Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New
New Features in 11.1.1.7
New Features in Patch Set 1
Release 11g Release 1 (11.1.1)
Product and Component Name Changes
Part I Introduction to Oracle Access Manager with Oracle Security Token Service
1
Oracle Product Introduction
1.1
Introduction to Oracle Access Manager
1.1.1
Introduction to Oracle Access Manager Architecture
1.1.2
Introduction to Oracle Access Manager Deployment Types and Installation
1.1.2.1
About Deployment Types and OAM
1.1.2.2
About Oracle Access Management Post-Installation Tasks
1.1.2.3
About Installation versus Upgrading
1.1.3
Comparing Oracle Access Manager 11g, 10g, and OracleAS SSO 10g
1.1.3.1
Enhancements in Oracle Access Manager 11g
1.1.3.2
Oracle Access Manager 10g Functionality Not Available with 11g
1.1.3.3
Comparing Oracle Access Manager 11g, 10g, and OracleAS SSO 10g
1.2
Introduction to Oracle Security Token Service
1.2.1
Oracle Security Token Service Key Terms and Concepts
1.2.2
About Oracle Security Token Service with Oracle Access Manager
1.2.3
About Integrated Oracle Web Services Manager
1.2.4
About Oracle Security Token Service Architecture
1.2.5
About Oracle Security Token Service Deployments
1.2.5.1
Centralized Token Authority Deployment
1.2.5.2
Tokens Behind a Firewall Deployment
1.2.5.3
Web Services SSO Deployment
1.2.6
About Installation Options
1.2.6.1
Oracle Security Token Service Cluster in Single WLS Domain
1.2.6.2
Endpoint Exposure through a Web Server Proxy
1.2.6.3
Interoperability of Requester and Relying Party with Other Oracle WS-Trust based Clients
1.2.6.4
Oracle Security Token Service Installation Overview
1.2.6.5
Post-Installation Tasks: Oracle Security Token Service
1.2.7
About Oracle Security Token Service Administration
2
Introduction to This Book
2.1
Introduction to This Book
2.2
Part I: Oracle Product Introduction
2.3
Part II: Common Tasks
2.3.1
Getting Started with Common Administration and Navigation
2.3.2
Managing Services, Certificate Validation, and Common Settings
2.3.3
Data Sources
2.3.4
OAM Server Instances and the Console
2.3.5
Oracle Access Manager Session Management
2.4
Part III, Oracle Access Manager Settings
2.4.1
Access Manager Settings
2.4.2
Single Sign-on Agents
2.5
Part IV, Single Sign-on, Oracle Access Manager Policies, and Testing
2.5.1
Single Sign-On
2.5.2
Oracle Access Manager Policy Model and Shared Policy Components
2.5.3
Oracle Access Manager Policy Model, Application Domains, and Policies
2.5.4
Connectivity and Policy Testing
2.5.5
Centralized Logout for Oracle Access Manager 11g
2.6
Part V: Oracle Security Token Service
2.7
Part VI: Common Logging, Auditing, Performance Monitoring
2.7.1
Component Event Message Logging
2.7.2
Webgate Event Message Logging
2.7.3
Common Audit Framework
2.7.4
Performance Metrics in the Oracle Access Manager Console
2.7.5
Performance Metrics in Fusion Middleware Control
2.8
Part VII: Using OAM 10g Webgates with OAM 11g
2.8.1
Provisioning OAM 10g Webgates for OAM 11g
2.8.2
Configuring 10g Webgates for Apache v2-based Web Servers (OHS and IHS)
2.8.3
Configuring 10g Webgates for the IIS Web Server
2.8.4
Configuring 10g Webgates for the ISA Server
2.8.5
Configuring Lotus Domino for OAM 10g Webgates
2.9
Part VIII: Appendixes
2.9.1
Co-existence: OAM 11g SSO versus OAM 10g SSO with OracleAS SSO 10g
2.9.2
Moving OAM 11g From Test (Source) to Production (Target)
2.9.3
Integration with Oracle ADF Applications
2.9.4
Internationalization and Multibyte Data Support for OAM 10g Webgates
2.9.5
Secure Communication and Certificate Management
2.9.6
Custom WebLogic Scripting Tool Commands for OAM
2.9.7
OAM 11g for IPv6 Clients
2.9.8
Creating Deployment-Specific Pages
2.9.9
Troubleshooting
Part II Using the Console for Common Tasks
3
Getting Started with Common Administration and Navigation
3.1
Prerequisites
3.2
Introduction to Administrators
3.3
Logging In to and Signing Out of Oracle Access Manager Console
3.3.1
Logging In to the Oracle Access Manager Console
3.3.2
Signing Out of Oracle Access Manager Console
3.4
Introduction to the Oracle Access Manager Console and Controls
3.4.1
Console Layout and Controls
3.4.1.1
Welcome Page and Shortcuts
3.4.1.2
Function-Level Tabs and Controls
3.4.1.3
Content Pages and Page Controls
3.4.2
Elements on a Page
3.4.3
Selecting Controls in the Console
3.5
Introduction to Policy Configuration and System Configuration Tabs
3.5.1
About the System Configuration Tab
3.5.2
About the Policy Configuration Tab
3.6
Viewing Configuration Details in the Console
3.7
Conducting Searches Using the Console
3.7.1
Conducting Policy Element Searches Using the Console
3.7.1.1
About Policy Configuration Search Controls
3.7.1.2
Searching for Policy Elements
3.7.2
Refining Searches for System Configuration Elements
3.8
Using Online Help
3.9
Command-Line Tools
3.10
Logging, Auditing, Monitoring Performance
4
Managing Services, Certificate Validation, and Common Settings
4.1
Prerequisites
4.2
Introduction to Common Configuration Elements
4.3
Enabling or Disabling Available Services
4.4
Managing the Common Settings
4.4.1
About Common Settings Pages
4.4.2
Managing Common Settings
4.4.3
Viewing Common Coherence Settings
4.5
Managing Global Certificate Validation and Revocation
4.5.1
About Certificate Validation and Revocation Lists
4.5.2
Managing Certificate Revocation Lists (CRLs)
4.5.3
Managing Certificate Validation
4.5.4
Configuring CDP
5
Managing Common Data Sources
5.1
Prerequisites
5.2
Introduction to Managing Common Data Sources
5.2.1
About User Identity Stores
5.2.1.1
Multiple Identity Stores
5.2.2
About the Policy and Session Database Store
5.2.3
About the Oracle Access Manager Configuration Data File
5.2.4
About Oracle Access Manager Security Keys and the Embedded Java Keystore
5.2.5
About Oracle Security Token Service Keystores
5.3
Managing User Identity Stores
5.3.1
About the User Identity Store Registration Page
5.3.2
Registering a New User Identity Store
5.3.3
Viewing or Editing a User Identity Store Registration
5.3.4
Deleting a User Identity Store Registration
5.4
Setting the Default Store and System Store
5.4.1
About Setting the Default Store and System Store
5.4.2
Defining a Default Store and System Store
5.5
Managing the Administrators Role
5.5.1
About Managing the Administrator Role
5.5.2
Managing Administrator Roles
