Skip Headers
Oracle® Fusion Middleware Integration Guide for Oracle Access Manager
11g Release 1 (11.1.1)

Part Number E15740-07
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

7 Integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager

This chapter describes how to integrate Oracle Access Manager with Oracle Identity Manager and Oracle Adaptive Access Manager to provide highly secure self-service password management flows.

This chapter contains these sections:

7.1 Introduction

In the 11g Release 1 (11.1.1), Oracle Access Manager does not provide its own identity service. Instead, Oracle Access Manager provides the following:

Although other combinations are possible, integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager is the recommended option and provides these features:

Oracle Adaptive Access Manager

Oracle Adaptive Access Manager is responsible for:

Oracle Identity Manager

Oracle Identity Manager is responsible for:

Oracle Access Manager

Oracle Access Manager is responsible for:

7.2 Process Flow

In this deployment, the process flow is as follows:

Resource Protection and Credential Collection Flow

  1. The OAM WebGate server is in charge of protecting the URLs and redirecting the users when they are not authenticated so they can be authenticated.

  2. OAAM collects the username and password for authentication.

    So when the OAM WebGate finds that the user is not authenticated and trying to access the protected URL, it redirects the user to the OAAM Server login page.

  3. The credentials are split into two different pages: a username page and a password page. OAAM allows the user to enter his username. If he is a registered user and based on his registration status, OAAM presents the password page with his personalized image and caption.

  4. The OAAM Server runs the pre-authentication rules and lets the user enter his password.

  5. Since OAAM Server has the user's username and he has entered his password, the OAAM Server makes a NAP API call to the OAM Server for authentication.

  6. Once the OAM server returns the status, which indicates whether the user has entered his username and password correctly, the OAAM Server determines whether the authentication was successful or not.

  7. If the authentication was successful, the OAAM Server redirects the user to the OAM WebGate.

  8. The OAM WebGate server redirects the user to his original URL.

  9. The OAM WebGate allows the user to access the protected URL.

Reset Password Flow

  1. OAAM Server communicates with the OIM server when the OAAM Server needs to call the OIM server for the password policy text that is shown when user is trying to change his password.

  2. Based on the policy, OAAM Server enables the user to enter a password that meets the policy text requirements.

    Because the OAAM Server manages the flows, it is the one that presents the user with the pages where the user can enter his new password and old password.

    The text is maintained by the OAM server, but it is the OAAM server that makes the calls to get that password policy text so that it is displayed when the user tries to change his password.

  3. After he finishes the task, the OAAM Server makes an API call to propagate the changes to the OAM Server.

    The OAM Server can persist those changes to the user directory or where the credentials are maintained.

    The OAM Server and OIM Server communicate with the same user directory where all the user data is maintained.

7.3 Prerequisites for the Integration

The following must be in place for the integration:

The steps below are based on the assumption that Oracle Access Manager and Oracle Identity Manager are integrated using the out-of-the box integration.

7.4 Overview of Integration Tasks

The following tasks are required to perform this integration:

7.5 Install Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager

Install Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager on different WebLogic servers with Oracle Access Manager and Oracle Adaptive Access Manager in the same or different WebLogic domains.

Note:

In this chapter, OAM_HOME is OAM_WL_HOME/Oracle_IDM1, and OAAM_HOME is OAAM_WL_HOME/Oracle_IDM1.

For both Oracle Access Manager and Oracle Adaptive Access Manager, ensure that you have:

For the setup and configuration of Oracle Access Manager, ensure that you have:

For the setup and configuration of Oracle Adaptive Access Manager, ensure that you have:

Note:

If so preferred, Oracle Access Manager and Oracle Adaptive Access Manager can be installed in different domains or on the same WebLogic domain.

For multiple domain installation, the oaam.csf.useMBeans property must be set to true. Refer to "Oracle Adaptive Access Manager Command-Line Interface Scripts" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager for information on setting this parameter.

