates, your Web server must be configured to operate with the Webgate. Oracle recommends automatically updating your Web server configuration during installation. However, you can decline the automatic update and instead manually configure your Web server as described in "Registering a 10g WebGate with Access Manager 11g Remotely" on page 30-11. FAT32 file system: You may receive special instructions to perform during Webgate installation. For example: Setting various permissions for the /access directory is required for IIS Webgates only when you are installing on a file system that supports NTFS. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions can be ignored. SSL and Client Certificate Authentication: On IIS, if you are using client certificate authentication you must enable SSL on the IIS Web server hosting the Webgate before enabling client certificates for Webgate. You must also ensure that various filters are installed in a particular order. In addition, you may need to install the postgate.dll as an ISAPI filter. Web Server Releases: Web server details in this chapter apply to the stated release. If the release is not stated, you can presume it is IIS v5. Details specific to IIS v6 or IIS v7 are identified. See Also: ■ Webgates for IIS v7 on page 33-4 ■ Webgates for IIS v6 on page 33-4 32-bit versus 64-bit Webgates: Unless explicitly stated, all information applies equally to both 32-bit and 64-bit Webgates. See Also: ■ Webgates for IIS v6 on page 33-4 ■ Finishing 64-bit Webgate Installation on page 33-24 General Webgate Preparation and Installation Details: Refer to this chapter for IIS-specific guidelines. Refer to Chapter 30 for general preparation and installation details. Completing and Confirming Webgate Installation: Perform tasks relevant to your ISAPI Webgate and IIS version: See Also: ■ Completing Webgate Installation with IIS ■ Finishing 64-bit Webgate Installation ■ Confirming Webgate Installation on IIS Configuring the IIS Web Server for 10g WebGates 33-3 WebGate Guidelines for IIS Web Servers 33.2.1.1 Webgates for IIS v7 General guidelines and Webgate installation are usually the same regardless of the IIS release for which you are installing a Webgate. However, there are several specific topics to review when you are installing one or more Webgates for IIS v7: ■ Prerequisite for Installing Webgate for IIS 7 on page 33-5 ■ Updating IIS 7 Web Server Configuration on Windows 2008 on page 33-6 ■ Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance on page 33-14 33.2.1.2 Webgates for IIS v6 General guidelines and Webgate installation are usually the same regardless of the IIS release for which you are installing a Webgate. However, there are several specific topics of interest. Multiple Webgates with a Single IIS 6 Instance: IIS v6.0 supports hosting multiple Web sites on a single Web server instance and ISAPI Webgate allows you to protect each Web site with a different Webgate. See Also: Multiple Webgates with a Single IIS 6 Instance 64-bit IIS v6 Webgate: Perform installation as you do for all others, using instructions available in Chapter 30. If you choose manual Web server configuration during Webgate installation, you can access details in the following path: Webgate_install_dir\access\oblix\lang\en-us\docs\dotnet_isapi.htm Following Webgate installation and IIS configuration, perform tasks in "Finishing 64-bit Webgate Installation" on page 33-24. Earlier Release Webgate Installations: Previously Oracle recommended that Webgate be installed in the same physical directory location as Policy Manager. This required a virtual directory named "access" for both Policy Manager and Webgate, which is mapped to the physical location of both Policy Manager and Webgate. You can install Webgate 10g (10.1.4.3) for IIS in any location, separate from that of Policy Manager. Note: If you have an earlier, combined Webgate and Policy Manager installation, you can de-couple the components using the following steps. To de-couple an earlier Webgate/Policy Manager installation 1. Uninstall any patches applied to the earlier Webgate and Policy Manager, if any. 2. Uninstall the earlier Policy Manager and Webgate combination. 3. Install Policy Manager 10g (10.1.4.3). 4. In a separate directory location, install Webgate 10g (10.1.4.3) 33.2.1.3 Multiple Webgates with a Single IIS 6 Instance Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit Webgates. IIS v6.0 supports hosting multiple Web sites on a single Web server and ISAPI Webgate allows you to protect each Web site with a different Webgate. 33-4 Administrator's Guide for Oracle Access Management Prerequisite for Installing Webgate for IIS 7 Previous ISAPI Webgate releases did not support multiple Webgates with a single IIS Web server instance. You either had to install one Webgate for all Web sites at the top level, or protect a single Web site by configuring Webgate at the Web site level. Note: IIS 6 provides application pools that are used to run virtual servers. You can think of an application pool as a group of one or more URLs that are served by a worker process or a set of worker processes. An application pool is a configuration that links one or more applications to a set of one or more worker processes. Because applications in this pool are separated from other applications by worker process boundaries, an application in one application pool is not affected by problems caused by applications in other application pools. Today, Webgate instances can run in different process spaces. When you have multiple Web sites on a single IIS v6.0 Web server instance, you need to ensure that user requests reach the correct Web site. To do this, you need to configure a unique identity for each site on the server using at least one of three unique identifiers: ■ Host header name ■ IP address ■ TCP port number If you have multiple Web sites on a single server and these are distinguished by IP address and port, multiple Webgates are not required. Starting with release 10.1.4.2.0 virtual hosts on Apache and IIS 6.0 are supported. As a result, a single Webgate on the top level can protect all the Web sites even if the IP addresses are different. This is handled by using different Host Identifiers for each Web site. Note: You can install multiple Webgates on different Web sites of the same IIS Web server instance. However, several manual steps are required. See Also: "Installing and Configuring Multiple Webgates for a Single IIS 6 Instance" on page 33-19 33.3 Prerequisite for Installing Webgate for IIS 7 This section provides prerequisites for installing Webgates with IIS v7 Web servers. It includes the following topics: ■ Prerequisite for Installing Any 10g Webgate for IIS 7 ■ Prerequisite for Installing a 32-bit Webgate for IIS 7 33.3.1 Prerequisite for Installing Any 10g Webgate for IIS 7 The following procedure applies to 32-bit and 64-bit Webgates equally. With Webgate for IIS v7 Web Server, you can use Form-based authentication without enabling pass through functionality only when the entry is not present in the applicationHost.config file. For example, if you have access/oblix/apps/webgate/bin/webgate.dll as an action in the Form-based authentication scheme, ensure that the entry is not present in Configuring the IIS Web Server for 10g WebGates 33-5 Updating IIS 7 Web Server Configuration on Windows 2008 the applicationHost.config file. If the entry is present, you must remove it, as described next To locate and remove the entry 1. Go to Windows\System32\inetsrv\config and open the applicationHost.config file. 2. Search for the module. 3. Remove the entry if it is present. 4. Save the file. 33.3.2 Prerequisite for Installing a 32-bit Webgate for IIS 7 The following procedure applies to 32-bit Webgates only. The following procedure provides steps to configure a 32-bit Webgate for IIS 7 Web Server to use either Simple or Cert transport security mode. This configuration requires that the IIS 6 Management Compatibility module be installed. To add the IIS 6 Management Compatibility module for a 32-bit Webgate for IIS 7 and Simple or Cert security 1. From the State menu, click Administrative Tools, and then click Server Manager. 2. In the Server Manager tree, expand Roles, and then click Web Server (IIS). 3. In the Web Server (IIS) pane, Role Services section, click Add Role Services. 4. On the Select Role Services page of the Add Role Services Wizard, click IIS6 Management Compatibility under Management Tools. 5. On the Confirm Installation Selections page, click Install. 6. On the Results page, click Close. 33.4 Updating IIS 7 Web Server Configuration on Windows 2008 You can display these steps when you decline automatic Web server updates during Webgate installation. To display steps to configure IIS 7 Web server on Windows 2008 for ISAPI Webgates 1. When installing Webgate, click No when asked if you want the automatic Web server update and: a. Read information on a new screen to assist in manually setting up your Web server for the Webgate. b. Click the following item in the table that appears perform the steps that are displayed. Table 33–1 IIS 7 Webgate Windows Server 2008 Supported Server OS Microsoft IIS Windows Server 2008 ISAPI ... ... 33-6 Administrator's Guide for Oracle Access Management Completing Webgate Installation with IIS 2. After performing steps to update the IIS 7 Web server on Windows 2008, return to the Webgate installation screen and click Next, as described in the chapter on Webgate installation. 3. Proceed with "Completing Webgate Installation with IIS". 33.5 Completing Webgate Installation with IIS Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit Webgates. See Also: As needed, see: ■ ■ Finishing 64-bit Webgate Installation on page 33-24 Installing and Configuring Multiple Webgates for a Single IIS 6 Instance on page 33-19 If you have IIS v7, Oracle recommends the following topics: ■ ■ Updating IIS 7 Web Server Configuration on Windows 2008 on page 33-6 Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance on page 33-14 Completing Webgate installation with an IIS Web server, includes the following activities after the installation is complete. Task overview: Completing IIS Webgate installations includes 1. Enabling Client Certificate Authentication on the IIS Web Server on page 33-7 2. Ordering the ISAPI Filters on page 33-8 3. Enabling Pass-Through Functionality for POST Data on page 33-9 4. Protecting a Web Site When the Default Site is Not Setup on page 33-13 33.5.1 Enabling Client Certificate Authentication on the IIS Web Server Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit Webgates. If you are using client certificate authentication, you must enable SSL on the IIS Web server. If you select client certificate authentication during setup, you must also add the cert_authn.dll as one of the ISAPI filters. The procedures here reflect the sequence for IIS v5. Your environment might be different. Note: To enable SSL on the IIS Web server 1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services. 2. Expand the local computer to display your Web Sites. 3. Expand the Default Web Site (or the appropriate Web site), then expand \access\oblix\apps\webgate\bin. Configuring the IIS Web Server for 10g WebGates 33-7 Completing Webgate Installation with IIS 4. Right click cert_authn.dll and select Properties. 5. In the Properties panel, select the File Security tab. 6. In the Secure Communications sub-panel, click Edit. 7. In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK. 8. Click OK in the cert_authn.dll Properties panel. 9. Proceed to the next procedure: "To add cert_authn.dll as an ISAPI filter". To add cert_authn.dll as an ISAPI filter 1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services. 2. Expand the local computer to display your Web Sites. 3. Right click the appropriate Web Site to display the Properties panel. 4. Click the ISAPI Filters tab, then click the Add button to display the Filter Properties panel. 5. Enter filter name "cert_authn". 6. Click the Browse button and navigate to the following directory: \Webgate_install_dir\access\oblix\apps\webgate\bin 7. Select cert_authn.dll as the executable. 8. Click OK on the Filter Properties panel. 9. Click Apply on the ISAPI Filters panel. 10. Click OK. 11. Ensure the filters are listed in the correct order. 33.5.2 Ordering the ISAPI Filters Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit Webgates. It is important to ensure that the Webgate ISAPI filters are included in the right order. This task is the same whether you are installing one or more Webgates per IIS Web server instance. Note: To order the Webgate ISAPI filters 1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services. 2. Expand the local computer to display your Web Sites. 3. Right-click the Web Site and select Properties. 4. Click Properties, select ISAPI filters. 5. Confirm the following .dll files appear. For example: 33-8 Administrator's Guide for Oracle Access Management Completing Webgate Installation with IIS cert_authn.dll webgate.dll 6. Add any missing filters, if needed, then select a filter name and use the up and down arrows to arrange the filter order as shown in step 5. WARNING: Confirm that there is only one webgate.dll and one postgate.dll filter. If you perform multiple Webgate installations on one computer, multiple versions of the postgate.dll file might be created and cause unusual Access Manager behavior. 33.5.3 Enabling Pass-Through Functionality for POST Data This section describes how the Webgate can be set up in conjunction with IIS 6.0 Worker Process Isolation Mode. It also covers configuration steps required for IIS 6.0 running in IIS 5.0 Isolation Mode. This section supersedes information in "Installing Postgate.dll on IIS Web Servers" in the 10g Oracle Access Manager Installation Guide. For the IIS 5.0 Web server, the existing functionality using postgate.dll continues to be supported. Note: Topics here include: ■ About ISAPI Webgate 10.1.4.2.3 ■ About Pass-Through Functionality for POST Data ■ Implementing Pass-Through: IIS 6.0 in Worker Process Isolation Mode ■ Implementing Pass-Through with IIS 6.0 Web Server in IIS 5.0 Isolation Mode 33.5.3.1 About ISAPI Webgate 10.1.4.2.3 Starting with ISAPI Webgate release 10.1.4.2.3, Access Manager pass-through functionality is supported with IIS 6.0 running in a Worker Process Isolation Mode. ISAPI Webgate 10.1.4.2.3 also operates with IIS 6.0 running in IIS 5.0 Isolation Mode using postgate.dll. Oracle recommends using Worker Process Isolation Mode for new or existing implementations. Worker Process Isolation Mode is a default setting for the IIS 6.0 Web server. For the IIS 5.0 Web server, the existing functionality (using postgate.dll) continues to be supported. Note: This section describes how to set up ISAPI Webgate release 10.1.4.2.3 in conjunction with IIS 6.0 Worker Process Isolation Mode. It also provides configuration steps required for IIS 6.0 running in IIS 5.0 Isolation Mode. This section supersedes information in Section 19-6 (Installing Postgate.dll on IIS Web Servers) of the Oracle Access Manager Installation Guide. 33.5.3.2 About Pass-Through Functionality for POST Data POST data is required for pass through during a form login on the IIS Web server when using the Webgate extension method (where the Webgate is the action of the form). In other words, if a form authentication scheme on the IIS Web server is Configuring the IIS Web Server for 10g WebGates 33-9 Completing Webgate Installation with IIS configured with the pass-through option, and the target of the login form requires the data posted by the form, the Webgate extension method (where the Webgate DLL is the action of the form) cannot be used. The Webgate filter method (where the action of the form is a protected URL that is not the Webgate DLL) must be used instead, and based on IIS version, the postgate.dll must be installed or configure webgate.dll as ISAPI extension. IIS 6.0 in Worker Process Isolation Mode: webgate.dll must be configured as an ISAPI filter and also as an ISAPI extension to achieve pass-through functionality. (This does not apply to ISA server integration.) Pass-through functionality is supported with 10.1.4.2.3 and higher ISAPI Webgates. However, you must also set a new user-defined parameter "UseWebGateExtForPassthrough" to true in the Webgate configuration profile in the Access System Console. IIS 5.0 or IIS6.0 running in IIS 5.0 Isolation Mode: postgate.dll must be configured as an ISAPI filter to achieve the pass-through functionality. 33.5.3.3 Implementing Pass-Through: IIS 6.0 in Worker Process Isolation Mode The following steps outline this task. Task overview: Implementing Pass-Through Functionality with IIS 6.0 Web Server in Worker Process Isolation Mode 1. Install Webgate as described in "Locating and Installing the Latest 10g WebGate for Access Manager 11g" on page 30-14. 2. Set the pass-through parameter as described in "Setting the UseWebGateExtForPassthrough Parameter in the Webgate Profile". 3. Configure webgate.dll as described in "Configuring webgate.dll as an ISAPI Extension". 33.5.3.3.1 Setting the UseWebGateExtForPassthrough Parameter in the Webgate Profile You must set the new user-defined parameter, UseWebGateExtForPassthrough, in the Webgate profile to implement pass-through functionality with the IIS 6.0 Web server in Worker Process Isolation Mode. You must set UseWebGateExtForPassthrough to true. If this parameter is set to false, pass-through functionality will not work. See Also: "IIS Web Server Issues" on page E-18 To set the UseWebGateExtForPassthrough Parameter in the WebGate Profile 1. Launch the Access System Console and click Application Security. 2. Click Agents. 3. Enter your search criteria for the WebGate, and then click Search. 4. In the Search Results table, click a WebGate name. 5. Locate the User Defined Parameters section of the Access/WebGate Gate page, enter the following parameter, and click Apply. Parameter: UseWebGateExtForPassthrough Value: true 6. Click the Apply button if you want to add more user-defined parameters. 7. Repeat for each WebGate in your deployment. 8. Proceed to "Configuring webgate.dll as an ISAPI Extension". 33-10 Administrator's Guide for Oracle Access Management Completing Webgate Installation with IIS 33.5.3.3.2 Configuring webgate.dll as an ISAPI Extension The webgate.dll is part of the Webgate installation. The following procedure describes how to configure webgate.dll as an ISAPI extension. This task must also be performed to implement pass-through functionality with IIS 6.0 Web Server in Worker Process Isolation Mode. You can have multiple webgate.dlls configured at different website levels from the top level Web Sites. In this case, you also need to configure webgate.dll as an ISAPI extension for each website protected by Webgate. Note: To configure webgate.dll as an ISAPI extension 1. Go to websites, right click, and select Properties. 2. In the Properties dialog box, select the Home Directory tab. 3. Click the Configurations button to open the Application Configurations dialog box. 4. In Wild Card Application Maps, click the Inset button. 5. Provide the path to webgate.dll. For example: Webgate_install_dir/access/oblix/apps/webgate/bin/webgate.dll 6. Uncheck the "verify that file exists" box. 7. Confirm and finalize the changes: click OK, then click OK again; click Apply, and then click OK. 8. Stop the IIS Administration Server from Services and restart the IIS Web server. 33.5.3.4 Implementing Pass-Through with IIS 6.0 Web Server in IIS 5.0 Isolation Mode The following steps outline this task. Skip this task if you are using IIS 6.0 Web server in Worker Process Isolation Mode. Note: Task overview: Implementing Pass-Through Functionality with IIS 6.0 Web Server in IIS 5.0 Isolation Mode 1. Install Webgate as described in the Chapter 30, "Registering and Managing 10g WebGates with Access Manager 11g". 2. Set up IIS 6.0 as described in "Setting Up IIS 6.0 Web Server in IIS 5.0 Isolation Mode" on page 33-11. 3. Install postgate.dll as described in "Installing the Postgate ISAPI Filter""Installing the Postgate ISAPI Filter". 33.5.3.4.1 Setting Up IIS 6.0 Web Server in IIS 5.0 Isolation Mode The following information is updated for the 10.1.4.2.3 Webgate. When IIS 6.0 Web server is used, the following steps outline how to set up the WWW Service to run in IIS 5.0 Isolation Mode. This is required by the ISAPI postgate filter. Configuring the IIS Web Server for 10g WebGates 33-11 Completing Webgate Installation with IIS To set IIS 5.0 isolation on IIS 6 Web servers 1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services. 2. Expand the local computer to display your Web Sites. 3. Right-click the Web Site and select Properties. 4. Select the Service tab in the Web Site Properties window. 5. Check the box beside Run WWW service in IIS 5.0 Isolation Mode. 6. Click OK. 7. Proceed with "Installing the Postgate ISAPI Filter". 33.5.3.4.2 Installing the Postgate ISAPI Filter The following information is updated for the 10.1.4.2.3 Webgate. For single Webgate installations, you should install the filters in the following order: ■ The ISAPI Webgate filter should be installed after the sspifilt filter and before any others. ■ The postgate filter should be installed before the Webgate filter, only if needed. ■ All other Access Manager filters can be installed at the end. Before installation (or after uninstallation) the filters must be removed manually. If multiple copies of a filter are installed, this means that they were not manually removed before installing the new filters. Note: You can have multiple webgate.dlls configured at different levels from the top level Web Sites. However, they share the same postgate.dll. If you perform multiple Webgate installations on one computer, multiple versions of the postgate.dll file can be created which might cause unusual Access Manager behavior. There can only be one postgate.dll configured at the (top) Web Sites level of a computer postgate.dll is not supported when you have more than one Webgate installed and configured for a single IIS Web server instance. Note: The following procedures guide as you install and position the postgate ISAPI filter when you have a single Webgate installed with a single IIS Web server instance. To install the postgate ISAPI filter 1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services. 2. Expand the local computer to display your Web Sites. 3. Right-click the Web Site and select Properties. 4. Select the ISAPI Filters tab in the Web Site Properties window. 5. Click the Add button to display the Filter Properties panel. 6. Enter the filter name "postgate". 7. Click the Browse button and navigate to the following directory: 33-12 Administrator's Guide for Oracle Access Management Completing Webgate Installation with IIS \Webgate_install_dir\access\oblix\apps\webgate\bin 8. Select postgate.dll as the executable. 9. Click OK on the Filter Properties panel. 10. Click Apply on the ISAPI Filters panel. 11. Reposition the postgate ISAPI filter, as follows: a. Start the Internet Information Services console, if needed. b. Right-click your local computer, then select All Tasks, select Restart IIS. c. Select the ISAPI Filters tab on the Properties panel. d. Select the postgate filter and move it before Webgate, using the up arrow. For example: postgate.dll webgate.dll e. Restart IIS. Note: Consider using net stop iisadmin and net start w3svc to help ensure that the Metabase does not become corrupted. 33.5.4 Protecting a Web Site When the Default Site is Not Setup Unless explicitly stated, this topic applies equally to 32-bit and 64-bit Webgates. See Also: "Setting Access Permissions, ISAPI filters, and Directory Security Authentication" on page 33-25 When you install a Webgate on an IIS Web server that does not have the "Default Web Site" configured, the installer does not create "Virtual Directory access", which must be done manually using the following procedure. To protect a Web site (not the default site) 1. Start the Internet Information Services console, if needed 2. Select the name of the Web site to protect. 3. Right-click the name of the Web site to protect and select New, and then select Virtual Directory in the menu. 4. Click Next. 5. Select Alias: access, then click Next. 6. Directory: Enter the full path to the /access directory, then click Next. Webgate_install_dir\access 7. Select Read, Run Scripts, and Execute, then click Next. 8. Click Finish. 9. Restart IIS. For example: Select Start, then Run. Type net start w3svc. Click OK. Configuring the IIS Web Server for 10g WebGates 33-13 Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance 33.6 Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance This section describes how to install and configure multiple Webgates for different Web sites on the same IIS 7 Web server instance. Several steps are manual and will differ from those that are performed when you install a single Webgate with a single IIS instance. When installing multiple Webgates for a single IIS instance: ■ ■ The webgate.dll must be configured as an ISAPI filter at the individual Web site level, not the default (top) Web server level The /access virtual directory is mapped at the Web site level to the respective /access directory in the Webgate installation. When configuring the impersonation DLL for multiple Webgates, you need to configure a user to act as the operating system. Task overview: Installing and configuring multiple Webgates for a single IIS 7 instance 1. Installing Each IIS 7 Webgate in a Multiple Webgate Scenario 2. Setting the Impersonation DLL for Multiple IIS 7 Webgates 3. Enabling Client Certification for Multiple IIS 7 Webgates 4. Configuring IIS 7 Webgates for Pass Through Functionality 5. Confirming IIS 7 Webgate Installation 6. Perform the following tasks, which are the same whether you install one or more Webgates per IIS Web server instance: ■ "Ordering the ISAPI Filters" on page 33-8 ■ "Confirming Webgate Installation on IIS" on page 33-26 See Also: "Confirming Multiple Webgate Installation" on page 33-24 33.6.1 Installing Each IIS 7 Webgate in a Multiple Webgate Scenario After installing the ISAPI Webgate, there are several manual steps to perform as described here. By default, webgate.dll is configured as an ISAPI filter at the host name (top) level. When installing multiple Webgates with a single IIS 7 instance, you need to remove the respective webgate.dll from the top level and configure it for the appropriate individual Web site after each Webgate installation. To install each Webgate when you will have several with one IIS 7 instance 1. Install the ISAPI 7 Webgate as described in Chapter 30. 2. Go to the Web site to protect, and configure webgate.dll as the ISAPI filter using these steps: a. Start the Internet Information Services (IIS) Manager: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager. b. Select the hostname from the Connections pane. c. From the hostname Home pane, double-click ISAPI Filters, look for any Webgate.dll; if it is present, select it and click Remove from the Action pane. 33-14 Administrator's Guide for Oracle Access Management Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance d. In the Connection pane, under Sites, click the name of the Web Site for which you want to configure a Webgate filter. e. In the Home pane, double-click ISAPI Filters. f. In the Actions pane, click Add… g. In the Filter name text box of the Add ISAPI Filter dialog box, type "Webgate" as name for the ISAPI filter. h. In the Executable box, type the file system path of the Webgate ISAPI filter file or click the ellipsis button (...) to go to the folder that contains the Webgate.dll ISAPI filter file, and then click OK. Webgate_install_dir\access\oblix\apps\webgate\bin\webgate.dll 3. Creating a Virtual Directory: a. Expand the Sites pane and select the Web Site for which you just configured the ISAPI filter (Webgate.dll). b. On the Action pane, click View Virtual Directories and then select Add Virtual Directory. c. Specify access in the Alias text box and the physical path to the Webgate access folder of Webgate or click the ellipsis button (...) to go to the "access" folder, and then click OK. Webgate_install_dir\access\ d. 4. 5. 6. 7. Save and apply these changes. Setting permissions to the Virtual Directory: a. Select the "access" virtual directory created in Step 3. b. From the access Home pane, double click Handler Mappings; from the Action pane, select Edit Feature Permissions…. c. Check boxes beside Read, Script, and Execute, then click OK. Setting Directory Permissions for Webgate: a. In Explorer, right click the Webgate installation directory Webgate_install_ dir\access and select Properties. b. Click the Security tab and click the Edit button. c. Add user "IUSR", select "Allow" for "Modify". d. Add user "IIS_IUSRS", select "Allow" for "Modify". e. Add user "NETWORK", select "Allow" for "Modify". f. Add user "NETWORK SERVICE", select "Allow" for "Modify". g. For group "Administrators" select "Allow" for "Modify". Webgate in Simple or Cert Mode: a. In the file system, locate and right-click the "password.xml" file in Webgate_ install_dir\access\oblix\config\password.xml, and select Properties. b. Click the Security tab. c. Give "Allow" for "Read" rights to users "IUSR", "NETWORK SERVICE", "IIS_ WPG", "IIS_IUSRS". Ensure that there is no webgate.dll in the top level (the hostname level). Configuring the IIS Web Server for 10g WebGates 33-15 Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance 8. 9. Perform the next set of tasks using instructions in the following topics: a. "Setting the Impersonation DLL for Multiple IIS 7 Webgates" on page 33-16 b. "Enabling Client Certification for Multiple IIS 7 Webgates" on page 33-17 Repeat these steps when you install the next Webgate for the IIS instance. 33.6.2 Setting the Impersonation DLL for Multiple IIS 7 Webgates The client's access token is known as an impersonation token. The impersonation token identifies the client, the client's groups, and the client's privileges. The information in the token is used during access checks when the thread requests access to resources on the client's behalf. Access Manager authenticates and authorizes the user. The Access Manager IISImpersonationExtension.dll in the wildcard extension behaves like a filter for each request to the Web server. Access Manager designates a special user that does have the right to impersonate another user by configuring it using the impersonation username/password on the AccessGate Configuration page. That designated user must have "act as operating system" rights. DLL impersonates the user authenticated and authorized by Access Manager and generates the impersonation token. You perform the following steps to set the impersonation DLL for each Webgate that protects a Web site for a single IIS 7 Web server instance. You can do this either immediately after the installation task in the previous topic or all at one time. This task must be performed for each Webgate that protects an individual Web site for a single IIS Web server instance. Note: To add the impersonation DLL to IIS 7 configuration for individual Web sites 1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager. 2. Add "IISImpersonationExtension.dll" as a Wildcard Script Map to the required Web Site: a. Expand Sites in the connection pane. b. Click the Web Site name to which you want to add IISImpersonationExtension.dll. c. Double click Handler Mappings from the selected Web Site's "home" pane. d. From the Action pane, click Add Wildcard Script Map. e. In the Name text box of the Add Wildcard Script Map dialog box, type "Oracle Impersonation Plugin" as name for the dll. f. In the Executable box, type the file system path of the Webgate IISImpersonationExtension.dll or click the ellipsis button (...) to go to the folder that contains IISImpersonationExtension.dll, and then click OK. Webgate_install_dir/access/oblix/apps/Webgate/bin/ IISImpersonationExtension.dll This example shows the default path, where Webgate_install_dir is the file system directory where you have installed this particular Webgate. 3. Proceed as follows: 33-16 Administrator's Guide for Oracle Access Management Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance ■ ■ Client Certificate Authentication: "Enabling Client Certification for Multiple IIS 7 Webgates" "Confirming IIS 7 Webgate Installation" on page 33-19. 33.6.3 Enabling Client Certification for Multiple IIS 7 Webgates You perform this task to set the enable client certification for each Webgate that protects a Web site for a single IIS 7 Web server instance. You can do this either immediately after the adding the impersonation DLL to an individual Web site or all at one time. SSL should be enabled on the Web Site before configuring the client certification for Webgate. Follow these steps after the Web Site is SSL enabled. Note: If you select client certificate authentication during setup, you must also enable and then add the cert_authn.dll as one of the ISAPI filters in the respective Web site. To enable cert_authn.dll on the IIS 7 Web server 1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager. 2. Expand Sites in the connection pane. 3. Expand the Web Site to \access\oblix\apps\webgate\bin. 4. Right click the "bin" directory and select Switch To Content View. 5. Right click the "cert_authn.dll".and from the drop down menu, select Switch To Feature View. 6. From the cert_authn.dll Home pane, double click SSL Settings. 7. From SSL Settings pane, select Require SSL check-box and select Accept from Client Certificates. 8. Select Apply from Action pane. 9. Repeat for each Webgate installed on this host, for which you want to enable client certification. 10. Restart the IIS 7 Web server. 11. Proceed to the next task: "To add cert_authn.dll as an ISAPI v7 filter". To add cert_authn.dll as an ISAPI v7 filter 1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager. 2. Expand Sites in the connection pane. 3. Click on the Web Site name for which you want to add "cert_authn.dll". 4. In the Home pane, double-click ISAPI Filters. 5. In the Actions pane, click Add. 6. In the Filter name box of the Add ISAPI Filter dialog box, type Oracle Certification Authentication Plugin as name for the ISAPI filter. Configuring the IIS Web Server for 10g WebGates 33-17 Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance 7. In the Executable box, type the file system path of the Webgate cert_authn.dll or click the ellipsis button (...) to go to the folder that contains cert_authn.dll, and then click OK. Webgate_install_dir/access/oblix/apps/Webgate/bin/cert_authn.dll This example shows the default path, where Webgate_install_dir is the file system directory where you have installed this particular Webgate. 8. Click View Ordered List from the Action pane and arrange the filters as shown here by using "Move Up" or "Move Down": cert_authn.dll webgate.dll 9. Select Apply from Action pane. 10. Repeat for each Webgate installed on this host, for which you want to enable client certification. 11. Restart the IIS 7 Web server. 12. Proceed as needed for your deployment: ■ "Configuring IIS 7 Webgates for Pass Through Functionality" 33.6.4 Configuring IIS 7 Webgates for Pass Through Functionality Here you will add Webgate.dll as a Wildcard Script Map to the required Web Site. While configuring Webgate to work with pass through functionality, you must ensure that "Physical Path" of the Web sites on which you are installing Webgates differ. Otherwise, the changes in "Handler Mappings" are reflected in all the Web Sites sharing the same physical path. "Physical Path" is the path that is provided at the time of creating the Web Site. To check this path after the creation of the Web Site, , In Action pane click on Basic Settings..., you will be presented with a window showing the physical path of the Web Site. Note: ■ Click the Web Site name. ■ In the Action pane, click Basic Settings. To configure Webgate for pass through functionality 1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager. 2. Expand Sites in the connection pane. 3. Click the Web Site name for which you want to enable pass through. 4. Double click Handler Mappings from the selected Web Site's "home" pane. 5. From the Action pane, click Add Wildcard Script Map. 6. In the Name text box of the Add Wildcard Script Map dialog box, type Webgate as name for the ISAPI filter. 7. In the Executable box, type the file system path of the Webgate ISAPI filter file (Webgate.dll) or click the ellipsis button (...) to go to the folder that contains the Webgate.dll ISAPI filter file, and then click OK. Webgate_install_dir/access/oblix/apps/Webgate/bin/Webgate.dll 33-18 Administrator's Guide for Oracle Access Management Installing and Configuring Multiple Webgates for a Single IIS 6 Instance 8. In the Access System Console: a. Locate the Web Gate profile and click Modify. b. Under User Defined Parameters, enter the following parameter and value: UseWebGateExtForPassthrough true c. 9. Save the profile. Repeat for each Webgate installed on this host, for which you want to enable pass through. 10. Restart the IIS 7 Web server. 11. Proceed to the next task: "Confirming IIS 7 Webgate Installation". 33.6.5 Confirming IIS 7 Webgate Installation You can use the following procedure to confirm IIS 7 Webgate installation. To verify IIS 7 Webgate installation 1. Go to the URL: http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1 where hostname refers to the name of the computer hosting the Webgate; port refers to the Web server instance port number. 2. The Webgate diagnostic page should appear. ■ ■ Successful: If the Webgate diagnostic page appears, the Webgate is functioning properly and you can dismiss the page. Unsuccessful: If the Webgate diagnostic page does not open, the Webgate is not functioning properly. In this case, the Webgate should be uninstalled and reinstalled. For more information about removing Access Manager see the OAM Installation Guide Chapter 22, then return to the chapter on installing a Webgate. 33.7 Installing and Configuring Multiple Webgates for a Single IIS 6 Instance Unless explicitly stated, this topic applies equally to 32-bit and 64-bit Webgates. See Also: "Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance" on page 33-14 This section describes how to install and configure multiple Webgates for different Web sites on same IIS Web server instance. Several steps are manual and will differ from those that are performed when you install a single Webgate with a single IIS instance. When installing multiple Webgates for a single IIS instance: ■ ■ The webgate.dll must be configured as an ISAPI filter at the individual Web site level, not the default (top) Web server level The /access virtual directory is mapped at the Web site level to the respective /access directory in the Webgate installation. Configuring the IIS Web Server for 10g WebGates 33-19 Installing and Configuring Multiple Webgates for a Single IIS 6 Instance When configuring the impersonation DLL for multiple Webgates, you need to configure a user to act as the operating system. There can only be one postgate.dll configured at the (top) Web Sites level of a machine. However, you might have multiple webgate.dlls configured at different levels below the top level Web Sites. If you perform multiple Webgate installations on one machine, multiple versions of the postgate.dll file might be created that can cause unusual Access Manager behavior. Task overview: Installing and configuring multiple Webgates for a single IIS instance 1. Installing Each Webgate in a Multiple Webgate Scenario 2. Setting the Impersonation DLL for Multiple Webgates 3. Enabling SSL and Client Certification for Multiple Webgates 4. Perform the following tasks, which are the same whether you install one or more Webgates per IIS Web server instance: ■ "Ordering the ISAPI Filters" on page 33-8 ■ "Confirming Webgate Installation on IIS" on page 33-26 See Also: "Confirming Multiple Webgate Installation" on page 33-24 33.7.1 Installing Each Webgate in a Multiple Webgate Scenario Unless explicitly stated, this topic applies equally to 32-bit and 64-bit Webgates. After installing the ISAPI Webgate, there are several manual steps to perform as described here. By default, webgate.dll is configured as an ISAPI filter at the Web sites (top) level. When installing multiple Webgates with a single IIS instance, you need to remove the respective webgate.dll from the top level and configure it for the appropriate individual Web site after each Webgate installation. If you perform multiple Webgate installations on one machine, multiple versions of the postgate.dll file might be created which can cause unusual Access Manager behavior. The postgate.dll is not supported in environments where you have multiple Webgates configured with a single IIS v6 web server instance. Note: To install each Webgate when you will have several with one IIS instance 1. Install the ISAPI Webgate as described in Chapter 30. 2. Go to the Web site to protect, and configure webgate.dll as the ISAPI filter using these steps: a. Start the Internet Information Services (IIS) Manager: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager b. Right click Web Sites, and then click the Properties option. c. Click the ISAPI filter tab, look for the path to webgate.dll; if it is present in the filter, then select it and click the Remove button. d. Under Web Sites, right-click the name of the Web site to protect, and select the Properties option. 33-20 Administrator's Guide for Oracle Access Management Installing and Configuring Multiple Webgates for a Single IIS 6 Instance e. Click the ISAPI filter tab to add the filter DLLs. f. Add the following filter to identify the path to the webgate.dll file, and name it "webgate". Webgate_install_dir/access/oblix/apps/webgate/bin/webgate.dll 3. 4. g. Save and apply these changes. h. Go to the Directory Security tab. i. Confirm that "anonymous access" and "basic authentication" are selected so that Access Manager provides authentication for this Web server. j. Save and apply these changes. Go to Web sites level to protect and create an /access virtual directory that points to the newly installed Webgate_install_dir: a. Under Web Sites, right-click the name of the Web site to be protected. b. Select New and create a new virtual directory named access that points to the appropriate Webgate_install_dir/access. c. Under Access Permissions, check Read, Run Scripts, and Execute. d. Save and apply these changes. In the file system, set directory permissions for Access Manager: a. In the file system, locate and right-click Webgate_install_dir\access, and the select Properties. b. Click the Security tab. c. Add user "IUSR_machine_name" and then select "Allow" for "Modify". For example, for a machine_name of Oracle, select IUSR_ORACLE. d. Add user "IWAM_machine_name" and then select "Allow" for "Modify" For example, for a machine_name Oracle, select IWAM_ORACLE. 5. 6. e. Add user "IIS_WPG" and then select "Allow" for "Modify". f. Add user "NETWORK SERVICE" and then select "Allow" for "Modify". g. For the group "Administrators", select "Allow" for "Modify". If Webgate has been set up in Simple or Cert mode, perform the follow steps: a. In the file system, locate and right-click the "password.xml" file in Webgate_ install_dir\access\oblix\config\password.xml. b. Click the Security tab. c. Give "Allow" for "Read" rights to users "IUSR_machine_name", IWAM_ machine_name, "IIS_WPG", and "NETWORK SERVICE". Add a new Web service extension using the following steps: a. Right click Web Service Extensions, and then select Add a new Web service extension.... b. Add the Extension name Oracle Webgate. c. Click Add to add the path to the extension file, and then enter the path to the appropriate webgate.dll. Webgate_install_dir\access\access\oblix\apps\webgate\bin\webgate.dll Configuring the IIS Web Server for 10g WebGates 33-21 Installing and Configuring Multiple Webgates for a Single IIS 6 Instance d. Click OK to save the changes. e. Check box beside Set extension status to allowed. f. Click OK to save the changes. 7. Ensure that there is no webgate.dll in the ISAPI filter at the top Web site level ("web sites"). 8. Perform the next set of tasks using instructions in the following topics: 9. a. "Setting the Impersonation DLL for Multiple Webgates" on page 33-22 b. "Enabling SSL and Client Certification for Multiple Webgates" on page 33-23 Repeat these steps when you install the next Webgate for the IIS instance. 33.7.2 Setting the Impersonation DLL for Multiple Webgates Unless explicitly stated, this topic applies equally to 32-bit and 64-bit Webgates and IIS v6. The client's access token is known as an impersonation token. The impersonation token identifies the client, the client's groups, and the client's privileges. The information in the token is used during access checks when the thread requests access to resources on the client's behalf. The Access System authenticates and authorizes the user. IISImpersonationExtension.dll of Access Manager in the wildcard extension behaves like a filter for each request to the Web server. The Access System designates a special user that does have the right to impersonate another user by configuring it using the impersonation username/password on the AccessGate Configuration page. That designated user must have "act as operating system" rights. DLL impersonates the user authenticated and authorized by Access Manager and generates the impersonation token. You perform the following steps to set the impersonation DLL for each Webgate that protects a Web site for a single IIS Web server instance. You can do this either immediately after the installation task in the previous topic or all at one time. This task must be performed for each Webgate that protects an individual Web site for a single IIS Web server instance. Note: To add the impersonation DLL to IIS configuration for individual Web sites 1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager. 2. Click the plus icon (+) beside the Local Computer icon in the left pane to display your Web Sites. 3. Click Web Service Extensions in the left pane. 4. Double-click Webgate in the right pane to open the Properties panel. 5. Click the Required Files tab. 6. Click Add. 7. In the Path to file text box, type the full path to IISImpersonationExtension.dll, and then click OK. For example: 33-22 Administrator's Guide for Oracle Access Management Installing and Configuring Multiple Webgates for a Single IIS 6 Instance Webgate_install_dir\access\oblix\apps\webgate\bin\IISImpersonationExtension.dll This example shows the default path, where Webgate_install_dir is the file system directory where you have installed this particular Webgate. 8. Verify that the Allow button beside the Webgate icon is grayed out, which indicates that the dll is allowed to run as a Web service extension. 9. Right click the Web site name, and then click Properties. 10. Click the Home Directory tab, and then click the Configuration button. 11. In the list box for Wildcard application maps, click the entry for IISImpersonationExtension.dll to highlight it, then click Edit. 12. Ensure that the box is unchecked, and then click OK. 13. Repeat these steps for each Webgate and Web site pair for the IIS Web server instance. 14. Proceed as follows: ■ ■ Client Certificate Authentication: "Enabling SSL and Client Certification for Multiple Webgates" "Confirming Multiple Webgate Installation" on page 33-24. 33.7.3 Enabling SSL and Client Certification for Multiple Webgates You perform this task to set the enable client certification for each Webgate that protects a Web site for a single IIS Web server instance. You can do this either immediately after the adding the impersonation DLL to an individual Web site or all at one time. Procedures in this topic apply equally to 32-bit and 64-bit Webgates, and IIS 6, unless stated otherwise. Note: If you select client certificate authentication during setup, you must also add the cert_ authn.dll as one of the ISAPI filters in the respective Web site. To enable SSL on the IIS v6 Web server 1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager. 2. Expand the local computer icon to display your Web Sites. 3. Expand the appropriate individual Web Site, then expand \access\oblix\apps\webgate\bin. 4. Right click cert_authn.dll and select Properties. 5. In the Properties panel, select the File Security tab. 6. In the Secure Communications sub-panel, click Edit. 7. In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK. 8. Click OK in the cert_authn.dll Properties panel. 9. Repeat for each Webgate installed on this host. 10. Proceed to the next task: "To add cert_authn.dll as an ISAPI filter". Configuring the IIS Web Server for 10g WebGates 33-23 Finishing 64-bit Webgate Installation To add cert_authn.dll as an ISAPI filter 1. Start the Internet Information Services console, if needed. 2. Expand the local computer to display your Web Sites. 3. Right click the appropriate Web Site to display the Properties panel. 4. Click the ISAPI Filters tab, then click the Add button to display the Filter Properties panel. 5. Enter filter name "cert_authn". 6. Click the Browse button and navigate to the following directory: \Webgate_install_dir\access\oblix\apps\webgate\bin 7. Select cert_authn.dll as the executable. 8. Click OK on the Filter Properties panel. 9. Click Apply on the ISAPI Filters panel. 10. Click OK. 11. Repeat for each Webgate installed on this host. 12. Ensure the filters are listed in the correct order. 13. Proceed to "Confirming Multiple Webgate Installation". 33.7.4 Confirming Multiple Webgate Installation This task applies equally to 32-bit and 64-bit Webgates, and IIS v6 Web servers. If you perform multiple Webgate installations on one machine, multiple versions of the postgate.dll file might be created which can cause unusual Access Manager behavior. the postgate.dll is not supported in environments where you have multiple Webgates configured with a single IIS v6 web server instance. See Also: ■ "Finishing 64-bit Webgate Installation" on page 33-24 ■ "Confirming Webgate Installation on IIS" on page 33-26 33.8 Finishing 64-bit Webgate Installation This section describes how to complete installation of a 64-bit Webgate. You can skip this section if you are installing a 32-bit Webgate. In this case, see instead, "Completing Webgate Installation with IIS" on page 33-7. Before you start tasks here, be sure that you have completed Webgate installation according to information in Chapter 30. You must also have completed Web server configuration updates for this Webgate either automatically during Webgate installation or manually, as described in "Webgates for IIS v6" on page 33-4. Task overview: Finishing installation of a 64-bit Webgate 1. Perform steps in "Setting Access Permissions, ISAPI filters, and Directory Security Authentication" on page 33-25. 2. Enable client certificates, if desired. See "Setting Client Certificate Authentication" on page 33-25. 3. When finished, you can: 33-24 Administrator's Guide for Oracle Access Management Finishing 64-bit Webgate Installation ■ ■ Confirm operations as described in "Confirming Webgate Installation on IIS" on page 33-26 Implement Windows Impersonation, as described in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager. 33.8.1 Setting Access Permissions, ISAPI filters, and Directory Security Authentication Unless explicitly stated, this topic applies equally to 32-bit and 64-bit Webgates. It describes setting access permissions for the Web site that you are using as a default. To set or confirm access Permissions, ISAPI filters, and Directory Security Authentication 1. Start the Internet Service Manager. For example, from the Start menu click Programs then click Administrative Tools, and click Internet Service Manager. 2. Expand the local computer by clicking +, in the left panel. 3. Click to expand the Web Sites tab. 4. Right-click Default Web Site (or the site you are using as a default), and create a virtual directory as described in "Protecting a Web Site When the Default Site is Not Setup" on page 33-13. 5. Right-click Web Sites in the Internet Information Services tab, click Properties, and perform the following steps: a. From the Internet Information Services tab, click the Edit button. b. Locate the ISAPI filter tab to confirm (or add) the filter DLLs, as follows: Filter: If you updated the IIS Web server configuration file, webgate.dll should be properly located. No Filter: Add the webgate.dll filter from Webgate_install_ dir\oblix\access\apps\webgate\bin\webgate.dll c. Save and apply any changes. d. Click the Directory Security tab and confirm that both Anonymous Access and Basic Authentication are selected. Selected: Proceed to Step 6. Not Selected: Select Anonymous Access and Basic Authentication, then save and apply these changes. 6. Proceed as follows: ■ "Setting Client Certificate Authentication", if desired ■ No Client Certificate Authentication: Restart the IIS Web server. ■ Filter Positions: Perform instructions in "Ordering the ISAPI Filters" on page 33-8 to ensure that all filters have been added and are in the proper order. 33.8.2 Setting Client Certificate Authentication This task is optional and should be performed only if you want to use client certificate authentication. In this case, IIS and Webgate must be SSL-enabled. Information in this topic is a sub set of details in "Enabling Client Certificate Authentication on the IIS Web Server" on page 33-7. Configuring the IIS Web Server for 10g WebGates 33-25 Confirming Webgate Installation on IIS To add cert_authn.dll as an ISAPI filter 1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Service Manager. 2. Expand the local computer to display your Web Sites. 3. Right-click the Default Web Site (or the Web site that you use as a default), then expand \access\oblix\apps\webgate\bin. 4. Right click cert_authn.dll and select Properties, then: a. In the Properties panel, select the File Security tab. b. In the Secure Communications sub-panel, click Edit. c. In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK. d. Click OK in the Secure Communications panel. e. Click OK in the cert_authn.dll Properties panel. 5. Click the ISAPI Filters tab, click the Add button to display the Filter Properties panel, and then: 6. Ensure the filters are listed in the correct order, as described in "Ordering the ISAPI Filters" on page 33-8. 7. Proceed to "Confirming Webgate Installation on IIS" on page 33-26. 33.9 Confirming Webgate Installation on IIS After installing Webgate and updating the IIS Web server configuration file, you can use the Webgate diagnostics to verify the Webgate is properly installed. Note: This task is the same for both 32-bit and 64-bit Webgates. It is the same whether you are installing one or more Webgates per IIS Web server instance. To verify Webgate installation 1. Go to the URL: http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1 where hostname refers to the name of the computer hosting the Webgate; port refers to the Web server instance port number. 2. The Webgate diagnostic page should appear. ■ ■ Successful: If the Webgate diagnostic page appears, the Webgate is functioning properly and you can dismiss the page. Unsuccessful: If the Webgate diagnostic page does not open, the Webgate is not functioning properly. In this case, the Webgate should be uninstalled and reinstalled. For more information about removing Access Manager see "Removing a 10g WebGate from the Access Manager 11g Deployment" on page 30-27, in the chapter on installing a 10g Webgate Chapter 30. 33-26 Administrator's Guide for Oracle Access Management Removing Web Server Configuration Changes Before Uninstall 33.10 Starting, Stopping, and Restarting the IIS Web Server When instructed to restart your IIS Web server during Webgate installation or setup, be sure to follow any instructions that appear on the screen. Also, consider using net stop iisadmin and net start w3svc are good ways to stop and start the Web server. The net commands help to ensure that the Metabase does not become corrupted following an installation. 33.11 Removing Web Server Configuration Changes Before Uninstall The information in this section applies equally to 32-bit and 64-bit Webgates. Web server configuration changes that occur during installation must be manually reverted after uninstalling the Webgate. For example, the ISAPI transfilter will be installed for IIS Webgate. However, if you uninstall Webgate this is not removed automatically. Also, the created Web service extension and the link to the identity directory will not be removed. This type of information must be removed manually. These are examples of information to remove, not a complete list. Further, you must remove any changes that you manually made to your Web server configuration file for the Webgate should be removed. For more information about what is added for each component, look elsewhere in this chapter. To fully remove a Webgate and related filters from IIS, you must do more than simply remove the filters from the list in IIS. IIS retains all of its settings in a metabase file. On Windows 2000 and later, this is an XML file that can be modified by hand. There is also a tool available, MetaEdit, to edit the metabase. MetaEdit looks like Regedit and has a consistency checker and a browser/editor. To fully remove a Webgate from IIS, use MetaEdit to edit the metabase. Configuring the IIS Web Server for 10g WebGates 33-27 Removing Web Server Configuration Changes Before Uninstall 33-28 Administrator's Guide for Oracle Access Management 34 34 Configuring Lotus Domino Web Servers for 10g WebGates This chapter provides tips about installing and configuring Lotus Domino to operate with the WebGate. Topics include: ■ Prerequisites ■ Installing the Domino Web Server ■ Setting Up the First Domino Web Server ■ Starting the Domino Web Server ■ Enabling SSL (Optional) ■ Installing a Domino Security (DSAPI) Filter The information here presumes that you are familiar with your operating system commands, Lotus Notes, and the Domino Web server. Note: 34.1 Prerequisites Ensure that your Oracle Access Management Console is running and get familiar with: ■ ■ "Introduction to Policy Enforcement Agents" on page 14-1 "About Installing Fresh 10g WebGates to Use With Access Manager 11.1.2" on page 30-3 34.2 Installing the Domino Web Server Before you install the WebGate with a Domino Web server, you need a properly installed and set up Domino Enterprise Server R5. The following information focuses on Solaris. However, with some modifications, these steps can be used as a guide for other UNIX systems. You need to register if this is the first time you download from lotus.com. Note: To download the Domino Web server on UNIX 1. Download Lotus Domino from the following URL: Configuring Lotus Domino Web Servers for 10g WebGates 34-1 Setting Up the First Domino Web Server http://www-10.lotus.com/ldd/down.nsf 2. Untar the downloaded file to your staging area. For example: gct@planetearth[/export/users2/gct/temp] 433 : ls C37UUNA.tar gct@planetearth[/export/users2/gct/temp] 434 : tar xf C37UUNA.tar gct@planetearth[/export/users2/gct/temp] 435 : ls C37UUNA.tar sol/ You need to install Domino as user "root". The installation script creates soft link, /opt/lotus, to link to your Lotus Domino installation directory. To install the Domino Web server on UNIX 1. Run the install script for the Domino Web server. For example: gct@planetearth[/export/users2/gct/temp/sol] 441 : su root Password: root@planetearth[/export/users2/gct/temp/sol] 1 : ls install* license.txt script.dat sets/ tools/ root@planetearth[/export/users2/gct/temp/sol] 2 : root@planetearth[/export/users2/gct/temp/sol] 2 : ./install ======================================================== Domino Server Installation ======================================================== Welcome to the Domino Server Install Program. Type h for help on how to use this program. Press TAB to begin the installation. -------------------------------------------------------Type h for help Type e to exit installation Press TAB to continue to the next screen. -------------------------------------------------------- You are asked to select the setup type. 2. Select Setup type. For example: Select Setup type: [Domino Enterprise Server] 3. Complete the installation with the following considerations in mind. For example: ■ ■ ■ ■ The default program directory is set to /opt/lotus. You may over write it to another directory. For example, /export/home/WWW/lotus. The default data directory is set to /local/notesdata1. You may also over write this to something else. For example, /export/home/WWW/lotus/data1. Over write Domino UNIX user to own data directory. The default user is set to notes. You may change it to a valid UNIX user. For example, gct or root. Over write "The UNIX user for this directory must be a member of this group". The default group is set to notes. You may change it to a valid UNIX group name. For example: oblix. Be sure to put Domino data directory in your $PATH before you proceed from here. Note: 34.3 Setting Up the First Domino Web Server After successfully installing, you must set up the first Domino server. 34-2 Administrator's Guide for Oracle Access Management Enabling SSL (Optional) To set up first Domino server 1. Run /opt/lotus/bin/http httpsetup. By default, Domino will use port 8081. 2. Ensure that port 8081 is not already in use. 3. Launch your browser and enter the URL that follows. For example: http://hostname:8081 4. Follow instructions on the screen and keep the following in mind. ■ Check HTTP to get the Web server. ■ Ensure the designated Administrator has a first and last name. ■ 5. Keep passwords simple, and record them in a safe location. For example, oracleoracle. Run all commands as the UNIX user that you've configured for this Domino Web server. WARNING: Do not run as root. 34.4 Starting the Domino Web Server After successfully setting up the first Domino Web server, you must start it. To start Domino server 1. Run /opt/lotus/bin/server. 2. Launch your browser and enter the following URL. For example: http://hostname:80/names.nsf You will be prompted for login name and password. 3. Select Server-Server. 4. Select your intended server. 5. Select Edit Server. 6. Select Ports, select Internet Ports, then click Web. 7. Change the value for TCP/IP port number to your desired port number. 8. Click Save and Close to save all your changes. 9. Restart server /opt/lotus/bin/server. 34.5 Enabling SSL (Optional) Enabling SSL is not mandatory for the WebGate. However, if you need to generate a keyring file (.kyr) and its corresponding stash file (.sth) from the Lotus Notes client on a Windows system to the UNIX system, use the steps that follow. To generate the keyring and stash files 1. Launch the Lotus Notes Client on your Windows system. Configuring Lotus Domino Web Servers for 10g WebGates 34-3 Installing a Domino Security (DSAPI) Filter For example: File, select Databases, then click Open 2. Select Server Certificate Admin. 3. Create the key ring file. 4. Create the certificate request. 5. Install the trusted root certificate into the key ring file. 6. Install the certificate into the key ring file. 7. Copy or ftp the newly created keyring file and stash file from the Windows system to your UNIX computer. 8. Store both files in your Domino data directory. To enable SSL 1. Launch your browser and enter the following URL. For example: http://hostname:port/names.nsf You will be prompted for login name and password 2. Select Server-Server. 3. Select your intended server. 4. Select Edit Server. 5. Select Ports, select Internet Ports, then click Web. 6. In the SSL Key file name field, enter the absolute path to the keyring file. 7. Change the SSL Port number value to your desired port number. 8. Enable SSL port status. 9. Select Client Certificate "Yes" for Client Certificate authentication. 10. Click Save and Close to save all your changes. 11. Restart the Web server. For example: /opt/lotus/bin/server 34.6 Installing a Domino Security (DSAPI) Filter The Domino security API filter, DSAPI, is an authentication method that enables you to register a DLL with the Domino Web server. In this case, the Web server calls the WebGate DLL to authenticate the user when a request for authentication occurs rather than using SSL or basic authentication. Authentication within Domino is optional with the Access Manager DSAPI filter. You can implement certain aspects of authentication that the default Web server does not support. Task overview: Completing WebGate and filter installation 1. Before you install the WebGate on a Domino Web server, complete all steps described earlier. 34-4 Administrator's Guide for Oracle Access Management Installing a Domino Security (DSAPI) Filter 2. Complete the WebGate installation and Web server update as described in "Locating and Installing the Latest 10g WebGate for Access Manager 11g" on page 30-14. 3. Set ObWebGateInstallDir=$WEBGATE_INSTALL_DIR in your notes.ini file. 4. See "Completing the WebGate Installation" on page 34-5 and choose one of the two options discussed there. 34.6.1 Completing the WebGate Installation To ensure the Domino Web Server can use the WebGate DLL, you need to edit the enter the name or names of the DLL/DLLs (DSAPI libraries) to be called for authentication in the DSAPI filter file names field of the HTTP tab under the Internet Protocols tab in the Server document. Relative paths will be based on the Domino executable directory. DSAPI filter libraries will be called to handle events in the order they appear in this list. Note: There are two ways to install the filter: ■ Through a Web browser and names.nsf (option 1) ■ Through a Lotus Notes workstation and the Address Book (option 2) Option 1: To setup the DSAPI filter to access names.nsf 1. Go to the names.nsf URL and log in. For example: http://hostname:port/names.nsf 2. Click the Server-Servers link. A Java applet will be loaded. 3. Select a server from those listed. 4. Click the Edit Server link to go to Edit mode. 5. Click the Internet Protocols link. By default, the HTTP tab is selected and information is displayed in Edit mode. 6. Look for DSAPI where it says "DSAPI filter file names:", then type in the absolute path to the libwebgate.so file. 7. Save your changes. 8. Restart the Domino http server task. Option 2: To access the Address Book through Lotus Notes 1. Open Domino Name and Address book. For example, select: File, Database, Open, then click Address Book 2. Switch to server view and open the server document. 3. Edit the server document. 4. Click the Internet Protocols tab. By default, the HTTP tab is selected and information is displayed in Edit mode. Configuring Lotus Domino Web Servers for 10g WebGates 34-5 Installing a Domino Security (DSAPI) Filter 5. Look for DSAPI where it says "DSAPI filter file names:", then type in the absolute path to the libwebgate.so file. 6. Save your changes. 7. Restart the Domino http server task. 34-6 Administrator's Guide for Oracle Access Management Part VIII Managing the Adaptive Authentication Service and Oracle Mobile Authenticator Part VIII The Adaptive Authentication Service is a One Time Password Authenticator that provides multifactor authentication in addition to the standard user name and password type authentication. This part contains the following chapters: ■ Chapter 35, "Introducing the Adaptive Authentication Service" ■ Chapter 36, "Configuring the Oracle Mobile Authenticator" 35 Introducing the Adaptive Authentication Service 53 [25The ] Adaptive Authentication Service offers stronger multifactor (also referred to as second factor) authentication for sensitive applications that require additional security in addition to the standard user name and password type authentication. Multifactor authentication involves more than one stage when verifying the identity of an entity attempting to access services from a server or on a network. For example, when multifactor authentication is enabled and configured, the traditional user name and password is the first factor. Additional security is enforced by adding a One Time Pin (OTP) step, or an Access Request (Push) Notification step as a second factor in the authentication process. The following sections contain more details about the Adaptive Authentication Service and Access Manager Second Factor Authentication. ■ Using the Adaptive Authentication Service ■ Working with the Adaptive Authentication Service ■ Understanding Adaptive Authentication Service and OMA Configurations ■ Configuring the Adaptive Authentication Service 35.1 Using the Adaptive Authentication Service The Adaptive Authentication Service offers the ability to add multiple steps to the authentication process. Additional security may be enforced by adding a OTP step, or an Access Request (Push) Notification step after initial user authentication. This may or may not involve the use of the Oracle Mobile Authenticator, a mobile device app that uses Time-based One Time Password and push notifications to authenticate users within the second factor authentication scheme. installing Oracle Adaptive Access Manager is not required since the Adaptive Authentication Service uses a set of libraries that makes a OTP step feasible using the Oracle Mobile Authenticator. Note: The Adaptive Authentication Service has to be licensed and explicitly enabled in order to use it. Once the proper product license is procured you can enable the Adaptive Authentication Service using the Oracle Access Management Console. From the Oracle Access Management Console, the Adaptive Authentication Service can be enabled or disabled from the Available Services link on the Configuration Launch Pad. These section links contain more details. Introducing the Adaptive Authentication Service 35-1 Working with the Adaptive Authentication Service ■ Section 3.2, "Enabling or Disabling Available Services" ■ Section 2.4, "Understanding the Oracle Access Management Console" For an introduction to the Adaptive Authentication Service and how it works, see the next section, Working with the Adaptive Authentication Service. 35.2 Working with the Adaptive Authentication Service The Adaptive Authentication Service offers second factor authentication. This second factor can be a One Time Pin (OTP) or an Access Request (or push) Notification. After an initial successful user/password authentication, a Second Factor Authentication page is displayed from which the user selects their preferred method of second factor authentication. The options are: ■ OTP from Oracle Mobile Authenticator ■ OTP through SMS ■ OTP through Email ■ Access Request Notification from Oracle Mobile Authenticator Figure 35–1 is a screenshot of the Second Factor Authentication page in which the user has selected the OTP Through Email option. In this case, the user receives the OTP via a configured Email address. Figure 35–1 Second Factor Authentication Preferred Method Page If the selected option is either OTP From Oracle Mobile Authenticator or Access Request Notification from Oracle Mobile Authenticator, the Adaptive Authentication Service works in tandem with the Oracle Mobile Authenticator (OMA), a mobile device app that uses Time-based One Time Password and push notifications to authenticate users within the second factor authentication scheme. In advance of using the OTP from OMA or Access Request Notification from OMA options, a user must download a supported authenticator app to a mobile device (for example, Oracle Mobile Authenticator to an Apple iPhone) and configure it by clicking a link provided by the Access Manager administrator. (The OMA app is not needed if using the OTP through Email or OTP through SMS options.) 35-2 Administrator's Guide for Oracle Access Management Working with the Adaptive Authentication Service The Oracle Mobile Authenticator mobile device app must be configured to retrieve a secret key required to generate a OTP. Information on the secret key is in Section 35.4.1, "Generating a Secret Key for the Oracle Mobile Authenticator." Information on configuring the OMA is in Chapter 36, "Configuring the Oracle Mobile Authenticator." Note: The following sections contain more details on each option and how the Oracle Mobile Authenticator works. ■ Understanding the One Time Password Option ■ Understanding the Access Request (Push) Notification Option ■ Using the Oracle Mobile Authenticator with OTP And Access Request 35.2.1 Understanding the One Time Password Option Let’s assume the Adaptive Authentication Service is enabled and configured for second factor authentication. When the user accesses a resource protected by Access Manager, a page is displayed that requests a user name and password. If these initial credentials are authenticated successfully, a Second Factor Authentication Preferred Method Page page is displayed and the user selects from one of the options. In this use case, the user selects one of the OTP options and receives a OTP through SMS/Email or generated and displayed by the OMA app. The user enters the OTP in the OTP login page. Figure 35–2 is a screenshot of the OTP login page. Figure 35–2 One Time Password Login Page Once the OTP is successfully validated by Access Manager, the user will be directed to the protected resource. On failure of any of the OTP options, an error message will be displayed, and the user will be returned to the same OTP page. Introducing the Adaptive Authentication Service 35-3 Working with the Adaptive Authentication Service Access Manager validates the OTP using the Time-based One Time Password (TOTP) algorithm. TOTP is a two-factor authentication scheme specified by the Internet Engineering Task Force (IETF) under RFC 6238 and used by the Adaptive Authentication Service. TOTP is an extension of the HMAC-based One Time Password algorithm and supports a time-based moving factor (a value that must be changed each time a new password is generated). Note: The following sections have additional details on how the user may receive the OTP. ■ Using OTP through Email/SMS ■ Using OTP from Oracle Mobile Authenticator 35.2.1.1 Using OTP through Email/SMS In cases where OTP through Email or SMS is chosen, Access Manager will send a OTP to the configured email address or phone number respectively. The user then enters the received OTP and Access Manager will validate it. On a successful validation, the user will be directed to the protected resource. The Adaptive Authentication Service expects that the required email address or phone number is configured in the appropriate field as documented in Configuring the Adaptive Authentication Plug-in. When using the OTP with Email or SMS option, the OTP is accessible from any device where the email address can be accessed or from the SMS app associated with the specified phone number, respectively. The OMA mobile app is not used for the OTP through Email or OTP through SMS options. Note: 35.2.1.2 Using OTP from Oracle Mobile Authenticator In the use case where a OTP will be generated and displayed by the OMA app on a mobile device, the app must be configured with the Access Manager server details. Following this configuration, the user authenticates with Access Manager using the proper credentials and Access Manager will return a secret key. This secret key is unique to each user and known only to Access Manager and the OMA. The secret key is used to generate the OTP. See Section 35.4.1, "Generating a Secret Key for the Oracle Mobile Authenticator" for information on how to populate this secret key with the required data. After Access Manager generates a OTP for the user using the secret key, the OTP is pushed to the OMA. The user then enters the OTP in the One Time Pin Login Page. If the OTP generated by Access Manager matches the OTP entered by the user, access to the protected resource is allowed. If the OTP entries do not match, access is not allowed. See Using the Oracle Mobile Authenticator with OTP And Access Request for more details. The OMA refreshes the OTP every 30 seconds so the OTP entered by a user is valid only for that period of time. Note: 35.2.2 Understanding the Access Request (Push) Notification Option Again let’s assume the Adaptive Authentication Service is enabled and configured for second factor authentication. When the user accesses a resource protected by Access 35-4 Administrator's Guide for Oracle Access Management Working with the Adaptive Authentication Service Manager, a page is displayed that requests a user name and password. If these initial credentials are authenticated successfully, a Second Factor Authentication Preferred Method Page page is displayed and the user selects from one of the options. In this use case, the user selects Access Request Notification from Oracle Mobile Authenticator. Note: This is a push notification option which works in tandem with the OMA. See Using the Oracle Mobile Authenticator with OTP And Access Request for more details. Figure 35–3 is a screenshot of the Second Factor Authentication Preferred Method Page with Access Request Notification selected. Figure 35–3 Access Request Notification Preferred Method Page When the user selects Access Request Notification from the Second Factor Authentication Preferred Method Page, Access Manager sends an Access Request Notification to either the Apple Push Notification Server or the Google Notification Server depending upon the user’s configured device. The notification server then pushes a notification to the mobile device and the user will approve or deny it. Based on a successful response, the user will be directed to the protected resource. On failure, an error message will be displayed and the user will be returned to the same OTP page. Figure 35–4 is a screenshot of the Access Request Notification message displayed during this process. Introducing the Adaptive Authentication Service 35-5 Understanding Adaptive Authentication Service and OMA Configurations Figure 35–4 Access Request Notification Wait Screen 35.2.3 Using the Oracle Mobile Authenticator with OTP And Access Request Depending on the selected option, the Adaptive Authentication Service will need to work in tandem with the Oracle Mobile Authenticator (OMA), a mobile device app that uses Time-based One Time Password and push notifications to authenticate users with the second factor authentication scheme. To receive the OTP or Access Request Notification using the OMA, a user downloads it to an Apple or Android mobile device and configures it by clicking a link provided by the Access Manager administrator. Access Manager and OMA must share a secret key. See Section 35.4.1, "Generating a Secret Key for the Oracle Mobile Authenticator" for details on the secret key. For information on configuring OMA, see Chapter 36, "Configuring the Oracle Mobile Authenticator." The OMA app is not needed if using the OTP through Email or OTP through SMS options as discussed in Using OTP through Email/SMS. Note: 35.3 Understanding Adaptive Authentication Service and OMA Configurations You need to configure the Adaptive Authentication Service and, depending on the option, the OMA. ■ ■ To configure the Adaptive Authentication Service, perform the procedures documented in Section 35.4, "Configuring the Adaptive Authentication Service." For information on configuring the OMA, see Chapter 36, "Configuring the Oracle Mobile Authenticator." 35.4 Configuring the Adaptive Authentication Service The following configurations are for using the Adaptive Authentication Service. It is assumed that you have installed Access Manager, a WebGate and Oracle HTTP Server (OHS). Some of these configurations are specific to one or the other Adaptive Authentication Service options. ■ Generating a Secret Key for the Oracle Mobile Authenticator 35-6 Administrator's Guide for Oracle Access Management Configuring the Adaptive Authentication Service ■ Configuring Mobile OAuth Services to Protect the Secret Key ■ Configuring the Adaptive Authentication Plug-in ■ Setting Credentials for UMS, iOS and Android ■ Creating a Java KeyStore for iOS Access Request (Push) Notifications ■ Configuring Host Name Verifier for Android Access Request (Push) Notifications ■ Configuring Access Manager for VPN Use Case 35.4.1 Generating a Secret Key for the Oracle Mobile Authenticator A secret key needs to be shared between Access Manager and the OMA app. Businesses can generate secret keys in different ways so the means in which the secret key is generated is not important. The following RESTful endpoint is used to generate the secret key for a user in the Oracle Access Management identity store. http://:/ms_oauth/resources/userprofile/secretkey In the case of OMA online configuration (which is Oracle’s recommended method of configuration), OMA uses the RESTful endpoint to store the key for a user in the identity store. In the cases of OMA manual configuration or Google Authenticator, the administrator sets up a web application which allows the user to generate a secret key also using above mentioned RESTful endpoint. The secret key is stored as a String in an LDAP attribute in the identity store and the name of this attribute must is passed to the business in the RESTful endpoint configuration before they generate the secret key. For more details, see Section 36.1, "Understanding Oracle Mobile Authenticator Configuration." 35.4.2 Configuring Mobile OAuth Services to Protect the Secret Key Using the Oracle Access Management Console, follow this procedure to enable the Mobile and Social Service and update the User Profile Service to protect the REST Secret Key endpoint using the Basic Authentication Scheme. 1. From the Configuration Launch Pad, click Available Services. 2. Click Enable to enable Mobile and Social, if not already. 3. From the Mobile Security Launch Pad, click Mobile OAuth Services. 4. Click DefaultDomain under Mobile OAuth Identity Domains. 5. From the Resource Servers tab, click UserProfile under User Profile Services. 6. Expand the Resource URIs. 7. From the /secretkey tab, expand Attributes. 8. Change the value of basicauth.allowed to true. 9. Click Apply. 35.4.3 Configuring the Adaptive Authentication Plug-in Access Manager provides the Adaptive Authentication Plug-in to be used for two-factor authentication. Use this procedure to configure the Adaptive Authentication Plug-in using the Oracle Access Management Console. 1. Login to the Oracle Access Management Console as System Administrator. Introducing the Adaptive Authentication Service 35-7 Configuring the Adaptive Authentication Service 2. From the Application Security Launch Pad, click Authentication Plug-ins in the Plug-ins panel. 3. From the Authentication Plug-in tab, type Adaptive in the quick search box above the Plug-in Name column and hit Enter. The AdaptiveAuthenticationPlugin is displayed. 4. Change the properties displayed under Plug-in Details: AdaptiveAuthenticationPlugin as applicable to your environment. Table 35–1 describes the properties. Table 35–1 Adaptive Authentication Plugin Properties Property Description Default Value Required for Challenge Method IdentityStoreRef Identity store name UserIdentityStore1 All TotpSecretKeyAttribut Name of the user attribute e in which the secret key is stored. Attribute description OTP using OMA, Time based OTP TotpTimeWindow 3 OTP using OMA, Time based OTP false Access Request Notifications (iOS) The number of OTP codes generated by the mobile device that Access Manager will accept for validation. Since the mobile device generates a new OTP every 30 seconds, if the value is 3, Access Manager will accept the current and last three OTPs generated by the mobile device. PushAPNsProdServer If set to true, the APNS production server will be used to send notifications. PushProxyHost Name of the proxy host if notifications are to sent to the server using a proxy. PushProxyPort Proxy port if notifications are to sent to the server using a proxy. 80 Access Request Notifications PushProxyProtocol Proxy protocol https:// Access Request Notifications UmsAvailable When Adaptive false Authentication Service requires UMS to send Email and SMS, set to true. SMS, Email UmsClientUrl URL of UMS web service SMS, Email PhoneField Attribute in the identity store where the user phone number is stored mobile SMS EmailField Attribute in the identity store where the user email address is stored mail Email 35-8 Administrator's Guide for Oracle Access Management Access Request Notifications Configuring the Adaptive Authentication Service Table 35–1 (Cont.) Adaptive Authentication Plugin Properties Property Description Default Value Totp_Enabled Controls the options displayed in the UI. If enabled and user is not registered for Push, not setup for TOTP, or doesn’t have email/phone populated in id store, those options won’t be displayed. For example if user has not registered for TOTP and Push but has email populated then Email will be the only option shown. true Email_Enabled Sms_Enabled Push_Enabled Required for Challenge Method NOTE: Properties should be set to false only when the Administrator wants to disable a particular feature for all users. 5. Click Save. 6. Update the same properties as applicable in the AdaptiveAuthenticationModule by clicking Authentication Modules under Plug-ins in the Access Manager Launch Pad. From the Authentication Modules tab, search for AdaptiveAuthenticationModule. Not all properties listed in Table 35–1 will be available. 35.4.4 Setting Credentials for UMS, iOS and Android Use the WLST command line script to set the credentials for the Oracle User Messaging Service (UMS), the iOS certificate or the Android API key. These credentials are used by the OAM Server in the process of sending SMS/Email and push notifications. Table 35–2 contains information for the items which are needed to complete the procedure in this section. Table 35–2 Server Side Configuration for Adaptive Authentication Service Configuration Information Challenge Method iOS Certificate/Password https://developer.apple.com/libr Access Request (Push) ary/mac/documentation/Networking notification using iOS Internet/Conceptual/RemoteNotifi cationsPG/Chapters/ApplePushServ ice.html API Key https://developers.google.com/we Access Request (Push) b/updates/2015/03/push-notificat notification using Android ons-on-the-open-web?hl=en UMS Credential UMS credentials that OAM will use to establish the connection to UMS Web service. Email/SMS 1. cd /oracle_common/common/bin 2. ./wlst.sh 3. connect() 4. Enter the WebLogic user name and password when prompted. 5. Press Enter to accept the default URL or modify the host and port as necessary and press Enter. Introducing the Adaptive Authentication Service 35-9 Configuring the Adaptive Authentication Service 6. Run one or more of the following commands to set credentials for the UMS server, iOS or Android depending on your deployment. Replace , , and with values specific to your environment. Do not change the values for any parameters in these commands but those listed and marked as variables. Note: ■ For OTP for email/SMS only: createCred(map="OAM_CONFIG", key="umsKey", user="", password="") For example: createCred(map="OAM_CONFIG", key="umsKey", user="weblogic", password="password") ■ For Access Request (Push) Notifications on iOS only: createCred(map="OAM_CONFIG", key="pushApnsCertKey", user="apnskey", password="") For example: createCred(map="OAM_CONFIG", key="pushApnsCertKey", user="apnskey", password="password") See Creating a Java KeyStore for iOS Access Request (Push) Notifications for additional information when using iOS. ■ For Access Request (Push) Notifications on Android only: createCred(map="OAM_CONFIG", key="omaApiKey", user="omaApiKey", password="") For example: createCred(map="OAM_CONFIG", key="omaApiKey", user="omaApiKey", password="ADDGFDGDFGRTERSDFSDFSDFTYERTERTASDASDASD") 7. Verify the keys by logging into Fusion Middleware Control, navigating to Domain > Security > Credentials, and checking the OAM_CONFIG map for the keys input using the commands. For information on how to update, delete or otherwise manage credentials using Fusion Middleware Control, see Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services. Note: 35.4.5 Creating a Java KeyStore for iOS Access Request (Push) Notifications When using Access Request Notifications on iOS, create a Java KeyStore (JKS) by using the cert file and key file. Once the JKS is created, rename it as APNsCertificate.jks and put it in the /config/fmwconfig directory of the Oracle Access Management installation. 35-10 Administrator's Guide for Oracle Access Management Configuring the Adaptive Authentication Service The JKS should contain the user's locally generated private key and the Apple Push Notification service (APNs) certificate downloaded from the Apple Developer Center. The following sample commands generate and import the certificate. openssl x509 -in aps_production.cer -inform DER -out aps_production.pem -outform PEM openssl pkcs12 -nocerts -in OMAKey.p12 -out OMAKey.pem openssl pkcs12 -export -inkey OMAKey.pem -in aps_production.pem -out iOS_prod.p12 keytool -import -keystore APNsCertificate.jks -file aps_production.cer -alias PushCert keytool -importkeystore -destkeystore APNsCertificate.jks -deststoretype JKS -srcstoretype PKCS12 -srckeystore iOS_prod.p12 These commands assume: ■ ■ aps_production.cer to be the name of the APNs certificate downloaded from the Apple Developer Center. OMAKey.p12 is the user's locally generated private key. Also see Setting Credentials for UMS, iOS and Android. The section Maintain Your Certificates, Identifiers, and Profiles at the following Apple URL provides relevant information about app distribution certificates and APNs. https://developer.apple.com/library/ios/documentation/IDEs/C onceptual/AppDistributionGuide/Introduction/Introduction.htm l Note: 35.4.6 Configuring Host Name Verifier for Android Access Request (Push) Notifications If you are setting up Android for Access Request notification, use the WebLogic console to update the WebLogic Managed Server for host name verification. This step is required for Access Request notification configuration on Android only. It allows the verification of host names represented using wildcards; for example, *.googleapis.com. 1. Navigate to base_domain -> Summary of Environment -> Summary of Servers -> oam_server1. 2. Click the SSL tab. 3. Expand Advanced and select the Hostname verification entry to configure the Hostname Verifier. 4. Enter weblogic.security.utils.SSLWLSWildcardHostnameVerifier as the Custom Hostname Verifier. 5. Click Save. 6. Restart the oam_server1. 35.4.7 Configuring Access Manager for VPN Use Case This use case procedure illustrates how to configure Access Manager when a user will be accessing a protected resource using VPN software. Introducing the Adaptive Authentication Service 35-11 Configuring the Adaptive Authentication Service 1. Login to the Oracle Access Management Console as System Administrator. 2. From the Application Security Launch Pad, click Application Domains in the Access Manager panel. The Application Domain tab is displayed. 3. Click Search to display all available Application Domains. 4. Click the Application Domain name that contains the resource being protected. The Application Domain opens in a new tab. 5. Click Authentication Policies in the Application Domain tab. 6. Click the name of the Authentication Policy that is being used to protect the particular resource for which two factor authentication is being configured. The appropriate Authentication Policy opens in a new tab. 7. Click Advanced Rules in the Authentication Policy tab. 8. Add a new rule by clicking the plus sign (+) under Post Authentication. The Add Rule dialog is displayed. 9. Enter a Rule Name and the following jython script. location.clientIP.startswith(’10.’) See Section 22.10.2, "Using Context Data for Advanced Rules" for details. 10. Select the AdaptiveAuthenticationScheme Authentication Scheme from the If Condition is True drop-down list. This Authentication Scheme will be used when the defined condition is true. 11. Click Add and then Apply to complete the procedure. 35-12 Administrator's Guide for Oracle Access Management 36 Configuring the Oracle Mobile Authenticator 36 [26The ] Oracle Mobile Authenticator is a mobile device app that uses Time-based One Time Password (TOTP) and push notifications to authenticate users with a two-factor authentication scheme. The Oracle Mobile Authenticator mobile device app must be configured to retrieve the secret key required to generate a One Time Password (OTP). The following sections contain configuration details when using the Oracle Mobile Authenticator app on an iOS or Android mobile device. ■ Understanding Oracle Mobile Authenticator Configuration ■ Using the Oracle Mobile Authenticator App on iOS ■ Using the Oracle Mobile Authenticator App on Android ■ Configuring the Google Authenticator App ■ Using a QR Code for Configuration 36.1 Understanding Oracle Mobile Authenticator Configuration The Oracle Mobile Authenticator (OMA) app can retrieve a secret key required to generate a OTP or register with Access Manager to receive push notifications. Provisioning the secret key can be done online or offline however registering for push notifications can only be done while online. Note: For details on the secret key, see Section 35.4.1, "Generating a Secret Key for the Oracle Mobile Authenticator." ■ Online Configuration uses the REST web services and the Mobile OAuth Services described in Section 35.4.1, "Generating a Secret Key for the Oracle Mobile Authenticator" and Section 35.4.2, "Configuring Mobile OAuth Services to Protect the Secret Key." Once enabled, the OMA app can invoke this service to get a secret key or register for push notifications. To invoke the REST web services, OMA needs to know its location URL. In this case, the Oracle Access Management administrator creates a web page to configure the OMA. When the user taps on the web page’s link (provided via e-mail), it launches the OMA, passes the location URL to the app and the REST web services location is configured. The format of the location URL is as follows. oraclemobileauthenticator://settings?ServiceName::= &ServiceType::=SharedSecret/Notification/Both& SharedSecretAuthServerType::=HTTPBasicAuthentication/OAuthAuthentication &LoginURL::=http://:/secretKeyURL &NotificationAuthServerType::= HTTPBasicAuthentication Configuring the Oracle Mobile Authenticator 36-1 Understanding Oracle Mobile Authenticator Configuration &PushPreferencesEndpoint::=http://:/preferencesURL &ChallengeAnswerEndpoint::=http://:/challengeAnswerURL &SenderID::= &OAuthClientID::= &OAMOAuthServiceEndpoint::=http://:/oauthserviceURL &OAuthScope::= Table 36–1 documents definitions for the location URL parameters. Table 36–1 Location URL Parameter Definitions Parameter Definition ServiceName Name of the service. This name should be unique in OMA. If another configuration with same name is sent then it will prompt the user to overwrite the previous one ServiceType The type of service provided by this configuration i.e. one-time password, notification or a hybrid service which combines both one-time password and notification. Value can be SharedSecret, Notification or Both. SharedSecretAuthServerType The type of authentication by which shared secret provisioning REST endpoint is protected. Value can be HTTPBasicAuthentication or OAuthAuthentication. LoginURL The REST endpoint that provisions the shared secret for generating one-time passwords. The value specified for the LoginURL query parameter is based on the OAuth settings for Oracle Mobile Authenticator. NotificationAuthServerType The type of authentication by which notification registration endpoint is protected. Currently only HTTP basic authentication is supported thus the value is HTTPBasicAuthentication. PushPreferencesEndpoint The REST endpoint where push notification preferences should be sent. ChallengeAnswerEndpoint The REST endpoint where push notification responses should be sent. SenderID The Android sender ID for sending push notifications. The SenderID is only required on Android; it is not required when using iOS. OAuthClientID OAuth client ID if SharedSecretAuthServerType is set for OAuth OAMOAuthServiceEndpoint OAM OAuth service endpoint to get OAuth profiles available on the server. OAuthScope The OAuth scope required to access the shared secret. Online configuration details are also documented in Configuring the Oracle Mobile Authenticator for iOS and Configuring the Oracle Mobile Authenticator for Android. OAuth configuration details are in Chapter 53, "Configuring OAuth Services." Note: ■ Oracle recommends using online configuration. Offline Configuration supports use cases in which the mobile device can not connect to the REST end point or the parameters needed to generate the OTP are different than the defaults. The Access Manager administrator sets up a web 36-2 Administrator's Guide for Oracle Access Management Using the Oracle Mobile Authenticator App on iOS application which allows the user to generate or recreate a secret key. The user logs into this web application and, after authentication, the user is allowed to view the secret key and enter it in the OMA app manually. The secret key can also be delivered via an offline configuration URL so the administrator has the option of changing the OTP generation parameters (time step, hashing algorithm and the like). The format of the offline configuration URL is: oraclemobileauthenticator://settings?SharedSecretValue::= &AccountName::=&SharedSecretEncoding::=Base32/Base64String &OTPAlgorithm::=TOTP &HashingAlgorithm::=MD5/SHA-1/SHA-224/SHA-256/SHA-384/SHA-512 &OTPLength::=&TimeStep::= Table 36–2 contains details regarding the parameters. Table 36–2 Offline Configuration URL Parameters Parameter Description SharedSecretValue Mandatory value is the secret key AcountName Prompts the user for input if omitted SharedSecretEncoding Default is Base32 OTPAlgorithm Default is TOTP Hashing Algorithm Default is SHA-1 OTPLength Default is 6 TimeStep Default is 30 sec Offline configuration details are also documented in Configuring Oracle Mobile Authenticator for Offline OTP Generation on iOS and Configuring Oracle Mobile Authenticator for Offline OTP Generation on Android. 36.2 Using the Oracle Mobile Authenticator App on iOS The following sections contain procedures for using OMA on an iOS mobile device. ■ Configuring the Oracle Mobile Authenticator for iOS ■ Initializing the Oracle Mobile Authenticator on iOS ■ Copying a One-Time Password from the Oracle Mobile Authenticator on iOS ■ Editing an Account on the Oracle Mobile Authenticator on iOS ■ Deleting an Account on the Oracle Mobile Authenticator on iOS ■ Responding to Access Request (Push) Notifications on iOS ■ Displaying Access Request (Push) Notifications History on iOS ■ Displaying Service Account Details on iOS ■ Displaying Access Manager Registered Accounts on iOS ■ Displaying the OMA Version on iOS 36.2.1 Configuring the Oracle Mobile Authenticator for iOS This procedure configures the OMA on iOS to communicate with Access Manager. A configuration URL is provided by the Access Manager administrator either by e-mail Configuring the Oracle Mobile Authenticator 36-3 Using the Oracle Mobile Authenticator App on iOS or through a web page. Details about the URL are in Understanding Oracle Mobile Authenticator Configuration. 1. Tap the configuration URL provided by the Access Manager administrator. The app will open, display a unique service name to identify this app configuration, and prompt the user to accept the new settings. 2. Tap Accept to apply the settings. The OMA is configured to communicate with Access Manager. 36.2.2 Initializing the Oracle Mobile Authenticator on iOS The OMA must authenticate and register an account with Access Manager. Be sure to complete Configuring the Oracle Mobile Authenticator for iOS before attempting these procedures. Any of the following procedures can be used to initialize the OMA. ■ Initializing the Oracle Mobile Authenticator for OTP Generation on iOS ■ Adding a OTP Generation Account Manually on iOS ■ ■ ■ Initializing Oracle Mobile Authenticator for Access Request (Push) Notifications Using Apple Push Notifications Initializing Oracle Mobile Authenticator for Access Request (Push) Notifications and OTP Generation on iOS Configuring Oracle Mobile Authenticator for Offline OTP Generation on iOS 36.2.2.1 Initializing the Oracle Mobile Authenticator for OTP Generation on iOS Once authenticated, the app receives a key from the server that will be used to generate the OTP. 1. Tap the Sign In button. The login screen will appear. 2. Select the OTP service name for which you are configuring second factor authentication. This is the unique service name defined in Configuring the Oracle Mobile Authenticator for iOS. 3. Enter your user name and password and tap Submit. If login is successful, you will be taken to the OTP screen for the newly added account. If login is successful but an account with the same user name for the same service already exists, you will be asked to enter a different user name. Once the user name is unique, you will be taken to the OTP screen. 36.2.2.2 Adding a OTP Generation Account Manually on iOS You can manually configure a OTP account by entering a unique account name and key. This is the same account that would be created automatically in Initializing the Oracle Mobile Authenticator for OTP Generation on iOS. 1. Tap Enter Provided Key. 2. Enter a unique account name and key. If the name and key are valid, you will be taken to OTP screen for your new account. If the name is not unique or the key is not valid, you will be prompted to enter the information again. 36-4 Administrator's Guide for Oracle Access Management Using the Oracle Mobile Authenticator App on iOS 36.2.2.3 Initializing Oracle Mobile Authenticator for Access Request (Push) Notifications Using Apple Push Notifications The OMA must have the user’s consent to receive push notifications. It must also register successfully with the Apple Push Notification Servers and get a unique device token. Afterwards, the OMA can register with Access Manager to receive push notifications. 1. Tap the Sign In button. The login screen will appear. 2. Select the Push Notification service name for which you are configuring second factor authentication. This is the unique service name defined in Configuring the Oracle Mobile Authenticator for iOS. 3. Enter your user name and password and tap Submit. If authentication and registration is successful, you will be taken to the Accounts page which will display all the accounts that have been configured for Push Notifications. 36.2.2.4 Initializing Oracle Mobile Authenticator for Access Request (Push) Notifications and OTP Generation on iOS The OMA must have the user’s consent to receive push notifications. It must also register successfully with the Apple Push Notification Servers and get a unique device token. Afterwards, the OMA can register with Access Manager to receive push notifications. 1. Tap the Sign In button. The login screen will appear. 2. Select the service name for which you are configuring second factor authentication. This is the unique service name defined in Configuring the Oracle Mobile Authenticator for iOS. 3. Enter your user name and password and tap Submit. If authentication and registration is successful, you will be taken to the OTP screen for the newly added account. If login is successful but a OTP account with the same user name for the same service already exists, you will be asked to enter a different user name. Once the user name is unique you will be taken to the OTP screen. Note that the newly added account will have small globe icon on the top left corner signifying that this account is also configured for push notifications. 36.2.2.5 Configuring Oracle Mobile Authenticator for Offline OTP Generation on iOS The OMA can also be configured with a URL that contains the key used for generating a OTP. This allows for OTP generation when the mobile app is offline. This configuration URL contains the secret key so it should be delivered on a secure channel. 1. Tap on the offline configuration URL. This will open the OMA. If there are no OTP accounts configured with the same user name defined by the URL, the account will be added and the user will be Configuring the Oracle Mobile Authenticator 36-5 Using the Oracle Mobile Authenticator App on iOS taken to the OTP screen. If there are user name conflicts, the user will be prompted to enter a new, unique user name. 2. Enter the displayed OTP in the corresponding login page to complete authentication. 36.2.3 Copying a One-Time Password from the Oracle Mobile Authenticator on iOS Use this procedure to copy a OTP from the OMA. 1. Tap on the account from which you want to copy the OTP. The Edit, Copy and Delete icons are displayed. 2. Tap the Copy icon on the left to copy the one-time password to the clipboard. 3. Paste the one-time password in the corresponding login page to complete authentication. 36.2.4 Editing an Account on the Oracle Mobile Authenticator on iOS Use this procedure to edit an account on the OMA. 1. Tap on the account you want to edit. The Edit, Copy and Delete icons are displayed. 2. Tap the Edit icon in the middle to edit an account. A new screen in which you can edit the user name and secret key is displayed. 3. Edit the name and/or key. 4. Tap Update Account to complete the modification. 36.2.5 Deleting an Account on the Oracle Mobile Authenticator on iOS Use this procedure to delete an account on the OMA. 1. Tap on the account you want to delete. The Edit, Copy and Delete icons are displayed. 2. Tap the Delete icon on the right to delete an account. You will be prompted for confirmation. 3. Tap Delete to confirm and delete. 36.2.6 Responding to Access Request (Push) Notifications on iOS The OMA can receive push notifications from Access Manager if the push notification option is selected when configuring two factor authentication. An administrator can use this procedure to respond to the notifications received on the mobile device. 1. Tap the notification alert on the mobile device. The OMA app will come to the foreground and display notification details. This includes a user name, the resource being accessed, access time and IP address. A timer depicting how much time you have to respond to this notification is also displayed. 2. Tap Allow or Deny to control access to the resource. 36-6 Administrator's Guide for Oracle Access Management Using the Oracle Mobile Authenticator App on Android OMA will send the resource to Access Manager and remove the notification information screen. 36.2.7 Displaying Access Request (Push) Notifications History on iOS You can see the notifications which were received by the OMA and the decision taken for that particular access request. 1. Tap on three dots icon in the top left corner. 2. Tap on Notifications button. All the notifications that have been received by Oracle Mobile Authenticator will be shown. 3. Tap on any of the notifications to see the details. 36.2.8 Displaying Service Account Details on iOS You can display the services with which the OMA has been configured. This corresponds to the unique service name defined in Configuring the Oracle Mobile Authenticator for iOS. 1. Tap the three dots icon in the top left corner. 2. Tap the Configurations button. All the services that have been configured using this OMA will be displayed. 3. Tap a specific configuration to display the details. A screen will be displayed that will show all the details of the selected configuration. You can swipe from right to left to delete the configuration. 36.2.9 Displaying Access Manager Registered Accounts on iOS You can see all the accounts that are added to the OMA and check the account type (OTP, notification or a combination of both). This corresponds to accounts configured using one of the procedures in Initializing the Oracle Mobile Authenticator on iOS. 1. Tap the three dots icon in the top left corner. 2. Tap the Accounts button. All the accounts that currently exist in the OMA will be displayed. Swipe from right to left to delete any account. 36.2.10 Displaying the OMA Version on iOS You can display the version number of the OMA running on your mobile device. 1. Tap the three dots icon in the top left corner. 2. Tap the About button. An alert will display the OMA version. 36.3 Using the Oracle Mobile Authenticator App on Android The following sections contain procedures for using OMA on an Android mobile device. ■ Configuring the Oracle Mobile Authenticator for Android Configuring the Oracle Mobile Authenticator 36-7 Using the Oracle Mobile Authenticator App on Android ■ Initializing the Oracle Mobile Authenticator on Android ■ Copying a One-Time Password from the Oracle Mobile Authenticator on Android ■ Editing an Account on the Oracle Mobile Authenticator on Android ■ Deleting an Account on the Oracle Mobile Authenticator on Android ■ Responding to Access Request (Push) Notifications on Android ■ Displaying Access Request (Push) Notifications History on Android ■ Displaying Service Account Details on Android ■ Displaying Access Manager Registered Accounts on Android ■ Displaying the OMA Version on Android 36.3.1 Configuring the Oracle Mobile Authenticator for Android This procedure configures the OMA on Android to communicate with Access Manager. A configuration URL is provided by the Access Manager administrator either by e-mail or through a web page. Details about the URL are in Understanding Oracle Mobile Authenticator Configuration. 1. Tap the configuration URL provided by the Access Manager administrator. The app will open, display a unique service name to identify this app configuration, and prompt the user to accept the new settings. 2. Tap Accept to apply the settings. The OMA is configured to communicate with Access Manager. 36.3.2 Initializing the Oracle Mobile Authenticator on Android The OMA must authenticate and register an account with Access Manager. Be sure to complete Configuring the Oracle Mobile Authenticator for Android before attempting these procedures. Any of the following procedures can be used to initialize the OMA. ■ Initializing the Oracle Mobile Authenticator for OTP Generation on Android ■ Adding a OTP Generation Account Manually on Android ■ ■ ■ Initializing Oracle Mobile Authenticator for Access Request (Push) Notifications Using Google Cloud Messaging Initializing Oracle Mobile Authenticator for Access Request (Push) Notifications and OTP Generation on Android Configuring Oracle Mobile Authenticator for Offline OTP Generation on Android 36.3.2.1 Initializing the Oracle Mobile Authenticator for OTP Generation on Android Once authenticated, the app receives a key from the server that will be used to generate the OTP. 1. Tap the Sign In button. The login screen will appear. 2. Select the service name for which you are configuring second factor authentication. This is the unique service name defined in Configuring the Oracle Mobile Authenticator for Android. 36-8 Administrator's Guide for Oracle Access Management Using the Oracle Mobile Authenticator App on Android 3. Enter your user name and password and tap Submit. If login is successful, you will be taken to the OTP screen for the newly added account. If login is successful but an account with the same user name for the same service already exists, you will be asked to enter a different user name. Once the user name is unique, you will be taken to the OTP screen. 36.3.2.2 Adding a OTP Generation Account Manually on Android You can manually configure a OTP account by entering a unique account name and key. This is the same account that would be created automatically in Initializing the Oracle Mobile Authenticator for OTP Generation on Android. 1. Tap Enter Provided Key. 2. Enter a unique account name and key. If the name and key are valid, you will be taken to OTP screen for your new account. If the name is not unique or the key is not valid, you will be prompted to enter the information again. 36.3.2.3 Initializing Oracle Mobile Authenticator for Access Request (Push) Notifications Using Google Cloud Messaging The OMA must register successfully with the Google Cloud Messaging (Push Notification) servers and get a unique registration token. This registration token is sent to Access Manager to complete the push notification setup. Once complete, the OMA can register with Access Manager to receive push notifications. 1. Tap the Sign In button. The login screen will appear. 2. Select the service name for which you are configuring second factor authentication. This is the unique service name defined in Configuring the Oracle Mobile Authenticator for Android. 3. Enter your user name and password and tap Submit. If authentication and registration is successful, you will be taken to the Accounts page which will display all the accounts that have been configured for Push Notifications. 36.3.2.4 Initializing Oracle Mobile Authenticator for Access Request (Push) Notifications and OTP Generation on Android The OMA must register successfully with the Google Cloud Messaging (Push Notification) Servers and get a unique registration token. This registration token is sent to Access Manager to complete the push notification setup. Afterwards, the OMA can register with Access Manager to receive push notifications. 1. Tap the Sign In button. The login screen will appear. 2. Select the service name for which you are configuring second factor authentication. This is the unique service name defined in Configuring the Oracle Mobile Authenticator for Android. 3. Enter your user name and password and tap Submit. Configuring the Oracle Mobile Authenticator 36-9 Using the Oracle Mobile Authenticator App on Android If authentication and registration is successful, you will be taken to the OTP screen for the newly added account. If login is successful but a OTP account with the same user name for the same service already exists, you will be asked to enter a different user name. Once the user name is unique you will be taken to the OTP screen. Note that the newly added account will have small globe icon on the top left corner signifying that this account is also configured for push notifications. 36.3.2.5 Configuring Oracle Mobile Authenticator for Offline OTP Generation on Android The OMA can also be configured with a URL that contains the key used for generating a OTP. This allows for OTP generation when the mobile app is offline. This configuration URL contains the secret key so it should be delivered on a secure channel. 1. Tap on the offline configuration URL. This will open the OMA. If there are no OTP accounts configured with the same service name defined by the URL, the account will be added and user will be taken to the OTP screen. If there are user name conflicts, the user will be prompted to enter a new, unique service name. 2. Enter the displayed OTP in the corresponding login page to complete authentication. 36.3.3 Copying a One-Time Password from the Oracle Mobile Authenticator on Android Use this procedure to copy a OTP from the OMA. 1. Long press on the account from which you want to copy the OTP. Three icons are displayed in the top/ action bar. 2. Tap the Copy icon on the left to copy the one-time password to the clipboard. 3. Paste the one-time password in the corresponding login page to complete authentication. 36.3.4 Editing an Account on the Oracle Mobile Authenticator on Android Use this procedure to edit an account on the OMA. 1. Long press on the account you want to edit. Three icons are displayed in the top/ action bar. 2. Tap the Edit icon in the middle to edit an account. A new screen in which you can edit the user name and secret key is displayed. 3. Edit the name and/or key. 4. Tap Save to complete the modification. 36.3.5 Deleting an Account on the Oracle Mobile Authenticator on Android Use this procedure to delete an account on the OMA. 1. Long press on the account you want to delete. Three icons are displayed in the top/ action bar. 2. Tap the Delete icon on the right to delete an account. 36-10 Administrator's Guide for Oracle Access Management Using the Oracle Mobile Authenticator App on Android You will be prompted for confirmation. 3. Tap Delete to confirm and delete. 36.3.6 Responding to Access Request (Push) Notifications on Android The OMA can receive push notifications from Access Manager if the push notification option is selected when configuring two factor authentication. An administrator can use this procedure to respond to the notifications received on the mobile device. 1. Tap the notification alert on the mobile device. The OMA app will come to the foreground and display notification details. This includes a user name, the resource being accessed, access time and IP address. A timer depicting how much time you have to respond to this notification is also displayed. 2. Tap Allow or Deny to control access to the resource. OMA will send the resource to Access Manager and remove the notification information screen. 36.3.7 Displaying Access Request (Push) Notifications History on Android You can see the notifications which were received by the OMA and the decision taken for that particular access request. 1. Tap on menu in the action bar. 2. Tap on the Notifications menu item. All the notifications that have been received by Oracle Mobile Authenticator will be shown. 3. Tap on any of the notifications to see the details. 36.3.8 Displaying Service Account Details on Android You can display the services with which the OMA has been configured. This corresponds to the unique service name defined in Configuring the Oracle Mobile Authenticator for Android. 1. Tap on menu in the action bar. 2. Tap the Configurations menu item. All the services that have been configured using this OMA will be displayed. 3. Tap a specific configuration to display the details. A screen will be displayed that will show all the details of the selected configuration. You can select each configuration to see the details. You can delete a configuration by selecting the delete item from the menu items in the action bar. 36.3.9 Displaying Access Manager Registered Accounts on Android You can see all the accounts that are added to the OMA and check the account type (OTP, notification or a combination of both). This corresponds to accounts configured using one of the procedures in Initializing the Oracle Mobile Authenticator on Android. 1. Tap on the menu in the action bar. Configuring the Oracle Mobile Authenticator 36-11 Configuring the Google Authenticator App 2. Tap the Accounts menu item. All the accounts that currently exist in the OMA will be displayed. You can long press on an account to edit or delete it. 36.3.10 Displaying the OMA Version on Android You can display the version number of the OMA running on your mobile device. 1. Tap the menu in the action bar. 2. Tap the About menu item to display the OMA version. 36.4 Configuring the Google Authenticator App The Google Authenticator app only supports manual configuration. To initiate configuration in the Google Authenticator app, the user creates an account for two-factor authentication using the app. After account creation, the user manually enters the secret key received from the resource owner. (For details on the secret key, see Section 35.4.1, "Generating a Secret Key for the Oracle Mobile Authenticator.") Additionally, ensure that TOTP is enabled at the bottom of the Google Authenticator screen. Google Authenticator generates the OTP code in an offline, disconnected mode; it does not interact with Access Manager. 36.5 Using a QR Code for Configuration A Quick Response (QR) code can be used to configure the OMA. The OMA scans the QR code for either online configuration or offline configuration details. ■ ■ In the case of online configuration, it gets the URL against which the user will be authenticated and registers the OMA app for said user. After a successful authentication and registration, the OMA gets the shared secret from the OAM server to generate the TOTP. In the case of offline configuration, it is assumed that the customer develops a web application and a user is authenticated by said application. The OMA scans the QR code which must have the shared secret, shared secret encoding information and optionally the OTP validity duration, the hashing algorithm to be used for TOTP or the length of the OTP (5 digits/6 digits). The QR code needs to be created from any of the following configuration URLs. ■ ■ ■ oraclemobileauthenticator://settings?LoginURL::=http://OAMhost:port//ms_ oauth/resources/userprofile/secretkey oraclemobileauthenticator://settings?AuthServerType::=HTTPBasicAuthentication& &LoginURL::=http://OAMhost:port/ms_ oauth/resources/userprofile/secretkey&&ServiceName::=MyBank oraclemobileauthenticator://settings?AuthServerType::=OAuthAuthentication&&Lo ginURL::=http://OAMhost:port/ms_ oauth/resources/userprofile/secretkey&&ServiceName::=OAuth&&OAuthClient ID::=8d91cb4821dd417286ca973045e9e25a&&OAMOAuthServiceEndpoint::=http: //OAMhost:port/ms_oauth/oauth2/endpoints/oauthservice The mobile phone user needs to go to the "Add Account" screen and select the "Scan a barcode" option. After positioning the QR code in front of the phone’s camera, the OMA app will update its configuration. See "Understanding Oracle Mobile Authenticator Configuration" for additional configuration URLs. 36-12 Administrator's Guide for Oracle Access Management Part IX Part IX Managing Oracle Access Management Identity Federation Part VII contains the following chapters: ■ Chapter 37, "Introducing Identity Federation in Oracle Access Management" ■ Chapter 38, "Managing Identity Federation Partners" ■ Chapter 39, "Managing Settings for Identity Federation" ■ Chapter 40, "Managing Federation Schemes and Policies" 37 Introducing Identity Federation in Oracle Access Management 37 [27A ] federation is defined as "an association formed by merging several groups or parties". A federated environment (as defined in the identity management realm) is one in which organizations that provide services and identity data (business partners) have established trust in order to share access to a set of protected resources while protecting the same from unauthorized access. Oracle Identity Federation enables business partners to achieve this by providing the mechanism with which companies can form a federation and securely share services and data across their respective security domains. With the 11g Release 2 (11.1.2.3) of Oracle Access Management, the standalone Oracle Identity Federation product has begun it's integration with Oracle Access Manager. This chapter introduces the integrated Identity Federation and includes the following sections. ■ Integrating Identity Federation with Access Manager ■ Deploying Identity Federation with Oracle Access Management ■ Understanding How Identity Federation Works ■ Using Identity Federation ■ Initiating Federation SSO ■ Exchanging Identity Federation Data ■ Administrating Identity Federation ■ Enabling Identity Federation 37.1 Integrating Identity Federation with Access Manager The Oracle Identity Management framework supports either of the following approaches to cross-domain single sign-on. You cannot mix-and-match these approaches as each stands on its own. 1. Beginning with the 11g Release 2 (11.1.2), the Oracle Access Management Access Manager server (OAM Server) has been integrated with an Oracle Access Management Identity Federation server. All configuration for the Identity Federation server is performed using the Oracle Access Management Console. 2. Previous, separate releases of Oracle Identity Federation (11.1.1) and Oracle Access Manager can still be deployed to provide federation capabilities. Both servers must be configured and managed for this integration. This approach existed in 11g Release 1 (11.1.1) and is still available. Introducing Identity Federation in Oracle Access Management 37-1 Deploying Identity Federation with Oracle Access Management The topics in this book presume familiarity with federation and how it works. See "Introduction to Oracle Identity Federation" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation for background and conceptual information. This current document is limited to describing Oracle Identity Federation functionality as it has been integrated with Access Manager in 11g Release 2 (11.1.2.3). Note: Benefits of using the new Identity Federation 11g Release 2 (11.1.2.3) server integrated with Access Manager include: ■ ■ Eliminating the need to install and maintain separate servers. Simplifying post-install configuration of the federation features, particularly when accessing those features through the Oracle Access Management Console. ■ Improving the scalability of the two services working together. ■ Providing enhanced diagnostics and troubleshooting. 37.2 Deploying Identity Federation with Oracle Access Management From a functional perspective, the components in an 11g Release 2 (11.1.2.3) scenario using the Identity Federation service (when a user attempts to log in to a protected resource using a Web browser) include: ■ ■ ■ The Access Manager server contains all the components needed to provide access management services in the federated context, including: – a credential collector – a federation authentication plugin – the Identity Federation engine to generate and process assertions – a federation data cache Oracle WebLogic Server hosts and provides key infrastructure services, including: – the authorization engine, which interacts with Oracle Entitlement Server – federation data including circle of trust details and other configuration – the Coherence map store Data stores, including the identity store and Coherence database, maintain the identity data needed for authentication tasks. Identity Federation supports the Access Manager common user store and provides multiple identity store support. Federation data for persistent account linking can be stored in a database. Note: Calls are routine HTTP calls. 37.3 Understanding How Identity Federation Works A federation can comprise any number of identity providers and service providers. One common federated network topology is referred to as the hub-and-spoke model. In this topology, there is either a single service provider accepting authentication from multiple identity providers, or a single identity provider authenticating users for 37-2 Administrator's Guide for Oracle Access Management Using Identity Federation multiple service providers. An instance of Identity Federation in a federated network can serve as either an identity provider, a service provider, or both. ■ ■ A service provider (SP) is a commercial or not-for-profit organization that offers a web-based service such as a news portal, a financial repository, or retail outlet. When configured as the SP in a federated network and a user wants to access a resource protected by an authentication engine such as Oracle Access Manager, Identity Federation redirects the user to an IdP for global authentication. The IdP will obtain credentials, authenticate the user, and redirect the user back to the Identity Federation server instance - which retrieves the asserted identity from the IdP and redirects the authenticated user to the authentication engine which provides access to the protected resource. An identity provider (IdP) is a service provider that stores identity profiles. (Identity providers might also offer services above and beyond those related to identity profile storage.) When configured as the IdP in a federated network and a user wants to access a protected resource, the resource's SP directs the user to the Identity Federation server instance - which uses the Access Manager authentication engine to obtain credentials and authenticate the user. Following successful authentication, the Identity Federation instance can assert the user's identity to the resource's SP - which then authenticates the user itself and provides access to the requested resource. The integrated Identity Federation server can operate as an IdP or an SP. See Chapter 38, "Managing Identity Federation Partners" for information on configuring Identity Federation to operate in one of these provider modes and communicate with remote partners in the federation. If the Administrator terminates a user session using the Oracle Access Management Console, the logout is not propagated to any remote identity providers involved in the session. This could result in a logged-out user being automatically re-authenticated to Access Manager through Identity Federation. Note: 37.4 Using Identity Federation In SP-initiated SSO, the federated SSO process begins when the SP sends an authentication request to the IdP. In IdP-initiated SSO, the IdP sends the SP an unsolicited assertion response (in the absence of an authentication request from the SP). Supported runtime flows in both modes include SSO, Logout (initiated from a remote federation partner or Access Manager protected application) and Attribute Query. The following sections have more information. ■ Achieving SSO ■ Logging Out ■ Authorizing ■ Forcing Authentication ■ Indicating a Passive Identity Provider ■ User and Assertion Mapping ■ Platform Dependencies Introducing Identity Federation in Oracle Access Management 37-3 Using Identity Federation 37.4.1 Achieving SSO When the Identity Federation (acting as an IdP) is performing federated SSO with an SP, the Access Manager server authenticates the user or ensures an authenticated user doesn't need to be challenged due to inactivity. Additionally, the Access Manager server will check that any requested federation authentication method specified by the SP does not require a challenge based on authentication level. The Authentication Scheme mappings to the authentication methods will determine this. (If the SP does not specify a Federation Authentication Method, the IdP will use the one specified for the SP partner in the defaultschemeid property.) See Initiating Federation SSO for details. 37.4.2 Logging Out With Identity Federation, a logout operation is dissociated from the authentication operation. Logout can be initiated by user the (Access Manager server) or a partner in the federation. ■ ■ When initiated by the user accessing the Access Manager Logout service, Access Manager kills the user's Access Manager session and displays a logout page that will instruct the various WebGate agents to remove the user cookies. Access Manager then redirects the user to the Identity Federation Logout service which notifies each partner involved in this session by either redirecting the user with a Logout Request message via HTTP Redirect or HTTP POST or by directly sending a Logout Request message via SOAP. Identity Federation then kills the OIF session and redirects the user to the defined return URL. When initiated by the user on a web site from a partner in the federation, the partner redirects the user to the Identity Federation server which marks the user session as logging out. Identity Federation then redirects the user to the Access Manager server which kills the user's Access Manager session. Access Manager then displays a logout page that will instruct the various WebGate agents to remove the user cookies, and redirects the user back to Identity Federation to resume the Federation logout process by notifying each partner involved in this session (except the one who first redirected the user) by either redirecting the user with a Logout Request message via HTTP Redirect or HTTP POST or by directly sending a Logout Request message via SOAP. Identity Federation then kills the OIF session and redirects the user with a Logout Response message to the partner who first redirected the user to the Identity Federation server. 37.4.3 Authorizing When the Identity Federation server acts as an IdP, it has the need to issue an Identity Token to the SP during the Federation SSO operation. The Identity Token will contain user information as well as session information. By default, the authorization feature is turned off. It can be enabled or disabled using the configureFedSSOAuthz WLST command. You also need to create a resource of type TokenServiceRP (with the Resource URL set to the SP Partner ID) and a Token Issuance Policy to which the Resource is added. The Token Issuance Policy indicates the conditions under which the token should be issued. 37.4.4 Forcing Authentication SAML 2.0 and OpenID 2.0 provide a way for a SP to indicate during Federation SSO whether the user should be challenged by the IdP, even if a valid user session already exists. In this case, the SP will send an authentication request with a parameter indicating that the IdP should re-challenge the user or force authentication. 37-4 Administrator's Guide for Oracle Access Management Initiating Federation SSO 37.4.5 Indicating a Passive Identity Provider SAML 2.0 and OpenID 2.0 provide a way for the SP to indicate during Federation SSO whether the Identity Provider should interact with the user. In this case, the SP will send an authentication request with a parameter indicating that the IdP should not interact with the user or is passive. The IdP recognizes the parameter and returns to the SP: ■ ■ An error if the IdP must interact with the user but cannot because of this parameter. A Federation Assertion that indicates whether the user has a valid session. 37.4.6 User and Assertion Mapping In Identity Federation, after a SP validates the SAML assertion created by it's IdP partner, it can map the assertion to the local user in one of the following ways. ■ ■ ■ By mapping the SAML subject to a user record with a user attribute (for example, mail). By mapping a SAML Assertion Attribute to a user record with a user attribute (for example, the SAML Assertion Attribute emailAddress mapped to mail). By mapping one or more attributes contained in the SAML assertion's AttributeStatement element or the SAML subject with an LDAP query. You must configure both the SAML attribute name and the user attribute to which it is mapped. 37.4.7 Platform Dependencies This architecture leverages the Oracle Fusion Middleware platform for the Credential Store Framework (CSF). CSF securely stores keystore passwords as well as server credentials such as HTTP Basic Authentication usernames and passwords. 37.5 Initiating Federation SSO The following sections contain details about initiating the Federation SSO process. ■ IdP Initiated Federation SSO Service ■ SP Initiated Federation SSO Service 37.5.1 IdP Initiated Federation SSO Service When Identity Federation is working as an IdP, the URL for initiating Federation SSO is: http://public-oam-host:public-oam-port/oamfed/idp/initiatesso The query parameters are: ■ ■ providerid: name of the SP partner with which to perform Federation SSO or the issuer ID / provider ID of the SP partner with which to perform Federation SSO. (required) returnurl: the SP URL where the user will be redirected after a successful Federation SSO (optional) Introducing Identity Federation in Oracle Access Management 37-5 Exchanging Identity Federation Data ■ acsurl: the SAML 2.0 Assertion Consumer Service URL where Identity Federation will redirect the user with the SAML 2.0 Assertion. This URL must be declared in the SP SAML 2.0 Metadata. (optional) 37.5.2 SP Initiated Federation SSO Service When Identity Federation is working as an SP, the URL for initiating Federation SSO is: http://public-oam-host:public-oam-port/oamfed/sp/initiatesso The query parameters are: ■ ■ providerid: name of the IdP partner with which to perform Federation SSO or the issuer ID / provider ID of the IdP partner with which to perform Federation SSO. (required) returnurl: the URL where the user will be redirected after a successful Federation SSO (optional) 37.6 Exchanging Identity Federation Data The integrated Identity Federation server supports the transport and receipt of request and response messages using either the Security Access Markup Language (SAML) 2.0 specifications, SAML 1.1, OpenID 2.0 or WS-Federation 1.1. The following sections contain more information. ■ Using SAML 2.0 ■ Using SAML 1.1 ■ Using OpenID 2.0 ■ Using WS-Federation 1.1 The specification describing how SAML might be used in a given context is referred to as a SAML profile. The specification describing how a SAML assertion and/or message is conveyed in, or transported over, another protocol is referred to as a SAML Binding. Note: 37.6.1 Using SAML 2.0 SAML uses an eXtensible Markup Language (XML) framework to define a simple request-response protocol in order to achieve interoperability between vendor platforms that provide SAML assertions. A SAML requester sends a SAML Request element to a responder. Similarly, a SAML responder returns a SAML Response element to the requester. Within the SAML 2.0 protocol, Identity Federation supports the functionality described in the following sections. ■ SAML 2.0 Bindings for SSO and Federation ■ SAML 2.0 Bindings for Single Logout ■ SAML 2.0 NameID Formats ■ Securing SAML 2.0 Data ■ SAML 2.0 Service Details 37-6 Administrator's Guide for Oracle Access Management Exchanging Identity Federation Data 37.6.1.1 SAML 2.0 Bindings for SSO and Federation SSO and Federation relies on SAML artifacts and assertions to relay authentication information. The following bindings are supported for the exchange of data regarding SSO and federation. ■ ■ ■ The HTTP Artifact Binding uses the Artifact Resolution Protocol and the SAML SOAP Binding (over HTTP) to resolve a SAML message by reference. The IdP will store the Assertion in its repository and redirect the user to the SP with a string (artifact) that references the stored Assertion. The SP will retrieve the Assertion by connecting to the IdP directly over SOAP/HTTP and presenting the artifact The HTTP POST Binding relies on an HTML form to communicate authentication information between providers. For example, the service provider may use HTTP Redirect to send a request while the identity provider uses HTTP POST to transmit the response. The IdP can also redirect the user to the SP in an HTML FORM that contains the Assertion itself. The Reverse SOAP binding (PAOS) is only supported when Access Manager is configured as an IdP. In this flow, the client sends a SOAP request containing a SAML 2.0 Authn Request message to the IdP. The IdP authenticates the user locally, and returns a SOAP response containing a SAML 2.0 Assertion. The client then presents the results to the remote SP. 37.6.1.2 SAML 2.0 Bindings for Single Logout Single Logout defines how providers notify each other of logout events. This message exchange terminates all sessions when a logout occurs at the SP or IdP. The following profiles are supported for exchanging data regarding single logout. ■ ■ ■ The HTTP Redirect profile relies on HTTP redirects between providers. For example, the IdP redirects the user to the SP using a 302 redirect operation with the URL containing the Logout Request/Response message. This profile can be used for sending and receiving data regarding single logout. The HTTP POST profile occurs when the IdP redirects the user to the SP using an HTML FORM containing the Logout Request/Response message. This profile can be used for sending and receiving data regarding single logout. The SOAP Binding Profile allows the IdP to connect directly with the SP and send a Logout Request message. During logout, the IdP redirects the user to the various SPs in a sequential manner. The SP will respond with a Logout Response message. This profile relies on asynchronous SOAP over HTTP messaging calls between providers and can be used only for sending data regarding single logout. 37.6.1.3 SAML 2.0 NameID Formats The Name Identifier Mapping defines how an SP can obtain name identifiers assigned to a principal that has authenticated in the name space of a different SP. When a principal authenticated to one SP requests access to a second site, the second SP can use this protocol to obtain the name identifier and communicate with the first SP about the principal - even though no federation for the principal exists between them. The SAML 2.0 NameID formats listed in Table 37–1 are supported in both IdP and SP mode. Table 37–1 Supported SAML 2.0 NameID Formats NameID Format Description urn:oasis:names:tc:SAML:1.1:nameid-format: SP/IdP will use the applicable user attribute to unspecified populate/process the NameID value Introducing Identity Federation in Oracle Access Management 37-7 Exchanging Identity Federation Data Table 37–1 (Cont.) Supported SAML 2.0 NameID Formats NameID Format Description urn:oasis:names:tc:SAML:1.1:nameid-format: SP/IdP will use the applicable user attribute to emailAddress populate/process the NameID value urn:oasis:names:tc:SAML:1.1:nameid-format: SP/IdP will use the applicable user attribute to X509SubjectName populate/process the NameID value urn:oasis:names:tc:SAML:1.1:nameid-format: SP/IdP will use the applicable user attribute to WindowsDomainQualifiedName populate/process the NameID value urn:oasis:names:tc:SAML:2.0:nameid-format: SP/IdP will use the applicable user attribute to kerberos populate/process the NameID value urn:oasis:names:tc:SAML:2.0:nameid-format: SP/IdP will use either: persistent ■ A user attribute to populate the NameID value ■ ■ A user attribute (such as DN) to set the value (same for every operations) A random value and will store that value in the Federation Data Store (only this mode will require the use of a Federation Data Store) urn:oasis:names:tc:SAML:2.0:nameid-format: IdP will generate a random value transient custom value When this NameID format is used, OIF/IdP will use a user attribute to populate the NameID value 37.6.1.4 Securing SAML 2.0 Data Regarding the security of identity data transported using the SAML 2.0 specifications,the following is true. ■ All outgoing Assertions will be signed. ■ All outgoing responses containing Assertions will not be signed. ■ All outgoing requests/responses not containing Assertions will be signed. ■ The signing certificate will not be included in the messages. ■ ■ ■ ■ Identity Federation (acting as the IdP) will not require signatures on any messages except when specified in the SP Partner metadata. NameIDs, attributes and Assertions will not be encrypted. Information on the default XML Encryption algorithm is located at http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#aes12 8-cbc The hashing algorithm for signatures is SHA-1 by default. Identity Federation can be configured to use SHA-256. 37.6.1.5 SAML 2.0 Service Details The SAML 2.0 Metadata for the IdP and SP is contained in a single XML document and can be retrieved using either the Oracle Access Management Console or by accessing either of the following URLs: http://public-oam-host:public-oam-port/oamfed/idp/metadata http://public-oam-host:public-oam-port/oamfed/sp/metadata 37-8 Administrator's Guide for Oracle Access Management Exchanging Identity Federation Data The certificates used for signature and encryption operations are published via the SAML 2.0 Metadata. The certificates can be retrieved by using a Service URL that specifies the Key ID of the key/certificate entry as defined in the Keystore Settings. (See Section 39.5, "Defining Keystore Settings for Federation.") For example, http://public-oam-host:public-oam-port/oamfed/idp/cert?id=osts_signing The Provider ID and the Issuer ID of the IdP and SP profiles are identical and can be retrieved from the applicable Provider Partner profile using the Oracle Access Management Console. Table 37–2 documents the SAML 2.0 URLs for use when Identity Federation is configured to act as an IdP. Table 37–2 SAML 2.0 URLs for Identity Federation Acting As Identity Provider Description URL Single Sign On Service URL for HTTP Redirect binding http://public-oam-host:public-oam-port/oamfed/idp/samlv20 Single Sign On Service URL for HTTP POST binding http://public-oam-host:public-oam-port/oamfed/idp/samlv20 Single Sign On Service URL for SOAP binding http://public-oam-host:public-oam-port/oamfed/idp/soap Artifact Resolution Service URL for SOAP binding http://public-oam-host:public-oam-port/oamfed/idp/soap Single Logout Service URL for HTTP Redirect binding http://public-oam-host:public-oam-port/oamfed/idp/samlv20 Single Logout Service URL for HTTP POST binding http://public-oam-host:public-oam-port/oamfed/idp/samlv20 Attribute Authority Service URL for SOAP binding http://public-oam-host:public-oam-port/oamfed/aa/soap Table 37–3 documents the SAML 2.0 URLs for use when Identity Federation is configured to act as an SP. Table 37–3 SAML 2.0 URLs for Identity Federation Acting as Service Provider Description URL Assertion Consumer Service http://public-oam-host:public-oam-port/oam/server/fed/sp/s URL for Artifact binding so Assertion Consumer Service http://public-oam-host:public-oam-port/oam/server/fed/sp/s URL for HTTP POST so binding Single Logout Service URL for HTTP Redirect binding http://public-oam-host:public-oam-port/oamfed/sp/samlv20 Single Logout Service URL for HTTP POST binding http://public-oam-host:public-oam-port/oamfed/sp/samlv20 37.6.2 Using SAML 1.1 Although the standards address the same use case, SAML 2.0 and SAML 1.1 get there in different ways. The most important type of SAML 1.1 request is a query. A SP makes a query directly to an IdP over a secure back channel (using SOAP). Within the SAML 1.1 protocol, Identity Federation supports the features described in the following sections. Introducing Identity Federation in Oracle Access Management 37-9 Exchanging Identity Federation Data ■ SAML 1.1 Profiles for Web Browser SSO ■ SAML 1.1 Logout Profile ■ SAML 1.1 NameID Formats ■ Securing SAML 1.1 Data ■ SAML 1.1 Service Details 37.6.2.1 SAML 1.1 Profiles for Web Browser SSO SAML 1.1 profiles rely on pushing SAML artifacts and assertions to an SP to relay authentication information. The following profiles are supported. ■ ■ The Browser/Artifact Profile passes a SAML assertion from the IdP to the SP by reference (through the browser using HTTP Redirect). This artifact is subsequently dereferenced through a back-channel exchange in which the SP retrieves the assertion from the IdP using SAML over SOAP over HTTP. The Browser/POST Profile passes an SSO assertion to an SP through the browser using HTTP POST. We say that the identity provider "pushes" the assertion to the service provider. 37.6.2.2 SAML 1.1 Logout Profile The SAML 1.1 specifications do not define a logout profile thus Identity Federation is not able to notify remote partners regarding a user logging out. 37.6.2.3 SAML 1.1 NameID Formats When a principal authenticated to one SP requests access to a second site, the second SP can obtain the name identifier and communicate with the first SP regarding the principal - even though no federation for the principal exists between them. The SAML 1.1 NameID formats listed in Table 37–4 are supported in both IdP and SP mode. Table 37–4 Supported SAML 1.1 NameID Formats NameID Format Description urn:oasis:names:tc:SAML:1.1:nameid-format: SP/IdP will use the applicable user attribute to unspecified populate/process the NameID value urn:oasis:names:tc:SAML:1.1:nameid-format: SP/IdP will use the applicable user attribute to emailAddress populate/process the NameID value urn:oasis:names:tc:SAML:1.1:nameid-format: SP/IdP will use the applicable user attribute to X509SubjectName populate/process the NameID value urn:oasis:names:tc:SAML:1.1:nameid-format: SP/IdP will use the applicable user attribute to WindowsDomainQualifiedName populate/process the NameID value urn:oasis:names:tc:SAML:2.0:nameid-format: SP/IdP will use the applicable user attribute to kerberos populate/process the NameID value custom value When this NameID format is used, OIF/IdP will use a user attribute to populate the NameID value 37.6.2.4 Securing SAML 1.1 Data Regarding the security of identity data transported using the SAML 1.1 specifications,the following is true. ■ All outgoing Assertions will be signed. 37-10 Administrator's Guide for Oracle Access Management Exchanging Identity Federation Data ■ All outgoing responses containing Assertions will not be signed. ■ The signing certificate will not be included in the messages. ■ Identity Federation (acting as the IdP) will not require signatures on any messages. ■ The hashing algorithm for signatures is SHA-1 by default. Identity Federation can be configured to use SHA-256. 37.6.2.5 SAML 1.1 Service Details The certificates used for signature and encryption operations can be retrieved by using a Service URL that specifies the Key ID of the key/certificate entry as defined in the Keystore Settings. (See Section 39.5, "Defining Keystore Settings for Federation.") For example, http://public-oam-host:public-oam-port/oamfed/idp/cert?id=osts_signing The Provider ID and the Issuer ID of the IdP and SP profiles are identical and can be retrieved from the applicable Provider Partner profile using the Oracle Access Management Console. Table 37–5 documents the SAML 1.1 URLs for use when Identity Federation is configured to act as an IdP. Table 37–5 SAML 1.1 URLs for Identity Federation Acting As Identity Provider Description URL Single Sign On Service URL http://public-oam-host:public-oam-port/oamfed/idp/samlv11sso Artifact Resolution Service URL http://public-oam-host:public-oam-port/oamfed/idp/soapv11 Table 37–6 documents the SAML 1.1 URL for use when Identity Federation is configured to act as an SP. Table 37–6 SAML 1.1 URL for Identity Federation Acting as Service Provider Description URL Assertion Consumer Service URL http://public-oam-host:public-oam-port/oam/server/fed/sp/sso 37.6.3 Using OpenID 2.0 OpenID 2.0 allows users to create accounts with a preferred OpenID IdP and use the account as the basis for signing on to any website that accepts OpenID authentication. Identity data is communicated through the exchange of an OpenID identifier (a URL or XRI chosen by the end-user) and the IdP provides OpenID authentication. Within the OpenID protocol, Identity Federation supports the functionality described in the following sections. ■ OpenID 2.0 Authentication/SSO ■ OpenID 2.0 Logout ■ OpenID 2.0 NameID Format ■ Securing OpenID 2.0 Data ■ Using OpenID 2.0 Extensions Introducing Identity Federation in Oracle Access Management 37-11 Exchanging Identity Federation Data ■ OpenID 2.0 Service Details 37.6.3.1 OpenID 2.0 Authentication/SSO OpenID 2.0 allows a user to sign into a new web site using a special OpenID URL. For example, if you have a blog at myblog.com, you might have created the OpenID URL, yourname.myblog.com. Then if you navigate to a second web site that accepts OpenID logins and click on the OpenID button, you can type in the URL and click to log in. The second SP discovers the OpenID IdP URL with this OpenID identifier. When the OpenID IdP redirects the authenticated user to the SP, it includes the OpenID Assertion which contains the result of the operation, the NameID of the user and (optional) attributes. 37.6.3.2 OpenID 2.0 Logout The OpenID 2.0 specifications do not define a logout profile thus Identity Federation is not able to notify remote partners regarding a user logging out. 37.6.3.3 OpenID 2.0 NameID Format OpenID defines the NameID as being a random string thus Identity Federation will use one of the following as the value for the NameID. ■ ■ A hashed user attribute (such as DN) A generated, random value that will be stored in the Federation Data Store; this mode requires the use of a Federation Data Store 37.6.3.4 Securing OpenID 2.0 Data Regarding the security of identity data transported using the OpenID 2.0 specifications,the following is true. ■ All outgoing Assertions will be signed. ■ The default Association Algorithm is HMAC SHA-1. ■ The default Session Agreement Algorithm is Diffie-Hellmann SHA-1. 37.6.3.5 Using OpenID 2.0 Extensions OpenID is an extensible specification. The following extensions are available when using the integrated Identity Federation. ■ ■ ■ ■ Attribute Exchange (AX): If enabled, a SP can request attributes to be included in the OpenID Assertion response. The IdP can include the requested attributes or attributes configured to be in the response. (Default: enabled) Provider Authentication Policy Extension (PAPE): If enabled, advanced authentication methods can be defined and specified. This might include, for example, a phishing-resistant authentication method or multi-factor authentication. (Default: disabled) GSA Level 1: identifier in the OpenID Assertion indicating if this server is compliant with the http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf policy. If enabled and if PAPE is enabled, OIF will include this policy in the OpenID response (Default: disabled) Level Of Assurance (LOA): identifier in the OpenID Assertion indicating if this server is compliant with the http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf policy. If 37-12 Administrator's Guide for Oracle Access Management Exchanging Identity Federation Data enabled, OIF/IdP will use the mapping between Level of Assurance and schemeID to determine the value to use for LOA in the OpenID response (see 2.5.2 for more information) (Default: disabled) ■ ■ ■ ■ No Private Identifier Information (NoPII): identifier in the OpenID Assertion indicating if this server is compliant with the http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf policy. Note, if enabled, OIF will not include attributes in the OpenID Assertion Persistent Personal Identifier (PPID): identifier in the OpenID Assertion indicating if this server is compliant with the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidenti fier policy. If enabled and if PAPE is enabled, OIF will include this policy in the OpenID response (Default: disabled) Registration (SReg): extension for attributes in the OpenID Assertion. If enabled, the SP can request attributes to be included in the response, and the IdP can include requested attributes or attributes configured to be in the response (Default: disabled) UI Extension (UIExt): extension for UI. In OIF/IdP, support for this extension is limited to advertisement in the XRDS metadata (Default: disabled) 37.6.3.6 OpenID 2.0 Service Details The following URL is the realm of the OpenID 2.0 SP component. http://public-oam-host:public-oam-port Table 37–7 documents the OpenID 2.0 URLs for use when Identity Federation is configured to act as an IdP. Table 37–7 OpenID 2.0 URLs for Identity Federation Acting As Identity Provider Description URL Single Sign On Service URL http://public-oam-host:public-oam-port/oamfed/idp/openidv20 Discovery Service URL http://public-oam-host:public-oam-port/oamfed/idp/openidv20 Table 37–8 documents the OpenID 2.0 URLs for use when Identity Federation is configured to act as an SP. Table 37–8 OpenID 2.0 URLs for Identity Federation Acting as Service Provider Description URL Single Sign On Service URL http://public-oam-host:public-oam-port/oam/server/fed/sp/sso Discovery Service URL http://public-oam-host:public-oam-port/oamfed/sp/openidv20 Realm URL http://public-oam-host:public-oam-port 37.6.4 Using WS-Federation 1.1 Access Manager now supports features of the WS-Federation 1.1 protocol. WS-Federation 1.1 partners can be created using the new addWSFed11IdPFederationPartner and addWSFed11SPFederationPartner WLST commands. After creating the partners, the profiles can be configured using the existing WLST Identity Federation commands. For details, see the Oracle Fusion Introducing Identity Federation in Oracle Access Management 37-13 Administrating Identity Federation Middleware WebLogic Scripting Tool Command Reference for Identity and Access Management. Partial administration of the WS-Federation 1.1 partners is available using the Oracle Access Management Console. Note: 37.7 Administrating Identity Federation Identity Federation integrated with Access Manager can be administered with a combination of configurations using the Oracle Access Management Console and Oracle WebLogic Scripting Tool (WLST) commands. Use the Oracle Access Management Console to enable the Identity Federation service, manage IdP and SP partner profiles, and work with federated authentication schemes and policies. Use the WLST utilities to manage additional server and partner configuration properties. Not all WLST command functionality is duplicated in the Oracle Access Management Console and not all console functionality is duplicated on the command line. Note: The Oracle Access Management Console enables Administrators to manage configuration related to the federation service and partners. Table 37–9 summarizes the types of information that you can configure for Identity Federation using Oracle Access Management Console. Table 37–9 Configuring Identity Federation Settings Configuring ... Description Federation Administrators Administrators who can manage federated partners and related configuration. Federation Service Enable and disable the Identity Federation service in Access Manager. See "Enabling Identity Federation" on page 37-15. Federation Settings Manage basic Identity Federation service configuration properties. See Chapter 39, "Managing Settings for Identity Federation". Providers for Federation IdP partners are managed within the context of administering Identity Federation as a SP. Conversely, SP partners are managed within the context of administering Identity Federation as an IdP. See Section 38.3, "Administering Identity Federation As A Service Provider" or Section 38.4, "Administering Identity Federation As An Identity Provider.". Authentication Schemes and Modules for Federation Manage federation authentication schemes. See "Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.2)" on page 40-2. Policies for Use with Federation Manage policies for use with federation partners. See "Managing Access Manager Policies for Use with Identity Federation" on page 40-9. Table 37–10 outlines the tasks required to implement identity federation using the Oracle Access Management Console. Table 37–10 Implementing Identity Federation Task Reference Enable the Identity Federation service. Section 37.8 Configure federation settings. Section 39.3 Identity IdP and/or SP partners, and configure attributes for them. Section 38.3 37-14 Administrator's Guide for Oracle Access Management Enabling Identity Federation Table 37–10 (Cont.) Implementing Identity Federation Task Reference Configure an authentication or authorization policy. Chapter 40 Protect a resource with this policy. Chapter 25 37.8 Enabling Identity Federation Identity Federation is an authentication module in Oracle Access Management so both the Access Manager service and Identity Federation must be enabled. Figure 37–1 illustrates the Available Services page in Oracle Access Management Console with the Access Manager service and Identity Federation aleady enabled. Use this page to enable (or disable) Identity Federation together with the Access Manager service. Once enabled, it is possible to enable or disable specific Federation features such as IdP, SP, Attribute Authority and/or Attribute Requester. Use the configureFederationService() WLST command as documented in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Note: Figure 37–1 Available Services Page Introducing Identity Federation in Oracle Access Management 37-15 Enabling Identity Federation To enable the Identity Federation service with Access Manager 1. Log in to the Oracle Access Management Console. https://hostname:port/oamconsole/ 2. From the Welcome page, under Configuration, click Available Services. 3. Enable Identity Federation: Click Enable beside Identity Federation (or confirm that the green Status check mark displays). A Confirmation window is displayed. 4. Click OK. 5. Enable Access Manager: Click Enable beside Access Manager (or confirm that the green Status check mark displays). A Confirmation window is displayed. 6. Click OK. 37-16 Administrator's Guide for Oracle Access Management 38 Managing Identity Federation Partners 38 This chapter introduces the concept of federation partners (service providers and identity providers) in Oracle Access Management Identity Federation. This chapter includes the following sections: ■ Understanding Federation And Partners ■ Managing Federation Partners ■ Administering Identity Federation As A Service Provider ■ Administering Identity Federation As An Identity Provider ■ Using Attribute Mapping Profiles ■ Mapping Federation Authentication Methods to Access Manager Authentication Schemes ■ Using the Attribute Sharing Plug-in for the Attribute Query Service ■ Using the Federation Proxy ■ Using WLST for Identity Federation Administration 38.1 Understanding Federation And Partners The topics in this chapter assume some familiarity with the federation and partner concepts described in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation. The current chapter also assumes that you have performed Section 37.8, "Enabling Identity Federation" as described. The integrated Identity Federation server supports the transport and receipt of request and response messages using either the Security Access Markup Language (SAML) 2.0 specifications, SAML 1.1, OpenID 2.0 or WS-Federation 1.1. Thus, Identity Provider (IdP) and Service Provider (SP) partners can be created with any of these protocols defined. SAML and OpenID partners can be defined using the Oracle Access Management Console as described in Creating Remote Identity Provider Partners and Creating Remote Service Provider Partners. WS-Federation partners can be created using WLST commands as described in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for Identity and Access Management. 38.2 Managing Federation Partners This 11g Release 2 (11.1.2.2) of the integrated Identity Federation provides the ability to be configured as a Service Provider (SP) or an Identity Provider (IdP). Following this provider definition, remote providers (whether service or identity) partnered in Managing Identity Federation Partners 38-1 Administering Identity Federation As A Service Provider Federation SSO need to be managed as well. Towards this end, Identity Federation developed the configuration hierarchy concepts of a partner and a partner profile. ■ ■ A partner profile refers to settings specific to a partner type (IdP or SP) or a protocol version (SAML 2.0, SAML 1.1, OpenID 2.0). It is a configuration group that represents a sets of common properties that apply to all partners that reference it. It contains mostly secondary configuration objects such as Authentication Method mappings, cryptographic settings (SHA-1 vs SHA-256) and the like. A partner refers to the configuration for a specific organization partnered in the Federation SSO process. Each partner is associated with a partner profile. The partnerprofileid property in a Partner entry defines the partner profile to which this partner is assigned. If the partnerprofileid property is not defined, the default Partner Profile for the Partner (based on the Partner type and the Partner protocol) will be used. All Partners associated with the same Partner Profile will share its defined settings unless they are specifically overridden for a partner at the Partner configuration level. A Partner configuration overrides a Partner Profile configuration which, in turn, overrides a global configuration. Partner profiles are only manageable using WLST commands. Each new partner created will be bound to one of the default partner profiles listed in Table 38–1. To assign a new partner profile to a partner, use the setFedPartnerProfile() WLST command after creating the partner. See Section 38.9, "Using WLST for Identity Federation Administration" for details. Table 38–1 Default Partner Profiles Default Partner Profile Description saml20-idp-partner-profile SAML 2.0 Partner Profile for IdP partners saml20-sp-partner-profile SAML 2.0 Partner Profile for SP partners saml11-idp-partner-profile SAML 1.1 Partner Profile for IdP partners saml11-sp-partner-profile SAML 1.1 Partner Profile for SP partners openid20-idp-partner-profile OpenID 2.0 Partner Profile for IdP partners openid20-sp-partner-profile OpenID 2.0 Partner Profile for SP partners 38.3 Administering Identity Federation As A Service Provider When the integrated Identity Federation is configured as an SP, you must define any remote IdP partners as trusted by creating and managing profiles that contain details regarding each remote IdP. To begin administration of the integrated Identity Federation server as an SP, click the Service Provider Administration link under Identity Federation from the Launch Pad in the Oracle Access Management Console. This section provides the following topics. ■ Creating Remote Identity Provider Partners ■ Managing the Remote Identity Provider Partners 38.3.1 Creating Remote Identity Provider Partners Use the New Identity Provider Page to define an identity provider (IdP) partner record for Access Manager. You can specify service details manually or load them from a metadata file. 38-2 Administrator's Guide for Oracle Access Management Administering Identity Federation As A Service Provider Figure 38–1 shows the Create Identity Provider Partner page when service details are configured by loading an XML metadata file. Figure 38–1 New Identity Provider Page, Service Details Loaded from Metadata Figure 38–2 shows the Create Identity Provider Partner page when service details are configured by entering values manually. Managing Identity Federation Partners 38-3 Administering Identity Federation As A Service Provider Figure 38–2 New Identity Provider Page, Service Details entered Manually Table 38–2 describes each element on the New Identity Provider page. Table 38–2 Identity Provider Partner Settings Element Description Name This is the provider name. Description This is a brief description of the provider. (Optional). Protocol This is the provider protocol (SAML 1.1, SAML 2.0 and so on). Service Details This drop-down enables you to choose whether to enter service details manually or load from metadata. Metadata File This field appears if loading metadata from a file. Click Browse to select a file to use. Applies to SAML 2.0 only. Issuer ID This is the issuer ID of the provider. Applies to SAML 2.0 and SAML 1.1 only. 38-4 Administrator's Guide for Oracle Access Management Administering Identity Federation As A Service Provider Table 38–2 (Cont.) Identity Provider Partner Settings Element Description Succinct ID This is the succinct ID of the provider. This element is required if using the artifact profile. Applies to SAML 2.0 and SAML 1.1 only. SSO Service URL This is the URL address to which SSO requests are sent. SOAP Service URL This is the URL address to which a SOAP service request is sent. This element is required if using artifact profile. Logout Request Service URL This is the URL address to which a logout request is sent by the provider. This element is required if using the logout feature. Applies to SAML 2.0 only. Logout Response Service URL This is the URL address to which a logout response is sent. This element is required if using the logout feature. Applies to SAML 2.0 only. Signing Certificate This is the signing certificate used by the provider. You can specify it in pem and der formats. Applies to SAML 2.0 and SAML 1.1 only. User Identity Store This is the identity store in which the IdP's users will be located and mapped. Identity Federation supports multiple identity stores, defined on a per-partner basis. Optionally, if no user identity store is selected, the default Access Manager store is used. User Search Base DN This is the base search DN used when looking up user records. (Optional.) If omitted, the default user search base DN configured for the selected user identity store is used.) Mapping Option This setting indicates how an incoming assertion is mapped to a user in the identity store. Select one of the following: ■ Map Assertion Name ID to User ID Store Attribute Enter the identity store attribute to which the assertion NameID will be mapped. ■ Map Assertion Attribute to User ID Store Attribute Enter assertion attribute and the identity store attribute to which it will be mapped. ■ Map Assertion to User Record Using LDAP Query Enter an LDAP query with placeholders for incoming data. You may use: - an attribute from the SAML assertion's AttributeStatement element, referenced by its name prefixed and suffixed with the % character - the SAML assertion subject's NameID, referenced by %fed.nameidvalue% - the identity provider's partner name, referenced by %fed.partner%. For example, an LDAP query to map an incoming assertion based on two assertion attributes (lastname and email) would be (&(sn=%lastname%)(mail=%email%)). Enable Basic HTTP Authentication Check this box to accept HTTP basic credentials. (Advanced element, available only in provider Edit mode.) Attribute Mapping Profile Indicates the attribute profile to which the partner is bound. Service Details Indicates which of the following options Identity Federation (the RP) uses to perform Federation SSO with the IdP. Applies to OpenID 2.0 only. ■ ■ By discovering the IdP SSO URLs via the IdP XRDS metadata available at the Discovery Service URL. By using the specified static OpenID login endpoint which is the IDP SSO service URL. Discovery URL Defines the location where the IdP publishes its XRDS metadata. Applies to OpenID 2.0 only. Endpoint URL Defines the IdP SSO Service location. Applies to OpenID 2.0 only. Managing Identity Federation Partners 38-5 Administering Identity Federation As A Service Provider Table 38–2 (Cont.) Identity Provider Partner Settings Element Description Enable Global Logout Indicates whether or not Identity Federation should notify the remote partner when the user is signing off during the logout flow. Applies to SAML 2.0 only. HTTP POST SSO Response Binding Indicates whether the SAML Assertion should be sent back from the IdP using the HTTP POST Binding or the Artifact Binding. Applies to SAML 2.0 only. Authentication Request NameID Format Indicates the NameID format that Identity Federation will request from the IdP during the Federation SSO operation. If none is selected, a NameID format is not specified in the request. Applies to SAML 2.0 only. For IdP functionality, use the 11g Release 1 (11.1.1) Oracle Identity Federation server. For details, see Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation. Note: To Define SAML 2.0 Identity Providers for Federation Take these steps to define a new SAML 2.0 identity provider (IdP): 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Create Identity Provider Partner from the Create (+) drop-down list in the Federation section. 3. In the Service Details field, select Load from provider metadata. (SAML 2.0 is typically configured with metadata.) 4. A new field named Metadata File appears. Click Browse. 5. Select the metadata file of interest. 6. The metadata is loaded from the file. 7. Click Save to create the Identity Provider definition. To Define SAML 1.1 Identity Providers for Federation Take these steps to create a new SAML 1.1 identity provider (IdP): 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Create Identity Provider Partner from the Create (+) drop-down list in the Federation section. 3. In the Service Details field, select Enter Manually. 4. Fill in the New Identity Provider page using values for your environment (Table 38–2). The information you provide depends on the protocol chosen for the provider and other factors. 5. Click Save to create the identity provider definition. 38-6 Administrator's Guide for Oracle Access Management Administering Identity Federation As A Service Provider Note: Some SAML 1.1 configuration parameters are not exposed through the Oracle Access Management Console. The values of these parameters can be modified using the updatePartnerProperty WLST command. For details, see the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. To Define OpenID 2.0 Identity Providers for Federation In 11g Release 2 (11.1.2.3) the Identity Federation supports OpenID, and acts as an OpenID RP/SP. OpenID Providers can be registered as IdP partners. Authentication schemes created using these OpenID partners protect Access Manager resources using authentication services provided by the OpenID identity providers. Take these steps to create a new OpenID 2.0 identity provider (IdP). 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Create Identity Provider Partner from the Create (+) drop-down list in the Federation section. 3. Fill in the values appropriate for your environment either manually or by uploading a metadata file. The information you provide depends on the protocol chosen for the provider and other factors. 4. Click Save to create the identity provider definition. Google IdP Partners Take these steps to add Google as an OpenID 2.0 IdP. 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Create Identity Provider Partner from the Create (+) drop-down list in the Federation section. 3. From the Launch Pad, click Service Provider Administration under Identity Federation. 4. Select OpenID 2.0 from the Protocol drop down menu. 5. Select Google provider default settings from the Service Details drop down menu. 6. Click Save to create the identity provider definition. The partner is configured so that the SP requests the assertion attributes listed in Table 38–3 from the Google IdP and maps them to the corresponding session attribute names: Table 38–3 Attributes for Google OpenID Partner Assertion Attribute Name Session Attribute Name http://axschema.org/contact/country/home country http://axschema.org/contact/email email http://axschema.org/namePerson/first firstname http://axschema.org/pref/language language http://axschema.org/namePerson/last lastname Managing Identity Federation Partners 38-7 Administering Identity Federation As A Service Provider The Google partner uses mail as the user mapping attribute, so that an incoming http://axschema.org/contact/email attribute should match the mail attribute of the user in the user identity store. Yahoo IdP Partners Take these steps to add Yahoo as an OpenID 2.0 IdP. 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Create Identity Provider Partner from the Create (+) drop-down list in the Federation section. 3. Select OpenID 2.0 from the Protocol drop down menu. 4. Select Yahoo provider default settings from the Service Details drop down menu. 5. Click Save to create the identity provider definition. The partner is configured so that the SP requests the assertion attributes listed in Table 38–4 from the Yahoo IdP and maps them to the corresponding session attribute names: Table 38–4 Attributes for Yahoo OpenID Partner Assertion Attribute Name Session Attribute Name http://axschema.org/contact/country/home country http://axschema.org/contact/email email http://axschema.org/namePerson/first firstname http://axschema.org/pref/language language http://axschema.org/namePerson/last lastname The yahoo partner uses mail as the user mapping attribute, so that an incoming http://axschema.org/contact/email attribute should match the mail attribute of the user in the user identity store. To Enable OpenID Simple Registration By default, Identity federation uses the Attribute Exchange extension to obtain user identity attributes from an OpenID IdP. However, if you need to use the older Simple Registration (SREG) extension, you can enable it by running the following WLST commands: putBooleanProperty("/spglobal/openid20axenabled", "false") putBooleanProperty("/spglobal/openid20sregenabled", "true") To Disable OpenID Simple Registration To switch from the Simple Registration (SREG) extension to the Attribute Exchange extension to obtain user identity attributes from an OpenID IdP: putBooleanProperty("/spglobal/openid20axenabled", "true") putBooleanProperty("/spglobal/openid20sregenabled", "false") 38.3.2 Managing the Remote Identity Provider Partners You can use the following procedure to manage an existing IdP for Identity Federation. 38-8 Administrator's Guide for Oracle Access Management Administering Identity Federation As A Service Provider To Search for Existing Identity Providers Follow these steps: 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, click Identity Provider Management in the Federation section. 3. In the Search section of the page, enter appropriate search criteria for identity provider(s). The characters "*" (asterisk) and "." (period) are supported as search wildcards. See Table 38–5 for details about the search parameters. 4. Click Search. 5. The search results are displayed in a table. Table 38–5 Elements Used for IdP Provider Search Element Description Partner Name Searches for a specific partner name. Provider ID Searches by provider ID. Status Searches providers matching a status. Description Searches by provider description. Protocol Searches for providers that use a specified protocol. Table 38–5 describes the parameters by which providers can be searched. Figure 38–3 Searching for Identity Providers To Update Identity Providers for Federation 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, click Identity Provider Management in the Federation section. 3. Search for the provider you wish to update. See "To Search for Existing Identity Providers" for details. 4. Select the provider of interest from the search results table. Managing Identity Federation Partners 38-9 Administering Identity Federation As An Identity Provider 5. Click the pencil icon to display the provider update page. The page is divided into sections for: Service Information, Signing Certificates, User Mapping, and Advanced. 6. Update the provider information. See Table 38–2 for details. For information on configuring HTTP Basic Authentication to protect SOAP URLs after it has been enabled, see the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation. 7. Click Save to update the Identity Provider definition. 38.4 Administering Identity Federation As An Identity Provider When the integrated Identity Federation is configured as an IdP, you must define any remote SP partners as trusted by creating and managing profiles that contain details regarding each remote SP. This section provides the following topics. ■ Creating Remote Service Provider Partners ■ Managing the Remote Service Provider Partners 38.4.1 Creating Remote Service Provider Partners Use the Service Provider Partner page to define a partner profile when Identity Federation is configured as an IdP. You can specify service details manually or load them from a metadata file. 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Create Service Provider Partner from the Create (+) drop-down list in the Federation section. 3. Enter values for the parameters. Table 38–6 describes each element on the Create Service Provider page. Table 38–6 Service Provider Partner Settings Element Description Name This is the provider name. Enable Partner Select whether this partner is currently participating in the federation. Description This is a brief description of the provider. (Optional). Protocol This is the provider protocol (SAML 1.1, SAML 2.0 or OpenID 2.0). Service Details Select whether to enter service details manually or load from metadata. If selecting the latter, browse for the metadata file. Applies to SAML 2.0 only. Metadata File This field appears if loading metadata from a file. Click Browse to select a file to use. Applies to SAML 2.0 only. Provider ID The provider ID or issuer ID of the remote Service Provider. Applies to SAML 2.0 and SAML 1.1 only. Assertion Consumer URL A URL to which Assertion responses are sent. Applies to SAML 2.0 and SAML 1.1 only. Load Signing Certificate Upload the signing certificate used by this SP. Only visible when Enter Manually is selected. Applies to SAML 2.0 and SAML 1.1 only. Logout Request URL A URL to which logout requests are sent. Applies to SAML 2.0 only. Logout Response URL A URL to which responses to logout requests are sent. Applies to SAML 2.0 only. 38-10 Administrator's Guide for Oracle Access Management Administering Identity Federation As An Identity Provider Table 38–6 (Cont.) Service Provider Partner Settings Element Description Load Encryption Certificate Upload the encryption certificate used by this SP. Only visible when Enter Manually is selected. Applies to SAML 2.0 only. NameID Format Indicates which NameID format should be used for this SP. Applies to SAML 2.0 and SAML 1.1 only. See Section 37.6.1, "Using SAML 2.0" and Section 37.6.2, "Using SAML 1.1" respectively for details on the NameID format. NameID Value Indicates how to populate the NameID Value. Applies to SAML 2.0 and SAML 1.1 only. ■ ■ If User ID Store Attribute is selected, specify the user attribute to be used. If Expression is specified, enter the expression to be used Attribute Mapping Profile Indicates the attribute mapping profile to which the partner is bound. Applies to SAML 2.0 and SAML 1.1 only. User Identity Store This is the identity store in which the IdP's users will be located and mapped. Identity Federation supports multiple identity stores, defined on a per-partner basis. If no user identity store is selected, the default store defined for Access Manager is used. User Search Base DN This is the base search DN used when looking up user records. (Optional. If omitted, the default user search base DN configured for the selected user identity store is used.) Enable Global Logout Indicates whether or not OIF should notify the remote partner when the user is signing off, during the logout flow. Applies to SAML 2.0 only. SSO Response Binding Indicates whether the SAML Assertion should be sent back from the IdP using the HTTP POST Binding or the Artifact Binding, Applies to SAML 2.0 and SAML 1.1 only. Encrypt Assertion Indicates whether or not the Assertion should be encrypted for this partner. Applies to SAML 2.0 only. Realm The URL identifying an OpenID SP. Applies to OpenID 2.0 only. Endpoint URL The URL to which the IdP will redirect the user with the OpenID Assertion. Applies to OpenID 2.0 only. 4. Click Save to create the remote SP partner profile. 38.4.2 Managing the Remote Service Provider Partners To edit and manage the profiles of remote SP partners, search for the profile and make changes to the attribute values. To Search for Existing Service Provider Partner Profiles 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, click Service Provider Management in the Federation section. 3. In the Search section of the page, enter appropriate search criteria for identity provider(s). The characters "*" (asterisk) and "." (period) are supported as search wildcards. See Table 38–5 for details about the search parameters. 4. Click Search. 5. Select the appropriate partner in the Search Results table and click Edit in the toolbar. Managing Identity Federation Partners 38-11 Using Attribute Mapping Profiles A new tab is activated that displays the partner's attributes. In addition to the attributes documented in Table 38–6, the following advanced attributes can be modified. 6. ■ Enable Global Logout ■ Encrypt Assertion ■ SSO Response Binding (HTTP POST or Artifact) Click Save to keep the changes. If using SAML 1.1, you can include a certificate in the signature. See Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for details. Note: 38.5 Using Attribute Mapping Profiles Identity Federation (when configured as an SP) supports the capability to request attributes from an IdP during the Federation process. To configure for this, map the name of an attribute from the incoming Assertion to a local attribute that will be available in the Access Manager session ($session.attr.fed.attr.ATTR_NAME, for example). An IdP Attribute Mapping Profile contains these mappings. Similarly, Identity Federation (when configured as an IdP) supports including attributes in an SSO Assertion or allowing SP partners to request that attributes be placed in the SSO Assertion. Configuring Identity Federation as an IdP involves setting up an SP Attribute Mapping profile that defines the name of the attribute in the SSO assertion, the expression to be used to populate the attribute value, and whether or not to always send the attribute in the SSO Assertion. The protocol used by the provider must support the feature; for example, OpenID 2.0. Note: Each partner type (IdP or SP) references an Attribute Mapping Profile that defines the applicable mappings. It indicates how to map attributes for that partner to attributes defined in the Identity Federation server. If a partner does not have an Attribute Mapping Profile defined, the default Attribute Mapping Profile (based on the partner type) will be used. There is a default Attribute Mapping Profile for each provider type. ■ ■ SP Attribute Mapping Profile: Each SP partner profile will reference an SP Attribute Mapping Profile. A default SP Attribute Mapping Profile will be used if none is configured. See Section 38.5.1, "Using the SP Attribute Mapping Profile" for details. IdP Attribute Mapping Profile: Each IdP partner profile will reference an IdP Attribute Mapping Profile. A default IdP Attribute Mapping Profile will be used if none is configured. See Section 38.5.2, "Using the IdP Attribute Mapping Profile" for details. 38.5.1 Using the SP Attribute Mapping Profile When the Identity Federation instance is configured as an IdP, the SP Attribute Mapping Profile allows the administrator to define which message attributes (included in an incoming or outgoing Identity Federation message) map to which Access Manager session attributes. An expression is used to find the value for the 38-12 Administrator's Guide for Oracle Access Management Using Attribute Mapping Profiles Access Manager attribute when including it in an Assertion or outgoing message. Table 38–7 documents some sample SP attribute mappings. Table 38–7 Sample SP Attribute Mappings Message Attribute Access Manager Session Attribute Always Send mail $user.attr.mail firstname $user.attr.givenname true lastname $user.attr.sn true authn-level $session.authn_level true Always Send indicates if the attribute should be sent even when it has not been specifically requested. If an attribute has to be included in an outgoing Assertion irrespective of whether it has been requested, Always Send should be set to true. If Always Send is false, this attribute will not be included in the Assertion unless requested. When an SP sends a request, message attributes are looked up and the mapping value for this message attribute is calculated by evaluating its expression. The Value expression will use the OAM Policy Expression Language as documented in Section 25.13, "Introduction to Policy Responses for SSO." More than one message attribute can have the same value expression. Note: When creating or modifying an SP partner profile (as documented in Section 38.4.1, "Creating Remote Service Provider Partners"), the available Attribute Mapping Profiles are displayed in a drop-down list. sp-attribute-profile is the default profile. Select the default or click the green plus sign to create a custom mapping profile. When creating a new Attribute Mapping for an SP partner, the expressions documented in Table 38–8 can be embedded in the value string of the attribute. These expressions will be replaced by their runtime values. Table 38–8 Attribute Mapping Value Expressions Value Type Accepted Values Expression request httpheader.HTTP_HEADER_ NAME HTTP_HEADER_NAME being the name of an HTTP Header stored as $request.httpheader.HTTP_HEADER_ NAME cookie.COOKIE_NAME COOKIE_NAME being the name of a cookie stored as $request.cookie.COOKIE_ NAME client_ip stored as $request.client_ip authn_level stored as $session.authn_level authn_scheme stored as $session.authn_scheme count stored as $session.count creation stored as $session.creation expiration stored as $session.expiration attr.ATTR_NAME ATTR_NAME being the name of an Access Manager Session Attribute stored as $session.attr.ATTR_NAME session Managing Identity Federation Partners 38-13 Using Attribute Mapping Profiles Table 38–8 (Cont.) Attribute Mapping Value Expressions Value Type Accepted Values Expression user userid stored as $user.userid id_domain stored as $user.id_domain guid stored as $user.guid groups stored as $user.groups attr.ATTR_NAME ATTR_NAME being the name of an LDAP User Attribute stored as $user.attr.ATTR_ NAME - request: - expression (Based on the identifiers defined above and qualified with the type of data) ■ ■ ■ $request.httpheader.HTTP_ HEADER_NAME $request.cookie.COOKIE_ NAME $request.client_ip - session: ■ ■ - $session.authn_level ■ ■ $session.authn_scheme ■ ■ $session.count ■ ■ $session.creation ■ ■ $session.expiration ■ ■ $session.attr.ATTR_NAME ■ $user.userid ■ ■ $user.id_domain ■ ■ $user.guid ■ ■ $user.groups ■ ■ $user.attr.ATTR_NAME ■ can be any string, with '.' (dot) characters, spaces characters (like "$user.userid" or "$user.attr.givenname $user.attr.sn" or "This is the number of sessions: $session.count") ATTR_NAME being the name of an Access Manager Session Attribute - ■ ■ COOKIE_NAME being the name of a cookie ■ ■ - from user: HTTP_HEADER_NAME being the name of an HTTP Header ATTR_NAME being the name of an LDAP User Attribute ■ 38.5.2 Using the IdP Attribute Mapping Profile When the Identity Federation instance is configured as an SP, the IdP Attribute Mapping Profile allows the administrator to define which attributes (included in an incoming or outgoing Identity Federation message) map to which Access Manager session attributes. The profile allows for the inclusion of the following data: ■ ■ Message Attribute: the name of the attribute in the incoming/outgoing Federation messages. Access Manager Session Attribute: the name by which the attribute is known to the local Access Manager server. 38-14 Administrator's Guide for Oracle Access Management Mapping Federation Authentication Methods to Access Manager Authentication Schemes ■ Request From Partner: Indicates if this attribute is sent in the Request made to the IdP (a value for this attribute is requested by the SP). Table 38–9 documents sample IdP attribute mappings. Table 38–9 Sample IdP Attribute Mappings Message Attribute Access Manager Session Attribute Request for Inclusion mail email true givenname true sn surname uid uid In a protocol where a SP can specify which attributes are required in a response from the IdP, a Message Attribute name is sent in the request to the IdP. In cases when the SP receives an assertion or response from an IdP, the Attributes from the assertion are stored in the Access Manager session. If no Access Manager value is specified, the Message Attribute is stored. When creating or modifying an IdP partner profile (as documented in Section 38.3.1, "Creating Remote Identity Provider Partners"), the Attribute Mapping Profile is displayed with a drop-down list. The idp-attribute-profile is the default profile. Select the default or click the green plus sign to create a custom mapping profile. The Ignore Umapped Attributes checkbox (in the configuration screen) indicates how to deal with Assertion Attributes not present (or that are present but have no value in the Access Manager Session Attribute column). If this checkbox is not checked, all Assertion Attributes that are not present in the table (or don't have a value mapped to Access Manager) will be stored in the Access Manager session with the same attribute name it had in the Assertion. If checked, any Assertion Attribute not present in the table (or with no value mapped to Access Manager) will be ignored and not added to the Access Manager session. When the Identity Federation instance is configured as an SP it can request attributes only if the federation protocol used supports it. OpenID 2.0 supports this feature; SAML 2.0 and SAML 1.1 do not. Note: 38.6 Mapping Federation Authentication Methods to Access Manager Authentication Schemes A Federation Authentication Method (FAM) is an identifier representing an authentication mechanism in Federation messages. This identifier can either be well known (such as the identifiers defined in the SAML specifications like urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport or urn:oasis:names:tc:SAML:1.0:am:password) or it can be an arbitrary identifier agreed upon between the two communicating partners. In its responsibilities as an IdP, Identity Federation generates an Assertion (SAML or OpenID) that might contain information on how the user was authenticated. During the Assertion generation process, the IdP will retrieve the Authentication Scheme with which the user was authenticated and attempt to map it to a FAM. If such a mapping exists, the IdP will include the FAM in the outgoing Assertion. If no mapping exists, the IdP will include the defined Authentication Scheme as the FAM in the Assertion. Managing Identity Federation Partners 38-15 Mapping Federation Authentication Methods to Access Manager Authentication Schemes Session attributes can be used in proxy mode when a mapping is not defined. Identity Federation (when acting as an IdP) can use session attributes for the FAM value when creating the assertion, if both protocols are equivalent. Note: Table 38–10 lists the default, out-of-the-box mappings between FAMs and Access Manager Authentication Schemes. Table 38–10 Default Federation Authentication Method and Access Manager Authentication Scheme Mappings Protocol Mapping saml20-sp-partner-profile urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTranspor t to: ■ LDAPScheme (scheme used if the SP Partner requests urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTran sport) ■ FAAuthScheme ■ BasicScheme ■ BasicFAScheme saml11-sp-partner-profile urn:oasis:names:tc:SAML:1.0:am:password to: ■ LDAPScheme (scheme used if the SP Partner requests urn:oasis:names:tc:SAML:1.0:am:password) ■ FAAuthScheme ■ BasicScheme ■ BasicFAScheme More details are in the following sections. ■ Understanding Federation SSO As An IdP ■ Understanding Federation SSO As An SP ■ Configuring an Alternate Authentication Scheme ■ Using WLST For Mapping Administration 38.6.1 Understanding Federation SSO As An IdP When Identity Federation acts as an IdP, it processes incoming Authentication Request messages sent by SP partners. These messages might specify a FAM with which the user should be challenged by Access Manager (the IdP). If the Authentication Request contains a FAM, the IdP will attempt to map it to an Access Manager Authentication Scheme. If such a mapping is defined, Access Manager will authenticate the user using that scheme - only if the user needs to be challenged. The user would need to be challenged if, for example, the session timed out or does not exist or, the authentication level of the current session is lower than the level of the mapped Authentication Scheme or, the user has not yet been authenticated by Access Manager. If no mapping is defined, the IdP will return an error to the SP indicating that the FAM is unknown. When the IdP Authentication Module invokes Access Manager to challenge the user, it will determine the Authentication Scheme to be used for the operation in one of the following ways: 38-16 Administrator's Guide for Oracle Access Management Mapping Federation Authentication Methods to Access Manager Authentication Schemes ■ ■ The SP requests a specific means to authenticate the user with a Federation Authentication Request. The SP settings in the IdP configuration that define a default scheme. The Partner configuration is checked first, followed by the Partner Profile configuration and finally the global default Authentication Scheme defined in the IdP configuration (LDAPScheme). By default, the Partner and Partner Profile configurations do not define a default Authentication Scheme. As such, the global default Authentication Scheme is in effect: LDAPScheme. Note: After authentication, the IdP creates an Assertion and maps the Access Manager Authentication Scheme (and appropriate level) to a FAM, if such a mapping exists. The FAM is set as the Authentication Context. If no mapping exists, Identity Federation sends the default Access Manager Authentication Scheme as the Authentication Context. Following this process, the user is redirected back to Identity Federation. 