This chapter describes the procedure to extend an Identity and Access Management domain to include Oracle Adaptive Access Manager.
This chapter contains the following topics:
Section 17.1, "Overview of Extending the Domain to Include Oracle Adaptive Access Manager"
Section 17.4, "Extending Domain for Oracle Adaptive Access Manager"
Section 17.5, "Restarting Administration Server on OAMHOST1"
Section 17.6, "Deploying Managed Server Configuration to Local Storage"
Section 17.7, "Adding OAAM Servers to Start and Stop Scripts"
Section 17.11, "Loading Oracle Adaptive Access Manager Seed Data."
Section 17.13, "Integrating Oracle Adaptive Access Manager 11g with Oracle Identity Manager 11g."
Section 17.14, "Changing Domain to Oracle Adaptive Access Manager Protection."
Section 17.15, "Backing Up the Application Tier Configuration"
Oracle Adaptive Access Manager (OAAM) is built on a Java EE-based, multi-tiers deployment architecture that separates the platform's presentation, business logic, and data tiers. Because of this separation of tiers, OAAM can rapidly scale with the performance needs of the customer. The architecture can leverage the most flexible and supported cross-platform Java EE services available: a combination of Java, XML and object technologies. This architecture makes OAAM a scalable, fault-tolerant solution.
Oracle Adaptive Access manager consists of the following two components.
OAAM Administration Applications
OAAM Server Applications
Use this worksheet to keep track of OAAM information
| Description | Documented Variable | Documented Value | Customer Value |
|---|---|---|---|
|
OAAM Managed Server Names |
wls_oaam1 wls_oaam2 |
||
|
OAAM Managed Server Port |
|
14300 |
|
|
OAAM Managed Server SSL Port |
|
14301 |
|
|
OAAM Administrative Managed Server Names |
wls_oaam_admin1 wls_oaam_admin2 |
||
|
OAAM Administrative Managed Port |
|
14200 |
|
|
OAAM Administrative Managed SSL Port |
|
14201 |
|
|
Identity Store Host |
|
LDAPHOST1.mycompany.com |
|
|
Identity Store Port |
|
1389 |
|
|
Identity Store Bind DN |
|
cn=oudadmin |
|
|
Identity Store Administrator Port |
|
4444 |
|
|
Identity Store Group Search Base |
|
cn=Groups,dc=mycompany,dc=com |
|
|
OAAM Administrative User |
|
oaamadmin |
|
|
Access Manager Host1 (Virtual) |
|
|
|
|
Access Manager Host2 (Virtual) |
|
|
|
|
Access Manager Host1 (Physical) |
|
|
|
|
Access Manager Host2 (Physical) |
|
|
Note:
Only one LDAPHOST needs to be specified and it should not be the LDAP load balancer name.The instructions in the following subsections are for the Exalogic virtual mode. If you are using the Exalogic physical deployment, references to OAMHOST1 and OAMHOST2 should be replaced by IAMHOST1 and IAMHOST2, as shown in Table 17-1.
Before you extend the domain to include Oracle Adaptive Access Manager (OAAM), the following prerequisites must be in place.
Create a highly available database to hold the OAAM data, if you are not using the IAMDB. Pre-seed the database with OAAM data objects using the repository creation utility as described in Section 10.5, "Loading the Identity and Access Management Schemas in the Oracle RAC Database by Using RCU."
Create OAAM Users and Groups as follows:
Create a configuration file with the following contents:
# Common IDSTORE_HOST: LDAPHOST1.mycompany.com IDSTORE_PORT: 1389 IDSTORE_ADMIN_PORT: 4444 IDSTORE_BINDDN: cn=oudadmin IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com IDSTORE_SEARCHBASE: dc=mycompany,dc=com IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users, dc=mycompany,dc=com IDSTORE_OAAMADMINUSER: oaamadmin
Where:
IDSTORE_HOST (LDAP_HOST) and IDSTORE_PORT (LDAP_PORT) are, respectively, the host and port of your Identity Store directory, for example:
OUD: LDAPHOST1 and 1389
IDSTORE_ADMIN_PORT (LDAP_DIR_ADMIN_PORT) is the administration port of your Oracle Unified Directory instance.
IDSTORE_BINDDN (LDAP_ADMIN_USER) is an administrative user in the Identity Store Directory.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored. This is composed of cn=Groups combined with the REALM_DN defined in Section 11.1, "Assembling Information for Identity and Access Management Deployment," for example: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored. This is the same as the REALM_DN defined in Section 11.1, "Assembling Information for Identity and Access Management Deployment," for example: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE is the name of the directory attribute containing the user's name, for example: cn. Note that this is different from the login name.
IDSTORE_LOGINATTRIBUTE is the LDAP attribute which contains the users Login name, for example: uid.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored. This is composed of cn=Users combined with the REALM_DN defined in Section 11.1, "Assembling Information for Identity and Access Management Deployment," for example: cn=Users,dc=mycompany,dc=com
IDSTORE_OAAMADMINUSER (OAAMADMINUSER) is the name of the user you want to create as your Oracle Adaptive Access Manager Administrator.
Create users using idmConfigTool.
You must seed the Identity Store with users and groups that are required by the Identity and Access Management components. To seed users and groups in Identity Store, perform the following tasks on OAMHOST1:
Set environment variables.