During the integration steps below, for reference we will refer to the WLS Domain which contains Oracle Access Manager as OAM_DOMAIN_HOME, and the WLS Domain which contains OAAM as OAAM_DOMAIN_HOME.

For information on installing the Identity Management Suite, refer to Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

7.6 Perform Post-Configuration for Oracle Access Manager and Oracle Adaptive Access Manager

This section contains steps to perform post-configuration of Oracle Adaptive Access Manager and to verify that Oracle Access Manager and Oracle Adaptive Access Manager are functional.

7.6.1 Restart the Servers

Before you can perform tasks in this section, ensure that the Oracle Access Manager and Oracle Adaptive Access Manager Administration Consoles and managed servers are running.

7.6.2 Create Users and Import Snapshot for Oracle Adaptive Access Manager

To perform the minimum required steps for Oracle Adaptive Access Manager to be functional, create Oracle Adaptive Access Manager users and import the OAAM Snapshot which contains OAAM policies, dependent components, and configurations.

For the complete set of post-configuration procedures, refer to "Setting Up the Oracle Adaptive Access Manager Environment" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

7.6.2.1 Create Oracle Adaptive Access Manager Users

Before you can access the OAAM Administration Console, you must create administration users.

If protecting the OAAM Administration Console, you must take care of user and group creation in the external LDAP store. For details, see "Creating Users and Groups For Oracle Adaptive Access Manager" in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

If not protecting the OAAM Administration Console, then the administration user must be created in the WebLogic Administration Console. To create an administration user in the WebLogic Administration Console:

Note:

You can disable OAAM Administration Console protection by disabling the IDM Domain Agent that protects it. To do so, you must set the environment variable or Java property WLSAGENT_DISABLED=true.

For instructions on disabling the IDM Domain Agent, refer to "Disabling the IDM Domain Agent" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

  1. Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain.

  2. In the Domain Structure tab at the left-hand side, select Security Realms.

  3. On the Summary of Security Realms page, select the realm that you are configuring (for example, myrealm).

  4. On the Settings for Realm Name page select Users and Groups > Users.

  5. Click New and provide the required information to create a user, such as user1, in the security realm:

    • Name: oaam_admin_username

    • Description: optional

    • Provider: DefaultAuthenticator

    • Password/Confirmation

  6. Click the newly created user, user1.

  7. Click the Groups tab.

  8. Assign any of the groups with the OAAM prefix to the user, user1.

  9. Click Save.

7.6.2.2 Import Oracle Adaptive Access Manager Snapshot

A full snapshot of policies, dependent components and configurations is shipped with Oracle Adaptive Access Manager. For Oracle Adaptive Access Manager to be functional, import the snapshot into the system by following these instructions:

  1. Log in to the OAAM Administration Console at the URL:

    http://oaam_managed_server_host:oaam_admin_managed_server_port/oaam_admin

  2. Load the snapshot file into the system by following these instructions:

    1. Open System Snapshot under Environment in the Navigation tree.

    2. Click the Load from File button.

      A Load and Restore Snapshot dialog appears.

    3. Deselect Back up current system now and click Continue.

      A dialog appears with the message that you have not chosen to back up the current system, and do you want to continue.

    4. When the dialog appears with the message that you have not chosen to back up the current system, and do you want to continue, click Continue.

      The Load and Restore Snapshot page appears for you to choose a snapshot to load.

    5. Browse for oaam_base_snapshot.zip and click the Load button to load the snapshot into the system database.

      The default oaam_base_snapshot.zip is located in the Oracle_IDM1/oaam/init directory.

    6. Click OK and then Restore.

7.6.3 Set Up Validation for Oracle Access Manager and Oracle Adaptive Access Manager

Once installation and post-installation are completed, check that Oracle Access Manager and Oracle Adaptive Access Manager have been set up correctly by following the instructions in the sections that follow.

7.6.3.1 Validate the Oracle Access Manager Setup

Perform these steps to ensure that Oracle Access Manager is properly configured:

  1. Go to http://oam_admin_server_host:oam_admin_server_port/oamconsole.

    You should be redirected to the Oracle Access Manager Server for login.