38.6.2 Understanding Federation SSO As An SP When acting as an SP in a Federation SSO process, Identity Federation processes an incoming Assertion generated by an IdP partner. This process results in the creation of an Access Manager session for the user and the mapping of the FAM contained in the Assertion to the default SchemeID/Access Manager authentication scheme. Identity Federation provides the authentication level, if set, that should be used when Access Manager creates the user session. (By default, the Authentication Level of the Access Manager session will be set to the Authentication Level of the defined FederationScheme.) The FAM will be saved as a session attribute. The administrator can define a mapping where the SP will create an Access Manager session with a level set to the mapped Authentication Level for the FAM contained in the Assertion. This provides a way to reflect the strength of the mechanism with which the user was originally authenticated by the IdP. 38.6.3 Configuring an Alternate Authentication Scheme During a Federation SSO operation, the IdP invokes the Access Manager Authentication Module to challenge the user when required; for example, if the user is not authenticated in Access Manager, has an Access Manager session that has been inactive too long or timed out or, if the Service Provider indicates (with a Federation Authentication Request) that the IdP must re-challenge the user. For certain clients, an IdP might be required to use another Authentication Scheme to challenge a user besides the default one. This is especially true for mobile phones when an administrator might want to challenge a user with an Authentication Scheme that is different than the one used for computer-based browsers; for example, instead of an HTTP Basic Authentication Scheme, a scheme designed for mobile clients would be used. Identity Federation (when working as an IdP) can be configured to evaluate whether an alternate Authentication Scheme should be used instead of the configured one by examining the HTTP Header sent by the user's browser. Identity Federation evaluates based on the following configurable settings: ■ ■ A setting indicating which HTTP Header attribute is sent by the user's browser. A setting containing a regular expression that will evaluate the value of the above HTTP Header attribute. Managing Identity Federation Partners 38-17 Using the Attribute Sharing Plug-in for the Attribute Query Service ■ A setting containing the alternate Authentication Scheme to use. If the SP requested a specific Authentication Scheme, evaluation does not apply. Note: An alternate Authentication Scheme is only configurable using WLST commands and not the Oracle Access Management Console. For information on the setSPPartnerAlternateScheme and setSPPartnerProfileAlternateScheme WLST commands, see the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. 38.6.4 Using WLST For Mapping Administration All Authentication Method/Scheme/Level mappings are configured using the WLST commands. This can be done either at the partner level or, if not defined at the partner level, at the partner profile level. See Section 38.9, "Using WLST for Identity Federation Administration" for details. 38.7 Using the Attribute Sharing Plug-in for the Attribute Query Service Identity Federation provides an attribute sharing plug-in to enable Access Manager to request user attributes from an IdP. In this interaction, the SP is an requestor and the IdP is an responder. The Attribute Sharing Plug-in depends on the Attribute Query Service, a request/response protocol transported using SOAP. The Attribute Sharing Plug-in leverages the AttributeQuery requestor service to implement (a superset of) the X.509 Authentication Based Attribute Sharing Profile (XASP) in the context of Access Manager authentication flows. Note: Identity Federation (when configured as an SP) can send a SAML 2.0 to the IdP in response to a SOAP call. The plug-in can be configured as a step in an Authentication Scheme. It can be invoked after authentication (by another plug-in) to fetch attributes for the authenticated user and set them into the Access Manager session. The following sections contain additional details. ■ Understanding the Plug-in and Query Service Design ■ Configuring for Attribute Sharing 38.7.1 Understanding the Plug-in and Query Service Design Identity Federation must be configured as an SP to request user attributes from a remote IdP. From a high level, the design of the Attribute Sharing plug-in is illustrated in Figure 38–4. 38-18 Administrator's Guide for Oracle Access Management Using the Attribute Sharing Plug-in for the Attribute Query Service Figure 38–4 Attribute Sharing Plug-in Design The Attribute Sharing plug-in can be part of an Access Manager Custom Authentication Module and is invoked after a user has been authenticated. The Attribute Sharing plug-in will fetch the user attributes by invoking the Identity Federation Java API, setting the attributes into the Access Manager session and transforming the Java arguments into an Attribute Request that can be processed by the SP. The Identity Federation SP receives the Attribute Request (at an exposed SOAP endpoint), determines the attributes being requested and sends an (optionally) signed and encrypted SAML 2.0 using the requested attribute names over a SOAP/HTTP/SSL channel to the IdP's Attribute Responder Service. When invoking the Attribute Sharing plug-in, the framework will provide the following for inclusion in the : Note: ■ ■ User ID of the authenticated user or SubjectDN if available Partner ID user session attribute (available only if the Federation Authentication plug-in was used to authenticate user) ■ Tenant Name ■ IdP Name if the plug-in was created specifically for an IdP The Attribute Responder Service (at the remote IdP) receives the , decrypts it (verifying the signature if necessary) and determines (from its local policy) if the SP is authorized to request the attributes. If so, it retrieves the attributes from a user repository, constructs and (optionally) signs and encrypts an (with an containing the attribute values) and returns a with the assertion to the SP. On receiving the , the SP decrypts the assertion, verifies (if necessary) its signature, extracts the attributes from the assertion and set the information in the Access Manager session. The following sections contain more details. ■ Using the SP Attribute Requester ■ Using the IdP Attribute Responder ■ Using the SOAP Endpoint 38.7.1.1 Using the SP Attribute Requester The Attribute Requester Service processes the SOAP Attribute Request and returns a SOAP Attribute Response. (See Section 38.7.1.3, "Using the SOAP Endpoint" for details.) The Attribute Request will contain a SubjectDN and a list of other requested attributes and their values. The Attribute Requester Service identifies the IdP from Managing Identity Federation Partners 38-19 Using the Attribute Sharing Plug-in for the Attribute Query Service which to fetch attributes by extracting one of the following (searched for in the order listed) from the request. 1. The partner/IdP name if the request comes from the Federation engine. 2. The IdP configured in the plug-in used for authentication. 3. The request's Subject DN to determine which IdP will get the query from the configured SubjectDN-IdP map. Map the SubjectDN from most specific (cn=Joe User,ou=Finance,o=Company,c=US) to least specific (c=US). 4. The default IdP. Following this discovery, the Attribute Requester Service retrieves the SOAP Attribute Responder Service endpoint URL from the IdP's metadata and creates a list of attributes to fetch by processing the attributes in the request through the Attribute Mapping profile. Attribute Mapping profile specified for the target IdP will be used to change any incoming attribute names as well as add any attributes that are configured as send-with-sso (always requested) in the Attribute Mapping for this IdP. Note: A SAML Attribute Query is generated with the attribute list and sent to the IdP's SOAP endpoint. Once a response is received, the subject is verified and the each attribute is extracted from the Assertion, its value is found and both attribute and value are cached. Finally, an Attribute Response SOAP message is constructed and returned to the caller. Example 38–1 is a sample SOAP Attribute Request. Example 38–1 Sample SOAP Attribute Request alice@example.com Example 38–2 is a sample SOAP attribute response. Example 38–2 Sample SOAP Attribute Response Success alice@example.com alice 38.7.1.2 Using the IdP Attribute Responder The Identity Federation IdP Attribute Responder receives the SAML Attribute Query and returns a SAML response with an Attribute Statement that contains values for the requested attributes. The IdP first identifies the requester as an SP partner and then confirms that the user is in the user data store by searching on the NameId or SubjectDN value. It then uses the Attribute Mapping profile of the SP partner to retrieve values for each of the requested attributes. Finally, it constructs and returns a SAML response containing an Attribute Statement with attribute values. The Attribute Responder uses the SP partner's Attribute Mapping profile to retrieve values. An empty value is returned for an attribute if there is no mapping present in the Attribute Mapping profile. If the value expression contains variables in the namespace of a session or request, this also evaluates to an empty string. Value Expressions in the Attribute Mapping Profile can only use variables in the namespace of user.attr to be evaluated correctly. Note: 38.7.1.3 Using the SOAP Endpoint The Attribute Requester Service on the SP exposes a SOAP interface for client requests. The SOAP service is available on the SP at the following URL: Managing Identity Federation Partners 38-21 Using the Attribute Sharing Plug-in for the Attribute Query Service http://:/oamfed/ar/soap 38.7.2 Configuring for Attribute Sharing The Attribute Sharing Plug-in can optionally be provided with the configuration parameters documented in Table 38–11. Table 38–11 Configuration Parameters for Attribute Sharing Plug-in Parameter Description NameIDValueAttribute The name of the session attribute from which the user's nameID can be retrieved. NameIDFormatAttribute The name of the attribute that contains the value to be used as the nameID format. AttributeAuthorityAttribute The name of the attribute that contains the value used as the IdP to which the SP will send the . RequestedAttributes This parameter can be used to specify attributes to be requested in the URL query format; for example, attr1&attr2&attr3=value1. In this case, attr1 and attr2 will be fetched but attr3 will be present in the response ONLY if one of its values is value1. DefaultNameIDFormat The nameID format to be used if it is undetermined from the other parameters and session attributes. DefaultAttributeAuthority The default IdP partner from whom to request the user's attributes. The Attribute Sharing Plug-in can also access the attributes documented in Table 38–12. These attributes may be present in the Access Manager session during its operation. Table 38–12 Session Attributes Accessible To Attribute Sharing Plug-in Attribute Description fed.partner If Federation was used to authenticate the user, this value is used to determine the IdP used. The same IdP would then be used for Attribute Sharing. fed.nameidformat If Federation was used to authenticate the user, the value of this attribute is used to determine the NameID format. fed.nameidvalue If Federation was used to authenticate the user, the value of this attribute is used to determine the NameID of the user. If present in the session, it will be used as the DN to locate the user in the SP's identity store. KEY_USERNAME_DN If this value is present, it will be used as the DN to locate the user in the SP's identity store. The following sections have additional details on parameters and how they determine how the Attribute Sharing process. ■ NameID ■ NameID Format ■ IdP ■ RequestedAttributes 38-22 Administrator's Guide for Oracle Access Management Using the Attribute Sharing Plug-in for the Attribute Query Service 38.7.2.1 NameID This is the name identifier of the user for whom the SP is requesting attributes. To determine the NameID, the following searches will be conducted in order. In the Attribute Sharing plug-in 1. If the NameIDValueAttribute is specified, retrieve the value of the specified attribute from the session and use it as the NameID. 2. If NameIDValueAttribute is not specified, use the value of fed.nameidvalue for the NameID. 3. If undetermined by the above, the Attribute Sharing Plug-in will invoke the Federation Engine with a null/empty NameID and the UserID (specified in the KEY_USERNAME_DN session attribute) is sent to the SP Attribute Requester. In the Attribute Requester (SP) 1. If the NameID is in the Request, use its value for the user's nameID. 2. If a NameID is undetermined but a UserID is present (which occurs when invoking the Authentication Plug-in), retrieve the value of the defaultattrrequestnameiduserattribute attribute (found in the SP configuration for this IdP) and use it as the NameID. 3. When using SAML 2.0 only: If a NameID is not determined and SSO is configured for Simple NameID mapping, use the nameiduserattribute attribute (found in the SP configuration for this IdP). For example, if the value of this attribute is $user.attr.mail, extract the name of the user from this attribute and use it as the NameID. 4. If a NameID is still undetermined, an error is thrown. 38.7.2.2 NameID Format This is the format of the user's NameID. To determine the NameID format, the following searches will be conducted in order. In the Attribute Sharing plug-in 1. If the NameIDFormatAttribute parameter (Table 38–11) is specified, retrieve the value of the specified attribute and use it as the NameID format. 2. Use the value of the fed.nameidformat attribute (Table 38–12) as the NameID format. 3. Use the value of the DefaultNameIDFormat (Table 38–11) as the NameID format. 4. If NameID Format is still undetermined, the Attribute Sharing plug-in will invoke Federation with a null/empty NameID Format. In the Attribute Requester (SP) Use the NameID Format specified in the request. 1. 2. Use the value of the defaultattrrequestnameidformat attribute (found in the SP configuration for this IdP). 3. When using SAML 2.0 only: If the NameID Format is still undetermined, use the value of the defaultauthnrequestnameidformat attribute (found in the SP configuration for this IdP). 4. If a NameID Format is still undetermined, an error is thrown. Managing Identity Federation Partners 38-23 Using the Federation Proxy 38.7.2.3 IdP This is the IdP partner to which the attribute request should be sent. To determine the IdP partner, the following searches will be conducted in order. In the Attribute Sharing plug-in 1. If the AttributeAuthorityAttribute (Table 38–11) is specified, retrieve its value and use it as the IdP name. 2. Use the value of the fed.partner attribute (Table 38–12) as the IdP name. 3. Use the value of the DefaultAttributeAuthority parameter (Table 38–11) as the IdP name. 4. If the IdP is still undetermined, the Attribute Sharing plug-in will invoke Federation with a null/empty NameID Format. In the Attribute Requester (SP) Use the IdP name included with the request sent to the Attribute Sharing plugin. 1. 2. When using x509 only: look up the dn-idp mapping to determine the IdP for this user DN. 3. Use the value of the defaultattrauthority attribute (found in the SP configuration). 4. Use the value of the defaultssoidp attribute (found in the SP configuration). 5. If an IdP name is still undetermined, an error is thrown. 38.7.2.4 RequestedAttributes These are the attributes to be requested from the Attribute Authority. To determine the attributes, the following searches will be conducted in order. In the Attribute Sharing plug-in If the RequestedAttributes parameter (Table 38–11) is defined, use the attributes specified. If none are specified, no attributes are sent. In the Attribute Requester (SP) 1. If the RequestedAttributes parameter (Table 38–11) is defined, use the attributes specified. 2. Append (or add) attributes to the request from partner(send-with-sso) attribute in the IdP partner profile. In the Attribute Responder (IdP) If the from the SP contains requests for specific attribute values, return values for those attributes. 1. 2. If no attribute values are requested, return any attributes specified as Always Send (send-with-sso) in the SP attribute profile configuration. 38.8 Using the Federation Proxy When configured as an IdP, Identity Federation can enable the Federation Proxy to receive an Authentication Request from a remote SP partner. Rather than authenticating the user locally, the IdP begins a second Federation SSO flow (SP2) with a second, remote IdP (IdP2). IdP2 then authenticates the user, creates an Assertion and 38-24 Administrator's Guide for Oracle Access Management Using WLST for Identity Federation Administration redirects the user back to the Federation Proxy (IdP/SP2). The proxy validates the Assertion, identifies the user and resumes the first Federation SSO flow by creating a second Assertion and redirecting the user back to the original SP. With Federation Proxy, the first IdP is proxying the authentication to the second IdP. The Federation Proxy does not refer to the HTTP Proxy settings listed under Federation Settings. That is used by Identity Federation to connect to remote servers when a firewall is present. Note: To use Federation IdP Proxy, the administrator configures Identity Federation to use FederationScheme for authentication rather than a local scheme (like LDAPScheme or BasicScheme). At runtime, if the user needs to be authenticated using the FederationScheme, Identity Federation will act as an SP and start the Federation SSO flow with a remote IdP. There is an option to include the proxied Federation authentication method used by the second IdP in the Assertion created for the first SP. This is only possible if the Federation SSO operation between SP2 and IdP2 use the same protocol as the one used between SP1 and IdP1. Note: For information on how to enable Federation Proxy using the useProxiedFedAuthnMethod WLST command, see the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. 38.9 Using WLST for Identity Federation Administration Identity Federation uses WLST commands for administration. There are commands for managing authentication mappings, partner profiles and SAML 1.1 that do not have applicable administrative fields for configuration in the Oracle Access Management Console. For information on these and other WLST commands, see the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for Identity and Access Management. Managing Identity Federation Partners 38-25 Using WLST for Identity Federation Administration 38-26 Administrator's Guide for Oracle Access Management 39 Managing Settings for Identity Federation 39 This chapter introduces the settings that must be configured for use by Oracle Access Management Identity Federation. This chapter includes the following sections: ■ Prerequisites ■ Introduction to Federation Settings ■ Managing General Federation Settings ■ Managing Proxy Settings for Federation ■ Defining Keystore Settings for Federation ■ Exporting Metadata 39.1 Prerequisites The topics in this chapter presume that you have performed tasks in Chapter 38, "Managing Identity Federation Partners". 39.2 Introduction to Federation Settings This section introduces the federation settings that must be configured to enable the Identity Federation functionality available from the Oracle Access Management Console. Figure 39–1 shows the Federations Settings page as it appears in the Oracle Access Management Console. This page is the same whether you choose Identity Federation Service Settings from the Welcome page, Configuration panel, or you display the Federation section of the System Configuration tab and choose Federation Settings. Managing Settings for Identity Federation 39-1 Managing General Federation Settings Figure 39–1 Identity Federation Service Settings Page Table 39–1 outlines the types of federation settings you can configure. Table 39–1 Federation Settings in the Console Elements Description General General federation settings include basic information about the provider and the keys used to send assertions. See Also: Managing General Federation Settings Proxy Proxy settings enable you to set up a proxy server for federation. See Also: Managing Proxy Settings for Federation Keystore Keystore settings enable you to create aliases (a short hand notation) for keys in the keystore. See Also: Defining Keystore Settings for Federation 39.3 Managing General Federation Settings This topic is divided as follows: ■ About Managing General Federation Settings ■ Managing General Federation Settings 39.3.1 About Managing General Federation Settings You view and manage general federation properties on the Federation Settings page of the console. 39-2 Administrator's Guide for Oracle Access Management Managing Proxy Settings for Federation Figure 39–1 shows the General section of the Federation Settings page. Table 39–2 describes each element on the General section of the Federation Settings page. Table 39–2 General Federation Settings Element Description Provider ID This is the provider ID of this federation server. For example, http://foo.example.com/fed. Signing Key This key is used to sign assertions. Encryption Key This key is used to decrypt incoming messages. Custom Trust Anchor File Specifies a keystore that contains trusted root certificates use in federation. The default trust store is $DOMAIN_HOME/config/fmwconfig/amtruststore. In most cases, the default trust anchor should be enough. If necessary, specify the location of an alternate keystore to use. Note: When you use a custom trust anchor keystore, it will not be replicated automatically across the cluster. You must manage replication of this keystore. Export SAML 2.0 Metadata After changes to the General settings, you must export the metadata for use by federation partners. See Also: Exporting Metadata 39.3.2 Managing General Federation Settings General settings include basic information about a provider. Prerequisites None. To set or modify General settings for Federation 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, Select Federation from the drop-down list in the Settings section. 3. On the Federation Settings page, enter General Settings values for your (Table 39–2). 4. Click Apply to save your changes. 5. Proceed to "Managing Proxy Settings for Federation". 39.4 Managing Proxy Settings for Federation This topic is organized in the following sections. ■ About Proxy Settings for Federation ■ Managing Proxy Settings for Identity Federation 39.4.1 About Proxy Settings for Federation A proxy may be required when Identity Federation needs to directly connect to the federation partner, such as in a SAML artifact SSO operation. You view and manage a proxy configured for use with federation partners on the Federation Settings page of the console. Managing Settings for Identity Federation 39-3 Defining Keystore Settings for Federation Figure 39–1 illustrates the Federation Proxy Settings section of the Federation Settings page. Table 39–3 describes each element on the Federation Proxy Settings section of the Federation Settings page. Table 39–3 Federation Proxy Settings Element Description Enable Proxy Checking the box enables the proxy server. When the box is unchecked, the Proxy function is disabled and related fields are inaccessible for editing. Host This element specifies the proxy hostname. Port This element specifies the proxy port number. Non-proxy Hosts This is a list of hosts for which the proxy should not be used. Use ';' to separate multiple hosts. Username This is the proxy user name to use when connecting to the proxy. Password This is the proxy password to use when connecting to the proxy. 39.4.2 Managing Proxy Settings for Identity Federation Skip Step 1 if viewing the Federation Settings page. Prerequisites None. To set or modify Proxy settings for Federation 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, Select Federation from the drop-down list in the Settings section. 3. On the Federation Settings page, evaluate current proxy settings values against those needed for your environment. 4. Fill in the Proxy settings using values for your environment (Table 39–3). 5. Click Apply to save your changes. 6. Proceed to "Defining Keystore Settings for Federation". 39.5 Defining Keystore Settings for Federation This topic is organized in the following sections. ■ About Managing Keytore Settings for Identity Federation ■ Managing Identity Federation Encryption/Signing Keys 39.5.1 About Managing Keytore Settings for Identity Federation You view and manage keystores configured for use with federation partners on the Federation Settings page of the console. Figure 39–2 illustrates the expanded Federation Proxy Settings section of the Federation Settings page. 39-4 Administrator's Guide for Oracle Access Management Defining Keystore Settings for Federation Figure 39–2 Keystore Settings Table 39–4 describes each element on the Keystore Settings section of the Federation Settings page. Table 39–4 Keystore Settings for Federation Element Description Keystore Location This element specifies the keystore path. Key ID This is the unique key ID. Description This element provides a brief description of the key, such as its usage type. Alias This element specifies the key alias. Note: You can choose one of the aliases that is available in the keystore using the drop-down. Password This element specifies the key password. 39.5.2 Managing Identity Federation Encryption/Signing Keys As described in Chapter 5, Identity Federation uses keys in the following keystore to store encryption and signing certificates: $DOMAIN_HOME/config/fmwconfig/.oamkeystore Task overview: Managing Identity Federation Encryption/Signing Keys ■ Resetting the System (.oamkeystore) and Trust (amtruststore) Keystore Password ■ Adding a New Key Entry to the System Keystore (.oamkeystore) AM denotes Access Manager, STS denotes Security Token Service, and IF denotes Identity Federation in this discussion. Note: 39.5.2.1 Resetting the System (.oamkeystore) and Trust (amtruststore) Keystore Password Use the following procedure to reset the password that protects the keystores as well as the key entries which use the same password as the keystore. Note that the keystores were created and configured by the IM/OAMAM/OSTS installer, and the password and the key entries password were randomly generated. Managing Settings for Identity Federation 39-5 Defining Keystore Settings for Federation The WLST resetKeystorePassword method allows you to set the .oamkeystore password and any key entries with a password identical to the .oamkeystore password to a new value. The command: ■ ■ ■ ■ updates the .oamkeystore password updates the key entries in the .oamkeystore which had the same password as the keystore updates the OAMAM/STS/IF configuration to reflect the change updates the amtruststore password if the keystore is protected by the same password as the .oamkeystore (default) To set the system keystore (.oamkeystore) password: 1. Enter the WLST scripting environment. 2. Connect to the WebLogic Server AdminServer, using the connect() command. 3. Navigate to the domain runtime tree: domainRuntime() . 4. Execute the following command: resetKeystorePassword() 5. Enter and confirm the password. 39.5.2.2 Adding a New Key Entry to the System Keystore (.oamkeystore) You can add a new key entry into the system keystore (.oamkeystore) using the keytool command to create and add the new key entry. Once the entry has been added, it must be defined in the Identity Federation settings configuration screen so that it can be used to sign assertions and decrypt incoming messages. This topic provides the following procedures to add a new entry to the system keystore to sign SAML assertions or decrypt XML-encrypted data not covered by WSS: ■ Adding a New Entry in the .oamkeystore ■ Adding a New Entry in the Identity Federation Settings ■ Configuring the Signing and Encryption Key 39.5.2.2.1 Adding a New Entry in the .oamkeystore Prerequisites The system keystore (.oamkeystore) password has been reset. To configure a new entry: 1. Locate keytool. 2. Use keytool to: generate a self-signed certificate, or ■ ■ generate a certificate request, export the request to a remote Certificate Authority (CA), and finally import the certificate issued by the CA. 39.5.2.2.2 Adding a New Entry in the Identity Federation Settings The steps are as follows: 1. In the Oracle Access Management Console, click Federation at the top of the window. 39-6 Administrator's Guide for Oracle Access Management Exporting Metadata 2. In the Federation console, Select Federation from the drop-down list in the Settings section. 3. On the Federation Settings page, navigate to the Keystore table. 4. Add a row. 5. Enter a key ID that will be used to reference this key when configuring Identity Federation. 6. Select the alias of the key entry stored in .oamkeystore. 7. Enter the key password. 8. Click Apply. 39.5.2.2.3 Configuring the Signing and Encryption Key Once the key has been added to the keystore table, you can configure Identity Federation to use the key. The steps are as follows: 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, Select Federation from the drop-down list in the Settings section. 3. Navigate to the General section. 4. Select the Signing Key from the list of available key entries that were defined in the keystore table. 5. Select the encryption key from the list of available key entries that were defined in the keystore table. 6. Click Apply. Identity Federation will now use those keys to sign and decrypt messages. 39.6 Exporting Metadata After changes to the general settings, you can export the metadata for use by federation partners. To Export SAML 2.0 Metadata Take these steps to export the metadata: 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, Select Federation from the drop-down list in the Settings section. 3. On the Federation Settings page, click Export SAML 2.0 Metadata. 4. A dialog box appears where you must specify the file for the exported metadata. 5. Click Save to save your new metadata file. Managing Settings for Identity Federation 39-7 Exporting Metadata 39-8 Administrator's Guide for Oracle Access Management 40 Managing Federation Schemes and Policies 04 [28To ] enable Oracle Access Management Access Manager to work with federation providers, you define one or more authentication schemes. The defined schemes will authenticate users that request access to resources protected by Access Manager. This chapter introduces authentication schemes and policies that may be configured for Oracle Access Management Identity Federation. ■ ■ ■ Using Identity Federation and Access Manager Together Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.2) Using Authentication Schemes and Modules for Oracle Identity Federation 11g Release 1 ■ Managing Access Manager Policies for Use with Identity Federation ■ Testing Identity Federation Configuration ■ Using the Default Identity Provisioning Plug-in ■ Configuring the Identity Provider Discovery Service ■ Configuring the Federation User Self-Registration Module ■ Integrating OAM Identity Provider With Microsoft Office 365 Service Provider 40.1 Using Identity Federation and Access Manager Together The use of federation features within Access Manager varies depending on the release. When integrating with Identity Federation: ■ ■ 11g Release 1 (11.1.1) sites, and those upgrading from 11g Release 1 (11.1.1) to 11g Release 2 (11.1.2), can use the integration described in Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite. Sites with new 11g Release 2 (11.1.2) installations can leverage federation features using the Oracle Access Management Console. For Identity Federation concepts, background and high-level flows, see Chapter 3, Deploying Oracle Identity Federation, of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation Note: Managing Federation Schemes and Policies 40-1 Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.2) 40.2 Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.2) This topic is divided as follows: ■ About the FederationScheme Authentication Scheme ■ About the FederationMTScheme ■ About the FederationPlugin Authentication Module ■ Managing Authentication with Identity Federation in 11g Release 2 40.2.1 About the FederationScheme Authentication Scheme FederationScheme is a general-purpose scheme for use with Identity Federation 11g Release 2 (11.1.2.2). Figure 40–1 shows the Access Console page for FederationScheme: Figure 40–1 FederationScheme Table 40–1 describes the FederationScheme. Table 40–1 FederationScheme Element Definitions Element Description Name This is the scheme name. Description This is a brief description of the scheme. Authentication Level This is the trust level of the authentication scheme. Default This is a non-editable box that is checked when the Set as Default button is clicked. 40-2 Administrator's Guide for Oracle Access Management Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.2) Table 40–1 (Cont.) FederationScheme Element Definitions Element Description Challenge Method You may select a challenge method from those available in the drop-down box. Challenge Redirect URL This is the URL of another server to which user requests must be redirected for processing. Authentication Module This is the authentication module to use with the scheme. Challenge URL This is the URL to which the credential collector will redirect for credential collection. Not used by the federation plug-in. Context Type This element is used to build the final URL for the credential collector. Context Value This element is used to build the final URL for the credential collector. The value depends on the context type. Challenge Parameters This is the list of parameters, if any, to use with the challenge. See Also: Table 22–21 for FederationScheme specifications. 40.2.2 About the FederationMTScheme The FederationMTScheme authentication scheme is a scheme designed for use in multi-tenancy environments. 40.2.3 About the FederationPlugin Authentication Module FederationPlugin provides a custom authentication module. Figure 40–2 is a screen shot of the module’s Console page. Figure 40–2 FederationPlugin Steps Table 40–2 describes the attributes used to configure the FederationPlugin steps. Managing Federation Schemes and Policies 40-3 Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.2) Table 40–2 FederationPlugin Steps Element Description Step Name This is the name of the step within the module. Description This element contains a brief description of the step. Plugin Name This element specifies the plugin associated with the step. The value of FedSSOIdP is the IDP to be picked up by the authentication plugin. Orchestration enables you to specify the order of the steps within the plugin, and what to do if each of those steps succeeds or fails. Figure 40–3 illustrates the orchestration of the FederationPlugin, which is similar to the orchestration described in Table 22–14, " Steps Orchestration Tab". Figure 40–3 FederationPlugin Orchestration Table 40–3 describes the attributes for the orchestration of the FederationPlugin. Table 40–3 Orchestration of FederationPlugin Element Description Name This is the step name. The steps appear in this column in order of execution, which can be modified with the Initial Step drop-down. Description This is a brief description of the step. On Success This is the action to take upon successful completion of the step, such as execution of next step in the orchestration. On Error This is the action to take upon error, such as taking the specified failure action. On Failure This is the action to take upon step failure. 40.2.4 Managing Authentication with Identity Federation in 11g Release 2 This section explains how to manage the FederationScheme; and FederationPlugin plug-in, a custom authentication module. Prerequisites None. 40-4 Administrator's Guide for Oracle Access Management Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.2) To view or modify FederationScheme 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security console, click Authentication Schemes in the Access Manager section. 3. Search for and open the FederationScheme authentication scheme. 4. Review FederationScheme details to ensure these are desired for your deployment. Table 40–1 describes field details. 5. Click the Save button. To view or modify FederationPlugin In the Oracle Access Management Console, click Application Security at the top of the window. 1. 2. In the Application Security console, click Authentication Plug-ins in the Plug-ins section. 3. Search for and open the FederationPlugin authentication plug-in. 4. Review FederationPlugin details to ensure these are desired for your deployment. Table 40–2 provides plugin step details. 5. Use the icons above the step table to add a step (+) or delete a step (x). 6. Modify the order of steps as needed using the Steps Orchestration tab. Table 40–3 provides orchestration details. 7. Click the Save button. To Add an Authentication Policy with FederationScheme Prerequisite: Any resource to be added to a policy must be defined within the same Application Domain as the policy. Take these steps to set up an authentication policy that uses FederationScheme, and associate a resource that will be protected using this policy: 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Application Security console, click Application Domains in the Access Manager section. 3. Search for and open the target application domain. 4. In the application domain configuration page, click the Authentication Policies tab. 5. Click Create and enter the following General Policy Details (Table 25–9, " Authentication Policy Elements and Descriptions"): 6. ■ Name ■ Authentication Scheme Add these Global Policy Elements and Specifications: ■ Description (optional) ■ Success URL ■ Failure URL Managing Federation Schemes and Policies 40-5 Using Authentication Schemes and Modules for Oracle Identity Federation 11g Release 1 7. To add resources: a. Click the Resources tab on the Authentication Policy page. b. Click the Add button on the tab. c. Choose a URL from the list. d. Repeat these steps as needed to add more resources. 8. Click Apply to save changes and close the confirmation window. 9. Responses: See "Introduction to Policy Responses for SSO" on page 25-68 and "Adding and Managing Policy Responses for SSO" on page 25-75. Figure 40–4 shows the console page to define the authentication policy and associate the policy to the resources. Figure 40–4 Setting Up the Authentication Policy with FederationScheme 40.3 Using Authentication Schemes and Modules for Oracle Identity Federation 11g Release 1 This section describes the authentication schemes and modules available for use with the Oracle Identity Federation server in Oracle Fusion Middleware Release 11g R1 (11.1.1). The schemes used for Identity Federation in 11g Release 2 (11.1.2.3) are described in Section 40.2. Note: An authentication scheme is a named component that defines the challenge mechanism required to authenticate a user. Each authentication scheme must also include a defined authentication module. See Also: For additional information about schemes, see Section 22.9. ■ About Scheme OIFScheme ■ About the OIFMTLDAPPlugin Authentication Module 40-6 Administrator's Guide for Oracle Access Management Using Authentication Schemes and Modules for Oracle Identity Federation 11g Release 1 ■ Managing Authentication with Oracle Identity Federation Release 11gR1 40.3.1 About Scheme OIFScheme OIFScheme and OIFMTScheme are used for integration with Oracle Identity Federation 11g Release 1 (11.1.1). See Section 40.2 for the schemes available with Identity Federation 11g Release 2 (11.1.2.3). Note: Figure 40–5 OIFScheme Table 40–4 describes the scheme OIFScheme. Table 40–4 OIFScheme Definition Element Description Name This is the scheme name. Description This is a brief description of the scheme. Authentication Level This is the trust level of the authentication scheme. Default This is a non-editable box that is checked when the Set as Default button is clicked. Challenge Method Use to select a challenge method from those available in the drop-down box. Challenge Redirect URL This is the URL of another server to which user requests must be redirected for processing. Authentication Module This is the authentication module to use with the scheme. Challenge URL This is the URL the credential collector will redirect to for credential collection. Context Type Use this element to build the final URL for the credential collector. Challenge Parameters This is the list of parameters, if any, to use with the challenge. See Also: Table 22–21 for OIFScheme specifications. Managing Federation Schemes and Policies 40-7 Using Authentication Schemes and Modules for Oracle Identity Federation 11g Release 1 40.3.2 About the OIFMTLDAPPlugin Authentication Module The OIFMTLDAPPlugin module authenticates federated tenants through Identity Federation and non-federated tenants with the identity store associated with Access Manager. Figure 40–6 OIFMTLDAPPlugin Table 40–5 describes the steps for OIFMTLDAPPlugin. Table 40–5 OIFMTLDAPPlugin Steps Element Description Step Name This is the name of the step within the module. Description This element contains a brief description of this step. Plugin Name This element specifies the plugin associated with this step. Plugin Parameters This element lists the parameters, if any, needed for plugin execution. The parameter list varies with the plugin. 40.3.3 Managing Authentication with Oracle Identity Federation Release 11gR1 This section explains how to manage OIFScheme; and OIFMTLDAPPlugin, a custom authentication module for Identity Federation 11g Release 1 (11.1.1). Prerequisites None To view or modify the OIFScheme Authentication Scheme 1. In the Oracle Access Management Console, click Application Security at the top of the window. 40-8 Administrator's Guide for Oracle Access Management Managing Access Manager Policies for Use with Identity Federation 2. In the Application Security console, click Authentication Schemes in the Access Manager section. 3. Search for and open the OIFScheme authentication scheme. 4. Review OIFscheme details to ensure these are desired for your deployment. For field details, see Table 40–4. 5. Click the Save button. Prerequisites None. To view or modify the OIFMTLDAPPlugin Authentication Module In the Oracle Access Management Console, click Application Security at the top of the window. 1. 2. In the Application Security console, click Authentication Modules in the Plug-ins section. 3. Search for and open the OIFMTLDAPPlugin authentication module. 4. Review OIFMTLDAPPlugin details to ensure these are configured as desired for your deployment. For field details, see Table 40–5. 5. Click the Save button. To add an Authentication Policy with OIFScheme The procedure for this task is the same as described in "To Add an Authentication Policy with FederationScheme". 40.4 Managing Access Manager Policies for Use with Identity Federation This section explains the use of policy responses in Access Manager in the context of federation policies. ■ About Policy Responses with Assertion Attributes for Identity Federation ■ Defining Policy Responses with Assertion Attributes for Identity Federation 40.4.1 About Policy Responses with Assertion Attributes for Identity Federation A policy can optionally contain one or more authentication responses, or authorization responses, or both. You can configure the use of assertion attributes when setting up Access Manager policy responses with Identity Federation. You use assertion attributes in the following contexts: ■ Authorization policy conditions ■ Response attributes as HTTP headers ■ Response attributes for identity context Figure 40–7 shows the Response configuration tab for an authorization policy: Managing Federation Schemes and Policies 40-9 Managing Access Manager Policies for Use with Identity Federation Figure 40–7 Authorization Policy Response Tab Table 40–6 describes the elements for a policy response. Table 40–6 Policy Response Elements Element Description Name This is a unique name to distinguish this response from other responses that use the same mechanism (type). Type This is the mechanism used to convey the response form of the action to be taken with the value string. Select Assertion Attribute. Value This is the response expression, set as a variable. To provide the federation data as response attributes in the authentication or authorization policy, the values can reference: ■ ■ $session.attr.fed.nameidvalue for the name ID value $session.attr.fed.attr.AttributeName for any other assertion attribute 40.4.2 Defining Policy Responses with Assertion Attributes for Identity Federation Use the Oracle Access Management Console to configure policy responses with assertion attributes. Background on Conditions and Responses for Identity Federation Identity Federation conditions and responses must be specified separately because they are used for different tasks. A condition is used to control access to a resource within Access Manager. For example, if the identity provider is sending a role assertion and the service provider wished to only allow people who had a role of sales to access the resource, you would add a condition wherein: ■ the Condition Namespace would be "Session". ■ the Name would be "fed.attr.role". ■ the Operator is set to EQUALS. 40-10 Administrator's Guide for Oracle Access Management Managing Access Manager Policies for Use with Identity Federation ■ value is "sales". Notes: ■ ■ Replace the role in this example to the actual SAML asserted attribute. If you wanted to use the standard SAML NameID value as the condition then the value would be "attr.fed.nameidvalue". A response, on the other hand, enables you to pass an asserted attribute to the application. For example, if you wanted to pass the asserted attribute role to a back-end application in an HTTP header, you would: ■ go to the Response tab. ■ Add a Header, name Role (this is the name of the HTTP header). ■ The value would be $session.attr.fed.attr.role. Again, replace the role in this example to correspond to the actual SAML asserted attribute. Prerequisites None. To View or Configure Policy Responses with Assertion Attributes 1. Using the Oracle Access Management Console, search for the desired application domain and open the desired policy to view or configure a response. 2. Select the Responses tab. 3. Click the relevant icon to add, delete or update a response. 4. When updating, review the response details to ensure these are desired for your deployment. For field details, see Table 40–6. 5. Click the Save button. Figure 40–8 shows an example of federation response attribute configuration: Managing Federation Schemes and Policies 40-11 Testing Identity Federation Configuration Figure 40–8 Adding a Federation Response Attribute to an AuthZ Policy 40.5 Testing Identity Federation Configuration After performing the procedure described in the previous section, you have completed all the steps to configure federation in SP mode. To recap, these steps are: 1. Enabling the Identity Federation service using Oracle Access Management Console. 2. Creating an IdP partner or using an existing IdP partner. 3. Ensuring that IdP setup including SAML attributes, global logout, and nameID format are configured. 4. Configuring an authentication/authorization policy that uses FederationScheme with federation response attributes; and 5. Protecting a resource with this policy. To test this configuration, access the resource that is protected by the authentication policy and verify that access is granted or denied according to the policy. Test SP Module Identity Federation provides a Test SP module which allows you to: ■ ■ test Federation SSO with an IdP Partner see the result of the Federation SSO operation as well as the assertion sent by the Identity Provider Follow these steps to enable or disable the Test SP Module: 1. Enter the WLST environment: $OH/common/bin/wlst.sh 2. Connect to the Admin Server: connect() 3. Move to the domain runtime location: 40-12 Administrator's Guide for Oracle Access Management Testing Identity Federation Configuration domainRuntime() 4. Execute the following WLST command to enable the Test SP Module: configureTestSPEngine("true") 5. Execute the following WLST command to disable the Test SP Module: configureTestSPEngine("false") The Test SP Module should be disabled in a production environment. Note: To access the Test SP module and perform a federation SSO operation with an IdP partner, perform the following steps: 1. Access the following service: http(s)://oam-hostname:oam-port/oamfed/user/testspsso 2. Select the IdP with which to perform a federation SSO (note: only enabled IdP partners are listed). 3. Start the federation SSO operation. The browser will be redirected to the IdP Partner for authentication and redirected back to Identity Federation with a federation response. 4. Identity Federation will process the federation assertion and the Test SP module will display the result of the processing (note: no Access Manager session will be created as a result of the operation). Troubleshooting Error During Federation Configuration After Upgrade IAM Suite is the OOTB Application Domain created when OAM 11.1.2 is installed. This Application Domain can be renamed after installation but when upgrading OAM to 11.1.2.2.0, it must be renamed back to IAM Suite otherwise the upgrade operation will fail with the following error seen in the WLS admin logs. java.lang.NullPointerException at oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.FedR2PS2Bootstr apHandler.createFedAuthnResource(FedR2PS2BootstrapHandler.java:505) at oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.FedR2PS2Bootstr apHandler.doBootstrap(FedR2PS2BootstrapHandler.java:151) at oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.R2PS2BootstrapH elper.doBootstrap(R2PS2BootstrapHelper.java:70) at oracle.security.am.common.policy.tools.PolicyComponentLifecycle.initialize(Pol . icyComponentLifecycle.java:99) If the IAM Suite Application Domain has been renamed after installation, it is required to rename it back to its original IAM Suite name prior to beginning the upgrade process. After the upgrade process is complete, the name can be changed back to a custom name. Managing Federation Schemes and Policies 40-13 Using the Default Identity Provisioning Plug-in 40.6 Using the Default Identity Provisioning Plug-in 11g Release 2 (11.1.2.3) features a plug-in that you can optionally use to provision a missing identity during a federated SSO operation. ■ Why Use a Provisioning Plug-in? ■ About the Default Provisioning Plug-in ■ Using the Default Provisioning Plug-in ■ Switching to a Custom Provisioning Plug-in 40.6.1 Why Use a Provisioning Plug-in? When a federated SSO transaction is initiated, the processing flows as follows: 1. The IdP authenticates a user and sends an assertion to Oracle Access Management Identity Federation. 2. Acting as SP, Identity Federation maps the user to the local identity store. 3. If the user does not exist in the local store, the mapping fails. Resolving this issue requires the ability to provision the user so the transaction can continue. 40.6.2 About the Default Provisioning Plug-in To handle the identity mapping failure, Identity Federation supports the ability to set up a plug-in, known as the default provisioning plug-in, to provision the missing user in the identity store and enable the federated single sign-on to proceed. The user is provisioned in the identity store associated with the IdP partner. You can specify a list of attributes to use in provisioning the plug-in, as explained in the next section. 40.6.3 Using the Default Provisioning Plug-in You can enable this default provisioning plug-in from the plug-in configuration interface. The steps are as follows: 1. From the plug-in configuration interface select FedUserProvisioningPlugin. 2. In the configuration parameters tab, set the following parameters: ■ ■ ■ 3. KEY_USER_RECORD_ATTRIBUTE_LIST - This is the list of attributes with which the user should be provisioned. These attributes are available as part of the assertion, for example: mail, givenname. (optional) KEY_PROVIDERID_ATTRIBUTE_NAME – This is the tenant ID attribute name in the identity store which Identity Federation populates at run-time with the tenant name. (optional) KEY_USERID_ATTRIBUTE_NAME – This is the attribute name to use for the userid value from the assertion attributes. (optional) Enable user provisioning with the default plug-in by executing the WLST command: putBooleanProperty("/fedserverconfig/userprovisioningenabled","true") 40-14 Administrator's Guide for Oracle Access Management Configuring the Identity Provider Discovery Service 40.6.4 Switching to a Custom Provisioning Plug-in A custom provisioning plug-in is also available with Identity Federation. To switch from the default plug-in to the custom plug-in, follow the guidelines in Developing a Custom User Provisioning Plug-in chapter of the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. When using the custom plug-in, set the plug-in name with the WLST command: putStringProperty("/fedserverconfig/userprovisioningplugin","CustomPlugin") 40.7 Configuring the Identity Provider Discovery Service Identity provider discovery is a service that selects an identity provider (possibly through interaction with the user) to use during SSO. While Identity Federation does not provide an identity provider discovery service, it provides support for using such a service to select an IdP, if one is not passed in the authentication request to the SP during SP-initiated SSO. For more information about IdP discovery refer to the specifications at: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery-c s-01.pdf When acting as a service provider, Identity Federation can be configured so that if an SSO operation is initiated without the provider ID of the partner IdP, the user is redirected to an IdP discovery service to select the identity provider with which to perform SSO. After the user selects an identity provider, the custom page resubmits the SSO request with the chosen IdP to Identity Federation. ■ Using the Bundled IdP Discovery Service ■ Creating a custom IdP Discovery Service ■ Disabling the use of an IdP Discovery Service 40.7.1 Using the Bundled IdP Discovery Service Identity Federation provides a simple Identity Provider Discovery Service that can be used to determine the Federation IdP Partner to be used at runtime during a Federation SSO operation. Follow these steps to configure IdP discovery: 1. Enter the WLST environment: $OH/common/bin/wlst.sh 2. Connect to the Admin Server: connect() 3. Move to the domain runtime location: domainRuntime() 4. Execute the following WLST command to configure Identity Federation to use an IdP Discovery Service: putBooleanProperty("/spglobal/idpdiscoveryserviceenabled", "true") Managing Federation Schemes and Policies 40-15 Configuring the Identity Provider Discovery Service 5. Execute the following WLST command to configure Identity Federation to use the default out-of-the-box IdP Discovery Service: putBooleanProperty("/spglobal/idpdiscoveryservicepageenabled", "true") putStringProperty("/spglobal/idpdiscoveryserviceurl", "/oamfed/discovery.jsp") 40.7.2 Creating a custom IdP Discovery Service You can configure Identity Federation to interact with a custom IdP Discovery Service deployed remotely. Follow these steps to configure Identity Federation to use a custom IdP discovery: 1. Enter the WLST environment: $OH/common/bin/wlst.sh 2. Connect to the Admin Server: connect() 3. Move to the domain runtime location: domainRuntime() 4. Execute the following WLST command to configure Identity Federation to use an IdP Discovery Service: putBooleanProperty("/spglobal/idpdiscoveryserviceenabled", "true") 5. Execute the following WLST command to configure Identity Federation to use a custom IdP Discovery Service (replace IDP_DISCOVERY_SERVICE_URL with the fully qualified URL of the Discovery Service): putBooleanProperty("/spglobal/idpdiscoveryservicepageenabled", "false") putStringProperty("/spglobal/idpdiscoveryserviceurl", "IDP_DISCOVERY_SERVICE_ URL") At runtime, Identity Federation redirects to the IdP Discovery Service page with the following parameters: ■ ■ return: This is the URL to which the page should send the new request containing the chosen IdP provider ID to Identity Federation. returnIDParam: This is the name of the parameter to use to specify the chosen IdP provider ID in the request sent to Identity Federation. The discovery service gets the values of these parameters, displays a list of IdPs, and sends a new request to Identity Federation specifying the chosen IdP Provider ID. Check that the URL query parameter values are correctly URL-encoded. Note: Example The following is an example of an IdP discovery service page. This page allows the user to select an identity provider (from the list of provider IDs: http://idp1.com, http://idp2.com, http://idp3.com), and submit the chosen provider ID to Identity Federation to continue the SSO flow. 40-16 Administrator's Guide for Oracle Access Management Configuring the Identity Provider Discovery Service <%@ page buffer="5kb" autoFlush="true" session="false"%> <%@ page language="java" import="java.util.*, java.net.*"%> <% // Set the Expires and Cache Control Headers response.setHeader("Cache-Control", "no-cache"); response.setHeader("Pragma", "no-cache"); response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT"); // Set request and response type request.setCharacterEncoding("UTF-8"); response.setContentType("text/html; charset=UTF-8"); String submitURL = request.getParameter("return"); String returnIDParam = request.getParameter("returnIDParam"); List idps = new ArrayList(); idps.add("http://idp1.com"); idps.add("http://idp2.com"); idps.add("http://idp3.com"); %> Select an Identity Provider
Select an Identity Provider
Provider ID
Managing Federation Schemes and Policies 40-17 Configuring the Federation User Self-Registration Module 40.7.3 Disabling the use of an IdP Discovery Service Follow these steps to configure Identity Federation to stop using an IdP discovery service: 1. Enter the WLST environment: $OH/common/bin/wlst.sh 2. Connect to the Admin Server: connect() 3. Move to the domain runtime location: domainRuntime() 4. Execute the following WLST command to configure Identity Federation to stop using an IdP Discovery Service: putBooleanProperty("/spglobal/idpdiscoveryserviceenabled", "false") putBooleanProperty("/spglobal/idpdiscoveryservicepageenabled", "false") putStringProperty("/spglobal/idpdiscoveryserviceurl", "/oamfed/discovery.jsp") 40.8 Configuring the Federation User Self-Registration Module When Identity Federation is acting in Service Provider (SP) mode, the user assertion is mapped to a local user record in the LDAP directory to complete the federated single sign-on. If the mapping fails because the user performing the Federation SSO operation does not have a local account, Identity Federation can be configured to trigger a user self-registration flowto enable the user to create an account locally. At runtime, when the Assertion mapping operation fails, if self-registration is enabled, the user self-registration framework will: ■ redirect the user to a self-registration page. ■ the self-registration page will contain the following fields: – username – password – confirm password – first name – last name – email address These fields might be pre-populated with data from the Assertion. Also, any field used in the Assertion Mapping process cannot be edited: the user will not be able to change the information used for the Assertion Mapping operation for security reasons. ■ Once the user creates the account, the Federation SSO flow will resume and result with the creation of an Access Manager session. At that point, the user will be redirected to the protected resource. 40-18 Administrator's Guide for Oracle Access Management Configuring the Federation User Self-Registration Module Follow these steps to enable or disable the user self registration module: 1. Enter the WLST environment: $OH/common/bin/wlst.sh 2. Connect to the Admin Server: connect() 3. Move to the domain runtime location: domainRuntime() 4. Execute the following WLST command to enable the user self-registration module: putBooleanProperty("/fedserverconfig/userregistrationenabled", "true") putStringProperty("/fedserverconfig/userregistrationurl", "/oamfed/registration.jsp") 5. Execute the following WLST command to disable the user self-registration module: putBooleanProperty("/fedserverconfig/userregistrationenabled", "false") putStringProperty("/fedserverconfig/userregistrationurl", "/oamfed/registration.jsp") You can configure Identity Federation to pre-populate the fields of the self-registration page with the data contained in the Assertion. By default, the self-registration page will populate those fields based on the following: ■ ■ ■ ■ first name: Identity Federation will use either the firstname or givenname attributes contained in the Assertion. The userregistrationfirstnameattr configuration property indicates the list of comma separated attributes that should be used to populate this field. By default, that field is set to firstname,givenname. last name: Identity Federation will use either the lastname or sn attributes contained in the Assertion. The userregistrationlastnameattr configuration property indicates the list of comma separated attributes that should be used to populate this field. By default, that setting is set to lastname,sn. email address: Identity Federation will use either the mail attribute contained in the Assertion, or the Assertion's NameID (referenced by fed.nameidvalue). The userregistrationemailattr configuration property indicates the list of comma separated attributes that should be used to populate this field. By default, that setting is set to mail,fed.nameidvalue. username: Identity Federation is not configured to use any Assertion attributes to populate this field. The userregistrationusernameattr configuration property indicates the list of comma separated attributes that should be used to populate this field. By default, that setting is empty. If the attributes or NameID are missing from the assertion, the fields will be empty. To configure the userregistrationfirstnameattr, userregistrationlastnameattr, userregistrationemailattr and userregistrationusernameattr properties: 1. Enter the WLST environment: $OH/common/bin/wlst.sh 2. Connect to the Admin Server: connect() Managing Federation Schemes and Policies 40-19 Integrating OAM Identity Provider With Microsoft Office 365 Service Provider 3. Move to the domain runtime location: domainRuntime() 4. Execute the following WLST command to set the first name field rule: putStringProperty("/fedserverconfig/userregistrationfirstnameattr", "firstname,givenname") 5. Execute the following WLST command to set the last name field rule: putStringProperty("/fedserverconfig/userregistrationlastnameattr", "lastname,sn") 6. Execute the following WLST command to set the email address field rule: putStringProperty("/fedserverconfig/userregistrationemailattr", "mail,fed.nameidvalue") 7. Execute the following WLST command to set the username field rule: putStringProperty("/fedserverconfig/userregistrationusernameattr", "uid,fed.nameidvalue") 40.9 Integrating OAM Identity Provider With Microsoft Office 365 Service Provider This section describes how to administer OAM Identity Federation 11g R2PS2 (11.1.2.2.0) as an IdP for integration with Microsoft Office 365 when the latter is configured as an SP leveraging the SAML 2.0 standard. After the integration implementation, you can use an account in the Identity Repository to access all web clients (including Office rich client apps connecting to SharePoint Online) and email-rich clients that use basic authentication and a supported Exchange access method such as IMAP, POP, Active Sync or MAPI. (The Enhanced Client Protocol end point is required to be deployed). The deployment assumes: 1. OAM 11gR2PS2 has been installed and configured using SSL. 2. An account has been created using the Oracle Access Management Console that defines the Administrator role for Office 365. 3. Windows PowerShell 2.0 and Microsoft Online Services Module have been installed. 4. Get an available domain name to be used as the federated domain in Office 365. Generally, this domain needs to be purchased. Note: ■ ■ For non Web-based client integration: The OAM IdP endpoint must be accessible from the public network. A trusted SSL certificate issued by a well known entity must be used. The following sections contain the configuration details. ■ Configuring Microsoft Office 365 for OAM Integration 40-20 Administrator's Guide for Oracle Access Management Integrating OAM Identity Provider With Microsoft Office 365 Service Provider ■ Configuring OAM for Microsoft Office 365 Integration ■ Configuring Microsoft Office 365 for OAM Integration 40.9.1 Configuring Microsoft Office 365 for OAM Integration Use the following procedure to configure Microsoft Office 365. 1. Add the domain name (for example, test.com) and verify it using the Office 365 Web administration center. 2. Define the authentication scheme for the domain as Federated by running the Set-MsolDomainAuthentication PowerShell command. $dom="" $url="https://server_host:port/oamfed/idp/samlv20" $uri="" $ecpUrl=https:// server_host:port/oamfed/idp/soap $logouturl="https://server_host:port/oamfed/idp/samlv20" $cert="MIIB/DCCAWWgAwIBAgI......." Set-MsolDomainAuthentication -FederationBrandName $dom -Authentication Federated -ActiveLogUri $ecpUrl -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP The values for some of these parameters can be found in the OAM Identity Provider metadata. Note: 3. Create a user in the Federated domain by running the New-MsolUser PowerShell command. New-MsolUser -DisplayName –UserPrincipalName -UsageLocation -BlockCredential $false -ImmutableId Values for UserPrincipalName and ImmutableId are required by Office 365 for Federation. In the SAML assertion, the value of ImmutableId will be stored in the SAML Subject using the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameID format. The UserPrincipalName will be stored in the SAML Attribute using the attribute name IDPEmail. In the OAM User Identity Store, the user entry must use the same attributes to store the values of UserPrincipalName and ImmutableId. Use the following: ■ mail= ■ uid= If Office 365 has been before this integration, you can use an existing user for testing. You must know the values of the UserPrincipalName and ImmutableId attributes for the existing user. Note: 4. Assign a license to the user to make the applications provided by Office 365 available to the user. Managing Federation Schemes and Policies 40-21 Integrating OAM Identity Provider With Microsoft Office 365 Service Provider 40.9.2 Configuring OAM for Microsoft Office 365 Integration Use the following procedures to configure OAM for integration with Microsoft Office 365. ■ Configuring for Web and Non-Web Clients ■ Additional Configurations for Non-Web Clients For details on how to use the WLST commands needed in this procedure, see the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Note: 40.9.2.1 Configuring for Web and Non-Web Clients Use this procedure to configure for both Web and non-Web clients. 1. Log in to the Oracle Access Management Console. 2. Navigate to Available Services and enable the Identity Federation service. 3. Navigate to Identity Provider Administration. 4. Create a Service Provider Attribute Profile mapping. Table 40–7 Message Attribute Mapping Message Attribute Name Value Always Send IDPEmail $user.attr.mail true 5. Create a Service Provider Partner for Office 365 using the attributes and values documented in Table 40–8. Table 40–8 Office 365 Service Provider Attribute Values Name Office365 Protocol SAML 2.0 Service Details Load from provider metadata Metadata File Can be downloaded from: https://nexus.microsoftonline-p.com/federationmetadata/saml 20/federationmetadata.xml For customers in China using the China-specific instance of Office 365 download from: https://nexus.partner.microsoftonline-p.cn/federationmetadata /saml20/federationmetadata.xml NameID Format persistent NameID Value User ID Store Attribute + uid Attribute Mapping Profile The profile created in step 2 User Identity Store Identity Store used User Search Base DN The base DN for User search SSO Response Binding HTTP POST 40-22 Administrator's Guide for Oracle Access Management Integrating OAM Identity Provider With Microsoft Office 365 Service Provider 6. Optionally, set the default Authentication Scheme for the service provider partner using the setSPPartnerDefaultScheme WLST command. By default, OAM uses LDAPScheme for user authentication. To use another scheme, run the following command: setSPPartnerDefaultScheme(, ) See Section 40.9.2.2, "Additional Configurations for Non-Web Clients" if using non-Web clients. 40.9.2.2 Additional Configurations for Non-Web Clients Perform these additional configurations if using non-Web clients. These steps will not impact Web-based integration. 1. Use the setSPPartnerAlternateScheme WLST command to set an alternative Authentication Scheme for the Service Provider partner to handle HTTP Basic authentication. For example: setSPPartnerAlternateScheme(, "true", httpHeaderName="X-MS-Client-Application", httpHeaderExpression=".* Microsoft.Exchange..*", authnScheme="BasicScheme or BasicSessionlessScheme") The values of httpHeaderName and httpHeaderExpression can be determined from the HTTP request sent from Office365 to OAM. If you want to use other values, use rich clients to connect the email account and capture the HTTP request on OAM server side. It is recommended to use BasicSessionlessScheme because Office 365 only validates user credentials to get an assertion. Note: 2. Use the updatePartnerProperty WLST command to update the configuration to send certificates in XML signatures. updatePartnerProperty(,"sp","includecertinsignature","true","boolean") For Basic Authentication, you may need re-authentication even after the Request is already authenticated. 40.9.3 Verifying Federation Single Sign-On Use the procedures in this section to verify Federation SSO. ■ Verifying SP-Initiated SSO ■ Verifying IDP-Initiated SSO ■ Verifying Non Web-based Clients 40.9.3.1 Verifying SP-Initiated SSO Use this procedure to test SP-initiated SSO. 1. Open one of the following URLs. ■ http://portal.microsoftonline.com: from login page, input "xxx@test.com" in the user name field, then click the password field; at this time, you should be automatically redirected to the OAM login page. Managing Federation Schemes and Policies 40-23 Integrating OAM Identity Provider With Microsoft Office 365 Service Provider ■ 2. http://www.outlook.com/test.com: you should be automatically redirected to the OAM login page. Enter a user name and password in the displayed OAM login page and click Login. If SSO is successful, you will be logged into the Office 365 Web portal. 40.9.3.2 Verifying IDP-Initiated SSO Use this procedure to test IDP-initiated SSO. 1. Open http://host:port/oamfed/idp/initiatesso?providerid=urn:federation:MicrosoftO nline&returnURL=http://portal.microsoftonline.com in a browser. 2. Enter a user name and password in the displayed OAM login page and click Login. If SSO is successful, you will be logged into the Office 365 Web portal. 40.9.3.3 Verifying Non Web-based Clients Use this procedure to test federation with non Web-based clients. 1. Add an Email account for an email client. ■ ■ ■ For Desktop Email client like Outlook client, please refer to http://help.outlook.com/en-ca/140/cc875899.aspx For Native Email app in Android device, please refer to http://office.microsoft.com/client/15/help/preview?AssetId=HA102823196 &lcid=1033&NS=O365ENTADMIN&Version=15&CTT=5&origin=HA1037873 72 For IOS device, please refer to http://office.microsoft.com/client/15/help/preview?AssetId=HA102818554 &lcid=1033&NS=O365ENTADMIN&Version=15&CTT=5&origin=HA1028282 59 When adding an email account using the Outlook client, after you input Your Name and Email Address in the User Information area, it will auto-fill the User Name value in the Logon Information area with the value of Your Name. You should change the value of Your Name to reflect the email address. Note: 2. Check that you can send and receive email successfully. 40-24 Administrator's Guide for Oracle Access Management Part X Part X Managing Oracle Access Management Security Token Service Part VIII provides information to help Administrators manage the Security Token Services available with Oracle Access Management. Part VIII contains the following chapters: ■ Chapter 41, "Introducing the Oracle Access Management Security Token Service" ■ Chapter 42, "Security Token Service Implementation Scenarios" ■ Chapter 43, "Configuring Security Token Service Settings" ■ Chapter 44, "Managing Security Token Service Certificates and Keys" ■ Chapter 45, "Managing Templates, Endpoints, and Policies" ■ Chapter 46, "Managing Token Service Partners and Partner Profiles" ■ Chapter 47, "Troubleshooting Security Token Service" 41 Introducing the Oracle Access Management Security Token Service 41 [29The ] Oracle Access Management Security Token Service provides the foundation for the security infrastructure, facilitating a consistent and streamlined model for token acquisition, renewal, and cancellation that is protocol and security infrastructure agnostic. It helps simplify the effort needed to bridge access to various systems by using a standardized set of interfaces. Security Token Service facilitates Federated SSO and Single Logout (SLO) for users accessing resources through a Web browser and across different security domains or administrative boundaries. The following sections contain introductory material regarding the Security Token Service. ■ Understanding the Security Token Service ■ Using the Security Token Service ■ Security Token Service Key Terms and Concepts ■ Integrating the Oracle Web Services Manager ■ Architecting the Security Token Service ■ Security Token Service Supported Token Matrix ■ Deploying Security Token Service ■ Installing Security Token Service ■ Administrating the Security Token Service 41.1 Understanding the Security Token Service Security Token Service is a Web Service (WS) Trust-based token service that allows for policy-driven trust brokering and secure identity propagation and token exchange between Web Services. Security Token Service can be deployed as a Security and Identity Service and used to simplify the integration of distributed or federated Web services within an enterprise and its service providers. Security Token Service is primarily based on the OASIS WS-Trust protocol but it also delegates the processing of other WS-* protocols present in the SOAP message. Note: Security Token Service brokers trust between a Web Service Consumer (WSC) and a Web Service Provider (WSP) and provides security token lifecycle management Introducing the Oracle Access Management Security Token Service 41-1 Using the Security Token Service services to both. It allows for the use of various federation protocols like SAML, WS-Federation, Liberty, or OpenID.The Oracle Access Management Security Token Service (Security Token Service) is deployed with Access Manager and must be activated as a service. 41.2 Using the Security Token Service Security Token Service is installed with Oracle Access Management 11g on Managed Servers. Each Managed Server must be registered with Access Manager to open communication channels. Security Token Service leverages the common infrastructure for shared services and the Access Manager 11g administration model. All Security Token Service system configuration is done using the Oracle Access Management Console, providing a unified and consistent administration experience. Security Token Service also inter-operates with third party security token servers. Security Token Service is compliant and co-exists with Access Manager (using Access Manager as the primary authenticator for Web clients requesting tokens). Security Token Service also uses Oracle Web Services Manager Agents. WebGate is used as an Agent for identity propagation. The WebGate must be registered with Access Manager 11g to open a communication channel. Security Token Service processing: ■ ■ ■ Integrates with STS Audit events Publishes, in the Oracle Access Management Console and WLST scripts, available Security Token Service methods to manage partner data Performs validation operations specific to the Security Token Service use cases and configuration model Security Token Service adopts the same frameworks, guidelines, and practices for diagnostics, monitoring, auditing, and high availability used by Oracle Access Management 11g. For more information, see Part III, "Logging, Auditing, Reporting and Monitoring Performance". Note: The Security Token Service 11g infrastructure is described in Table 41–1. 41-2 Administrator's Guide for Oracle Access Management Security Token Service Key Terms and Concepts Table 41–1 Security Token Service 11g Infrastructure Component Description Default Trust Keystore Security Token Service private keys used for Signing/Encryption are stored in the common keystore used with Access Manager. Security Token Service and Access Manager use the common infrastructure certification validation module. Trusted Certificates and Certificate Revocation Lists (CRLs) used during certificate validation are stored in Trust Keystore and CRL ZIP file. The Security Token Service configuration stores the OCSP/CDP settings. The token security key pair is populated to Access Manager/Security Token Service keystore. Note: When the Oracle WSM Agent is used as the WS_Trust client in the Security Token Service deployment, Oracle strongly recommends that the Oracle WSM Agent keystore and the Security Token Service/Access Manager keystore always be different. Do not merge the two. Otherwise, Access Manager/Security Token Service keys could be available to any modules authorized by OPSS to access the keystore and Access Manager keys might be accessed. See Also: "About Access Manager Keystores" on page 5-32. Default User Identity Store Security Token Service authenticates and maps users against the User Identity stores configured through the Common Configuration section of System Configuration in the Oracle Access Management Console. Security Token Service maps the incoming token to user records and attributes in the default User Identity Store, which operates with both Access Manager and Security Token Service. See Also: "Using the System Store for User Identities" Certificates The certificates used by Security Token Service are self signed. The subject and the issuer field are identical. Out of the box, the OAM Server hosting Security Token Service is uniquely identified: ■ ■ The keys and certificates used in Security Token Service are generated during installation. The subject and issuer fields are linked to the host name. This applies to the signing and encryption keys and certificates used by Security Token Service, as well as the keys/certificates used by the OWSM Agent protecting Access Manager. The OWSM Agent is the certified WS-Trust client that can be used to communicate with Security Token Service. The SAML Issuer settings are configured to refer to the host name of the local computer. This ensures that two servers are not identical in terms of cryptographic materials and identifiers. The trust granted to one server by third-party modules is not granted to the other server because the identifiers and cryptographic keys differ. There are no identical keys, no identical identifiers, and authorization policies are in denial mode. Oracle Coherence Security Token Service integrates with the Oracle Coherence module to store and share run time WS-Trust data across all the physical instances of Security Token Service. The UserNameToken Nonce are stored in the Coherence store. This implementation supports the following requirements, which might be specific to Security Token Service: ■ Cleanup of timed out records ■ Existence of the records limited to several minutes (< 30) 41.3 Security Token Service Key Terms and Concepts Security tokens contain claims or statements that are used to assert trust. To secure communication between a Web service client and a Web service, the two parties must exchange security credentials. These credentials can be obtained from a trusted Security Token Service. To provide interoperable security tokens, the Security Token Service must be trusted by both the Web service client and the Web service. Note: Modern IT environments have numerous types of security tokens (most of them based on browser cookies) for facilitating SSO and session management for Web applications. These token types include Kerberos (primarily for Windows Native Authentication), Security Assertion Markup Language (SAML) assertions, and even digital certificates. Table 41–2 identifies common Security Token Service terminology. Introducing the Oracle Access Management Security Token Service 41-3 Security Token Service Key Terms and Concepts Table 41–2 Security Token Service Terms Term Description Security Token A security mechanism that protects messages using a token issued by a trusted Secure Token Service for message integrity and confidentiality protection. The issued tokens contain a key, which is encrypted for the server and which is used for deriving new keys for signing and encrypting. Service providers and consumers in potentially different managed environments can use a single Security Token Service to establish a chain of trust. The service does not trust the client directly, but instead trusts tokens issued by a designated Security Token Service. The Security Token Service is taking on the role of a second service with which the client must securely authenticate. Security Token Service A trusted third party in an explicit trust relationship with the server (and a trust relationship with the client). Security Token Service is one example. Secure Token Service A shared Web service that provides a standards-based consolidated mechanism of trust brokerage between different identity domains and infrastructure tiers. The service implements the protocol defined in the WS-Trust specification by making assertions based on evidence that it trusts, to whoever trusts it (or to specific recipients). This protocol defines message formats and message exchange patterns for issuing, renewing, canceling, and validating security tokens. To communicate trust, a service requires something to prove knowledge of a security token or set of security tokens. An XML Signature binds the sender's identity (or "signing entity") to an XML document, for example. The document is signed using the sender's private key, the signature is verified using the sender's public key. Request Security Token (RST) Request for a security token. Request Security Token Response (RSTR) Response generated by Security Token Service in response to the Request for Security Tokens with claims for the requested user. On Behalf Of (OBO) An OBO Request Security Token (RST) is used when only the identity of the original client is important. An OBO RST indicates that the requestor wants a token containing claims about only one entity: ■ ActAs Token Exchange the external entity represented by the token in the OnBehalfOf element. An ActAs RST requires composite delegation. The final recipient of the issued token can inspect the entire delegation chain (not just the client). An ActAs RST indicates that the requestor wants a token that contains claims about distinct entities: ■ The requestor ■ An external entity represented by the token in the ActAs element The exchange of one security token for another. The requestor (in order to invoke a web service) requires a particular token. It uses Security Token Service to exchange the incoming token with a token required by the service. 41-4 Administrator's Guide for Oracle Access Management Security Token Service Key Terms and Concepts Table 41–2 (Cont.) Security Token Service Terms Term Description WS-Security Web Services Security (WS-Security) specifies SOAP security extensions that provide confidentiality using XML Encryption and data integrity using XML Signature. The most prevalent security tokens used with WS-Security are Username, X.509 Certificates, SAML assertions, and Kerberos tickets (all supported by Oracle Web Service Manager). WS-Security also includes profiles that specify how to insert different types of binary and XML security tokens in WS-Security headers for authentication and authorization purposes: WS-* specifications often depend on each other. For example, WS-Policy is used in conjunction with WS-Security. WS-* specifications also leverage non-WS-* specifications; for example, WS-Security uses XML Encryption and XML Signature. For WS-Security, only SAML assertions are used. The protocols and bindings are provided by the WS-Security framework. Note: WS-Security, WS-Trust, WS-Policy have been transferred over to standards bodies such as the Organization for the Advancement of Structured Information Standards (OASIS) or the World Wide Web Consortium (W3C). WS-Trust Web Services Trust Language (WS-Trust) is a specification that uses the secure messaging mechanisms of WS-Security to facilitate trust relationships. WS-Trust defines a request and response protocol that enables applications to construct trusted SOAP message exchanges. Trust is represented through the exchange and brokering of security tokens. In a message exchange using WS-Security only, it is assumed that both parties involved in the exchange have a prior agreement on which type of security tokens they must use for sharing security information. However, there are cases where these parties do not have such an agreement, as a result trust must be established before exchanging messages. Trust between two parties exchanging SOAP / WS-Security-based messages is established by implementing the WS-Trust specification. WS-Policy Web Services Policy (WS-Policy). Together with WS-Security, WS-Policy is another key industry standard for Oracle Fusion Middleware security. WS-Policy is used in conjunction with WS-Security. A web service provider may define conditions (or policies) under which a service is to be provided. The WS-Policy framework enables one to specify policy information that can be processed by web services applications, such as Oracle Web Services Manager. A policy is expressed as one or more policy assertions representing a web service's capabilities or requirements. For example, a policy assertion may stipulate that a request to a web service be encrypted. Likewise, a policy assertion can define the maximum message size that a web service can accept. Certificates The certificates used by Security Token Service are self signed. The subject and the issuer field are identical. Out of the box, the OAM Server hosting Security Token Service is uniquely identified: Keystore Security Token Service key stores include: ■ System Keystore ■ Trust Keystore ■ Partner Keystore See Also: Chapter 44, "Managing Security Token Service Certificates and Keys" User Name Token (UNT) Identifies the requestor by their username, and optionally using a password (or shared secret, or password equivalent) to authenticate that identity. When using a username token, the user must be configured in the Default User Identity Store., Introducing the Oracle Access Management Security Token Service 41-5 Integrating the Oracle Web Services Manager Table 41–2 (Cont.) Security Token Service Terms Term Description X.509 Certificates A signed data structure designed to send a public key to a receiving party. A certificate includes standard fields such as certificate ID, issuer's Distinguished Name (DN), validity period, owner's DN, owner's public key, and so on. Certificates are issued by certificate authorities (CA), for example Verisign. A CA verifies an entity's identity and grants a certificate, signing it with the CA's private key. The CA publishes its own certificate which includes its public key. Each network entity has a list of the certificates of the CAs it trusts. Before communicating with another entity, a given entity uses this list to verify that the signature of the other entity's certificate is from a trusted CA. Security Assertion Markup Language (SAML) SAML Assertion An open framework for sharing security information on the Internet through XML documents. SAML provides: ■ ■ ■ ■ Assertions that define authentication and authorization information. Protocols to ask (SAML Request) and get (SAML Response) the assertions you need. Bindings that define how SAML Protocols ride on industry-standard transport (HTTP for instance) and messaging frameworks (SOAP for instance). Profiles that define how SAML Protocols and Bindings combine to support specific use cases. For WS-Security, only SAML assertions are used. However, the protocols and bindings are provided by the WS-Security framework. SAML assertions can include three types of statements: ■ ■ ■ Kerberos Authentication statement: issued by an authentication authority upon successful authentication of a subject. It asserts that Subject S was authenticated by Means M at Time T. Attribute statement: issued by an attribute authority, based on policies. It asserts that Subject S is associated with Attributes A, B, etc. with values a, b, and so on. Authorization decision statement (deprecated in SAML 2.0, now supported by XACML): issued by an authorization authority which decides whether to grant the request by Subject S, for Action A (read, write, and so on.), to Resource R (e.g., a file, an application, a web service), given Evidence E. A cross-platform authentication and single sign-on system. The Kerberos protocol provides mutual authentication between two entities relying on a shared secret (symmetric keys). Kerberos authentication requires a client, a server, and a trusted party to mediate between them called the Key Distribution Center (KDC). Also required: ■ ■ A Principal: An identity for a user (a user is assigned a principal), or an identity for an application offering Kerberos services. A Realm is a Kerberos server environment, which can be a domain name such as EXAMPLE.COM (by convention expressed in uppercase). Each Kerberos realm has at least one Web Services Security KDC. The Kerberos Token profile of WS-Security allows business partners to use Kerberos tokens in service-oriented architectures (SOAs). 41.4 Integrating the Oracle Web Services Manager In the 11g release, Oracle Web Services Manager (WSM) security and management has been integrated into the Oracle WebLogic Server along with Oracle WSM Agent functionality. Table 41–3 describes the WSM components. See Also: "About Access Manager Security Keys and the Embedded Java Keystore" 41-6 Administrator's Guide for Oracle Access Management Integrating the Oracle Web Services Manager Table 41–3 Integrated Oracle Web Services Manager Component Description Java Keystore (JKS) Required to store the signature and encryption keys required by the X.509 token on the client. JKS the proprietary keystore format defined by Sun Microsystems. Trusted certificates and public and private keys are stored in the keystore. To create and manage the keys and certificates in the JKS, use the keytool utility. Keys are used for a variety of purposes, including authentication and data integrity. If the client and Web service are in the same domain with access to the same keystore, they can share the same private/public key pair: ■ ■ Policy Interceptors The client can use the private key orakey to endorse the signature of the request message and the public key orakey to encrypt the symmetric key. The Web service in turn uses the public key orakey to verify the endorsement, and the private key orakey to decrypt the symmetric key. In Oracle Fusion Middleware 11g, Oracle WSM Agents are managed by the security and management policy interceptors. Policy Interceptors enforce policies, including reliable messaging, management, addressing, security, and Message Transmission Optimization Mechanism (MTOM). The Oracle WSM Agent manages the enforcement of policies using the Policy Interceptor Pipeline. For complete Oracle Web Services Manager details, including the differences between release 10g and 11g, see Oracle Fusion Middleware Security and Administrator's Guide for Web Services. Oracle WSM Agent The OWSM agent is the certified WS-Trust client that can be used to communicate with Security Token Service. The OWSM agent is embedded and used by Security Token Service for message protection only (to publish WS Policy and to enforce message protection on inbound and outbound WS messages). Security Token Service performs token validation/request authentication. ■ ■ Security Token Service embedded Oracle WSM Agent is used in the mode of "Message Protection Only" with authentication functionality disabled. This way all aspects related to authentication of incoming token are performed by Security Token Service only. Oracle WSM supports disabling of authentication using configuration overrides that Security Token Service must declare with each policy. Exception: The Kerberos token is handled by Oracle WSM and Security Token Service is involved in mapping only the identity. ■ The OWSM Agent is one of the certified WS-Trust clients that can be used to communicate with Security Token Service. Other 3rd party WS-Trust clients can be used to interact with Security Token Service. Note: Embedded means that the OWSM Agent is available as part of the JRF layer on the WebLogic Server that Security Token Service uses: Message/Token Protection Security Token Service/Access Manager manages its own keystore and trust store. For Oracle WSM to enforce message protection for Security Token Service, the OWSM key store is seeded with its own self-signed certificate; passwords for its corresponding keys are stored in CSF. It does not work with Security Token Service keystore. Note: Conversely, Oracle WSM requires Access Manager/Security Token Service to store keys related to message protection in the OPSS Keystore. For cases where the client uses schemes such as SKI, Thumbprint, and so on to refer to its certificate, Oracle WSM requires that client certificate(s) are present in the OPSS Keystore. Token Signing Key Security Token Service has strong security requirements around its token signing key and uses the token signing key to broker trust between a client and a relying party. Therefore, this key must be stored in an exclusive partition that only Security Token Service can access. Security Key Pairs Security Token Service creates separate key pairs for issued token security and message security to provide security of token signing keys and eliminate the need for Oracle WSM agents to work with Access Manager/Security Token Service keystore: OPSS Keystore ■ The message security key pair is populated to OPSS Keystore ■ The token security key pair is populated to Access Manager/Security Token Service keystore The message security key pair is populated to OPSS Keystore. For special cases where clients use referencing schemes such as SKI (not a certificate token being received as part of the Web service request), Security Token Service populates OPSS Keystore with the requesting party's certificates. This is an uncommon scenario. Security Token Service can provide instructions on manually provisioning the keys to OPSS keystore to make it work. Introducing the Oracle Access Management Security Token Service 41-7 Architecting the Security Token Service 41.5 Architecting the Security Token Service Security Token Service is a centralized token service that supports WS-Trust protocol. It also defines extensions to the WS-Security specification for issuing and exchanging security tokens and establishing trust relationships. The Security Token Service is hosted as a web service endpoint and coordinates security based interactions between a WSC and a WSP. All communication with the Security Token Service occurs through a WS_Trust client, as shown in Figure 41–1. Figure 41–1 Security Token Service Architecture When a WSC makes a call to the WSP, it gets the WS-Security policy that will indicate that a security token issued by Security Token Service should be presented. The policy will contain the location of the Security Token Service, and the WSC will use that location to contact the Security Token Service to retrieve the token expected by the WSP. (Alternately, the WSP could register its acceptable security mechanisms with the Security Token Service and, before validating the incoming SOAP request, check with the Security Token Service to determine its security mechanisms). When an authenticated WSC (carrying credentials that confirm either the identity of the end user or the application) requests a token for access to a WSP, the Security Token Service verifies the credentials and, in response, issues a security token that provides proof that the WSC has been authenticated. The WSC presents the security token to the WSP which verifies that the token was issued by a trusted Security Token Service. 41.6 Security Token Service Supported Token Matrix Figure 41–2 documents the token support matrix for Security Token Service. Figure 41–2 Security Token Service Token Support 41-8 Administrator's Guide for Oracle Access Management Deploying Security Token Service 41.7 Deploying Security Token Service This section provides overviews of different deployment options: ■ Centralized Token Authority Deployment ■ Tokens Behind a Firewall Deployment ■ Web Services SSO Deployment See Also: "Scenario: Identity Propagation with the Access Manager Token" on page 42-2 41.7.1 Centralized Token Authority Deployment The need for a token exchange for security integration between Web SSO and Web service security tiers is in demand in a deployment where a Web application makes internal or external Web service calls. An example of this is an intranet portal integration with an external Web service provided by a partner or another organization within the same company. The portal needs a way to securely access the service but the difficulty of security integration in this case stems from the fact that the Web SSO tier and WS tier use different methods of user authentication. In the Web SSO environment, the Web application can accept WAC-issued session tokens (SMSESSION, OBSSO), SAML assertions or proprietary tokens to authenticate the users. The WS* security tier also uses a variety of standard and proprietary tokens and, in most cases, local translation of token is required to achieve integration between the two tiers. Additionally, the WS performing the translation must contact the authority by which the token was issued (Oracle Adaptive Access Manager) to decompose the token before it can be translated. Decomposition requires every WS service to maintain trust with WAC systems; this is complex and not very secure because of multiple trust links that need to be maintained. With the introduction of Security Token Service, the translation of tokens can be done at the centralized authority as illustrated in Figure 41–3. Figure 41–3 Token Translation at a Centralized Authority 41.7.2 Tokens Behind a Firewall Deployment The situation when applications rely on special form of credentials for their business logic is very common in deployments of Oracle access products. Integrations of WAC Introducing the Oracle Access Management Security Token Service 41-9 Deploying Security Token Service systems with both Oracle and custom applications almost always require extensive coding for: 1. Decomposing tokens issued by one token authority (such as OAM or SiteMinder) by calling a proprietary vendor API (SM agent API or ASDK). 2. Composing a new token format (PSFT, Siebel), that the application requires for its internal business logic. Although such translations are often handled through application coding, it introduces the risk of exposing user names and passwords when the code is deployed on multiple application instances in the DMZ. Thus, Security Administrators need an ability to control the translation process by externalizing it from the application. Introducing the Security Token Service provides significant relief in this situation. Security Token Service plays the role of a centralized token authority, performing token translation behind the firewall, as shown in Figure 41–4. Figure 41–4 Translating Tokens Behind a Firewall Application 1 and Application 2 are protected by Access Manager. Application 2 relies on a different type of token for its internal business logic. It has a client-side connector that contacts Security Token Service for exchanging the OBSSO token for a username token. The Security Token Service relies on Access Manager for decomposing the OBSSO token and generates the new token required by Application 2. This is more secure, because the same authority (Access Manager) performs both operations (composing and decomposing the OBSSO token) thus, there is no need to decompose the token on the application side. 41.7.3 Web Services SSO Deployment As in the Web SSO case, Web services SSO is a convenience feature. The difference is that in the case of Web SSO the party who benefits from the feature is a user; in the WS SSO environment, the Security Administrator benefits. With Web services SSO different Web services have different token requirements (that change often). Externalizing the exchange to Security Token Service enables the application to simply supply the target and the current token in its possession. Security Token Service takes charge of determining the token type for each requested service. When one or more Web services change their authentication requirements, Security Token Service can seamlessly verify the token type submitted by the application. If the token is not of the requested type, the old token is revoked and the new one of the correct type is issued. Figure 41–5 illustrates Web services SSO. 41-10 Administrator's Guide for Oracle Access Management Installing Security Token Service Figure 41–5 Web Services SSO 41.8 Installing Security Token Service This section provides an overview of the installation options: ■ Security Token Service Cluster in Single WLS Domain ■ Endpoint Exposure through a Web Server Proxy ■ Security Token Service Installation Overview ■ Post-Installation Tasks: Security Token Service 41.8.1 Security Token Service Cluster in Single WLS Domain This installation option leverages clustering across Security Token Service instances deployed in different managed servers within a single WebLogic domain. This deployment topology facilitates High Availability capabilities through a load balancer. By default, Access Manager co-exists on the same managed server as Security Token Service. However, Security Token Service is disabled by default and must be manually enabled before it can be used. This deployment topology supports: ■ ■ Deploying multiple instances of Security Token Service through the suite installer. Deploying a load balancer to support the High Availability and failover scenarios on the front of the Security Token Service cluster. For more information, see the Oracle Fusion Middleware High Availability Guide. 41.8.2 Endpoint Exposure through a Web Server Proxy This installation option provides inter-operability of Requester and Relying Party with Third-party STS Servers. At runtime, Security Token Service supports interoperability with Requesters and Relying Parties of third-party security token servers using the OPSS WS-Trust-Provider. For instance, a third-party Security Token Service can create a valid SAML Assertion that can be consumed by Security Token Service. Introducing the Oracle Access Management Security Token Service 41-11 Administrating the Security Token Service 41.8.3 Interoperability of Requester and Relying Party with Other Oracle WS-Trust based Clients All run-time scenarios for Requesters and Relying Parties are supported by other Oracle WS-Trust Clients, including WLSClient, MetroClient, and Oracle Web Services Manager (Oracle WSM). All Web services clients are supported with Security Token Service only through the WS-Trust binding. 41.8.4 Security Token Service Installation Overview Access Manager and Security Token Service are installed together from a single EAR file and deployed on the same managed server in a WebLogic domain. The Oracle WSM Agent uses a keystore for various cryptographic operations. For those tasks, the Oracle WSM Agent uses the keystore configured for Oracle WSM tasks. During installation, if the Oracle WSM keystore service has not been configured, the installer: ■ ■ ■ Creates a new keystore in the $DOMAIN_HOME/config/fmwconfig folder (default name is default-keystore.jks Creates a key entry with the corresponding certificate to be used by OWSM for signature and encryption operations. This key entry is stored in the OWSM Keystore under the orakey alias Stores the passwords of the key entry and of the keystore in CSF Having access to the keystore is sometimes required to: ■ Extract the signing or encryption certificate to distribute to clients, if needed ■ Update or replace the signing or encryption key entry ■ Add trusted certificates For more information, see the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. 41.8.5 Post-Installation Tasks: Security Token Service Any server hosting Security Token Service must be registered with Access Manager. This can occur automatically during installation, or manually after installation. All Security Token Service system configuration is done using the Oracle Access Management Console. Elements in the Oracle Access Management Console enable Administrators to easily configure the Security Token Service to exchange WS Trust tokens with partners. Other Security Token Service elements provide for creation, viewing, modification, and removal of partners, endpoints, validation templates, issuance templates, and data store connections. For more details on the Security Token Service, see Part X, "Managing Oracle Access Management Security Token Service". 41.9 Administrating the Security Token Service During initial deployment, using the Oracle Fusion Middleware Configuration Wizard, the Administrator userID and password are set. Administrators can log in and use the Oracle Access Management Console (and WebLogic Server Administration Console). A single LDAP group, the WebLogic Server "Administrators" group, is set by default. For more information, see Chapter 2, "Getting Started with Oracle Access Management". 41-12 Administrator's Guide for Oracle Access Management 42 Security Token Service Implementation Scenarios 42 This chapter introduces several Security Token Service implementation and processing scenarios. Regardless of scenario specifics, there are many similarities in both configuration tasks and token handling. This chapter provides the following sections: ■ Prerequisites ■ Typical Token Ecosystem ■ Scenario: Identity Propagation with the Access Manager Token ■ Scenario: Web Service Security With On Behalf Of Username Token 42.1 Prerequisites "Introducing the Oracle Access Management Security Token Service" on page 41-1. 42.2 Typical Token Ecosystem The abstract model chosen here is of interest because of the requirements placed on Security Token Service to support such models. The phrase security token ecosystem is used here to represent a typical environment where security tokens are in use. In such environments the security token, based on the security model required for the environment, could be used to serve an end goal such as to enable brokered trust or single-sign-on and so on. Regardless of the environment and the type of security token, several aspects are common across all models, as shown and described here. Figure 42–1 illustrates a typical token ecosystem, which includes: Token Issuing Authority, Token Requestor, Token Consumer, and the Security Token. Security Token Service Implementation Scenarios 42-1 Scenario: Identity Propagation with the Access Manager Token Figure 42–1 Typical Token Ecosystem Actors and Process overview: In a typical token ecosystem 1. The Token Requestor places a request for a security token at the Token Issuing Authority. This security token is required to communicate and request access to a service provided by a Service Provider (a Token Consumer who accepts the security token). ■ ■ 2. A Token Requestor could be an End User (generally not registered with the Token Issuing Authority). The Token Issuing Authority (Access Manager and Security Token Service, for example) receives and processes the security token request and returns a security token, as follows: ■ ■ 3. A Token Requestor could be a Partner of the Token Issuing Authority (generally registered with the Token Issuing Authority). Authenticate the input credentials. Authorize the security token request based on a Token Issuance Policy that specifies which Token Requestors are authorized to request a security token for a given Token Consumer. The Token Consumer (typically a service provider). ■ ■ Accepts the security token as part of the service request and provides service based on the validity of the input security token. Validates the input security token with Token Issuing Authority. A Token Consumer is typically a registered Partner of the Token Issuing Authority. A Token Consumer is also known as a Relying Party, because it trusts and relies on the Token Issuing Authority for Token Requestor authentication. Token Consumers (Relying Party Partner) are Web Applications (for Access Manager, Security Token Service is the Token Issuing Authority) or STS Relying Party Web Services. Note: 42.3 Scenario: Identity Propagation with the Access Manager Token This is a deployment where the user's Identity information needs to be propagated from a Web application to a Web service provider. The Web service provider can reside in the same security domain as the web application or in a different security domain. 42-2 Administrator's Guide for Oracle Access Management Scenario: Identity Propagation with the Access Manager Token Figure 42–2 Identity Propagation with the OAM Token Identity propagation means that the original user context becomes visible outside its original security tier or domain boundaries. The user security context is propagated across different security tiers or domains to support tier-specific or domain-specific security needs such as step-up authentication, authorization, audit and/or internal application-specific business logic. ID Propagation is said to occur in a distributed processing of a request when the identity context established in the first node is propagated to subsequent nodes to enable further processing of the request in the context of that identity. ID Propagation can be achieved in several ways. One of them is based on a brokered-trust model where an ID provider acts as a trust-broker for ID Assertions. The discussion here is pertains to this model. Figure 42–3 illustrates an ID Propagation scenario in a brokered-trust model, where a user-facing application needs to request processing by a backend service application in the context of the end user. To bring out the main aspects of ID propagation all other interaction and relationship details between end user, application, and backend service application are ignored. Figure 42–3 Process Flow During Identity Propagation Actors and Process overview: Identity Propagation 1. The ID Assertion Token Requestor (an End User-Facing Application), upon end user access, requests authentication and ID Assertion Token at the identity Provider. Examples of ID Assertion Token Requestors include Web applications that are protected by OAM. The ID Assertion Token request could be either implicit or could be driven by a policy at the ID Provider. Note: 2. The ID Provider (Security Token Service) processes the request and returns an Authentication Token and an ID Assertion Token. An ID Assertion Token, in itself, Security Token Service Implementation Scenarios 42-3 Scenario: Identity Propagation with the Access Manager Token does not represent a user session and cannot be used independently to request direct access to a resource or service. 3. The ID Assertion Token Requestor uses this Token later, during the end user session, as part of a backend service processing request (on behalf of the end user). 4. The ID Assertion Token Consumer (Security Token Service), as part of the request processing, first validates the ID Assertion Token and then (on validation success) processes the request in the context of the end user Identity For more information, see the following topics: ■ Component Processing: Identity Propagation with the OAM Token ■ Request Security Token Attributes and Run Time Processing ■ Configuration Requirements: Identity Propagation with the OAM Token 42.3.1 Component Processing: Identity Propagation with the OAM Token Figure 42–4 illustrates a typical deployment topology for Identity propagation using Security Token Service with Access Manager. Figure 42–4 Identity Propagation Deployment Figure 42–5 illustrates a processing of Identity propagation using Security Token Service with Access Manager. Details follow the figure. Figure 42–5 Identity Propagation Processing 42-4 Administrator's Guide for Oracle Access Management Scenario: Identity Propagation with the Access Manager Token Process overview: Component interactions for Identity Propagation 1. User attempts to access a protected resource. 2. WebGate is protecting the resource; it sends request to Access Manager for authentication and authorization. 3. Access Manager authenticates the user using the policy configured for this WebGate Application Domain. It sees the response type "IDENTITY_ASSERTION" is configured for this Webgate, so it generates ID Assertion token as well. 4. Access Manager sends authentication and ID assertion token to WebGate 5. WebGate processes the response; sets ID assertion token to the header; (OHS where WebGate is installed on) then redirect the request to the WLS that hosts the resource. 6. IAP (Access Manager Identity Asserter on WebLogic Server) sees OAM_ IDENTITY_ASSERTION header is set, processes the headers, then sets ID assertion token to Subject's private credential as OamIdentity. 7. When the resource is finally accessed, a Web Service Client can then obtain the ID assertion token from current user's Subject, generates a OnBehalfOf (OBO) token with it, then creates and sends Request Security Token (RST) to Security Token Service. 8. Security Token Service sees the ID assertion Token inside OBO token, it sends validation/authentication request to Access Manager using Access Manager library. 9. Access Manager validates and authenticates the ID Assertion Token, then sends response (user identity) to Security Token Service. 10. Security Token Service uses this user identity to do further processing: policy evaluation, token issuance, and so on. It then generates Request Security Token Response. 11. Security Token Service sends Request Security Token Response to the client, which can then use the token inside the Request Security Token Response (RSTR) to create a web service request to access a service hosted on a relying party. 42.3.2 Request Security Token Attributes and Run Time Processing For an incoming Request Security Token (RST) with the following attributes, Security Token Service must be configured to process a request and issue a token): RST Attributes for Identity Propagation with the OAM Token ■ The SOAP header contains a Username token referencing a WS Requester. The Username token contains at least a username and a password. ■ ■ The SOAP body contains a WS-Trust RST message The RST contains a OAM ID Propagation token in the OnBehalfOf field referencing a user in LDAP. The token included in the OnBehalfOf element is a BinarySecrityToken, whose text value is the Base 64 encoded format of the OAM Session Propagation Token, and whose ValueType attribute is http://something.example.com/am/2012/11/token/session-propagation and whose EncodingType attribute is http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-sec urity-1.0#Base64Binary Security Token Service Implementation Scenarios 42-5 Scenario: Identity Propagation with the Access Manager Token ■ ■ ■ ■ The RST can possibly contain an AppliesTo field holding a URL pointing to the endpoint of the Relying Party Web Service The RST can possibly contain a TokenType field holding the type of token that needs to be returned The RST can possibly contain an Entropy field holding random data that will be used when creating the SecretKey when a symmetric proof key is required in the SAML Assertion The RST can possibly contain a UseKey field holding the certificate or public key to be used as an asymmetric proof key in the SAML Assertion, but this field will be ignored by Security Token Service Process overview: Identity Propagation with the OAM Token Client prepares the request by: 1. a. Creating the SOAP message b. Creating the Username token referencing the client and including it in the SOAP header c. Creating the WS-Trust RST message d. Creating the OAM ID Propagation token referencing the user and including it in the OnBehalfOf field of the RST e. Including the RST message in the SOAP body 2. Client sends the message to the Security Token Service, to an endpoint protected by a WS-Security User Name Token (UNT) Policy, with that endpoint being mapped to an Security Token Service WSS Validation Template. 3. Security Token Service will process the incoming request 4. Security Token Service validates the token included in the SOAP header by using the settings contained in the WS-Security Validation Template: 5. 6. a. Validates the format of the Username token b. Validates the credentials contained in the Username token against the Security Token Service Partner store, thus mapping this token to a Requester Partner c. Knowing the Requester Partner, Security Token Service will retrieve the Requester Partner Profile associated with this Requester Security Token Service then validates the token present in the OnBehalfOf field: a. Determines the type of token present in the OnBehalfOf field b. Retrieves the WS-Trust Validation Template to be used for OAM Token Type, from the Requester Partner Profile c. Validates the format of the OAM token d. Validates the OAM token, and maps the token to a user e. Creating the OAM ID Propagation token referencing the user and including it in the OnBehalfOf field of the RST Security Token Service then examines the AppliesTo field: ■ If present, Security Token Service will attempt to map the AppliesTo URL to a Relying Party Partner, using the WS Endpoint Mapping of the Relying Party Partner. If the mapping is successful, then the AppliesTo field has been mapped to a Relying Party Partner, and Security Token Service will retrieve 42-6 Administrator's Guide for Oracle Access Management Scenario: Identity Propagation with the Access Manager Token the Relying Party Partner Profile from this Partner. If mapping was not successful, then the AppliesTo field could not be mapped to a Relying Party Partner, and Security Token Service will retrieve the Default Relying Party Partner Profile from the Requester Partner Profile. ■ 7. If absent, Security Token Service will retrieve the Default Relying Party Partner Profile from the Requester Partner Profile. Security Token Service then examines the TokenType field: ■ ■ If present, Security Token Service will map the TokenType string to a local token type value using the Requester Partner Profile, and it will then use the Relying Party Partner Profile to retrieve the Issuance Template to be used to create the outgoing token. If absent, Security Token Service will retrieve the default token type from the Relying Party Partner Profile, and it will then use the Relying Party Partner Profile to retrieve the Issuance Template to be used to create the outgoing token. 8. Security Token Service will perform an Authorization evaluation to check that the Requester Partner is authorized to request a token for the Relying Party referenced in the flow (see Authorization Trust Policy for more information) 9. Security Token Service will then create the token: ■ ■ If the token to be issued is of SAML type, then the Issuance Template will list how to populate the NameID, the Relying Party Partner Profile will list which attributes need to be sent in the token, the Issuance Template will indicate whether or not to translate the names and values of the attributes, the Issuance Template will indicate whether or not to sign/encrypt the token. If the token to be issued if of SAML type, the Security Token Service server will examine the KeyType to determine the Subject Confirmation Method of the Assertion. If it is missing, it will use the Default Confirmation Method from the Issuance Template. 10. Security Token Service will create the Response that the client will process: a. Creates the WS-Trust RSTRC b. Includes the returned token c. Includes proof key if necessary 42.3.3 Configuration Requirements: Identity Propagation with the OAM Token This topic walks through the configuration requirements for the identity propagation scenario. It includes: ■ Configuration overview: Identity Propagation with the OAM Token ■ WebLogic Server Identity Assertion Providers ■ Access Manager Identity Asserter Details ■ LDAP Authentication Provider Details ■ Default Identity Store Configuration ■ Token Issuance Policy ■ Authentication Policy Response for Identity Assertion by Webgate ■ Endpoint Configuration Security Token Service Implementation Scenarios 42-7 Scenario: Identity Propagation with the Access Manager Token ■ Issuance Template Configuration ■ Partner Configuration: Requester ■ Partner Profile: Relying Party ■ Partner Profile: Requester ■ Validation Template for WS-TRUST ■ Cookies and Headers (Truncated) ■ Request Security Token Sent By the Client (Truncated) ■ Request Security Token Response sent by the Security Token Service (Truncated) Configuration overview: Identity Propagation with the OAM Token Following is an overview of the Identity Propagation environment and implementation tasks: ■ ■ ■ A custom application module that will act as a client to: – Retrieve the OAM Session Propagation token from the HTTP request – Send a WS-Trust request to the Security Token Service server with Access Manager Session Propagation token as the OnBehalfOf element A web application that will be protected by Webgate and will invoke the client web application that will send a WS-Trust request to Security Token Service Security Token Service URL: http://myhost.domain.com:14100/sts/ Note: Replace with the path configured in the STS Endpoints section. ■ An OHS 11g with Webgate protecting the web application Provision (register) a Webgate (11g or 10g) to protect the application deployed in WebLogic Server. The OAMSuite Application Domain is pre-seeded and delivered with Access Manager 11g. When you provision an OAM Agent to use this (or another existing) Application Domain, decline the option of having policies automatically created. Reverse Proxy mapping for Webgate in the OHS Server mod_wl_ohs.conf, is shown here. The following Security Token Service configuration is required to implement token processing for identity propagation: ■ One Requester Partner Profile ■ One Relying Party Partner Profile ■ One Issuance Template ■ One WS-Trust Validation Template 42-8 Administrator's Guide for Oracle Access Management Scenario: Identity Propagation with the Access Manager Token ■ ■ Security Token Service Endpoint An LDAP server is required for Security Token Service to map the Username token referencing the user to an LDAP User record, and thus use that record to populate the outgoing token. Ensure that the desired LDAP server is configured as the Default Identity Store. WebLogic Server Identity Assertion Providers Deploy the Identity Assertion Providers war. The Access Manager Identity Asserter is available in the following path with Oracle Fusion Middleware installed: $ORACLE_HOME/modules/oracle.oamprovider_11.1.1/oamauthenticationprovider.war Copy oamauthenticationprovider.war to the following location: $BEA_HOME/wlserver_10.x/server/lib/console-ext/autodeploy/oamauthentication provider.war Figure 42–6 illustrates the required WebLogic Server Identity Assertion Providers configuration for this scenario. Figure 42–6 Required v1.0 WebLogic Server Identity Assertion Providers Access Manager Identity Asserter Details The IAP-Security Token Service identity asserter must be the first, and set using the REQUIRED Control flag. The Active Types should be set as ObSSOCookie and OAM_ REMOTE_USER, with an SSO Header name of OAM_REMOTE_USER1. Figure 42–7 illustrates the configuration. Security Token Service Implementation Scenarios 42-9 Scenario: Identity Propagation with the Access Manager Token Figure 42–7 IAP-Security Token Service Details LDAP Authentication Provider Details Create the Authenticator for the LDAP with the OPTIONAL JAAS flag. This will point to the Default System Store of Oracle Access Management, which provides the Access Manager token. Figure 42–8 illustrates this. 42-10 Administrator's Guide for Oracle Access Management Scenario: Identity Propagation with the Access Manager Token Figure 42–8 LDAP Provider: IAP-DSEE Default Identity Store Configuration Figure 42–9 illustrates the Default Identity Store configuration within Oracle Access Management Console. Security Token Service Implementation Scenarios 42-11 Scenario: Identity Propagation with the Access Manager Token Figure 42–9 Default Identity Store Defined in Access Manager Token Issuance Policy Create the Token Issuance Policy for the resource URL within the IAM Suite Application Domain. Figure 42–10 is a screenshot of the Token Issuance Policy page. Figure 42–10 Token Issuance Policy for Identity Propagation 42-12 Administrator's Guide for Oracle Access Management Scenario: Identity Propagation with the Access Manager Token Authentication Policy Response for Identity Assertion by Webgate Identity Assertion is required for ID propagation for any issued token from Access Manager that represents an end user (and possibly its OAM session). The Identity Assertion Token is generated and returned as a policy response (HTTP HEADER named "OAM_IDENTITY_ASSERTION" with a value as a SAML token) after a successful authentication. Security Token Service clients that are Web applications protected by Access Manager requesting tokens to gain proxy access to a Relying Party (ID Propagation use case) are required to pass an OAM Identity Assertion token that represents the end user. The ID Provider (Access Manager) processes the request and returns an Authentication Token and an ID Assertion Token. An ID Assertion Token, in itself, does not represent a user session and cannot be used independently to request direct access to a resource or service. The ID Assertion Token Requestor uses this Token later, during the end user session, as part of a backend service processing request (on behalf of the end user). The ID Assertion Token Consumer (Security Token Service), as part of request processing, first validates the ID Assertion Token and then (on validation success) processes the request in the context of the end user Identity. See Also: "Introduction to Policy Responses for SSO" on page 25-68. Confirm that the Identity Assertion box is checked as part of the Authentication Policy Response within the IAM Suite Application Domain. This enables Webgate to perform Identity Assertion for protected resources. As you add each Response, you might be informed that Identity Assertion has not been enabled for this policy. Enable Identity Assertion in order to collect Assertion Attribute type responses (when this policy is executed). See Also: "Adding and Managing Policy Responses for SSO" on page 25-75. Endpoint Configuration The /wss10user Endpoint is needed, as shown in Figure 42–11. This endpoint is protected by the default WS-Security Validation Template. This is the one that will be used in the Web application to post the RST. Figure 42–11 /wssuser Endpoint for Identity Assertion Issuance Template Configuration The Issuance Template requires the following configuration for Identity Propagation: ■ Name: iap-issuance-template ■ Description: Custom issuance template Security Token Service Implementation Scenarios 42-13 Scenario: Identity Propagation with the Access Manager Token ■ Token Type: SAML 2.0 ■ Signing Key Id: osts_signing ■ Description: Custom issuance template Partner Configuration: Requester Create a new Requester Partner configuration for Identity Propagation with the OAM token as follows: ■ Partner Name: iap-request-partner ■ Requester Type: STS_REQUESTER ■ Partner Profile: iap-requestor-profile ■ Description: Custom requester ■ Trusted ■ Username Token Authentication ■ – Username – Password – Confirm Password Identity Attribute values for: – httpbasicusername – sslclientcertdn Partner Profile: Relying Party Create a new Relying Party Profile for Identity Propagation as follows: ■ Profile ID: iap-relyingparty-profile ■ Description: iap-issuance-template ■ Default Token Type: SAML 2.0 ■ Default Template: iap-issuance-template Partner Profile: Requester Create a new Requester Profile for Identity Propagation as follows: ■ Profile ID: iap-requestor-profile ■ Description: iap-requestor-profile partner profile ■ Default Relying Party Profile: iap-relyingparty-profile Validation Template for WS-TRUST The Validation Template requires the following configuration for Identity Propagation: ■ Validation Template Name: iap_wstrust_validation_template ■ Description: iap_wstrust_validation_template ■ Token Protocol: WS-Trust ■ Token Type: OAM ■ Timestamp Lifespan: 42-14 Administrator's Guide for Oracle Access Management Scenario: Identity Propagation with the Access Manager Token This completes the configuration requirements for the Identity Propagation with OAM Token scenario. 42.3.4 Testing Your Implementation Following configuration, you can try to access the resource to confirm your implementation is working properly. Webgate should redirect to the OAM Server if there is no existing session for the user Upon successful authentication, you should be able to see the RST and RSTR sent by the STS server. Cookies and Headers (Truncated) Request Security Token Sent By the Client (Truncated) Here is a (truncated) request for security token sent by the client. Request Security Token Response sent by the Security Token Service (Truncated) Here is a (truncated) response to the RST sent by the Security Token Service. Security Token Service Implementation Scenarios 42-15 Scenario: Web Service Security With On Behalf Of Username Token 42.4 Scenario: Web Service Security With On Behalf Of Username Token This section provides the following topics: ■ Component interactions for Identity Propagation with Username Token ■ RST Attributes and Processing for Identity Propagation with a Username Token ■ Configuration Requirements: Identity Propagation with the Username Token 42.4.1 Component interactions for Identity Propagation with Username Token Process overview: Component interactions for Identity Propagation 1. User attempts to access a protected resource. 2. User is authenticated. 3. The WebLogic container sets the user's identity into a Subject for this session. 4. When the resource is finally accessed, a Web Service Client can then obtain the user's identity from current user's Subject, generates a OnBehalfOf (OBO) token with it, then creates and sends Request Security Token (RST) to Security Token Service. 5. Security Token Service authenticates the Web Service Client as a Requester Partner. 6. Security Token Service sees the Username Token inside OBO token, it maps the maps the user's identity to a user record in LDAP. 7. Security Token Service then generates Request Security Token Response. 8. Security Token Service sends Request Security Token Response to the client, which can then use the token inside the Request Security Token Response (RSTR) to create a web service request to access a service hosted on a relying party. 42.4.2 RST Attributes and Processing for Identity Propagation with a Username Token For an incoming Request Security Token (RST) with the following attributes, Oracle Security Token Service must be configured to process a request and issue a token. RST Attributes for Identity Propagation with a Username Token ■ The SOAP header contains a Username token referencing a WS Requester. The Username token contains at least a username and a password. ■ ■ ■ ■ ■ ■ The SOAP body contains a WS-Trust RST message. The RST contains a Username Token in the OnBehalfOf field referencing a user in LDAP. The RST can possibly contain an AppliesTo field holding a URL pointing to the endpoint of the Relying Party Web Service. The RST can possibly contain a TokenType field holding the type of token that needs to be returned. The RST can possibly contain an Entropy field holding random data that will be used when creating the SecretKey when a symmetric proof key is required in the SAML Assertion. The RST can possibly contain a UseKey field holding the certificate or public key to be used as an asymmetric proof key in the SAML Assertion, but this field will be ignored by Security Token Service. 42-16 Administrator's Guide for Oracle Access Management Scenario: Web Service Security With On Behalf Of Username Token Process overview: Identity Propagation with the OAM Token 1. Client prepares the request by: ■ ■ ■ ■ ■ Creating the SOAP message Creating the Username token referencing the client and including it in the SOAP header. Creating the WS-Trust RST message. Creating the Username Token referencing the user and including it in the OnBehalfOf field of the RST. Including the RST message in the SOAP body. 2. Client sends the message to the Security Token Service, to an endpoint protected by a WS-Security User Name Token (UNT) Policy, with that endpoint being mapped to an Security Token Service WSS Validation Template. 3. Security Token Service will process the incoming request. 4. Security Token Service validates the token included in the SOAP header by using the settings contained in the WS-Security Validation Template: ■ ■ ■ 5. ■ ■ Knowing the Requester Partner, Security Token Service will retrieve the Requester Partner Profile associated with this Requester. Determines the type of token present in the OnBehalfOf field. Retrieves the WS-Trust Validation Template to be used for Username Token Type, from the Requester Partner Profile. Validates the Username Token, and maps the token to a user. Security Token Service then examines the AppliesTo field: ■ ■ 7. Validates the credentials contained in the Username token against the Security Token Service Partner store, thus mapping this token to a Requester Partner. Security Token Service then validates the token present in the OnBehalfOf field: ■ 6. Validates the format of the Username token. If present, Security Token Service will attempt to map the AppliesTo URL to a Relying Party Partner, using the WS Endpoint Mapping of the Relying Party Partner. If the mapping is successful, then the AppliesTo field has been mapped to a Relying Party Partner, and Security Token Service will retrieve the Relying Party Partner Profile from this Partner. If mapping was not successful, then the AppliesTo field could not be mapped to a Relying Party Partner, and Security Token Service will retrieve the Default Relying Party Partner Profile from the Requester Partner Profile. If absent, Security Token Service will retrieve the Default Relying Party Partner Profile from the Requester Partner Profile. Security Token Service then examines the TokenType field: ■ ■ If present, Security Token Service will map the TokenType string to a local token type value using the Requester Partner Profile, and it will then use the Relying Party Partner Profile to retrieve the Issuance Template to be used to create the outgoing token. If absent, Security Token Service will retrieve the default token type from the Relying Party Partner Profile, and it will then use the Relying Party Partner Profile to retrieve the Issuance Template to be used to create the outgoing token. Security Token Service Implementation Scenarios 42-17 Scenario: Web Service Security With On Behalf Of Username Token 8. Security Token Service will perform an Authorization evaluation to check that the Requester Partner is authorized to request a token for the Relying Party referenced in the flow (see Authorization Trust Policy for more information). 9. Security Token Service will then create the token: ■ ■ If the token to be issued is of SAML type, then the Issuance Template will list how to populate the NameID, the Relying Party Partner Profile will list which attributes need to be sent in the token, the Issuance Template will indicate whether or not to translate the names and values of the attributes, the Issuance Template will indicate whether or not to sign/encrypt the token. If the token to be issued if of SAML type, the Security Token Service server will examine the KeyType to determine the Subject Confirmation Method of the Assertion. If it is missing, it will use the Default Confirmation Method from the Issuance Template. 10. Security Token Service will create the Response that the client will process: ■ Creates the WS-Trust RSTRC ■ Includes the returned token ■ Includes proof key if necessary 42.4.3 Configuration Requirements: Identity Propagation with the Username Token This topic walks through the configuration requirements for the identity propagation scenario. It includes: ■ Configuration overview: Identity Propagation with the Username Token ■ Default Identity Store Configuration ■ Token Issuance Policy ■ Endpoint Configuration ■ Issuance Template Configuration ■ Partner Configuration: Requester ■ Partner Profile: Relying Party ■ Partner Profile: Requester ■ Validation Template for WS-TRUST ■ Example 42–1, "Sample exchange: Request Security Token Sent By the Client" ■ Example 42–2, "Request Security Token Response sent by the Security Token Service" Configuration overview: Identity Propagation with the Username Token Following is an overview of the Identity Propagation environment and implementation tasks: ■ ■ A web application where the user will request. This web application will authenticate the user, then attempt to send a SOAP message to a remote Web Service Provider. As part of that SOAP exchange, the WS-Security client will download the WS-Security policy of the Web Service Provider, connect to the Security Token Service to retrieve the token requested by the Web Service Provider, send the Security Token with the SOAP message to the Web Service Provider. Security Token Service URL: http://myhost.domain.com:14100/sts/ 42-18 Administrator's Guide for Oracle Access Management Scenario: Web Service Security With On Behalf Of Username Token Note: Replace with the path configured in the STS Endpoints section. The following Security Token Service configuration is required to implement token processing for identity propagation: ■ One Requester Partner Profile ■ One Relying Party Partner Profile ■ One Issuance Template ■ One WS-Trust Validation Template ■ Security Token Service Endpoint ■ ■ An LDAP server is required for Security Token Service to map the Username token referencing the user to an LDAP User record, and thus use that record to populate the outgoing token. Ensure that the desired LDAP server is configured as the Default Identity Store for Access Manager. Default Identity Store Configuration Figure 42–12 illustrates the Default Identity Store configuration within Oracle Access Management Console. Figure 42–12 Default Identity Store Defined for Access Manager Token Issuance Policy Create the Token Issuance Policy for the resource URL within the IAMSuite Application Domain. Figure 42–13 is a screen shot of the Token Issuance Policy page. Security Token Service Implementation Scenarios 42-19 Scenario: Web Service Security With On Behalf Of Username Token Figure 42–13 Token Issuance Policy for Identity Propagation Endpoint Configuration The /wss11user Endpoint is needed, as shown in Figure 42–14. This endpoint is protected by the default WS-Security Validation Template. This is the one that will be used in the Web application to post the RST. Figure 42–14 /wss11user Endpoint for Identity Assertion Issuance Template Configuration The Issuance Template requires the following configuration for Identity Propagation: ■ Name: saml-issuance-template ■ Description: SAML issuance template ■ Token Type: SAML 2.0 ■ Signing Key Id: osts_signing Partner Configuration: Requester Create a new Requester Partner configuration for Identity Propagation with the OAM token as follows: ■ Partner Name: requester-partner ■ Partner Type: Requester ■ Partner Profile: requester-profile ■ Description: Requester 42-20 Administrator's Guide for Oracle Access Management Scenario: Web Service Security With On Behalf Of Username Token ■ Trusted ■ Username Token Authentication ■ – Username – Password – Confirm Password Identity Attribute values for: – httpbasicusername – sslclientcertdn Partner Profile: Relying Party Create a new Relying Party Profile for Identity Propagation as follows: ■ Profile ID: relying-party-profile ■ Description: Relying Party Profile ■ Default Token Type: SAML 2.0 ■ Issuance Template: iap-issuance-template for SAML 2.0 Partner Profile: Requester Create a new Requester Profile for Identity Propagation as follows: ■ Profile ID: requester-profile ■ Description: Requester Partner Profile ■ Default Relying Party Profile: relying-party-profile Validation Template for WS-TRUST The Validation Template requires the following configuration for Identity Propagation: ■ Validation Template Name: username_wstrust_validation_template ■ Description: Username WS-Trust Template ■ Token Protocol: WS-Trust ■ Token Type: Username ■ Timestamp Lifespan: 600 ■ Enable Credential Validation: unchecked ■ Token Mapping: – Map Token To User: checked – Enable Simple User Mapping: checked – Datastore Attribute: uid This completes the configuration requirements for the Identity Propagation with Username Token scenario. Example 42–1 Sample exchange: Request Security Token Sent By the Client Here is a request for security token sent by the client. Security Token Service Implementation Scenarios 42-21 Scenario: Web Service Security With On Behalf Of Username Token requester-testwelcome1 http://docs.oasis-open.org/ws-sx/ ws-trust/200512/RST/Issue http ://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAM LV1.1 user-alice < /SOAP-ENV:Envelope> Example 42–2 Request Security Token Response sent by the Security Token Service Here is a response to the RST sent by the Security Token Service. http://docs.oasis-open.org/ws-sx/ws-t rust/200512/RSTRC/IssueFinal http://docs.oasis-open.org/wss/oa sis-wss-saml-token-profile-1.1#SAMLV1.1 user-alice@example .com urn:oasis:names:tc:SAML:1.0:cm:sender-vouches user-alice-last 42-22 Administrator's Guide for Oracle Access Management Scenario: Web Service Security With On Behalf Of Username Token 1GF2ZT9h+gs8sxyO+/yG/N6jxk8= InZVb5aRM5+KKI1VqXg9HiIgLjKyGm0VkD6sMJ/8SIbFbbxuNm7Mnky5W35p2 P0c5bCPRx02uzLEE4KhLkyM2GsLsVaDNkRztGMphQW/Mcg7DprJIEyR2OYMYDOQSipa/k2K98C4zO/RNiv o1KvyJsd6a3h6CBHwoO1RKip039w= MIIB/DCCAWWgAwIBAgIBCjANBgkqhki G9w0BAQQFADAjMSEwHwYDVQQDExhhZGMyMTEwNjE4LnVzLm9yYWNsZS5jb20wHhcNMTEwNDE5MTUxNTI2W hcNMjEwNDE2MTUxNTI2WjAjMSEwHwYDVQQDExhhZGMyMTEwNjE4LnVzLm9yYWNsZS5jb20wgZ8wDQYJKoZ IhvcNAQEBBQADgY0AMIGJAoGBAJnSxVc86TGcwewieaueIVG33C3Qouve6HuJxHsoM8cRRkJcmv+0auyvD LJfYAEOfHo5OsF4+za11iNPln9ZFaOjUy/Y8JC0kSVxatgU36RveIrpOJvp978Oa6IlMNUtdFf8q3Trsiz spE2hnbLY+0SMofgnAPcJEKPxkd6b0b0ZAgMBAAGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDA wfYADAdBgNVHQ4EFgQU47ZqWHgTOmZO67uw4YzsbrRMNOswDQYJKoZIhvcNAQEEBQADgYEAH0QIHaLMN/7 hD2VP0SLOCtNdEmY5IqLY1CDW+GpUZZ9e+MCgE/rvr34566D9Q8lvET6T9u+sg3h+hSkb3gE4a4wgShH/V 7nfHzx8ZntlxccvCZK6ePVDMt0Lfj2iVnE7IJxou4bO0w0m9DrvyKop7ncnSEzaVpxIZgCDo7+8Zdw= id-1LNkSUVcpbH7O0oQwbHJ5JOd5fs- id-1LNkSUVcpbH7O0oQwbHJ5JOd5fs- 2011-04-22T18:48:05Z2011-0422T19:48:05Z Security Token Service Implementation Scenarios 42-23 Scenario: Web Service Security With On Behalf Of Username Token 42-24 Administrator's Guide for Oracle Access Management 43 Configuring Security Token Service Settings 43 This chapter introduces how to manage components involved in the protection of Security Token Service endpoints. This chapter provides the following topics: ■ Prerequisites ■ Introduction to Security Token Service Configuration ■ Enabling and Disabling Security Token Service ■ Defining Security Token Service Settings ■ Using and Managing WSS Policies for Oracle WSM Agents ■ Configuring OWSM for WSS Protocol Communication ■ Managing and Migrating Security Token Service Policies ■ Logging Security Token Service Messages ■ Auditing the Security Token Service 43.1 Prerequisites Before beginning tasks in this chapter, be sure to review the following chapters. ■ Chapter 41, "Introducing the Oracle Access Management Security Token Service" ■ Chapter 2, "Getting Started with Oracle Access Management" ■ Chapter 6, "Managing Server Registration" 43.2 Introduction to Security Token Service Configuration Security Token Service a Web Service co-existing with Access Manager. Security Token Service invokes some Access Manager components to validate and issue security tokens. Typically, the Web client can use the Security Token Service to request an outbound token, such as SAML, by providing a security token, like a Username Token or an X.509 Token. Security Token Service is integrated with the Oracle Access Management Console to provide a unified and consistent administration experience. All Security Token Service system configuration is done using the Oracle Access Management Console. Security Token Service provides: ■ Tokens: – Validation Tokens: Standard (Username, X.509, Kerberos, SAML 1.1/2.0) and custom tokens. OnBehalfOf use cases (OAM Session ID Propagation Token Configuring Security Token Service Settings 43-1 Introduction to Security Token Service Configuration and custom tokens through the integration engine) also supports the following standard tokens along with OAM sessionID propagation token and custom token (Username, X.509, SAML 1.1/2.0). – ■ ■ ■ Issuance Tokens: Standard (Username, SAML 1.1/2.0) and custom tokens through the integration engine Configuration-driven token issuance and validation Enhanced auditing through identity propagation across multiple tiers and domains Consolidated shared-platform service interacts with internal (Access Manager SSO, Federation, Oracle Web Services Manager) and external services This section provides the following topics: ■ Post-Installation Configuration ■ About OAM Servers and Security Token Service ■ About Security Token Service Clients ■ About Agents and Security Token Service See Also: Oracle Fusion Middleware Security and Administrator's Guide for Web Services 43.2.1 Post-Installation Configuration After installation and server startup, you can access the Oracle Access Management Console on the OAM Server. For example, if the URL to the OAM Server is http://machine:14100/oam, you might access: ■ ■ Oracle Access Management Console at http://machine:7001/oamconsole Security Token Service: http://machine:14100/sts/wss11user?wsdl to view the WSDL of the /sts/wss11user endpoint that is available by default, to ensure that Security Token Service is available. By default, Security Token Service is disabled and as such all runtime functionality as well as Web Service endpoints are disabled. To access those endpoints, Security Token Service must first be enabled using the Oracle Access Management Console. Afterwards, the endpoints might be accessed Post-installation configuration includes the tasks in the following outline, which point to other areas in this book for details. Task overview: Security Token Service configuration requires 1. Server Side Configuration: Use the Oracle Access Management Console for the following tasks. a. Service enablement "Enabling and Disabling Services for Security Token Service" on page 43-9 b. Settings configuration "Managing Security Token Service Settings" on page 43-12 c. Endpoint registration "Managing EndPoints" on page 45-26 d. Token Issuance Template configuration "Managing Token Issuance Templates" on page 45-5 43-2 Administrator's Guide for Oracle Access Management Introduction to Security Token Service Configuration 2. e. Token Validation Template configuration "Managing Token Validation Templates" on page 45-13 f. Partner Profile creation "Managing Token Service Partner Profiles" on page 46-7 g. Partner configuration "Managing Token Service Partners" on page 46-3 h. Token Issuance Policies to define an authorization rule for issuing tokens with Security Token Service, for a specific Relying Party "Managing Token Issuance Policies, Conditions, and Rules" on page 45-27 Set up interactions with the Oracle WSM Agent as described in following topics: a. Using and Managing WSS Policies for Oracle WSM Agents b. Configuring OWSM for WSS Protocol Communication 3. Set up message logging, as described in "Logging Security Token Service Messages" on page 43-20. 4. Configure event auditing, as described in "Setting Up Auditing for Oracle Access Management" on page 8-20. 5. Configure lifecycle management a. Register the Security Token Service trust endpoint, as described in item 1c. b. Register the Requester or Relying Party Partner with Security Token Service, as described in "Managing Token Service Partners" on page 46-3. c. Monitor performance, as described in Chapter 12, "Monitoring Performance and Logs with Fusion Middleware Control". 43.2.2 About OAM Servers and Security Token Service With Oracle Access Management, all Security Token Service instances are installed on OAM Servers (also known as Managed Servers). Each server must be registered with Access Manager. Security Token Service leverages the common infrastructure for shared services and the Oracle Access Management administration model. Security Token Service support Web Services Security protocol 1.0 and 1.1 and process the following tokens, if present in the Security SOAP headers: ■ Username token (UNT) ■ SAML 1.1 or SAML 2.0 Assertion ■ Kerberos ■ X.509 Managed servers hosting Security Token Service must be registered with Access Manager as described in Chapter 6, "Managing Server Registration". Note: Third-Party Servers: Security Token Service interoperates with third party security token servers. For instance, a third party Security Token Service can create a valid Security Assertion Markup Language (SAML) Assertion that can be consumed by Security Token Service. Configuring Security Token Service Settings 43-3 Introduction to Security Token Service Configuration 43.2.3 About Security Token Service Clients Security Token Service provides services to various Oracle clients (Oracle Web Services Manager client) or third party clients (Microsoft and IBM are two). Oracle WSM Client: Oracle Web Services Manager client bindings are the responsibility of Oracle Web Services Manager (and out of scope for this book). For more information, see "Configuring Oracle WSM Agent for WSS Kerberos Policies" on page 43-18. See Also: "WS-Trust Policies and Configuration Steps" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services Third Party Clients: Require a secure key exchange between the Oracle WSM client and server. You simply import the Security Token Service certificate to the client. During SOAP interactions, the WS-Security protocol might require the client to trust the signing/encryption certificate used for WSS operations by the OWSM Agent protecting the Security Token Service endpoint. In those cases, the Oracle Access Management Administrator should extract the Security Token Service OWSM signing/encryption certificate used for WSS operations and provide it to the WS Client. For more information, see "Extracting the Oracle STS/Oracle WSM Signing and Encryption Certificate" on page 43-16. 43.2.4 About Agents and Security Token Service Oracle Web Services Manager communicates through agents. This topic introduces the agents that operate with Security Token Service. Oracle WSM Agent: The Oracle Web Services Manager (Oracle WSM) Agent is integrated with Security Token Service. This agent provides the Web Services Security support for Security Token Service Web Services endpoints. ■ ■ ■ Protects Web Services endpoints of Security Token Service Provides WS-Security support for sending SOAP messages to Relying Parties. As part of that process, the OWSM Client might interact with Security Token Service to get a security token that will be presented to the Relying Party Interacts with Security Token Service for token acquisition and token validation Security Token Service supports token acquisition and token validation by Oracle Web Services Manager (Oracle WSM) agents. Oracle Web Services Manager Agents are not required to use Security Token Service as part of their inbound or outbound security policy enforcement. Oracle Web Services Manager client bindings are the responsibility of Oracle Web Services Manager Administrators. The Oracle WSM Agent is used by Security Token Service to enforce message protection of the SOAP communication channel between Security Token Service and the client. The Oracle WSM Agent caches the OPSS Keystore (by default the default-keystore.jks keystore located in $DOMAIN_HOME/config/fmwconfig directory) which contains the trusted certificates involved when validating the WSS clients' certificates. Subsequent changes to the contents of the keystore or to its name, require a restart of the Managed Server using Oracle Enterprise Manager Fusion Middleware Control or WebLogic Server console, or NodeManager. The Oracle WSM Agent available to Security Token Service must be configured to protect the Security Token Service endpoints, to perform the following tasks: ■ Decrypt the request, if necessary 43-4 Administrator's Guide for Oracle Access Management Introduction to Security Token Service Configuration ■ ■ Verify any digital signatures present in the request Validate any certificate used to create the request's digital signatures, if the signatures were created with a private key ■ Validate any X.509 token, if present, in the SOAP headers ■ Validate the Kerberos token, if present, in the SOAP headers ■ Sign the outgoing response, if needed ■ Encrypt the outgoing response, if required Oracle WSM Agent Keystore: The Oracle WSM Agent uses a keystore for various cryptographic operations. For these operations, the Oracle WSM Agent uses the keystore configured for Oracle WSM tasks. See Also: ■ ■ "Introduction to Oracle Access Management Keystores" on page 5-31 Chapter 44, "Managing Security Token Service Certificates and Keys" Webgate: Security Token Service uses Webgate for the Access Manager session propagation token. This, identity propagation, use case is more advanced. It requires the Identity Assertion Provider in WebLogic Server and some custom integration. See Also: ■ ■ Chapter 42, "Security Token Service Implementation Scenarios" "About the Oracle Web Services Manager Keystore (default-keystore.jks)" on page 44-3 43.2.5 About Security Token Service End Points and Policies When you add an endpoint, you can choose from a list of Policy URI's and validation templates with which to associate the Security Token Service endpoint. By default, Security Token Service is configured with the endpoints shown in Figure 43–1. Figure 43–1 Default Endpoints, Policies, and Validation Templates The ORAPROVIDER is integrated with the Oracle WSM Agent, which provides Web Services Security support on the SOAP messages being exchanged between the client and Security Token Service. Security Token Service leverages ORAPROVIDER for Web Services to: Configuring Security Token Service Settings 43-5 Introduction to Security Token Service Configuration ■ publish Web Services endpoints dynamically ■ invoke Security Token Service to process SOAP messages ■ publish a WSDL file for each WS endpoint Oracle WSM Agent WSS Policy Stores: The Oracle WSM Agent requires a repository to retrieve the Web Services Security (WSS) policies it needs. Security Token Service supports two types of repositories: ■ ■ JAR file with WSS Policies: Used when the WLS Domain is configured for classpath. Oracle WSM Policy Manager available from the SOA deployment See Also: ■ ■ ■ "Configuring OWSM for WSS Protocol Communication" on page 43-15 Managing Oracle Workspace Studio policies for Security Token Service Oracle Fusion Middleware Security and Administrator's Guide for Web Services for details about the policies for Security Token Service Policy Assertions: Out of the box, Security Token Service provides a set of security policy assertions for use with the WS-Policy framework to describe how messages are to be secured in the context of Oracle Workspace Studio: SOAP Message Security and WS-Trust. ■ ■ Security Token Service makes its associated security policy files publicly available by attaching them to its deployed WSDL. Security Token Service runtime uses the private key and X.509 certificate pairs, stored in the keystores defined by the jps-config.xml file, for its WS-Security encryption and digital signature operations. The following paragraphs and tables identify the policies that are available out of the box for Security Token Service and the Oracle WSM Agent. Message-level Security Not Required: When message level-security is not required, use an Security Token Service policy that does not specify message_protection in its name. This authenticates users using credentials provided in tokens in the WS-Security SOAP header. The credentials in the Fusion Applications token are mapped based on the rules specified in the validation template. Both plain text and digest mechanisms are supported. Transport Security when Message-level Security Not Required: You can configure two-way SSL where both the client applications and WebLogic server present certificates to each other. To configure two-way or one-way SSL for the core WebLogic Server security see "Configuring SSL" in Oracle Fusion Middleware Securing Oracle WebLogic Server guide. Use the policies described in Table 43–1. Interoperability WS-Security 1.0 and 1.1 Policies: Use policies in Figure 43–2 if you require interoperability with WS-Security 1.0 or 1.1 (depending on your authentication requirements and credential availability). Use WS-Security 1.1 policies if you have strong security requirements. 43-6 Administrator's Guide for Oracle Access Management Enabling and Disabling Security Token Service Figure 43–2 WS-Security 1.0 and 1.1 Policies See Also: "Using and Managing WSS Policies for Oracle WSM Agents" Task overview: Using and modifying WS-S policies 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Endpoints from the View drop-down menu in the Security Token Service section. 3. Proceed as described in "Managing Security Token Service Endpoints" on page 45-25 to locate or create the endpoint to be protected. 4. In the Policy URI list, choose a specific WS Security policy to protect the endpoint, as described in: ■ ■ Managing WSS Policies for Security Token Service: Classpath Managing WSS Policies for Security Token Service: Oracle WSM Policy Manager 43.3 Enabling and Disabling Security Token Service This topic includes the following topics: ■ About Security Token Service and the Oracle Access Management Console ■ About Enabling Services for Security Token Service ■ Enabling and Disabling Services for Security Token Service Configuring Security Token Service Settings 43-7 Enabling and Disabling Security Token Service 43.3.1 About Security Token Service and the Oracle Access Management Console Elements in the Oracle Access Management Console enable Administrators to easily configure the Token Service to exchange WS Trust tokens with partners. Token Service elements provide for creation, viewing, modification, and removal of partners, endpoints, validation templates, issuance templates, and data store connections. All Security Token Service system configuration is done using the Oracle Access Management Console. This includes the following common tasks covered in Part II of this book: ■ Registering and managing common OAM Servers and proxy information ■ Registering and managing the common Default User Identity Store ■ ■ Configuring the OAM Keystore, which differs from the OWSM Keystore used for WSS processing Certificate Validation and Revocation The Oracle Access Management Console enables Administrators to perform the following Security Token Service-specific tasks: ■ ■ ■ ■ ■ ■ Manage validation token templates: The validation templates include configuration properties to validate a Web Services Security/WSTrust token, and map it to a Requester Partner or a User record in the Default User Identity Store. Manage issuance templates: The issuance templates contain rules on how a token will be created Manage Partner Data: A partner represents a partner trusted by Security Token Service. Security Token Service defines three types of partners: Requester, Relying Party and Issuing Authority. Each partner entry is associated to a partner profile. The partner entry contains signing and encryption certificates and identifiers used to uniquely identify a partner Manage Partner Profile: A partner profile contains configuration properties that are common to a set of partners: – Claim Mapping – Token Types definition – Issuance and Validation templates defined for the token Types – Override Validation Template rules for Issuing Authorities(Other STS) Manage Security Token Service Endpoints Manage Token Issuance Policies (authorization policies that will be evaluated to determine if a Requester Partner can request a token based on the Relying Party referenced in the request) ■ Security Token Service Global Settings ■ Custom tokens 43.3.1.1 About Security Token Service Administrators Users with administrative access to the Oracle Access Management Console, have access to Security Token Services. Initially, administrative users must log in to the Oracle Access Management Console using the WebLogic Administrator credentials set during initial configuration. However, your enterprise might require independent sets of Administrators: one set of users responsible for Access Manager and another for Security Token Service. 43-8 Administrator's Guide for Oracle Access Management Defining Security Token Service Settings 43.3.1.2 About Logging In To, and Signing Out Of, Security Token Service When using Security Token Service with Access Manager, logging in to, and signing out of the Oracle Access Management Console is the same. See Also: Chapter 2 for the following topics: ■ Logging Into the Oracle Access Management Console ■ Signing Out 43.3.2 About Enabling Services for Security Token Service To use Security Token Service, both it and Access Manager must be enabled. By default Security Token Service is disabled and needs to be enabled. A green check mark in the Status field beside the service name indicates the service is enabled. A red circle with a line through it indicates that the corresponding service is disabled. 43.3.3 Enabling and Disabling Services for Security Token Service Prerequisites Oracle Access Manager service must be enabled. To enable or disable Security Token Service 1. In the Oracle Access Management Console, click Configuration at the top of the window. 2. In the Configuration console, click Available Services. 3. Enable Security Token Service: Beside Security Token Service, click Enable (or confirm that the Status check mark is green) and confirm that the Access Manager Service is also enabled. 4. Disable Security Token Service: Beside Security Token Service, click Disable (or confirm that the Status check mark is red). 43.4 Defining Security Token Service Settings This section provides the following information: ■ About Security Token Service Settings ■ Managing Security Token Service Settings 43.4.1 About Security Token Service Settings Security Token Service can be viewed or altered from the Security Token Service section of the System Configuration tab. These settings are show in Figure 43–3. Configuring Security Token Service Settings 43-9 Defining Security Token Service Settings Figure 43–3 Security Token Service Page Table 43–1 describes the elements on the Security Token Service Settings page. Table 43–1 Security Token Service Settings Element Description Partner Identification Attributes A field where you list attributes, other than the standard ones available by default, that should be available in "Identity Attributes" Table in the Partner page. These attributes can be used to identify a partner by matching their values against those in the incoming request. When a Requester sends a WS-Trust request to Security Token Service, the server might map the incoming token containing the requester's identity to a partner entry in the Security Token Service partner store. To do so, Security Token Service will use the mapping settings configured in a validation template and will attempt to map the token data to a partner entry by performing a lookup by matching the token data to a Partner Identification Attribute. By default, each requester partner contains three identification attributes that can be set: username, HTTP Basic Username, SSL Client Certificate DN. It is possible to define additional Identification Attributes that could be set for each requester partner entry. This section allows new attributes to be set. After defining a new attribute, it becomes available in the Requester Partner entry section, and it can be used in mapping rules in the WSS Validation Templates. 43-10 Administrator's Guide for Oracle Access Management Defining Security Token Service Settings Table 43–1 (Cont.) Security Token Service Settings Element Description Custom Trust Anchor File By default, Access Manager and Security Token Service use the default $DOMAIN_HOME/config/fmwconfig/amtruststore keystore containing the trust anchors used for certificate validation by Security Token Service, when verifying X.509 Tokens, or when verifying certificates used in SAML Assertion signatures. It is possible to configure Security Token Service to use a specific trust anchor file if necessary, that will contain trust anchors only used for Security Token Service operations and validations. In this case, this field should contain the location of the JKS keystore to use. Note the following: ■ ■ When using a custom trust anchor keystore, it will not be replicated automatically across the cluster. You must manage replication. In most cases, the default Access Manager and Security Token Service trust anchor should be enough. See Also: Chapter 44, "Managing Security Token Service Certificates and Keys" Default Encryption Template A list from which you choose the default template for Security Token Service encryption: ■ osts_encryption ■ osts_signing See Also: Setting the Default Encryption Key on page 44-6. Proxy Outbound Connection Properties, HTTP Proxy Settings Use this section to configure Security Token Service to use a proxy for outgoing HTTP connections when optionally retrieving the WS-Sec Policy of Relying Parties at runtime: ■ Enabled: When this box is checked the Proxy function is enabled and will be used when retrieving the WS-Security Policy of Relying Parties. When the box is not checked, the Proxy function is disabled and related fields are inaccessible for editing. ■ Host: The proxy hostname ■ Port: The proxy port number. Default is 8080 ■ ■ ■ Non Proxy Hosts: A list of hosts for which the proxy should not be used. Use ';' to separate multiple hosts. Username: The username to use when connecting to the proxy. Password: The password to use when connecting to the proxy. Configuring Security Token Service Settings 43-11 Using and Managing WSS Policies for Oracle WSM Agents Table 43–1 (Cont.) Security Token Service Settings Element Description Keystore Location: Path of the active keystore that was set up during Security Token Service installation. The Keystore table includes the following information for each of the templates in the table, which are available for use as the Default Encryption Template: ■ ■ Template ID: The name of the template that can access the keystore. Alias: Identifies the alias for the template. When adding a template, you can choose from the Aliases listed. ■ Password: The password for the selected Alias. ■ Description: Optional. The keystore section defines key entries that exist in the Security Token Service keystore: $DOMAIN_ HOME/config/fmwconfig/.oamkeystore After an entry is defined an entry, it can be used in other Security Token Service templates (like SAML Issuance Templates). 43.4.2 Managing Security Token Service Settings Users with valid Administrator credentials can use this procedure to confirm or alter Security Token Service Settings. Prerequisites Both the Access Manager Service and the Security Token Service must be enabled. To view or edit Security Token Service Settings 1. In the Oracle Access Management Console, click Configuration at the top of the window. 2. In the Configuration console, select Security Token Service from the View drop-down menu in the Settings section. 3. On the Security Token Service Settings page view (or modify) the following information (see Table 43–1): ■ Partner Identification Attributes ■ Custom Trust Anchor File ■ Proxy details 4. Keystore Table: View, add, or remove new encryption templates 5. Click Apply to submit changes (or Revert to cancel changes). 6. Close the page when finished. 43.5 Using and Managing WSS Policies for Oracle WSM Agents You can use existing Oracle Workspace Studio policies to protect Security Token Service Web Service endpoints. For instance: ■ classpath mode: Existing Oracle Workspace Studio policies defined in $ORACLE_ IDM_HOME/oam/server/policy/sts-policies.jar are used in this mode 43-12 Administrator's Guide for Oracle Access Management Using and Managing WSS Policies for Oracle WSM Agents ■ SOA deployment: Policies defined in the Oracle WSM Policy Manager available from a SOA deployment are used This section describes how to manage Web Service Security Policies for Security Token Service in the following topics: ■ Using and Modifying Oracle Workspace Studio Policies ■ Managing WSS Policies for Security Token Service: Classpath ■ Managing WSS Policies for Security Token Service: Oracle WSM Policy Manager 43.5.1 Using and Modifying Oracle Workspace Studio Policies This section introduces WS-Security Policies used to protect Security Token Service WS Endpoint and how to modify these policies. TheWS-Security Policies that are provided by Oracle should cover most use cases. See Also: ■ ■ "About Security Token Service End Points and Policies" on page 43-5 Attaching Policies to Web Services in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services 43.5.2 Managing WSS Policies for Security Token Service: Classpath Predefined Oracle Web Services Manager policies are constructed using assertions based on predefined assertion templates. For WSS Policy classpath mode, the OWSM Agent retrieves policies from sts-policies.jar located on the classpath. If SOA is not deployed in the WebLogic Server domain, the Security Token Service installer configures the WebLogic Server domain for WSS Policy classpath mode. The JAR file containing the WSS Policies used when the WLS Domain is configured for classpath is located at: $ORACLE_IDM_HOME/oam/server/policy/sts-policies.jar When your environment is in classpath mode, perform the following tasks to Administrators confirm sts-policies.jar is located on the classpath. See Also: ■ ■ "About Security Token Service End Points and Policies" on page 43-5 Oracle WSM Predefined Policies and Assertion Templates in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services Task overview: Managing WSS Policies for Security Token Service: Classpath 1. Define an OWSM Assertion Template. 2. 3. Proceed as follows, depending on your need: ■ Modify an OWSM Policy ■ Define a Policy using the OWSM Assertion Template Bundle the Assertion Template and policy in the sts-policies.jar file: META-INF/assertiontemplates/oracle of the $ORACLE_IDM_HOME/oam/server/policy/ Configuring Security Token Service Settings 43-13 Using and Managing WSS Policies for Oracle WSM Agents sts-policies.jar 4. Confirm that sts-policies.jar is located in the following path to enable the policy URI to be available the Policy URI drop down list. $ORACLE_IDM_HOME/oam/server/policy/sts-policies.jar 5. Restart the Managed Servers running Security Token Service. 6. Proceed to the Oracle Access Management Console to configure the Security Token Service Endpoints. 43.5.3 Managing WSS Policies for Security Token Service: Oracle WSM Policy Manager The Oracle WSM Policy Manager is the security linchpin for Oracle Fusion Middleware Web services and SOA applications. For more information about how the Oracle WSM Policy Manager manages the policy framework, see "Understanding Oracle WSM Policy Framework" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. At design time, you attach Oracle WSM and WebLogic Web service policies to applications programmatically using your favorite IDE, such as Oracle JDeveloper. Alternatively, at deployment time you attach policies to SOA composites, ADF, and WebCenter applications using the Oracle Enterprise Manager Fusion Middleware Control, and to WebLogic Web services (Java EE) using the WebLogic Server Administration Console. System Administrators can leverage the Oracle WSM through the Oracle Enterprise Manager Fusion Middleware Control to: ■ Centrally define policies using the Oracle WSM Policy Manager. ■ Enforce Oracle WSM security and management polices locally at run time. When your environment is integrated with the OWSM Policy Manager, perform the following tasks to add or modify WSS policies for Security Token Service using Oracle Web Services Manager. All of Oracle WSM's functionality is accessible to Administrators from Oracle Enterprise Manager Fusion Middleware Control. Note: See Also: Oracle Fusion Middleware Security and Administrator's Guide for Web Services ■ Part II, "Basic Administration" ■ Part III, "Advanced Administration" Task overview: Managing WSS Policies for Security Token Service: OWSM Policy Manager 1. From the OWSM Policy Manager, locate and open the desired policy. 2. Refer to the Oracle Fusion Middleware Security and Administrator's Guide for Web Services and make any required changes to the policy. 3. Restart all Managed Servers running Security Token Service. 4. Proceed to "Configuring OWSM for WSS Protocol Communication". 43-14 Administrator's Guide for Oracle Access Management Configuring OWSM for WSS Protocol Communication 43.6 Configuring OWSM for WSS Protocol Communication This section describes how to configure communication between WS-Sec Clients and the Oracle WSM Agent embedded with Security Token Service. The Oracle WSM Agent protects the Web Service endpoints of Security Token Service, and provides support for WSS protocol exchanges. To ensure a client is communicating successfully with the Oracle WSM Agent: ■ ■ The client might need to be aware of the signing and encryption certificates used by the Oracle WSM Agent (this will require extracting and distributing the signing and encryption certificates used by the OWSM Agent embedded with Security Token Service). The Oracle WSM Agent might need to be aware, depending on the policies, of the signing certificate used by the client (this will require adding the client's certificate as a trusted certificate for the Oracle WSM Agent) Task overview: Configuring communication with Oracle WSM agents See "About Oracle WSM Agent WS-Security Policies for Security Token Service" 1. 2. Retrieving the Oracle WSM Keystore Password 3. Extracting the Oracle STS/Oracle WSM Signing and Encryption Certificate 4. Adding Trusted Certificates to the Oracle WSM Keystore 5. Validating Trusted Certificates in the Oracle WSM Keystore 6. Configuring Oracle WSM Agent for WSS Kerberos Policies See Also: Chapter 44, "Managing Security Token Service Certificates and Keys" 43.6.1 About Oracle WSM Agent WS-Security Policies for Security Token Service The Oracle WSM Agent requires a repository to retrieve the Web Services Security (WSS) policies it needs. Access Manager supports two types of repositories for Security Token Service: ■ ■ JAR file with WSS Policies: Used when the WLS Domain is configured for classpath. The required JAR file is located in $ORACLE_IDM_ HOME/oam/server/policy/ sts-policies.jar. Oracle WSM Policy Manager available from the SOA deployment During Security Token Service installation, the installer detects if the Oracle Web Services Manager Policy Manager is present and deployed in the WebLogic Security domain. ■ ■ If not deployed in the WebLogic Security domain, the installer configures the WebLogic Security domain for the Web Services Security Policy classpath mode, where the WSM Agent will retrieve the policies from a JAR file. If present, the installer connects to the Oracle Web Services Manager Policy Manager and uploads the policies that are used to protect Security Token Service endpoints. See Also: "About the Database Store for Policy, Password Management, and Sessions" on page 5-29 for details about the required database for Access Manager policy data and (optionally) Access Manager session data. Configuring Security Token Service Settings 43-15 Configuring OWSM for WSS Protocol Communication 43.6.2 Retrieving the Oracle WSM Keystore Password Administrators need to retrieve the keystore password and key entry password from CSF for certain activities. Otherwise, keystore or key entry cannot be changed. Having access to the keystore is sometimes required to: ■ Extract the signing/encryption certificate to distribute to clients if necessary ■ Update or replace the signing/encryption key entry ■ Add trusted certificates The following procedure displays the password used to protect the Oracle WSM keystore as well as the key entry. To retrieve the Oracle WSM keystore password Enter the WSLT scripting environment. 1. 2. Connect to the WebLogic Server AdminServer, using the connect() command. 3. Execute the following command by providing the connection information to the AdminServer: listCred(map="OAM_STORE", key="jks"). 4. Note the password. 5. Proceed to "Extracting the Oracle STS/Oracle WSM Signing and Encryption Certificate". 43.6.3 Extracting the Oracle STS/Oracle WSM Signing and Encryption Certificate During SOAP interactions, the WS-Security protocol might require the client to trust the signing/encryption certificate used for WSS operations by the OWSM Agent protecting the Security Token Service endpoint. In those cases, the Oracle Access Management Administrator should extract the Security Token Service OWSM signing/encryption certificate used for WSS operations and provide it to the WS Client. The Administrator must export the signing and encryption certificate used by Security Token Service for WSS cryptographic operations. The following procedure guides as you do this by: ■ Replacing $DOMAIN_HOME with the path to the Domain directory ■ CERT_FILE with the location of the file where the certificate will be saved If you are prompted to enter a password, simply press the Enter key. Prerequisites Retrieving the Oracle WSM Keystore Password To export the signing and encryption certificate Locate keytool. 1. 2. Execute the following command. keytool -exportcert -keystore $DOMAIN_HOME/config/fmwconfig/default-keystore.j ks -storetype JKS -alias orakey -file $CERT_FILE 3. Enter the keystore password retrieved in the previous section if prompted. 4. Proceed to "Adding Trusted Certificates to the Oracle WSM Keystore". 43-16 Administrator's Guide for Oracle Access Management Configuring OWSM for WSS Protocol Communication 43.6.4 Adding Trusted Certificates to the Oracle WSM Keystore To add a trusted certificate to the OWSM keystore for WSS cryptographic operations: ■ perform the command in the following procedure ■ replace the $DOMAIN_HOME with the path to the Domain directory ■ ■ replace the TRUSTED_CERT_FILE with the location of the file containing the trusted certificate replace the TRUSTED_CERT_ALIAS with the alias under which the trusted certificate will be stored When prompted to enter a password, enter the password of the OWSM keystore that you retrieved earlier. Prerequisites Retrieving the Oracle WSM Keystore Password The Administrator must have the certificate to import. To add trusted certificates to the Oracle WSM keystore Locate keytool. 1. 2. Execute the following command. keytool -importcert -trustcacerts -keystore $DOMAIN_HOME/config/fmwconfig/de fault-keystore.jks -storetype JKS -alias $TRUSTED_CERT_ALIAS -file $TRUSTED_ CERT_ALIAS 3. Observe messages on the screen, enter a password if requested. 4. Proceed to "Validating Trusted Certificates in the Oracle WSM Keystore". 43.6.5 Validating Trusted Certificates in the Oracle WSM Keystore When the Oracle WSM Agent performs a certificate validation, it uses the keystore configured for Oracle WSM tasks, and will validate the certificate against the trusted certificate entries contained in the keystore. For those operations, it might be required to add trusted certificate entries (the certificate itself or the issuer's certificate) in the OWSM keystore. When receiving a SOAP requester, the Oracle WSM Agent processes the request for message protection. Part of the steps might include a certificate validation operation if the incoming message: ■ is of type WSS 1.0, and includes a digital signature created with a private key, without the certificate being present. In this case: Remedy: The Oracle WSM keystore must contain the signing certificate. ■ is of type WSS 1.0, and includes a digital signature created with a private key, with the certificate being present. Remedy: The Oracle WSM keystore must contain either the signing certificate or the issuer's certificate of the signing certificate. ■ is of type WSS 1.1, and includes a digital signature created with a private key, without the certificate being present. Remedy: The Oracle WSM keystore must contain the signing certificate. Configuring Security Token Service Settings 43-17 Configuring OWSM for WSS Protocol Communication ■ is of type WSS 1.1, and includes a digital signature created with a private key, with the certificate being present. In this case, the OWSM keystore will need to contain either the signing certificate or the issuer's certificate of the signing certificate Remedy: The Oracle WSM keystore must contain either the signing certificate or the issuer's certificate of the signing certificate See Also: Chapter 44, "Managing Security Token Service Certificates and Keys" 43.6.6 Configuring Oracle WSM Agent for WSS Kerberos Policies Security Token Service provides services to various Oracle clients (Oracle Web Services Manager client) or third party clients (Microsoft and IBM are two). the Oracle WSM Agent performs only message protection (not authentication) on the incoming request. The Oracle WSM agent does not attempt to map the incoming Kerberos ticket to a user record in the OPSS Identity Store. If Oracle WSM is the client that will interact with Security Token Service using WSS Kerberos policies, then the entire Oracle WSM Kerberos setup section in Oracle Fusion Middleware Security and Administrator's Guide for Web Services applies. However, if the client is not Oracle WSM, see Table 43–2 and disregard sections on how to configure the client, sections related to authenticating the user referenced in the Kerberos ticket. Table 43–2 Configuring a Non-Oracle WSM Client for WSS Kerberos Policies Perform Tasks for Non-Oracle Client Skip These Tasks for Non-Oracle Client Configure the KDC Initialize and Start the MIT Kerberos KDC Create Principals Configure the Web Service Client to Use the Correct KDC Set the Service Principal Name In the Web Service Client Set the Service Principal Name In the Web Service Client at Design Time Configure the Web Service to Use the Right KDC Use the Correct Keytab File in Enterprise Manager Extract and Export the Keytab File Modify the krb5 Login Module to use the Keytab File Authenticate the User Corresponding to the Service Principal Create a Ticket Cache for the Web Service Client Use Active Directory with Kerberos and Message Protection Set Up the Web Service Client Create a User Account Create a Keytab File Set the Service Principal Name Set Up the Web Service 43-18 Administrator's Guide for Oracle Access Management Managing and Migrating Security Token Service Policies 43.7 Managing and Migrating Security Token Service Policies This section provides the following topics: ■ About Managing and Migrating Security Token Service Policies ■ Managing Security Token Service Policies ■ Migrating Security Token Service Policies 43.7.1 About Managing and Migrating Security Token Service Policies Security Token Service policies for endpoints reside in sts-policies.jar. This jar is copied to following location under $WLS_HOME ($Oracle_IDM1, for example): $WLS_HOME/oam/server/policy The sts-policies.jar contains the stspolicies.prop file at the following location in the JAR: META-INF/policies/sts/ This file lists all the policies packaged in the directory as file names to allow the server to read the JAR entries programmatically when migrating policies to destination repository. Be sure to update policies and stspolicies.prop as needed before migration. Note: 43.7.2 Managing Security Token Service Policies The following procedure outlines the various scenarios for policy updates. Task overview: Updating policies and stspolicies.prop 1. Add a Policy to sts-policies jar: Before creating the new jar, you must also update the stspolicies.prop file at META-INF/policies/sts/ to include this new policy file name. 2. Delete a Policy from sts-policies jar: You must also delete the entry from file META-INF/policies/sts/stspolicies.prop. 3. Update Existing Policy File Name: When re-naming a policy file at META-INF/policies/sts/, you must also update the corresponding entry in the file META-INF/policies/sts/stspolicies.prop file. 4. Update Existing Policy Content: When updating the content of a policy file, without touching the file name, there is no need to do anything else. 43.7.3 Migrating Security Token Service Policies During installation a check is performed to establish whether SOA is deployed within the domain where Security Token Service is being installed: ■ If SOA is not installed, the Oracle WSM protocol is set to classpath and policies are read from the JAR on the class path. Configuring Security Token Service Settings 43-19 Logging Security Token Service Messages See Also: "Using and Managing WSS Policies for Oracle WSM Agents" on page 43-12. ■ ■ If SOA is present within the domain, Security Token Service reads the policies from sts-policies.jar and migrates them to the Oracle WSM PM repository by calling Oracle WSM Mbeans. If SOA is installed after Security Token Service within the same domain, ensure smooth operations between SOA and Security Token Service as follows: – The Oracle WSM protocol must be set to 'remote'. – Security Token Service policies from sts-policies jar must be migrated to Oracle WSM PM repository using Oracle WSM provided tools. 43.8 Logging Security Token Service Messages Logging is the mechanism by which components write messages to a file. Administrators can use the logging mechanism to capture critical component events. Access Manager uses the same logging infrastructure and guidelines as any other component in Oracle Fusion Middleware 11g. This is accomplished by using the package java.util.logging, which is standard and available in all Java environments. The logging system writes output to flat files only. Logging to an Oracle Database instance is not supported. Configuring logging and locating log files are the focus of this section. Diagnosing problems using the information in log files is outside the scope of this manual. Log messages are used for problem diagnosis. The logging infrastructure records messages from Access Manager. The Administrator controls the amount of information that is logged in a message by specifying log levels for each component or service for which a logger is defined. Generally, you enable logging to produce files that you send to Oracle Technical Support for problem diagnosis. Documentation for log messages is not available. In some cases, you might be able to diagnose problems on your own by reading log files. Note: By default, the log level for Access Manager is the Notification level. Logging at the Error level produces a small amount of output while other log levels can result in voluminous logging output, which can impact OAM performance. In production environments, logging is usually either disabled or the log level is set to a level that results in a small volume of logging output (the error level, for example). Access Manager and Security Token Service uses the WebLogic container's logging defaults: ■ ■ Logging File: $DOMAIN_ HOME/servers/SERVER-NAME/logs/SERVER-NAME-diagnostics.log Logging Configuration File: Provides logging level and other configuration information for logging. This file is stored in the following path: $DOMAIN_ HOME/config/fmwconfig/servers/SERVER-NAME/logging.xml 43-20 Administrator's Guide for Oracle Access Management Auditing the Security Token Service 43.9 Auditing the Security Token Service Oracle Fusion Middleware auditing provides a measure of accountability and answers to the "who has done what and when" types of questions. Audit data can be used to create dashboards, compile historical data, and assess risks. Analyzing recorded audit data allows compliance officers to perform periodic reviews of compliance policies. Configuring common auditing settings for Security Token Service and validating your auditing configuration is the subject of this section; analyzing and using audit data is outside it's scope. The Oracle Fusion Middleware Common Audit Framework supports auditing for a number of run-time events, and administrative events (changes to the system). It also provides uniform logging, and exception handling and diagnostics for all audit events. While auditing can be enabled or disabled, it is typically enabled in production environments. Auditing has minimal performance impact, and the information captured can be useful (even mission-critical). The Auditing Framework uses configuration parameters set in the Oracle Access Management Console that enable data capture for a user or set of users. Audit data can be written to either a single, centralized Oracle Database instance or to flat files. Regardless of where the audit record is stored, it contains a sequence of items that can be configured to meet particular requirements. The audit log file helps the audit Administrator track errors and diagnose problems if the audit framework is not working properly. More information is in the following sections. ■ About Security Token Service Audit Record Storage ■ About Audit Reports and Oracle Business Intelligence Publisher ■ About the Audit Log ■ About Auditing Security Token Service Events Security Token Service integrates with Oracle Business Intelligence Publisher which provides a pre-defined set of compliance reports. Note: 43.9.1 About Security Token Service Audit Record Storage Security Token Service can be configured to write audit records to a variety of targets supported by the Common Audit Framework: ■ ■ Local flat files: By default, Security Token Service records audit data to a file. Central database: In production environments, Oracle recommends using a database audit store to provide scalability and high-availability for the Common Audit Framework. Audit data is cumulative and grows over time. Ideally this is a database for only audit data; not used by other applications. ■ Platform-specific log (Linux Syslog and Windows Event Log) ■ Audit Vault To switch to a database as the permanent store for your audit records, you must first use the Repository Creation Utility (RCU) to create a database schema for audit data. The RCU seeds that database store with the schema required to store audit records in a database. After the schema is created, configuring a database audit store involves: ■ Creating a data source that points to the audit schema you created Configuring Security Token Service Settings 43-21 Auditing the Security Token Service ■ Configuring the audit store to point to the data source See Also: ■ Oracle Fusion Middleware Application Security Guide ■ "Setting Up the Audit Database Store" on page 8-21 ■ "Adding, Viewing, or Editing Audit Settings" on page 8-24 43.9.2 About Audit Reports and Oracle Business Intelligence Publisher The data in the database audit store is exposed through pre-defined reports in Oracle Business Intelligence Publisher. These reports allow you to drill down the audit data based on various criteria, such as user name, time range, application type, and execution context identifier (ECID). Out-of-the-box, there are several sample audit reports available with Security Token Service and accessible with Oracle Business Intelligence Publisher. You can also use Oracle Business Intelligence Publisher to create your own custom audit reports. See Also: "About Audit Reports and Oracle Business Intelligence Publisher" on page 8-4 43.9.3 About the Audit Log An audit log file helps the audit Administrator track errors and diagnose problems when the audit framework is not working properly. An audit log file records several fields including: Date, Time, Initiator, EventType, EventStatus, MessageText, ECID, RID ContextFields, SessionId, TargetComponentType, ApplicationName, and EventCategory to name a few. See Also: The topic on audit logs in the chapter on configuring and managing auditing in the Oracle Fusion Middleware Security Guide 43.9.4 About Auditing Security Token Service Events Specific administrative and run-time events that you can audit for Security Token Service are grouped together in Chapter 8, "Auditing Administrative and Run-time Events". Included with the events are the common instructions for setting up and validating auditing. For details, see: ■ Security Token Service Events You Can Audit ■ Setting Up Auditing for Oracle Access Management ■ Validating Auditing and Reports 43-22 Administrator's Guide for Oracle Access Management 44 Managing Security Token Service Certificates and Keys 44 This chapter provides the following sections: ■ Prerequisites ■ Introducing the Security Token Service Certificates and Keys ■ Managing Security Token Service Encryption/Signing Keys ■ Managing Partner Keys for WS-Trust Communications ■ Managing Certificate Validation 44.1 Prerequisites Security Token Service services must be running, as described in "Enabling and Disabling Security Token Service" on page 43-7. 