6 Integrating Oracle Access Manager and Oracle Adaptive Access Manager

This chapter explains how to integrate Oracle Adaptive Access Manager with Oracle Access Manager to provide advanced login security. The integration includes virtual authentication devices, device fingerprinting, real-time risk analysis, and risk-based challenge authentication.

This chapter contains these sections:

• About Basic and Advanced Integration Modes

• Oracle Access Manager-Oracle Adaptive Access Manager Basic Integration

• Oracle Access Manager-Oracle Adaptive Access Manager Advanced Integration

• Configuration and Troubleshooting

Note:

Integration with Oracle Identity Manager provides additional features related to password collection. See Chapter 7, "Integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager".

See Also:

Chapter 2, "Introduction to Oracle Access Manager Integrations".

6.1 About Basic and Advanced Integration Modes

There are several types of Oracle Access Manager and Oracle Adaptive Access Manager integration. Basic requires less server resources and offers a subset of functionality where Advanced requires an additional managed server but is not limited in functionality.

Table 6-1 summarizes the Oracle Access Manager and Oracle Adaptive Access Manager integrations types.

Table 6-1 Types of Oracle Access Manager-Oracle Adaptive Access Manager Integration

Details	Basic	Advanced	Advanced Using TAP
Available	11.1.1.3.0	11.1.1.3.0	11.1.1.5.0
Description	The Basic integration embeds the Oracle Adaptive Access Manager server into Oracle Access Manager. It includes the libraries and configuration interface for different flows (challenge, registration, and so on) and reduces the footprint. Note: The OAAM Server is embedded in the Oracle Access Manager Server, but you will still need a separate managed server for the OAAM Admin application.	The Advanced integration option includes OTP Anywhere, a challenge processor framework, the shared library framework, and the secure self-service password management flows.	The Advanced integration option using TAP includes all the features of the 11g (11.1.1.3) integration and supports the use of both 10g and 11g agents.
Supported Agents	10g WebGate and OSSO Agent	10g WebGate	10g and 11g WebGates
Authentication Scheme	The native integration offers the OAAMBasic authentication scheme out-of-the-box. For information about the scheme, see "Managing Authentication Schemes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.	OAAMAdvanced authentication scheme	tapScheme
Where information is located	Section 6.2, "Oracle Access Manager-Oracle Adaptive Access Manager Basic Integration"	Section 6.3, "Oracle Access Manager-Oracle Adaptive Access Manager Advanced Integration"	Chapter 7, "Integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager"

6.2 Oracle Access Manager-Oracle Adaptive Access Manager Basic Integration

Oracle Access Manager and Oracle Adaptive Access Manager Basic integration, which is a native integration, requires the OAM server and OAAM Admin Server in the IDM Middleware WebLogic Domain and a functional OAAM database. The OAAM Admin Server is used by Oracle Access Manager Administrators to import and export policies, create new policies, view sessions, and configure Oracle Adaptive Access Manager functionality. When policies are imported, exported, or configured, the changes are saved to the OAAM database.

The Oracle Adaptive Access Manager libraries are bundled with the Oracle Access Manager server. Oracle Access Manager is integrated with Oracle Adaptive Access Manager through the extension libraries and uses them directly. The rules engine and the runtime functionality of Oracle Adaptive Access Manager are provided using these libraries. When a user enters the registration flow, Oracle Access Manager shows the user the virtual authentication devices and runs the pre-authentication policies by using the OAAM libraries to make API calls. The OAAM libraries internally make JDBC calls to save the data related to the user to the OAAM database. The OAAM Server is not needed in this deployment since the Oracle Adaptive Access Manager runtime functionalities are available through the libraries. Knowledge-based Authentication (KBA) is the only challenge mechanism available in this integration.

This section explains how to integrate Oracle Access Manager (OAM) 11g and Oracle Adaptive Access Manager (OAAM) 11g as a Basic integration.

See Also:

Section 2.8.2, "Deployment Options for Strong Authentication".

