Oracle® Access Manager Access Administration Guide 10g (10.1.4.2.0)
Part Number B32420-01
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in Oracle Access Manager?
Product and Component Name Changes
WebGate Updates
URL Prefixes and Patterns
Triggering Authentication Actions After the ObSSOCookie Is Set
Form-based Authentication
Disabling Authentication Schemes
Persistent Cookies in Authentication Schemes
HTTP Header Variables and Cookies
Configuring Logout
Associating WebGates with Specific Virtual Hosts, Directories, and Files
Configuring the validate_password Plug-In
Configuring Impersonation
Configuring Lotus Domino and Windows Impersonation Single Sign-On
Troubleshooting
Part I Configuring the Access System
1 Overview of Access System Configuration and Administration
1.1 About the Access System
1.2 Access System Components
1.3 Review of Access System Installation and Setup
1.4 About Configuring Resources and Rules for Who Can Access Them
1.5 About Configuring and Managing the Access System Components
2 Configuring Access Administrators and Server Settings
2.1 Prerequisites
2.2 Configuring Access Administrators
2.2.1 Configuring Master Access Administrators
2.2.2 Configuring Delegated Access Administrators
2.2.3 Creating a Group of Delegated Access Administrators
2.2.4 Modifying a Group of Delegated Administrators
2.3 Managing Server Settings
2.3.1 Viewing Server Settings
2.3.2 Customizing Email Addresses
2.3.3 Configuring a Single Sign-On Logout URL
2.3.4 Configuring the Directory Server
3 Configuring WebGates and Access Servers
3.1 About Configuring the Access System
3.2 Prerequisites for Configuring AccessGates and Access Servers
3.3 Configuring Access Servers
3.3.1 Viewing Access Server Configuration Details
3.3.1.1 Access Server Configuration Parameters
3.3.2 Adding an Access Server Instance
3.3.2.1 Configuring a Directory Server Profile for the Access Server
3.3.3 Modifying Access Server Details
3.3.4 Deleting an Access Server
3.3.5 Clustering Access Servers
3.3.5.1 Managing Access Server Clusters
3.3.6 Managing Access Servers from the Command Line
3.3.6.1 Using the ConfigureAAAServer Tool
3.3.6.2 Setting the Number of Queues from the Command Line
3.4 Configuring AccessGates and WebGates
3.4.1 Viewing AccessGates
3.4.2 AccessGate Configuration Parameters
3.4.3 Adding an AccessGate
3.4.3.1 Configuring Logout for an Identity System Resource
3.4.3.2 Configuring User-Defined Parameters
3.4.3.3 Reducing Network Traffic Between Components
3.4.3.4 Changing the WebGate Polling Frequency
3.4.4 Modifying an AccessGate
3.4.5 Deleting an AccessGate
3.5 Managing WebGates
3.5.1 Synchronizing Clocks with the Access Server
3.5.2 Modifying a WebGate
3.5.3 Configuring IP Address Validation for WebGates
3.5.4 Viewing WebGate Diagnostics
3.5.5 Checking the Status of a WebGate
3.5.5.1 Checking the Number of Connections
3.5.6 Placing a WebGate Behind a Reverse Proxy
3.6 Associating AccessGates and WebGates with Access Servers
3.6.1 About Associating AccessGates with Clusters
3.6.2 Associating an AccessGate
3.6.3 Viewing AccessGates Associated with an Access Server
3.6.4 Disassociating an AccessGate
3.7 Configuring Preferred HTTP Hosts, Host Identifiers, and Virtual Web Hosts
3.7.1 About Preferred HTTP Hosts
3.7.1.1 About Preferred HTTP Hosts Without Virtual Web Hosting
3.7.1.2 About the Preferred HTTP Host Setting for a Virtual Host
3.7.2 Configuring Host Identifiers
3.7.2.1 Including Authenticating Hosts
3.7.2.2 Viewing or Deleting Host Identifiers
3.7.2.3 Adding a Host Identifier
3.7.3 Configuring Virtual Web Hosting
