Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in This Guide?
Updates in July 2017 Documentation Refresh for 11g Release 2 (11.1.2.3.0)
Updates in January 2017 Documentation Refresh for 11g Release 2 (11.1.2.3.0)
Updates in October 2016 Documentation Refresh for 11g Release 2 (11.1.2.3.0)
Updates in August 2016 Documentation Refresh for 11g Release 2 (11.1.2.3.0)
Product Enhancements for Oracle Access Management 11.1.2.3.0
Product Enhancements for Oracle Access Management 11.1.2.2.0
Product Enhancements for Oracle Access Management 11.1.2.1.0
Product Enhancements in Oracle Access Management 11.1.2.0.0
November 2012 Book Refresh
August 2012 Book Refresh
Access Management Services
Access Tester
Attribute Type Authorization Condition
Deprecation
Detached Credential Collection
Dynamic Multi-Factor/Multi-Step Authentication
Identity Context
Integration with Third Party Products
LDAP Search Filters in Identity Conditions
Leverage SubjectAltName Extension Data/Integrate with Multiple OCSP Endpoints
Mobile and Social
Multiple Identity Store Support
OpenSSO Support
Password Policy Management
Query String Name and Value Parameters in a Resource Definition Pattern
Resource Type TokenServiceRP for Non-Browser Client-enabled WebGate
RESTful Services
Shared Secret Key: Access Client and Software Developer Kit Enhancement
Token Issuance Policy for Mobile and Social
Tuning Performance
User-Defined Parameters: 11g WebGate
Product and Component Name Changes with 11.1.2
Part I Introduction to Oracle Access Management
1
Introducing Oracle Access Management
1.1
Understanding Oracle Access Management Services
1.2
Understanding Oracle Access Management Access Manager
1.2.1
About Components in Access Manager
1.2.2
Understanding Access Manager Deployments
1.3
About Access Manager 11.1.2.3.0
1.3.1
Features of Access Manager 11.1.2.3.0
1.3.2
Features Not In Access Manager 11.1.2.3.0
1.4
System Requirements and Certification
1.5
Understanding Oracle Access Management Installation
1.5.1
About Oracle Access Management Installation
1.5.2
Oracle Access Management and WebGates
1.5.3
About Oracle Access Management Post-Installation Tasks
2
Getting Started with Oracle Access Management
2.1
Starting and Stopping Servers in Your Deployment
2.1.1
Starting Node Manager
2.1.2
Starting and Stopping WebLogic AdminServer
2.1.3
Starting and Stopping Managed WebLogic Servers and Access Manager Servers
2.2
About Oracle Access Management Administrators
2.3
Oracle Access Management Console and the Policy Manager Console
2.4
Understanding the Oracle Access Management Console
2.4.1
System Launch Pad
2.4.2
Access Manager Launch Pad
2.4.3
Agents Launch Pad
2.4.4
Help Desk Launch Pad
2.4.5
Self Service Launch Pad
2.5
About Logging Into the Oracle Access Management Console
2.5.1
Logging Into The Oracle Access Management Console
2.5.1.1
Accessing Oracle Access Manager protected resource when login page is bookmarked
2.5.2
Logging Into the Secure Oracle Access Management Console (HTTPS)
2.6
Using the Oracle Access Management Console
2.6.1
Logging Out of the Oracle Access Management Console
2.6.2
Accessing Online Help in the Oracle Access Management Console
2.6.3
SSO Agent Search Page
2.7
Command-Line Tools for Configuration
2.8
Logging, Auditing, Reporting, and Monitoring Performance
2.9
Configuring Oracle Access Management Login Options
2.9.1
Administering the Forgot Password URL
2.9.1.1
Setting a Forgot Password URL
2.9.1.2
Retrieving a Forgot Password URL
2.9.2
Choosing a User Login Language
2.9.2.1
User Login Language Code
2.9.2.2
Selecting A Language for Oracle Access Management Login
2.9.2.3
Language Preference Cookie
2.9.2.4
Propagating Language Preference and Application Integration
2.9.3
Understanding Persistent Login
2.9.3.1
Enabling Persistent Login
2.9.3.2
Troubleshooting Persistent Login
Part II Managing Common and System Configurations
3
Managing Common Services and Certificate Validation
3.1
Configuration Options in Oracle Access Management Console
3.2
Available Services of the Common Configuration Section
3.2.1
Enabling or Disabling Available Services
3.3
Common Settings
3.3.1
Managing Common Settings
3.3.2
Viewing Common Coherence Settings
3.4
Certificate Validation and Revocation
3.4.1
Enabling the Certificate Revocation List Functionality
3.4.2
Enabling OCSP Certificate Validation
3.4.3
Enabling CRL Distribution Point Extensions
3.4.4
Additional OCSP Configurations
3.4.4.1
Configuring Multiple OCSP Responders
3.5
WLST updateHTTPProxyConfig
3.6
WLST configureOAMOSCSPCertValidation
4
Delegating Administration
4.1
Understanding Administrator Roles
4.2
About Delegating the Identity Store
4.3
Assigning Roles Using the Administration Console
4.4
Understanding the Container Security Framework and MBeans
4.5
Using the Remote Registration Utility
4.6
About Auditing Reports
5
Managing Data Sources
5.1
Data Sources for Oracle Access Management
5.1.1
oam-config.xml Configuration Data File
5.1.2
About the Default LDAP Group
5.2
Registering and Managing User Identity Stores
5.2.1
Understanding User Identity Stores
5.2.2
About using the System Store for User Identities
5.2.2.1
Using the System Store for User Identities
5.2.3
About Using Multiple Identity Stores
5.2.3.1
Components of Oracle Access Management that use Identity Stores
5.2.4
User Identity Store Settings
5.2.5
Registering a New User Identity Store
5.2.6
Viewing or Editing a User Identity Store Registration
5.2.7
Deleting a User Identity Store Registration
5.3
Managing the Identity Directory Service User Identity Stores
5.3.1
Identity Directory Services
5.3.2
Creating an Identity Directory Service Profile
5.3.3
Editing or Deleting an Identity Directory Service Profile
5.3.4
Creating a Form-fill Application Identity Directory Service Profile
5.3.5
Understanding the Pre-Configured Identity Directory Service Profile
5.3.6
Creating an Identity Directory Service Repository
5.4
Managing Administrator Roles
5.4.1
Understanding Administrator Roles
5.4.2
Defining and Removing Administrator Roles
5.5
Managing the Policy and Session Database
5.5.1
About the Database Store for Policy, Password Management, and Sessions
5.5.2
About Database Deployment
5.5.3
Configuring a Separate Database for Access Manager Sessions
5.6
Introduction to Oracle Access Management Keystores
5.6.1
Access Manager Security Keys and the Embedded Java Keystore
5.6.2
Access Manager Keystores
5.6.3
Identity Federation Keystore
5.7
Integrating a Supported LDAP Directory with Oracle Access Manager
6
Managing Server Registration
6.1
Before You Register
6.2
Understanding OAM Server Registration and Management
6.2.1
About Individual OAM Server Registrations
6.2.2
About the Embedded Proxy Server and Backward Compatibility
6.2.3
About 11g SSO, Legacy 10g SSO in Combination with OSSO 10g
6.2.4
About Communication Between OAM Servers and WebGates
6.2.5
Conditions Requiring Server Restart
6.3
Managing Individual OAM Server Registrations
6.3.1
OAM Server Registration Page
6.3.1.1
OAM Proxy Settings
6.3.1.2
Coherence Settings for Individual Servers
6.3.2
Registering a Fresh OAM Server Instance
6.3.3
Viewing or Editing Individual OAM Server Registrations and Proxy Settings
6.3.4
Deleting an Individual Server Registration
Part III Logging, Auditing, Reporting and Monitoring Performance
7
Logging Component Event Messages
7.1
About Oracle Access Management Logging
7.2
Logging Component Event Messages
7.2.1
Component Loggers for Security Token Service and Access Manager
7.2.2
Sample Logger and Log Handler Definition
7.2.3
About Logging Levels
7.3
Configuring Logging for Access Manager
7.3.1
Modifying the Logger Level for Access Manager
7.3.2
Adding an Access Manager-Specific Logger and Log Handler
7.4
Configuring Logging for Security Token Service and Identity Federation
7.4.1
Configuring Logging for Security Token Service or Identity Federation
7.4.2
Defining Log Level and Log Details for Security Token Service or Identity Federation
7.5
Mobile and Social Logging
7.6
Logging for the Access Portal Service
7.7
Validating Run-time Event Logging Configuration
8
Auditing Administrative and Run-time Events
8.1
Introduction to Oracle Fusion Middleware Auditing
8.2
Oracle Access Management Auditing
8.2.1
Understanding Oracle Access Management Auditing
8.2.2
About Oracle Access Management Auditing Configuration
8.2.3
About Audit Record Storage
8.2.4
About Audit Reports and Oracle Business Intelligence Publisher
8.2.5
Oracle BI Enterprise Edition (Oracle BI EE)
8.2.6
About the Audit Log and Data
8.3
Access Manager Events You Can Audit
8.3.1
Access Manager Administrative Events You Can Audit
8.3.2
Access Manager Run-time Events You Can Audit
8.3.3
Auditing Authentication Events
8.3.4
Auditing Events for Delegated Administrators
8.4
Mobile and Social Events You Can Audit
8.4.1
REST Run-Time Audit Events
8.4.2
Mobile and Social Audit Events
8.5
Identity Federation Events You Can Audit
8.5.1
Session Management Events for Identity Federation
8.5.2
Protocol Flow Events for Identity Federation
8.5.3
Server Configuration Events for Identity Federation
8.5.4
Security Events for Identity Federation
8.6
Security Token Service Events You Can Audit
8.6.1
About Audit Record Content Common to All Events
8.6.2
Security Token Service Administrative Events You Can Audit
8.6.3
Security Token Service Run-time Events You Can Audit
8.7
Setting Up Auditing for Oracle Access Management
8.7.1
Setting Up the Audit Database Store
8.7.2
Preparing Oracle Business Intelligence Publisher EE
8.7.3
Using the Oracle Access Management Console for Audit Configuration
8.7.4
Adding, Viewing, or Editing Audit Settings
8.8
Validating Auditing and Reports
9
Logging WebGate Event Messages
9.1
Understanding Logging for WebGate instances
9.1.1
About Logging, Log Levels, and Log Output
9.1.2
Log Levels
9.1.3
Log Output
9.2
About Log Configuration File Paths and Contents
9.2.1
Log Configuration File Paths and Names
9.2.2
Log Configuration File Contents
9.2.2.1
When Changes to the File Take Effect
9.2.2.2
Comments in the Log File
9.3
About Directing Log Output to a File or the System File
9.4
Structure and Parameters of the WebGate Log Configuration File
9.4.1
Structure of WebGate Log Configuration XML File Header
9.4.2
Structure of WebGate Initial Compound List
9.4.3
Parameters in the WebGate Simple List and Logging Threshold
9.4.4
Parameters in the WebGate Second Compound List and Log Handlers
9.4.5
Parameters in the WebGate List for Per-Module Logging
9.4.6
Parameters in the WebGate Filter List
9.4.7
WebGate XML Element Order
9.5
Activating and Suppressing Logging Levels
9.5.1
About Log Handler Precedence
9.6
Mandatory Log Configuration File Parameters
9.6.1
Settings in the Default Log Configuration File
9.6.2
Description of the Settings in the Default Log Configuration File
9.7
Configuring Different Threshold Levels for Different Types of Data
9.7.1
About the MODULE_CONFIG Section
9.7.1.1
Location of the Per-Module Logging Section in the Log Configuration File
9.7.1.2
List of Modules That Can Be Logged
9.7.2
Configuring a Log Level Threshold for a Function or Module
9.8
Filtering Sensitive Attributes
10
Understanding Oracle Access Management Reports
10.1
About Reports in Oracle Access Management
10.2
Accessing Oracle Access Management Reports
10.3
Supported Output Formats
10.4
Classification of Reports for Access Manager
10.4.1
Account Management Reports
10.4.2
Authentication Reports
10.4.2.1
Authentication Statistics Report
10.4.2.2
AuthenticationFromIPByUser
10.4.2.3
AuthenticationPerIP
10.4.2.4
AuthenticationStatisticsPerServer Report
10.4.3
Errors and Exceptions
10.4.3.1
All Errors and Exceptions
10.4.3.2
Authentication Failures
10.4.3.3
User Activities
10.4.3.4
Authentication History
10.4.3.5
Authorization History
10.4.3.6
Multiple Logins From Same IP
10.5
About Creating Reports Using Third-Party Software
11
Monitoring Oracle Access Management Performance and Access Manager Health
11.1
Introduction to Performance Monitoring
11.2
Monitoring Server Metrics Using Oracle Access Management Console
11.2.1
Monitoring Server Instance Performance
11.2.2
Oracle Access Manager Server Metrics
11.3
Monitoring SSO Agent Metrics Using Oracle Access Management Console
11.3.1
WebGate Metrics
11.3.2
OSSO Agent Metrics
11.4
OAM Proxy Metrics and Tuning
11.4.1
OAM Proxy Metrics
11.4.2
OAM Proxy Server Tuning Parameters
11.5
Monitoring Metrics Using the DMS Console
11.5.1
Monitoring OAM Metrics
11.5.2
Monitoring Coherence Caches
11.5.3
Monitoring OpenSSO Proxy Metrics
11.5.3.1
Reviewing OpenSSO Metrics
11.5.3.2
OpenSSO Proxy Events and Metrics: Server
11.5.3.3
OpenSSO Proxy Metrics: Agent
11.6
Monitoring the Health of an Access Manager Server
11.6.1
Understanding WebGate and Access Manager Communications
11.6.2
Monitoring Access Manager Server Health
12
Monitoring Performance and Logs with Fusion Middleware Control
12.1
Introduction to Fusion Middleware Control
12.2
Logging In to and Out of Fusion Middleware Control
12.2.1
Logging In To Fusion Middleware Control
12.2.2
Logging Out of Fusion Middleware Control
12.3
Displaying Menus and Pages in Fusion Middleware Control
12.3.1
Farm Page in Fusion Middleware Control
12.3.2
Context Menus and Pages in Fusion Middleware Control
12.3.3
Displaying Context Menus and Target Details in Fusion Middleware Control
12.4
Viewing Performance in Fusion Middleware Control
12.4.1
Resulting Pages for Selected Nodes and Targets
12.4.2
Performance Overview Pages in Fusion Middleware Control
12.4.2.1
Access Manager Component Pages
12.4.2.2
Security Token Service Component Pages
12.4.3
Metrics Palette and the Performance Summary Page
12.4.4
Displaying Performance Metrics in Fusion Middleware Control
12.4.5
Displaying Component-Specific Performance Details
12.5
Managing Log Level Changes in Fusion Middleware Control
12.5.1
Dynamic Log Level Changes in Fusion Middleware Control
12.5.2
Setting Log Levels Dynamically Using Fusion Middleware Control
12.6
Managing Log File Configuration from Fusion Middleware Control
12.6.1
Log File Configuration Page in Fusion Middleware Control
12.6.2
Managing Log Files with Fusion Middleware Control
12.7
Viewing Log Messages in Fusion Middleware Control
12.7.1
About Finding, Viewing, and Exporting Log Messages
12.7.1.1
Log Messages Page in Fusion Middleware
12.7.2
Viewing Logged Messages With Fusion Middleware Control