The following topics explain how this type of integration is implemented:

• Processing Flow for Native Integration

• Prerequisites

• Native Integration Steps

6.2.1 Processing Flow for Native Integration

The flow is as follows:

1. The Oracle Access Manager server receives a request for a page protected by an Oracle Access Manager WebGate.

2. Oracle Access Manager calls the Oracle Adaptive Access Manager APIs to execute the pre-authentication rules. Based on the result (allow/block/deny), Oracle Access Manager displays the appropriate pages to collect credentials. Oracle Access Manager performs all the processing, never passing control to Oracle Adaptive Access Manager.

3. Oracle Access Manager collects the user credentials.

4. Oracle Access Manager verifies the credentials against the identity store.

5. To run post-authentication rules, Oracle Access Manager calls the Oracle Adaptive Access Manager APIs again. Based on the result (register user, register questions, register user [optional], challenge, allow, or block), Oracle Access Manager renders the appropriate set of pages.

   For example, if the result of the rule check is a challenge, Oracle Access Manager renders a challenge question page with the security question displayed.

6.2.2 Prerequisites

Take the following steps to prepare for the integration procedure:

1. Install the Oracle Database.

2. Create and load the Oracle Access Manager and Oracle Adaptive Access Manager schemas in the database.

   See the Oracle Fusion Middleware Repository Creation Utility User's Guide for instructions on running the Repository Creation Utility to create the Oracle Access Manager and Oracle Adaptive Access Manager schemas in the database repository.

3. Install WebLogic Servers

   See the Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server for complete information on installing the Oracle WebLogic Server.

4. Install Oracle Access Manager and Oracle Adaptive Access Manager.

   See the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for instructions on installing Oracle Access Manager and Oracle Adaptive Access Manager.

5. Patch the software to the latest version.

6. Run the Oracle Identity Management 11g Configuration Wizard to configure Oracle Adaptive Access Manager in a new WebLogic administration domain or in an existing one.

   Refer to "Configuring Oracle Adaptive Access Manager" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management for instructions on configuring Oracle Adaptive Access Manager.

7. Start the Administration Server for the WebLogic domain.

   For UNIX systems:

   DOMAIN_HOME/bin/startWebLogic.sh
   

   For Windows systems:

   DOMAIN_HOME\bin\startWebLogic.cmd
   

6.2.3 Native Integration Steps

Follow the steps in this section to implement the Oracle Access Manager and Oracle Adaptive Access Manager integration.

If you prefer to use the configureOAAM WLST command to create the data source, associate it as a target with the OAM server, and enable the property in the oam-config.xml, refer to "Using ConfigureOAAM WLST to Create the Datasource".

1. Locate and modify the oam-config.xml file manually.

   The oam-config.xml file contains all OAM-related system configuration data and is located in the DOMAIN_HOME/config/fmwconfig directory.

   Set the OAAMEnabled property to true as shown in the following example:

   <Setting Name="OAAM" Type="htf:map">
   <Setting Name="OAAMEnabled" Type="xsd:boolean">true</Setting>
   <Setting Name="passwordPage" Type="xsd:string">/pages/oaam/password.jsp</Setting>
   <Setting Name="challengePage" Type="xsd:string">/pages/oaam/challenge.jsp</Setting>
   <Setting Name="registerImagePhrasePage" Type="xsd:string">/pages/oaam/registerImagePhrase.jsp</Setting>
   <Setting Name="registerQuestionsPage" Type="xsd:string">/pages/oaam/registerQuestions.jsp</Setting>
   

2. Navigate to the Oracle Access Manager Administration Console:

   http://oam_admin_server_host:oam_admin_server_port/oamconsole
   

3. Select Resources under IDMDomainAgent.

4. Add the protected resource.

   For example, provide the following information for the resource:

   • Host Identifier: IDMDomain

   • Resource URL: /<resource>/.../*

5. Create a new Authentication Policy under IDMDomainAgent and make sure to set the Authentication Scheme to OAAMBasic.

   In this step, you are associating the protected resource with the OAAMBasic Authentication Scheme.

