49.9 Configuring Mobile and Social Services with Other Oracle Products

The following topics include information on how to configure Mobile and Social with other Oracle products:

49.9.1 Configuring Mobile and Social Services for Access Manager

The following topics describe how to configure Mobile and Social to work with different versions of Access Manager:

Note:

During installation, the Oracle Fusion Middleware Configuration Wizard generates a domain that supports both Mobile and Social and Access Manager.

See "Configuring Mobile and Social" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

49.9.1.1 Configuring Mobile and Social Services to Work With Access Manager in Simple and Certificate Mode

You can configure Mobile and Social Services to work with Access Manager if Access Manager is configured in Simple Mode.

Change the Server Mode to Simple

  1. In the Oracle Access Management Administration Console, click Configuration at the top of the window.

  2. Click Server Instances. Click Search and click oam_server1 in the Search Results.

  3. Click Open.

  4. In the OAM Proxy section, choose Simple from the Mode menu and click Apply.

Change the Webgate Communication Mode to Simple

  1. In the Oracle Access Management Administration Console for the target Webgate, click Application Security at the top of the window.

  2. In the Webgates tab, click Search.

  3. Select the target Webgate and open it for editing.

  4. Change the security mode for the Webgate to Simple, then click Apply.

    The system creates a new directory for the Webgate under ~/oam-domain/output/accessgate-oic with the following files:

    • aaa_cert.pem

    • aaa_key.pem

    • cwallet.sso

    • ObAccessClient.xml

    • password.xml

Change the OIC OAMASDKAuthNProvider Security Mode to Simple

  1. Copy the .jks files from the ~/oam-domain/output/webgate-ssl directory to the ~/oam-domain/config/fmwconfig directory.
  2. Go to the ~/oam-domain/output/accessgate-oic directory and open password.xml.

    Copy the passwd value from the file.

  3. Open the Oracle Access Management Administration Console.

    The Launch Pad opens.

    Go to the Mobile and Social panel and click Mobile and Social Services > Service Providers > Authentication Service Providers > OAMAuthentication.

  4. Add the following name-value pairs to the Attributes table.

    Name: PASSPHRASE
    Value: The passwd value from step 2.

    Name: KEYSTORE
    Value: <fully qualified path>/oam-domain/config/fmwconfig/oamclient-keystore.jks

    Name: TRUSTSTORE
    Value: <fully qualified path>/oam-domain/config/fmwconfig/oamclient-truststore.jks

  5. In the Attributes table, locate TRANSPORT_SECURITY and change the value from OPEN to SIMPLE or CERT and click Save.
  6. Restart the Oracle Access Management server.

49.9.1.2 Configuring an Authentication Service Provider for Remote Oracle Access Manager Server 10g

You need to configure an Authentication Service Provider to work with a remote instance of the Oracle Access Manager 10g server.

To configure an authentication service provider for remote Oracle Access Manager server 10g:

  1. Log into the 10g Console and create the WG Profile.

    The OAM 10g Access Management Service must be turned on.

  2. Navigate through the Mobile and Social Console to Mobile and Social Services > Service Providers > Authentication Service Providers.

  3. Click New to create a new Authentication Service Provider configuration.

  4. Enter the appropriate values for the parameters.

    1. Change OAM_VERSION to OAM_10G from OAM_11G.

    2. Change WEBGATE_ID to the name you previously used to create the WG profile.

    3. Change OAM_SERVER_1 to the hostname:port# of the machine hosting the OAM 10G server.

    4. Add a new parameter named AuthNURL and populate it with the URL for any protected resource; for example, http://server1.example.com/index.html.

  5. Save the Authentication Service Provider configuration.

  6. Navigate through the Mobile and Social console to Mobile and Social Services > Service Profiles > Authentication Services > OAMAuthentication.

  7. From the Service Provider drop down menu, select the Authentication Service Provider just created; for example, 10GOAMAuthentication.

  8. Check the Client Token checkbox.

  9. Uncheck the Access Token checkbox.

  10. Save the OAMAuthentication configuration.

If Mobile and Social is configured to work with a remote instance of the Oracle Access Manager 10g server, you must also do either of the following:

  • Define a uid attribute in the directory DN entry for user records in the Oracle Access Manager UserStore.

  • Define a unique directory user entry attribute that can be used to identify the directory user entry in Mobile and Social.

Note:

Mobile and Social can dynamically obtain the unique directory user attribute name from Oracle Access Manager version 11g but the earlier 10g release requires that you specify the attribute to use when configuring Mobile and Social. If this attribute is not set, Client Token validation will fail in Mobile and Social.

The following procedure demonstrates setting the value to CN. Set the value to a unique user entry attribute as configured on your directory server; uid or loginid may also be possible choices. Before beginning, confirm that the Oracle Access Manager DN for the UserStore does not include a uid attribute for the Application Profile profileid1, and that the DN is as follows:

"CN=profileid1 profileid1, OU=Test, ..."

Complete the next steps upon confirming that both are true.

  1. Open the Application Profile Configuration page for profileid1 in Mobile and Social.

    See Defining Application Profiles.

  2. In the Attributes section, add the following name-value pair and click Apply.

    Name: userPrincipalAttrValue

    Value: CN

  3. Open the Service Provider Configuration page for your Oracle Access Manager 10g Authentication Service Provider.

    See Defining, Modifying or Deleting an Authentication Service Provider.

  4. In the Attributes section, add the following name-value pair and click Apply.

    Name: userPrincipalAttrName

    Value: CN

49.9.1.3 Configuring an Authentication Service Provider for Remote Access Manager 11gR2 or Oracle Access Manager 11gR1 PS1

You can configure an Authentication Service Provider to work with releases 11gR2 and 11gR1 PS1.

The differences for the 11gR1 PS1 release console are documented in notes in each 11gR2 step.

Note:

See Deployment Constraints for Mobile and Social for information about deploying Mobile and Social with a Webgate.

To configure an authentication service provider for Remote Access Manager 11gR2 or Oracle Access Manager 11gR1 PS1:

  1. Log into the Oracle Access Management Console and register a Webgate (OAM Agent) for Mobile and Social.

    Be sure to enable the following options.

    • Allow Management Operations

    • Allow Token Scope Operations

    • Allow Master Token Retrieval

    • Allow Credential Collector Operations

    Note:

    If using an OAM 11.1.1.n release console, enable Allow Management Operations.

  2. Navigate through the Mobile and Social Console to Mobile and Social Services > Service Providers > Authentication Service Providers.

  3. Click New to create a new Authentication Service Provider configuration.

  4. When using an OAM 11.1.2 release console, enter the following values:

    1. Keep the default value of OAM_VERSION as OAM_11G.

    2. Change WEBGATE_ID to the name you previously used to create the WG profile.

    3. Change OAM_SERVER_1 to the hostname:port# of the machine hosting the OAM 11G server.

    Note:

    If using an OAM 11.1.1.n release console:

    1. Change the default value of OAM_VERSION to OAM_10G.

    2. Change WEBGATE_ID to the name you previously used to create the WG profile.

    3. Change OAM_SERVER_1 to the hostname:port# of the machine hosting the OAM 11.1.1.5 server.

    4. Add a new parameter named AuthNURL and populate it with the URL for any protected resource; for example, http://server1.example.com/index.html.

  5. Save the Authentication Service Provider configuration.

  6. Navigate through the Mobile and Social Console to Mobile and Social Services > Service Profiles > Authentication Services > OAMAuthentication.

  7. From the Service Provider drop-down menu, select the Authentication Service Provider just created; for example, 10GOAMAuthentication.

  8. Select the Client Token checkbox.

  9. Clear the Access Token checkbox only if using OAM 11g R1 PS1.

  10. Save the OAMAuthentication configuration.

  11. Merge the CSF wallet files.

    OAM 11G generates the cwallet.sso file when the administrator creates the WG profile for Mobile and Social. To communicate with this WG profile, the administrator must merge the secret value in cwallet.sso into the Mobile and Social wallet.

    Note:

    Use the following command to display the wallet before and after the merge for verification that the merge has been successful.

    orapki wallet display -wallet wallet_location

    1. Copy cwallet.sso from OAM (~/domain-home/output) to the Mobile and Social host machine directory, /tmp/oam.

    2. Copy cwallet.sso from the Mobile and Social host machine directory (~/config/fmwconfig) to the Mobile and Social host machine directory, /tmp/oic.

    3. Download merge-creds.xml to the Mobile and Social host machine directory, /tmp.

      The following is a sample merge-creds.xml file.

      Sample merge-creds.xml

      <?xml version="1.0" encoding="UTF-8" standalone='yes'?>
      <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" 
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
       xsi:schemaLocation=
        "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"  
       schema-major-version="11" schema-minor-version="1">
       
      <serviceProviders>
      <serviceProvider 
       class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider" 
       name="credstoressp" type="CREDENTIAL_STORE">
      <description>File-based credential provider</description>
      </serviceProvider>
      </serviceProviders>
       
      <serviceInstances>
      <!-- Source file-based credential store instance -->
      <serviceInstance location="/tmp/oam" provider="credstoressp" 
       name="credential.file.source">
      </serviceInstance>
       
      <!-- Destination file-based credential store instance -->
      <serviceInstance location="/tmp/oic" provider="credstoressp" 
       name="credential.file.destination">
      </serviceInstance>
      </serviceInstances>
       
      <jpsContexts>
      <jpsContext name="FileSourceContext">
      <serviceInstanceRef ref="credential.file.source"/>
      </jpsContext>
       
      <jpsContext name="FileDestinationContext">
      <serviceInstanceRef ref="credential.file.destination"/>
      </jpsContext>
      </jpsContexts>
      </jpsConfig>
      
    4. Set the PATH variable to include ~/oracle_common/bin:~/oracle_common/common/bin:~

    5. Initialize the WebLogic Scripting Tool by running wlst.sh on the command line.

    6. Run the migrateSecurityStore WLST command.

      Following is sample syntax for the WLST command.

      $ wlst.sh
      
      wls:/offline> connect("weblogic", "weblogic-passwd", "localhost:<port>")
      wls:/WLS_IDM/serverConfig> 
      migrateSecurityStore(type="credStore",configFile="/tmp/merge-creds.xml",
       src="FileSourceContext",dst="FileDestinationContext")
      
  12. Restart the Mobile and Social server.
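The wallet staging, merge-creds.xml and migrateSecurityStore steps above, as an added Python example (not Oracle tooling): it writes the configuration with the source and destination stores pointed at /tmp/oam and /tmp/oic, stages the two cwallet.sso copies with owner-only permissions, and generates a WLST script that reads the administrator password from a WLS_PASSWORD environment variable instead of embedding it. The wallet locations, the admin URL localhost:7001 and the environment variable name are assumptions.

```python
"""Stage wallets, generate merge-creds.xml and a WLST script for migrateSecurityStore.
Added example, not Oracle tooling. Wallet paths, admin URL and the WLS_PASSWORD
environment variable are assumptions for illustration."""
import os
import shutil
import subprocess
import xml.etree.ElementTree as ET

JPS_NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"


def merge_config_xml(src_dir: str, dst_dir: str) -> str:
    """Return merge-creds.xml with the source and destination file-based
    credential stores pointed at the two staging directories."""
    return f"""<?xml version="1.0" encoding="UTF-8" standalone='yes'?>
<jpsConfig xmlns="{JPS_NS}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="{JPS_NS}"
 schema-major-version="11" schema-minor-version="1">
 <serviceProviders>
  <serviceProvider class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider"
   name="credstoressp" type="CREDENTIAL_STORE">
   <description>File-based credential provider</description>
  </serviceProvider>
 </serviceProviders>
 <serviceInstances>
  <!-- Source: cwallet.sso that OAM generated for the Mobile and Social WG profile -->
  <serviceInstance location="{src_dir}" provider="credstoressp" name="credential.file.source"/>
  <!-- Destination: staged copy of the Mobile and Social wallet -->
  <serviceInstance location="{dst_dir}" provider="credstoressp" name="credential.file.destination"/>
 </serviceInstances>
 <jpsContexts>
  <jpsContext name="FileSourceContext"><serviceInstanceRef ref="credential.file.source"/></jpsContext>
  <jpsContext name="FileDestinationContext"><serviceInstanceRef ref="credential.file.destination"/></jpsContext>
 </jpsContexts>
</jpsConfig>
"""


def store_locations(xml_text: str) -> dict:
    """Map each serviceInstance name to its location: a sanity check that the
    file points at the right directories before WLST touches any wallet."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): e.get("location")
            for e in root.iter(f"{{{JPS_NS}}}serviceInstance")}


def context_refs(xml_text: str) -> dict:
    """Map each jpsContext name to the service instance it references."""
    root = ET.fromstring(xml_text)
    return {c.get("name"): c.find(f"{{{JPS_NS}}}serviceInstanceRef").get("ref")
            for c in root.iter(f"{{{JPS_NS}}}jpsContext")}


def stage_wallet(wallet_path: str, staging_dir: str) -> str:
    """Copy cwallet.sso into a staging directory readable only by the current
    user; the wallet carries the WG profile secret."""
    os.makedirs(staging_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(staging_dir, "cwallet.sso")
    shutil.copyfile(wallet_path, dest)
    os.chmod(dest, 0o600)
    return dest


def wlst_merge_script(admin_user: str, admin_url: str, config_file: str) -> str:
    """Jython script for wlst.sh. The password comes from the WLS_PASSWORD
    environment variable (assumed name) rather than from the script text."""
    return (
        "import os\n"
        f"connect('{admin_user}', os.environ['WLS_PASSWORD'], '{admin_url}')\n"
        f"migrateSecurityStore(type='credStore', configFile='{config_file}',\n"
        "    src='FileSourceContext', dst='FileDestinationContext')\n"
        "exit()\n"
    )


def display_wallet(wallet_dir: str) -> str:
    """Run the page's verification command: orapki wallet display -wallet <dir>."""
    proc = subprocess.run(["orapki", "wallet", "display", "-wallet", wallet_dir],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Assumed locations; adjust to the OAM and Mobile and Social domain homes.
    src = stage_wallet(os.path.expanduser("~/domain-home/output/cwallet.sso"), "/tmp/oam")
    dst = stage_wallet(os.path.expanduser("~/config/fmwconfig/cwallet.sso"), "/tmp/oic")
    with open("/tmp/merge-creds.xml", "w") as f:
        f.write(merge_config_xml("/tmp/oam", "/tmp/oic"))
    with open("/tmp/merge-creds.py", "w") as f:
        f.write(wlst_merge_script("weblogic", "localhost:7001", "/tmp/merge-creds.xml"))
    before = display_wallet("/tmp/oic")
    subprocess.run(["wlst.sh", "/tmp/merge-creds.py"], check=True)  # needs WLS_PASSWORD set
    after = display_wallet("/tmp/oic")
    print("destination wallet changed by merge:", before != after)
```

Run the generated script with WLS_PASSWORD exported in the shell, then copy the merged /tmp/oic/cwallet.sso back to ~/config/fmwconfig before restarting the server.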

49.9.2 Configuring Mobile and Social Services for Oracle Adaptive Access Manager

You can configure a Service Domain to use the Oracle Adaptive Access Manager (OAAM) device registration functionality.

To configure a Service Domain, open the Service Domain Configuration page and choose the OAAMSecurityHandlerPlugin option from the Security Handler Plugin Name list.

See Creating a Service Domain.

Note:

During installation, the Oracle Fusion Middleware Configuration Wizard can generate a domain that supports both Mobile and Social and Oracle Adaptive Access Manager. Mobile and Social requires at least Oracle Adaptive Access Manager version 11g Release 2. For more information, see the "Configuring Mobile and Social" chapter in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

The following topics describe how to configure the required policies, conditions, rules, and actions to complete integration between Mobile and Social and OAAM:

49.9.2.1 OAAM Support in Mobile and Social

Here is a list of OAAM policies supported by Mobile and Social.

Table 49-21 displays the supported OAAM policies (by OAAM checkpoint).

Table 49-21 OAAM Policies Supported By Mobile and Social

Checkpoint: Post-Authentication

  • OAAM Post-Authentication Security
  • OAAM User vs Themselves
  • OAAM User vs. All Users
  • OAAM Does User Have Profile
  • OAAM Predictive Analysis Policy

Checkpoint: Challenge

  • OAAM Challenge Policy

Checkpoint: Device Identification

  • OAAM Device ID Policy
  • OAAM System Deep Analysis Flash Policy
  • OAAM System Deep Analysis No Flash Policy

Mobile and Social and OAAM also use similar terminology to describe the security actions that can be taken to respond to authentication and authorization events.

Table 49-22 maps the Mobile and Social term to the OAAM term.

Table 49-22 Mapping Terms Between OAAM and Mobile and Social

OAAM Action Group: Mobile and Social Action

  • OAAM Allow: ALLOW
  • OAAM Block: DENIED
  • OAAM Challenge: CHALLENGE
  • OAAM Black-Listed Mobile Device: WIPE_OUT
  • OAAM Lost Device: WIPE_OUT

Use the Oracle Adaptive Access Manager Administrator's Console to customize OAAM policies and rules.

49.9.2.2 Configuring the WebLogic Administration Domain

Before you start to configure any OAAM policies, you need to complete the following tasks:

49.9.2.2.1 Creating an Administrator for OAAM Administration

You can create an Administrator for OAAM administration from the Oracle WebLogic Administration Console.

To create:

  1. Log into the Oracle WebLogic Administration Console for your WebLogic administration domain.
  2. In the Domain Structure tab on the left side of the page, select Security Realms.
  3. On the Summary of Security Realms page, select the realm that you are configuring; for example, myrealm.
  4. Click New and provide the required information to create a User in the security realm: Name (for example, user1), Description (optional), Provider (enter DefaultAuthenticator), Password, and Confirm Password.
  5. Click to select the newly created User.
  6. Click the Groups tab.
  7. Assign to the User all groups with an OAAM prefix.
  8. Click Save.

49.9.2.2.2 Adding Oracle Access Management Server as Target of OAAM Data Source

You can add Oracle Access Management Server as a target of OAAM data source.

To add:

  1. Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain.
  2. In the Domain Structure tab on the left side of the page, select Services.
  3. On the Summary of Services page, select Data Sources.
  4. Open OAAM_SERVER_DS in the Data Sources table.
  5. Click the Targets tab.
  6. Select oam_server1.
  7. Click Save.

49.9.2.3 Configuring OAAM if Social Identity Authentication is Enabled in Mobile and Social Services

If Mobile and Social Services is configured to accept an authentication result from Social Identity, you can configure OAAM to work with Mobile and Social when users authenticate.

To configure OAAM if Social Identity Authentication is enabled in Mobile and Social Services:

  1. Log into the OAAM Administration Console.

  2. Click Policies and search for the OAAM Mobile and Social Integration Post-Authentication Security policy.

  3. In the policy find the following rule: Mobile device is not registered.

  4. Add a condition:

    1. Search on "Session: Check value in comma separated values."

    2. Add the following:

      Parameter Key : oic.userIdType

      Value to Check : URI

      Return if in list : false

49.9.2.4 Setting up a Lost or Stolen Device Rule

You can set up a Lost or Stolen Device Rule for each device reported as missing by adding the Device ID to the OAAM Lost or Stolen Devices device group.

Users should report lost or stolen devices to the support department so that the missing device can be added to the OAAM Lost or Stolen Device group. Then if an authentication attempt comes from the missing device, OAAM can send Mobile and Social a DENY or WIPE_OUT action to wipe out the application's data associated with the Mobile and Social server. If a User recovers a missing device, the device status can be reset in OAAM.

To set up a Lost or Stolen Device Rule:

  1. Log into the OAAM Administration Console.
  2. Double-click Sessions in the Navigation pane.

    The Sessions Search page displays.

  3. Search by User Name, Client Application name, Device ID or similar to find the lost or stolen device.
  4. Click the Session ID in the Search Results table.

    The Session Details page opens.

  5. Click Add to Group.

    The Add to Group pop-up window opens.

  6. In the Choose Data Type to Add section, choose Device and click Next.
  7. Select the OAAM Lost or Stolen Devices Group and click Next.
  8. Verify your selection and click Finish.
  9. Click OK.

49.9.2.5 Configuring Blacklisted Devices and Applications

Rules can be configured to block access to specific devices or applications.

The following topics include additional information:

49.9.2.5.1 Setting up a Blacklisted Device Rule

You can create a Blacklisted Device Rule for each device to which you want to block access.

To set up a Blacklisted Device Rule by adding the Device ID to the OAAM Black-listed Mobile Devices group:

  1. Log in to the OAAM Administration Console.
  2. Double-click Sessions in the Navigation pane.

    The Sessions Search page displays.

  3. Use the Search page to find the device to block. For example, search by a User Name, a Client Application name, a Device ID, and so on.
  4. Click the Session ID in the Search Results table.

    The Session Details page opens.

  5. Click Add to Group.

    The Add to Group pop-up window opens.

  6. In the Choose Data Type to Add section, choose Device and click Next.
  7. Select the OAAM Black-listed mobile devices Group and click Next.
  8. Verify your selection and click Finish.
  9. Click OK.

49.9.2.5.2 Setting up a Blacklisted Application Rule

Adding a Blacklisted Application Rule is broken into the following tasks, which are performed in order.

To add the application to the OAAM Blacklisted Mobile Devices group:

49.9.2.5.2.1 Creating a New Alert Group

You can create a new alert group from the OAAM Administration Console.

To create:

  1. Log in to the OAAM Administration Console.
  2. Double-click Groups in the Navigation pane.

    The Groups Search page displays.

  3. Click New Group.

    The Create Group pop-up window opens.

  4. Complete the form as follows and click Create:
    • Group Name - Type OAAM Blacklisted mobile application used. (This is the name of the mobile application to be blacklisted.)

    • Group Type - Choose Alerts from the menu.

    • Cache Policy - Choose Full Cache from the menu.

    • Description - Type Session coming from a blacklisted mobile application.

  5. Click the Alerts tab.
  6. Click the Add member to this group button.

    The Add Alerts pop-up window opens.

  7. In the Options to add a new element section, choose Create new Alerts.

    Complete the form as follows and click Add:

    • Alert Type - Choose Fraud from the menu.

    • Alert Level - Choose Medium from the menu.

    • Alert Message - Type Session coming from a blacklisted mobile application.

    The Add Alerts window displays a message confirming that the new element was created successfully.

49.9.2.5.2.2 Creating a Generic Strings Group to Store Blacklisted Application Names

You can create a generic strings group to store blacklisted application names.

To create:

  1. Double-click Groups in the Navigation pane.

    The Groups Search page displays.

  2. Click New Group.

    The Create Group pop-up window opens.

  3. Complete the form as follows and click Create:
    • Group Name - Type OAAM blacklisted mobile application.

    • Group Type - Choose Generic Strings from the menu.

    • Cache Policy - Choose Full Cache from the menu.

    • Description - Type OAAM blacklisted mobile application.

  4. Click the Generic Strings tab, then click the Add member to this group button.
  5. Type the name of the app.

    The Add Generic Strings window displays a message confirming that the new element was created successfully.

    Click OK.

49.9.2.5.2.3 Creating a New Blacklisted Application Rule

You can add a new rule for a blacklisted mobile application.

To create a rule:

  1. Double-click Policies in the Navigation pane.

    The Policies Search page displays.

  2. Choose Post authentication from the Checkpoint menu, then click Search.

  3. Click OAAM Post-Authentication Security.

    The OAAM Post-Authentication Security page opens.

  4. Click the Rules tab.

  5. Click the Add Rule button.

    Complete the form as follows and click Add:

    • Rule Name - Type Check for blacklisted mobile applications.

    • Rule Status - Choose Active from the menu.

    • Rule Notes - Type Check if application is in the Oaam blacklisted mobile application group.

  6. Click the Conditions tab.

  7. Click Add Conditions.

    The Add Condition pop-up window opens.

  8. Complete the form as follows and click Search:

    • Condition Name - Type Check Current Session

    • Type - Choose In Session from the menu.

  9. In the table of results, click Session: Check Current Session using the filter conditions.

    The filter condition details display.

  10. Do the following and click Save:

    1. Under Check if select Client Application.

    2. Select in as the operator.

    3. Select Group as the Target Type.

    4. Select Generic Strings as the Group Type.

    5. Select OAAM blacklisted mobile application as the Group Name.

    In English the condition reads as "Check if the Client Application is in the 'OAAM blacklisted mobile application' group."

  11. Click the Results tab.

  12. Choose OAAM Block from the Action Group menu.

  13. Choose OAAM Blacklisted application used from the Alert Group menu.

  14. Click Apply.

49.9.2.6 About OAAM Sessions for Mobile Applications

The OAAM Session is a commonly used conceptual entity in OAAM rule execution.

A rule can use a session attribute as input (for example, Client App Name and OAAM Device ID) and affect the status of the session at the output (that is, changing the status to "Blocked"). When OAAM is used in a non-mobile environment such as a web browser, there is a one-to-one relationship between a user authentication session (an OAM session, for example) and the OAAM session. For example, each OAAM session contains data associated with the following fields:

  • User ID

  • Client IP Address

  • OAAM Device ID and Fingerprint

  • (Auth) Status: Success, Pending, Blocked, and so on

  • Client Application Name

In a mobile application environment, different apps running on the same device used by the same user are expected to have different OAAM sessions, even in a mobile SSO scenario. For example, assume the following apps are installed on a mobile device:

  • SSO Security Agent App

  • White Pages App

  • Expense Report App

These apps are listed together as participants of the same Service Domain and they all participate in single sign-on. A user just needs to log in once using the mobile SSO agent app. This means that there will only be a single User Authentication session (that is, a single Access Manager session) shared by multiple apps on the same device. On the other hand, if the user uses all three apps simultaneously within the same Access Manager session, each mobile application will have its own OAAM session entry and three OAAM sessions will be seen in the OAAM Admin Console.

The reason to have separate OAAM sessions for each mobile application is to allow rules to take the mobile client application into account. The same rule can block sessions from some apps, while letting sessions from other apps succeed. (The Blacklisted Application Rule in Setting up a Blacklisted Application Rule is an example of this.) A more sophisticated rule can consider multiple factors from a session; for example an Expense Report application might rate as security sensitive while a "White Pages" (directory look-up) application might rate as less sensitive. The same Risky-IP rule may block sessions from the Expense Report application but not the White Pages app, even if the sessions come from the same medium-risky IP address.
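A toy Python model, added here and not part of Oracle's software, of the per-application OAAM sessions and the rules described above: the blacklisted-application rule from Creating a New Blacklisted Application Rule, the lost-device group from Setting up a Lost or Stolen Device Rule, and a Risky-IP rule weighted by application sensitivity. The group members, IP risk ratings, sensitivity ratings and the first-match evaluation order are constructed assumptions; OAAM's real trigger combinations are configurable.

```python
"""Toy model of per-application OAAM sessions and post-authentication rules.
Added example, not Oracle code. Group members, IP risk and app sensitivity
ratings are constructed sample data; first-match rule order is a simplification."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Mobile and Social actions (Table 49-22, right-hand column)
ALLOW, DENIED, CHALLENGE, WIPE_OUT = "ALLOW", "DENIED", "CHALLENGE", "WIPE_OUT"

# OAAM action group -> Mobile and Social action (Table 49-22)
ACTION_GROUP_TO_ACTION = {
    "OAAM Allow": ALLOW,
    "OAAM Block": DENIED,
    "OAAM Challenge": CHALLENGE,
    "OAAM Black-Listed Mobile Device": WIPE_OUT,
    "OAAM Lost Device": WIPE_OUT,
}
# Session status set by the deciding action
STATUS_FOR_ACTION = {DENIED: "Blocked", WIPE_OUT: "Blocked", CHALLENGE: "Pending"}

# Constructed OAAM groups: names follow the procedures above, members are samples
GENERIC_STRING_GROUPS = {"OAAM blacklisted mobile application": {"Rogue Expense Clone"}}
DEVICE_GROUPS = {
    "OAAM Lost or Stolen Devices": {"device-4711"},
    "OAAM Black-listed mobile devices": set(),
}
# Hypothetical ratings consumed by the Risky-IP rule
APP_SENSITIVITY = {"Expense Report App": "high", "White Pages App": "low",
                   "SSO Security Agent App": "medium"}
IP_RISK = {"198.51.100.7": "medium", "203.0.113.9": "high"}


@dataclass
class OaamSession:
    """One OAAM session per (user, device, client application)."""
    user_id: str
    client_ip: str
    device_id: str
    client_app: str
    status: str = "Pending"
    alerts: List[str] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    condition: Callable[[OaamSession], bool]
    action_group: str
    alert: Optional[str] = None


def open_sessions(user_id: str, client_ip: str, device_id: str, apps: List[str]) -> List[OaamSession]:
    """One Access Manager session shared by several apps on a device still
    yields one OAAM session per app, so rules can see the client application."""
    return [OaamSession(user_id, client_ip, device_id, app) for app in apps]


# Rules of the post-authentication policy, in evaluation order
POST_AUTH_RULES = [
    Rule("Device is lost or stolen",
         lambda s: s.device_id in DEVICE_GROUPS["OAAM Lost or Stolen Devices"],
         "OAAM Lost Device"),
    Rule("Device is black-listed",
         lambda s: s.device_id in DEVICE_GROUPS["OAAM Black-listed mobile devices"],
         "OAAM Black-Listed Mobile Device"),
    Rule("Check for blacklisted mobile applications",
         lambda s: s.client_app in GENERIC_STRING_GROUPS["OAAM blacklisted mobile application"],
         "OAAM Block", alert="Session coming from a blacklisted mobile application"),
    Rule("Risky IP for sensitive application",
         lambda s: IP_RISK.get(s.client_ip) == "high"
         or (IP_RISK.get(s.client_ip) == "medium" and APP_SENSITIVITY.get(s.client_app) == "high"),
         "OAAM Block", alert="Sensitive application used from a risky IP"),
]


def run_post_auth_checkpoint(session: OaamSession, rules=POST_AUTH_RULES) -> str:
    """Evaluate the rules; the first triggered rule decides the action sent to
    Mobile and Social and records its alert on the session."""
    for rule in rules:
        if rule.condition(session):
            if rule.alert:
                session.alerts.append(rule.alert)
            action = ACTION_GROUP_TO_ACTION[rule.action_group]
            session.status = STATUS_FOR_ACTION.get(action, "Success")
            return action
    session.status = "Success"
    return ALLOW


def evaluate_device(user_id: str, client_ip: str, device_id: str, apps: List[str]) -> Dict[str, str]:
    """Action per client application for one device within a single OAM session."""
    return {s.client_app: run_post_auth_checkpoint(s)
            for s in open_sessions(user_id, client_ip, device_id, apps)}


if __name__ == "__main__":
    apps = ["SSO Security Agent App", "White Pages App", "Expense Report App"]
    print(evaluate_device("jdoe", "198.51.100.7", "device-0001", apps))
```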

49.9.2.7 Registering Users for OAAM Authentication

OAAM provides strong authentication features, such as Knowledge-Based Authentication and One-Time Password.

One-Time Password delivers a password using e-mail or a mobile text message. These features require end users to register a security profile that may contain security questions, mobile phone numbers, and e-mail addresses.

The following topics include information on setting up these authentication processes:

49.9.2.7.1 Setting up OAAM Knowledge-Based Authentication

Mobile and Social provides support for Knowledge-Based Authentication (KBA) if OAAM is installed.

KBA is the default option for Strong Authentication in OAAM. Administrators do not need to perform extra configuration for KBA to work. Users should use the OAAM Managed Server Console to record their KBA questions in their User Profile registration.

49.9.2.7.2 Setting up OAAM One Time Password

Mobile and Social provides One Time Password (OTP) support if OAAM is installed.

OTP allows end users to authenticate themselves by entering a server generated one-time-password that might be received by either SMS or e-mail. Because the one-time-password is sent out-of-band, the risk is reduced that someone other than the valid user could obtain access to it.

The following topics include additional information:

49.9.2.7.2.1 Setting Up OTP E-Mail Integration

You can configure either SMTP or UMS so that Mobile and Social can send the e-mail.

Mobile and Social can send e-mail in either of the following ways.

  • Using the included SMTP client.

  • Using the Oracle User Messaging Service (UMS).

This topic includes a procedure for each of these integrations. Choose either Setting Up SMTP for E-mail or Setting Up UMS for E-mail to begin.

Note:

Configure either SMTP or UMS. Do not configure both.

After configuring the SMTP or UMS attribute values, enable the Challenge Types on the OAAM server as documented in this section's third procedure, Enable "Challenge Types" on the OAAM Server for E-mail.

Setting Up SMTP for E-mail

  1. Access the Mobile and Social Services configuration page.

    See Opening the Mobile and Social Services Configuration Page.

  2. In the Security Handler Plugins section on the right side of the screen, click OaamSecurityHandlerPlugin and click Edit in the tool bar.

  3. In the Attributes section provide values for the following attribute names and click Apply.

    mail.smtp.host - The SMTP server host.

    mail.smtp.port - The SMTP server port.

    mail.smtp.security.type - The SMTP security type. Either SSL or TLS.

    mail.smtp.user - The user name to log on to the SMTP server.

    mail.smtp.fromadd - The Mobile and Social "From" address, for example: mobileadmin@example.com

    mail.smtp.password - The password for the mail.smtp.user account.

    mail.smtp.truststore.location - The file name with the location of the trust store to be used to validate the server identity.

    mail.smtp.keystore.location - The file name of the key store containing the client certificate.

    mail.smtp.keystore.password - The key store password.

    mail.smtp.truststore.password - The trust store password.

  4. Complete the steps in Enable "Challenge Types" on the OAAM Server for E-mail.

Setting Up UMS for E-mail

  1. Access the Mobile and Social Services configuration page.

    See Opening the Mobile and Social Services Configuration Page.

  2. In the Security Handler Plugins section on the right side of the screen, click OaamSecurityHandlerPlugin and click Edit in the tool bar.

  3. In the Attributes section provide values for the following attribute names and click Apply.

    ums.service.uri - The UMS server Web service URL, for example:

    http://<UMS Server URL>:<UMS Port>/ucs/messaging/webservice

    ums.username - The user name for the UMS server.

    ums.password - The password for the UMS server.

    ums.from.address - The Mobile and Social "From" address, for example: mobileadmin@example.com

    ums.from.name - The Mobile and Social "From" name.

    ums.email.enabled - Set to true.

  4. Complete the steps in Enable "Challenge Types" on the OAAM Server for E-mail.

Enable "Challenge Types" on the OAAM Server for E-mail

  1. Log into the OAAM Administration Console.
  2. Choose Environment > Properties in the Navigation pane and double-click Properties.

    The Properties Search page displays.

  3. In the Search box, type bharosa.uio.default.register.userinfo.enabled in the Name field and click Search.

    Click to select the record in the Search Results section, change the value to true, and click Save.

  4. In the Search box, type bharosa.uio.default.userinfo.inputs.enum.email.enabled in the Name field and click Search.

    Click to select the record in the Search Results section, change the value to true, and click Save.

  5. In the Search box, type bharosa.uio.default.challenge.type.enum.ChallengeEmail.available in the Name field and click Search.

    Click to select the record in the Search Results section, change the value to true, and click Save.

49.9.2.7.2.2 Setting Up OTP Integration for SMS Messages

Mobile and Social sends SMS messages using the Oracle UMS.

Complete Setting Up SMS Using UMS and then Enable "Challenge Types" on the OAAM Server for SMS.

Setting Up SMS Using UMS

  1. Access the Mobile and Social Services configuration page.

    See Opening the Mobile and Social Services Configuration Page.

  2. In the Security Handler Plugins section on the right side of the screen, click OaamSecurityHandlerPlugin and click Edit in the tool bar.

  3. In the Attributes section provide values for the following attribute names and click Apply.

    ums.service.uri - The UMS server Web service URL, for example:

    http://<UMS Server URL>:<UMS Port>/ucs/messaging/webservice

    ums.username - The user name for the UMS server.

    ums.password - The password for the UMS server.

    ums.from.address - The Mobile and Social "From" address, for example: mobileadmin@example.com

    ums.from.name - The Mobile and Social "From" name.

    ums.email.enabled - Set to true.

  4. Complete the steps in Enable "Challenge Types" on the OAAM Server for SMS.

Enable "Challenge Types" on the OAAM Server for SMS

  1. Log into the OAAM Administration Console.
  2. Choose Environment > Properties in the Navigation pane and double-click Properties.

    The Properties Search page displays.

  3. In the Search box, type bharosa.uio.default.register.userinfo.enabled in the Name field and click Search.

    Click to select the record in the Search Results section, change the value to true, and click Save.

  4. In the Search box, type bharosa.uio.default.challenge.type.enum.ChallengeSMS.available in the Name field and click Search.

    Click to select the record in the Search Results section, change the value to true, and click Save.

49.9.2.7.2.3 Changing the OAAM Challenge Policy Trigger Combination

OAAM evaluates the Challenge policy when an event triggers the Challenge action. You can change the OAAM Challenge Policy Trigger Combination from the OAAM Administration Console.

If KBA is active for a User, the system challenges the User with questions from the OAAM Challenge Question Action Group. If the User fails the OAAM challenge questions three times, the system starts the OAAM SMS Challenge Action group.

You can reorder the Action Groups using the OAAM Challenge Policy trigger combinations so that other Challenge Action Groups, such as the OAAM Challenge E-Mail group or the OAAM Challenge SMS group, take precedence over the OAAM Challenge question group.

To change the OAAM Challenge Policy Trigger Combination:

  1. Log in to the OAAM Administration Console.
  2. Double-click Policies in the Navigation pane.

    The Policies Search page displays.

  3. Choose Challenge from the Checkpoint menu, then click Search.
  4. Click to select OAAM Challenge Policy in the Search Results table.
  5. Click the Trigger Combinations tab.
  6. Click Reorder.

    The Reorder Trigger Combinations pop-up window opens.

  7. Use the controls to move trigger combinations to higher or lower positions.