Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service
11g Release 1 (11.1.1)
Part Number E15478-06
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New
New Features in Patch Set 1
Release 11g Release 1 (11.1.1)
Product and Component Name Changes
Part I Introduction to Oracle Access Manager with Oracle Security Token Service
1
Oracle Product Introduction
Introduction to Oracle Access Manager
Introduction to Oracle Access Manager Architecture
Introduction to Oracle Access Manager Deployment Types and Installation
About Deployment Types and OAM
About Oracle Access Management Post-Installation Tasks
About Installation versus Upgrading
Comparing Oracle Access Manager 11g, 10g, and OracleAS SSO 10g
Enhancements in Oracle Access Manager 11g
Oracle Access Manager 10g Functionality Not Available with 11g
Comparing Oracle Access Manager 11g, 10g, and OracleAS SSO 10g
Introduction to Oracle Security Token Service
Oracle Security Token Service Key Terms and Concepts
About Oracle Security Token Service with Oracle Access Manager
About Integrated Oracle Web Services Manager
About Oracle Security Token Service Architecture
About Oracle Security Token Service Deployments
Centralized Token Authority Deployment
Tokens Behind a Firewall Deployment
Web Services SSO Deployment
About Installation Options
Oracle Security Token Service Cluster in Single WLS Domain
Endpoint Exposure through a Web Server Proxy
Interoperability of Requester and Relying Party with Other Oracle WS-Trust based Clients
Oracle Security Token Service Installation Overview
Post-Installation Tasks: Oracle Security Token Service
About Oracle Security Token Service Administration
2
Introduction to This Book
Introduction to This Book
Part I: Oracle Product Introduction
Part II: Common Tasks
Getting Started with Common Administration and Navigation
Managing Services, Certificate Validation, and Common Settings
Data Sources
OAM Server Instances and the Console
Oracle Access Manager Session Management
Part III: Oracle Access Manager Settings
Access Manager Settings
Single Sign-on Agents
Part IV: Single Sign-on, Oracle Access Manager Policies, and Testing
Single Sign-On
Oracle Access Manager Policy Model and Shared Policy Components
Oracle Access Manager Policy Model, Application Domains, and Policies
Connectivity and Policy Testing
Centralized Logout for Oracle Access Manager 11g
Part V: Oracle Security Token Service
Part VI: Common Logging, Auditing, Performance Monitoring
Component Event Message Logging
Webgate Event Message Logging
Common Audit Framework
Performance Metrics in the Oracle Access Manager Console
Performance Metrics in Fusion Middleware Control
Part VII: Using OAM 10g Webgates with OAM 11g
Provisioning OAM 10g Webgates for OAM 11g
Configuring 10g Webgates for Apache v2-based Web Servers (OHS and IHS)
Configuring 10g Webgates for the IIS Web Server
Configuring 10g Webgates for the ISA Server
Configuring Lotus Domino for OAM 10g Webgates
Part VIII: Appendixes
Co-existence: OAM 11g SSO versus OAM 10g SSO with OracleAS SSO 10g
Moving OAM 11g From Test (Source) to Production (Target)
Integration with Oracle ADF Applications
Internationalization and Multibyte Data Support for OAM 10g Webgates
Secure Communication and Certificate Management
Custom WebLogic Scripting Tool Commands for OAM
OAM 11g for IPv6 Clients
Creating Deployment-Specific Pages
Troubleshooting
Part II Using the Console for Common Tasks
3
Getting Started with Common Administration and Navigation
Prerequisites
Introduction to Administrators
Logging In to and Signing Out of Oracle Access Manager Console
Logging In to the Oracle Access Manager Console
Signing Out of Oracle Access Manager Console
Introduction to the Oracle Access Manager Console and Controls
Console Layout and Controls
Welcome Page and Shortcuts
Function-Level Tabs and Controls
Content Pages and Page Controls
Elements on a Page
Selecting Controls in the Console
Introduction to Policy Configuration and System Configuration Tabs
About the System Configuration Tab
About the Policy Configuration Tab
Viewing Configuration Details in the Console
Conducting Searches Using the Console
Conducting Policy Element Searches Using the Console
About Policy Configuration Search Controls
Searching for Policy Elements
Refining Searches for System Configuration Elements
Using Online Help
Command-Line Tools
Logging, Auditing, Monitoring Performance
4
Managing Services, Certificate Validation, and Common Settings
Prerequisites
Introduction to Common Configuration Elements
Enabling or Disabling Available Services
Managing the Common Settings
About Common Settings Pages
Managing Common Settings
Viewing Common Coherence Settings
Managing Global Certificate Validation and Revocation
About Certificate Validation and Revocation Lists
Managing Certificate Revocation Lists (CRLs)
Managing Certificate Validation
Configuring CDP
5
Managing Common Data Sources
Prerequisites
Introduction to Managing Common Data Sources
About User Identity Stores
Multiple Identity Stores
About the Policy and Session Database Store
About the Oracle Access Manager Configuration Data File
About Oracle Access Manager Security Keys and the Embedded Java Keystore
About Oracle Security Token Service Keystores
Managing User Identity Stores
About the User Identity Store Registration Page
Registering a New User Identity Store
Viewing or Editing a User Identity Store Registration
Deleting a User Identity Store Registration
Setting the Default Store and System Store
About Setting the Default Store and System Store