Set MW_HOME to IAD_MW_HOME.
Set ORACLE_HOME to IAD_ORACLE_HOME.
Set JAVA_HOME to JAVA_HOME.
Configure the Identity Store by using the command idmConfigTool, which is located at: IAD_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -prepareIDStore mode=OAAM input_file=configfile
Where configfile is the name of the configuration file you created at the beginning of this section.
When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with.
During the command execution you are prompted to supply passwords for the accounts being created. For ease of use, it is recommended that you supply the COMMON_IDM_PASSWORD if you are using a common password throughout.
After running each command, check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory where you run the tool.
Start the configuration wizard by executing the following command on OAMHOST1:
IAD_MW_HOME/common/bin/config.sh
Then proceed as follows:
On the Welcome Screen, select Extend an Existing WebLogic Domain. Click Next
On the Select a WebLogic Domain screen, using the navigator select the domain home of the Administration Server, for example: IAD_ASERVER_HOME (IAMAccessDomain)
Click Next.
On the Select Extension Source screen, select the following:
Oracle Adaptive Access Manager - Server
Oracle Adaptive Access Manager - Admin Server
Click Next
On the Configure JDBC Component Schema screen, do the following:
Select:
OAAM Admin Schema
OAAM Server Schema
OAAM Admin MDS Schema
OWSM MDS Schema
For the RAC configuration for component schema, select Convert to GridLink.
Click Next.
The Gridlink RAC Component Schema screen appears. In this screen, enter values for the following fields, specifying the connect information for the Oracle RAC database that was seeded with RCU. For Exadata SDP Connections, enter the TCP parameters below. Later, this must be converted to an SDP Connect String.
Driver: Select Oracle's driver (Thin) for GridLink Connections,Versions:10 and later.
Select Enable FAN.
Do one of the following:
If SSL is not configured for ONS notifications to be encrypted, deselect SSL.
Select SSL and provide the appropriate wallet and wallet password.
Service Listener: Enter the SCAN address and port for the RAC database being used. You can identify this address by querying the parameter remote_listener in the database:
SQL>show parameter remote_listener; NAME TYPE VALUE ------------------------------------------------------------- remote_listener string iamdbscan.mycompany.com:1521
Note:
For Oracle Database 11g Release 1 (11.1), use the virtual IP and port of each database instance listener, for example: DBHOST1-VIP.mycompany.com (port 1521) and DBHOST2-VIP.mycompany.com (port 1521), where 1521 is DB_LSNR_PORT
ONS Host: Enter the SCAN address for the Oracle RAC database and the ONS remote port as reported by the database:
srvctl config nodeapps -s ONS exists: Local port 6100, remote port 6200, EM port 2016
Note:
For Oracle Database 11g Release 1 (11.1), use the hostname and port of each database's ONS service, for example:DBHOST1.mycompany.com (port 6200)
and
DBHOST2.mycompany.com (port 6200)
Use the screen at the top left side of the wizard to update the values reflected on the lower bottom screen. Once the value of a row is updated, it has to be deselected to enter the value for the next row. Otherwise, the value is overwritten.
Enter the following RAC component schema information:
| Schema Name | Service Name | Schema Owner | Password |
|---|---|---|---|
OAAM Admin Schema |
oaamedg.mycompany.com |
EDGIAD_OAAM |
password |
OAAM Admin MDS Schema |
oaamedg.mycompany.com |
EDGIAD_MDS |
password |
OAAM Server Schema |
oaamedg.mycompany.com |
EDGIAD_OAAM |
password |
OWSM MDS Schema |
oamedg.mycompany.com |
EDGIAD_MDS |
password |
On the Test Component Schema screen, the configuration wizard attempts to validate the data source. If the data source validation succeeds, click Next. If it fails, click Previous, correct the issue, and try again.
On the Select Optional Configuration screen, select Managed Server Clusters and Machines. Click Next
When you first enter the Configure Managed Servers screen, you will see entries for components already configured such as Access Manager. In addition the wizard will create 2 new managed servers for OAAM.
Note:
When you first enter this screen the config wizard has created default Managed Servers for you.Change the details of the default Managed Server to reflect the following details. That is, change one entry and add one new entry.
Do not change the configuration of any Managed Servers which have already been configured as part of previous application deployments.
| Default Name | Name | Listen Address | Listen Port | SSL Listen Port | SSL Enabled |
|---|---|---|---|---|---|
| oaam_server_server1 | wls_oaam1Foot 1 | OAMHOST1 | 14300 (OAAM_ADMIN_PORT)Foot 2 |
14301 (OAAM_ADMIN_SSL_PORT) |
Selected |
| wls_oaam2 | OAMHOST2 | 14300 (OAAM_PORT) |
14301 (OAAM_ADMIN_SSL_PORT) |
Selected | |
| oam_admin_server1 | wls_oaam_admin1 | OAMHOST1 | 14200 (OAAM_OAAM_PORT) |
14201 (OAAM_SSL_PORT) |
Selected |
| wls_oaam_admin2 | OAMHOST2 | 14200 (OAAM_PORT) |
14201 (OAAM_SSL_PORT) |
Selected |
Footnote 1 You MUST use the names listed in the table to facilitate automated patching.
