6 Configuring Oracle Virtual Directory for Integration with Oracle Access Management Access Manager

This chapter explains how to configure Oracle Virtual Directory for integration with Oracle Access Management Access Manager (Access Manager).

This chapter includes the following sections:

Note:

You can use Oracle Virtual Directory with most LDAP-enabled technologies. The information in this chapter highlights Oracle Virtual Directory features and capabilities that simplify common integrations.

Contact your Oracle support representative for assistance with other Oracle Virtual Directory integrations.

6.1 Creating and Configuring Oracle Virtual Directory Adapters

Perform the following steps to configure Oracle Virtual Directory for integration with Access Manager using Oracle Directory Services Manager's Setup for Oracle Access Manager Quick Config Wizard. This Wizard walks you through the steps to create the required Local Store Adapter and also the appropriate adapter type; either LDAP, Database, or Custom, for the data repository that Access Manager uses.

  1. Log in to Oracle Directory Services Manager.

  2. Select Advanced from the task selection bar. The Advanced navigation tree appears.

  3. Expand the Quick Config Wizards entry in the Advanced tree.

  4. Click Setup for Oracle Access Manager in the tree. The Setup for Oracle Access Manager screen appears.

  5. Enter the namespace for the Local Store Adapter in DN format in the Namespace used for creating Local Store Adapter (LSA) field and click Apply. The Adapters screen appears.

  6. Create an adapter that is appropriate for the data repository that Access Manager uses. Refer to one of the following sections for instructions:

  7. Configure the adapter for the data repository that Access Manager uses by selecting Adapter from the Oracle Directory Services Manager task selection bar and then clicking the name of the adapter to configure in the Adapter tree.

    Go to the following sections for more information about configuring each type of adapter:

6.1.1 Creating and Configuring an LDAP Adapter

This section provides instructions for creating and configuring an LDAP Adapter for Access Manager.

6.1.1.1 Creating an LDAP Adapter

To create an LDAP Adapter for Access Manager, refer to "Creating LDAP Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

6.1.1.2 Configuring an LDAP Adapter

After you create the LDAP Adapter, you can configure that adapter by using the procedures described in the following sections:

Note:

For more information about configuring LDAP adapters, refer to "Configuring LDAP Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

6.1.1.2.1 Configuring LDAP Adapter General Settings

You can configure the general settings for the adapter by clicking the adapter name in the Adapter tree, clicking the General tab, setting values for the following fields, and clicking Apply:

Root

This field defines the root DN that the adapter provides information for. The DN defined, and the child entries below it, comprise the adapter's namespace. The value you enter in this field should be the base DN value for the returned entries. For example, if you enter dc=mydomain,dc=com in the field, all entries end with dc=mydomain,dc=com.

Active

You can configure an adapter as active (enabled) or inactive (disabled). An adapter configured as inactive does not start during a server restart or an attempted adapter start. Use the inactive setting to keep old configurations available or in stand-by without having to delete them from the configuration. The default setting is active (enabled).

LDAP Server Details

Perform the following procedures to configure the proxy LDAP host information in the LDAP Servers table in the General tab. Each proxy LDAP host must provide equivalent content; that is, the hosts must be replicas of one another.

Be careful when specifying only a single host for proxying. Without a failover host, the LDAP Adapter cannot automatically fail over to another host. A single host is suitable when Oracle Virtual Directory is connected to a logical LDAP service by using a load balancing system.

Note:

The information in the LDAP Servers table is used only if you set the Use DNS for Auto Discovery parameter to No.

To add a proxy LDAP host to the adapter:

  1. Click the Add Host button.

  2. Enter the IP Address or DNS name of the LDAP host to proxy to in the Hosts field.

    Note:

    Oracle Virtual Directory 11g Release 2 (11.1.2) supports IPv6. If your network supports IPv6 you can use a literal IPv6 address in the Hosts field to identify the proxied LDAP host.

  3. Enter the port number the proxied LDAP host provides LDAP services on in the Port field.

  4. Enter a number between 0 and 100 in the Percentage field to configure the load percentage to send to the host. If the combined percentages for all of the hosts configured for the adapter do not total 100, Oracle Virtual Directory automatically adjusts the load percentages by dividing the percentage you entered for a host by the total percentage of all hosts configured for the adapter. For example, if you have three hosts configured for the adapter at 20 percent, 30 percent, and 40 percent, Oracle Virtual Directory adjusts the 20 to 22 (20/90), the 30 to 33 (30/90), and the 40 to 44 (40/90).

  5. Select the Read-only option to configure the LDAP Adapter to only perform search operations on the LDAP host. The LDAP Adapter automatically directs all modify traffic to read/write hosts in the list.

To delete a proxy LDAP host from the adapter:

  1. Click anywhere in the row of the host you want to delete in the Remote Host table.

  2. Click the Delete button. A confirmation dialog box appears.

  3. Click Confirm to delete the proxy LDAP host from the adapter.

To validate a proxy LDAP host connection:

  1. Click anywhere in the row of the Remote Host table for the host you want to validate the connection for.

  2. Click the Validate button. The connection to the proxy LDAP host must be validated for the adapter to proxy the LDAP host.

Use SSL/TLS

Enabling this option secures the communication between the LDAP Adapter and the proxy LDAP hosts using SSL/TLS.

See:

"Managing Certificate Authorities for LDAP Adapters Secured by SSL" for information on Certificate Authorities.

SSL Authentication Mode

If you select (enable) the Use SSL/TLS option, choose the SSL authentication mode to use for securing the adapter by selecting an option from the SSL Authentication Mode list. The SSL Authentication Mode setting is functional only when the Use SSL/TLS option is enabled.

Failover Mode

If set to Sequential, the first host specified in the LDAP Servers table is used unless a failure occurs; if a failure occurs, the next host is tried. Sequential failover is often used for failover between geographies: the LDAP Adapter uses the designated host until it fails, and then fails over to an equivalent host available in another data center or continent.

If set to Distributed, each new connection made is load balanced through the list defined by the LDAP Servers table. Distributed failover is most often used when proxying a set of LDAP hosts that are typically in the same data center or are equally available in terms of network performance.
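The following is an added example, not Oracle Virtual Directory code, that models how the LDAP Servers table settings described above combine: the percentage normalization (20/30/40 becomes 22/33/44), the Sequential and Distributed failover modes, and the rule that modify traffic never goes to a Read-only host. Host names, percentages, and the function and class names are constructed for illustration.

```python
# Added example (not Oracle Virtual Directory code): how the LDAP Servers table
# settings combine. Host names, percentages and the function names are
# constructed for illustration.
from dataclasses import dataclass
import random


@dataclass
class ProxyHost:
    host: str
    port: int
    percentage: int         # load share entered in the Percentage field (0-100)
    read_only: bool = False
    available: bool = True  # flipped by the heartbeat or by a failed operation


def normalized_shares(hosts):
    """Adjust the configured percentages the way the text describes: each
    host's share is divided by the total of all configured shares."""
    total = sum(h.percentage for h in hosts)
    if total == 0:
        raise ValueError("at least one host must have a non-zero percentage")
    return {h.host: h.percentage / total for h in hosts}


def pick_host(hosts, failover_mode, operation="search", rng=random):
    """Choose the proxy host for one new connection.

    Sequential: the first available host in table order is used; a later host
    is tried only when the earlier ones have failed.
    Distributed: each new connection is spread over the available hosts
    according to their normalized percentages.
    Modify operations are never sent to a read-only host.
    """
    candidates = [h for h in hosts if h.available]
    if operation != "search":
        candidates = [h for h in candidates if not h.read_only]
    if not candidates:
        raise ConnectionError("no available host can serve %s" % operation)
    if failover_mode == "sequential":
        return candidates[0]
    if failover_mode == "distributed":
        shares = normalized_shares(candidates)
        weights = [shares[h.host] for h in candidates]
        return rng.choices(candidates, weights=weights)[0]
    raise ValueError("unknown failover mode: %r" % failover_mode)


# Constructed sample table: three replicas sharing 20/30/40 percent, as in the text.
SAMPLE_HOSTS = [
    ProxyHost("ldap1.example.com", 389, 20),
    ProxyHost("ldap2.example.com", 389, 30, read_only=True),
    ProxyHost("ldap3.example.com", 389, 40),
]

if __name__ == "__main__":
    for name, share in normalized_shares(SAMPLE_HOSTS).items():
        print("%-20s %3d%%" % (name, round(share * 100)))
    SAMPLE_HOSTS[0].available = False   # the heartbeat marked ldap1 as failed
    print("sequential search ->", pick_host(SAMPLE_HOSTS, "sequential").host)
    print("sequential modify ->", pick_host(SAMPLE_HOSTS, "sequential", "modify").host)
```

Running the block prints the adjusted shares and then shows that, once the first host is marked unavailable, a search falls through to the read-only second host while a modify skips it and lands on the third.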

Note:

If a remote host's network fails, a delay of several minutes may occur in Oracle Virtual Directory because of platform specific TCP socket timeout settings. However, Oracle Virtual Directory failover is operating properly and no data is lost during the delay.

Extended Trying

Enable this option to force the Oracle Virtual Directory server to keep trying to connect to the last host listed in the LDAP Servers table for new incoming requests on the adapter, even after the connection to that host has been determined to have failed. When this option is enabled, the adapter's Heartbeat Interval setting is ignored regardless of whether a connection to the host has failed, and the host is not removed from the LDAP Servers table. Some environments with distributed directories may prefer to disable the Extended Trying option, together with the Routing Critical setting, so that partial results are returned quickly. The default setting is enabled.

Heartbeat Interval

The LDAP Adapter periodically verifies the availability of each of the hosts defined in the LDAP Servers table. During each verification pass, a currently disabled host can be brought back into service, and a currently active host that fails the TCP/IP connection test is marked as failed. The Heartbeat Interval parameter specifies the number of seconds between verification passes. Setting a value too low can cause unnecessary connections to the remote directory. Setting a value too high can mean extended time for recovery detection when you have a failure. For production environments, Oracle suggests starting with a value of 60 seconds, then making adjustments as needed.

Operation Timeout

The amount of time in milliseconds the server waits for an LDAP request to be acknowledged by a remote host. If the operation fails, the LDAP Adapter automatically tries the next server in the Remote Host table. The minimum configurable value is 100. Settings that are too low can cause erroneous failures on busy servers. For production environments, Oracle suggests starting with a value of 5000, which is 5 seconds, then making adjustments as needed.

Max Pool Connections

A tuning parameter that enables you to control how many simultaneous connections can be made to a single server. For production environments, Oracle suggests starting with a value of 10 connections, then making adjustments as needed.

Max Pool Wait

The maximum amount of time in milliseconds that an LDAP operation waits to use an existing connection before causing the LDAP Adapter to generate a new connection. For production environments, Oracle suggests starting with a value of 1000, which is 1 second, then making adjustments as needed.

Max Pool Tries

The maximum number of times an operation waits for an LDAP connection before the adapter overrides the Max Pool Connections parameter and generates a new connection. The maximum wait time is Max Pool Wait multiplied by the number of tries: if the pool wait is 1 second and the maximum number of tries is 10, then if no LDAP connection becomes available in the normal pool within 10 seconds, the pool is expanded to handle the extended load. To prevent pool expansion beyond Max Pool Connections, set the number of tries to a high number. For production environments, Oracle suggests starting with a value of 10, then making adjustments as needed.
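As an added illustration, not Oracle's pool implementation, the following model shows how Max Pool Connections, Max Pool Wait and Max Pool Tries interact: an operation retries up to Max Pool Tries times, sleeping Max Pool Wait between attempts, and only then is the pool grown past Max Pool Connections. The class names, the fake clock and the hold times are constructed so the run is deterministic.

```python
# Added example (not Oracle Virtual Directory code): a deterministic model of
# the Max Pool Connections / Max Pool Wait / Max Pool Tries arithmetic.
# The fake clock advances only while the pool "sleeps", so results are
# reproducible without real waiting.


class FakeClock:
    def __init__(self):
        self.now_ms = 0

    def sleep(self, ms):
        self.now_ms += ms


class ConnectionPool:
    def __init__(self, max_connections, max_wait_ms, max_tries, clock):
        self.max_connections = max_connections   # Max Pool Connections
        self.max_wait_ms = max_wait_ms           # Max Pool Wait
        self.max_tries = max_tries               # Max Pool Tries
        self.clock = clock
        self.busy_until = []   # release time of every connection currently in use
        self.expanded = 0      # connections created beyond max_connections

    def _reap(self):
        """Return connections whose holder has finished with them."""
        self.busy_until = [t for t in self.busy_until if t > self.clock.now_ms]

    def acquire(self, hold_ms):
        """Borrow a connection for hold_ms. Returns (waited_ms, expanded)."""
        start = self.clock.now_ms
        for _ in range(self.max_tries):
            self._reap()
            if len(self.busy_until) < self.max_connections:
                self.busy_until.append(self.clock.now_ms + hold_ms)
                return self.clock.now_ms - start, False
            self.clock.sleep(self.max_wait_ms)   # wait for an existing connection
        # After max_wait_ms * max_tries with nothing freed, the pool grows past
        # max_connections to absorb the extended load.
        self.expanded += 1
        self.busy_until.append(self.clock.now_ms + hold_ms)
        return self.clock.now_ms - start, True


def worst_case_wait_ms(max_wait_ms, max_tries):
    """Upper bound on the time an operation waits before the pool expands."""
    return max_wait_ms * max_tries


if __name__ == "__main__":
    clock = FakeClock()
    pool = ConnectionPool(max_connections=2, max_wait_ms=1000, max_tries=3, clock=clock)
    for hold in (1500, 60000, 60000, 60000):
        print("hold %5d ms -> waited %4d ms, expanded=%s" % ((hold,) + pool.acquire(hold)))
    print("worst case before expansion:", worst_case_wait_ms(1000, 10), "ms")
```

With two pooled connections, the third request waits until the 1500 ms holder releases, while the fourth exhausts its three tries (3000 ms) and forces the pool to expand; raising Max Pool Tries lengthens that wait instead of growing the pool, which is the trade-off the text describes.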

Use Kerberos

If you enable the Use Kerberos option:

You must set the Pass Through option to BindOnly because the Kerberos authentication can only be used to validate credentials and not passed to the back-end server for any other operation.

The RDN value must be the same as the Kerberos principal name, for example, sAMAccountName in Active Directory. This may mean that the bind DN for a Kerberos bind is not the actual user DN. For example, if the user DN is cn=Jane Doe,cn=users,dc=mycompany,dc=com but the sAMAccountName is jdoe, the bind DN with the Use Kerberos option enabled is cn=jdoe,cn=users,dc=mycompany,dc=com.

You must create a krb5.conf file and place it in the Oracle Virtual Directory's configuration folder. The krb5.conf has the following properties:

Table 6-1 Properties in the krb5.conf File

Property Description

default_realm

The default domain used if not supplied by the mapping. For example, if a user binds as uid=jsmith,ou=people,dc=myorg,dc=com, this will be treated as jsmith@myorg.com. If the mapped namespace does not include a domain component (dc) based root, this value is substituted instead.

domain_realm

Defines a mapping between a domain and a realm definition. For example: .oracle.com = ORACLE.COM

realms

Defines one or more realms, for example: ORACLE.COM = {...}

kdc

The DNS name of the server running the Kerberos service for a particular realm definition.


Kerberos binds use the Kerberos libraries provided in the standard Java package. The Kerberos libraries use the krb5.conf file, which is not currently synchronized with Oracle Virtual Directory LDAP Adapter settings. The default libraries control Kerberos failover. Refer to Sun Microsystems' Java documentation for more information on failover and advanced krb5.conf file configurations.
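The following krb5.conf is an added example, not taken from the Oracle documentation, showing where the four properties in Table 6-1 go; the realm, domain and KDC host names are placeholders. Listing two kdc entries for one realm is what gives the Java Kerberos libraries a second Domain Controller to fail over to.

```ini
; Added example krb5.conf (placeholders, not a real deployment)
[libdefaults]
  default_realm = MYORG.COM          ; used when the bind DN has no dc components

[realms]
  MYORG.COM = {
    kdc = dc1.myorg.com              ; first Kerberos service for the realm
    kdc = dc2.myorg.com              ; second KDC, tried if the first is unreachable
  }

[domain_realm]
  .myorg.com = MYORG.COM            ; maps the DNS domain (dc=myorg,dc=com) to the realm
  myorg.com = MYORG.COM
```

Place the file in the Oracle Virtual Directory configuration folder as the text above states; it is read by the Java Kerberos libraries rather than by the LDAP Adapter settings, so changes to the adapter's LDAP Servers table do not update it.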

Note:

If a Microsoft Active Directory server is in the process of shutting down (either stopping or rebooting) and Oracle Virtual Directory tries to connect to it, Active Directory may not validate the credential and may return a Client not Found in Kerberos Database error message instead of returning a Key Distribution Center (Domain Controller) connection error.

The end user should attempt to log in again; assuming that either the Active Directory server is available or Key Distribution Center failover is enabled, the authentication should then succeed.

Kerberos Retry

If you enable the Use Kerberos option, you can use the Kerberos Retry option to control whether Oracle Virtual Directory should retry logging in after failed authentication attempts. If you enable the Kerberos Retry option and authentication fails, Oracle Virtual Directory reloads the krb5.conf file and retries the login.

Note:

If you identified multiple Active Directory servers in a single Kerberos realm in the krb5.conf file, do not enable the Kerberos Retry option, as enabling the retry may disrupt fail-over functionality.

Use DNS For Auto Discovery

Instead of configuring specific proxy LDAP hosts in the LDAP Servers table, you can use this option to instruct Oracle Virtual Directory to use DNS to locate the appropriate LDAP servers for the remote base defined, also known as serverless bind mode. The LDAP Adapter supports the following modes of operation:

  • No: Use the LDAP Servers table configuration—no serverless bind.

  • Standard: Use standard DNS lookup for a non-Microsoft server. All servers are marked as read/write, so enabling the Follow Referrals setting is advised to allow for LDAP write support.

  • Microsoft: The DNS server is a Microsoft dynamic DNS and also supports load-balancing configuration. If proxying to a Microsoft dynamic DNS server, this is the preferred setting because Oracle Virtual Directory can then automatically distinguish read/write servers from read-only servers.

Note:

Remote base should have a domain component style name when using this setting, for example, dc=myorg,dc=com. This name enables Oracle Virtual Directory to locate the LDAP hosts within the DNS service by looking up myorg.com.

The following fields appear in the Settings section of the General tab:

Remote Base

The location in the remote server directory tree structure to which the local Oracle Virtual Directory root suffix corresponds. This is the location in the remote directory under which Oracle Virtual Directory executes all searches and operations for the current adapter. The LDAP Adapter applies an automatic mapping of all entries from the remote base to the adapter root base.

DN Attributes

List of attributes to be treated as DNs for which namespace translation is required, such as member, uniquemember, manager. For example, when reading a group entry from a proxied directory, Oracle Virtual Directory automatically converts the DN for the group entry itself and the uniquemember or member attributes if these attributes are in the DN Attributes list.

Note:

Translate only those attributes you know must be used by the client application. Entering all possible DN attributes may not be necessary and can consume a small amount of additional CPU time in the proxy.

To add attributes to the DN Attributes list:

  1. Click Add. The Select DN Attribute dialog box appears.

  2. Select the attribute you want to add.

  3. Click OK.

Escape Slashes

When a / character is encountered in a directory, Oracle Virtual Directory can optionally escape it with a backslash (\) character. Some directory server products accept unescaped slashes, while others reject them. Selecting this setting enables escaping of slashes.
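To make the namespace handling in this section concrete, the following added example (not Oracle Virtual Directory code) performs the translations described for Remote Base and Root, the DN Attributes list, Escape Slashes, the DC-style name that Use DNS For Auto Discovery derives a DNS lookup from, and the Kerberos principal that Use Kerberos derives from a bind DN. All DNs, the sample group entry and the function names are constructed; upper-casing the realm taken from the dc components is my assumption, following the usual Kerberos convention.

```python
# Added example (not Oracle Virtual Directory code): the namespace
# translations an LDAP Adapter applies. All names and DNs are constructed.
import re


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...] on unescaped commas."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def format_dn(rdns):
    return ",".join("%s=%s" % (attr, value) for attr, value in rdns)


def _same_rdn(a, b):
    return a[0] == b[0] and a[1].lower() == b[1].lower()


def map_dn(dn, remote_base, local_root):
    """Rewrite a DN under remote_base to the same position under local_root.
    DNs outside the remote base (another adapter's namespace) are unchanged."""
    rdns, base, root = parse_dn(dn), parse_dn(remote_base), parse_dn(local_root)
    if len(rdns) < len(base):
        return dn
    if not all(_same_rdn(a, b) for a, b in zip(rdns[len(rdns) - len(base):], base)):
        return dn
    return format_dn(rdns[:len(rdns) - len(base)] + root)


def translate_entry(entry, remote_base, local_root, dn_attributes):
    """Map the entry DN plus every attribute listed in DN Attributes."""
    wanted = {a.lower() for a in dn_attributes}
    out = {"dn": map_dn(entry["dn"], remote_base, local_root)}
    for attr, values in entry.items():
        if attr == "dn":
            continue
        if attr.lower() in wanted:
            out[attr] = [map_dn(v, remote_base, local_root) for v in values]
        else:
            out[attr] = list(values)   # left untouched: not a DN attribute
    return out


def escape_slashes(value):
    """Escape Slashes option: a literal '/' becomes '\\/'."""
    return value.replace("/", "\\/")


def dns_domain(dn):
    """'dc=myorg,dc=com' -> 'myorg.com'; '' when the DN has no dc components."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")


def ldap_srv_name(dn):
    """Name that a DNS SRV lookup would query for a DC-style remote base."""
    domain = dns_domain(dn)
    if not domain:
        raise ValueError("remote base must use domain component (dc=) naming")
    return "_ldap._tcp." + domain


def kerberos_principal(bind_dn, default_realm):
    """RDN value plus the realm from the dc components (assumed upper-cased),
    or default_realm when the bind DN has no dc components."""
    rdns = parse_dn(bind_dn)
    realm = dns_domain(bind_dn).upper() or default_realm
    return "%s@%s" % (rdns[0][1], realm)


# Constructed sample: a group entry as read from the proxied directory.
REMOTE_BASE = "dc=corp,dc=example"
LOCAL_ROOT = "dc=mydomain,dc=com"
SAMPLE_GROUP = {
    "dn": "cn=admins,ou=groups,dc=corp,dc=example",
    "objectclass": ["groupOfUniqueNames"],
    "uniquemember": ["uid=jsmith,ou=people,dc=corp,dc=example",
                     "uid=ext1,ou=people,dc=partner,dc=example"],
    "description": ["cn=unrelated,dc=corp,dc=example"],   # not in DN Attributes
}

if __name__ == "__main__":
    print(translate_entry(SAMPLE_GROUP, REMOTE_BASE, LOCAL_ROOT, ["member", "uniquemember"]))
    print(escape_slashes("ou=R/D"))
    print(ldap_srv_name("dc=myorg,dc=com"))
    print(kerberos_principal("uid=jsmith,ou=people,dc=myorg,dc=com", "EXAMPLE.COM"))
```

Two details worth noticing: the uniquemember value under dc=partner is outside the Remote Base and so is passed through unchanged, and the description attribute keeps its DN-looking value because it is not in the DN Attributes list, which is exactly why the Note above says to list only the attributes the client really uses.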

Follow Referrals

Enabling this setting causes the LDAP Adapter to follow (chase) referrals received from a source directory on the client's behalf. If disabled, the referral is blocked and not returned to the client.

The following list summarizes the LDAP Adapter's behavior with different settings in relation to the send managed DSA control in LDAP operations setting:

  • If the LDAP Adapter's Follow Referrals is set to Enabled (true), and Send Managed DSA Control in LDAP Operations is also set to True, Oracle Virtual Directory does not chase the referral entries, but it returns them back to the client.

  • If the LDAP Adapter's Follow Referrals is set to Enabled (true), but Send Managed DSA Control in LDAP Operations is set to False, Oracle Virtual Directory chases the referral entries.

  • If the LDAP Adapter's Follow Referrals is set to Disabled (false), but Send Managed DSA Control in LDAP Operations is set to True, Oracle Virtual Directory does not chase the referral entries, but it returns them back to the client.

  • If the LDAP Adapter's Follow Referrals is set to Disabled (false), and Send Managed DSA Control in LDAP Operations is also set to False, Oracle Virtual Directory does not chase the referral entries and does not return them back to client.

Proxied Page Size

If enabled, this setting allows the proxy to use the paged results control with a proxied directory. Enabling this setting is most often used when a directory limits the number of results in a query. This setting is used on behalf of and transparently to Oracle Virtual Directory's clients.

The following fields appear in the Credential Processing section of the General tab:

Proxy DN

The default DN that the LDAP Adapter binds with when accessing the proxied directory. Depending on the Pass-through Mode setting, this DN is used for all operations, or only for exceptional cases such as pass-through mode. The form of the distinguished name should be in the form of the remote directory. Empty values are treated as Anonymous.

Proxy Password

The authentication password to be used with the Proxy DN value. To set the password, enter a value in clear text. When loaded on the server, the value is automatically replaced with a reversibly masked form, for example, {OMASK}jN63CfzDP8XrnmauvsWs1g==. Because the mask is reversible, it prevents only casual disclosure; restrict file-system access to the adapter configuration files accordingly.

Pass-through Mode

To pass user credentials presented to Oracle Virtual Directory to the proxied LDAP server for all operations, set to Always. To pass user credentials to the proxied LDAP server for bind only and use the default server credentials for all other operations, set to Bind Only. To use the Proxy DN credentials for all operations, set to Never.

Note:

In some situations when pass-through mode is set to Always, the LDAP Adapter may still use the Proxy DN. This occurs when the user credential cannot be mapped, for example, from another adapter namespace, or is the root account.

If defining multiple adapters to different domain controllers within a Microsoft Active Directory forest, you can program the LDAP Adapter to proxy credentials from other adapters (that is, two or more adapters pointing to the same Active Directory forest) by using the Routing Bind-Include setting.

The following fields appear in the Ping Protocol Settings section of the General tab:

The Ping Protocol Settings provide options for how to determine when a source LDAP directory server that is not responding becomes available. If multiple source directory servers are configured, Oracle Virtual Directory identifies the non-responsive servers and performs subsequent operations against the next available server.

Ping Protocol

Select either TCP or LDAP as the protocol Oracle Virtual Directory should use to ping source directory servers. Select LDAP if the source directory server is using SSL.

Note:

While the TCP protocol option is faster than the LDAP option, it may produce an inaccurate response from the source directory server if its network socket is available, but its LDAP server process is unavailable.

Ping Bind DN

If you select LDAP as the Ping Protocol, identify the DN to use for the LDAP bind.

Ping Bind Password

If you select LDAP as the Ping Protocol, identify the password for the DN specified in the Ping Bind DN setting.

6.1.1.2.2 Managing Certificate Authorities for LDAP Adapters Secured by SSL

In some situations, SSL connections from Oracle Virtual Directory to the SSL port of an LDAP Adapter can fail and the following message may appear:

Oracle Virtual Directory could not load certificate chain

Two examples of situations when this may happen are when:

  • you create a new LDAP Adapter secured by SSL and use an untrusted Certificate Authority

  • a certificate for an existing LDAP Adapter secured by SSL expires and the new certificate is signed by an untrusted Certificate Authority

To resolve this issue, import the LDAP server certificate and the Root Certificate Authority certificate used to sign the LDAP server certificate, into the Oracle Virtual Directory server so it knows the certificates are trusted.

Use the following keytool command and an appropriate alias all on one command line:

ORACLE_HOME/jdk/jre/bin/keytool -import -trustcacerts
-alias "NEW_CA" -file PATH_TO_CA_CERTIFICATE
-keystore ORACLE_INSTANCE/config/OVD/ovd1/keystores/adapters.jks

Using LDAP Adapters with Microsoft Active Directory and Microsoft Certificate Services

By default, Microsoft Certificate Services automatically updates expired Active Directory SSL certificates. However, client applications are not normally notified of this change, so the Oracle Virtual Directory LDAP Adapter connected to the updated Active Directory server stops functioning. If this occurs, use Oracle Directory Services Manager to configure the LDAP Adapter to import the trusted certificates, and the adapter should begin to function again.

6.1.2 Creating and Configuring a Database Adapter

This section describes how to create and configure a Database adapter for Access Manager.

6.1.2.1 Creating a Database Adapter

To create a Database Adapter for Access Manager, refer to "Creating Database Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

6.1.2.2 Configuring a Database Adapter

After you create the Database Adapter, you can configure the general settings for that adapter by clicking the adapter name in the Adapter tree, clicking the General tab, setting values for the following fields, and clicking Apply:

Note:

For more information about configuring Database adapters, refer to "Configuring Database Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

Root

This field defines the root DN that the adapter provides information for. The DN defined, and the child entries below it, comprise the adapter's namespace. The value you enter in this field should be the base DN value for returned entries. For example, if you enter dc=mydomain,dc=com in the field, all entries end with dc=mydomain,dc=com.

Active

An adapter can be configured as active (enabled) or inactive (disabled). An adapter configured as inactive does not start during a server restart or an attempted adapter start. Use the inactive setting to keep old configurations available or in stand-by without having to delete them from the configuration. The default setting is active.

The following fields appear in the Connection Settings section of the General tab:

URL Type

Select an option from the following URL Type list. Some fields for Database Adapter connection settings differ depending on which option you choose. After selecting an option, continue configuring the Connection Settings by setting the fields listed for each option.

  • Use Custom URL: Select this option to connect Oracle Virtual Directory to a custom database.

    • Enter the JDBC driver class name for the database in the JDBC Driver Class field.

    • Enter the URL that Oracle Virtual Directory should use to access the database in the Database URL field.

    • Enter the user name that the Database Adapter should use to connect to the database in the Database User field.

    • Enter the password for the user name you entered in the Database User field in the Password field. Oracle Virtual Directory replaces the value you enter in this field with a reversible masked value upon startup.

  • Use Predefined Database: Select this option to connect to a predefined database. The predefined databases appear in the Database Type list after selecting Use Predefined Database from the URL Type list. If you are unsure if Oracle Virtual Directory has predefined your type of database, select Use Predefined Database from the URL Type list and verify if your database is listed in the Database Type list. If your database is listed in the Database Type list, continue with the following steps. If your database is not listed, select Use Custom URL from the URL Type list and perform the steps for using a custom URL.

    • Select the type of your database from the Database Type list. After selecting the database type, the JDBC Driver Class and Database URL fields are populated with the appropriate information for the database.

    • Enter the IP Address or DNS host name of the database in the Host field.

    • Enter the port number the database listens on in the Port field.

    • Enter the name of the database, for example, the Oracle SID, in the Database Name field.

    • Enter the user name that the Database Adapter should use to connect to the database in the Database User field.

    • Enter the password for the user name you entered in the Database User field in the Password field. Oracle Virtual Directory replaces the value you enter in this field with a reversible masked value upon startup.

The following fields appear in the Settings section of the General tab:

Ignore Modify Objectclass

Because objectclasses in the database are logical objects that do not map directly to a table column in the mapping, modifications to the objectclass attribute can cause errors. If the Ignore Modify Objectclass option is enabled, the Database Adapter removes any references to the objectclass attribute so that no errors are sent to the client application; that is, they are ignored. If the option is not selected, error messages are sent to the client application.

Include Object Class Super Classes

This setting causes the Database Adapter to list objectclass parent classes along with the main objectclass in the objectclass attribute. Disable this setting when you want to emulate Microsoft Active Directory server schema. For most scenarios, it is useful to enable this setting so that objectclass=xxx queries can be executed against parent objectclass values.

Enable Case Insensitive Search

Enabling (selecting) the Enable Case Insensitive Search option makes the search case insensitive for case insensitive LDAP attributes, such as uid. Oracle Virtual Directory uses UPPER in the SQL query when Enable Case Insensitive Search is enabled. If the database cannot maintain functional indexes, such as for Oracle TimesTen or MySQL databases, then you should disable the Enable Case Insensitive Search option. When the Enable Case Insensitive Search is disabled, Oracle Virtual Directory performs case sensitive searches and does not use UPPER in the SQL query. The default value for Enable Case Insensitive Search is Enable.
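The two query shapes the setting switches between, as an added example that is not from the Oracle documentation; the table and column names (APP_USERS, UID_COL) are constructed placeholders, and the function-based index is the Oracle Database form.

```sql
-- Added example (not Oracle's generated SQL): placeholder table APP_USERS, column UID_COL.

-- Enable Case Insensitive Search = Enable: the adapter wraps both sides in UPPER,
-- so 'jsmith' matches 'JSmith' in the column.
SELECT * FROM APP_USERS WHERE UPPER(UID_COL) = UPPER('jsmith');

-- Without a functional index the UPPER() predicate forces a full table scan;
-- on Oracle Database a function-based index keeps it indexed.
CREATE INDEX APP_USERS_UID_UPPER_IX ON APP_USERS (UPPER(UID_COL));

-- Enable Case Insensitive Search = Disable (for databases that cannot maintain
-- functional indexes, such as TimesTen or MySQL): plain, case-sensitive equality.
SELECT * FROM APP_USERS WHERE UID_COL = 'jsmith';
```

The practical check is to run the UPPER() form with your database's query plan tool after creating the index; if it still scans the whole table, the database is not using functional indexes and the setting should be disabled as the text advises.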

Maximum Connections

This setting defines the maximum connections the Database Adapter may make with the database.

Connection Wait Timeout

This setting determines how much time (in seconds) the Database Adapter should wait before timing-out when trying to establish a connection with the database.

The following fields appear in the DB/LDAP Mapping section of the General tab:

Used Database Tables

This field displays the database tables the Database Adapter is set to use. To add a database table, click the Add button, navigate to the table file, select it and click OK.

The following fields appear in the Object Classes section of the General tab:

Object Classes

This field displays object classes and their RDNs that map to the database tables. To add an Object Class Mapping, click the Create button, select the appropriate object class from the Object Class list, enter an RDN value for the object class in the RDN field, and click OK.

Note:

For more information, about configuring Database adapters, refer to "Configuring Database Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

6.1.3 Creating and Configuring a Custom Adapter

This section describes how to create and configure a Custom adapter for Access Manager.

6.1.3.1 Creating a Custom Adapter

To create a Custom Adapter for Access Manager, refer to "Creating Custom Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

6.1.3.2 Configuring Custom Adapters

After you create the Custom Adapter you can configure the general settings for that adapter by clicking the adapter name in the Adapter tree, clicking the General tab, setting values for the following fields, and clicking Apply:

Note:

For more information about configuring Custom adapters, refer to "Configuring Custom Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

Root

This field defines the root DN that the adapter provides information for. The DN defined, and the child entries below it, comprise the adapter's namespace. The value you enter in this field should be the base DN value for returned entries. For example, if you enter dc=mydomain,dc=com in the field, all entries end with dc=mydomain,dc=com.

Active

An adapter can be configured as active (enabled) or inactive (disabled). An adapter configured as inactive does not start during a server restart or an attempted adapter start. Use the inactive setting to keep old configurations available or in stand-by without having to delete them from the configuration. The default setting is active.

6.2 Using the OAMPolicyControl Plug-In

Note:

This section is only relevant to customers that are still running Oracle Access Manager 10g. The OAMPolicyControl plug-in does not work with Access Manager 11g.

Oracle Virtual Directory provides the OAMPolicyControl plug-in to simplify the Oracle Virtual Directory-Access Manager integration for applications that use LDAP for authentication and want to use Access Manager policy controls, but cannot integrate with Access Manager.

Before deploying the OAMPolicyControl plug-in, you must:

  • Set the Bind pass-through settings to Never for any LDAP Adapters that are using the Access Manager policy configuration.

    The plug-in handles all authentications and uses proxy credentials to perform all operations.

  • Configure different adapters for Access Manager.

    These adapters should use the OAMPolicyControl plug-in to use Access Manager policies. If you deploy these adapters on the same Oracle Virtual Directory server, you must configure one of the following options:

    • Use a different LDAP namespace for each adapter. An Access Manager adapter namespace must be independent from the namespaces used by general purpose LDAP clients.

    • Use an Oracle Virtual Directory view, with accessibility criteria that distinguishes requests for different Access Manager adapters.

  • Configure the Access Manager Access Server by:

    • Creating a proxy resource that corresponds to Oracle Virtual Directory.

    • Disabling the policy domains for Identity Server and Access Server because the plug-in does not cache the OBSSO Cookie.

  • Configure the AccessSDK as follows:

    • Configure an AccessSDK installation for the Access Manager Access Server by using AccessServerSDK\oblix\tools\configureAccessGate.

    • Configure the opmn to start the Oracle Virtual Directory component by pointing the -Djava.library.path to the AccessSDK installation.

      Edit the INSTANCE_HOME/config/OPMN/opmn/opmn.xml file as follows:

      <ias-component id="ovd1">
       <process-type id="OVD" module-id="OVD">
        <module-data>
         <category id="start-options">
          <data id="java-bin" value="$ORACLE_HOME/jdk/bin/java"/>
          <data id="java-options" value="-server -Xms512m -Xmx512m -Dvde.soTimeoutBackend=0 -Doracle.security.jps.config=$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml -Djava.library.path=AccessSDK_install_dir/AccessSDK/AccessServerSDK/oblix/lib/"/>
          <data id="java-classpath" value="$ORACLE_HOME/ovd/jlib/vde.jar$:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/>
         </category>
        </module-data>
        <stop timeout="120"/>
       </process-type>
      </ias-component>

    • Copy the jobaccess.jar file from AccessSDK_install_dir/AccessServerSDK/oblix/lib to ORACLE_HOME/ovd/plugins/lib.

Note:

Failure to successfully complete the preceding prerequisite configurations causes Oracle Virtual Directory to generate a NoClassDefFound error.

6.2.1 Configuration Parameters

The OAMPolicyControl plug-in has the following configuration parameters:

Note:

All of the following configuration parameters—except for useAccessAuthPolicy—are required to deploy the OAMPolicyControl plug-in.

resourceIdOVD

Identifies the proxy resource for Oracle Virtual Directory that the Access Manager server configures. For example: //host:port/ovd_proxy_resource.

identityproxyid

Used for authentication against the Identity Server, the identityproxyid parameter identifies the value of the administrator's usernameAttribute.

install_dir

Identifies the AccessSDK installation directory containing the required libraries. For example: AccessSDK_INSTALL_DIRECTORY/AccessServerSDK/.

OrclOVDEncryptedproxypasswd

Administrator password for authentication against Identity Server.

identityEndpointAddress

Identifies the URL corresponding to the listening endpoint of the Identity Server's um_modifyUser web service. For example: http://host:port/identity/oblix/apps/userservcenter/bin/userservcenter.cgi

usernameAttribute

Identifies the attribute configured to be the Login attribute of the Identity Server. For example, uid or genUserId.

useAccessAuthPolicy

An optional and case-insensitive parameter, useAccessAuthPolicy determines usage of the Access Manager server's authorization policies while accessing the proxy resource. Supported values are True and False. The default setting is False.