12.8
Displaying MBeans in Fusion Middleware Control
12.8.1
Fusion Middleware Control System MBean Browser
12.8.2
Managing Mbeans
Part IV Managing Access Manager Settings and Agents
13
Configuring Access Manager Settings
13.1
Oracle Access Management Overview
13.2
Managing Load Balancing
13.2.1
About Common Load Balancing Settings
13.2.2
Managing OAM Server Load Balancing Settings
13.3
Managing Secure Error Modes
13.3.1
OAM Server Error Modes
13.3.2
Viewing or Editing OAM Server Secure Error Modes
13.4
Managing SSO Tokens and IP Validation
13.4.1
Access Manager SSO Tokens and IP Validation Settings
13.4.2
Viewing or Editing SSO Tokens and IP Validation
13.5
Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security
13.5.1
OAM Proxy Simple and Cert Mode Transport Security
13.5.2
Configuration Settings of Common OAM Proxy Page for Secure Server Communications
13.5.3
Viewing or Editing Simple or Cert Settings for OAM Proxy
13.5.4
Configuring 64-bit WebGate in Cert Mode
13.5.5
Tuning the Simple Mode WebGate
13.6
Managing Run Time Policy Evaluation Caches
13.6.1
Settings for Run Time Policy Evaluation Caches
13.6.2
Managing Run Time Policy Evaluation Caches
14
Introduction to Agents and Registration
14.1
Introduction to Policy Enforcement Agents
14.1.1
Agent Types and Runtime Processing for OAM Agents
14.1.2
About 11g WebGate Configured as a Detached Credential Collector
14.1.3
About 11g WebGate Functionality for Mobile and Social
14.1.4
About the Pre-Registered 10g WebGate IAMSuiteAgent
14.2
Introduction to Agent Registration
14.2.1
Keys and Policies Generated during Agent Registration
14.2.2
File System Changes and Artifacts for Registered Agents
14.3
OAM Remote Registration
14.3.1
Performing In-Band Remote Registration
14.3.2
Performing Out-of-Band Remote Registration
14.3.3
Updating Agent Configuration Files
15
Registering and Managing OAM 11g Agents
15.1
Before Registering and Managing Agents
15.2
OAM Agent Registration Parameters in the Console
15.2.1
Creating OAM WebGate Page and Parameters
15.2.2
User-Defined WebGate Parameters
15.2.3
IP Address Validation for WebGates
15.2.3.1
IP Validation Exceptions List
15.2.3.2
IP Validation in Load Balanced Environments
15.2.3.2.1
ProxyTrustedIPList
15.2.3.2.2
ProxyRemoteIPHeaderVar
15.3
Registering an OAM Agent Using the Console
15.4
Bulk Updates to WebGates
15.4.1
Updating Multiple WebGate Profiles
15.4.1.1
Creating a WebGate Template and Mapping WebGates to that Template
15.4.2
WLST Commands for Bulk Updates to WebGate Profiles
15.4.2.1
createWebgateTemplate
15.4.2.2
updateWebgateTemplateToWebgateMapping
15.4.2.3
updateWebgateTemplateParams
15.4.2.4
removeWebgateTemplateParams
15.4.2.5
rollbackWebgatesToPreviousState
15.4.2.6
showWebgateTemplate
15.5
Configuring and Managing Registered OAM Agents Using the Console
15.5.1
Registered OAM Agent Configuration Parameters in the Console
15.5.2
WebGate Search Controls
15.5.2.1
Searching for an OAM Agent Registration
15.5.3
Viewing or Editing an OAM Agent Registration Page in the Console
15.5.4
Deleting OAM Agent Registration Using the Console
15.6
Remote Registration Tool, Modes, and Process
15.6.1
Remote Registration Command Arguments and Modes
15.6.2
Common Elements within Remote Registration Request Templates
15.6.3
Key Use, Generation, Provisioning, and Storage
15.6.3.1
Key Use
15.6.3.2
Key Generation Process
15.6.3.3
Key Accessibility and Provisioning
15.6.3.4
Key Storage
15.7
Remote Registration Templates: OAM Agents
15.7.1
OAM Agent Parameters for Remote Registration
15.8
Performing Remote Registration for OAM Agents
15.8.1
Acquiring and Setting Up the Remote Registration Tool
15.8.2
Creating Your Remote Registration Request
15.8.3
Performing In-Band Remote Registration
15.8.4
Performing Out-of-Band Remote Registration
15.9
Remote Agent Update Modes and Templates
15.9.1
Remote Agent Update Modes
15.9.2
Remote 11g OAM Agent Updates Template
15.10
Updating Agents Remotely
15.10.1
Updating Agent Registrations Remotely
15.10.2
Validating an Agent Registration Remotely
15.10.3
Removing an Agent Registration Remotely
15.11
Validating Remote Registration and Resource Protection
15.11.1
Validating Agent Registration using the Oracle Access Management Console
15.11.2
Verifying Authentication and Access After Remote Registration
15.12
Replacing the IAMSuiteAgent with an 11g WebGate
15.12.1
Registering a Replacement 11g WebGate for IAMSuiteAgent
15.12.2
Installing the Replacement 11g WebGate for IAMSuiteAgent
15.12.3
Updating the WebLogic Server Plug-in Configuration
15.12.4
Confirming the AutoLogin Host Identifier for an OAM / OIG Integration
15.12.5
Configuring OAM Security Providers for WebLogic
15.12.5.1
About Security Providers in a WebLogic Server Domain
15.12.5.2
Setting Up Security Providers for the 11g WebGate
15.12.6
Disabling IAMSuiteAgent
15.12.7
Verifying the Webgate Configuration
15.13
Managing the Preferred Host in 10g WebGates
15.14
setAllowEmptyHostIdentifier
16
Maintaining Access Manager Sessions
16.1
Introducing Access Manager Session Management
16.2
Understanding Server-Side Session Management
16.2.1
About Securing Access Manager Sessions
16.2.2
Access Manager Session Lifecycle, States, and Enforcement
16.2.2.1
Global Session Enforcement Checks for State Changes
16.2.2.2
Access Manager Session Removal
16.2.2.3
About Step-Up and Step-Down Authentication and Credentials
16.2.2.4
Optional Application-Specific Session Enforcement
16.2.2.5
About Timeout with Multiple-Agent Types: OSSO and OAM Agents
16.2.2.6
About OpenSSO Agents
16.2.3
Access Manager Sessions and the Role of Oracle Coherence
16.3
Server-Side Session Enforcement Examples
16.3.1
Example 1: Single Authentication Scheme
16.3.2
Example 2: Multiple Authentication Schemes
16.4
Configuring the Server-Side Session Lifecycle
16.4.1
Global Session Lifecycle Settings
16.4.2
Application-Specific Session Overrides
16.4.3
Viewing or Modifying Global Session Settings
16.4.4
Viewing or Modifying Optional Application-Specific Session Overrides
16.5
Managing Active Server-Side Sessions
16.5.1
Session Management Controls
16.5.2
Locating and Managing Active Sessions
16.6
Validating Server-Side Session Operations
16.7
Understanding Client-Side Session Management
16.8
Using WLST To Configure Session Management
16.8.1
displaySSOSessionType
16.8.1.1
Description
16.8.1.2
Syntax
16.8.1.3
Example
16.8.2
configSSOSessionType
16.8.2.1
Description
16.8.2.2
Syntax
16.8.2.3
Examples
Part V Implementing Multi-Data Centers
17
Understanding Multi-Data Centers
17.1
Introducing the Multi-Data Center
17.1.1
Understanding Cookies for Multi-Data Center
17.1.1.1
OAM_ID Cookie
17.1.1.2
OAMAuthn / ObSSO WebGate Cookies
17.1.1.3
OAM_GITO (Global Inactivity Time Out) Cookie
17.1.2
Session Adoption During Authorization
17.1.3
Session Indexing
17.1.4
Supported Multi-Data Center Topologies
17.1.4.1
The MDC Active-Active Mode
17.1.4.2
The MDC Active-Passive Mode
17.1.4.3
The MDC Active-Hot Standby Mode
17.2
Multi-Data Center Deployments
17.2.1
Session Adoption Without Re-authentication, Session Invalidation or Session Data Retrieval
17.2.2
Session Adoption Without Re-authentication But With Session Invalidation and Session Data Retrieval
17.2.3
Session Adoption Without Re-authentication and Session Invalidation But With On-demand Session Data Retrieval
17.2.4
Authentication and Authorization Requests Served By Different Data Centers
17.2.5
Logout and Session Invalidation
17.2.6
Stretch Cluster Deployments
17.3
Active-Active Multi-Data Center Topology Deployment
17.4
Load Balancing Between Access Management Components
17.5
Understanding Time Outs and Session Syncs
17.5.1
Maximum Session Constraints
17.5.2
Multi-Data Center Policy Configurations for Idle Timeout
17.5.3
Expiring Multi-Data Center Sessions
17.5.4
Session Synchronization and Multi-Data Center Fail Over
17.6
Replicating a Multi-Data Center Environment
17.6.1
Replicating Data Using the WLST
17.6.2
Syncing Data Using Automated Policy Synchronization
17.7
Multi-Data Center Recommendations
17.7.1
Using a Common Domain
17.7.2
Concerning the DCC and the OAM_GITO
17.7.3
Using an External Load Balancer
17.7.4
Honoring Maximum Sessions
17.7.5
WebGate Cookie Cannot Be Refreshed During Authorization
18
Configuring Multi-Data Centers
18.1
Before Setting Up a Multi-Data Center
18.2
Primary Multi-Data Center Use Cases
18.3
Setting Up a Multi-Data Center
18.3.1
Enabling the Master Data Center
18.3.2
Setting Up the Clone Data Center
18.4
Adding A Second Clone to An Existing Multi-Data Center Setup
18.5
Multi-Data Center Security Modes
18.5.1
OPEN Security Mode
18.5.2
SIMPLE Security Mode
18.5.3
CERT Security Mode
18.6
WLST Commands for Multi-Data Centers
18.7
enableMultiDataCentreMode
18.8
disableMultiDataCentreMode
18.9
addPartnerForMultiDataCentre
18.10
removePartnerForMultiDataCentre
18.11
setMultiDataCenterType
18.12
setMultiDataCenterWrite
18.13
setMultiDataCentreClusterName
18.14
validateMDCConfig
18.15
exportAccessStore
18.16
importAccessStore
19
Synchronizing Data In A Multi-Data Center
19.1
Understanding the Multi-Data Center Synchronization
19.1.1
How Replication Works
19.1.2
Understanding the Replication Agreement
19.1.3
About Synchronizing Data Manually in a Multi-Data Center
19.2
Enabling Data Replication
19.3
Synchronizing Master and Clone Metadata
19.3.1
Synchronizing the UDM Metadata
19.3.2
Creating a Replication Agreement
19.3.3
Modifying a Replication Agreement
19.4
Customizing Transformation Rules
19.5
Modifying a Rule Document
19.6
Using REST API for Replication Agreements
19.6.1
Querying for Replication Agreement Details
19.6.2
Modifying an Existing Replication Agreement
19.6.3
Deleting a Replication Agreement
19.7
Replicating Domains in Identity Manager Deployments
19.8
Best Practices for Replication
19.8.1
Enabling Replication Logs
19.8.2
Changing the User Identifier
20
Setting Up the Multi-Data Center: A Sequence
20.1
Before You Begin
20.2
Setting Up a Multi-Data Center
20.3
Enabling Automated Policy Synchronization
20.4
Troubleshooting the Multi-Data Center Setup
Part VI Managing Access Manager SSO, Policies, and Testing
21
Understanding Single Sign-On with Access Manager
21.1
Access Manager Single Sign-On Components
21.1.1
Multiple Network Domain SSO
21.1.2
Application SSO and Access Manager
21.1.3
Multiple WebLogic Server Domain SSO
21.1.4
Reverse-Proxy SSO
21.2
Access Manager Policy Model
21.3
Anatomy of an Application Domain and Policies
21.3.1
Resource Definitions for Policies
21.3.2
About Authentication Policies
21.3.3
About Authorization Policies
21.3.4
About Token Issuance Policies
21.4
Policy Conditions and Rules
21.5
Understanding SSO Cookies
21.5.1
Single Sign-On Cookies During User Login
21.5.2
Single Sign-On Server and Agent Cookies
21.5.2.1
OAM_ID cookie
21.5.2.2
OAMAuthnCookie for 11g OAM Webgates
21.5.2.3
ObSSOCookie for 10g Webgates
21.5.2.4
OAM_REQ Cookie
21.5.2.5
OAMRequestContext
21.5.2.6
DCCCtxCookie
21.5.2.7
DCCCtxCookie_COUNT
21.5.2.8
mod_osso Cookies
21.5.2.9
OpenSSO Cookie (iPlanetDirectoryPro)
21.6
Configuring Single Sign-On with Access Manager
22
Managing Authentication and Shared Policy Components
22.1
Prerequisites to Managing Authentication and Shared Policy Components
22.2
Configuring Shared Policy Components
22.3
Managing Resource Types
22.3.1
Resource Types and Their Use
22.3.2
Resource Type Page
22.3.3
Searching for a Specific Resource Type
22.3.4
Creating a Custom Resource Type
22.4
Managing Host Identifiers
22.4.1
About Host Identifiers
22.4.1.1
Host Identifier Usage
22.4.1.2
Host Identifier Guidelines
22.4.1.3
Host Identifier Variations
22.4.2
About Virtual Web Hosting
22.4.2.1
Placing a Webgate Behind a Reverse Proxy
22.4.2.2
Configuring Virtual Hosting for Non-Apache Web Servers
22.4.2.3
Associating a Webgate for Apache with Virtual Hosts, Directories, or Files
22.4.3
Host Identifier Page
22.4.4
Creating a Host Identifier
22.4.5
Searching for a Host Identifier Definition
22.4.6
Viewing or Editing a Host Identifier Definition
22.4.7
Deleting a Host Identifier Definition
22.5
Understanding Authentication Methods and Credential Collectors
22.5.1
Authentication Methods Supported by Access Manager
22.5.2
Embedded Credential Collector Versus Detached Credential Collector
22.5.3
Authentication Event Logging and Auditing
22.6
Managing Native Authentication Modules
22.6.1
Native Access Manager Authentication Modules
22.6.1.1
Native Kerberos Authentication Module
22.6.1.2
Native LDAP Authentication Modules
22.6.1.3
Native X.509 Authentication Module
22.6.2
Viewing or Editing Native Authentication Modules
22.6.3
Deleting a Native Authentication Module
22.7
Orchestrating Multi-Step Authentication with Plug-in Based Modules
22.7.1
Simple Form Versus Multi-Factor (Multi-Step) Authentication
22.7.2
Access Manager Plug-ins for Multi-Step Authentication Modules
22.7.3
Pre-populated Plug-ins for Configuring Access Manager with Multi-Step Authentication
22.7.4
Example: Leveraging SubjectAltName Extension Data and Integrating with Multiple OCSP Endpoints
22.7.5
Creating a Custom Authentication Module using Bundled Plug-ins
22.7.6
Steps and Plug-ins in Customized Step-up Authentication Module
22.7.7
Configuring Step-up Authentication
22.7.8
Configuring an HTTPToken Extractor Plug-in
22.7.9
JSON Web Token Plug-in
22.7.9.1
Understanding the JSON Web Token Plug-in
22.7.9.2
Configuring the JSON Web Token Plug-In
22.8
Deploying and Managing Individual Plug-ins for Authentication
22.8.1
About Managing Your Own Authentication Plug-ins
22.8.2
Making Custom Authentication Plug-ins Available for Use
22.8.3
Checking an Authentication Plug-in's Activation Status
22.8.4
Deleting Your Custom Authentication Plug-ins
22.9
Managing Authentication Schemes
22.9.1
Authentication Schemes and Pages
22.9.1.1
Pre-configured Authentication Schemes
22.9.1.2
Credential Challenge Methods
22.9.1.3
Challenge Parameters for Authentication Schemes
22.9.2
Understanding Multi-Level and Step-Up Authentication
22.9.2.1
About Multi-Level and Step-Up Authentication
22.9.2.2
Detection of Insufficient Authentication Level by OAM Agent
22.9.2.3
Changing Security Level of an Authentication Scheme during the Authentication Process
22.9.2.4
Multi-Level Authentication Processing with 10g OSSO Agent
22.9.3
Creating an Authentication Scheme
22.9.4
Searching for an Authentication Scheme
