Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service 11g Release 1 (11.1.1) Part Number E15478-07
This chapter explains how to navigate to and configure properties that are common to both Oracle Access Manager and Oracle Security Token Service. This chapter includes the following topics:
This section introduces the common System Configuration elements, shared by all OAM Servers and services in the domain. Figure 4-1 shows the Common Configuration section of the System Configuration navigation tree.
Figure 4-1 Common Configuration Nodes in Navigation Tree
Table 4-1 introduces the common configuration elements that apply to all services in the suite, and where you can find more information on each one.
Table 4-1 Common Configuration Nodes in Navigation Tree
Node | Description |
---|---|
Available Services | Provides access to all services. |
Common Settings | Provides properties and settings that apply to all services in the suite, including Session lifetime, Oracle Coherence, Auditing configuration, and Default and System Identity Stores. |
Server Instances | Provides access to all registered OAM Server instances. |
Session Management | Provides access to user session management operations. |
Certificate Validation | Provides access to the certificate revocation list and OCSP/CDP settings. See: "Managing Global Certificate Validation and Revocation". |
Data Sources | Provides access to registered user identity stores for Oracle Access Manager and Oracle Security Token Service. |
Plug-Ins | Provides access to custom plug-ins to extend authentication functionality for Oracle Access Manager with Oracle Security Token Service. |
By default, Oracle Security Token Service is disabled at installation time and must be enabled as described here before it can be used.
Figure 4-2 shows the Available Services page of the Common Configuration section. This page shows the status of services and provides controls to enable or disable a service.
A green check mark in the Status field beside the service name indicates the service is enabled. A red circle with a line through it indicates that the corresponding service is disabled.
Oracle Access Manager (OAM) must be enabled, whether Oracle Security Token Service is enabled or disabled. Oracle Access Manager does not require Oracle Security Token Service. However, Oracle Access Manager must be enabled to use Oracle Security Token Service.
Prerequisites
AdminServer must be running.
Logging In to and Signing Out of Oracle Access Manager Console
To enable or disable an available service
Log in to the Oracle Access Manager Console, as usual
https://hostname:port/oamconsole/
From the System Configuration tab, Common Configuration section, click Available Services.
Enable Service: Click Enable beside the desired service name (or confirm that the Status check mark is green).
Disable Service: Click Disable beside the desired service name (or confirm that the Status check mark is red).
The Common Settings apply to all OAM Server instances and services. This section provides the following topics:
Common Settings apply to all services within the suite. Figure 4-3 shows the named sections on the Common Settings page, which can be expanded to reveal related elements and values.
Figure 4-3 Common Settings Page (Collapsed View)
OAM Administrators can control and specify parameters used by the entire suite, not just a single service, as introduced in Table 4-2.
Table 4-2 Common Settings
Tab Name | Description |
---|---|
Session | Session management refers to the process of managing the lifecycle requirements of a user session, and notification of session events to enable global logout. Global logout is required for OSSO Agents (mod_osso) to ensure that logging out of a session on any entity propagates the logout to all entities. See Also: "Managing Common Settings". |
Coherence | Common Oracle Coherence settings shared by all OAM Servers differ from those for individual OAM Servers. However, in both cases Oracle recommends that you make no adjustments to these settings unless instructed to do so by an Oracle Support Representative. See Also: "Managing Common Settings". |
Audit Configuration | Oracle Access Manager supports auditing for a large number of administrative and run-time events, uniform logging and exception handling, and the diagnostics of all audit events. Oracle Access Manager auditing configuration is recorded in See Also: "Managing Common Settings". |
Default and System Identity Stores | This section identifies the default identity and system stores, which can be one and the same (or different). See Also: "Managing Common Settings". |
See Also:
Details for other operations common to all OAM components:
Users with valid OAM Administrator credentials can perform the following task to display the Common Settings page and make changes. Each main step includes a reference to more information elsewhere in this book.
Prerequisites
The OAM Server must be running.
To manage common settings
From the System Configuration tab, Common Configuration section, double-click Common Settings in the navigation tree.
Session:
On the Common Settings page, expand the Session section.
Click the arrow keys beside each list to increase or decrease session lifecycle settings as needed:
Check the box to enable Database Persistence for Active Sessions (or clear it to disable Database Persistence).
Click Apply to submit your changes.
See Also: Chapter 7, "Managing Sessions".
Coherence: See "Viewing Common Coherence Settings".
Audit Configuration:
Open the Audit Configuration section.
In the Audit Configuration section, enter appropriate details for your environment:
Click Apply to submit the Audit Configuration (or close the page without applying changes).
See Also: Chapter 25, "Auditing Administrative and Run-time Events".
Default and System Identity Stores:
Expand the Default and System Identity Stores section.
Click the name of the System Store (or Default Store) to display the configuration page.
See "Setting the Default Store and System Store" for more information.
Figure 4-4 shows the Common Settings page with the coherence section expanded.
Note:
Oracle strongly recommends that you do not alter these settings without the assistance of Oracle Support.
Table 4-3 describes these settings.
Table 4-3 Common Coherence Settings
Element | Description |
---|---|
Port | Value between 1 and 65535 is supported. |
Cluster Address | Value between 224.1.255.0 and 239.255.255.255 is allowed. |
Time to Live | Value between 0 and 255 is supported. |
Cluster Port | Value between 1 and 65535 is supported. |
To view Common Coherence settings
From the System Configuration tab, expand the Common Configurations section, and double-click Common Settings.
On the Common Settings page, expand the Coherence section.
Close the page when you finish.
This section provides the following topics:
Oracle Access Manager uses the Online Certificate Status Protocol (OCSP) to maintain the security of a server and other network resources. OCSP is used for obtaining the revocation status of an X.509 digital certificate. OCSP specifies the communication syntax between the server containing the certificate status and the client application that is informed of that status.
An OCSP responder can return a signed response signifying that the certificate specified in the request is 'good', 'revoked' or 'unknown'. If OCSP cannot process the request, it can return an error code.
The certificate validation module is used by Oracle Security Token Service (OSTS) to validate X.509 tokens and, where needed, to verify whether the certificates have been revoked, by using:
Certificate Revocation Lists (CRLs)
Online Certificate Status Protocol (OCSP)
CRL Distribution Point extensions (CDP extensions)
A Certificate Revocation List (CRL) is a common way to maintain access to servers in a network when using a public key infrastructure. The CRL is a list of subscribers paired with their digital certificate status. Revoked certificates are listed with a reason. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release. When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for the particular user.
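As an added illustration (not part of the Oracle documentation), the following Python models the allow-or-deny decision described above: the CRL answers when it is current and issued by the certificate's issuer, OCSP is consulted only when the CRL cannot answer, and an 'unknown' answer or a responder error fails closed by default. The issuer name, serial numbers, CRL entries and responder are constructed sample data, not real X.509 objects.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# RFC 5280 CRLReason codes (subset), used to explain why an entry was revoked
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               4: "superseded", 5: "cessationOfOperation", 6: "certificateHold"}

@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime  # the "proposed date for the next release"
    revoked: dict = field(default_factory=dict)  # serial -> (revoked at, reason code)

def crl_status(crl, issuer, serial, now):
    """Return ('good'|'revoked'|'unknown', detail); 'unknown' = this CRL cannot answer."""
    if crl.issuer != issuer:
        return "unknown", "CRL issuer does not match certificate issuer"
    if now < crl.this_update or now > crl.next_update:
        return "unknown", "CRL is stale or not yet valid"
    if serial in crl.revoked:
        when, reason = crl.revoked[serial]
        return "revoked", f"revoked {when.isoformat()} ({CRL_REASONS.get(reason, reason)})"
    return "good", "serial not listed"

def decide(crl, ocsp_lookup, issuer, serial, now, fail_open=False):
    """Allow (True) or deny (False): consult the CRL first, fall back to OCSP only when
    the CRL cannot answer. ocsp_lookup(serial) returns a status or raises on an error code."""
    status, detail = crl_status(crl, issuer, serial, now)
    source = "CRL"
    if status == "unknown":
        source = "OCSP"
        try:
            status, detail = ocsp_lookup(serial), "responder answer"
        except Exception as exc:  # responder could not process the request
            status, detail = "unknown", f"OCSP error: {exc}"
    if status == "good":
        return True, f"{source}: good ({detail})"
    if status == "revoked":
        return False, f"{source}: {detail}"
    # Neither source could vouch for the certificate: fail closed unless overridden
    return fail_open, f"{source}: unknown ({detail}), fail_open={fail_open}"

# Constructed sample data: a one-week CRL with one revoked serial, plus a fake responder
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_CRL = CRL("CN=Example Issuing CA", NOW - timedelta(days=1), NOW + timedelta(days=6),
                 {0x1A2B: (NOW - timedelta(hours=2), 1)})
STALE_TIME = NOW + timedelta(days=30)  # past next_update: the CRL can no longer answer

def sample_ocsp(serial):
    return {0x1A2B: "revoked", 0x3C4D: "good"}.get(serial, "unknown")
```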
Figure 4-5 shows OCSP/CDP settings for global certificate validation in the console.
Figure 4-5 OCSP/CDP Settings for Global Certificate Validation
Figure 4-6 shows adding a CA CRL using the console.
Figure 4-6 Certificate Revocation List Dialog Box
Users with OAM Administrator credentials can use the following procedure to maintain the security of a server and other network resources. This is accomplished by enabling Certificate Revocation List (CRL) checking and importing current CA Certificate Revocation Lists.
Prerequisites
Have your CA Certificate Revocation List (CA CRL) ready to import.
To manage certificate revocation lists
From the Oracle Access Manager Console System Configuration tab, Common Configuration section, select Certificate Validation.
Open the Certificate Revocation List node and:
Confirm that the Enabled box is checked.
Add: Click the Add button, browse for the CRL file and select it, click Import.
Remove: Click the name of the list in the table, click the Delete (x) button, and confirm when asked.
Save the configuration.
Search for CRLs:
Review the table.
Enable Query by Example and enter the filter strings in the header fields of the table.
Proceed to "Managing Certificate Validation".
Users with OAM Administrator credentials can use the following procedure to maintain the security of a server and other network resources. This is accomplished by enabling the Online Certificate Status Protocol.
Prerequisites
Have your CA Certificate Revocation List (CA CRL) ready to import.
To manage certificate validation
From the Oracle Access Manager Console System Configuration tab, Common Configuration section, select Certificate Validation.
Open the Certificate Revocation List node:
Confirm that the Enabled box is checked.
Save the configuration.
Open the OCSP/CDP node and:
Enable OCSP
Enter the URL of the OCSP Service
Enter the Subject DN of the OCSP Service
Save this configuration.
Proceed to "Configuring CDP".
Users with OAM Administrator credentials can use the following procedure to maintain the security of a server and other network resources.
To configure CDP
From the Oracle Access Manager Console System Configuration tab, Common Configuration section, select Certificate Validation.
Open the Certificate Revocation List node:
Confirm that the Enabled box is checked.
Save the configuration.
Open the OCSP/CDP node and:
Enable CDP.
Save this configuration.