Defining a Default Store and System Store
Managing the Administrators Role
About Managing the Administrator Role
Managing Administrator Roles
Managing the Policy Database by Using the Console
About Database Deployment for Oracle Access Manager
Configuring a Separate Database for Session Data
6
Managing Common OAM Server Registration
Prerequisites
Introduction to OAM Server Registration and Management
About Server Side Differences Between OAM 11g and OAM 10g
About Individual OAM Server Registrations
About the Embedded Proxy Server and Backward Compatibility
About OAM 11g SSO and Legacy OAM 10g SSO in Combination with OSSO
About Communication Between OAM Servers and Webgates
Managing Individual OAM Server Registrations
About the OAM Server Registration Page
OAM Proxy Page
Coherence Page for Individual Servers
Registering a Fresh OAM Server Instance
Viewing or Editing Individual OAM Server and Proxy Settings
Deleting an Individual Server Registration
7
Managing Sessions
Prerequisites
Introduction to User Sessions and Session Management
About the User Session Lifecycle
Oracle Coherence and Session Management
Configuring User Session Lifecycle Settings
About Common Session Lifecycle Setting Page
Viewing or Modifying Common Session Lifecycle Settings
Managing Active User Sessions
About the Session Management Page
Managing Active User Sessions
Verifying Session Management Operations
Security
Secure HTTPS Protocol
Coherence
Database Persistence
Part III Oracle Access Manager Settings Management
8
Configuring Access Manager Settings
Prerequisites
Introduction to Access Manager Settings
Managing Access Manager Load Balancing and Secure Error Modes
About Access Manager Load Balancing Settings and Secure Error Modes
Managing OAM Server Load Balancing and Secure Error Modes
Managing SSO Tokens and IP Validation
About Access Manager SSO Tokens and IP Validation Settings
Managing SSO Tokens and IP Validation
Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security
About Simple and Cert Mode Transport Security
About the Common OAM Proxy Page for Secure Server Communications
Viewing or Editing Simple or Cert Settings for OAM Proxy
Managing Run Time Policy Evaluation Caches
About Run Time Policy Evaluation Caches
Managing Run Time Policy Evaluation Caches
Managing Authentication Modules
About Default Authentication Modules and Pages
Kerberos Authentication Module
LDAP Authentication Modules
X509 Authentication Module
Creating a New Authentication Module of an Existing Type
Viewing or Editing Authentication Modules
Deleting an Authentication Module
Creating Custom Authentication Modules
About Creating Custom Authentication Modules
About the Custom Authentication Module Plug-ins
Creating a Custom Authentication Module
9
Registering Partners (Agents and Applications) by Using the Console
Prerequisites
Introduction to Policy Enforcement Agents
About Policy-Enforcement Agents
About the Pre-Registered IAMSuiteAgent
About Registering Partners (Agents and Applications)
About File System Changes and Artifacts for Registered Agents
Registering and Managing OAM Agents Using the Console
About Creating and Editing Webgate Registration
About User-Defined Webgate Parameters
About IP Address Validation for Webgates
Searching for an OAM Agent Registration
Registering a Webgate or Programmatic Access Client
Viewing or Editing an OAM Agent Registration
Deleting Webgate Registration
Tuning 10g and 11g Webgate Caches
Introducing Webgate Caches
Reducing Network Traffic Between Components
Changing the Webgate Polling Frequency
Registering and Managing OSSO Agents Using the Console
About OSSO Agents and the OSSO Proxy
About the Create OSSO Agent Page
Refining the Search for an OSSO Agent (mod_osso) Registration
Registering an OSSO Agent (mod_osso)
Viewing or Editing OSSO Agent (mod_osso) Registration
Deleting an OSSO Agent (mod_osso) Registration
10
Registering Partners (Agents and Applications) Remotely
Prerequisites
Introduction to Remote Partner Registration
About In-Band Remote Registration
About Out-of-Band Remote Registration
About Key Use, Generation, Provisioning, and Storage
About the Remote Registration Tool
About Remote Registration Request Files
OSSO Remote Registration Request
Short, Simplified OAM Remote Registration Requests
Common Elements of Remote Registration Requests
OSSO-Specific Elements in a Remote Registration Request
Full OAM Remote Registration Requests
About Out-of-Band Registration Responses
Acquiring and Setting Up the Registration Tool
Creating the Registration Request
Performing In-Band Remote Registration
Performing Out-of-Band Remote Registration
Validating Remote Registration and Resource Protection
Validating Remote Registration
Validating Authentication, Resource Protection, and Access After Remote Registration
Introducing Remote Management Modes
About Remote Agent Management Modes
OSSOUpdateAgentRequest.xml
OAM11GUpdateAgentRequest.xml
OAMUpdateAgentRequest.xml
About Remote Application Domain Management Modes
About the Create Policy Request File
About the Update Policy Request File
About <rregApplicationDomain> Elements
Managing Agents Remotely
Performing Remote Agent Updates
Performing Remote Agent Validation
Performing Remote Agent Removal
Creating or Updating an Application Domain Without an Agent
Part IV Managing Oracle Access Manager SSO, Policies, and Testing
11
Introduction to the OAM Policy Model, Single Sign-On
Prerequisites
Comparing the OAM 11g Policy Model and OAM 10g Model
Introduction to the OAM 11g Policy Model
About Resource Types
About Host Identifiers