3.8 Denying Access to All Resources by Default
3.8.1 Example of Using DenyOnNotProtected
3.9 Associating a WebGate with Particular Virtual Hosts, Directories, or Files
3.10 The Access Login Process
3.10.1 Combined Authentication and Authorization Process
3.10.2 Login Processes
3.10.3 Cookies Generated During Login
3.10.3.1 ObSSOCookie
3.10.3.2 ObBasicAuthCookie
3.10.3.3 ObFormLoginCookie
3.10.3.4 ObTEMC cookie
3.10.3.5 ObTEMP cookie
3.10.3.6 ObPERM cookie
Part II Protecting Resources
4 Protecting Resources with Policy Domains
4.1 Prerequisites
4.1.1 About the Policy Base
4.1.2 About the Policy Domain Root
4.2 About Policy Domain Administration
4.2.1 About Creating the First Policy Domain
4.2.2 About Managing a Policy Domain
4.2.3 Overview of Creating a Policy Domain
4.3 About Policy Domains and Their Policies
4.3.1 Parts of a Policy Domain
4.3.2 How the Policy Domain or Policy for a Resource Is Determined
4.3.3 Preconfigured Policy Domains
4.3.4 Who Creates Policy Domains?
4.3.5 Examples of Policy Domains and Policies
4.3.6 About Allocating Responsibility for a Policy Domain
4.4 Configuring Resource Types
4.4.1 About Resource Types
4.4.2 Default Resource Types
4.4.3 Supported HTTP Operations
4.4.4 Supported EJB Operation
4.4.5 Supported Resource Types
4.4.6 Defining a Resource Type
4.5 Configuring URLs for Resources
4.5.1 About URL Prefixes
4.5.2 About URL Patterns
4.5.3 How URL Patterns are Used
4.5.4 URL Pattern Matching Symbols
4.5.5 Invalid Patterns
4.5.6 Access System Patterns
4.6 About Schemes
4.7 About Plug-Ins
4.8 About Rules and Expressions
4.8.1 Lessening or Increasing Controls with Rules
4.8.1.1 Beginning with All Resources Unprotected
4.8.1.2 Beginning with All Resources Protected
4.9 Creating and Managing Policy Domains
4.9.1 Creating a Policy Domain
4.9.2 Modifying a Policy Domain
4.9.3 Deleting a Policy Domain
4.9.4 Enabling and Disabling Policy Domains
4.9.5 Searching for Policy Domains and Policies
4.9.6 Viewing General Information about Policy Domains
4.9.7 Adding Resources to Policy Domains
4.9.7.1 Using Host Identifiers and Host Contexts
4.9.8 Modifying a Resource's Description
4.9.9 Deleting a Resource
4.10 About the Master Audit Rule
4.10.1 Configuring the Master Audit Rule
4.10.2 Modifying the Master Audit Rule
4.10.3 Deleting the Master Audit Rule
4.11 Configuring Policies
4.11.1 Policies with Overlapping Patterns
4.11.2 Adding a Policy
4.11.3 Modifying a Policy
4.11.4 Setting the Order in which Policies Are Checked
4.11.5 Deleting a Policy
4.11.6 Deploying a Policy into Production
4.12 Auditing User Activity for a Policy Domain
4.12.1 Creating an Audit Rule for a Policy Domain
4.12.2 Modifying an Audit Rule for a Policy Domain
4.12.3 Defining an Audit Rule for a Policy
4.12.4 Modifying an Audit Rule for a Policy
4.12.5 About the Audit Log File
4.13 Using Access Tester
4.14 Delegating Policy Domain Administration
4.14.1 Configuring Policy Domain Administrators
5 Configuring User Authentication
5.1 About Authentication and Authentication Schemes
5.1.1 Background Reading
5.1.2 Basic Components of Authentication
5.1.3 About Authentication Schemes
5.1.4 Default Authentication Schemes
5.2 About Challenge Methods
5.2.1 About Plug-Ins for Challenge Methods
5.3 Defining and Managing Authentication Schemes
5.3.1 Listing and Viewing Authentication Schemes
5.3.2 Defining a New Authentication Scheme
5.3.3 Modifying an Authentication Scheme
5.3.4 Configuring an Authentication Scheme When Using Multiple Searchbases
5.3.5 Enabling and Disabling Authentication Schemes
5.3.6 Securing the ObSSOCookie in an Authentication Scheme
