Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in This Guide?
Product Enhancements for Oracle Access Management 11.1.2.1.0
Product Enhancements in Oracle Access Management 11.1.2.0.0
Product and Component Name Changes with 11.1.2
Part I Introduction to Oracle Access Management
1
Introduction to Oracle Access Management
1.1
Introduction to Oracle Access Management
1.1.1
About Oracle Access Management Installation
1.1.2
About Oracle Access Management Post-Installation Tasks
1.2
Introduction to Oracle Access Management Access Manager
1.2.1
Introduction to Access Manager Architecture
1.2.2
Introduction to Access Manager Deployment Types
1.3
Summarizing Oracle Access Management Access Manager 11.1.2
1.3.1
About Access Manager 11.1.2
1.3.2
About Functionality Not Available with Access Manager 11g
1.4
Introduction to Oracle Access Management Security Token Service
1.4.1
Security Token Service Key Terms and Concepts
1.4.2
About Security Token Service
1.4.3
About Integrated Oracle Web Services Manager
1.4.4
About Security Token Service Architecture
1.4.5
About Security Token Service Deployments
1.4.5.1
Centralized Token Authority Deployment
1.4.5.2
Tokens Behind a Firewall Deployment
1.4.5.3
Web Services SSO Deployment
1.4.6
About Installation Options
1.4.6.1
Security Token Service Cluster in Single WLS Domain
1.4.6.2
Endpoint Exposure through a Web Server Proxy
1.4.6.3
Interoperability of Requester and Relying Party with Other Oracle WS-Trust based Clients
1.4.6.4
Security Token Service Installation Overview
1.4.6.5
Post-Installation Tasks: Security Token Service
1.4.7
About Security Token Service Administration
1.5
System Requirements and Certification
Part II Using the Console for Common Tasks
2
Getting Started with Oracle Access Management Administration and Navigation
2.1
Prerequisites
2.2
Starting and Stopping Servers in Your Deployment
2.2.1
Starting Node Manager
2.2.2
Starting and Stopping AdminServer
2.2.3
Starting and Stopping OAM Servers
2.3
Introduction to Oracle Access Management Administrators
2.4
Logging In to and Signing Out of Oracle Access Management Console
2.4.1
Logging In to the Oracle Access Management Console
2.4.2
Signing Out of Oracle Access Management Console
2.5
Choosing a Language for Oracle Access Management Login
2.5.1
Selecting A Language for Oracle Access Management Login
2.5.2
Understanding the Language Preference Cookie
2.5.3
Propagating Language Preference and Application Integration
2.5.4
Configuring Your Language Preference
2.6
Introduction to the Oracle Access Management Console and Controls
2.6.1
Console Layout and Controls
2.6.1.1
Welcome Page and Shortcuts
2.6.1.2
Function-Level Tabs and Controls
2.6.1.3
Content Pages and Page Controls
2.6.2
Elements on a Page
2.6.3
Selecting Controls in the Console
2.7
Introduction to System Configuration and Policy Configuration Tabs
2.7.1
About the System Configuration Tab
2.7.2
About the Policy Configuration Tab
2.8
Viewing Configuration Details in the Console
2.9
Conducting Searches Using the Console
2.10
Using Online Help
2.11
Command-Line Tools
2.12
Logging, Auditing, Monitoring Performance
3
Managing Common Services and Certificate Validation
3.1
Introduction to Common Configuration Elements
3.2
Enabling or Disabling Available Services
3.3
Managing Common Settings
3.3.1
About Common Settings Pages
3.3.2
Managing Common Settings
3.3.3
Viewing Common Coherence Settings
3.4
Managing Global Certificate Validation and Revocation
3.4.1
About Certificate Validation and Revocation
3.4.2
Managing Certificate Revocation Lists (CRLs)
3.4.3
Enabling Certificate Validation
3.4.4
Configuring CRL Distribution Point Extensions (CDP)
4
Managing Data Sources
4.1
Prerequisites
4.2
Introduction to Common Data Sources
4.2.1
About the Oracle Access Management Configuration Data File: oam-config.xml
4.3
Managing User Identity Stores
4.3.1
About User Identity Stores
4.3.2
About Using Multiple Identity Stores
4.3.3
About the User Identity Store Registration Page
4.3.4
Registering a New User Identity Store
4.3.5
Viewing or Editing a User Identity Store Registration
4.3.6
Deleting a User Identity Store Registration
4.4
Setting the Default Store and System Store
4.4.1
About Setting the Default Store and System Store
4.4.2
Defining a Default Store and System Store
4.5
Managing the Administrators Role
4.5.1
About Managing the Administrator Role
4.5.2
Managing Administrator Roles
4.6
Managing the Policy and Session Database
4.6.1
About the Database Store for Policy, Password Management, and Sessions
4.6.2
About Database Deployment
4.6.3
Configuring a Separate Database for Access Manager Sessions
4.7
Introduction to Oracle Access Management Keystores
4.7.1
About Access Manager Security Keys and the Embedded Java Keystore
4.7.2
About Access Manager Keystores
4.7.3
About Identity Federation Keystore
4.8
Integrating a Supported LDAP Directory with Oracle Access Manager
5
Managing Server Registration
5.1
Prerequisites
5.2
Introduction to OAM Servers, Registration, and Management
5.2.1
About Individual OAM Server Registrations
5.2.2
About the Embedded Proxy Server and Backward Compatibility
5.2.3
About 11g SSO, Legacy 10g SSO in Combination with OSSO 10g
5.2.4
About Communication Between OAM Servers and Webgates
5.2.5
About Restarting Servers After Configuration Changes
5.3
Managing Individual OAM Server Registrations
5.3.1
About the OAM Server Registration Page
5.3.1.1
OAM Proxy Page
5.3.1.2
Coherence Page for Individual Servers
5.3.2
Registering a Fresh OAM Server Instance
5.3.3
Viewing or Editing Individual OAM Server and Proxy Settings
5.3.4
Deleting an Individual Server Registration
Part III Common Logging, Auditing, Performance Monitoring and Tuning
6
Logging Component Event Messages
6.1
Prerequisites
6.2
Introduction to Logging Component Event Messages
6.2.1
About Component Loggers
6.2.2
Sample Logger and Log Handler Definition
6.2.3
About Logging Levels
6.3
Configuring Logging for Access Manager
6.3.1
Modifying the Logger Level for Access Manager
6.3.2
Adding an Access Manager-Specific Logger and Log Handler
6.4
Configuring Logging for Security Token Service and Identity Federation
6.4.1
Configuring Logging for Security Token Service or Identity Federation
6.4.2
Defining Log Level and Log Details for Security Token Service or Identity Federation
6.5
Validating Run-time Event Logging Configuration
7
Logging Webgate Event Messages
7.1
About Logging, Log Levels, and Log Output
7.1.1
About Log Levels
7.1.2
About Log Output
7.2
About Log Configuration File Paths and Contents
7.2.1
Log Configuration File Paths and Names
7.2.2
Log Configuration File Contents
7.2.2.1
When Changes to the File Take Effect
7.2.2.2
About Comments in the Log File
7.3
About Directing Log Output to a File or the System File
7.4
Structure and Parameters of the Log Configuration File
7.4.1
The Log Configuration File Header
7.4.2
The Initial Compound List
7.4.3
The Simple List and Logging Threshold
7.4.4
The Second Compound List and Log Handlers
7.4.5
The List for Per-Module Logging
7.4.6
The Filter List
7.4.7
About XML Element Order
7.5
About Activating and Suppressing Logging Levels
7.5.1
About Log Handler Precedence
7.6
Mandatory Log-Handler Configuration Parameters
7.6.1
Settings in the Default Log Configuration File
7.6.1.1
Description of the Settings in the Default Log Configuration File
7.7
Configuring Different Threshold Levels for Different Types of Data
7.7.1
About the MODULE_CONFIG Section
7.7.1.1
Location of the Per-Module Logging Section in the Log Configuration File
7.7.1.2
List of Modules That Can Be Logged
7.7.2
Configuring a Log Level Threshold for a Function or Module
7.8
Filtering Sensitive Attributes
8
Auditing Administrative and Run-time Events
8.1
Prerequisites
8.2
Introduction to Auditing
8.2.1
About Oracle Access Management Auditing Configuration
8.2.2
About Audit Record Storage
8.2.3
About Audit Reports and Oracle Business Intelligence Publisher
8.2.4
About the Audit Log and Data
8.3
Access Manager Events You Can Audit
8.3.1
Access Manager Administrative Events You Can Audit
8.3.2
Access Manager Run-time Events You Can Audit
8.3.3
About Authentication Event Auditing
8.4
Identity Federation Events You Can Audit
8.4.1
Session Management Events for Identity Federation
8.4.2
Protocol Flow Events for Identity Federation
8.4.3
Server Configuration Events for Identity Federation
8.4.4
Security Events for Identity Federation
8.5
Security Token Service Events You Can Audit
8.5.1
About Audit Record Content Common to All Events
8.5.2
Security Token Service Administrative Events You Can Audit
8.5.3
Security Token Service Run-time Events You Can Audit
8.6
Setting Up Auditing for Oracle Access Management
8.6.1
Setting Up the Audit Database Store
8.6.2
Preparing Oracle Business Intelligence Publisher EE
8.6.3
About Auditing Configuration Using Oracle Access Management Console
8.6.4
Adding, Viewing, or Editing Audit Settings
8.7
Validating Auditing and Reports
9
Reporting
9.1
Using the Reports
9.2
Accessing Oracle Access Management Reports
9.3
Supported Output Formats
9.4
Reports for Access Manager
9.4.1
Account Management Reports
9.4.2
Authentication Reports
9.4.2.1
Authentication Statistics Report
9.4.2.2
AuthenticationFromIPByUser
9.4.2.3
AuthenticationPerIP
9.4.2.4
AuthenticationStatisticsPerServer Report
9.4.3
Errors and Exceptions
9.4.3.1
All Errors and Exceptions
9.4.3.2
Authentication Failures
9.4.3.3
User Activities
9.4.3.4
Authentication History
9.4.3.5
Authorization History
9.4.3.6
Multiple Logins From Same IP
9.5
Creating Reports Using Third-Party Software
9.6
Required Access Manager Tasks for BI Publisher Reports
10
Monitoring Performance by Using Oracle Access Management Console
10.1
Introduction to Performance Monitoring
10.2
Reviewing DMS Metric Tables
10.3
