The following topics include information on how to configure Mobile and Social with other Oracle products:
The following topics describe how to configure Mobile and Social to work with different versions of Access Manager:
Configuring Mobile and Social Services to Work With Access Manager in Simple and Certificate Mode
Configuring an Authentication Service Provider for Remote Oracle Access Manager Server 10g
Note:
During installation, the Oracle Fusion Middleware Configuration Wizard generates a domain that supports both Mobile and Social and Access Manager.
See "Configuring Mobile and Social" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
You can configure Mobile and Social Services to work with Access Manager when Access Manager runs in Simple mode. In Simple mode the Oracle Access Protocol traffic between the OAM server and its Webgates and ASDK clients is encrypted using certificates that OAM generates itself; Cert mode uses certificates that you supply. The three procedures below switch the OAM server, the Webgate, and the Mobile and Social OAMASDKAuthNProvider to Simple mode; all three must use the same mode or the connection is refused.
Change the Server Mode to Simple
In the Oracle Access Management Administration Console, click Configuration at the top of the window.
Click Server Instances. Click Search, and then click oam_server1 in the Search Results.
Click Open.
In the OAM Proxy section, choose Simple from the Mode menu and click Apply.
Change the Webgate Communication Mode to Simple
In the Oracle Access Management Administration Console for the target Webgate, click Application Security at the top of the window.
In the Webgates tab, click Search.
Select the target Webgate and open it for editing.
Change the security mode for the Webgate to Simple, then click Apply.
The system creates a new directory for the Webgate under ~/oam-domain/output/accessgate-oic with the following files. Treat aaa_key.pem, cwallet.sso and password.xml as secret material for this Webgate and restrict read access to the account that runs it:
aaa_cert.pem
aaa_key.pem
cwallet.sso
ObAccessClient.xml
password.xml
Change the OIC OAMASDKAuthNProvider Security Mode to Simple
You need to configure an Authentication Service Provider to work with a remote instance of the Oracle Access Manager 10g server.
To configure an authentication service provider for remote Oracle Access Manager server 10g:
Log into the 10g Console and create the WG Profile.
The OAM 10g Access Management Service must be turned on.
Navigate through the Mobile and Social Console to Mobile and Social Services > Service Providers > Authentication Service Providers.
Click New to create a new Authentication Service Provider configuration.
Enter the appropriate values for the parameters.
Change OAM_VERSION to OAM_10G from OAM_11G.
Change WEBGATE_ID to the name you previously used to create the WG profile.
Change OAM_SERVER_1 to the hostname:port# of the machine hosting the OAM 10G server.
Add a new parameter named AuthNURL and populate it with the URL for any protected resource; for example, http://server1.example.com/index.html.
Save the Authentication Service Provider configuration.
Navigate through the Mobile and Social console to Mobile and Social Services > Service Profiles > Authentication Services > OAMAuthentication.
From the Service Provider drop-down menu, select the Authentication Service Provider just created; for example, 10GOAMAuthentication.
Check the Client Token checkbox.
Uncheck the Access Token checkbox.
Save the OAMAuthentication configuration.
If Mobile and Social is configured to work with a remote instance of the Oracle Access Manager 10g server, you must also do one of the following:
Define a uid attribute in the directory DN entry for user records in the Oracle Access Manager UserStore.
Define a unique directory user entry attribute that can be used to identify the directory user entry in Mobile and Social.
Note:
Mobile and Social can dynamically obtain the unique directory user attribute name from Oracle Access Manager version 11g but the earlier 10g release requires that you specify the attribute to use when configuring Mobile and Social. If this attribute is not set, Client Token validation will fail in Mobile and Social.
The following procedure demonstrates setting the value to CN. Set the value to an attribute that uniquely identifies a user entry as configured on your directory server; uid or loginid may also be possible choices. Before beginning, confirm that the Oracle Access Manager DN for UserStore does not include a uid attribute for the Application Profile profileid1, and that the DN is as follows:
"CN=profileid1 profileid1, OU=Test, ..."
Complete the next steps upon confirming that both are true.
Open the Application Profile Configuration page for profileid1 in Mobile and Social.
In the Attributes section, add the following name-value pair and click Apply.
Name: userPrincipalAttrValue
Value: CN
Open the Service Provider Configuration page for your Oracle Access Manager 10g Authentication Service Provider.
See Defining, Modifying or Deleting an Authentication Service Provider.
In the Attributes section, add the following name-value pair and click Apply.
Name: userPrincipalAttrName
Value: CN
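The two attributes above tell Mobile and Social which part of the user's DN identifies the user when it validates a Client Token against OAM 10g. The following added example (not Mobile and Social code; the DN, the escaping rules and the candidate attribute order are assumptions for illustration) parses a DN, resolves the principal from a configured attribute name, and fails loudly when that attribute is absent, which is the condition under which Client Token validation fails:

```python
"""Resolve a Mobile and Social user principal from an OAM 10g UserStore DN.

Added example, not product code.  The sample DN follows the page's
"CN=profileid1 profileid1, OU=Test, ..." shape with assumed DC components.
"""


def parse_dn(dn: str) -> list:
    """Split an LDAP DN into [(attribute, value), ...] in the order written.

    Backslash escapes (RFC 4514) are honoured so "CN=Smith\\, John" keeps its comma.
    Multi-valued RDNs joined with '+' are not handled; they are rare in user DNs.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def has_attr(dn: str, attr: str) -> bool:
    """True when the DN carries an RDN of the given attribute type (case-insensitive)."""
    return any(a == attr.lower() for a, _ in parse_dn(dn))


def principal_from_dn(dn: str, user_principal_attr: str) -> str:
    """Value of the configured userPrincipalAttrName, as a token validator would need it.

    Raises LookupError when the attribute is missing: with OAM 10g there is no
    dynamic fallback, so this is the point where Client Token validation fails.
    """
    for attr, value in parse_dn(dn):
        if attr == user_principal_attr.lower():
            return value
    raise LookupError(
        f"attribute {user_principal_attr!r} not present in {dn!r}; set userPrincipalAttrName "
        "and userPrincipalAttrValue to an attribute the DN actually contains"
    )


def pick_user_principal_attr(dn: str, candidates=("uid", "loginid", "cn")) -> str:
    """First candidate present in the DN: uid if the directory has it, otherwise loginid, then CN.

    The candidate order is an assumption; choose whatever is unique in your directory.
    """
    for candidate in candidates:
        if has_attr(dn, candidate):
            return candidate
    raise LookupError("no usable user principal attribute found in DN")


if __name__ == "__main__":
    sample = "CN=profileid1 profileid1, OU=Test, DC=example, DC=com"  # constructed sample DN
    print(pick_user_principal_attr(sample), "->", principal_from_dn(sample, "CN"))
```

Run against your own directory's DN format before changing the console values: if pick_user_principal_attr returns uid, the first option on the page (a uid attribute in the DN) already applies and no attribute override is needed.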
You can configure an Authentication Service Provider to work with releases 11gR2 and 11gR1 PS1.
The differences for the 11gR1 PS1 release console are documented in notes in each 11gR2 step.
Note:
See Deployment Constraints for Mobile and Social for information about deploying Mobile and Social with a Webgate.
To configure an authentication service provider for Remote Access Manager 11gR2 or Oracle Access Manager 11gR1 PS1:
Log into the Oracle Access Management Console and register a Webgate (OAM Agent) for Mobile and Social.
Be sure to enable the following options.
Allow Management Operations
Allow Token Scope Operations
Allow Master Token Retrieval
Allow Credential Collector Operations
Note:
If using an OAM 11.1.1.n release console, enable Allow Management Operations.
Navigate through the Mobile and Social Console to Mobile and Social Services > Service Providers > Authentication Service Providers.
Click New to create a new Authentication Service Provider configuration.
When using an OAM 11.1.2 release console, enter the following values:
Keep the default value of OAM_VERSION as OAM_11G.
Change WEBGATE_ID to the name you previously used to create the WG profile.
Change OAM_SERVER_1 to the hostname:port# of the machine hosting the OAM 11G server.
Note:
If using an OAM 11.1.1.n release console:
Change the default value of OAM_VERSION to OAM_10G.
Change WEBGATE_ID to the name you previously used to create the WG profile.
Change OAM_SERVER_1 to the hostname:port# of the machine hosting the OAM 11.1.1.5 server.
Add a new parameter named AuthNURL and populate it with the URL for any protected resource; for example, http://server1.example.com/index.html.
Save the Authentication Service Provider configuration.
Navigate through the Mobile and Social Console to Mobile and Social Services > Service Profiles > Authentication Services > OAMAuthentication.
From the Service Provider drop-down menu, select the Authentication Service Provider just created; for example, 10GOAMAuthentication.
Select the Client Token checkbox.
Clear the Access Token checkbox only if using OAM 11g R1 PS1.
Save the OAMAuthentication configuration.
Merge the CSF wallet files.
OAM 11G generates the cwallet.sso file when the administrator creates the WG profile for Mobile and Social. To communicate with this WG profile, the administrator must merge the secret value in cwallet.sso into the Mobile and Social wallet. Both wallets hold the agent's shared secret, so keep every copy you make readable only by the account performing the merge and delete the copies when you are done.
Note:
Use the following command to display the wallet before and after the merge to verify that the merge succeeded:
orapki wallet display -wallet wallet_location
Copy cwallet.sso from OAM (~/domain-home/output) to the Mobile and Social host machine directory, /tmp/oam.
Copy cwallet.sso from the Mobile and Social host machine directory (~/config/fmwconfig) to the Mobile and Social host machine directory, /tmp/oic.
Download merge-creds.xml to the Mobile and Social host machine directory, /tmp.
Because /tmp is readable by every local account, create /tmp/oam and /tmp/oic with mode 700 before copying the wallets into them, or use a private working directory and adjust the location attributes in merge-creds.xml accordingly.
The following is a sample merge-creds.xml file.
Sample merge-creds.xml
<?xml version="1.0" encoding="UTF-8" standalone='yes'?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"
           schema-major-version="11" schema-minor-version="1">
  <serviceProviders>
    <serviceProvider class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider"
                     name="credstoressp" type="CREDENTIAL_STORE">
      <description>File-based credential provider</description>
    </serviceProvider>
  </serviceProviders>
  <serviceInstances>
    <!-- Source file-based credential store instance -->
    <serviceInstance location="/tmp/oam" provider="credstoressp" name="credential.file.source">
    </serviceInstance>
    <!-- Destination file-based credential store instance -->
    <serviceInstance location="/tmp/oic" provider="credstoressp" name="credential.file.destination">
    </serviceInstance>
  </serviceInstances>
  <jpsContexts>
    <jpsContext name="FileSourceContext">
      <serviceInstanceRef ref="credential.file.source"/>
    </jpsContext>
    <jpsContext name="FileDestinationContext">
      <serviceInstanceRef ref="credential.file.destination"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
Set the PATH variable to include ~/oracle_common/bin:~/oracle_common/common/bin:~
Initialize the WebLogic Scripting Tool by running wlst.sh
on the command line.
Run the migrateSecurityStore
WLST command.
Following is sample syntax for the WLST command. Calling connect() with no arguments makes WLST prompt for the user name, password and URL instead of recording the administrator password in your shell history.
$ wlst.sh
wls:/offline> connect("weblogic", "weblogic-passwd", "localhost:<port>")
wls:/WLS_IDM/serverConfig> migrateSecurityStore(type="credStore", configFile="/tmp/merge-creds.xml", src="FileSourceContext", dst="FileDestinationContext")
Restart the Mobile and Social server.
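The wallet-merge steps above leave two copies of a credential store in /tmp and put the WebLogic password on the command line. The following added example (not Oracle code; the default wallet paths, the copy of the merged wallet back to fmwconfig, and the tool names wlst.sh and orapki on PATH are assumptions) wraps the same procedure so that the staging directories are private, merge-creds.xml is generated from the two locations rather than edited by hand, the WLST script prompts for the password, and the copies are removed whether or not the merge succeeds:

```python
"""Stage, merge and clean up cwallet.sso copies for the Mobile and Social wallet merge.

Added example, not product code.  It calls the real wlst.sh and orapki tools when
merge_wallets() runs; self_check() exercises the file handling on constructed bytes.
"""
import os
import shutil
import stat
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed default locations from the procedure above; substitute your domain paths.
OAM_WALLET = Path.home() / "domain-home/output/cwallet.sso"
OIC_WALLET = Path.home() / "config/fmwconfig/cwallet.sso"
JPS_NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"

# Same content as the sample merge-creds.xml above, with the two store locations templated.
MERGE_CREDS = """<?xml version="1.0" encoding="UTF-8" standalone='yes'?>
<jpsConfig xmlns="{ns}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="{ns}" schema-major-version="11" schema-minor-version="1">
 <serviceProviders>
  <serviceProvider class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider"
   name="credstoressp" type="CREDENTIAL_STORE"><description>File-based credential provider</description>
  </serviceProvider>
 </serviceProviders>
 <serviceInstances>
  <serviceInstance location="{src}" provider="credstoressp" name="credential.file.source"/>
  <serviceInstance location="{dst}" provider="credstoressp" name="credential.file.destination"/>
 </serviceInstances>
 <jpsContexts>
  <jpsContext name="FileSourceContext"><serviceInstanceRef ref="credential.file.source"/></jpsContext>
  <jpsContext name="FileDestinationContext"><serviceInstanceRef ref="credential.file.destination"/></jpsContext>
 </jpsContexts>
</jpsConfig>
"""


def mode_of(path: Path) -> int:
    """Permission bits of a path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def stage_wallet(src_wallet: Path, stage_dir: Path) -> Path:
    """Copy cwallet.sso into a directory only the current account can read (dir 0700, file 0600)."""
    stage_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(stage_dir, 0o700)          # explicit: mkdir's mode is subject to the umask
    target = stage_dir / "cwallet.sso"
    shutil.copyfile(src_wallet, target)
    os.chmod(target, 0o600)
    return target


def write_merge_config(work: Path, oam_dir: Path, oic_dir: Path) -> Path:
    """Write merge-creds.xml: source context = OAM copy, destination context = Mobile and Social copy."""
    config = work / "merge-creds.xml"
    config.write_text(MERGE_CREDS.format(ns=JPS_NS, src=oam_dir, dst=oic_dir))
    os.chmod(config, 0o600)
    return config


def merge_contexts(config: Path) -> dict:
    """Read back {context name: store location} so the file can be checked before WLST runs."""
    root = ET.parse(config).getroot()
    ns = {"j": JPS_NS}
    locations = {si.get("name"): si.get("location") for si in root.findall(".//j:serviceInstance", ns)}
    return {ctx.get("name"): locations[ctx.find("j:serviceInstanceRef", ns).get("ref")]
            for ctx in root.findall(".//j:jpsContext", ns)}


def wlst_script(config: Path) -> str:
    """WLST commands for the merge; connect() without arguments prompts for the password."""
    return ("connect()\n"
            f'migrateSecurityStore(type="credStore", configFile="{config}", '
            'src="FileSourceContext", dst="FileDestinationContext")\n'
            "exit()\n")


def merge_wallets(oam_wallet=OAM_WALLET, oic_wallet=OIC_WALLET, wlst="wlst.sh", orapki="orapki"):
    """Stage both wallets privately, run the merge, copy the merged wallet back, remove the copies."""
    work = Path(tempfile.mkdtemp(prefix="oic-merge-"))  # mkdtemp creates the directory with mode 0700
    try:
        stage_wallet(oam_wallet, work / "oam")
        stage_wallet(oic_wallet, work / "oic")
        config = write_merge_config(work, work / "oam", work / "oic")
        script = work / "merge.py"
        script.write_text(wlst_script(config))
        show = [orapki, "wallet", "display", "-wallet", str(work / "oic")]
        subprocess.run(show, check=True)                 # before the merge
        subprocess.run([wlst, str(script)], check=True)  # prompts for the WebLogic credentials
        subprocess.run(show, check=True)                 # after: the OAM entry should now be listed
        shutil.copyfile(work / "oic" / "cwallet.sso", oic_wallet)  # assumption: merged copy replaces the live wallet
    finally:
        shutil.rmtree(work)  # never leave wallet copies behind in /tmp


def self_check() -> dict:
    """Exercise the staging and config steps on constructed bytes (no OAM, WLST or orapki needed)."""
    tmp = Path(tempfile.mkdtemp(prefix="oic-check-"))
    try:
        fake = tmp / "fake-cwallet.sso"
        fake.write_bytes(b"constructed wallet bytes, not a real wallet")
        staged = stage_wallet(fake, tmp / "oam")
        config = write_merge_config(tmp, tmp / "oam", tmp / "oic")
        return {"copied": staged.read_bytes() == fake.read_bytes(),
                "file_mode": mode_of(staged), "dir_mode": mode_of(tmp / "oam"),
                "config_mode": mode_of(config),
                "contexts": {k: Path(v).name for k, v in merge_contexts(config).items()},
                "script_prompts": wlst_script(config).startswith("connect()")}
    finally:
        shutil.rmtree(tmp)
```

Run merge_wallets() on the Mobile and Social host as the account that owns the domain; the merge itself is still performed by migrateSecurityStore exactly as on the page, the wrapper only controls where the copies live and for how long.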
You can configure a Service Domain to use the Oracle Adaptive Access Manager (OAAM) device registration functionality.
To configure a Service Domain, open the Service Domain Configuration page and choose the OAAMSecurityHandlerPlugin option from the Security Handler Plugin Name list.
See Creating a Service Domain.
Note:
During installation, the Oracle Fusion Middleware Configuration Wizard can generate a domain that supports both Mobile and Social and Oracle Adaptive Access Manager. Mobile and Social requires at least Oracle Adaptive Access Manager version 11g Release 2. For more information, see the "Configuring Mobile and Social" chapter in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
The following topics describe how to configure the required policies, conditions, rules, and actions to complete integration between Mobile and Social and OAAM:
Here is a list of OAAM policies supported by Mobile and Social.
Table 49-21 displays the supported OAAM policies (by OAAM checkpoint).
Table 49-21 OAAM Policies Supported By Mobile and Social
Checkpoint | Supported Policies
---|---
Post-Authentication |
Challenge |
Device Identification |
Mobile and Social and OAAM also use similar terminology to describe the security actions that can be taken to respond to authentication and authorization events.
Table 49-22 maps the Mobile and Social term to the OAAM term.
Table 49-22 Mapping Terms Between OAAM and Mobile and Social
OAAM Action Groups | Mobile and Social Actions
---|---
OAAM Allow | ALLOW
OAAM Block | DENIED
OAAM Challenge | CHALLENGE
OAAM Black-Listed Mobile Device | WIPE_OUT
OAAM Lost Device | WIPE_OUT
Use the Oracle Adaptive Access Manager Administrator's Console to customize OAAM policies and rules.
Before you start to configure any OAAM policies, you need to complete the following tasks:
You can create an Administrator for OAAM administration from the Oracle WebLogic Administration Console.
To create:
You can add Oracle Access Management Server as a target of OAAM data source.
To add:
Select OAAM_SERVER_DS in the Data Sources table.
Add oam_server1 as a target.
If Mobile and Social Services is configured to accept an authentication result from Social Identity, you can configure OAAM to work with Mobile and Social when users authenticate.
To configure OAAM if Social Identity Authentication is enabled in Mobile and Social Services:
Log into the OAAM Administration Console.
Click Policies and search for the OAAM Mobile and Social Integration Post-Authentication Security policy.
In the policy find the following rule: Mobile device is not registered.
Add a condition:
Search on "Session: Check value in comma separated values."
Add the following:
Parameter Key : oic.userIdType
Value to Check : URI
Return if in list : false
You can set up a Lost or Stolen Device Rule for each device reported as missing by adding the Device ID to the OAAM Lost or Stolen Devices device group.
Users should report lost or stolen devices to the support department so that the missing device can be added to the OAAM Lost or Stolen Devices group. If an authentication attempt then comes from the missing device, OAAM can send Mobile and Social a DENIED or WIPE_OUT action to wipe the application data associated with the Mobile and Social server. If a user recovers a missing device, the device status can be reset in OAAM.
To set up a Lost or Stolen Device Rule:
Rules can be configured to block access to specific devices or applications.
The following topics include additional information:
You can create a Blacklisted Device Rule for each device to which you want to block access.
To set up a Blacklisted Device Rule by adding the Device ID to the OAAM Black-listed Mobile Devices group:
Adding a Blacklisted Application Rule consists of the following tasks, performed in order.
To add the application to the OAAM Blacklisted Mobile Devices group:
You can create a new alert group from the OAAM Administration Console.
To create:
You can create a generic strings group to store blacklisted application names.
To create:
You can add a new rule for a blacklisted mobile application.
To create a rule:
Double-click Policies in the Navigation pane.
The Policies Search page displays.
Choose Post authentication from the Checkpoint menu, then click Search.
Click OAAM Post-Authentication Security.
The OAAM Post-Authentication Security page opens.
Click the Rules tab.
Click the Add Rule button.
Complete the form as follows and click Add:
Rule Name - Type Check for blacklisted mobile applications
Rule Status - Choose Active from the menu.
Rule Notes - Type Check if application is in the Oaam blacklisted mobile application group
Click the Conditions tab.
Click Add Conditions.
The Add Condition pop-up window opens.
Complete the form as follows and click Search:
Condition Name - Type Check Current Session
Type - Choose In Session from the menu.
In the table of results, click Session: Check Current Session using the filter conditions.
The filter condition details display.
Do the following and click Save:
Under Check if select Client Application.
Select in as the operator.
Select Group as the Target Type.
Select Generic Strings as the Group Type.
Select OAAM blacklisted mobile application as the Group Name.
In English the condition reads: Check if the Client Application is in the "OAAM blacklisted mobile application" group.
Click the Results tab.
Choose OAAM Block from the Action Group menu.
Choose OAAM Blacklisted application used from the Alert Group menu.
Click Apply.
The OAAM Session is a commonly used conceptual entity in OAAM rule execution.
A rule can use a session attribute as input (for example, Client App Name and OAAM Device ID) and affect the status of the session at the output (that is, changing the status to "Blocked"). When OAAM is used in a non-mobile environment such as a web browser, there is a one-to-one relationship between a user authentication session (an OAM session, for example) and the OAAM session. For example, each OAAM session contains data associated with the following fields:
User ID
Client IP Address
OAAM Device ID and Fingerprint
(Auth) Status: Success, Pending, Blocked, and so on
Client Application Name
In a mobile application environment, different apps running on the same device used by the same user are expected to have different OAAM sessions, even in a mobile SSO scenario. For example, assume the following apps are installed on a mobile device:
SSO Security Agent App
White Pages App
Expense Report App
These apps are listed together as participants of the same Service Domain and they all participate in single sign-on. A user just needs to log in once using the mobile SSO agent app. This means that there will only be a single User Authentication session (that is, a single Access Manager session) shared by multiple apps on the same device. On the other hand, if the user uses all three apps simultaneously within the same Access Manager session, each mobile application will have its own OAAM session entry and three OAAM sessions will be seen in the OAAM Admin Console.
The reason to have separate OAAM sessions for each mobile application is to allow rules to take the mobile client application into account. The same rule can block sessions from some apps, while letting sessions from other apps succeed. (The Blacklisted Application Rule in Setting up a Blacklisted Application Rule is an example of this.) A more sophisticated rule can consider multiple factors from a session; for example an Expense Report application might rate as security sensitive while a "White Pages" (directory look-up) application might rate as less sensitive. The same Risky-IP rule may block sessions from the Expense Report application but not the White Pages app, even if the sessions come from the same medium-risky IP address.
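The per-application session model above is what makes the rules in this section work: the Lost or Stolen Device Rule, the Blacklisted Application Rule, the Social Identity condition on "Mobile device is not registered", and the risk-weighted IP example in the preceding paragraph. The following added example (not OAAM code) models one OAAM session per app and evaluates those rules over it; the group contents, the set of "security sensitive" apps, the CHALLENGE outcome for an unregistered device, and the IP values are assumptions for illustration, and the action names follow Table 49-22:

```python
"""Model of per-application OAAM sessions and the Mobile and Social rules described above.

Added example, not OAAM code.  Group memberships and the sensitive-app set are assumed.
"""
from dataclasses import dataclass

# Mobile and Social actions (Table 49-22), ordered by severity so that the
# strongest outcome across all matching rules wins for a session.
ALLOW, CHALLENGE, DENIED, WIPE_OUT = "ALLOW", "CHALLENGE", "DENIED", "WIPE_OUT"
SEVERITY = {ALLOW: 0, CHALLENGE: 1, DENIED: 2, WIPE_OUT: 3}


@dataclass(frozen=True)
class Session:
    """One OAAM session: one user, one device, one client application."""
    user_id: str
    client_ip: str
    device_id: str
    client_app: str
    user_id_type: str = "LDAP"   # oic.userIdType; "URI" for Social Identity logins


@dataclass(frozen=True)
class Groups:
    """The OAAM groups the rules consult: device groups, a generic-strings group, an IP group."""
    lost_or_stolen_devices: frozenset
    blacklisted_devices: frozenset
    blacklisted_apps: frozenset       # "OAAM blacklisted mobile application" generic strings group
    risky_ips: frozenset
    registered_devices: frozenset


# Assumption for illustration: apps rated security sensitive for the risky-IP rule.
SENSITIVE_APPS = frozenset({"Expense Report App"})


def lost_device_rule(s: Session, g: Groups):
    """OAAM Lost Device action group -> WIPE_OUT."""
    return WIPE_OUT if s.device_id in g.lost_or_stolen_devices else None


def blacklisted_device_rule(s: Session, g: Groups):
    """OAAM Black-Listed Mobile Device action group -> WIPE_OUT."""
    return WIPE_OUT if s.device_id in g.blacklisted_devices else None


def blacklisted_app_rule(s: Session, g: Groups):
    """Check if the Client Application is in the blacklisted group -> OAAM Block (DENIED)."""
    return DENIED if s.client_app in g.blacklisted_apps else None


def risky_ip_rule(s: Session, g: Groups):
    """Assumed rule from the text's illustration: a medium-risk IP blocks sensitive apps only."""
    return DENIED if s.client_ip in g.risky_ips and s.client_app in SENSITIVE_APPS else None


def unregistered_device_rule(s: Session, g: Groups):
    """"Mobile device is not registered" with the added condition on oic.userIdType.

    "Value to Check: URI, Return if in list: false" exempts Social Identity users.
    CHALLENGE as the outcome is an assumption; the page does not state the action.
    """
    if s.user_id_type == "URI":
        return None
    return CHALLENGE if s.device_id not in g.registered_devices else None


RULES = (lost_device_rule, blacklisted_device_rule, blacklisted_app_rule,
         risky_ip_rule, unregistered_device_rule)


def evaluate(session: Session, groups: Groups) -> str:
    """Run every rule over one session and return the most severe action, ALLOW if none fire."""
    outcomes = [rule(session, groups) for rule in RULES]
    return max((o for o in outcomes if o), key=SEVERITY.__getitem__, default=ALLOW)


def evaluate_device(user_id, client_ip, device_id, apps, groups, user_id_type="LDAP") -> dict:
    """One OAAM session per app on the same device within one OAM session: {app: action}."""
    return {app: evaluate(Session(user_id, client_ip, device_id, app, user_id_type), groups)
            for app in apps}


if __name__ == "__main__":
    g = Groups(frozenset({"dev-lost"}), frozenset(), frozenset({"Torrent App"}),
               frozenset({"198.51.100.7"}), frozenset({"dev-ok", "dev-lost"}))
    apps = ["SSO Security Agent App", "White Pages App", "Expense Report App"]
    print(evaluate_device("alice", "198.51.100.7", "dev-ok", apps, g))
```

With the constructed groups the same user on the same device from the same medium-risk address gets ALLOW for the White Pages app and DENIED for the Expense Report app, which is exactly the outcome a single shared OAAM session could not express.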
OAAM provides strong authentication features, such as Knowledge-Based Authentication and One-Time Password.
One-Time Password delivers a password using e-mail or a mobile text message. These features require end users to register a security profile that may contain security questions, mobile phone numbers, and e-mail addresses.
The following topics include information on setting up these authentication processes:
Mobile and Social provides support for Knowledge-Based Authentication (KBA) if OAAM is installed.
KBA is the default option for Strong Authentication in OAAM. Administrators do not need to perform extra configuration for KBA to work. Users should use the OAAM Managed Server Console to record their KBA questions in their User Profile registration.
Mobile and Social provides One Time Password (OTP) support if OAAM is installed.
OTP allows end users to authenticate themselves by entering a server generated one-time-password that might be received by either SMS or e-mail. Because the one-time-password is sent out-of-band, the risk is reduced that someone other than the valid user could obtain access to it.
The following topics include additional information:
You can configure either SMTP or UMS so that Mobile and Social can send the e-mail.
Mobile and Social can send e-mail in either of the following ways.
Using the included SMTP client.
Using the Oracle User Messaging Service (UMS).
This topic includes a procedure for each of these integrations. Choose either Setting Up SMTP for E-mail or Setting Up UMS for E-mail to begin.
Note:
Configure either SMTP or UMS. Do not configure both.
After configuring the SMTP or UMS attribute values, enable the Challenge Types on the OAAM server as documented in this section's third procedure, Enable "Challenge Types" on the OAAM Server for E-mail.
Setting Up SMTP for E-mail
Access the Mobile and Social Services configuration page.
See Opening the Mobile and Social Services Configuration Page.
In the Security Handler Plugins section on the right side of the screen, click OaamSecurityHandlerPlugin and click Edit in the tool bar.
In the Attributes section provide values for the following attribute names and click Apply.
mail.smtp.host - The SMTP server host.
mail.smtp.port - The SMTP server port.
mail.smtp.security.type - The SMTP security type. Either SSL or TLS.
mail.smtp.user - The user name to log on to the SMTP server.
mail.smtp.fromadd - The Mobile and Social "From" address, for example: mobileadmin@example.com
mail.smtp.password - The password for the mail.smtp.user account.
mail.smtp.truststore.location - The file name with the location of the trust store to be used to validate the server identity.
mail.smtp.keystore.location - The file name of the key store containing the client certificate.
mail.smtp.keystore.password - The key store password.
mail.smtp.truststore.password - The trust store password.
Complete the steps in Enable "Challenge Types" on the OAAM Server for E-mail.
Setting Up UMS for E-mail
Access the Mobile and Social Services configuration page.
See Opening the Mobile and Social Services Configuration Page.
In the Security Handler Plugins section on the right side of the screen, click OaamSecurityHandlerPlugin and click Edit in the tool bar.
In the Attributes section provide values for the following attribute names and click Apply.
ums.service.uri - The UMS server Web service URL, for example: http://<UMS Server URL>:<UMS Port>/ucs/messaging/webservice
ums.username - The user name for the UMS server.
ums.password - The password for the UMS server.
ums.from.address - The Mobile and Social "From" address, for example: mobileadmin@example.com
ums.from.name - The Mobile and Social "From" name.
ums.email.enabled - Set to true.
Complete the steps in Enable "Challenge Types" on the OAAM Server for E-mail.
Enable "Challenge Types" on the OAAM Server for E-mail
Mobile and Social sends SMS messages using the Oracle UMS.
Complete Setting Up SMS Using UMS and then Enable "Challenge Types" on the OAAM Server for SMS.
Setting Up SMS Using UMS
Access the Mobile and Social Services configuration page.
See Opening the Mobile and Social Services Configuration Page.
In the Security Handler Plugins section on the right side of the screen, click OaamSecurityHandlerPlugin and click Edit in the tool bar.
In the Attributes section provide values for the following attribute names and click Apply.
ums.service.uri - The UMS server Web service URL, for example: http://<UMS Server URL>:<UMS Port>/ucs/messaging/webservice
ums.username - The user name for the UMS server.
ums.password - The password for the UMS server.
ums.from.address - The Mobile and Social "From" address, for example: mobileadmin@example.com
ums.from.name - The Mobile and Social "From" name.
ums.email.enabled - Set to true.
Complete the steps in the Enable "Challenge Types" on the OAAM Server for SMS.
Enable "Challenge Types" on the OAAM Server for SMS
OAAM evaluates the Challenge policy when an event triggers the Challenge action. You can change the OAAM Challenge Policy Trigger Combination from the OAAM Administration Console.
If KBA is active for a User, the system challenges the User with questions from the OAAM Challenge Question Action Group. If the User fails the OAAM challenge questions three times, the system starts the OAAM SMS Challenge Action group.
You can reorder the Action Groups using OAAM Challenge Policy trigger combinations so that other Challenge Action Groups, such as the OAAM Challenge E-Mail group or the OAAM Challenge SMS group, take precedence over the OAAM Challenge Question group.
To change the OAAM Challenge Policy Trigger Combination: