5 Integrating Oracle Access Manager and Oracle Adaptive Access Manager

This chapter describes how Oracle Access Manager can protect the Oracle Adaptive Access Manager console and leverage the authentication capabilities of Oracle Adaptive Access Manager. It contains these topics:

Note:

Integration with Oracle Identity Manager provides additional features related to password collection. See Chapter 6, "Integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager".

5.1 Protecting the Oracle Adaptive Access Manager Console

This section explains how to protect the Oracle Adaptive Access Manager administration console.

You can configure Oracle Access Manager to SSO-enable the Oracle Adaptive Access Manager administration console URL (/oaam_admin). In this setup, the OHS proxy for the URL is configured to use 11g WebGate.

With this configuration, users enter their credentials on the Oracle Access Manager login page, and are automatically logged into Oracle Adaptive Access Manager.

Topics in this section include:

5.1.1 Prerequisites

Ensure that the following prerequisites have been met before you perform the integration:

  • All necessary components have been properly installed and configured:

    • Oracle Access Manager 11g has been installed and configured.

    • Oracle Adaptive Access Manager 11g has been installed and configured.

    • Oracle HTTP Server 11g has been installed and configured as a front-ending proxy web server for Oracle Adaptive Access Manager.

  • The Oracle Access Manager 11g agent (WebGate) for Oracle HTTP Server 11g has been installed on the Oracle HTTP Server 11g instance.

See the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for additional information about these topics.

If the IdentityManagerAccessGate is not present, you need to create a new 10g WebGate profile for Oracle Adaptive Access Manager. Refer to Provisioning a 10g WebGate with OAM 11g in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager for detailed instructions, and use the following information to configure the profile:

  1. Use these values:

  2. Click Apply.

  3. After changes are saved, update the primaryCookieDomain with your domain to be used.

  4. Click Apply.

Note:

Make sure that you update the property oaam.uio.oam.webgate_id with the value OAAMAccessGate (used as the profile name above).

5.1.2 Integration Steps

Take these steps to configure Oracle Access Manager and Oracle Adaptive Access Manager to protect the Oracle Adaptive Access Manager administration console (oaam_admin URL):

  1. Ensure that the required components are installed and configured as explained in Section 5.1.1, "Prerequisites".

  2. Run the remote registration tool on the machine hosting Oracle HTTP Server 11g, to register Oracle Adaptive Access Manager as a partner application for the Oracle Access Manager agent.

  3. Log in to Oracle WebLogic Server Administration Console.

    For details, see Getting Started Using Oracle WebLogic Server Administration Console in the Oracle Fusion Middleware Administrator's Guide.

  4. In Oracle WebLogic Server, locate the Oracle Adaptive Access Manager provider page under Security Realms > myrealm > Providers. Set up the Oracle Access Manager Identity Asserter and the OID Authentication provider. Oracle Adaptive Access Manager must be configured with these security providers.

    See Also:

    Configure Authentication and Identity Assertion providers in the Administration Console Online Help.

  5. Restart all the Oracle WebLogic Servers, including the administration server and the Oracle Adaptive Access Manager managed servers.

  6. In the Oracle Access Manager user identity store (typically, an LDAP store like OID), verify that there is a user belonging to the Oracle Adaptive Access Manager administrator group. If such a user is not present, take these steps:

    • Navigate to Security Realms and select your security realm.

    • Click the Users and Groups tab, then the Users sub-tab.

    • Use the New button to create a new user and assign the group named OAAMRuleAdministratorGroup to the new user.

  7. In the Oracle HTTP Server environment, locate and open the mod_wl_ohs.conf configuration file.

  8. Add an entry to the file using this format:

    MatchExpression /oaam_admin WebLogicHost=hostname.us.mycompany.com|WebLogicPort=WLS_port
    

    This entry configures Oracle HTTP Server to forward application requests to the Oracle WebLogic Server.

  9. Restart Oracle HTTP Server.

  10. Verify that the Oracle Adaptive Access Manager administration console is now protected by Oracle Access Manager and participates in single sign-on.
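Step 10 is the check that matters from a security standpoint: an unauthenticated request for /oaam_admin must not be served by the console but must be redirected to the Oracle Access Manager login. The following Python script is an added example (not part of this guide or of the Oracle products) that classifies the response to such a request. It assumes the OAM 11g WebGate front-channel redirect path /oam/server/obrareq.cgi; the host names, ports and response texts are constructed placeholders standing in for the output of `curl -i http://<ohs-host>:<port>/oaam_admin` against your own environment.

```python
from urllib.parse import urlsplit

# Path an OAM 11g WebGate redirects unauthenticated requests to (assumed known for this example).
OAM_LOGIN_PATH = "/oam/server/obrareq.cgi"

# Constructed raw HTTP responses; host names, ports and the encquery value are placeholders.
PROTECTED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://oam-host.example.com:14100/oam/server/obrareq.cgi?encquery=PLACEHOLDER\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
UNPROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>console served without authentication</html>"
)
OTHER_REDIRECT_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://ohs-host.example.com:7777/somewhere/else\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw):
    """Return 'protected' only when the request was redirected to the OAM login endpoint.

    A 302 to any other location (for example an application's own login page) is not
    evidence that the WebGate is in front of the console, so it is reported as 'unknown'.
    """
    status, headers, _ = parse_response(raw)
    location = headers.get("location", "")
    if status in (302, 303, 307) and urlsplit(location).path == OAM_LOGIN_PATH:
        return "protected"
    if status == 200:
        return "unprotected"
    return "unknown"


if __name__ == "__main__":
    for label, raw in (("protected", PROTECTED_RESPONSE),
                       ("unprotected", UNPROTECTED_RESPONSE),
                       ("other redirect", OTHER_REDIRECT_RESPONSE)):
        print(f"{label}: {classify(raw)}")
```

The check deliberately inspects the redirect target rather than accepting any 302, because a misconfigured proxy that forwards straight to WebLogic can also answer with a redirect without any WebGate involvement.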

5.2 Authentication Features in Oracle Adaptive Access Manager

For strong authentication, Oracle Adaptive Access Manager provides a comprehensive set of challenge question functionality, which includes challenging the user before and after authentication as required with a series of questions.

In addition to challenge questions, Oracle Adaptive Access Manager also provides images and various input devices.

Oracle Adaptive Access Manager also has a capability to ask questions one after another, revealing the questions only if correct answers are provided.

Your site can leverage Oracle Adaptive Access Manager features through one of these options:

5.3 Native Integration

In the native integration, Oracle Access Manager leverages Oracle Adaptive Access Manager features to provide pre- and post-authentication flow for logins, without requiring an Oracle Adaptive Access Manager server.

With native integration, the Oracle Adaptive Access Manager libraries and configuration interface for different flows (challenge, registration, and so on) are bundled with the Oracle Access Manager server. Although Oracle Adaptive Access Manager determines the strong authentication flows, these are rendered by the Oracle Access Manager server. Oracle Access Manager invokes the Oracle Adaptive Access Manager APIs to apply pre- and post-authentication rules, and based on the results, displays the next set of pages and performs necessary processing. Control is never transferred out of the Oracle Access Manager server.

For this type of integration, the Oracle Adaptive Access Manager database must be operational.

KBA is the only challenge mechanism available in this integration.

The following topics explain how this type of integration is implemented:

5.3.1 Processing Flow for Native Integration

The flow is as follows:

  1. The Oracle Access Manager server receives a request for a page protected by an Oracle Access Manager WebGate.

  2. Oracle Access Manager calls the Oracle Adaptive Access Manager APIs to execute the pre-authentication rules. Based on the result (allow/block/deny), Oracle Access Manager displays the appropriate pages to collect credentials. Oracle Access Manager performs all the processing, never passing control to Oracle Adaptive Access Manager.

  3. Oracle Access Manager collects the user credentials.

  4. Oracle Access Manager verifies the credentials against the identity store.

  5. Oracle Access Manager calls the Oracle Adaptive Access Manager APIs again, to run post-authentication rules. Based on the result (register user, register questions, register user (optional), challenge, allow, or block), Oracle Access Manager renders the appropriate set of pages.

    For example, if the result of the rule check is a challenge, Oracle Access Manager renders a challenge question page with the security question displayed.

5.3.2 Authentication Scheme

The native integration offers the OAAMBasic authentication scheme out-of-the-box.

For information about the scheme, see Managing Authentication Schemes in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

5.3.3 Prerequisites

The prerequisites are as follows:

5.3.4 Native Integration Steps

Take these steps to implement the Oracle Access Manager-Oracle Adaptive Access Manager integration:

  1. Locate the oam-config.xml file.

  2. Enable the OAAMEnabled property in the oam-config.xml file by setting it to "true".

    A portion of the file with this property enabled will look like this:

    <Setting Name="OAAM" Type="htf:map">
      <Setting Name="OAAMEnabled" Type="xsd:boolean">true</Setting>
      <Setting Name="passwordPage" Type="xsd:string">/pages/oaam/password.jsp</Setting>
      <Setting Name="challengePage" Type="xsd:string">/pages/oaam/challenge.jsp</Setting>
      <Setting Name="registerImagePhrasePage" Type="xsd:string">/pages/oaam/registerImagePhrase.jsp</Setting>
      <Setting Name="registerQuestionsPage" Type="xsd:string">/pages/oaam/registerQuestions.jsp</Setting>

  3. Create a schema on the Oracle Adaptive Access Manager database with a descriptive schema name; for example, "NATIVE_OAAM".

  4. Access the Oracle WebLogic Server console.

  5. Create a datasource with the following JNDI name:

    jdbc/OAAM_SERVER_DB_DS
    

    Note:

    The name of the datasource can be any valid string, but the JNDI name must be exactly as shown above.

  6. Provide the connection details for the Oracle Adaptive Access Manager database schema you created in Step 3.

  7. Associate Administration Server and oam_server1 as targets with the datasource.

  8. Access the Oracle Adaptive Access Manager administration console.

  9. Import the policies file containing the specified scheme into the Oracle Adaptive Access Manager database using the Oracle Adaptive Access Manager Administration console.

  10. Associate the protected resource with the OAAMBasic scheme.

  11. Access the protected resource to verify the configuration.
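The OAAM map in oam-config.xml (step 2) is what drives the page selection described in Section 5.3.1: the pre-authentication result decides whether the password page is shown, and the post-authentication result decides whether a challenge or registration page is rendered. The following Python code is an added example, not part of this guide or of Oracle Access Manager, that parses the settings map and resolves the page for each result. The XML is a constructed copy of the fragment above with its closing tag added; the pairing of each rule result with a page key is this example's assumption, since the guide lists the results but does not state which setting each one uses.

```python
import xml.etree.ElementTree as ET

# Constructed oam-config.xml fragment: the <Setting Name="OAAM"> map from step 2, closed so it parses alone.
OAAM_SETTINGS_XML = """\
<Setting Name="OAAM" Type="htf:map">
  <Setting Name="OAAMEnabled" Type="xsd:boolean">true</Setting>
  <Setting Name="passwordPage" Type="xsd:string">/pages/oaam/password.jsp</Setting>
  <Setting Name="challengePage" Type="xsd:string">/pages/oaam/challenge.jsp</Setting>
  <Setting Name="registerImagePhrasePage" Type="xsd:string">/pages/oaam/registerImagePhrase.jsp</Setting>
  <Setting Name="registerQuestionsPage" Type="xsd:string">/pages/oaam/registerQuestions.jsp</Setting>
</Setting>
"""

# Result names come from Section 5.3.1; which page key each one maps to is assumed for illustration.
PRE_AUTH_RESULTS = {"allow", "block", "deny"}
TERMINAL_POST_AUTH_RESULTS = {"allow", "block"}
POST_AUTH_PAGE_KEY = {
    "challenge": "challengePage",
    "register questions": "registerQuestionsPage",
    "register image phrase": "registerImagePhrasePage",
}


def parse_oaam_settings(xml_text):
    """Return the OAAM settings map as a dict; xsd:boolean values are validated and coerced."""
    root = ET.fromstring(xml_text.strip())
    if root.get("Name") != "OAAM" or root.get("Type") != "htf:map":
        raise ValueError("root element is not the OAAM settings map")
    settings = {}
    for child in root.findall("Setting"):
        name = child.get("Name")
        value = (child.text or "").strip()
        if child.get("Type") == "xsd:boolean":
            if value not in ("true", "false"):
                raise ValueError(f"{name}: expected 'true' or 'false', got {value!r}")
            settings[name] = value == "true"
        else:
            settings[name] = value
    return settings


def require_enabled(settings):
    if not settings.get("OAAMEnabled"):
        raise RuntimeError("OAAMEnabled is false: the native integration is not active")


def require_page(settings, key):
    """Fail loudly rather than rendering nothing when a page the flow needs is not configured."""
    page = settings.get(key)
    if not page:
        raise KeyError(f"OAAM map has no {key}")
    return page


def credential_page(settings, pre_auth_result):
    """Flow step 2: after the pre-authentication rules, 'allow' leads to credential collection;
    'block' and 'deny' collect nothing."""
    require_enabled(settings)
    if pre_auth_result not in PRE_AUTH_RESULTS:
        raise ValueError(f"unknown pre-authentication result {pre_auth_result!r}")
    return require_page(settings, "passwordPage") if pre_auth_result == "allow" else None


def post_auth_page(settings, post_auth_result):
    """Flow step 5: map a post-authentication rule result to the page Oracle Access Manager renders;
    'allow' and 'block' render no further OAAM page."""
    require_enabled(settings)
    if post_auth_result in TERMINAL_POST_AUTH_RESULTS:
        return None
    key = POST_AUTH_PAGE_KEY.get(post_auth_result)
    if key is None:
        raise ValueError(f"no page configured for result {post_auth_result!r}")
    return require_page(settings, key)


if __name__ == "__main__":
    cfg = parse_oaam_settings(OAAM_SETTINGS_XML)
    print("credential page:", credential_page(cfg, "allow"))
    print("challenge page:", post_auth_page(cfg, "challenge"))
```

Running the parser against the real file after step 2 is a cheap way to catch a typo such as OAAMEnabled set to "True" or "1": the value is rejected instead of silently leaving the strong authentication flow switched off.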

5.3.5 How to Implement Case-Insensitive Logins

After successful authentication on the Oracle Access Manager side, control is passed to Oracle Adaptive Access Manager to process the post-authentication rules. By default, if a user logging in enters the username in mixed case using a case combination that is different from that of the registered user, the Oracle Adaptive Access Manager server will consider the user to be unregistered. For example, this happens if userxy tries to log in by entering username userXY.

To ensure that logins are successful on both servers, you must configure the Oracle Adaptive Access Manager server to treat usernames as case-insensitive. To achieve this, set the following property:

bharosa.uio.default.username.case.sensitive=false
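The following Python code is an added example, not part of this guide or of Oracle Adaptive Access Manager, that models the failure mode described above: a registered-user lookup that honours the bharosa.uio.default.username.case.sensitive property read from a properties file. The properties text is constructed for the example; the fallback of case-sensitive when the property is absent follows the default behaviour the text describes.

```python
# Constructed OAAM properties fragment; only the property name is from the guide, the rest is placeholder.
OAAM_PROPERTIES_CASE_INSENSITIVE = """\
# constructed example properties
bharosa.uio.default.username.case.sensitive=false
"""

CASE_PROPERTY = "bharosa.uio.default.username.case.sensitive"


def load_properties(text):
    """Minimal Java-style properties reader: key=value or key:value, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def property_bool(props, key, default):
    """Read a boolean property strictly: only 'true'/'false' (any case) are accepted."""
    value = props.get(key)
    if value is None:
        return default
    lowered = value.lower()
    if lowered not in ("true", "false"):
        raise ValueError(f"{key}: expected true or false, got {value!r}")
    return lowered == "true"


class RegisteredUsers:
    """The post-authentication 'is this user registered?' check, with configurable case handling."""

    def __init__(self, usernames, case_sensitive):
        self.case_sensitive = case_sensitive
        self._keys = {self._key(u) for u in usernames}

    def _key(self, username):
        # casefold() rather than lower() so non-ASCII usernames (see Section 5.5.1) also compare equal.
        return username if self.case_sensitive else username.casefold()

    def is_registered(self, username):
        return self._key(username) in self._keys


def registered_users_from_properties(properties_text, usernames):
    props = load_properties(properties_text)
    # Assumption taken from the text: usernames are compared case-sensitively unless the property says otherwise.
    case_sensitive = property_bool(props, CASE_PROPERTY, default=True)
    return RegisteredUsers(usernames, case_sensitive)


if __name__ == "__main__":
    strict = registered_users_from_properties("", ["userxy"])
    relaxed = registered_users_from_properties(OAAM_PROPERTIES_CASE_INSENSITIVE, ["userxy"])
    print("userXY registered with default settings:", strict.is_registered("userXY"))
    print("userXY registered with case.sensitive=false:", relaxed.is_registered("userXY"))
```

The two lookups illustrate the symptom from the text: with the default, userXY is treated as an unregistered user even though userxy registered, so the post-authentication flow sends them through registration again; with the property set to false the same identity is recognised on both servers.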

5.4 Advanced Integration

With advanced integration, Oracle Adaptive Access Manager provides the strong authentication flow for Oracle Access Manager logins, including:

  • virtual authenticators

  • fraud rules

  • KBA and OTP functionality

5.4.1 Processing Flow for Advanced Integration

For details of the processing flow for interaction between Oracle Access Manager and Oracle Adaptive Access Manager, see Section 2.8.2.2, "Component Interactions".

5.4.2 Implementing Advanced Integration

Advanced integration between Oracle Access Manager and Oracle Adaptive Access Manager can involve scenarios with or without Oracle Identity Manager.

With Oracle Identity Manager

Integration with Oracle Identity Manager provides users with richer password management functionality, including secure 'Forgot Password' and 'Change Password' flows.

For integration details, see Chapter 6, "Integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager".

Without Oracle Identity Manager

If Oracle Identity Manager is not part of your environment, follow the integration procedure described in Chapter 6, "Integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager", omitting Oracle Identity Manager-related configuration of the Oracle Identity Manager server, and omitting the steps in Section 6.10, "Configure Oracle Identity Manager Properties for the Integration".

Note:

To initiate logout in this scenario, access this link:
http://host:<oaam-server-port>/oaam_server/oamLogout.jsp

5.5 Troubleshooting Tips

This section provides additional troubleshooting and configuration tips for the integration of Oracle Access Manager and Oracle Adaptive Access Manager.

5.5.1 Using Non-ASCII Credentials

When using a non-ASCII username or password in the native authentication flow, you may encounter the following error message:

Sorry, the identification you entered was not recognized. Please try again.

Take these steps to resolve this issue:

  1. Set the PRE_CLASSPATH variable to ${ORACLE_HOME}/common/lib/nap-api.jar

    For C shell:

    setenv ORACLE_HOME "IAMSUITE INSTALL DIR"
    setenv PRE_CLASSPATH "${ORACLE_HOME}/common/lib/nap-api.jar"
    

    For bash/ksh shell:

    export ORACLE_HOME="IAMSUITE INSTALL DIR"
    export PRE_CLASSPATH="${ORACLE_HOME}/common/lib/nap-api.jar"
    
  2. Start the managed server related to OAAM_SERVER.