Monitoring Server Metrics Using Oracle Access Management Console
10.3.1
Monitoring Server Instance Performance
10.3.2
Reviewing Server Metrics Using Oracle Access Management Console
10.4
Monitoring SSO Agent Metrics Using Oracle Access Management Console
10.4.1
Monitoring Agent Metrics Using Oracle Access Management Console
10.4.2
Reviewing OAM Agent Metrics
10.4.3
Reviewing OSSO Agent Metrics
10.5
Introduction to OAM Proxy Metrics and Tuning
10.5.1
About OAM Proxy Metrics
10.5.2
OAM Proxy Server Tuning Parameters
10.6
Reviewing OpenSSO Metrics in the DMS Console
10.6.1
OpenSSO Proxy Events and Metrics: Server
10.6.2
OpenSSO Proxy Metrics: Agent
10.6.3
Reviewing OpenSSO Metrics Using the DMS Console
11
Monitoring Performance and Logs with Fusion Middleware Control
11.1
Prerequisites
11.2
Introduction to Fusion Middleware Control
11.3
Logging In to and Out of Fusion Middleware Control
11.3.1
About the Login Page for Fusion Middleware Control
11.3.2
Logging In to Fusion Middleware Control
11.3.3
Logging Out of Fusion Middleware Control
11.4
Displaying Menus and Pages in Fusion Middleware Control
11.4.1
About the Farm Page in Fusion Middleware Control
11.4.2
About Context Menus and Pages in Fusion Middleware Control
11.4.3
Displaying Context Menus and Target Details in Fusion Middleware Control
11.5
Viewing Performance in Fusion Middleware Control
11.5.1
About Performance Overview Pages in Fusion Middleware Control
11.5.1.1
Access Manager Component Pages
11.5.1.2
Security Token Service Component Pages
11.5.2
About the Metrics Palette and the Performance Summary Page
11.5.3
Displaying Performance Metrics in Fusion Middleware Control
11.5.4
Displaying Component-Specific Performance Details
11.6
Managing Log Level Changes in Fusion Middleware Control
11.6.1
About Dynamic Log Level Changes
11.6.2
Setting Log Levels Dynamically Using Fusion Middleware Control
11.7
Managing Log File Configuration from Fusion Middleware Control
11.7.1
About Log File Configuration
11.7.2
Managing Log File Configuration by Using Fusion Middleware Control
11.8
Viewing Log Messages in Fusion Middleware Control
11.8.1
About Finding, Viewing, and Exporting Log Messages
11.8.2
Viewing Logged Messages With Fusion Middleware Control
11.9
Displaying MBeans in Fusion Middleware Control
11.9.1
About the System MBean Browser
11.9.2
Managing MBeans
11.10
Displaying Farm Routing Topology in Fusion Middleware Control
11.10.1
About the Routing Topology
11.10.2
Viewing the Routing Topology using Fusion Middleware Control
Part IV Managing Access Manager Settings and Agents
12
Configuring Access Manager Settings
12.1
Prerequisites
12.2
Introduction to Access Manager Settings
12.3
Managing Load Balancing
12.3.1
About Common Load Balancing Settings
12.3.2
Managing OAM Server Load Balancing
12.4
Managing Secure Error Modes
12.4.1
About OAM Server Error Modes
12.4.2
Managing OAM Server Secure Error Modes
12.5
Managing SSO Tokens and IP Validation
12.5.1
About Access Manager SSO Tokens and IP Validation Settings
12.5.2
Managing SSO Tokens and IP Validation
12.6
Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security
12.6.1
About Simple and Cert Mode Transport Security
12.6.2
About the Common OAM Proxy Page for Secure Server Communications
12.6.3
Viewing or Editing Simple or Cert Settings for OAM Proxy
12.7
Managing Run Time Policy Evaluation Caches
12.7.1
About Run Time Policy Evaluation Caches
12.7.2
Managing Run Time Policy Evaluation Caches
13
Introduction to Agents and Registration
13.1
Introduction to Policy Enforcement Agents
13.1.1
About Agent Types and Runtime Processing
13.1.2
About 11g Webgate Configured as a Detached Credential Collector
13.1.3
About 11g Webgate Functionality for Mobile and Social
13.1.4
About the Pre-Registered 10g Webgate IAMSuiteAgent
13.2
Introduction to Agent Registration
13.2.1
About Agent Registration, Keys, and Policies
13.2.2
About File System Changes and Artifacts for Registered Agents
13.3
Introduction to Remote Registration
13.3.1
About Performing In-Band Remote Registration
13.3.2
About Performing Out-of-Band Remote Registration
13.3.3
About Updated Agent Configuration Files
14
Registering and Managing OAM 11g Agents
14.1
Prerequisites
14.2
Understanding OAM Agent Registration Parameters in the Console
14.2.1
About Create OAM Webgate Page and Parameters
14.2.2
About User-Defined Webgate Parameters
14.2.3
About IP Address Validation for Webgates
14.3
Registering an OAM Agent Using the Console
14.4
Configuring and Managing Registered OAM Agents Using the Console
14.4.1
Understanding Registered OAM Agent Configuration Parameters in the Console
14.4.2
Searching for an OAM Agent Registration
14.4.3
Viewing or Editing an OAM Agent Registration Page in the Console
14.4.4
Deleting OAM Agent Registration Using the Console
14.5
Understanding the Remote Registration Tool, Modes, and Process
14.5.1
About Remote Registration Command Arguments and Modes
14.5.2
Common Elements within Remote Registration Request Templates
14.5.3
About Key Use, Generation, Provisioning, and Storage
14.6
Understanding Remote Registration Templates: OAM Agents
14.6.1
OAM Agent Parameters for Remote Registration
14.7
Performing Remote Registration for OAM Agents
14.7.1
Acquiring and Setting Up the Remote Registration Tool
14.7.2
Creating Your Remote Registration Request
14.7.3
Performing In-Band Remote Registration
14.7.4
Performing Out-of-Band Remote Registration
14.8
Introduction to Updating Agents Remotely
14.8.1
About Remote Agent Update Modes
14.8.2
About Remote 11g OAM Agent Updates Template
14.9
Updating Agents Remotely
14.9.1
Updating Agents Remotely
14.9.2
Performing Remote Agent Validation
14.9.3
Performing Remote Agent Removal
14.10
Validating Remote Registration and Resource Protection
14.10.1
Validating Remote Registration
14.10.1.1
Validating Agent Registration using the Oracle Access Management Console
14.10.1.2
Validating Authentication and Access After Remote Registration
14.11
Replacing the IAMSuiteAgent with an 11g Webgate
14.11.1
Registering a Replacement 11g Webgate for IAMSuiteAgent
14.11.2
Installing the Replacement 11g Webgate for IAMSuiteAgent
14.11.3
Updating the WebLogic Server Plug-in
14.11.4
Confirming the AutoLogin Host Identifier for an OAM / OIM Integration
14.11.5
Configuring OAM Security Providers for WebLogic
14.11.5.1
About Security Providers
14.11.5.2
Setting Up Security Providers for the 11g Webgate
14.11.6
Disabling IAMSuiteAgent
14.11.7
Verification
15
Managing Sessions
15.1
Prerequisites
15.2
Introduction to Sessions and Session Management
15.2.1
About Access Manager Session Security
15.2.1.1
Secure HTTPS Protocol
15.2.1.2
Oracle Coherence
15.2.1.3
Database Persistence
15.2.2
About the Session Lifecycle
15.2.3
About Timeout with Multiple-Agent Types: OSSO and OAM Agents
15.2.4
About OpenSSO Agents
15.2.5
About Oracle Coherence and Session Management
15.3
Configuring Session Lifecycle Settings
15.3.1
About Common Session Lifecycle Setting Page
15.3.2
Viewing or Modifying Common Session Lifecycle Settings
15.4
Managing Active Sessions
15.4.1
About the Session Management Page
15.4.2
Managing Active Sessions
15.5
Verifying Session Operations
Part V Managing Access Manager SSO, Policies, and Testing
16
Introduction to Single Sign-On with Access Manager
16.1
Introduction to Access Manager Single Sign-On
16.1.1
About Multiple Network Domain SSO
16.1.2
About Application SSO and Access Manager
16.1.3
About Multiple WebLogic Server Domain SSO
16.1.4
About Reverse-Proxy SSO
16.2
Understanding the Access Manager Policy Model
16.3
Anatomy of an Application Domain and Policies
16.3.1
About Resource Definitions for Policies
16.3.2
About Authentication Policies
16.3.3
About Authorization Policies
16.3.4
About Token Issuance Policies
16.4
Introduction to Policy Conditions and Rules
16.5
Introduction to Access Manager Credential Collection and Login
16.5.1
About Access Manager Credential Collection
16.5.2
About SSO Login Processing with OAM Agents and ECC
16.5.3
About Login Processing with OAM Agents and DCC
16.5.4
About SSO Login Processing with OSSO Agents (mod_osso) and ECC
16.6
Understanding SSO Cookies
16.6.1
About Single Sign-On Cookies During User Login
16.6.2
About Single Sign-On Server and Agent Cookies
16.6.2.1
OAM_ID cookie
16.6.2.2
OAMAuthnCookie for 11g OAM Webgates
16.6.2.3
ObSSOCookie for 10g Webgates
16.6.2.4
OAM_REQ Cookie
16.6.2.5
OAMRequestContext
16.6.2.6
DCCCtxCookie
16.6.2.7
mod_osso Cookies
16.6.2.8
OpenSSO Cookie (iPlanetDirectoryPro)
16.7
Introduction to Configuration Tasks for Single Sign-On
17
Managing Authentication and Shared Policy Components
17.1
Prerequisites
17.2
Introduction to Managing Authentication and Shared Policy Components
17.3
Managing Resource Types
17.3.1
About Resource Types and Their Use
17.3.2
About the Resource Type Page
17.3.3
Searching for a Specific Resource Type
17.3.4
Creating a Custom Resource Type
17.4
Managing Host Identifiers
17.4.1
About Host Identifiers
17.4.1.1
Host Identifier Usage
17.4.1.2
Host Identifier Guidelines
17.4.1.3
Host Identifier Variations
17.4.2
About Virtual Web Hosting
17.4.2.1
Placing a Webgate Behind a Reverse Proxy
17.4.2.2
Configuring Virtual Hosting for Non-Apache Web Servers
17.4.2.3
Associating a Webgate for Apache with Virtual Hosts, Directories, or Files
17.4.3
About the Host Identifier Page
17.4.4
Creating a Host Identifier
17.4.5
Searching for a Host Identifier Definition
17.4.6
Viewing or Editing a Host Identifier Definition
17.4.7
Deleting a Host Identifier Definition
17.5
Understanding Authentication Methods and Credential Collectors
17.5.1
About Different Authentication Methods
17.5.2
Comparing Embedded Credential Collector with Detached Credential Collector
17.5.3
Authentication Event Logging and Auditing
17.6
Managing Native Authentication Modules
17.6.1
About Native Access Manager Authentication Modules
17.6.1.1
Native Kerberos Authentication Module
17.6.1.2
Native LDAP Authentication Modules
17.6.1.3
Native X509 Authentication Module
17.6.2
Viewing or Editing Native Authentication Modules
17.6.3
Deleting a Native Authentication Module
17.7
Orchestrating Multi-Step Authentication with Plug-in Based Modules
17.7.1
Comparing Simple Form and Multi-Factor (Multi-Step) Authentication
17.7.2
About Plug-ins for Multi-Step Authentication Modules
17.7.3
About Plug-in Based Modules for Multi-Step Authentication
17.7.4
Example: Leveraging SubjectAltName Extension Data and Integrating with Multiple OCSP Endpoints
17.7.5
Creating and Orchestrating Plug-in Based Multi-Step Authentication Modules
17.7.6
Creating and Managing Step-Up Authentication
17.8
Deploying and Managing Individual Plug-ins for Authentication
17.8.1
About Managing Your Own Authentication Plug-ins
17.8.2
Making Custom Authentication Plug-ins Available for Use
17.8.3
Checking an Authentication Plug-in's Activation Status
17.8.4
Deleting Your Custom Authentication Plug-ins
17.9
Managing Authentication Schemes
17.9.1
About Authentication Schemes and Pages
17.9.1.1
Pre-configured Authentication Schemes
17.9.1.2
About Challenge Methods
17.9.1.3
About Challenge Parameters for Authentication Schemes
17.9.2
Understanding Multi-Level and Step-Up Authentication
17.9.2.1
About Multi-Level and Step-Up Authentication
17.9.2.2
Detection of Insufficient Authentication Level by OAM Agent
17.9.2.3
Multi-Level Authentication Processing with 10g OSSO Agent
17.9.3
Creating an Authentication Scheme
17.9.4
Searching for an Authentication Scheme
17.9.5
Viewing, Editing, or Deleting an Authentication Scheme
17.10
Configuring Challenge Parameters for Encrypted Cookies
17.10.1
About Challenge Parameters for Encrypted Cookies
17.10.2
Configuring Challenge Parameters for Security of Encrypted Cookies
17.10.3
Setting Challenge Parameters for Persistence of Encrypted Cookies
17.11
Understanding Password Policy
17.11.1
Previewing Oracle-Provided Password Forms and Functionality
17.11.2
Previewing the Password Policy Page in Oracle Access Management Console
17.11.3
About Credential Collectors and Password Policy Validation
17.12
Managing Global Password Policy
17.12.1
Defining Your Global Password Policy
17.12.2
Designating the Default Store for Your Password Policy
17.12.3
Adding Key Password Attributes to the Default Store
17.12.3.1
About Extending the Default Store Schema
17.12.3.2
Extending the Default Store Schema with Password Policy Attributes
17.12.4
Adding an Administrator to Change User Attributes After a Password Change
17.13
Configuring Password Policy Authentication
17.13.1
Configuring the Password Policy Validation Authentication Module
17.13.2
Configuring the PasswordPolicyValidationScheme
17.13.3
Adding Your PasswordPolicyValidationScheme to ECC Authentication Policy
17.14
Configuring 11g Webgate and Authentication Policy for DCC
17.14.1
Enabling DCC Credential Operations
17.14.2
Locating and Updating DCC Forms for Password Policy
17.14.3
Adding PasswordPolicyValidationScheme to Authentication Policy for DCC
17.15
Completing Password Policy Configuration
17.15.1
Setting the Error Message Mode for Password Policy Messages
17.15.2
Overriding Native LDAP Password Policy Validation
17.15.3
Disabling ECC Operation and Using DCC Exclusively
17.15.4
Testing Your Multi-Step Authentication
17.16
Configuring Authentication POST Data Handling
17.16.1
About Authentication Post Data Preservation and Restoration
17.16.2
About Configuring Authentication POST Data Handling
17.16.3
About Post Data Size Limits
17.16.4
Configuring Authentication POST Data Handling
17.16.5
Testing POST Data Handling Configuration
17.17
Long URL Handling During Authentication
17.17.1
About Long URLs and Authentication Handling
17.17.2
About Configuring Long URL Handling
18
Managing Policies to Protect Resources and Enable SSO
18.1
Prerequisites
18.2
Introduction to Application Domain and Policy Creation
18.2.1
About Automatic Application Domain and Policy Generation
18.2.2
About Manually Creating Application Domains and Policies
18.2.3
About Remote Policy Creation and Updates
18.2.4
About Creating or Managing an Application Domain and Policies
18.3
Understanding Application Domain and Policy Management Using the Console
18.3.1
About Application Domain Pages and Navigation
18.3.2
About the Application Domain Summary Page
18.3.3
About the Resource Container in an Application Domain
18.3.4
About Authentication Policy Pages
18.3.5
About Authorization Policy Pages
18.3.6
About Token Issuance Policy Pages
18.4
Managing Application Domains and Policies Using the Console
18.4.1
About Application Domains Summary Page
18.4.2
Creating a Fresh Application Domain Using the Console
18.4.3
Searching for an Existing Application Domain
18.4.4
Viewing or Editing an Application Domain by Using the Oracle Access Management Console
18.4.5
Deleting an Application Domain and Its Content
18.5
Adding and Managing Resource Definitions to be Added to Policies
18.5.1
About Defining Resources in an Application Domain
18.5.1.1
About the Resource Type in a Resource Definition
18.5.1.2
About the Host Identifier in a Resource Definition
18.5.1.3
About the Resource URL, Prefixes, and Patterns
18.5.1.4
About Query String Name and Value Parameters for Resource Definitions
18.5.1.5
About Literal Query Strings in Resource Definitions
18.5.1.6
About Run Time Resource Evaluation
18.5.2
Defining Resources in an Application Domain
18.5.3
Searching for a Resource Definition
18.5.3.1
About Searching for a Specific Resource Definition
18.5.3.2
Searching for a Specific Resource Definition
18.5.4
Viewing, Editing, or Deleting a Resource Definition
18.6
Defining Authentication Policies for Specific Resources
18.6.1
About the Authentication Policy Page
18.6.1.1
About Resources in an Authentication Policy
18.6.2
Creating an Authentication Policy for Specific Resources
18.6.3
Searching for an Authentication Policy
18.6.4
Viewing or Editing an Authentication Policy
18.6.5
Deleting an Authentication Policy
18.7
Defining Authorization Policies for Specific Resources
18.7.1
About Authorization Policies for Specific Resources
18.7.2
Creating an Authorization Policy and Specific Resources
18.7.3
Searching for an Authorization Policy
18.7.4
Viewing or Editing an Authorization Policy and Resources
18.7.5
Deleting an Entire Authorization Policy
18.8
Introduction to Policy Responses for SSO
18.8.1
About Authentication and Authorization Policy Responses for SSO
18.8.2
About the Policy Response Language
18.8.3
About the Namespace and Variable Names for Policy Responses
18.8.4
About Constructing a Policy Response for SSO
18.8.4.1
Simple Responses
18.8.4.2
Compound and Complex Responses
18.8.5
About Policy Response Processing
18.8.6
About Assertion Claims and Processing
18.9
Adding and Managing Policy Responses for SSO
18.9.1
Adding a Policy Response for SSO
18.9.2
Viewing, Editing, or Deleting a Policy Response for SSO
18.10
Introduction to Authorization Policy Rules and Conditions
18.10.1
About Allow or Deny Rules
18.10.2
About Authorization Policy Conditions
18.10.3
About Classifying Users and Groups for Conditions
18.10.4
Guidelines for Authorization Responses Based on Conditions
18.11
Defining Authorization Policy Conditions
18.11.1
Choosing a Condition Type
18.11.1.1
About Choosing a Condition Type
18.11.1.2
Choosing a Condition Type
18.11.2
Defining Identity Conditions
18.11.2.1
About Identity Conditions
18.11.2.2
Specifying Identity Type Conditions
18.11.3
Defining IP4 Range Conditions
18.11.3.1
About IP4 Range Condition Types
18.11.3.2
Defining IP4 Range Conditions
18.11.4
Defining Temporal Conditions
18.11.4.1
About Temporal Conditions
18.11.4.2
Defining Temporal Conditions
18.11.5
Defining Attribute Conditions
18.11.5.1
About Attribute Conditions
18.11.5.2
Defining Attribute Type Conditions
18.11.6
Viewing, Editing, or Deleting Authorization Policy Conditions
18.12
Defining Authorization Policy Rules
18.12.1
About Defining Rules in an Authorization Policy
18.12.2
About Expressions and Expression-Based Policy Evaluation
18.12.2.1
Expression Evaluation in Authorization Rules
18.12.3
Defining Rules in an Authorization Policy
18.13
Validating Authentication and Authorization in an Application Domain
18.14
Understanding Remote Policy and Application Domain Management
18.14.1
About Managing Policies Remotely
18.14.2
About the Create Policy Request Template
18.14.3
About the Update Policy Request Template
18.14.4
About Remote Policy Management and Templates
18.15
Managing Policies and Application Domains Remotely
19
Validating Connectivity and Policies Using the Access Tester
19.1
Prerequisites
19.2
Introduction to the Access Tester for Access Manager 11g
19.2.1
About OAM Agent and Server Interoperability
19.2.2
About Access Tester Security and Processing
19.2.3
About Access Tester Modes and Administrator Interactions
19.3
Installing and Starting the Access Tester
19.3.1
Installing the Access Tester
19.3.2
About Access Tester Supported System Properties
19.3.3
Starting the Tester Without System Properties For Use in Tester Console Mode
19.3.4
Starting the Access Tester with System Properties For Use in Command Line Mode
19.3.4.1
About the Access Tester Command Line Mode
19.3.4.2
Starting the Access Tester with System Properties
19.4
Introduction to the Access Tester Console and Navigation
19.4.1
Access Tester Menus and Command Buttons
19.5
Testing Connectivity and Policies from the Access Tester Console
19.5.1
Establishing a Connection Between the Access Tester and the OAM Server
19.5.1.1
About the Connection Panel
19.5.1.2
Connecting the Access Tester with the OAM Server
19.5.2
Validating Resource Protection from the Access Tester Console
19.5.2.1
