12 Configuring Access Manager Settings
This chapter describes Access Manager-specific settings. It provides the following topics:
12.1 Prerequisites
This section identifies requirements for tasks in this chapter. Before you begin tasks in this chapter, be sure to review the following topics:
12.2 Introduction to Access Manager Settings
The Access Manager section of the System Configuration tab provides a number of settings specific to Access Manager service operations.
Table 12-1 Access Manager Settings
| Setting | Described in ... |
|---|---|
|
Load Balancing |
|
|
Server Error Mode |
|
|
SSO |
|
|
Access Protocol |
Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security |
|
Policy |
12.3 Managing Load Balancing
This section provides the following topics:
12.3.1 About Common Load Balancing Settings
For production environments that require increased application performance, throughput, or high availability, you can configure two or more Managed Servers to operate as a cluster. A cluster is a collection of multiple WebLogic Server server instances running simultaneously and working together to provide increased scalability and reliability. In a cluster, most resources and services are deployed identically to each Managed Server (as opposed to a single Managed Server), enabling failover and load balancing. A single domain can contain multiple WebLogic Server clusters and multiple Managed Servers that are not configured as clusters. The key difference between clustered and non-clustered Managed Servers is support for failover and load balancing. These features are available only in a cluster of Managed Servers.
By default, Access Manager has a single OAM Server to which all login and logout requests are sent. In a high-availability deployment, you must change this setup so that login and logout requests are first sent to the load balancer.
See Also:
Oracle Fusion Middleware High Availability Guide, "Access Manager High Availability Configuration Steps" for high-level instructions for setting up a high availability deployment for Access Manager.Figure 12-2 shows the Load Balancing Settings section of the Access Manager Settings page. In earlier releases this was part of the SSO Engine settings; the SSO Engine being the controller for sessions.
Figure 12-2 Access Manager Settings: Load Balancer
Description of "Figure 12-2 Access Manager Settings: Load Balancer"
Table 12-2 describes each element and how it is used. Settings are global and common to all OAM Servers in the WebLogic administration domain.
Table 12-2 Access Manager Settings: Load Balancer
| Element | Description |
|---|---|
|
OAM Server Host |
The virtual host name that represents the OAM Server Cluster, which might be exposed by a load balancer in front of an OAM Server Cluster. |
|
OAM Server Port |
The virtual host port associated with the OAM Server Cluster. Values between 1 and 65535 are supported. |
|
OAM Server Protocol |
The protocol, either HTTP or HTTPS, that is used to access the virtual host that represents the OAM Server Cluster. See Also: "About Security Modes and X509Scheme Authentication" |
12.3.2 Managing OAM Server Load Balancing
Users with valid Administrator credentials can perform the following task to modify Access Manager load balancing settings using the Oracle Access Management Console.
See Also:
"About Common Load Balancing Settings"To view or edit common load balancing specifications
-
From the Oracle Access Management Console, open Load Balancing:
System Configuration tab
Access Manager section
Access Manager Settings
Load Balancing -
Expand the Load Balancing area:
-
View Only: Close the page when you finish.
-
Modify: Edit Load Balancing settings for your deployment (Table 12-2).
-
-
Click Apply to submit the changes (or close the page without applying changes).
-
Dismiss the Confirmation window.
12.4 Managing Secure Error Modes
A custom error page is packaged as part of the custom login application. An out-of-the-box custom Web application archive file is provided that you can use as a starting point to develop customized login and password pages.
Server Error Mode settings are global and common to all OAM Servers in the WebLogic administration domain. This section provides the following topics:
12.4.1 About OAM Server Error Modes
Figure 12-2 shows the Server Error Mode function, which appears on the Load Balancing Settings area of the Access Manager Settings page.
Figure 12-3 Access Manager Settings: Server Error Mode
Description of "Figure 12-3 Access Manager Settings: Server Error Mode"
Table 12-3 describes the options you can choose to configure Server Error Mode for your deployment.
| Element | Description |
|---|---|
|
Server Error Mode |
The setting you choose determines the nature of error messages and error codes returned by the OAM Server when an operation fails (because of an invalid username or password, for example, or a server error (connection to the LDAP Server is down)). Choose one of the following settings to configure error messages with varying degrees of security for your custom login pages:
See Also: "Managing OAM Server Secure Error Modes". |
Table 12-4 shows the error triggering condition and message codes for each of the three modes.
