Integrating Oracle Adaptive Access Manager (OAAM) with Oracle Access Manager enables fine-grain control over the authentication process and pre- and post-authentication checking against Oracle Adaptive Access Manager policies.
This chapter explains how to integrate Oracle Adaptive Access Manager 11g with Oracle Access Manager 10g. The integration can be deployed with Oracle Access Manager 10g alone, or in coexistence with Access Manager 11g, where both products redirect users to the same OAAM Server.
It contains the following sections:
This section provides step-by-step instructions for integrating Oracle Access Manager with Oracle Adaptive Access Manager (OAAM) to secure resources via risk-based authentication. It contains the following topics:
Roadmap for OAAM 11g Integration with Oracle Access Manager 10g
Prerequisites to OAAM 11g Integration with Oracle Access Manager 10g
Testing Oracle Adaptive Access Manager and Oracle Access Manager Integration
This section describes the process flow when a user tries to access a protected resource in an Oracle Access Manager and OAAM integration.
When a user tries to access a resource protected by Oracle Access Manager, the user is redirected to the OAAM login page instead of the Oracle Access Manager login page.
Oracle Adaptive Access Manager collects the credentials and delegates user authentication to Oracle Access Manager.
Oracle Adaptive Access Manager then performs risk analysis of the user.
Table 20-1 lists the high-level tasks for integrating Oracle Adaptive Access Manager with Oracle Access Manager.
Except where specified, the following procedures are required to complete the integration of Oracle Adaptive Access Manager 11g and Oracle Access Manager 10g.
Table 20-1 Integration Flow for Oracle Access Manager and Oracle Adaptive Access Manager

Number | Task | Information
---|---|---
1 | Verify that all required components have been installed and configured prior to integration. | For information, see "Prerequisites to OAAM 11g Integration with Oracle Access Manager 10g".
2 | Configure the OAM AccessGate for the OAAM Web server. | For information, see "Configuring OAM AccessGate for OAAM Web Server".
3 | Configure the OAM authentication scheme. | For information, see "Configuring OAM Authentication Scheme".
4 | Configure the Oracle Access Manager connection (optional). | For information, see "Configuring Oracle Access Manager Connection (Optional)".
5 | Set up the WebGate for the OAAM Web server. | For information, see "Setting Up WebGate for OAAM Web Server".
6 | Configure the OAM policy domain to use OAAM authentication. | For information, see "Configuring OAM Domain to Use OAAM Authentication".
7 | Configure OHS. | For information, see "Configuring Oracle HTTP Server (OHS)".
8 | Configure OAAM properties. | For information, see "Configuring OAAM Properties for Oracle Access Manager".
9 | Turn off IP validation. | For information, see "Turning Off IP Validation".
10 | Validate the Oracle Access Manager and Oracle Adaptive Access Manager integration. | For information, see "Testing Oracle Adaptive Access Manager and Oracle Access Manager Integration".
Ensure that the following prerequisites are met before performing the integration:
All necessary components have been properly installed and configured:
Oracle Adaptive Access Manager 11g
Oracle Access Manager 10.1.4.3
Application Server
For installation information for Oracle Adaptive Access Manager 11g, see Installation Guide for Oracle Identity and Access Management.
For installation information for Oracle Access Manager 10g, see Oracle Access Manager Installation Guide 10g (10.1.4.3).
The Oracle Access Manager environment has been configured to protect simple HTML resources using two different authentication schemes:
The first authentication scheme uses Basic Over LDAP.
This built-in Web server challenge mechanism requires the user to enter their login ID and password. The credentials supplied are compared to the user's profile in the LDAP directory server.
The second authentication scheme is a higher-security level and integrates OAAM Server by using a custom form-based authentication scheme.
This method is similar to the basic challenge method, but users enter information in a custom HTML form. You can choose the information users must provide in the form that you create. A challenge parameter is used. For information about challenge parameters, see "About Challenge Parameters" in Chapter 5, "Configuring User Authentication" in Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).
For information on authentication schemes, see Chapter 5, "Configuring User Authentication" in Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).
In an Oracle Access Manager and Oracle Adaptive Access Manager integration, an Oracle Access Manager AccessGate, deployed as a traditional WebGate, fronts the Web server that proxies requests to OAAM Server. For information on AccessGates, see Chapter 3, "Configuring WebGates and Access Servers" in Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).
To configure the Oracle Access Manager AccessGate that fronts the Web server to OAAM Server, perform the following steps:
Navigate to the Access System Console.
For information on logging in to the Access System, see Chapter 1, "Preparing for Administration" in Oracle Access Manager Identity and Common Administration Guide, 10g (10.1.4.3).
Click the Access System Console link, and then log in as a Master Administrator.
Click Access System Configuration, then select Add New AccessGate.
Use the settings in the table below to create a new AccessGate and assign it an Access Server.
For information on assigning the AccessGate to an Access Server, see Section 3.6, "Associating AccessGates and WebGates with Access Servers," in Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).
Table 20-2 Oracle HTTP Server (OHS) WebGate Configuration

Parameter | Value | Description
---|---|---
AccessGate Name | ohsWebGate | Name of this AccessGate instance.
Description | AccessGate for Web server hosting OAAM Server | Summary that will help you identify this AccessGate later on.
Hostname | | Name or IP address of the server hosting this AccessGate.
Port Number | | Web server port protected by the AccessGate when deployed as a WebGate.
AccessGate Password | | Password for this AccessGate. The AccessGate uses this password to identify itself to an Access Server.
Debug | <Off> | Off so that debug messages between the AccessGate and Access Server are not written.
Maximum user session time (seconds) | 3600 | Maximum amount of time, in seconds, that a user's authentication session is valid, regardless of activity. At the expiration of this session time, the user is re-challenged for authentication.
Idle Session Time (seconds) | 3600 | Amount of time, in seconds, that a user's authentication session remains valid without accessing any AccessGate-protected resources.
Maximum Connections | 1 | Maximum number of connections this AccessGate can establish with associated Access Servers.
Transport Security | <Open> | Method for encrypting messages between this AccessGate and the Access Servers it is configured to talk to.
IP Validation | <Off> | Determines whether a client IP address is the same as the IP address stored in the ObSSOCookie generated for single sign-on.
IP Validation Exception | leave blank | IP addresses to exclude from IP address validation.
Maximum Client Session Time (hours) | 24 | Maximum time, in hours, that the AccessGate keeps a connection to the Access Server open before it is closed and reestablished.
Failover Threshold | 1 | Number representing the point when this AccessGate opens connections to secondary Access Servers.
Access server timeout threshold | leave blank | Time (in seconds) during which the AccessGate must wait for a response from the Access Server.
Sleep for (seconds) | 60 | Number (in seconds) that represents how often this AccessGate checks its connections to Access Servers.
Maximum elements in cache | 10000 | Maximum number of elements that can be maintained in the URL and authentication scheme caches.
Cache timeout (seconds) | 1800 | Time period during which cached information remains in the AccessGate cache when neither used nor referenced.
Impersonation Username | leave blank | Name of the trusted user that you created to be used for impersonations.
Impersonation Password | leave blank | Password for the impersonation user name.
Access Management Service | <On> | Whether the Access Management Service is On or Off. On if the Access Server is associated and communicating with AccessGates (which communicate using APIs in the SDK).
Primary HTTP Cookie Domain | | The Web server domain on which the AccessGate is deployed.
Preferred HTTP Host | | Determines how the host name appears in all HTTP requests as they attempt to access the protected Web server.
Deny on not protected | <Off> | True denies all access to resources on the Web server protected by WebGate unless access is allowed by a policy.
CachePragmaHeader | no-cache | By default, CachePragmaHeader and CacheControlHeader are set to no-cache. This prevents WebGate from caching data at the Web server application and the user's browser.
CacheControlHeader | no-cache | See CachePragmaHeader.
LogOutURLs | leave blank | Enables you to configure one or more specific URLs that log out a user.
User Defined Parameters | leave blank | Configure the WebGate to work with particular browsers, proxies, and so on.
Assign An Access Server (Primary) | | Access Server to associate with this AccessGate.
Number of Connections | 1 | Number of connections to the Access Server.

Two of these values deserve attention. Transport Security Open means that OAP traffic between this AccessGate and the Access Server is not encrypted; if your Access Servers run in Simple or Cert mode, select the matching mode here and set the corresponding oaam.uio.oam10.security.mode and keystore properties on the OAAM side, as described in "Configuring OAAM Properties for Oracle Access Manager". IP Validation is Off because OAAM, rather than the WebGate, redirects the user to the protected URL after authentication (see "Turning Off IP Validation"); this removes the check that ties the ObSSOCookie to the client address, so that check cannot be relied on for this AccessGate.
Click AccessGate Configuration.
Click OK to search for all AccessGates.
The new AccessGate is now listed.
To leverage OAAM Server as an authentication mechanism, Oracle Access Manager must have a defined Authentication Scheme to understand how to direct authentications to OAAM Server. For information on authentication schemes, see Chapter 5, "Configuring User Authentication" in Oracle Access Manager Access Administration Guide, 10g (10.1.4.3)
To define the authentication scheme for Oracle Adaptive Access Manager, follow the steps below:
From the Access System Console, click the Access System Configuration tab.
Click Authentication Management in the left navigation pane.
Click New.
Using the settings in the table below, begin creating the new OAAM Server authentication scheme:
Table 20-3 OAAM Server Authentication Scheme Configuration

Parameter | Value | Description
---|---|---
Name | Adaptive Strong Authentication | Unique name for the scheme.
Description | Oracle Adaptive Access Manager-OAAM Server virtual authentication pad authentication scheme | Brief description of what the scheme does.
Level | 3 | Security level of the authentication scheme. The security level of the scheme reflects the challenge method and degree of security used to protect transport of credentials from the user.
Challenge Method | Form | Specifies how authentication is to be performed and the information required to authenticate the user.
Challenge Parameter(s) | form:/oaam_server/oamLoginPage.jsp | Provides WebGate with additional information to perform an authentication. form: indicates where the HTML form is located relative to the host's document directory.
 | creds:userid password | creds: lists all fields used for login in the HTML form.
 | action:/oaam_server/ | action: URL that the HTML form posts to.
SSL Required | <No> | Whether users must be authenticated using a server enabled for Secure Sockets Layer (SSL).
Challenge Redirect | | URL of another server to which you want to redirect this request if authentication does not take place on the resource Web server.
Enabled | <Disabled/Greyed Out> | Enable or disable the authentication scheme.
Click Save. The Details for Authentication Scheme display page appears. This page displays the information you entered for the new authentication scheme.
Click OK to confirm the save operation.
Select the Plugins tab to display the plug-ins for this authentication scheme.
Click Modify. The Plugins for Authentication Scheme page changes to include the Add and Delete buttons as well as the Update Cache checkbox.
Click Add. The page changes to include a list of options and a text box for selecting and defining the plug-in to be added.
Create the plugin configurations using the information presented in the table below.
Table 20-4 OAAM Server Authentication Scheme Configuration Plugins

Plugin Name | Plugin Parameters
---|---
credential_mapping | obMappingBase="dc=<domain>,dc=com",obMappingFilter="(uid=%userid%)"
validate_password | obCredentialPassword="password"
The credential_mapping plug-in maps the user ID to a valid distinguished name (DN) in the directory.
The validate_password plug-in is used to validate the user's password against the LDAP data source.
Click Save.
Click General.
Click Modify.
Set Enabled to Yes.
Click Save.
The AccessGates used by OAAM Server must have host identifier entries. Use the Host Identifiers feature to enter the official name for the host, and every other name by which the host can be addressed by users.
A request sent to any address on the list is mapped to the official host name, and applicable rules and policies are implemented. This is primarily used in virtual site hosting environments.
For information on configuring host identifiers, see Section 3.7.2, "Configuring Host Identifiers" in Chapter 3, "Configuring WebGates and Access Servers" of Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).
To correctly handle the cookies for authentication and the required HTTP headers for the OAAM Server, OAAM Server must be protected with a standard WebGate and Web server.
To set up the WebGate for use with OAAM Server:
Stop the application server (and Web server).
Run the WebGate installation program.
For the WebGate configuration, use the following settings:
Table 20-5 Setting Up the WebGate for Use with OAAM Server

Attribute | Value | Description
---|---|---
WebGate ID | ohsWebGate | Unique ID specified in the Access System Console.
WebGate Password | | Password you defined in the Access System Console.
Access Server ID | | Access Server ID associated with this WebGate.
DNS Hostname | | DNS host name of the Access Server associated with this WebGate.
Port Number | | Port on which the Access Server listens for this WebGate.
For detailed information, refer to Section 9.5.3, "Specifying WebGate Configuration Details" in Oracle Access Manager Installation Guide 10g (10.1.4.3) and Chapter 2, "Integrating Oracle HTTP Server" in Oracle Access Manager Integration Guide 10g (10.1.4.3).
The OAAM Server authentication should now be operable for Oracle Access Manager policy domains.
To modify the Oracle Access Manager policy domain to use the OAAM authentication scheme (Strong Authentication), follow these steps:
In the Access System Console, click the link for the Policy Manager at the top of the page.
Click My Policy Domains in the left navigation pane. A list of policy domains appears.
Click the link for the policy domain that you want to view. The General page for the selected policy domain appears.
Click Default Rules. The General page for the Authentication Rule tab appears. It shows the current configuration for the rule.
Click Modify. The General page, whose fields you can modify, appears.
From the Authentication Scheme drop-down selector, select Adaptive Strong Authentication.
Click OK to confirm the change in authentication schemes.
Ensure that Update Cache is checked.
Click Save to save your changes.
Close the browser.
For information on modifying an Authentication Rule for a Policy Domain, see Section 5.9.2, "Modifying an Authentication Rule for a Policy Domain" in Chapter 5, "Configuring User Authentication" of Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).
mod_wl_ohs is the plug-in that proxies requests from Oracle HTTP Server to Oracle WebLogic Server. The module is included in the Oracle HTTP Server installation; you do not need to download or install it separately. Configure OHS so that it proxies requests to OAAM Server. In OHS 11g, this is done by editing the mod_wl_ohs.conf file.
To set up the proxy:
Locate the mod_wl_ohs.conf file. It is in the following directory:
ORACLE_INSTANCE/config/OHS/component_name
Open the mod_wl_ohs.conf file and add an entry similar to the following example, replacing the host and port with those of the Managed Server that hosts OAAM Server:

```apache
<Location /oaam_server>
    SetHandler weblogic-handler
    WebLogicHost name.mycompany.com
    WebLogicPort 24300
</Location>
```

Restart OHS for the change to take effect. The OHS instance that proxies /oaam_server must be the one protected by the WebGate configured in "Setting Up WebGate for OAAM Server", because the authentication scheme's form and action URLs point at that location.
Setting OAAM properties for Oracle Access Manager and Oracle Access Manager credentials in the Credential Store Framework (CSF) is required for this integration to work.
To set OAAM properties for Oracle Access Manager:
Start the Managed Server hosting the OAAM Server.
Navigate to the OAAM Admin Console at http://oaam_managed_server_host:oaam_admin_server_port/oaam_admin.
Log in as a user with access to the property editor.
Open the OAAM property editor to set the Oracle Access Manager properties.
If a property does not exist, you must add it.
For the following properties, set the values according to your deployment:
Table 20-6 Configuring Oracle Access Manager Property Values

Property Name | Property Value
---|---
bharosa.uio.default.password.auth.provider.classname | com.bharosa.vcrypt.services.OAMOAAMAuthProvider
bharosa.uio.default.is_oam_integrated | false
oracle.oaam.httputil.usecookieapi | true
oaam.uio.oam10.host | Access Server host machine name; for example, host.example.com
oaam.uio.oam10.port | Access Server port; for example, 3004
oaam.uio.oam.obsso_cookie_domain | Cookie domain defined in the Access Server WebGate agent
oaam.uio.oam.java_agent.enabled | false
oaam.uio.oam10.webgate_id | WebGate ID configured in Section 20.1.4, "Configuring OAM AccessGate for OAAM Web Server."
oaam.uio.oam10.authenticate.withoutsession | false
oaam.uio.oam10.secondary.host | Name of the secondary Access Server host machine. The property must be added, as it is not set by default. It is used for high availability; specify the fail-over host name with this property.
oaam.uio.oam10.secondary.host.port | Port number of the secondary Access Server. The property must be added, as it is not set by default. It is used for high availability; specify the fail-over port with this property.
oaam.oam10.csf.credentials.enabled | true. This property enables configuring credentials in the Credential Store Framework instead of maintaining them in the property editor, so that credentials are stored securely in CSF.
For information on setting properties in Oracle Adaptive Access Manager, see "Using the Property Editor" in Administering Oracle Adaptive Access Manager.
So that Oracle Access Manager WebGate credentials can be securely stored in the Credential Store Framework, follow these steps to add a password credential to the OAAM domain:
Navigate to the Oracle Fusion Middleware Enterprise Manager Console at http://weblogic_server_host:admin_port/em.
Log in as a WebLogic Administrator.
Expand Base_Domain in the navigation tree in the left pane.
Select your domain name, right-click, select the menu option Security, and then select the option Credentials in the sub-menu.
Click Create Map.
Click oaam to select the map, then click Create Key.
In the pop-up window make sure Select Map is oaam.
Provide the following properties and click OK.
In order for Oracle Adaptive Access Manager to direct the user to the protected URL after authentication, you must turn off IP validation. For information on configuring IP validation, see Section 3.5.3, "Configuring IP Address Validation for WebGates" in Chapter 3, "Configuring WebGates and Access Servers" in Oracle Access Manager Access Administration Guide, 10g (10.1.4.3).
To turn off IP validation, follow the steps below:
On the Access System main page, click the Access System Console link, and then log in as an administrator.
On the Access System Console main page, click Access System Configuration, and then click the Access Gate Configuration link on the left pane to display the AccessGates Search page.
Enter the proper search criteria and click Go to display a list of AccessGates.
Select the AccessGate.
For example, ohsWebGate.
Click Modify at the bottom of the page.
Set IP Validation to off.
Click Save at the bottom of the page.
To test the configuration, try accessing your application. Oracle Access Manager intercepts the unauthenticated request and redirects you to OAAM Server, which challenges you for credentials.
You can integrate OAAM Server 11g with both Oracle Access Manager 10g and Oracle Access Management Access Manager (Access Manager) 11g Release 2 (11.1.2.3) simultaneously when the deployments coexist.
The integration enables both Oracle Access Manager 10g and Access Manager 11g to point to the same OAAM Server instead of multiple OAAM Servers. The integration has a smaller footprint than if multiple OAAM Servers were used.
OAAM can integrate with Oracle Access Manager 10g and Access Manager 11g in Advanced and TAP modes. OAAM Server integrates with Oracle Access Manager 10g in Advanced mode and OAAM Server integrates with Access Manager 11g in TAP mode.
Device fingerprinting, risk analysis, KBA challenge mechanisms, and Step Up authentication features are now available in the OAAM 11g and Oracle Access Manager 10g integration in coexistence mode.
Strong multi-factor authentication and advanced real-time fraud prevention are provided for both sets of applications: Access Manager 11g protects migrated applications and any new applications registered with it, while Oracle Access Manager 10g protects applications that are still registered with it and have not yet been migrated to Access Manager 11g.
Through the Step Up Authentication feature, end-users have a seamless single sign-on (SSO) experience when they navigate between applications that are protected by Oracle Access Manager 10g and applications protected by Access Manager 11g. Users authenticated by Access Manager 11g need not enter credentials again if they access any resource protected by Oracle Access Manager 10g Server and vice versa.
Oracle Access Manager 10g and Access Manager 11g Servers can independently handle all authentication and authorization requests that are routed to them, without depending on each other.
Oracle Access Manager 10g and Access Manager 11g protect entirely different resources that have nothing to do with each other.
For instructions on how to integrate OAAM 11g with Access Manager 11g, see "Integrating Oracle Adaptive Access Manager with Access Manager" in Integration Guide for Oracle Identity Management Suite.
For information setting up coexistence for Oracle Access Manager 10g with Oracle Access Management Access Manager 11g, see the "Coexistence of Oracle Access Manager 10g with Oracle Access Management Access Manager 11.1.2.3.0" chapter in Migration Guide for Oracle Identity and Access Management.
The process flows in an OAAM Server 11g, Oracle Access Manager 10g, and Access Manager 11g integrated environment are documented below.
This section describes how the integration works in the coexistence mode when a user accesses a resource protected by Oracle Access Manager 10g Server, and then accesses a resource protected by Access Manager 11g Server.
The user requests access to the OAM 10g-protected resource through a web browser.
The Webgate intercepts the request and checks with OAM Server whether the resource is protected or not.
If the resource is protected, then OAM Server checks with the policy manager the authentication scheme configured for that resource. OAM Server redirects the users to OAAM for authentication and passes a redirect URL.
The user is prompted to enter credentials as required by the authentication scheme defined for the resource. During this step, device fingerprinting and pre-authentication rules are run. Once OAAM has collected the credentials, it uses an embedded OAM Access SDK client (or custom AccessGate) to pass them to the OAM Server.
OAM validates the credentials against its configured LDAP identity store and returns the result to OAAM.
OAAM evaluates if the user needs to be taken through the Registration or Challenge flows.
OAAM interacts with the user during the appropriate flows and if the user is successful, OAM sets the OAM cookie, redirects the user to the redirect URL, and a single sign-on session is created.
The user is able to access the OAM 10g-protected resource.
The user requests access to the Access Manager 11g-protected resource through a web browser.
Users authenticated by Oracle Access Manager 10g Server need not enter credentials again if they access any resource protected by Access Manager 11g Server.
The WebGate 11g reads the ObSSOCookie and obtains the authentication level information and determines if further authentication is needed.
Step Up Authentication allows users who have been authenticated by OAM at a lower level to access resources protected by OAAMTAPScheme configured at a relatively higher authentication level. When the user tries to access a protected resource that is configured at a higher level, OAAM runs policies to determine how to further authenticate the user so as to reach the authentication level required for the protected resource. The user is not taken through the normal login flow, since the user is already authenticated.
If the user needs further authentication, the control comes to OAAM and the user is challenged.
If the user is able to provide the correct response, Access Manager sets the OAM cookie, user is logged in, and a single sign-on session is created. The user is able to access the Access Manager 11g-protected resource without getting prompted for credentials.
If a user logs out from any one of the servers, the session ends and the user is logged out from both Access Manager 11g and Oracle Access Manager 10g Servers. A user can access any protected resource only after re-authentication.
This section describes how the integration works in the coexistence mode when a user accesses a resource protected by Access Manager 11g Server and then accesses a resource protected by the Oracle Access Manager 10g Server.
The user requests access to the Access Manager 11g-protected resource through a web browser.
The Webgate intercepts the request and checks with OAM Server whether the resource is protected or not.
OAM Server checks with the policy manager and sees the resource is protected by the TAP Scheme. OAM Server redirects the user to OAAM for login.
OAAM collects the username from the username page, fingerprints the device, and runs pre-authentication rules before presenting the password page.
Once OAAM has collected these credentials, OAAM sends OAP API calls to Access Manager to validate credentials.
OAM validates the credentials against its configured LDAP identity store and sends a TAP token to OAAM. The TAP token sent by Access Manager provides parameters related to the authentication level.
OAAM evaluates the Post-Authentication to determine if the Registration and Challenge checkpoints should be run.
OAAM interacts with the user during the appropriate flows and if the user is successful, OAAM sets the OAM cookie and redirects user to resource requested.
The user requests access to the Oracle Access Manager 10g-protected resource through a web browser.
Step Up Authentication applies here as well: if the Oracle Access Manager 10g-protected resource requires a higher authentication level than the user's current session, OAAM runs its policies to determine how to further authenticate the user rather than taking the user through the normal login flow.
User is able to access the Oracle Access Manager protected resource without being prompted for credentials.
Users authenticated by Access Manager 11g Server need not enter credentials again if they access any resource protected by Oracle Access Manager 10g Server.
If a user logs out from any one of the servers, the session ends and the user is logged out from both Access Manager 11g and Oracle Access Manager 10g Servers. A user can access any protected resource only after re-authentication.
To configure OAAM Server so that Oracle Access Manager 10g and Access Manager 11g can both redirect the user to the same OAAM Server, edit or add the configuration properties documented below. If you do not define values for these properties, the values of the existing 11g properties are used. You can edit these properties using the oaam_cli.properties file or the Properties Editor.
Editing 10g OAM Integration Properties in the oaam_cli.properties File
If you do not want to use the Properties Editor to edit parameters manually, you can set the following properties in the oaam_cli.properties file.
Table 20-8 Configuring OAM Server Values

Property Name | Value | Description
---|---|---
oam.config.10g | false |
oaam.uio.oam10.host | | Defines the primary OAM host name to which OAP connections should be established.
oaam.uio.oam10.port | | Defines the OAP port for the primary OAM host.
oaam.uio.oam10.webgate_id | IAMSuiteAgent |
oaam.uio.oam10.secondary.host | | Defines the secondary, or failover, OAM host name. OAP connections are only established to this host if connections to the primary OAM host fail.
oaam.uio.oam10.secondary.host.port | | Defines the OAP port for the secondary OAM host.
oaam.uio.oam10.security.mode | 1 | Defines the communication security between OAAM and OAM; can be 1 (open), 2 (simple) or 3 (cert).
oam.uio.oam10.rootcertificate.keystore.filepath | | Required if OAM 10g is in Simple or Cert mode.
oam.uio.oam10.privatekeycertificate.keystore.filepath | | The property can be set, but it should not need to be changed.
oaam.oam10.csf.credentials.enabled | true | When set, uses the Fusion Middleware Credential Store Framework (CSF) to securely store passwords, such as the WebGate password.
Editing 10g OAM Integration Properties Using Properties Editor
Table 20-9 Configuring OAAM Server Values
Property Name | Value | Description |
---|---|---|
oaam.uio.oam10.host | | Defines the primary OAM host name to which OAP connections should be established. |
oaam.uio.oam10.port | 0 | Defines the OAP port for the primary OAM host. |
oaam.uio.oam10.secondary.host | | Defines the secondary, or failover, OAM host name. OAP connections are established to this host only if connections to the primary OAM host fail. |
oaam.uio.oam10.secondary.host.port | 0 | Defines the OAP port for the secondary OAM host. |
oaam.uio.oam10.webgate_id | | Defines the WebGate ID used by OAAM. |
oaam.uio.oam10.security.mode | | Defines the communication security between OAAM and OAM; can be 1 (open), 2 (simple) or 3 (cert). |
oaam.uio.oam10.user | | Not needed if using CSF, which is the default. |
oaam.uio.oam10.password | | Not needed if using CSF, which is the default. |
oaam.oam10.oamclient.debugFlag | false | The property can be set, but it should not need to be changed. |
oaam.uio.oam10.virtual_host_name | IDMDomain | The property can be set, but it should not need to be changed. |
oaam.uio.oam10.authenticate.withoutsession | false | The property can be set, but it should not need to be changed. |
oaam.oam10.csf.credentials.enabled | true | This property, when set, uses the Fusion Middleware Credential Store Framework (CSF) to store passwords securely, such as the WebGate password. The property can be set, but it should not need to be changed. |
oaam.oam10.csf.credentials.key | oam.credentials | The property should be set to a value other than oam.credentials in a co-existence environment, e.g., oam10.credentials. |
oaam.uio.oam10.java_agent.enabled | false | The property can be set, but it should not need to be changed. |
oam.uio.oam10.rootcertificate.keystore.filepath | | Required if OAM 10g is in Simple or Cert mode. |
oam.uio.oam10.privatekeycertificate.keystore.filepath | | The property can be set, but it should not need to be changed. |
oaam.oam10.globalpp.credentials | | Required if OAM 10g is set to Simple or Cert mode. This points to the CSF credential that contains the OAM 10g keystore credentials, e.g., oam10.globalpp.credentials. |
oaam.oam10.keystore.credentials | | Required if OAM 10g is set to Simple or Cert mode, e.g., oam10.keystore.credentials. |
oracle.oaam.httputil.usecookieapi | true | If you are using the OAAMAdvanced scheme in OAAM Advanced integration with OAM 10g or Access Manager 11g, you must set this property. |
oaam.uio.oam10.nap_version | | Optional property. |
oaam.uio.oam10.num_of_connections | | Optional property. Defines the target (maximum) number of OAP connections to the primary OAM Server that OAAM maintains in its pool. |
oaam.uio.oam10.secondary.host.num_of_connections | | Optional property. Defines the target (maximum) number of OAP connections to the secondary OAM Server that OAAM maintains in its pool. |
oaam.oam10.oamclient.minConInPool | | Optional property. Defines the minimum number of OAP connections that OAAM maintains in its pool. |
oaam.oam10.oamclient.periodForWatcher | | Optional property. Defines the rest period (in milliseconds) for the OAAM Pool Watcher thread, which periodically checks the health of the connections in the pool. Keep this value low if connections can go bad frequently. |
oaam.oam10.oamclient.initDelayForWatcher | | Optional property. Defines the initial delay (in milliseconds) before the OAAM Pool Watcher thread starts to check connections. |
oaam.oam10.oamclient.timeout | | Optional property. Period in milliseconds that a request waits for an available OAP connection before timing out when none is available in the pool. Keep this value low. |
In an Oracle Access Manager 10g and OAAM 11g integrated environment, you can configure OAAM and OAM for step-up authentication so that OAAM detects that a user is already authenticated when the user, having accessed a resource protected by an OAM basic authentication scheme (Level 1), then tries to access a resource protected by a higher-level authentication scheme (for example, Level 2). The user is not redirected to the OAAM login page to log in again.
To configure Oracle Access Manager and Oracle Adaptive Access Manager for step-up authentication, follow the steps in this section.
Oracle Access Manager Side
1. Create a host identifier that does not map to any real host, e.g., STEP_UP_HOST.
2. In the OAM 10g console, add a new AccessGate for step-up authentication that is not used by any component other than Oracle Adaptive Access Manager. Use the host identifier specified in Step 1.
3. Create a new authentication scheme similar to the one in Section 20.1.5, "Configuring OAM Authentication Scheme", with the settings in Table 20-10.
Table 20-10 Configuring Step-Up Authentication
Parameter | Value |
---|---|
Name | Step-up Auth |
Description | Authn Scheme for Step-up |
Level | 4 (Same level as Adaptive Strong Authentication) |
Challenge Method | None |
Challenge Parameter(s) | (Leave empty) |
SSL Required | No |
Challenge Redirect | (Leave empty) |
Enabled | Yes |
In the Plugins section, provide the following setting:
credential_mapping obMappingBase="dc=<domain>,dc=com",obMappingFilter="(uid=%userid%)"
There should not be a validate_password plugin, since this authentication scheme is used only to map the username.
4. Create a new OAM application domain and protect a dummy resource, e.g., /step-up-noauth. Set the authentication scheme for it to the one created in Step 3.
Oracle Adaptive Access Manager Side
1. Specify the OAAM step-up authentication properties with the following WebGate and URL details:
oaam.uio.oam.10g.stepup.webgate.name=Name_of_Step-Up_AccessGate
oaam.uio.oam.10g.stepup.authn.relative.url=Relative_URL_of_the_protected_Resource
oaam.uio.oam.10g.stepup.authn.preferred.host=Preferred_Hostname_as_set_in_the_accessgate_and_policy
The value for oaam.uio.oam.10g.stepup.authn.relative.url is the relative dummy URL provided in Step 4 of the Oracle Access Manager Side configuration, for example /step-up-noauth.
2. Ensure the following Access Manager and OAAM integration properties are set as follows:
oaam.uio.oam.integration.tap.enabled=true
bharosa.uio.default.is_oam_integrated=false
oaam.uio.login.page=/login.do
The oaam.uio.oam.integration.tap.enabled property must be set to true even though the integration is not TAP-related. If it is not, the user cannot complete the step-up flow successfully.
The oaam.uio.login.page property must remain a file-type property with the value /login.do. If oaam.uio.login.page is set incorrectly, users do not see an error message when an incorrect password is entered or when a user is blocked.
3. Using Oracle Enterprise Manager Fusion Middleware Control, add the password of the "OAM Step-Up AccessGate" (configured in Step 2 of the Oracle Access Manager Side configuration) as a password credential with the key name oam.stepup.webgate.credentials under the map name oaam in the OAAM WebLogic domain.
This section contains the following topics:
Configuring OAAM to Read the Host Name and Path in Load-Balanced Scenario
Specifying OAM Servers as Primary Servers for Load-Balancing
Configuring OAAM to Read the Host Name and Path in Load-Balanced Scenario
By default, Oracle Adaptive Access Manager reads the host name and path from the wh and wu attributes of the original request in the OAM cookie ObFormLoginCookie (wh is the value of the host identifier and wu is the value of the URL). In a load-balanced scenario, the host name and path have to be parsed from rh and ru in the ObFormLoginCookie instead (rh is the host name in the request and ru is the URI in the request). These can be set using the following properties:
oaam.uio.oam.cookie.redirect.hostname.attribute=rh (default=wh)
oaam.uio.oam.cookie.redirect.path.attribute=ru (default=wu)
Specifying OAM Servers as Primary Servers for Load-Balancing
You can specify multiple OAM Servers as primary and secondary servers for load balancing. The OAM host name can be passed to each of the OAAM instances by setting it as a system property and passing it to the WebLogic JVM using the "-D" option. The steps are as follows:
1. Using the OAAM Administration Console, delete the following property:
oaam.uio.oam.host=ExistingValue
2. Using setenv, set the OAM host as follows:
JAVA_OPTIONS "-Doaam.uio.oam.host=OAM_Host_Name"
3. Start the OAAM WebLogic managed server oaam_server_server1.
4. Verify that it is passed as a system property by looking at the lines printed after "Starting WLS with line" in the server console.
The OAMOAAMUtil.getRedirectURLFromCookie() and OAMOAAMUtil.getIsProtectedResourceURLFromCookie() methods are available through the OAM10gIntegrationProcessor so that the load-balanced URL for redirection and the real-host URL for authentication by the OAM Authentication API can be parsed separately from ObFormLoginCookie. To achieve this:
1. Ensure that Oracle Access Manager 10g and Oracle Adaptive Access Manager 11g are integrated with the integration processor set to OAM10gIntegrationProcessor instead of OAMIntegrationProcessor, and that the load balancer front-ends the web servers.
2. Make sure the property oaam.server.integration.processor.oam has the value com.bharosa.uio.processor.integration.OAM10gIntegrationProcessor.
3. Add all the real host names as preferred hosts in the OAM policy.
4. Using the OAAM Properties Editor in the OAAM Administration Console, specify the attributes for authentication checks and redirections using the following OAAM properties. The default values are wh and wu respectively:
oaam.uio.oam.cookie.isprotected.hostname.attribute (default=wh)
oaam.uio.oam.cookie.isprotected.path.attribute (default=wu)
oaam.uio.oam.cookie.redirect.hostname.attribute (default=wh)
oaam.uio.oam.cookie.redirect.path.attribute (default=wu)
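The four properties above only name which cookie attribute is read for each purpose; the following added example (not Oracle's code) shows the separate redirect and is-protected resolution that results, and checks the chosen host against the preferred-host list from Step 3 before anything is redirected. It assumes the ObFormLoginCookie attributes can be represented as whitespace-separated key=value pairs; the cookie string, host names and the load balancer name are constructed.

```python
# Attribute names that OAAM reads by default (wh/wu, the host identifier and URL).
DEFAULT_PROPS = {
    "oaam.uio.oam.cookie.redirect.hostname.attribute": "wh",
    "oaam.uio.oam.cookie.redirect.path.attribute": "wu",
    "oaam.uio.oam.cookie.isprotected.hostname.attribute": "wh",
    "oaam.uio.oam.cookie.isprotected.path.attribute": "wu",
}

# Load-balanced setting from the text: redirect through rh/ru (request host and
# URI) while the is-protected check keeps wh/wu for the real host.
LOAD_BALANCED_PROPS = {
    "oaam.uio.oam.cookie.redirect.hostname.attribute": "rh",
    "oaam.uio.oam.cookie.redirect.path.attribute": "ru",
}

# Constructed cookie value (assumed 'key=value' layout, not a captured cookie):
# real web server in wh, load balancer name in rh.
SAMPLE_COOKIE = ("wh=web1.corp.example wu=/secure/index.html "
                 "rh=portal.example.com ru=/secure/index.html")


def parse_cookie(value):
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    attrs = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        if sep:
            attrs[key] = val
    return attrs


def resolve(cookie_value, props, allowed_hosts, purpose="redirect"):
    """Return (host, path) for purpose 'redirect' or 'isprotected'.

    allowed_hosts: the preferred hosts from the OAM policy (plus the load
    balancer name when redirects go through it).  A host outside that list,
    or a path that is not a single-slash relative path, raises ValueError so
    the browser is never sent to a location the policy does not know.
    """
    cfg = {**DEFAULT_PROPS, **props}
    attrs = parse_cookie(cookie_value)
    host = attrs.get(cfg[f"oaam.uio.oam.cookie.{purpose}.hostname.attribute"], "")
    path = attrs.get(cfg[f"oaam.uio.oam.cookie.{purpose}.path.attribute"], "")
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"{purpose} host {host!r} is not an allowed host")
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError(f"{purpose} path {path!r} is not a relative path")
    return host, path
```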
The user ID attribute value in the Distinguished Name (DN) can be configured in the LDAP/OAM setup. For example, if the name of the user ID attribute coming in from the DN is uid, you would need to set the following property to uid, as shown below:
oaam.uio.oam.obsso_cookie_dn_cn_attr_name=uid
OAAM also needs to be configured so that the DN attributes can be correctly identified during the integration with OAM. The default value of oaam.uio.oam.obsso_cookie_dn_cn_attr_name is uid,cn. OAAM looks for an attribute called uid in the DN and, if present, uses it as the user ID. If uid is not present, OAAM looks for the cn attribute in the DN and uses that as the user ID.
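The ordered lookup just described (first attribute listed in oaam.uio.oam.obsso_cookie_dn_cn_attr_name wins, the next is the fallback) is shown below as an added example, not OAAM's own code. The small DN parser honours RFC 4514 backslash escapes and multi-valued RDNs so that a comma inside a cn value does not split the attribute; the sample DNs are constructed.

```python
def parse_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs in DN order.

    Handles RFC 4514 backslash escapes (so 'cn=Doe\\, Jane' stays one value)
    and '+'-joined multi-valued RDNs; attribute names are lower-cased.
    """
    pairs, current, escaped = [], [], False
    for ch in dn + ",":          # trailing comma flushes the last AVA
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            ava = "".join(current).strip()
            current = []
            if "=" in ava:
                attr, value = ava.split("=", 1)
                pairs.append((attr.strip().lower(), value.strip()))
        else:
            current.append(ch)
    return pairs


def user_id_from_dn(dn, attr_names="uid,cn"):
    """Return the user ID OAAM would take from dn, or None if no listed
    attribute is present.  attr_names mirrors the comma-separated value of
    oaam.uio.oam.obsso_cookie_dn_cn_attr_name and is tried in order: with the
    default 'uid,cn', uid wins whenever present and cn is the fallback."""
    pairs = parse_dn(dn)
    for wanted in (name.strip().lower() for name in attr_names.split(",")):
        for attr, value in pairs:
            if attr == wanted and value:
                return value
    return None


# Constructed sample DNs (not from any real directory).
SAMPLE_DNS = [
    "uid=jdoe,ou=people,dc=example,dc=com",        # uid present -> jdoe
    "cn=Jane Doe,ou=people,dc=example,dc=com",     # no uid -> falls back to cn
    "cn=Doe\\, Jane,ou=people,dc=example,dc=com",  # escaped comma kept in cn
]
```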