About the Protected Resource URI Panel
19.5.2.2
Validating Resource Protection
19.5.3
Testing User Authentication from the Access Tester Console
19.5.3.1
About the User Identity Panel
19.5.3.2
Testing User Credential Authentication
19.5.4
Testing User Authorization from the Access Tester Console
19.5.5
Observing Request Latency
19.6
Creating and Managing Test Cases and Scripts
19.6.1
About Test Cases and Test Scripts
19.6.2
Capturing Test Cases
19.6.3
Generating an Input Test Script
19.6.3.1
About Generating an Input Test Script
19.6.3.2
Generating an Input Test Script
19.6.4
Personalizing an Input Test Script
19.6.4.1
About Customizing a Test Script
19.6.4.2
Customizing a Test Script
19.6.5
Executing a Test Script
19.6.5.1
About Test Script Execution
19.6.5.2
Running a Test Script
19.7
Evaluating Scripts, Log File, and Statistics
19.7.1
About Evaluating Test Results
19.7.2
About the Saved Connection Configuration File
19.7.3
About the Generated Input Test Script
19.7.4
About the Target Output File Containing Test Run Results
19.7.5
About the Statistics Document
19.7.6
About the Execution Log
20
Configuring Centralized Logout for Sessions Involving 11g Webgates
20.1
Prerequisites
20.2
Introduction to Centralized Logout for Access Manager 11g
20.2.1
About Centralized Logout for 11g Webgates
20.2.2
About Logout Parameters for 11g Webgates
20.3
Configuring Centralized Logout for 11g Webgates
20.3.1
Configuring Centralized Logout for 11g Webgates When the ECC is Used
20.3.2
Configuring Logout When Using Detached Credential Collector-Enabled Webgate
20.4
Validating Global Sign-On and Centralized Logout
20.4.1
Confirming Global Sign-On
20.4.2
Validating Global Sign-On with Mixed Agent Types
20.4.3
Observing Centralized Logout
Part VI Registering and Using Legacy Agents with Access Manager
21
Registering and Managing Legacy OpenSSO Agents
21.1
Introduction to OpenSSO, Agents, Migration and Co-existence
21.1.1
About Migration and Co-existence Between OpenSSO and Access Manager
21.1.2
About OpenSSO Agent Reliance on Access Manager
21.2
Runtime Processing Between OpenSSO Agents and Access Manager
21.3
Understanding OpenSSO Agent Registration Parameters
21.3.1
About OpenSSO Agent Registration Parameters
21.3.2
About the Expanded OpenSSO Agent Page and Parameters
21.4
Registering and Managing OpenSSO Agents Using the Console
21.4.1
Registering an OpenSSO Agent using the Oracle Access Management Console
21.4.2
Configuring and Managing Registered OpenSSO Agents Using the Console
21.5
Performing Remote Registration for OpenSSO Agents
21.5.1
Understanding Request Templates for OpenSSO Agent Remote Registration
21.5.2
Reviewing OpenSSO Bootstrap Configuration Mappings
21.5.3
Performing In-Band Remote Registration with OpenSSO Agents
21.5.4
Performing Out-of-Band Remote Registration with OpenSSO Agents
21.6
Updating Registered OpenSSO Agents Remotely
21.6.1
Updating OpenSSO Agents Remotely
21.7
Locating Other OpenSSO Agent Information
22
Registering and Managing Legacy OSSO Agents
22.1
Understanding OSSO Agents with Access Manager
22.1.1
About OSSO Agents with Access Manager
22.1.2
Comparing Access Manager 11g SSO versus OSSO 10g
22.2
Registering OSSO Agents Using Oracle Access Management Console
22.2.1
Understanding the Create OSSO Agent Registration Page and Parameters
22.2.2
Registering an OSSO Agent (mod_osso) Using the Console
22.3
Configuring and Managing Registered OSSO Agents Using the Console
22.3.1
Understanding the Expanded OSSO Agent Page in the Console
22.3.2
Searching for an OSSO Agent (mod_osso) Registration
22.3.3
Viewing or Editing OSSO Agent (mod_osso) Registration
22.3.4
Deleting an OSSO Agent (mod_osso) Registration
22.4
Performing Remote Registration for OSSO Agents
22.4.1
Understanding Request Templates for OSSO Remote Registration
22.4.2
Performing In-Band Remote Registration of OSSO Agents
22.4.3
Performing Out-of-Band Remote Registration for OSSO Agents
22.5
Updating Registered OSSO Agents Remotely
22.6
Configuring Logout for OSSO Agents with Access Manager 11.1.2
22.6.1
About Centralized Logout with OSSO Agents (mod_OSSO) and Access Manager
22.6.2
Removing Custom mod_osso Cookies on Logout
22.7
Locating Other OSSO Agent Information
23
Registering and Managing 10g Webgates with Access Manager 11g
23.1
Prerequisites
23.2
Introduction to 10g OAM Agents for Access Manager 11g
23.2.1
About IAMSuiteAgent: A Pre-Configured 10g Webgate Registered with Access Manager
23.2.2
About Legacy Oracle Access Manager 10g Deployments and Webgates
23.2.3
About Installing Fresh 10g Webgates to Use With Access Manager 11.1.2
23.2.4
About Centralized Logout with 10g OAM Agents and 11g OAM Servers
23.3
Comparing Access Manager 11.1.2 and 10g
23.3.1
Comparing Access Manager 11g versus 10g
23.3.2
Comparing Access Manager 11g versus 10g Policy Model
23.4
Configuring Centralized Logout for IAMSuiteAgent
23.5
Registering a 10g Webgate with Access Manager 11g Remotely
23.6
Managing 10g OAM Agents Remotely
23.7
Locating and Installing the Latest 10g Webgate for Access Manager 11g
23.7.1
Preparing for a Fresh 10g Webgate Installation with Access Manager 11g
23.7.2
Locating and Downloading 10g Webgates for Use with Access Manager 11g
23.7.3
Starting Webgate 10g Installation
23.7.4
Specifying a Transport Security Mode
23.7.5
Requesting or Installing Certificates for Secure Communications
23.7.6
Specifying Webgate Configuration Details
23.7.7
Updating the Webgate Web Server Configuration
23.7.7.1
Manually Configuring Your Web Server
23.7.8
Finishing Webgate Installation
23.7.9
Installing Artifacts and Certificates
23.7.10
Confirming Webgate Installation
23.8
Configuring Centralized Logout for 10g Webgate with 11g OAM Servers
23.8.1
About Centralized Logout Processing for 10g Webgate with 11g OAM Server
23.8.2
About the Centralized Logout Script for 10g Webgates with 11g OAM Servers
23.8.3
Configuring Centralized Logout for 10g Webgates with Access Manager
23.9
Removing a 10g Webgate from the Access Manager 11g Deployment
24
Configuring Apache, OHS, IHS for 10g Webgates
24.1
Prerequisites
24.2
About Oracle HTTP Server and Access Manager
24.3
About Access Manager with Apache and IHS v2 Webgates
24.3.1
About the Apache HTTP Server
24.3.2
About the IBM HTTP Server
24.3.3
About the Apache and IBM HTTP Reverse Proxy Server
24.4
About Apache v2 Architecture and Access Manager
24.5
Requirements for Oracle HTTP Server, IHS, Apache v2 Web Servers
24.5.1
Requirements for IHS2 Web Servers
24.5.2
Requirements for Apache and IHS v2 Reverse Proxy Servers
24.5.3
Requirements for Apache v2 Web Servers
24.6
Preparing Your Web Server
24.6.1
Preparing the IHS v2 Web Server
24.6.1.1
Preparing the Host for IHS v2 Installation
24.6.1.2
Installing the IBM HTTP Server v2
24.6.1.3
Setting Up SSL-Capability
24.6.1.4
Starting a Secure Virtual Host
24.6.2
Preparing Apache and Oracle HTTP Server Web Servers on Linux
24.6.3
Preparing Oracle HTTP Server Web Servers on Linux and Windows Platforms
24.6.4
Setting Oracle HTTP Server Client Certificates
24.6.5
Preparing the Apache v2 Web Server on UNIX
24.6.6
Preparing the Apache v2 SSL Web Server on AIX
24.6.7
Preparing the Apache v2 Web Server on Windows
24.7
Activating Reverse Proxy for Apache v2 and IHS v2
24.7.1
Activating Reverse Proxy For Apache v2 Web Servers
24.7.2
Activating Reverse Proxy For IHS v2 Web Servers
24.8
Verifying httpd.conf Updates for Webgates
24.8.1
Verifying Webgate Details
24.8.2
Verifying Language Encoding
24.9
Tuning Oracle HTTP Server Webgates for Access Manager
24.10
Tuning OHS/Apache Prefork and MPM Modules for OAM
24.10.1
Tuning Oracle HTTP Server/Apache Prefork Module
24.10.2
Tuning Oracle HTTP Server/Apache MPM Module
24.10.3
Kernel Parameters Tuning
24.11
Starting and Stopping Oracle HTTP Server Web Servers
24.12
Tuning Apache/IHS v2 Webgates for Access Manager
24.13
Removing Web Server Configuration Changes After Uninstall
24.14
Helpful Information
25
Configuring the ISA Server for 10g Webgates
25.1
Prerequisites
25.2
About Access Manager and the ISA Server
25.3
Compatibility and Platform Support
25.4
Installing and Configuring Webgate for the ISA Server
25.4.1
Installing Webgate with ISA Server
25.4.2
Changing /access Directory Permissions
25.5
Configuring the ISA Server for the ISAPI Webgate
25.5.1
Registering Access Manager Plug-ins as ISA Server Web Filters
25.5.2
Configuring ISA Firewall Policies for ISA Web Filters
25.5.3
Ordering the ISAPI Filters
25.6
Starting, Stopping, and Restarting the ISA Server
25.7
Removing Access Manager Filters Before Webgate Uninstall on ISA Server
26
Configuring the IIS Web Server for 10g Webgates
26.1
Prerequisites
26.2
Webgate Guidelines for IIS Web Servers
26.2.1
Guidelines for ISAPI Webgates
26.2.1.1
Webgates for IIS v7
26.2.1.2
Webgates for IIS v6
26.2.1.3
Multiple Webgates with a Single IIS 6 Instance
26.3
Prerequisite for Installing Webgate for IIS 7
26.3.1
Prerequisite for Installing Any 10g Webgate for IIS 7
26.3.2
Prerequisite for Installing a 32-bit Webgate for IIS 7
26.4
Updating IIS 7 Web Server Configuration on Windows 2008
26.5
Completing Webgate Installation with IIS
26.5.1
Enabling Client Certificate Authentication on the IIS Web Server
26.5.2
Ordering the ISAPI Filters
26.5.3
Enabling Pass-Through Functionality for POST Data
26.5.3.1
About ISAPI Webgate 10.1.4.2.3
26.5.3.2
About Pass-Through Functionality for POST Data
26.5.3.3
Implementing Pass-Through: IIS 6.0 in Worker Process Isolation Mode
26.5.3.4
Implementing Pass-Through with IIS 6.0 Web Server in IIS 5.0 Isolation Mode
26.5.4
Protecting a Web Site When the Default Site is Not Set Up
26.6
Installing and Configuring Multiple 10g Webgates for a Single IIS 7 Instance
26.6.1
Installing Each IIS 7 Webgate in a Multiple Webgate Scenario
26.6.2
Setting the Impersonation DLL for Multiple IIS 7 Webgates
