Oracle® Access Manager Access Administration Guide 10g (10.1.4.0.1)
Part Number B25990-01
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
  Audience
  Documentation Accessibility
  Related Documents
  Conventions
What's New in Oracle Access Manager?
  Product and Component Name Changes
  WebGate Updates
  URL Prefixes and Patterns
  Triggering Authentication Actions After the ObSSOCookie Is Set
  Form-based Authentication
  Disabling Authentication Schemes
  Persistent Cookies in Authentication Schemes
  Configuring Logout
  Associating WebGates with Specific Virtual Hosts, Directories, and Files
  Troubleshooting
Part I Configuring the Access System
1 Overview of Access System Configuration and Administration
  1.1 About the Access System
  1.2 Access System Components
  1.3 Review of Access System Installation and Setup
  1.4 About Configuring Resources and Rules for Who Can Access Them
  1.5 About Configuring and Managing the Access System Components
2 Configuring Access Administrators and Server Settings
  2.1 Prerequisites
  2.2 Configuring Access Administrators
    2.2.1 Configuring Master Access Administrators
    2.2.2 Configuring Delegated Access Administrators
    2.2.3 Creating a Group of Delegated Access Administrators
    2.2.4 Modifying a Group of Delegated Administrators
  2.3 Managing Server Settings
    2.3.1 Viewing Server Settings
    2.3.2 Customizing Email Addresses
    2.3.3 Configuring a Single Sign-On Logout URL
    2.3.4 Configuring the Directory Server
3 Configuring WebGates and Access Servers
  3.1 About Configuring the Access System
  3.2 Prerequisites for Configuring AccessGates and Access Servers
  3.3 Configuring Access Servers
    3.3.1 Viewing Access Server Configuration Details
      3.3.1.1 Access Server Configuration Parameters
    3.3.2 Adding an Access Server Instance
      3.3.2.1 Configuring a Directory Server Profile for the Access Server
    3.3.3 Modifying Access Server Details
    3.3.4 Deleting an Access Server
    3.3.5 Clustering Access Servers
      3.3.5.1 Managing Access Server Clusters
    3.3.6 Managing Access Servers from the Command Line
      3.3.6.1 Using the ConfigureAAAServer Tool
      3.3.6.2 Setting the Number of Queues from the Command Line
  3.4 Configuring AccessGates
    3.4.1 Viewing AccessGates
    3.4.2 AccessGate Configuration Parameters
    3.4.3 Adding an AccessGate
      3.4.3.1 Configuring Logout for an Identity System Resource
      3.4.3.2 Configuring User-Defined Parameters
      3.4.3.3 Reducing Network Traffic Between Components
      3.4.3.4 Changing the WebGate Polling Frequency
    3.4.4 Modifying an AccessGate
    3.4.5 Deleting an AccessGate
  3.5 Managing WebGates
    3.5.1 Synchronizing Clocks with the Access Server
    3.5.2 Modifying a WebGate
    3.5.3 Configuring IP Address Validation for WebGates
    3.5.4 Viewing WebGate Diagnostics
    3.5.5 Checking the Status of a WebGate
      3.5.5.1 Checking the Number of Connections
    3.5.6 Placing a WebGate Behind a Reverse Proxy
  3.6 Associating AccessGates with Access Servers
    3.6.1 About Associating AccessGates with Clusters
    3.6.2 Associating an AccessGate
    3.6.3 Viewing AccessGates Associated with an Access Server
    3.6.4 Disassociating an AccessGate
  3.7 Using Preferred Hosts or Host Identifiers
    3.7.1 Using Host Identifiers
      3.7.1.1 Viewing or Deleting Existing Host Identifiers
      3.7.1.2 Adding a Host Identifier
      3.7.1.3 Including Authenticating Hosts
    3.7.2 Preferred Host and Virtual Servers
    3.7.3 Denying Access to All Resources by Default
      3.7.3.1 Example of Using DenyOnNotProtected
  3.8 Associating a WebGate with Specific Virtual Hosts, Directories, and Files
  3.9 The Access Login Process
    3.9.1 Login Processes
    3.9.2 Cookies Generated During Login
      3.9.2.1 ObSSOCookie
      3.9.2.2 ObFormLoginCookie
      3.9.2.3 ObTEMC cookie
      3.9.2.4 ObTEMP cookie
      3.9.2.5 ObPERM cookie
Part II Protecting Resources
4 Protecting Resources with Policy Domains
  4.1 Prerequisites