5.6
Managing the Policy Database by Using the Console
5.6.1
About Database Deployment for Oracle Access Manager
5.6.2
Configuring a Separate Database for Session Data
5.7
Integrating a Supported LDAP Directory with Oracle Access Manager
5.7.1
Installing and Setting Up Required Components
5.7.2
Defining Authentication in Oracle Access Manager for Oracle Internet Directory
5.7.3
Managing Oracle Access Manager Policies that Rely on Your LDAP Store
5.7.4
Validating Authentication and Access
6
Managing Common OAM Server Registration
6.1
Prerequisites
6.2
Introduction to OAM Server Registration and Management
6.2.1
About Server Side Differences Between OAM 11g and OAM 10g
6.2.2
About Individual OAM Server Registrations
6.2.3
About the Embedded Proxy Server and Backward Compatibility
6.2.4
About OAM 11g SSO and Legacy OAM 10g SSO in Combination with OSSO
6.2.5
About Communication Between OAM Servers and Webgates
6.3
Managing Individual OAM Server Registrations
6.3.1
About the OAM Server Registration Page
6.3.1.1
OAM Proxy Page
6.3.1.2
Coherence Page for Individual Servers
6.3.2
Registering a Fresh OAM Server Instance
6.3.3
Viewing or Editing Individual OAM Server and Proxy Settings
6.3.4
Deleting an Individual Server Registration
7
Managing Sessions
7.1
Prerequisites
7.2
Introduction to User Sessions and Session Management
7.2.1
About the User Session Lifecycle
7.2.2
Oracle Coherence and Session Management
7.3
Configuring User Session Lifecycle Settings
7.3.1
About Common Session Lifecycle Setting Page
7.3.2
Viewing or Modifying Common Session Lifecycle Settings
7.4
Managing Active User Sessions
7.4.1
About the Session Management Page
7.4.2
Managing Active User Sessions
7.5
Verifying Session Management Operations
7.6
Security
7.6.1
Secure HTTPS Protocol
7.6.2
Coherence
7.6.3
Database Persistence
Part III Oracle Access Manager Settings Management
8
Configuring Access Manager Settings
8.1
Prerequisites
8.2
Introduction to Access Manager Settings
8.3
Managing Access Manager Load Balancing and Secure Error Modes
8.3.1
About Access Manager Load Balancing Settings and Secure Error Modes
8.3.2
Managing OAM Server Load Balancing and Secure Error Modes
8.4
Managing SSO Tokens and IP Validation
8.4.1
About Access Manager SSO Tokens and IP Validation Settings
8.4.2
Managing SSO Tokens and IP Validation
8.5
Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security
8.5.1
About Simple and Cert Mode Transport Security
8.5.2
About the Common OAM Proxy Page for Secure Server Communications
8.5.3
Viewing or Editing Simple or Cert Settings for OAM Proxy
8.6
Managing Run Time Policy Evaluation Caches
8.6.1
About Run Time Policy Evaluation Caches
8.6.2
Managing Run Time Policy Evaluation Caches
8.7
Managing Authentication Modules
8.7.1
About Default Authentication Modules and Pages
8.7.1.1
Kerberos Authentication Module
8.7.1.2
LDAP Authentication Modules
8.7.1.3
X509 Authentication Module
8.7.2
Creating a New Authentication Module of an Existing Type
8.7.3
Viewing or Editing Authentication Modules
8.7.4
Deleting an Authentication Module
8.8
Creating Custom Authentication Modules
8.8.1
About Creating Custom Authentication Modules
8.8.2
About the Custom Authentication Module Plug-ins
8.8.3
Creating a Custom Authentication Module
9
Registering Partners (Agents and Applications) by Using the Console
9.1
Prerequisites
9.2
Introduction to Policy Enforcement Agents
9.2.1
About Policy-Enforcement Agents
9.2.2
About the Pre-Registered IAMSuiteAgent
9.2.3
About Registering Partners (Agents and Applications)
9.2.4
About File System Changes and Artifacts for Registered Agents
9.3
Registering and Managing OAM Agents Using the Console
9.3.1
About Creating and Editing Webgate Registration
9.3.2
About User-Defined Webgate Parameters
9.3.3
About IP Address Validation for Webgates
9.3.4
Searching for an OAM Agent Registration
9.3.5
Registering a Webgate or Programmatic Access Client
9.3.6
Viewing or Editing an OAM Agent Registration
9.3.7
Deleting Webgate Registration
9.4
Tuning 10g and 11g Webgate Caches
9.4.1
Introducing Webgate Caches
9.4.2
Reducing Network Traffic Between Components
9.4.3
Changing the Webgate Polling Frequency
9.5
Registering and Managing OSSO Agents Using the Console
9.5.1
About OSSO Agents and the OSSO Proxy
9.5.2
About the Create OSSO Agent Page
9.5.3
Refining the Search for an OSSO Agent (mod_osso) Registration
9.5.4
Registering an OSSO Agent (mod_osso)
9.5.5
Viewing or Editing OSSO Agent (mod_osso) Registration
9.5.6
Deleting an OSSO Agent (mod_osso) Registration
10
Registering Partners (Agents and Applications) Remotely
10.1
Prerequisites
10.2
Introduction to Remote Partner Registration
10.2.1
About In-Band Remote Registration
10.2.2
About Out-of-Band Remote Registration
10.2.3
About Key Use, Generation, Provisioning, and Storage
10.2.4
About the Remote Registration Tool
10.2.5
About Remote Registration Request Files
10.2.5.1
OSSO Remote Registration Request
10.2.5.2
Short, Simplified OAM Remote Registration Requests
10.2.5.3
Common Elements of Remote Registration Requests
10.2.5.4
OSSO-Specific Elements in a Remote Registration Request
10.2.5.5
Full OAM Remote Registration Requests
10.2.6
About Out-of-Band Registration Responses
10.3
Acquiring and Setting Up the Registration Tool
10.4
Creating the Registration Request
10.5
Performing In-Band Remote Registration
10.6
Performing Out-of-Band Remote Registration
10.7
Validating Remote Registration and Resource Protection
10.7.1
Validating Remote Registration
10.7.2
Validating Authentication, Resource Protection, and Access After Remote Registration
10.8
Introducing Remote Management Modes
10.8.1
About Remote Agent Management Modes
10.8.1.1
OSSOUpdateAgentRequest.xml
10.8.1.2
OAM11GUpdateAgentRequest.xml
10.8.1.3
OAMUpdateAgentRequest.xml
10.8.2
About Remote Application Domain Management Modes
10.8.2.1
About the Create Policy Request File
10.8.2.2
About the Update Policy Request File
10.8.2.3
About <rregApplicationDomain> Elements
10.9
Managing Agents Remotely
10.9.1
Performing Remote Agent Updates
10.9.2
Performing Remote Agent Validation
10.9.3
Performing Remote Agent Removal
10.10
Creating or Updating an Application Domain Without an Agent
11
Integrating Oracle Access Manager with SAP NetWeaver Enterprise Portal
11.1
What is New in This Release?