26.6.3
Enabling Client Certification for Multiple IIS 7 Webgates
26.6.4
Configuring IIS 7 Webgates for Pass Through Functionality
26.6.5
Confirming IIS 7 Webgate Installation
26.7
Installing and Configuring Multiple Webgates for a Single IIS 6 Instance
26.7.1
Installing Each Webgate in a Multiple Webgate Scenario
26.7.2
Setting the Impersonation DLL for Multiple Webgates
26.7.3
Enabling SSL and Client Certification for Multiple Webgates
26.7.4
Confirming Multiple Webgate Installation
26.8
Finishing 64-bit Webgate Installation
26.8.1
Setting Access Permissions, ISAPI filters, and Directory Security Authentication
26.8.2
Setting Client Certificate Authentication
26.9
Confirming Webgate Installation on IIS
26.10
Starting, Stopping, and Restarting the IIS Web Server
26.11
Removing Web Server Configuration Changes Before Uninstall
27
Configuring Lotus Domino Web Servers for 10g Webgates
27.1
Prerequisites
27.2
Installing the Domino Web Server
27.3
Setting Up the First Domino Web Server
27.4
Starting the Domino Web Server
27.5
Enabling SSL (Optional)
27.6
Installing a Domino Security (DSAPI) Filter
27.6.1
Completing the Webgate Installation
Part VII Managing Oracle Access Management Identity Federation
28
Introduction to Identity Federation in Oracle Access Management
28.1
Identity Federation with Oracle Access Management
28.1.1
Federated SSO in Oracle Access Management
28.1.2
Benefits of using Identity Federation 11.1.2 with Access Manager
28.1.3
Key Elements of Access Manager with Identity Federation
28.1.4
Key Features
28.1.4.1
Operational Modes
28.1.4.2
Supported Protocols
28.1.4.3
Supported Data Stores
28.1.4.4
User Mapping
28.1.4.5
Multi-Tenant Support
28.1.4.6
Platform Dependencies
28.1.5
Administration
28.2
Introduction to Identity Federation within Oracle Access Management Console
28.3
Managing the Federation Service
29
Managing Partners for Identity Federation Using Oracle Access Management Console
29.1
Prerequisites
29.2
Introduction to Managing Federation Partners
29.3
Managing Identity Provider Partners for Federation
29.3.1
Creating Federation Identity Providers
29.3.2
Managing Identity Providers for Federation
30
Managing Settings for Identity Federation Using Oracle Access Management Console
30.1
Prerequisites
30.2
Introduction to Federation Settings in Oracle Access Management Console
30.3
Managing General Federation Settings
30.3.1
About Managing General Federation Settings
30.3.2
Managing General Federation Settings
30.4
Managing Proxy Settings for Federation in Oracle Access Management Console
30.4.1
About Proxy Settings for Federation
30.4.2
Managing Proxy Settings for Identity Federation
30.5
Defining Keystore Settings for Federation in Oracle Access Management Console
30.5.1
About Managing Keystore Settings for Identity Federation
30.5.2
Managing Identity Federation Encryption/Signing Keys
30.5.2.1
Resetting the System (.oamkeystore) and Trust (amtruststore) Keystore Password
30.5.2.2
Adding a New Key Entry to the System Keystore (.oamkeystore)
30.6
Exporting Metadata
31
Managing Federation-related Schemes and Policies Using Oracle Access Management Console
31.1
Prerequisites
31.2
Introduction to Using Identity Federation and Access Manager in Concert Together
31.3
Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.1)
31.3.1
About Scheme FederationScheme
31.3.2
About Module FederationPlugin
31.3.3
Managing Authentication with Identity Federation in 11g Release 2
31.4
Using Authentication Schemes and Modules for Oracle Identity Federation 11g Release 1
31.4.1
About Scheme OIFScheme
31.4.2
About Module OIFMTLDAPPlugin
31.4.3
Managing Authentication with Oracle Identity Federation Release 11gR1
31.5
Managing Access Manager Policies for Use with Identity Federation
31.5.1
About Policy Responses with Assertion Attributes for Identity Federation
31.5.2
Defining Policy Responses with Assertion Attributes for Identity Federation
31.6
Testing Identity Federation Configuration
31.7
Using the Default Identity Provisioning Plug-in
31.7.1
Why Use a Provisioning Plug-in?
31.7.2
About the Default Provisioning Plug-in
31.7.3
Using the Default Provisioning Plug-in
31.7.4
Switching to a Custom Provisioning Plug-in
31.8
Configuring the Identity Provider Discovery Service
31.8.1
Using the Bundled IdP Discovery Service
31.8.2
Creating a custom IdP Discovery Service
31.8.3
Disabling the use of an IdP Discovery Service
31.9
Configuring the Federation User Self-Registration Module
Part VIII Managing Oracle Access Management Security Token Service
32
Security Token Service Implementation Scenarios
32.1
Prerequisites
32.2
Typical Token Ecosystem
32.3
Scenario: Identity Propagation with the Access Manager Token
32.3.1
Component Processing: Identity Propagation with the OAM Token
32.3.2
Request Security Token Attributes and Run Time Processing
32.3.3
Configuration Requirements: Identity Propagation with the OAM Token
32.3.4
Testing Your Implementation
32.4
Scenario: Web Service Security With On Behalf Of Username Token
32.4.1
Component interactions for Identity Propagation with Username Token
32.4.2
RST Attributes and Processing for Identity Propagation with a Username Token
32.4.3
Configuration Requirements: Identity Propagation with the Username Token
33
Managing Security Token Service Settings and Set Up
33.1
Prerequisites
33.2
Introduction to Security Token Service Configuration
33.2.1
Post-Installation Configuration
33.2.2
About OAM Servers and Security Token Service
33.2.3
About Security Token Service Clients
33.2.4
About Agents and Security Token Service
33.2.5
About Security Token Service End Points and Policies
33.3
Enabling and Disabling Security Token Service
33.3.1
About Security Token Service and the Oracle Access Management Console
33.3.1.1
About Security Token Service Administrators
33.3.1.2
About Logging In To, and Signing Out Of, Security Token Service
33.3.2
About Enabling Services for Security Token Service
33.3.3
Enabling and Disabling Services for Security Token Service
33.4
Defining Security Token Service Settings Using Oracle Access Management Console
33.4.1
About Security Token Service Settings
33.4.2
Managing Security Token Service Settings
33.5
Using and Managing WSS Policies for Oracle WSM Agents
33.5.1
Using and Modifying Oracle Workspace Studio Policies
33.5.2
Managing WSS Policies for Security Token Service: Classpath
33.5.3
Managing WSS Policies for Security Token Service: Oracle WSM Policy Manager
33.6
Configuring OWSM for WSS Protocol Communication
33.6.1
About Oracle WSM Agent WS-Security Policies for Security Token Service
33.6.2
Retrieving the Oracle WSM Keystore Password
33.6.3
Extracting the Oracle STS/Oracle WSM Signing and Encryption Certificate
33.6.4
Adding Trusted Certificates to the Oracle WSM Keystore
33.6.5
Validating Trusted Certificates in the Oracle WSM Keystore
33.6.6
Configuring Oracle WSM Agent for WSS Kerberos Policies
33.7
Managing and Migrating Security Token Service Policies
33.7.1
About Managing and Migrating Security Token Service Policies
33.7.2
Managing Security Token Service Policies
33.7.3
Migrating Security Token Service Policies
33.8
Introduction to Logging Security Token Service Messages
33.9
Introduction to Auditing for Security Token Service
33.9.1
About Security Token Service Audit Record Storage
33.9.2
About Audit Reports and Oracle Business Intelligence Publisher
33.9.3
About the Audit Log
33.9.4
About Auditing Security Token Service Events
34
Managing Security Token Service Certificates and Keys
34.1
Prerequisites
34.2
Introduction to Certificates and Keys for Security Token Service
34.2.1
About Keystores and Security Token Service
34.2.2
About the Oracle Web Services Manager Keystore (default-keystore.jks)
34.2.3
About Using the OPSS Keystore for Requester Certificates
34.3
Managing Security Token Service Encryption/Signing Keys
34.3.1
Resetting System Keystore (.oamkeystore) and Trust Keystore (amtruststore) Password
34.3.2
Adding a New Key Entry to the System Keystore (.oamkeystore)
34.3.2.1
Adding a New Entry
34.3.2.2
Configuring a SAML Issuance Template to use a Signing Key
34.3.2.3
Setting the Default Encryption Key
34.3.3
Extracting a Security Token Service Certificate
34.3.3.1
Using the Certificate Retrieval Service
34.4
Managing Partner Keys for WS-Trust Communications
34.4.1
About Partner Certificates
34.4.2
About Downloading the Relying Party's Certificate at Run Time
34.4.3
Setting the Partner's Signing or Encryption Certificate
34.5
Managing Certificate Validation
34.5.1
Managing the Trust Anchors Store (amtruststore)
34.5.2
Managing Certificate Revocation Lists
34.5.3
Using a Custom Trust Anchor Store for Security Token Service
35
Managing Templates, Endpoints, and Policies
35.1
Prerequisites
35.2
Introduction
35.3
Searching for an Existing Template
35.3.1
About Template Search Controls
35.3.2
Searching For a Template
35.4
Managing Token Issuance Templates
35.4.1
About Managing Token Issuance Templates
35.4.2
Managing a Token Issuance Template
35.5
Managing Token Validation Templates
35.5.1
About Managing Token Validation Templates
35.5.2
Managing Token Validation Templates
35.6
Managing Security Token Service Endpoints
35.6.1
About Managing Endpoints
35.6.2
Managing EndPoints
35.7
Managing Token Issuance Policies, Conditions, and Rules
35.7.1
About Token Issuance Policies
35.7.2
About Managing Token Issuance Conditions and Rules
35.7.3
Managing Token Issuance Policies and Conditions
35.8
Managing TokenServiceRP Type Resources
35.8.1
About Managing TokenServiceRP Type Resources in Access Manager
35.8.2
Managing TokenServiceRP Type Resources in Application Domains
35.9
Making Custom Classes Available
35.9.1
About Making Classes Available
35.9.2
About Narrowing a Search for Custom Tokens
35.9.3
Managing Custom Tokens
35.10
Managing a Custom Security Token Service Configuration