  2. Provide the administrator user name and password.

    Verify that login to the Oracle Access Manager Administration Console is successful.

7.6.3.2 Validate Oracle Adaptive Access Manager Setup

Try to access the OAAM Server using the URL: http://host:port/oaam_server. You should be able to log in to the OAAM Server and be able to register a profile.

Note:

When you login now, you will need to provide the password as "test" because the Oracle Access Manager and Oracle Adaptive Access Manager integration has not yet been performed. You must change the password immediately after the integration.

7.7 Register the 11g WebGate

This section describes how to register the 11g WebGate. The WebGate is an out-of-the-box access client. This Web server access client intercepts HTTP requests for Web resources and forwards these to the Oracle Access Manager 11g Server.

7.7.1 Pre-requisites for WebGate Registration

Ensure that the following are installed before configuring and registering the Oracle Web Gate:

  • WebLogic Server for Oracle HTTP Server (WLS_FOR_OHS)

  • Oracle HTTP Server (WLS_FOR_OHS/Oracle_WT1, call this OHS_HOME)

  • WebGate (WLS_FOR_OHS/Oracle_OAMWebGate1, call this WG_HOME)

7.7.2 Configure the 11g WebGate

After installing Oracle HTTP Server 11g WebGate for Oracle Access Manager, refer to "Post-Installation Steps" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

7.7.3 Register the 11g WebGate as a Partner

You must register the Oracle Access Manager Agent that resides on the computer hosting the application to be protected.

Refer to the "Registering and Managing OAM Agents Using the Console" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

  1. Register the 11g WebGate partner using the Oracle Access Manager Administration Console. For example:

    11gWG_myhost
    
  2. Click the Edit button in the tool bar to display the configuration page.

  3. Set the Access Client Password and click Apply. Note the Artifacts Location in the confirmation message.

  4. In the Artifacts Location, locate the ObAccessClient.xml configuration file and cwallet.sso and copy them to the OHS_HOME/instances/instance/config/OHS/component/webgate/config directory.

7.7.4 Restart the OHS WebGate

To restart the OHS WebGate issue the following commands:

  1. Navigate to the OHS_HOME/instances/instance/bin directory.

  2. Stop the agent.

    ./opmnctl startall
    
  3. Start the agent.

    ./opmnctl startall
    

7.7.5 Validate the WebGate Setup

Once the setup of WebGate is complete, validate the registration:

  1. Navigate to http://ohs_host:ohs_port/.

    You should be redirected to Oracle Access Manager for authentication.

  2. Enter username and password.

    You should see the Oracle HTTP Server Welcome page.

    This is the partner that will be protected using Oracle Adaptive Access Manager.

7.8 Integrate Oracle Access Manager and Oracle Identity Manager

Integration between Oracle Identity Manager and Oracle Access Manager is required for integration between Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

For more information, see Chapter 5, "Integrating Oracle Access Manager and Oracle Identity Manager."

7.9 Enable LDAP Synchronization for Oracle Identity Manager

Enabling LDAP synchronization for Oracle Identity Manager is required for integration between Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

Oracle Adaptive Access Manager will be working off the same directory with which Oracle Identity Manager is synchronizing.

Note:

The UID must match the CN of the newly created user in the LDAP store; otherwise, a login failure occurs.

For information about configuring LDAP synchronization, see the following sections in Chapter 15, "Configuring Oracle Identity Manager" of the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management: "Completing the Prerequitistes for Enabling LDAP Synchronization", "Running the LDAP Post-Configuration Utility", and "Verifying the LDAP Synchronization".

7.10 Integrate Oracle Access Manager and Oracle Adaptive Access Manager

This task involves integrating the Oracle Access Manager and Oracle Adaptive Access Manager components as part of integrating Oracle Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager (OAAM) to deliver password management and challenge-related functionality to Oracle Access Manager-protected applications.