11.2
Supported Versions and Platforms
11.3
Integration Architecture
11.3.1
Process Overview: Integration with SAP NetWeaver Enterprise Portal
11.4
Prerequisites
11.5
Configuring SAP NetWeaver Enterprise Portal for Oracle Access Manager
11.5.1
Configuring the Apache HTTP Server as a Proxy
11.5.2
Configuring SAP NetWeaver Enterprise Portal for External Authentication
11.5.3
Adjusting the Login Module Stacks for using Header Variables
11.6
Configuring Oracle Access Manager to Work With SAP NetWeaver Enterprise Portal
11.6.1
Configuring Oracle Access Manager for SAP Enterprise Portal
11.7
Testing the Integration
11.8
Troubleshooting the Integration
Part IV Managing Oracle Access Manager SSO, Policies, and Testing
12
Introduction to the OAM Policy Model, Single Sign-On
12.1
Prerequisites
12.2
Comparing the OAM 11g Policy Model and OAM 10g Model
12.3
Introduction to the OAM 11g Policy Model
12.3.1
About Resource Types
12.3.2
About Host Identifiers
12.3.3
About Authentication, Schemes, and Modules
12.3.3.1
Authentication Schemes and Modules
12.3.3.2
Authentication Event Logging and Auditing
12.3.4
About Application Domains and Policies
12.3.5
About Resources and Resource Definitions
12.3.6
About Authentication Policies, Responses, and Resources
12.3.7
About Authorization Policies, Resources, Constraints, and Responses
12.4
Introduction to Configuring OAM Single Sign-On
12.5
Introduction to SSO Components
12.5.1
About Single Sign-On Components
12.5.2
About Single Sign-On Cookies During User Login
12.5.3
About Single Sign-On Cookies
12.5.3.1
OAMAuthnCookie for 11g OAM Webgates
12.5.3.2
ObSSOCookie for 10g OAM Webgates
12.5.3.3
OAM_REQ Cookie
12.5.3.4
mod_osso Cookies
12.6
Introduction to OAM 11g Single Sign-On Implementation Types
12.6.1
Application SSO
12.6.2
Single Sign-On with OAM 11g
12.6.3
Cross-Network Domains and Oracle Access Manager 11g
12.7
Introduction to OAM 11g SSO Processing
12.7.1
About SSO Log In Processing
12.7.1.1
Login
12.7.1.2
Login with Self-Service Provisioning Applications
12.7.1.3
Login and Auto Login for Applications Using Oracle ADF Security
12.7.2
About SSO Log In Processing with OAM Agents
12.7.3
About SSO Log In Processing with OSSO Agents (mod_osso)
12.7.4
About Single Sign-On Processing with Mixed Release Agents
13
Managing Policy Components
13.1
Prerequisites
13.2
Introduction to Managing Policy Components
13.3
Managing Resource Types
13.3.1
About Resource Types and Their Use
13.3.2
About the Resource Type Page
13.3.3
Searching for a Specific Resource Type
13.4
Managing Host Identifiers
13.4.1
About Host Identifiers
13.4.1.1
Host Identifier Usage
13.4.1.2
Host Identifier Guidelines
13.4.1.3
Host Identifier Variations
13.4.2
About Virtual Web Hosting
13.4.2.1
Placing a Webgate Behind a Reverse Proxy
13.4.2.2
Configuring Virtual Hosting for Non-Apache Web Servers
13.4.2.3
Associating a Webgate for Apache with Virtual Hosts, Directories, or Files
13.4.3
About the Host Identifier Page
13.4.4
Creating a Host Identifier
13.4.5
Searching for a Host Identifier Definition
13.4.6
Viewing or Editing a Host Identifier Definition
13.4.7
Deleting a Host Identifier Definition
13.5
Managing Authentication Schemes
13.5.1
About the Authentication Schemes Page
13.5.1.1
Pre-configured Authentication Schemes
13.5.1.2
About Challenge Methods
13.5.1.3
About Challenge Parameters for Authentication Schemes
13.5.1.4
About Authentication Modules
13.5.1.5
About Multi-Level Authentication
13.5.2
Creating an Authentication Scheme
13.5.3
Searching for an Authentication Scheme
13.5.4
Viewing or Editing an Authentication Scheme
13.5.5
Deleting an Authentication Scheme
13.6
Configuring Challenge Parameters for Encrypted Cookies
13.6.1
About ssoCookie Challenge Parameters for Encrypted Cookies
13.6.2
Configuring Challenge Parameters for Encrypted Cookie Security
13.6.3
Setting Challenge Parameters for Encrypted Cookie Persistence
13.7
Long URL Handling During Authentication
13.7.1
About Long URLs and Authentication
13.7.2
Configuring Long URL Handling
14
Managing Policies to Protect Resources and Enable SSO
14.1
Prerequisites
14.2
Introduction to Application Domain Creation
14.2.1
About Automatic Application Domain Creation
14.2.2
About Manually Creating Application Domains
14.3
Anatomy of an Application Domain and Policies
14.3.1
Application Domain General Details
14.3.2
Default Resources in a Generated Application Domain
14.3.3
Default Authentication Policies in a Generated Application Domain
14.3.4
Default Authorization Policies in a Generated Application Domain
14.3.5
About Token Issuance Policies
14.4
Managing Application Domains using the Console
14.4.1
About the Application Domains Page
14.4.2
Creating a Fresh Application Domain Manually
14.4.3
Searching for an Application Domain
14.4.4
Viewing or Editing an Application Domain
14.4.5
Deleting an Application Domain and Its Content
14.5
Adding and Managing Resource Definitions for Use in Policies
14.5.1
About the Resource Definition Page in an Application Domain
14.5.1.1
About the Resource Type in a Resource Definition
14.5.1.2
About the Host Identifier in a Resource Definition
14.5.1.3
About the Resource URL
14.5.1.4
About Run Time Resource Evaluation
14.5.2
Adding Resource Definitions to an Application Domain
14.5.3
Searching for a Resource Definition
14.5.3.1
About Searching for a Specific Resource Definition
14.5.3.2
Searching for a Specific Resource Definition
14.5.4
Viewing or Editing a Resource Definition in an Application Domain
14.5.5
Deleting a Resource Definition from an Application Domain
14.6
Defining Authentication Policies for Specific Resources
14.6.1
About the Authentication Policy Page
14.6.1.1
About Resources in an Authentication Policy
14.6.2
Adding an Authentication Policy and Resources
14.6.3
Searching for an Authentication Policy
14.6.4
Viewing or Editing an Authentication Policy
14.6.5
Deleting an Authentication Policy
14.7
Defining Authorization Policies for Specific Resources
14.7.1
About Authorization Policies for Specific Resources
14.7.2
Adding an Authorization Policy and Specific Resources
14.7.3
Searching for an Authorization Policy
14.7.4
Viewing or Editing an Authorization Policy and Resources
14.7.5
Deleting an Authorization Policy
14.8
Introduction to Policy Responses for SSO
14.8.1
About Authentication and Authorization Policy Responses for SSO
14.8.2
About the Policy Response Language
14.8.3
About the Namespace and Variable Names for Policy Responses
14.8.4
About Constructing a Policy Response for SSO
14.8.4.1
Simple Responses
14.8.4.2
