54.3 Deploying the Access Portal Service

The following topics describe how to configure the environment and deploy Access Portal:

54.3.1 Deploying Java Cryptography Extension Policy Files

If you want to enable unlimited strength jurisdiction policy encryption on your Oracle Access Manager server, you must download the appropriate policy files and place them in the server's Java Runtime Environment.

To deploy Java Cryptography Extension policy files:

  1. Download the latest policy files from one of the following locations, depending on your Java Runtime Environment version:
    • For Java 7: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

    • For Java 6: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

    • For IBM JDK on WebSphere: http://www.ibm.com/developerworks/java/jdk/security/60/

  2. Decompress the downloaded archive and place the US_export_policy.jar and local_policy.jar in $JDK_Home/jre/lib/security/ within the target Java Runtime Environment (replace any existing files when prompted).
  3. Restart the WebLogic Administration Server and the Oracle Access Manager Managed Server.

54.3.2 Identity Store Configuration File

You can apply guidelines to create the idstore.props file that configures the identity keystore for the Access Portal Service.

You pass this file to the IDM Configuration Tool.

See Preparing and Enabling the Access Portal Service on an Oracle Repository.

Oracle Unified Directory Example

# Common
IDSTORE_HOST: IDMHOST1.mycompany.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: OUD_ORACLE_INSTANCE/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD: Password key
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_NEW_SETUP: true
POLICYSTORE_SHARES_IDSTORE: true
# OAM
IDSTORE_OAMADMINUSER:oamadmin
IDSTORE_OAMSOFTWAREUSER:oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# WebLogic
IDSTORE_WLSADMINUSER : weblogic_idm
IDSTORE_WLSADMINGROUP : WLSAdmins

Oracle Internet Directory Example

# Common
IDSTORE_HOST: OIDHOST1.mycompany.com
IDSTORE_PORT: 3060 
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_NEW_SETUP: true
# OAM
IDSTORE_OAMADMINUSER:oamadmin 
IDSTORE_OAMSOFTWAREUSER:oamLDAP 
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com 
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators 
IDSTORE_OIMADMINUSER: oimLDAP 
# WebLogic
IDSTORE_WLSADMINUSER : weblogic_idm
IDSTORE_WLSADMINGROUP : WLSAdmins

Microsoft Active Directory Example

# Common
IDSTORE_HOST: <AD-server-hostname>
IDSTORE_PORT: <AD-server-port>
IDSTORE_DIRECTORYTYPE: ad
IDSTORE_BINDDN: <domain>\Administrator
IDSTORE_PASSWD: <password>
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: cn (or another login attribute)
IDSTORE_USERSEARCHBASE: CN=Users,DC=essodev,DC=idc,DC=local
IDSTORE_SEARCHBASE: DC=essodev,DC=idc,DC=local
IDSTORE_GROUPSEARCHBASE: CN=Users,DC=essodev,DC=idc,DC=local
IDSTORE_SYSTEMIDBASE: CN=Users,DC=essodev,DC=idc,DC=local
IDSTORE_OAMSOFTWAREUSER: oamSoftwareUser
IDSTORE_OAMADMINUSER: oamAdminUser
OAM11G_CREATE_IDSTORE: true
ESSO_IDSTORE_HOST : <AD-server-hostname>
ESSO_IDSTORE_PORT : <AD-server-port>
ESSO_IDSTORE_BINDDN : <domain>\Administrator
ESSO_IDSTORE_TYPE : ad
IS_ESSO_PRESENT : true
ESSO_IDSTORE_PASSWD : <password>

Where:

  • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. Specify the back end directory here, rather than OVD. In the case of OID and OUD, specify, respectively, one of the Oracle Internet Directory or Oracle Unified Directory instances, for example:

    OID: OIDHOST1 and 3060

    OUD: IDMHOST1 and 1389

  • IDSTORE_ADMIN_PORT (LDAP_DIR_ADMIN_PORT) is the administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.

  • IDSTORE_KEYSTORE_FILE is the location of the Oracle Unified Directory Keystore file. It is used to enable communication with Oracle Unified Directory using the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter. This file must be located on the same host that the idmConfigTool command is running on. The command uses this file to authenticate itself with OUD.

  • IDSTORE_KEYSTORE_PASSWORD is the encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. If you are not using Oracle Unified Directory, you can leave out this parameter. This file must be located on the same host that the idmConfigTool command is running on. The command uses this file to authenticate itself with OUD.

  • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

  • IDSTORE_GROUPSEARCHBASE is the location in the directory where Groups are stored.

  • IDSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored.

  • IDSTORE_USERNAMEATTRIBUTE is the name of the directory attribute containing the user's name. Note that this is different from the login name.

  • IDSTORE_LOGINATTRIBUTE is the LDAP attribute that contains the user's login name.

  • IDSTORE_USERSEARCHBASE is the location in the directory where Users are stored.

  • IDSTORE_NEW_SETUP is always set to true for Oracle Unified Directory. If you are not using OUD, you do not need to specify this attribute.

  • POLICYSTORE_SHARES_IDSTORE is set to true for IDM 11g.

  • IDSTORE_OAMADMINUSER is the name of the user you want to create as your Access Manager Administrator.

  • IDSTORE_OAMSOFTWAREUSER is a user created in LDAP that Access Manager uses at run time to connect to the LDAP server.

  • OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group which is used to allow access to the OAM console.

  • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely but one example is the Oracle Identity Manager reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.

  • IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.

  • IDSTORE_OIMADMINUSER is the user that Oracle Identity Manager uses to connect to the Identity store.

  • IDSTORE_WLSADMINUSER is the user name used to log in to the WebLogic domain once it is SSO-enabled.

  • IDSTORE_WLSADMINGROUP is the name of the group to which users who are allowed to log in to the WebLogic system components, such as the WLS Console and EM, belong.

Use OIM entries only if your topology includes Oracle Identity Manager. Use OAM entries only if your topology includes Access Manager.

54.3.3 Oracle Access Manager Configuration File

You can apply guidelines to create the config-oam.props file that configures the Oracle Access Manager instance.

You will pass this file to the IDM Configuration Tool in Preparing and Enabling the Access Portal Service on an Oracle Repository. Note that the Access Portal Service requires the Simple mode security posture. To enable this posture, set the parameters below as follows:

OAM11G_OAM_SERVER_TRANSFER_MODE: simple

OAM_TRANSFER_MODE: simple

Create a properties file called config_oam.props with the following contents:

WLSHOST: ADMINVHN.mycompany.com
WLSPORT: 7001
WLSADMIN: weblogic
WLSPASSWD: Admin Password
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_HOST: IDSTORE.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=oudadmin 
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
PRIMARY_OAM_SERVERS: IDMHOST1.mycompany.com:5575,IDMHOST2.mycompany.com:5575
WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: Webgate_IDM
OAM11G_OIM_WEBGATE_PASSWD: password to be assigned to WebGate
COOKIE_DOMAIN: .mycompany.com
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM11G_IDM_DOMAIN_OHS_HOST: SSO.mycompany.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_SERVER_LBR_HOST: SSO.mycompany.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSFER_MODE: simple
OAM_TRANSFER_MODE: simple
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM11G_SSO_ONLY_FLAG: false
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_IMPERSONATION_FLAG: false 
OAM11G_OIM_INTEGRATION_REQ: false
OAM11G_OIM_OHS_URL:https://SSO.mycompany.com:443
SPLIT_DOMAIN:true

Where:

  • WLSHOST (ADMINVHN) is the host of your administration server. This is the virtual name.

  • WLSPORT is the port of your administration server.

  • WLSADMIN is the WebLogic administrative user you use to log in to the WebLogic console.

  • WLSPASSWD is the WebLogic administrator password.

  • IDSTORE_DIRECTORYTYPE is OUD, OID or OVD.

  • IDSTORE_HOST and IDSTORE_PORT are the host and port of the Identity Store directory when accessed through the load balancer.

  • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

  • IDSTORE_USERSEARCHBASE is the location in the directory where Users are stored.

  • IDSTORE_GROUPSEARCHBASE is the location in the directory where Groups are stored.

  • IDSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored.

  • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where the user oamLDAP is stored.

  • IDSTORE_OAMSOFTWAREUSER is the name of the user account to be used to interact with LDAP.

  • IDSTORE_OAMADMINUSER is the name of the user account that can access your OAM Console.

  • PRIMARY_OAM_SERVERS is a comma separated list of your OAM Servers and the proxy ports they use, for example: IDMHOST1:OAM_PROXY_PORT

    Note:

    To determine the proxy ports your OAM Servers use:

    1. Log in to the Oracle Access Management Console.

    2. Click Configuration in the upper right corner.

    3. Click Server Instances.

    4. Search for the OAM Server, such as WLS_OAM1, and select Open from the Actions menu.

    5. Proxy port is the value shown as Port.

  • ACCESS_GATE_ID is the name you want to assign to the WebGate.

  • OAM11G_OIM_WEBGATE_PASSWD is the password to be assigned to the WebGate.

  • OAM11G_IDM_DOMAIN_OHS_HOST is the name of the load balancer that is in front of the Oracle HTTP Server instances.

  • OAM11G_IDM_DOMAIN_OHS_PORT is the port that the load balancer listens on (HTTP_SSL_PORT).

  • OAM11G_IDM_DOMAIN_OHS_PROTOCOL is the protocol to use when directing requests at the load balancer.

  • OAM11G_WG_DENY_ON_NOT_PROTECTED, when set to false, allows login pages to be displayed. It should be set to true when using webgate11g.

  • OAM_TRANSFER_MODE is the security model that the Oracle Access Manager Servers function in. Valid values are simple and open. If you use the simple mode, you must define a global passphrase.

  • OAM11G_OAM_SERVER_TRANSFER_MODE is the security model that the OAM Servers function in.

  • OAM11G_IDM_DOMAIN_LOGOUT_URLS is set to the various logout URLs.

  • OAM11G_SSO_ONLY_FLAG configures Access Manager for authentication-only mode or normal mode, which supports authentication and authorization.

    If OAM11G_SSO_ONLY_FLAG is true, the OAM Server operates in authentication only mode, where all authorizations return true by default without any policy validations. In this mode, the server does not have the overhead of authorization handling. This is recommended for applications which do not depend on authorization policies and need only the authentication feature of the OAM Server.

    If the value is false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the OAM Server. WebGate allows the access to the requested resources or not, based on the responses from the OAM Server.

  • OAM11G_IMPERSONATION_FLAG is set to true if you are configuring OAM Impersonation.

  • OAM11G_SERVER_LBR_HOST is the name of the load balancer fronting your site. This and the following two parameters are used to construct your login URL.

  • OAM11G_SERVER_LBR_PORT is the port that the load balancer is listening on (HTTP_SSL_PORT).

  • OAM11G_SERVER_LBR_PROTOCOL is the URL prefix to use.

  • OAM11G_OIM_INTEGRATION_REQ should be set to true if you are building a topology which contains both OAM and OIM. Otherwise set to false at this point. This value is only set to true when performing Access Manager/Oracle Identity Manager integration and is set during the integration phase.

  • OAM11G_OIM_OHS_URL should be set to the URL of your load balancer. This parameter is only required if your topology contains OAM and OIM.

  • COOKIE_DOMAIN is the domain in which the WebGate functions.

  • WEBGATE_TYPE is the type of WebGate agent you want to create.

  • OAM11G_IDSTORE_NAME is the Identity Store name. If you already have an Identity Store in place which you wish to reuse (rather than allowing the tool to create a new one for you), then set the value of this parameter to the name of the Identity Store you wish to reuse.

  • OAM11G_SERVER_LOGIN_ATTRIBUTE when set to uid, ensures that when users log in, their username is validated against the uid attribute in LDAP.

  • SPLIT_DOMAIN should be set to true if you are creating a domain with just OAM, or with OAM located in a different domain from OIM (Split Domain). Otherwise, it is not necessary to specify this parameter.
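Because idmConfigTool consumes both idstore.props (Identity Store Configuration File, above) and config_oam.props (this section) without much validation, it pays to lint them before running the tool. The following Python script is an added example, not part of the Oracle documentation or of idmConfigTool: it parses the "KEY: value" format shown in both sections and checks the constraints the text states (OUD-only keys, OIM keys only with OIM in the topology, both transfer modes set to simple, deny-on-not-protected for an 11g WebGate, host:port entries in PRIMARY_OAM_SERVERS) and flags keys that hold plaintext secrets so the file can be permission-restricted and removed after use. The two sample files at the bottom are constructed, and the required-key lists are the example's own reading of the parameter notes.

```python
"""Lint idstore.props and config_oam.props before passing them to idmConfigTool.

Added example: not part of the Oracle documentation or of idmConfigTool.
Parses the "KEY: value" format shown above and checks the constraints the
text states; the two sample files at the bottom are constructed.
"""
import re
from typing import Dict, List

_LINE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")  # "KEY: value" or "KEY : value"


def parse_props(text: str) -> Dict[str, str]:
    """Parse the property format into a dict; '#' starts a comment, last key wins."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        props[m.group(1)] = m.group(2)
    return props


IDSTORE_COMMON = ["IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
                  "IDSTORE_SEARCHBASE", "IDSTORE_USERSEARCHBASE",
                  "IDSTORE_GROUPSEARCHBASE", "IDSTORE_USERNAMEATTRIBUTE",
                  "IDSTORE_LOGINATTRIBUTE"]
# OUD only: the admin port and keystore let idmConfigTool authenticate to OUD.
IDSTORE_OUD_ONLY = ["IDSTORE_ADMIN_PORT", "IDSTORE_KEYSTORE_FILE",
                    "IDSTORE_KEYSTORE_PASSWORD", "IDSTORE_NEW_SETUP"]
IDSTORE_OAM = ["IDSTORE_OAMADMINUSER", "IDSTORE_OAMSOFTWAREUSER",
               "OAM11G_IDSTORE_ROLE_SECURITY_ADMIN"]
IDSTORE_OIM = ["IDSTORE_OIMADMINGROUP", "IDSTORE_OIMADMINUSER"]
# Keys whose values are secrets: restrict the file's permissions and remove it after use.
SECRET_KEYS = ["IDSTORE_PASSWD", "ESSO_IDSTORE_PASSWD", "WLSPASSWD",
               "OAM11G_OIM_WEBGATE_PASSWD"]


def lint_idstore(props: Dict[str, str], directory: str,
                 oam: bool = True, oim: bool = False) -> List[str]:
    """Findings for idstore.props; directory is 'OUD', 'OID' or 'AD'."""
    required = list(IDSTORE_COMMON)
    if directory == "OUD":
        required += IDSTORE_OUD_ONLY
    if oam:
        required += IDSTORE_OAM
    findings = [f"missing {k}" for k in required if k not in props]
    if not oim:
        findings += [f"{k} is only needed when the topology includes OIM"
                     for k in IDSTORE_OIM if k in props]
    if directory == "OUD" and props.get("IDSTORE_NEW_SETUP", "true") != "true":
        findings.append("IDSTORE_NEW_SETUP must be true for OUD")
    findings += [f"{k} holds a plaintext secret" for k in SECRET_KEYS if k in props]
    return findings


def lint_config_oam(props: Dict[str, str]) -> List[str]:
    """Findings for config_oam.props, following the parameter notes above."""
    findings = []
    for k in ("OAM_TRANSFER_MODE", "OAM11G_OAM_SERVER_TRANSFER_MODE"):
        if props.get(k) != "simple":  # the Access Portal Service requires Simple mode
            findings.append(f"{k} must be 'simple' for the Access Portal Service")
    if "11g" in props.get("WEBGATE_TYPE", "").lower() \
            and props.get("OAM11G_WG_DENY_ON_NOT_PROTECTED") != "true":
        findings.append("OAM11G_WG_DENY_ON_NOT_PROTECTED should be true with an 11g WebGate")
    for entry in props.get("PRIMARY_OAM_SERVERS", "").split(","):
        host, _, port = entry.strip().rpartition(":")
        if not host or not port.isdigit():
            findings.append(f"PRIMARY_OAM_SERVERS entry {entry.strip()!r} is not host:port")
    if props.get("OAM11G_OIM_INTEGRATION_REQ") == "true" and "OAM11G_OIM_OHS_URL" not in props:
        findings.append("OAM11G_OIM_OHS_URL is required when OIM integration is requested")
    for k in ("OAM11G_SERVER_LBR_PROTOCOL", "OAM11G_IDM_DOMAIN_OHS_PROTOCOL"):
        if props.get(k, "").lower() != "https":  # the login URL is built from these
            findings.append(f"{k} is not https, so the login URL is not protected by TLS")
    findings += [f"{k} holds a plaintext secret" for k in SECRET_KEYS if k in props]
    return findings


# Constructed sample: an OUD idstore.props that omits the admin port and keystore entries.
SAMPLE_IDSTORE = """\
# Common
IDSTORE_HOST: IDMHOST1.mycompany.com
IDSTORE_PORT: 1389
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_NEW_SETUP: true
# OAM
IDSTORE_OAMADMINUSER:oamadmin
IDSTORE_OAMSOFTWAREUSER:oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
IDSTORE_WLSADMINUSER : weblogic_idm
"""

# Constructed sample: config_oam.props with one transfer mode left at 'open'.
SAMPLE_CONFIG_OAM = """\
WLSHOST: ADMINVHN.mycompany.com
WLSPASSWD: Admin Password
PRIMARY_OAM_SERVERS: IDMHOST1.mycompany.com:5575,IDMHOST2.mycompany.com
WEBGATE_TYPE: ohsWebgate11g
OAM11G_WG_DENY_ON_NOT_PROTECTED: false
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_SERVER_LBR_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSFER_MODE: simple
OAM_TRANSFER_MODE: open
OAM11G_OIM_INTEGRATION_REQ: false
"""

if __name__ == "__main__":
    for name, findings in (
        ("idstore.props", lint_idstore(parse_props(SAMPLE_IDSTORE), "OUD")),
        ("config_oam.props", lint_config_oam(parse_props(SAMPLE_CONFIG_OAM))),
    ):
        print(name + ":", *findings, sep="\n  ")
```

Run it against your real files with `parse_props(open(path).read())`; an empty findings list means the checks the page states are satisfied, not that idmConfigTool will succeed, since connectivity and credentials are only verified when the tool runs.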

54.3.4 Understanding the Access Portal Service Repository Objects

The vGOLocator object is required for all repositories, and the value of its vGOLocatorAttribute attribute specifies the path to the People container in which the Access Portal Service stores application credentials for each user.

The vGOLocator object must point to the same data store instance as the Oracle Access Manager instance on which the Access Portal Service is deployed.

For Oracle LDAP directories, the following applies:

  • If there is a single object under the vGOLocator container, its vGOLocatorAttribute value is parsed regardless of the object's name.

  • If there are multiple objects under the vGOLocator container, the object named default is parsed. If no object named default exists, the request will fail.

  • If the vGOLocatorAttribute attribute has no value or does not exist, or if the vGOLocator container does not exist, the request will fail.

When using Microsoft Active Directory, the Access Portal Service stores application credentials under the Users container as described below:

  • If there is a single object under the vGOLocator container, its vGOLocatorAttribute value is parsed regardless of the object's name.

  • If there are multiple objects under the vGOLocator container, the object named default is parsed. If no object named default exists, the data will be stored within the Users container.

  • If the vGOLocatorAttribute attribute has no value or does not exist, or if the vGOLocator container does not exist, the data will be stored within the Users container.
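The two rule sets above differ only in what happens when resolution fails: Oracle directories reject the request, Active Directory silently falls back to the Users container. The following Python function is an added example, not Oracle code, that models the resolution so the failure modes can be checked against a repository layout before deployment; the objects under vGOLocator are represented as a dict of object name to vGOLocatorAttribute value, and the DNs in the usage are constructed.

```python
"""Model how the Access Portal Service resolves the People container path from
the vGOLocator container. Added example, not Oracle code; the rules are the
ones stated above for Oracle directories and for Active Directory."""
from typing import Dict, Optional

# Where AD puts credentials when the locator cannot be resolved.
AD_FALLBACK = "Users container"


class LocatorError(Exception):
    """Raised when an Oracle LDAP repository cannot resolve the locator."""


def resolve_people_path(container: Optional[Dict[str, Optional[str]]],
                        directory: str) -> str:
    """Return the People-container path from the locator objects.

    container: name -> vGOLocatorAttribute value (None if the attribute is absent);
               None means the vGOLocator container itself does not exist.
    directory: 'OUD', 'OID' (request fails) or 'AD' (falls back to Users).
    """
    is_ad = directory.upper() == "AD"

    def fail(reason: str) -> str:
        if is_ad:
            return AD_FALLBACK
        raise LocatorError(reason)

    if container is None:
        return fail("vGOLocator container does not exist")
    if not container:
        return fail("vGOLocator container is empty")
    if len(container) == 1:
        # A single object is parsed regardless of its name.
        (value,) = container.values()
    elif "default" in container:
        # With several objects only the one named 'default' is consulted.
        value = container["default"]
    else:
        return fail("multiple locator objects but none named 'default'")
    if not value:
        return fail("vGOLocatorAttribute has no value or does not exist")
    return value


if __name__ == "__main__":
    # Constructed layouts: one healthy, one that AD tolerates but OUD rejects.
    print(resolve_people_path({"default": "ou=People,dc=mycompany,dc=com"}, "OUD"))
    print(resolve_people_path({"site1": "x", "site2": "y"}, "AD"))
```

The AD fallback is the case to watch in a review: a misnamed or attribute-less locator object produces no error, only credentials landing under the Users container, so verify the resolved path explicitly rather than inferring it from the absence of failures.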

You must explicitly enable the storage of user credentials under respective user objects using the Oracle Enterprise Single Sign-On Suite Administrative Console. This makes the following changes to the repository:

  • The User class is added as a possible superior to the vGOUserData class.

  • All users are granted the right to create vGOUserData objects. These rights are granted at the directory root and are recursively inherited down to the user objects.

54.3.5 Preparing and Enabling the Access Portal Service on an Oracle Repository

You can prepare and enable the Access Portal Service on an Oracle Repository.

Before completing this procedure, make sure you have created the required configuration files as described in Identity Store Configuration File and Oracle Access Manager Configuration File.

The idmConfigTool is located at:

IAM_ORACLE_HOME/idmtools/bin

Note:

When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

IAM_ORACLE_HOME/idmtools/bin

The syntax of the command on Linux is:

idmConfigTool.sh -configOAM input_file=configfile 

For example:

idmConfigTool.sh -configOAM input_file=config_oam1.props

When the command runs you are prompted to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the passwords you want to assign to these accounts:

  • IDSTORE_PWD_OAMSOFTWAREUSER

  • IDSTORE_PWD_OAMADMINUSER

  1. On the machine running your target Oracle Access Manager instance, change into the following directory:

    /Oracle/Middleware/Oracle_IDM1/idmtools/bin

  2. Set the following environment variables:

    setenv ORACLE_HOME /Oracle/Middleware/Oracle_IDM1

    setenv MW_HOME /Oracle/Middleware

    setenv JAVA_HOME JDKPath

    (where JDKPath is the full path to the Java Development Kit used by the Oracle Access Manager instance)

  3. Pre-configure the identity store to extend the directory schema with the required object classes by running the following command:

    ./idmConfigTool.sh -preConfigIDStore input_file=idstore.props

    where idstore.props is a property file containing configuration parameters specific to your environment. For information on assembling this file, see Identity Store Configuration File.

  4. Create the required users and groups by running the following command:

    ./idmConfigTool.sh -prepareIDStore mode=all input_file=idstore.props

    where idstore.props is a property file containing configuration parameters specific to your environment. For information on assembling this file, see Identity Store Configuration File.

    This command does the following:

  5. Create and configure the required Webgate profile by running the following command:

    ./idmConfigTool.sh -configOAM input_file=config_oam.props

    where config_oam.props is a property file containing configuration parameters specific to your environment. For information on assembling this file, see Oracle Access Manager Configuration File.

  6. Add conditions to the Admin role in the Security Realm as follows:

    1. Log in to the WebLogic Administration Server Console.

    2. In the left pane of the console, click Security Realms.

    3. On the "Summary of Security Realms" page, click myrealm under the Realms table.

    4. On the "Settings" page for myrealm, click the Roles & Policies tab.

    5. On the "Realm Roles" page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles.

    6. Click the Roles link to go to the Global Roles page.

    7. On the "Global Roles" page, click the Admin role to go to the Edit Global Role page:

    8. On the "Edit Global Roles" page, under Role Conditions, click Add Conditions.

    9. On the "Choose a Predicate" page, select Group from the predicates list and click Next.

    10. On the Edit Arguments Page, specify OAMAdministrators in the Group Argument field and click Add.

    11. Click Finish to return to the "Edit Global Role" page.

      The Role Conditions now show the OAMAdministrators Group as an entry.

    12. Click Save to finish adding the Admin role to the OAMAdministrators Group.

  7. Check the log file for any errors or warnings and correct them. A file named automation.log is created in the directory where you run the tool.

  8. Restart the WebLogic Administration Server.

  9. Enable the Access Portal Service:

    1. Log on to the Oracle Access Manager Console.

    2. Select the Launch Pad tab.

    3. In the Configuration section, click Available Services.

    4. In the screen that appears, click Enable next to Access Portal Service.

Note:

After you run idmConfigTool, several files are created that you need for subsequent tasks. Keep these in a safe location.

Two 11g WebGate profiles are created: Webgate_IDM, which is used for intercomponent communication and Webgate_IDM_11g, which is used by 11g Webgates.

The following files exist in the directory ASERVER_HOME/output/Webgate_IDM_11g. You need these when you install the WebGate software.

  • cwallet.sso

  • ObAccessClient.xml

  • password.xml

Additionally, you need the files aaa_cert.pem and aaa_key.pem, which are located in the directory ASERVER_HOME/output/Webgate_IDM.

54.3.6 Preparing and Enabling the Access Portal Service on Microsoft Active Directory

You can prepare and enable the Access Portal Service on Microsoft Active Directory.

The following LDIF file is required to extend the Active Directory schema with Access Portal Service classes and attributes:

<ORACLE_HOME>/idmtools/templates/ad/esso_schema_extn.ldif

The file is a template file. Before you can proceed, you need to modify the values, such as domain names and paths to match the target environment.

To prepare and enable the Access Portal Service with Microsoft Active Directory:

  1. Extend the Active Directory schema by running the following command on the server machine hosting the repository:

    ldifde -i -f esso_schema_extn.ldif

    Upon completion, a message will confirm that importing data was successful:

  2. Use the ADSIEdit tool to create containers named CO, People, and vGoLocator under the repository root.

  3. Under the vGoLocator container, create an object named default of class vGoLocatorClass and set its attribute value to the DN of the container that holds the People container. For more information, see Understanding the Access Portal Service Repository Objects.

  4. Enable the storage of user credentials under user objects:

    1. Launch the Oracle Enterprise Single Sign-On Suite Administrative Console and connect to the target repository.

    2. In the Console, select Enable Storing Credentials Under User Object (AD Only) from the Repository menu.

    3. The Console displays a dialog informing you of the changes about to be made to your Active Directory schema. Click OK.

    4. Wait for a dialog confirming the changes to appear, then click OK to dismiss it.

    Note:

    Members of protected groups (i.e., users whose ACLs are governed by the AdminSDHolder object) will not be able to store credentials under their user objects until the AdminSDHolder ACL is updated with permissions required by this feature. See the guide Deploying Logon Manager with a Directory-Based Repository for instructions on how to remedy this issue.

  5. Create the users in Active Directory if necessary.

  6. Create a user data store:

    1. Log on to the Oracle Access Manager console and click Configuration at the top of the page.

    2. Click User Identity Stores.

    3. In the screen that appears, click Create under OAM ID Stores.

    4. In the dialog that appears, fill in the following required values, leaving the rest at their defaults:

      Field                 Value
      Store Name            ESSOAuthnStore
      Store Type            Microsoft Active Directory
      Location              ad-server-hostname:port
      Bind DN               domain\username
      Password              password
      Login ID Attribute    cn
      User Search Base      Fully qualified DN of the Users container
      Object Search Base    Fully qualified DN of the Groups container

  7. Test the connection and correct any errors if necessary, then click Apply.

  8. Update the LDAP authentication module:

    1. Log on to the Oracle Access Manager console.

    2. In the Plugins section, click Authentication Plug-ins.

    3. In the Access Manager section, click Authentication Modules.

    4. In the screen that appears, click Search.

    5. In the list of search results, select the LDAPPlugin module.

    6. In the Steps tab, select the stepUI step.

    7. In the KEY_IDENTITY_STORE_REF field, enter the name of the user data store you created in step 5 of this procedure.

    8. Repeat the above for the stepUA step.

    9. Click Save to save your changes.

  9. Create the identity data store (IDS) profile in Oracle Access Manager:

    1. Log on to the Oracle Access Manager console.

    2. Click Configuration at the top of the page.

    3. Click User Identity Stores.

    4. In the IDS Profile section, click Create Form Fill Application IDS Profile.

    5. In the form that appears, fill in the fields as follows:

      Field                     Value
      Name                      meaningful profile name
      Description               meaningful profile description
      Repository Options        Create New
      Repository Name           meaningful repository name
      Directory Type            Microsoft Active Directory
      Host name                 Active Directory server host name
      Port                      Active Directory server port
      Bind DN                   domain/user name of repository account
      Bind password             password of repository account
      Base DN                   fully qualified DN of the repository root
      User search base          fully qualified DN of the Users container
      App template search base  fully qualified DN of the CO (ESSO policy data) container
      Top search base           fully qualified DN of the repository root

    6. Test the connection, then click Apply.

  10. Configure the relational mapping of users and groups:

    1. Edit the IDS profile you just created.

    2. Select the Entity Attributes tab.

    3. Add the following new attributes, one at a time (adding multiple attributes at once is not supported):

      member, memberOf, distinguishedName

    4. Select the Entities tab.

    5. Under Users, enable the member, memberOf, and distinguishedName entity attributes.

    6. Set the User Base, Group Base, Search Base, and Create Base entities to the fully qualified DNs of the respective containers in the repository.

    7. Repeat steps 5 and 6 in the Groups section of the form.

    8. Select the Relationships tab.

    9. Configure the entity relationships as shown in the following illustration:

      [Figure: entity_attribute_relationship1]

      This makes the following changes in the file DOMAIN_HOME/config/fmwconfig/ids-config.xml:

      [Figure: entity_attribute_relationship2]

      [Figure: entity_attribute_relationship3]

      [Figure: entity_attribute_relationship4]

  11. Enable the IDS profile:

    1. Select the Launch Pad tab in the Admin console window.

    2. At the top of the page, click Configuration.

    3. In the Settings section, select Access Portal Service from the View drop-down list.

    4. In the screen that appears, select the IDS profile you created earlier from the IDS Profile drop-down list.

    5. Click Apply.

  12. Add the Active Directory schema XML definition file to the IDS server configuration file:

    1. Open the following file in a text editor:

      DOMAIN_HOME/config/fmwconfig/ovd/ids/server.os_xml

    2. Locate the <schema check="true"> section and add the following line inside it:

      <location>schema.ms.xml</location>

    3. Save and close the file.

    4. Restart the managed server instance to apply your changes.

54.3.7 (Active Directory Only) Deploying the OAMAgent Web Application

The OAMAgent web application provides the means to configure Access Control Lists within an Active Directory-based Access Portal Service repository via a web interface running on Microsoft Internet Information Server.

To deploy the OAMAgent web application, do the following:

  1. Extract the OAMAgent.zip file (available in the Logon Manager folder of the Enterprise Single Sign-On Suite ZIP archive) into a directory.

  2. Using the IIS Manager application, create a new IIS web site; when prompted, in the Physical Path field, enter the full path to the directory into which you extracted the OAMAgent.zip archive.

  3. Edit the newly created web application's Web.config file as follows:

    1. Add the following to the system.webServer section:

      <configuration>
        <system.webServer>
          <httpHandlers>
            <add type="ColumbiaWindowsAgent.Rest.AgentAcl, OAMAgent" path="ColumbiaWindowsAgent/V1/AgentAcl" verb="POST"/>
          </httpHandlers>
        </system.webServer>
      </configuration>

    2. Add the following to the system.web section:

      <compilation targetFramework="4.0">
        <assemblies>
          <add assembly="Interop.ActiveDs, Version=1.0.0.0, Culture=neutral"/>
        </assemblies>
      </compilation>

    3. Save and close the file.

  4. In the IIS Manager application, navigate to IIS Manager > Target Site > .NET Compilation > Assemblies and ensure that the new assembly appears in the list of assemblies (i.e., that the Interop.ActiveDs.dll file appears in the web root directory).

  5. Create a new handler mapping:

    1. In the IIS Manager application, navigate to IIS Manager > Target Site > Handler Mappings and click Add Managed Handler in the right-hand pane.

    2. In the dialog that appears, fill in the fields as follows and save your changes:

      Field   Value
      Path    ColumbiaWindowsAgent/V1/AgentAcl
      Type    ColumbiaWindowsAgent.Rest.AgentAcl, OAMAgent
      Name    OAMAgent

  6. Enable 32-bit application support:

    1. In the IIS Manager application, navigate to IIS Manager > Application Pools.

    2. Right-click the target site and select Advanced Settings from the context menu.

    3. Set the Enable 32-bit Applications option to True and save your changes.

  7. Make the following site configuration changes:

    1. In the IIS Manager application, navigate to IIS Manager > Application Pools.

    2. Select the target site.

    3. Set the .NET Version to 4.0.

    4. Set the Identity option to LocalSystem.

    5. Save your changes.

  8. In the IIS Manager application, select the host machine, click Server Certificates, and click Import a Certificate, and provide the path to a root CA certificate trusted by both the IIS server running the OAMAgent web application as well as the server running the target Access Portal Service instance.

    Additionally, the Access Portal Service server must have a certificate signed by that CA in its keystore. That CA must also be present in the server's cacert file (trust store).

  9. Create an HTTPS binding using the newly installed certificate:

    1. In the IIS Manager application, right-click the target site and select Edit Bindings from the context menu.

    2. Click Add New Site Binding.

    3. Select https from the Type drop-down list.

    4. Select the certificate you imported in step 8.

    5. Click Close.

  10. Enable SSL for the target site:

    1. In the IIS Manager application, select the target site.

    2. Click SSL Settings.

    3. Select the Require SSL check box.

    4. Select the Require client certificates check box.

    5. Click Apply in the right-hand pane.

  11. Add the following to the oam-config.xml file on the Access Portal Service server instance, then restart the instance to apply your changes:

     <Setting Name="RestServicePath" Type="xsd:string">ColumbiaWindowsAgent/V1/AgentAcl</Setting>
     <Setting Name="IPAddress" Type="xsd:string">iis-server-hostname</Setting>
     <Setting Name="Protocol" Type="xsd:string">https</Setting>
     <Setting Name="Port" Type="xsd:string">iis-server-port</Setting>
     <Setting Name="Version" Type="xsd:string">1</Setting>
     <Setting Name="ADPath" Type="xsd:string">AD-server-hostname:port</Setting>
    
  12. Add the following keystore parameters to the managed server's startup script JAVA_OPTIONS line:

    -Djavax.net.ssl.keyStore=keystore-location

    -Djavax.net.ssl.keyStorePassword=keystore-password

54.3.8 Setting the Policy Cache Refresh Interval

When using the Oracle Enterprise Single Sign-On Administrative Console to create and modify Access Portal Service application policies, the Access Portal Service must periodically fetch the modified policies from the repository to keep the policy cache up to date. By default, the cache refresh interval is set to -1 (never refresh).

A value of 0 disables the policy cache and causes every request to retrieve the corresponding policy from the repository.

To set a custom policy cache refresh interval:

  1. Open the following file in a text editor:

    OAMDomainHome/config/fmwconfig/oam-config.xml

  2. Locate the following setting string (or add it if it does not already exist).

    TimeToLive is set under the ESSOConfig section of the oam-config.xml file.

    <Setting Name="TimeToLive" Type="xsd:long">-1</Setting>

  3. Change the default value (-1) to the desired number of minutes.
  4. Increment the file's version.
  5. Save and close the file.
  6. Restart both the administration server and the managed server to apply the new settings.
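The following Python script is an added example, not Oracle's code: it applies steps 2 to 4 above programmatically (locate or create TimeToLive under ESSOConfig, set the value, increment the file version) against a constructed oam-config.xml excerpt, and it also validates the AgentAcl REST settings added in step 11 of the IIS procedure above, flagging a Protocol that does not match the Require SSL setting on the IIS site. The element nesting in the sample, the WindowsAgent map name and the sample values are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt standing in for oam-config.xml. The nesting used here
# (a top-level Version setting, TimeToLive under an ESSOConfig map, the
# AgentAcl REST settings in a sibling map named WindowsAgent) is an
# assumption made for this example, not a copy of a real file.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="Version" Type="xsd:integer">41</Setting>
  <Setting Name="ESSOConfig" Type="htf:map">
    <Setting Name="TimeToLive" Type="xsd:long">-1</Setting>
    <Setting Name="WindowsAgent" Type="htf:map">
      <Setting Name="RestServicePath" Type="xsd:string">ColumbiaWindowsAgent/V1/AgentAcl</Setting>
      <Setting Name="IPAddress" Type="xsd:string">iis-server-hostname</Setting>
      <Setting Name="Protocol" Type="xsd:string">http</Setting>
      <Setting Name="Port" Type="xsd:string">443</Setting>
      <Setting Name="Version" Type="xsd:string">1</Setting>
      <Setting Name="ADPath" Type="xsd:string">AD-server-hostname:389</Setting>
    </Setting>
  </Setting>
</Configuration>
"""


def _setting(parent, name):
    """Return the direct child <Setting Name="..."> of parent, or None."""
    for child in parent.findall("Setting"):
        if child.get("Name") == name:
            return child
    return None


def set_policy_cache_ttl(xml_text, minutes):
    """Set ESSOConfig/TimeToLive (creating it if absent) and increment the
    file's Version, as steps 2 to 4 of the procedure require.
    Returns (updated_xml, new_version)."""
    if minutes < -1:
        raise ValueError("TimeToLive must be -1 (never refresh), 0 (no cache) or a positive minute count")
    root = ET.fromstring(xml_text)
    esso = _setting(root, "ESSOConfig")
    if esso is None:
        esso = ET.SubElement(root, "Setting", Name="ESSOConfig", Type="htf:map")
    ttl = _setting(esso, "TimeToLive")
    if ttl is None:
        ttl = ET.SubElement(esso, "Setting", Name="TimeToLive", Type="xsd:long")
    ttl.text = str(minutes)
    version = _setting(root, "Version")
    if version is None:
        raise ValueError("top-level Version setting not found; refusing to edit")
    new_version = int(version.text) + 1
    version.text = str(new_version)
    return ET.tostring(root, encoding="unicode"), new_version


def check_agent_acl_settings(xml_text):
    """Validate the AgentAcl REST settings (the block added in step 11 of the
    IIS procedure). Returns a list of findings; an empty list means the block
    is consistent with an IIS site that requires SSL and client certificates."""
    root = ET.fromstring(xml_text)
    container = next((s for s in root.iter("Setting")
                      if _setting(s, "RestServicePath") is not None), None)
    if container is None:
        return ["AgentAcl settings block not found"]
    values = {s.get("Name"): (s.text or "").strip() for s in container.findall("Setting")}
    findings = []
    for name in ("RestServicePath", "IPAddress", "Protocol", "Port", "Version", "ADPath"):
        if not values.get(name):
            findings.append(f"{name} is missing or empty")
    if values.get("Protocol", "").lower() != "https":
        findings.append("Protocol must be https to match the IIS site's Require SSL setting")
    if not values.get("Port", "").isdigit():
        findings.append("Port must be a number")
    if ":" not in values.get("ADPath", ""):
        findings.append("ADPath must be AD-server-hostname:port")
    if values.get("RestServicePath") != "ColumbiaWindowsAgent/V1/AgentAcl":
        findings.append("RestServicePath does not match the IIS application path")
    return findings


if __name__ == "__main__":
    updated, version = set_policy_cache_ttl(SAMPLE_OAM_CONFIG, 15)
    print(f"new file version: {version}")
    for finding in check_agent_acl_settings(updated):
        print(f"finding: {finding}")
```

Run it against a copy of the real file, never in place, and diff the result before restarting the servers; the script refuses to edit a file whose top-level Version it cannot find, so the increment the procedure depends on is never skipped.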

54.3.9 About Integrating with Oracle Privileged Account Manager

When you integrate with Oracle Privileged Account Manager, you need to be aware of the Privileged Account Manager templates and the Privileged Account Manager server URL.

Note the following:

  • Only Oracle Privileged Account Manager templates of type "Privileged" are supported. Templates of type "Delegated" are not supported when created on the server side; creating such a template will result in unpredictable behavior.

  • You must specify the Oracle Privileged Account Manager server URL in the Access Portal Service settings in the target Oracle Access Manager server instance.

54.3.9.1 Installing Oracle Privileged Account Manager Certificates

You must import the certificates into the identity keystore of the application server running the Oracle Access Manager instance.

This procedure is currently only available for WebLogic; do not perform it on other application servers.

Note:

The listCred command in OPSS has been deprecated in this release; keystore passwords must now be retrieved programmatically.

To install the Oracle Privileged Account Manager certificates:

  1. Obtain the location and name of the identity keystore by examining the value of the following environment variables in the WebLogic console (where OAMServerName is the name of the target Oracle Access Manager instance):

    environment-servers-OAMServerName-keystores

    environment-servers-OAMServerName-ssl

  2. Import the certificate into the identity keystore using the following command:

    keytool -importcert -alias CertificateAlias -file CertificateName.crt -keystore ./IdentityStoreName.jks -storepass IdentityStorePassword

    where CertificateAlias is a meaningful alias you want to assign to the certificate for identification, CertificateName is the name of the certificate file, IdentityStoreName is the name of the target identity store and IdentityStorePassword is the password for that identity store.

  3. Obtain the location and name of the CA certificate by examining the value of the following environment variable via the WebLogic console:

    environment-servers-oam_server1-keystores

  4. Import the CA certificate into the identity keystore using the following command:

    keytool -importcert -alias CertificateAlias -file CertificateName.der -keystore ./cacerts -storepass IdentityStorePassword

    where CertificateAlias is a meaningful alias you want to assign to the certificate for identification, CertificateName is the name of the certificate file, and IdentityStorePassword is the password for the cacerts keystore.

  5. Export the target Oracle Access Manager domain's private key certificate (used for generating the SAML assertion) using the following command:

    keytool -export -alias orakey -file orakey.der -keystore ./IdentityStoreName.jks -storepass IdentityStorePassword

    where IdentityStoreName is the name of the target identity store and IdentityStorePassword is the password for that identity keystore.

    Note:

    If a keystore type is not explicitly specified in the embedded trust provider configuration section of the following file:

    OAMDomainHome/config/fmwconfig/jps-config.xml

    then the Oracle Key Store Service keystore type is assumed.

    If no application stripe name is specified for that KSS keystore, the service defaults to the following location:

    OAMDomainHome/config/fmwconfig/default-keystore.jks

  6. Change to the following directory:

    OPAMDomainHome/config/fmwconfig

  7. Import the target Oracle Access Manager domain's private key certificate (orakey.der, exported in step 5) into the target Oracle Privileged Account Manager domain using the following command:

    keytool -importcert -alias orakey -file orakey.der -keystore ./IdentityStoreName.jks -storepass IdentityStorePassword

    where IdentityStoreName is the name of the target identity store and IdentityStorePassword is the password for that identity keystore.

  8. Restart the affected Oracle Access Manager instance and the affected Oracle Privileged Account Manager instance.
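Each keytool -importcert in steps 2, 4 and 7 adds a trust anchor or an identity to a keystore, so the file being imported should be checked against the SHA-256 fingerprint obtained out of band (for example from the administrator of the other domain) before keytool is run. The following Python script is an added example, not part of Oracle's tooling: it normalises PEM or DER input to the DER bytes that keytool -printcert hashes, computes the fingerprint in keytool's format, and invokes keytool only on a match. The certificate bytes, the alias, the keystore name and the password it uses are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os
import ssl
import subprocess
import tempfile

# Constructed stand-in for a certificate file. These bytes are not a real
# X.509 certificate; fingerprinting only needs the raw DER bytes, so any
# byte string demonstrates the check.
CONSTRUCTED_DER = bytes(range(256)) * 2
CONSTRUCTED_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(CONSTRUCTED_DER)
                   + b"-----END CERTIFICATE-----\n")


def load_certificate_der(data):
    """Return the DER bytes of a certificate given either PEM or DER input.
    keytool -printcert and openssl both hash the DER encoding, so a PEM
    file (.crt) is decoded first and a .der file is used as is."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(data.strip().decode("ascii"))
    return data


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint, as keytool prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_matches(der, expected):
    """Compare in constant time; the expected value may be given with or
    without colons and in either case."""
    def canonical(s):
        return s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(canonical(sha256_fingerprint(der)), canonical(expected))


def keytool_import_argv(alias, cert_file, keystore, storepass):
    """The page's keytool -importcert invocation as an argv list (no shell
    quoting). -noprompt is added because the fingerprint has already been
    verified, so keytool's interactive trust prompt is not needed."""
    return ["keytool", "-importcert", "-noprompt", "-alias", alias, "-file", cert_file,
            "-keystore", keystore, "-storepass", storepass]


def import_if_pinned(alias, cert_path, keystore, storepass, expected_fingerprint, dry_run=False):
    """Import cert_path into keystore only if its SHA-256 fingerprint equals the
    value obtained out of band. Raises ValueError on a mismatch and returns
    the argv used otherwise."""
    with open(cert_path, "rb") as fh:
        der = load_certificate_der(fh.read())
    if not fingerprint_matches(der, expected_fingerprint):
        raise ValueError(f"fingerprint mismatch for {cert_path}: got {sha256_fingerprint(der)}")
    argv = keytool_import_argv(alias, cert_path, keystore, storepass)
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


def demo(expected_fingerprint=None):
    """Write the constructed PEM to a temporary file and perform a dry-run
    pinned import. Returns the keytool argv on a match and an empty list on
    a mismatch. The alias, keystore name and password are placeholders."""
    fd, path = tempfile.mkstemp(suffix=".crt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(CONSTRUCTED_PEM)
    try:
        expected = expected_fingerprint or sha256_fingerprint(CONSTRUCTED_DER)
        return import_if_pinned("CertificateAlias", path, "./IdentityStoreName.jks",
                                "IdentityStorePassword", expected, dry_run=True)
    except ValueError:
        return []
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("expected fingerprint:", sha256_fingerprint(CONSTRUCTED_DER))
    print("would run:", " ".join(demo()))
```

With dry_run=False the same call performs the import for real; pass the fingerprint the other domain's administrator gave you, never one you computed from the file you are about to import.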

54.3.9.2 Configuring the Oracle Privileged Account Manager Server

You can configure the Oracle Privileged Account Manager server.

Before completing the steps below, make sure you have created a provider on the target Oracle Access Manager instance for the desired Oracle Privileged Account Manager instance and placed it as the first provider in the provider list.

To configure the Oracle Privileged Account Manager server:

  1. Create a target with the following parameter values:

     Field                                                  Value
     Storage Type                                           Deployed repository type
     Server                                                 Hostname:port of the repository server
     Root DN                                                Fully qualified DN of the repository root
     User Path                                              Fully qualified DN of the Users container
     Connect as User                                        CN of the repository connection account
     Password                                               Password of the repository connection account
     Use secure connection (SSL)                            Disabled
     Use configuration objects instead of application list  Enabled
     Role/Group support                                     Enabled
     Configuration and role/group objects root DN           Fully qualified DN of the CO container
     Admin Group DN                                         (not applicable; leave blank)
     User Name Prepend                                      UID

  2. Search for targets and click the target you created in step 1.
  3. Click the Privileged Accounts tab.
  4. In the Privileged Accounts tab, add the desired privileged account (stored on the target you created in step 1).
  5. Add the desired grantees to the privileged account.
  6. Restart both the admin and the privileged Oracle Privileged Account Manager server instances to apply your changes.

54.3.9.3 Creating the Required Template Mapping on the Provisioning Gateway Server

You can create the required template mapping on the Provisioning Gateway server machine using Provisioning Gateway Administrative Console.

To create the template mapping:

  1. Run the following command on the Provisioning Gateway server machine (it lowers the minimum RSA public key length that the Windows certificate chain engine accepts to 512 bits, so apply it only on this server):

    certutil -setreg chain\minRSAPubKeyBitLength 512

  2. Restart the Provisioning Gateway server machine.

  3. Log on to the Provisioning Gateway Administrative Console.

  4. Select the Settings tab, then the Template Mapping section.

  5. Click Edit and select the privileged template associated with your Oracle Privileged Account Manager target, then save your changes. This will create the required cn=OpamTemplateMap mapping in the repository.

  6. Test the configuration:

    1. Log on to Web Logon Manager as one of the grantees assigned to the target privileged account.

    2. Click Add next to the target privileged template. The privileged account details will appear in a separate tab.

54.3.10 Deploying the Oracle Traffic Director Administration Server

The Oracle Traffic Director Administration Server deploys and manages Oracle Traffic Director proxy instance(s).

Linux security restricts the opening of ports under 1024 to the root user. If you wish to run Oracle Traffic Director proxies on ports 80 or 443, follow the configuration guidelines for running as the root user.

See "Creating an Administration Server and Administration Node" in the Oracle Traffic Director Installation Guide.

WARNING:

Oracle highly recommends against running Oracle Traffic Director as the root user due to increased security risk; you should limit the use of the root user to development environments only.

To deploy the Oracle Traffic Director Administration Server:

  1. Start the installation:

    ./<OTD-installer>/runinstaller

  2. In the screen that appears, click Next.
  3. In the next screen, check for and install any applicable updates.
  4. In the screen that appears, set the Oracle Traffic Director home directory to the following and click Next:

    /OTD11g/trafficdirector_Home_1

  5. Wait for the installation to complete, then change into the following directory:

    /OTD11g/trafficdirector_Home_1/bin

  6. Create an Oracle Traffic Director administration server instance using the following command (only include --server-user=root if you want to run the server as the root user):

    ./tadm configure-server --user=admin --host=otd.hostname --server-user=root --instance-home=/OTD11g/trafficdirector_Home_1/instances

    Oracle recommends using the default port (8989) for the Oracle Traffic Director administration server.

  7. Start the Oracle Traffic Director administration server with the following command:

    /OTD11g/trafficdirector_Home_1/instances/admin-server/bin/startserv

  8. Log on to the Oracle Traffic Director Admin Console at the following URL:

    https://otd.hostname:8989

See the Oracle Traffic Director Installation Guide.

54.3.11 Deploying Webgate Binaries and Secure Trust Artifacts

You must have already created a Webgate profile in the Oracle Access Manager server before you start to deploy Webgate binaries and secure trust artifacts.

The secure trust artifacts generated during that procedure are required to complete the deployment of the Webgate binaries and secure trust artifacts.

See Preparing and Enabling the Access Portal Service on an Oracle Repository.

To deploy Webgate binaries and secure trust artifacts:

  1. Decompress the Webgate binaries installer into a local directory on the Oracle Traffic Director host and launch the installer with the following command:

    ./runInstaller

  2. When prompted, specify the full path to your Java runtime environment. For example: /usr/local/packages/jdk16

  3. In the installer's "Prerequisite Checks" screen, click Next.

  4. Specify the installation path and click Next:

    /MW_HOME/OAM_OTD_WebGate_HOME

  5. Click Install and wait for the installation to complete.

  6. Change into the following directory:

    /MW_HOME/OAM_OTD_WebGate_HOME/webgate/iplanet/tools/deployWebGate

  7. Deploy the Webgate binaries using the following command:

    ./deployWebGateInstance.sh -w /MW_HOME/wginst1 -oh /MW_HOME/OAM_OTD_WebGate_HOME -ws otd

  8. Copy the Oracle Access Manager artifact files generated while completing the steps in Preparing and Enabling the Access Portal Service on an Oracle Repository, as follows:

    • Copy the ObAccessClient.xml, cwallet.sso, and password.xml artifact files to:

      /MW_HOME/wginst1/webgate/config

    • Copy the aaa_key.pem and aaa_cert.pem artifact files to:

      /MW_HOME/wginst1/webgate/config/simple

  9. (Optional) If you deployed your Oracle Traffic Director administration server instance as the root user, grant that instance permissions to the Webgate (otherwise, skip this step).

    WARNING:

    Oracle highly recommends against running Oracle Traffic Director instances as the root user due to increased security risk; you should limit the use of the root user to development environments only.

    1. Change into /MW_HOME/wginst1

    2. Execute chmod -R 777 .
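The following Python script is an added example, not part of the Webgate tooling: it performs step 8 as a single all-or-nothing copy, refusing to run if any of the five artifacts is missing so a half-configured instance is never left behind, and it sets owner-only permissions on the files that hold key material or passwords (cwallet.sso, password.xml, aaa_key.pem). The modes are this example's own assumption, chosen for a Webgate that runs as a dedicated non-root server user; the chmod in step 9 applies only to the root-user case. The placeholder artifact contents written by demo() are constructed.

```python
import os
import shutil
import stat
import tempfile

# Artifact -> (subdirectory under <wginst>/webgate, file mode). The directory
# mapping follows step 8; the modes are this example's own choice (an
# assumption): files holding key material or passwords are owner-only.
ARTIFACT_LAYOUT = {
    "ObAccessClient.xml": ("config", 0o640),
    "cwallet.sso": ("config", 0o600),
    "password.xml": ("config", 0o600),
    "aaa_key.pem": (os.path.join("config", "simple"), 0o600),
    "aaa_cert.pem": (os.path.join("config", "simple"), 0o640),
}


def missing_artifacts(artifact_dir):
    """Names of required artifacts that are not present in artifact_dir."""
    return [name for name in ARTIFACT_LAYOUT
            if not os.path.isfile(os.path.join(artifact_dir, name))]


def deploy_webgate_artifacts(artifact_dir, wginst):
    """Copy all five artifacts into the Webgate instance tree. Does nothing
    at all if any artifact is missing. Returns the destination paths in
    deployment order."""
    missing = missing_artifacts(artifact_dir)
    if missing:
        raise FileNotFoundError(f"artifacts missing from {artifact_dir}: {', '.join(missing)}")
    deployed = []
    for name, (subdir, mode) in ARTIFACT_LAYOUT.items():
        dest_dir = os.path.join(wginst, "webgate", subdir)
        os.makedirs(dest_dir, exist_ok=True)
        dest = os.path.join(dest_dir, name)
        shutil.copyfile(os.path.join(artifact_dir, name), dest)
        os.chmod(dest, mode)  # chmod is unaffected by the umask
        deployed.append(dest)
    return deployed


def world_readable_secrets(wginst):
    """Audit an existing instance: secret files that 'other' can read."""
    findings = []
    for name, (subdir, mode) in ARTIFACT_LAYOUT.items():
        if mode != 0o600:
            continue
        path = os.path.join(wginst, "webgate", subdir, name)
        if os.path.isfile(path) and os.stat(path).st_mode & stat.S_IROTH:
            findings.append(path)
    return findings


def demo():
    """Run the deployment against constructed placeholder artifacts in a
    temporary directory and return the results for inspection."""
    base = tempfile.mkdtemp()
    try:
        artifacts = os.path.join(base, "artifacts")
        os.makedirs(artifacts)
        for name in ARTIFACT_LAYOUT:
            with open(os.path.join(artifacts, name), "w") as fh:
                fh.write(f"constructed placeholder for {name}\n")
        wginst = os.path.join(base, "wginst1")
        deployed = deploy_webgate_artifacts(artifacts, wginst)
        return {
            "deployed": [os.path.relpath(p, wginst) for p in deployed],
            "missing_from_empty": missing_artifacts(os.path.join(base, "empty")),
            "world_readable": world_readable_secrets(wginst),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For a real deployment call deploy_webgate_artifacts(<artifact directory>, "/MW_HOME/wginst1") as the user that owns the Webgate instance; world_readable_secrets() can be run afterwards, or on an existing instance, to confirm no secret file is readable by other accounts.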

54.3.12 (Optional) Configuring the ESSOProvisioning Plugin

When you successfully log on to Oracle Access Manager, the ESSOProvisioning plugin will provision your directory credentials to a specific application in your Access Portal Service (ESSO) wallet.

It will also update the target application credentials if your directory credentials change. If you want to enable the plugin, you must assign the ESSOProvAuthnScheme to the ESSOAuthnPolicy authentication policy in the IAM Suite application domain profile.

To optionally configure the ESSOProvisioning plugin:

  1. Log into the Oracle Access Manager Console.
  2. At the top of the page, click Application Security.
  3. In the Plug-ins section, click Authentication Modules.
  4. In the screen that appears, click Search.
  5. In the list of search results, click the ESSOProvisioningModule module.
  6. In the screen that appears, select the Steps tab.
  7. Edit the ESSO_PROV_Step step and enter the name of the target application for which you want to provision directory credentials.
  8. Edit the ESSO_UI_Step and ESSO_UA_Step steps and add a User Identity Store value of KEY_IDENTITY_STORE_REF to each.
  9. Click Save to save the steps, then click Apply to apply your changes to the module.
  10. Select the Launch Pad tab; in the Access Manager section, click Application Domains.
  11. In the screen that appears, click Search.
  12. From the list of search results, locate and double-click the IAM Suite profile.
  13. Select the Authentication Policies tab.
  14. In the list of policies, select ESSOAuthnPolicy.
  15. From the Authentication Scheme drop-down menu, select the ESSOProvAuthnScheme authentication scheme.
  16. Click Apply to save your changes.

54.3.13 Creating an Oracle Traffic Director Configuration

You can create an Oracle Traffic Director configuration from the Admin Console.

To create an Oracle Traffic Director configuration:

  1. Log on to the Oracle Traffic Director Admin Console at the following URL:

    https://otd.hostname:8989

  2. Create a new Oracle Traffic Director configuration with the following parameters:
    • Name: a descriptive name for the configuration

    • Server User: leave at the default value, unless you deployed the Oracle Traffic Director administration server as root

    • Select Origin Server Type: HTTP

  3. Create a listener (your Oracle Traffic Director instance will listen for requests from the user's browser on this port) with the following parameters:
    • Port: 8282

    • ServerName: otd.hostname

  4. Create an origin server pool with the following parameters:
    • Add your target application host as applicationHostname:port

    • Select the target node as applicationHostname

  5. Click the Instance node in the tree on the left and start the instance.
  6. Test the page by accessing the following URL and logging on with your administrator credentials:

    http://otd.hostname:8282/target_webgate_profile

54.3.14 Protecting the Oracle Traffic Director Instance with the Webgate Plugin

To protect your Oracle Traffic Director instance with the Webgate plugin:

  1. Generating Secure Trust Artifacts

  2. Loading Required WebGate Libraries into an OTD Instance

  3. Deploying Configuration Changes

  4. Testing the WebGate

54.3.14.1 Generating Secure Trust Artifacts

You can generate secure trust artifacts.

To generate:

  1. Go to the following directory:

    /MW_HOME/OAM_OTD_WebGate_HOME/webgate/iplanet/tools/setup/InstallTools

  2. Set the LD_LIBRARY_PATH variable:

    bash:  export LD_LIBRARY_PATH=/MW_HOME/OAM_OTD_WebGate_HOME/lib

    csh:   setenv LD_LIBRARY_PATH /MW_HOME/OAM_OTD_WebGate_HOME/lib

  3. Run the following command. It modifies the magnus.conf file to load the webgate library into the Oracle Traffic Director instance, and modifies the associated Oracle Traffic Director configuration file to activate the two plugins:

    ./EditObjConf -f /OTD11g/trafficdirector_Home_1/instances/targetInstance/config/targetOTDconfiguration.conf -oh /MW_HOME/OAM_OTD_WebGate_HOME -w /MW_HOME/wginst1 -ws otd -enableESSO -enableWLM

Note:

Only include the -enableWLM flag if you have deployed the Access Portal reference application. Otherwise, the flag is not necessary.

If you do not include the -enableWLM flag and wish to deploy the Access Portal reference application later, you must manually modify the appropriate Oracle Traffic Director configuration file as described in the Access Portal reference application deployment instructions.

54.3.14.2 Loading Required WebGate Libraries into an OTD Instance

You can load the required WebGate libraries into an OTD instance by editing its start script.

To load:

  1. Go to the following directory:

    /OTD11g/trafficdirector_Home_1/instances/targetOTDConfiguration/bin

  2. Edit the startserv script in a text editor and add the Webgate library path to the LD_LIBRARY_PATH variable as follows:

    LD_LIBRARY_PATH="${SERVER_LIB_PATH}:/MW_HOME/OAM_OTD_WebGate_HOME/lib:${SERVER_JVM_LIBPATH}:${LD_LIBRARY_PATH}";

54.3.14.3 Deploying Configuration Changes

You can deploy configuration changes from the Oracle Traffic Director Admin Console.

To deploy:

  1. Log into the Oracle Traffic Director Admin Console.
  2. Select your configuration and click the Instance Modified notification at the top of the page.
  3. Pull and deploy the changes.
  4. When prompted to restart the instance, click OK, then click Finish.

54.3.14.4 Testing the WebGate

You can test the WebGate by logging in using your repository credentials.

To test the WebGate:

  1. Navigate to http://otd.hostname:8282/target_webgate
  2. Log into the Webgate using your repository credentials.

    If the target application does not appear, check your configuration for errors.

  3. If, after successful configuration, the Access Portal Service does not capture application credentials and automatically log the user in, add the following parameter to the OTD Webgate agent configuration: TunneldUrl=/wlm,/idaas

54.3.15 (Optional) Enabling the Detached Credential Collector for the Target Webgate

You can enable the Detached Credential Collector for the target Webgate and deploy the Detached Credential Collector pages on Oracle HTTP Server.

The following topics describe how to enable and deploy the Detached Credential Collector:

54.3.15.1 Enabling Detached Credential Collector Operations

You can enable detached credential collector operations from the Application Security launch pad.

To enable:

  1. Login to the Oracle Access Management Console.
  2. Select Application Security and, in the Launch Pad, click the Agents icon.
  3. In the screen that appears, click Search.
  4. From the list of search results, locate and click the agent that is protecting your OTD Proxy Instance.
  5. Check the box Allow Credential Collector Operations.
  6. Click Apply to save your changes.
  7. Restart the OTD Proxy Instance.

54.3.15.2 Creating and Applying a Detached Credential Collector Authentication Scheme

You can create and apply a detached credential collector authentication scheme from the Application Security launch pad.

To create:

  1. Login to the Oracle Access Management Console.
  2. Select Application Security and in the Launch Pad, click Authentication Schemes under Access Manager.
  3. In the screen that appears, click Search.
  4. From the list of search results, locate and click the ESSOProvAuthnScheme authentication scheme.
  5. In the screen that appears, click Duplicate.
  6. Give the new scheme a descriptive name, for example DCC-ESSOAuthnScheme.
  7. In the Challenge Method drop-down list, select FORM.
  8. In the Challenge Redirect URL field, enter the Oracle Traffic Director host name and port in the format http://otd.hostname:port/ (including the trailing slash).
  9. In the Challenge URL field, enter /oamsso-bin/login.pl
  10. In the Context Type drop-down list, select external.
  11. Click Apply to save your changes.
  12. Select the Launch Pad tab.
  13. In the Access Manager section, click Application Domains.
  14. In the screen that appears, click Search.
  15. From the list of search results, locate and click the IAM Suite profile.
  16. Select the Authentication Policies tab.
  17. Click ESSOAuthnPolicy.
  18. In the Authentication Scheme drop-down list of ESSOAuthnPolicy, select the DCC authentication scheme you just created.
  19. Click Apply to save your changes.

54.3.15.3 Deploying Detached Credential Collector Pages on an Oracle HTTP Server

You can deploy Detached Credential Collector pages on an Oracle HTTP server.

To deploy:

  1. Enable CGI on the target instance of Oracle HTTP Server if you have not already done so.

    Your httpd.conf should contain the following directive:

    LoadModule cgi_module modules/mod_cgi.so
    
  2. Copy the oamsso directory from the following location:

    $WG_ORACLE_HOME/webgate/iplanet/

    To the following location:

    $OHS_INSTANCE_DIR/config/OHS/ohs1/htdocs

  3. Copy the oamsso-bin directory from the following location:

    $WG_ORACLE_HOME/webgate/iplanet/

    To the following location:

    $OHS_INSTANCE_DIR/config/OHS/ohs1/

  4. Locate the <IfModule alias_module> block in the httpd.conf file.
  5. Add the following ScriptAlias directive inside the <IfModule alias_module> block to enable CGI for the oamsso-bin directory:

    ScriptAlias /oamsso-bin/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin/"

  6. Restart the OHS instance.
  7. Test your configuration by accessing the following URL:

    http://ohs.host:port/oamsso-bin/login.pl
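The following Python check is an added example, not part of Oracle HTTP Server: it parses an httpd.conf excerpt, confirms that mod_cgi is loaded (step 1) and that the /oamsso-bin/ ScriptAlias sits inside the <IfModule alias_module> block with the oamsso-bin directory and trailing slash as its target (step 5), and reports a finding for each deviation. Both httpd.conf excerpts are constructed for the example; the first deliberately contains the two mistakes the check is meant to catch.

```python
import re

# Constructed httpd.conf excerpt with two defects this check should catch:
# the ScriptAlias sits outside <IfModule alias_module> and its target lacks
# the trailing slash.
SAMPLE_HTTPD_CONF = """\
LoadModule cgi_module modules/mod_cgi.so
<IfModule alias_module>
    Alias /icons/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/icons/"
</IfModule>
ScriptAlias /oamsso-bin/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin"
"""

# The same excerpt with the directive placed and spelled as step 5 requires.
FIXED_HTTPD_CONF = """\
LoadModule cgi_module modules/mod_cgi.so
<IfModule alias_module>
    Alias /icons/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/icons/"
    ScriptAlias /oamsso-bin/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin/"
</IfModule>
"""


def parse_directives(text):
    """Yield (directive, argument_string, enclosing_blocks) for every
    directive line, tracking <IfModule ...> style container sections."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opening = re.match(r"<(\w+)\s*([^>]*)>$", line)
        if opening:
            stack.append(f"{opening.group(1)} {opening.group(2)}".strip())
            continue
        if re.match(r"</\w+>$", line):
            if stack:
                stack.pop()
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else ""), tuple(stack)


def check_dcc_cgi_config(text):
    """Return findings for the Detached Credential Collector CGI setup;
    an empty list means steps 1 and 5 are reflected in the file."""
    findings = []
    cgi_loaded = False
    script_alias = None
    for directive, args, blocks in parse_directives(text):
        if directive == "LoadModule" and args.split()[:1] == ["cgi_module"]:
            cgi_loaded = True
        elif directive == "ScriptAlias" and args.startswith("/oamsso-bin/"):
            script_alias = (args, blocks)
    if not cgi_loaded:
        findings.append("mod_cgi is not loaded: add LoadModule cgi_module modules/mod_cgi.so")
    if script_alias is None:
        findings.append("no ScriptAlias for /oamsso-bin/")
        return findings
    args, blocks = script_alias
    target = args.split(None, 1)[1].strip().strip('"') if " " in args else ""
    if "IfModule alias_module" not in blocks:
        findings.append("ScriptAlias /oamsso-bin/ is outside the <IfModule alias_module> block")
    if not target.endswith("/oamsso-bin/"):
        findings.append("ScriptAlias target must be the oamsso-bin directory with a trailing slash")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_HTTPD_CONF), ("fixed", FIXED_HTTPD_CONF)):
        print(label, check_dcc_cgi_config(conf) or "OK")
```

To check a real instance, read $OHS_INSTANCE_DIR/config/OHS/ohs1/httpd.conf into a string and pass it to check_dcc_cgi_config() before restarting the instance in step 6.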

54.3.15.4 Routing Oracle Traffic Director Authentication Requests through a Detached Credential Collector

You can route Oracle Traffic Director authentication requests through a detached credential collector and test your configuration using the application's proxy URL.

To route:

  1. Under your target Oracle Traffic Director configuration, create a new origin server pool that points to the Oracle HTTP Server hostname and port.
  2. Create a new route that points to the origin server pool created in step 1.
  3. Add the following URI condition to the route:

    /oamsso-bin OR /oamsso

  4. Save your changes and restart the Oracle Traffic Director instance.
  5. Test your configuration by accessing the target application's proxy URL.

54.3.16 Configuring Logon Manager for Compatibility with the Access Portal Service

You can enable interoperability between Logon Manager and the Access Portal Service.

If you have not already done so, install the Authentication Manager component of the Logon Manager on each target end-user machine to enable the MultiAuth authenticator in Logon Manager.

For more information on configuring Logon Manager repository settings, see the guide Deploying Logon Manager with a Directory-Based Repository.

Note:

For an Application Policy to be compatible, enable the "User Visible" setting in the Application profile in the Oracle Access Management Console. You must perform this task in addition to the modifications described in the following topic:

See Modifying the Access Portal Service Configuration.

54.3.16.1 Modifying the Access Portal Service Configuration

You can modify the Access Portal service configuration.

To modify:

  1. In the IDS profile you have configured for the Access Portal Service, ensure that you are connecting with a user who possesses root privileges (e.g., orcladmin).

  2. If you are using Oracle Internet Directory as your repository, set the following permissions to permit Logon Manager to complete its First Time Use wizard:

    1. For the vGoLocator object and its default child object:

      orclaci: access to attr=(*) by * BindMode="Simple" (read,search,compare)

      orclaci: access to entry by * BindMode="Simple" (browse)

    2. For the People container:

      orclaci: access to attr=(*) by * BindMode="Simple" (read,write,search,compare)

      orclaci: access to entry by * BindMode="Simple" (browse,add,delete)

  3. Ensure that the PolicyCache TTL is set to a positive, non-zero value.

54.3.16.2 Modifying the Logon Manager Configuration

You can modify the Logon Manager configuration by connecting to your repository.

To modify:

  1. Launch the Enterprise Single Sign-On Suite Administrative Console and connect to the Access Portal Service repository.

  2. If you are using Active Directory as your repository, do the following (otherwise, skip this step):

    1. Navigate to Global Agent Settings > Live > Synchronization > ADEXT.

    2. Select the check box next to the Use secure location for storing user settings option and select Yes from the drop-down menu.

  3. Navigate to Global Agent Settings > Live > Authentication > Authentication Manager and configure the graded authenticators as required by your environment. For more information, refer to the Enterprise Single Sign-On Suite Administrator's Guide.

  4. Navigate to Global Agent Settings > Live > Authentication and configure each authenticator as required by your environment, noting the following:

    • If using Oracle Internet Directory as your repository, there are two Recovery Method options Passphrase suppression using entryUUID and Passphrase suppression using secure key. Select Passphrase suppression using secure key if displayed; otherwise select Passphrase suppression using entryUUID.

    • If using Active Directory as your repository, set the Recovery Method option to Passphrase suppression using user's SID.

    For more information, see the guide Deploying Logon Manager with a Directory-Based Repository.

  5. Navigate to Global Agent Settings > Live > Synchronization and configure the appropriate synchronizer as required by your environment, noting the following:

    • Enable the Use aggressive synchronization option.

    • Enable the Resynchronize when network or connection status changes option.

    • Set the Interval for automatic resynchronization option to 1.

  6. Publish your settings to the repository:

    1. In the tree on the left-hand side, right-click Live and select Publish from the context menu.

    2. Click Browse and select the target path within the repository. (If prompted, enter the appropriate connection parameters and click OK to connect.)

    3. In the Available configuration objects list, double-click Live to move it to the list of objects selected for publishing.

    4. Click Publish and wait for the operation to complete.