6. Create a user that has the correct privileges to log in to the Oracle Adaptive Access Manager Administration Console and then grant the necessary groups to the user.

   For information, refer to "Creating OAAM Users" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

7. Start the OAAM Admin Server, oaam_admin_server1, to register the newly created managed servers with the domain.

   For UNIX systems, start the OAAM Administration Server by using the startManagedWebLogic.sh command, which is located in the DOMAIN_HOME/bin directory:

   startManagedWebLogic.sh oaam_admin_server1
   

   For Windows systems, start the OAAM Administration Server by using the startManagedWebLogic.cmd command, which is located in the DOMAIN_HOME\bin directory:

   startManagedWeblogic.cmd oaam_admin_server1
   

8. Log in to the OAAM Administration Console as an Oracle Adaptive Access Manager Administrator:

   http://oaam_managed_server_host:14200/oaam_admin
   

9. Import the Oracle Adaptive Access Manager snapshot into the system using the Oracle Adaptive Access Manager Administration Console. The snapshot contains policies, challenge questions, dependent components, and configurations that are required by Oracle Adaptive Access Manager.

   For instructions on importing the snapshot, refer to "Importing the OAAM Snapshot" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

10. Shut down the OAAM Administration Server, oaam_admin_server1.

    For UNIX systems, stop the OAAM Administration Server by using the stopManagedWebLogic.sh command, which is located in the DOMAIN_HOME/bin directory:

    stopManagedWebLogic.sh oaam_admin_server1
    

    For Windows systems, stop the OAAM Administration Server by using the stopManagedWebLogic.cmd command, which is located in the DOMAIN_HOME\bin directory:

    stopManagedWeblogic.cmd oaam_admin_server1
    

11. Access the Oracle WebLogic Administration Console:

    http://weblogic_admin_server:7001/console
    

12. If Oracle Adaptive Access Manager is not configured to be in the same WebLogic domain as Oracle Access Manager, perform the following steps for Oracle Access Manager:

    • Create a datasource with the following JNDI name:

      jdbc/OAAM_SERVER_DB_DS
      

      Note:

      The name of the datasource can be any valid string, but the JNDI name should be as shown above.

    • To the schema you created as part of the Oracle Adaptive Access Manager configuration, provide the connection details for the Oracle Adaptive Access Manager database.

13. Click Services and then Database Resources and locate the OAAM_SERVER_DB_DS resource.

14. Lock the environment by clicking the Lock button in the upper left corner of the WebLogic Administration Console.

15. Open the OAAM_SERVER_DB_DS resource and click the Target tab. Once there, you are presented a list of WebLogic servers that are available.

16. Associate Administration Server and oam_server1 as targets with the datasource.

17. Click the Activate button in the upper left corner of the Oracle WebLogic Administration Console.

18. Start the OAM Server, oam_server1.

    For UNIX systems, start the OAM Server by using startManagedWebLogic.sh, which is located in DOMAIN_HOME/bin:

    startManagedWebLogic.sh oam_server1
    

    For Windows systems, start the OAM Server by using startManagedWebLogic.cmd, which is located in DOMAIN_HOME\bin:

    startManagedWeblogic.cmd oaam_server1
    

19. Access the protected resource to verify the configuration.

    At this point the configuration of Oracle Adaptive Access Manager is completed. To test the configuration go to:

    http://admin_server:7001/resource
    

    You are prompted to enter a user name. Then, on a separate screen you are prompted for the password.Once the user name and password are validated you are asked to answer challenge questions. Once completed you are taken to the protected application.

20. For further testing, remote-register two agents, each protecting a resource.

21. Use the Administration Console to associate the first resource with the OAAMBasic policy for the authentication flow. Associate the second resource with the LDAPScheme.