44.2 Introducing the Security Token Service Certificates and Keys Depending on the public key infrastructure, the digital certificate establishes credentials for Web-based transactions, as described in "About Certificates, Authorities, and Encryption Keys" on page C-3. Public Keys at Run Time: There are distinct cases where public key infrastructure materials are used at run time. For instance, during Web Services Security (WSS) protocol communication between Requesters and Security Token Service (with OWSM Agent). See also Table 44–1. Managing Security Token Service Certificates and Keys 44-1 Introducing the Security Token Service Certificates and Keys Table 44–1 Security Token Service Public Keys Used at Run Time When Security Token Service ... Description Issues SAML Assertions ■ ■ ■ ■ Security Token Service Signing Assertions using a key defined in the STS Global settings Security Token Service using the Requester's signing certificate as a proof key for Holder-of-Key of type Public Key confirmation method Security Token Service using the Relying Party's encryption certificate to encrypt the secret proof key for Holder-of-Key of type Secret Key confirmation method Security Token Service using the Requester's encryption certificate to encrypt a secret proof/entry in the RSTR for Holder-of-Key of type Secret Key confirmation method Issues tokens ■ Validates SAML Assertions ■ Uses Web Services Security (WSS) protocol communication Between Requesters and Security Token Service (with OWSM Agent) Security Token Service uses the Relying Party's encryption certificate to encrypt the outgoing token Security Token Service uses the Issuing Authority's signing certificate to verify the signature of the incoming SAML Assertion 44.2.1 About Keystores and Security Token Service Following is a brief summary of the keystore files distributed across all OAM Servers in the domain by the JMX framework and used for Security Token Service: ■ ■ ■ ■ .oamkeystore: For keys and certificates associated with OAM Server instances .oamkeystore: Partner Keystore for keys and certificates used to establish trust with partners, clients, and agents. amtruststore: Trust Keystore for keys and certificates that are used to establish trust in entities that are interacting with the OAM Server instances amcrl.jar: Certificate Revocation Lists (CRL) are used by the OAM Server instances when performing CRL-based certificate revocation checking See Also: "Introduction to Oracle Access Management Keystores" on page 5-31 The files in Table 44–2, are distributed across all OAM Servers in the domain by the JMX framework. The $DOMAIN_HOME/config/fmwconfig /mbeans directory defines a registration mbeans.xml for each file that indicates the MBean to manage the file and also identify that the file should be propagated across the domain. Table 44–2 Keystore Mbeans Keystore Mbean and Description System/Partner Keystore: .oamkeystore Configuration of the .oamkeystore is done using the JRE's keytool application. Trust Keystore: .amtruststore Configuration of the amtruststore is done using the JRE's keytool application. CRL: amcrl.jar CRL MBean: Can be used to manage CRLs. The token security key pair is populated to the common keystore shared by Security Token Service. This eliminates the need for Oracle Web Services Manager agents to interact with the common keystore. 44-2 Administrator's Guide for Oracle Access Management Introducing the Security Token Service Certificates and Keys You can use a WLST command to retrieve the password for keystores and for the amtruststore, as described in "Resetting System Keystore (.oamkeystore) and Trust Keystore (amtruststore) Password" on page 44-4. 44.2.2 About the Oracle Web Services Manager Keystore (default-keystore.jks) This topic describes the keystore of type JKS required by the Oracle WSM Agent to contain System and Partner keys and certificates. Oracle WSM Agent functionality is available to Security Token Service to publish WS Policies and enforce message protection on inbound and outbound WS messages. Oracle WSM requires a separate keystore to contain System and Partner keys and certificates. The Oracle WSM Agent uses a keystore for various cryptographic operations. For these tasks, the Oracle Web Services Manager Agent uses the keystore configured for Oracle Web Services Manager tasks (containing OWSM private keys and OWSM trusted certificates). The OPSS modules publish a keystore service used by Oracle Web Services Manager for certificate validation operations, and the $DOMAIN_ HOME/config/fmwconfig/jps-config.xml will contain the settings for the keystore service. The default name is default-keystore.jks, which is specified in jps-config.xml. Oracle strongly recommends that the Oracle WSM Agent keystore and the Security Token Service keystore always be different. Otherwise, keys could be available to any modules authorized by OPSS to access the keystore and Access Manager keys might be accessed. Oracle strongly recommends that the Oracle WSM Agent keystore and the Security Token Service keystore always be different. Note: During installation, if the Oracle WSM keystore service has not been configured, the installer: ■ ■ ■ Creates a new keystore in the $DOMAIN_HOME/config/fmwconfig folder (default name is default-keystore.jks) Creates a key entry with the corresponding certificate that will be used by OWSM for signature and encryption operations. This key entry will be stored in the OWSM Keystore under the orakey alias Stores the passwords of the key entry and of the keystore in CSF Having access to the keystore is sometimes required, to: ■ Extract the signing/encryption certificate to distribute to clients if necessary ■ Update or replace the signing/encryption key entry ■ Add trusted certificates See Also: ■ "Configuring OWSM for WSS Protocol Communication" on page 43-15 44.2.3 About Using the OPSS Keystore for Requester Certificates For the special cases where clients use referencing schemes such as SKI (as opposed to a certificate token being received as part of the web service request), the requester's Managing Security Token Service Certificates and Keys 44-3 Managing Security Token Service Encryption/Signing Keys certificates need to be populated in the OPSS Keystore. This is an uncommon scenario that requires manually provisioning keys to the OPSS keystore. For more information on this, see "About Agents and Security Token Service" on page 43-4. 44.3 Managing Security Token Service Encryption/Signing Keys Security Token Service uses keys to: ■ ■ Sign outgoing Assertions Decrypt any incoming XML encrypted data contained inside the RST message (tokens, entropies...), which is not handled by the WSS Protocol Security Token Service uses the following keystore for storing Encryption and Signing Certificates. $DOMAIN_HOME/config/fmwconfig/.oamkeystore Task overview: Managing Security Token Service Keys 1. Resetting System Keystore (.oamkeystore) and Trust Keystore (amtruststore) Password 2. Adding a New Key Entry to the System Keystore (.oamkeystore) 3. Extracting an Security Token Service Certificate See Also: "Configuring OWSM for WSS Protocol Communication" on page 43-15 44.3.1 Resetting System Keystore (.oamkeystore) and Trust Keystore (amtruststore) Password Use the following procedure to reset the password that protects keystores, and the key entries that are using the same password as the keystore. These keystores were created and configured during installation, as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. The password and key entries password were randomly generated. The WLST resetKeystorePassword method allows the Administrator to set the .oamkeystore password and any key entries with a password identical to the .oamkeystore password to a new value: ■ ■ ■ ■ Updates the .oamkeystore password Updates the key entries in .oamkeystore that had the same password as the keystore Updates Access Manager, Identity Federation, and Security Token Service configuration to reflect the changes Updates the amtruststore password (if the keystore is protected by the same password as the default .oamkeystore) See Also: Oracle Fusion Middleware WebLogic Scripting Tool Command Reference To reset system and trust keystore passwords Enter the WSLT scripting environment, as usual. 1. 44-4 Administrator's Guide for Oracle Access Management Managing Security Token Service Encryption/Signing Keys 2. Connect to the WebLogic Server AdminServer, using the connect() command. 3. Navigate to the domain runtime tree: domainRuntime(). 4. Execute the following: resetKeystorePassword() 5. Enter and confirm the password. 44.3.2 Adding a New Key Entry to the System Keystore (.oamkeystore) An Administrator can use the following procedure to add a new key entry into the System keystore (.oamkeystore) using the keytool command to create and add the new key entry. Once the entry has been added, it must be defined in the Security Token Service configuration screen so that it can be used to sign assertions and decrypt incoming messages. This topic provides the following procedures to add a new entry to sign SAML Assertions or decrypt XML-Encrypted data not covered by WSS: ■ Adding a New Entry ■ Configuring a SAML Issuance Template to use a Signing Key ■ Setting the Default Encryption Key 44.3.2.1 Adding a New Entry Prerequisites Resetting System Keystore (.oamkeystore) and Trust Keystore (amtruststore) Password To configure a new entry 1. Locate keytool. 2. Either generate a self signed certificate or generate a certificate request, export the request to a remote Certificate Authority, and import the certificate issued by the Certificate Authority. 3. Observe messages on the screen. 4. Proceed as needed: ■ "Configuring a SAML Issuance Template to use a Signing Key", if needed ■ "Setting the Default Encryption Key", if needed 44.3.2.2 Configuring a SAML Issuance Template to use a Signing Key Users with valid Administrator credentials can use this procedure as a guide when editing an existing template to use a signing key. See Also: ■ About Managing Token Issuance Templates ■ Searching for an Existing Template To configure a SAML Issuance Template to use a signing key 1. Display the list of existing Token Issuance Templates. Oracle Access Management Console System Configuration Security Token Services Managing Security Token Service Certificates and Keys 44-5 Managing Security Token Service Encryption/Signing Keys Token Issuance Templates 2. Find and open the SAML issuance template that will use the new key. For example: saml11-issuance-template. 3. On the SAML Issuance Template page, click the Security tab. 4. On the Security tab, Signing And Encryption section, click Sign Assertion. 5. From the Signing Keystore Access Template Id list, choose the KeyID as the Signing Keystore Entry. 6. Click Apply at the top of the page to save this information. 7. Proceed to "Setting the Default Encryption Key", if needed. 44.3.2.3 Setting the Default Encryption Key Users with valid Administrator credentials can use this procedure as a guide when editing an existing template to use a signing key. See Also: "About Security Token Service Settings" on page 43-9 To set the default encryption key 1. In the Oracle Access Management Console, click Configuration at the top of the window. 2. In the Configuration console, select Security Token Service from the View drop-down menu in the Settings section. 3. From the Default Encryption Template list, select the new key entry. 4. Click Apply at the top of the page to save this information. 5. Proceed to "Setting the Default Encryption Key". 44.3.3 Extracting an Security Token Service Certificate In some cases, it is required to distribute the Security Token Service keys used for SAML Signature operations or XML encryption operations: ■ ■ When a Relying Party needs to have access to the Security Token Service signing key, in order to validate the SAML Assertion issued by Security Token Service When a token needs to be encrypted for Security Token Service Server To distribute the certificate of a key entry used by Security Token Service for SAML Signature operations or XML encryption operations, use the Certificate Retrieval Service by specifying the KeyID (listed in System Configuration, Security Token Service, Security Token Service Settings and the preferred encoding (der vs pem). For more information, see "Using the Certificate Retrieval Service". 44.3.3.1 Using the Certificate Retrieval Service To use the Certificate Retrieval service 1. Retrieve the KeyID of the entry for which the certificate should be retrieved (listed in Oracle Access Management Console System Configuration tab, Security Token Service section, Security Token Service Settings). 44-6 Administrator's Guide for Oracle Access Management Managing Partner Keys for WS-Trust Communications 2. Create a URL. For example: http(s)://osts-hostname:osts-port/sts/servlet/samlcert?id=&encoding=, with: ■ ■ 3. id holding the KeyID of the entry encoding representing the format with which the certificate will be returned. Possible values are pem (PEM format) or der (DER format). (optional, default value is pem) Review the certificate returned in the browser. 44.4 Managing Partner Keys for WS-Trust Communications This topic provides the following information: ■ About Partner Certificates ■ About Downloading the Relying Party's Certificate at Run Time ■ Setting the Partner's Signing or Encryption Certificate 44.4.1 About Partner Certificates During the processing of the WS-Trust messages, Security Token Service might need to use a partner's certificate. The certificate needed depends on the situation, as described in Table 44–3. Table 44–3 Partner Keys for WS-Trust Communications If Security Token Service Must ... The OAM Server ... Issue a SAML Assertion encrypted for the Relying Party Uses the Relying Party's encryption certificate to encrypt the outgoing token Issue a SAML Assertion with the Subject Confirmation being of type Holder of Key / Asymmetric Uses the Requester Partner's signing certificate as the proof key to be included in the Assertion Issue a SAML Assertion with the Subject Confirmation being of type Holder of Key / Symmetric Uses the Relying Party's encryption certificate to encrypt the secret proof key to be included in the Assertion. Issue a SAML Assertion with the Subject Confirmation being of type Holder of Key / Symmetric Can encrypt in the RSTR for the Requester, the secret or the server entropy. Note: if the WS-Trust RST contains a UseKey element referencing an X.509 Binary Security Token in the SOAP header that was used in a signature, then Security Token Service will be able to use this certificate as the proof key. In this case, the server: ■ ■ uses the Requester's encryption certificate to encrypt the secret (if the secret was generated using only server entropy) or uses the server entropy to encrypt the secret in the RSTR (if the secret was derived from client and server entropy). Note: if the WS-Trust RST contains a ProofEncryption element referencing an X.509 Binary Security Token in the SOAP header that was used in a signature, then Security Token Service will be able to use this certificate to encrypt the secret or entropy returned to the client. Validate an incoming SAML Assertion Uses the Issuing Authority's signing certificate to verify the XML digital signature present on the Assertion. Managing Security Token Service Certificates and Keys 44-7 Managing Partner Keys for WS-Trust Communications 44.4.2 About Downloading the Relying Party's Certificate at Run Time At runtime, Security Token Service is capable of downloading the Relying Party WSS Policy of the service listed in the AppliesTo field of the RST. If Security Token Service is configured to download the Relying Party's WS-Sec policy, then ensure that the Proxy settings are correctly entered, if needed, so that Security Token Service can connect to the Relying Party. If the Relying Party Partner Profile is configured to do so, it instructs Security Token Service to download the WS-Sec Policy from the service. Security Token Service then extracts the certificate located in the policy and uses it for cryptographic operations, if necessary. Also: ■ ■ If Security Token Service issues a SAML Assertion encrypted for the Relying Party, the server uses the certificate downloaded from the Relying Party's WS-Sec Policy to encrypt the outgoing token. If Security Token Service issues a SAML Assertion with the Subject Confirmation of type Holder of Key / Symmetric, Security Token Service uses the certificate downloaded from the Relying Party's WS-Sec Policy to encrypt the secret proof key to be included in the Assertion. To configure the Relying Party Partner Profile to download the certificate at run time, see "Setting the Partner's Signing or Encryption Certificate". 44.4.3 Setting the Partner's Signing or Encryption Certificate To set the signing or encryption certificate of a partner, perform the following operations. Alternatively: Use the WLST Partner commands to set the signing or encryption certificate of a specific partner. Prerequisites Review Table 44–3, " Partner Keys for WS-Trust Communications" To set the certificate of a partner 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Partners from the View drop-down menu in the Security Token Service section. 3. Select the desired tab (Requesters, Relying Parties or Issuing Authorities (see Table 44–3)). 4. Search for and open (or Create) the Partner for which the certificate must be set. 5. Edit Partner settings as needed (see "Managing Token Service Partners" on page 46-3) and click Save. 6. Encryption Certificate: Click the Browse button to locate and choose the Encryption certificate. 7. Signing Certificate: Click the Browse button to locate and choose the Signing certificate. 8. Save the information and close the page. 9. Proceed with "Managing Certificate Validation". 44-8 Administrator's Guide for Oracle Access Management Managing Certificate Validation 44.5 Managing Certificate Validation This section describes managing certificate validation. Conditions for certificate validation are described in Table 44–4. Table 44–4 Conditions for Security Token Service Certificate Validation STS Validates a Certificate When ... The security token to be validated is one of the following types: ■ X.509 ■ X.509v3 ■ PKCS#7 A SAML Assertion must be validated Security Token Service is configured to validate the signing certificate of a SAML Issuing Authority Successful validation requirements are listed in Table 44–5. Table 44–5 Successful Certificate Validation Requirements Certificates Must ... How ... Be linked to a trusted anchor: ■ ■ Not be revoked: ■ ■ by being a trusted anchor or by having its issuer being a trusted anchor The revocation status of a certificate can be decided by checking: by being a trusted anchor or by having its issuer being a trusted anchor ■ Against a list of CRLs that were uploaded by the Administrator ■ Against an OCSP server ■ CRL Distribution Points Certificate validation requires the Trust Anchors Store (.amtruststore). Procedures for managing this store and validation are described in following topics: ■ Managing the Trust Anchors Store (amtruststore) ■ Managing Certificate Revocation Lists ■ Using a Custom Trust Anchor Store for Security Token Service 44.5.1 Managing the Trust Anchors Store (amtruststore) The Trust Anchors keystore is managed using the keytool command. Certificates added to the keystore are detected by the Certificate Validation module. Notification is performed using the JMX Notification Framework and might take some time, depending on the notification refreshing time (60 seconds by default). Note: Prerequisites Resetting System Keystore (.oamkeystore) and Trust Keystore (amtruststore) Password To manage the Trust Anchors store (amtruststore) 1. Locate keytool. Managing Security Token Service Certificates and Keys 44-9 Managing Certificate Validation 2. Execute the following command. keytool -keystore $DOMAIN_HOME/config/fmwconfig/amtruststore -storetype JKS -alias orakey -file $CERT_FILE 3. Observe messages on the screen and enter a password if requested. 4. Proceed to "Managing Certificate Revocation Lists". 44.5.2 Managing Certificate Revocation Lists Security Token Service uses the common infrastructure certification validation module. Trusted Certificates and Certificate Revocation Lists (CRLs) used during certificate validation are stored in Trust Keystore and CRL ZIP file. The Security Token Service configuration stores the OCSP/CDP settings. This section outlines how to add or remove certificate revocation lists (CLRs) to check the revocation status of a certificate, perform the following operations. See Also: "Managing Certificate Validation and Revocation" on page 3-7 Prerequisites Have your Certificate Revocation List ready to import. Task overview: Manage Certificate Validation and Revocation Lists 1. From the Oracle Access Management Console System Configuration tab, Common Configuration section, select Certificate Validation. 2. See "Enabling the Certificate Revocation List Functionality" on page 3-8. 3. See "Enabling OCSP Certificate Validation" on page 3-9: 4. See "Enabling CRL Distribution Point Extensions" on page 3-9. 44.5.3 Using a Custom Trust Anchor Store for Security Token Service Optionally, if a particular deployment requires a set of trust anchors separate from that of Access Manager, another keystore can be configured as the trusted certificate store for Security Token Service. This can be done by having the Administrator perform the following tasks. Using a Custom Trust Anchor Store is an optional feature that most customers will not need. Note: Task overview: Deploying a custom keystore for trusted certificates 1. Create the JKS keystore in the $DOMAIN_HOME/config/fmwconfig directory. 2. In the Oracle Access Management Console, Security Token Service Settings page, enter the full path name of the new trust store and Apply your changes. 3. In the domain where Security Token Service is deployed, the Custom Trust Anchor Keystore must be propagated manually by the Administrator across all the servers. 44-10 Administrator's Guide for Oracle Access Management 45 Managing Templates, Endpoints, and Policies 45 [30The ] Security Token Service must be enabled as documented in Section 43.3, "Enabling and Disabling Security Token Service." This chapter provides information about managing the templates, endpoints and policies for the Security Token Service. ■ Introduction ■ Searching for an Existing Template ■ Managing Token Issuance Templates ■ Managing Token Validation Templates ■ Managing Security Token Service Endpoints ■ Managing Token Issuance Policies, Conditions, and Rules ■ Managing TokenServiceRP Type Resources ■ Making Custom Classes Available ■ Managing a Custom Security Token Service Configuration 45.1 Introduction The Security Token Service controls who can access a Web Service Provider (WSP) by defining Application Domains that provide access to resources based on configured policies. Application Domains identify Web Services and the authorization rules that determine who can request a security token. The following functionality is established by Trust Issuance Policies. A Trust Issuance Policy can be managed by clicking the Application Domains link from the Oracle Access Management Console Launch Pad. ■ ■ ■ Resource of type TokenServiceRP representing Relying Parties or Web Service Providers. Token Issuance Policy defining a policy for a set of resources of type TokenServiceRP. Condition defining the identities of the clients that are allowed or denied issuance of tokens for the resources listed in the policy. The clients can either be Requester Partners or User from the Default Identity Store. Security Token Service supports the creation of Relying Party Partner, representing a remote Web Service Provider that will be the consumer of a security token issued by Security Token Service. Managing Templates, Endpoints, and Policies 45-1 Searching for an Existing Template For each Relying Party Partner, it is possible to define URLs that will be mapped to the partner, so that WS-Addressing endpoint specified in a WS-Trust Request can be mapped to an Security Token Service Relying Party Partner. At runtime, when a client requests a token to be issued, Security Token Service will evaluate the Trust Issuance Policies to determine whether or not the token can be issued: ■ ■ ■ ■ The client will be identified either as a Requester Partner or as an end user If an AppliesTo element was present in the WS-Trust Request and was mapped to a Relying Party Partner, then the TokenServiceRP resource for the Trust Issuance Policy evaluation will be the Partner ID of that Security Token Service Relying Partner. If an AppliesTo element was present in the WS-Trust Request and could not be mapped to a Relying Party Partner, then the TokenServiceRP resource for the Trust Issuance Policy evaluation will be the UnknownRP defined in the Access Manager Application Domain. If an AppliesTo element was missing in the WS-Trust Request, then the TokenServiceRP resource for the Trust Issuance Policy evaluation will be the MissingRP defined in the Access Manager Application Domain. Security Token Service requires the following items (at a minimum) to process a request and issue a token based on an incoming request (RST): ■ EndPoints ■ One Issuance Template ■ One Validation Template ■ One Requester Partner Profile that contains the token ■ One Relying Party Partner Profile Note: Partners might need to be provisioned. An LDAP server is required for the Security Token Service to map the Username token that references the user to an LDAP User record, and then use that record to populate the outgoing token. Partners might need to be provisioned before they are available. 45.2 Searching for an Existing Template All defined template names appear in the Search Results Table when you open either the Token Validation Template or Token Issuance Template node. To quickly find a specific template or set of templates, you can use the Search controls. This section explains the controls you can use to refine your search, which are similar whether you are searching for a Token Validation Template or a Token Issuance Template. It includes the following topics: ■ About Template Search Controls ■ Searching For a Template 45-2 Administrator's Guide for Oracle Access Management Searching for an Existing Template 45.2.1 About Template Search Controls The following figures show the search pages where you will see many similarities: ■ Figure 45–1, "Validation Templates Search Controls" ■ Figure 45–2, "Issuance Template Search Controls" Figure 45–1 Validation Templates Search Controls Figure 45–2 Issuance Template Search Controls Table 45–1 describes the controls available to refine a template search. Unless explicitly stated, all elements are available for both Validation and Issuance Template searches. Managing Templates, Endpoints, and Policies 45-3 Searching for an Existing Template Table 45–1 Search Validation Template Element Description Match Choose All to search for a template that matches all your specifications. Choose Any to search for a template that matches at least one of your specifications. Search Operations List A list of operations from which you choose one to help refine your search. ... Template Name Choose an operation from the list and enter information in the field to help refine your search. Description Refine your search using the optional description field. Token Protocol Choose the token protocol from those listed: Validation Template only ■ WS-Trust ■ WS-Security Token type Choose the token type. Both standard and custom token types are included. ■ Username: Consumption and Creation ■ X.509: Consumption ■ SAML: Consumption & Creation ■ OAM 11g: Consumption using the OBO (on behalf of) field ■ Kerberos: Consumption ■ Custom: Consumption the OBO (on behalf of) field and Creation Search Initiates the Search function using criteria in the form. Reset Resets the Search form with defaults only. Add Fields A list of additional items you can add as search criteria. Search Results Table Itemizes the results of your search based on choices in the View menu, described later in this table. Actions menu Provides the following functions that can be performed on a selection in the results table: Shown: Actions for Validation Template Note: Actions menu functions mirror command buttons above the results table. For example: ■ ■ ■ ■ View menu Validation Template only View menu Issuance Template only Up-Down Arrows New ... Template: Click the New ... Template button at the top of the Search page, or select New ... Template from the menu, or click the + button above the table. Edit: Click a name in the Results Table, or select Edit from the Actions menu, or click the Edit (pencil) command button above the Results Table. Create Like: Select the desired row in the table and either select Create Like from the Actions menu, or click the Create Like command button above the table Remove: Select the desired row in the Results Table and either select Delete from the Actions menu, or click the Delete (X) command button above the table. A list from which you can identify Validation Template information to display in the results table. A list from which you can identify Issuance Template information to display in the results table. Controls you can choose to define the order of items listed in the results table: ■ Ascending ■ Descending 45.2.2 Searching For a Template Users with valid Administrator credentials can use the following procedure to use search controls to locate a specific template or set of templates. For example, to locate all templates of a certain token type you can simply choose the type of token. To refine the search further to all templates of a specific token type and name. When performing these steps, fill in as much or as little as you want. Skip any steps that do not apply to you. See Also: "About Template Search Controls" 45-4 Administrator's Guide for Oracle Access Management Managing Token Issuance Templates To search for a template 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Token Validation Templates or Token Issuance Templates the View menu in the Security Token Service section. 3. Edit Search Criteria (Table 45–1). For example: 4. ■ Match: All ■ Name: contains em ■ Token Type: equals Username Click Search, review results, and click the one you want to open. 45.3 Managing Token Issuance Templates An issuance template contains rules on how a token will be created and is specific to a token type. Each issuance template indicates Signing and Encryption and also contains Attribute Name, Value Mapping, and Filtering settings to be sent as part of the token. This section provides the following information: ■ About Managing Token Issuance Templates ■ Managing a Token Issuance Template 45.3.1 About Managing Token Issuance Templates Each Token Issuance Template indicates how to construct a token. In other words, which signing or encryption to use when constructing a token. Each Token Issuance Template also defines the attributes mapping and filtering rules to be applied to the attributes that will be included in the outgoing token. However, Issuance Templates do not list the attributes that will be sent in the outgoing token: these are defined in the Relying Party Partner Profile. Token Issuance Template details which will differ depending on your chosen token type. Table 45–2 describes where to find more information. Table 45–2 Issuance Template Requirements Topic Figures and Tables General Details Figure 45–3, Table 45–3 Issuance Properties: Username Tokens Figure 45–4, Table 45–4 Issuance Properties: SAML Tokens Figure 45–5, Table 45–6 Security: SAML Tokens Figure 45–6, Table 45–6 Attribute Mapping: SAML Tokens Figure 45–9, Table 45–7 General Details Figure 45–3 shows the New Issuance Template page with defaults showing. Unless explicitly stated, General information is the same regardless of the Token Type you choose. For more information, see Table 45–3. After you fill in General information and click Save, you cannot return and edit the template name or token type. Managing Templates, Endpoints, and Policies 45-5 Managing Token Issuance Templates Figure 45–3 Issuance Template: General Details and Defaults Table 45–3 Issuance Template: General Details Elements Description Issuance Template Name Enter a unique name for this template. Description Optional. Token Type Choose a standard (or custom, if any) token type from those listed. SAML, Username, and Custom Token Types Send Encrypted Token Click to enable token encryption. Token Encryption Algorithm When token encryption is enabled, choose a Token Encryption Algorithm from those listed. Issuance Properties: Username Token Type If the token type is Username, the Issuance Properties shown in Figure 45–4 are needed for a Username token type template. Figure 45–4 Issuance Properties: Username Token Type Table 45–4 describes the Issuance Properties for the Username token type. Table 45–4 Issuance Properties: Username Token Type Element Description Name Identifier User Attribute Attribute to be used to populate the Username element in the Username Token. 45-6 Administrator's Guide for Oracle Access Management Managing Token Issuance Templates Table 45–4 (Cont.) Issuance Properties: Username Token Type Element Description Name Identifier User Attribute Store Choose the user attribute store type: ■ Userstore ■ Context Note: If the Attribute Store is the Userstore, LDAP is used to retrieve the attribute from the user record. If the Attribute Store is context, data from the incoming token is used as the attribute source. Password Attribute Password Attribute Store Attribute to be used to populate the Password element in the Username Token. Choose the password attribute store type: ■ Userstore ■ Context Note: If the Attribute Store is the Userstore, LDAP is used to retrieve the attribute from the user record. If the Attribute Store is context, data from the incoming token is used as the attribute source. Include Nonce Indicates whether or not a Nonce made of random data should be included in the Username token. Default: Disabled Include Timestamp Indicates whether or not a the Created element should be included in the Username token. Default: Disabled Issuance Properties: SAML Token Types SAML 1.1 and 2.0 token types require the issuance properties illustrated in Figure 45–5. These issuance properties differ from those for Username token type. Note: Figure 45–5 Issuance Properties: SAML Token Types Managing Templates, Endpoints, and Policies 45-7 Managing Token Issuance Templates Table 45–5 describes all Issuance Properties by token type. Only SAML token types require issuance properties. Table 45–5 Issuance Properties: SAML Token Types Element Description Assertion Issuer Specifies the identifier representing the issuer of the assertion. This string is used to represent this Security Token Service as the issuer of the assertion. Name Identifier Format Choose a format from the list and then enter the details in the text field. Options may include Custom, Kerberos Principal Name, Unspecified, X509 Subject Name and others. Name Identifier Qualifier Contains the string that will be set as the Name Identifier Qualifier. Name Identifier User Attribute References the attribute that will be used to populate the value of the Name Identifier. Name Identifier User Attribute Store ■ Userstore ■ Context Note: If the Attribute Store is the Userstore, LDAP is used to retrieve the attribute from the user record. If the Attribute Store is context, data from the incoming token is used as the attribute source. Include Authentication Statement Indicates whether or not a SAML Authentication Statement should be included in the Assertion. Default: Disabled Note: An authentication operation is required for a statement of this type to be included. An authentication statement will be included if the incoming token contained some authentication data and that those were validated (for example, the incoming SAML Assertion contains an authentication statement, or a Username Token contains credentials that were validated). Include Attribute Statement Indicates whether or not a SAML Attribute Statement will be included in the outgoing Assertion. A statement of this type will be included only if this flag is set to true and if at least one attribute is included in the outgoing Assertion. Default: Enabled Note: the RP PP will determine which attributes need to be included in an outgoing token. Validity Period Specify the length of time (in seconds) that the token will be valid. Default: 3600 (seconds) Security Details: SAML Tokens Only SAML token types require Security Details, as shown in Figure 45–6 and described in Table 45–6. 45-8 Administrator's Guide for Oracle Access Management Managing Token Issuance Templates Figure 45–6 Security Details: SAML Tokens Table 45–6 Security Details: SAML Tokens Elements Description Signing And Encryption Indicates whether or not the Assertion will be signed using the Key referenced by the Signing Keystore Access Template ID field. Sign Assertion Indicates whether or not the assertion will be digitally signed with a certificate. Default: Enabled Include Certificate in Signature Indicates whether or not the signing certificate will be included in the Assertion. Default: Enabled Signing Keystore Access Template References the key to be used to sign assertions created with this Id issuance template. The key templates are defined in the Security Token Service Settings section. Send Encrypted Name Identifier Indicates whether the encrypted token name identifier will be sent as part of the digital assertion signature. Subject Confirmation Default Subject Confirmation Method Compute Holder-of-Key Symmetric Key Indicates which Subject Confirmation Method will be used by default, if the requester did not specify a method in the WS-Trust request. Possible values are: ■ Bearer ■ Holder of Key with Public Key ■ Holder of Key with Symmetric Key ■ Sender Vouches Default: Enabled Indicates whether or not Security Token Service will generate random data when creating the Secret Key for the Holder of Key Symmetric Key data. ■ ■ If true, the server will generate the secret key if the client did not specify entropy. Otherwise it will derive the key from the client and server entropy If false, the client entropy will be used as the secret key Managing Templates, Endpoints, and Policies 45-9 Managing Token Issuance Templates Table 45–6 (Cont.) Security Details: SAML Tokens Elements Description Encrypt RSTR Proof Token Indicates whether or not the Proof Token must be encrypted when returning the server entropy or secret key to the requester in the WS-Trust response, when the Subject Confirmation method is Holder of Key with Symmetric Key Default: Disabled Holder-of-Key Symmetric Key Generation Algorithm Select the symmetric key generation algorithm that will be used to create the secret key when the Subject Confirmation method is Holder of Key with Symmetric Key: Attribute Mapping: SAML Tokens When the token type is SAML 1.1 or 2.0, it is possible to define attribute mapping and filter rules that will be applied to the attributes included in the Assertion. There are three different rules: ■ ■ ■ Attribute name mapping where the local name of an attribute can be changed to another value. For example, givenname can be changed to firstname. Attribute value mapping where the local value of an attribute can be translated to another value. For example, President to CEO. Attribute value filtering where the local value of an attribute can be filtered so it is not included in the outgoing assertion. For example, some sensitive attribute values could be removed while others would be issued. See Also: Table 45–7 Token Mapping attributes in Figure 45–9 and Table 45–11. Issuance Template: Attribute Mapping, SAML Token Element Description Attribute Name Mapping Defines an optional mapping between the local name of an attribute, and the name used to reference this attribute in the assertion. The mapping is optional. If an attribute does not have a mapping defined, then its local name will be used, and the namespace will be set to urn:oracle:security:fed:attrnamespace for SAML 1.1 Assertions or the format will be set to urn:oasis:names:tc:SAML:2.0:attrname-format:basic for SAML 2.0 Assertions. ■ ■ ■ External Attribute: Contains the externam name of the attribute as it will appear in the Assertion. Local Attribute: Contains the local name of the attribute. Format of Namespace: Contains an optional Format or Namespace. If missing, the namespace will be set to urn:oracle:security:fed:attrnamespace for SAML 1.1 Assertions or the format will be set to urn:oasis:names:tc:SAML:2.0:attrname-format:basic for SAML 2.0 Assertions. 45-10 Administrator's Guide for Oracle Access Management Managing Token Issuance Templates Table 45–7 (Cont.) Issuance Template: Attribute Mapping, SAML Token Element Description Attribute Value Mapping Defines an optional value mapping for an attribute that will be included in the Assertion. Note: this attribute value mapping applies to an Attribute Name mapping. In order to define an attribute mapping for an attribute, it is required to first define an attribute name mapping for that attribute. ■ ■ ■ ■ ■ Attribute Value Filters External Attribute: Contains the value that should be included in the Assertion, if the local attribute value matches the Local Attribute/Local Null fields. Local Attribute: Contains the local value of the attribute. External Null: Indicates if the value to be included in the Assertion should be null, if the local value of the attribute matches the Local Attribute/Local Null fields. Local Null: Represents a null local value. Ignore Case: Indicates whether or not Security Token Service should ignore case when comparing the attribute value to the Local Attribute field. Defines an optional value filtering for an attribute that will be included in the Assertion. Note: This attribute value filtering applies to an Attribute Name mapping. In order to define an attribute filtering for an attribute, it is required to first define an attribute name mapping for that attribute. ■ ■ ■ Condition: Contains the condition associated with the expression to determine whether or not the attribute value should be filtered. The possible values are described in "Attribute Value Condition Filters". Expression: Contains data that will be used to evaluate the filtering rule. Ignore Case: Indicates whether or not Security Token Service should ignore case when comparing the attribute value to the expression field. Attribute Value Condition Filters This optional value filtering applies to an Attribute Name mapping and will be included in the Assertion. To define an attribute filtering for an attribute, you must first define an attribute name mapping for that attribute. The Condition is associated with the expression to determine whether or not the attribute value should be filtered. The possible Condition values are: ■ ■ ■ ■ ■ ■ ■ ■ regexp: the expression will contain a regular expression, and if it evaluates to true, the attribute value will be filtered. equals: if the attribute value matches the data contained in the expression field, then it will be filtered. not-equals: if the attribute value does not match the data contained in the expression field, then it will be filtered. not-equals: if the attribute value does not match the data contained in the expression field, then it will be filtered. endswith: if the attribute value ends with the data contained in the expression field, then it will be filtered. contains: if the attribute value contains an occurrence of the data contained in the expression field, then it will be filtered. not-contains: if the attribute value does not contains any occurrence of the data contained in the expression field, then it will be filtered. equals-null: if the attribute value is null, then it will be filtered. Managing Templates, Endpoints, and Policies 45-11 Managing Token Issuance Templates ■ not-equals-null: if the attribute value is not null, then it will be filtered. 45.3.2 Managing a Token Issuance Template Users with valid Oracle Access Management Administrator credentials can use this procedure as a guide when developing a new Token Issuance Template (or editing an existing template) Skip any steps that do not apply to you. The following procedure describes how to create a new Token Issuance Template for a Security Assertion Markup Language (SAML) token. Prerequisites Confirm that the desired LDAP Identity Store is registered with and configured as the Default Store. See Also: ■ About Managing Token Issuance Templates ■ Searching for an Existing Template To create a new token issuance template 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Token Issuance Templates the View menu in the Security Token Service section. 3. New Token Issuance Template: a. Click the New Issuance Template button in the upper-right corner (or click the Add (+) button above the Search Results table). b. General: Define general information for this template and see: Table 45–3, " Issuance Template: General Details" c. Click Save and dismiss the confirmation window (or click Cancel without saving). d. Username Token Type: Define issuance parameters for this template and see: Table 45–4, " Issuance Properties: Username Token Type" e. SAML Token Type: Define parameters for this template and see: Table 45–5, " Issuance Properties: SAML Token Types" Table 45–6, " Security Details: SAML Tokens" Table 45–7, " Issuance Template: Attribute Mapping, SAML Token" 4. f. Click Apply (or click Revert without saving it). g. Close the definition. Find an Existing Template: From the Token Issuance Templates page: a. Find All: review the results table. All templates are returned by default when you access the Issuance Templates page. b. Narrow the Search: Specify your search criteria (Table 45–1), click the Search Button, and review the results table. c. Reset the Search Form: Click the Reset button. 45-12 Administrator's Guide for Oracle Access Management Managing Token Validation Templates 5. Edit a Template: Start with the saved page you just created. Alternatively: Use Step 3 to find the desired template and click the name in the Search Results table to display the definition. 6. a. Edit details as needed. b. Click the Apply button at the top of the page to submit changes (or Revert to undo your changes). Remove a Template: a. Click the desired name in the Search Results table to select the item to remove. b. From the Actions menu, click Delete (or click the Delete (X) command button above the table. c. Click the Delete button in the Confirmation window (or click No to cancel the operation). 45.4 Managing Token Validation Templates A validation template is used to validate an incoming token and, optionally, map the incoming token to either a Requester Partner or a user record: ■ For OnBehalfOf use cases, a WS-Trust Validation Template must be present. ■ For validating an Assertion, one Issuing Authority Partner Profile must be present. The Security Token Service Endpoint is linked to a WSS Validation Template that indicates how to validate the token in the WSS header and how to map the token and binding data to a Requester. This section provides the following topics. ■ About Managing Token Validation Templates ■ Managing Token Validation Templates 45.4.1 About Managing Token Validation Templates A Security Token Service Endpoint is always mapped with a WS-Security Validation Template that indicates how to map the request to a requester entry or to a user: ■ If mapping is required and no match is found, processing will fail. ■ If no mapping is required, a default requester partner profile will be used. ■ In either case, a requester partner profile is retrieved. ■ ■ If a mapping is performed to a user record, a default requester partner profile will be used. If a mapping is performed to a requester partner entry, the requester partner profile for this partner will be used. A validation template determines the token validation rules: ■ Whether or not to validate and map the incoming token. ■ The mapping rules to be used if mapping is enabled. A validation template is specific to a token type and specific to a protocol as described in Table 45–8. Managing Templates, Endpoints, and Policies 45-13 Managing Token Validation Templates Table 45–8 Validation Template Protocols Protocol Description WS-Security Validates only WS-Security Tokens: ■ ■ Possible Mapping actions: no action, map binding data to partner, map incoming token to partner, map incoming token to user and binding data to partner, map incoming token to user Token Types supported: SAML 1.1, SAML 2.0, Username X.509, Kerberos, None. When you toggle the Token Protocol from WS-Trust to WS-Security, options in the Token Type list do not change. However, the required "Default Partner Profile" list appears from which you must choose one profile for WS-Security. WS-Trust Validates only Tokens included in OBO (on behalf of) field of the RST (request): ■ ■ Possible Mapping actions: none, map incoming token to user Token Types supported: SAML 1.1, SAML 2.0, Username, X.509, Kerberos, OAM, Custom. A validation template mapping rules determines how the incoming data is mapped to a user or a partner, using data from the incoming token: ■ Username for Username Token ■ UserID for Kerberos Token ■ NameID and attributes for SAML Token ■ DN Components for X.509 Token ■ Attributes from a Custom Mapping is performed as follows: ■ ■ ■ Simple mapping: one incoming attribute matched against one user record attributes Complex LDAP query: LDAP query with placeholders for incoming data (e.g.: (&(sn=%lastname%)(mail=%email%)) NameID Mapping table for SAML Token Figure 45–7 illustrates default General details on the New Validation Template page. Figure 45–7 New Validation Template page: General Page Defaults Table 45–9 describes the elements on the New Validation Template, General page. 45-14 Administrator's Guide for Oracle Access Management Managing Token Validation Templates Table 45–9 New Validation Template: General Details Element Description Back Click this button to return to the previous page. Next Click this button to proceed to the next page. Cancel Click this button to dismiss the page. Validation Template Name The name you choose for this template. For example: email-wstrust-valid-temp Description Token Protocol Optional. The type of Validation Template to be created. Type can be either: ■ ■ Token Type WS-Security: This template will be used to validate and map tokens located in the Security SOAP Header of the incoming message A list of in-bound token types from which you choose the one to use for this template. The token type options depends on the protocol type: ■ ■ Default Partner Profile WS-Trust: This template will be used to validate and map tokens included in the OnBehalfOf element of the WS-Trust request. WS-Trust: SAML 1.1, SAML 2.0, Username, X.509, Kerberos, OAM, Custom WS-Security: SAML 1.1, SAML 2.0, Username, X,509, Kerberos, None Only applies to WS-Security Validation Template References the default requester partner profile to use, in case the incoming request is not mapped to a requester partner. For example, if the request is mapped to a user instead. A requester partner profiles contains settings that are used during the request processing. If the incoming request was mapped to a requester partner, then the partner profile for that requester will be retrieved and used as the requester partner profile Timestamp Lifespan Applies only to Username and SAML Validation Templates. It determines the validity time of a Token (for Username Token, only if it contains a Created element indicating the instant it was created). Default: 1000 (seconds) Authentication Details Specific to username token validation template. Enable Credential Validation Check this box to enable validation using credentials contained in the username token. When enabled, Security Token Service will validate the username and the password elements contained in the username token, using the specified validation source. Note: password digest as defined in the Username Token WS-Security Profile is not supported in this release. See Also: Table 45–10, " New Validation Template: Authentication Details" Figure 45–8 illustrates the General details page when Enable Credential Validation is checked and, as a result, the Authentication Details section of the page is visible with its default values. This is specific to username token validation. Managing Templates, Endpoints, and Policies 45-15 Managing Token Validation Templates Figure 45–8 New Validation Template: General Authentication Details Table 45–10 describes Authentication related details that are available when you choose Enable Credential Validation. Table 45–10 New Validation Template: Authentication Details Element Validation Source Description A list from which you can choose a credential validation sources There are four types of validation sources when validating the credentials contained in a username token: ■ ■ ■ ■ LDAP: a standalone LDAP server will be used to validate the credentials. The connection information will need to be entered Embedded LDAP: the LDAP server embedded in the WebLogic server will be used to validate the credentials. No information is required. Userstore: the default User Identity Store configured in the Common Configuration -> Data Sources will be used to validate the credentials. No information is required in this validation template screen Partner: the credentials will be verified against the username/password information entered in the Requester Partner entries. Note: When selected, the Token Mapping configuration section is disabled, because the token will have been mapped to a requester partner after the credentials validation operation. LDAP URL The URL of the LDAP server. Admin User The username of an account used to perform lookups in the LDAP server. Admin Password The password of an account used to perform lookups in the LDAP server. 45-16 Administrator's Guide for Oracle Access Management Managing Token Validation Templates Table 45–10 (Cont.) New Validation Template: Authentication Details Element Description Base DN The Base search DN used when looking up user records. Enable HA Indicates whether or not the LDAP server is in HA mode, fronted by a load balancer. Person Object Class The person object class associated with the user records. Unique Id The attribute of the user record containing the user unique identifier data. In most cases, is identical to the Credential ID field. Credential Id The attribute of the user record containing the username data. This field will be used to lookup user records, based on the username. Maximum Connections The maximum number of concurrent opened LDAP connections Default: 50 Connection Wait Timeout Maximum amount of time to wait when opening a new connection. Connection Inactivity Timeout Maximum amount of inactivity time for an LDAP connection, before closing it. Connection Read Timeout Maximum number of concurrent opened LDAP connections. Default: 5000 (seconds) Default: 5000 (seconds) Default: 5000 (seconds) Token Mapping The Token Mapping section indicates the following: ■ ■ ■ If an incoming token needs to be mapped. If the incoming token needs to be mapped, what kind of mapping is done. For example, mapping token to user, mapping token to partner, and so on. How the mapping is done. For example, by mapping a token attribute to a partner/user attribute, or by using an LDAP query involving several token attributes. Mapping rules determine how the incoming data is mapped to a user or a partner. The following data of the incoming token is used: ■ Username for UNT ■ UserID for Kerberos ■ NameID and attributes for SAML ■ DN Components for X.509 ■ Attributes from custom Mapping is performed using the following: ■ ■ ■ Simple mapping: One incoming attribute matched against one user record attributes. Complex LDAP query: An LDAP query with placeholders for incoming data. For example, (&(sn=%lastname%)(mail=%email%)) A NameID Mapping table for SAML Following are several Token Mapping Examples for a new Validation Template: ■ Figure 45–9, "Token Mapping: SAML2 WS-Security Validation Template" ■ Figure 45–10, "Token Mapping, username-wstrust-validation-template" ■ Figure 45–11, "Token Mapping: x509-wss-validation-template" Managing Templates, Endpoints, and Policies 45-17 Managing Token Validation Templates Figure 45–9 shows the mapping configuration settings required for Security Token Service to map the token to a user record, by matching the NameID value to user records that have a matching attribute, based on the NameID format: ■ Enable Map Token to User ■ Enable Simple User Mapping ■ Disable Attribute Based User Mapping Figure 45–9 Token Mapping: SAML2 WS-Security Validation Template Figure 45–10 shows the mapping configuration settings required for Security Token Service to map the token to a user record by matching the username element of the Username token to a user record that has a matching uid. The required settings are: ■ Enable Map Token to User ■ Enable Simple User Mapping ■ Datastore Attribute set to uid ■ Disable Attribute Based User Mapping 45-18 Administrator's Guide for Oracle Access Management Managing Token Validation Templates Figure 45–10 Token Mapping, username-wstrust-validation-template Figure 45–11 shows the mapping configuration settings required for Security Token Service to map the token to a requester partner entry by matching the Subject DN of the certificate to a Requester Partner that has a match on SSL Client Cert DN Identification attribute. The required settings are: ■ Map Token to Partner ■ Disable Simple User Mapping ■ Disable Attribute Based User Mapping ■ Enable Simple Partner Mapping Figure 45–11 Token Mapping: x509-wss-validation-template Managing Templates, Endpoints, and Policies 45-19 Managing Token Validation Templates Not all elements apply to all token types and token protocols. The elements that you must define will vary. Table 45–11 describes the token mapping elements for validation templates. Table 45–11 Element Map Token to New Validation Template: Token Mapping Description WS-Security Validation Template: Map Token to list ■ : no token mapping operation will occur ■ Map token to Partner: The token will be mapped to a requester partner ■ ■ Map Token to User and map binding data to Partner: The token will be mapped to a user, and binding data (such as SSL Client Cert DN or HTTP Basic Auth Username) will be used to map the HTTP request to a requester partner Map token to User: The token will be mapped to a user ---------WS-Trust Validation Template: Map Token to User Check the box to enable (or clear the checkbox to disable). 45-20 Administrator's Guide for Oracle Access Management Managing Token Validation Templates Table 45–11 (Cont.) New Validation Template: Token Mapping Element Description Enable Simple User Mapping Simple user mapping consists of mapping the incoming token to a user record by using a single token attribute and matching it against a single user record attribute. WS-Security Validation Template: Only Username, SAML Assertion, Kerberos. and X.509. WS-Trust Validation Template: Username, SAML Assertion, Kerberos, X.509, OAM and custom token. The layout is different, depending on the token type of this validation template: Username Token: ■ Datastore attribute references the user record attribute that will be matched against the username element of the username token. SAML Assertion: ■ User Token attribute references an attribute from the incoming token that will be matched against the Datastore attribute (defined below) of a user record. The values can be STS_SUBJECT_ID for the NameID Value, or the name of an Attribute contained in the Assertion's AttributeStatement. In the Token Mapping section of a SAML Validation template, the User Token Attribute will either be the NameID selected from the drop down or a SAML Attribute name entered in the text field. ■ Datastore attribute references the user record attribute that will be matched against the User token attribute referenced above. In the Token Mapping section of a SAML Validation template, the Datastore Attribute is the name of the directory attribute that will be used for the LDAP matching query. Kerberos: ■ ■ User Token attribute references an attribute from the incoming token that will be matched against the Datastore attribute (defined below) of a user record. The User Token Attribute can be specified by selecting one of the pre-populated attribute (Kerberos Principal, Kerberos Principal Primary or Kerberos Principal No Domain) or by entering a specific value. Datastore attribute references the user record attribute that will be matched against the User token attribute referenced above. X.509: ■ ■ User Token attribute references an attribute from the incoming token that will be matched against the Datastore attribute (defined below) of a user record. The User Token Attribute can be specified by selecting one of the pre-populated attribute (Subject DN, Common Name, Country Name, State or Province Name, Locality Name, Organizational Name, Organizational Unit Name or Domain Component) or by entering a specific value (which can be set to STS_X509_### by replacing ### with the upper case X.500 component name, for example STS_X509_CN to reference the common name component of the certificate subject). Datastore attribute references the user record attribute that will be matched against the User token attribute referenced above. OAM: ■ Datastore attribute references the user record attribute that will be matched against the username element of the username token. Should be the user ID attribute defined in the Default User Identity Store. Custom: ■ ■ User Token attribute references an attribute from the incoming token that will be matched against the Datastore attribute (defined below) of a user record. The possible values are the names of the attribute returned by the custom token validation module. Datastore attribute references the user record attribute that will be matched against the User token attribute referenced above. Managing Templates, Endpoints, and Policies 45-21 Managing Token Validation Templates Table 45–11 (Cont.) New Validation Template: Token Mapping Element Description Enable User Name Identifier Mapping When enabled, define the following: WSS and WS-Trust Validation Templates will contain the same section for the Name Identifier mapping settings. A NameID user mapping operation consists of mapping the incoming SAML Assertion to a user record by mapping the NameID Value to a single user record attribute, based on the NameID format When enabled, Security Token Service evaluates the NameID format, and based on the Name Identifier mapping table which user record attribute should be matched against the Name ID value contained in the Assertion. The Name Identifier mapping table holds the user record attributes to be used for the mapping operation. It contains standard NameID formats, but it can be customized to define custom Name ID formats. To add custom NameID format, click the add button on the Name Identifier mapping table, and enter the custom URI. To set an attribute for a specific NameID format to be used for mapping operation, set the user record attribute on the line for that format. Enable Attribute Based User Mapping WSS Validation Template: only Username, SAML Assertion, Kerberos and X.509. WS-Trust Validation Template: only Username, SAML Assertion, Kerberos, X.509 and custom token An Attribute Based User Mapping operation consists of mapping the incoming token to a user record by using an LDAP query and token attributes. The format of the LDAP query defines the mapping rule and specifies the token attributes to be used by their names, surrounded by the percent (%) character. For example, an LDAP query that will map a token based on two token attributes (firstname and lastname) would be (&(sn=%lastname)(givenname=%firstname%)). The possible token attributes depend on the token type. Username Token ■ STS_SUBJECT_ID is the only available token attribute containing the username element of the Username token. SAML Assertion ■ STS_SUBJECT_ID contains the NameID Value. ■ STS_NAMEID_FORMAT contains the NameID Format ■ STS_NAMEID_QUALIFIER contains the NameID Qualifier ■ STS_SAML_ASSERTION_ISSUER contains the Issuer of the Assertion ■ Attributes present in the Assertion's AttributeStatement Kerberos ■ ■ ■ STS_KERBEROS_PRINCIPAL_SHORT contains the Kerberos Principal attribute. STS_KERBEROS_PRINCIPAL_FULL contains the Kerberos Principal Primary attribute STS_KERBEROS_PRINCIPAL_NODOMAIN contains the Kerberos Principal No Domain attribute X.509 ■ STS_SUBJECT_ID contains the Subject DN. ■ STS_X509_CN contains the Common Name ■ STS_X509_C contains the Country Name ■ STS_X509_ST contains the State or Province Name ■ STS_X509_L contains the Locality Name ■ STS_X509_O contains the Organizational Name ■ STS_X509_OU contains the Organizational Unit Name ■ STS_X509_DC contains the Domain Component Custom Token ■ The possible values are the names of the attribute returned by the custom token validation module. 45-22 Administrator's Guide for Oracle Access Management Managing Token Validation Templates Table 45–11 (Cont.) New Validation Template: Token Mapping Element Description Enable Simple Partner Only for WSS Validation Template and for the following token types: Username, Mapping SAML Assertion, Kerberos, and X.509. A simple partner mapping operation consists of mapping the incoming token to a partner requester by using a single token attribute and matching it against a partner identification attributes. The layout is different, depending on the token type of this validation template Username Token ■ Partner Datastore attribute references the partner identification attribute that will be matched against the username element of the username token. SAML Assertion ■ ■ Partner Token attribute references an attribute from the incoming token that will be matched against the Partner Datastore attribute (defined below) of a Requester Partner. The values can be STS_SUBJECT_ID for the NameID Value, or the name of an Attribute contained in the Assertion's AttributeStatement. Partner Datastore attribute references the partner identification attribute that will be matched against the Partner token attribute referenced above Kerberos ■ ■ Partner Token attribute references an attribute from the incoming token that will be matched against the Partner Datastore attribute (defined below) of a requester partner. The Partner Token Attribute can be specified by selecting one of the pre-populated attribute (Kerberos Principal, Kerberos Principal Primary or Kerberos Principal No Domain) or by entering a specific value. Partner Datastore attribute references the partner identification attribute that will be matched against the Partner token attribute referenced above X.509 ■ ■ Enable Partner Name Identifier Mapping Partner Token attribute references an attribute from the incoming token that will be matched against the Partner Datastore attribute (defined below) of a requester partner. The Partner Token Attribute can be specified by selecting one of the pre-populated attribute (Subject DN, Common Name, Country Name, State or Province Name, Locality Name, Organizational Name, Organizational Unit Name or Domain Component) or by entering a specific value (which can be set to STS_X509_### by replacing ### with the upper case X.500 component name, for example STS_X509_CN to reference the common name component of the certificate subject). Partner Datastore attribute references the partner identification attribute that will be matched against the Partner token attribute referenced above. When enabled, defines the following only for WSS Validation Template and for SAML token types: A NameID user mapping operation consists of mapping the incoming SAML Assertion to a user record by mapping the NameID Value to a single requester partner identification attribute, based on the NameID format. When enabled, Security Token Service will evaluate the NameID format, and based on the Name Identifier mapping table which partner identification attribute should be matched against the Name ID value contained in the Assertion. The Name Identifier mapping table holds the requester partner identification attributes to be used for the mapping operation. It contains standard NameID formats, but it can be customized to define custom Name ID formats. To add custom NameID format, click the Add button on the Name Identifier mapping table, and enter the custom URI. To set an attribute for a specific NameID format to be used for mapping operation, set the requester partner identification attribute on the line for that format. 45.4.2 Managing Token Validation Templates This is a server side configuration. A default Token Validation Template exists. Users with valid Administrator credentials can use can use the procedure in this section to add, find, edit, or delete token validation templates. Skip any steps that you do not need. Managing Templates, Endpoints, and Policies 45-23 Managing Token Validation Templates The Security Token Service Endpoint must be linked to a WS Security Validation Template that indicates: ■ how to validate the token in the Webservice Security header ■ how to map the token and binding data to a Requester The information here can be applied when you want to validate the following: ■ ■ WS-Security tokens present in the SOAP Header, of type: Username, SAML 1.1, SAML 2.0, X.509 and Kerberos. WS-Trust tokens present in the OnBehalfOf element or in the ValidateTarget element of the WS-Trust request, of type: Username, SAML 1.1, SAML 2.0, X.509, Kerberos, OAM Session Propagation Token and custom tokens. The following procedure includes several examples of input following specific parameters. Also, a brief translation appears within parentheses (). For instance: Name (username-token): email-wstrust-valid-temp. Values in your environment will be different. Prerequisites See Also: ■ "About Managing Token Validation Templates" ■ "Searching for an Existing Template" To manage token validation templates 1. Locate and open the desired Token Validation Template as described in "Searching For a Template" on page 45-4. 2. New Token Validation Template: a. Click the New Validation Template button in the upper-right corner (or click the Add (+) command button above the Search Results table). b. General: Define parameters for this template (Table 45–9). For example: Name (username-token): email-wstrust-valid-temp Token Protocol (WS-Security for token protocol): Webservice Token Type (username): email Default Partner Profile: requester-profile 3. c. Authentication: Enable Credential Validation for this template, if needed, and provide details (Table 45–10). If the token type is username, enable credential validation if needed for this template and provide the details. d. Token Mapping: Specify preferences for this template based on your token type (Table 45–11). e. Click Save and dismiss the confirmation window (or click Cancel without saving it). f. Close the definition (or edit it as described in Step 4). Edit a Template: Start with the saved page you just created. a. Edit the template definition as needed. b. Click the Apply button at the top of the page to submit changes (or click Revert to undo your changes). 45-24 Administrator's Guide for Oracle Access Management Managing Security Token Service Endpoints 4. Remove a Token Validation Template: a. Click the desired name in the Search Results table to select the item to remove. b. From the Actions menu, click Delete (or click the Delete (X) command button above the table. c. Click the Delete button in the Confirmation window (or click No to cancel the operation). 45.5 Managing Security Token Service Endpoints An endpoint is a Web Service published by Security Token Service where clients can send WS-Trust requests over SOAP. An endpoint is: ■ ■ ■ Protected by a WS Security Policy. Bound to WSS Validation Template that will indicate how to validate the security token and how to map it. Specific to a token type, namely, the one specified in the WSS Validation Template. The WS-Security policy protecting the endpoint must be compatible with the WSS Validation Template bound to the endpoint. Note: An endpoint is a Web Service endpoint published by Security Token Service and protected by OWSM Agent. An endpoint is bound to: ■ ■ A WS-Security policy that will determine the WSS requirements in terms of message protection and security tokens A WSS Validation template that will indicate how the request will be processed, how the security token will be validated. This section provides the following information: ■ About Managing Endpoints ■ Managing EndPoints 45.5.1 About Managing Endpoints Security Token Service Endpoint definitions consist of three categories, as shown in Figure 45–12. Figure 45–12 Endpoints Page Managing Templates, Endpoints, and Policies 45-25 Managing Security Token Service Endpoints Table 45–12 describes the required Endpoints categories. Table 45–12 Endpoints Page Elements Description Endpoint URI The path to the Endpoint, relative to the Security Token Service base URL The Security Token Service base URL is /sts. Policy URI Choose from a listing of Oracle WSM policies the one used to protect this Endpoint. Oracle Access Management Administrators can add a new custom policy to the available listing.To show this newly created Policy URI in the endpoints table list, use the following wlst command to update the owsmpolicies map: putStringProperty("/stsglobal/owsmpolicies/", ") For example: putStringProperty("/stsglobal/owsmpolicies/31", "sts/newcustom_policy") Validation Template ID Choose from a listing of Validation Template names to identify one for use with this Endpoint. Once an Endpoint is created, you can remove it but you cannot edit the definition. 45.5.2 Managing EndPoints Users with valid Oracle Access Management Administrator credentials can perform the following task to add, edit, or remove an Endpoint. Prerequisites Creating a Token Validation Template to reference To create or delete an endpoint 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Endpoints from the View menu in the Security Token Service section. 3. New Endpoint: see Table 45–12 and 4. a. Click the Add (+) button above the table (or choose New Endpoint from the Actions menu). b. Enter the new Endpoint URI. c. Choose one of the Oracle WSM policies to protect this Endpoint. d. Choose the Validation Template to use with this Endpoint. e. Click Apply to submit the definition and dismiss the confirmation window (or click Revert to dismiss the page without submitting it). f. Close the page. Remove Endpoint: a. Highlight a row in the Endpoints table and click the Delete (X) button (or choose Delete Selected from the Actions menu). b. Confirm removal (or cancel the removal). 45-26 Administrator's Guide for Oracle Access Management Managing Token Issuance Policies, Conditions, and Rules 45.6 Managing Token Issuance Policies, Conditions, and Rules This section provides the following topics: ■ About Token Issuance Policies ■ About Managing Token Issuance Conditions and Rules ■ Managing Token Issuance Policies and Conditions 45.6.1 About Token Issuance Policies A Token Issuance Policy defines the rules under which a token can be issued for a resource (Relying Party Partner) based on the client's identity, with the client either being a Requester Partner or an end user. If a Requester is NOT present, it is assumed that the User (represented by the on-behalf-of (OBO) token or WSS Token) is trying to access the RelyingParty. When issuing a token, Security Token Service will determine for which Relying Party that token is created, and it will then evaluate if the client is authorized to request the token for that Relying Party. In order to issue a token, a Token Issuance Policy must be created with the resource involved in the operation, and with possibly a condition. At runtime if the policy evaluation is successful, the token will be issued. You can add Conditions, Rules, and Responses to this Token Issuance Policy. 45.6.2 About Managing Token Issuance Conditions and Rules The Token Issuance Policy allows the Administrator to define conditions along with "Allow" and "Deny" rules for the policy. Each Token Issuance Policy can contain one or more conditions, and rules that determine whether access to the requested resource should be granted or denied: ■ An Allow type rule specifies who is authorized to access a protected resource. Only partners and users listed in the Condition are granted access; everyone else is denied access to the resource. ■ A Deny type rule specifies explicitly who is denied access to the protected resource. Only partners and users listed in the Condition are denied access; everyone else is granted access to the resource. When adding User conditions, the identity store from which the users are to be chosen can be selected from a list. Ensure that you choose the Default User Identity Store, which is the only one used by Security Token Service. Note: Managing Token Issuance Conditions is similar to managing Authorization Conditions and Rules. Figure 45–4 shows the Conditions tab of a Token Issuance Policy. Managing Templates, Endpoints, and Policies 45-27 Managing Token Issuance Policies, Conditions, and Rules Figure 45–13 Token Issuance Policies and Conditions Table 45–13 describes the Token Issuance Condition requirements. See Also: Part XI, "Managing Oracle Access Management Mobile and Social" for details about Adding a Token Issuance Policy for Mobile and Social Authentication Service Table 45–13 Conditions tab: Token Issuance Policy Element Description Summary tab Name A unique name for this Token Issuance Policy. Description Optional. Conditions tab Table 25–11 describes elements and controls on the Conditions tab. Class Only Token Requester Identity is allowed for Token Issuance Policy conditions. You choose this in the Add Condition dialog box. Rules tab Table 25–22 describes the elements and controls on the Rules tab for Simple Mode evaluations. Table 25–23 describes the elements on the Rule tab in Expression mode. Condition Details 45-28 Administrator's Guide for Oracle Access Management Managing Token Issuance Policies, Conditions, and Rules Table 45–13 (Cont.) Conditions tab: Token Issuance Policy Element Description Add Choose from the following populations: ■ ■ Add Identities: This choice opens a Search window where you can set the Store Name, Choose an Entity Type (All, User, or Group), and Provide an Entity Name. You then choose one or more results from those listed and click Add Selected to populate the condition. Add Partners: This choice opens a Search window where you can locate specific partners to populate the condition. Enter your search criteria (or click the arrow key beside the field to find all partners), then choose one or more results and click Add Selected to populate the condition. Entity Name The name of the User or Group, as defined in the selected User Identity Store. Entity Type The type of entity you want to locate during a search to add identifies to the condition: User, or Group. Store Name Choose the name of the User Identity Store to search for users or groups to populate the condition. Remember, Security Token Service uses only the Default Identity Store. 45.6.3 Managing Token Issuance Policies and Conditions Users with valid Administrator credentials can use the following procedure to add a Token Issuance Policy and Conditions to an Application Domain. When adding resources to this policy, you might want to add the UnknownRP and MissingRP resources. Prerequisites The Application Domain must already exist. You can add Token Issuance Policies to the IAM Suite Application Domain. Note: To manage Token Issuance Policies and conditions 1. Locate the desired domain as described in "Searching for an Existing Application Domain" on page 25-12. 2. On the individual Application Domain page, select the Token Issuance Policies tab. 3. Create a Token Issuance Policy: 4. a. In the desired domain, click the Token Issuance Policies tab and then click the Create Token Issuance Policy button to open a fresh page. b. On the Summary page, enter a unique name and optional description. Add Resources: This step presumes that the resource has been defined in the Application Domain and is ready to be added to policies. a. Click the Resources tab. b. Click the Add (+) button. c. Click the Search button to display a list of defined resources you can add. d. Click the desired resource in the results table, then click Add Selected. e. Repeat as needed to add any other resources to this policy. Managing Templates, Endpoints, and Policies 45-29 Managing TokenServiceRP Type Resources 5. 6. Add Conditions to a Policy: The only types available are Token Requester Identity or True. a. Click the Conditions tab, then click the Add button on the Conditions tab to display the Add Condition window. b. Enter a unique name for this condition in the dialog box. c. Choose Token Requester Identity from the Type list. d. Click Add Selected. e. Proceed with Step 5 to add details for Token Requestor Identity. Otherwise, skip to Step 6. Add Conditions Details: a. Click the Condition name to display Conditions: Details. b. From the Selected Identities table, click the Add button and choose either: Add Partners: In the Search field, enter criteria (or click the arrow key beside the field to find all partners); click one or more results then click Add Selected to populate the condition. Add Identities: Select the Store Name, select the desired Identity Type, enter search criteria and click the Search button; choose one or more results and click Add Selected to populate the condition. c. 7. Click the Save button on the Condition Details panel. Add Rules: Perform these steps to Allow or Deny access based on your Conditions. a. Click the Rules tab. b. Check the Rule Mode: Simple or Expression. c. Expression Mode: Build your expression by entering operators (Table 25–24) and choosing and inserting conditions (Table 25–23). d. Simple Mode: Click to Match either All or Any of the selected conditions, then using arrows for Allow (or Deny) Rule, move desired conditions from the Available Conditions column into the Selected Conditions column. 8. Click Apply and then close the Confirmation window. 9. Find (or Add) TokenServiceRP Resources in the Application Domain: See "Managing TokenServiceRP Type Resources". 45.7 Managing TokenServiceRP Type Resources A Token Issuance Policy defines the rules under which a token can be issued for a resource (Relying Party Partner) based on the client's identity, with the client either being a Requester Partner or an end user. When issuing a token, Security Token Service will determine for which Relying Party that token is created, and it will then evaluate if the client is authorized to request the token for that Relying Party. 45-30 Administrator's Guide for Oracle Access Management Managing TokenServiceRP Type Resources To issue a token, a Token Issuance Policy must be created with the resource involved in the operation and, possibly, with a condition. At run time if the policy evaluation is successful, the token will be issued. Note: The resource(s) in a policy can be: ■ A TokenServiceRP type resource represents resources for, and is based on, the Token Service Relying Party (required for Mobile and Social REST clients). See Also: Part XI, "Managing Oracle Access Management Mobile and Social" for details about Configuring Access Manager for Mobile and Social Authentication Service ■ ■ The pre-existing UnknownRP resource which is needed when Security Token Service is not able to map the Service URL referenced in the AppliesTo element of the WS-Trust request to an Security Token Service Relying Party Partner entry. The pre-existing MissingRP resource which is needed when the AppliesTo element of the WS-Trust request is missing. Both the MissingRP and UnknownRP are defined in the IAM Suite Application Domain. Note: A resource of type TokenServiceRP, Figure 45–14, represents an Security Token Service Relying Party Partner defined in the Security Token Service Partner Store. Figure 45–14 Pre-defined Resource Type: TokenServiceRP Resources of type TokenServiceRP are used in Token Issuance Policies, which are evaluated when Security Token Service issues tokens at run time. This is a predefined resource type, which cannot be deleted. However, additional operations can be created, edited or deleted as needed. Predefined operations are shown with a lock icon. For more information, see: ■ About Managing TokenServiceRP Type Resources in Access Manager ■ Managing TokenServiceRP Type Resources in Application Domains Managing Templates, Endpoints, and Policies 45-31 Managing TokenServiceRP Type Resources 45.7.1 About Managing TokenServiceRP Type Resources in Access Manager Use the Search controls for the Application Domain to locate resources of a specific type within the domain. Figure 45–15 shows the search controls for the IAM Suite resources. Resource Type TokenServiceRP is the search criteria. The Search Results table lists all resources of this type within the Application Domain. Figure 45–15 Search: Resource Type TokenServiceRP in Application Domain The TokenServiceRP resources in this domain include those provided out of the box, and described earlier: ■ UnknownRP resource ■ MissingRP resource 45.7.2 Managing TokenServiceRP Type Resources in Application Domains Users with valid Administrator credentials can use the following procedure to add TokenServiceRP resources to an Application Domain. Note: ■ ■ If AppliesTo is present in the RST but the requester could not be mapped, use the TokenServiceRP:UnknownRP resource. If AppliesTo is not present, use TokenServiceRP:MissingRP, otherwise select the appropriate resource. See Also: "About Managing TokenServiceRP Type Resources in Access Manager" To manage TokenServiceRP Resources 1. Locate the desired Application Domain as described in "Searching for an Existing Application Domain" on page 25-12. 2. Add TokenServiceRP Resource to the Application Domain: a. Click the New Resource button on the Application Domain Search page. b. Specify the Resource Type as TokenServiceRP. c. Enter a Resource URL that is the Relying Party ID for whom the token issuance policy will be defined. 45-32 Administrator's Guide for Oracle Access Management Making Custom Classes Available 3. d. Click the Apply button at the top of the page to submit this and dismiss the confirmation window. e. See Also: "Defining Resources in an Application Domain" on page 25-27. Find TokenServiceRP Resources: a. In the desired Application Domain, open the Resources tab to display the Search controls. b. From the Resource Type, choose TokenServiceRP, and click Search. c. Review the Search Results table and click a name to open the Resource Definition. 45.8 Making Custom Classes Available When Security Token Service does not support the token that you want to validate or issue out-of-the-box, a developer can write custom validation and issuance module classes. This section describes how to make custom classes available using the console. The information here can be applied when you have: ■ WS-Security User Name Token ■ WS-Trust Custom Token ■ Issuing Custom Token Note: You can also write a script that includes WebLogic Scripting Tool commands for any operation that you can accomplish through the console. For more information, see Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. This section provides the following topics: ■ About Making Classes Available ■ About Narrowing a Search for Custom Tokens ■ Managing Custom Tokens 45.8.1 About Making Classes Available After writing the custom token validation and/or issuance classes, you must add Custom Token Configuration to Security Token Service to indicate when and how these classes should be used. On the New Custom Token page only the Token Type Name is required (identified with an asterisk, *), as shown in Figure 45–16. Not all elements apply to all custom tokens. However, if you submit information that is incomplete, a dialog box appears to identify what is missing. Managing Templates, Endpoints, and Policies 45-33 Making Custom Classes Available Figure 45–16 New Custom Token Page For the custom token, you must decide on the XML Element Name, XML Element Namespace, Binary Security Token Type, and so on. Table 45–14 describes the elements on a Custom Token page based on the examples in this chapter. Table 45–14 New Custom Token Elements Element Token Type Name Description The unique name you choose for this custom token. For example: email_token Note: After you save a new custom token configuration, you cannot edit this name. Default Token URI The URI for this custom token. This URI can then be used in the RST to request that a custom token of this type should be issued. For the example in this chapter, the value would be: oracle.security.fed.sts.customtoken.email XML Element Name The name you decide on, which will be associated with the Token Type Name. For example: email If you specify email as the XML Element Name, each time the element name, email, appears in an incoming token it will be associated with the Token Type Name (in this case email_token). Note: Minimally, you need either an XML Element Name or Binary Security Token Type. Validation Classname The name of the custom token validation class that you made available to Security Token Service. For example: oracle.security.fed.sts.tpe.providers.email.EmailTokenValidat orModuleImpl Note: Minimally, you need either an issuance class name or validation class name, depending on whether you want to issue or validate a custom token. 45-34 Administrator's Guide for Oracle Access Management Making Custom Classes Available Table 45–14 (Cont.) New Custom Token Elements Element XML Element Namespace Description The namespace of the custom token element name. For example: http://email.example.com Issuance Classname The name of the custom token issuance class that you made available to Security Token Service. For example: oracle.security.fed.sts.tpe.providers.email.EmailTokenIssuerM oduleImpl Note: Minimally, you need either an Issuance classname or Validation classname, depending on whether you want to issue or validate a custom token. Binary Security Token Type Enables the class to validate a custom token sent in as a BinarySecurityToken. The ValueType of the BinarySecurityToken for this custom token. If Security Token Service receives a Binary Security Token with this ValueType, it will be forwarded to this custom token's Validation class for validation. Validation Attributes This section enables you to add (or remove) validation attributes. The table displays existing validation attributes, if any. For this example: ■ Attribute Name: testsetting ■ Attribute Type: String Note: You will add a value to the attribute when creating a Token Validation Template. Issuance Attributes This section enables you to add (or remove) issuance attributes. The table displays the following information for existing issuance attributes. ■ Attribute Name: testsetting ■ Attribute Type: String Note: You will add a value to the attribute when creating a Token Issuance Template. Save Click this button on the New Custom Tokens page to save your configuration information. Cancel Click this button to dismiss your configuration details. Apply Click this button to submit your changes. Revert Click this button to dismiss your changes. Task overview: Adding custom tokens for custom classes 1. Create a JAR file containing only your custom TokenIssuerModule or TokenValidatorModule classes (or both). No XML metadata or manifest is needed. 2. Review information in Table 45–14. 3. Add the JAR to the OAM Server hosting Security Token Service and create a new custom token, as described in Section 45.8.3, "Managing Custom Tokens". 45.8.2 About Narrowing a Search for Custom Tokens Figure 45–17 illustrates the Custom Tokens Search controls and Results table. These appear when you double-click the Custom Tokens node in the navigation tree. By default, all currently defined custom tokens are listed when the Search Results table is displayed. Managing Templates, Endpoints, and Policies 45-35 Making Custom Classes Available Figure 45–17 Custom Tokens Search Page and Controls Table 45–15 describes the Custom Tokens Search elements and controls. No wild cards (*) are allowed in Custom Token searches. Table 45–15 Custom Tokens Search Elements and Controls Element Description Default Token URI The URI that was defined for the custom token. You can enter the entire URI or only part of it. For instance, if you enter "ai" the Search Results table will display all custom tokens defined with a token URI that includes the letters "ai". Note: Wild cards are not allowed in Custom Token searches. Search Initiates the Search function using criteria provided in the form. Reset Resets the Search form with defaults only. Search Results Provides the results of your search based on your choices in the View menu. Actions menu Provides the following functions that can be performed on a selection in the results table: Note: Actions menu functions mirror command buttons above the results table. For example: ■ ■ ■ ■ New Custom Token: Click the New Custom Token button at the top of the Search page, or select New Custom Token from the menu, or click the + button above the table. Edit: Double-click a name in the Token Type Name column of the Search Results table, or select Edit from the Actions menu, or click the Edit (pencil icon) command button above the Results Table. Create Like: Select the desired row in the table and either select Create Like from the Actions menu, or click the Create Like command button above the table Remove: Select the desired row in the table and either select Delete from the Actions menu, or click the Delete (X) command button above the table. View menu Provides functions you can use to display various information in the results table: Up-Down Arrows Controls affecting the ordering of items listed in the results table: ■ Ascending ■ Descending 45-36 Administrator's Guide for Oracle Access Management Making Custom Classes Available 45.8.3 Managing Custom Tokens Users with valid Administrator credentials can use the procedure in this section to manage custom tokens for custom Token Module classes. The following procedure includes steps to add, edit, and delete custom tokens or attributes of a custom token. Skip any steps that you do not need. Prerequisites Refer to the developer creating the custom tokens and the Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details about: Writing a TokenValidatorModule Class Writing a TokenIssuanceModule Class See Also: ■ "Making Custom Classes Available" on page 45-33 ■ "About Narrowing a Search for Custom Tokens" on page 45-35 To make custom classes available 1. Create and add the JAR containing your Issuance and Validation classes to the OAM Server hosting Security Token Service using one of these methods: ■ ■ ■ 2. 3. Add the custom token jar and the sts-common.jar that is available in $DOMAIN_HOME/config/fmwconfig/mbeans/oam to the Managed Server classpath by editing the startup script. Add the custom token jar and the sts-common.jar that is available in $DOMAIN_HOME/config/fmwconfig/mbeans/oam to the $DOMAIN_ HOME/lib directory to automatically add these jars to the Managed Server classpath. Restart the OAM Server. New Custom Token: a. In the Oracle Access Management Console, click Federation at the top of the window. b. Select Create Custom Token from the Create (+) drop-down menu in the Security Token Service section. c. Fill in the New Custom Token page with details for your custom classes (Table 45–14). d. Click Save and dismiss the confirmation window (or click Cancel to dismiss the page without submitting it). e. Close the page (or edit as described in Step 4). f. Proceed to Step 4, if needed, or to "Managing a Custom Security Token Service Configuration" on page 45-38. Find Custom Tokens: In the Federation console, select Custom Tokens from the View menu in the Security Token Service section. a. Find All: Click the Search button and view the results table with all custom tokens listed. b. Narrow the Search: Enter some or all characters in the desired Default Token URI, click the Search Button, and review the results table. Managing Templates, Endpoints, and Policies 45-37 Managing a Custom Security Token Service Configuration c. 4. Reset the Search Form: Click the Reset button. Edit Custom Token Configuration: Start with the saved page you just created. Alternatively: Use Step 3 to find the desired Custom Token, then double-click the name in the Search Results table to open the page. 5. a. In the named Custom Token page, click the appropriate field and edit as needed. b. Add Attributes: Click the Add (+) icon for the Attributes table, enter the Attribute Name and an Attribute Type (Table 45–14). c. Remove Attributes: From the Attributes table, click the row containing the attribute to remove, click the Delete (X) icon for the table, and dismiss the Confirmation window. d. Apply Changes: Click the Apply button at the top of the page to submit changes. Remove a Custom Token: a. Click the desired name in the Search Results table to select the item to remove. b. From the Actions menu, click Delete (or click the Delete (X) command button above the table. c. Click the Delete button in the Confirmation window (or click No to cancel the operation). 45.9 Managing a Custom Security Token Service Configuration This tasks consists of the following procedures: ■ Creating the Validation Template ■ Creating the Issuance Template for a Custom Token ■ Adding the Custom Token to a Requester Profile ■ Adding the Custom Token to the Relying Party Profile ■ Mapping the Token to a Requestor ■ Creating an /wssuser EndPoint 45.9.1 Creating the Validation Template Users with valid Oracle Access Management Administrator credentials can perform the following task to create a Validation Template with a Token Protocol of Webservice Trust to map the token to the requester. The template in this example can be used for the module classes described earlier in this chapter. Full implementation details are shown in the following figures. As you review these, notice how specifications for this template reference the module class code: ■ Figure 45–18, "General Details: email-wstrust-valid-temp" ■ Figure 45–19, "Token Mapping: email-wstrust-valid-temp" 45-38 Administrator's Guide for Oracle Access Management Managing a Custom Security Token Service Configuration Figure 45–18 General Details: email-wstrust-valid-temp Figure 45–19 Token Mapping: email-wstrust-valid-temp To create the validation template for the custom module classes 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. Select Create Token Validation Template from the Create (+) drop-down menu in the Security Token Service section. 3. General: Set the following for use with the custom token. Validation Template Name: email-wstrust-valid-temp Token Protocol: Webservice Trust Token Type: email Managing Templates, Endpoints, and Policies 45-39 Managing a Custom Security Token Service Configuration Default Partner Profile: requester-profile Custom Validation Attributes: test: hello 4. Token Mapping: Set the following for use with the custom token in this chapter. Check the box beside Map Token To User (to enable it). Check the box beside Enable Simple User Mapping and enter: User Token Attribute: STS_SUBJECT_ID Datastore Attribute: mail 5. Click Save and dismiss the confirmation window. 6. Proceed to "Creating the Issuance Template for a Custom Token". 45.9.2 Creating the Issuance Template for a Custom Token This is a server side configuration. Users with valid Oracle Access Management Administrator credentials can perform the following task to create a Token Issuance Template. Each Token Issuance Template indicates how to construct a token, and which signing or encryption to use when constructing a token. Each Token Issuance Template also defines the attributes to be sent as part of the outbound token for mapping, and filtering data. However, Issuance Templates do not list mapping or filtering rules, which are defined in the Relying Party Partner Profile. The template in this example can be used for the email custom token described earlier in this chapter. Implementation details are shown in the following figures, and described in the accompanying procedure. As you review these, notice how specifications for this template reference the module class code: ■ Figure 45–20, "General Details: email-issuance-temp" ■ Figure 45–21, "Issuance Properties: email-issuance-temp" Figure 45–20 General Details: email-issuance-temp When you have a custom token type deployed, the Issuance Properties are tailored to accommodate the custom token. For instance, the custom email token type was chosen for the issuance template show in Figure 45–21. 45-40 Administrator's Guide for Oracle Access Management Managing a Custom Security Token Service Configuration Figure 45–21 Issuance Properties: email-issuance-temp This procedure produces a companion Issuance Template for the custom module classes in this chapter. For the example: ■ ■ Ignore the Token Encryption Algorithm, which is not used for the custom token type: email. Fill in a value for the Custom Token Attribute, which is populated from the custom token code. See Also: Oracle Fusion Middleware Administrator's Guide for Oracle Access Management To create the Issuance Template for the custom module classes 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. Select Token Issuance Templates from the View menu in the Security Token Service section. 3. New Token Issuance Template: a. Click the New Issuance Template button in the upper-right corner (or click the Add (+) command button above the Search Results table). b. General: Set the following for use with the custom token in this chapter. Issuance Template Name: email-issuance-temp Token Type: email c. Click Save and dismiss the confirmation window (or click Cancel without saving). d. Issuance Properties: Set the following for use with the custom token in this chapter. Custom Token Attribute Value: world 4. e. Click Apply and dismiss the confirmation window (or click Revert without saving it). f. Close the definition (or edit it as described in Step 4). Edit a Template: Find the desired template, edit details, and click Apply. Managing Templates, Endpoints, and Policies 45-41 Managing a Custom Security Token Service Configuration 45.9.3 Adding the Custom Token to a Requester Profile You can either edit an existing requester profile to add your custom token to the Token Type Configuration table, or create a new requester profile to use with the custom token. Either way, configure: ■ Token Type: email (your custom token) ■ Validation Template: email-wstrust-valid-temp Prerequisites Your Custom Token and Validation Template must be defined. To create or edit a requester profile for the custom token In the Oracle Access Management Console Launch Pad, click Federation at the top of the window. 1. 2. Select Partner Profiles from the View menu in the Security Token Service section. 3. Select the Requester Profiles tab. 4. Existing Profile: a. In the Search Results table of the Requester Profiles page, click the name of the desired profiles. b. Token and Attributes: Fill in the following details for the custom token in this chapter and then click the Save button at the top of the page. Token type: email Validation Template: email-wstrust-valid-temp 5. c. Click Save, dismiss the confirmation window, and close the page (or click Cancel to dismiss the page without submitting it). d. Proceed to "Adding the Custom Token to a Requester Profile". New Profile: Click the New Requester Profile button to display the New Partner Profile page where you enter details: a. General: Fill in the following details for the custom token in this chapter and then click the Next button at the top of the page. Profile ID: unique_requesterprofile_name Default Relying Party Profile: unique_relyingparty_name b. Add Token Type Configuration: Fill in the following details for the custom token in this chapter and then click the Save button at the top of the page. Token type: email Validation Template: email-wstrust-valid-temp c. Proceed to "Adding the Custom Token to a Requester Profile". 45.9.4 Adding the Custom Token to the Relying Party Profile You can either edit an existing Relying Party profile, or create a new one to issue the custom token by default, and refer to the Issuance Template and related information. Either way, configure: ■ Default token to issue: email (your custom token) ■ Issuance Template: email-issuance-temp 45-42 Administrator's Guide for Oracle Access Management Managing a Custom Security Token Service Configuration Prerequisites Your Custom Token and Issuance Template must be defined. To edit the requester profile for the custom module classes 1. In the Oracle Access Management Console Launch Pad, click Federation at the top of the window. 2. Select Partner Profiles from the View menu in the Security Token Service section. 3. Select the Relying Party Profiles tab. 4. Existing Profile: a. In the Search Results table of the Relying Party Profiles page, click the name of the desired profile. b. Click the Token and Attributes tab. c. Token Type Configuration: Click the Add (+) button above the Token Type Configuration table and enter the following details: Token type: email Issuance Template: email-issuance-temp d. Attributes: Click the Add (+) button above the Attributes table and define the following: Attribute name: mail Store Type: Userstore Include in Token: (check to enable) Encryption (leave blank) Value (leave blank) e. 5. Click Apply, dismiss the confirmation window, and close the page (or click Cancel to dismiss the page without submitting it). New Profile: Click the New Relying Party Profile button to display the New Partner Profile page where you enter details: a. General: Fill in the following details for the custom token in this chapter and then click the Next button at the top of the page. Profile ID: unique_relyingparty-name Default Token: email b. Click the Token and Attributes tab and perform Steps 2c and 2d, then click Apply. 45.9.5 Mapping the Token to a Requestor If you don't have a Username Validation Template (username-wss-valid-template), use the Oracle Access Management Console to create one to map the token to the requester. Validation Template Name: username-wss-valid-template Token Type: Username Proceed to "Creating an /wssuser EndPoint" Managing Templates, Endpoints, and Policies 45-43 Managing a Custom Security Token Service Configuration 45.9.6 Creating an /wssuser EndPoint Prerequisites Mapping the Token to a Requestor To create an endpoint 1. In the Oracle Access Management Console Launch Pad, click Federation at the top of the window. 2. Select Endpoints from the View drop-down menu in the Security Token Service section. 3. New Endpoint: a. Click the Add (+) button above the table (or choose New Endpoint from the Actions menu). b. Enter the new Endpoint URI: /wssuser c. Choose the Oracle WSM policy: sts/wss_username_service_policy d. Choose the Validation Template: username-wss-validation-template. e. Click Apply to submit the definition and dismiss the confirmation window (or click Revert to dismiss the page without submitting it). f. Close the page. 45-44 Administrator's Guide for Oracle Access Management 46 Managing Token Service Partners and Partner Profiles 64 This chapter provides the following topics describing management of Token Service Partners and Partner Profiles: ■ Prerequisites ■ Introduction Token Service Partners and Partner Profiles ■ Managing Token Service Partners ■ Managing Token Service Partner Profiles 46.1 Prerequisites Chapter 41, "Introducing the Oracle Access Management Security Token Service" Chapter 42, "Security Token Service Implementation Scenarios" Any task you can perform using the Oracle Access Management Console can also be performed using the See Also: Oracle Fusion Middleware WebLogic Scripting Tool Command Reference 46.2 Introduction Token Service Partners and Partner Profiles This section provides the following topics: ■ About Token Service Partners ■ About Partner Profiles ■ About Partner Entries 46.2.1 About Token Service Partners A Token Service partner represents a partner trusted by the Security Token Service. Table 46–1 describes the partner types. Table 46–1 Security Token Service Partners Partner Type Description Requester Represents a Web Service Client interacting directly with Security Token Service in order to issue or validate tokens Relying Party References a Web Service Provider that will be the recipient of tokens issued by the Security Token Service server Managing Token Service Partners and Partner Profiles 46-1 Introduction Token Service Partners and Partner Profiles Table 46–1 (Cont.) Security Token Service Partners Partner Type Description Issuing Authority Represents an Assertion issuer. When validating an Assertion, its issuer must be a known Issuing Authority Partner entry in Security Token Service The Security Token Service is capable of interacting with client types described in Table 46–2. Table 46–2 Security Token Service Clients Client Type Description Web Service Client Modules defined as requester partners in Security Token Service (typically SOAP clients). End users End users are not defined as requester partners, but possibly present in the User Identity Store. 46.2.2 About Partner Profiles A Partner Profile contains configuration properties that are common to a set of partners, and each partner entry is associated to a Partner Profile. Similar to the partners, there are three types of partner profiles: Requester, and Issuing Authority Partner Profiles. ■ Requester Profile ■ Relying Party Profile ■ Issuing Authority Partner Profile 46.2.2.1 About Partner Entries A partner entry contains the information in Table 46–3: Table 46–3 Security Token Service Partner Entry Partner Entry Description Certificates Signing and Encryption Certificates Reference Reference to a Partner Profile Requester only When the partner is a Requester, the partner entry also contains Username Token credentials, and Identification strings used to map incoming data to a requester. 46.2.2.2 About Partner Profile Data A partner profile entry contains the information in Table 46–4, depending on the type of profile. Table 46–4 Security Token Service Partner Profile Data Client Type Description Requester ■ ■ Relying Party Issuing Authority Claims Mappings WS-Trust Validation Templates used to validate tokens present in the OnBehalfOf element ■ Attributes to be sent to RP ■ Issuance Templates to be used ■ Attribute Name/Value Mapping settings ■ Specific Mapping Actions Rules used to map an incoming token to a partner/user 46-2 Administrator's Guide for Oracle Access Management Managing Token Service Partners 46.3 Managing Token Service Partners This section provides the following topics. ■ About Managing Token Service Partners ■ Managing a Token Service Partner ■ Refining Partner Searches 46.3.1 About Managing Token Service Partners When you choose to create a new partner, a fresh page appears for the specific Partner Type you selected. Figure 46–1 shows the New Requester partner page in the Oracle Access Management Console, which includes all Partner elements. Figure 46–1 New Requester Partner Page While most elements are common to all partners (name, description, and whether this partner is trusted), certain elements depend upon the specific partner type, as described in Table 46–5. Table 46–5 Partner Elements for Partner Types Partner Type Description Requester partners Can specify an encryption certificate and a signing certificate, as well as Token Authentication and Identity Attributes. Managing Token Service Partners and Partner Profiles 46-3 Managing Token Service Partners Table 46–5 (Cont.) Partner Elements for Partner Types Partner Type Description Relying Party partners Can specify only an encryption certificate and Resource URLs. See Figure 46–2 Issuing Authority partners Can specify only a signing certificate. Figure 46–2 New Relying Party Partners Page Table 46–6 describes elements for Security Token Service partners. Unless explicitly stated otherwise, all elements apply to every partner type. Table 46–6 Elements for Security Token Service Partners Element Description Partner Name Enter a name for this partner. Issuer ID Unique identifier used in SAML Assertion Issuer field referencing this Issuing Authority. Issuing Authority Only Partner Type Uneditable description, depending upon the type of partner you are creating or editing: ■ Requester ■ Relying Party ■ Issuing Authority Partner Profile Choose from the profiles listed to define your chosen partner. Description Optional. Trusted Check this box to indicate whether or not the partner is trusted. If not checked, the Security Token Service server will report an error when a request involves such an entry. Load Certificate Browse for and upload the requested certificates, which depend on partner type: ■ Encryption and signing certificates ■ Encryption certificate ■ Signing certificate 46-4 Administrator's Guide for Oracle Access Management Managing Token Service Partners Table 46–6 (Cont.) Elements for Security Token Service Partners Element Description Username Token Authentication Values can be entered for the following for Username Token Authentication: Requester only ■ Username ■ Password ■ Confirm Password New Requester Partner Identification Attributes can be defined in the STS Settings section and will appear in the requester partner Identity Attributes table. Note: the username and password data will be used to validate the credentials of a username token. It is also possible to only enter a username and no password, when the data will be used only to map an incoming token to this requester partner using the username. Identity Attributes Requester only At runtime, Security Token Service will use the data defined in the section to map an incoming request to a requester partner entry, using: ■ ■ The token data or binding data such as the SSL Client Certificate's Subject DN if present, or HTTP Basic Authentication username. The identity attributes present in each requester partner entry. New mappings can be added in the Relying Party Partner section as follows: http://relying.party.test.com/testing.service. At runtime, the Security Token Service server will use those URLs to map the AppliesTo service location contained in a WS-Trust request to a Relying Party Partner. Resource URL Relying Party only Enter the resource URL in the resource pattern column of the table, and enter a description beside it. For instance: Pattern: http://relying.party.test.com/testing/service The resource URL listed in the table will be used when mapping the AppliesTo location element from the WS-Trust request to this Relying Party Partner. The AppliesTo location value will be mapped to this Relying Party Partner: ■ ■ A Resource URL matches exactly the AppliesTo location value. For example, the AppliesTo location is http://relying.party.test.com/testing/service and the Resource URL is also http://relying.party.test.com/testing/service). Or, a Resource URL is the parent of the AppliesTo location value. For example, the AppliesTo location is http://relying.party.test.com/testing/service and the Resource URL is http://relying.party.test.com/testing, or Resource URL is http://relying.party.test.com/ 46.3.2 Managing a Token Service Partner Users with valid Administrator credentials can use the following procedure to create, find, edit, or delete a token service partner using Oracle Access Management Console. Prerequisites A partner profile must be defined for the type of partner you will create. To manage a token service partner 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Partners from the View menu in the Security Token Service section. Managing Token Service Partners and Partner Profiles 46-5 Managing Token Service Partners 3. 4. 5. 6. 7. Select the desired partner type tab and proceed with following steps as needed. ■ Requesters ■ Relying Parties ■ Issuing Authorities New Partner: a. Click the New [Partner Type] button to display a fresh page for your definition. b. Enter general information for the chosen partner type (Table 46–6). c. Trusted: Click to select (or leave blank if this is not a trusted partner). d. Certificates: Load any necessary certificates. e. Relying Party: Enter Resource URLs, if needed. f. Issuing Authority: Enter the Issuer ID of this Authority. g. Requester: Enter Username Token credentials, if needed. h. Click Save to submit (or click Cancel to dismiss the page) and then dismiss the confirmation window. Refine a Partner Search: "Refining Partner Searches" a. Perform Steps 1 and 2. b. Define your query and click the Search button. c. In the Search Results table, click the name of partner to view, edit, or remove. Edit a Partner: a. In the Search Results table, click the name of partner to edit and click the Edit button (or choose Edit from the Actions menu). b. Make desired changes to partner information (Table 46–6). c. Click Apply to submit the changes (or Revert to cancel changes) and then dismiss the confirmation window. Remove a Partner: Use the Search controls to refine and submit your query, as needed. a. In the Search Results table, highlight the row containing the partner to remove. b. Click the Delete (X) button (or choose Delete Selected from the Actions menu), then dismiss the confirmation window. 46.3.3 Refining Partner Searches From the console Launch Pad, when you click Partners, all Partner types can be viewed from tabs. When you choose a specific Partner, relevant Search controls, and the Search Results table, become available. Figure 46–3 illustrates a Requester Partner, where only the results differ from that of other Partner Types. 46-6 Administrator's Guide for Oracle Access Management Managing Token Service Partner Profiles Figure 46–3 Partner Search Controls From the Search page you can simply select a name in the Search Results table, or use the controls to refine your search to locate a specific Partner or Partners with specific characteristics. 46.4 Managing Token Service Partner Profiles This section provides information about Token Service Partner Profiles. ■ About Managing Partner Profiles ■ Managing a Token Service Partner Profile ■ Refining a Profile Search 46.4.1 About Managing Partner Profiles Figure 46–4 shows a completed Requester Profile page, with both a General tab and Token and Attributes tab. Managing Token Service Partners and Partner Profiles 46-7 Managing Token Service Partner Profiles Figure 46–4 Requester Profile: General Table 46–7 describes the General elements for all profile types. Table 46–7 Profile: General Element Description Profile ID A unique identifier for this profile Description Optional. Profile Type Type of profile, which cannot be edited: Requester, Relying Party or Issuing Authority. Default Relying Party Profile References the Relying Partner Profile to use, if the WS-Trust request does not reference the Relying Party (for example, the AppliesTo element is missing), or if the AppliesTo element could not be mapped to a known Relying Party Partner Profile. Requester Partner Profile Only Choose a Relying Party profile to use as the default and enable or disable the following characteristics as needed: ■ Return error for missing claims. Indicates whether or not Security Token Service will return an error if the issued token does not contain claims that were requested by the client. Since the Relying Party Partner Profile defines the list of attributes/claims that can be included in the issued token, it is possible that some claims requested by the client cannot be returned. ■ Allow unmapped claims. Claims listed in a WS-Trust request are specified in a dialect that will be translated to map to local attributes using the Token and Attributes section. This flag indicates whether or not claims that cannot be translated should be referenced as is. This allows to control which claims can be requested by the client. 46-8 Administrator's Guide for Oracle Access Management Managing Token Service Partner Profiles Table 46–7 (Cont.) Profile: General Element Description Default Token to Issue This table indicates which Issuance Template to use to issue a token for Relying Parties linked to this profile. Relying Party Only Choose a token type as the default for this profile: ■ SAML 1.1 ■ SAML 2.0 ■ Username ■ Custom Check the box beside Download Policy to associate a policy with the token. When checked, Security Token Service will download at runtime the WS-Security policy of the Relying Party referenced by the AppliesTo element in the RST. If present, Security Token Service will use that URL to download the policy, and then determine the type of token to return based on the information located in the policy. Requester Profile: Token and Attributes Figure 46–5 illustrates the Token and Attributes tab and accompanying tables for the Requester profile. The Token Type Configuration section indicates which WS-Trust Validation Template to use to validate tokens contained in the OnBelhalfOf element of the WS-Trust request, based on the token type. This section defines mappings between WS-Trust claims requested by the client and local attribute names Figure 46–5 Requester Profile: Token and Attributes Table 46–8 describes Requester Profile Token and Attributes elements and controls. Table 46–8 Requester Profile: Token and Attributes Element Description Token Type Configuration Click the + above the table to display a dialog box and then make one selection from each of the following drop down lists: ■ ■ Token Type list provides all supported (and custom) token types deployed. Validation Template list contains all currently defined WS-Trust validation templates. Managing Token Service Partners and Partner Profiles 46-9 Managing Token Service Partner Profiles Table 46–8 (Cont.) Requester Profile: Token and Attributes Element Description Attribute Name Mapping This table defines how Security Token Service maps a claim, represented by its name and optional Format/Namespace, to a local attribute. Security Token Service supports the Infocard Claims dialect. To translate Infocard claims to local attributes, a mapping will need to be defined where the Incoming Attribute will contain the claim name and the Local Attribute will contain the local name (The Format/Namespace column will be empty). For example, one mapping could be: ■ Incoming Attribute: surname ■ Local Attribute: sn Another mapping could be: ■ Incoming Attribute: givenname ■ Local Attribute: givenname Another mapping could be: ■ Incoming Attribute: emailaddress ■ Local Attribute: mail Relying Party Profile: Token and Attributes Figure 46–6 illustrates the Token and Attributes defined for a Relying Party Profile. This section allows the Administrator to define which Issuance Template should be used to issue a token for a Relying Party associated with this profile. Also, it lists the attributes that might be included in an issued token, by their names, the source of those attributes, and whether or not the attributes should be included in the issued token only if requested by the client or always. On this page, Relying Party Profiles require an Issuance Template in addition to the token type. Also, the attribute types differ from other profiles. Figure 46–6 Relying Party Profile Token and Attributes Table 46–9 describes the elements needed for the Relying Party Profile. 46-10 Administrator's Guide for Oracle Access Management Managing Token Service Partner Profiles Table 46–9 Relying Party Profile Requirements Element Descrip[tion Token Type Configuration Click the + above the table to display a dialog box and then make one selection from each drop down list: ■ ■ Attributes Token Type list provides all supported (and custom) token types deployed. Issuance Template list contains all currently defined Issuance Templates. The attributes that might be included in an issued token: ■ Attribute Name: Indicates the name of the attribute. ■ Store Type: Indicates the source of the attribute: Userstore: the default User Identity Store where the LDAP user record will be used to retrieve the attribute value. Incoming Token: the attribute will reference an element of the incoming token. Static: the value will be specified in the Value field. ■ ■ Include in Token: Indicates whether or not the attribute should always be included in the issued token. If unchecked, the attribute will only be included if the client requested this attribute. Encrypt: Indicates whether or not the attribute should be encrypted. Note: only supported for SAML 2.0. Also, the Encryption Certificate must be set in the Relying Party Partner entry, or it must be present in the WS-Trust request. ■ Value: Contains the value to be used if the Store Type is static value. See Also: "Relying Party Profile Attributes". Relying Party Profile Attributes When defining an attribute, you can indicate: ■ ■ ■ ■ The attribute source: User Store (LDAP), Incoming Token Data or static value. Whether or not to include the attribute in the token only if requested by the client or in all tokens. Whether or not to encrypt the attribute (only SAML 2.0; requires the Relying Party Encryption Certificate). The value of the attribute if this is a static attribute. Example: To include the mail attribute retrieved from LDAP in all outgoing tokens: ■ Attribute Name: mail ■ Store Type: User Store ■ Include in Token: checked ■ Encrypt: unchecked ■ Value: empty Example: To include the username element of an incoming Username Token in all outgoing tokens ■ Attribute Name: STS_SUBJECT_ID Managing Token Service Partners and Partner Profiles 46-11 Managing Token Service Partner Profiles ■ Store Type: Incoming Token ■ Include in Token: checked ■ Encrypt: unchecked ■ Value: empty Example: To include a static attribute in all outgoing tokens: ■ Attribute Name: rp-version ■ Store Type: Static ■ Include in Token: checked ■ Encrypt: unchecked ■ Value: 2.0 The following attributes are available from the incoming token data. The SAML attributes referenced by their names are also available as incoming token data: STS_SUBJECT_ID Contains the subject identifier (username for Username token, NameID Value for SAML assertions, Subject DN for X.509 certificates) STS_NAMEID_FORMAT Contains the SAML NameID Format. STS_NAMEID_QUALIFIER Contains the SAML NameID Format. STS_SPNAME_QUALIFIER Contains the SAML NameID Qualifier. STS_SP_PROVIDED_ID Contains the SAML NameID SP Qualifier STS_SESSION_INDEX Contains the session index. STS_AUTHENTICATION_INSTANT Contains the authentication instant (current after Username token credentials validation, from the authentication statement for SAML Assertions, current for X.509 validation, current for Kerberos Validation, authentication instant for OAM Session Propagation tokens). STS_AUTHENTICATION_TIMEOUT Contains the session expiration time if set (applies to SAML assertions and OAM Session Propagation tokens if present). STS_X509_CN Contains the CN component of the X.509 Certificate's Subject DN STS_X509_OU Contains the OU component of the X.509 Certificate's Subject DN. STS_X509_O Contains the O component of the X.509 Certificate's Subject DN. 46-12 Administrator's Guide for Oracle Access Management Managing Token Service Partner Profiles STS_X509_L Contains the L component of the X.509 Certificate's Subject DN. STS_X509_ST Contains the ST component of the X.509 Certificate's Subject DN. STS_X509_C Contains the C component of the X.509 Certificate's Subject DN. STS_X509_DC Contains the DC component of the X.509 Certificate's Subject DN. STS_X509_* Contains the component identified by * of the X.509 Certificate's Subject DN. STS_X509_VERSION Contains the version attribute of the X.509 Certificate. STS_X509_ISSUER_X500_PRINCIPAL_NAME Contains the issuer DN of the X.509 Certificate. STS_X509_NOT_AFTER Contains the not after attribute of the X.509 Certificate. STS_X509_NOT_BEFORE Contains the not before attribute of the X.509 Certificate. STS_X509_SUBJECT_X500_PRINCIPAL_NAME Contains the subject DN of the X.509 Certificate. STS_X509_SUBJECT_ALTERNATIVE_NAMES Contains the subject alternative name extension value of the X.509 Certificate. STS_X509_SERIAL_NUMBER Contains the serial number of the X.509 Certificate. STS_OAM_LAST_ACCESS_TIME Contains the last access time of the OAM Session Propagation Token. STS_OAM_LAST_UPDATE_TIME Contains the last update time of the OAM Session Propagation Token. STS_OAM_CREATION_TIME Contains the creation time of the OAM Session Propagation Token. STS_KERBEROS_PRINCIPAL_SHORT Contains the Principal Short value of the Kerberos Token. STS_KERBEROS_PRINCIPAL_FULL Contains the Principal Full value of the Kerberos Token. STS_KERBEROS_PRINCIPAL_NODOMAIN Contains the Principal No Domain value of the Kerberos Token. STS_SAML_ASSERTION_ID Contains the AssertionID of the SAML Assertion. Managing Token Service Partners and Partner Profiles 46-13 Managing Token Service Partner Profiles STS_SAML_SUBJECT_DNS Contains the Subject DNS attribute of the SAML Assertion. STS_SAML_SUBJECT_IP_ADDRESS Contains the Subject IP Address attribute of the SAML Assertion. STS_SAML_ASSERTION_ISSUER Contains the Issuer of the SAML Assertion. STS_SAML_AUTHN_INSTANT Contains the authentication instance of the SAML Assertion. STS_SAML_AUTHN_METHOD Contains the authentication method of the SAML Assertion. Issuing Authority Profile: Token and Attributes The Issuing Authority Partner Profile defines settings that can be common to different Issuing Authority Partners. The Token and Attributes section, as shown in Figure 46–7, allows the Administrator to define mapping rules that will be used to translate the name and value of attributes to local names and values. Figure 46–7 Token and Attributes: Issuing Authority Table 46–10 describes the Token and Attributes elements for Issuing Authority. It is possible to define attribute mapping rules that will be applied to the attributes included in the Assertion, when extracting them from the token. There are two different sets of rules: ■ ■ Attribute name mapping where the name of a SAML Attribute can be translated to a local name (for example, firstname could be translated to givenname). Attribute value mapping where the value of a SAML Attribute can be translated to a local value (for example, President to CEO). 46-14 Administrator's Guide for Oracle Access Management Managing Token Service Partner Profiles Table 46–10 Token and Attributes Elements: Issuing Authority Element Description Attribute Name Mapping Define an optional mapping between the name of a SAML Attribute and the local name of an attribute. The mapping is optional. If an attribute does not have a mapping defined, then its SAML attribute name will be used. ■ ■ ■ Value Mapping Incoming Attribute: Contains the external name of the attribute as it will appear in the Assertion. Local Attribute: Contains the local name of the attribute. Format or Namespace: Contains an optional Format or Namespace. If missing, the namespace value for mapping purposes will be assumed to be urn:oracle:security:fed:attrnamespace for SAML 1.1 Assertions or the format value for mapping purposes will be assumed to be urn:oasis:names:tc:SAML:2.0:attrname-format:basic for SAML 2.0 Assertions Define an optional value mapping for a SAML attribute. This will indicate how to translate an attribute value to a local value, if needed. Note: This attribute value mapping applies to an Attribute Name mapping. In order to define an attribute mapping for an attribute, it is required to first define an attribute name mapping for that attribute. ■ ■ ■ ■ ■ External Value: Contains the value of the SAML Attribute. Local Value: Contains the local value that will be set, if the SAML attribute value matches the External Attribute/Local Null fields. External Null: Represents a null SAML attribute value. Local Null: Indicates if the local value should be null, if the SAML attribute value matches the External Attribute/Local Null fields. Ignore Case: Indicates whether or not Security Token Service should ignore case when comparing the attribute value to the Local Attribute field. Issuing Authority Profile: Token Mapping Using the Token Mapping tab, shown in Figure 46–8, Administrators can override the Mapping Rules defined in a SAML Validation Template with the ones defined in an Issuing Authority Partner Profile. This way, Security Token Service can map SAML Assertions based on rules specific to a set of Assertion Issuers.Table 46–10 describes the Token Mapping elements for the Issuing Authority. Managing Token Service Partners and Partner Profiles 46-15 Managing Token Service Partner Profiles Figure 46–8 Issuing Authority Profile: Token Mapping Tab 46-16 Administrator's Guide for Oracle Access Management Managing Token Service Partner Profiles Table 46–11 Issuing Authority Token Mapping Elements Element Description Override Token Mapping Indicates whether or not the Mapping Rules defined in this section should override the ones listed in the SAML Validation Template used to process the assertion. This allows Security Token Service to use Mapping Rules that are specific to the Assertion Issuer. If true, all the Mapping Rules will be overridden by the settings listed in this section. Override Simple User Mapping Simple user mapping consists of mapping the incoming token to a user record by using a single token attribute and matching it against a single user record attribute. ■ ■ Override User Name Identifier Mapping User Token attribute references an attribute from the incoming token that will be matched against the Datastore attribute (defined below) of a user record. The values can be STS_ SUBJECT_ID for the NameID Value, or the name of an Attribute contained in the Assertion's AttributeStatement Datastore attribute references the user record attribute that will be matched against the User token attribute referenced above When enabled, define a NameID user mapping operation, which consists of mapping the incoming SAML Assertion to a user record by mapping the NameID Value to a single user record attribute, based on the NameID format. When enabled, Security Token Service will evaluate the NameID format, and based on the Name Identifier mapping table which user record attribute should be matched against the Name ID value contained in the Assertion. The Name Identifier mapping table holds the user record attributes to be used for the mapping operation. It contains standard NameID formats, but it can be customized to define custom Name ID formats. ■ ■ Override Attribute Based User Mapping To add custom NameID format, click the add button on the Name Identifier mapping table, and enter the custom URI. To set an attribute for a specific NameID format to be used for mapping operation, set the user record attribute on the line for that format. An Attribute Based User Mapping operation consists of mapping the incoming token to a user record by using an LDAP query and token attributes. The format of the LDAP query defines the mapping rule and specifies the token attributes to be used by their names, surrounded by % character. For example, an LDAP query that will map a token based on two token attributes (firstname and lastname) would be: (&(sn=%lastname)(givenname=%firstname%)) STS_SUBJECT_ID contains the NameID Value. STS_NAMEID_FORMAT contains the NameID Format STS_NAMEID_QUALIFIER contains the NameID Qualifier STS_SAML_ASSERTION_ISSUER contains the Issuer of the Assertion Attributes present in the Assertion's AttributeStatement Override Simple Partner Mapping A simple partner mapping operation consists of mapping the incoming token to a partner requester by using a single token attribute and matching it against a partner identification attributes. ■ ■ Partner Token attribute references an attribute from the incoming token that will be matched against the Partner Datastore attribute (defined below) of a Requester Partner. The values can be STS_ SUBJECT_ID for the NameID Value, or the name of an Attribute contained in the Assertion's AttributeStatement. Partner Datastore attribute references the partner identification attribute that will be matched against the Partner token attribute referenced above. Managing Token Service Partners and Partner Profiles 46-17 Managing Token Service Partner Profiles Table 46–11 (Cont.) Issuing Authority Token Mapping Elements Element Description Override Partner Name Identifier Mapping When enabled, define the following: A NameID user mapping operation consists of mapping the incoming SAML Assertion to a user record by mapping the NameID Value to a single requester partner identification attribute, based on the NameID format. When enabled, Security Token Service will evaluate the NameID format, and based on the Name Identifier mapping table which partner identification attribute should be matched against the Name ID value contained in the Assertion. The Name Identifier mapping table holds the requester partner identification attributes to be used for the mapping operation. It contains standard NameID formats, but it can be customized to define custom Name ID formats. ■ ■ To add custom NameID format, click the add button on the Name Identifier mapping table, and enter the custom URI. To set an attribute for a specific NameID format to be used for mapping operation, set the requester partner identification attribute on the line for that format. 46.4.2 Managing a Token Service Partner Profile Users with valid Administrator credentials can use this procedure to create, locate, view, edit, or remove a token service partner profile. Prerequisites The prerequisites for Requester Partner Profiles are: ■ ■ A Relying Party Partner Profile must exist, in order to be able to set the default Relying Partner Profile. WS-Trust Validation Templates must exist in order to set the templates that will be used to validate tokens located in the OnBehalfOf element. The prerequisites for Relying Partner Profiles are: ■ Issuance Template must exist in order to configure which templates to use for token issuance operations. There are no prerequisites for Issuing Authority Partner Profiles. To create, find, edit, or remove a partner profile 1. In the Oracle Access Management Console, click Federation at the top of the window. 2. In the Federation console, select Partner Profiles from the View drop-down menu in the Security Token Service section. 3. Select the desired profile type tab and proceed with following steps as needed. 4. ■ Requester Profiles ■ Relying Party Profiles ■ Issuing Authority Profiles New Profile: a. Click the New [Profile Type] button to display a fresh page for your definition. b. Enter general information for the chosen profile type (Table 46–7) and click the Next button. 46-18 Administrator's Guide for Oracle Access Management Managing Token Service Partner Profiles c. Token and Attributes: Use the appropriate table to provide details for the chosen profile type: Requester Profile Table 46–8 Relying Party Profile Table 46–9 Issuing Authority Profile Table 46–10 d. 5. 6. Click Save to submit (or click Cancel to dismiss the page) and then dismiss the confirmation window. Refine a Profile Search: "Refining a Profile Search" a. Perform Steps 1 and 2. b. Define your query and click the Search button. c. In the Search Results table, click the name of partner to view, edit, or remove. Edit a Profile: a. In the Search Results table, click the name of profile to edit and click the Edit button (or choose Edit from the Actions menu). b. Make desired changes to partner information. Requester Profile Table 46–8 Relying Party Profile Table 46–9 Issuing Authority Profile Table 46–10 c. 7. Click Apply to submit the changes (or Revert to cancel changes) and then dismiss the confirmation window. Remove a Profile: To remove a profile, it is required not to be referenced anywhere else. To remove a Requester Partner Profile, it is required that: ■ No Requester Partner references the profile. ■ No WS-Security Validation Template references the profile To remove a Relying Party Partner Profile, it is required that: ■ No Relying Party Partner references the profile. ■ No Requester Partner Profile references the profile. To remove an Issuing Authority Partner Profile, it is required that: ■ No Issuing Authority Partner references the profile If these prerequisites are met, proceed as follows: a. In the Search Results table, highlight the row containing the profile to remove. b. Click the Delete (X) button (or choose Delete Selected from the Actions menu), then dismiss the confirmation window. 46.4.3 Refining a Profile Search As with Partner definitions, when you open the Partner Profiles node, all Partner Profiles nodes become available. When you choose a specific type of Partner Profile node, relevant Search controls, and the Search Results table, become available. Managing Token Service Partners and Partner Profiles 46-19 Managing Token Service Partner Profiles Figure 46–3 illustrates a typical Search Profiles page. This one is for a Requester Profile. However, all controls are the same; only the results differ for different profile types. Figure 46–9 Search Partner Profiles Page: Requester Profiles From the Search page you can simply select a name in the Search Results table to view or edit the Profile, or use the controls to refine your search to locate a specific Profile or a Profile with specific characteristics. 46-20 Administrator's Guide for Oracle Access Management 47 Troubleshooting Security Token Service 47 This chapter provides troubleshooting tips for Security Token Service: ■ Authorization Issues ■ Endpoint Issues ■ Mapping Operation Issues 47.1 Authorization Issues Problem: Authorization Failure during Token Issuance operation During a WS-Trust request issuance operation, the Security Token Service returns an error. Error Message The following are sample error messages that can be seen in the logs: Solution Security Token Service is deployed but not enabled. To enable Security Token Service, perform the following operations: 1. In the Oracle Access Management Console, click Configuration at the top of the window. 2. In the Configuration console, click Available Services. 3. Enable the Security Token Service. Security Token Service detects the change and publishes the endpoints. No restart is required. 47.3 Mapping Operation Issues Problem: Failure to map the AppliesTo element to a Relying Party Partner When Security Token Service processes a WS-Trust request with an AppliesTo element referencing the Web Service Provider, the server will attempt to map the location contained in the AppliesTo element to an Security Token Service Relying Party Partner using the Resource URL defined in the Partner entry. If such a mapping fails, the server will log an Info message in the logs indicating that the operation failed and indicating what was the AppliesTo address used. Error Message The following is a sample of an error message: 47-2 Administrator's Guide for Oracle Access Management Mapping Operation Issues [2011-04-22T15:08:12.632-07:00] [oam_server1] [NOTIFICATION] [STS-15542] [oracle.security.fed.eventhandler.sts.creation.v13.CreateV13TokenEventHandler] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: f00aacae2d3f3ded:125005ed:12f7f412274:-8000-0000000000000016,0] [WEBSERVICE_ PORT.name: wssuser-port] [APP: oam_server] [J2EE_MODULE.name: sts] [WEBSERVICE.name: wssuser-serviceSoap12] [J2EE_APP.name: oam_server] The mapping of the AppliesTo element from the WS-Trust Request to a Relying Party Partner failed: could not map http://relying.party.test.com/testing/service Solution If the AppliesTo location should have been mapped to a Relying Party Partner, then the Partner settings should be verified to ensure that the Resource URLs are correctly defined to: ■ be the exact match of the AppliesTo address ■ be a parent of the AppliesTo address. For example, if the AppliesTo address is http://relying.party.test.com/testing/service, a parent could be http://relying.party.test.com/testing/ or http://relying.party.test.com/. In both cases, the AppliesTo location would be mapped to a Relying Party Partner with any of those Resource URLs defined. this message is recorded at Notification level, thus in order for Security Token Service to record it, the appropriate logging level must be set to include the Notification:1 level. Note: In certain cases, failure to correctly map the AppliesTo address to a Relying Party Partner will result in errors due to: ■ ■ Authorization evaluation failures Security Token Service not being able to retrieve certificate belonging to the Relying Party Partner. Troubleshooting Security Token Service 47-3 Mapping Operation Issues 47-4 Administrator's Guide for Oracle Access Management Part XI Part XI Managing Oracle Access Management Mobile and Social This part documents Oracle Access Management Mobile and Social. Mobile and Social serves as an intermediary between a user or client seeking to access protected resources, and the back-end Oracle Access Management and Oracle Identity Management services that protect the resources. Mobile and Social provides simplified client libraries that allow developers to quickly add feature-rich authentication, authorization, and Identity capabilities to registered applications. On the back-end, the Mobile and Social service's pluggable architecture lets system Administrators customize the access management services without having to update the installed software. Part IX contains the following chapters: ■ Chapter 48, "Understanding Mobile and Social" ■ Chapter 49, "Configuring Mobile and Social Services" ■ Chapter 50, "Configuring Social Identity" ■ Chapter 53, "Configuring OAuth Services" ■ Chapter 51, "Configuring Social Identity System Settings" 48 Understanding Mobile and Social 48 This chapter describes the purpose and capabilities of Oracle Access Management Mobile and Social. It includes the following topics. ■ Introducing Mobile and Social ■ Understanding Mobile and Social Services ■ Understanding the Mobile and Social Services Processes ■ Using Mobile and Social Services ■ Understanding Social Identity ■ Understanding Social Identity Processes ■ Using Social Identity 48.1 Introducing Mobile and Social The Oracle Access Management Mobile and Social service acts as an intermediary between a user or client seeking to access protected resources, and the back-end Access Management and Identity Management services that protect the resources. Mobile and Social provides simplified client libraries that allow developers to quickly add feature-rich authentication, authorization, and identity capabilities to registered applications. On the back-end, the Mobile and Social server's pluggable architecture lets system administrators customize identity and access management services without updating the user's client software or mobile applications. Mobile and Social provides two complimentary feature sets: ■ Mobile and Social Services (formerly Mobile Services) connects applications and devices to the enterprise Access Management and Identity Management services available in the Oracle Identity Access Management product suite. This makes it easy to utilize sophisticated authentication and authorization services functionality (such as mobile device and application registration, and device fingerprinting) to restrict access to authorized devices only. Client applications can also implement knowledge-based authentication, a powerful feature that goes beyond basic password-based authentication. Device fingerprinting and knowledge-based authentication both require Oracle Adaptive Access Manager. Note: Mobile and Social Services can be configured to require a valid device and client credential and a User Token with each application token request. This ensures that only an authorized user can access a protected resource, and then only if the user Understanding Mobile and Social 48-1 Introducing Mobile and Social is running an authorized application on an authorized device. Mobile and Social Services also provides easy access to User Profile Services if Mobile and Social is integrated with an LDAP compliant directory server. Prior to version 11.1.2.3, Mobile and Social Services was named Mobile Services. Note: ■ Social Identity allows Mobile and Social to serve as the relying party when interacting with popular cloud-based identity authentication and authorization services, such as Google, Yahoo, Facebook, Foursquare, Windows Live, Twitter, and/or LinkedIn. After deploying Mobile and Social, a user is provided with multiple log-in options without the need to implement each provider individually. This allows users to access protected resources using their credentials from a trusted Identity Provider. Prior to version 11.1.2.2, Social Identity was named Internet Identity Services. Note: ■ OAuth Services allows organizations to implement the open standard OAuth 2.0 Web authorization protocol in an Access Manager environment. OAuth enables a client to access Access Manager protected resources that belong to another user (that is, the resource owner). Applications that use Mobile and Social Services, and applications that use OAuth Services can co-exist on the same desktop or mobile device, but each requires its own separate implementation. In addition to tight integration with Access Manager, Mobile and Social is "pre-wired" to work with other back-end Identity and Access Management Service offerings, including Oracle Adaptive Access Manager and a variety of LDAP compliant directory servers. On the front-end, Mobile and Social provides easy to use SDKs for integration of client applications on the Java, Android, and iOS platforms. The client applications then use simple REST calls to communicate with the Mobile and Social server. REST (REpresentational State Transfer) is the software architectural style with which the World Wide Web has been developed. It is lightweight and especially well-suited to building web-based applications and services. Note: You can configure Mobile and Social Services and Social Identity to work together. For example, use Social Identity to let users authenticate with Google, Facebook, Twitter, and so on, and use Mobile and Social Services to (a) provide local authentication functionality, or (b) generate a User Token by accepting a User Identity assertion from a social Identity Provider. Mobile and Social Services can also enhance device registration security when used in conjunction with Social Identity. 48-2 Administrator's Guide for Oracle Access Management Introducing Mobile and Social Mobile and Social provides security layer functionality to registered applications that run on either Android or iOS devices, or in a Java SE JVM, or that communicate with the service using REST calls. If you require additional mobile functionality, ADF Mobile, a complimentary Oracle product offering, provides an application development framework for creating full-featured applications for iOS-powered devices. For more information, see the Oracle Fusion Middleware Mobile Developer's Guide for Oracle Application Development Framework. Note: The following sections contain additional information and documentation links regarding the installation and deployment of Mobile and Social. ■ Installing Mobile and Social ■ Deploying Mobile and Social ■ Enabling Mobile and Social 48.1.1 Installing Mobile and Social You install Mobile and Social together with Access Manager. You can configure Mobile and Social to run by itself, or in combination with either Access Manager or Oracle Adaptive Access Manager (OAAM), or you can deploy all three together. Depending on the software deployed alongside Mobile and Social, the available features may vary. Table 48–1 provides the details. Table 48–1 Features in Mobile and Social Based on the Companion Services Installed Feature Mobile and Social Only ✔ ✔ Ability to uniquely identify connecting mobile devices (Device fingerprinting) Basic (limited) device security checks during device registration, access requests Advanced device security checks during device registration and access requests, including risk-based access controls (for example, allow or deny access based on geolocation and other device attributes) Mobile and Social + OAAM ✔ Access Manager token support using native Access Manager authentication dialogs JWT token support for authentication and authorization Mobile and Social + Access Manager ✔ Mobile and Social + Access Manager + OAAM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ Understanding Mobile and Social 48-3 Introducing Mobile and Social Table 48–1 (Cont.) Features in Mobile and Social Based on the Companion Services Mobile and Social + Access Manager Mobile and Social Only Feature Multi-step authentication support (knowledge-based authentication and one time password support) Mobile and Social + Access Manager + OAAM Mobile and Social + OAAM ✔ ✔ Interact with a Directory server ✔ and support User Profile services ✔ ✔ ✔ ✔ ✔ ✔ ✔ Relying party support for Internet-based Identity Providers (Facebook, Google, Twitter, LinkedIn, Yahoo) For installation details, see the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. 48.1.2 Deploying Mobile and Social The following list contains information and links regarding several Mobile and Social deployments. ■ ■ If deploying Mobile and Social together with Access Manager, both can be deployed together on the same server, either in the same domain or in separate domains. For details, see the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. If deploying Mobile and Social alongside Oracle Access Manager 10g or 11gR1 PS1, Mobile and Social and Oracle Access Manager need to be installed on different servers in different domains. For details, see Section 51.3, "Deploying Mobile and Social With Oracle Access Manager." If Access Manager is already installed, you cannot add Mobile and Social to an Oracle Access Management installation by extending the OAM domain. Attempting to do so will result in an error similar to the following: Note: CFGFWK-64071- the selection conflicted with templates already installed in the domain OAM with database policy store 11.1.1.3.0 ■ If deploying Mobile and Social with a WebGate, Mobile and Social can generate the Oracle Access Management token that clients need to access the WebGate-protected resources. The following restrictions apply: – If you deployed Oracle Access Management 11gR2 (11.1.2), Mobile and Social can generate a token that can access either an 11g WebGate or a 10g WebGate. – If you deployed either Access Manager 11gR1 (11.1.1) or 10g, Mobile and Social can generate an Oracle Access Management token that can access a 10g WebGate only. 48-4 Administrator's Guide for Oracle Access Management Understanding Mobile and Social Services ■ When moving Mobile and Social from a test environment to a production environment, see Section 51.5, "Configuring Social Identity After Running Test-to-Production Scripts." 48.1.3 Enabling Mobile and Social To leverage the Mobile and Social functionality, the service should be explicitly enabled. Follow these steps to enable the Mobile and Social service. 1. Log in to the Oracle Access Management Console. The Launch Pad opens. 2. Click Available Services in the Configuration pane. The Available Services page opens. 3. Click Enable next to Mobile and Social. 48.2 Understanding Mobile and Social Services Mobile and Social Services connect applications running on client devices to the security services and products available in the Oracle Identity Access Management product suite. In addition, User Profile Services is a Mobile and Social Services feature that connects client applications to many popular LDAP compliant directory servers. Mobile and Social Services consists of the following components: ■ ■ ■ A server component that interfaces with your backend Identity Services infrastructure. The server acts as an intermediary between supported client applications (and the users using those applications) and your backend Identity services. This arrangement decouples the client applications from the backend infrastructure so that you can modify your backend infrastructure without having to update your client programs. You can enable the Mobile and Social service to run by itself or in combination with the Access Manager service and/or the OAAM product as discussed in Section 48.1, "Introducing Mobile and Social." A server-side device store that can store security material, such as security tokens and security information required by the OAAM Security Handler Plug-in. The server-side device store provides several benefits: It improves security because tokens managed by the server-side device store are not sent to the client application where they can be copied if the device or client app is compromised; it eliminates the need for mobile client applications to manage and synchronize security material; and finally it allows security material to be shared and synchronized among multiple client apps. A Mobile and Social Mobile and Social Services Client Software Development Kit (Client SDK) is available for Android and iOS devices and Java. It is used to build authentication, authorization, and directory-access functionality into applications that run on mobile and desktop devices. The Mobile and Social Services Client SDK can also be used to build a mobile single sign-on (SSO) agent application (for Android and iOS devices only). Mobile SSO is described in Section 48.2.3, "Understanding Single Sign-on (SSO) for Mobile and Social Services." The Mobile and Social Mobile and Social Services Client SDK is described in Section 48.2.4, "Introducing the Mobile and Social Services Client SDK." The following sections contain more detailed information regarding the Mobile and Social Services portion of Mobile and Social. ■ Introducing Authentication Services and Authorization Services Understanding Mobile and Social 48-5 Understanding Mobile and Social Services ■ Understanding the Mobile and Social Services Authorization Flow ■ Understanding Single Sign-on (SSO) for Mobile and Social Services ■ Introducing the Mobile and Social Services Client SDK ■ Introducing User Profile Services 48.2.1 Introducing Authentication Services and Authorization Services Authentication and Authorization Services lets you extend an existing authentication and authorization infrastructure to include mobile and non-mobile applications. Mobile and Social Services supports the following common token types: ■ ■ ■ ■ A User Token grants the token bearer with the permissions associated with the person who has been authenticated. An Access Token grants access to a specific protected resource, such as a web resource or a URL. A Client Token grants access to a non-mobile hardware device, such as a web application or server application. A Client Registration Handle (similar to a Client Token) is also used by Mobile and Social Services. It represents a mobile client application running on a mobile device. Mobile and Social uses the Client Registration Handle to register mobile devices, whereas non-mobile Service Providers use Client Tokens to authenticate non-mobile devices. A mobile device is a device that runs a mobile operating system, such as the Android mobile operating system from Google or the iOS mobile operating system from Apple, while a non-mobile device is a device that runs a non-mobile operating system, such as Mac OS X, Windows 7, and Lynx desktop. Because mobile devices and non-mobile devices present different security challenges, mobile authentication and non-mobile authentication are managed separately in Mobile and Social. New mobile devices come online much more frequently and therefore require greater scrutiny, including heightened fraud detection measures. A non-mobile device can use either mobile services or non-mobile services as long as the correct input is provided. Note: Mobile and Social supports Oracle Access Manager tokens (if Access Manager is installed with Mobile and Social) and JWT (JSON Web Token) tokens. Each token type has a corresponding mobile and a non-mobile Service Provider. Mobile and Social provides six pre-configured Authentication Service Providers: ■ OAM Authentication ■ Mobile OAM Authentication ■ JWT Authentication ■ Mobile JWT Authentication ■ JWT-OAM Authentication ■ Mobile JWT-OAM Authentication Table 48–2 describes the Authentication Service Providers. 48-6 Administrator's Guide for Oracle Access Management Understanding Mobile and Social Services Table 48–2 Mobile and Non-Mobile Authentication Service Providers in Mobile and Social Services Authentication Service Provider Description OAMAuthentication Lets users running a web application from a desktop device authenticate using Access Manager. MobileOAMAuthentication Lets users using mobile devices authenticate using Access Manager JWTAuthentication Lets users running a web application from a desktop device authenticate using the JSON Web Token format. JSON Web Token is a compact token format that is suitable for space-constrained environments such as HTTP Authorization headers. MobileJWTAuthentication Lets users using mobile devices authenticate using the JSON Web Token format. JWTOAMAuthentication Allows lightweight, long-duration JWT tokens to be exchanged for OAM tokens. OAM tokens provide SSO and OAM resource access to clients. This provider allows users using non-mobile applications to get a new OAM token without having to provide credentials if they have a valid, long-duration JWT token. MobileJWTOAMAuthentication Allows lightweight, long-duration JWT tokens to be exchanged for OAM tokens. OAM tokens provide SSO and OAM resource access to clients. This provider allows users using mobile applications to get a new OAM token without having to provide credentials if they have a valid, long-duration JWT token. 48.2.2 Understanding the Mobile and Social Services Authorization Flow The Mobile and Social Services authorization flow is used if the client application implements mobile security using the Mobile and Social Client SDKs for Android, iOS, or Java, or if the client app goes through a Mobile SSO Agent app (covered later) to establish mobile security. In this flow the client app (or the Mobile SSO Agent) collects user inputs and maintains the user session on the mobile device. The diagrams in the following sections depict the Mobile and Social Services authorization flow: ■ Section 48.3.1, "Registering a Mobile Device With User Authentication" ■ Section 48.3.2, "Authenticating a User With a Registered Device" ■ Section 48.3.3, "Using REST Calls for User Authentication" ■ Section 48.3.4, "Authenticating the User With a Mobile Browser-Based Web App" 48.2.3 Understanding Single Sign-on (SSO) for Mobile and Social Services Mobile Single Sign-on (Mobile SSO) lets a user run multiple mobile applications on the same device without having to provide credentials for each one. Both native and browser-based applications can participate in Mobile SSO. Mobile and Social Services apps and Mobile OAuth apps require separate SSO implementations. For information about single sign-on for Mobile OAuth applications, see Section 52.8, "Understanding Mobile OAuth Services Server-Side Single Sign-on." Note: Understanding Mobile and Social 48-7 Understanding Mobile and Social Services Understanding the Mobile SSO Agent App A special app installed on a mobile device can be designated as a Mobile SSO Agent. This app serves as a proxy between the remote Mobile and Social server and the other apps on the device that need to authenticate with the back-end Identity services. The Agent can either be a dedicated agent (that is, an app that serves no other purpose), or a business (client) app that also provides agent functionality. Before an app can use the Mobile SSO agent app to authenticate with the Mobile and Social server, you must configure the app as either a Mobile SSO Agent or Client on the server. For more information about configuring Mobile and Social Services security for Mobile SSO, see Section 49.7, "Defining Service Domains." Note: The Mobile SSO Agent handles device registration and advanced authentication schemes (including multi-factor authentication and one time password authentication), so this functionality does not have to be built into each mobile application. When the Mobile SSO Agent is present, user credentials are never exposed to the mobile business applications. The Mobile SSO Agent and SSO Client interact as follows: ■ ■ ■ ■ The SSO Client app sends the device registration request, the application registration request, and the User Token request to the SSO Agent. The SSO Agent makes the necessary acquisitions on behalf of the SSO Client. The SSO Client app then requests any Access Tokens it needs using the registration handle and User Token. The SSO Agent app stores tokens and security material on behalf of the mobile SSO Client, similar to the server-side device store. A browser-based business app can also be configured to use a Mobile SSO Agent for authentication. If that is the case, launching a browser-based business app invokes the Mobile SSO Agent and causes the agent to collect a user name and password, and send them to the Mobile and Social server. If the business app and the agent are authorized for SSO, the Mobile and Social server authorizes access. The agent then requests an Access Token for the resource (on behalf of the business app) and redirects the browser to the URL of the business app with the Access Token included in the headers. From the user's perspective, native and browser-based apps open on the device without asking the user to provide credentials. If the agent is not installed on the mobile device, or if the business app is not approved for Mobile SSO, the user will have to directly and independently send his or her credentials to the Mobile and Social server with each and every app that is launched. The Mobile SSO Agent can time-out idle sessions, manage global logout for all apps, and assist in device selective wipe outs. Furthermore, it supports basic offline authentication. The agent one-way encrypts user passwords for local storage. During offline authentication, the agent validates the user name and password with the locally stored version. The agent then enforces all session idle time-outs and local password expiration policies. When using a mobile SSO agent, apps open on the device without asking the user to provide credentials. If the agent is not installed on the mobile device, or if the business app is not approved for Mobile SSO, the user will have to directly and independently send his or her credentials to the Mobile and Social server with each and every app that is launched. 48-8 Administrator's Guide for Oracle Access Management Understanding Mobile and Social Services Oracle does not provide a pre-built Mobile SSO Agent, however, documentation is provided so that you can build a Mobile SSO Agent app using the Mobile and Social Services Client SDK for Android or iOS. For more information about creating a Mobile SSO Agent app, refer to either the Android or the iOS Mobile and Social Services SDK documentation in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. The Mobile SSO Agent is only supported on Android and iOS devices. Note: 48.2.4 Introducing the Mobile and Social Services Client SDK The Mobile and Social Services Client SDK contains individual SDKs for Android and iOS devices, and for Java Virtual Machines (JVMs). Table 48–3 documents each Mobile and Social Services Client SDK feature and the software on which it works. Table 48–3 SDK Android, iOS, and Java Features of the Mobile and Social Services Client Feature Android Build a mobile application that can acquire Client Registration Handle, User, and Access Tokens through a Mobile and Social Server ✔ iOS ✔ ✔ Build a desktop application that can acquire Client, User, and Access Tokens through a Mobile and Social Server Interact with a Directory server and implement User ✔ Profile Services ✔ ✔ ✔ Create a mobile single sign-on (SSO) application Java ✔ 48.2.5 Introducing User Profile Services User Profile Services makes it possible to build an application that lets a user in your organization access the User Profile Services from mobile devices. User Profile Services allows Web, mobile, and desktop applications to perform a variety of LDAP compliant directory server tasks including: ■ Create, read, update, and delete functionality for users and groups ■ Search functionality ■ Org (organization) chart reporting functionality Towards this end, the Mobile and Social server can interface with many popular LDAP compliant directory servers including: ■ Microsoft Active Directory ■ Novell eDirectory ■ Oracle Directory Server Enterprise Edition ■ Oracle Internet Directory ■ Oracle Unified Directory ■ Oracle Virtual Directory ■ Open LDAP Understanding Mobile and Social 48-9 Understanding the Mobile and Social Services Processes ■ WebLogic Server Embedded LDAP Refer to the Oracle Fusion Middleware Developer's Guide for Oracle Access Management for sample code that demonstrates how to use the SDK for User Profile Services. Any device capable of HTTP communication can use User Profile Services by sending REST calls to the Mobile and Social server. See "Sending Mobile and Social REST Calls With cURL" in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. Note: 48.3 Understanding the Mobile and Social Services Processes When a user tries to access a protected resource, Mobile and Social requires either a Client Token (if the user is connecting through a server or a computer which securely stores client credentials) or a Client Registration Handle (if the user is using a mobile device). Thus, client devices (including mobile devices) and client applications must register with Mobile and Social before access to protected resources can be granted. Applications are also typically configured to require a User Token and an Access Token. Note: Client applications running on mobile devices follow this high-level authentication process before the mobile application can access a protected resource. 1. The user enters a user name and password at the application login screen and authenticates with the Mobile and Social server. 2. If a mobile device has not previously registered with the Mobile and Social server, the server sends the mobile device a Client Registration Handle after authenticating the user. 3. The Client Registration Handle is submitted back to the Mobile and Social server to get a User Token. 4. The Client Registration Handle and User Token are submitted back to the Mobile and Social server to get an Access Token. A non-mobile application can also make use of Authentication Services provided by Mobile and Social Services. In such cases, a Client Token takes the place of the Client Registration Handle. After the Client Token is obtained, a User Token and Access Token can be requested as documented above. Additional scenarios are documented in these sections. ■ Registering a Mobile Device With User Authentication ■ Authenticating a User With a Registered Device ■ Using REST Calls for User Authentication ■ Authenticating the User With a Mobile Browser-Based Web App ■ Authorization Using the Mobile OAuth Authorization Flow 48.3.1 Registering a Mobile Device With User Authentication When the mobile device attempting to access a protected resource has not previously registered with Mobile and Social, a Mobile SSO Agent must be installed. The registration authentication process is documented in the following flow. Figure 48–1 48-10 Administrator's Guide for Oracle Access Management Understanding the Mobile and Social Services Processes and Figure 48–2 follow the text and illustrate the process. 1. The user launches an application on a mobile device. 2. The application redirects the user to the Mobile SSO Agent. 3. The Mobile SSO Agent displays a login page. 4. The user enters a user name and password. 5. The Mobile SSO Agent sends the user name and password to the Mobile and Social server along with the device attributes and application ID. 6. The Mobile and Social server forwards the user name and password to Access Manager which authenticates the user. 7. The Mobile and Social server sends device attributes and other authentication results to the OAAM Mobile Security Handler Plug-in which executes the policy stored on the OAAM server. OAAM has two registration flows—active and passive. The active flow prompts the user with a challenge before allowing the device registration process to proceed. The passive flow continues without challenging the user. Note: The OAAM Security Handler Plug-in creates two security handles (snippets of data that Mobile and Social stores with either the Mobile SSO Agent or the business application itself). Each handle stores a name, value, and expiration timestamp. ■ ■ The oaam.device handle represents the mobile device. (Different client applications on the same device all have the same device handle value.) OAAM uses this handle as a key to retrieve the full device profile stored in the OAAM database. This handle has a relatively long life span. The oaam.session handle represents an OAAM login session for a client application. (Each client application on a device has a unique session handle value.) OAAM uses this handle as a key to retrieve details about the OAAM session stored in the OAAM database. When the user logs out from the client application, the oaam.session handle is removed. 8. The Mobile and Social server returns the Mobile Client Registration Handle and OAAM device and session handles to the Mobile SSO Agent. 9. The Mobile SSO Agent gets a User Token by passing the Client Registration Handle and OAAM device handles that it previously received to the server. 10. The Mobile SSO Agent requests an Access Token from Access Manager. The request contains the Client Registration Handle and OAAM device handles. See Figure 48–2. Understanding Mobile and Social 48-11 Understanding the Mobile and Social Services Processes Figure 48–1 First Time Device/Application Registration and Authentication Process Mobile User Customer App (Mobile Device) Mobile SSO Agent Mobile and Social Server Access Manager OAAM Access App Get App Profile getSession() & getAccessToken() Present Login Page User name/Password Register (User, password, device attributes, appID) *Authenticate (User, password, attributes) Successful User Authentication Register App (appID, device profile attribute) OAAM Device Handle and OAAM Session Handle Mobile Client Registration Handle, OAAM Device and Session Handles Get User Token Get Access Token 48-12 Administrator's Guide for Oracle Access Management Understanding the Mobile and Social Services Processes Figure 48–2 Mobile SSO Agent Requests Access Token from Access Manager Mobile User Customer App (Mobile Device) Mobile SSO Agent Mobile and Social Server Access Manager OAAM Access App Get App Profile getSession() & getAccessToken() Present Login Page User name/ Password Authenticate (User, password, attributes) Successful Authentication Register App (appID, oaam device handle, device profile attributes) OAAM Result/ Action Client Registration Handle for Customer App Get Access Token 48.3.2 Authenticating a User With a Registered Device This scenario describes a user with a mobile device (already registered with Mobile and Social) launching a Mobile and Social compatible business application. In this scenario the Mobile SSO Agent is already installed and the user needs to access a protected resource that requires an Access Token. The business application must first acquire the User Token before it can request the Access Token. The accompanying figures (Figure 48–3 and Figure 48–4) illustrate the process. 1. The user launches the business application on a mobile device. 2. The business application asks the Mobile SSO Agent for a User Token and one of the following occurs. a. If a valid User Token exists in the local credential store, the Mobile SSO Agent returns it to the business application. The business application inserts the User Understanding Mobile and Social 48-13 Understanding the Mobile and Social Services Processes Token into a direct request to the Mobile and Social server for the Access Token. The flow completes when the business application uses the Access Token returned by the server to access the protected resource (as in Figure 48–3). Figure 48–3 Mobile SSO Agent Has Valid Access Token in Credential Store Client Web Tier REST/SOAP User App Client REST/ SOAP Server 3 Mobile SSO Agent b. 2 Authentication Mobile and Social 1 Access Token Access Manager OAAM If a valid User Token does not exist in the local credential store, the login flow continues (as in Figure 48–4). 3. The Mobile SSO Agent presents a login page and the user enters a user name and password. 4. The Mobile SSO Agent sends the user name, password, and Client Registration Handle to the Mobile and Social server. (Step 2 in Figure 48–4). 5. The Mobile and Social server validates the Client Registration Handle, authenticates the user credentials (with either the JWT token service or the Access Manager token service), invokes OAAM for risk analysis and then returns the User Token to the Mobile SSO Agent. (Step 3 in Figure 48–4). 6. The Mobile SSO Agent stores a copy of the user token in its local credential store and returns the User Token to the business application. (Step 4 in Figure 48–4). 7. The business application uses the User Token to make a direct request to the Mobile and Social server for the Access Token. (This step is not shown in the diagram.) 8. The Mobile and Social server returns the Access Token to the Mobile SSO Agent. 9. The business application uses the Access Token to make calls to the resource protected by Access Manager or Oracle Enterprise Gateway (OEG). (Step 5 in Figure 48–4). 48-14 Administrator's Guide for Oracle Access Management Understanding the Mobile and Social Services Processes Figure 48–4 Mobile SSO Agent Does Not Have Valid Access Token in Credential Store Client App (Mobile) 1 Request User Token Mobile SSO Agent 2 Oracle SDK Mobile and Social Server (Server) • If valid User token exists in localcredential store, return the token to App. Else continue below. 3 • Publishes ID context to Access Manager • Present login page. 5 Use token to make REST/SOAP calls to client server protected by Access Manager or OEG • Invokes OAAM for risk analysis • Accept username/password. • Extract device attributes and ID contexts. • Responds User/Access Tokens • Makes authentication call with user/password, and device attributes. 4 • Authenticates with Access Manager • Stores User/Access Token • Returns token to Client App 48.3.3 Using REST Calls for User Authentication In this scenario an application running on a mobile device interfaces with the Mobile SSO Agent, which communicates with the Mobile and Social server using REST calls. The server interfaces with Access Manager and OAAM as needed and returns the necessary tokens to the Mobile SSO Agent (again using REST calls). The agent forwards the tokens back to the application, which can now access the protected resource using either REST or SOAP calls. The process is documented in the following flow. Figure 48–5 follows the text and illustrates the process. 1. The user launches an application on a mobile device. 2. Because the client application needs to access a resource protected by Access Manager, the client application asks the Mobile SSO Agent for an Access Token. 3. The Mobile SSO Agent gets the Application Profile from the Mobile and Social server. 4. The Mobile SSO Agent prompts for a user name and password. 5. The Mobile SSO Agent sends the user name and password to the Mobile and Social server along with the device attributes and application ID. 6. The Mobile and Social server registers the device and authenticates the user. 7. The server returns an Access Token to the Mobile SSO Agent. 8. The Mobile SSO Agent saves the hashed password in its local credential store. 9. The Mobile SSO Agent passes the Access Token to the client application. 10. The client application accesses the protected resource by presenting the Access Token. Understanding Mobile and Social 48-15 Understanding the Mobile and Social Services Processes Figure 48–5 User Authentication Using REST Native App #1...#n Client Web Tier 1 7 REST/SOAP IDM SDK 2 Agent Mobile Device Client REST/ SOAP Server 6 Mobile SSO Agent Device Registration 5 Store Credential Mobile and Social SDK 4 Mobile and Social 3 Prompt Login Access Manager OAAM • Register Device/App Device Database Provisioning /Deprovisioning • Authenticate User • Get Access Token • Get User Attributes 48.3.4 Authenticating the User With a Mobile Browser-Based Web App This scenario describes a user with a Mobile and Social registered mobile device launching a Mobile and Social compatible browser-based web application. In this scenario the Mobile SSO Agent is installed. The legacy authentication process is documented in the following flow. Figure 48–6 follows the text and illustrates the process. 1. The user opens a URL in a web browser on a mobile device. 2. The application web server redirects the browser to Access Manager. 3. Access Manager sends the web browser a URL redirect. 4. The web browser responds to the redirect by launching the Mobile SSO Agent. If the agent is not installed, a link with instructions to install the Mobile SSO Agent application is displayed. 5. The Mobile SSO Agent displays the User login page. 6. The user enters a user name and password. 7. The Mobile SSO Agent sends the user name, password, and Client Registration Handle to the Mobile and Social server. (This step is not shown in the diagram.) 8. The Mobile and Social server validates the Client Registration Handle, authenticates the credentials with Access Manager, publishes the ID context to the Access Manager server, and invokes OAAM for risk analysis. 9. Access Manager returns a User Token or an Access Token to the Mobile and Social server which, in turn, returns the User Token or the Access Token to the Mobile SSO Agent. (This step is not shown in the diagram.) 48-16 Administrator's Guide for Oracle Access Management Understanding the Mobile and Social Services Processes 10. The Mobile SSO Agent directs the browser to the Mobile and Social server where it injects a cookie. 11. The Mobile SSO Agent sends the web browser a URL redirect and an Access Token. 12. The mobile web browser responds to the redirect and opens the original web URL because the access request now includes an Access Token. 13. The application web server sends the requested pages to the mobile web browser. Figure 48–6 Authenticating User From Browser-based Web App on Registered Mobile Device Mobile User Browser (Mobile Device) Mobile SSO Agent App Web Server Mobile and Social Server Access Manager & OAAM Access Web URL Redirect to Access Manager Redirect to local app Redirect Present Login Page User name/Password Fingerprint & Authenticate Access Token Inject cookie Redirect App Pages Redirected to original Web URL Pages from App Web Server 48.3.5 Authorization Using the Mobile OAuth Authorization Flow The following diagram shows at a high level the interactions between a mobile app and the Oracle Access Management OAuth service in the context of Mobile and Social Services. To understand the difference between the legacy authorization flow and the Mobile OAuth authorization flow, see Section 48.2.2, "Understanding the Mobile and Social Services Authorization Flow." For a detailed look at the OAuth authorization flow in the context of the OAuth Service, see Section 52.3, "Understanding OAuth Services Authorization for Mobile Clients." Understanding Mobile and Social 48-17 Understanding the Mobile and Social Services Processes 1. The mobile app requests a client verification code by sending a device token. The OAuth service returns the client verification code. If the APNS/GCM option is enabled, the OAuth service returns half of the code using push notification, and the other half over HTTPS. Push notification provides an extra level of assurance for confirming the identity of the application and device. 2. The mobile app requests an authorization code by sending device claims and the client verification code. The OAuth service: 3. ■ Authenticates the user ■ Requests the user's consent to register the app (optional) ■ Invokes OAAM for risk analysis ■ Returns the authorization code using push notification (optional) and HTTPS The mobile app requests a Client Token by sending the authorization code and device claims. The OAuth service returns the Client Token using push notification (optional) and HTTPS. 4. The mobile app requests an Access Token by sending the Client Token, the authorization code, and the device claims. The OAuth service returns the Access Token. 5. The mobile app requests access to the protected resources using the Access Token. (Not shown in the diagram.) The resource server returns the protected resources to the client application. (Not shown in the diagram.) 48-18 Administrator's Guide for Oracle Access Management Using Mobile and Social Services Figure 48–7 48.4 Using Mobile and Social Services The following sections describe how you might use the Mobile and Social Services. ■ Protecting the Mobile Client Registration Endpoint ■ Exchanging Credentials ■ Protecting User Profile Services And Authorization Services ■ Using Mobile and Social Services with Oracle Access Manager ■ Using Mobile and Social Services with Oracle Adaptive Access Manager Services 48.4.1 Protecting the Mobile Client Registration Endpoint A mobile device attempting to access a protected resource must register with the Mobile and Social server as the server rejects anonymous requests sent to its registration endpoint. Additionally, each Service Domain should be configured to require either a User password or a User Token to register an application. The following is a sample registration endpoint for mobile clients and mobile applications: https:// host : port /idaas_rest/rest/mobileservice1/register Understanding Mobile and Social 48-19 Using Mobile and Social Services When registering with the Mobile and Social server, client applications using either the Java Client SDK or the REST API must present valid credentials to the server using one or more of the following schemes: ■ HTTP Basic Authentication ■ User ID and Password (UIDPASSWORD) ■ OAM Token Authentication Client applications using the Android or iOS SDK will acquire a Client Registration Handle which uses the UIDPASSWORD authentication scheme to secure registration. 48.4.2 Exchanging Credentials The Android, iOS, and Java SDKs will send the tokens, credentials, and other data required by the Mobile and Social server. Table 48–4 describes the tokens required and returned based on the client device or application. For a detailed look at the credentials, see “Mobile and Social Services REST Reference: Authentication and Authorization” in the “Sending Mobile and Social REST Calls With cURL” chapter of the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. Note: Table 48–4 Token Requirements for the Mobile and Social Server Device or App Type Seeking to Register Non-Mobile Device (Unregistered) Mobile SSO Agent App Token(s), Credentials, and/or Data Required by the Mobile and Social Server Type of Token Returned An ID and password associated with Client Token a client application sent over HTTPS. ■ ■ ■ A user ID and password sent over HTTPS. Device profile data for the Mobile Device. The name of the application (that is, the Client ID). Note - An Administrator must also add the name of the mobile SSO Agent to a Service Domain. 48-20 Administrator's Guide for Oracle Access Management Client Registration Handle Using Mobile and Social Services Table 48–4 (Cont.) Token Requirements for the Mobile and Social Server Device or App Type Seeking to Register Token(s), Credentials, and/or Data Required by the Mobile and Social Server Type of Token Returned Mobile SSO Client App ■ (For example, a business application that uses the Mobile SSO Agent App to register with Mobile and Social.) One of the following: A user ID and password sent to the Mobile and Social server over HTTPS. Client Registration Handle - or A User Token. ■ ■ Device profile data for the Mobile Device. The name of the application (that is, the Client ID). Note - An Administrator must also add the name of the mobile SSO Client application to a Service Domain. ■ ■ The oaam.device handle (if Mobile and Social is integrated with OAAM). Mobile SSO Client Registration Handle (previously obtained for the SSO agent), if the SSO Client application tries to register through the SSO agent application. 48.4.3 Protecting User Profile Services And Authorization Services You can choose to protect User Profile Services and Authorization Services as follows when configuring a Mobile and Social Services Service Domain. User Profile Services - Configure User Profile Services security by making the following selections for the Service Profile: ■ ■ ■ Choose the Authentication Service Provider (OAMAuthentication, MobileOAMAuthentication, JWTAuthentication, Mobile JWT Authentication, Social Identity Authentication, and so on) Protect the service by requiring a “Secured Application” security token and a “Secured User” security token Set the “Allow Read” and “Allow Write” options Authorization Services - Configure Authorization Services security by making the following selections for the Service Profile: ■ ■ Choose the Authentication Service Provider (OAMAuthentication, MobileOAMAuthentication, JWTAuthentication, Mobile JWT Authentication, Social Identity Authentication, and so on) Protect the service by requiring a “Secured Application” security token and a “Secured User” security token. 48.4.4 Using Mobile and Social Services with Oracle Access Manager Developers can quickly create applications that access resources protected by either Oracle Access Management Access Manager, or the 10g or 11gR1 PS1 (11.1.1.5) Understanding Mobile and Social 48-21 Understanding Social Identity versions of Oracle Access Manager. The Mobile and Social SDK handles authentication programatically after it collects user credentials using the credential collection interface. The SDK then uses the Mobile and Social REST interfaces to authenticate the user with the token service configured for the application. For more information about the Mobile and Social Services' authentication flow with Access Manager, see Section 48.3.1, "Registering a Mobile Device With User Authentication." 