Table 12-4 Error Trigger Condition, Modes, and Message Codes
| Error Triggering Condition | Internal Mode | External Mode | Secure Mode |
|---|---|---|---|
|
Invalid login attempt |
OAM-1 |
OAM-2 |
OAM-8 |
|
Processing submitted credentials fails. For example: In WNA mode, the SPNEGO token is not received. |
OAM-3 |
OAM-3 |
OAM-8 |
|
An authentication exception is raised. |
OAM-4 |
OAM-4 |
OAM-9 |
|
User account gets locked based on certain conditions (exceeded invalid attempts, for instance). |
OAM-5 |
OAM-5 |
OAM-8 OAM-9 with OIM integration |
|
User account disabled. |
OAM-5 |
OAM-5 |
OAM-9 |
|
User has exceeded the maximum number of allowed sessions (a configurable attribute). |
OAM-6 |
OAM-6 |
OAM-9 |
|
Default error message, which is displayed when no other specific messages propagate up. This is not propagated to the user level. Cause could be multiple conditions. |
OAM-7 |
OAM-7 |
OAM-9 |
|
Password expired. |
OAM-10 |
OAM-10 |
OAM-9 |
Table 12-5 identifies the error codes, trigger conditions, and recommended messages.
See Also:
Developing Custom Error Pages in the Oracle Fusion Middleware Developer's Guide for Oracle Access ManagementTable 12-5 External Error Codes, Trigger Conditions, and Recommended Messages
| External Error Code | Trigger Condition | Recommended Display Message |
|---|---|---|
|
OAM-1 |
Invalid login attempts less than the allowed count. |
An incorrect Username or Password was specified |
|
OAM-2 |
Invalid login attempts less than the allowed count. |
An incorrect Username or Password was specified |
|
OAM-3 |
Processing submitted credentials fails for some reason. For example: in WNA mode, the SPENGO token is not received. |
Internal Error. |
|
OAM-4 |
An authentication exception is raised for some reason. |
System error. Please contact the System Administrator. |
|
OAM-5 |
The user account gets locked because of certain conditions (exceeded invalid attempts, for instance). OIM Integration. The Error page appears with contact details after the password is validated. |
The user account is locked or disabled. Please contact the System Administrator. |
|
OAM-5 |
The user account gets locked because of certain conditions (exceeded invalid attempts, for instance). OID Without OIM Integration: The Error page appears with contact details after the password is validated. |
The user account is locked or disabled. Please contact the System Administrator. |
|
OAM-5 |
The user account is disabled. |
The user account is locked or disabled. Please contact the System Administrator. |
|
OAM-6 |
The user has exceeded the maximum number of allowed sessions, which is a configurable attribute. |
The user has already reached the maximum allowed number of sessions. Please close one of the existing sessions before trying to login again. |
|
OAM-7 |
Failure could be due to multiple reasons; the exact reason is not propagated to the user level for security reasons. For instance:
The default error message is displayed when no other specific messages are propagated up. |
System error. Please re-try your action. If you continue to get this error, please contact the Administrator. |
|
OAM-8 |
See Table 12-4 |
Authentication failed. |
|
OAM-9 |
System error. Please re-try your action. If you continue to get this error, please contact the Administrator. |
System error. Please re-try your action. If you continue to get this error, please contact the Administrator. |
|
OAM-10 |
Password expired. |
The password has expired. |
12.4.2 Managing OAM Server Secure Error Modes
Users with valid Administrator credentials can perform the following task to modify Access Manager secure error modes for OAM Servers using the Oracle Access Management Console.
See Also:
"About Common Load Balancing Settings"To view or edit secure error modes for OAM Servers
-
From the Oracle Access Management Console, open Access Manager Settings Page:
System Configuration tab
Access Manager section
Access Manager Settings node
Load Balancing -
Server Error Mode:
-
Modify: Choose the desired Server Error Mode for your deployment (Table 12-3 and Table 12-5).
-
View Only: Close the page when you finish.
-
-
Click Apply to submit the changes (or close the page without applying changes).
-
Dismiss the Confirmation window.
-
Proceed to "Managing SSO Tokens and IP Validation".