22.9.5
Viewing, Editing, or Deleting an Authentication Scheme
22.10
Extending Authentication Schemes with Advanced Rules
22.10.1
Advanced Rules Use Cases
22.10.2
Context Data for Advanced Rules
22.11
Configuring Challenge Parameters for Encrypted Cookies
22.11.1
Challenge Parameters for Encrypted Cookies
22.11.2
Configuring Challenge Parameters for Security of Encrypted Cookies
22.11.3
Setting Challenge Parameters for Persistence of Encrypted Cookies
22.12
Configuring Authentication POST Data Handling
22.12.1
Authentication POST Data Preservation and Restoration
22.12.2
Authentication POST Data Handling
22.12.3
Post Data Size Limits
22.12.4
Configuring Authentication POST Data Handling
22.12.5
Testing POST Data Handling Configuration
22.13
Long URL Handling During Authentication
22.13.1
About Long URLs and Authentication Handling
22.13.2
Configuration Requirements for Long URL Handling
22.14
Using Application Initiated Authentication
23
Understanding Credential Collection and Login
23.1
Overview of Access Manager Credential Collection
23.1.1
Overview of the Login process with Self-Service Provisioning Applications
23.1.2
Overview of the Login Process with Access Manager-Protected Resources
23.2
Overview of the SSO Login Process with OAM Agents and ECC
23.3
Overview of the SSO Login Process with OAM Agents and DCC
23.4
Overview of the SSO Login Process with OSSO Agents (mod_osso) and ECC
23.5
Configuring 11g WebGate and Authentication Policy for DCC
23.5.1
Enabling DCC Credential Operations
23.5.2
Locating and Updating DCC Forms for Password Policy
23.5.3
Adding PasswordPolicyValidationScheme to Authentication Policy for DCC
23.5.4
Supporting Federation Flows With DCC
23.6
Tunneling from DCC to Access Manager Over Oracle Access Protocol
23.6.1
How DCC Tunneling with OAP Works
23.6.2
Configuring OAP Tunneling
23.7
Configuring a DCC WebGate for X509 Authentication
23.7.1
Configuring the WebLogic Server
23.7.1.1
Creating the Server and Trust Store
23.7.1.2
Configuring the WebLogic Server Instance
23.7.1.3
Creating the User Certificate
23.7.1.4
Adding the Root CA Certificate
23.7.2
Configuring a WebGate For DCC
23.7.3
Converting the DCC WebGate to SSL
23.7.3.1
Generating Server Certificates
23.7.3.2
Generating and Importing Client Certificates
24
Using Password Policy
24.1
Understanding Password Management
24.2
Enabling Password Management
24.3
Accessing Password Policy Configuration Page
24.3.1
Password Policy Configuration Page
24.4
Specifying Credential Collector URLs with Password Policy
24.5
Oracle-Provided Password Forms
24.6
Managing Global Password Policy
24.6.1
Defining Your Global Password Policy
24.6.2
Designating the Default Store for Your Password Policy
24.6.3
Adding Key Password Attributes to the Default Store
24.6.3.1
LDIF Files and Key Password Attributes for Password Policy
24.6.3.2
Extending the Default Store Schema with Password Policy Attributes
24.6.4
Adding an Administrator to Change User Attributes After a Password Change
24.7
Configuring Password Policy Authentication
24.7.1
Password Policy Validation Authentication Module
24.7.2
Configuring the PasswordPolicyValidationScheme
24.7.3
Adding Your PasswordPolicyValidationScheme to ECC Authentication Policy
24.7.4
Supporting DCC Authentication Schemes with Pre-Authentication Rules
24.8
Completing Password Policy Configuration
24.8.1
Setting the Error Message Mode for Password Policy Messages
24.8.2
Overriding Native LDAP Password Policy Validation
24.8.3
Disabling ECC Operation and Using DCC Exclusively
24.8.4
Testing Your Multi-Step Authentication
24.9
Configuring the IPFUserPasswordPolicyPlugin
24.9.1
Enabling the IPF Password Service
24.9.2
Configuring Password Policy for IPF Password Service
24.9.3
Extending the LDAP Definitions
24.9.4
Configuring the Password Policy Validation Authentication Module and Scheme
24.9.5
Setting Up the Forgot Password Module
25
Managing Policies to Protect Resources and Enable SSO
25.1
Prerequisites to Managing Policies and Protecting Resources
25.2
Introduction to Application Domain and Policy Creation
25.2.1
About Generating Application Domains and Policies Automatically
25.2.2
About Managing Application Domains and Policies Remotely
25.2.3
Creating or Managing an Application Domain and Policies
25.3
Understanding Application Domain and Policy Management
25.3.1
Application Domain Pages
25.3.2
Application Domain Summary Page
25.3.3
Resource Container in an Application Domain
25.3.4
Authentication Policy Pages
25.3.5
Authorization Policy Pages
25.3.6
Token Issuance Policy Pages
25.4
Managing Application Domains Using the Console
25.4.1
Creating a New Application Domain
25.4.2
Searching for an Existing Application Domain
25.4.3
Viewing or Editing an Application Domain
25.4.4
Deleting an Application Domain and Its Contents
25.5
Adding and Managing Policy Resource Definitions
25.5.1
Resources in an Application Domain
25.5.1.1
Resource Type in a Resource Definition
25.5.1.2
Host Identifier in a Resource Definition
25.5.1.3
Resource URL, Prefixes, and Patterns
25.5.1.4
Query String Name and Value Parameters for Resource Definitions
25.5.1.5
Literal Query Strings in Resource Definitions
25.5.1.6
Run Time Resource Evaluation
25.5.2
Defining Resources in an Application Domain
25.5.3
Searching for a Resource Definition
25.5.3.1
Search Elements and Results for Resource Definitions in an Application Domain
25.5.3.2
Searching for a Specific Resource Definition
25.5.4
Viewing, Editing, or Deleting a Resource Definition
25.6
Defining Authentication Policies for Specific Resources
25.6.1
Authentication Policy Page
25.6.1.1
Resources in an Authentication Policy
25.6.2
Creating an Authentication Policy for Specific Resources
25.6.3
Searching for an Authentication Policy
25.6.4
Viewing or Editing an Authentication Policy
25.6.5
Deleting an Authentication Policy
25.7
Defining Authorization Policies for Specific Resources
25.7.1
Authorization Policies for Specific Resources
25.7.2
Creating an Authorization Policy and Specific Resources
25.7.3
Searching for an Authorization Policy
25.7.4
Viewing or Editing an Authorization Policy and Resources
25.7.5
Deleting an Entire Authorization Policy
25.8
Configuring Success and Failure URLs for Authorization Policies
25.9
Introduction to Authorization Policy Rules and Conditions
25.9.1
About Allow or Deny Rules
25.9.2
Authorization Policy Conditions
25.9.3
About Classifying Users and Groups for Conditions
25.9.4
Guidelines for Authorization Responses Based on Conditions
25.10
Defining Authorization Policy Conditions
25.10.1
Choosing a Condition Type
25.10.1.1
Condition Window and Elements
25.10.1.2
Choosing a Condition Type
25.10.2
Defining Identity Conditions
25.10.2.1
About Identity Conditions
25.10.2.1.1
Identity Conditions and User Populations
25.10.2.1.2
LDAP Search Filter Support in Identity Conditions
25.10.2.1.3
LDAP Search Filter Syntax
25.10.2.2
Specifying Identity Type Conditions
25.10.3
Defining IP4 Range Conditions
25.10.3.1
IP4 Range Condition Types
25.10.3.2
Defining IP4 Range Conditions
25.10.4
Defining Temporal Conditions
25.10.4.1
Temporal Conditions
25.10.4.2
Defining Temporal Conditions
25.10.5
Defining Attribute Conditions
25.10.5.1
Attribute-Type Conditions
25.10.5.2
Defining Attribute Type Conditions
25.10.6
Viewing, Editing, or Deleting Authorization Policy Conditions
25.11
Defining Authorization Policy Rules
25.11.1
Authorization Policy Rules
25.11.2
Expressions and Expression-Based Policy
25.11.2.1
Expression Evaluation in Authorization Rules
25.11.3
Defining Rules in an Authorization Policy
25.12
Configuring Policy Ordering
25.13
Introduction to Policy Responses for SSO
25.13.1
Authentication and Authorization Policy Responses for SSO
25.13.2
About the Policy Response Language
25.13.3
Namespace and Variable Names for Policy Responses
25.13.4
About Constructing a Policy Response for SSO
25.13.4.1
Simple Responses
25.13.4.2
Compound and Complex Responses
25.13.4.3
Multi-Valued Responses
25.13.5
About Policy Response Processing
25.13.6
Assertion Claims and Processing
25.14
Adding and Managing Policy Responses for SSO
25.14.1
Adding a Policy Response for SSO
25.14.2
Viewing, Editing, or Deleting a Policy Response for SSO
25.15
Validating Authentication and Authorization in an Application Domain
25.16
Understanding Remote Policy and Application Domain Management
25.16.1
Remote Policy Management Modes, Templates, and Flags
25.16.2
Create Policy Request Template
25.16.3
Update Policy Request Template
25.16.4
Remote Policy Management Template Elements
25.17
Managing Policies and Application Domains Remotely
25.18
Application and Application-types
26
Validating Connectivity and Policies Using the Access Tester
26.1
Prerequisites to Using the Access Tester to Validate Connectivity and Policies
26.2
Introduction to the Access Tester for Access Manager 11g
26.2.1
About OAM Agent and Server Interoperability
26.2.2
About Access Tester Security and Processing
26.2.3
About Access Tester Modes and Administrator Interactions
26.3
Installing and Starting the Access Tester
26.3.1
Installing the Access Tester
26.3.2
System Properties Supported by the Access Tester
26.3.3
Starting the Tester Without System Properties For Use in Tester Console Mode
26.3.4
Starting the Access Tester with System Properties For Use in Command Line Mode
26.3.4.1
About the Access Tester Command Line Mode
26.3.4.2
Starting the Access Tester with System Properties
26.4
Access Tester Console, Navigation, and Controls
26.4.1
Access Tester Menus and Command Buttons
26.5
Testing Connectivity and Policies from the Access Tester Console
26.5.1
Establishing a Connection Between the Access Tester and the OAM Server
26.5.1.1
Server Connection Panel in the Access Tester
26.5.1.2
Connecting the Access Tester with the OAM Server
26.5.2
Validating Resource Protection from the Access Tester Console
26.5.2.1
Protected Resource URI Panel in the Access Tester
26.5.2.2
Validating Resource Protection
26.5.3
Testing User Authentication from the Access Tester Console
26.5.3.1
User Identity Panel in the Access Tester
26.5.3.2
Testing User Credential Authentication
26.5.4
Testing User Authorization from the Access Tester Console
26.5.5
Observing Request Latency
26.6
Creating and Managing Test Cases and Scripts
26.6.1
About Test Cases and Test Scripts
26.6.2
Capturing Test Cases
26.6.3
Generating an Input Test Script
26.6.3.1
About Input Test Script
26.6.3.2
Generating an Input Test Script
26.6.4
Personalizing an Input Test Script
26.6.4.1
Test Script Control Parameters
26.6.4.2
Customizing a Test Script
26.6.5
Executing a Test Script
26.6.5.1
About Test Script Execution
26.6.5.2
Running a Test Script
26.7
Evaluating Scripts, Log File, and Statistics
26.7.1
About Evaluating Test Results
26.7.2
Saved Connection Configuration File
26.7.3
Generated Input Test Script
26.7.4
Target Output File Containing Test Run Results
26.7.5
Statistics Document
26.7.6
Execution Log
26.8
Validating User Authentication without Password
27
Configuring Centralized Logout for Sessions Involving 11g WebGates
27.1
Prerequisites for the Configuration of Centralized Logout Sessions Involving 11g WebGates
27.2
Introduction to Centralized Logout for Access Manager 11g
27.2.1
About Centralized Logout for 11g WebGates
27.2.2
About Logout Parameters for 11g WebGates
27.3
Configuring Centralized Logout for 11g WebGates
27.3.1
Configuring Centralized Logout for 11g WebGates When the ECC is Used
27.3.2
Configuring Logout When Using Detached Credential Collector-Enabled WebGate
27.4
Validating Global Sign-On and Centralized Logout
27.4.1
Confirming Global Sign-On
27.4.2
Validating Global Sign-On with Mixed Agent Types
27.4.3
Observing Centralized Logout
Part VII Registering and Using Agents with Access Manager
28
Registering and Managing Legacy OpenSSO Agents
28.1
Introduction to OpenSSO, Agents, Migration and Co-existence
28.1.1
About Migration and Co-existence Between OpenSSO and Access Manager
28.1.1.1
OpenSSO Policy Migration
28.1.1.2
Application Domain Creation During OpenSSO Migration
28.1.1.3
OpenSSO Authentication Policy Migration
28.1.1.4
Host Identifier Creation in Access Manager
28.1.2
OpenSSO Agent Reliance on Access Manager
28.2
Runtime Processing Between OpenSSO Agents and Access Manager
28.3
Understanding OpenSSO Agent Registration Parameters
28.3.1
OpenSSO Agent Registration Parameters
28.3.2
The Expanded OpenSSO Agent Page and Parameters
28.4
Registering and Managing OpenSSO Agents Using the Console
28.4.1
Registering an OpenSSO Agent using the Oracle Access Management Console
28.4.2
Configuring and Managing Registered OpenSSO Agents Using the Console
28.5
Performing Remote Registration for OpenSSO Agents
28.5.1
Request Templates for OpenSSO Agent Remote Registration
28.5.2
OpenSSO Bootstrap Configuration Mappings
28.5.3
Performing In-Band Remote Registration with OpenSSO Agents
28.5.4
Performing Out-of-Band Remote Registration with OpenSSO Agents
28.6
Open SSO Remote Registration versus Remote Updates
28.6.1
Updating OpenSSO Agents Remotely
28.7
Other OpenSSO Agent Information in this Guide
29
Registering and Managing Legacy OSSO Agents
29.1
Understanding OSSO Agents with Access Manager
29.1.1
About OSSO Agents with Access Manager
29.1.2
Comparing Access Manager 11g SSO versus OSSO 10g
29.2
Registering OSSO Agents Using Oracle Access Management Console
29.2.1
Understanding the Create OSSO Agent Registration Page and Parameters
29.2.1.1
About the OSSO Agent Configuration File
29.2.2
Registering an OSSO Agent (mod_osso) Using the Console
29.3
Configuring and Managing Registered OSSO Agents Using the Console
29.3.1
About the Expanded OSSO Agent Page in the Console
29.3.2
Searching for an OSSO Agent (mod_osso) Registration
29.3.3
Viewing or Editing OSSO Agent (mod_osso) Registration
29.3.4
Deleting an OSSO Agent (mod_osso) Registration
29.4
Performing Remote Registration for OSSO Agents
29.4.1
About Request Templates for OSSO Remote Registration
29.4.2
Performing In-Band Remote Registration of OSSO Agents
29.4.3
Performing Out-of-Band Remote Registration for OSSO Agents
29.5
Updating Registered OSSO Agents Remotely
29.6
Configuring Logout for OSSO Agents with Access Manager 11.1.2
29.6.1
About Centralized Logout with OSSO Agents (mod_OSSO) and Access Manager
29.6.2
Removing Custom mod_osso Cookies on Logout