Note:

In the integration of Oracle Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager, the IdentityManagerAccessGate profile should already exist since it is configured during the Oracle Access Manager and Oracle Identity Manager integration (see Section 7.8, "Integrate Oracle Access Manager and Oracle Identity Manager").

You configure Oracle Access Manager and Oracle Adaptive Access Manager integration so that the OAAM server acts as a trusted partner application. The OAAM server uses the Trusted Authentication Protocol (TAP) to communicate the authenticated user name to the Oracle Access Manager server after it performs strong authentication, risk, and fraud analysis. In this integration, the Oracle Access Manager server is responsible for redirecting to the protected resource.

Note:

For this section:

OAM_HOME is OAM_WL_HOME/Oracle_IDM1. For referring to Oracle Access Manager Software Install, we use OAM_HOME.

OAAM_HOME is OAAM_WL_HOME/Oracle_IDM1. For referring to Oracle Adaptive Access Manager Software Install, we use OAAM_HOME.

During the integration steps below, for reference the WLS Domain which contains Oracle Access Manager is referred to as OAM_DOMAIN_HOME, and the WLS Domain which contains Oracle Adaptive Access Manager is referred to as OAAM_DOMAIN_HOME.

Configure the Oracle Adaptive Access Manager and Oracle Access Manager integration as follows:

7.10.1 Configure Oracle Access Manager for Oracle Access Manager and Oracle Adaptive Access Manager Integration

If Oracle Access Manager is configured to use the Simple Security Transportation protocol, you must register the OAAM Server as a partner application using the registerThirdPartyTAPPartner WLST command.

7.10.1.1 Register the OAAM Server as a Partner Application

To register the OAAM Server as a partner application, follow these steps:

  1. Ensure that the OAM Administration Server is running.

  2. Set up the environment for WLST.

  3. Go to IAM_ORACLE_HOME/common/bin.

  4. Execute the wlst.sh to enter the WLST shell.

  5. Connect to the WebLogic Administration Server using the connect command:

    connect ('username', 'password', 't3://hostname:port')

    For example,

    connect("weblogic","admin_password","t3://AdminHostname:7001")

  6. Execute registerThirdPartyTAPPartner WLST.

    An example is provided below.

registerThirdPartyTAPPartner(partnerName = "OAAMPartner", keystoreLocation= "/scratch/jsmith/dwps1tap/TapKeyStore/mykeystore.jks" ,
password="welcome1", tapTokenVersion="v2.0", tapScheme="TAPScheme",
tapRedirectUrl="http://11gWG_myhost.example.com:14300/oaam_server/oamLoginPage.jsp")

Table 7-1 TAP Partner Example

Parameter Details

partnerName

partnerName is a unique name. If the partner exists in Oracle Access Manager, the configuration will be overwritten.

keystoreLocation

Keystore is an existing location. If the directory path specified is not present, you will get an error. On Windows, the path needs to be escaped. For example:

"C:\\oam-oaam\\tap\\keystore\\store.jks"

The keystore is the outcome of the registerThirdPartyTAPPartner command executed in the instructions above. The location will be passed to the command by the user. In the example shown earlier, it was keystoreLocation= "/scratch/jsmith/dwps1tap/TapKeyStore/mykeystore.jks"

password

The password is specified to encrypt the keystore. Make a note of the password as you will need it later.

tapTokenVersion

tapTokenVersion is always v2.0 for 11.1.1.5.0.

tapScheme

This is the authentication scheme that will be updated. If you want two tap partners with different tapRedirectUrls, create a new authentication scheme using the Oracle Access Manager Administration Console and use that scheme here.

The authentication scheme will be created automatically while you are running the registerThirdPartyTAPPartner command in the instructions above. The name of the TAP scheme will be passed as parameter to that command. The example command has tapScheme="TAPScheme".

tapRedirectUrl

This URL must work. If it does not work, registration will fail. tapRedirectUrl is constructed as follows:

http://oaam_server_host:oaam_server_port/oaam_server/oamLoginPage.jsp

This URL should be reachable, otherwise the validation will fail and the partner will not be created.

