Regardless of whether you choose the ECC or DCC, you can configure a global password policy that applies to all Access Manager-protected resources.
Authentication involves determining which credentials a user must supply when requesting access to a resource, gathering those credentials, and returning a response based on the results of credential validation. Access Manager authentication processing relies on an authentication module (or plug-in) to define the rules governing the requirements and transmission of information to the back-end authentication scheme. By default, Access Manager uses the OAM Server Embedded Credential Collector (ECC) for authentication processing. However, you can also configure an 11g WebGate to act as a Detached Credential Collector (DCC) instead.
Note:
Both the ECC and DCC facilitate multi-step authentication flows where credentials are not provided all at once. This increases the flexibility of interaction with users or programmatic entities for the purpose of collecting authentication-related information. For more information, see Orchestrating Multi-Step Authentication with Plug-in Based Modules.
The following overview provides links to topics that describe how to configure and use the password policy. Unless explicitly stated, all tasks apply equally to the ECC and DCC. Skip any tasks that do not apply to your deployment.
Password policy management includes
Users with Oracle Access Management Administrator credentials can define a common password policy based on enterprise-defined requirements.
Note:
The only difference between a global password policy for the ECC versus the DCC is the Password Service URL, which is credential collector-specific and defaults to ECC pages as shown in Step 2.
The specifications in this example are for illustration only. Your environment will be different.
The Password Policy operates only with the designated Default Store. Administrator roles and credentials must reside in the System Store.
In the Oracle Access Management Console, click Configuration at the top of the window.
In the Configuration console, click User Identity Stores.
Set the System Store: Administrator roles and credentials must reside in this store.
Open the page of the store to designate as the System Store.
Check Set as system store (for domain wide authentication and authorization operations).
Click Apply.
Add Administrators: See "Managing Administrator Roles".
Authentication Module: Set the LDAP Authentication Module used by the OAMAdminConsoleScheme (authentication scheme) to use this System Store.
Configure one or more authentication plug-ins to use this store, as described in "Orchestrating Multi-Step Authentication with Plug-in Based Modules".
Set Default Store: This store is required for Password Policy, Security Token Service, and migration when patching.
Open the page of the store to designate as the Default Store.
Check the box beside Set as default store.
Authentication Module: Locate OAMAdminConsoleScheme and confirm that the LDAP module does not refer to this store. See "Managing Native Authentication Modules".
Authorization Policy Conditions: Choose the desired user identity store when setting Identity Conditions in Authorization Policies. See "Defining Authorization Policy Conditions".
Token Issuance Policy Conditions: Choose the desired user identity store when setting Identity Conditions in Token Issuance Policies. See "Managing Token Issuance Policies, Conditions, and Rules".
Close the registration page.
The Password Policy operates only with the designated Default Store.
This section provides steps for extending the default store schema for Oracle Access Management password policy operations.
The LDIF (Lightweight Directory Interchange Format) files distributed as part of Access Manager extend the schema with the required object classes. Generally, these are applied by idmConfigTool -prepareIDStore, unless the Access Manager and Oracle Identity Management wiring has been performed manually. The user data object definition in the Access Manager schema is extended with attributes that enable password user status and password history maintenance. This definition is provided in an LDIF file, and must be added to each user identity store using the ldapadd tool.
Oracle-provided LDIFs are identified in Table 24-6.
Note:
OAM_HOME contains installed files necessary to host Oracle Access Management. OAM_HOME resides within the directory structure of the Middleware home ($MW_HOME).
Table 24-6 Location of Oracle-provided LDIFs for LDAP Providers
| LDAP Provider | LDIF Location |
|---|---|
| OID: Oracle Internet Directory | $OAM_HOME/oam/server/pswdservice/ldif/OID_PWDPersonSchema.ldif |
| OVD: Oracle Virtual Directory | $OAM_HOME/oam/server/pswdservice/ldif/OVD_PWDPersonSchema.ldif |
| AD: Microsoft Active Directory | $OAM_HOME/oam/server/pswdservice/ldif/AD_PWDPersonSchema.ldif |
| SJS: Sun Java System Directory | $OAM_HOME/oam/server/pswdservice/ldif/IPLANET_PWDPersonSchema.ldif |
| eDirectory: Novell eDirectory | $OAM_HOME/oam/server/pswdservice/ldif/EDIR_PWDPersonSchema.ldif |
| ODSEE: Oracle Directory Server Enterprise Edition | $OAM_HOME/oam/server/pswdservice/ldif/IPLANET_PWDPersonSchema.ldif |
| OUD: Oracle Unified Directory | $OAM_HOME/oam/server/pswdservice/ldif/OUD_PWDPersonSchema.ldif |
| SLAPD: OpenLDAP Directory | $OAM_HOME/oam/server/pswdservice/ldif/OLDAP_PWDPersonSchema.ldif |
| IBM: IBM Tivoli Directory | $OAM_HOME/oam/server/pswdservice/ldif/TIVOLI_PWDPersonSchema.ldif |
The attributes that enable password user status and password history maintenance are shown in Table 24-7. The user data object of each user identity store must include these attributes. They are added with the ldapadd tool and the LDIF (Lightweight Directory Interchange Format) file for your LDAP provider.
Table 24-7 Key Password Attributes in a Password Policy
| Attribute | Description | Format and Values |
|---|---|---|
| obPasswordCreationDate | The date and time used to calculate (at the time of user login) whether the password has expired and whether a warning needs to be issued. | YYYY-MM-DDThh:mm:ssZ |
| obPasswordHistory | Used to track the last N passwords used. Access Manager understands the 10g oblixPersonPwdPolicy format and converts it to the new format. | New format: Previous format: |
| obPasswordChangeFlag | Used during a forced password change on first-time user login (or a forced password change initiated by the Administrator). | Boolean string value. Empty string represents |
| obuseraccountcontrol | Used to represent a disabled user. | Non-encrypted string value. Empty string represents "activated". |
| obpasswordexpirydate | The time after which the user password is considered expired. | YYYY-MM-DDThh:mm:ssZ. Empty value represents |
| obLockoutTime | The time up to which the user is considered locked out due to too many login attempts. | Epoch value (in seconds) representing a time in the future. |
| obLoginTryCount | The number of consecutive login failures by the user. This counter is reset on the first correct password entry. | Non-encrypted integer value. |
| oblastsuccessfullogin | The time of the last successful login. | YYYY-MM-DDThh:mm:ssZ |
| oblastfailedlogin | The time of the last failed login. | YYYY-MM-DDThh:mm:ssZ |
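The following is an added example (not Oracle code and not part of this page) showing how the attribute formats in Table 24-7 fit together when a credential collector evaluates a user entry: the ISO-8601 date attributes, the epoch-seconds obLockoutTime, the "empty string means not set" convention for obuseraccountcontrol and obLockoutTime, and the obLoginTryCount counter that resets on a correct password. The user entry is constructed, and the policy limits (password age, warning window, failure threshold, lockout duration) are assumed values that a real deployment takes from the configured password policy, not from this page. The emitted LDIF is a standard changetype: modify record; a replace with no values clears the attribute, which is how the empty-string states in the table are written back.

```python
"""Evaluate and update the Access Manager password-state attributes of a user entry.

Added example, not Oracle code. Policy limits below are assumptions.
"""
from datetime import datetime, timedelta, timezone

PASSWORD_AGE_DAYS = 90      # assumed policy value
WARN_DAYS = 7               # assumed policy value
MAX_FAILURES = 5            # assumed policy value
LOCKOUT_SECONDS = 15 * 60   # assumed policy value

TS = "%Y-%m-%dT%H:%M:%SZ"   # YYYY-MM-DDThh:mm:ssZ, as in Table 24-7

# Constructed user entry; the provider-specific OAM object class from the LDIF
# in Table 24-6 must also be present on a real entry (its name is not shown here).
SAMPLE_ENTRY = """\
dn: cn=jdoe,cn=Users,dc=example,dc=com
objectClass: inetOrgPerson
cn: jdoe
obPasswordCreationDate: 2024-01-01T09:00:00Z
obPasswordHistory:
obPasswordChangeFlag:
obuseraccountcontrol:
obpasswordexpirydate:
obLockoutTime:
obLoginTryCount: 2
oblastsuccessfullogin: 2024-03-01T08:00:00Z
oblastfailedlogin: 2024-03-02T08:00:00Z
"""


def parse_ldif_entry(text):
    """Minimal single-entry LDIF parser; attribute names are case-insensitive in LDAP."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def attr(entry, name):
    """First value of an attribute, or "" when absent or empty (the table's 'not set')."""
    vals = entry.get(name.lower(), [])
    return vals[0] if vals else ""


def parse_ts(value):
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc) if value else None


def account_state(entry, now):
    """Return disabled / locked / must_change / expired / warn / ok, in that precedence."""
    if attr(entry, "obuseraccountcontrol"):          # empty == activated; anything else == disabled
        return "disabled"
    lock = attr(entry, "obLockoutTime")
    if lock and int(lock) > now.timestamp():          # epoch seconds still in the future
        return "locked"
    if attr(entry, "obPasswordChangeFlag").lower() == "true":
        return "must_change"
    expiry = parse_ts(attr(entry, "obpasswordexpirydate"))
    if expiry is None:                                # empty expiry: derive it from creation date
        created = parse_ts(attr(entry, "obPasswordCreationDate"))
        expiry = created + timedelta(days=PASSWORD_AGE_DAYS) if created else None
    if expiry is not None:
        if now >= expiry:
            return "expired"
        if now >= expiry - timedelta(days=WARN_DAYS):
            return "warn"
    return "ok"


def record_login(entry, success, now):
    """Modifications to write back after a login attempt, as (op, attribute, value) tuples."""
    stamp = now.strftime(TS)
    if success:
        return [("replace", "obLoginTryCount", "0"),     # counter resets on first correct password
                ("replace", "obLockoutTime", ""),        # "" clears the attribute
                ("replace", "oblastsuccessfullogin", stamp)]
    tries = int(attr(entry, "obLoginTryCount") or "0") + 1
    mods = [("replace", "obLoginTryCount", str(tries)),
            ("replace", "oblastfailedlogin", stamp)]
    if tries >= MAX_FAILURES:
        mods.append(("replace", "obLockoutTime", str(int(now.timestamp()) + LOCKOUT_SECONDS)))
    return mods


def to_ldif(dn, mods):
    """Render the modifications as a changetype: modify record for ldapmodify."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, name, value in mods:
        lines.append(f"{op}: {name}")
        if value != "":
            lines.append(f"{name}: {value}")
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_ENTRY)
    now = datetime(2024, 3, 25, 10, 0, tzinfo=timezone.utc)
    print(account_state(entry, now))
    print(to_ldif(attr(entry, "dn"), record_login(entry, False, now)))
```

The precedence order in account_state matters: a disabled or locked account must be reported as such before any password-age check, or an attacker can use the expiry message to confirm that a locked account's credentials were otherwise valid.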
If your user identity store has not been extended with the oblix schema (for example, by idmConfigTool -prepareIDStore), you must update the schema to include the object classes required by the password service. Run the LDAP tools from the /bin directory beneath $OAM_HOME. The following procedure illustrates extending the Oracle Internet Directory schema; your environment might be different.
You can modify the Default Store (Oracle Internet Directory in this example) to use a different privileged account as the Bind DN. The Bind DN account must have sufficient privileges to change user attributes after a password change; otherwise Access Manager cannot update the user's password-state attributes.
Prerequisites
Register a supported LDAP store and designate it as the Default Store. Ensure that the user you add is defined within the Default Store.
In the Oracle Access Management Console, click Configuration at the top of the window.
In the Configuration console, click Administration.
Add a New Administrator:
In the Administration page, click Grant.
In the dialog that appears, click Search.
Select the desired role from the Roles drop-down list and click Add Selected to grant it to the selected user.
Click Apply to submit the changes.
Proceed with "Configuring Password Policy Authentication".