18 Configuring Oracle Access Management

To extend the enterprise deployment domain with Oracle Access Management, you must install Oracle Identity and Access Management, extend the domain for Oracle Access Management, and complete the post-configuration and verification tasks. This chapter describes those tasks.

Variables Used in This Chapter

This topic lists the variables used in this chapter.

Variables

  • PRIMARY_OAM_SERVERS

  • WEBGATE_TYPE

  • ACCESS_GATE_ID

  • OAM11G_OIM_WEBGATE_PASSWD

  • COOKIE_DOMAIN

  • COOKIE_EXPIRY_INTERVAL

  • OAM11G_WG_DENY_ON_NOT_PROTECTED

  • OAM11G_IDM_DOMAIN_OHS_HOST

  • OAM11G_IDM_DOMAIN_OHS_PORT

  • OAM11G_IDM_DOMAIN_OHS_PROTOCOL

  • OAM11G_SERVER_LBR_HOST

  • OAM11G_SERVER_LBR_PORT

  • OAM11G_SERVER_LBR_PROTOCOL

  • OAM11G_OAM_SERVER_TRANSPORT_MODE

  • OAM_TRANSFER_MODE

  • OAM11G_SSO_ONLY_FLAG

  • OAM11G_IMPERSONATION_FLAG

  • OAM11G_IDM_DOMAIN_LOGOUT_URLS

  • OAM11G_OIM_INTEGRATION_REQ

  • OAM11G_OIM_OHS_URL

  • IDSTORE_PWD_OAMSOFTWAREUSER

  • IDSTORE_PWD_OAMADMINUSER

  • OAM11G_WLS_ADMIN_PASSWD

  • IAD_MSERVER_HOME

  • IAD_ASERVER_HOME

  • WLS_AMA

  • WebGate_IDM

  • COMMON_IDM_PASSWORD

  • WLS_OAM1

  • WLS_AMA1

  • WLS_OAM2

  • WLS_AMA2

  • JAVA_HOME

  • OAM_PROXY_PORT

  • IAD_HTTP_PORT

  • IAD_ORACLE_HOME

Configuring and Integrating with LDAP

This section describes how to configure and integrate Oracle Access Manager with LDAP.

This section contains the following topics:

Setting a Global Passphrase

By default, Access Manager is configured to use the Open security model. If you plan to change this mode using idmConfigTool, you must set a global passphrase. The global passphrase and the WebGate access password need not be the same, but Oracle recommends using the same value for both.

To set a global passphrase:

  1. Log in to the OAM console using the URL, as the WebLogic Administration user (for example, weblogic):
    http://iadadmin.example.com/oamconsole
  2. Click the Configuration tab.
  3. Select View, and then Access Manager from the Settings launch pad.
  4. Update the Global Passphrase with a value of your choice and make a note of it.
  5. Enter the value you set as the Global Passphrase.
  6. Click Apply.

Configuring Access Manager to use the LDAP Directory

Now that the initial installation is done and the security model is set, you must associate Access Manager with your LDAP directory. In this release, Oracle Unified Directory (OUD) is the supported directory.

To associate Access Manager and your LDAP directory, perform the following tasks:

Creating a Configuration File

Configuring Oracle Access Management to use LDAP requires running the idmConfigTool utility. Therefore, you must create a configuration file called oam.props to use during the configuration. The contents of this file will be the same as the Configuration file created in Creating a Configuration File with the following additions:

# OAM Properties
OAM11G_IDSTORE_NAME: OAMIDSTORE
PRIMARY_OAM_SERVERS: OAMHOST1.example.com:5575,OAMHOST2.example.com:5575
WEBGATE_TYPE: ohsWebgate12c
ACCESS_GATE_ID: Webgate_IDM
OAM11G_OIM_WEBGATE_PASSWD: Password
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM11G_IDM_DOMAIN_OHS_HOST: login.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_SERVER_LBR_HOST: login.example.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSFER_MODE: simple
OAM_TRANSFER_MODE: simple
OAM11G_SSO_ONLY_FLAG: false
OAM11G_IMPERSONATION_FLAG: false
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_OIM_INTEGRATION_REQ: false 
OAM11G_OIM_OHS_URL: https://prov.example.com:443/
# WebLogic Properties
WLSHOST: IADADMINVHN.example.com
WLSPORT: 7001
WLSADMIN: weblogic
IDSTORE_WLSADMINUSER: weblogic_iam
IDSTORE_WLSADMINGROUP: WLSAdministrators

OAM Property Descriptions:

  • OAM11G_IDSTORE_NAME is the name you wish to assign to the ID store in OAM. This is an optional parameter.

  • PRIMARY_OAM_SERVERS is a comma-separated list of all the OAM Managed Servers in the deployment, in the format host_running_the_OAM_Managed_Server:OAM_proxy_port. Note that the proxy port is not the OAM Managed Server listen port. The OAM proxy port is listed in the worksheet as OAM_PROXY_PORT.

  • WEBGATE_TYPE is the type of WebGate profile to create. This should always be ohsWebgate12c.

  • ACCESS_GATE_ID is the name of the WebGate agent to create.

  • OAM11G_OIM_WEBGATE_PASSWD is the password you wish to assign to the WebGate agent you will be creating.

  • COOKIE_DOMAIN is the domain with which the OAM cookie is associated. This is normally the same as IDSTORE_SEARCH_BASE, in domain format. The search base is listed in the worksheet as REALM_DN.

  • COOKIE_EXPIRY_INTERVAL is the amount of time before a cookie expires.

  • OAM11G_WG_DENY_ON_NOT_PROTECTED should always be set to true. It ensures that any attempt to access a resource not explicitly listed in the OAM resource list is rejected.

  • OAM11G_IDM_DOMAIN_OHS_HOST is the name of the Oracle HTTP Server (OHS) that fronts the IAMAccessDomain. In an enterprise deployment, this is the load balancer name.

  • OAM11G_IDM_DOMAIN_OHS_PORT is the port on which the OHS server fronting the IAMAccessDomain listens. In an enterprise deployment, this is the load balancer port. This is the IAD_HTTPS_PORT in the worksheet.

  • OAM11G_IDM_DOMAIN_OHS_PROTOCOL is the protocol used when accessing the OHS server fronting the IAMAccessDomain. In an enterprise deployment, this is the load balancer protocol. In the Enterprise Deployment Blueprint, SSL is terminated at the load balancer, but the URL always has the HTTPS prefix, so this value should be set to https.

  • OAM11G_SERVER_LBR_HOST is the name of the virtual host configured on the load balancer for logging in. This is usually the same as OAM11G_IDM_DOMAIN_OHS_HOST.

  • OAM11G_SERVER_LBR_PORT is the port of the virtual host configured on the load balancer for logging in. This is usually the same as OAM11G_IDM_DOMAIN_OHS_PORT.

  • OAM11G_SERVER_LBR_PROTOCOL is the protocol of the virtual host configured on the load balancer for logging in. This is usually the same as OAM11G_IDM_DOMAIN_OHS_PROTOCOL.

  • OAM11G_OAM_SERVER_TRANSPORT_MODE is the type of OAM security transport to be used. This should be Simple for all platforms, except for AIX where it should be Open. You can specify cert if extra security is required. If you wish to use cert, refer to the Oracle Access Manager documentation for how to configure it.

  • OAM_TRANSFER_MODE is the type of OAM security transport to be used. This should be the same as OAM11G_OAM_SERVER_TRANSPORT_MODE.

  • OAM11G_SSO_ONLY_FLAG determines whether Access Manager is configured in authentication-only mode. For enterprise deployments, this should be set to false.

  • OAM11G_IMPERSONATION_FLAG determines whether OAM is configured for impersonation. Impersonation is typically used in help desk type applications, where a support user "impersonates" an actual user for the purpose of providing support.

  • OAM11G_IDM_DOMAIN_LOGOUT_URLS is a list of URLs that various products can invoke for the purpose of logging out.

  • OAM11G_OIM_INTEGRATION_REQ should be set to true if you intend Oracle Identity Governance to handle forgotten-password functionality. If you are using the new OAM forgotten-password functionality, set this value to false.

  • OAM11G_OIM_OHS_URL is required if you plan to use OIM for forgotten-password functionality: it is the external entry point for OIG, the OIG URL to which OAM directs the requests. This URL is made up of the following values from the worksheet:

    https://prov.example.com:IAG_HTTPS_PORT/

  • WLSHOST is the Admin Server listen address. For OAM configuration, this is IADADMINVHN.example.com.

  • WLSPORT is the Admin Server listen port. This is the IAD_WLS_PORT in the worksheet.

  • WLSADMIN is the user used to connect to the Admin Server.
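
The rules in the property descriptions above can be checked before idmConfigTool is run. The following script is an added example for this chapter (it is not Oracle code); it parses an oam.props file and reports settings that contradict those rules, using the key names from the oam.props fragment above. The sample file embedded in it is constructed and deliberately contains four deviations.

```python
"""Lint an idmConfigTool oam.props file against the rules stated in the
property descriptions above. Added example for this chapter; not Oracle code."""
import re
import sys

# Constructed sample based on the oam.props fragment above, with four deliberate
# deviations: deny-on-not-protected off, mismatched transfer modes, OIM
# integration requested without a URL, and the placeholder WebGate password.
SAMPLE_OAM_PROPS = """\
# OAM Properties
OAM11G_IDSTORE_NAME: OAMIDSTORE
PRIMARY_OAM_SERVERS: OAMHOST1.example.com:5575,OAMHOST2.example.com:5575
WEBGATE_TYPE: ohsWebgate12c
ACCESS_GATE_ID: Webgate_IDM
OAM11G_OIM_WEBGATE_PASSWD: Password
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_WG_DENY_ON_NOT_PROTECTED: false
OAM11G_IDM_DOMAIN_OHS_HOST: login.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_SERVER_LBR_HOST: login.example.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSFER_MODE: simple
OAM_TRANSFER_MODE: open
OAM11G_SSO_ONLY_FLAG: false
OAM11G_IMPERSONATION_FLAG: false
OAM11G_OIM_INTEGRATION_REQ: true
"""

HOST_PORT = re.compile(r"[A-Za-z0-9.-]+:\d{1,5}")


def parse_props(text):
    """Parse 'KEY: VALUE' lines; blank lines and '#' comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_oam_props(props):
    """Return a list of findings; an empty list means every rule passed."""
    findings = []

    def get(key):
        return props.get(key, "")

    if get("WEBGATE_TYPE") != "ohsWebgate12c":
        findings.append("WEBGATE_TYPE must be ohsWebgate12c")

    # Each entry is host:proxy_port (not the listen port); HA needs every OAM server.
    servers = [s.strip() for s in get("PRIMARY_OAM_SERVERS").split(",") if s.strip()]
    for entry in servers:
        if not HOST_PORT.fullmatch(entry):
            findings.append(f"PRIMARY_OAM_SERVERS entry is not host:port: {entry!r}")
    if len(servers) < 2:
        findings.append("PRIMARY_OAM_SERVERS lists fewer than two OAM servers (no HA)")

    # Default deny: resources not in the OAM resource list must be rejected.
    if get("OAM11G_WG_DENY_ON_NOT_PROTECTED").lower() != "true":
        findings.append("OAM11G_WG_DENY_ON_NOT_PROTECTED must be true")

    server_mode = get("OAM11G_OAM_SERVER_TRANSFER_MODE").lower()
    if server_mode not in ("open", "simple", "cert"):
        findings.append(f"unknown OAM11G_OAM_SERVER_TRANSFER_MODE {server_mode!r}")
    if server_mode != get("OAM_TRANSFER_MODE").lower():
        findings.append("OAM_TRANSFER_MODE must equal OAM11G_OAM_SERVER_TRANSFER_MODE")

    # SSL terminates at the load balancer, but the public URL is always https.
    if get("OAM11G_IDM_DOMAIN_OHS_PROTOCOL").lower() != "https":
        findings.append("OAM11G_IDM_DOMAIN_OHS_PROTOCOL should be https")
    for suffix in ("HOST", "PORT", "PROTOCOL"):
        if get(f"OAM11G_SERVER_LBR_{suffix}") != get(f"OAM11G_IDM_DOMAIN_OHS_{suffix}"):
            findings.append(f"OAM11G_SERVER_LBR_{suffix} differs from OAM11G_IDM_DOMAIN_OHS_{suffix}")

    if get("OAM11G_SSO_ONLY_FLAG").lower() != "false":
        findings.append("OAM11G_SSO_ONLY_FLAG should be false for an enterprise deployment")

    if get("OAM11G_OIM_INTEGRATION_REQ").lower() == "true":
        if not get("OAM11G_OIM_OHS_URL").startswith("https://"):
            findings.append("OAM11G_OIM_INTEGRATION_REQ is true but OAM11G_OIM_OHS_URL is missing or not https")

    if get("OAM11G_OIM_WEBGATE_PASSWD") in ("", "Password"):
        findings.append("OAM11G_OIM_WEBGATE_PASSWD is empty or still the placeholder value")

    return findings


if __name__ == "__main__":
    # Usage: python oam_props_lint.py [oam.props]; without an argument, lints the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OAM_PROPS
    for finding in check_oam_props(parse_props(source)) or ["OK: no findings"]:
        print(finding)
```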

Integrating Access Manager and LDAP Using the idmConfigTool

This section describes how to integrate Oracle Access Manager and LDAP using the idmConfigTool.

Note:

Before running the idmConfigTool, ensure that the WLS_OAM1 and WLS_OAM2 Managed Servers are shut down.

Perform the following tasks on OAMHOST1:

  1. Set the environment variables MW_HOME, JAVA_HOME and ORACLE_HOME:
    ORACLE_HOME to IAD_ORACLE_HOME/idm
    MW_HOME to IAD_ORACLE_HOME
    
  2. Run the idmConfigTool utility to perform the integration.

    The syntax of the command on Linux is:

    cd IAD_ORACLE_HOME/idm/idmtools/bin
    idmConfigTool.sh -configOAM input_file=configfile 
    

    For example:

    idmConfigTool.sh -configOAM input_file=oam.props
    

    When the command runs, you are prompted for the password of the account used to connect to the Identity Store. You are also asked to specify the passwords to assign to these accounts:

    • IDSTORE_PWD_OAMSOFTWAREUSER

    • IDSTORE_PWD_OAMADMINUSER

    • OAM11G_WLS_ADMIN_PASSWD

  3. Check the log file for any errors or warnings and correct them. A file named automation.log is created in the directory where you run the tool.
  4. Restart the Administration console.

    Note:

    After you run idmConfigTool, several files are created that you need for subsequent tasks. Keep these in a safe location.

    The following files exist in the following directory:

    IAD_ASERVER_HOME/output/Webgate_IDM
    

    You need these when you install the WebGate software.

    • cwallet.sso

    • ObAccessClient.xml

    • password.xml

    • aaa_cert.pem

    • aaa_key.pem

    Note:

    If the WLS_AMA servers were running when configOAM was run, then the WebGate_IDM artifacts may have been created in IAD_MSERVER_HOME/output. If this is the case, move them back to IAD_ASERVER_HOME/output.

Validating the OAM LDAP Configuration

To validate that this has completed correctly:

  1. Access the OAM console using the following URL:
    http://iadadmin.example.com/oamconsole
    
  2. Log in as the Access Manager administration user you created when you prepared the ID Store. For example oamadmin.
  3. Click Agents from the Application Security screen.
  4. When the Search SSO Agents screen appears, click Search.
  5. You should see the Web Gate agent Webgate_IDM.
  6. Log in to the WebLogic Administration Server Console as the default administrative user. For example, weblogic.
  7. Click Security Realms on the left navigation pane.
  8. On the Summary of Security Realms page, click myrealm under the Realms table.
  9. On the Settings page for myrealm, go to the Users and Groups Tab.
  10. On the Users tab, check that LDAP users from your directory authenticator (for example, OUDAuthenticator) are displayed.
  11. On the Groups tab, check that LDAP groups from your directory authenticator (for example, OUDAuthenticator) are displayed.

Adding LDAP Groups to WebLogic Administrators

Access Manager requires access to MBeans stored within the Administration Server. For LDAP users to be able to log in to the WebLogic console and Fusion Middleware Control, they must be assigned WebLogic Administration rights. For Access Manager to invoke these MBeans, users in the OAMAdministrators group must have WebLogic Administration rights.

When Single Sign-on is implemented, provide the LDAP group IDM Administrators with WebLogic administration rights, so that you can log in using one of these accounts and perform WebLogic administrative actions.

To add the LDAP Groups OAMAdministrators and WLSAdministrators to the WebLogic Administrators:

  1. Log in to the WebLogic Administration Server Console as the default administrative user. For example, weblogic.
  2. In the left pane of the console, click Security Realms.
  3. On the Summary of Security Realms page, click myrealm under the Realms table.
  4. On the Settings page for myrealm, click the Roles & Policies tab.
  5. On the Realm Roles page, expand the Global Roles entry under the Roles table.
  6. Click the Roles link to go to the Global Roles page.
  7. On the Global Roles page, click the Admin role to go to the Edit Global Roles page.
  8. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
  9. On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.
  10. On the Edit Arguments Page, Specify OAMAdministrators in the Group Argument field and click Add.
  11. Repeat for the Group WLSAdministrators.
  12. Click Finish to return to the Edit Global Roles page.
  13. The Role Conditions table now shows the groups OAMAdministrators and WLSAdministrators as role conditions.
  14. Click Save to finish adding the Admin role to the OAMAdministrators and IDM Administrators Groups.

Updating WebGate Agents

When the idmConfigTool is run, it changes the default OAM security model and creates a new WebGate SSO Agent. However, it does not change the existing WebGate SSO Agents to the new security model. After running the idmConfigTool, you must update any WebGate agents that previously existed. This involves the following steps:

  • Change the security mode to match that of the OAM servers. Failure to do so will result in a security mismatch error.

  • When WebGates are created at first install, they are unaware that a highly available (HA) installation is performed. After enabling HA, you must ensure that all of the OAM servers are included in the agent configuration, to ensure system continuity.

  • When WebGates are created at first install, they are unaware that a highly available (HA) install is performed. You must check that any logout URLs are redirected to the hardware load balancer rather than to one of the local OAM servers.

  • A WebGate agent called IAMSuiteAgent is created out of the box. This is created without any password protection and needs to have one added.

To perform these actions, complete the following steps:

  1. Log in to the OAM Console at http://iadadmin.example.com/oamconsole using the OAM Administration user (oamadmin).
  2. Click Agents pad on the Application Security screen.
  3. Ensure that the WebGates tab is selected.
  4. Click Search.
  5. Click an Agent, for example: IAMSuiteAgent.
  6. Set the Security value to the same value defined for OAM Transfer Mode on the Access Manager Configuration screen during response file creation.

    If you have changed the OAM security model using the idmConfigTool, change the security model used by any existing Webgates to reflect this change.

    Click Apply.

  7. In the Primary Server list, click + and add any missing Access Manager Servers.
  8. If a password has not already been assigned, enter a password into the Access Client Password field and click Apply.

    Assign an Access Client Password, such as the Common IAM Password (COMMON_IDM_PASSWORD) you used during the response file creation or an Access Manager-specific password, if you have set one.

  9. Set Maximum Connections to 20. This is the total maximum number of connections for the primary servers, which is 10 x WLS_OAM1 connections plus 10 x WLS_OAM2 connections.
  10. If you see the following in the User Defined Parameters or the Logout redirect URL:
    logoutRedirectUrl=http://OAMHOST1.example.com:14100/oam/server/logout
    

    Change it to:

    logoutRedirectUrl=https://login.example.com/oam/server/logout
    
  11. Click Apply.
  12. Repeat these steps for each WebGate.
  13. Check that the security setting matches that of your Access Manager servers.

Updating Host Identifiers

You access your domain through different load balancer entry points. Each of these entry points (virtual hosts) needs to be added to the policy list. This ensures that a request for a resource through login.example.com or prov.example.com is evaluated against the same set of policy rules.

  1. Access the OAM console at http://iadadmin.example.com/oamconsole.
  2. Log in as the Access Manager administration user you created when you prepared the ID Store. For example oamadmin.
  3. Select Launch Pad if not already displayed.
  4. Click on Host Identifiers under Access Manager.
  5. Click Search.
  6. Click on IAMSuiteAgent.
  7. Click + in the operations box.
  8. Enter the following information.

    Table 18-1 Host Name Port Values

    Host Name                  Port
    iadadmin.example.com       80
    igdadmin.example.com       80
    igdinternal.example.com    7777
    prov.example.com           443
    login.example.com          443

  9. Click Apply.

Adding Missing Policies to OAM

If you are using Oracle Identity Governance, you must add the following policies to OAM.

Table 18-2 OAM Policy Information

Product  Resource Type  Host Identifier  Resource URL                       Protection Level  Authentication Policy          Authorization Policy
ALL      HTTP           IAMSuiteAgent    /consolehelp/**                    Excluded
ALL      HTTP           IAMSuiteAgent    /otpfp/**                          Excluded
OIG      HTTP           IAMSuiteAgent    /OIGUI/**                          Protected         Protected Higher Level Policy  Protected Resource Policy
OIG      HTTP           IAMSuiteAgent    /iam/**                            Protected         Protected Higher Level Policy  Protected Resource Policy
OIG      HTTP           IAMSuiteAgent    /iam/governance/token/**           Excluded
OIG      HTTP           IAMSuiteAgent    /FacadeWebApp/**                   Protected         Protected Higher Level Policy  Protected Resource Policy
OIG      HTTP           IAMSuiteAgent    /IdentityAuditCallbackService/**   Excluded

Note:

/otpfp is only required if you have implemented the OAM forgotten password functionality.

To add these policies:

  1. Log in to the OAM Console at http://iadadmin.example.com/oamconsole using the user oamadmin.
  2. From the Launchpad click Application Domains in the Access Manager section.
  3. Click Search on the Search page.

    A list of Application domains appears.

  4. Click the domain IAM Suite.
  5. Click the Resources Tab.
  6. Click Create.
  7. Enter the information specified in the table above.
  8. Click Apply.
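
The table above nests an Excluded resource (/iam/governance/token/**) under a Protected one (/iam/**), so which row wins for a given path matters: Excluded resources bypass OAM authentication entirely. The following script is an added example for this chapter (not Oracle code) that resolves a request path against the table's rows and lists such nested exclusions for review. It assumes that the pattern with the longest literal prefix is the most specific match, and it treats '**' as matching any path remainder.

```python
"""Resolve which Table 18-2 row governs a request path in the IAM Suite
application domain. Added example for this chapter; not Oracle code. The
most-specific-pattern-wins rule is an assumption about OAM resource matching."""
import re

# Resource URL -> protection level, constructed from Table 18-2 above.
IAM_SUITE_POLICIES = {
    "/consolehelp/**": "Excluded",
    "/otpfp/**": "Excluded",
    "/OIGUI/**": "Protected",
    "/iam/**": "Protected",
    "/iam/governance/token/**": "Excluded",
    "/FacadeWebApp/**": "Protected",
    "/IdentityAuditCallbackService/**": "Excluded",
}


def pattern_to_regex(pattern):
    """'**' matches any remainder including '/'; '*' matches one path segment."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def literal_prefix(pattern):
    """The fixed part of a pattern before its first wildcard."""
    return pattern.split("*", 1)[0]


def resolve(path, policies=IAM_SUITE_POLICIES):
    """Return (pattern, level) for the row governing path, or (None, 'Not listed')
    when no row matches; with OAM11G_WG_DENY_ON_NOT_PROTECTED=true the WebGate
    rejects resources that appear in no resource list."""
    matches = [p for p in policies if pattern_to_regex(p).match(path)]
    if not matches:
        return None, "Not listed"
    # Assumption: the longest literal prefix is the most specific match.
    best = max(matches, key=lambda p: len(literal_prefix(p)))
    return best, policies[best]


def excluded_holes(policies=IAM_SUITE_POLICIES):
    """List (excluded_pattern, protected_parent) pairs: Excluded rows nested under
    a Protected row, which bypass OAM authentication and deserve review."""
    holes = []
    for pat, level in policies.items():
        if level != "Excluded":
            continue
        for other, other_level in policies.items():
            if other != pat and other_level == "Protected" \
                    and literal_prefix(pat).startswith(literal_prefix(other)):
                holes.append((pat, other))
    return holes


if __name__ == "__main__":
    for path in ("/iam/identity/self", "/iam/governance/token/issue", "/unlisted/app"):
        print(path, "->", resolve(path))
    print("nested exclusions:", excluded_holes())
```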

Updating Federation Service Details

Now that Oracle Access Management (OAM) is configured, you must update the Federation services to access the Federation via the load balancer URL.

To do this:
  1. Log in to the OAM Console at http://iadadmin.example.com/oamconsole.
  2. Click Configuration.
  3. In the settings pane, click View, and select Federation from the drop-down.
  4. On the Federation Settings Page, update the Provider ID to https://login.example.com/oam/fed.
  5. Click Apply.

Updating Idle Timeout Value

The default idle timeout value set in Access Manager is often too long and can cause issues such as a session not being logged out after it has timed out. Therefore, it is recommended that this value is reduced to 15 minutes.

To update the idle timeout value:

  1. Log in to the OAM Console at http://iadadmin.example.com/oamconsole.
  2. Log in as the Access Manager administrator user you created during response file creation.
  3. Click Configuration.
  4. Select Common Settings under Settings.
  5. Change Idle Time out (minutes) to 15.
  6. Click Apply.

Validating the Authentication Providers

Set the order of identity assertion and authentication providers in the WebLogic Server Administration console.

  1. Log in to the WebLogic Server Administration Console, if not already logged in.
  2. Click Lock & Edit.
  3. From the left navigation, select Security Realms.
  4. Click the myrealm default realm entry.
  5. Click the Providers tab.
  6. From the table of providers, click the DefaultAuthenticator.
  7. Set the Control Flag to SUFFICIENT.
  8. Click Save to save the settings.
  9. From the navigation breadcrumbs, click Providers to return to the list of providers.
  10. Click Reorder.
  11. Sort the providers to ensure that the OAM Identity Assertion provider is first and the DefaultAuthenticator provider is last.

    Table 18-3 Sort order

    Sort Order  Provider                         Control Flag
    1           OAMIDAsserter                    REQUIRED
    2           LDAP Authentication Provider     SUFFICIENT
    3           DefaultIdentityAsserter          N/A
    4           Trust Service Identity Asserter  N/A
    5           DefaultAuthenticator             SUFFICIENT

  12. Click OK.
  13. Click Activate Changes to propagate the changes.
  14. Shut down the Administration Server, Managed Servers, and any system components, as applicable.
  15. Restart the Administration Server.
  16. If you are going to configure ADF consoles with SSO, you can keep the managed servers down and restart them later. If not, you need to restart managed servers now.

Starting the Managed Servers in the Domain

Start the Managed Servers in the following order:

Starting the WLS_OAM1 Managed Server

To start the WLS_OAM1 Managed Server:
  1. Log in to the Oracle WebLogic Server Administration Console.
    http://iadadmin.example.com/console
  2. Start the WLS_OAM1 Managed Server using the WebLogic Server Administration Console, as follows:
    1. Expand the Environment node in the Domain Structure tree on the left.
    2. Click Servers.
    3. On the Summary of Servers page, open the Control tab.
    4. Select WLS_OAM1, and then click Start.
  3. Verify that the server status is reported as Running in the Administration Console. If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported (such as Admin or Failed), check the server output log files for errors.

Starting the WLS_AMA1 Managed Server

To start the WLS_AMA1 Managed Server:
  1. Log in to the Oracle WebLogic Server Administration Console.
    http://iadadmin.example.com/console
  2. Start the WLS_AMA1 Managed Server using the WebLogic Server Administration Console, as follows:
    1. Expand the Environment node in the Domain Structure tree on the left.
    2. Click Servers.
    3. On the Summary of Servers page, open the Control tab.
    4. Select WLS_AMA1, and then click Start.
  3. Verify that the server status is reported as Running in the Administration Console. If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported (such as Admin or Failed), check the server output log files for errors.

Starting the WLS_OAM2 Managed Server

To start the WLS_OAM2 Managed Server:
  1. Log in to the Oracle WebLogic Server Administration Console.
    http://iadadmin.example.com/console
  2. Start the WLS_OAM2 Managed Server using the WebLogic Server Administration Console, as follows:
    1. Expand the Environment node in the Domain Structure tree on the left.
    2. Click Servers.
    3. On the Summary of Servers page, open the Control tab.
    4. Select WLS_OAM2, and then click Start.
  3. Verify that the server status is reported as Running in the Administration Console. If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported (such as Admin or Failed), check the server output log files for errors.

Starting the WLS_AMA2 Managed Server

To start the WLS_AMA2 Managed Server:
  1. Log in to the Oracle WebLogic Server Administration Console.
    http://iadadmin.example.com/console
  2. Start the WLS_AMA2 Managed Server using the WebLogic Server Administration Console, as follows:
    1. Expand the Environment node in the Domain Structure tree on the left.
    2. Click Servers.
    3. On the Summary of Servers page, open the Control tab.
    4. Select WLS_AMA2, and then click Start.
  3. Verify that the server status is reported as Running in the Administration Console. If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported (such as Admin or Failed), check the server output log files for errors.

Validating Access Manager

You can validate Access Manager by using the oamtest tool. To do this, perform the following steps:

  1. Ensure that the WLS_OAM Managed Server is up and running.
  2. Ensure that JAVA_HOME is set in your environment and add JAVA_HOME/bin to your PATH. For example:
    export PATH=$JAVA_HOME/bin:$PATH
    
  3. Change the directory to the following:
    IAD_ORACLE_HOME/idm/oam/server/tester
    
  4. Start the test tool in a terminal window using the command:
    java -jar oamtest.jar
    
  5. When the OAM test tool starts, enter the following information in the Server Connection section of the page:
    • Primary IP Address: OAMHOST1.example.com

    • Port: 5575 (OAM_PROXY_PORT)

    • Agent ID: Webgate_IDM

    • Agent Password: webgate password

    • Mode: Simple

    • Global Passphrase: Enter the value you set as the global password in Setting a Global Passphrase.

  6. Click Connect.
    In the status window you see: [response] Connected to primary access server.
  7. In the Protected Resource URI section, enter the following information:
    • Scheme: http

    • Host: iadadmin.example.com

    • Port: 80 (IAD_HTTP_PORT)

    • Resource: /oamconsole

    Click Validate.

    In the status window you see: [request] [validate] yes.

  8. In the User Identity window, enter:
    • Username: oamadmin

    • Password: oamadmin password

    Click Authenticate.

    In the status window you see: [request] [authenticate] yes.

    Click Authorize.

    In the status window you see: [request] [authorize] yes.

Enabling Forgotten Password

In Oracle Identity Management 12c forgotten password functionality is provided by Oracle Access Management rather than Oracle Identity Governance as in previous releases. This section contains the following topics:

Prerequisites for Enabling Forgotten Password

Forgotten Password Management in Oracle Access Manager takes the form of sending an Email or SMS message with a link to reset the password.

Email or SMS is sent using the Oracle User Messaging Service. Before enabling the Oracle Forgotten Password functionality, you first need to have an Oracle User Messaging deployment. This is often located inside the Oracle Governance Domain but can be located inside the Access Domain if that is all you are installing. Alternatively, it could be a completely independent domain.

Forgotten Password functionality works only if you have successfully configured Single Sign-On as described in Configuring Single Sign-On for an Enterprise Deployment.

Adding the User Messaging Service to the Access domain or creating a User Messaging Service domain is outside the scope of this EDG. For more information about installing and configuring the Oracle User Messaging Service, see Installing User Messaging Service and Configuring Oracle User Messaging Service in Administering Oracle User Messaging Service.

Add Permissions to oamLDAP user

When created out of the box, the oamLDAP user (the user used to link OAM to LDAP) is granted privileges to read the LDAP directory. It is not, however, granted permission to update those users. You need to add these privileges for the OAM forgotten password functionality to work.

To do this you need to create an ldif file using your preferred text editor. This file will have the following content:

add_aci.ldif

dn: cn=oamLDAP,cn=systemids,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

dn: cn=Users,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter= "(objectclass=inetorgperson)")(targetscope = "subtree") (version 3.0; acl "iam admin changepwd"; allow (compare,search,read,selfwrite,add,write,delete) userdn = "ldap:///cn=oamLDAP,cn=systemids,dc=example,dc=com";)

Save the file.

On LDAPHOST1, apply the file using the command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -D cn=oudadmin -h LDAPHOST1 -p 1389 -f ./add_aci.ldif

Create an OTP Administrative Group in LDAP

For the oamadmin account to be able to invoke forgotten password system calls, it needs to be a member of the group OTPRestUserGroup. This group is not created by idmConfigTool and must therefore be created manually.

To do this you perform the following steps:

  1. Create a file called create_otp_group.ldif with the following contents:
    dn: cn=OTPRestUserGroup,cn=Groups,dc=example,dc=com
    changetype: add
    objectClass: top
    objectClass: orclgroup
    objectClass: groupofuniquenames
    cn: OTPRestUserGroup
    description: Forgotten Password Admin group
    displayName: OTPRestUserGroup
    uniquemember: cn=oamadmin,cn=Users,dc=example,dc=com
  2. Use the ldapmodify command to add the group to LDAP. For example:
    OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -D cn=oudadmin -h LDAPHOST1 -p 1389 -f create_otp_group.ldif

Enabling Adaptive Authentication Service

Forgotten password requires the following service to be enabled.

To enable Adaptive Authentication Service, perform the following steps:

  1. Log in to the Oracle Access Management Administration console as the oamadmin user, using the following URL:
    http://iadadmin.example.com/oamconsole
  2. Click Configuration.
  3. Click Available Services.
  4. Click Enable Service next to Adaptive Authentication Service.
  5. When prompted, confirm that you wish to enable the service.

Configuring Adaptive Authentication Plug-in

Now that the Authentication service is enabled, it needs to be informed about your User Messaging service.

To configure Adaptive Authentication Plug-In, perform the following steps:

  1. Log in to the Oracle Access Management Administration console as the oamadmin user, using the following URL:
    http://iadadmin.example.com/oamconsole
  2. From the Application Security Launch Pad, click Authentication Plug-ins in the Plug-ins panel. From the Authentication Plug-in tab, type Adaptive in the quick search box above the Plug-in Name column and hit Enter.
    The AdaptiveAuthenticationPlugin is displayed.
  3. Enter the following plug in properties:

    Table 18-4 AdaptiveAuthentication Plug-In Properties

    Attribute     Value
    UmsAvailable  True
    UmsClientURL  Specify the entry point of your User Messaging Service. If you have configured Oracle Identity Manager, this is: http://igdinternal.example.com:7777/ucs/messaging/webservice

  4. Click Save.

Enabling Password Management in the Directory

By default OAM is not set to allow password management. This must be enabled through the OAM Console.

To enable Password Management in the Directory, perform the following steps:

  1. Log in to the Oracle Access Management Administration console as the oamadmin user, using the following URL:
    http://iadadmin.example.com/oamconsole
  2. Click Configuration.
  3. Click User Identity Stores.
  4. Click on your LDAP identity store in the OAM Identity Store section. For example, OAMIDSTORE
  5. Click Edit
  6. Select Enable Password Management.
  7. Enter the details in the user information field.

    Table 18-5 User Information Details

    Attribute         Description
    Global Common ID  Unique identifier in LDAP for the user, for example: uid.
    First Name        LDAP attribute that holds the user's first name, for example: cn.
    Last Name         LDAP attribute that holds the user's last name, for example: sn.
    Email Address     The email address that appears in the From field of sent emails.

  8. Click Apply.

Storing User Messaging Credentials in CSF

Before you can access the User Messaging Service, you need to store the credentials in the WebLogic credential store.

To do this, execute the following set of WLST commands:

IAD_ORACLE_HOME/oracle_common/common/bin/wlst.sh
connect()
Please Enter your username: weblogic
Please Enter your password: COMMON_IDM_PASSWORD
Please enter your server URL [t3://localhost:7001] :t3://IADADMINVHN.example.com:7001
You will now be connected to the domain. Execute the following commands:
createCred(map="OAM_CONFIG", key="umsKey", user="weblogic", password="password")
createCred(map="OAM_CONFIG", key="oam_rest_cred", user="oamadmin", password="password")
exit()

The umsKey credential is used to authenticate to the User Messaging Service, which sends out your email or SMS notifications.

The oam_rest_cred credential is the user allowed to invoke the REST services on the OAM server.

In the above commands, weblogic is the domain administrative user, and password is its associated password.

Setup for Forgot Password Link on Login Page

The following REST API command enables the OTP forgot password link on the default login page in OAM. 

 curl -X PUT \
  https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpassword/ \
  -u oamadmin:Password \
  -H 'content-type: application/json' \
  -d '{"displayOTPForgotPassworLink":"true","defaultOTPForgotPasswordLink":"false","localToOAMServer":"true","forgotPasswordURL":"https://login.example.com/otpfp/pages/fp.jsp", "mode":"userselectchallenge"}'

Enter the required attributes and values:

Table 18-6 Forgot Password Link on Login Page

Attribute          Value
base_url           Main entry point of OAM. For example, https://login.example.com
mode
distribution_mode  The distribution mode determines how the password reset URL is sent to the end user. Valid values are: email, sms, userchoose, userselectchallenge. The last entry allows the user to choose from masked values.

  • Email -- OTP is sent to the email address configured in the mail field.

  • SMS -- OTP is sent to the mobile number configured in the mobile field.

  • Userchoose -- OTP is sent to whichever of the email or mobile options the user chooses, without showing the exact values.

  • Userselectchallenge -- The user sees the masked email and mobile values and selects one of them.

Note:

If you are using self-signed certificates on the load balancer, the curl command may fail with a message similar to:

curl performs SSL certificate verification by default, using a bundle of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

If you see this message and are sure the certificate presented is the one you expect, add -k after -u oamadmin:Password.

Verify that this has succeeded by accessing the following URL in a browser:

https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpassword

When prompted, enter your oamadmin account and password.

Note:

One of the OAM managed servers must be running for this command to succeed.
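As an added check that is not part of the Oracle documentation, the following Python function inspects the JSON returned by the GET on the otpforgotpassword endpoint above and flags settings that would leave the link hidden, the mode invalid, or the reset page served from an unexpected host or over plain HTTP. It assumes the GET returns the same attribute names (as spelled in the PUT command above) that were sent; the sample responses are constructed, not captured from a real server.

```python
import json
from urllib.parse import urlparse

# Valid distribution modes, as listed in Table 18-6.
VALID_MODES = {"email", "sms", "userchoose", "userselectchallenge"}


def check_otp_config(body: str, base_url: str) -> list:
    """Return a list of findings; an empty list means the config looks right.

    body     -- JSON text returned by GET .../config/otpforgotpassword
                (assumed to carry the attributes that the PUT sent)
    base_url -- main entry point of OAM, e.g. https://login.example.com
    """
    cfg = json.loads(body)
    findings = []

    # Attribute name copied as spelled in the PUT command in this section.
    if cfg.get("displayOTPForgotPassworLink") != "true":
        findings.append("forgot password link is not displayed on the login page")

    mode = str(cfg.get("mode", "")).lower()
    if mode not in VALID_MODES:
        findings.append(f"unexpected mode {mode!r}")

    # The reset page should be reached over HTTPS and on the OAM entry host,
    # so the user is not sent to some other site with a one-time code.
    target = urlparse(cfg.get("forgotPasswordURL", ""))
    base = urlparse(base_url)
    if target.scheme != "https":
        findings.append("forgotPasswordURL does not use HTTPS")
    if target.hostname != base.hostname:
        findings.append(f"forgotPasswordURL host {target.hostname!r} "
                        f"differs from base_url host {base.hostname!r}")
    return findings


# Constructed sample responses (not real server output).
SAMPLE_OK = ('{"displayOTPForgotPassworLink":"true","defaultOTPForgotPasswordLink":"false",'
             '"localToOAMServer":"true","forgotPasswordURL":'
             '"https://login.example.com/otpfp/pages/fp.jsp","mode":"userselectchallenge"}')
SAMPLE_BAD = ('{"displayOTPForgotPassworLink":"true","defaultOTPForgotPasswordLink":"false",'
              '"localToOAMServer":"true","forgotPasswordURL":'
              '"http://login.example.com/otpfp/pages/fp.jsp","mode":"pin"}')

if __name__ == "__main__":
    for name, body in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_otp_config(body, "https://login.example.com") or "no findings")
```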

Restarting the domain

Shutdown and restart the Administration Server and all of the managed servers (WLS_AMA1, WLS_AMA2, WLS_OAM1, WLS_OAM2).

Validating The Forgotten Password Functionality

You can validate the forgotten password configuration by running the following command, which shows the password policies in force:

curl -X GET https://login.example.com/oam/services/rest/access/api/v1/pswdmanagement/UserPasswordPolicyRetriever/oamadmin?description=true  -u oamadmin:<password> -k 

This should return the password policies.

If this works, try accessing the protected URL listed below (after you have enabled single sign-on). On the login page you should see a link for forgotten passwords. Click this link and enter the user name of the user whose password you wish to reset, then click Generate Pin. Check your mailbox; you should have an email that allows you to change your password.

http://iadadmin.example.com/console

Enabling Exalogic Optimizations

This section describes the tasks specific to Exalogic optimization. This section contains the following topic:

Enabling Oracle Access Management Persistence Optimizations

You can speed up Oracle Access Management (OAM) persistence by enabling the OAM Exalogic optimizations. To do so, add a new parameter to the server start options of each OAM managed server.

To enable the OAM persistence optimizations:

  1. Log in to the WebLogic Console in the IAMAccessDomain using the URL:
    http://iadadmin.example.com/console
  2. Navigate to Environment, and then Servers.
  3. Click Lock and Edit.
  4. Click on the server WLS_OAM1.
  5. Click on the Server Start subtab.
  6. Add the following to the Arguments field:
    -Doracle.oam.sme.elo=true
  7. Click Save.
  8. Repeat Steps 4-7 for the managed server WLS_OAM2.
  9. Click Activate Changes.

Backing Up the Configuration

Oracle recommends creating a backup after you have successfully extended a domain or reached another logical point. Create a backup after you verify that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps.

The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process.

For information about backing up your configuration, see Performing Backups and Recoveries for an Enterprise Deployment.