    See Also:

    "Managing Authentication Schemes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

6.3 Oracle Access Manager-Oracle Adaptive Access Manager Advanced Integration

Integrating Oracle Adaptive Access Manager with Oracle Access Manager provides an enterprise with advanced access security features that greatly improve the level of protection for applications. Features including anti-phishing, anti-malware, device fingerprinting, behavioral profiling, geolocation mapping, real-time risk analysis and multiple risk-based challenge mechanisms such as one-time password and knowledge based authentication questions provide an increased level of access security.

Features supporting the strong authentication flow for Oracle Access Manager logins are summarized in Table 6-2.

See Also:

Section 2.8.2, "Deployment Options for Strong Authentication".

Table 6-2 Oracle Adaptive Access Manager Features Supporting Strong Authentication for OAM Logins

Feature	Description
Virtual authenticators	Oracle Adaptive Access Manager includes unique functionality to protect users while interacting with a protected web application. The virtual authentication devices harden the process of entering and transmitting authentication credentials and provide users with verification they are authenticating on a valid application. For details on virtual authenticators, refer to "Using Virtual Authentication Devices" in the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager.
Fraud rules	Rules are used to evaluate the level of risk at each checkpoint. For information on policies and rules, refer to "OAAM Security and Autolearning Policies" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
Knowledge Based Authentication (KBA)	Knowledge-based authentication (KBA) is a secondary authentication method that provides an infrastructure for users to select questions and provide answers which are used to challenge them later on, registration logic to manage the registration of challenge questions and answers, Answer Logic to intelligently detect the correct answers in the challenge response process, and validations for answers given by a user at the time of registration. For information, refer to "Managing Knowledge-Based Authentication" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
OTP Anywhere	OTP Anywhere is a risk-based challenge solution consisting of a server generated one-time password delivered to an end user via a configured out-of-band channel. For information, refer to "Setting Up OTP Anywhere" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

6.3.1 Processing Flow for Advanced Integration

The flow of interactions between Oracle Access Manager and Oracle Adaptive Access Manager is as follows:

1. A user tries to access a resource protected by Oracle Access Manager.

2. The Oracle Access Manager WebGate intercepts the (unauthenticated) request and redirects the user to the Oracle Adaptive Access Manager Server.

3. The Oracle Adaptive Access Manager Server presents the user with the Oracle Adaptive Access Manager user name page.

4. The user submits his user name on the Oracle Adaptive Access Manager user name page.

5. Oracle Adaptive Access Manager fingerprints the user device and runs pre-authentication rules to determine if the user should be allowed to proceed to the Oracle Adaptive Access Manager password page.

6. Device fingerprinting is performed.

   Device fingerprinting is performed. Device fingerprinting is a mechanism to recognize the devices a user logs in with, whether it is a desktop computer, laptop computer, PDA, cell phone, kiosk, or other Web-enabled device.

7. If the user is allowed to proceed, the virtual authentication device rules are run during the Authentication Pad checkpoint. These rules determine which virtual authenticator to display in the Oracle Adaptive Access Manager password page.

8. If the user has registered with Oracle Adaptive Access Manager, the Oracle Adaptive Access Manager Server displays the Oracle Adaptive Access Manager password page with either the personalized TextPad or KeyPad.

9. If the user has not registered, Oracle Adaptive Access Manager displays the Oracle Adaptive Access Manager password page with the Generic TextPad.

10. The user submits his password on the Oracle Adaptive Access Manager password page.

11. The credentials collected from Oracle Adaptive Access Manager is verified against the identity store using the Oracle Access Manager NAP (Network Assertion Protocol) API. After validation on the Oracle Access Manager side, Oracle Adaptive Access Manager runs the post-authentication rules.

12. Oracle Adaptive Access Manager interacts with the user to establish identity to perform the desired action. Oracle Adaptive Access Manager determines the user's risk score and executes any actions (for example, KBA or OTP) or alerts that are specified in the policy.

13. If the user is not registered, he may be asked to go through registration, for example, KBA or OTP.

14. Registration is required depending on security requirements, which specify whether the registration is mandatory or optional.

