15 FAQ/Troubleshooting

This chapter provides troubleshooting tips and answers to frequently asked questions.

It contains the following sections:

• Universal Installation Option Proxy

• Virtual Authentication Devices

• Configurable Actions

• One-Time Password

• Man-in-the-Middle/Man-in-the-Browser

15.1 Universal Installation Option Proxy

Oracle Adaptive Access Manager Proxy for Microsoft ISA

To troubleshoot Proxy Web publishing issues:

• Ensure that the .NET2.0 framework is installed and enabled to successfully register the Bharosa Proxy DLL.

• Ensure the database access credentials are correct when the firewall logging properties in Microsoft ISA use SQL Database as the Log Storage Format.

• IP Exceptions are defined for Trusted IPs (like Router IP) when Flood Mitigation settings are enabled to mitigate flood attacks and worm propagation.

• Ensure that the default inbound and outbound rules allow HTTP/HTTPS traffic to be forwarded to/from OAAM server.

• Check the order (precedence) of the rules to ensure that the default rule, "deny," is not at a higher order; otherwise, it blocks all rules. If the rule is last in precedence, all rules are executed.

• In OAAM server rule you must ensure

  • The external IP/name is mapped to the internal IP/name

  • The external port is mapped to the internal port where OAAM server is listening

  • The /OAAM server path is published

To troubleshoot problems experienced while configuring the Oracle Adaptive Access Manager Proxy, enable tracing to file and set the trace level to 0x8008f. This will print detailed interceptor evaluation and execution information to the log file.

Oracle Adaptive Access Manager Proxy for Apache

Tips to troubleshoot problems with the Oracle Adaptive Access Manager Proxy for Apache are listed in this section.

• On launching httpd, an error for loading mod_uio.so occurs. Ensure that mod_uio.so and all the libraries are placed in the proper directories. On Linux, use the 'ldd' command to confirm that mod_uio.so can load all the dynamic libraries that it depends upon. On Windows, use Dependency Walker to find out any missing DLLs and in some cases, you may have to install the "Microsoft Visual C++ 2005 Redistributable Package" from the Microsoft Web site, if your server does not have these libraries pre-installed.

• If nothing is working- no logs and so on, ensure that the user of httpd has permissions to read the uio directory. Typically httpd is run as a daemon user. Ensure the daemon user has write permissions for the logs directory.

• In case of a parsing error in UIO_Settings.xml or any configuration XML, an error log will be created in httpd's logs directory with the name UIO_Settings.xml.log.

• For errors, look in uio.log. Use log level of error for production use; info for more details; debug for debugging issues and trace for verbose logs.

• Ensure that the config XML and settings XML are conforming to the RNG schema. You can use the UIO_Settings.rng and UIO_Config.rng in any XML editor to edit the UIO_Settings.xml and application configuration XML files.

• You can change the Apache httpd log level to debug for testing, or keep it at info to reduce log file size. The Apache httpd log is separate from Oracle Adaptive Access Manager Proxy for Apache log.

• When migrating ISA config XML to be used with the Apache Universal Installation Option Proxy, you need to do the following:

  1. Change the header of the XML file to use

     <?xml version="1.0" encoding="utf-8"?><BharosaProxyConfig xmlns="http://bharosa.com/">
     

  2. Run your config XML file through libxml2's xmllint utility.

     For Windows, download the latest libxml2-2.x.x.win32.zip file from

     http://www.zlatkovic.com/pub/libxml

     and unzip it.

     For Linux, if you have libxml2 installed then xmllint command should be available, or check with your Linux System Administrator.

     Copy the UIO_Config.rng file from the Apache Universal Installation Option distribution and run following command:

     xmllint --noout --relaxng UIO_Config.rng <your config xml file>
     

     And fix any errors that are reported.

• The Oracle Adaptive Access Manager Proxy for Apache is not working or intercepting request.

  Problem: The following error appears:

  Failed to create session in memcached, err = 70015(Could not find specified socket in poll list.) proxy - Failed to create session, cannot process this request distsessions - memcache server localhost create failed 111 
  

  Possible Solutions:

  • Make sure "memcache" is installed and configured.

  • Make sure "memcache" process is up and running before creating the session.

Oracle Adaptive Access Manager Debug Mode

In debug mode, the value of any variable--username, password, and any other information--is not displayed. In capture mode, the HTTP traffic is shown. Therefore, capture mode is not recommended in production.