Footnote 2 See Section B.3.
Leave all other fields at the default settings and click Next.
On the Configure Clusters screen, create a cluster by clicking Add and provide the values shown for oaam_cluster in the following table. Then create a second cluster by clicking Add and provide the values shown for oaam_admin_cluster in the table.
| Name | Cluster Messaging Mode | Multicast Address | Multicast Port | Cluster Address |
|---|---|---|---|---|
| oaam_cluster | unicast | n/a | n/a | Leave it empty. |
| oaam_admin_cluster | unicast | n/a | n/a | Leave it empty. |
Leave all other fields at the default settings and click Next.
On the Assign Servers to Clusters screen, associate the Managed Servers with the cluster. Click the cluster name in the right pane. Click the Managed Server under Servers, then click the arrow to assign it to the cluster.
Assign servers to the clusters as follows:
| Cluster | Server |
|---|---|
| oaam_cluster | wls_oaam1 |
| wls_oaam2 | |
| oaam_admin_cluster | wls_oaam_admin1 |
| wls_oaam_admin2 |
Note:
Do not change the configuration of any clusters which have already been configured as part of previous application deployments.Click Next.
On the Configure Machines screen, click Next.
Note:
Deployment will have created Machines for youOn the Assign Servers to Machines screen, assign servers to machines as follows:
OAMHOST1: wls_oaam1, wls_oaam_admin1
OAMHOST2: wls_oaam2, wls_oaam_admin2
Click Next to continue.
On the Configuration Summary screen, click Extend to extend the domain.
Note:
Note: If you receive a warning that says:CFGFWK: Server listen ports in your domain configuration conflict with ports in use by active processes on this host
Click OK.
This warning appears if Managed Servers have been defined as part of previous installs and can safely be ignored.
Restart WebLogic Administration Server on OAMHOST 1. See Section 20.1, "Starting and Stopping Components."
Once the configuration is complete, you must propagate the Oracle Adaptive Access Manager configuration to the managed server directory on OAMHOST1 and OAMHOST2.
Propagate the Oracle Adaptive Access Manager by packing first the domain IAMAccessDomain from the shared storage location and unpacking it to managed server directory on local storage.
You do this by packing and unpacking the domain, you pack the domain first on IAMAccessDomain on OAMHOST1 then unpack it on OAMHOST1 and OAMHOST2.
Follow these steps to propagate the domain to the managed server domain directory.
Invoke the pack utility from ORACLE_COMMON_HOME/common/bin/ on OAMHOST1.
./pack.sh -domain=IAD_ASERVER_HOME -template=iam_domain.jar -template_name="IAM Domain" -managed=true
This creates a file called iam_domain.jar.
Note:
The template is common to both hosts as it is mounted and available on the other host.On OAMHOST1 and OAMHOST2, invoke the utility unpack, which is also located in the directory: ORACLE_COMMON_HOME/common/bin/
./unpack.sh -domain=IAD_MSERVER_HOME -template=iam_domain.jar -overwrite_domain=true -app_dir=IAD_MSERVER_HOME/applications
If you see a message similar to this, you may safely ignore it:
-------------------------------------------------------- >> Server listen ports in your domain configuration conflict with ports in use by active processes on this host. Port 14100 on wls_oam2 ----------------------------------------------------------------
Deployment creates a set of scripts to start and stop managed servers defined in the domain. Whenever you create a new managed server in the domain you must update the domain configuration so that these start and stop scripts can also start the newly created managed server. You must now do this for each of the OAAM managed servers.
To update the domain configuration, edit the file serverInstancesCustom.txt, which is located in the directory: SHARED_CONFIG_DIR/scripts
If you want to start a node manager on a new machine, add an entry which looks like this:
newmachine.mycompany.com NM nodemanager_pathname nodemanager_port
For example:
OAMHOST3.mycompany.com NM /u01/oracle/config/nodemanager/oamhost3.mycompany.com 5556
For each of the OAAM managed servers in the table in Section 17.4, "Extending Domain for Oracle Adaptive Access Manager", Step 8 (Configure Managed Servers screen), add an entry which looks like this:
newmachine.mycompany.com OAAM ManagedServerName
For example:
OAMHOST1 OAAM wls_oaam1 IADADMINVHN 7001 OAMHOST1 OAAM wls_oaam_admin1 IADADMINVHN 7001 OAMHOST2 OAAM wls_oaam2 IADADMINVHN 7001 OAMHOST2 OAAM wls_oaam_admin2 IADADMINVHN 7001
Save the file.
This section contains the following topics:
Start the WebLogic Administration Console for IAMAccessDomain using the URL specified in Section 20.2, "About Identity and Access Management Console URLs."
Select Environment, Servers from the domain structure menu then click the Control tab.
Select the servers wls_oaam_admin1 and wls_oaam1 and click Start.
Validate the implementation by connecting to the OAAM Administration Server at:
http://OAMHOST1.mycompany.com:14200/oaam_admin
and to the OAAM server at:
http://OAMHOST1.mycompany.com:14300/oaam_server
The implementation is valid if the OAAM Server login page is displayed and you can log in using the oaamadmin account you created in Section 17.3.2, "Creating OAAM Users and Groups in LDAP."
This section describes how to configure Oracle Adaptive Access Manager on OAMHOST2.