5.3.7 Retaining the ObSSOCookie Over Multiple Sessions
5.3.8 Configuring Browser Cookies as Credentials in an Authentication Scheme
5.3.9 Deleting an Authentication Scheme
5.4 Plug-Ins for Authentication
5.4.1 About Access System-Provided Plug-Ins
5.4.2 About Custom Plug-Ins
5.4.2.1 Note on Managed Code and Plug-Ins
5.4.3 Return Codes for Plug-Ins
5.4.4 About Reusing Plug-Ins Across Authentication Schemes
5.4.5 Changing the Security Level of an Authentication Scheme
5.4.6 Access System Plug-Ins for Authentication Challenge Methods
5.4.7 Credential Mapping Plug-In
5.4.8 Filtering Inactive Users
5.4.9 Validate Password Plug-In
5.4.10 Certificate Decode Plug-In
5.4.11 Caching Validated Passwords to Increase Performance
5.4.12 Plug-Ins for Windows NT/2000 and SecurID
5.5 Adding and Managing Plug-Ins
5.5.1 Viewing Plug-Ins for an Authentication Scheme
5.5.2 Adding a Plug-In to an Authentication Scheme
5.5.3 Deleting Plug-Ins from an Authentication Scheme
5.6 About Chained Authentication
5.6.1 About Creating an Authentication Rule Using Chained Authentication
5.6.2 About Authentication Steps
5.6.3 About Single-Step Authentication Schemes
5.6.4 Why Separate Plug-Ins Into Steps?
5.7 Configuring and Managing Steps
5.7.1 Viewing the Steps of an Authentication Scheme
5.7.2 Viewing the Configuration Details for a Step
5.7.3 Adding a Step to an Authentication Scheme
5.7.4 Modifying a Step
5.7.5 Deleting a Step
5.8 Configuring Authentication Flows
5.8.1 Authentication Flows Example
5.8.2 Viewing the Flows of an Authentication Scheme
5.8.3 Configuring and Modifying the Flows of an Authentication Chain
5.8.4 Verifying and Correcting Cycles in an Authentication Flow
5.9 Managing Authentication Rules
5.9.1 Creating an Authentication Rule for a Policy Domain
5.9.2 Modifying an Authentication Rule for a Policy Domain
5.9.3 Deleting a Policy Domain's Authentication Rule
5.9.4 Creating an Authentication Rule for a Policy
5.9.5 Modifying an Authentication Rule for a Policy
5.9.6 Deleting an Authentication Rule for a Policy
5.10 Managing Authentication Actions
5.10.1 About Kinds of Actions
5.10.2 About the Use of HTTP Header Variables and Cookies
5.10.3 Passing Information Using Actions
5.10.4 Actions and Header Variables
5.10.4.1 How Caching Header Variables Affects their Availability
5.10.4.2 Ways Different Web Servers Handle Header Variables
5.10.5 Using Actions for Redirection
5.10.5.1 Using Form-Based Authentication Instead of a Plug-In
5.10.6 Custom Actions
5.10.7 Setting Authentication Actions
5.10.8 Defining Actions for a Policy's Authentication Rule
5.10.9 Triggering Authentication Actions After the ObSSOCookie is Set
5.10.9.1 About the OTA Authentication Scheme
5.10.9.2 Configuring the OTA Authentication Scheme and Authorization Action
5.11 Auditing Authentication Events
5.11.1 Information Logged on Success or Failure
5.11.2 About Creating a Master Audit Rule and Derived Rules
6 Configuring User Authorization
6.1 About Authorization
6.1.1 Background Reading
6.1.2 Introduction to Authorization Rules and Expressions
6.1.2.1 Guidelines for Classifying Users
6.2 About Authorization Rules
6.2.1 About Allow Access and Deny Access Conditions
6.2.2 Reuse of Authorization Rules
6.2.3 About the Contents of an Authorization Rule
6.2.4 About Authorization Rule Evaluation
6.3 Working with Authorization Rules
6.3.1 Displaying a List of Configured Authorization Rules
6.3.2 Configuring Authorization Rules
6.3.3 Setting Allow Access
6.3.4 Setting Deny Access
6.3.5 Setting Timing Conditions
6.3.6 Viewing General Information About a Rule
6.3.7 Modifying an Authorization Rule