About Authentication, Schemes, and Modules
Authentication Schemes and Modules
Authentication Event Logging and Auditing
About Application Domains and Policies
About Resources and Resource Definitions
About Authentication Policies, Responses, and Resources
About Authorization Policies, Resources, Constraints, and Responses
Introduction to Configuring OAM Single Sign-On
Introduction to SSO Components
About Single Sign-On Components
About Single Sign-On Cookies During User Login
About Single Sign-On Cookies
OAMAuthnCookie for 11g OAM Webgates
ObSSOCookie for 10g OAM Webgates
OAM_REQ Cookie
mod_osso Cookies
Introduction to OAM 11g Single Sign-On Implementation Types
Application SSO
Single Sign-On with OAM 11g
Cross-Network Domains and Oracle Access Manager 11g
Introduction to OAM 11g SSO Processing
About SSO Log In Processing
Login
Login with Self-Service Provisioning Applications
Login and Auto Login for Applications Using Oracle ADF Security
About SSO Log In Processing with OAM Agents
About SSO Log In Processing with OSSO Agents (mod_osso)
About Single Sign-On Processing with Mixed Release Agents
12
Managing Policy Components
Prerequisites
Introduction to Managing Policy Components
Managing Resource Types
About Resource Types and Their Use
About the Resource Type Page
Searching for a Specific Resource Type
Managing Host Identifiers
About Host Identifiers
Host Identifier Usage
Host Identifier Guidelines
Host Identifier Variations
About Virtual Web Hosting
Placing a Webgate Behind a Reverse Proxy
Configuring Virtual Hosting for Non-Apache Web Servers
Associating a Webgate for Apache with Virtual Hosts, Directories, or Files
About the Host Identifier Page
Creating a Host Identifier
Searching for a Host Identifier Definition
Viewing or Editing a Host Identifier Definition
Deleting a Host Identifier Definition
Managing Authentication Schemes
About the Authentication Schemes Page
Pre-configured Authentication Schemes
About Challenge Methods
About Challenge Parameters for Authentication Schemes
About Authentication Modules
About Multi-Level Authentication
Creating an Authentication Scheme
Searching for an Authentication Scheme
Viewing or Editing an Authentication Scheme
Deleting an Authentication Scheme
Configuring Challenge Parameters for Encrypted Cookies
About ssoCookie Challenge Parameters for Encrypted Cookies
Configuring Challenge Parameters for Encrypted Cookie Security
Setting Challenge Parameters for Encrypted Cookie Persistence
13
Managing Policies to Protect Resources and Enable SSO
Prerequisites
Introduction to Application Domain Creation
About Automatic Application Domain Creation
About Manually Creating Application Domains
Anatomy of an Application Domain and Policies
Application Domain General Details
Default Resources in a Generated Application Domain
Default Authentication Policies in a Generated Application Domain
Default Authorization Policies in a Generated Application Domain
About Token Issuance Policies
Managing Application Domains using the Console
About the Application Domains Page
Creating a Fresh Application Domain Manually
Searching for an Application Domain
Viewing or Editing an Application Domain
Deleting an Application Domain and Its Content
Adding and Managing Resource Definitions for Use in Policies
About the Resource Definition Page in an Application Domain
About the Resource Type in a Resource Definition
About the Host Identifier in a Resource Definition
About the Resource URL
About Run Time Resource Evaluation
Adding Resource Definitions to an Application Domain
Searching for a Resource Definition
About Searching for a Specific Resource Definition
Searching for a Specific Resource Definition
Viewing or Editing a Resource Definition in an Application Domain
Deleting a Resource Definition from an Application Domain
Defining Authentication Policies for Specific Resources
About the Authentication Policy Page
About Resources in an Authentication Policy
Adding an Authentication Policy and Resources
Searching for an Authentication Policy
Viewing or Editing an Authentication Policy
Deleting an Authentication Policy
Defining Authorization Policies for Specific Resources
About Authorization Policies for Specific Resources
Adding an Authorization Policy and Specific Resources
Searching for an Authorization Policy
Viewing or Editing an Authorization Policy and Resources
Deleting an Authorization Policy
Introduction to Policy Responses for SSO
About Authentication and Authorization Policy Responses for SSO
About the Policy Response Language
About the Namespace and Variable Names for Policy Responses
About Constructing a Policy Response for SSO
Simple Responses
Compound and Complex Responses
About Policy Response Processing
Adding and Managing Policy Responses for SSO
Adding a Policy Response for SSO
Viewing, Editing, or Deleting a Policy Response for SSO
Introduction to Authorization Constraints
About Allow or Deny Type Constraints
About Classifying Users and Groups for Constraints
Guidelines for Authorization Responses Based on Constraints
About Constraints and General Authorization Policy Details
About the Add Constraint Window
About Identity Class Constraints
About IP4Range Class Constraints
About Temporal Class Constraints
Defining Authorization Policy Constraints
Defining Identity Class Constraints
Defining IP4Range Class Constraints
Defining Temporal Class Constraints
Viewing, Editing, or Deleting Authorization Policy Constraints
Validating Authentication and Authorization in an Application Domain
Example: Pre-seeded IAM Suite Application Domain and Policies
14
