Oracle® Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management
11g Release 2 (11.1.2.2.0)

Part Number E28523-11

14 Integrating Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager on IBM WebSphere

This chapter documents how to integrate Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager on IBM WebSphere. The following integrations are covered.

14.1 Integrating Access Manager and Oracle Identity Manager on IBM WebSphere

This section contains information about integrating Access Manager with Oracle Identity Manager using the IBM HTTP Server (IHS) WebGate 11g on IBM WebSphere.

This section includes the following topics:

14.1.1 Integration Roadmap

The process of integrating Access Manager with Oracle Identity Manager on IBM WebSphere includes the following high-level tasks.

Table 14-1 Integration Flow for Access Manager and Oracle Identity Manager on IBM WebSphere

  1. Install Oracle Identity Manager on a WebSphere server.

    For information, see Installing and Configuring Oracle Identity and Access Management on IBM WebSphere.

  2. Enable LDAP synchronization for Oracle Identity Management.

    For information, see:

    in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  3. Install Oracle Access Management on a WebSphere server.

    For information, see Installing and Configuring Oracle Identity and Access Management on IBM WebSphere.

    If necessary, Oracle Access Management can be installed in the same WebSphere cell as Oracle Identity Manager.

  4. Install IBM HTTP Server (IHS) 7.0.

    Download IBM HTTP Server version 7.0.0.0 from the IBM web site. Install the IHS 7 software using the default values.

  5. Install and configure the IHS 11g Webgate for OAM.

    For information, see "Installing and Configuring IHS 11g Webgate for OAM" in Installing Webgates for Oracle Access Management.

    Install the IHS 11g Webgate on the IBM HTTP Server (IHS) host.

  6. Install WebServer Plug-in for WebSphere Application Server 7.0 on each WebSphere Application Server machine.

    Download WebServer Plug-in for WebSphere Application Server 7.0 from the IBM web site. Install the software using the default values.

  7. Add an IHS Web server reverse proxy.

    For information, see Configure Additional IHS Web Server Reverse Proxies (Optional).

  8. Configure the Identity Store.

    For information, see Configuring the Identity Store.

  9. Configure the OAM TAI configuration file.

    For information, see Configuring the OAM TAI Configuration File.

  10. Restart all the servers in the OIM WebSphere cell.

    For information, see Restart the OIM Servers.

  11. Copy the OAM 11g SSO agent artifacts.

    For information, see Copy the OAM 11g SSO Agent Artifacts.

  12. Configure IHS to route requests to Oracle Identity Manager.

    For information, see Configure the Web Server to Route Requests to OIM on WebSphere.


14.1.2 Configure Additional IHS Web Server Reverse Proxies (Optional)

Complete the steps in this section to configure additional IHS Web servers to use as reverse proxies.

  1. Start the IBM HTTP Server using the adminctl command as the root user.

    bin/adminctl start

  2. Open the WebSphere administrative console.

    Refer to the IBM documentation for IBM HTTP Server for details.

  3. Choose Servers > Server Types > Web servers.

    Click New to add a new Web server to WebSphere.

  4. Specify the Web server name, type, host name, and platform and click Next.

  5. Select the template name on the "Select a Web server template" screen.

  6. Type the properties for the IBM HTTP Server and the IBM HTTP Server Administration Server, and click Next.

  7. Confirm the new Web server properties and click Finish.

  8. Select the newly created Web server and click Generate Plug-in.

    Next, click Propagate Plug-in.

  9. Click Save to save the configuration to the master configuration.

  10. Start the new Web server.

14.1.3 Configuring the Identity Store

The Identity Store must be configured so that it can be used by Access Manager, Oracle Identity Management, and WebSphere. It must be seeded with the required users and groups.

Use idmConfigTool to configure the Identity Store.

Note:

Refer to the "Using the idmConfigTool Command" chapter in the Integration Guide for Oracle Management Suite for information about idmConfigTool. The following steps assume that you understand the conceptual information provided in that chapter.

14.1.3.1 Set the Environment Variables for idmConfigTool

Set the following environment variables before running idmConfigTool.

If Oracle Identity Manager and Oracle Access Management are installed on different WebSphere cells, set the environment variable for each cell.

Set each variable as follows:

  • MW_HOME - Set to the full path of the installation's Middleware home.

  • ORACLE_HOME - Set to the full path of the Oracle home. For IDM integrations, set to Oracle_IDM1.

  • APPSERVER_TYPE - Set to was.

  • WAS_HOME - Set to the full path of the WebSphere application server home directory. For example:

      /WASSH/WebSphere/AppServer

  • JAVA_HOME - Set to the full path of the IBM JDK. For example:

      /WASSH/WebSphere/AppServer/java

    Important: Do not use a JDK other than the IBM JDK.

  • WAS_DMGR_PROFILE_HOME - Set to the deployment manager profile home directory, as an absolute path. For example:

      /WASSH/WebSphere/AppServer/profiles/Dmgr01

    The deployment manager deploys applications to a cell of application servers, which it manages. A profile defines the runtime environment and includes all of the configurable files that the server processes in that environment.

14.1.3.2 Run idmConfigTool

At a command prompt, run the following idmConfigTool commands in this order.

For information about command syntax and the use of properties files, see the "Syntax and Usage" section of the "Using the idmConfigTool Command" chapter.

  1. Stop the Oracle Identity Manager, SOA, and OracleAdminServer servers, as well as the NodeAgent in the OIM WebSphere cell.

    For instructions, refer to the WebSphere Application Server documentation.

  2. Locate the preConfigIDStore.props properties file in the idmCfgToolProps directory. See the "Using the idmConfigTool Command" chapter for an example preConfigIDStore.props properties file.

    Run the preConfigIDStore command from the OAM WAS cell as follows:

    ./idmConfigTool.sh -preConfigIDStore input_file=/idmCfgToolProps/preConfigIDStore.props
    
  3. Create the wasadmin user by running the prepareIDStore mode=WAS command.

    The properties file for this command is similar to the properties file for the prepareIDStore mode=WLS command, except that the IDSTORE_WASADMINUSER property is specified.

    Here is a sample properties file.

    IDSTORE_HOST : xyz1234.us.example.com
    IDSTORE_PORT : 3060
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_WASADMINUSER: wasadmin
    IDSTORE_USERSEARCHBASE: cn=Users,dc=us,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=us,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=us,dc=example,dc=com
    

    Create the properties file and run the command from the OIM WAS cell. In this example the properties file is named prepareIDStore.props:

    ./idmConfigTool.sh -prepareIDStore mode=WAS input_file=/idmCfgToolProps/prepareIDStore.props
    
  4. Run the prepareIDStore mode=OAM command from the OAM WAS cell.

    ./idmConfigTool.sh -prepareIDStore mode=OAM input_file=/scratch/idmCfgToolProps/prepareIDStore.props.oam.template
    
  5. Prepare to run the prepareIDStore mode=OIM command from the OIM WAS cell by creating a properties file.

    Here is a sample properties file.

    IDSTORE_HOST: xyz5678.us.example.com
    IDSTORE_PORT: 3060
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=us,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=us,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=us,dc=example,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=us,dc=example,dc=com
    IDSTORE_OIMADMINUSER: oimLDAP
    IDSTORE_OIMADMINGROUP: OIMAdministrators
    OIM_DB_URL: jdbc:oracle:thin:@xyz5678.us.example.com:5522:wasdb1
    OIM_DB_SCHEMA_USERNAME: dev_oim
    OIM_WAS_CELL_CONFIG_DIR: /wassh/WebSphere/AppServer/profiles/Dmgr04/config/cells/xyz5678Cell04/fmwconfig
    

    The following prepareIDStore mode=OIM command properties are specific to WebSphere:

    • OIM_DB_URL - The OIM DB connection URL.

    • OIM_DB_SCHEMA_USERNAME - The OIM DB schema user.

    • OIM_WAS_CELL_CONFIG_DIR - Location of the fmwconfig directory within the OIM cell.


    Create and save the properties file.

    Run the command from the OIM WAS cell. In this example the properties file is named prepareIDStore.props.oim.template:

    ./idmConfigTool.sh -prepareIDStore mode=OIM input_file=/idmCfgToolProps/prepareIDStore.props.oim.template
    
  6. Prepare to run the configOAM command from the OAM WAS cell by creating a properties file.

    Here is a sample properties file.

    WLSHOST: abc1234.us.example.com
    WLSPORT: 9810
    WLSADMIN: orcladmin
    WLSPASSWD: welcome1
    IDSTORE_HOST: xyz5678.us.example.com
    IDSTORE_PORT: 3060
    IDSTORE_DIRECTORYTYPE: OID
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=us,dc=example,dc=com
    IDSTORE_USERSEARCHBASE: cn=Users,dc=us,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=us,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=us,dc=example,dc=com
    IDSTORE_OAMSOFTWAREUSER: oimLDAP
    IDSTORE_OAMADMINUSER: oamadmin
    PRIMARY_OAM_SERVERS: abc1234.us.example.com:5575
    WEBGATE_TYPE: ohsWebgate11g
    ACCESS_GATE_ID: oimwebgate
    OAM11G_IDM_DOMAIN_OHS_HOST: abc1234.us.example.com
    OAM11G_IDM_DOMAIN_OHS_PORT: 7777
    OAM11G_IDM_DOMAIN_OHS_PROTOCOL: http
    OAM11G_WG_DENY_ON_NOT_PROTECTED: false
    OAM_TRANSFER_MODE: open
    OAM11G_OAM_SERVER_TRANSFER_MODE: open
    OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
    COOKIE_DOMAIN: .us.example.com
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
    OAM11G_SSO_ONLY_FLAG: false
    OAM11G_OIM_INTEGRATION_REQ: true
    OAM11G_IMPERSONATION_FLAG: true
    OAM11G_SERVER_LBR_HOST: abc1234.us.example.com
    OAM11G_SERVER_LBR_PORT: 14100
    OAM11G_SERVER_LBR_PROTOCOL: http
    COOKIE_EXPIRY_INTERVAL: 120
    OAM11G_OIM_OHS_URL: http://tx401alu.us.example.com:7777
    OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
    

    The following configOAM command properties have WebSphere-specific meanings:

    • WLSHOST - The WebSphere Application Server host.

    • WLSPORT - The WebSphere Application Server bootstrap port.

    • WLSADMIN - Login ID for the OAM WebSphere Admin console.

    • WLSPASSWD - (Optional) Login password for the OAM console/WebSphere Admin console. To ensure security, do not save the password in the properties file.


    Create and save the properties file.

    Run the command from the OAM WAS cell. In this example the properties file is named oamcfg.props:

    ./idmConfigTool.sh -configOAM input_file=/oamcfg.props
    
  7. Update the virtual host configuration.

    In the WebSphere console on the OAM host, choose Environment > Virtual Hosts > default_host > Host Aliases.

    Add the new IBM HTTP Server host and port, then restart the Oracle Access Management (OAM) server.

  8. Prepare to run the idmConfigTool.sh -configOIM command by creating a properties file.

    Here is a sample properties file.

    LOGINURI: /${app.context}/adfAuthentication
    LOGOUTURI: /oamsso/logout.html
    AUTOLOGINURI: None
    ACCESS_SERVER_HOST: abc1234.us.example.com
    ACCESS_SERVER_PORT: 5575
    ACCESS_GATE_ID: oimwebgate
    COOKIE_DOMAIN: .us.example.com
    COOKIE_EXPIRY_INTERVAL: 120
    OAM_TRANSFER_MODE: OPEN
    WEBGATE_TYPE: ohsWebgate10g
    SSO_ENABLED_FLAG: true
    IDSTORE_PORT: 3060
    IDSTORE_HOST: xyz5678.us.example.com
    IDSTORE_DIRECTORYTYPE: OID
    IDSTORE_ADMIN_USER: cn=orcladmin
    IDSTORE_USERSEARCHBASE: cn=Users,dc=us,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=us,dc=example,dc=com
    MDS_DB_URL: jdbc:oracle:thin:@xyz5678.us.example.com:5522:wasdb1
    MDS_DB_SCHEMA_USERNAME: dev_mds
    WLSHOST: xyz5678.us.example.com
    WLSPORT: 9809
    WLSADMIN: wasadmin
    DOMAIN_NAME: IDMDomain
    OIM_MANAGED_SERVER_NAME: oim_server1
    DOMAIN_LOCATION: /IDMPS2/user_projects/domains/IDMDomain
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_SEARCHBASE: dc=us,dc=example,dc=com
    OIM_WEB_SERVER_HOST: tx401alu.us.example.com
    OIM_WEB_SERVER_PORT: 7777
    OAM11G_WLS_ADMIN_HOST: abc1234.us.example.com
    OAM11G_WLS_ADMIN_PORT: 9810
    OAM11G_WLS_ADMIN_USER: wasadmin
    

    The following notes apply to this properties file:

    • The ACCESS_SERVER_PORT must be the Access Manager NAP port.

    • If your OAM Servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to SIMPLE. Otherwise set OAM_TRANSFER_MODE to OPEN.

    • Set WEBGATE_TYPE to ohsWebgate11g if Webgate version 11 is used, or ohsWebgate10g if Webgate version 10 is used.

    • Set IDSTORE_PORT to your Oracle Internet Directory port if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory port.

    • Set IDSTORE_HOST to your Oracle Internet Directory host or load balancer name if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory host or load balancer name.

    • Set IDSTORE_DIRECTORYTYPE to OVD if you are using Oracle Virtual Directory server to connect to either a non-OID directory or Oracle Internet Directory. Set it to OID if your Identity Store is in Oracle Internet Directory and you are accessing it directly rather than through Oracle Virtual Directory.

    • MDS_DB_URL in this case represents a single instance database. The string following the '@' symbol must have the correct values for your environment. SID must be the actual SID, not a service name. If you are using a single instance database, then set MDS_DB_URL to: jdbc:oracle:thin:@DBHOST:1521:SID.

    • The value of IDSTORE_ADMIN_USER must contain the complete LDAP DN of the user. The entry should be similar to "cn=oamadmin,cn=Users,dc=myhost,dc=mycompany,dc=com" instead of just "oamadmin".

    • Set WLSPORT to the WebSphere bootstrap port for Oracle Identity Manager (OIM).

    • Set WLSADMIN to the primary administrative user name configured in the OIM WebSphere cell. This is wasadmin by default. If the configOIM command is being re-run, provide the current primary administrative user name configured in the OIM WebSphere cell.

    • Set DOMAIN_NAME to the WebSphere cell name.

    • Set DOMAIN_LOCATION to the cell home. For example:

      <WAS_HOME>/profiles/Dmgr01/config/cells/<host name>

    • Set OAM11G_WLS_ADMIN_PORT to the WebSphere bootstrap port of Oracle Access Management (OAM).

    • Set OAM11G_WLS_ADMIN_USER to the primary administrative user name configured in the OAM WebSphere cell.

    Note:

    If Oracle Identity Manager (OIM) and Oracle Access Management (OAM) are configured in two different WebSphere cells, you must specify the following properties:

    • OAM11G_WLS_ADMIN_HOST

    • OAM11G_WLS_ADMIN_PORT

    • OAM11G_WLS_ADMIN_USER

    If OIM and OAM are part of the same WebSphere cell, you do not have to specify these properties.

    The following configOIM command properties are specific to WebSphere:

    • IDSTORE_SEARCHBASE - The ID store search base.

    • OIM_WEB_SERVER_HOST - The IBM HTTP Server (IHS) host or Oracle HTTP Server (OHS) host.

    • OIM_WEB_SERVER_PORT - The IBM HTTP Server (IHS) port or Oracle HTTP Server (OHS) port.


    Create and save the properties file.

    Run the command from the OIM WAS cell. In this example the properties file is named oimcfg.props:

    ./idmConfigTool.sh -configOIM input_file=/oimcfg.props
    

    When prompted for WLS passwords for OIM/OAM, provide the corresponding WebSphere dmgr admin user passwords:

    • When prompted for WLSPASSWD, enter the OIM WebSphere admin password, for example: welcome1

    • When prompted for OAM11G_WLS_ADMIN_PASSWD, enter the OAM WebSphere admin password, for example: welcome1
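As an added example that is not part of the Oracle documentation, the following Python script lints a configOAM or configOIM properties file against the rules stated in steps 6 and 8 above: no WLSPASSWD or OAM11G_WLS_ADMIN_PASSWD saved on disk, OAM_TRANSFER_MODE of OPEN or SIMPLE, a complete DN in IDSTORE_ADMIN_USER, an SID-style MDS_DB_URL or OIM_DB_URL, the WebSphere-specific configOIM keys present, and the three OAM11G_WLS_ADMIN_* keys present when OIM and OAM run in different cells. The sample properties text, the function names and the command argument are constructed for this example.

```python
import re

# Constructed sample configOIM properties file (shaped like the page's example;
# the values are constructed) with deliberate mistakes for the linter to report:
# a saved password, a bare user name instead of a DN, a service-name JDBC URL,
# a missing IDSTORE_SEARCHBASE and an incomplete OAM11G_WLS_ADMIN_* set.
SAMPLE_OIMCFG = """\
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
OAM_TRANSFER_MODE: OPEN
WEBGATE_TYPE: ohsWebgate11g
IDSTORE_HOST: xyz5678.us.example.com
IDSTORE_PORT: 3060
IDSTORE_DIRECTORYTYPE: OID
IDSTORE_ADMIN_USER: oamadmin
MDS_DB_URL: jdbc:oracle:thin:@xyz5678.us.example.com:5522/wasdb1
WLSHOST: xyz5678.us.example.com
WLSPORT: 9809
WLSADMIN: wasadmin
WLSPASSWD: welcome1
DOMAIN_NAME: IDMDomain
OIM_WEB_SERVER_HOST: tx401alu.us.example.com
OIM_WEB_SERVER_PORT: 7777
OAM11G_WLS_ADMIN_HOST: abc1234.us.example.com
"""

# idmConfigTool prompts for these at run time; they must not be written to disk.
SECRET_KEYS = ("WLSPASSWD", "OAM11G_WLS_ADMIN_PASSWD")
# configOIM properties the page lists as WebSphere-specific.
REQUIRED_OIM_WAS_KEYS = ("IDSTORE_SEARCHBASE", "OIM_WEB_SERVER_HOST", "OIM_WEB_SERVER_PORT")
# Needed by configOIM only when OIM and OAM live in different WebSphere cells.
CROSS_CELL_KEYS = ("OAM11G_WLS_ADMIN_HOST", "OAM11G_WLS_ADMIN_PORT", "OAM11G_WLS_ADMIN_USER")
# jdbc:oracle:thin:@DBHOST:PORT:SID -- a colon before the SID; "/name" would be a service name.
SID_URL = re.compile(r"^jdbc:oracle:thin:@[^:/@]+:\d+:[A-Za-z0-9_$#]+$")


def parse_props(text):
    """Parse 'KEY: value' lines (the idmConfigTool layout) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            props[key.strip()] = value.strip()
    return props


def lint_props(props, command="configOIM", same_cell=False):
    """Return (key, message) findings for a configOAM or configOIM properties dict."""
    findings = []
    for key in SECRET_KEYS:
        if props.get(key):
            findings.append((key, "password stored in the properties file; remove it and enter it at the prompt"))
    if "OAM_TRANSFER_MODE" in props and props["OAM_TRANSFER_MODE"].upper() not in ("OPEN", "SIMPLE"):
        findings.append(("OAM_TRANSFER_MODE", "must be OPEN or SIMPLE"))
    if "WEBGATE_TYPE" in props and props["WEBGATE_TYPE"] not in ("ohsWebgate11g", "ohsWebgate10g"):
        findings.append(("WEBGATE_TYPE", "must be ohsWebgate11g or ohsWebgate10g"))
    if "IDSTORE_DIRECTORYTYPE" in props and props["IDSTORE_DIRECTORYTYPE"] not in ("OID", "OVD"):
        findings.append(("IDSTORE_DIRECTORYTYPE", "must be OID or OVD"))
    if "IDSTORE_ADMIN_USER" in props and "=" not in props["IDSTORE_ADMIN_USER"]:
        findings.append(("IDSTORE_ADMIN_USER", "must be the complete LDAP DN, not a bare user name"))
    for key in ("MDS_DB_URL", "OIM_DB_URL"):
        if key in props and not SID_URL.match(props[key]):
            findings.append((key, "must be jdbc:oracle:thin:@DBHOST:PORT:SID (an SID, not a service name)"))
    if command == "configOIM":
        for key in REQUIRED_OIM_WAS_KEYS:
            if key not in props:
                findings.append((key, "WebSphere-specific configOIM property is missing"))
        if not same_cell:
            for key in CROSS_CELL_KEYS:
                if key not in props:
                    findings.append((key, "required when OIM and OAM are in different WebSphere cells"))
    return findings


def lint_text(text, command="configOIM", same_cell=False):
    """Lint a properties file given as text; an empty list means no findings."""
    return lint_props(parse_props(text), command, same_cell)


if __name__ == "__main__":
    for key, message in lint_text(SAMPLE_OIMCFG):
        print(f"{key}: {message}")
```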

14.1.3.3 Configure the OAM TAI Configuration File

Configure oamtai.xml for your environment. See Section 6.9.5.2, "Configuring the OAM TAI Configuration File" for details.

14.1.4 Restart the OIM Servers

Restart all of the servers in the OIM WAS cell. Restart the OIM Dmgr, sync the node, and then start the node agent and the other servers in the following order.

Note - In the following sample commands, change the host name, port, user name, and password as appropriate.

Stop and Start OIM Dmgr

/WASSH/WebSphere/AppServer/profiles/Dmgr01/bin/stopManager.sh -username wasadmin -password welcome1
 
/WASSH/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh

Restart Sync Node

In the following sample command, replace the values described below with values for your environment:

/WASSH/WebSphere/AppServer/profiles/Custom01/bin/syncNode.sh deploymgrHost.us.example.com 8881 -username wasadmin -password welcome1

  • deploymgrHost.us.example.com - Provide the host name of the OIM cell's deployment manager.

  • 8881 - Provide the SOAP port (SOAP_CONNECTOR_ADDRESS) of the OIM cell's deployment manager.

  • wasadmin - Provide the "primary administrative user name" configured in the OIM WebSphere cell.

  • welcome1 - Provide the password of the primary administrative user.

Start the Node Agent and Servers

Start the servers as follows:

/WASSH/WebSphere/AppServer/profiles/Custom01/bin/startNode.sh
 
/WASSH/WebSphere/AppServer/profiles/Custom01/bin/startServer.sh soa_server1
 
/WASSH/WebSphere/AppServer/profiles/Custom01/bin/startServer.sh oim_server1
 
/WASSH/WebSphere/AppServer/profiles/Custom01/bin/startServer.sh OracleAdminServer 

14.1.5 Copy the OAM 11g SSO Agent Artifacts

Complete the following steps.

  1. Copy the OAM 11g SSO Agent artifacts created after running configOAM to the IHS webgate configuration location.

    For example, the following OAM 11g SSO Agent artifacts are created after running configOAM:

    <WAS_HOME>/profiles/Custom01/output/<webgate name>/

    These artifacts should be copied to the following location:

    <WebGate Instance Directory>/webgate/config

  2. Restart IBM HTTP Server (IHS) or Oracle HTTP Server (OHS).

14.1.6 Configure the Web Server to Route Requests to OIM on WebSphere

  1. Open the IBM HTTP Server (IHS) or Oracle HTTP Server (OHS) httpd.conf file and locate the WebSpherePluginConfig entry, for example:

    WebSpherePluginConfig /scratch/mw/was-plugin/config/ohsSLC/plugin-cfg.xml
    
  2. Open the following file:

    /mw/was-plugin/config/ohsSLC/plugin-cfg.xml
    

    Edit the file as follows:

    1. Locate the UriGroup element and add the following entries:

      <Uri Name="/identity/"/>
      <Uri Name="/sysadmin/"/>
      <Uri Name="/oim/"/>

    2. Locate the VirtualHostGroup element and make sure the "default_host" VirtualHostGroup has an entry as follows:

      <VirtualHost Name=":XXXX"/>

      where XXXX is the HTTP Server port, for example: 7777.

    3. Locate the ServerCluster element and make sure that the Transport elements have the correct OIM and OAM WebSphere HOST and PORT properties configured:

      <Transport Hostname="sdf1234.us.example.com" Port="14000" Protocol="http"/>
      <Transport Hostname="sdf1234.us.example.com" Port="14001" Protocol="https">
        <Property name="keyring" value="/scratch/aime1/ihs-webgate/Plugins/etc/plugin-key.kdb"/>
        <Property name="stashfile" value="/scratch/aime1/ihs-webgate/Plugins/etc/plugin-key.sth"/>
      </Transport>

      <Transport Hostname="jkl555.us.example.com" Port="14100" Protocol="http"/>
      <Transport Hostname="jkl555.us.example.com" Port="14101" Protocol="https">
        <Property name="keyring" value="/scratch/aime1/ihs-webgate/Plugins/etc/plugin-key.kdb"/>
        <Property name="stashfile" value="/scratch/aime1/ihs-webgate/Plugins/etc/plugin-key.sth"/>
      </Transport>
      

      where:

      "sdf1234.us.example.com" is the OIM host

      "14000" is the OIM HTTP port

      "14001" is the OIM HTTPS port

      "jkl555.us.example.com" is the OAM host

      "14100" is the OAM HTTP port

      "14101" is the OAM HTTPS port

  3. Restart IBM HTTP Server (IHS) or Oracle HTTP Server (OHS).
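An added example, not from the Oracle documentation: a Python check that parses plugin-cfg.xml and reports whether the three edits described above are in place, namely the /identity/, /sysadmin/ and /oim/ Uri entries, a default_host alias for the HTTP Server port, and the OIM and OAM Transport elements with keyring and stashfile on the https ones. The sample XML and the expected host/port list are constructed from the page's example values, and the Property attribute names are accepted in either case because the page shows them in lowercase.

```python
import xml.etree.ElementTree as ET

# Constructed sample plugin-cfg.xml (not a file from the page): the OIM transports
# are present, the OAM transports and the /sysadmin/ URI are missing, and the
# https transport has no stashfile, so the checker has something to report.
SAMPLE_PLUGIN_CFG = """\
<Config>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:9080"/>
    <VirtualHost Name=":7777"/>
  </VirtualHostGroup>
  <ServerCluster Name="oim_cluster">
    <Server Name="oim_server1">
      <Transport Hostname="sdf1234.us.example.com" Port="14000" Protocol="http"/>
      <Transport Hostname="sdf1234.us.example.com" Port="14001" Protocol="https">
        <Property name="keyring" value="/path/to/plugin-key.kdb"/>
      </Transport>
    </Server>
  </ServerCluster>
  <UriGroup Name="default_host_oim_cluster_URIs">
    <Uri Name="/identity/"/>
    <Uri Name="/oim/"/>
  </UriGroup>
</Config>
"""

# The three entries the page says to add to the UriGroup.
REQUIRED_URIS = ("/identity/", "/sysadmin/", "/oim/")

# (hostname, port, protocol) for the OIM and OAM back ends, from the page's example.
EXPECTED_TRANSPORTS = (
    ("sdf1234.us.example.com", "14000", "http"),
    ("sdf1234.us.example.com", "14001", "https"),
    ("jkl555.us.example.com", "14100", "http"),
    ("jkl555.us.example.com", "14101", "https"),
)


def _property(transport, name):
    """Read a <Property> child of a Transport, accepting name/value or Name/Value attributes."""
    for prop in transport.findall("Property"):
        if (prop.get("name") or prop.get("Name")) == name:
            return prop.get("value") or prop.get("Value")
    return None


def check_plugin_cfg(xml_text, http_port, expected_transports=EXPECTED_TRANSPORTS):
    """Return a list of human-readable findings; an empty list means the file passes."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Every required OIM URI must appear in some UriGroup.
    present = {uri.get("Name") for uri in root.iter("Uri")}
    for name in REQUIRED_URIS:
        if name not in present:
            findings.append(f'UriGroup: missing <Uri Name="{name}"/>')

    # 2. The default_host group must carry an alias for the HTTP Server port.
    group = next((g for g in root.iter("VirtualHostGroup") if g.get("Name") == "default_host"), None)
    if group is None:
        findings.append("VirtualHostGroup default_host not found")
    else:
        aliases = {vh.get("Name") for vh in group.findall("VirtualHost")}
        if f":{http_port}" not in aliases and f"*:{http_port}" not in aliases:
            findings.append(f"default_host: no VirtualHost alias for port {http_port}")

    # 3. Each OIM/OAM Transport must exist; https ones need keyring and stashfile.
    transports = {(t.get("Hostname"), t.get("Port"), t.get("Protocol")): t for t in root.iter("Transport")}
    for host, port, protocol in expected_transports:
        transport = transports.get((host, port, protocol))
        if transport is None:
            findings.append(f"ServerCluster: missing Transport {host}:{port} ({protocol})")
        elif protocol == "https":
            for prop in ("keyring", "stashfile"):
                if not _property(transport, prop):
                    findings.append(f"Transport {host}:{port}: https without a {prop} Property")
    return findings


if __name__ == "__main__":
    for finding in check_plugin_cfg(SAMPLE_PLUGIN_CFG, "7777"):
        print(finding)
```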

14.2 Integrating Access Manager and OAAM on IBM WebSphere

For an overview of Access Manager and OAAM integration, see the "Integrating Oracle Adaptive Access Manager with Access Manager" appendix and "Integrating Access Manager, OAAM, and OIM" chapter in Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite. Differences between setup in IBM WebSphere and WebLogic are noted in this section.

14.2.1 Configuring OAAM Basic Integration with Access Manager

OAAM Basic integration with Access Manager is a native integration. Access Manager is integrated with Oracle Adaptive Access Manager through the shared libraries, which provide the rules engine and the runtime functionality of Oracle Adaptive Access Manager. The OAAM Server is not needed in this deployment since the OAAM runtime functionality is available through the libraries.

14.2.1.1 Prerequisites for OAAM Basic Integration with Access Manager

Prior to configuring Access Manager with Oracle Adaptive Access Manager, you must have installed all the required components, including any dependencies, and configured the environment in preparation of the integration tasks. For information on the required components that must be installed and configured before the integration tasks are performed, see "Prerequisites for OAAM Basic Integration with Access Manager" in Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

Instead of WebLogic, you will install and configure Oracle Fusion Middleware with IBM WebSphere. You must first install (but not configure) IBM WebSphere and apply the latest Fix Pack for IBM WebSphere.

14.2.1.2 Protecting Resource in Authentication Policy with OAAMBasic Scheme

The IDMDomainAgent is not used on IBM WebSphere. You must register a new WebGate agent. For information on managing an authentication scheme, see the "Managing Authentication and Shared Policy Components" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service. For general information with links to more detailed sections on registering an agent, see the "Introduction to Agents and Registration" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

14.2.1.3 Creating User with Privileges to Log into the OAAM Administration Console

By default, no user has the privileges required to log in to the OAAM Administration Console. You must create a user with those privileges and then grant the necessary groups to the user. For details on creating users and groups in IBM WebSphere, see the IBM WebSphere documentation. Users and groups should be defined in the LDAP directory configured for the IBM WebSphere cell. An example of an OAAM user is oaamadmin. For information on the OAAM roles, see Section 8.1.3, "Creating User with Privileges to Log into the OAAM Administration Console."

14.2.1.4 Modifying oam-config.xml

Locate and modify the oam-config.xml file manually. The oam-config.xml file contains all Access Manager-related system configuration data and is located in the was_profile_dir/config/cells/cell_name/fmwconfig directory. For example:

/scratch/xyz/IBM/WebSphere/AppServer/profiles/Dmgr04/config/cells/adc2170813Cell02/fmwconfig

Set the OAAMEnabled property to true as shown in the following example:

<Setting Name="OAAM" Type="htf:map">
<Setting Name="ProductRelease" Type="xsd:string">11.1.2.2.0</Setting>
<Setting Name="Version" Type="xsd:integer">1</Setting>
<Setting Name="OAAMEnabled" Type="xsd:boolean">true</Setting>
<Setting Name="passwordPage" Type="xsd:string">/pages/oaam/password.jsp</Setting>
<Setting Name="challengePage" Type="xsd:string">/pages/oaam/challenge.jsp</Setting>
<Setting Name="registerImagePhrasePage" Type="xsd:string">/pages/oaam/registerImagePhrase.jsp</Setting>
<Setting Name="registerQuestionsPage" Type="xsd:string">/pages/oaam/registerQuestions.jsp</Setting>

Note:

You must increment the version number given in the file for this integration to work. For example, if the version number is 1 in the file, change it to 2.

14.2.1.5 Starting the OAAM Admin Server

Start the OAAM Admin Server to register the newly created managed servers with the domain.

  1. Open a command prompt and change to the following bin directory:

    For example:

    WAS_HOME/profiles/Custom01/bin
    
  2. Enter the following command:

    ./startServer.sh oaam_admin_server
    

    The default server name for the OAAM Administration Server is oaam_admin_server1.

14.2.1.6 Importing the OAAM Snapshot

A full snapshot of policies, rules, challenge questions, dependent components, and configurations is shipped with Oracle Adaptive Access Manager. This snapshot is required for the minimum configuration of OAAM. Import the snapshot into the system by following the instructions in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

14.2.1.7 Shutting Down the OAAM Administration Server

Shut down the OAAM Administration Server.

  1. Open a command prompt and change to the application server's bin directory:

    For example:

    WAS_HOME/profiles/Custom01/bin
    
  2. Enter the following command:

    ./stopServer.sh oaam_admin_server -username username -password password
    

    The default server name for the OAAM Administration Server is oaam_admin_server1.

14.2.1.8 Creating a Datasource

Use the IBM WebSphere Administrative Console to create a JDBC data source with JNDI name jdbc/OAAM_SERVER_DB_DS. The data source should be created at Cell level. Ensure that the OAAM managed server is selected in the cell scope. For information on creating a data source on IBM WebSphere, see Section 3.2.5, "Creating a Data Source in an IBM WebSphere Cell."

14.2.1.9 Deploying the Shared Library

Shared libraries are files used by multiple applications. Access Manager uses shared library files in OAAM Basic Integration with Access Manager; therefore, you must create the shared library in the scope of the application/managed server where Access Manager is deployed, and Access Manager must refer to this shared library.

14.2.1.9.1 Creating the Shared Library

To make library files available to multiple applications, create a shared library by following these steps:

  1. Log in to the IBM WebSphere Administrative Console.

  2. In the console navigation tree, expand Environment and then select Shared libraries.

  3. In the Shared Libraries page, select the "Show scope selection drop-down list with the all scopes option" checkbox, select a shared library scope, and click Apply. For example, for Access Manager, select as the scope the server on which Oracle Access Manager is deployed.

  4. Above the table, under Preferences, click the New button to create a new shared library in the scope as selected in step 3.

  5. In the settings page of the shared library, specify a name for the shared library in the Name field. For example oaam_native_shared_library.

  6. In the Classpath text box, specify the absolute paths of all the JAR files present in the following directory:

    MW_HOME/Oracle_IDM1/oaam/oaam_libs/was_native_jar 
    

    These are the paths that the product searches for classes and resources of the shared library.

    Note:

    Enter each entry on a new line; do not use a path separator such as ";" or ":".

  7. Click OK and then Save.

14.2.1.9.2 Adding the Shared Library Reference to Application

To add the Shared Library reference to the application:

  1. Log in to the IBM WebSphere Administrative Console.

  2. In the console navigation tree, expand Applications, and then Application Types and click WebSphere enterprise applications to open the list of applications.

  3. In the Enterprise Applications page, click the application to which you want to associate the shared library.

  4. Under Configurations, click Shared library references to access the Shared library references page.

  5. In the Shared Library Mapping for Modules section, select the checkbox next to the application you want to associate to the shared library, and then click the Reference Shared Libraries button above the table.

  6. Select one or more shared libraries that the application will use in the Available list and add them to the Selected list. Then click OK.

  7. Save the changes to the configuration.

14.2.1.10 Synchronizing the Node and Restarting the Server

Synchronize the node and restart the server that hosts the application referencing the shared library.

14.2.1.11 Setting the OAAM Image Directory for Virtual Authentication Devices

For images to be displayed in the virtual authentication devices during the OAAM Registration flow, perform the following steps:

  1. Log in to the OAAM Administration Console with the Environment Administrator role.

  2. In the Navigation pane, double-click Properties under the Environment node. The Properties Search page is displayed.

  3. Enter bharosa.image.dirlist in the Name field and click Search.

  4. Click to select the property in the Search Results section.

  5. Add ${OAM_ORACLE_HOME}/../oaam/oaam_images as a comma-separated value in the Value column. That is, change the value ${oracle.oaam.home}/oaam_images to ${oracle.oaam.home}/oaam_images, ${OAM_ORACLE_HOME}/../oaam/oaam_images.

  6. Click Save.

    A confirmation dialog is displayed.

  7. Click OK to dismiss the dialog.

14.2.1.12 Testing the Configuration

To test the configuration:

  1. To verify the configuration, remote register two agents, each protecting a resource.

  2. Use the Oracle Access Management Console to associate the first resource with OAAMBasic for the authentication flow. Associate the second resource with the LDAPScheme.

    See Also:

    "Managing Authentication Schemes" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  3. Access the protected resource configured earlier to verify the configuration.

    You are prompted to enter a user name. Then, on a separate screen you are prompted for the password.

    Once the user name and password are validated you are asked to select and answer three challenge questions. Once completed you are taken to the protected application.

14.2.2 Configuring OAAM Advanced Integration with Access Manager

Integrating Oracle Adaptive Access Manager with Oracle Access Manager provides an enterprise with advanced access security features that greatly improve the level of protection for applications. OAAM Advanced integration with Access Manager can involve scenarios with or without Oracle Identity Manager.

Integration with Oracle Identity Manager provides users with richer password management functionality, including secure "Forgot Password" and "Change Password" flows. For details about integrating with Oracle Identity Manager, see Section 14.3, "Integrating Access Manager, OAAM, and OIM on IBM WebSphere."

If Oracle Identity Manager is not part of your environment, follow the integration procedure described in this section.

14.2.2.1 OAAM Advanced Integration with Access Manager Roadmap

Table 14-2 summarizes the steps to configure OAAM Advanced Integration with Access Manager on IBM WebSphere.

Table 14-2 Integration Flow for Access Manager and Oracle Adaptive Access Manager

  1. Verify that all required components have been installed and configured prior to integration.

    For information, see "OAAM Advanced Integration with Access Manager Prerequisites".

  2. Ensure that the Oracle Access Management and OAAM Administration Consoles and managed servers are running.

    For information, see "Restarting the Servers".

  3. Create the OAAM users. Before you can access the OAAM Administration Console, you must create administration users.

    For information, see "Creating Users and Groups".

  4. Import the OAAM base snapshot. A full snapshot of policies, dependent components and configurations is shipped with Oracle Adaptive Access Manager. For Oracle Adaptive Access Manager to be functional, you must import the base OAAM snapshot into the system.

    For information, see "Importing Base Snapshot in OAAM".

  5. Validate that Access Manager was set up correctly. You should be able to log in to the Oracle Access Management Console successfully.

    For information, see "Validating Initial Configuration of Access Manager".

  6. Validate that OAAM was set up correctly.

    For information, see "Validating Initial Configuration of Oracle Adaptive Access Manager".

  7. Register the WebGate. The WebGate is an out-of-the-box access client. This Web server access client intercepts HTTP requests for Web resources and forwards them to the OAM Server 11g.

    For information, see "Provisioning WebGate Using the Oracle Access Management Console".

  8. Register the OAAM server to act as a trusted partner application to Access Manager. A partner application is any application that delegates the authentication function to Access Manager 11g.

    For information, see "Setting Up Access Manager for Integration with OAAM and Register OAAM as Thirdparty in Access Manager".

  9. Specify the Agent password in multiple places. OAAM needs this agent password in order to use the agent profile for integration.

    For information, see "Setting the Agent Password".

  10. Verify the TAP partner registration using the Oracle Access Management tester.

    For information, see "Verifying TAP Partner Registration".

  11. Set up the TAP integration properties in OAAM.

    For information, see "Setting Up OAAM for TAP Integration".

  12. Configure the integration to use the OAAM TAPScheme to protect Identity Management product resources in the IAMSuiteAgent application domain.

    For information, see "Moving the /oamTAPAuthenticate URL".

  13. Update the authentication scheme in the policy-protected resource policy to protect a resource with the OAAM TAPScheme.

    For information, see "Updating the Authentication Scheme in the Policy-Protected Resource Policy".

  14. Validate the Access Manager and Oracle Adaptive Access Manager integration.

    For information, see "Validating the Access Manager and Oracle Adaptive Access Manager Integration".

14.2.2.2 OAAM Advanced Integration with Access Manager Prerequisites

Prior to configuring Access Manager with Oracle Adaptive Access Manager, you must have installed all the required components, including any dependencies, and configured the environment in preparation of the integration tasks. For information, see "Prerequisites for OAAM Advanced Integration with Access Manager" in Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

You will be installing IBM WebSphere instead of WebLogic. For information on the system requirements and certifications, necessary software media and downloads, and installation instructions to install and configure Oracle Fusion Middleware with IBM WebSphere, see Chapter 2, "Installing and Configuring Oracle Identity and Access Management on IBM WebSphere."

14.2.2.3 Restarting the Servers

  1. Start the IBM Deployment Manager.

    To start the deployment manager, navigate to the following directory in the IBM WebSphere home and enter the following command:

    (UNIX) WAS_HOME/profiles/deployment_mgr_profile_name/bin/startManager.sh

    For example, on a UNIX operating system:

    /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh

    WAS_HOME is the path to the AppServer directory where IBM WebSphere is installed.

    If you are integrating Access Manager and OAAM, and OAAM is in a different IBM WebSphere cell, you must also start the Deployment Manager located in the IBM WebSphere profile where OAAM is installed.

  2. Start the managed server hosting the OAM Server.

    OAM_PROFILE/bin/startServer.sh oam_server1

    OAM_PROFILE is the IBM WebSphere profile where OAM is installed. For example:

    OAM_PROFILE = $WAS_HOME/profiles/Custom01

  3. Start the managed server hosting the OAAM Administration Server.

    To start the OAAM Administration Server, navigate to the following directory in the IBM WebSphere home and enter the following command:

    (UNIX) OAAM_PROFILE/bin/startServer.sh oaam_admin_server

    The default server name for the OAAM Administration Server is oaam_admin_server1.

    For example, on a UNIX operating system:

    /opt/IBM/WebSphere/AppServer/profiles/Custom01/bin/startServer.sh oaam_admin_server1

    OAAM_PROFILE is the IBM WebSphere profile where the OAAM Administration Server is installed. For example, on a UNIX operating system:

    OAAM_PROFILE = WAS_HOME/profiles/profile_name

  4. Start the managed server hosting the OAAM runtime server.

    To start the OAAM runtime server, navigate to the following directory in the IBM WebSphere home and enter the following command:

    (UNIX) OAAM_PROFILE/bin/startServer.sh oaam_server_server

    The default server name for the OAAM runtime server is oaam_server_server1.

    For example, on a UNIX operating system:

    /opt/IBM/WebSphere/AppServer/profiles/Custom01/bin/startServer.sh oaam_server_server1

    OAAM_PROFILE is the IBM WebSphere profile where the OAAM Server is installed. For example, on a UNIX operating system:

    OAAM_PROFILE = WAS_HOME/profiles/profile_name

14.2.2.4 Creating Users and Groups

By default, no user has the privileges required to log in to the OAAM Administration Console. You must create a user with those privileges and then grant the necessary groups to that user. For details on creating users and groups in IBM WebSphere, see the IBM WebSphere documentation. Users and groups should be defined in the LDAP directory configured for the IBM WebSphere cell. An example of an OAAM user is oaamadmin. For information on the OAAM roles, see Section 8.1.3, "Creating User with Privileges to Log into the OAAM Administration Console."

14.2.2.5 Importing Base Snapshot in OAAM

A full snapshot of policies, rules, challenge questions, dependent components, and configurations is shipped with Oracle Adaptive Access Manager. This snapshot is required for the minimum configuration of OAAM. Import the snapshot into the system by following the instructions in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

14.2.2.6 Validating Initial Configuration of Access Manager

Verify that Access Manager is set up correctly by accessing the Welcome to Oracle Access Management page.

  1. Log in to the Oracle Access Management Console:

    http://oam_adminserver_host:oam_adminserver_port/oamconsole
    

    You should be redirected to the OAM Server for login.

  2. Provide the administrator user name and password.

    If the login is successful, the Welcome to Oracle Access Management page is displayed.

14.2.2.7 Validating Initial Configuration of Oracle Adaptive Access Manager

Verify that Oracle Adaptive Access Manager is set up correctly by accessing the OAAM Server.

  1. Log in to the OAAM Server.

    http://host:port/oaam_server
    
  2. Provide any user name and click Continue.

  3. Provide the password as test because the Access Manager and Oracle Adaptive Access Manager integration has not yet been performed. You must change the password immediately after the integration.

  4. Click the Enter button on the virtual authentication device.

  5. Click Continue to register the new user.

  6. Click Continue to accept the security device.

  7. Choose questions and provide answers to register for Knowledge Based Authentication (KBA).

    A successful login indicates that the initial configuration is correct.

    Note:

    The test login URL /oaam_server is used to verify that the OAAM configuration is working before proceeding with the integration of Access Manager. This URL is not intended for use after the integration of Access Manager and OAAM.

    After integration, if a user navigates to this URL and enters a user name, the user is directed to the page where the password is entered. After the password is submitted, the login fails and the following error is displayed:

    Error Sorry, the identification you entered was not recognized. Please try again
    

14.2.2.8 Provisioning WebGate Using the Oracle Access Management Console

Agents communicate with the OAM Server to check protected resources and configured access policies. Registering an agent sets up the required trust mechanism between the agent and the OAM Server.

Ensure that the following are installed and configured before registering the WebGate:

  • IBM HTTP Server and its required plugins

    For information on installing and configuring IBM HTTP Server (IHS), refer to the IBM HTTP Server product documentation.

  • IHS WebGate

For information on installing the IHS 11g WebGate for Access Manager, see the "Installing and Configuring IHS 11g WebGate for OAM" chapter in Oracle Fusion Middleware Installing WebGates for Oracle Access Manager.

14.2.2.8.1 Registering the WebGate as a Partner

For information on registering the IHS 11g WebGate, see "Registering the New IHS 11g WebGate" in Oracle Fusion Middleware Installing WebGates for Oracle Access Manager.

14.2.2.8.2 Copy the Access Management 11g SSO Agent Artifacts

Copy the Access Management 11g SSO Agent artifacts created after registering the Agent to the IHS WebGate configuration location. For information, see "Copying Generated Files and Artifacts to the HTTP Server WebGate Instance Location" in Oracle Fusion Middleware Installing WebGates for Oracle Access Manager.

14.2.2.8.3 Starting the IBM HTTP Server

Start the IHS Server. For information, see "Starting the IHS Server and Accessing the IHS Resource" in Oracle Fusion Middleware Installing WebGates for Oracle Access Manager.

Once you start the IHS Web Server, log in to the IHS Web Server. For example:

http://machine_name.my.company.com:port

WebGate intercepts the request and redirects you to the Oracle Access Management Console. Enter the username and password, and you are redirected to the IBM HTTP Server.

14.2.2.9 Setting Up Access Manager for Integration with OAAM and Register OAAM as Thirdparty in Access Manager

To register the OAAM Server as a trusted partner application to Access Manager, follow the steps in "Registering the OAAM Server as a Partner Application to Access Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

Note:

Ensure that the IBM WebSphere Deployment Manager where Access Manager is installed is running.

  1. Set up the environment for WSADMIN.

  2. Navigate to the IAM_ORACLE_HOME/common/bin directory.

  3. Execute wsadmin.sh to enter the wsadmin.

    For example:

    ./wsadmin.sh -port 8879 -user wasadmin -password some-value -conntype soap -lang jython 
    

    port is the SOAP port of the deployment manager.

    For information on determining the SOAP port, see the IBM WebSphere documentation.

  4. In another terminal window, create the keystore directory by executing the following:

    mkdir IAM_ORACLE_HOME/TAP/TapKeyStore
    
  5. Using the WSADMIN shell, run the Oam.registerThirdPartyTAPPartner command:

    Oam.registerThirdPartyTAPPartner(partnerName="partnerName",
    keystoreLocation="path_to_keystore", password="keystore_password",
    tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="OAAM login URL")

    The command registers any third party as a Trusted Authentication Protocol (TAP) Partner.

    An example is provided below.

    Oam.registerThirdPartyTAPPartner(partnerName="OAAMTAPPartner",
    keystoreLocation="IAM_ORACLE_HOME/TAP/TapKeyStore/mykeystore.jks",
    password="password", tapTokenVersion="v2.0", tapScheme="TAPScheme",
    tapRedirectUrl="http://OAAM_Managed_server_host:14300/oaam_server/oamLoginPage.jsp")


    Table 14-3 TAP Partner Setup

    Parameter Details

    partnerName

    The name of the partner should be unique. It can be any name used for identifying the third party partner. If the partner exists in Access Manager, the configuration will be overwritten.

    keystoreLocation

    The keystore location is an existing location. If the directory path specified is not present, an error occurs. You must provide the complete path including the keystore file name. In the example shown earlier, the keystore location was IAM_ORACLE_HOME/TAP/TapKeyStore/mykeystore.jks. Another example is keystoreLocation= "/scratch/jsmith/dwps1tap/TapKeyStore/mykeystore.jks". When you run the command registerThirdPartyTAPPartner, the keystore file is created in that location specified.

    password

    The keystore password used to encrypt the keystore. The keystore is created by running command "registerThirdPartyTAPPartner" in the location as specified for parameter "keystoreLocation". Make a note of the password as you will need it later.

    tapTokenVersion

    Version of the Trusted Authentication Protocol. tapTokenVersion is always v2.0 for 11.1.1.5.0 and 11.1.2.0. If using IDContext Claims, it is v2.1.

    tapScheme

    Trusted Authentication Protocol Authentication Scheme (TAPScheme out of the box). This is the authentication scheme that will be updated. If you want two TAP partners with different tapRedirectUrls, create a new authentication scheme using the Oracle Access Management Console and use that scheme here.

    The authentication scheme will be created automatically while you are running the registerThirdPartyTAPPartner command in the instructions above. The name of TAPScheme will be passed as parameter to that command. The example command has tapScheme="TAPScheme".

    tapRedirectUrl

    Third party access URL. The TAP redirect URL must be accessible; if it is not, registration of the partner fails with an error. tapRedirectUrl is constructed as follows:

    http://oaamserver_host:oaamserver_port/oaam_server/oamLoginPage.jsp

    Ensure that the OAAM server is running; otherwise registration will fail. The credential collector page will be served by the OAAM Server. The authentication scheme created by registerThirdPartyTAPPartner (TAPScheme) points to the OAAM Server credential collector page as the redirectURL.
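The following pre-flight check is an added example, not Oracle's code and not part of the wsadmin command itself: it validates the registerThirdPartyTAPPartner arguments against the failure conditions Table 14-3 describes (missing keystore directory, unknown token version, a redirect URL with a pasted line break) before they are run in wsadmin. The host name and keystore path in its demo are constructed placeholders.

```python
"""Pre-flight checks for the Oam.registerThirdPartyTAPPartner arguments.

Added example, not Oracle's code: each check mirrors a failure condition
described in Table 14-3 so that a bad argument is caught before wsadmin runs.
"""
import os
from urllib.parse import urlparse

# tapTokenVersion values the table lists: v2.0 normally, v2.1 with IDContext claims.
KNOWN_TAP_TOKEN_VERSIONS = ("v2.0", "v2.1")
# The OAAM credential collector page that tapRedirectUrl must point at.
OAAM_LOGIN_PAGE = "/oaam_server/oamLoginPage.jsp"


def check_tap_partner_args(partnerName, keystoreLocation, password,
                           tapTokenVersion, tapScheme, tapRedirectUrl):
    """Return a list of problems; an empty list means the arguments look usable.

    The parameter names match the wsadmin command so a call can be copied across.
    """
    problems = []

    if not partnerName.strip():
        problems.append("partnerName must not be empty")

    # registerThirdPartyTAPPartner creates the keystore file itself, but the
    # directory named in keystoreLocation must already exist.
    keystore_dir = os.path.dirname(os.path.abspath(keystoreLocation))
    if not os.path.isdir(keystore_dir):
        problems.append("keystore directory does not exist: %s" % keystore_dir)
    if not keystoreLocation.endswith(".jks"):
        problems.append("keystoreLocation must include the keystore file name (.jks)")
    elif os.path.isfile(keystoreLocation):
        problems.append("keystore already exists and would be overwritten: %s"
                        % keystoreLocation)

    if not password:
        problems.append("password (the keystore password) must not be empty")

    if tapTokenVersion not in KNOWN_TAP_TOKEN_VERSIONS:
        problems.append("tapTokenVersion %r is not one of %s"
                        % (tapTokenVersion, ", ".join(KNOWN_TAP_TOKEN_VERSIONS)))

    if not tapScheme.strip():
        problems.append("tapScheme must name an authentication scheme")

    # A line break pasted into the URL (as in a wrapped console example) shows
    # up as whitespace; catch it before the URL is parsed.
    if any(ch.isspace() for ch in tapRedirectUrl):
        problems.append("tapRedirectUrl contains whitespace")
    url = urlparse(tapRedirectUrl)
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append("tapRedirectUrl must be an absolute http(s) URL with a host")
    if not url.path.endswith(OAAM_LOGIN_PAGE):
        problems.append("tapRedirectUrl should end with %s" % OAAM_LOGIN_PAGE)

    return problems


if __name__ == "__main__":
    # Constructed sample values; the host name and path are placeholders.
    for problem in check_tap_partner_args(
            partnerName="OAAMTAPPartner",
            keystoreLocation="TAP/TapKeyStore/mykeystore.jks",
            password="password",
            tapTokenVersion="v2.0",
            tapScheme="TAPScheme",
            tapRedirectUrl="http://oaam.example.com:14300/oaam_server/oamLoginPage.jsp"):
        print("problem:", problem)
```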


14.2.2.10 Setting the Agent Password

You will need to specify the Agent password in multiple places. OAAM needs this agent password in order to use the agent profile for integration.

14.2.2.10.1 Adding a Password to the IAMSuiteAgent Profile in the Oracle Access Management Console

When Access Manager is installed, a default agent profile called IAMSuiteAgent is created. This profile is used by OAAM when integrating with Access Manager. When the IAMSuiteAgent profile is first created, it has no password. You must set a password before the profile can be used by OAAM for integration. To do this, proceed as follows:

  1. Log in to the Oracle Access Management Console.

    http://oam_adminserver_host:oam_adminserver_port/oamconsole
    
  2. Enter the username and password.

  3. In the Oracle Access Management Launch Pad, click SSO Agents in the Access Manager section.

    The SSO Agents page opens with the WebGates tab open.

  4. Click Search to list all WebGate agents including IAMSuiteAgent.

  5. Double-click IAMSuiteAgent to edit the properties.

  6. Specify the password in the Access Client Password field and click Apply to save the changes.

    This is a required step.

14.2.2.11 Verifying TAP Partner Registration

To verify the TAP partner registration, follow the instructions below.

14.2.2.11.1 Verifying the Challenge URL

To validate the Access Manager configuration, perform the following steps:

  1. Log in to the Oracle Access Management Console.

    http://oam_adminserver_host:oam_adminserver_port/oamconsole
    
  2. Enter credentials.

  3. In the Oracle Access Management Launch Pad, click Authentication Schemes in the Access Manager section.

  4. In the Search Authentication Schemes, search for TAPScheme.

  5. Click the TAPScheme link.

  6. Verify that the Challenge Method is DAP and the Authentication Module is DAP.

  7. Verify that Challenge URL shows part of the value of the tapRedirectUrl that had been specified when OAAM was registered with Access Manager as a partner application. For example, if the tapRedirectUrl is http://OAAM_Managed_server_host:14300/oaam_server/oamLoginPage.jsp, then Challenge URL should show /oaam_server/oamLoginPage.jsp. The host and port part of the URL is parameterized in Challenge Parameter. In the Challenge Parameters field, you will see both TAPPartnerId=OAAMPartner and SERVER_HOST_ALIAS=HOST_ALIAS_1.

  8. Check the challenge parameters are set correctly.

14.2.2.11.2 Adding the MatchLDAPAttribute Challenge Parameter in the TAPScheme

You must add the MatchLDAPAttribute challenge parameter and set it to the User Name Attribute as specified in the LDAP Identity Store.

  1. Log in to the Oracle Access Management Console.

    http://oam_adminserver_host:oam_adminserver_port/oamconsole
    
  2. Enter credentials.

  3. In the Oracle Access Management Launch Pad, click Authentication Schemes in the Access Manager section.

  4. In the Search Authentication Schemes page, search for TAPScheme.

  5. Click the TAPScheme link.

  6. To add another parameter to an existing parameter, position your cursor in the Challenge Parameter field and press Enter using your keyboard.

  7. In the new line, add an entry for the challenge parameter.

    For example, MatchLDAPAttribute=uid

    MatchLDAPAttribute must be set to the User Name Attribute as specified in the LDAP Identity Store. For example, uid, mail, cn, and so on.

    Note:

    The challenge parameter is case-sensitive.

    For information, see "Managing User Identity Stores" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  8. Click Apply to submit the change.

  9. Dismiss the Confirmation window.

14.2.2.11.3 Validating the IAMSuiteAgent Setup

To validate the IAMSuiteAgent setup, proceed as follows:

  1. Launch Oracle Access Management tester.

    IAM_ORACLE_HOME/../jdk_version/bin/java -jar IAM_ORACLE_HOME/oam/server/tester/oamtest.jar


    The Oracle Access Management Tester Console appears.

  2. In the Server Connection section provide server connection details:

    1. IP Address: Access Manager Managed Server Host

    2. Port: Oracle Access Management Oracle Access Protocol (OAP) Port

    3. Agent ID: IAMSuiteAgent

    4. Agent Password: Password provided in Section 14.2.2.10, "Setting the Agent Password."

    The Server Connection section provides fields for the information required to establish a connection to the OAM Server.

  3. Click Connect.

    If you can connect to the server, the next section, Protected Resource URI, will be enabled.

  4. The Protected Resource URI section provides information about a resource whose protected status needs to be validated.

    In this section, provide the protected resource URI as follows:

    1. Host: IAMSuiteAgent

    2. Port: 80

    3. Resource: /oamTAPAuthenticate

      Note:

      You can test any resource protected by TAPScheme, not only /oamTAPAuthenticate.

  5. Click Validate.

    The Validate button is used to submit the Validate Resource server request. If the validation is successful, the next section for User Identity will be enabled.

  6. In the User Identity section, provide User Identity and click Authenticate. If the authentication is successful, the setup is successful.

    This section provides information about a user whose credentials need to be authenticated. The Authenticate button is used to submit the Authenticate User server request.

14.2.2.12 Setting Up OAAM for TAP Integration

To set up OAAM for TAP Integration, proceed as follows:

Run setupOAMTapIntegration.sh to set the Access Manager TAP integration properties in OAAM, as documented in "Setting Up Access Manager TAP Integration Properties in OAAM" in Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

Note:

The setupOAMTapIntegration script requires that you use the WebSphere Admin username and password.

For information on running CLI scripts, see Section 8.1.4, "Setting Up the CLI Environment for OAAM on IBM WebSphere."

14.2.2.13 Moving the /oamTAPAuthenticate URL

If you plan to set TAPScheme as the authentication scheme in the IAMSuiteAgent application domain, you must first move the /oamTAPAuthenticate URL into a separate authentication policy.

To use TAPScheme for Identity Management product resources in the Protected Higher Level Policy of the IAM Suite application domain, perform the following configuration:

  1. Log in to the Oracle Access Management Console.

  2. From the Oracle Access Management Console Launch Pad, click Application Domains in the Access Manager section.

  3. Search for IAM Suite.

  4. Click the Authentication Policies tab.

  5. Click Protected Higher Level Policy.

  6. In the Resources window, click /oamTAPAuthenticate.

  7. Click Delete, and then Apply.

  8. Create a new Authentication Policy in the IAMSuite application domain.

  9. For authentication scheme, choose LDAP Scheme.

  10. In the Resources window, click Add.

  11. Select the resource /oamTAPAuthenticate.

  12. Click Apply.

For Access Manager to be able to override the resource URL before handing it off to OAAM, you must set up the TAPOverrideResource challenge parameter in TAPScheme.

  1. Log in to the Oracle Access Management Console:

    http://oam_adminserver_host:oam_adminserver_port/oamconsole
    
  2. In the Oracle Access Management Launch Pad, click Authentication Schemes in the Access Manager section.

  3. In the Search Authentication Schemes page, search for TAPScheme.

  4. Click the TAPScheme link.

  5. To add another parameter to an existing parameter, position your cursor in the Challenge Parameter field and press Enter using your keyboard.

  6. In the new line, add TAPOverrideResource=http://IAMSuiteAgent:80/oamTAPAuthenticate for a challenge parameter of TAPScheme.

  7. Click Apply.
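The following check is an added example (not Oracle's code) that serves both the verification in Section 14.2.2.11 and the TAPOverrideResource parameter added here: it reads the Challenge Parameters field as the console shows it, one name=value per line, and reports anything missing, mis-cased or inconsistent with the tapRedirectUrl used at registration. The partner id, host name and user attribute in its demo are constructed values.

```python
"""Check a TAPScheme against the TAP partner registration it should reflect.

Added example, not Oracle's code. Inputs are the values visible on the
TAPScheme page (Challenge Method, Authentication Module, Challenge URL,
Challenge Parameters) plus the tapRedirectUrl passed to
registerThirdPartyTAPPartner and the identity store's User Name Attribute.
"""
from urllib.parse import urlparse

# Override resource required in the IAM Suite domain once /oamTAPAuthenticate
# has been moved to its own LDAP-scheme policy.
EXPECTED_OVERRIDE_RESOURCE = "http://IAMSuiteAgent:80/oamTAPAuthenticate"
# Parameter names exactly as the console expects them; case matters.
REQUIRED_PARAMS = ("TAPPartnerId", "SERVER_HOST_ALIAS", "MatchLDAPAttribute")


def parse_challenge_parameters(text):
    """Turn the multi-line Challenge Parameters field into a dict; blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError("challenge parameter without '=': %r" % line)
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def expected_challenge_url(tap_redirect_url):
    """Only the path of tapRedirectUrl appears as the Challenge URL; host and port are parameterized."""
    return urlparse(tap_redirect_url).path


def check_tap_scheme(challenge_method, auth_module, challenge_url,
                     challenge_parameters, tap_redirect_url,
                     user_name_attribute, iam_suite_domain=True):
    """Return a list of findings; an empty list means the scheme matches the registration."""
    findings = []
    if challenge_method != "DAP":
        findings.append("Challenge Method is %r, expected DAP" % challenge_method)
    if auth_module != "DAP":
        findings.append("Authentication Module is %r, expected DAP" % auth_module)

    want_url = expected_challenge_url(tap_redirect_url)
    if challenge_url != want_url:
        findings.append("Challenge URL %r does not match tapRedirectUrl path %r"
                        % (challenge_url, want_url))

    params = parse_challenge_parameters(challenge_parameters)
    lowered = {name.lower(): name for name in params}
    for name in REQUIRED_PARAMS:
        if name in params:
            continue
        if name.lower() in lowered:
            # Present but with the wrong case: the scheme treats it as a different parameter.
            findings.append("%s is spelled %r; challenge parameters are case-sensitive"
                            % (name, lowered[name.lower()]))
        else:
            findings.append("missing challenge parameter %s" % name)

    # MatchLDAPAttribute must name the identity store's User Name Attribute (uid, mail, cn, ...).
    if params.get("MatchLDAPAttribute") not in (None, user_name_attribute):
        findings.append("MatchLDAPAttribute=%s but the identity store User Name Attribute is %s"
                        % (params["MatchLDAPAttribute"], user_name_attribute))

    if iam_suite_domain:
        override = params.get("TAPOverrideResource")
        if override != EXPECTED_OVERRIDE_RESOURCE:
            findings.append("TAPOverrideResource is %r, expected %r"
                            % (override, EXPECTED_OVERRIDE_RESOURCE))
    return findings


if __name__ == "__main__":
    # Constructed sample of a console field with a mis-cased parameter and no override.
    sample = "TAPPartnerId=OAAMTAPPartner\nSERVER_HOST_ALIAS=HOST_ALIAS_1\nmatchldapattribute=uid\n"
    for finding in check_tap_scheme("DAP", "DAP", "/oaam_server/oamLoginPage.jsp", sample,
                                    "http://oaam.example.com:14300/oaam_server/oamLoginPage.jsp",
                                    "uid"):
        print("finding:", finding)
```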

14.2.2.14 Updating the Authentication Scheme in the Policy-Protected Resource Policy

To protect a resource with the OAAM TAPScheme, you must edit the policy-protected resource policy and update the authentication scheme. This section provides general steps to do this.

For detailed instructions, see the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

  1. Log in to the Oracle Access Management Console.

    http://oam_adminserver_host:oam_adminserver_port/oamconsole
    
  2. Check for the application domain that was created as part of the 11g WebGate registration.

  3. Edit the authentication policy-protected resources policy.

  4. Update the authentication scheme to the TAPScheme that was specified as the tapScheme parameter in the registerThirdPartyTAPPartner command.

  5. Click Apply to save changes.

14.2.2.15 Validating the Access Manager and Oracle Adaptive Access Manager Integration

Try to access the protected resource. You should be redirected to OAAM for registration and challenge. The OAAM login page is shown instead of the Access Manager login page.

14.3 Integrating Access Manager, OAAM, and OIM on IBM WebSphere

Integration with Oracle Identity Manager provides users with richer password management functionality, including secure "Forgot Password" and "Change Password" flows.

14.3.1 Access Manager, OAAM, and OIM Integration Roadmap

Table 14-4 lists the high-level tasks for integrating Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

Table 14-4 Integration Flow for Access Manager, OAAM, and OIM

  1. Verify that all required components have been installed and configured prior to integration.

    For information, see Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite and the IBM WebSphere documentation.

  2. Install Access Manager, Oracle Adaptive Access Manager, and IBM WebSphere servers.

    For information, see Chapter 2, "Installing and Configuring Oracle Identity and Access Management on IBM WebSphere."

  3. Integrate Access Manager and Oracle Identity Manager.

    For information, see Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

  4. Enable LDAP synchronization for Oracle Identity Manager. This is required for integration between Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

    For information, see Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

  5. Integrate Access Manager and Oracle Adaptive Access Manager.

    For information, see Section 14.2.2, "Configuring OAAM Advanced Integration with Access Manager."

  6. Set up the integration between Oracle Adaptive Access Manager and OIM.

    For information, see Section 14.3.7, "Integrating Oracle Identity Manager and Oracle Adaptive Access Manager."

  7. Migrate OAAM policies to the policy store.

    For information, see Section 14.3.8, "Migrating OAAM Policies."

  8. Enable OAAM to generate HTTP post-based messages to Access Manager.

    For information, see Section 14.3.9, "Enabling OAAM to Generate HTTP Post-Based Messages to Access Manager."

14.3.2 Access Manager, Oracle Adaptive Access Manager, and OIM Integration Prerequisites

Prior to integrating Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Management, you must have installed all the required components, including any dependencies, and configured the environment in preparation of the integration tasks that follow.

For information on required components that must be installed and configured before the Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Management integration tasks are performed, see Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

The steps below are based on the assumption that Access Manager and Oracle Identity Manager are integrated using the out-of-the box integration.

14.3.3 Installing Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager

For information on installing Access Manager, OAAM, and OIM, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

For this integration, Oracle Identity Manager and OAAM must reside in a single cell.

When you run the was_config command to extend an Oracle Adaptive Access Manager cell to include the Oracle Identity Manager template, you may see the following warning:

Conflict detected
CFGFWK -42001: The following duplicate elements exists in a configuration, discarding new elements from a incomming template 

You can safely ignore this message.

14.3.4 Integrating Access Manager and Oracle Identity Manager

Integration between Oracle Identity Manager and Access Manager is required for integration between Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager. For more information, see Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

14.3.5 Enabling LDAP Synchronization for Oracle Identity Manager

Enabling LDAP synchronization for Oracle Identity Manager is required for integration between Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager. For more information, see Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

14.3.6 Integrating Access Manager and Oracle Adaptive Access Manager

Note:

In the integration of Access Manager, Oracle Identity Management, and Oracle Adaptive Access Manager, the IdentityManagerAccessGate profile should already exist since it is configured during the Access Manager and Oracle Identity Management integration. For details, see Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

Configure the Access Manager and Oracle Adaptive Access Manager integration so that the OAAM server acts as a trusted partner application. For information on integrating Oracle Adaptive Access Manager and Access Manager, refer to "Integrating Access Manager and OAAM on IBM WebSphere".

14.3.7 Integrating Oracle Identity Manager and Oracle Adaptive Access Manager

This section describes how to integrate Oracle Identity Management and Oracle Adaptive Access Manager for the three-way integration of Access Manager, Oracle Identity Management, and Oracle Adaptive Access Manager:

14.3.7.1 Adding OAAM Users and Groups from the OIM Console

To be able to access the OAAM Admin Console, the OAAM user and OAAM roles must be created in the identity store that OIM points to. You can add the users and groups from the Oracle Identity Manager System Administrative Console. For information, see "Managing Users" and "Managing Roles" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

14.3.7.2 Setting Oracle Identity Manager Properties for Oracle Adaptive Access Manager

In Oracle Identity Manager, the OIM.ChangePasswordURL and OIM.ChallengeQuestionModificationURL properties must be set to valid OAAM URLs, and OIM.DisableChallengeQuestions must be set to true for Oracle Adaptive Access Manager to provide the challenge questions functionality instead of Oracle Identity Manager.

To modify Oracle Identity Manager properties, take these steps:

  1. Log in to the Oracle Identity Manager System Administrative Console.

  2. Under System Management, click Configuration, and then click the System Configuration link.

  3. In the pop-up window, click on Advanced Search.

  4. Set the following properties and click Save.

    Note:

    For the URLs, use the hostnames as they were configured in Access Manager. For example, if a complete hostname (with domain name) was provided during Access Manager configuration, use the complete hostname for the URLs.

    Table 14-5 Oracle Identity Manager Redirection

    Property Description and Value

    OIM.DisableChallengeQuestions

    TRUE

    OIM.ChangePasswordURL

    The URL for the change password page in Oracle Adaptive Access Manager is:

    http://oaam_server_managed_server_host:oaam_server_managed_server_port/oaam_server/oimChangePassword.jsp
    

    In a high availability (HA) environment, set this property to point to the virtual IP URL for the OAAM server.

    OIM.ChallengeQuestionModificationURL

    The URL for the challenge questions modification page in Oracle Adaptive Access Manager is:

    http://oaam_server_managed_server_host:oaam_server_managed_server_port/oaam_server/oimResetChallengeQuestions.jsp 
    

  5. Restart the Oracle Identity Manager managed server.

14.3.7.3 Updating OAAM Properties to Enable Integration Between Oracle Identity Manager and OAAM

To set OAAM properties for Oracle Identity Manager:

  1. Log in to the OAAM Administration Console:

    http://oaam_managed_server_host:oaam_admin_managed_server_port/oaam_admin
    

    You must log in as a user with access to the Properties Editor.

  2. In the navigation tree, double-click Properties under the Environment node. The Properties search page is displayed.

  3. Enter the name of the property you want to set in the Name field and click Search.

    Note:

    If the search for a property displays no records, you must create the property. For instructions on creating a property, see "Creating a New Database Type Property" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

  4. Click to select the property in the Search Results section.

  5. In the Value field, enter the new value and click Save.

    A confirmation dialog is displayed.

  6. Click OK to dismiss the dialog.

For the following properties, set the values according to your deployment:

Table 14-6 Oracle Identity Manager Integration Properties

Property: bharosa.uio.default.user.management.provider.classname
Value: com.bharosa.vcrypt.services.OAAMUserMgmtOIM

Property: oaam.oim.auth.login.config
Value: ${oracle.oaam.home}/../designconsole/config/authws.conf

Note: authws.conf is not the out-of-the-box value.

Property: oaam.oim.url
Value: corbaloc:iiop:host:port

where host is the OIM server host and port is the bootstrap port of the OIM server.

Property: oaam.oim.xl.homedir
Value: ${oracle.oaam.home}/../designconsole

Property: bharosa.uio.default.signon.links.enum.selfregistration.url
Value: the URL for Self Registration, as follows:

http://OIM-Managed-Server-Host:OIM-Managed-Server-Port/identity/faces/register?&backUrl=backURL

Note: If IBM HTTP Server is configured in front of OIM, use the IBM HTTP Server host and port instead of the OIM managed server host and port, in both the page URL and the backUrl parameter. For example:

http://IHS-HOST:IHS-PORT/identity/faces/register?&backUrl=http://IHS-HOST:IHS-PORT/identity

Property: bharosa.uio.default.signon.links.enum.trackregistration.url
Value: the URL for Track Registration, as follows:

http://OIM-Managed-Server-Host:OIM-Managed-Server-Port/identity/faces/trackregistration?&backUrl=backURL

Note: If IBM HTTP Server is configured in front of OIM, use the IBM HTTP Server host and port instead of the OIM managed server host and port, in both the page URL and the backUrl parameter. For example:

http://IHS-HOST:IHS-PORT/identity/faces/trackregistration?&backUrl=http://IHS-HOST:IHS-PORT/identity

Property: bharosa.uio.default.signon.links.enum.trackregistration.enabled
Value: true

Property: bharosa.uio.default.signon.links.enum.selfregistration.enabled
Value: true

Property: bharosa.uio.default.singlelogin.links.enum.selfregistration.enabled
Value: true, to enable the Self Registration link. This property applies only if Single Login Page mode is enabled.

Single Login Page mode, where the user name and password inputs are on the same page, is enabled through OAAM customization. For more information about Single Login Page mode, see "Configuring a Single Login Page" in Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager.

Property: bharosa.uio.default.singlelogin.links.enum.selfregistration.url
Value: the URL for the Self Registration link, if Single Login Page mode is enabled.

Property: bharosa.uio.default.singlelogin.links.enum.trackregistration.enabled
Value: true, to enable the Track Registration link. This property applies only if Single Login Page mode is enabled (see the note on Single Login Page mode above).

Property: bharosa.uio.default.singlelogin.links.enum.trackregistration.url
Value: the URL for the Track Registration link, if Single Login Page mode is enabled.

Property: oaam.oim.csf.credentials.enabled
Value: true

With this property set to true, OAAM reads the Oracle Identity Manager credentials from the Credential Store Framework (CSF) instead of from properties maintained in the Properties Editor, so that the credentials are stored securely in CSF. The credential itself is created in the next section.

Property: oaam.oim.passwordflow.unlockuser
Value: true

This property enables automatic unlocking of the user in the Forgot Password flow.

Property: oaam.oim.initial.context.factory
Value: com.ibm.websphere.naming.WsnInitialContextFactory
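The values in Table 14-5 and Table 14-6 are entered by hand in two different consoles, and a mismatch (an OIM redirection URL that still points at a short hostname, a backUrl that names the OIM managed server while the link itself goes through IHS, credentials left in properties instead of CSF) only shows up later as a failed password flow. The following added example, which is not part of the Oracle documentation or product, is a consistency check an administrator can run over the property values before restarting the servers. The property names, paths and the WebSphere context factory class come from the two tables above; the hostnames and ports in the sample dictionaries are constructed for this example.

```python
"""Consistency checks for the OIM/OAAM integration property values (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

WAS_CONTEXT_FACTORY = "com.ibm.websphere.naming.WsnInitialContextFactory"
CORBALOC_RE = re.compile(r"^corbaloc:iiop:(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")
# OIM properties (Table 14-5) and the OAAM page each must point at.
OAAM_PAGES = {
    "OIM.ChangePasswordURL": "/oaam_server/oimChangePassword.jsp",
    "OIM.ChallengeQuestionModificationURL": "/oaam_server/oimResetChallengeQuestions.jsp",
}
# OAAM link properties (Table 14-6) and the OIM page each must point at.
OIM_LINKS = {
    "bharosa.uio.default.signon.links.enum.selfregistration.url": "/identity/faces/register",
    "bharosa.uio.default.signon.links.enum.trackregistration.url": "/identity/faces/trackregistration",
}


def _is_true(value):
    return (value or "").strip().lower() == "true"


def check_properties(props):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    if not _is_true(props.get("OIM.DisableChallengeQuestions")):
        findings.append("OIM.DisableChallengeQuestions must be TRUE so that OAAM, not OIM, owns challenge questions")

    # Both OAAM redirection URLs must be absolute, use the FQDN configured in
    # Access Manager, hit the expected page and name the same OAAM server.
    oaam_origins = set()
    for name, path in OAAM_PAGES.items():
        parts = urlsplit(props.get(name, ""))
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(f"{name}: not an absolute http(s) URL")
            continue
        if parts.path != path:
            findings.append(f"{name}: path should be {path}")
        if "." not in parts.hostname:
            findings.append(f"{name}: use the fully qualified hostname configured in Access Manager")
        oaam_origins.add((parts.scheme, parts.hostname, parts.port))
    if len(oaam_origins) > 1:
        findings.append("OAAM redirection URLs point at different OAAM servers")

    m = CORBALOC_RE.match(props.get("oaam.oim.url", ""))
    if not m or not 1 <= int(m.group("port")) <= 65535:
        findings.append("oaam.oim.url must be corbaloc:iiop:host:port (port = OIM bootstrap port)")

    if props.get("oaam.oim.initial.context.factory") != WAS_CONTEXT_FACTORY:
        findings.append(f"oaam.oim.initial.context.factory must be {WAS_CONTEXT_FACTORY} on WebSphere")

    if not _is_true(props.get("oaam.oim.csf.credentials.enabled")):
        findings.append("oaam.oim.csf.credentials.enabled must be true; OIM credentials belong in CSF, not in properties")

    # The link and its backUrl must share scheme, host and port: when IHS fronts
    # OIM both must use the IHS host and port, and a backUrl that names another
    # host would send users somewhere the login page did not come from.
    for name, path in OIM_LINKS.items():
        parts = urlsplit(props.get(name, ""))
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(f"{name}: not an absolute http(s) URL")
            continue
        if parts.path != path:
            findings.append(f"{name}: path should be {path}")
        back = parse_qs(parts.query).get("backUrl", [""])[0]
        bparts = urlsplit(back)
        if not bparts.hostname:
            findings.append(f"{name}: backUrl missing or not absolute")
        elif (bparts.scheme, bparts.hostname, bparts.port) != (parts.scheme, parts.hostname, parts.port):
            findings.append(f"{name}: backUrl host/port differs from the link host/port")
    return findings


# Constructed sample values (hosts and ports are assumptions for this example).
SAMPLE_GOOD = {
    "OIM.DisableChallengeQuestions": "TRUE",
    "OIM.ChangePasswordURL": "http://oaam.example.com:14300/oaam_server/oimChangePassword.jsp",
    "OIM.ChallengeQuestionModificationURL": "http://oaam.example.com:14300/oaam_server/oimResetChallengeQuestions.jsp",
    "oaam.oim.url": "corbaloc:iiop:oim.example.com:2809",
    "oaam.oim.initial.context.factory": WAS_CONTEXT_FACTORY,
    "oaam.oim.csf.credentials.enabled": "true",
    "bharosa.uio.default.signon.links.enum.selfregistration.url":
        "http://ihs.example.com:80/identity/faces/register?&backUrl=http://ihs.example.com:80/identity",
    "bharosa.uio.default.signon.links.enum.trackregistration.url":
        "http://ihs.example.com:80/identity/faces/trackregistration?&backUrl=http://ihs.example.com:80/identity",
}
# The same values with three typical mistakes.
SAMPLE_BAD = dict(SAMPLE_GOOD)
SAMPLE_BAD["OIM.DisableChallengeQuestions"] = "FALSE"
SAMPLE_BAD["oaam.oim.url"] = "corbaloc:iiop:oim.example.com"
SAMPLE_BAD["bharosa.uio.default.signon.links.enum.selfregistration.url"] = (
    "http://ihs.example.com:80/identity/faces/register?&backUrl=http://oim.example.com:14000/identity")

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_properties(sample) or "OK")
```

Feed check_properties a dictionary exported from the two consoles; every finding names the property to fix. The backUrl check is the one worth keeping even after the integration works, since that parameter is where a later edit most easily introduces a redirect to an unintended host.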

14.3.7.4 Configuring Oracle Identity Manager Credentials in the Credential Store Framework

Oracle Adaptive Access Manager must have the credentials of an Oracle Identity Manager administrator in order to perform its Oracle Identity Manager operations. A key holding these credentials is created in the CSF map oaam; with oaam.oim.csf.credentials.enabled set to true (see the previous section), OAAM reads them from the Credential Store Framework rather than from a property. To store the OIM credentials securely in the Credential Store Framework, follow the steps below to add a password credential to the OAAM domain.

  1. Log in to the Oracle Fusion Middleware Enterprise Manager Console:

    http://websphere_host:OracleAdminServer_port/em
    

    where port is OracleAdminServer HTTP port.

    You must log in as an IBM WebSphere Administrator. For example, wasadmin.

  2. Expand the WebSphere Cell icon in the navigation tree in the left pane.

  3. Select your IBM WebSphere cell, right-click, and select the menu option Security and then the option Credentials in the submenu.

  4. Click oaam to select the map, then click Create Key.

  5. In the pop-up dialog, ensure that Select Map is oaam.

  6. Provide the following properties and click OK.

    Table 14-7 Oracle Identity Manager Credentials

    Map Name: oaam
    Key Name: oim.credentials
    Key Type: Password
    UserName: user name of the Oracle Identity Manager administrator
    Password: password of the Oracle Identity Manager administrator


14.3.8 Migrating OAAM Policies

Follow these steps to migrate the OAAM policies:

  1. From the IBM WebSphere Administrative Console, click System administration > Deployment manager to display the Configuration tab.

  2. Expand Java and Process Management, and then click Process definitions.

  3. Under Additional Properties, click Java Virtual Machine.

  4. Under Additional Properties, click Custom Properties.

    All custom properties are listed on the next page.

  5. Click the custom property ws.ext.dirs to edit its value. If the property is not displayed on the first page, use the Next button at the bottom of the page to page through the list, or search for the property in the list.

  6. For the entry named ws.ext.dirs, which is the deployment manager's JVM custom property, append the absolute path of the oamAuthnProvider.jar file to the value in the Value field, using ":" (without quotes) as the delimiter between entries.

    The value to append is

    ${oracle.as.jrf_11.1.1.7.0_oracle_common_ORACLE_HOME}/modules/oracle.oamprovider_11.1.1/oamAuthnProvider.jar
    

    where ${oracle.as.jrf_11.1.1.7.0_oracle_common_ORACLE_HOME} is the absolute path to the oracle_common directory, that is, the Oracle Common home.

    Note: The existing value of ws.ext.dirs already contains this Oracle Common home variable. Reuse it in the entry that you append, as in the following example.

    If the existing value of ws.ext.dirs is:

    ${oracle.as.jrf_11.1.1.7.0_oracle_common_ORACLE_HOME}/modules/oracle.jrf_11.1.1/jrf-was.jar
    

    then the new value after appending the path to oamAuthnProvider.jar is:

    ${oracle.as.jrf_11.1.1.7.0_oracle_common_ORACLE_HOME}/modules/oracle.jrf_11.1.1/jrf-was.jar:${oracle.as.jrf_11.1.1.7.0_oracle_common_ORACLE_HOME}/modules/oracle.oamprovider_11.1.1/oamAuthnProvider.jar
    
  7. Click Save to save the changes.

  8. Restart the Deployment Manager.

  9. Verify that the policies were migrated successfully by using Oracle Enterprise Manager Fusion Middleware Control.

    For example:

    From Oracle Enterprise Manager Fusion Middleware Control, right-click Cell_Websphere. Navigate to Security > Application Policies. Search with application as oaam_admin_11.2.0.0. If policies are migrated, you should see rows with names OAAM*Group.
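Step 6 above is easy to get wrong when it is repeated on several deployment managers: the jar ends up appended twice, or with a hard-coded home path instead of the ${oracle.as.jrf_..._oracle_common_ORACLE_HOME} variable that the existing value already uses. The following added example, which is not Oracle's code, computes the new ws.ext.dirs value from the existing one: it takes the Oracle Common home variable from the current entries (so the version string in the variable name is never retyped), appends the oamAuthnProvider.jar entry once, and leaves a value that already contains it unchanged. The module path of the jar and the example existing value are the ones shown in step 6; the ":" delimiter is the one the step specifies.

```python
"""Idempotent ws.ext.dirs update for step 6 (added example, not Oracle code)."""
import re

# The Oracle Common home variable as it appears in the existing ws.ext.dirs
# value, e.g. ${oracle.as.jrf_11.1.1.7.0_oracle_common_ORACLE_HOME}.
HOME_VAR_RE = re.compile(r"\$\{oracle\.as\.jrf_[0-9.]+_oracle_common_ORACLE_HOME\}")
# Location of the OAM authentication provider under that home (from step 6).
OAM_PROVIDER_REL = "/modules/oracle.oamprovider_11.1.1/oamAuthnProvider.jar"


def oam_provider_entry(current):
    """Build the oamAuthnProvider.jar entry from the home variable already in use."""
    m = HOME_VAR_RE.search(current)
    if not m:
        # Refuse to guess: the page's note says the existing value carries the variable.
        raise ValueError("ws.ext.dirs does not reference the Oracle Common home variable")
    return m.group(0) + OAM_PROVIDER_REL


def append_ws_ext_dirs(current, sep=":"):
    """Return the new ws.ext.dirs value with the provider jar appended exactly once.

    Existing entries keep their order; blank entries and surrounding whitespace
    are dropped; calling the function again on its own output is a no-op.
    """
    entry = oam_provider_entry(current)
    entries = [e.strip() for e in current.split(sep) if e.strip()]
    if entry not in entries:
        entries.append(entry)
    return sep.join(entries)


# Existing value from the example in step 6.
EXISTING_VALUE = "${oracle.as.jrf_11.1.1.7.0_oracle_common_ORACLE_HOME}/modules/oracle.jrf_11.1.1/jrf-was.jar"

if __name__ == "__main__":
    print(append_ws_ext_dirs(EXISTING_VALUE))
```

Paste the returned string into the Value field of the deployment manager's ws.ext.dirs custom property, then save and restart the Deployment Manager as in steps 7 and 8.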

14.3.9 Enabling OAAM to Generate HTTP Post-Based Messages to Access Manager

Access Manager and OAAM communication involves transferring information required to perform authentication, preserving Access Manager context data, and providing the TAP token. In cases where context data is large, such as form data, OAAM can be configured to generate HTTP POST-based responses back to Access Manager to preserve up to 8K of the client application's form data.

To enable OAAM to generate POST-based responses so that Access Manager's context data is preserved, you must set oaam.uio.oam.dopost to true.

  1. Log in to the OAAM Administration Console:

    http://oaam_admin_managed_server_host:oaam_admin_managed_server_port/oaam_admin
    

    You must log in as a user with access to the Properties Editor.

  2. In the navigation tree, double-click Properties under the Environment node. The Properties search page is displayed.

  3. Enter oaam.uio.oam.dopost in the Name field and click Search.

    Note:

    If the search for a property displays no records, you must create the property. For instructions on creating a property, see "Creating a New Database Type Property" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

  4. Click to select the property in the Search Results section.

  5. Enter true in the Value field and click Save.

    A confirmation dialog is displayed.

  6. Click OK to dismiss the dialog.