Integrating Oracle Access Manager and LDAP

3 Integrating Oracle Access Manager and LDAP

Integrating Oracle Access Manager with LDAP involves preparing the LDAP directory, adding the missing object classes, and configuring OAM using automated script.

Topics include:

3.1 Configuring OAM Using Automated Script

Configure Oracle Access Manager using the idmConfig.sh automated script.

Create a file called oam.props with the following values:

#LDAP Properties

IDSTORE_HOST: ldaphost.example.com
IDSTORE_PORT: 1636
IDSTORE_KEYSTORE_FILE: /u01/oracle/config/keystores/idmTrustStore.p12
IDSTORE_KEYSTORE_PASSWORD:password
IDSTORE_SSL_ENABLED: true
IDSTORE_NEW_SETUP: true
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
OAM_SERVER_LOGIN_ATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_NEW_SETUP: true
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
IDSTORE_WLSADMINUSER : weblogic_iam
IDSTORE_WLSADMINGROUP : WLSAdministrators
OAM_SERVER_LOGIN_ATTRIBUTE: uid
OAM_IDSTORE_NAME: OAMIDSTORE

#OAM Properties
PRIMARY_OAM_SERVERS: oamhost1.example.com:5575
WEBGATE_TYPE: ohsWebgate12c
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_WG_DENY_ON_NOT_PROTECTED: true
OAM_IDM_DOMAIN_OHS_HOST: login.example.com
OAM_IDM_DOMAIN_OHS_PORT: 443
OAM_IDM_DOMAIN_OHS_PROTOCOL: https
OAM_SERVER_LBR_HOST: login.example.com
OAM_SERVER_LBR_PORT: 443
OAM_SERVER_LBR_PROTOCOL: https
OAM_OAM_SERVER_TRANSFER_MODE: open
OAM_OAM_SSLENABLED: true
OAM_TRANSFER_MODE: open
OAM_SSO_ONLY_FLAG: false
OAM_IMPERSONATION_FLAG: false
OAM_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM_OIM_INTEGRATION_REQ: yes
OAM_OIM_OHS_URL: https://oim.example.com:443/
<username>: # WebLogic Properties
WLSHOST: oamhost1.example.com
WLSPORT: 9002
WLSADMIN: weblogic
WLS_IS_SSLENABLED: true
WLS_TRUSTSTORE: /u01/oracle/config/keystores/idmTrustStore.p12
WLS_TRUSTSTORE_PASSWORD: Manager1
WLS_SSL_HOST_VERIFICATION: true
# Passwords
IDSTORE_PWD_OAMSOFTWAREUSER: password
IDSTORE_PWD_OAMADMINUSER: password
IDSTORE_PASSWD:password
OAM_IDM_DOMAIN_WEBGATE_PASSWD:password
OAM_OIM_WEBGATE_PASSWD: password
WLSPASSWD: password
# Logger Properties
LOG_FILE: /home/oracle/automation_integ.log
LOG_LEVEL: ALL
SSL_DEBUG_ENABLE: FALSE

The following table provides descriptions of the parameters related to configuring OAM in the configOAM.config properties file example.