Validating Connectivity and Policies Using the Access Tester
Prerequisites
Introduction to the OAM 11g Access Tester
About OAM Agent and Server Interoperability
About Access Tester Security and Processing
About Access Tester Modes and Administrator Interactions
Installing and Starting the Access Tester
Installing the Access Tester
About Access Tester Supported System Properties
Starting the Tester Without System Properties For Use in Tester Console Mode
Starting the Access Tester with System Properties For Use in Command Line Mode
About the Access Tester Command Line Mode
Starting the Access Tester with System Properties
Introduction to the Access Tester Console and Navigation
Access Tester Menus and Command Buttons
Testing Connectivity and Policies from the Access Tester Console
Establishing a Connection Between the Access Tester and the OAM Server
About the Connection Panel
Connecting the Access Tester with the OAM Server
Validating Resource Protection from the Access Tester Console
About the Protected Resource URI Panel
Validating Resource Protection
Testing User Authentication from the Access Tester Console
About the User Identity Panel
Testing User Credential Authentication
Testing User Authorization from the Access Tester Console
Observing Request Latency
Creating and Managing Test Cases and Scripts
About Test Cases and Test Scripts
Capturing Test Cases
Generating an Input Test Script
About Generating an Input Test Script
Generating an Input Test Script
Personalizing an Input Test Script
About Customizing a Test Script
Customizing a Test Script
Executing a Test Script
About Test Script Execution
Running a Test Script
Evaluating Scripts, Log File, and Statistics
About Evaluating Test Results
About the Saved Connection Configuration File
About the Generated Input Test Script
About the Target Output File Containing Test Run Results
About the Statistics Document
About the Execution Log
15
Configuring Centralized Logout for OAM 11g
Prerequisites
Introduction to OAM 11g Centralized Logout
About Centralized Logout with OAM 11g Agents and Servers
About Centralized Logout with OAM 10g Agents and OAM 11g Servers
About Centralized Logout with the IAMSuiteAgent
About Centralized Logout with OSSO Agents (mod_OSSO) and OAM 11g
About Centralized Logout for Applications Using Oracle ADF Security
Configuring Centralized Logout for 11g Webgate with OAM 11g Server
About Configuring Centralized Logout for 11g Webgates
Configuring Centralized Logout for 11g Webgates
Configuring Centralized Logout for the IAMSuiteAgent
Configuring Centralized Logout for 10g Webgate with OAM 11g Servers
About Centralized Logout Processing for 10g Webgate with OAM 11g Server
About the Centralized Logout Script for OAM 10g Agents with OAM 11g Servers
Configuring Centralized Logout for 10g Webgates with OAM 11g
Configuring Centralized Logout for Oracle ADF-Coded Applications
About Centralized Logout Processing for Applications Coded to Oracle ADF Standards
Configuring Centralized Logout for ADF-Coded Applications with OAM 11g
Removing Custom mod_osso Cookies on Logout
Validating Global Sign-On and Centralized Logout
Confirming Global Sign-On
Validating Global Sign-On with Mixed Agent Types
Observing Centralized Logout
Part V Oracle Security Token Service
16
Oracle Security Token Service Implementation Scenarios
Prerequisites
Typical Token Ecosystem
Scenario: Identity Propagation with the OAM Token
Component Processing: Identity Propagation with the OAM Token
RST Attributes and Run Time Processing
Configuration Requirements: Identity Propagation with the OAM Token
Testing Your Implementation
Scenario: Web Service Security With On Behalf Of Username Token
Component interactions for Identity Propagation with Username Token
RST Attributes and Processing for Identity Propagation with a Username Token
Configuration Requirements: Identity Propagation with the Username Token
17
Managing Oracle Security Token Service Settings and Set Up
Prerequisites
Introduction to Oracle Security Token Service Configuration
Post-Installation Configuration
About Servers and Oracle Security Token Service
About Oracle Security Token Service Clients
About Agents and Oracle Security Token Service
About Oracle Security Token Service End Points and Policies
Enabling and Disabling Oracle Security Token Service
About Oracle Security Token Service and the Oracle Access Manager Console
About Oracle Security Token Service Administrators
About Logging In To, and Signing Out Of, Oracle Security Token Service
About Enabling Services for Oracle Security Token Service
Enabling and Disabling Services for Oracle Security Token Service
Defining Security Token Service Settings Using Oracle Access Manager Console
About Security Token Service Settings
Managing Security Token Service Settings
Using and Managing WSS Policies for Oracle WSM Agents
Using and Modifying Web Service Security Policies
Managing WSS Policies for Oracle Security Token Service: Classpath
Managing WSS Policies for Oracle Security Token Service: Oracle WSM Policy Manager
Configuring OWSM for WSS Protocol Communication
About Oracle WSM Agent WS-Security Policies for Oracle Security Token Service
Retrieving the Oracle WSM Keystore Password
Extracting the Oracle STS/Oracle WSM Signing and Encryption Certificate
Adding Trusted Certificates to the Oracle WSM Keystore
Validating Trusted Certificates in the Oracle WSM Keystore
Configuring Oracle WSM Agent for WSS Kerberos Policies
Managing and Migrating Oracle Security Token Service Policies
About Managing and Migrating Oracle Security Token Service Policies
