18 Integrating Oracle Access Manager 10g and Oracle Adaptive Access Manager 11g

Integrating Oracle Adaptive Access Manager (OAAM) with Oracle Access Manager (OAM) enables fine-grain control over the authentication process and provides risk analysis.

This chapter describes the process for integrating Oracle Adaptive Access Manager 11g with Oracle Access Manager 10g.

It contains the following sections:

18.1 Resource Protection Flow

This section describes the process flow when a user tries to access a protected resource in an Oracle Access Manager and OAAM integration.

  1. When a user tries to access a resource protected by Access Manager, the user is redirected to the Oracle Adaptive Access Manager login page instead of the Oracle Access Manager login page.

  2. Oracle Adaptive Access Manager delegates user authentication to Oracle Access Manager.

  3. Then, Oracle Adaptive Access Manager performs risk analysis of the user.

18.2 Roadmap for OAAM Integration with Access Manager

Table 18-1 lists the high-level tasks for integrating Oracle Adaptive Access Manager with Access Manager.

Except where specified, the following procedures are required to complete the integration of Oracle Adaptive Access Manager 11g and Oracle Access Manager 10g.

Table 18-1 Integration Flow for Oracle Access Manager and Oracle Adaptive Access Manager

  1. Verify that all required components have been installed and configured prior to integration. For information, see "Prerequisites".

  2. Configure the OAM AccessGate for the OAAM Web server. For information, see "Configuring OAM AccessGate for OAAM Web Server".

  3. Configure the OAM authentication scheme. For information, see "Configuring OAM Authentication Scheme".

  4. Configure the Oracle Access Manager connection (optional). For information, see "Configuring Oracle Access Manager Connection (Optional)".

  5. Set up the WebGate for the OAAM Web server. For information, see "Setting Up WebGate for OAAM Web Server".

  6. Configure the OAM domain to use OAAM authentication. For information, see "Configuring OAM Domain to Use OAAM Authentication".

  7. Configure OHS. For information, see "Configuring Oracle HTTP Server (OHS)".

  8. Configure Oracle Adaptive Access Manager properties. For information, see "Configuring Oracle Adaptive Access Manager Properties for Oracle Access Manager".

  9. Turn off IP validation. For information, see "Turning Off IP Validation".

  10. Validate the Access Manager and Oracle Adaptive Access Manager integration. For information, see "Testing Oracle Adaptive Access Manager and Oracle Access Manager Integration".


18.3 Prerequisites

Ensure that the following prerequisites are met before performing the integration:

  • All necessary components have been properly installed and configured:

    • Oracle Adaptive Access Manager 11g

    • Oracle Access Manager 10.1.4.3

    • Application Server

    For installation information for Oracle Adaptive Access Manager 11g, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

    For installation information for Oracle Access Manager 10g, see Oracle Access Manager Installation Guide 10g (10.1.4.3).

  • The Oracle Access Manager environment has been configured to protect simple HTML resources using two different authentication schemes:

    • The first authentication scheme uses Basic Over LDAP.

      This built-in Web server challenge mechanism requires the user to enter their login ID and password. The credentials supplied are compared to the user's profile in the LDAP directory server.

    • The second authentication scheme is a higher-security level and integrates OAAM Server by using a custom form-based authentication scheme.

      This method is similar to the basic challenge method, but users enter information in a custom HTML form. You can choose the information users must provide in the form that you create. A challenge parameter is used. For information about challenge parameters, see "About Challenge Parameters" in Chapter 5, "Configuring User Authentication" in Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).

      For information on authentication schemes, see Chapter 5, "Configuring User Authentication" in Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).

18.4 Configuring OAM AccessGate for OAAM Web Server

In an Oracle Access Manager and Oracle Adaptive Access Manager integration, the Oracle Access Manager AccessGate (a traditional WebGate) fronts the Web server that proxies requests to OAAM Server. For information on AccessGates, see Chapter 3, "Configuring WebGates and Access Servers" in Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).