35.10.1
Creating the Validation Template
35.10.2
Creating the Issuance Template for a Custom Token
35.10.3
Adding the Custom Token to a Requester Profile
35.10.4
Adding the Custom Token to the Relying Party Profile
35.10.5
Mapping the Token to a Requestor
35.10.6
Creating a /wssuser EndPoint
36
Managing Token Service Partners and Partner Profiles
36.1
Prerequisites
36.2
Introduction to Token Service Partners and Partner Profiles
36.2.1
About Token Service Partners
36.2.2
About Partner Profiles
36.2.2.1
About Partner Entries
36.2.2.2
About Partner Profile Data
36.3
Managing Token Service Partners
36.3.1
About Managing Token Service Partners
36.3.2
Managing a Token Service Partner
36.3.3
Refining Partner Searches
36.4
Managing Token Service Partner Profiles
36.4.1
About Managing Partner Profiles
36.4.2
Managing a Token Service Partner Profile
36.4.3
Refining a Profile Search
37
Troubleshooting Security Token Service
37.1
Authorization Issues
37.2
Endpoint Issues
37.3
Mapping Operation Issues
Part IX Managing Oracle Access Management Mobile and Social
38
Understanding Mobile and Social
38.1
Introducing Mobile and Social
38.1.1
Deploying Mobile and Social
38.1.2
Installing Mobile and Social
38.2
Understanding Mobile Services
38.2.1
Introducing Authentication Services and Authorization Services
38.2.2
Introducing User Profile Services
38.2.3
Introducing Mobile Single Sign-on (SSO) Capabilities
38.2.4
Introducing the Mobile and Social Mobile Services Client SDK
38.3
Understanding the Mobile Services Processes
38.3.1
Registering a Mobile Device With User Authentication
38.3.2
Authenticating a User With a Registered Device
38.3.3
Using REST Calls for User Authentication
38.3.4
Authenticating the User With a Mobile Browser-Based Web App
38.4
Using Mobile Services
38.4.1
Protecting the Mobile Client Registration Endpoint
38.4.2
Exchanging Credentials
38.4.3
Protecting User Profile Services And Authorization Services
38.4.4
Using Mobile Services with Oracle Access Manager
38.4.5
Using Mobile Services with Oracle Adaptive Access Manager Services
38.5
Understanding Internet Identity Services
38.6
Understanding Internet Identity Services Processes
38.6.1
Authenticating a Returning User With a Local Account
38.6.2
Authenticating a New User With No Local Account
38.6.3
Using OAuth For Access Token Retrieval
38.6.4
Authenticating a User With Access Manager and Internet Identity Services
38.6.5
Authenticating a User Locally
38.7
Using Internet Identity Services
38.7.1
Using Internet Identity Services With Oracle Access Manager
38.7.2
Using Internet Identity Services With Mobile Services
38.7.3
Using the Internet Identity Services SDK
39
Configuring Mobile Services
39.1
Navigating the Mobile Services Graphical User Interface
39.2
Understanding Mobile Services Configuration
39.2.1
Understanding Service Providers
39.2.2
Understanding Service Profiles
39.2.3
Understanding Security Handler Plug-ins
39.2.4
Understanding Application Profiles
39.2.5
Understanding Service Domains
39.3
Defining Service Providers
39.3.1
Defining, Modifying or Deleting an Authentication Service Provider
39.3.1.1
Understanding the Pre-Configured Authentication Service Providers
39.3.1.2
Creating an Authentication Service Provider
39.3.1.3
Editing or Deleting an Authentication Service Provider
39.3.1.4
Creating a JWT-OAM Token Authentication Service Provider
39.3.2
Defining, Modifying or Deleting an Authorization Service Provider
39.3.2.1
Creating an Authorization Service Provider
39.3.2.2
Editing or Deleting an Authorization Service Provider
39.3.2.3
Understanding the Pre-Configured Authorization Service Provider
39.3.3
Defining, Modifying or Deleting a User Profile Service Provider
39.3.3.1
Creating a User Profile Service Provider
39.3.3.2
Editing or Deleting a User Profile Service Provider
39.3.3.3
Understanding the Pre-Configured User Profile Service Provider
39.4
Defining Service Profiles
39.4.1
Defining, Modifying and Deleting an Authentication Service Profile
39.4.1.1
Creating an Authentication Service Profile
39.4.1.2
Editing or Deleting an Authentication Service Profile
39.4.2
Defining, Modifying and Deleting an Authorization Service Profile
39.4.2.1
Creating an Authorization Service Profile
39.4.2.2
Editing or Deleting an Authorization Service Profile
39.4.3
Defining, Modifying and Deleting a User Profile Service Profile
39.4.3.1
Creating a User Profile Service Profile
39.4.3.2
Editing or Deleting a User Profile Service Profile
39.5
Defining Security Handler Plug-ins
39.5.1
Creating a Security Handler Plug-in
39.5.2
Editing or Deleting a Security Handler Plug-in
39.5.3
Device Fingerprinting and Device Profile Attributes
39.6
Defining Application Profiles
39.6.1
Creating an Application Profile
39.6.2
Editing or Deleting an Application Profile
39.7
Defining Service Domains
39.7.1
Creating a Service Domain
39.7.2
Editing or Deleting a Service Domain
39.8
Using the Jail Breaking Detection Policy
39.8.1
Adding a New Jail Breaking Detection Policy
39.8.2
Editing the Jail Breaking Detection Policy
39.9
Configuring Mobile Services with Other Oracle Products
39.9.1
Configuring Mobile Services for Access Manager
39.9.1.1
Configuring Mobile Services to Work With Access Manager in Simple and Certificate Mode
39.9.1.2
Configuring an Authentication Service Provider for Remote Oracle Access Manager Server 10g
39.9.1.3
Configuring an Authentication Service Provider for Remote Access Manager 11gR2 or Oracle Access Manager 11gR1 PS1
39.9.2
Configuring Mobile Services for Oracle Adaptive Access Manager
39.9.2.1
Understanding OAAM Support in Mobile and Social
39.9.2.2
Configuring the WebLogic Administration Domain
39.9.2.3
Configuring OAAM if Social Identity Authentication is Enabled in Mobile Services
39.9.2.4
Setting up a Lost or Stolen Device Rule
39.9.2.5
Configuring Blacklisted Devices and Applications
39.9.2.6
Understanding the OAAM Sessions for Mobile Applications
39.9.2.7
Registering Users for OAAM Authentication
40
Configuring Internet Identity Services
40.1
Navigating the Internet Identity Services Graphical User Interface
40.2
Understanding Internet Identity Services Configuration
40.2.1
Understanding Internet Identity Providers
40.2.2
Understanding Service Provider Interfaces
40.2.3
Understanding Application Profiles
40.3
Defining Internet Identity Providers
40.3.1
Creating an Internet Identity Provider
40.3.2
Editing or Deleting an Internet Identity Provider
40.3.3
Generating the Consumer Key and Consumer Secret for OAuth Providers
40.3.3.1
Generating a Consumer Key and Consumer Secret for Facebook
40.3.3.2
Generating a Consumer Key and Consumer Secret for Twitter
40.3.3.3
Generating a Consumer Key and Consumer Secret for LinkedIn
40.3.3.4
Generating a Consumer Key and Consumer Secret for Foursquare
40.3.3.5
Generating a Consumer Key and Consumer Secret for Windows Live
40.3.4
Troubleshooting Facebook Internet Identity Providers
40.3.4.1
Configuring WebLogic Server for Facebook Compatibility
40.3.4.2
Configuring WebLogic Server 10.3.5 and Older for Facebook Compatibility
40.4
Defining Service Provider Interfaces
40.4.1
Creating a Service Provider Interface
40.4.2
Editing or Deleting a Service Provider Interface
40.4.3
Adding a Custom Service Provider Interface Implementation
40.5
Defining Application Profiles
40.5.1
Creating an Application Profile
40.5.2
Editing or Deleting an Application Profile
40.6
Integrating Internet Identity Services With Mobile Applications
40.7
Linking Internet Identity Provider Accounts
40.7.1
Using Internet Identity Provider Account Linking
40.7.2
Configuring Internet Identity Provider Account Linking
41
Configuring Mobile and Social System Settings
41.1
Accessing the Mobile and Social Settings Interface
41.2
Logging and Auditing
41.3
Deploying Mobile and Social With Oracle Access Manager
41.4
Configuring Mobile and Social After Running Test-to-Production Scripts
41.5
Enabling the REST Client to Specify the Tenant Name
Part X Using Identity Context
42
Using Identity Context
42.1
Introducing Identity Context
42.2
Understanding Identity Context
42.3
Working With the Identity Context Service
42.3.1
Using the Identity Context Dictionary
42.3.2
Understanding Identity Context Runtime
42.4
Using the Identity Context API
42.5
Configuring the Identity Context Service Components
42.5.1
Configuring Oracle Fusion Middleware
42.5.2
Configuring Access Manager
42.5.2.1
Configuring Identity Assertion
42.5.2.2
Configuring Federation Attributes
42.5.2.3
Configuring Session Attributes
42.5.2.4
Configuring Identity Store Attributes
42.5.3
Configuring Oracle Adaptive Access Manager
42.5.3.1
Setting Up Oracle Adaptive Access Manager
42.5.3.2
Configuring Access Manager for OAAM Integration
42.5.3.3
Validating Identity Context Data Published by OAAM
42.5.4
Configuring Web Service Security Manager
42.5.5
Configuring Oracle Entitlements Server
42.5.6
Configuring Oracle Enterprise Single Sign On
42.5.7
Configuring Oracle Access Management Mobile and Social
42.6
Validating Identity Context
Part XI Integrating Access Manager with Other Products
43
Integrating RSA SecurID Authentication with Access Manager
43.1
Introduction to Access Manager and RSA SecurID Authentication
43.2
Components Required for SecurID Authentication
43.2.1
Supported Versions and Platforms
43.2.2
Required RSA Components
43.2.2.1
RSA Authentication Manager
43.2.2.2
RSA SecurID Tokens
43.2.3
Installation and Configuration Requirements
43.3
SecurID Authentication Modes
43.3.1
Standard SecurID Authentication
43.3.2
SecurID Next Tokencode Authentication
43.3.3
SecurID New PIN Authentication
43.4
Configuring Access Manager for RSA SecurID Authentication
43.5
Running a Custom RSA Plug-in
44
Configuring Access Manager for Windows Native Authentication
44.1
What is New in this Release?