Managing Oracle Security Token Service Policies
Migrating Oracle Security Token Service Policies
Introduction to Logging Oracle Security Token Service Messages
Introduction to Auditing for Oracle Security Token Service
About Oracle Security Token Service Audit Record Storage
About Audit Reports and Oracle Business Intelligence Publisher
About the Audit Log
Auditing Oracle Security Token Service Administrative and Run-time Events
About Audit Record Content Common to All Events
Oracle Security Token Service Administrative Events You Can Audit
Oracle Security Token Service Run-time Events You Can Audit
18
Managing Oracle Security Token Service Certificates and Keys
Prerequisites
Introduction to Certificates and Keys for Oracle Security Token Service
About Keystores and Oracle Security Token Service
About the Oracle Web Services Manager Keystore (default-keystore.jks)
About Using the OPSS Keystore for Requester Certificates
Managing Oracle Security Token Service Encryption/Signing Keys
Retrieving the System Keystore (.oamkeystore) Password
Adding a New Key Entry to the System Keystore (.oamkeystore)
Adding a New Entry
Configuring a SAML Issuance Template to use a Signing Key
Setting the Default Encryption Key
Extracting an Oracle Security Token Service Certificate
Using the Certificate Retrieval Service
Managing Partner Keys for WS-Trust Communications
About Partner Certificates
About Downloading the Relying Party's Certificate at Run Time
Setting the Partner's Signing or Encryption Certificate
Managing Certificate Validation
Retrieving the Trust Anchors Store (amtruststore) Password
Managing the Trust Anchors Store (amtruststore)
Managing Certificate Revocation Lists
Using a Custom Trust Anchor Store for Oracle Security Token Service
19
Managing Templates, Endpoints, and Policies
Prerequisites
Introduction
Searching for an Existing Template
About Template Search Controls
Searching for a Template
Managing Token Issuance Templates
About Managing Token Issuance Templates
Managing a Token Issuance Template
Managing Token Validation Templates
About Managing Token Validation Templates
Managing Token Validation Templates
Managing Oracle Security Token Service Endpoints
About Managing Endpoints
Managing EndPoints
Managing Token Issuance Policies and Constraints with Oracle Access Manager
About Token Issuance Policies
About Managing Token Issuance Policies and Constraints
Managing Token Issuance Policies and Constraints
Managing TokenServiceRP Type Resources
About Managing TokenServiceRP Type Resources in Oracle Access Manager
Managing TokenServiceRP Type Resources in Application Domains
20
Managing Token Service Partners and Partner Profiles
Prerequisites
Introduction to Token Service Partners and Partner Profiles
About Token Service Partners
About Partner Profiles
About Partner and Profile Data
Managing Token Service Partners
About Managing Token Service Partners
Managing a Token Service Partner
Refining Partner Searches
Managing Token Service Partner Profiles
About Managing Partner Profiles
Managing a Token Service Partner Profile
Refining a Profile Search
21
Troubleshooting Oracle Security Token Services
Authorization Issues
Endpoint Issues
Mapping Operation Issues
Part VI Common Logging, Auditing, Performance Monitoring
22
Logging Component Event Messages
Prerequisites
Introduction to Logging Component Event Messages
About Component Loggers
Sample Logger and Log Handler Definition
About Logging Levels
Configuring Logging for Oracle Access Manager
Modifying the Logger Level for Oracle Access Manager
Adding an Oracle Access Manager-Specific Logger and Log Handler
Configuring Logging for Oracle Security Token Service
Configuring Logging for Oracle Security Token Service
Defining the Log Level and Log Details for Oracle Security Token Service
Validating Run-time Event Logging Configuration
23
Logging Webgate Event Messages
About Logging, Log Levels, and Log Output
About Log Levels
About Log Output
About Log Configuration File Paths and Contents
Log Configuration File Paths and Names
Log Configuration File Contents
When Changes to the File Take Effect
About Comments in the Log File
About Directing Log Output to a File or the System File
Structure and Parameters of the Log Configuration File
The Log Configuration File Header
The Initial Compound List
The Simple List and Logging Threshold
The Second Compound List and Log Handlers
The List for Per-Module Logging
The Filter List
About XML Element Order
About Activating and Suppressing Logging Levels
About Log Handler Precedence
Mandatory Log-Handler Configuration Parameters
Settings in the Default Log Configuration File
Description of the Settings in the Default Log Configuration File
Configuring Different Threshold Levels for Different Types of Data
About the MODULE_CONFIG Section
Location of the Per-Module Logging Section in the Log Configuration File
List of Modules That Can Be Logged
Configuring a Log Level Threshold for a Function or Module
Filtering Sensitive Attributes
24
Auditing Administrative and Run-time Events
Prerequisites
Introduction to Auditing
About Oracle Access Manager Auditing Configuration
About Oracle Access Manager Audit Record Storage
About Audit Reports and Oracle Business Intelligence Publisher
About the Audit Log
Oracle Access Manager Events You Can Audit
Oracle Access Manager Administrative Events You Can Audit
OAM Run-time Events You Can Audit
About Authentication Event Auditing
Setting Up Auditing for Oracle Access Manager with Oracle Security Token Service
Setting Up the Audit Database Store
Preparing Oracle Business Intelligence Publisher EE
About the Auditing Configuration Section in Oracle Access Manager Console
Adding, Viewing, or Editing Common Audit Settings within Oracle Access Manager
Validating Oracle Access Manager Auditing and Reports
25
Monitoring Performance by Using Oracle Access Manager Console
Introduction to Performance Monitoring
Monitoring Server Performance Metrics Using the Console
Monitoring Server Instance Performance
Reviewing Server Metrics
Monitoring SSO Agent Performance Metrics
Monitoring SSO Agent Performance Metrics
Reviewing OAM Agent Metrics
Reviewing OSSO Agent Metrics
OAM Proxy Performance Tuning Parameters
About OAM Proxy Metrics
OAM Proxy Server Tuning Parameters
26
Monitoring Performance and Logs with Fusion Middleware Control
Prerequisites
Introduction to Fusion Middleware Control
Logging In to and Out of Fusion Middleware Control
About the Login Page for Fusion Middleware Control
Logging In To Fusion Middleware Control
Logging Out of Fusion Middleware Control
Displaying Menus and Pages in Fusion Middleware Control
About the Farm Page in Fusion Middleware Control
About Context Menus and Pages in Fusion Middleware Control
Displaying Context Menus and Target Details in Fusion Middleware Control
Viewing Performance in Fusion Middleware Control
About Performance Overview Pages in Fusion Middleware Control
Access Manager Component Pages
Security Token Service Component Pages
About the Metrics Palette and the Performance Summary Page
Displaying Performance Metrics in Fusion Middleware Control
Displaying Component-Specific Performance Details
Managing Log Level Changes in Fusion Middleware Control
About Dynamic Log Level Changes
Setting Log Levels Dynamically Using Fusion Middleware Control
Managing Log File Configuration from Fusion Middleware Control
About Log File Configuration
Managing Log File Configuration by Using Fusion Middleware Control
Viewing Log Messages in Fusion Middleware Control
About Finding, Viewing, and Exporting Log Messages
Viewing Logged Messages With Fusion Middleware Control
Displaying MBeans in Fusion Middleware Control
About the System MBean Browser
Managing MBeans
Displaying Farm Routing Topology in Fusion Middleware Control
About the Routing Topology
Viewing the Routing Topology using Fusion Middleware Control
Part VII Using 10g Webgates with Oracle Access Manager 11g
27
Managing OAM 10g Webgates with OAM 11g
Prerequisites
Introduction to OAM 10g Agents for OAM 11g
About Replacing the IAMSuiteAgent with an OAM 10g Webgate
About Legacy OAM 10g Deployments and Webgates
About Installing Fresh OAM 10g Webgates to Use With OAM 11g
Provisioning a 10g Webgate with OAM 11g
Locating and Installing the Latest OAM 10g Webgate for OAM 11g
Preparing for a Fresh 10g Webgate Installation with OAM 11g
Locating and Downloading 10g Webgates for Use with OAM 11g
Starting Webgate 10g Installation
Specifying a Transport Security Mode
Requesting or Installing Certificates for Secure Communications
Specifying Webgate Configuration Details
Updating the Webgate Web Server Configuration
Manually Configuring Your Web Server
Finishing Webgate Installation
Installing Artifacts and Certificates
Confirming Webgate Installation
Configuring Centralized Logout for 10g Webgate with OAM 11g
Replacing the IAMSuiteAgent with an OAM 10g Webgate
Provisioning a 10g Webgate to Replace the IAMSuiteAgent
Installing a 10g Webgate to Replace the IAMSuiteAgent
Updating the WebLogic Server Plug-in
Confirming the AutoLogin Host Identifier for an OAM / OIM Integration
Configuring OAM Security Providers for WebLogic
About Security Providers
Setting Up Security Providers for the 10g Webgate
Disabling the IAMSuiteAgent
Verification
Deploying Applications in a WebLogic Container
Removing a 10g Webgate from the OAM 11g Deployment
28
Configuring Apache, OHS, IHS for 10g Webgates
Prerequisites
About Oracle HTTP Server and Oracle Access Manager
About Oracle Access Manager with Apache and IHS v2 Webgates
About the Apache HTTP Server
About the IBM HTTP Server
About the Apache and IBM HTTP Reverse Proxy Server
About Apache v2 Architecture and Oracle Access Manager
Requirements for Oracle HTTP Server, IHS, Apache v2 Web Servers
Requirements for IHS2 Web Servers
Requirements for Apache and IHS v2 Reverse Proxy Servers
Requirements for Apache v2 Web Servers
Preparing Your Web Server
Preparing the IHS v2 Web Server
Preparing the Host for IHS v2 Installation
Installing the IBM HTTP Server v2
Setting Up SSL-Capability
Starting a Secure Virtual Host
Preparing Apache and Oracle HTTP Server Web Servers on Linux
Preparing Oracle HTTP Server Web Servers on Linux and Windows Platforms
Setting Oracle HTTP Server Client Certificates
Preparing the Apache v2 Web Server on UNIX
Preparing the Apache v2 SSL Web Server on AIX
Preparing the Apache v2 Web Server on Windows
Activating Reverse Proxy for Apache v2 and IHS v2
Activating Reverse Proxy For Apache v2 Web Servers
Activating Reverse Proxy For IHS v2 Web Servers
Verifying httpd.conf Updates for Oracle Access Manager Webgates
Verifying Webgate Details
Verifying Language Encoding
Tuning Oracle HTTP Server for Oracle Access Manager Webgates
Tuning OHS/Apache Prefork and MPM Modules for OAM
Tuning Oracle HTTP Server/Apache Prefork Module
Tuning Oracle HTTP Server/Apache MPM Module
Kernel Parameters Tuning
Starting and Stopping Oracle HTTP Server Web Servers
Tuning Apache/IHS v2 for Oracle Access Manager Webgates
Removing Web Server Configuration Changes After Uninstall
Helpful Information
29
