Identity Cloud Service: Configuring SAML

Introduction As we begin to deliver our Identity Cloud Service (IDCS) to the world (https://www.oracle.com/middleware/identity-management/index.html), we on the A-Team have been working to provide patterns and how-to posts to implement some of the common use cases we see in the field.  One of the more common use cases is integrating with third party Service Providers (SP) […]

MDC Switch – Configuring Multi-Data Center Types

INTRODUCTION This post discusses the steps required to switch a “master” data center to a “clone” data center and vice versa. If you are not familiar with Multi-Data Center (MDC) implementation and Automated Policy Synchronization (APS), please read the following links: http://www.ateam-oracle.com/multi-data-center-implemenation-in-oracle-access-manager/ http://www.ateam-oracle.com/automated-policy-synchronization-aps-for-oam-cloned-environment/ All content listed on this page is the property of Oracle Corp. Redistribution […]

Oracle Access Manager – What’s new in PS2

Introduction Oracle Access Manager 11gR2 – PS2 is now out!  This post will cover some of the new features in PS2. There are six new features I will discuss: Dynamic Authentication; Persistent Login (Remember Me); Policy Evaluation Ordering; Delegated Administration; Unified Administration Console; Session Management (Granular Idle Timeout, Client Cookie based Session). Main Article Dynamic […]

Multi-Data Center Implementation in Oracle Access Manager

For obvious reasons, there is a high demand for a Multi-Data Center (MDC) topology, which is now supported in Oracle Access Manager (OAM) 11g.  This post discusses some of the features of MDC and provides some detailed steps on how to clone a secondary data center.  This post is based on the R2PS1 code base.  […]

Webgate Reverse Proxy Farm

Introduction Some of our larger deployments are seeing the benefits of centralizing their Webgate deployments onto a server farm. This post discusses some of the architecture and recommendations for deploying such an architecture. All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

The importance of “orclguid” in Oracle Virtual Directory

Introduction This post will discuss the steps to configure the orclguid within Oracle Virtual Directory (OVD).  It is especially important when integrating OVD with Oracle Access Manager (OAM) and WebLogic Server (WLS).  I see many customers omitting this configuration, which leads to errors in OAM.   Main Article All Lightweight Directory Access Protocol (LDAP) repositories […]

OAM 11g: The Policy Migration Strategy

Introduction The purpose of this post is to provide some tips when planning a policy migration from Oracle Access Manager (OAM) 10g to OAM 11g.  Before you begin, I recommend that you install the latest Bundle Patch (BP).  At the time of this writing, the latest BP for OAM 11gR2PS1 is patch 16872730.  Installing this […]

OAM/OVD JVM Tuning

Over the past few weeks I’ve been involved in several performance tuning exercises involving OAM and OVD.  I thought it would be helpful if I created a post sharing the process I use to analyse and improve performance in OVD and OAM. The scenario …

OAM 11g – IPM Integration

Here is a post that integrates OAM 11g with IPM.  This integration is implemented on top of the OAM/UCM integration I did back in December.

Prerequisites

  1. Install, configure and integrate UCM with OAM.  See the OAM 11g – UCM Integration post further down this page.
  2. Install and configure IPM behind the same OHS proxy used for the UCM application.

High Level Steps/Checklist

  1. Configure an OHS server to proxy all requests to IPM (/imaging).
  2. Register a webgate with the URLs you want to protect.
  3. Configure an OAM Identity Asserter and an LDAP/OVD provider in WebLogic.
  4. Validate that users can access IPM with WLS security.
  5. Install a webgate on the OHS server and validate.

Notes:
Steps 2 through 4 may already have been completed as part of the OAM/UCM integration.
Requesting the ‘/imaging’ URL may return a “404 Not Found” error. This happens when a webgate is already installed on the OHS server but no policy has been defined for this URI: the webgate’s ‘denyOnNotProtected’ setting rejects any request for a resource that no policy covers, so the error is expected until the IPM resources are registered.

Detail Steps

  1. Follow the documentation to configure Oracle Access Manager 11g with Oracle IPM, Section 2.3.5: http://download.oracle.com/docs/cd/E17904_01/admin.1111/e12782/c02_security.htm#CDDFAFAC

    2.3.5 – Integrating Oracle IPM With Oracle Access Manager 11g
    1. OAM and the webgate have already been configured and installed.
    2. Modify the mod_wl_ohs.conf file with the forwarding URL:

        <Location /imaging>
          SetHandler weblogic-handler
          WebLogicHost <hostname>
          WebLogicPort <portnumber>
        </Location>

  2. Use the remote registration tool oamreg as described in section 15.2.2.2: http://download.oracle.com/docs/cd/E21764_01/core.1111/e10043/osso_b_oam11g.htm#JISEC9104

    15.2.2.2 – Provision with 11g Webgate
    1. Acquire the tool
      • The rreg tool can be found and executed on the same box where OAM is installed. No need to un-tar it.
      • Create a new IPM-Request.xml. Since the same OHS server that proxies UCM is also forwarding to the IPM application, use the same host identifier and agent name as defined for UCM; the only difference is the protected and public resource lists.

        <OAM11GRegRequest>
          <serverAddress>http://ateam-hq66.us.oracle.com:7003</serverAddress>
          <hostIdentifier>UCM-INT</hostIdentifier>
          <agentName>UCM-INT</agentName>
          <protectedResourcesList>
            <resource>/imaging/faces</resource>
          </protectedResourcesList>
          <publicResourcesList>
            <resource>/imaging</resource>
          </publicResourcesList>
        </OAM11GRegRequest>
     

 

      • On the command line, execute the following:

        ./bin/oamreg.sh inband input/IPM-Request.xml

      When asked for the admin user and password, make sure the user is part of the system store you configured for OAM (e.g. testuser1/welcome1).

NOTE: Make sure you copy the new artifacts from the RREG output directory to the OHS webgate config directory (i.e. …/Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config) and restart the OHS server.

Steps 4 and 5 from Section 2.3.5 were already completed during the UCM/OAM setup.

Troubleshooting tips:

  • Cannot log in via OAM – a few things to verify:
    • Make sure that the LDAP Authentication Module in the OAM console is pointing to the correct data store.
    • Make sure that the WLS provider matches the same OAM data store configuration.

OAM 11g – UCM Integration

I have been involved with many customers who are integrating OAM 11g with Oracle Universal Content Management 11g (UCM), and I know that trying to follow the OAM documentation can be daunting. So I put together my own integration document/blog. Rather than re-invent the wheel, this post builds on the documentation we already have. Think of it as a checklist of the steps I implemented to get my own internal environment working.


Prerequisites

  1. Install and configure UCM.
  2. Install the WebLogic plug-in on OHS that fixes a bug affecting UCM: http://www.oracle.com/technetwork/middleware/ias/downloads/wls-plugins-096117.html

High Level Steps/Checklist

  1. Configure an OHS server to proxy all requests to UCM (/cs, /adfAuthentication and /_ocsh).
  2. Register a webgate with the URLs you want to protect.
  3. Configure an OAM Identity Asserter and an LDAP/OVD provider in WebLogic.
  4. Validate that users can access UCM with WLS security.
  5. Install a webgate on the OHS server and validate.

Detail Steps

  1. Follow the documentation to configure Oracle Access Manager 11g with Oracle UCM, Section 5.2.3.1: http://download.oracle.com/docs/cd/E21764_01/doc.1111/e10792/c03_security.htm#CDDHGCCC

Note: The documentation is not clear on whether to install the Webgate on the OHS server first. I recommend installing the webgate at the end.


5.2.3.1 – Configuring Oracle Access Manager 11g with Oracle UCM
1. a. In our use case, we only need to proxy the UCM URIs below through OHS.

    # UCM Content Server
    <Location /cs>
      SetHandler weblogic-handler
      WebLogicHost <hostname>
      WebLogicPort <portnumber>
    </Location>

    # UCM Content Server authentication
    <Location /adfAuthentication>
      SetHandler weblogic-handler
      WebLogicHost <hostname>
      WebLogicPort <portnumber>
    </Location>

    # UCM online help
    <Location /_ocsh>
      SetHandler weblogic-handler
      WebLogicHost <hostname>
      WebLogicPort <portnumber>
    </Location>

b. Use the remote registration tool oamreg as described in section 15.2.2.2:

http://download.oracle.com/docs/cd/E21764_01/core.1111/e100/osso_b_oam11g.htm#JISEC9104

15.2.2.2 – Provision with 11g Webgate
1. Acquire the tool
a. The rreg tool can be found and executed on the same box where OAM is installed. No need to un-tar it.
2. Create a new UCM-Request.xml:

    <OAM11GRegRequest>
      <serverAddress>http://ateam-hq66.us.oracle.com:7003</serverAddress>
      <hostIdentifier>UCM-INT</hostIdentifier>
      <agentName>UCM-INT</agentName>
      <protectedResourcesList>
        <resource>/adfAuthentication</resource>
      </protectedResourcesList>
      <publicResourcesList>
        <resource>/cs</resource>
        <resource>/_ocsh</resource>
      </publicResourcesList>
    </OAM11GRegRequest>

3. On the command line, execute the following:

    ./bin/oamreg.sh inband input/UCM-Request.xml

When asked for the admin user and password, make sure the user is part of the system store you configured for OAM (e.g. testuser1/welcome1).

2. Continuing Section 5.2.3.1
Notes:

You can configure the OAM Asserter and the LDAP/OVD Authenticator before installing a webgate. Once the LDAP/OVD authenticator is configured, I recommend testing UCM to make sure that you can bind as a user that exists within the provider you configured.

The order of the providers should be as follows:

OAM Identity Asserter
The following ‘Common’ parameters should be set as:

Leave the default values for the ‘Provider Specific’ tab.

OVD Provider
‘Common’ tab:

‘Provider Specific’ tab:

Based on the backend LDAP repository, make sure that you specify the correct object class and user name attribute within the LDAP filters. In our case, we used ‘inetorgperson’ and ‘uid’ for the user object and ‘groupofuniquenames’ and ‘uniquemember’ for groups.

3. After installing and configuring OAM 11g……

a. Recommend installing the webgate now. There are no good links in the documentation for installing webgate 11g; use the following: http://download.oracle.com/docs/cd/E21764_01/install.1111/e12002/webgate.htm#CACCBCFF

Notes:
Section 20.2.4
You will need the gcc libraries. You can get them here:
http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html

Look for ‘GCC Libraries for Oracle Identity Federation’.

Extract the gcc libraries from the cpio file with:
cpio -idvm < <cpio_file>

Section 20.4
Step 2 – Ran the command:
./deployWebgateInstance.sh -w /u0/Oracle/Middleware11.1.1.5/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /u0/Oracle/Middleware11.1.1.5/Oracle_OAMWebgate1

Step 3 –
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/u01/Oracle/Middleware11.1.1.5/Oracle_WT1/lib

Step 5 – Ran the command:
./EditHttpConf -w /u01/Oracle/Middleware11.1.1.5/Oracle_WT1/instances/instance1/config/OHS/ohs1

b. Next you will need to copy the artifacts that were generated in step 3 of section 15.2.2.2. Copy ‘ObAccessClient.xml’ and ‘cwallet.sso’ from the ‘output/UCM-INT’ directory under ‘rreg’ to the webgate/config directory of the OHS instance.

Webgate installation completed. Make sure that the OAM managed server is running and restart the OHS server.
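The webgate registration steps in this post and in the IPM post earlier on this page both depend on every URI that OHS proxies being listed as a protected or public resource in the OAM11GRegRequest; the IPM post's note about an error on /imaging is what happens when one is missed and the webgate's denyOnNotProtected setting is on. The following is an added example, not code from the posts or from Oracle: it pulls the <Location> blocks out of a mod_wl_ohs.conf and the resource lists out of one or more request files, then reports the proxied paths that have no registered resource beneath them. The configuration text, host names and ports are constructed for the example, and the check is a plain path-prefix comparison, not a model of OAM's own URL pattern matching.

```python
"""Cross-check OHS <Location> blocks against OAM webgate resource lists.

Added example (not from the A-Team posts or from Oracle). A proxied URI with
no protected or public resource registered under it is refused by an 11g
webgate running with denyOnNotProtected, before the request reaches WebLogic.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the snippets in the UCM and IPM posts.
MOD_WL_OHS_CONF = """
# UCM Content Server
<Location /cs>
  SetHandler weblogic-handler
  WebLogicHost ucm.example.com
  WebLogicPort 16200
</Location>
<Location /adfAuthentication>
  SetHandler weblogic-handler
  WebLogicHost ucm.example.com
  WebLogicPort 16200
</Location>
<Location /_ocsh>
  SetHandler weblogic-handler
  WebLogicHost ucm.example.com
  WebLogicPort 16200
</Location>
# IPM proxied as well, but (in this sample) not yet registered with OAM
<Location /imaging>
  SetHandler weblogic-handler
  WebLogicHost ipm.example.com
  WebLogicPort 16000
</Location>
"""

UCM_REQUEST = """<OAM11GRegRequest>
  <serverAddress>http://oam.example.com:7003</serverAddress>
  <hostIdentifier>UCM-INT</hostIdentifier>
  <agentName>UCM-INT</agentName>
  <protectedResourcesList>
    <resource>/adfAuthentication</resource>
  </protectedResourcesList>
  <publicResourcesList>
    <resource>/cs</resource>
    <resource>/_ocsh</resource>
  </publicResourcesList>
</OAM11GRegRequest>"""

IPM_REQUEST = """<OAM11GRegRequest>
  <serverAddress>http://oam.example.com:7003</serverAddress>
  <hostIdentifier>UCM-INT</hostIdentifier>
  <agentName>UCM-INT</agentName>
  <protectedResourcesList>
    <resource>/imaging/faces</resource>
  </protectedResourcesList>
  <publicResourcesList>
    <resource>/imaging</resource>
  </publicResourcesList>
</OAM11GRegRequest>"""

LOCATION_RE = re.compile(r"^\s*<Location\s+(\S+?)\s*>", re.MULTILINE)


def proxied_locations(conf_text):
    """Paths of every <Location ...> block, in file order."""
    return [m.group(1) for m in LOCATION_RE.finditer(conf_text)]


def registered_resources(*request_xmls):
    """{'protected': set, 'public': set} merged over several request files
    (the IPM post reuses the UCM agent and only adds resources)."""
    out = {"protected": set(), "public": set()}
    for xml_text in request_xmls:
        root = ET.fromstring(xml_text)
        for kind, tag in (("protected", "protectedResourcesList"),
                          ("public", "publicResourcesList")):
            node = root.find(tag)
            if node is not None:
                out[kind].update(r.text.strip() for r in node.findall("resource") if r.text)
    return out


def _under(path, prefix):
    """True if path is prefix itself or lives beneath it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def uncovered_locations(conf_text, *request_xmls):
    """Proxied paths with no protected or public resource beneath them;
    these are what the webgate will deny under denyOnNotProtected."""
    res = registered_resources(*request_xmls)
    known = res["protected"] | res["public"]
    return [loc for loc in proxied_locations(conf_text)
            if not any(_under(r, loc) for r in known)]


if __name__ == "__main__":
    print("UCM only :", uncovered_locations(MOD_WL_OHS_CONF, UCM_REQUEST))
    print("UCM + IPM:", uncovered_locations(MOD_WL_OHS_CONF, UCM_REQUEST, IPM_REQUEST))
```

Run it against the real mod_wl_ohs.conf and the request files you fed to oamreg before restarting OHS; anything it lists is a URI the webgate will block until it is added to a resource list and the agent is re-registered or the application domain is updated.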

 

Troubleshooting tips:

  • Cannot log in via OAM – a few things to verify:
    • Make sure that the LDAP Authentication Module in the OAM console is pointing to the correct data store.
    • Make sure that the OVD provider in WLS matches the same OAM data store configuration.
  • Login looping issue
    • In some cases we see a looping issue when using IE when the time sync is off between the webgate machine and the OAM server machine.
  • Logout not working
    • Please follow the instructions to configure UCM logout with OAM: http://download.oracle.com/docs/cd/E17904_01/doc.1111/e14770/ucm.htm#ASRLA3579

In my next post, I will continue to integrate my OAM environment to include Oracle Imaging and Process Management (IPM), which requires UCM.

OAM 11g: Configuring Data Sources

Wanted to share an experience I encountered recently configuring the OAM Console. This is specific to OAM 11.1.1.5 (PS1).

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available

When you first install OAM 11g, one of the first things a customer will do is set up a new data store. But first let’s take a look at the default configuration. If you look at the ‘UserIdentityStore1’ data source you will notice a new feature: a data store can be the ‘Default’ store, the ‘System’ store, or both. This data store (WebLogic Embedded LDAP) is set as both the ‘Default’ store and the ‘System’ store.
The ‘Default’ data store is used by the Security Token Service. The ‘System’ store is what is used to authenticate an OAM administrator. When you select a data store to be the system store, you will need to define user(s) in the administrators group. You can read here for more information on data sources:
http://download.oracle.com/docs/cd/E21764_01/doc.1111/e15478/datasrc.htm#CHDIEEGA
Now again, a customer will most likely need to configure a new data store and possibly use that data store as the default and/or system store. Be aware that once you change the ‘system’ store you can potentially lock yourself out of the OAM console!
Here is a screen shot of the data store I configured:

The data store is pointing to an OID back end with test users. I created a user ‘testuser1’ as the administrator for the ‘system’ store as shown above.
When you ‘Apply’ this setting you will see a Warning:

You will also be asked to validate the administrator. I validated using ‘testuser1’.

Now let’s look at the WLS configuration. Out of the box it still had the default settings as seen here:
Now this is where you could run into some trouble. Remember the warning we received when configuring the ‘system’ store: you need to make sure that the data store you specified as the ‘system’ store is reflected somewhere in your providers list in the WLS console.
Now let’s say that you forget to add an LDAP provider within WLS, or, more likely, the provider was configured incorrectly so that testuser1 does not exist in it. In my example, when you try to log in to the OAM console as the ‘weblogic’ user, you will get an access denied page. If you try to log in as ‘testuser1’, you will receive an incorrect username/password page.
When logging in as the ‘weblogic’ user, this user exists in the Default Authenticator but is not part of the Administrators group as defined in the system store, hence the access denied page. My ‘testuser1’ does not exist in the default authenticator, hence the incorrect username/password error.
Now there are two ways to get back into the OAM Console:
1) Create the uid ‘testuser1’ in the Embedded LDAP used by WLS. This assumes that the Default Authentication provider is listed. This is not recommended, however; better yet…
2) Stop the managed server ‘oam_server1’. Now you should be able to log in with the original ‘weblogic’ user you created when installing the domain.
Remember the warning we got when assigning a new ‘system’ store? It basically means that you need to make sure that one of the WLS providers is in sync with the system store defined in the OAM console.
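The lockout above comes down to two things in the WebLogic realm: whether any authentication provider actually reads the directory that is about to become the OAM system store, and whether a provider that cannot know the new admin user (the Default Authenticator backed by the embedded LDAP) is flagged REQUIRED, which fails every login that user attempts. The following is an added example, not code from the post or from Oracle, that checks both before you click ‘Apply’. It reads the providers out of a domain config.xml; the config.xml fragment, host names and base DNs are constructed for the example, and only the name, control-flag, host, port and user-base-dn elements are consulted.

```python
"""Preflight for changing the OAM 11g 'system' store.

Added example (not from the A-Team post or from Oracle). Reads the
authentication providers of a WebLogic realm from config.xml and reports
the two mistakes that lock an administrator out of the OAM console.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the realm section of a domain config.xml, with the
# out-of-the-box DefaultAuthenticator still REQUIRED and an OID provider added.
SAMPLE_CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
  xmlns:sec="http://xmlns.oracle.com/weblogic/security"
  xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <security-configuration>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType">
        <sec:name>DefaultAuthenticator</sec:name>
        <sec:control-flag>REQUIRED</sec:control-flag>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:oracle-internet-directory-authenticatorType">
        <sec:name>OIDAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
        <wls:host>oid.example.com</wls:host>
        <wls:port>3060</wls:port>
        <wls:user-base-dn>cn=Users,dc=example,dc=com</wls:user-base-dn>
      </sec:authentication-provider>
    </realm>
  </security-configuration>
</domain>"""


def wls_auth_providers(config_xml):
    """[{'name', 'flag', 'host', 'port', 'base_dn'}] in realm order.
    {*} wildcards make the lookup independent of the namespace prefixes used."""
    providers = []
    for p in ET.fromstring(config_xml).iterfind(".//{*}authentication-provider"):
        def text(tag):
            node = p.find("{*}" + tag)
            return node.text.strip() if node is not None and node.text else ""
        providers.append({
            "name": text("name"),
            "flag": text("control-flag").upper() or "OPTIONAL",
            "host": text("host").lower(),
            "port": text("port"),
            "base_dn": text("user-base-dn").replace(" ", "").lower(),
        })
    return providers


def points_at(provider, ldap_url, user_search_base):
    """Does this provider read the same host:port and user base as the OAM store?"""
    u = urlsplit(ldap_url)
    return (provider["host"] == (u.hostname or "").lower()
            and provider["port"] == str(u.port)
            and provider["base_dn"] == user_search_base.replace(" ", "").lower())


def system_store_risks(config_xml, ldap_url, user_search_base):
    """Human-readable problems; an empty list means the realm can authenticate
    users that live in the store about to become the OAM system store."""
    providers = wls_auth_providers(config_xml)
    problems = []
    if not any(points_at(p, ldap_url, user_search_base) for p in providers):
        problems.append("no WLS authenticator points at %s (%s); OAM admins from that store "
                        "will get 'incorrect username/password'" % (ldap_url, user_search_base))
    for p in providers:
        # A REQUIRED/REQUISITE provider must succeed on every login; one that does
        # not know the new admin user locks that user out of the console.
        if p["flag"] in ("REQUIRED", "REQUISITE") and not points_at(p, ldap_url, user_search_base):
            problems.append("%s is %s; a user that exists only in the system store cannot "
                            "log in (use SUFFICIENT)" % (p["name"], p["flag"]))
    return problems


if __name__ == "__main__":
    for line in system_store_risks(SAMPLE_CONFIG_XML, "ldap://oid.example.com:3060",
                                   "cn=Users,dc=example,dc=com"):
        print("WARNING:", line)
```

Point it at the domain's config.xml with the LDAP URL and user search base you are entering in the OAM data source screen; an empty result means the ‘weblogic’ user and the new system-store administrator can both still authenticate through WLS after the switch.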

OVD 11g LDAP Error 2 : Bad LDAP Filter

Hi everyone, just a quick post on an issue I encountered with OVD 11g (11.1.1.2) and how it handles LDAP filtering.

For this post let’s use the following DN as our example:

“cn=OVD (11g), dc=us, dc=oracle, dc=com”

This is a perfectly valid DN; however, it has been discovered that DNs with parentheses have issues within OVD. Within the logs you may see “Bad LDAP Filter” errors:

    ! com.octetstring.vde.util.DirectoryException: LDAP Error 2 : Bad LDAP Filter.
        at com.octetstring.vde.util.ParseFilter.parse(ParseFilter.java:291)…

You may have guessed that the solution is to encode the ‘cn’ attribute. Here is a description of how to encode it, as described in RFC 2254:

If a value should contain any of the following characters

    Character    ASCII value
    ---------------------------
    *            0x2a
    (            0x28
    )            0x29
    \            0x5c
    NUL          0x00

the character must be encoded as the backslash ‘\’ character (ASCII 0x5c) followed by the two hexadecimal digits representing the ASCII value of the encoded character. The case of the two hexadecimal digits is not significant.

So using the above example, the ‘cn’ should now be encoded as follows: “cn=OVD \5c2811g\5c29”. So when creating entries in your LDAP repository, make sure you encode the backslash ‘\’ character and both parentheses ‘()’ as described above.
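Two escaping rules meet in that string. RFC 2254 (now RFC 4515) alone turns the value “OVD (11g)” into “OVD \2811g\29”; the “\5c” pairs on this page appear because each backslash of that value is then itself escaped when it is written into the DN, where RFC 2253 (now RFC 4514) uses the same \XX form. The following is an added example, not code from the post or from Oracle: an RFC 4515 filter-value escaper, an RFC 4514 DN-value escaper, and a small filter syntax check that rejects the unescaped form the way OVD does with “Bad LDAP Filter”. The sample values are constructed for the example.

```python
"""Escape LDAP filter values (RFC 4515) and DN values (RFC 4514).

Added example (not from the A-Team post or from Oracle). Also includes a
minimal filter parser that fails on a raw '(' or ')' inside a value, the
same class of input behind OVD's 'LDAP Error 2 : Bad LDAP Filter'.
"""

# The table from the post; non-ASCII characters are escaped byte-wise as
# their UTF-8 encoding, which RFC 4515 also permits.
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter."""
    out = []
    for ch in value:
        if ch in FILTER_ESCAPES:
            out.append(FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def equality_filter(attr, value):
    """(attr=value) with the value escaped, e.g. (cn=OVD \\2811g\\29)."""
    return "(%s=%s)" % (attr, escape_filter_value(value))


# DN escaping is a different rule set: parentheses are ordinary characters in
# a DN, but backslash, the separators and a few others are not (RFC 4514 2.4).
DN_SPECIALS = set('\\,+"<>;')


def escape_dn_value(value):
    """Escape an attribute value for use in a string DN, using the \\XX form."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        elif ch == " " and i in (0, last):
            out.append("\\20")
        elif ch == "#" and i == 0:
            out.append("\\23")
        else:
            out.append(ch)
    return "".join(out)


HEX = set("0123456789abcdefABCDEF")


def check_filter(filt):
    """Raise ValueError if filt is not a well-formed RFC 4515 filter.
    Handles (&...), (|...), (!...) and simple attr<op>value items; inside a
    value only \\XX escapes are accepted, so (cn=OVD (11g)) is rejected."""
    pos = 0

    def item():
        nonlocal pos
        if pos >= len(filt) or filt[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos < len(filt) and filt[pos] in "&|!":
            op = filt[pos]
            pos += 1
            count = 0
            while pos < len(filt) and filt[pos] == "(":
                item()
                count += 1
            if count == 0 or (op == "!" and count != 1):
                raise ValueError("bad operand count for '%s'" % op)
        else:
            eq = filt.find("=", pos)
            attr = filt[pos:eq] if eq != -1 else ""
            if not attr or "(" in attr or ")" in attr:
                raise ValueError("bad attribute description at offset %d" % pos)
            pos = eq + 1
            while pos < len(filt) and filt[pos] != ")":
                ch = filt[pos]
                if ch == "\\":
                    hexpair = filt[pos + 1:pos + 3]
                    if len(hexpair) != 2 or not set(hexpair) <= HEX:
                        raise ValueError("bad escape at offset %d" % pos)
                    pos += 3
                    continue
                if ch == "(":
                    raise ValueError("unescaped '(' in value at offset %d" % pos)
                pos += 1
        if pos >= len(filt) or filt[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1

    item()
    if pos != len(filt):
        raise ValueError("trailing data at offset %d" % pos)


def is_valid_filter(filt):
    """True if check_filter accepts the filter."""
    try:
        check_filter(filt)
        return True
    except ValueError:
        return False
```

escape_filter_value is what to apply whenever a value that may contain parentheses, asterisks or backslashes is pasted into a search filter; escape_dn_value(escape_filter_value(“OVD (11g)”)) reproduces the “OVD \5c2811g\5c29” string from the post, which shows that the post's workaround stores the already filter-escaped value and then escapes it again for the DN.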

I know what you are thinking. What if I already have thousands of users that contain these special characters? I’m certainly not going to go back and encode the ‘cn’ for each user! Well, for that there is a patch coming out to address this problem. As of this writing the solution has been identified and is due out for 11.1.1.4.

OAM 11g Connecting to an LDAP ID store over SSL (LDAPS)

Connecting to an LDAP ID store in OAM 11g over SSL (LDAPS) is a common scenario that many customers may need to implement. Unfortunately the documentation on this subject is scant and can be misleading. So as part of the OAM 11g Academy series, I’d l…

HTTP Basic authentication in OAM 11g

Hi everyone, this is my first posting so I wanted to first introduce myself. My name is Vinay Kalra and I’m also part of the A-team at Oracle. I came to Oracle in 2005 as part of the Oblix acquisition that brought with it Oracle Access Manager (OAM).Fr…