In the Oracle Access Manager and Oracle Adaptive Access Manager integration, the credential collector page will be served by the OAAM Server. The authentication scheme created by registerThirdPartyTAPPartner (TAPScheme) points to the OAAM Server credential collector page as the redirectURL.


7.10.1.2 Update the IAMSuite Agent

After generating the initial configuration, you must update the IAMSuite Agent:

  1. Log in to the Oracle Access Manager Administration Console.

  2. Select the System Configuration tab.

  3. Select Access Manager Settings - SSO Agents - OAM Agent from the directory tree. Double-click or select the open folder icon.

  4. Search for IAMSuiteAgent and click the entry found in the Search Results.

    The IAMSuiteAgent details page appears.

  5. Provide the password for Access Client Password.

  6. Click Apply.

7.10.1.3 Configure for Domain Agent

Note: The IAMSuite Agent is now in Open Mode with password authentication. If you are using the Domain Agent in the IDM Domain for another console, make the following change to continue using the Domain Agent.

  1. Log in to WebLogic Administration Console.

  2. Select Security Realms from the Domain Structure menu.

  3. Click myrealm.

  4. Click the Providers tab.

  5. Select IAMSuiteAgent from the list of authentication providers.

  6. Click Provider Specific.

  7. Enter the agent password and type.

  8. To confirm, click Save.

7.10.2 Validate Oracle Access Manager Configuration

To validate the Oracle Access Manager configuration, perform the following steps:

  1. Log in to the Oracle Access Manager Administration Console.

  2. Edit the Authentication Scheme that was specified above. This is the value specified for the tapScheme parameter.

  3. Verify that the Challenge URL is set to the value specified in tapRedirectUrl. For information on the URL, refer to Table 7-1, "TAP Partner Example".

  4. Validate IAMSuiteAgent setup.

  5. Launch OAM tester at OAAM_HOME/../<jdk160_24>/bin/java -jar OAAM_HOME/oam/server/tester/oamtest.jar.

  6. Provide server connection details:

    1. IP Address: OAM Managed Server Host

    2. Port: OAM Oracle Access Protocol (OAP) Port

    3. Agent ID: IAMSuiteAgent

    4. Agent Password: Password provided inUpdate the IAMSuite Agent

    5. Click on Connect.

      If you can connect to the server, the next section, Protected Resource URI, will be enabled.

  7. Provide the protected resource URI as follows:

    1. Host: IAMSuiteAgent

    2. Port: 80

    3. Resource: /oamTAPAuthenticate

    4. Click Validate

      If the validation is successful, the next section for User Identity will be enabled.

  8. Provide User Identity and click Authenticate. If the authentication is successful, the setup is successful.

7.10.3 Configure Oracle Adaptive Access Manager for Oracle Access Manager and Oracle Adaptive Access Manager Integration

Set up the Oracle Access Manager and Oracle Adaptive Access Manager Integration:

  1. Copy the OAAM CLI folder to a working directory:

    cp -r OAAM_HOME/oaam/cli TEMP/oaam_cli

  2. Go to the work folder where you copied the cli folder and open TEMP/oaam_cli/cli/conf/bharosa_properties/oaam_cli.properties in a text editor and set the properties in Table 7-2.

    Table 7-2 OAAM CLI Properties

    Parameter Details

    oaam.adminserver.hostname

    This is the Admin Server Host of the WebLogic Server Domain where OAAM is installed.

    oaam.adminserver.port

    This is the Admin Server port of the WebLogic Server Domain where OAAM is installed.

    oaam.adminserver.username

    This is the Admin Server username of the WebLogic Server Domain (usually weblogic).

    oaam.adminserver.password

    This is the password of the user specified in oaam.adminserver.username property.

    oaam.db.url

    This is the valid JDBC URL of the OAAM database in the format:

    jdbc:oracle:thin:@db_host:db_port:db_sid

    oaam.uio.oam.tap.keystoreFile

    This is the location of keystore file generated by registerThirdPartyTAPPartner WLST.