Configuring the IIS Web Server for 10g Webgates
Prerequisites
Webgate Guidelines for IIS Web Servers
Guidelines for ISAPI Webgates
Webgates for IIS v7
Webgates for IIS v6
Multiple Webgates with a Single IIS 6 Instance
Prerequisite for Installing Webgate for IIS 7
Prerequisite for Installing Any 10g Webgate for IIS 7
Prerequisite for Installing a 32-bit Webgate for IIS 7
Updating IIS 7 Web Server Configuration on Windows 2008
Completing Webgate Installation with IIS
Enabling Client Certificate Authentication on the IIS Web Server
Ordering the ISAPI Filters
Enabling Pass-Through Functionality for POST Data
About ISAPI Webgate 10.1.4.2.3
About Pass-Through Functionality for POST Data
Implementing Pass-Through: IIS 6.0 in Worker Process Isolation Mode
Implementing Pass-Through with IIS 6.0 Web Server in IIS 5.0 Isolation Mode
Protecting a Web Site When the Default Site is Not Setup
Installing and Configuring Multiple 10g Webgates for a Single IIS 7 Instance
Installing Each IIS 7 Webgate in a Multiple Webgate Scenario
Setting the Impersonation DLL for Multiple IIS 7 Webgates
Enabling Client Certification for Multiple IIS 7 Webgates
Configuring IIS 7 Webgates for Pass Through Functionality
Confirming IIS 7 Webgate Installation
Installing and Configuring Multiple Webgates for a Single IIS 6 Instance
Installing Each Webgate in a Multiple Webgate Scenario
Setting the Impersonation DLL for Multiple Webgates
Enabling SSL and Client Certification for Multiple Webgates
Confirming Multiple Webgate Installation
Finishing 64-bit Webgate Installation
Setting Access Permissions, ISAPI filters, and Directory Security Authentication
Setting Client Certificate Authentication
Confirming Webgate Installation on IIS
Starting, Stopping, and Restarting the IIS Web Server
Removing Web Server Configuration Changes Before Uninstall
30
Configuring the ISA Server for 10g Webgates
Prerequisites
About Oracle Access Manager and the ISA Server
Compatibility and Platform Support
Installing and Configuring Webgate for the ISA Server
Installing Webgate with ISA Server
Changing /access Directory Permissions
Configuring the ISA Server for the ISAPI Webgate
Registering Oracle Access Manager Plug-ins as ISA Server Web Filters
Configuring ISA Firewall Policies for ISA Web Filters
Ordering the ISAPI Filters
Starting, Stopping, and Restarting the ISA Server
Removing Oracle Access Manager Filters Before Webgate Uninstall on ISA Server
31
Configuring Lotus Domino Web Servers for 10g Webgates
Prerequisites
Installing the Domino Web Server
Setting Up the First Domino Web Server
Starting the Domino Web Server
Enabling SSL (Optional)
Installing a Domino Security (DSAPI) Filter
Completing the Webgate Installation
Part VIII Appendixes
A
Co-existence Overview: OAM 11g and OSSO 10g
Prerequisites
Introduction to Upgrading and Co-existence with OracleAS 10g SSO
Pre- and Post-Upgrade Topology and Authentication Examples
About Pre-Upgrade OSSO 10g Topology
Simple OSSO 10g with mod_oc4j on a Front-End Proxy Server
About Post-Upgrade Topology and Co-existence
Post-Upgrade: mod_wl Replaces mod_oc4j on the Proxy Server
Post-Upgrade: No Proxy Server
Introduction to Validating Post-Upgrade Co-Existence with OAM 11g
About Post-Upgrade SSO
About Post-Upgrade OSSO 10g Authentication
Validating Post-Upgrade Co-existence
Validating Post-Upgrade Registration and Policies
Sample Partner Applications Protected Using OSSO 10g
Policy Enforcement Agent Details
Shared Components: Host Identifiers for migratedSSOPartners
Resources in the migratedSSOPartners Application Domain
Authentication Policy in the migratedSSOPartners Application Domain
Validating Post-Upgrade SSO with Oracle Access Manager Protected Resources
Validating Post-Upgrade SSO with OSSO-Protected Resources
B
Transitioning OAM 11g from a Source to a Target Environment
Prerequisites
Introduction to Transitioning
About Deployment Types
About Oracle Access Manager Data
About Common Transition Tasks
About New versus Existing Target Environments
Introduction to Transitioning Methods and Tools
About Methods to Propagate Oracle Access Manager Source Data
About Migrating OSSO Partners from One OAM Instance to Another
About Configuring the Target User Identity Store and Migrating Data
About Policy Conflict Resolution
About Building a Dependency Tree for Each Application Domain
Planning Your Transition
Choosing A Transitioning Method
Noting Differences Between Source and Target Environments
Developing Deployment Inventories
Developing Backup and Recovery Strategies
Developing Tests
Getting Familiar with Change Propagation
Scheduling and Notifications
Migrating Oracle Access Manager 11g Data
Exporting Oracle Access Manager 11g Source Data
Importing Oracle Access Manager Data to the Target
C
Integrating Oracle ADF Applications with Oracle Access Manager 11g SSO
Introduction to Oracle Platform Security Services and Oracle Application Developer Framework
Oracle Platform Security Services Single Sign-on Framework
Oracle Application Developer Framework
Integrating OAM 11g With Web Applications Using Oracle ADF Security and the OPSS SSO Framework
Sample SSO Configuration for OAM 11g
SSO Provider Configuration Details
Confirming Application-Driven Authentication During Runtime
D
Internationalization and Multibyte Data Support for OAM 10g Webgates
Introduction to Internationalization and Multibyte Data Support
Languages For Localized Messages in Oracle Access Manager
Bi-directional Language Support
UTF-8 Encoding
E
Securing Communication for Oracle Access Manager 11g
Prerequisites
