ENABLING SSO AUTHENTICATION WITH OAM 11G R2 AND ENTERPRISE MANAGER 12C


Overview

Oracle Enterprise Manager 12c authentication is the process of determining the validity of the user accessing Enterprise Manager. The authentication feature is available across the different interfaces such as Enterprise Manager Console and Enterprise Manager Command Line Interface (EM CLI).

Oracle Enterprise Manager’s authentication framework consists of pluggable authentication schemes that let you use the type of authentication protocol best suited to your environment.

Oracle Enterprise Manager 12c relies on the WebLogic Server underlying the OMS for external authentication methods. For this reason, Enterprise Manager 12c can use any authentication method that is supported by Oracle WebLogic Server.

Supported Authentication Schemes

Enterprise Manager supports the following authentication schemes:

  • Repository-Based Authentication
  • Oracle Access Manager (OAM) SSO
  • Oracle SSO Based Authentication
  • Enterprise User Security Based Authentication

In this document we use the Oracle Access Manager single sign-on scheme to integrate Oracle Enterprise Manager 12c with OAM.

Oracle Access Manager is the Oracle Fusion Middleware single sign-on solution. The underlying identity stores are the enterprise directory identity stores supported by Oracle Access Manager. This scheme suits data centers that have standardized on Oracle Access Manager as the central authentication service for all enterprise applications. If you need to support protocols such as Kerberos for authentication, configure them in OAM rather than in Enterprise Manager. For more information about OAM, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager for the release in use (11g Release 2 here).

In our setup the underlying user identity store is OUD (Oracle Unified Directory).

Assumptions

We assume that EM12c R3 is installed and running on one host, and that OAM is installed and running on a second host, oam.example.com, with OUD as its user identity store.

Description

This document is divided into three sections: Oracle Access Manager 11gR2, Oracle Enterprise Manager 12cR3, and SSO integration with EM12c.

The first two sections describe the activities to perform on the respective servers; these are carried out independently. The SSO integration section then details how the integration itself is achieved.

ORACLE ACCESS MANAGER 11gR2

On the Oracle Access Manager server the following steps have to be performed.

  1. Identify a host (oam.example.com) and install OAM 11gR2 on it. Refer to the OAM install guide.
  2. Install OUD on the host oam.example.com. Refer to the OUD install guide.
  3. Register OUD as the default user identity store in the OAM admin console and also set it as the system store, as described in the OAM documentation.
  4. Create an 11g Webgate agent in the OAM admin console. Refer to the section OAM: Step 1 (CREATE WEBGATE AGENT).

ORACLE ENTERPRISE MANAGER 12cR3

On the Oracle Enterprise Manager server the following steps have to be performed.

  1. Identify a host and install EM12cR3 on it.
  2. Create the OUD Authenticator and the OAM Identity Asserter in the WebLogic Administration Console of the EM domain. Refer to the sections OEM: Step 2 (CREATE OUD AUTHENTICATOR PROVIDER) and OEM: STEP 3 (CREATE OAM ID ASSERTER).
  3. Change the order of the authenticators and asserters. Refer to the section OEM: STEP 4 (RE-ARRANGE THE PROVIDERS).
  4. The web tier utilities (Oracle HTTP Server) are already installed with EM12c, so the only product to install is the Webgate. Refer to the section OEM: STEP 5 (INSTALL WEBGATE).
  5. Configure the Webgate installed in the previous step to rely on OAM for authentication. Refer to the section OEM: STEP 6 (CONFIGURE WEBGATE).
  6. Configure the OMS for OAM integration. Refer to the section OEM: STEP 7 (CONFIGURE OMS).

SSO INTEGRATION WITH EM12c

The steps to integrate Oracle Enterprise Manager with OAM are described below.

OAM: Step 1 (CREATE WEBGATE AGENT)

1. Create the new 11g Webgate agent using the OAM admin console.

  • Log in to the OAM Admin Console.
  • Navigate to System Configuration -> Access Manager -> SSO Agents -> OAM Agents -> Create 11g Webgate.
  • Provide the following details:

Name: OAMApplication

Password: Oracle123. (sample value; use a strong agent password in a real deployment)

AutoCreate Policies: Checked

Security: Open

Host Identifier: <Automatically Populated>

Note: in Open mode the traffic between the Webgate and the OAM server, including the session tokens it carries, is not encrypted. Open mode is acceptable for a lab; for production choose Simple or Cert mode here and use the matching mode when configuring the Webgate.

2. Click Apply.

3. Note the path where OAM generated the Webgate agent artifacts (ObAccessClient.xml and cwallet.sso), for example /app/u01/middleware/user_projects/domains/idm_domain/output/OAMApplication. These files are copied to the Webgate on the EM server in OEM: Step 6.

OEM: Step 2 (CREATE OUD AUTHENTICATOR PROVIDER)

Click Lock & Edit on the left side of the page before editing any configuration, and click Activate Changes after the changes have been made.

1. Log in to the WebLogic Administration Console of the OEM host.

2. Navigate to Security Realms -> myrealm -> Providers.

3. Click New to create a new provider, select the type "iPlanetAuthenticator" (OUD is compatible with the iPlanet/Sun directory authenticator) and enter the Name "OUD Authenticator".

4. Click OK.

5. Click the newly created authenticator, set the Control Flag to "SUFFICIENT" and click Save.

6. Click the "Provider Specific" tab, enter the OUD server details (host, port, the principal and credential used to bind, and the user and group base DNs), select the checkbox "Use Retrieved User Name as Principal" and click Save.

OEM: Step 3 (CREATE OAM ID ASSERTER)

Click Lock & Edit on the left side of the page before editing any configuration, and click Activate Changes after the changes have been made.

1. In the WebLogic Administration Console of the OEM host (Security Realms -> myrealm -> Providers), click New, select the provider type "OAMIdentityAsserter" and name it "OAM ID Asserter".

2. Click the newly created asserter, set the Control Flag to "REQUIRED" and move "OAM_REMOTE_USER", "ObSSOCookie" and "OAM_IDENTITY_ASSERTION" from Available to Chosen under Active Types.

3. Click Save.

Note: with OAM_REMOTE_USER active, the asserter trusts the user name carried in that HTTP header, which is set by the Webgate on the OHS in front of the OMS. A request that reaches the WebLogic managed server directly, without passing through the Webgate, carries whatever header the client chose to send, so the managed server ports must be reachable only from the OHS host (firewall rule or listen-address restriction). The same consideration applies to the direct managed-server URL described under By-Passing the SSO Logon Page.

OEM: Step 4 (RE-ARRANGE THE PROVIDERS)

Click Lock & Edit on the left side of the page before editing any configuration, and click Activate Changes after the changes have been made.

1. Log in to the WebLogic Administration Console of the OEM host.
2. Navigate to Security Realms -> myrealm -> Providers.

3. Click Reorder.
4. Re-order the authentication providers as below and click OK.

  • OAM ID Asserter (REQUIRED)
  • OUD Authenticator (SUFFICIENT)
  • DefaultAuthenticator (SUFFICIENT)
  • DefaultIdentityAsserter

The DefaultAuthenticator stays in the chain because the WebLogic administrative users and the EM internal accounts live in the embedded LDAP. Its flag must be SUFFICIENT rather than the default REQUIRED; a REQUIRED provider has to succeed for every login, which would force every OUD user to exist in the embedded LDAP as well.

OEM: Step 5 (INSTALL WEBGATE)

1. Download the Webgate binaries, stage them on the EM12c server and start a VNC server (the installer is graphical).

2. If the installer asks for the JDK location, enter it (here /home/oracle/Middleware/jdk16/jdk).

3. The Oracle Webgate binaries staged here are version 11.1.1.6.

4. Click Next. The installer runs through the prerequisite checks, installation location and installation summary screens.

5. Enter the Oracle Middleware Home and the Oracle Home directory for the Webgate (here /home/oracle/Middleware and Oracle_OAMWebGate1).

6. Click Install and wait for the installation progress to complete.

7. Review the installation details and click Finish to complete the installation.

OEM: Step 6 (CONFIGURE WEBGATE)

1. Log in to the EM server machine and change to /home/oracle/Middleware/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate.

2. Make sure MW_HOME, ORACLE_HOME and LD_LIBRARY_PATH are set as below (no spaces around the equals sign, or the shell treats the line as a command).

export MW_HOME=/home/oracle/Middleware

export ORACLE_HOME=/home/oracle/Middleware/oms

export LD_LIBRARY_PATH=/home/oracle/Middleware/Oracle_WT/lib:/home/oracle/Middleware/Oracle_OAMWebGate1/webgate/ohs/lib

3. Execute the command below to deploy the Webgate instance into the OHS instance that EM uses.

./deployWebGateInstance.sh -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home>

./deployWebGateInstance.sh -w /home/oracle/gc_inst/WebTierIH1/config/OHS/ohs1 -oh /home/oracle/Middleware/Oracle_OAMWebGate1

4. Change to /home/oracle/Middleware/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools/ and run the command below; it adds the Webgate module to the OHS httpd.conf.

./EditHttpConf -w /home/oracle/gc_inst/WebTierIH1/config/OHS/ohs1 -oh /home/oracle/Middleware/Oracle_OAMWebGate1

5. Copy the agent artifacts generated by OAM in OAM: Step 1 to the Webgate configuration directory on the OEM server.

scp oracle@oam.example.com:/app/u01/middleware/user_projects/domains/idm_domain/output/OAMApplication/* /home/oracle/gc_inst/WebTierIH1/config/OHS/ohs1/webgate/config/.

6. Restart the OHS/Webgate on the EM server and confirm that requests to the EM URLs are now redirected to OAM for authentication.

7. Restart the OMS.

OEM: Step 7 (CONFIGURE OMS)

1. Run the following commands on the OMS machine (use straight quotes; the smart quotes inserted by word processors break the shell):

cd /home/oracle/Middleware/oms/bin

./emctl set property -name "oracle.sysman.core.security.auth.is_external_authentication_enabled" -value "true"

./emctl set property -name "oracle.sysman.core.security.sso.type" -value "OAMSSO"

./emctl set property -name "oracle.sysman.core.security.sso.logout_url" -value "https://oam.example.com:14101/oam/server/logout"

./emctl set property -name "oracle.sysman.emSDK.sec.DirectoryAuthenticationType" -value "SSO"

2. Register the single sign-on user using EM CLI:

./emcli create_user -name='shikhar' -type='EXTERNAL_USER'

3. The SSO user is now visible in the EM12c console (Setup -> Security -> Administrators).

4. Back up and then edit /home/oracle/gc_inst/WebTierIH1/config/OHS/ohs1/httpd.conf, adding the line below so that the EM CLI URLs are excluded from Webgate protection (EM CLI authenticates directly and cannot follow an OAM redirect):

Include "/home/oracle/Middleware/oms/sysman/config/emcli_url_exclude.conf"

By-Passing the SSO Logon Page

If the OMS is configured with SSO, OAM or another external authentication method, you may need to bypass the single sign-on logon page under certain circumstances (for example when the OAM server is down, or to log in as a repository-only administrator such as SYSMAN). To bypass the SSO logon page, connect directly to the WebLogic managed server instead of the Webgate-protected OHS:

https://ms_host:ms_https_port/em

ms_host and ms_https_port are the hostname and HTTPS port of the OMS managed server. They are listed in EM_INSTANCE_HOME/emgc.properties as EM_INSTANCE_HOST and MS_HTTPS_PORT.

Log in using a repository user's credentials.

Because this URL skips the Webgate entirely, the managed server port should not be reachable from end-user networks; restrict it to administrators' hosts and the OHS host.
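Two checks worth running once the integration above is in place, written here as an added example (this script is not part of the original write-up or of any Oracle tool): first, that an unauthenticated request to /em through the OHS is really redirected to the OAM server's credential collector (the 11g Webgate redirects to /oam/server/obrareq.cgi); second, that the direct managed-server URL, which skips the Webgate, does not treat a forged OAM_REMOTE_USER header any differently from a request without it. The host names, ports and the emgc.properties excerpt are assumptions chosen to match the environment described above.

```python
"""Post-integration checks for the OAM/EM12c setup described above.

Added example (not part of the original write-up):
  * Through the OHS/Webgate, an unauthenticated GET /em must be redirected to
    the OAM server's credential collector, /oam/server/obrareq.cgi.
  * The direct managed-server URL (EM_INSTANCE_HOST:MS_HTTPS_PORT from
    emgc.properties) skips the Webgate, so a forged OAM_REMOTE_USER header
    sent to it must make no difference to the response.

Host names, ports and the emgc.properties sample are assumptions.
"""
import ssl
import urllib.error
import urllib.parse
import urllib.request

OAM_HOST = "oam.example.com"  # assumption: the OAM host used in the write-up


def parse_emgc_properties(text):
    """Return (host, https_port) from emgc.properties (key=value lines, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props["EM_INSTANCE_HOST"], int(props["MS_HTTPS_PORT"])


def is_oam_redirect(status, location, oam_host=OAM_HOST):
    """True if (status, Location) is a redirect to OAM's obrareq.cgi on oam_host."""
    if status not in (301, 302, 303, 307) or not location:
        return False
    url = urllib.parse.urlsplit(location)
    return url.hostname == oam_host and url.path.endswith("/oam/server/obrareq.cgi")


def header_ignored(plain, forged):
    """True if the response fingerprint is identical with and without the forged header."""
    return plain == forged


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow redirects; the 302 itself is the evidence


def fetch(url, headers=None):
    """One GET without following redirects -> (status, Location, body length).

    TLS verification is disabled because lab OMS/OHS certificates are usually
    self-signed; this is only a response fingerprint, not a trust decision."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.getcode(), resp.headers.get("Location", ""), len(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location", ""), len(e.read())
    except urllib.error.URLError:
        # connection refused/filtered: the port is not reachable from here,
        # which for the direct managed-server URL is the desired outcome
        return "unreachable", "", 0


def check(ohs_em_url, emgc_text):
    """Run both checks against a live environment; returns a dict of booleans."""
    status, location, _ = fetch(ohs_em_url)
    host, port = parse_emgc_properties(emgc_text)
    direct = "https://%s:%d/em" % (host, port)
    plain = fetch(direct)
    forged = fetch(direct, {"OAM_REMOTE_USER": "SYSMAN"})
    return {
        "webgate_protects_em": is_oam_redirect(status, location),
        "forged_header_ignored": header_ignored(plain, forged),
    }


if __name__ == "__main__":
    # Constructed excerpt of the two emgc.properties keys this script needs.
    SAMPLE_EMGC = "# emgc.properties (excerpt)\nEM_INSTANCE_HOST=em.example.com\nMS_HTTPS_PORT=7301\n"
    print(check("https://em.example.com:7799/em", SAMPLE_EMGC))
```

Run it from a host that should not have direct access to the OMS; "forged_header_ignored" is also True when the managed-server port is unreachable, which is the outcome the network restriction in Step 3 is meant to produce. A False for "webgate_protects_em" means the URL is not covered by the Webgate's protected policy (or the Webgate module is not loaded in the OHS).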

REGISTERING EXTERNAL USERS AS OEM ADMINISTRATORS

Option 1:

Create the external user explicitly using EM CLI:

$ emcli create_user -name='<username>' -type='EXTERNAL_USER'

Option 2:

Auto-provision external users in EM12c: an external user is added as an EM administrator automatically after a successful login to OEM.

Set the property as follows:

$ emctl set property -name "oracle.sysman.core.security.auth.autoprovisioning" -value "true"

With auto-provisioning enabled, any account that OAM accepts becomes an EM administrator at first login, so the OAM authentication policy (or the directory group it allows) is what decides who can administer Enterprise Manager. Prefer Option 1 unless that policy is tightly scoped.

ENVIRONMENT NOTES

SEQUENCE TO START THE ENVIRONMENT

  1. OUD server
  2. WebLogic Admin Server of the OAM domain
  3. OAM managed server

Starting the EM12c server is independent of the above steps, but OAM must be up before users can log in to EM through the Webgate.

MANAGE OUD SERVER

  1. Log in to the OAM server machine as the oracle user.
  2. Change to /home/oracle/Desktop/Startup_Scripts.
  3. To start OUD, execute ./startOUD.sh.

MANAGE ADMIN AND OAM SERVER

  1. Log in to the OAM server machine as the oracle user.
  2. Change to /home/oracle/Desktop/Startup_Scripts.
  3. To start the Admin Server and the OAM server, execute ./startAdmin.sh and then ./startOAM.sh.

MANAGE OPMNCTL

  1. Log in to the EM12c server as the oracle user.
  2. Change to $OMS_HOME/../Oracle_WT/opmn/bin.
  3. Use ./opmnctl startall, ./opmnctl stopall and ./opmnctl status to start, stop and check the status of the OHS (and therefore the Webgate).

LOGGING IN WITH SINGLE SIGN-ON USER

1. Open a browser and enter the EM URL.

2. The request does not navigate to the OAM machine.

3. Enter the credentials to log in, for example the SYSMAN user's credentials.

4. Once the credentials are authenticated against the repository, the EM home page is displayed.

REFERENCES

  1. My Oracle Support
  2. EM12c documentation
  3. OAM documentation
  4. MOS Doc ID 1620784.1

OES 11g R2 Context Attributes


Invoke an authorization decision using context attribute calls (OES Java SM) to deny or allow access to a sample application.

1- Create a new attribute (go to HelloWBApplication > Extensions > Attributes).

2- Go to the Resource Type for this application and click Open.

3- In the Attributes section click Add, select Type as String and click Search.

4- Click Add and then click Apply.

5- Go to the Authorization Policy for this application and click Open.

6- Go to the Condition tab and click Edit Condition.

7- Select the Location attribute from the RHS and click Add.

8- In the value provide any city name (e.g. Delhi).

9- Click Done and then click Apply.

10- Go to the HelloWBWorld application, click Policy Distribution, select the SM_WB_JAVA SM and click Distribute.

11- Make sure your old Java application still works.

12- Open a new window and check whether the classpath variable includes oes-client.jar; if not, set it:

export classpath=.:$OES_CLIENT_HOME/modules/oracle.oes.sm_11.1.1/oes-client.jar:$OES_CLIENT_HOME/modules/oracle.oes.sm_11.1.1/wssm_stubs.jar

13- Compile HelloWBworld.java with the following command:

javac -cp $classpath HelloWBworld.java

14- Run the class file with the following command:

java -cp $classpath -Doracle.security.jps.config=./config/jps-config.xml HelloWBworld

NOTE- This should give the output false: the policy now has an attribute condition, but the request does not yet carry the attribute, so the condition cannot be satisfied.

15-   Now update the Java file so that the request carries the context attribute (the key "l" must match the name of the attribute created in step 1; the rest of the program is unchanged):

    // Context attributes are passed to OES alongside subject, action and resource
    HashMap<String, String> ctxMap = new HashMap<String, String>();
    ctxMap.put("l", "Delhi");
    System.out.println("HelloWBworld :: ctxMap:: " + ctxMap);

    while (true)
    {
        System.out.println("HelloWBworld :: while start ");
        try {
            // get the authorization decision from OES, now with the context map
            PepResponse response =
                PepRequestFactoryImpl.getPepRequestFactory()
                    .newPepRequest(user, action, resourceString, ctxMap)
                    .decide();
            // ... remainder of the loop body as in the existing program

16-   Compile HelloWBworld.java with the following command:

javac -cp $classpath HelloWBworld.java

17-   Run the class file with the following command:

java -cp $classpath -Doracle.security.jps.config=./config/jps-config.xml HelloWBworld

NOTE- This should evaluate to true, because the "l" value sent in the request matches the condition.

18-   Now open the Authorization Policy and update the condition (replace Delhi by London).

19- Click Done and click Apply.

20- Go to the HelloWBWorld application, click Policy Distribution, select the SM_WB_JAVA SM and click Distribute.

21- Compile HelloWBworld.java with the following command:

javac -cp $classpath HelloWBworld.java

22- Run the class file with the following command:

java -cp $classpath -Doracle.security.jps.config=./config/jps-config.xml HelloWBworld

NOTE- This should evaluate to false: the request still sends Delhi, which no longer matches the condition. The change takes effect only after the policy is redistributed to the SM in step 20; until then the SM keeps enforcing the previous condition.

OES 11g R2 Delegated Admin Setup


Demonstrate a delegated administration use case using application-level delegation, system-level delegation and policy-domain-level delegation.

Before we proceed further, we need to create some users in the embedded LDAP server.

1- Make sure that the Oracle Entitlements Server Admin Server is up and running.

2- Log in to the WebLogic Console for the Oracle Entitlements Server Admin Server, using the same login name/password as the Oracle Entitlements Server admin (e.g. http://localhost:7001/console).

3- Click your domain name in the left frame (e.g. oes11g_domain).

4- Start an LDAP browser (Gawor LDAP Browser is used here).

5- Connect to the WebLogic embedded LDAP server.

6- The LDAP connectivity details used here are shown below; your values may differ. Remember that WebLogic's embedded LDAP runs on the same host and port as the WebLogic console, and that the bind DN is cn=Admin with the embedded LDAP credential set on the domain's Security > Embedded LDAP page.

7- Go to the Admin Console (Home > $DOMAIN_NAME > Summary of Security Realms > myrealm > Users and Groups) and create the following users and groups:

User Name   Group (role)
Alice       CEO
Bob         Sales_Manager
Charlie     QA_Manager
David       Dev_Manager
Emily       Recruiter
Gary        Pay_Admin
Helen       Sales_VP
John        Dev_VP
Lisa        HR_VP

8- Repeat the above steps for all users and groups.

9- Now update the users' group information:

a. Open a user, go to the Groups tab, add the appropriate group and save.

10- Now refresh your LDAP tree and check that the user's group membership has been updated.

Creation of System Level Delegated Admin

1- Create a new application (go to Authorization Management > Application > click New Application).

Create 2 applications.

2- Click the System Configuration tab > Administrators > Administrator Roles.

3- Click "New".

4- Fill in "Read_Only_Admin" for Name and Display Name.

5- Click Create and verify that only the View radio button is selected.

6- Click the External User Mapping tab.

7- Click "Add", then click "Search", then select "Alice", then click "Add Selected".

8- Click Add Principals; the mapping is now listed under the role.

9- Log out of the Oracle Entitlements Server Admin UI and log back in as Alice.

10- You will see that the menu items that perform create/update operations are disabled.

11- Navigate around the UI and try to make changes; create/update is disabled in all the menu items.

Creation of Application Level Delegated Admin

1- Log in to the OES Admin Console as System Administrator.

2- Click "Applications" on the left and open the sub-tree.

3- Double-click "HelloWBWorld".

4- Click "Delegated Administrators".

5- Select HelloWBWorld and click "New".

6- Click OK.

7- Select "Delegated_App_Admin".

8- Under the "Role Details" tab, click Edit.

9- In the pop-up, click Set All Privileges to View and Manage.

10- Click Save.

11- Click External Role Mappings.

12- Click "Add", then click "Search", then select "Sales_Manager", then click "Add Selected".

13- Click Add Principal.

14- Log out of the Oracle Entitlements Server Admin UI and log back in as Bob (a member of Sales_Manager).

15- You will see that only the HelloWBWorld application is shown; this user has no access to any other application.

(In R2 you will be able to see all applications in read-only mode.)

16- Navigate around the UI and try to make changes; create/update is disabled in all the menu items except for HelloWBWorld.

Creation of Policy Domain Level Delegated Admin

1- Log in to the OES Admin Console as System Administrator.

2- In the left browse tree, right-click "HelloWBWorld" and click "New" to create a new policy domain (Sub_Policy_Domain).

3- In the left browse tree, right-click "HelloWBWorld" and select "Expand All Below"; the new policy domain appears under the application.

4- Double-click the "HelloWBWorld" application in the left browse tree and click the Delegated Administrators tab; the policy domain has its own delegated administrator roles.

5- Open the "Sub_Policy_Domain" sub-tree, click PolicyDomainAdmin, click "External Role Mapping" and click Add; map the principal that will administer this policy domain (Charlie is used in the following steps).

6- Click Add Principals.

7- Log out of the Oracle Entitlements Server Admin UI and log back in as Charlie.

8- In the left browse tree, expand "Applications".

9- Right-click "HelloWBWorld" and click "Expand All Below".

10-   You will see that "Default Policy Domain" is missing. This is because Charlie does not have the privilege at the application level, only for Sub_Policy_Domain.

11-   Navigate around the UI and try to make changes; create/update is disabled in all the menu items except for Sub_Policy_Domain under HelloWBWorld.

APEX (4.2.3) integration with OVD 11gR2 – AD2008


1. Create Access Control Lists (ACLs) for APEX.

2. To create the appropriate ACLs for the LDAP host and the schemas, connect to the APEX database as a DBA user (SYSTEM) and execute the scripts below. Without these ACLs, DBMS_LDAP calls from the APEX schemas fail with ORA-24247 (network access denied by access control list). The ACLs below are scoped to the directory host; they can be narrowed further to the LDAP port by passing lower_port and upper_port (389, or 636 for LDAPS) to assign_acl.

a. Provide connect and resolve privileges to APEX_TEST and assign the ACL to the LDAP host.

NOTE – APEX_TEST is the schema created during workspace creation.

b. Provide connect and resolve privileges to APEX_040200 (the APEX engine schema, which performs the LDAP bind for the authentication scheme) and assign the ACL to the LDAP host.

begin
  dbms_network_acl_admin.create_acl (
    acl         => 'ovd_ad_ldap.xml',
    description => 'Allow ldap queries',
    principal   => 'APEX_040200',
    is_grant    => TRUE,
    privilege   => 'connect'
  );
end;
/

begin
  dbms_network_acl_admin.add_privilege (
    acl       => 'ovd_ad_ldap.xml',
    principal => 'APEX_040200',
    is_grant  => TRUE,
    privilege => 'resolve'
  );
end;
/

begin
  dbms_network_acl_admin.assign_acl (
    acl  => 'ovd_ad_ldap.xml',
    host => 'oam.example.com'
  );
end;
/

commit;

c. Provide connect and resolve privileges to APEX_TEST and assign the ACL to the LDAP host.

begin
  dbms_network_acl_admin.add_privilege (
    acl       => 'ovd_ad_ldap.xml',
    principal => 'APEX_TEST',
    is_grant  => TRUE,
    privilege => 'connect'
  );
end;
/

begin
  dbms_network_acl_admin.add_privilege (
    acl       => 'ovd_ad_ldap.xml',
    principal => 'APEX_TEST',
    is_grant  => TRUE,
    privilege => 'resolve'
  );
end;
/

begin
  dbms_network_acl_admin.assign_acl (
    acl  => 'ovd_ad_ldap.xml',
    host => '10.176.247.18'
  );
end;
/

commit;

3. Verify the ACLs created for the LDAP host.

a. Run the following queries:

select host, acl from dba_network_acls where acl like '%ad%';

select acl, principal, privilege, is_grant from dba_network_acl_privileges;

Both principals should appear with connect and resolve granted, and the ACL should be assigned to the LDAP host(s) that the authentication scheme will use.

4. Create the Authentication Scheme in APEX.

5. Log in to the APEX workspace using

http://hostname:port/apex/

Where:

hostname is the name of the system where Oracle HTTP Server is installed.

port is the port number assigned to Oracle HTTP Server. In a default installation, this number is 7777.

apex is the database access descriptor (DAD) defined in the mod_plsql configuration file.

6. On the Login page:

– Workspace field – Enter the name of your workspace.

– Username – Enter your user name.

– Password – Enter your case-sensitive password.

7. Click Login to Application Express.

8. Go to Application Builder.

9. Click 'Edit' on the application which you want to authenticate using LDAP (e.g. Opportunity Tracker in my case).

10. Select Shared Components.

11. Select Authentication Schemes.

12. Select "Based on a pre-configured scheme from the gallery" and click Next.

13. Enter a Name and select the Scheme Type "LDAP Directory".

14. Provide the LDAP details (host, port and the Distinguished Name (DN) String used to locate the user).

Note- The substitution string %LDAP_USER% in the DN string is replaced with the user name entered on the login screen, so the value typed into that field decides which directory entry APEX binds as.

15. Click Create Authentication Scheme.

16. Test the LDAP connectivity from SQL Workshop.

a. Go to SQL Workshop > SQL Commands.

b. Use the following script in the SQL command window and click Run. It performs a simple bind against the directory with the given DN and password; DBMS_LDAP.use_exception := TRUE turns failures into ORA- errors instead of return codes. The bind below uses the directory Administrator over plain LDAP (port 389) and is a connectivity test only; for the real scheme, bind with a dedicated low-privilege account and prefer LDAPS (port 636 with DBMS_LDAP.open_ssl) so that passwords do not cross the network in clear text.

DECLARE
  vSession DBMS_LDAP.session;
  vResult  PLS_INTEGER;
BEGIN
  DBMS_LDAP.use_exception := TRUE;

  -- open a connection to the directory
  vSession := DBMS_LDAP.init(
    hostname => 'ad2008.example.com',
    portnum  => 389
  );

  -- simple bind with DN and password; raises an exception on failure
  vResult := DBMS_LDAP.simple_bind_s(
    ld     => vSession,
    dn     => 'cn=Administrator,cn=Users,dc=example,dc=com',
    passwd => 'Oracle123'
  );

  DBMS_OUTPUT.put_line('User authenticated!');

  vResult := DBMS_LDAP.unbind_s(vSession);
END;
/
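The scheme created in steps 13 to 15 splices the login name into a DN and then performs a simple bind with the supplied password, which is exactly what the DBMS_LDAP test above does by hand. The following is an added example, not code from the article or from APEX, that makes explicit the two checks such a scheme depends on: the login name is validated and RFC 4514-escaped before it replaces %LDAP_USER% (otherwise a value like "alice,cn=Users,..." changes which entry is bound as), and an empty password is refused before any bind is attempted, because a simple bind with an empty password is an unauthenticated bind that directories such as Active Directory report as successful. The DN template, the username rules and the in-memory stand-in for the directory are assumptions chosen to mirror this environment.

```python
"""Added example: explicit %LDAP_USER% handling for an APEX-style LDAP login.

Not part of the original article. Shows (1) validation plus RFC 4514 escaping
of the login name before it is substituted into the DN string, and
(2) refusing an empty password before the bind, since an empty-password
simple bind is an unauthenticated bind that Active Directory reports as OK.

DN template, username rules and the fake directory are assumptions.
"""
import re

# Assumption: the Distinguished Name String configured in the APEX scheme
DN_TEMPLATE = "cn=%LDAP_USER%,cn=Users,dc=example,dc=com"

# Assumption: login names this workspace issues. APEX itself permits only
# letters, digits, '@' and '.' in account names; '_' and '-' are added here.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9@._-]{0,99}$")

# Characters that must be escaped inside a DN attribute value (RFC 4514 2.4)
_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value):
    """Escape one attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading '#' would start a hex-encoded value
        elif ch == " " and i in (0, last):
            out.append("\\ ")          # leading/trailing spaces are otherwise dropped
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(username, template=DN_TEMPLATE):
    """Validate the login name, then substitute it for %LDAP_USER%."""
    if not USERNAME_RE.match(username):
        raise ValueError("login name contains characters not allowed in this workspace")
    return template.replace("%LDAP_USER%", escape_dn_value(username))


def authenticate(username, password, simple_bind):
    """Return True only for a password-backed bind as the user's own DN.

    simple_bind(dn, password) -> bool stands for the directory call
    (DBMS_LDAP.simple_bind_s in the PL/SQL test above)."""
    if not password:
        # Empty password == anonymous/unauthenticated bind; never send it.
        return False
    try:
        dn = build_user_dn(username)
    except ValueError:
        return False
    return bool(simple_bind(dn, password))


# --- constructed stand-in for the directory so this runs offline ---
FAKE_DIRECTORY = {"cn=alice,cn=Users,dc=example,dc=com": "s3cret!"}


def fake_ad_simple_bind(dn, password):
    """Mimics Active Directory: an empty password is accepted as an anonymous bind."""
    if password == "":
        return True
    return FAKE_DIRECTORY.get(dn) == password


if __name__ == "__main__":
    print(authenticate("alice", "s3cret!", fake_ad_simple_bind))   # valid login
    print(authenticate("alice", "", fake_ad_simple_bind))          # empty password refused
    print(authenticate("alice,cn=Users,dc=example,dc=com", "x", fake_ad_simple_bind))  # rejected by validation
```

The fake bind deliberately returns success for an empty password so that the guard in authenticate() is what prevents the false login; with the guard removed, the second call would report an authenticated user without any credential having been checked. The same two rules apply to any custom PL/SQL authentication function built on DBMS_LDAP.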

Test the Application from the Login Form

1. Go to the 'Opportunity Tracker' application and click Run.

2. Enter the credentials of a user from OVD.

3. Click Login. The home page is displayed after successful authentication.

4. The OVD-AD users as seen from the LDAP browser.

OAM integration with Apex application with Oracle HTTP Server (mod_plsql)


APEX Installation and Configuration

1. Download APEX from OTN and unzip the file.

2. Go to the command line and change the working directory to apex.

3. Run sqlplus and connect as sys as sysdba.

4. Run @apexins.sql, passing the following four arguments in the order shown:

cd $APEX_UNZIP_PATH

@apexins.sql tablespace_apex tablespace_files tablespace_temp images

Where:

– tablespace_apex is the name of the tablespace for the Oracle Application Express application user.

– tablespace_files is the name of the tablespace for the Oracle Application Express files user.

– tablespace_temp is the name of the temporary tablespace or tablespace group.

– images is the virtual directory for Oracle Application Express images. To support future Oracle Application Express upgrades, define the virtual image directory as /i/.

5. The installation takes some time; wait for it to complete.

6. It creates 3 schemas.

APEX_040200 – The account that owns the Oracle Application Express schema and metadata.

FLOWS_FILES – The account that owns the Oracle Application Express uploaded files.

APEX_PUBLIC_USER – The minimally privileged account used for Oracle Application Express configuration with Oracle Application Express Listener or Oracle HTTP Server and mod_plsql.

7. You must change the password of the internal ADMIN account.

8. Go to the command line and change the working directory to apex.

9. Run sqlplus and connect as sys as sysdba.

10. Run @apxchpwd.sql.

11. When prompted, provide the new password for the ADMIN account (e.g. Oracle_123; sample value).

12. After you install Oracle Application Express, restart the processes that you stopped before you began the installation. In addition, restart Oracle HTTP Server.

13. The APEX_PUBLIC_USER account is locked at the end of a new installation of Oracle Application Express. You must unlock this account before configuring the database access descriptor (DAD) in a new installation.

14. Run the following command to unlock APEX_PUBLIC_USER:

ALTER USER APEX_PUBLIC_USER ACCOUNT UNLOCK;

15. The APEX_PUBLIC_USER account is created with a random password in a new installation of Oracle Application Express. You must change the password for this account before configuring the DAD. The same password is written into dads.conf (PlsqlDatabasePassword) in clear text unless obfuscated with the dadTool.pl utility shipped with mod_plsql, so use a password dedicated to this account and protect the file.

16. Run the following command to change the password of APEX_PUBLIC_USER:

ALTER USER APEX_PUBLIC_USER IDENTIFIED BY Oracle_123;

17. Copy the images directory from the top level of the unzipped apex directory (for example /app/apex/images) to the Oracle HTTP Server instance directory.

18. Run the following command to copy the images directory (no space before /instances):

cp -rf $APEX_HOME/images $HTTPSERVER_HOME/instances/<$INSTANCE_NAME>/config/OHS/ohs1

APEX_HOME is the directory where the Oracle Application Express software was unzipped, for example /app/apex (or C:\TEMP when installing on Windows).

HTTPSERVER_HOME is the existing Oracle Application Server or Oracle HTTP Server Oracle home.

INSTANCE_NAME is the name of the web server instance where APEX will be deployed.

19. If this is a new installation of Oracle Application Express, you must edit the dads.conf file. The dads.conf file contains the information about the Database Access Descriptor (DAD) used to access Oracle Application Express.

20. Open the dads.conf file (located in $HTTPSERVER_HOME/instances/<$INSTANCE_NAME>/config/OHS/ohs1/mod_plsql).

21. In the dads.conf file, replace ORACLE_HTTPSERVER_HOME, host, port, service_name and apex_public_user_password with values appropriate for your environment.

22. By default, the ability to interact with network services is disabled in Oracle Database 11g Release 1 and 2. Therefore, if you are running Oracle Application Express with Oracle Database 11g Release 1 or 2, you must use the DBMS_NETWORK_ACL_ADMIN package to grant connect privileges to the hosts the APEX_040200 database user needs to reach. Failing to grant these privileges results in issues with:

  • Sending outbound mail in Oracle Application Express. Users can call methods from the APEX_MAIL package, but issues arise when sending outbound email.
  • Using Web services in Oracle Application Express.
  • PDF/report printing.

23. The following example grants connect privileges to any host ('*') for the APEX_040200 database user. It assumes you connected to the database where Oracle Application Express is installed as SYS specifying the SYSDBA role. Note that '*' lets the APEX engine open connections to every host the database server can reach; where the only requirement is LDAP authentication, the host-scoped ACL shown in the APEX-OVD section above is the tighter choice.

24.   Run the following script:

DECLARE
  ACL_PATH VARCHAR2(4000);
BEGIN
  -- Look for the ACL currently assigned to '*' and give APEX_040200
  -- the "connect" privilege if APEX_040200 does not have the privilege yet.
  SELECT ACL INTO ACL_PATH FROM DBA_NETWORK_ACLS
   WHERE HOST = '*' AND LOWER_PORT IS NULL AND UPPER_PORT IS NULL;

  IF DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(ACL_PATH, 'APEX_040200',
     'connect') IS NULL THEN
    DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(ACL_PATH,
      'APEX_040200', TRUE, 'connect');
  END IF;

EXCEPTION
  -- When no ACL has been assigned to '*'.
  WHEN NO_DATA_FOUND THEN
    DBMS_NETWORK_ACL_ADMIN.CREATE_ACL('power_users.xml',
      'ACL that lets power users to connect to everywhere',
      'APEX_040200', TRUE, 'connect');
    DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL('power_users.xml', '*');
END;
/

COMMIT;

25. Restart the Oracle HTTP Server.

26. In a Web browser, navigate to the Oracle Application Express Administration Services application.

27. Because your setup uses Apache and mod_plsql, go to:

http://hostname:port/apex/apex_admin

Where:

hostname is the name of the system where Oracle HTTP Server is installed.

port is the port number assigned to Oracle HTTP Server. In a default installation, this number is 7777.

apex is the database access descriptor (DAD) defined in the mod_plsql configuration file.

28. On the Login page:

In Username, enter admin.

In Password, enter the password of the Oracle Application Express administrator account (set with apxchpwd.sql above).

Click Login to Administration.

29. Click Manage Workspaces.

30. Under Workspace Actions, click Create Workspace.

31. Enter the workspace details (workspace name and optional description) and click Next.

32. For Identify Schema, if you are creating a new schema:

For Re-use existing schema, select No.

Enter a schema name and password (e.g. APEX_TEST and Oracle_123).

Specify a space quota.

Click Next.

33. For Identify Administrator, enter the Workspace administrator information and click Next.

Password – Oracle_123 (sample value)

34. Confirm your selections and click Create Workspace.

To create an Oracle Application Express user account:

35. Log in to Oracle Application Express Administration Services as described in the previous section.

36. Click the Manage Workspaces icon.

37. Click Manage Developers and Users.

38. Click Create User.

a. Under User Attributes, enter:

Username – Enter the username used to log in to the system. Restrictions include:

– Maximum length of 100 characters

– No spaces

– Only these special characters are permitted: at sign (@) and period (.)

Email Address – Enter the valid email address for this user.

First Name – Enter the first or given name to further identify the user.

Last Name – Enter the last or family name to further identify the user.

Description – Enter comments about this user.

Default Date Format – Enter the default Oracle date format for the user. This controls the default date format within SQL Workshop.

b. Under Account Privileges enter:

Workspace – Select a workspace from the list.

Default Schemas – Specify the default schema used for data browsing, application creation, and SQL script execution.

When using workspaces that have more than one schema available, this schema is the default. This setting does not control security, only the user's preference.

User is a workspace administrator – Specify if this user should have workspace administrator privileges.

39. Click Create User.

40. Once you create a workspace, you must log in to it using your login credentials (that is, the workspace name, user name, and password).

41. In a Web browser, navigate to the Oracle Application Express workspace login page.

42. Because this setup uses Apache and mod_plsql, go to:

http://hostname:port/apex/

Where:

hostname is the name of the system where Oracle HTTP Server is installed.

port is the port number assigned to Oracle HTTP Server. In this setup, the port is 7788.

apex is the database access descriptor (DAD) defined in the mod_plsql configuration file.

43. On the Login page:

– Workspace – Enter the name of your workspace.

– Username – Enter your user name.

– Password – Enter your case-sensitive password.

44. Click Login to Application Express.

OAM Configuration

1. Start the OAM Admin Server and the OAM managed server.

2. Log in to the OAM admin console; on the home page click 'New OAM 11g Webgate'.

3. Provide the Webgate details.

4. Run the following commands to register the Webgate with OAM:

cd $MW_HOME/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate
./deployWebGateInstance.sh -w $MW_HOME/Oracle_WT1/instances/<WEBGATE_INSTANCE>/config/OHS/ohs1 -oh $MW_HOME/Oracle_OAMWebGate1

cd $MW_HOME/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools/
./EditHttpConf -w $MW_HOME/Oracle_WT1/instances/<WEBGATE_INSTANCE>/config/OHS/ohs1 -oh $MW_HOME/Oracle_OAMWebGate1

cp $MW_HOME/user_projects/domains/idm_domain/output/<WEBGATE_INSTANCE_NAME>/* $MW_HOME/Oracle_WT1/instances/<WEBGATE_INSTANCE>/config/OHS/ohs1/webgate/config

5. Start the Oracle HTTP Server that hosts the Webgate.

6. In a browser, access index.html on the Webgate-protected Oracle HTTP Server.

NOTE – the port number may be different on your system. View or change the port in ssl.conf (or httpd.conf for plain HTTP) and restart the HTTP server.

7. You are redirected to the OAM login page. Provide the credentials and click Login.

8. If authentication is successful, the protected page is displayed.

9. Log in to the OAM admin console again and go to Policy Configuration > Application Domains.

10. Search for your Webgate agent and click it to open.

11. Click Resources, click "New Resource" and specify the following:

Type – HTTP

Host Identifier – webgate11g_3

Resource URL – /apex/apex_authentication.callback

Protection Level – Protected

Authentication Policy – Protected Resource Policy

Authorization Policy – Protected Resource Policy

12. Click Apply.

13. The resource is now listed under the application domain.

14. Expand 'Authorization Policies' and click 'Protected Resource Policy'.

15. Select the 'Responses' tab and click the add icon (green plus sign) to add the responses.

16. Response details:

Name: OAM_REMOTE_USER_GROUPS; Type: Header; Value: $user.groups

Name: OAM_REMOTE_USER_EMAIL; Type: Header; Value: $user.attr.mail

17. Both responses are now listed on the Responses tab.

18. Click Apply.

19. Go to the Authentication Policy and set the Authentication Scheme to 'Basic Scheme'. Basic Scheme makes the browser resend the user's credentials with every request as HTTP Basic authentication, so use it only on an HTTPS listener, or keep a form-based scheme such as the default LDAPScheme.

APEX Configuration

1. In a Web browser, navigate to the Oracle Application Express workspace login page.

2. Because this setup uses Apache and mod_plsql, go to:

http://hostname:port/apex/

Where:

hostname is the name of the system where Oracle HTTP Server is installed.

port is the port number assigned to Oracle HTTP Server. In this setup, the port is 7788.

apex is the database access descriptor (DAD) defined in the mod_plsql configuration file.

3. On the Login page:

– Workspace – Enter the name of your workspace.

– Username – Enter your user name.

– Password – Enter your case-sensitive password.

4. Click Login to Application Express.

5. Click Application Builder.

6. Open the application you want to protect with SSO.

7. Click Shared Components.

8. Select Authentication Schemes.

9. Select "Based on a pre-configured scheme from the gallery" and click Next.

10. Enter a Name, select the Scheme Type HTTP Header Variable, and enter OAM_REMOTE_USER as the HTTP Header Variable Name. APEX now trusts whatever value arrives in that header, so every route to the DAD must pass through the Webgate-protected Oracle HTTP Server; a listener that bypasses the Webgate would let a client set OAM_REMOTE_USER itself.

11. Click Create Authentication Scheme.
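The HTTP Header Variable scheme makes APEX trust the OAM_REMOTE_USER header, and the two responses added to the OAM authorization policy (OAM_REMOTE_USER_GROUPS and OAM_REMOTE_USER_EMAIL) arrive in the same way. The package below is an added example, not part of the original post and not APEX's own code: it reads those headers through the CGI environment mod_plsql exposes, fails closed when OAM_REMOTE_USER is missing or names a different user than the APEX session, and provides a group check that an APEX authorization scheme of type "PL/SQL Function Returning Boolean" (Evaluation Point "Once per page view") can call. The HTTP_ prefix is how mod_plsql exposes request headers; the comma-separated format of $user.groups and the group name APEX_ADMINS are assumptions to verify in your own environment.

```sql
-- Added example (not from the original post): consume the OAM headers in APEX.
-- Assumptions: mod_plsql exposes request headers as CGI variables named
-- HTTP_<NAME>; the $user.groups response arrives as a comma-separated list.
CREATE OR REPLACE PACKAGE oam_hdr AS
  FUNCTION get_header (p_name IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION user_matches_session RETURN BOOLEAN;
  FUNCTION in_group (p_group IN VARCHAR2) RETURN BOOLEAN;
  FUNCTION user_email RETURN VARCHAR2;
END oam_hdr;
/

CREATE OR REPLACE PACKAGE BODY oam_hdr AS

  -- Header OAM_REMOTE_USER (or OAM-Remote-User) -> CGI variable HTTP_OAM_REMOTE_USER
  FUNCTION get_header (p_name IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN owa_util.get_cgi_env('HTTP_' || UPPER(REPLACE(p_name, '-', '_')));
  END get_header;

  -- Fail closed: no header means the request did not come through the
  -- Webgate; a different user means a stale or hijacked APEX session.
  FUNCTION user_matches_session RETURN BOOLEAN IS
    l_user VARCHAR2(4000) := get_header('OAM_REMOTE_USER');
  BEGIN
    RETURN l_user IS NOT NULL
       AND UPPER(l_user) = UPPER(v('APP_USER'));
  END user_matches_session;

  -- Whole-entry match so that "admin" does not match "sysadmin".
  FUNCTION in_group (p_group IN VARCHAR2) RETURN BOOLEAN IS
    l_groups VARCHAR2(4000) := get_header('OAM_REMOTE_USER_GROUPS');
  BEGIN
    IF NOT user_matches_session OR l_groups IS NULL THEN
      RETURN FALSE;
    END IF;
    RETURN INSTR(',' || LOWER(REPLACE(l_groups, ' ', '')) || ',',
                 ',' || LOWER(TRIM(p_group)) || ',') > 0;
  END in_group;

  -- $user.attr.mail, as configured in the OAM response.
  FUNCTION user_email RETURN VARCHAR2 IS
  BEGIN
    RETURN get_header('OAM_REMOTE_USER_EMAIL');
  END user_email;

END oam_hdr;
/

-- Body of an APEX authorization scheme ("PL/SQL Function Returning Boolean",
-- Evaluation Point "Once per page view") for an administrator-only page:
-- RETURN oam_hdr.in_group('APEX_ADMINS');   -- group name is an assumption
```

Evaluating the scheme once per page view rather than once per session means a user whose OAM group membership is revoked loses access on the next request instead of keeping it until the APEX session expires.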

 

TESTING

1. Create the 'admin' user in the OAM identity store (for example, the embedded LDAP).

NOTE – the password need not be the same as that of the admin user created in the APEX application; OAM authenticates the user and APEX only consumes the header.

2. Go to http://<HostName>:<Port>/apex/f?p=111:1:15889139804492:::::

(URL for the System Catalog application)

3. Provide the credentials of the 'admin' user.

4. The System Catalog home page is shown.

OAAM 11g R2- Enabling OAAM OTP Feature

OAAM Configuration

1. Open a browser and access the OAAM Admin interface at http://<HOST>:<PORT>/oaam_admin

2. Provide the admin user credentials and click Login.

3. On the home page, double-click Properties in the left menu.

4. Edit the properties:

a. Set bharosa.uio.default.register.userinfo.enabled to true and click Save.

b. Set bharosa.uio.default.userpreferences.userinfo.enabled to true and click Save.

5. Log in to Enterprise Manager on the Admin Server where the SOA Server is deployed, e.g. http://<ADMIN_HOST>:<ADMIN_PORT>/em

6. Navigate to the User Messaging Service home page.

7. Click usermessagingserver(soa_server1). The Associated Drivers page appears.

8. Select the Local tab to access the drivers collocated with the UMS server instance. These drivers may or may not be registered with the UMS server depending on whether they are properly configured. The All tab lists all drivers that are deployed in the domain and registered to all the UMS server instances.

9. Find the email driver in the list, and then click the adjacent Configure Driver icon.

10. The configuration page is displayed.

11. If needed, expand the Driver-Specific Configuration section and configure the driver parameters.

12. To configure email as the OTP delivery mechanism, set the following OAAM properties:

a. bharosa.uio.default.ums.integration.webservice – UMS Web service URL

b. bharosa.uio.default.ums.integration.parlayx.endpoint – UMS ParlayX URL

c. bharosa.uio.default.ums.integration.useParlayX=false – selects the Web service or the ParlayX API. The value is false by default (preferred).

d. bharosa.uio.default.ums.integration.userName – UMS integration user name

e. bharosa.uio.default.ums.integration.password – UMS integration password

f. bharosa.uio.default.ums.integration.fromAddress – UMS From address

g. bharosa.uio.default.otp.optOut.enabled – enables the Opt Out button

Configuring Checkboxes and Fields on the Registration Pages

To configure terms and conditions checkboxes and fields on the OTP registration page, add the properties in the following sections to the oaam_custom.properties file.

To configure checkboxes and fields, follow these steps:

1. Create a work folder called oaam_extensions. (The folder can be created anywhere as long as it is outside the installation folder.)

2. Locate oracle.oaam.extensions.war, which is in the IAM_Home/oaam/oaam_extensions/generic directory.

3. Explode oracle.oaam.extensions.war into the oaam_extensions folder.

4. Open the oaam_custom.properties file in the WEB-INF/classes/bharosa_properties directory of the exploded oaam_extensions folder.

5. Add the following properties:

bharosa.uio.default.userinfo.inputs.enum.terms=4
bharosa.uio.default.userinfo.inputs.enum.terms.name=Terms and Conditions
bharosa.uio.default.userinfo.inputs.enum.terms.description=Terms and Conditions
bharosa.uio.default.userinfo.inputs.enum.terms.inputname=terms
bharosa.uio.default.userinfo.inputs.enum.terms.inputtype=checkbox
bharosa.uio.default.userinfo.inputs.enum.terms.values=true
bharosa.uio.default.userinfo.inputs.enum.terms.maxlength=40
bharosa.uio.default.userinfo.inputs.enum.terms.required=true
bharosa.uio.default.userinfo.inputs.enum.terms.order=5
bharosa.uio.default.userinfo.inputs.enum.terms.enabled=true
bharosa.uio.default.userinfo.inputs.enum.terms.regex=.+
bharosa.uio.default.userinfo.inputs.enum.terms.errorCode=otp.invalid.terms
bharosa.uio.default.userinfo.inputs.enum.terms.managerClass=com.bharosa.uio.manager.user.DefaultContactInfoManager

bharosa.uio.default.userinfo.inputs.enum.email=1
bharosa.uio.default.userinfo.inputs.enum.email.name=Email Address
bharosa.uio.default.userinfo.inputs.enum.email.description=Email Address
bharosa.uio.default.userinfo.inputs.enum.email.inputname=email
bharosa.uio.default.userinfo.inputs.enum.email.inputtype=text
bharosa.uio.default.userinfo.inputs.enum.email.maxlength=40
bharosa.uio.default.userinfo.inputs.enum.email.required=true
bharosa.uio.default.userinfo.inputs.enum.email.order=2
bharosa.uio.default.userinfo.inputs.enum.email.enabled=true
bharosa.uio.default.userinfo.inputs.enum.email.regex=.+@[a-zA-Z_]+?\\.[a-zA-Z]{2,3}
bharosa.uio.default.userinfo.inputs.enum.email.errorCode=otp.invalid.email
bharosa.uio.default.userinfo.inputs.enum.email.managerClass=com.bharosa.uio.manager.user.DefaultContactInfoManager

The email.regex pattern above allows only letters and underscores between the @ and the dot, so addresses at domains containing digits or hyphens are rejected at registration; widen it before rollout if your user population has such addresses.

6. Rejar oracle.oaam.extensions.war from the parent folder of oaam_extensions using the command:

jar -cvfm oracle.oaam.extensions.war oaam_extensions/META-INF/MANIFEST.MF -C oaam_extensions/ .

7. Shut down the OAAM Admin and OAAM Server managed servers.

8. Start the WebLogic Server where Oracle Adaptive Access Manager is deployed and log in to the WebLogic Administration Console.

9. Navigate to Domain Environment > Deployments and click Lock & Edit.

10. Click Install.

11. Browse to the location of the oracle.oaam.extensions.war file, select it by clicking the radio button next to the .war file, and click Next.

12. Ensure "Install this deployment as a library" is selected and click Next.

13. Select the deployment targets OAAM Admin and OAAM Server.

14. Click Next again to accept the defaults on the next page, then click Finish.

15. Click Save and then Activate Changes.

16. Start the OAAM Admin and OAAM Server managed servers.


Configuring Policies and Rules to Use OTP Challenge

Policies in the Challenge checkpoint determine the type of challenge presented to the user. To configure a policy with a rule that OTP-challenges users in specific scenarios, perform the following steps:

1. Log in to the OAAM Administration Console.

2. Double-click Policies in the left menu.

3. On the Policies Search page, click New Policy.

4. The New Policy page appears. On the Summary tab, create a post-authentication security policy:

a. For Policy Name, enter OTP Challenge for Many Failures.

b. For Description, enter a description for the policy.

c. For Checkpoint, select Post-Authentication.

d. Modify the policy status, scoring engine, and weight according to your requirements.

5. By default, the policy status is Active. A policy that is disabled is not enforced at the checkpoint.

6. Click Apply.

7. Click OK to dismiss the confirmation dialog.

8. Click the Rules tab.

a. Add general summary information about the rule.

b. On the Conditions tab, add the User: Check OTP failures condition or other OTP-related conditions.

c. On the Results tab, specify OAAM Challenge as the Action group.

d. Link the policy to all users.

9. In the default policies, if OTP is enabled, KBA challenges occur after a user is OTP blocked.

10. High-risk users are OTP challenged. The user is presented with the appropriate virtual authentication device and receives the OTP through the proper channel. If the user fails the OTP challenge, he is KBA-challenged.

11. The OAAM Challenge Policy trigger combinations are defined on the policy's Trigger Combinations tab.

Note – I am still trying to figure out how to arrange these so that if Challenge Email is available then OTP triggers, and if Challenge Email is not available then KBA triggers.

 

Customizing OTP Registration Text and Messaging

The registration page text, the challenge type message subject, the body of the message, and the message itself can be fully customized by specifying custom values in resource bundle files and deploying the changes via OAAM extension shared libraries.

To customize the content and messaging of the registration pages, add the properties described in the following sections to the client_resource_locale.properties file.

1. Create a work folder called oaam_extensions. (The folder can be created anywhere as long as it is outside the installation folder.)

2. Locate oracle.oaam.extensions.war, which is in the IAM_Home/oaam/oaam_extensions/generic directory.

3. Explode oracle.oaam.extensions.war into the oaam_extensions folder.

4. Create a client_resource_locale.properties file in the WEB-INF/classes directory of the exploded oaam_extensions folder.

5. Add the customized text and messages to this file.

For example, to customize the terms and conditions, add the following line to client_resource_locale.properties:

bharosa.uio.default.userinfo.inputs.enum.terms.name=I agree to the COMPANY A terms & conditions. Click to view full <a href="javascript:infoWindow('terms');">Terms & Conditions</a> and <a href="javascript:infoWindow('privacy');">Privacy Policy</a>.

For example, to customize the message displayed when a user registers a mobile phone, add the following line to client_resource_locale.properties:

bharosa.uio.default.register.userinfo.message=For your protection please enter your mobile telephone number so we may use it to verify your identity in the future. Please ensure that you have text messaging enabled on your phone.

6. Rejar oracle.oaam.extensions.war from the parent folder of oaam_extensions using the command:

jar -cvfm oracle.oaam.extensions.war oaam_extensions/META-INF/MANIFEST.MF -C oaam_extensions/ .

7. Shut down the OAAM Admin and OAAM Server managed servers.

8. Start the WebLogic Server where Oracle Adaptive Access Manager is deployed and log in to the WebLogic Administration Console.

9. Navigate to Domain Environment > Deployments and click Lock & Edit.

10. Click Install.

11. Browse to the location of the oracle.oaam.extensions.war file, select it by clicking the radio button next to the .war file, and click Next.

12. Ensure "Install this deployment as a library" is selected and click Next.

13. Select the deployment targets OAAM Admin and OAAM Server.

14. Click Next again to accept the defaults on the next page, then click Finish.

15. Click Save and then Activate Changes.

16. Start the OAAM Admin and OAAM Server managed servers.

Configuring One Time Password Expiry Time

Note: This property works for the OTP API, but as of now OAAM Server does not use the API. Hence, by default, an OAAM Server OTP is valid for the session or until used.

1. To set the OTP email password expiry time, add the property bharosa.uio.default.challenge.type.enum.ChallengeEmail.otpexpirytimeMs to oaam_custom.properties.

The time is in milliseconds. For example, to set the OTP expiration time to 5 minutes, set the property to 300000 (5 × 60 × 1000 ms).

Configure One-Time Password Generation

1. You can configure the one-time password through property edits. The following properties are used to generate the OTP:

# OTP pin generation config
bharosa.uio.otp.generate.code.length = 5
bharosa.uio.otp.generate.code.characters = 1234567890
bharosa.uio.default.userinfo.inputs.enum.mobile.enabled=false
bharosa.uio.default.userinfo.inputs.enum.mobile.required=false

2. The default OTP codes are 5 characters made up of the digits 0-9 (for example: 44569).

bharosa.uio.otp.generate.code.length – designates the length of the OTP.

bharosa.uio.otp.generate.code.characters – designates the characters to use when generating the OTP.

3. The following example generates a 4-character OTP code from the digits 0-9 and the letters a-d (for example: 0c6a):

bharosa.uio.otp.generate.code.length = 4
bharosa.uio.otp.generate.code.characters = 1234567890abcd

Note that this shrinks the code space: 14 characters to the power of 4 gives 38,416 possible codes, fewer than the 100,000 of the 5-digit default, so pair a shorter code with a strict failure counter (see Configuring Failure Counter below).

 

Configuring Failure Counter

When a user fails the OTP challenge, a counter is updated to indicate that the user has had a failure.

The failure counter is set by default in the OAAM Challenge Policy, but you can customize it by following these instructions:

1. Open the OAAM Challenge Policy.

2. Open the appropriate maximum failed OTP rule and edit the appropriate properties.

Rule: Max failed Email attempts
Condition: User: Check OTP failures
  OTP Challenge Type = ChallengeEmail
  Failure More than or Equal To = 3
  If above or equal = TRUE
Results: Action = NONE; Alert = NONE; Score = 0

Rule: Max failed Question attempts
Condition: User: Challenge Maximum Failures
  Number of Failures More than or equal to = 3
  Current Question Count only? = False
  If above or equal, return = True
Results: Action = NONE; Alert = NONE; Score = 0

Configuring Challenge Type Devices for OTP

If you want to change the default challenge type devices used for challenges, proceed as follows:

1. Log in to the OAAM Administration Console.

2. In the Navigation pane, double-click Properties under the Environment node. The Properties Search page is displayed.

3. Enter bharosa.uio.default.use.authentipad.checkpoint in the Name field and click Search.

4. Click to select the property in the Search Results section.

5. Change the value to false, and click Save.

6. Click New Property to add a new property:

bharosa.uio.default.<ChallengeType>.authenticator.device=<DeviceType>

7. Click Save to save the property.

8. Examples configuring the SMS and email challenges to use the TextPad and PinPad devices:

bharosa.uio.default.ChallengeSMS.authenticator.device=DeviceTextPad
bharosa.uio.default.ChallengeEmail.authenticator.device=DevicePinPad

 

OAM Configuration

1. Open a browser and access the OAM admin console at http://<host>:<port>/oamconsole

2. Provide the admin user credentials and click Login.

3. On the home page go to Policy Configuration > Application Domains.

4. In Application Domains, click the domain you want to protect with OAAM.

5. Go to the Authentication Policy tab and click Protected Resource Policy.

6. Select TAP Scheme as the Authentication Scheme and click Apply.

7. The policy now shows TAP Scheme as its authentication scheme.

Testing

NOTE – this use case covers the first-time login of a user.

1. Start the Webgate for which you have configured the TAP Scheme.

2. Access the protected application URL: http://<WEBGATE_HOST>:<WEBGATE_PORT>/index.html

3. The user is redirected to the OAAM login page. Provide the user name and click Continue.

4. Provide the user's password and click Enter.

5. If it is the user's first login, the system shows the registration screen. Click Continue to register the user.

6. The system selects a default image, image phrase and virtual authentication device on behalf of the user.

7. To accept the default settings, click Continue; otherwise change any of the default settings.

8. The user changes the settings and clicks Continue.

9. The user selects the security questions and answers.

10. The user clicks Enter.

11. The OTP screen is shown to register the email address and mobile phone.

12. After successful registration, the protected resource is displayed.

13. Now the user should log out and log in again.

14. The user-selected device, image and phrase are displayed.

15. Provide the user's password and click Enter.

16. If the user name and password are accepted, the system sends an OTP to the registered email address.

NOTE – the following screen is displayed only if the Second Factor rule is active. Otherwise the user is authenticated after step 15.

17. The user receives an email with the OTP.

18. The user provides the OTP using the virtual PIN pad and clicks Enter.

19. If successful, the protected page is displayed.

 

OAAM 11g R2- Enabling OAAM for User Geo Location based Pre-Authentication

OAAM Configuration

1. Open a browser and access the OAAM Admin interface at http://<HOST>:<PORT>/oaam_admin

2. Provide the admin user credentials and click Login.

3. On the home page, double-click Groups in the left menu.

4. Select IP as the Group Name and click Search.

5. Open the My IP Range group.

6. Click the IP Ranges tab.

7. Click the (+) icon.

8. Provide the IP range and click Add.

9. The IP range is added.

10. The group now lists the new range.

11. Double-click Policies in the left menu.

12. Search for and open the IP Check policy.

13. Select the Rules tab.

14. Click the (+) icon.

15. Provide the following details:

Rule Name: Restricted IPs

Policy Name: IP Check

Rule Status: Active

Rule Notes: Restricted IPs

16. Go to the Conditions tab and click the (+) icon.

17. Search for the IP in Range condition. Select it and click Add.

18. Select the LOCATION: IP in Range condition and provide the following values:

Is IP in IP range group: True

IP range group: My IP Range

19. Click Save.

20. Go to the Results tab and provide the following details:

Action Group: OAAM Block

Alert Group: OAAM Restricted IP

21. Click Apply.

Testing

1. Start the Webgate for which you have configured the TAP Scheme.

2. Access the protected application URL: http://<WEBGATE_HOST>:<WEBGATE_PORT>/index.html

3. The user is redirected to the OAAM login page. Provide the user name and click Continue.

4. As my system's IP is in the blocked IP address range, the block message is displayed.

5. Open the My IP Range group.

6. Click the IP Ranges tab.

7. Select and open the IP range.

8. Provide an IP range that does not include your system's IP and click OK.

9. The IP range is updated.

10. The group now lists the updated range.

11. Log out and log in again.

12. The user is redirected to the OAAM login page. Provide the user name and click Continue.

13. The user-selected device, image and phrase are displayed.

14. Provide the user's password and click Enter.

15. If the user name and password are accepted and KBA is enabled, the challenge question page is displayed.

16. The user provides the answer to the question and clicks Enter.

17. If the answer is correct, the protected page is displayed.

OAAM 11g R2- Enabling OAAM for User Group based Challenge

OAAM Configuration

1. Open a browser and access the OAAM Admin interface at http://<HOST>:<PORT>/oaam_admin

2. Provide the admin user credentials and click Login.

3. On the home page, double-click Groups in the left menu.

4. Click New Group.

5. Provide the following details:

Group Name: XYZ

Group Type: User ID

Cache Policy: None

Enter a description: Group used to enforce Second Factor Authentication Challenge

6. Click Create.

7. Select the User ID tab and click the (+) icon.

8. Search for the user and click Add.

9. The user is added.

10. The group now lists the user.

11. Double-click Policies in the left menu.

12. Search for and open the OAAM Post-Authentication Security policy.

13. Select the Rules tab.

14. Click to open the Second Factor rule.

15. Select the Conditions tab and click the (+) icon.

16. Search for the User: In Group condition. Select it and click Add.

17. Click the User: In Group condition and select the following values:

Is in Group: True

User Group: XYZ

18. Click Save.

Testing

1. Start the Webgate for which you have configured the TAP Scheme.

2. Access the protected application URL: http://<WEBGATE_HOST>:<WEBGATE_PORT>/index.html

3. The user is redirected to the OAAM login page. Provide the user name and click Continue.

4. The user-selected device, image and phrase are displayed.

5. Provide the user's password using the virtual keypad and click Enter.

6. If the user name and password are accepted, the system asks for the answer to a random security question selected during registration.

NOTE – this page is displayed because user.7 belongs to the XYZ group.

7. The user provides the answer and clicks Enter.

8. If successful, the protected page is displayed.

9. Log out and log in again using a user who does not belong to the XYZ group.

10. The user is redirected to the OAAM login page. Provide the user name and click Continue.

11. The user-selected device, image and phrase are displayed.

12. Provide the user's password and click Enter.

13. If the user name and password are accepted, the protected page is displayed.

NOTE – the user is not challenged for question/answer verification because ramsita does not belong to the XYZ group.

OES 11g R2 -OAM 11g R2 Integration with MOSS 2010

1. Go to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\GLOBAL and edit the default.master file as follows.

Add the line (in yellow) in the following block of lines:

<head runat="server">
<meta name="GENERATOR" content="Microsoft SharePoint">
<meta name="progid" content="SharePoint.WebPartPage.Document">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Expires" content="0">
<SharePoint:RobotsMetaTag runat="server"/>
<title id="onetidTitle"><asp:ContentPlaceHolder id="PlaceHolderPageTitle" runat="server"/></title>
<SharePoint:CssLink runat="server"/>
<SharePoint:Theme runat="server"/>
<SharePoint:ULSClientConfig runat="server"/>
<SharePoint:ScriptLink language="javascript" name="core.js" defer="true" runat="server" />
<SharePoint:CustomJSUrl runat="server" />
<SharePoint:SoapDiscoveryLink runat="server" />
<asp:ContentPlaceHolder id="PlaceHolderAdditionalPageHead" runat="server"/>
<SharePoint:DelegateControl runat="server" ControlId="AdditionalPageHead" AllowMultipleControls="true"/>
<asp:ContentPlaceHolder id="PlaceHolderBodyAreaClass" runat="server"/>
<SharePoint:DelegateControl runat="server" ControlId="PageHeader"/>
</head>

Create Site in MOSS2010

1. Go to Start and click SharePoint Central Administration.

2. If prompted for a username and password, provide the credentials used for the Windows login.

3. On the home page click Application Management.

4. Click Create New Web Application.

5. Provide the required information.

6. Click OK.

7. Click the Create Site Collection link and provide the required information.

8. Provide the Administrator name.

9. Click OK.

10. Click the site link; when prompted, provide the site admin credentials.

11. The home page is displayed.

12. Click All Site Content.

13. Create announcements/events and add new links as required.

In this setup the site URL is http://ad2008:38914/HIX/SitePages/Home.aspx

14.  To create WS SM Edit the following file: $OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.ws.controlled.prp

#  Policy dustribution mode. Possible values:

#   controlled-push – if this mode is set you need to configire Policy Distribution configiration parameters

oracle.security.jps.runtime.pd.client.policyDistributionMode=controlled-push

#  ——– Policy Distributor connectivity information – required for controlled-push distribution mode

oracle.security.jps.runtime.pd.client.RegistrationServerHost=oeseval.oeseval

oracle.security.jps.runtime.pd.client.RegistrationServerPort=7002

#———- ONLY for  WS SM  —————————–

# port number to accept authorization requests

oracle.security.jps.pdp.wssm.WSServiceRegistryPortNumber=9000

# SM name

oracle.security.jps.runtime.pd.client.sm_name=MOSS_WS_SM

# >>>>>>>>>>>>OPTIONAL PARAMETERS<<<<<<<<<<<<<<<<<

# ———— Only for Java SM, WS SM, and RMI SM in controlled-push mode ——————–

#  port to listen for policy distribution. Picked automatically by SM config tool if not specified

oracle.security.jps.runtime.pd.client.DistributionServicePort=

oracle.security.jps.runtime.pd.client.sm_type=ws

15.   Run config.cmd from $OES_CLIENT_HOME/oessm/bin:

config.cmd -smConfigId <SM_NAME_AS_IN_PRP_FILE> -WSListeningPort 9000 -prpFileName $OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.ws.controlled.prp

25-OES-OAM-MOSS2010

16.   To create the MOSS SM, edit the following file: $OES_CLIENT_HOME/oessm/mosssm/adm/configtool/moss_config.properties

### This file lists the properties SMConfigTool uses to configure the MOSS Server

################################################################################################

#### The following section contains mandatory properties; make sure they are set correctly ####

################################################################################################

### Microsoft .NET Framework Global Assembly Cache Utility Location

gac.utility=C:/Program Files/Microsoft SDKs/Windows/v7.1/Bin/gacutil.exe

### WINDOWS 2003 and .NET 3.0 Global Assembly Cache Utility Location

## gac.utility=C:\\WINDOWS\\Microsoft.NET\\Framework\\v1.1.4322\\gacutil.exe

### Location of the Microsoft SharePoint web server extensions, which is the "location" value of

### registry key "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\Web Server Extensions\\12.0" (MOSS 2007) or

### "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\Web Server Extensions\\14.0" (MOSS 2010).

## FOR MOSS 2010 ##########

moss.webextension.location=C:/Program Files/Common Files/Microsoft Shared/Web Server Extensions/14/

## FOR MOSS 2007 ##########

## moss.webextension.location=C:\\Program Files\\Common Files\\Microsoft Shared\\web server extensions\\12\\

### moss web config file

moss.web.config=C:\\Inetpub\\wwwroot\\wss\\VirtualDirectories\\32992\\web.config

NOTE- The directory under VirtualDirectories is named after the port of the SharePoint web application being protected (32992 in this sample file). Use the port of your own site; it must be the same port that appears in moss.sharepointSite below (38914 elsewhere in this walkthrough).

### OES webservice uri

moss.SmUrl = http://ad2008.example.com:9000

### log4net configuration file

moss.log4NetXmlfile= C:/oracle/product/11.1.1/as_1/oessm/mosssm/adm/runtime/log4net.xml

### moss site uri that OES is to protect

moss.sharepointSite= http://ad2008.example.com:38914

### the application ID to represent the protected MOSS web application

application.id = MossApp

### OES resourcetype name of all the MOSS resources

moss.resourcetype = MossResourceType

### Resource extensions that are skipped by OES authorization and served without a decision; keep this to static content such as js and css scripts.

moss.IgnoredExtensions=png,js,css,axd

### URL expressions excluded from OES authorization, for example the login pages, which must be reachable before any decision can be made.

### The following value is a sample of the URLs to ignore for a MOSS 2010 FBA site that uses the default login page.

### For a MOSS 2007 FBA site, _layouts/login.aspx should be ignored if the default login page is used.

moss.IgnoredURLExpression=/_layouts/Authenticate.aspx,/_login/default.aspx,/_forms/default.aspx

######################################################################################

#### Following are the optional properties, default value will be used if not set ####

######################################################################################

### operation for MOSS configuration, config or remove, default to config

moss.operation = config

### MOSS version; supported versions are 2007 and 2010, default 2010

moss.version=2010

### enable OES: default is true

moss.enableOES=true

17.   Run config.cmd from $OES_CLIENT_HOME/oessm/bin (the command is a single line):

config.cmd -smType moss -prpFileName $OES_CLIENT_HOME\oessm\SMConfigTool\smconfig.ws.controlled.prp -mossprpFileName $OES_CLIENT_HOME\oessm\mosssm\adm\configtool\moss_config.properties

NOTE- If copy/paste does not work properly, enter the arguments manually.

 26-OES-OAM-MOSS2010

NOTE- If the command fails with an error about installing the MOSS DLLs, register log4net.dll and OES.Sharepoint.dll in the Global Assembly Cache manually with the following commands:

gacutil.exe -i "$OES_CLIENT_HOME\oessm\mosssm\lib\log4net.dll"

gacutil.exe -i "$OES_CLIENT_HOME\oessm\mosssm\lib\OES.Sharepoint.dll"

 27-OES-OAM-MOSS2010

NOTE- If the site was created with Classic Mode Authentication, the existing OES.Sharepoint.dll may not work. Please let me know if you need the updated DLL that supports Classic Mode authentication; it is scheduled to be released in PS2.

18.   Run the following command from $OES_CLIENT_HOME\oessm\mosssm\lib and answer its prompts:

MOSSResourceDiscovery.exe

Enter the folder path where you want to create the OES policy file

C:\MOSSResource   (this folder must exist beforehand)

Enter the path where the Admin URL file is located

$OES_CLIENT_HOME\oessm\mosssm\adm\discovery\AdmUrls.txt

Enter the SharePoint site URL; do not append a trailing /. e.g. http://sharepoint01

http://ad2008.example.com:38914

Enter the Application Name of the MOSS application to be protected by OES. e.g. MossApp

MossApp (the same value as application.id in moss_config.properties)

Enter the Resource Type of all the MOSS resources. e.g. MossResourceType

MossResourceType (the same value as moss.resourcetype in moss_config.properties)

 28-OES-OAM-MOSS2010 29-OES-OAM-MOSS2010

 19.   The directory will contain the following files-

 30-OES-OAM-MOSS2010

20.   Open $OES_CLIENT_HOME\oes_sm_instances\<INSTANCE_HOME>\config\wsclient\jps-config.xml and make the following changes. Note that this file then holds the OPSS schema password in clear text in security.credential, so restrict its file permissions to the account that runs the SM.

    <propertySets>

...

<propertySet name="props.db.1">

<property value="cn=<DOMAIN_IN_WEBLOGIC>" name="oracle.security.jps.farm.name" />

<property value="DB_ORACLE" name="server.type" />

<property value="cn=jpsroot" name="oracle.security.jps.ldap.root.name" />

<property name="jdbc.url" value="jdbc:oracle:thin:@<OPSS_SCHEMA_HOST>:<PORT>/<SID>" />

<property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver" />

<property name="security.principal" value="<OPSS_SCHEMA_NAME>" />

<property name="security.credential" value="<OPSS_SCHEMA_PASSWORD>" />

</propertySet>

...

</propertySets>

    <serviceProviders>

...

<serviceProvider type="POLICY_STORE" name="policy.rdbms">

<property name="policystore.type" value="DB_ORACLE"/>

</serviceProvider>

...

</serviceProviders>

    <serviceInstances>

...

<serviceInstance name="credstore.enroll" provider="credstoressp" location="D:\oracle\product\11.1.1\as_1\oes_sm_instances\MOSS_WS_SM\config\enroll"/>

<serviceInstance name="pdp.service" provider="pdp.service.provider">

<property name="oracle.security.jps.pdp.PDPTransport" value="WS"/>

<property name="oracle.security.jps.pdp.proxy.PDPAddress" value="http://ad2008:9000"/>

<property name="oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs" value="10000"/>

<property name="oracle.security.jps.pdp.proxy.FailureRetryCount" value="3"/>

<property name="oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs" value="180000"/>

<property name="oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs" value="60000"/>

</serviceInstance>

<serviceInstance name="policystore.db" provider="policy.rdbms">

<property name="policystore.type" value="DB_ORACLE" />

<propertySetRef ref="props.db.1" />

</serviceInstance>

</serviceInstances>

<jpsContexts default="default">

<jpsContext name="default">

<serviceInstanceRef ref="pdp.service"/>

<serviceInstanceRef ref="policystore.db"/>

</jpsContext>

...

</jpsContexts>

</jpsConfig>
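Steps 14, 16, 18 and 20 each carry a copy of the same few values: the WS SM port (9000), the application ID (MossApp), the resource type (MossResourceType) and the protected site URL. When two copies disagree, the symptom is a failed decision at test time rather than a configuration error. The script below is an added example for this walkthrough, not Oracle tooling; it parses fragments of the three files plus the discovery answers and reports disagreements. The embedded fragments are constructed from the values on this page, which is enough to surface the one disagreement already present in them (moss.web.config points at VirtualDirectories\32992 while the site runs on 38914).

```python
"""Cross-check the OES MOSS SM configuration files for values that must agree.

Added example for this walkthrough, not Oracle tooling. The three fragments
below are constructed from the values shown on the page so the script runs
offline; replace them with the contents of the real files to check a live
install.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# smconfig.ws.controlled.prp (step 14), trimmed to the keys checked here
SMCONFIG_PRP = """\
oracle.security.jps.runtime.pd.client.policyDistributionMode=controlled-push
oracle.security.jps.pdp.wssm.WSServiceRegistryPortNumber=9000
oracle.security.jps.runtime.pd.client.sm_name=MOSS_WS_SM
oracle.security.jps.runtime.pd.client.sm_type=ws
"""

# moss_config.properties (step 16); backslashes are doubled as in a Java properties file
MOSS_PROPERTIES = """\
moss.web.config=C:\\\\Inetpub\\\\wwwroot\\\\wss\\\\VirtualDirectories\\\\32992\\\\web.config
moss.SmUrl = http://ad2008.example.com:9000
moss.sharepointSite= http://ad2008.example.com:38914
application.id = MossApp
moss.resourcetype = MossResourceType
"""

# the pdp.service instance from jps-config.xml (step 20)
JPS_CONFIG_XML = """\
<jpsConfig>
  <serviceInstances>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="oracle.security.jps.pdp.PDPTransport" value="WS"/>
      <property name="oracle.security.jps.pdp.proxy.PDPAddress" value="http://ad2008:9000"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

# values typed at the MOSSResourceDiscovery prompts (step 18)
DISCOVERY_INPUT = {"site": "http://ad2008.example.com:38914",
                   "application": "MossApp",
                   "resource_type": "MossResourceType"}


def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#' comments and blank lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def pdp_address_port(xml_text):
    """Port of the PDPAddress property inside the pdp.service instance, or None."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if prop.get("name") == "oracle.security.jps.pdp.proxy.PDPAddress":
            return urlparse(prop.get("value")).port
    return None


def check_consistency(prp_text, moss_text, jps_text, discovery):
    """Return a list of human-readable mismatches; an empty list means consistent."""
    prp = parse_properties(prp_text)
    moss = parse_properties(moss_text)
    problems = []

    # 1. The PDP port: the WS SM listens on it, the MOSS SM and the Java client call it.
    ws_port = int(prp["oracle.security.jps.pdp.wssm.WSServiceRegistryPortNumber"])
    sm_url_port = urlparse(moss["moss.SmUrl"]).port
    jps_port = pdp_address_port(jps_text)
    if not (ws_port == sm_url_port == jps_port):
        problems.append(f"PDP port disagrees: prp={ws_port} moss.SmUrl={sm_url_port} "
                        f"jps-config PDPAddress={jps_port}")

    # 2. The protected site: web.config directory, sharepointSite and the discovery URL.
    site_port = urlparse(moss["moss.sharepointSite"]).port
    m = re.search(r"VirtualDirectories[\\/]+(\d+)", moss["moss.web.config"])
    webconfig_port = int(m.group(1)) if m else None
    if webconfig_port != site_port:
        problems.append(f"moss.web.config is under VirtualDirectories\\{webconfig_port} "
                        f"but moss.sharepointSite uses port {site_port}")
    if moss["moss.sharepointSite"].rstrip("/") != discovery["site"].rstrip("/"):
        problems.append("moss.sharepointSite and the discovery site URL differ")
    if moss["moss.sharepointSite"].endswith("/"):
        problems.append("moss.sharepointSite must not end with '/'")

    # 3. Application ID and resource type must match what discovery wrote into the policy file.
    for key, prompt in (("application.id", "application"), ("moss.resourcetype", "resource_type")):
        if moss[key] != discovery[prompt]:
            problems.append(f"{key}={moss[key]!r} but discovery was given {discovery[prompt]!r}")

    if prp.get("oracle.security.jps.runtime.pd.client.sm_type") != "ws":
        problems.append("sm_type must be 'ws' for the WS SM the MOSS SM talks to")
    return problems


if __name__ == "__main__":
    for p in check_consistency(SMCONFIG_PRP, MOSS_PROPERTIES, JPS_CONFIG_XML, DISCOVERY_INPUT):
        print("MISMATCH:", p)
```

Replace the embedded strings with the real file contents to run it against an installation; all checks are read-only.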

21. Go to $OES_CLIENT_HOME\oessm\bin, open manage-policy.cmd and set the following variables:

SET OES_CLIENT_HOME="C:\oracle\product\11.1.1\as_1"

SET OES_INSTANCE_NAME=MOSS_WS_SM

22.   Run manage-policy.cmd and give the parameter values as configured in the earlier steps.

NOTE- Run the command for object1.

 31-OES-OAM-MOSS2010

 23.   The output will be something like-

 32-OES-OAM-MOSS2010

24.   Now go to the APM console and verify that the Application and Resource Type have been created.

33-OES-OAM-MOSS2010

25.   Resources are also created.

34-OES-OAM-MOSS2010

26.   The Entitlement is also created.

35-OES-OAM-MOSS2010

27.   A default authorization policy is also created.

36-OES-OAM-MOSS2010

28.   Copy the $JAVA_HOME\jre\lib\logging.properties file to $OES_INSTANCE_HOME\config and change the following values:

………………………………………………………………………………………………..

# handlers= java.util.logging.ConsoleHandler

Note- Comment out the ConsoleHandler line above and enable the FileHandler line below.

# To also add the FileHandler, use the following line instead.

handlers= java.util.logging.FileHandler

.level = FINE

...

# default file output is in the user's home directory.

# path of the log file to be created:

java.util.logging.FileHandler.pattern = C:/Logs/SMLogs/Java_%u.log

java.util.logging.FileHandler.limit = 50000

java.util.logging.FileHandler.count = 1

java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter

# Limit the messages that are printed on the console to INFO and above.

# java.util.logging.ConsoleHandler.level = INFO

#java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter

………………………………………………………………………………………………………………………………

29.   Edit the log4net.xml located in $OES_CLIENT_HOME\oessm\mosssm\adm\runtime and change the following values:

<log4net>

<appender name="RollingFileAppender" type="log4net.Appender.RollingFileAppender">

<file value="C:\\Logs\\OES.Sharepoint.log" />

<rollingStyle value="Size" />

<appendToFile value="true" />

<maximumFileSize value="1024KB" />

<maxSizeRollBackups value="10" />

<layout type="log4net.Layout.PatternLayout">

<conversionPattern value="%level %d  %logger - %message%newline" />

</layout>

<lockingModel type="log4net.Appender.FileAppender+MinimalLock" />

</appender>

<root>

<level value="DEBUG" />

<appender-ref ref="RollingFileAppender" />

</root>

</log4net>

30.   Start the WS SM: $OES_CLIENT_HOME\oes_sm_instances\MOSS_WS_SM\startWSServer.cmd

 37-OES-OAM-MOSS2010

31.   Go to the APM Console and Follow the steps to complete the integration.

 38-OES-OAM-MOSS2010 39-OES-OAM-MOSS2010 40-OES-OAM-MOSS2010

 NOTE- You will now be able to create and push policies to the PDP.

32.   Click Authorization Management, select the application created during this setup and click New under Authorization Policies.

 41-OES-OAM-MOSS2010

33.   Now create a new authorization policy that grants View to all users on all resources. This is a smoke test only: with Anonymous Role among the principals and .* as the resource expression, every request to the site is permitted whether or not the caller authenticated, so replace it with a policy scoped to real roles and resources before going beyond the test.

Effect: Permit
Principals: Authenticated-Role, Anonymous Role
Resource Expression: .*
Targets: View, ANY

 42-OES-OAM-MOSS2010

 34.   Now select the + for Targets and click on Resources > Resource Expression and enter the details as mentioned in the screenshot.

 43-OES-OAM-MOSS2010

 35.   Then select both the actions.

 44-OES-OAM-MOSS2010

 36.   Now the policy will look like below. Save the Policy.

 45-OES-OAM-MOSS2010

37.   After the authorization policy is created and saved, click the application name at the top, click the Policy Distribution tab and click Distribute.

46-OES-OAM-MOSS2010

NOTE- When integrating with OAM, every header variable that is to be used as a condition in an authorization policy must be created as a dynamic Attribute Extension in each domain.
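Step 16 configured what the MOSS SM skips (moss.IgnoredExtensions, moss.IgnoredURLExpression) and step 33 wrote the policy it evaluates. The following is an added model of that decision path, written for this page; it is not the OES.Sharepoint.dll code, it does not talk to the WS SM, and the matching rules it assumes are listed in its docstring. SITE_USERS_POLICY in it is a hypothetical tighter policy, not one from the page. Running it shows the two things worth knowing before distributing the smoke-test policy: anything on the ignore lists is never authorized at all, and with Anonymous Role plus .* every caller is permitted everywhere.

```python
"""Model of the MOSS SM decision path implied by the configuration above.

Added example written for this page; it is not the OES.Sharepoint.dll code
and it never contacts the WS SM. Assumptions: moss.IgnoredURLExpression
entries are regular expressions searched in the request path, a policy's
resource expression is matched against the whole request path, a policy
applies when the caller holds any one of its principals, and a matching
Deny wins over a matching Permit (deny-overrides).
"""
import re
from dataclasses import dataclass, field

AUTHENTICATED_ROLE = "Authenticated-Role"   # any caller that authenticated
ANONYMOUS_ROLE = "Anonymous Role"           # unauthenticated callers


@dataclass
class Policy:
    effect: str               # "Permit" or "Deny"
    principals: set           # roles; holding any one of them makes the policy applicable
    resource_expression: str  # regex the whole request path must match
    actions: set              # e.g. {"View"}; "ANY" matches every action


@dataclass
class MossSmConfig:
    ignored_extensions: set = field(default_factory=lambda: {"png", "js", "css", "axd"})
    ignored_url_expressions: list = field(default_factory=lambda: [
        "/_layouts/Authenticate.aspx", "/_login/default.aspx", "/_forms/default.aspx"])


def is_ignored(cfg, path):
    """True when the MOSS SM serves the request without asking the PDP at all."""
    path = path.split("?", 1)[0]
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    if ext in cfg.ignored_extensions:
        return True
    return any(re.search(expr, path) for expr in cfg.ignored_url_expressions)


def decide(cfg, policies, caller_roles, path, action):
    """Return (outcome, reason); outcome is 'bypass', 'permit' or 'deny'."""
    if is_ignored(cfg, path):
        return "bypass", "served without an authorization decision (ignore list)"
    path = path.split("?", 1)[0]
    outcomes = set()
    for p in policies:
        if not (p.principals & caller_roles):
            continue
        if re.fullmatch(p.resource_expression, path) is None:
            continue
        if "ANY" not in p.actions and action not in p.actions:
            continue
        outcomes.add(p.effect.lower())
    if "deny" in outcomes:
        return "deny", "an applicable Deny policy matched (deny-overrides)"
    if "permit" in outcomes:
        return "permit", "an applicable Permit policy matched"
    return "deny", "no applicable policy (default deny)"


# The smoke-test policy from step 33: everyone, every resource, View.
SMOKE_TEST_POLICY = Policy("Permit", {AUTHENTICATED_ROLE, ANONYMOUS_ROLE}, ".*", {"View", "ANY"})

# A hypothetical tighter replacement: authenticated callers only, View only, the /HIX site only.
SITE_USERS_POLICY = Policy("Permit", {AUTHENTICATED_ROLE}, r"/HIX/.*", {"View"})

if __name__ == "__main__":
    cfg = MossSmConfig()
    home = "/HIX/SitePages/Home.aspx"
    for label, policies in (("smoke test", [SMOKE_TEST_POLICY]), ("site users", [SITE_USERS_POLICY])):
        for roles in ({ANONYMOUS_ROLE}, {AUTHENTICATED_ROLE}):
            print(label, sorted(roles), home, decide(cfg, policies, roles, home, "View"))
    print("login page:", decide(cfg, [SITE_USERS_POLICY], {ANONYMOUS_ROLE},
                                "/HIX/_layouts/Authenticate.aspx", "View"))
    print("stylesheet:", decide(cfg, [SITE_USERS_POLICY], {ANONYMOUS_ROLE},
                                "/HIX/Style%20Library/site.css", "View"))
```

With SITE_USERS_POLICY the same anonymous request is denied and an authenticated user is limited to View under /HIX, while the login page and stylesheets still bypass the PDP entirely; that is why the ignore lists deserve the same review as the policy itself.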

38.   Copy the old class file (HelloWBWorld) to $OES_CLIENT_HOME/oes_sm_instances/MOSS_WS_SM

39.   Start the Web Services SM server:

           a. Open a new window

b. cd to $OES_CLIENT_HOME/oes_sm_instances/MOSS_WS_SM

c. Start the Web Services SM process by running startWSServer.cmd

d. Wait until you see "WS SM has started"

47-OES-OAM-MOSS2010

40.   Open a new window and check whether the classpath includes oes-client.jar; if not, set it:

set JAVA_HOME=c:\Java\jdk1.6.0_35

set PATH=%JAVA_HOME%\bin;%PATH%

set CLASSPATH=.;c:\oracle\product\11.1.1\as_1\modules\oracle.oes.sm_11.1.1\oes-client.jar

48-OES-OAM-MOSS2010

41.   Change the resource name and action in the file to match the artifacts created above (application MossApp, resource type MossResourceType).

42.   Compile HelloWBWorld.java with the following command:

javac -cp %CLASSPATH% HelloWBWorld.java

43.   Run the class with the following command (the jps-config.xml edited in step 20 points the client at the WS SM):

java -cp %CLASSPATH% -Doracle.security.jps.config=./config/wsclient/jps-config.xml HelloWBWorld

49-OES-OAM-MOSS2010

44.   Now change the action name in the file and run the program again.

50-OES-OAM-MOSS2010 

45.   Create a user in AD and grant it the "Act as part of the operating system" right.

46.   Open AD and click Add User.

51-OES-OAM-MOSS2010

47.   Create MOSSAdminUser and set the password to never expire.

52-OES-OAM-MOSS2010 53-OES-OAM-MOSS2010

54-OES-OAM-MOSS2010

48.   Now open Local Security Policy, expand Local Policies and click User Rights Assignment. Right-click "Act as part of the operating system", select Properties and add the user. This right lets a process impersonate any account on the host, so grant it only to this dedicated account, never to a group such as Users.

 55-OES-OAM-MOSS2010 56-OES-OAM-MOSS2010 57-OES-OAM-MOSS2010 58-OES-OAM-MOSS2010

 

Set up OAM to protect SharePoint

1. Go to the OAM admin console to create a webgate. Click New OAM 10g Webgate

59-OES-OAM-MOSS2010

2.  Give it the name IIS; the host identifier is filled in automatically. Click Apply.

60-OES-OAM-MOSS2010

3.  On the next screen, enter the user created in step 47 (the one with the OS-level right) and click Apply.

61-OES-OAM-MOSS2010

4.  Install the webgate on the SharePoint box.

5. Unzip oam_int_win_v12_cd1

6. Run Oracle_Access_Manager10_1_4_3_0_CR2_Win64_ISAPI_WebGate.exe

7.  Click next twice

62-OES-OAM-MOSS2010

8. Select IIS

63-OES-OAM-MOSS2010

9. Select Install Directory. Select Next

 64-OES-OAM-MOSS2010

10. Select Next

 65-OES-OAM-MOSS2010

11. Click Yes to All

66-OES-OAM-MOSS2010

12.   Select Open mode. Open mode sends webgate-to-OAM server traffic unencrypted; it is acceptable for this lab, but use Simple or Cert mode wherever the two hosts do not share a trusted network.

67-OES-OAM-MOSS2010

13.   Fill in the webgate configuration with the information from the OAM admin console.

68-OES-OAM-MOSS2010

14.   Go to the OAM admin console.

69-OES-OAM-MOSS2010

NOTE- Before clicking Next on the following screen, copy the ObAccessClient.xml file from the directory the console shows to <NetPoint webgate install home>\webgate\access\oblix\lib

15.   Click Next.

70-OES-OAM-MOSS2010 71-OES-OAM-MOSS2010

16.   Now return to the installer and click Next

72-OES-OAM-MOSS2010

17.   Click Next and Restart IIS

73-OES-OAM-MOSS2010 74-OES-OAM-MOSS2010 75-OES-OAM-MOSS2010 76-OES-OAM-MOSS2010

18.   Open IIS Manager, select the server node and open ISAPI and CGI Restrictions.

77-OES-OAM-MOSS2010

19.   Verify that the following DLLs are listed.

78-OES-OAM-MOSS2010

20.   Open the SharePoint site (e.g. OESDemo) and open ISAPI Filters.

79-OES-OAM-MOSS2010

21.   Verify that the following DLL is listed.

80-OES-OAM-MOSS2010

22.   Open the SharePoint site (e.g. OESDemo) and open Handler Mappings.

81-OES-OAM-MOSS2010

23.   Right-click and select Add Wildcard Script Map.

82-OES-OAM-MOSS2010

24.   Add the following DLL.

118-OES-OAM-MOSS2010

25.   A popup opens. Click Yes.

83-OES-OAM-MOSS2010

26.   The result looks like this:

84-OES-OAM-MOSS2010

NOTE- If testing the integration produces an error stating "Trial Period Expired", delete this mapping, restart the IIS server and test again.

27.   Right-click the SharePoint site and select Add Virtual Directory.

85-OES-OAM-MOSS2010

28.   Use the alias 'access' and the physical path <Webgate installation HOME>/access. Click Test Settings and, if it succeeds, click OK.

86-OES-OAM-MOSS2010

29.   Open the SharePoint site (e.g. OESDemo) and open Authentication.

87-OES-OAM-MOSS2010

30.   Verify that ASP.NET Impersonation and Windows Authentication are enabled for the SharePoint site.

88-OES-OAM-MOSS2010

31.   Make sure the following users have "Modify" permission on the "access" folder of the SSO agent:

        a.  IUSR

        b.  IIS_IUSRS

        c.  NETWORK

        d.  NETWORK SERVICE

        e.  ADMINISTRATORS (group)

89-OES-OAM-MOSS2010 90-OES-OAM-MOSS2010

32.   Restart the IIS server.

91-OES-OAM-MOSS2010

33.   Add AD Adapter in OVD

92-OES-OAM-MOSS2010 

34.   Provide AD details and click next.

93-OES-OAM-MOSS2010

35.   Verify that details are correct and click Next.

94-OES-OAM-MOSS2010

36.   Provide the details and click Next.

95-OES-OAM-MOSS2010

37.   Verify the details and Click Finish.

96-OES-OAM-MOSS2010

38.   After the configuration it will look like-

 97-OES-OAM-MOSS2010

39.   Go back to the OAM console and click System Configuration.

40.   Expand Data Sources, highlight User Identity Stores and click Create.

41.   Create a new identity store that uses OVD and the AD root configured earlier.

98-OES-OAM-MOSS2010 99-OES-OAM-MOSS2010

42.   Click on apply.

100-OES-OAM-MOSS2010

43.   Go to Application Domain > IIS and click Edit.

101-OES-OAM-MOSS2010

44.   Go to Resources and click New Resource.

102-OES-OAM-MOSS2010 103-OES-OAM-MOSS2010

45.   Go to Authorization Policies > Protected Resource Policy and click Edit.

104-OES-OAM-MOSS2010

46.   Go to the Responses tab and add the following responses.

105-OES-OAM-MOSS2010 106-OES-OAM-MOSS2010

47.   Click on Apply.

107-OES-OAM-MOSS2010

48.   Now go to System Configuration > Access Manager > Authentication Module > LDAP and set User Identity Store to OVD-AD. Click Apply.

108-OES-OAM-MOSS2010

49.   Go back to the IIS tab, click Authentication Policies and click Protected Resource Policy.

109-OES-OAM-MOSS2010

50.   Now open C:\inetpub\wwwroot\wss\VirtualDirectories\<YOUR_SITE_PORT>\web.config and add the following lines inside <system.web></system.web>:

<system.web>

...

<roleManager enabled="true" defaultProvider="SimpleRoleProvider">

      <providers>

        <clear/>

        <add name="SimpleRoleProvider" type="WebMatrix.WebData.SimpleRoleProvider, WebMatrix.WebData"/>

      </providers>

    </roleManager>

    <membership defaultProvider="SimpleMembershipProvider">

      <providers>

        <clear/>

        <add name="SimpleMembershipProvider" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData"/>

      </providers>

    </membership>

...

</system.web>

110-OES-OAM-MOSS2010

51.   Restart the IIS server, the OES server and the OAM Admin/OAM server.

 Testing

1.  Start the Web Service SM.

111-OES-OAM-MOSS2010

2.  Open the site http://<host>:<port>/HIX

112-OES-OAM-MOSS2010

3. The request is redirected to the webgate login.

113-OES-OAM-MOSS2010

4. Provide user credentials.

114-OES-OAM-MOSS2010

5. The site home page is displayed.

115-OES-OAM-MOSS2010

6. If the following error occurs at authentication time:

116-OES-OAM-MOSS2010

7. Undo steps 23, 24 and 25 of "Set up OAM to protect SharePoint", restart the IIS server and test again. After removing the wildcard script map, repeat steps 2 to 5 above and confirm that an unauthenticated request to the site is still redirected to the webgate rather than served directly.

8.  If the following error occurs at authentication time:

117-OES-OAM-MOSS2010

9.  Undo step 50 of "Set up OAM to protect SharePoint", restart the IIS server and test again.

OAAM 11g R2- Enable Knowledge based Authentication


Enabling Knowledge based Authentication

OAAM Configuration

1. Go to the OAAM installation folder ($MIDDLEWARE_HOME\Oracle_IDM1\oaam) and verify that the OOTB zip files are present.

1

NOTE- To configure OAAM initially, import the default data and start working with it; make changes as required later.

2. Open a browser and access the OAAM Admin interface at http://<HOST>:<PORT>/oaam_admin

 2

 3. Provide admin user credentials and click on Login.

 3

4. Double-click KBA -> Questions in the left menu

4

5. Click on Import Questions.

5

6. Select the file and click on Import.

6

7. The default set of questions is imported into OAAM.

7

NOTE- Import the other OOTB data in the same manner (e.g. Policies, Rule Conditions, Patterns, Actions, etc.)

8. Double click Policies from the left menu

8

9. Search and click to open the OAAM Registration Policy

9

10. Select the Rules tab

10

11. Ensure that the Register Questions rule is Active. If not, open the rule and activate it.

11

12.   Click the Apply Button

 12

 13.   Double click Properties from the left menu.

13

14.   Search for the following properties and verify that each is set to true.

bharosa.uio.default.register.info.section2.enabled

bharosa.uio.default.register.questions.registerdevice.enabled

 14

15.   Double click Policies from the left menu

15

16.   Search for and open the OAAM Post-Authentication Security policy

16

17.   Select the Rules tab

NOTE- The Second Factor rule forces a second authentication factor on every login (except registrations). It can be disabled to stop the second factor from always triggering.

17

18.   Open the Second Factor rule and Select the Pre Conditions tab.

18

19.   Change the Device Risk Gradient to 600.

19

20.   Select the Results tab.

20

21.   Change the Score to 600.

21

22.   Make sure that Action Group is selected to OAAM Challenge.

22

23.   Click on Apply.

23

24.   Search for and open the OAAM Challenge Security policy

24

25.   Select the Trigger Combinations tab

25

NOTE- Review each Trigger Combination column and the associated Action Group at the bottom of the column. These trigger combinations determine how OAAM processes risk-based authentication.

26.   Change the following values:

In trigger column 3, set Maximum Failed Questions to Any

In trigger column 3, set Check for High Risk Score to Any

26

27.   Click the Apply Button

27 

28.   Restart the OAAM Admin and OAAM Server.

 Testing

1. Start the webgate for which you configured the TAP scheme.

28

2.  Access the protected application URL: http://<WEBGATE_HOST>:<WEBGATE_PORT>/index.html

29

3. The user is redirected to the OAAM login page. Provide the user name and click Continue.

30

4. The device, image and phrase the user selected are displayed.

31

5.  Enter the password using the user's virtual keypad and click Enter.

32

6.  If the username and password are accepted, the system asks for the answer to a random security question selected during registration.

33

7.  The user provides the answer and clicks Enter.

34

8.  If successful, the protected page is displayed.

 35