Compound and Complex Responses
14.8.5
About Policy Response Processing
14.9
Adding and Managing Policy Responses for SSO
14.9.1
Adding a Policy Response for SSO
14.9.2
Viewing, Editing, or Deleting a Policy Response for SSO
14.10
Introduction to Authorization Constraints
14.10.1
About Allow or Deny Type Constraints
14.10.2
About Classifying Users and Groups for Constraints
14.10.3
Guidelines for Authorization Responses Based on Constraints
14.10.4
About Constraints and General Authorization Policy Details
14.10.5
About the Add Constraint Window
14.10.6
About Identity Class Constraints
14.10.7
About IP4Range Class Constraints
14.10.8
About Temporal Class Constraints
14.11
Defining Authorization Policy Constraints
14.11.1
Defining Identity Class Constraints
14.11.2
Defining IP4Range Class Constraints
14.11.3
Defining Temporal Class Constraints
14.11.4
Viewing, Editing, or Deleting Authorization Policy Constraints
14.12
Validating Authentication and Authorization in an Application Domain
14.13
Example: Pre-seeded IAM Suite Application Domain and Policies
15
Validating Connectivity and Policies Using the Access Tester
15.1
Prerequisites
15.2
Introduction to the OAM 11g Access Tester
15.2.1
About OAM Agent and Server Interoperability
15.2.2
About Access Tester Security and Processing
15.2.3
About Access Tester Modes and Administrator Interactions
15.3
Installing and Starting the Access Tester
15.3.1
Installing the Access Tester
15.3.2
About Access Tester Supported System Properties
15.3.3
Starting the Tester Without System Properties For Use in Tester Console Mode
15.3.4
Starting the Access Tester with System Properties For Use in Command Line Mode
15.3.4.1
About the Access Tester Command Line Mode
15.3.4.2
Starting the Access Tester with System Properties
15.4
Introduction to the Access Tester Console and Navigation
15.4.1
Access Tester Menus and Command Buttons
15.5
Testing Connectivity and Policies from the Access Tester Console
15.5.1
Establishing a Connection Between the Access Tester and the OAM Server
15.5.1.1
About the Connection Panel
15.5.1.2
Connecting the Access Tester with the OAM Server
15.5.2
Validating Resource Protection from the Access Tester Console
15.5.2.1
About the Protected Resource URI Panel
15.5.2.2
Validating Resource Protection
15.5.3
Testing User Authentication from the Access Tester Console
15.5.3.1
About the User Identity Panel
15.5.3.2
Testing User Credential Authentication
15.5.4
Testing User Authorization from the Access Tester Console
15.5.5
Observing Request Latency
15.6
Creating and Managing Test Cases and Scripts
15.6.1
About Test Cases and Test Scripts
15.6.2
Capturing Test Cases
15.6.3
Generating an Input Test Script
15.6.3.1
About Generating an Input Test Script
15.6.3.2
Generating an Input Test Script
15.6.4
Personalizing an Input Test Script
15.6.4.1
About Customizing a Test Script
15.6.4.2
Customizing a Test Script
15.6.5
Executing a Test Script
15.6.5.1
About Test Script Execution
15.6.5.2
Running a Test Script
15.7
Evaluating Scripts, Log File, and Statistics
15.7.1
About Evaluating Test Results
15.7.2
About the Saved Connection Configuration File
15.7.3
About the Generated Input Test Script
15.7.4
About the Target Output File Containing Test Run Results
15.7.5
About the Statistics Document
15.7.6
About the Execution Log
16
Configuring Centralized Logout for OAM 11g
16.1
Prerequisites
16.2
Introduction to OAM 11g Centralized Logout
16.2.1
About Centralized Logout with OAM 11g Agents and Servers
16.2.2
About Centralized Logout with OAM 10g Agents and OAM 11g Servers
16.2.3
About Centralized Logout with the IAMSuiteAgent
16.2.4
About Centralized Logout with OSSO Agents (mod_OSSO) and OAM 11g
16.2.5
About Centralized Logout for Applications Using Oracle ADF Security
16.3
Configuring Centralized Logout for 11g Webgate with OAM 11g Server
16.3.1
About Configuring Centralized Logout for 11g Webgates
16.3.2
Configuring Centralized Logout for 11g Webgates
16.4
Configuring Centralized Logout for the IAMSuiteAgent
16.5
Configuring Centralized Logout for 10g Webgate with OAM 11g Servers
16.5.1
About Centralized Logout Processing for 10g Webgate with OAM 11g Server
16.5.2
About the Centralized Logout Script for OAM 10g Agents with OAM 11g Servers
16.5.3
Configuring Centralized Logout for 10g Webgates with OAM 11g
16.6
Configuring Centralized Logout for Oracle ADF-Coded Applications
16.6.1
About Centralized Logout Processing for Applications Coded to Oracle ADF Standards
16.6.2
Configuring Centralized Logout for ADF-Coded Applications with OAM 11g
16.7
Removing Custom mod_osso Cookies on Logout
16.8
Validating Global Sign-On and Centralized Logout
16.8.1
Confirming Global Sign-On
16.8.2
Validating Global Sign-On with Mixed Agent Types
16.8.3
Observing Centralized Logout
Part V Oracle Security Token Service
17
Oracle Security Token Service Implementation Scenarios
17.1
Prerequisites
17.2
Typical Token Ecosystem
17.3
Scenario: Identity Propagation with the OAM Token
17.3.1
Component Processing: Identity Propagation with the OAM Token
17.3.2
RST Attributes and Run Time Processing
17.3.3
Configuration Requirements: Identity Propagation with the OAM Token
17.3.4
Testing Your Implementation
17.4
Scenario: Web Service Security With On Behalf Of Username Token
17.4.1
Component interactions for Identity Propagation with Username Token
17.4.2
RST Attributes and Processing for Identity Propagation with a Username Token
17.4.3
Configuration Requirements: Identity Propagation with the Username Token
18
Managing Oracle Security Token Service Settings and Set Up
18.1
Prerequisites
18.2
Introduction to Oracle Security Token Service Configuration
18.2.1
Post-Installation Configuration
18.2.2
About Servers and Oracle Security Token Service
18.2.3
About Oracle Security Token Service Clients
18.2.4
About Agents and Oracle Security Token Service
18.2.5
About Oracle Security Token Service End Points and Policies
18.3
Enabling and Disabling Oracle Security Token Service
18.3.1
About Oracle Security Token Service and the Oracle Access Manager Console
18.3.1.1
About Oracle Security Token Service Administrators
18.3.1.2
About Logging In To, and Signing Out Of, Oracle Security Token Service
18.3.2
About Enabling Services for Oracle Security Token Service
18.3.3
Enabling and Disabling Services for Oracle Security Token Service
18.4
Defining Security Token Service Settings Using Oracle Access Manager Console
18.4.1
About Security Token Service Settings
18.4.2
Managing Security Token Service Settings
18.5