This section contains the following topics:
Start Oracle Adaptive Access Manager on OAMHOST2 by following the start procedures in Section 20.1, "Starting and Stopping Components" for WebLogic Managed Servers wls_oaam2 and wls_oaam_admin2.
Validate the implementation by connecting to the OAAM Administration Server at:
http://OAMHOST2.mycompany.com:14200/oaam_admin
and to the OAAM server at:
http://OAMHOST2.mycompany.com:14300/oaam_server
The implementation is valid if the OAAM Server login page is displayed and you can log in using the oaamadmin account you created in Section 17.3.2, "Creating OAAM Users and Groups in LDAP."
This section describes how to configure Oracle Adaptive Access Manager to work with the Oracle HTTP Server.
Note:
If you are using Oracle Traffic Director, follow Section 17.10.1, "Configuring Access from Oracle Traffic Director." If you are using external Oracle HTTP Server, follow Section 17.10.2, "Configuring Access from Oracle HTTP Server."This section contains the following topics:
Section 17.10.1, "Configuring Access from Oracle Traffic Director"
Section 17.10.2, "Configuring Access from Oracle HTTP Server"
Section 17.10.4, "Validating Oracle Adaptive Access Manager"
Create a server pool for OAAM Managed Servers as described in Section 12.7.1, "Creating an Origin-Server Pool."
Create OTD routes for OAAM as described in Section 12.8, "Creating Routes."
If you are adding OAAM to an existing domain, you must include OAAM in the Oracle HTTP Server configuration by updating the following files on WEBHOST1 and WEBHOST2. Depending on whether or not you are using OTD or the Oracle HTTP server to serve your web requests the instructions for incorporating OAAM into the web tier are different.
You must include OAAM in the Web Tier configuration by updating the following files on WEBHOST1 and WEBHOST2:
Add the following to WEB_ORACLE_INSTANCE/config/OHS/component_name/moduleconf/idmadmin_vh.conf:
######################################################
## Entries Required by Oracle Adaptive Access Manager
######################################################
# OAAM Console
<Location /oaam_admin>
SetHandler weblogic-handler
WebLogicCluster OAMHOST1.mycompany.com:14200,OAMHOST2.mycompany.com:14200
</Location>
Add the following to WEB_ORACLE_INSTANCE/config/OHS/component_name/moduleconf/sso_vh.conf:
######################################################
## Entries Required by Oracle Adaptive Access Manager
######################################################
<Location /oaam_server>
SetHandler weblogic-handler
WebLogicCluster OAMHOST1.mycompany.com:14300,OAMHOST2.mycompany.com:14300
WLProxySSL ON
WLProxySSLPassThrough ON
</Location>
Restart the Oracle HTTP Server on WEBHOST1 and WEBHOST2, as described in Section 20.1, "Starting and Stopping Components."
Restart the managed servers wls_oaam1, wls_oaam2, wls_oaam_admin1, and wls_oaam_admin2 as described in Section 20.1, "Starting and Stopping Components."
Because the Oracle HTTP Server acts as a proxy for WebLogic, by default certain CGI environment variables are not passed through to WebLogic. These include the host and port. You must tell WebLogic that it is using a virtual site name and port so that it can generate internal URLs appropriately.
To do this, log in to the WebLogic administration console in the IAMAccessDomain at the URL listed in Section 20.2, "About Identity and Access Management Console URLs."
Then proceed as follows:
Select Clusters from the home page or, alternatively, select Environment -> Clusters from the Domain structure menu.
Click Lock and Edit in the Change Center Window to enable editing.
Click the Cluster Name (oaam_cluster).
Select HTTP and enter the following values (from Section 11.1, "Assembling Information for Identity and Access Management Deployment"):
Frontend Host: sso.mycompany.com (IAM_LOGIN_URI)
Frontend HTTP Port: 80 (HTTP_PORT)
Frontend HTTPS Port: 443 (HTTP_SSL_PORT)
This ensures that any HTTPS URLs created from within WebLogic are directed to port 443 on the load balancer.
Click Save.
Select Clusters from the home page or, alternatively, select Environment -> Clusters from the Domain structure menu.
Click the Cluster Name (oaam_admin_cluster).
Select HTTP and enter the following values (from Section 11.1, "Assembling Information for Identity and Access Management Deployment"):
Frontend Host: IADADMIN.mycompany.com (IAD_DOMAIN_ADMIN_LBRVHN)
Frontend HTTP Port: 80 (HTTP_PORT)
Click Save.
Click Activate Changes in the Change Center window to enable editing.
Restart the managed servers.
Log in to the Oracle Adaptive Access Management Administration console, at the URL listed in Section 20.2, "About Identity and Access Management Console URLs," using the oaamadmin account you created in Section 13.5.2, "Creating OAAM Administration User in WebLogic Console."
Also log in to the Oracle Adaptive Access Manager server at https://sso.mycompany.com/oaam_server in using the account oaamadmin account and the password test.
Check that the following URL can be accessed:
https://sso.mycompany.com:443/oaam_server/oamLoginPage.jsp
Note:
The credential collection procedure is the same in Exalogic and Non-Exalogic deployments, but after the credential collection page is displayed you see a "Page not found error" in the Exalogic test. This is normal and occurs because there is no such page in Oracle Traffic Director.This section describes how to load seed data into Oracle Adaptive Access Manager.