48.4.5 Using Mobile and Social Services with Oracle Adaptive Access Manager Services Oracle Adaptive Access Manager (OAAM) can be used to make runtime authentication decisions, such as blocking authentication if the user is authenticating from an unauthorized country or location. The following functionality is also supported. ■ ■ ■ ■ Multi-part login flows - for example, OAAM can challenge the user with knowledge-based authentication questions, or require the user to authenticate using one-time password (OTP) functionality if OAAM detects a risky or unusual usage pattern (using the device at unusual hours or if the user is geographically distant from the place where authentication last took place). Check device attributes (such as the MAC Address assigned to a device) and verify that the device is not jail broken. Based on device attributes, OAAM can allow or deny access. Device-selective wipeouts are also an option when using OAAM together with Mobile and Social. Based on registered device info, OAAM can white-list or black-list specific devices. For more information about using Mobile and Social with OAAM, see Section 49.9.2, "Configuring Mobile and Social Services for Oracle Adaptive Access Manager." 48.5 Understanding Social Identity Social Identity lets Mobile and Social serve as the relying party (RP) when interacting with cloud-based Identity Authentication and Authorization Services, such as Google, Yahoo, Facebook, Twitter, Windows Live, Foursquare and/or LinkedIn. Allowing users to log in to a protected resource using their credentials from a trusted Identity Provider is a convenience for the user. By deploying Mobile and Social, you can provide users with a convenient multiple log-in option without the need to implement each Provider individually. Users can use their credentials from cloud-based identity services to log in to any of the following application types. ■ ■ ■ Web applications that run on Java-compliant application servers. To add Social Identity functionality to a Web application, a developer connects the Web application to the Mobile and Social server using the Social Identity Client SDK. For details, see the "Developing Applications Using the Social Identity Client SDK" chapter in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. Applications protected by either Access Manager, or the 10g or 11.1.1.5 versions of Oracle Access Manager. Applications protected by either the Access Manager service in the Oracle Access Management product, or the 10g or 11gR1 PS1 versions of Oracle Access Manager can be configured to work with Social Identity without using an SDK. For details about the authentication flow, see Section 48.6.4, "Authenticating a User With Access Manager and Social Identity." Mobile applications running Android or iOS. Mobile applications running Android or iOS can be configured to authenticate with an Social Identity Provider. To connect 48-22 Administrator's Guide for Oracle Access Management Understanding Social Identity Processes to the Mobile and Social server, Android and iOS applications use the Mobile and Social Services SDKs for those platforms. A separate SDK is not required. Social Identity provides services for Identity Providers that support the following standards: ■ OpenID version 2.0 ■ OpenID Simple Registration Extension 1.0 ■ Open ID Attribute Exchange Extension 1.0 ■ OpenID Provider Authentication Policy Extension 1.0 ■ OAuth 1.0 and 2.0 Native support for the Identity Providers listed in Table 48–5 is provided by Mobile and Social after installation. Table 48–5 Identity Providers That Mobile and Social Natively Supports Identity Provider Supported Protocol Facebook OAuth 2.0 Google OAuth 2.0 LinkedIn OAuth 2.0 Twitter OAuth 2.0 Yahoo OpenID 2.0 Foursquare OAuth 2.0 Windows Live OAuth 2.0 Java programmers can add relying party support for additional OpenID and OAuth Identity Providers by implementing a Java interface and using the Mobile and Social console to add the Java class to the Mobile and Social deployment. For more information, see the “Extending the Capabilities of the Mobile and Social Server” chapter in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. 48.6 Understanding Social Identity Processes The following scenario documents the basic authentication process when using Social Identity. 1. A user requests access to a protected resource and is redirected to Mobile and Social. 2. Mobile and Social (RP) asks the user if they would like to log in using their credentials from, for example, Google (the Identity Provider). 3. Mobile and Social redirects the user to a Google login page where a user name and password is entered. 4. Google verifies the credentials and redirects the user back to Mobile and Social. At the same time the Identity Provider returns identity attributes to Mobile and Social based on its configuration. If the user does not have an account with your organization, the user can be prompted to register for one; the registration form will be prepopulated with the information that the Identity Provider returns. Understanding Mobile and Social 48-23 Understanding Social Identity Processes In the case of Access Manager, a user MUST register locally, otherwise access is not given. If not using Access Manager, the user is redirected to the protected resource and allowed access even if they don't register. For details, see Section 48.7.1, "Using Social Identity With Oracle Access Manager." Note: Additional scenarios are documented in these sections. ■ Authenticating a Returning User With a Local Account ■ Authenticating a New User With No Local Account ■ Using OAuth For Access Token Retrieval ■ Authenticating a User With Access Manager and Social Identity ■ Authenticating a User Locally 48.6.1 Authenticating a Returning User With a Local Account This scenario describes the authentication flow between the User, the Mobile and Social server (the relying party), the Identity Provider, and the local user authentication service (represented by Local Auth and ID Repository in the diagram). In this scenario, the local Identity repository determines that the user already has a local account. Consequently Mobile and Social does not prompt to create one. Figure 48–8, following the text, illustrates the process. 1. The user opens a URL for a protected resource in a web browser and the Mobile and Social server presents the user with a login page and a menu of Identity Providers (Google, Yahoo, Facebook, Windows Live, Foursquare, Twitter, or LinkedIn) from which to choose. 2. The user chooses an Identity Provider. 3. The Mobile and Social server redirects the user to the selected Identity Provider and a login page is displayed. 4. The user enters a user name and password and, upon authentication, the Identity Provider sends the Mobile and Social server an authentication assertion. 5. The Mobile and Social server checks with the Identity repository to see if the user has a local account. The Identity repository could be a directory server, a database, Oracle Identity Manager, or similar. The user is determined to be a User with a local account: ■ ■ If a mobile application or a directly-integrated Web application is authenticating with Mobile and Social, the Mobile and Social server sends an authentication assertion to the user's browser. If an application protected by Access Manger is authenticating, Access Manager creates the session for the user only if the user has a local account. (Newly registered users count as local account holders.) 6. The user's browser sends the authentication assertion sent by Mobile and Social to the protected resource's Access Management Service. 7. The Access Management Service carries out additional authentication steps as needed. 8. The Access Management Service allows the user access to the protected resource. 48-24 Administrator's Guide for Oracle Access Management Understanding Social Identity Processes Figure 48–8 Authenticating a Returning User with a Local Account AAA/Idm or App User Browser AuthUI Mobile and Social Server Local Auth ID Repository Local Reg IDP AuthUI IDP Select SSO + Attr Protocol (Eg: OPENID) New or Existing User? Existing user: AuthN flow POST Existing User: Authentication New Session 48.6.2 Authenticating a New User With No Local Account This scenario describes the authentication flow between the User, the Mobile and Social server (the relying party), the Identity Provider, and the local User authentication service (represented by Local Auth and ID Repository in the diagram). In this scenario, the User does not have a local account so Mobile and Social prompts to create one. Figure 48–9, following the text, illustrates the process. 1. The user opens a URL for a protected resource in a web browser and the Mobile and Social server (RP in the diagram) presents the user with a login page and a menu of Identity Providers (Google, Yahoo, Facebook, Twitter, or LinkedIn) from which to choose. 2. The user chooses an Identity Provider. 3. The Mobile and Social server redirects the user to the selected Identity Provider which displays a login page. 4. The user enters a user name and password and, upon user authentication, the Identity Provider sends the Mobile and Social server an authentication assertion. 5. The Mobile and Social server checks with the Identity repository to see if the User has a local account. The Identity repository could be a directory server, a database, Oracle Identity Manager or similar. The user is determined to be a user who does not have a local account. Mobile and Social proceeds as follows: Understanding Mobile and Social 48-25 Understanding Social Identity Processes ■ ■ 6. If the Identity Provider uses the Open ID protocol, the Mobile and Social server retrieves the user's profile attributes by processing data in the previously obtained authentication assertion. If the Identity Provider uses the OAuth protocol, the Mobile and Social server makes a separate HTTP call to the Identity Provider with the previously obtained Access Token to retrieve the user's profile attributes. The Mobile and Social server sends a new user registration form to the user's browser. The registration form is pre-populated with the user profile attributes sent by the Identity Provider in the previous step. 7. The user completes the registration form and sends it to which interfaces with the user registry (either a directory server or Oracle Identity Manager) to create the account. In cases where an Access Token is retrieved from the Identity Provider, the Access Token is also returned to the client application by way of Mobile and Social. 8. The Access Management Service for the client application carries out additional authentication steps as needed. 9. The Access Management Service allows the user access to the protected resource. 48-26 Administrator's Guide for Oracle Access Management Understanding Social Identity Processes Figure 48–9 Authenticating a New User with No Local Account AAA/IdM or App User Browser AuthUI [C1] Mobile and Social Server Local Auth ID Repository Local Reg IDP AuthUI IDP Select SSO + Attr Protocol (Eg: OPENID) New or Existing User New User: Initiate REG flow New User: Retrieve user attrs New User: POST New User: Registration Registration Complete New Session 48.6.3 Using OAuth For Access Token Retrieval This section provides supplemental detail about the OAuth authentication and Access Token retrieval flow between the User, the Mobile and Social server (the relying party), and an OAuth Identity Provider. (Facebook, Foursquare, and Windows Live use the OAuth 2.0 protocol, and LinkedIn and Twitter use the OAuth 1.0 protocol.) In this scenario, the server interfaces with the OAuth Identity Provider to get an authorization code and Access Token to access a resource protected by the OAuth Identity Provider. The Client application in this scenario could be either a Web application running on a Java-compliant application server, or a mobile application. Figure 48–10, following the text, illustrates the process. 1. The user opens the client application which returns a protected web page to the user's browser. 2. The user attempts to open the protected resource on the client application. 3. The client application asks the Mobile and Social server for an Access Token so that the user can access the protected resource. If Mobile and Social has the valid Access Token in its cache, it will forward the Access Token to the client application and the authentication scenario would skip Understanding Mobile and Social 48-27 Understanding Social Identity Processes to step 10. This flow assumes Mobile and Social does not have the Access Token in its local cache. 4. Because the Access Token is not in its local cache, on behalf of the user, Mobile and Social initiates an authorization request (utilizing HTTP headers to embed an OAuth Client ID, scope information, and a redirect URL) with the OAuth Identity Provider. 5. The OAuth Identity Provider displays a login page. 6. The user enters a user name and password into the OAuth Identity Provider login page and gives consent to the Identity Provider to provide the user's profile attributes to the Mobile and Social server (and, by extension, the client application). 7. The OAuth Identity Provider sends an authorization code to the Mobile and Social server. 8. The Mobile and Social server sends an Access Token request to the OAuth Identity Provider. Included in the request is the authorization code received in the previous step and the OAuth Client ID and client credential. 9. The OAuth Identity Provider returns an Access Token to the Mobile and Social server. 10. The Mobile and Social server caches the Access Token (with the User ID and the OAuth Client ID) and forwards the Access Token to the client application. 11. The client application uses the Access Token to access the protected resource and returns the protected page to the user's browser. 48-28 Administrator's Guide for Oracle Access Management Understanding Social Identity Processes Figure 48–10 Authenticating a User With an OAuth Identity Provider AAA/Idm or App Browser User Mobile and Social Server Client App ID Repository Local Reg OAuth SP 1 Client Apps UI to access OAuth resource 2 User accesses protected resource 3 Get Access Token for given scope 4 Access Token not found. Get authorization code with Mobile and Social ID, scope, and redirect URL 5.1 User authenticates with the Provider 5.2 and gives consent to allow resources to be accessed by the client 6 OAuth Provider returns authorization code to Mobile and Social 7 Get Access Token using the authorization code, OAuth Client ID and Credential used by the Mobile and Social Server. 8 OAuth Provider returns token to Mobile and Social 9 Persist Access Token with User ID, scope, and return Access Token to client URL. 10 Access the resource using the Access Token 48.6.4 Authenticating a User With Access Manager and Social Identity This scenario describes the authentication process between the User, Access Manager, the Mobile and Social server (the relying party), and the Identity Provider. Note that the user must either have a local account or must register for a local account when prompted; otherwise Access Manager will not let the user access the protected resource and the User will be redirected to the login page. Figure 48–11, following the text, illustrates the process. 1. The user attempts to open a protected resource on the client application. 2. The WebGate protecting the resource intercepts the access request. Understanding Mobile and Social 48-29 Understanding Social Identity Processes 3. Access Manager identifies the authentication policy protecting the resource and redirects the user to a login page provided by the Mobile and Social server. 4. The login page presents a menu of Social Identity Providers. 5. The user chooses an OpenID Identity Provider and Access Manager redirects the user's browser to the Mobile and Social server, which redirects the user's browser to the login page for the selected Social Identity Provider (Google, Facebook, Twitter, and so on). 6. The user types a user name and password into the Social Identity Provider's login page. The Identity Provider completes the authentication process and requests the User's consent to share Identity information (if applicable). 7. When authentication is complete, the Social Identity Provider redirects the browser back to the Mobile and Social server. After further processing of Identity assertions supplied by the Identity Provider and after retrieving user identity information, the Mobile and Social server redirects the user's browser to Access Manager. This time HTTP headers in the page request provide Access Manager with the user's authentication status and attributes. 8. Access Manager creates a user session and redirects the user to the protected resource. 48-30 Administrator's Guide for Oracle Access Management Understanding Social Identity Processes Figure 48–11 User Browser Protected Application Authenticating a User with Access Manager WebGate Credential Collector Access Manager Mobile and Social Social Identity Provider 1 User tries to access protected application 2 WebGate Intercepts and redirects to Access Manager 3 Access Manager Identifies the authentication policy and redirects for Credential Collection 4 Credential collector presents Identity Provider Login Selection Page. 5 Access Manager reads the selection and redirect to Mobile and Social as per the contract 6 Mobile and Social completes the authentication process 7 Mobile and Social redirects to the Access Manager Auth scheme with status and user attributes 8 Access Manager creates a session and completes the access protection 48.6.5 Authenticating a User Locally This scenario describes the authentication process if the user chooses not to authenticate through a Social Identity Provider but instead authenticates using a local account. Figure 48–12, following the text, illustrates the process. 1. The user opens a URL for a protected resource in a web browser and the Mobile and Social server presents the user with a login page and a menu of Identity Providers from which to choose. 2. The user chooses to use local authentication and types a user name and password at the login page. 3. The client application's Access Management Service carries out additional authentication steps as needed. ■ ■ 4. If using the JWT Token Service, a User Token may be created. The OAM Token Service does not return tokens during the local authentication flow. The Access Management Service creates a session for the user and the user accesses the protected resource. Understanding Mobile and Social 48-31 Using Social Identity Figure 48–12 Authenticating a User Locally AAA/Idm or App User Browser AuthUI Mobile and Social Server Local Auth ID Repository Local Reg IDP AuthUI Local Login Select Existing User: authentication New Session 48.7 Using Social Identity The following sections contain details about how you might use the Social Identity. For examples of ways to integrate Social Identity, see Section 48.6, "Understanding Social Identity Processes." ■ Using Social Identity With Oracle Access Manager ■ Using Social Identity With Mobile and Social Services ■ Using the Social Identity SDK 48.7.1 Using Social Identity With Oracle Access Manager Users can choose to log in to Access Manager protected resources using credentials from a Social Identity Provider if you integrate Social Identity with Access Manager. In this arrangement, users enter their Identity Provider credentials. Access Manager forwards the User's login request to Mobile and Social, which completes the authentication process with the Identity Provider in the background. Mobile and Social (the relying party) redirects the User to Access Manager. At the same time, Mobile and Social provides Access Manager with the User's authentication status and User attributes, which were sent by the Identity Provider. For more information about how Access Manager uses Social Identity for authentication, see Section 48.6.4, "Authenticating a User With Access Manager and Social Identity." 48.7.2 Using Social Identity With Mobile and Social Services You can configure Mobile and Social Services to allow mobile devices to authenticate using Social Identity. After an Identity Provider verifies a user's credentials, Social Identity can prompt the user to create an account with your organization. To pre-populate the new user registration form with data returned from the Identity Provider, refer to the "Developing Applications Using the Social Identity Client SDK" chapter in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. 48-32 Administrator's Guide for Oracle Access Management Using Social Identity 48.7.3 Using the Social Identity SDK Developers who maintain Java-compliant Web applications can add Social Identity functionality to their Web offering using the Mobile and Social Social Identity SDK. This SDK is available for Java-powered Web applications only. For information about the SDK, see the "Developing Applications Using the Social Identity Client SDK" chapter in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. Understanding Mobile and Social 48-33 Using Social Identity 48-34 Administrator's Guide for Oracle Access Management 49 Configuring Mobile and Social Services 49 [31Mobile ] and Social provides a graphical user interface for configuring Mobile and Social Services. (Prior to version 11.1.2.3, Mobile and Social Services was named Mobile Services.) This chapter describes how to use the Oracle Access Management Console to configure Mobile and Social Services and contains the following topics. ■ Opening the Mobile and Social Services Configuration Page ■ Understanding Mobile and Social Services Configuration ■ Defining Service Providers ■ Defining Service Profiles ■ Defining Security Handler Plug-ins ■ Defining Application Profiles ■ Defining Service Domains ■ Using the Jailbreak Detection Policy ■ Configuring Mobile and Social Services with Other Oracle Products Mobile and Social Services can be configured from the command line using WLST. For more information about the Mobile and Social WLST commands, see the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Note: Only use tools provided with OAM Mobile and Social to change passwords, security credentials, or keys. Specifically, do not use Oracle Enterprise Manager (EM) for this purpose, because it is not compatible with the Mobile and Social credential store. WARNING: 49.1 Opening the Mobile and Social Services Configuration Page Follow these steps to open the Mobile and Social Services configuration page in the Oracle Access Management Console. 1. In the Oracle Access Management Console, click Mobile Security at the top of the window. 2. Click Mobile and Social Services. Configuring Mobile and Social Services 49-1 Understanding Mobile and Social Services Configuration 49.2 Understanding Mobile and Social Services Configuration The Welcome to Mobile and Social - Mobile and Social Services configuration page is divided into separate panels that can be expanded and collapsed by clicking the arrow button in the top left corner of the panel. The following sections contain more information about the Mobile and Social Services panels. ■ Understanding Service Providers ■ Understanding Service Profiles ■ Understanding Security Handler Plug-ins ■ Understanding Application Profiles ■ Understanding Service Domains Mobile and Social includes pre-configured objects to support typical deployment scenarios. These objects are designed to help you get Mobile and Social up and running with only minor modifications required. Each section lists the pre-configured objects available after installation. Note: 49.2.1 Understanding Service Providers A Service Provider is defined for each back-end service that you are making available to client applications. By configuring the back-end service as a Service Provider, the Mobile and Social server knows how to communicate with it. You can configure a back-end service as one of the following Service Provider types. ■ Authentication Service Provider - Interfaces with an Identity Provider so that the back-end service can authenticate users, mobile devices, client applications, access permissions, and issue authentication tokens accordingly. Mobile and Social supports Access Manager and JSON Web Tokens (JWT) with their own Service Provider and Service Profile configuration objects. Further, mobile client authentication and non-mobile client authentication is managed separately so each token type has a separate mobile and non-mobile Service Provider and Service Profile. The following pre-configured Authentication Service Providers are available for typical deployments. – OAMAuthentication - Oracle Access Manager Authentication Token Service Provider – MobileOAMAuthentication - Mobile Oracle Access Manager Authentication Token Service Provider – JWTAuthentication - JSON Web Token Authentication Service Provider – MobileJWTAuthentication - Mobile JSON Web Token Authentication Service Provider – JWTOAMAuthentication - Allows lightweight, long-duration JWT tokens to be exchanged for OAM tokens. OAM tokens provide SSO and OAM resource access to clients. This provider allows users using non-mobile applications to get a new OAM token without having to provide credentials if they have a valid, long-duration JWT token. – MobileJWTOAMAuthentication - Allows lightweight, long-duration JWT tokens to be exchanged for OAM tokens. OAM tokens provide SSO and OAM resource access to clients. This provider allows users using mobile applications 49-2 Administrator's Guide for Oracle Access Management Understanding Mobile and Social Services Configuration to get a new OAM token without having to provide credentials if they have a valid, long-duration JWT token. – InternetIdentityAuthentication -The Social Identity JSON Web Token Authentication Service Provider provides pre-configured support for apps using Mobile and Social Services to accept an authentication result from the Mobile and Social Social Identity (as described in Section 48.5, "Understanding Social Identity"). Also see Section 49.3.1, "Defining, Modifying or Deleting an Authentication Service Provider" for instructions on how to create a custom Authentication Service Provider. ■ ■ Authorization Service Provider - Interfaces with a back-end Identity Provider that makes authorization (access) decisions. The pre-configured OAMAuthorization Authorization Service Provider is provided for typical deployments. See Section 49.3.2, "Defining, Modifying or Deleting an Authorization Service Provider" for instructions on how to create a custom Authorization Service Provider. User Profile Service Provider - Interfaces with a directory server to lookup and update User Profile records. The pre-configured User Profile Service Provider is provided for typical deployments. See Section 49.3.3, "Defining, Modifying or Deleting a User Profile Service Provider" for instructions on how to create a custom User Profile Service Provider. 49.2.2 Understanding Service Profiles After defining a Service Provider, you configure one or more Service Profiles for it. A Service Profile is a logical envelope that defines a Service Endpoint URL for a Service Provider on the Mobile and Social server. You can create multiple Service Profiles for a Service Provider to define different token capabilities and service endpoints. Each Service Provider instance requires at least one corresponding Service Profile. Mobile and Social includes a pre-configured Service Profile for each pre-configured Service Provider configuration object documented in Section 49.2.1, "Understanding Service Providers." 49.2.3 Understanding Security Handler Plug-ins A Security Handler Plug-in enhances security by consulting additional logic for trust and risk analysis. (Such additional logic may deny certain risky operations.) The Security Handler Plug-in applies the logic during Authentication Service operations, including client application registration. Using a Security Handler Plug-in is optional. The Security Handler Plug-ins provided with this version of the software are optimized for mobile applications. If used, only apply it to mobile-related Service Domains, its authentication services, and client applications. Do not use a Security Handler Plug-in with a non-mobile application. Mobile and Social invokes the Security Handler Plug-in during sensitive security operations (such as authentication) as well as during operations that involve token acquisition. Mobile and Social includes the following preconfigured Security Handler Plug-ins: ■ ■ The OAAMSecurityHandlerPlugin enables the sophisticated device registration and risk-based strong authentication logic available in Oracle Adaptive Access Manager. The Default Security Handler Plug-in offers more limited device registration logic. Configuring Mobile and Social Services 49-3 Defining Service Providers 49.2.4 Understanding Application Profiles An Application Profile describes the configuration and security properties of the client application that will consume services provided by the Service Provider. An Application Profile is required either when mobile applications are used, or when a non-mobile application is used with a service that does not have secured application protection. Attributes defined include an Application Profile name, a short description of the application, a list of name-value attribute pairs, and its mobile configuration settings. (Mobile configuration settings include options such as the maximum duration in minutes that the Profile can be cached, the number of allowable authentication retries, and whether offline authentication is allowed.) You can also choose which mobile device attributes (such as phonecarriername, phonenumber, osversion, and so on) are required for the application. A single Application Profile can be assigned to multiple Service Domains. 49.2.5 Understanding Service Domains A Service Domain is a logical grouping that serves to associate a Service Profile with an Application Profile and (optionally) a Security Handler Plug-in. A Service Domain specifies how applications are allowed to access services in Mobile and Social. Typically an organization should have one Service Domain for managing mobile apps, and a separate Service Domain for managing non-mobile apps. When creating a Service Domain you: ■ ■ ■ ■ Decide whether the Service Domain is for managing mobile applications or desktop applications. Choose an authentication scheme and, optionally, a Security Handler Plug-in for the Service Domain. Add one or more Mobile SSO Agents and configure which agents have priority over the others. Add one or more applications to the Service Domain and configure which can use a Mobile SSO Agent. ■ Choose at least one Service Profile for the Service Domain. ■ Configure security settings to protect the Service Domain services. Mobile and Social includes the following pre-configured Service Domains: ■ The Default (Service Domain) is pre-configured for non-mobile applications. ■ The Mobile Service Domain is pre-configured for mobile applications. Use one of these Service Domains as a template to create your own, or modify them to suit the needs of your organization. Only mobile authentication Service Profiles can be added to a mobile Service Domain. 49.3 Defining Service Providers A Service Provider is defined for each back-end service that is available to client applications. This configures how the Mobile and Social server will interface with the defined back-end Service Provider. Depending on the services that you are providing, you may only need to configure one or two of the available Service Provider options. For example, if you are only providing authentication services, you do not need to define the User Profile Service Provider or Authorization Service Provider. This section includes the following procedures: ■ Defining, Modifying or Deleting an Authentication Service Provider 49-4 Administrator's Guide for Oracle Access Management Defining Service Providers ■ Defining, Modifying or Deleting an Authorization Service Provider ■ Defining, Modifying or Deleting a User Profile Service Provider 49.3.1 Defining, Modifying or Deleting an Authentication Service Provider An Authentication Service Provider allows Mobile and Social to authenticate users, client applications, and access permissions using a back-end Authentication Service by way of a token exchange. Upon successful authentication and verification, a token may be returned to the client application. The following authentication types are supported. ■ ■ When installed with Access Manager, Mobile and Social supports JSON Web Tokens (JWT) and Access Manager (OAM) tokens. When installed without Access Manager, only the JSON Web Token (JWT) type is supported. See Section 48.1.2, "Deploying Mobile and Social" for information about deploying Mobile and Social with a Webgate. Note: The following sections contain more information regarding Authentication Service Providers. ■ Understanding the Pre-Configured Authentication Service Providers ■ Understanding the JWT-OAM Token Authentication Service Provider ■ Creating an Authentication Service Provider ■ Editing or Deleting an Authentication Service Provider ■ Requiring User Credentials to Exchange a JWT Token for an OAM Token ■ Configuring OAM to use the JWT-OAM + PIN Token Service Provider 49.3.1.1 Understanding the Pre-Configured Authentication Service Providers Mobile and Social provides pre-configured Authentication Service Providers for the Authentication Services listed in Table 49–1. For each token type (Access Manager and JWT), Mobile and Social provides separate "out-of-the-box" mobile and non-mobile (or desktop) Service Provider configurations. Separate configurations are provided so that you can optimize each to best meet the needs of each access mode. Mobile devices must use a mobile Service Provider, however, non-mobile devices can use either a mobile service provider or a non-mobile service provider if correct input is provided. Mobile Service Providers use Client Registration Handles to register mobile devices, whereas non-mobile Service Providers use Client Tokens to authenticate non-mobile devices. The Client Token capability in Mobile and Social can be disabled, but the Client Registration Handle capability cannot. Configuring Mobile and Social Services 49-5 Defining Service Providers Table 49–1 Pre-configured Authentication Service Providers Authentication Service Mobile and Social Service Provider Name Access Manager OAMAuthentication Description Provides pre-configured support for users using desktop devices to authenticate using Access Manager. This Service Provider can issue a Client Token, but it cannot register mobile devices. The following Java class implements this Service Provider: oracle.security.idaas.rest.provider.token.OAMSD KTokenServiceProvider Mobile Access Manager MobileOAMAuthentication Provides pre-configured support for users using mobile devices to authenticate using Access Manager. This Service Provider supports registering new devices using a Client Registration Handle when the User authenticates. The following Java class implements this Service Provider: oracle.security.idaas.rest.provider.token.Mobil eOAMTokenServiceProvider JSON Web Token JWTAuthentication Provides pre-configured support for users using non-mobile applications to authenticate using the JSON Web Token format. JSON Web Token is a compact token format that is suitable for space-constrained environments such as HTTP Authorization headers. This Service Provider can issue a Client Token, but it cannot register new devices using a Client Registration Handle. The following Java class implements this Service Provider: oracle.security.idaas.rest.provider.token.JWTTo kenServiceProvider Mobile JSON Web Token MobileJWTAuthentication Provides pre-configured support for users using mobile devices to authenticate using the Mobile JSON Web Token format. This Service Provider supports registering new devices using a Client Registration Handle. The following Java class implements this Service Provider: oracle.security.idaas.rest.provider.token.Mobil eJWTTokenServiceProvider 49-6 Administrator's Guide for Oracle Access Management Defining Service Providers Table 49–1 (Cont.) Pre-configured Authentication Service Providers Authentication Service Mobile and Social Service Provider Name JWT-OAM Token Provider JWTOAMAuthentication Mobile JWT-OAM Token Provider MobileJWTOAMAuthentication Allows lightweight, long-duration JWT tokens to be exchanged for OAM tokens. OAM tokens provide SSO and OAM resource access to clients. This provider allows users using mobile applications to get a new OAM token without having to provide credentials if they have a valid, long-duration JWT token. Social Identity Web Token InternetIdentityAuthentication Description Allows lightweight, long-duration JWT tokens to be exchanged for OAM tokens. OAM tokens provide SSO and OAM resource access to clients. This provider allows users using non-mobile applications to get a new OAM token without having to provide credentials if they have a valid, long-duration JWT token. Provides pre-configured support for apps using Mobile and Social Services to accept an authentication result from Social Identity (for example, Google, Facebook, Twitter, and so on). This Service Provider supports registering new devices using a Client Registration Handle. After the User authenticates with the Identity Provider, this Service Provider issues a User Token to the requesting client application. The User Token allows the User to obtain a Client Registration Handle for the device. This service uses the same Java class as the JSON Web Token service, but it is configured with two additional name-value attribute pairs. The following Java class implements this Service Provider: oracle.security.idaas.rest.provider.token.JWTTo kenServiceProvider 49.3.1.2 Understanding the JWT-OAM Token Authentication Service Provider The JWTOAMAuthentication and the MobileJWTOAMAuthentication Service Provider types require further explanation. The JWT-OAM token provider lets mobile and non-mobile clients use a JSON Web Token (JWT) to retrieve an OAM User token and an OAM Master token. Depending on your deployment, you may want to have a long-duration JWT token instead of one or more long-duration OAM tokens. A JWT token is lightweight and makes an ideal token to hold for a long duration. Using the JWT-OAM token exchange feature, your application authenticates the user with a user name and password, then obtains a JWT token, an OAM user token, and an OAM master token. You can configure the JWT token to have a very long duration compared to the duration of OAM tokens. Once the OAM tokens expire, clients use the still-valid long-duration JWT token to get OAM tokens again. The presence of OAM tokens can provide mobile and non-mobile clients with access to resources protected by Access Manager. Exchanging a JWT token for OAM tokens benefits the user, who does not need to provide credentials to get new OAM tokens to replace the expired tokens. As an added security measure, Mobile and Social can require users to enter an additional credential, such as a PIN, when using a JWT user token to get an OAM token. For details, see Section 49.3.1.5, "Requiring User Credentials to Exchange a JWT Token for an OAM Token." Configuring Mobile and Social Services 49-7 Defining Service Providers 49.3.1.3 Creating an Authentication Service Provider 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 2. Click Create in the Service Providers section and choose Create Authentication Service Provider. The Authentication Service Provider Configuration page displays. 3. Enter values for the Authentication Service Provider properties. ■ ■ ■ 4. Name - Type a unique name for this Authentication Service Provider. Description - (Optional) Type a short description that will help you or another Administrator identify this service in the future. Service Provider Java Class - Type the name of the Java class that implements this Authentication Service Provider. Add or delete Authentication Service Provider Attributes and their values based on either Table 49–2 (OAMAuthentication and the MobileOAMAuthentication Service Provider types), Table 49–4 (JWTAuthentication and the MobileJWTAuthentication Service Provider types), or Table 49–5 (JWT-OAM Authentication Service Provider Default Attributes). If you created a custom Authentication Service Provider, use the Attributes panel to further configure it. For the JWTAuthentication and MobileJWTAuthentication Service Providers, custom attributes are not used. Note: ■ Table 49–2 and Table 49–3 are specific to a Mobile and Social integration with Access Manager. The values in Table 49–2 apply to both the OAMAuthentication and the MobileOAMAuthentication Service Provider types. The values in Table 49–3 configure the Webgate agent. Table 49–2 Access Manager Authentication Service Provider Default Attributes Name Default Value Notes OAM_VERSION OAM_11G Either OAM_11G or OAM_10G, depending on the Oracle Access Manager version in use. DEBUG_VALUE 0 TRANSPORT_SECURITY OPEN Specify the method for encrypting messages between this AccessGate and the Access Servers. The encryption methods need to match. Valid values include: ■ OPEN ■ SIMPLE ■ CERT To update these settings, see Section 49.9.1.1, "Configuring Mobile and Social Services to Work With Access Manager in Simple and Certificate Mode." 49-8 Administrator's Guide for Oracle Access Management Defining Service Providers Table 49–2 (Cont.) Access Manager Authentication Service Provider Default Attributes Name Default Value Notes OAM_SERVER_1 localhost:5575 Specify the host name and port number of the primary Oracle Access Management server. OAM_SERVER_1_MAX_CONN 4 Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_ SERVER_1. The default value is 4. OAM_SERVER_2 oam_server_2:5575 Specify the host name and port number of the secondary Oracle Access Management server. OAM_SERVER_2_MAX_CONN 4 Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_ SERVER_2. The default value is 4. IDContextEnabled true Add this attribute with a value of true to enable Identity Context, as described in Section 55.5.7, "Configuring Oracle Access Management Mobile and Social." OAM_LOCAL_MODE true Specifies if Mobile and Social should use "local mode" or "remote mode" to communicate with the OAM server. If the attribute value is set to false, Mobile and Social communicates with OAM over TCP/IP. If set to true (or if this attribute is undefined), Mobile and Social uses a direct connection to communicate with OAM. Prior to version 11.1.2.3, Mobile and Social only communicated with OAM using TCP/IP (that is, remote mode). Now communication defaults to local, which is faster. To configure Mobile and Social to communicate with OAM 10g, set the OAM_LOCAL_MODE attribute to false. Table 49–3 Webgate Agent for Authentication Service Provider Default Attributes Name Default Value Type the Webgate agent name that identifies the Webgate instance to which you are connecting. Webgate ID Encrypted Password ■ Notes Copy and paste the encrypted password for the Webgate ID Locate the OAM-Domain-Directory/output/Profile-N ame/ObAccessClient.xml file and copy the encrypted password value located in the element ParamName=accessClientPasswd. Table 49–4 is specific to connecting a Mobile and Social server to JWT Authentication Service Providers. The configuration values in this section apply to both the JWTAuthentication and the MobileJWTAuthentication Service Provider types. Configuring Mobile and Social Services 49-9 Defining Service Providers Table 49–4 JWT Authentication Service Provider Default Attributes Name Default Value Notes Identity Directory Service Name Select from the menu the Directory Service that should be used to verify the User. The JWT token service verifies the user with a directory server. Crypto Scheme RS512 The cryptographic algorithm used to sign the contents of the JWT token. The default value is RS512. (RSA encryption using SHA-512 hash algorithm.) Validity Period 3600 The length of time in seconds that the token is considered to be valid. The default value is 3600. Relying Party Token Enabled Select Enabled if the Service Provider should accept security tokens from an external issuer. Issuer If Relying Party Token is enabled, specify the Security Token Service issuer Table 49–5 is specific to the JWTOAMAuthentication and the MobileJWTOAMAuthentication Service Provider types. Table 49–5 JWT-OAM Authentication Service Provider Default Attributes Name Default Value Notes OAM_VERSION OAM_11G Either OAM_11G or OAM_10G, depending on the Oracle Access Manager version in use. DEBUG_VALUE 0 TRANSPORT_SECURITY OPEN Specify the method for encrypting messages between this AccessGate and the Access Servers. The encryption methods need to match. Valid values include: ■ OPEN ■ SIMPLE ■ CERT OAM_SERVER_1 localhost:5575 Specify the host name and port number of the primary Oracle Access Management server. OAM_SERVER_1_MAX_CONN 4 Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_ SERVER_1. The default value is 4. OAM_SERVER_2 oam_server_2:5575 Specify the host name and port number of the secondary Oracle Access Management server. OAM_SERVER_2_MAX_CONN 4 Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_ SERVER_2. The default value is 4. 49-10 Administrator's Guide for Oracle Access Management Defining Service Providers Table 49–5 (Cont.) JWT-OAM Authentication Service Provider Default Attributes Name Default Value user.Authenticator ■ ■ Notes Default value for JWTOAMAuthent ication provider: oracle.securi ty.idaas.rest .provider.tok en.OAMSDKToke nServiceProvi der Optional. Specify which of two available authenticators to use for user authentication. ■ ■ Default value for MobileJWTOAMA uthentication provider: oracle.securi ty.idaas.rest .provider.tok en.JWTTokenSe rviceProvider For OAM Authentication: oracle.security.idaas.rest.prov ider.token.OAMSDKTokenServicePr ovider For IDS Authentication: oracle.security.idaas.rest.prov ider.token.JWTTokenServiceProvi der UserAuthenticationInput UIDPASSWORD Specify how the client application should authenticate the user. The only supported value is UIDPASSWORD. UserAuthenticationOutput USERTOKEN Specify all possible token types that the client application will receive if user authentication is successful. Configure this parameter with any combination of the following: ■ USERTOKEN::JWTUT ■ USERTOKEN::OAMUT ■ USERTOKEN::OAMMT JWTUT specifies the JWT-type user token. OAMUT specifies the OAM-type user token. OAMMT specifies the OAM-type master token. If no value is supplied, all three token types are assumed. TokenExchangeInput JWT_UT+CRED Specifies what is required to exchange a JWT type user token for an OAM token. Configure this parameter with one of the following: ■ JWT_UT ■ JWT_UT+CRED JWT_UT specifies that a JWT type user token is required to get OAM tokens. JWT_UT+CRED specifies that, in addition to a JWT user token, an additional credential such as a personal identification number is required to get OAM tokens. If no value is supplied, the token exchange feature is disabled. Configuring Mobile and Social Services 49-11 Defining Service Providers Table 49–5 (Cont.) JWT-OAM Authentication Service Provider Default Attributes Name Default Value Notes TokenExchangeOutput USERTOKEN::OAMUT, USERTOKEN::OAMMT Configure this parameter with any combination of the following: ■ USERTOKEN::OAMUT ■ USERTOKEN::OAMMT OAMUT specifies the OAM type user token. OAMMT specifies the OAM type master token. OAM_LOCAL_MODE true Specifies if Mobile and Social should use "local mode" or "remote mode" to communicate with the OAM server. If the attribute value is set to false, Mobile and Social communicates with OAM over TCP/IP. If set to true (or if this attribute is undefined), Mobile and Social uses a direct connection to communicate with OAM. Prior to version 11.1.2.3, Mobile and Social only communicated with OAM using TCP/IP (that is, remote mode). Now communication defaults to local, which is faster. To configure Mobile and Social to communicate with OAM 10g, set the OAM_LOCAL_MODE attribute to false. 5. Click Create to create the Service Provider configuration object. 49.3.1.4 Editing or Deleting an Authentication Service Provider To edit or delete an Authentication Service Provider, select the Service Provider in the panel and click Edit or Delete on the panel's tool bar. 49.3.1.5 Requiring User Credentials to Exchange a JWT Token for an OAM Token As an added security measure, Mobile and Social can require users to enter an additional credential, such as a PIN, when using a JWT user token to get an OAM token. To enable the user PIN requirement, specify the JWT_UT+CRED parameter as described in Table 49–5 when configuring the TokenExchangeInput attribute. To use this feature, the user PIN or other credential must be present in the user entry in the directory server. Mobile and Social does not put restrictions on credential values; it simply validates the credential value submitted by the user with the value present in the user entry. For security reasons, user credentials should be saved as hashed attributes. See Section 49.3.1.6, "Configuring OAM to use the JWT-OAM + PIN Token Service Provider" for the steps required to get this configuration to work. 49.3.1.6 Configuring OAM to use the JWT-OAM + PIN Token Service Provider 1. Open your directory server and extend the LDAP Schema for the PIN Attribute. After the LDAP schema change, you can add new users and modify existing users to have a PIN value. a. Create the PIN attribute. See Figure 49–1 for an example using Oracle Directory Services Manager (ODSM) and Oracle Unified Directory (OUD). 49-12 Administrator's Guide for Oracle Access Management Defining Service Providers Figure 49–1 Using ODSM to create the PIN attribute in OUD b. Create a PINPERSON object class. See Figure 49–2 for an example using Oracle Directory Services Manager (ODSM). Configuring Mobile and Social Services 49-13 Defining Service Providers Figure 49–2 Using ODSM to create the pinperson object class 2. Using the OAM Console, create a new IdentityStore for the external LDAP server that you extended to use the PIN attribute. a. Log in to the OAM Console and click Configuration at the top of the window. b. Click User Identity Stores. c. Click the Create button to create a new IdentityStore in OAM ID Stores. See Figure 49–3 for details. 49-14 Administrator's Guide for Oracle Access Management Defining Service Providers Figure 49–3 Using the OAM Console to create an IdentityStore 3. Add a new OAM authentication module for the new Identity Store. a. In the OAM console, click Application Security at the top of the window. b. Select Create Custom Authentication Module from the Create (+) drop-down menu in the Plug-ins section. c. On the General tab, type a Name--for example, PINBasedUserPlugin. d. On the Steps tab, type the following values: Step Name: UI Plug-in Name: UserIdentificationPlugIn Plug-in Parameters: - KEY_LDAP_FILTER: (&(uid={KEY_USERNAME})(pin={cred})) - KEY_IDENTITY_STORE_REF: OUDIdentityStore (This data store has to be added first to do this step.) Configuring Mobile and Social Services 49-15 Defining Service Providers - KEY_SEARCH_BASE_URL: ou=users,dc=ngam,dc=oracle,dc=com e. 4. On the Steps Orchestration tab, choose UI from the Initial Step menu. Add a new authentication scheme. a. In the OAM console, click Application Security at the top of the window. b. Select Create Authentication Scheme from the Create (+) drop-down menu in the Access Manager section. c. Complete the form: Name: PINBasedUserAuthNScheme Authentication Level: 3 Challenge Method: FORM Authentication Module: Choose the authentication module you created in the previous step--for example, PINBasedUserPlugin. 5. 6. 7. 8. Change the authentication policy to use the new authentication scheme. a. In the OAM console, click Application Security at the top of the window. b. Click Application Domains in the Access Manager section. c. FInd the IAM Suite domain and open the OICTokenExchangePolicy policy. d. From the Authentication Scheme drop-down menu, choose PINBasedUserAuthNScheme. Configure the (Mobile) JWTOAMAuthenticationProvider. a. In the OAM console, click Mobile Security at the top of the window. b. Click Mobile and Social Services. c. Open the MobileJWTOAMAuthentication service provider for editing. d. From the Identity Directory Service Name drop-down menu, choose the directory service that points to the IdentityStore you created in step 2. e. If a desktop (or non-mobile) service is required, repeat steps a and b to configure the JWTOAMAuthentication provider. Create an application profile. a. In the OAM console, click Mobile Security at the top of the window. b. Click Mobile and Social Services. c. In the Application Profiles section, click the Create button and create a new application profile (for example, mobileapp1). Update the MobileServiceDomain. a. In the OAM console, click Mobile Security at the top of the window. b. Click Mobile and Social Services. c. In the Service Domains section, find the MobileServiceDomain domain and open it for editing. d. In the Application Profiles section (subtab), add the application profile you created in the previous step (mobileapp1). e. Click the Service Profiles subtab to open it and change the Authentication Service to MobileJWTOAMAuthentication. 49-16 Administrator's Guide for Oracle Access Management Defining Service Providers 49.3.2 Defining, Modifying or Deleting an Authorization Service Provider An Authorization Service Provider allows a back-end Identity service to make authorization decisions on behalf of a connected application. This section contains the following topics about Authorization Service Providers. ■ Creating an Authorization Service Provider ■ Editing or Deleting an Authorization Service Provider ■ Understanding the Pre-Configured Authorization Service Provider 49.3.2.1 Creating an Authorization Service Provider 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 2. Click Create in the Service Providers section and choose Create Authorization Service Provider. The Authorization Service Provider Configuration page displays. 3. Enter values for the Authorization Service Provider properties. ■ ■ ■ 4. Name - Type a unique name for this Authorization Service Provider. Description - (Optional) Type a short description that will help you or another Administrator identify this service in the future. Service Provider Java Class - Type the name of the Java class that implements this Authorization Service Provider. Add or delete Authorization Service Provider Attributes and their values based on Table 49–6. Table 49–6 Access Manager Authorization Service Provider Default Attributes Name Value Notes OAM_VERSION OAM_11G Either OAM_11G or OAM_10G, depending on the Oracle Access Manager version in use. DEBUG_VALUE 0 TRANSPORT_SECURITY OPEN Specify the method for encrypting messages between this AccessGate and the Access Servers. The encryption methods need to match. Valid values include: ■ OPEN ■ SIMPLE ■ CERT OAM_SERVER_1 localhost:5575 Specify the host name and port number of the primary Oracle Access Management server. OAM_SERVER_1_MAX_CONN 4 Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_ SERVER_1. The default value is 4. OAM_SERVER_2 oam_server_2:5575 Specify the host name and port number of the secondary Oracle Access Management server. Configuring Mobile and Social Services 49-17 Defining Service Providers Table 49–6 (Cont.) Access Manager Authorization Service Provider Default Attributes Name Value Notes OAM_SERVER_2_MAX_CONN 4 Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_ SERVER_2. The default value is 4. 5. Configure the Webgate agent by creating a new agent or entering values for an existing agent as per Table 49–7. The Webgate agent configuration values are specific to the integration between Mobile and Social Services and Access Manager. Table 49–7 Webgate Agent for Authorization Service Provider Default Attributes Name Value Type the Webgate agent name that identifies the Webgate instance to which you are connecting. Webgate ID Encrypted Password 6. Notes Copy and paste the encrypted password for the Webgate ID Locate the OAM-Domain-Directory/output/Profile-N ame/ObAccessClient.xml file and copy the encrypted password value located in the element ParamName=accessClientPasswd. Click Create to create the Service Provider configuration object. 49.3.2.2 Editing or Deleting an Authorization Service Provider To edit or delete an Authorization Service Provider, select the Service Provider in the panel and click Edit or Delete on the panel's tool bar. 49.3.2.3 Understanding the Pre-Configured Authorization Service Provider Mobile and Social provides a pre-configured Authorization Service Provider for Access Manager named the OAMAuthorization Authorization Service Provider. The oracle.security.idaas.rest.provider.authorization.OAMSDKAuthZServiceProvid er Java class implements the pre-configured Authorization Service Provider. 49.3.3 Defining, Modifying or Deleting a User Profile Service Provider A User Profile Service Provider allows an application to query and update a directory server. Many LDAP compliant directory servers are supported including: ■ Microsoft Active Directory ■ Novell eDirectory ■ Oracle Directory Server Enterprise Edition ■ Oracle Internet Directory ■ Oracle Unified Directory ■ Oracle Virtual Directory (using the Oracle Internet Directory template) ■ OpenLDAP ■ IBM Tivoli Directory Server (using the OpenLDAP template) 49-18 Administrator's Guide for Oracle Access Management Defining Service Providers ■ WebLogic Server Embedded LDAP Mobile and Social includes a pre-configured User Profile Service Provider that your organization can use, or you can create your own. Before you can create a User Profile Service Provider you must first create an Identity Directory Service profile. The Identity Directory Service (IDS) is a flexible service used by Access Manager as the means for accessing multiple identity data stores. For more information about the Identity Directory Service, see Section 5.3, "Managing the Identity Directory Service User Identity Stores." The following sections contain more information about User Profile Service Providers. ■ Creating a User Profile Service Provider ■ Editing or Deleting a User Profile Service Provider ■ Understanding the Pre-Configured User Profile Service Provider 49.3.3.1 Creating a User Profile Service Provider 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 2. Click Create in the Service Providers section and choose Create User Profile Service Provider. The Service Provider Configuration page displays. 3. Enter values for the User Profile Service Provider properties. ■ ■ 4. Name - Type a unique name for this User Profile Service Provider. Description - (Optional) Type a short description that will help you or another Administrator identify this service in the future. Add or delete User Profile Service Provider Attributes and their values based on Table 49–8. Note: LDAP attribute names are generally not case sensitive but when communicating with the Oracle Identity Governance Framework (IGF), LDAP attribute names are case sensitive. Table 49–8 User Profile Service Provider Default Attribute Names and Values Name Value Notes accessControl false Supported values include true or false (enable/disable, respectively) depending on whether the accessControl feature is to be disabled or enabled. adminGroup cn=Administrators,ou=groups, If accessControl is enabled, specify the ou=myrealm,dc=base_domain distinguished name (DN) of the adminGroup to see if the User is in it. selfEdit true Supported values include true or false depending on if the User can edit his or her profile for the accessControl feature. This is also one of the accessControl feature's configuration properties. Configuring Mobile and Social Services 49-19 Defining Service Providers Table 49–8 (Cont.) User Profile Service Provider Default Attribute Names and Values Name Value Notes proxyAuth - Supported values include true or false depending on if the proxyAuth feature is enabled or disabled, respectively. This attribute is required only if proxyAuth is supported and the Administrator does not want to use the proxyAuth feature. This attribute is not included in a new installation of Mobile and Social. An Administrator can add this property. 5. In the Identity Directory Service section, choose from the Name menu the Identity Directory Service profile to use with this User Profile Service Provider. ■ ■ ■ 6. To create an Identity Directory Service profile, see Section 5.3.2, "Creating an Identity Directory Service Profile." If you choose either of the default Identity Directory Services (userrole or idxuserrole) you can't view or edit the configuration values in this section. If you choose an Identity Directory Service connection that you or another administrator created, select the View option to view and edit additional properties as documented in Section 49.3.3.2, "Editing or Deleting a User Profile Service Provider." Click Create to create the Service Provider configuration object. 49.3.3.2 Editing or Deleting a User Profile Service Provider To edit or delete a User Profile Service Provider, select the Service Provider in the panel and click Edit or Delete on the panel's tool bar. This section describes the additional User Profile Service Provider Configuration properties for the Identity Directory Service connection as they appear when editing a User Profile Service Provider that you or another Administrator created. Name - The name of this User Profile Service Provider. Description - (Optional) Type a short description that will help you or another Administrator identify this service in the future. Attributes Add or delete User Profile Service Provider Attributes and their values based on Table 49–8. Note: LDAP attribute names are generally not case sensitive but when communicating with the Oracle Identity Governance Framework (IGF), LDAP attribute names are case sensitive. Table 49–9 User Profile Service Provider Default Attribute Names and Values Name Default Value Notes accessControl false Supported values include true or false (enable/disable, respectively) depending on whether the accessControl feature is to be disabled or enabled. 49-20 Administrator's Guide for Oracle Access Management Defining Service Providers Table 49–9 (Cont.) User Profile Service Provider Default Attribute Names and Values Name Default Value Notes adminGroup cn=Administrators,ou=groups, If accessControl is enabled, specify the ou=myrealm,dc=base_domain distinguished name (DN) of the adminGroup to see if the User is in it. selfEdit true Supported values include true or false depending on if the User can edit his or her profile for the accessControl feature. This is also one of the accessControl feature's configuration properties. proxyAuth true Supported values include true or false depending on if the proxyAuth feature is enabled or disabled, respectively. This attribute is required only if proxyAuth is supported and the Administrator does not want to use the proxyAuth feature. This attribute is not included in a new installation of Mobile and Social. An Administrator can add this property. Identity Directory Service Name - The Identity Directory Service profile that connects the User Profile Service Provider to one or more directory servers. For more information about the Identity Directory Service, see Section 5.3, "Managing the Identity Directory Service User Identity Stores." ■ ■ If either of the default Identity Directory Services are selected (either userrole or idxuserrole) you cannot view or edit the configuration values. If an Identity Directory Service connection that you or another Administrator created is selected, you can view and edit the configuration values as needed. Relationship Configuration Type the URI segment used to access the corresponding column in the Identity Directory Service. Use Add to add a new relationship or Remove to remove a configured relationship. ■ Access URI - Type a URI segment that will be used to access a corresponding data column in the Identity Directory service. For example, if memberOf is the Access URI, then: http://host:port/.../idX/memberOf would be the URI to access related entities of an entity with ID idX. ■ ■ Identity Directory Service Relation - Choose the Directory Service relationship that is to be accessed by the Access URI segment. You can configure relationships on the Relationships tab in the Identity Directory Service configuration section provided that the Identity Directory Service is not the pre-configured UserProfile Identity Provider. (You cannot configure Identity Directory Service relationships for the UserProfile Service Provider.) Entity URI Attribute - Type the JSON attribute name to be used in the URI response sent from the Mobile and Social server. For example, if person-uri is the specified entity URI attribute, the URI response would be as follows: { {"person-uri":uriY1, ...}, {"person-uri":uriY2, ...}, ... } Configuring Mobile and Social Services 49-21 Defining Service Profiles where uriY1 and uriY2 are the direct URIs to access each of the related entities. ■ Scope for Requesting Recursion - Use Scope attribute values with the scope query parameter to retrieve a nested level of attributes in a relationship search. To access related entities recursively, type the value to be used. The Mobile and Social default configuration uses two scope attribute values: toTop and all. If the Scope for Requesting Recursion value is the attribute value all, then the following REST URI example is used to make the request: http://host:port/.../idX/reports?scope=all In this example, the URI returns the entities related to the entity with ID idX, as well as all further related entities. 49.3.3.3 Understanding the Pre-Configured User Profile Service Provider Mobile and Social provides a pre-configured User Profile Service Provider for LDAP-compliant directory servers named UserProfile. This Service Provider allows lookup and update tasks to be performed on directory objects using Mobile and Social. 49.4 Defining Service Profiles A Service Profile defines a Service Endpoint URL for a Service Provider on the Mobile and Social server. Each Service Provider instance requires at least one corresponding Service Profile instance. You can create multiple Service Profiles for a single Service Provider; each Service Profile will define different token capabilities and service endpoints for the Service Provider. One Service Profile can be assigned to multiple Service Domains. In general, mobile Service Profiles should be assigned to mobile Service Domains, and non-mobile Service Profiles should be assigned to non-mobile Service Domains. See Section 49.7, "Defining Service Domains." Note: Create one or more Service Profiles after creating the required Service Provider(s). This section covers the following topics: ■ Defining, Modifying and Deleting an Authentication Service Profile ■ Defining, Modifying and Deleting an Authorization Service Profile ■ Defining, Modifying and Deleting a User Profile Service Profile 49.4.1 Defining, Modifying and Deleting an Authentication Service Profile The following sections contain information regarding Authentication Service Profiles. ■ Creating an Authentication Service Profile ■ Editing or Deleting an Authentication Service Profile 49.4.1.1 Creating an Authentication Service Profile 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 2. Click Create in the Service Profiles section and choose Create Authentication Service Profile. 49-22 Administrator's Guide for Oracle Access Management Defining Service Profiles The Authentication Service Profile Configuration page displays. 3. Enter values for the Authentication Service Profile general properties. Table 49–10 Authentication Service Profile Default General Properties Name Notes Name Type a unique name for this Authentication Service Profile. Description (Optional) Type a short description that will help you or another Administrator identify this service in the future. Service Type Shows the type of Service Profile that you are creating (either a User Profile Service, an Authentication Service, or an Authorization Service).The value is read-only. Service Endpoint Create a unique uniform resource identifier (URI) address for this service by typing a string in the box; for example, localhost:5575. ■ ■ ■ If creating an Authentication Service Profile, the URI Category Information section shows the URIs that will be created to create, validate, manage, and delete the Profile's client, user, and Access Tokens, as well as the "Client Registration Handle" URI that is used to register devices. If creating an Authorization Service Profile, the URI Category Information section shows the authorization URI category that will be created on the Service. If creating a User Profile Service Profile, the URI Category Information section shows the URI categories that will be created on the Service (one URI to manage Users, and another to manage Groups). Service Provider Choose the Service Provider on which this Service Profile should be based. The contents of this list are determined by the Service Type. A Service Provider must be defined before you can create a corresponding Service Profile. Service Enabled Select the box to enable the service; clear the box to disable. 4. Select an option under Token Support and URI Category Information to enable support for the token type on the service, or clear the option box to disable support for the token type on the service. Token Support applies to Authentication Service Profiles only. The corresponding uniform resource identifier (URI) is listed alongside each token type. Table 49–11 Token Support and URI Category Information Default Properties Name Notes Client Registration Handle Required for mobile token services so that the client device can register with the Mobile and Social server. The server issues a Client Registration Handle after authenticating the user. When OAAM and its Security Handler Plug-in is used in conjunction with a mobile Authentication Service, the Plug-in can run fraud detection and risk analysis policy checks, enhancing authenticity and the trust level of a client. To add an Authentication Service Profile to a mobile Service Domain, Client Registration Handle must be enabled. Client Registration Handles are not used in non-mobile Service Domains. Client Token Select to enable Client Tokens on the Service. A Client Token is a security grant issued by the Mobile and Social server to prove that a non-mobile device or client is authenticated. The server issues a Client Token after authenticating the client based on a name and password or other credentials. Client Tokens are optional in non-mobile Service Domains. They are not used in mobile Service Domains. Configuring Mobile and Social Services 49-23 Defining Service Profiles Table 49–11 (Cont.) Token Support and URI Category Information Default Properties Name Notes User Token Select to enable User Tokens on the Service. A User Token is a security grant issued by the Mobile and Social server to prove that a user is authenticated. A User Token can be used to request an Access Token. Access Token Select to enable Access Tokens on the Service. An Access Token is a security grant issued by the Mobile and Social server so that a client application can access a specific protected resource. A client application can get an Access Token by presenting a User Token, provided that the user is authorized to access the resource. 5. Click Create to create the Service Profile configuration object. 49.4.1.2 Editing or Deleting an Authentication Service Profile To edit or delete an Authentication Service Profile, select the Service Profile in the panel and click Edit or Delete on the panel's tool bar. 49.4.2 Defining, Modifying and Deleting an Authorization Service Profile The following sections contain information regarding Authentication Service Profiles. ■ Creating an Authorization Service Profile ■ Editing or Deleting an Authorization Service Profile 49.4.2.1 Creating an Authorization Service Profile 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 2. Click Create in the Service Profiles section and choose Create Authorization Service Profile. The Authorization Service Profile Configuration page displays. 3. Enter values for the Authorization Service Profile general properties. Table 49–12 Authorization Service Profile Default General Properties Name Notes Name Type a unique name for this Authorization Service Profile. Description (Optional) Type a short description that will help you or another Administrator identify this service in the future. Service Type Shows the type of Service Profile that you are creating (either a User Profile Service, an Authentication Service, or an Authorization Service).The value is read-only. 49-24 Administrator's Guide for Oracle Access Management Defining Service Profiles Table 49–12 (Cont.) Authorization Service Profile Default General Properties Name Notes Service Endpoint Create a unique uniform resource identifier (URI) address for this service by typing a string in the box; for example, localhost:5575. ■ ■ ■ If creating an Authentication Service Profile, the URI Category Information section shows the URIs that will be created to create, validate, manage, and delete the Profile's client, user, and Access Tokens, as well as the "Client Registration Handle" URI that is used to register devices. If creating an Authorization Service Profile, the URI Category Information section shows the authorization URI category that will be created on the Service. If creating a User Profile Service Profile, the URI Category Information section shows the URI categories that will be created on the Service (one URI to manage Users, and another to manage Groups). Service Provider Choose the Service Provider on which this Service Profile should be based. The contents of this list are determined by the Service Type. A Service Provider must be defined before you can create a corresponding Service Profile. Service Enabled Select the box to enable the service; clear the box to disable. 4. Click Create to create the Service Profile configuration object. 49.4.2.2 Editing or Deleting an Authorization Service Profile To edit or delete an Authorization Service Profile, select the Service Profile in the panel and click Edit or Delete on the panel's tool bar. 49.4.3 Defining, Modifying and Deleting a User Profile Service Profile The following sections contain information regarding Authentication Service Profiles. ■ Creating a User Profile Service Profile ■ Editing or Deleting a User Profile Service Profile 49.4.3.1 Creating a User Profile Service Profile 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 2. Click Create in the Service Profiles panel in the home area and choose Create User Profile Service Profile. The User Profile Service Profile Configuration page displays. 3. Enter values for the User Profile Service Profile general properties. Table 49–13 User Profile Service Profile Default General Properties Name Notes Name Type a unique name for this Authorization Service Profile. Description (Optional) Type a short description that will help you or another Administrator identify this service in the future. Service Type Shows the type of Service Profile that you are creating (either a User Profile Service, an Authentication Service, or an Authorization Service).The value is read-only. Configuring Mobile and Social Services 49-25 Defining Security Handler Plug-ins Table 49–13 (Cont.) User Profile Service Profile Default General Properties Name Notes Service Endpoint Create a unique uniform resource identifier (URI) address for this service by typing a string in the box; for example, localhost:5575. ■ ■ ■ If creating an Authentication Service Profile, the URI Category Information section shows the URIs that will be created to create, validate, manage, and delete the Profile's client, user, and Access Tokens, as well as the "Client Registration Handle" URI that is used to register devices. If creating an Authorization Service Profile, the URI Category Information section shows the authorization URI category that will be created on the Service. If creating a User Profile Service Profile, the URI Category Information section shows the URI categories that will be created on the Service (one URI to manage Users, and another to manage Groups). Service Provider Choose the Service Provider on which this Service Profile should be based. The contents of this list are determined by the Service Type. A Service Provider must be defined before you can create a corresponding Service Profile. Service Enabled Select the box to enable the service; clear the box to disable. 4. Click Create to create the Service Profile configuration object. 49.4.3.2 Editing or Deleting a User Profile Service Profile To edit or delete a User Profile Service Profile, select the Service Profile in the panel and click Edit or Delete on the panel's tool bar. 49.5 Defining Security Handler Plug-ins A Security Handler Plug-in enhances security by consulting additional logic for trust and risk analysis. Such additional logic may deny access based on certain risky operations. Mobile authentication invokes the Security Handler Plug-in during sensitive security operations; for example, during virtually all token acquisition operations including client application registration. Security Plug-in usage is optional. If used, it should only be applied to mobile-related Service Domains and its authentication services and client applications. Note: Mobile and Social includes the following pre-configured Security Handler Plug-ins. ■ ■ OAAMSecurityHandlerPlugin enables sophisticated device and client application registration logic as well as the advanced risk and fraud analysis logic found in OAAM. Default offers very limited risk analysis logic. The following sections contain information regarding defining Security Handler Plug-ins. ■ Creating a Security Handler Plug-in ■ Editing or Deleting a Security Handler Plug-in 49-26 Administrator's Guide for Oracle Access Management Defining Security Handler Plug-ins ■ Device Fingerprinting and Device Profile Attributes 49.5.1 Creating a Security Handler Plug-in 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 2. Click Create in the Security Handler Plug-ins section. The Security Handler Plug-in Configuration page displays. 3. Enter values for the Security Handler Plug-in general properties. Table 49–14 Security Handler Plug-in General Properties Name Notes Name Type a unique name for this Authorization Service Profile. Description (Optional) Type a short description that will help you or another Administrator identify this service in the future. Security Handler Class Choose the Java class that defines the Security Handler Plug-in that you want to use. This release of Mobile and Social supports two Security Handler Plug-ins, the DefaultSecurityHandlerPlugin and the OAAMSecurityHandlerPlugin. 4. Enter name-value pairs for the Security Handler Plug-in Attributes. ■ ■ 5. For descriptions of the OaamSecurityHandlerPlugin attributes, see Section 49.9.2.7.3, "Setting Up OTP E-Mail Integration." The DefaultSecurityHandlerPlugin has a single attribute setting, allowJailBrokenDevices. This specifies if jail-broken client devices should be allowed or denied access to protected resources. Set the attribute's value to false to deny access (default setting) or set it to true to allow access. The OAAMSecurityHandlerPlugin does not need to be configured for jailbreak enforcement. See Section 49.8.1, "Adding a New Jailbreak Detection Policy," for more information. Click Create to create the Security Handler Plug-in configuration object. 49.5.2 Editing or Deleting a Security Handler Plug-in To edit or delete a Security Handler Plug-in, select the definition in the panel and click Edit or Delete on the panel's tool bar. 49.5.3 Device Fingerprinting and Device Profile Attributes When a mobile application is started, Mobile Client SDK logic in the application will attempt to detect a number of Device Profile attributes. Some Device Profile attributes are general attributes that cannot uniquely identify a device, such as OS Type, OS Version, language locale setting, network setting, and geographic location. Some attributes are hardware identifiers that can uniquely identify a device. An example of a hardware identifier is a MAC Address on a mobile device. The mobile OS type and version will dictate the kinds of Device Profile attributes that can be detected. When a mobile application requests a token through the Mobile Client SDK, the SDK logic will send the Device Profile attributes as a part of an HTTP request. This set of Device Profile attributes enhances security by creating an audit trail for devices that assists device identification. Configuring Mobile and Social Services 49-27 Defining Application Profiles When the OAAM Security Plug-in is used, a particular combination of Device Profile attribute values is treated as a device finger print, known as the Digital Finger Print in the OAAM Administration Console. Each finger print is assigned a unique fingerprint number. Each OAAM session is associated with a finger print and the finger print makes it possible to log (and audit) the devices that are performing authentication and token acquisition. 49.6 Defining Application Profiles An Application Profile defines the client application that will consume services provided by the Service Providers. A single Application Profile can be assigned to multiple Service Domains. More information can be found in the following sections. ■ Creating an Application Profile ■ Editing or Deleting an Application Profile 49.6.1 Creating an Application Profile 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 2. Click Create in the Application Profiles section. The Application Profiles Configuration page displays. 3. Enter values for the Application Profile general properties. Table 49–15 Application Profile General Properties Name Notes Name The value must be a unique one that distinguishes the application from all other applications on the server. This value and the application name value embedded in the client application must match. Description (Optional) Type a short description that will help you or another Administrator identify this service in the future. 4. Enter name-value pairs for the attributes used by the Mobile and Social server to perform server functions for this application; for example, creating a Client Registration Handle. ■ ■ ■ 5. Mobile.clientRegHandle.baseSecret is a mandatory attribute used by the server as a private secret to sign each Client Registration Handle for this application. userId4BasicAuth is the user ID attribute used by the server and the application to perform HTTP Basic authentication. For more information see Section 48.4.1, "Protecting the Mobile Client Registration Endpoint." sharedSecret4BasicAuth is the shared secret attribute used by the server and application to perform HTTP Basic authentication. Define the Mobile Application Profile properties. ■ Jailbreak Detection - Select the Enabled box to activate Jailbreak Detection for this application, or clear the box to disable it. If Jailbreak Detection is grayed out, the Jailbreak Detection Policy is disabled in Mobile and Social. For more information, see Section 49.8, "Using the Jailbreak Detection Policy." 49-28 Administrator's Guide for Oracle Access Management Defining Application Profiles ■ 6. Mobile Configuration - Select this option to expose additional mobile configuration settings on the Application Profile Configuration page. Click Create to create the Application Profile configuration object. See Section 49.6.2, "Editing or Deleting an Application Profile" for information on properties that can be configured only after the Application Profile is created. 49.6.2 Editing or Deleting an Application Profile To edit or delete an Application Profile, select the definition in the panel and click Edit or Delete on the panel's tool bar. This section describes additional Application Profile properties as they appear when editing a User Profile Service Provider that you or another Administrator previously created. ■ ■ Configuration Settings – Profile Cache Duration - The maximum amount of time that the Application Profile details cached on the mobile device will remain valid. If the time is elapsed when the mobile client application requests the Application Profile, the cached Profile is replaced with a freshly downloaded version. If the time is not elapsed, the cached Profile is used. – Authentication Retry Count - The maximum number of retries that a User is allowed if invalid credentials are provided during registration/authentication. This setting is not honored in the iOS Mobile SDK. – Offline Authentication - Select the Allowed box to allow users to log in and authenticate to the application locally. Clear the box to block users from authenticating locally. – Claim Attributes - The set of attributes that will be fetched from the device and passed to the server during registration/authentication. – Social Identity WebView - Choose Embedded if users should be presented with the Mobile and Social login page inside the application using the embedded WebView class, or choose External if the login page should be presented in an external browser. Platform Specific Settings – URL Scheme - Type the URL scheme that is used to invoke this mobile client application, as configured in the application itself. – Apple iOS Bundle ID - Type the unique Bundle ID that is configured in the mobile client application. Each iOS mobile application has a unique Bundle ID. – Android Package - Type the fully qualified name of an activity in the Android application. This activity should have in its . Note: The scheme (xyz) should be the same as the URL scheme. For details regarding the element, please see the following web page: http://developer.android.com/guide/topics/manifest/data-element.htm l – Android Application Signature - Enter the signature of the Android application. You can obtain the signature from the certificate with which the Configuring Mobile and Social Services 49-29 Defining Service Domains application is signed. On Linux, you can obtain the signature using the following command: keytool -exportcert -alias -keystore -storepass | xxd -c 256 -ps The signature obtained using the above command will have a carriage return after 256 characters. Remove it before entering the signature in this field. Note: You can also retrieve the signature programmatically. For details, see "Invoking the Mobile Single Sign-on Agent App" in the Developer's Guide for Oracle Access Management. ■ Custom Settings / Mobile Custom Attributes - Configure attributes or properties specific to the mobile client application. Mobile Custom Attributes are returned by the server to the mobile application as part of the Application Profile 49.7 Defining Service Domains Create a Service Domain to associate Service Profiles with Application Profiles and the corresponding configuration settings. When the Create Service Domain page is displayed, you can: ■ ■ ■ ■ Choose if the Service Domain is for managing mobile applications or desktop applications. Choose an authentication scheme and, optionally, a Security Handler Plug-in for the Service Domain. Add one or more Mobile SSO Agents to the Service Domain and configure which agents have priority over others. Add one or more applications to the Service Domain and configure which applications can use a Mobile SSO Agent. ■ Choose at least one Service Profile for the Service Domain. ■ Configure security settings to protect the Service Domain's selected services. More information can be found in the following sections. ■ Creating a Service Domain ■ Editing or Deleting a Service Domain 49.7.1 Creating a Service Domain 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 2. Click Create in the Service Domains panel in the home area. The Create Service Domain Configuration page displays. 3. Enter values for the Service Domain general properties. Table 49–16 Service Domain General Properties Name Notes Name Type a unique name for this Service Domain. 49-30 Administrator's Guide for Oracle Access Management Defining Service Domains Table 49–16 (Cont.) Service Domain General Properties Name Notes Description (Optional) Type a short description that will help you or another Administrator identify this service in the future. Type Choose Mobile Application or Desktop Application. A mobile application is an application that runs on a mobile operating system, such as the Android or iOS operating systems. A desktop application is an application that runs on a non-mobile operating system. Credential for Registering an Application If configuring a mobile Service Domain, choose the minimum credential level required to register an application. If you choose User Password, the server will prompt the User for a user name and password every time an application is registered, even if a mobile single sign-on agent is installed on the device. If you choose User Token, the server asks the mobile SSO agent to provide the User name and password. Subsequent application registrations on that device then will use the User Token issued to the mobile SSO agent for that purpose. User Password provides added security around the application registration process. User Token makes the application registration process more convenient for the User. Authentication Scheme If configuring a mobile Service Domain, choose Mobile Service Authentication or Social Identity Authentication. If you choose Mobile Service Authentication, the client will prompt the User for a User name and password. If you choose, Social Identity Authentication, the client will redirect to the Mobile and Social server and the User will use Social Identity to authenticate with an Identity Provider, for example Google or Facebook. This selection determines which Authentication Service Profiles you can choose on the Service Profile Selection configuration screen. Security Handler Plug-in Name Security Handler Plug-in Name - If configuring a mobile Service Domain, choose the Security Handler Plug-in to use. For information about the available Security Handler Plug-ins, see Section 49.2.3, "Understanding Security Handler Plug-ins." 4. Use one or all of the following options to add or select Application Profiles. If configuring a mobile domain, only mobile apps can be selected. Similarly, if configuring a non-mobile domain, only desktop apps can be selected a. Click Browse Application Profiles (under Application Profile Selection) to open a Search window from which you can search for one or more previously configured Application Profiles to add to the Service Domain. Select the Profiles to add and click Select. b. Alternately, if you know the exact name of the Application Profile, click Add and type the name directly into the table. Table 49–17 Name Application Profile Selection Properties Notes Application Profile Name The name that uniquely identifies the client application to Mobile and Social. Configuring Mobile and Social Services 49-31 Defining Service Domains Table 49–17 (Cont.) Application Profile Selection Properties Name Notes Mobile Single Sign-on (SSO) Configuration If configuring a mobile Service Domain, choose if each application should participate in mobile single sign-on as an SSO Agent, as an SSO Client, or not at all (None). ■ ■ ■ Choose None if this application does not want to participate in mobile SSO and instead wants to perform User authentication with the Mobile and Social server directly. Choose As an SSO Agent if the application is a mobile single sign-on agent that can accept authentication requests from other apps. For details about creating a custom mobile SSO agent, refer to the Android or iOS SDK information in the Developer's Guide for Oracle Access Management. Choose As an SSO Client if the application is configured to work with mobile single sign-on and it delegates user authentication and user session management responsibilities to a mobile SSO agent. Agent Priority Displays the numerical ranking for applications that are configured as mobile SSO Agents. When multiple agent apps are installed on the device, the Agent application with highest priority (smallest numerical rank) acts as the Agent application for all other Agent apps. If that Agent is deleted from the device, the Agent with the next highest ranking becomes the active Agent. Click Move Up and Move Down to reorder the agents by priority. Description (Optional) Type a short description that will help you or another Administrator identify this service in the future. 5. Click Next to select a Service Profile. The Service Profile page displays. 6. Use one or both of the following options to add at least one Service Profile to the Service Domain. For a mobile Service Domain, you can add one Service Profile for each authentication, authorization, and User Profile Services Service Provider. For a non-mobile Service Domain, you can add multiple Service Profiles for each authentication, authorization, and User Profile Services Service Provider. a. Click Select to open a Search window from which you can search for a previously configured Service Profile. If configuring a mobile Domain, you can only select a mobile-compatible Authentication Service Profile. Similarly, if configuring a non-mobile domain, you can only select a desktop-compatible Authentication Service Profile. Select the Profile to assign and click Select. If you know the exact name of the Service Profile, click Add and type the name directly into the table. b. Click Create to create a new Service Profile. Table 49–18 Service Profile Selection Properties Name Notes Authentication Service (Optional) Displays the name of the Authentication Service Profile configured for this Service Domain and the corresponding Service Endpoint. If creating a new Service Profile, see Section 49.4.1, "Defining, Modifying and Deleting an Authentication Service Profile." 49-32 Administrator's Guide for Oracle Access Management Defining Service Domains Table 49–18 (Cont.) Service Profile Selection Properties Name Notes Authorization Service (Optional) Displays the name of the Authorization Service Profile configured for this Service Domain and the corresponding Service Endpoint. If creating a new Service Profile, see Section 49.4.2, "Defining, Modifying and Deleting an Authorization Service Profile." User Profile Service (Optional) Displays the name of the User Profile Service Profile configured for this Service Domain and the corresponding Service Endpoint. If creating a new Service Profile, see Section 49.4.3, "Defining, Modifying and Deleting a User Profile Service Profile." 7. Click Next to configure Service Protection (authentication). The Service Protection page displays. 8. Configure authentication for the Service Profile using one of the following options. a. If you previously selected a User Profile Service for this Service Domain, configure the security settings to protect it. Table 49–19 User Profile Service Protection Properties Name Notes Authentication Choose from the menu the Authentication Service Profile configured for this Service Domain, with which you would like to protect this User Profile service. Secured Application Select to require the client application to authenticate, either by presenting a Client Resource Handle or a Client Token. Secured User Select to require a User to authenticate, either by presenting a User Token or an Access Token, where the access token is previously acquired with a User Token. Allow Read Select to allow users to view User Profile data. Allow Write Select to allow users to update User Profile data. b. If you previously selected an Authorization Service for this Service Domain, configure the security settings to protect it. Table 49–20 Authorization Service Protection Properties Name Notes Authentication Choose the Authentication Service Profile configured for this Service Domain, with which you would like to protect this Authorization service. Secured Application Select to require the client application to authenticate, either by presenting a Client Resource Handle or a Client Token. Secured User Select to require a User to authenticate, either by presenting a User Token or an Access Token, where the access token is previously acquired with a User Token. 9. Click Next to verify your selections. 10. Click Finish to create the Service Domain. Configuring Mobile and Social Services 49-33 Using the Jailbreak Detection Policy 49.7.2 Editing or Deleting a Service Domain To edit or delete an Service Domain, select the definition in the panel and click Edit or Delete on the panel's tool bar. 49.8 Using the Jailbreak Detection Policy Jailbreaking is the process of removing or circumventing the limitations that manufacturers impose on their mobile devices. While legal, jailbreaking can present a heightened security risk to protected resources. To counter this risk, Mobile and Social provides a preconfigured Jailbreak Detection Policy for iOS devices. The Jailbreak Detection Policy consists of one or more statements that instruct a client application (built using the Mobile and Social SDK for iOS) to search for files that may indicate the device is jailbroken. The Mobile and Social server sends the Policy statements to the iOS client application. The client device then returns a true (jailbreaking is detected) or false value back to the Mobile and Social server. This value is forwarded to the Security Handler Plug-in and, depending on the security policies of the Security Handler Plug-in in use, Mobile and Social can allow access, deny access, or wipeout any Mobile and Social specific data from the application. ■ ■ If the Default Security Handler Plug-in is active and the policy logic says the device is jail broken, the Plug-in can ALLOW or DENY access to the client device depending on how the allowJailBrokenDevices Plug-in attribute is set. If the Oaam Security Handler Plug-in is active and the policy logic says the device is jail broken, the Plug-in can ALLOW or BLOCK access to the client device depending on how the OAAM policy rules are configured. (Refer to the Administrator's Guide for Oracle Adaptive Access Manager for information on the policy rules as in, for example, the Jail broken Mobile Device rule under the "OAAM Post-Authentication Security" policy.) Additionally, if a device is blacklisted, lost or stolen, this Plug-in can send a WIPEOUT command that will delete any Mobile and Social specific data from the device and block the device from future requests. If the user recovers the missing device, the device can be reset in OAAM. See Section 49.5, "Defining Security Handler Plug-ins" for more information. OAAM's BLOCK and Mobile and Social's DENY mean the same thing. Note: The following sections contain more information. ■ Adding a New Jailbreak Detection Policy ■ Editing the Jailbreak Detection Policy 49.8.1 Adding a New Jailbreak Detection Policy If you choose to create a new Jailbreak Detection Policy using XML, click the Load button to overwrite the default Policy completely. A schema file is available from customer support. Use the following procedure to create a new Jailbreak Detection Policy with the Oracle Access Management Console. 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 49-34 Administrator's Guide for Oracle Access Management Using the Jailbreak Detection Policy 2. Click Jailbreak Detection Policy in the navigation pane. The Jailbreak Detection Policy page displays. 3. Click Add to configure the Conditions and Detection Logic properties for a new Jailbreak Detection Policy. ■ ■ ■ ■ ■ ■ ■ ■ Jailbreak Detection - Select Enabled to turn the Jailbreak Detection Policy on, or clear this option to turn it off for all client Application instances. If you enable the Jailbreak Detection Policy here, you can disable it on an application by application basis. If you disable the Policy here, you cannot enable or disable the feature on an application by application basis. Min OS Version - The minimum iOS version to which the policy applies. If the value is 1.0, the policy will apply to iOS devices running at least version 1.0 of iOS. Max OS Version - The maximum iOS version to which the policy applies. If the value is empty, a maximum iOS version number is not checked so the policy applies to any iOS version higher than the value specified for Min OS Version. Min Client SDK Version - The minimum Mobile and Social Client SDK version number. For example, 11.1.2.0.0. Max Client SDK Version - The maximum Mobile and Social Client SDK version number. For example, 11.1.2.3.0. Policy Expiration Duration - Type the length of time in seconds that the SDK on the iOS client device should wait before expiring the local copy of the policy and retrieving a newer version. Auto Check Period - Type the interval of time in minutes that the iOS client device should wait before executing the Jailbreak Detection Policy statements again. Detection Location - The iOS client device uses a logical-OR operator to evaluate Policy statements. Add a Detection Location as follows: – File Path - Type the absolute path to the file or directory on the device for which the Detection Policy should search. – Action - Select Exists which instructs the Detection Policy to evaluate whether it can access a file path. – Success - Select if the Policy should flag the device as jail broken if the specified files or directories are found on the device. Use this option if the policy is checking for unauthorized files or directories. Clear this option if the Policy should flag the device as jail broken if the specified files or directories are not found. (Use this option if checking for required files or directories.) 49.8.2 Editing the Jailbreak Detection Policy In most cases you can use the Policy Statements editor on the Jailbreak Detection Policy Configuration page to change a Jailbreak Detection Policy. 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 2. In the Jailbreak Detection Policy section, do one of the following: Configuring Mobile and Social Services 49-35 Configuring Mobile and Social Services with Other Oracle Products ■ ■ ■ To append changes to the Jailbreak Detection Policy, click Load in the tool bar, browse to the XML file that contains the Jailbreak Detection Policy statements that you want to append, choose Append after existing policy statements, and click OK. A schema file is available from customer support. To overwrite the Jailbreak Detection Policy, click Load in the tool bar, browse to the XML file that contains the Jail-Breaking Detection Policy statements that you want to load, choose Overwrite existing policy statements, and click OK. A schema file is available from customer support. To edit the Jailbreak Detection Policy, select it in the Policy Statements table to display its properties, make changes (as per Section 49.8.1, "Adding a New Jailbreak Detection Policy") and click Apply. 49.9 Configuring Mobile and Social Services with Other Oracle Products The following sections contain information on configuring Mobile and Social with other Oracle products. ■ Configuring Mobile and Social Services for Access Manager ■ Configuring Mobile and Social Services for Oracle Adaptive Access Manager 49.9.1 Configuring Mobile and Social Services for Access Manager The following sections describe how to configure Mobile and Social to work with different versions of Access Manager. ■ ■ ■ Configuring Mobile and Social Services to Work With Access Manager in Simple and Certificate Mode Configuring an Authentication Service Provider for Remote Oracle Access Manager Server 10g Configuring an Authentication Service Provider for Remote Access Manager 11gR2 or Oracle Access Manager 11gR1 PS1 During installation, the Oracle Fusion Middleware Configuration Wizard generates a domain that supports both Mobile and Social and Access Manager. For more information, see the "Configuring Mobile and Social" chapter in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. Note: 49.9.1.1 Configuring Mobile and Social Services to Work With Access Manager in Simple and Certificate Mode Use the following procedure to configure Mobile and Social Services to work with Access Manager if Access Manager is configured in Simple Mode. Change the Server Mode to Simple 1. In the Oracle Access Management Administration Console, click Configuration at the top of the window. 2. Click Server Instances. 3. Click Search and click oam_server1 in the Search Results. 4. Click Open. 49-36 Administrator's Guide for Oracle Access Management Configuring Mobile and Social Services with Other Oracle Products 5. In the OAM Proxy section, choose Simple from the Mode menu and click Apply. Change the Webgate Communication Mode to Simple 1. In the Oracle Access Management Administration Console for the target Webgate, click Application Security at the top of the window. 2. In the Webgates tab, click Search. 3. Select the target Webgate and open it for editing. 4. Change the security mode for the Webgate to Simple, then click Apply. The system creates a new directory for the Webgate under ~/oam-domain/output/accessgate-oic with the following files: ■ aaa_cert.pem ■ aaa_key.pem ■ cwallet.sso ■ ObAccessClient.xml ■ password.xml Change the OIC OAMASDKAuthNProvider Security Mode to Simple 1. Copy the .jks files from the ~/oam-domain/output/webgate-ssl directory to the ~/oam-domain/config/fmwconfig directory. 2. Go to the ~/oam-domain/output/accessgate-oic directory and open password.xml. Copy the passwd value from the file. 3. Open the Oracle Access Management Administration Console. The Launch Pad opens. Go to the Mobile and Social panel and click Mobile and Social Services > Service Providers > Authentication Service Providers > OAMAuthentication. 4. Add the following name-value pairs to the Attributes table. Name Value PASSPHRASE The passwd value from step 2. KEYSTORE /oam-domain/config/fmwconfig/oamclient-keystore.jks TRUSTSTORE /oam-domain/config/fmwconfig/oamclient-truststore.jks 5. In the Attributes table, locate TRANSPORT_SECURITY and change the value from OPEN to SIMPLE or CERT and click Save. 6. Restart the Oracle Access Management server. 49.9.1.2 Configuring an Authentication Service Provider for Remote Oracle Access Manager Server 10g The following procedure documents how to configure an Authentication Service Provider to work with a remote instance of the Oracle Access Manager 10g server. 1. Log in to the 10g Console and create the WG Profile. Configuring Mobile and Social Services 49-37 Configuring Mobile and Social Services with Other Oracle Products The OAM 10g Access Management Service must be turned on. 2. Navigate through the Mobile and Social Console to Mobile and Social Services > Service Providers > Authentication Service Providers. 3. Click New to create a new Authentication Service Provider configuration. 4. Enter the appropriate values for the parameters. a. Change OAM_VERSION to OAM_10G from OAM_11G. b. Change WEBGATE_ID to the name you previously used to create the WG profile. c. Change OAM_SERVER_1 to the hostname:port# of the machine hosting the OAM 10G server. d. Add a new parameter named AuthNURL and populate it with the URL for any protected resource; for example, http://server1.example.com/index.html. 5. Save the Authentication Service Provider configuration. 6. Navigate through the Mobile and Social console to Mobile and Social Services > Service Profiles > Authentication Services > OAMAuthentication. 7. From the Service Provider drop down menu, select the Authentication Service Provider just created; for example, 10GOAMAuthentication. 8. Check the Client Token checkbox. 9. Uncheck the Access Token checkbox. 10. Save the OAMAuthentication configuration. If Mobile and Social is configured to work with a remote instance of the Oracle Access Manager 10g server, you must also do either of the following: ■ ■ Define a uid attribute in the directory DN entry for user records in the Oracle Access Manager UserStore. Define a unique directory user entry attribute that can be used to identify the directory user entry in Mobile and Social. Mobile and Social can dynamically obtain the unique directory user attribute name from Oracle Access Manager version 11g but the earlier 10g release requires that you specify the attribute to use when configuring Mobile and Social. If this attribute is not set, Client Token validation will fail in Mobile and Social. Note: The following procedure demonstrates setting the value to CN. Set the value to a unique user entry as configured on your directory server; uid or loginid may also be possible choices. Before beginning, confirm that the Oracle Access Manager DN for UserStore does not include a uid attribute for the Application Profile profileid1, and that the DN is as follows: "CN=profileid1 profileid1, OU=Test, ..." Complete the next steps upon confirming that both are true. 1. Open the Application Profile Configuration page for profileid1 in Mobile and Social as documented in Section 49.6, "Defining Application Profiles." 2. In the Attributes section, add the following name-value pair and click Apply. 49-38 Administrator's Guide for Oracle Access Management Configuring Mobile and Social Services with Other Oracle Products Name: userPrincipalAttrValue Value: CN 3. Open the Service Provider Configuration page for your Oracle Access Manager 10g Authentication Service Provider as documented in Section 49.3.1, "Defining, Modifying or Deleting an Authentication Service Provider." 4. In the Attributes section, add the following name-value pair and click Apply. Name: userPrincipalAttrName Value: CN 49.9.1.3 Configuring an Authentication Service Provider for Remote Access Manager 11gR2 or Oracle Access Manager 11gR1 PS1 The following procedure documents how to configure an Authentication Service Provider to work with releases 11gR2 and 11gR1 PS1. The differences for the 11gR1 PS1 release console are documented in notes within each 11gR2 step. See Section 48.1.2, "Deploying Mobile and Social" for information about deploying Mobile and Social with a Webgate. Note: 1. Log in to the Oracle Access Management Console and register a Webgate (OAM Agent) for Mobile and Social. Be sure to enable the following options. ■ Allow Management Operations ■ Allow Token Scope Operations ■ Allow Master Token Retrieval ■ Allow Credential Collector Operations Note: If using an OAM 11.1.1.n release console, enable Allow Management Operations. 2. Navigate through the Mobile and Social Console to Mobile and Social Services > Service Providers > Authentication Service Providers. 3. Click New to create a new Authentication Service Provider configuration. 4. When using an OAM 11.1.2 release console, enter the following values: a. Keep the default value of OAM_VERSION as OAM_11G. b. Change WEBGATE_ID to the name you previously used to create the WG profile. c. Change OAM_SERVER_1 to the hostname:port# of the machine hosting the OAM 11G server. Configuring Mobile and Social Services 49-39 Configuring Mobile and Social Services with Other Oracle Products Note: If using an OAM 11.1.1.n release console: 1. Change the default value of OAM_VERSION to OAM_10G. 2. Change WEBGATE_ID to the name you previously used to create the WG profile. 3. Change OAM_SERVER_1 to the hostname:port# of the machine hosting the OAM 11.1.1.5 server. 4. Add a new parameter named AuthNURL and populate it with the URL for any protected resource; for example, http://server1.example.com/index.html. 5. Save the Authentication Service Provider configuration. 6. Navigate through the Mobile and Social Console to Mobile and Social Services > Service Profiles > Authentication Services > OAMAuthentication. 7. From the Service Provider drop-down menu, select the Authentication Service Provider just created; for example, 10GOAMAuthentication. 8. Select the Client Token checkbox. 9. Clear the Access Token checkbox only if using OAM 11g R1 PS1. 10. Save the OAMAuthentication configuration. 11. Merge the CSF wallet files. OAM 11G generates the cwallet.sso file when the administrator creates the WG profile for Mobile and Social. To communicate with this WG profile, the administrator must merge the secret value in cwallet.sso into the Mobile and Social wallet. Use the following command to display the wallet before and after the merge for verification that the merge has been successful. Note: orapki wallet display -wallet wallet_location a. Copy cwallet.sso from OAM (~/domain-home/output) to the Mobile and Social host machine directory, /tmp/oam. b. Copy cwallet.sso from the Mobile and Social host machine directory (~/config/fmwconfig) to the Mobile and Social host machine directory, /tmp/oic. c. Download merge-creds.xml to the Mobile and Social host machine directory, /tmp. Example 49–1 is a sample merge-creds.xml file. Example 49–1 Sample merge-creds.xml 49-40 Administrator's Guide for Oracle Access Management Configuring Mobile and Social Services with Other Oracle Products File-based credential provider d. Set the PATH variable to include ~/oracle_common/bin:~/oracle_ common/common/bin:~ e. Initialize the WebLogic Scripting Tool by running wlst.sh on the command line. f. Run the migrateSecurityStore WLST command. Following is sample syntax for the WLST command. $ wlst.sh wls:/offline> connect("weblogic", "weblogic-passwd", "localhost:") wls:/WLS_IDM/serverConfig> migrateSecurityStore(type="credStore",configFile="/tmp/merge-creds.xml", src="FileSourceContext",dst="FileDestinationContext") 12. Restart the Mobile and Social server. 49.9.2 Configuring Mobile and Social Services for Oracle Adaptive Access Manager To configure a Service Domain to use the Oracle Adaptive Access Manager (OAAM) device registration functionality, open the Service Domain Configuration page and choose the OAAMSecurityHandlerPlugin option from the Security Handler Plugin Name list. See Section 49.7.1, "Creating a Service Domain." Configuring Mobile and Social Services 49-41 Configuring Mobile and Social Services with Other Oracle Products During installation, the Oracle Fusion Middleware Configuration Wizard can generate a domain that supports both Mobile and Social and Oracle Adaptive Access Manager. Mobile and Social requires at least Oracle Adaptive Access Manager version 11g Release 2. For more information, see the "Configuring Mobile and Social" chapter in the Fusion Middleware Installation Guide for Oracle Identity and Access Management. Note: The following sections describe how to configure the required policies, conditions, rules, and actions to complete integration between Mobile and Social and OAAM. ■ Understanding OAAM Support in Mobile and Social ■ Configuring the WebLogic Administration Domain ■ Configuring OAAM if Social Identity Authentication is Enabled in Mobile and Social Services ■ Setting up a Lost or Stolen Device Rule ■ Configuring Blacklisted Devices and Applications ■ Understanding the OAAM Sessions for Mobile Applications ■ Registering Users for OAAM Authentication ■ Setting up OAAM Knowledge-Based Authentication ■ Setting up OAAM One Time Password Note: See the Administrator's Guide for Oracle Adaptive Access Manager for information on how to set up OAAM rule and policy ordering. 49.9.2.1 Understanding OAAM Support in Mobile and Social Mobile and Social supports the OAAM policies listed (by OAAM checkpoint) in Table 49–21. Table 49–21 OAAM Policies Supported By Mobile and Social Checkpoint Supported Policies Post-Authentication OAAM Post-Authentication Security OAAM User vs Themselves OAAM User vs. All Users OAAM Does User Have Profile OAAM Predictive Analysis Policy Challenge OAAM Challenge Policy Device Identification OAAM Device ID Policy OAAM System Deep Analysis Flash Policy OAAM System Deep Analysis No Flash Policy Mobile and Social and OAAM also use similar terminology to describe the security actions that can be taken to respond to authentication and authorization events. Table 49–22 maps the the Mobile and Social term to the OAAM term. 49-42 Administrator's Guide for Oracle Access Management Configuring Mobile and Social Services with Other Oracle Products Table 49–22 Mapping Terms Between OAAM and Mobile and Social OAAM Action Groups Mobile and Social Actions OAAM Allow ALLOW OAAM Block DENIED OAAM Challenge CHALLENGE OAAM Black-Listed Mobile Device WIPE_OUT OAAM Lost Device WIPE_OUT ■ ■ For information about the OAAM policies, rules and checkpoints, see the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager. To customize OAAM policies and rules, use the Oracle Adaptive Access Manager Administrator's Console. 49.9.2.2 Configuring the WebLogic Administration Domain Before configuring OAAM policies, complete the steps in this section. ■ Creating an Administrator for OAAM Administration ■ Adding Oracle Access Management Server as Target of OAAM Data Source 49.9.2.2.1 Creating an Administrator for OAAM Administration 1.Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain. 2. In the Domain Structure tab on the left side of the page, select Security Realms. 3. On the Summary of Security Realms page, select the realm that you are configuring; for example, myrealm. 4. Click New and provide the required information to create a User in the security realm: Name (for example, user1), Description (optional), Provider (enter DefaultAuthenticator), Password, and Confirm Password. 5. Click to select the new created User. 6. Click the Groups tab. 7. Assign to the User all groups with an OAAM prefix. 8. Click Save. 49.9.2.2.2 Adding Oracle Access Management Server as Target of OAAM Data Source 1.Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain. 2. In the Domain Structure tab on the left side of the page, select Services. 3. On the Summary of Services page, select Data Sources. 4. Open OAAM_SERVER_DS in the Data Sources table. 5. Click the Targets tab. 6. Select oam_server1. 7. Click Save. Configuring Mobile and Social Services 49-43 Configuring Mobile and Social Services with Other Oracle Products 49.9.2.3 Configuring OAAM if Social Identity Authentication is Enabled in Mobile and Social Services If Mobile and Social Services is configured to accept an authentication result from Social Identity, complete the following steps to configure OAAM to work with Mobile and Social when users authenticate. 1. Log in to the OAAM Administration Console. 2. Click Policies and search for the OAAM Mobile and Social Integration Post-Authentication Security policy. 3. In the policy find the following rule: Mobile device is not registered. 4. Add a condition: a. Search on "Session: Check value in comma separated values." b. Add the following: Parameter Key : oic.userIdType Value to Check : URI Return if in list : false 49.9.2.4 Setting up a Lost or Stolen Device Rule Users should report lost or stolen devices to the support department so that the missing device can be added to the OAAM Lost or Stolen Device group. Then if an authentication attempt comes from the missing device, OAAM can send Mobile and Social a DENY or WIPE_OUT action to wipe out the application's data associated with the Mobile and Social server. If a User recovers a missing device, the device status can be reset in OAAM. The following procedure documents how to create a Lost or Stolen Device Rule for each device reported as missing by adding the Device ID to the OAAM Lost or Stolen Devices device group. 1. Log in to the OAAM Administration Console. 2. Double-click Sessions in the Navigation pane. The Sessions Search page displays. 3. Search by User Name, Client Application name, Device ID or similar to find the lost or stolen device. 4. Click the Session ID in the Search Results table. The Session Details page opens. 5. Click Add to Group. The Add to Group pop-up window opens. 6. In the Choose Data Type to Add section, choose Device and click Next. 7. Select the OAAM Lost or Stolen Devices Group and click Next. 8. Verify your selection and click Finish. 9. Click OK. For information about managing the Lost Devices policy and group, see the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager. 49-44 Administrator's Guide for Oracle Access Management Configuring Mobile and Social Services with Other Oracle Products 49.9.2.5 Configuring Blacklisted Devices and Applications Rules can be configured to block access to specific devices or applications. The following sections contain more information. ■ Setting up a Blacklisted Device Rule ■ Setting up a Blacklisted Application Rule 49.9.2.5.1 Setting up a Blacklisted Device Rule Create a Blacklisted Device Rule for each device to which you want to block access. The following procedure documents how to create a Blacklisted Device Rule by adding the Device ID to the OAAM Black-listed Mobile Devices group. 1. Log in to the OAAM Administration Console. 2. Double-click Sessions in the Navigation pane. The Sessions Search page displays. 3. Use the Search page to find the device to block. For example, search by a User Name, a Client Application name, a Device ID, and so on. 4. Click the Session ID in the Search Results table. The Session Details page opens. 5. Click Add to Group. The Add to Group pop-up window opens. 6. In the Choose Data Type to Add section, choose Device and click Next. 7. Select the OAAM Black-listed mobile devices Group and click Next. 8. Verify your selection and click Finish. 9. Click OK. 49.9.2.5.2 Setting up a Blacklisted Application Rule The task of adding a Blacklisted Application Rule is broken into the following procedures. Follow them (in order) to add the application to the OAAM Blacklisted Mobile Devices group. ■ Creating a New Alert Group ■ Creating a Generic Strings Group to Store Blacklisted Application Names ■ Creating a New Blacklisted Application Rule 49.9.2.5.3 Creating a New Alert Group 1. Log in to the OAAM Administration Console. 2. Double-click Groups in the Navigation pane. The Groups Search page displays. 3. Click New Group. The Create Group pop-up window opens. 4. Complete the form as follows and click Create: ■ Group Name - Type OAAM Blacklisted mobile application used. (This is the name of the mobile application to be blacklisted.) ■ Group Type - Choose Alerts from the menu. ■ Cache Policy - Choose Full Cache from the menu. Configuring Mobile and Social Services 49-45 Configuring Mobile and Social Services with Other Oracle Products ■ Description - Type Session coming from a blacklisted mobile application. 5. Click the Alerts tab. 6. Click the Add member to this group button. The Add Alerts pop-up window opens. 7. In the Options to add a new element section, choose Create new Alerts. Complete the form as follows and click Add: ■ Alert Type - Choose Fraud from the menu. ■ Alert Level - Choose Medium from the menu. ■ Alert Message - Type Session coming from a blacklisted mobile application. The Add Alerts window displays a message confirming that the new element was created successfully. 49.9.2.5.4 1. Creating a Generic Strings Group to Store Blacklisted Application Names Double-click Groups in the Navigation pane. The Groups Search page displays. 2. Click New Group. The Create Group pop-up window opens. 3. Complete the form as follows and click Create: ■ Group Name - Type OAAM blacklisted mobile application. ■ Group Type - Choose Generic Strings from the menu. ■ Cache Policy - Choose Full Cache from the menu. ■ Description - Type OAAM blacklisted mobile application. 4. Click the Generic Strings tab, then click the Add member to this group button. 5. Type the name of the app. The Add Generic Strings window displays a message confirming that the new element was created successfully. Click OK. 49.9.2.5.5 1. Creating a New Blacklisted Application Rule Double-click Policies in the Navigation pane. The Policies Search page displays. 2. Choose Post authentication from the Checkpoint menu, then click Search. 3. Click OAAM Post-Authentication Security. The OAAM Post-Authentication Security page opens. 4. Click the Rules tab. 5. Click the Add Rule button. Complete the form as follows and click Add: ■ Rule Name - Type Check for blacklisted mobile applications. 49-46 Administrator's Guide for Oracle Access Management Configuring Mobile and Social Services with Other Oracle Products ■ ■ Rule Status - Choose Active from the menu. Rule Notes - Type Check if application is in the Oaam blacklisted mobile application group. 6. Click the Conditions tab. 7. Click Add Conditions. The Add Condition pop-up window opens. 8. 9. Complete the form as follows and click Search: ■ Condition Name - Type Check Current Session ■ Type - Choose In Session from the menu. In the table of results, click Session: Check Current Session using the filter conditions. The filter condition details display. 10. Do the following and click Save: a. Under Check if select Client Application. b. Select in as the operator. c. Select Group as the Target Type. d. Select Generic Strings as the Group Type. e. Select OAAM blacklisted mobile application as the Group Name. In English the condition reads as "Check if the Client Application is in the "OAAM blacklisted mobile application" group." 11. Click the Results tab. 12. Choose OAAM Block from the Action Group menu. 13. Choose OAAM Blacklisted application used from the Alert Group menu. 14. Click Apply. 49.9.2.6 Understanding the OAAM Sessions for Mobile Applications The OAAM Session is a commonly used conceptual entity in OAAM rule execution. A rule can use a session attribute as input (for example, Client App Name and OAAM Device ID) and affect the status of the session at the output (that is, changing the status to "Blocked"). When OAAM is used in a non-mobile environment such as a web browser, there is a one-to-one relationship between a user authentication session (an OAM session, for example) and the OAAM session. For example, each OAAM session contains data associated with the following fields: ■ User ID ■ Client IP Address ■ OAAM Device ID and Fingerprint ■ (Auth) Status: Success, Pending, Blocked, and so on ■ Client Application Name Configuring Mobile and Social Services 49-47 Configuring Mobile and Social Services with Other Oracle Products In a mobile application environment, different apps running on the same device used by the same user are expected to have different OAAM sessions, even in a mobile SSO scenario. For example, assume the following apps are installed on a mobile device: ■ SSO Security Agent App ■ White Pages App ■ Expense Report App These apps are listed together as participants of the same Service Domain and they all participate in single sign-on. A user just needs to log in once using the mobile SSO agent app. This means that there will only be a single User Authentication session (that is, a single Access Manager session) shared by multiple apps on the same device. On the other hand, if the user uses all three apps simultaneously within the same Access Manager session, each mobile application will have its own OAAM session entry and three OAAM sessions will be seen in the OAAM Admin Console. The reason to have separate OAAM sessions for each mobile application is to allow rules to take the mobile client application into account. The same rule can block sessions from some apps, while letting sessions from other apps succeed. (The Blacklisted Application Rule in Section 49.9.2.5.2 is an example of this.) A more sophisticated rule can consider multiple factors from a session; for example an Expense Report application might rate as security sensitive while a "White Pages" (directory look-up) application might rate as less sensitive. The same Risky-IP rule may block sessions from the Expense Report application but not the White Pages app, even if the sessions come from the same medium-risky IP address. 49.9.2.7 Registering Users for OAAM Authentication OAAM provides strong authentication features, such as Knowledge-Based Authentication and One-Time Password. One-Time Password delivers a password using e-mail or a mobile text message. These features require end users to register a security profile that may contain security questions, mobile phone numbers, and e-mail addresses. Note: For more information about the OAAM user registration flow, see the Authentication Flow section in the Administrator's Guide for Oracle Adaptive Access Manager. The following sections contain information on setting up these authentication processes. ■ Setting up OAAM Knowledge-Based Authentication ■ Setting up OAAM One Time Password 49.9.2.7.1 Setting up OAAM Knowledge-Based Authentication Mobile and Social provides support for Knowledge-Based Authentication (KBA) if OAAM is installed. KBA is the default option for Strong Authentication in OAAM. Administrators do not need to perform extra configuration for KBA to work. Users should use the OAAM Managed Server Console to record their KBA questions in their User Profile registration. For more information about KBA, see the Administrator's Guide for Oracle Adaptive Access Manager. 49.9.2.7.2 Setting up OAAM One Time Password Mobile and Social provides One Time Password (OTP) support if OAAM is installed. OTP allows end users to authenticate themselves by entering a server generated one-time-password that might be received 49-48 Administrator's Guide for Oracle Access Management Configuring Mobile and Social Services with Other Oracle Products by either SMS or e-mail. Because the one-time-password is sent out-of-band, the risk is reduced that someone other than the valid user could obtain access to it. The following sections contain more information. ■ Setting Up OTP E-Mail Integration ■ Setting Up OTP Integration for SMS Messages ■ Changing the OAAM Challenge Policy Trigger Combination 49.9.2.7.3 Setting Up OTP E-Mail Integration Mobile and Social can send e-mail in either of the following ways. ■ Using the included SMTP client. ■ Using the Oracle User Messaging Service (UMS). This section contains a procedure for each of these integrations. Choose either Setting Up SMTP for E-mail or Setting Up UMS for E-mail to begin. Note: Configure either SMTP or UMS. Do not configure both. After configuring the SMTP or UMS attribute values, enable the Challenge Types on the OAAM server as documented in this section's third procedure, Enable "Challenge Types" on the OAAM Server for E-mail. Setting Up SMTP for E-mail 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 2. In the Security Handler Plugins section on the right side of the screen, click OaamSecurityHandlerPlugin and click Edit in the tool bar. 3. In the Attributes section provide values for the following attribute names and click Apply. mail.smtp.host - The SMTP server host. mail.smtp.port - The SMTP server port. mail.smtp.security.type - The SMTP security type. Either SSL or TLS. mail.smtp.user - The user name to log on to the SMTP server. mail.smtp.fromadd - The Mobile and Social "From" address, for example: mobileadmin@example.com mail.smtp.password - The password for the mail.smtp.user account. mail.smtp.truststore.location - The file name with the location of the trust store to be used to validate the server identity. mail.smtp.keystore.location - The file name of the key store containing the client certificate. mail.smtp.keystore.password - The key store password. mail.smtp.truststore.password - The trust store password. 4. Complete the steps in Enable "Challenge Types" on the OAAM Server for E-mail. Configuring Mobile and Social Services 49-49 Configuring Mobile and Social Services with Other Oracle Products Setting Up UMS for E-mail 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 2. In the Security Handler Plugins section on the right side of the screen, click OaamSecurityHandlerPlugin and click Edit in the tool bar. 3. In the Attributes section provide values for the following attribute names and click Apply. ums.service.uri - The UMS server Web service URL, for example: http://:/ucs/messaging/webservice ums.username - The user name for the UMS server. ums.password - The password for the UMS server. ums.from.address - The Mobile and Social "From" address, for example: mobileadmin@example.com ums.from.name - The Mobile and Social "From" name. ums.email.enabled - Set to true. 4. Complete the steps in Enable "Challenge Types" on the OAAM Server for E-mail. Enable "Challenge Types" on the OAAM Server for E-mail 1. Log in to the OAAM Administration Console. 2. Choose Environment > Properties in the Navigation pane and double-click Properties. The Properties Search page displays. 3. In the Search box, type bharosa.uio.default.register.userinfo.enabled in the Name field and click Search. Click to select the record in the Search Results section, change the value to true, and click Save. 4. In the Search box, type bharosa.uio.default.userinfo.inputs.enum.email.enabled in the Name field and click Search. Click to select the record in the Search Results section, change the value to true, and click Save. 5. In the Search box, type bharosa.uio.default.challenge.type.enum.ChallengeEmail.available in the Name field and click Search. Click to select the record in the Search Results section, change the value to true, and click Save. 49.9.2.7.4 Setting Up OTP Integration for SMS Messages Mobile and Social sends SMS messages using the Oracle UMS. Complete Setting Up SMS Using UMS and then Enable "Challenge Types" on the OAAM Server for SMS. Setting Up SMS Using UMS 1. Access the Mobile and Social Services configuration page as described in Section 49.1, "Opening the Mobile and Social Services Configuration Page." 49-50 Administrator's Guide for Oracle Access Management Configuring Mobile and Social Services with Other Oracle Products 2. In the Security Handler Plugins section on the right side of the screen, click OaamSecurityHandlerPlugin and click Edit in the tool bar. 3. In the Attributes section provide values for the following attribute names and click Apply. ums.service.uri - The UMS server Web service URL, for example: http://:/ucs/messaging/webservice ums.username - The user name for the UMS server. ums.password - The password for the UMS server. ums.from.address - The Mobile and Social "From" address, for example: mobileadmin@example.com ums.from.name - The Mobile and Social "From" name. ums.email.enabled - Set to true. 4. Complete the steps in the Enable "Challenge Types" on the OAAM Server for SMS. Enable "Challenge Types" on the OAAM Server for SMS 1. Log in to the OAAM Administration Console. 2. Choose Environment > Properties in the Navigation pane and double-click Properties. The Properties Search page displays. 3. In the Search box, type bharosa.uio.default.register.userinfo.enabled in the Name field and click Search. Click to select the record in the Search Results section, change the value to true, and click Save. 4. In the Search box, type bharosa.uio.default.challenge.type.enum.ChallengeSMS.available in the Name field and click Search. Click to select the record in the Search Results section, change the value to true, and click Save. 49.9.2.7.5 Changing the OAAM Challenge Policy Trigger Combination OAAM evaluates the Challenge policy when an event triggers the Challenge action. If KBA is active for a User, the system challenges the User with questions from the OAAM Challenge Question Action Group. If the User fails the OAAM challenge questions three times, the system starts the OAAM SMS Challenge Action group. You can reorder the Action Group using OAAM Challenge Policy trigger combinations. So other Challenge Action Groups, such as the OAAM Challenge E-Mail group or the OAAM Challenge SMS group, will take precedence over the OAAM Challenge question. The following procedure documents how to change the OAAM Challenge Policy Trigger Combination. 1. Log in to the OAAM Administration Console. 2. Double-click Policies in the Navigation pane. The Policies Search page displays. 3. Choose Challenge from the Checkpoint menu, then click Search. 4. Click to select OAAM Challenge Policy in the Search Results table. Configuring Mobile and Social Services 49-51 Configuring Mobile and Social Services with Other Oracle Products 5. Click the Trigger Combinations tab. 6. Click Reorder. The Reorder Trigger Combinations pop-up window opens. 7. Use the controls to move trigger combinations to higher or lower positions. 49-52 Administrator's Guide for Oracle Access Management 50 Configuring Social Identity 05 [32Mobile ] and Social provides a graphical user interface for configuring Social Identity. (Prior to version 11.1.2.2, Social Identity was named Internet Identity Services.) This chapter describes how to use the Oracle Access Management Console to configure Mobile and Social Services and contains the following topics. ■ Opening the Manage Social Identity Page ■ Understanding Social Identity Configuration ■ Defining Social Identity Providers ■ Defining Service Provider Interfaces ■ Defining Application Profiles ■ Integrating Social Identity With Mobile Applications ■ Linking Social Identity Provider Accounts Social Identity can also be configured from the command line using WLST. For more information about the Mobile and Social WLST commands, see the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Note: Only use tools provided with OAM Mobile and Social to change passwords, security credentials, or keys. Specifically, do not use Oracle Enterprise Manager (EM) for this purpose, because it is not compatible with the Mobile and Social credential store. WARNING: 50.1 Opening the Manage Social Identity Page Follow these steps to open the Manage Social Identity page in the Oracle Access Management Console. 1. In to the Oracle Access Management Console, click Federation at the top of the window. 2. Click Social Identity. 3. Click an OAuth Identity Domain to configure it. Configuring Social Identity 50-1 Understanding Social Identity Configuration 50.2 Understanding Social Identity Configuration The Welcome to Mobile and Social - Social Identity configuration page is divided into separate panels that can be expanded and collapsed by clicking the arrow button in the top left corner of the panel. The following sections contain more information about the Social Identity panels. ■ Understanding Social Identity Providers ■ Understanding Service Provider Interfaces ■ Understanding Application Profiles 50.2.1 Understanding Social Identity Providers The Social Identity Providers panel is used to edit the (preconfigured) configuration details for Identity Providers such as Google, Facebook, Twitter, and the like. Once established, you should not need to modify these settings very often. You can also define configuration details for Social Identity Providers that you add yourself by implementing the oracle.security.idaas.rp.spi.IdentityProvider Java interface. For information about adding additional Social Identity Providers, see "Extending the Capabilities of the Mobile and Social Server" in the Developer's Guide for Oracle Access Management. More information on Social Identity Providers is in Section 50.3, "Defining Social Identity Providers." 50.2.2 Understanding Service Provider Interfaces The Service Provider Interface refers to the set of rules that govern the authentication flow for the specified Application Profile. Mobile and Social provides the following Service Provider Interfaces. ■ ■ DefaultServiceProviderInterface - provides support for web applications that run on Java-compliant application servers. OAMServiceProviderInterface - provides support for web applications that run on the Access Manager service. More information on Service Provider Interfaces is in Section 50.4, "Defining Service Provider Interfaces." A Java developer can write custom implementations of one or more of the Identity Provider interface contracts. Use the Service Provider Interfaces section only if you need to add a custom Service Provider created by a developer. Note: 50.2.3 Understanding Application Profiles An Application Profile defines an application that uses Social Identity Provider services on the Mobile and Social server. Use this panel to configure mobile applications, web applications that run on Java-compliant application servers, and web applications that are integrated with Access Manager to use Social Identity. ■ If a web application is not integrated with Access Manager, integrate the Social Identity login page with the web application. See the "Developing Applications Using the Social Identity Client SDK" chapter in the Developer's Guide for Oracle Access Management for details. 50-2 Administrator's Guide for Oracle Access Management Defining Social Identity Providers ■ If the web application is integrated with Access Manager, edit the preconfigured Application Profile named OAMApplication. When Access Manager and Mobile and Social are installed together during Oracle Access Management installation, both products are registered as trusted partners and the preconfigured Application Profile is included. As a result, you do not need to write code to integrate web applications that are integrated with Access Manager and Social Identity. The OAMApplication Application Profile that is included with Mobile and Social is preconfigured to work with Access Manager and requires only minor configuration changes to get working in your environment. More information on Application Profiles is in Section 50.5, "Defining Application Profiles." 50.3 Defining Social Identity Providers The Social Identity Provider collects configuration details for Identity Providers such as Google, Facebook, Twitter, and the like. Once created, you should not need to modify Social Identity Provider settings very often. The following sections provide information regarding creating, modifying and deleting Social Identity Providers. ■ Creating a Social Identity Provider ■ Editing or Deleting a Social Identity Provider ■ Generating the Consumer Key and Consumer Secret for OAuth Providers ■ Troubleshooting Facebook Social Identity Providers 50.3.1 Creating a Social Identity Provider Social Identity Providers can also be created using the WebLogic Scripting Tool. See the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for details. 1. Access the Manage Social Identity page as described in Section 50.1, "Opening the Manage Social Identity Page." 2. Click Create in the Social Identity Provider panel in the home area. The Create New Social Identity Provider configuration page displays. 3. Enter values for the Social Identity Provider properties. ■ ■ ■ Name - Type a unique name for this Authentication Service Provider. Description - (Optional) Type a short description that will help you or another Administrator identify this service in the future. Social Identity Provider Protocol - Select the Identity Provider Protocol from the drop down menu. – OpenID – OAuth – Custom Select Custom to configure a custom Identity Provider. Your choice here will change the displayed Protocol Attributes and User Attributes Returned panels to reflect properties more specific to the authentication protocol being used by the Social Identity Provider - either OpenID or OAuth. ■ Implementation Class - Based on the Social Identity Provider Protocol selection, the appropriate provider-specific implementation of the Configuring Social Identity 50-3 Defining Social Identity Providers oracle.security.idaas.rp.spi.IdentityProvider Java interface will be populated in this field. (If Custom, enter the corresponding implementation class that should interact with the Identity Provider.) The Mobile and Social server will use this information to communicate with this Social Identity Provider. 4. Enter values for the Protocol Attributes properties based on the protocol being used by the Social Identity Provider previously selected: OpenID (Table 50–1) or OAuth (Table 50–2). (If Custom, add all values required by the custom Provider and related to the authentication protocol used.) ■ Provide values required by the Identity Provider implementing the OpenID protocol as specified in Table 50–1. Table 50–1 OpenID Protocol Attributes Name Values Notes Yadis Endpoint Must be an absolute HTTP or HTTPS URL Type the published URL that accepts OpenID authentication protocol messages for this Identity Provider. Mobile and Social uses this URL to make user authentication requests. Hashing Algorithm ■ ■ ■ SHA256 is a 256-bit Choose a signature algorithm. Mobile key length and Social uses this value internally to algorithm configure the Session Type and Association Type properties for SHA1 is a 160-bit communicating with the Identity key length Provider. algorithm None Authentication Policy Choose Yes to request that an authentication policy be applied by the OpenID Provider when authenticating a user. Otherwise, choose No. Usage of PAPE (Provider Authentication Policy Extension) allows web developers to request other modifications to the flow, such as asking that the Identity Provider re-prompt the User for their password. Authentication Policy Maximum Age Provide a value greater than or equal to zero seconds. Specify 0 to force a password re-prompt. Type the maximum length of time in seconds that a User who has not actively authenticated can use a login session before being required to authenticate using the requested authentication policy. Use this parameter to ensure that the login session of the user at the Identity Provider is recent. Preferred Authentication Policies Type zero or more URIs separated by a space that represent authentication policies that the Identity Provider must satisfy when authenticating the user. For example: http://schemas.openid.net/pape/poli cies/2007/06/phishing-resistant http://schemas.openid.net/pape/poli cies/2007/06/multi-factor ■ Provide values required by the Identity Provider implementing the OAuth protocol as specified in Table 50–2. 50-4 Administrator's Guide for Oracle Access Management Defining Social Identity Providers Table 50–2 OAuth Protocol Attributes Name Value Notes Authorization URL The Identity Provider's published OAuth authorization URL. If an Identity Provider changes a published OAuth URL, update this value to match. Mobile and Social directs the User to this URL after the Identity Provider returns the request token (see Request Token URL). The Identity Provider verifies the User's identity, and the User grants the Identity Provider permission to release the User's protected information to the Mobile and Social server. Access Token URL Type the Identity Provider's published access token URL. Mobile and Social uses this URL to request an access token from the Identity Provider after the User authorizes the request token (using the Authorization URL). Request Token URL Type the Identity Provider's published Request Token URL. (Not applicable to Facebook.) Mobile and Social uses this URL to obtain a request token from the Identity Provider. After the Identity Provider grants the request token, the Mobile and Social server directs the User to the Identity Provider's Authorization URL. (The term temporary credentials supplants the terms request token and request secret in RFC 5849, The OAuth 1.0 Protocol.) Profile URL Type the Identity Provider's published Profile URL. Mobile and Social uses this URL to request User attributes based on a OAuth access token. Consumer Key Type the value that the Mobile and Social server should use to identify itself to the Identity Provider. See Section 50.3.3, "Generating the Consumer Key and Consumer Secret for OAuth Providers" for information about requesting a Consumer Key from the Identity Provider. Consumer Secret Type the secret that the Mobile and Social server should use to establish ownership of the Consumer Key. See Section 50.3.3, "Generating the Consumer Key and Consumer Secret for OAuth Providers" for information about requesting a Consumer Secret from the Identity Provider. Server Time Sync If the Mobile and Social server and a remote Identity Provider are not time synchronized, type the number of minutes of skew to add to the current server time when sending requests to the remote Provider. This field accepts both positive and negative integers. Typically LinkedIn requires synchronized server time values. Not applicable for Facebook or Twitter. In the Attribute Name column type the local application attribute name that should be assigned to the attribute name returned by the OpenID Identity Provider. In the Attribute Schema Name column, type the URL where the Mobile and Social server can request user data from the Identity Provider. If you add attributes in the Attribute Name column that the Identity Provider does not support, those attributes will not be available in Mobile and Social. Configuring Social Identity 50-5 Defining Social Identity Providers 5. Add values to the User Attributes Returned panel based on the Social Identity Provider Protocol previously selected: OpenID, OAuth or Custom. ■ OpenID: In the Attribute Name column type the local application attribute name that should be assigned to the attribute name returned by the Identity Provider. In the Attribute Schema Name column, type the URL where the Mobile and Social server can request user data from the Identity Provider. If you add attributes in the Attribute Name column that the Identity Provider does not support, those attributes will not be available in Mobile and Social. Table 50–3, " User Attributes Returned By Google" and Table 50–4, " User Attributes Returned By Yahoo" lists the user attributes supported by Google and Yahoo. Table 50–3 User Attributes Returned By Google Attribute Description country Requests the user's home country. Must be set to: http://axschema.org/contact/country/home email Requests the user's Gmail address. Must be set to: http://axschema.org/contact/email firstname Requests the user's first name. Must be set to: http://axschema.org/namePerson/first language Requests the user's preferred language. Must be set to: http://axschema.org/pref/language lastname Requests the user's last name. Must be set to: http://axschema.org/namePerson/last Table 50–4 User Attributes Returned By Yahoo Attribute Description gender Requests the user's gender. Must be set to: http://axschema.org/person/gender email Requests the user's e-mail address. Must be set to: http://axschema.org/contact/email fullname Requests the user's full name. Must be set to: http://axschema.org/namePerson language Requests the user's preferred language. Must be set to: http://axschema.org/pref/language nickname Requests the user's preferred name. Must be set to: http://axschema.org/namePerson/friendly Timezone Requests the user's preferred time zone. Must be set to: http://axschema.org/pref/timezone ■ OAuth: Specify the User Attributes that the OAuth Identity Provider should return. In the Attribute Name column type the local application attribute name that corresponds to the attribute name returned by the Identity Provider. In the Attribute Schema Name column, type the Identity Provider attribute name. For OAuth Providers, Attribute Name values and Attribute Schema Name values are usually the same. 50-6 Administrator's Guide for Oracle Access Management Defining Social Identity Providers LinkedIn does not return an e-mail address or an unencrypted login ID when it returns User Identity attributes to Mobile and Social. Please note this limitation when using Identity attributes from LinkedIn to pre-populate the registration form for Users. Note: Table 50–5, " User Profile Attributes Returned By Foursquare" and Table 50–6, " User Profile Attributes Returned By Windows Live" lists the user attributes supported by Foursquare and Windows Live. Table 50–5 User Profile Attributes Returned By Foursquare Attribute Description id Requests the user's ID. firstname Requests the user's first name. lastname Requests the user's last name. contact.email Requests the user's email address. homecity Requests the user's home city. gender Requests the user's gender. photo Requests the user's photo. Table 50–6 User Profile Attributes Returned By Windows Live Attribute Description id Requests the user's ID. first_name Requests the user's first name. last_name Requests the user's last name. name Requests the user's name. link Requests the user's link. email.preferred Requests the user's preferred e-mail address. gender Requests the user's gender. locale Requests the user's local. updated_time Requests the updated time. ■ 6. Custom: In the Attribute Name column type the local application attribute name that should be assigned to the attribute name returned by the Custom Identity Provider. In the Attribute Schema Name column, type the URL where the Mobile and Social server can request user data from the Identity Provider. Click Create to create the Social Identity Provider configuration object. 50.3.2 Editing or Deleting a Social Identity Provider To edit or delete a Social Identity Provider, select the Provider in the panel and click Edit or Delete on the panel's tool bar. See Section 50.3.1, "Creating a Social Identity Provider" for attribute descriptions. Configuring Social Identity 50-7 Defining Social Identity Providers 50.3.3 Generating the Consumer Key and Consumer Secret for OAuth Providers The following sections describe how to generate the Consumer Key and Consumer Secret for the Social Identity Providers that support the OAuth protocol. ■ Generating a Consumer Key and Consumer Secret for Facebook ■ Generating a Consumer Key and Consumer Secret for Twitter ■ Generating a Consumer Key and Consumer Secret for LinkedIn ■ Generating a Consumer Key and Consumer Secret for Foursquare ■ Generating a Consumer Key and Consumer Secret for Windows Live ■ Generating a Consumer Key and Consumer Secret for Google The steps in this section are accurate as of the date that this documentation was published. The steps required to create a Consumer Key and Consumer Secret using the Facebook, Twitter, and LinkedIn web sites are subject to change at any time. Note: 50.3.3.1 Generating a Consumer Key and Consumer Secret for Facebook This section describes how to generate a Consumer Key and Consumer Secret for Facebook. 1. Open the following URL in a web browser: https://developers.facebook.com/apps 2. Click Create New App. 3. Complete the Create New App form. Facebook creates the application and assigns it a unique App ID and App Secret. 4. Complete the information in the Basic Info section. In the Select how your application integrates with Facebook section, select Website with Facebook Login. 5. In the Site URL field, provide the URL where the Mobile and Social Server can be reached. For example: http://OAM-Hosted-Machine: Port/ 6. Click Save Changes. 7. From the Mobile and Social Console, open the "Social Identity Providers" > "Facebook" configuration page as described in section Section 50.3.2. 8. Paste the App ID in the Consumer Key field and paste the App Secret in the Consumer Secret field. Click Apply to save your changes. 50.3.3.2 Generating a Consumer Key and Consumer Secret for Twitter This section describes how to generate a Consumer Key and Consumer Secret for Twitter. 1. Open the following URL in a web browser: https://dev.twitter.com/apps/new 2. Complete the Create an application form. 50-8 Administrator's Guide for Oracle Access Management Defining Social Identity Providers In the Callback URL field provide the URL where the Mobile and Social Server can be reached. For example: http://OAM-Hosted-Machine: Port/oic_rp/return Twitter creates the application and assigns it a unique Consumer key and Consumer secret. 3. (Optional) Configure your Twitter application as needed and save your changes. 4. From the Mobile and Social Console, open the "Social Identity Providers" > "Twitter" configuration page as described in section Section 50.3.2. 5. Paste the Consumer Key in the Consumer Key field and paste the Consumer Secret in the Consumer Secret field. Click Apply to save your changes. 50.3.3.3 Generating a Consumer Key and Consumer Secret for LinkedIn This section describes how to generate a Consumer Key and Consumer Secret for LinkedIn. 1. Open the following URL in a web browser: https://www.linkedin.com/secure/developer?newapp= 2. Complete the Add New Application form. In the OAuth User Agreement section, add the URL in the OAuth Redirect URL field where the Mobile and Social Server can be reached. For example: http://OAM-Hosted-Machine:Managed Server Port/ 3. Click Add Application. LinkedIn creates the application and assigns it a unique API Key and Secret Key. 4. From the Mobile and Social Console, open the "Social Identity Providers" > "LinkedIn" configuration page as described in section Section 50.3.2. 5. Paste the API Key in the Consumer Key field and paste the Secret Key in the Consumer Secret field. Click Apply to save your changes. 50.3.3.4 Generating a Consumer Key and Consumer Secret for Foursquare This section describes how to generate a Consumer Key and Consumer Secret for Foursquare. 1. Open the following URL in a web browser: https://foursquare.com/developers/register 2. Fill in the application name and website URL. 3. Enter the URL where the Mobile and Social Server can be reached in the Callback URL field. For example: http://OAM-Hosted-Machine:Port/ 4. Save your changes. From the screen that is displayed, copy the 'Client ID' and 'Client secret' codes. Configuring Social Identity 50-9 Defining Social Identity Providers 5. From the Mobile and Social Console, open the "Social Identity Providers" > "Foursquare" configuration page as described in section Section 50.3.2. 6. Paste the Client ID in the Consumer Key field and the Client Secret in the Consumer Secret field and click Apply to save your changes. 50.3.3.5 Generating a Consumer Key and Consumer Secret for Windows Live This section describes how to generate a Consumer Key and Consumer Secret for Windows Live. 1. Open the following URL in a web browser: https://manage.dev.live.com/ 2. Sign in with your Windows Live ID and password. 3. Click Create Application. 4. Fill in the application name. 5. Read and accept the terms of use. From the screen that is displayed, copy the 'Client ID' and 'Client secret' codes. 6. From the Mobile and Social Console, open the "Social Identity Providers" > "Windows Live" configuration page as described in section Section 50.3.2. 7. Paste the Client ID in the Consumer Key field and the Client Secret in the Consumer Secret field and click Apply to save your changes. 50.3.3.6 Generating a Consumer Key and Consumer Secret for Google This section describes how to generate a Consumer Key and Consumer Secret for Google. 1. Open the following URL in a web browser: https://code.google.com/apis/console 2. Under APIs & auth (on the left side) click Credentials. 3. Under OAuth click Create new Client ID. The Create Client ID form opens. 4. Complete and submit the form. The new Client ID and secret are added. 5. From the Mobile and Social Console, open the "Social Identity Providers" > "Google" configuration page as described in section Section 50.3.2. 6. Paste the Client ID in the Consumer Key field and the Client Secret in the Consumer Secret field. Click Apply to save your changes. 50.3.4 Troubleshooting Facebook Social Identity Providers This section documents known configuration issues that affect the Facebook Social Identity Provider. ■ Configuring WebLogic Server for Facebook Compatibility ■ Configuring WebLogic Server 10.3.5 and Older for Facebook Compatibility 50-10 Administrator's Guide for Oracle Access Management Defining Service Provider Interfaces 50.3.4.1 Configuring WebLogic Server for Facebook Compatibility Follow these steps to configure WebLogic Server to support Facebook. 1. Open the WebLogic Console. http://host:port/console 2. Choose Domain > Environment > Servers > Managed Server. 3. Click the SSL tab, then click Advanced. 4. Click Lock and Edit configuration. 5. Change the Host Name Verifier to None. 6. Restart the Managed Server. If Host Name Verifier is not set to None, the following error may display when trying to access a protected resource if Facebook is the Identity Provider: Exception in processRequest method: oracle.security.idaas.rp.RPException: oracle.security.idaas.rp.RPException: Request failed: 50.3.4.2 Configuring WebLogic Server 10.3.5 and Older for Facebook Compatibility Facebook's SSL certificate contains *.facebook.com as a wildcard host identifier. WebLogic Server versions 10.3.5 and older have a problem verifying host names that contain wildcards that can lead to communication failures between Facebook and installations of Oracle Access Management Mobile and Social deployed on WebLogic Server. The following workarounds are available. ■ ■ If using WebLogic Server versions 10.3.5 or older, follow these steps: 1. In the administration console, choose servers > oam_server_where_Mobile_and_ Social_is_deployed > SSL > Advanced. 2. Change Hostname Verifier to NONE. This WebLogic Server bug has been fixed in version 10.3.6 as follows: A new custom host name verifier SSLWLSWildcardHostnameVerifier was implemented, derived from the default host name verifier, so that it supports everything the default host name verifier does, including SANs. You must configure your WebLogic server to use this custom host name verifier if support for wildcard certificates is required during the SSL handshake. One option is to use the following WebLogic property: -Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildca rdHostnameVerifier 50.4 Defining Service Provider Interfaces The Service Provider Interface refers to the set of rules that govern the authentication flow for the specified Application Profile. Mobile and Social provides the following Service Provider Interfaces. ■ ■ DefaultServiceProviderInterface - provides support for web applications that run on Java-compliant application servers. OAMServiceProviderInterface - provides support for web applications that run on the Access Manager service. If necessary, a Java developer can write custom implementations of one or more of the Identity Provider interface contracts. This section includes the following topics: Configuring Social Identity 50-11 Defining Service Provider Interfaces ■ Creating a Service Provider Interface ■ Editing or Deleting an Service Provider Interface ■ Adding a Custom Service Provider Interface Implementation 50.4.1 Creating a Service Provider Interface 1. Open the Social Identity Home Page in the Oracle Access Management Console as described in Section 50.1, "Opening the Manage Social Identity Page." 2. Click Create in the Service Provider Interface panel in the home area. The Create New Service Provider Interface configuration page displays. 3. Enter values for the Service Provider Interface properties. ■ ■ 4. Name - Type a unique name for this Authentication Service Provider. Description - (Optional) Type a short description that will help you or another Administrator identify this service in the future. Enter values for the Interface Information properties as specified in Table 50–7. Table 50–7 Service Provider Interface Information Properties Name Notes IDP Selector Choose the IDP Selector implementation class for the custom Provider. NOTE: The console will not check the validity of the provided class. Post IDP Selector Choose the Post IDP Selector implementation class for the custom Provider. IDP Interaction Provider Choose the IDP Interaction Provider implementation class for the custom Provider. Registration Status Check Choose the Registration Status Check implementation class for the custom Provider. Session Creation Provider Choose the Session Creation Provider implementation class for the custom Provider. 5. Click Create to create the Service Provider Interface configuration object. 50.4.2 Editing or Deleting an Service Provider Interface To edit or delete a Service Provider Interface, select the Provider in the panel and click Edit or Delete on the panel's tool bar. See Section 50.4.1, "Creating a Service Provider Interface" for attribute descriptions. 50.4.3 Adding a Custom Service Provider Interface Implementation To add a custom interface implementation, create a new Social Identity Provider and choose a mix of custom and/or default implementation classes as needed to meet your business objectives. See "Developing Applications Using the Social Identity Client SDK" in the Developer's Guide For Oracle Access Management for information. 50-12 Administrator's Guide for Oracle Access Management Defining Application Profiles 50.5 Defining Application Profiles An Application Profile defines an application that uses Social Identity Provider services on the Mobile and Social server. Use this panel to configure mobile applications, web applications that run on Java-compliant application servers, and web applications that are integrated with Access Manager to use Social Identity. ■ ■ If a web application is not integrated with Access Manager, integrate the Social Identity login page with the web application. See the "Developing Applications Using the Social Identity Client SDK" chapter in the Developer's Guide for Oracle Access Management for details. If the web application is integrated with Access Manager, edit the preconfigured Application Profile named OAMApplication. When Access Manager and Mobile and Social are installed together during Oracle Access Management installation, both products are registered as trusted partners and the preconfigured Application Profile is included. As a result, you do not need to write code to integrate web applications that are integrated with Access Manager and Social Identity. The OAMApplication Application Profile that is included with Mobile and Social is preconfigured to work with Access Manager and requires only minor configuration changes to get working in your environment. Typically, when a WebGate is configured in Access Manager, an Application Domain is created involving resources and policies. In Mobile and Social, OAMApplication is the Application Profile that corresponds to the Access Manager Application Domain. So, if you define 10 WebGates in Access Manager, and each represents an application that needs to use Mobile and Social for user authentication, use OAMApplication as a template to create 10 corresponding Application Profiles with names that match the 10 Application Domains. When you install a WebGate to protect an application in Access Manager, the WebGate setup automatically creates an Application Domain that has LDAP as the authentication mechanism. To use Mobile and Social authentication, change the Authentication Scheme to OICScheme. Note: This section provides help for the Create Application Profile wizard and the Edit Application Profiles page. The following sections contain more information. ■ Creating an Application Profile ■ Editing or Deleting an Application Profile 50.5.1 Creating an Application Profile 1. Access the Manage Social Identity page as described in Section 50.1, "Opening the Manage Social Identity Page." 2. Click Create in the Application Profiles panel in the home area. The Create New Application Profile configuration page displays. 3. Enter values for the general Application Profile properties. ■ Name - Displays the context name of the web application or mobile application. This name should match the name registered with the agent protecting the resource. If the application is integrated with Access Manager, Configuring Social Identity 50-13 Defining Application Profiles the Application Domain name as defined in Access Manager is displayed. This should be the same value as that of the Name defined in the Mobile and Social Services Application Profile, if applicable. ■ ■ ■ Description - (Optional) Type a short description that will help you or another Administrator identify this service in the future. Shared Secret - For mobile or web applications, provide the security secret that the application and the Mobile and Social server share to facilitate secure communication. This is needed to use the Mobile and Social user registration functionality. It can be any string. Return URL - This value is not used if the application is a mobile application but it is a mandatory attribute. So for mobile applications, use the Mobile Application Return URL. For web applications, provide the URL that Mobile and Social should use to send back authentication responses. If the application is integrated with Access Manager, provide the following URL which Mobile and Social uses to send back authentication responses: http://oam-host:port/oam/server/dap/cred_submit ■ 4. Mobile Application Return URL - For mobile applications, provide the URL that Mobile and Social should use to send back authentication responses. This value should match the mobile application's return URL. Enter values for the following Application Profile configuration properties. ■ Login Type - If configuring a non-mobile application, choose Local Authentication and Social Identity Provider Authentication if the User login page should let users choose between authenticating locally and authenticating using an Identity Provider. If configuring either a mobile application or a non-mobile application, choose Social Identity Provider Authentication only if the User login page should not give the users the option of authenticating locally. The Mobile and Social login page supports Social Identity Provider Authentication only. Local login is not supported. Note: If configuring a mobile application, choose Social Identity Provider Authentication only from the Login Type menu. The Local Authentication and Social Identity Provider Authentication option is not valid for mobile applications. ■ ■ ■ Enable Browser Popup - Choose Yes if the login page should open in a pop-up window. This value should be false if this is a mobile application. User Registration - Choose Enabled to allow users to register with the application after authenticating against a Social Identity Provider. The login page for the application will show a User Registration form and prompt the User to register. The User can complete the form and register, or click the Skip Registration button. Choose Disabled if the login page should not show a User Registration form and should not prompt the User to register. Registration URL - Type the URL that the system should forward the User to so that the User can register for a local account. Typically the User is directed to a form with fields that correspond to the registration service attributes defined in the Application Profile. An encrypted token with attribute objects in a map are also passed to the client application as a parameter. These 50-14 Administrator's Guide for Oracle Access Management Defining Application Profiles attributes are used to pre-populate the registration page with the User's profile data. ■ ■ ■ ■ 5. UserID Attribute - Type the attribute name that is used to uniquely identify the User. This attribute name should also appear in the Application User Attribute section of the Application Profile Configuration page. User Profile Service Endpoint - Choose the User Profile Service endpoint that the application should use. The User Profile Service directs the application to the LDAP Directory service where the User will be created upon registration. User Profile Service endpoints are configured in Mobile and Social Services. Authentication Service Endpoint - The Authentication Service endpoint determines how the user should be authenticated when local login is requested. If a mobile application, choose InternetIdentityAuthentication or any custom authentication of the type InternetIdentityAuthentication. – Choose /oamauthentication to forward the authentication request to Access Manager. The authentication scheme associated with the Mobile and Social Authentication Policy inside the IAMSuite Application domain determines how the user will be authenticated. – Choose /internetidentityauthentication to use the Identity Store specified in the corresponding endpoint. Application Profile Properties - Click Add to add Application Profile attributes to the table. The following are supported. – app.passwd.field - Encrypts the password on the registration page. Add password as the value. To mask the password with asterisks (*) on the registration page, add the app.passwd.field property and add password as the value. – oic.app.idp.oauth.token - Instructs Mobile and Social to include the OAuth Access Token as part of the final redirect to the application. Add true as the value. Only applies if the User selected an OAuth provider (Facebook, Twitter, LinkedIn). – oic.app.user.token - Creates a JWT User Token when a User authenticates with an Identity Provider and gets redirected back to the application. Add true as the value. This token contains the Identity Provider related URI and the User identifier value on record with the Identity Provider. Use this token to access other protected Mobile and Social REST services, for example the User Profile REST Service. Click Add to add the Application User Attributes that the Social Identity Provider should return to the application after authentication. Configure more details for these attributes in the following Registration Service Details with Application User Attribute Mapping step. 6. Add rows to the Registration Service Details with Application User Attribute Mapping table to map local (User) registration attributes to the application attributes provided by the Social Identity Provider. Add any additional Application User Attributes in the previous step first. The following definitions apply to the Registration Service Details with Application User Attribute Mapping table properties. ■ Registration Service Attribute - Choose from the menu the registration service attribute to configure. Configuring Social Identity 50-15 Integrating Social Identity With Mobile Applications ■ ■ User Attribute Display Name - For the attribute in the Registration Service Attribute column, type the name that should appear on the User registration form. This is the attribute name that the user sees. Read-only - Select to prevent the user from updating the attribute value. The attribute value will display grayed-out on the form and the user will be blocked from making updates. Note: Do not select the Read-only option for First Name and Last Name if Yahoo is the Social Identity Provider. Yahoo does not return values for these attributes. Selecting the Read-only option will cause user registration to fail and an exception error to display. ■ ■ 7. Mandatory - Select to make the attribute a required item on the user registration form. Application User Attribute - Choose the attribute that corresponds to the attribute in the Registration Service Attribute column. Click Next to configure the Service Provider Interface. The Service Provider Interface page displays. 8. Choose the DefaultServiceProviderInterface from the drop down menu. For information about the Service Provider Interface, see Section 50.4, "Defining Service Provider Interfaces." 9. Click Next to configure the Social Identity Provider. The Social Identity Provider page displays. Use this section to select one or more Social Identity Providers, and to map local application user attributes to Social Identity Provider attributes. For example, to use an e-mail address as the unique local user identifier when Google is the Social Identity Provider: a. Select Google in the Social Identity Provider column. A two-column table opens. b. Create the mapping as follows: a. Choose uid in the first row of the Application User Attribute column. b. Choose e-mail in the Social Identity Provider User Attributes column. 10. Click Finish to create the Application Profile. 50.5.2 Editing or Deleting an Application Profile To edit or delete an Application Profile, select the Profile in the panel and click Edit or Delete on the panel's tool bar. See Section 50.5.1, "Creating an Application Profile" for attribute descriptions. 50.6 Integrating Social Identity With Mobile Applications You can configure Mobile and Social Services to allow applications on mobile devices to authenticate using Social Identity. Any application that needs to use Social Identity must have a corresponding Application Profile in Social Identity. If you want a mobile application to use Social Identity, the application needs to have a profile under Social Identity and under Mobile and Social Services. 50-16 Administrator's Guide for Oracle Access Management Linking Social Identity Provider Accounts 1. Under Social Identity, open the Create Application Profile wizard. 2. Populate the Application Profile attributes with values applicable to the mobile application being protected and click Next. See Section 50.5.1, "Creating an Application Profile" for attribute definitions. 3. Select the Service Provider Interface and click Next. See Section 50.4, "Defining Service Provider Interfaces." 4. Select the Social Identity Provider and click Next. See Section 50.2, "Understanding Social Identity Configuration." 5. View the Application Profile summary and click Finish to create the Application Profile. 6. Under Mobile and Social Services, open the Create Service Domain wizard. If modifying an existing Service Domain, open it for editing. See Section 49.4, "Defining Service Profiles" for information. 7. Complete the form as follows. ■ For Type, select Mobile Application. ■ For Authentication Scheme, select Social Identity Authentication. See Section 49.7, "Defining Service Domains" for information. 8. In the Application Profile Selection section, add the Mobile and Social Services Application Profile that represents the mobile application being protected and choose if it will participate in mobile SSO as an agent, a client or not at all. Select the appropriate Application Profile by browsing existing Profiles or entering a name. The Application Profile must already be created. (To create Mobile and Social Services Application Profiles, see Section 49.6, "Defining Application Profiles"; for Social Identity Application Profiles, see Section 50.5, "Defining Application Profiles.") 9. Click Next to select (or create) a Service Profile. See Section 49.4, "Defining Service Profiles." 10. Click Next to select the Service Protection. For example, use InternetIdentityAuthentication as the authentication service to protect the User Profile Services. 11. Click Next to view the Create Service Domain summary. 12. Click Finish to create the Service Domain. See "Integrating Social Identity With a Mobile Application" in the "Developing Applications Using the Social Identity Client SDK" chapter of the Developer's Guide for Oracle Access Management for more information. Note: 50.7 Linking Social Identity Provider Accounts Social Identity Account Linking allows users to link several Internet identities together with an existing or new local user account. The following sections contain information about how to enable and use this feature. Configuring Social Identity 50-17 Linking Social Identity Provider Accounts ■ Section 50.7.1, "Using Social Identity Provider Account Linking" ■ Section 50.7.2, "Configuring Social Identity Provider Account Linking" 50.7.1 Using Social Identity Provider Account Linking The following sequence documents the steps in the Account Linking Flow. 1. The user lands at the Mobile and Social Login Page. 2. The user is prompted to log in locally or with an Identity Provider. 3. The user selects Identity Provider Login (for example, Google) and enters password credentials. Once authenticated (and if determined that the user is already registered with a local account), the user is automatically logged in as the local user and then presented with a Linked Accounts page that has the option to link the Identity Provider to this local account. By clicking the link next to Google, the user will link the local account to the Google Identity Provider account. The user may choose to link and unlink additional Identity Providers from this page. Figure 50–1 illustrates this scenario. Figure 50–1 Social Identity Account Linking 2 Mobile Services (REST) User logs in using Enterprise ID 1 User Clicks Login 9 Return to user Third-Party Application IDP account is linked to Enterprise account 6 7 IDP account successfully linked 3 8 Authenticated user, requests account linking via IDP Internet Identity Services (RP) Account linking response comp lete User authenticated by IDP 5 4 Internet Identity (Google, Yahoo, etc.) User is redirected to IDP for authentication Additional scenarios include: ■ If the user logs into an Identity Provider account without having a local account and selects the Register option after Identity Provider authentication, an enterprise ID will be created and the Identity Provider account will be automatically associated with this enterprise ID. In other words, the user logs in with the Identity Provider Login ID and Mobile and Social creates a local account with the same user name as the Identity Provider Login ID. The user is then redirected to the linked accounts page associated with the newly created local account. From this page, the user may choose to link or unlink Identity Provider accounts or return back to the application. 50-18 Administrator's Guide for Oracle Access Management Linking Social Identity Provider Accounts ■ If the user logs in using the local account only, in the app the user has to choose the linked accounts page displaying Identity Providers. From this page, the user may choose to link (or unlink) Identity Provider accounts or return back to the app. When the accounts are linked, Social Identity will detect that the user is linked to a local account even when the user logs in using Identity Provider credentials. The linked accounts page can be provided by the relying party (by way of Social Identity) or a third-party application that hosts the options for linking accounts. In either case, the following items will need to be provided: Note: ■ ■ An API call (for example, AccountLinkingHelper.getProviders ()) listing the various Identity Providers that can be linked. This will include linkage status and IDs. An RP-specific account linking page (for example, linkedAccounts.jsp) that will display the various Identity Providers that can be linked. This will include linkage status and IDs. 50.7.2 Configuring Social Identity Provider Account Linking The properties documented in Table 50–8 need to be configured to use Account Linking. They are set in the Application Profile Properties table. Table 50–8 Account Linking Properties Property Details app.acct.link.enabled This configuration property is set to true to enable Account Linking. app.acct.link.attr Specify the OAM entity attribute name that corresponds to the LDAP attribute where the multi-valued account linking information is to be stored. Use the OAM entity attribute name defined in the IDS Profile. To look up this name in the OAM console, choose Configuration > User Identity Stores > IDS Profiles. Select the identity profile and click edit, then click Entity Attributes. The Entity Attributes page lists both the entity attribute names defined by OAM, and the corresponding LDAP physical attributes. Use the OAM name listed in the first column. Note: This value is case-sensitive. The following should also be taken into account when enabling Account Linking. ■ ■ ■ ■ Ensure the proxy setting is correct. This setting can be found by navigating the Oracle Access Management Console: System Configuration > Mobile & Social > Mobile & Social Settings. Images for Identity Provider icons or logos can only be specified using WLST. If the image path starts with http, the image is retrieved from the location using the img tag. Otherwise, it uses the internal references that come with Social Identity. Ensure that the username attribute and the account linking attribute are different. If they are the same then it can cause inconsistent behavior. For example, you can set the username attribute to uid and the linking attribute to mail. Set the Shared Secret for the application. Set the Auth Scheme on the authentication policy to point to OICScheme and ensure that the settings are Configuring Social Identity 50-19 Linking Social Identity Provider Accounts correct. For example, the MatchLDAPAttribute should match the username attribute set in the relying party Application Profile, typically uid. 50-20 Administrator's Guide for Oracle Access Management 51 Configuring Social Identity System Settings 51 [3This ] chapter discusses system configuration tasks for the Oracle Access Management Social Identity. It contains the following sections. ■ Accessing the Social Identity Settings Interface ■ Logging and Auditing ■ Deploying Mobile and Social With Oracle Access Manager ■ Configuring Social Identity After Running Test-to-Production Scripts ■ Configuring Social Identity for High Availability (HA) ■ Enabling the REST Client to Specify the Tenant Name 51.1 Accessing the Social Identity Settings Interface Use the Social Identity Settings page in the Oracle Access Management Console to configure system level settings. You can perform many Social Identity configuration tasks from the command line using the WebLogic Scripting Tool (WLST). For more information, see the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Note: Follow this procedure to access the Manage Social Identity page. 1. In the Oracle Access Management Console, click Configuration at the top of the window. 2. Select Social Identity from the View menu in the Settings section. 51.1.1 Understanding the Social Identity Settings Page This section describes the form fields on the Social Identity Settings page. Configuration Settings for Social Identity Configure the following Social Identity settings if a proxy server is in place between the Social Identity server and an Identity Provider. ■ ■ Proxy URL - Choose the protocol to use to connect to the proxy server (HTTP or HTTPS), then type the proxy server host name and port number. Proxy Authentication - Type the user name and password required to authenticate with the proxy server. Configuring Social Identity System Settings 51-1 Logging and Auditing ■ SAE Token Validity Period - Type the number of seconds that the system should wait before expiring the Secured Attribute Exchange token. SAE is the default scheme used to secure communication between the Social Identity server and any application integrating directly with Social Identity. 51.2 Logging and Auditing For information about Fusion Middleware logging, see the "Monitoring Oracle Fusion Middleware" chapter in the Oracle Fusion Middleware Administrator's Guide. For information about Fusion Middleware auditing, see the "Configuring and Managing Auditing" chapter in the Oracle Fusion Middleware Application Security Guide. 51.3 Deploying Mobile and Social With Oracle Access Manager Mobile and Social can be configured for use with either Oracle Access Manager 10g or 11gR1 PS1. For this to work, however, Oracle Access Manager and Mobile and Social need to be installed on different servers in different domains. Mobile and Social and Oracle Access Manager then need to be configured to work together. The following procedure documents how to do this using Oracle Access Manager 11gR1 PS1. Before you Begin - Install Social Identity on Host 1 and Oracle Access Manager 11gR1 PS1 on Host 2. 1. Log on to the Oracle Access Management Console on Host 2 and create a Webgate profile for Social Identity using the default settings. 2. In Social Identity, create an Authentication Service Provider for Oracle Access Manager 11.1.1.5. See Section 49.3.1.3, "Creating an Authentication Service Provider," for instructions. Set the Attributes as described in the following table. Table 51–1 Attribute Settings for an Oracle Access Manager 11gR1 PS1 Authentication Service Provider Name Value OAM_VERSION OAM_10G DEBUG_VALUE 0 TRANSPORT_SECURITY OPEN OAM_SERVER_1 host:port OAM_SERVER_1_MAX_CONN 4 OAM_SERVER_2 host:port OAM_SERVER_2_MAX_CONN 4 AuthNURL wl_authen://Authen/Basic 3. In Social Identity, create a Service Profile for the Authentication Service Provider that you created in the previous step. See Section 49.4, "Defining Service Profiles," for instructions. 4. In Social Identity, create a Service Domain. See Section 49.7.1, "Creating a Service Domain," for instructions. 51-2 Administrator's Guide for Oracle Access Management Deploying Mobile and Social With Oracle Access Manager 5. Merge the cwallet.sso file on Host 2 with the cwallet.sso file on Host 1 as follows: a. Copy cwallet.sso from Host 2 to Host 1. b. On Host 1 type # mkdir /tmp/oam /tmp/oic # cp /cwallet.sso /tmp/oam # cp config/fmwconfig/cwallet.sso /tmp/oic c. Create file merge-creds.xml: File-based credential provider d. Set the path variable to include $MW_HOME/oracle_common/bin:$MW_ HOME/oracle_common/common/bin e. Execute the command to merge the cwallet.sso files: # wlst.sh wlst:/> migrateSecurityStore(type="credStore", configFile="/tmp/mergecreds.xml",src="FileSourceContext",dst="FileDestinati onContext") f. Copy the merged file to config/fmwconfig: # cp /tmp/oic/cwallet.sso /scratch/kerwin/wls10/user_projects/domain/base_ domain/cfnfig/fmwconfig Configuring Social Identity System Settings 51-3 Configuring a Webgate to Support Social Identity g. Restart the OAM Server on Host 1. 51.4 Configuring a Webgate to Support Social Identity This section describes how to configure a Webgate for use with the OAuth Service. The Webgate serves as a proxy so that client authorization and token endpoint requests access the Webgate instead of accessing the Oracle Access Management server directly. These steps are for WebLogic environments only. 1. Install the Oracle HTTP Server 11g Webgate for OAM using the instructions in Installing Webgates for Oracle Access Manager. 2. Configure the Webgate by defining the following resource and creating an authentication policy and authorization policy. a. Open the Oracle Access Management console. b. Under Access Manager, click Application Domains. c. Find the target domain and open it for editing. d. Select the Resources tab. e. Create the following resource. If you are using the existing IAMSuiteAgent Host Identifier, the resource is already present and can be searched on using the Resource URL field. /ms_oauth/oauth2/ui/** Click to select the resource, then click the Edit button. f. Under the Protection heading, choose the following options from the menus and click Apply: Protection Level - Protected Authentication Policy - Protected HigherLevel Policy Authorization Policy - Protected Resource Policy These settings allow the Webgate to perform user authentication and user authorization. g. Add the following resources and set the Protection Level to Excluded: /ms_oauth/oauth2/endpoints/** /ms_oauth/oauth2/oammsui/** /ms_oauth/style/** /ms_oauth/img/** /oam/** The Webgate does not protect Excluded resources and allows them to be accessed. 3. Add the following lines to the mod_wl_ohs.conf file and restart the Webgate. For WebLogicPort, be sure to add the managed port details for your environment. # the following directive proxies all the OAuth requests WebLogicHost host123.us.example.com WebLogicPort 17100 Debug ON WLLogFile /tmp/weblogic.log MatchExpression /ms_oauth/* 51-4 Administrator's Guide for Oracle Access Management Configuring a Webgate to Support Social Identity # the following directive proxies all the OAM managed server requests. WebLogicHost host123.us.example.com WebLogicPort 17100 Debug ON WLLogFile /tmp/weblogic.log MatchExpression /oam/* 4. 5. Update the Access Manager Load Balancing settings as follows: a. In the Oracle Access Management console, click Configuration at the top of the window. b. Select Access Manager from the View menu in the Settings section. c. In the Load Balancing section, change the OAM Server Host and the OAM Server Port settings to the Webgate's host and port settings. d. Click Apply. Complete the following steps. a. Open $ORACLE_HOME/ORACLE_IDM1/oam/server/apps/ and locate the oam-server.ear file. For example: cd /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps b. Back up the.ear file: cp oam-server.ear oam-server.ear.original c. Create a temporary directory and go to that directory: mkdir tmp-ear cd tmp-ear/ d. Extract the oam-server.ear file into the tmp-ear directory: jar -xvf ../oam-server.ear e. Create another temporary directory inside tmp-ear and go to that directory: mkdir tmp-ms-war cd tmp-ms-war You should be in this directory: /scratch/test/Oracle/Middleware/Oracle_ IDM1/oam/server/apps/tmp-ear/tmp-ms-war f. Extract the ms_oauth.war into the tmp-ms-war directory: jar -xvf ../ms_oauth.war g. Open the WEB-INF/web.xml file for editing and update it by adding comment tags around the security-constraint as follows: h. Recreate the.war file in the tmp-ms-war directory: jar cvf ms_oauth.war i. Copy the updated.war file to the parent directory, then remove the tmp-ms-war directory located in tmp-ear/: cp /scratch/test/Oracle/Middleware/Oracle_ IDM1/oam/server/apps/tmp-ear/tmp-ms-war/ms_oauth.war /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear rm -rf /scratch/test/Oracle/Middleware/Oracle_ IDM1/oam/server/apps/tmp-ear/tmp-ms-war j. Create the oam-server.ear archive in the tmp-ear directory: jar cvf oam-server.ear . k. Copy the tmp-ear/oam_server.ear archive file to the parent directory: cp /scratch/test/Oracle/Middleware/Oracle_ IDM1/oam/server/apps/tmp-ear/oam-server.ear /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/oam-server.ear l. Restart the WebSphere server. The Webgate will now reverse-proxy OAuth URLs as well as OAM managed server URLs. All authorization and token endpoint requests are now accessed using the Webgate host and port values instead of the actual OAM host and port values. 51.5 Configuring Social Identity After Running Test-to-Production Scripts When moving Social Identity from a test environment to a production environment, complete the following configuration steps on each production machine after running the Test-to-Production scripts. 1. In the Oracle Access Management Console, click Application Security. 2. Click Authentication Schemes in the Access Manager section. 3. Find the OICScheme scheme and open it for editing. 