4.2.3.3 OAM Requirements for Oracle Universal Authenticator

The following OAM prerequisite steps are required for Oracle Universal Authenticator (OUA) installations. If you are performing an installation of OAA and/or OARM without OUA, you can ignore this section.

Enabling the OAM Session Management APIs

Perform the following steps to enable the OAM Session Management APIs within the oam-config.xml.
  1. Create a file called session.xml that contains the following:
    
    <Configuration>
      <Setting Name="RequireAuthorizationHeader" Type="xsd:boolean" Path="/DeployedComponent/Server/NGAMServer/Profile/RestServices/Token/RequireAuthorizationHeader">true</Setting>
    </Configuration>
  2. Run the following command to update oam-config.xml:
    curl -s -u <WLSADMIN_USER>:<WLSADMIN_PWD> -H 'Content-Type: text/xml' -X PUT \
    'http://<OAMAdminHost>:<OAMAdminPort>/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/RestServices/Token/RequireAuthorizationHeader' \
    -d @./session.xml
    For example:
    curl -s -u weblogic:<password> -H 'Content-Type: text/xml' -X PUT \
    'http://oam.example.com:7001/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/RestServices/Token/RequireAuthorizationHeader' \
    -d @./session.xml
  3. Verify the change by locating the following lines in the <OAM_DOMAIN_HOME>/config/fmwconfig/oam-config.xml:
    
    <Setting Name="Token" Type="htf:map">
      <Setting Name="Enabled" Type="xsd:boolean">true</Setting>
      <Setting Name="RequireAuthorizationHeader" Type="xsd:boolean">true</Setting>

Enabling the OAM Identity Service

Perform the following steps to enable the OAM Identity Service within the oam-config.xml.
  1. Create a file called service.xml that contains the following:
    
    <Configuration>
      <Setting Name="IdentityServiceEnabled" Type="xsd:boolean" Path="DeployedComponent/Server/NGAMServer/Profile/IdentityManagement/IdentityServiceConfiguration/IdentityServiceEnabled">true</Setting>
    </Configuration>
  2. Run the following command to update oam-config.xml:
    curl -s -u <WLSADMIN_USER>:<WLSADMIN_PWD> -H 'Content-Type: text/xml' -X PUT \
    'http://<OAMAdminHost>:<OAMAdminPort>/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/IdentityManagement/IdentityServiceConfiguration/IdentityServiceEnabled' \
    -d @./service.xml
    
    For example:
    curl -s -u weblogic:<password> -H 'Content-Type: text/xml' -X PUT \
    'http://oam.example.com:7001/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/IdentityManagement/IdentityServiceConfiguration/IdentityServiceEnabled' \
    -d @./service.xml
  3. Verify the change by locating the following lines in the <OAM_DOMAIN_HOME>/config/fmwconfig/oam-config.xml:
    
    <Setting Name="IdentityManagement" Type="htf:map">
           <Setting Name="IdentityServiceConfiguration" Type="htf:map">
             <Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>
             <Setting Name="IdentityServiceProvider" Type="xsd:string">oracle.security.am.engines.idm.provider.OracleIdentityServiceProvider</Setting>
             <Setting Name="AnonymousAuthLevel" Type="xsd:integer">0</Setting>
             <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
               <Setting Name="DateFormatPattern" Type="xsd:string">yyyy-MM-dd'T'HH:mm:ss'Z'</Setting>
               <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
               <Setting Name="ChallengeSetupNotDoneURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
               <Setting Name="TimeFormatPattern" Type="xsd:string">yyyyMMddHHmmss'z'</Setting>
               <Setting Name="LockoutDurationSeconds" Type="xsd:long">1</Setting>
               <Setting Name="PasswordExpiredURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
               <Setting Name="AccountLockedURL" Type="xsd:string">/identity/faces/accountlocked</Setting>
               <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
               <Setting Name="LockoutAttempts" Type="xsd:integer">5</Setting>
             </Setting>
           </Setting>
  4. Restart the OAM servers.
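The verification steps of both procedures above (step 3 of each) ask you to locate the updated settings in oam-config.xml by eye. The following script automates that check; it is an added example and not Oracle's tooling. It assumes oam-config.xml nests Setting elements by their Name attribute along the same path string that the REST config API takes in its ?path= parameter (as the snippets above show), and the embedded XML is a constructed fragment, not a real oam-config.xml.

```python
import xml.etree.ElementTree as ET

# The two settings the procedures above set, keyed by the same path string the
# REST config API takes in its ?path= parameter.
OUA_REQUIRED_SETTINGS = {
    "/DeployedComponent/Server/NGAMServer/Profile/RestServices/Token/RequireAuthorizationHeader": "true",
    "/DeployedComponent/Server/NGAMServer/Profile/IdentityManagement/IdentityServiceConfiguration/IdentityServiceEnabled": "true",
}


def lookup_setting(root, path):
    """Follow nested <Setting Name=...> elements along a /-separated path.
    Returns the leaf's text, or None if any segment is missing. A namespace
    prefix on the tag, if the file declares one, is ignored."""
    node = root
    for name in path.strip("/").split("/"):
        node = next((c for c in node if c.tag.rsplit("}", 1)[-1] == "Setting"
                     and c.get("Name") == name), None)
        if node is None:
            return None
    return (node.text or "").strip()


def check_oua_prereqs(xml_text):
    """Return {path: (actual_value, ok)} for each setting OUA requires."""
    root = ET.fromstring(xml_text)
    results = {}
    for path, want in OUA_REQUIRED_SETTINGS.items():
        actual = lookup_setting(root, path)
        results[path] = (actual, actual == want)
    return results


# Constructed fragment with the nesting oam-config.xml uses (not a real file):
# the session API setting is already true, the identity service is still off.
SAMPLE_OAM_CONFIG = """<Configuration>
 <Setting Name="DeployedComponent" Type="htf:map"><Setting Name="Server" Type="htf:map">
  <Setting Name="NGAMServer" Type="htf:map"><Setting Name="Profile" Type="htf:map">
   <Setting Name="RestServices" Type="htf:map"><Setting Name="Token" Type="htf:map">
    <Setting Name="Enabled" Type="xsd:boolean">true</Setting>
    <Setting Name="RequireAuthorizationHeader" Type="xsd:boolean">true</Setting>
   </Setting></Setting>
   <Setting Name="IdentityManagement" Type="htf:map">
    <Setting Name="IdentityServiceConfiguration" Type="htf:map">
     <Setting Name="IdentityServiceEnabled" Type="xsd:boolean">false</Setting>
   </Setting></Setting>
  </Setting></Setting>
 </Setting></Setting>
</Configuration>"""
```

Run check_oua_prereqs on the contents of <OAM_DOMAIN_HOME>/config/fmwconfig/oam-config.xml; any entry whose second element is False still needs its curl update (and a server restart before OUA will see it).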

Enabling Persistent Login

OUA requires persistent login to be enabled in OAM.

Note:

For more information on persistent login, see Enabling Persistent Login.
To enable persistent login in OAM:
  1. On the OAM server, launch a terminal window as oracle and enter the following command:
    cd $OAM_ORACLE_HOME/oracle_common/common/bin
    ./wlst.sh
    The output will look similar to the following:
    Initializing WebLogic Scripting Tool (WLST) ...
    Welcome to WebLogic Server Administration Scripting Shell
    Type help() for help on available commands
    wls:/offline>
  2. Connect to the OAM Administration Server as follows:
    connect ('weblogic','<password>','t3://<OAMAdminHost>:<OAMAdminPort>')
    The output will look similar to the following:
    Successfully connected to Admin Server "AdminServer" that belongs to domain "oam_domain".
    Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
    wls:/oam_domain/serverConfig/>
  3. Run the following WLST command to configure persistent login:
    configurePersistentLogin(enable="true", validityInDays="30", maxAuthnLevel="2", userAttribute="obPSFTID")

    Note:

    maxAuthnLevel is the authentication level at which the user is authenticated through device authentication. See Managing Authentication Schemes.

Registering OUA as a TAP Partner in OAM

The OAA installation requires OUA to be registered as a TAP partner in OAM:
  1. In the same WLST session as above, run the following command to register the OUA TAP partner:
    registerThirdPartyTAPPartner(partnerName = "<partner_name>", keystoreLocation= "<path_to_keystore>", password="<keystore_password>", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="<redirect_url>")
    where:
    • <partner_name> is the name you want to give to the partner application.
    • <path_to_keystore> is the location and file name of the keystore to generate.
    • <keystore_password> is the password to set for the generated keystore.
    • <redirect_url> is any valid http(s) URL. The URL must be reachable and return a 200 OK response.
    For example:
    registerThirdPartyTAPPartner(partnerName = "OUA-MFAPartner", keystoreLocation= "/tmp/OUAOAAKeyStore.jks", password="password", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://oam.example.com:7777")
    The output will look similar to the following:
    Registration Successful
    wls:/oam_domain/serverConfig/>
    In the example above, a keystore /tmp/OUAOAAKeyStore.jks is generated. This keystore must be copied to a local directory on the OAA installation host described in Installation Host Requirements.

    Note:

    The partnerName, keystore, and password will be used later for the following parameters in the installOAA.properties:
    • oua.tapAgentName=<partner_name>
    • oua.tapAgentFilePass=<keystore_password>
    • oua.tapAgentFileLocation=<keystore>
    For further details, see Preparing the Properties file for Installation.
  2. Run the following command to exit wlst:
    exit()

Configuring User Identity Store Parameters

Perform the following steps to enable the required identity store parameters:
  1. Log in to the OAM Administration Console https://<OAMAdminHost>:<OAMAdminPort>/oamconsole/ using your administrator credentials.
  2. Navigate to Configuration > User Identity Stores, and ensure the Default Store is set to the store where your OAM users reside, for example OUDStore.
  3. Under OAM ID Stores, select the store and click Edit. In the configuration page for your identity store, under Password Management, select the following check boxes:
    • Use Native ID Store Settings
    • Enable Password Management
    • Use Oblix User Schema
  4. Click Apply.
  5. Navigate to the Application Security Launchpad > Plug-ins > Authentication Modules.
  6. Click Search and select the LDAP authentication module. Make sure the User Identity Store is set to the same identity store as in Step 2, for example OUDStore.

Add OUA Resources to OAM

Perform the following steps to add the required OUA policies to OAM:
  1. Log in to the OAM Administration Console https://<OAMAdminHost>:<OAMAdminPort>/oamconsole/ using your administrator credentials.
  2. Navigate to Application Security > Access Manager > Application Domains. Click Search.
  3. Click the Application Domain for the WebGate used for OAM OAuth. Click the Resources tab. Under Search Results click Create. Enter the details as follows and click Apply:
    • Type: HTTP
    • Host Identifier: <webgate_hostidentifier>
    • Resource URL: /oua/**
    • Protection level: Excluded
  4. Create another resource with the following details. Click Apply:
    • Type: HTTP
    • Host Identifier: <webgate_hostidentifier>
    • Resource URL: /oua-admin-ui/**
    • Protection level: Excluded