Administrators can enable DCC credential operations, update DCC forms for password policy, add PasswordPolicyValidationScheme to Authentication Policy, and use DCC for converged Federation flows.
The following steps describe configuring an 11g WebGate and Authentication Policy for use with the DCC. The appropriate sub sections are linked within each step.
Note:
If your environment uses the ECC, go to "Completing Password Policy Configuration".
Whether you are using a separate DCC or combined DCC and Resource WebGate, you must enable Allow Credential Collector Operations in the DCC's OAM Agent registration page.
With a separate DCC and Resource WebGate, you must also edit the Resource WebGate registration page to set the Logout Redirect URL to the DCC's logout.pl, as described in Step 3.
The following procedure presumes your deployment uses Open mode communication. If your deployment uses Simple or Cert mode communication, be sure to copy the appropriate artifacts when you perform Step 4.
Prerequisites
Access Manager provides several dynamic pages for user interactions with the DCC: $WEBGATE_HOME/webgate/ohs/oamsso/*, $WEBGATE_HOME/webgate/ohs/oamsso-bin/*pl, and $WEBGATE_HOME/webgate/ohs/oamsso-bin/templates/* (Table 24-3).
You can use your DCC Authentication Scheme in a Protected Resources Authentication Policy.
The steps you perform depend on the type of deployment you have:
Combined DCC/Resource WebGate: Perform Step 1 to add your DCC Authentication Scheme to the Protected Resources Authentication Policy of the combined DCC/Resource WebGate Application Domain.
Separate Resource WebGate: Perform Step 3 to add your DCC Authentication Scheme to the Protected Resources Authentication Policy of the separate Resource WebGate Application Domain.
Perform Step 2 regardless of your DCC deployment type. By default, login and logout forms are excluded through OHS /httpd.conf/webgate.conf so that you do not need to exclude them through policies. However, with the Chrome browser, you must explicitly exclude the async favicon.ico request (which overrides the DCCCtxCookie).
Note:
This example refers to the PasswordPolicyValidationScheme set for the DCC in Configuring Password Policy Authentication.
Prerequisites: Locating and Updating DCC Forms for Password Policy
1. Combined DCC/Resource WebGate: Open the DCC application domain.
Locate and open the Authentication Policy, Protected Resource Policy (see "Searching for an Authentication Policy").
Add your DCC Authentication Scheme to this policy (see "Defining Authentication Policies for Specific Resources").
Perform Step 2 if you have the Chrome browser. Otherwise, go to Step 4.
2. Chrome browser: Add and exclude the resource /favicon.ico in the DCCDomain, as follows.
From DCCDomain, click the Resources tab.
Find and open the HTTP resource /favicon.ico (or click the New Resource button and then add this resource).
Confirm or edit the Resource URL to: /favicon.ico
In the Protection section, Protection Level list, select Excluded, then click Apply.
Proceed to Step 4.
3. Separate Resource WebGate: Open the Resource WebGate application domain.
Locate and open the Authentication Policy, Protected Resource Policy (see "Searching for an Authentication Policy").
Add your DCC Authentication Scheme and an optional Failure URL (when not specified, Failure URL displays the default error page) to this policy (see "Defining Authentication Policies for Specific Resources").
Perform Step 2 if you have the Chrome browser. Otherwise, go to Step 4.
4. Restart your Web server and proceed to "Completing Password Policy Configuration".
The DCC is enhanced to work as a public end-point to the Access Manager server. HTTP requests to the DCC are tunneled through NAP to the proxy module of the Access Manager server. Only requests defined in the TunneledUrls parameter of the DCC Profile will be tunneled. The JSP pages and servlets are executed in the Access Manager server and the response is tunneled back to the DCC. The end user effectively communicates only to the DCC.
Note:
If a WebGate is configured as a DCC and federated flows are in use, the DCC WebGate cannot be used to protect the resource. A separate WebGate must be configured and used to protect the resource. Authentication and authorization requests will be tunneled to the OAM Server, and the ECC login form will be tunneled and displayed in the user's browser.
To use DCC for converged Federation flows, perform the following manual steps.