4. Update the Challenge Redirect URL value to point to the production machine (not the test machine) and click Apply. For example: https://production_machine:port/oic_rp/login.jsp 5. Run the following WLST command to update the Social Identity credential store framework (CSF) entry to point from the test machine to the production machine. createCred(map="OIC_MAP", key=" https://:/oam/server/dap/cred_submit ", user="="", password=" DCC5332B4069BAB4E016C390432627ED", desc=""); 51-6 Administrator's Guide for Oracle Access Management Enabling the REST Client to Specify the Tenant Name For password, use the value from the RPPartner entry, TapCipherKey attribute in oam-config.xml, located in the domain home/config/fmwconfig directory on the production machine. 6. In the Oracle Access Management Console, do the following: a. Click Mobile Security at the top of the window. b. Click Mobile and Social Services. c. In the Application Profiles section, select OAMApplicaton and click Edit. (If using an application profile name other than OAMApplication, edit that instead.) d. Update the Registration URL field host name and port to point to the production machine. Click Apply. 51.6 Configuring Social Identity for High Availability (HA) For information about configuring Social Identity High Availability, see "Configuring High Availability for Social Identity" in the Fusion Middleware High Availability Guide for Oracle Identity and Access Management. 51.7 Enabling the REST Client to Specify the Tenant Name Follow these steps to enable the REST client to specify the tenant name. Refer to "Specifying the Tenant Name in the Header" in the Developer's Guide for Oracle Access Management for more information. 1. Navigate to the following directory: ~/OAM-Domain-dir/bin 2. In a text editor, add the following line to the ./startManagedWebLogic.sh file: MT_OPTION="-Doracle.multitenant.headername=MY-MT-NAME" JAVA_OPTIONS="${MY_OPTIONS} ${JAVA_OPTIONS}" export JAVA_OPTIONS If you do not specify the JVM option, the server will expect the client to use the default header name, X-ID-TENANT-NAME. Note: 3. Save the file. Configuring Social Identity System Settings 51-7 Enabling the REST Client to Specify the Tenant Name 51-8 Administrator's Guide for Oracle Access Management Part XII Part XII Managing the Oracle Access Management OAuth Service The Oracle Access Management OAuth Service allows organizations to implement the open standard OAuth 2.0 Web authorization protocol in an Access Manager environment. OAuth enables a client to access Access Manager protected resources that belong to another user (that is, the resource owner). Part IX contains the following chapters: ■ Chapter 52, "Understanding OAuth Services" ■ Chapter 53, "Configuring OAuth Services" 52 Understanding OAuth Services 25 [34OAuth ] provides a method to exchange identity credentials for an access token. This token, in return, can be used for granting access of private resources in a user's account on one service provider site to a second, consumer site without having to divulge the identity credentials to the consumer site. Oracle Access Management implements the OAuth Core 2.0 specifications to offer OAuth Services. This chapter describes the purpose and capabilities of the Oracle Access Management OAuth Services. It includes the following topics. ■ Using Oracle Access Management OAuth Services ■ Understanding OAuth Services Authorization for Web Clients ■ Understanding OAuth Services Authorization for Mobile Clients ■ Understanding the OAuth Services Components ■ Understanding OAuth Services Tokens ■ Understanding the Authorization and Authentication Endpoints ■ Enforcing Access Control ■ Understanding Mobile OAuth Services Server-Side Single Sign-on ■ Understanding OAuth Services Plug-ins 52.1 Using Oracle Access Management OAuth Services OAuth is an open standard authorization protocol that provides authentication and access control between a Client (including mobile apps and Web services) and a Resource Owner (or Service Provider) on the Web. Oracle Access Management OAuth Services is based on this standard and designed: ■ To address enterprise-level extranet use cases. ■ To provide secure mobile access to APIs. ■ ■ To leverage built-in Oracle Access Management features (including authentication schemes, strong authentication, fraud detection, session management and federated authentication). To secure confidential clients with a high level of security. Oracle Access Management OAuth Services are available for Web clients or for mobile clients. OAuth Services for Web clients implement the standard OAuth 2.0 use cases. In this case, the clients rely on a Client ID/Client Password (or secret) to secure itself. For an example, see http://tools.ietf.org/html/rfc6749#page-4. Understanding OAuth Services 52-1 Understanding OAuth Services Authorization for Web Clients Mobile OAuth Services is an extension on top of the standard OAuth specification in which the identity of the mobile client is secured through application registration, and a credential specific to the mobile client is included with a request for access. As mobile clients store passwords on mobile devices, they can not be confidential like Web clients so the identity of the mobile client is established through device/app registration before accessing REST or Web services using the OAuth Services Access Token. Thus, the key difference between the standard Web and mobile OAuth Services use cases is that the mobile client is secure before it can request an Access Token (through device/app registration) whereas a standard OAuth Web client uses a credential like password or an assertion to self identify. Section 53.1, "Enabling OAuth Services" contains details on how OAuth Services and Mobile OAuth Services are enabled and configured separately. See the following sections for details on how OAuth Services works. ■ Understanding OAuth Services Authorization for Web Clients ■ Understanding OAuth Services Authorization for Mobile Clients 52.2 Understanding OAuth Services Authorization for Web Clients In the most common OAuth scenario, the Client accessing the protected resource is issued a different set of credentials than those of the user. (In this case, the user does not disclose their credentials to the client.) Oracle Access Management OAuth Services acts as the intermediary Authorization Server, interacting directly with the Client, the service hosting the user's protected resource (Resource Owner) and the server on which the resource is located (Resource Server). It issues access tokens to a Client that has (already) successfully authenticated with the Resource Server - in effect, authorizing the client to access private resources or activities on the server. A single Authorization Server instance can issue access tokens accepted by multiple resource servers. OAuth does not impose special requirements on the interaction between a Resource Server and an Authorization Server. Note: The following sections describe web-based scenarios in which OAuth Services works. ■ Understanding 3-Legged Authorization ■ Understanding 2-Legged Authorization The scenarios introduce the concept of OAuth Services endpoints. For detailed information on these endpoints, see Understanding the Authorization and Authentication Endpoints. The scenarios also use terms documented in Understanding the OAuth Services Components including the following: ■ ■ ■ ■ The Resource Owner refers to the user requesting access to a protected resource. The Client is the mobile app or Web service through which the Resource Owner is requesting access to a protected resource. OAuth Services refers to the Authorization Server, Oracle Access Management. The Resource Server is the machine on which the protected resource is stored. It can be any website or Web service where restricted resources are located; for example, a photo sharing site, a blogging platform and an online bank service control access to private resources and activities. The Resource Server is deployed in a different location from Oracle Access Management and the Client. The Resource Server needs to be capable of accepting and responding to protected 52-2 Administrator's Guide for Oracle Access Management Understanding OAuth Services Authorization for Web Clients resource requests using access tokens. The Resource Server must also validate the access token with OAuth Services as described in Enforcing Access Control. 52.2.1 Understanding 3-Legged Authorization In 3-legged authorization, the Resource Owner grants access to an OAuth-enabled Client to request access to resources stored on an OAuth protected Resource Server. Oracle Access Management OAuth Services validates the Resource Owner's identity and presents the owner with a consent form in a Web browser when approval is required. The third leg in this authorization scheme is the step in which the user grants or denies the client access. The following text has more details and Figure 52–1 illustrates the process. A WebGate proxy is required to use 3-legged authorization with an external LDAP directory server. See Section 53.5, "Configuring a WebGate to Protect OAuth Services" for details. Note: 1. The Resource Owner (user) undertakes an action in the user-agent (a browser, for example) that requires the Client web service (or app) to access protected resources belonging to the user on a different site. 2. The Client initiates the OAuth flow by invoking the OAuth Services authorization endpoint to get a request token. The Client sends its identifier, the requested scope, and a redirection URI to which the Authorization Server will direct the user-agent once access is granted or denied. 3. OAuth Services redirects the user-agent to request the Resource Owner's password credentials. 4. Access Manager displays a login page requesting a user name and password from the Resource Owner. OAuth Services supports all authentication schemes provided by Access Manager. 5. The Resource Owner enters a user name and password. 6. Access Manager validates the credentials, returns a request token and redirects the user-agent to OAuth Services. 7. OAuth Services determines that the Resource Server requires the user's consent before the authorization code can be sent to the Client. 8. OAuth Services displays the user consent form. Web-based clients require the consent form to be protected by a WebGate.For details, see Section 53.5, "Configuring a WebGate to Protect OAuth Services." 9. The user approves the request. 10. OAuth Services returns an authorization code to the Client using the redirection URI. The Authorization Code grant type is required for 3-legged authorization. See Section 52.4.3, "Understanding Clients" for details. Note: 11. The Client sends the authorization code in a POST request (including the redirection URI used to obtain the authorization code for verification) to the token endpoint and requests an OAuth access token. When making the request, the Client authenticates with OAuth Services. Understanding OAuth Services 52-3 Understanding OAuth Services Authorization for Web Clients 12. If the client type requires client credentials, the OAuth Services authenticates the client credentials, validates the authorization code, and ensures that the redirection URI received matches the URI previously used to return the authorization code. OAuth Services also validates the requested scope based on the Resource Server's configuration and the user's consent details. 13. OAuth Services returns an access token to the Client. A refresh token may also be returned with the access token if the client sends a refresh token request. For more information, see Section 52.5, "Understanding OAuth Services Tokens." 14. The Client presents the access token to the Resource Server. 15. The Resource Server validates the access token by sending a request to the OAuth Services token endpoint and waits for a success or failure response. 16. OAuth Services validates and sends the token success or failure response back to the Resource Server. 17. If the token is deemed valid, the Resource Server returns the requested resource to the Client. Figure 52–1 OAuth 3-Legged Flow Diagram User Agent Client Application OAM User Login Resource Server Token Service Authorization Service 1. Access Client App 2. Authorization request 3. Redirect to OAM user login 4. OAM user login UI 5. Enter user credentials 6. OAM redirect to authorization after valid login 7. User needs to give consent 8. Show user consent page 9. User gives consent 10. Return authorization code client app 11. Access token request 12. Verify client and user consent 13. Return access token after validation 14. Access the resource with access token 15. Validate access token 16. Access token validation response 17. Return resource details to client 52.2.2 Understanding 2-Legged Authorization In 2-legged authorization, the OAuth Client is pre-approved to access resources; thus, the user consent form step (described in Understanding 3-Legged Authorization) is not required. In this scenario, Access Manager returns a request token to the Client which the client sends to OAuth Services to request an access token. Because the request token is pre-authorized, OAuth Services token service returns an access token 52-4 Administrator's Guide for Oracle Access Management Understanding OAuth Services Authorization for Mobile Clients to the Client without displaying the consent form. This arrangement fits a service-to-service model, especially when the requesting service (Client) and the Resource Server are in a close partnership and Resource Owner approval is either assumed or not required. The Client Credentials grant type or the Resource Owner Credentials grant type are required for 2-legged authorization. See Section 53.3.3, "Configuring Clients" for more information. Note: 52.3 Understanding OAuth Services Authorization for Mobile Clients The Mobile OAuth Services authorization scenario supports mobile apps that run in a browser as well as device-native apps that do not use a browser or just use the browser during user authentication. This scenario provides enhanced security support (in addition to the baseline security measures defined in the OAuth 2.0 specification) including: ■ ■ ■ Client apps must be registered with OAuth Services in the Identity Domain that your organization uses to manage Mobile OAuth Services clients. Mobile applications must register with Oracle Access Management prior to using OAuth Services and each registration is specific to one app on the device. After the application registration, the mobile app will have a client token. It uses this token as the security credential for making Access Token requests. In comparison, the OAuth web client uses either a credential-like password or an assertion to identify itself. This scenario supports user consent management. If consent management is enabled, the client app prompts the user to accept or decline the app's request to register with Access Manager. This consent is controlled with the "Require User Consent for Client Registration" attribute under the Service Profiles. If set, the user will be asked to confirm app registration; if off, the user will not be asked. See Section 53.3.2, "Configuring Service Profiles." Note: ■ ■ Except for access tokens (and user tokens if server-side SSO is disabled), the server does not send security material, such as OAAM device and session handles to the client on the mobile device, but stores it in the Server-Side Device Store. Access tokens are both sent to the client and stored in the Server-Side Device Store to provide for validation and life cycle management. The OAM server component can restrict token delivery to a specific app installed on a specific device by sending part of a token through HTTPS, and sending the other part through push notification using either the Apple Push Notification Service (APNS) or Google Cloud Messaging (GCM). Figure 52–2 illustrates this. Understanding OAuth Services 52-5 Understanding OAuth Services Authorization for Mobile Clients Figure 52–2 Using a Split Request to get a Client Verification Code User Mobile Client App Token Service Push Service APNS / GCM Service Typical communication pattern involving APNS 1. Launch app 2. Acquire pre-Authorization code 3. Return first part of pre-authorization code 4. Request second part of pre-authorization code 5. Receive second part of pre-authorization The following scenario describes the additional interactions that Oracle Access Management undertakes when authenticating with a mobile client. The process is illustrated in Figure 52–3. 1. The Resource Owner opens the Client mobile app. An Oracle Access Management administrator has already registered this Client app as a Mobile OAuth Services Client. 2. The Mobile Client sends the client ID and the device token to OAuth Services and requests a client verification code. 3. OAuth Services returns half of the client verification code over HTTPS or HTTP. See Figure 52–2. This behavior can be configured in the Mobile Service Settings section of the OAuth Services Profile configuration page. ■ ■ If the security level is set to Advanced, all codes and tokens are returned using both HTTP and push notification. If the security level is set to Standard mode, all codes and tokens are sent over HTTP only. The rest of this scenario (beginning with step 4) contains details for when the security level is set to Advanced. 4. The Mobile client requests the second half of the client verification code from the OAuth Services push endpoint. The push endpoint forwards the request to the APNS or the GCM service depending on the mobile device’s operating system. 5. The APNS or GCM service sends the second half of the client verification code to the Client app. 6. The Mobile client requests an authorization code from OAuth Services by sending the client verification code and the device token. 7. OAuth Services redirects the request to Access Manager. 8. Access Manager sends a login page to the user-agent so that the user can log in. 9. The Resource Owner (user) enters a user ID and password. 10. Access Manager validates the login and redirects to OAuth Services. 52-6 Administrator's Guide for Oracle Access Management Understanding OAuth Services Authorization for Mobile Clients 11. OAuth Services is configured to obtain the user's approval to register the device. (It will not ask for the user's consent to register if Require User Consent for Client Registration is disabled on the OAuth Services Profile Configuration page.) 12. The consent page is sent to the Resource Owner. 13. The Resource Owner provides (or denies) consent. 14. OAuth Services checks the Oracle Adaptive Access Manager (OAAM) plug-in to determine if additional authentication steps are required. 15. The plug-in determines that an additional challenge question is required. 16. The OAAM challenge question is sent to the Resource Owner. 17. The Resource Owner provides the challenge answer which is forwarded to the OAAM plug-in. 18. The OAAM plug-in validates the challenge answer. 19. OAuth Services uses the mobile redirect URI to return half of the authorization code that the mobile app will need to request a client token. 20. The Mobile OAuth Services client requests the second half of the authorization code from OAuth Services push endpoint. The push endpoint forwards the request to the APNS or GCM service. 21. The mobile client app receives the second half of the authorization code from the APNS or GCM service. The mobile client app assembles the authorization code in preparation for requesting a client token. 22. After validating the authorization code, the Mobile OAuth client uses the code to request the first half of the client token from the OAuth Services token endpoint. 23. The token endpoint returns the first half of the client token to the mobile client. 24. The mobile client requests the second half of the client token from the OAuth Services push endpoint. 25. The APNS or GCM service sends the second half of the client token to the mobile client app. The mobile client assembles the client token as well as a refresh token. The client can use the refresh token to request a new client token. 26. The mobile client prepares to request an access token by completing the following steps: ■ ■ ■ ■ The Client requests and receives a client verification code from OAuth Services. The Client requests and receives the first part of the authorization code from OAuth Services. The resource owner does not need to log in if the user session is still valid. User consent may be required based on the Resource Server scope to which the Client is requesting access. ■ The OAAM plug-in does not repeat its challenge. ■ The client requests the second part of the authorization code. 27. The APNS or GCM service returns the second half of the authorization code for the access token. Understanding OAuth Services 52-7 Understanding OAuth Services Authorization for Mobile Clients The Client assembles the authorization code in preparation for the access token request. 28. The mobile client requests an access token by sending the client token and the access token authorization code. 29. The token endpoint sends the access token to the client. This behavior depends on whether the Security Level setting in the Mobile Service Settings section of the OAuth Services Profile configuration page is set to Advanced or Standard. 30. The Mobile OAuth Services client requests access to the protected resources by sending the access token to the Resource Server. 31. The Resource Server validates the access token with the OAuth Services token service. The Resource Server can also validate the token locally. If the certificates are configured correctly, JWT token signing is verified at the Resource Server. 32. The OAuth Services token service sends a response to the Resource Server. 33. The Resource Server sends the requested resources to the mobile client. 52-8 Administrator's Guide for Oracle Access Management Requested resources received. Access token received. Client token assembled along with a refresh token. Authorization code assembled in preparation for the access token request. Client token assembled along with a refresh token. Authorization code assembled in preparation for the client token request. Push Service 6. Authorization request with pre-authorization code APNS / GCM Service 16. Show user challenge question 32. Token validation response 30. Request resources with AT 29. Return to complete access token (AT) 28. Acquire AT with client token + authorization code 27. Client receives the second part of the authorization code Step 26: The client prepares to request an access token by completing the following steps: * The client requests and receives a pre-authorization code from the OAuth server (as shown in steps 2-5). The client requests and receives the first part of the authorization code from the OAuth server (as shown in step 6, steps 10-13, and step 19). * The client requests the second part of the authorization code (as shown in steps 20-21). Steps 22-25: Client gets a client token by including the authorization code in a split request to the Token Service and the APNS/GCM Service. OAM User Login 7. Redirect to OAM user login 19. Return first part of authorization code through mobile redirect URL Resource Server 33. Resource response 31. Validate access token 18. Plug-in validates the challenge answer 15. Plug-in may decide to challenge Adaptive Access Plug-in 14. Check with plug-in before returning to authorization code 11. User needs to give consent Authorization Service 10. OAM redirect to authorization after valid login 8. OAM user login UI User Agent 12. Show user consent page 21. Client receives the second part of the authorization code 20. Request the second part of the authorization code (in preparation for requesting a client token) 17. User provides challenge answer 13. User gives consent Token Service Steps 2-5: Get a pre-authorization code by sending a split request to the Token Service and the APNS/GCM Service. Mobile Client App 9. Enter user ID and password 1. Launch app User Understanding OAuth Services Authorization for Mobile Clients Figure 52–3 The Complete Mobile App Authorization Request Flow Understanding OAuth Services 52-9 Understanding the OAuth Services Components 52.4 Understanding the OAuth Services Components The following sections contain information about the Identity Domains configuration options. Information in the following sections applies to both Identity Federation and Mobile Security OAuth Services except for the Jailbreak Detection Policy which is specific to Mobile Security OAuth Services. See Chapter 53, "Configuring OAuth Services" for details on configuring these components. ■ Understanding Identity Domains ■ Understanding Service Profiles ■ Understanding Clients ■ Understanding Service Providers ■ Understanding Resource Servers ■ Understanding Plug-Ins ■ Understanding Server Settings ■ Understanding Jailbreak Detection Policy ■ Understanding Token Life Cycle Management 52.4.1 Understanding Identity Domains Identity Domains are entities that contain all artifacts required to provide standard OAuth Services or Mobile OAuth Services. Each Identity Domain is an independent entity. One of the primary use cases of the Identity Domain is for multi tenants deployments. Each Identity Domain will correspond to a tenant. This can apply to different departments in an organization if there is a need for independence. This will also be useful for cloud deployments where each Identity Domain can correspond to a separate tenant or entity. The following artifacts are just some of the components configured within an OAuth Services Identity Domain. ■ One or more Service Profiles ■ One or more Clients ■ A Service Provider ■ One or more Resource Servers ■ Plug-ins ■ Server Settings ■ Token Life Cycle Management (search for and revoke tokens across an Identity Domain) For information on configuring Identity Domains, see Section 53.3.1, "Configuring Identity Domains." 52.4.2 Understanding Service Profiles A Service Profile defines the following settings. ■ ■ ■ The clients with whom OAuth Services can interact The Custom and System Resource Servers that OAuth Services protects and to which it provides access Refresh token settings, token expiration settings, and the option to enable the token life-cycle management 52-10 Administrator's Guide for Oracle Access Management Understanding the OAuth Services Components ■ The User Profile Service and Consent Management Service profiles ■ The enabled security profile plug-ins ■ ■ The mobile service settings, including security settings for the supported mobile platform(s) The root URL for the OAuth Services endpoints If necessary, you can create multiple Service Profiles. Different Service Profiles may be needed if different clients or resources need to be grouped, or different token settings are required, or there are different service endpoints with different configuration settings. Being able to create multiple Service Profiles gives flexibility to configuration options although in most cases it may not be needed. For information on configuring Service Profiles, see Section 53.3.2, "Configuring Service Profiles." 52.4.3 Understanding Clients The Client initiates the OAuth protocol by invoking the OAuth Services. Client profiles must be created using the OAuth Services interface (in the Oracle Access Management Console) before the protocol can be initiated. At a minimum, client profiles include the application name, a client ID, and one or more URIs to which OAuth Services will redirect the user-agent once access is granted or denied. An OAuth Services Client can be defined as Web, Public or Mobile. ■ ■ ■ Web clients are assigned with a client ID and secret. These clients can interact with the OAuth Services server by sending the client ID and secret as part of an authorization header. It is up to each individual client to determine how the secret issued to them is securely stored. Public clients are assigned with a client ID but no secret. Typically these profiles pertain to browser based applications like Javascript or can be mobile based apps. Mobile clients are assigned with a client ID and the secret is dynamically generated as part of a mobile client’s registration flow with OAuth Services. (The registration flow is proprietary and was developed by extending the OAuth specification.) The client ID and secret are explained in the following bullet points. ■ ■ The Client ID is a unique string that represents the registration information and is required for each client. You can create a unique client ID or have OAuth Services generate one. OAuth Services compares the defined Client ID with the value the client sends over HTTPS or HTTP as part of an authorization request. If the values do not match, the request is rejected. Client IDs are Base64 encoded when they are sent as authorization header. The Client secret is the client password. You can create a unique client secret or have OAuth Services generate one. Web clients are required to have a Client ID and a Client secret. Mobile clients and Public clients, on the other hand, do not have a client secret and are given only a Client ID. To request an access token, the client obtains authorization from the resource owner. The authorization is expressed in the form of an authorization grant, which the client uses to request the access token.The OAuth 2.0 specification provides authorization grant types for different security use cases. OAuth Services has implemented some of these grant types. Web, Public and Mobile Clients can access the various OAuth Services grant types that are appropriate to them. For example, the Client Verification Code grant type is only relevant to mobile clients. The following grant types are supported by OAuth Services. Understanding OAuth Services 52-11 Understanding the OAuth Services Components (For general information about the OAuth specification grant types, see http://tools.ietf.org/html/rfc6749#section-1.3. Note: ■ ■ ■ ■ ■ ■ ■ ■ Authorization Code - The Resource Owner logs in using Oracle Access Management. The token endpoint exchanges the authorization code along with client credentials for an access token. The Authorization Code grant type is required for 3-legged flows. Resource Owner Credentials - The Resource Owner provides the client with a user name and password. This is only suitable for highly trusted client applications because the client could abuse the password, or the password could unintentionally be disclosed to an attacker. Per the OAuth 2.0 specification, the authorization server and client should minimize use of this grant type and utilize other grant types whenever possible. The Resource Owner Credentials grant type is required for 2-legged authorization scenarios. Client Credentials – The client requests an access token using only its client credentials (or another supported means of authentication). This is suitable if the client is requesting access to protected resources under its control, or those of another resource owner when previously arranged with the authorization server. The Client Credentials grant type is required for 2-legged authorization scenarios. Refresh Token - Select this option to return a refresh token together with an access token in the token response. See Section 52.5, "Understanding OAuth Services Tokens" for more information. JWT Bearer - Allows a JWT assertion to be used to request an OAuth Services access token. SAML 2 Bearer - Allows a SAML2 assertion to be used to request an OAuth Services access token. OAM Credentials - Used to request OAM tokens, such as a master token, an access token, or an OAuth Services access token. Client Verification Code - Used by Mobile OAuth Services clients to request a pre-verification code which subsequently gets used in mobile client flows. Privileges and Allowed Scopes can also be configured on a client by client basis. OAuth Services allows for the configuration of scopes to bypass the need for user consent. Thus, you can configure Privileges to define which clients are allowed which grant types. If applicable, the Client will then obtain an authorization grant that can be exchanged with OAuth Services for an access token. For information on configuring Clients, see Section 53.3.3, "Configuring Clients." 52.4.4 Understanding Service Providers The Service Provider settings are used to manage the connection between OAuth Services and Access Manager, the back-end authorization Service Provider that supports OAuth Services. The OAuthServiceProvider is the default Service Provider for the DefaultDomain Identity Domain although a Custom Service Provider can be created. In this release, OAuth Services provides support for both OAM authentication (most authentication modules can be invoked, usually user/credential based plugins) and IDS authentication. Any features not provided through OAM or IDS authentication will require a custom service provider. Each Identity Domain can only have one Service Provider. 52-12 Administrator's Guide for Oracle Access Management Understanding the OAuth Services Components Currently, authentication modules that have multi step orchestration in OAM can not be invoked; this refers to 2-legged OAuth Services scenarios. For 3-legged scenarios, there is no limitation on invoking OAM authentication modules because authentication is done through a browser flow. Note: For information on configuring Service Providers, see Section 53.3.4, "Configuring the Service Provider." 52.4.5 Understanding Resource Servers Resource Servers settings are independently configured in a profile for each remote resource server that contains applications or services to be protected by OAuth Services. The Resource Server profile does not define the resource server specific settings like the endpoint or security protection - only OAuth Services related configurations. Part of the Resource Server configuration involves defining scope. Scope determines the range of access the Client will have to the protected resource. Based on the scope setting, Oracle Access Management restricts access and informs the Client of the scope in the access token issued. Thus, an OAuth Services access token with proper scope needs to be obtained in order for a Client application to access a Resource Server. The client provides a scope string in it’s request to OAuth Services. The scope can be a URL or a string literal. After successful authentication and authorization, OAuth Services includes the scope in the Access Token. For example, if an OAuth client requests access to a resource for a specific end user, OAuth Services would create an Access Token with the scope defined as UserProfile.me and the client could access the User Profile Resource Server with the /me endpoint. (See Table 52–1.) In turn, the User Profile Resource Server will decide whether the client can access the resource with acquired access token or not. The following is true in regards to scope. ■ ■ ■ A Resource Server can have one or more scope(s) associated with it. Multiple Resource Servers can be created if there is a need, for example, to have different token settings or to modify the default security protection (like not allowing revocation of consent). Each will have it's own set of scope definitions. This is not a common scenario The client sends the scope parameter as part of an authorization request. If any part of the scope parameter value is invalid, OAuth Services sends the client application an invalid_scope error response. If the scope parameter value is valid, it gets embedded as part of the authorization code and access tokens. OAuth Services provides two out-of-the-box services modeled as Resource Servers and protected with an Access Token. For information on the User Profile Services and Consent Management Services Resource Servers, see the following sections. ■ Understanding User Profile Services ■ Understanding Consent Management Services For configuration information, see Section 53.3.5, "Configuring Custom Resource Servers," Section 53.3.6, "Configuring User Profile Services," and Section 53.3.7, "Configuring Consent Management Services." Understanding OAuth Services 52-13 Understanding the OAuth Services Components 52.4.5.1 Understanding User Profile Services The default UserProfile User Profile Services configuration is a Resource Server created during Oracle Access Management OAuth Services installation. This configuration allows your organization to use OAuth 2.0 to interact with a back-end LDAP directory server and perform the REST operations documented in Table 52–1 on Person, Group, and Relationship entities. See the Oracle Fusion Middleware Developer's Guide for Oracle Access Management for more details on using REST to interact with the User Profile Services. Table 52–1 Default User Profile Services Endpoint Operations Resource Endpoint (URI) HTTP(S) Methods Use Details http://host:port/ms_oauth/ resources/userprofile/me GET allows read The OAuth client can request read and update privileges for the specified user’s profile. http://host:port/ms_oauth/ resources/userprofile/users GET allows read, search The OAuth client can request create, read, search, update, and POST allows create delete privileges for any user profile. PUT allows update PUT allows update DELETE allows delete http://host:port/ms_oauth/ resources/userprofile/groups GET allows read, search The OAuth client can request create, read, search, update, and POST allows create delete privileges for any group profile. PUT allows update DELETE allows delete http://host:port/ms_oauth/ GET allows read resources/userprofile/secretkey POST allows create DELETE allows delete Used by Oracle Mobile Authenticator to read, create or delete secret key for given user. The secret key is used by OMA to generate a one time pin. User Profile Services receives and responds to HTTPS requests using the service-specific endpoints for Person, Group, and Relationship entities. Each service endpoint can be individually disabled if it is not needed. If there are users across multiple user repositories, you can create multiple instances of User Profile Services; for example, if a company uses different repositories for different organizations this would be useful. Creating multiple user profile services may not be common though. See Section 48.2.5, "Introducing User Profile Services" for more information. For information on configuring User Profile Services, see Section 53.3.6, "Configuring User Profile Services." The following sections contain details on specific User Profile Services configurations. ■ Using Proxy Authentication ■ Securing User Profile Services Activity ■ Understanding the Entity Relationship 52.4.5.1.1 Using Proxy Authentication Proxy authentication allows a user to control the security of middle tier applications by preserving client identities and privileges through all tiers, and auditing actions taken on behalf of clients. For example, this feature allows the identity of a user using a web application (also known as a "proxy") to be passed through the application to the database server. Oracle Unified Directory (OUD) and Active Directory (AD) are few directory servers that support proxy authentication. Proxy authentication delivers the following security benefits. 52-14 Administrator's Guide for Oracle Access Management Understanding the OAuth Services Components ■ ■ ■ A limited trust model, by controlling the users on whose behalf middle tiers can connect, and the roles the middle tiers can assume for the user. Accountability, by preserving the identity of the real user through to the database, and enabling auditing of actions taken on behalf of the real user. Flexibility, by supporting environments in which users are known to the database, and in which users are merely "application users" of which the database has no awareness. Oracle Access Management provides the ability to add proxy authentication features on top of directory servers that do not support it. The Access Control option is simply Proxy Authentication support for directory servers that do not have built in support for proxy authentication. Proxy Authentication and Access Control were previously available in Mobile Services and now this support is available in OAuth Services. Without Proxy Authentication or Access Control enabled, communication with directory servers is done using the administrator user account; in this case, the administrator can perform any operations on any user. By enabling this feature, the logged in user can only perform operations for which privilege has been granted. 52.4.5.1.2 Securing User Profile Services Activity Security considerations are very important when implementing User Profile Services. For example, a user with write access to UserProfile.me can change their own UID or mail address causing a serious breach. Because of this it is possible to limit the scope of all URI to read only and you should be careful about granting write access to any scope. You can also configure read and write access independently on a per-attribute basis. Security protection is defined within the Scopes table of the configured User Profile Service. Adding a URI allows you to select whether the service endpoint is enabled, whether read or write access is allowed, whether the URI is protected by an access token, and whether user consent is required. The Oracle Access Management Console also allows fine-grained configuration of the attributes that can be modified. You can also add custom attributes or remove default attributes. Table 52–2 documents the out-of-the box configurable attributes for each scope setting. Table 52–2 User Profile Resource Server - Scope Settings Scope HTTP(S) Resource Method URI UserProfile.me GET /me uid, mail, description, commonname, firstname, lastname /users uid, mail, description, commonname, firstname, lastname /groups name, description PUT UserProfile.users GET Attributes POST PUT DELETE UserProfile.groups GET POST PUT DELETE Understanding OAuth Services 52-15 Understanding the OAuth Services Components Table 52–2 (Cont.) User Profile Resource Server - Scope Settings HTTP(S) Resource Method URI Scope UserProfile.secretkey.ma GET nagement POST Attributes /secretkey There are no attributes needed. DELETE 52.4.5.1.3 Understanding the Entity Relationship An entity relationship is an association between two entities such as Users and Groups. The entity types can be the same or different. For example, the memberOf entity is a relationship between a user and a group while the manager entity is a relationship between two users. Client applications can create, read or delete relationships using the User Profile Services relationship endpoint. The following REST operations illustrate how to create a memberOf relationship. In these examples, the relationship endpoint is memberOf, the source entity URI is user-uri and the destination-entity URI is group-uri. Create User "John" curl -H "Content-Type: application/json" --request POST http://localhost:port/ms_ oauth/resources/userprofile/users -d '{"uid":"John"Anderson","commonname":"John Anderson","firstname":"John"}' Create Group "Group1" curl -H "Content-Type: application/json" --request POST http://localhost:port/ms_ oauth/resources/userprofile/groups -d '{"description":"group1 testing","commonname":"group1"}' Create memberOf relationship curl -H "Content-Type: application/json" --request POST http://localhost:port/ms_ oauth/resources/userprofile/users/memberOf -d '{"group-uri":"\/idaas_ rest\/rest\/userprofile\/group\/group1", "user-uri":"\/idaas_ rest\/rest\/userprofile\/people\/John"}' 52.4.5.2 Understanding Consent Management Services The default Consent Management Services configuration is labeled ConsentManagement and handles consent storage, retrieval, revocation, and consent validation operations. If you select the Require User Consent option Oracle Access Management displays to the user a consent form so that access to the requested resource can be approved or denied by the user. The Require User Consent option can be enabled on a scope by scope basis. For example, you can require user consent for a scope request that allows "write" access but not "read" access. Consent data is stored in the Oracle Access Management database. For information on configuring Consent Management Services, see Section 53.3.7, "Configuring Consent Management Services." The Clients configuration page has a Bypass User Consent option. If this option is selected, the Client setting overrides the Resource Server setting. For information on configuring Clients, see Section 53.3.3, "Configuring Clients." Note: 52-16 Administrator's Guide for Oracle Access Management Understanding the OAuth Services Components Any consent operation requires an access token of the Client Credentials grant type (as discussed in Understanding Clients) and the desired Consent Management scope. A user (through the client) requests access to a resource protected by OAuth Services. The request contains an access token, the client identifier and the user identifier. OAuth Services retrieves the configured scopes and, if allowed, grants consent by adding the scope to the access token. The access token is added to the authorization header in the HTTP request which is used to retrieve, grant or revoke consent using the endpoints provided by the Consent Management Service. For details on using REST interfaces to interact with Consent Management Services, see Oracle Fusion Middleware Developer's Guide for Oracle Access Management. Note: Multiple Consent Management Services are not necessary. 52.4.6 Understanding Plug-Ins Plug-ins enhance security by consulting additional logic for trust and risk analysis. (Such additional logic may deny certain risky operations.) Plug-ins apply the logic during authentication operations, including client application registration for mobile apps. The following plug-in types are available for use with OAuth Services and Mobile OAuth Services. ■ ■ ■ ■ The Custom Token Attributes Plug-in defines security policy around the token service provider. The Authorization and Consent Service Plug-in defines security policy around interactions where authorization and user consent are granted. This plug-in type can influence claims in a generated token as well. The Client Plug-in defines a security policy for Clients in an Identity Domain. The Resource Server Profile Plug-in defines a security policy for Resource Servers in an Identity Domain. The following plug-in types are available for use with Mobile OAuth Services only: ■ ■ The Mobile Security Manager Plug-in is for use with Oracle Mobile Security Suite (OMSS). The Mobile Security Manager (MSM) component (part of OMSS) collects a rich set of mobile device data. This plug-in gathers that information and also invokes the MSM compliance policy, which checks the compliance status of the device. Finally, the plug-in sends the device information and the compliance status to the Adaptive Access Plug-in. For information about configuring the Mobile Security Manager plug-in, see Section 53.3.8.2, "Understanding the Plug-in Configuration Page." The Adaptive Access Plug-in is for use with Oracle Adaptive Access Manager (OAAM). It runs fraud detection and risk analysis policy checks that further validates that the user connection is authentic and can be trusted. The Adaptive Access Plug-in can utilize mobile device attribute values collected by the Mobile Security Manager Plug-in, or, if Oracle Mobile Security Suite is not available, the Adaptive Access plug-in can use mobile device attribute values that the Mobile OAuth Services obtains during mobile app requests. If the Mobile Security Manager Plug-in is active, it runs first and passes device data to the Adaptive Access Plug-in, which runs second. For more information, see Section 52.9, "Understanding OAuth Services Plug-ins." For each plug-in type only one instance can be active at a time at the service profile level. For example, you can create and save different instances of the Client Plug-in at the Identity Domain level, but at the Service Profile level you can only assign one Understanding OAuth Services 52-17 Understanding OAuth Services Tokens Client Plug-in instance at a time. Optional plug-ins can be configured to provide additional security. For information on configuring plug-ins, see Section 53.3.8, "Configuring Plug-Ins." 52.4.7 Understanding Server Settings The Server Settings page is for configuring general server settings for the Identity Domain under which it is accessed. For information on configuring Server Settings, see Section 53.3.9, "Configuring Server Settings." 52.4.8 Understanding Jailbreak Detection Policy A preconfigured Jailbreaking Detection Policy for iOS devices can search for files that indicate a device is jail broken and, if found, deny that device access to OAuth Services. This setting tab is displayed and for use with Mobile OAuth Services only. For information on configuring the Jailbreak Detection Policy, see Section 53.3.10, "Configuring the Jailbreak Detection Policy." 52.4.9 Understanding Token Life Cycle Management Use this screen to search for and revoke tokens that have been issued. You can search for tokens using criteria such as user ID, client ID/name, client IP address, service profile, assertion token category, and token creation/expiration time. For information on configuring Token Life Cycle Management, see Section 53.3.11, "Configuring Token Life Cycle Management." 52.5 Understanding OAuth Services Tokens OAuth Services generates a Client Token, a User Token and an Access Token. The Client Token is generated by OAuth Services when using the Client Credentials grant type without any scope for confidential clients, or for mobile clients. The User Token is generated by OAuth Services using the User Credentials grant type without any scope. The Access Token is generated with supported grant types using scope parameters. See Understanding Clients for details on grant types. A user and client can provide credentials in the form of a JWT token or an assertion for verification and generation of one of the three tokens. It is possible to use a Client Token or a User Token generated by OAuth Services as a Client Assertion or a User Assertion respectively but that is not common. Note: The Refresh Token is also generated by OAuth Services. It is issued when an offline scope is presented in the Access Token request and usually has a higher expiration time than the Access Token. A Refresh token can be used to get an Access Token. The following sections contain additional details. ■ Understanding OAuth Services Access Tokens ■ Understanding OAuth Services Refresh Tokens ■ Understanding Mobile OAuth Services Client Tokens 52-18 Administrator's Guide for Oracle Access Management Understanding OAuth Services Tokens 52.5.1 Understanding OAuth Services Access Tokens If OAuth Services determines that a user must consent to the request for access to a protected resource, a consent form is displayed. After the user consents, OAuth Services returns an authorization code to the Client service provider. The Client then sends the authorization code to the Token Endpoint and requests an OAuth Services Access Token. (When making the request, the Client authenticates with OAuth Services.) If received, the Access Token allows access to the protected resources. See Understanding the Authorization and Authentication Endpoints for details on the Token Endpoint. Oracle Access Management can embed custom attributes in Access Tokens. Custom attributes are configured as part of the Service Profile or the Custom Resource Server. They are defined as static or dynamic. ■ ■ Static Attributes - Attribute name and value pairs where the value is fixed at the time that you define the attribute. For example, name1=value1. Dynamic Attributes - User-profile specific attributes. You must also configure the User Store setting on the Service Profile Configuration page. This setting defines the source of the User Profile attributes. The User Profile Service (and/or the underlying IDS interface) may be used to retrieve attribute names and values. Because dynamic attributes are user related, the user consent page (if configured) shows that the configured attributes are being shared with clients and resources. Section 53.3.2, "Configuring Service Profiles" and Section 53.3.2, "Configuring Service Profiles" contain more information. Keep the following guidelines in mind when configuring custom attributes: ■ ■ Do not use the same name for a static and dynamic attribute. Avoid using the same name when adding custom attributes to the service profile configuration and the scope configuration. If you define the same attribute name in both locations, the scope-based attribute value takes precedence. Custom attributes appear as claims in access tokens. JWT-based access tokens contain standard JWT claims along with OAuth Services specific ones. For example: ■ Standard "exp":1357596398000, "iat":1357589198000, "aud":"oam_server1", "iss":"OAuthServiceProfile", "prn":null, "jti":"340c8324-e49f-43cb-ba95-837eb419e068", ■ OAuth Services Specific "oracle.oauth.user_origin_id":"john101", "oracle.oauth.user_origin_id_type":"LDAP_UID", "oracle:idm:claims:client:macaddress":"1C:AB:A7:A5:F0:DC", "oracle.oauth.scope":"brokerage", "oracle.oauth.client_origin_id":"oauthssoapp1id", "oracle.oauth.grant_ type":"oracle-idm:/oauth/grant-type/resource-access-token/jwt" These claims are available as part of the access token generated by OAuth Services. Because the custom attributes appear as claims in a JWT-based access token, the following naming restrictions apply: ■ Avoid JWT standard claim names. Understanding OAuth Services 52-19 Understanding the Authorization and Authentication Endpoints ■ Avoid names with an "Oracle" prefix (as shown above) 52.5.2 Understanding OAuth Services Refresh Tokens OAuth Services can be configured to allow the Client to use a refresh token to obtain additional access tokens with identical or narrower scope. The refresh token is used when the access token is no longer valid. The purpose of a refresh token is to improve security. Access tokens are short-lived, so if stolen, they are only useful for a limited period. Refresh tokens are longer-lived, but are less frequently sent to the server, thus reducing the likelihood that they will be stolen. Any scope can request and use a refresh token, however, the refresh token is typically used when the user is offline. When configuring a Resource Server, the administrator can designate one scope to be the offline scope. If an access token request includes the scope designated as the offline scope, the server will include the refresh token with the access token. If the offline scope field is not configured, the server will not issue a refresh token. See Section 53.3.5.3, "Understanding the Custom Resource Servers Configuration Page" for details. The client must be configured to use the refresh token. See Section 53.3.2.3, "Understanding the Service Profile Configuration Page" and Section 53.3.3.3, "Understanding the Web Clients Configuration Page" for information about refresh token settings. 52.5.3 Understanding Mobile OAuth Services Client Tokens Mobile applications must register with Oracle Access Management prior to using OAuth Services and each registration is specific to one app on the device. After the application registration, the mobile app will have a Client Token. It uses this token as the security credential for making Access Token requests. See Understanding Mobile OAuth Services Server-Side Single Sign-on for details. 52.6 Understanding the Authorization and Authentication Endpoints OAuth Services has four authentication endpoints that receive and respond to HTTPS requests: the authorization endpoint, the token endpoint, the push endpoint, and the user consent revocation endpoint. Each endpoint is a URL that clients use to make requests. ■ Authorization Endpoint – The client uses the Authorization Endpoint to get authorization from the resource owner to access the requested resources. The client application initiates the Authorization Endpoint request by sending its identifier, a requested scope defining the resource to which it wants access, and a redirection URI to which OAuth Services will direct the web browser once access is granted or denied. This endpoint accepts the HTTPS request. The URI for this endpoint always ends in authorize. For example: http(s)://:/ms_ oauth/oauth2/endpoints//authorize ■ Token Endpoint – The client application interacts with the Token Endpoint to exchange an authorization code grant for an access token. It is also used for Client Credentials grant type and resource owner credentials grant type to get an access token. The client uses a Refresh token to obtain a new access token. The URI for this endpoint always ends in token. For example: http(s)://:/ms_ oauth/oauth2/endpoints//token 52-20 Administrator's Guide for Oracle Access Management Understanding Mobile OAuth Services Server-Side Single Sign-on ■ Push Endpoint – Mobile OAuth Services client apps interact with the push endpoint to obtain (depending on configuration) part of the authorization codes, and/or part of the client tokens, access tokens, and refresh tokens that are sent through either the Apple Push Notification Service (APNS) or the Google Cloud Messaging (GCM) service. It can also be used for Mobile Client Verification code, Authorization Code and Client Tokens. For example, the end point for requesting data from APNS is: http(s)://:/ms_oauth/oauth2/endpoints/oauthservice/push ■ User Consent Revocation Endpoint - Resource owners (end-users), who authenticate and authorize client applications using the browser-based authorization endpoint flow, use this endpoint to revoke their consent to client applications. For example: http(s)://:/ms_ oauth/oauth2/ui//showrevokeconsent When configuring clients with authorization code grant in the OAuth server, you also need to provide at least one client redirect URI where the server can return authorization credentials to the client. ■ Client Redirect URIs – The OAuth Services server returns authorization credentials to the client using the URI specified in the request provided that it exactly matches a URI configured in the client profile. 52.7 Enforcing Access Control Typically, an OAuth Services client application makes REST calls to services deployed on remote servers. These calls, carrying an access token, need to be validated before the call can go through. Enforcing access control is accomplished by sending a previously obtained access token to a resource server defined in OAuth Services. Exceptions to this are the native User Profile and Consent Management Services that are enforced by OAuth Services. The options for validation within the Oracle stack are Oracle API Gateway (OAG) and Oracle Web Services Manager. (An OAG filter validates the Oracle Access Management OAuth Services token before allowing access to the resource.) Custom code can also be written to provide access control. Note: WebGates do not support validating access tokens. 52.8 Understanding Mobile OAuth Services Server-Side Single Sign-on The server-side single sign-on (SSO) feature allows multiple mobile apps on a device to share a single user session that resides on the OAM server and not with the client. This feature saves JWT and OAM user tokens in the Server-Side Device Store, and maintains the user session in the browser with cookies. Thus, the server session is not tied to the client. Session time-out values are configurable at the Service Profile level for the client token, user token, and access token. The access token time-out value can also be overridden at the Resource Server level. Keeping sensitive session info on the server (and not on the device) reduces the risk of the tokens being copied if the device or client app is compromised. For 2-legged flows, if server-side single sign-on is turned off (it is on by default), the user token is not stored on the server but sent to the client on the mobile device. You can enable and Understanding OAuth Services 52-21 Understanding Mobile OAuth Services Server-Side Single Sign-on disable this feature using the Mobile OAuth Services Service Profile configuration page. For 3-legged flows, server-side single sign-on is always automatically enabled. ■ Understanding the Server-Side Single Sign-On Credential Collection Options ■ Understanding Server-Side SSO For Mobile OAuth Services 3-Legged Flows ■ Understanding Server-Side SSO For Mobile OAuth Services 2-Legged Flows 52.8.1 Understanding the Server-Side Single Sign-On Credential Collection Options Developers in your organization can implement single sign-on in a client app by using an external browser, an embedded browser, or by using a native app registered with Mobile and Social Services as an SSO proxy. This section briefly discusses the different approaches. ■ Using the External Browser Approach ■ Using the Embedded Browser Approach ■ Using the Native App Proxy Approach 52.8.1.1 Using the External Browser Approach In this approach the mobile app switches to an external browser, which executes the logic for user authentication and user consent management. A shared browser cookie maintains the user session and can be used to provide SSO across multiple apps. The external browser uses a typical Web SSO mechanism that supports OAM user authentication, JWT user authentication, third-party user authentication, and social authentication (using the Social Identity service). One drawback to using an external browser is the screen “flickering” that occurs when the application context switches between the browser and the application. 52.8.1.2 Using the Embedded Browser Approach In this approach the mobile app uses its own embedded browser. Because the browser cookie cannot be shared across multiple apps, OAM and third-party user authentication cannot be used. Instead, Mobile OAuth Services uses a JWT user session token stored in the Server-Side Device Store. When additional apps are launched, SSO is established using device identification together with the shared JWT user session token. The embedded browser approach eliminates the screen “flickering” that occurs when the application context switches between the application and the external browser (as discussed in Using the External Browser Approach). 52.8.1.3 Using the Native App Proxy Approach In this approach, if a native app is already installed on the device, it can facilitate SSO by serving as a proxy between the browser-based app and the Mobile OAuth Services SSO Servlet on the OAM server. As needed, the Servlet registers the device and app with OAM and obtains the tokens required to authenticate the app in the browser so that it can access the OAM-protected resource. To use this approach, native apps must use Mobile and Social Services to authenticate with Access Manager. This approach can be used for 2-legged flows. 52.8.2 Understanding Server-Side SSO For Mobile OAuth Services 3-Legged Flows Server-side SSO is always enabled for Mobile OAuth Services 3-legged scenarios. The Mobile OAuth Services server executes the logic for user authentication and user consent management, collects the user credentials, and provides the required SSO functionality. Users log in once and gain access to all systems without being prompted 52-22 Administrator's Guide for Oracle Access Management Understanding Mobile OAuth Services Server-Side Single Sign-on to log in again. For JWT, third-party, and social authentication, the OAM server stores the user token in the Device Store, whereas OAM authentication stores the OAM_ID (representing an OAM session) in the Device Store. When the user token or OAM_ID expires, the user is prompted to log in again. When implementing mobile 3-legged scenarios, enable the Authorization Code grant type by going to the Mobile OAuth Services Clients configuration page in the Oracle Access Management Console. Apps should implement the mobile 3-legged flows documented in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. Apps that use a Mobile OAuth Services 3-legged scenario should collect credentials using a mobile browser (as discussed in Understanding the Server-Side Single Sign-On Credential Collection Options). To specify an authentication type using the Oracle Access Management Console, open the Mobile OAuth Services Service Profile configuration page and under Mobile Service Settings, choose an option for Consent Service Protection. The following sections describe these options. OAM Authentication or Third-Party Access Management If using OAM authentication or Third-Party Access Management, Access Manager (or a third-party access management product) is responsible for user authentication. Any OAM authentication method that supports login through the browser is an option. Because Access Manager supports SSO using an OAM_ID cookie, this flow must use an external browser (as discussed in Using the External Browser Approach). Following authentication, the user token is stored in the Server-Side Device Store. Oracle Access Management supports session synchronization so that 2-legged flows can get OAM tokens later. For example, the first app registers with the server using the 3-legged flow. Next, a second app completes the 2-legged registration using the existing session established by the first app. Thus a 3-legged flow session can register additional apps using a 2-legged flow by using the same session created during the first app registration. JWT Authentication JWT authentication is an authentication mechanism provided by Mobile and Social for mobile applications. In this case, Mobile and Social hosts the user interface for user login. It accepts a user name and password for authentication, using the configured user store for user authentication. The user store can be configured in Mobile and Social or in Oracle Access Management. It is configured using the User Authenticator under User Store in OAuth Services profile. As discussed previously, JWT user authentication is the only authentication type that supports single sign-on using an embedded browser. (If the ability to use multiple apps on the same mobile device is not a requirement, then either OAM authentication or third-party authentication is sufficient.) JWT authentication can also be used with external browsers, but the application will need to switch from the app to the browser and back again when Mobile and Social checks the user token in the Device Store for single sign-on. Social Authentication Social authentication allows app users to authenticate using social identity providers such as Facebook and Twitter. This type of authentication requires the Oracle Access Management Social Identity service (part of Mobile and Social). If using social authentication, the Oracle Access Management server redirects the user to the social identity provider for authentication. For single sign-on, an external browser is Understanding OAuth Services 52-23 Understanding Mobile OAuth Services Server-Side Single Sign-on required. Following authentication, the user token is stored in the Server-Side Device Store. Social Authentication is supported for 3-legged flows only. 52.8.3 Understanding Server-Side SSO For Mobile OAuth Services 2-Legged Flows Apps that use Mobile OAuth Services 2-legged scenarios should collect user credentials using the native iOS or Android user interface although you are limited to username/password-based OAM authentication or IDS (directory server). By switching to an external browser, you can use the usual supported authentication schemes, including OAM user authentication, third-party authentication, and JWT user authentication. Unlike with mobile 3-legged scenarios, you can choose to disable the server-side single sign-on feature with mobile 2-legged scenarios. To disable it, open the Mobile OAuth Services Service Profile Configuration page and clear the Enable Server-Side Single Sign-On option. (Server-Side SSO can also be set using WLST.) ■ If Server-Side SSO is enabled, the server collects user credentials on behalf of the client and provides SSO. Additional apps (that is, apps that share the same device profile) have to register with the server the first time they are launched. You can require the user to authenticate every time an app is registered, or you can allow the registration to happen automatically in the background without involving the user. Configure the msAlwaysShowLogin attribute on the Service Profile page to select the desired behavior. ■ ■ If the msAlwaysShowLogin Service Profile attribute is set to true, the user has to enter a user name and password in the native app to register the app and get a client token. If the attribute is set to false, the server automatically registers apps using the server-side user token. Once registered, subsequent access requests from apps on the device typically result in the server providing a client token and allowing access. (In some cases the user may not get access right away—for example, if Oracle Adaptive Access Manager rules are active.) ■ If Server-Side SSO is disabled, the client collects the user credentials and must also provide SSO. On a first access attempt the user enters a user name and password in the native app to register the device. The server returns a user token that the device stores locally. Subsequent access requests from apps on the device must use the stored user token to register the apps and gain access. For mobile 2-legged scenarios, enable the Resource Owner grant type by going to the Mobile OAuth Services Clients configuration page in the Mobile Oracle Access Management Console. Apps should implement the mobile 2-legged flows documented in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. The following sections give an overview of SSO options. ■ Using the OAuth Mobile SSO Servlet Authentication ■ Using SSO Between Native Apps and an External Browser 52.8.3.1 Using the OAuth Mobile SSO Servlet Authentication If a user using a mobile browser (external or embedded) needs to access a protected Web resource, and there is a native app that uses Mobile and Social Services to authenticate with OAM already installed on the device, the native app can register the device on behalf of the Web app and gain access to the resource without requiring the user to sign on. This single sign-on approach utilizes the OAuth Mobile SSO Servlet 52-24 Administrator's Guide for Oracle Access Management Understanding OAuth Services Plug-ins that was added to the OAM server in release 11.1.2.3. For configuration steps, see Section 53.7, "Configuring Mobile OAuth for SSO Servlet Authentication." 52.8.3.2 Using SSO Between Native Apps and an External Browser Another alternative utilizing a native app and an app running in an external browser is to implement 2-legged flows in the native app using the OAuth Services REST API. (Server-side SSO can be enabled or disabled.) The native app registers the device and user, and exchanges an OAM token to get an OAM_ID cookie (which is the OAM master token). The native app can then launch the external browser and inject the OAM_ID cookie so that users accessing WebGate-protected resources with an external browser will not be prompted to log in every time. For information about implementing the 2-legged flows, see the Oracle Fusion Middleware Developer's Guide for Oracle Access Management. 52.9 Understanding OAuth Services Plug-ins Oracle Adaptive Access Manager (OAAM) is an optional product that can screen Mobile OAuth Services transactions using a provided security plug-in. Together, OAAM and the plug-in provide mobile-client fraud detection, knowledge-based authentication (for two-factor authentication after user name and password authentication), and one time password functionality. If the Oracle Mobile Security Suite is deployed, the Mobile Security Manager plug-in gathers additional mobile device data for OAAM to screen. To use OAAM with Mobile OAuth Services, the Adaptive Access security plug-in must be installed. This plug-in can add value during app registration when client tokens or user tokens are being validated or refreshed, and during token exchange. OAAM rules and policies are defined in Oracle Adaptive Access Manager. The following is a brief description of the OAAM and Adaptive Access Plug-in features. ■ ■ ■ The Adaptive Access Plug-in enhances security by screening mobile app registration requests for both 2-legged and 3-legged flows. The plug-in runs fraud detection and risk analysis policy checks. Knowledge-based authentication (KBA) and one time password authentication (OTA) can also be integrated into the mobile app registration process. The OAuth Service REST API flows include sample challenge requests and responses that a developer will need to implement in your app(s). Following registration, the Adaptive Access Plug-in screens user tokens for security violations instead of simply checking if the user token is valid. The result of this screening is either allowed or denied. Using the Mobile Security Manager Plug-in Together With the Adaptive Access Plug-in The Mobile Security Manager Plug-in is for use with Oracle Mobile Security Suite (OMSS). The Mobile Security Manager (MSM) component (part of OMSS) collects a rich set of mobile device data and passes it to the Adaptive Access Plug-in for use by OAAM. If Oracle Mobile Security Suite is not available, the Adaptive Access plug-in uses mobile device attribute values that the Mobile OAuth Services server obtains during mobile app requests. Understanding OAuth Services 52-25 Understanding OAuth Services Plug-ins The Mobile Security Manager plug-in requires special configuration before it can be used. See Section 53.8, "Configuring the Mobile Security Manager Plug-in" for details. Note: If the Mobile Security Manager Plug-in is active, it runs first and sends its data to the Adaptive Access Plug-in, which runs second. The Adaptive Access Plug-in checks the results of the MSM compliance policy that reports the compliance status of the device. If the compliance policy response is negative, the Adaptive Access Plug-in denies the mobile app request; If the response is positive, the Adaptive Access Plug-in passes the device data to Oracle Adaptive Access Manager for stronger authentication checks and risk evaluation. The Mobile Security Manager plug-in gets device info and checks the MSM compliance policy in the following cases: ■ During the app registration flow following user authentication. ■ As part of the client token and user token validation process. For more information: ■ ■ ■ See "Understanding OAuth Services Authorization for Mobile Clients" for a detailed look at when in the Mobile OAuth Services flow OAAM interacts with mobile apps. See Section 52.4.6, "Understanding Plug-Ins" for summary information about the various OAuth Services plug-ins. See Section 53.3.8, "Configuring Plug-Ins" for information about configuring the adaptive-access plug-in. 52-26 Administrator's Guide for Oracle Access Management 53 Configuring OAuth Services 53 [35Oracle ] Access Management provides a graphical user interface for configuring OAuth Services. The configuration options are available within the Identity Federation or Mobile Services interfaces depending on the licensing procured. This chapter describes how to use the Oracle Access Management Console to enable OAuth Services and configure the OAuth Services components. ■ Enabling OAuth Services ■ Configuring OAuth Services Components in an Identity Domain ■ Configuring OAuth Services Settings ■ Configuring OAuth Services for Third-Party JWT Bearer Assertions ■ Configuring a WebGate to Protect OAuth Services ■ Configuring OAM Session Synchronization ■ Configuring Mobile OAuth for SSO Servlet Authentication ■ Configuring the Mobile Security Manager Plug-in OAuth Services can be configured from the command line using WLST. For more information about the Mobile and Social WLST commands, see the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Note: 53.1 Enabling OAuth Services Oracle Access Management OAuth Services has to be explicitly enabled in order to use it. A license for Oracle Access Management Identity Federation (if using web clients only) or Mobile and Social (if using web and mobile clients) is required to enable it. Once correct licensing is procured, enable Identity Federation or Mobile and Social by clicking Available Services in the Configuration Launch Pad of the Oracle Access Management Console. These section links contain more details. ■ Section 2.4, "Understanding the Oracle Access Management Console" ■ Section 3.2, "Enabling or Disabling Available Services" ■ Section 37.8, "Enabling Identity Federation" ■ Section 48.1.3, "Enabling Mobile and Social" Configuring OAuth Services 53-1 Configuring OAuth Services Components in an Identity Domain 53.2 Configuring OAuth Services Components in an Identity Domain In order to use Oracle Access Management OAuth Services, you will need to configure an Identity Domain. OAuth Services ships with a default Identity Domain named DefaultDomain. You can create additional domains as needed. Each OAuth Services Identity Domain has a universally unique identifier (UUID) that specifically identifies it on the Internet. Access to the Identity Domain configuration page is dependent on whether you have enabled Identity Federation OAuth Services or Mobile and Social OAuth Services. Figure 53–1 contains two screenshots: the top displays the Mobile OAuth Identity Domains and the bottom displays the Federation (web only) OAuth Identity Domains. Note that both contain the DefaultDomain. To access the appropriate page, do the following. ■ ■ Click Mobile Security at the top of the Oracle Access Management Console and then click Mobile OAuth Services. Click Federation at the top of the Oracle Access Management Console and then click OAuth Services. Figure 53–1 Mobile (top) and Federation (bottom) Identity Domain Screens Figure 53–2 is a screenshot of the Identity Federation OAuth Services DefaultDomain configuration page. To access this page, click DefaultDomain (or any custom domain that might have been created) from the Identity Federation Identity Domain configuration page. (If OAuth Services is accessed by clicking a Mobile Security configured domain, a third OAuth Mobile Clients table is also displayed on the Clients tab of the selected domain.) 53-2 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings Figure 53–2 Identity Federation DefaultDomain Configuration Page When accessing the Identity Domain configuration page through Mobile Security, the Jailbreak Detection Policy tab is included with those previously listed for Identity Federation. Figure 53–3 is a screenshot of the Mobile Security OAuth Services DefaultDomain configuration page with the Jailbreak Detection Policy page displayed. To access this page, click DefaultDomain (or any custom domain that might’ve been created) from the Mobile Security Identity Domain configuration page. Figure 53–3 Mobile Security DefaultDomain Configuration Page The Identity Domains pages list all configured OAuth Services Identity Domains. When the list is displayed, you can create a new Identity Domain by clicking Create Using Single Step or Create Using Wizard Flow. Click a domain name to modify an already configured profile. 53.3 Configuring OAuth Services Settings OAuth Services has many components that must be configured before the authorization protocol can be used. Descriptions of the OAuth Services components and how they work together can be found in Section 52.4, "Understanding the OAuth Services Components." This section includes information on configuring the OAuth Configuring OAuth Services 53-3 Configuring OAuth Services Settings Services components using the Oracle Access Management Console only. It contains the following topics: ■ Configuring Identity Domains ■ Configuring Service Profiles ■ Configuring Clients ■ Configuring the Service Provider ■ Configuring Custom Resource Servers ■ Configuring User Profile Services ■ Configuring Consent Management Services ■ Configuring Plug-Ins ■ Configuring Server Settings ■ Configuring the Jailbreak Detection Policy ■ Configuring Token Life Cycle Management 53.3.1 Configuring Identity Domains See Section 53.2, "Configuring OAuth Services Components in an Identity Domain" for introductory information about Identity Domains. The following section describes how to use the user interface to configure an Identity Domain. It includes the following topics: ■ Creating an Identity Domain ■ Editing or Deleting an OAuth Identity Domain ■ Understanding the Identity Domain Configuration Page - Summary Tab ■ Understanding the Create Identity Domain Wizard Flow 53.3.1.1 Creating an Identity Domain 1. Access the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain." 2. Choose one of the following: ■ To quickly create an Identity Domain with only basic information, click Create using single step (leftmost + button in the toolbar). The Identity Domain Configuration page opens. Complete the form and click Create to save your changes. You will need to provide additional configuration detail later. ■ To create an Identity Domain and configure essential Service Profile settings, click Create using wizard flow (rightmost + button in the toolbar). The Create OAuth Identity Domain wizard flow page opens. Click Back and Next to move backwards and forward through the wizard flow. Click Finish to save your changes. 53.3.1.2 Editing or Deleting an OAuth Identity Domain 1. Open the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain." 53-4 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings ■ ■ To view or edit an Identity Domain, click its name in the table. To delete an Identity Domain, select it by clicking the column to the left of the domain name and then click the delete button in the command bar. 53.3.1.3 Understanding the Identity Domain Configuration Page - Summary Tab This section describes the form fields on the Identity Domain Configuration Summary tab when viewing an existing identity domain or creating a new one. Identity Domain - The name of the identity domain. If creating or editing an identity domain, type a unique name without spaces. Description - (Optional) A short description to help you or another administrator identify this identity domain in the future. Identity Domain UUID - The identification code that uniquely identifies this identity domain on the Internet. Click Generate to populate this field with a universal unique identifier code. Allow Multiple Resource Servers - Select this option if the identity domain supports more than one resource server. Selecting multiple resources requires that scopes are prefixed with the Resource Server name. For example, if you add PhotoService as a Resource Server, the scopes must be prefixed with PhotoService. This is done automatically while adding scopes in the Resource Server. The prefix can be changed to something different but unique. Note: The fields listed below appear on the Create Identity Domain page. Service Profile (Service Profile) Name - The name of the identity domain's service profile. Each identity domain requires at least one service profile. See Section 52.4.2, "Understanding Service Profiles" for more information. (Service Profile) Endpoint - The URL where the OAuth authorization service for this identity domain responds to authorization requests. User Profile Service (User Profile Service) Name - The name of the identity domain's user profile service. A user profile service is created automatically for each identity domain. See Section 52.4.5, "Understanding Resource Servers" for more information. (User Profile Service) Endpoint - The URL where the User Profile Service receives and responds to create, read, update, and delete requests. Consent Management Service (Consent Management Service) Name - The name of the identity domain's consent management service. Each identity domain must have a consent management service, which stores and retrieves consent records, and performs consent validation and consent revocation operations. See Section 52.4.6, "Understanding Plug-Ins" for more information. (Consent Management Service) Endpoint - The URL where the Consent Management Service receives and responds to client and resource owner service requests. Configuring OAuth Services 53-5 Configuring OAuth Services Settings 53.3.1.4 Understanding the Create Identity Domain Wizard Flow For help understanding the form fields on the Create OAuth Identity Domain wizard flow pages, refer to the following sections. ■ ■ Information - For help, see Section 53.3.1.3, "Understanding the Identity Domain Configuration Page - Summary Tab." Service Profile - For help, see Section 53.3.2.3, "Understanding the Service Profile Configuration Page." ■ Mobile Service - For help, see "Mobile Service Settings" in Section 53.3.2.3. ■ Tokens - For help, see "Tokens (Token Settings)" in Section 53.3.2.3. ■ Summary - Review your settings and click Finish to create the identity domain. 53.3.2 Configuring Service Profiles See Section 52.4.2, "Understanding Service Profiles" for introductory information about Service Profiles. The following section describes how to use the user interface to configure a Service Profile. It includes the following topics: ■ Creating a Service Profile ■ Editing or Deleting a Service Profile ■ Understanding the Service Profile Configuration Page 53.3.2.1 Creating a Service Profile 1. Access the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click the identity domain to open it. 2. Select the Service Profiles tab. 3. Click Create to complete the wizard. 53.3.2.2 Editing or Deleting a Service Profile 1. Open the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click an identity domain to open it for editing. 2. Click the Service Profiles tab. 3. Do the following: ■ ■ To edit a service profile, click its name in the table. To delete a service profile, select it by clicking the box to the left of the name and then click the delete button in the command bar. 53.3.2.3 Understanding the Service Profile Configuration Page Identity Domain - The name of the identity domain to which this service profile applies. (Read-only) Name - The name of this service profile. Description - (Optional) A short description to help you or another administrator identify this service profile in the future. Service Enabled - Select to activate the service profile, or clear the option box to inactivate it. 53-6 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings Service Provider - The name of the OAuth Service Provider that corresponds with this OAuth Service Profile. Service Endpoint - The URL where the OAuth authorization service responds to authorization requests. User Store User Authenticator - For user authentication, choose OAM to use the Oracle Access Management token provider, or choose IDS to use the Identity Directory Service token provider. Only choose IDS authentication if the OAM token is not used at all (for example, if only the JWT token is used). If both OAM and JWT tokens are used, choose OAM authentication to avoid duplicated authentication attempts sent by both IDS and OAM. Identity Store Name - The name of the identity store when IDS is configured as the user authenticator. User Profile Service (User Profile Service) Name - The name of the identity domain's user profile service. A user profile service is created automatically for each identity domain. See Section 52.4.5.1, "Understanding User Profile Services" for more information. (User Profile Service) Endpoint - The URL where the User Profile Service receives and responds to create, read, update, and delete requests. Consent Management Service (Consent Management Service) Name - The name of the identity domain's consent management service. Each identity domain must have a consent management service, which stores and retrieves consent records, and performs consent validation and consent revocation operations. See Section 52.4.5.2, "Understanding Consent Management Services" for more information. (Consent Management Service) Endpoint - The URL where the Consent Management Service receives and responds to client and resource owner service requests. Plug-Ins Choose available plug-ins from the menus in the following categories. See Section 52.4.6, "Understanding Plug-Ins" for more information. Adaptive Access - Runs Oracle Adaptive Access Manager (OAAM) fraud detection and risk analysis policy checks, enhancing authenticity and the trust level of a user. Mobile Security Manager - Gathers mobile device data from the Mobile Security Manager (MSM) component (part of Oracle Mobile Security Suite) and sends it, as well as the MSM compliance status, to the Adaptive Access Plug-in for stronger authentication checks and risk evaluation. Custom Token Attributes - Defines security policy around the token service provider. See Section 52.5.1, "Understanding OAuth Services Access Tokens" for more information. Client - Delegates the following to an external security module: confidential client authentication, client authorization, and client profile reading. Resource Server Profile - Delegates the following to an external security module: confidential resource server authentication, resource server authorization, and resource server profile reading. Configuring OAuth Services 53-7 Configuring OAuth Services Settings Authorization & Consent Service - Defines security policy around interactions where authorization and user consent are granted. This plug-in can influence claims in a generated token as well. Attributes Add or delete service profile attributes and their values to further configure the OAuth service profile. For JWT token generation and validation, configure the following parameters: ■ jwt.cert.alias ■ jwt.trusted.issuer.size ■ jwt.trusted.issuer.1 ■ jwt.trusted.issuer.2 For details, see Section 53.4, "Configuring OAuth Services for Third-Party JWT Bearer Assertions." Note: Table 53–1 OAuth Service Profile Configuration Attributes Name Value Notes Private key alias name for the signing certificate in the keystore. The default alias will be used if this attribute is not specified. jwt.cert.alias The cryptographic algorithm used to sign the contents of the JWT token. The default value is RS512. (RSA encryption using SHA-512 hash algorithm.) jwt.CryptoScheme RS512 jwt.issuer www.oracle.example. This issuer of the tokens (that is, the iss com claim value in the JWT token generated by OAuth Services). The default value, www.example.oracle.com,needs to be changed in the deployment. jwt.trusted.issuer.size 2 The number of trusted issuers. The value can be any number of trusted issuers. For example, if the number is 2, the following matching params need to be specified. jwt.trusted.issuer.1 The alias name for the public key of the first trusted issuer in the key store. See jwt.trusted.issuer.size for details. jwt.trusted.issuer.2 The alias name for the public key of the second trusted issuer in the key store. See jwt.trusted.issuer.size for details. createdByDefault true 53-8 Administrator's Guide for Oracle Access Management If set to true, the current OAuth Services profile is created automatically as part of domain creation. Otherwise, it's created manually. Configuring OAuth Services Settings Table 53–1 (Cont.) OAuth Service Profile Configuration Attributes Name Value Notes clientPWDValidation false If set to true, a client ID and secret (password) can be used as credentials to interact with OAuth Services for token validation and termination requests. If set to false, only a JWT/SAML client assertion can be used as client credentials to interact with OAuth Services for token validation and termination requests. tokenTenantClaimName user.tenant.name oauthServerSelfClientId Value to be specified The tenant claim name in the tokens issued by OAuth Services. By default this is set using the identity domain name. By default this is set with the value of the jwt.issuer attribute. This attribute gets used when OAuth Services generates a client assertion for itself when interacting with other services such as service-to-service interactions. oauthServerSelfCTValidi Value in seconds to be The default value is 300sec. This attribute tyInSec is related to oauthServerSelfClientId specified (that is, the OAuth Services own client assertion validity period). msAlwaysShowLogin true/false This attribute applies to mobile clients using the JWT SSO authentication mechanism. It is used with 2-legged flows only. (For 3-legged flows, the browser manages the session.) true - The user must authenticate for each app registration. (Mobile apps are not registered using the server-side JWT user token.) OAuth Services shows a login page for the user to submit credentials. false - Mobile apps are registered using the server-side JWT user token. By default true.. If this attribute is not defined in the service profile, the server does not allow mobile apps to use the server-side user token to register without a user name and password. For more information see Section 52.8.3, "Understanding Server-Side SSO For Mobile OAuth Services 2-Legged Flows." Mobile Service Settings Supported Platforms - Choose iOS, Android, and/or Others: ■ ■ ■ iOS - The authorization server accepts requests from iOS clients if selected. Android - The authorization server accepts requests from Android clients if selected. Others - The authorization server accepts requests from clients other than iOS or Android if selected. iOS Security Level - Choose Advanced or Standard: ■ Advanced - All client registrations and token acquisitions are done using both push notification and HTTP(S). Configuring OAuth Services 53-9 Configuring OAuth Services Settings ■ Standard - All client registrations and token acquisitions are done using HTTP(S) Android Security Level - Choose Advanced or Standard: ■ ■ Advanced - All client registrations and token acquisitions are done using both push notification and HTTP(S). Standard - All client registrations and token acquisitions are done using HTTP(S) Android Sender ID - Enter the GCM sender ID that is required for Android push notification. Android API Key - Enter the API key required for Android push notification. Consent Service Protection - Authorization requests are routed to the consent service, which requires the user to log in and give consent. Select OAM or Third-Party Access Management, JWT Authentication, or Social Authentication. ■ ■ ■ OAM or Third-Party Access Management - Use either Oracle Access Management or a third-party option for consent page protection. JWT Authentication - Use the OAuth server itself for consent page protection. If using the OAuth server for consent page protection, the authentication flow is determined by the User Store setting. Social Authentication - Use the Social Identity service for consent page protection. Require User Consent for Client Registration - Select this option to require the user to give authorization before registering each Mobile OAuth application installation instance on a mobile device. Enable Server-Side Single Sign-On - Determines if the server will provide single sign-on among multiple apps on the same device or if it is the client responsibility. Single sign-on is either achieved by storing a JWT user token or an OAM user token in the Server-Side Device Store, or by returning the user token to the client to manage. Server-side SSO applies to 2-legged Mobile OAuth flows only. If this option is selected, after registering the first app the server stores the user token and does not return it to the mobile device. If this option is not selected, the tokens are sent to the mobile device and are not stored in the Server Device Store. For more information, see Section 52.8, "Understanding Mobile OAuth Services Server-Side Single Sign-on." Preferred Hardware IDs - Use the list to prioritize the hardware ID attributes that should be used to uniquely identify mobile devices. The first available hardware ID from the list will be used. Mobile Client Attributes - Add or delete mobile client attributes and their values as needed if the server requires additional attributes. Configuration Settings Clients Allow access to all clients - Select if all clients in the identity domain should use this service profile. Clear this option to select which clients will be able to access the service profile. Client Table - Add to the table the clients that should be able to access the service profile. Click Browse Clients, then select the clients to add to the table. To assign a client to a different service profile, click the box to the left of the client name and click Remove. 53-10 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings Tokens (Token Settings) Use this tab to configure token settings, as well as settings for custom attribute that OAuth Services should embed in access tokens. Tokens ■ Token Name - The name of the token. ■ Expires - The length of time in minutes after which the token is no longer valid. ■ ■ ■ Refresh Token Enabled - Select this option to allow a refresh token to be used. A refresh token cannot be used with a client verification code or an authorization code. See Section 52.5, "Understanding OAuth Services Tokens" for more information. Refresh Token Expires - The length of time in minutes after which the refresh token is no longer valid. Life Cycle Enabled - Select this option if OAuth Services should cache a token and save it in the database until the token expires. Custom Attributes Use this section to define custom attributes that OAuth Services embeds in the access tokens. See Section 52.5.1, "Understanding OAuth Services Access Tokens" for more information about custom attributes. ■ ■ Static Attributes - Attribute name and value pairs where the value is fixed at the time that you define the attribute. For example, name1=value1. Dynamic Attributes - User-profile specific attributes. Resource Servers (Custom Resource Servers) Use this tab to choose which custom resource servers clients should have access to. A custom resource server is any resource server that is not the User Profile and Consent Management resource servers that are included with OAuth Services. Allow clients access to all resource servers - Select to allow clients to access all resource servers configured in the identity domain. Clear this option to select which resource servers clients will be able to access. Available Servers / Selected Servers - Use the arrows to move the resource servers that clients should be able to access from the Available Servers box to the Selected Servers box. (This option is only available if the Allow clients access to all resource servers option is not selected.) System Resource Servers Use this tab to configure if clients should have access to the user profile service and/or consent management service. User Profile Services -Use the arrows to move the user profile server that clients should be able to access from the Available Servers box to the Selected Servers box. Services listed in the Selected Servers box are active services. Consent Management Services - Use the arrows to move the consent management server that clients should be able to access from the Available Servers box to the Selected Servers box. Services listed in the Selected Servers box are active services. Configuring OAuth Services 53-11 Configuring OAuth Services Settings Trusted Issuers Use this tab to add certificate issuers who can be used to validate tokens. Click Add to add a record to the table; select a row and click Remove to delete a record from the table. Certificate Alias -The alias name. Trusted Issuer - The name of the trusted certificate issuer. Certificate Thumb Print - x5t - The base64url encoded digest of the DER encoding of the X.509 certificate corresponding to the key used to digitally sign certificates. Key identifier - kid - The key ID value that indicates which key is used to secure certificates. 53.3.3 Configuring Clients See Section 52.4.3, "Understanding Clients" for introductory information about OAuth Services Clients. The following section describes how to use the user interface to configure a Web client and a mobile client. It includes the following topics: ■ Creating a Client ■ Editing or Deleting a Client ■ Understanding the Web Clients Configuration Page ■ Understanding the Mobile Clients Configuration Page 53.3.3.1 Creating a Client 1. Access the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click the identity domain to open it. 2. Select the Clients tab. 3. Click Create and a Create Client tab will open as follows. ■ To create an OAuth Services Web (non-mobile) client, click the Create button located directly under the OAuth Web Clients heading. See Understanding the Web Clients Configuration Page. ■ To create an OAuth Services Public client, click the Create button located directly under the OAuth Public Clients heading. See Understanding the Public Clients Configuration Page. ■ To create an OAuth Services mobile client, click the Create button located directly under the OAuth Mobile Clients heading. See Understanding the Mobile Clients Configuration Page. 4. Enter the appropriate values in the form displayed under the Create Client tab. 53.3.3.2 Editing or Deleting a Client 1. Open the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click an identity domain to open it for editing. 2. Click the Clients tab. 3. Do the following: 53-12 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings ■ To edit a client configuration, click its name on the page. The client configuration page opens in a new tab. ■ To delete a client, select it by clicking the box to the left of the name and then click the delete button in the command bar. 53.3.3.3 Understanding the Web Clients Configuration Page This section describes the form fields on the Web Client Configuration page when viewing an existing Web client or creating a new one. The Mobile OAuth Client Configuration page is described in the next section. Identity Domain - The name of the identity domain in which this OAuth Web client is registered. (Read-only) Name - The name of this OAuth client. Description - (Optional) A short description to help you or another administrator identify this OAuth Web client in the future. Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with resource servers and the resource owner. See Section 52.5.1, "Understanding OAuth Services Access Tokens" for more information about custom attributes. Client ID - The unique ID that the authorization server created for this client during registration. (Read-only). Client Secret - A secret value known to the OAuth authorization service and the client. The authorization service checks the client secret and the client ID when it receives token endpoint requests from the client. HTTP Redirect URIs - The client URIs that the OAuth server is allowed to redirect the user-agent to once access is granted or denied. Privileges Bypass User Consent - If selected, the client will not ask for the user's explicit authorization to access the user's protected resources. If this option is selected, this setting overrides the resource server setting. Clear this option if the client should be subject to the resource server setting. Allow Access to all Scopes - If selected, the client can obtain an access token regardless of scope limitations for any resource server in the identity domain. Clear this option if the client should be subject to scope limitations. Allowed Scopes - Lists the range of access the client has to the requested resources. To grant additional access, click Add to add a row to the table, then choose from the drop-down menu the scope to be added. To restrict access, select the scope that you want to remove by clicking the table row, then click Delete to remove the highlighted row. Click OK at the prompt to confirm that you want to remove the selected scope. Grant Types - The OAuth 2.0 specification provides several authorization grant types for different security use-cases. Before obtaining an access token, the client must obtain an authorization grant that it can exchange with the OAuth service for an access token. Client privileges determine which clients are allowed which grant types. The following grant types are supported in OAuth Services: ■ Authorization Code - This grant type is required for 3-legged flows. The resource owner logs in using the authorization server. The token endpoint exchanges the authorization code along with client credentials for an access token. Configuring OAuth Services 53-13 Configuring OAuth Services Settings ■ ■ Resource Owner Credentials - This grant type is used for 2-legged flows. The resource owner provides the client with his or her user name and password. This is only suitable for highly trusted client applications because the client could abuse the password, or the password could unintentionally be disclosed to an attacker. Per the OAuth 2.0 specification, the authorization server and client should minimize use of this grant type and utilize other grant types whenever possible. Client Credentials - This grant type is used for 2-legged flows. The client requests an access token using only its client credentials (or another supported means of authentication). This is suitable if the client is requesting access to protected resources under its control, or those of another resource owner when previously arranged with the authorization server. In addition to the grant types defined in the OAuth 2.0 standard, the following options are also available: ■ ■ ■ ■ Refresh Token - Select this option to return a refresh token together with an access token in the token response. See Section 52.5, "Understanding OAuth Services Tokens" for more information. JWT Bearer - Allows a JWT assertion to be used to request an OAuth access token. SAML 2 Bearer - Allows a SAML2 assertion to be used to request an OAuth access token. OAM Credentials - Used to request OAM tokens, such as a master token, an access token, or an OAuth access token. Attributes Add or delete custom attributes that the authorization server returns to the client along with the scope settings. Avoid using the same name when adding custom attributes to the service profile configuration and the scope configuration. If you define the same attribute name in both locations, the scope-based attribute value takes precedence. Table 53–2 Web Client Attributes Names and Values Name Value Notes jwt.audience Space separated values. Used when the OAuth server generates a client assertion and a user assertion. The aud claim for those JWT tokens contain the defined values in this token. 53.3.3.4 Understanding the Public Clients Configuration Page This section describes the form fields on the Web Client Configuration page when viewing an existing Web client or creating a new one. The Mobile OAuth Client Configuration page is described in the next section. Identity Domain - The name of the identity domain in which this OAuth Web client is registered. (Read-only) Name - The name of this OAuth client. Description - (Optional) A short description to help you or another administrator identify this OAuth Web client in the future. Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with resource servers and the resource owner. See Section 52.5.1, "Understanding OAuth Services Access Tokens" for more 53-14 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings information about custom attributes. Client ID - The unique ID that the authorization server created for this client during registration. (Read-only). HTTP Redirect URIs - The client URIs that the OAuth server is allowed to redirect the user-agent to once access is granted or denied. Privileges Bypass User Consent - If selected, the client will not ask for the user's explicit authorization to access the user's protected resources. If this option is selected, this setting overrides the resource server setting. Clear this option if the client should be subject to the resource server setting. Allow Access to all Scopes - If selected, the client can obtain an access token regardless of scope limitations for any resource server in the identity domain. Clear this option if the client should be subject to scope limitations. Allowed Scopes - Lists the range of access the client has to the requested resources. To grant additional access, click Add to add a row to the table, then choose from the drop-down menu the scope to be added. To restrict access, select the scope that you want to remove by clicking the table row, then click Delete to remove the highlighted row. Click OK at the prompt to confirm that you want to remove the selected scope. Grant Types - The OAuth 2.0 specification provides several authorization grant types for different security use-cases. Before obtaining an access token, the client must obtain an authorization grant that it can exchange with the OAuth service for an access token. Client privileges determine which clients are allowed which grant types. The following grant types are supported in OAuth Services: ■ ■ Authorization Code - This grant type is required for 3-legged flows. The resource owner logs in using the authorization server. The token endpoint exchanges the authorization code along with client credentials for an access token. Implicit - This grant type is used for 2-legged flows. The resource owner provides the client with his or her user name and password. This is only suitable for highly trusted client applications because the client could abuse the password, or the password could unintentionally be disclosed to an attacker. Per the OAuth 2.0 specification, the authorization server and client should minimize use of this grant type and utilize other grant types whenever possible. Attributes Add or delete custom attributes that the authorization server returns to the client along with the scope settings. Avoid using the same name when adding custom attributes to the service profile configuration and the scope configuration. If you define the same attribute name in both locations, the scope-based attribute value takes precedence. 53.3.3.5 Understanding the Mobile Clients Configuration Page This section describes the form fields on the Mobile Client Configuration page when viewing an existing Mobile client or creating a new one. The OAuth Web Client Configuration page is described in the previous section. Identity Domain - The name of the identity domain in which this OAuth mobile client is registered. (Read-only) Name - The name of this OAuth client. Configuring OAuth Services 53-15 Configuring OAuth Services Settings Description - (Optional) A short description to help you or another administrator identify this OAuth mobile client in the future. Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with resource servers and the resource owner. See Section 52.5.1, "Understanding OAuth Services Access Tokens" for more information about custom attributes. Client ID - The unique ID that the authorization server created for this client during registration. (Read-only). Jailbreaking Detection - Select to enable jail breaking detection for mobile devices. See Section 52.4.8, "Understanding Jailbreak Detection Policy" for more information. Mobile Redirect URIs - The client URIs that the OAuth server is allowed to redirect the user-agent to once access is granted or denied. Privileges Bypass User Consent - If selected, the client will not ask for the user's explicit authorization to access the user's protected resources. If this option is selected, this setting overrides the resource server setting. Clear this option if the client should be subject to the resource server setting. Allow Access to all Scopes - If selected, the client can obtain an access token regardless of scope limitations for any resource server in the identity domain. Clear this option if the client should be subject to scope limitations. Allowed Scopes - Lists the range of access the client has to the requested resources. To grant additional access, click Add to add a row to the table, then choose from the drop-down menu the scope to be added. To restrict access, select the scope that you want to remove by clicking the table row, then click Delete to remove the highlighted row. Click OK at the prompt to confirm that you want to remove the selected scope. Grant Types - The OAuth 2.0 specification provides several authorization grant types for different security use-cases. Before obtaining an access token, the client must obtain an authorization grant that it can exchange with OAuth Services for an access token. Client privileges determine which clients are allowed which grant types. The following grant types are supported in OAuth Services: ■ ■ ■ ■ ■ Authorization Code - This grant type is required for 3-legged flows. The resource owner logs in using the authorization server. The token endpoint exchanges the authorization code along with client credentials for an access token. Resource Owner Credentials - This grant type is used for 2-legged flows. The resource owner provides the client with his or her user name and password. This is only suitable for highly trusted client applications because the client could abuse the password, or the password could unintentionally be disclosed to an attacker. Per the OAuth 2.0 specification, the authorization server and client should minimize use of this grant type and utilize other grant types whenever possible. Client Credentials - This grant type is used for 2-legged flows. The client requests an access token using only its client credentials (or another supported means of authentication). This is suitable if the client is requesting access to protected resources under its control, or those of another resource owner when previously arranged with the authorization server. Refresh Token - Select this option to return a refresh token together with an access token in the token response. See Section 52.5, "Understanding OAuth Services Tokens" for more information. JWT Bearer - Allows a JWT assertion to be used to request an OAuth access token. 53-16 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings ■ ■ ■ SAML 2 Bearer - Allows a SAML2 assertion to be used to request an OAuth access token. OAM Credentials - Used to request OAM tokens, such as a master token, an access token, or an OAuth access token. Client Verification Code - Used by mobile clients to request a pre-verification code from OAuth server, which subsequently gets used mobile client flows. Apple Push Notification Applies to iOS devices only. The OAuth authorization server can restrict token delivery to a specific app installed on a specific mobile device by sending part of the client registration handle through HTTPS, and sending the other part through push notification using the Apple Push Notification Service (APNS). Use the following fields to configure how the OAuth server connects to APNS for this specific client app. Connection Settings - Select Enabled to send a portion of security codes and tokens to the mobile client app using APNS. (The portions not sent using APNS are sent using HTTPS.) Clear this option if you do not want to use APNS for this mobile client app. Minimum Connection Pool Size - Specifies the minimum number of connections in the connection pool. Maximum Connection Pool Size - Specifies the maximum number of connections in the connection pool. Keep Alive - The Apple Push Notification keep alive value in seconds. Certificate for APNS Communication Setup - Choose Development to use the Apple development environment for initial development and testing of the application; choose Production to use Apple's production environment. SSL/TLS Certificate for Development - Click Browse to navigate to the development SSL/TLS certificate issued by Apple for the Apple Push Notification Service. Development Certificate Password - Type the development password for the Apple Push Notification certificate. SSL/TLS Certificate for Production - Click Browse to navigate to the production SSL/TLS certificate issued by Apple for the Apple Push Notification Service. Production Certificate Password - Type the production password for the Apple Push Notification certificate. Google Application Settings Applies to Android devices only. The OAuth authorization server can restrict token delivery to a specific app installed on a specific mobile device by sending part of the client registration handle through HTTPS, and sending the other part through push notification using Google Cloud Messaging (GCM) for Android. Use the following fields to configure how the OAuth server connects to the GCM service for this specific client app. Restricted Package Name - The Google restricted package name. Mobile Service Settings Override the default settings - By enabling Override the default settings in a Mobile Client profile, an administrator can set the security level and enable server-side single sign on at the client level. When set, these client settings over ride same settings at the OAuth Services Service Profile mobile configuration setting. This can be used if a Configuring OAuth Services 53-17 Configuring OAuth Services Settings particular client in an identity domain needs a behavior that is different from what is defined in the OAuth Services Service Profile. Configuration Settings Device Claim Attributes - Specifies the device attributes that the system should collect for device fingerprinting. If empty, the system collects every attribute in the SDK. Mobile Custom Attributes - Specifies key-value pairs that should be sent to mobile applications using app profiles. (Mobile applications request app profiles that contain server-side settings, including endpoints, jail break detection policies, and security level details. Attributes Add or delete custom attributes that the authorization server returns to the client along with the scope settings. Avoid using the same name when adding custom attributes to the service profile configuration and the scope configuration. If you define the same attribute name in both locations, the scope-based attribute value takes precedence. 53.3.4 Configuring the Service Provider See Section 52.4.4, "Understanding Service Providers" for introductory information about Service Providers. The following section describes how to use the user interface to configure a Service Provider. It includes the following topics: ■ Editing or Deleting the Service Provider ■ Understanding the Service Provider Configuration Page Note: Only one Service Provider can be configured at a time. 53.3.4.1 Editing or Deleting the Service Provider 1. Access the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click the identity domain to open it for editing. 2. Select the Service Providers tab. 3. Do the following: ■ ■ To edit a service provider, click its name in the table. To delete a service provider, select it by clicking the box to the left of the name and then click the delete button in the command bar. 53.3.4.2 Understanding the Service Provider Configuration Page This section describes the form fields on the Service Provider Configuration page. Identity Domain - The name of the identity domain with which this Service Provider is registered. (Read-only) Name - The name of this service provider. Description - (Optional) A short description to help you or another administrator identify this service provider. Service Provider Java Class - The Java class that implements this service provider. 53-18 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings Attributes Use the attribute settings in Table 53–3 to configure the Service Provider connection with Access Manager. Table 53–3 OAuth Service Provider Attributes for Access Manager Name Value Notes oam.OAM_VERSION OAM_11G Either OAM_11G or OAM_10G, depending on the Oracle Access Manager version in use. oam.Webgate_ID accessgate-oic oam.ENCRYPTED_PASSWORD oam.DEBUG_VALUE 0 oam.TRANSPORT_SECURITY OPEN Specify the method for encrypting messages between this AccessGate and the Access Servers. The encryption methods need to match. Valid values include: ■ OPEN ■ SIMPLE ■ CERT To update these settings, see Section 49.9.1.1, "Configuring Mobile and Social Services to Work With Access Manager in Simple and Certificate Mode." oam.OAM_SERVER_1 localhost:5575 oam.OAM_SERVER_1_MAX_CONN 4 oam.OAM_SERVER_2 Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_ SERVER_1. The default value is 4. oam_server_2:5575 Specify the host name and port number of the secondary Oracle Access Management server. oam.OAM_SERVER_2_MAX_CONN 4 oam.AuthNURLForUID Specify the host name and port number of the primary Oracle Access Management server. Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_ SERVER_2. The default value is 4. wl_ authen://sample_ ldap_no_pwd_ protected_res Configuring OAuth Services 53-19 Configuring OAuth Services Settings Table 53–3 (Cont.) OAuth Service Provider Attributes for Access Manager Name Value Notes oam.OAM_LOCAL_MODE true Specifies if Mobile and Social should use "local mode" or "remote mode" to communicate with the OAM server. If the attribute value is set to false, Mobile and Social communicates with OAM over TCP/IP. If set to true (or if this attribute is undefined), Mobile and Social uses a direct connection to communicate with OAM. Prior to version 11.1.2.3, Mobile and Social only communicated with OAM using TCP/IP (that is, remote mode). Now communication defaults to local, which is faster. To configure Mobile and Social to communicate with OAM 10g, set the OAM_LOCAL_MODE attribute to false. 53.3.5 Configuring Custom Resource Servers See Section 52.4.5, "Understanding Resource Servers" for introductory information about Resource Servers. The following section describes how to use the user interface to configure a Resource Server. It includes the following topics: ■ Creating a Custom Resource Server ■ Editing or Deleting a Resource Server ■ Understanding the Custom Resource Servers Configuration Page OAuth Services provides two out-of-the-box services modeled as Resource Servers and protected with an Access Token. For configuration information on the User Profile Services and Consent Management Services Resource Servers, see Configuring User Profile Services and Configuring Consent Management Services respectively. 53.3.5.1 Creating a Custom Resource Server 1. Access the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click the identity domain to open it. 2. Select the Resource Servers tab. 3. To define a new resource server for use with OAuth Services, click the Create button in the Custom Resource Servers section. The Custom Resource Server Configuration page opens. 53.3.5.2 Editing or Deleting a Resource Server 1. Access the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click the identity domain to open it for editing. 2. Click the Resource Servers tab. 3. To open a configured custom Resource Server for editing, click its name in the Custom Resource Servers table. The Custom Resource Server Configuration page opens. 53-20 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings 53.3.5.3 Understanding the Custom Resource Servers Configuration Page Identity Domain - The name of the identity domain to which this resource server applies. (Read-only) Name - The name of this resource server (or resource service). Description - (Optional) A short description to help you or another administrator identify this resource server in the future. Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with clients and the resource owner. See Section 52.5.1, "Understanding OAuth Services Access Tokens" for more information about custom attributes. Authorization & Consent Service Plug-in - From the menu, choose an authorization plug-in for the resource server. This plug-in type defines security policy around interactions where authorization and user consent are granted. It can influence claims in a generated token as well. See Section 52.4.6, "Understanding Plug-Ins" for plug-in descriptions. Audience Claim - Identifies the audiences for which the OAuth token is intended. Each principal intended to process the OAuth token must identify itself with a value in Audience Claim. Resource Server ID - The unique ID created for this resource server during registration. (Once the resource server configuration is saved, this field cannot be changed.) Scopes Click Add to add a new row to the scopes table. Click to select a row, then click Delete to remove it. Name - Type a scope definition. Use dot notation, for example: photo.read Description - Type a short note that describes the scope. Require User Consent - Select to require the authorization server to display a user consent form so that the user can approve (or deny) the access request. Offline Scope - Allows client applications to request a refresh token that can be used to obtain an access token even when the user is offline or not present. Client applications use the refresh token to get a new access token to access resources. See Section 52.5, "Understanding OAuth Services Tokens" for more information. Token Settings Override the default settings - Select this option if the token settings defined on the resource server configuration page should override the default token settings defined on the OAuth Services profile page. Token Name - The name of the token. Expires - The length of time in minutes after which the token is no longer valid. Refresh Token Expires - The length of time in minutes after which the refresh token is no longer valid. Custom Attributes Use this section to define custom attributes that OAuth Services embeds in the access tokens. See Section 52.5.1, "Understanding OAuth Services Access Tokens" for more information about custom attributes. Configuring OAuth Services 53-21 Configuring OAuth Services Settings ■ ■ Static Attributes - Attribute name and value pairs where the value is fixed at the time that you define the attribute. For example, name1=value1. Dynamic Attributes - User-profile specific attributes. 53.3.6 Configuring User Profile Services See Section 52.4.5.1, "Understanding User Profile Services" for introductory information about the User Profile Services. The following section describes how to use the console to configure an instance for the User Profile Services. ■ Creating a New User Profile Service ■ Editing the User Profile Service ■ Understanding the User Profile Services Configuration Page 53.3.6.1 Creating a New User Profile Service 1. Open the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click the identity domain to open it. 2. Click the Resource Servers tab. 3. Click the Create button in the User Profile Services section. The User Profile Services Configuration page opens. 53.3.6.2 Editing the User Profile Service 1. Open the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click the identity domain to open it for editing. 2. Click the Resource Servers tab. 3. In the User Profile Services section, click the service name to edit it. The User Profile Services Configuration page opens. 53.3.6.3 Understanding the User Profile Services Configuration Page Use this page to configure the User Profile Service. This service supports OAuth 2.0 authorization and allows clients to interact with a back-end directory server and perform User Profile REST operations on Person, Group, and Relationship entities. Identity Domain - The name of the identity domain to which this service profile applies. (Read-only) Name - The name of this service profile. Description - (Optional) A short description to help you or another administrator identify this service profile in the future. Service Enabled - Select to enable the service, or clear the option box to disable it. Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with clients. If enabled, the user consent form notifies the user that user-profile-specific details will be shared with the client. See Section 52.5.1, "Understanding OAuth Services Access Tokens" for more information about custom attributes. 53-22 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings Audience Claim - Identifies the audiences that the OAuth token is intended for. Each principal intended to process the OAuth token must identify itself with a value in audience claim. Resource Server ID - The unique ID that OAuth Services created for this User Profile resource server. (Read-only) Service Endpoint - The URI where the service receives and responds to create, read, update, and delete user profile service requests. Create a unique uniform resource identifier (URI) address for this service; for example, localhost:5575 Authorization & Consent Service Plug-in - From the menu, choose an authorization plug-in for the service. This plug-in type defines security policy around interactions where authorization and user consent are granted. It can influence claims in a generated token as well. See Section 52.4.6, "Understanding Plug-Ins" for plug-in descriptions. Protected by OAuth Service Profile - From the menu, choose the OAuth service profile that protects the user profile service. Identity Store Name - The name of the identity store that contains the user records. Scopes Security Protection Configure individual permission settings for person, relationship, and group entities. Click Add to add a record to the table; select a row and click Delete to remove the record. The service uses the following default entity names: URI - The URI segment for which the scope is defined. ■ /me - Designates operations that apply to the user logged in to the client ■ /users - Designates operations that apply to other users ■ /groups - Designates operations that apply to groups ■ /secretkey - Designates operations that apply to secret key management Service Enabled - Select to enable the service for this scope. Allow Read - Select to allow read operations for this scope. Allow Write - Select to allow write operations for this scope. Unprotected - Select this option if you do not want to limit access, or clear this option to limit access by scope. OAuth Scope - Type a scope definition. Use dot notation, for example: UserProfile.me.write Description - Type a short note that describes the scope. Require User Consent - Select to require the authorization server to display a user consent form so that the user can approve (or deny) the access request. Identity Attributes of the Selected Scope - Click an entity row in the Security Protection table to view the Attribute table for that entity. Click Add to add a record to the table; select a row and click Delete to remove the record. Offline Scope - Allows client applications to request a refresh token that can be used to obtain an access token even when the user is offline or not present. Client applications use the refresh token to get a new access token to access resources. See Section 52.5, "Understanding OAuth Services Tokens" for more information. Configuring OAuth Services 53-23 Configuring OAuth Services Settings Token Settings Override the default settings - Select this option if the token settings defined on the resource server configuration page should override the default token settings defined on the OAuth Services profile page. Token Name - The name of the token. Expires - The length of time in minutes after which the token is no longer valid. Refresh Token Expires - The length of time in minutes after which the refresh token is no longer valid. Proxy Authentication Select Proxy Authentication to allow the identity of a user using a web application (also known as a "proxy") to be passed through the application to the database server. Oracle Unified Directory (OUD) and Active Directory (AD) support proxy authentication. The Access Control option is simply to provide Proxy Authentication support for directory servers that do not have it built in. See Section 52.4.5.1.1, "Using Proxy Authentication" for more details. Attributes Use this section to define user-profile specific (dynamic) attributes. Table 53–4 User Profile Service Attributes Name Value accessControl false adminGroup cn=Administrators,ou=groups,ou=myrealm,dc=base_domain selfEdit true Resource URIs Use this section to enable or disable the /me, /users, /groups, /secretkey services, and define the service endpoint URIs and provider implementation class paths for these services. Service Endpoint - The URI where the service receives and responds to service requests. Create a unique uniform resource identifier (URI) address for this service; for example, localhost:5575 Entities Use the fields in this section to configure entity relationships. ■ ■ ■ Name - The name of the defined entity relationship. Identity Directory Service Relation - Choose the directory service relationship that is to be accessed by the relationship End Point segment. End Point - Type an entity relationship URI segment that will be used to access a corresponding data column in the Identity Directory service. For example, if memberOf is the End Point URI, then: http://:/.../idX/memberOf would be the URI to access related entities of an entity with ID idX. ■ Source Entity URI - The URI (or URL) of the source entity. ■ Destination Entity URI - The URI (or URL) of the destination entity. 53-24 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings ■ Scope for Requesting Recursion - Use Scope attribute values with the scope query parameter to retrieve a nested level of attributes in a relationship search. To access related entities recursively, type the value to be used. The default configuration uses two scope attribute values: toTop and all. If the Scope for Requesting Recursion value is the attribute value all, then the following REST URI example is used to make the request: http://host:port/.../idX/reports?scope=all In this example, the URI returns the entities related to the entity with ID idX, as well as all further related entities. Attributes Use this section to define user-profile entity specific (dynamic) attributes. 53.3.7 Configuring Consent Management Services See Section 52.4.5.2, "Understanding Consent Management Services" for introductory information about the Consent Management Services. The following section describes how to use the user interface to configure the Consent Management Services. ■ Creating a New Consent Management Service ■ Editing an Existing Consent Management Service ■ Understanding the Consent Management Services Configuration 53.3.7.1 Creating a New Consent Management Service 1. Access the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click the identity domain to open it. 2. Click the Resource Servers tab. 3. Click the Create button in the Consent Management Services section. The Consent Management Service Configuration page opens. 53.3.7.2 Editing an Existing Consent Management Service 1. Access the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click the identity domain to open it for editing. 2. Click the Resource Servers tab. 3. In the Consent Management Services section, click the service name to edit it. The Consent Management Service Configuration page opens. 53.3.7.3 Understanding the Consent Management Services Configuration The Consent Management Services handle consent storage, retrieval, revocation, and consent validation operations. Identity Domain - The name of the identity domain to which this consent management service applies. (Read-only) Name - The name of this consent management service. Description - (Optional) A short description to help you or another administrator identify this service in the future. Configuring OAuth Services 53-25 Configuring OAuth Services Settings Service Enabled - Select to enable the service, or clear the option box to disable it. Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with clients, resource servers, and the resource owner. Audience Claim - Identifies the audiences that the OAuth token is intended for. Each principal intended to process the OAuth token must identify itself with a value in audience claim. Resource Server ID- The unique ID that the authorization server created for this resource server during registration. (Read-only) Service Endpoint - The URL where the Consent Management Service receives and responds to client and resource owner service requests. Authorization & Consent Service Plug-in - From the menu, choose an authorization plug-in for the service. This plug-in type defines security policy around interactions where authorization and user consent are granted. It can influence claims in a generated token as well. See Section 52.4.6, "Understanding Plug-Ins" for plug-in descriptions. Protected by OAuth Service Profile - From the menu, choose the OAuth service profile that protects the consent management service. Scopes Security Protection Configure individual permission settings. Click Add to add a record to the table; select a row and click Delete to remove the record. The service uses the following default entity names: URI - The URI segment for which the scope is defined. ■ /retrieve ■ /grant ■ /revoke Allow Read - Select to allow read operations for this scope. Allow Write - Select to allow write operations for this scope. Unprotected - Select this option if you do not want to limit access, or clear this option to limit access by scope. OAuth Scope - Type a scope definition. Use dot notation, for example: UserProfile.me.write Description - Type a short note that describes the scope. Require User Consent - Select to require the authorization server to display a user consent form so that the user can approve (or deny) the access request. Offline Scope - Allows client applications to request a refresh token that can be used to obtain an access token even when the user is offline or not present. Client applications use the refresh token to get a new access token to access resources. See Section 52.5, "Understanding OAuth Services Tokens" for more information. Token Settings Override the default settings - Select this option if the token settings defined on the resource server configuration page should override the default token settings defined on the OAuth service profile page. 53-26 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings Token Name - The name of the token. Expires - The length of time in minutes after which the token is no longer valid. Refresh Token Expires - The length of time in minutes after which the refresh token is no longer valid. Attributes Use this section to define custom attributes Resources URIs Use this section to enable or disable the retrieve, grant, and revoke services. You can also define the service endpoint URIs and provider implementation class paths for these services. Service Endpoint - The URI where the service receives and responds to requests. Create a unique URI address for this service. Service Enabled - Select to enable the service, or clear the option box to disable it. Attributes Use this section to define consent management entity-specific (dynamic) attributes. 53.3.8 Configuring Plug-Ins Use this page to configure security plug-ins. See Section 52.4.6, "Understanding Plug-Ins" for plug-in descriptions. 53.3.8.1 Creating a new Plug-in 1. Access the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click the identity domain to open it. 2. Click the Plug-ins tab. 3. Click the Create button in one of the plug-in category sections. The Plug-in Configuration page opens. 53.3.8.2 Understanding the Plug-in Configuration Page Use this page to add a plug-in to an Identity Domain or edit an existing plug-in configuration. Only some of the fields listed below will apply to the plug-in you are configuring. Identity Domain - The name of the identity domain where the plug-in is located. Name - The name of the plug-in. Description - (Optional) A short description to help you or another administrator identify this plug-in in the future. Implementation Class - Choose the class from the menu that implements the plug-in interface. Applies to the Mobile Client Plug-in Configuration page, the Mobile Resource Server Plug-in Configuration page, and the Mobile Authorization & Consent Service Plug-in Configuration page. See the Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details. Configuring OAuth Services 53-27 Configuring OAuth Services Settings Interface Class - Lists the interface class for this plug-in. Applies to the Mobile Client Plug-in Configuration page, the Mobile Resource Server Plug-in Configuration page, and the Mobile Authorization & Consent Service Plug-in Configuration page. Security Handler Class - Choose the Java class that defines the Security Handler Plug-in. Applies to the Mobile Adaptive Access Plug-in Configuration page and the Mobile Custom Token Attributes Plug-in Configuration page. Mobile Security Manager Plug-in Class - Choose the Java class that defines the Mobile Security Manager Plug-in. Applies to the Mobile Security Manager Plug-in Configuration page only. MSM Device Inventory Attributes Precedence - When enabled, if both the Mobile Security Manager (MSM) component and the Mobile OAuth server supply a value for the same device attribute, the value supplied by the Mobile Security Manager is used. If the attribute value from the MSM component is not available, the value from the Mobile OAuth server is used instead. MSM Attributes - Lists the attributes that the Mobile Security Manager plug-in harvests from mobile devices. The first column lists the mobile device attributes that the Mobile Security Manager component collects. The second column lists the mobile device attributes that the Mobile OAuth server collects during mobile app requests. If the same device attribute is available from both the MSM component and the server, both are listed in the same row. (For example, the MSM attribute "imei" appears in column one, and the matching server attribute "oracle:idm:claims:client:imei" appears in column two of the same row.) For a list of the device attributes that the Mobile OAuth server collects during app requests, open the OAuth Mobile Client Configuration page and locate the Device Claim Attributes list in the Configuration Settings section. To add additional attributes, click Add to add a row at the bottom of the table, and enter the attribute name. (Enter attributes sourced from Mobile Security Manager in the first column, and attributes from the Mobile OAuth server in the second column. Enter attributes one per row unless the attributes are equivalent and should be mapped to one another.) Attributes - Use this section to define custom plug-in attributes. 53.3.9 Configuring Server Settings Use the Server Settings Configuration page to configure general server settings for the identity domain named. See Section 48.1.2, "Deploying Mobile and Social" for information about deploying Mobile and Social with a WebGate. Note: Identity Domain - The name of the identity domain to which the settings on this configuration page apply. (Read-only) HTTP Proxy Settings Configure the following settings if a proxy server is in place between the OAuth Token Service (the Push Service) and the Apple Push Notification Service (APNS) or Google Cloud Messaging (GCM) service. Proxy URL - Choose the protocol to use to connect to the proxy server (HTTP or HTTPS), then type the proxy server host name and port number. Proxy Authentication - Type the user name and password required to authenticate with the proxy server. 53-28 Administrator's Guide for Oracle Access Management Configuring OAuth Services Settings Apple Push Notification Configure the default values that should be used for this identity domain. Use the OAuth Mobile Client Configuration page to customize these settings on an app by app basis. Minimum Connection Pool Size - Specifies the minimum number of connections in the connection pool. Maximum Connection Pool Size - Specifies the maximum number of connections in the connection pool. Keep Alive - The Apple Push Notification keep alive value in seconds. Token Life Cycle Management Maximum Search Results - Specify the maximum number of token entry search results that should be returned on the Token Life Cycle Management page. Attributes Attributes - Use this section to define custom attributes. Table 53–5 OAuth Server Settings Attributes Name Value Notes wgAuthnUserHeader OAM_REMOTE_USER This attribute usage is optional. If an OAM Webgate is front ending/proxying requests to an OAuth server, set this attribute. The OAM Webgate sets the OAM_REMOTE_ USER header to identify the authenticated user. If a deployment uses another header name instead of OAM_REMOTE_USER, then this attribute needs to be set with that header name. 53.3.10 Configuring the Jailbreak Detection Policy See Section 52.4.8, "Understanding Jailbreak Detection Policy" for introductory information about the jail breaking detection policy. The following section describes how to use the user interface to configure the policy. Jailbreak Detection - Select Enabled to turn the Jailbreaking Detection Policy on, or clear this option to turn it off for all client application instances. If you enable the Jailbreaking Detection Policy here, you can disable it on an application by application basis. If you disable the Policy here, you cannot enable or disable the feature on an application by application basis. Policy Statements Use the buttons in the menu to add, delete, and re-order policy statements. Order - The sequential row number assigned to each row in the table. Enabled - Select this option to activate the policy statement condition. Minimum OS Version - The minimum iOS version to which the policy applies. If the value is 1.0, the policy will apply to iOS devices running at least version 1.0 of iOS. Maximum OS Version - The maximum iOS version to which the policy applies. If the value is empty, a maximum iOS version number is not checked so the policy applies to Configuring OAuth Services 53-29 Configuring OAuth Services Settings any iOS version higher than the value specified for Min OS Version. Once set you cannot remove the value and leave this field empty. Minimum Client SDK Version - The minimum Mobile and Social Client SDK version number. For example, 11.1.2.0.0. Maximum Client SDK Version - The maximum Mobile and Social Client SDK version number. For example, 11.1.2.3.0. Details - Additional details about the Jailbreak Detection Policy policy statement. Hover the mouse over the info icon to view the details in a pop-up. Policy Statement Conditions Click to select a row in the table to view or edit its values in this section. See the previous section (Policy Statements) for field descriptions. Policy Statement Detection Logic Policy Expiration Duration - Type the length of time in seconds that the SDK on the mobile client device should wait before expiring the local copy of the policy and retrieving a newer version. Auto Check Period - Type the interval of time in minutes that the client device should wait before executing the Jailbreaking Detection Policy statements again. Detection Location - The iOS client device uses a logical-OR operator to evaluate Policy statements. Add a Detection Location as follows: ■ ■ ■ File Path - Type the absolute path to the file or directory on the device for which the Detection Policy should search. Action - Select Exists which instructs the Detection Policy to evaluate whether it can access a file path. Success - Select if the Policy should flag the device as jail broken if the specified files or directories are found on the device. Use this option if the policy is checking for unauthorized files or directories. Clear this option if the Policy should flag the device as jail broken if the specified files or directories are not found. (Use this option if checking for required files or directories.) 53.3.11 Configuring Token Life Cycle Management Use this screen to search for and revoke tokens that have been issued. You can search for tokens using criteria such as user ID, client ID/name, client IP address, service profile, assertion token category, and token creation/expiration time. Enter your criteria and click Search. The maximum number of token entry search results returned is determined by the Maximum Search Results setting on the OAuth Server Settings page. Search Criteria Identity Domain - The name of the identity domain that you are searching for tokens. (Read only) User - Specify an LDAP UID (john.smith) or an LDAP Fully Qualified DN (cn=jane.smith,dc=example,dc=com) to search by. Client - Specify a client ID to search for tokens by. Client IP Address - Specify a client IP address (for example, 192.168.100.1) to search for tokens by 53-30 Administrator's Guide for Oracle Access Management Configuring OAuth Services for Third-Party JWT Bearer Assertions Service Profile - Choose a profile from the menu, or leave this selection empty. Assertion Token Category - Choose a category from the menu, or leave this selection empty. Token Issued - Search for tokens by the date and time that they were issued. Token Expiring at - Search for tokens by the date and time that they expire. Mobile Device Claim Attributes IMEI - Specify the unique 15-digit IMEI (International Mobile Equipment Identity) code to search by. The IMEI can be displayed on most mobile handsets by dialing *#06#. MAC Address - Specify the unique MAC (Media Access Control) address to search by. Phone Number - Specify a phone number to search by. 53.4 Configuring OAuth Services for Third-Party JWT Bearer Assertions OAuth Services accepts third-party (non-Oracle) JWT assertions. You must, however, configure a trust relationship by adding the third-party’s certificate into the OAuth Services Service Profile keystore. OAuth Services uses the keystore to verify the JWT assertion’s digital signature. Create a separate keystore for each Service Profile that needs its own signing certificate. This section covers the following topics: ■ Understanding the Default Service Profile Keystore ■ Creating a Non-Default Keystore for a Service Profile ■ Configuring a Third-Party JWT Trust Issuer 53.4.1 Understanding the Default Service Profile Keystore The role of the Service Profile is described in Section 52.4.2, "Understanding Service Profiles" The default Service Profile (OAuthServiceProfile) created in the DefaultDomain uses the Java Keystore (JKS) included with Oracle Access Management. It consists of the following files. Table 53–6 Default OAuth JKS Keystore File and Settings File File Path JKS keystore file $DOMAIN_HOME/config/fmwconfig/default-keystore.jks Keystore settings file $DOMAIN_HOME/config/fmwconfig/jps-config.xml Oracle Web Services Manager also uses the default-keystore.jks service. For details see Section 44.2.2, "About the Oracle Web Services Manager Keystore (default-keystore.jks)." Note: You can use the following Java keytool command to list all of the private key and certificate information in the default keystore (default-keystore.jks). keytool -list -keystore default-keystore.jks Configuring OAuth Services 53-31 Configuring OAuth Services for Third-Party JWT Bearer Assertions When a new key is added to the OAM keystore, the OAM server needs to be restarted since keystore changes are not automatically refreshed. Note: Use the following procedure to find the keystore credential with Oracle Enterprise Manager Fusion Middleware Control Console. 1. Login to the Oracle Enterprise Manager Fusion Middleware Control Console. http://host_name.domain_name:port_number/em 2. Navigate through WebLogic Domain --> . is the name of the domain in which the information is stored. 3. Click on the WeblogicDomain found in the right corner. 4. Select System MBean Browser ---> com.oracle.jps ---> Server:oam_server1 ---> JPS Credential Store. 5. Navigate through JPS Credential Store Mbean --> Operations --> getPortableCredentialMap. 6. Enter the p1 parameter as oracle.wsm.security. 7. Click Invoke. 8. Expand Data Element2. The password value is displayed. 53.4.2 Creating a Non-Default Keystore for a Service Profile The steps in this section describe how to: ■ Create a separate keystore to store the third-party’s certificates ■ Import the certificates into the keystore ■ Configure the keystore ■ Create a CSF Entry for the keystore service instance ■ Add the keystore service to the appropriate Service Profile Any changes made during this procedure require a restart of the OAM server. Note: Create the Keystore Create a new Java Keystore (JKS) using the keytool utility that is distributed with the Java JDK. 1. Go to $JDK_HOME/jdk/bin and open a prompt. 2. Using keytool, generate a key pair: keytool -genkeypair -keyalg RSA -dname dname -alias aliasname -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid Where: 53-32 Administrator's Guide for Oracle Access Management Configuring OAuth Services for Third-Party JWT Bearer Assertions ■ dname is the X.500 Distinguished Name to be associated with alias, and is used as the issuer and subject fields in the self-signed certificate. This can be any string as long as it's in the correct format (for example, cn=spaces,dc=example,dc=com). ■ aliasname is a short name that identifies the new keystore entry ■ key_password is the password for the new public key ■ keystore is the keystore name, (for example, oauth-xyz-keystore.jks) ■ keystore_password is the keystore password ■ days_valid is the number of days for which the certificate should be considered valid (for example, 1064). Example 53–1 Creating the Keystore keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias oauthkey -keypass password123 -keystore oauth-xyz-keystore.jks -storepass passwordxyz -validity 1064 Load the Certificates Into the Keystore Use the keytool utility to import the certificates into the keystore. 1. Using keytool, type the following command: keytool -importcert -alias aliasname -file certfile -keystore keystore -storepass keystore_password Where: ■ aliasname is a short name that identifies the keystore ■ certfile is the file containing the certificates to load ■ keystore is the keystore name, (for example, oauth-xyz-keystore.jks) ■ keystore_password is the keystore password Example 53–2 Loading the Certificates keytool -importcert -alias oauthkey_123 -file samplekey.cer -keystore oauth-xyz-keystore.jks -storepass passwordxyz Add the Keystore Instance to jps-config.xml Configure the keystore service and update the credential store so that OAM can read the keystore and keys correctly. In the jps-config.xml keystore settings file, add the following new keystore service instance in the element. 1. In a text editor, open the keystore settings file: $DOMAIN_HOME/config/fmwconfig/jps-config.xml 2. Find the node for the keystore.provider Provider, and add the following: Configuring OAuth Services 53-33 Configuring OAuth Services for Third-Party JWT Bearer Assertions Where: ■ service-instance-name = Any service-instance-name ■ keystore-location = Path to the keystore file Example 53–3 Update jps-config.xml 3. Find the node and add the new service instance into the default context section. (Do not remove any pre-existing service instances.) The following example shows the addition of a element with a ref to the oauth-xyz-keystore.db service instance (defined in the previous step). Example 53–4 Adding the new Service Instance ... other serviceInstanceRef elements ... Create a CSF Entry for the Keystore Service Instance Use the following WLST commands to create the necessary Credential Store Framework (CSF) entries. Restart the server when you are done. createCred(map="oracle.wsm.security", key="sign_csf_key", user="alias_ name", password=keystore_password, desc="Description of the signing key credential") createCred(map="oracle.wsm.security", key="enc_csf_key", user="alias_ name", password=keystore_password, desc="Description of the encryption key credential") createCred(map="oracle.wsm.security", key="keystore_csf_key", user="oauth", password=keystore_password, desc="Description of the keystore credential") Where: ■ sign_csf_key = the password for the signing key ■ alias_name = the alias name for the key ■ keystore_password = the keystore password 53-34 Administrator's Guide for Oracle Access Management Configuring OAuth Services for Third-Party JWT Bearer Assertions ■ enc_csf_key = the password for the encryption key ■ keystore_csf_key = the password for the keystore Example 53–5 Creating Credential Store Entries createCred(map="oracle.wsm.security", key="oauth-sign-csf-key", user="ms-oauth-key", password=passwordxyz, desc="Signing key credential") createCred(map="oracle.wsm.security", key="oauth-enc-csf-key", user="ms-oauth-key", password=passwordxyz, desc="Encryption key credential") createCred(map="oracle.wsm.security", key="keystore_csf_key", user="oauth", password=passwordxyz, desc="Keystore credential") Add the Provider Service Name to the Service Profile Apply the updated configuration to the Service Profile. See Section 53.3.2.1, "Creating a Service Profile" if you have not yet created an OAuth Service Profile for the third-party service. 1. Access the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click the identity domain to open it for editing. 2. Click the Service Profiles tab. 3. Click the Service Profile name in the table. 4. Expand the Attributes section. 5. Add the keystore service information you configured in Example 53–4, "Adding the new Service Instance" to the Attributes table using the keystore.service name. Refer to the following screen capture. Configuring OAuth Services 53-35 Configuring OAuth Services for Third-Party JWT Bearer Assertions 53.4.3 Configuring a Third-Party JWT Trust Issuer This section describes how to configure OAuth Services to support specific JSON Web Token (JWT) issuers. All Trusted Issuers must be defined so the OAM Server can validate the token, the thumbprint (x5t) and the key identifier based on this configuration. If there is a trusted entry already available with the same claim, header values and alias name, that entry will be used. 1. Access the Identity Domains page as described in Section 53.2, "Configuring OAuth Services Components in an Identity Domain" and click the identity domain to open it for editing. 2. Click the Service Profiles tab. 3. Click the Service Profile name in the table. In this example, OAuthServiceProfile. 4. Expand the Configuration Settings section and click the Trusted Issuers tab. 5. Configure the following and click Apply. ■ The certificate alias ■ The URL of the Trusted Issuer ■ The key identifier (KID) of the certificate alias. ■ The X.509 Certificate Thumbprint 53-36 Administrator's Guide for Oracle Access Management Configuring a WebGate to Protect OAuth Services Figure 53–4 is a screenshot of the OAuth Services Service Profile Configuration Page where Trusted Issuers are defined under the Configuration Settings heading. Three Trusted Issuers are configured in it and the following is true of these configurations. ■ ■ ■ If a request comes with an assertion in which the Trusted Issuer is "www.example1.com", the kid header is "mykey" and there is no x5t header, the runtime uses the certificate with the "trustpartner1" alias name. If a request comes with an assertion in which the Trusted Issuer is "www.example2.com", the value of the x5t header is "s7RzuzdlJrDyvMS9ntyvMS9ntZt" and there is no kid header, the runtime uses the certificate with the "trustpartner2" alias name. If a request comes with an assertion in which the Trusted Issuer is "www.example.corp.com", the value of the kid header is "corpkey" and the value of the x5t header is "cYJ4pHYJrDYvMS9ntZts7Rzuzdl", the runtime uses the certificate with the "trustpartner3" alias name. Figure 53–4 OAuth Services Service Profile Configuration Page 53.5 Configuring a WebGate to Protect OAuth Services This section describes how to configure a WebGate for use with OAuth Services. The WebGate protects the OAuth Services consent page and serves as a proxy so that client authorization and token endpoint requests access the WebGate rather than the Oracle Access Management server directly. WebGates cannot be used to protect OAuth Services Resource Servers. These steps are for WebLogic environments only. A WebGate proxy is required to use the 3-legged authorization scenario with an external LDAP directory server. Note: 1. Install the Oracle HTTP Server 11g Webgate for OAM using the instructions in Installing Webgates for Oracle Access Manager. Configuring OAuth Services 53-37 Configuring a WebGate to Protect OAuth Services 2. Configure the WebGate by defining the following resource and creating an authentication policy and authorization policy. a. In the Oracle Access Management console, click Application Security at the top of the window. b. Under Access Manager, click Application Domains, then click Search to view the Application Domains on the Search Application Domains page. c. Click the target domain to open it for editing. d. Select the Resources tab. e. Create the following resource. If you are using the existing IAMSuiteAgent Host Identifier, the resource is already present and can be searched on using the Resource URL field. /ms_oauth/oauth2/ui/** Click to select the resource, then click the Edit button. f. Under the Protection heading, choose the following options from the menus and click Apply: Protection Level - Protected Authentication Policy - Protected HigherLevel Policy Authorization Policy - Protected Resource Policy These settings allow the Webgate to perform user authentication and user authorization. g. Add the following resources and set the Protection Level to Excluded: /ms_oauth/oauth2/endpoints/** /ms_oauth/oauth2/oammsui/** /ms_oauth/style/** /ms_oauth/img/** /oam/** The Webgate does not protect Excluded resources and allows them to be accessed. 3. Add the following lines to the mod_wl_ohs.conf file and restart the Webgate. For WebLogicPort, be sure to add the managed port details for your environment. # the following directive proxies all the OAuth requests WebLogicHost host123.us.example.com WebLogicPort 17100 Debug ON WLLogFile /tmp/weblogic.log MatchExpression /ms_oauth/* # the following directive proxies all the OAM managed server requests. WebLogicHost host123.us.example.com WebLogicPort 17100 Debug ON WLLogFile /tmp/weblogic.log MatchExpression /oam/* 53-38 Administrator's Guide for Oracle Access Management Configuring OAM Session Synchronization 4. Update the Access Manager Load Balancing settings as follows: a. In the Oracle Access Management console, click Configuration at the top of the window. b. Select Access Manager from the View menu in the Settings section. c. In the Load Balancing section, change the OAM Server Host and the OAM Server Port settings to the Webgate's host and port settings. d. Click Apply. 53.6 Configuring OAM Session Synchronization The OAM User session synchronization feature prevents multiple OAM sessions from being created by a mobile user. The initial OAM session is created during the 3-legged Mobile scenario when the authorization code is created (provided that the OAuth consent UI pages are protected by OAM). This session is stored in the device keystore and used for subsequent OAM token requests for as long as the session is valid. A one-time Authorization Policy change in Oracle Access Management is required for OAM session synchronization to work. The following steps configure OAM to send Session ID values to OAuth Services. Once configured, OAM session synchronization will always be used for mobile authorization requests when using OAM protection (as opposed to Mobile and Social protection) for the authorization endpoint. OAM Session Synchronization requires a WebGate protecting the OAuth Services consent UI pages. See Section 53.5, "Configuring a WebGate to Protect OAuth Services" for details. Note: 1. In the Oracle Access Management console, click Application Security at the top of the window. 2. Under Access Manager, click Application Domains. 3. Under Search Application Domains, enter the name of the target WebGate domain (or enter a partial name and wild card, *, or leave the field blank to retrieve all domains). For example: DesiredDomain 4. Click Search. 5. In the Search Results section, highlight the WebGate domain and click Edit. 6. Click the Authorization Policies tab. 7. In the policies table, click Protected Resource Policy to open it for editing. 8. Click the Responses tab. 9. Click Add. 10. Enter the following values in the Add Response dialog: ■ Type - choose Header from the menu. ■ Name - Enter any name, for example: mysession. ■ Value - Enter: ${session.id} Click Add. Configuring OAuth Services 53-39 Configuring Mobile OAuth for SSO Servlet Authentication 11. Click Apply. 53.7 Configuring Mobile OAuth for SSO Servlet Authentication The Mobile OAuth SSO Servlet makes it possible to use a device-native app as a single sign-on proxy app when a user signs on to an app running in a mobile browser (external or embedded) in a 2-legged flow. In this arrangement, the native app implements the login page and uses Mobile and Social Services to authenticate with Oracle Access Management. You can configure this authentication scheme to try multiple native apps on the device. If the first app does not respond within a half second (500ms) the servlet redirects the browser to the next app in the order that the apps are listed. If the servlet gets to the end of the list and there is not an application installed with the specified client ID, the servlet re-directs the user to the OAM login page. Similarly, if the request is received from a desktop browser, the request is forwarded to the OAM login page. Following is a description of the Mobile SSO Servlet authentication flow: 1. The user opens a URL in a mobile browser. 2. The web server hosting the application redirects the browser to OAM. 3. Access Manager redirects the browser to the native app on the device. 4. The browser launches the native app in response to the redirect. 5. The native app displays the user login page. 6. The user enters a user name and password. 7. The native app does a 2-legged device registration flow. It collects user credentials, does device registration, and gets the client token. If server-side single sign-on is enabled, the user token is stored on the server and is not returned to the client. If server-side single sign-on is turned off, the user token is returned to the client. 8. The native app exchanges the client token and user token for the OAM master token (OAM_ID). (If server-side single sign-on is enabled, the user token is exchanged from the server-side keystore.) 9. The native app directs the browser to the Oracle Access Management Mobile and Social server, which injects the OAM master token as a cookie. 10. The native app sends the mobile browser a URL redirect and OAM master token as a cookie. 11. The mobile browser opens the original URL now that the access request includes an OAM master token. 12. The web server sends the requested pages to the mobile browser. The following sections contain the configuration steps. ■ Configuring OAM and Your App to use the Mobile SSO Servlet ■ Configuring the MobileSSOServlet Authentication Scheme For information about Mobile OAuth SSO options, see Section 52.8, "Understanding Mobile OAuth Services Server-Side Single Sign-on." 53.7.1 Configuring OAM and Your App to use the Mobile SSO Servlet To use the Mobile OAuth Services single sign-on authentication scheme, complete the following configuration tasks: 53-40 Administrator's Guide for Oracle Access Management Configuring Mobile OAuth for SSO Servlet Authentication ■ ■ ■ ■ In the Oracle Access Management console, protect the Web resource(s) with an OAM WebGate. To learn how, see Chapter 15, "Registering and Managing OAM 11g Agents." In Access Manager, create a custom MobileSSOServlet authentication scheme on the OAM server and configure it with a list of mobile application IDs. Then configure the authentication scheme in OAM to protect the Web resource(s). To learn how, see Section 53.7.2, "Configuring the MobileSSOServlet Authentication Scheme." If necessary, register the native mobile app client with Mobile OAuth Services. To register the native mobile app client with OAuth Services see Section 53.3.3, "Configuring Clients." In Mobile OAuth Services, assign the Resource Owner grant type to the native mobile app(s) that will be configured to serve as single sign-on proxies. This grant type is required to be able to perform the 2-legged client registration. To assign the client the Resource Owner grant type, use the OAuth Services Mobile Clients configuration page. For more information, see Section 53.3.3.5, "Understanding the Mobile Clients Configuration Page." ■ To code the device-native app to authenticate with OAM using Mobile and Social Services, refer to the following sections in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management: – For iOS, see "Invoking Authentication Services With the iOS Client SDK." – For Android, see "Invoking Authentication Services With the Android Client SDK." – For the REST API, see "Mobile and Social Services REST Reference: Authentication and Authorization." When coding the app(s), implement the /authenticate endpoint, which is required to use this feature. This endpoint provides client registration, OAM token exchange, and URL redirection to the MobileSSOServlet. The /authenticate endpoint should accept a resource URL (resource_url) and Return URL (http://:/ms_oauth/mobilesso) as parameters. Once the app completes registration and the OAM token exchange, it returns control of the authentication process (along with the OAM_ID and resource_url) using the value of the return_url that was sent to /authenticate endpoint. Redirect the app back to the MobileSSOServlet using this URL: /mobilesso?OAM_ID=1234&resource_url=http://:7777/index.html where: – OAM_ID = the OAM master token value – resource_url = URL of the resource In this case, the redirect URL used to redirect the app back to the MobileSSOServlet will be http://:/ms_ oauth/mobilesso?OAM_ID=1234&resource_ url=http://:7777/index.html 53.7.2 Configuring the MobileSSOServlet Authentication Scheme Use these steps to configure a new authentication scheme (MobileSSOServlet authentication scheme) in Access Manager to protect the Web resource(s). Configuring OAuth Services 53-41 Configuring Mobile OAuth for SSO Servlet Authentication 1. Log on to the Oracle Access Management Administration Console. The Application Security Launch Pad opens. 2. Under Access Manager click Authentication Schemes, then click the Create Authentication Scheme button. The "Create Authentication Scheme" tab opens. 3. Create a new Authentication Scheme by completing the form as follows: ■ Name: MobileSSO-OAuth ■ Authentication Level: 2 ■ Challenge Method: FORM ■ Challenge Redirect URL: /oam/server/ ■ Authentication Module: LDAP ■ Challenge URL: /mobilesso ■ Context Type: customWar ■ Context Value: /ms_oauth/ ■ Challenge Parameters: applications=TestApp1,TestApp2 serviceEndPoint=oauthservice 4. In the Oracle Access Management Administration Console, do the following: a. Create a new Authentication Policy in an Application Domain and assign it the following Authentication Scheme: Authentication Scheme: MobileSSO-OAuth (MobileSSO-OAuth is the scheme that was created in step one.) 53-42 Administrator's Guide for Oracle Access Management Configuring the Mobile Security Manager Plug-in b. Create an HTTP Resource, for example /mobileoauthapp, and protect the resource using the created Authentication Scheme (MobileSSO-OAuth). This is the URI that will be accessed from the mobile web browser (mobile Safari for iOS) and protected by a WebGate. 53.8 Configuring the Mobile Security Manager Plug-in The Mobile Security Manager Plug-in is an optional plug-in for use with Oracle Mobile Security Suite (OMSS). If you will be using Oracle Mobile Security Suite, see Section 52.9, "Understanding OAuth Services Plug-ins" to learn more about this plug-in. Before you use this plug-in, you must configure the MSM data source in Oracle Access Management. Complete these steps to change the target of the omsm_ds JDBC data source to oam_server1. 1. Log in to the WebLogic console: http://host:port/console 2. Navigate to: base_domain > Services > Data Sources 3. In the Data Sources table, click omsm_ds. 4. Click the Targets tab. 5. Select oam_server1. Configuring OAuth Services 53-43 Configuring the Mobile Security Manager Plug-in 53-44 Administrator's Guide for Oracle Access Management Part XIII Part XIII Managing Oracle Access Management Oracle Access Portal This part documents Oracle Access Portal. It contains the following chapters. ■ Chapter 54, "Configuring the Access Portal Service" 54 Configuring the Access Portal Service 54 [36The ] Access Portal Service is a hosted single sign-on proxy service that enables intranet and extranet applications with Oracle's form-fill single sign-on technology. It also provides the REST interfaces that implement the Web Logon Manager end-user web application. Web Logon Manager, available as a standalone download from Oracle Support, provides end-users with the ability to create, modify, and delete application credentials as well as log on to provisioned applications through both desktop and mobile browsers. This chapter contains the following sections. ■ Prerequisites for Deploying the Access Portal Service ■ Overview of the Access Portal Service Deployment Process ■ Deploying the Access Portal Service ■ Enabling Form-Fill Single Sign-On for an Application ■ Adding a Federated Partner Provider Application ■ Adding an Oracle SSO Agent Application ■ Creating an Application Configuration Package ■ Managing Password Generation Policies ■ Managing Credential Sharing Groups ■ Managing Global Agent Settings 54.1 Prerequisites for Deploying the Access Portal Service Before completing the steps in this section, you must have completed the following prerequisites. Refer to the documentation for the respective supporting software for instructions on configuring that software. The documentation is available on the Oracle Support web site. ■ ■ Install and configure an Oracle database instance Install and configure a supported repository (refer to the Certification Matrix for a list of supported repositories) ■ Install and configure an instance of the WebLogic Administration server ■ Install and configure an instance of Oracle Access Manager managed server ■ Install the Oracle Enterprise Single Sign-On Administrative Console ■ (Optional) If you're planning to use the Detached Credential Collector, install and configure an instance of Oracle HTTP Server Configuring the Access Portal Service 54-1 Overview of the Access Portal Service Deployment Process 54.2 Overview of the Access Portal Service Deployment Process The Access Portal Service provides form-fill single sign-on functionality to intranet and extranet Web applications by acting as a proxy between the target application and the user's browser. Through the Oracle Traffic Director proxy, the Access Portal Service intercepts user connections to the target application, fetches the application's logon or password change page, and injects JavaScript code necessary to perform form-fill single sign-on tasks (such as credential capture or injection), then delivers the modified page to the user's browser. The Access Portal Service utilizes the following components: ■ ■ ■ ■ ■ ■ ■ Oracle Traffic Director - intercepts user connections to the target application and provides path-proxy and DNS-proxy functionality, allowing for path and DNS rewriting. Also hosts the WebGate plugin. WebGate plugin - a plugin that monitors whether the intercepted user connections require authentication via Oracle Access Manager (based on the assigned authentication policy) and redirects the user to the authentication page as necessary. It enables single sign-on functionality (logon, password change, and credential capture) in internal and external Web applications Oracle Access Manager - provides the authentication service to users as defined in the authentication policy. An LDAP Directory - serves as a data repository for the Access Portal Service and as the authentication back-end mechanism for Oracle Access Manager. For a list of supported directories, see the Certification Matrix accessible via the Oracle Support site. (Optional) Web Logon Manager - a reference client application that acts as a launchpad for applications enabled with Oracle's single sign-on technologies. Web Logon Manager supports Web applications enabled with the Access Portal Service's form-fill single sign-on technology and is available for download on the Oracle Technology Network web site. For more information, please contact Oracle Support. Oracle Enterprise Single Sign-On Administrative Console - provides the means to create and edit form-fill application policies (templates), password generation policies, delegate credentials, and configure other Access Portal Service features not accessible via the Oracle Access Manager Console. (Optional) Oracle HTTP Server - hosts the Detached Credential Collector Web pages. The following is a high-level overview of the deployment process: 1. Deploy the Java Cryptography Extension files on your Oracle Access Manager server. These files enable unlimited strength jurisdiction policy encryption on Oracle Access Manager. 2. Create the identity store configuration file. This file contains the connection specifics for the directory that will host the Access Portal Service data repository. 3. Prepare and enable the Access Portal Service. You must use the IDM Configuration Tool to extend the directory schema, create the necessary users and groups, create the Webgate profile, create and assign an authentication scheme, and create a data repository; then, you must enable the Access Portal Service. 54-2 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service 4. Set the Oracle Access Manager policy cache refresh interval. If you plan to use the Enterprise Single Sign-On Administrative Console to create and modify Access Portal Service application policies (templates), you must configure the Oracle Access Manager policy cache refresh interval to ensure that Oracle Access Manager periodically checks for updated policies in the Access Portal Service repository. 5. (Optional) Install the Oracle Privileged Account Manager certificates. If you plan to enable Oracle Privileged Account Manager-protected applications with the Access Portal Service, you must install the Oracle Privileged Account Manager certificates into the instance of Oracle Access Manager running the Access Portal Service. (Only supported on WebLogic.) 6. Deploy the Oracle Traffic Director Administration Server instance. This instance will provide the means to administrate Oracle Traffic Director proxy instance(s) (such as configuring listeners, origin servers, and server pools). 7. Deploy the Webgate binaries and Oracle Access Manager secure trust artifacts. You will run the Webgate installer to deploy the required plugin binaries into Oracle Traffic Director and copy the Oracle Access Manager secure trust artifacts into the deployed Webgate instance. 8. (Optional) Deploy the ESSOProvisioning plugin. This plugin enables provisioning of LDAP credentials as application credentials for single sign-on and the automatic updating of stored application credentials when the directory-provided credentials change. This plugin is optional and is not required by the Access Portal Service. 9. Create an Oracle Traffic Director configuration. An Oracle Traffic Director configuration is a collection of elements that define the run-time behavior of an Oracle Traffic Director instance. A configuration contains information about various elements of an Oracle Traffic Director instance such as listeners, origin servers, failover groups, and logs. 10. Protect the Oracle Traffic Directory instance with the Webgate plugin. To allow the Webgate plugin to process user traffic and provide authentication and single sign-on services, you must place them "in front of" your Oracle Traffic Director instance. This is called "protecting" the instance with the selected plugins. 11. (Optional) Enable the Detached Credential Collector for the Webgate. The Detached Credential Collector adds a layer of security by intercepting user authentication requests normally sent directly to Oracle Access Manager, collecting the user's credentials, and passing them to Oracle Access Manager. This avoids the need for users to connect directly to your Oracle Access Manager instance. The Detached Credential Collector pages run on an instance of Oracle HTTP Server. 12. Enable target applications for form-fill single sign-on. Once the Access Portal Service has been successfully deployed, you can begin enabling your target applications with form-fill single sign-on functionality. This includes configuring the necessary proxy rules in Oracle Traffic Director, and creating and publishing a form-fill application policy in Oracle Access Manager. 54.3 Deploying the Access Portal Service This section describes the steps necessary to configure the environment and deploy Access Portal. It covers the following tasks. ■ Deploying the Java Cryptography Extension Policy Files Configuring the Access Portal Service 54-3 Deploying the Access Portal Service ■ Creating the Identity Store Configuration File ■ Creating the Oracle Access Manager Configuration File ■ Understanding the Access Portal Service Repository Objects ■ Integrating with Oracle Privileged Account Manager ■ Preparing and Enabling the Access Portal Service on an Oracle Repository ■ Preparing and Enabling the Access Portal Service on Microsoft Active Directory ■ (Active Directory Only) Deploying the OAMAgent Web Application ■ Integrating with Oracle Privileged Account Manager ■ Deploying the Oracle Traffic Director Administration Server ■ Deploying the Webgate Binaries and Secure Trust Artifacts ■ (Optional) Configuring the ESSOProvisioning Plugin ■ Creating an Oracle Traffic Director Configuration ■ Protecting the Oracle Traffic Director Instance with the Webgate Plugin ■ (Optional) Enabling the Detached Credential Collector for the Target Webgate 54.3.1 Deploying the Java Cryptography Extension Policy Files In order to enable unlimited strength jurisdiction policy encryption on your Oracle Access Manager server, you must download the appropriate policy files and place them into your server's Java Runtime Environment. 1. Download the latest policy files from one of the following locations, depending on your Java Runtime Environment version: ■ ■ ■ For Java 7: http://www.oracle.com/technetwork/java/javase/downloads/ jce-7-download-432124.html For Java 6: http://www.oracle.com/technetwork/java/javase/downloads/ jce-6-download-429243.html For IBM JDK on WebSphere: http://www.ibm.com/developerworks/java/ jdk/security/60/ 2. Decompress the downloaded archive and place the US_export_policy.jar and local_policy.jar in $JDK_Home/jre/lib/security/ within the target Java Runtime Environment (replace any existing files when prompted). 3. Reboot the Weblogic Administration Server and the Oracle Access Manager Managed Server. 54.3.2 Creating the Identity Store Configuration File Use the guidelines below to create the idstore.props file that will configure the identity keystore for the Access Portal Service. You will pass this file to the IDM Configuration Tool in Preparing and Enabling the Access Portal Service on an Oracle Repository. Oracle Unified Directory Example # Common IDSTORE_HOST: IDMHOST1.mycompany.com IDSTORE_PORT: 1389 IDSTORE_ADMIN_PORT: 4444 54-4 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service IDSTORE_KEYSTORE_FILE: OUD_ORACLE_INSTANCE/OUD/config/admin-keystore IDSTORE_KEYSTORE_PASSWORD: Password key IDSTORE_BINDDN: cn=oudadmin IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com IDSTORE_SEARCHBASE: dc=mycompany,dc=com IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com IDSTORE_NEW_SETUP: true POLICYSTORE_SHARES_IDSTORE: true # OAM IDSTORE_OAMADMINUSER:oamadmin IDSTORE_OAMSOFTWAREUSER:oamLDAP OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators # OAM and OIM IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com # OIM IDSTORE_OIMADMINGROUP: OIMAdministrators IDSTORE_OIMADMINUSER: oimLDAP # WebLogic IDSTORE_WLSADMINUSER : weblogic_idm IDSTORE_WLSADMINGROUP : WLSAdmins Oracle Internet Directory Example # Common IDSTORE_HOST: OIDHOST1.mycompany.com IDSTORE_PORT: 3060 IDSTORE_BINDDN: cn=orcladmin IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com IDSTORE_SEARCHBASE: dc=mycompany,dc=com IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com POLICYSTORE_SHARES_IDSTORE: true IDSTORE_NEW_SETUP: true # OAM IDSTORE_OAMADMINUSER:oamadmin IDSTORE_OAMSOFTWAREUSER:oamLDAP OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators # OAM and OIM IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com # OIM IDSTORE_OIMADMINGROUP: OIMAdministrators IDSTORE_OIMADMINUSER: oimLDAP # WebLogic IDSTORE_WLSADMINUSER : weblogic_idm IDSTORE_WLSADMINGROUP : WLSAdmins Microsoft Active Directory Example # Common IDSTORE_HOST: IDSTORE_PORT: IDSTORE_DIRECTORYTYPE: ad IDSTORE_BINDDN: \Administrator IDSTORE_PASSWD: IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: cn (or another login attribute)> Configuring the Access Portal Service 54-5 Deploying the Access Portal Service IDSTORE_USERSEARCHBASE: CN=Users,DC=essodev,DC=idc,DC=local IDSTORE_SEARCHBASE: DC=essodev,DC=idc,DC=local IDSTORE_GROUPSEARCHBASE: CN=Users,DC=essodev,DC=idc,DC=local IDSTORE_SYSTEMIDBASE: CN=Users,DC=essodev,DC=idc,DC=local IDSTORE_OAMSOFTWAREUSER: oamSoftwareUser IDSTORE_OAMADMINUSER: oamAdminUser OAM11G_CREATE_IDSTORE: true ESSO_IDSTORE_HOST : ESSO_IDSTORE_PORT : ESSO_IDSTORE_BINDDN : \Administrator ESSO_IDSTORE_TYPE : ad IS_ESSO_PRESENT : true ESSO_IDSTORE_PASSWD : Where: ■ IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. Specify the back end directory here, rather than OVD. In the case of OID and OUD, specify, respectively, one of the Oracle Internet Directory or Oracle Unified Directory instances, for example: OID: OIDHOST1 and 3060 OUD: IDMHOST1 and 1389 ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ IDSTORE_ADMIN_PORT (LDAP_DIR_ADMIN_PORT) is the administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter. IDSTORE_KEYSTORE_FILE is the location of the Oracle Unified Directory Keystore file. It is used to enable communication with Oracle Unified Directory using the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter. This file must be located on the same host that the idmConfigTool command is running on. The command uses this file to authenticate itself with OUD. IDSTORE_KEYSTORE_PASSWORD is the encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_ INSTANCE/OUD/config/admin-keystore.pin. If you are not using Oracle Unified Directory, you can leave out this parameter. IDSTORE_BINDDN is an administrative user in the Identity Store Directory IDSTORE_GROUPSEARCHBASE is the location in the directory where Groups are Stored. IDSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored. IDSTORE_USERNAMEATTRIBUTE is the name of the directory attribute containing the user's name. Note that this is different from the login name. IDSTORE_LOGINATTRIBUTE is the LDAP attribute which contains the users Login name. IDSTORE_USERSEARCHBASE is the location in the directory where Users are Stored. IDSTORE_NEW_SETUP is always set to true for Oracle Unified Directory. If you are not using OUD, you do not need to specify this attribute. POLICYSTORE_SHARES_IDSTORE is set to true for IDM 11g. 54-6 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service ■ ■ ■ ■ ■ ■ ■ ■ IDSTORE_OAMADMINUSER is the name of the user you want to create as your Access Manager Administrator. IDSTORE_OAMSOFTWAREUSER is a user that gets created in LDAP that is used when Access Manager is running to connect to the LDAP server. OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group which is used to allow access to the OAM console. IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely but one example is the Oracle Identity Manager reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters. IDSTORE_OIMADMINGROUP Is the name of the group you want to create to hold your Oracle Identity Manager administrative users. IDSTORE_OIMADMINUSER is the user that Oracle Identity Manager uses to connect to the Identity store. IDSTORE_WLSADMINUSER: The username to be used for logging in to the web logic domain once it is enabled by SSO. IDSTORE_WLSADMINGROUP: is the name of the group to which users who are allowed to log in to the WebLogic system components, such as the WLS Console and EM, belong. Use OIM entries only if your topology includes Oracle Identity Manager. Use OAM entries only if your topology includes Access Manager. 54.3.3 Creating the Oracle Access Manager Configuration File Use the guidelines below to create the config-oam.props file that will configure your Oracle Access Manager instance. You will pass this file to the IDM Configuration Tool in Preparing and Enabling the Access Portal Service on an Oracle Repository. Note that the Access Portal Service requires the Simple mode security posture. To enable this posture, set the parameters below as follows: OAM11G_OAM_SERVER_TRANSFER_MODE: simple OAM_TRANSFER_MODE: simple The file will have the following structure: Create a properties file called config_oam.props with the following contents: WLSHOST: ADMINVHN.mycompany.com WLSPORT: 7001 WLSADMIN: weblogic WLSPASSWD: Admin Password IDSTORE_DIRECTORYTYPE: OUD IDSTORE_HOST: IDSTORE.mycompany.com IDSTORE_PORT: 389 IDSTORE_BINDDN: cn=oudadmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid OAM11G_SERVER_LOGIN_ATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com IDSTORE_SEARCHBASE: dc=mycompany,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com IDSTORE_OAMSOFTWAREUSER: oamLDAP IDSTORE_OAMADMINUSER: oamadmin Configuring the Access Portal Service 54-7 Deploying the Access Portal Service PRIMARY_OAM_SERVERS: IDMHOST1.mycompany.com:5575,IDMHOST2.mycompany.com:5575 WEBGATE_TYPE: ohsWebgate11g ACCESS_GATE_ID: Webgate_IDM OAM11G_OIM_WEBGATE_PASSWD: password to be assigned to WebGate COOKIE_DOMAIN: .mycompany.com OAM11G_WG_DENY_ON_NOT_PROTECTED: true OAM11G_IDM_DOMAIN_OHS_HOST: SSO.mycompany.com OAM11G_IDM_DOMAIN_OHS_PORT: 443 OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https OAM11G_SERVER_LBR_HOST: SSO.mycompany.com OAM11G_SERVER_LBR_PORT: 443 OAM11G_SERVER_LBR_PROTOCOL: https OAM11G_OAM_SERVER_TRANSFER_MODE: simple OAM_TRANSFER_MODE: simple OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators OAM11G_SSO_ONLY_FLAG: false COOKIE_EXPIRY_INTERVAL: 120 OAM11G_IMPERSONATION_FLAG: false OAM11G_OIM_INTEGRATION_REQ: false OAM11G_OIM_OHS_URL:https://SSO.mycompany.com:443 SPLIT_DOMAIN:true Where: ■ ■ ■ WLSHOST (ADMINVHN) is the host of your administration server. This is the virtual name. WLSPORT is the port of your administration server. WLSADMIN is the WebLogic administrative user you use to log in to the WebLogic console. ■ WLSPASSWD is the WebLogic administrator password. ■ IDSTORE_DIRECTORYTYPE is OUD, OID or OVD. ■ IDSTORE_HOST and IDSTORE_PORT are the host and port of the Identity Store directory when accessed through the load balancer. ■ IDSTORE_BINDDN is an administrative user in the Identity Store directory. ■ IDSTORE_USERSEARCHBASE is the location in the directory where Users are stored. ■ ■ ■ ■ ■ ■ IDSTORE_GROUPSEARCHBASE is the location in the directory where Groups are stored. IDSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored. IDSTORE_SYSTEMIDBASE is the location of a container in the directory where the user oamLDAP is stored. IDSTORE_OAMSOFTWAREUSER is the name of the user account to be used to interact with LDAP. IDSTORE_OAMADMINUSER is the name of the user account that can access your OAM Console. PRIMARY_OAM_SERVERS is a comma separated list of your OAM Servers and the proxy ports they use, for example: IDMHOST1:OAM_PROXY_PORT 54-8 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service Note: To determine the proxy ports your OAM Servers use: 1. Log in to the Oracle Access Management Console. 2. Click Configuration in the upper right corner. 3. Click Server Instances. 4. Search for the OAM Server, such as WLS_OAM1, and select Open from the Actions menu. 5. Proxy port is the value shown as Port. ■ ACCESS_GATE_ID is the name you want to assign to the WebGate. ■ OAM11G_OIM_WEBGATE_PASSWD is the password to be assign to the WebGate. ■ ■ ■ ■ ■ ■ ■ ■ OAM11G_IDM_DOMAIN_OHS_HOST is the name of the load balancer which is in front of the OHS's. OAM11G_IDM_DOMAIN_OHS_PORT is the port that the load balancer listens on (HTTP_ SSL_PORT). OAM11G_IDM_DOMAIN_OHS_PROTOCOL is the protocol to use when directing requests at the load balancer. OAM11G_WG_DENY_ON_NOT_PROTECTED, when set to false, allows login pages to be displayed. It should be set to true when using webgate11g. OAM_TRANSFER_MODE is the security model that the Oracle Access Manager Servers function in. Valid values are simple and open. If you use the simple mode, you must define a global passphrase. OAM11G_OAM_SERVER_TRANSFER_MODE is the security model that the OAM Servers function in. OAM11G_IDM_DOMAIN_LOGOUT_URLS is set to the various logout URLs. OAM11G_SSO_ONLY_FLAG confgures Access Manager as authentication only mode or normal mode, which supports authentication and authorization. If OAM11G_SSO_ONLY_FLAG is true, the OAM Server operates in authentication only mode, where all authorizations return true by default without any policy validations. In this mode, the server does not have the overhead of authorization handling. This is recommended for applications which do not depend on authorization policies and need only the authentication feature of the OAM Server. If the value is false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the OAM Server. WebGate allows the access to the requested resources or not, based on the responses from the OAM Server. ■ ■ ■ ■ ■ OAM11G_IMPERSONATION_FLAG is set to true if you are configuring OAM Impersonation. OAM11G_SERVER_LBR_HOST is the name of the load balancer fronting your site. This and the following two parameters are used to construct your login URL. OAM11G_SERVER_LBR_PORT is the port that the load balancer is listening on (HTTP_ SSL_PORT). OAM11G_SERVER_LBR_PROTOCOL is the URL prefix to use. OAM11G_OIM_INTEGRATION_REQ should be set to true if you are building a topology which contains both OAM and OIM. Otherwise set to false at this point. This Configuring the Access Portal Service 54-9 Deploying the Access Portal Service value is only set to true when performing Access Manager/Oracle Identity Manager integration and is set during the integration phase. ■ OAM11G_OIM_OHS_URL should be set to the URL of your load balancer. This parameter is only required if your topology contains OAM and OIM. ■ COOKIE_DOMAIN is the domain in which the WebGate functions. ■ WEBGATE_TYPE is the type of WebGate agent you want to create. ■ ■ ■ OAM11G_IDSTORE_NAME is the Identity Store name. If you already have an Identity Store in place which you wish to reuse (rather than allowing the tool to create a new one for you), then set the value of this parameter to the name of the Identity Store you wish to reuse. OAM11G_SERVER_LOGIN_ATTRIBUTE when set to uid, ensures that when users log in, their username is validated against the uid attribute in LDAP. SPLIT_DOMAIN should be set to true If you are creating a domain with just OAM or OAM located in a different domain from OIM (Split Domain). Otherwise, it is not necessary to specify this parameter. 54.3.4 Understanding the Access Portal Service Repository Objects The vGoLocator object is required for all repositories and the value of its vGOLocatorAttribute attribute specifies the path to the People container in which the Access Portal Service stores application credentials for each user. The vGOLocator object must point to the same data store instance as the Oracle Access Manager instance on which the Access Portal Service is deployed. For Oracle LDAP directories, the following applies: ■ ■ ■ If there is a single object under the vGOLocator container, the vGoLocatorAttribute value is parsed regardless of the object's name. If there are multiple objects under the vGOLocator container, the object named default is parsed. If no object named default exists, the request will fail. If thevGOLocatorAttribute attribute has no value or does not exist, or if the vGOLocator container does not exist, the request will fail. When using Microsoft Active Directory, the Access Portal Service stores application credentials under the Users container as described below: ■ ■ ■ If there is a single object under the vGOLocator container, the vGoLocatorAttribute value is parsed regardless of the object's name. If there are multiple objects under the vGOLocator container, the object named default is parsed. If no object named default exists, the data will be within the USERS container. If thevGOLocatorAttribute attribute has no value or does not exist, or if the vGOLocator container does not exist, the data will be stored within the Users container. You must explicitly enable the storage of user credentials under respective user objects using the Oracle Enterprise Single Sign-On Suite Administrative Console. This makes the following changes to the repository: ■ ■ The User class is added as a possible superior to the vGOUserData class. All users are granted the right to create vGOUserData objects. These rights are granted at the directory root and are recursively inherited down to the user objects. 54-10 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service 54.3.5 Preparing and Enabling the Access Portal Service on an Oracle Repository Before completing this procedure, make sure you have created the required configuration files as described in Creating the Identity Store Configuration File and Creating the Oracle Access Manager Configuration File. The idmConfigTool is located at: IAM_ORACLE_HOME/idmtools/bin When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory: Note: IAM_ORACLE_HOME/idmtools/bin The syntax of the command on Linux is: idmConfigTool.sh -configOAM input_file=configfile For example: idmConfigTool.sh -configOAM input_file=config_oam1.props When the command runs you are prompted to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the passwords you want to assign to these accounts: ■ IDSTORE_PWD_OAMSOFTWAREUSER ■ IDSTORE_PWD_OAMADMINUSER 1. On the machine running your target Oracle Access Manager instance, change into the following directory: /Oracle/Middleware/Oracle_IDM1/idmtools/bin 2. Set the following environment variables: setenv ORACLE_HOME /Oracle/Middleware/Oracle_IDM1 setenv MW_HOME /Oracle/Middleware setenv JAVA_HOME JDKPath (where JDKPath is the full path to the Java Development Kit used by the Oracle Access Manager instance) 3. Pre-configure the identity store to extend the directory schema with the required object classes by running the following command: ./idmConfigTool.sh -preConfigIDStore input_file=idstore.props where idstore.props is a property file containing configuration parameters specific to your environment. For information on assembling this file, see Creating the Identity Store Configuration File. 4. Create the required users and groups by running the following command: ./idmConfigTool.sh -prepareIDStore mode=all input_file=idstore.props where idstore.props is a property file containing configuration parameters specific to your environment. For information on assembling this file, see Creating Configuring the Access Portal Service 54-11 Deploying the Access Portal Service the Identity Store Configuration File. This command does the following: ■ ■ 5. Adds the Access Portal Service object classes and attributes to the schema Creates the CO, People, and vGoLocator containers (with create permissions only, including children). For more information on these containers, see Understanding the Access Portal Service Repository Objects. Create and configure the required Webgate profile by running the following command: ./idmConfigTool.sh -configOAM input_file=config_oam.props where config_oam.props is a property file containing configuration parameters specific to your environment. For information on assembling this file, see Creating the Oracle Access Manager Configuration File. 6. Add conditions to the Admin role in the Security Realm as follows: a. Log in to the Weblogic Administration Server Console. b. In the left pane of the console, click Security Realms. c. On the "Summary of Security Realms" page, click myrealm under the Realms table. d. On the "Settings" page for myrealm, click the Roles & Policies tab. e. On the "Realm Roles" page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. f. Click the Roles link to go to the Global Roles page. g. On the "Global Roles" page, click the Admin role to go to the Edit Global Role page: h. On the "Edit Global Roles" page, under Role Conditions, click Add Conditions. i. On the "Choose a Predicate" page, select Group from the predicates list and click Next. j. On the Edit Arguments Page, specify OAMAdministrators in the Group Argument field and click Add. k. Click Finish to return to the "Edit Global Rule" page. The Role Conditions now show the OAMAdministrators Group as an entry. l. Click Save to finish adding the Admin role to the OAMAdministrators Group. 7. Check the log file for any errors or warnings and correct them. A file named automation.log is created in the directory where you run the tool. 8. Restart the WebLogic Administration Server. 9. Enable the Access Portal Service: a. Log on to the Oracle Access Manager Console. b. Select the Launch Pad tab. c. In the Configuration section, click Available Services. d. In the screen that appears, click Enable next to Access Portal Service. 54-12 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service After you run idmConfigTool, several files are created that you need for subsequent tasks. Keep these in a safe location. Note: Two 11g WebGate profiles are created: Webgate_IDM, which is used for intercomponent communication and Webgate_IDM_11g, which is used by 11g Webgates. The following files exist in the directory ASERVER_ HOME/output/Webgate_IDM_11g. You need these when you install the WebGate software. ■ cwallet.sso ■ ObAccessClient.xml ■ password.xml Additionally, you need the files aaa_cert.pem and aaa_key.pem, which are located in the directory ASERVER_HOME/output/Webgate_ IDM. 54.3.6 Preparing and Enabling the Access Portal Service on Microsoft Active Directory The following LDIF file is required for extending the Active Directory schema with Access Portal Service classes and attributes: /idmtools/templates/ad/esso_schema_extn.ldif The file is a template file; before proceeding, modify the values such as domain names and paths to match the target environment. Complete the following steps to prepare and enable the Access Portal Service with Microsoft Active Directory: 1. Extend the Active Directory schema by running the following command on the server machine hosting the repository: ldifde –i –f esso_schema_extn.ldif Upon completion, a message will confirm that importing data was successful: 2. Use the ADSIEdit tool to create containers named CO, People, and vGoLocator under the repository root. 3. Under the vGoLocator container, create an object named default of class vGoLocatorClass and set its attribute value to the DN of the container that holds the People container. For more information, see Understanding the Access Portal Service Repository Objects. 4. Enable the storage of user credentials under user objects: a. Launch the Oracle Enterprise Single Sign-On Suite Administrative Console and connect to the target repository. b. In the Console, select Enable Storing Credentials Under User Object (AD Only) from the Repository menu. c. The Console displays a dialog informing you of the changes about to be made to your Active Directory schema. Click OK. d. Wait for a dialog confirming the changes to appear, then click OK to dismiss it. Configuring the Access Portal Service 54-13 Deploying the Access Portal Service Note: Members of protected groups (i.e., users whose ACLs are governed by the AdminSDHolder object) will not be able to store credentials under their user objects until the AdminSDHolder ACL is updated with permissions required by this feature. See the guide Deploying Logon Manager with a Directory-Based Repository for instructions on how to remedy this issue. 5. Create the users in Active Directory if necessary. 6. Create a user data store: a. Log on to the Oracle Access Manager console and click Configuration at the top of the page. b. Click User Identity Stores. c. In the screen that appears, click Create under OAM ID Stores. d. In the dialog that appears, fill in the following required values, leaving the rest at their defaults: Field Value Store Name ESSOAuthnStore Store Type Microsoft Active Directory Location ad-server-hostname:port Bind DN domain\username Password password Login ID Attribute cn User Search Base Fully qualified DN of the Users container Object Search Base Fully qualified DN of the Groups container 7. Test the connection and correct any errors if necessary, then click Apply. 8. Update the LDAP authentication module: 9. a. Log on to the Oracle Access Manager console. b. In the Plugins section, click Authentication Plug-ins. c. In the Access Manager section, click Authentication Modules. d. In the screen that appears, click Search. e. In the list of search results, select the LDAPPlugin module. f. In the Steps tab, select the stepUI step. g. In the KEY_IDENTITY_STORE_REF field, enter the name of the user data store you created in step 5 of this procedure. h. Repeat the above for the stepUA step. i. Click Save to save your changes. Create the identity data store (IDS) profile in Oracle Access Manager: a. Log on to the Oracle Access Manager console. b. Click Configuration at the top of the page. 54-14 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service c. Click User Identity Stores. d. In the IDS Profile section, click Create Form Fill Application IDS Profile. e. In the form that appears, fill in the fields as follows: Field Value Name meaningful profile name Description meaningful profile description Repository Options Create New Repository Name meaningful repository name Directory Type Microsoft Active Directory Host name Active Directory server host name Port Active Directory server port Bind DN domain/user name of repository account Bind password password of repository account Base DN fully qualified DN of the repository root User search base fully qualified DN of the Users container App template search base fully qualified DN of the CO (ESSO policy data) container Top search base f. fully qualified DN of the repository root Test the connection, then click Apply. 10. Configure the relational mapping of users and groups: a. Edit the IDS profile you just created. b. Select the Entity Attributes tab. c. Add the following new attributes, one at a time (adding multiple attributes at once is not supported): member, memberOf, distinguishedName d. Select the Entities tab. e. Under Users, enable the member, memberOf, and distinguishedName entity attributes. f. Set the User Base, Group Base, Search Base, and Create Base entities to the fully qualified DNs of the respective containers in the repository. g. Repeat steps e and f in the Groups section of the form. h. Select the Relationships tab. i. Configure the entity relationships as shown in the following illustration: Configuring the Access Portal Service 54-15 Deploying the Access Portal Service This makes the following changes in the file DOMAIN_HOME/config/fmwconfig/ids-config.xml: 11. Enable the IDS profile: a. Select the Launch Pad tab in the Admin console window. b. At the top of the page, click Configuration. c. In the Settings section, select Access Portal Service from the View drop-down list. d. In the screen that appears, select the IDS profile you created earlier from the IDS Profile drop-down list. e. Click Apply. 54-16 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service 12. Add the Active Directory schema XML definition file to the IDS server configuration file: a. Open the following file in a text editor: DOMAIN_HOME/config/fmwconfig/ovd/ids/server.os_xml b. Locate the section and add the following line inside it: schema.ms.xml c. Save and close the file. d. Restart the managed server instance to apply your changes. 54.3.7 (Active Directory Only) Deploying the OAMAgent Web Application The OAMAgent web application provides the means to configure Access Control Lists within an Active Directory-based Access Portal Service repository via a web interface running on Microsoft Internet Information Server. To deploy th OAMAgent web application, do the following: 1. Extract the OAMAgent.zip file (available in the Logon Manager folder of the Enterprise Single Sign-On Suite ZIP archive) into a directory. 2. Using the IIS Manager application, create a new IIS web site; when prompted, in the Physical Path field, enter the full path to the directory into which you extracted the OAMAgent.zip archive. 3. Edit the newly created web application’s Web.config file as follows: a. Add the following to the system.webServer section: b. Add the following to the system.web section: c. Save and close the file. 4. In the IIS Manager application, navigate to IIS Manager > Target Site > .NET Compilation > Assemblies and ensure that the new assembly appears in the list of assemblies (i.e., that the Interop.ActiveDs.dll file appears in the web root directory). 5. Create a new handler mapping: a. In the IIS Manager application, navigate to IIS Manager > Target Site > Handler Mappings and click Add Managed Handler in the right-hand pane. b. In the dialog that appears, fill in the fields as follows and save your changes: Configuring the Access Portal Service 54-17 Deploying the Access Portal Service Field Value Path ColumbiaWindowsAgent/V1/AgentAcl Type ColumbiaWindowsAgent.Rest.AgentAcl, OAMAgent Name OAMAgent 6. 7. 8. Enable 32-bit application support: a. In the IIS Manager application, navigate to IIS Manager > Application Pools. b. Right-click the target site and select Advanced Settings from the context menu. c. Set the Enable 32-bit Applications option to True and save your changes. Make the following site configuration changes: a. In the IIS Manager application, navigate to IIS Manager > Application Pools. b. Select the target site. c. Set the .NET Version to 4.0. d. Set the Identity option to LocalSystem. e. Save your changes. In the IIS Manager application, select the host machine, click Server Certificates, and click Import a Certificate, and provide the path to a root CA certificate trusted by both the IIS server running the OAMAgent web application as well as the server running the target Access Portal Service instance. Additionally, the Access Portal Service server must have a certificate signed by that CA in its keystore. That CA must also be present in the server’s cacert file (trust store). 9. Create a https binding using the newly installed certificate: a. In the IIS Manager application, right-click the target site and select Edit Bindings from the context menu. b. Click Add New Site Binding. c. Select https from the Type drop-down list. d. Select the certificate you imported in step 8. e. Click Close. 10. Enable SSL for the target site: a. In the IIS Manager application, select the target site. b. Click SSL Settings. c. Select the Require SSL check box. d. Select the Require client certificates check box. e. Click Apply in the right-hand pane. 11. Add the following to the oam-config.xml file on the Access Portal Service server instance, then restart the instance to apply your changes: ColumbiaWindowsAgent/V1/AgentAcl iis-server-hostname 54-18 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service https Name="Port" Type="xsd:string">iis-server-port