6.3.8 Deleting an Authorization Rule
6.4 About Authorization Expressions
6.4.1 About the Contents of an Authorization Expression
6.4.2 About Authorization Expression Evaluation
6.4.2.1 Status Codes for an Inconclusive Result
6.4.2.2 About Evaluation of the Rules of an Expression
6.4.2.3 Authorization Rules Used in Example Scenarios
6.4.2.4 About the AND Operator
6.4.2.5 Examples of Compound Conditions
6.4.2.6 About the OR Operator
6.4.2.7 Examples of Complex Conditions
6.4.2.8 Compound Complex Expression Scenarios
6.4.2.9 About the Use of Parentheses
6.5 Working with Authorization Expressions
6.5.1 Viewing Authorization Expressions
6.5.1.1 Viewing the Authorization Expression for a Policy
6.5.2 Creating Authorization Expressions
6.5.2.1 Creating an Authorization Expression for a Policy
6.5.3 Modifying an Authorization Expression as You Create It
6.5.3.1 Using the Authorization Expression List Box
6.5.3.2 Using the Authorization Expression in Text Format Box
6.5.3.3 Modifying an Existing Authorization Expression
6.5.4 Deleting an Authorization Expression
6.6 About Authorization Actions
6.6.1 About Actions For Rules and Expressions
6.6.2 About Kinds of Actions
6.6.3 About the Use of HTTP Header Variables and Cookies
6.6.3.1 How Caching Header Variables Affects their Availability
6.6.3.2 How Web Servers Handle Header Variables
6.6.4 About Passing Information Using Actions
6.6.5 Which Actions Are Returned?
6.6.6 About Complementary Actions
6.6.7 About the Evaluation Order of Authorization Actions
6.7 Working with Authorization Actions
6.7.1 Setting Actions for Authorization Rules
6.7.1.1 Configuring an Authorization Action When Using Disjoint Domains
6.7.2 Setting Actions for Authorization Expressions
6.7.2.1 About Actions for Inconclusive Results
6.7.3 About Duplicate Actions
6.7.3.1 How Duplicate Actions Are Handled
6.7.3.2 Duplicate Actions and WebGate Restrictions
6.7.4 Setting the System Default Duplicate Actions Behavior
6.7.5 Setting the Duplicate Actions Behavior for an Expression
6.7.6 Creating Custom Authorization Actions
6.8 About Authorization Schemes for Custom Plug-Ins
6.8.1 Overview of Authorization Schemes and Custom Plug-Ins
6.8.1.1 About Authorization Plug-Ins
6.9 Working with Authorization Schemes
6.9.1 Specifying Authorization Plug-In Paths and Parameters
6.9.1.1 User Parameters
6.9.1.2 Required Parameters
6.9.1.3 Optional Parameters for Authorization Plug-Ins
6.9.2 Viewing Authorization Schemes
6.9.3 Adding an Authorization Scheme
6.9.4 Modifying an Authorization Scheme
6.9.5 Deleting an Authorization Scheme
6.10 Retrieving External Data for an Authorization Request
6.10.1 Example: Configuring a WebGate to Use Authorization Data from an External Source
6.11 Auditing Authorization Events
6.11.1 Information Logged on Success or Failure
6.11.2 About Creating a Master Audit Rule and Derived Rules
7 Configuring Single Sign-On
7.1 Prerequisites
7.2 About Single Sign-On
7.2.1 Different Types of Single Sign-On
7.3 Single Sign-On Cookies
7.3.1 Security of the ObSSOCookie
7.3.2 Configuring the ObSSOCookie
7.4 Single Domain Single Sign-On
7.4.1 How Single Domain Single Sign-On Works
7.4.2 Setting up Single Domain Single Sign-On
7.4.2.1 Configuring the WebGates
7.4.3 Reverse Proxy Single Sign-On
7.4.4 Logout From a Single Domain Single Sign-On Session
7.5 Multi-Domain Single Sign-On
7.5.1 Using Redirection to Enable Multi-Domain Single Sign-On
7.5.2 Testing Multi-Domain Single Sign-On
7.5.3 Logout from a Multi-Domain Single Sign-On Session
7.6 Application Single Sign-On
7.6.1 Additional Information on Application Single Sign-On