Note:
Either copy the files from OAMHOST1 to your local machine (where you are running the browser) or run this step from a browser started on OAMHOST1.Log in to Oracle Adaptive Access Management Administration console at the URL listed in Section 20.2, "About Identity and Access Management Console URLs."
Connect using the oaamadmin account that you created in Section 17.3.2, "Creating OAAM Users and Groups in LDAP."
Click System Snapshots, which is located on the Navigation -> Environment menu.
Click List System Snapshots.
Click Load From File.
Enter the following information:
Name: Default Snapshot
Notes: Default Snapshot
Select Backup Current System Now.
Click Continue.
Click OK to acknowledge backup creation.
Click Choose File.
Select the file oaam_base_snapshot.zip which is located in:
IAD_ORACLE_HOME/oaam/init
Click Load.
You will see a message that says that the snapshot file was loaded successfully. Acknowledge this message by clicking OK.
Click Restore near the top right.
When loading is complete, a message is displayed. Click OK.
This section describes how to integrate OAAM with Access Manager and Oracle Identity Manager. Once OAAM has been integrated with Access Manager, you can use OAAM instead of the standard Access Manager login to validate access to resources. Even though OAAM is performing the authentication, it is authenticating against users in Access Manager.
When OAAM is integrated with Oracle Identity Manager, Oracle Identity Manager is used to help users who have forgotten their username or password.
This section contains the following topics:
Section 17.12.1, "Retrieving the Global Passphrase for Simple Mode."
Section 17.12.2, "Registering OAAM as a Third Party Application."
Section 17.12.3, "Setting OAAM properties for Access Manager."
Section 17.12.4, "Creating Oracle Adaptive Access Manager Policies."
Access Manager generates a random global passphrase for Simple mode communication during installation. The following procedure describes how to retrieve this passphrase. You will need it later in this chapter.
To retrieve the random global passphrase for Simple mode communication, on OAMHOST1 invoke the WebLogic Scripting Tool located in IAD_ORACLE_HOME/common/bin. Once you are in the wlst shell, enter the command to connect.
./wlst.sh wls:/offline> connect()
Respond to the prompts as shown:
Please enter your username [weblogic] : weblogic
Please enter your password [weblogic] : COMMON_IDM_PASSWORD
Please enter your server URL [t3://localhost:7001] : t3://IADADMINVHN:7001
wls:/IAMAccessDomain/serverConfig>
Enter the following command to change the location to the read-only domainRuntime tree. For help, use help(domainRuntime)).
wls:/IAMAccessDomain/domainRuntime>domainRuntime()
View the global passphrase by entering the following command.
wls:/IAMAccessDomain/domainRuntime> displaySimpleModeGlobalPassphrase()
Make a note of this passphrase and exit wlst by using the exit command:
wls:/IAMAccessDomain/domainRuntime> exit()
If you have configured Access Manager to use the Simple Security Transportation protocol, you must register OAAM as a third-party application.
To register OAAM as a third-party application:
Create a directory to hold the OAAM Keystore. Placing this directory in the IAD_ASERVER_HOME ensures that it is available to all OAAM Hosts.
mkdir -p IAD_ASERVER_HOME/keystores
From OAMHOST1, start the WLST shell from the IAD_ORACLE_HOME/common/bin directory. For example, on Linux, you would type:
./wlst.sh
Connect to the WebLogic Administration Server using the following wlst connect command:
connect('AdminUser',"AdminUserPassword",t3://hostname:port')
For example:
connect("weblogic","admin_password","t3://IADADMINVHN.mycompany.com:7001")
Run the registerThirdPartyTAPPartner command as follows:
registerThirdPartyTAPPartner(partnerName = "partnerName", keystoreLocation= "path to keystore" , password="keystore password", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="OAAM login URL")
For example:
registerThirdPartyTAPPartner(partnerName = "OAAMTAPPartner", keystoreLocation= "IAD_ASERVER_HOME/keystores/oaam_keystore.jks" , password="password", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="https://sso.mycompany.com/oaam_server/oamLoginPage.jsp")
Where:
partnerName is a unique name. If the partner exists in Access Manager, the configuration will be overwritten.
keystoreLocation is an existing Key Store location. If the directory path you specified is not present, you get an error.
password is the password specified to encrypt the key store. Remember this, as you will need it later.
tapTokenVersion is always v2.0.
tapScheme is the authentication scheme to be updated.
tapRedirectUrl is a reachable URL. If it is not, registration fails with the message: Error! Hyperlink reference not valid.
Note:
Due to a bug,tapRedirectURL must be an HTTP URL. This is changed to HTTPS later.tapRedirectUrl is:
https://sso.mycompany.com/oaam_server/oamLoginPage.jsp
Exit WLST.
exit()
Log in to the Access Management Console at the URL listed in Section 20.2, "About Identity and Access Management Console URLs."
Click Authentication Schemes in the Access Manager section.
The Search Authentication Schemes Page is displayed.
Enter TAPScheme in the Search Name box and click Search.
Click TAPScheme.
