This chapter contains information about managing Oracle Access Management Mobile and Social on IBM WebSphere.
This chapter contains the following sections:
Configuring Mobile Services for Oracle Adaptive Access Manager
Moving Mobile and Social From a Test to a Production Environment
You can run Oracle Access Management commands from the IBM WebSphere wsadmin command line interface. For details, see Using the Oracle Fusion Middleware wsadmin Commands.
Oracle Access Management commands are documented in the WebLogic Scripting Tool Command Reference. The commands are functionally identical on WebLogic and WebSphere. When running Mobile and Social wsadmin commands, however, you must prefix the command name with the Mobile and Social idaas_commands category name. For example:
idaas_commands.createServiceProvider(...)
Most topics in the Administrator's Guide for Oracle Access Management apply to both WebSphere and WebLogic environments. In the "Configuring Mobile Services" chapter, when referring to the "Configuring Mobile Services for Oracle Adaptive Access Manager" section, use the following modified steps instead of the steps documented in the "Configuring the WebLogic Administration Domain" section.
Add users and groups from the WebSphere administration console. To do so, click Users and Groups > Manage Users/Manage Groups. Refer to the WebSphere documentation for more information.
In the WebSphere administration console, create a new data source with the same name and values as the OAAM_SERVER_DS data source defined in the oaam_server scope. Create this new data source in the scope of the managed server where oam_server is installed.
Note:
To extend an OAM domain for OAAM, run was_config.sh on top of the OAM install and choose the option to use the existing WebSphere Application Server profile.
Complete the items in this section to configure IBM WebSphere to support Internet Identity Services.
This section includes the following items:
Follow these steps to configure WebSphere to provide proper SSL support for Internet Identity Services in Mobile and Social.
Import the default IBM certificates from the trust keystore trust.p12 into the JDK cacerts keystore. This ensures that both the relying party side of Internet Identity Services and the Oracle Access Management console can use SSL properly.
In Mozilla Firefox, open the following URL, substituting the host name and port of the machine where the instance is installed (the console redirects to its HTTPS port):
http://<host name>:<port>/ibm/console
The browser presents a security page and prompts you to trust the certificate. Because the certificate you accept here is the one you will later add as a trusted signer, confirm before trusting it that it is the certificate WebSphere actually presents, for example by comparing its fingerprint with the node's personal certificate listed in the WebSphere console under Security > SSL certificate and key management.
View the certificate and export it to a file in .der format.
If necessary, copy the .der file to the server where WebSphere is deployed.
In the WebSphere Application Server Administrative Console, choose Security > SSL certificate and key management.
For both the Cell and Node levels where OAM is deployed, change the trust store file name setting from trust.p12 to the cacerts file that ships with the default IBM WebSphere JDK. Typically this file is located here:
<WAS_HOME>/java/jre/lib/security/cacerts
Be aware that cacerts ships with the well-known default password changeit, so set a non-default password (and use that same password in the trust store definition here), and that a JDK update can replace the file, so keep a backup and expect to re-add your signers after JDK updates.
Save your changes.
Click Signer Certificates to see all the signer certificates in the cacerts file.
Click Add, type an alias name, and type the path to the .der file you exported from the browser.
Save your settings.
Hard-restart both the OAM managed server and the server hosting the Oracle Access Management Console.
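As an added example (not from the Oracle documentation), the following script performs the signer import from the procedure above with keytool, the tool that ships in <WAS_HOME>/java, and refuses to import unless the certificate's SHA-256 fingerprint matches the one you read off the certificate in the browser. It assumes keytool is on the PATH; the paths, the alias and the store password in the usage comment are placeholders, and the JDK cacerts file ships with the well-known default password changeit.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: add an exported .der
# signer to a JKS/PKCS12 trust store (such as the JDK cacerts file) with keytool,
# but only after checking that its SHA-256 fingerprint matches the one shown by
# the browser. Paths, alias and store password are assumptions.
set -eu

# Print the SHA-256 fingerprint (colon-separated, upper case) of a DER
# certificate file, in the same form keytool -printcert reports it.
der_fingerprint() {
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p'
}

# Import DER file $1 as a trusted signer under alias $5 into keystore $3
# (store password $4), but only if its fingerprint equals $2 (case-insensitive).
# On a mismatch nothing is imported and the function returns 1.
import_signer() {
  der=$1; expected=$2; store=$3; storepass=$4; alias=$5
  actual=$(der_fingerprint "$der" | tr 'a-f' 'A-F')
  expected=$(printf '%s' "$expected" | tr 'a-f' 'A-F')
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch for $der: got '$actual', expected '$expected'" >&2
    return 1
  fi
  # -noprompt: keytool would otherwise ask "Trust this certificate?" interactively.
  keytool -importcert -noprompt -keystore "$store" -storepass "$storepass" \
    -alias "$alias" -file "$der" >/dev/null
}

# Example usage (placeholder values; the fingerprint is the one you verified in
# the browser before exporting the certificate):
#   WAS_HOME=/opt/IBM/WebSphere/AppServer
#   CACERTS="$WAS_HOME/java/jre/lib/security/cacerts"
#   cp "$CACERTS" "$CACERTS.bak"     # a JDK update can replace cacerts
#   import_signer ./wasconsole.der "AB:CD:...:EF" "$CACERTS" changeit wasconsole
```

The check matters because whatever lands in cacerts is trusted by every Java process using that file, so a mistyped path or a swapped certificate would otherwise be accepted silently; the same function can import the signers exported from trust.p12 for the first step of the procedure.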
If your apps are protected by Access Manager and use Internet Identity Services to provide users with additional log-in and registration options, you must configure user LDAP so that local log-in works properly. Because WebSphere does not include an embedded LDAP server like WebLogic, the LDAP user repository must be configured manually.
Configure your environment as follows:
Add the wasadmin user (the account used to log in to the WebSphere Administrative Console) to the LDAP repository.
Ensure that the following uid attributes are the same:
The uid attribute in the app using Internet Identity Services. See the "Editing or Deleting an Application Profile" section in the Administrator's Guide for Oracle Access Management for details. The OAMApplication Application Profile that is included with Mobile and Social is preconfigured to work with Access Manager and requires only minor configuration changes to get working in your environment.
The uid attribute used for Access Manager log-in. See the "Editing or Deleting an Application Profile" section in the Administrator's Guide for Oracle Access Management for details.
The uid attribute for (Mobile and Social) User Profile Services. See the "Editing or Deleting a User Profile Service Provider" section in the Administrator's Guide for Oracle Access Management for details.
If your app is directly integrated with Mobile and Social, and if Internet Identity Services and User Profile Services both point to a user repository other than the Access Manager user repository, both configurations should have the same uid attribute.
Note:
For all configurations, do not use the same attribute for the account linking attribute and the uid attribute. The account linking attribute and the uid attribute must be separate.
When moving Mobile and Social from a test environment to a production environment, complete the following configuration steps on each production machine after running the Test-to-Production scripts.
Note:
Before performing these steps, complete the "Moving Access Manager From a Test to Production Environment on IBM WebSphere" steps located in the "Managing Access Manager on IBM WebSphere" chapter.
Launch the Oracle Access Management Console.
On the Policy Configuration tab, choose Shared Components > Authentication Schemes > OIC Scheme and click Open.
The Authentication Schemes configuration page opens.
Update the Challenge Redirect URL value to point to the production machine, not the test machine, then click Apply.
For example: https://production_machine:port/oic_rp/login.jsp
Update the Mobile and Social credential store framework (CSF) entry so that it points to the production machine rather than the test machine. To do this, run the following command (shown in WLST form; through wsadmin, OPSS commands carry the Opss. prefix, for example Opss.createCred(...), in the same way that Mobile and Social commands carry the idaas_commands prefix):
createCred(map="OIC_MAP", key="https://<production machine host>:<production machine port>/oam/server/dap/cred_submit", user="<description>", password="DCC5332B4069BAB4E016C390432627ED", desc="<description>")
For password, use the TapCipherKey attribute of the RPPartner entry in oam-config.xml, which is located in the domain home/config/fmwconfig directory on the production machine; the value shown above is only an example. Because createCred adds a key rather than replacing one, the entry keyed by the test machine's URL stays in OIC_MAP until you remove it with deleteCred.
In the Oracle Access Management Console, do the following:
Select the System Configuration tab.
Choose Mobile and Social > Internet Identity Services.
In the Application Profiles section, select OAMApplication and click Edit. (If you use an application profile name other than OAMApplication, edit that profile instead.)
Update the Registration URL field host name and port to point to the production machine.
Click Apply.
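As an added example that is not part of the Oracle documentation, the following Python script pulls the RPPartner TapCipherKey out of oam-config.xml and builds the createCred call for the production host, so the key is copied from the file rather than retyped. It assumes that oam-config.xml is built from nested <Setting Name="..."> elements (the embedded fragment is constructed for this example and the real file's layout may differ), that OPSS commands in wsadmin carry the Opss. prefix, and uses placeholder host, port and description values.

```python
"""Added example, not from the Oracle documentation: extract the RPPartner
TapCipherKey from oam-config.xml and emit the createCred call for production.

Assumptions (labelled): oam-config.xml is modelled as nested <Setting Name="...">
elements; the fragment below is constructed and stands in for the real file.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for <domain home>/config/fmwconfig/oam-config.xml; the
# key value is the example value quoted in the procedure above.
SAMPLE_OAM_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Setting Name="RPPartner" Type="htf:map">
    <Setting Name="Id" Type="xsd:string">OAMRPPartner</Setting>
    <Setting Name="TapCipherKey" Type="xsd:string">DCC5332B4069BAB4E016C390432627ED</Setting>
  </Setting>
</Configuration>
"""


def _settings_named(root, name):
    """Every <Setting> element under root (root included) whose Name attribute matches."""
    return [el for el in root.iter("Setting") if el.get("Name") == name]


def find_tap_cipher_key(xml_text):
    """Return the TapCipherKey of the RPPartner entry, as element text or, failing
    that, as an XML attribute of the RPPartner element; raise LookupError if absent."""
    root = ET.fromstring(xml_text)
    for partner in _settings_named(root, "RPPartner"):
        for el in _settings_named(partner, "TapCipherKey"):
            if el.text and el.text.strip():
                return el.text.strip()
        if partner.get("TapCipherKey"):
            return partner.get("TapCipherKey")
    raise LookupError("no RPPartner/TapCipherKey found in oam-config.xml")


def jython_str(value):
    """Quote a value as a Jython double-quoted string literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_create_cred(host, port, tap_cipher_key, description,
                      map_name="OIC_MAP", wsadmin=False):
    """Build the createCred call whose key is the production cred_submit URL.

    wsadmin=True adds the Opss. prefix used for OPSS commands under wsadmin
    (an assumption stated in the lead-in); WLST takes the bare command."""
    if not tap_cipher_key or any(c.isspace() for c in tap_cipher_key):
        raise ValueError("TapCipherKey must be a single non-empty token")
    key = "https://%s:%d/oam/server/dap/cred_submit" % (host, int(port))
    args = ", ".join([
        "map=" + jython_str(map_name),
        "key=" + jython_str(key),
        "user=" + jython_str(description),
        "password=" + jython_str(tap_cipher_key),
        "desc=" + jython_str(description),
    ])
    return "%screateCred(%s)" % ("Opss." if wsadmin else "", args)


if __name__ == "__main__":
    # Placeholder production host, port and description.
    key = find_tap_cipher_key(SAMPLE_OAM_CONFIG)
    print(build_create_cred("prod.example.com", 14100, key,
                            "Mobile and Social RP partner", wsadmin=True))
```

Run it against the real oam-config.xml (read the file instead of SAMPLE_OAM_CONFIG) on the production machine and paste the printed line into wsadmin or WLST; the quoting helper is what prevents the stray quotes and embedded spaces that creep in when the command is assembled by hand.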