Name="Version" Type="xsd:string">1 Name="ADPath" Type="xsd:string">AD-server-hostname:port 12. Add the following keystore parameters to the managed server’s startup script JAVA_OPTIONS line: -Djavax.net.ssl.keyStore=keystore-location -Djavax.net.ssl.keyStorePassword=keystore-password 54.3.8 Setting the Policy Cache Refresh Interval When using the Oracle Enterprise Single Sign-On Administrative Console to create and modify Access Portal Service application policies, the Access Portal Service must periodically fetch the modified policies from the repository to keep the policy cache up to date. By default, the cache refresh interval is set to -1 (never refresh). To set a custom policy cache refresh interval, complete the steps below. A value of 0 disables the policy cache and causes every request to fetch the corresponding policy from the repository. 1. Open the following file in a text editor: OAMDomainHome/config/fmwconfig/oam-config.xml 2. Locate the following setting string (or add it if it does not already exist). TimeToLive is set under the ESSOConfig section of the oam-config.xml file. -1 3. Change the default value (-1) to the desired number of minutes. 4. Increment the file's version as described in About the oam-config.xml Configuration Data File. 5. Save and close the file. 6. Restart both the administration server and the managed server to apply the new settings. 54.3.9 Integrating with Oracle Privileged Account Manager When integrating with Oracle Privileged Account Manager, keep the following in mind: ■ ■ Only Oracle Privileged Account Manager templates of type "Privileged" are supported. Templates of type "Delegated" are not supported when created on the server side; creating such a template will result in unpredictable behavior. You must specify the Oracle Privileged Account Manager server URL in the Access Portal Service settings in the target Oracle Access Manager server instance. 54.3.9.1 Installing the Oracle Privileged Account Manager Certificates You must import the certificates into the identity keystore of the application server running the Oracle Access Manager instance. This procedure is currently only available for WebLogic; do not perform it on other application servers. Configuring the Access Portal Service 54-19 Deploying the Access Portal Service The listCred command in OPSS has been deprecated in this release; keystore passwords must now be retrieved programmatically. Note: 1. Obtain the location and name of the identity keystore by examining the value of the following environment variables in the WebLogic console (where OAMServerName is the name of the target Oracle Access Manager instance): environment-servers-OAMServerName-keystores environment-servers-OAMServerName-ssl 2. Import the certificate into the identity keystore using the following command: keytool -importcert -alias CertificateAlias -file CertificateName.crt -keystore ./IdentityStoreName.jks -storepass IdentityStorePassword where CertificateAlias is a meaningful alias you want to assign to the certificate for identification, CertificateName is the name of the certificate file, IdentityStoreName is the name of the target identity store and IdentityStorePassword is the password for that identity store. 3. Obtain the location and name of the CA certificate by examining the value of the following environment variable via the WebLogic console: environment-servers-oam_server1-keystores 4. Import the CA certificate into the identity keystore using the following command: keytool -importcert -alias CertificateAlias -file CertificateName.der -keystore ./cacerts -storepass IdentityStorePassword where CertificateAlias is a meaningful alias you want to assign to the certificate for identification, CertificateName is the name of the certificate file, IdentityStoreName is the name of the target identity store and IdentityStorePassword is the password for the cacerts identity keystore. 5. Export the target Oracle Access Manager domain's private key certificate (used for generating the SAML assertion) using the following command: If a keystore type is not explicitly specified in the embedded trust provider configuration section of the following file: Note: OAMDomainHome/config/fmwconfig/jps-config.xml then the Oracle Key Store Service keystore type is assumed. If no application stripe name is specified for that KSS keystore, the service defaults to the following location: OAMDomainHome/config/fmwconfig/default-keystore.jks keytool -export -alias orakey -file orakey.der -keystore ./IdentityStoreName.jks -storepass IdentityStorePassword where IdentityStoreName is the name of the target identity store and IdentityStorePassword is the password for that identity keystore. 6. Change to the following directory: OPAMDomainHome/config/fmwconfig 54-20 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service 7. Import the target Oracle Access Manager domain's private key into the target Oracle Privileged Account Manager domain using the following command: keytool -importcert -alias orakey -file orakey.der -keystore ./IdentityStoreName.jks -storepass IdentityStorePassword where IdentityStoreName is the name of the target identity store and IdentityStorePassword is the password for that identity keystore. 8. Restart the affected Oracle Access Manager instance and the affected Oracle Privileged Account Manager instance. 54.3.9.2 Configuring the Oracle Privileged Account Manager Server Before completing the steps below, make sure you have created a provider on the target Oracle Access Manager instance for the desired Oracle Privileged Account Manager instance and placed it as the first provider in the provider list. On the Oracle Privileged Account Manager instance, do the following: 1. Create a target with the following parameter values: Field Value Storage Type Deployed repository type Server Hostname:port of the repository server Root DN Fully qualified DN of the repository root User Path Fully qualified DN of the Users container Connect as User CN of the repository connection account Password Password of the repository connection account Use secure connection (SSL) Disabled Use configuration objects instead of application list Enabled Role/Group support Enabled Configuration and role/group objects root DN Fully qualified DN of the CO container Admin Group DN (not applicable; leave blank) User Name Prepend UID 2. Search for targets and click the target you created in step 1. 3. Click the Privileged Accounts tab. 4. In the Privileged Accounts tab, add the desired privileged account (stored on the target you created in step 1). 5. Add the desired grantees to the privileged account. 6. Restart both the admin and the privileged Oracle Privileged Account Manager server instances to apply your changes. 54.3.9.3 Configuring the Provisioning Gateway Server To create the required template mapping on the Provisioning Gateway server, do the following: 1. Run the following command on the Provisioning Gateway server machine: Configuring the Access Portal Service 54-21 Deploying the Access Portal Service certutil -setreg chain\minRSAPubKeyBitLength 512 2. Restart the Provisioning Gateway server machine. 3. Log on to the Provisioning Gateway Administrative Console. 4. Select the Settings tab, then the Template Mapping section. 5. Click Edit and select the privileged template associated with your Oracle Privileged Account Manager target, then save your changes. This will create the required cn=OpamTemplateMap mapping in the repository. 6. Test the configuration: a. Log on to Web Logon Manager as one of the grantees assigned to the target privileged account. b. Click Add next to the target privileged template. The privileged account details will appear in a separate tab. 54.3.10 Deploying the Oracle Traffic Director Administration Server The Oracle Traffic Director Administration Server provides the means to deploy and manage Oracle Traffic Director proxy instance(s). Linux security restricts the opening of ports under 1024 to the root user. If you wish to run Oracle Traffic Director proxies on ports 80 or 443, follow the configuration gudielines for running as the root user described in the "Creating an Administration Server and Administration Node" chapter of the Oracle Traffic Director Installation Guide. WARNING: Oracle highly recommends against running Oracle Traffic Director as the root user due to increased security risk; you should limit the use of the root user to development environments only. 1. Launch the installer: .//runinstaller 2. In the screen that appears, click Next. 3. In the next screen, check for and install any applicable updates. 4. In the screen that appears, set the Oracle Traffic Director home directory to the following and click Next: /OTD11g/trafficdirector_Home_1 5. Wait for the installation to complete, then change into the following directory: /OTD11g/trafficdirector_Home_1/bin 6. Create an Oracle Traffic Director administration server instance using the following command (only include --server-user=root if you want to run the server as the root user): ./tadm configure-server --user=admin --host=otd.hostname --server-user=root --instance-home=/OTD11g/trafficdirector_Home_ 1/instances Oracle recommends using the default port (8989) for the Oracle Traffic Director administration server. 54-22 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service 7. Start the Oracle Traffic Director administration server with the following command: ./OTD11g/trafficdirector_Home_1/instances/admin-server/bin/startserv 8. Log on to the Oracle Traffic Director Admin Console at the following URL: https://otd.hostname:8989 For detailed information on installing Oracle Traffic Director, see the Oracle Traffic Director Installation Guide. 54.3.11 Deploying the Webgate Binaries and Secure Trust Artifacts Before completing this procedure, make sure you have created a Webgate profile in your Oracle Access Manager server as described in Preparing and Enabling the Access Portal Service on an Oracle Repository; the secure trust artifacts generated during that procedure are required to complete the steps below. 1. Decompress the Webgate binaries installer into a local directory on the Oracle Traffic Director host and launch the installer with the following command: ./runInstaller 2. When prompted, specify the full path to your Java runtime environment. For example: /usr/local/packages/jdk16 3. In the installer's "Prerequisite Checks" screen, click Next. 4. Specify the installation path and click Next: /MW_HOME/OAM_OTD_WebGate_HOME 5. Click Install and wait for the installation to complete. 6. Change into the following directory: /MW_HOME/OAM_OTD_WebGate_HOME/webgate/iplanet/tools/deployWebGate 7. Deploy the Webgate binaries using the following command: ./deployWebGateInstance.sh -w /MW_HOME/wginst1 -oh /MW_HOME/OAM_OTD_ WebGate_HOME -ws otd 8. Copy the Oracle Access Manager artifact files (generated while completing the steps in Preparing and Enabling the Access Portal Service on an Oracle Repository as follows: ■ Copy the ObAccessClient.xml, cwallet.sso, and password.xml artifact files to: /MW_HOME/wginst1/webgate/config ■ Copy the aaa_key.pem and aaa_cert.pem artifact files to: /MW_HOME/wginst1/webgate/config/simple 9. (Optional) If you deployed your Oracle Traffic Director administration server instance as the root user, grant that instance permissions to the Webgate (otherwise, skip this step). WARNING: Oracle highly recommends against running Oracle Traffic Director instances as the root user due to increased security risk; you should limit the use of the root user to development environments only. Configuring the Access Portal Service 54-23 Deploying the Access Portal Service a. Change into /MW_HOME/wginst1 b. Execute chmod -R 777 . 54.3.12 (Optional) Configuring the ESSOProvisioning Plugin When you successfully log on to Oracle Access Manager, the ESSOProvisioning plugin will provision your directory credentials to a specific application in your Access Portal Service (ESSO) wallet. It will also update the target application credentials if your directory credentials change. To enable the plugin, you must assign the ESSOProvAuthnScheme to the ESSOAuthnPolicy authentication policy in the IAM Suite application domain profile. 1. Log on to the Oracle Access Manager Console. 2. At the top of the page, click Application Security. 3. In the Plug-ins section, click Authentication Modules. 4. In the screen that appears, click Search. 5. In the list of search results, click the ESSOProvisioningModule module. 6. In the screen that appears, select the Steps tab. 7. Edit the ESSO_PROV_Step step and enter the name of the target application for which you want to provision directory credentials. 8. Edit the ESSO_UI_Step and ESSO_UA_Step steps and add a User Identity Store value of KEY_IDENTITY_STORE_REF to each. 9. Click Save to save the steps, then click Apply to apply your changes to the module. 10. Select the Launch Pad tab; in the Access Manager section, click Application Domains. 11. In the screen that appears, click Search. 12. From the list of search results, locate and double-click the IAM Suite profile. 13. Select the Authentication Policies tab. 14. In the list of policies, select ESSOAuthnPolicy. 15. From the Authentication Scheme drop-down menu, select the ESSOProvAuthnScheme authentication scheme. 16. Click Apply to save your changes. 54.3.13 Creating an Oracle Traffic Director Configuration 1. Log on to the Oracle Traffic Director Admin Console at the following URL: https://otd.hostname:8989 2. Create a new Oracle Traffic Director configuration with the following parameters: ■ ■ ■ Name: a descriptive name for the configuration Server User: leave at the default value, unless you deployed the Oracle Traffic Director administration server as root Select Origin Server Type: HTTP 54-24 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service 3. 4. Create a listener (your Oracle Traffic Director instance will listen for requests from the user's browser on this port) with the following parameters: ■ Port: 8282 ■ ServerName: otd.hostname Create an origin server pool with the following parameters: ■ Add your target application host as applicationHostname:port ■ Select the target node as applicationHostname 5. Click the Instance node in the tree on the left and start the instance. 6. Test the page by accessing the following URL and logging on with your administrator credentials: http://otd.hostname:8282/target_webgate_profile 54.3.14 Protecting the Oracle Traffic Director Instance with the Webgate Plugin To protect your Oracle Traffic Director instance with the Webgate plugin, complete the steps below. 54.3.14.1 Generating the Secure Trust Artifacts 1. Change into the following directory: /MW_HOME/OAM_OTD_WebGate_HOME/webgate/iplanet/tools/setup/InstallTools 2. Set the LD_LIBRARY_PATH variable: bash export LD_LIBRARY_PATH=/MW_HOME/OAM_OTD_WebGate_HOME/lib csh setenv LD_LIBRARY_PATH /MW_HOME/OAM_OTD_WebGate_HOME/lib 3. Run the following command to modify the magnus.conf file to include the directives to load the webgate library into the Oracle Traffic Director instance as well as modify the associated Oracle Traffic Director configuration file to include the directives to activate the two plugins. ./EditObjConf -f /OTD11g/trafficdirector_Home_ 1/instances/targetInstance/config/targetOTDconfiguration.conf -oh /MW_ HOME/OAM_OTD_WebGate_HOME -w /MW_HOME/wginst1 -ws otd -enableESSO -enableWLM Note: Only include the -enableWLM flag if you have deployed the Access Portal reference application. Otherwise, the flag is not necessary. If you do not include the -enableWLM flag and wish to deploy the Access Portal reference application later, you must manually modify the appropriate Oracle Traffic Director configuration file as described in the Access Portal reference application deployment instructions. 54.3.14.2 Loading the Required WebGate Libraries into the OTD Instance 1. Change into the following directory: /OTD11g/trafficdirector_Home_1/instances/targetOTDConfiguration/bin 2. Edit the startsrv script in a text editor and add the Webgate library path to the LD_LIBRARY_PATH variable as follows: Configuring the Access Portal Service 54-25 Deploying the Access Portal Service LD_LIBRARY_PATH="${SERVER_LIB_PATH}:/MW_HOME/OAM_OTD_WebGate_ HOME/lib:${SERVER_JVM_LIBPATH}:${LD_LIBRARY_PATH}"; 54.3.14.3 Deploying the Configuration Changes 1. Log into the Oracle Traffic Director Admin Console. 2. Select your configuration and click the Instance Modified notification at the top of the page. 3. Pull and deploy the changes. 4. When prompted to restart the instance, click OK, then click Finish. 54.3.14.4 Testing the WebGate 1. Navigate to http://otd.hostname:8282/target_webgate 2. Log on to the Webgate using your repository credentials. If the target application does not appear, check your configuration for errors. 54.3.15 (Optional) Enabling the Detached Credential Collector for the Target Webgate This section describes how to enable the Detached Credential Collector for the target Webgate and how to deploy the Detached Credential Collector pages on Oracle HTTP Server. 54.3.15.1 Enabling Detached Credential Collector Operations 1. Login to the Oracle Access Management Console. 2. Select Application Security and in the Launch Pad, click Agents icon. 3. In the screen that appears, click Search. 4. From the list of search results, locate and click the agent that is protecting your OTD Proxy Instance. 5. Check the box Allow Credential Collector Operations. 6. Click Apply to save your changes. 7. Restart the OTD Proxy Instance. 54.3.15.2 Creating and Applying the Detached Credential Collector Authentication Scheme 1. Login to the Oracle Access Management Console. 2. Select Application Security and in the Launch Pad, click Authentication Schemes under Access Manager. 3. In the screen that appears, click Search. 4. From the list of search results, locate and click the ESSOProvAuthnScheme authentication scheme. 5. In the screen that appears, click Duplicate. 6. Give the new scheme a descriptive name - for example DCC-ESSOAuthnScheme. 7. In the Challenge Method drop-down list, select FORM. 8. In the Challenge Redirect URL field, enter the Oracle Traffic Director host name and port in the format http://otd.hostname:port/ (including the trailing slash). 54-26 Administrator's Guide for Oracle Access Management Deploying the Access Portal Service 9. In the Challenge URL field, enter /oamsso-bin/login.pl 10. In the Context Type drop-down list, select external. 11. Click Apply to save your changes. 12. Select the Launch Pad tab. 13. In the Access Manager section, click Application Domains. 14. In the screen that appears, click Search. 15. From the list of search results, locate and click the IAM Suite profile. 16. Select the Authentication Policies tab. 17. Click ESSOAuthnPolicy. 18. In the Authentication Scheme drop-down list of ESSOAuthnPolicy, select the DCC authentication scheme you just created. 19. Click Apply to save your changes. 54.3.15.3 Deploying Detached Credential Collector Pages on Oracle HTTP Server 1. Enable CGI on the target instance of Oracle HTTP Server if you have not already done so. Your httpd.conf should contain the following directive: LoadModule cgi_module modules/mod_cgi.so 2. Copy the oamsso directory from the following location: $WG_ORACLE_HOME/webgate/iplanet/ To the following location: $OHS_INSTANCE_DIR/config/OHS/ohs1/htdocs 3. Copy the oamsso-bin directory from the following location: $WG_ORACLE_HOME/webgate/iplanet/ To the following location: $OHS_INSTANCE_DIR/config/OHS/ohs1/ 4. Locate the block in the httpd.conf file. 5. Enable CGI for the following block into the block: ScriptAlias /oamsso-bin/ "${ORACLE_INSTANCE}/config/ ${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin/" 6. Restart the OHS instance. 7. Test your configuration by accessing the following URL: http://ohs.host:port/oamsso-bin/login.pl 54.3.15.4 Routing Oracle Traffic Director Authentication Requests via the Detached Credential Collector 1. Under your target Oracle Traffic Director configuration, create a new origin server pool that points to the Oracle HTTP Server hostname and port. 2. Create a new route that points to the origin server pool created in step 1. 3. Add the following URI condition to the route: Configuring the Access Portal Service 54-27 Deploying the Access Portal Service /oamsso-bin OR /oamsso 4. Save your changes and restart the Oracle Traffic Director instance. 5. Test your configuration by accessing the target application's proxy URL. 54.3.16 Configuring Logon Manager for Compatibility with the Access Portal Service Complete the steps below to enable interoperability between Logon Manager and the Access Portal Service. If you have not already done so, install the Authentication Manager component of Logon Manager on each target end-user machine to enable the MultiAuth authenticator within Logon Manager. For more information on configuring Logon Manager repository settings, see the guide Deploying Logon Manager with a Directory-Based Repository. For an Application Policy to be compatible, enable the "User Visible" setting in the Application profile using the Oracle Access Management Console. This is in addition to the modifications in Section 54.3.16.1, "Modifying the Access Portal Service Configuration." Note: 54.3.16.1 Modifying the Access Portal Service Configuration 1. In the IDS profile you have configured for the Access Portal Service, ensure that you are connecting with a user who possesses root privileges (e.g., orcladmin). 2. If you are using Oracle Internet Directory as your repository, set the following permissions to permit Logon Manager to its First Time Use wizard: a. For the vGoLocator object and its default child object: orclaci = access to attr=(*) by * BindMode="Simple" (read,search,compare) orclaci = access to entry by * BindMode="Simple" (browse) b. For the People container: orclaci = access to attr=(*) by * BindMode="Simple" (read,write,search,compare) orclaci: access to entry by * BindMode="Simple" (browse,add,delete) 3. Ensure that the PolicyCache TTL is set to a positive, non-zero value. 54.3.16.2 Modifying the Logon Manager Configuration 1. Launch the Enterprise Single Sign-On Suite Administrative Console and connect to the Access Portal Service repository. 2. If you are using Active Directory as your repository, do the following (otherwise, skip this step): 3. a. Navigate to Global Agent Settings > Live > Synchronization > ADEXT. b. Select the check box next to the Use secure location for storing user settings option and select Yes from the drop-down menu. Navigate to Global Agent Settings > Live > Authentication > Authentication Manager and configure the graded authenticators as required by your environment. For more information, refer to the Enterprise Single Sign-On Suite Administrator’s Guide. 54-28 Administrator's Guide for Oracle Access Management Enabling Form-Fill Single Sign-On for an Application 4. Navigate to Global Agent Settings > Live > Authentication and configure each authenticator as required by your environment, noting the following: ■ ■ If using Oracle Internet Directory as your repository, there are two Recovery Method options Passphrase suppression using entryUUID and Passphrase suppression using secure key. Select Passphrase suppression using secure key if displayed; otherwise select Passphrase suppression using entryUUID. If using Active Directory as your repository, set the Recovery Method option to Passphrase suppression using user’s SID. For more information, see the guide Deploying Logon Manager with a Directory-Based Repository. 5. Navigate to Global Agent Settings > Live > Synchronization and configure the appropriate synchronizer as required by your environment, noting the following: ■ ■ ■ 6. Enable the Use aggressive synchronization option. Enable the Resynchronize when network or connection status changes option. Set the Interval for automatic resynchronization option to 1. Publish your settings to the repository: a. In the tree on the left-hand side right-click Live and select Publish from the context menu. b. Click Browse and select the target path within the repository. (If prompted, enter the appropriate connection parameters and click OK to connect.) c. In the Available configuration objects list, double-click Live to move it to the list of objects selected for publishing. d. Click Publish and wait for the operation to complete. 54.4 Enabling Form-Fill Single Sign-On for an Application This section describes the steps necessary to enable form-fill single sign-on functionality for an application with the Access Portal Service. ■ Configuring a Form-Fill Application Policy ■ Configuring Proxy Rules for an Oracle Access Portal Application 54.4.1 Configuring a Form-Fill Application Policy This section describes how to configure a form-fill application policy. After you create the policy, you must add a proxy-enabled application URL to the policy to enable form-fill functionality. Once configured, you must publish the policy to the repository and test it to ensure that form-fill single-sign on is functioning as expected. 54.4.1.1 Creating a Form-Fill Application Policy 1. Launch the Oracle Enterprise Single Sign-On Administrative Console. 2. In the left-hand tree right-click the Applications node and select New Web Application from the context menu. 3. In the dialog that appears, enter a descriptive name and click Next. This will appear as the application policy name in Oracle Access Manager Console. 4. In the screen that appears, select the desired form type and click OK. Configuring the Access Portal Service 54-29 Enabling Form-Fill Single Sign-On for an Application 5. In the screen that appears, enter the URL of the target application. 6. Click Detect Fields. The application's logon form appears in the window and the appropriate fields are automatically detected and configured. Verify that: a. The fields have been detected and configured correctly in the field list. b. A Submit Button is detected. If no Submit button is defined, Silent Credential Capture will not function. For more information on creating application policies (also known as templates), see the guide Creating and Configuring Logon Manager Application Templates. 7. Click OK to save the application policy. 8. In the General tab, provide optional metadata describing the application (this metadata will appear in the Access Portal reference application or another user interface of your choice, if parsed): ■ ■ ■ ■ ■ ■ ■ 9. Description – a meaningful description of the application for the user. Reference – internal reference describing the version/variant of the application template. Category – the category under which the application will appear in the Access Portal reference application; for example, "Finance," "Development," and so on. Icon Image URL – URL to the icon image that will appear next to the application entry in the Access Portal reference application. Logo Image URL – URL to the full-size application logo image that will appear in the Access Portal reference application. Vendor – the vendor of the application. Administrator – contact information for the application's administrator within your organization. Select the desired users and/or user groups to whom this template will be available: a. Select the Security tab. b. Select the Access Portal Service repository from the Directory drop-down menu. c. Click Add. d. In the dialog that appears, enter the name of the target user or group. e. Click Check Names to verify the user or group exists in the directory; if you receive an error, re-enter the name and try again. f. Click OK to save your changes. 54.4.1.2 Adding a Proxy-Enabled URL to a Form Fill Application Policy 1. In the policy's General tab, double-click the target form. 2. In the dialog that appears, select the Identification tab and click Add. 3. In the dialog that appears, select the Regular Expression radio button and enter a launch URL in regular expression format for the target application. 54-30 Administrator's Guide for Oracle Access Management Enabling Form-Fill Single Sign-On for an Application You must trim any session IDs or other session-sensitive parameters from the URL, as they will become invalid as soon as the session expires. For example: .*?https://otd_proxy_host\\.oracle\\.com:8282/target_webgate/login\\.jsp.* 4. Click OK; then click OK in the parent dialog to save your changes. 54.4.1.3 Configuring Mock Credential Field Values The Access Portal Service allows you to configure mock credential field values which will be displayed in the browser during injection for each configured field to prevent man-in-the-middle snooping. 1. In the policy’s General tab, double-click the target form. 2. In the dialog that appears, select the Proxy tab. 3. In the Mock Fields list, select the desired field and click Edit. 4. In the dialog box that appears, enter the desired mock value and click OK. To clear the mock values for all fields, click Clear All. 54.4.1.4 Configuring Form Masking If you want to prevent the user from seeing or altering the injected credentials, you can configure the Access Portal Service to mask the entire form from view using an overlay (a solid color or an image of your choice). Keep in mind that: ■ ■ If no application credentials exist for the target form, the form will not be masked even if the mask has been configured, and the user will be able to enter their own credentials to continue with the form. If more than one set of credentials exists for the target form, the Logon Chooser dialog will appear, allowing the user to choose the desired credentials to inject. 1. In the policy’s General tab, double-click the target form. 2. In the dialog that appears, select the Proxy tab. 3. Select the Mask Form check box to enable form masking. 4. Configure the form mask as follows: ■ ■ ■ ■ ■ ■ ■ Mask form – enable/disable masking for the form. RED/GRN/BLUE – set the numerical value for the red, green, and blue components of the desired mask color. HEX – enter the hexadecimal value for the desired mask color. Select color – opens the color picker, allowing you to pick the desired mask color visually. Image – relative path and filename of the desired mask image to be used instead of a solid color mask. Timeout – number of seconds before the form mask is dismissed. Close button – enable/disable the Close button on the form mask (allows user to remove the mask). ■ Opacity – percentage opacity of the form mask. ■ Default – reset all form mask options to default values. Configuring the Access Portal Service 54-31 Enabling Form-Fill Single Sign-On for an Application 54.4.1.5 Publishing the Policy to the Repository 1. In the left-hand tree, right-click the target application policy and select Publish from the context menu. 2. If prompted to connect to the repository, fill in the fields in the "Connect to Repository" dialog as required. 3. In the "Browse" dialog, navigate to the policies and credentials container you created in Preparing and Enabling the Access Portal Service on an Oracle Repository. For example: ou=CO,dc=us,dc=oracle,dc=com 4. Click Publish. 54.4.1.6 (Optional) Importing the Policy into the Oracle Access Manager Console Instead of publishing the policy to the repository, you can import it into the Oracle Access Manager Console to further edit its basic settings there. If you have already published it to the repository, you can skip this step, as the Oracle Access Manager console will retrieve it from the repository and display it in its policies list. If you modify the policy in the Oracle Access Manager console and then decide to edit it in the Enterprise Single Sign-On Administrative Console, you will need to manually pull down the updated version from the Access Portal Service repository. Oracle recommends creating and configuring the policy in the Enterprise Single Sign-On Administrative Console as not all Oracle Access Portal features can be configured in the Oracle Access Manager Console. Additionally, you must select the Unicode encoding when saving the exported .INI file; the Oracle Access Management console does not support importing non-Unicode files. Note: 1. Launch the Enterprise Single Sign-On Administrative Console and load the desired policy (template) from the repository. 2. Export the policy to a file: 3. a. From the File menu, select Export. b. In the "Export to .INI File" dialog that appears, select the policy from the list and click OK. c. In the dialog that appears, select Unicode from the Encoding drop-down list, provide the desired path and name for the exported file, and click Save. Import the template file into Oracle Access Manager: a. Log on to the Oracle Access Manager console. b. In the "Access Manager" section of the page that appears, click Applications. c. In the toolbar above the application list, click Import (blue down-arrow). d. In the "Import Applications" pop-up that appears, click Browse. e. In the dialog that appears, navigate to the policy file, and click Open. f. Click OK in the "Import Applications" pop-up. g. In the list of applications to import displayed by the pop-up, select the desired application and click Import. 54-32 Administrator's Guide for Oracle Access Management Enabling Form-Fill Single Sign-On for an Application h. In the application configuration page that appears, verify that the configuration settings in each tab have been properly carried over and make any changes if necessary. When you have finished, click Save. The imported application policy appears in the application list. 54.4.1.7 Testing the Policy Test the configuration of your policy as follows: 1. In a Web browser, navigate to http://otd.hostname:8282/target_webgate and log on with your repository credentials. The logon form's fields will highlight indicating the Access Portal Service is ready to capture application credentials. 2. Enter your application credentials into the logon form and submit them. 3. Close the browser and access the application URL again. You will be automatically logged on to the application. If either the credential capture or automatic logon (after credentials have been captured) do not occur, check your configuration for errors. 54.4.2 Configuring Proxy Rules for an Oracle Access Portal Application This section provides the basic guidelines for creating the proxy rules necessary to intercept the user connections to the target application and redirect them to pass through the Webgate plugin. For in-depth information on configuring Oracle Traffic Director, please see the Oracle Traffic Director Administrator's Guide. Since the user connection requested is intercepted by Oracle Traffic Director and redirected to the origin server, all resources referenced within the page's code must have their path rewritten to point to the Oracle Traffic Director origin server instead of the original host; otherwise, those elements will not be loaded and the page will display improperly and likely not function as intended. This section contains guidelines for the following types of resources that must be rewritten for the page to function properly after proxy redirection: ■ Path Rewriting Guidelines for HTTP Request/Response Headers ■ Path Rewriting Guidelines for Browser Cookies ■ Path Rewriting Guidelines for Page Content 54.4.2.1 Adding an Oracle Access Portal Application to Oracle Traffic Director This section describes the general process for configuring Oracle Traffic Director proxy rules for an Oracle Access Portal Application residing on a single host server; applications hosted on multiple servers are not covered. Working knowledge of Oracle Traffic Director concepts and configuration procedures is assumed. 1. Select the protocol(s) required by the origin server application pages (home, logon, post URL, landing page) from the following scenarios: ■ HTTP only. All of the application’s pages are served over HTTP. ■ HTTPS only. All of the application’s pages are served over HTTPS. ■ HTTP pre-logon/HTTPS post-logon. Home and login pages are served over either HTTP or HTTPS; however, the landing page for successfully authenticated users is served over HTTPS. Configuring the Access Portal Service 54-33 Enabling Form-Fill Single Sign-On for an Application ■ HTTP with POST over HTTPS. All of the pages are served over HTTP but the logon form POST transaction occurs over HTTPS. For proper security, Oracle highly recommends matching the proxy listener protocols with those of their respective origin server pages when configuring the proxy rules. For example, do not configure an HTTP proxy listener for a page that is originally served over HTTPS. On the other hand, if you want to configure an HTTPS listener for a page that is originally server over HTTP, you will need to configure additional proxy rules for more information, see the Oracle Traffic Director documentation. 2. Create the appropriate listeners for each protocol and assign them to the target virtual server. 3. Create the corresponding origin server pools for each protocol. Include the protocol and URI of the origin application to clearly distinguish between each pool. For example: ■ URI: http://www.originapp.com Pool name: origin-server-pool-http-www-originapp.com ■ URI: https://www.originapp.com Pool name: origin-server-pool-https-www-originapp.com 4. Create a route for the origin application using the New Route Wizard as follows: a. Select the origin server pool you created in step 3. If you created more than one origin server pool, select the HTTP (non-SSL) pool. b. Create a URI route condition for the application - this will be the path at which your application will be accessible. Oracle recommends setting this value to the name of your origin application or using the condition builder. This path will be called the PROXY_MAP later in this procedure. For example: $uri =~ "^/originapp" c. Complete the remaining steps in the wizard to finish creating the route. 5. In the list of routes, select the route you created in step 4 and open the Advanced Settings section. 6. In the Rewrite Headers field, add the host header for the origin application in the following format: location,content-location,host 7. Apply the following route template and replace the variables as described below: ■ ■ #PROXY_MAP# - path to the proxied application (reverse map of the From-URI value) from step 4b. For example: originapp. #OTD_HTTP# - port of the application’s HTTP listener. For example: 80 ■ #OTD_HTTPS# - port number of the application’s HTTPS listener. For example: 443 ■ #ORIGIN_HOST# - host name of the origin server pool to rewrite. For example: www.originapp.com ■ #DOCUMENT-DOMAIN# - domain attribute in which cookie values can be specified. 54-34 Administrator's Guide for Oracle Access Management Enabling Form-Fill Single Sign-On for an Application For example: originapp.com #Instructs OTD to map the incoming URI from the user’s browser to the root path of the origin server. OTD also uses these values to create a reverse mapping to rewrite cookie paths. It is not usually necessary to change the value of the to parameter. NameTrans fn="map" to="/" from="/#PROXY_MAP#" #Rewrite the https referer header AuthTrans fn="set-variable" set-headers="referer=https://#ORIGIN_ HOST#/$1" #Rewrite the http referer header AuthTrans fn="set-variable" set-headers="referer=http://#ORIGIN_ HOST#/$1" #Remove potential headers that may interfere with mixed proxy content Output fn="sed-response-header" name="content-security-policy" sed="s|script-src |script-src 'self' |g" Output fn="set-variable" remove-srvhdrs="access-control-allow-origin" #rewrite the location header when origin server is redirecting from HTTP to HTTPS Output fn="set-variable" $srvhdrs{'location'}="https://$urlhost:#OTD_HTTPS#/#PROXY_MAP#$2" Configuring the Access Portal Service 54-35 Enabling Form-Fill Single Sign-On for an Application Output fn="set-variable" $srvhdrs{'location'}="http://$urlhost:#OTD_HTTP#/#PROXY_MAP#/$2" #Insert the Dynamic Proxy Script parameters AuthTrans fn="set-variable" insert-vars="DYNAMIC-PROXY-ENABLE=on" insert-vars="DYNAMIC-PROXY-MAP-TO=/#PROXY_MAP#" insert-vars="DYNAMIC-PROXY-MAP-FROM=/" insert-vars="DYNAMIC-PROXY-HTTPS=#OTD_HTTPS#" insert-vars="DYNAMIC-PROXY-HTTP=#OTD_HTTP#" insert-vars="DYNAMIC-PROXY-IGNORE-PATHS=" #Map all src,href,action,background,data-li-search-action and data-li-advanced-link attributes found in html content to the proxied path Output fn="insert-filter" filter="sed-response" sed="s|\\( src=\\)\"/\\([^/][^\"]*\"\\)|\\1\"/#PROXY_MAP#/\\2 oap=\"true\"|g" sed="s|\\( src=\\)'/\\([^/][^']*'\\)|\\1'/#PROXY_MAP#/\\2 oap='true'|g" sed="s|\\( href=\\)\"/\\([^/][^\"]*\"\\)|\\1\"/#PROXY_MAP#/\\2 oap=\"true\"|g" sed="s|\\( href=\\)'/\\([^/][^']*'\\)|\\1'/#PROXY_MAP#/\\2 oap='true'|g" sed="s|\\( action=\\)\"/\\([^/][^\"]*\"\\)|\\1\"/#PROXY_MAP#/\\2 oap=\"true\"|g" sed="s|\\( action=\\)'/\\([^/][^']*'\\)|\\1'/#PROXY_MAP#/\\2 oap='true'|g" sed="s|\\( background=\\)\"/\\([^/][^\"]*\"\\)|\\1\"/#PROXY_ MAP#/\\2 oap=\"true\"|g" sed="s|\\( background=\\)'/\\([^/][^']*'\\)|\\1'/#PROXY_MAP#/\\2 oap='true'|g" sed="s|\\( data-li-advanced-link=\\)\"/\\([^/][^\"]*\"\\)|\\1\"/#PROXY_ MAP#/\\2 oap=\"true\"|g" sed="s|\\( data-li-advanced-link=\\)'/\\([^/][^']*'\\)|\\1'/#PROXY_MAP#/\\2 oap='true'|g" sed="s|\\( data-li-search-action=\\)\"/\\([^/][^\"]*\"\\)|\\1\"/#PROXY_ MAP#/\\2 oap=\"true\"|g" sed="s|\\( data-li-search-action=\\)'/\\([^/][^']*'\\)|\\1'/#PROXY_MAP#/\\2 oap='true'|g" append-newline-at-end="false" type="(text/html*|text/xml*)" #Map CSS attributes to the proxied path Output fn="insert-filter" filter="sed-response" sed="s|url(\"/\\([^/][^\"]\\)|url(\"/#PROXY_MAP#/\\1|g" sed="s|url('/\\([^/][^']\\)|url('/#PROXY_MAP#/\\1|g" sed="s|url(/\\([^/][^)]\\)|url(/#PROXY_MAP#/\\1|g" type="(text/css*|text/html*)" append-newline-at-end="false" 54-36 Administrator's Guide for Oracle Access Management Enabling Form-Fill Single Sign-On for an Application #Rewrite full URL links to the OTD proxied host/port. These sed expressions keep the existing protocols in the URL. Output fn="insert-filter" filter="sed-response" sed="s|http://#ORIGIN_HOST#:80|http://$urlhost:#OTD_HTTP#/#PROXY_ MAP#|g" sed="s|http://#ORIGIN_HOST#|http://$urlhost:#OTD_ HTTP#/#PROXY_MAP#|g" sed="s|https://#ORIGIN_ HOST#:443|https://$urlhost:#OTD_HTTPS#/#PROXY_MAP#|g" sed="s|https://#ORIGIN_HOST#|https://$urlhost:#OTD_HTTPS#/#PROXY_ MAP#|g" sed="s|https:\\\\/\\\\/#ORIGIN_ HOST#|https:\\\\/\\\\/$urlhost:#OTD_HTTPS#\\\\/#PROXY_MAP#|g" sed="s|http:\\\\/\\\\/#ORIGIN_HOST#|http:\\\\/\\\\/$urlhost:#OTD_ HTTP#\\\\/#PROXY_MAP#|g" type="(text*|application*)" sed="s|//#ORIGIN_HOST#|https://$urlhost:#OTD_HTTPS#/#PROXY_MAP#|g" append-newline-at-end="false" #Sanitize any illegal javascript domain values for our proxied host Output fn="insert-filter" filter="sed-response" sed="s|\\(document.domain=\"\\)#DOCUMENT_DOMAIN#\"|\\1$urlhost\"|g" sed="s|\\(document.domain='\\)#DOCUMENT_DOMAIN#'|\\1$urlhost'|g" sed="s|\\(document.domain = \"\\)#DOCUMENT_ DOMAIN#\"|\\1$urlhost\"|g" sed="s|\\(document.domain = '\\)#DOCUMENT_DOMAIN#'|\\1$urlhost'|g" type="(text*|application*)" append-newline-at-end="false" #Attempt to rewrite any javascript page redirects Output fn="insert-filter" filter="sed-response" sed="s|\\(location.replace(\\)\"/\\([^/][^\"]*\"\\)|\\1\"/#PROXY_ MAP#/\\2|g" sed="s|\\(location.replace(\\)'/\\([^/][^']*'\\)|\\1'/#PROXY_ MAP#/\\2|g" sed="s|\\(location.href =\"\\)\\(/[^/][^\"]*\"\\)|\\1/#PROXY_MAP#\\2|g" sed="s|\\(location.href ='\\)\\(/[^/][^']*'\\)|\\1/#PROXY_ MAP#\\2|g" type="(text*|application*)" append-newline-at-end="false" #Attempt to rewrite any JSON objects that appear as URI paths.Output fn="insert-filter" filter="sed-response" sed="s|\\(:\"\\)\\(/[^/][^\"]*\"\\)|\\1/#PROXY_MAP#\\2|g" sed="s|\\(:'\\)\\(/[^/][^\']*'\\)|\\1/#PROXY_MAP#\\2|g" type="application/json*" append-newline-at-end="false" #rewrite any javascript page redirects common in ADF applications Output fn="insert-filter" filter="sed-response" sed="s|\\(redirect url=\"/\\)|\\1#PROXY_MAP#/|g" sed="s|/\\([^/][^<]*\\)|/#PROXY_MAP#/\\1|g" type="text/xml*" #Remove any domain attributes from the cookie header. This will force the browser to use the otd host name as a default Output fn="sed-response-header" name="set-cookie" Configuring the Access Portal Service 54-37 Enabling Form-Fill Single Sign-On for an Application sed="s|domain=#DOCUMENT_DOMAIN#||g" sed="s|Domain=#DOCUMENT_ DOMAIN#||g" sed="s|domain=.#DOCUMENT_DOMAIN#||g" sed="s|Domain=.#DOCUMENT_DOMAIN#||g" sed="s|domain=.#ORIGIN_ HOST#||g" sed="s|Domain=.#ORIGIN_HOST#||g" 8. Paste the generated template into the target route (e.g. originapp) section in the $SERVER-obj.conf file. 9. If you created one or more HTTPS listeners in step 2, make the following changes in the target route (e.g., originapp) section of the $SERVER-obj.conf file: a. Locate the following statement: Route fn="set-origin-server" origin-server-pool= "origin-server-pool-http-www-originapp-com" rewrite-host="true" b. Add the following security rule directly above the statement listed in step 9a: Route fn="set-origin-server" origin-server-pool="origin-server-pool-https-www-originapp-com" rewrite-host="true" 10. Reconfigure the server. 54.4.2.2 Path Rewriting Guidelines for HTTP Request/Response Headers HTTP request and response headers contain parameters that must be rewritten to point to the Oracle Traffic Director origin server. Oracle Traffic Director can rewrite basic location headers that contain the origin server host name and exact protocol, or a relative path. A typical HTTP request header looks as follows: GET /web/en-US/default.aspx HTTP/1.1 Host: www.oracle.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 Accept: text/html, application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://www.oracle.com/web/en-US/default.aspx ?root=1 Connection: keep-alive This example header contains the following parameters that require path rewriting: ■ GET - contains the path of the requested page relative to the Web root, plus HTTP protocol version. For example: GET /web/en-US/default.aspx HTTP/1.1 An example proxy rule for rewriting the GET parameter: NameTrans fn="map" to="/" from="/myLocalPath" ■ Host - contains the URL of the page host. For example: www.oracle.com 54-38 Administrator's Guide for Oracle Access Management Enabling Form-Fill Single Sign-On for an Application An example proxy rule for rewriting the Host parameter: Route fn="set-origin-server" origin-server-pool="myoriginserverpool" rewrite-host="true" ■ Referer - contains the URL of the page that referred the request. For example: http://www.oracle.com/web/en-US/default.aspx ?root=1 An example rule for rewriting the Referer parameter: AuthTrans fn="set-variable" set-headers="referer=https://www.oracle.com/$1" Since Web applications vary widely, in addition to the above examples, you must examine your HTTP headers to account for any other parameters referencing a URL or a relative path. Note: A rewritten version of our example header would then look as follows: GET /myLocalPath/web/en-US/default.aspx HTTP/1.1 Host: myoriginserver.oracle.com:8484 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 Accept: text/html, application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://myoriginserver.oracle.com:8484/myLocalPath/ web/en-US/default.aspx?root=1 Connection: keep-alive Oracle Traffic Director can not handle location redirects to another origin server. For example, if a logon page hosted on one host redirects the user to a page on another host upon successful logon, you must configure the rewriting rules for this remapping manually. For example: Output fn="set-variable" $srvhdrs{'location'}="https://myoriginserver.oracle.com:8484/travel-portal $2" Output fn="sed-response-header" name="set-cookie" sed="s|path=/travel-sso/|path=/|g" Configuring the Access Portal Service 54-39 Enabling Form-Fill Single Sign-On for an Application Route fn="set-origin-server" origin-server-pool="origin-server-portal-oracle-travle" rewrite-host="true" 54.4.2.3 Path Rewriting Guidelines for Browser Cookies The path and domain parameters in cookies need to be rewritten to point to the Oracle Traffic Director origin server instead of the target application host. For example: Set-cookie: v1st=1666B5EACC906D6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.www.oracle.com Must become: Set-cookie: v1st=1666B5EACC906D6; path=/myLocalPath/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.myoriginserver.oracle.com When configuring cookie rewriting rules, note the following: ■ ■ ■ Oracle Traffic Director cannot rewrite wildcarded domains, such as .oracle.com. A target host name must be specified, for example: .www.oracle.com. If your application shares cookies across multiple domains, you must create separate cookie rewriting rules for each domain. You must strip out the Oracle Authentication Manager cookie from the cookie set request, as it interferes with certain Web applications, such as Dropbox. Example rule for stripping out the Oracle Authentication Manager cookie: AuthTrans fn="sed-request-header" name="cookie" sed="s|OAMAuthnCookie[^;]*;| |g" sed="s|OAMRequestContext[^;]*;| |g" ■ You must strip out Oracle Authentication Manager headers before sending them to the application host. 54.4.2.4 Path Rewriting Guidelines for Page Content Oracle Traffic Director does not directly provide the means to rewrite host names and resource paths within the HTML code of the target page. You must use sed expressions to rewrite those values. Common HTML elements whose values will require rewriting include src, href, and action. Example sed rule set for rewriting the src, href, and action elements: Output fn="insert-filter" filter="sed-response" sed="s|\\(src\\)=\"/\\([^\"|^/]\\)|\\1=\"/myLocalPath/\\2|g" sed="s|\\(src\\)='/\\([^'|^/]\\)|\\1='/myLocalPath/\\2|g" sed="s|\\(href\\)=\"/\\([^\"|^/]\\)|\\1=\"/myLocalPath/\\2|g" sed="s|\\(href\\)='/\\([^'|^/]\\)|\\1='/myLocalPath/\\2|g" sed="s|\\(action\\)=\"/\\([^\"|^/]\\)|\\1=\"/myLocalPath/\\2|g" sed="s|\\(action\\)='/\\([^'|^/]\\)|\\1='/myLocalPath/\\2|g" type="text/html*" Example rule for rewriting hardcoded host names: Output fn="insert-filter" filter="sed-response" sed="s|https://www.oracle.com|https://myoriginserver.oracle.com:8484/myLoc alPath|g" type="(text*|application*)" Example rule for rewriting path references within CSS elements: 54-40 Administrator's Guide for Oracle Access Management Enabling Form-Fill Single Sign-On for an Application Output fn="insert-filter" filter="sed-response" sed="s|url(\"/\\([^\"|^/]\\)|url(\"/myLocalPath/\\1|g" sed="s|url('/\\([^'|^/]\\)|url('/myLocalPath/\\1|g" sed="s|url(/\\([^) |^/]\\)|url(/myLocalPath/\\1|g" type="text/css*" Note the following when creating host name and path rewriting rules: ■ ■ You must include the "Content-Type" attribute values for content types used by the target page in your Oracle Traffic Director configuration file to provide maximum content compatibility when rewriting. Compressed content is not directly supported by sed; you must configure Oracle Traffic Director to decompress compressed HTML content before applying sed rewriting rules to the content, and recompress it afterwards. Example rules for decompressing and recompressing HTML content: Output fn="insert-filter" type="(text*|application*)" filter="http-decompression" Output fn="insert-filter" type="(text*|application*)" filter="http-compression" ■ In some cases, you may be able to strip out the "Accept Encoding" parameter in the request header to prevent the application host from sending compressed data in the first place. Example rule for stripping out the "Accept Encoding" header: AuthTrans fn="set-variable" remove-headers="accept-encoding" ■ JavaScript code varies widely in complexity and must be examined on a case-by-case basis in order to create clean, compatible rewriting rules. 54.4.3 Configuring the Webgate Request Filtering The Webgate plugin provides the following HTTP request filtering mechanisms: ■ JavaScript tag injection into incoming (to the user browser) HTML pages ■ Mock credential substitution in outgoing POST requests ■ HTTP Basic Authentication credential injection and credential capture ■ Sanitization of outgoing HTTP requests to remove OAM/ESSO cookies and headers before the request is forwarded to the origin server The Webgate plugin requires the following Init directives in magnus.conf: ■ To load NSAPI filters and SAFs: Init fn="load-modules" funcs="OBWebGate_Init,OBWebGate_ Authent,OBWebGate_Control,OBWebGate_Err,OBWebGate_Handle401,OBWebGate_ Response,EssoBasicAuthInit,EssoBasicAuth,EssoClean" shlib="webgate.so" obinstalldir="Webgate_Home_Dir" obinstancedir="Webgate_Instance_Dir" Init fn="OBWebGate_Init" obinstalldir="Webgate_Home_Dir" obinstancedir="Webgate_Instance_Dir" Mode="PEER" ■ To enable HTTP Basic Authentication: Init fn="EssoBasicAuthInit" obinstalldir="Webgate_Home_Dir" obinstancedir="Webgate_Instance_Dir" Mode="PEER" where: Configuring the Access Portal Service 54-41 Enabling Form-Fill Single Sign-On for an Application Parameter Description shlib ="webgate.so" Full path to the webgate.so module. obinstalldir ="WebGate_Home_Dir" full path to the target Webgate installation directory. obinstancedir ="WebGate_Instance_Dir" full path to the Webgate instance directory. ESSOEnable ="On|Off" , default "On" Enable or disable all plugins. 54.4.3.1 Configuring the JavaScript Injection Filter The JavaScript injection filter provides tag injection into pages incoming into the target user’s Web browser. The following table describes the supported parameters. Parameter Description ESSOEnable ="on|off", default "on" Add to either magnus.conf or obj.conf Enable or disable the JavaScript injection filter. Specifying this directive in magnus.conf disables all ESSO plugin features. ESSOSearchTag ="str", default "" Add to obj.conf HTML tag to match on for JavaScript injection. ESSOInjectTag ="before|after", default "before" Add to obj.conf Determines whether to inject the JavaScript tag before or after the ESSOSearchTag parameter. ESSOSearchCaseSensitive ="yes|no", default "no" Add to obj.conf Determines whether the match is case sensitive. ESSOScriptPath ="path", default "/oamsso/columbiaWeb.js" Add to obj.conf Passed through to JavaScript as "src" ESSOConsoleLoggingLevel ="n", default "0", "5" is trace. Add to obj.conf Passed through to JavaScript as "essoConsoleLoggingLevel" ESSOPartnerId ="str" Add to magnus.conf Partner ID value. Passed through to JavaScript as "oam_partner". If present, takes precedence over the "id" value in .../webgate/config/ObAccessClient.xml For example, adding the following to obj.conf 54-42 Administrator's Guide for Oracle Access Management Enabling Form-Fill Single Sign-On for an Application AuthTrans fn="set-variable" insert-vars="DYNAMIC-PROXY-ENABLE=on" insert-vars="DYNAMIC-PROXY-MAP-TO=/myTarget" insert-vars="DYNAMIC-PROXY-MAP-FROM=/" insert-vars="DYNAMIC-PROXY-HTTPS=18484" insert-vars="DYNAMIC-PROXY-HTTP=18282" insert-vars="DYNAMIC-PROXY-IGNORE-PATHS=/ignoreMe" will produce the following result: Output fn="insert-filter" type="text/*" filter="esso_webproxy" ESSOSearchTag="" 54.4.3.2 Configuring Dynamic Proxy Support When dynamic proxy support is enabled (via the DYNAMIC-PROXY-ENABLE parameter), the following parameters are inserted into your route as Oracle Traffic Director server variables and passed down as JavaScript attributes to configure the dynamic proxy behavior. Only non-null values will be passed to the JavaScript tag. If either DYNAMIC-PROXY-MAP-FROM or DYNAMIC-PROXY-MAP-TO value is not specified, an error ("Dynamic proxy enabled but missing mapTo/mapFrom") will be logged. Add these parameters to obj.conf. Parameter Description DYNAMIC-PROXY-ENABLE ="on|off", default "off" Enables or disables the dynamic proxy functionality. When disabled, the parameters listed in the remainder of this table are not passed to the JavaScript injection filter. DYNAMIC-PROXY-MAP-TO Destination URI. Default is null (empty string). DYNAMIC-PROXY-MAP-FROM Source URI. Default is null (empty string). DYNAMIC-PROXY-HTTPS HTTPS port number. Default is null (empty string). DYNAMIC-PROXY-HTTP HTTP port number. Default is null (empty string). DYNAMIC-PROXY-IGNORE-PATHS URIs that should be ignored. Default is null (empty string). For example: 54.4.3.3 Configuring the Mock Credentials Filter The Mock Credentials filter provides substitution of ESSO mock credentials in the outgoing POST request. By default, OAM headers are stripped before the request is passed on to the origin server, but they can be forwarded with the pass-oam-headers parameter. To enable, add a directive with the parameter to your directive in obj.conf as follows: pass-oam-headers="true|false", default "false" This includes the following headers (by default, they are omitted): Configuring the Access Portal Service 54-43 Enabling Form-Fill Single Sign-On for an Application ■ OAM_IMPERSONATOR_USER ■ OAM_REMOTE_USER ■ OAM_LAST_REAUTHENTICATION_TIME ■ OAM_IDENTITY_DOMAIN For example: Input fn="insert-filter" type="application/x-www-form-urlencoded" filter="esso_webproxy_input" pass-oam-headers="true" 54.4.3.4 Configuring HTTP Basic Authentication HTTP Basic Authentication provides the ability to capture and inject credentials from and into Web browser basic authentication (modal) dialogs. Configure HTTP Basic Authentication in the magnus.conf as follows: ■ ■ Add the EssoBasicAuthInit and EssoBasicAuth functions to the load-modules Init directive (explained in Configuring the Webgate Request Filtering). Add a standalone Init directive that loads the ESSOBasicAuthInit function: For example: Init fn="load-modules" funcs="OBWebGate_Init,OBWebGate_Authent,OBWebGate_ Control,OBWebGate_Err,OBWebGate_Handle401,OBWebGate_ Response,EssoBasicAuthInit,EssoBasicAuth,EssoClean" shlib="webgate.so" obinstalldir="Webgate_Home_Dir" obinstancedir="Webgate_Instance_Dir" Init fn="EssoBasicAuthInit" obinstalldir="Webgate_Home_Dir" obinstancedir="Webgate_Instance_Dir" Mode="PEER" HTTP Basic Authentication is enabled by default when you install the Access Portal Service. To disable it, remove the EssoBasicAuthInit and EssoBasicAuth functions from the load-modules Init directive and delete the fn="EssoBasicAuthinit" standalone directive from the magnus.conf file. Note: Then, add one or more of the following parameters to obj.conf for the header injection SAF and the credential capture filter: Parameter Description policy ="policy name" Required. Name of the ESSO policy (application template) to use for authentication. realm ="realm name" Optional. The desired authentication realm of the target website, if more than one realm is in use. For example: NameTrans fn="EssoBasicAuth" policy="BasicAuth1" realm="realm1" Output fn="insert-filter" filter="esso_output_capture" policy="BasicAuth1" realm="realm1" 54-44 Administrator's Guide for Oracle Access Management Enabling Form-Fill Single Sign-On for an Application 54.4.3.5 Configuring the HTTP Request Sanitizer The HTTP request sanitizer strips the proxied HTTP request of any cookies and headers added by Oracle Access Manager and the Webgate plugin before the request is forwarded to the origin server. The sanitizer removes cookies with the following names: ■ OAM_Partner ■ OAMAuthnCookie_* ■ OAMRequestContext* ■ OAMAuthnHintCookie ■ OAM_* ■ ESSO_BAH* (Basic Authentication Hint, caches policy, realm, and credential GUID) Request-specific cookie names (for example, containing the server name) are matched using a wildcard, indicated above by the trailing asterisk. The sanitizer removes the following headers: ■ OAM_IMPERSONATOR_USER ■ OAM_REMOTE_USER ■ OAM_LAST_REAUTHENTICATION_TIME ■ OAM_IDENTITY_DOMAIN The Mock Credentials filter also provides this sanitization, but only while processing HTTP POST requests that contain mock credentials. The Webgate HTTP request sanitizer performs this function unconditionally on all requests. Note: To enable the sanitizer, add the EssoClean function to the load-modules Init directive in the magnus.conf file. For example: Init fn="load-modules" funcs="OBWebGate_Init,OBWebGate_Authent,OBWebGate_ Control,OBWebGate_Err,OBWebGate_Handle401,OBWebGate_ Response,EssoBasicAuthInit,EssoBasicAuth,EssoClean" shlib="webgate.so" obinstalldir="Webgate_Home_Dir" obinstancedir="Webgate_Instance_Dir" Then, add the following to the obj.conf file: NameTrans fn="EssoClean" Note: The HTTP Request Sanitizer is enabled by default when you install the Access Portal Service. To disable it, remove the EssoClean function from the load-modules Init directive in the magnus.conf file, and remove the above code from the obj.conf file. The Webgate plugin passes the target credential’s GUID value in the proxied URL to the origin server. If the target application does not function properly due to this value Configuring the Access Portal Service 54-45 Adding a Federated Partner Provider Application being passed, add the following rewrite rule to the Oracle Traffic Director configuration to strip out the GUID value: AuthTrans fn="set-variable" set-reqpb="query=$1$3" 54.5 Adding a Federated Partner Provider Application To add a federated partner provider application to the Access Portal Service application catalog, do the following: 1. Log on to the Oracle Access Manager console. 2. In the Quick Start Wizards section of the Launch Pad tab, click Application Registration. 3. In the page that appears, fill in the fields as follows: 4. a. Vendor - the vendor of the application. b. Name - a descriptive name for the application. c. Type - select Federated Server Partner Provider Application from this drop-down menu, as desired.The application will be available to all Access Portal users. d. Description - a meaningful description of the application for the user. e. Reference - internal reference describing the version/variant of the application template. f. Category - the category under which the application will appear; for example, "Finance," "Development," and so on. g. Reference - an internal reference for the application template, such as a version number or features that are enabled. h. Icon Image URL - URL to the icon image that will appear next to the application entry. A preview of the image is displayed below the field to confirm the URL is valid. i. Logo Image URL - URL to the full-size application logo image. A preview of the image is displayed below the field to confirm the URL is valid. j. When you have finished, click Next. In the "Configuration" page that appears, do the following: a. In the Partner field, enter the desired federated partner name. If you don't know the exact name, click the Search (magnifier) icon, enter the desired search term in the pop-up that appears, select the desired partner from the list of results, and click OK to add that partner to the template. If you want to create a new partner, click Create and refer to the "Identity Federation" chapter for more information on creating a new federation partner. b. In the Application URL field, enter the URL to the target application; obtain this URL from your application administrator. c. Click Next. 54-46 Administrator's Guide for Oracle Access Management Creating an Application Configuration Package 5. In the summary page that appears, review your configuration choices. To make changes, click Back; otherwise, click Finish. 54.6 Adding an Oracle SSO Agent Application To add an Oracle SSO Agent application to the Access Portal Service application catalog, do the following: 1. Log on to the Oracle Access Manager console. 2. In the Quick Start Wizards section of the Launch Pad tab, click Application Registration. 3. In the page that appears, fill in the fields as follows: 4. a. Vendor - the vendor of the application. b. Name - a descriptive name for the application. c. Type - select SSO Agent Application from this drop-down menu, as desired.The application will be available to all Access Portal users. d. Launch URL - enter the URL of the target application; obtain this URL from your application administrator. e. Description - a meaningful description of the application for the user. f. Reference - internal reference describing the version/variant of the application template. g. Category - the category under which the application will appear; for example, "Finance," "Development," and so on. h. Reference - an internal reference for the application template, such as a version number or features that are enabled. i. Icon Image URL - URL to the icon image that will appear next to the application entry. A preview of the image is displayed below the field to confirm the URL is valid. j. Logo Image URL - URL to the full-size application logo image. A preview of the image is displayed below the field to confirm the URL is valid. k. When you have finished, click Next. In the summary page that appears, review your configuration choices. To make changes, click Back; otherwise, click Finish. 54.7 Creating an Application Configuration Package The Access Portal Service ships with a configuration package tool that allows you to generate an environment-specific Access Portal Service configuration package for select target applications. The package will contain pre-configured application templates, as well as Oracle Traffic Director content rewriting and proxy rules that configure the Access Portal Service for the target application. 54.7.1 Contents of the Application Configuration Package The application configuration package contains the following: ■ Logo image(s) or URL(s) to the logo image(s) for the application. Configuring the Access Portal Service 54-47 Creating an Application Configuration Package ■ ■ Application policies (templates) and password generation policies (if defined) in .INI format, exported from the Enterprise Single Sign-On Administrative Console (formfill.ini). Oracle Traffic Director configuration data (described in detail in Enabling Form-Fill Single Sign-On for an Application): – Origin server pool definitions to be added to the server.xml file on the target managed server instance. – Rewriting rules for SED headers, page content, cookies, and so on, to be added to the object.conf file on the target Oracle Traffic Director instance. – Route configuration directives to be added to the routes.conf file on the target Oracle Traffic Director instance. The Oracle Traffic Director configuration data must not contain any hardcoded values such as host names, port numbers, and session identifiers, and should use the preprocessor directives described in the next section. 54.7.2 Required Environment-Specific Configuration Data You must provide the tool with the following configuration data specific to your target environment: ■ %OTD_HOST% ■ %OTD_HTTP_PORT% ■ %OTD_HTTPS_PORT% Optionally, you may also provide forward proxy configuration as follows: ■ %FORWARD_PROXY_HOST% ■ %FORWARD_PROXY_PORT% 54.7.3 Customizing an Application Configuration Package to the Target Environment Create your source configuration files as follows before generating an application configuration package as described in this section. If desired, compress the files into a ZIP archive named after the target application for easier portability. 54.7.3.1 Preprocessor Directives for the Oracle Traffic Director Configuration Data Because a preprocessor will parse your configuration data in order to apply the configuration to the target Oracle Traffic Director instance, you must define the following preprocessor directives in your configuration files: ■ %OTD_HOST% ■ %OTD_HTTP_PORT% ■ %OTD_HTTPS_PORT% Optionally, you may also define the following directives if your environment requires them: ■ %FORWARD_PROXY_HOST% ■ %FORWARD_PROXY_PORT% For example, a regex match URI for an application would look as follows: .*?https://%OTD_HOST%:%OTD_HTTPS_PORT%/myapplication.* 54-48 Administrator's Guide for Oracle Access Management Creating an Application Configuration Package 54.7.3.2 Rewriting Directives (object.conf) This file will contain the Oracle Traffic Director rewriting rules for SED, headers, content, and routes for the target application. It must not contain any hardcoded values; use the preprocessor directives listed earlier instead. For example: AuthTrans fn="set-variable" set-headers="referer=https://participant.myapplication.com/$1" NameTrans fn="map" to="/" from="/myapplication" Route fn="set-origin-server" origin-server-pool="origin-server-pool-participant-myapplication-com" Output fn="insert-filter" filter="sed-response" sed="s|\\(src\\)=\"/\\([^\"]\\)|\\1=\"/myapplication/\\2|g" sed="s|\\(href\\)=\"/\\([^\"]\\)|\\1=\"/myapplication/\\2|g" sed="s|\\(action\\)=\"/\\([^\"]\\)|\\1=\"/myapplication/\\2|g" Output fn="insert-filter" filter="sed-response" sed="s|https://participant.myapplication.com|https://$urlhost:%OTD_HTTPS_ PORT%/myapplication|g" Name this file object.conf and place it in the common package directory. The package generation tool will create a new file in that directory with the generated prefix in its name. 54.7.3.3 Origin Server Pools (server.xml) Name this file server.xml and place it in the common package directory. The package generation tool will create a new file in that directory with the generated prefix in its name. For example: origin-server-pool-participant-myapplication-com inet https participant.myapplication.com 54.7.3.4 Routing Conditions (routes.conf) Name this file routes.conf and place it in the common package directory. The package generation tool will create a new file in that directory with the generated prefix in its name. For example: NameTrans fn="assign-name" id="route-myapplication" name="route-myapplication" Configuring the Access Portal Service 54-49 Creating an Application Configuration Package 54.7.4 Generating the Customized Application Configuration Package To customize the application configuration package to your target environment, use the apspackageutility.jar tool. The tool is located in the following location within the Access Management suite installer archive: ../iamsuite/Disk2/stage/Components/oracle.oam.server/11.1.2.3.0/ 1/DataFiles/Expanded/server/tools/apsapputility The tool syntax is as follows: The package generation tool requires an up-to-date Java Runtime Environment installation. Note: java -jar apsapputility.jar -p properties-file -z package-file or -d package-directory where: ■ ■ ■ -p properties-file - full path and name of the property file to process (object.conf, server.xml, route.xml, or formfill.ini). This file contains the values for the properties listed in Required Environment-Specific Configuration Data. -z package-file - full path and name of the package ZIP file (if using a ZIP file), or -d package-directory - full path to the directory containing the configuration files (if not using a ZIP file) The -z and -d options are mutually exclusive; use only one or the other. The tool will add the customized file(s) to the ZIP file or package directory, depending on the selected option; the names of the generated files will contain the generatedprefix. The generated file(s) will be output one directory up from where the source files are located. 54.7.5 Deploying the Customized Application Configuration Package To deploy the customized application configuration package, do the following: 1. Deploy the generated form-fill application policies (templates) and password generation policies, if defined (generated-formfill.ini). Log on to the Oracle Access Management Console, navigate to the Applications section and upload the file. 2. Deploy the generated rewriting rules (generated-object.conf). a. Open the following file in a text editor: target-otd-instance-directory/config/server-name-obj.conf b. Paste the contents of the generated-object.conf file inside the following tag: paste contents here 3. Deploy the generated origin server pool definitions (generated-server.xml): a. Open the following file in a text editor: target-otd-instance-directory/config/server.xml b. Paste the contents of the generated-server.xml file inside the following tag: 54-50 Administrator's Guide for Oracle Access Management Managing Password Generation Policies paste contents here 4. Deploy the generated route conditions (generated-routes.xml): a. Open the following file in a text editor: target-otd-instance-directory/config/server-name-obj.conf b. Paste the contents of the generated-routes.conf file at the end of the file. 54.8 Managing Password Generation Policies Password policies facilitate user logons while ensuring the organization's security. The Access Portal Service lets administrators set policies that control automatic password generation. Most applications have constraints for passwords: how long they can or must be, whether they must or must not include numbers or symbols, and so on. the Access Portal Service's password generation feature improves application logon security by automatically creating passwords made up of random characters according to predefined sets of constraints, stored as password policies. Each policy can apply to multiple applications or subscribers. Using predefined password policies, you can completely automate password changes and implement sophisticated security schemes, including complex passwords and application-specific passwords unknown to users. To manage password generation policies, click Federation at the top of the Administrative Console, then click Password Generation Policies in the Access Portal Service section. A new tab containing options to search and create opens. Figure 54–1 Password Generation Policies Search/Create Tab 54.8.1 Searching for Password Generation Policies To search for an existing policy: 1. Enter a name or partial string in the Name field, and click the Search button. The results appear in the Search Results table. Configuring the Access Portal Service 54-51 Managing Password Generation Policies 2. Click any policy in the Search Results list to edit the policy configuration. Continue to step 3 in the next section to learn more about configuring these settings. 54.8.2 Creating Password Generation Policies To create a new policy: Figure 54–2 New Password Generation Policy Summary Tab 1. 2. Click the Create Password Generation Policy button to launch the New Password Policy tab, which contains two sub-tabs: ■ Summary ■ Password Constraints On the Summary tab, enter the following information: ■ A distinct name for the policy. ■ (Optional) A meaningful description to identify the policy. ■ 3. (Optional) Internal reference information describing the version/variant of the policy. Click the Password Constraints tab. If you would like to specify your password constraints using regular expressions, enter the desired REGEX string into the Regular Expressions Constraint field. Doing so will override and disable the manual constraint options listed below (except the Previous Password Constraints options). Note: On the Password Constraints tab, specify the following: ■ Length Constraints 54-52 Administrator's Guide for Oracle Access Management Managing Password Generation Policies ■ ■ ■ – The minimum password length. Options are 1-128. Default is 8 characters. – The maximum password length. Options are 1-128. Default is 8 characters. Alphabetic Characters – Check the box to allow uppercase characters. If you check the box, you must specify the minimum number required. Default is 0. – Check the box to allow lowercase characters. If you check the box, you must specify the minimum number required. Default is 0. Special Characters – Check the box to allow non-alphabetical and/or non-numeric characters. If you check the box, you must specify the minimum and maximum number permitted. Default minimum is 0. Default maximum is 8. – Check the box(es) to allow a special character to start and/or end a password. Excluded Characters – ■ ■ ■ Repeat Constraints – Enter the maximum number of times a given character can be repeated in a password (in any position). Options are 0-127. Default is 7. – Enter the number of times a given character can be repeated consecutively (adjacent to itself). Options are 0-127. Default is 7. Numeric Characters – Check the box to allow numeric characters. If you check the box, you must specify the minimum and maximum number permitted. Default minimum and maximum is 0. – Check the box(es) to allow a numeric character to start and/or end a password. Other Characters – ■ Enter a list of specific characters to exclude from a password. Do not use any delimiters. Check to allow other characters to be included in a password. Previous Password Constraints – Disallow use of previous password. Check the box to prohibit reusing the previous password entirely. – Limit use of previous password characters. Select to limit repetition of characters from the previous password. – Maximum previous password characters. If you checked the previous box to permit usage of some previous password characters, select the maximum number of characters to allow. Configuring the Access Portal Service 54-53 Managing Password Generation Policies The Access Portal Service recognizes multiple occurrences of a character as the same character and will therefore permit more than one occurrence of that character in the new password. Note: So, if the previous password contained three "A"s, and you specify that one character from the previous password can repeat, the Access Portal Service will allow more than one instance of "A" in the new password. 4. Click Save to complete policy configuration, or Cancel to close the tab without saving the policy. Figure 54–3 Password Constraints Tab of a Password Generation Policy 54.8.3 Managing Policy Subscribers Applications that use a password generation policy are called subscribers. You can add subscribers during creation of the policy or at any time thereafter. Following is the procedure to add subscribers to a policy. 54-54 Administrator's Guide for Oracle Access Management Managing Credential Sharing Groups Figure 54–4 Add Applications Dialog 1. On the Password Generation Policy Summary page, click the Add icon. The Add Applications dialog appears. 2. In the Name field, enter a name or text string and click Search. You can also leave this field blank to return every available application. 3. After a search, all applications that fit your search criteria appear in the Available Applications list. For each application, the list includes any policy to which it subscribes. 4. Select one or more applications from the Available Applications list, and click Add Selected. Or simply click Add All to add every application returned by the search. If you select an application that is already a subscriber to another policy, it will no longer be subscribed to the other policy. 5. Click Add when you are finished, or Cancel to dismiss the dialog without making changes. 6. Click Save to save your policy. 54.9 Managing Credential Sharing Groups Credential sharing groups are sets of applications that share the information of one or more fields to facilitate account management, allowing users to apply a credential change made in one application to other specified applications automatically. For each group that you create, you can include any number of applications and designate which credentials they have in common. When the Access Portal Service handles a credential change for any application that is a member of the sharing group, it automatically applies the credential change to all other group members. Any number or combination of applications can share a single credential. You can also designate a key field; that is, a field that the Access Portal Service uses when updating shared credentials, changing credentials only for accounts with the same key value. Configuring the Access Portal Service 54-55 Managing Credential Sharing Groups Applications will share credentials only for their initial deployment unless you enable credential sharing groups. Note: the Access Portal Service provides flexibility and granularity for you to control how credential sharing groups work. You can configure the following options: ■ ■ ■ ■ Sharing any or all fields for a group of applications: Pre-filling all shared fields when a user first encounters an application in a sharing group, thus requiring the user to enter information only for fields that are not shared by the group. Automatically creating an account when a user encounters an application for which all credentials are pre-determined. Designating a key field; that is, a field that the Administrative Console uses when updating shared credentials, changing credentials only for accounts with the same key value. The next sections describe how to create new groups or edit existing ones. After you create a group, the process for configuring it is the same as editing an existing one. 54.9.1 Searching for Credential Sharing Groups To search for an existing group: 1. Click Federation at the top of the Administrative Console, then click Credential Sharing Groups in the Access Portal Service section of the tab that appears. 2. Enter a name or partial string in the Name field, and click the Search button. The results appear in the Search Results table. 3. Click on any group in the Search Results list to edit its configuration. Continue to step 3 in the next section to learn more about configuring these settings. Figure 54–5 Credential Sharing Groups tab 54.9.2 Creating Credential Sharing Groups To create a new group: 54-56 Administrator's Guide for Oracle Access Management Managing Credential Sharing Groups 1. Click the Create Credential Sharing Group button to launch the New Credential Sharing Group page. 2. In the Name field, enter a name for the group. Optionally, you can add a description and reference information in the fields at the bottom of this section. 3. In the Shared credentials settings, select which credentials the group will share. You can include any or all fields: 4. – Username – Password – Third Field – Fourth Field From the Key Credential within group dropdown, select a field. The key credential field provides more granular criteria for updating shared credentials within a group. When a credential changes, updates will only occur for members that share the key field. to update shared credentials only for accounts that share this field value.s only for accounts that share this field value.: If the user wants to create an account that is not constrained by the key field, that account must have a new key field to avoid updating all existing accounts. Choose one of the following from the dropdown: ■ None (Default) ■ Username ■ Third Field ■ Fourth Field 5. If desired, select to pre-fill shared fields. This specifies that shared fields will be pre-populated with the shared credentials when the user creates a new account for an application. By default, this option is enabled. 6. If desired, select to automatically create accounts when all credentials are known. This means that the Access Portal Service will create an account automatically when the user encounters an application that has all fields pre-determined. Note: This field is available only if Key credential within group is set to None. 7. Click Save to complete policy configuration, or Cancel to close the tab without saving the group. Configuring the Access Portal Service 54-57 Managing Credential Sharing Groups Figure 54–6 New Credential Sharing Group Page 54.9.3 Managing Applications in Credential Sharing Groups You can add applications to a group during creation of the group or at any time thereafter. Following is the procedure to add applications to a group. 54-58 Administrator's Guide for Oracle Access Management Managing Global Agent Settings Figure 54–7 Add Applications Dialog 1. In the Applications section of the group page, click the Add icon. The Add Applications dialog appears. 2. In the Name field, enter a name or text string and click Search. You can also leave this field blank to return every available application. 3. After a search, all applications that fit your search criteria appear in the Available Applications list. For each application, the list includes any credential sharing group to which it belongs. 4. Select one or more applications from the Available Applications list, and click Add Selected. Or simply click Add All to add every application returned by the search. If you select an application that is already a member of another group, it will no longer be part of that group. 5. Click Add when you are finished, or Cancel to dismiss the dialog without making changes. 6. Click Save to store the changes made to the credential sharing group. 54.10 Managing Global Agent Settings Global Agent Settings determine single sign-on behavior when users encounter password-protected applications. With these settings you specify what the user sees and is allowed to do when navigating to an application. The next sections describe how to create new sets of Global Agent Settings or edit existing sets. You can use existing sets created in the the Access Portal Service, or Configuring the Access Portal Service 54-59 Managing Global Agent Settings import preconfigured settings in the format of INI files. After you create a set, the process for configuring it is the same as that for editing an existing one. 54.10.1 Searching for Sets of Global Agent Settings To search for an existing set: 1. Click Federation at the top of the Administrative Console, then click Global Agent Settings in the Access Portal Service section. 2. Enter a name or partial string in the Name field, and click the Search button. The results appear in the Search Results table. 3. Click on any group in the Search Results list to edit its configuration. Continue to step 3 in Creating a Set of Global Agent Settings to learn more about configuring these settings. Figure 54–8 Global Agent Settings Search tab 54.10.2 Importing an INI File with a Global Agent Settings Configuration To import an INI file (unicode format only): 1. Click the Import icon to launch the Import Global Agent Settings dialog, and click the Browse button. 2. Navigate to an existing INI file, select it and click Open. Then click the Update button. The Global Agent Settings' configuration page opens. Continue to step 3 in Creating a Set of Global Agent Settings to learn more about configuring these settings. 54.10.3 Creating a Set of Global Agent Settings To create a new set: 54-60 Administrator's Guide for Oracle Access Management Managing Global Agent Settings Figure 54–9 New Global Agent Settings Page 1. Click the Create Global Agent Settings button to launch the Create Global Agent Settings page. 2. In the Name field, enter a name for the group. Optionally, you can add a description of this set. 3. In the Credential Field Identification settings, specify the following: – Whether to display a highlighted border around the credential fields of an application during logon. The default is to show the border. Configuring the Access Portal Service 54-61 Managing Global Agent Settings – The default border color/size/style for highlighting detected web page fields. The default is a solid red border, six pixels in width. Following is an example of the results of using the default settings for this group. 4. In the Behavior settings, specify the following: ■ URL Matching Precision. The number of levels of the host portion of the URL used for application detection and response. Default is 2. For example, for the URL http://mail.company.co.uk: 2=match to *.co.uk 3=match to *.company.co.uk 4=match to *.mail.company.co.uk Note: ■ Values less than 2 are treated as 2. Scroll into View. Enables or disables scrolling the browser window to bring the logon fields into view. Default is No. This setting disables scrolling when the user has not yet stored credentials for a Web application. Scrolling always occurs when injecting credentials into the logon fields for an account that already exists. 5. In the Password Change Behavior settings, select a Default Password Policy from the dropdown list, if desired. Default is None. 6. In the Response Control settings: ■ Enter the list of Web pages to Ignore. This is typically used when the BHO causes conflicts with specific Web applications or sites. Click the ellipsis ("…") button to enter the regular expressions that match the URLs to be ignored (one per line). Examples: ■ – .*http://login\.company\.com/.* – .*http://.*\.company\.com/.* Enter the list of Allowed Dynamic Web Pages. Use this setting to list the permissible dynamic (DHTML) Web pages. By default, the BHO does not detect changes made to a dynamic page after the initial presentation of the page. Examples: 7. – .*http://login\.company\.com/.* – .*http://.*\.company\.com/.* In the Allowed Character Sets settings, enter the permissible characters for each of the four types of fields. The fields are pre-populated with the defaults for each character set. 54-62 Administrator's Guide for Oracle Access Management Managing Global Agent Settings 8. In the Masked Fields Security settings, specify the following. ■ ■ ■ 9. Obfuscate Length. Specifies whether to display encrypted fields with a string of blank characters different from the length of the obfuscated data. Default is Yes. Allow Revealing. Specifies whether the user is permitted to reveal masked fields. Default is Yes. Require Reauthentication to Reveal. Specifies whether the user must enter the Access Portal Service credentials in order to reveal masked fields, assuming that you have set Allow revealing to Yes. Default is Yes. In the Authentication section, specify the naming attribute string for the target data repository (if required by your environment). For more information, see the Enterprise Single Sign-On Suite Administrator’s Guide. 10. Click Save to complete global agent setting configuration, or Cancel to close the tab without saving the set. Configuring the Access Portal Service 54-63 Managing Global Agent Settings 54-64 Administrator's Guide for Oracle Access Management Part XIV Part XIV Using Identity Context This part introduces Oracle Identity Context. Part X contains the following chapters: ■ Chapter 55, "Using Identity Context" 55 Using Identity Context 55 Identity Context allows organizations to meet growing security threats by leveraging the context-aware policy management and authorization capabilities built into the Oracle Access Management platform. Identity Context secures access to resources using traditional security controls (such as roles and groups) as well as dynamic data established during authentication and authorization (such as authentication strength, risk levels, device trust and the like). The following sections contain additional information on Identity Context and how to use it. ■ Introducing Identity Context ■ Understanding Identity Context ■ Working With the Identity Context Service ■ Using the Identity Context API ■ Configuring the Identity Context Service Components ■ Validating Identity Context 55.1 Introducing Identity Context Over the last decade, changes have been made to enterprise application infrastructures in order to web-enable the business applications that these infrastructures support. The changes allow for access by a greater number of users using different types of devices. To compensate for the additional risk associated with the greater number of users, the underlying security models used for access management have evolved from a silo-based implementation to a more dynamic one in which identity and risk data is shared across components of the entire application delivery process. This dynamic implementation relies on systems that offer Web single sign-on (SSO), fine-grained authorization, Web Services Security, Identity Federation and the like to aggregate security controls within a particular run-time deployment environment (web server or application server container) and provide policy-based security controls to manage access to application resources. Additionally, the identity and risk data provides a context for the user who is requesting access. Initially, application security controls focused on unifying silos within a specific enterprise application deployment paradigm (for example, all web server applications, all web services applications, or all application server applications) but a growing presence of external and internal security threats now requires the unification of disparate security models in order to properly manage the greater amount of risk. This requirement is further magnified by the advent of the cloud and mobile computing paradigm in which applications are no longer made up of components running neatly in the protected confines of a secure enterprise. Using Identity Context 55-1 Introducing Identity Context The ability of applications to leverage cloud services comes at the cost of having to account for the greater amount of risk stemming from those services being silos in their own way. With the number of threats to cloud deployments and mobile delivery channels growing steadily, it is required for the end-to-end application delivery process to implement the necessary policy controls for dealing with the greater range of threats. These policy controls require access to information about the requesting user on the basis of which security decisions must be made. Thus, a security policy management infrastructure must be context-aware to allow for an Administrator to create policy that controls the level of security imposed on a user who is requesting access to a protected application environment. Previously, Identity Context was defined by the presence of an identity record in one or more identity stores (such as an LDAP directory or a SQL database). The identity record includes profile attributes, groups of which the user is a member, and enterprise roles. However, the constantly expanding reach of web, cloud, and mobile application delivery channels requires authorization policy controls that are aware of more dynamic information regarding the identity. This information is associated with the identity attempting to access the protected resource and may include some or all of the following: ■ Presence (location, historical patterns) ■ Authentication strength (weak, strong) ■ Level of Assurance (NIST levels, X509 certificates) ■ Risk Assessment (pattern analysis) ■ Federation (partner attributes) ■ Device characteristics (fingerprint, device health, device protection, trusted data) ■ Assertions from trusted partners (SAML tokens, etc.) ■ Single Sign On sessions (session time outs) The following examples illustrate how Identity Context data might be used by an application. The application might: ■ ■ ■ ■ ■ Disable a particular business function if the user is not authenticated using a strong credential such as smart card. Secure access to a transaction based on the identity data supplied by a business partner (via Identity Federation) with whom the organization does business. Request additional authentication credentials if it detects that access is originating from a location known for fraudulent activities. Limit the scope of administrative authority if the Administrator's industry certification (as maintained by a third party) has expired. Disable certain business functions if it detects that access is originating from an unknown device. By incorporating the concept of Identity Context into access management, control can now be determined using dynamic data that is not necessarily contained in an identity profile (referred to as Identity Context attributes). In short, Identity Context is considered the environment and circumstances surrounding a user's request to access a particular protected resource. It can be a sphere of activity, a geographical region, a communication platform, an application, or a logical or physical domain. 55-2 Administrator's Guide for Oracle Access Management Understanding Identity Context 55.2 Understanding Identity Context With this release, Access Manager enables context-aware access management by incorporating Identity Context as a built-in service of the Oracle Access Management platform. Figure 55–1 illustrates the flow of the Identity Context process, implemented by multiple system components. Each application delivery component has its own security policy infrastructure responsible for protecting its individual slice of the application. This specific use case involves the end user device, a Web Server running static GUI pages, an Application Server running the Portal Server rendering dynamic content, a Service Bus Server exposing the Web service endpoint, a database server containing transactional data, and an LDAP server containing identity profile data. Figure 55–1 End to End Identity Context Process Each component of the process has its own security infrastructure where the authorization policies governing access to protected resources are defined administratively and enforced at runtime. Additionally, some or all of the components may have externalized policy management to an external authorization server such as Oracle Entitlements Server - which is the case if the applications were built leveraging Oracle Platform Security Services. Figure 55–2 illustrates the functional architecture of Identity Context based on the Oracle applications of which it is comprised. Figure 55–2 End To End Identity Context Process Components As seen in the illustrations, context-aware security policy management is achieved by leveraging the Oracle Access Management platform. This platform contains native Using Identity Context 55-3 Working With the Identity Context Service support for working with and enforcing Identity Context attributes (including risk score, trusted device data, authentication data, and the like) without changing end-user applications. 55.3 Working With the Identity Context Service The Oracle Access Management platform enables Identity Context data to be collected, propagated across the involved components (as defined in Figure 55–2), and made available for granting or denying authorization to access protected resources. The Identity Context Service allows access to the Identity Context Runtime through the Identity Context API. The Identity Context Dictionary schema specifies the Identity Context attributes. The following sections contain more information on these components. ■ Using the Identity Context Dictionary ■ Understanding Identity Context Runtime 55.3.1 Using the Identity Context Dictionary At the core of the Identity Context architecture is the Identity Context Dictionary. The dictionary defines the Identity Context schema by specifying the identity context attributes as defined by the Oracle Access Management platform. The Schema describes each attribute with a unique name that equals namespace : attribute. Table 55–1 documents the Schema attributes. Note: Virtual attributes (as documented in Table 55–1) represent an abstract class of identity information from which specific attributes are created. When publishing virtual attributes, the Identity Context API expects the attribute value to contain attr-name=attr-value. The actual attribute will be created using the name namespace : attribute : attr-name and a value of attr-value. This approach allows the publication of attributes whose value comes from a source not directly managed by the Oracle Access Management components. Table 55–1 Identity Context Schema Attributes Type Virtual Primary Publisher oracle:idm:claims:n value ameid string no OAM Indicates a unique user identifier. Access Manager currently publishes User DN oracle:idm:claims:n format ameid string no OAM Indicates the type of user identifier. Access Manager currently publishes "urn:oasis:names:tc:SAML:1.1:nam eid-format:x509SubjectName" oracle:idm:claims:n qualifier ameid string no OAM Indicates a logical Identity Domain to whom the user belongs. Access Manager currently publishes a logical name of the identity store, such as UserIdentityStore1. Namespace Attribute 55-4 Administrator's Guide for Oracle Access Management Description Working With the Identity Context Service Table 55–1 (Cont.) Identity Context Schema Attributes Type Virtual Primary Publisher oracle:idm:claims:n spprovidedid ameid string no OAM Indicates unique identifier that can be used by any SP to locate the user in SP's own identity store(s). Access Manager currently publishes the value of the unique id attribute as configured in a registered identity store. oracle:idm:claims:c lient firewallenable d boolean no OESSO Indicates client device has firewall enabled. oracle:idm:claims:c lient antivirusenabl ed boolean no OESSO Indicates client device has antivirus enabled. oracle:idm:claims:c lient fingerprint string no Indicates fingerprint of the client OESSO, device. Oracle Access Manageme nt Mobile and Social (OMS) oracle:idm:claims:c lient ostype string no OMS Indicates client device's Operating System type. oracle:idm:claims:c lient osversion string no OMS Indicates client device's operating system version. oracle:idm:claims:c lient jailbroken boolean no OMS Indicates if client device is Jailbroken (iOS) or Rooted (Android). oracle:idm:claims:c lient macaddress string no OMS Indicates client device's Ethernet (MAC) Address. oracle:idm:claims:c lient ipaddress string no OMS Indicates client device's Client IP Address. oracle:idm:claims:c lient vpnenabled boolean no OMS Indicates if client's device has VPN enabled. oracle:idm:claims:c lient geolocation string no OMS Indicates client device location's geographical coordinates in the form of "latitude,longitude. oracle:idm:claims:ri newdevice sk boolean no OAAM Indicates if the client device has been seen before. True when logging in from a device never seen before; otherwise, false. oracle:idm:claims:ri level sk integer no OAAM Indicates risk level. Level increases after unsuccessful logins. oracle:idm:claims:ri safeforuser sk boolean no OAAM Indicates if the user answered a secondary challenge question. True after the user successfully answers it; otherwise false. oracle:idm:claims:ri fingerprint sk string no OAAM Indicates device fingerprint as measured by OAAM. Different devices will leave different fingerprints; can be switched between device (obtained via Flash) fingerprint and browser (http-only) fingerprint oracle:idm:claims:s ession authnlevel integer no OAM Indicates authentication level for Access Manager oracle:idm:claims:s ession usercount integer no OAM Indicates number of sessions held by the users Namespace Attribute Description Using Identity Context 55-5 Working With the Identity Context Service Table 55–1 (Cont.) Identity Context Schema Attributes Namespace Attribute Type Virtual Primary Publisher oracle:idm:claims:s ession appdomain string no OAM Indicates name of the Access Manager Application Domain containing policies oracle:idm:claims:s ession apppolicy string no OAM Indicates name of the Access Manager policy that allowed access oracle:idm:claims:s ession appagent string no OAM Indicates the name of the agent from which the request came to Access Manager oracle:idm:claims:s ession appclientip string no OAM Indicates the IP address of the client sending the request to Access Manager oracle:idm:claims:s ession sessionid string no OAM Indicates the Access Manager session ID oracle:idm:claims:s ession attributes string yes OAM Indicates session attributes as retrieved from the session store. For example, in Access Manager, select "oracle:idm:claims:session:attribut es" as the claim name and then specify the session attribute using the following notation: "attr-name=$session.attr.name where name is the name of the attribute stored in the session. The claim will be created with the name of "oracle:idm:claims:session:attribut es:attr-name" and value equal to session's name attribute. oracle:idm:claims:f ed partner string no OAM--or IF? Indicates partner ID as determined by Identity Federation oracle:idm:claims:f ed nameidvalue string no OAM--or IF? Indicates user ID from a federation partner as determined by Identity Federation oracle:idm:claims:f ed nameidformat string no OAM--or IF? Indicates format of the user ID from a federation partner as determined by Identity Federation oracle:idm:claims:f ed attributes string yes OAM Indicates federation attribute as supplied by the partner and determined by Identity Federation. For example, in Access Manager, select "oracle:idm:claims:fed:attributes" as the claim name and then specify the federation attribute using the following notation: "attr-name=$session.attr.fed.attr.na me, where name is the name of the SAML attribute in the partner's SAML assertion. The claim will be created with the name of "oracle:idm:claims:fed:attributes:at tr-name" and value equal to the partner's assertion provided in the SAML's name attribute. 55-6 Administrator's Guide for Oracle Access Management Description Working With the Identity Context Service Table 55–1 (Cont.) Identity Context Schema Attributes Namespace Attribute Type Virtual Primary Publisher oracle:idm:claims:i ds attributes string yes OAM For example, in Access Manager, select "oracle:idm:claims:ids:attributes" as the claim name, and then specify the ID Store attribute using the following notation: "attr-name=$user.attr.name where name is the name of the attribute on the user profile. The claim will be created with the name of "oracle:idm:claims:ids:attributes:at tr-name" and value equal to user profile's name attribute. oracle:idm:claims:t enant tenantid string no OAM Currently reserved for future use. (Indicates tenant id.) oracle:idm:claims:t enant attributes string yes OAM Currently reserved for future use. (Indicates tenant attributes as supplied by the Publisher. The claim value is meant to contain "attr-name=attr-value". The claim will be created with the name of "oracle.idm:claims:tenant:attr-nam e" and value of attr-value.) Description 55.3.2 Understanding Identity Context Runtime Identity Context Runtime refers to a collection of Identity Context attributes (as defined in the Identity Context Dictionary) that is asserted by various trusted application components and/or security frameworks known to be authoritative for the attributes; this is the Oracle Access Management platform. Runtime context represents current surroundings, circumstances, environment, background, or settings which determine, specify, or clarify the meaning of an event for an identity in the runtime application environment. The Oracle Access Management platform leverages a common infrastructure component called the Context Management Engine (CME). CME ensures that an Identity Context is generated for every transaction that is processed through the Oracle Access Management platform. The context data gathered by CME applies to transactions a user performs over the web channel or web service channel and using many of the software products available in the Oracle Access Management platform. Some transactions that are initiated on the back end may also require access to Identity Context, and may require Identity Context to be persisted for some duration of time. In a typical Oracle middleware deployment the Identity Context Runtime will be utilized primarily by the Oracle Access Management platform to perform policy-based decisions on behalf of protected applications. However, it is also possible for any applications running in the container to directly integrate with, and consume, the Identity Context Runtime by leveraging the Identity Context API. The amount of available Identity Context data will vary depending on what products have been deployed. There will be a default set of Identity Attributes that will be available out-of the box, which are mainly configured in the Access Manager by leveraging the Identity Assertion. Table 55–1, " Identity Context Schema Attributes" documents these default attributes. The following list provides details on the end-to-end flow of the Identity Context Runtime. Figure 55–3 below the list illustrates the flow. Process overview: End-to-end flow of the Identity Context Runtime 1. User accesses a protected application from a device. Using Identity Context 55-7 Working With the Identity Context Service 2. Access Manager asserts the identity, collects Identity Attributes from the participating Access Management publishing components and creates an Identity Context. 3. Access Manager generates an Identity Assertion (a SAML Session token) and incorporates the Identity Context attributes. The Access Manager Identity Asserter processes the Identity Assertion and publishes the Identity Context to the WebLogic Server container using the OPSS Attribute Service. 4. The protected application calls the OES PEP API to make an authorization decision. OES automatically propagates the Identity Context to the local OES PDP. 5. OES finds the appropriate Authorization Policy and evaluates it's Conditions (based on the Identity Context attributes). Evaluation can be done using a built-in Identity Context function or a custom function. 6. The protected application makes a JRF web service call in which the Oracle Web Service Manager (OWSM) client uses the SAML token to propagate Identity Context into the Web Service application environment. 7. OWSM (on the web service side) processes the SAML assertion with the Identity Context and publishes the Identity Context to the WebLogic Server container by using the OPSS Attribute Service. 8. Web Service application calls OES PEP API to make an authorization decision. 9. OES automatically propagates Identity Context to the remote OES PDP where conditions based on Identity Context attributes are evaluated using a built-in Identity Context function or a custom function. Figure 55–3 Identity Context Process Flow Once CME propagates Identity Context into the application tier and underlying Application Server container, the Identity Context is then made available to the container and applications running in it. Table 55–2 documents which Access Management platform products do what when working with Identity Context. 55-8 Administrator's Guide for Oracle Access Management Using the Identity Context API Table 55–2 Mapping Identity Context Operations Role and Context Operation Description Publisher - publishes Trusted security framework protecting an Identity Context application component obtains from another trusted security framework, or derives from the information available to it, suitable facts about the identity and/or identity's access request. The information collected by the authoritative component is based on the environmental context available to component's runtime framework. For example, Access Manager determines the user's level of authentication strength, OAAM computes the risk score associated with a specific online session, and OESSO determines whether or not the client device has a firewall enabled. Propagator propagates Identity Context Evaluators evaluate Identity Context Trusted security framework propagates Identity Context attributes for use by another application security framework or directly by the application. For example, OAAM propagates user's risk score into the Access Manager session for the user, Access Manager propagates Identity Assertion (SAML token) for with the authenticated user's unique id and authentication level, and OWSM client propagates the current Identity Context over to the web service where OWSM agent will rebuild Identity Context in the web service application. Trusted security framework or end-user application using Identity Context attributes to perform policy decisions or personalize application business logic. For example, when OAAM is present and configured to compute the risk score, the application's authorization policy in OES allows access only when the risk score is under a certain threshold. Also, when Identity Federation in Access Manager is configured, the application uses a partner-supplied assertion (available in the Identity Context) to authorize access to a transaction using OES. Components ■ OAM – Session, Federation, and identity store attributes ■ OAAM – Risk attributes ■ OESSO – Device attributes ■ ■ ■ ■ ■ ■ ■ ■ OMS Mobile SDK - Device attributes OAM is between Web tier and container tier OWSM is between web service client tier and web service tier OPSS is between Access Manager Identity Asserter or OWSM agent and WebLogic Server container OMS is between the OMS Mobile SDK and Access Manager OAM – Web Perimeter Policy OWSM – Web Service policy OES – App-specific or WLS-specific policy for all PEP API calls made from the container where Identity Context exists. This includes all ADF apps, IAM apps, custom apps, etc. 55.4 Using the Identity Context API The Identity Context API is a set of Java classes designed to work with the Identity Context Dictionary and Identity Context Runtime. The API is delivered as IdentityContext.jar, a part of Oracle Java Required Files (JRF). Example 55–1 illustrates an application working with Identity Context Dictionary. Example 55–1 Working with Identity Context Dictionary // Display Identity Context Dictionary try { ClaimDictionary idCtxDict = new ClaimDictionary(); System.out.println ("IDC Dictionary :" + idCtxDict.getClaimCount() + "attributes"); Iterator iterNamespace = idCtxDict.getAllNamespaces(); while (iterNamespace != null && iterNamespace.hasNext()) { String namespace = iterNamespace.next(); System.out.println("Namespace : " + namespace); Iterator Using Identity Context 55-9 Using the Identity Context API iterClaimSchema=idCtxDict.getClaimsForNamespace(namespace); while (iterClaimSchema != null && iterClaimSchema.hasNext()) { out.println(iterClaimSchema.next().getUniqueName()); } } } catch (Exception e) { System.out.println("Unable to acquire IDC Dictionary. " + toString()); } Applications work with the Identity Context Runtime to obtain the runtime state of the Identity Context as it currently exists in the application infrastructure. In order to work with the Identity Context Runtime, the protected application must be deployed to either a WebLogic Server domain built on Oracle Fusion Middleware PS5 with the OPSS Opatch for PS5, or Oracle Fusion Middleware PS6 or later. Additionally, working with the Identity Context Runtime is a privileged operation that requires applications running in the WebLogic Server (with the required Identity Context support) to have proper source code grants. The privileged application, running in the WebLogic Server container, can then access the Identity Context Runtime by requesting it from the OPSS Attribute Service. Example 55–2 demonstrates how to use WLST to grant the OPSS Attribute Service permission to access an application (in this case, ssofilter.jar). Example 55–2 Using WLST To Grant Attribute Service Access To Application # sh ../oracle_common/common/bin/wlst.sh connect ('', '','t3://localhost:7001') grantPermission(codeBaseURL="file:${common.components.home}/ modules/oracle.ssofilter_11.1.1/ssofilter.jar", permClass="oracle.security.jps.service.attribute.AttributeAccessPermission", permTarget="*", permActions="get, set, remove") exit() Example 55–3 illustrates an application working with Identity Context Runtime. Example 55–3 import import import import Working with Identity Context Runtime java.security.AccessController; java.security.PrivilegedAction; oracle.security.jps.internal.api.runtime.AppSecurityContext; oracle.security.idm.IdentityContext; … // get runtime ID Context from OPSS private static Object getIDContext() { Object idc = AccessController.doPrivileged(new PrivilegedAction() { public Object run() {return AppSecurityContext.getSecurityContext().getAttribute (oracle.security.idm.IdentityContext.Constants.IDC_API_ID); }}); return idc; } … // Display runtime ID Context try { Context idCtx = (Context)getIDContext(); if (idCtx != null) { System.out.println("IDC Runtime :" + idCtx.getSize() + "attributes"); 55-10 Administrator's Guide for Oracle Access Management Configuring the Identity Context Service Components Iterator i = idCtx.getClaims(); while (i != null && i.hasNext()) { Claim c = i.next(); System.out.println(c.getName() + " : " + c.getValue()); } } else { System.out.println("Identity Context Runtime is not available"); } } catch (Exception e) { System.out.println("Unable to acquire Identity Context Runtime. " + e.toString()); } … // Obtain few attributes from Identity Context Runtime Attr authnLevel = ctx.getAttr (Constants.ATTR_SESSION_AUTHN_LEVEL); Attr isFirewallEnabled = ctx.getAttr(Constants.ATTR_CLIENT_FIREWALL_ENABLED); Attr isTrustedDevice = ctx.getAttr(Constants.ATTR_RISK_TRUSTED_DEVICE); // Use user's authentication strength established at login by OAM int authLevel = new Integer(authnLevel.getValue()).intValue(); if (authLevel < 20) { // do something } More information can be found in the Oracle Fusion Middleware Java API Reference for Oracle Platform Security Services. 55.5 Configuring the Identity Context Service Components Support for Identity Context is pre-integrated into each participating Oracle Access Management component listed in Table 55–2, " Mapping Identity Context Operations". Because of this, each component must be configured to accommodate business requirements. The following sections provide a high level overview of the necessary Identity Context configurations. However, detailed information can be found in documentation accompanying individual products. ■ Configuring Oracle Fusion Middleware ■ Configuring Access Manager ■ Configuring Oracle Adaptive Access Manager ■ Configuring Web Service Security Manager ■ Configuring Oracle Entitlements Server ■ Configuring Oracle Enterprise Single Sign On ■ Configuring Oracle Access Management Mobile and Social 55.5.1 Configuring Oracle Fusion Middleware The application to be protected must be deployed in a WebLogic Server domain built on Oracle Fusion Middleware 11.1.1 patch set 5 (PS5) with the Oracle Platform Security Services (OPSS) Opatch for PS5 or, Oracle Fusion Middleware PS6 or later. The WebLogic Server domain in which the application is running must be protected by the Access Manager Identity Asserter component that will validate the Identity Using Identity Context 55-11 Configuring the Identity Context Service Components Assertion received from Access Manager and start the process of creating the Identity Context Runtime. The Access Manager Identity Asserter must be configured to detect the token type, OAM_IDENTITY_ASSERTION. Also, the protected application working with the Identity Context Runtime directly must be granted source code grants to work with the OPSS Attribute Service (as in Example 55–2). See Also: Oracle Fusion Middleware Application Security Guide for more information on configuring Access Manager Identity Asserter, as well a source code grants. 55.5.2 Configuring Access Manager As the main publisher and propagator of Identity Context, OAM serves as the central configuration point for collecting Identity Context data from its participating components. The following sections describe key elements of the architecture behind Identity Context management. ■ Configuring Identity Assertion ■ Configuring Federation Attributes ■ Configuring Session Attributes ■ Configuring Identity Store Attributes 55.5.2.1 Configuring Identity Assertion Oracle recommends that you define Asserted Attributes in Access Manager Authorization policies for proper enforcement of end-to-end security between the Web and application tiers. In addition to ensuring trust between the WebGate protecting a Web resource and the Application Server container, Identity Assertion (a SAML Session token) is used to publish the Identity Context data as SAML attributes. Identity Assertion must be enabled and populated with Asserted Attributes as required by the business logic expecting specific attributes in the Identity Context. It is configured within the OAM Policy Responses tab and can be defined for both Authentication and Authorization policies. See Also: Access Manager Identity Assertion and Asserted Attributes (Table 25–25). 55.5.2.2 Configuring Federation Attributes Once a resource is protected by the Access Manager authentication scheme FederationScheme, Access Manager will act as the service provider and receive the SAML assertion as provided by the federation partner. After the federation single sign on (SSO) operation, the following attributes will be present in the authenticated identity's Access Manager session: ■ $session.attr.fed.partner (contains the partner name) ■ $session.attr.fed.nameidvalue (contains the SAML NameID Value) ■ $session.attr.fed.nameidformat (contains the SAML NameID Format) ■ one $session.attr.fed.attr.name entry per SAML Attribute (contained in the SAML Assertion received from the partner) These federation attributes can be used in configuring an Identity Assertion by selecting oracle:idm:claims:fed:attributes as the Asserted Attribute, and 55-12 Administrator's Guide for Oracle Access Management Configuring the Identity Context Service Components setting the value to "attr-name=$session.attr.fed.attr.name" where attr-name is the name given to the Identity Context attribute and name is the name of the SAML attribute in the partner's SAML assertion. For example, defining oracle:idm:claims:fed:attributes with the value of partner-role=$session.attr.fed.attr.role will result in the creation of the Identity Context attribute oracle:idm:claims:fed:attributes:partner-role having a value of "manager" (assuming $session.attr.fed.attr.role contains "manager" as specified in the partner's SAML assertion for the SAML attribute "role"). 55.5.2.3 Configuring Session Attributes Access Manager session attributes can be used in configuring Identity Assertion by selecting oracle:idm:claims:session:attributes as the Asserted Attribute and setting the value to "attr-name=$session.attr.name" where attr-name is the name given to Identity Context attribute and name is the name of the Access Manager session attribute. For example, defining oracle:idm:claims:session:attributes with the value of authn-strength=$session.attr.authnlevel will result in the creation of the Identity Context attribute oracle:idm:claims:session:attributes:authn-strength having a value as defined by the authentication scheme used during the login process. 55.5.2.4 Configuring Identity Store Attributes Identity Store attributes can be used to configure an Access Manager Identity Assertion by selecting oracle:idm:claims:ids:attributes as the Asserted Attribute and setting the value to "attr-name=$user.attr.name" where attr-name is the name given to the Identity Context attribute and name is the name of the Identity Store attribute. For example, defining oracle:idm:claims:ids:attributes with the value of first-name=$user.attr.fname will result in the creation of the Identity Context attribute oracle:idm:claims:ids:attributes:first-name having a value from the user's fname attribute as maintained in the identity store. 55.5.3 Configuring Oracle Adaptive Access Manager As part of the integration between Oracle Access Manager and Oracle Adaptive Access Manager (OAAM), OAAM publishes and propagates risk-based Identity Context attributes. In this case, OAAM attributes are passed to OAM at the end of user authentication flow (on the OAAM side) in a DAP Token. The DAP Token will carry attributes as defined by the oracle:idm:claims:risk namespace in Table 55–1, " Identity Context Schema Attributes". OAM then pushes these attributes into the $session.risk.attr namespace. The following sections contain information regarding configuration of OAAM and OAM. ■ Setting Up Oracle Adaptive Access Manager ■ Configuring Access Manager for OAAM Integration ■ Validating Identity Context Data Published by OAAM 55.5.3.1 Setting Up Oracle Adaptive Access Manager This section contains information on installing and setting up OAAM. Using Identity Context 55-13 Configuring the Identity Context Service Components To setup Oracle Adaptive Access Manager 1. Set up OAAM by importing snapshots. See Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager for details. 2. Integrate OAAM and Access Manager as documented in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager. The TAP token version must be v2.1 and not v2.0. 3. Ensure that the following properties are set to true. ■ ■ oracle.oaam.idcontext.enabled is true by default; use the OAAM Administration Console to change the value. bharosa.uio.default.registerdevice.enabled must be true for proper operation of the 'safeforuser' claim. 4. From the OAAM Administration Console, go to Properties, Create New Property. 5. Enter the property name oaam.uio.oam.dap_token.version with a value equal to v2.1. 6. Restart oaam_server_server1. 55.5.3.2 Configuring Access Manager for OAAM Integration Perform the following steps. Using the TAPScheme forces the user to authenticate using the OAAM authentication schemes. Note: Do not use OAAM Advanced or OAAM Basic. To configure Access Manager for Integration with OAAM Integration 1. Protect a resource (Defining Authentication Policies for Specific Resources on page 25-31) using the TAPScheme for authentication (Table 22–21). 2. Add the following challenge parameter to the TAPScheme (Table 22–22): TAPOverrideResource=http://IAMSuiteAgent:80/oamTAPAuthenticate 55.5.3.3 Validating Identity Context Data Published by OAAM The following information describes how you might validate Identity Context data published by OAAM. ■ ■ ■ ■ oracle:idm:claims:risk:newdevice will be true after a login from a new device; false otherwise. oracle:idm:claims:risk:level will have a high value after a couple of unsuccessful logins followed by a successful login. To test for this, try a few unsuccessful logins and then a successful one. oracle:idm:claims:risk:safeforuser will have true after a user successfully answers the challenge question. oracle:idm:claims:risk:fingerprint contains the user's device's fingerprint. By default, the fingerprint built out of HTTP header data is used; if that is not available, fingerprint data built out of Flash will be used. To test for different fingerprints, try different devices. 55-14 Administrator's Guide for Oracle Access Management Configuring the Identity Context Service Components 55.5.4 Configuring Web Service Security Manager Do the following to enable Oracle Web Service Security Manager (OWSSM) to propagate Identity Context. To configure Web Service Security Manager for Identity Context 1. Configure Security Policy by modifying the Identity Context supported OWSSM security policies to contain the propagate.identity.context element with a value of true. Note: propagate.identity.context (by default, false) is a configuration override property on SAML related policies. To enable it globally, configure a global policy with the property set to true. 2. Configure the Keystore and Credential Store to sign the SAML assertion and messages: copy the updated Keystore and Credential Store to your $DOMAIN_ HOME/config/fmwconfig/ directory. 55.5.5 Configuring Oracle Entitlements Server Runtime integration with Oracle Entitlements Server (OES) is fully automated. When an application invokes the PEP API to make an authorization call, the PEP API automatically propagates the entire Identity Context Runtime to the OES PDP where Conditions (the policy objects that define the Identity Context) are evaluated. When making authorization calls, ensure that the last argument passed into the newPepRequest() method is not null, and is at least an empty hashmap as shown in this example: Note: PepRequestFactory requestFactory = PepRequestFactoryImpl.getPepRequestFactory(); PepRequest request = requestFactory.newPepRequest (subject, action, resource, new HashMap()); PepResponse response = request.decide(); boolean isAuthorized = response.allowed(); Conditions are built, based on the Identity Context schema, by a security Administrator using the OES Administration Console. The following built-in functions are used to specify Conditions using Identity Context attributes: ■ ASSERT_IDENTITY_CONTEXT ■ GET_STRING_IDENTITY_CONTEXT ■ GET_INTEGER_IDENTITY_CONTEXT ■ GET_BOOLEAN_IDENTITY_CONTEXT Custom OES functions receive the full Identity Context Runtime information as a well-known request attribute. This data structure can be converted into Identity Context Runtime using the Identity Context API. Example 55–4 shows a custom OES function creating a context from the received parameter. Example 55–4 Custom Function Creating Identity Context public OpssString GET_STRING_IDENTITY_CONTEXT_V2 ( Using Identity Context 55-15 Configuring the Identity Context Service Components RequestHandle requestHandle, Object[] args, Subject subject, Map roles, Resource resource, ContextHandler contextHandler) throws RuntimeException { // Obtain string representation of the runtime ID Context from the request handle. Context runtimeCtx = null; try { AttributeElement ctxAttr = requestHandle.getAttribute (Constants.IDM_IDC_API_ID, false); if (ctxAttr != null) { String ctxStr = (String) ctxAttr.getValue(); runtimeCtx = new Context(ctxStr); } else { throw new RuntimeException ("Unable to acquire ID Context from request handle"); } } catch (Exception e) { throw new RuntimeException (e.toString()); } … // start using Context which now contains the same exact Identity Context Runtime as was present in the application that made the PEP API call … } 55.5.6 Configuring Oracle Enterprise Single Sign On As part of the Identity Context Service, Oracle Enterprise Single Sign-on (OESSO) can publish and propagate client-based Identity Context attributes. Once full integration has been configured, client-specific Identity Context attributes (as documented in Section 55.3.1, "Using the Identity Context Dictionary") will be sent by OESSO to OAM in the session initiation request together with the user credentials submitted in the access request. After the request has been received, OESSO makes a call to an SSL-protected OAM REST API (previously configured by the OESSO Administrator and included as part of the OESSO client distribution). This API returns the OAM_ID cookie to OESSO. OESSO then propagates the valid OAM_ID cookie to the client browsers (Internet Explorer and Firefox) which enables OESSO resources to be protected and enables single sign-on (SSO) with those resources that are protected by the OAM Embedded Credential Collector. (This does not include resources that are protected by the Distributed Credential Collector.) OESSO then provides OAM credentials that are acceptable to the OAM Embedded Credential Collector as well as client context information in the payload. Note: The payload is secured by: ■ Generating a 16 byte Random Salt ■ Generating a SHA-256 Hash using the 16 Byte Random Salt ■ Encrypting the claims using the OAM password protected by OESSO 55-16 Administrator's Guide for Oracle Access Management Configuring the Identity Context Service Components To configure OESSO to get attributes for Identity Context 1. Refer to "Installing Logon Manager Client-Side Software" in the Oracle Enterprise Single Sign-On Suite Plus Installation Guide for details on integrating OAM and OESSO. 2. See additional details in the Oracle Enterprise Single Sign-On Suite Plus Administrator's Guide section "Oracle Access Management Support in Logon Manager". 55.5.7 Configuring Oracle Access Management Mobile and Social Oracle Access Management Mobile and Social (Mobile and Social) provides REST-based authentication services, in addition to a user profile service and an authorization service, for mobile and desktop devices. When Mobile and Social is configured to provide authentication using Access Manager, it can publish Identity Context attributes provided by the mobile client to Access Manager. The Identity Context attributes are published by the Mobile and Social SDK for iOS and Java platforms. Mobile applications use the Mobile and Social SDK to access and use services provided by the Mobile and Social server. When a mobile application uses the iOS or Android API to perform authentication, it captures the Identity Context attributes and publishes the data to the Mobile and Social server which, in turn, publishes the attributes to the Access Manager server. The Administrator can configure the Mobile and Social server to get all the attributes or only the required ones. The Administrator configures the Identity Context attributes to be sent by the application in the Application Profile configuration page of the Mobile and Social accordion under the System Configuration tab in the Access Manager Administration Console. The Mobile and Social server passes the required Identity Context attributes to the Mobile and Social SDK when it contacts the server for the application profile. (An application profile has information regarding the type of authentication to be performed as well as the Identity Context attributes to be collected.) The SDK collects the attributes, if allowed by the user or the platform, and publishes them to the Mobile and Social server as part of the authentication request. Some mobile platforms (iOS, for example) forbid applications from collecting certain device attributes (for example, the UDID or IMEI device number). The user can also deny an application from getting a location update. Thus, even if the server requests attributes, it is not guaranteed that all of them can be collected by the SDK. Note: To configure the Mobile and Social server to publish the attributes collected from the Mobile and Social SDK to the user session created on and maintained by the OAM Server, the administrator must configure Mobile and Social server to enable ID Context, as illustrated in Figure 55–4. Using Identity Context 55-17 Validating Identity Context Figure 55–4 OAM Authentication Provider Configuration To configure Mobile and Social to get attributes for Identity Context 1. Confirm that the Mobile and Social Service is enabled as described in "Enabling or Disabling Available Services" on page 3-3. 2. On the MobileOAMAuthentication Service Provider page, add the IDContextEnabled Attribute with the value of true. See Also: ■ ■ Chapter 49, "Configuring Mobile and Social Services" for full configuration details Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details on how to develop applications using the iOS SDK 55.6 Validating Identity Context Use the following procedure to ensure correct operation of the Identity Context with Access Manager. 55-18 Administrator's Guide for Oracle Access Management Validating Identity Context To validate your Identity Context operations 1. Perform the following to validate the Identity Assertion response that Access Manager is constructing. 2. a. Configure Access Manager to protect the /testidc resource with a WebGate agent and return the Identity Assertion with the desired Asserted Attributes as part of the Authorization response. b. Use the OAM Tester to validate that the Identity Assertion is returned as an OAM_IDENTITY_ASSERTION attribute in response to the authorization request for /testidc. Perform the following to validate that WebGate is creating an HTTP header that contains the Identity Assertion. a. Ensure the /cgi-bin/printenv.pl script is protected by the same policy that protects the /testidc resource. printenv.pl ships as part of OHS and must have permission to execute. Any script to display header information can be used instead. Note: b. Access the printenv.pl to trigger a login and display the HTTP headers. c. Ensure that the HTTP_OAM_IDENTITY_ASSERTION header contains a SAML token with Asserted Attributes. Using Identity Context 55-19 Validating Identity Context 55-20 Administrator's Guide for Oracle Access Management Part XV Part XV Integrating Access Manager with Other Products Part XI describes how to integrate Access Manager with products from other vendors. Part XI contains the following chapters: ■ Chapter 56, "Integrating RSA SecurID Authentication with Access Manager" ■ Chapter 57, "Configuring Access Manager for Windows Native Authentication" ■ Chapter 58, "Integrating JBoss with Access Manager" ■ Chapter 59, "Integrating Microsoft SharePoint Server with Access Manager" ■ Chapter 60, "Integrating Access Manager with Outlook Web Application" ■ ■ ■ Chapter 61, "Integrating Microsoft Forefront Threat Management Gateway 2010 with Access Manager" Chapter 62, "Integrating Access Manager with SAP NetWeaver Enterprise Portal" Chapter 63, "Integrating Oracle Access Manager with SAP NetWeaver Enterprise Portal Using OpenSSO Policy Agent 2.2" 56 Integrating RSA SecurID Authentication with Access Manager 56 [37Oracle ] provides components that interface with RSA Security products to provide native RSA SecurID® authentication for Access Manager protected resources. This chapter introduces SecurID authentication and the components, requirements, and processes needed to successfully integrate SecurID authentication with Access Manager 11.1.2. The following topics are included: ■ Introduction to Access Manager and RSA SecurID Authentication ■ Components Required for SecurID Authentication ■ SecurID Authentication Modes ■ Configuring Access Manager for RSA SecurID Authentication ■ Running a Custom RSA Plug-in 56.1 Introduction to Access Manager and RSA SecurID Authentication Access Manager 11.1.2 integrates with RSA components to provide SecurID authentication. RSA SecurID authentication is based on two factors: something the user knows and something the user has: ■ ■ Something the User Knows: This is a secret personal identification number (PIN), similar in concept to a personal bank code PIN. In this case, the PIN may be system generated or personally chosen and registered with the RSA Authentication Manager. Something the User Has: This is the current code generated by a hand held device known as a token. Oracle Access Manager supports all RSA SecurID token form factors, both hardware and software-based. These tokens algorithmically, based on an internal clock or event, generate tokencodes with unpredictable values. Together, the user's PIN and the SecurID tokencode become the user's Passcode. Access Manager uses and supports RSA two-factor SecurID authentication security features and enables integration with SecurID authentication by providing: ■ ■ The HTML forms required for SecurID authentication operations The RSA SecurID Plugin you can use with the User Identification Plugin to create and orchestrate authentication Access Manager integrates with RSA Authentication Manager and provides the integration features described in Table 56–1. Integrating RSA SecurID Authentication with Access Manager 56-1 Introduction to Access Manager and RSA SecurID Authentication Table 56–1 Access Manager Support for RSA Features RSA Feature Access Manager Support Authentication method Native SecurID authentication New PIN Mode (user-generated PINs) Asks for new PIN with confirmation. The token may be in New PIN mode the first time the user logs in or the Authentication Manager Administrator can enable New PIN mode. New PIN mode requires the user to complete a sequence of forms to define, or have the system generate, a new PIN number. Oracle-Provided New PIN Forms and Functions: ■ System Generated PIN (not supported) ■ User Defined (4-8 Alpha/numeric characters) ■ User Defined (5-7 Numeric) ■ Deny 4 and 8 Digit PIN ■ Deny Alphanumeric PIN ■ Deny Numeric PIN ■ PIN Reuse See Also: "SecurID New PIN Authentication" on page 56-6. Next Tokencode During authentication, the Authentication Manager may direct the user to provide the next tokencode that appears on their SecurID token to prove that they have the assigned token. This operation is known as Next Tokencode mode, which can be triggered by one of the following situations: See Also: "SecurID Next Tokencode Authentication". on page 56-6. Passcode ■ 16 Digit Passcode ■ 4 Digit Fixed Passcode Load Balancing RSA Authentication Manager Replicas. Secondary server support Yes SecurID user specification Designated users SecurID protection of Administrators Yes Access Manager features and functions All Access Manager does not support the RSA features in Table 56–2. Table 56–2 RSA Features Not Supported RSA Feature Not supported by Access Manager RSA Authentication Manager 7.1 SP2 Is not supported in an Active Directory Forest multi-domain environment Multiple ACE Realms The RSA Authentication API uses an automatic response time load balancing algorithm to determine where to send an authentication request. Such requests go to either a primary RSA Authentication Manager or a replica. The automatic algorithm can be overridden by creating a manual load balancing configuration file, sdopts.rec. However manually weighting an RSA Authentication Manager as a server of last resort does not preclude the Agent from communicating with it. As such, a true failover setup cannot be achieved with this method. For more information, see your RSA Authentication Manager documentation System Generated PINs Not supported by Access Manager. Failover Not supported for OAM SecurID Servers because only one OAM SecurID Server can perform SecurID authentication. 56-2 Administrator's Guide for Oracle Access Management Components Required for SecurID Authentication 56.2 Components Required for SecurID Authentication The following components are needed for the integration: ■ Supported Versions and Platforms ■ Required RSA Components ■ Installation and Configuration Requirements 56.2.1 Supported Versions and Platforms For the latest support information, see the Oracle Technology Network (OTN). You must register with OTN to view this information. The certification matrix provides platform and version support for this integration, which includes RSA Authentication Manager v7.x and the SecurID Authentication API: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-10 0350.html 56.2.2 Required RSA Components The following RSA components are required for integrating Access Manager and SecurID Authentication. ■ RSA Authentication Manager ■ RSA SecurID Tokens 56.2.2.1 RSA Authentication Manager Residing somewhere in your network are records of users, agents, tokens, and user's PINs. Portions of these records might reside in the Authentication Manager or in LDAP directories. During authentication, Authentication Manager compares these records to the information it receives when a user attempts to access the network. If the records and tokencode or passcode match, the user is granted access. 56.2.2.2 RSA SecurID Tokens An RSA SecurID token is either a hardware device or software-based security token that generates and displays a random number that enables users to securely access protected resources. The random number is called a tokencode. Before a user can authenticate with a token, the token must be recognized by Authentication Manager. RSA, or your vendor, ships a token seed file that you must import into the data store. Seeds listed in this file are assigned to tokens for generating the tokencode when an authentication request is received from an Authentication Manager agent. During the SecurID authentication process, users must submit their username and passcode using an HTML form. The RSA Authentication Manager authenticates the identity of each user through a server that is registered with the Authentication Manager as a client (RSA Authentication Agent). One Access Server (known as the Oracle SecurID Access Server to distinguish it from other Access Servers) must be registered and set up as a client/Agent. The RSA Authentication Manager compares the tokencode it has generated with the tokencode the user has entered. Tokencodes change at a specified interval, typically 60 seconds. Time synchronization ensures that the tokencode displayed on a user's token is the same code the Authentication Manager software has generated for that moment. Integrating RSA SecurID Authentication with Access Manager 56-3 Components Required for SecurID Authentication Authentication is successful when the tokencodes match. Two-factor authentication provides stronger legal evidence of who performed the task. When properly configured, the Authentication Manager tracks all login requests and operations to reliably identify the user who is responsible for each logged action. 56.2.3 Installation and Configuration Requirements SecurID requires affinity between the OAM Server and the RSA Authentication Manager for a user interaction. Therefore, the authentication dialog between the user and OAM Server must be sticky (this constraint is a security feature of SecurID authentication). In a cluster environment, if a load balancer is used to route requests to multiple managed server, ensure that stickiness is set between the load balancer and OAM Server. The SecurID Authentication API is bundled with Access Manager and installed on all OAM Servers. The SecurID Authentication API provides the connection functionality that eliminates the need for an Authentication Agent to be installed on the OAM Server. In other words, the API is the agent. Every OAM Server must be registered as an RSA Authentication Agent host on the Authentication Manager along with other requirements in Table 56–3. Table 56–3 Installation and Configuration Guidelines Only one designated OAM SecurID Server can complete SecurID authentication. However, every OAM Server must be registered as an RSA Authentication Agent Host on the Authentication Manager. Enable the OAM SecurID Server to be recognized as an Authentication Manager client. Port 5500 (UDP) should be available for the Authentication Manager to communicate with authentication agents (OAM SecurId Server). This service receives authentication requests from Oracle SecurId Server and sends replies. For more details refer to your RSA Authentication Manager documentation. Manage authentication requests from the client to the Authentication Manager. Enforce two-factor authentication and block unauthorized access. Provide automatic load balancing by detecting replica Authentication Manager response times and routing authentication requests accordingly. Ensure that the system time on the client is correct to prevent the server and client from being out of sync. Failover is not supported for Access Manager. The SecurID Authentication Manager must be installed on a supported platform. The system time must be correct to prevent the server and client from being out of sync. The SecurID tokens or key fobs must be provisioned with the Authentication Manager by providing it with the token seed records Each user name must be mappable through an LDAP filter to a Distinguished Name in the directory An Authentication Manager slave and/or replicated Authentication Manager can provide failover if the primary Authentication Manager is down 56-4 Administrator's Guide for Oracle Access Management SecurID Authentication Modes Table 56–3 (Cont.) Installation and Configuration Guidelines This integration requires a custom HTML login form and a properties file. Sample Oracle-provided custom html and custom html properties files can be found in: $ORACLE_HOME/oam/server/tools/customLoginHtml See Also: ■ ■ Developing Custom Login Pages in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management "Configuring Access Manager for RSA SecurID Authentication" on page 56-6 56.3 SecurID Authentication Modes The following scenarios illustrate the three modes of operation: ■ Standard SecurID Authentication ■ SecurID Next Tokencode Authentication ■ SecurID New PIN Authentication 56.3.1 Standard SecurID Authentication When a user attempts to access a resource protected by the SecurID authentication scheme, the following process occurs. For information on Credential Collectors, see Chapter 23, "Understanding Credential Collection and Login." Process overview: When the user requests a resource 1. The WebGate intercepts the resource request and queries the Access Server to determine if and how the resource is protected, and if the user is authenticated. 2. The OAM SecurId Server queries the directory for the authentication scheme, and receives authentication information from the directory. 3. The WebGate redirects to the Credential Collector, which presents a form challenging the user for a two-part SecurID Passcode. 4. The user submits credentials to the Credential Collector 5. The Credential Collector hands off the credentials to the OAM SecurId Server 6. The SecurID Authentication API on the OAM SecurId Server performs the authentication dialog and sends an LDAP bind to the Authentication Manager. 7. The Authentication Manager database matches the SecurID passcode to the user ID and returns a success response to the Authentication Manager, which matches the user's PIN. 8. The Authentication Manager returns the response to its Agent, the OAM SecurId Server. 9. When the user's credentials are valid, SecurID authentication is successful. The OAM SecurId Server creates a session for the user and redirects the user to the Webgate, which then queries the OAM SecurId Server for resource authorization: ■ ■ Under certain conditions a New Tokencode mode is initiated, as described in "Standard SecurID Authentication". Under certain conditions a New Pin mode is initiated, as described in "SecurID Next Tokencode Authentication". Integrating RSA SecurID Authentication with Access Manager 56-5 Configuring Access Manager for RSA SecurID Authentication 10. The OAM SecurId Server evaluates the authorization request, which allows or denies access based upon the authorization rule. 11. When access is granted, the OAM SecurId Server passes authorization to the WebGate, which presents the resource to the user. 56.3.2 SecurID Next Tokencode Authentication When Next Tokencode mode is On, the user must supply the next tokencode on their SecurID token. This mode can be triggered when: ■ ■ An incorrect Passcode was provided repeatedly during login. When a user attempts authentication with incorrect passcodes four consecutive times, the Authentication Manager turns on Next Tokencode mode, as noted in the Authentication Manager's Activity Report. The next time the user successfully authenticates with their correct Passcode, they are challenged for the next tokencode that appears on their SecurID token. The Authentication Manager requires confirmation of, or synchronization with the token. Even with a correct Passcode, the Authentication Manager Administrator might set the Next Tokencode mode On to force the user to confirm that they have the SecurID token or to synchronize the token with the Authentication Manager. When Next Tokencode mode is On, the Next Tokencode challenge form is presented to the user immediately following a successful login. Process overview: When Next Tokencode is On The Credential Collector presents a form to challenge the user for the next tokencode on the token following a successful login. 1. 2. The user enters a username, waits 60 seconds, then enters the next tokencode on the SecurID token. 3. When the tokencode is correct, the Passcode the user originally entered is accepted and the user is authenticated. 56.3.3 SecurID New PIN Authentication When the user is required to have a new PIN, the Credential Collector prompts the user with specific forms. Process overview: When New PIN is required 1. The Credential Collector presents a form that allows the user to enter the PIN they want. 2. The user enters the new PIN and then re-enters the new PIN to complete the form. 3. The OAM SecurID Server forwards the information to the Authentication Manager. 4. The Authentication Manager registers the new PIN, which becomes part of the Pincode the user must supply during subsequent logins. 5. The Login Form appears again where the user enters the username and Passcode for a forced re-authentication. 56.4 Configuring Access Manager for RSA SecurID Authentication Users with valid Oracle Access Management Administrator credentials can follow the steps in this section to enable RSA SecurID authentication. 56-6 Administrator's Guide for Oracle Access Management Configuring Access Manager for RSA SecurID Authentication Prerequisites See Table 56–3 for installation and configuration that is outside the scope of this manual) and which must be completed before you begin SecurID integration with Access Manager. See Also: ■ Developing Custom Login Pages in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management To set up SecurID Authentication with Access Manager 1. In your oam-config.xml, set the OAM SecurID Sever serverRequestCacheType parameter to BASIC, as follows: a. Stop all WebLogic servers (OAM Servers and AdminServer). b. Locate oam-config.xml in the following path: $DOMAIN_HOME/config/fmwconfig/oam-config.xml c. Change the serverRequestCacheType from COOKIE (default) to BASIC, as follows: BASIC d. 2. Start all WebLogic Servers (OAM Servers and AdminServer). Register a Web agent from the RSA Console that will be used by Access Manager, then copy the agent configuration file (sdconf.rec) as follows: $DOMAIN_HOME/config/fmwconfig/servers/$SERVER_NAME/oam/sdconf.rec 3. Using the Oracle Access Management Console, create a custom authentication module for RSA, as follows: See Also: "Orchestrating Multi-Step Authentication with Plug-in Based Modules" on page 22-29 a. Click Application Security at the top of the window. b. Select Create Custom Authentication Module from the Create (+) drop-down menu in the Plug-ins section. c. Select the General tab and enter the following: Name: RSA_AUTH d. Select the Steps tab and enter a name for the Step, then choose the RSA SecurID Plugin Step Name: stepRSA Plugin Name: RSA SecurID Plugin OK e. In the stepRSA, Step Details tab, enter and Save the Step Details shown in the next screen, which should also appear in your customhtml.properties file: Integrating RSA SecurID Authentication with Access Manager 56-7 Configuring Access Manager for RSA SecurID Authentication f. Steps tab: Add the User Identification Plugin: Enter a name for the Step, then choose the RSA SecurID Plugin: Step Name: rsa_useridentification Plugin Name: UserIdentificationPlugin OK g. rsa_useridentification, Step Details: Enter and Save the following details for your environment: KEY_LDAP_FILTER: (uid={KEY_USERNAME}) KEY_IDENTITY_STORE_REF: The registered Default Store. KEY_SEARCH_BASE_URL: dc=us,dc=example,dc=com 4. Orchestrate the steps as follows: stepRSA should be first (to authenticate the user with the RSA Server); designate your User Identification Plugin for the success step. Initial Step: stepRSA Name: StepRSA On Success: rsa_useridentification On Failure: failure On Error: failure Apply Name: rsa_useridentification On Success: Success On Failure: failure On Error: failure Apply Note: 5. The On Failure and On Error fields must both be set to failure. Create a new authentication scheme (RSACredScheme, for example) that uses the custom authentication module that you just created for RSA with a custom HTML login form. Sample values are shown in the following screen: 56-8 Administrator's Guide for Oracle Access Management Configuring Access Manager for RSA SecurID Authentication Note: The authentication scheme's Context Value specifies the path to your custom HTML login form. Your custom HTML properties file must share the same name as the form (with a .properties extension) in the same directory path. This example uses customhtml.html and customhtml.properties. Challenge parameters specify the initial RSA command for authentication (RSA_USER_PASSCODE). The is_rsa=true parameter and value must be specified for RSA. 6. Use this scheme in the Application Domain protecting resources requiring SecurID authentication. 7. Ensure that your custom HTML file is present in: $DOMAIN_HOME/config/fmwconfig/customhtml.html The Custom HTML for RSA Login Form requires form action set to /oam/server/auth_cred_submit, as follows:
div class="button-row">