15. If authentication is successful and the user has the appropriate profile registered, Oracle Adaptive Access Manager sets the Oracle Access Manager cookie and redirects the user to the redirect URL.

6.3.2 Implementing Advanced Integration

Advanced integration between Oracle Access Manager and Oracle Adaptive Access Manager can involve scenarios with or without Oracle Identity Manager.

With Oracle Identity Manager

Integration with Oracle Identity Manager provides users with richer password management functionality, including secure "Forgot Password" and "Change Password" flows.

For integration details, see Chapter 7, "Integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager".

Without Oracle Identity Manager

If Oracle Identity Manager is not part of your environment, follow the integration procedure described in this chapter.

Note:

To initiate logout in this scenario, access this link:

http://host:oaam_server_port/oaam_server/oamLogout.jsp

6.3.3 Prerequisites

To prepare for the integration procedure, ensure the necessary components have been properly installed and configured:

1. Install the Oracle Database.

2. Create and load the Oracle Access Manager and Oracle Adaptive Access Manager schemas in the database.

   See the Oracle Fusion Middleware Repository Creation Utility User's Guide for instructions on running the Repository Creation Utility to create the Oracle Access Manager and Oracle Adaptive Access Manager schemas in the database repository.

3. Install the Oracle WebLogic Servers

   See the Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server for complete information about installing the Oracle WebLogic Server.

4. Install the Oracle SOA Suite and patch the software to the latest version.

   For information on installing the Oracle SOA Suite, refer to the Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite.

5. Install and configure the Oracle Internet Directory and Oracle Virtual Directory 11g.

   For information, refer to the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

6. Install the Oracle HTTP Server.

   For information on installing the Oracle HTTP Server, refer to the Oracle Fusion Middleware Installation Guide for Oracle Web Tier.

7. Install Oracle Access Manager and Oracle Adaptive Access Manager.

   At installation, Oracle Access Manager is configured with the database policy store. The Oracle Access Manager and Oracle Adaptive Access Manager wiring requires the database policy store.

8. Install the Oracle Access Manager 10g agent (WebGate) on the Oracle HTTP Server 11g instance

   For information on installing the Oracle HTTP Server WebGate, refer to the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

The following steps are based on the assumption that Oracle Access Manager and Oracle Identity Manager are integrated using the out-of-the box integration.

6.3.4 Oracle Access Manager and Oracle Adaptive Access Manager Integration Steps

Note:

The integration of Oracle Access Manager and Oracle Adaptive Access Manager requires that the IdentityManagerAccessGate 10gWebGate profile exist. You can validate this through the Oracle Access Manager Console by navigating to System Configuration, then Agents, then 10gWebGates.

The high-level integration tasks consist of:

• Setting Oracle Adaptive Access Manager Properties for Oracle Access Manager

• Settingthe Oracle Access Manager Credentials in Credential Store Framework

• Configuring the Oracle Access Manager Policy Authentication Scheme

6.3.4.1 Setting Oracle Adaptive Access Manager Properties for Oracle Access Manager

Note:

Before performing this procedure, you must take into account whether the Oracle Adaptive Access Manager Console is being protected.

• If protecting the console, you must take care of user and group creation in the external LDAP store. For details, see Creating OAAM Administrative Groups and Users in LDAP in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

  OR

• If not protecting console, the user must be created in the Oracle WebLogic Administration Console.

  (Note: You can disable Oracle Adaptive Access Manager administration console protection by setting the environment variable or Java property WLSAGENT_DISABLED=true.)

To set Oracle Adaptive Access Manager properties for Oracle Access Manager, follow these steps:

1. Start the managed server hosting the Oracle Adaptive Access Manager server.

2. Go to the Oracle Adaptive Access Manager Admin Console at http://oaam_managed_server_host:oaam_admin_managed_server_port/oaam_admin.