In-Session/Transaction Analysis

The Oracle Adaptive Access Manager proxy is a solution for login security only. It does not support in-session capabilities. Options are provided below based on possible requirements:

• If you are using a packaged application you do not have access to alter/integrate with, the Oracle Adaptive Access Manager Proxy or Oracle Access Manager are options for real-time/in-line use cases like anti-malware, anti-phishing, risk-based authentication in the login flow.

• If you have the ability to integrate with the application and require in-session/transactional use cases, then consider native integration. This is the most flexible option for this case.

• If you want in-session/transactional use cases but do not have the ability to integrate with the application, a custom option could potentially be possible using either Oracle Adaptive Access Manager offline 10g or Oracle Adaptive Access Manager with a listener.

15.2 Virtual Authentication Devices

Accessible Versions of the Virtual Authentication Devices

Question/Problem: Users who access using assistive techniques need to use the accessible versions of the virtual authentication devices. How do I enable these versions?

Answer/Solution: Accessible versions of the TextPad, QuestionPad, KeyPad and PinPad are not enabled by default. If accessible versions are needed in a deployment, they can be enabled using the Properties Editor in OAAM Admin or using the Oracle Adaptive Access Manager extensions shared library.

The accessible versions of the virtual authentication devices contain tabbing, directions and ALT text necessary for navigation via the screen reader and other assistive technologies.

To enable these versions, set the "is ADA compliant" flag to true.

For native integration the property to control the virtual authentication device is

desertref.authentipad.isADACompliant

For Oracle Adaptive Access Manager out-of-the-box, the property to control the virtual authentication device is

bharosa.uio.default.authentipad.is_ada_compliant

Visible Text Input or Password (Non-Visible) Input Setting

Question/Problem: How can I configure QuestionPad so that challenge answers can be enter as non-visible text?

Answer/Solution: Add the following property to client_resource_<locale>.properties. This property determines whether the QuestionPad is set for visible text input or password (non-visible) input.

bharosa.authentipad.questionpad.datafield.input.type

Valid values are text and password.

KeyPad or PinPad for KBA challenges?

Question/Problem: Can I use KeyPad or PinPad for KBA challenges?

Answer/Solution: KBA is designed for use with QuestionPad or plain HTML. Using KeyPad or PinPad is not recommended because KBA questions are not presented in that scenario.

How can the virtual authentication devices protect users from screen capture malware?

Question/Problem: How can virtual authentication devices protect users from screen capture malware?

Answer/Solution: These attacks currently require a manual process. An individual must look at the video or images captured to figure out the PIN or password. The virtual devices are primarily aimed at preventing automated attacks that affect large numbers of customers. If the Trojan did include OCR technology, finding the characters clicked on KeyPad and PinPad would be more difficult to read than other types of onscreen keyboards since Oracle Adaptive Access Manager keys are translucent so that background image can be seen and the font and key shapes can be randomized each session.

Also, the jitter would complicate the task. The virtual authentication devices are a good mix of security and usability for large scale deployments that want to keep the authentication already used and layer more security on top of it. Even if there were malware developed that is capable of deciphering the password, it does not necessarily cause fraud to occur. The virtual authentication devices are only one component of the full solution. Even if a fraudster has the PIN or password, he will have to pass the real-time behavioral/event/transactional analysis and secondary authentication. Oracle Adaptive Access Manager tracks, profiles and evaluates users/devices/locations activity in real-time regardless of authentication. Oracle Adaptive Access Manager takes proactive action to prevent fraud when it detects high risk situations. In this way, fraud could be prevented even if the standard form of authentication (password/PIN/etc.) is removed from the applications

KeyPad Troubleshooting

Question/Problem: I am having trouble with KeyPad. How should I troubleshoot the problem?

Answer/Solution: Refer to the following list:

KeyPad does not display.

• Check the property:

  bharosa.authentipad.image.url=kbimage?action=kbimage&
  

• Make certain that the client application is pointing to the correct server application.

Buttons stop jittering.

• Someone has changed the KeyPad settings. Check with your server personnel regarding property modifications they may have made.

Same image displayed to all users.

• Check the properties file to make sure that the backgrounds directory setting is correct.

No image displayed in pad background.

• User may have images disabled in the browser.

• Users image may have been deleted from the backgrounds directory.

• Check the properties file to make sure that the backgrounds directory setting is correct.

• Check that the system is configured to assign images for personalization.

15.3 Configurable Actions

Moving Configurable Action from testing environment to a production environment

Question/Problem: I defined a custom configurable action in the test environment and now I want to move the custom action template from test and to production.