Verify that the Challenge URL is set to:
/oaam_server/oamLoginPage.jsp
The parameters TAPPartnerId=OAAMTAPPartner and SERVER_HOST_ALIAS=OAMSERVER should already be listed as Challenge Parameters. Add the following Challenge Parameters:
MatchLDAPAttribute=uid
TAPOverrideResource=https://sso.mycompany.com:443/oamTAPAuthenticate
Click Apply.
Restart wls_oaam1 and wls_oaam2 as described in Section 20.1, "Starting and Stopping Components."
Set the OAAM properties for Access manager by editing the oaam_cli.properties file.
To set the OAAM properties on OAMHOST1:
Copy IAD_ORACLE_HOME/oaam/cli to a temporary location. For example:
cp -r IAD_ORACLE_HOME/oaam/cli/u01/oracle/oaam
Edit the file oaam_cli.properties, which is located in the directory:
/u01/oracle/oaam/conf/bharosa_properties.
Set the following property values in the file:
| Parameter | Value |
|---|---|
oaam.adminserver.hostname |
IADADMINVHN.mycompany.com |
oaam.adminserver.port |
7001 |
oaam.adminserver.username |
weblogic |
oaam.adminserver.password |
Password for the weblogic user |
oaam.db.url |
The DBC URL for the OAAM Database. Format: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCP)(HOST=IAMDBSCAN) (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=oaamedg.mycompany.com))) |
oaam.uio.oam.tap.keystoreFile |
The location of the keystore that was created in Section 17.12.2, "Registering OAAM as a Third Party Application."For example:
|
oaam.uio.oam.tap.partnername |
OAAMTAPPartner |
oaam.uio.oam.host |
OAMHOST1 |
oaam.uio.oam.port |
The Access Manager Server proxy port OAM_PROXY_PORT. For example: 5575. |
oaam.uio.oam.webgate_id |
IAMSuiteAgent |
oaam.uio.oam.secondary.host |
OAMHOST2 |
oaam.uio.oam.secondary.host.port |
The Access Manager Server proxy port, OAM_PROXY_PORT, on the second Access Manager Server. For example: 5575. |
oaam.uio.oam.security.mode |
This depends on the Access Manager security transport mode in use. If this is an AIX build, then the value will be 1 (Open) otherwise it will be 2 (Simple). |
oam.uio.oam.rootcertificate.keystore.filepath |
The location of the Keystore file generated for the root certificate:
This is required only for security modes |
oam.uio.oam.privatekeycertificate.keystore.filepath |
The location of the Keystore file generated for private key:
This is required for security modes |
Save the file
Execute the OAAM CLI tool by issuing the command setupOAMTapIntegration.sh, which is located in the directory:
/u01/oracle/oaam
as follows:
Set ORACLE_MW_HOME to IAD_MW_HOME
Set JAVA_HOME to JAVA_HOME
Set WLS_HOME to IAD_MW_HOME/wlserver_10.3
Set APP_SERVER_TYPE to weblogic
Run the commands:
chmod +x /u01/oracle/oaam/setupOAMTapIntegration.sh /u01/oracle/oaam/setupOAMTapIntegration.sh /u01/oracle/oaam/conf/bharosa_properties/oaam_cli.properties
When the command runs, it prompts you for the following information:
OAAM AdminServer User Name: weblogic
OAAM AdminServer Password: Password for weblogic account
OAAM DB username: EDGIAD_OAAM.
OAAM DB password: Password for the OAAM database user.
OAM Webgate Credentials to be stored in CSF: Enter WebGate password (COMMON_IDM_PASSWORD).
OAM TAP Key store file password: The password you assigned when you registered OAAM as a 3rd party application in Section 17.12.2, "Registering OAAM as a Third Party Application" (COMMON_IDM_PASSWORD).
OAM Private Key certificate Key store file password: The Access Manager global passphrase obtained in Section 17.12.1, "Retrieving the Global Passphrase for Simple Mode."
OAM Global Pass phrase: If you are using the OAAM Simple security model then this is the value retrieved in Section 17.12.1, "Retrieving the Global Passphrase for Simple Mode."
Create a group for OAAM Protected resources in the IAMSuite Application Domain.
Log in to the Access Management Console at the URL listed in Section 20.2, "About Identity and Access Management Console URLs," using the oamadmin account created previously
Click Application Domains.
Click Search.
Click IAM Suite. The IAM Suite Domain page is displayed.
Click the Authentication Policies tab.
Click Create Authentication Policy and enter the following information:
Name: OAAM Protected Resources
Description: Resources protected by OAAM
Authentication Scheme: TAPScheme
Click Apply.
Repeat Steps 1 through 7, but enter the following values after clicking Create Authentication Policy:
Name: LDAP Protected Resource
Description: Resources protected by LDAPScheme
Authentication Scheme: LDAPScheme
Now that you have something to protect, you must create a resource in Access Manager and assign it to one of the policy groups you just created.
Log in to the Access Management Console at the URL listed in Section 20.2, "About Identity and Access Management Console URLs."
Click Application Domains.
Click Search.
Click IAM Suite.
Click the Resources tab.
Click New Resource and enter the following information:
Type: http
Description: OAAM Test Page
Host Identifier: IAMSuiteAgent
Resource URL: /oaam_sso.html
Protection Level: Protected
Authentication Policy: OAAM Protected Resources
Authorization Policy: Protected Resource Policy
Click Apply.