29.7
Locating Other OSSO Agent Information
30
Registering and Managing 10g WebGates with Access Manager 11g
30.1
Prerequisites for Registering and Managing 10g WebGates with Access Manager 11g
30.2
Introduction to 10g OAM Agents for Access Manager 11g
30.2.1
About IAMSuiteAgent: A Pre-Configured 10g WebGate Registered with Access Manager
30.2.2
About Legacy Oracle Access Manager 10g Deployments and WebGates
30.2.3
About Installing Fresh 10g WebGates to Use With Access Manager 11.1.2
30.2.3.1
Task Overview: Registering and installing a 10g WebGate for Access Manager 11g
30.2.4
About Centralized Logout with 10g OAM Agents and 11g OAM Servers
30.3
Comparing Access Manager 11.1.2 and 10g
30.3.1
Comparing Access Manager 11g versus 10g
30.3.2
Comparing Access Manager 11g versus 10g Policy Model
30.4
Configuring Centralized Logout for IAMSuiteAgent
30.5
Registering a 10g WebGate with Access Manager 11g Remotely
30.6
Managing 10g OAM Agents Remotely
30.7
Locating and Installing the Latest 10g WebGate for Access Manager 11g
30.7.1
Preparing for a Fresh 10g WebGate Installation with Access Manager 11g
30.7.2
Locating and Downloading 10g WebGates for Use with Access Manager 11g
30.7.3
Starting WebGate 10g Installation
30.7.4
Specifying a Transport Security Mode
30.7.5
Requesting or Installing Certificates for Secure Communications
30.7.6
Specifying WebGate Configuration Details
30.7.7
Updating the WebGate Web Server Configuration
30.7.7.1
Manually Configuring Your Web Server
30.7.8
Finishing WebGate Installation
30.7.9
Installing Artifacts and Certificates
30.7.10
Confirming WebGate Installation
30.8
Configuring Centralized Logout for 10g WebGate with 11g OAM Servers
30.8.1
About Centralized Logout Processing for 10g WebGate with 11g OAM Server
30.8.1.1
Process Overview: Centralized Logout for 10g WebGate with 11g OAM Server
30.8.2
Centralized Logout Script for 10g WebGates with 11g OAM Servers
30.8.2.1
Process Overview: Logic in logout.html
30.8.2.2
Guidelines for the end_url parameter in logout.html
30.8.3
Configuring Centralized Logout for 10g WebGates with Access Manager
30.9
Removing a 10g WebGate from the Access Manager 11g Deployment
31
Configuring Apache, OHS, IHS for 10g WebGates
31.1
Prerequisites for Configuring Apache, OHS, IHS for 10g WebGates
31.2
About Oracle HTTP Server and Access Manager
31.3
About Access Manager with Apache and IHS v2 Webgates
31.3.1
About the Apache HTTP Server
31.3.2
About the IBM HTTP Server
31.3.3
About the Apache and IBM HTTP Reverse Proxy Server
31.4
About Apache v2 Architecture and Access Manager
31.4.1
Requirements for Webgates Installed with IHS and Apache v2
31.4.2
Limitations of Apache and IHS v2 Web Servers
31.5
Requirements for Oracle HTTP Server, IHS, Apache v2 Web Servers
31.5.1
Requirements for IHS2 Web Servers
31.5.2
Requirements for Apache and IHS v2 Reverse Proxy Servers
31.5.3
Requirements for Apache v2 Web Servers
31.6
Preparing Your Web Server
31.6.1
Preparing the IHS v2 Web Server
31.6.1.1
Preparing the Host for IHS v2 Installation
31.6.1.2
Installing the IBM HTTP Server v2
31.6.1.3
Setting Up SSL-Capability
31.6.1.4
Starting an IHS v2 Secure Virtual Host
31.6.2
Preparing Apache and Oracle HTTP Server Web Servers on Linux
31.6.3
Preparing Oracle HTTP Server Web Servers on Linux and Windows Platforms
31.6.4
Setting Oracle HTTP Server Client Certificates
31.6.5
Preparing the Apache v2 Web Server on UNIX
31.6.5.1
Preparing plain Apache v2 for UNIX
31.6.5.2
Preparing SSL-capable Apache v2 on UNIX
31.6.6
Preparing the Apache v2 SSL Web Server on AIX
31.6.7
Apache v2 Installation on Windows versus Installation on UNIX
31.6.8
Preparing Apache v2 for Windows
31.7
Activating Reverse Proxy for Apache v2 and IHS v2
31.7.1
Activating Reverse Proxy For Apache v2 Web Servers
31.7.2
Activating Reverse Proxy For IHS v2 Web Servers
31.8
Verifying httpd.conf Updates for Webgates
31.8.1
Verifying Webgate Details
31.8.1.1
Starting httpd.conf updates anew
31.8.2
Verifying Language Encoding
31.9
Tuning Oracle HTTP Server Webgates for Access Manager
31.10
Tuning OHS/Apache Prefork and Worker MPM Modules for OAM
31.10.1
Oracle HTTP Server/Apache Prefork MPM Module Parameters
31.10.2
Oracle HTTP Server/Apache Worker MPM Module Parameters
31.10.3
Kernel Parameters
31.11
Starting and Stopping Oracle HTTP Server Web Servers
31.12
Tuning Apache/IHS v2 Webgates for Access Manager
31.12.1
About Apache v2 bundled with Security-Enhanced Linux
31.12.2
About Apache v2 bundled SELinux-enabled Linux Distribution
31.12.2.1
Adding Access Manager Policies to Apache bundled with Red Hat Enterprise Linux 4
31.12.3
Apache v2 Directives
31.13
Removing Web Server Configuration Changes After Uninstall
31.14
Helpful Information about Building an Apache Release and Source Code
32
Configuring the ISA Server for 10g WebGates
32.1
Prerequisites for Configuring the ISA Server for 10g WebGates
32.2
About Access Manager and the ISA Server
32.3
Compatibility and Platform Support
32.4
Installing and Configuring Webgate for the ISA Server
32.4.1
Installing Webgate with ISA Server
32.4.2
Changing /access Directory Permissions
32.5
Configuring the ISA Server for the ISAPI Webgate
32.5.1
Registering Access Manager Plug-ins as ISA Server Web Filters
32.5.2
Configuring ISA Firewall Policies for ISA Web Filters
32.5.3
Ordering the ISAPI Filters
32.6
Starting, Stopping, and Restarting the ISA Server
32.7
Removing Access Manager Filters Before Webgate Uninstall on ISA Server
33
Configuring the IIS Web Server for 10g WebGates
33.1
Prerequisites for Configuring the IIS Web Server for 10g WebGates
33.2
About WebGate Guidelines for IIS Web Servers
33.2.1
About Guidelines for ISAPI WebGates
33.2.1.1
Webgates for IIS v7
33.2.1.2
Webgates for IIS v6
33.2.1.3
De-coupling an Earlier Webgate/Policy Manager
33.2.1.4
Multiple Webgates with a Single IIS 6 Instance
33.3
Prerequisites for Installing Webgate for IIS 7
33.3.1
Prerequisites for Installing Any 10g Webgate for IIS 7
33.3.1.1
Locating and Removing the <add segment="bin"/> Entry
33.3.2
Prerequisite for Installing a 32-bit Webgate for IIS 7
33.3.3
Adding the IIS 6 Management Compatibility Module for a 32-bit Webgate for IIS and Simple or Cert Security
33.4
Updating IIS 7 Web Server Configuration on Windows 2008
33.5
Completing Webgate Installation with IIS
33.5.1
Enabling Client Certificate Authentication on the IIS Web Server
33.5.2
Ordering the ISAPI Filters
33.5.3
Enabling Pass-Through Functionality for POST Data
33.5.3.1
About ISAPI Webgate 10.1.4.2.3
33.5.3.2
About Pass-Through Functionality for POST Data
33.5.3.3
Implementing Pass-Through: IIS 6.0 in Worker Process Isolation Mode
33.5.3.3.1
Setting the UseWebGateExtForPassthrough Parameter in the Webgate Profile
33.5.3.3.2
Configuring webgate.dll as an ISAPI Extension
33.5.3.4
Implementing Pass-Through with IIS 6.0 Web Server in IIS 5.0 Isolation Mode
33.5.3.4.1
Setting Up IIS 6.0 Web Server in IIS 5.0 Isolation Mode
33.5.3.4.2
Installing the Postgate ISAPI Filter
33.5.4
Protecting a Web Site When the Default Site is Not Set Up
33.6
Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance
33.6.1
Installing Each IIS 7 Webgate in a Multiple Webgate Scenario
33.6.2
Setting the Impersonation DLL for Multiple IIS 7 Webgates
33.6.3
Enabling Client Certification for Multiple IIS 7 Webgates
33.6.4
Configuring IIS 7 Webgates for Pass Through Functionality
33.6.5
Confirming IIS 7 Webgate Installation
33.7
Installing and Configuring Multiple Webgates for a Single IIS 6 Instance
33.7.1
Installing Each Webgate in a Multiple Webgate Scenario
33.7.2
Setting the Impersonation DLL for Multiple Webgates
33.7.3
Enabling SSL and Client Certification for Multiple Webgates
33.7.4
Confirming Multiple Webgate Installation
33.8
Finishing 64-bit Webgate Installation
33.8.1
Setting Access Permissions, ISAPI filters, and Directory Security Authentication
33.8.2
Setting Client Certificate Authentication
33.9
Confirming Webgate Installation on IIS
33.10
About Starting, Stopping, and Restarting the IIS Web Server
33.11
Removing Web Server Configuration Changes Before Uninstall
34
Configuring Lotus Domino Web Servers for 10g WebGates
34.1
Prerequisites for Configuring Lotus Domino Web Servers for 10g WebGates
34.2
Installing the Domino Web Server
34.3
Setting Up the First Domino Web Server
34.4
Starting the Domino Web Server
34.5
Enabling SSL by Generating a Keyring and a Stash File
34.6
Installing a Domino Security (DSAPI) Filter
34.6.1
Completing the WebGate Installation
Part VIII Managing the Adaptive Authentication Service and Oracle Mobile Authenticator
35
Introducing the Adaptive Authentication Service
35.1
About Adaptive Authentication Service
35.2
Working with the Adaptive Authentication Service
35.2.1
Understanding the One Time Password Option
35.2.1.1
About using OTP through Email or SMS
35.2.1.2
About using OTP from Oracle Mobile Authenticator
35.2.2
Understanding the Access Request (Push) Notification Option
35.2.3
Using the Oracle Mobile Authenticator with OTP And Access Request
35.3
Understanding Adaptive Authentication Service and OMA Configurations
35.4
Configuring an Adaptive Authentication Service
35.4.1
Generating a Secret Key for the Oracle Mobile Authenticator
35.4.2
Configuring Mobile OAuth Services to Protect a Secret Key
35.4.3
Configuring the Adaptive Authentication Plug-in in the Oracle Access Management Console
35.4.4
Setting Credentials for UMS, iOS, and Android
35.4.5
Creating a Java KeyStore for iOS Access Request (Push) Notifications
35.4.6
Configuring Host Name Verifier for Android Access Request (Push) Notifications
35.4.7
Configuring Access Manager for VPN in a Use Case
36
Configuring the Oracle Mobile Authenticator
36.1
Understanding Oracle Mobile Authenticator Configuration
36.2
Using the Oracle Mobile Authenticator App on iOS
36.2.1
Configuring the Oracle Mobile Authenticator for iOS
36.2.2
Initializing the Oracle Mobile Authenticator on iOS
36.2.2.1
Initializing the Oracle Mobile Authenticator for OTP Generation on iOS
36.2.2.2
Adding an OTP Generation Account Manually on iOS
36.2.2.3
Initializing Oracle Mobile Authenticator for Access Request (Push) Notifications Using Apple Push Notifications
36.2.2.4
Initializing Oracle Mobile Authenticator for Access Request (Push) Notifications and OTP Generation on iOS
36.2.2.5
Configuring Oracle Mobile Authenticator for Offline OTP Generation on iOS
36.2.3
Copying a One-Time Password from the Oracle Mobile Authenticator on iOS
36.2.4
Editing an Account on the Oracle Mobile Authenticator on iOS
36.2.5
Deleting an Account on the Oracle Mobile Authenticator on iOS
36.2.6
Responding to Access Request (Push) Notifications on iOS
36.2.7
Displaying Access Request (Push) Notifications History on iOS
36.2.8
Displaying Service Account Details on iOS
36.2.9
Displaying Access Manager Registered Accounts on iOS
36.2.10
Displaying the OMA Version on iOS
36.3
Using the Oracle Mobile Authenticator App on Android
36.3.1
Configuring the Oracle Mobile Authenticator for Android
36.3.2
Initializing the Oracle Mobile Authenticator on Android
36.3.2.1
Initializing the Oracle Mobile Authenticator for OTP Generation on Android
36.3.2.2
Adding an OTP Generation Account Manually on Android
36.3.2.3
Initializing Oracle Mobile Authenticator for Access Request (Push) Notifications Using Google Cloud Messaging
36.3.2.4
Initializing Oracle Mobile Authenticator for Access Request (Push) Notifications and OTP Generation on Android
36.3.2.5
Configuring Oracle Mobile Authenticator for Offline OTP Generation on Android
36.3.3
Copying a One-Time Password from the Oracle Mobile Authenticator on Android
36.3.4
Editing an Account on the Oracle Mobile Authenticator on Android
36.3.5
Deleting an Account on the Oracle Mobile Authenticator on Android
36.3.6
Responding to Access Request (Push) Notifications on Android
36.3.7
Displaying Access Request (Push) Notifications History on Android
36.3.8
Displaying Service Account Details on Android
36.3.9
Displaying Access Manager Registered Accounts on Android
36.3.10
Displaying the OMA Version on Android
36.4
Configuring the Google Authenticator App
36.5
Using a QR Code for Configuration
Part IX Managing Oracle Access Management Identity Federation
37
Introducing Identity Federation in Oracle Access Management
37.1
Integrating Identity Federation with Access Manager
37.2
Deploying Identity Federation with Oracle Access Management
37.3
Understanding How Identity Federation Works
37.4
Using Identity Federation
37.4.1
Achieving SSO
37.4.2
Logging Out
37.4.3
Authorizing
37.4.4
Forcing Authentication
37.4.5
Indicating a Passive Identity Provider
37.4.6
User and Assertion Mapping
37.4.7
Platform Dependencies
37.5
Initiating Federation SSO
37.5.1
IdP Initiated Federation SSO Service
37.5.1.1
Multivalue Attributes in SAML Assertion
37.5.2
SP Initiated Federation SSO Service
37.5.3
Attribute Consuming Service
37.5.3.1
Elements Of Attribute Consuming Service
37.5.3.2
WLST Commands For Attribute Consuming Service
37.5.3.2.1
getDefaultACS
37.5.3.2.2
getAllRqstAttrsForACS
37.5.3.2.3
getAllACS
37.5.3.2.4
getACS
37.5.3.2.5
addACS
37.5.3.2.6
addRqstAttrToACS
37.5.3.2.7
updateACS
37.5.3.2.8
updateRqstAttrForACS
37.5.3.2.9
deleteACS
37.5.3.2.10
deleteRqstAttrForACS
37.6
Exchanging Identity Federation Data
37.6.1
Using SAML 2.0
37.6.1.1
SAML 2.0 Bindings for SSO and Federation
37.6.1.2
SAML 2.0 Bindings for Single Logout
37.6.1.3
SAML 2.0 NameID Formats
37.6.1.4
Securing SAML 2.0 Data
37.6.1.5
SAML 2.0 Service Details
37.6.2
Using SAML 1.1
37.6.2.1
SAML 1.1 Profiles for Web Browser SSO
37.6.2.2
SAML 1.1 Logout Profile
37.6.2.3
SAML 1.1 NameID Formats
37.6.2.4
About SAML 1.1 Data Security
37.6.2.5
SAML 1.1 Service Details
37.6.3
Using OpenID 2.0
37.6.3.1
OpenID 2.0 Authentication/SSO
37.6.3.2
OpenID 2.0 Logout
37.6.3.3
OpenID 2.0 NameID Format
37.6.3.4
About OpenID 2.0 Data Security
37.6.3.5
OpenID 2.0 Extensions
37.6.3.6
OpenID 2.0 Service Details
37.6.4
Using WS-Federation 1.1
37.7
Administrating Identity Federation
37.8
Enabling Identity Federation
38
Managing Identity Federation Partners
38.1
Understanding Federation And Partners
38.2
Managing Federation Partners
38.3
Administering Identity Federation As A Service Provider
38.3.1
Creating Remote Identity Provider Partners
38.3.1.1
Defining a New SAML 2.0 Identity Provider for Federation
