Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 6 (11.1.6) Part Number E21032-18 |
|
|
PDF · Mobi · ePub |
This chapter describes how to configure Oracle Access Manager 11.1.1 in the Oracle Identity Management enterprise deployment.
This chapter includes the following topics:
Section 13.1, "Overview of Configuring Oracle Access Manager"
Section 13.5, "Starting Oracle Access Manager Managed Servers"
Section 13.8, "Adding the oamadmin Account to Access System Administrators"
Section 13.9, "Creating Oracle Access Manager Policies for WebGate 11g"
Section 13.11, "Updating Oracle Access Manager System Parameters"
Section 13.12, "Backing Up the Access Manager Configuration"
Oracle Access Manager enables your users to seamlessly gain access to web applications and other IT resources across your enterprise. It provides a centralized and automated single sign-on (SSO) solution, which includes an extensible set of authentication methods and the ability to define workflows around them. It also contains an authorization engine, which grants or denies access to particular resources based on properties of the user requesting access as well as based on the environment from which the request is made. Comprehensive policy management, auditing, and integration with other components of your IT infrastructure enrich this core functionality.
Oracle Access Manager consists of several components, including OAM Server, Oracle Access Manager Console, and WebGates. The OAM Server includes all the components necessary to restrict access to enterprise resources. The Oracle Access Manager Console is the administrative console to Oracle Access Manager. WebGates are web server agents that act as the actual enforcement points for Oracle Access Manager. Follow the instructions in this chapter and Chapter 20, "Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment" to install and configure the Oracle Access Manager components necessary for your enterprise deployment.
Before you complete this chapter, the following URL is available:
Table 13-1 OAM URLs Before Web Tier Configuration
Component | URLs |
---|---|
OAM Console |
|
Footnote 1 where 7001 is WLS_ADMIN_PORT in Section A.3.
After you complete this chapter, the following URL will be available:
The enterprise deployment described in this guide shows Oracle Access Manager using Oracle Internet Directory as the only LDAP repository. Oracle Access Manager uses a single LDAP for policy and configuration data. It is possible to configure another LDAP as the Identity Store where users, organizations and groups reside. For example, an Oracle Access Manager instance may use Oracle Internet Directory as its policy and configuration store and point to an instance of Microsoft Active Directory for users and groups.
In addition, the Identity Stores can potentially be front-ended by Oracle Virtual Directory to virtualize the data sources.
To learn more about the different types of directory configuration for Oracle Access Manager, consult the 11g Oracle Access Manager documentation at Oracle Technology Network. Customers considering these variations should adjust their Directory Tier and Oracle Access Manager deployment accordingly.
Before you configure Oracle Access Manager, ensure that the following tasks have been performed on IDMHOST1 and IDMHOST2:
Install Oracle WebLogic Server, Oracle Identity Management, and Oracle Identity and Access Management as described in Chapter 6, "Installing the Software for an Enterprise Deployment."
Install the Identity Store, as described in Chapter 10, "Extending the Domain to Include Oracle Internet Directory" or "Configuring an Identity Store with Multiple Directories" in Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite.
Prepare the Identity and Policy Stores as described in Chapter 11, "Preparing Identity and Policy Stores."
Install Oracle Virtual Directory, if required, as described in Chapter 14, "Extending the Domain to Include Oracle Virtual Directory."
Start the managed servers WLS_OAM1 and WLS_OAM2 by following the procedure in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Before proceeding, ensure that the following tasks have been performed:
Configure Oracle Web Tier on WEBHOST1 and WEBHOST2 as described in Chapter 8, "Configuring the Web Tier for an Enterprise Deployment."
Configure the load balancer as described in Section 3.3, "About Virtual Server Names Used by the Topologies."
Configure Oracle Access Manager on IDMHOST1 and IDMHOST2 as described in Section 13.11, "Updating Oracle Access Manager System Parameters" and Section 13.5, "Starting Oracle Access Manager Managed Servers."
This section contains the following topics:
By default, Oracle Access Manager is configured to use the Open security model. If you plan to change this mode using idmConfigTool
, you must set a global passphrase. Although you need not set the global passphrase and the web gate access password to be the same, it is recommended that you do.You do this by performing the following steps.
Log in to the OAM console at: http://ADMIN.mycompany.com/oamconsole
as the WebLogic administration user.
Click the System Configuration tab.
Click Access Manager Settings located in the Access Manager Settings section.
Select Open from the Actions menu. The access manager settings are displayed.
If you plan to use Simple security mode for OAM servers, supply a global passphrase.
Click Apply.
Now that the initial installation is done and the security model set, the following tasks must be performed:
Oracle Access Manager must be configured to use an external LDAP Directory (IDSTORE.mycompany.com
).
