This chapter explains how to configure properties that are used in common by the services integrated into Oracle Access Management.
This chapter contains the following sections:
This section introduces the Oracle Access Management options and settings collectively called Configuration. Unless explicitly stated, these Configuration options are shared by all Access Manager servers and services in the domain. Figure 3-1 shows the Configuration options defined in the new Oracle Access Management Console.
Figure 3-1 Oracle Access Management Configuration Options
Table 3-1 describes the Configuration options. The items listed apply to all services in the suite.
Table 3-1 Configuration Options
Node | Description |
---|---|
Available Services |
|
User Identity Stores |
See "Managing OAM Identity Stores" in Chapter 5, "Managing Data Sources." |
Administration |
|
Certificate Validation |
Provides access to the certificate revocation list and OCSP/CDP settings. |
Server Instances |
Provides access to all registered OAM Server instances. |
Common Settings |
Provides configurations that apply to all Oracle Access Management services including Session properties, Oracle Coherence, Auditing, and Default and System Identity Stores. |
Access Manager Settings |
Provides access to Access Manager operation configurations. |
Mobile and Social Settings |
Provides access to configurations for Oracle Access Management Mobile and Social. |
Federation Settings |
Provides access to configurations for Oracle Access Management Identity Federation. |
Security Token Service Settings |
Provides access to configurations for Oracle Access Management Security Token Service. See "Managing Oracle Access Management Security Token Service" |
Access Portal Settings |
Provides access to configurations for Oracle Access Portal. See "Managing Oracle Access Management Oracle Access Portal" |
Figure 3-2 shows the Available Services page of the Common Configuration section, which provides the status of services, and controls to enable or disable a service. Initially, only Access Manager services are enabled. Oracle Access Management Administrators must enable a service in the Oracle Access Management Console to use the related functionality. The exception to this is Identity Context, which is enabled by default and does not have any controls to disable it.
A green check mark in the Status field beside the service name indicates the service is enabled. A red circle with a line through it indicates that the corresponding service is disabled.
Service | Description |
---|---|
Access Manager |
Access Manager functionality is enabled by default. Access Manager Service is required to set SSO policies, configure Access Manager, as well as Common Configuration, and when REST Services are enabled. Default: Enabled No other services are required for Access Manager and Common Configuration. |
Identity Federation |
Must be enabled to manage the federation partners. Default: Disabled Note: The Access Manager service must also be enabled because Identity Federation is another authentication module. See Also: Part II, "Managing Oracle Access Management Identity Federation". |
Security Token Service |
Enable this service to use Security Token Service functionality. Default: Disabled Access Manager service is not required. See Also: Part II, "Managing Oracle Access Management Security Token Service". |
Mobile and Social |
Mobile and Social Services can be deployed in either of two ways:
See Also: Part II, "Managing Oracle Access Management Mobile and Social" |
Access Portal |
Must be enabled to manage Access Portal. Default: Disabled See Part II, "Managing Oracle Access Management Oracle Access Portal" |
WebLogic AdminServer must be running.
See Using the New Oracle Access Management Console.
To enable or disable a service
From the Oracle Access Management Console Launch Pad, click Available Services under Configuration.
Click Enable beside the desired service name (or confirm that the Status check mark is green).
Click Disable beside the desired service name (or confirm that the Status check mark is red).
The Common Settings apply to all OAM Server instances and services. This section provides the following topics:
Common Settings apply to all services within the suite. Figure 3-3 shows the named sections on the Common Settings page, which can be expanded to reveal related elements and values.
Figure 3-3 Common Settings Page (Collapsed View)
Oracle Access Management Administrators can control and specify parameters used by the entire suite, not just a single service, as introduced in Table 3-3.
Tab Name | Description |
---|---|
Session |
Session configuration refers to the process of managing the lifecycle requirements of a session, and notification of events to enable global logout. Global logout is required for OSSO Agents (mod_osso) to ensure that logging out of a session on any entity propagates the logout to all entities. See Also: "Managing Common Settings". |
Coherence |
Common Oracle Coherence settings shared by all OAM Servers differ from those for individual OAM Servers. However, in both cases Oracle recommends that you make no adjustments to these settings unless instructed to do so by an Oracle Support Representative. See Also: "Managing Common Settings". |
Audit Configuration |
Oracle Access Management supports auditing for a large number of administrative and run-time events, uniform logging and exception handling, and the diagnostics of all audit events. Oracle Access Management auditing configuration is recorded in See Also: "Managing Common Settings" and "Using the Oracle Access Management Console for Audit Configuration". |
Default and System Identity Stores |
This section identifies the default identity and system stores, which can be one in the same (or different). See Also: "Managing Common Settings". |
See Also:
Details for other operations common to all OAM components:Users with valid Oracle Access Management Administrator credentials can perform the following task to display the Common Settings page and perform changes. Included in each main step is a reference to more information elsewhere in this book.
The OAM Server must be running.
From the Launch Pad, click Common Settings.
Session:
On the Common Settings page, expand the Session section.
Click the arrow keys beside each list to increase or decrease session lifecycle settings as needed:
Database Persistence: Check the box to enable Database Persistence for Active Sessions (or clear it to disable Database Persistence).
Click Apply to submit your changes.
See Also: Chapter 17, "Maintaining Access Manager Sessions".
Coherence: See "Viewing Common Coherence Settings".
Audit Configuration:
Open the Audit Configuration section.
In the Audit Configuration section, enter appropriate details for your environment:
Click Apply to submit the Audit Configuration (or close the page without applying changes).
See Also: Chapter 9, "Auditing Administrative and Run-time Events".
Default Store and System Stores:
Expand the Default and System Identity Stores section.
Click the name of the System Store (or Default Store) to display the configuration page.
See "Setting the Default Store and System Store" for more information.
Figure 3-4 shows the Common Settings page with the coherence section expanded.
Note:
Oracle strongly recommends that you do not alter these settings without the assistance of Oracle Support.Table 3-4 describes these settings.
Table 3-4 Common Coherence Settings
Element | Description |
---|---|
Port |
Value between 1 and 65535 is supported. |
Cluster Address |
Value between 224.1.255.0 to 239.255.255.255 is allowed. |
Time to Live |
Value between 0 and 255 is supported. |
Cluster Port |
Value between 1 and 65535 is supported. |
To view Common Coherence settings
From the System Configuration tab, expand the Common Configurations section, and double-click Common Settings.
On the Common Settings page, expand the Coherence section.
Close the page when you finish; do not make any changes.
The Certificate Validation module is used by the Security Token Service to validate X.509 tokens and to verify whether or not the certificates have been revoked. It supports the following options.
A Certificate Revocation List (CRL) is a list of certificates (identified by serial numbers) that have been revoked. Revoked certificates are listed with a reason, an issue date, and the issuing entity. (In addition, each list contains a proposed date for the next release.) Entities presenting these (revoked) certificates should no longer be trusted. When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for the particular user. For more information, see Section 3.4.1, "Managing Certificate Revocation Lists."
The Online Certificate Status Protocol (OCSP) was developed as an alternative to CRLs. OCSP specifies how the client application that requests information on a certificate's status will obtain it from the server that responds to the request. An OCSP responder can return a signed response signifying that the certificate specified in the request is either good, revoked or unknown. If the OCSP cannot process the request, it returns an error code. For more information, see Section 3.4.2, "Enabling OCSP Certificate Validation."
A CRL Distribution Point extension (CDP extensions) contains information regarding the location of Certificate Revocation Lists (CRLs) and OCSP servers. You can use the Administration Console to define these points. For more information, see Section 3.4.3, "Enabling CRL Distribution Point Extensions."
The following sections provide more information.
Users with Oracle Access Management Administrator credentials can use the following procedure to enable the CRL functionality and import a current Certificate Authority Certificate Revocation List (CA CRL).
Have your CA CRL ready to import.
To import Certificate Revocation Lists
Under the Configuration section of the Oracle Access Management Console, click Certificate Validation.
The Certificate Revocation List tab is displayed.
Confirm that the Enabled box is checked.
Add or remove a CRL.
