24.6 Managing Global Password Policy

Regardless of whether you choose the ECC or DCC, you can configure a global password policy that applies to all Access Manager-protected resources.

Authentication involves determining which credentials a user must supply when requesting access to a resource, gathering those credentials, and returning a response based on the results of credential validation. Access Manager authentication processing relies on an authentication module (or plug-in) to define the rules governing the requirements and transmission of information to the back-end authentication scheme. By default, Access Manager uses the OAM Server Embedded Credential Collector (ECC) for authentication processing. However, you can also configure an 11g WebGate to act as a detached credential collector (DCC) instead.

Note:

Both the ECC and DCC facilitate multi-step authentication flows where credentials are not provided all at once. This increases the flexibility of interaction with users or programmatic entities for the purpose of collecting authentication-related information. For more information, see Orchestrating Multi-Step Authentication with Plug-in Based Modules.

The following overview provides links to topics that describe how to configure and use the password policy. Unless explicitly stated, all tasks apply equally to the ECC and DCC. Skip any tasks that do not apply to your deployment.

Password policy management includes the following tasks:

  1. Defining Your Global Password Policy

  2. Adding Key Password Attributes to the Default Store

  3. Adding an Administrator to Change User Attributes After a Password Change

  4. Configuring Password Policy Authentication

  5. DCC: Configuring 11g WebGate and Authentication Policy for DCC

  6. Completing Password Policy Configuration

  7. Testing Your Multi-Step Authentication

24.6.1 Defining Your Global Password Policy

Users with Oracle Access Management Administrator credentials can define a common password policy based on enterprise-defined requirements.

Note:

The only difference between a global password policy for the ECC versus the DCC is the Password Service URL, which is credential collector-specific and defaults to the ECC pages as shown in Step 2.

The specifications in this example are for illustration only. Your environment will be different.

  1. In the Oracle Access Management Console, click Application Security at the top of the window.
  2. In the Application Security console, click Password Policy.
  3. On the Password Policy page, enter the Password Service URL for the desired credential collector login page (ECC or DCC, Table 24-3).
    ECC Password Service URL: /pages/login.jsp
    DCC Password Service URL: /oamsso-bin/login.pl

  4. On the Password Policy page, enter values (Table 24-2) based on requirements for your enterprise. For example:
    • Warn After 3

    • Expire After 20

    • Permanent Lockout (Disable)

    • Lockout duration 1

    • Minimum Special Characters 1

  5. Click Apply to submit the policy.
  6. Proceed as needed for your environment; skip any tasks that have been completed already:

24.6.2 Designating the Default Store for Your Password Policy

The Password Policy operates only with the designated Default Store. Administrator roles and credentials must reside in the System Store.

  1. In the Oracle Access Management Console, click Configuration at the top of the window.

  2. In the Configuration console, click User Identity Stores.

  3. Set the System Store: Administrator roles and credentials must reside in this store.

    1. Open the page of the store to designate as the System Store.

    2. Check Set as system store (for domain wide authentication and authorization operations).

    3. Click Apply.

    4. Add Administrators: See "Managing Administrator Roles".

    5. Authentication Module: Set the LDAP Authentication Module used by the OAMAdminConsoleScheme (authentication scheme) to use this System Store.

    6. Configure one or more authentication plug-ins to use this store, as described in "Orchestrating Multi-Step Authentication with Plug-in Based Modules".

  4. Set Default Store: This store is required for Password Policy, Security Token Service, and migration when patching.

    1. Open the page of the store to designate as the Default Store.

    2. Check the box beside Set as default store.

    3. Authentication Module: Locate OAMAdminConsoleScheme and confirm that the LDAP module does not refer to this store. See "Managing Native Authentication Modules".

    4. Authorization Policy Conditions: Choose the desired user identity store when setting Identity Conditions in Authorization Policies. See "Defining Authorization Policy Conditions".

    5. Token Issuance Policy Conditions: Choose the desired user identity store when setting Identity Conditions in Token Issuance Policies. See "Managing Token Issuance Policies, Conditions, and Rules".

  5. Close the registration page.

24.6.3 Adding Key Password Attributes to the Default Store

The Password Policy operates only with the designated Default Store.

This section provides steps for extending the default store schema for Oracle Access Management password policy operations.

24.6.3.1 LDIF Files and Key Password Attributes for Password Policy

The LDIF (Lightweight Directory Interchange Format) files distributed as part of Access Manager extend the directory schema with the required object classes. Generally, these are applied when the Access Manager and Oracle Identity Management wiring has been performed manually. The user data object definition in the Access Manager schema is extended with attributes that enable password user status and password history maintenance. This definition is provided in an LDIF file and must be added to each user identity store using the ldapadd tool.

Oracle-provided LDIFs are identified in Table 24-6.

Note:

OAM_HOME contains installed files necessary to host Oracle Access Management. OAM_HOME resides within the directory structure of the Middleware home ($MW_HOME).

Table 24-6 Location of Oracle-provided LDIFs for LDAP Providers

LDAP Provider                                        LDIF Location

OID: Oracle Internet Directory                       $OAM_HOME/oam/server/pswdservice/ldif/OID_PWDPersonSchema.ldif
OVD: Oracle Virtual Directory                        $OAM_HOME/oam/server/pswdservice/ldif/OVD_PWDPersonSchema.ldif
AD: Microsoft Active Directory                       $OAM_HOME/oam/server/pswdservice/ldif/AD_PWDPersonSchema.ldif
SJS: Sun Java System Directory                       $OAM_HOME/oam/server/pswdservice/ldif/IPLANET_PWDPersonSchema.ldif
eDirectory: Novell eDirectory                        $OAM_HOME/oam/server/pswdservice/ldif/EDIR_PWDPersonSchema.ldif
ODSEE: Oracle Directory Server Enterprise Edition    $OAM_HOME/oam/server/pswdservice/ldif/IPLANET_PWDPersonSchema.ldif
OUD: Oracle Unified Directory                        $OAM_HOME/oam/server/pswdservice/ldif/OUD_PWDPersonSchema.ldif
SLAPD: OpenLDAP Directory                            $OAM_HOME/oam/server/pswdservice/ldif/OLDAP_PWDPersonSchema.ldif
IBM: IBM Tivoli Directory                            $OAM_HOME/oam/server/pswdservice/ldif/TIVOLI_PWDPersonSchema.ldif

The attributes that enable password user status and password history maintenance are shown in Table 24-7. The user data object of each user identity store must include these attributes. They can be added with the ldapadd tool and the appropriate LDIF (Lightweight Directory Interchange Format) file.

Table 24-7 Key Password Attributes in a Password Policy

Attribute: obPasswordCreationDate
  Description: The date and time used to calculate (at the time of user login) whether the password has expired and whether a warning needs to be issued.
  Format and Values: YYYY-MM-DDThh:mm:ssZ

Attribute: obPasswordHistory
  Description: Used to track the last passwords used. Access Manager understands the 10g oblixPersonPwdPolicy format and converts it to the new format.
  Format and Values:
    New format: password1###password2###
    Previous format: passwordX = SHA256 (password+canonical userid)

Attribute: obPasswordChangeFlag
  Description: Used during a forced password change at first-time user login (or a forced password change initiated by the Administrator).
  Format and Values: Boolean string value: true | false. An empty string represents false.

Attribute: obuseraccountcontrol
  Description: Used to represent a disabled user.
  Format and Values: Non-encrypted string value: activated | deactivated. An empty string represents "activated".

Attribute: obpasswordexpirydate
  Description: The time after which the user password is considered to be expired.
  Format and Values: YYYY-MM-DDThh:mm:ssZ. An empty value represents not expired.

Attribute: obLockoutTime
  Description: The time up to which the user is considered to be locked out due to too many login attempts.
  Format and Values: Epoch value (in seconds) representing a time in the future: seconds since 01 January 1970.

Attribute: obLoginTryCount
  Description: The number of consecutive login failures by the user. This counter is reset on the first correct password entry.
  Format and Values: Non-encrypted integer value: 1, 2, 3, and so on.

Attribute: oblastsuccessfullogin
  Description: The time of the last successful login.
  Format and Values: YYYY-MM-DDThh:mm:ssZ

Attribute: oblastfailedlogin
  Description: The time of the last failed login.
  Format and Values: YYYY-MM-DDThh:mm:ssZ
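As an added example (not Oracle code), the following Python evaluates a constructed user entry's ob* attributes the way Table 24-7 describes them: dates in YYYY-MM-DDThh:mm:ssZ, obLockoutTime in epoch seconds, empty strings as the documented defaults, and a ###-separated history whose entries are assumed to be hex SHA256(password + canonical userid) digests. The Warn After and Expire After policy values are treated as days counted from obPasswordCreationDate, which is an assumed interpretation; the entry, clock and policy values are all constructed.

```python
import hashlib
from datetime import datetime, timedelta, timezone

ZULU = "%Y-%m-%dT%H:%M:%SZ"   # the YYYY-MM-DDThh:mm:ssZ format used by the date attributes

def history_hash(password, canonical_uid):
    # passwordX = SHA256(password + canonical userid); hex encoding of the digest is assumed
    return hashlib.sha256((password + canonical_uid).encode("utf-8")).hexdigest()

def password_in_history(password, entry):
    # New-format history is 'password1###password2###'; the split leaves an empty trailing field
    stored = [h for h in entry.get("obPasswordHistory", "").split("###") if h]
    return history_hash(password, entry["uid"]) in stored

def parse_zulu(value):
    # An empty value means "not set" for every date attribute in Table 24-7
    return datetime.strptime(value, ZULU).replace(tzinfo=timezone.utc) if value else None

def evaluate(entry, now, warn_after_days, expire_after_days):
    """Derive the login-time decisions from the ob* attributes.  Warn After and
    Expire After are taken as days counted from obPasswordCreationDate (assumed
    interpretation); an explicit obpasswordexpirydate takes precedence."""
    created = parse_zulu(entry.get("obPasswordCreationDate", ""))
    expiry = parse_zulu(entry.get("obpasswordexpirydate", ""))
    if expiry is None and created is not None:
        expiry = created + timedelta(days=expire_after_days)
    lockout = entry.get("obLockoutTime", "")   # epoch seconds; empty means no lockout
    return {
        "disabled": entry.get("obuseraccountcontrol", "") == "deactivated",
        "force_change": entry.get("obPasswordChangeFlag", "") == "true",
        "locked_out": bool(lockout) and int(lockout) > int(now.timestamp()),
        "expired": expiry is not None and now >= expiry,
        "warn": (created is not None and expiry is not None and now < expiry
                 and now >= created + timedelta(days=warn_after_days)),
        "failed_attempts": int(entry.get("obLoginTryCount") or 0),
    }

# Constructed sample entry and clock (not taken from any real directory).
NOW = datetime(2024, 1, 20, 12, 0, 0, tzinfo=timezone.utc)
USER = {
    "uid": "jdoe",                                  # canonical user id used for history hashing
    "obPasswordCreationDate": "2024-01-10T08:00:00Z",
    "obpasswordexpirydate": "",                     # empty: expiry derived from creation date
    "obPasswordChangeFlag": "",                     # empty string represents false
    "obuseraccountcontrol": "",                     # empty string represents activated
    "obLockoutTime": str(int(datetime(2024, 1, 20, 13, tzinfo=timezone.utc).timestamp())),
    "obLoginTryCount": "2",
    "obPasswordHistory": "###".join(history_hash(p, "jdoe") for p in ("Winter2023!", "Autumn2023!")) + "###",
}
```

With the sample values, evaluate(USER, NOW, 3, 20) reports a password-expiry warning and an active lockout but no expiry, and a reuse of "Winter2023!" is rejected by the history check.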

24.6.3.2 Extending the Default Store Schema with Password Policy Attributes

You can skip this task if the environment has been configured using idmConfigTool -prepareIDStore. If your user identity store has not been extended with the oblix schema, you must update the schema to include the object classes required by the password service. LDAP tools should be run from the /bin directory beneath $OAM_HOME.

The following procedure illustrates extending the Oracle Internet Directory schema. Your environment might be different.

  1. Use the following command to update the Oracle Internet Directory object classes of the designated Default Store required by the password service:
    ldapadd -D "cn=orcladmin" -w <password> -h <hostname> -p 3060 -x -f $OAM_HOME/oam/server/pswdservice/ldif/OID_PWDPersonSchema.ldif

  2. Proceed to "Adding an Administrator to Change User Attributes After a Password Change".

24.6.4 Adding an Administrator to Change User Attributes After a Password Change

You can modify the Default Store (Oracle Internet Directory in this example) to use a different privileged account as the Bind DN. This enables sufficient privileges to change user attributes after a password change.

Prerequisites

Register a supported LDAP store and designate it as the Default Store. Ensure that the user you add is defined within the Default Store.

  1. In the Oracle Access Management Console, click Configuration at the top of the window.

  2. In the Configuration console, click Administration.

  3. Add a New Administrator:

    1. In the Administration page, click Grant.

    2. In the dialog that appears, click Search.

    3. Select the desired role from the Roles drop-down list and click Add Selected to grant it to the selected user.

    4. Click Apply to submit the changes.

  4. Proceed with "Configuring Password Policy Authentication".