    Copy the file from the location specified in the above WLST for parameter "keystoreLocation". If Oracle Access Manager and OAAM are on different machines, you will need to manually copy the keystore file created in the OAM server to the OAAM Server and provide the location on the OAAM server here.

    On Windows, the file path value must be escaped. For example: "C:\\oam-oaam\\tap\\keystore\]store.jks"

    oaam.uio.oam.tap.partnername

    This is the "partnerName" used in the WLST registerThirdPartyTAPPartner command. For example, OAAMPartner.

    oaam.uio.oam.host

    This is the OAM Primary Host.

    oaam.uio.oam.port

    This is the OAM Primary NAP (Network Assertion Protocol)/OAP Port. This is the OAM Server port, with the default port number 5575.

    oaam.uio.oam.webgate_id

    This is the IAMSuiteAgent value. Do NOT change this.

    oaam.uio.oam.secondary.host

    This is the OAM Secondary Host.

    oaam.uio.oam.secondary.host.port

    This is the OAM Secondary NAP/OAP Port.


  3. Set the environment variable ORACLE_MW_HOME to the location of the WebLogic Server install where Oracle Adaptive Access Manager is installed.

    setenv ORACLE_MW_HOME <Location of WLS install where Oracle Adaptive Access Manager is installed>

  4. Set the environment variable JAVA_HOME to the JDK used for the WebLogic installation.

  5. Run the following command:

    TEMP/oaam_cli/cli/setupOAMTapIntegration.sh TEMP/oaam_cli/cli/conf/bharosa_properties/oaam_cli.properties

7.10.4 Protect a Resource with Oracle Adaptive Access Manager in Oracle Access Manager

To protect a resource with Oracle Adaptive Access Manager, follow these steps:

  1. Log in to the Oracle Access Manager Administration Console.

  2. Check for the Application Domain that was created as part of the 11gWebGate registration. (11gWG_myhost in the example).

  3. Edit the Authentication Policy, following these steps:

    1. From the Navigation window expand: Application Domains > 11gWG_myhost > Authentication Policies.

    2. Click Protected Resource Policy.

      Except for "11gWG_myhost" in the example, all other strings would be as is in Oracle Access Manager.

    3. Update Authentication Scheme to the TAP scheme specified as the "tapScheme" parameter in "registerThirdPartyTAPPartner" command.

  4. Click Apply to save the changes.

7.10.5 Validate the Oracle Access Manager and Oracle Adaptive Access Manager Integration

Try to access the protected resource. You should be redirected to OAAM for registration and challenge. The OAAM login page is shown instead of the Oracle Access Manager login page.

7.11 Integrate Oracle Identity Manager and Oracle Adaptive Access Manager

This section describes how to integrate Oracle Identity Manager and Oracle Adaptive Access Manager for the three-way integration of Oracle Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager:

7.11.1 Set Oracle Adaptive Access Manager Properties for Oracle Identity Manager

To set Oracle Adaptive Access Manager properties for Oracle Identity Manager:

  1. Go to the OAAM Administration Console at the URL:

    http://oaam_managed_server_host:oaam_admin_managed_server_port/oaam_admin

  2. Log in as a user with access to the Properties Editor.

  3. Open the Oracle Adaptive Access Manager Property Editor to set the Oracle Identity Manager properties.

    If a property does not exist, you need to add it.

