24.9 Configuring the IPFUserPasswordPolicyPlugin

The Identity Password Framework (IPF) password policy plugin handles the password related flows during login. Configuring the IPF password policy plugin is the most critical step in making sure that OAM and OIM LDAP applications can work in tandem.

Using the IPF password plugin in OAM makes sure that password features act across both OAM and OIM in similar ways. This section contains the following information:

24.9.1 Enabling the IPF Password Service

The IPF password service can be enabled in a newly installed (not upgraded) environment by manually editing oam-config.xml.

Edit oam-config.xml and add the following line:

<Setting Name="pswdServiceDataVersion" Type="xsd:string">3</Setting>

This procedure assumes:

  • The WebLogic Server, Oracle Internet Directory, Oracle HTTP Server and a database are installed.

  • Oracle Access Management is installed in DB mode and configured to use OID as a user store.

  • WebGate 11g is installed and configured against the policy server.

  • The exact mechanism of extending LDAP directory for each directory type.

  1. Shut down the entire domain including the WebLogic Admin Server and all OAM Managed Servers.
  2. Locate the correct oam-config.xml file in <DOMAIN_HOME>/config/fmwconfig/ and make a backup of it before editing.
  3. Modify the file so it contains the following snippet.
    <Setting Name="PasswordService" Type="htf:map">
     <Setting Name="pswdServiceDataVersion" Type="xsd:string">3</Setting>               
     <Setting Name="pswdServiceUrl" Type="xsd:string">/oam/pages/pswd.jsp</Setting>

    Be sure to increment the version number of the file by 1 to ensure that the changes are not overwritten by the Oracle Access Management Console.

  4. Save the file.
  5. Restart the WebLogic Admin Server.
  6. Restart the OAM Managed Servers.

As a verification step, check <DOMAIN_HOME>/config/fmwconfig/oam-config.xml on each of the OAM Managed Server nodes to ensure that the updated version has propagated correctly.

24.9.2 Configuring Password Policy for IPF Password Service

Note that the password policy in OAM should be in sync with that of OAM LDAP to work consistently between both products.

See Accessing Password Policy Configuration Page for details. It is up to the administrator to ensure that the policies are indeed the same and consistent.

24.9.3 Extending the LDAP Definitions

Depending on the type of the directory, add the required objectclass schema definitions so that the LDAP directory can use these to extend the user objectclass. The appropriate schema files are located in $IDM_HOME/modules/oracle.idm.ipf_11.1.2/scripts/ldap.

Table 24-9 documents the LDIF file to use with supported LDAP directories.

Table 24-9 Included LDIF Schema Files

LDAP Directory LDIF Schema File


OID_OblixSchema.ldif, OID_OracleSchema.ldif


AD_OblixSchema.ldif, AD_OracleSchema.ldif


OUD_OblixSchema.ldif, OUD_OracleSchema.ldif


IPLANET_OblixSchema.ldif, IPLANET_OracleSchema.ldif


OLDAP_OblixSchema.schema, OLDAP_OracleSchema.schema


OVD_OblixSchema.ldif, OVD_OracleSchema.ldif


TIVOLI_OblixSchema.ldif, TIVOLI_OracleSchema.ldif


EDIR_OblixSchema.ldif, EDIR_OracleSchema.ldif

24.9.4 Configuring the Password Policy Validation Authentication Module and Scheme

The Password Policy Validation Authentication Module needs to be configured to use the required identity store, as well as some of the operations configuration as per installation requirements.

There are no credential collector dependencies when defining the Password Policy Validation Module for authentication. The User Password Status Step is the unique step that relies on the IPFUserPasswordPolicyPlugin. See "Password Policy Validation Authentication Module" and Configuring the PasswordPolicyValidationScheme

24.9.5 Setting Up the Forgot Password Module

If the forgot password feature needs to be enabled in OAM, the IPFForgotPasswordModule is used. The forgot password authentication enables OAM users to change their password by authenticating them using previously collected challenges.

The administrator can setup forgot password URL by following the procedure documented in Administering the Forgot Password URL.