44.2
Introduction to Access Manager with Windows Native Authentication
44.2.1
Access Manager WNA Login and Fall Back Authentication
44.2.2
Supported Integration Approaches
44.3
Preparing Your Active Directory/Kerberos Topology
44.4
Performing Oracle-Specific Prerequisite Tasks
44.4.1
Confirming Access Manager Operation
44.5
Enabling the Browser to Return Kerberos Tokens
44.6
Integrating KerberosPlugin with Oracle Virtual Directory
44.6.1
Preparing Oracle Virtual Directory for Integration
44.6.2
Registering Oracle Virtual Directory as the Default Store for WNA
44.6.3
Setting Up Authentication with Access Manager KerberosPlugin and OVD
44.7
Integrating Access Manager KerberosPlugin with Search Failover
44.7.1
Registering Microsoft Active Directory Instances with Access Manager
44.7.2
Setting Up Access Manager KerberosPlugin for ADGCs
44.8
Configuring Access Manager for Windows Native Authentication
44.8.1
Creating the Authentication Scheme for Windows Native Authentication
44.8.2
Configuring Access Manager Policies for Windows Native Authentication
44.8.3
Verifying the Access Manager Configuration File
44.9
Validating WNA with Access Manager-Protected Resources
44.10
Troubleshooting WNA Configuration
44.10.1
Kinit Fails
44.10.2
Unable To Access a Protected Resource Using WNA Authentication Scheme
44.10.3
User Identity Store is Not Active Directory
45
Integrating JBoss with Access Manager
45.1
Introduction to JBoss with Access Manager
45.1.1
About Configuration and Processing by Access Manager JBoss Agent
45.1.2
About Configuration and Processing by Access Manager Login Module
45.2
Integration Topology
45.2.1
Access Manager JBoss Agent Functionality
45.2.2
Topology: Access Manager with JBoss Agent
45.2.3
Topology: JBoss Agent Behind Web Server Configured with Webgate
45.2.4
Sample Integration Topology
45.3
Preparing Your Environment for JBoss Integration
45.4
Protecting JBoss-Specific Resources
45.4.1
Registering the JBoss Agent with Automatic Policy Creation
45.4.2
Creating a Custom Policy for JBoss Resource Protection
45.5
Protecting Web Applications with the JBoss Agent
45.5.1
Creating Configuration Properties for the JBoss Agent
45.5.2
Configuring the Authentication Valve
45.5.3
Mapping the Filter in the Application's web.xml File
45.5.4
Configuring the JBoss Login Module to Use Access Manager Policies
45.6
Configuring JBoss Server to Access a Host Name (not localhost)
45.7
Configuring the Login Module to Secure EJBs
45.7.1
Configuring the Server to Secure EJBs
45.7.2
Configuring the Client Side to Secure EJBs
45.8
Configuring the Login Module to Secure Web Service Access
45.8.1
Configuring the Server to Secure Web Services Access
45.8.2
Configuring the Client to Secure Web Services Access
45.9
Configuring Logging for the JBoss Agent and Login Module
45.10
Validating Your Configuration
46
Integrating Microsoft SharePoint Server with Access Manager
46.1
What is Supported in this Release?
46.2
Introduction to Integrating with the SharePoint Server
46.2.1
About Windows Impersonation
46.2.2
About Form-based Authentication With This Integration
46.2.3
About Authentication with Windows Impersonation and SharePoint Integration
46.2.4
About Access Manager and Windows Native Authentication
46.3
Integration Requirements
46.3.1
Confirming Requirements
46.3.2
Required Access Manager Components
46.3.3
Required Microsoft Components
46.4
Preparing for Integration with SharePoint Server
46.5
Integrating with Microsoft SharePoint Server
46.5.1
Creating a New Web Application in Microsoft SharePoint Server
46.5.2
Creating a New Site Collection for Microsoft SharePoint Server
46.6
Setting Up Microsoft Windows Impersonation
46.6.1
Creating Trusted User Accounts
46.6.2
Assigning Rights to the Trusted User
46.6.3
Binding the Trusted User to Your WebGate
46.6.4
Adding an Impersonation Response to an Authorization Policy
46.6.5
Adding an Impersonation DLL File to IIS
46.6.6
Testing Impersonation
46.6.6.1
Creating an IIS Virtual Site Not Protected by SharePoint Server
46.6.6.2
Testing Impersonation Using the Event Viewer
46.6.6.3
Testing Impersonation using a Web Page
46.6.6.4
Negative Testing for Impersonation
46.7
Completing the SharePoint Server Integration
46.7.1
Configuring IIS Security
46.8
Integrating with Microsoft SharePoint Server Configured With LDAP Membership Provider
46.8.1
About Integrating with Microsoft SharePoint Server Configured with LDAP Membership Provider
46.8.2
Installing Access Manager for Microsoft SharePoint Server Configured With LDAP Membership Provider
46.8.3
Configuring an Authentication Scheme for Use with LDAP Membership Provider
46.8.4
Updating the Application Domain Protecting the SharePoint Web Site
46.8.5
Creating an Authorization Response for Header Variable SP_SSO_UID
46.8.6
Creating an Authorization Response for the OAMAuthCookie
46.8.7
Configuring and Deploying OAMCustomMembershipProvider
46.8.8
Enabling Logging for CustomMemberShipProvider
46.8.9
Ensuring Directory Servers are Synchronized
46.8.10
Testing the Integration
46.9
Configuring Single Sign-On for Office Documents
46.10
Configuring Single Sign-off for Microsoft SharePoint Server
46.10.1
Configuring a Custom Logout URL in SharePoint Server
46.10.2
Configuring Logout in SharePoint Server with Impersonation
46.11
Setting Up Access Manager and Windows Native Authentication
46.11.1
Setting Up Access Manager WNA
46.11.2
Setting Up WNA with SharePoint Server
46.11.3
Installing Access Manager for WNA and SharePoint Server
46.11.4
Testing Your WNA Implementation
46.12
Synchronizing User Profiles Between Directories
46.13
Testing Your Integration
46.13.1
Testing the SharePoint Server Integration
46.13.2
Testing Single Sign-On for the SharePoint Server Integration
46.14
Troubleshooting
46.14.1
Internet Explorer File Downloads Over SSL Might Not Work
47
Integrating Access Manager with Outlook Web Application
47.1
What is New in This Release?
47.2
Introduction to Integration with Outlook Web Application
47.2.1
About Impersonation Provided by Microsoft Windows
47.2.2
About Access Manager 11g Support for Windows Impersonation
47.2.3
About Single Sign-On for Authenticated Access Manager Users into Exchange
47.2.4
About Confirming Requirements
47.3
Enabling Impersonation With a Header Variable
47.3.1
Requirements for Impersonation with a Header Variable
47.3.2
Creating an Impersonator as a Trusted User
47.3.3
Assigning Rights to the Trusted User
47.3.4
Binding the Trusted User to Your Webgate
47.3.5
Adding an Impersonation Response to An Application Domain
47.3.6
Adding an Impersonation DLL to IIS
47.3.7
Testing Impersonation
47.3.7.1
Creating an IIS Virtual Site
47.3.7.2
Testing Impersonation Using the Event Viewer
47.3.7.3
Testing Impersonation using a Web Page
47.4
Setting Up Impersonation for Outlook Web Application (OWA)
47.4.1
Prerequisites to Setting Impersonation for Outlook Web Application
47.4.2
Creating a Trusted User Account for Outlook Web Application
47.4.3
Assigning Rights to the Outlook Web Application Trusted User
47.4.4
Binding the Trusted Outlook Web Application User to Your Webgate
47.4.5
Adding an Impersonation Action to an Application Domain for Outlook Web Application
47.4.6
Adding an Impersonation dll to IIS
47.4.7
Configuring IIS Security
47.4.8
Testing Impersonation for Outlook Web Application
47.4.8.1
Testing Impersonation Using the Event Viewer
47.4.8.2
Testing Impersonation using a Web Page
47.4.8.3
Negative Testing for Impersonation
47.5
Setting Up Access Manager WNA for Outlook Web Application
48
Integrating Microsoft Forefront Threat Management Gateway 2010 with Access Manager
48.1
What is New in This Release?