Table 3-1 Parameters in configOAM.config file

Property	Description	Sample Value
`ACCESS_GATE_ID`	Name to be assigned to the WebGate. This is the value specified during OAM configuration.	`Webgate_IDM`
`COOKIE_DOMAIN`	Enter the domain in which the WebGate functions.	`.example.com`
`COOKIE_EXPIRY_INTERVAL`	Enter the Cookie expiration period.	`120`
`IDSTORE_BINDDN`	An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory.	OID: `cn=orcladmin` OUD: `cn=oudadmin` Active Directory: `cn=Administrator,cn=Users,dc=example.com,dc=example,dc=com`
`IDSTORE_GROUPSEARCHBASE`	Enter the location in the directory where groups are stored.	`cn=Groups,dc=example,dc=com`
`IDSTORE_HOST`	Enter the identity store host name.	`ldaphost.example.com`
`IDSTORE_LOGINATTRIBUTE`	Enter the login attribute of the identity store that contains the user's login name.	`uid`
`IDSTORE_OAMADMINUSER`	Enter the user you use to access your Oracle Access Management Console.	`oamadmin`
`IDSTORE_OAMSOFTWAREUSER`	Enter the user you use to interact with the LDAP server.	`oamLDAP`
`IDSTORE_PORT`	Enter the identity store port.	`1636`
`IDSTORE_SEARCHBASE`	Enter the location in the directory where users and groups are stored.	`dc=example,dc=com`
`IDSTORE_SYSTEMIDBASE`	Enter the location of a container in the directory where system-operations users are stored. There are only a few system operations users and are kept separate from enterprise users stored in the main user container. For example, the Oracle Identity Governance reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.	`cn=SystemIDs,dc=example,dc=com`
`IDSTORE_USERNAMEATTRIBUTE`	Enter the username attribute used to set and search for users in the identity store.	`cn`
`IDSTORE_USERSEARCHBASE`	Enter the Container under which Access Manager searches for the users.	`cn=Users,dc=example,dc=com`
`OAM_TRANSFER_MODE`	Enter the security mode in which the access servers function. Supported value is OPEN and CERT.	`Open`
`OAM_IDM_DOMAIN_LOGOUT_URLS`	Set to the various logout URLs.	`/console/jsp/common/logout.jsp, /em/targetauth/emaslogout.jsp`
`OAM_IDM_DOMAIN_OHS_HOST`	Enter the load balancer that is in front of Oracle HTTP Server (OHS) in a high-availability configuration.	`login.example.com`
`OAM_IDM_DOMAIN_OHS_PORT`	Enter the load balancer port.	`443`
`OAM_IDM_DOMAIN_OHS_PROTOCOL`	Enter the Protocol to use when directing requests to the load balancer.	`https`
`OAM_IDSTORE_NAME`	Enter the name of the identity store configured in OAM. This will be set as the default/System ID Store in OAM.	`OAMIDSTORE`
`OAM_IDSTORE_ROLE_SECURITY_ADMIN`	Account to administer role security in identity store.	`OAMAdministrators`
`OAM_IMPERSONATION_FLAG`	It enables or disables the impersonation feature in the OAM Server.	`true`
`OAM_OAM_SERVER_TRANSFER_MODE`	Enter the security mode in which the access servers function. Supported value is OPEN.	`Open`
`OAM_OIM_INTEGRATION_REQ`	It specifies whether to integrate with Oracle Identity Governance or configure Access Manager in stand-alone mode. Set to `true` for integration.	`true`
`OAM_OIM_OHS_URL`	Enter the URL of the load balancer or Oracle HTTP Server (OHS) fronting the OIM server.	`https://oim.example.com:443/`
`OAM_SERVER_LBR_HOST`	Enter the OAM Server fronting your site.	`login.example.com`
`OAM_SERVER_LBR_PORT`	Enter the port that the load balancer is listening on (`HTTP_SSL_PORT`).	`443`
`OAM_SERVER_LBR_PROTOCOL`	Enter the Protocol to use when directing requests to the load balancer.	`https`
`OAM_SERVER_LOGIN_ATTRIBUTE`	Setting to uid ensures the validation of the username against the uid attribute in LDAP when the user logs in.	`uid`
`OAM_SSO_ONLY_FLAG`	Set it to configure Access Manager as authentication only mode or normal mode, which supports authentication and authorization. Default value is `true`.	`true`
`OAM_WG_DENY_ON_NOT_PROTECTED`	Set to deny on protected flag for 10g WebGate. Valid values are `true` and `false`.	`false`
`PRIMARY_OAM_SERVERS`	Enter comma-separated list of your Access Manager servers and the proxy ports they use.	`oamhost1.example.com:5575`
`SPLIT_DOMAIN`	Set to `true` is required to suppress the double authentication of Oracle Access Management Console.	`true`
`WEBGATE_TYPE`	Enter the WebGate agent type you want to create.	`ohsWebgate14c`
`WLSADMIN`	Enter the WebLogic Server administrative user account you use to log in to the WebLogic Server Administration Console in OAM domain.	`weblogic`
`WLSHOST`	Enter the Administration server host name in OAM domain.	`oamhost1.example.com`
`WLSPORT`	Enter the Administration server port in OAM domain. Note: If your domain is using the WebLogic Administration port then this should be entered here.	`9002`
`WLS_IS_SSLENABLED`	Set this to true if the OAM WebLogic Administration Server is SSL enabled.	`true`
`WLS_TRUSTSTORE`	If the Weblogic domain is SSL enabled use this parameter to specify the trust store that the domain is using.	`/u01/oracle/config/keystores/idmTrustStore.p12`
`WLS_TRUSTSTORE_PASSWORD`	If the Weblogic domain is SSL enabled use this parameter to specify the password of the trust store.	`password`
`WLS_SSL_HOST_VERIFICATION`	If the Weblogic domain is SSL enabled then set this to true if SSL Hostname validation should be performed.	`False`

Stop the policy server. See Starting and Stopping Managed WebLogic Servers and Access Manager Servers.
Shut down the policy manager servers.