Add: Click the Add (green plus sign) button, browse for the CRL file, select it, and click Import.
Remove: Click the name of the list in the table, click the Delete (x) button, and confirm when asked.
Figure 3-5 is a screenshot of the pop-up window used to add a CA CRL to the CRL List using the Administration Console.
Figure 3-5 Certificate Revocation List Dialog Box
Click Apply to save the configuration.
Proceed to "Enabling OCSP Certificate Validation".
Note:
To search for CRLs in the table, enable Query by Example from the View drop-down. Enter filter strings in the header fields displayed and hit Enter.Users with Oracle Access Management Administrator credentials can use the following procedure to enable the OCSP.
Have the URL of the OCSP service ready to import.
To enable OCSP certificate validation
Under the Configuration section of the Oracle Access Management Console, click Certificate Validation.
The Certificate Revocation List page is displayed. Confirm that the Enabled box is checked.
Click the OCSP/CDP tab.
Enable OCSP.
Enter the URL of the OCSP Service.
Enter the Subject DN of the OCSP Service.
Save this configuration.
Figure 3-6 illustrates how to add an OCSP URL using the Administration Console. See "Using the configureOAMOSCSPCertValidation WLST Command" for details on how to do this using the WLST command.
Proceed to "Enabling CRL Distribution Point Extensions".
Users with Oracle Access Management Administrator credentials can use the following procedure to add CRL distribution points in issued certificates.
Under the Configuration section of the Oracle Access Management Console, click Certificate Validation.
The Certificate Revocation List page is displayed. Confirm that the Enabled box is checked.
Open the OCSP/CDP tab.
Enable CDP.
Save this configuration.
Figure 3-6 illustrates this.
Support for HTTP Proxy and multiple OCSP Responder configurations have been added for this 11g Release 2 (11.1.2.2) version of Oracle Access Manager. Example 3-1 illustrates the current Certificate Validation Module configuration.
Example 3-1 Certificate Validation Module Configuration
<Setting Name="CertValidationModule" Type="htf:map"> <Setting Name="certpathvalidationocspcertsubject" Type="xsd:string"></Setting> <Setting Name="certpathvalidationocspurl" Type="xsd:string"></Setting> <Setting Name="certvalidationcrlstorelocation" Type="xsd:string">/scratch/maymaria/installed/wlsHome/user_projects/ domains/base_domain/config/fmwconfig/amcrl.jar</Setting> <Setting Name="defaulttrustcastorelocation" Type="xsd:string">/scratch/maymaria/installed/wlsHome/user_projects/ domains/base_domain/config/fmwconfig/amtruststore</Setting> <Setting Name="defaulttrustcastoretype" Type="xsd:string">jks</Setting> <Setting Name="certpathvalidationcdpenabled" Type="xsd:boolean">false</Setting> <Setting Name="certpathvalidationcrlenabled" Type="xsd:boolean">false</Setting> <Setting Name="certpathvalidationocspenabled" Type="xsd:boolean">false</Setting> </Setting>
The following sections contain configuration information for these new features.
The Oracle Access Manager OCSP checker can perform authentication against OCSP responders that are outside an enterprise's intranet via HTTP Proxy. Use the updateHTTPProxyConfig
WLST command to configure the proxy.
Online command that configures the OAM OCSP checker to use HTTP proxy.
Certificate authentication currently supports authentication against a single OCSP responder as documented in "Enabling OCSP Certificate Validation". Support for multiple OCSP responders has been added since the responder URL is now part of the certificate's Authority Information Access Extension. To support multiple OCSP Responders, the three lines of configuration in Example 3-2, "Multiple OCSP Responder Configuration" must be added to the top of the Certificate Validation Module configuration section (illustrated in Example 3-1).
Example 3-2 Multiple OCSP Responder Configuration
<Setting Name="CertValidationModule" Type="htf:map"> <Setting Name="certpathvalidationocspurltocamap" Type="htf:map"> <Setting Name="<url_value>" Type="xsd:string"> <ocsp_responder_subject></Setting> </Setting> <Setting Name="useJDKOCSP" Type="xsd:string">false</Setting> ... </Setting>
Configure the first and second lines to enable multiple OCSP responders.