38.3.1.2
Defining a New SAML 1.1 Identity Provider for Federation
38.3.1.3
Defining a New OpenID 2.0 Identity Provider for Federation
38.3.1.4
Enabling OpenID Simple Registration
38.3.1.5
Disabling OpenID Simple Registration
38.3.2
Managing the Remote Identity Provider Partners
38.3.2.1
Searching for Existing Identity Providers
38.3.2.2
Updating Identity Providers for Federation
38.4
Administering Identity Federation As An Identity Provider
38.4.1
Creating Remote Service Provider Partners
38.4.2
Managing the Remote Service Provider Partners
38.5
Using Attribute Mapping Profiles
38.5.1
Using the SP Attribute Mapping Profile
38.5.2
Using the IdP Attribute Mapping Profile
38.6
Mapping Federation Authentication Methods to Access Manager Authentication Schemes
38.6.1
Understanding Federation SSO As An IdP
38.6.2
Understanding Federation SSO As An SP
38.6.3
Configuring an Alternate Authentication Scheme
38.6.4
Using WLST For Mapping Administration
38.7
Using the Attribute Sharing Plug-in for the Attribute Query Service
38.7.1
Understanding the Plug-in and Query Service Design
38.7.1.1
Using the SP Attribute Requester
38.7.1.2
Using the IdP Attribute Responder
38.7.1.3
Using the SOAP Endpoint
38.7.2
Configuring for Attribute Sharing
38.7.2.1
NameID
38.7.2.2
NameID Format
38.7.2.3
IdP
38.7.2.4
RequestedAttributes
38.8
Using the Federation Proxy
38.9
Using WLST for Identity Federation Administration
39
Managing Settings for Identity Federation
39.1
Prerequisites for Settings in Federation Identity
39.2
About Federation Settings
39.3
Managing General Federation Settings
39.3.1
About Managing General Federation Settings
39.3.2
Managing General Federation Settings
39.3.2.1
Prerequisites for General Federation Settings
39.3.2.2
Setting or Modifying General Settings for Federation
39.4
Managing Proxy Settings for Federation
39.4.1
About Proxy Settings for Federation
39.4.2
Managing Proxy Settings for Identity Federation
39.4.2.1
Prerequisites for Proxy Settings for Identity Federation
39.4.2.2
Setting or Modifying Proxy Settings for Federation
39.5
Defining Keystore Settings for Federation
39.5.1
About Managing Keystore Settings for Identity Federation
39.5.2
Managing Identity Federation Encryption/Signing Keys
39.5.2.1
Task Overview: Managing Identity Federation Encryption/Signing Keys
39.5.2.2
Resetting the System (.oamkeystore) and Trust (amtruststore) Keystore Password
39.5.2.3
Adding a New Key Entry to the System Keystore (.oamkeystore)
39.5.2.3.1
Task Overview: Adding a New Key Entry to the System Keystore (.oamkeystore)
39.5.2.3.2
Adding a New Entry in the .oamkeystore
39.5.2.3.3
Adding a New Entry in the Identity Federation Settings
39.5.2.3.4
Configuring the Signing and Encryption Key
39.5.2.3.5
Using WLST for Key Transport Algorithm
39.6
Exporting Metadata
40
Managing Federation Schemes and Policies
40.1
Use of Identity Federation and Access Manager Together
40.2
Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.2)
40.2.1
About the FederationScheme Authentication Scheme
40.2.2
About the FederationMTScheme
40.2.3
About the FederationPlugin Authentication Module
40.2.4
Managing Authentication with Identity Federation in 11g Release 2
40.2.4.1
Prerequisites for the Authentication with Identity Federation in 11g Release 2
40.2.4.2
Viewing or Modifying FederationScheme
40.2.4.3
Viewing or Modifying FederationPlugin
40.2.4.4
Adding an Authentication Policy with FederationScheme
40.3
Using Authentication Schemes and Modules for Oracle Identity Federation 11g Release 1
40.3.1
About Scheme OIFScheme
40.3.2
About the OIFMTLDAPPlugin Authentication Module
40.3.3
Managing Authentication with Oracle Identity Federation Release 11gR1
40.3.3.1
Prerequisites for Authentication with Oracle Identity Federation Release 11gR1
40.3.3.2
Viewing or Modifying the OIFScheme Authentication Scheme
40.3.3.3
Prerequisites for Viewing or Modifying the OIFMTLDAPPlugin Authentication
40.3.3.4
Viewing or Modifying the OIFMTLDAPPlugin Authentication
40.3.3.5
Adding an Authentication Policy with OIFScheme
40.4
Managing Access Manager Policies for Use with Identity Federation
40.4.1
About Policy Responses with Assertion Attributes for Identity Federation
40.4.2
Defining Policy Responses with Assertion Attributes for Identity Federation
40.4.2.1
Background on Conditions and Responses for Identity Federation
40.4.2.2
Prerequisites for Viewing and Configuring Policy Responses with Assertion Attributes
40.4.2.3
Viewing or Configuring Responses with Assertion Attributes
40.5
Testing Identity Federation Configuration
40.5.1
Test SP Module
40.5.1.1
Enabling or Disabling the Test SP Module
40.5.2
Accessing the Test SP Module and Performing a Federation SSO Operation
40.5.3
Troubleshooting Errors During Federation Configuration After an Upgrade
40.6
Using the Default Identity Provisioning Plug-in
40.6.1
Why Use a Provisioning Plug-in?
40.6.2
About the Default Provisioning Plug-in
40.6.3
Using the Default Provisioning Plug-in
40.6.4
Switching to a Custom Provisioning Plug-in
40.7
Configuring the Identity Provider Discovery Service
40.7.1
Configuring the Bundled IdP Discovery Service
40.7.2
Configuring Identity Federation with a Custom IdP Discovery Service
40.7.3
Disabling the use of an IdP Discovery Service
40.8
Configuring the Federation User Self-Registration Module
40.8.1
Enabling or Disabling a User Self Registration Module
40.8.2
Configuring User Registration Properties
40.9
Integrating OAM Identity Provider With Microsoft Office 365 Service Provider
40.9.1
Configuring Microsoft Office 365 for OAM Integration
40.9.2
Configuring OAM for Microsoft Office 365 Integration
40.9.2.1
Configuring for Web and Non-Web Clients
40.9.2.2
Additional Configurations for Non-Web Clients
40.9.3
Verifying Federation Single Sign-On
40.9.3.1
Verifying SP-Initiated SSO
40.9.3.2
Verifying IDP-Initiated SSO
40.9.3.3
Verifying Federation with Non Web-based Clients
Part X Managing Oracle Access Management Security Token Service
41
Introducing the Oracle Access Management Security Token Service
41.1
About the Security Token Service
41.2
Using the Security Token Service
41.3
About Security Token Service Key Terms and Concepts
41.4
Integrating the Oracle Web Services Manager
41.5
About the Architecture of the Security Token Service
41.6
Security Token Service Supported Token Matrix
41.7
Deploying Security Token Service
41.7.1
About the Centralized Token Authority Deployment
41.7.2
About Tokens Behind a Firewall Deployment
41.7.3
About Web Services SSO Deployment
41.8
About the Installation of the Security Token Service
41.8.1
About Security Token Service Cluster in Single WLS Domain
41.8.2
About Endpoint Exposure through a Web Server Proxy
41.8.3
About Interoperability of Requester and Relying Party with Other Oracle WS-Trust based Clients
41.8.4
About Security Token Service Installation Overview
41.8.5
Post-Installation Tasks: Security Token Service
41.9
Administrating the Security Token Service
42
Security Token Service Implementation Scenarios
42.1
Typical Token Ecosystem
42.1.1
Actors and Process Overview: In a typical token ecosystem
42.2
Scenario: Identity Propagation with the Access Manager Token
42.2.1
Actors and Process Overview: Identity Propagation
42.2.2
About Component Processing: Identity Propagation with the OAM Token
42.2.2.1
Process overview: Component interactions for Identity Propagation
42.2.3
Request Security Token Attributes and Run Time Processing
42.2.3.1
RST Attributes for Identity Propagation with the OAM Token
42.2.3.2
Process overview: Identity Propagation with the OAM Token
42.2.4
Configuration Requirements: Identity Propagation with the OAM Token
42.2.4.1
Configuration Overview: Identity Propagation with the OAM Token
42.2.4.2
WebLogic Server Identity Assertion Providers
42.2.4.3
Access Manager Identity Asserter Details
42.2.4.4
LDAP Authentication Provider Details
42.2.4.5
Default Identity Store Configuration
42.2.4.6
Token Issuance Policy
42.2.4.7
Authentication Policy Response for Identity Assertion by Webgate
42.2.4.8
Endpoint Configuration
42.2.4.9
Issuance Template Configuration
42.2.4.10
Partner Configuration: Requester
42.2.4.11
Partner Profile: Relying Party
42.2.4.12
Partner Profile: Requester
42.2.4.13
Validation Template for WS-TRUST
42.2.5
Testing Your Implementation
42.2.5.1
Cookies and Headers (Truncated)
42.2.5.2
Request Security Token Sent By the Client (Truncated)
42.2.5.3
Request Security Token Response sent by the Security Token Service (Truncated)
42.3
Scenario: Web Service Security On Behalf Of Username Token
42.3.1
Component interactions for Identity Propagation with Username Token
42.3.2
RST Attributes and Processing for Identity Propagation with a Username Token
42.3.2.1
RST Attributes for Identity Propagation with a Username Token
42.3.2.2
Process overview: Identity Propagation with the OAM Token
42.3.3
Configuration Requirements: Identity Propagation with the Username Token
42.3.3.1
Configuration overview: Identity Propagation with the Username Token
42.3.3.2
Default Identity Store Configuration
42.3.3.3
Token Issuance Policy
42.3.3.4
Endpoint Configuration
42.3.3.5
Issuance Template Configuration
42.3.3.6
Partner Configuration: Requester
42.3.3.7
Partner Profile: Relying Party
42.3.3.8
Partner Profile: Requester
42.3.3.9
Validation Template for WS-TRUST
43
Configuring Security Token Service Settings
43.1
Prerequisites for the Configuration of Security Token Service Settings
43.2
Introduction to Security Token Service Configuration
43.2.1
Post-Installation Configuration
43.2.1.1
Task Overview: Security Service Token
43.2.2
About OAM Servers and Security Token Service
43.2.3
About Security Token Service Clients
43.2.4
About Agents and Security Token Service
43.2.5
About Security Token Service End Points and Policies
43.2.5.1
Task Overview: Using and Modifying WS-S Policies
43.3
Enabling and Disabling Security Token Service
43.3.1
About Security Token Service and the Oracle Access Management Console
43.3.1.1
About Security Token Service Administrators
43.3.1.2
About Logging In To, and Signing Out Of, Security Token Service
43.3.2
About Enabling Services for Security Token Service
43.3.3
Enabling and Disabling Services for Security Token Service
43.3.3.1
Prerequisites for Enabling and Disabling Services for Security Token Service
43.3.3.2
Enabling or Disabling Security Token Service
43.4
Defining Security Token Service Settings
43.4.1
About Security Token Service Settings
43.4.2
Managing Security Token Service Settings
43.4.2.1
Prerequisites for Managing Security Token Service Settings
43.4.2.2
Viewing or Editing Security Token Service Settings
43.5
Using and Managing WSS Policies for Oracle WSM Agents
43.5.1
Using and Modifying Oracle Workspace Studio Policies
43.5.2
Managing WSS Policies for Security Token Service: Classpath
43.5.2.1
Task Overview: Managing WSS Policies for Security Token Service: Classpath
43.5.3
Managing WSS Policies for Security Token Service: Oracle WSM Policy Manager
43.5.3.1
Task Overview: Managing WSS Policies for Security Token Service: OWSM Policy Manager
43.6
Configuring OWSM for WSS Protocol Communication
43.6.1
Task Overview: Configuring Communication with Oracle WSM Agents
43.6.2
About Oracle WSM Agent WS-Security Policies for Security Token Service
43.6.3
Retrieving the Oracle WSM Keystore Password
43.6.3.1
Retrieving the Oracle WSM Keystore Password
43.6.4
Extracting the Oracle STS/Oracle WSM Signing and Encryption Certificate
43.6.4.1
Prerequisites for the Oracle STS/Oracle WSM Signing and Encryption Certificate
43.6.4.2
Exporting the Signing and Encryption Certificate
43.6.5
Adding Trusted Certificates to the Oracle WSM Keystore
43.6.5.1
Prerequisites for Adding Trusted Certificates to the Oracle WSM Keystore
43.6.5.2
Adding Trusted Certificates to the Oracle WSM Keystore
43.6.6
Validating Trusted Certificates in the Oracle WSM Keystore
43.6.7
Configuring Oracle WSM Agent for WSS Kerberos Policies
43.7
Managing and Migrating Security Token Service Policies
43.7.1
About Managing and Migrating Security Token Service Policies
43.7.2
Managing Security Token Service Policies
43.7.2.1
Task Overview: Updating Policies and stspolicies.prop
43.7.3
Migrating Security Token Service Policies
43.8
Logging Security Token Service Messages
43.9
Auditing the Security Token Service
43.9.1
About Security Token Service Audit Record Storage
43.9.2
About Audit Reports and Oracle Business Intelligence Publisher
43.9.3
About the Audit Log
43.9.4
About Auditing Security Token Service Events
44
Managing Security Token Service Certificates and Keys
44.1
Prerequisites for Managing Security Token Service Certificates and Keys
44.2
Introduction to Security Token Service Certificates and Keys
44.2.1
About Keystores and Security Token Service
44.2.2
About the Oracle Web Services Manager Keystore (default-keystore.jks)
44.2.3
About Using the OPSS Keystore for Requester Certificates
44.3
Managing Security Token Service Encryption and Signing Keys
44.3.1
Task Overview: Managing Security Token Service Encryption/Signing Keys
44.3.2
Resetting System Keystore (.oamkeystore) and Trust Keystore (amtruststore) Password
44.3.2.1
Resetting System and Trust Keystore Passwords
44.3.3
Adding a New Key Entry to the System Keystore (.oamkeystore)
44.3.3.1
Adding a New Entry
44.3.3.2
Configuring a SAML Issuance Template to Use a Signing Key
44.3.3.3
Setting the Default Encryption Key
44.3.4
Extracting a Security Token Service Certificate
44.3.4.1
Using the Certificate Retrieval Service
44.4
Managing Partner Keys for WS-Trust Communications
44.4.1
About Partner Certificates
44.4.2
About Downloading the Relying Party's Certificate at Run Time
44.4.3
Setting the Partner's Signing or Encryption Certificate
44.5
Managing Certificate Validation
44.5.1
Managing the Trust Anchors Store (amtruststore)
44.5.2
Managing Certificate Revocation Lists
44.5.2.1
Prerequisites for Managing Certificate Revocation Lists
44.5.2.2
Task Overview: Manage Certificate Validation and Revocation Lists
44.5.3
Using a Custom Trust Anchor Store for Security Token Service
44.5.3.1
Task Overview: Deploying a Custom Keystore for Trusted Certificates
45
Managing Templates, Endpoints, and Policies
45.1
Introduction
45.2
Searching for an Existing Template
45.2.1
About Template Search Controls
45.2.2
