This chapter documents the Environments pages in the Mobile Security Access Server (MSAS) console and describes how to configure security for individual MSAS instances. To open this page from the Mobile Security Launch Pad, select Environments in the Mobile Security Access Server section.
This chapter contains the following topics:
Use the Environments page to perform the following tasks in the MSAS environment:
View the total number of MSAS instances configured in the environment.
View the total number of applications deployed on the MSAS instances.
View the total number of URLs configured in the MSAS instances.
Navigate to the MSAS Instances Summary page to see summary information for each instance.
Navigate to the Mobile Security Access Server Applications Summary page to view summary details about each application.
Register a new MSAS instance with the MSM server.
The Environments page provides a high-level summary of the MSAS instances, applications, and URLs.
Element | Description |
---|---|
MSAS | Instances in the environment. Click to navigate to the MSAS Instances Summary page. |
Instances | Total number of MSAS instances registered in the environment. Click to navigate to the MSAS Instances Summary page. |
Applications | Total number of Mobile Security Access Server applications in all the MSAS instances in the environment. Click to navigate to the Mobile Security Access Server Applications Summary page. |
URLs | Total number of URLs configured in all the MSAS applications in the environment. |
Register Instance | Click to create a new logical MSAS instance and register the instance with the MSM server. After you register the instance, you can configure it in the MSAS Instance Configuration page. |
Display Name | Meaningful name used to identify the instance in the console. |
Name | Unique name used to identify the MSAS instance. It must adhere to the XML xs:NCName format using only valid NCName ASCII characters: for example, it must start with a letter or underscore (_), and cannot contain any space characters or colons (:). It must be unique within the MSAS environment. Non-ASCII characters are not supported. This field is required. The NCName format is defined in the W3C document Namespaces in XML 1.0 (Third Edition) at |
Description | Brief description of the instance. |
OK | Save the new instance. The MSAS Instance Configuration page displays, where you can provide configuration details. |
Cancel | Exit the Register MSAS Instance dialog without registering the instance. |
"Managing Mobile Security Access Server Instances" in Administering Oracle Mobile Security Access Server
Use the MSAS Instances Summary page to perform the following tasks in the Mobile Security Access Server environment:
Search for instances in the environment. You also can use this field to filter the number of instances displayed on the page.
View summary details for all instances in the environment, including number of applications and URLs.
Navigate to the MSAS Instance Configuration page for each instance.
Navigate to the MSAS Applications Summary page for each instance.
Delete MSAS instances.
Element | Description |
---|---|
Search | Enter all or part of an MSAS instance name in the search field and click Search. You can use the search field to filter the number of instances displayed. An empty string displays all instances in the environment. Wildcards are not recognized and are treated as plain text. Searches are case-insensitive. |
Instance name | Name of the instance that you specified when you created it. Click the instance name to access the MSAS Instance Configuration page. |
X | Delete the instance from the environment. Click X, then in the Delete MSAS Instance window click OK to delete the instance or Cancel to cancel the operation. When you delete the instance, all associated applications and URLs are also deleted. |
Applications | Total number of applications configured in the instance. Click Applications to access the Applications Summary page for the instance. |
URLs | Total number of URLs configured in all applications in the instance. |
Configure | Click to access the MSAS Instance Configuration page. |
Synchronize | Synchronize the MSAS instance configuration with the MSAS runtime server. Typically, synchronization occurs at a user-specified polling interval. Clicking Synchronize forces immediate synchronization, so you do not have to wait for the polling interval for the changes to take effect. |
Show More | View additional instances in the environment. By default, ten instances are displayed. Each time you click Show More, an additional five instances are shown. Note: You can adjust the screen width of the display area to view all of the instances. To do so, select the username in the upper right corner, then Screen Width, then the desired width. |
"Managing Mobile Security Access Server Instances" in Administering Oracle Mobile Security Access Server
Use the MSAS Instance Configuration page to perform the following tasks on an MSAS instance:
View or modify general configuration information.
View or configure identity store profiles.
View or configure authentication settings for the instance, such as trusted issuers.
View or configure keystore and message security settings.
View or configure the connection between the Mobile Security Access Server and the Mobile Security Manager.
View or configure the authentication endpoints for the instance.
View or configure outbound message, proxy server, and server settings.
The MSAS Instance Configuration page is arranged in the following tabs:
The General tab of the MSAS Instance Configuration page displays the instance name and description, the URLs of the physical MSAS instances to which this logical instance is bound, the number of URLs and applications in the instance, and version information for the configuration. You can modify the display name and the description of the instance.
Element | Description |
---|---|
Name | Unique identifier for the instance. This field is read-only. |
Display Name | Meaningful name used to identify the instance in the user interface. This field is editable. |
Description | Description of the instance. This field is editable. |
MSAS URLs | URLs of the physical MSAS instances to which this logical instance is bound. For details about creating a physical MSAS instance, see "Configuring an MSAS Instance." A logical MSAS instance can be bound to more than one physical instance. |
Host | Physical MSAS instance host. |
Port | Physical MSAS instance port. |
Stats | General statistics about the instance, in read-only mode. |
URLs | Total number of URLs added to all the applications in the MSAS instance. |
Applications | Total number of applications in the MSAS instance. |
The Version Information section provides details about the version of the MSAS instance in read-only mode.
Element | Description |
---|---|
Version Number | Number of times the MSAS instance has been updated. |
Last Updated | Timestamp of the last update to the MSAS instance. |
Updated By | User who last updated the MSAS instance. |
The Identity Store Profiles tab of the MSAS Instance Configuration page provides the ability to add an identity store profile to the MSAS instance, edit an existing profile, and set the default profile to be used by the instance. An identity store profile is a logical representation of a user repository. There can be multiple profiles associated with an MSAS instance, and one profile can be marked as the default against which all authentication and user profile queries will occur.
The Identity Store Profile table displays a list of the profiles defined in the MSAS instance.
Element | Description |
---|---|
Profile Name | Name of the identity store profile, unique within the MSAS instance. |
Directory Info | Host and port of the server hosting the directory configured in the profile. |
Perform the following actions for an identity store profile.
Action | Description |
---|---|
Add | Add an identity store profile to the MSAS instance. |
Edit | Edit an existing identity store profile. Select the profile name in the table and click Edit to display the Identity Store Profile page, where you can edit the fields as desired. |
Remove | Remove the identity store profile from the MSAS instance. Select the profile name in the table and click Remove. |
Set as default | Select the profile to use as the default. When set, all authentication and user profile queries occur against the default identity store profile. Select the profile name in the table and click Set as default. |
Use the Identity Store Profile page to define the identity store for the MSAS instance. You access this page using the Add or Edit actions on the Identity Store Profiles tab of the MSAS Instance Configuration page. It includes the following sections:
Element | Description |
---|---|
Name | Name of the identity store profile. |
Description | General description for the profile. |
The Directory Information section enables you to set the directory type, hostname, and credential details for the identity store, and to test the connection to the identity store.
Element | Description |
---|---|
Directory Type | Type of directory. Supported types are: |
Host Name | Host name of the server running the selected directory. |
Port | Port used to access the selected directory. |
Bind DN | Distinguished name (DN) of the user used to connect to the LDAP directory. |
Bind Password | Password used to connect to the selected directory. |
Confirm Password | Reenter the password used to connect to the selected directory. |
Base DN | LDAP search base under which all users and groups are located in the LDAP directory. For example, cn=ldap,dn=example,dc=com. |
SSL | If connecting using an SSL port, select this control to enable SSL. |
Trust Store Type | Type of the trust store. For Mobile Security Access Server, the supported trust store is KSS. This field is read-only. |
Trust Store Path | Fully qualified path to the trust store. By default, this path is kss://msas_id/ssltruststore, where msas_id is the MSAS ID of the instance with which this identity store profile is associated. This field is read-only. |
Test Connection | After completing all the required fields, click Test Connection to test the connection to the directory. |
The User Searchbase section enables you to set the user names, base DN, and object classes for the identity store profile.
Element | Description |
---|---|
Base DN | Container under which the users exist. For example, cn=users,dn=example,dc=com. |
Login ID Attribute | Attribute that contains the user's login ID. Typically this is the uid or mail attribute in LDAP. In Active Directory this is the UserPrincipalName attribute. |
Object Classes | Fully qualified names of the schema classes used to represent users. By default, this is set to the standard LDAP object class inetOrgPerson. |
Add | Click Add to add an object class, then enter the value in the Object Class Name field. |
Remove | Select an object class name from the table and click Remove to remove the name from the profile. |
The Group section enables you to set the group names, base DN, and object classes for the identity store profile.
Element | Description |
---|---|
Base DN | Search base for the group entries in the LDAP directory. For example, cn=group,dn=example,dc=com. |
Group Name Attribute | Attribute that uniquely identifies the name of the group or role. For example, cn. |
Object Classes | Fully qualified names of the schema classes used to represent groups. By default, this is the standard LDAP object class groupofuniquenames. In Active Directory this is group. |
Add | Click Add to add an object class, then enter the value in the Object Class Name field. |
Remove | Select an object class name from the table and click Remove to remove the name from the profile. |
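The User Searchbase and Group settings above determine the LDAP searches MSAS issues for a login. The following is an added example, not MSAS product code or anything from this documentation: it derives those searches from a constructed profile and escapes the login ID per RFC 4515 so a value supplied at login time cannot change the filter. The membership attribute per group object class (uniqueMember, member) is standard LDAP and Active Directory schema, not something the page states.

```python
# Added example (not MSAS product code): builds the LDAP searches implied by an
# identity store profile's User Searchbase and Group sections, with RFC 4515
# escaping of the user-controlled login ID.
from dataclasses import dataclass
from typing import List, Tuple

# Membership attribute for each group object class (standard LDAP / AD schema).
MEMBER_ATTRIBUTE = {
    "groupofuniquenames": "uniqueMember",   # RFC 4519 groupOfUniqueNames
    "groupofnames": "member",               # RFC 4519 groupOfNames
    "group": "member",                      # Active Directory group
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class IdentityStoreProfile:
    """Fields from the User Searchbase and Group sections of the profile page."""
    user_base_dn: str
    login_id_attribute: str          # e.g. uid, mail, or UserPrincipalName for AD
    user_object_classes: List[str]   # default: inetOrgPerson
    group_base_dn: str
    group_name_attribute: str        # e.g. cn
    group_object_classes: List[str]  # default: groupofuniquenames, or group for AD


def _object_class_clause(classes: List[str]) -> str:
    # One (objectClass=...) assertion per configured class; several classes are
    # ORed so that a user entry of any configured class is found.
    terms = "".join("(objectClass=%s)" % escape_filter_value(c) for c in classes)
    return terms if len(classes) == 1 else "(|%s)" % terms


def user_search(profile: IdentityStoreProfile, login_id: str) -> Tuple[str, str]:
    """Return (base DN, filter) that locates the user entry for a login ID."""
    filt = "(&%s(%s=%s))" % (
        _object_class_clause(profile.user_object_classes),
        profile.login_id_attribute,
        escape_filter_value(login_id),
    )
    return profile.user_base_dn, filt


def group_membership_search(profile: IdentityStoreProfile,
                            user_dn: str) -> Tuple[str, str]:
    """Return (base DN, filter) that lists the groups a user DN belongs to."""
    clauses = []
    for cls in profile.group_object_classes:
        attr = MEMBER_ATTRIBUTE.get(cls.lower())
        if attr is None:
            raise ValueError("no membership attribute known for object class %r" % cls)
        clauses.append("(&(objectClass=%s)(%s=%s))" % (
            escape_filter_value(cls), attr, escape_filter_value(user_dn)))
    filt = clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)
    return profile.group_base_dn, filt


if __name__ == "__main__":
    # Constructed profile matching the defaults described on the page.
    profile = IdentityStoreProfile(
        user_base_dn="cn=users,dc=example,dc=com",
        login_id_attribute="uid",
        user_object_classes=["inetOrgPerson"],
        group_base_dn="cn=groups,dc=example,dc=com",
        group_name_attribute="cn",
        group_object_classes=["groupofuniquenames"],
    )
    print(user_search(profile, "alice"))
    # A login ID carrying filter metacharacters is neutralised, not interpreted.
    print(user_search(profile, "*)(uid=*"))
    print(group_membership_search(profile, "uid=alice,cn=users,dc=example,dc=com"))
```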
The Authentication tab of the MSAS Instance Configuration page provides the ability to define the trusted issuers and clients for the MSAS instance. It includes the following sections:
The SAML Trust section enables you to define SAML trusted issuers and a list of trusted distinguished names (DNs) for SAML signing certificates for trusted servers and clients. You can also define token attribute rules, which allow you to define additional security constraints for the trusted STS server and for the trusted SAML client.
The list of SAML issuers that you define on this page becomes the default list that is applicable to all applications in this MSAS instance.
This configuration option is optional; it is available for users that require more fine-grained control to associate each issuer with a list of one or more signing certificates. If you do not define a list of DNs for a trusted issuer, then MSAS allows signing by any certificate, as long as that certificate is trusted by the certificates present in the MSAS keystore.
Use the Trusted STS table to define a trusted DN list for trusted STS servers. This list applies to SAML holder-of-key (HOK) and SAML bearer tokens.
Use the Trusted Clients table to define a trusted DN list for trusted clients. This list applies to SAML sender-vouches tokens.
Element | Description |
---|---|
Issuer Name | Name of the trusted issuer. The default value for the predefined SAML client policies is www.oracle.com. |
Issuer DN | Trusted DN for the trusted issuer. Select the row containing the issuer for which you want to define the DN list and enter it here. Use a string that conforms to RFC 2253. For example, the trusted DN for the trusted issuer |
Token Rules | Place your mouse over the icon to view the token rules configured for the DN in a pop-up window. |
Perform the following actions to add or delete SAML trusted issuers and DNs, and to configure token rules.
Action | Description |
---|---|
View | Select the Columns and Reorder Columns... options in this menu to specify which columns are visible and their order. |
Add | Add a trusted issuer. Click Add to add a new row to the table, then enter the trusted issuer and associated DN in the Issuer Name and Issuer DN fields. |
Delete | Delete a trusted issuer. Select the row containing the issuer to be deleted and click Delete. |
Configure Token Rule | Specify a token attribute rule for a trusted DN. Each rule has two parts: a name ID part and an attributes part listing the user attributes that a DN for a signing certificate can assert. The name ID and the attributes can each contain a filter with multiple value patterns. Select the row containing the DN for which you want to configure the rule and click Configure Token Rule. In the Token Rule window, add new rules, or delete or edit existing rules as required. |
The JWT Trust section enables you to define JWT trusted issuers and a list of trusted distinguished names (DNs) for JWT signing certificates. You can also define token attribute rules, which allow you to define additional security constraints for the trusted issuer.
The list of trusted issuers that you define on this page becomes the default list that is applicable to all applications in this MSAS instance.
This configuration option is optional; it is available for users that require more fine-grained control to associate each issuer with a list of one or more signing certificates. If you do not define a list of DNs for a trusted issuer, then MSAS allows signing by any certificate, as long as that certificate is trusted by the certificates present in the MSAS keystore.
Use the Trusted Issuer table to define a trusted DN list for trusted JWT issuers.
Element | Description |
---|---|
Issuer Name | Name of the trusted issuer. The default value for the predefined JWT client policies is www.oracle.com. |
Issuer DN | Trusted DN for the trusted issuer. Select the row containing the issuer for which you want to define the DN list and enter it here. Use a string that conforms to RFC 2253. For example, the trusted DN for the trusted issuer |
Token Rules | Place your mouse over the icon to view the token rules configured for the DN in a pop-up window. |
Perform the following actions to add or delete JWT trusted issuers and DNs, and to configure token rules.
Action | Description |
---|---|
View | Select the Columns and Reorder Columns... options in this menu to specify which columns are visible and their order. |
Add | Add a trusted issuer. Click Add to add a new row to the table, then enter the trusted issuer and associated DN in the Issuer Name and Issuer DN fields. |
Delete | Delete a trusted issuer. Select the row containing the issuer to be deleted and click Delete. |
Configure Token Rule | Specify a token attribute rule for a trusted DN. Each rule has two parts: a name ID part and an attributes part listing the user attributes that a DN for a signing certificate can assert. The name ID and the attributes can each contain a filter with multiple value patterns. Select the row containing the DN for which you want to configure the rule and click Configure Token Rule. In the Token Rule window, add new rules, or delete or edit existing rules as required. |
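The SAML Trust and JWT Trust sections above describe the same evaluation: the token's issuer must be listed, the signing certificate must be trusted by the MSAS keystore, and if a DN list exists for that issuer the signer's DN must be on it, after which the DN's token attribute rule constrains the name ID and asserted attributes. The block below is an added example, not MSAS product code, that models both tables and applies those checks to a constructed token; the issuer and DN values are made up, and shell-style wildcards are an assumed pattern syntax for rule values, since the page does not define one.

```python
# Added example (not MSAS product code): trusted-issuer DN lists with token
# attribute rules, evaluated against a constructed token.
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def normalize_dn(dn: str) -> str:
    """Canonical form of an RFC 2253 DN for comparison: split on unescaped commas,
    lowercase attribute types, strip whitespace, keep attribute values as given."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError("not an RFC 2253 DN: %r" % dn)
        attr_type, value = rdn.split("=", 1)
        rdns.append("%s=%s" % (attr_type.strip().lower(), value.strip()))
    return ",".join(rdns)


@dataclass
class TokenRule:
    """Name ID patterns and, per attribute, the value patterns this DN may assert."""
    name_id_patterns: List[str]
    attribute_patterns: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class TrustedDN:
    dn: str
    rule: Optional[TokenRule] = None


# Issuer Name -> Trusted DN list (an empty list means "no DN list defined").
TrustTable = Dict[str, List[TrustedDN]]


def _matches_any(value: str, patterns: List[str]) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def trusted_dn_for(trust: TrustTable, issuer: str, signer_dn: str,
                   signer_in_keystore: bool) -> Optional[TrustedDN]:
    """The issuer must be listed; the signing certificate must chain to the MSAS
    keystore; if a DN list exists for the issuer, the signer DN must be on it.
    Returns the matching TrustedDN (a synthetic one when there is no DN list)."""
    if issuer not in trust or not signer_in_keystore:
        return None
    dn_list = trust[issuer]
    if not dn_list:
        return TrustedDN(dn=signer_dn)   # no DN list: any keystore-trusted signer
    wanted = normalize_dn(signer_dn)
    for entry in dn_list:
        if normalize_dn(entry.dn) == wanted:
            return entry
    return None


def rule_permits(rule: Optional[TokenRule], name_id: str,
                 attributes: Dict[str, List[str]]) -> bool:
    """A DN without a rule may assert anything. With a rule, the name ID must match
    a name ID pattern and every asserted attribute value must match that
    attribute's patterns; attributes absent from the rule are not assertable
    (an interpretation of the page's wording, stated here as an assumption)."""
    if rule is None:
        return True
    if not _matches_any(name_id, rule.name_id_patterns):
        return False
    for attr, values in attributes.items():
        patterns = rule.attribute_patterns.get(attr)
        if patterns is None or not all(_matches_any(v, patterns) for v in values):
            return False
    return True


def accept_token(trust: TrustTable, token: Dict, signer_in_keystore: bool) -> bool:
    """token is a constructed dict with issuer, signer_dn, name_id and attributes."""
    entry = trusted_dn_for(trust, token["issuer"], token["signer_dn"],
                           signer_in_keystore)
    if entry is None:
        return False
    return rule_permits(entry.rule, token["name_id"], token.get("attributes", {}))


# Constructed trust table; issuer names and DNs are examples only.
TRUST: TrustTable = {
    "www.oracle.com": [
        TrustedDN("CN=sts, OU=IdP, O=Example, C=US",
                  TokenRule(["*@example.com"],
                            {"role": ["employee", "contractor-*"]})),
    ],
    "partner-idp": [],   # listed issuer with no DN list
}

if __name__ == "__main__":
    tok = {"issuer": "www.oracle.com", "signer_dn": "cn=sts,ou=IdP,o=Example,c=US",
           "name_id": "alice@example.com", "attributes": {"role": ["contractor-eu"]}}
    print(accept_token(TRUST, tok, signer_in_keystore=True))
```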
The Message Security tab of the MSAS Instance Configuration page provides the ability to configure the message protection settings required for the environment. It includes the following sections:
The Keystore section enables you to select the signature and encryption aliases for the default KSS keystore.
Element | Description |
---|---|
Key Store | Keystore to be used with the MSAS instance. For Mobile Security Access Server, the supported keystore is KSS. You cannot change the keystore type. |
Path | The KSS URI that points to the location of the keystore in KSS. By default, this path is kss://msas_id/keystore, where msas_id is the ID of the MSAS instance with which the keystore is associated and keystore is the stripe ID. This field is read-only. |
Sign Alias | Alias of the key used to sign the messages. This value must match the value in the keystore. Use Click to Add to add a signature alias using the Private Key for Signing window, which provides the following controls. |
Generate Keypair | Click to generate a keypair to use for the signature key. |
Alias | Alias of the keypair entry. |
Distinguished Name | Distinguished name of the certificate wrapping the keypair. |
Algorithm | Symmetric key algorithm. The default is RSA. |
Key Size | RSA key size. The default is 1024 bytes. |
Generate Keypair | Use this action to generate the keypair using the information provided. The keypair is added to the Pick a key table. |
Import from Keystore | Click to import a signature keypair and alias from the keystore. |
Choose File | Use this action to select a keypair to be imported from the file system. |
Keystore Password | Password for the keystore from which the signature key will be imported. |
Alias | Alias of the keypair to be imported. |
Alias Password | Alias password for the keypair to be imported. |
Import | Use this action to import the selected keypair into the keystore. It is added to the Pick a key table. |
Pick a key | List of the signature alias keys available. Select the alias from the table and click OK. |
Encrypt Alias | Alias of the key used to encrypt the messages. This value must match the value in the keystore. The following controls are available when adding an encryption alias. |
Generate Keypair | Click to generate a keypair to use for the encryption key. |
Alias | Alias of the keypair entry. |
Distinguished Name | Distinguished name of the certificate wrapping the keypair. |
Algorithm | Symmetric key algorithm. The default is RSA. |
Key Size | RSA key size. The default is 1024 bytes. |
Generate Keypair | Use this action to generate the keypair using the information provided. The keypair is added to the Pick a key table. |
Import from Keystore | Click to import an encryption keypair and alias from the keystore. |
Choose File | Use this action to select a keypair to be imported from the file system. |
Keystore Password | Password for the keystore from which the keypair will be imported. |
Alias | Alias of the keypair to be imported. |
Alias Password | Alias password for the keypair to be imported. |
Import | Use this action to import the selected keypair into the keystore. It is added to the Pick a key table. |
Pick a key | List of the encryption keys available. Select the alias from the table and click OK. |
The Security Settings section enables you to tune security policy enforcement by adjusting the default message timestamp skews between system clocks. You can also set the message expiration time.
Element | Description |
---|---|
Clock Skew | Tolerance of time differences, in seconds, between client and server machines. For example, when timestamps are sent in a message to a service that follows a different time zone, this property allows for a tolerance. The default value is 360,000 milliseconds (6 minutes). Enter a new value in the field or click the up/down arrows to increase or decrease the default value. You should configure this property to: |
Client Clock Skew | Tolerance of time, in seconds, that is used to calculate the NotBefore and NotOnOrAfter conditions for SAML or JWT token generation. Together, these conditions define the lower and upper boundaries that limit the validity of the token. The default is 0. Enter a new value in the field or click the up/down arrows to increase or decrease the default value. |
Message Expiration Time | Duration of time, in seconds, before a message expires after its creation. This property is used in cases where a timestamp is sent in the token to verify whether the timestamp has expired. The default value is 300,000 milliseconds (5 minutes). Enter a new value in the field or click the up/down arrows to increase or decrease the default value. You should configure this property to: |
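To make the interaction of Clock Skew, Message Expiration Time and Client Clock Skew concrete, the following is an added example, not MSAS product code: it accepts or rejects a received message timestamp using the page's default values, and computes the NotBefore/NotOnOrAfter window for a generated token. The token lifetime is an assumed parameter, since the page does not state how long issued tokens live, and the sample timestamps are constructed.

```python
# Added example (not MSAS product code): timestamp checks driven by the Security
# Settings values. Durations are in milliseconds, as on the page.
from datetime import datetime, timedelta
from typing import Tuple

DEFAULT_CLOCK_SKEW_MS = 360_000          # 6 minutes
DEFAULT_MESSAGE_EXPIRATION_MS = 300_000  # 5 minutes
DEFAULT_CLIENT_CLOCK_SKEW_S = 0


def ts(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp with offset, e.g. 2024-01-01T12:00:00+00:00."""
    return datetime.fromisoformat(iso)


def message_timestamp_ok(created: datetime, now: datetime,
                         clock_skew_ms: int = DEFAULT_CLOCK_SKEW_MS,
                         expiration_ms: int = DEFAULT_MESSAGE_EXPIRATION_MS) -> bool:
    """Accept a message whose Created timestamp is neither further in the future
    than the clock skew allows nor older than expiration time plus clock skew."""
    if created.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware to compare across zones")
    skew = timedelta(milliseconds=clock_skew_ms)
    lifetime = timedelta(milliseconds=expiration_ms)
    if created - now > skew:                 # sender's clock is too far ahead
        return False
    if now - created > lifetime + skew:      # message has expired
        return False
    return True


def token_validity_window(issued_at: datetime, token_lifetime_ms: int,
                          client_clock_skew_s: int = DEFAULT_CLIENT_CLOCK_SKEW_S
                          ) -> Tuple[datetime, datetime]:
    """NotBefore / NotOnOrAfter for a generated SAML or JWT token, widened on both
    sides by the Client Clock Skew so a slightly off client clock still accepts it."""
    skew = timedelta(seconds=client_clock_skew_s)
    not_before = issued_at - skew
    not_on_or_after = issued_at + timedelta(milliseconds=token_lifetime_ms) + skew
    return not_before, not_on_or_after


def token_valid_at(now: datetime, not_before: datetime,
                   not_on_or_after: datetime) -> bool:
    """NotBefore is inclusive, NotOnOrAfter is exclusive, as the names state."""
    return not_before <= now < not_on_or_after


if __name__ == "__main__":
    created = ts("2024-01-01T12:00:00+00:00")   # constructed
    print(message_timestamp_ok(created, ts("2024-01-01T12:10:00+00:00")))  # within 5+6 min
    print(message_timestamp_ok(created, ts("2024-01-01T12:12:00+00:00")))  # expired
    nbf, noa = token_validity_window(created, 300_000, client_clock_skew_s=60)
    print(nbf.isoformat(), noa.isoformat())
```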
The Policy Access tab of the MSAS Instance Configuration page provides the ability to configure the cache refresh time. It includes the following sections:
The Cache Management section provides the ability to configure the cache refresh time.
Element | Description |
---|---|
Cache Refresh Time | Number of milliseconds to wait between cache refreshes. The default is 86,400,000 milliseconds (24 hours). Enter a new value in the field or click the up/down arrows to increase or decrease the default value. |
Failure Retry Delay | Reserved for future use. |
User Record Delay | Reserved for future use. |
Failure Retry Count | Reserved for future use. |
Missing Documents Retry Delay | Reserved for future use. |
Initial Cache Refresh | Reserved for future use. |
The Authentication Endpoints tab of the MSAS Instance Configuration page provides the ability to configure the KINIT/PKINIT and OAuth2 endpoints, and the Crypto service. It includes the following sections:
The KINIT and PKINIT section of the Authentication Endpoints tab enables you to configure the properties of the Kerberos krb5.conf file, which is required for Kerberos Password Authentication (KINIT) and Public Key Cryptography for Initial Authentication (PKINIT) to work. The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and administration daemons for the Kerberos realms of interest, the default realm, default domain, default encryption types for Kerberos applications, and mappings of host names onto Kerberos realms. The values entered here are stored in the MSAS repository.
It includes the following sections:
The KINIT & PKINIT Realms section provides the ability to add, edit, and delete Kerberos realms. You must specify one realm as the default realm.
The Realms table displays a list of the realms defined in the MSAS instance.
Element | Description |
---|---|
Realm Name | Name of the Kerberos realm. |
Default | Flag indicating the default realm. |
Perform the following actions for Kerberos realms.
Action | Description |
---|---|
Add | Add a Kerberos realm to the MSAS instance. Click Add to display the Realm page. In the Realm page, complete the following fields, click OK, then click Apply. |
Name | Realm names can consist of any ASCII string. The realm name must match the REALM name defined during the Active Directory setup. |
KDC host | Host of the KDC server running the realm specified in the Name field. |
KDC port | Optional port of the KDC server running the realm specified in the Name field. |
Default Domain | Enter the name of the default domain in the field or select a default domain from the menu. |
Edit | Edit an existing Kerberos realm. Select the realm name in the table and click Edit to display the Realm page, where you can edit the fields as desired. |
Remove | Delete the Kerberos realm from the MSAS instance. Select the realm name in the table and click Remove. |
Set as default | Select the realm to use as the default. Select the realm name in the table and click Set as default. |
The KINIT & PKINIT Domains section provides the ability to add and delete DNS domains in the MSAS instance.
The Domains table displays a list of the domains defined in the realm.
Element | Description |
---|---|
Domain | DNS domain name. |
Realm | Kerberos realm associated with the domain. |
Perform the following actions for a domain.
Action | Description |
---|---|
Add | Add a DNS domain to the MSAS instance. Click Add and enter the name of the domain in the Domain field. Typically, the domain name is in lower case, for example example.com. Select the associated Realm from the menu, then click Apply. |
Remove | Remove the domain from the MSAS instance. Select the domain name in the table and click Remove, then click Apply. |
The KINIT & PKINIT Encryption section provides the ability to specify the type of Kerberos encryption the client must use when making requests to the KDC.
Element | Description |
---|---|
default TKT enctypes | Supported list of session key encryption types that the client should request when making an AS-REQ, in order of preference from highest to lowest. Select the encryption type from the menu. |
default TGS enctypes | Supported list of session key encryption types that the client should request when making a TGS-REQ, in order of preference from highest to lowest. Select the encryption type from the menu. |
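The Realms, Domains and Encryption settings above are the pieces of a krb5.conf file. The block below is an added example, not MSAS product code: it renders constructed values for those three sections into the corresponding krb5.conf text and enforces the constraints the page states (exactly one default realm, every domain bound to a defined realm, ASCII realm names). EXAMPLE.COM and the KDC host names are placeholders; the enctype names are standard MIT Kerberos identifiers.

```python
# Added example (not MSAS product code): krb5.conf rendering from the KINIT &
# PKINIT Realms, Domains and Encryption settings, with validation.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Realm:
    name: str
    kdc_host: str
    kdc_port: Optional[int] = None      # optional, as on the Realm page
    default_domain: Optional[str] = None
    default: bool = False


def validate(realms: List[Realm], domains: Dict[str, str]) -> None:
    """Raise ValueError for any configuration the KINIT/PKINIT page would reject."""
    names = [r.name for r in realms]
    for name in names:
        if not name or not name.isascii():
            raise ValueError("realm name must be a non-empty ASCII string: %r" % name)
    if len(set(names)) != len(names):
        raise ValueError("duplicate realm names")
    if sum(1 for r in realms if r.default) != 1:
        raise ValueError("exactly one realm must be set as default")
    for domain, realm in domains.items():
        if realm not in names:
            raise ValueError("domain %s refers to undefined realm %s" % (domain, realm))


def render_krb5_conf(realms: List[Realm], domains: Dict[str, str],
                     tkt_enctypes: List[str], tgs_enctypes: List[str]) -> str:
    """Build krb5.conf with [libdefaults], [realms] and [domain_realm] sections."""
    validate(realms, domains)
    default_realm = next(r.name for r in realms if r.default)
    lines = ["[libdefaults]",
             " default_realm = %s" % default_realm,
             " default_tkt_enctypes = %s" % " ".join(tkt_enctypes),
             " default_tgs_enctypes = %s" % " ".join(tgs_enctypes),
             "",
             "[realms]"]
    for r in realms:
        kdc = r.kdc_host if r.kdc_port is None else "%s:%d" % (r.kdc_host, r.kdc_port)
        lines.append(" %s = {" % r.name)
        lines.append("  kdc = %s" % kdc)
        if r.default_domain:
            lines.append("  default_domain = %s" % r.default_domain)
        lines.append(" }")
    lines.append("")
    lines.append("[domain_realm]")
    for domain, realm in sorted(domains.items()):
        # Map both the bare domain and every host under it (leading dot form).
        lines.append(" %s = %s" % (domain.lower(), realm))
        lines.append(" .%s = %s" % (domain.lower(), realm))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed values; EXAMPLE.COM and the KDC hosts are placeholders.
    conf = render_krb5_conf(
        realms=[Realm("EXAMPLE.COM", "kdc.example.com", 88, "example.com", default=True),
                Realm("PARTNER.EXAMPLE", "kdc.partner.example")],
        domains={"example.com": "EXAMPLE.COM", "partner.example": "PARTNER.EXAMPLE"},
        tkt_enctypes=["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
        tgs_enctypes=["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
    )
    print(conf)
```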
The KINIT & PKINIT Logging section provides the ability to configure the logging location for the Kerberos and KCM messages.
Element | Description |
---|---|
krb5 | Select the log location to be used for the Kerberos configuration. Supported options are: |
KCM | Select the log location to be used for the Kerberos Cache Manager (KCM). Supported options are: |
Edit Policy | Use this action to open the URL Policy Configuration page for the KINIT endpoint. It displays the internal policies attached to the on-request and on-response subjects. You can use this page to view details about the endpoint and attached policies. |
On-Request | The Http Kerberos password Authentication Service Policy is attached On-Request. This internal policy enables Kerberos password authentication. Select the policy name, or click the Options menu icon. Optionally, click the Overrides tab to configure property overrides or to add a Note: To ensure proper authentication on this endpoint, do not delete the default policy attachments or attach additional policies. |
On-Response | The Http Session Token Issue Policy is attached On-Response. This policy issues a session token with the authenticated user ID to the client. Select the policy name, or click the Options menu icon. Optionally, click the Overrides tab to configure property overrides or to add a Note: To ensure proper authentication on this endpoint, do not delete the default policy attachments or attach additional policies. |
Use the KINIT & PKINIT PKINIT Trust anchors section to enable the use of trust anchors for PKINIT authentication. PKINIT trust anchors are stored in the keystore.
Element | Description |
---|---|
Enable | Select this action to enable the use of PKINIT anchors to trust the authority issuing the KDC certificate, then select the trusted certificate from the table, or import a certificate into the truststore. The certificate you select must be the first certificate in the certificate chain. MSAS automatically fetches the complete chain using the selected certificate as the starting point. |
Truststore Location | Specifies the location of the trusted anchor (root) certificates that the client trusts to sign KDC certificates. Only KSS keystores are supported. This field is read-only. |
Choose File | Use this action to select a certificate to be imported from the file system. |
Alias | Alias of the PKINIT trust certificate to be imported. |
Import | Use this action to import the selected certificate into the truststore. It is added to the trusted certificate table. |
Select | Select the certificate to set the alias for the PKINIT trust anchor. |
X | To delete a certificate, click X in the row of the certificate to be deleted. In the Delete Key window, click Yes to confirm the deletion. |
Edit Policy | Use this action to open the URL Policy Configuration page for the PKINIT endpoint. It displays the internal policies attached to the on-request and on-response subjects. You can use this page to view details about the endpoint and attached policies. |
On-Request | The Http Kerberos PKI Authentication Service Policy is attached On-Request. This internal policy enables Kerberos PKI authentication. Select the policy name, or click the Options menu icon. Optionally, click the Overrides tab to configure property overrides or to add a Note: To ensure proper authentication on this endpoint, do not delete the default policy attachments or attach additional policies. |
On-Response | The Http Session Token Issue Policy is attached On-Response. This policy issues a session token with the authenticated user ID to the client. Select the policy name, or click the Options menu icon. Optionally, click the Overrides tab to configure property overrides or to add a Note: To ensure proper authentication on this endpoint, do not delete the default policy attachments or attach additional policies. |
Use the OAuth2 Confidential Client section of the Authentication Endpoints tab to specify the OAuth2 endpoint and specify the client ID and secret in the Credential Store Framework (CSF) for the OAuth2 confidential client.
Element | Description |
---|---|
Endpoint | OAuth Service Profile Endpoint at which the MSAS server creates JWT User Tokens and OAM Tokens for the OAuth2 Confidential Client Authentication flow. |
Edit Policy | Use this action to open the URL Policy Configuration page for the endpoint. It displays the internal policies attached to the on-request and on-response subjects. You can use this page to view details about the endpoint and attached policies. |
On-Request | The Http OAuth2 Confidential Client Over SSL Policy is attached On-Request. This internal policy performs OAuth2 Confidential Client Authentication and creates OAuth and OAM tokens. Select the policy name, or click the Options menu icon. Click the Overrides tab and enter the OAuth2 client CSF key in the Value field. Note: To ensure proper authentication on this endpoint, do not delete the default policy attachments or attach additional policies. |
On-Response | The Http Session Token Issue Policy is attached On-Response. This policy issues a session token with the authenticated user ID to the client. Select the policy name, or click the Options menu icon. Optionally, click the Overrides tab to configure property overrides or to add a Note: To ensure proper authentication on this endpoint, do not delete the default policy attachments or attach additional policies. |
Use the OAuth2 Mobile Client section of the Authentication Endpoints tab to specify the OAuth2 endpoint to which the client can connect, and specify the mobile client ID in the CSF for the OAuth2 Mobile Client flow.
Element | Description |
---|---|
Endpoint | OAuth Service Profile Endpoint at which the MSAS Server registers a container mobile application and can create JWT User Tokens and OAM Tokens for the OAuth2 Mobile Client Authentication flow. |
Edit Policy | Use this action to open the URL Policy Configuration page for the endpoint. It displays the internal policies attached to the on-request and on-response subjects. You can use this page to view details about the endpoint and attached policies. |
On-Request | The Http OAMMS Mobile Client Token Over SSL Service Policy is attached On-Request. This internal policy performs OAMMS Mobile Client Authentication and creates OAuth and OAM tokens. Select the policy name, or click the Options menu icon. Click the Overrides tab and enter the mobile client ID in the Value field. Note: To ensure proper authentication on this endpoint, do not delete the default policy attachments or attach additional policies. |
On-Response | The Http Session Token Issue Policy is attached On-Response. This policy issues a session token with the authenticated user ID to the client. Select the policy name, or click the Options menu icon. Optionally, click the Overrides tab to configure property overrides or to add a Note: To ensure proper authentication on this endpoint, do not delete the default policy attachments or attach additional policies. |
Use the Crypto Service section of the Authentication Endpoints tab to configure the Crypto Service with archive key aliases.
Element | Description |
---|---|
Key Rollover Aliases | Aliases of the archived keys in the keystore used by the keystore rollover feature. These key aliases are maintained as an ordered list: the first alias is the oldest, the second is the next oldest, and so on. |
Edit Policy | Use this action to open the URL Policy Configuration page for the endpoint. It displays the internal policies attached to the on-request and on-response subjects. You can use this page to view details about the endpoint and attached policies. |
On-Request | Two policies are attached by default: Note: To ensure proper authentication on this endpoint, you should not delete the default policy attachments or attach additional policies. |
On-Response | Click the Options menu icon to attach policies or templates if desired. There are no policies attached by default. |
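The ordered archive list described under Key Rollover Aliases is what lets tokens issued before a rollover stay verifiable until their key is retired. The following is an added example modelling that list, not MSAS code; the HMAC-SHA256 tag, the alias:tag token format and the retention limit are assumptions for illustration.

```python
"""Key rollover with an ordered archive of aliases, modelling the Key
Rollover Aliases list (oldest first) from the Crypto Service section.
Added example, not MSAS code; HMAC-SHA256 tags, the alias:tag token
format and the retention limit are assumptions for illustration."""
import hashlib
import hmac
import secrets

class RolloverKeystore:
    def __init__(self, current_alias: str, keystore: dict, max_archive: int = 2):
        self.keys = dict(keystore)        # alias -> key bytes (constructed keystore)
        self.current = current_alias      # alias used to issue new tokens
        self.archive = []                 # archived aliases, oldest first
        self.max_archive = max_archive    # how many archived keys stay verifiable

    def sign(self, payload: bytes) -> str:
        """Issue a token under the current key; the alias travels with the tag."""
        tag = hmac.new(self.keys[self.current], payload, hashlib.sha256).hexdigest()
        return f"{self.current}:{tag}"

    def verify(self, payload: bytes, token: str) -> bool:
        """Accept tokens from the current key or any still-archived key."""
        alias, _, tag = token.partition(":")
        if alias != self.current and alias not in self.archive:
            return False                  # unknown or already purged key
        expected = hmac.new(self.keys[alias], payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

    def rollover(self, new_alias: str) -> list:
        """Activate a fresh key, append the old current alias to the end of the
        archive (newest archived entry) and purge the oldest beyond max_archive.
        Returns the purged aliases so their tokens can be reported as rejected."""
        self.keys[new_alias] = secrets.token_bytes(32)
        self.archive.append(self.current)
        self.current = new_alias
        purged = []
        while len(self.archive) > self.max_archive:
            purged.append(self.archive.pop(0))   # first alias is the oldest
        for alias in purged:
            self.keys.pop(alias, None)
        return purged
```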
The System Settings tab of the MSAS Instance Configuration page provides the ability to configure the system settings for the instance. It includes the following sections:
The Outbound Message Settings section enables you to configure the client connection to back-end services.
Element | Description |
---|---|
Total Connections in pool | Maximum number of connections in a pool that a client can handle. The default is 512. |
Maximum Connections per host | Maximum number of connections in a pool, per host, that a client can handle. The default is 25. |
Connection Timeout | Maximum time in milliseconds a client waits when connecting to a back-end host. The default is 20,000 ms. |
Idle Connection pool Timeout | Maximum time in milliseconds a client keeps idle connections in the pool. The default is 180,000 ms (3 minutes). |
Request Timeout | Maximum time in milliseconds a client waits for a response. The default is 60,000 ms (1 minute). |
The Proxy Server Settings section enables you to configure the proxy server used for outbound calls to the internet through MSAS for back-end applications and services.
Element | Description |
---|---|
Name | Name that uniquely identifies the proxy server. This field is optional. |
Host Name | Host name of the proxy server. |
Port | Port number of the proxy server. |
User Name | User ID used to connect to the proxy server. Note: The User Name and Password are required only if the proxy server requires authentication. |
Password | Password corresponding to the User ID used to connect to the proxy server. |
Hostnames without proxy | List of hosts that will not use the proxy server. It supports the asterisk (*) wildcard, but only as a prefix or suffix. By default, this field contains the value |
The Server Settings section enables you to specify general settings for the MSAS server.
Element | Description |
---|---|
Load Balancer URL | Front-ending Load Balancer non-SSL URL, for example http://lbr.example.org:80. |
Load Balancer SSL URL | Front-ending Load Balancer SSL URL, for example https://lbr.example.org:443. |
Service Principal Name | This property maps a URL to a Service Principal Name. A Service Principal Name is required for NTLM and SPNEGO. Click Add to add a Service Principal Name and URL. To remove a Service Principal Name and URL, select the table row and click Remove. |
URL | URL mapped to the Service Principal Name. It supports the asterisk (*) wildcard anywhere in the URL, for example, http*://example.host*80/* or *.example.org. |
Service Principal Name | Service Principal Name in the form SPN_SERVICECLASS/SPN_HOSTNAME. |
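The two wildcard rules on this tab differ: the Hostnames without proxy list accepts `*` only as a prefix or suffix, while the Service Principal Name URL accepts it anywhere, and the SPN itself must be SPN_SERVICECLASS/SPN_HOSTNAME. The following added example (not MSAS code) implements both matchers and the SPN lookup; it assumes case-insensitive matching, that a pattern without `://` is matched against the host name only, and that the first matching SPN row wins.

```python
"""Wildcard matching for the "Hostnames without proxy" list and the Service
Principal Name URL table (added example, not MSAS code). Assumptions not on
the page: matching is case-insensitive, '*' matches any run of characters,
a pattern without '://' is matched against the host name, first SPN row wins."""
import re
from urllib.parse import urlsplit

def no_proxy_pattern_ok(pattern: str) -> bool:
    """The no-proxy list allows '*' only as a prefix or suffix, never inside."""
    core = pattern.strip("*")
    return core != "" and "*" not in core

def host_matches_no_proxy(host: str, pattern: str) -> bool:
    """Match one host against one no-proxy entry (prefix/suffix wildcards)."""
    if not no_proxy_pattern_ok(pattern):
        raise ValueError(f"'*' only allowed as prefix or suffix: {pattern!r}")
    host, core = host.lower(), pattern.strip("*").lower()
    if pattern.startswith("*") and pattern.endswith("*"):
        return core in host
    if pattern.startswith("*"):
        return host.endswith(core)
    if pattern.endswith("*"):
        return host.startswith(core)
    return host == core

def uses_proxy(url: str, no_proxy: list) -> bool:
    """True when the outbound call to url must go through the proxy server."""
    host = urlsplit(url).hostname or ""
    return not any(host_matches_no_proxy(host, p) for p in no_proxy)

def url_matches_spn_pattern(url: str, pattern: str) -> bool:
    """SPN URL patterns allow '*' anywhere, e.g. http*://example.host*80/*."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    subject = url if "://" in pattern else (urlsplit(url).hostname or "")
    return re.fullmatch(regex, subject, re.IGNORECASE) is not None

def validate_spn(spn: str) -> bool:
    """SPN must have the form SPN_SERVICECLASS/SPN_HOSTNAME, both non-empty."""
    parts = spn.split("/")
    return len(parts) == 2 and all(p.strip() for p in parts)

def resolve_spn(url: str, spn_table: list):
    """Return the SPN of the first matching (url_pattern, spn) row, else None."""
    for pattern, spn in spn_table:
        if not validate_spn(spn):
            raise ValueError(f"malformed SPN: {spn!r}")
        if url_matches_spn_pattern(url, pattern):
            return spn
    return None
```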
The SSL Settings section enables you to add certificates and keys for the outbound and inbound SSL HTTPS connections.
Element | Description |
---|---|
SSL TrustStore Location | Read-only field that specifies the location of the SSL trust store. Only the KSS keystore type is supported, so the value must be a KSS URI. |
Server Certificate | To import a certificate, select Click to import to open the Server Certificate page, where you can import a certificate into the truststore. Note: Only Base64-encoded certificates are supported. |
Choose File | Use this action to select the certificate to be imported from the file system. |
Alias | Truststore alias. |
Certificate Type | Type of certificate to be imported. Supported options are: |
Import | Use this option to import the selected certificate into the truststore. It is added to the certificate table. |
X | To delete a certificate, click X in the row of the certificate to be deleted. Click Yes to confirm the deletion. |
SSL Keystore Location | Read-only field that specifies the location of the SSL keystore. The SSL keystore is used for inbound SSL connections to MSAS and as the MSAS identity keystore. Only the KSS keystore type is supported, so the value must be a KSS URI. |
Private Key | To add a private key, click Click to add to open the Private Key page, where you can generate a keypair or import a key from a JKS keystore. |
Generate Keypair | Use this option to generate a private keypair for the MSAS SSL identity key. |
Alias | Alias of the keypair entry. |
Distinguished Name | Distinguished name of the certificate wrapping the keypair. |
Algorithm | Symmetric key algorithm. The default is RSA. |
Key Size | RSA key size. The default is 1024 bytes. |
Generate Keypair | Generate the keypair using the information provided. The key is added to the keypair table. |
Import from Keystore | Click to import a Java keystore file into the keystore service. |
Choose File | Use this option to select a Java keystore file. |
Keystore Password | Password for the JKS keystore from which the keypair will be imported. |
Alias | Alias of the keypair to be imported. |
Alias Password | Alias password for the keypair to be imported. |
Import | Import the selected keypair into the KSS keystore. It is added to the keypair table. |
X | To delete a keypair, click X in the row of the keypair to be deleted. Click Yes to confirm the deletion. |
The Log Configuration section enables you to configure run-time logging levels for MSAS sub-components. The configuration specified here applies to the logical MSAS instance, and is used by all physical MSAS instances to which the logical instance is bound.
Element | Description |
---|---|
Logger Name | Name of the logger. The root logger is populated by default. All loggers for which the level is not explicitly configured inherit from the root logger. |
Logging Level (Java Level) | Select a logging level from the menu. Valid values are: |
Perform the following actions for log level configuration.
Action | Description |
---|---|
Add | Add an MSAS logger to the MSAS instance. Click Add and enter the name of the logger in the Logger Name field. Available loggers are: Then select the desired logging level from the menu and click Apply at the top of the page. |
Remove | Remove the logger from the MSAS instance. Select the logger name in the table and click Remove. |
"Configuring a Mobile Security Access Server Instance" in Administering Oracle Mobile Security Access Server