8 Integrating Oracle Access Manager 10g and Oracle Adaptive Access Manager 11g

This chapter describes the process for integrating Oracle Adaptive Access Manager 11g with Oracle Access Manager 10g. The integration works as follows:

  1. When the user tries to access a protected resource, he is redirected to the Oracle Adaptive Access Manager login page instead of the Oracle Access Manager login.

  2. Oracle Adaptive Access Manager delegates user authentication to Oracle Access Manager.

  3. Then, Oracle Adaptive Access Manager performs risk analysis of the user.

This chapter contains these sections:

  • Section 8.1, "Prerequisites"

  • Section 8.3, "Configure OAM AccessGate for OAAM Web Server"

  • Section 8.4, "Configure OAM Authentication Scheme"

  • Section 8.5, "Configure Oracle Access Manager Connection (Optional)"

  • Section 8.6, "Set Up WebGate for OAAM Web Server"

  • Section 8.7, "Configure OAM Domain to Use OAAM Authentication"

  • Section 8.8, "Configure OHS"

  • Section 8.9, "Configure Oracle Adaptive Access Manager Properties"

  • Section 8.10, "Turn Off IP Validation"

  • Section 8.11, "Testing Oracle Adaptive Access Manager and Oracle Access Manager Integration"

8.1 Prerequisites

Ensure that the following prerequisites are met before performing the integration:

  • All necessary components have been properly installed and configured:

    • Oracle Adaptive Access Manager 11g

    • Oracle Access Manager 10.1.4.3

    • Application Server

  • The Oracle Access Manager environment has been configured to protect simple HTML resources using two different authentication schemes:

    • The first authentication scheme uses Basic Over LDAP.

    • The second authentication scheme is at a higher security level and integrates OAAM Server by using a custom form-based authentication scheme.

      Refer to Section 8.4, "Configure OAM Authentication Scheme."

8.3 Configure OAM AccessGate for OAAM Web Server

In the Oracle Access Manager and Oracle Adaptive Access Manager integration, an Oracle Access Manager AccessGate (a traditional WebGate) fronts the Web server that proxies requests to OAAM Server.

To configure the Oracle Access Manager AccessGate that fronts the Web server to OAAM Server, perform the following steps:

  1. Click Add New AccessGate.

  2. Use the settings in the table below to create a new AccessGate and assign it an Access Server.

    Table 8-1 OHS WebGate Configuration

    Parameter                              Value
    -------------------------------------  -------------------------------------------------
    AccessGate Name                        ohsWebGate
    Description                            AccessGate for Web server hosting OAAM Server
    Hostname                               <hostname>
    Port                                   <port>
    AccessGate Password                    <passwd>
    Debug                                  <Off>
    Maximum user session time (seconds)    3600
    Idle Session Time (seconds)            3600
    Maximum Connections                    1
    Transport Security                     <Open>
    IP Validation                          <On>
    IP Validation Exception                <leave blank>
    Maximum Client Session Time (hours)    24
    Failover Threshold                     1
    Access server timeout threshold        <leave blank>
    Sleep for (seconds)                    60
    Maximum elements in cache              10000
    Cache timeout (seconds)                1800
    Impersonation Username                 <leave blank>
    Impersonation Password                 <leave blank>
    Access Management Service              <On>
    Preferred HTTP Cookie Domain           .<domain_name>
    Preferred HTTP Host                    <hostname>:<port>
    Deny on not protected                  <Off>
    CachePragmaHeader                      no-cache
    CacheControlHeader                     no-cache
    LogOutURLs                             <leave blank>
    User Defined Parameters                <leave blank>
    Assign An Access Server (Primary)      <oam_hostname>:<port>
    Number of Connections                  1


  3. Click AccessGate Configuration.

  4. Click OK to search for all AccessGates.

    The new AccessGate is now listed.

8.4 Configure OAM Authentication Scheme

To leverage OAAM Server as an authentication mechanism, Oracle Access Manager must have a defined Authentication Scheme to understand how to direct authentications to OAAM Server.

To define the authentication scheme for Oracle Adaptive Access Manager, follow the steps below:

  1. Click Authentication Management.

  2. Click New.

  3. Using the settings in the table below, begin creating the new OAAM Server authentication scheme:

    Table 8-2 OAAM Server Authentication Scheme Configuration

    Parameter               Value
    ----------------------  ---------------------------------------------------------------------
    Name                    Adaptive Strong Authentication
    Description             Oracle Adaptive Access Manager-OAAM Server virtual authentication pad
                            authentication scheme
    Level                   3
    Challenge Method        Form
    Challenge Parameter(s)  form:/oaam_server/oamLoginPage.jsp
                            creds:userid password
                            action:/oaam_server/
    SSL Required            <No>
    Challenge Redirect      <Redirect Url>
    Enabled                 <Disabled/Greyed Out>


  4. Click Save.

  5. Click Ok to confirm the saved operation.

  6. Click Plugins.

  7. Click Modify.

  8. Click Add.

  9. Create the plugin configurations using the information presented in the table below.

    Table 8-3 OAAM Server Authentication Scheme Configuration - Plugins

    Plugin Name         Plugin Parameters
    ------------------  --------------------------------------------------------------------
    credential_mapping  obMappingBase="dc=<domain>,dc=com",obMappingFilter="(uid=%userid%)"
    validate_password   obCredentialPassword="password"


  10. Click Save.

  11. Click General.

  12. Click Modify.

  13. Set Enabled to Yes.

  14. Click Save.

8.5 Configure Oracle Access Manager Connection (Optional)

The AccessGates used by OAAM Server must have host identifier entries. Use the Host Identifiers feature to enter the official name for the host, and every other name by which the host can be addressed by users.

A request sent to any address on the list is mapped to the official host name, and applicable rules and policies are implemented. This is primarily used in virtual site hosting environments.

8.6 Set Up WebGate for OAAM Web Server

To correctly handle the cookies for authentication and the required HTTP headers for the OAAM Server, OAAM Server must be protected with a standard WebGate and Web server.

To set up the WebGate for use with OAAM Server, follow these steps:

  1. Install an Apache HTTP server 2.x and configure it with the WebLogic Server Plug-in.

    For instructions on installing and configuring the Apache HTTP Server Plug-In, refer to the document named Oracle Fusion Middleware Using Web Server 1.1 Plug-Ins with Oracle WebLogic Server.

  2. Stop the application server (and Web server).

  3. Run the WebGate installation program.

  4. For the WebGate configuration, use the following settings:

    Table 8-4 Setting Up the WebGate for Use with OAAM Server

    Attribute             Value
    --------------------  -------------------
    WebGate ID            ohsWebGate
    Password for WebGate  <password>
    Access Server ID      <Access ServerId>
    Host Name             <hostname>
    Port                  <port>


8.7 Configure OAM Domain to Use OAAM Authentication

The OAAM Server authentication should now be operable for Oracle Access Manager policy domains.

To modify the Oracle Access Manager policy domain to use the OAAM authentication scheme (Strong Authentication), follow these steps:

  1. Log in to the Oracle Access Manager host. For example, http://hostname/access/oblix.

  2. Click Policy Manager.

  3. Log in as an administrator.

  4. Click My Policy Domains.

  5. Click <ApplicationPolicy>.

  6. Click Default Rules.

  7. Click Modify.

  8. From the Authentication Scheme drop-down selector, select Adaptive Strong Authentication.

  9. Click OK to confirm the change in authentication schemes.

  10. Ensure that Update Cache is checked.

  11. Click Save.

  12. Close Internet Explorer.

8.8 Configure OHS

Configure OHS so that it proxies requests to OAAM Server. In 11g OHS, this is done by modifying mod_wl_ohs.conf.

To set up the proxy, go to the OHS configuration folder and modify the mod_wl_ohs.conf file. An example of an entry to add is shown below:

    # Forward every request under /oaam_server to the WebLogic managed server hosting OAAM Server
    <Location /oaam_server>
        SetHandler weblogic-handler
        WebLogicHost name.mycompany.com
        WebLogicPort 24300
    </Location>

8.9 Configure Oracle Adaptive Access Manager Properties

Setting Oracle Adaptive Access Manager properties for Oracle Access Manager and Oracle Access Manager credentials in CSF is required for this integration to work.

8.9.1 Set Oracle Adaptive Access Manager Properties for Oracle Access Manager

Note:

Before doing this procedure, you must take into account whether the OAAM Admin Console is being protected.

  • If protecting the console, you must take care of user and group creation in the external LDAP store. For details, see Creating Oracle Adaptive Access Manager Administrative Groups and User in LDAP in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

    OR

  • If not protecting the OAAM Admin Console, then the user must be created in the WebLogic Administration Console.

    (Note: You can disable OAAM Admin Console protection by setting the environment variable or Java property WLSAGENT_DISABLED=true.)

To set Oracle Adaptive Access Manager properties for Oracle Access Manager:

  1. Start the managed server hosting the Oracle Adaptive Access Manager server.

  2. Navigate to the Oracle Adaptive Access Manager Admin Console at http://oaam_managed_server_host:oaam_admin_server_port/oaam_admin.

  3. Log in as a user with access to the property editor.

  4. Open the Oracle Adaptive Access Manager property editor to set the Oracle Access Manager properties.

    If a property does not exist, you must add it.

    For the following properties, set the values according to your deployment:

    Table 8-5 Configuring Oracle Access Manager Property Values

    Property Name
        Property Value

    bharosa.uio.default.password.auth.provider.classname
        com.bharosa.vcrypt.services.OAMOAAMAuthProvider

    bharosa.uio.default.is_oam_integrated
        true

    oaam.uio.oam.host
        Access Server host machine name; for example, host.example.com

    oaam.uio.oam.port
        Access Server port; for example, 3004

    oaam.uio.oam.obsso_cookie_domain
        Cookie domain defined in the Access Server WebGate Agent

    oaam.uio.oam.java_agent.enabled
        Default value is false. Set this to true only if the OAM Java Agent (also known as the WLSAgent) is used to protect the application.

        When setting this property, note the following points about the property oaam.uio.oam.obsso_cookie_name:

        • By default, the property oaam.uio.oam.obsso_cookie_name does not exist.

        • If using the Java agent, when setting oaam.uio.oam.java_agent.enabled to true, also set the property oaam.uio.oam.obsso_cookie_name to the value OAMAuthnCookie, since the Java agent uses the OAMAuthnCookie cookie.

        • If using the WebGate Agent and oaam.uio.oam.java_agent.enabled is set to false, remove the property oaam.uio.oam.obsso_cookie_name if it happens to be set.

        Setting oaam.uio.oam.obsso_cookie_name is only required when using the OAM Java agent.

    oaam.uio.oam.virtual_host_name
        Default value is IDMDomain when the OAM Java Agent (also known as the WLSAgent) is used.

        Change this value only if the virtual host name is different from IDMDomain.

    oaam.uio.oam.webgate_id
        IdentityManagerAccessGate

        The name of the WebGate Agent for Oracle Identity Manager integration. The default is IdentityManagerAccessGate.

    oaam.uio.login.page
        /oamLoginPage.jsp

    oaam.uio.oam.authenticate.withoutsession
        false

    oaam.uio.oam.secondary.host
        Name of the secondary Access Server host machine.

        The property must be added, as it is not set by default.

        This property is used for high availability. You can specify the fail-over host name using this property.

    oaam.uio.oam.secondary.host.port
        Port number of the secondary Access Server.

        The property must be added, as it is not set by default.

        This property is used for high availability. You can specify the fail-over port using this property.

    oaam.oam.csf.credentials.enabled
        true

        This property enables configuring credentials in the Credential Store Framework instead of maintaining them in the property editor, so that credentials are securely stored in CSF.


For information on setting properties in Oracle Adaptive Access Manager, see "Using the Property Editor" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

For more information about the IDM Domain Agent, see Section 1.2, "A Note About IDMDomain Agents and WebGates".
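The rules in Table 8-5 are easy to get half right: the Java agent cookie name, the secondary host/port pair and the CSF flag each depend on another setting. The following check is an added example for this page, not Oracle code. It reads the OAAM properties in Java .properties syntax (the same keys the property editor shows) and reports violations of the rules stated in this section. The two sample inputs are constructed; host names and ports in them are placeholders.

```python
"""Consistency check for the OAAM-to-OAM properties listed in Table 8-5.

Added example for this page; it is not Oracle code. It reads the properties
in Java .properties syntax (the same keys the property editor shows) and
reports violations of the rules stated in Section 8.9.1. The sample inputs
below are constructed; host names and ports are placeholders.
"""

# Values the integration requires verbatim (Table 8-5).
REQUIRED_VALUES = {
    "bharosa.uio.default.password.auth.provider.classname":
        "com.bharosa.vcrypt.services.OAMOAAMAuthProvider",
    "bharosa.uio.default.is_oam_integrated": "true",
    "oaam.uio.login.page": "/oamLoginPage.jsp",
}

# Deployment-specific values that must be present but whose content depends on the site.
REQUIRED_PRESENT = (
    "oaam.uio.oam.host",
    "oaam.uio.oam.port",
    "oaam.uio.oam.obsso_cookie_domain",
)


def parse_properties(text: str) -> dict:
    """Parse key=value lines; blank lines and #/! comments are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_oam_properties(props: dict) -> list:
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    for key, expected in REQUIRED_VALUES.items():
        actual = props.get(key)
        if actual is None:
            findings.append(f"missing property {key}")
        elif actual != expected:
            findings.append(f"{key} is {actual!r}, expected {expected!r}")
    for key in REQUIRED_PRESENT:
        if not props.get(key):
            findings.append(f"missing property {key}")
    if "oaam.uio.oam.port" in props and not props["oaam.uio.oam.port"].isdigit():
        findings.append("oaam.uio.oam.port must be a port number")

    # Java agent (WLSAgent) versus WebGate agent: the cookie name rule from Section 8.9.1.
    java_agent = props.get("oaam.uio.oam.java_agent.enabled", "false").lower() == "true"
    cookie_name = props.get("oaam.uio.oam.obsso_cookie_name")
    if java_agent and cookie_name != "OAMAuthnCookie":
        findings.append("oaam.uio.oam.java_agent.enabled=true requires "
                        "oaam.uio.oam.obsso_cookie_name=OAMAuthnCookie")
    if not java_agent and cookie_name is not None:
        findings.append("oaam.uio.oam.obsso_cookie_name must be removed when the WebGate Agent is used")

    # High availability: the secondary host and port are only useful as a pair.
    if bool(props.get("oaam.uio.oam.secondary.host")) != bool(props.get("oaam.uio.oam.secondary.host.port")):
        findings.append("oaam.uio.oam.secondary.host and oaam.uio.oam.secondary.host.port must be set together")

    # Credentials belong in the Credential Store Framework, not in the property editor.
    if props.get("oaam.oam.csf.credentials.enabled", "false").lower() != "true":
        findings.append("oaam.oam.csf.credentials.enabled should be true so WebGate credentials are kept in CSF")
    return findings


# Constructed sample: a WebGate-fronted deployment with an HA secondary Access Server.
GOOD_PROPERTIES = """\
bharosa.uio.default.password.auth.provider.classname=com.bharosa.vcrypt.services.OAMOAAMAuthProvider
bharosa.uio.default.is_oam_integrated=true
oaam.uio.oam.host=oam1.example.com
oaam.uio.oam.port=3004
oaam.uio.oam.obsso_cookie_domain=.example.com
oaam.uio.oam.java_agent.enabled=false
oaam.uio.oam.webgate_id=ohsWebGate
oaam.uio.login.page=/oamLoginPage.jsp
oaam.uio.oam.authenticate.withoutsession=false
oaam.uio.oam.secondary.host=oam2.example.com
oaam.uio.oam.secondary.host.port=3004
oaam.oam.csf.credentials.enabled=true
"""

# Constructed sample with the mistakes this section warns about.
BAD_PROPERTIES = """\
# provider class missing, integration flag wrong, Java agent without cookie name
bharosa.uio.default.is_oam_integrated=false
oaam.uio.oam.host=oam1.example.com
oaam.uio.oam.port=3004
oaam.uio.oam.obsso_cookie_domain=.example.com
oaam.uio.oam.java_agent.enabled=true
oaam.uio.login.page=/oamLoginPage.jsp
oaam.uio.oam.secondary.host=oam2.example.com
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_PROPERTIES), ("bad", BAD_PROPERTIES)):
        print(label, check_oam_properties(parse_properties(text)) or ["ok"])
```

Export the properties from the property editor (or collect them from your custom properties file), feed the text to parse_properties, and review every finding before restarting the managed server; the check only covers the rules this section states, so a clean result is necessary but not sufficient for a working integration.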

8.9.2 Set Oracle Access Manager Credentials in Credential Store Framework

So that Oracle Access Manager WebGate credentials can be securely stored in the Credential Store Framework, follow these steps to add a password credential to the Oracle Adaptive Access Manager domain:

  1. Navigate to the Oracle Fusion Middleware Enterprise Manager Console at http://weblogic_server_host:admin_port/em.

  2. Log in as a WebLogic Administrator.

  3. Expand Base_Domain in the navigation tree in the left pane.

  4. Select your domain name, right-click, select the menu option Security, and then select the option Credentials in the sub-menu.

  5. Click Create Map.

  6. Click oaam to select the map, then click Create Key.

  7. In the pop-up window make sure Select Map is oaam.

  8. Provide the following properties and click OK.

    Table 8-6 Adding Password Credentials to OAAM Domain

    Name      Value
    --------  -----------------------------------------------------
    Map Name  oaam
    Key Name  oam.credentials
    Key Type  Password
    UserName  Oracle Access Manager user with Administrator rights
    Password  Password of Oracle Access Manager WebGate Agent


8.10 Turn Off IP Validation

In order for Oracle Adaptive Access Manager to direct the user to the protected URL after authentication, you must turn off IP validation.

To turn off IP validation, follow the steps below:

  1. On the Access System main page, click the Access System Console link, and then log in as an administrator.

  2. On the Access System Console main page, click Access System Configuration, and then click the Access Gate Configuration link on the left pane to display the AccessGates Search page.

  3. Enter the proper search criteria and click Go to display a list of AccessGates.

  4. Select the AccessGate.

    For example, oaam11gWg.

  5. Click Modify at the bottom of the page.

  6. Set IP Validation to off.

  7. Click Save at the bottom of the page.

8.11 Testing Oracle Adaptive Access Manager and Oracle Access Manager Integration

To test the configuration, try accessing your application. Oracle Access Manager intercepts your unauthenticated request and redirects you to OAAM Server, which challenges you for credentials.
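The observable sign that the integration works is the redirect itself: the first, unauthenticated request to a protected resource must come back as a redirect whose path is the form page configured in Table 8-2, and the WebGate should stamp the no-cache headers from Table 8-1 on it. The following helper is an added example for this page, not Oracle code. It takes the head of an HTTP response captured from such a request (for instance from a browser's network tool or curl -i) and checks both conditions. The two responses below are constructed; host names, ports and the realm string are placeholders.

```python
"""Smoke check for the behaviour described in Section 8.11.

Added example for this page; it is not Oracle code. Given the head of an HTTP
response captured from a request to a protected resource, it verifies that the
WebGate redirected the unauthenticated request to the OAAM login page configured
in Table 8-2 and that the no-cache headers from Table 8-1 are present. The
responses below are constructed; host names, ports and the realm are placeholders.
"""
from urllib.parse import urlsplit

# "form:" challenge parameter of the Adaptive Strong Authentication scheme (Table 8-2).
OAAM_LOGIN_PATH = "/oaam_server/oamLoginPage.jsp"


def parse_response_head(raw: str):
    """Return (status_code, headers) with header names lower-cased; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_oaam_challenge(raw: str):
    """Return (ok, reason); ok is True when the response redirects to the OAAM login page."""
    status, headers = parse_response_head(raw)
    if status not in (302, 303, 307):
        return False, f"expected a redirect, got HTTP {status}"
    location = headers.get("location")
    if location is None:
        return False, "redirect without a Location header"
    path = urlsplit(location).path
    if path != OAAM_LOGIN_PATH:
        return False, f"redirected to {path}, not {OAAM_LOGIN_PATH}"
    return True, "unauthenticated request was sent to the OAAM Server login page"


def check_no_cache_headers(raw: str) -> bool:
    """True when the CachePragmaHeader and CacheControlHeader settings of Table 8-1 took effect."""
    _, headers = parse_response_head(raw)
    return (headers.get("pragma") == "no-cache"
            and "no-cache" in headers.get("cache-control", ""))


# Constructed: what a correctly integrated deployment returns for the first request.
SAMPLE_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://oaam.example.com:7777/oaam_server/oamLoginPage.jsp\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed: the policy domain still uses the Basic Over LDAP scheme, so no redirect occurs.
SAMPLE_BASIC_CHALLENGE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Basic realm=\"placeholder-realm\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(check_oaam_challenge(SAMPLE_REDIRECT))
    print(check_oaam_challenge(SAMPLE_BASIC_CHALLENGE))
```

A 401 with a Basic challenge, as in the second sample, means the policy domain's default authentication rule still points at the Basic Over LDAP scheme rather than Adaptive Strong Authentication (Section 8.7); a redirect to some other path usually means the form: challenge parameter in Table 8-2 or the /oaam_server proxy entry in Section 8.8 does not match the deployed context root.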