16 Configuring Oracle Access Management
To extend the enterprise deployment domain with Oracle Access Management, you install Oracle Identity and Access Management, extend the domain for Oracle Access Management, and complete the post-configuration and verification tasks. This chapter describes each of those tasks.
- Variables Used in This Chapter
  This topic lists the variables used in this chapter.
- Configuring and Integrating with LDAP
- Updating WebGate Agents
- Updating Host Identifiers
- Adding Missing Policies to OAM
  If any policies are missing, you have to add them to ensure that Oracle Access Manager functions correctly.
- Updating Federation Service Details
  Now that Oracle Access Management (OAM) is configured, you must update the Federation services so that Federation is accessed through the load balancer URL.
- Updating Idle Timeout Value
- Validating the Authentication Providers
- Configuring Oracle ADF and OPSS Security with Oracle Access Manager
  Some Oracle Fusion Middleware management consoles use Oracle Application Development Framework (Oracle ADF) security, which can integrate with Oracle Access Manager Single Sign-on (SSO). These applications can take advantage of Oracle Platform Security Services (OPSS) SSO for user authentication, but you must first configure the domain-level jps-config.xml file to enable these capabilities.
- Starting the Managed Servers in the Domain
  Start the Managed Servers in the order given in that section.
- Validating Access Manager
- Enabling Forgotten Password
- Backing Up the Configuration
  It is an Oracle best practices recommendation to create a backup after you successfully extend a domain or at another logical point. Create a backup after you verify that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps.
Parent topic: Configuring the Enterprise Deployment
Variables Used in This Chapter
This topic lists the variables used in this chapter.
Variables
- PRIMARY_OAM_SERVERS
- WEBGATE_TYPE
- ACCESS_GATE_ID
- OAM11G_OIM_WEBGATE_PASSWD
- COOKIE_DOMAIN
- COOKIE_EXPIRY_INTERVAL
- OAM11G_WG_DENY_ON_NOT_PROTECTED
- OAM11G_IDM_DOMAIN_OHS_HOST
- OAM11G_IDM_DOMAIN_OHS_PORT
- OAM11G_IDM_DOMAIN_OHS_PROTOCOL
- OAM11G_SERVER_LBR_HOST
- OAM11G_SERVER_LBR_PORT
- OAM11G_SERVER_LBR_PROTOCOL
- OAM11G_OAM_SERVER_TRANSPORT_MODE
- OAM_TRANSFER_MODE
- OAM11G_SSO_ONLY_FLAG
- OAM11G_IMPERSONATION_FLAG
- OAM11G_IDM_DOMAIN_LOGOUT_URLS
- OAM11G_OIM_INTEGRATION_REQ
- OAM11G_OIM_OHS_URL
- IDSTORE_PWD_OAMSOFTWAREUSER
- IDSTORE_PWD_OAMADMINUSER
- OAM11G_WLS_ADMIN_PASSWD
- IAD_MSERVER_HOME
- IAD_ASERVER_HOME
- WLS_AMA
- WebGate_IDM
- COMMON_IDM_PASSWORD
- WLS_OAM1
- WLS_AMA1
- WLS_OAM2
- WLS_AMA2
- JAVA_HOME
- OAM_PROXY_PORT
- IAD_HTTP_PORT
- IAD_ORACLE_HOME
Parent topic: Configuring Oracle Access Management
Configuring and Integrating with LDAP
This section describes how to configure and integrate Oracle Access Manager with LDAP.
This section contains the following topics:
- Setting a Global Passphrase
- Obtaining the Default Global Passphrase
- Configuring Access Manager to Use the LDAP Directory
- Adding WebGate Load Balancer Details
- Adding LDAP Groups to WebLogic Administrators
Parent topic: Configuring Oracle Access Management
Setting a Global Passphrase
By default, Oracle Access Manager is configured to use the open security model. If you plan to change this mode using idmConfigTool, you must know the global passphrase. By default, Oracle creates a global passphrase for you. You can override this value, if required.
Note:
If you are using the latest 12c WebGate functionality by using OAP over REST calls, it is not important to change the security mode because REST calls do not use the OAP transport mode.
To set a global passphrase:
Parent topic: Configuring and Integrating with LDAP
Obtaining the Default Global Passphrase
Parent topic: Configuring and Integrating with LDAP
Configuring Access Manager to Use the LDAP Directory
After completing the initial installation and setting the security model, you have to associate Oracle Access Manager with the LDAP directory. You can use Oracle Unified Directory (OUD) as the LDAP directory.
To associate Access Manager and the LDAP directory, perform the following tasks:
- Creating a Configuration File
- Integrating Access Manager and LDAP Using the idmConfigTool
- Validating the OAM LDAP Configuration
Parent topic: Configuring and Integrating with LDAP
Creating a Configuration File
Configuring Oracle Access Management to use LDAP requires running the idmConfigTool utility. Therefore, you must create a configuration file called oam.props to use during the configuration. The contents of this file are the same as the configuration file created in Creating a Configuration File, with the following additions:
#IDSTORE PROPERTIES
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_NEW_SETUP: true
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_WLSADMINUSER: weblogic_iam
IDSTORE_WLSADMINGROUP: WLSAdministrators
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
# OAM Properties
OAM11G_IDSTORE_NAME: OAMIDSTORE
PRIMARY_OAM_SERVERS: OAMHOST1.example.com:5575,OAMHOST2.example.com:5575
WEBGATE_TYPE: ohsWebgate12c
ACCESS_GATE_ID: Webgate_IDM
OAM11G_OIM_WEBGATE_PASSWD: Password
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM11G_IDM_DOMAIN_OHS_HOST: login.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_SERVER_LBR_HOST: login.example.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSFER_MODE: open
OAM_TRANSFER_MODE: open
OAM11G_SSO_ONLY_FLAG: false
OAM11G_IMPERSONATION_FLAG: false
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_OIM_INTEGRATION_REQ: false
OAM11G_OIM_OHS_URL: https://prov.example.com:443/
# WebLogic Properties
WLSHOST: IADADMINVHN.example.com
WLSPORT: 7001
WLSADMIN: weblogic
OAM Property Descriptions:
- OAM11G_IDSTORE_NAME is the name you wish to assign to the ID store in OAM. This is an optional parameter.
- PRIMARY_OAM_SERVERS is a comma-separated list of all of the OAM managed servers that are in the deployment. The format of each entry is Server Running the OAM Managed Server:OAM Proxy Port. Note that the proxy port used is not the OAM managed server listen port. The OAM Proxy port can be found in the worksheet (OAM_PROXY_PORT).
- WEBGATE_TYPE is the type of webgate profile to create. This should always be ohsWebgate12c.
- ACCESS_GATE_ID is the name of the Webgate Agent to create.
- OAM11G_OIM_WEBGATE_PASSWD is the password you wish to assign to the webgate agent you will be creating.
- COOKIE_DOMAIN is the domain you wish to associate the OAM cookie with. This is normally the same as the IDSTORE_SEARCH_BASE in domain format. The search base can be found in the worksheet (REALM_DN).
- COOKIE_EXPIRY_INTERVAL is the amount of time before a cookie expires.
- OAM11G_WG_DENY_ON_NOT_PROTECTED should always be set to true. It ensures that any attempt to access a resource not explicitly stated in the OAM Resource list is rejected.
- OAM11G_IDM_DOMAIN_OHS_HOST is the name of the Oracle HTTP Server (OHS) server which fronts the IAMAccessDomain. In the case of an enterprise deployment, this is the load balancer name.
- OAM11G_IDM_DOMAIN_OHS_PORT is the port on which the OHS server fronting the IAMAccessDomain listens. In the case of an Enterprise Deployment, this is the load balancer port. This is the IAD_HTTPS_PORT in the worksheet.
- OAM11G_IDM_DOMAIN_OHS_PROTOCOL determines which protocol is used when accessing the OHS server fronting the IAMAccessDomain. In the case of an Enterprise Deployment, this is the load balancer protocol. In the Enterprise Deployment Blueprint, SSL is terminated at the load balancer, but the URL always has the HTTPS prefix, so this value should be set to https.
- OAM11G_SERVER_LBR_HOST is the name of the virtual host configured on the load balancer for logging in. This is usually the same as OAM11G_IDM_DOMAIN_OHS_HOST.
- OAM11G_SERVER_LBR_PORT is the port of the virtual host configured on the load balancer for logging in. This is usually the same as OAM11G_IDM_DOMAIN_OHS_PORT.
- OAM11G_SERVER_LBR_PROTOCOL is the protocol of the virtual host configured on the load balancer for logging in. This is usually the same as OAM11G_IDM_DOMAIN_OHS_PROTOCOL.
- OAM11G_OAM_SERVER_TRANSPORT_MODE is the type of OAM security transport to be used. This should be Simple for all platforms, except for AIX where it should be Open. You can specify cert if extra security is required. If you wish to use cert, refer to the Oracle Access Manager documentation for how to configure this.
- OAM_TRANSFER_MODE is the type of OAM security transport to be used. This should be the same as OAM11G_OAM_SERVER_TRANSPORT_MODE.
- OAM11G_SSO_ONLY_FLAG is used to determine whether authentication mode is going to be used. For Enterprise Deployments this should be set to false.
- OAM11G_IMPERSONATION_FLAG determines whether OAM is configured for impersonation. Impersonation is typically used in help desk type applications where a support user "impersonates" an actual user for the purposes of providing support.
- OAM11G_IDM_DOMAIN_LOGOUT_URLS is a list of URLs that various products can invoke for the purposes of logging out.
- OAM11G_OIM_INTEGRATION_REQ: If you intend Oracle Identity Governance to handle forgotten password functionality, then this parameter should be set to true. If you are using the new OAM forgotten password functionality, then this value should be set to false.
- OAM11G_OIM_OHS_URL: If you plan to use OIM for Forgotten Password functionality, then you need to specify the external entry point for OIG. This is the OIG URL to which OAM directs the requests. This URL is made up of the following values from the worksheet: https://prov.example.com:IAG_HTTPS_PORT/
- WLSHOST is the Admin Server listen address. For OAM configuration, this is IADADMINVHN.example.com.
- WLSPORT is the Admin Server listen port. This is the IAD_WLS_PORT in the worksheet.
- WLSADMIN is the user used to connect to the Admin Server.
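Because idmConfigTool is run with the OAM managed servers shut down and changes the security model in one pass, it is worth sanity-checking oam.props before running it. The script below is an added example (not Oracle's code) that parses the "KEY: value" format and applies the rules from the property descriptions above: each PRIMARY_OAM_SERVERS entry is host:port, WEBGATE_TYPE is ohsWebgate12c, OAM11G_WG_DENY_ON_NOT_PROTECTED is true, OAM11G_SSO_ONLY_FLAG is false, both protocols are https, OAM_TRANSFER_MODE matches the server transport mode, and an https OIG entry point is present when OIM integration is requested. The embedded sample file is constructed from the chapter's example values; the required-key list is the example's own choice, not a rule stated by the tool.

```python
"""Sanity-check an idmConfigTool oam.props file before running the tool.

Added example, not Oracle's code. The sample below is constructed from
the chapter's example values.
"""
import re

SAMPLE_OAM_PROPS = """\
#IDSTORE PROPERTIES
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_DIRECTORYTYPE: OUD
# OAM Properties
OAM11G_IDSTORE_NAME: OAMIDSTORE
PRIMARY_OAM_SERVERS: OAMHOST1.example.com:5575,OAMHOST2.example.com:5575
WEBGATE_TYPE: ohsWebgate12c
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM11G_IDM_DOMAIN_OHS_HOST: login.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_SERVER_LBR_HOST: login.example.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSFER_MODE: open
OAM_TRANSFER_MODE: open
OAM11G_SSO_ONLY_FLAG: false
OAM11G_IMPERSONATION_FLAG: false
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_OIM_INTEGRATION_REQ: false
OAM11G_OIM_OHS_URL: https://prov.example.com:443/
WLSHOST: IADADMINVHN.example.com
WLSPORT: 7001
WLSADMIN: weblogic
"""

HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")

# Keys this example insists on; chosen for the checks below, not a tool rule.
REQUIRED = ["PRIMARY_OAM_SERVERS", "WEBGATE_TYPE", "ACCESS_GATE_ID", "COOKIE_DOMAIN",
            "OAM11G_WG_DENY_ON_NOT_PROTECTED", "OAM11G_IDM_DOMAIN_OHS_HOST",
            "OAM11G_IDM_DOMAIN_OHS_PORT", "OAM11G_IDM_DOMAIN_OHS_PROTOCOL",
            "OAM_TRANSFER_MODE", "OAM11G_SSO_ONLY_FLAG", "OAM11G_OIM_INTEGRATION_REQ",
            "WLSHOST", "WLSPORT", "WLSADMIN"]


def parse_props(text):
    """Parse 'KEY: value' lines; lines starting with '#' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def check_oam_props(props):
    """Return a list of findings; an empty list means the file passes."""
    findings = [f"missing {k}" for k in REQUIRED if k not in props]
    # Each primary server is host:port, where port is the OAM proxy port.
    for entry in props.get("PRIMARY_OAM_SERVERS", "").split(","):
        if not HOSTPORT.match(entry.strip()):
            findings.append(f"PRIMARY_OAM_SERVERS entry not host:port: {entry!r}")
    if props.get("WEBGATE_TYPE") != "ohsWebgate12c":
        findings.append("WEBGATE_TYPE should be ohsWebgate12c")
    if props.get("OAM11G_WG_DENY_ON_NOT_PROTECTED", "").lower() != "true":
        findings.append("OAM11G_WG_DENY_ON_NOT_PROTECTED should be true "
                        "(unlisted resources must be rejected)")
    if props.get("OAM11G_SSO_ONLY_FLAG", "").lower() != "false":
        findings.append("OAM11G_SSO_ONLY_FLAG should be false")
    # The chapter spells the server-side key TRANSFER_MODE in the sample file
    # and TRANSPORT_MODE in the descriptions; accept either when comparing.
    server_mode = (props.get("OAM11G_OAM_SERVER_TRANSFER_MODE")
                   or props.get("OAM11G_OAM_SERVER_TRANSPORT_MODE"))
    if server_mode is None:
        findings.append("missing OAM11G_OAM_SERVER_TRANSFER_MODE")
    elif server_mode.lower() != props.get("OAM_TRANSFER_MODE", "").lower():
        findings.append("OAM_TRANSFER_MODE must match the OAM server transport mode")
    # SSL is terminated at the load balancer, but the published URL is https.
    for key in ("OAM11G_IDM_DOMAIN_OHS_PROTOCOL", "OAM11G_SERVER_LBR_PROTOCOL"):
        if props.get(key, "").lower() != "https":
            findings.append(f"{key} should be https")
    for url in filter(None, props.get("OAM11G_IDM_DOMAIN_LOGOUT_URLS", "").split(",")):
        if not url.startswith("/"):
            findings.append(f"logout URL is not a path: {url!r}")
    if (props.get("OAM11G_OIM_INTEGRATION_REQ", "").lower() == "true"
            and not props.get("OAM11G_OIM_OHS_URL", "").startswith("https://")):
        findings.append("OAM11G_OIM_OHS_URL must be the external https OIG entry point")
    return findings


if __name__ == "__main__":
    for line in check_oam_props(parse_props(SAMPLE_OAM_PROPS)) or ["oam.props OK"]:
        print(line)
```

Run it against your own file with `check_oam_props(parse_props(open("oam.props").read()))`; any non-empty result is worth fixing before the tool rewrites the OAM security model.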
Parent topic: Configuring Access Manager to Use the LDAP Directory
Integrating Access Manager and LDAP Using the idmConfigTool
This section describes how to integrate Oracle Access Manager and LDAP using the idmConfigTool.
Note:
Before running the idmConfigTool, ensure that the WLS_OAM1 and WLS_OAM2 Managed Servers are shut down.
Perform the following tasks on OAMHOST1:
Parent topic: Configuring Access Manager to Use the LDAP Directory
Validating the OAM LDAP Configuration
To validate that this has completed correctly:
Parent topic: Configuring Access Manager to Use the LDAP Directory
Adding WebGate Load Balancer Details
In Oracle 12c, Oracle Webgate communicates with Oracle Access Manager 12c using REST API calls rather than the traditional OAP calls. After running the idmConfigTool, you must manually update the WebGate Traffic Load Balancer details.
To update the details:
Parent topic: Configuring and Integrating with LDAP
Adding LDAP Groups to WebLogic Administrators
Oracle Access Manager requires access to the MBeans stored within the Administration Server. To enable the LDAP users to log in to the WebLogic Console and Fusion Middleware Control, you must assign them the WebLogic administration rights. For Oracle Access Manager to invoke these Mbeans, users in the OAMAdministrators group must have the WebLogic administration rights.
When you implement single sign-on, you have to provide the LDAP group IDM administrators with the WebLogic administration rights to help them log in and perform the WebLogic administrative actions.
Using the WebLogic Console
To add the LDAP Groups OAMAdministrators and WLSAdministrators to the WebLogic Administrators:
- Log in to the WebLogic Administration Server Console as the default administrative user. For example, weblogic.
- In the left pane of the console, click Security Realms.
- On the Summary of Security Realms page, click myrealm under the Realms table.
- On the Settings page for myrealm, click the Roles & Policies tab.
- On the Realm Roles page, expand the Global Roles entry under the Roles table.
- Click the Roles link to go to the Global Roles page.
- On the Global Roles page, click the Admin role to go to the Edit Global Roles page.
- On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
- On the Choose a Predicate page, select Group from the drop-down list for predicates and click Next.
- On the Edit Arguments page, specify OAMAdministrators in the Group Argument field and click Add.
- Repeat for the Group WLSAdministrators.
- Click Finish to return to the Edit Global Roles page.
- The Role Conditions table now shows the groups OAMAdministrators or WLSAdministrators as role conditions.
- Click Save to finish adding the Admin role to the OAMAdministrators and IDM Administrators Groups.
Parent topic: Adding LDAP Groups to WebLogic Administrators
Updating WebGate Agents
When the idmConfigTool is run, it changes the default OAM security model and creates a new WebGate SSO Agent. However, it does not change the existing WebGate SSO Agents to the new security model. After running the idmConfigTool, you must update any WebGate agents that previously existed. This involves the following steps:
- Change the security mode to match that of the OAM servers. Failure to do so results in a security mismatch error.
- When WebGates are created at first install, they are unaware that a highly available (HA) installation is performed. After enabling HA, you must ensure that all of the OAM servers are included in the agent configuration, to ensure system continuity.
- You must check that any logout URLs are redirected to the hardware load balancer rather than to one of the local OAM servers.
- Update the REST endpoints for the Oracle 12c WebGate HTTP OAM APIs.
- A WebGate agent called IAMSuiteAgent is created out of the box. This is created without any password protection and needs to have one added.
To perform these actions, complete the following steps:
Parent topic: Configuring Oracle Access Management
Updating Host Identifiers
You access your domain through different load balancer entry points. Each of these entry points (virtual hosts) needs to be added to the Policy list. This ensures that if you request access to a resource using login.example.com or prov.example.com, you have access to the same set of policy rules.
Parent topic: Configuring Oracle Access Management
Adding Missing Policies to OAM
If any policies are missing, you have to add them to ensure that Oracle Access Manager functions correctly.
You need to add the following additional policies:
Table 16-2 OAM Policy Information
Product | Resource Type | Host Identifier | Resource URL | Protection Level | Authentication Policy | Authorization Policy |
---|---|---|---|---|---|---|
ALL | HTTP | IAMSuiteAgent | | Excluded | | |
ALL | HTTP | IAMSuiteAgent | | Excluded | | |
OIG | HTTP | IAMSuiteAgent | | Protected | Protected Higher Level Policy | Protected Resource Policy |
OAM | HTTP | IAMSuiteAgent | | Excluded | | |
OAM | HTTP | IAMSuiteAgent | | Excluded | | |
OAM | HTTP | IAMSuiteAgent | | Excluded | | |
OIG | HTTP | IAMSuiteAgent | | Protected | Protected Higher Level Policy | Protected Resource Policy |
OIG | HTTP | IAMSuiteAgent | | Excluded | | |
OIG | HTTP | IAMSuiteAgent | | Protected | Protected Higher Level Policy | Protected Resource Policy |
OIG | HTTP | IAMSuiteAgent | | Excluded | | |
OIG | HTTP | IAMSuiteAgent | | Protected | Protected Higher Level Policy | Protected Resource Policy |
OIG | HTTP | IAMSuiteAgent | | Protected | Protected Higher Level Policy | Protected Resource Policy |
OIG | HTTP | IAMSuiteAgent | /integration/** | Protected | Protected Higher Level Policy | Protected Resource Policy |
OUDSM | HTTP | IAMSuiteAgent | /oudsm | Excluded | | |
Note:
/otpfp is only required if you have implemented the OAM forgotten password functionality.
To add these policies:
Parent topic: Configuring Oracle Access Management
Updating Federation Service Details
Now that Oracle Access Management (OAM) is configured, you must update the Federation services to access the Federation via the load balancer URL.
- Log in to the OAM Console at http://iadadmin.example.com/oamconsole.
- Click Configuration.
- In the settings pane, click View, and select Federation from the drop-down.
- On the Federation Settings page, update the Provider ID to https://login.example.com/oam/fed.
- Click Apply.
Parent topic: Configuring Oracle Access Management
Updating Idle Timeout Value
The default idle timeout value set in Access Manager is often too long and can cause issues such as a session not being logged out after that session has timed out. Therefore, it is recommended that this value is reduced to 15 minutes.
To update the idle timeout value:
- Log in to the OAM Console at http://iadadmin.example.com/oamconsole.
- Log in as the Access Manager administrator user you created during response file creation.
- Click Configuration.
- Select Common Settings under Settings.
- Change Idle Time out (minutes) to 15.
- Click Apply.
Parent topic: Configuring Oracle Access Management
Validating the Authentication Providers
Set the order of identity assertion and authentication providers in the WebLogic Server Administration console.
Parent topic: Configuring Oracle Access Management
Configuring Oracle ADF and OPSS Security with Oracle Access Manager
Some Oracle Fusion Middleware management consoles use Oracle Application Development Framework (Oracle ADF) security, which can integrate with Oracle Access Manager Single Sign-on (SSO). These applications can take advantage of Oracle Platform Security Services (OPSS) SSO for user authentication, but you must first configure the domain-level jps-config.xml file to enable these capabilities.
The domain-level jps-config.xml file is located in the following location after you create an Oracle Fusion Middleware domain:
ASERVER_HOME/config/fmwconfig/jps-config.xml
Note:
The domain-level jps-config.xml should not be confused with the jps-config.xml that is deployed with custom applications.
Parent topic: Configuring Oracle Access Management
Starting the Managed Servers in the Domain
Start the Managed Servers in the following order:
- Starting the WLS_OAM1 Managed Server
- Starting the WLS_AMA1 Managed Server
- Starting the WLS_OAM2 Managed Server
- Starting the WLS_AMA2 Managed Server
Parent topic: Configuring Oracle Access Management
Starting the WLS_OAM1 Managed Server
Parent topic: Starting the Managed Servers in the Domain
Starting the WLS_AMA1 Managed Server
Parent topic: Starting the Managed Servers in the Domain
Starting the WLS_OAM2 Managed Server
Parent topic: Starting the Managed Servers in the Domain
Starting the WLS_AMA2 Managed Server
Parent topic: Starting the Managed Servers in the Domain
Validating Access Manager
You can validate Access Manager by using the oamtest tool. To do this, perform the following steps:
Parent topic: Configuring Oracle Access Management
Enabling Forgotten Password
This section describes how to set up the One Time Pin forgotten password functionality which is provided with Oracle Access Manager. If you want to configure the Challenge Question forgotten password functionality, as provided by Oracle Identity Governance, see Configuring and Integrating with LDAP and Integrating Oracle Identity Governance and Oracle Access Manager.
This section contains the following topics:
- Prerequisites for Enabling Forgotten Password
- Add Permissions to oamLDAP user
- Create an OTP Administrative Group in LDAP
- Enabling Adaptive Authentication Service
- Configuring Adaptive Authentication Plug-in
- Enabling Password Management in the Directory
- Storing User Messaging Credentials in CSF
- Setup for Forgot Password Link on Login Page
- Restarting the domain
- Validating the Forgotten Password Functionality
  If you have set up the OAM Forgotten Password functionality, rather than off-loading to OIM, you can validate the forgotten password using the curl command, which shows you the password policies in force.
Parent topic: Configuring Oracle Access Management
Prerequisites for Enabling Forgotten Password
Forgotten Password Management in Oracle Access Manager takes the form of sending an Email or SMS message with a link to reset the password.
Email or SMS is sent using the Oracle User Messaging Service. Before enabling the Oracle Forgotten Password functionality, you first need to have an Oracle User Messaging deployment. This is often located inside the Oracle Governance Domain but can be located inside the Access Domain if that is all you are installing. Alternatively, it could be a completely independent domain.
Forgotten Password functionality works only if you have successfully configured Single Sign-On as described in Configuring Single Sign-On for an Enterprise Deployment.
Adding the User Messaging Service to the Access domain or creating a User Messaging Service domain is outside the scope of this EDG. For more information about installing and configuring the Oracle User Messaging Service, see Installing User Messaging Service and Configuring Oracle User Messaging Service in Administering Oracle User Messaging Service.
Parent topic: Enabling Forgotten Password
Add Permissions to oamLDAP user
When created out of the box, the oamLDAP user (the user used to link OAM to LDAP) is granted privileges to read the LDAP directory. It is not, however, granted permission to update those users. You need to add these privileges for the OAM forgotten password functionality to work.
To do this, create an ldif file using your preferred text editor. This file has the following content:
add_aci.ldif
dn: cn=oamLDAP,cn=systemids,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

dn: cn=Users,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter= "(objectclass=inetorgperson)")(targetscope = "subtree") (version 3.0; acl "iam admin changepwd"; allow (compare,search,read,selfwrite,add,write,delete) userdn = "ldap:///cn=oamLDAP,cn=systemids,dc=example,dc=com";)
Save the file.
On LDAPHOST1, apply the file using the command:
OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -D cn=oudadmin -h LDAPHOST1 -p 1389 -f ./add_aci.ldif
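The ACI above grants the oamLDAP system account write access to every inetorgperson entry under cn=Users, so it is worth confirming the file says exactly that before ldapmodify applies it. The following added example (not Oracle's code) parses the LDIF, including folded continuation lines, and reports if the password-reset privilege or the ACI is attached to any other DN, if the ACI's userdn is not the oamLDAP account, if its scope is not the inetorgperson subtree, or if it grants rights beyond the set in the chapter's file. The LDIF text is constructed from add_aci.ldif above; the expected DNs and rights are the example's own constants.

```python
"""Check add_aci.ldif before applying it with ldapmodify.

Added example, not Oracle's code. The LDIF below is constructed from the
chapter's add_aci.ldif; the expected DNs and rights are this example's
own constants, taken from that file.
"""
import re

ADD_ACI_LDIF = """\
dn: cn=oamLDAP,cn=systemids,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

dn: cn=Users,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter= "(objectclass=inetorgperson)")(targetscope = "subtree")
  (version 3.0; acl "iam admin changepwd"; allow (compare,search,read,selfwrite,add,write,delete)
  userdn = "ldap:///cn=oamLDAP,cn=systemids,dc=example,dc=com";)
"""

OAM_BIND_DN = "cn=oamLDAP,cn=systemids,dc=example,dc=com"
USER_BASE = "cn=Users,dc=example,dc=com"
EXPECTED_RIGHTS = {"compare", "search", "read", "selfwrite", "add", "write", "delete"}


def parse_ldif(text):
    """Return a list of records, each a list of (attribute, value) pairs.
    A line starting with a space continues the previous value (LDIF folding)."""
    records, current = [], []
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and current:
            attr, val = current[-1]
            current[-1] = (attr, val + line[1:])
        elif not line.strip():
            if current:
                records.append(current)
            current = []
        else:
            attr, _, val = line.partition(":")
            current.append((attr.strip(), val.strip()))
    return records


def aci_rights(aci):
    m = re.search(r"allow\s*\(([^)]*)\)", aci)
    return {r.strip() for r in m.group(1).split(",")} if m else set()


def aci_userdn(aci):
    m = re.search(r'userdn\s*=\s*"ldap:///([^"]+)"', aci)
    return m.group(1) if m else None


def check_add_aci(text, oam_bind_dn=OAM_BIND_DN, user_base=USER_BASE):
    """Return a list of findings; an empty list means the LDIF is as intended."""
    findings = []
    for rec in parse_ldif(text):
        attrs = dict(rec)  # one value per attribute in this file
        dn = attrs.get("dn", "")
        if attrs.get("changetype") != "modify":
            findings.append(f"{dn}: changetype is not modify")
        if "ds-privilege-name" in attrs and dn.lower() != oam_bind_dn.lower():
            findings.append(f"privilege {attrs['ds-privilege-name']} granted to {dn}")
        if "aci" in attrs:
            aci = attrs["aci"]
            if dn.lower() != user_base.lower():
                findings.append(f"aci placed on {dn}, expected {user_base}")
            if (aci_userdn(aci) or "").lower() != oam_bind_dn.lower():
                findings.append(f"{dn}: aci userdn is not {oam_bind_dn}")
            if not re.search(r'targetscope\s*=\s*"subtree"', aci):
                findings.append(f"{dn}: aci targetscope is not subtree")
            if not re.search(r'targetfilter\s*=\s*"\(objectclass=inetorgperson\)"', aci, re.I):
                findings.append(f"{dn}: aci is not limited to inetorgperson entries")
            extra = aci_rights(aci) - EXPECTED_RIGHTS
            if extra:
                findings.append(f"{dn}: aci grants unexpected rights {sorted(extra)}")
    return findings


if __name__ == "__main__":
    print(check_add_aci(ADD_ACI_LDIF) or "add_aci.ldif looks as intended")
```

Point it at your own file with `check_add_aci(open("add_aci.ldif").read())`; adjust OAM_BIND_DN and USER_BASE if your realm DN differs from dc=example,dc=com.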
Parent topic: Enabling Forgotten Password
Create an OTP Administrative Group in LDAP
In order for the oamadmin group to be able to invoke forgotten password system calls, it needs to be a member of the group OTPRestUserGroup. This group is not created by idmConfigTool and must therefore be created manually.
To do this, perform the following steps:
Parent topic: Enabling Forgotten Password
Enabling Adaptive Authentication Service
Forgotten password requires the following service to be enabled.
To enable Adaptive Authentication Service, perform the following steps:
Parent topic: Enabling Forgotten Password
Configuring Adaptive Authentication Plug-in
Now that the Adaptive Authentication service is enabled, it needs to be informed about your User Messaging service.
To configure Adaptive Authentication Plug-In, perform the following steps:
Parent topic: Enabling Forgotten Password
Enabling Password Management in the Directory
By default, OAM is not set to allow password management. This must be enabled through the OAM Console.
To enable Password Management in the Directory, perform the following steps:
Parent topic: Enabling Forgotten Password
Storing User Messaging Credentials in CSF
Before you can access the User Messaging Service, you need to store the credentials in the WebLogic credential store.
To do this, execute the following set of WLST commands:
IAD_ORACLE_HOME/oracle_common/common/bin/wlst.sh
connect()
Please Enter your username: weblogic
Please Enter your password: COMMON_IDM_PASSWORD
Please enter your server URL [t3://localhost:7001] :t3://IADADMINVHN.example.com:7001
You are now connected to the domain. Execute the following commands:
createCred(map="OAM_CONFIG", key="umsKey", user="weblogic", password="password")
createCred(map="OAM_CONFIG", key="oam_rest_cred", user="oamadmin", password="password")
exit()
The umsKey provides the credentials for the User Messaging Service, which sends out your email or SMS notifications.
The oam_rest_cred is the user allowed to invoke the REST services in the OAM server.
In the above commands, weblogic is the domain administrative user, and password is its associated password.
Parent topic: Enabling Forgotten Password
Setup for Forgot Password Link on Login Page
The following REST API command enables the OTP forgot password link on the default login page in OAM.
curl -X PUT \
https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpassword/ \
-u oamadmin:Password \
-H 'content-type: application/json' \
-d '{"displayOTPForgotPassworLink":"true","defaultOTPForgotPasswordLink":"false","localToOAMServer":"true","forgotPasswordURL":"https://login.example.com/otpfp/pages/fp.jsp", "mode":"userselectchallenge"}'
Enter the required attributes and values:
Table 16-7 Forgot Password Link on Login Page
Attributes | Value |
---|---|
base_url | Main entry point of OAM. For example, https://login.example.com |
mode | distribution_mode: the distribution mode determines how the password reset URL is sent to the end user. Valid values are: email, sms, userchoose, userselectchallenge. The last entry allows the user to choose from masked values. |
Note:
If you are using self-signed certificates in the load balancer, the curl command may object with a message similar to: curl performs SSL certificate verification by default, using a bundle of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
If you see this message and are sure of the server's certificate, add -k after -u oamadmin:Password.
Verify that this has succeeded by accessing the following URL in a browser:
https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpassword
When prompted, enter your oamadmin account and password.
Note:
One of the OAM managed servers must be running for this command to succeed.
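The curl command and the note above leave a choice between disabling certificate verification with -k and pointing at a CA bundle with --cacert. The following added example (not Oracle's code) sends the same PUT from Python and takes the second route: it builds the JSON body from base_url and the distribution mode in Table 16-7, rejects modes outside the table's valid values, and trusts the load balancer's issuing CA through a bundle file while keeping hostname checking on. The attribute names are copied verbatim from the curl command; the base_url, credentials and cafile path in the main block are assumed placeholders.

```python
"""Enable the OTP forgot-password link on the OAM login page over a
certificate-verified HTTPS connection.

Added example, not Oracle's code. Same PUT as the chapter's curl command,
but trust is pinned to a CA bundle (the --cacert equivalent) instead of
disabling verification with -k.
"""
import base64
import json
import ssl
import urllib.request

CONFIG_PATH = "/oam/services/rest/access/api/v1/config/otpforgotpassword/"
# Distribution modes as listed in Table 16-7.
VALID_MODES = ("email", "sms", "userchoose", "userselectchallenge")


def forgot_password_payload(base_url, mode="userselectchallenge"):
    """Build the request body; attribute names are taken verbatim from the
    chapter's curl command (including displayOTPForgotPassworLink)."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    base = base_url.rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("base_url must be the https entry point of OAM")
    return {
        "displayOTPForgotPassworLink": "true",
        "defaultOTPForgotPasswordLink": "false",
        "localToOAMServer": "true",
        "forgotPasswordURL": f"{base}/otpfp/pages/fp.jsp",
        "mode": mode,
    }


def config_url(base_url):
    """REST endpoint for the OTP forgot-password configuration."""
    return base_url.rstrip("/") + CONFIG_PATH


def ssl_context(cafile=None):
    """Verification stays on. A private CA (for example the one that signed
    the load balancer certificate) is trusted by passing its bundle file."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def enable_forgot_password_link(base_url, user, password, mode, cafile=None):
    """PUT the configuration with HTTP Basic auth; returns the HTTP status."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        config_url(base_url),
        data=json.dumps(forgot_password_payload(base_url, mode)).encode(),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, context=ssl_context(cafile)) as resp:
        return resp.status


if __name__ == "__main__":
    import getpass
    # Assumed values for the example: replace with your entry point and CA bundle.
    status = enable_forgot_password_link(
        "https://login.example.com", "oamadmin",
        getpass.getpass("oamadmin password: "),
        "userselectchallenge", cafile="/path/to/lb-ca.pem")
    print("HTTP", status)
```

As with the curl command, one of the OAM managed servers must be running for the PUT to succeed; the helper functions can be exercised without a server.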
Parent topic: Enabling Forgotten Password
Restarting the domain
Shut down and restart the Administration Server and all of the managed servers (WLS_AMA1, WLS_AMA2, WLS_OAM1, WLS_OAM2).
Parent topic: Enabling Forgotten Password
Validating the Forgotten Password Functionality
If you have set up the OAM Forgotten Password functionality, rather than off-loading to OIM, you can validate the forgotten password using the curl command, which shows you the password policies in force.
curl command:
curl -X GET https://login.example.com/oam/services/rest/access/api/v1/pswdmanagement/UserPasswordPolicyRetriever/oamadmin?description=true -u oamadmin:<password> -k
This command displays the password policies.
If this command works, access the protected URL listed below. After you enable single sign-on, you see a link for the forgotten password on the login page. Click this link and enter the user name for which you want to reset the password. Click Generate Pin to receive an email that enables you to change the password.
http://iadadmin.example.com/console
Parent topic: Enabling Forgotten Password
Backing Up the Configuration
It is an Oracle best practices recommendation to create a backup after you successfully extend a domain or at another logical point. Create a backup after you verify that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps.
The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process.
For information about backing up your configuration, see Performing Backups and Recoveries for an Enterprise Deployment.
Parent topic: Configuring Oracle Access Management