48.2
Introduction to Integration with TMG Server 2010
48.2.1
About This Integration
48.2.2
About Confirming Certification Requirements
48.3
Creating a Forefront TMG Policy and Rules
48.3.1
Creating a Custom Policy for Forefront TMG
48.3.2
Creating a Forefront TMG Firewall Policy Rule
48.3.3
Verifying Forefront TMG Proxy Configuration
48.4
Installing and Configuring 10g Webgate for Forefront TMG Server
48.4.1
Installing 10g Webgate with TMG Server
48.4.2
Changing /access Directory Permissions
48.5
Configuring the TMG 2010 Server for the ISAPI 10g Webgate
48.5.1
Registering Access Manager Plug-ins as TMG Server Web Filters
48.5.2
Ordering the ISAPI Filters
48.5.3
Verifying Form-based Authentication
48.6
Starting, Stopping, and Restarting the TMG Server
48.7
Removing Access Manager Filters Before Webgate Uninstall on TMG Server
48.8
Troubleshooting
49
Integrating Access Manager 11.1.2 with SAP NetWeaver Enterprise Portal
49.1
What is New in This Release?
49.2
Supported Versions and Platforms
49.3
Integration Architecture
49.3.1
Process Overview: Integration with SAP NetWeaver Enterprise Portal
49.4
Prerequisites
49.5
Configuring SAP NetWeaver Enterprise Portal for Access Manager
49.5.1
Configuring the Apache HTTP Server as a Proxy
49.5.2
Configuring SAP NetWeaver Enterprise Portal for External Authentication
49.5.3
Adjusting the Login Module Stacks for using Header Variables
49.6
Configuring Access Manager to Work With SAP NetWeaver Enterprise Portal
49.6.1
Configuring Access Manager 11.1.2 for SAP Enterprise Portal
49.7
Testing the Integration
49.8
Troubleshooting the Integration
Part XII Appendixes
A
Integrating Oracle ADF Applications with Access Manager SSO
A.1
Introduction to Oracle Platform Security Services and Oracle Application Developer Framework
A.1.1
Oracle Platform Security Services Single Sign-on Framework
A.1.2
Oracle Application Developer Framework
A.2
Integrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO Framework
A.2.1
Sample SSO Configuration for Access Manager
A.2.2
SSO Provider Configuration Details
A.3
Configuring Centralized Logout for Oracle ADF-Coded Applications
A.3.1
About Centralized Logout Processing for Applications Coded to Oracle ADF Standards
A.3.2
Configuring Centralized Logout for ADF-Coded Applications with Access Manager
A.4
Confirming Application-Driven Authentication During Runtime
B
Internationalization and Multibyte Data Support for 10g Webgates
B.1
Introduction to Internationalization and Multibyte Data Support
B.1.1
Languages For Localized Messages
B.1.2
Bi-directional Language Support
B.1.3
UTF-8 Encoding
C
Securing Communication
C.1
Prerequisites
C.2
Introduction to Securing Communication Between OAM Servers and Webgates
C.2.1
About Certificates, Authorities, and Encryption Keys
C.2.2
About Security Modes and X509Scheme Authentication
C.2.3
About the Importcert Tool
C.3
Generating Client Keystores for OAM Tester in Cert Mode
C.4
Configuring Cert Mode Communication for Access Manager
C.4.1
About Cert Mode Encryption and Files
C.4.2
Generating a Certificate Request and Private Key for OAM Server
C.4.3
Retrieving the OAM Keystore Alias and Password
C.4.4
Importing the Trusted, Signed Certificate Chain Into the Keystore
C.4.5
Adding Certificate Details to Access Manager Settings
C.4.6
Generating a Private Key and Certificate Request for Webgates
C.4.7
Updating Webgate to Use Certificates
C.5
Configuring Simple Mode Communication with Access Manager
C.5.1
About Simple Mode, Encryption, and Keys
C.5.2
Retrieving the Global Passphrase for Simple Mode
C.5.3
Updating Webgate Registration for Simple Mode
C.5.4
Verifying Simple Mode Configuration
D
Reviewing Bundled, Generated, and Migrated Artifacts
D.1
Bundled 10g IAMSuiteAgent Artifacts
D.1.1
Pre-Registered 10g IAMSuiteAgent
D.1.2
IAMSuiteAgent Security Provider Settings, WebLogic Administration Console
D.1.3
IAMSuiteAgent Registration
D.1.4
Resources Protected by IAMSuiteAgent
D.1.5
Pre-seeded IAM Suite Application Domain and Policies
D.2
Generated Artifacts: OpenSSO
D.2.1
Generated OpenSSOAgentAuthPlugin
D.2.2
Generated Host Identifier: OpenSSOAgent
D.2.3
Generated Application Domain: OpenSSOAgent
D.2.4
Generated Resources: OpenSSOAgent
D.2.5
Generated Authentication Policy: OpenSSOAgent Application Domain
D.2.6
Generated Authorization Policy: OpenSSOAgent Application Domain
D.3
Migrated Artifacts: OpenSSO
D.3.1
Migrated User Identity Store: OpenSSO
D.3.2
Migrated Agents: OpenSSO
D.3.3
Migrated Authentication Module: OpenSSO
D.3.4
Migrated Host Identifier: OpenSSO
D.3.5
Migrated Application Domain: OpenSSO
D.3.6
Migrated Resources: OpenSSO
D.3.7
Migrated Authentication Policy: OpenSSO
D.3.8
Migrated Authorization Policy: OpenSSO
E
Troubleshooting
E.1
Introduction to Oracle Access Management Troubleshooting
E.1.1
About System Analysis and Problem Scenarios
E.1.2
About LDAP Server or Identity Store Issues
E.1.3
About OAM Server or Host Issues
E.1.4
About Agent-Side Configuration and Load Issues
E.1.5
About Runtime Database (Audit or Session Data) Issues
E.1.6
About Change Propagation or Activation Issues
E.1.7
About Policy Store Database Issues
E.2
Using My Oracle Support for Additional Troubleshooting Information
E.3
Administrator Lockout
E.4
Oracle Access Management Console Inconsistent State
E.5
AdminServer Won't Start if the Wrong Java Path Given with WebLogic Server Installation
E.6
Agent Naming Not Unique
E.7
Application URL Requirements
E.8
Authentication Issues
E.8.1
Anonymous Authentication Issues
E.8.2
X.509Scheme and SSL Handshake Issues
E.8.2.1
Configuration Issues
E.8.2.2
Trust Issues
E.8.2.3
Certificate Validation Issues
E.8.3
X.509 Protected Resource and Single Sign Off
E.8.4
X509CredentialExtractor Certificate Validation Error
E.9
Authorization Issues
E.9.1
Authorization Condition Error
E.9.2
LDAP Search Filter Test Results
E.9.3
Authorization Header Response Names
E.10
Cannot Access Authentication LDAP or Database
E.11
Cannot Find Configuration
E.11.1
Configuration Does Not Exist ...
E.12
Co-existence Between OSSO and Access Manager
E.13
Could Not Find Partial Trigger
E.14
Denial of Service Attacks
E.14.1
Protecting the OAM Server from Crashing Under Load
E.14.2
Compensating for Network Latency
E.14.3
Protecting OAM Servers from a Flood of HTTP Requests
E.15
Deployments with Freshly Installed 10g Webgates
E.15.1
Authentication Issues with 10g Webgates
E.15.2
Logout Issues with 10g Webgates
E.16
Diagnosing Initialization and Performance Issues
E.16.1
Diagnosing an Initialization Issue
E.16.2
Diagnosing a Performance Issue
E.16.3
Diagnosing Out-of-Memory Issues With a Heap Dump
E.17
Disabling Windows Challenge/Response Authentication on IIS Web Servers
E.18
Changing UserIdentityStore1 Type Can Lock Out Administrators
E.19
IIS Web Server Issues
E.19.1
Form Authentication or Pass-Through Not Working
E.19.2
IIS and General Web Component Guidelines
E.19.3
Issues with IIS v6 Web Servers
E.19.4
Page Cannot Be Displayed Error
E.19.5
Removing and Reinstalling IIS DLLs
E.20
Import and File Upload Limits
E.21
jps Logger Class Instantiation Warning is Logged on Authentication
E.22
Internationalization, Languages, and Translation
E.22.1
Automatically Generated Descriptions Are Not Translated
E.22.2
Console Looks Messy
E.22.3
Authentication Fails: Users with Non-ASCII Characters
E.22.4
Access Tester Does Not Work with Non-ASCII Agent Names
E.22.5
Locales, Languages, and Oracle Access Management Console Login Page
E.23
Login Failure for a Protected Page
E.24
OAM Metric Persistence Timer IllegalStateException: SafeCluster
E.25
Partial Cluster Failure and Intermittent Login and Logout Failures
E.26
RSA SecurID Issues and Logs
E.27
Registration Issues
E.28
Rowkey does not have any primary key attributes Error
E.29
SELinux Issues
E.30
Session Issues
E.30.1
Session Impersonation Not Enabled by Default
E.30.2
Sessions with Oracle Access Manager 11.1.1 Integrated with Oracle Identity Federation 11.1.1
E.31
SSL versus Open Communication
E.32
Start Up Issues
E.33
Synchronizing OAM Server Clocks
E.34
Using Coherence
E.35
Validation Errors
E.36
Web Server Issues
E.36.1
Server Fails on an Apache Web Server
E.36.2
Apache v2 on HP-UX
E.36.3
Apache v2 Bundled with Red Hat Enterprise Linux 4
E.36.4
Apache v2 Bundled with Security-Enhanced Linux
E.36.5
Apache v2 on UNIX with the mpm_worker_module for Webgate
E.36.6
Domino Web Server Issues
E.36.7
Errors, Loss of Access, and Unpredictable Behavior
E.36.8
Known Issues for ISA Web Server
E.36.9
Oracle HTTP Server Fails to Start with LinuxThreads
E.36.10
Oracle HTTP Server Webgate Fails to Initialize On Linux Red Hat 4
E.36.11
Oracle HTTP Server Web Server Configuration File Issue
E.36.12
Issues with IIS v6 Web Servers
E.36.13
PCLOSE Error When Starting Sun Web Server
E.36.14
Removing and Reinstalling IIS DLLs
E.37
Windows Native Authentication
Mobile and Social Glossary
Index