Using and Managing WSS Policies for Oracle WSM Agents
18.5.1
Using and Modifying Web Service Security Policies
18.5.2
Managing WSS Policies for Oracle Security Token Service: Classpath
18.5.3
Managing WSS Policies for Oracle Security Token Service: Oracle WSM Policy Manager
18.6
Configuring OWSM for WSS Protocol Communication
18.6.1
About Oracle WSM Agent WS-Security Policies for Oracle Security Token Service
18.6.2
Retrieving the Oracle WSM Keystore Password
18.6.3
Extracting the Oracle STS/Oracle WSM Signing and Encryption Certificate
18.6.4
Adding Trusted Certificates to the Oracle WSM Keystore
18.6.5
Validating Trusted Certificates in the Oracle WSM Keystore
18.6.6
Configuring Oracle WSM Agent for WSS Kerberos Policies
18.7
Managing and Migrating Oracle Security Token Service Policies
18.7.1
About Managing and Migrating Oracle Security Token Service Policies
18.7.2
Managing Oracle Security Token Service Policies
18.7.3
Migrating Oracle Security Token Service Policies
18.8
Introduction to Logging Oracle Security Token Service Messages
18.9
Introduction to Auditing for Oracle Security Token Service
18.9.1
About Oracle Security Token Service Audit Record Storage
18.9.2
About Audit Reports and Oracle Business Intelligence Publisher
18.9.3
About the Audit Log
18.10
Auditing Oracle Security Token Service Administrative and Run-time Events
18.10.1
About Audit Record Content Common to All Events
18.10.2
Oracle Security Token Service Administrative Events You Can Audit
18.10.3
Oracle Security Token Service Run-time Events You Can Audit
19
Managing Oracle Security Token Service Certificates and Keys
19.1
Prerequisites
19.2
Introduction to Certificates and Keys for Oracle Security Token Service
19.2.1
About Keystores and Oracle Security Token Service
19.2.2
About the Oracle Web Services Manager Keystore (default-keystore.jks)
19.2.3
About Using the OPSS Keystore for Requester Certificates
19.3
Managing Oracle Security Token Service Encryption/Signing Keys
19.3.1
Retrieving the System Keystore (.oamkeystore) Password
19.3.2
Adding a New Key Entry to the System Keystore (.oamkeystore)
19.3.2.1
Adding a New Entry
19.3.2.2
Configuring a SAML Issuance Template to use a Signing Key
19.3.2.3
Setting the Default Encryption Key
19.3.3
Extracting an Oracle Security Token Service Certificate
19.3.3.1
Using the Certificate Retrieval Service
19.4
Managing Partner Keys for WS-Trust Communications
19.4.1
About Partner Certificates
19.4.2
About Downloading the Relying Party's Certificate at Run Time
19.4.3
Setting the Partner's Signing or Encryption Certificate
19.5
Managing Certificate Validation
19.5.1
Retrieving the Trust Anchors Store (amtruststore) Password
19.5.2
Managing the Trust Anchors Store (amtruststore)
19.5.3
Managing Certificate Revocation Lists
19.5.4
Using a Custom Trust Anchor Store for Oracle Security Token Service
20
Managing Templates, Endpoints, and Policies
20.1
Prerequisites
20.2
Introduction
20.3
Searching for an Existing Template
20.3.1
About Template Search Controls
20.3.2
Searching for a Template
20.4
Managing Token Issuance Templates
20.4.1
About Managing Token Issuance Templates
20.4.2
Managing a Token Issuance Template
20.5
Managing Token Validation Templates
20.5.1
About Managing Token Validation Templates
20.5.2
Managing Token Validation Templates
20.6
Managing Oracle Security Token Service Endpoints
20.6.1
About Managing Endpoints
20.6.2
Managing EndPoints
20.7
Managing Token Issuance Policies and Constraints with Oracle Access Manager
20.7.1
About Token Issuance Policies
20.7.2
About Managing Token Issuance Policies and Constraints
20.7.3
Managing Token Issuance Policies and Constraints
20.8
Managing TokenServiceRP Type Resources
20.8.1
About Managing TokenServiceRP Type Resources in Oracle Access Manager
20.8.2
Managing TokenServiceRP Type Resources in Application Domains
21
Managing Token Service Partners and Partner Profiles
21.1
Prerequisites
21.2
Introduction to Token Service Partners and Partner Profiles
21.2.1
About Token Service Partners
21.2.2
About Partner Profiles
21.2.3
About Partner and Profile Data
21.3
Managing Token Service Partners
21.3.1
About Managing Token Service Partners
21.3.2
Managing a Token Service Partner
21.3.3
Refining Partner Searches
21.4
Managing Token Service Partner Profiles
21.4.1
About Managing Partner Profiles
21.4.2
Managing a Token Service Partner Profile
21.4.3
Refining a Profile Search
22
Troubleshooting Oracle Security Token Services
22.1
Authorization Issues
22.2
Endpoint Issues
22.3
Mapping Operation Issues
Part VI Common Logging, Auditing, Performance Monitoring
23
Logging Component Event Messages
23.1
Prerequisites
23.2
Introduction to Logging Component Event Messages
23.2.1
About Component Loggers
23.2.2
Sample Logger and Log Handler Definition
23.2.3
About Logging Levels
23.3
Configuring Logging for Oracle Access Manager
23.3.1
Modifying the Logger Level for Oracle Access Manager
23.3.2
Adding an Oracle Access Manager-Specific Logger and Log Handler
23.4
Configuring Logging for Oracle Security Token Service
23.4.1
Configuring Logging for Oracle Security Token Service
23.4.2
Defining the Log Level and Log Details for Oracle Security Token Service
23.5
Validating Run-time Event Logging Configuration
24
Logging Webgate Event Messages
24.1
About Logging, Log Levels, and Log Output
24.1.1
About Log Levels
24.1.2
About Log Output
24.2
About Log Configuration File Paths and Contents
24.2.1
Log Configuration File Paths and Names
24.2.2
Log Configuration File Contents
24.2.2.1
When Changes to the File Take Effect
24.2.2.2
About Comments in the Log File
24.3
About Directing Log Output to a File or the System File
24.4
Structure and Parameters of the Log Configuration File
24.4.1
The Log Configuration File Header
24.4.2
The Initial Compound List
24.4.3
The Simple List and Logging Threshold
24.4.4
The Second Compound List and Log Handlers
24.4.5
The List for Per-Module Logging
24.4.6
The Filter List
24.4.7
About XML Element Order
24.5
About Activating and Suppressing Logging Levels
24.5.1
About Log Handler Precedence
24.6
Mandatory Log-Handler Configuration Parameters
24.6.1
Settings in the Default Log Configuration File
24.6.1.1
Description of the Settings in the Default Log Configuration File
24.7
Configuring Different Threshold Levels for Different Types of Data
24.7.1
About the MODULE_CONFIG Section
24.7.1.1
Location of the Per-Module Logging Section in the Log Configuration File
24.7.1.2
List of Modules That Can Be Logged
24.7.2
Configuring a Log Level Threshold for a Function or Module
