7 Integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager

This chapter describes how to integrate Oracle Access Manager with Oracle Identity Manager and Oracle Adaptive Access Manager to provide highly secure self-service password management flows.

This chapter contains these sections:

7.1 Introduction

In 11g Release 1 (11.1.1), Oracle Access Manager does not provide its own identity service. Instead:

  • It consumes identity services provided by Oracle Identity Manager, LDAP directories, and other sources.

  • It integrates with Oracle Identity Manager and Oracle Adaptive Access Manager to deliver a range of secure password collection and challenge-related functionality to Oracle Access Manager protected applications.

    Lost password management starts from the Oracle Access Manager login page, uses OAAM challenge questions, and is synchronized to the user repositories through OIM.

Although other combinations are possible, integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager is the recommended option and provides these features:

  • Password entry and malware protection through personalized virtual authentication devices

  • Knowledge Based Authentication (KBA), secondary login authentication, used for all flows including risk-based authentication at login and password resets

  • One-Time Password (OTP) challenge for secondary login authentication based on risk

  • Registration flows to support password protection and KBA and OTP challenge functionality

  • User preference flows to support password protection and KBA and OTP challenge functionality

  • Password management flows

Oracle Adaptive Access Manager

Oracle Adaptive Access Manager is responsible for:

  • Running real-time risk analysis rules before and after authentication

  • Navigating the user through login, challenge, registration, and self-service flows

Oracle Identity Manager

Oracle Identity Manager is responsible for:

  • Provisioning users (to add, modify, or delete users)

  • Managing passwords (to reset or change passwords)

Oracle Access Manager

Oracle Access Manager is responsible for:

  • Authenticating and authorizing users

  • Providing advanced status flags such as Reset Password, Password Expired, User Locked, and others

7.2 Process Flow

In this deployment, the process flow is as follows:

Resource Protection and Credential Collection Flow

  1. The OAM WebGate protects the URLs and redirects users who are not authenticated so that they can be authenticated.

  2. OAAM collects the username and password for authentication.

    When the OAM WebGate finds that an unauthenticated user is trying to access a protected URL, it redirects the user to the OAAM Server login page.

  3. The credentials are split into two different pages: a username page and a password page. OAAM allows the user to enter his username. If he is a registered user and based on his registration status, OAAM presents the password page with his personalized image and caption.

  4. The OAAM Server runs the pre-authentication rules and lets the user enter his password.

  5. Since OAAM Server has the user's username and he has entered his password, the OAAM Server makes a NAP API call to the OAM Server for authentication.

  6. Once the OAM server returns the status, which indicates whether the user has entered his username and password correctly, the OAAM Server determines whether the authentication was successful or not.

  7. If the authentication was successful, the OAAM Server redirects the user to the OAM WebGate.

  8. The OAM WebGate server redirects the user to his original URL.

  9. The OAM WebGate allows the user to access the protected URL.

Reset Password Flow

  1. When the user tries to change his password, the OAAM Server calls the OIM server for the password policy text that is shown to the user.

  2. Based on the policy, the OAAM Server lets the user enter a new password that meets the policy requirements.

    Because the OAAM Server manages the flows, it is the one that presents the pages where the user enters his old and new passwords.

    The policy text is maintained by the OIM server, but it is the OAAM server that calls OIM to get that text so that it is displayed when the user tries to change his password.

  3. After the user submits the change, the OAAM Server makes an API call to propagate it to the OIM Server.

    The OIM Server persists the change to the user directory, or wherever the credentials are maintained.

    The OAM Server and OIM Server work against the same user directory, where all the user data is maintained.

7.3 Prerequisites for the Integration

The following must be in place for the integration:

The steps below are based on the assumption that Oracle Access Manager and Oracle Identity Manager are integrated using the out-of-the box integration.

7.5 Install Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager

Install Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager on different WebLogic servers with Oracle Access Manager and Oracle Adaptive Access Manager in the same or different WebLogic domains.

Note:

In this chapter, OAM_HOME is OAM_WL_HOME/Oracle_IDM1, and OAAM_HOME is OAAM_WL_HOME/Oracle_IDM1.

For both Oracle Access Manager and Oracle Adaptive Access Manager, ensure that you have:

  • Installed the database

  • Installed and run RCU to create the database schemas for Oracle Access Manager and Oracle Adaptive Access Manager

For the setup and configuration of Oracle Access Manager, ensure that you have:

  • Installed the Oracle WebLogic Server at OAM_WL_HOME

  • Installed Oracle Access Manager

  • Configured Oracle Access Manager

For the setup and configuration of Oracle Adaptive Access Manager, ensure that you have:

  • Installed the Oracle WebLogic Server at OAAM_WL_HOME

  • Installed Oracle Adaptive Access Manager

  • Configured Oracle Adaptive Access Manager

Note:

If so preferred, Oracle Access Manager and Oracle Adaptive Access Manager can be installed in different domains or on the same WebLogic domain.

For multiple domain installation, the oaam.csf.useMBeans property must be set to true. Refer to "Oracle Adaptive Access Manager Command-Line Interface Scripts" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager for information on setting this parameter.

During the integration steps below, for reference we will refer to the WLS Domain which contains Oracle Access Manager as OAM_DOMAIN_HOME, and the WLS Domain which contains OAAM as OAAM_DOMAIN_HOME.

For information on installing the Identity Management Suite, refer to Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

7.6 Perform Post-Configuration for Oracle Access Manager and Oracle Adaptive Access Manager

This section contains steps to perform post-configuration of Oracle Adaptive Access Manager and to verify that Oracle Access Manager and Oracle Adaptive Access Manager are functional.

7.6.1 Restart the Servers

Before you can perform tasks in this section, ensure that the Oracle Access Manager and Oracle Adaptive Access Manager Administration Consoles and managed servers are running.

7.6.2 Create Users and Import Snapshot for Oracle Adaptive Access Manager

To perform the minimum required steps for Oracle Adaptive Access Manager to be functional, create Oracle Adaptive Access Manager users and import the OAAM Snapshot which contains OAAM policies, dependent components, and configurations.

For the complete set of post-configuration procedures, refer to "Setting Up the Oracle Adaptive Access Manager Environment" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

7.6.2.1 Create Oracle Adaptive Access Manager Users

Before you can access the OAAM Administration Console, you must create administration users.

If protecting the OAAM Administration Console, you must take care of user and group creation in the external LDAP store. For details, see "Creating Users and Groups For Oracle Adaptive Access Manager" in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

If not protecting the OAAM Administration Console, then the administration user must be created in the WebLogic Administration Console. To create an administration user in the WebLogic Administration Console:

Note:

You can disable OAAM Administration Console protection by disabling the IDM Domain Agent that protects it. To do so, you must set the environment variable or Java property WLSAGENT_DISABLED=true.

For instructions on disabling the IDM Domain Agent, refer to "Disabling the IDM Domain Agent" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

  1. Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain.

  2. In the Domain Structure tab at the left-hand side, select Security Realms.

  3. On the Summary of Security Realms page, select the realm that you are configuring (for example, myrealm).

  4. On the Settings for Realm Name page select Users and Groups > Users.

  5. Click New and provide the required information to create a user, such as user1, in the security realm:

    • Name: oaam_admin_username

    • Description: optional

    • Provider: DefaultAuthenticator

    • Password/Confirmation

  6. Click the newly created user, user1.

  7. Click the Groups tab.

  8. Assign any of the groups with the OAAM prefix to the user, user1.

  9. Click Save.

7.6.2.2 Import Oracle Adaptive Access Manager Snapshot

A full snapshot of policies, dependent components and configurations is shipped with Oracle Adaptive Access Manager. For Oracle Adaptive Access Manager to be functional, import the snapshot into the system by following these instructions:

  1. Log in to the OAAM Administration Console at the URL:

    http://oaam_managed_server_host:oaam_admin_managed_server_port/oaam_admin

  2. Load the snapshot file into the system by following these instructions:

    1. Open System Snapshot under Environment in the Navigation tree.

    2. Click the Load from File button.

      A Load and Restore Snapshot dialog appears.

    3. Deselect Back up current system now and click Continue.

      A dialog appears with the message that you have not chosen to back up the current system and asking whether you want to continue.

    4. Click Continue.

      The Load and Restore Snapshot page appears for you to choose a snapshot to load.

    5. Browse for oaam_base_snapshot.zip and click the Load button to load the snapshot into the system database.

      The default oaam_base_snapshot.zip is located in the Oracle_IDM1/oaam/init directory.

    6. Click OK and then Restore.

7.6.3 Set Up Validation for Oracle Access Manager and Oracle Adaptive Access Manager

Once installation and post-installation are completed, check that Oracle Access Manager and Oracle Adaptive Access Manager have been set up correctly by following the instructions in the sections that follow.

7.6.3.1 Validate the Oracle Access Manager Setup

Perform these steps to ensure that Oracle Access Manager is properly configured:

  1. Go to http://oam_admin_server_host:oam_admin_server_port/oamconsole.

    You should be redirected to the Oracle Access Manager Server for login.

  2. Provide the administrator user name and password.

    Verify that login to the Oracle Access Manager Administration Console is successful.

7.6.3.2 Validate Oracle Adaptive Access Manager Setup

Try to access the OAAM Server using the URL: http://host:port/oaam_server. You should be able to log in to the OAAM Server and be able to register a profile.

Note:

When you log in now, provide the password "test", because the Oracle Access Manager and Oracle Adaptive Access Manager integration has not yet been performed. Change this password immediately after the integration.

7.7 Register the 11g WebGate

This section describes how to register the 11g WebGate. The WebGate is an out-of-the-box access client. This Web server access client intercepts HTTP requests for Web resources and forwards these to the Oracle Access Manager 11g Server.

7.7.1 Pre-requisites for WebGate Registration

Ensure that the following are installed before configuring and registering the Oracle WebGate:

  • WebLogic Server for Oracle HTTP Server (WLS_FOR_OHS)

  • Oracle HTTP Server (WLS_FOR_OHS/Oracle_WT1, call this OHS_HOME)

  • WebGate (WLS_FOR_OHS/Oracle_OAMWebGate1, call this WG_HOME)

7.7.2 Configure the 11g WebGate

After installing Oracle HTTP Server 11g WebGate for Oracle Access Manager, refer to "Post-Installation Steps" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

7.7.3 Register the 11g WebGate as a Partner

You must register the Oracle Access Manager Agent that resides on the computer hosting the application to be protected.

Refer to the "Registering and Managing OAM Agents Using the Console" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

  1. Register the 11g WebGate partner using the Oracle Access Manager Administration Console. For example:

    11gWG_myhost
    
  2. Click the Edit button in the tool bar to display the configuration page.

  3. Set the Access Client Password and click Apply. Note the Artifacts Location in the confirmation message.

  4. In the Artifacts Location, locate the ObAccessClient.xml configuration file and cwallet.sso and copy them to the OHS_HOME/instances/instance/config/OHS/component/webgate/config directory.

7.7.4 Restart the OHS WebGate

To restart the OHS WebGate issue the following commands:

  1. Navigate to the OHS_HOME/instances/instance/bin directory.

  2. Stop the agent.

    ./opmnctl stopall

  3. Start the agent.

    ./opmnctl startall
    

7.7.5 Validate the WebGate Setup

Once the setup of WebGate is complete, validate the registration:

  1. Navigate to http://ohs_host:ohs_port/.

    You should be redirected to Oracle Access Manager for authentication.

  2. Enter username and password.

    You should see the Oracle HTTP Server Welcome page.

    This is the partner that will be protected using Oracle Adaptive Access Manager.

7.8 Integrate Oracle Access Manager and Oracle Identity Manager

Integration between Oracle Identity Manager and Oracle Access Manager is required for integration between Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

For more information, see Chapter 5, "Integrating Oracle Access Manager and Oracle Identity Manager."

7.9 Enable LDAP Synchronization for Oracle Identity Manager

Enabling LDAP synchronization for Oracle Identity Manager is required for integration between Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

Oracle Adaptive Access Manager will be working off the same directory with which Oracle Identity Manager is synchronizing.

Note:

The UID must match the CN of the newly created user in the LDAP store; otherwise, a login failure occurs.

For information about configuring LDAP synchronization, see the following sections in Chapter 15, "Configuring Oracle Identity Manager" of the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management: "Completing the Prerequisites for Enabling LDAP Synchronization", "Running the LDAP Post-Configuration Utility", and "Verifying the LDAP Synchronization".

7.10 Integrate Oracle Access Manager and Oracle Adaptive Access Manager

This task involves integrating the Oracle Access Manager and Oracle Adaptive Access Manager components as part of integrating Oracle Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager (OAAM) to deliver password management and challenge-related functionality to Oracle Access Manager-protected applications.

Note:

In the integration of Oracle Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager, the IdentityManagerAccessGate profile should already exist since it is configured during the Oracle Access Manager and Oracle Identity Manager integration (see Section 7.8, "Integrate Oracle Access Manager and Oracle Identity Manager").

You configure Oracle Access Manager and Oracle Adaptive Access Manager integration so that the OAAM server acts as a trusted partner application. The OAAM server uses the Trusted Authentication Protocol (TAP) to communicate the authenticated user name to the Oracle Access Manager server after it performs strong authentication, risk, and fraud analysis. In this integration, the Oracle Access Manager server is responsible for redirecting to the protected resource.

Note:

For this section:

OAM_HOME is OAM_WL_HOME/Oracle_IDM1. For referring to Oracle Access Manager Software Install, we use OAM_HOME.

OAAM_HOME is OAAM_WL_HOME/Oracle_IDM1. For referring to Oracle Adaptive Access Manager Software Install, we use OAAM_HOME.

During the integration steps below, for reference the WLS Domain which contains Oracle Access Manager is referred to as OAM_DOMAIN_HOME, and the WLS Domain which contains Oracle Adaptive Access Manager is referred to as OAAM_DOMAIN_HOME.

Configure the Oracle Adaptive Access Manager and Oracle Access Manager integration as follows:

7.10.1 Configure Oracle Access Manager for Oracle Access Manager and Oracle Adaptive Access Manager Integration

If Oracle Access Manager is configured to use the Simple Security Transportation protocol, you must register the OAAM Server as a partner application using the registerThirdPartyTAPPartner WLST command.

7.10.1.1 Register the OAAM Server as a Partner Application

To register the OAAM Server as a partner application, follow these steps:

  1. Ensure that the OAM Administration Server is running.

  2. Set up the environment for WLST.

  3. Go to IAM_ORACLE_HOME/common/bin.

  4. Execute the wlst.sh to enter the WLST shell.

  5. Connect to the WebLogic Administration Server using the connect command:

    connect ('username', 'password', 't3://hostname:port')

    For example,

    connect("weblogic","admin_password","t3://AdminHostname:7001")

  6. Execute registerThirdPartyTAPPartner WLST.

    An example is provided below.

    registerThirdPartyTAPPartner(partnerName="OAAMPartner",
        keystoreLocation="/scratch/jsmith/dwps1tap/TapKeyStore/mykeystore.jks",
        password="welcome1", tapTokenVersion="v2.0", tapScheme="TAPScheme",
        tapRedirectUrl="http://11gWG_myhost.example.com:14300/oaam_server/oamLoginPage.jsp")

Table 7-1 TAP Partner Example

Parameter Details

partnerName

partnerName is a unique name. If the partner exists in Oracle Access Manager, the configuration will be overwritten.

keystoreLocation

keystoreLocation is the path at which registerThirdPartyTAPPartner writes the keystore it generates. The directory must already exist; if it does not, the command fails with an error. On Windows, the backslashes in the path must be escaped. For example:

"C:\\oam-oaam\\tap\\keystore\\store.jks"

You choose the location, and you will need it again when configuring the OAAM side (the oaam.uio.oam.tap.keystoreFile property). In the example shown earlier, it was keystoreLocation="/scratch/jsmith/dwps1tap/TapKeyStore/mykeystore.jks".

password

The password is specified to encrypt the keystore. Make a note of the password as you will need it later.

tapTokenVersion

tapTokenVersion is always v2.0 for 11.1.1.5.0.

tapScheme

This is the authentication scheme that will be updated. If you want two tap partners with different tapRedirectUrls, create a new authentication scheme using the Oracle Access Manager Administration Console and use that scheme here.

The authentication scheme will be created automatically while you are running the registerThirdPartyTAPPartner command in the instructions above. The name of the TAP scheme will be passed as parameter to that command. The example command has tapScheme="TAPScheme".

tapRedirectUrl

tapRedirectUrl is the OAAM Server credential collector page, constructed as follows:

http://oaam_server_host:oaam_server_port/oaam_server/oamLoginPage.jsp

The command validates this URL, so it must be reachable from the host where you run it; otherwise validation fails and the partner is not created.

In the Oracle Access Manager and Oracle Adaptive Access Manager integration, the credential collector page will be served by the OAAM Server. The authentication scheme created by registerThirdPartyTAPPartner (TAPScheme) points to the OAAM Server credential collector page as the redirectURL.


7.10.1.2 Update the IAMSuite Agent

After generating the initial configuration, you must update the IAMSuite Agent:

  1. Log in to the Oracle Access Manager Administration Console.

  2. Select the System Configuration tab.

  3. Select Access Manager Settings - SSO Agents - OAM Agent from the directory tree. Double-click or select the open folder icon.

  4. Search for IAMSuiteAgent and click the entry found in the Search Results.

    The IAMSuiteAgent details page appears.

  5. Provide the password for Access Client Password.

  6. Click Apply.

7.10.1.3 Configure for Domain Agent

Note: The IAMSuite Agent is now in Open Mode with password authentication. If you are using the Domain Agent in the IDM Domain for another console, make the following change to continue using the Domain Agent.

  1. Log in to WebLogic Administration Console.

  2. Select Security Realms from the Domain Structure menu.

  3. Click myrealm.

  4. Click the Providers tab.

  5. Select IAMSuiteAgent from the list of authentication providers.

  6. Click Provider Specific.

  7. Enter the agent password and type.

  8. To confirm, click Save.

7.10.2 Validate Oracle Access Manager Configuration

To validate the Oracle Access Manager configuration, perform the following steps:

  1. Log in to the Oracle Access Manager Administration Console.

  2. Edit the Authentication Scheme that was specified above. This is the value specified for the tapScheme parameter.

  3. Verify that the Challenge URL is set to the value specified in tapRedirectUrl. For information on the URL, refer to Table 7-1, "TAP Partner Example".

  4. Validate IAMSuiteAgent setup.

  5. Launch the OAM Tester:

    OAAM_HOME/../<jdk160_24>/bin/java -jar OAAM_HOME/oam/server/tester/oamtest.jar

  6. Provide server connection details:

    1. IP Address: OAM Managed Server Host

    2. Port: OAM Oracle Access Protocol (OAP) Port

    3. Agent ID: IAMSuiteAgent

    4. Agent Password: the Access Client Password you set in Section 7.10.1.2, "Update the IAMSuite Agent"

    5. Click on Connect.

      If you can connect to the server, the next section, Protected Resource URI, will be enabled.

  7. Provide the protected resource URI as follows:

    1. Host: IAMSuiteAgent

    2. Port: 80

    3. Resource: /oamTAPAuthenticate

    4. Click Validate

      If the validation is successful, the next section for User Identity will be enabled.

  8. Provide User Identity and click Authenticate. If the authentication is successful, the setup is successful.

7.10.3 Configure Oracle Adaptive Access Manager for Oracle Access Manager and Oracle Adaptive Access Manager Integration

Set up the Oracle Access Manager and Oracle Adaptive Access Manager Integration:

  1. Copy the OAAM CLI folder to a working directory:

    cp -r OAAM_HOME/oaam/cli TEMP/oaam_cli

  2. Go to the work folder where you copied the cli folder and open TEMP/oaam_cli/cli/conf/bharosa_properties/oaam_cli.properties in a text editor and set the properties in Table 7-2.

    Table 7-2 OAAM CLI Properties

    Parameter Details

    oaam.adminserver.hostname

    This is the Admin Server Host of the WebLogic Server Domain where OAAM is installed.

    oaam.adminserver.port

    This is the Admin Server port of the WebLogic Server Domain where OAAM is installed.

    oaam.adminserver.username

    This is the Admin Server username of the WebLogic Server Domain (usually weblogic).

    oaam.adminserver.password

    This is the password of the user specified in oaam.adminserver.username property.

    oaam.db.url

    This is the valid JDBC URL of the OAAM database in the format:

    jdbc:oracle:thin:@db_host:db_port:db_sid

    oaam.uio.oam.tap.keystoreFile

    This is the location of keystore file generated by registerThirdPartyTAPPartner WLST.

    Copy the file from the location specified in the above WLST for parameter "keystoreLocation". If Oracle Access Manager and OAAM are on different machines, you will need to manually copy the keystore file created in the OAM server to the OAAM Server and provide the location on the OAAM server here.

    On Windows, the file path value must be escaped. For example: "C:\\oam-oaam\\tap\\keystore\\store.jks"

    oaam.uio.oam.tap.partnername

    This is the "partnerName" used in the WLST registerThirdPartyTAPPartner command. For example, OAAMPartner.

    oaam.uio.oam.host

    This is the OAM Primary Host.

    oaam.uio.oam.port

    This is the OAM Primary NAP (Network Assertion Protocol)/OAP Port. This is the OAM Server port, with the default port number 5575.

    oaam.uio.oam.webgate_id

    This is the IAMSuiteAgent value. Do NOT change this.

    oaam.uio.oam.secondary.host

    This is the OAM Secondary Host.

    oaam.uio.oam.secondary.host.port

    This is the OAM Secondary NAP/OAP Port.


  3. Set the environment variable ORACLE_MW_HOME to the location of the WebLogic Server install where Oracle Adaptive Access Manager is installed.

    setenv ORACLE_MW_HOME <Location of WLS install where Oracle Adaptive Access Manager is installed>

  4. Set the environment variable JAVA_HOME to the JDK used for the WebLogic installation.

  5. Run the following command:

    TEMP/oaam_cli/cli/setupOAMTapIntegration.sh TEMP/oaam_cli/cli/conf/bharosa_properties/oaam_cli.properties
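The OAM-side registerThirdPartyTAPPartner parameters (Table 7-1) and the OAAM-side oaam_cli.properties values (Table 7-2) must agree, and several of the failure modes the tables describe (a tapRedirectUrl of the wrong shape, a keystore that was never copied to the OAAM host, a changed oaam.uio.oam.webgate_id) surface only when the commands run. The following Python script is an added pre-flight check written for this chapter; it is not part of Oracle's documentation, product or CLI. The sample parameter values, hostnames and properties text in it are constructed, and the keystore-existence check is injectable so the check can run before the keystore has been copied.

```python
"""Pre-flight check for the OAM/OAAM TAP integration (added example; not
part of the Oracle documentation or product). It cross-checks the
registerThirdPartyTAPPartner parameters from Table 7-1 against the
oaam_cli.properties values from Table 7-2 before either command is run.
The sample parameter values and the properties text below are constructed."""
import os
import re
from urllib.parse import urlsplit

TAP_TOKEN_VERSION = "v2.0"              # always v2.0 for 11.1.1.5.0 (Table 7-1)
REQUIRED_WEBGATE_ID = "IAMSuiteAgent"   # oaam.uio.oam.webgate_id must not change
REDIRECT_PATH = "/oaam_server/oamLoginPage.jsp"
JDBC_THIN = re.compile(r"^jdbc:oracle:thin:@[^:/]+:\d+:\w+$")

# Constructed sample: what you would pass to registerThirdPartyTAPPartner.
SAMPLE_TAP = {
    "partnerName": "OAAMPartner",
    "keystoreLocation": "/scratch/jsmith/dwps1tap/TapKeyStore/mykeystore.jks",
    "tapTokenVersion": "v2.0",
    "tapScheme": "TAPScheme",
    "tapRedirectUrl": "http://oaamhost.example.com:14300/oaam_server/oamLoginPage.jsp",
}

# Constructed sample oaam_cli.properties (hostnames and paths are assumptions).
SAMPLE_PROPERTIES = """\
oaam.adminserver.hostname=oaamadmin.example.com
oaam.adminserver.port=7001
oaam.adminserver.username=weblogic
oaam.adminserver.password=changeit
oaam.db.url=jdbc:oracle:thin:@dbhost.example.com:1521:oaamdb
oaam.uio.oam.tap.keystoreFile=/u01/oaam/tap/mykeystore.jks
oaam.uio.oam.tap.partnername=OAAMPartner
oaam.uio.oam.host=oamhost.example.com
oaam.uio.oam.port=5575
oaam.uio.oam.webgate_id=IAMSuiteAgent
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def escape_windows_path(path):
    """Double every backslash, the escaping Tables 7-1 and 7-2 require on Windows."""
    return path.replace("\\", "\\\\")


def mode_is_private(st_mode):
    """True when a file mode grants no group/other permission bits.
    oaam_cli.properties carries the WebLogic admin password in clear text."""
    return (st_mode & 0o077) == 0


def check_tap_integration(tap, props, keystore_exists=os.path.isfile):
    """Return a list of problems; an empty list means both sides agree.
    keystore_exists is injectable so the check can run where the OAAM host
    file system is not available (for example, before the copy or in a test)."""
    problems = []
    if tap.get("tapTokenVersion") != TAP_TOKEN_VERSION:
        problems.append("tapTokenVersion must be %s" % TAP_TOKEN_VERSION)
    url = urlsplit(tap.get("tapRedirectUrl", ""))
    if url.scheme not in ("http", "https") or not url.hostname or url.path != REDIRECT_PATH:
        problems.append("tapRedirectUrl must be http(s)://oaam_host:port%s" % REDIRECT_PATH)
    if tap.get("partnerName") != props.get("oaam.uio.oam.tap.partnername"):
        problems.append("partnerName differs from oaam.uio.oam.tap.partnername")
    if props.get("oaam.uio.oam.webgate_id") != REQUIRED_WEBGATE_ID:
        problems.append("oaam.uio.oam.webgate_id must stay %s" % REQUIRED_WEBGATE_ID)
    keystore = props.get("oaam.uio.oam.tap.keystoreFile", "")
    if not keystore:
        problems.append("oaam.uio.oam.tap.keystoreFile is not set")
    elif not keystore_exists(keystore):
        problems.append("keystore %s not found on the OAAM host; copy it from keystoreLocation" % keystore)
    if not props.get("oaam.uio.oam.port", "").isdigit():
        problems.append("oaam.uio.oam.port must be the numeric OAP port (default 5575)")
    if not JDBC_THIN.match(props.get("oaam.db.url", "")):
        problems.append("oaam.db.url must look like jdbc:oracle:thin:@db_host:db_port:db_sid")
    for key in ("oaam.adminserver.hostname", "oaam.adminserver.port",
                "oaam.adminserver.username", "oaam.adminserver.password",
                "oaam.uio.oam.host"):
        if not props.get(key):
            problems.append("%s is not set" % key)
    return problems


if __name__ == "__main__":
    # Replay the constructed sample; assume the keystore copy has been done.
    found = check_tap_integration(SAMPLE_TAP, parse_properties(SAMPLE_PROPERTIES),
                                  keystore_exists=lambda path: True)
    print("OK" if not found else "\n".join(found))
```

Run it on the OAAM host after filling in oaam_cli.properties and before step 5, passing os.stat(path).st_mode to mode_is_private to confirm the file is not readable by group or other. The script checks only the shape of tapRedirectUrl, not its reachability; registerThirdPartyTAPPartner itself validates that.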

7.10.4 Protect a Resource with Oracle Adaptive Access Manager in Oracle Access Manager

To protect a resource with Oracle Adaptive Access Manager, follow these steps:

  1. Log in to the Oracle Access Manager Administration Console.

  2. Check for the Application Domain that was created as part of the 11gWebGate registration. (11gWG_myhost in the example).

  3. Edit the Authentication Policy, following these steps:

    1. From the Navigation window expand: Application Domains > 11gWG_myhost > Authentication Policies.

    2. Click Protected Resource Policy.

      Apart from "11gWG_myhost", which is the example agent name, the other names in this path are as they appear in Oracle Access Manager.

    3. Update Authentication Scheme to the TAP scheme specified as the "tapScheme" parameter in "registerThirdPartyTAPPartner" command.

  4. Click Apply to save the changes.

7.10.5 Validate the Oracle Access Manager and Oracle Adaptive Access Manager Integration

Try to access the protected resource. You should be redirected to OAAM for registration and challenge. The OAAM login page is shown instead of the Oracle Access Manager login page.
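A way to make this check repeatable, as an added example that is not part of Oracle's documentation or product: the Python script below requests the protected resource, records each redirect hop instead of following it silently, and reports whether the chain ends on the OAAM credential collector (the tapRedirectUrl path from Table 7-1) or on an OAM server page. The hostnames, ports and the intermediate WebGate-to-OAM hop in the constructed SAMPLE_CHAIN are assumptions; the real hops depend on your deployment.

```python
"""Runtime check for Section 7.10.5 (added example, not Oracle code): an
unauthenticated request for the protected resource must end up on the OAAM
login page, not on the OAM server's own login page. Each 302 hop is
recorded rather than followed automatically so the chain is visible.
Hostnames, ports and the intermediate hop in SAMPLE_CHAIN are assumptions."""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlsplit, urljoin

OAAM_LOGIN_PATH = "/oaam_server/oamLoginPage.jsp"   # tapRedirectUrl path (Table 7-1)
OAM_PATH_PREFIX = "/oam/"                            # OAM server's own pages

# Constructed sample chain: protected OHS resource -> OAM server -> OAAM login page.
SAMPLE_CHAIN = {
    "http://ohshost.example.com:7777/":
        "http://oamhost.example.com:14100/oam/server/obrareq.cgi?encquery=abc",
    "http://oamhost.example.com:14100/oam/server/obrareq.cgi?encquery=abc":
        "http://oaamhost.example.com:14300/oaam_server/oamLoginPage.jsp?request_id=42",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of following silently."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url, timeout=10):
    """Fetch one URL; return the absolute Location of a 3xx answer, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout):
            return None                      # 2xx: the resource itself was served
    except HTTPError as err:
        if 300 <= err.code < 400:
            loc = err.headers.get("Location")
            return urljoin(url, loc) if loc else None
        raise


def classify_login_redirect(url):
    """'oaam' for the OAAM credential collector, 'oam' for an OAM server page
    (the pre-integration behaviour), 'other' for anything else."""
    path = urlsplit(url).path
    if path == OAAM_LOGIN_PATH:
        return "oaam"
    if path.startswith(OAM_PATH_PREFIX):
        return "oam"
    return "other"


def trace_redirects(url, fetch=http_location, max_hops=5):
    """Return the URLs visited, starting with url, stopping at the first
    non-redirect, at the OAAM login page, or after max_hops redirects."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
        if classify_login_redirect(nxt) == "oaam":
            break
    return chain


def integration_active(url, fetch=http_location):
    """True when the redirect chain from url ends on the OAAM login page."""
    return classify_login_redirect(trace_redirects(url, fetch)[-1]) == "oaam"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        hops = trace_redirects(sys.argv[1])                     # live check
    else:
        hops = trace_redirects("http://ohshost.example.com:7777/",
                               fetch=SAMPLE_CHAIN.get)          # replay the sample
    for hop in hops:
        print(classify_login_redirect(hop), hop)
```

Run it with the protected URL as the only argument; with no argument it replays the constructed sample chain. A chain that stops on an /oam/ page means the Protected Resource Policy is still using its original authentication scheme rather than the TAP scheme set in Section 7.10.4.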

7.11 Integrate Oracle Identity Manager and Oracle Adaptive Access Manager

This section describes how to integrate Oracle Identity Manager and Oracle Adaptive Access Manager for the three-way integration of Oracle Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager:

7.11.1 Set Oracle Adaptive Access Manager Properties for Oracle Identity Manager

To set Oracle Adaptive Access Manager properties for Oracle Identity Manager:

  1. Go to the OAAM Administration Console at the URL:

    http://oaam_managed_server_host:oaam_admin_managed_server_port/oaam_admin

  2. Log in as a user with access to the Properties Editor.

  3. Open the Oracle Adaptive Access Manager Property Editor to set the Oracle Identity Manager properties.

    If a property does not exist, you need to add it.

    For the following properties, set the values according to your deployment:

    Table 7-3 Configuring Oracle Identity Manager Property Values

    Property Name Property Values

    bharosa.uio.default.user.management.provider.classname

    com.bharosa.vcrypt.services.OAAMUserMgmtOIM

    oaam.oim.auth.login.config

    ${oracle.oaam.home}/../designconsole/config/authwl.conf

    oaam.oim.url

    t3://<OIM Managed Server>:<OIM Managed Port>

    For example, t3://host.example.com:14000

    URLs can be listed as comma-separated values; for example:

    oaam.oim.url = t3://oimhost1.mycompany.com:14000,oimhost2.mycompany.com:14000
    

    Use this form when the two OIM hosts are clustered and load balanced but no hardware load balancer routes traffic between them: if one host is down, the traffic is routed to the other.

    oaam.oim.xl.homedir

    ${oracle.oaam.home}/../designconsole

    bharosa.uio.default.signon.links.enum.selfregistration.url

    http://<OIM Managed Server>:<OIM Managed Port>/oim/faces/pages/USelf.jspx?E_TYPE=USELF&OP_TYPE=SELF_REGISTRATION&backUrl=<OAAM Login URL for OIM>

    where <OAAM Login URL for OIM> is http://<OHS host>:<OHS port>/oim/faces/pages/Self.jspx or, when the IDM Domain Agent is used, http://<OIM host>:<OIM port>/oim/faces/pages/Self.jspx.

    OHS setup was performed during the integration between Oracle Access Manager and Oracle Identity Manager.

    bharosa.uio.default.signon.links.enum.trackregistration.url

    http://<OIM Managed Server>:<OIM Managed Port>/oim/faces/pages/USelf.jspx?E_TYPE=USELF&OP_TYPE=UNAUTH_TRACK_REQUEST&backUrl=<OAAM Login URL for OIM>

    where <OAAM Login URL for OIM> is http://<OHS host>:<OHS port>/oim/faces/pages/Self.jspx or, when the IDM Domain Agent is used, http://<OIM host>:<OIM port>/oim/faces/pages/Self.jspx.

    OHS setup was performed during the integration between Oracle Access Manager and Oracle Identity Manager.

    bharosa.uio.default.signon.links.enum.trackregistration.enabled

    true

    bharosa.uio.default.signon.links.enum.selfregistration.enabled

    true

    oaam.oim.csf.credentials.enabled

    true

    This property enables the configuring of credentials in the Credential Store Framework as opposed to maintaining them using the Properties Editor. This step is performed so that credentials can be securely stored in CSF.


For information on setting properties in Oracle Adaptive Access Manager, see "Using the Property Editor" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

7.11.2 Set Oracle Identity Manager Credentials in Credential Store Framework

So that the Oracle Identity Manager administrator credentials that Oracle Adaptive Access Manager uses to call Oracle Identity Manager are stored securely in the Credential Store Framework rather than in properties, add a password credential to the Oracle Adaptive Access Manager domain as follows:

  1. Go to the Oracle Fusion Middleware Enterprise Manager Console at http://weblogic_host:administration_port/em.

  2. Log in as a WebLogic administrator, for example, weblogic.

  3. Expand the <Base_Domain> icon in the navigation tree in the left pane.

  4. Select your domain name, right click, and select the menu option Security and then the option Credentials in the sub menu.

  5. Click Create Map.

  6. Click oaam to select the map, then click Create Key.

  7. In the pop-up dialog, ensure that Select Map is oaam.

  8. Provide the following properties and click OK.

    Table 7-4 Oracle Identity Manager Credentials

    Name Value

    Map Name

    oaam

    Key Name

    oim.credentials

    Key Type

    Password

    UserName

    Username of Oracle Identity Manager Administrator

    Password

    Password of Oracle Identity Manager Administrator


7.12 Configure Oracle Identity Manager Properties for the Integration

In Oracle Identity Manager, system properties are configured to enable Oracle Adaptive Access Manager instead of Oracle Identity Manager to provide the functionality related to challenge questions.

To modify Oracle Identity Manager properties for Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integration, take these steps:

  1. Log in to the Oracle Identity Manager Administrative Console.

  2. Click the Advanced link in the self-service console.

  3. Click System Properties in System Management.

  4. Click on Advanced Search.

  5. Set the following properties and click Save.

    Note:

    For the URLs, use the hostnames as they were configured in Oracle Access Manager. For example, if a complete hostname (with domain name) was provided during Oracle Access Manager configuration, use the complete hostname for the URLs.

    Table 7-5 Oracle Identity Manager Redirection

    Property Name                          Value
    -------------------------------------  --------------------------------------------------------------------------
    OIM.DisableChallengeQuestions          TRUE

    OIM.ChangePasswordURL                  URL of the change password page in Oracle Adaptive Access Manager:
                                           http://oaam_server_managed_server_host:oaam_server_managed_server_port/oaam_server/oimChangePassword.jsp
                                           In a high availability (HA) environment, set this property to the virtual IP URL of the OAAM server.

    OIM.ChallengeQuestionModificationURL   URL of the challenge questions modification page in Oracle Adaptive Access Manager:
                                           http://oaam_server_managed_server_host:oaam_server_managed_server_port/oaam_server/oimResetChallengeQuestions.jsp


7.13 Configure TAP Scheme to Access Applications in the IAMSuite Agent Application Domain

Note:

The instructions in this section should only be performed if you want to use the TAP Scheme in the IAMSuiteAgent application domain.

To use the TAP scheme for Identity Management product resources in the IAMSuiteAgent application domain (the Protected Higher Level Policy), perform the following configuration:

  1. Log in to the Oracle Access Manager Administration Console.

  2. Navigate to Policy Configuration, select Application Domains, select IAMsuiteAgent, select Authentication Policies, and select Protected Higher Level Policy.

  3. On the Authentication Policy page, remove IAMSuiteAgent:/oamTAPAuthenticate from the Resources tab.

  4. Click Apply.

  5. Create a new Authentication Policy in the IAMSuite Application Domain.

  6. On the Authentication Policy page, select LDAPScheme in the Authentication Scheme field.

  7. Add IAMSuiteAgent:/oamTAPAuthentication as a resource.

  8. Click Apply.

7.14 Troubleshooting Tips

This section provides additional troubleshooting and configuration tips for the integration of Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

7.14.1 Policies and Challenge Questions

You may encounter a non-working URL if policies and challenge questions are not available as expected in your Oracle Adaptive Access Manager environment. For example, the Forgot Password page fails to appear and you are redirected back to the login page.

To ensure correct operation, make sure that the default base policies and challenge questions shipped with Oracle Adaptive Access Manager have been imported into your system. For details, see Setting Up the Oracle Adaptive Access Manager Environment in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

7.14.2 Cookie Domain Definition

An incorrect cookie domain value in your configuration can cause login failures.

For correct WebGate operation, ensure that the property oaam.uio.oam.obsso_cookie_domain is set to match the corresponding value in Oracle Access Manager; for example, .us.example.com.
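The following script is an added example, not part of this guide or of the Oracle products it describes. It checks two of the settings discussed above in one pass: that the OAAM property oaam.uio.oam.obsso_cookie_domain matches the cookie domain configured in Oracle Access Manager (section 7.14.2), and that the hostnames in the Oracle Identity Manager redirection URLs from Table 7-5 are fully qualified and lie inside that cookie domain (the hostname note in section 7.12). The property text, the OAM cookie domain and the port 14300 are constructed sample values; the Java .properties key=value format is assumed for the exported settings.

```python
"""Added configuration check for the OAM/OAAM/OIM integration.

Verifies that the OAAM cookie domain matches the OAM value and that the OIM
redirection URLs use hostnames inside that cookie domain. All sample values
below are constructed for illustration, not taken from a real deployment."""
from urllib.parse import urlsplit

# Constructed sample: OAAM properties as they might be exported from the Properties Editor
OAAM_PROPERTIES = """
oaam.uio.oam.obsso_cookie_domain=.us.example.com
oaam.oim.csf.credentials.enabled=true
"""

# Constructed sample: the cookie domain configured in Oracle Access Manager
OAM_COOKIE_DOMAIN = ".us.example.com"

# Constructed sample: OIM system properties from Table 7-5; the second URL uses a
# short hostname, which is the mistake the hostname note in section 7.12 warns about
OIM_PROPERTIES = """
OIM.DisableChallengeQuestions=TRUE
OIM.ChangePasswordURL=http://oaamhost.us.example.com:14300/oaam_server/oimChangePassword.jsp
OIM.ChallengeQuestionModificationURL=http://oaamhost:14300/oaam_server/oimResetChallengeQuestions.jsp
"""


def parse_properties(text):
    """Parse key=value lines (Java .properties style); blank lines and # comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def normalize_domain(domain):
    """Cookie domains compare case-insensitively; a leading dot covers the domain and its subdomains."""
    return domain.strip().lower().lstrip(".")


def host_in_domain(host, cookie_domain):
    """True if host is the cookie domain itself or one of its subdomains."""
    host = host.lower()
    dom = normalize_domain(cookie_domain)
    return host == dom or host.endswith("." + dom)


def check_integration(oaam_text, oam_cookie_domain, oim_text):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    oaam = parse_properties(oaam_text)
    oim = parse_properties(oim_text)

    # 7.14.2: the OAAM cookie domain must equal the OAM cookie domain
    oaam_domain = oaam.get("oaam.uio.oam.obsso_cookie_domain", "")
    if normalize_domain(oaam_domain) != normalize_domain(oam_cookie_domain):
        findings.append("cookie domain mismatch: OAAM=%r OAM=%r" % (oaam_domain, oam_cookie_domain))

    # 7.12: redirection URLs must use hostnames as configured in OAM, i.e. inside the cookie domain
    for key in ("OIM.ChangePasswordURL", "OIM.ChallengeQuestionModificationURL"):
        url = oim.get(key)
        if not url:
            findings.append("%s is not set" % key)
            continue
        host = urlsplit(url).hostname or ""
        if not host_in_domain(host, oam_cookie_domain):
            findings.append("%s host %r is outside cookie domain %r" % (key, host, oam_cookie_domain))

    # Table 7-5: challenge questions are handed to OAAM only when this is TRUE
    if oim.get("OIM.DisableChallengeQuestions", "").upper() != "TRUE":
        findings.append("OIM.DisableChallengeQuestions must be TRUE so OAAM handles challenge questions")
    return findings


if __name__ == "__main__":
    for finding in check_integration(OAAM_PROPERTIES, OAM_COOKIE_DOMAIN, OIM_PROPERTIES):
        print("FINDING:", finding)
```

Run as written, the script reports one finding, the short hostname in OIM.ChallengeQuestionModificationURL, and reports nothing once that URL is corrected to the fully qualified name. A browser will not send the OAM session cookie to a host that is outside the cookie domain, which is why a bare hostname in a redirection URL ends in the login loop described above.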

7.14.3 In the OAM and OAAM Integration TAP Could Not Modify User Attribute

In integration scenarios coupled with multiple identity stores, the user identity store that is set as the Default Store is used for authentication and assertion. If you change the Default Store to point to a different store, ensure that the TAPScheme also points to the same store.

For the OAM-OAAM TAP integration, the assertion for the TAPScheme Authentication Scheme is made against the Default Store. In this case the backend channel authentication made against the LDAP module uses a specific user identity store (OID, for example). When the username is returned to Oracle Access Manager, the assertion occurs against the Default Store (not the same OID that was used for the authentication).

Note:

For Session Impersonation, the Oracle Internet Directory instance that is used for the user and grants must be the Default Store.

If you change the Default Store, ensure that the TAPScheme also points to the same store. Otherwise, authentication can succeed but the final redirect can fail with the following errors:

Module oracle.oam.user.identity.provider 
Message Principal object is not serializable; getGroups call will result in 
an extra LDAP call 

Module oracle.oam.engine.authn 
Message Cannot assert the username from DAP token

Module oracle.oam.user.identity.provider 
Message Could not modify user attribute for user : cn, attribute :
userRuleAdmin, value : {2} .
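The following script is an added example, not part of this guide, that turns the error messages listed above into a triage step: it parses OAM diagnostic log entries written in the Module/Message form shown above (wrapped message lines included), matches the two messages that identify the failed assertion, and reports the documented cause, a TAPScheme that no longer points at the Default Store. The log text is constructed to mirror the format above and adds one unrelated entry; the module name oracle.oam.engine.sso and its message in that extra entry are assumed for illustration.

```python
"""Added log triage for the TAP assertion failure described in section 7.14.3.

The sample log below is constructed in the Module/Message layout shown in the
guide; it is not a capture from a real system."""
import re

# Constructed sample log: the three entries from the guide plus one unrelated
# entry (its module name and message are assumed, for illustration only).
SAMPLE_LOG = """\
Module oracle.oam.user.identity.provider
Message Principal object is not serializable; getGroups call will result in
an extra LDAP call

Module oracle.oam.engine.authn
Message Cannot assert the username from DAP token

Module oracle.oam.user.identity.provider
Message Could not modify user attribute for user : cn, attribute :
userRuleAdmin, value : {2} .

Module oracle.oam.engine.sso
Message Session created for user
"""

# The two messages that, per section 7.14.3, identify the failed assertion.
# The "Principal object is not serializable" entry is logged alongside them but
# is not diagnostic on its own, so it is deliberately not a signature.
TAP_STORE_MISMATCH = "TAPScheme identity store differs from the Default Store"
SIGNATURES = [
    (re.compile(r"Cannot assert the username from DAP token"), TAP_STORE_MISMATCH),
    (re.compile(r"Could not modify user attribute for user"), TAP_STORE_MISMATCH),
]


def parse_entries(text):
    """Split the log into (module, message) pairs; wrapped message lines are re-joined."""
    entries = []
    module, message = None, []
    for line in text.splitlines():
        if line.startswith("Module "):
            if module is not None:
                entries.append((module, " ".join(message)))
            module, message = line[len("Module "):].strip(), []
        elif line.startswith("Message "):
            message = [line[len("Message "):].strip()]
        elif line.strip() and module is not None:
            message.append(line.strip())  # continuation of a wrapped message
    if module is not None:
        entries.append((module, " ".join(message)))
    return entries


def triage(text):
    """Return the entries that match a known signature, each with its suspected cause."""
    hits = []
    for module, message in parse_entries(text):
        for pattern, cause in SIGNATURES:
            if pattern.search(message):
                hits.append({"module": module, "message": message, "cause": cause})
                break
    return hits


def suspected_causes(text):
    """Distinct causes only, so an operator gets one actionable item instead of N log lines."""
    return sorted({hit["cause"] for hit in triage(text)})


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("%s: %s" % (hit["module"], hit["message"]))
    for cause in suspected_causes(SAMPLE_LOG):
        print("suspected cause:", cause)
```

When the triage reports the mismatch, the fix is the one given above: compare the identity store selected in the TAPScheme with the store marked as Default Store and make them the same.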

7.14.4 TAP: setupOAMTapIntegration Script Does Not Provide Exit Status Message

When the setupOAMTapIntegration script is run to configure Oracle Adaptive Access Manager for Oracle Access Manager and Oracle Adaptive Access Manager integration, a message is not provided to indicate whether the script completed successfully or failed.