12.5 Managing SSO Tokens and IP Validation
This section provides the following topics:
12.5.1 About Access Manager SSO Tokens and IP Validation Settings
Figure 12-4 shows the single-sign on (SSO) portion of the Access Manager Settings page. Table 12-6 describes each element and how it is used.
Table 12-6 Access Manager Settings: SSO
| Element | Description |
|---|---|
|
IP Validation |
Specific to Webgates and is used to determine whether a client's IP address is the same as the IP address stored in the ObSSOCookie generated for single sign-on. Check the box to enable IP Validation. Clear the box the disable IP Validation. |
|
SSO Token Version |
Select your SSO token version from the list. |
12.5.2 Managing SSO Tokens and IP Validation
Users with valid Administrator credentials can perform the following task to modify Access Manager load balancing settings using the Oracle Access Management Console.
See Also:
"About Common Load Balancing Settings"To view or edit Access Manager SSO specifications
-
From the Oracle Access Management Console, open Access Manager Settings Page:
System Configuration tab
Access Manager section
Access Manager Settings node -
On the Access Manager Settings page, expand the SSO section:
-
View Only: Close the page when you finish.
-
Modify: Perform remaining steps to edit the configuration.
-
-
Edit settings as needed for your deployment, based on details in Table 12-6.
-
Click Apply to submit the changes (or close the page without applying changes).
-
Dismiss the Confirmation window.
-
Proceed to "Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security".
12.6 Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security
This section provides the following details:
12.6.1 About Simple and Cert Mode Transport Security
Table 12-7 outlines the similarities between Simple and Cert modes.
See Also:
Appendix C, "Securing Communication"Table 12-7 Summary: Simple and Cert Mode
| Artifact or Process | Simple Mode | Cert Mode | Open Mode |
|---|---|---|---|
|
X.509 digital certificates only. |
X |
X |
N/A |
|
Communication between OAM Agents and OAM Servers is encrypted using Transport Layer Security, RFC 2246 (TLS v1). |
X |
X |
N/A |
|
For each public key there is a corresponding private key that Access Manager stores in a file: |
aaa_key.pem generated by openSSL |
aaa_key.pem generated by your CA |
N/A |
|
Signed certificates in Privacy Enhanced Mail (PEM) format |
aaa_cert.pem generated by openSSL |
aaa_cert.pem generated by your CA |
N/A |
|
During OAM Server configuration, secure the private key with a Global passphrase or PEM format details, depending on which mode you are using. Before an OAM Server or Webgate can use a private key, it must have the correct passphrase. |
Global passphrase stored in a nominally encrypted file:
|
PEM format:
|
N/A |
|
During OAM Agent or OAM Server registration, the communication mode is propagated to the Oracle Access Management Console. |
Same passphrase for each Webgate and OAM Server instance. |
Different passphrase for each Webgate and OAM Server instance. |
N/A |
|
The certificate request for the Webgate generates the certificate request file, which you must send to a root CA that is trusted by the OAM Sever. The root CA returns the Webgate certificates, which can then be installed either during or after Webgate installation. |
cacert.pem The certificate request, signed by the Oracle-provided openSSL Certificate Authority |
aaa_req.pem The certificate request, signed by the your Certificate Authority |
N/A |
|
Encrypt the private key using the DES Algorithm. For example:
openssl rsa -in aaa_key.pem -passin pass: -out aaa_key.pem -passout pass: passphrase -des
|
N/A |
X |
N/A |
|
Agent Key Password |
N/A |
Enter a password during agent registration in Cert Security mode (see Table 14-1, "Elements on Create Pages for 11g and 10g OAM Agents"). |
N/A |
|
During Agent registration, ObAccessClient.xml is generated in: $DOMAIN_HOME/output/$Agent_Name/ |
ObAccessClient.xml Copy to: 11g Webgate: $11gWebgate_instance_dir/config/OHS/ohs1/webgate/config If: $11gWebgate_instance_dir=$ORACLE_HOME/instance/instance1 10g Webgate: $Webgate_install_dir/oblix/lib |
ObAccessClient.xml Copy to: 11g Webgate: $11gWebgate_instance_dir/... 10g Webgate: $Webgate_install_dir/... |
ObAccessClient.xml Copy to: 11g Webgate: $11gWebgate_instance_dir/... 10g Webgate: $Webgate_install_dir/ ... |
|
During Agent registration, password.xml is generated in: $DOMAIN_HOME/output/$Agent_Name/ See Also: Appendix C |
password.xml Copy to: 11g Webgate: $11gWebgate_instance_dir/... 10g Webgate: $Webgate_install_dir/... |
password.xml Copy to: 11g Webgate: $11gWebgate_instance_dir/... 10g Webgate: $Webgate_install_dir/... |
N/A |
|
During Agent registration, aaa_key.pem is generated in: $DOMAIN_HOME/output/$Agent_Name/ See Also: Appendix C |
aaa_key.pem Copy to: 11g Webgate: $11gWebgate_instance_dir... 10g Webgate: $Webgate_install_dir... |
aaa_key.pem Copy to: 11g Webgate: $11gWebgate_instance_dir... 10g Webgate: $Webgate_install_dir... |
N/A |
12.6.2 About the Common OAM Proxy Page for Secure Server Communications
Table 12-8 describes the settings required for Simple or Cert mode configurations.