24.8
Filtering Sensitive Attributes
25
Auditing Administrative and Run-time Events
25.1
Prerequisites
25.2
Introduction to Auditing
25.2.1
About Oracle Access Manager Auditing Configuration
25.2.2
About Oracle Access Manager Audit Record Storage
25.2.3
About Audit Reports and Oracle Business Intelligence Publisher
25.2.4
About the Audit Log
25.3
Oracle Access Manager Events You Can Audit
25.3.1
Oracle Access Manager Administrative Events You Can Audit
25.3.2
OAM Run-time Events You Can Audit
25.3.3
About Authentication Event Auditing
25.4
Setting Up Auditing for Oracle Access Manager with Oracle Security Token Service
25.4.1
Setting Up the Audit Database Store
25.4.2
Preparing Oracle Business Intelligence Publisher EE
25.4.3
About the Auditing Configuration Section in Oracle Access Manager Console
25.4.4
Adding, Viewing, or Editing Common Audit Settings within Oracle Access Manager
25.5
Validating Oracle Access Manager Auditing and Reports
26
Monitoring Performance by Using Oracle Access Manager Console
26.1
Introduction to Performance Monitoring
26.2
Monitoring Server Performance Metrics Using the Console
26.2.1
Monitoring Server Instance Performance
26.2.2
Reviewing Server Metrics
26.3
Monitoring SSO Agent Performance Metrics
26.3.1
Monitoring SSO Agent Performance Metrics
26.3.2
Reviewing OAM Agent Metrics
26.3.3
Reviewing OSSO Agent Metrics
26.4
OXM Proxy Performance Tuning Parameters
26.4.1
About OAM Proxy Metrics
26.4.2
OAM Proxy Server Tuning Parameters
27
Monitoring Performance and Logs with Fusion Middleware Control
27.1
Prerequisites
27.2
Introduction to Fusion Middleware Control
27.3
Logging In to and Out of Fusion Middleware Control
27.3.1
About the Login Page for Fusion Middleware Control
27.3.2
Logging In To Fusion Middleware Control
27.3.3
Logging Out of Fusion Middleware Control
27.4
Displaying Menus and Pages in Fusion Middleware Control
27.4.1
About the Farm Page in Fusion Middleware Control
27.4.2
About Context Menus and Pages in Fusion Middleware Control
27.4.3
Displaying Context Menus and Target Details in Fusion Middleware Control
27.5
Viewing Performance in Fusion Middleware Control
27.5.1
About Performance Overview Pages in Fusion Middleware Control
27.5.1.1
Access Manager Component Pages
27.5.1.2
Security Token Service Component Pages
27.5.2
About the Metrics Palette and the Performance Summary Page
27.5.3
Displaying Performance Metrics in Fusion Middleware Control
27.5.4
Displaying Component-Specific Performance Details
27.6
Managing Log Level Changes in Fusion Middleware Control
27.6.1
About Dynamic Log Level Changes
27.6.2
Setting Log Levels Dynamically Using Fusion Middleware Control
27.7
Managing Log File Configuration from Fusion Middleware Control
27.7.1
About Log File Configuration
27.7.2
Managing Log File Configuration by Using Fusion Middleware Control
27.8
Viewing Log Messages in Fusion Middleware Control
27.8.1
About Finding, Viewing, and Exporting Log Messages
27.8.2
Viewing Logged Messages With Fusion Middleware Control
27.9
Displaying MBeans in Fusion Middleware Control
27.9.1
About the System MBean Browser
27.9.2
Managing MBeans
27.10
Displaying Farm Routing Topology in Fusion Middleware Control
27.10.1
About the Routing Topology
27.10.2
Viewing the Routing Topology using Fusion Middleware Control
Part VII Using 10g Webgates with Oracle Access Manager 11g
28
Managing OAM 10g Webgates with OAM 11g
28.1
Prerequisites
28.2
Introduction to OAM 10g Agents for OAM 11g
28.2.1
About Replacing the IAMSuiteAgent with an OAM 10g Webgate
28.2.2
About Legacy OAM 10g Deployments and Webgates
28.2.3
About Installing Fresh OAM 10g Webgates to Use With OAM 11g
28.3
Provisioning a 10g Webgate with OAM 11g
28.4
Locating and Installing the Latest OAM 10g Webgate for OAM 11g
28.4.1
Preparing for a Fresh 10g Webgate Installation with OAM 11g
28.4.2
Locating and Downloading 10g Webgates for Use with OAM 11g
28.4.3
Starting Webgate 10g Installation
28.4.4
Specifying a Transport Security Mode
28.4.5
Requesting or Installing Certificates for Secure Communications
28.4.6
Specifying Webgate Configuration Details
28.4.7
Updating the Webgate Web Server Configuration
28.4.7.1
Manually Configuring Your Web Server
28.4.8
Finishing Webgate Installation
28.4.9
Installing Artifacts and Certificates
28.4.10
Confirming Webgate Installation
28.5
Configuring Centralized Logout for 10g Webgate with OAM 11g
28.6
Replacing the IAMSuiteAgent with an OAM 10g Webgate
28.6.1
Provisioning a 10g Webgate to Replace the IAMSuiteAgent
28.6.2
Installing a 10g Webgate to Replace the IAMSuiteAgent
28.6.3
Updating the WebLogic Server Plug-in
28.6.4
Confirming the AutoLogin Host Identifier for an OAM / OIM Integration
28.6.5
Configuring OAM Security Providers for WebLogic
28.6.5.1
About Security Providers
28.6.5.2
Setting Up Security Providers for the 10g Webgate
28.6.6
Disabling the IAMSuiteAgent
28.6.7
Verification
28.7
Deploying Applications in a WebLogic Container
28.8
Removing a 10g Webgate from the OAM 11g Deployment
29
Configuring Apache, OHS, IHS for 10g Webgates
29.1
Prerequisites
29.2
About Oracle HTTP Server and Oracle Access Manager
29.3
About Oracle Access Manager with Apache and IHS v2 Webgates
29.3.1
About the Apache HTTP Server
29.3.2
About the IBM HTTP Server
29.3.3
About the Apache and IBM HTTP Reverse Proxy Server
29.4
About Apache v2 Architecture and Oracle Access Manager
29.5
Requirements for Oracle HTTP Server, IHS, Apache v2 Web Servers
29.5.1
Requirements for IHS2 Web Servers
29.5.2
Requirements for Apache and IHS v2 Reverse Proxy Servers
29.5.3
Requirements for Apache v2 Web Servers
29.6
Preparing Your Web Server
29.6.1
Preparing the IHS v2 Web Server
29.6.1.1
Preparing the Host for IHS v2 Installation
29.6.1.2
Installing the IBM HTTP Server v2
29.6.1.3
Setting Up SSL-Capability
29.6.1.4
Starting a Secure Virtual Host
29.6.2
Preparing Apache and Oracle HTTP Server Web Servers on Linux
29.6.3
Preparing Oracle HTTP Server Web Servers on Linux and Windows Platforms
29.6.4
Setting Oracle HTTP Server Client Certificates
29.6.5
Preparing the Apache v2 Web Server on UNIX
29.6.6
Preparing the Apache v2 SSL Web Server on AIX
29.6.7
Preparing the Apache v2 Web Server on Windows
29.7
Activating Reverse Proxy for Apache v2 and IHS v2
29.7.1
Activating Reverse Proxy For Apache v2 Web Servers
29.7.2
Activating Reverse Proxy For IHS v2 Web Servers
29.8
Verifying httpd.conf Updates for Oracle Access Manager Webgates
29.8.1
Verifying Webgate Details
29.8.2
Verifying Language Encoding
29.9
Tuning Oracle HTTP Server for Oracle Access Manager Webgates
