4.2.3.3 OAM Requirements for Oracle Universal Authenticator
The following OAM prerequisite steps are required for Oracle Universal Authenticator (OUA) installations. If you are performing an installation of OAA and/or OARM without OUA, you can ignore this section.
Enabling the OAM Session Management APIs
Perform the following steps to enable the OAM Session Management APIs within the oam-config.xml.
- Create a file called session.xml that contains the following:

    <Configuration>
      <Setting Name="RequireAuthorizationHeader" Type="xsd:boolean" Path="/DeployedComponent/Server/NGAMServer/Profile/RestServices/Token/RequireAuthorizationHeader">true</Setting>
    </Configuration>

- Run the following command to update oam-config.xml:

    curl -s -u <WLSADMIN_USER>:<WLSADMIN_PWD> -H 'Content-Type: text/xml' -X PUT \
      http://<OAMAdminHost>:<OAMAdminPort>/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/RestServices/Token/RequireAuthorizationHeader \
      -d @./session.xml

  For example:

    curl -s -u weblogic:<password> -H 'Content-Type: text/xml' -X PUT \
      http://oam.example.com:7001/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/RestServices/Token/RequireAuthorizationHeader \
      -d @./session.xml

- Verify the change by locating the following lines in the <OAM_DOMAIN_HOME>/config/fmwconfig/oam-config.xml:

    <Setting Name="Token" Type="htf:map">
      <Setting Name="Enabled" Type="xsd:boolean">true</Setting>
      <Setting Name="RequireAuthorizationHeader" Type="xsd:boolean">true</Setting>
Enabling the OAM Identity Service
Perform the following steps to enable the OAM Identity Service within the oam-config.xml.
- Create a file called service.xml that contains the following:

    <Configuration>
      <Setting Name="IdentityServiceEnabled" Type="xsd:boolean" Path="DeployedComponent/Server/NGAMServer/Profile/IdentityManagement/IdentityServiceConfiguration/IdentityServiceEnabled">true</Setting>
    </Configuration>

- Run the following command to update oam-config.xml:

    curl -s -u <WLSADMIN_USER>:<WLSADMIN_PWD> -H 'Content-Type: text/xml' -X PUT \
      http://<OAMAdminHost>:<OAMAdminPort>/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/IdentityManagement/IdentityServiceConfiguration/IdentityServiceEnabled \
      -d @./service.xml

  For example:

    curl -s -u weblogic:<password> -H 'Content-Type: text/xml' -X PUT \
      http://oam.example.com:7001/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/IdentityManagement/IdentityServiceConfiguration/IdentityServiceEnabled \
      -d @./service.xml

- Verify the change by locating the following lines in the <OAM_DOMAIN_HOME>/config/fmwconfig/oam-config.xml:

    <Setting Name="IdentityManagement" Type="htf:map">
      <Setting Name="IdentityServiceConfiguration" Type="htf:map">
        <Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>
        <Setting Name="IdentityServiceProvider" Type="xsd:string">oracle.security.am.engines.idm.provider.OracleIdentityServiceProvider</Setting>
        <Setting Name="AnonymousAuthLevel" Type="xsd:integer">0</Setting>
        <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
          <Setting Name="DateFormatPattern" Type="xsd:string">yyyy-MM-dd'T'HH:mm:ss'Z'</Setting>
          <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
          <Setting Name="ChallengeSetupNotDoneURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
          <Setting Name="TimeFormatPattern" Type="xsd:string">yyyyMMddHHmmss'z'</Setting>
          <Setting Name="LockoutDurationSeconds" Type="xsd:long">1</Setting>
          <Setting Name="PasswordExpiredURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
          <Setting Name="AccountLockedURL" Type="xsd:string">/identity/faces/accountlocked</Setting>
          <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
          <Setting Name="LockoutAttempts" Type="xsd:integer">5</Setting>
        </Setting>
      </Setting>
- Restart the OAM servers.
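Both sections above end with a manual search of oam-config.xml for one boolean. The following script is an added example, not Oracle's code and not part of this documentation: it walks the nested <Setting Name="..."> tree of an oam-config.xml along the same two ?path= values used in the curl commands for the Session Management APIs and the Identity Service, and reports each one. The embedded oam-config.xml fragment is a constructed sample; it assumes the Setting elements carry no XML namespace.

```python
"""Added example (not Oracle's code): verify the two OUA prerequisite settings in an
oam-config.xml by walking its nested <Setting Name="..."> tree along the same paths
passed as ?path= in the curl PUT commands above."""
import xml.etree.ElementTree as ET

# Paths as passed to the REST API; a leading "/" is optional, as in the examples above.
OUA_REQUIRED_SETTINGS = {
    "/DeployedComponent/Server/NGAMServer/Profile/RestServices/Token/RequireAuthorizationHeader": "true",
    "DeployedComponent/Server/NGAMServer/Profile/IdentityManagement/IdentityServiceConfiguration/IdentityServiceEnabled": "true",
}

def find_setting(root, path):
    """Follow <Setting Name=segment> for each path segment; None if any segment is missing."""
    node = root
    for segment in path.strip("/").split("/"):
        node = next((c for c in node if c.tag == "Setting" and c.get("Name") == segment), None)
        if node is None:
            return None
    return node

def check_oua_settings(xml_text):
    """Return {path: (value found or None, ok)} for every required setting."""
    root = ET.fromstring(xml_text)  # root is <Configuration>; assumes no XML namespace
    results = {}
    for path, expected in OUA_REQUIRED_SETTINGS.items():
        node = find_setting(root, path)
        value = (node.text or "").strip() if node is not None else None
        results[path] = (value, value is not None and value.lower() == expected)
    return results

# Constructed sample: the Session Management API setting is already done, the
# Identity Service setting is still at its default, so the check reports one failure.
SAMPLE_OAM_CONFIG = """<Configuration><Setting Name="DeployedComponent" Type="htf:map">
<Setting Name="Server" Type="htf:map"><Setting Name="NGAMServer" Type="htf:map">
<Setting Name="Profile" Type="htf:map">
 <Setting Name="RestServices" Type="htf:map"><Setting Name="Token" Type="htf:map">
  <Setting Name="Enabled" Type="xsd:boolean">true</Setting>
  <Setting Name="RequireAuthorizationHeader" Type="xsd:boolean">true</Setting>
 </Setting></Setting>
 <Setting Name="IdentityManagement" Type="htf:map">
  <Setting Name="IdentityServiceConfiguration" Type="htf:map">
   <Setting Name="IdentityServiceEnabled" Type="xsd:boolean">false</Setting>
 </Setting></Setting>
</Setting></Setting></Setting></Setting></Configuration>"""

if __name__ == "__main__":
    for path, (value, ok) in check_oua_settings(SAMPLE_OAM_CONFIG).items():
        print("OK  " if ok else "FAIL", path.rsplit("/", 1)[-1], "=", value)
```

To run it against a real server, pass the contents of <OAM_DOMAIN_HOME>/config/fmwconfig/oam-config.xml to check_oua_settings instead of the sample.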
Enabling Persistent Login
OUA requires persistent login to be enabled in OAM.
Note: For more information on persistent login, see Enabling Persistent Login.

To enable persistent login in OAM:
- On the OAM server, launch a terminal window as oracle and enter the following command:

    cd $OAM_ORACLE_HOME/oracle_common/common/bin
    ./wlst.sh

  The output will look similar to the following:

    Initializing WebLogic Scripting Tool (WLST) ...

    Welcome to WebLogic Server Administration Scripting Shell

    Type help() for help on available commands

    wls:/offline>

- Connect to the OAM Administration Server as follows:

    connect('weblogic','<password>','t3://<OAMAdminHost>:<OAMAdminPort>')

  The output will look similar to the following:

    Successfully connected to Admin Server "AdminServer" that belongs to domain "oam_domain".

    Warning: An insecure protocol was used to connect to the server.
    To ensure on-the-wire security, the SSL port or Admin port should be used instead.

    wls:/oam_domain/serverConfig/>

- Run the following WLST command to configure persistent login:

    configurePersistentLogin(enable="true", validityInDays="30", maxAuthnLevel="2", userAttribute="obPSFTID")

  Note: maxAuthnLevel is the authentication level at which the user is authenticated through device authentication. See Managing Authentication Schemes.
Registering OUA as a TAP Partner in OAM
The OAA installation requires OUA to be registered as a TAP partner in OAM:
- In the same WLST session as above, run the following command to register the OUA TAP partner:

    registerThirdPartyTAPPartner(partnerName="<partner_name>", keystoreLocation="<path_to_keystore>", password="<keystore_password>", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="<redirect_url>")

  where:
  - <partner_name> is the name you want to give for the partner application.
  - <path_to_keystore> is the location and file name of the keystore to generate.
  - <keystore_password> is the password to create for the keystore generated.
  - <redirect_url> is any valid http(s) URL. The URL must be reachable and return a 200 OK response.

  For example:

    registerThirdPartyTAPPartner(partnerName="OUA-MFAPartner", keystoreLocation="/tmp/OUAOAAKeyStore.jks", password="password", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://oam.example.com:7777")

  The output will look similar to the following:

    Registration Successful
    wls:/oam_domain/serverConfig/>

  In the example above a keystore /tmp/OUAOAAKeyStore.jks will be generated. This keystore must be copied to a local directory on the OAA installation host used in Installation Host Requirements.

  Note: The partnerName, keystore, and password will be used later for the following parameters in the installOAA.properties:
  - oua.tapAgentName=<partner_name>
  - oua.tapAgentFilePass=<keystore_password>
  - oua.tapAgentFileLocation=<keystore>

- Run the following command to exit wlst:

    exit()
Configuring User Identity Store Parameters
Perform the following steps to enable the required identity store parameters:
- Log in to the OAM Administration Console https://<OAMAdminHost>:<OAMAdminPort>/oamconsole/ using your administrator credentials.
- Navigate to Configuration > User Identity Stores, and ensure the Default Store is set to the store where your OAM users reside, for example OUDStore.
- Under OAM ID Stores, select the store and click Edit. In the configuration page for your identity store, under Password Management, select the following check boxes:
  - Use Native ID Store Settings
  - Enable Password Management
  - Use Oblix User Schema
- Click Apply.
- Navigate to Application Security Launchpad > Plug-ins > Authentication Modules.
- Click Search and select the LDAP authentication module. Make sure the User Identity Store is set to the same identity store as in Step 2, for example OUDStore.
Add OUA Resources to OAM
Perform the following steps to add the required OUA policies to OAM:
- Log in to the OAM Administration Console https://<OAMAdminHost>:<OAMAdminPort>/oamconsole/ using your administrator credentials.
- Navigate to Application Security > Access Manager > Application Domains. Click Search.
- Click the Application Domain for the WebGate used for OAM OAuth. Click the Resources tab. Under Search Results click Create. Enter the details as follows and click Apply:
  - Type: HTTP
  - Host Identifier: <webgate_hostidentifier>
  - Resource URL: /oua/**
  - Protection level: Excluded
- Create another resource with the following details. Click Apply:
  - Type: HTTP
  - Host Identifier: <webgate_hostidentifier>
  - Resource URL: /oua-admin-ui/**
  - Protection level: Excluded