    For the following properties, set the values according to your deployment:

    Table 7-3 Configuring Oracle Identity Manager Property Values

    Property Name Property Values

    bharosa.uio.default.user.management.provider.classname

    com.bharosa.vcrypt.services.OAAMUserMgmtOIM

    oaam.oim.auth.login.config

    ${oracle.oaam.home}/../designconsole/config/authwl.conf

    oaam.oim.url

    t3://<OIM Managed Server>:<OIM Managed Port>

    For example, t3://host.example.com:14000

    URLs can be listed as comma-separated values; for example:

    oaam.oim.url = t3://oimhost1.mycompany.com:14000,oimhost2.mycompany.com:14000
    

    The two OIM hosts are clustered and load balanced, however there's no hardware load-balancer to route the traffic between them. In this case, if one of the hosts is down, the traffic is routed to the other.

    oaam.oim.xl.homedir

    ${oracle.oaam.home}/../designconsole

    bharosa.uio.default.signon.links.enum.selfregistration.url

    http://<OIM Managed Server>:<OIM Managed Port>/oim/faces/pages/USelf.jspx?E_TYPE=USELF&OP_TYPE=SELF_REGISTRATION&backUrl=<OAAM Login URL for OIM>

    where <OAAM Login URL for OIM> is http://<OHS host>:<OHS port>/oim/faces/pages/Self.jspx or (in case of IDMDOMAINAgent ) is http://<OIM host>:<OIMport>/oim/faces/pages/Self.jspx.

    OHS setup was performed during the integration between Oracle Access Manager and Oracle Identity Manager.

    bharosa.uio.default.signon.links.enum.trackregistration.url

    http://<OIM Managed Server>:<OIM Managed Port>/oim/faces/pages/USelf.jspx?E_TYPE=USELF&OP_TYPE=UNAUTH_TRACK_REQUEST&backUrl=<OAAM Login URL for OIM>

    where <OAAM Login URL for OIM> is http://<OHS host>:<OHS port>/oim/faces/pages/Self.jspx or (in case of IDMDOMAINAgent ) is http://<OIM host>:<OIMport>/oim/faces/pages/Self.jspx.

    OHS setup was performed during the integration between Oracle Access Manager and Oracle Identity Manager.

    bharosa.uio.default.signon.links.enum.trackregistration.enabled

    true

    bharosa.uio.default.signon.links.enum.selfregistration.enabled

    true

    oaam.oim.csf.credentials.enabled

    true

    This property enables the configuring of credentials in the Credential Store Framework as opposed to maintaining them using the Properties Editor. This step is performed so that credentials can be securely stored in CSF.


For information on setting properties in Oracle Adaptive Access Manager, see "Using the Property Editor" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

7.11.2 Set Oracle Identity Manager Credentials in Credential Store Framework

So that Oracle Identity Manager WebGate credentials can be securely stored in the Credential Store Framework, follow these steps to add a password credential to the Oracle Adaptive Access Manager domain:

  1. Go to the Oracle Fusion Middleware Enterprise Manager Console at http://weblogic_host:administration_port/em.

  2. Log in as a WebLogic Administrator, for example WebLogic.

  3. Expand the <Base_Domain> icon in the navigation tree in the left pane.

  4. Select your domain name, right click, and select the menu option Security and then the option Credentials in the sub menu.

  5. Click Create Map.

  6. Click oaam to select the map, then click Create Key.

  7. In the pop-up dialog, ensure that Select Map is oaam.

  8. Provide the following properties and click OK.

    Table 7-4 Oracle Identity Manager Credentials

    Name Value

    Map Name

    oaam

    Key Name

    oim.credentials

    Key Type

    Password

    UserName

    Username of Oracle Identity Manager Administrator

    Password

    Password of Oracle Identity Manager Administrator


7.12 Configure Oracle Identity Manager Properties for the Integration

In Oracle Identity Manager, system properties are configured to enable Oracle Adaptive Access Manager instead of Oracle Identity Manager to provide the functionality related to challenge questions.

To modify Oracle Identity Manager properties for Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integration, take these steps:

  1. Log in to the Oracle Identity Manager Administrative Console.

  2. Click the Advanced link in the self-service console.

  3. Click System Properties in System Management.

  4. Click on Advanced Search.

  5. Set the following properties and click Save.

    Note:

    For the URLs, use the hostnames as they were configured in Oracle Access Manager. For example, if a complete hostname (with domain name) was provided during Oracle Access Manager configuration, use the complete hostname for the URLs.