Searching For a Template
45.3
Managing Token Issuance Templates
45.3.1
About Managing Token Issuance Templates
45.3.2
Managing a Token Issuance Template
45.4
Managing Token Validation Templates
45.4.1
About Managing Token Validation Templates
45.4.2
Managing Token Validation Templates
45.5
Managing Security Token Service Endpoints
45.5.1
About Managing Endpoints
45.5.2
Managing EndPoints
45.6
Managing Token Issuance Policies, Conditions, and Rules
45.6.1
About Token Issuance Policies
45.6.2
About Managing Token Issuance Conditions and Rules
45.6.3
Managing Token Issuance Policies and Conditions
45.6.3.1
Prerequisites for Managing Token Issuance Policies and Conditions
45.6.3.2
Managing Token Issuance Policies and Conditions
45.7
Managing TokenServiceRP Type Resources
45.7.1
About Managing TokenServiceRP Type Resources in Access Manager
45.7.2
Managing TokenServiceRP Type Resources in Application Domains
45.8
Making Custom Classes Available
45.8.1
About Making Classes Available
45.8.1.1
Task Overview: Adding Custom Tokens for Custom Classes
45.8.2
About Narrowing a Search for Custom Tokens
45.8.3
Managing Custom Tokens
45.8.3.1
Prerequisites for Managing Custom Tokens
45.8.3.2
Making Custom Classes Available
45.9
Managing a Custom Security Token Service Configuration
45.9.1
Creating a Validation Template
45.9.2
Creating the Issuance Template for a Custom Token
45.9.3
Adding the Custom Token to a Requester Profile
45.9.3.1
Prerequisites for Adding a Custom Token to a Requester Profile
45.9.3.2
Adding or Editing a Requester Profile for a Custom Token
45.9.4
Adding a Custom Token to a Relying Party Profile
45.9.4.1
Prerequisites for Adding a Custom Token to a Relying Party Profile
45.9.4.2
Editing a Requester Profile for a Custom Module
45.9.5
Mapping the Token to a Requestor
45.9.6
Creating a /wssuser EndPoint
45.9.6.1
Prerequisites for the Creation of a /wssuser EndPoint
45.9.6.2
Creating an Endpoint
46
Managing Token Service Partners and Partner Profiles
46.1
Prerequisites to Using Token Service Partners and Partner Profiles
46.2
Introduction to Token Service Partners and Partner Profiles
46.2.1
About Token Service Partners
46.2.2
About Security Token Service Partner Profiles
46.2.2.1
Partner Entries
46.2.2.2
Partner Profile Data
46.3
Managing Token Service Partners
46.3.1
New Requester Partner Page
46.3.2
Managing a Token Service Partner
46.3.3
Refining Partner Searches
46.4
Managing Token Service Partner Profiles
46.4.1
About Managing Partner Profiles
46.4.1.1
Requester Profile: General
46.4.1.2
Requester Profile: Token and Attributes
46.4.1.3
Relying Party Profile: Token and Attributes
46.4.1.4
Relying Party Profile Attributes
46.4.1.5
Issuing Authority Profile: Token and Attributes
46.4.1.6
Issuing Authority Profile: Token Mapping
46.4.2
Managing a Token Service Partner Profile
46.4.3
Refining a Profile Search
47
Troubleshooting Security Token Service
47.1
Authorization Issues
47.2
Endpoint Issues
47.3
Mapping Operation Issues
Part XI Managing Oracle Access Management Mobile and Social
48
Understanding Mobile and Social
48.1
Introducing Mobile and Social
48.1.1
Installation Combinations for Mobile and Social
48.1.2
Deployment Constraints for Mobile and Social
48.1.3
Enabling Mobile and Social
48.2
Understanding Mobile and Social Services
48.2.1
Mobile and Social Components
48.2.2
Introducing Authentication Services and Authorization Services
48.2.3
Understanding the Mobile and Social Services Authorization Flow
48.2.4
Understanding Single Sign-on (SSO) for Mobile and Social Services
48.2.5
Introducing the Mobile and Social Services Client SDK
48.2.6
Introducing User Profile Services
48.3
Understanding the Mobile and Social Services Processes
48.3.1
Registration Flow for a Mobile Device With User Authentication
48.3.2
Authentication Flow for a User With a Registered Device
48.3.3
Flow of REST Calls for User Authentication
48.3.4
Authentication Flow for User With a Mobile Browser-Based Web App
48.3.5
Authorization Using the Mobile OAuth Authorization Flow
48.4
Using Mobile and Social Services
48.4.1
Protecting the Mobile Client Registration Endpoint
48.4.2
Token Requirements for Mobile and Social Server
48.4.3
Protecting User Profile Services And Authorization Services
48.4.4
How Mobile and Social Services Work with Oracle Access Manager
48.4.5
How Mobile and Social Services Work with Oracle Adaptive Access Manager Services
48.5
Understanding Social Identity
48.6
Understanding Social Identity Processes
48.6.1
Basic Flow for Social Identity Authentication
48.6.2
Authentication Flow for a Returning User With a Local Account
48.6.3
Authentication Flow for a New User With No Local Account
48.6.4
OAuth Flow For Access Token Retrieval
48.6.5
Authentication Flow for a User With Access Manager and Social Identity
48.6.6
Authentication Flow for a Local User
48.7
Using Social Identity
48.7.1
How Social Identity Works with Oracle Access Manager
48.7.2
How Social Identity Works with Mobile and Social Services
48.7.3
About the Social Identity SDK
49
Configuring Mobile and Social Services
49.1
Opening the Mobile and Social Services Configuration Page
49.2
About Mobile and Social Services Configuration
49.2.1
Service Providers
49.2.2
Service Profiles
49.2.3
Security Handler Plug-ins
49.2.4
Application Profiles
49.2.5
Service Domains
49.3
Defining Service Providers
49.3.1
Defining, Modifying or Deleting an Authentication Service Provider
49.3.1.1
Pre-Configured Authentication Service Providers
49.3.1.2
JWT-OAM Token Authentication Service Provider
49.3.1.3
Creating an Authentication Service Provider
49.3.1.4
Editing or Deleting an Authentication Service Provider
49.3.1.5
Using User Credentials to Exchange a JWT Token for an OAM Token
49.3.1.6
Configuring OAM to use the JWT-OAM and PIN Token Service Provider
49.3.2
Defining, Modifying or Deleting an Authorization Service Provider
49.3.2.1
Creating an Authorization Service Provider
49.3.2.2
Editing or Deleting an Authorization Service Provider
49.3.2.3
Pre-Configured Authorization Service Provider
49.3.3
Defining, Modifying or Deleting a User Profile Service Provider
49.3.3.1
Creating a User Profile Service Provider
49.3.3.2
Editing or Deleting a User Profile Service Provider
49.3.3.3
User Profile Service Provider Configuration Properties
49.3.3.4
Pre-Configured User Profile Service Provider
49.4
Defining Service Profiles
49.4.1
Defining, Modifying, and Deleting an Authentication Service Profile
49.4.1.1
Creating an Authentication Service Profile
49.4.1.2
Editing or Deleting an Authentication Service Profile
49.4.2
Defining, Modifying and Deleting an Authorization Service Profile
49.4.2.1
Creating an Authorization Service Profile
49.4.2.2
Editing or Deleting an Authorization Service Profile
49.4.3
Defining, Modifying and Deleting a User Profile Service Profile
49.4.3.1
Creating a User Profile Service Profile
49.4.3.2
Editing or Deleting a User Profile Service Profile
49.5
Defining Security Handler Plug-ins
49.5.1
Creating a Security Handler Plug-in
49.5.2
Editing or Deleting a Security Handler Plug-in
49.5.3
Device Fingerprinting and Device Profile Attributes
49.6
Defining Application Profiles
49.6.1
Creating an Application Profile
49.6.2
Editing or Deleting an Application Profile
49.6.3
Application Profile Properties
49.7
Defining Service Domains
49.7.1
Creating a Service Domain
49.7.2
Editing or Deleting a Service Domain
49.8
Using the Jailbreak Detection Policy
49.8.1
Creating a New Jailbreak Detection Policy with the Oracle Access Management Console
49.8.2
Editing a Jailbreak Detection Policy
49.9
Configuring Mobile and Social Services with Other Oracle Products
49.9.1
Configuring Mobile and Social Services for Access Manager
49.9.1.1
Configuring Mobile and Social Services to Work With Access Manager in Simple and Certificate Mode
49.9.1.2
Configuring an Authentication Service Provider for Remote Oracle Access Manager Server 10g
49.9.1.3
Configuring an Authentication Service Provider for Remote Access Manager 11gR2 or Oracle Access Manager 11gR1 PS1
49.9.2
Configuring Mobile and Social Services for Oracle Adaptive Access Manager
49.9.2.1
OAAM Support in Mobile and Social
49.9.2.2
Configuring the WebLogic Administration Domain
49.9.2.2.1
Creating an Administrator for OAAM Administration
49.9.2.2.2
Adding Oracle Access Management Server as Target of OAAM Data Source
49.9.2.3
Configuring OAAM if Social Identity Authentication is Enabled in Mobile and Social Services
49.9.2.4
Setting up a Lost or Stolen Device Rule
49.9.2.5
Configuring Blacklisted Devices and Applications
49.9.2.5.1
Setting up a Blacklisted Device Rule
49.9.2.5.2
Setting up a Blacklisted Application Rule
49.9.2.6
About OAAM Sessions for Mobile Applications
49.9.2.7
Registering Users for OAAM Authentication
49.9.2.7.1
Setting up OAAM Knowledge-Based Authentication
49.9.2.7.2
Setting up OAAM One Time Password
50
Configuring Social Identity
50.1
Opening the Manage Social Identity Page
50.2
Understanding Social Identity Configuration
50.2.1
Social Identity Providers
50.2.2
Service Provider Interfaces
50.2.3
Application Profiles
50.3
Defining Social Identity Providers
50.3.1
Creating a Social Identity Provider
50.3.2
Editing or Deleting a Social Identity Provider
50.3.3
Generating the Consumer Key and Consumer Secret for OAuth Providers
50.3.3.1
Generating a Consumer Key and Consumer Secret for Facebook
50.3.3.2
Generating a Consumer Key and Consumer Secret for Twitter
50.3.3.3
Generating a Consumer Key and Consumer Secret for LinkedIn
50.3.3.4
Generating a Consumer Key and Consumer Secret for Foursquare
50.3.3.5
Generating a Consumer Key and Consumer Secret for Windows Live
50.3.3.6
Generating a Consumer Key and Consumer Secret for Google
50.3.4
Troubleshooting Facebook Social Identity Providers
50.3.4.1
Configuring WebLogic Server for Facebook Compatibility
50.3.4.2
Configuring WebLogic Server 10.3.5 and Older for Facebook Compatibility
50.4
Defining Service Provider Interfaces
50.4.1
Creating a Service Provider Interface
50.4.2
Editing or Deleting a Service Provider Interface
50.4.3
Adding a Custom Service Provider Interface Implementation
50.5
Defining Application Profiles
50.5.1
Creating an Application Profile
50.5.2
Editing or Deleting an Application Profile
50.6
Integrating Social Identity With Mobile Applications
50.7
Linking Social Identity Provider Accounts
50.7.1
Social Identity Provider Account Linking Flow
50.7.2
Social Identity Provider Account Linking Configuration
51
Configuring Social Identity System Settings
51.1
Accessing the Social Identity Settings Interface
51.1.1
Social Identity Settings Page
51.2
Logging and Auditing
51.3
Deploying Mobile and Social With Oracle Access Manager
51.4
Configuring a Webgate to Support Social Identity
51.5
Configuring Social Identity After Running Test-to-Production Scripts
51.6
Configuring Social Identity for High Availability (HA)
51.7
Enabling the REST Client to Specify a Tenant Name
Part XII Managing the Oracle Access Management OAuth Service
52
Understanding OAuth Services
52.1
About Oracle Access Management OAuth Services
52.2
Understanding OAuth Services Authorization for Web Clients
52.2.1
Understanding 3-Legged Authorization
52.2.2
Understanding 2-Legged Authorization
52.3
Understanding OAuth Services Authorization for Mobile Clients
52.4
Understanding the OAuth Services Components
52.4.1
Identity Domains - Identity Federation and OAuth Services
52.4.2
Service Profiles - Identity Federation and OAuth Services
52.4.3
Clients - Identity Federation and OAuth Services
52.4.4
Service Providers - Identity Federation and OAuth Services
52.4.5
Resource Servers - Identity Federation and OAuth Services
52.4.5.1
User Profile Services
52.4.5.1.1
Proxy Authentication
52.4.5.1.2
Securing User Profile Services Activity
52.4.5.1.3
Entity Relationship
52.4.5.2
Consent Management Services
52.4.6
Plug-Ins - Identity Federation and OAuth Services
52.4.7
Server Settings - Identity Federation and OAuth Services
52.4.8
Jailbreak Detection Policy - OAuth Services
52.4.9
Token Life Cycle Management - Identity Federation and OAuth Services
52.5
About OAuth Services Tokens
52.5.1
OAuth Services Access Tokens
52.5.2
OAuth Services Refresh Tokens
52.5.3
Mobile OAuth Services Client Tokens
52.6
Understanding the Authorization and Authentication Endpoints
52.7
Enforcing Access Control
52.8
Understanding Mobile OAuth Services Server-Side Single Sign-on
52.8.1
Understanding the Server-Side Single Sign-On Credential Collection Options
52.8.1.1
External Browser Approach
52.8.1.2
Embedded Browser Approach
52.8.1.3
Native App Proxy Approach
52.8.2
Understanding Server-Side SSO For Mobile OAuth Services 3-Legged Flows
52.8.3
Understanding Server-Side SSO For Mobile OAuth Services 2-Legged Flows
52.8.3.1
OAuth Mobile SSO Servlet Authentication
52.8.3.2
Using SSO Between Native Apps and an External Browser
52.9
OAuth Services Plug-ins
53
Configuring OAuth Services
53.1
Enabling OAuth Services
53.2
Configuring OAuth Services Components in an Identity Domain
53.3
Configuring OAuth Services Settings
53.3.1
Configuring Identity Domains
53.3.1.1
Creating an Identity Domain
53.3.1.2
Editing or Deleting an OAuth Identity Domain
53.3.1.3
Identity Domain Configuration Page - Summary Tab
53.3.1.4
Create Identity Domain Wizard Flow Page
53.3.2
Configuring Service Profiles
53.3.2.1
Creating a Service Profile
53.3.2.2
Editing or Deleting a Service Profile
53.3.2.3
Service Profile Configuration Page
53.3.3
Configuring Clients
53.3.3.1
Creating a Client
53.3.3.2
Editing or Deleting a Client
53.3.3.3
Web Clients Configuration Page
53.3.3.4
Public Clients Configuration Page
53.3.3.5
Mobile Clients Configuration Page
53.3.4
Configuring the Service Provider
53.3.4.1
Editing or Deleting the Service Provider
53.3.4.2
Service Provider Configuration Page
53.3.5
Configuring Custom Resource Servers
53.3.5.1
Creating a Custom Resource Server
53.3.5.2
Editing or Deleting a Resource Server
53.3.5.3
Custom Resource Servers Configuration Page
53.3.6
Configuring User Profile Services
53.3.6.1
Creating a New User Profile Service
53.3.6.2
Editing the User Profile Service
53.3.6.3
User Profile Services Configuration Page
53.3.7
Configuring Consent Management Services
53.3.7.1
Creating a New Consent Management Service
53.3.7.2
Editing an Existing Consent Management Service
