You can configure an Adaptive Authentication Service if you have already installed Access Manager, a WebGate, and Oracle HTTP Server (OHS).
Some of these configurations apply only to particular Adaptive Authentication Service options.
This section describes the following topics:
The following RESTful endpoint is used to generate the secret key for a user in the Oracle Access Management identity store.
http://<HOST>:<PORT>/ms_oauth/resources/userprofile/secretkey
In the case of OMA online configuration (Oracle's recommended method of configuration), OMA uses this RESTful endpoint to store the key for a user in the identity store. In the cases of OMA manual configuration or Google Authenticator, the administrator sets up a web application that lets the user generate a secret key, also through the RESTful endpoint mentioned above. The secret key is stored as a String in an LDAP attribute in the identity store, and the name of this attribute must be set in the RESTful endpoint configuration before any secret key is generated.
See Understanding Oracle Mobile Authenticator Configuration.
You can enable the Mobile and Social Service and update the User Profile Service in the Oracle Access Management Console to protect the REST Secret Key endpoint by using the Basic Authentication Scheme. Basic Authentication only base64-encodes the user name and password, so expose the endpoint over HTTPS only, not over the plain http URL shown above; left unprotected, the endpoint issues secret keys to unauthenticated callers.
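As an added illustration (example code, not Oracle's implementation of the endpoint), the following Python stands in for the secret key endpoint and the identity store so that two properties can be seen together: the endpoint issues a key only to a caller who passes the Basic Authentication check, and the String it stores in the user's attribute is the seed an authenticator app later turns into one-time codes. The handler, the attribute name oamSecretKey and the dictionary standing in for the LDAP store are assumptions of the example; the one-time code computation follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits), the scheme Google Authenticator uses; the sample user, password and the fixed seed used for checking are constructed test data (the seed is the RFC 6238 test key).

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Hypothetical name of the LDAP attribute configured for the endpoint (assumption).
SECRET_ATTR = "oamSecretKey"


def basic_header(user, password):
    """Build the Authorization header a client sends under the Basic Authentication Scheme."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def authenticate(headers, store):
    """Return the user name proven by the Basic header, or None (the basicauth.allowed=true gate)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, sep, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None
    entry = store.get(user)
    if not sep or entry is None or not hmac.compare_digest(password, entry["userPassword"]):
        return None
    return user


def handle_secretkey(headers, store, rng=os.urandom):
    """Toy stand-in for GET .../userprofile/secretkey: mint a fresh seed for the caller only.

    Returns (status, secret). A 160-bit random seed, base32-encoded, is what authenticator
    apps expect; it is written to the caller's own attribute as a String.
    """
    user = authenticate(headers, store)
    if user is None:
        return 401, None
    secret = base64.b32encode(rng(20)).decode()
    store[user][SECRET_ATTR] = secret
    return 200, secret


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 one-time code: HOTP (HMAC-SHA1) over the current 30-second time step."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_code(user, code, store, now=None, window=1):
    """Check a code submitted at login against the seed stored in the user's attribute.

    Accepts the current step and +/- window neighbouring steps to tolerate clock drift,
    and compares in constant time.
    """
    secret = store.get(user, {}).get(SECRET_ATTR)
    if secret is None:
        return False
    now = time.time() if now is None else now
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed sample identity store standing in for the LDAP directory.
    store = {"jdoe": {"userPassword": "Tr0ub4dor&3"}}
    print(handle_secretkey({}, store))  # (401, None): no credentials presented
    status, secret = handle_secretkey(basic_header("jdoe", "Tr0ub4dor&3"), store)
    print(status, secret)
    print(verify_code("jdoe", totp(secret, time.time()), store))  # True
```

The 401 branch is the behaviour that setting basicauth.allowed to true buys you: without it, the seed is handed out to whoever asks. Note also that each successful call replaces the stored seed, so the endpoint is an enrolment (and re-enrolment) action and should be reachable only by the account owner.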
To configure mobile OAuth services to protect a secret key, open the User Profile Service in the Oracle Access Management Console, select the /secretkey resource, expand Attributes on its tab, and set basicauth.allowed to true.
Access Manager provides the Adaptive Authentication Plug-in that you can use for two-factor authentication.
To configure the Adaptive Authentication plugin in the Oracle Access Management Console:
Use the WLST command-line script to set the credentials for the Oracle User Messaging Service (UMS), the iOS certificate, or the Android API key.
These credentials are used by the OAM Server in the process of sending SMS/Email and push notifications. Table 35-2 lists information that you need to complete the procedure.
Table 35-2 Server Side Configuration for Adaptive Authentication Service
Configuration | Information | Challenge Method
---|---|---
iOS Certificate/Password | | Access Request (Push) notification using iOS
API Key | | Access Request (Push) notification using Android
UMS Credential | UMS credentials that OAM will use to establish the connection to the UMS Web service. | Email/SMS
To set credentials for UMS, iOS, and Android:
Note:
For information on how to update, delete or otherwise manage credentials using Fusion Middleware Control, see Securing Applications with Oracle Platform Security Services.
When using Access Request Notifications on iOS, create a Java KeyStore (JKS) from the certificate file and key file. Once the JKS is created, rename it APNsCertificate.jks and put it in the <domain>/config/fmwconfig directory of the Oracle Access Management installation. The JKS should contain the user's locally generated private key and the Apple Push Notification service (APNs) certificate downloaded from the Apple Developer Center. Protect the keystore with a password and restrict file access to it: whoever holds the APNs private key can send push notifications as your application.
The following sample commands generate and import the certificate:

# Convert the APNs certificate downloaded from Apple (DER) to PEM
openssl x509 -in aps_production.cer -inform DER -out aps_production.pem -outform PEM
# Extract the locally generated private key from its PKCS#12 file
openssl pkcs12 -nocerts -in OMAKey.p12 -out OMAKey.pem
# Bundle the private key with the APNs certificate into a new PKCS#12 file
openssl pkcs12 -export -inkey OMAKey.pem -in aps_production.pem -out iOS_prod.p12
# Import the APNs certificate into the JKS as a trusted certificate entry
keytool -import -keystore APNsCertificate.jks -file aps_production.cer -alias PushCert
# Import the key and certificate from the PKCS#12 file as a private key entry
keytool -importkeystore -destkeystore APNsCertificate.jks -deststoretype JKS -srcstoretype PKCS12 -srckeystore iOS_prod.p12

These commands assume:
- aps_production.cer is the name of the APNs certificate downloaded from the Apple Developer Center.
- OMAKey.p12 is the user's locally generated private key.
Also see Setting Credentials for UMS, iOS, and Android.
Note:
The section Maintain Your Certificates, Identifiers, and Profiles at the following Apple URL provides relevant information about app distribution certificates and APNs. https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/Introduction/Introduction.html
If you are setting up Android for Access Request notification, use the WebLogic console to update the WebLogic Managed Server for host name verification.
This step is required for Access Request notification configuration on Android only. It allows the verification of host names represented using wildcards; for example, *.googleapis.com.
To configure the host name verifier for Android Access Request (push) notifications, set weblogic.security.utils.SSLWLSWildcardHostnameVerifier as the Custom Hostname Verifier for the managed server. This verifier adds wildcard support but still requires the certificate name to match the peer host; do not switch host name verification off instead, because that would let any certificate trusted by the server impersonate the push service.
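The following Python is an added example, not WebLogic's verifier code: it models the matching rule a wildcard-aware host name verifier has to enforce so that accepting *.googleapis.com does not turn into accepting anything. The rules follow RFC 6125 (a wildcard only as the whole leftmost label, covering exactly one label, never something like *.com); the certificate names are constructed sample input, and verify_peer is a model of the choice the text describes (a verifier that ignores wildcard names versus one that honours them), not WebLogic's internal API.

```python
def hostname_matches(hostname, cert_name):
    """True if cert_name (a dNSName SAN or CN from the peer certificate) covers hostname.

    RFC 6125 style rules: comparison is case-insensitive and ignores a trailing dot; a
    wildcard must be the entire leftmost label, must leave at least two fixed labels
    (*.com is refused), and matches exactly one label (a.b.googleapis.com is not covered
    by *.googleapis.com). Partial-label wildcards such as f*.example.com are refused.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    cert_labels = cert_name.lower().rstrip(".").split(".")
    if "" in host_labels or "" in cert_labels:
        return False  # empty label: malformed name
    if "*" not in cert_name:
        return host_labels == cert_labels
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False  # wildcard must be the whole leftmost label and appear once
    if len(cert_labels) < 3:
        return False  # *.com would cover every .com host
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def verify_peer(hostname, cert_names, wildcards_allowed):
    """Model the two verifier behaviours described in the text.

    Without wildcard support a certificate issued for *.googleapis.com fails for
    android.googleapis.com; with it, the wildcard is honoured but a match is still required.
    """
    for name in cert_names:
        if "*" in name and not wildcards_allowed:
            continue
        if hostname_matches(hostname, name):
            return True
    return False


if __name__ == "__main__":
    # Constructed certificate names; the Android push host is the example from the text.
    names = ["*.googleapis.com"]
    print(verify_peer("android.googleapis.com", names, wildcards_allowed=False))  # False
    print(verify_peer("android.googleapis.com", names, wildcards_allowed=True))   # True
    print(verify_peer("android.googleapis.com.evil.example", names, True))        # False
```

The last call is the case a verifier must get right: a wildcard certificate for Google's domain covers exactly one label under googleapis.com, so a host that merely contains that string elsewhere in its name is rejected.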