Note:
Unlike Oracle HTTP Server, displaying static HTML pages can be difficult. However, the purpose of creating this resource is to test OAAM.Log in to the Access Management Console at the URL listed in Section 20.2, "About Identity and Access Management Console URLs," using the oamadmin account created previously.
Click on Application Domains under the Access Manager section.
The Application Domains Search screen appears.
Click Search.
Click on IAM Suite to bring up the IAM Suite Domain page.
Click on the Authentication Policies subtab.
Click Protected Higher Level Policy.
Click on the Resources subtab.
In the Resources window click /oamTAPAuthenticate.
Click Delete.
Click Apply.
Click on Application Domains under the Access Manager section.
The Application Domains Search screen appears.
Click Search.
Click on IAM Suite to bring up the IAM Suite Domain page.
Click on the Authentication Policies subtab.
Click LDAP Protected Resources.
In the Resources window, click Add.
When the Search box appears enter:
Resource URL: /oamTAPAuthenticate
Click Search.
Click on /oamTAPAuthenticate from the search results.
Click Add Selected.
Click Apply.
Use the OAM Access Tester tool to ensure that this integration has been completed successfully.
To ensure the integration is completed successfully:
Ensure that JAVA_HOME is set in your environment.
Add JAVA_HOME/bin to your PATH, for example:
export PATH=$JAVA_HOME/bin:$PATH
Change directory to:
IAD_ORACLE_HOME/oam/server/tester
Start the test tool in a terminal window using the command:
java -jar oamtest.jar
Connect using the following values:
Primary OAM Host: OAMHOST1
Port: 5575 (OAM_PROXY_PORT)
Agent ID: IAMSuiteAgent
Agent Password: Password you assigned to the IAMSuiteAgent profile
Mode: Select List System Snapshots for AIX platforms. Otherwise, select Simple.
Global Passphrase: If you selected Simple mode, enter the Access Manager global passphrase obtained in Section 17.12.1, "Retrieving the Global Passphrase for Simple Mode.".
Click Connect.
Provide Protected Resource URI:
Scheme: http
Host: IAMSuiteAgent
Port: Leave blank
Resource: /oamTAPAuthenticate
Click Validate.
Provide User Identity oamadmin and the password for oamadmin.
Click Authenticate. If the authentication is successful, integration has been completed successfully.
Perform the same validation on OAMHOST2.
Access your protected resource using the following URL:
https://sso.mycompany.com:443/oaam_sso.html
You are redirected to OAAM for registration and challenge. The OAAM login page is shown instead of the Access Manager login page. Log in using an authorized Access Manager user such as oamadmin. Once you are logged in, the OAAM protected resource is displayed.
Note:
Where Oracle Traffic Director is used, once you have been through the OAAM authentication, an error appears showing "page not found." This is expected, you have not created theoaam_sso.html page merely created a policy to test authentication.
If you have an Oracle HTTP Server, you can easily create a simple HTML page. This is possible in Oracle Traffic Director, but is complicated. If you are presented with an OAAM challenge when trying to access the resource, and you pass that validation, that is sufficient to validate OAAM. Whether or not a simple HTML page is displayed at the end is not relevant and does not invalidate the test.
OAAM provides a comprehensive set of challenge questions. Its functionality includes:
Challenging the user before and after authentication, as required, with a series of questions.
Presenting the questions as images and seeking answers through various input devices.
Asking questions one after another, revealing subsequent questions only if correct answers are provided.
Oracle Identity Manager also has basic challenge question functionality. It enables users to answer a set of configurable questions and reset their password if they forgot the password. Unlike OAAM, Oracle Identity Manager also has a rich set of password validation capabilities, and it enables policies to be set based on the accounts owned, in addition to simple attributes.
In an Identity and Access Management deployment, best practice is to register only a single set of challenge questions, and to use a single set of password policies. OAAM can be integrated with Oracle Identity Manager so that OAAM provides the challenge questions and Oracle Identity Manager provides password validation, storage and propagation. This enables you to use OAAM fraud prevention at the same time you use Oracle Identity Manager for password validation. When OAAM is integrated with Oracle Identity Manager, Oracle Identity Manager is used to help users who have forgotten their username or password.
Note:
Where Oracle Traffic Director is used, once you have been through the OAAM authentication, you see an error showing "page not found." This is expected, you have not created theoaam_sso.html page merely created a policy to test authentication.
If you have an Oracle HTTP Server server then creating a simple HTML page is easily done, and while possible in OTD it is complicated. So if you are presented with an OAAM challenge when trying to access the resource and you pass that validation that is sufficient to validate OAAM. Whether or not a simple HTML page is displayed at the end is not relevant, and does not invalidate the test.
This section contains the following topics:
Section 17.13.1, "Configuring Oracle Identity Manager Encryption Keys in CSF"
Section 17.13.3, "Setting Oracle Adaptive Access Manager Properties for Oracle Identity Manager"
Section 17.13.4, "Setting Oracle Identity Manager Properties for OAAM"
Section 17.13.5, "Restarting IAMAccessDomain and IAMGovernanceDomain"
Section 17.13.6, "Validating Oracle Identity Manager-Oracle Adaptive Access Manager Integration"
Go to Oracle Enterprise Manager Fusion Middleware Control for the domain IAMAccessDomain at the URL listed in Section 20.2, "About Identity and Access Management Console URLs."