53.3.7.3
Consent Management Services Configuration
53.3.8
Configuring Plug-Ins
53.3.8.1
Creating a new Plug-in
53.3.8.2
Plug-in Configuration Page
53.3.9
Server Settings
53.3.10
Jailbreak Detection Policy
53.3.11
Token Life Cycle Management
53.4
Configuring OAuth Services for Third-Party JWT Bearer Assertions
53.4.1
Default Service Profile Keystore
53.4.2
Finding Credentials with Oracle Enterprise Manager Fusion Middleware Control Console
53.4.3
Creating a Non-Default Keystore for a Service Profile
53.4.3.1
Creating a Separate Keystore to Store Third-Party Certificates
53.4.3.2
Loading or Importing the Certificates Into the Keystore
53.4.3.3
Adding the Keystore Instance to jps-config.xml
53.4.3.4
Creating a CSF Entry for the Keystore Service Instance
53.4.3.5
Adding the Provider Service Name to the Service Profile
53.4.4
Configuring a Third-Party JWT Trust Issuer
53.5
Configuring a WebGate to Protect OAuth Services
53.6
Configuring OAM Session Synchronization
53.7
Configuring Mobile OAuth for SSO Servlet Authentication
53.7.1
Configuring OAM and Your App to use the Mobile SSO Servlet
53.7.2
Configuring the MobileSSOServlet Authentication Scheme
53.8
Configuring the Mobile Security Manager Plug-in
Part XIII Managing Oracle Access Management Oracle Access Portal
54
Configuring the Access Portal Service
54.1
Prerequisites for Deploying the Access Portal Service
54.2
Overview of the Access Portal Service Deployment Process
54.3
Deploying the Access Portal Service
54.3.1
Deploying Java Cryptography Extension Policy Files
54.3.2
Identity Store Configuration File
54.3.3
Oracle Access Manager Configuration File
54.3.4
Understanding the Access Portal Service Repository Objects
54.3.5
Preparing and Enabling the Access Portal Service on an Oracle Repository
54.3.6
Preparing and Enabling the Access Portal Service on Microsoft Active Directory
54.3.7
(Active Directory Only) Deploying the OAMAgent Web Application
54.3.8
Setting the Policy Cache Refresh Interval
54.3.9
About Integrating with Oracle Privileged Account Manager
54.3.9.1
Installing Oracle Privileged Account Manager Certificates
54.3.9.2
Configuring the Oracle Privileged Account Manager Server
54.3.9.3
Creating the Required Template Mapping on the Provisioning Gateway Server
54.3.10
Deploying the Oracle Traffic Director Administration Server
54.3.11
Deploying Webgate Binaries and Secure Trust Artifacts
54.3.12
(Optional) Configuring the ESSOProvisioning Plugin
54.3.13
Creating an Oracle Traffic Director Configuration
54.3.14
Protecting the Oracle Traffic Director Instance with the Webgate Plugin
54.3.14.1
Generating Secure Trust Artifacts
54.3.14.2
Loading Required WebGate Libraries into an OTD Instance
54.3.14.3
Deploying Configuration Changes
54.3.14.4
Testing the WebGate
54.3.15
(Optional) Enabling the Detached Credential Collector for the Target Webgate
54.3.15.1
Enabling Detached Credential Collector Operations
54.3.15.2
Creating and Applying a Detached Credential Collector Authentication Scheme
54.3.15.3
Deploying Detached Credential Collector Pages on an Oracle HTTP Server
54.3.15.4
Routing Oracle Traffic Director Authentication Requests through a Detached Credential Collector
54.3.16
Configuring Logon Manager for Compatibility with the Access Portal Service
54.3.16.1
Modifying the Access Portal Service Configuration
54.3.16.2
Modifying the Logon Manager Configuration
54.4
Enabling Form-Fill Single Sign-On for an Application
54.4.1
Configuring a Form-Fill Application Policy
54.4.1.1
Creating a Form-Fill Application Policy
54.4.1.2
Adding a Proxy-Enabled URL to a Form Fill Application Policy
54.4.1.3
Configuring Mock Credential Field Values
54.4.1.4
Configuring Form Masking
54.4.1.5
Publishing a Policy to the Repository
54.4.1.6
(Optional) Importing the Policy in the Oracle Access Manager Console
54.4.1.7
Testing the Configuration of the Policy
54.4.2
Configuring the OTD EssoDirectSubmit Server Application Function
54.4.3
Configuring Proxy Rules for an Oracle Access Portal Application
54.4.3.1
Adding an Oracle Access Portal Application to Oracle Traffic Director
54.4.3.2
Path Rewriting Guidelines for HTTP Request/Response Headers
54.4.3.3
Path Rewriting Guidelines for Browser Cookies
54.4.3.4
Path Rewriting Guidelines for Page Content
54.4.4
Configuring the Webgate Request Filtering
54.4.4.1
JavaScript Injection Filter
54.4.4.2
Dynamic Proxy Support
54.4.4.3
Configuring the Mock Credentials Filter
54.4.4.4
Configuring HTTP Basic Authentication
54.4.4.5
HTTP Request Sanitizer
54.5
Adding a Federated Partner Provider Application
54.6
Adding an Oracle SSO Agent Application
54.7
Creating an Application Configuration Package
54.7.1
Contents of the Application Configuration Package
54.7.2
Required Environment-Specific Configuration Data
54.7.3
Customizing an Application Configuration Package to the Target Environment
54.7.3.1
Preprocessor Directives for the Oracle Traffic Director Configuration Data
54.7.3.2
Rewriting Directives (object.conf)
54.7.3.3
Origin Server Pools (server.xml)
54.7.3.4
Routing Conditions (routes.conf)
54.7.4
Generating the Customized Application Configuration Package
54.7.5
Deploying the Customized Application Configuration Package
54.8
Password Generation Policies
54.8.1
Searching for an Existing Password Generation Policy
54.8.2
Creating a New Password Generation Policy
54.8.3
Managing Policy Subscribers
54.9
Managing Credential Sharing Groups
54.9.1
Searching for a Credential Sharing Group
54.9.2
Creating a Credential Sharing Group
54.9.3
Managing Applications in Credential Sharing Groups
54.10
Managing Global Agent Settings
54.10.1
Searching for Sets of Global Agent Settings
54.10.2
Importing an INI File with a Global Agent Settings Configuration
54.10.3
Creating a Set of Global Agent Settings
Part XIV Using Identity Context
55
Using Identity Context
55.1
Introducing Identity Context
55.2
Understanding Identity Context
55.3
Working With the Identity Context Service
55.3.1
Identity Context Dictionary
55.3.2
Identity Context Runtime
55.4
Identity Context API
55.5
Configuring the Identity Context Service Components
55.5.1
Configuring Oracle Fusion Middleware
55.5.2
Configuring Access Manager
55.5.2.1
Identity Assertion
55.5.2.2
Federation Attributes
55.5.2.3
Session Attributes
55.5.2.4
Identity Store Attributes
55.5.3
Configuring Oracle Adaptive Access Manager
55.5.3.1
Setting Up Oracle Adaptive Access Manager
55.5.3.2
Configuring Access Manager for OAAM Integration
55.5.3.3
Validating Identity Context Data Published by OAAM
55.5.4
Configuring Web Service Security Manager
55.5.5
Configuring Oracle Entitlements Server
55.5.6
Configuring Oracle Enterprise Single Sign On
55.5.7
Configuring Oracle Access Management Mobile and Social
55.6
Validating Identity Context
Part XV Integrating Access Manager with Other Products
56
Integrating RSA SecurID Authentication with Access Manager
56.1
Introduction to Access Manager and RSA SecurID Authentication
56.2
RSA Features Supported by Access Manager
56.3
Components Required for SecurID Authentication
56.3.1
Supported Versions and Platforms
56.3.2
Required RSA Components
56.3.2.1
RSA Authentication Manager
56.3.2.2
RSA SecurID Tokens
56.3.3
Installation and Configuration Requirements
56.4
SecurID Authentication Modes
56.4.1
Standard SecurID Authentication
56.4.2
SecurID Next Tokencode Authentication
56.4.3
SecurID New PIN Authentication
56.5
Configuring Access Manager for RSA SecurID Authentication
56.6
Running a Custom RSA Plug-in
57
Configuring Access Manager for Windows Native Authentication
57.1
Introducing Access Manager with Windows Native Authentication
57.1.1
Understanding Access Manager WNA Login and Fall Back Authentication
57.1.1.1
Successful Access Manager WNA Authentication
57.1.1.2
Access Manager WNA Fallback Authentication
57.1.2
Supported Kerberos Authentication Modules
57.2
About Preparing Your Active Directory and Kerberos Topology
57.2.1
Preparing Active Directory and Kerberos
57.2.1.1
Configuring WNA for Multi-Forest Environment with No Cross-Forest Trust
57.3
Confirming Access Manager Operations
57.4
Enabling the Browser to Return Kerberos Tokens
57.4.1
Enabling Kerberos Tokens in Internet Explorer
57.4.2
Enabling Kerberos Tokens in Mozilla Firefox
57.5
Integrating KerberosPlugin with Oracle Virtual Directory
57.5.1
Preparing Oracle Virtual Directory for Integration
57.5.2
Registering Oracle Virtual Directory as the Default Store for WNA
57.5.3
Setting Up Authentication with Access Manager KerberosPlugin and OVD
57.6
Integrating the KerberosPlugin with Search Failover
57.6.1
Registering Microsoft Active Directory Instances with Access Manager
57.6.2
Setting Up the KerberosPlugin for ADGCs
57.7
Configuring Access Manager for Windows Native Authentication
57.7.1
Creating the Authentication Scheme for Windows Native Authentication
57.7.2
Configuring Policies for Windows Native Authentication
57.7.3
Configuring WNA for NTLM Fallback
57.7.4
Configuring WNA Fallback to FORM-based Authentication Scheme
57.7.5
Verifying the Access Manager Configuration File
57.8
Validating WNA with Access Manager Protected Resources
57.9
Configuring WNA For Use With DCC
57.9.1
Initializing the Kerberos Protocol
57.9.2
Configuring Access Manager
57.10
Troubleshooting WNA Configuration
57.10.1
Kinit Fails
57.10.2
"An Incorrect Username or Password was Specified" Is Displayed
57.10.3
User Identity Store is Not Registered Correctly
57.10.4
Two BASIC Authentication Prompts Are Displayed
58
Integrating JBoss with Access Manager
58.1
Overview of JBoss Integration with Access Manager
58.1.1
Configuration and Processing by the JBoss Agent
58.1.2
Configuration and Processing by the Login Module
58.1.3
Login Module Process in usernamePassword Mode
58.1.4
Login Module Process in tokenBased Mode
58.2
Understanding the Integration Topology
58.2.1
Topology: Access Manager with JBoss Agent
58.2.2
Topology: JBoss Agent Behind Web Server Configured with WebGate
58.2.3
Sample Integration Topology
58.3
Preparing Your Environment for JBoss 6.x Integration
58.4
Preparing Your Environment for JBoss 5.x Integration
58.5
Protecting JBoss-Specific Resources
58.5.1
Registering the JBoss Agent with Automatic Policy Creation
58.5.2
Creating a Custom Policy for JBoss Resource Protection
58.6
Protecting Web Applications with the JBoss Agent
58.6.1
Creating Configuration Properties for the JBoss Agent
58.6.2
Configuring the Authentication Valve
58.6.2.1
Adding the Authentication Valve to context.xml
58.6.2.2
Adding the Authentication Valve to the Application's Deployment
58.6.3
Mapping the Filter in the Application's web.xml File
58.6.4
Configuring the JBoss Login Module to Use Access Manager Policies
58.7
Configuring JBoss Server to Access a Host Name (not localhost)
58.8
Configuring the Login Module to Secure EJBs
58.8.1
Configuring the Server to Secure EJBs
58.8.2
Configuring the Client Side for Login Module to Secure EJBs
58.9
Configuring the Login Module to Secure Web Service Access
58.9.1
Configuring the Server to Secure Web Services Access
58.9.2
Configuring the Client to Secure Web Services Access
58.10
Configuring Logging for the JBoss Agent and Login Module
58.11
Validating Your Configuration
59
Integrating Microsoft SharePoint Server with Access Manager
59.1
What is Supported in This Release?
59.2
Introduction to Integrating With the SharePoint Server
59.2.1
About Windows Impersonation
59.2.2
Form Based Authentication With This Integration
59.2.3
Authentication With Windows Impersonation and SharePoint Server Integration
59.2.4
Access Manager Support for Windows Native Authentication
59.3
Integration Requirements
59.3.1
Requirements Confirmation
59.3.2
Required Access Manager Components
59.3.3
Required Microsoft Components
59.4
Preparing for Integration With SharePoint Server
59.5
Integrating With Microsoft SharePoint Server
59.5.1
Creating a New Web Application in Microsoft SharePoint Server
59.5.2
Creating a New Site Collection for Microsoft SharePoint Server
59.6
Setting Up Microsoft Windows Impersonation
59.6.1
Creating Trusted User Accounts
59.6.2
Assigning Rights to the Trusted User
59.6.3
Binding the Trusted User to Your WebGate
59.6.4
Adding an Impersonation Response to an Authorization Policy
59.6.5
Adding an Impersonation DLL to IIS
59.6.5.1
Configuring and Registering ImpersonationModule to IIS
59.6.5.2
Configuring Site Level Native Modules for Web Sites
59.6.6
Testing Impersonation
59.6.6.1
Creating an IIS Virtual Site Not Protected by SharePoint Server
59.6.6.2
Testing Impersonation Using the Event Viewer
59.6.6.3
Testing Impersonation using a Web Page
59.6.6.4
Negative Testing for Impersonation
59.7
Completing the SharePoint Server Integration
59.7.1
Configuring IIS Security
59.8
Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider
59.8.1
About Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider
59.8.2
Installing Access Manager for Microsoft SharePoint Server Configured With LDAP Membership Provider
59.8.3
Configuring an Authentication Scheme for Use With LDAP Membership Provider
59.8.4
Updating the Application Domain Protecting the SharePoint Web Site
59.8.5
Creating an Authorization Response for Header Variable SP_SSO_UID
59.8.6
Creating an Authorization Response for the OAMAuthCookie
59.8.7
Configuring and Deploying OAMCustomMembershipProvider
59.8.8
Enabling Logging for CustomMemberShipProvider
59.8.9
Ensuring Directory Servers are Synchronized
59.8.10
Testing the Integration
59.9
Configuring Single Sign-On for Office Documents
59.10
Configuring Single Sign-off for Microsoft SharePoint Server
59.10.1
Configuring a Custom Logout URL in SharePoint Server
59.10.2
Configuring Logout in SharePoint Server With Impersonation
59.11
Setting Up Access Manager and Windows Native Authentication
59.11.1
Setting Up Access Manager WNA
59.11.2
Setting Up WNA With SharePoint Server
59.11.3
Installing Access Manager for WNA and SharePoint Server
59.11.4
Testing Your WNA Implementation
59.12
Synchronizing User Profiles Between Directories
59.13
Testing Your Integration
59.13.1
Testing the SharePoint Server Integration
59.13.2
Testing Single Sign-On for the SharePoint Server Integration
59.14
Troubleshooting
59.14.1
Internet Explorer File Downloads Over SSL Might Not Work
60
Integrating Access Manager with Outlook Web Application
60.1
What is New in This Release?
