18 Configuring Oracle Access Management
To extend the enterprise deployment domain with Oracle Access Management, you must install Oracle Identity and Access Management, extend the domain for Oracle Access Management, and complete the post-configuration and verification tasks. This chapter describes those tasks.
- Variables Used in This Chapter
  This topic lists the variables used in this chapter.
- Configuring and Integrating with LDAP
- Updating WebGate Agents
- Updating Host Identifiers
- Adding Missing Policies to OAM
- Updating Federation Service Details
  Now that Oracle Access Management (OAM) is configured, you must update the Federation services to access the Federation via the load balancer URL.
- Updating Idle Timeout Value
- Validating the Authentication Providers
- Starting the Managed Servers in the Domain
  Start the Managed Servers in the prescribed order.
- Validating Access Manager
- Enabling Forgotten Password
- Enabling Exalogic Optimizations
- Backing Up the Configuration
  It is an Oracle best-practice recommendation to create a backup after you successfully extend a domain or at another logical point. Create a backup after you verify that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps.
Variables Used in This Chapter
This topic lists the variables used in this chapter.
Variables
- PRIMARY_OAM_SERVERS
- WEBGATE_TYPE
- ACCESS_GATE_ID
- OAM11G_OIM_WEBGATE_PASSWD
- COOKIE_DOMAIN
- COOKIE_EXPIRY_INTERVAL
- OAM11G_WG_DENY_ON_NOT_PROTECTED
- OAM11G_IDM_DOMAIN_OHS_HOST
- OAM11G_IDM_DOMAIN_OHS_PORT
- OAM11G_IDM_DOMAIN_OHS_PROTOCOL
- OAM11G_SERVER_LBR_HOST
- OAM11G_SERVER_LBR_PORT
- OAM11G_SERVER_LBR_PROTOCOL
- OAM11G_OAM_SERVER_TRANSPORT_MODE
- OAM_TRANSFER_MODE
- OAM11G_SSO_ONLY_FLAG
- OAM11G_IMPERSONATION_FLAG
- OAM11G_IDM_DOMAIN_LOGOUT_URLS
- OAM11G_OIM_INTEGRATION_REQ
- OAM11G_OIM_OHS_URL
- IDSTORE_PWD_OAMSOFTWAREUSER
- IDSTORE_PWD_OAMADMINUSER
- OAM11G_WLS_ADMIN_PASSWD
- IAD_MSERVER_HOME
- IAD_ASERVER_HOME
- WLS_AMA
- WebGate_IDM
- COMMON_IDM_PASSWORD
- WLS_OAM1
- WLS_AMA1
- WLS_OAM2
- WLS_AMA2
- JAVA_HOME
- OAM_PROXY_PORT
- IAD_HTTP_PORT
- IAD_ORACLE_HOME
Configuring and Integrating with LDAP
This section describes how to configure and integrate Oracle Access Manager with LDAP.
This section contains the following topics:
- Setting a Global Passphrase
- Configuring Access Manager to use the LDAP Directory
- Adding LDAP Groups to WebLogic Administrators
Setting a Global Passphrase
By default, Access Manager is configured to use the Open security model. If you plan to change this mode using idmConfigTool, you must set a global passphrase. Although the global passphrase and the WebGate access password need not be the same, Oracle recommends that they are.
To set a global passphrase:
Configuring Access Manager to use the LDAP Directory
Now that the initial installation is done and the security model is set, you must associate Access Manager with your LDAP directory. In this release, Oracle Unified Directory (OUD) is supported.
To associate Access Manager with your LDAP directory, perform the following tasks:
- Creating a Configuration File
- Integrating Access Manager and LDAP Using the idmConfigTool
- Validating the OAM LDAP Configuration
Creating a Configuration File
Configuring Oracle Access Management to use LDAP requires running the idmConfigTool utility. Therefore, you must create a configuration file called oam.props to use during the configuration. The contents of this file are the same as the configuration file created in Creating a Configuration File, with the following additions:

```
# OAM Properties
OAM11G_IDSTORE_NAME: OAMIDSTORE
PRIMARY_OAM_SERVERS: OAMHOST1.example.com:5575,OAMHOST2.example.com:5575
WEBGATE_TYPE: ohsWebgate12c
ACCESS_GATE_ID: Webgate_IDM
OAM11G_OIM_WEBGATE_PASSWD: Password
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM11G_IDM_DOMAIN_OHS_HOST: login.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_SERVER_LBR_HOST: login.example.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSFER_MODE: simple
OAM_TRANSFER_MODE: simple
OAM11G_SSO_ONLY_FLAG: false
OAM11G_IMPERSONATION_FLAG: false
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_OIM_INTEGRATION_REQ: false
OAM11G_OIM_OHS_URL: https://prov.example.com:443/
# WebLogic Properties
WLSHOST: IADADMINVHN.example.com
WLSPORT: 7001
WLSADMIN: weblogic
IDSTORE_WLSADMINUSER: weblogic_iam
IDSTORE_WLSADMINGROUP: WLSAdministrators
```
OAM Property Descriptions:
- OAM11G_IDSTORE_NAME is the name you wish to assign to the ID store in OAM. This is an optional parameter.
- PRIMARY_OAM_SERVERS is a comma-separated list of all of the OAM Managed Servers in the deployment. Each entry has the format server running the OAM Managed Server:OAM proxy port. Note that the proxy port is not the OAM Managed Server listen port. The OAM proxy port can be found in the worksheet (OAM_PROXY_PORT).
- WEBGATE_TYPE is the type of WebGate profile to create. This should always be ohsWebgate12c.
- ACCESS_GATE_ID is the name of the WebGate agent to create.
- OAM11G_OIM_WEBGATE_PASSWD is the password you wish to assign to the WebGate agent you are creating.
- COOKIE_DOMAIN is the domain with which the OAM cookie is associated. This is normally the same as the IDSTORE_SEARCH_BASE in domain format. The search base can be found in the worksheet (REALM_DN).
- COOKIE_EXPIRY_INTERVAL is the amount of time before a cookie expires.
- OAM11G_WG_DENY_ON_NOT_PROTECTED should always be set to true. It ensures that any attempt to access a resource not explicitly stated in the OAM resource list is rejected.
- OAM11G_IDM_DOMAIN_OHS_HOST is the name of the Oracle HTTP Server (OHS) that fronts the IAMAccessDomain. In an enterprise deployment, this is the load balancer name.
- OAM11G_IDM_DOMAIN_OHS_PORT is the port on which the OHS server fronting the IAMAccessDomain listens. In an enterprise deployment, this is the load balancer port. This is the IAD_HTTPS_PORT in the worksheet.
- OAM11G_IDM_DOMAIN_OHS_PROTOCOL determines which protocol is used when accessing the OHS server fronting the IAMAccessDomain. In an enterprise deployment, this is the load balancer protocol. In the Enterprise Deployment Blueprint, SSL is terminated at the load balancer, but the URL always has the HTTPS prefix, so this value should be set to https.
- OAM11G_SERVER_LBR_HOST is the name of the virtual host configured on the load balancer for logging in. This is usually the same as OAM11G_IDM_DOMAIN_OHS_HOST.
- OAM11G_SERVER_LBR_PORT is the port of the virtual host configured on the load balancer for logging in. This is usually the same as OAM11G_IDM_DOMAIN_OHS_PORT.
- OAM11G_SERVER_LBR_PROTOCOL is the protocol of the virtual host configured on the load balancer for logging in. This is usually the same as OAM11G_IDM_DOMAIN_OHS_PROTOCOL.
- OAM11G_OAM_SERVER_TRANSPORT_MODE is the type of OAM security transport to be used. This should be Simple for all platforms, except for AIX where it should be Open. You can specify cert if extra security is required. If you wish to use cert, refer to the Oracle Access Manager documentation for how to configure this.
- OAM_TRANSFER_MODE is the type of OAM security transport to be used. This should be the same as OAM11G_OAM_SERVER_TRANSPORT_MODE.
- OAM11G_SSO_ONLY_FLAG determines whether authentication mode is used. For enterprise deployments, this should be set to false.
- OAM11G_IMPERSONATION_FLAG determines whether OAM is configured for impersonation. Impersonation is typically used in help-desk applications where a support user "impersonates" an actual user for the purposes of providing support.
- OAM11G_IDM_DOMAIN_LOGOUT_URLS is a list of URLs that various products can invoke for the purposes of logging out.
- OAM11G_OIM_INTEGRATION_REQ: if you intend Oracle Identity Governance to handle forgotten password functionality, set this parameter to true. If you are using the new OAM forgotten password functionality, set it to false.
- OAM11G_OIM_OHS_URL: if you plan to use OIM for forgotten password functionality, specify the external entry point for OIG. This is the OIG URL to which OAM directs the requests. This URL is made up of the following values from the worksheet: https://prov.example.com:IAG_HTTPS_PORT/
- WLSHOST is the Admin Server listen address. For OAM configuration, this is IADADMINVHN.example.com.
- WLSPORT is the Admin Server listen port. This is the IAD_WLS_PORT in the worksheet.
- WLSADMIN is the user used to connect to the Admin Server.
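As an added example (not Oracle's code and not part of idmConfigTool), the following Python linter parses an oam.props file and checks it against the rules stated above: deny-on-not-protected enabled, https protocol, matching transfer modes, every OAM server listed, and the OIG URL present when OIG integration is requested. The severity levels and the placeholder-password check are this example's own assumptions.

```python
"""Lint an idmConfigTool oam.props file against the rules stated in this chapter.
Added example, not Oracle's code; severities and the placeholder-password check
are this example's assumptions."""
import re

# Constructed sample modelled on the chapter's listing, with deliberate deviations
# (one OAM server, deny flag off, mismatched modes, OIG URL missing).
SAMPLE_PROPS = """\
# OAM Properties
PRIMARY_OAM_SERVERS: OAMHOST1.example.com:5575
WEBGATE_TYPE: ohsWebgate12c
OAM11G_OIM_WEBGATE_PASSWD: Password
OAM11G_WG_DENY_ON_NOT_PROTECTED: false
OAM11G_IDM_DOMAIN_OHS_HOST: login.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_SERVER_LBR_HOST: login.example.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSFER_MODE: simple
OAM_TRANSFER_MODE: open
OAM11G_SSO_ONLY_FLAG: false
OAM11G_OIM_INTEGRATION_REQ: true
"""

HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def parse_props(text):
    """Parse 'KEY: VALUE' lines; '#' starts a comment and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition(":")
            if sep:
                props[key.strip()] = value.strip()
    return props


def lint_props(props):
    """Return a list of (severity, message); an empty list means every check passed."""
    findings = []
    err = lambda msg: findings.append(("ERROR", msg))
    warn = lambda msg: findings.append(("WARN", msg))
    get = lambda key: props.get(key, "").lower()

    servers = [s for s in props.get("PRIMARY_OAM_SERVERS", "").split(",") if s]
    if not servers or any(not HOST_PORT.match(s) for s in servers):
        err("PRIMARY_OAM_SERVERS entries must be host:proxy-port")
    if len(servers) < 2:
        warn("PRIMARY_OAM_SERVERS lists fewer than two servers; HA needs every OAM server")
    if props.get("WEBGATE_TYPE") != "ohsWebgate12c":
        err("WEBGATE_TYPE should always be ohsWebgate12c")
    if get("OAM11G_WG_DENY_ON_NOT_PROTECTED") != "true":
        err("OAM11G_WG_DENY_ON_NOT_PROTECTED must be true so unlisted resources are denied")
    if get("OAM11G_SSO_ONLY_FLAG") != "false":
        err("OAM11G_SSO_ONLY_FLAG should be false for an enterprise deployment")
    if get("OAM11G_IDM_DOMAIN_OHS_PROTOCOL") != "https":
        err("OAM11G_IDM_DOMAIN_OHS_PROTOCOL should be https (SSL terminates at the LBR)")
    # The chapter spells the server-side key both ..._TRANSFER_MODE and ..._TRANSPORT_MODE;
    # accept either when comparing it with OAM_TRANSFER_MODE.
    server_mode = get("OAM11G_OAM_SERVER_TRANSFER_MODE") or get("OAM11G_OAM_SERVER_TRANSPORT_MODE")
    if server_mode != get("OAM_TRANSFER_MODE"):
        err("OAM_TRANSFER_MODE must match the OAM server transport mode")
    for suffix in ("HOST", "PORT", "PROTOCOL"):
        if get(f"OAM11G_SERVER_LBR_{suffix}") != get(f"OAM11G_IDM_DOMAIN_OHS_{suffix}"):
            warn(f"OAM11G_SERVER_LBR_{suffix} differs from OAM11G_IDM_DOMAIN_OHS_{suffix}")
    if get("OAM11G_OIM_INTEGRATION_REQ") == "true" and not props.get("OAM11G_OIM_OHS_URL"):
        err("OAM11G_OIM_INTEGRATION_REQ is true but OAM11G_OIM_OHS_URL is not set")
    # Assumption of this example: the listing's literal 'Password' is a placeholder.
    if props.get("OAM11G_OIM_WEBGATE_PASSWD", "Password") == "Password":
        warn("OAM11G_OIM_WEBGATE_PASSWD still holds the documentation placeholder")
    return findings


if __name__ == "__main__":
    for severity, message in lint_props(parse_props(SAMPLE_PROPS)):
        print(f"{severity}: {message}")
```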
Integrating Access Manager and LDAP Using the idmConfigTool
This section describes how to integrate Oracle Access Manager and LDAP using the idmConfigTool.
Note:
Before running the idmConfigTool, ensure that the WLS_OAM1 and WLS_OAM2 Managed Servers are shut down.
Perform the following tasks on OAMHOST1:
Validating the OAM LDAP Configuration
To validate that this has completed correctly:
Adding LDAP Groups to WebLogic Administrators
Access Manager requires access to MBeans stored within the Administration Server. For LDAP users to be able to log in to the WebLogic console and Fusion Middleware Control, they must be assigned WebLogic Administration rights. For Access Manager to invoke these MBeans, users in the OAMAdministrators group must have WebLogic Administration rights.
When Single Sign-on is implemented, provide the LDAP group IDM Administrators with WebLogic administration rights, so that you can log in using one of these accounts and perform WebLogic administrative actions.
To add the LDAP groups OAMAdministrators and WLSAdministrators to the WebLogic Administrators:
- Log in to the WebLogic Administration Server Console as the default administrative user. For example, weblogic.
- In the left pane of the console, click Security Realms.
- On the Summary of Security Realms page, click myrealm under the Realms table.
- On the Settings page for myrealm, click the Roles & Policies tab.
- On the Realm Roles page, expand the Global Roles entry under the Roles table.
- Click the Roles link to go to the Global Roles page.
- On the Global Roles page, click the Admin role to go to the Edit Global Roles page.
- On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
- On the Choose a Predicate page, select Group from the drop-down list for predicates and click Next.
- On the Edit Arguments page, specify OAMAdministrators in the Group Argument field and click Add.
- Repeat for the group WLSAdministrators.
- Click Finish to return to the Edit Global Roles page.
- The Role Conditions table now shows the groups OAMAdministrators or WLSAdministrators as role conditions.
- Click Save to finish adding the Admin role to the OAMAdministrators and IDM Administrators groups.
Updating WebGate Agents
When the idmConfigTool is run, it changes the default OAM security model and creates a new WebGate SSO Agent. However, it does not change the existing WebGate SSO Agents to the new security model. After running the idmConfigTool, you must update any WebGate agents that previously existed. This involves the following steps:
- Change the security mode to match that of the OAM servers. Failure to do so results in a security mismatch error.
- When WebGates are created at first install, they are unaware that a highly available (HA) installation is being performed. After enabling HA, you must ensure that all of the OAM servers are included in the agent configuration, to ensure system continuity.
- When WebGates are created at first install, they are unaware that a highly available (HA) installation is being performed. You must check that any logout URLs are redirected to the hardware load balancer rather than to one of the local OAM servers.
- A WebGate agent called IAMSuiteAgent is created out of the box. It is created without any password protection, and one must be added.
To perform these actions, complete the following steps:
Updating Host Identifiers
When you access your domain, you enter using different load balancer entry points. Each of these entry points (virtual hosts) needs to be added to the Policy list. This ensures that whether you request access to a resource using login.example.com or prov.example.com, you have access to the same set of policy rules.
Adding Missing Policies to OAM
If you are using Oracle Identity Governance, you must add the following policies to OAM.
Table 18-2 OAM Policy Information
Product | Resource Type | Host Identifier | Resource URL | Protection Level | Authentication Policy | Authorization Policy |
---|---|---|---|---|---|---|
ALL | HTTP | IAMSuiteAgent | | Excluded | | |
ALL | HTTP | IAMSuiteAgent | | Excluded | | |
OIG | HTTP | IAMSuiteAgent | | Protected | Protected Higher Level Policy | Protected Resource Policy |
OIG | HTTP | IAMSuiteAgent | | Protected | Protected Higher Level Policy | Protected Resource Policy |
OIG | HTTP | IAMSuiteAgent | | Excluded | | |
OIG | HTTP | IAMSuiteAgent | | Protected | Protected Higher Level Policy | Protected Resource Policy |
OIG | HTTP | IAMSuiteAgent | | Excluded | | |
Note:
/otpfp is only required if you have implemented the OAM forgotten password functionality.
To add these policies:
Updating Federation Service Details
Now that Oracle Access Management (OAM) is configured, you must update the Federation services to access the Federation via the load balancer URL.
- Log in to the OAM Console at http://iadadmin.example.com/oamconsole.
- Click Configuration.
- In the settings pane, click View, and select Federation from the drop-down.
- On the Federation Settings page, update the Provider ID to https://login.example.com/oam/fed.
- Click Apply.
Updating Idle Timeout Value
The default idle timeout value set in Access Manager is often too long and can cause issues such as a session not being logged out after it has timed out. Therefore, it is recommended that this value be reduced to 15 minutes.
To update the idle timeout value:
- Log in to the OAM Console at http://iadadmin.example.com/oamconsole.
- Log in as the Access Manager administrator user you created during response file creation.
- Click Configuration.
- Select Common Settings under Settings.
- Change Idle Time out (minutes) to 15.
- Click Apply.
Validating the Authentication Providers
Set the order of identity assertion and authentication providers in the WebLogic Server Administration console.
Starting the Managed Servers in the Domain
Start the Managed Servers in the following order:
- Starting the WLS_OAM1 Managed Server
- Starting the WLS_AMA1 Managed Server
- Starting the WLS_OAM2 Managed Server
- Starting the WLS_AMA2 Managed Server
Starting the WLS_OAM1 Managed Server
Starting the WLS_AMA1 Managed Server
Starting the WLS_OAM2 Managed Server
Starting the WLS_AMA2 Managed Server
Validating Access Manager
You can validate Access Manager by using the oamtest tool. To do this, perform the following steps:
Enabling Forgotten Password
In Oracle Identity Management 12c, forgotten password functionality is provided by Oracle Access Management rather than by Oracle Identity Governance as in previous releases. This section contains the following topics:
- Prerequisites for Enabling Forgotten Password
- Add Permissions to oamLDAP user
- Create an OTP Administrative Group in LDAP
- Enabling Adaptive Authentication Service
- Configuring Adaptive Authentication Plug-in
- Enabling Password Management in the Directory
- Storing User Messaging Credentials in CSF
- Setup for Forgot Password Link on Login Page
- Restarting the domain
- Validating The Forgotten Password Functionality
Prerequisites for Enabling Forgotten Password
Forgotten Password Management in Oracle Access Manager takes the form of sending an Email or SMS message with a link to reset the password.
Email or SMS is sent using the Oracle User Messaging Service. Before enabling the Oracle Forgotten Password functionality, you first need to have an Oracle User Messaging deployment. This is often located inside the Oracle Governance Domain but can be located inside the Access Domain if that is all you are installing. Alternatively, it could be a completely independent domain.
Forgotten Password functionality works only if you have successfully configured Single Sign-On as described in Configuring Single Sign-On for an Enterprise Deployment.
Adding the User Messaging Service to the Access domain or creating a User Messaging Service domain is outside the scope of this EDG. For more information about installing and configuring the Oracle User Messaging Service, see Installing User Messaging Service and Configuring Oracle User Messaging Service in Administering Oracle User Messaging Service.
Add Permissions to oamLDAP user
When created out of the box, the oamLDAP user (the user used to link OAM to LDAP) is granted privileges to read the LDAP directory. It is not, however, granted permission to update those users. You need to add these privileges for the OAM forgotten password functionality to work.
To do this, create an LDIF file called add_aci.ldif using your preferred text editor, with the following content:

```
dn: cn=oamLDAP,cn=systemids,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

dn: cn=Users,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter= "(objectclass=inetorgperson)")(targetscope = "subtree") (version 3.0; acl "iam admin changepwd"; allow (compare,search,read,selfwrite,add,write,delete) userdn = "ldap:///cn=oamLDAP,cn=systemids,dc=example,dc=com";)
```

Note that this ACI grants oamLDAP write and delete rights on all attributes of every inetorgperson entry under cn=Users, which is broader than a password reset alone requires; review it against your own least-privilege requirements.
Save the file.
On LDAPHOST1, apply the file using the command:

```
OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -D cn=oudadmin -h LDAPHOST1 -p 1389 -f ./add_aci.ldif
```
Create an OTP Administrative Group in LDAP
For the oamadmin group to be able to invoke forgotten password system calls, it needs to be a member of the group OTPRestUserGroup. This group is not created by idmConfigTool and must therefore be created manually.
To do this, perform the following steps:
Enabling Adaptive Authentication Service
Forgotten password requires the following service to be enabled.
To enable Adaptive Authentication Service, perform the following steps:
Configuring Adaptive Authentication Plug-in
Now that the Authentication service is enabled, it needs to be informed about your User Messaging service.
To configure Adaptive Authentication Plug-In, perform the following steps:
Enabling Password Management in the Directory
By default OAM is not set to allow password management. This must be enabled through the OAM Console.
To enable Password Management in the Directory, perform the following steps:
Storing User Messaging Credentials in CSF
Before you can access the User Messaging Service, you need to store the credentials in the WebLogic credential store.
To do this, start WLST and connect to the Administration Server:

```
IAD_ORACLE_HOME/oracle_common/common/bin/wlst.sh
connect()
Please Enter your username: weblogic
Please Enter your password: COMMON_IDM_PASSWORD
Please enter your server URL [t3://localhost:7001] :t3://IADADMINVHN.example.com:7001
```

You are now connected to the domain. Execute the following commands:

```
createCred(map="OAM_CONFIG", key="umsKey", user="weblogic", password="password")
createCred(map="OAM_CONFIG", key="oam_rest_cred", user="oamadmin", password="password")
exit()
```

The umsKey credential provides the credentials for the User Messaging Service, which sends your email or SMS notifications.
The oam_rest_cred credential is the user allowed to invoke the REST services on the OAM server.
In the above commands, weblogic is the domain administrative user, and password is its associated password.
Setup for Forgot Password Link on Login Page
The following REST API command enables the OTP forgot password link on the default login page in OAM.

```
curl -X PUT \
  https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpassword/ \
  -u oamadmin:Password \
  -H 'content-type: application/json' \
  -d '{"displayOTPForgotPassworLink":"true","defaultOTPForgotPasswordLink":"false","localToOAMServer":"true","forgotPasswordURL":"https://login.example.com/otpfp/pages/fp.jsp", "mode":"userselectchallenge"}'
```
Enter the required attributes and values:
Table 18-6 Forgot Password Link on Login Page
Attributes | Value |
---|---|
base_url | Main entry point of OAM. For example, https://login.example.com |
mode | distribution_mode: the distribution mode determines how the password reset URL is sent to the end user. Valid values are: email, sms, userchoose, userselectchallenge. The last entry allows the user to choose from masked values. |
Note:
If you are using self-signed certificates in the load balancer, the curl command may object with a message similar to: curl performs SSL certificate verification by default, using a bundle of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
If you see this message and are sure that the certificate presented is your load balancer's own, add -k after -u oamadmin:Password.
Verify that this has succeeded by accessing the following URL in a browser:
https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpassword
When prompted, enter your oamadmin account and password.
Note:
One of the OAM managed servers must be running for this command to succeed.
Restarting the domain
Shutdown and restart the Administration Server and all of the managed servers (WLS_AMA1, WLS_AMA2, WLS_OAM1, WLS_OAM2).
Validating The Forgotten Password Functionality
To validate the configuration, run the following command, which shows you the password policies in force:

```
curl -X GET https://login.example.com/oam/services/rest/access/api/v1/pswdmanagement/UserPasswordPolicyRetriever/oamadmin?description=true -u oamadmin:<password> -k
```

This should return the password policies.
If this works, try accessing the protected URL listed below (after you have enabled single sign-on). On the login page, you should see a link for forgotten password. Click this link and enter the user name of the user whose password you wish to reset. Click Generate Pin. Check your mailbox; you should have an email that allows you to change your password.
http://iadadmin.example.com/console
Enabling Exalogic Optimizations
This section describes the tasks specific to Exalogic optimization. This section contains the following topic:
- Enabling Oracle Access Management Persistence Optimizations
Enabling Oracle Access Management Persistence Optimizations
You can speed up Oracle Access Management (OAM) persistence by enabling OAM Exalogic optimizations by adding a new parameter to the server start options for each OAM managed server.
To enable OPMS optimizations:
Backing Up the Configuration
It is an Oracle best-practice recommendation to create a backup after you successfully extend a domain or at another logical point. Create a backup after you verify that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps.
The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process.
For information about backing up your configuration, see Performing Backups and Recoveries for an Enterprise Deployment.