Oracle Access Manager WebGate Agent must be created.
You perform these tasks by using idmConfigTool
.
Perform the following tasks on IDMHOST1:
Set ORACLE_HOME
to IAM_ORACLE_HOME
Set MW_HOME
to IAM_MW_HOME
.
Set JAVA_HOME
to JAVA_HOME
.
Create a properties file called config_oam1.props
with the following contents:
WLSHOST: ADMINVHN.mycompany.com WLSPORT: 7001 WLSADMIN: weblogic WLSPASSWD: weblogic password IDSTORE_HOST: IDSTORE.mycompany.com IDSTORE_PORT: 389 IDSTORE_DIRECTORYTYPE:OVD IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com IDSTORE_SEARCHBASE: dc=mycompany,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com IDSTORE_OAMSOFTWAREUSER: oamLDAP IDSTORE_OAMADMINUSER: oamadmin PRIMARY_OAM_SERVERS: IDMHOST1.mycompany.com:5575,IDMHOST2.mycompany.com:5575 WEBGATE_TYPE: ohsWebgate11g ACCESS_GATE_ID: Webgate_IDM OAM11G_IDM_DOMAIN_OHS_HOST:SSO.mycompany.com OAM11G_IDM_DOMAIN_OHS_PORT:443 OAM11G_IDM_DOMAIN_OHS_PROTOCOL:https OAM11G_WG_DENY_ON_NOT_PROTECTED: false OAM_TRANSFER_MODE: simple OAM11G_OAM_SERVER_TRANSFER_MODE:simple OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp OAM11G_OIM_WEBGATE_PASSWD: webgate password COOKIE_DOMAIN: .mycompany.com OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators OAM11G_SSO_ONLY_FLAG: true OAM11G_OIM_INTEGRATION_REQ: true OAM11G_IMPERSONATION_FLAG:true OAM11G_SERVER_LBR_HOST:SSO.mycompany.com OAM11G_SERVER_LBR_PORT:443 OAM11G_SERVER_LBR_PROTOCOL:https COOKIE_EXPIRY_INTERVAL: 120 OAM11G_OIM_OHS_URL:https://SSO.mycompany.com:443/ OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
Where:
WLSHOST
is the host of your administration server, created in Chapter 9, "Creating the Domain for an Enterprise Deployment." This is ADMINVHN
in Section A.1.
WLSPORT
is the port of your administration server, WLS_ADMIN_PORT
in Section A.3, created in Chapter 9, "Creating the Domain for an Enterprise Deployment."
WLSADMIN
and WLSPASSWD
are, respectively, the WebLogic administrative user and password you use to log in to the WebLogic console.
IDSTORE_HOST
and IDSTORE _PORT
are the host and port of the Identity Store directory when accessed through the load balancer. These are LDAP_LBR_HOST
and LDAP_LBR_PORT
in the Section A.3 worksheet.
IDSTORE_BINDDN
is an administrative user in the Identity Store directory.
IDSTORE_USERSEARCHBASE
is the container under which Oracle Access Manager searches for the users.
IDSTORE_GROUPSEARCHBASE
is the location in the directory where Groups are stored.
IDSTORE_SEARCHBASE
is the location in the directory where Users and Groups are stored.
IDSTORE_OAMSOFTWAREUSER
is the name of the user you created in Section 11.5, "Preparing the Identity Store" to be used to interact with LDAP.
IDSTORE_OAMADMINUSER
is the name of the user you created in Section 11.5, "Preparing the Identity Store" to access your OAM Console.
PRIMARY_OAM_SERVERS
is a comma separated list of your OAM Servers and the proxy ports they use.
Note:
To determine the proxy ports your OAM Servers use:
Log in to the OAM console at: http://ADMIN.mycompany.com/oamconsole
Click the System Configuration tab.
Expand Server Instances under the Common Configuration section
Click an Oracle Access Manager server, such as WLS_OAM1, and click Open.
Proxy port is the one shown as Port.
ACCESS_GATE_ID
is the name you want to assign to the WebGate.
OAM11G_OIM_WEBGATE_PASSWD
is the password you will assign to the WebGate after OIM has been configured
OAM11G_IDM_DOMAIN_OHS_HOST
is the name of the load balancer which is in front of the OHS's.
OAM11G_IDM_DOMAIN_OHS_PORT
is the port that the load balancer listens on (HTTP_SSL_PORT).
OAM11G_IDM_DOMAIN_OHS_PROTOCOL
is the protocol to use when directing requests at the load balancer.
