29 Sanity Checks

The sanity tests described in this chapter are over and above the normal tests detailed in the guide. They are designed to test the in-depth functionality of Oracle Access Management (OAM) and Oracle Identity Manager (OIM).

This chapter includes the following topics:

  • Sanity Checks for Oracle Access Management

  • Sanity Checks for Oracle Identity Governance

  • Sanity Checks for Oracle Advanced Authentication

Sanity Checks for Oracle Access Management

Learn about the sanity checks applicable for Oracle Access Management (OAM).

This section explains the following sanity checks:

  • Verifying LDAP Authentication for OAM Agent Protected Application for Valid User

  • Verifying LDAP Authentication Failure for OAM Agent Protected Application for Invalid Password

  • Verifying LDAP Authentication Failure for OAM Agent Protected Application for Invalid Username

  • Verifying Access of OAM Agent Protected Unavailable Resource

  • Verifying Access of Resource that was Recently Deleted or Replaced from the Policy

Verifying LDAP Authentication for OAM Agent Protected Application for Valid User

To verify LDAP authentication for an OAM agent protected application with a valid user, do the following:

  1. Access an application protected by an OAM WebGate that is registered with the OAM server.
  2. Check that the URL you are redirected to for authentication is served by the OAM server.
  3. Provide a valid OUD username and password in the authentication form and click Login.
  4. Check the cookies that are created in the browser.

Expected Result:

  • The OAM agent protected application can be accessed on providing valid credentials.

  • ObSSOcookie and OAM_ID cookies are created in the browser session.

Verifying LDAP Authentication Failure for OAM Agent Protected Application for Invalid Password

To verify that LDAP authentication fails for an OAM agent protected application when an invalid password is used, do the following:

  1. Access an application protected by an OAM WebGate that is registered with the OAM server.
  2. Check that the URL you are redirected to for authentication is served by the OAM server.
  3. Provide a valid username and an invalid password in the authentication form.

Expected Result:

  • User authentication fails.

  • Appropriate error message is displayed.

  • Resource cannot be accessed by the user.

Verifying LDAP Authentication Failure for OAM Agent Protected Application for Invalid Username

To verify that LDAP authentication fails for an OAM agent protected application when an invalid username is used, do the following:

  1. Access an application protected by an OAM WebGate that is registered with the OAM server.
  2. Check that the URL you are redirected to for authentication is served by the OAM server.
  3. Provide an invalid username and any password in the authentication form.

Expected Result:

  • User authentication fails.

  • Appropriate error message is displayed.

  • Resource cannot be accessed by the user.

Verifying Access of OAM Agent Protected Unavailable Resource

If you access an OAM agent protected resource that is unavailable, an appropriate error message is displayed even though the credentials provided are valid. To verify this, do the following:

  1. Access a resource URL protected by an OAM WebGate that is registered with the OAM server, while that resource is not available.
  2. Check that the URL you are redirected to for authentication is served by the OAM server.
  3. Provide a valid username and password in the authentication form.
  4. Check the cookies that are created in the browser.

Expected Result:

The OAM WebGate protected application cannot be accessed, and a proper error message is displayed.

Verifying Access of Resource that was Recently Deleted or Replaced from the Policy

If you access a resource that was recently deleted from the policy or replaced in it, authentication is not required and access is granted. To verify this, do the following:

  1. Remove a resource and replace it with a new one in policy.xml or in the UI.
  2. Access the application or resource that you deleted or replaced in the previous step. The application must be protected by an OAM WebGate that is registered with the OAM server.
  3. Check that the user is not asked to authenticate, without restarting the OAM 11g Server or WebLogic Server.
  4. Check that the user is able to access the resource.

Expected Result:

The resource or application can be accessed without authenticating the user and without restarting the OAM 11g Server or WebLogic Server.
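The OAM checks above can also be run from a jump host instead of a browser. The following script is an added example and is not part of the Oracle guide: it inspects the response headers and cookie jar that curl records for a WebGate-protected URL and verifies the redirect to the OAM server (steps 1 and 2), the presence or absence of the ObSSOcookie and OAM_ID cookies (valid versus invalid credentials), and the no-redirect response expected after a resource is removed from the policy. The OAM host login.example.com, the file layouts and all sample data are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide. It works on the files curl writes:
#   curl -sS -o /dev/null -D headers.txt https://app.example.com/protected/   (steps 1-2)
#   curl -sS -c cookies.txt ... <submit the OAM login form> ...              (steps 3-4)
# Host names, URLs and the sample data at the bottom are constructed for illustration.

OAM_HOST="login.example.com"   # assumed host of the OAM server (the redirect target)

# Print the host part of the first Location header in a saved response-header file.
# "Location: https://login.example.com/oam/server/obrareq.cgi?..." -> "login.example.com"
location_host() {
    grep -i '^Location:' "$1" | head -n 1 | tr -d '\r' \
        | sed -e 's#^[^:]*:[[:space:]]*##' -e 's#^[A-Za-z]*://##' -e 's#[/:?].*$##'
}

# HTTP status code from the status line of a saved response-header file.
http_status() {
    head -n 1 "$1" | tr -d '\r' | awk '{print $2}'
}

# Step 2: the unauthenticated request must be a redirect (302/303/307) whose
# Location points at the OAM server and not at any other host.
check_oam_redirect() {
    case "$(http_status "$1")" in 302|303|307) ;; *) return 1 ;; esac
    [ "$(location_host "$1")" = "$OAM_HOST" ]
}

# Expected result of the "deleted or replaced from the policy" check: the resource
# is served directly (200) with no redirect to the OAM server at all.
check_served_without_auth() {
    [ "$(http_status "$1")" = "200" ] && [ -z "$(location_host "$1")" ]
}

# Step 4: count the OAM session cookies in a curl cookie jar (Netscape format,
# tab separated, cookie name in field 6). curl prefixes the domain of HttpOnly
# cookies with "#HttpOnly_", so comment lines are told apart by field count, not by "#".
sso_cookie_count() {
    awk -F'\t' 'NF >= 7 && ($6 == "ObSSOcookie" || $6 == "OAM_ID") { n++ } END { print n + 0 }' "$1"
}

# Valid credentials: both ObSSOcookie and OAM_ID are present.
check_sso_cookies()    { [ "$(sso_cookie_count "$1")" -eq 2 ]; }
# Invalid username or password: authentication failed, so neither cookie exists.
check_no_sso_cookies() { [ "$(sso_cookie_count "$1")" -eq 0 ]; }

# Constructed sample files standing in for what curl would record.
SAMPLE_HDR_REDIRECT=$(mktemp)   # protected resource, unauthenticated request
SAMPLE_HDR_DIRECT=$(mktemp)     # resource removed from the policy
SAMPLE_JAR_OK=$(mktemp)         # after a successful login
SAMPLE_JAR_FAIL=$(mktemp)       # after a failed login
trap 'rm -f "$SAMPLE_HDR_REDIRECT" "$SAMPLE_HDR_DIRECT" "$SAMPLE_JAR_OK" "$SAMPLE_JAR_FAIL"' EXIT
printf 'HTTP/1.1 302 Found\r\nLocation: https://login.example.com/oam/server/obrareq.cgi?encquery=constructed\r\nContent-Length: 0\r\n\r\n' > "$SAMPLE_HDR_REDIRECT"
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 42\r\n\r\n' > "$SAMPLE_HDR_DIRECT"
{
    printf '# Netscape HTTP Cookie File\n'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' '#HttpOnly_.example.com' TRUE / TRUE 0 OAM_ID constructed-oam-id
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' '#HttpOnly_app.example.com' FALSE / TRUE 0 ObSSOcookie constructed-obsso
} > "$SAMPLE_JAR_OK"
{
    printf '# Netscape HTTP Cookie File\n'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' .example.com TRUE / TRUE 0 OAMRequestContext constructed-ctx
} > "$SAMPLE_JAR_FAIL"

# Live use: run_check HEADERS_FILE COOKIE_JAR prints one line per check.
run_check() {
    check_oam_redirect "$1" && echo "PASS redirect to $OAM_HOST" || echo "FAIL no redirect to $OAM_HOST"
    check_sso_cookies "$2" && echo "PASS ObSSOcookie and OAM_ID set" || echo "FAIL SSO cookies missing"
}
if [ "$#" -eq 2 ]; then run_check "$1" "$2"; fi
```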

Sanity Checks for Oracle Identity Governance

Learn about the sanity checks applicable for Oracle Identity Governance (OIG).

This section explains the following sanity checks:

  • Creating Organization

  • Creating a User Name

  • Creating Role

  • Managing Sandboxes

  • Adding User Defined Field (UDF) for a User

  • Creating a Disconnected Application and Provision

  • Importing and Configuring DB User Management

  • Creating an Access Policy and Provision

  • Creating End User Request for Accounts, Entitlements, and Roles

  • Resetting Account Password

  • Creating a Certification and Approving

  • Creating Identity Audit Scan Definitions and Viewing its Results

  • Testing Identity Audit

Creating Organization

To create an organization, do the following:

  1. Log in to the Identity Console as xelsysadm using the following URL:

    https://prov.example.com/identity

  2. Click Manage, and then click Organization.
  3. Click Create, and specify the org name as TestOrg.
  4. After you have entered the details of your organization, click Save to store the changes.

Creating a User Name

To create a user, do the following:

  1. Log in to the Identity Console as xelsysadm using the following URL:

    https://prov.example.com/identity

  2. Click Manage, and then click User.
  3. Click Create, and specify the user name as Rahul Dravid.
  4. Select Org as TestOrg.
  5. Set and confirm user password.
  6. Log in as Rahul Dravid.
  7. Set the challenge questions and answers.
  8. Log in to the Identity Console and verify the user name.

Creating Role

To create a role, do the following:

  1. Log in to the Identity Console as xelsysadm using the following URL:

    https://prov.example.com/identity

  2. Click Manage, and then click Roles and Access Policies > Roles.
  3. Click Create and provide the mandatory attributes (Name, Display Name) to create a Role named Coach.
  4. Click Next repeatedly until the Publish Role to Organizations page is displayed.
  5. On the Organizations page, click Add Organizations. Provide the organization name as TestOrg and click Search.
  6. Select the organization TestOrg and click Add Selected. Click Select.
  7. Click Next, and then click Finish.

Managing Sandboxes

A number of the operations below require the creation of a sandbox. A sandbox is a non-active area where things can be tried out prior to making them live.

Creating a Sandbox

You can create sandboxes either from the System Administration Console or from the Identity Console; the steps are the same. The following example creates a sandbox in the System Administration Console.

To create a sandbox:

  1. Log in to the System Administration Console as xelsysadm using the following URL:

    http://IGDADMIN.example.com/sysadmin

  2. Click Sandboxes.
  3. Click Create Sandbox.
  4. Enter the following details in the Create Sandbox window.

    Table 29-1 Properties of the Sandbox Window

    Attribute      Value
    Name           TestSandbox
    Description    Enter a description

    Select Activate Sandbox.

  5. Click Save and Close.

Publishing a Sandbox

Once you are satisfied with the changes, you publish the sandbox to make them live. To do so, perform the following steps:

  1. Log in to the System Administration Console as xelsysadm using the following URL:

    http://IGDADMIN.example.com/sysadmin

  2. Click Sandboxes.
  3. A window appears with a list of the sandboxes.
  4. Click a sandbox. For example: TestSandbox.
  5. Click Publish Sandbox to make the changes active.

Adding User Defined Field (UDF) for a User

To add a User Defined Field (UDF):

  1. Log in to the System Administration Console as xelsysadm using the following URL:

    http://IGDADMIN.example.com/sysadmin

  2. Create and activate a sandbox.
  3. Click User under System Entities.
  4. Click Create under Action.
  5. Select Text and click OK.
  6. Enter the Display Label and Name, select Searchable, and click Save and Close. You have now created a user defined field (UDF) with the name you specified.
  7. Publish the sandbox.
  8. Log in to the Identity Console as xelsysadm using the following URL:

    http://prov.example.com/identity

  9. Create and Activate Sandbox.
  10. Click on Manage to show the management menu.
  11. Open Users page, and click Create.
  12. Click Customize at the top right of the screen.
  13. Enter the details for all the attributes listed below.

    Table 29-2 User Defined Field Properties

    Attribute      Description
    First Name     Enter a first name, for example: John
    Last Name      Enter a last name, for example: Doe
    Email          Enter an email address, for example: john.doe@example.com
    Organization   Enter or search for an organization, for example: TestOrg
    User Type      Select the type of user from the drop-down list.
    User Login     Enter the user's login name, for example: JohnDoe
    Password       Enter an initial password for the user to use.

  14. Go to the Structure tab at the top left of the screen.
  15. The user entry screen is displayed. Scroll down until you see the Basic Information section. As you move down the screen, certain areas are highlighted by a box. When the entire Basic Information section is highlighted, including the title, click it. A dialog box asks you to confirm that you want to edit the task flow. Click Edit. A structure window is displayed on the right.
  16. Click PanelForm Layout.
  17. Click Add Content.
  18. Select Data Component - Catalog, and then click UserVO.
  19. Find the user defined field you created in step 6 and click Add. Select ADF Input Text w/Label. Your user defined field is now shown in the Basic Information section of the User screen.
  20. Close the Add Content Selection screen.
  21. Click Close at the top of the screen to close the editing window.
  22. Close the structure form by clicking Close on the top right corner of the Identity Console window.
  23. Publish the sandbox.
  24. Log out and log in again.
  25. Open the User Details page.
  26. Create a user name populating the user defined field that you created in step 6 and verify if it is displayed properly in the user details page.

Creating a Disconnected Application and Provision

To create a disconnected application and provision:

  1. Create a lookup by completing the following steps:

    1. Log in to the System Administration Console as xelsysadm using the following URL:

      http://igdadmin.example.com/sysadmin

    2. Go to the System Configuration tab and click Lookups.

    3. Click the Create link under the Action drop-down list.

    4. Enter the meaning as Lookup.Disc, and enter the code as Lookup.Disc.

    5. Click the Create link under the Action drop-down list.

    6. Enter the value HDD for Meaning, and HDD for Code.

    7. Repeat with the value CD for Meaning and CD for Code.

    8. Click Save.

    9. Enter the value Lookup.Disc for Meaning and Lookup.Disc for Code, and click Search.

    10. The values HDD and CD are displayed. Click OK.

  2. Create disconnected application instances by completing the following steps:

    1. Log in to the System Administration Console as xelsysadm using the following URL:

      http://igdadmin.example.com/sysadmin

    2. Click the Sandboxes link, and then click Create Sandbox.

    3. Enter the name Disc, and click Save and Close. Click OK to confirm. The sandbox is activated.

    4. Go to Provisioning Configuration, and click Application Instances.

    5. Click Create. The Create Application Instance page is displayed with the Attributes tab selected.

    6. Enter the name Disc and the description Disc, and select the Disconnected check box. Click Save. Click OK to confirm. A feedback message confirms that the application instance Disc was created successfully.

    7. On the same page, go to the Attributes tab. A form field with the name Disc has been added. Click Edit next to the Form field.

      This step opens the Manage Disc tab with its Fields subtab selected. Click the Child Objects tab, which is next to the Fields tab.

    8. Click Add, enter the name chdisc and the description chdisc, and click OK.

    9. Click chdisc. This opens another page with the Fields tab selected.

    10. Click the Create link under the Action drop-down list, select Lookup as the field type, and click OK.

    11. Enter Disc as the Display Label and Name, and select Searchable. Click Lookup Type, and then click Search or the look-up icon (magnifier icon). Enter the meaning as Lookup.Disc.

    12. Click Search. The values HDD and CD must be displayed. Click OK. The lookup is now selected, and a Default Value Label drop-down list is added. Click it, and you will see the values HDD and CD.

      If you enabled Entitlement, make sure that Searchable and Searchable Picklist are also selected. Keep the remaining settings at their default values.

    13. Click Save and Close.

    14. Click Back to Parent Object, and then click Regenerate view.

    15. Enable Parent Form + Child Tables (Master/Detail), keep the default setting. Click OK.

    16. Go to the Application Instance tab. Search for the application instance Disc.

    17. Click Refresh, and click Apply on the Disc form.

    18. Go to System Configuration > Scheduler in the left navigation pane.

    19. Enter the value Ent* in the Search Scheduled Jobs field, and click Search or Go.

    20. The results are displayed. Click the Entitlement List job name.

    21. Click Run Now. A confirmation message states that the job is running.

    22. Click Refresh. Verify that the execution status is successful. Close the window.

    23. Go to the application instance's Entitlement tab. Two entitlements are displayed: HDD and CD. Select either of the two and click Assign + in the window below.

    24. Search for the organization name by entering the value Top, and click Search.

    25. The Top organization is displayed. Select that row (organization), and click Add Selected. The selected organization is added.

    26. Select Apply to Entitlement, and click Select. The selected organization is added.

    27. Click Assign.

    28. Repeat steps x, y, z, and aa for the CD row.

    29. Search for the organization name TestOrg, and click Search.

    30. The TestOrg organization is displayed. Select that row (organization), and click Add Selected.

    31. The selected organization is added. Select Apply to Entitlement and click Select. The selected organization is added.

    32. Go to the application instance's Attributes tab. Click Apply. A message states that the application instance Disc was modified successfully.

    33. Click Sandboxes.

    34. Select the same sandbox, Disc, and click Export Sandbox. The export generates the file sandbox_disc.zip. Click OK. The zip file is saved.

    35. After the export has completed successfully, click Publish Sandbox. Click Yes to confirm.

    36. After you publish, the sandbox is listed under the Published Sandboxes link.

  3. Provision the disconnected application instances and entitlements to user by completing the following steps:

    1. Log in to the Identity Console as xelsysadm using the following URL:

      https://prov.example.com/identity

    2. Click Manage and then click Users.

    3. Search for the user name Rahul Dravid, and click Search.

    4. The user Rahul Dravid is displayed. Click on that user link. User details are displayed.

    5. Go to the Accounts tab, and then click Request Account. The account access request page is displayed. Enable Add Access, and go to the Catalog tab. All available application instances are displayed.

    6. Click Add to Cart for the Disc disconnected application instance, and click Next. The cart details page is displayed.

    7. Click the pen icon in the Request Details pane.

    8. Enter the account login name as Rahul Dravid_123, and the password as <password>. Click Update.

    9. Click Submit. The request is generated with the message "Request for access completed successfully".

    10. Go to the Self Service tab. Click Provisioning Task, and then go to the Manual Fulfillment tab. The Manual Fulfillment page is displayed.

    11. Click on that request. Request details are displayed. Verify the data. Click Complete, and then click Refresh.

    12. Go to the Manage tab, and then to the User tab. Open the same user Rahul Dravid.

    13. Go to the Account tab. Click Refresh. Verify that the account status is Provisioned.

    14. Select the same account name Rahul Dravid_123, and click Request Entitlement button. Entitlement Access request page is displayed. Enable Add Access and go to the Catalog tab.

    15. Click Add to cart for entitlement HDD. Click Next.

    16. Click Submit. Request will be generated with a message "Request for access completed successfully".

    17. Go to the Self Service tab. Click Provisioning Task, and go to the Manual Fulfillment tab. The Manual Fulfillment page is displayed.

    18. Click on that request. Request details are displayed. Verify the data. Click Complete, and then click Refresh.

    19. Go to the Manage tab, and then to the User tab. Open the details of the same user - Rahul Dravid.

    20. Go to the Entitlement tab. Click Refresh. Verify that the Entitlement status is Provisioned.

Importing and Configuring DB User Management

To import and configure database user management:

  1. Download the latest Database User Management Connector from the Oracle Identity Manager Connector Downloads page on Oracle Technology Network (OTN).
  2. Log in to the System Administration Console as the xelsysadm user using the following URL:

    http://igdadmin.example.com/sysadmin

  3. Go to the System Configuration tab and click Import.
  4. Select the file DBUserManagement-Oracle-ConnectorConfig.xml. Sample location: D:\DBUM-12.2.1.4.0\xml
  5. Click Open.
  6. Click Next. You can either provide the ITResource details now or later. To provide them later, click Next.
  7. Click Selected Entities to view the selections, and click Import. Once the import has completed successfully, click OK.
  8. Copy the third party jars of target systems to the IGD_ORACLE_HOME/idm/server/ConnectorDefaultDirectory/targetsystems-lib/DBUM-12.2.1.4.0 directory.

    Note:

    If the target is Oracle database, no driver jar is needed.

  9. To configure a trusted source reconciliation, create and configure a new IT resource. For example, Oracle DB Trusted of type Oracle DBUM.
  10. In the Configuration Lookup, update the trusted configuration lookup name as Lookup.DBUM.Oracle.Configuration.Trusted. This configures the ITResource for the target system.
  11. Either create the ITResource and provide the following details, or open the existing ITResource Oracle DB and verify the details specified below:

    ITResource Details:

    Configuration Lookup = Lookup.DBUM.Oracle.Configuration

    Connector Server Name =

    Connection Properties = Specify the connection properties for the target system database.

    Database Name = This field identifies the database type (such as Oracle or MSSQL) and is used for loading the respective scripts. Sample value: Oracle

    JDBC Driver = oracle.jdbc.driver.OracleDriver

    JDBC URL = For Oracle: jdbc:oracle:thin:@host:port:sid

    Login Password = Enter the password for the user name of the target system account to be used for connector operations.

    Login User = sys as sysdba

Creating an Access Policy and Provision

To create an access policy and provision:

  1. Log in to the Identity Console as xelsysadm using the following URL: https://prov.example.com/identity.
  2. Click Manage.
  3. Click Roles and Access Policies -> Roles.
  4. Create a Role named DBUMRole.
  5. Click Home tab to select the main management options.
  6. Click Users.
  7. Click Create.
  8. Create a user named Jean Wilson.
  9. Click Home tab.
  10. Click Roles and Access Policies -> Roles.
  11. Select the Role DBUMRole.
  12. The role page is displayed. Click Members.
  13. Click Add.
  14. In the Add Members dialog box, search for the user Jean Wilson.
  15. Click the user Jean Wilson.
  16. Click Add Selected.
  17. Click Apply.
  18. Create another user named Patrick Morgan and assign the user the role DBUMRole.
  19. Click Manage and click the Home tab.
  20. Open the user details page of Jean Wilson and click Accounts tab. DBUM Account should be in Provisioned state.
  21. Go to the Entitlements tab and verify all child data added are displayed.
  22. Repeat the previous two steps for user Patrick Morgan.

Creating End User Request for Accounts, Entitlements, and Roles

To create an end user request for roles, do the following:

  1. Create a user Arthur Hill.

  2. Log in as Arthur Hill and open My Access page, and then Roles.

  3. Click Request and in catalog, add DBUMRole to cart.

  4. Submit request.

  5. Log in as administrator and open Pending Approvals.

  6. Open the request and approve.

  7. As Arthur Hill, verify that the role is assigned successfully.

To create an end user request for accounts, do the following:

  1. Create a user Bruce Parker.

  2. Log in as Bruce Parker and open My Access page, and then Roles.

  3. Click Request.

  4. From the Catalog, select the DBUM App and add to cart.

  5. Click Next and click Submit to submit the request.

  6. Log in as administrator and open Inbox.

  7. Open the request, verify the details, and approve request.

  8. As Bruce Parker, verify that the Account is provisioned successfully.

To create an end user request for entitlements, do the following:

  1. Log in as Jean Wilson.
  2. Open the My Access page and go to the Accounts tab.
  3. Select the DBUM app, and click Request Entitlements under Action.
  4. Add any entitlement to cart and submit request.
  5. Log in as administrator and open Inbox.
  6. Open the request and approve.
  7. As Jean Wilson, verify that the entitlement is provisioned successfully.

Resetting Account Password

To reset the account password:

  1. Log in to the Identity Console as Jean Wilson.
  2. Click My Access and go to the Accounts tab.
  3. Select SSOTarget and click Reset Password in Action.
  4. Provide a new password and submit.
  5. Log out and re-login as xelsysadm.
  6. Click Manage and then click Users.
  7. Search for Jean Wilson and open the user details page.
  8. Go to the Accounts tab and select DBUM App.
  9. Click Resource History under Action and check if the Password Updated task is triggered and is in Completed status.

Creating a Certification and Approving

Complete the following prerequisites to create a certification and approve:

  1. Log in to Identity Console as xelsysadm.

  2. Launch the System Administration Console.

  3. Go to the System Configuration tab and click Configuration Properties.

  4. Look for the following system properties:

    Property name = Identity Auditor Feature Set Availability

    Keyword = OIG.IsIdentityAuditorEnabled

    Value = TRUE

  5. Save the setting.

  6. Restart the OIM server to see the Compliance tab in Identity Console.

To create a certification and approve:

  1. Log in to the Identity Console as xelsysadm.
  2. Go to compliance, Identity Certification, and then Definitions.
  3. Create a user type certification with the following information:
    • General Details page: Enter the name = UserCertification, Type = user; enter a description and click Next.

    • Base Selection page: Select only Users from Selected Organization and add the organization TestOrg. The added organization is displayed. Select Users with Any Level of Risk as the Risk Level, and click Next.

    • Content selection page: Keep the default values, and click Next.

    • Configuration page: Keep the default and click Next.

    • Select the reviewer by searching for a user, for example, MSDhoni, and click Next.

    • Disable Incremental, and click Next.

    • Summary page: Click Create, and click Yes to confirm. Certification is created successfully.

  4. Log in to the System Administration Console as xelsysadm.
  5. Click Scheduler.
  6. Search for a certification cert_UserCertification. Verify that the job is run successfully.
  7. Log in to the Identity Console as xelsysadm, and log out.
  8. Log in to the Identity Console as a reviewer (MSDhoni).
  9. Go to Self service, and click Certification.
  10. Open the same certification UserCertification [ MSDhoni ].
  11. Certification details are displayed. You will see the user "Rahul Dravid".
  12. Select user Rahul Dravid.
  13. Verify, Role - Coach, Account - Disc, Entitlement - HDD.
  14. Select all rows, and take the Complete action. A sign-off pop-up should be displayed.
  15. Enter the password (username = MSDhoni ; Password = <password>). Click OK. The certification is completed successfully. It should now be reflected in your Inbox.
  16. Log in to the Identity Console as MSDhoni or xelsysadm.
  17. Go to Compliance, Identity Certification, and then Dashboard. The dashboard details are displayed.
  18. Select Completed from the Show Label. This displays all of the completed certifications.

Creating Identity Audit Scan Definitions and Viewing its Results

Complete the following prerequisites to create identity audit scan definitions:

  1. Log in to the Identity Console as xelsysadm.

  2. Launch the System Administration Console.

  3. Go to the System Configuration tab, and click Configuration Properties.

  4. Look for the following system properties:

    Property name = Identity Auditor Feature Set Availability

    Keyword = OIG.IsIdentityAuditorEnabled

    Value = TRUE

  5. Save the setting.

  6. Restart the OIM server to see the Compliance tab in the Identity Console.

To create a rule:

  1. Log in to the Identity Console as xelsysadm.

  2. Click Compliance, and then click Identity Audit.

  3. Select Rules, and click Create.

  4. Create an identity rule named Identity Rule 1 using the condition builder with the following condition:

    user.Display Name; Equals ; Rahul Dravid

  5. Click Create. The rule is created.

To create a policy:

  1. Log in to the Identity Console as xelsysadm.

  2. Click Compliance and then click Identity Audit.

  3. Click Policies, and click Create.

  4. Create a policy Identity Policy 1 by adding the rule Identity Rule 1.

  5. Click Create.

To create scan definition:

  1. Log in to the Identity Console as xelsysadm using the following URL:

    https://prov.example.com/identity

  2. Click Compliance and then click Identity Audit.

  3. Click Scan definitions, and then click Create.

  4. Create a scan definition Identity Scan 1 by adding the policy Identity Policy 1.

  5. On the Base selection page, select all users.

  6. On the Configuration page, keep the default values.

  7. On the Summary page, click Finish. Scan definition is added successfully.

  8. Run the scan definition by selecting Identity Scan 1, and clicking Run now. Verify that the scan definition is run successfully.

  9. Preview the scan definition result by doing the following:

    1. After you run the scan definition, select the scan definition row or record Identity Scan 1.

    2. Click View Scan. The scan definition results are displayed.

Testing Identity Audit

Complete the following steps to enable audit feature in Oracle Identity Manager:

  1. Log in to the System Administration Console.
  2. Click System Properties under System Configuration.
  3. Search for the property OIG.IsIdentityAuditorEnabled and update the property value to TRUE.
  4. Restart the Oracle Identity Manager Managed Server for the change to take effect.
  5. Log in to the Identity Console as xelsysadm using the following URL:

    https://prov.example.com/identity

  6. Click Compliance and then click Reports.

    Verify that the Reports page is opened successfully.

Sanity Checks for Oracle Advanced Authentication

Learn about the sanity checks applicable to Oracle Advanced Authentication (OAA).

To verify that Oracle Advanced Authentication is working, you:

  1. Create an HTTP test page.
  2. Create an OAA test user.
  3. Protect the test page with OAA.

When you access the test page, you are prompted to log in and are redirected to OAA, and then you are asked to key in the one-time pin sent to you by email. The test page is displayed after you enter the pin.

The following sections explain each of the above steps in detail:

Creating a Test Page

To create a test page:
  1. Create a file called test_page.html with the following content:
    <!DOCTYPE html>
    <html>
    <body>
    
    <h1>This is a Test Page</h1>
    
    </body>
    </html>
  2. Copy the file to the htdocs folder on the Oracle HTTP Server. For example: /u02/private/oracle/config/domains/ohsDomain/config/fmwconfig/components/OHS/ohs1/htdocs.

Creating an OAA Test User

To create an OAA test user:

  1. Create a file called test_user.ldif with the following content:
    dn: cn=<OAA_USER>,<LDAP_USER_SEARCHBASE>
    changetype: add
    objectClass: orclUserV2
    objectClass: oblixorgperson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: oblixPersonPwdPolicy
    objectClass: orclAppIDUser
    objectClass: orclUser
    objectClass: orclIDXPerson
    objectClass: top
    objectClass: OIMPersonPwdPolicy
    givenName: <OAA_USER>
    uid: <OAA_USER>
    orclIsEnabled: ENABLED
    sn: <OAA_USER>
    userPassword: <OAA_USER_PWD>
    mail: <OAA_USER_EMAIL>
    orclSAMAccountName: <OAA_USER>
    cn: <OAA_USER>
    postalCode: <OAA_USER_POSTCODE>
    obpasswordchangeflag: false
    ds-pwp-password-policy-dn: cn=FAPolicy,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,<LDAP_SEARCHBASE>
    
    dn: cn=<OAA_USER_GROUP>,<LDAP_GROUP_SEARCHBASE>
    changetype: modify
    add: uniqueMember
    uniqueMember: cn=<OAA_USER>,<LDAP_USER_SEARCHBASE>

    Table 29-3 Attributes and Their Descriptions

    Attribute               Description
    OAA_USER                The name of the user you want to create. For example: oaauser.
    LDAP_USER_SEARCHBASE    The location in LDAP where the user entries are stored. For example: cn=Users,dc=example,dc=com.
    OAA_USER_PWD            The password you want to assign to the user.
    OAA_USER_EMAIL          A valid email address where you want the one-time pins to be sent.
    OAA_USER_POSTCODE       An entry for the post code. This is required if you want to validate the authentication through the Oracle Mobile Authenticator.
    OAA_USER_GROUP          The LDAP group you created for the OAA users. For example: OAA-App-User. See Creating Users and Groups in LDAP.
    LDAP_GROUP_SEARCHBASE   The location in your directory where user groups are stored. For example: cn=Groups,dc=example,dc=com.

  2. Copy the file to your LDAP server. For example:
    kubectl cp test_user.ldif oudns/edg-oud-ds-rs-0:/u01/oracle/config-input
  3. Load the LDIF file into the LDAP directory:
    /u01/oracle/oud/bin/ldapmodify -h <OUD_POD_PREFIX>-oud-ds-rs-lbr-ldap.<OUDNS>.svc.cluster.local -p 1389 -D <LDAP_ADMIN_USER> -w <LDAP_ADMIN_PWD> -f /u01/oracle/config-input/test_user.ldif
    For example:
    /u01/oracle/oud/bin/ldapmodify -h edg-oud-ds-rs-lbr-ldap.oudns.svc.cluster.local -p 1389 -D cn=oudadmin -w <password> -f /u01/oracle/config-input/test_user.ldif
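Before loading test_user.ldif, it helps to render the placeholders from variables and check the result. The following script is an added example and is not part of the Oracle guide: it substitutes the placeholders in the template above, fails if any <PLACEHOLDER> is left over (which would otherwise make ldapmodify reject the entry or create a user literally named <OAA_USER>), checks that the group modification references the DN of the new user, and wraps the ldapmodify command from step 3. The search bases, user name and other values in the sample run are constructed.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: render test_user.ldif from variables
# and sanity-check it before ldapmodify loads it. All sample values are constructed.

# The template from the guide, placeholders kept as-is.
OAA_LDIF_TEMPLATE='dn: cn=<OAA_USER>,<LDAP_USER_SEARCHBASE>
changetype: add
objectClass: orclUserV2
objectClass: oblixorgperson
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: oblixPersonPwdPolicy
objectClass: orclAppIDUser
objectClass: orclUser
objectClass: orclIDXPerson
objectClass: top
objectClass: OIMPersonPwdPolicy
givenName: <OAA_USER>
uid: <OAA_USER>
orclIsEnabled: ENABLED
sn: <OAA_USER>
userPassword: <OAA_USER_PWD>
mail: <OAA_USER_EMAIL>
orclSAMAccountName: <OAA_USER>
cn: <OAA_USER>
postalCode: <OAA_USER_POSTCODE>
obpasswordchangeflag: false
ds-pwp-password-policy-dn: cn=FAPolicy,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,<LDAP_SEARCHBASE>

dn: cn=<OAA_USER_GROUP>,<LDAP_GROUP_SEARCHBASE>
changetype: modify
add: uniqueMember
uniqueMember: cn=<OAA_USER>,<LDAP_USER_SEARCHBASE>'

# Escape a value for the right-hand side of a sed "s#...#...#" command
# (backslash, "&" and the "#" delimiter are special there).
sed_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/[&#]/\\&/g'; }

# render_ldif USER PWD EMAIL POSTCODE GROUP USER_SEARCHBASE GROUP_SEARCHBASE LDAP_SEARCHBASE
# Prints the template with all eight placeholders substituted.
render_ldif() {
    printf '%s\n' "$OAA_LDIF_TEMPLATE" | sed \
        -e "s#<OAA_USER>#$(sed_escape "$1")#g" \
        -e "s#<OAA_USER_PWD>#$(sed_escape "$2")#g" \
        -e "s#<OAA_USER_EMAIL>#$(sed_escape "$3")#g" \
        -e "s#<OAA_USER_POSTCODE>#$(sed_escape "$4")#g" \
        -e "s#<OAA_USER_GROUP>#$(sed_escape "$5")#g" \
        -e "s#<LDAP_USER_SEARCHBASE>#$(sed_escape "$6")#g" \
        -e "s#<LDAP_GROUP_SEARCHBASE>#$(sed_escape "$7")#g" \
        -e "s#<LDAP_SEARCHBASE>#$(sed_escape "$8")#g"
}

# Return 0 only when no <PLACEHOLDER> token is left anywhere in the file.
no_placeholders_left() { ! grep -q '<[A-Z_][A-Z_]*>' "$1"; }

# ldif_value FILE ATTR: value of the first ATTR line ("uid: oaauser" -> "oaauser").
ldif_value() { sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1; }

# The group modification must reference exactly the DN of the entry being added,
# otherwise the user is created but never becomes a member of the OAA group.
group_member_matches_user() {
    [ "$(ldif_value "$1" uniqueMember)" = "$(ldif_value "$1" dn)" ]
}

# Step 3 of the guide, wrapped: load_ldif HOST PORT BIND_DN BIND_PWD FILE
load_ldif() {
    /u01/oracle/oud/bin/ldapmodify -h "$1" -p "$2" -D "$3" -w "$4" -f "$5"
}

# Sample run with constructed values (nothing is sent to a directory here).
RENDERED=$(mktemp); RAW=$(mktemp)
trap 'rm -f "$RENDERED" "$RAW"' EXIT
printf '%s\n' "$OAA_LDIF_TEMPLATE" > "$RAW"
render_ldif oaauser 'Constructed-Pwd-1' oaauser@example.com 'AB1 2CD' OAA-App-User \
    'cn=Users,dc=example,dc=com' 'cn=Groups,dc=example,dc=com' 'dc=example,dc=com' > "$RENDERED"
if no_placeholders_left "$RENDERED" && group_member_matches_user "$RENDERED"; then
    echo "rendered LDIF is consistent: $(ldif_value "$RENDERED" dn)"
else
    echo "rendered LDIF still has placeholders or a mismatched group member"
fi
```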
    

Creating a Protection Policy for the Test Page

To create an OAM protection policy for your test page:
  1. Log in to the OAM Administration Console using the URL http://iadadmin.example.com/oamconsole.
  2. In the Access Manager section of the launch screen, click Application Domains.
  3. Click Search, and then click IAM Suite.
  4. Click the Resources tab.
  5. On the Resources screen, click Create and enter the following information:
    • Type : http
    • Resource URL: /test_page.html
    • Protection Level: Protected
    • Authentication Policy: OAA_MFA-Policy
    • Authorization Policy: Protected Resource Policy
  6. Click Apply.

Validate that OAA is working by accessing the test page at https://login.example.com/test_page.html.