8. Ensure that your customHTML.properties file is: ■ Named as your custom HTML file with a .properties extension ■ Stored in the same path as your custom HTML file Integrating RSA SecurID Authentication with Access Manager 56-9 Running a Custom RSA Plug-in ■ Confirmed; settings match the RSA SecurID plugin configuration parameters. For example: username=Username password=Password passcode=Mother's maiden name rsa_new_pin=RSA New Pin rsa_new_pin_confirm=RSA Confirm New Pin Pin=RSA Pin rsa_sysgen_pin=RSA Create New Pin rsa_sysgen_pin_confirm=RSA System Generated Pin error1=Username not specified 9. Restart OAM Servers. 10. Test your configuration by accessing the appropriate protected resource and validating the various modes. 11. See "RSA SecurID Issues and Logs" on page E-24 for details if you experience problems. 56.5 Running a Custom RSA Plug-in These steps should be followed to run a custom RSA plug-in, located in /oam/custom_plugins/rsa/RSAPlugin.jar. 1. Download the RSA dependent libraries named authapi.jar and cryptoj.jar. 2. Add the authapi.jar and cryptoj.jar libraries to /config/fmwconfig/oam/plugin-lib. 3. Get the custom RSAPlugin.jar file from its directory and import the plugin to add it to the list of custom plugins. 4. Once successfully imported, distribute and activate the plug-in. Activation will fail the first time. When it does, restart the server and activate again. After activation, use the plugin to specify the necessary orchestration steps. 56-10 Administrator's Guide for Oracle Access Management 57 Configuring Access Manager for Windows Native Authentication 57 [38Access ] Manager enables Microsoft Internet Explorer users to automatically authenticate to their Web-based single sign-on applications using their desktop credentials. This is known as Windows Native Authentication (WNA) This chapter contains the following sections to describe how to prepare your environment and perform this integration using Active Directory: ■ Introducing Access Manager with Windows Native Authentication ■ Preparing Your Active Directory/Kerberos Topology ■ Confirming Access Manager Operations ■ Enabling the Browser to Return Kerberos Tokens ■ Integrating KerberosPlugin with Oracle Virtual Directory ■ Integrating the KerberosPlugin with Search Failover ■ Configuring Access Manager for Windows Native Authentication ■ Validating WNA with Access Manager Protected Resources ■ Configuring WNA For Use With DCC ■ Troubleshooting WNA Configuration 57.1 Introducing Access Manager with Windows Native Authentication Access Manager supports Active Directory Multi-Domain and Multi-Forest topology integration with Windows Native Authentication (WNA). The Active Directory directory service uses a data store (known as the directory) for all information about objects (users, groups, computers, domains, organizational units, and security policies). See Also: The System Requirements and Supported Platforms for Oracle Identity and Access Management 11gR1 at https://www.oracle.com/technetwork/middleware/ias/downloads/ fusion-certification-100350.html For the integration described in this chapter, an application must be protected by an Access Manager authentication policy that uses the Kerberos authentication scheme (KerberosScheme) with WNA as the Challenge Method with the KerberosPlugin Authentication Module. In this case, credentials must be stored in a Windows Active Directory instance that is registered as a user-identify store with Access Manager. Configuring Access Manager for Windows Native Authentication 57-1 Introducing Access Manager with Windows Native Authentication Put another way, each protected resource is defined in an Application Domain. The Authentication Policy includes the Authentication Scheme (KerberosScheme) that uses an Authentication Module (Kerberos) that is tied to the default User Identity Store. The store uses the value of "User Name Attribute" for authentication. This value is tied to the user in Active Directory and its values for userprincipalname = username@domian or SamAccountName = username, depending on the specific Access Manager release. When Access Manager single sign-on is combined with WNA, a Kerberos session ticket is generated that contains the user's login credentials (among other things). This Kerberos session ticket is not visible to the user. Access Manager interoperates with WNA, which uses Kerberos credentials obtained when the user logs in to a Windows Domain. This cross-platform authentication is achieved by emulating the negotiate behavior of native Windows-to-Windows authentication services that use the Kerberos protocol. For this cross-platform authentication to work, OAM Servers must parse SPNEGO tokens to extract the Kerberos tokens that are then used for authentication. ■ ■ SPNEGO is a Generic Security Services Application Programming Interface (GSSAPI) "pseudo mechanism" used to negotiate one of a number of possible real mechanisms. SPNEGO is largely employed in the Microsoft "HTTP Negotiate" authentication extension which uses it to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP mechanisms. GSSAPI implementation is included with most major Kerberos distributions. For more information on SPNEGO see http://tools.ietf.org/html/rfc4559. Kerberos is a network authentication protocol that provides strong authentication for client/server applications and services using a secret-key cryptography. A free implementation of Kerberos protocol is available from the Massachusetts Institute of Technology and is also commercially available. For more information, see: ■ Understanding Access Manager WNA Login and Fall Back Authentication ■ Understanding Supported Kerberos Authentication Modules 57.1.1 Understanding Access Manager WNA Login and Fall Back Authentication With WNA implemented, a user can open a Web application without another challenge for credentials because the Kerberos session ticket is passed through the browser to the OAM Server. The OAM Server decrypts the received token (using keytab) and derives the authenticated user name from it. If authentication succeeds the user is granted access to the Web application automatically. See Also: Supported browsers in the System Requirements and Supported Platforms for Oracle Identity and Access Management 11gR1 at https://www.oracle.com/technetwork/middleware/ias/downloads/ fusion-certification-100350.html The following sections describe an overview of the process of two WNA login scenarios. ■ Successful Access Manager WNA Authentication ■ Access Manager WNA Fallback Authentication 57-2 Administrator's Guide for Oracle Access Management Introducing Access Manager with Windows Native Authentication 57.1.1.1 Successful Access Manager WNA Authentication 1. The Browser is configured for Integrated Windows Authentication (IWA). This is a browser security configuration. If the browser being used is not configured to use IWA, no TGT is supplied when a resource protected by the Kerberos authentication module is requested. A browser basic authentication window is displayed where you can enter a valid username/password combination defined in the Default Identity Store for User login attribute. 2. A resource protected by Access Manager and WNA is called. The protected resource should be configured as an intranet resource. This is done by adding the site in the "Local Intranet" zone of the Browser configuration. 3. A valid Kerberos ticket is present - Http headers... Authorization: Negotiate YIIJ/... 4. The user is not challenged for authentication. 5. The requested resource is displayed, proving that WNA works. In other words, when the browser is configured to use Integrated Windows Authentication, and a resource is protected by the Kerberos authentication module, then: ■ ■ If a Kerberos ticket is received by Access Manager (regardless of the domain), authentication is attempted: – Successful: Access is granted. – Failure: An incorrect user name or password error occurs if information from the Kerberos ticket is either not present or does not match the value of the User Name Attribute defined in the Default User Identity Store. Access is denied. The browser automatically submits the ticket, and the interaction with Access Manager is repeated until the user has been locked out. The browser cannot be made to pause before the start of each exchange. If the user is not logged on to a Windows Domain by way of Kerberos authentication, the browser sends OAM an NTLM token for authentication instead of a Kerberos token. Depending on how Access Manager is configured, it either uses WNA Fallback Authentication upon receiving an NTLM token or authentication fails. You need to configure Access Manager to provide fallback authentication when the browser sends an NTLM token. Without configuration, authentication fails. For configuration steps, see Section 57.7.3, "Configuring WNA for NTLM Fallback." Note: NTLMSSP is a security support provider that is available on all versions of the Distributed Component Object Model (DCOM). It uses the NTLM protocol for authentication, which does not actually transmit the user's password to the server during authentication. Note: If a Kerberos ticket cannot be identified by Access Manager (regardless of browser, Operating System, domain-login, and so on), the fallback mechanism is invoked. Configuring Access Manager for Windows Native Authentication 57-3 Introducing Access Manager with Windows Native Authentication 57.1.1.2 Access Manager WNA Fallback Authentication Fallback uses the authentication scheme "BasicScheme" with a challenge method of "Basic" and authentication module "LDAP". This LDAP Authentication Module uses the LDAP plug-in. In this plug-in, the User Identity Store can be defined as any currently registered User Identity Store in which you define the attribute to be used for "User Name Attribute." The authentication module can be changed using the console. 1. The Browser is configured for Integrated Windows Authentication (IWA). This is a browser security configuration. Access Manager handles two types of WNA fallback authentication. ■ ■ 2. Within Domain where IWA is enabled: OAM supports WNA for the SPNEGO token. But sometimes due to configuration or other issues, OAM receives NTLM tokens from the client rather than SPNEGO. During the DEFAULT flow, OAM will try to authenticate using the NTLM token and fail because OAM doesn't have the capability to authenticate NTLM tokens. Thus, with introduction of "HandleNTLMResponse" configuration, OAM server will challenge client with Basic prompt for authentication. i.e. The fallback here is to prompt for basic mode of authentication if client is sending NTLM tokens to OAM Server. See Section 57.7.3, "Configuring WNA for NTLM Fallback" for details. Outside Domain where IWA is disabled: Here no extra configuration is needed. By default the OOTB user will see a BASIC prompt during authentication. A resource protected by Access Manager and WNA is called. The protected resource should be configured as an intranet resource. This is done by adding the site in the "Local Intranet" zone of the Browser configuration. 3. No ticket is present (NTLM/Kerberos) - Http headers... Authorization: Basic 4. A basic authentication window pops up. 5. The user enters a valid username/password. 6. The requested resource is displayed (WNA Fallback works). 57.1.2 Understanding Supported Kerberos Authentication Modules Use the Kerberos Authentication Module or KerberosPlugin Authentication Module when configuring Access Manager for Windows Native Authentication. The Kerberos Authentication Module identifies the key tab file and krb5 configuration file names and Principal. The KerberosPlugin Authentication Module relies on bundled plug-ins (or those that are developed using the Access Manager Authentication Extensibility Java API). This module uses more than one plug-in that you can orchestrate to ensure that each one performs a specific authentication function. The KerberosPlugin Authentication Module is more robust and richer in functionality than the Kerberos Authentication Module. The KerberosPlugin Authentication Module (along with a plain WNA configuration) supports the following approaches: ■ ■ Kerberos Plugin with Oracle Virtual Directory: Using Access Manager with orchestrated authentication plug-ins integrated with Oracle Virtual Directory virtualize multiple Active Directory Global Catalogs. Kerberos Plugin with Search Failover Across Multiple ADGCs: Using Access Manager with orchestrated authentication plug-ins that exercise a failover pattern across multiple Active Directory Global Catalogs. 57-4 Administrator's Guide for Oracle Access Management Preparing Your Active Directory/Kerberos Topology See Also: ■ Preparing Your Active Directory/Kerberos Topology ■ Confirming Access Manager Operations ■ Integrating KerberosPlugin with Oracle Virtual Directory 57.2 Preparing Your Active Directory/Kerberos Topology You need a fully-configured Microsoft Active Directory authentication service set up as described here. The procedure in this section ensures that Active Directory and the Kerberos client will operate together. The tasks in this section are required regardless of the approach you choose. However, none of this is Oracle specific. The following sample scenario represents a typical Active Directory topology, and is not a requirement dictated by or for Access Manager. The naming used here is an example only. Your environment will be different. Note: As a sample scenario, consider two Active Directory forests operating within a company. Forest Domain Name ORACLE lm.example.com SPRITE lmsib.sprite.com Consider that a child domain exists within the ORACLE forest: child.lm.example.com. Trust is required as follows: ■ Between forests: Two-way, non-transitive trust. ■ Between the child domain and its parent: Two-way, transitive trust. The suffixes and inheritance are: ■ ■ ■ SPRITE users have UPN suffixes such as sun.com orjava.com. The SPRITE forest contains testuser.java.com. ORACLE users have suffixes such as myoracleco.com and oracleco.com. The ORACLE forest contains testuser.oracleco.com. ORACLE child domain inherits the UPN suffixes of the parent domain. Pre-Windows user names formed as DOMAIN\USERNAME, are not supported. Note: For integration with WNA, the User Name Attribute defined for the Default Identity Store can be any attribute whose value matches the Active Directory user's samAccountName. You also need to know which encryption type your environment will use. In some cases a user might be created with "Use DES encryption types for this account" enabled. However, Active Directory is not using DES encryption. Configuring Access Manager for Windows Native Authentication 57-5 Preparing Your Active Directory/Kerberos Topology The keytab file created in the following procedure uses RC4-HMAC encryption. Note: Access Manager supports what JGSS/JDK6 supports. The limitation on the TGT encryption that can be used would be determined by the piece that is the least common or lowest encryption supported: KDC, Keytab, Operating System, Kerberos client. Access Manager does not support any specific Kerberos encryption type. It is dependent on the Generic Security Services (GSS)/Kerberos jdk encryption types with which it is certified. Access Manager is not dependent on any encryption type and does not use TGT encryption. As part of SPNEGO token Access Manager only looks into the Service Ticket which is encrypted with a key that the service (in this case Access Manager) has registered when executing the ktpass/keytab commands. The keytab file created in the following procedure uses RC4-HMAC encryption. Note: Encryptions are used for communication among the different OS (Windows/Linux acting as Kerberos Server/Client). OAM Server just needs the SPNEGO token, from which it extracts the user credential. The encryption used in this three way negation process between the Windows Client (Browser), the Windows KDC, and the Generic Security Services (GSS) classes used by Access Manager, depend on the versions used (which must match). See Also: My Oracle Support for details about the Kerberos Encryption types Access Manager Supports [Doc 1212906.1] at: https://support.oracle.com/CSP/main/article?cmd=show&type=NO T&id=1212906.1 In the trusted domain (for example, the root domain lm.example.com), it is required that you follow the steps provided to: ■ ■ ■ Create an account for the OAM Server. Extract the keytab file that was configured with the Active Directory Multi-Domain or Multi-Forest topology and trust relationships. Specify the Service Principal Name (SPN) using the fully-qualified hostname of the OAM Server (or the load balancer that represents the OAM Cluster), followed by the Realm name. For this example the names in Table 57–1 are used. Table 57–1 Sample Naming Name Description kdc.lm.example.com KDC hostname KDC is a trusted network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services and is implemented as a domain service. The KDC uses Active Directory as its account database. In implementations of the Kerberos protocol, the KDC is a single process that provides two services: Authentication Service (AS) and Ticket Granting Service (TGS). 57-6 Administrator's Guide for Oracle Access Management Preparing Your Active Directory/Kerberos Topology Table 57–1 (Cont.) Sample Naming Name Description kdc.lm.example.com AdminServer hostname This is the same as the KDC hostname. oam11g.example.com OAM Server hostname LM.EXAMPLE.COM Default Active Directory Realm LMSIB.SPRITE.COM Second Active Directory Realm The realm name identifies the location of the user account. A realm name can be either a prefix or a suffix. When an access client sends user credentials, a user name is often included. Within the user name are two elements: a user account name and user account location. HTTP/fully_qualified_ Service Principal Names (SPNs) are needed for user accounts (the OAMServerhostname@REAL name by which a client uniquely identifies an instance of a M_NAME (in CAPITAL service). letters Note: If you install multiple instances of a service on computers throughout a forest, each instance must have its own Service Principal Name. The following procedure documents how to prepare Active Directory and Kerberos. Commands are for a Unix Operating System. Command syntax will vary depending on the specific Operating System in your environment. 1. Check the Oracle certification matrix to ensure you are installing a supported version of Active Directory for this integration: https://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certificatio n-100350.html 2. Install and configure Active Directory as follows: ■ Multi-Forest topology with requisite trust relationships configured and functional, including: a. User accounts to map Kerberos services b. Service Principal Names (SPNs) for these user accounts (the name by which a client uniquely identifies an instance of a service). c. Key tab files ■ ■ ■ Active Directory Global Catalog (ADGC) enabled and functional within each forest Multi-Forest Deployment: In this case, ensure there exists a naming attribute (available in global catalog) that uniquely identifies the users originating from various forests. Generally, userprincipalname is unique for the forest and samAccountName is unique for the domain One domain that is directly or indirectly trusted by every other domain, regardless of forest affiliation. 3. Create a user for Access Manager use during WNA authentication and record this user name for generating the keytab file (no DES encryption). 4. Record the OAM Server hostname. For example: oam11g.example.com Configuring Access Manager for Windows Native Authentication 57-7 Preparing Your Active Directory/Kerberos Topology 5. Record the KDC hostname and the Active Directory domain/realm: KDC = kdc.lm.example.com Default AD Realm = lm.example.com 6. Create the Service Principal Name (SPN) of the Active Directory user that the OAM Server client is using, and record the results (including encryption type). The user name should be in the format user_name@example.com where example.com is the domain name of the Active Directory. For example: ktpass -princ -pass -mapuser -out Ensure that the case of the user name is consistent when entering it with the ktpass, kinit and klist commands. If you enter the user name in lower case when running one command, it must be entered in lower case when running the other commands. Note: For example, the case used in the commands to create the keytabs and the configuration in /etc/krb5.conf file need to match. When ktpass is run to create the keytab (as below), the host name of the KDC server is lm.example.com. Since this is all lower case, the configuration in the /etc/krb5.conf file must also be lower case. Case sensitivity is not the issue as long as the case matches. ktpass -princ HTTP/oam11g.example.com@lm.example.com -mapuser oam -pass examplepw -out c:\temp\oam.keytab C:\Users\Administrator>ktpass -princ HTTP/oam11g.example.com@LM.EXAMPLE.COM -mapuser oam -pass welcome1 -out c:\temp\oam.keytab Targeting domain controller: kdc.lm.example.com Using legacy password setting method Successfully mapped HTTP/oam11g.example.com to oam. WARNING: pType and account type do not match. This might cause problems. Key created. Output keytab to c:\temp\oam.keytab: Keytab version: 0x502 keysize 80 HTTP/oam11g.example.com@lm.example.com ptype 0 (KRB5_NT_ UNKNOWN) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xa3a685f89364d4a 5182b028fbe79ac38) If the user is not part of the Administrators group, follow this procedure to explicitly allow a remote desktop connection for the user. Note: 7. 1. From the Oracle Access Management Console, navigate to the Remote tab through Control Panel -> Remote Settings -> System Properties. 2. Select the "allow connections from computers running any version of Remote Desktop" option. 3. Click Select Users. 4. Add the user. 5. Click Apply. Copy the newly created keytab file to the proper location on the OAM Server and ensure permissions are correct so that the user who created Access Manager can access this file for running ktpass command. 57-8 Administrator's Guide for Oracle Access Management Preparing Your Active Directory/Kerberos Topology 8. Create a simple OAM Server Kerberos krb5.conf or krb5.ini configuration. For example: [libdefaults] default_realm = lm.example.com ticket_lifetime = 600 clock_skew = 600 [realms] lm.example.com = { -kdc = kdc.lm.example.com admin_server = kdc.lm.example.com default_domain = lm.example.com } [domain_realm] lm.example.com =LM.EXAMPLE.COM .lm.example.com = LM.EXAMPLE.COM The OAM account is created in one domain that is trusted by all, lm.example.com. This is not required for lmsib.sprite.com. Note: 9. Verify the klist and kinits work using the keytab file and SPN of the Active Directory and Access Manager user created, then record the results. a. kdestroy b. klist [-k] [-t ]. For example: bash-3.2$ klist -k -t -K -e FILE:/refresh/home/oam.keytab Keytab name: FILE:/refresh/home/oam.keytab KVNO Timestamp Principal ---- ----------------- --------------------------------------------------3 12/31/69 19:00:00 HTTP/oam11g.example.com@lm.example.com (ArcFour with HMAC/md5)(0xa3a685f89364d4a5182b028fbe79ac38) bash-3.2$ c. kdestroy d. kinit [-k] [-t ] []. For example: klist -k -t -K -e FILE:/refresh/home/oam.keytab bash-3.2$ kinit -V -k -t /refresh/home/oam.keytab HTTP/oam11g.example.com@lm.example.com Authenticated to Kerberos v5 e. klist -e bash-3.2$ klist -e Ticket cache: FILE:/tmp/krb5cc_8000 Default principal: HTTP/oam11g.example.com@lm.example.com Valid starting Expires Service principal 02/25/12 18:46:55 02/25/12 18:56:55 krbtgt/LM.EXAMPLE.COM@LM.EXAMPLE.COM Etype (skey, tkt): ArcFour with HMAC/md5, AES-256 CTS mode with 96-bit SHA-1 HMAC Kerberos 4 ticket cache: /tmp/tkt8000 klist: You have no tickets cached bash-3.2$ Configuring Access Manager for Windows Native Authentication 57-9 Confirming Access Manager Operations 10. Proceed as follows: Successful: Continue with "Confirming Access Manager Operations". Not Successful: Stop and resolve the issue which is not related to this integration. Any failure at this point indicates Access Manager WNA cannot work. 57.3 Confirming Access Manager Operations You need a fully-functioning Access Manager deployment. The tasks in this section are required regardless of the approach you choose. In this procedure you will install and register a WebGate, which configures an Application Domain to protect resources. Then you verify that the environment is working with an authentication scheme other than Kerberos. See Also: Oracle Fusion Middleware High Availability Guide for details about high availability environments with two or more Managed Servers configured to operate as a cluster 1. Log in to the Oracle Access Management Console using Administrator credentials. 2. Verify the Default Identity Store connection. 3. Register and install WebGate as an OAM Agent and accept automatic policy generation. 4. Add resources to the Application Domain and customize the authentication policy protecting resources to use any Authentication Scheme other than Kerberos. 5. Test the configuration to ensure that resource protection and access are working as expected. 6. Proceed to "Enabling the Browser to Return Kerberos Tokens." 57.4 Enabling the Browser to Return Kerberos Tokens Use either of the following procedures to configure the Internet Explorer or Mozilla Firefox browsers to return Kerberos tokens. Perform the appropriate procedure on all Active Directory servers. ■ Enabling Kerberos Tokens in Internet Explorer ■ Enabling Kerberos Tokens in Mozilla Firefox With Internet Explorer browsers, Integrated Windows Authentication is enabled by default and you might not need any changes to the default configuration for WNA to work. Note: 57.4.1 Enabling Kerberos Tokens in Internet Explorer 1. On a Windows host in the Active Directory domain, sign in as a domain user. 2. Open the Internet Explorer browser. 3. From the Tools menu, click Internet Options, click Security, click Local Intranet, click Advanced. 4. On the Advanced tab, Security section, check the box beside Enable Integrated Windows Authentication, and click OK. 57-10 Administrator's Guide for Oracle Access Management Integrating KerberosPlugin with Oracle Virtual Directory 5. Add Oracle Access Manager CC host or domain name to Local Intranet zone (use the format http://node.host:port (the port is not required)). For example: http://oam11g.example.com 6. Restart the Internet Explorer browser to enable the change. 57.4.2 Enabling Kerberos Tokens in Mozilla Firefox 1. In the browser Address bar, enter about:config. 2. Add Oracle Access Manager CC host or domain name under network.negotiate-auth.trusted-uris as: network.negotiate-auth.trusted-uris=http://oam11g.example.com Multiple URIs are separated with a comma. 57.5 Integrating KerberosPlugin with Oracle Virtual Directory Oracle Virtual Directory provides the ability to integrate LDAP-aware applications into diverse directory environments while minimizing or eliminating the need to change either the infrastructure or the applications. This section provides the tasks you must perform to configure Access Manager KerberosPlugin authentication for WNA with Oracle Virtual Directory. 1. Perform tasks in this section: ■ Preparing Oracle Virtual Directory for Integration ■ Registering Oracle Virtual Directory as the Default Store for WNA ■ Setting Up Authentication with Access Manager KerberosPlugin and OVD 2. Configuring Access Manager for Windows Native Authentication 3. Enabling the Browser to Return Kerberos Tokens 4. Validating WNA with Access Manager Protected Resources 57.5.1 Preparing Oracle Virtual Directory for Integration Oracle Virtual Directory communicates with other directories through adapters. Before you can start using Oracle Virtual Directory as an identity store, you must create adapters to each of the directories you want to use. The procedure differs slightly, depending on the directory to which you are connecting. If you choose to use Oracle Internet Directory, Active Directory, Oracle Directory Server Enterprise Edition (ODSEE), or Oracle Unified Directory, the required adapters are created and configured while installing and configuring the Oracle Identity Management Server. For more information on managing the adapters, see "Managing Identity Virtualization Library (libOVD) Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager. In the following procedure you create an account for the OAM Server in the trusted domain. Additionally, you create two Active Directory Adapters (one for each forest) using the fully-qualified domain names as namespaces. By default Active Directory uses dc to construct the root context distinguished name. If this is different in your deployment, adjust your adapter namespaces accordingly. 1. Perform tasks described in "Confirming Access Manager Operations". Configuring Access Manager for Windows Native Authentication 57-11 Integrating KerberosPlugin with Oracle Virtual Directory 2. Install Oracle Virtual Directory, as described in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. 3. In Oracle Virtual Directory Console, create two Active Directory Adapters (one for each forest) using the fully-qualified domain names as namespaces as follows: a. Adapter 1, EXAMPLE Adapter namespace (domain DNS lm.example.com): dc=lm,dc=example,dc=com b. Adapter 2, SPRITE Adapter namespace (domain DNS lmsib.sprite.com): dc=lmsib,dc=sprite,dc=com 4. Shut down the OAM Cluster. 5. Restart the AdminServer and all OAM Servers. 6. Proceed with "Registering Oracle Virtual Directory as the Default Store for WNA". 57.5.2 Registering Oracle Virtual Directory as the Default Store for WNA Users with valid Oracle Access Management Administrator credentials can perform the following task to register Oracle Virtual Directory as the user store for Access Manager interoperating with Windows Native Authentication. For Windows Native Authentication, the user credentials must reside in Microsoft Active Directory. Access Directory can be managed by Oracle Virtual Directory instance. For single sign-on with Access Manager, each User Identity Store must be registered to operate with Access Manager. Typically, userprincipalname reflects the Windows login name. For WNA with Access Manager, either leave the User Search Base and Group Search Base blank or provide the distinguished name path that is common to both the adapters configured while performing prerequisite tasks. Before you begin, be sure to complete the sections Preparing Your Active Directory/Kerberos Topology and Confirming Access Manager Operations. 1. In the Oracle the window. Access Management Console, click Configuration at the top of 2. Click User Identity Stores. 3. In the OAM ID Stores section, click Create. 4. Enter required values for your Oracle Virtual Directory instance. For example: Name: OVD LDAP Url: ldap://ovd_host.domain.com:389 Principal: cn=Administrator,cn=users,dc=lm,dc=example,dc=com Credential: ******** User Search Base: dc=com User Name Attribute: userprincipalname Group Name: cn Group Search Base: dc=com LDAP Provider: Oracle Virtual Directory 5. Default Store: Click the Default Store button to make this the user Identity Store for Access Manager. 6. Click Apply to submit the registration, then dismiss the Confirmation window. 7. Restart the AdminServer and OAM Servers. 57-12 Administrator's Guide for Oracle Access Management Integrating KerberosPlugin with Oracle Virtual Directory 8. Proceed to "Setting Up Authentication with Access Manager KerberosPlugin and OVD". 57.5.3 Setting Up Authentication with Access Manager KerberosPlugin and OVD When a native authentication module does not offer enough flexibility for your needs, you can create a custom authentication module using plug-ins designed to meet specific needs. The KerberosPlugin is a credential mapping module that matches the credentials (encrypted username in the Kerberos ticket (SPNEGO token)) of the user who requests the resource. By default, KerberosPlugin maps the domain DNS name to the corresponding distinguished name using the dc component. However, if the mapping is different, you can specify the correct mapping as a semi-colon (;) separated list of name:value tokens. For example: LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com Users with valid Oracle Access Management Administrator credentials can perform the following task to replace default KerberosPlugin steps with steps that enable integration for Windows Native Authentication using the Oracle Access Management Console. 1. In the Oracle Access top of the window. Management Console, click Application Security at the 2. Click Authentication Modules in the Plug-ins section. 3. Click Search, locate the KerberosPlugin plug-in and open it for editing. 4. On the KerberosPlugin page, click the Steps tab. Steps Tab: Replace stepKTA, as described here, then click Save. a. Click stepKTA then click the Delete (x) button to remove this step. b. Click the Add (+) button and add the following step to the plug-in: Element Description Name stepKTA Class KerberosTokenAuthenticator Step Details: Edit this new stepKTA to change the Step Orchestration value from NULL (defined during the step deletion) to its default value of: On Success: StepUIF Failure Failure Also, confirm that this new stepKTA includes the parameter KEY_DOMAIN_DNS2DN_ MAP (created earlier), enter the appropriate values for your deployment and click Save. Configuring Access Manager for Windows Native Authentication 57-13 Integrating the KerberosPlugin with Search Failover Element Description KEY_DOMAIN_DNS2DN_MAP Active Directory Forests in your deployment. For example: LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB.SPR ITE.COM:dc=lmsib,dc=sprite,dc=com Note: By default, a DN domain name a.b.c is mapped into dc=a,dc=b,dc=c. Only if the mapping is different, one has to specify the parameter. Otherwise it is best not to use it and let the default behavior take its course. 5. 6. Service Principal HTTP/oam11g.example.com@LM.EXAMPLE.COM keytab.conf keytab.conf location for stepKTA krb5.conf krb5.conf location for stepKTA stepUIF Details: Configure as follows and click Save: Element Description KEY_LDAP_FILTER (samAccountName={KEY_USERNAME}) KEY_IDENTITY_STORE_REF OVD KEY_SEARCHBASE_URL Leave this empty stepUI and stepUA: Configure as follows and Save: KEY_IDENTITY_STORE_REF OVD 7. Save the changes. 8. Restart the OAM Cluster. 9. Proceed with "Configuring Access Manager for Windows Native Authentication". 57.6 Integrating the KerberosPlugin with Search Failover In cases where an Oracle Virtual Directory deployment is not viable, and it is acceptable to perform search failover based on some order or hierarchy when finding the user, you can configure Access Manager as described in the following task overview. 1. Complete tasks in the following earlier sections: ■ ■ ■ 2. "Preparing Your Active Directory/Kerberos Topology" "Confirming Access Manager Operations" (except "Preparing Oracle Virtual Directory for This Integration", which is not needed for Search Failover) "Enabling the Browser to Return Kerberos Tokens" Perform tasks in this section: ■ "Registering Microsoft Active Directory Instances with Access Manager" ■ "Setting Up the KerberosPlugin for ADGCs" 3. "Configuring Access Manager for Windows Native Authentication" 4. "Validating WNA with Access Manager Protected Resources" 57-14 Administrator's Guide for Oracle Access Management Integrating the KerberosPlugin with Search Failover 57.6.1 Registering Microsoft Active Directory Instances with Access Manager Users with valid Oracle Access Management Administrator credentials can perform the following task to register each Active Directory Global Catalog (ADGC), with relevant search bases and naming attributes, as an individual User Identity Store for Oracle Access Management. A fully-configured Microsoft Active Directory authentication service should be set up with User accounts for mapping Kerberos services, Service Principal Names (SPNs) for those accounts, and Key tab files. For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.3). 1. In the Oracle the window. Access Management Console, click Configuration at the top of 2. Click User Identity Stores. 3. In the OAM ID Stores section, click Create. 4. Enter required values for your first ADGC. For example: Name: ADGC1-EXAMPLE LDAP Url: ldap://ADGC1_host.domain.com:389 Principal: cn=Administrator,cn=users,dc=lm,dc=example,dc=com Credential: ******** User Search Base: dc=lm,dc=example,dc=com User Name Attribute: userprincipalname Group Search Base: dc=lm,dc=example,dc=com LDAP Provider: AD 5. Default Store: Click the Default Store button. 6. Click Apply to submit the changes and dismiss the confirmation window. 7. Repeat these steps to add the second ADGC (ADGC2-SPRITE) with appropriate search bases and naming attributes. Name: ADGC2-SPRITE LDAP Url: ldap://ADGC2_host.domain.com:389 Principal: cn=Administrator,cn=users,dc=lm,dc=example,dc=com Credential: ******** User Search Base: dc=lmsib,dc=example,dc=com User Name Attribute: userprincipalname Group Search Base: dc=lmsib,dc=example,dc=com LDAP Provider: AD 8. Restart the AdminServer and OAM Servers. 9. Proceed to "Setting Up the KerberosPlugin for ADGCs". 57.6.2 Setting Up the KerberosPlugin for ADGCs When a native authentication module does not offer enough flexibility for your needs, you can create a custom authentication module using plug-ins designed to meet specific needs. The KerberosPlugin is a credential mapping module that matches the credentials (username and password) of the user who requests a resource to the encrypted "Kerberos ticket". By default, KerberosPlugin maps the domain DNS name to the corresponding distinguished name using the dc component. However, if the mapping Configuring Access Manager for Windows Native Authentication 57-15 Integrating the KerberosPlugin with Search Failover is different, you can specify the correct mapping as a semi-colon (;) separated list of name:value tokens. For example: LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com Users with valid Oracle Access Management Administrator credentials can perform the following task to replace or update KerberosPlugin steps with steps that point to the ADGCs you have created. These will operate in tandem with their counterparts (if the initial step and ADGC fail, the secondary ADGC is used). Before you begin, be sure to complete the sections Preparing Your Active Directory/Kerberos Topology and Confirming Access Manager Operations. 1. In the Oracle Access top of the window. Management Console, click Application Security at the 2. Click Authentication Modules in the Plug-ins section. 3. Click Search, locate the KerberosPlugin plug-in and open it for editing. 4. On the KerberosPlugin page, click the Steps tab. Steps Tab: Replace stepKTA, as described here, then click Save. a. Click stepKTA then click the Delete (x) button to remove this step. b. Click the Add (+) button and add the following step to the plug-in: Element Description Name stepKTA Class KerberosTokenAuthenticator New stepKTA Details: Confirm that this new stepKTA includes the parameter KEY_DOMAIN_DNS2DN_MAP (created earlier) and enter values for your deployment: Element Description KEY_DOMAIN_DNS2DN_MAP LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB. SPRITE.COM:dc=lmsib,dc=sprite,dc=com Service Principal HTTP/oam11g.example.com@LM.EXAMPLE.COM keytab.conf keytab.conf location for stepKTA. For example: /refresh/home/oam.keytab krb5.conf krb5.conf location for stepKTA. /etc/krb5.conf 5. stepUIF: Step Details (configure as follows and save): Element Description KEY_IDENTITY_STORE_REF ADGC1-ORACLE KEY_SEARCHBASE_URL {KEY_USERDOMAIN} KEY_LDAP_FILTER (samAccountName={KEY_USERNAME}) NOTE: For untrusted, multi-domain Active Directory environments, use the userPrincipalName user attribute. 57-16 Administrator's Guide for Oracle Access Management Configuring Access Manager for Windows Native Authentication 6. stepUI and stepUA: Step Details (configure these steps and save): Element Description KEY_IDENTITY_STORE_REF ADGC1-ORACLE 7. Save the changes. 8. Add stepUIF2: This will operate in tandem and execute if stepUIF fails: Element Description KEY_IDENTITY_STORE_REF ADGC2-SPRITE KEY_SEARCHBASE_URL {KEY_USERDOMAIN} KEY_LDAP_FILTER (samAccountName= {KEY_USERNAME}) NOTE: For untrusted, multi-domain Active Directory environments, use the userPrincipalName user attribute. 9. Add stepUI2: This will operate in tandem and execute if stepUI fails: Element Description KEY_IDENTITY_STORE_REF ADGC2-SPRITE 10. Add stepUA2: This executes when stepUI2 succeeds: Element Description KEY_IDENTITY_STORE_REF ADGC1-EXAMPLE and ADGC2-SPRITE, respectively 11. Add Step Details: Common Configuration, Plugins, KerberosTokenAutheticator. Enter values for your deployment: Element Description keytab.conf keytab.conf location for stepKTA. For example: /refresh/home/oam.keytab krb5.conf krb5.conf location for stepKTA. For example: /etc/krb5.conf 12. Restart the OAM Cluster. 13. Proceed with "Configuring Access Manager for Windows Native Authentication". 57.7 Configuring Access Manager for Windows Native Authentication Whether you are using Oracle Virtual Directory or Active Directory with Global Catalogs, this section provides the following topics with steps you can follow: ■ Creating the Authentication Scheme for Windows Native Authentication ■ Configuring Policies for Windows Native Authentication ■ Configuring WNA for NTLM Fallback ■ Verifying the Access Manager Configuration File Configuring Access Manager for Windows Native Authentication 57-17 Configuring Access Manager for Windows Native Authentication 57.7.1 Creating the Authentication Scheme for Windows Native Authentication Users with valid Oracle Access Management Administrator credentials can perform the following task to define an authentication scheme to use in policies protecting applications for Windows Native authentication. Before you begin, be sure to complete one of the following sections: Integrating KerberosPlugin with Oracle Virtual Directory or Integrating the KerberosPlugin with Search Failover. 1. In the Oracle Access top of the window. Management Console, click Application Security at the 2. Click Authentication Schemes in the Access Manager section. 3. Under Search, type KerberosScheme in the Name box and click Search. 4. Click KerberosScheme in the search results to open it. Set (or confirm) the following attributes: Challenge Method: WNA Authentication Module: KerberosPlugin 5. Finish configuring KerberosScheme for your deployment. 6. Click Apply and close the confirmation window. 7. Proceed to "Configuring Policies for Windows Native Authentication". 57.7.2 Configuring Policies for Windows Native Authentication In this procedure you edit (or Create) an Application Domain and policies to protect resources for Windows Native Authentication. Before you begin, complete Creating the Authentication Scheme for Windows Native Authentication. 1. In the Oracle Access top of the window. 2. Click Application Domains in the Access Manager section. 3. Open (or Create) the desired Application Domain, as described in "Managing Application Domains Using the Console" on page 25-10. 4. Resource Definitions: Add Resource Definitions to the domain as described in "Adding and Managing Policy Resource Definitions" on page 25-13. 5. Authentication Policies: a. Management Console, click Application Security at the Open the Authentication Policies node, and open (or Create) the desired Authentication Policy with the following attributes: Authentication Scheme: KerbScheme as the and ensure that it includes the updated KerberosPlugin. Choose KerbScheme as the Authentication Scheme and ensure that it includes the updated KerberosPlugin. b. Click Apply, close the Confirmation window. c. Resources for Authentication Policy: Add Resources to the Authentication Policy as described in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management. d. Complete the Authentication Policy with any desired Responses. 57-18 Administrator's Guide for Oracle Access Management Configuring Access Manager for Windows Native Authentication 6. Authorization Policies: Complete the Authentication Policy with any desired Responses or Conditions as described in "Defining Authorization Policies for Specific Resources" on page 25-35. 7. Proceed to "Verifying the Access Manager Configuration File". 57.7.3 Configuring WNA for NTLM Fallback Follow these steps to configure Access Manager to use WNA Fallback Authentication upon receiving an NTLM token. For more information, see Section 57.1.1, "Understanding Access Manager WNA Login and Fall Back Authentication." 1. Stop the OAM managed server. 2. Back up the following file to a safe location: /config/fmwconfig/oam-config.xml 3. Modify /config/fmwconfig/oam-config.xml as follows: a. Find the following line: b. After the line, add the following elements (if they are not already present): ------------------------------------------------------------------------- BASIC -------------------------------------------------------------------------- If the following parameter already exists: DEFAULT change the HandleNTLMResponse value from DEFAULT to BASIC. For example: BASIC 4. Restart the OAM server processes. See Section 57.10.4, "Two BASIC Authentication Prompts Are Displayed" for troubleshooting information. Note: 57.7.4 Verifying the Access Manager Configuration File Verify that the following are specified in the oam-config.xml file as in Example 57–1: ■ path to the krb5.conf file ■ path to the keytab file ■ a principal to connect with KDC Example 57–1 oam-config.xml HTTP/oam11g.example.com@LM.EXAMPLE.COM Configuring Access Manager for Windows Native Authentication 57-19 Validating WNA with Access Manager Protected Resources XYZKerberosModule /refresh/home/oam.keytab /etc/krb5.conf 57.8 Validating WNA with Access Manager Protected Resources Integrated Windows Authentication (IWA) is associated with Microsoft products that use SPNEGO, Kerberos, and NTLMSSP authentication protocols included with certain Windows operating systems. The term Integrated Windows Authentication (IWA) is used for the automatic authentication process that happens between Microsoft Internet Information Services, Internet Explorer, and Microsoft's Active Directory. IWA is also known by other names such as HTTP Negotiate authentication, NT Authentication, NTLM Authentication, Domain authentication, Windows Integrated Authentication, Windows NT Challenge/Response authentication and Windows Authentication. Note: WNA authentication occurs internally. When integrated with Access Manager: ■ ■ ■ ■ The user is redirected to the Access Manager for authentication. The OAM Server requests authentication with a www-negotiate header when the resource is protected by Access Manager with a challenge method of WNA. The browser configured for Integrated Windows Authentication (IWA) sends the Kerberos SPNEGO token to the OAM Server for decryption. The OAM Server decrypts the received user SPNEGO token (using keytab) and redirects the user back to the Agent with the cookie and gets access to the resource. Use this procedure to validate WNA with Access Manager protected resources. 1. Log in to a Windows system in the Active Directory domain as a domain user. 2. Sign in to the Windows OS client using the Windows domain credentials stored in a hosted Active Directory that is registered with Access Manager. 3. Open an Internet Explorer browser window, and enter the URL for the OAM-protected application in your environment. 4. Confirm that you are logged in to the application with your Windows domain credentials with no additional login. 57.9 Configuring WNA For Use With DCC The Kerberos authentication protocol provides a mechanism for mutual authentication between entities before a secure network connection is established. This section provides information on how to configure Windows Native Authentication and Kerberos to use the DCC with Access Manager. It contains the following topics. ■ Initializing the Kerberos Protocol ■ Configuring Access Manager 57-20 Administrator's Guide for Oracle Access Management Configuring WNA For Use With DCC See Understanding Credential Collection and Login for details on DCC. Note: 57.9.1 Initializing the Kerberos Protocol To initialize Access Manager for the Kerberos protocol, do the following. 1. Run the ktpass command on the Windows data store, substituting the appropriate values for service, realm, user and user password. ktpass -princ @ -pass -mapuser -out For example: ktpass -princ HTTP/adc.example1.com@EXAMPLE.COM -pass Welcome1 -mapuser anil@example.com -out foobar2.keytab This command creates an SPN and associates it with the local service account created in the previous step. Only RC4-HMAC encryption is supported; do not use DES encryption. Note: 2. Copy the keytab output generated by the ktpass command and leave it at an appropriate location on the DCC host machine. 3. Modify the /etc/krb5.conf file on the DCC host machine accordingly. For example: [loggings] default = FILE:/scratch/anikukum/krb/krb5libs.log kdc = FILE:/scratch/anikukum/krb/krb5kdc.log admin_server = FILE:/scratch/anikukum/krb/krbadmin.log [libdefaults] default_realm = EXAMPLE.COM ticket_lifetime = 24h forwardable = yes dns_lookup_realm = false dns_lookup_kdc = false default_tkt_enctypes = rc4-hmac default_tgs_enctypes = rc4-hmac permitted_enctypes = rc4-hmac clockskew = 3600 [realms] EXAMPLE.COM = { kdc = adc.example1.com admin_server = adc.example1.com default_domain = EXAMPLE.COM } [domain_realm] example.com = EXAMPLE.COM .example.com = EXAMPLE.COM Configuring Access Manager for Windows Native Authentication 57-21 Configuring WNA For Use With DCC For multiple domain Active Directory environments, add entries for each domain as documented below. Note: [realms] EXAMPLE.COM = { kdc = adc.example1.com admin_server = adc.example1.com default_domain = EXAMPLE.COM } SPRITE.COM = { kdc = lmsib.sprite.com admin_server = lmsib.sprite.com default_domain = SPRITE.COM } [domain_realm] example.com = EXAMPLE.COM .example.com = EXAMPLE.COM sprite.com = SPRITE.COM .sprite.com = SPRITE.COM 4. Run the kinit command on the DCC host machine to obtain a Kerberos ticket. kinit -k -t @ For example: kinit -k -t foobar1.keytab HTTP/adc.example1.com@EXAMPLE.COM 5. Validate the Kerberos ticket on the DCC host machine using the klist command. klist 57.9.2 Configuring Access Manager This procedure will configure Access Manager to use the Kerberos Authentication Module. 1. Modify the Challenge Method of the Kerberos authentication scheme to WNA, if applicable. a. In the Oracle Access Management Console, click Application Security at the top of the window. b. In the Launch Pad tab, click Authentication Schemes in the Access Manager section. c. Search for KerberosScheme and click Edit. d. Change the Challenge Redirect URL to DCC WebGate URL. For example, http://:/ e. 2. Click Apply and close the page. Configure the User Identity Store for LDAP Authentication Module to the configured Windows data store. 57-22 Administrator's Guide for Oracle Access Management Troubleshooting WNA Configuration 3. a. In the Oracle Access Management Console, click Application Security at the top of the window. b. In the Launch Pad tab, click Authentication Modules in the Access Manager section. c. Search for LDAP and click Edit. d. Change the User Identity Store to, for example, Active Directory. e. Click Apply and close the page. Configure the Application Domain protecting the resource to use the Kerberos authentication scheme. Before accessing the protected resource ensure that its URL is added to the local intranet Site of Security. Additionally, check the Enable Integrated Windows Authentication option under Security in the Advance tab. 57.10 Troubleshooting WNA Configuration This section provides information about the following errors: ■ Kinit Fails ■ "An Incorrect Username or Password was Specified" Is Displayed ■ User Identity Store is Not Registered Correctly ■ Two BASIC Authentication Prompts Are Displayed See Also: Access Manager WNA Quick Start Guide on My Oracle Support, Knowledge Base note 1416903.1 at: https://support.oracle.com/ 57.10.1 Kinit Fails While retrieving initial credentials, the client may not be found in the Kerberos database. This is the Kerberos version of "User not found" and might be related to one of the following: ■ Misspelling or typo of the principal name ■ The principal was not added to the Kerberos database, the principal doesn't exist. ■ The user name does not exist in Active Directory or has not been registered as a Kerberos user. ■ The SPN is not unique. ■ On the Active Directory side one or more duplicate entries were found. The solution would be to have the Active Directory Administrator search the LDAP tree for duplicate entries of the SPN, and remove them. 57.10.2 "An Incorrect Username or Password was Specified" Is Displayed If unable to access a resource protected by Access Manager using the WNA authentication scheme and the error "An incorrect Username or Password was specified" is displayed, check the following. ■ An incorrect username or password was specified. ■ There is a mismatch in the encryption types being used. Configuring Access Manager for Windows Native Authentication 57-23 Troubleshooting WNA Configuration ■ The key version number (kvno) of the SPN mentioned in the keytab does not match the kvno of the mapped user in the identity store. 57.10.3 User Identity Store is Not Registered Correctly By default, the OAM identity store is Embedded LDAP. If you are using a different identity store (for example, Active Directory or Oracle Unified Directory) be sure to register the identity store. Chapter 5, "Managing Data Sources" has complete details on identity stores and how to register them. ■ ■ To set the identity store being used as the Default Store, see Section 5.2.2, "Using the System Store for User Identities." To register the User Identity Store being used, see Section 5.2.5, "Registering a New User Identity Store" with details in Section 5.2.4, "Defining the User Identity Store Registration Settings." 57.10.4 Two BASIC Authentication Prompts Are Displayed If OAM is configured for WNA and the client browser is not configured for IWA, two BASIC authentication prompts might be displayed when accessing a WNA protected resource. One prompt comes from the Weblogic Server and the second from OAM. To avoid this, the WebLogic Server must be configured to ignore HTTP Basic authentication requests. 1. Stop all WebLogic managed server and the admin server. 2. Create a copy of the config.xml file. $WLS_DOMAIN/config/config.xml 3. Add the following parameter at the end of the "" section in the config.xml file. false Be sure to add this parameter BEFORE the false parameter. 4. Restart the WebLogic environment. 57-24 Administrator's Guide for Oracle Access Management 58 Integrating JBoss with Access Manager 58 Oracle provides a J2EE-type JBoss Agent and JBoss Login Module for a smooth integration between Access Manager and JBoss. This chapter provides the following information to assist you with this integration. ■ Overview of JBoss Integration with Access Manager ■ Understanding the Integration Topology ■ Preparing Your Environment for JBoss 6.x Integration ■ Preparing Your Environment for JBoss 5.x Integration ■ Protecting JBoss-Specific Resources ■ Protecting Web Applications with the JBoss Agent ■ Configuring JBoss Server to Access a Host Name (not localhost) ■ Configuring the Login Module to Secure EJBs ■ Configuring the Login Module to Secure Web Service Access ■ Configuring Logging for the JBoss Agent and Login Module ■ Validating Your Configuration 58.1 Overview of JBoss Integration with Access Manager JBoss application server is an open source alternative to the IBM WebSphere and SAP NetWeaver application servers. The JBoss application server and related services are a J2EE platform used for developing and deploying enterprise Java applications, Web applications services, and portals. J2EE allows the use of standardized modular components and enables the Java platform to handle many aspects of programming automatically. For integration with JBoss, Oracle provides: ■ ■ A J2EE type JBoss Agent A JAAS-compliant Login Module, which can be used with any client to authenticate against Access Manager There is no special processing within (or by) Access Manager with (or for) the JBoss Agent. Note: Integration between JBoss and Access Manager enables you to: ■ Protect Web applications and establish user single sign-on ■ Secure EJB access by configuring the login module for EJBs Integrating JBoss with Access Manager 58-1 Overview of JBoss Integration with Access Manager ■ Secure Web Services using the login module with Web service handlers to authenticate and authorize the caller There are no client interfaces. For more information, see the following topics: ■ Understanding the Configuration of and Processing by the JBoss Agent ■ Understanding the Configuration of and Processing by the Login Module 58.1.1 Understanding the Configuration of and Processing by the JBoss Agent The JBoss Agent is a fully capable agent running on the JBoss Server. This JBoss Agent supports Access Manager Web single sign-on flows with (or without) a WebGate. Authentication and authorization are based on resource URLs defined within Access Manager policies. The JBoss Agent intercepts every incoming request to the OAM Server and checks for access permissions for the requested resource. If the resource is protected by an OAM policy, the JBoss Agent initiates authentication and authorization for the user trying to access the resource. Whenever an unauthenticated user requests access to any protected resource, the JBoss Agent redirects the user to the credential collector for a user name and password. The username and password that is entered is authenticated by the OAM Server. The JBoss Agent then establishes user session on the JBoss Container using the login module for the user. The login module queries the LDAP directory and fetches the authenticated user principals to set the subject. The JBoss Agent depends on the Pure Java ASDK classes and APIs for accessing and communicating with the OAM Server. The JBoss Agent implements the javax.servlet.Filter interface. For more information, see the Access Manager Java API Reference. Note: The JBoss Agent requires OAM Server communication details, certificate store, and more, which can be configured as: ■ ■ A properties file containing all configuration details (the path to this file can be set as a filter parameter) The absolute path of the properties file added within the filter configuration in web.xml The custom headers that are defined by the Oracle Access Management Administrator can only be defined using these methods. Note: The application filter should log messages at different logging levels (FATAL, ERROR, WARNING, DEBUG, TRACE). Each level indicates the severity of information logged, in descending order. The filter should be able to log the detailed trace of an incoming message as one set. The JBoss Agent and the Login Module are both equipped with messages for various log levels. For logging in the same log file (server.log): For example, for ASDK, the category name in the previous tag is oracle.security.am.asdk, as shown: 58-2 Administrator's Guide for Oracle Access Management Overview of JBoss Integration with Access Manager The following overview outlines the processing functions for the Access Manager JBoss Agent. 1. Query the OAM Server to check whether the requested resource is protected. 2. Call the OAM Server to retrieve the authentication scheme. 3. Analyze the authentication scheme for the protected resource, and redirect the request to the credential collector. 4. Authenticate the user credentials. 5. Successful Authentication: Set the authentication token generated from the OAM Server in the cookie. 6. Authentication Token: Validate the integrity of the token before servicing the request. Request the OAM Server to verify the user is authorized to access the protected resource and handle the response from the OAM Server accordingly. 7. Depending upon the user requests and OAM Server responses, the JBoss Agent identifies where user requests should be redirected to allow or deny access to the protected resource. The JBoss Agent is comprised of components described in Table 58–1. Each component uses the Access ASDK to communicate with the OAM Server. Table 58–1 JBoss Agent Composition Component Description Authentication Valve Invoked during the JBoss Authentication phase for all incoming requests. If the resource is marked as protected by security constraints in the application's Web descriptor, the Authentication Valve checks for the presence of a user principal in the HTTP session: ■ ■ ■ Authentication Filter Access Manager Login Module Valid User Present: The Authentication Valve evaluates whether the user principal satisfies the security constraints from the application's Web description. If constraints are satisfied, the request proceeds. Otherwise, an authorization failure message is displayed. Valid Single Sign On Cookie Present (ObSSOCookie) (No Valid User): The Authentication Valve verifies the cookie's validity by using the Access Manager Login module (and sets the user principal in the session). No Valid Single Sign On Cookie Present (ObSSOCookie) / No Valid User: The Valve redirects to the OAM Login page when the resource is marked as protected using Access Manager policies. Invoked for each incoming request following the JBoss authentication phase. For each incoming request, the filter verifies whether a token is present. ■ Token Present: The filter uses the ASDK to validate the token. ■ Invalid Token: The filter redirects to the Access Manager Login page. Used internally by the JBoss Agent to authenticate the user based on the SSO token. Any client (stand alone or deployed within the JBoss Container) can use the Login Module to authenticate the incoming user based on username and password or a valid token. 58.1.2 Understanding the Configuration of and Processing by the Login Module The JAAS-compliant Access Manager Login Module is a pluggable authentication module using JAAS APIs provided by the Access Manager javax.security.* package. The JAAS-compliant Login Module interfaces enable the client to pass authentication data to the server. The login module is configured with the JBoss server Integrating JBoss with Access Manager 58-3 Overview of JBoss Integration with Access Manager and application to integrate the module with the JBoss application server. The Login Module implementation class is: public class OAMLoginModule implements LoginModule The standard JAAS packages required by this class are javax.security.*. The login module class is stored in a jar file: $JBOSS_HOME/server/default/lib. The login-config.xml file is the default JBoss Login Module configuration file. This Login Module requires a JAAS security domain name (OAMLoginModule, for instance). Information is stored in login-config.xml as a list of named security domains, each of which specifies a number of JAAS Login Modules that are used for authentication within that domain. For example, you add this manually and then restart the JBoss Server. tokenBased D:/agentconfig /Authen/Basic OAM_GROUPS /Authen/SSOToken Whenever an application requires security, you must specify the domain name to use in the application's JBoss-specific deployment descriptors (either one or both): Note: ■ ■ jboss.xml: Defines JBoss-specific configurations for an application. jboss-web.xml: Defines JBoss for a Web application. This file must declare the security domain and should be placed in the WEB-INF folder. The JAAS-compliant Login Module consumes either user name/password or Access Manager token. It authenticates and validates the credentials or token with the OAM Server (using the Access Manager Java ASDK APIs) and populates the JAAS subject with user and group information obtained from the OAM Server. The Login Module can operate in either usernamePassword mode or tokenBased mode. The following sections provide details. ■ Understanding the Login Module Process in usernamePassword Mode ■ Understanding the Login Module Process in tokenBased Mode 58.1.3 Understanding the Login Module Process in usernamePassword Mode The usernamePassword mode authenticates the user based on user name and password or a user and certificate combination that forms a security identity and credential pair. The Login Module does not directly query the LDAP. Instead the login module uses the OAM Java ASDK to communicate and authenticate the user 58-4 Administrator's Guide for Oracle Access Management Understanding the Integration Topology credentials with the OAM Server; user and group information is retrieved as responses. Following is an overview of the process. 1. Fetches login information. 2. Authenticates the user with Access Manager based on credentials collected by the JBoss Agent. 3. Creates the container session for the client on the server. 4. Sets the JAAS subject with the userID and roles. 5. On logout, clears the principal settings of the subject in the session and removes the privilege settings associated with the roles of the subject. 58.1.4 Understanding the Login Module Process in tokenBased Mode The tokenBased mode sets the Subject by validating the SSO token. 1. Fetches login information. 2. Validates the SSO authentication token generated from the OAM Server in the cookie. 3. Creates the container session for the client on the server. 4. Sets the JAAS subject with the userID and roles fetched using the existing SSO session token. 5. On logout, clears the principal settings of the subject in the session and removes the privilege settings associated with the roles of the subject. 58.2 Understanding the Integration Topology This section provides the following information. ■ Topology: Access Manager with JBoss Agent ■ Topology: JBoss Agent Behind Web Server Configured with WebGate ■ Sample Integration Topology 58.2.1 Topology: Access Manager with JBoss Agent Figure 58–1 illustrates the various clients (whether browser, EJB, or Web serivce) that can securely access any J2EE application deployed on the JBoss Application Server. The JBoss Agent is configured for this access and is deployed within the JBoss Application Server. Figure 58–1 Various Clients Deployed on JBoss Application Server Integrating JBoss with Access Manager 58-5 Understanding the Integration Topology 58.2.2 Topology: JBoss Agent Behind Web Server Configured with WebGate In addition to operating alone, the JBoss Agent can be also work in conjunction with an Oracle HTTP Server (proxy) configured with a WebGate, as shown in Figure 58–2. Figure 58–2 JBoss Agent Deployed with an Oracle HTTP Server WebGate Applications are deployed in the JBoss Application Server protected with the JBoss Agent. Additionally the request comes through an Oracle HTTP Server instance that is configured with a WebGate. Both the WebGate and the JBoss Agent are configured against the same Access Manager deployment. Here, the JBoss Agent plays the role of an Identity Asserter that simply validates that the token forwarded by the WebGate is valid and uses the identity established by the WebGate. 58.2.3 Sample Integration Topology Figure 58–3 illustrates the topology used in this chapter for integration between Access Manager and JBoss. Figure 58–3 Sample Integration Topology Details for this deployment are described in "Preparing Your Environment for JBoss 5.x Integration" on page 58-9. Use Cases The topology in Figure 58–3 supports: ■ Protecting Web Applications This use case is Application specific and JBoss specific. It uses Access Manager SSO with the JBoss Agent and an authorization policy for browsers accessing Web applications on JBoss (with local EJB invocation, if any). – Access Manager (Host 1) 58-6 Administrator's Guide for Oracle Access Management Preparing Your Environment for JBoss 6.x Integration – ■ Application hosted on JBoss Application Server (Host 2) Invoking Secured EJBs using Rich Java Clients The client can access an EJB in different ways depending on the client architecture, as follows: a. Configure the JAAS-compliant Login Module on the JBoss Container to secure access to the EJB. The client can then make use of JBoss-specific mechanism to propagate the Access Manager SSO token to the JBoss Container. The client can either make use of an already procured Access Manager SSO token or the client can use the JAAS-compliant Access Manager Login Module to obtain the SSO token based on user's credentials. b. ■ Alternatively, the Access Manager SSO token can be obtained using a custom HTTP Web server-based Access Manager Authentication Service exposed to Rich Java clients. EJB invocation as a Web Service Provider (WSP) JAAS-compliant Access Manager Login Module can be configured on the Web Service Provider side to validate the Username and Password or the SSO Token. Alternatively: If only the Username is available for Web Services Consumption (WSC), you need the WSP requiring the SAML token issued by Security Token Service asserting the Username, followed by invocation of JAAS-compliant Access Manager Login Module with extra username-only assertion capability). – Secure EJB access using the JAAS-compliant Access Manager Login Module on (Host 2) – Host the EJB Application on the JBoss server (Host 2) – Access Manager (Host 1) Remaining sections in this chapter describe how to complete this integration. 58.3 Preparing Your Environment for JBoss 6.x Integration This section describes how to integrate JBoss Enterprise Application Platform (EAP) 6.x Application Server with Oracle Access Manager. It includes information regarding the Access Manager Access SDK and JBoss Agent. 1. Check the latest support information on: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification -100350.html 2. Host 1: Install Access Manager as described in Oracle Fusion Middleware Installation Guide for Oracle Identity Management. 3. Host 2: a. Install JBoss EAP 6.x Application Server, as described in your JBoss installation guide. b. Set JAVA_HOME environment variable. c. Edit JBoss standalone.xml/domain.xml to change host from 127.0.0.1 to 0.0.0.0. For example: JBoss_install_directory\standalone\configuration\standalone.xml From Integrating JBoss with Access Manager 58-7 Preparing Your Environment for JBoss 6.x Integration ${jboss.bind.address:127.0.0.1} To ${jboss.bind.address:127.0.0.1} 4. Host 2: install the Access Manager Access SDK, as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. 5. Host 2: create a Global module. For example: a. Create a directory at JBoss_install_ directory\modules\system\layers\base\mymodule\main b. Create module.xml: 6. Host 2: install the OAM JBoss Agent. a. Download the JBoss Agent ZIP file and extract the files. For supported JBoss EAP 6.x versions, the JBoss agent is supplied as JAR files in patch 19440119. Download the referenced patch from My Oracle Support at http://support.oracle.com/. 7. b. From the /agentconfig/oam_config.properties file, copy oam-authenticatorvalve.jar and j2eeagent.jar to JBoss_install_ directory\modules\system\layers\base\mymodule\main c. Download the JBossWeb jar from http://www.java2s.com/Code/JarDownload/jbossweb/jbossweb-service.jar. zip and copy it’s jbossweb-service.jar to JBoss_install_ directory\modules\system\layers\base\mymodule\main Host 2: configure the Global module a. Open jboss_install_directory/standalone/configuration/standalone.xml(for standalone) or domain.xml (for multi structure) b. Under “jboss:domain:ee” subsystem, add below line: 8. Proceed to "Protecting JBoss-Specific Resources" and do the following procedures. a. "Registering the JBoss Agent with Automatic Policy Creation" 58-8 Administrator's Guide for Oracle Access Management Preparing Your Environment for JBoss 5.x Integration b. 9. "Creating a Custom Policy for JBoss Resource Protection" Proceed to "Protecting Web Applications with the JBoss Agent" and do the following procedures. a. "Creating Configuration Properties for the JBoss Agent" b. "Mapping the Filter in the Application's web.xml File" 10. Configure the JBoss Login Module to use Access Manager policies. a. Open jboss_install_directory/standalone/configuration/standalone.xml(for standalone) or domain.xml (for multi structure) b. Under the “jboss:domain:security” subsystem, add a new security-domain as follows: c. Deploy the application. d. Start JBoss using the following command: JBoss_install_dir\bin\standalone.bat Note: ■ ■ ■ Valve is not currently supported at the Global level. The JBoss agent codebase libraries are not updated during this procedure. Role based authorization in EJB is not working in EAP when trying to create the authentication token on the client side via OAMLoginModule and trying to propagate the authentication token to the JBoss server via the ClientLoginModule class. 58.4 Preparing Your Environment for JBoss 5.x Integration The following procedure describes how to prepare your environment for integrating JBoss Application Server with Access Manager. 1. Check the latest support information on: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification -100350.html 2. Host 1: Install Access Manager as described in Oracle Fusion Middleware Installation Guide for Oracle Identity Management. 3. Host 2: Integrating JBoss with Access Manager 58-9 Protecting JBoss-Specific Resources a. Install JBoss 5.1.0 Application Server, as described in your JBoss installation guide. b. Edit JBoss server.xml to change to . For example: JBoss_install_directory\server\default\deploy\jbossweb.sar\server.xml From To 4. Host 2, Install the Access Manager Access SDK, as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. 5. Host 2, Install OAM JBoss Agent. For supported JBoss EAP 5.x versions, the JBoss agent is supplied as JAR files in controlled patch 14635540. Download the referenced patch from My Oracle Support at http://support.oracle.com/. a. Extract oam-j2eeagent.zip: From /agentconfig/oam_config.properties file b. Copy oam-authenticatorvalve.jar and j2eeagent.jar: To JBoss_install_directory\server\default\lib 6. Proceed to "Protecting JBoss-Specific Resources" and do the following procedures. a. "Registering the JBoss Agent with Automatic Policy Creation" b. "Creating a Custom Policy for JBoss Resource Protection" 58.5 Protecting JBoss-Specific Resources This task is JBoss specific and is required for all JBoss integration use cases: protecting applications, Web Services, or EJBs. The following sections describe how to create a JBoss Agent registration (which includes defining protected resources) and configure authorization policies for use with the JBoss Agent. ■ Registering the JBoss Agent with Automatic Policy Creation ■ Creating a Custom Policy for JBoss Resource Protection 58.5.1 Registering the JBoss Agent with Automatic Policy Creation For this task, you can use either the Oracle Access Management Console as described in this section, or remote registration as described elsewhere in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management. For communication between Access Manager and the JBoss Agent, you can use Open, Simple, or Cert Security Mode. Configuring the JBoss Agent to use Simple or Cert mode signals the Java ASDK to operate in the same mode. During registration, a new file system directory is created for the agent on the Oracle Access Management 58-10 Administrator's Guide for Oracle Access Management Protecting JBoss-Specific Resources Console host (AdminServer). After registration, you copy artifacts to the Agent directory path: ■ ObAccessClient.xml ■ password.xml (Simple or Cert mode only) ■ oamclient-keystore.jks - see "Setting Up The Keystore" in Oracle Fusion Middleware Developer's Guide for Oracle Access Management. In the following procedure you will create a fresh registration for a 10g OAM Agent. Replace variables with values for your environment. This example uses Cert mode. Your deployment will be different. 1. Go to the Oracle Access Management Console (host 1) and log in using Administrator credentials. For example: https://host1:port/oamconsole User: adminuserID Password ******** 2. Click Application Security at the top of the window. 3. In the Launch Pad tab, click SSO Agent Registration in the Quick Start Wizards section. 4. Select WebGate as the agent type and click Next. 5. Enter the following (and required details) to register this OAM Agent. For example: ■ Name: JBoss ■ Version: 10g ■ ■ Security: Cert (See Oracle Fusion Middleware Developer's Guide for Oracle Access Management) User-defined Parameter: logoutRedirectUrl=http://OAM_Server.domain.com:14100/oam/server/logout 6. Protected Resource List: Click the Add (+) button in this table and enter the resources you want protected by the default Authentication and Authorization policies: /Authen/Basic /Authen/SSOToken 7. Auto Create Policies: Check to create fresh policies and an Application Domain. 8. Click Apply to submit the registration. 9. Check the Confirmation window for the location of generated artifacts and then close the window. 10. In the navigation tree, confirm the Agent name is listed. 11. Copy ObAccessClient.xml from the AdminServer to the JBoss Agent installation directory path: From: $WLS_HOME/middleware/user_projects/domains/base_ domain/output/AGENTNAME To: D:\agentconfig Integrating JBoss with Access Manager 58-11 Protecting JBoss-Specific Resources 12. Proceed with "Creating a Custom Policy for JBoss Resource Protection". 58.5.2 Creating a Custom Policy for JBoss Resource Protection In this task, you create a custom Authorization Policy to protect JBoss Agent-specific resources and add responses that return the user groups as header variables. For example, name the response OAM_GROUPS (with value $user.groups). For this custom authorization policy, the success and failure redirect URLs are not needed because the single purpose of this policy is to provide responses for an authorized user. If redirect URLs are provided, no redirection occurs with the processing logic of the JBoss Agent or Login Module. Note: 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Launch Pad tab, click Application Domains in the Access Manager section. 3. Search for the JBoss domain and open it for editing. 4. Authorization Policies: a. Click the Authorization Policies node and click the Create (+) button. b. In the Name field of the Summary tab, enter a unique name. For example: Custom Authorization Policy 5. Add Resources: JBoss Agent-specific resources were defined during agent registration. a. Click the Resources tab on the Authorization Policy page. b. Click the Add (+) button. c. Click the Search button. d. Choose a URL from the list, then click Add Selected: /Authen/Basic e. Repeat Steps a through d to add: /Authen/SSOToken f. 6. Click Apply Add Responses: Click the Responses tab, click the Add (+) button and: ■ In the Name field, enter a unique name for this response: OAM_GROUPS. ■ From the Type list, choose a response type (Header). ■ In the Value field, enter a value for this response. For example: $user.groups 7. Click Apply to save changes and close the Confirmation window. 8. Proceed to the proper topic for your deployment. ■ Protecting Web Applications with the JBoss Agent ■ Configuring the Login Module to Secure EJBs ■ Configuring the Login Module to Secure Web Service Access 58-12 Administrator's Guide for Oracle Access Management Protecting Web Applications with the JBoss Agent 58.6 Protecting Web Applications with the JBoss Agent This section provides the following tasks required to protect Web Applications with the JBoss Agent. Before beginning this section, deploy the application as usual. ■ Creating Configuration Properties for the JBoss Agent ■ Configuring the Authentication Valve ■ Mapping the Filter in the Application's web.xml File ■ Configuring the JBoss Login Module to Use Access Manager Policies 58.6.1 Creating Configuration Properties for the JBoss Agent In this task, you copy Jboss Agent registration artifacts from the AdminServer to the JBoss host and create a filter configuration properties file that is referenced later. The JBoss Agent relies on the 11g Java ASDK which operates in the same mode as the registered JBoss Agent. Note: The JBoss Agent requires a configuration file (oam_config.properties) that defines a number of critical properties. These include the file system path to the agent's registration artifact (ObAccessClient.xml), the security domain defined in the JBoss server's login configuration file, parameters and values that return to the JBoss Agent during authentication, and an optional attribute to check for the presence of authToken in the request. Use this procedure to create a configuration properties file for the JBoss Agent. 1. Create a JBoss Agent configuration file named oam_config.properties using the following sample as a guide: ##Path of the folder containing the ObAccessClient.xml configPath=D:\\agentconfig ##Name of the security domain as configured in JBoss's login-config.xml realmName=oamrealm ##Optional. If not specified then defaults to /Authen/Basic ##publicAuthnResourceName=/Authen/Basic ##Optional. If not specified then defaults to http ##publicAuthnResourceType=http ##Optional. If not specified then defaults to GET ##publicAuthnResourceOperation=GET ##Optional. If not specified then defaults to /Authen/SSOToken ##publicAuthzResourceName=/Authen/SSOToken ##Optional. If not specified then defaults to http ##publicAuthzResourceType=http ##Optional. If not specified then defaults to GET ##publicAuthzResourceOperation=GET rolesParam=OAM_GROUPS ##Optional. This attribute is responsible to check whether the credential in ##the subject / callback handler is an authn token. Defaults to authnToken. Integrating JBoss with Access Manager 58-13 Protecting Web Applications with the JBoss Agent authToken=authToken #################################### ##### OAM logout related properties ##### #################################### ##Host name of the OAM 11g Server ##oamHost=abchost.us.example.com ##Managed server port number of the OAM 11g Server ##oamPort=Port_value 2. Save oam_config.properties on the JBoss host: /agentconfig/oam_config.properties 3. Proceed to "Configuring the Authentication Valve". 58.6.2 Configuring the Authentication Valve Note: This procedure is not needed if you are Preparing Your Environment for JBoss 6.x Integration as the Valve is not currently supported at the Global level. This procedure must be performed to configure the Authentication Valve. There are two options. Choose the one that is best suited to your environment: ■ ■ Adding the Authentication Valve to context.xml: This global configuration causes the Authentication Valve to intercept all requests to the JBoss Agent. Adding the Authentication Valve to the Application's Deployment: Rather than adding the Authentication Valve to context.xml for global use, you can add a context.xml as part of the application's deployment. This configuration affects only the concerned application (the Authentication Valve intercepts requests coming only to this specific application). 58.6.2.1 Adding the Authentication Valve to context.xml 1. Locate and open for editing the JBoss Agent context.xml file in: JBoss_install_dir\server\default\deploy\jbossweb.sar\context.xml 2. Add the following Valve entry and save the file: 3. Proceed to "Mapping the Filter in the Application's web.xml File." 58.6.2.2 Adding the Authentication Valve to the Application's Deployment 1. Create a fresh context.xml file and store it under WEB-INF with web.xml: JBoss_install_dir\server\default\deploy\jbossweb.sar\context.xml 2. Add the following Valve entry: 58-14 Administrator's Guide for Oracle Access Management Protecting Web Applications with the JBoss Agent 3. Redeploy the application. 4. Proceed to "Mapping the Filter in the Application's web.xml File." 58.6.3 Mapping the Filter in the Application's web.xml File In this procedure, you add filter mapping for this integration to the application's web.xml. You also add the name of the filter's configuration properties file. 1. Locate the web.xml file in the application EAR file: my_app/WEB-INF/web.xml 2. Add the following filter mapping to the application's web.xml. For example: OAMFilterAgent oracle.security.am.agent.common.filter.OAMAuthenticationFilter configFile D:/oam_config.properties OAMFilterAgent /* 3. Save the file. 4. Proceed to "Configuring the JBoss Login Module to Use Access Manager Policies." 58.6.4 Configuring the JBoss Login Module to Use Access Manager Policies This procedure describes the required login module entry for JBoss to use Access Manager policies. After you add filter mapping to web.xml, you redeploy the application and start the JBoss Server. Starting JBoss Server using -b 0.0.0.0 allows the user to access the server by the host name rather than localhost / 127.0.0.1. Without this parameter, JBoss Server can be accessed using localhost / 127.0.0.1 as well as the host name. Note: 1. Locate and open the login-config.xml file: JBoss_install_dir\server\default\conf\login-config.xml 2. Add a new entry for the login module, as follows: tokenBased D:/agentconfig /Authen/Basic OAM_GROUPS /Authen/SSOToken The name of application-policy in this entry should have the same value as that defined for the realmname property in oam_config.properties. 3. Deploy the application. 4. Start JBoss as follows using the following command: JBoss_install_dir\bin\run –b 0.0.0.0 See "Configuring JBoss Server to Access a Host Name (not localhost)." 58.7 Configuring JBoss Server to Access a Host Name (not localhost) This procedure is optional. Perform this only to access the JBoss Server using the host name (rather than localhost/127.0.0.1). This procedure is not used when "Preparing Your Environment for JBoss 6.x Integration." Note: 1. On the JBoss Server host, locate the server.xml file in the following path: JBoss_install_dir\server\default\deploy\jbossweb.sar\server.xml 2. Edit server.xml to change the default host, as follows: From: To: 3. Save server.xml. Starting JBoss Server using -b 0.0.0.0 allows the user to access the server using host name rather than localhost / 127.0.0.1. Otherwise, JBoss Server can be accessed using localhost / 127.0.0.1 as well as host name. Note: 58.8 Configuring the Login Module to Secure EJBs This task involves both server-side and client-side configuration as documented in following sections. 58-16 Administrator's Guide for Oracle Access Management Configuring the Login Module to Secure EJBs ■ Configuring the Server to Secure EJBs ■ Configuring the Client Side for Login Module to Secure EJBs Note: These procedures are not used when Preparing Your Environment for JBoss 6.x Integration. 58.8.1 Configuring the Server to Secure EJBs On the server side, you must add the security domain annotation to the EJB and add descriptors to jboss.xml. You also add a new entry to the JBoss server configuration file for the Login Module. Securing EJBs, Web applications or a Web Service based on roles requires additional configuration in login-config.xml as follows: OAM_GROUPS Here OAM_GROUPS is the response configured when "Creating a Custom Policy for JBoss Resource Protection" on page 58-12. You can use either the agent configured in previous steps or a new agent. To use a new agent you must copy the ObAccessClient.xml from the /agent directory on the JBoss host to another directory. Note: 1. Copy ObAccessClient.xml as follows (one or the other): ■ ■ 2. From: $WLS_HOME/middleware/user_projects/domains/base_ domain/output/agent_name. To: A directory on the JBoss host. Add the @SecurityDomain("oamrealm") annotation to the EJB. For example, if the EJB class is DemoEJB the following should be added at the code level: import org.jboss.security.annotation.SecurityDomain; @SecurityDomain("oamrealm") public class DemoEJB{ ... } The application-policy defined as the value of @SecurityDomain (in this example, oamrealm) should have the same value as that defined for the realmname property in oam_config.properties. 3. Option: Add the following descriptor to the jboss.xml file to define the security domain. META-INF/jboss.xml java:/jaas/myother The application-policy name defined in this descriptor (myother) should have the same value as the realmname property defined in oam_config.properties. Integrating JBoss with Access Manager 58-17 Configuring the Login Module to Secure EJBs Note: The name associated with the security domain annotation should be specified in the Login Module to be used, as described in Step 4. See Also: Configuring the JBoss Login Module to Use Access Manager Policies on page 58-15. 4. JBoss Server Login Configuration: Add an entry for the Login Module class name, which must be part of the login mechanism: JBoss_install_dir\server\default\conf\login-config.xml tokenBased D:/agentconfig OAM_GROUPS /Authen/Basic /Authen/SSOToken Note: The name value in the application-policy element should match the realmname property value defined in oam_ config.properties. 5. Deploy the application. 6. Start JBoss using the following command: JBoss_install_dir\bin\run –b 0.0.0.0 See "Configuring JBoss Server to Access a Host Name (not localhost)." 58.8.2 Configuring the Client Side for Login Module to Secure EJBs This procedure describes how to create a client-login configuration file. 1. Copy ObAccessClient.xml as follows (one or the other): ■ ■ 2. New Agent: From $MW_HOME/middleware/user_projects/domains/base_ domain/output/agent_name to a folder on the Agent host. Existing Agent: From its location on the JBoss host to another directory on the Agent host. On the client host, create a client-login configuration text file as follows: oamauth { oracle.security.am.agent.common.jaas.login.OAMLoginModule required loginType="usernamePassword" configPath="D:/agentconfig" publicAuthzResourceName="/Authen/Basic" publicAuthzResourceName="/Authen/SSOToken"; 58-18 Administrator's Guide for Oracle Access Management Configuring the Login Module to Secure Web Service Access }; 3. Add the following to your entry to configure the login module to propagate identity to the EJB Container: propagate { org.jboss.security.ClientLoginModule required restore-login-identity="true"; }; 4. Save the file. Perform Step 5 while invoking EJBs from a Rich Client to ensure that Access Manager performs authentication (using the Pure Java ASDK) and then propagates the credentials to the EJB Application Server. Note: 5. Rich Client: Add the following to the client code before invoking the EJB from the Client side: System.setProperty("java.security.auth.login.config", authFile); MyCallbackHandler handler = new MyCallbackHandler(,); LoginContext lc = new LoginContext("oamauth", handler); lc.login(); //Fetch the private credentials of type String.class Set set = lc.getSubject().getPrivateCredentials(String.class); //Set the SSO Token in callback handler along with the username handler = new MyCallbackHandler(, set.iterator().next()); LoginContext lc2 = new LoginContext("propagate", handler); lc2.login(); 58.9 Configuring the Login Module to Secure Web Service Access The Web Service Provider may provide for one of the various mechanisms to intercept and handle the incoming web service SOAP message in order to enforce security on the web service invocation. This task involves both the server-side and client-side configuration as documented in the following sections. ■ Configuring the Server to Secure Web Services Access ■ Configuring the Client to Secure Web Services Access 58.9.1 Configuring the Server to Secure Web Services Access Configuring the Server to Secure Web Services Access involves copying Agent registration artifacts, and adding the Access Manager JAAS-compliant Login Module for Web Service security to the JBoss Server login-configuration file. You can use either the agent configured in previous steps or a new agent. To use a new agent you must copy the ObAccessClient.xml from the /agent directory on the JBoss host, to another directory on this host. Note: Integrating JBoss with Access Manager 58-19 Configuring the Login Module to Secure Web Service Access No specific details are provided for configuring or deploying a Web Service because any of several frameworks can be used to create a Web Service. The provider of the Web Services deployed on the JBoss Container should adhere to the following guidelines in general: ■ ■ ■ Include functionality to look for specific headers injected by the client order to retrieve the OAM SSO token. Use the OAM JAAS Login Module to validate the OAM SSO token If any EJB Session Beans are exposed as Web Services, the JBoss-specific JAAS Login Module ClientLoginModule must be used to propagate the OAM token to the EJB container. Use the following procedure to configure the server to secure Web Services access. 1. Copy ObAccessClient.xml as follows (one or the other): ■ ■ 2. Existing Agent: From its location on the JBoss host to another directory on the Agent host. New Agent: From $MW_HOME/middleware/user_projects/domains/base_ domain/output/agent_name to another directory on the Agent host. Register the SOAP Handler with the Web Service (ideally using the .wsdd file). The .wsdd file is generated when the WS stubs are created (and is located inside the application's WEB-INF folder). 3. Edit the JBoss Server login-configuration file to add an entry for the Access Manager JAAS-compliant Login Module for Web Service security, as follows: JBoss_install_dir\server\default\conf\login-config.xml tokenBased D:/agentconfig OAM_GROUPS /Authen/Basic /Authen/SSOToken 4. Save the JBoss Server login configuration file. 5. Deploy the application. 6. Start JBoss using the following command: JBoss_install_dir\bin\run –b 0.0.0.0 See "Configuring JBoss Server to Access a Host Name (not localhost)." 7. Proceed to "Configuring the Client to Secure Web Services Access." 58-20 Administrator's Guide for Oracle Access Management Validating Your Configuration 58.9.2 Configuring the Client to Secure Web Services Access In this task, you configure user authentication with the OAM Server and then create a security header element, containing the SSO token, for the SOAP message. Ideally, this step is performed before invoking a Web Service method, which means that this code must be added in the client code while invoking the Web Service. Note: 1. On the WS-client: Perform user authentication with OAM Server and then create a security header element, containing the SSO token, for the SOAP message. 2. Invoke the Web service, as usual. 3. Proceed with "Configuring Logging for the JBoss Agent and Login Module". 58.10 Configuring Logging for the JBoss Agent and Login Module The JBoss Agent and the Login Module are both equipped with logging messages at various log levels. To log these messages, you must edit the jboss-log4j.xml file as described in this procedure. 1. Locate the jobss-log4j.xml file in the following path: $JBOSS_HOME/server/default/conf/jboss-log4j.xml 2. Open the file in an editor and add the following information: ... 3. Save the file. 58.11 Validating Your Configuration There is no specific mechanism to validate your configuration. However, you can manually determine whether the configuration is correctly functioning by doing the following and recognizing the response. 1. Authorized User: Invoke the Web Service manually by providing the SSO token generated for the user who is authorized to invoke the Web Service. Integrating JBoss with Access Manager 58-21 Validating Your Configuration ■ Success: The authorized user is granted access. ■ Failure: The authorized user is denied access. ■ 2. Error: The configuration is incorrect. Review the OAM Server logs for the entries generated by the Login Module. Unauthorized User: Invoke the Web Service manually and provide the SSO token for a non-authorized user. ■ Success: The unauthorized user is denied access. ■ Failure: The unauthorized user is granted access. ■ Error: If any error occurs, the configuration is incorrect. Review the OAM Server logs for the entries generated by the Login Module. 58-22 Administrator's Guide for Oracle Access Management 59 Integrating Microsoft SharePoint Server with Access Manager 59 This chapter explains how to integrate Access Manager with a 10g WebGate and Microsoft SharePoint Server. It covers the following topics: ■ What is Supported in This Release? ■ Introduction to Integrating With the SharePoint Server ■ Integration Requirements ■ Preparing for Integration With SharePoint Server ■ Integrating With Microsoft SharePoint Server ■ Setting Up Microsoft Windows Impersonation ■ Completing the SharePoint Server Integration ■ Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider ■ Configuring Single Sign-On for Office Documents ■ Configuring Single Sign-off for Microsoft SharePoint Server ■ Setting Up Access Manager and Windows Native Authentication ■ Synchronizing User Profiles Between Directories ■ Testing Your Integration ■ Troubleshooting Access Manager with a 10g WebGate supports both Microsoft SharePoint Server 2010 and Microsoft SharePoint Server 2013. Other versions of Microsoft SharePoint Server are not supported in this release. Note: Unless explicitly stated, all details in this chapter apply equally to Access Manager integration with Microsoft SharePoint Server using the OAM impersonation plug-in, and Microsoft SharePoint Server configured with the LDAP Membership Provider. 59.1 What is Supported in This Release? Support for integration between Access Manager and SharePoint enables the following functionality: Integrating Microsoft SharePoint Server with Access Manager 59-1 Introduction to Integrating With the SharePoint Server ■ ■ ■ ■ When a user accesses SharePoint before SSO login with Access Manager, the user is prompted for Access Manager SSO login credentials. When a user with a valid Access Manager login session wants to access SharePoint documents, he must be established with SharePoint (logged in and authenticated with SharePoint). Once the Access Manager session is established, it is also respected by SharePoint for integration with Access Manager and SharePoint using LDAP Membership Provider, OAM WNA, and impersonation. Based on authentication status, SharePoint either allows or denies access to documents stored in SharePoint. When a user opens an Office document from SharePoint using a browser, the SSO session should persist into the MS Office program so that access to the document through the MS Office program is maintained. See "Configuring Single Sign-On for Office Documents" on page 59-32. Full feature parity with SharePoint integration with Access Manager 10g is provided to ease upgrades. 11g WebGates are not supported on the IIS Web server. Only the WebGate 10g WebGate for IIS can be used for this integration. Note: 59.2 Introduction to Integrating With the SharePoint Server SharePoint Server is a Microsoft-proprietary secure and scalable enterprise portal server that builds on Windows Server Microsoft Internet Information Services (IIS) and Windows SharePoint Services (WSS). SharePoint Server is typically associated with Web content and document management systems. SharePoint Server works with Microsoft IIS web server to produce sites intended for collaboration, file sharing, web databases, social networking and web publishing. In addition to WSS functionality, SharePoint Server incorporates additional features such as News and Topics as well as personal and public views for My Site, and so on. Microsoft SharePoint Server enhances control over content, business processes, and information sharing. Microsoft SharePoint Server provides centralized access and control over documents, files, Web content, and e-mail, and enables users to submit files to portals for collaborative work. SharePoint server farms can host web sites, portals, intranets, extranets, Internet sites, web content management systems, search engine, wikis, blogs, social networking, business intelligence, workflow as well as providing a framework for web application development. When integrated with Microsoft SharePoint Server, Access Manager handles user authentication through an ISAPI filter and an ISAPI Module. This enables single sign-on between Access Manager and SharePoint Server. SharePoint Server supports the following authentication methods: ■ Form Based Authentication ■ Impersonation Based Authentication ■ Windows Authentication: Used only for the configuration where the information about the users is stored in Active Directory server The integrations in this chapter provide single sign-on to Microsoft SharePoint Server resources and all other Access Manager protected resources. For more information, see: 59-2 Administrator's Guide for Oracle Access Management Introduction to Integrating With the SharePoint Server ■ About Windows Impersonation ■ About Form Based Authentication With This Integration ■ ■ About Authentication With Windows Impersonation and SharePoint Server Integration About Access Manager and Windows Native Authentication 59.2.1 About Windows Impersonation Unless explicitly stated, the integrations described in this chapter rely on Windows impersonation. Windows impersonation enables a trusted user in the Windows server domain to assume the identity of any user requesting a target resource in Microsoft SharePoint Server. This trusted impersonator maintains the identity context of the user while accessing the resource on behalf of the user. Impersonation is transparent to the user. Access appears to take place as if the SharePoint resource were a resource within the Access System domain. Windows impersonation is not used when integrating Microsoft SharePoint Server configured with the LDAP Membership Provider. Note: 59.2.2 About Form Based Authentication With This Integration You can integrate Access Manager with SharePoint Server using any of the three authentication methods. Given common use of LDAP servers (Sun Directory Server and Active Directory for instance), your integration can include any LDAP server. Form-based authentication in SharePoint Server is claims-aware. When a user enters credentials on the Forms login page of SharePoint Relying Party (RP), these are passed to the SharePoint Security Token Service (STS). SharePoint STS authenticates the users against its membership provider and generates the SAML token, which is passed to SharePoint RP. SharePoint RP validates the SAML token and generates the FedAuth cookie. The user is then allowed to access the SharePoint RP site. With form-based authentication, the WebGate is configured as an ISAPI filter. The form login page of SharePoint RP is customized such that the user is not challenged to enter the credentials by the SharePoint RP. Also, the membership provider is customized such that it just validates the ObSSOCookie set by the WebGate to authenticate the user. The WebGate only supports Form Based Authentication using the HTTP validation method (OAMHttp validation mode). The ASDK validation method (OAMsdk validation mode) is not supported for Form Based Authentication. Note: The following overview outlines the authentication flow for this integration using form-based authentication. Process overview: Request processing with form-based authentication 1. The user requests access to an SharePoint Server RP site. Integrating Microsoft SharePoint Server with Access Manager 59-3 Introduction to Integrating With the SharePoint Server 2. The WebGate protecting the site intercepts the request, determines if the resource is protected, and challenges the user. 3. The user enters their OAM credentials. Next the OAM WebGate server verifies the credentials from LDAP and authenticates the user. The WebGate generates the OAM native SSO cookie (ObSSOCookie), which enables single sign-on and sets the User ID header variable (to the user name) in the HTTP request and redirects the user to the SharePoint RP site. 4. The SharePoint RP custom login page is invoked, which sets the user name to the user ID passed in the header variable, and sets the password to the ObSSOCookie value. The login page also automatically submits these credentials to the SharePoint RP site. 5. The SharePoint RP site passes the credentials to SharePoint STS, which invokes the custom membership provider to validate the user credentials. 6. The custom membership provider gets the ObSSOCookie value (passed as a password) and sends it as part of the HTTP request to a resource protected by the WebGate to validate the ObSSOCookie. 7. If the ObSSOCookie is valid, SharePoint STS generates the SAML token and passes it to SharePoint RP. 8. SharePoint RP validates the SAML token and generates the FedAuth cookie. The user is then allowed to access the SharePoint RP site. 59.2.3 About Authentication With Windows Impersonation and SharePoint Server Integration As described earlier, Windows impersonation enables a trusted user in the Windows server domain to assume the identity of any user requesting a target resource in SharePoint Portal Server. This trusted impersonator maintains the identity context of the user while accessing the resource on behalf of the user. Impersonation is transparent to the user. Access appears to take place as if the SharePoint resource were a resource within the OAM Server domain. Windows based integration with SharePoint Server 2010 and 2013 is the same as the supported integration with SharePoint 2007. With the SharePoint 2007 integration, the Access Manager ISAPI extension (IISImpersonationExtension.dll) was used. Because the internal architecture of event handing changed with SharePoint 2010, Access Manager has changed the ISAPI extension to an HTTP module. Note: The next overview identifies the authentication processing flow with SharePoint Server and Windows impersonation enabled. Process overview: Integration Authentication with Windows Impersonation 1. The user requests access to a SharePoint Portal Server resource. 2. The WebGate ISAPI filter protecting SharePoint Portal Server intercepts the request, determines whether the target resource is protected, and if it is, challenges the user for authentication credentials. 3. If the user supplies credentials and the OAM Server validates them, the WebGate sets an ObSSOCookie in the user's browser, which enables single sign-on. The 59-4 Administrator's Guide for Oracle Access Management Introduction to Integrating With the SharePoint Server WebGate also sets an HTTP header variable named "impersonate," whose value is set to one of the following: ■ the authenticated user's LDAP uid ■ samaccountname, if the user account exists in Active Directory 4. The Access Manager HTTP module IISImpersonationModule.dll checks for the Authorization Success Action header variable named impersonate. 5. When the header variable exists, the Oracle ISAPI module obtains a Kerberos ticket for the user. This Service for User to Self (S4U2Self) impersonation token enables the designated trusted user to assume the identity of the requesting user and obtain access to the target resource through IIS and the SharePoint Portal Server. 59.2.4 About Access Manager and Windows Native Authentication Access Manager provides support for Windows Native Authentication (WNA). Your environment may include: ■ Windows 2008/R2 or 2012/R2 server ■ Internet Information services (IIS) 7.x or 8.x ■ Active Directory If the user's directory server has, for example, an NT Logon ID, or if the user name is the same everywhere, then a user is able to authenticate into any directory server. The most common authentication mechanism on Windows Server 2008 is Kerberos. The use of WNA by Access Manager is seamless. The user does not notice any difference between a typical authentication and WNA when they log on to their desktop, open an Internet Explorer (IE) browser, request a protected web resource, and complete single sign-on. Process overview: Using WNA for authentication 1. The user logs in to the desktop computer, and local authentication is completed using the Windows Domain Administrator authentication scheme. 2. The user opens an Internet Explorer (IE) browser and requests an Access System-protected Web resource. 3. The browser notes the local authentication and sends a Kerberos token to the IIS Web server. Ensure that Internet Explorer’s security settings for the Internet and (or) intranet security zones are adjusted properly to allow automatic logon. Note: 4. The WebGate installed on the IIS Web server sends the Kerberos token to the OAM 11g sever. The OAM 11g Server negotiates the Kerberos token with the KDC (Key distribution center). 5. Access Manager sends authentication success information to the WebGate. 6. The WebGate creates an ObSSOCookie and sends it back to the browser. 7. Access Manager authorization and other processes proceed as usual. Integrating Microsoft SharePoint Server with Access Manager 59-5 Integration Requirements The maximum session time-out period configured for the WebGate is applicable to the generated ObSSOCookie. 59.3 Integration Requirements Unless explicitly stated, this section introduces components required for integrations described in this chapter. It includes the following topics: ■ Confirming Requirements ■ Required Access Manager Components ■ Required Microsoft Components 59.3.1 Confirming Requirements References to specific versions and platforms are for demonstration purposes. For the latest Access Manager certification information, see the certification matrix on Oracle Technology Network at: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-10 0350.html 59.3.2 Required Access Manager Components Access Manager provides access and security functions, including Web-based single sign-on, policy management, reporting, and auditing. When integrated with Microsoft SharePoint Server, Access Manager handles user authentication through an ISAPI filter and an ISAPI Module, which enables single sign-on between the two products. The components in Table 59–1 are required to integrate with Microsoft SharePoint Server (or Microsoft SharePoint Server configured with LDAP Membership Provider.) Table 59–1 Component Requirements Component 10g WebGate Description The ISAPI version 10g WebGate must reside on the same computer as the SharePoint Server. Within the context of this integration, this WebGate is an ISAPI filter that intercepts HTTP requests for Web resources and forwards them to the OAM Server to authenticate the user who made the request. If authentication is successful, the WebGate creates an ObSSOCookie and sends it to the user's browser, thus facilitating single sign-on. The WebGate also sets impersonate as a HeaderVar action for this user session. For LDAP Membership Provider Scenario: See "Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider" on page 59-23. IISImpersonationModule.dll This IIS-native module is installed with the WebGate. The IISImpersonationModule.dll module determines whether the Authorization Success Action HeaderVar has been set to impersonate and, if it has, the DLL file creates a Kerberos S4U2Self ticket that enables the special trusted user in the SharePoint Server Active Directory to impersonate the user who originally made the request. After a WebGate installation, you must configure IISImpersonationModule.dll manually to enable impersonation and this integration. For LDAP Membership Provider Scenario: Do not configure IISImpersonationModule.dll. 59-6 Administrator's Guide for Oracle Access Management Integration Requirements Table 59–1 (Cont.) Component Requirements Component Description Directory Server Access Manager can be connected to any supported directory server including, but not limited to, LDAP and Active Directory. Access Manager can even connect to the same instance of Active Directory used by SharePoint Server. In any case, the directory is not required on the same machine as SharePoint Server and the protecting WebGate. OAM Server The integration also requires installation of the OAM Server with which the WebGate protecting your SharePoint Server installation is configured to inter-operate. Except for the WebGate protecting SharePoint Server, your components do not need to reside on the machine hosting SharePoint Server. See Also: "Preparing for Integration With SharePoint Server" on page 59-8. 59.3.3 Required Microsoft Components Minimum requirements dictate a 64-bit, four cores processor. However, references to specific versions and platforms are for demonstration purposes. For the latest Access Manager certification information, see the following Microsoft library location for Microsoft SharePoint Server: https://technet.microsoft.com/en-us/library/cc262485.aspx The SharePoint multi-purpose platform allows for managing and provisioning of intranet portals, extranets, and Web sites; document management and file management; collaboration spaces; social networking tools; enterprise search and intelligence tooling; process and information integration; and third-party developed solutions. Minimum requirements dictate a 64-bit, four cores processor. However, references to specific versions and platforms are for demonstration purposes. For the latest Access Manager certification information, see Oracle Technology Network at: Note: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-c ertification-100350.html Table 59–2 describes the other components required for this integration. See Also: The following library location for Microsoft SharePoint Server and access to applicable software: http://technet.microsoft.com/en-us/library/cc262485.aspx Table 59–2 Microsoft Requirements for this Integration Component Description Custom Login Page for SharePoint site When the user tries to access a SharePoint site configured to use Form Based Authentication, the user is redirected to a login page where the user enters his or her credentials (user name and password). The custom login page passes the credentials to the SharePoint site. Integrating Microsoft SharePoint Server with Access Manager 59-7 Preparing for Integration With SharePoint Server Table 59–2 (Cont.) Microsoft Requirements for this Integration Component Description SharePoint site You create the SharePoint site using the SharePoint Central Administration application. The site is configured to use Form Based Authentication as the authentication method by following the steps mentioned in http://technet.microsoft.com/en-us/library/ee806890.aspx. The SharePoint site passes the user credentials to the SharePoint STS that generates SAML token upon successful ObSSOCookie validation by the custom membership provider. The SharePoint site also generates FedAuth cookie upon receiving the SAML token from SharePoint STS. The SharePoint site passes the FedAuth cookie to the user so that he/she can access the SharePoint site. SharePoint Security Token Service The SharePoint site passes the user credentials (user name and (STS) password) to SharePoint STS, which invokes the custom membership provider and passes the credentials to it. Once the custom membership provider validates the ObSSOCookie passed to it, the SharePoint STS generates the SAML token for the user that is passed to the SharePoint Relying Party (RP). Custom Membership Provider for SharePoint STS The SharePoint STS invokes the membership provider (configured with Form Based Authentication). STS passes the user credentials and the URL for the IIS resource (configured in web.config on the SharePoint site) to the custom membership provider for cookie validation. The membership provider is customized such that it returns success if the ObSSOCookie value passed to it is valid. The custom membership provider library (OAMCustomMembershipProvider.dll) is packaged and installed with the 10g WebGate for IIS Web server. You must deploy the library in the global assembly cache of the SharePoint Server host. The CustomMembershipProvider class is derived from LdapMembershipProvider class present in the Microsoft.Office.Server.Security namespace. IIS resource for Cookie validation Configure the URL for the IIS resource in the SharePoint site’s web.config file. For the HTTP validation method, the WebGate intercepts the request sent by the custom membership provider, extracts the ObSSOCookie from the request, and validates it. If the cookie is valid, then the request is redirected to the IIS resource, which returns the response with a 200 (OK) status code to the custom membership provider. Otherwise, a 403 (Forbidden) error code is returned to the custom membership provider. 59.4 Preparing for Integration With SharePoint Server Tasks in the following procedure are required for all integration scenarios described in this chapter. After installing and testing Microsoft components, perform steps here to install Access Manager for your integration. This task applies to both integration scenarios in this chapter. To avoid repetition, information here is not repeated elsewhere. The ISAPI 10g WebGate must be installed on the same computer as the SharePoint Server. Other components in this integration can reside on the same host as the WebGate or any other computer in your deployment (Solaris, Linux, or Windows platforms). A different host can be set up for Active Directory or some other directory service. If both Access Manager and SharePoint Server are set up for different instances of Active Directory, both instances must belong to the same Active Directory domain. 59-8 Administrator's Guide for Oracle Access Management Preparing for Integration With SharePoint Server Prerequisites Install and test Microsoft components described in "Required Microsoft Components" on page 59-7. To prepare for integration with SharePoint Server 1. Install Oracle Identity Management and Access Manager as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management. 2. Register a 10g WebGate for IIS Web server with Access Manager: a. Log in to the Oracle Access Management Console. For example: http://host:port/oamconsole. b. Click Application Security at the top of the window. c. In the Launch Pad tab, click SSO Agent Registration in the Quick Start Wizards section. d. Select WebGate as the agent type and click Next. e. Set the agent version to 10g and enter required details (those with an *): Name SharePoint user name and password Security mode (Agent host must match OAM Server) Auto Create Policies (Checked) Note: 3. Do not specify a Base URL. f. Protected Resource List: In this table, enter individual resource URLs to be protected by this OAM Agent. g. Public Resource List: In this table, enter individual resource URLs to be public (not protected). h. Click Apply to submit the registration, check the Confirmation window for the location of generated artifacts, then close the window. Proceed as follows: ■ ■ Install a fresh WebGate: Continue with steps 6, 7, and 8. Existing WebGate on SharePoint Host: Skip to "Integrating With Microsoft SharePoint Server" on page 59-10. Only 64-bit ISAPI WebGates are supported as described in "Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider" on page 59-23. Note: 4. Locate and download the 64-bit ISAPI WebGate installer as follows: a. Go to Oracle Fusion Middleware 11gR1 Software Downloads at: https://www.oracle.com/technology/software/products/middleware/htdocs/fmw_ 11_download.html b. Click Accept License Agreement, at the top of the page. c. From the Access Manager Webgates (10.1.4.3.0) row, click the download link for the desired platform and follow on-screen instructions. Integrating Microsoft SharePoint Server with Access Manager 59-9 Integrating With Microsoft SharePoint Server d. 5. Store the WebGate installer in the same directory as any 10g (10.1.4.3) Access System Language Packs you want to install. Launch the WebGate installer for your platform, installation mode, and Web server. Follow these steps: 6. a. Follow on-screen prompts. b. Provide Administrator credentials for the Web server. c. Language Pack—Choose a Default Locale and any other Locales to install, then click Next. d. WebGate installation begins (IISImpersonationModule.dll will be installed in WebGate_install_dir\access\Oblix\apps\Webgate\bin\). Before updating the Web server configuration, copy WebGate artifacts from the Admin Server to the computer hosting the WebGate. a. On the computer hosting the Oracle Access Management Console (AdminServer), locate and copy ObAccessClient.xml (and any certificate artifacts): $DOMAIN_HOME/output/$Agent_Name/ ObAccessClient.xml password.xml (if needed) aaa_key.pem (your private key generated by openSSL) aaa_cert.pem (signed certificates in PEM format) b. On the OAM Agent host, add the artifacts to the WebGate path. For example: WebGate_install_dir/access/oblix/lib/ObAccessClient.xml WebGate_install_dir/access/oblix/config 7. c. Restart the WebGate Web server. d. (Optional.) Restart the OAM Server that is hosting this Agent. This step is recommended but not required. Proceed as needed to complete this integration within your environment: ■ ■ Integrating With Microsoft SharePoint Server Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider 59.5 Integrating With Microsoft SharePoint Server The following overview outlines the tasks that you must perform for this integration and the topics where you will find the steps and details. The custom membership provider library (OAMCustomMembershipProvider.dll) is packaged and installed with the 10g WebGate for IIS Web Server. You must deploy the library in the global assembly cache of the computer hosting SharePoint Server as outlined next. Task overview: Integrating with Microsoft SharePoint Server includes 1. Performing prerequisite tasks: ■ Installing "Required Microsoft Components" on page 59-7. 59-10 Administrator's Guide for Oracle Access Management Integrating With Microsoft SharePoint Server ■ 2. "Preparing for Integration With SharePoint Server" on page 59-8 Creating a new Web application (or site application) in SharePoint Server is described in following topics: ■ ■ "Creating a New Web Application in Microsoft SharePoint Server" on page 59-11 Creating a New Site Collection for Microsoft SharePoint Server on page 59-13 3. "Setting Up Microsoft Windows Impersonation" on page 59-14 (not used with LDAP Membership Provider). 4. "Completing the SharePoint Server Integration" on page 59-22. 5. "Configuring Single Sign-off for Microsoft SharePoint Server" on page 59-33. 6. "Synchronizing User Profiles Between Directories" on page 59-37. 7. "Testing Your Integration" on page 59-37. 59.5.1 Creating a New Web Application in Microsoft SharePoint Server You perform this task when integrating with Microsoft SharePoint Server, with or without LDAP Membership Provider. Prerequisites Installing Microsoft components. See "Required Microsoft Components" on page 59-7. To create a new Web application in Microsoft SharePoint Server 1. On the host where SharePoint Server is installed, open the Central Administration home page: Start, All Programs, SharePoint Products, SharePoint, Central Administration. 2. From the Central Administration home page, click Application Management. 3. From the Application Management page, Web Applications section, click Manage Web Applications. 4. In the top-left corner, click the New button to create a new web application. 5. Configure the items in Table 59–3 on the Create New Web Application page: Table 59–3 Create Web Application Options for Microsoft SharePoint Server Section What You Configure in This Section Authentication In this section you select either Claim Based Authentication or Classic Mode Authentication, as appropriate. Integrating Microsoft SharePoint Server with Access Manager 59-11 Integrating With Microsoft SharePoint Server Table 59–3 (Cont.) Create Web Application Options for Microsoft SharePoint Server Section What You Configure in This Section IIS Web Site In this section you configure the following settings for your new Web application, as follows: ■ To choose an existing Web site, click Use an Existing Web Site... ■ To create a new site, click Create. ■ In the Port field, enter the port number you want to use to access the Web application. For a new Web site, this field contains a default port number. For an exiting site, this field contains the currently configured port number. ■ ■ In the optional Host Header field, enter the URL for accessing the Web application. In the Path field, enter the path to the directory that contains the site on the server. For a new Web site, this field contains a default path. For an exiting site, this field contains the current path. Security Configuration In this section you configure authentication and encryption for your Web application, as follows: ■ ■ In the Authentication Provider section, select Negotiate(Kerberos) or NTLM, as appropriate. In the Allow Anonymous section, choose Yes or No. A value of Yes allows anonymous access to the Web site by using a computer-specific anonymous access account. The account name is IUSR_computername. ■ In the Secure Sockets Layer (SSL) section, choose Yes or No. If you choose to enable SSL for the Web site, you must configure SSL by requesting and installing a certificate. Public URL Enter the URL for the domain name for all sites that users will access in this Web application. This URL domain will be used in all links shown on pages in the Web application. By default, the box is populated with the current server name and port. The Zone field is automatically set to Default for a new Web application and cannot be changed from this page. Application Pool In the Application Pool section, choose whether to use an existing application pool or create a new application pool for this Web application, as follows: ■ ■ To use an existing application pool, select Use Existing Application Pool, then select the application pool you wish to use from the drop-down menu. To create a new application pool, select Create a New Application Pool, and in the Application Pool Name field, type the name of the new application pool, or keep the default name. In the section Select a Security Account for This Application Pool, select Predefined to use an existing application pool security account, then select the security account from the drop-down menu. To use a security account that is not currently being used for an existing application pool, select Configurable, enter the user name of the account you want to use in the User Name field, and enter the password for the account in the Password field. 59-12 Administrator's Guide for Oracle Access Management Integrating With Microsoft SharePoint Server Table 59–3 (Cont.) Create Web Application Options for Microsoft SharePoint Server Section What You Configure in This Section Database Name and Authentication In this section, choose the database server, database name, and authentication method for your new Web application. In the Database Name field, enter the name of the database or use the default entry. In the Database Authentication field, choose whether to use Windows authentication (recommended) or SQL authentication, as follows: ■ ■ If you want to use Windows authentication, leave this option selected. If you want to use SQL authentication, select SQL authentication. In the Account field, type the name of the account that you want the Web application to use to authenticate to the SQL Server database, then type the password in the Password field. Failover Server You can optionally choose to specify a fail-over database server to configure a Fail-over Server. Service Application Connections You can use the default value or choose custom value and optionally select the services you want your web application to connect to. 6. Click OK to create the new Web application, or click Cancel to cancel the process and return to the Application Management page. 7. Proceed with "Creating a New Site Collection for Microsoft SharePoint Server". 59.5.2 Creating a New Site Collection for Microsoft SharePoint Server You perform this task when integrating with Microsoft SharePoint Server, with or without LDAP Membership Provider. To create a new site collection for Microsoft SharePoint Server 1. From the Application Management page, Site Collection section, click Create Site Collections. 2. On the Create Site Collection page, in the Web Application section, either select a Web application to host the site collection (from the Web Application drop-down list), or create a new Web application to host the site collection, as follows: Table 59–4 Create a Web Application to Host a Site Collection for SharePoint Server Section What You Configure in This Section Quota Template You can decide to use predefined quota template to limit resources used for this site collection or use "No quota" as appropriate. Title and Description Enter a title and description for the site collection Web Site Address Select a URL type, and specify a URL for the site collection. Template Select a template from the tabbed template control. Primary Site Collection Administrator Enter the user account name for the user you want to be the primary Administrator for the site collection. You can also browse for the user account by clicking the book icon to the right of the text box. You can verify the user account by clicking the check names icon to the right of the text box. Integrating Microsoft SharePoint Server with Access Manager 59-13 Setting Up Microsoft Windows Impersonation Table 59–4 (Cont.) Create a Web Application to Host a Site Collection for SharePoint Section What You Configure in This Section Secondary Site Collection Administrator (optional) Enter the user account for the user that you want to be the secondary Administrator for the site collection. You can also browse for the user account by clicking the book icon to the right of the text box. You can verify the user account by clicking the Check Names icon to the right of the text box. 3. Refer to the following topics as you finish this integration: ■ "Setting Up Microsoft Windows Impersonation" on page 59-14 ■ "Completing the SharePoint Server Integration" on page 59-22 ■ "Configuring Single Sign-off for Microsoft SharePoint Server" on page 59-33 ■ "Synchronizing User Profiles Between Directories" on page 59-37 ■ "Testing Your Integration" on page 59-37 See Also: "Task overview: Integrating with Microsoft SharePoint Server Configured with LDAP Membership Provider" on page 59-24 59.6 Setting Up Microsoft Windows Impersonation If you want to use a directory server other than Active Directory, use LDAP Membership provider. The OAMCustomMembership provider leverages the functionality of LDAP Membership provider. This section describes how to set up impersonation, whether for SharePoint Server integration or for use by some other application. Skip this section if you are integrating Microsoft SharePoint Server configured with LDAP Membership Provider. Windows impersonation is not used with the LDAP Membership Provider. Note: Task overview: Setting up impersonation 1. Create a trusted user account for only impersonation in the Active Directory connected to SharePoint Server, as described in "Creating Trusted User Accounts" on page 59-15. 2. Give the trusted user the special right to act as part of the operating system, as described in "Assigning Rights to the Trusted User" on page 59-15. 3. Bind the trusted user to the WebGate by supplying the authentication credentials for the trusted user, as described in "Binding the Trusted User to Your WebGate" on page 59-16. 4. Add a header variable named IMPERSONATE to the Authorization Success Action in the Application Domain for impersonation, as described in "Adding an Impersonation Response to an Authorization Policy" on page 59-17. 5. Configure IIS by adding the IISImpersonationModule.dll to your IIS configuration, as described in "Adding an Impersonation DLL to IIS" on page 59-18. 6. Test impersonation, as described in "Testing Impersonation" on page 59-20. 59-14 Administrator's Guide for Oracle Access Management Setting Up Microsoft Windows Impersonation 59.6.1 Creating Trusted User Accounts This special user should not be used for anything other than impersonation. The example in the following procedure uses Impersonator as the New Object - User. Your environment will be different. To create a trusted user account 1. Perform the following steps on the computer hosting your SharePoint Server installation: ■ Windows 2008: Select Start, Programs, Administrative tools, Active Directory Users and Computers. 2. In the Active Directory Users and Computers window, right-click Users on the tree in the left pane, then select New, User. 3. In the First name field of the pane entitled New Object - User, enter an easy-to-remember name such as Impersonator. 4. Copy this same string to the User logon name field, then click Next. 5. In succeeding panels, you will be asked to choose a password and then retype it to confirm. Oracle recommends that you chose a very complex password, because your trusted user is being given very powerful permissions. Also, be sure to check the box marked Password Never Expires. Since the impersonation module should be the only entity that ever sees the trusted user account, it would be very difficult for an outside agency to discover that the password has expired. Note: Figure 59–1 Setting up a Trusted User Account for Windows Impersonation 59.6.2 Assigning Rights to the Trusted User You need to give the trusted user the right to act as part of the operating system. To give appropriate rights to the trusted user 1. Perform steps for your environment: Integrating Microsoft SharePoint Server with Access Manager 59-15 Setting Up Microsoft Windows Impersonation ■ Windows 2008: Select Start, Programs, Administrative tools, Local Security Policy. 2. On the tree in the left pane, click the plus icon (+) next to Local Policies. 3. Click User Rights Assignment on the tree in the left pane. 4. Double-click Act as part of the operating system in the right pane. 5. Click Add User or Group. 6. In the Add User or Group panel, type the User logon name of the trusted user (SPPSImpersonator in our example) in the User and group names text entry box, then click OK to register the change. Figure 59–2 Configuring Rights for the Trusted User in Windows Impersonation 59.6.3 Binding the Trusted User to Your WebGate You need to bind the trusted user to the 10g WebGate that communicates with Access Manager by supplying the authentication credentials for the trusted user, as follows. The following procedure presumes that you have not yet registered a 10g WebGate with Access Manager. Values in the following procedure are provided as an example only. Your environment will be different. To bind your trusted user to your WebGate 1. Go to the Oracle Access Management Console. For example: http://hostname:port/oamconsole where hostname is the fully-qualified DNS name of the computer hosting the Oracle Access Management Console; port is the listening port configured for the OAM Server; oamconsole leads to the Oracle Access Management Console. 2. Click Application Security at the top of the window. 3. In the Launch Pad tab, click SSO Agent Registration in the Quick Start Wizards section. 4. Select WebGate as the agent type and click Next.. 59-16 Administrator's Guide for Oracle Access Management Setting Up Microsoft Windows Impersonation 5. Set the version to 10g and enter required details (those with an *) to register this WebGate. 6. Protected Resource List: In this table, enter individual resource URLs to be protected by this OAM Agent, as shown in Table 14–9. 7. Public Resource List: In this table, enter individual resource URLs to be public (not protected), as shown in Table 14–9. 8. Auto Create Policies: Check to create fresh policies (or clear and use the same host identifier as another WebGate to share policies (Table 14–9)). 9. Click Apply to submit the registration. 10. Check the Confirmation window for the location of generated artifacts, then close the window. 11. In the navigation tree, open the Agent page. 12. SharePoint Requirements: Enter trusted user credentials in the Sharepoint Impersonator fields and click Apply. 13. Copy the artifacts as follows (or install the WebGate and then copy these artifacts): a. On the Oracle Access Management Console host, locate the updated OAM Agent ObAccessClient.xml configuration file (and any certificate artifacts). For example: $DOMAIN_HOME/output/$Agent_Name/ObAccessClient.xml b. On the computer hosting the agent, copy the artifacts. For example 10g WebGate/AccessClient: $WebGate_install_dir/oblix/lib/ ObAccessClient.xml c. Proceed to "Adding an Impersonation Response to an Authorization Policy". 59.6.4 Adding an Impersonation Response to an Authorization Policy An Application Domain and basic policies to protect your SharePoint resources was created when you registered the WebGate with Access Manager. Now you must add an Authorization Success Action (Response) with a return type of Header, set the name to IMPERSONATE, with the Response value of $user.userid: "samaccountname" for a single-domain Active Directory installation or "userPrincipalName" for a multi-domain Active Directory forest. To add an impersonation response to your Authorization Policy 1. Click Application Security at the top of the Console window. 2. In the Launch Pad tab, click Application Domains in the Access Manager section. 3. Search for the desired domain and open it for editing. 4. Click the Authorization Policies tab and open the desired policy for editing. "Desired domain" refers to the Application Domain created specifically for impersonation (Impersonation for example). "Desired policy" is your default policy created during agent registration. By default, no policy Responses exist until you create them. 5. On the Policy page, click the Responses tab, click the Add (+) button, and: ■ From the Type list, choose Header. Integrating Microsoft SharePoint Server with Access Manager 59-17 Setting Up Microsoft Windows Impersonation 6. ■ In the Name field, enter a unique name for this response: IMPERSONATE ■ In the Value field, enter a value for this Response. For example: $user.userid. Click Add to save the Response, which is used for the second WebGate request (for authorization). 59.6.5 Adding an Impersonation DLL to IIS You are ready to configure IIS Web server for this integration by registering and configuring the IISImpersonationModule.dll across all sites including central administration and web services. Alternatively, if you have multiple Web sites, where some are integrated with Access Manager while others are not, you might want to enable impersonation only for those Web sites that are integrated with Access Manager. To do this, you must configure the Native Module only at those sites that require integration. See: ■ To configure and register ImpersonationModule to IIS ■ To configure site level Native Modules for Web sites To configure and register ImpersonationModule to IIS 1. Select Start, Administrative Tools, Internet Information Services (IIS) Manager. 2. In the left pane of IIS 7, click the hostname. 3. In the middle pane, under the IIS header, double click Modules. 4. In the right pane, click Configure Native Modules and click Register. 5. In the window, provide a module Name (for example, Oracle Impersonation Module). 6. In the Path field, type the full path to IISImpersonationModule.dll. By default, the path is: WebGate_install_dir\access\oblix\apps\Webgate\bin\IISImpersonation Where WebGate_install_dir is the directory of your WebGate installation. If any spaces exist in the path (for example, C:\Program Files\Oracle\...) surround the entire string with double quotes (" "). Note: 7. Click OK to register the module. 8. Check the name of the newly created module and click OK to apply the module across the Web sites. 59-18 Administrator's Guide for Oracle Access Management Setting Up Microsoft Windows Impersonation Figure 59–3 Registering the Impersonation Module To configure site level Native Modules for Web sites 1. Click the plus icon (+) icon to left of Sites. 2. Click the site where you want to enable Impersonation. 3. In the Middle pane, under IIS, double click Modules. 4. In the right pane, click Configure Native Modules and select the Impersonation Module registered earlier. 5. Click OK. Integrating Microsoft SharePoint Server with Access Manager 59-19 Setting Up Microsoft Windows Impersonation 6. Proceed with: ■ Testing Impersonation ■ Completing the SharePoint Server Integration 59.6.6 Testing Impersonation You can test to ensure that impersonation is working properly in the following ways before you complete the integration: ■ ■ ■ ■ Outside the SharePoint Server context or test single sign-on, as described in "Creating an IIS Virtual Site Not Protected by SharePoint Server" on page 59-20 Using the Event Viewer, as described in "Testing Impersonation Using the Event Viewer" on page 59-21 Using a Web page, as described in "Testing Impersonation using a Web Page" on page 59-22 Using negative testing as described in "Negative Testing for Impersonation" on page 59-22 See Also: "Completing the SharePoint Server Integration" after confirming impersonation configuration is working properly 59.6.6.1 Creating an IIS Virtual Site Not Protected by SharePoint Server To test the impersonation feature outside the SharePoint Server context or to test single sign-on, you will need a target Web page on an IIS virtual Web site that is not protected by SharePoint Server. You create such a virtual Web site by completing the following task. To create an IIS virtual site not protected by SharePoint Server 1. Select Start, Administrative Tools, Internet Information Services (IIS) Manager. 59-20 Administrator's Guide for Oracle Access Management Setting Up Microsoft Windows Impersonation 2. Click the plus icon (+) to the left of the local computer icon on the tree in the left pane. 3. Right-click Web Sites on the tree in the left pane, then navigate to New, Web Site on the menu. 4. Respond to the prompts by the Web site creation wizard. 5. After you create the virtual site, you must protect it with policies in an Application Domain. 59.6.6.2 Testing Impersonation Using the Event Viewer When you complete impersonation testing using the Windows 2003 Event Viewer, you must configure the event viewer before conducting the actual test. To test impersonation through the Event Viewer 1. Select Start Menu, Event Viewer. 2. In the left pane, right-click Security, then click Properties. 3. Click the Filter tab on the Security property sheet. 4. Verify that all Event Types are checked, and the Event Source and Category lists are set to All, then click OK to dismiss the property sheet. Your Event Viewer is now configured to display information about the HeaderVar associated with a resource request. Figure 59–4 Verifying Event Viewer Settings 5. Create a new IIS virtual server (virtual site). 6. Place a target Web page anywhere in the tree on the virtual site. 7. Point your browser at the Web page. If impersonation is working correctly, the Event Viewer will report the success of the access attempt. Integrating Microsoft SharePoint Server with Access Manager 59-21 Completing the SharePoint Server Integration 59.6.6.3 Testing Impersonation using a Web Page You can also test impersonation using a dynamic test page, such as an .asp page or a Perl script, that can return and display information about the request. To test impersonation through a Web page that displays server variables 1. Create an .asp page or Perl script that will display the parameters AUTH_USER and IMPERSONATE, which can resemble the sample page presented in the following listing: Example 59–1 Sample .ASP Page Code <%for each servervar in request.servervariables%> 2. Create an IIS virtual site, or use the one you created for the previous task. 3. Place an .asp page or Perl script (such as the sample in the preceding listing) anywhere in the tree of the new virtual site. 4. Point your browser at the page, which should appear, with both AUTH_USER and IMPERSONATE set to the name of the user making the request. 59.6.6.4 Negative Testing for Impersonation To conduct negative testing for impersonation, you need to unbind the trusted user from the WebGate, as explained in the following procedure. To unbind the trusted user from your WebGate 1. In the Oracle Access Management Console, locate the WebGate. 2. Open the desired WebGate registration page and remove the credentials for the trusted user. 3. Click Apply to save the change. 4. Restart the IIS server and in a browser window, go to a protected code page (previously accessible to the trusted user). 5. Confirm that you receive an message page should appear. Values for AUTH_USER and IMPERSONATE are necessary for impersonation credentials to be bound to a WebGate. 6. Restore the trusted user to the WebGate registration page. 59.7 Completing the SharePoint Server Integration You need to complete several procedures to set up an Access Manager with SharePoint Server integration. 59-22 Administrator's Guide for Oracle Access Management Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider Skip this section if you are integrating with SharePoint Server configured with LDAP Membership Provider. Note: Task overview: Completing the SharePoint Server integration 1. Set up IIS security, as described in "Configuring IIS Security" on page 59-23. 2. Test the integration, as described in "Testing the SharePoint Server Integration" on page 59-37. 59.7.1 Configuring IIS Security Be sure to configure IIS Security before you continue. To configure IIS Security for the SharePoint Server integration 1. Select Start, Administrative Tools, Internet Information Services (IIS) Manager. 2. Click the plus icon (+) to the left of the local computer icon on the tree in the left pane. 3. Click Web Sites on the tree in the left pane. 4. In the center pane, double-click on Authentication under IIS. 5. Ensure that Anonymous Authentication is enabled and Windows Authentication is disabled. Figure 59–5 Impersonation Authentication 59.8 Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider In this scenario, Access Manager gets integrated with SharePoint Server using SharePoint Security Token Service (STS). This includes the ISAPI WebGate installation on IIS, as well as Access Manager configuration and steps needed to achieve the HeaderVar integration. Note: Only 64-bit ISAPI WebGates are supported for this integration. The following overview introduces the tasks that you must perform for this integration, including prerequisites, and where to find the information you need for each task. Integrating Microsoft SharePoint Server with Access Manager 59-23 Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider Task overview: Integrating with Microsoft SharePoint Server Configured with LDAP Membership Provider 1. Preparing for this integration: 2. a. Install "Required Microsoft Components", as described on page 59-7. b. Create a SharePoint Web site, as described in "Creating a New Web Application in Microsoft SharePoint Server" on page 59-11. c. Configure the SharePoint site collection, as described in "Creating a New Site Collection for Microsoft SharePoint Server" on page 59-13. d. Configure the created Web site with LDAP directory using Claim-Based Authentication type (which uses the LDAP Membership Provider), as described in your SharePoint documentation. e. Ensure that users who are present in the LDAP directory can log in to the SharePoint Web site and get proper roles. f. Test the configuration to ensure that users who are present in the LDAP directory can log in to the SharePoint Web site and get proper roles, as described in your SharePoint documentation. Perform all tasks described in "Installing Access Manager for Microsoft SharePoint Server Configured With LDAP Membership Provider" on page 59-25. This task includes installing a 10g WebGate for IIS and configuring a WebGate.dll for the individual SharePoint Web site. 3. Add an authentication scheme for this integration, as described in "Configuring an Authentication Scheme for Use With LDAP Membership Provider" on page 59-26. 4. Update the Application Domain that protects the SharePoint Web Site, as described in "Updating the Application Domain Protecting the SharePoint Web Site" on page 59-27. 5. In the new Application Domain, create an authorization rule for this integration, as described in "Creating an Authorization Response for Header Variable SP_SSO_ UID" on page 59-28. 6. Perform all steps in "Creating an Authorization Response for the OAMAuthCookie" on page 59-29. 7. Perform all steps in "Configuring and Deploying OAMCustomMembershipProvider" on page 59-29. 8. Synchronize directory servers, if needed, as described in "Ensuring Directory Servers are Synchronized" on page 59-32. 9. Configure single-sign-on for office documents as described in "Configuring Single Sign-On for Office Documents" on page 59-32. 10. Configure single sign-off, as described in "Configuring Single Sign-off for Microsoft SharePoint Server" on page 59-33. 11. Finish by testing your integration to ensure it operates without problem, as described in "Testing the Integration" on page 59-32. 59.8.1 About Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider The previous scenario, "Integrating With Microsoft SharePoint Server" on page 59-10, describes how to use Windows authentication. In that scenario, authentication and 59-24 Administrator's Guide for Oracle Access Management Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider authorization are performed for users residing in Active Directory. Access Manager used Windows impersonation for integration. For the integration described in this section, support for the LDAP Membership Provider is achieved by using a HeaderVar-based integration. The ISAPI WebGate filter intercepts HTTP requests for Web resources and works with the OAM Server to authenticate the user who made the request. When authentication is successful, WebGate creates an ObSSOCookie and sends it to the user's browser to facilitate single sign-on (SSO). The WebGate also sets SP_SSO_UID as a HeaderVar action for this user session. The Oracle Custom Membership provider in SharePoint validates the ObSSOCookie using the HTTP validation method, whereby the Access Manager Custom Membership Provider makes an HTTP/HTTPS request to a protected resource. Access Manager then validates and compares the user login returned on Authorization success with SP_SSO_UID. See Also: "Introduction to Integrating With the SharePoint Server" on page 59-2 for a look at processing differences between this integration and the other integrations described in this chapter. Requirements: This integration requires that Microsoft SharePoint Server: ■ Must be integrated with the LDAP Membership Provider ■ Must not use Windows authentication ■ Must not have IISImpersonationModule.dll configured at the Web site using Claim Based Authentication See Also: "Integration Requirements" on page 59-6 59.8.2 Installing Access Manager for Microsoft SharePoint Server Configured With LDAP Membership Provider This procedure describes how to prepare your installation for integration with Microsoft SharePoint Server Configured with LDAP Membership Provider. Prerequisites Perform Step 1 of the previous "Task overview: Integrating with Microsoft SharePoint Server Configured with LDAP Membership Provider" on page 59-24. To prepare your deployment for integration that includes LDAP Membership Provider 1. Install Oracle Identity Management and Access Manager. 2. Provision and install an ISAPI WebGate. 3. Configure Webgate.dll at the SharePoint Web site that you want to protect. For example: a. Start the Internet Information Services (IIS) Manager: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager b. Under Web Sites, double click the name of the SharePoint Web site to protect. c. In the Middle pane, double click ISAPI Filters and click Add in the right pane. d. Enter the filter name as Oracle WebGate. e. Enter the following path to the Webgate.dll file. WebGate_install_dir/access/oblix/apps/Webgate/bin/Webgate.dll Integrating Microsoft SharePoint Server with Access Manager 59-25 Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider f. Save and apply these changes. g. Double click Authentication in the middle pane. h. Verify that the following Internet Information Services settings are correct: Anonymous Authentication and Forms Authentication is enabled, and Windows Authentication is disabled. For Claim-based Authentication to work with Access Manager, Windows Authentication for the SharePoint Site must be disabled. Note: i. 4. 5. Save and Apply these changes. Go to the Web sites level to protect and create an /access application that points to the newly installed WebGate_install_dir. For instance: a. Under Web Sites, right-click the name of the Web site to be protected. b. Select Add application named with the alias "access" that points to the appropriate WebGate_install_dir\access. c. Under Access Permissions, check Read, Run Scripts, and Execute. d. Save and apply these changes. Proceed to "Configuring an Authentication Scheme for Use With LDAP Membership Provider". 59.8.3 Configuring an Authentication Scheme for Use With LDAP Membership Provider When your integration includes the LDAP Membership Provider, only three Access Manager authentication methods are supported, as described in this procedure. To configure an authentication scheme for SharePoint with LDAP Membership Provider 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Launch Pad tab, select Create Authentication Scheme from the Create (+) drop-down menu the Access Manager section. 3. On the Authentication Scheme page, fill in the: Name: Enter a unique name for this scheme. For example: SharePoint w/LDAP-MP Description: Optional 4. Authentication Level: Choose a level of security for the scheme. 5. Choose a Challenge Method: Basic Authentication for SharePoint Web site root (/) Form Authentication with Challenge Redirect for SharePoint Web site root (/) Client Certificate Authentication for SharePoint Web site root (/) 6. Challenge Redirect: Enter your challenge redirect value, if required. 7. Choose an Authentication Module from those listed. 8. Challenge Parameters: Enter your challenge parameter values, if required. 59-26 Administrator's Guide for Oracle Access Management Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider 9. Challenge URL: The URL the credential collector will redirect to for credential collection. 10. Click Apply to submit the new scheme, review details in the Confirmation window. 11. Optional: Click the Set as Default button to automatically use this with new Application Domains, then close the Confirmation window. 12. In the navigation tree, confirm the new scheme is listed, and then close the page. 13. Proceed with "Updating the Application Domain Protecting the SharePoint Web Site". If the SharePoint resource is protected with an Access Manager client-cert authentication scheme, you might need to add to the PATH environment variable C:\Program Files\Microsoft Office Servers\14.0\Bin;C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN. Note: 59.8.4 Updating the Application Domain Protecting the SharePoint Web Site This Application Domain was created when you provisioned the IIS WebGate to protect the Microsoft SharePoint Server Web site for the integration scenario with LDAP Membership Provider. Within an Application Domain, resource definitions exist as a flat collection of objects. Each resource is defined as a specific type, and the URL prefix that identifies a document or entity stored on a server and available for access by a large audience. The location is specified using an existing shared Host Identifier. For this integration, leave empty the URL Prefix. Do not enter a region to be appended to the URL prefix. Note: You need to use the authentication scheme that you created earlier. To validate the ObSSOCookie, you must create another policy for a resource protected by a WebGate; for example: /ValidateCookie. This resource should be deployed on a Web server protected by a WebGate and you should be able to access it after providing correct Access Manager credentials: http(s)://host:port/ValidateCookie This example uses SharePoint w/LDAP-MP as the Application Domain name. Your environment will be different. Step 4 includes an alternative Authentication Scheme to protect the SharePoint Web site with a Form authentication scheme. Note: To update the Application Domain protecting the root SharePoint Web site 1. From the Oracle Access Management Console, open the SharePoint w/LDAP-MP Application Domain. 2. Open the Resources tab, then click the New Resource button. 3. On the Resource Definition page, select or enter your details for a single resource and click Apply: Type: http Integrating Microsoft SharePoint Server with Access Manager 59-27 Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider Description (optional): Protecting SharePoint Website Host Identifier: Select the host identifier that you added earlier. Resource URL: Enter /ValidateCookie. Protection Level: Protected Authentication Policy (if level is Protected) Authorization Policy (if level is Protected and Authentication Policy is chosen) 4. 5. In the Protected Resource Policy for Authentication, add a defined resource: ■ Click the Resources tab on the Authentication Policy page. ■ Click the Add button on the Resources tab. ■ Locate and select the desired resource definition, then click Add Selected. ■ Click Apply to add the resources. ■ Repeat to add more resources. Click the Responses tab, then click its Add button and: ■ In the Name field, enter a unique name for this response (SP_SSO_UID). ■ From the Type list, choose Header. ■ In the Value field, enter a value for this response. For example: $user.userid. ■ Click Apply. 6. Add a Policy: Add a policy for a resource used with the HTTP validation method, If selected. 7. Before you enable this Application Domain, proceed to "Creating an Authorization Response for Header Variable SP_SSO_UID" 59.8.5 Creating an Authorization Response for Header Variable SP_SSO_UID This topic describes how to add an Authorization Response for the integration configured with LDAP Membership Provider. For this integration, you add the following Header Variable to the Application Domain as Responses for Authorization success: Type = Header Name = SP_SSO_UID Return Attribute = $user.userid In this case: ■ The Return Attribute is the login attribute used in Login ■ This authorization rule protects the root SharePoint Web site "/ " To create an authorization response for SharePoint with LDAP Membership Provider 1. From the Oracle Access Management Console, open the SharePoint w/LDAP-MP Authorization Policy: ProtectedResourcePolicy. 2. Click the Authorization Policy Responses tab, then click its Add button: ■ In the Name field, enter a unique name for this response (SharePoint w/LDAP-MP). ■ From the Type list, choose Header. ■ In the Value field, enter a value for this response. For example: $user.userid. 59-28 Administrator's Guide for Oracle Access Management Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider 3. ■ Click Apply. ■ Repeat as needed. Proceed to "Creating an Authorization Response for the OAMAuthCookie". 59.8.6 Creating an Authorization Response for the OAMAuthCookie Here, you add the following Header Variable named OAMAuthCookie to the Application Domain as Responses under Authorization success: Type = Cookie Name = OAMAuthCookie Return Attribute = $user.userid To create a Application Domain to protect the validation URL 1. From the Oracle Access Management Console, open the SharePoint w/LDAP-MP Authorization Policy: Protected Resource Policy: 2. Click the Responses tab, then click its Add button and: Redirection URL: Not required for this integration Return Type = Cookie Name = OAMAuthCookie Return Attribute = $user.userid 3. ■ In the Name field, enter a unique name for this response (OAMAuthCookie). ■ From the Type list, choose Cookie. ■ In the Value field, enter a value for this response. For example: $user.userid. ■ Click Apply to submit the response, then close the confirmation window. ■ Repeat as needed. Proceed to "Configuring and Deploying OAMCustomMembershipProvider." 59.8.7 Configuring and Deploying OAMCustomMembershipProvider You perform the following configuration steps in SharePoint to use the Access Manager Authentication Module to authenticate and authorize the user. Note: You can specify a default login page bundled in this file: WebGate_install_dir\access\oblix\apps\Webgate\ OAMCustomMembershipProvider\samples\Sample.Default.aspx To configure SharePoint to use OAM authentication Module 1. Go to the physical location of the SharePoint Web site directory. For example: C:\Inetpub\wwwroot\wss\VirtualDirectories\SharePoint website Name 2. From the folder_forms, copy the file Default.aspx as Default.ORIG.aspx. 3. Open Default.aspx, search for , add the following after the line, and then save the file: <%bool autoLogin = loginTracker.Value == "autoLogin";%> 4. Go to IIS Manager and click the Plus icon (+) before Sites. 5. Click on the plus icon (+) before SharePoint Web Services. 6. Right -click SecurityTokenServiceApplication, then click Explore. 7. Create a backup copy of Web.config as Web.config.ORIG, then open Web.config. 8. In the membership provider entries for enabling the LDAP membership provider go to , , type, and then modify the type value as follows: type = "Oracle.CustomMembershipProvider, OAMCustomMembershipProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=52e6b93f6f0427a1 9. Add the following attribute at the end of the entry in Step 8 ValidationMode="OAMHttp" to indicate the ObSSOCookie validation method. The resource configured for ValidationURL must be present on the Web server. Also, the value of the OAMAuthUser parameter should be configured as the authorization return action as described in Step 6. Note: 10. Save the file. 11. Using command prompt go to the following directory: C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\gacutil.exe 12. Type: gacutil -l OAMCustomMembershipProvider 13. Confirm that no results are returned. 14. Type the following. Integrating Microsoft SharePoint Server with Access Manager 59-31 Configuring Single Sign-On for Office Documents gacutil -i \access\oblix\apps\Webgate\OAMCustomMembershipProvider\OAMCustomMembershipP rovider.dll 15. Type: gacutil -l OAMCustomMembershipProvider 16. Confirm that one result is returned. 17. Restart the SharePoint Web site. 18. Proceed as follows: ■ Enabling Logging for CustomMemberShipProvider ■ Ensuring Directory Servers are Synchronized ■ Configuring Single Sign-off for Microsoft SharePoint Server 59.8.8 Enabling Logging for CustomMemberShipProvider If you want to enable logs for the Oracle Custom Membership Provider, you must configure the DebugFile parameter in the configuration file for the Oracle Custom Membership Provider. For example: a sample entry for the DebugFile=Location_of_ logs_file": type = "Oracle.CustomMembershipProvider, OAMCustomMembershipProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=52e6b93f6f0427a1" DebugFile="c:\Debug.txt" 59.8.9 Ensuring Directory Servers are Synchronized Users in the directory server configured for Access Manager should be synchronized with the directory server used by SharePoint if these are different. This is the same task that you perform for other integration scenarios in this chapter. When your SharePoint integration includes an LDAP Membership Provider, however, you can use a directory server that supports LDAP commands. See Also: "Synchronizing User Profiles Between Directories" on page 59-37 59.8.10 Testing the Integration This is similar to the task you perform for other integration scenarios in this chapter. There are no differences when configured with LDAP Membership Provider. See Also: "Testing the SharePoint Server Integration" on page 59-37 59.9 Configuring Single Sign-On for Office Documents Single sign-on for Office documents can be achieved by setting a persistent cookie in the authentication scheme. To do this using OAM 11g, you need to set ssoCookie=max-age in the authentication scheme. This creates a persistent cookie which lasts for more than one session. For integration based on Windows Native Authentication, you do not need to set the persistent cookie parameter. Note: 59-32 Administrator's Guide for Oracle Access Management Configuring Single Sign-off for Microsoft SharePoint Server 1. Log in to the Oracle Access Management Console. 2. Find the Authentication Scheme being used and open the page. 3. In the Challenge Parameter, add: ssoCookie=max-age=1000000 Where, time-in-seconds represents the time interval when the cookie expires. For example, ssoCookie=max-age=3600 sets the cookie to expire in 1 hour (3600 seconds). 4. Save the change. 5. Configure centralized logout for the 10g or 11g WebGate. 59.10 Configuring Single Sign-off for Microsoft SharePoint Server Manual Logout occurs when the user clicks the Logout button from SharePoint Server. You can also configure the SharePoint Server logout URL in Access Manager so that when a user clicks the Logout button from SharePoint Server site, Access Manager logout is also triggered. Closing the browser window after sign-off is always recommended, for security. Note: Cookie time-out occurs when the overall user session is controlled by ObSSOCookie. Consider the following use-case: ■ ■ FedAuth cookie time-out and ObSSOCookie is still valid: The user won't be challenged again because the ObSSOCookie is present. A new FedAuth cookie is generated (using the same flow described earlier). ObSSOCookie time-out and FedAuth Cookie is still valid: Since each request is intercepted by the WebGate, the user is challenged for credentials again. Access Manager provides single logout (also known as global or centralized log out) for user sessions. With Access Manager, single logout refers to the process of terminating an active user session. This topic describes how to configure single sign-off for integration with SharePoint. Single sign-off kills the user session. ■ Configuring a Custom Logout URL in SharePoint Server ■ Configuring Logout in SharePoint Server With Impersonation 59.10.1 Configuring a Custom Logout URL in SharePoint Server To configure a Custom Logout URL in SharePoint Server 1. From the generated artifacts for WebGate, add logout.html to the SharePoint Server Site 2. Locate C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\CONTROLTEMPLATES. 3. In \CONTROLTEMPLATES, change the welcome.ascx by adding the following tag. For example: 4. Click Save. 5. Protect the two URLs /_layouts/SignOut.aspx and /_ layouts/closeConnection.aspx in an Application Domain using Anonymous authentication. 6. Proceed to Configuring Logout in SharePoint Server With Impersonation. 59.10.2 Configuring Logout in SharePoint Server With Impersonation You can skip this procedure if you do not have Impersonation configured. To configure Logout in SharePoint Server with Impersonation 1. Copy signout.aspx from C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\LAYOUTS) to MySignout.aspx in the same path. 2. In MySignout.aspx, below () add the following script details: 3. Save. 4. Use this URL _layouts/Mysignout.aspx as custom logout URL for SharePoint Server in the case of Impersonation. 5. Proceed with "Testing Your Integration". 59.11 Setting Up Access Manager and Windows Native Authentication This section provides the following topics: ■ Setting Up Access Manager WNA ■ Setting Up WNA With SharePoint Server ■ Installing Access Manager for WNA and SharePoint Server ■ Testing Your WNA Implementation 59.11.1 Setting Up Access Manager WNA Configure Access Manager to use Windows Native Authentication. 59-34 Administrator's Guide for Oracle Access Management Setting Up Access Manager and Windows Native Authentication 59.11.2 Setting Up WNA With SharePoint Server The following overview outlines the tasks that must be performed to set up WNA with Access Manager and the SharePoint Server. Task overview: Setting up WNA with SharePoint Server 1. Complete the following prerequisite tasks: ■ ■ ■ ■ 2. Perform tasks in "Required Microsoft Components" on page 59-7. Create a SharePoint Web site, as described in "Creating a New Web Application in Microsoft SharePoint Server" on page 59-11. Configure the SharePoint site collection, as described in "Creating a New Site Collection for Microsoft SharePoint Server". Test the configuration to ensure that users who are present in the directory server can log in to the SharePoint Web site and get proper roles, as described in your SharePoint documentation. Install Access Manager as described in "Installing Access Manager for WNA and SharePoint Server" on page 59-35. This step includes installing the WebGate for IIS and configuring Webgate.dll for the individual SharePoint Web site. 3. 4. Configure the Active Directory authentication provider, as follows: a. Login to the WebLogic Console. b. Go to Security Realm and click the realm being used. c. Go to the Provider tab provider, click New. d. Enter the provider name, select the Type ActiveDirectoryAuthenticator, click OK. e. Select the newly created Provider, change Control Flag to Sufficient, and Save. f. Go to Provider Specific tab, enter details for your Active Directory, and save these. Perform "Testing Your WNA Implementation" on page 59-37. 59.11.3 Installing Access Manager for WNA and SharePoint Server You perform this task after you perform all prerequisites described in step 1 of the "Task overview: Setting up WNA with SharePoint Server". Installing most Access Manager components for this integration scenario is the same as for any other situation. Installing the IIS WebGate is similar to installing any other WebGate. The WebGate should be installed with the IIS v7 Web server; later it can be configured at the specific SharePoint Web site level to be protected. For IIS, the WebGate must be configured at the "web sites" level. For Microsoft SharePoint Server, you must configure the WebGate for the specific SharePoint Web site level to be protected. To install Access Manager for WNA and SharePoint Server 1. Install Access Manager as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. 2. Install the ISAPI WebGate as follows: ■ Installing WebGates Integrating Microsoft SharePoint Server with Access Manager 59-35 Setting Up Access Manager and Windows Native Authentication ■ Installing Web components for the IIS Web server Next, you configure Webgate.dll at the SharePoint Web site that yo want to protect. Configuring Webgate.dll at the "Website level" protects all Web sites on the IIS Web server. However, configuring Webgate.dll at the "SharePoint Website" protects only the expected Web site. 3. Configure Webgate.dll at the SharePoint Web site that you want to protect. For example: a. Start the Internet Information Services (IIS) Manager: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager. b. Select the hostname from the Connections pane. c. From the host name Home pane, double-click ISAPI Filters, look for any Webgate.dll; if it is present, select it and click Remove from the Action pane. d. In the Connection pane, under Sites, click the name of the Web Site for which you want to configure a WebGate filter. e. In the Home pane, double-click ISAPI Filters. f. In the Actions pane, click Add… g. In the Filter name text box of the Add ISAPI Filter dialog box, type WebGate as the name of the ISAPI filter. h. In the Executable box, type the file system path of the WebGate ISAPI filter file or click the ellipsis button (...) to go to the folder that contains the Webgate.dll ISAPI filter file, and then click OK. WebGate_install_dir\access\oblix\apps\Webgate\bin\Webgate.dll 4. Creating a Virtual Directory a. Expand the Sites pane and select the Web Site for which you just configured the ISAPI filter (Webgate.dll). b. On the Action pane, click View Virtual Directories and then select Add Virtual Directory. c. In the Alias field, specify access and the physical path to the WebGate \access folder (or click the ellipsis button (...), go to the \access folder, then click OK). WebGate_install_dir\access\ 5. Set permissions on the Virtual Directory: a. Select the "access" virtual directory created in Step 3. b. From the access Home pane, double click Handler Mappings; from the Action pane, select Edit Feature Permissions…. c. Select Read, Script, and Execute, then click OK 6. Configure Access Manager to use Windows Native Authentication. 7. Configure Microsoft SharePoint Server Authentication to Classic Mode Authentication while creating a new Web Application in Microsoft SharePoint. In the Authentication Provider section, select Negotiate(Kerberos). 8. Go to IIS newly created SharePoint site and: a. Open Authentication, Windows Authentication, Advance Settings. b. Select Enable Kernel mode authentication. 59-36 Administrator's Guide for Oracle Access Management Testing Your Integration 9. c. Select providers, delete NTLM provider. d. Add Negotiate:Kerberos and move it to the top level. e. Restart IIS. Proceed to "Testing Your WNA Implementation". 59.11.4 Testing Your WNA Implementation Use the following steps to confirm your WNA implementation is working properly. To test your WNA implementation 1. Log in to the machine as the Windows domain user (or AD user or AD user account). The login account must also be a user of Access Manager. 2. Enter the URL of the protected resource. 59.12 Synchronizing User Profiles Between Directories Unless explicitly stated, this task should be performed for all integration scenarios in this chapter. When your integration includes LDAP Membership Provider, you can use any directory server that supports LDAP commands. Note: You need to synchronize user profiles between the SharePoint Server directory and the Access Manager directory: ■ Uploading user data—If your Access Manager installation is configured for any directory server other than SharePoint Active Directory, you must load the user profiles that reside on the other directory server to SharePoint Active Directory. Proceed to "Testing Your Integration" 59.13 Testing Your Integration After you complete the tasks to enable integration, you should test to verify that integration is working. This section contains the following topics: ■ Testing the SharePoint Server Integration ■ Testing Single Sign-On for the SharePoint Server Integration 59.13.1 Testing the SharePoint Server Integration You can verify that a user can access SharePoint Server resources through Access Manager authentication and SharePoint Server authorization. To test your SharePoint Server integration 1. Navigate to any SharePoint Server Web page using your browser. You are challenged for your credentials. 2. Log in by supplying the necessary credentials. Integrating Microsoft SharePoint Server with Access Manager 59-37 Troubleshooting 3. Verify that the page you requested is visible. 4. Optional: Check the Event Viewer to confirm that the access request was successful. 59.13.2 Testing Single Sign-On for the SharePoint Server Integration You can also test single sign-on by demonstrating that a user who has just supplied credentials and accessed an SharePoint Server resource can (before the ObSSOCookie expires) access a non-SharePoint Server resource without having to supply credentials a second time. For example, use a resource defined in the Policy Manager. When single sign-on is working, you should be granted access to the page without having to supply credentials a second time. To test single sign-on for your SharePoint Server integration 1. Create and protect a new virtual site with a Application Domain (or use one you have already created. 2. Place a Web page anywhere in the tree of this virtual site. 3. Using a browser, navigate to the page in the new virtual site. If you have already passed authentication, you should be granted access to the page without having to supply credentials a second time. 59.14 Troubleshooting ■ Internet Explorer File Downloads Over SSL Might Not Work 59.14.1 Internet Explorer File Downloads Over SSL Might Not Work This issue may occur if the server sends a Cache-control:no-store header or sends a Cache-control:no-cache header. The WebGate provides configuration parameters to control setting these headers. Following are the parameters and their default value: CachePragmaHeader CacheControlHeader no-cache no-cache You can modify the WebGate configuration not to set these headers at all (the values for these parameters would be kept blank). By this, it would mean that Access Manager will not control the caching behavior. 59-38 Administrator's Guide for Oracle Access Management 60 06 Integrating Access Manager with Outlook Web Application In a Windows environment, after a user authenticates, the authenticating application can impersonate that user's identity. The primary purpose of impersonation is to trigger access checks against a client's identity. This chapter focuses on how to enable impersonation in Access Manager to override impersonation enabled with IIS. The following topics are provided: ■ What is New in This Release? ■ Introduction to Integration with Outlook Web Application ■ Enabling Impersonation With a Header Variable ■ Setting Up Impersonation for Outlook Web Application (OWA) ■ Setting Up Access Manager WNA for Outlook Web Application 60.1 What is New in This Release? Support for integration between Access Manager and Outlook Web Application (OWA) 2010. This chapter illustrates: ■ Enabling Impersonation With a Header Variable ■ Setting Up Impersonation for Outlook Web Application (OWA) ■ Setting Up Access Manager WNA for Outlook Web Application 60.2 Introduction to Integration with Outlook Web Application This section provides the following information to introduce the integration described in this chapter: ■ About Impersonation Provided by Microsoft Windows ■ About Access Manager 11g Support for Windows Impersonation ■ About Single Sign-On for Authenticated Access Manager Users into Exchange ■ About Confirming Requirements Integrating Access Manager with Outlook Web Application 60-1 Introduction to Integration with Outlook Web Application 60.2.1 About Impersonation Provided by Microsoft Windows When running in a client's security context, a service can to an extent become a client. After the user authenticates, the service can take on that user's identity through impersonation. One of the service's threads uses an access token, known as an impersonation token, to obtain access to objects the client can access. The access token is a protected object that represents the client's credentials. The impersonation token identifies the client, the client's groups, and the client's privileges. The information in the token is used during access checks when the thread requests access to resources on the client's behalf. When the server is impersonating the client, any operations performed by the server are performed using the client's credentials. Impersonation ensures that the server can or cannot do exactly what the client can or cannot do. Access to resources can be restricted or expanded, depending on what the client has permission to do. Impersonation requires the participation of both the client and the server. The client must indicate its willingness to let the server use its identity, and the server must explicitly assume the client's identity programmatically. When impersonation concludes, the thread uses the primary token to operate using the service's own security context rather than the client's. The primary token describes the security context of the user account associated with the process (the person who started the application). Services run under their own accounts and act as users in their own right. For example, system services that are installed with the operating system run under the Local System account. You can configure other services to run under the Local System account, or separate accounts on the local system or in Active Directory. The IIS Web server provides impersonation capabilities. However, the OAM Server overrides IIS authentication, authorization, and impersonation functions. For more information, see "About Access Manager 11g Support for Windows Impersonation" in the next section. 60.2.2 About Access Manager 11g Support for Windows Impersonation You can enable support for Windows impersonation to provide additional access control for protected applications. You bind a trusted user to a Webgate and protect the application with a application domain that includes an impersonation action in the authorization rule. During the authorization process, the protected application creates an impersonation token. For more information, see, "Enabling Impersonation With a Header Variable." It provides prerequisites and details about implementing impersonation using header variables. 60.2.3 About Single Sign-On for Authenticated Access Manager Users into Exchange This is also supported using the Windows Impersonation feature. Outlook Web Access (OWA) provides Web access to Exchange mail services and may be configured on either of the following: ■ ■ An IIS Web server that does not reside on the same host as the Exchange server, which is also known as a front-end server An IIS Web server running on the same host as the Exchange server, which is also known as the back-end server 60-2 Administrator's Guide for Oracle Access Management Enabling Impersonation With a Header Variable In a front-end server configuration, the front-end OWA server authenticates the user, determines the back-end Exchange server that hosts the user's mailbox, then proxies the request to the appropriate back-end Exchange server. No additional credential information is passed. No delegation is performed. Setting up Impersonation on the back-end Exchange server ensures that the Exchange server does not need to request credentials before granting access. For more information, see "Setting Up Impersonation for Outlook Web Application (OWA)." 60.2.4 About Confirming Requirements The example in this chapter illustrates setting up the impersonation feature for the OAM Server to Microsoft Exchange Server 2013 integration. The principles are the same regardless of your application. Any references to specific versions and platforms in this chapter are for demonstration purposes. For the latest Access Manager certification information, see Oracle Technology Network at: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-10 0350.html 60.3 Enabling Impersonation With a Header Variable Enabling impersonation with a header variable involves completing the procedures in the following sections. 1. Reviewing all Requirements for Impersonation with a Header Variable 2. Creating an Impersonator as a Trusted User 3. Assigning Rights to the Trusted User 4. Binding the Trusted User to Your WebGate 5. Adding an Impersonation Response to An Application Domain 6. Adding an Impersonation DLL to IIS 7. Testing Impersonation See Also: "Setting Up Impersonation for Outlook Web Application (OWA)" on page 60-10. 60.3.1 Requirements for Impersonation with a Header Variable Prepare the environment and confirm that it is operating properly before implementing Windows impersonation with the OAM Server. Table 60–1 identifies the Access Manager platform requirements when you enable impersonation using a header variable. Table 60–1 Requirements for Impersonation with a Header Variable Item Platform 11g WebGate (and Impersonation dll) Microsoft IIS 7.x and Windows Server 2008 and 2013 Integrating Access Manager with Outlook Web Application 60-3 Enabling Impersonation With a Header Variable Table 60–1 (Cont.) Requirements for Impersonation with a Header Variable Item Platform Impersonation dll Webgate_install_ dir\webgate\iis\lib\IISImpersonationModule.dll Kerberos Key Distribution Center (KDC) and Active Directory Client and Server machines ■ Must be installed as an IIS Module. ■ May be installed at any level of the Web site tree. Windows Server 2008 and 2013 ■ ■ Security context Both must be in the same Windows Server 2008 domain with a trust relationship. A bi-directional trust path is required because the service, acting on the client's behalf, must request tickets from the client's domain. Must have Act as operating system privileges. Note: IWAM_Machine is not recommended Mutual authentication is required Mutual authentication is supported remotely. 60.3.2 Creating an Impersonator as a Trusted User Whether you enable impersonation using a HeaderVar or user profile attribute, the return value must be a trusted user in Active Directory. This special user should not be used for anything other than impersonation. The example in the following procedure uses SPPSImpersonator as the New Object - User. With OWAImpersonator as SPPSImpersonator denotes SharePoint impersonation specifically. Your environment will be different. 1. Perform the steps for your environment on the computer hosting your Microsoft Exchange Server 2013 installation: ■ Windows 2008 or 2012: Select Start, Programs, Administrative tools, Active Directory Users and Computers. 2. In the Active Directory Users and Computers window, right-click Users on the tree in the left pane, then select New; User. 3. In the First name field of the pane entitled New Object - User, enter an easy-to-remember name such as SPPSImpersonator. 4. Copy this same string to the User logon name field, then click Next. 5. In succeeding panels, you are asked to choose a password and then retype it to confirm. Oracle recommends that you choose a very complex password, because your trusted user is being given very powerful permissions. Also, be sure to check the box marked Password Never Expires. Since the impersonation module should be the only entity that ever sees the trusted user account, it would be very difficult for an outside agency to discover that the password has expired. Note: 60-4 Administrator's Guide for Oracle Access Management Enabling Impersonation With a Header Variable Figure 60–1 Setting up a Trusted User Account for Windows Impersonation 60.3.3 Assigning Rights to the Trusted User Follow this procedure to give the trusted user the right to act as part of the operating system 1. Perform the appropriate step for your environment: ■ Windows 2008: Select Start > Programs > Administrative tools > Local Security Policy. You must modify the group policy object that applies to the computer where the Webgate is installed. 2. On the tree in the left pane, click the plus icon (+) next to Local Policies. 3. Click User Rights Assignment on the tree in the left pane. 4. Double-click "Act as part of the operating system" in the right pane. 5. Click Add User or Group. 6. In the Add User or Group panel, type the User logon name of the trusted user (Microsoft Exchange Server 2010 Impersonator in our example) in the User and group names text entry box, then click OK to register the change. Integrating Access Manager with Outlook Web Application 60-5 Enabling Impersonation With a Header Variable Figure 60–2 Configuring Rights for the Trusted User in Windows Impersonation 60.3.4 Binding the Trusted User to Your WebGate You need to bind the trusted user to the WebGate by supplying the authentication credentials for the trusted user, as described in this procedure. The procedure presumes that you have registered an 11g WebGate with Access Manager. The values in the procedure are provided as an example only. Your environment will be different. See Also: Chapter 15, "Registering and Managing OAM 11g Agents" 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Launch Pad tab, click Agents. 3. Find the desired 11g WebGate registration to modify for this integration: ■ Find All Enabled: Select State All, click the Search button, click the desired Webgate name in the results list. 4. On the WebGate registration page, enter the SharePoint username and password for the trusted user account, which you created earlier. 5. Click Apply to commit the changes. A bind has been created for the WebGate and the trusted user. The WebGate is now ready to provide impersonation on demand. The demand is created by an Authorization Success Action in the application domain created for impersonation. 60.3.5 Adding an Impersonation Response to An Application Domain You must create or configure an application domain to protect your OWA resources. For this you must add Responses in Authorization Policies (Header type Responses), as described in this procedure. Chapter 25, "Managing Policies to Protect Resources and Enable SSO" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management. See Also: 60-6 Administrator's Guide for Oracle Access Management Enabling Impersonation With a Header Variable The procedure presumes that you have an application domain created for the 11g WebGate you registered. The application domain in this example is MyImpersonationDomain. Your environment will be different. 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. Click Application Domains in the Access Manager section. 3. Search for and open the OWA Application Domain (the relevant application domain for impersonation). Navigate as follows: Authorization Policies Protected Resource Policy Responses 4. Click the Add button, then Add Response. Complete the form as follows: ■ ■ ■ 5. From the Type list, choose Header. In the Name field, type a unique name for this response. For example, IMPERSONATE. In the Value field, type a value for this response. For example, $user.userid. Click Add, then click Apply to submit the changes. This Response is used for the second WebGate request (for authorization). 60.3.6 Adding an Impersonation DLL to IIS You are ready to configure IIS by adding the IISImpersonationModule.dll to your IIS configuration. 1. Select Start > Administrative Tools > Internet Information Services (IIS) Manager. 2. In the left pane of IIS 7.x, click the hostname. 3. In the middle pane, under the "IIS" header, double click on "Modules". 4. In the right pane, click "Configure Native Modules" and click "Register". 5. In the window, provide a module Name (for example, Oracle Impersonation Module). 6. In the Path field, type the full path to IISImpersonationModule.dll. By default, the path is: Webgate_install_dir\webgate\iis\lib\IISImpersonationModule.dll Where Webgate_install_dir is the directory of your WebGate installation. If any spaces exist in the path (for example, C:\Program Files\Oracle\...) surround the entire string with double quotes (" "). Note: 7. Click OK to register the module. Integrating Access Manager with Outlook Web Application 60-7 Enabling Impersonation With a Header Variable 8. Check the name of the newly created module and click OK to apply the module across the Web sites. 9. Remove the module from the Default site level (otherwise, it inherits when you add it on the machine level). 10. Ensure that the IISImpersonationModule.dll file added in these steps is applied only to "owa" and "ecp" applications and removed from the site level. Go to OWA, double-click modules, Configure Native Modules, and check the desired module (for example, Oracle Impersonation Module). Go to (ecp): Double-click modules, Configure Native Modules, and check the desired module (for example, Oracle Impersonation Module). 60.3.7 Testing Impersonation You can test Impersonation in the following two ways: ■ Testing Impersonation Using the Event Viewer ■ Testing Impersonation using a Web Page 60.3.7.1 Creating an IIS Virtual Site To test the impersonation feature outside the Microsoft OWA 2010 context or to test single sign-on, you will need a target Web page on an IIS virtual Web site You create such a virtual Web site by performing the following task. 1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager. 2. Click the plus icon (+) to the left of the local computer icon on the tree in the left pane. 3. Right-click Web Sites on the tree in the left pane, then select New, then select Web Site on the menu. 4. Respond to the prompts by the Web site creation wizard. 5. After you create the virtual site, you must protect it with an application domain, as described elsewhere in this guide. 60.3.7.2 Testing Impersonation Using the Event Viewer When you perform impersonation testing using the Windows 2008 Event Viewer, you must configure the event viewer before conducting the actual test. 1. Select Start Menu > Event Viewer. 2. In the left pane, right-click Security, then click Properties. 3. Click the Filter tab on the Security property sheet. 4. Verify that all Event Types are checked and the Event Source and Category lists are set to All, then click OK to dismiss the property sheet. Your Event Viewer is now configured to display information about the headerVar associated with a resource request. 60-8 Administrator's Guide for Oracle Access Management Enabling Impersonation With a Header Variable Figure 60–3 Verifying Event Viewer Settings 5. Create a new IIS virtual server (virtual site). 6. Place a target Web page anywhere in the tree on the virtual site. 7. Point your browser at the Web page If impersonation is working correctly, the Event Viewer will report the success of the access attempt. 60.3.7.3 Testing Impersonation using a Web Page You can also test impersonation using a dynamic test page, such as a.asp page or a Perl script, that can return and display information about the request. 1. Create a .asp page or Perl script that will display the parameters AUTH_USER and IMPERSONATE. It can resemble the sample page presented in the following listing:
Variable    Value
<%=servervar%>    <%=request.servervariables(servervar)%> 
<%for each servervar in request.servervariables%> 2. Create an IIS virtual site, or use the one you created for the previous task. 3. Place a .asp page or Perl script (such as the sample in the preceding listing) anywhere in the tree of the new virtual site. 4. Point your browser at the page. The page should display, with both AUTH_USER and IMPERSONATE set to the name of the user making the request. Integrating Access Manager with Outlook Web Application 60-9 Setting Up Impersonation for Outlook Web Application (OWA) 60.4 Setting Up Impersonation for Outlook Web Application (OWA) In a distributed Exchange/OWA single sign-on environment, each server needs Access Manager to impersonate the current user. When you enable Impersonation, you need to include additional HTTP headers in the "Response" tab of the Authorization Policy of your impersonation application domain. The following solution has been tested in both standalone and distributed OWA environments. 1. Install Access Manager 11g, as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. 2. Install a 11g WebGate on all OWA client servers, as described in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management. 3. On the WebGate registration page, Disable IP Checking for Webgates on the back-end server using the AccessGate (because the request comes from the front-end server, not from the user's browser). 4. Ensure that OWA is not using Integrated Windows Authentication, as described in "Prerequisites to Setting Impersonation for Outlook Web Application" on page 60-10. 5. Create a trusted user account for only impersonation in the Active Directory, as described in "Creating a Trusted User Account for Outlook Web Application" on page 60-11. 6. Give the trusted user the special right to act as part of the operating system, as described in "Assigning Rights to the Outlook Web Application Trusted User" on page 60-11. 7. Bind the trusted user to the WebGate by supplying the authentication credentials for the trusted user, as described in "Binding the Trusted Outlook Web Application User to Your WebGate" on page 60-11. 8. Add a header variable named impersonate to the Authorization Policy Response tab (in the impersonation application domain), as described in, as described in "Adding an Impersonation Action to an Application Domain for Outlook Web Application" on page 60-12. 9. Configure IIS by adding IISImpersonationModule.dll to your IIS configuration, as described in "Adding an Impersonation dll to IIS" on page 60-13. 10. Test Impersonation, as described in "Testing Impersonation for Outlook Web Application" on page 60-14. See Also: "Enabling Impersonation With a Header Variable" on page 60-3. 60.4.1 Prerequisites to Setting Impersonation for Outlook Web Application Before setting Impersonation for Outlook Web Application, ensure that OWA is not using Integrated Windows (or any other) Authentication. If it is not, you can use the following steps to set up OWA with Windows Authentication. 1. Open Exchange Management console. 2. Go to Server Configuration and click Client Access. 3. Select Outlook Web Access and click Properties. 4. In the Properties dialog box, click the Authentication tab. 60-10 Administrator's Guide for Oracle Access Management Setting Up Impersonation for Outlook Web Application (OWA) 5. Clear (unselect) all the authentication methods. 6. Click Apply, and click OK. 7. Restart the IIS server. 8. Proceed with "Creating a Trusted User Account for Outlook Web Application." 60.4.2 Creating a Trusted User Account for Outlook Web Application This special user should not be used for anything other than impersonation. Oracle recommends that you chose a very complex password, because your trusted user is being given very powerful permissions. Also, be sure to check the box marked Password Never Expires. Since the impersonation module should be the only entity that ever sees the trusted user account, it would be very difficult for an outside agency to discover that the password has expired. 1. On the Windows 2008 machine, select Start; Programs; Administrative tools, Active Directory Users and Computers. 2. In the Active Directory Users and Computers window, right-click Users on the tree in the left pane, then select New; User. 3. In the First name field of the pane entitled New Object - User, enter an easy-to-remember name such as OWAImpersonator. 4. Copy this same string to the User logon name field, then click Next. 5. In succeeding panels, you will be asked to choose a password and then retype it to confirm. 6. Proceed to "Assigning Rights to the Outlook Web Application Trusted User" on page 60-11. 60.4.3 Assigning Rights to the Outlook Web Application Trusted User You need to give the trusted user the right to act as part of the operating system. 1. Select Control Panel, Administrative Tools; and click either the Domain Controller Security Policy (if the computer is a domain controller) or Local Security Policy. 2. On the tree in the left pane, click the plus icon (+) next to Local Policies. 3. Click User Rights Assignment on the tree in the left pane. 4. Double-click "Act as part of the operating system" in the right pane. 5. Click Add User or Group. 6. In the Add User or Group panel, type the User logon name of the trusted user (OWAImpersonator in our example) in the User and group names text entry box, then click OK to register the change. 7. Proceed to "Binding the Trusted Outlook Web Application User to Your WebGate." 60.4.4 Binding the Trusted Outlook Web Application User to Your WebGate You need to bind the trusted user to the WebGate by supplying the authentication credentials for the trusted user, as described in the following procedure. When the bind has been created for the WebGate and the trusted user, WebGate is ready to provide impersonation on demand. The demand is created by a Response set in the Authorization Policy of application domain created for impersonation. Integrating Access Manager with Outlook Web Application 60-11 Setting Up Impersonation for Outlook Web Application (OWA) The following procedure presumes that you have registered a 11g WebGate (ImpersonateAgent) with Access Manager. The values in the following procedure are provided as an example only. Your environment will be different. Chapter 15, "Registering and Managing OAM 11g Agents" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management See Also: 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. in the Launch Pad tab, click Agents. 3. Find the desired 11g WebGate registration to modify for this integration. For example: ImpersonateAgent. ■ Find All Enabled: Select State All, click the Search button, click the desired Webgate name in the results list. 4. Open the Webgate registration page and enter the SharePoint username and password for the trusted user account, which you created earlier. 5. Click Apply to commit the changes. A bind has been created for the Webgate and the trusted user. The Webgate is now ready to provide impersonation on demand. The demand is created by an Authorization Success Action in the application domain created for impersonation. 60.4.5 Adding an Impersonation Action to an Application Domain for Outlook Web Application You must create or configure a application domain to protect your OWA resources (/owa and /ecp only). Ensure that IISImpersonation Module.dll is applied only to "owa" and "ecp" applications in IIS7.x, and removed from the site level. Note: The Authorization policy must set several HTTP Header variables (Header type Responses in the Authorization policy). This procedure presumes that you have an existing application domain for the 11g WebGate (ImpersonateAgent) you registered with Access Manager. See Also: The chapter on managing policies to protect resources and enable SSO in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management. 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. Click Application Domains in the Access Manager section. 3. Search for and open the OWA2010 Application Domain (the relevant application domain for impersonation). Navigate as follows: 60-12 Administrator's Guide for Oracle Access Management Setting Up Impersonation for Outlook Web Application (OWA) Authorization Policies Protected Resource Policy Responses 4. Click the Add button, then Add Response. Complete the form as follows: ■ ■ ■ From the Type list, choose Header. In the Name field, type a unique name for this response. For example, IMPERSONATE. In the Value field, type a value for this response. For example, $user.userid. 5. Click Add, then click Apply to submit the changes. 6. Go to the next section, "Adding an Impersonation DLL to IIS." This Response is used for the second Webgate request (for authorization). 60.4.6 Adding an Impersonation dll to IIS You are ready to configure IIS by adding the IISImpersonationModule.dll to your IIS configuration. You also need to set Enable Anonymous Access because this is required for impersonation of a user. 1. Select Start, Administrative Tools, Internet Information Services (IIS) Manager. 2. In the left pane of IIS 7.x, click the hostname. 3. In the middle pane, under the IIS header, double click on Modules. 4. In the right pane, click Configure Native Modules and click Register. 5. In the window, provide a module Name (for example, Oracle Impersonation Module). 6. In the Path field, type the full path to IISImpersonationModule.dll. By default, the path is: Webgate_install_dir\webgate\iis\lib\IISImpersonationModule.dll Where Webgate_install_dir is the directory of your WebGate installation. If any spaces exist in the path (for example, C:\Program Files\Oracle\...) surround the entire string with double quotes (" "). Note: 7. Click OK to register the module. 8. Check the name of the newly created module and click OK to apply the module across the Web sites. 60.4.7 Configuring IIS Security Be sure to configure IIS Security before you continue. Figure 60–4 shows an example. Integrating Access Manager with Outlook Web Application 60-13 Setting Up Impersonation for Outlook Web Application (OWA) Figure 60–4 Impersonation Authentication 1. Select Start, Administrative Tools, Internet Information Services (IIS) Manager. 2. Click the plus icon (+) to the left of the local computer icon on the tree in the left pane. 3. Click Web Sites on the tree in the left pane. 4. In the center pane, double-click Authentication under IIS. 5. Ensure that Anonymous Authentication is enabled and Windows Authentication is disabled. 60.4.8 Testing Impersonation for Outlook Web Application The following options are provided to test the Impersonation configuration for OWA. ■ Testing Impersonation Using the Event Viewer ■ Testing Impersonation using a Web Page 60.4.8.1 Testing Impersonation Using the Event Viewer Use this procedure to test impersonation through the Event Viewer. 1. Select Start Menu; Event Viewer. 2. In the left pane, right-click Security, then click Properties. 3. Click the Filter tab on the Security property sheet. 4. Verify that all Event Types are checked, and the Event Source and Category lists are set to All, then click OK to dismiss the property sheet. 5. Your Event Viewer is now configured to display information about the headerVar associated with a resource request. 6. Create a new IIS virtual server (virtual site). 7. Place a target Web page anywhere in the tree on the virtual site. 8. From your browser, enter the URl to the Web page. If impersonation is working correctly, the Event Viewer will report the success of the access attempt. 60-14 Administrator's Guide for Oracle Access Management Setting Up Access Manager WNA for Outlook Web Application 60.4.8.2 Testing Impersonation using a Web Page You can also test impersonation using a dynamic test page that can return and display information about the request. 1. Create a.asp page or Perl script that will display the parameters AUTH_USER and IMPERSONATE. It can resemble this sample page:
Variable    Value
<%=servervar%>    <%=request.servervariables(servervar)%> 