    4.1.1 About the Policy Base
    4.1.2 About the Policy Domain Root
  4.2 About Policy Domain Administration
    4.2.1 About Creating the First Policy Domain
    4.2.2 About Managing a Policy Domain
    4.2.3 Overview for Delegated Access Administrators Creating a Policy Domain
  4.3 About Policy Domains and Their Policies
    4.3.1 Parts of a Policy Domain
    4.3.2 How the Policy Domain or Policy for a Resource Is Determined
    4.3.3 Preconfigured Policy Domains
    4.3.4 Who Creates Policy Domains?
    4.3.5 Examples of Policy Domain and Policies
    4.3.6 About Allocating Responsibility for a Policy Domain
  4.4 Configuring Resource Types
    4.4.1 About Resource Types
    4.4.2 Resource Types Defined by the Access System
    4.4.3 Supported HTTP Operations
    4.4.4 Supported EJB Operation
    4.4.5 Supported Resource Types
    4.4.6 Defining a Resource Type
  4.5 Configuring URLs for Resources
    4.5.1 About URL Prefixes
    4.5.2 About URL Patterns
    4.5.3 How URL Patterns are Used
    4.5.4 URL Pattern Matching Symbols
    4.5.5 Invalid Patterns
    4.5.6 Access System Patterns
  4.6 About Schemes
  4.7 About Plug-Ins
  4.8 About Rules and Expressions
    4.8.1 Lessening or Increasing Controls with Rules
      4.8.1.1 Beginning with All Resources Unprotected
      4.8.1.2 Beginning with All Resources Protected
  4.9 Creating and Managing Policy Domains
    4.9.1 Creating a Policy Domain
    4.9.2 Modifying a Policy Domain
    4.9.3 Deleting a Policy Domain
    4.9.4 Enabling and Disabling Policy Domains
    4.9.5 Searching for Policy Domains and Policies
    4.9.6 Viewing General Information about Policy Domains
    4.9.7 Adding Resources to Policy Domains
      4.9.7.1 Using Host Identifiers and Host Contexts
    4.9.8 Modifying a Resource's Description
    4.9.9 Deleting a Resource
  4.10 About the Master Audit Rule
    4.10.1 Configuring the Master Audit Rule
    4.10.2 Modifying the Master Audit Rule
    4.10.3 Deleting the Master Audit Rule
  4.11 Configuring Policies
    4.11.1 Policies with Overlapping Patterns
    4.11.2 Adding a Policy
    4.11.3 Modifying a Policy
    4.11.4 Setting the Order in which Policies Are Checked
    4.11.5 Deleting a Policy
    4.11.6 Deploying a Policy into Production
  4.12 Auditing User Activity for a Policy Domain
    4.12.1 Creating an Audit Rule for a Policy Domain
    4.12.2 Modifying an Audit Rule for a Policy Domain
    4.12.3 Defining an Audit Rule for a Policy
    4.12.4 Modifying an Audit Rule for a Policy
    4.12.5 About the Audit Log File
  4.13 Using Access Tester
  4.14 Delegating Policy Domain Administration
    4.14.1 Configuring Policy Domain Administrators
5 Configuring User Authentication
  5.1 About Authentication
    5.1.1 Background Reading
    5.1.2 Basics of Authentication
  5.2 Authentication Schemes
    5.2.1 General Information
    5.2.2 Plug-Ins
    5.2.3 Steps
    5.2.4 Authentication Flows
    5.2.5 Default Authentication Schemes
  5.3 Defining and Managing Authentication Schemes
    5.3.1 Listing Authentication Schemes
    5.3.2 Defining a New Authentication Scheme
      5.3.2.1 About Challenge Methods
    5.3.3 Modifying an Authentication Scheme
    5.3.4 Viewing an Authentication Scheme Configuration
    5.3.5 Deleting an Authentication Scheme
    5.3.6 Configuring an Authentication Scheme when Using Multiple Searchbases
    5.3.7 Enabling and Disabling Authentication Schemes
    5.3.8 Modifying an Authentication Scheme
    5.3.9 Viewing an Authentication Scheme Configuration
    5.3.10 Deleting an Authentication Scheme
    5.3.11 Securing the ObSSOCookie in an Authentication Scheme
    5.3.12 Configuring an Authentication Scheme That Persists Over Multiple Sessions
  5.4 Plug-Ins for Authentication
    5.4.1 About Access System-Provided Plug-Ins
    5.4.2 About Custom Plug-Ins
    5.4.3 Return Codes for Plug-Ins
    5.4.4 About Reuse of Plug-Ins
    5.4.5 Reusing Plug-Ins across Authentication Schemes
    5.4.6 Reusing Plug-Ins across Authentication Schemes
    5.4.7 Changing the Security Level of an Authentication Scheme