To configure the Oracle Access Manager AccessGate that fronts the Web server to OAAM Server, perform the following steps:

  1. Navigate to the Access System Console.

    For information on logging in to the Access System, see Chapter 1, "Preparing for Administration" in Oracle Access Manager Identity and Common Administration Guide, 10g (10.1.4.3).

  2. Click the Access System Console link, and then log in as a Master Administrator.

  3. Click Access System Configuration, then select Add New AccessGate.

  4. Use the settings in the table below to create a new AccessGate and assign it an Access Server.

    For information on assigning the AccessGate to an Access Server, see Section 3.6, "Associating AccessGates and WebGates with Access Servers," in Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).

    Table 18-2 Oracle HTTP Server (OHS) WebGate Configuration

    AccessGate Name: ohsWebGate
      Name of this AccessGate instance.

    Description: AccessGate for Web server hosting OAAM Server
      Summary that will help you identify this AccessGate later on.

    Hostname: hostname
      Name or IP address of the server hosting this AccessGate.

    Port Number: port_number
      Web server port protected by the AccessGate when deployed as a WebGate.

    AccessGate Password: passwd
      Password for this AccessGate. The AccessGate uses this password to identify itself to an Access Server.

    Debug: <Off>
      Off, so that debug messages between the AccessGate and Access Server are not written.

    Maximum user session time (seconds): 3600
      Maximum amount of time, in seconds, that a user's authentication session is valid, regardless of their activity. At the expiration of this session time, the user is re-challenged for authentication.

    Idle Session Time (seconds): 3600
      Amount of time, in seconds, that a user's authentication session remains valid without accessing any AccessGate-protected resources.

    Maximum Connections: 1
      Maximum number of connections this AccessGate can establish with associated Access Servers.

    Transport Security: <Open>
      Method for encrypting messages between this AccessGate and the Access Servers it is configured to talk to.

    IP Validation: <Off>
      Determines whether a client IP address must be the same as the IP address stored in the ObSSOCookie generated for single sign-on.

    IP Validation Exception: leave blank
      IP addresses to exclude from IP address validation.

    Maximum Client Session Time (hours): 24
      Connection maintained to the Access Server by the AccessGate.

    Failover Threshold: 1
      Number representing the point when this AccessGate opens connections to secondary Access Servers.

    Access server timeout threshold: leave blank
      Time (in seconds) during which the AccessGate must wait for a response from the Access Server.

    Sleep for (seconds): 60
      Number (in seconds) that represents how often this AccessGate checks its connections to Access Servers.

    Maximum elements in cache: 10000
      Maximum number of elements that can be maintained in the URL and authentication scheme caches.

    Cache timeout (seconds): 1800
      Time period during which cached information remains in the AccessGate cache when neither used nor referenced.

    Impersonation Username: leave blank
      Name of the trusted user that you created to be used for impersonations.

    Impersonation Password: leave blank
      Password for the impersonation user name.

    Access Management Service: <On>
      Whether the Access Management Service is On or Off. On if the Access Server is associated and communicating with AccessGates (which communicate using APIs in the SDK).

    Primary HTTP Cookie Domain: domain_name
      Describes the Web server domain on which the AccessGate is deployed.

    Preferred HTTP Host: hostname:port_number
      Determines how the host name appears in all HTTP requests as they attempt to access the protected Web server.

    Deny on not protected: <Off>
      True denies all access to resources on the Web server protected by WebGate unless access is allowed by a policy.

    CachePragmaHeader: no-cache
      By default, CachePragmaHeader and CacheControlHeader are set to no-cache. This prevents WebGate from caching data at the Web server application and the user's browser.

    CacheControlHeader: no-cache
      See CachePragmaHeader above; both headers are set to no-cache by default.

    LogOutURLs: leave blank
      Enables you to configure one or more specific URLs that log out a user.

    User Defined Parameters: leave blank
      Configure the WebGate to work with particular browsers, proxies, and so on.

