23.5 Configuring 11g WebGate and Authentication Policy for DCC

Administrators can enable DCC credential operations, update DCC forms for password policy, add PasswordPolicyValidationScheme to Authentication Policy, and use DCC for converged Federation flows.

The following steps describe how to configure an 11g WebGate and Authentication Policy for use with the DCC. The subsection for each step is linked within that step.

  1. Enabling DCC Credential Operations provides steps for either configuration:

    DCC Combined with Resource Webgate: Enable Allow Credential Collector Operations in the DCC's OAM Agent registration page.

    Separate DCC and Resource Webgate: Enable Allow Credential Collector Operations in the DCC's OAM Agent registration page and edit the Resource Webgate registration page to set the Logout Redirect URL to the DCC's logout.pl.

  2. Locating and Updating DCC Forms for Password Policy
  3. Adding PasswordPolicyValidationScheme to Authentication Policy for DCC provides steps for either configuration:

    DCC Combined with Resource Webgate: In the combined DCC/Resource Webgate Application Domain, update the Protected Resources Authentication Policy to use your DCC Authentication Scheme.

    Separate DCC and Resource Webgate: In the separate Resource Webgate Application Domain, update the Protected Resources Authentication Policy to use your DCC Authentication Scheme.

  4. Supporting Federation Flows With DCC provides steps to incorporate the DCC into Federation flows.

Note:

If your environment uses the ECC, go to "Completing Password Policy Configuration".

23.5.1 Enabling DCC Credential Operations

Whether you are using a separate DCC or combined DCC and Resource WebGate, you must enable Allow Credential Collector Operations in the DCC's OAM Agent registration page.

With a separate DCC and Resource WebGate, you must also edit the Resource WebGate registration page to set the Logout Redirect URL to the DCC's logout.pl, as described in Step 3.

The following procedure presumes your deployment uses Open mode communication. If your deployment uses Simple or Cert mode communication, be sure to copy the appropriate artifacts when you perform Step 4.

Prerequisites

  1. In the Access Manager section of the Oracle Access Management Console, click SSO Agents to find and open the registration page for the 11.1.2 Webgate that will function as the DCC.
  2. DCC WebGate Registration: Check Allow Credential Collector Operations, click Apply, then perform Steps 4 and 5.

    Note:

    If the DCC is combined with a Resource WebGate, skip Step 3.

  3. Separate Resource WebGate: Edit the Resource WebGate registration to set the Logout Redirect URL to the DCC's logout.pl (Table 24-3), click Apply, then perform Steps 4 and 5.
  4. Copy the Agent configuration file (including Simple or Cert mode files) from the AdminServer (Console) host to the Agent host. For example:

    Agent & Artifacts: 11g WebGate/Access Client
    Artifacts: ObAccessClient.xml and cwallet.sso
      From the AdminServer (Console) host: $DOMAIN_HOME/output/$Agent_Name/
      To the Agent host: $11gWG_install_dir/webgate/config

    Agent & Artifacts: Simple or Cert Mode
    Artifacts: Copy to the Agent host: $11gWG_install_dir/webgate/config
      • aaa_key.pem
      • aaa_cert.pem
      • aaa_chain.pem
      • password.xml
      See Also: Securing Communication

  5. Restart the OHS Web server.
  6. Proceed to "Locating and Updating DCC Forms for Password Policy".
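Step 4 above copies the agent artifacts by hand. As an added example that is not part of the Oracle documentation, the following POSIX shell function performs that copy for a given communication mode, refuses to proceed if an artifact the mode requires is missing from the source directory, and tightens the permissions of the wallet, private key and password file on the agent host. The function names, the open/simple/cert mode argument and the placeholder files that demo_copy constructs are assumptions for the illustration; on a real host the source is $DOMAIN_HOME/output/$Agent_Name/ and the destination is $11gWG_install_dir/webgate/config.

```shell
#!/bin/sh
# Added example (not Oracle's code): copy 11g WebGate artifacts produced on
# the AdminServer host into the agent's config directory. The mode argument
# (open | simple | cert) decides whether the Simple/Cert mode files are
# required as well; mode names and file layout are assumptions.

# copy_webgate_artifacts SRC DEST MODE
# Returns 1 if the mode is unknown or any required artifact is absent.
copy_webgate_artifacts() {
    src=$1; dest=$2; mode=$3
    files="ObAccessClient.xml cwallet.sso"
    case "$mode" in
        open) ;;
        simple|cert) files="$files aaa_key.pem aaa_cert.pem aaa_chain.pem password.xml" ;;
        *) echo "unknown communication mode: $mode" >&2; return 1 ;;
    esac
    mkdir -p "$dest" || return 1
    for f in $files; do
        if [ ! -f "$src/$f" ]; then
            echo "missing artifact for $mode mode: $src/$f" >&2
            return 1
        fi
        cp "$src/$f" "$dest/$f" || return 1
    done
    # The wallet, private key and password file must not be world-readable.
    for f in cwallet.sso aaa_key.pem password.xml; do
        if [ -f "$dest/$f" ]; then chmod 600 "$dest/$f"; fi
    done
    return 0
}

# demo_copy: constructed AdminServer output directory and agent config
# directory in a temp location, exercised in cert mode.
demo_copy() {
    tmp=$(mktemp -d)
    demo_src="$tmp/output/DCCAgent"; demo_dest="$tmp/webgate/config"
    mkdir -p "$demo_src"
    for f in ObAccessClient.xml cwallet.sso aaa_key.pem aaa_cert.pem aaa_chain.pem password.xml; do
        echo "constructed placeholder for $f" > "$demo_src/$f"
    done
    copy_webgate_artifacts "$demo_src" "$demo_dest" cert
    rc=$?
    ls -l "$demo_dest"
    rm -rf "$tmp"
    return $rc
}

demo_copy && echo "artifacts copied"
```

Run it on the agent host as the user that owns the WebGate installation, then restart OHS as in Step 5; a non-zero exit tells you which artifact the mode needs but the AdminServer output directory did not provide.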

23.5.2 Locating and Updating DCC Forms for Password Policy

Access Manager provides several dynamic pages for user interactions with the DCC.

  1. Locate the DCC forms in the WebGate host (Table 24-3): $WEBGATE_HOME/webgate/ohs/oamsso/*, $WEBGATE_HOME/webgate/ohs/oamsso-bin/*pl, and $WEBGATE_HOME/webgate/ohs/oamsso-bin/templates/*.
  2. Customize their location, depending on the desired topology of the authentication scheme being developed.
  3. Update Perl Location: In the first line of the login, logout, and securid scripts on the WebGate host ($WEBGATE_HOME/webgate/ohs/oamsso-bin/*pl, Table 24-3), update the Perl location so that it matches the actual location of the Perl interpreter.
  4. Customize the default pages for your enterprise, or replace them entirely with custom pages. For example, you can design, implement, and deploy a custom page that displays a different version of the login form for a mobile browser than is used for a desktop browser.
  5. Proceed to "Adding PasswordPolicyValidationScheme to Authentication Policy for DCC".
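Step 3 above changes the interpreter line of the DCC Perl scripts. As an added example that is not part of the Oracle documentation, the following POSIX shell functions rewrite the first line of every *.pl script in a directory to the Perl path you supply, keep the script body and execute permission intact, and verify that every script now names that interpreter. The function names and the sample scripts that demo_update constructs are assumptions; on a real host the directory is $WEBGATE_HOME/webgate/ohs/oamsso-bin and the Perl path is whatever "command -v perl" reports there.

```shell
#!/bin/sh
# Added example (not Oracle's code): point the shebang line of the DCC
# scripts (login.pl, logout.pl, securid.pl) at the Perl interpreter that is
# actually installed on the WebGate host. Function names are assumptions.

# set_perl_location DIR PERL_PATH
# Rewrites the "#!" line of each *.pl in DIR to "#!PERL_PATH"; scripts
# without a shebang line are skipped with a warning.
set_perl_location() {
    dir=$1; perl=$2
    if [ ! -x "$perl" ]; then
        echo "warning: $perl is not an executable interpreter on this host" >&2
    fi
    for f in "$dir"/*.pl; do
        [ -f "$f" ] || continue
        first=$(head -n 1 "$f")
        case "$first" in
            "#!"*) ;;
            *) echo "skipping $f: no shebang line" >&2; continue ;;
        esac
        if [ "$first" = "#!$perl" ]; then continue; fi
        # Build the new content in a temp file, then overwrite the script
        # in place so its owner and execute bit are preserved.
        tmp="$f.tmp.$$"
        { echo "#!$perl"; tail -n +2 "$f"; } > "$tmp" || return 1
        cat "$tmp" > "$f" && rm -f "$tmp" || return 1
    done
    return 0
}

# check_perl_location DIR PERL_PATH
# Returns 0 only when every *.pl in DIR starts with "#!PERL_PATH".
check_perl_location() {
    dir=$1; perl=$2; bad=0
    for f in "$dir"/*.pl; do
        [ -f "$f" ] || continue
        if [ "$(head -n 1 "$f")" != "#!$perl" ]; then
            echo "wrong interpreter in $f: $(head -n 1 "$f")" >&2
            bad=1
        fi
    done
    return $bad
}

# demo_update: constructed oamsso-bin directory holding the three DCC
# scripts, each shipped with a shebang for a Perl that may not exist here.
demo_update() {
    tmp=$(mktemp -d)
    for s in login logout securid; do
        printf '#!/usr/local/bin/perl\nprint "%s\\n";\n' "$s" > "$tmp/$s.pl"
        chmod 755 "$tmp/$s.pl"
    done
    set_perl_location "$tmp" /usr/bin/perl
    check_perl_location "$tmp" /usr/bin/perl
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_update && echo "all DCC scripts now use /usr/bin/perl"
```

After running set_perl_location against the real oamsso-bin directory, a clean exit from check_perl_location confirms the scripts agree with the interpreter path; the non-executable warning is the signal that the path you passed is not the Perl installed on that host.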

23.5.3 Adding PasswordPolicyValidationScheme to Authentication Policy for DCC

You can use your DCC Authentication Scheme in a Protected Resources Authentication Policy.

The steps you perform depend on the type of deployment you have:

  • Combined DCC/Resource WebGate: Perform Step 1 to add your DCC Authentication Scheme to the Protected Resources Authentication Policy of the combined DCC/Resource WebGate Application Domain.

  • Separate Resource WebGate: Perform Step 3 to add your DCC Authentication Scheme to the Protected Resources Authentication Policy of the separate Resource WebGate Application Domain.

Perform Step 2 regardless of your DCC deployment type. By default, login and logout forms are excluded through OHS /httpd.conf/webgate.conf so that you do not need to exclude them through policies. However, with the Chrome browser, you must explicitly exclude the async favicon.ico request (which overrides the DCCCtxCookie).

Note:

This example refers to the PasswordPolicyValidationScheme set for the DCC in Configuring Password Policy Authentication.

Prerequisites

Locating and Updating DCC Forms for Password Policy

  1. Combined DCC/Resource WebGate: Open the DCC application domain:

    • Policy Configuration
    • Application Domains
    • DCCDomain
    1. Locate and open the Authentication Policy, Protected Resource Policy (see "Searching for an Authentication Policy").

    2. Add your DCC Authentication Scheme to this policy (see "Defining Authentication Policies for Specific Resources").

      • PasswordPolicyValidationScheme (DCC Authentication Scheme)
    3. Perform Step 2 if you have the Chrome Browser. Otherwise, go to Step 4.

  2. Chrome Browser: Add and exclude resource /favicon.ico in the DCCDomain, as follows.

    1. From DCCDomain, click the Resources tab.

    2. Find and open the HTTP resource /favicon.ico (or click the New Resource button and then add this resource).

    3. Confirm or edit the Resource URL to:

      /favicon.ico
      
    4. In the Protection section, Protection Level list, select Excluded, then click Apply.

    5. Proceed to Step 4.

  3. Separate Resource Webgate: Open the Resource Webgate application domain.

    • Policy Configuration
    • Application Domains
    • ResourceWGDomain
    1. Locate and open the Authentication Policy, Protected Resource Policy (see "Searching for an Authentication Policy").

    2. Add your DCC Authentication Scheme and an optional Failure URL (when not specified, Failure URL displays the default error page) to this policy (see "Defining Authentication Policies for Specific Resources"):

      • DCC Authentication Scheme
      • Failure URL (optional)
    3. Perform Step 2 if you have the Chrome Browser. Otherwise, go to Step 4.

  4. Restart your Web server and proceed to "Completing Password Policy Configuration".

23.5.4 Supporting Federation Flows With DCC

The DCC is enhanced to work as a public end-point to the Access Manager server. HTTP requests to the DCC are tunneled through NAP to the proxy module of the Access Manager server. Only requests defined in the TunneledUrls parameter of the DCC Profile will be tunneled. The JSP pages and servlets are executed in the Access Manager server and the response is tunneled back to the DCC. The end user effectively communicates only to the DCC.

Note:

If a WebGate is configured as a DCC and federated flows are in use, the DCC WebGate cannot be used to protect the resource. A separate WebGate must be configured and used to protect the resource. Authentication and authorization requests will be tunneled to the OAM Server, and the ECC login form will be tunneled and displayed in the user's browser.

To use DCC for converged Federation flows, perform the following manual steps.

  1. Configure the following internal resources as Public instead of Excluded.
    /oamfed/.../*
    /oam/.../*
    /.../*
    
  2. In the DCC WebGate, set the logout value to a valid DCC WebGate logout URL; for example, /oamsso-bin/logout.pl
  3. Update the DCC Agent entry by adding the following entry to the User Defined Parameters list using the Access Manager Administration Console.
    TunneledUrls=/oam,/oamfed

    See Configuring OAP Tunneling.

  4. Update the OAM public endpoint entry so that it points to the DCC WebGate.

    Under Access Manager Settings, set the OAM Server Host, OAM Server Port and OAM Server Protocol to the values pertinent to the OHS/DCC and click Apply.

    Note:

    Alternatively, you can update a single Authentication Scheme to point to the DCC WebGate by altering its Challenge Redirect URL, leaving the REST parameters unchanged.

  5. Update the ProviderID value under Federation Settings (if applicable) and redistribute the new metadata to all Federation partners due to the endpoint change.
  6. Set the contextType to 'External'.

    See Authentication Schemes and Pages for details on this setting.