The Ultimate Apache/OHS11g Tuning Guide for OAM11g WebGate

Introduction OK, maybe “Ultimate” could be stretching it, but it caught your eye so you can be the judge. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available here. Though OAM11g is […]

OAM 11g Webgate Tuning

INTRODUCTION This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available. People typically are introduced to Webgate tuning in one of two ways, either forced into it because of a crisis or […]

Retrieving the OAM SessionID for Fun and Profit!

Introduction I recently worked with a customer who needed to do some OAM session manipulation via custom code in order to implement a complex use case. While the focus of this post is not to go into details about a specific implementation, I did want to share some advice on a very necessary building block […]

Part 2: Custom Login and Logout with Detached Credential Collector (DCC)

INTRODUCTION This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available. In Part 1: Getting under the covers of Detached Credential Collector (DCC), I spent time talking about DCC in general […]

OAM11g — The Redirect Infinite Loop

INTRODUCTION This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available. I recently was working on one of my virtual environments that had three servers, which included OAM 11gR2PS2, though this […]

Part 1: Getting under the covers of Detached Credential Collector (DCC)

Introduction This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available. The Detached Credential Collector (DCC) feature was introduced with the release of OAM 11gR2 — 11.1.2.0.0. DCC brought some very […]

Logging made easy in OAM 11g with this simple trick!

INTRODUCTION This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available. Logging is extremely helpful when trying to troubleshoot issues and normally when you see instructions to log in OAM 11g […]

Understanding OAM 11g ASDK Configuration and Cert Requirements

Introduction Oracle provides documentation on developing an Access Client for the OAM 11g ASDK (http://docs.oracle.com/cd/E40329_01/dev.1112/e27134/as_api.htm#autoId0), but getting it to work can be challenging when running the Access Servers in Simple or Cert Mode. In this article I will not explain how to create an Access Client; there are already good examples out there for that. What […]

Chained LDAP Authentication in OAM 11g

Introduction In this post, we look at a simple way to configure a chained LDAP authentication scheme in OAM 11g R2. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available. All […]

How To Display A Custom Error Page When the Access Server Is Down?

I have been asked several times over the years if there is a way to customize the following error message presented to a user in their browser when the WebGate fails to contact any of the Access Servers. Oracle Access Manager Operation Error The WebGate plug-in is unable to contact any Access Servers. Contact […]

OAM LDAP connections through firewalls

Introduction In a previous post, we discussed some of the complications that can occur when a firewall is placed between WebGates and OAM Servers in a typical deployment. This post follows on from that discussion to explore an analogous topic: firewalls between the OAM Server and the LDAP Identity Store. This post is part of […]

OAM WebGate connections through firewalls

Introduction In this post, we investigate a complication that can occur if you require a firewall between your WebGate agents and your OAM 11g servers within your deployment topology. We provide some guidance related to how to configure your WebGates in this case. This post is part of a larger series on Oracle Access Manager 11g […]

How to (correctly) make manual edits to oam-config.xml

Introduction Occasionally, it is necessary to make changes to OAM 11g configuration by directly updating the oam-config.xml file, rather than using the OAM console. In this post, we describe the correct way to make changes to this file. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager […]

A first look at POST data preservation in OAM 11g R2 PS1

Introduction In this post, we have a quick look at POST data preservation, a new feature introduced in the 11g R2 PS1 (or 11.1.2.1) version of Oracle Access Manager. We’ll explain the problem that this feature solves and walk through a simple example explaining how to configure and use the feature. This post is part […]

Part 1: How To Load Test OAM11g using Apache JMeter

Introduction Exciting, it is Go Live day, the system goes online, everything seems ok for a while, and then Kerplunk! Thousands of things could have happened and everyone scrambles to figure it out. What went wrong? My first question is, “Was a proper load test completed?” Yes, Load Test. Functionally the software may have worked, […]

Part 3: OAM11g WNA Identity Store Considerations and Configurations

Introduction This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available. This is the final post of a three part series. In “Part 1: Under the Covers of OAM11g WNA integration […]

Part 2: How to Configure OAM11g WNA for Multiple AD Forests

Introduction This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available. This is the second post of a three part series. In “Part 1: Under the Covers of OAM11g WNA integration […]

Unsolicited login with OAM 11gR2

In a previous post, Chris Johnson discussed unsolicited login with OAM 11g.

In OAM 11gR2 this functionality is supported out of the box and with little effort you can implement Unsolicited Login.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

If you’re interested in authenticating using an unsolicited POST, please read on…

The complete procedure is explained in the official documentation here, but the docs are not clear on some aspects of the configuration.

To begin with, the documentation states that you have to manually edit the oam-config.xml file, but it does not say where to find it or which one to edit.

In my lab installation, I found six different oam-config.xml files scattered across several folders.

After some trial and error I found out that the correct one to edit is OAM_DOMAIN/config/fmwconfig/oam-config.xml, where OAM_DOMAIN is the WLS domain folder for the OAM domain.

Don’t forget to bounce the Admin and Managed Servers after editing oam-config.xml.

Note that in a distributed environment you want to make the changes to the file on the admin server; it will then get pushed out to the managed servers after the restarts.

Now all you have to do is post the login info to the endpoint https://oam_host:oam_port/oam/server/authentication.

The required information you need to post to the endpoint is:

  • username
  • password
  • successurl

If the authentication succeeds, you will be redirected to the successurl you passed to the endpoint.

In case the authentication fails, you will be redirected to the default OAM error page:

Now, that isn’t very nice, right?

If you want to get redirected to a custom error page, for instance to the same login page with the error message displayed in it so you can try to log in again, you just need to edit the Authentication Policy for the /oamDirectAuthentication resource (we will talk about this resource further on).

To do so, go to Application Domains, IAM Suite, Resources and search for /oamDirectAuthentication.

Open it and edit its Authentication Policy to include the Failure URL of the page you want to be redirected to in case of authentication errors.

If you don’t want to mess with the default Authentication Policy, which is used by other Resources, you can create another Authentication Policy for this resource and make the required changes there.

To display the error messages, check out the docs about creating Custom Error Pages here.

To test the whole thing, you can use a simple JSP to post the info to OAM:

And for the JSP of the success URL I print all the request parameters, headers and session attributes:

From this point on, you’re already authenticated to OAM and you can access any resources you’re authorized to.
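As an added example, not part of the original post, the following Python client does the same job as the test JSP from the command line: it POSTs username, password and successurl to /oam/server/authentication, deliberately does not follow the redirect, and reports whether OAM sent the browser to the successurl or to the Failure URL. The host, port, user and URLs in it are placeholders, and cafile is assumed to point at the CA that signed the OAM server certificate.

```python
import http.client
import ssl
from urllib.parse import urlencode, urlsplit

# Physical endpoint; on the policy side the same thing is the /oamDirectAuthentication resource
ENDPOINT_PATH = "/oam/server/authentication"

def build_login_body(username, password, successurl):
    """Form-encode the three parameters the endpoint requires."""
    return urlencode({"username": username, "password": password, "successurl": successurl})

def _same_location(url_a, url_b):
    """Compare scheme, host:port and path only; OAM may append its own query string."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme.lower(), a.netloc.lower(), a.path.rstrip("/")) == \
           (b.scheme.lower(), b.netloc.lower(), b.path.rstrip("/"))

def classify_redirect(status, location, successurl, failure_url=None):
    """Return 'success', 'failure' or 'unexpected' for OAM's answer.

    A successful login is a 302 to successurl. A failed one is a 302 to the
    Failure URL set on the /oamDirectAuthentication authentication policy
    (pass it as failure_url) or, without one, to the default OAM error page.
    """
    if status not in (301, 302, 303, 307) or not location:
        return "unexpected"
    if _same_location(location, successurl):
        return "success"
    if failure_url is None or _same_location(location, failure_url):
        return "failure"
    return "unexpected"

def unsolicited_login(oam_base, username, password, successurl, failure_url=None, cafile=None):
    """POST to oam_base/oam/server/authentication; return (classification, Location, cookie names)."""
    parts = urlsplit(oam_base)
    ctx = ssl.create_default_context(cafile=cafile)  # verify the OAM server certificate
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, context=ctx)
    conn.request("POST", ENDPOINT_PATH, body=build_login_body(username, password, successurl),
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()  # http.client never follows redirects, so we see the 302 itself
    location = resp.getheader("Location", "")
    cookies = [c.split("=", 1)[0] for c in resp.msg.get_all("Set-Cookie", [])]
    conn.close()
    return classify_redirect(resp.status, location, successurl, failure_url), location, cookies

if __name__ == "__main__":
    # Placeholder host, port, user and URLs: replace with your OAM server's values
    print(unsolicited_login("https://oam_host:14101", "jdoe", "secret",
                            "https://app.example.com/welcome.jsp",
                            failure_url="https://app.example.com/login.jsp"))
```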
 
The documentation also describes how you can combine different HTTP operations (POST, GET, DELETE, etc.) with different Authentication Schemes (FORM, CERT, etc.).

If you have specific requirements for the unsolicited login, you can create/edit the /oamDirectAuthentication Resource of the IAM Suite Domain. This resource controls all the specifics of unsolicited authentication, for example allowing only HTTP POST and FORM-based authentication.

The resource /oamDirectAuthentication is a virtual resource defined in the system that represents the physical endpoint for unsolicited login.

So, when it comes to policy configuration you will always deal with /oamDirectAuthentication; however, when it comes to the physical endpoint (the actual servlet URL for posting information) you will use /oam/server/authentication.

 

X509 Fallback to Form


OAM 11g does not provide an out-of-the-box solution for falling back to FORM authentication if an X509 certificate is not available or if the certificate is not accepted by the user. I have seen this requirement coming from customers and found a solution after brainstorming with my colleagues (special thanks to Chris Johnson and Brian Eidelman). The solution is not very difficult, though it needs some additional configuration and coding.

It should be noted that this solution is not for the use case where the user’s authentication is rejected due to an invalid certificate by OAM and then the user needs to fallback to a FORM for another authentication attempt.

Overview

The solution needs an X509 (Cert) Authentication Scheme and a Form Authentication Scheme. The real resource is protected by the Cert Authentication Scheme, whereas a secondary resource is protected by the Form Authentication Scheme. The configuration of the Form Authentication Scheme is standard, whereas the configuration of the Cert Authentication Scheme is a little different: its Challenge URL is a custom credential collector (different from the out-of-the-box configuration). This custom credential collector is a servlet and needs to be deployed to the OAM managed server(s).

 
Prerequisites
Configure Weblogic and OAM with SSL and make sure that the default out-of-the-box X509 authentication is working as desired.
While configuring SSL for the OAM server in the Weblogic configuration (Weblogic-Domain->Environment->Servers->oam_server->SSL->Advanced), make sure that Two Way Client Cert Behavior is set to “Client Certs Requested but Not Enforced”.

Note:

If the OAM server is fronted by OHS/Apache, please read the following post about SSL offloading with a Weblogic server:
http://fusionsecurity.blogspot.com/2012/02/ssl-offloading-and-weblogic-server.html
Also make sure that the SSLVerifyClient directive is set to optional in httpd.conf.

 
OAM Configuration

Authentication Scheme Configuration:

Create a new Authentication Scheme, named X509CustomCred as below:

Challenge Method: X509
Challenge Redirect URL: /oam/server
Authentication Module: X509Plugin
The Challenge URL is the URL of the custom credential collector (a Servlet), as follows: https://oam.oracleateam.com:14101/customcred/getcreds

(In this post, it is assumed that Weblogic’s SSL port is 14101.)

A snapshot of the Authentication Scheme will look like:

 

Configure X509Plugin Authentication Module:

With this plug-in, the root and sub CA certificates must be added to the DOMAIN_HOME/config/fmwconfig/amtruststore because the X509CredentialExtractor plug-in loads certificates from this location.
Also, check the following:

Go to System Configuration->Custom Authentication Module->X509Plugin

Under stepX509:

set KEY_IS_CERT_VALIDATION_ENABLED to true
set KEY_CERTIFICATE_ATTRIBUTE_TO_EXTRACT to the certificate attribute used to bind the public key (attributes within subject, for example subject.DN, issuer.DN, subject.EMAIL, etc., or within subjectAltName, as described in http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/oam_set.htm).

Under stepUI:

If the Identity Store is different from the default Identity Store, configure this as required.

Policy Configuration

The target resource is protected by the X509CustomCred Authentication Scheme (created above).

We will configure another resource, for example, a Resource URL /form/*, protected by the default LDAPScheme. Both the X509CustomCred and the LDAPScheme should be at the same Authentication Level.

A snapshot of the Policy for this secondary resource will look like:

 

Custom Credential Collector

Deployment descriptor:

The custom credential collector is a Servlet deployed as a WAR file. This is the Servlet OAM redirects to in order to collect the credentials.
For the Challenge URL mentioned above, the servlet-mapping in the deployment descriptor (web.xml) will look like:

<servlet-mapping>
  <servlet-name>GetCreds</servlet-name>
  <url-pattern>/getcreds</url-pattern>
</servlet-mapping>

And the context root in the WAR file’s Weblogic deployment descriptor (weblogic.xml) will look like:

<context-root>/customcred</context-root>

Code:

The logic of the Servlet is as follows:
If the X500Principal is available, we forward the request to “/oam/server/auth_cred_submit”. If it is not available, we redirect to a page protected by the default LDAPScheme with a FORM challenge.

A typical implementation looks like this:

import java.io.IOException;
import java.net.URLEncoder;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

public class GetCreds extends HttpServlet {
    // URL of the resource protected by the LDAPScheme (FORM challenge); see the Note below
    private static final String formURL = "http://oam.oracleateam.com:7778/form/redirect.jsp";

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The container sets this attribute only when the client presented a certificate
        X509Certificate[] x509Cert =
                (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (x509Cert != null && x509Cert.length > 0
                && x509Cert[0].getSubjectX500Principal() != null) {
            // X500Principal available: hand the request to OAM's credential submit servlet
            doPost(request, response);
            return;
        }
        // No certificate (none installed, or the user declined): fall back to the
        // FORM-protected resource, passing the original resource_url as an encoded TARGET
        String target = request.getParameter("resource_url");
        String redirectURL = formURL;
        if (target != null) {
            redirectURL += "?TARGET=" + URLEncoder.encode(target, "UTF-8");
        }
        response.sendRedirect(redirectURL);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String authCredServletPath = "/server/auth_cred_submit";
        // Cross-context forward into the /oam web application (getContext() returns null
        // unless the container permits cross-context dispatching)
        ServletContext sc1 = getServletContext();
        ServletContext sc2 = sc1.getContext("/oam");
        RequestDispatcher rd = sc2.getRequestDispatcher(authCredServletPath);
        rd.forward(request, response);
    }
}

Note:

In the doGet method, the String formURL is the URL of the resource protected by the LDAPScheme. This resource can be a JSP (refer to Sample JSP for Redirection to Original Resource), a Servlet, or simply an HTML page with JavaScript. This page extracts the TARGET query parameter, which is the original “resource_url”, and redirects to it.
For example, if:

The original resource URL (the original target) is: http://oam.oracleateam.com:7778/test.html  (protected by the Custom Credential Collector with X509 Challenge)

The formURL  is: http://oam.oracleateam.com:7778/form/redirect.jsp (protected by the LDAPScheme with FORM Challenge)

The redirectURL will be formed as: http://oam.oracleateam.com:7778/form/redirect.jsp?TARGET=http%3A%2F%2Foam.oracleateam.com%3A7778%2Ftest.html

Sample JSP (redirect.jsp as above) for Redirection to Original Resource

JSP Code:

<%@ page import="java.net.URI" %>
<%
  // TARGET carries the original resource_url; getParameter() URL-decodes it for us
  String target = request.getParameter("TARGET");
  if (target == null || target.isEmpty()) {
    out.println("No Target to redirect");
  } else {
    // Only redirect to a target on the host serving this page, so the page cannot be
    // used to send users to arbitrary sites (widen this check to the hosts you front)
    String host = null;
    try {
      host = new URI(target).getHost();
    } catch (java.net.URISyntaxException e) {
      // malformed target: host stays null and the redirect is refused
    }
    if (host != null && host.equalsIgnoreCase(request.getServerName())) {
      response.sendRedirect(target);
    } else {
      out.println("Target not allowed");
    }
  }
%>

Results

The user tries to access the resource which is protected by the authentication scheme X509CustomCred.

If the browser has the certificate installed, the user is prompted for the X509 certificate; if the user accepts it, the user can access the resource, which is the desired behavior with X509.

If the user does not accept it or if the browser does not have the certificate:

  1. The user is redirected to a secondary resource protected by an HTML form, with a TARGET query parameter carrying the original resource URL.
  2. The user enters username and password and hits the Submit button.
  3. Upon successful authentication and authorization, the secondary resource (a JSP, a Servlet or an HTML page with JavaScript) extracts the original resource URL from the TARGET query parameter and redirects to it.
  4. The user can access the original resource URL.