3. Log in as a user with access to Oracle Adaptive Access Manager environment properties.

4. Open the Oracle Adaptive Access Manager Property Editor to set the Oracle Access Manager properties.

   If a property does not exist, you must add it.

   For the following properties, set the values according to your deployment:

   Table 6-3 Configuring Oracle Access Manager Property Values

   Property Name	Property Values
   bharosa.uio.default.password.auth.provider.classname	com.bharosa.vcrypt.services.OAMOAAMAuthProvider
   bharosa.uio.default.is_oam_integrated	true
   oaam.uio.oam.host	Access Server host machine name For example, host.example.com
   oaam.uio.oam.port	Access Server Port; for example, 3004
   oaam.uio.oam.obsso_cookie_domain	Cookie domain defined in Access Server WebGate Agent
   oaam.uio.oam.java_agent.enabledFoot 1	Default value is false. Set this to true only if the OAM Java Agent (also known as the WLSAgent) is used to protect the application. When setting this property, note the following points about the property oaam.uio.oam.obsso_cookie_name: By default, the property oaam.uio.oam.obsso_cookie_name does not exist. If using Java agent, when setting oaam.uio.oam.java_agent.enabled to true, also set the property oaam.uio.oam.obsso_cookie_name to the value OAMAuthnCookie since the Java agent uses the OAMAuthnCookie cookie. If using WebGate Agent and oaam.uio.oam.java_agent.enabled is set to false, if the property oaam.uio.oam.obsso_cookie_name happens to be set, remove that property.
   oaam.uio.oam.virtual_host_nameFootref 1	Default value is IDMDomain when the OAM Java Agent (also known as the WLSAgent) is used. Change this value only if the virtual host name is different from IDMDomain.
   oaam.uio.oam.webgate_id	IdentityManagerAccessGate The name of the WebGate Agent for Oracle Identity Manager integration. The default is IdentityManagerAccessGate.
   oaam.uio.login.page	/oamLoginPage.jsp
   oaam.uio.oam.secondary.host	Name of the secondary Access Server host machine. The property must be added, as it is not set by default. This property is used for high availability. You can specify the fail-over hostname using this property.
   oaam.uio.oam.secondary.host.port	Port number of the secondary Access Server The property must be added as it is not set by default. This property is used for high availability. You can specify the fail-over port using this property.
   oaam.oam.csf.credentials.enabled	true This property enables configuring credentials in the Credential Store Framework instead of maintaining them using the properties editor. This step is performed so that credentials can be securely stored in CSF.

   
   

   ^Footnote 1 Required when using the OAM Java agent.

For information on setting properties in Oracle Adaptive Access Manager, see "Using the Property Editor" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

For more information about the IDM Domain Agent, see Section 1.2, "A Note About IDMDomain Agents and Webgates".

6.3.4.2 Settingthe Oracle Access Manager Credentials in Credential Store Framework

In order for Oracle Access Manager WebGate credentials to be securely stored in the Credential Store Framework, follow these steps to add a password credential to the Oracle Adaptive Access Manager domain:

1. Go to the Oracle Fusion Middleware Enterprise Manager Console:

   http://weblogic_admin_server_host:admin_server_port/em.

2. Log in as a WebLogic Administrator.

3. Expand the Base_Domain icon in the navigation tree in the left pane.

4. Select your domain name, right-click and select Security, and then select Credentials.

5. Click Create Map.

6. Click oaam to select the map, and then click Create Key.

7. In the dialog, make sure Select Map is oaam.

8. Provide the following properties and click OK.

   Name	Value
   Map Name	oaam
   Key Name	oam.credentials
   Key Type	Password
   UserName	Oracle Access Manager user with Administrator rights
   Password	Password of Oracle Access Manager WebGate Agent

   
   

6.3.4.3 Configuring the Oracle Access Manager Policy Authentication Scheme

Assign the Oracle Access Manager policy for the protected web application to the OAAMAdvanced authentication scheme using the Oracle Access Manager Administration Console.