    Assign An Access Server (Primary): oam_hostname:port_number
      Access Server.

    Number of Connections: 1
      Number of connections to the Access Server.


  5. Click AccessGate Configuration.

  6. Click OK to search for all AccessGates.

    The new AccessGate is now listed.

18.5 Configuring OAM Authentication Scheme

To leverage OAAM Server as an authentication mechanism, Oracle Access Manager must have a defined authentication scheme that tells it how to direct authentications to OAAM Server. For information on authentication schemes, see Chapter 5, "Configuring User Authentication" in Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).

To define the authentication scheme for Oracle Adaptive Access Manager, follow the steps below:

  1. From the Access System Console, click the Access System Configuration tab.

  2. Click Authentication Management in the left navigation pane.

  3. Click New.

  4. Using the settings in the table below, begin creating the new OAAM Server authentication scheme:

    Table 18-3 OAAM Server Authentication Scheme Configuration

    Name: Adaptive Strong Authentication
      Unique name for the scheme.

    Description: Oracle Adaptive Access Manager-OAAM Server virtual authentication pad authentication scheme
      Brief description of what the scheme does.

    Level: 3
      Security level of the authentication scheme. The security level of the scheme reflects the challenge method and degree of security used to protect transport of credentials from the user.

    Challenge Method: Form
      Specifies how authentication is to be performed and the information required to authenticate the user.

    Challenge Parameter(s):
      form:/oaam_server/oamLoginPage.jsp
      creds:userid password
      action:/oaam_server/
      These parameters provide WebGate with additional information to perform an authentication. form indicates where the HTML form is located relative to the host's document directory; creds lists all fields used for login in the HTML form; action is the URL that the HTML form posts to.

    SSL Required: <No>
      Whether users must be authenticated using a server enabled for Secure Sockets Layer (SSL).

    Challenge Redirect: Redirect Url
      URL of another server to which you want to redirect this request if authentication does not take place on the resource Web server.

    Enabled: <Disabled/Greyed Out>
      Enable or disable the authentication scheme.


  5. Click Save. The Details for Authentication Scheme display page appears. This page displays the information you entered for the new authentication scheme.

  6. Click Ok to confirm the saved operation.

  7. Select the Plugins tab to display the plug-ins for this authentication scheme.

  8. Click Modify. The Plugins for Authentication Scheme page changes to include the Add and Delete buttons as well as the Update Cache checkbox.

  9. Click Add. The page changes to include a list of options and a text box for selecting and defining the plug-in to be added.

  10. Create the plugin configurations using the information presented in the table below.

    Table 18-4 OAAM Server Authentication Scheme Configuration Plugins

    Plugin name: credential_mapping
      Plugin parameters: obMappingBase="dc=<domain>,dc=com",obMappingFilter="(uid=%userid%)"

    Plugin name: validate_password
      Plugin parameters: obCredentialPassword="password"


    The credential_mapping plug-in maps the user ID to a valid distinguished name (DN) in the directory.

    The validate_password plug-in is used to validate the user's password against the LDAP data source.

  11. Click Save.

  12. Click General.

  13. Click Modify.

  14. Set Enabled to Yes.

  15. Click Save.

18.6 Configuring Oracle Access Manager Connection (Optional)

The AccessGates used by OAAM Server must have host identifier entries. Use the Host Identifiers feature to enter the official name for the host, and every other name by which the host can be addressed by users.

A request sent to any address on the list is mapped to the official hostname, and applicable rules and policies are implemented. This is primarily used in virtual site hosting environments.

For information on configuring host identifiers, see Section 3.7.2, "Configuring Host Identifiers" in Chapter 3, "Configuring WebGates and Access Servers" of Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).

18.7 Setting Up WebGate for OAAM Web Server

To correctly handle the cookies for authentication and the required HTTP headers for the OAAM Server, OAAM Server must be protected with a standard WebGate and Web server.

