Oracle® Adaptive Access Manager Developer's Guide
Release 10g (10.1.4.5)

Part Number E12052-03

8 Oracle Access Manager Integration

This chapter describes the process for integrating Oracle Adaptive Access Manager's Adaptive Strong Authenticator with Oracle Access Manager. Integrating the two will allow you to use Oracle Adaptive Access Manager's Adaptive Strong Authenticator virtual authentication pads to identify users attempting to access Oracle Access Manager's protected applications.

This diagram illustrates an integration.

Using these products in combination gives you fine control over the authentication process and the full capabilities of pre- and post-authentication checking against Adaptive Risk Manager models.

8.1 Prerequisites

This integration process assumes that the Oracle Access Manager environment has been configured to protect simple HTML resources using two different authentication schemes. Authentication schemes protect the client application's URL.

For more information, refer to the Oracle Access Manager Integration Guide.

The following set of components is required for this implementation:

8.2 Integration Overview

Except where specified, the following procedures are required to complete the integration of Oracle Adaptive Access Manager and Oracle Access Manager.

8.3 Configure Oracle Access Manager AccessGate for Adaptive Strong Authenticator Embedded AccessGate

Before installing the Access Server SDK (ASDK), you must define the Oracle Access Manager server-side settings for the AccessGate that the ASDK will use for communication.

This section shows you how to define the new AccessGate for the embedded Adaptive Strong Authenticator AccessGate.

Note:

This chapter will not explain in detail all of the settings involved with Oracle Access Manager AccessGates.

Steps

  1. Launch Internet Explorer.

  2. Log in to Oracle Access Manager.

    For example, http://<oam_hostname>/access/oblix.

  3. Click Access System Console.

  4. Log in as <Administrator>.

  5. Click Access System Configuration.

  6. Click Add New AccessGate.

  7. Using the oaamAccessGate configuration settings shown below, create a new AccessGate and assign it to an Access Server.

Table 8-1 oaamAccessGate Configuration

| Parameter | Value |
|---|---|
| AccessGate Name | oaamAccessGate |
| Description | AccessGate for Oracle Adaptive Access Manager-Adaptive Strong Authenticator authentication |
| Hostname | <hostname> |
| Port | <port> |
| AccessGate Password | <passwd> |
| Debug | <Off> |
| Maximum user session time (seconds) | 3600 |
| Idle Session Time (seconds) | 3600 |
| Maximum Connections | 1 |
| Transport Security | <Open> |
| IP Validation | <On> |
| IP Validation Exception | <leave blank> |
| Maximum Client Session Time (hours) | 24 |
| Failover Threshold | 1 |
| Access server timeout threshold | <leave blank> |
| Sleep for (seconds) | 60 |
| Maximum elements in cache | 10000 |
| Cache timeout (seconds) | 1800 |
| Impersonation Username | <leave blank> |
| Impersonation Password | <leave blank> |
| Access Management Service | <On> |
| Preferred HTTP Cookie Domain | <domain_name> |
| Preferred HTTP Host | <hostname>:<port> |
| Deny on not protected | <Off> |
| CachePragmaHeader | no-cache |
| CacheControlHeader | no-cache |
| LogOutURLs | <leave blank> |
| User Defined Parameters | <leave blank> |
| Assign An Access Server (Primary) | <hostname>:<port> |
| Number of Connections | 1 |


8.4 Configure Oracle Access Manager AccessGate for Adaptive Strong Authenticator Front-End Web Server

The Oracle Adaptive Access Manager's Adaptive Strong Authenticator/Oracle Access Manager integration involves two Oracle Access Manager AccessGates: one for fronting the Web server (a traditional WebGate) to Adaptive Strong Authenticator and one for the embedded AccessGate. This section explains how to configure the Oracle Access Manager AccessGate that fronts the Web server to Adaptive Strong Authenticator.

Steps

  1. Click Add New AccessGate.

  2. Use the settings in the table below to create a new AccessGate and assign it to an Access Server.

    Note:

    The Adaptive Strong Authenticator AccessGate settings (described in the Configure Oracle Access Manager AccessGate for Adaptive Strong Authenticator Embedded AccessGate section) and the OHS WebGate settings are identical (except for the AccessGate names) because OHS is also a server for the Adaptive Strong Authenticator application. In some deployments, these might differ.

    Table 8-2 ohsWebGate Configuration

    | Parameter | Value |
    |---|---|
    | AccessGate Name | ohsWebGate |
    | Description | AccessGate for Web server hosting Adaptive Strong Authenticator application |
    | Hostname | <hostname> |
    | Port | <port> |
    | AccessGate Password | <passwd> |
    | Debug | <Off> |
    | Maximum user session time (seconds) | 3600 |
    | Idle Session Time (seconds) | 3600 |
    | Maximum Connections | 1 |
    | Transport Security | <Open> |
    | IP Validation | <On> |
    | IP Validation Exception | <leave blank> |
    | Maximum Client Session Time (hours) | 24 |
    | Failover Threshold | 1 |
    | Access server timeout threshold | <leave blank> |
    | Sleep for (seconds) | 60 |
    | Maximum elements in cache | 10000 |
    | Cache timeout (seconds) | 1800 |
    | Impersonation Username | <leave blank> |
    | Impersonation Password | <leave blank> |
    | Access Management Service | <On> |
    | Preferred HTTP Cookie Domain | .<domain_name> |
    | Preferred HTTP Host | <hostname>:<port> |
    | Deny on not protected | <Off> |
    | CachePragmaHeader | no-cache |
    | CacheControlHeader | no-cache |
    | LogOutURLs | <leave blank> |
    | User Defined Parameters | <leave blank> |
    | Assign An Access Server (Primary) | <oam_hostname>:<port> |
    | Number of Connections | 1 |


  3. Click AccessGate Configuration.

  4. Click OK to search for all AccessGates.

    The new AccessGate is now listed.

8.5 Configure Oracle Access Manager Authentication Scheme for the Adaptive Strong Authenticator

To leverage Adaptive Strong Authenticator as an authentication mechanism, Oracle Access Manager must have a defined Authentication Scheme to understand how to direct authentications to Adaptive Strong Authenticator.

Steps

  1. Click Authentication Management.

  2. Click New.

  3. Using the settings in the table below, begin creating the new Adaptive Strong Authenticator authentication scheme:

    Table 8-3 OAAM ASA Authentication Scheme Configuration

    | Parameter | Value |
    |---|---|
    | Name | Adaptive Strong Authentication |
    | Description | Oracle Adaptive Access Manager-Adaptive Strong Authenticator virtual authentication pad auth scheme |
    | Level | 3 |
    | Challenge Method | Form |
    | Challenge Parameter(s) | form:/oasa/loginPage.jsp |
    | | creds:userid password |
    | | action:/oasa/dummy.jsp |
    | SSL Required | <No> |
    | Challenge Redirect | <Redirect Url> |
    | Enabled | <Disabled/Greyed Out> |


    Note:

    For the challenge parameter, do not use "action:/oasa". Use "action:/oasa/dummy.jsp". If you do not do this, you will receive a "technical error" message from Oracle Adaptive Access Manager authentication. "dummy.jsp" does not need to exist.

  4. Click Save.

  5. Click Ok to confirm the saved operation.

  6. Click Plugins.

  7. Click Modify.

  8. Click Add.

  9. Create the plugin configurations using the information presented in the table below.

    Table 8-4 OAAM ASA Authentication Scheme Configuration - Plugins

    | Plugin Name | Plugin Parameters |
    |---|---|
    | credential_mapping | obMappingBase="dc=<domain>,dc=com",obMappingFilter="(uid=%userid%)" |
    | validate_password | obCredentialPassword="password" |


  10. Click Save.

  11. Click General.

  12. Click Modify.

  13. Set Enabled to Yes.

  14. Click Save.

8.6 Configure Oracle Access Manager Host Identifiers for Adaptive Strong Authenticator (Optional)

The AccessGates used by Adaptive Strong Authenticator must have host identifier entries. Use the Host Identifiers feature to enter the official name for the host, and every other name by which the host can be addressed by users.

A request sent to any address on the list is mapped to the official host name, and applicable rules and policies are implemented. This is primarily used in virtual site hosting environments.

8.7 Install ASDK for Adaptive Strong Authenticator

Install the ASDK that will be used by the Adaptive Strong Authenticator for communication with the Oracle Access Manager Access Server.

Adaptive Strong Authenticator requires ASDK to communicate with the Oracle Access Manager Access Server.

8.8 Configure ASDK AccessGate for Adaptive Strong Authenticator

After installing the ASDK for the Adaptive Strong Authenticator, the ASDK must be configured for use.

Use a command-line tool (configureAccessGate) to specify the settings for the ASDK to use for communication with the Oracle Access Manager Access Server.

Steps

  1. Navigate to the configureAccessGate directory at <ASDK install dir>\AccessServerSDK\oblix\tools\configureAccessGate.

  2. Run the following command and press Enter.

    configureAccessGate -i <Installation directory of the AccessServerSDK> -t AccessGate -w <Enter the name of the defined oaamAccessGate> -p <port> -h <hostname> -a <Name of the Access Server> -m open
    

    For example:

    configureAccessGate -i E:\oracle\oaam\AccessServerSDK -t AccessGate -w oaamAccessGate -p 6021 -h www.otherdomain.com -a accessSvr1 -m open 
    

8.9 Install Web Server to Implement WebGate

Install an Apache HTTP server 2.x and configure it with the WebLogic Server Plug-in.

For instructions on installing and configuring the Apache HTTP Server Plug-In, refer to:

http://e-docs.bea.com/wls/docs92/plugins/apache.html

8.10 Install WebGate for Adaptive Strong Authenticator Front-End Web Server

To correctly handle the cookies for authentication and the required HTTP headers for the Adaptive Strong Authenticator application, Adaptive Strong Authenticator must be protected with a standard WebGate and Web server.

Steps

  1. Stop the application server (and Web server).

  2. Run the WebGate installation program.

  3. For the WebGate configuration, use the following settings:

    Table 8-5 ohsWebGate Configuration

    | Attribute | Value |
    |---|---|
    | WebGate ID | ohsWebGate |
    | Password for WebGate | <password> |
    | Access Server ID | <Access ServerId> |
    | Host Name | <hostname> |
    | Port | <port> |


    Note:

    Oracle Application Server installs an Oracle HTTP Server (OHS) with the application server and OC4J container.

    If a different application server or servlet container (for example, BEA WebLogic, JBoss, or Tomcat) is used for Adaptive Strong Authenticator/Adaptive Risk Manager, a front-end Web server with the appropriate proxy plug-in (for example, mod_wl_20.so or mod_jk) would be necessary before installing the WebGate on the Web server.

    Installation instructions for "mod_wl_20.so" are documented at:

    http://e-docs.bea.com/wls/docs92/plugins/apache.html
    

8.11 Unpack and Install Oracle Adaptive Access Manager Plug-In to Adaptive Strong Authenticator for Oracle Access Manager Integration

Unpack the Adaptive Strong Authenticator plug-in for Oracle Access Manager from the oaam_plugins folder and copy the required files to the Adaptive Strong Authenticator installation.

Steps

  1. Copy oasa_oam_override.jar from … oaam_plugins\oaam_oam_plugin\oasa\war\WEB-INF\lib to <OASA_HOME>\WEB-INF\lib.

  2. Copy the client folder to <OASA_HOME>\.

  3. Rename <OASA_HOME>\WEB-INF\struts-config.xml to <OASA_HOME>\WEB-INF\struts-config.xml.bak.

  4. Copy struts-config.xml from … oaam_plugins\oaam_oam_plugin\oasa\war\WEB-INF to <OASA_HOME>\WEB-INF\.

  5. Copy bharosauio_client.properties from … oaam_plugins\oaam_oam_plugin\oasa\war\WEB-INF\classe to <OASA_HOME>\WEB-INF\classes\bharosauio_client.properties.

  6. Copy bharosauio_client.properties from plugin.zip to <OASA_HOME>\WEB-INF\classes\bharosauio_client.properties.

  7. Check lookup.properties under <OASA_HOME>\WEB-INF\classes to verify that bharosauio_client.properties is listed.

8.12 Copy ASDK JAR Files to Adaptive Strong Authenticator

Copy the key Java AccessGate library file from the ASDK to the Adaptive Strong Authenticator installation for use.

For example, copy <ASDK install>oblix\lib\jobaccess.jar to <OASA_HOME>\WEB-INF\lib.

If the jar files are not copied, the Adaptive Strong Authenticator installation will not identify the ASDK Java Access Gate library.

8.13 Add ASDK Library Path to Adaptive Strong Authenticator Application Properties

Modify bharosa_client.properties under <OASA_HOME>\WEB-INF\classes to include the path of the Oracle Access Manager Java AccessGate (jobaccess.jar). The application properties for Adaptive Strong Authenticator must be updated to locate the AccessGate configuration information you specified with the configureAccessGate utility previously.

For example:

bharosa.accesserversdk.path=E:\\oracle\\oaam\\AccessServerSDK

Note:

There are 2 s's in a row in "accesserversdk", not 3 s's.

If this path is not set, Adaptive Strong Authenticator will not be able to locate the AccessGate configuration.
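
The following check is an added example, not part of Oracle's guide or product code. It reads a properties file's text and reports the two mistakes this entry invites: the "sss" spelling of the key, and single backslashes in the value, which the Java properties loader silently drops. The function names and sample lines are constructed for illustration.

```python
import re

KEY = "bharosa.accesserversdk.path"  # spelling as given on the page: "ss", not "sss"
ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

# Constructed samples: the page's example line, then the same line with single backslashes.
GOOD = r"bharosa.accesserversdk.path=E:\\oracle\\oaam\\AccessServerSDK"
BAD = r"bharosa.accesserversdk.path=E:\oracle\oaam\AccessServerSDK"


def java_unescape(raw):
    """Decode a value roughly as java.util.Properties.load does (\\uXXXX not handled)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append(ESCAPES.get(nxt, nxt))  # unknown escape: backslash is dropped
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def check_properties(text):
    """Return findings for the ASDK path entry; an empty list means it looks right."""
    findings, value = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        key, _, raw = line.partition("=")  # only the key=value form is handled
        key = key.strip()
        if key == KEY:
            value = java_unescape(raw.strip())
        elif re.fullmatch(r"bharosa\.acces+erversdk\.path", key):
            findings.append(f"misspelled key {key!r}, expected {KEY!r}")
    if value is None:
        findings.append(f"{KEY} is not set")
    elif "\\" not in value and "/" not in value:
        findings.append(f"path loads as {value!r}; double the backslashes")
    return findings


if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(check_properties(sample) or "OK")
```
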

8.14 Add ASDK Library Path to Adaptive Strong Authenticator Server Properties

The Oracle Adaptive Access Manager AccessGate used by Adaptive Strong Authenticator must use the supporting library files from the ASDK directories. Please update your Application Server PATH variable to include the libraries from the ASDK.

For example, add E:\oracle\oaam\AccessServerSDK\oblix\lib to the PATH environment variable.

If this setting is not there, Adaptive Strong Authenticator will not be able to identify the AccessGate libraries during startup.

8.15 Configure Oracle Access Manager Domain to use Adaptive Strong Authenticator Authentication

The Adaptive Strong Authenticator authentication should now be operable for Oracle Access Manager policy domains. Please modify your application Oracle Access Manager policy domain to use the Adaptive Strong Authenticator authentication scheme (Adaptive Strong Authentication).

Steps

  1. Log in to the Oracle Access Manager host. For example, http://<hostname>/access/oblix.

  2. Click Policy Manager.

  3. Log in as an admin user.

  4. Click My Policy Domains.

  5. Click <ApplicationPolicy>.

  6. Click Default Rules.

  7. Click Modify.

  8. From the Authentication Scheme drop-down selector, select Adaptive Strong Authentication.

  9. Click OK to confirm the change in authentication schemes.

  10. Ensure that Update Cache is checked.

  11. Click Save.

  12. Close Internet Explorer.

8.16 Testing Oracle Adaptive Access Manager-Oracle Access Manager Integration

To test the configuration, try accessing your application. Oracle Access Manager will intercept your unauthenticated request and redirect you to Adaptive Strong Authenticator, which challenges you for credentials.