57.6 Integrating the KerberosPlugin with Search Failover

When an Oracle Virtual Directory deployment is not viable, and it is acceptable to locate the user by searching the Active Directory Global Catalogs in a fixed order (falling back to the next catalog when a search fails), you can configure Access Manager as described in this section.

  1. Complete the tasks in the following earlier sections:
    • "About Preparing Your Active Directory and Kerberos Topology"
    • "Confirming Access Manager Operations"
  2. Perform the tasks in this section:
    • "Registering Microsoft Active Directory Instances with Access Manager"
    • "Setting Up the KerberosPlugin for ADGCs"
  3. Proceed to "Configuring Access Manager for Windows Native Authentication".
  4. Proceed to "Validating WNA with Access Manager Protected Resources".

57.6.1 Registering Microsoft Active Directory Instances with Access Manager

Users with valid Oracle Access Management Administrator credentials can register each Active Directory Global Catalog (ADGC), with relevant search bases and naming attributes, as an individual User Identity Store for Oracle Access Management.

A fully configured Microsoft Active Directory authentication service must already be in place, with user accounts to which the Kerberos services are mapped, Service Principal Names (SPNs) registered on those accounts, and keytab files exported for them. Treat each keytab as a secret equivalent to the service account's password and restrict its file permissions to the operating-system user that runs the OAM Server. For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.3).

  1. In the Oracle Access Management Console, click Configuration at the top of the window.
  2. Click User Identity Stores.
  3. In the OAM ID Stores section, click Create.
  4. Enter the required values for your first ADGC. The Principal is the account Access Manager binds with; over a plain ldap:// URL a simple bind sends that account's password in clear text, so use ldaps:// (or an otherwise protected network path) in production, and prefer a dedicated read-only account to the domain Administrator. For example:
    • Name: ADGC1-EXAMPLE
    • LDAP Url: ldap://ADGC1_host.domain.com:389
    • Principal: cn=Administrator,cn=users,dc=lm,dc=example,dc=com
    • Credential: ********
    • User Search Base: dc=lm,dc=example,dc=com
    • User Name Attribute: userprincipalname
    • Group Search Base: dc=lm,dc=example,dc=com
    • LDAP Provider: AD
  5. Click the Default Store button to make this the default store.
  6. Click Apply to submit the changes and dismiss the confirmation window.
  7. Repeat these steps to add the second ADGC (ADGC2-SPRITE) with its own search bases and naming attributes. For example:
    • Name: ADGC2-SPRITE
    • LDAP Url: ldap://ADGC2_host.domain.com:389
    • Principal: cn=Administrator,cn=users,dc=lm,dc=example,dc=com
    • Credential: ********
    • User Search Base: dc=lmsib,dc=example,dc=com
    • User Name Attribute: userprincipalname
    • Group Search Base: dc=lmsib,dc=example,dc=com
    • LDAP Provider: AD
  8. Restart the AdminServer and OAM Servers.
  9. Proceed to "Setting Up the KerberosPlugin for ADGCs".

57.6.2 Setting Up the KerberosPlugin for ADGCs

When a native authentication module does not offer enough flexibility for your needs, you can create a custom authentication module from plug-ins designed to meet specific needs. The KerberosPlugin is a credential mapping module: its stepKTA step validates the Kerberos service ticket that the browser presents through SPNEGO, using the keytab of the service principal, and the identification step that follows looks up the principal named in that ticket in an identity store; the user's password is not involved on this path. By default, KerberosPlugin maps the Kerberos realm (the domain DNS name) to the corresponding distinguished name by turning each DNS label into a dc component.

However, if the distinguished name does not follow the DNS name, you can specify the correct mapping as a semicolon (;) separated list of REALM:DN tokens. Only realms whose DN differs from the default need an entry. For example:

LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com
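
As an added example (not Oracle's documentation or product code), the following Python shows how a KEY_DOMAIN_DNS2DN_MAP value such as the one above is read, and what a realm resolves to when it is not listed. Function names and the sample principals are this example's own. Note that the second store registered in this section searches dc=lmsib,dc=example,dc=com, so a realm LMSIB.SPRITE.COM would need an explicit map entry pointing there; the value shown above maps both realms to their default DNs and therefore changes nothing.

```python
"""Added example, not Oracle documentation or product code: how a
KEY_DOMAIN_DNS2DN_MAP value is interpreted. A realm listed in the map gets the
DN given there; any other realm gets the default mapping, each DNS label
becoming a dc= component. Function names are this example's own."""

from typing import Dict, Tuple

# The map shown on this page. Both entries equal the default mapping, so this
# particular value changes nothing; a map only matters when a realm's DN does
# not follow its DNS name.
EXAMPLE_MAP = ("LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;"
               "LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com")


def default_dns2dn(realm: str) -> str:
    """Default behaviour: LM.EXAMPLE.COM -> dc=lm,dc=example,dc=com."""
    labels = [p for p in realm.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("empty realm")
    return ",".join(f"dc={p}" for p in labels)


def parse_dns2dn_map(value: str) -> Dict[str, str]:
    """Parse 'REALM:dn;REALM:dn'. Realms are upper-cased for lookup (Kerberos
    realm names are conventionally upper case; DNS is case-insensitive).
    Malformed or contradictory tokens raise rather than being skipped, so a
    typo cannot silently send lookups to the default DN."""
    mapping: Dict[str, str] = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        realm, sep, dn = token.partition(":")
        realm, dn = realm.strip().upper(), dn.strip()
        if not sep or not realm or not dn:
            raise ValueError(f"expected REALM:DN, got {token!r}")
        if mapping.get(realm, dn) != dn:
            raise ValueError(f"realm {realm} mapped to two different DNs")
        mapping[realm] = dn
    return mapping


def is_valid_map(value: str) -> bool:
    """True if the map parses; handy as a pre-flight check before saving it."""
    try:
        parse_dns2dn_map(value)
        return True
    except ValueError:
        return False


def split_principal(principal: str) -> Tuple[str, str]:
    """'jdoe@LM.EXAMPLE.COM' -> ('jdoe', 'LM.EXAMPLE.COM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal without realm: {principal!r}")
    return name, realm


def realm_to_search_base(realm: str, dns2dn_map: str = "") -> str:
    """The DN a user's realm resolves to, i.e. what the plug-in steps use as
    {KEY_USERDOMAIN} for KEY_SEARCHBASE_URL: the mapped DN if the realm is
    listed, otherwise the default dc-component DN."""
    return parse_dns2dn_map(dns2dn_map).get(realm.upper(), default_dns2dn(realm))


if __name__ == "__main__":
    # Constructed case: the second store on this page searches
    # dc=lmsib,dc=example,dc=com, which is not LMSIB.SPRITE.COM's default DN.
    fixed = "LMSIB.SPRITE.COM:dc=lmsib,dc=example,dc=com"
    for principal in ("jdoe@LM.EXAMPLE.COM", "asmith@LMSIB.SPRITE.COM"):
        user, realm = split_principal(principal)
        print(user, realm, "->", realm_to_search_base(realm, fixed))
```

Run it as a script to see both sample principals resolved; the first realm falls through to the default DN, the second is redirected by the explicit entry.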

Users with valid Oracle Access Management Administrator credentials can perform the following task to replace or update the KerberosPlugin steps so that they point to the ADGCs you created. Each new step operates in tandem with its counterpart: if the initial step fails against the first ADGC, the secondary step queries the second ADGC. Before you begin, complete the sections "About Preparing Your Active Directory and Kerberos Topology" and "Confirming Access Manager Operations".

  1. In the Oracle Access Management Console, click Application Security at the top of the window.

  2. Click Authentication Modules in the Plug-ins section.

  3. Click Search, locate the KerberosPlugin plug-in and open it for editing.

  4. On the KerberosPlugin page, click the Steps tab.

    Steps Tab: Replace stepKTA, as described here, then click Save.

    1. Click stepKTA then click the Delete (x) button to remove this step.

    2. Click the Add (+) button and add the following step to the plug-in:

       Element    Description
       Name       stepKTA
       Class      KerberosTokenAuthenticator

    New stepKTA Details:

    Confirm that the new stepKTA includes the KEY_DOMAIN_DNS2DN_MAP parameter, and enter values for your deployment:

    Element                Description
    KEY_DOMAIN_DNS2DN_MAP  LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com
    Service Principal      HTTP/oam11g.example.com@LM.EXAMPLE.COM
    keytab.conf            Location of the keytab file for stepKTA. For example: /refresh/home/oam.keytab
    krb5.conf              Location of the krb5.conf file for stepKTA. For example: /etc/krb5.conf

  5. stepUIF: Step Details (configure as follows and save):

    Element                 Description
    KEY_IDENTITY_STORE_REF  ADGC1-EXAMPLE
    KEY_SEARCHBASE_URL      {KEY_USERDOMAIN} (the DN derived from the user's Kerberos realm through the KEY_DOMAIN_DNS2DN_MAP mapping)
    KEY_LDAP_FILTER         (samAccountName={KEY_USERNAME})
                            NOTE: sAMAccountName is unique only within a single domain. For untrusted, multi-domain Active Directory environments, use the userPrincipalName attribute instead.

  6. stepUI and stepUA: Step Details (configure these steps and save):

    Element                 Description
    KEY_IDENTITY_STORE_REF  ADGC1-EXAMPLE

  7. Save the changes.

  8. Add stepUIF2: This operates in tandem with stepUIF and executes if stepUIF fails:

    Element                 Description
    KEY_IDENTITY_STORE_REF  ADGC2-SPRITE
    KEY_SEARCHBASE_URL      {KEY_USERDOMAIN}
    KEY_LDAP_FILTER         (samAccountName={KEY_USERNAME})
                            NOTE: sAMAccountName is unique only within a single domain. For untrusted, multi-domain Active Directory environments, use the userPrincipalName attribute instead.

  9. Add stepUI2: This operates in tandem with stepUI and executes if stepUI fails:

    Element                 Description
    KEY_IDENTITY_STORE_REF  ADGC2-SPRITE

  10. Add stepUA2: This executes when stepUI2 succeeds:

    Element                 Description
    KEY_IDENTITY_STORE_REF  ADGC2-SPRITE (stepUA keeps ADGC1-EXAMPLE, so the two steps reference the first and second ADGC respectively)

  11. Add Step Details: Common Configuration > Plugins > KerberosTokenAuthenticator.

    Enter values for your deployment:

    Element      Description
    keytab.conf  Location of the keytab file for stepKTA. For example: /refresh/home/oam.keytab
    krb5.conf    Location of the krb5.conf file for stepKTA. For example: /etc/krb5.conf

  12. Restart the OAM Cluster.

  13. Proceed with "Configuring Access Manager for Windows Native Authentication".
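
The ordered failover that stepUIF and stepUIF2 implement, and the reason the NOTE in steps 5 and 8 prefers userPrincipalName, as an added example in Python. This is not Oracle code: the stores, users and DNs are constructed, and the example assumes that {KEY_USERNAME} carries the short account name for the samAccountName filter and the full user@domain value for the userPrincipalName filter (check what your stepKTA actually emits). It also escapes the substituted user name per RFC 4515, the check you would want wherever a value influenced by the client reaches an LDAP filter.

```python
"""Added example, not Oracle code: the stepUIF -> stepUIF2 search failover
against two constructed in-memory 'ADGC' stores, with RFC 4515 escaping of
the value substituted for {KEY_USERNAME}, and a demonstration of why
sAMAccountName is ambiguous across domains while userPrincipalName is not."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping; without it '*)(objectClass=*' rewrites the filter."""
    return "".join(chr(b) if b < 0x80 and b not in b"\\*()\x00" else "\\%02x" % b
                   for b in value.encode("utf-8"))


def render_filter(template: str, username: str) -> str:
    """Fill KEY_LDAP_FILTER's {KEY_USERNAME} placeholder with an escaped value."""
    return template.replace("{KEY_USERNAME}", escape_filter_value(username))


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, str]  # attribute names stored in lower case


@dataclass
class Store:
    """One registered User Identity Store (an ADGC), held in memory."""
    name: str
    entries: List[Entry]

    def search(self, base: str, rendered_filter: str) -> List[Entry]:
        """Equality filter (attr=value) evaluated below `base`. Stored values
        are escaped the same way before comparing, so comparison is exact and
        case-insensitive, as Active Directory's is."""
        m = re.fullmatch(r"\((\w+)=([^()]*)\)", rendered_filter)
        if not m:
            raise ValueError(f"unsupported filter: {rendered_filter!r}")
        attr, value, base = m.group(1).lower(), m.group(2).lower(), base.lower()
        return [e for e in self.entries
                if (e.dn.lower() == base or e.dn.lower().endswith("," + base))
                and escape_filter_value(e.attrs.get(attr, "")).lower() == value]


def identify_user(steps: List[Tuple[Store, str]], search_base: str,
                  username: str) -> Optional[Tuple[str, str]]:
    """stepUIF then stepUIF2: each step is (store, KEY_LDAP_FILTER). The first
    store returning exactly one entry wins. No match moves to the next store;
    several matches are ambiguous and also fail, never 'first hit wins'."""
    for store, template in steps:
        hits = store.search(search_base, render_filter(template, username))
        if len(hits) == 1:
            return store.name, hits[0].dn
    return None


def _user(dn: str, sam: str, upn: str) -> Entry:
    return Entry(dn, {"samaccountname": sam, "userprincipalname": upn})


# Constructed directory content; store names follow this section.
ADGC1 = Store("ADGC1-EXAMPLE", [
    _user("cn=jdoe,cn=users,dc=lm,dc=example,dc=com", "jdoe", "jdoe@lm.example.com"),
    # a second domain in the same forest reuses the sAMAccountName
    _user("cn=jdoe,cn=users,dc=hr,dc=example,dc=com", "jdoe", "jdoe@hr.example.com"),
])
ADGC2 = Store("ADGC2-SPRITE", [
    _user("cn=asmith,cn=users,dc=lmsib,dc=example,dc=com", "asmith", "asmith@lmsib.sprite.com"),
])
SAM = "(samAccountName={KEY_USERNAME})"
UPN = "(userPrincipalName={KEY_USERNAME})"


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    sam_steps, upn_steps = [(ADGC1, SAM), (ADGC2, SAM)], [(ADGC1, UPN), (ADGC2, UPN)]
    return {
        # asmith is not in ADGC1: stepUIF fails, stepUIF2 finds the user
        "failover": identify_user(sam_steps, "dc=lmsib,dc=example,dc=com", "asmith"),
        # forest-root base: two jdoe accounts share the sAMAccountName
        "sam_ambiguous": identify_user(sam_steps, "dc=example,dc=com", "jdoe"),
        # the UPN carries the domain suffix, so it is unique across the forest
        "upn_unique": identify_user(upn_steps, "dc=example,dc=com", "jdoe@hr.example.com"),
        # a crafted name is escaped and matches nothing instead of everything
        "injected": identify_user(sam_steps, "dc=example,dc=com", "*)(objectClass=*"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The ambiguity case is the point of the NOTE: with the search base widened to the forest root, the samAccountName filter returns two entries and the lookup is refused rather than resolved to whichever entry came back first, while the userPrincipalName filter still identifies exactly one account.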