14.3 OAM Remote Registration

As an alternative to using the Console for agent registration, you can use the remote registration utility, oamreg, with Oracle-provided templates.

The user who runs the remote registration script must be a member of a group that is mapped to the Administrator's Role in the primary user identity store for Access Manager (see Managing Data Sources).

Secure registration and creation of an Application Domain (as well as symmetric key generation) is supported in either of the remote registration modes described in Table 14-7.

Table 14-7 Remote Registration Methods

Method            Description

In-band mode      Administrators within the network who manage the Web server that hosts the agent can use this mode or the Oracle Access Management Console.

Out-of-band mode  Administrators outside the network must submit registration requests to an Administrator within the network. After processing the request, the in-band Administrator returns the files required by the out-of-band Administrator, who uses the files to configure their environment.

Symmetric key generation per Application: one key is generated and used for each registered mod_osso or 11g WebGate. All 10g WebGates, however, share one single generated key.

Note:

Registration of legacy Agents (10g WebGate, OpenSSO, and OSSO 10g) is also supported.

The following functionality is not supported with remote registration:
  • Persistence of the Key and Agent Information

  • Generation of Keys used by internal components

  • API support for reading Agent information

For more information on the registration modes, see the following sections. "Registering and Managing OAM 11g Agents" has additional details.

14.3.1 Performing In-Band Remote Registration

Using the remote registration tool, an in-band Web server Administrator can perform tasks for provisioning an application. Unless explicitly stated, tasks are the same regardless of the type of agent you have protecting resources.

In this overview, the term "Administrator" refers to any user within the network who is part of the LDAP group that is designated for Administrators in the Default System User Identity Store registered with Oracle Access Management.

  1. Acquire the registration tool as described in "Acquiring and Setting Up the Remote Registration Tool".
  2. Update the input file with unique values for the agent and Application Domain as described in "Creating Your Remote Registration Request".
  3. Run the registration tool to configure the Agent and create a default Application Domain for the resources, as described in "Performing In-Band Remote Registration".
  4. Validate the configuration as described in "Validating Remote Registration and Resource Protection".
  5. Perform access checks to validate that the configuration is working, as described in "Verifying Authentication and Access After Remote Registration".

14.3.2 Performing Out-of-Band Remote Registration

The term out-of-band registration refers to manual registration that involves coordination and actions by both the in-band Administrator and the out-of-band Administrator.

Following is a brief overview of out-of-band remote registration (when the Agent is outside the network).

  1. Out-of-band Administrator: Creates a starting request input file containing specific application and agent details and submits it to the in-band Administrator.
  2. In-band Administrator:
    • Acquire the registration tool as described in "Acquiring and Setting Up the Remote Registration Tool".

    • Use the out-of-band starting request with the registration tool to provision the agent and create the following files to return to the out-of-band Administrator. See "Performing Out-of-Band Remote Registration" for details:

      • agentName_Response.xml is generated for the out-of-band Administrator to use in Step 3.

      • OAM Agents: A modified ObAccessClient.xml file is created (and, for 11g WebGates, the cwallet.sso SSO wallet file), which the out-of-band Administrator can use to bootstrap the WebGate.

      • OSSO Agents: A modified osso.conf file is created for the out-of-band Administrator to bootstrap the OSSO module.

      • OpenSSO Agents: Modified versions of the OpenSSO properties files are generated.

  3. Out-of-band Administrator: Uses the registration tool with the agentName_Response.xml file and copies the Agent configuration and any other generated artifacts to the appropriate file system directory.

    Note:

    In out-of-band mode, the in-band Administrator uses the starting request file submitted by the out-of-band Administrator, and returns a generated agentName_Response.xml file to the out-of-band Administrator for additional processing. The out-of-band Administrator runs the remote registration tool with agentName_Response.xml as input to generate the agent configuration files.

  4. In-band Administrator: Validates the configuration as described in "Validating Remote Registration and Resource Protection".
  5. Out-of-band Administrator: Performs several access checks to validate that the configuration is working, as described in "Verifying Authentication and Access After Remote Registration".

14.3.3 Updating Agent Configuration Files

After a successful registration (or update), you must locate the Agent configuration files on the AdminServer (console) host and copy these to the Agent host.

The artifacts for an Agent's registration or update are described in Table 14-8.

Table 14-8 Agent Registration and Configuration Update Artifacts

Artifacts For ...                        Description

Simple or Cert mode                      If Simple or Cert mode is used, certificate artifacts must also be copied to the Agent host following registration. See Also: Securing Communication

11g OAM Agents (WebGate/Access Client)   See Also: Registering and Managing OAM 11g Agents

10g OAM Agents (WebGate/Access Client)   See Also: Registering and Managing 10g WebGates with Access Manager 11g

OSSO Agent                               See Also: Registering and Managing Legacy OSSO Agents

OpenSSO Agent                            See Also: Registering and Managing Legacy OpenSSO Agents