    Table 7-5 Oracle Identity Manager Redirection

    Keyword Property Name and Value

    OIM.DisableChallengeQuestions

    TRUE

    OIM.ChangePasswordURL

    URL for change password page in Oracle Adaptive Access Manager

    (http://oaam_server_managed_server_host:oaam_server_managed_server_port/oaam_server/oimChangePassword.jsp

    In a high availability (HA) environment, set this property to point to the virtual IP URL for the OAAM server.

    OIM.ChallengeQuestionModificationURL

    URL for challenge questions modification page in Oracle Adaptive Access Manager

    (http://oaam_server_managed_server_host:oaam_server_managed_server_port/oaam_server/oimResetChallengeQuestions.jsp)


7.13 Configure TAP Scheme to Access Applications in the IAMSuite Agent Application Domain

Note:

The instructions in this section should only be performed if you want to use the TAP Scheme in the IAMSuiteAgent application domain.

To use TAP scheme for Identity Management product resources in the IAM Suite domain, Protected HigherLevel Policy, the following configuration must be performed:

  1. Log in to the Oracle Access Manager Administration Console.

  2. Navigate to Policy Configuration, select Application Domains, select IAMsuiteAgent, select Authentication Policies, and select Protected Higher Level Policy.

  3. On the Authentication Policy page, remove IAMSuiteAgent:/oamTAPAuthenticate from the Resources tab.

  4. Click Apply.

  5. Create a new Authentication Policy in the IAMSuite Application Domain.

  6. On the Authentication Policy page, select LDAPScheme in the Authentication Scheme field.

  7. Add IAMSuiteAgent:/oamTAPAuthentication as a resource.

  8. Click Apply.

7.14 Troubleshooting Tips

This section provides additional troubleshooting and configuration tips for the integration of Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

7.14.1 Policies and Challenge Questions

You may encounter a non-working URL if policies and challenge questions are not available as expected in your Oracle Adaptive Access Manager environment. For example, the Forgot Password page will fail to come up and you are redirected back to the login page.

To ensure correct operation, make sure that the default base policies and challenge questions shipped with Oracle Adaptive Access Manager have been imported into your system. For details, see Setting Up the Oracle Adaptive Access Manager Environment in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

7.14.2 Cookie Domain Definition

Incorrect value of the cookie domain in your configuration can result in login failure.

For correct WebGate operation, ensure that the property oaam.uio.oam.obsso_cookie_domain is set to match the corresponding value in Oracle Access Manager; for example, .us.example.com.

7.14.3 In the OAM and OAAM Integration TAP Could Not Modify User Attribute

In integration scenarios coupled with multiple identity stores, the user identity store that is set as the Default Store is used for authentication and assertion. If you change the Default Store to point to a different store, ensure that the TAPScheme also points to same store.

For the OAM-OAAM TAP integration, the assertion for the TAPScheme Authentication Scheme is made against the Default Store. In this case the backend channel authentication made against the LDAP module uses a specific user identity store (OID, for example). When the username is returned to Oracle Access Manager, the assertion occurs against the Default Store (not the same OID that was used for the authentication).

Note:

For Session Impersonation, the Oracle Internet Directory instance that is used for the user and grants must be the Default Store.

If you change the Default Store, ensure that the TAPScheme also points to same store. Otherwise, authentication can succeed but the final redirect can fail with the following errors:

Module oracle.oam.user.identity.provider 
Message Principal object is not serializable; getGroups call will result in 
an extra LDAP call 

Module oracle.oam.engine.authn 
Message Cannot assert the username from DAP token

Module oracle.oam.user.identity.provider 
Message Could not modify user attribute for user : cn, attribute :
userRuleAdmin, value : {2} .

7.14.4 TAP: setupOAMTapIntegration Script Does Not Provide Exit Status Message

When the setupOAMTapIntegration script is run to configure Oracle Adaptive Access Manager for Oracle Access Manager and Oracle Adaptive Access Manager integration, a message is not provided to indicate whether the script completed successfully or failed.