    5.4.8 Access System Plug-Ins for Authentication Challenge Methods
    5.4.9 Credential Mapping Plug-In
    5.4.10 Filtering Inactive Users
    5.4.11 Validate Password Plug-In
    5.4.12 Certificate Decode Plug-In
    5.4.13 Caching Validated Passwords to Increase Performance
  5.5 Adding and Managing Plug-Ins
    5.5.1 Viewing Plug-Ins for an Authentication Scheme
    5.5.2 Adding a Plug-In to an Authentication Scheme
    5.5.3 Deleting Plug-Ins from an Authentication Scheme
  5.6 About Chained Authentication Configuration
    5.6.1 About Creating an Authentication Rule Using Chained Authentication
    5.6.2 About Authentication Steps
    5.6.3 About Single-Step Authentication Schemes
    5.6.4 Why Separate Plug-Ins Into Steps?
  5.7 Configuring and Managing Steps
    5.7.1 Viewing the Steps of an Authentication Scheme
    5.7.2 Viewing the Configuration Details for a Step
    5.7.3 Adding a Step to an Authentication Scheme
    5.7.4 Modifying a Step
    5.7.5 Deleting a Step
  5.8 About Authentication Flows
    5.8.1 Authentication Flows Example
    5.8.2 Viewing the Flows of an Authentication Scheme
    5.8.3 Configuring and Modifying the Flows of an Authentication Chain
    5.8.4 Verifying and Correcting Cycles in an Authentication Flow
  5.9 Authentication Rules
    5.9.1 Creating an Authentication Rule for a Policy Domain
    5.9.2 Modifying an Authentication Rule for a Policy Domain
    5.9.3 Deleting a Policy Domain's Authentication Rule
    5.9.4 Creating an Authentication Rule for a Policy
    5.9.5 Modifying an Authentication Rule for a Policy
    5.9.6 Deleting an Authentication Rule for a Policy
  5.10 Authentication Actions
    5.10.1 About Kinds of Actions
    5.10.2 About the Use of HTTP Header Variables and Cookies
    5.10.3 Passing Information Using Actions
    5.10.4 Actions and Header Variables
      5.10.4.1 How Caching Header Variables Affects their Availability
      5.10.4.2 Ways Different Web Servers Handle Header Variables
    5.10.5 Using Actions for Redirection
      5.10.5.1 Using Form-Based Authentication Instead of a Plug-In
    5.10.6 Custom Actions
    5.10.7 Setting Authentication Actions
    5.10.8 Defining Actions for a Policy's Authentication Rule
    5.10.9 Triggering Authentication Actions After the ObSSOCookie is Set
      5.10.9.1 About the OTA Authentication Scheme
      5.10.9.2 Configuring the OTA Authentication Scheme and Authorization Action
  5.11 Auditing Authentication Events
    5.11.1 Information Logged on Success or Failure
    5.11.2 About Creating a Master Audit Rule and Derived Rules
  5.12 Plug-Ins to Authenticate Users on External Security Systems
    5.12.1 Security Bridge Plug-In
      5.12.1.1 Configuration Prerequisites
    5.12.2 Creating an Authentication Scheme for Security Bridge
    5.12.3 Authentication Rule for Security Bridge
    5.12.4 Windows NT/2000 Plug-In
6 Configuring User Authorization
  6.1 About Authorization
    6.1.1 Background Reading
    6.1.2 Introduction to Authorization Rules and Expressions
      6.1.2.1 Guidelines for Classifying Users
  6.2 Authorization Rules
    6.2.1 About Allow Access and Deny Access Conditions
    6.2.2 Reuse of Authorization Rules
    6.2.3 About the Contents of an Authorization Rule
    6.2.4 About Authorization Rule Evaluation
  6.3 Working with Authorization Rules
    6.3.1 Displaying a List of Configured Authorization Rules
    6.3.2 Configuring Authorization Rules
    6.3.3 Setting Allow Access
    6.3.4 Setting Deny Access
    6.3.5 Setting Timing Conditions
    6.3.6 Viewing General Information About a Rule
    6.3.7 Modifying an Authorization Rule
    6.3.8 Deleting an Authorization Rule
  6.4 Authorization Expressions
    6.4.1 About the Contents of an Authorization Expression
    6.4.2 About Authorization Expression Evaluation
      6.4.2.1 Status Codes for an Inconclusive Result
      6.4.2.2 About Evaluation of the Rules of an Expression
      6.4.2.3 Authorization Rules Used in Example Scenarios
      6.4.2.4 About the AND Operator
