56.5 Configuring Access Manager for RSA SecurID Authentication

Users with valid Oracle Access Management Administrator credentials can enable RSA SecurID authentication.

Prerequisites

See Installation and Configuration Requirements for the installation and configuration tasks that are outside the scope of this manual and that must be completed before you begin the SecurID integration with Access Manager.

To set up SecurID Authentication with Access Manager

  1. In your oam-config.xml, set the OAM SecurID Server serverRequestCacheType parameter to BASIC, as follows:

    1. Stop all WebLogic servers (OAM Servers and AdminServer).

    2. Locate oam-config.xml in the following path:

      $DOMAIN_HOME/config/fmwconfig/oam-config.xml
      
    3. Change the serverRequestCacheType from COOKIE (default) to BASIC, as follows:

      <Setting Name="serverRequestCacheType" Type="xsd:string">BASIC</Setting>
      
    4. Start all WebLogic Servers (OAM Servers and AdminServer).

  2. Register a Web agent from the RSA Console that will be used by Access Manager, then copy the agent configuration file (sdconf.rec) to the following location:

     $DOMAIN_HOME/config/fmwconfig/servers/$SERVER_NAME/oam/sdconf.rec
    
  3. Using the Oracle Access Management Console, create a custom authentication module for RSA, as follows:

    1. Click Application Security at the top of the window.

    2. Select Create Custom Authentication Module from the Create (+) drop-down menu in the Plug-ins section.

    3. Select the General tab and enter the following:

      Name: RSA_AUTH
      
    4. Select the Steps tab and enter a name for the Step, then choose the RSA SecurID Plugin

      Step Name: stepRSA
      Plugin Name: RSA SecurID Plugin
      OK
      
    5. On the Step Details tab for stepRSA, enter and Save the step details shown in the next screen; the same values should also appear in your customhtml.properties file:

    6. On the Steps tab, add the User Identification Plugin: enter a name for the Step, then choose the User Identification Plugin:

      Step Name: rsa_useridentification
      Plugin Name: UserIdentificationPlugin
      OK
      
    7. On the Step Details tab for rsa_useridentification, enter and Save the following details for your environment:

      KEY_LDAP_FILTER: (uid={KEY_USERNAME})

      KEY_IDENTITY_STORE_REF: The registered Default Store.

      KEY_SEARCH_BASE_URL: dc=us,dc=example,dc=com

  4. Orchestrate the steps as follows: stepRSA should be first (to authenticate the user with the RSA Server); designate your User Identification Plugin for the success step.

    Initial Step: stepRSA
    
    Name: stepRSA
    On Success: rsa_useridentification
    On Failure: failure
    On Error: failure
    Apply
    
    Name: rsa_useridentification
    On Success: Success
    On Failure: failure
    On Error: failure
    Apply
    

    Note:

    The On Failure and On Error fields must both be set to failure.

  5. Create a new authentication scheme (RSACredScheme, for example) that uses the custom authentication module that you just created for RSA with a custom HTML login form. Sample values are shown in the following screen:

    Note:

    The authentication scheme's Context Value specifies the path to your custom HTML login form. Your custom HTML properties file must share the same name as the form (with a .properties extension) in the same directory path. This example uses customhtml.html and customhtml.properties.

    Challenge parameters specify the initial RSA command for authentication (RSA_USER_PASSCODE). The is_rsa=true parameter and value must be specified for RSA.

  6. Use this scheme in the Application Domain protecting resources requiring SecurID authentication.

  7. Ensure that your custom HTML file is present in:

    $DOMAIN_HOME/config/fmwconfig/customhtml.html
    

    The custom HTML for the RSA login form requires the form action to be set to /oam/server/auth_cred_submit, as follows:

    <form id="loginData" action="/oam/server/auth_cred_submit" method="post" name="loginData">
      <div id="oam_credentials" class="input-row">
        <span class="ctrl"></span>
      </div>
      <div class="button-row">
        <span class="ctrl">
          <input id="login_button" type="submit" value="Login" class="formButton"
            onclick="this.disabled=true;document.body.style.cursor = 'wait';
            this.className='formButton-disabled';form.submit();return false;"/>
        </span>
      </div>
      <div id="oam_error_messages"></div>
    </form>
    
    
  8. Ensure that your customhtml.properties file is:

    • Named as your custom HTML file with a .properties extension

    • Stored in the same path as your custom HTML file

    • Confirmed to contain settings that match the RSA SecurID plugin configuration parameters. For example:

        username=Username 
        password=Password 
        passcode=Mother's maiden name 
        rsa_new_pin=RSA New Pin 
        rsa_new_pin_confirm=RSA Confirm New Pin 
        Pin=RSA Pin 
        rsa_sysgen_pin=RSA Create New Pin 
        rsa_sysgen_pin_confirm=RSA System Generated Pin 
        error1=Username not specified 
    
  9. Restart OAM Servers.

  10. Test your configuration by accessing the appropriate protected resource and validating the various modes.

  11. See "RSA SecurID Issues and Logs" for details if you experience problems.
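The following script is an added example (not Oracle's code and not part of this manual) that turns the manual checks in the procedure above into repeatable pre-flight tests: the serverRequestCacheType value in oam-config.xml, the login form's action and method, the key set in customhtml.properties, the file-name and directory rule for the properties file, and the step orchestration rule that On Failure and On Error must both route to failure. The XML, HTML, properties and step samples are constructed for illustration; the expected property keys are taken from the page's example, and the real required set is whatever the RSA SecurID plugin's Step Details define. The oam-config.xml layout is assumed to be a tree of Setting elements keyed by a Name attribute, as in the snippet shown in step 1.

```python
"""Pre-flight checks for the Access Manager + RSA SecurID configuration steps."""
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from typing import Optional

# Values fixed by the procedure; hostnames, DNs and step names are per-site.
EXPECTED_CACHE_TYPE = "BASIC"
EXPECTED_FORM_ACTION = "/oam/server/auth_cred_submit"
# Keys taken from the page's customhtml.properties example (assumed required set).
EXPECTED_PROPERTY_KEYS = {
    "username", "password", "passcode", "rsa_new_pin", "rsa_new_pin_confirm",
    "Pin", "rsa_sysgen_pin", "rsa_sysgen_pin_confirm", "error1",
}


def request_cache_type(oam_config_xml: str) -> Optional[str]:
    """Return the serverRequestCacheType value from oam-config.xml text, or None."""
    root = ET.fromstring(oam_config_xml)
    for elem in root.iter():
        # Strip any namespace so the match works whether or not the file declares one.
        local = elem.tag.rsplit("}", 1)[-1]
        if local == "Setting" and elem.get("Name") == "serverRequestCacheType":
            return (elem.text or "").strip()
    return None


def form_posts_to_oam(login_html: str) -> bool:
    """True if the first <form> posts to the OAM credential submission endpoint."""
    tag = re.search(r"<form\b[^>]*>", login_html, re.IGNORECASE)
    if not tag:
        return False
    action = re.search(r'action\s*=\s*"([^"]*)"', tag.group(0), re.IGNORECASE)
    method = re.search(r'method\s*=\s*"([^"]*)"', tag.group(0), re.IGNORECASE)
    return (action is not None and action.group(1) == EXPECTED_FORM_ACTION
            and method is not None and method.group(1).lower() == "post")


def missing_property_keys(properties_text: str) -> set:
    """Expected keys that the .properties text does not define (comments are skipped)."""
    present = set()
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        present.add(re.split(r"[=:]", line, maxsplit=1)[0].strip())
    return EXPECTED_PROPERTY_KEYS - present


def properties_file_matches_form(html_path: str, properties_path: str) -> bool:
    """Same directory and same base name, differing only in the .properties extension."""
    h, p = PurePosixPath(html_path), PurePosixPath(properties_path)
    return h.parent == p.parent and h.stem == p.stem and p.suffix == ".properties"


def orchestration_problems(initial: str, steps: dict) -> list:
    """Check step wiring: failure/error must go to 'failure'; success chain must end in 'Success'."""
    problems = []
    if initial not in steps:
        problems.append(f"initial step {initial!r} is not defined")
    for name, step in steps.items():
        for field in ("on_failure", "on_error"):
            if step.get(field) != "failure":
                problems.append(f"{name}: {field} must be 'failure'")
    # Walk the success chain from the initial step; it must reach 'Success' without looping.
    seen, cur = set(), initial
    while cur in steps and cur not in seen:
        seen.add(cur)
        cur = steps[cur].get("on_success")
    if cur != "Success":
        problems.append(f"success chain does not end in 'Success' (stopped at {cur!r})")
    return problems


# Constructed samples (not real OAM files) so the checks can run offline.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="OAMServer">
    <Setting Name="serverRequestCacheType" Type="xsd:string">BASIC</Setting>
  </Setting>
</Configuration>"""
SAMPLE_LOGIN_HTML = ('<form id="loginData" action="/oam/server/auth_cred_submit" '
                     'method="post" name="loginData"></form>')
SAMPLE_PROPERTIES = """username=Username
password=Password
passcode=Mother's maiden name
rsa_new_pin=RSA New Pin
rsa_new_pin_confirm=RSA Confirm New Pin
Pin=RSA Pin
rsa_sysgen_pin=RSA Create New Pin
rsa_sysgen_pin_confirm=RSA System Generated Pin
error1=Username not specified
"""
SAMPLE_STEPS = {
    "stepRSA": {"on_success": "rsa_useridentification", "on_failure": "failure", "on_error": "failure"},
    "rsa_useridentification": {"on_success": "Success", "on_failure": "failure", "on_error": "failure"},
}

if __name__ == "__main__":
    print("cache type:", request_cache_type(SAMPLE_OAM_CONFIG))
    print("form posts to OAM:", form_posts_to_oam(SAMPLE_LOGIN_HTML))
    print("missing property keys:", missing_property_keys(SAMPLE_PROPERTIES) or "none")
    print("orchestration problems:", orchestration_problems("stepRSA", SAMPLE_STEPS) or "none")
```

To use it against a real domain, read $DOMAIN_HOME/config/fmwconfig/oam-config.xml, customhtml.html and customhtml.properties into strings and pass them to the functions; run the checks before the restart in step 9 so a COOKIE cache type, a wrong form action or a mis-wired On Error field is caught before users hit the login page.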