OAM11G_OAM_SERVER_TRANSFER_MODE
is the security model that the Oracle Access Manager servers function in, as defined in Section 13.7.1, "Setting a Global Passphrase."
OAM11G_IMPERSONATION_FLAG
is set to True
if you are using Oracle Fusion Applications.
OAM11G_IDM_DOMAIN_LOGOUT_URLS
is set to the various logout URLs.
OAM11G_SSO_ONLY_FLAG
configures Oracle Access Manager as authentication only mode or normal mode, which supports authentication and authorization. This is set to true
for Fusion Applications.
If OAM11G_SSO_ONLY_FLAG
is true
, the OAM Server operates in authentication only mode, where all authorizations return true by default without any policy validations. In this mode, the server does not have the overhead of authorization handling. This is recommended for applications which do not depend on authorization policies and need only the authentication feature of the OAM Server.
If the value is false
, the server runs in default mode, where each authentication is followed by one or more authorization requests to the OAM Server. WebGate allows the access to the requested resources or not, based on the responses from the OAM Server.
OAM11G_SERVER_LBR_HOST
is the name of the load balancer fronting your site. This and the following two parameters are used to construct your login URL.
OAM11G_SERVER_LBR_PORT
is the port that the load balancer is listening on (HTTP_SSL_PORT).
OAM11G_SERVER_LBR_PROTOCOL
is the URL prefix to use.
COOKIE_DOMAIN
is the domain in which the WebGate functions.
WEBGATE_TYPE
is the type of WebGate agent you want to create. In this release, the value is ohsWebgate11g
.
OAM11G_IDSTORE_NAME
is the name of the Identity Store. If you already have an Identity Store in place which is different from the default created by this tool, set this parameter to the name of that Identity Store.
OAM11G_OIM_OHS_URL
is the URL that will be used to access OIM when accessing through the load balancer, after OIM is configured.
OAM11G_SERVER_LOGIN_ATTRIBUTE
: Setting this to uid
ensures that when users log in their username is validated against the uid
attribute in LDAP.
Configure Oracle Access Manager using the command idmConfigTool
which is located at:
IAM_ORACLE_HOME
/idmtools/bin
Note:
When you run the idmConfigTool
, it creates or appends to the file idmDomainConfig.param
. This file is generated in the same directory that the idmConfigTool
is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool
from the directory:
IAM_ORACLE_HOME
/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -configOAM input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -configOAM input_file=configfile
For example:
idmConfigTool.sh -configOAM input_file=config_oam1.props
When the command runs you are prompted to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the passwords you want to assign to these accounts:
IDSTORE_PWD_OAMSOFTWAREUSER
IDSTORE_PWD_OAMADMINUSER
Check the log file for any errors or warnings and correct them. A file named automation.log
is created in the directory where you run the tool.
Restart WebLogic Administration Server as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Note:
After you run idmConfigTool
, several files are created that you need for subsequent tasks. Keep these in a safe location.
Two WebGate profiles are created: Webgate_IDM
, which is a 10g profile, and Webgate_IDM_11g
, which is an 11g profile. Webgate_IDM
is used for intercomponent communication and Webgate_IDM_11g
is used by 11g Webgates.
The following files exist in the directory ASERVER_HOME
/output/Webgate_IDM_11g
. You need these when you install the WebGate software.
cwallet.sso
ObAccessClient.xml
password.xml
Additionally, you need the files aaa_cert.pem
and aaa_key.pem
, which are located in the directory ASERVER_HOME
/output/Webgate_IDM
.
To Validate that this has completed correctly.
Access the OAM console at: http://ADMIN.mycompany.com/oamconsole
Log in as the Oracle Access Manager administration user you created in Section 11.5, "Preparing the Identity Store."
Click the System Configuration tab
Expand Access Manager Settings - SSO Agents - OAM Agents.
Click the open folder icon, then click Search.
You should see the WebGate agents Webgate_IDM
and Webgate_IDM_11g
, which you created in Section 13.7.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool."
After generating the initial configuration, you must edit the configuration and add advanced configuration entries.
Select System Configuration Tab
Select Access Manager Settings - SSO Agents - OAM Agent from the directory tree. Double-click or select the open folder icon.
On the displayed search page click Search to perform an empty search.
Click the Agent Webgate_IDM
.
Select Open from the Actions menu.
Set Max Number of Connections to 4
for all of the OAM Servers listed in the primary servers list.
Click Apply.
Repeat Steps 4 through 7 for the WebGate agent Webgate_IDM_11g.
Click Policy Configuration tab.
Double Click IAMSuiteAgent under Host Identifiers.
Click +
in the operations box.