Table 12-8 Server Common OAM Proxy Secure Communication Settings
| Mode | Description |
|---|---|
|
Simple Mode Configuration |
The global passphrase for communication using OAM-signed X.509 certificates. This is set during initial OAM Server installation. Administrators can edit this passphrase and then reconfigure all existing OAM Agents to use it, as described in"Viewing or Editing Simple or Cert Settings for OAM Proxy". |
|
Cert Mode Configuration |
Details required for the Key KEYSTOREStore where the Cert mode X.509 certificates signed by an outside Certificate Authority reside:
Note: These are set during initial OAM Server installation. The certificates can be imported using the import certificate utility or the keytool shipped with JDK. Administrators can edit the alias and password and then reconfigure all existing OAM Agents to use them, as described in"Viewing or Editing Simple or Cert Settings for OAM Proxy". |
12.6.3 Viewing or Editing Simple or Cert Settings for OAM Proxy
Administrators can use this procedure to confirm or alter settings for the common OAM Proxy.
To view or edit Simple or Cert mode settings for the OAM Proxy
-
From the System Configuration tab, Access Manager section, open the Access Manager Settings page.
-
Expand the Access Protocol section of the page, if needed.
-
Simple Mode: Add or alter a Global Passphrase if you are using OAM-signed X.509 certificates.
-
Cert Mode Configuration: Specify the following details.
-
PEM Keystore Alias
-
PEM Keystore Alias Password
-
-
Click Apply to submit the changes and dismiss the Confirmation window (or close the page without applying changes).
-
Update Agent registration pages as needed to regenerate artifacts, and then replace the earlier artifacts as described in Chapter 13 or Chapter 14.
12.7 Managing Run Time Policy Evaluation Caches
This section explains:
See Also:
"About Run Time Resource Evaluation"12.7.1 About Run Time Policy Evaluation Caches
Figure 12-5 illustrates the Policy section of the Access Manager Settings page. This section provides settings for the Resource Matching Cache and the Authorization Result Cache, which come into play during policy evaluation at run time.
Figure 12-5 Common Policy Evaluation Caches
Description of "Figure 12-5 Common Policy Evaluation Caches"
Table 12-9 outlines these global settings that apply to all servers and requests.
Table 12-9 Policy Evaluation Caches
| Element | Description |
|---|---|
|
Resource Matching Cache |
Caches mappings between the requested URL and the policy holding the resource pattern that applies to the URL. Default Values:
|
|
Authorization Result Cache |
Caches policy decisions for the requested URL and user. Default Values:
See Also: Oracle Fusion Middleware Performance and Tuning Guide |
12.7.2 Managing Run Time Policy Evaluation Caches
Administrators can use this procedure to manage the Access Manager policy evaluation caches.
See Also:
Guide-
Oracle Fusion Middleware High Availability Guide
-
Oracle Fusion Middleware Performance and Tuning Guide
To manage common run time policy evaluation cache settings
-
From the Oracle Access Management Console, open Access Manager Settings Page:
System Configuration tab
Access Manager section
Access Manager Settings node
Load Balancing -
On the Access Manager Settings page, expand the Policy section.
-
Resource Matching Cache: Specify details and click apply (Table 12-9).
-
Authorization Result Cache: Specify details and click apply (Table 12-9).
-
Click Apply to submit the changes and dismiss the Confirmation window (or close the page without applying changes).