Oracle Adaptive Access Manager provides a variety of mechanisms for integration with custom applications and custom development.
The Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager provides information to help developers integrate and customize Oracle Adaptive Access Manager and manage configuration changes in integrated deployments of Oracle Adaptive Access Manager.
Information in this book is grouped into the following main parts:
Part I, "Universal Installation Option"
Note: Although you can still use the UIO Proxy, it is deprecated starting with 11.1.2.2 and will be desupported and no longer shipped in 12.1.4 and future releases. The recommendation is to use the native integration, or the advanced integration of Oracle Access Management Access Manager with Oracle Adaptive Access Manager using the Trusted Authentication Protocol (TAP). For information about native integration, see Chapter 2, "Natively Integrating Oracle Adaptive Access Manager," Chapter 3, "Natively Integrating with Native ASP.NET Applications," and Chapter 4, "Natively Integrating with Java Applications." For information about Access Manager and Oracle Adaptive Access Manager integration using TAP, see Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.
Note: Detailed information about Oracle Adaptive Access Manager integration with Oracle Identity Manager and Oracle Access Management Access Manager is not covered in this guide. For in-depth conceptual and procedural information, see Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.
OAAM includes a suite of virtual authentication devices as samples that you can deploy as they are. Altering these samples is considered custom development. The source art and information in this chapter are provided as a reference so that you can develop your own custom virtual authentication devices.
Note: These samples are provided in English only.
This chapter contains the following sections:
Virtual authentication devices are authenticator interfaces that protect end users while they enter and transmit authentication credentials, and that give users verification that they are authenticating to the genuine application. Several security technologies are employed in the authenticator user interfaces; each virtual authentication device has its own set of security features that make it much more than an image on a web page.
This section defines terms used in this chapter.
Table 9-1 Virtual Authentication Device Terminology
Virtual authentication devices protect users from phishing attacks, data theft, and bots. Each user has an image and a phrase that serve as a shared secret between the business and the end user. The shared secret authenticates the website to the end user, which helps protect end users from phishing operations that try to fool them with social engineering. This protection depends on the user checking for the correct image and phrase before entering credentials.
Each time PinPad or KeyPad is used, the data sent over the wire is randomized. The user does not type the credential; what is transmitted are the screen coordinates of the keys clicked, and only the OAAM server can map those back to the credential. Three randomization mechanisms are available: basic jitter, sub-jitter, and scramble. The following subsections introduce the virtual authentication devices.
TextPad is a personalized device consisting of a single form field for entering a password or PIN with a regular keyboard. Its defense is primarily against phishing. The field can act as an HTML password control that masks data entry. TextPad is often deployed as the default for all users in a large deployment; each user can then upgrade to another device individually. The personalized image and phrase that a user registers, and sees every time the user logs in to the valid site, serve as a shared secret between the user and the server. If this shared secret is missing or wrong, the user should notice. An example TextPad is shown in Figure 9-2.
PinPad and KeyPad are indirect credential entry virtual devices. They can be invoked at login or in-session if required. The user clicks the visual "keys" with the mouse. On the wire, the data entered is a string of random numbers that only the OAAM server can decode into the valid password, PIN, or data. Configurable randomization mechanisms control the balance between usability and the required strength. PinPad and KeyPad are generally offered as an optional upgrade that users can choose to use or not. This flow ensures that only users who want the extra protection use it, since there is a slight learning curve related to navigation.
PinPad is a lightweight authentication device for entering a numeric PIN. Data input is limited to numerals. It supports key jitter, randomization, and offset. An example PinPad is shown in Figure 9-3.
KeyPad is a personalized graphical keyboard. As with PinPad, the user clicks its keys with the mouse to enter alphanumeric and special characters instead of typing them on the physical keyboard. KeyPad is ideal for entering passwords and other sensitive data, such as credit card numbers. An example KeyPad is shown in Figure 9-4.
QuestionPad is a personalized device that renders text in the form of a prompt or question. The user types the information or answer with a regular keyboard. QuestionPad can incorporate the challenge question into the question image. Like the other Adaptive Strong Authentication devices, QuestionPad also helps defend against phishing. An example QuestionPad is shown in Figure 9-5.
A virtual authentication device is composed of many elements. Table 9-2 describes the elements which are combined at run time to produce the virtual authentication device for display on the client side.
Table 9-2 Elements of an authenticator
Text based property files on the server side control how the virtual authentication devices are rendered and how they behave. These files are in the business application for Native deployments or in an application for UIO deployments. Details on the virtual authentication device properties are provided in this chapter for your reference.
Virtual authentication devices use the following files:
oaam_custom.properties is the file where custom properties are added for virtual authentication devices, KeySet definitions used by the KeyPad and PinPad devices, and configuration properties that are not localized (translated).
oaam_custom_locale.properties files are created by the administrator customizing the application to hold locale-specific properties such as translated display messages. The locale identifier consists of at least a language identifier and, if required, a region identifier. For example, the custom properties file for US English is oaam_custom_en_US.properties.
Note: Many of the properties related to the virtual authentication devices are in resource bundles so that they can be localized. If the default value is in a "resource" file, then the override value must be placed in the client override file for resource bundle values (client_resource.properties).
Properties are constructed in the following manner.
bharosa.authentipad.padtype.property.subproperty=value
For example:
bharosa.authentipad.textpad.datafield.x=100
The pad type values are:
textpad
keypad
pinpad
questionpad
Any defined property can be overwritten or updated by redefining it in the oaam_custom.properties file. This allows only the relevant properties to be changed without rewriting the full set.
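The layering described above, worked through as an added example that is not Oracle's code: a small Python reader for the property files that applies shipped defaults, then oaam_custom.properties, then the locale file client_resource_<locale>.properties (later layers win), reports which file set each effective value, and flags an override of a resource-bundle value that was placed in oaam_custom.properties instead of a client_resource file, as the note above requires. The file name shipped_defaults.properties and every property name other than bharosa.authentipad.textpad.datafield.x and bharosa.uio.default.DeviceTextPad.default.image are hypothetical stand-ins, and all file contents are constructed.

```python
"""Resolve layered OAAM virtual authentication device properties (added example)."""
import re
from typing import Dict, List, Tuple

PAD_TYPES = ("textpad", "keypad", "pinpad", "questionpad")
# bharosa.authentipad.<padtype>.<property>.<subproperty>
PAD_KEY = re.compile(r"^bharosa\.authentipad\.(%s)\.(.+)$" % "|".join(PAD_TYPES))


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value or key:value, '#' and '!'
    comment lines, backslash line continuations. Later duplicates win."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):            # value continues on the next line
            pending += line[:-1]
            continue
        pending += line
        parts = re.split(r"\s*[=:]\s*", pending, maxsplit=1)
        props[parts[0].strip()] = parts[1].strip() if len(parts) > 1 else ""
        pending = ""
    return props


def is_resource_file(name: str) -> bool:
    """Resource-bundle files: client_resource.properties and its locale variants."""
    return name.startswith("client_resource")


def resolve(layers: List[Tuple[str, str]]):
    """layers: (file name, file text) from lowest to highest precedence.
    Returns (effective, misplaced). effective maps key -> (value, file that set it).
    misplaced lists (key, file) for overrides of a resource-bundle key that were
    made from a non-resource file such as oaam_custom.properties."""
    effective: Dict[str, Tuple[str, str]] = {}
    origin: Dict[str, str] = {}          # file that first defined each key
    misplaced: List[Tuple[str, str]] = []
    for name, text in layers:
        for key, value in parse_properties(text).items():
            if key not in origin:
                origin[key] = name
            elif is_resource_file(origin[key]) and not is_resource_file(name):
                misplaced.append((key, name))
            effective[key] = (value, name)
    return effective, misplaced


def pad_properties(effective: Dict[str, Tuple[str, str]], pad_type: str) -> Dict[str, str]:
    """Sub-properties of one pad type, e.g. {'datafield.x': '100'} for textpad."""
    out: Dict[str, str] = {}
    for key, (value, _) in effective.items():
        m = PAD_KEY.match(key)
        if m and m.group(1) == pad_type:
            out[m.group(2)] = value
    return out


# Constructed file contents. Names and values other than datafield.x and the
# DeviceTextPad image property are hypothetical.
SHIPPED_DEFAULTS = """\
bharosa.authentipad.textpad.datafield.x=80
bharosa.authentipad.textpad.datafield.y=40
bharosa.authentipad.pinpad.keys.jitter=true
bharosa.uio.default.DeviceTextPad.default.image=textpad_bg/BG_001.jpg
"""
CLIENT_RESOURCE = """\
# localizable defaults live in the resource bundle
bharosa.authentipad.textpad.phrase.text=Enter your password
"""
OAAM_CUSTOM = """\
bharosa.authentipad.textpad.datafield.x=100
# wrong file for a resource-bundle value: it belongs in client_resource.properties
bharosa.authentipad.textpad.phrase.text=Welcome back
"""
CLIENT_RESOURCE_EN_US = """\
bharosa.authentipad.textpad.phrase.text=Enter your PIN
bharosa.uio.default.DeviceTextPad.default.image=textpad_bg/BG_003.jpg
"""
SAMPLE_LAYERS = [
    ("shipped_defaults.properties", SHIPPED_DEFAULTS),
    ("client_resource.properties", CLIENT_RESOURCE),
    ("oaam_custom.properties", OAAM_CUSTOM),
    ("client_resource_en_US.properties", CLIENT_RESOURCE_EN_US),
]

if __name__ == "__main__":
    effective, misplaced = resolve(SAMPLE_LAYERS)
    for key, (value, source) in sorted(effective.items()):
        print(f"{key} = {value}  (from {source})")
    for key, name in misplaced:
        print(f"WARNING: {key} overridden in {name}; resource-bundle values belong in client_resource.properties")
```

Run it against the real files by replacing SAMPLE_LAYERS with the contents read from the extension library; pad_properties(effective, "textpad") then shows the TextPad settings as the server will see them.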
Specific elements of the authenticator interfaces may be customized: buttons, fields, the personalized phrase, and the personalized image. Any alteration is considered custom development.
A set of sample background images is shipped with Oracle Adaptive Access Manager: 8,423 personalization images for each virtual authentication device. These images are for use in the virtual authentication devices only. For security reasons they should never be reachable by end users outside the context of a virtual authentication device. Content, file sizes, and other attributes were optimized for a broad range of user populations and fast download. Sample phrase text for each supported language is provided with the package. Any alteration to these images or text is considered custom development. If you edit the images, do not increase their physical dimensions or change their aspect ratio, because the result will be distorted.
A single image file contains the branding, frame, and button images. Be careful with text, hot spot, and key sizes: it is not recommended to make these smaller than the provided samples. There must also be an identically named version of each image for each virtual authentication device used in your deployment.
Table 9-3 lists the default image property for each virtual authentication device.
Table 9-3 Default Images for Personalization
Element | Property
---|---
Default TextPad background graphic (Can be application specific) | 
Default PinPad background graphic (Can be application specific) | 
Default QuestionPad background graphic (Can be application specific) | 
Default KeyPad background graphic (Can be application specific) | 
Develop Custom Background Images
Process the images to the correct resolution for each virtual authentication device being used.
You can configure a graphic editor to transform the images in batches.
Add Images to the Correct Directories
Add custom pad-related images to oaam_extensions\WEB-INF\classes\bharosa_properties. If the image already exists in the OAAM installation, such as the no-logo frame, you do not have to move it to this folder; only files you add need to go there.
Add Location of Images to client_resource_locale.properties
For the custom background images to display in the VAD, you must add the location of the images to client_resource_locale.properties inside an OAAM Extension library:
vcrypt.user.image.dirlist.property.name=bharosa.image.dirlist
bharosa.image.dirlist=absolute_folder_path_where_oaam_images_are_available
For example:
bharosa.image.dirlist=/Oracle/Middleware/Oracle_IDM1/oaam/oaam_images/virtual_authentication_device
Frame images are in the extensions library. Background images are in ${oracle.oaam.home}/oaam_images/deviceType.
Add Image Properties to client_resource_locale.properties
The default values for the images are located in the oaam_custom.properties file. To override the default values, add the properties to client_resource_locale.properties inside an OAAM Extension library. For example:
bharosa.uio.default.DeviceTextPad.default.image = textpad_bg/BG_003.jpg
Save the file in the oaam_extensions\WEB-INF\classes folder.
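The image procedure above, as an added example that is not Oracle's code: a Python pre-deployment check that reads each candidate image's pixel size from its PNG or JPEG header (no image library needed), rejects images that are larger than the shipped sample or have a different aspect ratio, confirms that an identically named file exists for every device directory in use, and prints the client_resource_locale.properties lines from the steps above. The sample sizes, the pinpad_bg directory name, and the image bytes are constructed assumptions; textpad_bg, the two dirlist properties, and the DeviceTextPad property are taken from this chapter.

```python
"""Validate custom virtual authentication device background images (added example)."""
import struct
from typing import Dict, List, Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# JPEG start-of-frame markers (SOF0..SOF15 minus DHT 0xC4, JPG 0xC8, DAC 0xCC)
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def image_size(data: bytes) -> Optional[Tuple[int, int]]:
    """(width, height) read from a PNG IHDR or JPEG SOF header; None if unrecognised."""
    if data[:8] == PNG_SIGNATURE and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])
    if data[:2] != b"\xff\xd8":                 # JPEG SOI
        return None
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xFF:                      # fill byte before a marker
            i += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            i += 2                              # standalone marker, no length field
            continue
        if marker in SOF_MARKERS:
            if i + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + struct.unpack(">H", data[i + 2:i + 4])[0]
    return None


def check_image(label: str, data: bytes, sample: Tuple[int, int]) -> List[str]:
    """Problems with one candidate relative to the shipped sample's size: larger
    than the sample, or a different aspect ratio (either distorts the pad)."""
    size = image_size(data)
    if size is None:
        return [f"{label}: not a PNG or JPEG"]
    (w, h), (sw, sh) = size, sample
    problems = []
    if w > sw or h > sh:
        problems.append(f"{label}: {w}x{h} exceeds sample {sw}x{sh}")
    if w * sh != h * sw:                        # exact ratio compare, no floats
        problems.append(f"{label}: aspect {w}:{h} differs from sample {sw}:{sh}")
    return problems


def check_image_set(images: Dict[str, Dict[str, bytes]],
                    samples: Dict[str, Tuple[int, int]]) -> List[str]:
    """images: device directory -> {file name: bytes}; samples: directory -> sample size.
    Every file name must exist in every device directory, and each must pass check_image."""
    problems: List[str] = []
    all_names = set().union(*images.values())
    for device, files in images.items():
        for missing in sorted(all_names - files.keys()):
            problems.append(f"{device}/{missing}: missing (present for another device)")
        for name, data in sorted(files.items()):
            problems += check_image(f"{device}/{name}", data, samples[device])
    return problems


def property_lines(image_dir: str, defaults: Dict[str, str]) -> List[str]:
    """Lines for client_resource_locale.properties in the extension library: the
    image directory list and a default image per device property name."""
    lines = ["vcrypt.user.image.dirlist.property.name=bharosa.image.dirlist",
             f"bharosa.image.dirlist={image_dir}"]
    for device, image in defaults.items():
        lines.append(f"bharosa.uio.default.{device}.default.image={image}")
    return lines


def make_png(w: int, h: int) -> bytes:
    """Constructed PNG prefix (signature + IHDR) for the demo; not a complete image."""
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\0\0\0\0"


def make_jpeg(w: int, h: int) -> bytes:
    """Constructed JPEG prefix (SOI, APP0, baseline SOF0) for the demo."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\0" + b"\0" * 9
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, h, w, 1) + b"\x01\x11\x00"
    return b"\xff\xd8" + app0 + sof0


# Assumed sample sizes and directory names: textpad_bg is from the guide,
# pinpad_bg follows the same pattern and is a guess.
SAMPLE_SIZES = {"textpad_bg": (640, 240), "pinpad_bg": (320, 120)}
CANDIDATES = {
    "textpad_bg": {"BG_003.jpg": make_jpeg(640, 240), "custom_wide.png": make_png(800, 240)},
    "pinpad_bg": {"BG_003.jpg": make_jpeg(320, 120)},
}

if __name__ == "__main__":
    for problem in check_image_set(CANDIDATES, SAMPLE_SIZES):
        print("REJECT", problem)
    image_dir = "/Oracle/Middleware/Oracle_IDM1/oaam/oaam_images/virtual_authentication_device"
    print("\n".join(property_lines(image_dir, {"DeviceTextPad": "textpad_bg/BG_003.jpg"})))
```

To use it on real files, build CANDIDATES by reading each device directory under the bharosa.image.dirlist path and take SAMPLE_SIZES from the shipped images for each device; the check is worth running before the images are copied into the extension library, since a distorted or missing image only shows up once the pad renders.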
Each of the authenticator interfaces, such as TextPad, KeyPad, PinPad, and so on, has a frame. The frame marks the outer boundary of the authenticator user interface and delineates the virtual authentication device from the rest of the page.
The frame must always be apparent regardless of the graphical treatment, to preserve the appearance of a device. The frame may not blend into the surrounding elements of an HTML page to the point where it disappears visually.
The overall size and aspect of each pad is fixed and may not be altered. All elements of the interface must be contained within the frame.
The frame and key samples are provided in English only. Master files for the virtual authentication device frames and keys, with descriptions of the parts, are provided on request. You may create your own custom frame and key images and deploy them following the product documentation, but any alteration to these images or their corresponding properties is considered custom development.
The frame may be altered only in the following ways:
Colors may be altered for the outline and fill of the frame
Colors of the buttons on the frame may be altered
Branding may be altered
Note: If the default value is in a "resource" file, you must specify the override value in client_resource.properties.
Table 9-4 lists the TextPad Authenticator Properties.
Table 9-4 TextPad Authenticator Properties
Feature | Property
---|---
Password Frame File (Can be application specific) | 
Challenge Frame File (Can be application specific). Note: Challenge type can be any configured challenge type ( | 
Registration Frame File (Can be application specific). This property applies to the registration page. | 
User Preferences Frame File (Can be application specific). This property applies to the self-service user preferences page. | 
Table 9-5 lists the PinPad Authenticator Properties.
Table 9-5 PinPad Authenticator Properties
Feature | Property
---|---
Password Frame File (Can be application specific) | 
Challenge Frame File (Can be application specific). Note: Challenge type can be any configured challenge type ( | 
Registration Frame File (Can be application specific) | 