35.4 Configuring an Adaptive Authentication Service

You can configure an Adaptive Authentication Service if you have already installed Access Manager, a WebGate, and Oracle HTTP Server (OHS).

Some of these configurations apply only to particular Adaptive Authentication Service options.

This section describes the following topics:

35.4.1 Generating a Secret Key for the Oracle Mobile Authenticator

A secret key needs to be shared between Access Manager and the OMA app. Businesses can generate secret keys in different ways, so the means by which the secret key is generated is not important.

The following RESTful endpoint is used to generate the secret key for a user in the Oracle Access Management identity store.

http://<HOST>:<PORT>/ms_oauth/resources/userprofile/secretkey

In the case of OMA online configuration (which is Oracle's recommended method of configuration), OMA uses the RESTful endpoint to store the key for a user in the identity store. In the cases of OMA manual configuration or Google Authenticator, the administrator sets up a web application that allows the user to generate a secret key, also using the above-mentioned RESTful endpoint. The secret key is stored as a String in an LDAP attribute in the identity store, and the name of this attribute must be passed to the business in the RESTful endpoint configuration before they generate the secret key.

See Understanding Oracle Mobile Authenticator Configuration.

35.4.2 Configuring Mobile OAuth Services to Protect a Secret Key

You can enable the Mobile and Social Service and update the User Profile Service in the Oracle Access Management Console to protect the REST Secret Key endpoint by using the Basic Authentication Scheme.

To configure mobile OAuth services to protect a secret key:

  1. From the Configuration Launch Pad, click Available Services.
  2. Click Enable to enable Mobile and Social, if it is not already enabled.
  3. From the Mobile Security Launch Pad, click Mobile OAuth Services.
  4. Click DefaultDomain under Mobile OAuth Identity Domains.
  5. From the Resource Servers tab, click UserProfile under User Profile Services.
  6. Expand the Resource URIs.
  7. From the /secretkey tab, expand Attributes.
  8. Change the value of basicauth.allowed to true.
  9. Click Apply.

35.4.3 Configuring the Adaptive Authentication Plug-in in the Oracle Access Management Console

Access Manager provides the Adaptive Authentication Plug-in that you can use for two-factor authentication.

To configure the Adaptive Authentication plugin in the Oracle Access Management Console:

  1. Log into the Oracle Access Management Console as System Administrator.
  2. From the Application Security Launch Pad, click Authentication Plug-ins in the Plug-ins panel.
  3. From the Authentication Plug-in tab, type Adaptive in the quick search box above the Plug-in Name column and hit Enter.

    The AdaptiveAuthenticationPlugin is displayed.

  4. Change the properties displayed under Plug-in Details: AdaptiveAuthenticationPlugin as applicable to your environment.

    Table 35-1 describes the Adaptive Authentication Plugin properties.

    Table 35-1 Adaptive Authentication Plugin Properties

    (Columns: Property, Description, Default Value, Required for Challenge Method)

    IdentityStoreRef
      Description: Identity store name
      Default Value: UserIdentityStore1
      Required for Challenge Method: All

    TotpSecretKeyAttribute
      Description: Name of the user attribute in which the secret key is stored.
      Default Value: Attribute description
      Required for Challenge Method: OTP using OMA, Time based OTP

    TotpTimeWindow
      Description: The number of OTP codes generated by the mobile device that Access Manager will accept for validation. Since the mobile device generates a new OTP every 30 seconds, if the value is 3, Access Manager will accept the current and last three OTPs generated by the mobile device.
      Default Value: 3
      Required for Challenge Method: OTP using OMA, Time based OTP

    PushAPNsProdServer
      Description: If set to true, the APNS production server will be used to send notifications.
      Default Value: false
      Required for Challenge Method: Access Request Notifications (iOS)

    PushProxyHost
      Description: Name of the proxy host if notifications are to be sent to the server using a proxy.
      Default Value: (not set)
      Required for Challenge Method: Access Request Notifications

    PushProxyPort
      Description: Proxy port if notifications are to be sent to the server using a proxy.
      Default Value: 80
      Required for Challenge Method: Access Request Notifications

    PushProxyProtocol
      Description: Proxy protocol
      Default Value: https://
      Required for Challenge Method: Access Request Notifications

    UmsAvailable
      Description: When Adaptive Authentication Service requires UMS to send Email and SMS, set to true.
      Default Value: false
      Required for Challenge Method: SMS, Email

    UmsClientUrl
      Description: URL of UMS web service
      Default Value: (not set)
      Required for Challenge Method: SMS, Email

    PhoneField
      Description: Attribute in the identity store where the user phone number is stored
      Default Value: mobile
      Required for Challenge Method: SMS

    EmailField
      Description: Attribute in the identity store where the user email address is stored
      Default Value: mail
      Required for Challenge Method: Email

    Totp_Enabled, Email_Enabled, Sms_Enabled, Push_Enabled
      Description: Controls the options displayed in the UI. If enabled and the user is not registered for Push, not set up for TOTP, or doesn't have email/phone populated in the identity store, those options won't be displayed. For example, if the user has not registered for TOTP and Push but has email populated, then Email will be the only option shown.
      Default Value: true
      NOTE: These properties should be set to false only when the Administrator wants to disable a particular feature for all users.

  5. Click Save.
  6. Update the same properties as applicable in the AdaptiveAuthenticationModule by clicking Authentication Modules under Plug-ins in the Access Manager Launch Pad.

    From the Authentication Modules tab, search for AdaptiveAuthenticationModule.

    Table 35-1 does not list all available Adaptive Authentication Service properties.
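The TotpTimeWindow semantics from Table 35-1 (current OTP plus the last three, 30-second steps) shown as server-side validation logic. This is an added illustration, not Access Manager's code; it uses the RFC 4226/6238 test secret "12345678901234567890" so the expected codes are the published test vectors.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # the mobile device generates a new OTP every 30 seconds
DEFAULT_WINDOW = 3         # TotpTimeWindow default from Table 35-1

# RFC 4226/6238 test secret "12345678901234567890", base32-encoded (a public test
# vector, not a real user's key).
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one time-step counter."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def validate_totp(secret_b32: str, submitted: str, now: float,
                  window: int = DEFAULT_WINDOW) -> bool:
    """Accept the current OTP and the previous `window` OTPs.

    With window=3 this mirrors TotpTimeWindow=3: four codes are valid
    (current, -1, -2, -3 steps). Future steps are never accepted, and each
    comparison is constant-time so validation does not leak partial matches.
    """
    current = int(now // STEP_SECONDS)
    for counter in range(current, current - window - 1, -1):
        if hmac.compare_digest(totp(secret_b32, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    # At now=130 the current step is 4; steps 4..1 are accepted, 0 and 5 are not.
    for c in ("338314", "969429", "359152", "287082", "755224", "254676"):
        print(c, validate_totp(TEST_SECRET_B32, c, now=130.0))
```

A larger TotpTimeWindow widens the acceptance range and therefore the replay exposure of a single code, which is why the table's default is kept small.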

35.4.4 Setting Credentials for UMS, iOS, and Android

Use the WLST command line script to set the credentials for the Oracle User Messaging Service (UMS), the iOS certificate or the Android API key.

These credentials are used by the OAM Server in the process of sending SMS/Email and push notifications. Table 35-2 lists information that you need to complete the procedure.

Table 35-2 Server Side Configuration for Adaptive Authentication Service

(Columns: Configuration, Information, Challenge Method)

iOS Certificate/Password
  Information: https://developer.apple.com/library/mac/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html
  Challenge Method: Access Request (Push) notification using iOS

API Key
  Information: https://developers.google.com/web/updates/2015/03/push-notificatons-on-the-open-web?hl=en
  Challenge Method: Access Request (Push) notification using Android

UMS Credential
  Information: UMS credentials that OAM will use to establish the connection to the UMS Web service.
  Challenge Method: Email/SMS

To set credentials for UMS, iOS, and Android:

  1. cd <MW_HOME>/oracle_common/common/bin
  2. ./wlst.sh
  3. connect()
  4. Enter the WebLogic user name and password when prompted.
  5. Press Enter to accept the default URL or modify the host and port as necessary and press Enter.
  6. Run one or more of the following commands to set credentials for the UMS server, iOS or Android depending on your deployment.

    Note:

    Replace <UMS SERVER USER NAME>, <UMS SERVER PASSWORD>, <CERTIFICATE STORE PASSWORD> and <API KEY VALUE> with values specific to your environment. Do not change the values for any parameters in these commands but those listed and marked as variables.

    • For OTP for email/SMS only:

      createCred(map="OAM_CONFIG", key="umsKey", user="<UMS SERVER USER NAME>",
        password="<UMS SERVER PASSWORD>")

      For example:

      createCred(map="OAM_CONFIG", key="umsKey", user="weblogic",
        password="password")

    • For Access Request (Push) Notifications on iOS only:

      createCred(map="OAM_CONFIG", key="pushApnsCertKey", user="apnskey",
        password="<CERTIFICATE STORE PASSWORD>")

      For example:

      createCred(map="OAM_CONFIG", key="pushApnsCertKey", user="apnskey",
        password="password")

      See Creating a Java KeyStore for iOS Access Request (Push) Notifications when using iOS.

    • For Access Request (Push) Notifications on Android only:

      createCred(map="OAM_CONFIG", key="omaApiKey", user="omaApiKey",
        password="<API KEY VALUE>")

      For example:

      createCred(map="OAM_CONFIG", key="omaApiKey", user="omaApiKey",
        password="ADDGFDGDFGRTERSDFSDFSDFTYERTERTASDASDASD")

  7. Verify the keys by logging into Fusion Middleware Control, navigating to Domain > Security > Credentials, and checking the OAM_CONFIG map for the keys input using the commands.

Note:

For information on how to update, delete or otherwise manage credentials using Fusion Middleware Control, see Securing Applications with Oracle Platform Security Services.

35.4.5 Creating a Java KeyStore for iOS Access Request (Push) Notifications

When using Access Request Notifications on iOS, create a Java KeyStore (JKS) by using the cert file and key file.

Once the JKS is created, rename it as APNsCertificate.jks and put it in the <domain>/config/fmwconfig directory of the Oracle Access Management installation. The JKS should contain the user's locally generated private key and the Apple Push Notification service (APNs) certificate downloaded from the Apple Developer Center.

The following sample commands generate and import the certificate:

openssl x509 -in aps_production.cer -inform DER -out aps_production.pem \
 -outform PEM

openssl pkcs12 -nocerts -in OMAKey.p12 -out OMAKey.pem

openssl pkcs12 -export -inkey OMAKey.pem -in aps_production.pem \
 -out iOS_prod.p12

keytool -import -keystore APNsCertificate.jks -file aps_production.cer \
 -alias PushCert

keytool -importkeystore -destkeystore APNsCertificate.jks \
 -deststoretype JKS -srcstoretype PKCS12 -srckeystore iOS_prod.p12

These commands assume:

  • aps_production.cer is the name of the APNs certificate downloaded from the Apple Developer Center.

  • OMAKey.p12 is the user's locally generated private key.

Also see Setting Credentials for UMS, iOS, and Android.

Note:

The section Maintain Your Certificates, Identifiers, and Profiles at the following Apple URL provides relevant information about app distribution certificates and APNs. https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/Introduction/Introduction.html

35.4.6 Configuring Host Name Verifier for Android Access Request (Push) Notifications

If you are setting up Android for Access Request notification, use the WebLogic console to update the WebLogic Managed Server for host name verification.

This step is required for Access Request notification configuration on Android only. It allows the verification of host names represented using wildcards; for example, *.googleapis.com.

To configure host name verifier for Android access requests (push) notifications:

  1. Navigate to base_domain -> Summary of Environment -> Summary of Servers -> oam_server1.
  2. Click the SSL tab.
  3. Expand Advanced and select the Hostname verification entry to configure the Hostname Verifier.
  4. Enter weblogic.security.utils.SSLWLSWildcardHostnameVerifier as the Custom Hostname Verifier.
  5. Click Save.
  6. Restart the oam_server1.

35.4.7 Configuring Access Manager for VPN in a Use Case

You can configure Access Manager for the case in which a user needs access to a protected resource through VPN software.

To configure Access Manager for VPN in a use case:

  1. Log into the Oracle Access Management Console as System Administrator.
  2. From the Application Security Launch Pad, click Application Domains in the Access Manager panel.

    The Application Domain tab is displayed.

  3. Click Search to display all available Application Domains.
  4. Click the Application Domain name that contains the resource being protected.

    The Application Domain opens in a new tab.

  5. Click Authentication Policies in the Application Domain tab.
  6. Click the name of the Authentication Policy that is being used to protect the particular resource for which two factor authentication is being configured.

    The appropriate Authentication Policy opens in a new tab.

  7. Click Advanced Rules in the Authentication Policy tab.
  8. Add a new rule by clicking the plus sign (+) under Post Authentication.

    The Add Rule dialog is displayed.

  9. Enter a Rule Name and the following Jython script.

    location.clientIP.startswith('10.')

    See Context Data for Advanced Rules.

  10. Select the AdaptiveAuthenticationScheme Authentication Scheme from the If Condition is True drop-down list.

    This Authentication Scheme will be used when the defined condition is true.

  11. Click Add and then Apply to complete the procedure.