To set up the WebGate for use with OAAM Server:

  1. Stop the application server (and Web server).

  2. Run the WebGate installation program.

For the WebGate configuration, use the following settings:

Table 18-5 Setting Up the WebGate for Use with OAAM Server

WebGate ID: ohsWebGate
  Unique ID specified in the Access System Console.

WebGate Password: password
  Password you defined in the Access System Console.

Access Server ID: Access ServerId
  Access Server ID associated with this WebGate.

DNS Hostname: OAAM_hostname
  DNS host name for the Access Server associated with this WebGate.

Port Number: Access_Server_port_number
  Port on which the Access Server listens for this WebGate.


For detailed information, refer to Section 9.5.3, "Specifying WebGate Configuration Details" in Oracle Access Manager Installation Guide 10g (10.1.4.3) and Chapter 2, "Integrating Oracle HTTP Server" in Oracle Access Manager Integration Guide 10g (10.1.4.3).

18.8 Configuring OAM Domain to Use OAAM Authentication

The OAAM Server authentication should now be operable for Oracle Access Manager policy domains.

To modify the Oracle Access Manager policy domain to use the OAAM authentication scheme (Strong Authentication), follow these steps:

  1. In the Access System Console, click the link for the Policy Manager at the top of the page.

  2. Click My Policy Domains in the left navigation pane. A list of policy domains appears.

  3. Click the link for the policy domain that you want to view. The General page for the selected policy domain appears.

  4. Click Default Rules. The General page for the Authentication Rule tab appears. It shows the current configuration for the rule.

  5. Click Modify. The General page, whose fields you can modify, appears.

  6. From the Authentication Scheme drop-down selector, select Adaptive Strong Authentication.

  7. Click OK to confirm the change in authentication schemes.

  8. Ensure that Update Cache is checked.

  9. Click Save to save your changes.

  10. Close Internet Explorer.

For information on modifying an Authentication Rule for a Policy Domain, see Section 5.9.2, "Modifying an Authentication Rule for a Policy Domain" in Chapter 5, "Configuring User Authentication" of Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).

18.9 Configuring Oracle HTTP Server (OHS)

mod_wl_ohs is the plug-in for proxying requests from Oracle HTTP Server to Oracle WebLogic server. The mod_wl_ohs module is included in the Oracle HTTP Server installation. You need not download and install it separately. Configure OHS such that it proxies OAAM server. In 11g OHS, that is done by modifying the mod_wl_ohs.conf file.

To set up the proxy:

  1. Locate the mod_wl_ohs.conf file.

    The mod_wl_ohs.conf file is located in the following directory:

    ORACLE_INSTANCE/config/OHS/component_name
    
  2. Open the mod_wl_ohs.conf file and add an entry similar to the following example:

    # Proxy the OAAM Server context root to the WebLogic managed server that hosts it
    <Location /oaam_server>
    SetHandler weblogic-handler
    # Host name and listen port of the OAAM managed server
    WebLogicHost name.mycompany.com
    WebLogicPort 24300
    </Location>

18.10 Configuring Oracle Adaptive Access Manager Properties for Oracle Access Manager

Setting Oracle Adaptive Access Manager properties for Oracle Access Manager and Oracle Access Manager credentials in the Credential Store Framework (CSF) is required for this integration to work.

18.10.1 Setting Oracle Adaptive Access Manager Properties for Oracle Access Manager

Note:

Before doing this procedure, you must take into account whether the OAAM Admin Console is being protected.
  • If protecting the console, you must take care of user and group creation in the external LDAP store. For details, see Creating Oracle Adaptive Access Manager Administrative Groups and User in LDAP in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

    OR

  • If not protecting the OAAM Admin Console, then the user must be created in the WebLogic Administration Console.

    (Note: You can disable OAAM Admin Console protection by setting the environment variable or Java property WLSAGENT_DISABLED=true.)

To set Oracle Adaptive Access Manager properties for Oracle Access Manager:

  1. Start the managed server hosting the Oracle Adaptive Access Manager server.

  2. Navigate to the Oracle Adaptive Access Manager Admin Console at http://oaam_managed_server_host:oaam_admin_server_port/oaam_admin.

