24.4 Specifying Credential Collector URLs with Password Policy

Regardless of the credential collection method, you can configure one global password policy that applies to all Access Manager-protected resources (using the Password Policy Validation Module in the authentication scheme).

The relevant URLs for the credential collector and related forms must be specified as outlined in Table 24-3.

Table 24-3 Specifying Credential Collectors and Related Forms for Authentication

Each row below names a configuration item (the "In the . . ." column of the table) and then gives the setting for the ECC and for the DCC.

OAM Agent Registration (DCC only)

  For the ECC: N/A.

  For the DCC: Check the box beside Allow Management Operations in the OAM Agent registration page.

  See Also: "Enabling DCC Credential Operations"

Login, error, and password pages

  For the ECC: The pages on which the user enters credentials are installed out of the box on the OAM Server and require no additional settings or changes:

  • Login page: /pages/login.jsp

  • Logout page: /pages/logout.jsp

  • Error page: /pages/servererror.jsp

  • Multi-step authentication: /pages/mfa_login.jsp

  For the DCC: Dynamic pages for general login/logout and password policy with the DCC are excluded automatically through the OHS httpd.conf/webgate.conf file; you do not need to configure a policy to exclude them.

  See the WebGate host directories $WEBGATE_HOME/webgate/ohs/oamsso/*, $WEBGATE_HOME/webgate/ohs/oamsso-bin/*pl, and $WEBGATE_HOME/webgate/ohs/oamsso-bin/templates/* for:

  • Login page: /oamsso-bin/login.pl

  • Logout: /oamsso-bin/logout.pl

  • RSA SecurID login pages: /oamsso-bin/securid.pl

  Perl Scripts for DCC-based Login and Logout: The path name of the Perl executable must be updated in the Oracle-provided Perl scripts on the WebGate host ($WEBGATE_HOME/webgate/ohs/oamsso-bin/*pl) so that it matches the actual location of Perl on that host.

  See Also: Table 22-5

Password Policy, Password Service URL

  For the ECC: The default ECC password page is used automatically.

  Password Service URL for ECC: /oam/pages/pswd.jsp

  See Also: "Defining Your Global Password Policy"

  For the DCC: Enter the DCC password page.

  Password Service URL for DCC: /oamsso-bin/login.pl

  See Also: "Locating and Updating DCC Forms for Password Policy"

User Identity Store

  Same for both DCC and ECC: The user data object definition in the Access Manager schema is extended with attributes that enable password user status and password history maintenance. This definition is provided in an LDIF file and must be added to each user identity store using the ldapadd tool. Oracle-provided LDIFs are identified in Table 24-6.

Password Policy Validation Authentication Module

  Same for both DCC and ECC: Enter the Default Store as the KEY_IDSTORE_REF for each of the three plug-ins/steps, with an Error redirect on Failure.

Authentication Scheme, Challenge Redirect URL

  For the ECC: Enter the Credential Collector host in relative URI format: /oam/server (the server prepends the host:port).

  See Also: "Configuring the PasswordPolicyValidationScheme"

  For the DCC: Enter the Credential Collector host:

  • For a DCC on its own Webgate, the full URL: http://dcchost:port

  • For a DCC combined with the Resource Webgate: leave empty

  See Also: "Configuring the PasswordPolicyValidationScheme"

Authentication Scheme, Challenge URL

  For the ECC: Enter the Credential Collector login form relative URI: /pages/login.jsp

  See Also: "Configuring the PasswordPolicyValidationScheme"

  For the DCC: Enter the Credential Collector login form relative URI: /oamsso-bin/login.pl

  See Also: "Configuring the PasswordPolicyValidationScheme"

Authentication Scheme, Challenge Parameters

  For the ECC, user-defined Challenge Parameters:

  • OverrideRetryLimit=0

  • initial_command=NONE

  For the DCC, user-defined Challenge Parameters:

  • creds

  • extracreds

  • MaxPostDataBytes

  • DCCCtxCookieMaxLength

  • TempStateMode

Server Error Mode

  Same for both DCC and ECC.

  See: "Setting the Error Message Mode for Password Policy Messages"

Authentication Policy

  For the ECC: Use any authentication scheme configured for the ECC in the application domain of the protecting Webgate (Resource Webgate).

  See Also: "Adding Your PasswordPolicyValidationScheme to ECC Authentication Policy"

  For the DCC, when the DCC is separate from the Resource Webgate:

  • In the protecting (Resource) Webgate Application Domain, in the Authentication Policy protecting resources, use the DCC-related Authentication Scheme.

  • In the DCC Webgate Application Domain, in the Authentication Policy protecting resources, use the DCC-related Authentication Scheme. Consider:

    • With no Action URL: the DCC uses the default /oam/server/auth_cred_submit, which is automatically protected with the DCC-related authentication scheme.

    • With an Action URL: explicitly protect the specified Action URL with the DCC Scheme.

  See Also: "Adding PasswordPolicyValidationScheme to Authentication Policy for DCC"

Logout Configuration

  For the ECC: In the protecting (Resource) Webgate Agent registration, configure the Logout URL as shown in Table 15-3.

  See "Configuring Centralized Logout for 11g WebGates"

  For the DCC:

  • In the DCC Agent registration page, the Logout Redirect URL is ignored.

  • In the protecting (Resource) Webgate registration, define the Logout Redirect URL: http://dcchost:port/oamsso-bin/logout.pl

    Note: If the Resource Webgate's Logout Redirect URL is anything other than logout.*, that URL must also be defined in the Logout URL parameter of the DCC Webgate registration. For example, if the Resource Webgate registration has the Logout Redirect URL http://dcchost:port/someurl.html, then the DCC Webgate registration must have Logout URL: someurl.html.

  • The Perl path must be updated in the Oracle-provided scripts.

  See "Configuring Logout When Using Detached Credential Collector-Enabled WebGate"
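The rows above are easy to get subtly wrong (a relative URI where the DCC wants a full URL, a Challenge URL copied from the ECC into a DCC scheme, a non-logout.* redirect that is never mirrored onto the DCC Webgate). The following is an added example, not Oracle's code and not an OAM API: it encodes the table's rules as consistency checks over constructed dictionaries that stand in for an authentication scheme and for WebGate registration fields. The key names (collector, challenge_redirect_url, combined_with_resource_webgate, and so on) are this example's own labels, not OAM console identifiers, and the host dcchost:7777 is a made-up value.

```python
"""Consistency checks for ECC and DCC credential-collector settings.

Added example: encodes the rules of Table 24-3 over constructed input.
The dictionary keys used here are this example's own labels, not OAM
console field identifiers.
"""
from urllib.parse import urlparse

# Values the table states for each collector type.
CHALLENGE_URL = {"ECC": "/pages/login.jsp", "DCC": "/oamsso-bin/login.pl"}
PASSWORD_SERVICE_URL = {"ECC": "/oam/pages/pswd.jsp", "DCC": "/oamsso-bin/login.pl"}
ECC_CHALLENGE_PARAMETERS = {"OverrideRetryLimit": "0", "initial_command": "NONE"}


def check_scheme(scheme):
    """Return a list of findings for one scheme; an empty list means consistent."""
    findings = []
    collector = scheme["collector"]
    redirect = scheme.get("challenge_redirect_url", "")

    if collector == "ECC":
        # ECC: relative URI; the server prepends host:port.
        if redirect != "/oam/server":
            findings.append("ECC Challenge Redirect URL must be the relative URI /oam/server")
        params = scheme.get("challenge_parameters", {})
        for name, value in ECC_CHALLENGE_PARAMETERS.items():
            if params.get(name) != value:
                findings.append(f"ECC challenge parameter {name}={value} is missing or differs")
    elif collector == "DCC":
        if scheme.get("combined_with_resource_webgate", False):
            # DCC on the same WebGate as the resource: the field is left empty.
            if redirect:
                findings.append("DCC combined with Resource Webgate: Challenge Redirect URL must be empty")
        else:
            # Separate DCC: a full URL carrying a scheme and host:port.
            parts = urlparse(redirect)
            if parts.scheme not in ("http", "https") or not parts.netloc:
                findings.append("DCC Challenge Redirect URL must be a full URL such as http://dcchost:port")
    else:
        return [f"unknown collector type {collector!r}"]

    if scheme.get("challenge_url") != CHALLENGE_URL[collector]:
        findings.append(f"{collector} Challenge URL must be {CHALLENGE_URL[collector]}")
    if scheme.get("password_service_url") != PASSWORD_SERVICE_URL[collector]:
        findings.append(f"{collector} Password Service URL must be {PASSWORD_SERVICE_URL[collector]}")
    return findings


def missing_dcc_logout_url(resource_logout_redirect_url, dcc_logout_urls):
    """Apply the logout rule for a DCC that is separate from the Resource Webgate.

    Returns the value that still has to be added to the DCC Webgate's Logout URL
    parameter, or None when nothing is missing. A Logout Redirect URL ending in
    logout.* needs no extra entry; any other target must also be listed on the
    DCC Webgate, following the table's /someurl.html -> someurl.html example.
    """
    path = urlparse(resource_logout_redirect_url).path
    last_segment = path.rsplit("/", 1)[-1]
    if last_segment.startswith("logout."):
        return None
    required = path.lstrip("/")  # table example: /someurl.html -> someurl.html
    return None if required in dcc_logout_urls else required


if __name__ == "__main__":
    # Constructed sample settings; dcchost:7777 is a made-up host:port.
    ecc_scheme = {
        "collector": "ECC",
        "challenge_redirect_url": "/oam/server",
        "challenge_url": "/pages/login.jsp",
        "password_service_url": "/oam/pages/pswd.jsp",
        "challenge_parameters": {"OverrideRetryLimit": "0", "initial_command": "NONE"},
    }
    dcc_scheme = {
        "collector": "DCC",
        "challenge_redirect_url": "dcchost:7777",       # missing http://
        "challenge_url": "/pages/login.jsp",            # ECC page copied into a DCC scheme
        "password_service_url": "/oamsso-bin/login.pl",
    }
    for s in (ecc_scheme, dcc_scheme):
        for finding in check_scheme(s) or ["ok"]:
            print(f"{s['collector']}: {finding}")
    print(missing_dcc_logout_url("http://dcchost:7777/someurl.html", []))
```

Running the script as written reports two findings for the constructed DCC scheme (the redirect lacks a scheme and host, and the Challenge URL is the ECC page) and prints someurl.html for the logout case, which is exactly the entry the table says must be added to the DCC Webgate registration.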