The steps are as follows:

1. Go to the Oracle Access Manager Administration Console:

   http://hostname:port/oamconsole.

   For details, see "Logging In to the Oracle Access Manager 11g Administration Console" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

2. Log in as the Oracle Access Manager administrator.

3. From the Policy Configuration tab, navigate the tree as follows:

   • expand the Application Domains node

   • expand the IDMDomainAgent

   • expand Authentication Policies

4. Select the authentication policy named Protected HigherLevel Policy for editing, and assign to it the OAAMAdvanced authentication scheme.

5. Test the Oracle Adaptive Access Manager Challenge URL in a separate browser session by navigating to:

   http://oaam_server_managed_server:oaam_server_managed_server_port/oaam_server/oamLoginPage.jsp
   

6. Verify that the Oracle Adaptive Access Manager server user login page appears with no errors.

   Do not attempt to log in to the OAAM server yet.

7. Log in to the Oracle Access Manager Administration Console using the administrative credentials.

8. Modify the OAAMAdvanced authentication scheme to have the correct values for the challenge URL by making these changes:

   • Add the challenge_url.

     Ensure that the Oracle Adaptive Access Manager URL is correct and is the same URL that you tested in Step 5.

     http://oaam_server_managed_server_host:oaam_server_managed_server_port/oaam_server/oamLoginPage.jsp
     

     (Note: Do not use the protocol string "http(s)", or URL redirection will not succeed. Use an explicit protocol, either http or https.)

   • Set contextType to external.

9. Restart the Oracle Access Manager managed server.

   The steps to integrate Oracle Access Manager with Oracle Adaptive Access Manager are completed.

6.4 Configuration and Troubleshooting

This section provides troubleshooting and additional configuration topics for the integration of Oracle Access Manager and Oracle Adaptive Access Manager.

• Using ConfigureOAAM WLST to Create the Datasource

• How to Implement Case-Insensitive Logins

• Using Non-ASCII Credentials

• Testing Before Setting Up the Integration

• OAM and OAAM Integration and Changes in the Console

• OAM and OAAM Integration and Internet Explorer Version 7

• OTP Challenge is Not Supported in OAAMBasic Integration

• OAAMAdvanced Authentication Scheme Protected Resource Is Not Accessible in OAM 11.1.1.4.0 - OAAM 11.1.1.5.0 Integration

• No Synchronization Between Database and LDAP

6.4.1 Using ConfigureOAAM WLST to Create the Datasource

You can use the configureOAAM WLST command to create the data source, associate it as a target with the OAM server, and the OAAMEnabled property in the oam-config.xml file. The syntax is as follows:

configureOAAM(dataSourceName,paramNameValueList)

where:

• dataSourceName is the name of the datasource to be created

• paramNameValueList is a comma-separated list of parameter name-value pairs. The format of each name-value pair is as follows:

  paramName='paramValue'
  

  The mandatory parameters are:

  • hostName —The name of the database host

  • port - the database port

  • sid - the database identifier (database sid)

  • userName - the OAAM schema name

  • passWord - the OAAM schema password

  The optional parameters are:

  • maxConnectionSize - maximum connection reserve time out size

  • maxPoolSize - maximum size of connection pool

For example:

configureOAAM(dataSourceName = "MyOAAMDS", hostName = "host.us.co.com",
port = "1521", sid = "sid", userName = "username", passWord = "password",
maxConnectionSize = None, maxPoolSize = None, serverName = "oam_server1")

Note:

SID = requires the service name.

6.4.2 How to Implement Case-Insensitive Logins

After successful authentication on the Oracle Access Manager side, control is passed to Oracle Adaptive Access Manager to process the post-authentication rules. By default, if a user logging in enters the user name in mixed case using a case combination that is different from that of the registered user, the Oracle Adaptive Access Manager server will consider the user to be unregistered. For example, this happens if userxy tries to log in by entering user name userXY.