60.2
Introduction to Integration with Outlook Web Application
60.2.1
About Impersonation Provided by Microsoft Windows
60.2.2
Access Manager 11g Support for Windows Impersonation
60.2.3
Single Sign-On for Authenticated Access Manager Users into Exchange
60.2.4
Confirming Requirements
60.3
Enabling Impersonation With a Header Variable
60.3.1
Requirements for Impersonation with a Header Variable
60.3.2
Creating an Impersonator as a Trusted User
60.3.3
Assigning Rights to the Trusted User
60.3.4
Binding the Trusted User to Your WebGate
60.3.5
Adding an Impersonation Response to An Application Domain
60.3.6
Adding an Impersonation DLL to IIS
60.3.7
Testing Impersonation
60.3.7.1
Creating an IIS Virtual Site
60.3.7.2
Testing Impersonation Using the Event Viewer
60.3.7.3
Testing Impersonation using a Web Page
60.4
Setting Up Impersonation for Outlook Web Application (OWA)
60.4.1
Prerequisites to Setting Impersonation for Outlook Web Application
60.4.2
Creating a Trusted User Account for Outlook Web Application
60.4.3
Assigning Rights to the Outlook Web Application Trusted User
60.4.4
Binding the Trusted Outlook Web Application User to Your WebGate
60.4.5
Adding an Impersonation Action to an Application Domain for Outlook Web Application
60.4.6
Adding an Impersonation dll to IIS
60.4.7
Configuring IIS Security
60.4.8
Testing Impersonation for Outlook Web Application
60.4.8.1
Testing Impersonation Using the Event Viewer
60.4.8.2
Testing Impersonation using a Web Page
60.4.8.3
Conducting Negative Testing for Impersonation
60.5
Setting Up Access Manager WNA for Outlook Web Application
61
Integrating Microsoft Forefront Threat Management Gateway 2010 with Access Manager
61.1
What is New in This Release?
61.2
Introduction to Integration with TMG Server 2010
61.2.1
About This Integration
61.2.2
About Confirming Certification Requirements
61.3
Creating a Forefront TMG Policy and Rules
61.3.1
Creating a Custom Policy for Forefront TMG
61.3.2
Creating a Forefront TMG Firewall Policy Rule
61.3.3
Verifying Forefront TMG Proxy Configuration
61.4
Installing and Configuring 10g Webgate for Forefront TMG Server
61.4.1
Installing 10g Webgate with TMG Server
61.4.2
Changing /access Directory Permissions
61.5
Configuring the TMG 2010 Server for the ISAPI 10g Webgate
61.5.1
Registering Access Manager Plug-ins as TMG Server Web Filters
61.5.2
Ordering the ISAPI Filters
61.5.3
Verifying Form-based Authentication
61.6
Starting, Stopping, and Restarting the TMG Server
61.7
Removing Access Manager Filters Before WebGate Uninstall on TMG Server
61.8
Troubleshooting
62
Integrating Access Manager with SAP NetWeaver Enterprise Portal
62.1
What is Supported in This Release?
62.2
Supported Versions and Platforms
62.3
Integration Architecture
62.3.1
Process Overview: Integration with SAP NetWeaver Enterprise Portal
62.4
Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x
62.4.1
Before You Begin Configuring OAM and NetWeaver Enterprise Portal 7.0.x
62.4.2
Configuring the Apache HTTP Server as a Proxy
62.4.3
Configuring SAP NetWeaver Enterprise Portal for External Authentication
62.4.4
Adjusting the Login Module Stacks for using Header Variables
62.4.5
Configuring Access Manager for SAP Enterprise Portal
62.5
Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.4.x
62.5.1
Before You Begin Configuring OAM and NetWeaver Enterprise Portal 7.4.x
62.5.2
Configuring Access Manager for SAP NetWeaver Enterprise Portal 7.4.x
62.5.3
Configuring Apache Web Server 2.0.x or 2.2.x
62.5.4
Configuring SAP Enterprise Portal 7.4 for External Authentication
62.5.5
Adjusting the Login Module Stacks for Using Header Variables
62.6
Testing the Integration
62.7
Troubleshooting the Integration
63
Integrating Oracle Access Manager with SAP NetWeaver Enterprise Portal Using OpenSSO Policy Agent 2.2
63.1
What is Supported in This Release?
63.2
Registering the OpenSSO Agent
63.3
Installing the OpenSSO Policy Agent 2.2 on SAP Enterprise Portal
63.3.1
Post-Installation Steps
63.4
Deploying the Agent Software Delivery Archive
63.5
Making a Class Loader Reference to the Login Module
63.6
Modifying the SAP Enterprise Portal 7.0 / Web Application Server 7.0 Class Path
63.7
Deploying and Starting the Agentapp.war File
63.8
Using Telnet to Create a Reference Between agentapp and Library AmSAPAgent2.2
63.9
Adding the Login Module to the Stack
63.10
Modifying the Login Module Stack
63.11
Updating the ume.logoff.redirect.uri
63.12
Configuring the AMAgent.properties File
63.13
Testing the Integration
Appendixes
A
Integrating Oracle ADF Applications with Access Manager SSO
A.1
Introducing Oracle Platform Security Services and Oracle Application Developer Framework
A.1.1
Oracle Platform Security Services Single Sign-on Framework
A.1.2
Oracle Application Developer Framework
A.2
Integrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO Framework
A.2.1
Sample SSO Configuration for Access Manager
A.2.2
SSO Provider Configuration Details
A.3
Configuring Centralized Logout for Oracle ADF-Coded Applications
A.3.1
Centralized Logout Processing for Applications Coded to Oracle ADF Standards
A.3.2
Configuring Centralized Logout for ADF-Coded Applications with Access Manager
A.4
Confirming Application-Driven Authentication During Runtime
B
Internationalization and Multibyte Data Support for 10g WebGates
B.1
Internationalization and Multibyte Data Support on Oracle Access Manager
B.1.1
Languages For Localized Messages
B.1.2
Bi-directional Language Support
B.1.3
UTF-8 Encoding
C
Securing Communication
C.1
Prerequisites to Setting up a Secure Communication between OAM Servers and Webgates
C.2
Securing Communication Between OAM Servers and WebGates
C.2.1
About Certificates, Authorities, and Encryption Keys
C.2.2
About Security Modes and X509Scheme Authentication
C.2.3
The Importcert Tool
C.3
Generating Client Keystores for OAM Tester in Cert Mode
C.4
Configuring Cert Mode Communication for Access Manager
C.4.1
About Cert Mode Encryption and Files
C.4.2
Generating a Certificate Request and Private Key for OAM Server
C.4.3
Retrieving the OAM Keystore Alias and Password
C.4.4
Importing the Trusted, Signed Certificate Chain Into the Keystore
C.4.5
Adding Certificate Details to Access Manager Settings
C.4.6
Generating a Private Key and Certificate Request for WebGates
C.4.7
Updating WebGate to Use Certificates
C.5
Configuring Simple Mode Communication with Access Manager
C.5.1
About Simple Mode, Encryption, and Keys
C.5.2
Retrieving the Global Passphrase for Simple Mode
C.5.3
Updating WebGate Registration for Simple Mode
C.5.4
Verifying SIMPLE Mode Configuration
D
Reviewing Bundled, Generated, and Migrated Artifacts
D.1
Bundled 10g IAMSuiteAgent Artifacts
D.1.1
Pre-Registered 10g IAMSuiteAgent
D.1.2
IAMSuiteAgent Security Provider Settings, WebLogic Administration Console
D.1.3
IAMSuiteAgent Registration
D.1.4
Resources Protected by IAMSuiteAgent
D.1.5
Pre-seeded IAM Suite Application Domain and Policies
D.2
Generated Artifacts: OpenSSO
D.2.1
Generated OpenSSOAgentAuthPlugin
D.2.2
Generated Host Identifier: OpenSSOAgent1
D.2.3
Generated Application Domain: OpenSSOAgent1
D.2.4
Generated Resources: OpenSSOAgent1
D.2.5
Generated Authentication Policy: OpenSSOAgent Application Domain
D.2.6
Generated Authorization Policy: OpenSSOAgent Application Domain
D.3
Migrated Artifacts: OpenSSO
D.3.1
Migrated User Identity Store: OpenSSOAgent1
D.3.2
Migrated Agents: OpenSSOAgent1
D.3.3
Migrated Authentication Module: OpenSSOAgent1
D.3.4
Migrated Host Identifier: OpenSSOAgent1
D.3.5
Migrated Application Domain: OpenSSOAgent1
D.3.6
Migrated Resources: OpenSSOAgent1
D.3.7
Migrated Authentication Policy: OpenSSOAgent1
D.3.8
Migrated Authorization Policy: OpenSSOAgent1
E
Troubleshooting
E.1
Introduction to Oracle Access Management Troubleshooting
E.1.1
System Analysis and Problem Scenarios
E.1.2
LDAP Server or Identity Store Issues
E.1.3
OAM Server or Host Issues
E.1.4
Agent-Side Configuration and Load Issues
E.1.5
Runtime Database (Audit or Session Data) Issues
E.1.6
Change Propagation or Activation Issues
E.1.7
Policy Store Database Issues
E.2
My Oracle Support for Additional Troubleshooting Information
E.3
Administrator Lockout
E.4
Error During Federation Configuration After Upgrade from PS1 to PS2
E.5
Oracle Access Management Console Inconsistent State
E.6
AdminServer Won't Start if the Wrong Java Path Given with WebLogic Server Installation
E.7
Agent Naming Not Unique
E.8
Application URL Requirements
E.9
Authentication Issues
E.9.1
Anonymous Authentication Issues
E.9.2
X.509Scheme and SSL Handshake Issues
E.9.2.1
Configuration Issues
E.9.2.2
Trust Issues
E.9.2.3
Certificate Validation Issues
E.9.3
X.509 Protected Resource and Single Sign Off
E.9.4
X509CredentialExtractor Certificate Validation Error
E.10
Authorization Issues
E.10.1
Authorization Condition Error
E.10.2
LDAP Search Filter Test Results
E.10.3
Authorization Header Response Names
E.11
Cannot Access Authentication LDAP or Database
E.12
Cannot Find Configuration
E.12.1
Configuration Does Not Exist ...
E.13
Co-existence Between OSSO and Access Manager
E.14
Could Not Find Partial Trigger
E.15
Denial of Service Attacks
E.15.1
Protecting the OAM Server from Crashing Under Load
E.15.2
Compensating for Network Latency
E.15.3
Protecting OAM Servers from a Flood of HTTP Requests
E.16
Deployments with Freshly Installed 10g Webgates
E.16.1
Authentication Issues with 10g Webgates
E.16.2
Logout Issues with 10g Webgates
E.17
Diagnosing Initialization and Performance Issues
E.17.1
Diagnosing an Initialization Issue
E.17.2
Diagnosing a Performance Issue
E.17.3
Diagnosing Out-of-Memory Issues With a Heap Dump
E.18
Disabling Windows Challenge/Response Authentication on IIS Web Servers
E.19
Changing UserIdentityStore1 Type Can Lock Out Administrators
E.20
IIS Web Server Issues
E.20.1
Form Authentication or Pass-Through Not Working
E.20.2
IIS and General Web Component Guidelines
E.20.3
Issues with IIS v6 Web Servers
E.20.4
Page Cannot Be Displayed Error
E.20.5
Removing and Reinstalling IIS DLLs
E.21
Import and File Upload Limits
E.22
jps Logger Class Instantiation Warning is Logged on Authentication
E.23
Internationalization, Languages, and Translation
E.23.1
Automatically Generated Descriptions Are Not Translated
E.23.2
Console Looks Messy
E.23.3
Authentication Fails: Users with Non-ASCII Characters
E.23.4
Access Tester Does Not Work with Non-ASCII Agent Names
E.23.5
Locales, Languages, and Oracle Access Management Console Login Page
E.24
Login Failure for a Protected Page
E.25
OAM Metric Persistence Timer IllegalStateException: SafeCluster
E.26
Partial Cluster Failure and Intermittent Login and Logout Failures
E.27
RSA SecurID Issues and Logs
E.28
Registration Issues
E.28.1
Problem: Remote Registration Tool Failure
E.28.2
Problem: No ObAccessClient.xml File Generated
E.28.3
Problem: Partner Registration Failure
E.29
Rowkey does not have any primary key attributes Error
E.30
SELinux Issues
E.31
Session Issues
E.31.1
Session Impersonation Not Enabled by Default
E.31.2
Sessions with Oracle Access Manager 11.1.1 Integrated with Oracle Identity Federation 11.1.1
E.32
SSL versus Open Communication
E.33
Start Up Issues
E.33.1
AdminServer Startup (or Remote Registration Tool Failure) on AIX Platforms
E.33.2
Connection to OAM Server could not be established: Exception in connecting to server. Connection refused.
E.34
Synchronizing OAM Server Clocks
E.35
Trivial server error popup in Policy Manager
E.36
Using Coherence
E.37
Validation Errors
E.37.1
Resource not added to Authentication or Authorization Policy
E.37.2
Validation Failure - "description" attribute is not valid
E.38
Web Server Issues
E.38.1
Server Fails on an Apache Web Server
E.38.2
Apache v2 on HP-UX
E.38.3
Apache v2 Bundled with Red Hat Enterprise Linux 4
E.38.4
Apache v2 Bundled with Security-Enhanced Linux
E.38.5
Apache v2 on UNIX with the mpm_worker_module for Webgate
E.38.6
Domino Web Server Issues
E.38.7
Errors, Loss of Access, and Unpredictable Behavior
E.38.8
Known Issues for ISA Web Server
E.38.9
Oracle HTTP Server Fails to Start with LinuxThreads
E.38.10
Oracle HTTP Server Webgate Fails to Initialize On Linux Red Hat 4
E.38.11
Oracle HTTP Server Web Server Configuration File Issue
E.38.12
Issues with IIS v6 Web Servers
E.38.13
PCLOSE Error When Starting Sun Web Server
E.38.14
Removing and Reinstalling IIS DLLs
E.39
Windows Native Authentication