18 Configuring Oracle Mobile Security Services

This chapter describes how to configure Oracle Mobile Security Services (OMSS). Before performing any of the steps in this section, ensure that the latest Mobile Security Suite and Mobile Security Access Server Bundle Patches have been applied.

Oracle Mobile Security Services (OMSS) will be deployed when you configure Oracle Access Management. However, to use its functionality, you must configure OMSS.

This chapter includes the following topics:

18.1 Creating the Configuration Files

Create two properties files, msm.props and msas.props. The content of these files must be the same as the file you created in Section 13.2, "Creating a Configuration File", with the following additional properties:

Note:

If your deployment is on Exalogic, you must provide the OTD fail-over group name for the IDSTORE_HOST parameter. For non-Exalogic setups, provide the LBR entry point for IDSTORE_HOST.

  • For msm.props file:

    # OMSS Properties

    OMSS_OMSM_IDSTORE_PROFILENAME: MSSProfile

    OMSS_DOMAIN_LOCATION: /u01/oracle/config/domains/IAMAccessDomain

    WLSHOST: iadadminvhn.example.com

    WLSPORT: 7001

    WLSADMIN: weblogic

    WLSPASSWD: password

    OMSS_SCEP_DYNAMIC_CHALLENGE_USER: msmadmin

    OMSS_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators

    OMSS_IDSTORE_ROLE_SECURITY_HELPDESK: MSMHelpDesk

    OMSS_MSAS_SERVER_HOST: msas.example.com

    OMSS_MSAS_SERVER_PORT: 9002

    OAM_SERVER_URL: http://iadinternal.example.com:7777

    OMSS_OMSM_SERVER_NAME: wls_msm1,wls_msm2

    OMSS_OAM_POLICY_MGR_SERVER_NAME: wls_ama1,wls_ama2

    OMSS_OMSM_SERVER_HOST: OAMHOST1.example.com,OAMHOST2.example.com

    OMSS_OMSM_FRONT_END_URL: http://iadinternal.example.com:7777

    OMSS_JDBC_URL: jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS=(PROTOCOL=TCP)(HOST=iaddb-scan.example.com)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=iadedg.example.com)))

    OMSS_OMSM_SCHEMA_USER: EDGIAD_OMSM

    OMSS_GATEWAY_INSTANCE_ID: EDGMSAS

  • For msas.props file:

    # OMSS Properties

    OMSS_OMSM_IDSTORE_PROFILENAME: MSSProfile

    WLSHOST: iadadminvhn.example.com

    WLSPORT: 7001

    WLSADMIN: weblogic

    WLSPASSWD: password

    OMSS_DOMAIN_LOCATION: /u01/oracle/config/domains/IAMAccessDomain

    OMSS_SCEP_DYNAMIC_CHALLENGE_USER: msmadmin

    OMSS_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators

    OMSS_IDSTORE_ROLE_SECURITY_HELPDESK: MSMHelpDesk

    OMSS_MSAS_SERVER_HOST: msas.example.com

    OMSS_MSAS_SERVER_PORT: 9002

    OAM_SERVER_URL: http://iadinternal.example.com:7777

    OMSS_OMSM_SERVER_NAME: wls_msm1,wls_msm2

    OMSS_OAM_POLICY_MGR_SERVER_NAME: wls_ama1,wls_ama2

    OMSS_OMSM_FRONT_END_URL: http://iadinternal.example.com:7777

    OMSS_JDBC_URL: jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS=(PROTOCOL=TCP)(HOST=iaddb-scan.example.com)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=iadedg.example.com)))

    OMSS_OMSM_SCHEMA_USER: EDGIAD_OMSM

    OMSS_OMSAS_IDSTORE_PROFILENAME: msas-profile

    OMSS_GATEWAY_INSTANCE_ID: EDGMSAS

Description of the Properties:

Table 18-1 describes the properties used for Oracle Mobile Security Suite configuration.

Note:

The value of the property IDSTORE_DIRECTORYTYPE must be specified in UPPERCASE.

The WebLogic Managed Server names in properties OMSS_OMSM_SERVER_NAME and OMSS_OAM_POLICY_MGR_SERVER_NAME must be specified in the same case as configured in WebLogic.

Table 18-1 Oracle Mobile Security Suite Configuration Properties

Property Description

OMSS_OMSM_IDSTORE_PROFILENAME

Name of the identity store profile for Oracle Mobile Security Manager.

OMSS_DOMAIN_LOCATION

The absolute path to the Oracle Mobile Security Suite domain. This is the value of IAD_ASERVER_HOME from the worksheet.

OMSS_SCEP_DYNAMIC_CHALLENGE_USER

User account used for authentication.

OMSS_IDSTORE_ROLE_SECURITY_ADMIN

Name of the administrator group whose members have administrative privileges for Oracle Mobile Security Manager operations. This group is used to allow access to the Oracle Mobile Security Manager features on the Policy Manager Console.

This should be set to the same value that you provided for OAM11G_IDSTORE_ROLE_SECURITY_ADMIN property in the Oracle Access Manager configuration properties file.

OMSS_IDSTORE_ROLE_SECURITY_HELPDESK

Name of the Oracle Mobile Security Manager helpdesk group whose members get helpdesk privileges for Oracle Mobile Security Manager operations.

This group is used to allow access to the Security Help Desk privileges on the Policy Manager Console.

OMSS_MSAS_SERVER_HOST

The host name for Oracle Mobile Security Access Server.

For example, oamhost1.example.com and oamhost2.example.com.

If the Mobile Security Access Server instance is behind a load balancer, provide the host name of the load balancer.

OMSS_MSAS_SERVER_PORT

The SSL port where the Oracle Mobile Security Access Server instance will be running. This is the value of MSAS_PORT from the worksheet.

If the Mobile Security Access Server instance is behind a load balancer, provide the port number of the load balancer.

OAM_SERVER_URL

This is the internal link for OAM internal calls. For example:

http://iadinternal.example.com:7777

OMSS_OMSM_SERVER_NAME

A comma-separated list of Mobile Security Manager Managed Server names.

For example, wls_msm1,wls_msm2.

OMSS_OAM_POLICY_MGR_SERVER_NAME

A comma-separated list of Policy Manager Managed Server names.

For example, wls_ama1,wls_ama2.

OMSS_OMSM_SERVER_HOST

A comma-separated list of host names hosting the Oracle Mobile Security Manager Managed Servers.

For example, OAMHOST1.example.com, OAMHOST2.example.com.

OMSS_OMSM_FRONT_END_URL

The URL of the load balancer which routes requests to the Mobile Security Manager Managed Servers.

For example:

http://igdinternal.example.com:7777

OMSS_JDBC_URL

The JDBC URL to the Oracle Mobile Security Manager database repository, in the following format, where db_host is the host name of the machine on which the database resides, port is the listener port of the database, and service_name is the service name identified for the database:

jdbc:oracle:thin:@db_host:port/service_name

OMSS_OMSM_SCHEMA_USER

The user name for the Oracle Mobile Security Manager schema, which consists of the prefix that was configured for the repository in RCU followed by _OMSM.

For example, EDGIAD_OMSM.

OMSS_GATEWAY_INSTANCE_ID

The name of the Oracle Mobile Security Access Server gateway instance. The gateway instance ID must be the same as the instance ID you use when you configure Oracle Mobile Security Access Server.

This property is only required when you are running the idmConfigTool -configOMSS mode=OMSAS command after you have configured your Oracle Mobile Security Access Server instance.

This property should not be set when you are running the idmConfigTool for configuring Oracle Mobile Security Manager.

OMSS_OMSAS_IDSTORE_PROFILENAME

Name of the identity store profile for Oracle Mobile Security Access Server.

This property is only required for running the idmConfigTool -configOMSS mode=OMSAS command after you have configured your Oracle Mobile Security Access Server instance.

This property should not be set when you are running the idmConfigTool for configuring Oracle Mobile Security Manager.


Oracle Mobile Security Manager can send notifications such as the number of unread e-mails. To enable this, you must provide the exchange server and email server details using the properties described in Table 18-2. These properties are optional and can be provided after the configuration, if required.

Table 18-2 Optional Properties for Oracle Mobile Security Suite Configuration

Property Description

OMSS_EXCHANGE_SERVER_URL

The URL of the Exchange server that Oracle Mobile Security Suite will connect to.

OMSS_EXCHANGE_LISTENER_URL

The listener URL of the Exchange server that Oracle Mobile Security Suite will connect to.

OMSS_EXCHANGE_DOMAIN_NAME

The domain name of the Exchange server that Oracle Mobile Security Suite will connect to.

OMSS_EXCHANGE_ADMIN_USER

The administrative user name of the Exchange server that Oracle Mobile Security Suite will connect to.

OMSS_EXCHANGE_ADMIN_PASSWORD

The password of the Exchange Server administrator.

OMSS_EXCHANGE_SERVER_VERSION

The version number of the Exchange server that Oracle Mobile Security Suite will connect to.

OMSS_EMAIL_ADMIN_USER

The Email address of the Oracle Mobile Security Suite administrator.

OMSS_EMAIL_ADMIN_PASSWORD

The password of the Oracle Mobile Security Suite administrator's Email address.

OMSS_SMTP_HOST

The host name of the SMTP server that Oracle Mobile Security Manager will use to send Email invites to users.

OMSS_SMTP_PORT

The port number of the SMTP server that Oracle Mobile Security Manager will use to send Email invites to users.

OMSS_APPLE_CACERT_FILE

The location of Apple root CA. Required during iOS device enrollment in Oracle Mobile Security Suite.

OMSS_APNS_FILE

The full path and file name of the Apple Push Notification Service (APNs) keystore file, which is used to establish secure connection to Apple server and to send notifications.

This should be the same location on all hosts.

For example, SHARED_CONFIG_DIR/keystores/APNS.p12

OMSS_APNS_KEYSTORE_TYPE

The type of keystore used for the Apple Push Notification Service (APNs) keystore file (OMSS_APNS_FILE).

The valid keystore types are JKS or PKCS12. The default value is JKS.

OMSS_GCM_API_KEY

The API key value for Google Cloud Messaging (GCM) notification.

OMSS_GCM_SENDER_ID

The Google Cloud Messaging (GCM) notification sender ID.


18.2 Configuring Oracle Mobile Security Manager

Configure Oracle Mobile Security Manager (MSM) using the idmConfig tool. To do this, complete the following steps on OAMHOST1:

  1. Set the following environment variables:

    • Set MW_HOME to IAD_MW_HOME

    • Set JAVA_HOME to JAVA_HOME

    • Set ORACLE_HOME to IAD_ORACLE_HOME

    • Set WL_HOME to IAD_MW_HOME/wlserver_10.3

  2. Change directory to the IAD_ORACLE_HOME/idmtools/bin directory using the following command:

    cd IAD_ORACLE_HOME/idmtools/bin

  3. Run the following command:

    idmConfigTool.sh -configOMSS mode=OMSM input_file=configfile

    In this command, configfile is the full or relative path to the properties file (msm.props) you created in Creating the Configuration Files.

    For example:

    idmConfigTool.sh -configOMSS mode=OMSM input_file=msm.props

    When the command runs, you will be prompted to enter the password of the account that is used to connect to the identity store. It also prompts you to enter passwords for the following:

    • OMSS Keystore: Enter the password that will be assigned to the OMSS keystore when it is created.

    • SCEP Dynamic Challenge Password: Enter the password for the SCEP Dynamic Challenge user.

    • OMSM Schema User Password: Enter the password of the Oracle Mobile Security Manager schema (prefix_OMSM) created using RCU.

    The following is the sample command output:

    (1/8) MSM Configurations                                  Success
    (2/8) Seeding User Notification Templates                 Success
    (3/8) Seeding CSF Credentials                             Success
    (4/8) Configuring IDS Profile                             Success
    (5/8) Configuring OMSS Authentication Provider            Success
    (6/8) Creating MSM Keystores                              Success
    (7/8) Configuring MSM Server's SSL                        Success
    (8/8) OAM Console Integration                             Success
    

    Check the log file for any errors or warnings and correct them. A file named automation.log is created in the directory where you run the tool.

    This process creates objects in the domain. To make these objects visible, you must restart the Administration Server.

  4. Pack the IAMAccessDomain on OAMHOST1 and unpack it on OAMHOST1 and OAMHOST2.

    To pack the IAMAccessDomain, run the following command on OAMHOST1 from the location IAD_MW_HOME/oracle_common/common/bin:

    ./pack.sh -managed=true -domain=IAD_ASERVER_HOME -template=domaintemplateMSM.jar -template_name=domain_template_MSM

    Note:

    The pack command does not overwrite existing files. If the file name that you specify matches the name of an existing file in the specified folder, the pack command fails. You must use a different name for the template file for the pack command and use the option overwrite_domain=true for the unpack command.

    The -overwrite_domain option in the unpack command allows unpacking a Managed Server template into an existing domain and existing applications directories. For any file that is overwritten, a backup copy of the original is created. If any modifications had been applied to the start scripts and ear files in the Managed Server domain directory, they must be restored after the unpack operation.

    To unpack the IAMAccessDomain, run the following command on both OAMHOST1 and OAMHOST2 from the location IAD_MW_HOME/oracle_common/common/bin:

    ./unpack.sh -domain=IAD_MSERVER_HOME -template=domaintemplateMSM.jar -app_dir=IAD_MSERVER_HOME/applications -overwrite_domain=true

    Before you run the unpack command, ensure that you have write permissions on the LOCAL_CONFIG_DIR/domains/ directory.

  5. Restart the WebLogic Administration console, and start the following servers:

    • Oracle Access Manager Managed Servers (wls_oam1, wls_oam2)

    • Oracle Access Manager Policy Manager Managed Servers (wls_ama1, wls_ama2)

    • Oracle Mobile Security Manager Managed Servers (wls_msm1, wls_msm2)

Note:

If you are using OUD, just start the Administration Server at this stage.

18.3 Performing Additional Task for Oracle Unified Directory

If you are using Oracle Unified Directory (OUD) as the LDAP identity store and the group object class is groupOfUniqueNames, perform the following additional steps:

  1. Launch the WebLogic Scripting Tool (WLST) by running the following command from the location IAD_ORACLE_HOME/common/bin:

    ./wlst.sh

  2. Connect to the WebLogic Administration Server using the following command:

    connect(username='weblogic', password='wls_admin_password', url='t3://IADADMINVHN:IAD_WLS_PORT')

    For example:

    connect(username='weblogic', password='wls_admin_password', url='t3://iadadminvhn.example.com:7001')
    
  3. Run the following WLST commands in the same order:

    • edit()

    • startEdit()

    • cd('/SecurityConfiguration/IAMAccessDomain/Realms/myrealm/AuthenticationProviders/OUDAuthenticator')

    • cmo.setStaticMemberDNAttribute('uniquemember')

    • cmo.setStaticGroupDNsfromMemberDNFilter('(&(uniquemember=%M)(objectclass=groupOfUniqueNames))')

    • cmo.setStaticGroupObjectClass('groupOfUniqueNames')

    • activate()

  4. Restart the WebLogic Administration Server and all the Managed Servers.

18.4 Verifying Oracle Mobile Security Manager Configuration

Verify the configuration of Oracle Mobile Security Manager and Access Manager by completing the following steps:

  1. Ensure that the following servers are up and running:

    • Oracle WebLogic Administration Server

    • Oracle Access Manager Managed Servers (for example, wls_oam1)

    • Oracle Access Manager Policy Manager Managed Servers (for example, wls_ama1)

    • Oracle Mobile Security Manager Managed Server (for example, wls_msm1)

  2. Log in to the Administration Console for Oracle Access Management using the following URL:

    http://iadadmin.example.com/oamconsole

  3. Log in to the Access Console using the following URL:

    http://iadadmin.example.com/access

  4. On the Policy Manager console (http://iadadmin.example.com/access), go to the Configuration tab.

    The Configuration Launch Pad opens.

  5. On the Configuration Launch Pad, click Available Services.

    The Available Services page opens.

  6. Ensure that the status of Mobile Security Service has a green check mark. If not, click Enable Service next to Mobile Security Service to enable it.

  7. After enabling Mobile Security Service, log out of the Policy Manager Console and then log in again.

  8. To access the Mobile Security Manager console pages, click Mobile Security at the top of the screen. The Mobile Security Launch Pad opens.

    Under Mobile Security Manager, click View to choose from the Mobile Security Manager console pages in the menu.

  9. Access the resource http://iadinternal.example.com:7777/msm-mgmt/scim/v1/endpoints

    You should be prompted for a user name and password. Use the oamadmin username and password. The page should be displayed without errors.

18.5 Configuring MSAS Gateway Instances

You must have installed Oracle Mobile Security Access Server (MSAS) in Section 11.2.3, "Installing Oracle Mobile Security Access Server."

After you configure Oracle Mobile Security Manager, you must configure Oracle Mobile Security Access Server Gateway instances. Each instance must be configured exactly the same, with the same instance id, so that they can function as a cluster. While this can be done interactively, it is better to do so by using a property file, which can then be used to configure each instance.

To configure MSAS Gateway instances, complete the following steps:

  1. Create a property file named msas_instance.props with the following properties:

    MSM_URL: http://iadinternal.example.com:7777

    MSM_USER_NAME: weblogic

    MSAS_INSTANCE_ID: EDGMSAS

    MSAS_INSTANCE_ROOT_DIR: LOCAL_CONFIG_DIR/instances/

    MSAS_INSTANCE_SSL_PORT: 9002

    MSAS_LBR_URL: https://msas.example.com:9002

    OAM_HOST: iadadminvhn.example.com

    OAM_PORT: 7001

    OAM_USER_NAME: oamadmin

    OAM_PROTECT: /

    OAUTH_HOST: login.example.com

    OAUTH_PORT: 443

    OAUTH_IS_SSL: true

    OAUTH_SP_ENDPOINT: /oauthservice

    OAM_COOKIE_DOMAIN: .example.com

    Table 18-3 describes the properties used for configuring MSAS Gateway instances.

    Table 18-3 Properties for Configuring MSAS Gateway Instances

    Property Description

    MSM_URL

    The URL for the MSM server that you want this MSAS instance to be registered with. Enter the URL for the MSM server in the following format, where host is either the host name or the IP address of the MSM server and the port number is the listen port for the MSM server.

    http://host:port_number

    For example:

    http://iadinternal.example.com:7777

    MSM_USER_NAME

    The WebLogic Server Administrator username for the MSM domain.

    MSAS_INSTANCE_ID

    A unique name to identify the MSAS instance. It can be any string and must be consistent across instances. This must be the same as the value of OMSS_GATEWAY_INSTANCE_ID.

    MSAS_INSTANCE_ROOT_DIR

    Location where the instance configuration files will be created.

    For example:

    LOCAL_CONFIG_DIR/instances

    MSAS_INSTANCE_PORT

    The port that MSAS listens for requests on. This port is SSL enabled.

    This is the value of MSAS_PORT from the worksheet.

    MSAS_LBR_URL

    This is the load balancer entry point for Mobile Security Access Server.

    For example:

    https://msas.example.com:9002

    OAM_HOST

    The IAMAccessDomain Administration Server Virtual Host.

    For example:

    IADADMINVHN.example.com

    OAM_PORT

    The port that the IAMAccessDomain Administration Server uses. For example, 7001.

    OAM_USER_NAME

    The OAMAdmin account you created above.

    OAM_PROTECT

    The resource pattern for each protected application. For example:

    /myapp/login

    The pattern you enter is relative to the host and port of the Access Manager gateway. This entry must begin with a /.

    If you enter /, any requesting URL ending with / will be protected.

    OAUTH_HOST

    The OAUTH entry point in an Enterprise Deployment. This will be the load balancer name.

    For example:

    login.example.com

    OAUTH_PORT

    The port that OAM Managed Servers use in an Enterprise Deployment. This will be the load balancer port.

    For example:

    443

    OAUTH_IS_SSL

    This property specifies whether OAuth uses the SSL or non-SSL port. Valid values are true and false. In an Enterprise Deployment, this value must be true.

    OAUTH_SP_ENDPOINT

    The endpoint where you are accessing clients from the OAuth server.

    For example:

    /oauthservice


  2. Configure the MSAS Gateway instance by running the following command from the location MSAS_ORACLE_HOME/omsas/bin, on WEBHOST1:

    ./configMSAS.sh -properties msas_instance.props

    When the command is run, you will be prompted for the following passwords:

    • Mobile security manager password: This is the WebLogic Administrator password of the IAMAccessDomain.

    • OAM Administrator Password: This is the Access Manager Administrator password.

    When the configuration is completed, the MSAS instance is created in the directory LOCAL_CONFIG_DIR/instances/gateway-id, where the gateway-id is the value you provided in the property file. Validate that this directory exists.

  3. Repeat this procedure on WEBHOST2.

  4. Verify that the MSAS Gateway instance has been registered with MSM by performing the following steps:

    1. Log in to the access console as the oamadmin user.

    2. On the launch pad, click Mobile Security.

    3. Click Environments in the Mobile Security Access Server section. The MSAS instances are shown.
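The property files from Sections 18.1 and 18.5 have to agree with each other (instance ID, SSL port, load balancer host) and with the rules in Tables 18-1 and 18-3, and a mismatch only surfaces after idmConfigTool or configMSAS has already written into the domain. The following script is an added example, not Oracle's code and not part of idmConfigTool or configMSAS; the check rules are assumptions derived from those tables, and the two sample files are constructed to mirror the chapter's values.

```python
# Added example (not Oracle's code or tooling): sanity-checks msas.props and
# msas_instance.props before idmConfigTool / configMSAS are run. The rules are
# assumptions taken from Tables 18-1 and 18-3 of this chapter.
import re
from urllib.parse import urlparse

# Accept either ':' or '=' after the key; only the first separator splits, so
# the JDBC URL's embedded ':' and '=' characters stay part of the value.
_LINE = re.compile(r"^\s*([A-Za-z_]\w*)\s*[:=]\s*(.*?)\s*$")

def parse_props(text):
    """Parse a properties file body into a dict, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            props[m.group(1)] = m.group(2)
    return props

REQUIRED = ("OMSS_OMSM_IDSTORE_PROFILENAME OMSS_DOMAIN_LOCATION WLSHOST WLSPORT WLSADMIN "
            "OMSS_SCEP_DYNAMIC_CHALLENGE_USER OMSS_IDSTORE_ROLE_SECURITY_ADMIN "
            "OMSS_IDSTORE_ROLE_SECURITY_HELPDESK OMSS_MSAS_SERVER_HOST OMSS_MSAS_SERVER_PORT "
            "OAM_SERVER_URL OMSS_OMSM_SERVER_NAME OMSS_OAM_POLICY_MGR_SERVER_NAME "
            "OMSS_OMSM_FRONT_END_URL OMSS_JDBC_URL OMSS_OMSM_SCHEMA_USER").split()
OMSAS_ONLY = ("OMSS_OMSAS_IDSTORE_PROFILENAME", "OMSS_GATEWAY_INSTANCE_ID")

def check_omss_props(props, mode):
    """Problems in msm.props (mode 'OMSM') or msas.props (mode 'OMSAS')."""
    problems = [f"missing {k}" for k in REQUIRED if not props.get(k)]
    if mode == "OMSAS":
        problems += [f"{k} is required for mode=OMSAS" for k in OMSAS_ONLY if not props.get(k)]
    elif "OMSS_OMSAS_IDSTORE_PROFILENAME" in props:
        problems.append("OMSS_OMSAS_IDSTORE_PROFILENAME must not be set for mode=OMSM")
    dirtype = props.get("IDSTORE_DIRECTORYTYPE", "")
    if dirtype != dirtype.upper():
        problems.append("IDSTORE_DIRECTORYTYPE must be UPPERCASE")
    for k in ("OMSS_OMSM_SERVER_NAME", "OMSS_OAM_POLICY_MGR_SERVER_NAME"):
        if "" in [n.strip() for n in props.get(k, "").split(",")]:
            problems.append(f"{k} must be a comma-separated list of Managed Server names")
    if not props.get("OMSS_JDBC_URL", "").startswith("jdbc:oracle:thin:@"):
        problems.append("OMSS_JDBC_URL must be a jdbc:oracle:thin:@ URL")
    if not props.get("OMSS_OMSM_SCHEMA_USER", "").endswith("_OMSM"):
        problems.append("OMSS_OMSM_SCHEMA_USER must be the RCU prefix followed by _OMSM")
    return problems

def check_msas_instance(inst, msas):
    """Cross-check msas_instance.props against the msas.props given to idmConfigTool."""
    problems = []
    if inst.get("MSAS_INSTANCE_ID") != msas.get("OMSS_GATEWAY_INSTANCE_ID"):
        problems.append("MSAS_INSTANCE_ID must equal OMSS_GATEWAY_INSTANCE_ID")
    if inst.get("MSAS_INSTANCE_SSL_PORT") != msas.get("OMSS_MSAS_SERVER_PORT"):
        problems.append("MSAS_INSTANCE_SSL_PORT must equal OMSS_MSAS_SERVER_PORT")
    lbr = urlparse(inst.get("MSAS_LBR_URL", ""))
    if lbr.scheme != "https" or lbr.hostname != msas.get("OMSS_MSAS_SERVER_HOST"):
        problems.append("MSAS_LBR_URL must be the https:// load balancer entry point")
    if inst.get("OAUTH_IS_SSL", "").lower() != "true":
        problems.append("OAUTH_IS_SSL must be true in an Enterprise Deployment")
    if not inst.get("OAM_PROTECT", "").startswith("/"):
        problems.append("OAM_PROTECT must begin with /")
    return problems

# Constructed sample files mirroring the chapter's values; password properties
# are left out here, and the real files should be readable only by the installer.
MSAS_PROPS = """\
# OMSS Properties
OMSS_OMSM_IDSTORE_PROFILENAME: MSSProfile
WLSHOST: iadadminvhn.example.com
WLSPORT: 7001
WLSADMIN: weblogic
OMSS_DOMAIN_LOCATION: /u01/oracle/config/domains/IAMAccessDomain
OMSS_SCEP_DYNAMIC_CHALLENGE_USER: msmadmin
OMSS_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OMSS_IDSTORE_ROLE_SECURITY_HELPDESK: MSMHelpDesk
OMSS_MSAS_SERVER_HOST: msas.example.com
OMSS_MSAS_SERVER_PORT: 9002
OAM_SERVER_URL=http://iadinternal.example.com:7777
OMSS_OMSM_SERVER_NAME: wls_msm1,wls_msm2
OMSS_OAM_POLICY_MGR_SERVER_NAME: wls_ama1,wls_ama2
OMSS_OMSM_FRONT_END_URL: http://iadinternal.example.com:7777
OMSS_JDBC_URL: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=iaddb-scan.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=iadedg.example.com)))
OMSS_OMSM_SCHEMA_USER: EDGIAD_OMSM
OMSS_OMSAS_IDSTORE_PROFILENAME: msas-profile
OMSS_GATEWAY_INSTANCE_ID: EDGMSAS
"""
INSTANCE_PROPS = """\
MSM_URL: http://iadinternal.example.com:7777
MSAS_INSTANCE_ID: EDGMSAS
MSAS_INSTANCE_SSL_PORT: 9002
MSAS_LBR_URL: https://msas.example.com:9002
OAM_PROTECT: /
OAUTH_IS_SSL: true
"""

def run_checks(msas_text=MSAS_PROPS, inst_text=INSTANCE_PROPS):
    """Return every problem found for the msas.props / msas_instance.props pair."""
    msas, inst = parse_props(msas_text), parse_props(inst_text)
    return check_omss_props(msas, "OMSAS") + check_msas_instance(inst, msas)
```

Run it against the real files (for example `run_checks(open("msas.props").read(), open("msas_instance.props").read())`) on OAMHOST1 before step 3 of Section 18.6; an empty list means the two files are consistent under these checks.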

18.6 Integrating MSAS with the Identity Store

To integrate the MSAS with the identity store, complete the following steps on OAMHOST1:

  1. Set the following environment variables:

    • Set MW_HOME to IAD_MW_HOME

    • Set JAVA_HOME to JAVA_HOME

    • Set ORACLE_HOME to IAD_ORACLE_HOME

    • Set WL_HOME to IAD_MW_HOME/wlserver_10.3

  2. Change directory to the IAD_ORACLE_HOME/idmtools/bin directory using the following command:

    cd IAD_ORACLE_HOME/idmtools/bin

  3. Run the following command:

    idmConfigTool.sh -configOMSS mode=OMSAS input_file=configfile

    In this command, configfile is the full or relative path to the properties file (msas.props) you created in Creating the Configuration Files.

    For example:

    idmConfigTool.sh -configOMSS mode=OMSAS input_file=msas.props

    When the command runs, you will be prompted to enter the password of the account that is used to connect to the identity store. It also prompts you to enter passwords for the following:

    • OMSS Keystore: Enter the password that will be assigned to the OMSS keystore when it is created.

    • SCEP Dynamic Challenge Password: Enter the password for the SCEP Dynamic Challenge user.

    • OMSM Schema User Password: Enter the password of the Oracle Mobile Security Manager schema (prefix_OMSM) created using RCU.

    Check the log file for any errors or warnings and correct them. A file named automation.log is created in the directory where you run the tool.

    This process creates objects in the domain. To make these objects visible, you must restart the Administration Server.

  4. Pack the IAMAccessDomain on OAMHOST1 and unpack it on OAMHOST1 and OAMHOST2.

    To pack the IAMAccessDomain, run the following command on OAMHOST1 from the location IAD_MW_HOME/oracle_common/common/bin:

    ./pack.sh -managed=true -domain=IAD_ASERVER_HOME -template=domaintemplateMSAS.jar -template_name=domain_template_MSAS

    Note:

    The pack command does not overwrite existing files. If the file name that you specify matches the name of an existing file in the specified folder, the pack command fails. You must use a different name for the template file for pack command and use the option overwrite_domain=true for the unpack command.

    The -overwrite_domain option in the unpack command allows unpacking a Managed Server template into an existing domain and existing applications directories. For any file that is overwritten, a backup copy of the original is created. If any modifications had been applied to the start scripts and ear files in the Managed Server domain directory, they must be restored after the unpack operation.

    To unpack the IAMAccessDomain, run the following command on both OAMHOST1 and OAMHOST2 from the location IAD_MW_HOME/oracle_common/common/bin:

    ./unpack.sh -domain=IAD_MSERVER_HOME -template=domaintemplateMSAS.jar -app_dir=IAD_MSERVER_HOME/applications -overwrite_domain=true

    Before you run the unpack command, ensure that you have write permissions on the LOCAL_CONFIG_DIR/domains/ directory.

  5. Restart the WebLogic Administration console, and start the following servers:

    • Oracle Access Manager Managed Servers (wls_oam1, wls_oam2)

    • Oracle Access Manager Policy Manager Managed Servers (wls_ama1, wls_ama2)

    • Oracle Mobile Security Manager Managed Servers (wls_msm1, wls_msm2)

18.7 Adding Load Balancer Alias to MSAS Certificate

To prepare MSAS for high availability, you must update the MSAS Gateway SSL certificate with the load balancer alias. To do this, complete the following steps on OAMHOST1:

  1. Launch the WebLogic Scripting Tool (WLST) by running the following command from the location IAD_ORACLE_HOME/common/bin:

    ./wlst.sh

  2. Connect to the WebLogic Administration Server using the following command:

    connect(username='wls_admin_username', password='wls_admin_password', url='t3://IADADMINVHN.example.com:7001')

    In this command, 7001 is the IAD_WLS_PORT from the worksheet.

  3. Run the following commands:

    • svc = getOpssService(name='KeyStoreService')

    • svc.exportKeyStore(appStripe='EDGMSAS', name='sslkeystore', password='password', aliases='EDGMSAS_msasidentity', keypasswords='keypassword', type='JKS',filepath='SHARED_CONFIG_DIR/keystores/EDGMSAS.jks')

    In this command:

    • EDGMSAS is the value you specified for the property OMSS_GATEWAY_INSTANCE_ID.

    • password is the password of the WebLogic Administrator of the IAMAccessDomain.

    • keypassword is the password you wish to assign to the exported keystore.

  4. Generate the new certificate request using the following command:

    keytool -keystore SHARED_CONFIG_DIR/keystores/EDGMSAS.jks -storepass password -alias EDGMSAS_msasidentity -certreq -file SHARED_CONFIG_DIR/keystores/msasidentity.csr -keypass keypassword

  5. Sign the new certificate request with the Certificate Authority key and add the load balancer's host name in the certificate's Subject Alternative Name (SAN). Use the load balancer DNS extension, such as msas.example.com. To do this, run the following command:

    keytool -gencert -keystore IAD_ASERVER_HOME/config/fmwconfig/server-identity.jks -storepass password -alias ca -ext san=dns:msas.example.com -infile SHARED_CONFIG_DIR/keystores/msasidentity.csr -outfile SHARED_CONFIG_DIR/keystores/msasidentity.crt

  6. Update the MSAS certificate on the server by completing the following steps:

    1. Export the root CA by running the following command:

      keytool -export -alias ca -file SHARED_CONFIG_DIR/keystores/ca.crt -keystore IAD_ASERVER_HOME/config/fmwconfig/server-identity.jks -storepass password

    2. Import the certificate into the EDGMSAS JKS keystore created in the previous step by running the following command:

      keytool -keystore SHARED_CONFIG_DIR/keystores/EDGMSAS.jks -import -file SHARED_CONFIG_DIR/keystores/ca.crt -alias ca -storepass password

      When this command is run, you will be prompted to trust the certificate. Enter Yes.

    3. Run the following command:

      keytool -keystore EDGMSAS.jks -import -file SHARED_CONFIG_DIR/keystores/msasidentity.crt -alias 'EDGMSAS_msasidentity' -storepass password

      In this command, EDGMSAS is the value you specified for the property OMSS_GATEWAY_INSTANCE_ID.

    4. Import the new certificate into MSAS SSL keystore (KSS keystore) by running the following WLST commands:

      svc = getOpssService(name='KeyStoreService')

      svc.deleteKeyStoreEntry(appStripe='EDGMSAS',name='sslkeystore',password='password', alias='EDGMSAS_msasidentity', keypassword='keypassword')

      svc.importKeyStore(appStripe='EDGMSAS', name='sslkeystore', password='password', aliases='EDGMSAS_msasidentity', keypasswords='keypassword', type='JKS',permission=true, filepath='SHARED_CONFIG_DIR/keystores/EDGMSAS.jks')

18.8 Starting MSAS Instances

Start the MSAS instances on WEBHOST1 and WEBHOST2. To start the MSAS instances, run the following command:

MSAS_ORACLE_INSTANCE/bin/startServer.sh

The MSAS instances should start without error.

18.9 Verifying Oracle Mobile Security Suite Configuration

Verify that Mobile Security Suite is up and running by accessing the following URL:

https://msas.example.com:9002/msm/register/ios

You should be directed to a login page.