Enter the following information:
Host Name: ADMIN.mycompany.com
Port: 80
(HTTP_PORT)
Click Apply.
If you have changed the OAM security model using the idmConfigTool
you must change the security model used by any existing Webgates to reflect this change.
To do this, perform the following steps:
Log in to the Oracle Access ManagerConsole as the Oracle Access Manager administration user you created in Section 11.5, "Preparing the Identity Store," at: http://ADMIN.mycompany.com/oamconsole
Click the System Configuration tab.
Expand Access Manager Settings - SSO Agents.
Click OAM Agents and select Open from the Actions menu.
In the Search window, click Search.
Click each Agent that was not created by idmconfigTool
in Section 13.7.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool", for example: IAMSuiteAgent.
Set the Security value to the new security model.
Click Apply.
Restart the managed servers WLS_OAM1 and WLS_OAM2 as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
The oamadmin
user is assigned to the Oracle Access Manager Administrators group, which is in turn assigned to the Access System Administrators group. Fusion Applications, however, requires the oamadmin
user to be explicitly added to that role. To do this perform the following steps:
Log in to the oamconsole at: http://ADMIN.mycompany.com/oamconsole
Click the System Configuration tab.
Expand Data Sources - User Identity Stores.
Click OIMIDStore.
Click Open.
Click the +
symbol next to Access System Adminsitrators.
Type oamadmin
in the search box and click Search.
Click the returned oamadmin row, then click Add Selected.
Click Apply.
In order to allow WebGate 11g to display the credential collector, you must add /oam
to the list of public policies.
Proceed as follows:
Log in to the OAM console at: http://ADMIN.mycompany.com/oamconsole
Select the Policy Configuration tab.
Expand Application Domains - IAM Suite
Click Resources.
Click Open.
Click New resource.
Provide the following values:
Type: HTTP
Description: OAM Credential Collector
Host Identifier: IAMSuiteAgent
Resource URL: /oam
Protection Level: Unprotected
Authentication Policy: Public Policy
Click Apply.
When you configure Oracle Access Manager to work using the simple transport protocol, all traffic to Oracle Access Manager is encrypted. When you integrate Oracle Access Manager with other components, such as Oracle Identity Manager, you must enable the product being integrated to understand this encryption. You do this by using a keystore.
When you change Oracle Access Manager to use the simple protocol, keystores are created automatically in the directory ASERVER_HOME
/output/webgate-ssl
. This directory contains the following files:
ooamclient-keystore.jks
–contains the private key.
ooamclient-truststore.jks
–contains the Oracle Access Manager simple mode CA certificate
These files are accessed using the Global Passphrase defined at the time of enabling Oracle Access Manager in simple mode.
Some products require configuring with both of the files above and some products, such as Oracle Identity Manager require a single consolidated keystore.
To create a keystore suitable for use by Oracle Identity Manager, perform the following steps.
Change directory to ASERVER_HOME
/output/webgate-ssl
, for example:
cd ASERVER_HOME/output/webgate-ssl
Copy the file oamclient-keystore.jks
to ssoKeystore.jks
, for example
cp oamclient-keystore.jks ssoKeystore.jks
Import the trust store into the new keystore ssoKeystore.jks
using the command:
keytool -importcert -file IAM_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore PathName_to_keystore -storetype JKS
On Windows, type:
keytool -import -file IAM_ORACLE_HOME\oam\server\config\cacert.der -trustcacerts -keystore PathName_to_keystore -storetype JKS
Enter the keystore password when prompted. For example:
keytool -importcert -file IAM_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore ssoKeystore.jks -storetype JKS
Note:
The files ssoKeystore.jks
and oamclient-truststore.jks
are required when you integrate Oracle Access Manager running in Simple mode with Oracle Identity Manager. When you integrate these components, you are asked to copy these files to the ASERVER_HOME
/config/fmwconfig
directory. If you subsequently extend the domain on machines where these files have been placed using pack
/unpack
, you must recopy ssoKeystore.jks
and oamclient-truststore.jks
after unpacking.
Update ASERVER_HOME
/config/fmwconfig/oam-config.xml
in the administration server domain home.
Set the parameters Timeout, Expiry, and MaxSessionsPerUser as follows:
Log in to the OAM console at http://ADMIN.mycompany.com/oamconsole
as the WebLogic administration user.
Select the System Configuration tab.
Click Common Settings under the Common Configuration entry.
Click Open.
Set the following values:
Idle Timeout (minutes): 120
Session Lifetime: 120
Maximum Number of Sessions per user: 200
Click Apply.
Back up the database, the WebLogic domain, and the LDAP directories, as described in Section 21.6.3, "Performing Backups During Installation and Configuration."