      6.4.2.5 Examples of Compound Conditions
      6.4.2.6 About the OR Operator
      6.4.2.7 Examples of Complex Conditions
      6.4.2.8 Compound Complex Expression Scenarios
      6.4.2.9 About the Use of Parentheses
  6.5 Working with Authorization Expressions
    6.5.1 Viewing Authorization Expressions
      6.5.1.1 Viewing the Authorization Expression for a Policy
    6.5.2 Creating Authorization Expressions
      6.5.2.1 Creating an Authorization Expression for a Policy
    6.5.3 Modifying an Authorization Expression as You Create It
      6.5.3.1 Using the Authorization Expression List Box
      6.5.3.2 Using the Authorization Expression in Text Format Box
      6.5.3.3 Modifying an Existing Authorization Expression
    6.5.4 Deleting an Authorization Expression
  6.6 Authorization Actions
    6.6.1 About Actions For Rules and Expressions
    6.6.2 About Kinds of Actions
    6.6.3 About the Use of HTTP Header Variables and Cookies
      6.6.3.1 How Caching Header Variables Affects their Availability
      6.6.3.2 How Web Servers Handle Header Variables
    6.6.4 About Passing Information Using Actions
    6.6.5 Which Actions Are Returned?
    6.6.6 About Complementary Actions
    6.6.7 About the Evaluation Order of Authorization Actions
  6.7 Working with Authorization Actions
    6.7.1 Setting Actions for Authorization Rules
      6.7.1.1 Configuring an Authorization Action When Using Disjoint Domains
    6.7.2 Setting Actions for Authorization Expressions
      6.7.2.1 About Actions for Inconclusive Results
    6.7.3 About Duplicate Actions
      6.7.3.1 How Duplicate Actions Are Handled
      6.7.3.2 Duplicate Actions and WebGate Restrictions
    6.7.4 Setting the System Default Duplicate Actions Behavior
    6.7.5 Setting the Duplicate Actions Behavior for an Expression
    6.7.6 Creating Custom Authorization Actions
  6.8 Authorization Schemes for Custom Plug-Ins
    6.8.1 About Authorization Schemes and Custom Plug-Ins
      6.8.1.1 About Authorization Plug-Ins
  6.9 Working with Authorization Schemes
    6.9.1 Specifying Authorization Plug-In Paths and Parameters
      6.9.1.1 User Parameters
      6.9.1.2 Required Parameters
      6.9.1.3 Optional Parameters for Authorization Plug-Ins
    6.9.2 Viewing Authorization Schemes
    6.9.3 Adding an Authorization Scheme
    6.9.4 Modifying an Authorization Scheme
    6.9.5 Deleting an Authorization Scheme
  6.10 Auditing Authorization Events
    6.10.1 Information Logged on Success or Failure
    6.10.2 About Creating a Master Audit Rule and Derived Rules
  6.11 Retrieving External Data for an Authorization Request
    6.11.1 Example: Configuring a WebGate to Use Authorization Data from an External Source
7 Configuring Single Sign-On
  7.1 Prerequisites
  7.2 About Single Sign-On
    7.2.1 Different Types of Single Sign-On
  7.3 Single Sign-On Cookies
    7.3.1 Security of the ObSSOCookie
    7.3.2 Configuring the ObSSOCookie
  7.4 Single Domain Single Sign-On
    7.4.1 How Single Domain Single Sign-On Works
    7.4.2 Setting up Single Domain Single Sign-On
      7.4.2.1 Configuring the WebGates
    7.4.3 Reverse Proxy Single Sign-On
    7.4.4 Logout From a Single Domain Single Sign-On Session
  7.5 Multi-Domain Single Sign-On
    7.5.1 Using Redirection to Enable Multi-Domain Single Sign-On
    7.5.2 Testing Multi-Domain Single Sign-On
    7.5.3 Logout from a Multi-Domain Single Sign-On Session
  7.6 Application Single Sign-On
    7.6.1 Additional Information on Application Single Sign-On
    7.6.2 Logging Out From an Application Single Sign-On Session
  7.7 Single Sign-On Between Identity and Access Systems
    7.7.1 Configuring Policy Domains for Single Sign-On
    7.7.2 Displaying the Employee Type in the Top Navigation Bar
    7.7.3 Troubleshooting SSO Between Identity and Access Systems
  7.8 Single Sign-On for Lotus Domino
  7.9 Enabling Impersonation in the Access System
  7.10 Troubleshooting Single Sign-On
Part III Managing the Access System
8 Access System Configuration and Management
  8.1 Prerequisites