29.10
Tuning OHS /Apache Prefork and MPM Modules for OAM
29.10.1
Tuning Oracle HTTP Server /Apache Prefork Module
29.10.2
Tuning Oracle HTTP Server /Apache MPM Module
29.10.3
Kernel Parameters Tuning
29.11
Starting and Stopping Oracle HTTP Server Web Servers
29.12
Tuning Apache/IHS v2 for Oracle Access Manager Webgates
29.13
Removing Web Server Configuration Changes After Uninstall
29.14
Helpful Information
30
Configuring the IIS Web Server for 10g Webgates
30.1
Prerequisites
30.2
Webgate Guidelines for IIS Web Servers
30.2.1
Guidelines for ISAPI Webgates
30.2.1.1
Webgates for IIS v7
30.2.1.2
Webgates for IIS v6
30.2.1.3
Multiple Webgates with a Single IIS 6 Instance
30.3
Prerequisite for Installing Webgate for IIS 7
30.3.1
Prerequisite for Installing Any 10g Webgate for IIS 7
30.3.2
Prerequisite for Installing a 32-bit Webgate for IIS 7
30.4
Updating IIS 7 Web Server Configuration on Windows 2008
30.5
Completing Webgate Installation with IIS
30.5.1
Enabling Client Certificate Authentication on the IIS Web Server
30.5.2
Ordering the ISAPI Filters
30.5.3
Enabling Pass-Through Functionality for POST Data
30.5.3.1
About ISAPI Webgate 10.1.4.2.3
30.5.3.2
About Pass-Through Functionality for POST Data
30.5.3.3
Implementing Pass-Through: IIS 6.0 in Worker Process Isolation Mode
30.5.3.4
Implementing Pass-Through with IIS 6.0 Web Server in IIS 5.0 Isolation Mode
30.5.4
Protecting a Web Site When the Default Site is Not Setup
30.6
Installing and Configuring Multiple 10g Webgates for a Single IIS 7 Instance
30.6.1
Installing Each IIS 7 Webgate in a Multiple Webgate Scenario
30.6.2
Setting the Impersonation DLL for Multiple IIS 7 Webgates
30.6.3
Enabling Client Certification for Multiple IIS 7 Webgates
30.6.4
Configuring IIS 7 Webgates for Pass Through Functionality
30.6.5
Confirming IIS 7 Webgate Installation
30.7
Installing and Configuring Multiple Webgates for a Single IIS 6 Instance
30.7.1
Installing Each Webgate in a Multiple Webgate Scenario
30.7.2
Setting the Impersonation DLL for Multiple Webgates
30.7.3
Enabling SSL and Client Certification for Multiple Webgates
30.7.4
Confirming Multiple Webgate Installation
30.8
Finishing 64-bit Webgate Installation
30.8.1
Setting Access Permissions, ISAPI filters, and Directory Security Authentication
30.8.2
Setting Client Certificate Authentication
30.9
Confirming Webgate Installation on IIS
30.10
Starting, Stopping, and Restarting the IIS Web Server
30.11
Removing Web Server Configuration Changes Before Uninstall
31
Configuring the ISA Server for 10g Webgates
31.1
Prerequisites
31.2
About Oracle Access Manager and the ISA Server
31.3
Compatibility and Platform Support
31.4
Installing and Configuring Webgate for the ISA Server
31.4.1
Installing Webgate with ISA Server
31.4.2
Changing /access Directory Permissions
31.5
Configuring the ISA Server for the ISAPI Webgate
31.5.1
Registering Oracle Access Manager Plug-ins as ISA Server Web Filters
31.5.2
Configuring ISA Firewall Policies for ISA Web Filters
31.5.3
Ordering the ISAPI Filters
31.6
Starting, Stopping, and Restarting the ISA Server
31.7
Removing Oracle Access Manager Filters Before Webgate Uninstall on ISA Server
32
Configuring Lotus Domino Web Servers for 10g Webgates
32.1
Prerequisites
32.2
Installing the Domino Web Server
32.3
Setting Up the First Domino Web Server
32.4
Starting the Domino Web Server
32.5
Enabling SSL (Optional)
32.6
Installing a Domino Security (DSAPI) Filter
32.6.1
Completing the Webgate Installation
Part VIII Appendixes
A
Co-existence Overview: OAM 11g and OSSO 10g
A.1
Prerequisites
A.2
Introduction to Upgrading and Co-existence with OracleAS 10g SSO
A.3
Pre- and Post-Upgrade Topology and Authentication Examples
A.3.1
About Pre-Upgrade OSSO 10g Topology
A.3.1.1
Simple OSSO 10g with mod_oc4j on a Front-End Proxy Server
A.3.2
About Post-Upgrade Topology and Co-existence
A.3.2.1
Post-Upgrade: mod_wl Replaces mod_oc4j on the Proxy Server
A.3.2.2
Post-Upgrade: No Proxy Server
A.4
Introduction to Validating Post-Upgrade Co-Existence with OAM 11g
A.4.1
About Post-Upgrade SSO
A.4.2
About Post-Upgrade OSSO 10g Authentication
A.5
Validating Post-Upgrade Co-existence
A.5.1
Validating Post-Upgrade Registration and Policies
A.5.1.1
Sample Partner Applications Protected Using OSSO 10g
A.5.1.2
Policy Enforcement Agent Details
A.5.1.3
Shared Components: Host Identifiers for migratedSSOPartners
A.5.1.4
Resources in the migratedSSOPartners Application Domain
A.5.1.5
Authentication Policy in the migratedSSOPartners Application Domain
A.5.2
Validating Post-Upgrade SSO with Oracle Access Manager Protected Resources
A.5.3
Validating Post-Upgrade SSO with OSSO-Protected Resources
B
Transitioning OAM 11g from a Source to a Target Environment
B.1
Prerequisites
B.2
Introduction to Transitioning
B.2.1
About Deployment Types
B.2.2
About Oracle Access Manager Data
B.2.3
About Common Transition Tasks
B.2.4
About New versus Existing Target Environments
B.3
Introduction to Transitioning Methods and Tools
B.3.1
About Methods to Propagate Oracle Access Manager Source Data
B.3.2
About Migrating OSSO Partners from One OAM Instance to Another
B.3.3
About Configuring the Target User Identity Store and Migrating Data
B.3.3.1
About Policy Conflict Resolution
B.3.3.2
About Building a Dependency Tree for Each Application Domain
B.4
Planning Your Transition
B.4.1
Choosing A Transitioning Method
B.4.2
Noting Differences Between Source and Target Environments
B.4.3
Developing Deployment Inventories
B.4.4
Developing Backup and Recovery Strategies
B.4.5
Developing Tests
B.4.6
Getting Familiar with Change Propagation
B.4.7
Scheduling and Notifications
B.5
Migrating Oracle Access Manager 11g Data
B.5.1
Exporting Oracle Access Manager 11g Source Data
B.5.2
Importing Oracle Access Manager Data to the Target
C
Integrating Oracle ADF Applications with Oracle Access Manager 11g SSO
C.1
Introduction to Oracle Platform Security Services and Oracle Application Developer Framework
C.1.1
Oracle Platform Security Services Single Sign-on Framework
C.1.2
Oracle Application Developer Framework
C.2
Integrating OAM 11g With Web Applications Using Oracle ADF Security and the OPSS SSO Framework
C.2.1
Sample SSO Configuration for OAM 11g
C.2.2
SSO Provider Configuration Details
C.3
Confirming Application-Driven Authentication During Runtime
D
Internationalization and Multibyte Data Support for OAM 10g Webgates
D.1
Introduction to Internationalization and Multibyte Data Support
D.1.1
Languages For Localized Messages in Oracle Access Manager
D.1.2