<%for each servervar in request.servervariables%> 2. Create an IIS virtual site, or use the one you created for the previous task. 3. Place the a.asp page or Perl script (such as the sample in the preceding listing) anywhere in the tree of the new virtual site. 4. Point your browser at the page, which should appear, with both AUTH_USER and IMPERSONATE set to the name of the user making the request. 60.4.8.3 Conducting Negative Testing for Impersonation To conduct negative testing for impersonation, you need to unbind the trusted user from the WebGate, as explained in the following procedure. 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Launch Pad tab, click Agents. 3. Search for the desired WebGate and open it for editing. 4. In the WebGate registration page, remove the credentials for the trusted user. 5. Click Apply to save the change. 6. Restart the IIS server and in a browser window, go to a protected code page (previously accessible to the trusted user). 7. Confirm that you receive a message page. Values for AUTH_USER and IMPERSONATE are necessary for impersonation credentials to be bound to a Webgate. 8. Restore the trusted user to the WebGate registration page. 60.5 Setting Up Access Manager WNA for Outlook Web Application Access Manager 11g can operate with Windows Native Authentication (WNA). This section describes setting up Access Manager with Windows Native Authentication (WNA) for Outlook Web Application (OWA). Enabling WNA for the IIS Site front-ending OWA is described in the following procedure. It presumes a fully-configured Microsoft Active Directory authentication service is set up with user accounts to map Kerberos services, Service Principal Names Integrating Access Manager with Outlook Web Application 60-15 Setting Up Access Manager WNA for Outlook Web Application (SPNs) for those accounts, and key tab files. For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.3) E13707-03. You need to configure Access Manager to use Windows Native Authentication (WNA), as described in Chapter 57, "Configuring Access Manager for Windows Native Authentication." 1. Perform all prerequisite tasks. 2. Open IIS Authentication (OWA on the front-ending Site). 3. Enable Windows authentication. 4. Click on Provider. 5. Add Negotiate to Provider and move it to the top of the list. 6. Create a policy to protect OWA in IIS, as described in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management. 60-16 Administrator's Guide for Oracle Access Management 61 Integrating Microsoft Forefront Threat Management Gateway 2010 with Access Manager 61 This chapter describes how to configure communication between Access Manager and Microsoft Forefront Threat Management Gateway (TMG) 2010. The following sections are provided: ■ What is New in This Release? ■ Introduction to Integration with TMG Server 2010 ■ Creating a Forefront TMG Policy and Rules ■ Installing and Configuring 10g Webgate for Forefront TMG Server ■ Configuring the TMG 2010 Server for the ISAPI 10g Webgate ■ Starting, Stopping, and Restarting the TMG Server ■ Removing Access Manager Filters Before WebGate Uninstall on TMG Server ■ Troubleshooting 61.1 What is New in This Release? Support for integration between Access Manager and Microsoft Forefront Threat Management Gateway (TMG) 2010. Details in this chapter presume that you are familiar with Access Manager policies and operation. 61.2 Introduction to Integration with TMG Server 2010 This section provides an overview of the tasks that, once performed, enable this integration. Topics included are: ■ About This Integration ■ About Confirming Certification Requirements 61.2.1 About This Integration Microsoft Forefront Threat Management Gateway (TMG) 2010 is the next generation of the Internet Security and Acceleration (ISA) Server 2006. This chapter provides steps to configure an open (non-secured) connection between the Forefront TMG Web server and Access Manager. This communication is based on using a 10g Webgate for ISAPI. Integrating Microsoft Forefront Threat Management Gateway 2010 with Access Manager 61-1 Creating a Forefront TMG Policy and Rules For details about using a secured connection, see your Forefront TMG Server documentation. You can have IIS Web server and Forefront TMG installed on same or on different computer. In examples in ths chapter, both reside on same host. The following overview outlines the tasks that you must perform and the topics where you will find the steps to set up the ISAPI Webgate with the TMG Server within this chapter. Task overview: Installing and configuring the ISAPI Webgate on TMG Server 1. Getting the latest certification matrix as described in "About Confirming Certification Requirements". 2. "Creating a Forefront TMG Policy and Rules" 3. "Installing and Configuring 10g Webgate for Forefront TMG Server" 4. "Configuring the TMG 2010 Server for the ISAPI 10g Webgate" 61.2.2 About Confirming Certification Requirements Any references to specific versions and platforms in this chapter are for demonstration purposes. For the latest certification information, see Oracle Technology Network at: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-10 0350.html 61.3 Creating a Forefront TMG Policy and Rules After you install Forefront TMG 2010, other computers cannot ping the computer hosting Forefront because the default firewall policy denies all the traffic from and to the host. This section provides the information you need for: ■ Creating a Custom Policy for Forefront TMG ■ Creating a Forefront TMG Firewall Policy Rule ■ Verifying Forefront TMG Proxy Configuration 61.3.1 Creating a Custom Policy for Forefront TMG Use the following procedure to create a custom Forefront firewall policy. Prerequisites Install Forefront TMG 2010 using documentation from your vendor. To create a custom policy to over ride the default firewall policy 1. Open the Forefront TMG console: Start, Programs, Microsoft Forefront TMG, Forefront TMG Management. 2. From the left pane, click Firewall Policy. 3. From the right pane, click Create Access Rule to create a custom policy, 4. Create a rule with the following attributes and values assigned: ■ Name: Name for custom policy ■ Action =Allow ■ Protocol =All Outbound 61-2 Administrator's Guide for Oracle Access Management Creating a Forefront TMG Policy and Rules ■ Malware Inspection = Don not enable Malware Inspection for this rule ■ From =External,Internal,Local Host ■ To= External,Internal,Local Host ■ Condition =All Users 5. Click Next to create the Access Rule, then click Apply. 6. Restart Forefront TMG to have changes take affect: 7. ■ Stop Firewall Service use the command net stop fwsrv ■ Start Firewall Service use the command net start fwsrv Proceed to "Creating a Forefront TMG Firewall Policy Rule" 61.3.2 Creating a Forefront TMG Firewall Policy Rule To protect the resource, you must create a firewall policy rule using the Forefront TMG console as described in the following procedure. When you create a listener for Authentication Preferences, be sure to check Allow client authentication over HTTP and Require All users to authenticate. Otherwise, you will not be able to access the published Web site using the TMG proxy. Authentication Delegation is used by the TMG server to authenticate to the published Web server. You can have IIS and Forefront TMG installed on the same (or a different) computer. Here, both reside on same host. Note: To create a custom policy to override the default firewall policy 1. Open the Forefront TMG console: Start, Programs, Microsoft Forefront TMG, Forefront TMG Management. 2. From the left pane, click Firewall Policy. 3. From the Tasks tab, click Publish Web Sites. 4. In the Web publishing rule name field, type a descriptive name for the rule, and then click Next. 5. On the Select Rule Action page, confirm that the Allow option is selected, and then click Next. 6. In the Publishing type, confirm that the Publish a single Web site or load balancer option is selected, and then click Next. Step 7 describes configuration with an open (non-secured) connection with the Web server. If you are using a secured connection, see your Forefront TMG Server documentation. 7. On the Server Connection Security page, click Use non-secured connections to connect the published Web server or server farm, and then click Next. 8. Perform the following steps to set internal publishing details: ■ ■ In the Internal site name field, type the internally-accessible name of the IIS/apache Web server host: iis_host.us.example.com, for example. Check the box beside Use a computer name or IP address to connect to the published serve (or enter the IP address of the IIS Web server host). Integrating Microsoft Forefront Threat Management Gateway 2010 with Access Manager 61-3 Creating a Forefront TMG Policy and Rules ■ 9. Click Next. Protecting Resources: Perform following steps to protect resources within a particular folder in the Web site (or a single resource): The folder must reside within htdocs/wwwroot of the corresponding Web server. Note: ■ Folder Containing Resources: In the Path field, type the folder name to display the full path of the published Web site in the Web site field (Res/* for example). ■ Single Resource: Type the resource name (test.html for example). ■ Click Next. 10. In the Accept requests for list: ■ ■ ■ Click your domain name (for example: myhost.example.com). In the Public name field, type the publicly-accessible fully-qualified Web site domain name of the host where Forefront TMG will be installed (for example: myhost.example.com). Click Next. 11. In the Web listener list, either click the Web listener to use for this Web publishing rule, or create a new Web listener as follows: Listener can also be configured in SSL mode if required; see your Forefront TMG documentation. Note: ■ ■ ■ ■ ■ ■ Click New, type a descriptive name for the new Web listener, and then click Next. Click Do not require SSL secured connections with clients, and then click Next. In the Listen for requests from these networks list, click the required networks (External, Internal, and Localhost) then click Next. Click No on the message that appears. In the Select how clients will provide credentials to Forefront TMG Server list, click No Authentication, and then click Next. On the Single Sign On Settings page, click Next, and then click Finish. 12. On the Select Web Listener page: ■ Click Edit. ■ Click connections tab. ■ Provide any unused port for Enable HTTP connections on port attribute (This will act as Forefront TMG port.) ■ Click Apply; click Ok. ■ Click Next. ■ On the Single Sign On Settings page, click Next, and then click Finish. 61-4 Administrator's Guide for Oracle Access Management Creating a Forefront TMG Policy and Rules 13. Authentication Delegation: Perform the following steps to choose the method used by Forefront TMG to authenticate to the published Web server list. ■ Click No Delegation, and Client Cannot Authenticate Directly. ■ Click Next. 14. On the User Sets page: ■ ■ Choose All (the default user setting - All Users) to set the rule that applies to requests from the user sets field. Click Next, and then click Finish. 15. Click Apply to update the firewall policy, and then click OK. 16. Double-click the recently created Firewall Policy. 17. Bridging: ■ ■ Open the Bridging tab. Provide suitable unused port for Redirect request to HTTP port attribute (which will act as the IIS or Apache Web server port). 18. Click Apply to update the firewall policy, and then click OK. 19. IIS or Apache Web server. 20. Restart Forefront TMG to have changes take affect: ■ Stop Firewall Service use the command net stop fwsrv ■ Start Firewall Service use the command net start fwsrv 21. Double-click the rule just created: ■ Open the Link Translation tab. ■ Confirm that Apply Link Translation to this rule is checked. ■ Click the Mapping button to see the mapping created between Forefront TMG and IIS or Apache 22. Proceed to "Verifying Forefront TMG Proxy Configuration" 61.3.3 Verifying Forefront TMG Proxy Configuration To validate the Forefront TMG proxy configuration, you can simply access the protected resource using the TMG port, as described in the following procedure. To verify Forefront TMG proxy configuration 1. Protected Single Resource: Enter the URL to the TMG host and port where the protected resource resides. For example: http://TMG_hostname:TMG_port/resource_name 2. Protected Folder: Enter the URL to the TMG host and port where the folder containing the resource resides. For example: http://TMG_hostname:TMG_port/folder-name/resource_name 3. Confirm there are no issues accessing the protected resource. Integrating Microsoft Forefront Threat Management Gateway 2010 with Access Manager 61-5 Installing and Configuring 10g Webgate for Forefront TMG Server 61.4 Installing and Configuring 10g Webgate for Forefront TMG Server This section describes how to set up the 10g Webgate and register plug-ins as Web filters. Task overview: Configuring Webgateand Filters for TMG Server includes 1. Installing 10g Webgate with TMG Server 2. Changing /access Directory Permissions 3. Registering Access Manager Plug-ins as TMG Server Web Filters 4. Ordering the ISAPI Filters 5. Verifying Form-based Authentication 61.4.1 Installing 10g Webgate with TMG Server When you install Webgate with the Forefront TMG Server, the destination for the ISAPI Webgate installation (also known as the Webgate_install_dir) should be same as that of the Microsoft Forefront TMG. For example, if Forefront TMG is installed in C:\Program Files\Microsoft Forefront Threat Management Gateway, the ISAPI Webgate should also be installed there. Task overview: Installing the ISAPI Webgate for Forefront TMG Server 1. Register a 10g ISAPI Webgate with Access Manager, as described in Chapter 30, "Registering and Managing 10g WebGates with Access Manager 11g." Note: During Webgate installation, select the TMG option. 2. Install the ISAPI Webgate for TMG, as described in Section 30.7, "Locating and Installing the Latest 10g WebGate for Access Manager 11g." 3. Proceed to the "Changing /access Directory Permissions" section. 61.4.2 Changing /access Directory Permissions After finishing ISAPI Webgate installation and configuration for the Forefront TMG Server, you must change permissions to the \access subdirectory. This subdirectory was created in the Forefront TMG Server (also Webgate) installation directory. You must add the user NETWORK SERVICE and grant full control to SYSTEM ADMINISTRATOR. This enables the Forefront TMG Server to establish a connection between the Webgate and Access Server. Certain configuration files should be readable by system administrators, which is why you grant SYSTEM ADMINISTRATOR full control. Webgate in Simple Mode: add user NETWORK SERVICE and give Full Control for the password.xml file in TMG_install_ dir\access\oblix\config\password.xml. Note: To change permissions for the \access subdirectory 1. In the file system, right-click Webgate_install_dir\access, and select Properties. 2. In the Properties window, click the Security tab. 61-6 Administrator's Guide for Oracle Access Management Configuring the TMG 2010 Server for the ISAPI 10g Webgate 3. Add user "NETWORK SERVICE" and then select "Allow" to give "Full Control". 4. For the "SYSTEM ADMINISTRATOR", select "Full Control". 5. Proceed to the "Configuring the TMG 2010 Server for the ISAPI 10g Webgate" section. 61.5 Configuring the TMG 2010 Server for the ISAPI 10g Webgate The following topics describe how to configure the TMG Server to operate with the 10g ISAPI Webgate for Access Manager. Task overview: Configuring the TMG 2010 Server for the ISAPI 10g Webgate 1. Registering Access Manager Plug-ins as TMG Server Web Filters 2. Ordering the ISAPI Filters 3. Verifying Form-based Authentication. 61.5.1 Registering Access Manager Plug-ins as TMG Server Web Filters After resetting ISAPI Webgate permissions, you need to register Access Manager webgate.dll and postgate.dll plug-ins as Web Filters within Forefront TMG Server. Web filters screen all HTTP traffic that passes through the TMG Server host. Only compliant requests are allowed to pass through. The following procedure describes how to register Access Manager plug-ins in the TMG Server. To undo the filter registration, you can use the following procedure with the /u option in the regsvr32 command. For example: regsvr32 /u TMG_install_ dir\access\oblix\apps\webgate\bin\webgate.dll Note: To register Access Manager plug-ins as TMG Server Web filters Locate the TMG Server installation directory, from which you will perform the following tasks. 1. 2. Run net stop fwsrv to stop the TMG Server. 3. Register the webgate.dll as an ISAPI Web filter by running: regsvr32 TMG_install_dir\access\oblix\apps\webgate\bin\webgate.dll 4. Register the postgate.dll as an ISAPI Web filter by running: regsvr32 TMG_install_dir\access\oblix\apps\webgate\bin\postgate.dll 5. Restart the TMG Server by running net start fwsrv. 6. Proceed to "Ordering the ISAPI Filters". 61.5.2 Ordering the ISAPI Filters It is important to ensure that the Webgate ISAPI filters are included in the right order. postgate.dll should be loaded before webgate.dll. Integrating Microsoft Forefront Threat Management Gateway 2010 with Access Manager 61-7 Starting, Stopping, and Restarting the TMG Server To order the Webgate ISAPI filters for TMG Server 1. From the Start menu, click All Programs, click Microsoft Forefront TMG, then click Forefront TMG Management. 2. In the left pane, select System, then select Web Filters, to display your Web-filters. 3. Confirm the following .dll files appear. For example: postgate.dll webgate.dll 4. Add any missing filters, if needed, then select a filter name and use the up and down arrows to arrange the filter order as shown in Step 3. 5. Proceed with "Verifying Form-based Authentication". 61.5.3 Verifying Form-based Authentication Here you ensure that the published Web site is accessible using the TMG proxy and verify that form-based authentication is working. TMG supports both Basic over LDAP and Form-based or Basic authentication. You can choose the desired authentication scheme. TMG need access to login.html, which you configure as described here. To verify that form-based authentication is working 1. Store the login page at the docroot of the Web server protecting the resource so that the TMG server can access the login page. 2. Ensure that the published Web site is accessible to the TMG proxy. 3. Open the Forefront TMG console: Start, Programs, Microsoft Forefront TMG, Forefront TMG Management. 4. From the left pane, select the Firewall Policy. 5. On the right, under the Firewall Policy Rule, select the rule that was created to protect the resource. 6. Go to the policy rule properties, select the Path tab, then add the /login.html and click OK. 7. Click Apply to save changes and update the configuration. 8. Restart Forefront TMG to have changes take affect: ■ Stop Firewall Service use the command net stop fwsrv ■ Start Firewall Service use the command net start fwsrv 61.6 Starting, Stopping, and Restarting the TMG Server When instructed to restart your TMG Server during Access Manager Web component installation or setup, be sure to follow any instructions that appear on the screen. Also, the net commands help to ensure that the Metabase does not become corrupted following an installation. Consider the following commands, hich provide good ways to stop and start the TMG Server: ■ net stop fwsrv ■ net start fwsrv 61-8 Administrator's Guide for Oracle Access Management Troubleshooting For more information, see your TMG Server documentation. 61.7 Removing Access Manager Filters Before WebGate Uninstall on TMG Server If you plan to uninstall the Webgate that is configured to operate with the TMG Server, you must first unregister the Access Manager filters manually, and then uninstall Webgate. To unregister filters before WebGate uninstall 1. Stop the TMG Server. 2. Run the following command to unregister webgate.dll. For example: regsvr32 /u TMG_install_dir\access\oblix\apps\webgate\bin\webgate.dll 3. Run the following command to unregister postgate.dll. For example: regsvr32 /u TMG_install_dir\access\oblix\apps\webgate\bin\postgate.dll 61.8 Troubleshooting The error "Failed Connection Attempt" in TMG logs on accessing any Access Manager protected resource does not affect functionality and can be ignored. Integrating Microsoft Forefront Threat Management Gateway 2010 with Access Manager 61-9 Troubleshooting 61-10 Administrator's Guide for Oracle Access Management 62 Integrating Access Manager with SAP NetWeaver Enterprise Portal 62 This chapter describes the integration of Access Manager 11.1.2 with SAP NetWeaver Enterprise Portal. This chapter covers the following topics: ■ What is Supported in This Release? ■ Supported Versions and Platforms ■ Integration Architecture ■ Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x ■ Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.4.x ■ Testing the Integration ■ Troubleshooting the Integration 62.1 What is Supported in This Release? Versions 7.0.x and 7.4.x of SAP NetWeaver Enterprise Portal are supported in this release. Access Manager supports SAP NetWeaver Enterprise Portal v7.4.x with the following caveats: ■ ■ Apache 2.2.x and 2.0.x (from Apache.org) are supported Web servers with this release. MySAP is not certified. Access Manager supports SAP NetWeaver Enterprise Portal v6.0 and v7.0.x with the following caveats: ■ Apache 2.0 (from Apache.org) is supported as a Web server with this release. ■ MySAP is not certified. 62.2 Supported Versions and Platforms Access Manager supports the versions and platforms described on the following site: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-10 0350.html Integrating Access Manager with SAP NetWeaver Enterprise Portal 62-1 Integration Architecture 62.3 Integration Architecture The following diagram illustrates the integration between Access Manager and SAP NetWeaver Enterprise Portal. 62.3.1 Process Overview: Integration with SAP NetWeaver Enterprise Portal 1. A user attempts to access content via the SAP NetWeaver Enterprise Portal. For example, the user may enter the following URL to access an HR application through a proxy server: https://host:port/irj 2. The WebGate intercepts the request and queries the Access Server for the security policy that determines if the resource is protected. The security policy consists of an authentication scheme, authorization rules, and allowed operations. Based on the authentication and authorization success or failure, specified actions are performed. The Access System security policy for the SAP /irj login URL is applicable to all resources accessed using the https://host:port/irj URL. Note that the SAP NetWeaver Enterprise Portal has its own authorization system that can be configured to set user access to iViews. 3. If the resource is protected, the WebGate prompts the user for authentication credentials. The credentials that the WebGate requests depend on the authentication scheme configured in the Access System, for example, Basic over LDAP or Form-based authentication. 4. If the credentials are validated, the Access System authenticates the user and sets an encrypted ObSSOCookie in the user's browser. 5. After authenticating, the authorization rules defined in the Access System are applied based on the security policy. Specific actions are performed based on the authorization rules. If the user is authorized, access to the SAP Portal login (the requested content) is allowed. For SAP Enterprise Portal header variable integration, the Access Server sets the authenticated user ID in a header variable. 62-2 Administrator's Guide for Oracle Access Management Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x If the user is not authenticated or authorized, he or she is denied access and redirected to another URL, as determined by the administrator. For example, the user may be redirected to an "invalid credentials" page. 6. For the integration with SAP NetWeaver Enterprise Portal, the proxy Web server redirects the request to the SAP NetWeaver Enterprise Portal internal Web server that contains the header variable details. 7. The SAP NetWeaver Enterprise Portal uses the header variable value to check the mapping of the user ID against the configured data source in the portal. Both the Access Manager and SAP NetWeaver Enterprise Portal data source must contain the same user ID value. Upon successful mapping, SAP NetWeaver Enterprise Portal allows the user to access the requested resource. SAP NetWeaver Enterprise Portal sends a response to the proxy, and the proxy redirects to the client browser. 8. All interaction with the SAP Enterprise Portal takes place through the proxy server. 62.4 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x This section describes how to configure Access Manager and SAP NetWeaver Enterprise Portal 7.0.x to work together. This section contains the following tasks: ■ Before You Begin ■ Configuring the Apache HTTP Server as a Proxy ■ Configuring SAP NetWeaver Enterprise Portal for External Authentication ■ Adjusting the Login Module Stacks for using Header Variables ■ Configuring Access Manager for SAP Enterprise Portal 62.4.1 Before You Begin ■ ■ ■ ■ ■ ■ Install SAP NetWeaver Enterprise Portal before completing the steps in this section. Install the Apache HTTP Server by following the installation steps provided by apache.org. Install and configure a WebGate on each Apache HTTP Server instance that supports the proxy connection to the SAP Enterprise Portal instance. See Installing Webgates for Oracle Access Manager for details. Install Access Manager before completing the steps in Section 62.4.5, "Configuring Access Manager for SAP Enterprise Portal." See the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management for details. Synchronize the time on all servers where SAP NetWeaver Enterprise Portal and Access Manager components are installed. Ensure that the users exist in the Access Manager LDAP directory as well as on the SAP R3 system database. Integrating Access Manager with SAP NetWeaver Enterprise Portal 62-3 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x The user ID in Access Manager and the SAP database must be the same or be mapped to each other. Any attribute in a user's profile can be configured as the SAP ID and passed directly to SAP. Alternatively, SAP can be configured to map the SAP ID to any user attribute that it receives from Access Manager. ■ Verify that the Web browser is configured to allow cookies. Oracle suggests reviewing the following topics prior to integrating Access Manager with SAP NetWeaver Enterprise Portal. Note: ■ ■ ■ Chapter 5, "Managing Data Sources" to understand how to add and configure data sources in Access Manager. Chapter 22, "Managing Authentication and Shared Policy Components" to understand how to configure Form and Basic mode authentication in Access Manager. Section C.4, "Configuring Cert Mode Communication for Access Manager" to understand how to configure Cert mode for Access Manager. 62.4.2 Configuring the Apache HTTP Server as a Proxy The following procedure describes how to configure a proxy (Apache HTTP Server 2.0.x) to access SAP NetWeaver Enterprise Portal. To configure Apache HTTP Server 2.0.x 1. Set up the Apache HTTP Server proxy in non-SSL mode or SSL mode, as described in the Apache documentation. If HTTPS communication is used with the SAP NetWeaver Enterprise Portal, use SSL mode. 2. To enable the proxy to access the SAP NetWeaver Enterprise Portal, enter the following in the httpd.conf configuration file: For SAP NetWeaver Enterprise Portal 6: ProxyRequests Off ProxyPass /irj http://sap_host:port/irj ProxyPassReverse /irj http://sap_host:port/irj ProxyPreserveHost On For SAP NetWeaver Enterprise Portal 7: ProxyRequests Off ProxyPass /webdynpro http://sap_host:port/irj ProxyPassReverse /webdynpro http://sap_host:port/irj ProxyPreserveHost On Where sap_host is the name of the machine hosting the SAP NetWeaver Enterprise Portal instance and port is the listen port for the SAP NetWeaver Enterprise Portal instance. This set of directives specifies that all of the requests to this Web server of the form http://apache_host:port/irj or https://apache_host:port/irj are redirected to http://sap_host:port/irj or https://sap_host:port/irj. 3. Restart the proxy Web server. 4. Access the following URL: Non-SSL—http://apachehost:port/irj 62-4 Administrator's Guide for Oracle Access Management Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x SSL—https://apachehost:port/irj This request should be redirected to the SAP NetWeaver Enterprise Portal login. 5. Log in using the SAP NetWeaver Enterprise Portal administrator login ID. The administrator should be able to perform the available administrative functions. 6. Log in as a non-administrative user. This user should be able to perform non-administrative functions. 62.4.3 Configuring SAP NetWeaver Enterprise Portal for External Authentication The following steps describe enabling external authentication in SAP Enterprise Portal using the OB_USER header variable. For more information about configuring authentication schemes for SAP Enterprise Portal, see the SAP documentation. To configure the header variable 1. Stop the SAP J2EE dispatcher and server. 2. Browse to the following directory: SAP_J2EE_engine_install_dir\ume 3. Back up the file authschemes.xml.bak to another directory. 4. Rename authschemes.xml.bak to authschemes.xml. 5. Open authschemes.xml in an editor and change the reference of the default authentication scheme to the authentication scheme header as follows: header uidpwdlogon 6. In the authentication scheme header of authschemes.xml, specify the name of the HTTP header variable where the Access System provides the user ID. As described in "Configuring Access Manager for SAP Enterprise Portal" on page 62-7, this is the OB_USER header variable. You configure this header variable as follows: com.sap.security.core.logon.imp.HeaderVariableLoginModule REQUISITE Header=OB_USER 5 2 com.sap.portal.runtime.logon.header The control flag value REQUISITE means the login module must succeed. If login succeeds, authentication continues through the list of login modules. If it fails, Integrating Access Manager with SAP NetWeaver Enterprise Portal 62-5 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x control immediately returns to the application and authentication does not continue through the list of login modules. 7. Restart the portal server and J2EE engine. The modified authschemes.xml file will be loaded into the Portal Content Directory (PCD). SAP Enterprise Portal will rename it as authschemes.xml.bak. To Configure Logout 1. To enable logout from a single sign-on session in both SAP Enterprise Portal and Access Manager, configure a logout URL in SAP Enterprise Portal from the administration interface. The URL for the administration interface is as follows: http://SAP_host:port/irj/ Where SAP_host is the name of the machine hosting the SAP Enterprise Portal and port is the listen port for the portal. 2. From the administration interface, click System Administration, then System Configuration, then UM Configuration, then Direct Editing. 3. Add the following lines to the end of the configuration file: ume.logoff.redirect.url=http(s)://proxy_host:port/logout.html ume.logoff.redirect.silent=false Where http(s) is either http or https, proxy_host is the name of the proxy Web server, and port is the listen port for the proxy. 4. Save the changes and log out. 62.4.4 Adjusting the Login Module Stacks for using Header Variables Add the HeaderVariableLoginModule to the appropriate login module stack or template and configure the options as described here. Table 62–1 Login Module Stacks for using Header Variables Login Modules Flag Options EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true HeaderVariableLoginModule OPTIONAL {ume.configuration.active=true, Header=} CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true} BasicPasswordLoginModule REQUISITE {} CreateTicketLoginModule OPTIONAL {ume.configuration.active=true} To adjust the Login Module Stacks for using Header Variables Run the Visual Administrator tool, in the following location: 1. SAPJ2EEEngine_install_dir\j2ee\admin\go.bat 2. In the Visual Administrator, choose Security Provider. 3. Switch to edit mode by choosing the pencil icon. 4. Choose Policy Configurations, then Authentication. 5. For each template or application that is to support header variable authentication, add the login module HeaderVariableLoginModule to the login module stack (see Table 62–1. 62-6 Administrator's Guide for Oracle Access Management Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x 62.4.5 Configuring Access Manager for SAP Enterprise Portal The following procedure describes configuration of the security policy in Access Manager to protect log-ins to SAP NetWeaver Enterprise Portal. To configure Access Manager for SAP NetWeaver Enterprise Portal 1. In to the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Launch Pad tab, select Create Application Domain from the Create (+) drop-down menu in the Access Manager section. The Create OAM 11g Webgate page opens. 3. Complete the form to create a WebGate for this integration. For example: Name—SAP_AG Version - 11g Host Identifier—Apache proxy host Auto Create Policies—Enabled (checked) Public Resource List—Add any public Resources to this list. Apply—Click to create the WebGate. 4. Click the Authorization Policies tab, then click the Create Authorization Policy button to open a fresh page (Chapter 25). 5. Summary Tab: Add your information to the Summary tab. 6. Click the Resources tab, click Add (+), and define the resources for the policies in this application domain as follows: Name: SAP EP Security Policy Type: http Host identifiers: Enter the proxy host URL prefix: /irj. Description: SAP EP Login URL 7. Add Resources: The Resource must be defined in the Application Domain before you can add the resource to a specific policy. ■ Click the Resources tab on the Authorization Policy page. ■ Click the Add button on the Resources tab. ■ Click the Search button. ■ Click a URL in the Results table, then click Add Selected. ■ Repeat these steps to add more resources. 8. Click Apply to save changes and close the Confirmation window. 9. Responses: Add policy Responses, as described in "Adding and Managing Policy Responses for SSO" on page 25-75. 10. Conditions: Add authorization conditions, as described in "Defining Authorization Policy Conditions" on page 25-43. 11. Rules: Add authorization rules, as described in "Defining Authorization Policy Rules" on page 25-60. 12. Close the page when you finish. Integrating Access Manager with SAP NetWeaver Enterprise Portal 62-7 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.4.x 62.5 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.4.x This section contains the following tasks. ■ Before You Begin ■ Configuring Access Manager for SAP NetWeaver Enterprise Portal 7.4.x ■ Configuring Apache Web Server 2.0.x or 2.2.x ■ Configuring SAP Enterprise Portal 7.4 for External Authentication ■ Adjusting the Login Module Stacks for Using Header Variables 62.5.1 Before You Begin ■ ■ ■ ■ ■ ■ Install SAP NetWeaver Enterprise Portal version 7.4.x before completing the steps in this section. Install Access Manager as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. Install Apache HTTP Server 2.0.x or 2.2.x by following the installation steps provided by apache.org. Install and configure an 11g WebGate on each Apache HTTP Server instance that supports the proxy connection to the SAP Enterprise Portal 7.4 instance. See Installing Webgates for Oracle Access Manager for details. Synchronize the time on all servers where SAP NetWeaver Enterprise Portal and Access Manager components are installed. Ensure that the users exist in the Access Manager LDAP directory as well as on the SAP R3 system database. The user ID in Access Manager and the SAP database must be the same or be mapped to each other. Any attribute in a user's profile can be configured as the SAP ID and passed directly to SAP. Alternatively, SAP can be configured to map the SAP ID to any user attribute that it receives from Access Manager. ■ Verify that your Web browser is configured to allow cookies. Oracle suggests reviewing the following topics prior to integrating Access Manager with SAP NetWeaver Enterprise Portal. Note: ■ ■ ■ Chapter 5, "Managing Data Sources" to understand how to add and configure data sources in Access Manager. Chapter 22, "Managing Authentication and Shared Policy Components" to understand how to configure Form and Basic mode authentication in Access Manager. Section C.4, "Configuring Cert Mode Communication for Access Manager" to understand how to configure Cert mode for Access Manager. 62.5.2 Configuring Access Manager for SAP NetWeaver Enterprise Portal 7.4.x Complete the following steps to configure the Access Manager security policy that protects SAP NetWeaver Enterprise Portal log-ins. 62-8 Administrator's Guide for Oracle Access Management Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.4.x 1. In to the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Launch Pad tab, select Create Application Domain from the Create (+) drop-down menu in the Access Manager section. 3. Complete the form to create a WebGate for this integration. For example: Name—Type a meaningful name, for example, SAP_AG. Do not include spaces in the name. Version - select 11g from the drop-down menu. Access Client Password—Enter a password to be used during the installation of the WebGate. Security—Choose the type of communication that should occur between the WebGate and the OAM server. Click Apply. A confirmation page opens. 4. At the bottom of the confirmation page, in the Server Lists section, associate the WebGate with a defined Access Server. Click Apply. 5. On the Launch Pad page, go to the Access Manager section and click Host Identifiers. Click Search, then click the WebGate in the search results. Configure the host identifiers using the fully qualified proxy machine name and port for the Apache proxy. 6. Click Application Domains and search for the application domain name that you used to create the WebGate (for example, SAP_WG). Click the application domain name in the search results to open it a. Click the Resources tab and search for the resource that the WebGates should protect. Select the resource in the search results then click the Create button. Complete the form and click Apply. Type - HTTP Resource URL - /irj Protection Level - Protected Authentication Policy - Protected Resource Policy Authorization Policy - Protected Resource Policy b. Click the Authentication Policies tab, then click Protected Resource Policy. Choose the appropriate authentication scheme from the Authentication Scheme drop-down that you want to configure for this particular domain. For example, for a form-based authentication policy (FAAuthScheme), enter the following: Name - Protected Resource Policy Authentication Scheme - FAAuthScheme Integrating Access Manager with SAP NetWeaver Enterprise Portal 62-9 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.4.x Note: Select either basic-over-LDAP or form-based authentication. Oracle recommends that you use a form-based authentication scheme. If you use the basic authentication scheme, also set the Challenge Redirect field to another WebGate to ensure that the ObSSOCookie is set. Click Apply to save your changes. c. Click the Authorization Policies tab, then click Protected Resource Policy. Click the Responses tab and add the following: Type - Header Name - OAM_REMOTE_USER Value - Same account name The other tabs in Authorization Policies include conditions and rules: Condition - Creates a list of users and puts them in a group. Rule - Allows or denies access to the group of users created in the conditions tab. Click Apply to save your changes. 7. If you configured a form-based authentication scheme, ensure that a login.html page is configured in the proxy server document root. Also, ensure that a logout.html page is present on the proxy Web server document root. You can create a custom logout page using HTML, a JSP file, or a CGI protocol. The default logout page (logout.html) is located here: WebGate_install_dir/webgate/apache/oamsso/logout.html Where: WebGate_install_dir is the directory where the WebGate is installed. Ensure that the name of the logout page contains the string logout. 8. Ensure that the user ID that is returned by the OAM_REMOTE_USER header variable exists in the user management data sources for SAP Enterprise 7.4. 9. On the Launch Pad page, go to the Access Manager section and click Authentication Schemes. Choose the authentication scheme to use. This is the scheme that you selected inside the application domain of the WebGate. 62.5.3 Configuring Apache Web Server 2.0.x or 2.2.x Follow these steps to configure a proxy to access SAP Enterprise Portal 7.4. 1. Set up the Apache proxy in non-SSL mode or in SSL mode. Refer to the Apache documentation for details. If HTTPS communication is used with the SAP Enterprise Portal 7.4, use SSL mode. 2. To enable the proxy to the SAP Enterprise Portal 7.4, add the following to the httpd.conf file: 62-10 Administrator's Guide for Oracle Access Management Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.4.x ProxyRequests Off ProxyPass /http://sap_host:port/ ProxyPassReverse / http://sap_host:port// ProxyPreserveHost On Where: sap_host - The name of the machine hosting the SAP Enterprise Portal 7.4 instance port - The listening port for the SAP Enterprise Portal 7.4 instance. This set of directives specifies that all requests to the Web server that take the form http://apache_host:port/irj or https://apache_host:port/irj are redirected to http://sap_host:port/irj or https://sap_host:port/irj. 3. Uncomment the following proxy related modules: ■ LoadModule proxy_module modules/mod_proxy.so ■ LoadModule proxy_http_module modules/mod_proxy_http.so 4. Restart the proxy Web server. 5. Open a browser and access the following URL: ■ Non-SSL: http//apachehost:port/irj ■ SSL: https://apachehost:port/irj This request should be redirected to the SAP Enterprise Portal 7.4 login ID. 6. Log in using the SAP Enterprise Portal 7.4 administrator login ID. Verify that you can perform the provided administrative functions when logged in as an administrator. 7. Log in as a non-administrative user. Verify that you can perform the provided non-administrative functions when logged in. 62.5.4 Configuring SAP Enterprise Portal 7.4 for External Authentication Complete the following steps to enable external authentication in SAP Enterprise Portal 7.4 using the OAM_REMOTE_USER header variable. Note: See the SAP Enterprise Portal 7.4 Enterprise Postal Security Guide for more information about configuring authentication schemes for SAP Enterprise Portal. 1. To enable logout from a single sign-on session in both SAP Enterprise Portal 7.4 and Access Manager, use the SAP NetWeaver Administrator interface to configure a logout URL. Set the SAP NetWeaver Portal Logoff URL (ume.logoff.redirect.url) to the appropriate logout URL. 2. Open the config tool by running the configtool.bat file, which is located here: SAP_J2EE_engine_install_dir\configtool Integrating Access Manager with SAP NetWeaver Enterprise Portal 62-11 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.4.x Prepare to edit the configuration by switching to configuration editor mode, and choosing edit mode. 3. Edit the properties for the following workernode service: com.sap.security.core.ume.service Update the ume.logoff.redirect.url property and the ume.logoff.redirect.silent property with the logoff URL configured in step 1. ume.logoff.redirect.url=http(s)://proxy_host:port/logout.html ume.logoff.redirect.silent=false Save your changes and close the config tool. 4. Stop the SAP J2EE dispatcher and server. 5. Again, open the config tool by running the configtool.bat file, which is located here: SAP_J2EE_engine_install_dir\configtool Prepare to edit the configuration by switching to configuration editor mode, and choosing edit mode. 6. Back up the authschemes.xml file (cluster_config > globals > clusternode_config > workernode > services > com.sap.security.core.service > persistent). 7. Open authschemes.xml in an editor and change the reference of the default authentication scheme to the authentication scheme header as follows: header ----------------> (for fall back) uidpwdlogon 8. In authschemes.xml, go to the authentication scheme header and specify the name of the HTTP header variable where the access system provides the user ID. Configure this header variable as follows: com.sap.security.core.logon.imp.HeaderVariableLoginModule REQUISITE Header=OAM_REMOTE_USER 5 2 com.sap.portal.runtime.logon.header The REQUISITE control flag value specifies that the login module must succeed. If login succeeds, authentication continues through the list of login modules. If it fails, control immediately returns to the application and authentication does not continue through the list of login modules. 62-12 Administrator's Guide for Oracle Access Management Testing the Integration 9. Save the XML to the same location. 10. Restart the portal server and J2EE engine. The modified authschemes.xml file is loaded into the Portal Content Directory (PCD). SAP Enterprise Portal 7.4 renames it as authschemes.xml.bak. 62.5.5 Adjusting the Login Module Stacks for Using Header Variables Use the NetWeaver Admin console to add the HeaderVariableLoginModule to the appropriate login module stack or template and configure the options as described here. In the console, choose Configuration > Authentication and Single Sign-On. Click Login Modules under the Authentication tab. Select the HeaderVariableLoginModule login module, choose ticket from the Login Module Use tab, and add the login module HeaderVariableLoginModule to the login module stack for each template or application that is to support header variable authentication. Table 62–2 Login Module Stacks for using Header Variables Login Modules Flag Options EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true HeaderVariableLoginModule OPTIONAL {ume.configuration.active=true, Header=} CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true} BasicPasswordLoginModule REQUISITE {} CreateTicketLoginModule OPTIONAL {ume.configuration.active=true} 62.6 Testing the Integration Use the following procedures to test the integration. Front-End Integration Test Procedure Follow these steps to test the integration using a Web browser. 1. Open a protected URL. For example: https://host:port/irj Access Manager should prompt for authentication (either form based, or basic authentication over LDAP, or Cert Mode authentication). 2. Enter the correct user credentials. If the credentials are correct, you will be logged into the SAP NetWeaver Enterprise Portal system. Back-End Integration Test Procedure To use these steps, download and install a plug-in for your Web browser that displays the HTTP requests and responses that happen when your browser requests a resource. Live HTTP Headers for Firefox, or ieHTTPHeaders for Internet Explorer are two such plug-ins. 1. Open the plug-in and type a URL in your browser to request a protected resource, for example: https://host:port/irj The plug-in window will be populated with the HTTP requests and responses. 2. Analyze the requests and responses and make sure that each request returns a response without errors. Once the user is authenticated you should see some sessions and cookies set in the HTTP Header logs. The cookies that are set include the following: Integrating Access Manager with SAP NetWeaver Enterprise Portal 62-13 Troubleshooting the Integration ■ ObSSOCookie ■ JSESSIONID ■ OAM_ID ■ OAM_REQ When the request reaches the SAP NetWeaver Enterprise Portal, you will receive responses from the Enterprise Portal system in the header logs. 62.7 Troubleshooting the Integration The following information is intended to help you troubleshoot issues with this integration. Problem: The browser has problems displaying the SAP 7.0.x administration interface through the proxy server. You may receive an "object not found" error and related JavaScript errors. Solution: See the following SAP document for a list of supported browsers, "SAP NetWeaver 7.0.x Product Availability Matrix." 62-14 Administrator's Guide for Oracle Access Management 63 Integrating Oracle Access Manager with SAP NetWeaver Enterprise Portal Using OpenSSO Policy Agent 2.2 63 This chapter describes how to use Sun Java System Access Manager / OpenSSO Policy Agent 2.2 to integrate Oracle Access Manager 11.1.2 with SAP NetWeaver Enterprise Portal 7.01. This chapter covers the following topics: ■ What is Supported in This Release? ■ Registering the OpenSSO Agent ■ Installing the OpenSSO Policy Agent 2.2 on SAP Enterprise Portal ■ Deploying the Agent Software Delivery Archive ■ Making a Class Loader Reference to the Login Module ■ Modifying the SAP Enterprise Portal 7.0 / Web Application Server 7.0 Class Path ■ Deploying and Starting the Agentapp.war File ■ Using Telnet to Create a Reference Between agentapp and Library AmSAPAgent2.2 ■ Adding the Login Module to the Stack ■ Modifying the Login Module Stack ■ Updating the ume.logoff.redirect.uri ■ Configuring the AMAgent.properties File ■ Testing the Integration 63.1 What is Supported in This Release? Only SAP Netweaver Enterprise Portal 7.01 is supported by the OpenSSO Policy Agent 2.2 in this release. MySAP is not certified. The following patch must be applied to the OpenSSO Policy Agent 2.2: Note: PSE ID: OpenSSO.J2EE.PSE.2.2.18810674 SAP single sign-on will not work without this patch. Integrating Oracle Access Manager with SAP NetWeaver Enterprise Portal Using OpenSSO Policy Agent 2.2 63-1 Registering the OpenSSO Agent 63.2 Registering the OpenSSO Agent Before you begin, complete the following steps: ■ Remotely register the agent so that the Agent Profile is created on the Oracle Access Management side. Use the remote registration tool on the OAM server located here: /Oracle_IDM1/oam/server/rreg ■ Ensure that the fully-qualified domain name of the OAM server and the SAP server are updated in the hosts file on both systems. Always use the SAP and OAM server’s fully-qualified domain name while installing or registering the agent and doing OAM configuration. 1. Open the appropriate XML request file for editing. The request file will provide inputs for the registration. Request files are located inside the input folder. 2. Modify the specific values to match your environment. http://OAMserver.example.com:7001 OPENSSO_HOSTID8 OPENSSO_SAP8 http://SAPserver.example.com:50000 OPENSSO_APPDOMAIN //Modify this. true J2EE 2.2 //Important: Make sure the version is 2.2. 3. To register the agent, open a command prompt and run the following command from the bin directory in the rreg tool: oamreg.sh inband input/OpenSSORequest The command outputs the AMAgent.properties file, which is located in the output directory. For OpenSSO agent 2.2, there is only one output file (AMAgent.properties), whereas for OpenSSO agent 3 there are two output files (OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties). Note: This registration creates a footprint in the oam-config.xml file for the OAM domain, which is located here: 63-2 Administrator's Guide for Oracle Access Management Installing the OpenSSO Policy Agent 2.2 on SAP Enterprise Portal /user_projects/domains/base_ domain1/config/fmwconfig/oam-config.xml The registered agent is in an entry similar to the following: The registration process is now complete. 63.3 Installing the OpenSSO Policy Agent 2.2 on SAP Enterprise Portal Complete the following steps to install the agent on the SAP container. 1. Extract the OpenSSO Policy agent and navigate to the bin folder. 2. Open a command prompt and type the following command to install the agent on the SAP container. agentadmin.sh - -install The command will prompt you for values as needed. The following table summarizes the requested inputs. Table 63–1 Request prompt Sample Input Description SAP Directory \JC00\j2ee\clu ster\server0 Agent installed on WebAS domain false Access Manager Services host OAMserver.example.com OAM server fully-qualified domain name Access Manager Services Port 8003 Port where the OAM server is running Access Manager Services protocol http Access Manager Services deployment URI /opensso Agent host name SAPserver.example.com SAP server fully-qualified domain name Application server instance port number 50000 Port where the SAP EP server is running Protocol for Application Server instance http Deployment URI for the Agent Application /agentapp Encryption key gSwxyctnKWkx8fBgbwj8 Mn5ziksjaUqi Agent profile name OPENSSO_SAP8 Agent profile password file name /Policy_Agent/sap_v7_ agent/Info/p.txt OpenSSO proxy URL URI of the WAR file that we deploy Agent profile name given during registration 63.3.1 Post-Installation Steps After installation, an agent instance is created on the SAP container. Inside this directory is another instance of the AMAgent.properties file. (So there are two Integrating Oracle Access Manager with SAP NetWeaver Enterprise Portal Using OpenSSO Policy Agent 2.2 63-3 Deploying the Agent Software Delivery Archive AMAgent.properties files: one generated during remote registration, and one generated just previously during the Agent installation.) 1. Compare the two properties files and consolidate them so that you have one properties file that contains all of the information. Be sure that all of the settings in the AMAgent.properties file matches the Agent Profile entry in the oam-config.xml file on the OAM server. 2. In oam-config.xml, add the following entry under the element: serverprotocol://serverhost:serverport Be sure to increment the version integer every time you update the oam-config.xml file: Note: 113 63.4 Deploying the Agent Software Delivery Archive 1. Go to the etc folder in the agent to locate the AmSAPAgent2.2.sda archive. The.sda file is a library that you will deploy onto the SAP server using the Software Deployment Manager (SDM). 2. Use the Software Deployment Manager (/usr/sap/SID/InstanceName/SDM/program/RemoteGui.sh) to deploy the AmSAPAgent2.2.sda file. Refer to the SAP documentation for details. Once the deployment is complete, verify that the library is deployed by viewing the Undeployment tab. The AmSAPAgent2.2 library should be listed. You can also use the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) to verify that the deployed library, along with the SAP-dependent libraries, are available in the container. 63.5 Making a Class Loader Reference to the Login Module Use the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) to make a class loader reference for the newly deployed library. Add the reference to the LoginModuleClassLoader by adding the following key-value pair on the Properties tab on the Security Provider configuration page (Server Instance > Services > Security Provider). Table 63–2 Key Value LoginModuleClassLoader library: AmSAPAgent2.2 63-4 Administrator's Guide for Oracle Access Management Using Telnet to Create a Reference Between agentapp and Library AmSAPAgent2.2 63.6 Modifying the SAP Enterprise Portal 7.0 / Web Application Server 7.0 Class Path Open the SAP Config Tool (/usr/sap/SID/InstanceName/j2ee/configtool/configtool.sh), navigate to Cluster_data > Instance ID > Server instance, and on the General tab, add the following paths to the Classpath field: /Policy_Agent/sap_v7_agent/j2ee_agents/sap_v7_agent//config /Policy_Agent/sap_v7_agent/j2ee_agents/sap_v7_agent/locale 63.7 Deploying and Starting the Agentapp.war File 1. Open the SAP Deployment Manager (deploy.sh) and create a new project. 2. Go to an empty directory owned by the SAP instance user (j2eeadm) and type agentapp for the address field. Go to the Assembler tab and add the agentapp.war archive (right-click the agentapp node and select Add Archive from the context menu). Save the project. Browse to the directory specified previously as owned by the SAP Instance user (j2eeadm), type agentapp for the address field, and click OK. Right-click the agentapp root node and select Make Ear from the context menu. 63.8 Using Telnet to Create a Reference Between agentapp and Library AmSAPAgent2.2 1. Telnet to the SAP host (for example, saphost.example.com 50008) and log on as an administrator. 2. Issue the following commands: a. $ jump 0 The system returns a message similar to the following: You jumped on node 4503950. b. $ add deploy c. $ CHANGE_REF -m sap.com/agentapp library:AmSAPAgent2.2 The system returns the following message: The reference between application sap.com/agentapp and library:AmSAPAgent2.2 was made! 3. Stop and Start the SAP Enterprise Portal instance. You can also use the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) to verify that the references were made properly. Choose Server Instance > Services > ClassLoader Viewer. Note: Integrating Oracle Access Manager with SAP NetWeaver Enterprise Portal Using OpenSSO Policy Agent 2.2 63-5 Adding the Login Module to the Stack 63.9 Adding the Login Module to the Stack Before You Begin - Start the SAP Enterprise Portal instance if it is not running. 1. Start the SAP Visual Administrator tool and log in. (/usr/sap/SID/InstanceName/j2ee/admin/go.sh). 2. Select the Security Provider service, click the User Management tab, and switch to edit mode. 3. Click Manage Security Stores > Add Login Module. Click OK when the dialog box opens. 4. In the Class Name field, type the following: com.sun.identity.agents.sap.v70.AmSAPEP70LoginModule 5. In the Display Name field, type the following: AmSAPEP70LoginModule 63.10 Modifying the Login Module Stack 1. Start the SAP Visual Administrator tool and log in. (/usr/sap/SID/InstanceName/j2ee/admin/go.sh). 2. Select the Security Provider service, click the Policy Configurations tab, and switch to edit mode. 3. In the Components list, select the ticket authentication template. 4. Delete all login modules except for the following: ■ com.sap.security.core.server.jaas.EvaluteTicketLoginModule ■ com.sap.security.core.server.jaas.CreateTicketLoginModule 5. Click Add New and select AmSAPEP70LoginModule from the list of modules. 6. Click Modify and move AmSAPEP70LoginModule between the two remaining login modules. The new ticket authentication template should match the values in the following table. Table 63–3 Ticket Authentication Values Login Module Flag EvaluateTicketLoginModule SUFFICIENT AmSAPEP70LoginModule REQUISITE CreateTicketLoginModule OPTIONAL 63.11 Updating the ume.logoff.redirect.uri 1. Open the SAP Config Tool (/usr/sap/SID/InstanceName/j2ee/configtool/configtool.sh) and switch to edit mode. 2. Click the pencil and glasses button and choose cluster_data > server > cfg > services. The UME service property sheet opens. 63-6 Administrator's Guide for Oracle Access Management Testing the Integration 3. Open the com.sap.security.core.ume.service property sheet and add the following custom value to the ume.logoff.redirect.uri property. http://OAM-Server-Hostname:OAM-Port/oam/server/logout 63.12 Configuring the AMAgent.properties File Open the AMAgent.properties file for the Agent Instance and edit the following properties: The following properties in AMAgent.properties must match the properties in oam-config.xml. If the properties do not match, update the properties in oam-config.xml. Note: Be sure to increment the version integer every time you update the oam-config.xml file: 113 1. In Debug Service Properties, update the complete path of the log location similar to the following: com.iplanet.services.debug.directory = /Policy_Agent/sap_v7_agent/j2ee_ agents/sap_v7_agent/Agent_003/logs/debug 2. In COMMON ATTRIBUTE FETCH PROCESSING PROPERTIES, set cookie encode to false. com.sun.identity.agents.config.attribute.cookie.encode = false 3. In COOKIE RESET PROCESSING PROPERTIES, edit the following properties: com.sun.identity.agents.config.cookie.reset.enable = true com.sun.identity.agents.config.cookie.reset.name[0] = MYSAPSSO2 com.sun.identity.agents.config.cookie.reset.domain[MYSAPSSO2] = .corp.example.com 4. In URL DECODE SSO TOKEN FLAG, set decode to false: com.sun.identity.agents.config.sso.decode = false 5. In FILTER OPERATION MODE, add or update the following property: com.sun.identity.agents.config.filter.mode = SSO_ONLY 63.13 Testing the Integration Users in the Oracle Access Management user store should also be in the SAP server. Be sure to allow user access in OAM. To verify that the integration is working properly, try the following: 1. Access the protected URL (for example, /irj ). You should be redirected to the Oracle Access Manager login form. 2. Enter a valid user name and password. You should be authenticated and logged into the SAP server (/irj). Integrating Oracle Access Manager with SAP NetWeaver Enterprise Portal Using OpenSSO Policy Agent 2.2 63-7 Testing the Integration 63-8 Administrator's Guide for Oracle Access Management Part XVI Part XVI Appendixes Part XII provides information that is outside the scope of day-to-day administration tasks with Oracle Access Management. Part XII contains the following appendixes: ■ Appendix A, "Integrating Oracle ADF Applications with Access Manager SSO" ■ Appendix B, "Internationalization and Multibyte Data Support for 10g WebGates" ■ Appendix C, "Securing Communication" ■ Appendix D, "Reviewing Bundled, Generated, and Migrated Artifacts" ■ Appendix E, "Troubleshooting" A Integrating Oracle ADF Applications with Access Manager SSO A The Oracle Application Developer Framework (ADF) and applications that are coded to Oracle ADF standards interface with the OPSS SSO Framework. The Oracle Platform Security Services (OPSS) single sign-on framework provides a way to integrate applications in a domain with a single sign-on (SSO) solution. You can integrate a Web application that uses Oracle ADF security and the OPSS SSO Framework with an Access Manager SSO security provider for user authentication. This chapter provides the following sections: ■ ■ Introducing Oracle Platform Security Services and Oracle Application Developer Framework Integrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO Framework ■ Configuring Centralized Logout for Oracle ADF-Coded Applications ■ Confirming Application-Driven Authentication During Runtime A.1 Introducing Oracle Platform Security Services and Oracle Application Developer Framework This section provides the following topics: ■ Oracle Platform Security Services Single Sign-on Framework ■ Oracle Application Developer Framework A.1.1 Oracle Platform Security Services Single Sign-on Framework A single sign-on (SSO) solution must provide a standard way for applications to login and logout users. After successful authentication, the SSO service is responsible to redirect the user to the appropriate URL. The Oracle Platform Security Services (OPSS) SSO Framework provides a way to integrate applications in a domain with an SSO solution. Specifically, it provides applications with a common set of APIs across SSO products to handle login, auto login, and logout. The Oracle Application Developer Framework (ADF) and applications that are coded to Oracle ADF standards interface with the OPSS SSO Framework. For more information about Oracle ADF, see "Oracle Application Developer Framework" on page A-2. Integrating Oracle ADF Applications with Access Manager SSO A-1 Introducing Oracle Platform Security Services and Oracle Application Developer Framework The Access Manager SSO solution is available out-of-the-box and provides the following to applications that are coded to Oracle ADF standards and the OPSS SSO Framework: ■ ■ ■ Login (application-driven): Upon accessing a part of a secured artifact that requires authentication, the application triggers authentication and redirects the user to be authenticated by the appropriate solution. Auto login: A user who has initially accessed an application anonymously registers an account with the application (Oracle Identity Manager, for instance); upon a successful registration, the user is redirected to the authentication URL; the user can also be automatically logged in without being prompted. Global logout: When a user logs out of one application, the logout propagates across to any other application that is enabled by the solution. The OPSS SSO framework does not support multi-level authentication. Note: See Also: Oracle Fusion Middleware Application Security Guide part "Single Sign-On Configuration" for more information about choosing an SSO solution, and the Access Manager solutions. A.1.2 Oracle Application Developer Framework The Oracle Application Development Framework is an end-to-end application framework that builds on Java EE standards and open-source technologies to simplify and accelerate implementing service-oriented applications. The development and run-time environment required to deploy and manage ADF applications is similar in many ways to the environment required for other Java EE applications. The difference between a typical Java EE environment and an environment that supports Oracle ADF applications is the availability of the Oracle ADF run-time libraries: ■ In Oracle Fusion Middleware 11g, an Oracle WebLogic Server domain, by default, does not contain the Oracle ADF run-time libraries. However, you can optionally configure or extend your domain to include the Java Run-time Files (JRF). The Oracle ADF run-time libraries are included as part of the JRF component. The Oracle WebLogic Server domain can be extended with the Java Run-time Files (JRF) domain template, which includes the required Oracle ADF libraries, and other important Oracle-specific technologies. ■ In Oracle Application Server 10g, each instance of OC4J automatically provided the Oracle ADF run-time libraries required to support Oracle ADF applications. For information about the types of Java EE environments available in 10g and instructions for upgrading those environments to Oracle Fusion Middleware 11g, refer to the Oracle Fusion Middleware Upgrade Guide for Java EE. A-2 Administrator's Guide for Oracle Access Management Integrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO Framework A.2 Integrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO Framework This section describes how to integrate a Web application that uses Oracle ADF security and the OPSS SSO Framework with an Access Manager SSO security provider for user authentication. Before the Web application can be run, you must configure the domain-level jps-config.xml file on the application's target Oracle WebLogic Server for the Access Manager security provider. The domain-level jps-config.xml file is in the following path and should not be confused with the deployed application's jps-config.xml file: $DOMAIN_HOME/config/fmwconfig/jps-config.xml Do not confuse the domain-level jps-config.xml file with the deployed application's jps-config.xml file. Note: You can use an Oracle JRF WLST script to configure the domain-level jps-config.xml file, either before or after the Web application is deployed. This Oracle JRF WLST script is named as follows: Linux: wlst.sh Windows: wlst.cmd The Oracle JRF WLST script is available in the following path if you are running through JDev: $JDEV_HOME/oracle_common/common/bin/ In a standalone JRF WebLogic installation, the path is: $MW_HOME/oracle_common/wlst The Oracle JRF WLST script is required. When running WLST for Oracle Java Required Files (JRF), do not use the WLST script under $JDEV_HOME/wlserver_10.3/common/bin. Note: Command Syntax addOAMSSOProvider(loginuri, logouturi, autologinuri) Run the addOAMSSOProvider command as in the following example. cd $MW_HOME/oracle_common/common/bin ./wlst.sh .......after running ./wlst.sh............ Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi") addOAMSSOProvider(loginuri="/testapp/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi") wls:/offline> addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", Integrating Oracle ADF Applications with Access Manager SSO A-3 Integrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO Framework logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi") Table A–1 defines the expected value for each argument. Table A–1 addOAMSSOProvider Command-line Arguments Argument Definition loginuri Specifies the URI of the login page Note: For ADF security enabled applications, "//adfAuthentication" should be provided for the 'loginuri' parameter. Here is the flow: logouturi 1. User accesses a resource that has been protected by authorization policies in OPSS, fox example. 2. If the user is not yet authenticated, ADF redirects the user to the URI configured in 'loginuri'. 3. Access Manager, should have a policy to protect the value in 'loginuri': for example, "//adfAuthentication. 4. When ADF redirects to this URI, Access Manager displays a Login Page (depending on the authentication scheme configured in Access Manager for this URI). Specifies the URI of the logout page Note: For ADF security enabled applications, logouturi should be configured based on logout guidelines in Chapter 27. For the: ■ ■ autologinuri 11g WebGate the value of the logouturi should be sought from the 11g WebGate Administrator. 10g WebGate requires a logouturi value of "/oamsso/logout.html Specifies the URI of the autologin page. The procedure to configure domain-level jps-config.xml for a Fusion Web application with Oracle ADF Security enabled is part of a larger task. With the exception of the command syntax, all tasks are the same for Access Manager 10g and 11g. For more information, see: ■ Sample SSO Configuration for Access Manager ■ SSO Provider Configuration Details See Also: ■ ■ Oracle Fusion Middleware Oracle WebLogic Scripting Tool Oracle Fusion Middleware WebLogic Scripting Tool Command Reference "Infrastructure Security Commands" chapter A.2.1 Sample SSO Configuration for Access Manager The SSO service configuration entered with the procedure described in Oracle Fusion Middleware Application Security Guide for all tasks involving Access Manager SSO providers and an OAM Configuration Example is written to the file jps-config.xml. The data specified includes: ■ A particular SSO service ■ The auto-login and auto-logout URIs ■ The authentication level ■ The query parameters contained in the URLs returned by the selected SSO service A-4 Administrator's Guide for Oracle Access Management Integrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO Framework ■ The appropriate settings for token generation The following fragment of a jps-config.xml file illustrates the configuration of an Access Manager SSO provider. Some values are merely placeholders for actual content. Your configuration should contain values for your implementation. See Also: "SSO Provider Configuration Details" Example A–1 Sample SSO Configuration for Access Manager SSO service provider A.2.2 SSO Provider Configuration Details Note the following important points: ■ ■ ■ ■ ■ Any SSO provider must define the URI for at least the FORM login with the property login.url.FORM. The value need not be a URL. If the application supports a self-registration page URI or URL, it must be specified with the property autologin.url. If the SSO solution supports a global logout URI or URL, it must be specified with the property logout.url. The OAM solution supports global logout. The following properties, illustrated in Example A–1, are optional: – param.login.successurl – param.login.cancelurl – param.autologin.targeturl – param.login.token – param.logout.targeturl The use of the variable app.context in URI specifications, in values within the property set props.auth.uri for instance, is allowed for only ADF applications when integrating with the Access Manager solution. ■ The property set props.auth.level is required. ■ The reference to props.auth.url is required. ■ The property sso.provider.class within a service instance of the SSO provider is the fully qualified name of the class implementing a specific SSO solution. In the case of the OAM solution, the provided class name is oracle.security.wls.oam.providers.sso.OAMSSOServiceProviderImpl. ■ ■ The property name default.auth.level within a service instance of the SSO provider must be set to "2", as illustrated in Example A–1. The property token.type within a service instance of the SSO provider is required. This token type identifies the token set on the HTTP request by the SSO provider upon a successful authentication; the SSO provider uses this token, after the first time, to ensure that the user does not need to be reauthenticated and that his sign-on is still valid. In the case of the OAM solution, the token type must be OAMSSOToken, as illustrated in Example A–1. ■ The property token.provider.class within a service instance of the SSO provider is the fully qualified name of the token class, and it is provider-specific. A-6 Administrator's Guide for Oracle Access Management Configuring Centralized Logout for Oracle ADF-Coded Applications ■ An application that implements a self-registration logic and wants to auto login a user after successful self-registration, it must call the OPSS autoLogin API; in turn, to allow this call, it must grant that application a code source permission named CredentialMapping with class JpsPermission. The following fragment of the file system-jazn-data.xml illustrates the specification of this permission to the application MyApp: file:${domain.home}/servers/MyApp/- oracle.security.jps.JpsPermission CredentialMapping A.3 Configuring Centralized Logout for Oracle ADF-Coded Applications The Access Manager SSO solution is available for applications that are coded to Oracle ADF standards and the OPSS SSO Framework. ADF-coded applications that are configured to perform logout with Access Manager, redirect to the /oamsso/logout.html resource. IAMSuiteAgent intercepts and processes the request, cleans up the session, redirects to the central logout page (done by the OAM Server) and redirects back to the end_url. See Also: Oracle Fusion Middleware Application Security Guide For ADF applications, only one extra configuration step is needed (to configure the OAMSSOProvider for OPSS). Note: Task overview: Protecting ADF-coded applications with Access Manager 1. Review "About Centralized Logout Processing for Applications Coded to Oracle ADF Standards". 2. Protect the ADF-coded application using either an: ■ 11g Webgate ■ 10g Webgate 3. Perform the single extra configuration step for ADF-coded applications: configure the OAMSSOProvider as described in "Configuring Centralized Logout for ADF-Coded Applications with Access Manager" on page A-8. 4. Perform logout configuration steps for your chosen Webgate version. A.3.1 About Centralized Logout Processing for Applications Coded to Oracle ADF Standards ADF-coded applications refer to either applications that have been fully integrated with ADF or those that simply use ADF Authentication Servlet to integrate with OPSS. Integrating Oracle ADF Applications with Access Manager SSO A-7 Configuring Centralized Logout for Oracle ADF-Coded Applications In this case, logout is initiated when an ADF application causes the invocation of the logout URI. The following process overview outlines the Access Manager centralized logout process for applications coded to Oracle ADF standards. Process overview: Centralized logout for ADF applications with 10g Webgate 1. An ADF application causes the invocation of the following URI. //adfAuthentication?logout=true&end_url= The end_url parameter specifies the URI to which the application returns control following logout. 2. ADF invokes the configured OPSS SSO provider (OAM in this case) and delegates the logout functionality to the configured logout URI by redirecting the request to the logout URI. The end_url value is passed as a query string to the logout URI. For example: /oamsso/logout.html?end_url=. 3. The logout URI is invoked on the Webgate front-ending the application. 4. 10g Webgate clears the ObSSOCookie for its domain and loads the logout.html script. 5. If the end_url parameter does not include host:port, the logout.html script gets the host:port of the local server and constructs the end_url parameter as a URL. For example: http://serverhost:port/oam/server/logout?end_url=http://my.site.com/ welcome.html 6. Logic in logout.html redirect to the OAM Server. For example: http://myoamserverhost:port/oam/server/logout?end_url=http://my.site.com/ welcome.html 7. The OAM Server executes logout as follows: a. Cleans up the session information associated with the user at the server side. b. Validates the end_url and sends a page with callback URLs to the user's browser. The Logout Callback URL is specified in the expanded (not short) OAM Agent registration, as described in Table 15–3. Note: c. From the callback page, a new request is initiated to a specific URI on each Webgate. When this request reaches the specific Webgate in the specific domain, the ObSSOCookie for that domain is cleared. d. The user is redirected to the end_url in the logout script. However, if the end_ url parameter is not present, an appropriate message is sent by the OAM Server. A.3.2 Configuring Centralized Logout for ADF-Coded Applications with Access Manager The following procedure is similar to configuring logout for 10g Webgates, with specific step for ADF-coded applications. The ADF-coded application must send the end_url value to identify where to redirect the user after logout processing. However, A-8 Administrator's Guide for Oracle Access Management Configuring Centralized Logout for Oracle ADF-Coded Applications with ADF-coded applications, logout occurs when the application causes the following URI to be invoked: //adfAuthentication?logout=true&end_url= The Applcore f/w could facilitate triggering of the above URL and the ADF application could leverage that. Note: Some steps in this procedure require the WebLogic Scripting Tool (WLST): wlst.sh (Linux) or wlst.cmd (Windows), which you must invoke from the WLST_install_dir. See Also: ■ "Using Custom WLST Commands" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference To configure centralized logout for ADF-coded applications Check with the Administrator to confirm the location of the logout.html script configured with the agent, which you need in following steps. 1. 2. Configure OPSS for OAM as the SSO provider to update jps-config.xml for the WebLogic administration domain, as follows: a. On the computer hosting the Oracle WebLogic Server and the Web application using Oracle ADF security, locate the Oracle JRF WLST script. For example: cd $ORACLE_HOME/oracle_common/common/bin b. Connect to the computer hosting the Oracle WebLogic Server, enter the Administrator ID and password, and the host and port of the WebLogic AdminServer: wls:/> /connect('admin_ID', 'admin_pw', 'hostname:port' For example, the Oracle WebLogic Administration Server host could be localhost using port 7001. However, your environment might be different. c. Check with the Administrator to confirm the location of the logout.html script configured with the agent. In Step d, you must use the value provided by the Administrator. Here, logouturi value is the URI of the logout script /logout.html. The value could either begin with "logout." (exceptions are logout.gif and logout.jpg) or it could be any other value configured by the Administrator. d. Enter the loginuri for ADF authentication and the logouturi (location of the logout.html script configured with the agent); the host and port are not needed. wls:/>addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi") Here, loginuri=/${app.context}/adfAuthentication; logouturival is the URI of the logout script /logout.html. The logouturl could either begin with "logout" (exceptions are logout.gif and logout.jpg) or it could be any other value configured by the Administrator. 3. Required: The ADF application must pass the end_url parameter indicating where to redirect the user after logout, as follows: Integrating Oracle ADF Applications with Access Manager SSO A-9 Confirming Application-Driven Authentication During Runtime If the end_url parameter does not include host:port, the logout.html script gets the host:port of the local server and constructs the end_url parameter as a URL. For example: http://serverhost:port/oam/server/logout?end_url=http://serverhost:port/ welcome.html 4. 11g Webgate: Perform steps in "Configuring Centralized Logout for 11g WebGates" on page 27-4. 5. 10g Webgate: Perform steps in "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers" on page 30-22. See Also: "Scenario: Identity Propagation with the Access Manager Token" on page 42-2 for details about setting up providers for Access Manager Identity Assertion. A.4 Confirming Application-Driven Authentication During Runtime As mentioned earlier in this chapter, it is the application that triggers authentication and redirects the user to be authenticated by the appropriate solution. For instance, when the application determines that a user is accessing a part of a secured artifact that requires authentication application-driven authentication is triggered, in this case using Access Manager SSO. To confirm application-driven authentication during run time 1. Create the application based on the Oracle ADF framework. 2. Configure the Access Manager SSO Security provider, as described in "Integrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO Framework" on page A-3. 3. Access the protected field and confirm that the application triggers authentication. A-10 Administrator's Guide for Oracle Access Management B Internationalization and Multibyte Data Support for 10g WebGates B The information here might be of interest if you are using 10g WebGates: ■ Introduction to Internationalization and Multibyte Data Support B.1 Introduction to Internationalization and Multibyte Data Support Access Manager provides multi-lingual applications and software products that can be accessed and run anywhere simultaneously, without modification, while rendering content in the native user's language and locale preferences. A locale is the linguistic and cultural environment in which a system or program is running; data associated with a locale provides support for formatting and parsing of dates, times, numbers, currencies, and the like based on the linguistic and cultural requirements that corresponds to a given language and country. Oracle product globalization is a two part process that includes internationalization and localization. Internationalization (sometimes shortened to "I18N", meaning "I eighteen letters -N") requires that software products and applications must be usable on a computer running any supported operating system (in any supported language), with non-US keyboards or other country-specific hardware. Oracle applications do not have hard-coded dependencies on language strings, and inter-operate with non-US versions of other products. Oracle applications can handle multibyte characters and differences in a distributed environment, and also being able to detect the user's desired locale. Access Manager meets these requirements and conforms to Unicode Standard 4.0. Localization includes translation of separated file text. In Oracle products, information is presented in a manner that is consistent with the user's local cultural conventions, including data formatting, collation, currency, date, time, and directionality of text (right-to-left or left-to-right), as discussed next. For more information, see: ■ Languages For Localized Messages ■ Bi-directional Language Support ■ UTF-8 Encoding B.1.1 Languages For Localized Messages Translatable information can be categorized into two types: end-user information (accessible to all users) and administrative information (for users with Administrator privileges). When you install Oracle Access Manager 10.1.4 without a Language Pack, Internationalization and Multibyte Data Support for 10g WebGates B-1 Introduction to Internationalization and Multibyte Data Support English is the default language for Administrators and end users. When you install 10.1.4 with Oracle-provided Language Packs, you can choose the language to be used as the default for Administrative activities. Regardless of the default Administrator language you choose during installation, English is always installed. Messages added for minor releases (10g (10.1.4.2.0) and 10g (10.1.4.3) as a result of new functionality might not be translated and can appear in only English. Note: For end-users, the display of static application data is provided in the End Users languages identified in Table B–1: error messages, and display names for tabs, panels, and properties. Administrative information can be displayed in only the Administrators languages listed in Table B–1. If administrative pages are requested in any other language (by the browser setting), the language that was selected as the default during product installation is used to display the pages. Table B–1 Languages for Localized Messages Language Tag for Installation Directory End User Information Administrators en-us English English ar-ar Arabic pt-br Brazilian Portuguese fr-ca Canadian French cs-cs Czech da-dk Danish nl-nl Dutch fi-fi Finnish fr-fr French French de-de German German el-gr Greek he-il Hebrew hu-hu Hungarian it-it Italian Italian ja-jp Japanese Japanese ko-kr Korean Korean es-mx Latin American Spanish no-no Norwegian pl-pl Polish pt-pt Portuguese ro-ro Romanian ru-ru Russian zh-cn Simplified Chinese sk-sk Slovak B-2 Administrator's Guide for Oracle Access Management Brazilian Portuguese Simplified Chinese Introduction to Internationalization and Multibyte Data Support Table B–1 (Cont.) Languages for Localized Messages Language Tag for Installation Directory End User Information Administrators es-es Spanish/Spain Spanish sv-sv Swedish th-th Thai zh-tw Traditional Chinese tr-tr Turkish Traditional Chinese B.1.2 Bi-directional Language Support Most Western languages are written left to right (LTR), from the top of the page to the bottom. East Asian languages are usually written top to bottom, from the right side of the page to the left (RTL)—although exceptions are frequently made for technical books translated from Western languages. Some languages, such as Hebrew and Arabic, are written and read predominantly from right to left. Numbers reverse direction in Arabic and Hebrew. While the text is written right to left, numbers within the sentence are written left to right with the most significant digit on the left, as in European and other LTR languages. When LTR languages are mixed in with RTL languages, the complete document or content is considered bi-directional. Access Manager can support bi-directional languages. If the browser on the host computer is configured to use any bi-directional language, then Access Manager handles it properly. Note: No administrative languages require bi-directional support. To provide support for multiple languages and bi-directional languages, Access Manager 10.1.4 supports the Unicode standard for encoding. Writing direction does not affect the encoding of a character. Regardless of the writing direction, Oracle stores data in logical order—the order used by someone typing a language—rather than the order in which it is presented on the screen. Note: B.1.3 UTF-8 Encoding UTF-8 encoding and support is provided automatically, whether you have a new 10.1.4 installation or upgrade an older installation to Access Manager. You do not need to make any changes to your environment. As with previous releases, data in the directory server is stored with UTF-8 encoding. All of your directory data is UTF-8 format. Access Manager does not support a mix of data types in the directory. Note: Internationalization and Multibyte Data Support for 10g WebGates B-3 Introduction to Internationalization and Multibyte Data Support B-4 Administrator's Guide for Oracle Access Management C Securing Communication C This appendix provides the information and steps required to ensure that OAM Servers and clients (OAM Agents) can communicate securely across the Access Protocol channel. This chapter provides the following details: ■ Prerequisites ■ Securing Communication Between OAM Servers and WebGates ■ Generating Client Keystores for OAM Tester in Cert Mode ■ Configuring Cert Mode Communication for Access Manager ■ Configuring Simple Mode Communication with Access Manager C.1 Prerequisites If OAM Server mode is Cert mode, agents must use Cert mode. During agent registration, at least one OAM Server instance must be running in the same mode as the agent. After agent registration, you can change the mode of the OAM Server. See Also: ■ ■ "About Communication Between OAM Servers and WebGates" on page 6-4 Oracle Fusion Middleware Administrator's Guide for details about the SSL automation tool, managing ports for WebLogic Server, Oracle HTTP Server, and Oracle Fusion Middleware C.2 Securing Communication Between OAM Servers and WebGates Securing communication between OAM Servers and clients (WebGates) means defining the transport security mode for the NAP (also known as the OAP) channel within the component registration page. The security level for the channel is specified as either: ■ Open: Un-encrypted communication In Open mode, there is no authentication or encryption between the WebGate and OAM Server. The WebGate does not ask for proof of the OAM Server's identity and the OAM Server accepts connections from all WebGates. Use Open mode if communication security is not an issue in your deployment. ■ Simple: Encrypted communication through the Secure Sockets Layer (SSL) protocol with a public key certificate issued by Oracle. Securing Communication C-1 Securing Communication Between OAM Servers and WebGates Use Simple mode if you have some security concerns, such as not wanting to transmit passwords as plain text, but you do not manage your own Certificate Authority (CA). In this case, OAM Servers and WebGates use the same certificates, issued and signed by Oracle CA. For more information, see "About Simple Mode, Encryption, and Keys" on page C-14. ■ Cert: Encrypted communication through SSL with a public key certificate issued by a trusted third-party certificate authority (CA). Use Cert mode if you want different certificates on OAM Servers and WebGates and you have access to a trusted third-party CA. In this mode, you must encrypt the private key using the DES algorithm. Access Manager components use X.509 digital certificates in PEM format only. PEM refers to Privacy Enhanced Mail, which requires a passphrase. The PEM (Privacy Enhanced Mail) format is preferred for private keys, digital certificates, and trusted certificate authorities (CAs). The preferred keystore format is the JKS (Java KeyStore) format. For more information, see "About Cert Mode Encryption and Files" on page C-6. See Also: "About Certificates, Authorities, and Encryption Keys" on page C-3 Figure C–1 illustrates the communication channels used by OAM Servers and WebGates during user authentication and authorization. Logically the request is to the Access Manager credential collector. However, when you have a Web server proxy in front of the WebLogic AdminServer, with a , all requests are routed through the proxy. In this case, there is perimeter defense using the proxy. Figure C–1 Communication Channels for OAM Servers and WebGates C-2 Administrator's Guide for Oracle Access Management Securing Communication Between OAM Servers and WebGates Process overview: Authentication and authorization 1. Request is intercepted by WebGate. 2. Authentication (credential collection) occurs over HTTP(s) channel. 3. Authorization occurs over the NAP channel with OAM Agents only (not mod_ osso). Using the secure-sockets layer (SSL) protocol helps prevent eavesdropping and successful man-in-the-middle attacks across the HTTP (HTTPS) channel. The SSL protocol is included as part of most Web server products and Web browsers. SSL uses the public-and-private key encryption system, which includes the use of a digital certificate. For details about enabling SSL communication for a Web server or directory server, see your vendor's documentation. The PEM (Privacy Enhanced Mail) format (BASE64-encoded ASCII) is preferred for private keys, digital certificates, and trusted certificate authorities (CAs). The preferred keystore format for OAM Servers is JCEKS and for OAM Clients is JKS (Java KeyStore) format. Access Manager components use X.509 digital certificates in DER (binary form of a certificate) format only. For more information, see: ■ About Certificates, Authorities, and Encryption Keys ■ About Security Modes and X509Scheme Authentication ■ About the Importcert Tool C.2.1 About Certificates, Authorities, and Encryption Keys Depending on the public key infrastructure, the digital certificate establishes credentials for Web-based transactions based on: ■ Certificate owner's name ■ Certificate serial number ■ Certificate expiration date ■ ■ A copy of the certificate holder's public key, which is used to encrypt messages and digital signatures The digital signature of the certificate-issuing authority is provided so that a recipient can verify that the certificate is real Digital certificates can be stored in a registry from which authenticating users can look up the public keys of other users. In cryptography, a public key is a value provided by a designated authority to be used as an encryption key. The system for using public keys is called a public key infrastructure (PKI). As part of a public key infrastructure, a certificate authority checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. When the RA verifies the requestor's information, the CA can issue a certificate. Private keys can be derived from a public key. Combining public and private keys is known as asymmetric cryptography, which can be used to effectively encrypt messages and digital signatures. Securing Communication C-3 Securing Communication Between OAM Servers and WebGates See Also: ■ "About Cert Mode Encryption and Files" on page C-6 ■ "About Simple Mode, Encryption, and Keys" on page C-14 C.2.2 About Security Modes and X509Scheme Authentication Administrators must ensure that the OAM Server is reachable only over the transport specified in the OAM Server configuration. OAM Server configuration defines the end points for the Server and accounts for the deployment of load balancers or reverse proxies. When the OAM Server is reachable over both HTTP and HTTPS, all requests (over either transport) are accepted. To allow the user to interact with the OAM Server (and logout) over SSL with non-X509 authentication schemes, the specified Server Port must not be configured to require CLIENT CERTS. With the X509 authentication scheme (X509Scheme), the OAM Server SSL Port must differ from the Server Port, and must be configured to require Client Certificates. When X509Scheme is used, the X509 module is called after credential collection. X509Scheme requires the X509 challenge method and the X509 authentication module. The fully-qualified URL to the credential collector must be specified as the Challenge URL within X509Scheme. For example: https://managed_server_host:managed_ server_ssl_port/oam/CredCollectServlet/X509 If a relative Challenge URL is specified with X509Scheme, the OAM Server uses the specified Server Host/Port to construct the fully-qualified URL of the X509 Credential Collector. However, this configuration will not work. Note: See Also: "Managing SSO Tokens and IP Validation" on page 13-5 C.2.3 About the Importcert Tool Administrators use the Oracle-provided importcert tool for several different procedures related to keystores, keys, and certificates. Table C–1 provides the syntax for importcert commands. Table C–1 importcert Command Syntax Option Description keystore Follow this command with the path to an existing (or new) keystore. For example: /scratch/.oamkeystore or /scratch/clientKey.jks privatekeyfile Follow this option with the path to your private key. For example: /scratch/aaa_key.der signedcertfile Follow this option with the path to your signed certificate. For example: /scratch/aaa_cert.der C-4 Administrator's Guide for Oracle Access Management Generating Client Keystores for OAM Tester in Cert Mode Table C–1 (Cont.) importcert Command Syntax Option Description alias Follow this option with your keystore entry alias. Required with genkeystore.: alias storetype Follow this option with your keystore type. By default, the store type is JCEKS (OAM Server keystore). For example: Server keystore .oamkeystore, of type: JCEKS Client keystore/scratch/clientTrustStore.jks and /scratch/clientKey.jks can be used. Both are type: JKS genkeystore This flag is required for generating OAM client certificates. The client does not expose the alias and alias password parameters. However, importcert tool sets the keystore password as the alias password. Specify: Yes or No Yes imports the certificates in a new keystore. No imports certificates into an existing keystore. Sample for OAM Server - java -cp importcert.jar oracle.security.am.common.tools.importcerts.Certificate Import -keystore -privatekeyfile -signedcertfile -alias oam.certmode -aliaspassword -storetype genkeystore Enter the keystore password and alias password when prompted. Sample for OAM Client - java -cp importcert.jar See Also "Generating Client oracle.security.am.common.tools.importcerts.Certificate Keystores for OAM Tester in Import -keystore -privatekeyfile -signedcertfile Cert Mode" -storetype genkeystore Enter the keystore password when prompted. C.3 Generating Client Keystores for OAM Tester in Cert Mode This section is required to generate JKS keystores to be used with OAM Tester in Cert mode only. Otherwise, you can skip this section. This section describes how to use importcert commands to generate client keystores for OAM Tester in Cert mode to contain the imported trusted certificate chain. See Also: "About the Importcert Tool" on page C-4 To generate client keystores for OAM Tester in Cert mode 1. Use ImportCert tool to create JKS keystores (file name specified by -privatekeyfile and -signedcertfile). For example: - java -cp importcert.jar oracle.security.am.common.tools.importcerts.CertificateImport -keystore -privatekeyfile -signedcertfile path -storetype genkeystore Enter the keystore password when prompted. 2. 3. Proceed as needed for your environment: ■ Configuring Cert Mode Communication for Access Manager ■ Configuring Simple Mode Communication with Access Manager Remove a Keystore: Use the following command to remove the JKS keystore. For example: keytool -delete -alias -keystore -storetype Enter the keystore password when prompted. C.4 Configuring Cert Mode Communication for Access Manager This section describes how to configure Cert mode communication for Access Manager. The following tasks apply to Cert mode only. In Simple mode, the bundled Access Manager-CA-signed certificates are used and most of the following tasks are not needed. Note: Prerequisites During agent registration, at least one OAM Server instance must be running in the same mode as the agent. Otherwise, registration fails. After agent registration, however, you could change the communication mode of the OAM Server. Task overview: Adding certificates for the OAM Server includes 1. Reviewing: ■ Securing Communication Between OAM Servers and WebGates ■ About Cert Mode Encryption and Files 2. Generating a Certificate Request and Private Key for OAM Server 3. Retrieving the OAM Keystore Alias and Password 4. Importing the Trusted, Signed Certificate Chain Into the Keystore 5. Adding Certificate Details to Access Manager Settings 6. Generating a Private Key and Certificate Request for WebGates 7. Updating WebGate to Use Certificates C.4.1 About Cert Mode Encryption and Files The certificate request for WebGate generates the request file aaa_req.pem, which you must send to a root CA that is trusted by the OAM Sever. The root CA returns the certificates, which can then be installed either during or after 10g WebGate installation (for 11g WebGate these must be copied to the WebGate instance area manually after WebGate installation and configuration). ■ aaa_key.pem (reserved name for WebGate key file, which cannot be changed) C-6 Administrator's Guide for Oracle Access Management Configuring Cert Mode Communication for Access Manager ■ ■ aaa_cert.pem (reserved name for WebGate certificate file, which cannot be changed) aaa_chain.pem (reserved name for CA Cert for WebGate side) During component installation in Cert mode, you are asked to present a certificate obtained from an external CA. If you do not yet have a certificate you can request one. Until you receive the certificate, you can configure the WebGate in Simple mode. However, you cannot complete OAM deployment until the certificates are issued and installed. If you choose Cert mode when registering WebGate as an OAM Agent, a field appears where you can enter the Agent Key Password. When editing an 11g WebGate registration, password.xml is updated only when the mode is changed from Open to Cert or Simple to Cert. In cert mode, once generated, password.xml cannot be updated. Editing the agent Key Password does not result in creation of a new password.xml. You must create a Cert request and send that to the CA. When the certificate is returned you must import it to the OAM Server (or copy it to the WebGate). C.4.2 Generating a Certificate Request and Private Key for OAM Server Use the following procedure to retrieve the private key, certificate, and CA certificate for the OAM Server. The certified tool to maintain consistency between 10g and 11g registration, is openSSL. Oracle recommends that you use openSSL rather than other tools to generate certificates and keys in PEM format. Note: To retrieve the private key and certificates for OAM Server 1. Generate both the certificate request (aaa_req.pem) and Private Key (aaa_key.pem) as follows: –OpenSSL req –new –keyout aaa_key.pem –out aaa_req.pem –utf8 -nodes -config openssl_silent_ohs11g.cnf 2. Submit the certificate request (aaa_req.pem) to a trusted CA. 3. Download the CA Certificate in base64 as aaa_chain.pem. 4. Download the Certificate in both base64 and DER format as aaa_cert.pem and aaa_cert.der. 5. Encrypt the private key (aaa_key.pem) using a password as follows: openssl rsa -in aaa_key.pem -passin pass: -out aaa_key.pem -passout pass: ******** -des 6. Proceed to "Retrieving the OAM Keystore Alias and Password". C.4.3 Retrieving the OAM Keystore Alias and Password Users with valid Administrator credentials can perform the following task to retrieve the alias of the certificate in the specified keystore to be used for authentication, and the password that is required to import a certificate. Securing Communication C-7 Configuring Cert Mode Communication for Access Manager To retrieve the OAM Keystore password 1. Confirm the Oracle Access Management Console is running. 2. On the computer hosting the Oracle Access Management Console, locate the WebLogic Scripting Tool in the OAM Installation path to use when retrieving the keystore password. For example: $ORACLE_IDM_HOME/common/bin/ Here, $ORACLE_IDM_HOME is the base installation directory; /common/bin is the path in which the scripting tool is located. 3. Start the WebLogic Scripting Tool: ·/ wlst.sh 4. In the WLST shell, enter the command to connect and then enter the requested information. For example: wls:/offline> connect() Please enter your username [weblogic] : Please enter your password [welcome1] : Please enter your server URL [t3://localhost:7001] : wls:/base_domain/serverConfig> 5. Enter the following command to change the location to the read-only domainRuntime tree (For help, use help(domainRuntime)). For example: wls:/OAM_AC> domainRuntime() 6. Use the Oracle Enterprise Manager Console to retrieve the credentials for the OAM keystore. 1. Login to the Oracle Enterprise Manager Console. 2. Navigate to Farm_base_domain -> WebLogic Domain -> 3. Right click and select ’System mbean browser’. 4. Search for JpsCredentialStore. Alternatively, navigate to application defined mbeans ->com.oracle.jps -> Domain: -> JpsCredentialStore ->JpsCredentialStore 5. Click the 'operations' tab in the right hand window. 6. Click getPortableCredential. 7. Enter OAM_STORE for or Parameter 1 and jks for or Parameter 2. 8. Click Invoke. The returned value is the keystore password. 7. Pay close attention to the password of the OAM Keystore that is displayed because this is required to import the certificates. 8. Proceed to "Importing the Trusted, Signed Certificate Chain Into the Keystore". C.4.4 Importing the Trusted, Signed Certificate Chain Into the Keystore The Oracle-provided importcert tool is used to import existing private key, signed certificate (public key) files into the specified keystore format: JKS (client keystore format) or JCEKS (OAM Server keystore format; .oamkeystore for instance.). C-8 Administrator's Guide for Oracle Access Management Configuring Cert Mode Communication for Access Manager The keystores associated with Access Manager accepts only PKCS8 DER format certificates: ■ ■ If you have PEM format certificates signed by your certificate authority (CA), the following procedure describes how to convert and then import these using the importcert shipped with Access Manager. If PEM format certificates are not available, create a certificate request and have it signed by your CA before beginning the following procedure. Following are the steps for using the JDK version 6 keytool. If you have a different version of keytool, refer the documentation for your JDK version. When you use the keytool utility, the default key pair generation algorithm is Digital Signature Algorithm (DSA). However, Oracle Access Management and WebLogic Server do not support DSA and you must specify another key pair generation and signature algorithm. Note: Prerequisites Retrieving the OAM Keystore Alias and Password To import the trusted certificate chain into the keystore Locate the keytool in the following path: 1. $MW_HOME/jdk160_18/bin/keytool 2. Unzip importcert.zip and locate the Readme file in the following location: $ORACLE_IDM_HOME/oam/server/tools/importcert/README 3. aaa_chain.pem: Using a text editor, modify the aaa_chain.pem file to remove all data except that which is contained within the CERTIFICATE blocks, then save the file. ----BEGIN CERTIFICATE----... CERTIFICATE ... -----END CERTIFICATE----- 4. Import the trusted certificate chain using the following command with details for your environment. For example: keytool -importcert -file aaa_chain.pem -trustcacerts -storepass -keystore $ORACLE_HOME\user_projects\domains\$DOMAIN\config\fmwconfig\ .oamkeystore -storetype JCEKS 5. When prompted to trust this certificate, type yes. 6. aaa_cert.pem: a. Edit aaa_certn.pem using TextPad to remove all data except that which is contained within the CERTIFICATE blocks, and save the file in a new location to retain the original. For example: ----BEGIN CERTIFICATE----... CERTIFICATE ... Securing Communication C-9 Configuring Cert Mode Communication for Access Manager -----END CERTIFICATE----b. Enter the following command to convert the signed certificate (aaa_cert.pem) to DER format using openSSL or any other tool. For example: openssl x509 -in aaa_cert.pem -inform PEM -out aaa_cert.der -outform DER 7. aaa_key.pem: a. Edit aaa_key.pem to remove all data except that which is contained within the CERTIFICATE blocks, and save the file in a new location to retain the original. For example: ----BEGIN CERTIFICATE----... CERTIFICATE ... -----END CERTIFICATE----- b. Enter the following command to convert the private key (aaa_key.pem) to DER format using openSSL or any other tool. For example: openssl pkcs8 -topk8 -nocrypt -in aaa_key.pem -inform PEM -out aaa_key.der -outform DER 8. Import signed DER format certificates into the keystore. For example: a. Import aaa_key.der using the following command line arguments and details for your environment. For example: c:\Middleware\idm_home\oam\server\tools\importcert - java -cp importcert.jar oracle.security.am.common.tools.importcerts.CertificateImport -keystore <> -privatekeyfile -signedcertfile -alias [ -storetype <> genkeystore <> -help] Enter the key store password and alias password when prompted. On a Windows system, use a semicolon (;) instead of a colon (:) in the command line. Note: 9. Proceed to "Adding Certificate Details to Access Manager Settings". C.4.5 Adding Certificate Details to Access Manager Settings After importing the certificates into the keystore, you must add the alias and password that you specified earlier into Access Manager settings configuration in Oracle Access Management Console, as described here. No explicit configuration is needed for Simple mode, which is provided out of the box. Note: Prerequisites Importing the Trusted, Signed Certificate Chain Into the Keystore C-10 Administrator's Guide for Oracle Access Management Configuring Cert Mode Communication for Access Manager See Also: ■ "Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security" on page 13-6 To add certificate details to Access Manager Settings 1. In the Oracle Access Management Console, click Configuration at the top of the window. 2. In the Launch Pad tab, select Access Manager from the View drop-down menu in the Settings section. 3. In the Access Protocol section, fill in the alias and alias password details acquired in the previous procedure. For example: Cert Mode Configuration PEM keystore Alias: my_keystore_alias PEM keystore Alias Password: my_keystore_alias_pw 4. Click Apply to save the configuration. 5. Close the page. 6. Open the OAM Server registration page, click the Proxy tab, change the Proxy mode to Cert, and click Apply. 7. Restart the OAM Server. 8. Proceed to "Generating a Private Key and Certificate Request for WebGates". C.4.6 Generating a Private Key and Certificate Request for WebGates Use the following procedure to retrieve the private key, certificate, and CA certificate for the WebGate. The certified tool to maintain consistency between 10g and 11g registration, is openSSL. Oracle recommends that you use openSSL rather than other tools to generate certificates and keys in PEM format. Note: To retrieve the private key and certificates for WebGates 1. Generate both the certificate request (aaa_req.pem) and Private Key (aaa_key.pem) as follows: openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8 -nodes 2. Submit the certificate request (aaa_req.pem) to a trusted CA. 3. Download the CA Certificate in base64 as aaa_chain.pem. 4. Download the Certificate in base64 format as aaa_cert.pem. 5. Encrypt the private key (aaa_key.pem) using a password as follows: openssl rsa -in aaa_key.pem -passin pass: -out aaa_key.pem -passout pass: ******** -des 6. Proceed to "Updating WebGate to Use Certificates". Securing Communication C-11 Configuring Cert Mode Communication for Access Manager C.4.7 Updating WebGate to Use Certificates For all communication modes (Open, Simple, or Cert), the Agent registration should be updated from the Oracle Access Management Console: ■ ■ Registering an Agent: If you choose Cert mode when registering an OAM Agent, a field appears where you can enter the Agent Key Password. Editing/Updating an Agent: When editing an 11g WebGate registration, password.xml is updated only when the mode is changed from Open to Cert or Simple to Cert. Editing the agent Key Password does not result in creation of a new password.xml. In Cert mode, once generated, password.xml cannot be updated. Prerequisites Adding Certificate Details to Access Manager Settings To update the communication mode in the WebGate Agent registration 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Launch Pad tab, click Agents. 3. On the Search page, define your criteria and open the desired agent registration, as described in "Searching for an OAM Agent Registration" on page 15-20. 4. On the agent's registration page, locate the Security options and click Cert (or Simple). 5. Cert Mode: Enter the Agent key Password as specified in Step 5 of "Generating a Private Key and Certificate Request for WebGates". 6. Click Apply to submit the changes. 7. Copy your updated WebGate files as follows: 11g WebGate: ObAccessClient.xml cwallet.sso (11g WebGate only) password.xml ■ From: $IDM_DOMAIN_HOME/output/AGENT_NAME ■ To: $OHS_INSTANCE_HOME/config/OHS/ohs2/webgate/config 10g WebGate: ObAccessClient.xml ■ From: $WLS_DOMAIN_HOME/output/AGENT_NAME ■ To: $WebGate_install_dir/oblix/lib 10g WebGate: password.xml 8. ■ From: $WLS_DOMAIN_HOME/output/AGENT_NAME ■ To: $WebGate_install_dir/oblix/config Copy the following files that were created when "Generating a Certificate Request and Private Key for OAM Server": 11g WebGate: ■ From: C-12 Administrator's Guide for Oracle Access Management Configuring Simple Mode Communication with Access Manager aaa_key.pem: WebGate11g_home/webgate/ohs/tools/openssl aaa_cert.pem: The location where this was saved after receiving from CA aaa_chain.pem: The location where this was saved after receiving from CA ■ To: OHS_INSTANCE_HOME/config/OHS/ohs2/webgate/config 10g WebGate: ■ From: aaa_key.pem: The location where the private key file was generated aaa_cert.pem: The location where this was saved after receiving from CA aaa_chain.pem: The location where this was saved after receiving from CA ■ 9. To: $WebGate_install_dir/oblix/config Restart the OAM Server and the Oracle HTTP Server instance. C.5 Configuring Simple Mode Communication with Access Manager The transport security communication mode is chosen during OAM installation. In Simple mode, the installer generates a random global passphrase initially, which can be edited as required later. Communication between the agent and server works when the WebGate mode matches (or is higher) than the OAM Server mode. Note: When you register an OAM Agent or a new OAM Server, you can specify the Security mode. However, changing the global passphrase requires that you reconfigure all agents to use the mode and the new global passphrase. During agent registration, at least one OAM Server instance must be running in the same mode as the agent. Otherwise, registration fails. After agent registration, however, you could change the communication mode of the OAM Server. Note: The agent mode can be higher but not lower. The highest level of security is Cert mode, the lowest is Open mode: Cert mode Simple mode Open mode This section provides the information you need to configure Simple mode communication. Task overview: Configuring Simple mode communication includes 1. Reviewing: ■ "About Simple Mode, Encryption, and Keys" ■ "About the Importcert Tool" 2. Retrieving the Global Passphrase for Simple Mode 3. Updating WebGate Registration for Simple Mode 4. Verifying Simple Mode Configuration Securing Communication C-13 Configuring Simple Mode Communication with Access Manager C.5.1 About Simple Mode, Encryption, and Keys For Simple mode encryption, Access Manager includes a certificate authority with its own private key, which is installed across all WebGates and OAM Servers. During installation, the OAM Server generates and saves the private-public keypair for the server. Similarly, for the OAM agent, an Oracle certificate authority is installed with the agent installation. The installer generates a random global passphrase initially, which can be edited or viewed as needed. When an agent is registered in SIMPLE mode, the following client certificates are generated to be consumed by clients: ■ aaa_key.pem: Contains private key ■ aaa_cert.pem: Signed certificate ■ password.xml: Contains the random global passphrase in obfuscated format Changing the global passphrase requires reconfiguring all agents that are already configured in Simple mode. Note: C.5.2 Retrieving the Global Passphrase for Simple Mode Access Manager generates a random global passphrase for Simple mode communication during installation. The following procedure describes how to retrieve this password. To retrieve the random global passphrase for Simple mode communication Ensure that the Oracle Access Management Console is running. 1. 2. On the computer hosting the Oracle Access Management Console, locate the WebLogic Scripting Tool in the following path. For example: $ORACLE_IDM_HOME/common/bin Where $ORACLE_IDM_HOME represents the base installation directory path; /common/bin is the path wherein the scripting tool is located. 3. Start the WebLogic scripting tool. For example, on a Unix system: ./ wlst.sh 4. In the WLST shell, enter the command to connect and then enter the requested information. For example: wls:/offline> connect() Please enter your username [weblogic] : Please enter your password [weblogic] : Please enter your server URL [t3://localhost:7001] : wls:/base_domain/serverConfig> 5. Enter the following command to change the location to the read-only domainRuntime tree (for help, use help(domainRuntime)). For example: wls:/OAM_AC>domainRuntime() 6. View the global passphrase by entering the following command. For example: wls:/OAM_AC> displaySimpleModeGlobalPassphrase() 7. Proceed to "Updating WebGate Registration for Simple Mode". C-14 Administrator's Guide for Oracle Access Management Configuring Simple Mode Communication with Access Manager C.5.3 Updating WebGate Registration for Simple Mode Artifacts generated for Simple Security mode use the Global Pass phrase and any change must be propagated to WebGates. To update an existing WebGate registration for Simple mode, you can delete the WebGate registration using the Oracle Access Management Console, then re-register it (specifying Simple mode and disabling the automatic generation of policies). Alternatively, you can edit the WebGate registration and then copy the artifacts as described here. See Also: ■ "Viewing or Editing an OAM Agent Registration Page in the Console" on page 15-22 To update the WebGate registration for Simple mode 1. In the Oracle Access Management Console, click Application Security at the top of the window. 2. In the Launch Pad tab, click Agents. 3. On the Search page, define your criteria and open the desired agent registration, as described in "Searching for an OAM Agent Registration" on page 15-20. 4. In the registration page, locate the Security options and click Simple. 5. Click Apply to submit the changes. 6. Copy the updated WebGate files as follows: 11g WebGate: ObAccessClient.xml cwallet.sso (11g WebGate only) password.xml ■ ■ From: $WLS_DOMAIN_HOME/output/AGENT_NAME (the WebLogic domain home where the OAM AdminServer is installed) To: $OHS_INSTANCE_HOME/config/OHS/ohs2/webgate/config 10g WebGate: ObAccessClient.xml ■ From: $WLS_DOMAIN_HOME/output/AGENT_NAME ■ To: $WebGate_install_dir/oblix/lib 10g WebGate: password.xml 7. ■ From: $WLS_DOMAIN_HOME/output/AGENT_NAME ■ To: $WebGate_install_dir/oblix/config Copy the following files, as directed for your WebGate release: aaa_key.pem aaa_cert.pem 11g WebGate: ■ From: $IDM_DOMAIN_HOME/output/AGENT_NAME ■ To: $OHS_INSTANCE_HOME/config/OHS/ohs2/webgate/config/simple 10g WebGate: Securing Communication C-15 Configuring Simple Mode Communication with Access Manager 8. ■ From: $IDM_DOMAIN_HOME/output/AGENT_NAME ■ To: $WebGate_install_dir/oblix/config/simple Restart the OAM Server and the Oracle HTTP Server instance. C.5.4 Verifying Simple Mode Configuration You must restart the Web server to instantiate the change to Simple mode. Then you can validate the results To validate Simple mode changes 1. From a command-line window, restart the Web server. For example: d:\middleware\ohs_home\instances\ohs_webgate11g\bin opmnctl stopall opmnctl startall 2. In a browser window, enter the URL to a resource protected by the WebGate using Simple mode. 3. Enter your login credentials, when asked. 4. Confirm that the resource is served. C-16 Administrator's Guide for Oracle Access Management D Reviewing Bundled, Generated, and Migrated Artifacts D [39This ] appendix provides a look at sample artifacts that are either bundled with Access Manager, or generated during agent registration. This appendix includes the following sections: ■ Bundled 10g IAMSuiteAgent Artifacts ■ Generated Artifacts: OpenSSO ■ Migrated Artifacts: OpenSSO D.1 Bundled 10g IAMSuiteAgent Artifacts This section provides the following topics: ■ Pre-Registered 10g IAMSuiteAgent ■ IAMSuiteAgent Security Provider Settings, WebLogic Administration Console ■ IAMSuiteAgent Registration ■ Resources Protected by IAMSuiteAgent ■ Pre-seeded IAM Suite Application Domain and Policies D.1.1 Pre-Registered 10g IAMSuiteAgent This 10g OAM Agent, and the companion Application Domain, described in Chapter 25, are available with 11.1.1.5. Oracle strongly recommends that you do not alter these definitions. The original IDMDomainAgent is not available with this patch set. It remains as an artifact after you apply the patch set. However, all content is removed. Note: The IAMSuiteAgent provides single sign-on functionality for the IDM Administration Console. The IAMSuiteAgent is installed and pre-configured as part of the OAM Server installation and configuration. The IAMSuiteAgent is a domain-wide agent: ■ ■ Once deployed, the IAMSuiteAgent is installed on every server in the domain Unless disabled, every request coming into the WebLogic Application Server is evaluated and processed by the IAMSuiteAgent Reviewing Bundled, Generated, and Migrated Artifacts D-1 Bundled 10g IAMSuiteAgent Artifacts ■ Configuration details are located under the 10g Webgates node (Policy Configuration tab) in the Oracle Access Management Console Certain IAMSuiteAgent configuration elements are available in the WebLogic Administration Console (in the Security Provider section) and others in the Oracle Access Management Console. D.1.2 IAMSuiteAgent Security Provider Settings, WebLogic Administration Console In the Security Provider section of the WebLogic Administration Console are five bootstrap configuration parameters. While Oracle recommends that you retain these without making changes, there are circumstances where you might need to change one of the following parameters: ■ ■ Primary Access Server: You can replace this value with information for your actual OAM Server. The default value (localhost:5575) can be replaced with information for your actual OAM Server if more than one host is part of the IDM Domain. The IAM Suite Agent and companion Application Domain (IAMSuite) replaces the 11.1.1.3.0 IDM Domain Agent and its companion Application Domain. Agent Password: By default there is no password. However, you can add one here if you want to establish a password for the IAMSuiteAgent connection to the OAM Server through the NetPoint (now Oracle) Access Protocol (NAP or OAP). Figure D–1 illustrates the default Security Provider settings for the IAMSuiteAgent. Figure D–1 IAMSuiteAgent Settings in the WebLogic Administration Console D.1.3 IAMSuiteAgent Registration The IAMSuiteAgent registration page provides details about the agent, like all other OAM agent registration pages. D-2 Administrator's Guide for Oracle Access Management Bundled 10g IAMSuiteAgent Artifacts ■ ■ Security Mode: Open is the only security mode available for the IAMSuiteAgent. This cannot be changed. Preferred Host: IAMSuiteAgent is the pre-configured host required by this agent The Access Client Password here must match the Agent Password in the WebLogic Administration Console. If you changed the Agent Password, you must also change the Access Client Password. Note: Figure D–2 shows the IAMSuiteAgent page. Notice the User Defined Parameter, which informs behavior to fall back to the container policy in the WebLogic Server and provides a redirect URL for logout. Figure D–2 IAMSuiteAgent Registration You can replace this agent with a 10g Webgate, as described in Chapter 30, "Registering and Managing 10g WebGates with Access Manager 11g". Table D–1 outlines the differences between IAMSuiteAgent and 11g and 10g WebGates. Reviewing Bundled, Generated, and Migrated Artifacts D-3 Bundled 10g IAMSuiteAgent Artifacts Table D–1 Comparing IAMSuiteAgent with 11g and 10g Webgates Element 11g Webgate Primary Cookie Domain Token Validity Period N/A x 10g Webgate x N/A IAMSuiteAgent x N/A Preferred Host x x x Logout URL x x x Logout Callback URL x N/A N/A Logout Redirect URL x N/A N/A Logout Target URL x N/A N/A Cache Pragma Header x Cache Control Header User Defined Parameters Deny on Not Protected x proxySSLHeaderVar=IS_SSL URLInUTF8Format=true client_request_retry_ attempts=1 inactiveReconfigPeriod=10 x x x x x fallbackToContainerPolicy =true logoutRedirectUrl=http:// hostname.domain.com:14100 client_request_retry_ /oam/server/logout attempts=1 inactiveReconfigPeriod=10 protectWebXmlSecuredPages Only=true proxySSLHeaderVar=IS_SSL URLInUTF8Format=true x x D.1.4 Resources Protected by IAMSuiteAgent Figure D–3 illustrates the resources protected by the IAMSuiteAgent, including the exact Authentication and Authorization policies. Oracle recommends that you do not make any additions or changes. The WebLogic Administration Console (/console) is protected. D-4 Administrator's Guide for Oracle Access Management Bundled 10g IAMSuiteAgent Artifacts Figure D–3 Resources Protected by the IAMSuiteAgent D.1.5 Pre-seeded IAM Suite Application Domain and Policies The following figures present Authentication Policies in the IAM Suite Application Domain: ■ Figure D–4, "IAMSuite Authentication Policy: OAM Admin Console Policy" ■ Figure D–5, "Protected HigherLevel Policy: Authentication, LDAP Scheme" ■ Figure D–6, "Protected LowerLevel Policy: Authentication, OIMScheme" ■ Figure D–7, "Public Policy: Authentication, AnonymousSheme" Reviewing Bundled, Generated, and Migrated Artifacts D-5 Bundled 10g IAMSuiteAgent Artifacts Figure D–4 IAMSuite Authentication Policy: OAM Admin Console Policy D-6 Administrator's Guide for Oracle Access Management Bundled 10g IAMSuiteAgent Artifacts Figure D–5 Protected HigherLevel Policy: Authentication, LDAP Scheme Reviewing Bundled, Generated, and Migrated Artifacts D-7 Bundled 10g IAMSuiteAgent Artifacts Figure D–6 Protected LowerLevel Policy: Authentication, OIMScheme Figure D–7 Public Policy: Authentication, AnonymousSheme IAM Suite Authorization Policy Figure D–8 presents Authorization Policy in the IAM Suite Application Domain. By default, no explicit conditions or responses are defined. However, you can add any that are appropriate for your environment. D-8 Administrator's Guide for Oracle Access Management Bundled 10g IAMSuiteAgent Artifacts Figure D–8 IAM Suite Authorization Policy IAM Suite Token Issuance Policy Figure D–9 presents IAM Suite Token Issuance Policy in the IAM Suite Application Domain. By default, there are no explicit conditions defined. However, you can define any that are needed in your environment. Figure D–9 IAM Suite Token Issuance Policy and Resource URLs Reviewing Bundled, Generated, and Migrated Artifacts D-9 Generated Artifacts: OpenSSO D.2 Generated Artifacts: OpenSSO This section shows the custom authentication module, host identifier, Application Domain, and policies generated during OpenSSO Agent provisioning. ■ Generated OpenSSOAgentAuthPlugin ■ Generated Host Identifier: OpenSSOAgent1 ■ Generated Application Domain: OpenSSOAgent1 ■ Generated Resources: OpenSSOAgent1 ■ Generated Authentication Policy: OpenSSOAgent Application Domain ■ Generated Authorization Policy: OpenSSOAgent Application Domain D.2.1 Generated OpenSSOAgentAuthPlugin Figure D–10 shows the OpenSSOAgent Custom Authentication Module: OpenSSOAgentAuthPlugin. Figure D–10 Generated Authentication Module: OpenSSOAgentAuthPlugin D-10 Administrator's Guide for Oracle Access Management Generated Artifacts: OpenSSO D.2.2 Generated Host Identifier: OpenSSOAgent1 Figure D–11 Generated Host Identifier: OpenSSOAgent1 D.2.3 Generated Application Domain: OpenSSOAgent1 Figure D–12 Generated Application Domain: OpenSSOAgent1 Reviewing Bundled, Generated, and Migrated Artifacts D-11 Generated Artifacts: OpenSSO D.2.4 Generated Resources: OpenSSOAgent1 Figure D–13 Application Domain Resources: OpenSSOAgent1 D.2.5 Generated Authentication Policy: OpenSSOAgent Application Domain Figure D–14 Generated Authentication Policy: OpenSSOAgent Application Domain D-12 Administrator's Guide for Oracle Access Management Migrated Artifacts: OpenSSO D.2.6 Generated Authorization Policy: OpenSSOAgent Application Domain Figure D–15 Generated Authorization Policy: OpenSSOAgent Application Domain D.3 Migrated Artifacts: OpenSSO This section shows the artifacts that are migrated when you use Oracle-provided tools to analyze and migrate an OpenSSO environment to Oracle Access Management Console. ■ Migrated User Identity Store: OpenSSOAgent1 ■ Migrated Agents: OpenSSOAgent1 ■ Migrated Authentication Module: OpenSSOAgent1 ■ Migrated Host Identifier: OpenSSOAgent1 ■ Migrated Application Domain: OpenSSOAgent1 ■ Migrated Resources: OpenSSOAgent1 ■ Migrated Authentication Policy: OpenSSOAgent1 ■ Migrated Authorization Policy: OpenSSOAgent1 Reviewing Bundled, Generated, and Migrated Artifacts D-13 Migrated Artifacts: OpenSSO D.3.1 Migrated User Identity Store: OpenSSOAgent1 Figure D–16 Migrated User Identity Store D-14 Administrator's Guide for Oracle Access Management Migrated Artifacts: OpenSSO D.3.2 Migrated Agents: OpenSSOAgent1 Figure D–17 Migrated Agent: OpenSSOAgent1 Reviewing Bundled, Generated, and Migrated Artifacts D-15 Migrated Artifacts: OpenSSO D.3.3 Migrated Authentication Module: OpenSSOAgent1 Figure D–18 Migrated Authentication Module: OpenSSOAgent1 D.3.4 Migrated Host Identifier: OpenSSOAgent1 Figure D–19 Migrated Host Identifier: OpenSSOAgent1 D.3.5 Migrated Application Domain: OpenSSOAgent1 Figure D–20 Migrated Application Domain: OpenSSOAgent1 D-16 Administrator's Guide for Oracle Access Management Migrated Artifacts: OpenSSO D.3.6 Migrated Resources: OpenSSOAgent1 Figure D–21 Migrated Resources: OpenSSOAgent1 D.3.7 Migrated Authentication Policy: OpenSSOAgent1 Figure D–22 Migrated Authentication Policy: OpenSSOAgent1 Reviewing Bundled, Generated, and Migrated Artifacts D-17 Migrated Artifacts: OpenSSO D.3.8 Migrated Authorization Policy: OpenSSOAgent1 Figure D–23 Migrated Authorization Policy2 Condition: OpenSSOAgent1 Figure D–24 Migrated Authorization Policy2: IP Condition Details D-18 Administrator's Guide for Oracle Access Management E Troubleshooting E This chapter provides troubleshooting tips. ■ Introduction to Oracle Access Management Troubleshooting ■ Using My Oracle Support for Additional Troubleshooting Information ■ Oracle Access Management Console Inconsistent State ■ AdminServer Won't Start if the Wrong Java Path Given with WebLogic Server Installation ■ Agent Naming Not Unique ■ Application URL Requirements ■ Authentication Issues ■ Authorization Issues ■ Cannot Access Authentication LDAP or Database ■ Cannot Find Configuration ■ Co-existence Between OSSO and Access Manager ■ Could Not Find Partial Trigger ■ Denial of Service Attacks ■ Deployments with Freshly Installed 10g Webgates ■ Disabling Windows Challenge/Response Authentication on IIS Web Servers ■ Changing UserIdentityStore1 Type Can Lock Out Administrators ■ IIS Web Server Issues ■ jps Logger Class Instantiation Warning is Logged on Authentication ■ Internationalization, Languages, and Translation ■ Login Failure for a Protected Page ■ OAM Metric Persistence Timer IllegalStateException: SafeCluster ■ Partial Cluster Failure and Intermittent Login and Logout Failures ■ RSA SecurID Issues and Logs ■ Registration Issues ■ Rowkey does not have any primary key attributes Error ■ SELinux Issues Troubleshooting E-1 Introduction to Oracle Access Management Troubleshooting ■ Session Issues ■ SSL versus Open Communication ■ Start Up Issues ■ Synchronizing OAM Server Clocks ■ Using Coherence ■ Validation Errors ■ Web Server Issues ■ Windows Native Authentication E.1 Introduction to Oracle Access Management Troubleshooting Oracle Access Management is a business critical system; downtime comes with a potentially high cost to your business. The goal of system analysis is to quickly isolate and correct the cause of any problem. This requires a big picture view of your system and the tools to observe the live system and correlate components to the bigger picture. To assist Administrators in performing a quick diagnosis, this section provides the following topics: ■ About System Analysis and Problem Scenarios ■ About LDAP Server or Identity Store Issues ■ About OAM Server or Host Issues ■ About Agent-Side Configuration and Load Issues ■ About Runtime Database (Audit or Session Data) Issues ■ About Change Propagation or Activation Issues ■ About Policy Store Database Issues E.1.1 About System Analysis and Problem Scenarios System analysis includes understanding how the product works, what can go wrong, how likely the scenarios are, and the consequences or observable issues. System problems can be divided into two basic categories: ■ Cascading catastrophic failure ■ Gradual breakdown in performance Cascading catastrophic failure might be caused by: ■ LDAP server is loaded and unresponsive ■ Morning peak load starts ■ Webgates send requests to the primary OAM Server ■ Webgate requests time-out and Webgates retry to secondary OAM Server Gradual breakdown in performance might occur over time when, for example: ■ ■ OAM is sized and rolled out for 10,000 users and 500 groups Over the course of a year, the number of users and groups increases significantly (to 50,000 users and 250 groups for example) E-2 Administrator's Guide for Oracle Access Management Introduction to Oracle Access Management Troubleshooting For information on the most commonly encountered issues, see the following topics: ■ About System Analysis and Problem Scenarios ■ About LDAP Server or Identity Store Issues ■ About OAM Server or Host Issues ■ About Agent-Side Configuration and Load Issues ■ About Runtime Database (Audit or Session Data) Issues ■ About Change Propagation or Activation Issues ■ About Policy Store Database Issues E.1.2 About LDAP Server or Identity Store Issues This topic provides symptoms, probable cause, and steps to diagnose the following issues: ■ Symptoms: Operational Slowness ■ Symptoms: Total loss of service Symptoms: Operational Slowness ■ Poor user experience ■ Agent time outs lead to retries Cause Non-OAM load might be impacting OAM operations ■ ■ Capacity problems due to gradual increase in peak load Symptoms: Total loss of service Cause Outage of all LDAP servers ■ ■ The load balancer is timing out old connections Diagnosis 1. Shut down the LDAP server. 2. Restart your browser. 3. Try to access a protected site. 4. Review errors in the OAM Server log file, as described in Chapter 7 (alternatively, in Chapter 12). 5. Try to access Oracle Access Management Console. 6. Observe errors in WebLogic AdminServer log file. 7. Bring up the LDAP server again. 8. Retry access to a protected application. 9. Retry access to the Oracle Access Management Console. 10. Correct the issue based on the requirements in your environment. Troubleshooting E-3 Introduction to Oracle Access Management Troubleshooting E.1.3 About OAM Server or Host Issues This topic provides symptoms, probable cause, and steps to diagnose the following issues: ■ Symptoms: Capacity Problems ■ Symptoms: Interference with Other Services on the Host Symptoms: Capacity Problems Poor user experience due to slow operations ■ ■ Agent time outs and retry can result in extra load Cause ■ CPU cycles ■ Memory issues Symptoms: Interference with Other Services on the Host Poor user experience due to slow operations ■ ■ Agent time outs and retry may result in extra load Cause ■ CPU cycle contention ■ Memory contention ■ File system full Diagnosis: OAM Server 1. Shut down the OAM Server 2. Try to access a Webgate or mod_osso protected resource 3. Bring up the OAM Server 4. Use the Access Tester to test authentication and authorization as described in Chapter 26. 5. Use 'top' to figure out the CPU and Memory consumption of the OAM Server as you use the access tester 6. Get a thread dump of the OAM Server. Diagnosis: AdminServer Shut down the AdminServer. 1. 2. Restart your browser and access a protected resource, which should work. 3. Use remote registration to register a new partner, as described in Chapter 15 (this should fail). 4. Startup OAM AdminServer. E.1.4 About Agent-Side Configuration and Load Issues This topic provides symptoms, probable cause, and steps to diagnose time issues between agents and servers. E-4 Administrator's Guide for Oracle Access Management Introduction to Oracle Access Management Troubleshooting Symptoms: Difference in Clock time Between Agent and Server ■ High CPU usage at both agent and server ■ User experiences a system hang Cause ■ Agent thinks the token issued by the server is invalid ■ Agent keeps going back to the server to re-issue the token Diagnosis Access protected resource. 1. 2. Confirm: Client access hangs. 3. Confirm: High CPU usage on agent and server. E.1.5 About Runtime Database (Audit or Session Data) Issues The audit and session functions are both write intensive operations. The policy database can be tuned for read intensive service. Symptoms ■ Audit and session operations are slow ■ ■ File system on the OAM Server is full with audit data that is not yet written to the database Loss of in-memory session data when one of the servers in the cluster fails Cause ■ Database is not tuned for write intensive operations ■ Database is unavailable due to maintenance ■ Space issues in the database Diagnosis 1. Shut down the database used to store Audit and Session data. 2. Try to access a protected resource. 3. Review error and warning messages in the OAM Server log files, as described in Chapter 7 (alternatively, in Chapter 12). E.1.6 About Change Propagation or Activation Issues This topic provides symptoms, probable cause, and steps to diagnose the following issues: Symptoms ■ Changes to policy do not take immediate effect ■ Changes to system configuration do not take immediate effect Cause Servers being too busy handling runtime requests (CPU contention) ■ ■ Coherence network slowness Troubleshooting E-5 Using My Oracle Support for Additional Troubleshooting Information Diagnosis: See "About Policy Store Database Issues" E.1.7 About Policy Store Database Issues This topic provides symptoms, probable cause, and steps to diagnose policy database issues. Symptoms: No policy changes are allowed; no impact on runtime Cause ■ Database is unavailable (down for maintenance) ■ Space issues in the database Diagnosis Shut down the database containing OAM policies. 1. 2. Try to access a protected resource and observe the runtime access is not impacted. 3. Try to access the Oracle Access Management Console to edit policies, and then observe errors in the AdminServer log file. E.2 Using My Oracle Support for Additional Troubleshooting Information You can use My Oracle Support (formerly MetaLink) to help resolve Oracle Fusion Middleware problems. My Oracle Support contains several useful troubleshooting resources, such as: ■ Knowledge base articles ■ Community forums and discussions ■ Patches and upgrades ■ Certification information Note: You can also use My Oracle Support to log a service request. You can access My Oracle Support at https://support.oracle.com. E.3 Administrator Lockout Problem Administrator cannot successfully log in to the Oracle Access Management Console. The following message appears: Manually Change Identity Store Settings at OPSS Level and configure the IDMDOmainAgent. Cause Access Manager secures the Oracle Access Management Console based on authentication information in the IAM Suite Application Domain: OAM Admin Console Policy. This policy relies on a single Authentication Scheme (OAMAdminConsoleScheme), which uses a Form challenge method and LDAP E-6 Administrator's Guide for Oracle Access Management Oracle Access Management Console Inconsistent State Authentication Module. The LDAP Authentication Module must be pointing to the User Identity Store designated as the System Store. If, for example, your deployment is configured to use Oracle Internet Directory (with all Administrators, users, and groups defined therein) ensure that the LDAP Authentication Module points to this user identity store and that this is designated as the System Store. Solution 1. Insert a user identity into both your designated system store and the Embedded LDAP store. 2. Log in to Oracle Access Management Console. 3. Configure the LDAP Authentication Module used by the designated System Store to point to the appropriate User Identity Store, as described in "Managing Native Authentication Modules" on page 22-23. E.4 Error During Federation Configuration After Upgrade from PS1 to PS2 IAM Suite is the OOTB Application Domain created when OAM 11.1.2 is installed. This Application Domain can be renamed after installation but when upgrading OAM to 11.1.2.2.0, it must be renamed back to IAM Suite. If it has been renamed, the upgrade operation will fail with this error seen in the WLS admin logs. java.lang.NullPointerException at oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.FedR2PS2Bootstr apHandler.createFedAuthnResource(FedR2PS2BootstrapHandler.java:505) at oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.FedR2PS2Bootstr apHandler.doBootstrap(FedR2PS2BootstrapHandler.java:151) at oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.R2PS2BootstrapH elper.doBootstrap(R2PS2BootstrapHelper.java:70) at oracle.security.am.common.policy.tools.PolicyComponentLifecycle.initialize(Pol . icyComponentLifecycle.java:99) If the IAM Suite Application Domain has been renamed, it is required to rename it back to its original IAM Suite name prior to beginning the upgrade process. After the upgrade, the name can be changed back to a custom name. E.5 Oracle Access Management Console Inconsistent State Problem Administrators performing updates concurrently will result in an inconsistent state within the system configuration of the Oracle Access Management Console. Cause Concurrent configuration updates are not supported. Troubleshooting E-7 AdminServer Won't Start if the Wrong Java Path Given with WebLogic Server Installation Solution Only one Administrator should be allowed to modify the system configuration at any given time. E.6 AdminServer Won't Start if the Wrong Java Path Given with WebLogic Server Installation WebLogic Server (wls1035_generic) installation is successful on Windows 64-bit with 32-bit Java (jdk1.6.0_24). When setup.exe is executed you must provide the path of the 64-bit java (jdk1.6.0_23) to successfully launch the install shield. If you provide the 32-bit Java (jdk1.6.0_24) path, the install shield is not launched. However, if you execute config.cmd from \Middleware\Oracle_IDM1\common\bin, by default 32-bit Java (jdk1.6.0_24) path is used, but after successful installation Access Manager installation, you cannot start AdminServer. On Windows host, the path to 32-bit JAVA_HOME (c:\Program files (x86)\java\jdkxxx) is not correctly handled by the startWeblogic.cmd. Replacing SUN_JAVA_HOME to use the path with the shorter name (c:\progra~2\java\jdkxxxx) works fine. On Windows, the shorter names can be seen by executing "dir /X". Alternatively, you can set windows cmd shell variable JAVA_HOME to path with shorter name and execute startWeblogic.cmd within that. For example: >set JAVA_HOME=c:\progra~2\java\jdkXXX >startweblogic.cmd E.7 Agent Naming Not Unique A unique identifying name for each Agent registration is preferred. However: ■ ■ If the Agent Name exists, no error occurs and the registration does not fail. Instead, Access Manager creates the policies if they are not already in place. If the host identifier exists, the unique Agent Base URL is added to the existing host identifier and registration proceeds. E.8 Application URL Requirements The number of characters allowed in a URL are based on browser version. The main attribute that affects the size of a cookie is the length of the requested URL. Some of the system generated URLs for ADF applications are quite long and can cause the cookie to exceed the maximum size. Another case is when using custom plug-ins. The data that a plug-in adds to the authentication context is persisted in the cookie and can cause the cookie size to grow. Multiple wrong password attempts can also add more context data to the cookie. Combined with one of the above cases, the cookie size can rapidly grow. Solutions Ensure that your applications do not use URLs that exceed the length that Access Manager and the browser can handle. E-8 Administrator's Guide for Oracle Access Management Authentication Issues The cookie cache mode can be changed to FORM mode from default COOKIE mode. FORM mode works with long URLs. The only difference in behavior is for programmatic authentication, which requires a proper form Submit to pass the OAM_REQ parameter set to the form. Custom credential collection pages need to handle the OAM_REQ parameter that is submitted with the form. Also, to support long URLs, set the serverRequestCacheType parameter to FORM in oam-config.xml under $DOMAIN_HOME/config/fmwconfig/oam-config.xml: FORM E.9 Authentication Issues This section provides the following information: ■ Anonymous Authentication Issues ■ X.509Scheme and SSL Handshake Issues ■ X.509 Protected Resource and Single Sign Off ■ X509CredentialExtractor Certificate Validation Error E.9.1 Anonymous Authentication Issues Problem Challenge Redirect URL can be NULL; however, Challenge Method cannot be NULL. If you open the Anonymous authentication scheme to edit, and click Apply without adding a value for Challenge method, the following errors might appear: Messages for this page are listed below. * Challenge Method You must make at least one selection. * Challenge Redirect You must enter a value. Solution You must include both a challenge method and a challenge redirect whenever you edit an anonymous authentication scheme. E.9.2 X.509Scheme and SSL Handshake Issues The Access Manager X.509 Authentication Scheme relies on SSL to deliver the user's X.509 certificate to the OAM Server. The X.509 Authentication Scheme requires the X.509Plugin as the value of the Challenge Method (not the Authentication Module). Problem User has selected his certificate in the Browser but the Certificate is not available to the OAM Server. Solution The specific solution will depend on the reason for the SSL Handshake failure. For instance: Troubleshooting E-9 Authentication Issues ■ ■ For debugging SSL connections terminating on the Weblogic Server, please refer to http://docs.oracle.com/cd/E12840_01/wls/docs103/secmanage/ssl.html For debugging SSL connections terminating on the OHS server, see http://docs.oracle.com/cd/E12839_01/web.1111/e10144/under_ mods.htm#i1007687. Determine the reason for the SSL Handshake failure and the peer that is terminating the SSL Handshake. The solution will fall into the following categories: ■ Configuration Issues ■ Trust Issues ■ Certificate Validation Issues E.9.2.1 Configuration Issues If you are encountering problems establishing a SSL connection with the default WebLogic server SSL implementation, switch to using the JSSE SSL implementation which is supported with WLS 10.3.3+. The following list identifies other possible configuration issues. ■ OHS plugin is incorrectly configured and not sending the user certificate to the WebLogic server. ■ Cipher suites: As configured, are not compatible with the user certificate. ■ Smart cards: The browser is not communicating with the smart card reader. ■ PKCS#11 (or hardware cryptography): Ensure that the devices are in working order. E.9.2.2 Trust Issues The server name within the certificate does not match the host name. This check can be disabled through configuration. The server does not contain a CA certificate on the user certificate path in its trust store. E.9.2.3 Certificate Validation Issues The following list identifies possible configuration issues. ■ Certificate has expired. ■ Certificate has been revoked. ■ Certificate validation is not working because this is incorrectly configured or there are connectivity issues. E.9.3 X.509 Protected Resource and Single Sign Off Problem Single Sign Off might not work after accessing the resource with X.509 authentication. When the user is logged out with the logout URL and tries to access the resource in the same browser, authentication might not occur. Instead, the user should be asked for authentication using the certificate pop up. This can occur with any Agent type. E-10 Administrator's Guide for Oracle Access Management Authorization Issues Solution After executing the logout URL, click on Clear SSL State from the browser as follows, and the access the X.509-protected resource: From the browser window, open the Tools menu, click Internet Options, choose Content, and then Clear SSL state. E.9.4 X509CredentialExtractor Certificate Validation Error Problem Client certificate authentication works fine using the standard X509 Authentication Module after importing the root and sub CA certificates into the WebLogic Server and .oamkeystore keystores. However, a certificate validation error can occur when using a Custom X509Plugin Authentication Module and root and sub CA certificates into the WebLogic Server and .oamkeystore keystores. Solution With the Custom X509Plugin Authentication Module the root and sub CA certificates must be added to the DOMAIN_HOME/config/fmwconfig/amtruststore because the X509CredentialExtractor plug-in loads certificates from this location. E.10 Authorization Issues This section provides the following topics: ■ Authorization Condition Error ■ LDAP Search Filter Test Results ■ Authorization Header Response Names E.10.1 Authorization Condition Error An error is logged in the oam-server diagnostic log file whenever you create or edit an IPv4 range or temporal condition: .... refreshPolicy specified but no response collector supplied Cause This is a message that is erroneously being logged at the ERROR level. Solution The correct level of the message is INFO. E.10.2 LDAP Search Filter Test Results If too many results are returned, you are informed as follows: Troubleshooting E-11 Cannot Access Authentication LDAP or Database Solution 1. Click OK. 2. Click Test Filter to initiate a new test. 3. In the Edit Search Filter dialog, make your changes. 4. Check the Test Results. E.10.3 Authorization Header Response Names Some characters might not be usable within header response names or values, depending on whether the client receiving these responses is a Webgate, and if so which Web server is protected. Certain characters might be subject to automatic conversion to other characters in a server-specific way. Oracle recommends that you refer to your Web server documentation for more details. E.11 Cannot Access Authentication LDAP or Database If the LDAP directory that is used for authentication is down or inaccessible (or the database that is configured as the policy store), it might be due to a heavy load or a timeout. You see a message when attempting to a protected resource that uses this LDAP or policy store. Solution 1. Manually shut down the registered LDAP or database. 2. Restart the registered LDAP or database. E.12 Cannot Find Configuration E.12.1 Configuration Does Not Exist ... If you attempt to create and apply configuration details for an OAM Server before configuring the OAM Server in the WebLogic Server domain, a message informs you of the following: Configuration does not exist for path /DeployedComponent/Server/oamServer/Instance/test For more information, please see the server's error log for an entry beginning with: Server Exception during PPR, #6. E-12 Administrator's Guide for Oracle Access Management Denial of Service Attacks To resolve this issue, you must configure the OAM Server in the WebLogic Server domain before you register the configuration with Access Manager. E.13 Co-existence Between OSSO and Access Manager Problem In the OSSO 10g coexistence with Access Manager 11g, if a user tries to access a protected resource when the OAM server is down, the request is redirected to the OSSO 10g login page through the load balancer. If the user enters valid credentials, the resource is provided. However, if the user deletes the Oracle HTTP Server cookie and brings the OSSO 10g server down (and brings the OAM Server up), upon accessing the protected resource the user is asked for Access Manager login (authentication). Instead, the application should be accessible without authentication. Solution Confirm that the migrated User Identity Store is set as the Access Manager Default Store and System Store. See Also: ■ ■ enableCoexistMode and disableCoexistMode in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management E.14 Could Not Find Partial Trigger In the Administration Server output, you might see a "Could Not Find Partial Trigger" error (multiple times for each clicked policy configuration node or host identifier node) and also when you click any of other nodes in the navigation tree. This does not block functionality. E.15 Denial of Service Attacks A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. One common method of attack involves saturating the target (victim) machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. Denial of service attacks are classified into Authenticated and Unauthenticated Requests, and further classified as: ■ NAP Requests ■ HTTP Requests Authenticated NAP Requests For Authenticated NAP Requests, the OAM Server maintains a counter in the session and limits the number of retries. Despite this, after redirecting the user to an error page the user can repeat the cycle. This needlessly consumes server resources and can lead to OAM Server overloading. Troubleshooting E-13 Denial of Service Attacks To avoid OAM Server overloading with Authenticated NAP Requests, use relevant WebLogic overload configuration settings. These ensure that the server does not crash under load. However, this does not differentiate legitimate users from malicious users. Note: Authenticated HTTP Requests You can handle a flood of HTTP Authenticated requests with a combination of WebLogic overload configuration and mod_security module settings. Unauthenticated NAP Requests Unauthenticated NAP Requests are handled by the WebLogic MDB pool throttling. This limits the number of NAP Requests that are forwarded to the OAM Server. Again, this does not differentiate legitimate users from malicious ones. Unauthenticated HTTP Requests Configuring the mod_security module for the OHS server that front-ends the OAM Server enables rejection of malicious requests (unauthenticated HTTP Requests). For more information, see: ■ Protecting the OAM Server from Crashing Under Load ■ Compensating for Network Latency ■ Protecting OAM Servers from a Flood of HTTP Requests E.15.1 Protecting the OAM Server from Crashing Under Load If the number of requests to the OAM Server unexpectedly increases beyond what the server can handle, it could crash. To limit the number of requests to the OAM Server: 1. In the WebLogic Console, use the Message Driven Bean pool to restrict the number of NAP requests to the OAM Server. MDBeans pull NAP requests from the Server queue and deliver NAP requests to the Server for processing. Limiting the number of MDBean instances helps control the number of requests that are processed at a given time. 2. In the WebLogic Console, configure the number of WebLogic worker threads that can be used (to restrict the number of requests to the OAM Server). MDBeans pull NAP requests from the server queue and deliver NAP requests to the Server for processing. Limiting the number of MDBean instances helps control the number of requests that are processed at a given time. 3. In the WebLogic Console, configure the number of WebLogic worker threads that can be used (to restrict the number of requests to the OAM Server). See the topic on Thread Management in the guide to Oracle Fusion Middleware Performance and Tuning for Oracle WebLogic Server. 4. In the WebLogic Console, specify a maximum incoming request size, complete message timeout, and set the number of file descriptors, to optimize performance as described in following topics in the Oracle Fusion Middleware Performance and Tuning for Oracle WebLogic Server: ■ Tuning Message Size E-14 Administrator's Guide for Oracle Access Management Deployments with Freshly Installed 10g Webgates ■ Tuning Complete Message Timeout ■ Tuning Number of File Descriptors E.15.2 Compensating for Network Latency Consider the scenario where Webgate sends an authentication request to the OAM Server. After successful credential collection and validation, the OAM Server creates the session and the relevant cookies (OAM_ID, ObSSOCookie). However, due to network latency, the response times out by the time the OAM Server sends it to the Webgate which triggers Webgate to re-send the authentication request to the Server. The OAM Server recognizes the session, then recreates the ObSSOCookie, and sends the response to the agent. If the network latency persists, the cycle continues in an infinite loop between the Server and the Webgate. The user is neither asked to login again nor presented with an error message. E.15.3 Protecting OAM Servers from a Flood of HTTP Requests ModSecurity is a Web application firewall (WAF) that can be deployed as part of the existing Apache-based Web server infrastructure. This module can be plugged into the OHS Server that front-ends the OAM Server. In this way, Mod_security module protects the OAM Server from denial of service attacks. A flexible rule engine is at the heart of ModSecurity. It implements the ModSecurity Rule Language, a specialized programming language designed to work with HTTP transaction data. A new configuration directive uses the httpd-guardian script to monitor for Denial of Service (DoS) attacks. By default httpd-guardian defends against clients that send more than 120 requests in a minute, or more than 360 requests in five minutes. See Also: http://www.modsecurity.org/documentation/modsecurity-apache/2 .5.12/html-multipage/configuration-directives.html#N10689 To protect from a flood of HTTP Requests 1. Add the mod_security module to the OHS Server that front-ends the OAM Server. 2. In the OHS Server configuration, set the configuration directive to use the httpd-guardian script to monitor for Denial of Service (DoS) attacks. Syntax: SecGuardianLog |/path/to/httpd-guardian Example: SecGuardianLog |/usr/local/apache/bin/httpd-guardian E.16 Deployments with Freshly Installed 10g Webgates Use the OAM Server's diagnostic features to debug on the OAM Server side. This section includes the following topics: ■ Authentication Issues with 10g Webgates ■ Logout Issues with 10g Webgates Troubleshooting E-15 Diagnosing Initialization and Performance Issues See Also: Chapter 27, "Configuring Centralized Logout for Sessions Involving 11g WebGates" E.16.1 Authentication Issues with 10g Webgates Use the following methods to troubleshoot authentication issues when you have freshly installed 10g Webgates in your Access Manager deployment. ■ ■ Confirm that your request was protected using an http header trace like Internet Explorer HTTP Headers or Firefox Live HTTP Headers Confirm that the request is sent to the OAM Server for authentication – GET /oam/server/obrareq.cgi?.... – Host: oam-server:port E.16.2 Logout Issues with 10g Webgates Use the following methods to troubleshoot logout issues when you have freshly installed 10g Webgates in your Access Manager deployment. ■ ■ ■ Make liberal use of HTTP Header Trace Confirm that the specific logout.html was copied to /access/oamsso folder in the 10g Webgate installation directory. If not present, you must create the logout.html as described in "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers" on page 30-22. Change the 10g Webgate's httpd.conf to remove the following lines: Satisfy any ■ From the Oracle Access Management Console, confirm that the LogoutUrls parameter (/oamsso/logout.html) is configured for this Webgate E.17 Diagnosing Initialization and Performance Issues This section includes the following topics: ■ Diagnosing an Initialization Issue ■ Diagnosing a Performance Issue ■ Diagnosing Out-of-Memory Issues With a Heap Dump E.17.1 Diagnosing an Initialization Issue Problem OAM Server does not start up. Solution 1. Locate and review the OAM Server log file on the computer hosting the OAM Server. DOMAIN_HOME/servers/SERVER-NAME/logs/SERVER-NAME-diagnostics.log E-16 Administrator's Guide for Oracle Access Management Diagnosing Initialization and Performance Issues 2. Enable logging for this computer, as described in Chapter 7, "Logging Component Event Messages": DOMAIN_HOME/config/fmwconfig/servers/SERVER-NAME/logging.xml 3. Restart the OAM Server, observe the behavior, check the log file again if needed. E.17.2 Diagnosing a Performance Issue Problem Monitoring the OAM Server reveals a significant spike in latency during authentication. Solution 1. Locate and review the OAM Server log file on the computer hosting the OAM Server. DOMAIN_HOME/servers/SERVER-NAME/logs/SERVER-NAME-diagnostics.log 2. Enable logging for this computer, as described in Chapter 7, "Logging Component Event Messages": DOMAIN_HOME/config/fmwconfig/servers/SERVER-NAME/logging.xml 3. Restart the OAM Server, observe the behavior, check the log file again if needed. E.17.3 Diagnosing Out-of-Memory Issues With a Heap Dump Problem Debugging for all expression parsing and evaluation produced a significant performance drag within ~20 hours due to memory growth; running out of memory in ~50 hours. Configuration: 2GB heap; 3 minute session timeout; jdbc connections tuned min=32 max=200; jdbc connection idle timeout disabled; jbo pool size min = 10 & max=150 Solution To generate heap-dumps for comparison, you use the following command-line tools jmap for Sun jvm or jrcmd for jrockit jvm located under JAVA_HOME/bin. For jrockit jvm jrcmd pid /jrockit_160_14_R27.6.5-32/bin/jrcmd 16775 heap_diagnostics /jrockit_160_14_R27.6.5-32/bin/jrcmd 16775 print_threads /jrockit_160_14_R27.6.5-32/bin/jrcmd 16775 jrarecording .... For Sun jvm jmap -histo jmap -dump:live,format=b,file=heap.bin Troubleshooting E-17 Disabling Windows Challenge/Response Authentication on IIS Web Servers E.18 Disabling Windows Challenge/Response Authentication on IIS Web Servers The IIS Web server on Windows supports Challenge/Response Authentication, which defaults to On when IIS is installed. This enables users to use their domain log-ins when requesting resources from IIS and can conflict with Access Manager's authentication. For example, on the first request from an Internet Explorer (IE) browser to a resource on IIS protected by Access Manager with a basic authentication scheme, IE displays a login dialog box requesting a domain along with the user name and password login provided by Access Manager. To disable Windows challenge/response authentication 1. Launch the Microsoft Management Console for IIS. 2. Select the Web Server Host under Internet Information Server in the left hand panel. 3. Right click and select Properties. 4. Scroll down and select Edit the Master Properties for WWW Service. 5. Select the Directory Security tab. 6. Select Edit Anonymous Access and Authentication Control. 7. Complete the appropriate step for your platform: Windows 2000: Clear the Integrate Windows Authentication box. 8. Click OK. 9. In the Windows IIS properties screen, click OK. 10. Close the Microsoft Management Console. E.19 Changing UserIdentityStore1 Type Can Lock Out Administrators An Identity Store that is designated as the System Store should not be edited to change the store type (from Embedded LDAP to OID, for instance) nor the connection URLs. If you do need to change the Identity Store that is designated as the System Store should not be edited to change the store type, Oracle recommends that you create a new Identity Store and then edit that registration to mark it as your System Store. E.20 IIS Web Server Issues The following topics are provided to assist you: ■ Form Authentication or Pass-Through Not Working ■ IIS and General Web Component Guidelines ■ Issues with IIS v6 Web Servers ■ Page Cannot Be Displayed Error ■ Removing and Reinstalling IIS DLLs E-18 Administrator's Guide for Oracle Access Management IIS Web Server Issues E.20.1 Form Authentication or Pass-Through Not Working If form authentication or pass-through functionality is not working, the problem might be that either "UseWebGateExtForPassthrough" parameter is not set to true in the Webgate profile or that webgate.dll is not configured as Wild Card Application Mapping in IIS. In such cases, Webgate does not perform authentication or authorization for HTTP "POST" requests for the resources protected by form-based authentication. Solution: Confirm that the UseWebGateExtForPassthrough parameter is configured in the Webgate profile with a value of true and that webgate.dll is configured as Wild Card Application Mapping. E.20.2 IIS and General Web Component Guidelines Following are some general guidelines to follow when installing Access Manager Webgates with IIS Web servers. Account Privileges: The account that performs Access Manager installation must have administration privileges. The user account that is used to run OAM services must have the "Log on as a service" right, which can be set by selecting Administrative Tools, Local Policy, Local Policies, User Rights Assignments, Log on as a service. IIS 6 Web Servers: You must run the WWW service in IIS 5.0 isolation mode. This is required by the ISAPI postgate filter. During Access Manager installation, this is usually set automatically. If it is not, you must set it manually for the Default Web site. Webgate for IIS 7 Web Server: To use Form-based authentication without enabling pass through functionality (for example, "access/oblix/apps/webgate/bin/webgate.dll" is an action in the Form-based authentication scheme), ensure that the entry "" is not present in the applicationHost.config file. If the entry is present, you must remove it. Use the following steps to check this entry: ■ ■ Go to Windows\System32\inetsrv\config and open the file applicationHost.config. Search for the module and remove the entry if it is present. Webgate: When installing IIS Webgates, setting various permissions for the /access directory is required for IIS Webgates only when you are installing on a file system that supports NTFS. For example, suppose you install the ISAPI Webgate in Simple or Cert mode on a Windows 2000 computer running the FAT32 file system. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored. E.20.3 Issues with IIS v6 Web Servers On IIS 6 Web servers only, you must run the WWW service in IIS 5.0 isolation mode, which is a requirement of the ISAPI postgate filter. This scenario will work if you have 32-bit Access Manager binaries running on a 32-bit Windows operating system. However, there is an issue if you attempt to run a 32-bit postgate.dll on a 64-bit Windows machine with IIS running in 32-bit mode. Problem When running IIS in IIS5.0 isolation mode, you see the following message: "ISAPI Filter 'C:\webgate\access\oblix\apps\webgate\bin\webgate.dll' could not be loaded due to a configuration problem. Troubleshooting E-19 IIS Web Server Issues Cause The current configuration only supports loading images built for an AMD 64-bit processor architecture. The data field contains the error number. Solution To learn more about this issue, including how to troubleshoot this kind of processor architecture mismatch error, see the following Web site: http://go.microsoft.com/fwlink/?LinkId=29349 For more information, see Help and Support Center at: http://go.microsoft.com/fwlink/events.asp Problem IIS5 never existed as 64-bit. However, IIS v6's IIS5 Compatibility Mode on 64-bit Windows computers only runs as 64-bit. Cause It is architecturally impossible run IIS5 Isolation Mode 32- bit on 64-bit Windows, as described in documentation available through the following URLs: http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.pu blic.inetserver.iis&tid=5dd07102-8896-40cc-86cb-809060fa9426&cat=en_US_ 02ceb021-bb43-476d-8f8f-6c00a363ccf5&lang=en&cr=US&p=1 http://blogs.msdn.com/david.wang/archive/2005/12/14/HOWTO-Diagnose-one-cause-of-W3 SVC-failing-to-start-with-Win32-Error-193-on-64bit-Windows.aspx E.20.4 Page Cannot Be Displayed Error A "The page cannot be displayed" error that appears after configuring Webgate for pass-through functionality, indicates a configuration issue. Solution: Confirm that the UseWebGateExtForPassthrough parameter is configured in the Webgate profile with a value of true and that webgate.dll is configured as Wild Card Application Mapping. E.20.5 Removing and Reinstalling IIS DLLs When Access Manager is running with Microsoft's IIS Web server, you must manually uninstall and reinstall the following ISAPI filters when reinstalling Access Manager. ■ tranfilter.dll ■ oblixlock.dll (if you installed Webgate) ■ webgate.dll (if you installed Webgate) To remove and reinstall IIS DLLs 1. Uninstall Access Manager. 2. Manually uninstall the preceding DLLs. 3. Reinstall Access Manager.Active Directory. 4. Manually reinstall the DLLs. E-20 Administrator's Guide for Oracle Access Management Internationalization, Languages, and Translation These filters can change depending on the version of IIS you are using. If these filters do not exist or there are others present, contact Oracle to determine if the filters that are present need to be removed. Note: E.21 Import and File Upload Limits The UPLOAD_MAX_MEMORY and UPLOAD_MAX_DISK_SPACE is set to "50mb". To upload more than 50mb, manually change these settings in web.xml. To reset the memory and disk space parameters 1. Locate web.xml in WEB-INF/lib/ngam-ui.war. 2. Edit the file to change UPLOAD_MAX_MEMORY. For example: org.apache.myfaces.trinidad.UPLOAD_MAX_MEMORY 104857600 3. Edit the file to change UPLOAD_MAX_DISK_SPACE. For example: org.apache.myfaces.trinidad.UPLOAD_MAX_DISK_SPACE 104857600 4. Save the file. 5. Restart the OAM Server. See Also: "Providing File Upload Capability" in the Oracle Application Development Framework Developer's Guide. E.22 jps Logger Class Instantiation Warning is Logged on Authentication A jps logger class instantiation warning is might appear on the back end upon authentication. However, this is a harmless warning and no action is required. E.23 Internationalization, Languages, and Translation This section provides the following topics: ■ Automatically Generated Descriptions Are Not Translated ■ Console Looks Messy ■ Authentication Fails: Users with Non-ASCII Characters ■ Access Tester Does Not Work with Non-ASCII Agent Names ■ Locales, Languages, and Oracle Access Management Console Login Page Troubleshooting E-21 Internationalization, Languages, and Translation E.23.1 Automatically Generated Descriptions Are Not Translated The automatically generated Description for some components are not translated. This is expected and enables Administrators to change the Description to whatever they require. Following such a change, translation by Oracle is not possible. E.23.2 Console Looks Messy The Oracle Access Management Console displays policies and resources oddly when the input configuration file for remote registration is not in UTF-8 format or when the OAM Server is not started in UTF-8 locale (en_US.utf8, for instance). Be sure to use UTF-8 encoding if creating a configuration file for the remote registration tool, oamreg, to generate authentication policies and protected resources. Also, be sure to start OAM Server in UTF-8 locale machines. Otherwise, the Oracle Access Management Console might display policies and resources oddly following successful inband registration. E.23.3 Authentication Fails: Users with Non-ASCII Characters Configure Access Manager to use Kerberos Authentication Scheme with WNA challenge method, and create a non-ASCII user in Microsoft Active Directory. Problem An exception occurs when trying to get user details to populate the subject with the user DN and GUID attributes. Authentication fails and an error is recorded in the OAM Server log when a non-ASCII user in Active Directory attempts to access an Access Manager-protected resource: ... Failure getting users by attribute : cn, value .... Cause The username in the attribute is passed without modification as a java string. Solution Non-ASCII users can access the resource protected by Kerberos WNA scheme now by applying this JVM system property (for the built-in WebLogic SPNEGO support): -Dsun.security.krb5.msinterop.kstring=true E.23.4 Access Tester Does Not Work with Non-ASCII Agent Names Register a Webgate with Access Manager using a non-ASCII name. In the Access Tester, enter the valid IP Address, Port, and Agent ID (non-ASCII name), then click Connect. Connection testing fails. E.23.5 Locales, Languages, and Oracle Access Management Console Login Page When the browser locale is not supported, the Oracle Access Management Console Login page shows as server locale. It should fall back to English. This is the expected behavior: ■ If the client Locale is not supported, Oracle Access Management falls back to the server locale. E-22 Administrator's Guide for Oracle Access Management OAM Metric Persistence Timer IllegalStateException: SafeCluster ■ If the server locale is not supported, Oracle Access Management falls back to English. When users select an unsupported language and come to the Access Manager SSO page, it shows as server locale (German, for example). However, after logging in, all the pages are displayed as English. To fall back to English Disable the Access Manager SSO page and the original Access Manager login page also falls back to English. E.24 Login Failure for a Protected Page Problem After installing OAM and protecting a page using a physical host and port, register the application using the OHS physical host and port. Login fails to prompt the user for credentials when accessing the protected page. The log file shows that the URL is re-directed to a Virtual Host despite the fact that all configuration and registration is setup correctly. Solution Remove any Virtual Host Directives from httpd.conf when protecting a page using the Oracle HTTP Server (OHS) physical host and port. E.25 OAM Metric Persistence Timer IllegalStateException: SafeCluster Problem After using the WebLogic Configuration Wizard to create an OAM Server cluster on two computers, and starting AdminServer, all servers start up properly. After shut down, a third server is added using the WebLogic Server Administration Console to create a new managed server and add it to the cluster. The third server goes into Running mode when started, with some exceptions in the start up log. ... Exception in thread "OAM Metric Persistence Timer" Solution in addition to the actions in the WebLogic Administration Console, you must register the server using the Oracle Access Management Console to ensure that the server can identify itself. When adding and registering a second server instance for the same computer, all port numbers must differ: OAM Proxy port; the "port" that must match the one in the WebLogic Server Console; and the Coherence port. Note: For server registration details, see "Managing Individual OAM Server Registrations" on page 6-5. Troubleshooting E-23 Partial Cluster Failure and Intermittent Login and Logout Failures E.26 Partial Cluster Failure and Intermittent Login and Logout Failures Problem In the event of a partial outage of Access Manager (on some, but not all instances of the cluster), end users might see intermittent login and logout failures. Workarounds 1. Remove OHS from the deployment 2. Configure the OHS cluster such that each OHS instance is pinned to a WebLogic Server instance. 3. The WebLogic Server container with the malfunctioning Access Manager application must be removed from service (shutdown) and brought back up upon recovery. E.27 RSA SecurID Issues and Logs Each OAM SecurID Server must be registered as a separate agent with the RSA Authentication Manager. This provisions the OAM SecurID Server with its own node secret file. Every OAM SecurID Server must have its configuration file stored under $DOMAIN_HOME/config/fmwconfig/servers/$SERVER_NAME/oam. If the RSA SecurID authentication plug-in returns an error, it is logged in the OAM Server log. Web Server logs can also provide clues as to what might be going wrong. Be sure the enable logging on your Web server. If communication has been established between the Access Server and Authentication Manager, the sdadmin tool provides access to logs under the Report menu. Both Activity and Exception reports may give you helpful information. Verify Authentication Manager Logging Configuration and Reports 1. Confirm that you have added the user and assigned a token using the Authentication Manager Administrator tool, sdadmin. 2. Verify that you have copied the sdconf.rec file to the OAM Server. 3. In the Authentication Manager console, Report menu, open Activity and Exception reports for helpful information. Check SecurID Plug-In Parameters with Modified HTML Fields If you have modified the HTML field names in the HTML forms, ensure that the RSA SecurID plug-in parameters are configured to match. Remove the @ character From any Login Attribute Value User login can fail if there is an at-sign (@) in the login attribute value. This is a known issue with SecurID. E-24 Administrator's Guide for Oracle Access Management SELinux Issues E.28 Registration Issues Problem: Remote Registration Tool Failure Solution Ensure that the agent name is unique (does not already exist) and that the AdminServer is running. Problem: No ObAccessClient.xml File Generated Solution Protected and public resources must be described as relative URLs of the format '/index.html'. If the resource does not begin with a '/', no ObAccessClient.xml file will be generated.Verify the protected and public resource URLs and ensure all begin with a "/". For more information, see "About the Resource URL, Prefixes, and Patterns" on page 25-18. Problem: Partner Registration Failure Partner registration can fail if you do not supply a unique agent name, which is also used to create an Application Domain. The agent name and Application Domain name must be the same and must be unique. Using the oamreg validate command can fail when the agent name does not match the Application Domain name. Solution Ensure that the agent name and Application Domain name are the same. E.29 Rowkey does not have any primary key attributes Error While browsing across the Resources table in the Resource Type tab the following error message is logged: @ @ This is harmless and does not hinder any functionality. E.30 SELinux Issues Delivered with Oracle Enterprise Linux, SELinux modifications provide a variety of policies through the use of Linux Security Modules (LSM) within the Linux kernel. SELinux requires performing additional steps after installing Access Manager Webgates and before starting the associated Web server. Problem The following errors could be reported in logs/console when starting a Web server on Linux distributions that have more strict SELinux policies in place (after installing an Webgate): 11g Webgate $Webgate_OH/webgate/ohs/lib/webgate.so: cannot restore segment prot after reloc: Permission denied. Troubleshooting E-25 Session Issues 10g Webgate $Webgate_install_dir/access/oblix/apps/webgate/bin/webgate.so: cannot restore segment prot after reloc: Permission denied. Cause These errors are reported due to Secure Linux security context policies on files. Solution To avoid these errors and start the Web server, run following chcon commands to change the security context on files after installing each Access Manager Web component and before restarting the associated Web server. For more information on the chcon command, see your Linux documentation. 1. Run chcon -t texrel_shlib_t PATH_TO_LIBWEBPLUGINS.SO. For example: chcon -t texrel_shlib_t ... and libxmlengine.so 2. /Webgate_install_dir/access/oblix/lib/webgate.so Run chcon -t texrel_shlib_t PATH_TO_LIBWEBGATE.SO. For example: chcon -t texrel_shlib_t bin/webgate.so /Webgate_install_dir/access/oblix/apps/webgate/ E.31 Session Issues This section provides the following details: ■ ■ Session Impersonation Not Enabled by Default Sessions with Oracle Access Manager 11.1.1 Integrated with Oracle Identity Federation 11.1.1 E.31.1 Session Impersonation Not Enabled by Default Session impersonation is not enabled by default. You can update the value in oam-config.xml, then update the version of oam-config.xml to automatically propagate the ImpersonationConfig status to all managed servers without a restart. To enable Session Impersonation 1. Back up DOMAIN_HOME/config/fmwconfig/oam-config.xml. 2. Set ImpersonationConfig to true: false 3. Configuration Version: Increment the Version xsd:integer as shown in the next to last line of this example (existing value (25, here) + 1): Example: 11.1.1.3 E-26 Administrator's Guide for Oracle Access Management Start Up Issues 25 4. Save oam-config.xml. E.31.2 Sessions with Oracle Access Manager 11.1.1 Integrated with Oracle Identity Federation 11.1.1 Expected Behavior: Oracle Identity Federation 11.1.1 session is not cleared When Oracle Access Manager 11.1.1 is integrated with Oracle Identity Federation 11.1.1, and you clear the session using the console, only the Oracle Access Manager session is cleared. The Oracle Identity Federation session is not cleared. E.32 SSL versus Open Communication If both the SSL and Open ports of the Managed Server are enabled, then the Managed Server is set to the SSL port by default. If you must use the non-ssl port, the credential collector URL the authentication scheme must be set to the absolute URL which points to 'http' as the protocol and non-ssl port. E.33 Start Up Issues Problem: AdminServer Startup (or Remote Registration Tool Failure) on AIX Platforms AdminServer start up fails with following message: "java.net.SocketException: No buffer space available". Configuration for the number of AIX file descriptors set for the operating system is substantially high (ulimit file descriptor) resulting in a buffer overflow that causes remote registration failure with the following message: The ulimit value is application dependent and applies exclusively to application program data and the application stack. The default number of open files setting (2000) is typically sufficient for most applications. If the value is too low, errors might occur when opening files or establishing connections. Because this value limits the number of file descriptors that a server process might open, a value that is too low prevents optimum performance. For the AIX operating system, the default setting is 2000. Solution Increasing the ulimit file descriptor limits might improve performance. Increasing some of the other limits might be needed depending on your application. 1. Log in as root. 2. Perform the following steps to change the open file limit to 10,000 files: a. Open the command window. b. Locate and edit /etc/security/limits file to add the following lines to the user account on which the AdminServer process runs: nofiles = 10000 Troubleshooting E-27 Synchronizing OAM Server Clocks nofiles_hard = 10000 c. 3. Save the file and restart AIX. In a command window, decrease the TCP_TIMEWAIT interval with the following command to set the state to 15 seconds (which allows TCP to release closed connections faster and increases the number of available resources for open connections). /usr/sbin/no –o tcp_timewait =1 4. Tune the following parameters to 256k, as shown: no -a |grep space tcp_recvspace tcp_sendspace udp_recvspace udp_sendspace 5. = = = = 262144 262144 262144 262144 Tune the following parameters as indicated here: no -o rfc1323=1 no -o sb_max=4194304 Problem: Connection to OAM Server could not be established: Exception in connecting to server. Connection refused. Cause: This is normal and expected behavior for the Managed Server where the OAM Server runs because the IAMSuiteAgent agent is started before the OAM Server. The IAMSuiteAgent is deployed on every WebLogic container. When the WebLogic container starts, the agent tries to connect to the OAM Server. If it fails to connect, this message is logged and the agent tries to establish the connection in subsequent requests. When the agent is successful, this message is no longer displayed. Solution If the connection to the OAM Server is not successful, the IAMSuiteAgent falls back and the WebLogic container handles protection (including login), if it is configured. E.34 Synchronizing OAM Server Clocks The state of a session is the source of truth for relying parties. Synchronization of system clocks of the various Servers is required. The system clock of the relying party might be out of synchronization with the SME clock. If the relying party's clock is: ■ ■ Ahead of the session clock A relying party's request for authentication is made and the active sessionID is returned. Behind the session clock: Event notifications to the relying party help invalidate the session. For example, if a Web server clock is ahead of the server clock, a request sent from the Webgate to the OAM Server will contain a time that, to the OAM Server, has not yet occurred. This can cause login events to fail. When running in Simple or Cert mode, time stamps might become out of sync, or the client certificate might appear to be invalid. E-28 Administrator's Guide for Oracle Access Management Using Coherence To avoid event notification issues, ensure that all OAM Server clocks are synchronized to Time Services such as NIST internet time service. Note: For successful operation: ■ ■ Ensure all computer clocks are synchronized. There is no tolerance level. If, for example, the Webgate clock is even slightly ahead of the OAM Server clock, a cookie generated by the Webgate will appear to be in the future and can cause problems in the OAM Server. Confirm that the clock on each computer running a Webgate is not running ahead of the OAM Servers with which it is associated. The OAM Server must be ahead of the Webgate clock by a maximum of 60 seconds. E.35 Using Coherence Access Manager uses Oracle Coherence to replicate session states within a distributed installation. Coherence is used to communicate state changes between the Oracle Access Management Console and OAM Servers. Consider the following 2 distributed deployment topologies. Coherence relies on User Datagram Protocol (UDP) for cluster discovery and heartbeat. If a firewall exists between certain components of Access Manager, then the corresponding UDP ports used by Coherence must be open. Otherwise, Access Manager might not work correctly. For example, the UDP ports used by Coherence must be opened as follows: ■ ■ The Oracle Access Management Console is deployed within the intranet, and OAM Servers are deployed in the DMZ. In this case, the UDP ports used by Coherence must be opened on the firewall between the DMZ and the intranet. The Oracle Access Management Console and OAM Servers are deployed in different security zones of the DMZ, with firewalls between any two adjacent zones. In this case, the UDP ports used by Coherence must be opened on the firewall between the adjacent security zones, where one or more instances of Oracle Access Management Console and OAM Servers run. Access Manager 11g uses Oracle Coherence to provide a distributed cache with low-data access latencies and to transparently move data between distributed caches (and into the session store). Session data is redundant across these tiers. For example, when a session is created, it then exists within the local cache on the server that created it, the distributed cache, and (if enabled) within the session store database as well. For more information, see Chapter 16, "Maintaining Access Manager Sessions". WARNING: Oracle recommends that you do not modify Oracle Coherence settings unless requested to do so by an Oracle Support Representative. Whether you are viewing Oracle Coherence settings for an individual server instance or Oracle Coherence details that are common to all OAM Servers, Oracle recommends that you do not modify Oracle Coherence settings unless requested to do so by an Oracle Support Representative. Troubleshooting E-29 Validation Errors Oracle Coherence logging appears in the WebLogic Server log only. There is no bridge from Oracle Coherence logging to Access Manager logging. See Also: Oracle Coherence documentation. E.36 Validation Errors Problem: Resource not added to Authentication or Authorization Policy While creating an Authentication or Authorization Policy, if you add a resource that is already used in another Authentication or Authorization Policy, a validation error appears when you click Apply. This is expected. If you click OK in the error window and then attempt to add a valid resource that is not used within another Authentication or Authorization Policy, the resource is not added and the Authentication or Authorization Policy is not created. Solution 1. Click Apply and close the Authentication or Authorization Policy page. 2. From the navigation tree, click the named policy again, click the Edit to open the page, and add the new resource. Problem: Validation Failure - "description" attribute is not valid A validation error appears if you enter an optional description longer than 200 characters. Solution Keep optional descriptions to 200 characters in length and less than 10 lines. E.37 Web Server Issues The following issues with Web servers may arise: ■ Server Fails on an Apache Web Server ■ Apache v2 on HP-UX ■ Apache v2 Bundled with Red Hat Enterprise Linux 4 ■ Apache v2 Bundled with Security-Enhanced Linux ■ Apache v2 on UNIX with the mpm_worker_module for Webgate ■ Domino Web Server Issues ■ Errors, Loss of Access, and Unpredictable Behavior ■ Known Issues for ISA Web Server ■ Oracle HTTP Server Fails to Start with LinuxThreads ■ Oracle HTTP Server Webgate Fails to Initialize On Linux Red Hat 4 ■ Oracle HTTP Server Web Server Configuration File Issue ■ Issues with IIS v6 Web Servers ■ PCLOSE Error When Starting Sun Web Server ■ Removing and Reinstalling IIS DLLs E-30 Administrator's Guide for Oracle Access Management Web Server Issues E.37.1 Server Fails on an Apache Web Server Symptom: You are running an Apache Web server, and an OAM Server fails, displaying the following message: libthread panic: cannot create new lwp (PID: 9035 LWP 2). stackrace: ff3424cc 0 This symptom may be caused by the Apache Web server launching more instances of itself. This can happen when the server determines that more instances are needed to service the number of connections between one or more Webgates and the OAM Server. The additional instances create even more connections, which exceed the number of connections by the OAM Server. Solution: Reduce the number of MinSpareServers, MaxSpareServers, StartServers, and MaxClients parameters. Go to the OAM Server's configuration directory and open the http.d configuration file. Recommended parameter settings: ■ MinSpareServers 1 ■ MaxSpareServers 5 ■ StartServers 3 ■ MaxClients 5 E.37.2 Apache v2 on HP-UX When running Apache v2 on HP-UX, do not use nobody for User or Group, because shared memory may not work. Instead, use your login name as User Name with a your group as Group Name On HP-UX (on Solaris, "www" is equivalent to "nobody"). When running Apache v2 on HPUX 11.11, ensure that the AcceptMutex directive in the Apache httpd.conf file is set to "fcntl". If the directive is not present, add it to the httpd.conf file (AcceptMutex fcntl). For more information, see: http://issues.apache.org/bugzilla/show_bug.cgi?id=22484 E.37.3 Apache v2 Bundled with Red Hat Enterprise Linux 4 After installing a Webgate on vendor-bundled Apache, the Web server may give the following error upon startup: Error: Cannot load libgcc_s.so.1 library - Permission denied. Solution: Change the Security-Enhanced Linux (SELinux) policy rules for Access Manager Webgates as described in "Tuning Apache/IHS v2 Webgates for Access Manager" on page 31-27. E.37.4 Apache v2 Bundled with Security-Enhanced Linux Errors might be reported in WebServer logs/console when starting a Web server on Linux distributions, which have stricter SELinux policies in place, after installing an Access Manager Web component. You can avoid these errors by running appropriate chcon commands for the installed Web component before restarting the Web server. Troubleshooting E-31 Web Server Issues See Also: "SELinux Issues" on page E-25 E.37.5 Apache v2 on UNIX with the mpm_worker_module for Webgate The following item is required only if you compile Apache v2 for Webgate on UNIX with the mpm_worker_module. In this case, you need to modify the thread.c file from the Apache source for the UNIX environment. Making this change ensures that the default pthread stacksize for Webgate produces optimal performance during multi-threaded server implementation. If this change is not made, the default pthread stack size would not be sufficient for Webgate and could result in a crash. Apache 2.0 does not support the ThreadStackSize option. Therefore: ■ ■ With UNIX-based Apache v2.1 and later you must use the ThreadStackSize directive to set the size of the stack (for autodata) of threads that handle client connections and call modules to help process those connections. With UNIX-based Apache 2, it is best to use the compilable source while adding the mpm_worker_module and changing the thread.c file to avoid a stack overflow. The following procedure shows how to modify the Apache v2.0 thread.c file to provide the default pthread stacksize needed by Webgate for optimal performance during multi-threaded server implementation. For details about the Apache v2.1+ ThreadStackSize directive, see http://httpd.apache.org/docs/2.2/mod/mpm_ common.html#threadstacksize. The following procedure should be performed only for the Apache 2.0 Webgate. Otherwise, the default pthread stack size is not sufficient for the Webgate and could result in a crash. Note: To modify the Apache v2.0 thread.c file for Webgate in a UNIX environment 1. Locate the thread.c file. For example: APACHE 2.0.52 source/srclib/apr/threadproc/unix/thread.c 2. Locate the function named apr_threadattr_create(apr_threadattr_t **new,apr_ pool_t *pool) in the following code segment: **new,apr_pool_t *pool) in the following code segment: 1-----> apr_status_t stat; 2 3-----> (*new) = (apr_threadattr_t *)apr_pcalloc(pool, sizeof(apr_threadattr_ t)); 4-----> (*new)->attr = (pthread_attr_t *)apr_pcalloc(pool, sizeof(pthread_attr_ t)); 5 6-----> if ((*new) == NULL || (*new)->attr == NULL) { 7-----> return APR_ENOMEM; 8-----> } 9 10----->(*new)->pool = pool; 11----->stat = pthread_attr_init((*new)->attr); 12 13-----> if (stat == 0) { 14-----> return APR_SUCCESS; 15-----> } 16----->#ifdef PTHREAD_SETS_ERRNO 17----->stat = errno; 18----->#endif E-32 Administrator's Guide for Oracle Access Management Web Server Issues 19 20----->return stat; 21 3. Add the following code before line 13 shown earlier. int stacksize = 1 << 20; pthread_attr_setstacksize(&(*new)->attr, stacksize); 4. Run configure, make, and make install to set up the Apache Web server with the mpm_worker_module. E.37.6 Domino Web Server Issues Failure Authentication Event: For Domino Web servers, the redirection of a URL through Access Manager may not work if the authentication type is set as Basic Over LDAP and the URL to be redirected is mentioned as one of the following: Either a relative path present on the same Web server Or the Full path URL on the same Web server containing a computer name defined in the host identifier string combinations. To overcome a failure authentication event, you must set the redirected URL with a computer name that is not defined under the host identifier group. For example, the IP address of the computer. This problem does not occur with a form-based authentication type. Header Variables: It may not be possible to pass header variables other than REMOTE_USER to Webgates installed on Lotus Notes Domino Web servers when using Client Certificate authentication scheme. For example, header variables cannot be set on the one request where Client Certificate authentication occurs. However, all other requests do allow header variables to be set. For more information, see Chapter 34, "Configuring Lotus Domino Web Servers for 10g WebGates". E.37.7 Errors, Loss of Access, and Unpredictable Behavior Symptom: If you installed Access Manager on UNIX under a different user ID than you used to create your Web server instance, Access Manager can become unstable. Users may experience behavior such as: ■ Random bug report pages ■ Failure to write to log file errors ■ Loss of access to Web pages Solution: Change file permissions using the chown command. Change the Access Manager directory to the same user ID that you used to create your Web server instance. E.37.8 Known Issues for ISA Web Server Webgate uses ISAPI extension for displaying user deny error message and for displaying the diagnostic page. However, ISA 2006 does not support extensions. Therefore: Troubleshooting E-33 Web Server Issues ■ ■ If the user is denied access by Webgate, the user gets Page Cannot be displayed error message instead of Access Manager denied access error message. The following diagnostic URL does not work for ISA: http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1 for webgate. E.37.9 Oracle HTTP Server Fails to Start with LinuxThreads After installing a Webgate instance on an Oracle HTTP Server, the server does not start up. This occurs because Access Manager uses an older Linux threading model. Note: When running Access Manager, LinuxThreads is used by default. This requires setting the environment variable LD_ASSUME_ KERNEL to 2.4.19. If you are using NPTL with Access Manager, you do not set LD_ASSUME_KERNEL to 2.4.19.9 Solution: When using LinuxThreads mode, comment out the Perl module in the httpd.conf file, update the LD_ASSUME_KERNEL environment variable, and restart, as described in the following procedure. To resolve the failure to start Oracle HTTP Server in LinuxThreads mode 1. Comment out the perl module in the httpd.conf file in the following location: Oracle HTTP Server 11g: $ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf Oracle HTTP Server v2: OH$/ohs/conf/httpd.conf Oracle HTTP Server v1.3: OH$/Apache/Apache/conf/httpd.conf 2. To update the LD_ASSUME_KERNEL value, open the following file in a text editor: OH$/opmn/conf/opm.xml 3. Find the following line: Add the following information under the line you found in the previous step: 4. Save this file. 5. Run the following commands to implement your changes: opmnctl stopall opmnctl startall E.37.10 Oracle HTTP Server Webgate Fails to Initialize On Linux Red Hat 4 This situation might arise whether you are using Access Manager with LinuxThreads or NPTL. Symptom: Webgate fails to initialize when installed on an Oracle HTTP Server running Red Hat Enterprise Server version 4.0 with a kernel version lower than 2.6.9-34.EL. Version 2.6.9-34.EL is supplied with the Red Hat version 4, update 3. E-34 Administrator's Guide for Oracle Access Management Web Server Issues Solution: To prevent this problem, you must upgrade to Red Hat version 4, update 3 or higher. E.37.11 Oracle HTTP Server Web Server Configuration File Issue Problem With Oracle Application Server 10.1.x, OC4J, when the httpd.conf file is modified automatically during Webgate installation, it can be corrupted. Solution Before installing Webgate, run the following command to prevent the httpd.conf file from being overwritten. $ORACLE_HOME/dcm/bin/dcmctl updateConfig -ct ohs E.37.12 Issues with IIS v6 Web Servers On IIS 6 Web servers only, you must run the WWW service in IIS 5.0 isolation mode, which is a requirement of the ISAPI postgate filter. This scenario will work if you have 32-bit Access Manager binaries running on a 32-bit Windows operating system. However, there is an issue if you attempt to run a 32-bit postgate.dll on a 64-bit Windows machine with IIS running in 32-bit mode. Problem When running IIS in IIS5.0 isolation mode, you see the following message: "ISAPI Filter 'C:\webgate\access\oblix\apps\webgate\bin\webgate.dll' could not be loaded due to a configuration problem. Cause The current configuration only supports loading images built for an AMD 64-bit processor architecture. The data field contains the error number. Solution To learn more about this issue, including how to troubleshoot this kind of processor architecture mismatch error, see the following Web site: http://go.microsoft.com/fwlink/?LinkId=29349 For more information, see Help and Support Center at: http://go.microsoft.com/fwlink/events.asp Problem IIS5 never existed as 64-bit. However, IIS v6's IIS5 Compatibility Mode on 64-bit Windows computers only runs as 64-bit. Cause It is architecturally impossible run IIS5 Isolation Mode 32- bit on 64-bit Windows, as described in documentation available through the following URLs: http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.pu blic.inetserver.iis&tid=5dd07102-8896-40cc-86cb-809060fa9426&cat=en_US_ 02ceb021-bb43-476d-8f8f-6c00a363ccf5&lang=en&cr=US&p=1 Troubleshooting E-35 Windows Native Authentication http://blogs.msdn.com/david.wang/archive/2005/12/14/HOWTO-Diagnose-one-cause-of-W3 SVC-failing-to-start-with-Win32-Error-193-on-64bit-Windows.aspx E.37.13 PCLOSE Error When Starting Sun Web Server Symptom: When attempting to start the Sun Web server, you get an error like the following: Unable to start, PCLOSE Solution: A number of problems can cause this error: ■ A syntax error in your obj.conf file ■ Leading spaces in your obj.conf file ■ ■ Installing Access Manager as a different user ID than what you used to create your Web server instance A carriage return at the end of the obj.conf file E.37.14 Removing and Reinstalling IIS DLLs When Access Manager is running with Microsoft's IIS Web server, you must manually uninstall and reinstall the following ISAPI filters when reinstalling Access Manager. ■ tranfilter.dll ■ oblixlock.dll (if you installed Webgate) ■ webgate.dll (if you installed Webgate) To remove and reinstall IIS DLLs 1. Uninstall Access Manager. 2. Manually uninstall the preceding DLLs. 3. Reinstall Access Manager.Active Directory. 4. Manually reinstall the DLLs. These filters can change depending on the version of IIS you are using. If these filters do not exist or there are others present, contact Oracle to determine if the filters that are present need to be removed. Note: E.38 Windows Native Authentication Problem After setting up Windows Native Authentication, and accessing the WNA-protected page, the browser might give an error indicating that the user name and/or password are incorrect. Cause The Identity Store used by Oracle Access Management might not point to Windows Active Directory. By default, the identity store is Embedded LDAP. E-36 Administrator's Guide for Oracle Access Management Windows Native Authentication Solution 1. In the Oracle Access Management Console, review the identity store configuration: System Configuration, Data Sources, User Identity Store. 2. Confirm the LDAP store settings point to Active Directory. Troubleshooting E-37 Windows Native Authentication E-38 Administrator's Guide for Oracle Access Management
Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.6
Linearized                      : Yes
Author                          : Oracle Corporation
Create Date                     : 2015:08:26 08:45:46Z
Marked                          : True
Modify Date                     : 2015:08:26 08:59:37-06:00
Language                        : en
XMP Toolkit                     : Adobe XMP Core 5.2-c001 63.139439, 2010/10/03-12:08:50
Creator Tool                    : FrameMaker 10.0.2
Metadata Date                   : 2015:08:26 08:59:37-06:00
Producer                        : Acrobat Elements 9.0.0 (Windows)
Format                          : application/pdf
Title                           : aiaag.book
Creator                         : Oracle Corporation
Document ID                     : uuid:801a5672-252b-4526-945b-c99b0de970f0
Instance ID                     : uuid:29ce9386-2415-4135-bed2-93fe7017864c
Page Mode                       : UseOutlines
Page Count                      : 1662
EXIF Metadata provided by EXIF.tools

Navigation menu

Variable    Value
<%=servervar%>    <%=request.servervariables(servervar)%>