To ensure that logins are successful on both servers, you must configure the Oracle Adaptive Access Manager server to treat user names as case-insensitive. To achieve this set the following property:

bharosa.uio.default.username.case.sensitive=false

For information on setting properties in Oracle Adaptive Access Manager, see "Using the Property Editor" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

6.4.3 Using Non-ASCII Credentials

When using a non-ASCII username or password in the native authentication flow, you may encounter the following error message:

Sorry, the identification you entered was not recognized. Please try again.

Follow these steps to resolve this issue:

1. Set the PRE_CLASSPATH variable to ${ORACLE_HOME}/common/lib/nap-api.jar.

   For C shell:

   setenv  ORACLE_HOME "IAMSUITE INSTALL DIR"
   setenv PRE_CLASSPATH "${ORACLE_HOME}/common/lib/nap-api.jar"
   

   For bash/ksh shell:

   export ORACLE_HOME=IAMSUITE INSTALL DIR
   export PRE_CLASSPATH="${ORACLE_HOME}/common/lib/nap-api.jar"
   

2. Start the managed server related to OAAM_SERVER.

6.4.4 Testing Before Setting Up the Integration

When setting up the environment, you may want to first test protecting a page with Oracle Access Manager only using the LDAP authentication scheme and see if you can successfully access the page. If you cannot access the page, try to resolve this issue before proceeding with the configuration.

6.4.5 OAM and OAAM Integration and Changes in the Console

In an environment where OAAMBasic integration is enabled, the following entry "OAAMEnabled" under oam-config.xml is set to "true":

<Setting Name="OAAM" Type="htf:map"> 
      <Setting Name="OAAMEnabled" Type="xsd:boolean">true</Setting> 
 </Setting>
...

If you see an error in OAAMBasic flows, check the value of this flag. In certain environments (Windows) or scenarios (creating a new Oracle Internet Directory and associating it with the OAAMBasic scheme) the original flows might be broken and OAAMBasic does not work because the OAAMEnabled flag is reset to false.

Workaround: Manually change the value of the flag to "true".

6.4.6 OAM and OAAM Integration and Internet Explorer Version 7

In the OAM and OAAM Basic integration mode, when you access a protected resource you are forwarded to the OAAM page. With Internet Explorer v7, after entering a username and clicking Submit, you can be stuck on the next page (/oam/pages/oaam/handleLogin.jsp) rather than being redirected to the password page automatically.

Workaround: Click the "continue" link, which brings you to /oam/pages/oaam/handleJump.jsp?clientOffset=-7.

6.4.7 OTP Challenge is Not Supported in OAAMBasic Integration

The following procedure outlines the steps required to replace the OAAM Challenge SMS policy with the OAAM Challenge policy, to prevent a challenge flow request to OTP.

During registration with Oracle Access Manager, after registering the challenge questions, you are forwarded to a contact page to enter a mobile number. In this mode of integration, with OTP unsupported, this page is not significant. You complete the registration by entering a mobile number in the following form, and Submit.

:09900502139

To modify the policies

1. Search for "OAAM Challenge Policy"

2. Under Action Group, replace "OAAM Challenge SMS" with "OAAM Challenge" every where you find it.

3. Save the policy.

6.4.8 OAAMAdvanced Authentication Scheme Protected Resource Is Not Accessible in OAM 11.1.1.4.0 - OAAM 11.1.1.5.0 Integration

An OAAMAdvanced Authentication Scheme protected resource is not accessible in an OAM 11.1.1.4.0 and OAAM 11.1.1.5.0 integration unless you perform the following:

• Set the WebGate password for OAAM.

• Set oaam.uio.oam.authenticate.withoutsession to false. By default, this is set to true and the authnwithoutsession opcode, which is not supported in OAM 11.1.1.4.0, is used.

6.4.9 No Synchronization Between Database and LDAP

Registered status records remain in the OAAM database even if registered users are removed from LDAP. When the user is added to LDAP again, the old image, phrase, and challenge questions are used, because the OAAM database and LDAP are not synched.