  8.2 About Access System Configuration and Management
    8.2.1 Access System Configuration
    8.2.2 System Management
  8.3 Configuring User Access
    8.3.1 Revoking Users
    8.3.2 Flushing Users from the Cache
  8.4 Creating a Shared Secret Key
    8.4.1 Changes to the Shared Secret Key
  8.5 Flushing Password Policy Caches
  8.6 Running Diagnostics
  8.7 Managing User Access Privilege Reports
    8.7.1 Adding a Report
    8.7.2 Managing Reports
  8.8 Managing Sync Records
9 Managing Access System Configuration Files
  9.1 Prerequisites
  9.2 Automatic Access System Cache Flush
  9.3 Synchronization of Access System Components
    9.3.1 Synchronizing System Clocks
    9.3.2 Changing Default Configuration Cache Timeout
  9.4 Reducing Overhead for Viewing Policy Domains
  9.5 Customizing the Policy Manager User Interface
    9.5.1 Setting the Search Page as the Default Page
    9.5.2 Customizing the Policy Manager Search Interface
Part IV Appendices
A Form-Based Authentication
  A.1 About Form-Based Authentication
    A.1.1 Challenge Parameters
    A.1.2 Redirection
    A.1.3 Plug-Ins Used with Form-Based Authentication
    A.1.4 Session Cookie and Authentication Actions
    A.1.5 Header Variables
    A.1.6 Using an External Call for Data in an Authentication Request
  A.2 Considerations when Creating a Form
    A.2.1 ObFormLoginCookie
  A.3 Configuring Form-Based Authentication
    A.3.1 Configuring a Form-Based Authentication Scheme
      A.3.1.1 About the Form Action
      A.3.1.2 Forms that Reside on Servers Other Than a WebGate
    A.3.2 Notes for Microsoft IIS
    A.3.3 Including Users in the obMappingFilter
      A.3.3.1 Including Only Active Users
      A.3.3.2 Including Non-Active Users
  A.4 Form Examples
    A.4.1 Form Scheme Examples
      A.4.1.1 Basic Example
      A.4.1.2 Annotated Example
    A.4.2 Sample Pop-Up Forms
    A.4.3 Sample Multi-Language Form
  A.5 Troubleshooting Form-Based Authentication
B Enabling Impersonation with the Access System
  B.1 About Windows Impersonation
  B.2 About Impersonation and the Access System
  B.3 Enabling Impersonation With a Header Variable
    B.3.1 Requirements
    B.3.2 Creating an Impersonator as a Trusted User
    B.3.3 Assigning Rights to the Trusted User
    B.3.4 Binding the Trusted User to Your WebGate
    B.3.5 Adding an Impersonation Action to a Policy Domain
    B.3.6 Adding an Impersonation DLL to IIS
    B.3.7 Testing Impersonation
      B.3.7.1 Creating an IIS Virtual Site Not Protected by SPPS
      B.3.7.2 Testing Impersonation Using the Event Viewer
      B.3.7.3 Testing Impersonation Using a Web Page
  B.4 Setting Up Impersonation with Integrations
  B.5 Enabling Impersonation with a User Name and Password
  B.6 Setting Up Impersonation for OWA
    B.6.1 Creating a Trusted User Account for OWA
    B.6.2 Assigning Rights to the OWA Trusted User
    B.6.3 Binding the Trusted OWA User to Your WebGate
    B.6.4 Adding an Impersonation Action to a Policy Domain
    B.6.5 Adding an Impersonation DLL to IIS
    B.6.6 Testing Impersonation for OWA
      B.6.6.1 Testing Impersonation Using the Event Viewer
      B.6.6.2 Testing Impersonation Using a Web Page
  B.7 Windows Impersonation Background
    B.7.1 Access Tokens
    B.7.2 Security IDs
    B.7.3 Access Control Lists and Entries
    B.7.4 Wildcard Extension
    B.7.5 The Kerberos Protocol
    B.7.6 The S4U2Self Extension
C Configuring Logout
  C.1 How Logout Works
  C.2 Configuring and Customizing the Logout URL and Page
D Oracle Access Manager Parameter Files
  D.1 File Categories
  D.2 For More Information on the Parameter Files
E Troubleshooting Oracle Access Manager
  E.1 Problems and Solutions
    E.1.1 Search Halts When Using Active Directory or .Net
    E.1.2 The Access Server Is Not Sending Audit Data to the Database
      E.1.2.1 Problem
      E.1.2.2 Solution
    E.1.3 Single Sign-On Between Identity and Access Systems
    E.1.4 Other Single Sign-On Problems
    E.1.5 The Login Form Appears Repeatedly
    E.1.6 Other Form-Based Authentication Issues
  E.2 Need More Help?
Index