13 Managing Oracle Access Management Mobile and Social on IBM WebSphere

This chapter contains information about managing Oracle Access Management Mobile and Social on IBM WebSphere.

13.1 Using Mobile and Social WLST Commands on IBM WebSphere

You can run Oracle Access Management commands from the IBM WebSphere wsadmin command line interface. For details, see Using the Oracle Fusion Middleware wsadmin Commands.

Oracle Access Management commands are documented in the WebLogic Scripting Tool Command Reference. Oracle Access Management commands are functionally identical on WebLogic and WebSphere. When running Mobile and Social commands from wsadmin, however, you must prefix the command name with the Mobile and Social category name, idaas_commands. For example:

idaas_commands.createServiceProvider(...)

13.2 Configuring Mobile Services for Oracle Adaptive Access Manager

Most topics in the Administrator's Guide for Oracle Access Management apply to both WebSphere and WebLogic environments. In the "Configuring Mobile Services" chapter, when referring to the "Configuring Mobile Services for Oracle Adaptive Access Manager" section, use the following modified steps instead of the steps documented in the "Configuring the WebLogic Administration Domain" section.

13.2.1 Creating an Administrator for OAAM Administration

Add users and groups from the WebSphere administration console. To do so, click Users and Groups > Manage Users/Manage Groups. Refer to the WebSphere documentation for more information.

13.2.2 Adding Oracle Access Management Server as Target of OAAM Data Source

In the WebSphere administration console, create a new data source with the same name and values as the OAAM_SERVER_DS data source defined in the oaam_server scope. Create this new data source in the scope of the managed server where oam_server is installed.

Note:

To extend an OAM domain for OAAM, run was_config.sh on top of the OAM install and choose the option to use the existing WebSphere Application Server profile.

13.3 Supporting Internet Identity Services on IBM WebSphere

Complete the item in this section to configure IBM WebSphere to support Internet Identity Services.

13.3.1 Adding CA Certificates to the IBM Trust Store

Follow these steps to configure WebSphere to provide proper SSL support for Internet Identity Services in Mobile and Social.

Import the default IBM certificates from the trust keystore trust.p12 into the JDK cacerts keystore, and point the WebSphere trust store at cacerts. This ensures that both the relying party (that is, the Internet Identity Service Provider) and the Oracle Access Management console can use SSL properly.

  1. In Mozilla Firefox, open the administrative console over HTTPS, using the correct host name and secure port for the machine where the instance is installed:

    https://<host name>:<port>/ibm/console

    The browser presents a security page and prompts you to trust the certificate. (A plain http URL presents no certificate, so there is nothing to export.) Before trusting it, compare the certificate's fingerprint with the fingerprint of the server's personal certificate shown in the administrative console under Security > SSL certificate and key management > Key stores and certificates; trust and export only a certificate that matches.

  2. View the certificate and export it to a file using the .der format.

    If necessary, copy the .der file to the server where WebSphere is deployed.

  3. In the WebSphere Application Server Administrative Console, choose Security > SSL certificate and key management.

  4. For both the Cell and Node levels where OAM is deployed, change the trust store file name setting from trust.p12 to the cacerts file that ships with the default IBM WebSphere JDK, and set the trust store type (JKS) and password to match; the JDK default password is changeit unless it has been changed. Typically this file is located here:

    <WAS_HOME>/java/jre/lib/security/cacerts

    Note that cacerts contains the public CA certificates the JDK trusts, so after this change WebSphere trusts every issuer in that file, not only the signers that were in trust.p12.

    Save your changes.

  5. Click Signer Certificates to see all the signer certificates in the cacerts file.

  6. Click Add, type an alias name, and type the path to the .der file you exported in step 2.

    Save your settings.

  7. Hard-restart both the OAM managed server and the server hosting the Oracle Access Management Console.
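The following Python script is an added example, not part of this chapter or of the Oracle product, that performs steps 1, 2 and 6 from the command line instead of through Firefox: it fetches the certificate the console presents on its HTTPS port, writes it as DER, and calls keytool to add it to cacerts as a signer, but only after the certificate's SHA-256 fingerprint matches a value you verified out of band (for example, from Key stores and certificates in the administrative console). The host, port, alias name, the WAS_HOME environment variable and the default store password changeit are assumptions; the bytes used in the self-check are a constructed stand-in, not a real certificate.

```python
"""Export the WebSphere console certificate and add it to cacerts as a signer,
refusing to import anything whose fingerprint was not verified first."""
import hashlib
import os
import ssl
import subprocess
import sys
import tempfile
from pathlib import Path


def fetch_server_cert_der(host: str, port: int) -> bytes:
    """Return the leaf certificate the server presents, DER-encoded.

    No chain validation is done here: the point of the procedure is that
    the console certificate is not yet trusted by anything.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint, as keytool and Firefox show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _norm(fp: str) -> str:
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprints_match(a: str, b: str) -> bool:
    """Compare fingerprints regardless of separators or letter case."""
    return _norm(a) == _norm(b)


def keytool_import_command(cacerts: str, alias: str, der_file: str,
                           storepass: str = "changeit") -> list:
    """argv that adds a DER certificate as a trusted signer (step 6 from the CLI)."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts",
            "-alias", alias, "-file", der_file,
            "-keystore", cacerts, "-storepass", storepass]


def checked_import(der: bytes, expected_fp: str, cacerts: str, alias: str,
                   storepass: str = "changeit", runner=subprocess.run) -> list:
    """Write the DER file and import it, but only if the fingerprint matches.

    `runner` defaults to subprocess.run; pass a stand-in for a dry run.
    Returns the keytool argv that was executed.
    """
    actual = sha256_fingerprint(der)
    if not fingerprints_match(actual, expected_fp):
        raise ValueError(f"refusing to import: server fingerprint {actual} "
                         f"does not match expected {expected_fp}")
    with tempfile.NamedTemporaryFile(suffix=".der", delete=False) as fh:
        fh.write(der)
        der_file = fh.name
    cmd = keytool_import_command(cacerts, alias, der_file, storepass)
    runner(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # Usage: python add_console_signer.py <host> <port> <expected sha256 fp> [cacerts]
    # The cacerts default follows the path given in this chapter; WAS_HOME must be set.
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    default_cacerts = Path(os.environ["WAS_HOME"]) / "java/jre/lib/security/cacerts"
    cacerts = sys.argv[4] if len(sys.argv) > 4 else str(default_cacerts)
    der = fetch_server_cert_der(host, port)
    print("server presents:", sha256_fingerprint(der))
    print("ran:", " ".join(checked_import(der, expected, cacerts, "was-console")))
```

After the import, `keytool -list -v -alias was-console -keystore <cacerts> -storepass changeit` shows the signer, and the same fingerprint should then appear under Signer Certificates in step 5.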

13.3.2 Configuration Requirements for Apps Protected by Access Manager

If your apps are protected by Access Manager and use Internet Identity Services to provide users with additional log-in and registration options, you must configure the user LDAP repository so that local log-in works properly. Because WebSphere does not include an embedded LDAP server as WebLogic does, the LDAP user repository must be configured manually.

Configure your environment as follows:

  • Add to the LDAP repository the wasadmin user that is used to log in to the Administration Console.

  • Ensure that the following uid attributes are the same:

    • The uid attribute in the app using Internet Identity Services. See the "Editing or Deleting an Application Profile" section in the Administrator's Guide for Oracle Access Management for details. The OAMApplication Application Profile that is included with Mobile and Social is preconfigured to work with Access Manager and requires only minor configuration changes to get working in your environment.

    • The uid attribute used for Access Manager log-in. See the "Editing or Deleting an Application Profile" section in the Administrator's Guide for Oracle Access Management for details.

    • The uid attribute for (Mobile and Social) User Profile Services. See the "Editing or Deleting a User Profile Service Provider" section in the Administrator's Guide for Oracle Access Management for details.

  • If your app is directly integrated with Mobile and Social, and if Internet Identity Services and User Profile Services both point to a user repository other than the Access Manager user repository, both configurations should have the same uid attribute.

Note:

For all configurations, do not use the same attribute for the account linking attribute and the uid attribute. The account linking attribute and the uid attribute must be separate.

13.4 Moving Mobile and Social From a Test to a Production Environment

When moving Mobile and Social from a test environment to a production environment, complete the following configuration steps on each production machine after running the Test-to-Production scripts.

Note:

Before performing these steps, complete the "Moving Access Manager From a Test to Production Environment on IBM WebSphere" steps located in the "Managing Access Manager on IBM WebSphere" chapter.

  1. Launch the Oracle Access Management Console.

  2. On the Policy Configuration tab, choose Shared Components > Authentication Schemes > OIC Scheme and click Open.

    The Authentication Schemes configuration page opens.

    Update the Challenge Redirect URL value to point to the production machine, not the test machine, then click Apply.

    For example: https://production_machine:port/oic_rp/login.jsp

  3. Update the Mobile and Social credential store framework (CSF) entry to point from the test machine to the production machine. To do this, run the following command (shown in WLST syntax; from wsadmin, invoke the same OPSS command through its category prefix, as described in Section 13.1 for Mobile and Social commands):

    createCred(map="OIC_MAP", key="https://<production machine host>:<production machine port>/oam/server/dap/cred_submit", user="<description>", password="DCC5332B4069BAB4E016C390432627ED", desc="<description>")

    The key is the cred_submit URL of the production server and must contain no spaces. For password, use the value of the TapCipherKey attribute in the RPPartner entry of oam-config.xml, which is located in the <domain home>/config/fmwconfig directory on the production machine; the value shown above is only an example. Treat the TapCipherKey as a secret: do not leave it in shell history, tickets, or scripts checked into source control.

  4. In the Oracle Access Management Console, do the following:

    1. Select the System Configuration tab.

    2. Choose Mobile and Social > Internet Identity Services.

    3. In the Application Profiles section, select OAMApplication and click Edit. (If using an application profile name other than OAMApplication, edit that instead.)

    4. Update the Registration URL field host name and port to point to the production machine.

      Click Apply.
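The following Python script is an added example, not from this chapter or the Oracle product, that covers step 3 of the procedure above: it reads the TapCipherKey from the RPPartner entry of the production oam-config.xml and prints the createCred call for the OIC_MAP entry, refusing a key URL that is not https or that still names the test host. The sample oam-config.xml fragment is constructed, and its nested Setting layout is an assumption based on the file's general style; the key value, host names and ports are placeholders. The optional prefix argument is for wsadmin, where the OPSS command is expected to be invoked as Opss.createCred; that prefix is an assumption to check against the wsadmin command reference for your release.

```python
"""Build the createCred() call for the OIC_MAP credential from a production
oam-config.xml, with checks for the usual test-to-production slip-ups."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample in the nested <Setting Name=... Type=...> style of
# oam-config.xml (layout assumed; only the RPPartner/TapCipherKey path matters).
SAMPLE_OAM_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Setting Name="DeployedComponent" Type="htf:map">
    <Setting Name="RPPartner" Type="htf:map">
      <Setting Name="TapCipherKey" Type="xsd:string">0123456789ABCDEF0123456789ABCDEF</Setting>
      <Setting Name="Description" Type="xsd:string">placeholder</Setting>
    </Setting>
  </Setting>
</Configuration>
"""


def _local_name(tag: str) -> str:
    """Strip any XML namespace so the search does not depend on the file's xmlns."""
    return tag.rsplit("}", 1)[-1]


def _settings_named(element, name: str):
    """Yield every <Setting Name="name"> at or below element."""
    for el in element.iter():
        if _local_name(el.tag) == "Setting" and el.get("Name") == name:
            yield el


def find_tap_cipher_key(xml_text: str) -> str:
    """Return the RPPartner TapCipherKey value, or raise LookupError if absent."""
    root = ET.fromstring(xml_text)
    for partner in _settings_named(root, "RPPartner"):
        for key_setting in _settings_named(partner, "TapCipherKey"):
            value = (key_setting.text or "").strip()
            if value:
                return value
    raise LookupError("no RPPartner/TapCipherKey setting found in oam-config.xml")


def cred_submit_url(host: str, port: int) -> str:
    """The OAM DAP credential-submit endpoint that the CSF key must name."""
    return f"https://{host}:{port}/oam/server/dap/cred_submit"


def build_create_cred(prod_host: str, prod_port: int, tap_cipher_key: str,
                      desc: str, test_host: str = None, prefix: str = "") -> str:
    """Return the createCred(...) line for the OIC_MAP entry after sanity checks."""
    url = cred_submit_url(prod_host, prod_port)
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("cred_submit URL must use https")
    if test_host and parts.hostname == test_host.lower():
        raise ValueError(f"key still points at the test host {test_host}")
    if any(c.isspace() for c in tap_cipher_key) or not tap_cipher_key:
        raise ValueError("TapCipherKey must be a single non-empty token")
    if '"' in desc or "\n" in desc:
        raise ValueError("description must not contain quotes or newlines")
    return (f'{prefix}createCred(map="OIC_MAP", key="{url}", user="{desc}", '
            f'password="{tap_cipher_key}", desc="{desc}")')


if __name__ == "__main__":
    # Usage: python oic_cred.py <production oam-config.xml> <prod host> <prod port> [test host]
    xml_text = Path(sys.argv[1]).read_text(encoding="utf-8")
    test_host = sys.argv[4] if len(sys.argv) > 4 else None
    key = find_tap_cipher_key(xml_text)
    print(build_create_cred(sys.argv[2], int(sys.argv[3]), key, "OIC cred_submit",
                            test_host=test_host))
```

The script prints the command rather than executing it so the key never lands in shell history; paste it into an interactive wsadmin session, or feed it from a file that is deleted afterwards.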