Oracle® Adaptive Access Manager Installation and Configuration Guide Release 10g (10.1.4.5) Part Number E12050-03
This chapter describes two procedures:
- set up access for Adaptive Risk Manager Online
- set up access for Adaptive Strong Authenticator/Native Client
Note:
Both procedures must be performed for authentication to work.
This chapter also provides security recommendations and describes how to disable HTTP authentication for Web services.
Web Services/SOAP clients need to send the username and password for successful communication with Adaptive Risk Manager web services.
The password needs to be stored in a KeyStore for security.
Out-of-the-box, Adaptive Risk Manager publishes Web services at the URL: /oarm/services/. This URL is secured by HTTP authentication.
Access to this URL is allowed to the users of the "web_SOAPServices" role or "SOAPServicesGroup" group. You must add users to this role/group for access to Adaptive Risk Manager Web services. For more information about adding users to roles/groups, refer to the product-specific documentation for your chosen application/Web server.
Note:
Perform this procedure after Adaptive Strong Authenticator/Native Client setup.
To set up security for Adaptive Strong Authenticator/Native Client Web services
1. In the oaam_utils/keystore_util directory, create a file, for example soap_key.file, and enter in it the HTTP authentication password of the user that was added to the "web_SOAPServices" role or "SOAPServicesGroup" group. Because this file is the key material for the keystore, the password must satisfy the key-length requirement of the chosen algorithm (at least 24 characters for 3DES).
2. Copy sample.soap_3des_input.properties to soap_3des_input.properties.
3. Update soap_3des_input.properties with the keystore password, the alias password, and the password file:

   #This is the password for opening the keystore.
   keystorepasswd=
   #This is the password for reading the alias (key) in the keystore.
   keystorealiaspasswd=
   #File containing the key. Note that AES keys may be binary. Also note that algorithms like 3DES require a minimum of 24 characters in the key.
   #keyFile=soap_key.file
   keyFile=

4. Generate the keystore.
   For Unix/Linux, run
   genkeystore.sh soap_3des_input.properties
   For Windows, run
   genkeystore.cmd soap_3des_input.properties
5. If the KeyStore command was successful, you will see output similar to the following:

   updateOrCreateKeyStore done!
   Keystore file:system_soap.keystore,algorithm=DESede
   KeyStore Password=ZG92ZTEyMzQ=
   Alias Password=ZG92ZTEyMw==

   Note down the KeyStore Password and Alias Password printed on the screen. You will need to add these to bharosa_client.properties. The printed values are base64-encoded, not encrypted: anyone who can read them can recover the original passwords.
6. Save the system_soap.keystore file in your source code control system. Take adequate security precautions while handling this file: it contains critical password information, so make sure that only authorized personnel have read access to it. If you lose it, Oracle Adaptive Access Manager will not be able to recover data encrypted with it.
7. Copy system_soap.keystore to the classpath of the Adaptive Strong Authenticator/Native Client deployment folder, for example oasa/WEB-INF/classes.
8. Delete both the soap_key.file and soap_3des_input.properties files, since they hold the SOAP user's password and the keystore passwords in cleartext.
Later, when you update properties in oasa/WEB-INF/classes/bharosa_client.properties, you will add or update the following properties with the encoded passwords (from Step 5) and the authentication username:

   vcrypt.soap.auth.keystorePassword=<base64 encoded keystore password>
   vcrypt.soap.auth.aliasPassword=<base64 encoded password to the alias>
   vcrypt.soap.auth.username=<user configured for accessing the SOAP services>
   vcrypt.soap.auth.keystoreFile=system_soap.keystore

Because the keystore and alias passwords in this file are only base64-encoded, bharosa_client.properties must be protected with the same read restrictions as system_soap.keystore itself.
For updating the bharosa_client.properties file, refer to Chapter 7, "Installing the Adaptive Strong Authenticator" for information about when to edit the file during the installation process and to Chapter 15, "Configuring Client Properties" for instructions on editing the file.
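The following Java program is an added example written for this page; it is not Oracle's genkeystore tool or the Native Client's own code. It shows what the procedure above produces: a keystore that holds the SOAP user's HTTP password as a DESede secret key, protected by a keystore password and an alias password, and how a client recovers that password from the base64-encoded values it later places in bharosa_client.properties. The store type (JCEKS), the entry alias (system_soap) and the sample SOAP password are assumptions; the keystore and alias passwords are the ones that decode from the sample output above (dove1234 and dove123), so the printed line matches it.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not Oracle's genkeystore tool: stores the SOAP user's HTTP
 * password in a keystore as a DESede secret key and reads it back the way a
 * client would. Store type, alias and sample password are assumptions.
 */
public class SoapKeystoreExample {
    static final String STORE_TYPE = "JCEKS";   // assumption: a JCE keystore type that can hold secret keys
    static final String ALIAS = "system_soap";  // assumption: name of the entry inside the keystore
    static final String ALGORITHM = "DESede";   // matches "algorithm=DESede" in the genkeystore output
    static final int MIN_DESEDE_KEY_BYTES = 24; // 3DES needs 24 key bytes, hence the 24-character minimum

    /** Reads soap_key.file (the SOAP user's password), dropping a trailing newline left by an editor. */
    static byte[] readKeyFile(Path keyFile) throws Exception {
        byte[] raw = Files.readAllBytes(keyFile);
        int len = raw.length;
        while (len > 0 && (raw[len - 1] == '\n' || raw[len - 1] == '\r')) {
            len--;
        }
        if (len < MIN_DESEDE_KEY_BYTES) {
            throw new IllegalArgumentException(
                "DESede needs at least " + MIN_DESEDE_KEY_BYTES + " bytes, key file has " + len);
        }
        return Arrays.copyOf(raw, len);
    }

    /** Equivalent of step 4: create the keystore and return the base64 values the tool prints. */
    static String[] generate(Path keyFile, Path storeFile, char[] storePass, char[] aliasPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        ks.load(null, null);                              // start with an empty keystore
        SecretKeySpec key = new SecretKeySpec(readKeyFile(keyFile), ALGORITHM);
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(aliasPass));
        try (FileOutputStream out = new FileOutputStream(storeFile.toFile())) {
            ks.store(out, storePass);
        }
        Base64.Encoder b64 = Base64.getEncoder();
        return new String[] {
            b64.encodeToString(new String(storePass).getBytes(StandardCharsets.UTF_8)),
            b64.encodeToString(new String(aliasPass).getBytes(StandardCharsets.UTF_8))
        };
    }

    /** Client side: open the keystore with the base64 values taken from bharosa_client.properties. */
    static String loadSoapPassword(Path storeFile, String b64StorePass, String b64AliasPass) throws Exception {
        Base64.Decoder b64 = Base64.getDecoder();
        char[] storePass = new String(b64.decode(b64StorePass), StandardCharsets.UTF_8).toCharArray();
        char[] aliasPass = new String(b64.decode(b64AliasPass), StandardCharsets.UTF_8).toCharArray();
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (FileInputStream in = new FileInputStream(storeFile.toFile())) {
            ks.load(in, storePass);                       // a wrong keystore password fails here
        }
        Key key = ks.getKey(ALIAS, aliasPass);            // a wrong alias password fails here
        if (key == null) {
            throw new IllegalStateException("no entry named " + ALIAS + " in " + storeFile);
        }
        return new String(key.getEncoded(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Path keyFile = Path.of("soap_key.file");
        Path storeFile = Path.of("system_soap.keystore");
        String soapPassword = "constructed-password-of-24+chars"; // constructed sample, at least 24 characters
        Files.writeString(keyFile, soapPassword + "\n");

        // dove1234 / dove123 are the passwords that decode from the sample output on this page
        String[] encoded = generate(keyFile, storeFile, "dove1234".toCharArray(), "dove123".toCharArray());
        System.out.println("KeyStore Password=" + encoded[0] + " Alias Password=" + encoded[1]);

        Files.delete(keyFile);                            // step 8: the cleartext key file must not linger
        String recovered = loadSoapPassword(storeFile, encoded[0], encoded[1]);
        System.out.println("client recovered the SOAP password: " + recovered.equals(soapPassword));
    }
}
```

Compile and run it with a JDK 11 or later in an empty scratch directory; it prints "KeyStore Password=ZG92ZTEyMzQ= Alias Password=ZG92ZTEyMw==" like the sample output, followed by "client recovered the SOAP password: true". The decode in loadSoapPassword is the point to notice: the values you copy into bharosa_client.properties are an encoding, not a secret, so the properties file and the keystore file need the same access controls.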
Security recommendations for Adaptive Risk Manager are listed below. We recommend that you:
- maintain user roles in an LDAP directory
- use form-based authentication for Adaptive Risk Manager
- split the SOAP and Adaptive Risk Manager Admin servers
- use a keystore if your Web container supports keystores
Disabling HTTP Authentication for Adaptive Risk Manager Web Services
If Web services are secured in another way and HTTP authentication is not required, take a backup, then edit web.xml in oarm/WEB-INF and remove the security constraints.
An example of the security constraints is shown below. Because the constraint lists explicit http-method elements, it applies only to GET and POST; to require authentication for every HTTP method, omit the http-method elements altogether.

   <!-- Remove or comment out this section if Web services security using HTTP authentication is not required. -->
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>webservice</web-resource-name>
       <url-pattern>/services/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>web_SOAPServices</role-name>
     </auth-constraint>
   </security-constraint>
Note:
By removing the security constraints, anyone with network access to Adaptive Risk Manager can call its Web services.
Disabling HTTP Authentication for Adaptive Strong Authenticator/Native Client Web Services
To disable HTTP authentication for Adaptive Strong Authenticator, set vcrypt.soap.auth=false in the bharosa_client.properties file.
The bharosa_client.properties file is located in the classes directory in the Adaptive Strong Authenticator/Native client deployment folder (for example, oasa/WEB-INF/classes).
For more information on defining and adding encryption schemes and creating keystores, refer to Appendix C, "Upgrading from 3.5 to 10.1.4.3."