24.8 Completing Password Policy Configuration

Administrators can set the error message mode for password policy messages, override native LDAP password policy validation, and run a set of evaluations to confirm that the deployment works as required.

These tasks are the same regardless of the credential collector you have configured. Perform the following tasks to complete your password policy configuration:

24.8.1 Setting the Error Message Mode for Password Policy Messages

Users with administrative privileges can set the Server Error Mode for password policy messages.

Figure 24-4 shows the Access Manager settings.

Figure 24-4 Server Error Mode for Password Management


Prerequisites

  1. In the Oracle Access Management Console, click Configuration at the top of the window.
  2. In the Configuration console, select Access Manager from the Settings drop-down list.
  3. In the Load Balancing section, set the Server Error Mode to Internal. Password policy messages such as expiry warnings and validation errors are only passed back to the user in this mode; the other modes return generic errors.
  4. Click Apply.
  5. Proceed with "Overriding Native LDAP Password Policy Validation".

24.8.2 Overriding Native LDAP Password Policy Validation

You need to disable native LDAP password policy validation before the Oracle Access Management (non-native) password policy can be used. If both remain active, the directory and Access Manager each enforce their own rules, and a user can be rejected or locked out by either one.

For example, with Oracle Internet Directory registered for Oracle Access Management, native password policy is generally located as follows:

dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,<DOMAIN_CONTAINER>

Caution:

Disabling native LDAP password policy validation leaves no enforcement for operations performed directly against the directory (for example, an administrator or application that binds over LDAP and changes a password bypasses the Access Manager policy entirely). Oracle Internet Directory can hold several password policies, including the global one at the following location:

dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext

However, this entry might not be the one that applies to your domain; identify the policy entry whose subtree covers your users before you disable anything.

You can disable the Oracle Internet Directory password policy by setting the orclpwdpolicyenable parameter to zero (0).

See Also:

The various attributes described in

The following procedure is only an example. Your environment will be different.

Prerequisites

Setting the Error Message Mode for Password Policy Messages

  1. Refer to the manual from your LDAP directory vendor.
  2. Oracle Internet Directory: Disable native policy by setting orclpwdpolicyenable to zero (0).
    • Confirm the location of the password policy that applies to your domain; the directory can contain more than one policy entry.

    • When you are sure you have the proper native LDAP policy, disable it by setting the attribute on that entry, then read the entry back to verify the change before testing through Access Manager. For example:

      orclpwdpolicyenable = 0
      
  3. Proceed as follows, depending on your deployment:
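As an added example (not Oracle code), the following script performs the check the caution above calls for: it inventories every pwdPolicy entry in an LDIF export of the directory, finds the default policy under a given domain container, and builds the ldapmodify change record that sets orclpwdpolicyenable to 0 on that entry only. The LDIF is constructed for the example; its DNs follow the pattern quoted in this section, with dc=example,dc=com standing in for <DOMAIN_CONTAINER>, and pwdMaxFailure is included only as a sample standard pwdPolicy attribute.

```python
"""Added example, not Oracle code: list the password policy entries in an OID
LDIF export, pick the one for a domain container, and emit the LDIF change
record that disables it. SAMPLE_LDIF is constructed for this example."""
import base64
import re

SAMPLE_LDIF = """\
dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext
objectclass: top
objectclass: pwdPolicy
cn: default
orclpwdpolicyenable: 1
pwdMaxFailure: 10

dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,
 dc=example,dc=com
objectclass: top
objectclass: pwdPolicy
cn: default
orclpwdpolicyenable: 1
pwdMaxFailure: 5

dn: cn=Users,dc=example,dc=com
objectclass: orclContainer
cn: Users
"""

# RDNs of the default policy entry, as quoted in the text; the domain container is appended.
POLICY_RDNS = "cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext"


def parse_ldif(text):
    """Minimal LDIF content-record parser: returns [(dn, {attr: [values]})] with
    attribute names lower-cased. Handles folded lines (leading space), base64
    values ('::') and comment lines; records are separated by blank lines."""
    entries, lines = [], []

    def flush():
        if not lines:
            return
        dn, attrs = None, {}
        for line in lines:
            name, sep, value = line.partition(":")
            if sep == "":
                raise ValueError(f"malformed LDIF line: {line!r}")
            if value.startswith(":"):  # attr:: base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            name = name.strip().lower()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("LDIF record without a dn")
        entries.append((dn, attrs))
        lines.clear()

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            flush()
        elif raw.startswith(" ") and lines:  # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    flush()
    return entries


def normalize_dn(dn):
    """Comparison key: case-insensitive, whitespace around commas removed."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def password_policies(entries):
    """(dn, orclpwdpolicyenable value or None) for every entry of class pwdPolicy."""
    found = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "pwdpolicy" in classes:
            found.append((dn, attrs.get("orclpwdpolicyenable", [None])[0]))
    return found


def domain_policy_dn(entries, domain_container):
    """DN of the default policy under domain_container, or None when the export
    holds only the global policy (the case the text's caution warns about)."""
    target = normalize_dn(f"{POLICY_RDNS},{domain_container}")
    for dn, _ in password_policies(entries):
        if normalize_dn(dn) == target:
            return dn
    return None


def disable_change_record(dn):
    """LDIF change record for ldapmodify that sets orclpwdpolicyenable to 0."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: orclpwdpolicyenable\n"
            "orclpwdpolicyenable: 0\n"
            "-\n")


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, flag in password_policies(entries):
        print(f"enable={flag}  {dn}")
    dn = domain_policy_dn(entries, "dc=example,dc=com")
    print(disable_change_record(dn) if dn else "no domain-specific policy found; check the global entry")
```

Export the cn=pwdPolicies subtree with your directory's ldapsearch, run the script against it, and only then feed the generated change record to ldapmodify. Reading the entry back afterwards, as the procedure above suggests, confirms the attribute is now 0.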

24.8.3 Disabling ECC Operation and Using DCC Exclusively

You can skip this task to allow the DCC and ECC to co-exist, and maintain authentication schemes and policies for both credential collectors. To disable ECC, you must edit the oam-config.xml file. Generally, Oracle recommends not editing oam-config.xml. Changes to this file could result in lost data or overwriting of the file during data sync operations. However, there is no other way to disable the ECC completely in favor of the DCC.

Note:

After disabling the ECC, access to resources protected by schemes and policies that rely on the ECC will be prohibited, including access to the Oracle Access Management Console. Keep the backup of oam-config.xml taken in the procedure below so that you can restore the ECC if you need the console again.

Prerequisites

Configuring 11g WebGate and Authentication Policy for DCC

  1. Make your changes on the node running the AdminServer to minimize possible conflicts that another AdminConsole user might make.
  2. Back up oam-config.xml in $DOMAIN_HOME/config/fmwconfig/ and store the copy in a different location for use later if needed.
  3. Locate the ECCEnabled parameter in the OAMServicesDescriptor section and set its ServiceStatus to false, as shown here:
    <Setting Name="OAMServicesDescriptor" Type="htf:map">
      ... ...
      <Setting Name="ECCEnabled" Type="htf:map">
        <Setting Name="ServiceStatus" Type="xsd:boolean">false</Setting>
      </Setting>
      ... ...
    </Setting>

  4. Increment the configuration version number at the top of the file by 1. This associates your change with a new version and enables automatic propagation and dynamic activation across all running OAM Servers (see the Version setting in this example):
    <Setting xmlns="http://www.w3.org/2001/XMLSchema"
      Name="NGAMConfiguration" Type="htf:map">
      <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting>
      <Setting Name="Version" Type="xsd:integer">2</Setting>
      ... ...
    </Setting>
         
    
  5. Proceed to "Testing Your Multi-Step Authentication".
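As an added example (not Oracle code), the following script makes the edit from steps 2 to 4 with the safeguards they call for: it backs the file up to a separate directory first, changes exactly one ECCEnabled/ServiceStatus value, refuses to act if the file does not look as expected, and increments the top-level Version so the change propagates. The sample document is constructed from the fragments shown in this section; the nesting of OAMServicesDescriptor under a DeployedComponent setting is an assumption, and real files contain far more.

```python
"""Added example, not Oracle code: disable the ECC in oam-config.xml as in
section 24.8.3 (backup, single targeted change, Version bump). SAMPLE_OAM_CONFIG
is constructed from the fragments in the text; the DeployedComponent nesting is
an assumption."""
import datetime
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

XSD_NS = "http://www.w3.org/2001/XMLSchema"
ET.register_namespace("", XSD_NS)  # serialise with xmlns="..." like the original, not an ns0: prefix

SAMPLE_OAM_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Setting xmlns="http://www.w3.org/2001/XMLSchema" Name="NGAMConfiguration" Type="htf:map">
  <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting>
  <Setting Name="Version" Type="xsd:integer">2</Setting>
  <Setting Name="DeployedComponent" Type="htf:map">
    <Setting Name="OAMServicesDescriptor" Type="htf:map">
      <Setting Name="ECCEnabled" Type="htf:map">
        <Setting Name="ServiceStatus" Type="xsd:boolean">true</Setting>
      </Setting>
    </Setting>
  </Setting>
</Setting>
"""


def _is_setting(el, name):
    # Compare the local tag name so the default XML Schema namespace does not get in the way.
    return el.tag.rsplit("}", 1)[-1] == "Setting" and el.get("Name") == name


def find_settings(root, name):
    """Every <Setting Name=name> at any depth below root."""
    return [el for el in root.iter() if _is_setting(el, name)]


def child_setting(parent, name):
    """Direct child <Setting Name=name> of parent, or None."""
    return next((el for el in parent if _is_setting(el, name)), None)


def _ecc_status_element(root):
    descriptors = find_settings(root, "OAMServicesDescriptor")
    if len(descriptors) != 1:
        raise ValueError(f"expected one OAMServicesDescriptor, found {len(descriptors)}")
    ecc = child_setting(descriptors[0], "ECCEnabled")
    status = child_setting(ecc, "ServiceStatus") if ecc is not None else None
    if status is None:
        raise ValueError("ECCEnabled/ServiceStatus not found; file layout differs from the text")
    return status


def ecc_status(xml_text):
    """'true' or 'false': the ServiceStatus currently recorded for the ECC."""
    return _ecc_status_element(ET.fromstring(xml_text)).text.strip().lower()


def disable_ecc(xml_text):
    """Return (new_xml, old_version, new_version) with the ECC ServiceStatus set to
    false and the top-level Version incremented. Refuses files without an
    xsd:integer Version setting rather than guessing."""
    root = ET.fromstring(xml_text)
    _ecc_status_element(root).text = "false"
    version = child_setting(root, "Version")
    if version is None or version.get("Type") != "xsd:integer":
        raise ValueError("top-level Version setting missing or not xsd:integer")
    old = int(version.text.strip())
    version.text = str(old + 1)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n", old, old + 1


def disable_ecc_in_file(config_path, backup_dir):
    """Copy oam-config.xml to backup_dir (a different location, as step 2 says),
    then rewrite it in place with the ECC disabled. Returns (backup, old, new)."""
    config_path, backup_dir = Path(config_path), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.datetime.now().strftime("%Y%m%d-%H%M%S")
    backup = backup_dir / f"{config_path.name}.{stamp}.bak"
    shutil.copy2(config_path, backup)
    new_xml, old, new = disable_ecc(config_path.read_text(encoding="utf-8"))
    config_path.write_text(new_xml, encoding="utf-8")
    return backup, old, new


if __name__ == "__main__":
    new_xml, old, new = disable_ecc(SAMPLE_OAM_CONFIG)
    print(f"ECC {ecc_status(SAMPLE_OAM_CONFIG)} -> {ecc_status(new_xml)}; Version {old} -> {new}")
```

Run disable_ecc_in_file against $DOMAIN_HOME/config/fmwconfig/oam-config.xml on the AdminServer node, with a backup directory outside the domain. The script bumps Version on every run, so run it once; re-running it after a restore from the backup is fine, because the backup carries the old version number.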

24.8.4 Testing Your Multi-Step Authentication

You can perform a number of evaluations to confirm that your deployment is working properly.

  1. Confirm access after login:

    1. Open a new browser and request a resource.

    2. Log in with your user credentials.

    3. Confirm that you have access to the resource.

  2. Confirm no access on incorrect login:

    1. Open a new browser and request a resource.

    2. Log in with incorrect user credentials.

    3. Confirm that you must re-authenticate.

  3. Confirm lockout after exceeding maximum incorrect login attempts:

    1. Open a new browser and request a resource.

    2. Log in with incorrect user credentials repeatedly, until the maximum number of failed attempts in your policy is exceeded.

    3. Confirm that the user account is locked: the correct password must also be rejected until the lockout period expires or an administrator unlocks the account.

  4. Modify and evaluate your password expiry policy:

    1. Log in to the Oracle Access Management Console.

    2. In your password policy, reset the expiry and lockout periods (Table 24-2) so that you will see warnings on your next login.

    3. Save the policy updates.

    4. Open a new browser and request a resource.

    5. Verify the warning page appears advising that the password will expire.

    6. Click the link to continue without password change.

  5. Change your password:

    1. Open a new browser and request a resource.

    2. On the password expiry warning page, click the link to change your password.

    3. On the password change page, enter your correct old password.

    4. In the new password field, enter a new password that violates the password policy and confirm that the password validation error is displayed.

    5. Enter a new password that meets requirements and confirm success and access to the resource.