Introduction to Securing Communication Between OAM 11g Servers and Webgates
About Certificates, Authorities, and Encryption Keys
About Security Modes and X509Scheme Authentication
About the Importcert Tool
Generating Client Keystores for OAM Tester in Cert Mode
Configuring Cert Mode Communication for OAM 11g
About Cert Mode Encryption and Files
Generating a Certificate Request and Private Key for OAM Server
Retrieving the OAM Keystore Alias and Password
Importing the Trusted, Signed Certificate Chain Into the Keystore
Adding Certificate Details to Access Manager Settings
Generating a Private Key and Certificate Request for Webgates
Updating Webgate to Use Certificates
Configuring Simple Mode Communication with OAM 11g
About Simple Mode, Encryption, and Keys
Retrieving the Global Passphrase for Simple Mode
Updating Webgate Registration for Simple Mode
Verifying Simple Mode Configuration
F
Introduction to Custom WLST Commands for Administrators
Prerequisites
Introduction to WebLogic Scripting Tool Commands
WLST Command Summary: Oracle Access Manager
WLST Command Summary: Oracle Security Token Service
Running WLST Commands
Starting the WLST Shell and Logging In
Changing the Request Cache Type in a High Availability Environment
G
Configuring OAM 11g for IPv6 Clients
Prerequisites
Introduction to Oracle Access Manager 11g and IPv6
Configuring IPv6 with OAM 11g and Challenge Redirect
Considerations
Configuring IPv6: Separate Proxy for OAM 11g and Webgates
H
Creating Deployment-Specific Pages
How the Single Sign-On Server Uses Deployment-Specific Pages
Change Password Page Behavior
Password Has Expired
Password Is About to Expire
Grace Login Is in Force
Force Change Password
How to Write Deployment-Specific Pages
Login Page Parameters
Forgot My Password
Change Password Page Parameters
Single Sign-Off Page Parameters
External Application Login Page Parameters
Page Error Codes
Login Page Error Codes
Post-Login Messages
Change Password Page Error Codes
Change External Application Login Page Error Codes
Adding Globalization Support
Deciding What Language to Display the Page In
Use the Accept-Language Header to Determine the Page
Use Page Logic to Determine the Language
Rendering the Page
Guidelines for Deployment-Specific Pages
Installing Deployment-Specific Pages
Using policy.properties to Install Login, Single Sign-Off, and Change Password Pages
Using policy.properties to Install Wireless Login and Change Password Pages
Using policy.properties to Install External Application Login Pages
Examples of Deployment-Specific Pages
Using Custom Classes
Adding an External Application
I
Troubleshooting
Introduction to OAM 11g Troubleshooting
About System Analysis and Problem Scenarios
About LDAP Server or Identity Store Issues
About OAM Server or Host Issues
About Agent-Side Configuration and Load Issues
About Runtime Database (Audit or Session Data) Issues
About Change Propagation or Activation Issues
About Policy Store Database Issues
Oracle Access Manager Console Inconsistent State
AdminServer Won't Start if the Wrong Java Path Is Given with WebLogic Server Installation
Agent Naming Not Unique
Application URL Requirements
Authentication Issues
Anonymous Authentication Issues
X.509 Protected Resource and Single Sign Off
Authorization Issues
Cannot Access Authentication LDAP or Database
Cannot Find Configuration
Configuration Does Not Exist ...
Could Not Find Partial Trigger
Denial of Service Attacks
Protecting the OAM Server from Crashing Under Load
Compensating for Network Latency
Protecting OAM Servers from a Flood of HTTP Requests
Deployments with Freshly Installed OAM 10g Webgates
Authentication Issues with OAM 10g Webgates
Logout Issues with OAM 10g Webgates
Diagnosing OAM 11g Initialization and Performance Issues
Diagnosing an Initialization Issue
Diagnosing a Performance Issue
Diagnosing Out-of-Memory Issues With a Heap Dump
Disabling Windows Challenge/Response Authentication on IIS Web Servers
Changing UserIdentityStore1 Type Can Lock Out Administrators
IIS Web Server Issues
Form Authentication or Pass-Through Not Working
IIS and General Web Component Guidelines
Issues with IIS v6 Web Servers
Page Cannot Be Displayed Error
Removing and Reinstalling IIS DLLs
jps Logger Class Instantiation Warning is Logged on Authentication
Languages and Translation
Automatically Generated Descriptions Are Not Translated
Locales, Languages, and Oracle Access Manager Console Login Page
Console Looks Messy
Login Failure for a Protected Page
OAM Metric Persistence Timer IllegalStateException: SafeCluster
Partial Cluster Failure and Intermittent Login and Logout Failures
Registration Issues
Rowkey does not have any primary key attributes Error
SELinux Issues
Session Issues
Session Impersonation Not Enabled by Default
Sessions with Oracle Access Manager with Oracle Identity Federation
SSL versus Open Communication
Start Up Issues
Synchronizing OAM Server Clocks
Using Coherence
Validation Errors
Web Server Issues
Server Fails on an Apache Web Server
Apache v2 on HP-UX
Apache v2 Bundled with Red Hat Enterprise Linux 4
Apache v2 Bundled with Security-Enhanced Linux
Apache v2 on UNIX with the mpm_worker_module for Webgate
Domino Web Server Issues
Errors, Loss of Access, and Unpredictable Behavior
Known Issues for ISA Web Server
Oracle HTTP Server Fails to Start with LinuxThreads
Oracle HTTP Server Webgate Fails to Initialize On Linux Red Hat 4
Oracle HTTP Server Web Server Configuration File Issue
Issues with IIS v6 Web Servers
PCLOSE Error When Starting Sun Web Server
Removing and Reinstalling IIS DLLs
Windows Native Authentication
Index