7.6.2 Logging Out From an Application Single Sign-On Session
7.7 Single Sign-On Between Identity and Access Systems
7.7.1 Configuring Policy Domains for Single Sign-On
7.7.2 Displaying the Employee Type in the Top Navigation Bar
7.7.3 Troubleshooting SSO Between Identity and Access Systems
7.8 Enabling Impersonation in the Access System
7.9 Troubleshooting Single Sign-On
Part III Managing the Access System
8 Access System Management
8.1 Prerequisites
8.2 About Access System Configuration and Management
8.2.1 Access System Configuration
8.2.2 System Management
8.3 Configuring User Access
8.3.1 Revoking Users
8.3.2 Flushing Users from the Cache
8.4 Creating a Shared Secret Key
8.4.1 Changes to the Shared Secret Key
8.5 Flushing Password Policy Caches
8.6 Running Diagnostics
8.7 Managing User Access Privilege Reports
8.7.1 Adding a Report
8.7.2 Managing Reports
8.8 Managing Sync Records
9 Managing Access System Configuration Files
9.1 Prerequisites
9.2 Automatic Access System Cache Flush
9.3 Synchronization of Access System Components
9.3.1 Synchronizing System Clocks
9.3.2 Changing Default Configuration Cache Timeout
9.4 Reducing Overhead for Viewing Policy Domains
9.5 Customizing the Policy Manager User Interface
9.5.1 Setting the Search Page as the Default Page
9.5.2 Customizing the Policy Manager Search Interface
Part IV Appendices
A Form-Based Authentication
A.1 About Form-Based Authentication
A.1.1 Challenge Parameters
A.1.2 Redirection
A.1.3 Plug-Ins Used with Form-Based Authentication
A.1.4 Session Cookie and Authentication Actions
A.1.5 Header Variables
A.1.6 Using an External Call for Data in an Authentication Request
A.2 Considerations when Creating a Form
A.2.1 ObFormLoginCookie
A.3 Configuring Form-Based Authentication
A.3.1 Configuring a Form-Based Authentication Scheme
A.3.1.1 About the Form Action
A.3.1.2 Forms that Reside on Servers Other Than a WebGate
A.3.2 Notes for Microsoft IIS
A.3.3 Including Users in the obMappingFilter
A.3.3.1 Including Only Active Users
A.3.3.2 Including Non-Active Users
A.4 Form Examples
A.4.1 Form Scheme Examples
A.4.1.1 Basic Example
A.4.1.2 Annotated Example
A.4.2 Sample Pop-Up Forms
A.4.3 Sample Multi-Language Form
A.5 Troubleshooting Form-Based Authentication
B Configuring Logout
B.1 How Logout Works
B.2 Configuring and Customizing the Logout URL and Page
B.3 Configuring Single Sign-Off for an Integration Between Oracle Access Manager and Another Product
C Oracle Access Manager Parameter Files
C.1 File Categories
C.2 For More Information on the Parameter Files
D Troubleshooting Oracle Access Manager
D.1 Problems and Solutions
D.1.1 Directory Server Issues
D.1.1.1 Error Message to Check if the Directory Server is Running or Responding
D.1.1.2 Memory Usage Rises After Configuring a Directory Server Profile
D.1.1.3 Search Halts When Using Active Directory or .Net
D.1.2 WebGate Issues
D.1.2.1 WebGate Diagnostics URL Incorrectly Reports that the Access Server Is Down
D.1.2.2 WebGate Is Unable to Connect to its Associated Access Server
D.1.3 Access Server Issues
D.1.3.1 Access Server Hangs on Windows 2003
D.1.3.2 The Access Server Is Not Sending Audit Data to the Database
D.1.4 Authentication and Authorization Issues
D.1.4.1 The Authentication Scheme Does Not Work
D.1.5 Single Sign-On Issues
D.1.5.1 Error with Single Sign-On Between Identity and Access Systems
D.1.5.2 Other Single Sign-On Problems
D.1.6 Form-Based Authentication Issues
D.1.6.1 The Login Form Appears Repeatedly
D.1.6.2 Other Form-Based Authentication Issues
D.2 Capturing Diagnostic Information
D.3 Need More Help?
Index