Answer/Solution: To do this:

1. Use the Oracle Adaptive Access Manager extensions shared library to package the jar.

2. Add the jar to "oaam-extensions\WEB-INF\lib" folder.

3. Rejar oracle.oaam.extensions.war.

4. Deploy the jar.

Refer to Chapter 12, "Customizing Oracle Adaptive Access Manager."

15.4 One-Time Password

Are numeric/alphanumeric and pluggable random algorithms supported?

Question/Problem: Are numeric/alphanumeric and pluggable random algorithms supported in OTP?

Answer/Solution: OTP is configurable with a set of two properties:

# Length of the Pin bharosa.uio.otp.generate.code.length = 5 
# Characters to use when generating the Pin bharosa.uio.otp.generate.code.characters = 1234567890 

The pin generation method is in the base class (AbstractOTPChallengeProcessor), allowing integrators to override the generateCode method.

15.5 Localization

Customize and localize the virtual devices

Question/Problem: Can I make customizations and localize the virtual authentication devices?

Answer/Solution: The virtual authentication devices are provided as "samples" to use if you choose to. These samples are provided in English only. Source art and documentation are provided to allow you to develop your own custom virtual authentication device frames, keys, personalization images and phrases. Localization is included in these customizations. Custom development is not supported. Localization of the KeyPad may have issues since not all languages have the same number of characters. Portuguese for example has special characters not found in English. The key layout may be a bit different when these character keys are added. When adding keys to the layout it is vital that there is still enough free space around the keys to allow the "jitter" to function. General best practice is a space at least as large as a single key all the way around the bank of keys when they are positioned in the center of the jitter area. The source art contains notes with the pixel sizes for this area.

Alteration of these samples is considered custom development.

The "Pad" frame and key images

The frame and key samples are provided in English only. Master files for the virtual authentication device frames and keys along with descriptions of the parts are provided on request. You may create your own custom frame and key images and deploy them using product documentation. Any and all alterations to these images or the properties that correspond to them are considered custom development. Some issues to be careful of here are text, hot spot, key sizes. It is not recommended that these be made smaller than the provided samples.

Background images and phrase text

A set of sample images are shipped with Oracle Adaptive Access Manager. These images are for use in the virtual authentication devices only. For security reasons they should never be available to end users outside the context of the virtual authentication devices. The content, file sizes, and other attributes were optimized for a broad range of user populations and fast download speed. The sample phrase text for each supported language is provided with the package. Any and all alterations to these images or text is considered custom development. If the images are to be edited, make sure not to increase the physical dimensions or change the aspect ratio of the sample images because distortions will occur. Also, there must be an identically named version of each image for each virtual authentication device used in your deployment.

Images displayed during registration

Question/Problem: The images displayed in the page before user registration appear in English instead of the locale language.

Answer/Solution: Globalized virtual authentication device image files including the authentication registration flows are not provided. The deployment team develop these.

15.6 Man-in-the-Middle/Man-in-the-Browser

Question/Problem: I use mobile transaction authentication number to sign each transaction using an OTP via SMS. SMS costs are high. How can Oracle Adaptive Access Manager help? In addition, I want a solution that protects against Man-in-the-Middle (MiTM)/Man-in-the-Browser (MiTB) attacks.

Answer/Solution:

1. Use Oracle Adaptive Access Manager to assess risk and base the use of secondary authentication such as mTAN on risk. Then, SMS can be sent for transactions that are medium to high risk instead of all transactions.

2. One of the best ways to protect against MiTM and MiTB is to perform transactional risk analysis. For example, check to see if the target account has ever been used by this user before or if the user has ever performed a transfer over set dollar amount thresholds. To perform transactional analysis in real-time today requires native integration with the Web application.

3. Use PinPad to input the target account number. This ensures that the account number entered by the user cannot be easily changed in a session hijacking situation. The account number is not sent over the wire and cannot be easily altered by a MiTM/MiTB.

4. It is recommended that KeyPad and PinPad virtual authentication devices always be used over HTTPS. The virtual authentication devices send the one time random data generated on the end-user's machine (mouse click coordinates) to the server to be decoded and HTTPS provides the traditional encryption in addition. No client software or logic resides on the end-user's machine to be compromised.

5. With Oracle Adaptive Access Manager extremely high risk transfers can be blocked all together. Blocking high risk transfers reduces the fraud regardless of the authentication methods used.