  3. Log in as a user with access to the property editor.

  4. Open the Oracle Adaptive Access Manager property editor to set the Oracle Access Manager properties.

    If a property does not exist, you must add it.

    For the following properties, set the values according to your deployment:

    Table 18-6 Configuring Oracle Access Manager Property Values

    bharosa.uio.default.password.auth.provider.classname: com.bharosa.vcrypt.services.OAMOAAMAuthProvider

    bharosa.uio.default.is_oam_integrated: true

    oracle.oaam.httputil.usecookieapi: true

    oaam.uio.oam.host: Access Server host machine name, for example, host.example.com

    oaam.uio.oam.port: Access Server port, for example, 3004

    oaam.uio.oam.obsso_cookie_domain: Cookie domain defined in the Access Server WebGate agent

    oaam.uio.oam.java_agent.enabled: false

    oaam.uio.oam.webgate_id: WebGate ID configured in Section 18.4, "Configuring OAM AccessGate for OAAM Web Server."

    oaam.uio.login.page: /oamLoginPage.jsp

    oaam.uio.oam.authenticate.withoutsession: false

    oaam.uio.oam.secondary.host: Name of the secondary Access Server host machine
      The property must be added, as it is not set by default. It is used for high availability; you can specify the fail-over host name using this property.

    oaam.uio.oam.secondary.host.port: Port number of the secondary Access Server
      The property must be added, as it is not set by default. It is used for high availability; you can specify the fail-over port using this property.

    oaam.oam.csf.credentials.enabled: true
      This property enables configuring credentials in the Credential Store Framework instead of maintaining them in the property editor, so that credentials are stored securely in CSF.


For information on setting properties in Oracle Adaptive Access Manager, see "Using the Property Editor" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

18.10.2 Setting Oracle Access Manager Credentials in Credential Store Framework

So that Oracle Access Manager WebGate credentials can be securely stored in the Credential Store Framework, follow these steps to add a password credential to the Oracle Adaptive Access Manager domain:

  1. Navigate to the Oracle Fusion Middleware Enterprise Manager Console at http://weblogic_server_host:admin_port/em.

  2. Log in as a WebLogic Administrator.

  3. Expand Base_Domain in the navigation tree in the left pane.

  4. Select your domain name, right-click, select the menu option Security, and then select the option Credentials in the sub-menu.

  5. Click Create Map.

  6. Click oaam to select the map, then click Create Key.

  7. In the pop-up window make sure Select Map is oaam.

  8. Provide the following properties and click OK.

    Table 18-7 Adding Password Credentials to OAAM Domain

    Map Name: oaam
    Key Name: oam.credentials
    Key Type: Password
    UserName: Oracle Access Manager user with Administrator rights
    Password: Password of Oracle Access Manager WebGate Agent


18.11 Turning Off IP Validation

In order for Oracle Adaptive Access Manager to direct the user to the protected URL after authentication, you must turn off IP validation. For information on configuring IP validation, see Section 3.5.3, "Configuring IP Address Validation for WebGates" in Chapter 3, "Configuring WebGates and Access Servers" in Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).

To turn off IP validation, follow the steps below:

  1. On the Access System main page, click the Access System Console link, and then log in as an administrator.

  2. On the Access System Console main page, click Access System Configuration, and then click the Access Gate Configuration link on the left pane to display the AccessGates Search page.

  3. Enter the proper search criteria and click Go to display a list of AccessGates.

  4. Select the AccessGate.

    For example, ohsWebGate.

  5. Click Modify at the bottom of the page.

  6. Set IP Validation to off.

  7. Click Save at the bottom of the page.

18.12 Testing Oracle Adaptive Access Manager and Oracle Access Manager Integration

To test the configuration, try accessing your application. Oracle Access Manager intercepts your unauthenticated request and redirects you to OAAM Server, which challenges you for credentials.