17 Configuring Oracle Access Management

Access Manager enables your users to seamlessly gain access to web applications and other IT resources across your enterprise. It provides a centralized and automated single sign-on (SSO) solution, which includes an extensible set of authentication methods and the ability to define workflows around them. It also contains an authorization engine, which grants or denies access to particular resources based on properties of the user requesting access as well as based on the environment from which the request is made. Comprehensive policy management, auditing, and integration with other components of your IT infrastructure enrich this core functionality.

Access Manager consists of several components, including OAM Server, Oracle Access Management Console, and WebGates. The OAM Server includes all the components necessary to restrict access to enterprise resources. The Oracle Access Management Console is the administrative console to Access Manager. WebGates are web server agents that act as the actual enforcement points for Access Manager.

When you created the domain IAMAccessDomain in Chapter 15, "Creating Domains for an Enterprise Deployment", you created the domain with all of the Oracle Access Management components. This chapter explains how to configure Oracle Access Management after the domain creation.

This chapter includes the following topics:

  • Section 17.1, "About Domain URLs"

  • Section 17.2, "Post-Installation Tasks"

  • Section 17.3, "Validating Access Manager"

  • Section 17.4, "Creating Access Manager Key Store"

  • Section 17.5, "Updating Idle Timeout Value"

  • Section 17.6, "Updating the ESSO IDS Repository"

  • Section 17.7, "Enabling Exalogic Optimizations"

  • Section 17.8, "Backing Up the Application Tier Configuration"

17.1 About Domain URLs

After you complete this chapter, the following URLs will be available:

Table 17-1 OAM URLs Prior to Web Tier Integration

Component URLs User

OAM Console



Access Console



After you also integrate the Web tier, the following URLs will be available:

Table 17-2 OAM URLs After Web Tier Integration

Component URLs User SSO User

OAM Console




Access Console




17.2 Post-Installation Tasks

This section describes tasks to be completed after installing Oracle Access Manager.

This section contains the following topics:

  • Section 17.2.1, "Setting the Front End URL for the Administration Console"

  • Section 17.2.2, "Removing IDM Domain Agent"

  • Section 17.2.3, "Configuring and Integrating with LDAP"

  • Section 17.2.4, "Updating WebGate Agents"

  • Section 17.2.5, "Updating Host Identifiers"

  • Section 17.2.6, "Adding Missing Policies to OAM"

17.2.1 Setting the Front End URL for the Administration Console

Oracle WebLogic Server Administration Console tracks changes to ports, channels, and security using the console. When changes made through the console are activated, the console validates its current listen address, port and protocol. If the listen address, port, and protocol are still valid, the console redirects the HTTP request, replacing the host and port information with the Administration Server's listen address and port. When the Administration Console is accessed using a load balancer, you must change the Administration Server's front end URL so that the user's browser is redirected to the appropriate load balancer address.

To make this change:

  1. Log in to Oracle WebLogic Server Administration Console.

  2. Click Lock and Edit.

  3. Expand the Environment node in the Domain Structure window.

  4. Click Clusters to open the Summary of Clusters page.

  5. Select cluster_ama in the Names column of the table.

    The Settings page appears.

  6. Click the Configuration tab.

  7. Click the HTTP tab.

  8. Set the Front End Host and Front End HTTP Port fields to your load balancer address, as shown in Table 17-3.

    Table 17-3 Front End URL Information

    Domain Front End Host Front End HTTP Port




  9. Save and activate the changes.

17.2.2 Removing IDM Domain Agent

By default, the IDMDomainAgent provides single sign-on capability for administration consoles. In enterprise deployments, WebGate handles single sign-on, so you must remove the IDMDomainAgent.

To remove the IDMDomainAgent:

Log in to the WebLogic console at the URL listed in Section 31.2, "About Identity and Access Management Console URLs".


  1. Select Security Realms from the Domain Structure Menu

  2. Click myrealm.

  3. Click the Providers tab.

  4. Click Lock and Edit from the Change Center.

  5. In the list of authentication providers, select IAMSuiteAgent.

  6. Click Delete.

  7. Click Yes to confirm the deletion.

  8. Click Activate Changes from the Change Center.

  9. Restart the WebLogic Administration Server and ALL running Managed Servers, as described in the section "Starting and Stopping a WebLogic Administration Server".

17.2.3 Configuring and Integrating with LDAP

This section describes how to configure and integrate Oracle Access Manager with LDAP.

This section contains the following topics:

  • Setting a Global Passphrase

  • Configuring Access Manager to use the LDAP Directory

  • Creating a Configuration File

  • Integrating Access Manager and LDAP Using the idmConfigTool

  • Validating the OAM LDAP Configuration

  • Adding LDAP Groups to WebLogic Administrators

17.2.3.1 Setting a Global Passphrase

By default, Access Manager is configured to use the Open security model, in which traffic between WebGates and the OAM servers is not encrypted. If you plan to change this mode using idmConfigTool, you must first set a global passphrase. Although the global passphrase and the WebGate access password need not be the same, Oracle recommends making them the same.

To set a global passphrase:

  1. Log in to the OAM console at the URL listed in Section 31.2, "About Identity and Access Management Console URLs" as the WebLogic Administration user.

  2. Click the Configuration tab.

  3. Select View, and then Access Manager from the Settings launch pad.

  4. If you are going to change the security mode to Simple, supply a global passphrase.

  5. Click Apply.

17.2.3.2 Configuring Access Manager to use the LDAP Directory

Now that the initial installation is done and the security model is set, you must associate Access Manager with your LDAP directory. In this release, the following LDAP directories are supported:

  • Oracle Unified Directory (OUD)

  • Oracle Internet Directory (OID)

  • Microsoft Active Directory (AD)

To associate Access Manager with your LDAP directory, perform the following tasks:

17.2.3.3 Creating a Configuration File

Configuring Oracle Access Management to use LDAP requires running the idmConfigTool utility. Therefore, you must create a configuration file called oam.props to use during the configuration. The contents of this file will be the same as the Configuration file created in Section 13.2, "Creating a Configuration File" with the following additions:

# Miscellaneous Properties
# OAM Properties
PRIMARY_OAM_SERVERS: oamhost1.example.com:5575,oamhost2.example.com:5575
WEBGATE_TYPE: ohsWebgate11g
COOKIE_DOMAIN: .example.com
OAM11G_IDM_DOMAIN_OHS_HOST: login.example.com
OAM11G_SERVER_LBR_HOST: login.example.com
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_OIM_OHS_URL: https://prov.example.com:443/
# WebLogic Properties
WLSADMIN: weblogic

OAM Property Descriptions:

  • OAM11G_IDSTORE_NAME is the name you wish to assign to the ID store in OAM. This is an optional parameter.

  • PRIMARY_OAM_SERVERS is a comma-separated list of all of the OAM managed servers in the deployment, each given as host:port, where host is the server running the OAM managed server and port is its OAM Proxy port. Note that the proxy port is not the OAM managed server listen port. The OAM Proxy port can be found in the worksheet (OAM_PROXY_PORT).

  • WEBGATE_TYPE is the type of WebGate profile to create. This should always be ohsWebgate11g.

  • ACCESS_GATE_ID is the name of the WebGate agent to create.

  • OAM11G_OIM_WEBGATE_PASSWD is the password you wish to assign to the WebGate agent you will be creating.

  • COOKIE_DOMAIN is the domain with which the OAM cookie is associated. This is normally the IDSTORE_SEARCH_BASE expressed in domain format; the search base can be found in the worksheet (REALM_DN).

  • COOKIE_EXPIRY_INTERVAL is the time after which the OAM cookie expires.

  • OAM11G_WG_DENY_ON_NOT_PROTECTED should always be set to true. It ensures that any attempt to access a resource not explicitly listed in the OAM resource list is rejected, rather than falling through as unprotected.

  • OAM11G_IDM_DOMAIN_OHS_HOST this is the name of the Oracle HTTP Server (OHS) server which fronts the IAMAccessDomain. In the case of an enterprise deployment this will be the load balancer name.

  • OAM11G_IDM_DOMAIN_OHS_PORT this is the port on which the OHS server fronting the IAMAccessDomain listens. In the case of an Enterprise Deployment, this will be the load balancer port. This is the IAD_HTTPS_PORT in the worksheet.

  • OAM11G_IDM_DOMAIN_OHS_PROTOCOL is the protocol used to access the OHS server fronting the IAMAccessDomain. In the case of an Enterprise Deployment this is the load balancer protocol. In the Enterprise Deployment Blueprint SSL is terminated at the load balancer, but the URL always has the HTTPS prefix, so this value should be set to https.

  • OAM11G_SERVER_LBR_HOST is the name of the virtual host configured on the load balancer for logging in. This is usually the same as OAM11G_IDM_DOMAIN_OHS_HOST.

  • OAM11G_SERVER_LBR_PORT is the port of the virtual host configured on the load balancer for logging in. This is usually the same as OAM11G_IDM_DOMAIN_OHS_PORT.

  • OAM11G_SERVER_LBR_PROTOCOL is the protocol of the virtual host configured on the load balancer for logging in. This is usually the same as OAM11G_IDM_DOMAIN_OHS_PROTOCOL.

  • OAM11G_OAM_SERVER_TRANSPORT_MODE is the type of OAM security transport used between WebGates and the OAM servers. This should be Simple for all platforms except AIX, where it should be Open. Open mode does not encrypt this traffic. You can specify Cert if extra security is required; if you wish to use Cert, refer to the Oracle Access Manager documentation for how to configure it.

  • OAM_TRANSFER_MODE is the type of OAM security transport to be used. This must be the same as OAM11G_OAM_SERVER_TRANSPORT_MODE.

  • OAM11G_SSO_ONLY_FLAG determines whether Access Manager runs in authentication-only mode, that is, without evaluating authorization policies. For Enterprise Deployments this should be set to false so that both authentication and authorization are performed.

  • OAM11G_IMPERSONATION_FLAG determines whether OAM is configured for impersonation. Impersonation is typically used in help desk type applications, where a support user "impersonates" an actual user for the purposes of providing support.

  • OAM11G_IDM_DOMAIN_LOGOUT_URLS is a list of URLs that various products can invoke for the purposes of logging out.

  • OAM11G_OIM_INTEGRATION_REQ specifies whether Oracle Identity Manager is integrated with Oracle Access Manager. If you are creating a topology containing both Oracle Access Manager and Oracle Identity Manager, this parameter should be set to true. Otherwise set it to false.

    If, at a later date, you decide to add Oracle Identity Manager into your topology, rerun the OAM configuration with this flag set to true

  • OAM11G_OIM_OHS_URL this is used when OAM and OIM are being integrated. This is the OIM URL to which OAM directs requests. This url is made up of the following values from the worksheet:


  • WLS_HOST: is the Admin Server listen address. For OAM configuration, this will be IADADMINVHN.example.com

  • WLS_PORT: is the Admin Server listen port. This is the IAD_WLS_PORT in the worksheet.

  • WLS_ADMIN the user used to connect to the Admin Server

  • SPLIT_DOMAIN is used when OAM and OIM are in different domains. This should always be set to true.

17.2.3.4 Integrating Access Manager and LDAP Using the idmConfigTool

This section describes how to integrate Oracle Access Manager and LDAP using the idmConfigTool.
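Before running idmConfigTool it is worth checking oam.props against the constraints stated in the property descriptions above, because the tool applies whatever the file says. The following Python script is an added example, not part of the Oracle guide or the idmConfigTool distribution. It assumes the "KEY: value" format shown in the fragment above; the sample file's hostnames, ports and OIM URL are constructed for illustration.

```python
"""Pre-flight checks for an idmConfigTool oam.props file.
Added example, not Oracle code: parses the 'KEY: value' format and checks the
constraints stated in the property descriptions above. Sample values are constructed."""
import re

# Values the property descriptions fix for an Enterprise Deployment.
REQUIRED_VALUES = {
    "WEBGATE_TYPE": "ohsWebgate11g",
    "OAM11G_WG_DENY_ON_NOT_PROTECTED": "true",  # deny anything not in the resource list
    "OAM11G_IDM_DOMAIN_OHS_PROTOCOL": "https",  # SSL terminates at the load balancer
    "OAM11G_SSO_ONLY_FLAG": "false",            # authentication and authorization
    "SPLIT_DOMAIN": "true",
}
TRANSPORT_MODES = {"simple", "open", "cert"}
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def parse_props(text):
    """Parse 'KEY: value' lines; '#' starts a comment, 'KEY=value' is tolerated."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_oam_props(text):
    """Return a list of findings; an empty list means the file passes."""
    p = parse_props(text)
    findings = []
    for key, expected in REQUIRED_VALUES.items():
        actual = p.get(key)
        if actual is None:
            findings.append(f"{key}: missing (must be {expected})")
        elif actual.lower() != expected.lower():
            findings.append(f"{key}: is '{actual}', must be {expected}")

    # Every OAM managed server as host:OAM_PROXY_PORT (not the WLS listen port).
    servers = [s.strip() for s in p.get("PRIMARY_OAM_SERVERS", "").split(",") if s.strip()]
    if not servers:
        findings.append("PRIMARY_OAM_SERVERS: missing or empty")
    elif len(servers) == 1:
        findings.append("PRIMARY_OAM_SERVERS: only one server; an HA deployment lists all OAM servers")
    for s in servers:
        if not HOST_PORT.match(s):
            findings.append(f"PRIMARY_OAM_SERVERS: '{s}' is not host:port")

    # The two transport-mode properties must agree; Open mode is unencrypted.
    mode = p.get("OAM11G_OAM_SERVER_TRANSPORT_MODE", "")
    if mode.lower() not in TRANSPORT_MODES:
        findings.append(f"OAM11G_OAM_SERVER_TRANSPORT_MODE: '{mode}' is not Simple, Open or Cert")
    elif mode.lower() == "open":
        findings.append("OAM11G_OAM_SERVER_TRANSPORT_MODE: Open leaves WebGate-to-OAM traffic unencrypted (AIX only)")
    if p.get("OAM_TRANSFER_MODE", "").lower() != mode.lower():
        findings.append("OAM_TRANSFER_MODE: must equal OAM11G_OAM_SERVER_TRANSPORT_MODE")

    if not p.get("COOKIE_DOMAIN", "").startswith("."):
        findings.append("COOKIE_DOMAIN: should be a domain suffix such as .example.com")
    if p.get("OAM11G_OIM_INTEGRATION_REQ", "").lower() == "true":
        if not p.get("OAM11G_OIM_OHS_URL", "").startswith("https://"):
            findings.append("OAM11G_OIM_OHS_URL: required (https) when OAM11G_OIM_INTEGRATION_REQ is true")
    return findings


# Constructed sample: the chapter's fragment plus the properties it describes.
SAMPLE_GOOD = """\
# OAM Properties
PRIMARY_OAM_SERVERS: oamhost1.example.com:5575,oamhost2.example.com:5575
WEBGATE_TYPE: ohsWebgate11g
COOKIE_DOMAIN: .example.com
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM11G_IDM_DOMAIN_OHS_HOST: login.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSPORT_MODE: Simple
OAM_TRANSFER_MODE: Simple
OAM11G_SSO_ONLY_FLAG: false
OAM11G_OIM_INTEGRATION_REQ: true
OAM11G_OIM_OHS_URL: https://prov.example.com:443/
SPLIT_DOMAIN: true
WLSADMIN: weblogic
"""
# Two mistakes: deny-on-not-protected switched off, transport modes out of step.
SAMPLE_BAD = (SAMPLE_GOOD.replace("NOT_PROTECTED: true", "NOT_PROTECTED: false")
              .replace("OAM_TRANSFER_MODE: Simple", "OAM_TRANSFER_MODE: Open"))

if __name__ == "__main__":
    import sys
    problems = check_oam_props(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD)
    print("\n".join(problems) or "oam.props: no findings")
    sys.exit(1 if problems else 0)
```

Run it as python check_oam_props.py oam.props before step 2 below; a non-zero exit means the file would configure something the property descriptions warn against. The checks are deliberately limited to what the descriptions state, so a clean run does not prove that the proxy port, hostnames or passwords are the right ones for your worksheet.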

Perform the following tasks on OAMHOST1:

  1. Set the environment variables MW_HOME, JAVA_HOME and ORACLE_HOME.

  2. Run the idmConfigTool utility to perform the integration.

    The syntax of the command on Linux is:

    cd IAD_ORACLE_HOME/idmtools/bin
    idmConfigTool.sh -configOAM input_file=configfile 

    For example:

    idmConfigTool.sh -configOAM input_file=oam.props

    When the command runs you are prompted to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the passwords you want to assign to these accounts:




  3. Check the log file for any errors or warnings and correct them. A file named automation.log is created in the directory where you run the tool.

  4. Restart the WebLogic Administration Server and the managed servers WLS_OAM1, WLS_OAM2, WLS_AMA1 and WLS_AMA2.


    After you run idmConfigTool, several files are created that you need for subsequent tasks. Keep these in a safe location.

    The following files exist in the following directory:


    You need these when you install the WebGate software.

    • cwallet.sso

    • ObAccessClient.xml

    • password.xml

    • aaa_cert.pem

    • aaa_key.pem


    If the WLS_AMA servers were running when configOAM was run, the WebGate_IDM artifacts may have been created in IAD_MSERVER_HOME/output. If this is the case, move them back to IAD_ASERVER_HOME/output.

17.2.3.5 Validating the OAM LDAP Configuration

To validate that this has completed correctly:

  1. Access the OAM console using the following URL:

  2. Log in as the Access Manager administration user you created when you prepared the ID Store. For example oamadmin.

  3. Click Agents Launch pad from the Application Security screen.

  4. When the Search SSO Agents screen appears, click Search.

  5. You should see the WebGate agents Webgate_IDM and Webgate_IDM_11g.

17.2.3.6 Adding LDAP Groups to WebLogic Administrators

Access Manager requires access to MBeans stored within the Administration Server. In order for Access Manager to invoke these MBeans, users in the OAM Administrators group must have WebLogic Administration rights.

When Single Sign-on is implemented, provide the LDAP group IDM Administrators with WebLogic administration rights, so that you can log in using one of these accounts and perform WebLogic administrative actions.

To add the LDAP Groups OAMAdministrators and IDM Administrators to the WebLogic Administrators:

  1. Log in to the WebLogic Administration Server Console.

  2. In the left pane of the console, click Security Realms.

  3. On the Summary of Security Realms page, click myrealm under the Realms table.

  4. On the Settings page for myrealm, click the Roles & Policies tab.

  5. On the Realm Roles page, expand the Global Roles entry under the Roles table.

  6. Click the Roles link to go to the Global Roles page.

  7. On the Global Roles page, click the Admin role to go to the Edit Global Roles page.

  8. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.

  9. On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.

  10. On the Edit Arguments Page, Specify OAMAdministrators in the Group Argument field and click Add.

  11. Repeat for the Group IDM Administrators.

  12. Click Finish to return to the Edit Global Roles page.

  13. The Role Conditions table now shows the groups OAMAdministrators and IDM Administrators as role conditions.

  14. Click Save to finish adding the Admin role to the OAMAdministrators and IDM Administrators Groups.

17.2.4 Updating WebGate Agents

When the idmConfigTool is run, it changes the default OAM security model and creates two new WebGate profiles. However, it does not change the existing WebGate profiles to the new security model. After running the idmConfigTool, you must update any WebGate agents that previously existed. This involves the following steps:

  • Change the security mode to match that of the OAM servers. Failure to do so will result in a security mismatch error.

  • When WebGates are created at first install, they are unaware that a highly available (HA) installation is being performed. After enabling HA, ensure that all of the OAM servers are included in the agent configuration, so that the agent keeps working if one server is down.

  • For the same reason, check that any logout URLs redirect to the hardware load balancer rather than to one of the local OAM servers.

  • A WebGate agent called IAMSuiteAgent is created out of the box. It is created without any password protection, so you must add an Access Client Password to it.

To perform these actions, complete the following steps:

  1. Log in to the OAM Console as the Access Management administrator user. For example, use the following URL:


  2. Click Agents Launch pad on the Application Security screen.

  3. Ensure that the WebGates tab is selected.

  4. Click Search.

  5. Click an Agent, for example: IAMSuiteAgent.

  6. Set the Security value to the value you gave OAM Transfer Mode on the Access Manager Configuration screen during response file creation.

    The default setting is Open for AIX deployments and Simple for all others.

    If you changed the OAM security model using the idmConfigTool, change the security model used by any existing WebGates to match; an agent whose mode differs from that of the servers cannot connect.

    Click Apply.

  7. In the Primary Server list, click + and add any missing Access Manager Servers.

  8. If a password has not already been assigned, enter a password into the Access Client Password field and click Apply.

    Assign an Access Client Password, such as the Common IAM Password (COMMON_IDM_PASSWORD) you used during the response file creation or an Access Manager-specific password, if you have set one.

  9. Set Maximum Number of Connections to 20. This is the total maximum number of connections for the primary servers, which is 10 x WLS_OAM1 connections plus 10 x WLS_OAM2 connections.

  10. If you see the following in the User Defined Parameters:


    Change it to:

  11. Click Apply.

  12. Repeat Steps 5 through 11 for each WebGate.

  13. Check that the security setting matches that of your Access Manager servers.
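The settings changed in the console end up in the ObAccessClient.xml that is copied to each WebGate host, so the same points can be verified on the file itself. The following Python script is an added example, not Oracle code. It assumes the CompoundList / SimpleList / NameValPair layout (namespace http://www.oblix.com/) of the generated file, with primary servers in primaryServerN lists and the logout URL in a logoutRedirectUrl user-defined parameter; the two sample profiles are constructed, and the logout path, port 14100 and password value in them are illustrative rather than taken from the guide.

```python
"""Check a WebGate profile (ObAccessClient.xml) against the points in 17.2.4.

Added example, not Oracle code. It assumes the CompoundList / SimpleList /
NameValPair layout (namespace http://www.oblix.com/) of the generated file;
the sample profiles are constructed, and the logout path, port 14100 and
password value are illustrative, not taken from the guide.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PER_SERVER_CONNECTIONS = 10     # the guide sizes Max Connections as 10 per OAM server
SERVER_LIST = re.compile(r"^primaryServer\d+$")


def load_profile(xml_text):
    """Flatten the profile into (top-level params, primary servers, logout URL)."""
    found = {"params": {}, "servers": {}, "logout": None}

    def walk(elem, lists):
        if elem.tag.rsplit("}", 1)[-1] == "NameValPair":      # strip the namespace
            name, value = elem.get("ParamName"), elem.get("Value", "")
            server = next((l for l in lists if SERVER_LIST.match(l)), None)
            if server:
                found["servers"].setdefault(server, {})[name] = value
            elif name == "logoutRedirectUrl":
                found["logout"] = value
            elif not lists:
                found["params"][name] = value
            return
        name = elem.get("ListName")     # CompoundList/ValNameList scope their pairs
        for child in elem:
            walk(child, lists + [name] if name else lists)

    walk(ET.fromstring(xml_text), [])
    return found["params"], found["servers"], found["logout"]


def check_profile(xml_text, expected_mode, oam_servers, lb_host):
    """Return findings; empty means the agent matches the OAM servers and the guide."""
    params, servers, logout = load_profile(xml_text)
    findings = []
    mode = params.get("security", "")
    if mode.lower() != expected_mode.lower():
        findings.append(f"security: agent uses '{mode}', OAM servers use {expected_mode}")
    if not params.get("accessClientPasswd"):
        findings.append("accessClientPasswd: no Access Client Password set")
    if params.get("denyOnNotProtected") != "1":
        findings.append("denyOnNotProtected: off, unlisted resources would be allowed")
    listed = {f"{s.get('host')}:{s.get('port')}" for s in servers.values()}
    for missing in sorted(set(oam_servers) - listed):
        findings.append(f"primary servers: {missing} is not in the agent profile")
    expected_max = str(PER_SERVER_CONNECTIONS * len(oam_servers))
    if params.get("maxConnections") != expected_max:
        findings.append(f"maxConnections: is {params.get('maxConnections')}, expected {expected_max}")
    if logout:
        host = (urlsplit(logout).hostname or "").lower()
        if host != lb_host.lower():
            findings.append(f"logoutRedirectUrl: points at {host}, must use the load balancer {lb_host}")
    return findings


def sample_profile(security, passwd, max_conn, servers, logout_url):
    """Build a constructed profile in the layout assumed above."""
    server_xml = "".join(
        f'<CompoundList ListName="primaryServer{i}"><SimpleList>'
        f'<NameValPair ParamName="host" Value="{h}"/><NameValPair ParamName="port" Value="{p}"/>'
        f'<NameValPair ParamName="numOfConnections" Value="{PER_SERVER_CONNECTIONS}"/>'
        "</SimpleList></CompoundList>"
        for i, (h, p) in enumerate((s.split(":") for s in servers), start=1))
    return f"""<CompoundList xmlns="http://www.oblix.com/" ListName="">
  <SimpleList>
    <NameValPair ParamName="id" Value="IAMSuiteAgent"/>
    <NameValPair ParamName="accessClientPasswd" Value="{passwd}"/>
    <NameValPair ParamName="security" Value="{security}"/>
    <NameValPair ParamName="maxConnections" Value="{max_conn}"/>
    <NameValPair ParamName="denyOnNotProtected" Value="1"/>
  </SimpleList>
  <CompoundList ListName="primaryServer">{server_xml}</CompoundList>
  <CompoundList ListName="userDefinedParameters"><SimpleList>
    <NameValPair ParamName="logoutRedirectUrl" Value="{logout_url}"/>
  </SimpleList></CompoundList>
</CompoundList>"""


OAM_SERVERS = ["oamhost1.example.com:5575", "oamhost2.example.com:5575"]
LB_HOST = "login.example.com"
# Out-of-the-box agent: Open mode, no password, one server, logout to a local OAM host.
FRESH_INSTALL = sample_profile("open", "", 10, OAM_SERVERS[:1],
                               "http://oamhost1.example.com:14100/oam/server/logout")
# The same agent after the steps in this section.
UPDATED = sample_profile("simple", "example-access-client-pw", 20, OAM_SERVERS,
                         "https://login.example.com:443/oam/server/logout")

if __name__ == "__main__":
    for label, xml in (("fresh", FRESH_INSTALL), ("updated", UPDATED)):
        print(label, check_profile(xml, "Simple", OAM_SERVERS, LB_HOST) or "OK")
```

Run against a real file with check_profile(open("ObAccessClient.xml").read(), "Simple", OAM_SERVERS, LB_HOST) after copying the artifacts to the WebGate host; the constructed fresh-install profile reports all five problems the bullets above describe, and the updated one reports none.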

17.2.5 Updating Host Identifiers

You access the domain through several load balancer entry points. Each of these entry points (virtual hosts) must be added to the host identifier, so that a request for a resource through login.example.com or through prov.example.com is evaluated against the same set of policy rules.

  1. Access the OAM console.

  2. Log in as the Access Manager administration user you created when you prepared the ID Store. For example oamadmin.

  3. Select Launch Pad if not already displayed.

  4. Click on Host Identifiers under Access Manager.

  5. Click Search.

  6. Click on IAMSuiteAgent.

  7. Click + in the operations box.

  8. Enter the following information.

    Table 17-4 Host Name Port Values

    Host Name Port

  9. Click Apply.

17.2.6 Adding Missing Policies to OAM

If you are using Oracle Mobile Security Suite (OMSS) or OIM, you must manually add the policies listed in Table 17-5 to OAM.

Table 17-5 OAM Policy Information

Product Resource Type Host Identifier Resource URL Protection Level Authentication Policy Authorization Policy

Protected Higher Level Policy

Protected Resource Policy

To add these policies:

  1. Login to the OAM Console using the user oamadmin.

  2. From the Launchpad click Application Domains in the Access Manager section.

  3. Click Search on the Search page.

    A list of Application domains appears.

  4. Click the domain IAM Suite.

  5. Click the Resources Tab.

  6. Click Create.

  7. Enter information according to Table 17-5.

  8. Click Apply.

17.3 Validating Access Manager

You can validate Access Manager by using the oamtest tool. To do this, perform the following steps:

  1. Ensure that the WLS_OAM managed servers are up and running.

  2. Ensure that JAVA_HOME is set in your environment and add JAVA_HOME/bin to your PATH. For example:

    export PATH=$JAVA_HOME/bin:$PATH
  3. Change the directory to the following:

  4. Start the test tool in a terminal window using the command:

    java -jar oamtest.jar
  5. When the OAM test tool starts, enter the following information in the Server Connection section of the page:

    • Primary IP Address: OAMHOST1.example.com

    • Port: 5575 (OAM_PROXY_PORT)

    • Agent ID: Webgate_IDM_11g

    • Agent Password: webgate password


      If you configured simple mode, select Simple and provide the global passphrase.

      Click Connect.

      In the status window you see: [response] Connected to primary access server.

  6. In the Protected Resource URI section, enter the following information:

    • Scheme: http

    • Host: iadadmin.example.com

    • Port: 80 (IAD_HTTP_PORT)

    • Resource: /oamconsole

      Click Validate.

      In the status window you see: [request] [validate] yes.

  7. In the User Identity window, enter:

    • Username: oamadmin

    • Password: oamadmin password

    • Click Authenticate.

    • In the status window, you see: [request] [authenticate] yes

    • Click Authorize.

    • In the status window you see. [request] [authorize] yes

17.4 Creating Access Manager Key Store

If you are integrating other components, such as Oracle Identity Manager with Access Manager and Access Manager is using the simple security transport model, you must generate a keystore that can be used with those components.

Access Manager comes with a self-signed Certificate Authority that is used in Simple mode to issue certificates for the Access Client. This CA certificate must be added to the keystore as follows.

The following example adds the CA certificate, as a trusted entry, to the system-generated keystore and places the keystore in a common location.

  1. Create a directory for the keystore to reside, if not created already. For example, SHARED_CONFIG_DIR/keystores.

  2. Copy the system generated keystore to this location and give it a unique name using the following command:

    cp IAD_ASERVER_HOME/output/webgate-ssl/oamclient-keystore.jks SHARED_CONFIG_DIR/keystores/ssoKeystore.jks

  3. Add the OAM CA certificate to the copied keystore with keytool, which ships with the JDK. Because step 2 copied an existing keystore, no placeholder entry is needed to create the file. Before running the command, set JAVA_HOME to your JDK location and add JAVA_HOME/bin to your PATH. For example:

    export PATH=$JAVA_HOME/bin:$PATH

    The certificate resides in the file cacert.der in the directory IAD_ORACLE_HOME/oam/server/config.

    Execute the following command to import the DER-format CA certificate into the keystore as a trusted certificate:

    keytool -importcert -file IAD_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/ssoKeystore.jks -storetype JKS

    Enter the keystore password when prompted. This is the global passphrase you set in Section 17.2.3, "Configuring and Integrating with LDAP". Because the CA is self-signed, keytool prints the certificate's fingerprint and asks whether to trust it; compare the fingerprint with the output of keytool -printcert -file IAD_ORACLE_HOME/oam/server/config/cacert.der before answering yes.

    The file ssoKeystore.jks is required when you integrate Access Manager running in Simple mode with Oracle Identity Manager or Oracle Adaptive Access Manager.

17.5 Updating Idle Timeout Value

The default idle timeout value set in Access Manager is often too long and can cause issues such as a session not being logged out after it has timed out. Therefore, it is recommended that this value be reduced to 15 minutes.

To update the idle timeout value:

  1. Log in to the OAM Console at the URL listed in Section 31.2, "About Identity and Access Management Console URLs."

  2. Log in as the Access Manager administrator user you created during response file creation. For example:


  3. Click Configuration.

  4. Select Common Settings under Settings.

  5. Change Idle Time out (minutes) to 15.

  6. Click Apply.

17.6 Updating the ESSO IDS Repository

The ESSO Identity Store Repository is created by default as SSL-enabled. If the LDAP connection is not SSL-enabled, update the IDS repository to clear the SSL flag as follows. Note that clearing the flag sends directory traffic, including the bind credentials, to the LDAP server in cleartext; an SSL-enabled LDAP connection is preferable wherever the directory supports it.

  1. Log in to the OAM Console at the URL listed in Section 31.2, "About Identity and Access Management Console URLs".

  2. Log in as the Access Manager administrator user you created during response file creation. For example: oamadmin

  3. Click Configuration.

  4. Click User Identity Stores.

  5. Select ESSOIDSRepository under the section IDS Repositories, and click Edit.

  6. Uncheck the flag SSL.

  7. Click Save.

  8. Click Apply on the User Identity Stores page.

17.7 Enabling Exalogic Optimizations

This section describes post-deployment steps for Exalogic implementations.

This section includes the following topic:

17.7.1 Enabling OAM Persistence Optimizations

You can speed up OAM persistence on Exalogic by adding a parameter to the server start options of each OAM managed server.

To enable these optimizations:

  1. Log in to the WebLogic Console in the IAMAccessDomain.

    See the Console URLs in Section 31.2, "About Identity and Access Management Console URLs.".

  2. Navigate to Environment, and then Servers.

  3. Click Lock and Edit.

  4. Click on the server WLS_OAM1.

  5. Click on the Server Start subtab.

  6. Add the following to the Arguments field:

  7. Click Save.

  8. Repeat Steps 4-7 for the managed server WLS_OAM2.

  9. Click Activate Changes.

17.8 Backing Up the Application Tier Configuration

Oracle recommends creating a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific backup and recovery process.

For information on database backups, refer to your database documentation.

To back up the installation to this point, back up the following:

  • The Web tier

  • The Access Manager database.

  • The Administration Server domain directory

  • The Managed Server domain directory

  • The LDAP Directory

  • The Keystores created