Run the idmConfigTool to configure OAM and integrate it with LDAP.

export JAVA_HOME=/u01/oracle/products/jdk
export PATH=$JAVA_HOME/jdk/bin:$PATH
export DOMAIN_HOME=/u01/oracle/config/domains/oam
export ORACLE_HOME=$ORACLE_HOME/idm
$ORACLE_HOME/idmtools/bin/idmConfigTool.sh -configOAM input_file=loam.props log_level=FINEST mode=all

You have successfully executed the automated script for configuring Oracle Access Manager.

Restart the OAM domain servers along with the policy manager servers. See Starting and Stopping Managed WebLogic Servers and Access Manager Servers.
Verify the configuration.
1. Log in to the Oracle Access Management Console:
  http://oamhost.example.com:7001/oamconsole
  
  or
  
  https:///oamhost.example.com:7002/oamconsole
  
  Note:
  Log in by using the user you specified in IDSTORE_OAMADMINUSER.
2. In the Application Security page, click Agents.
  
  The Search SSO Agents page is displayed.
3. In the Search field, enter the WebGate name.
  
  Note:
  This is the value you specified for ACCESS_GATE_ID in the configOAM.config properties file.
4. In the Search Result Table, you can see the agent.

3.2 Adding Missing Object Classes Using Automated Script

Add the Missing Object Classes using the automated script for OIG-OAM integration, OIGOAMIntegration.sh. This script will add any missing object classes to existing users in the directory.

Update addMissingObjectClasses.config file (Located at ORACLE_HOME/idm/server/ssointg/config)with values for IDSTORE_HOST, IDSTORE_PORT, IDSTORE_BINDDN, IDSTORE_BINDDN_PWD, and IDSTORE_USERSEARCHBASE.

Example addMissingObjectClasses.config File

IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_SSL_ENABLED: true
IDSTORE_KEYSTORE_FILE: /u01/oracle/config/keystores/idmcerts.p12
IDSTORE_KEYSTORE_PASSWORD: password
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_BINDDN_PWD: <password>
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com

Table 3-2 Parameters in addMissingObjectClasses.config file

Property	Description	Sample Value
`IDSTORE_DIRECTORYTYPE`	Enter the identity store directory type. Valid options are OID, OUD, and AD.	`OUD`
`IDSTORE_HOST`	Enter the identity store host name.	`idstore.example.com`
`IDSTORE_PORT`	Enter the identity store port.	`1389`
`IDSTORE_SSL_ENABLED`	If you connect to your LDAP directory using SSL then set this parameter to true. The IDSTORE_PORT above must be the SSL port of your directory.	`true`
`IDSTORE_KEYSTORE_FILE`	If your directory is SSL enabled the tool must have access to a valid trust store with the CA of the directory included. Set this to the location of that trust store.	`/u01/oracle/config/keystores/idmcerts.p12`
`IDSTORE_KEYSTORE_PASSWORD`	The password of the ID_KEYSTORE_FILE, if not supplied the script will prompt for it.	`password`
`IDSTORE_BINDDN`	An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory.	`cn=oudadmin`
`IDSTORE_BINDDN_PWD`	Enter the Password for administrative user in Oracle Internet Directory, Oracle Unified Directory or Microsoft Active Directory.	`<password>`
`IDSTORE_USERSEARCHBASE`	Location in the directory where users are stored. This property tells the directory where to search for users.	`cn=Users,dc=example,dc=com`

Run the automated script for OIG-OAM integration to enable OAM notifications.
```
export ORACLE_HOME=/u01/oracle/products/idm
```
```
OIGOAMIntegration.sh -addMissingObjectClasses
```

You have successfully executed the automated script to add object classes for existing users in LDAP directory.

Note:

This step depends on the number of users in the LDAP directory. It is estimated to take 10 minutes per 10000 users in the LDAP directory.