Log in using the WebLogic administrator account, for example weblogic_idm.
Expand the WebLogic Domain icon in the navigation tree in the left pane.
Select the IAMAccessDomain, right click, and select the menu option Security and then the option Credentials in the sub menu.
Click oaam to select the map and then click Create Key.
In the pop-up window, ensure Select Map is oaam.
Enter:
Key Name: oim.credentials
Type: Password
UserName: xelsysadm
Password: Password for xelsysadm account, COMMON_IDM_PASSWORD
Click OK to save the secret key to the Credential Store Framework.
When you are deploying Oracle Adaptive Access Manager, and Oracle Identity Manager and Oracle Adaptive Access Manager are in separate domains, you must configure cross-domain trust.
Configure cross-domain trust in the domain IAMAccessDomain, as follows:
Log in to WebLogic Administration Console in IAMAccessDomain.
Click Lock and Edit.
Click IAMAccessDomain in Domain Structure and select the Security tab.
Expand the Advanced section.
Select Cross domain security enabled.
Choose a password to be used to confirm cross domain trust and type it in the Credential and Confirm Credential fields.
Click Save.
Click Activate Changes.
Configure Cross-Domain Trust in the domain IAMGovernanceDomain, as follows:
Log in to WebLogic Administration Console in IAMGovernanceDomain.
Click Lock and Edit.
Click IAMGovernanceDomain in Domain Structure and select the Security tab.
Expand the Advanced section.
Select Cross domain security enabled.
Enter the password you entered into the credential fields of the IAMAccessDomain in the Credential and Confirm Credential fields.
Click Save.
Click Activate Changes.
Go to the OAAM Administration Console at the URL listed in Section 20.2, "About Identity and Access Management Console URLs."
Log in using the oaamadmin account you created in Section 17.3.2, "Creating OAAM Users and Groups in LDAP.""
Then proceed as follows:
In the navigation tree, click Properties under the Environment heading and then click List Properties. The properties search page is displayed.
To set a property value, enter its name in the Name field and click Search. The current value is shown in the search results window.
Click the entry. The Value field is displayed. Enter the new value and click Save.
Set the following properties to enable Oracle Adaptive Access Manager to integrate with Oracle Identity Manager:
bharosa.uio.default.user.management.provider.classname: com.bharosa.vcrypt.services.OAAMUserMgmtOIM
bharosa.uio.default.signon.links.enum.selfregistration.url: https://sso.mycompany.com:443/identity/faces/register?&backUrl=https://sso.mycompany.com:443/identity
bharosa.uio.default.signon.links.enum.trackregistration.enabled: true
bharosa.uio.default.signon.links.enum.selfregistration.enabled: true
bharosa.uio.default.signon.links.enum.trackregistration.url: https://sso.mycompany.com:443/identity/faces/trackregistration?&backUrl=https://sso.mycompany.com:443/identity
oaam.oim.passwordflow.unlockuser: true
oaam.oim.url: t3://oimhost1vhn.mycompany.com:14000,oimhost2vhn.mycompany.com:14000
Log in to the Oracle Identity Manager System Administration Console at the URL listed in Section 20.2, "About Identity and Access Management Console URLs."
Click System Configuration under the System Management heading. The System Configuration window opens.
Click Search in Search System Properties.
Click each of the properties shown below, then select Edit. Set the value of each property as shown and click Save to save the value.
Note:
The property name appears in the keyword column.OIM.DisableChallengeQuestions: TRUE
OIM.ChangePasswordURL: https://sso.mycompany.com:443/oaam_server/oimChangePassword.jsp
OIM.ChallengeQuestionModificationURL: https://sso.mycompany.com:443/oaam_server/oimResetChallengeQuestions.jsp
Restart the following Administration servers and managed servers as described in Chapter 20, "Starting and Stopping Components."
WebLogic Administration Servers
wls_oam1 and wls_oam2
wls_oim1 and wls_oim2
wls_oaam1 and wls_oaam2
Validate that Oracle Identity Manager is integrated with OAAM as follows:
Log in to the Oracle Identity Self Service as the xelsysadm user.
You are prompted to set up challenge questions and OAAM-specific security pictures.
To use OAAM authentication for everything:
Note:
Perform this procedure only if you want the entire domain to be protected by OAAM rather than just OAM.Log in to the Access Management Console at the URL listed in Section 20.2, "About Identity and Access Management Console URLs."
Click Application Domains.
Click Search.
Click IAM Suite.
Click the Authentication Policies tab.
Click on the policy Protected HigherLevel Policy.
Change the value of Authentication Scheme to TAPScheme.
Click Apply.
It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide.
For information on database backups, refer to the Oracle Database Backup and Recovery User's Guide.
To back up the installation to this point, follow these steps:
Back up the web tier as described in Section 20.5.3.6, "Backing Up the Web Tier."
Back up the database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager.
Back up the Administration Server domain directory as described in Section 20.5.3.4, "Backing Up the WebLogic Domain IAMGovernanceDomain."
Back up the directory as described in Section 20.5.3.2, "Backing Up LDAP Directories."
For information about backing up the application tier configuration, see Section 20.5, "Performing Backups and Recoveries."