Set certpathvalidationocspenabled
to true.
Update the certpathvalidationocspurltocamap
configuration. It is of type Map, the key is the OCSP Responder URL (URL Encoded) and the value is the OCSP Responder's Certificate subject.
<Setting Name="certpathvalidationocspurltocamap" Type="htf:map"> <Setting Name=" http%3A%2F%2Flocalhost%3A9797" Type="xsd:string"> emailAddress=sagar@pspl.com,CN=ps2436,OU=OBLIX-QA,O=PSPL, L=PUNE,ST=MAHA,C=MY</Setting> </Setting>
(Optionally) set values for certpathvalidationocspcertsubject
and certpathvalidationocspurl
.
The Responder URLs will be fetched first from the AuthorityInformationAccess extension of the user's X.509 certificate and second from Modules/Plugin (CertValidation). The Responder Subjects will be fetched first from the defined configuration map and second from the Module/Plugin (CertValidation) configuration. In cases where these configurations are not found, the OCSP validation will fail.
Configure the third line to provide backward compatibility for those who want to use JDK OCSP validation rather than the new OAM OCSP Checker. By default, the JDK OCSP Checker is enabled. When configuring the OAM OCSP Checker using the WLST command, the flag is set to false. For more information on the WLST command, see Section 3.4.5, "Using the configureOAMOSCSPCertValidation WLST Command."
Depending on the Certificate Validation Module configuration there are three different options as documented in Table 3-5.
Configuration | OCSP Configuration (certpathvalidationocspenabled) | CRL Configuration (certpathvalidationcrlenabled) | JDK/OAM OCSP Configuration (useJDKOCSP) |
---|---|---|---|
No OCSP Checking Simple certificate validation is performed during OAM X-509 authentication |
False |
False |
False |
OAM OCSP X-509 authentication performs certificate validation with OCSP checking using the new OAM OCSP Checker. |
True |
True/False (does not matter) |
False |
JDK OCSP X-509 authentication performs certificate validation with OCSP checking using the JDK OCSP Checker. |
True |
True |
True |
To enable OCSP validation to be done using one configured responder URL, set the certpathvalidationcrlenabled
and certpathvalidationocspenabled
properties to true and set values for the certpathvalidationocspcertsubject
and certpathvalidationocspurl
properties. If these properties are not set, OCSP validation will be done using the responder URL defined within the user certificate's AIA Extension. If no URL is defined, OCSP validation will fail.
Online command that updates the OAM OCSP configuration including:
Updates or adds an OCSP responder URL and subject details to the "certpathvalidationocspurltocamap"
Clear the newly added configuration; for example, "certpathvalidationocspurltocamap"
Set or unset the "useJDKOCSP" flag to enable or disable JDK OCSP
Updates the OAM OCSP configuration by adding/modifying the OCSP responder URL and subject details in the certpathvalidationocspurltocamap property and enabling/disabling the use of the JDK OCSP Checker.
configureOAMOCSPCertValidation(url, subject, clear (optional), display (optional), useJDKOCSP (optional))
Argument | Definition |
---|---|
url
|
Mandatory. Takes as a value the valid URL. |
subject
|
Mandatory. Takes the details being modified. |
clear
|
Optional. Takes a value of true or false. |
display
|
Optional. Takes a value of true or false. |
useJDKOCSP
|
Optional. Takes a value of true or false. |
The following example enables the OAM OCSP and sets the Responder URL and subject.
configureOAMOCSPCertValidation(url="http://sample:9898", subject="cert-subject-detail")
The following example enables the OAM OCSP and updates the Responder URL and subject.
configureOAMOCSPCertValidation(url="http://sample:9898", subject="details changed/updated")
The following example disables and clears the OAM OCSP.
configureOAMOCSPCertValidation(url="http://sample:9898", subject="subject-detail", clear="true")
The following example enables/disables the JDK OCSP.
configureOAMOCSPCertValidation(url="http://sample:9898", subject="details changed/updated", useJDKOCSP="true")