Bi-directional Language Support
D.1.3
UTF-8 Encoding
E
Securing Communication for Oracle Access Manager 11g
E.1
Prerequisites
E.2
Introduction to Securing Communication Between OAM 11g Servers and Webgates
E.2.1
About Certificates, Authorities, and Encryption Keys
E.2.2
About Security Modes and X509Scheme Authentication
E.2.3
About the Importcert Tool
E.3
Generating Client Keystores for OAM Tester in Cert Mode
E.4
Configuring Cert Mode Communication for OAM 11g
E.4.1
About Cert Mode Encryption and Files
E.4.2
Generating a Certificate Request and Private Key for OAM Server
E.4.3
Retrieving the OAM Keystore Alias and Password
E.4.4
Importing the Trusted, Signed Certificate Chain Into the Keystore
E.4.5
Adding Certificate Details to Access Manager Settings
E.4.6
Generating a Private Key and Certificate Request for Webgates
E.4.7
Updating Webgate to Use Certificates
E.5
Configuring Simple Mode Communication with OAM 11g
E.5.1
About Simple Mode, Encryption, and Keys
E.5.2
Retrieving the Global Passphrase for Simple Mode
E.5.3
Updating Webgate Registration for Simple Mode
E.5.4
Verifying Simple Mode Configuration
E.6
Redirecting URLs in White List Mode
F
Introduction to Custom WLST Commands for Administrators
F.1
Prerequisites
F.2
Introduction to WebLogic Scripting Tool Commands
F.3
WLST Command Summary: Oracle Access Manager
F.4
WLST Command Summary: Oracle Security Token Service
F.5
Running WLST Commands
F.5.1
Starting the WLST Shell and Logging In
F.5.2
Changing the Request Cache Type in a High Availability Environment
G
Configuring OAM 11g for IPv6 Clients
G.1
Prerequisites
G.2
Introduction to Oracle Access Manager 11g and IPv6
G.2.1
Configuring IPv6 with OAM 11g and Challenge Redirect
G.2.2
Considerations
G.3
Configuring IPv6: Separate Proxy for OAM 11g and Webgates
H
Creating Deployment-Specific Pages
H.1
How the Single Sign-On Server Uses Deployment-Specific Pages
H.1.1
Change Password Page Behavior
H.1.1.1
Password Has Expired
H.1.1.2
Password Is About to Expire
H.1.1.3
Grace Login Is in Force
H.1.1.4
Force Change Password
H.2
How to Write Deployment-Specific Pages
H.2.1
Login Page Parameters
H.2.2
Forgot My Password
H.2.3
Change Password Page Parameters
H.2.4
Single Sign-Off Page Parameters
H.2.5
External Application Login Page Parameters
H.3
Page Error Codes
H.3.1
Login Page Error Codes
H.3.2
Post-Login Messages
H.3.3
Change Password Page Error Codes
H.3.4
Change External Application Login Page Error Codes
H.4
Adding Globalization Support
H.4.1
Deciding What Language to Display the Page In
H.4.1.1
Use the Accept-Language Header to Determine the Page
H.4.1.2
Use Page Logic to Determine the Language
H.4.2
Rendering the Page
H.5
Guidelines for Deployment-Specific Pages
H.6
Installing Deployment-Specific Pages
H.6.1
Using policy.properties to Install Login, Single Sign-Off, and Change Password Pages
H.6.2
Using policy.properties to Install Wireless Login and Change Password Pages
H.6.3
Using policy.properties to Install External Application Login Pages
H.7
Examples of Deployment-Specific Pages
H.7.1
Using Custom Classes
H.8
Adding an External Application
I
Troubleshooting
I.1
Introduction to OAM 11g Troubleshooting
I.1.1
About System Analysis and Problem Scenarios
I.1.2
About LDAP Server or Identity Store Issues
I.1.3
About OAM Server or Host Issues
I.1.4
About Agent-Side Configuration and Load Issues
I.1.5
About Runtime Database (Audit or Session Data) Issues
I.1.6
About Change Propagation or Activation Issues
I.1.7
About Policy Store Database Issues
I.2
Oracle Access Manager Console Inconsistent State
I.3
AdminServer Won't Start if the Wrong Java Path Given with WebLogic Server Installation
I.4
Agent Naming Not Unique
I.5
Application URL Requirements
I.6
Authentication Issues
I.6.1
Anonymous Authentication Issues
I.6.2
X.509 Protected Resource and Single Sign Off
I.7
Authorization Issues
I.8
Cannot Access Authentication LDAP or Database
I.9
Cannot Find Configuration
I.9.1
Configuration Does Not Exist ...
I.10
Could Not Find Partial Trigger
I.11
Denial of Service Attacks
I.11.1
Protecting the OAM Server from Crashing Under Load
I.11.2
Compensating for Network Latency
I.11.3
Protecting OAM Servers from a Flood of HTTP Requests
I.12
Deployments with Freshly Installed OAM 10g Webgates
I.12.1
Authentication Issues with OAM 10g Webgates
I.12.2
Logout Issues with OAM 10g Webgates
I.13
Diagnosing OAM 11g Initialization and Performance Issues
I.13.1
Diagnosing an Initialization Issue
I.13.2
Diagnosing a Performance Issue
I.13.3
Diagnosing Out-of-Memory Issues With a Heap Dump
I.14
Disabling Windows Challenge/Response Authentication on IIS Web Servers
I.15
Changing UserIdentityStore1 Type Can Lock Out Administrators
I.16
IIS Web Server Issues
I.16.1
Form Authentication or Pass-Through Not Working
I.16.2
IIS and General Web Component Guidelines
I.16.3
Issues with IIS v6 Web Servers
I.16.4
Page Cannot Be Displayed Error
I.16.5
Removing and Reinstalling IIS DLLs
I.17
jps Logger Class Instantiation Warning is Logged on Authentication
I.18
Languages and Translation
I.18.1
Automatically Generated Descriptions Are Not Translated
I.18.2
Locales, Languages, and Oracle Access Manager Console Login Page
I.18.3
Console Looks Messy
I.19
Login Failure for a Protected Page
I.20
OAM Metric Persistence Timer IllegalStateException: SafeCluster
I.21
Partial Cluster Failure and Intermittent Login and Logout Failures
I.22
Registration Issues
I.23
Rowkey does not have any primary key attributes Error
I.24
SELinux Issues
I.25
Session Issues
I.25.1
Session Impersonation Not Enabled by Default
I.25.2
Sessions with Oracle Access Manager with Oracle Identity Federation
I.26
SSL versus Open Communication
I.27
Start Up Issues
I.28
Synchronizing OAM Server Clocks
I.29
Using Coherence
I.30
Validation Errors
I.31
Web Server Issues
I.31.1
Server Fails on an Apache Web Server
I.31.2
Apache v2 on HP-UX
I.31.3
Apache v2 Bundled with Red Hat Enterprise Linux 4
I.31.4
Apache v2 Bundled with Security-Enhanced Linux
I.31.5
Apache v2 on UNIX with the mpm_worker_module for Webgate
I.31.6
Domino Web Server Issues
I.31.7
Errors, Loss of Access, and Unpredictable Behavior
I.31.8
Known Issues for ISA Web Server
I.31.9
Oracle HTTP Server Fails to Start with LinuxThreads
I.31.10
Oracle HTTP Server Webgate Fails to Initialize On Linux Red Hat 4
I.31.11
Oracle HTTP Server Web Server Configuration File Issue
I.31.12
Issues with IIS v6 Web Servers
I.31.13
PCLOSE Error When Starting Sun Web Server
I.31.14
Removing and Reinstalling IIS DLLs
I.32
Windows Native Authentication
Index