Posts

Showing posts from December, 2017

OAM - Failover URL, Primary/Secondary, Chained Authentication

In this post, I will talk about the different strategies for configuring the failover URL for authentication in case the primary mode of authentication fails. This also allows you to configure a kind of chained authentication.

1) Failure URL: via the Application Domain, through the authentication policies. The standard way to redirect to a particular URL on authentication or authorization failure is to set the Failure URL value in the Application Domain Protected Resource Policy for authentication (or authorization).

2) Custom Plugin: via the Authentication Module -> Steps -> Orchestration -> Authentication Plugin -> Java code. In the authentication policy with LDAPScheme you have to configure the Failure URL to point to a static JSP/HTML page/URL. Make sure this is the absolute full address, e.g. http://server/index.htm. That static HTML page/URL should be protected with another authentication policy that is configured for BasicScheme authentication. When you attempt to

OHS 12c - Adding Self Generated Custom Cert in OHS 12c

In this post, I will cover the steps required to generate and add self-signed certs in OHS. My OHS 12c is installed at /app/oracle/deepakdubeyfusion

mkdir /var/oracle/deepakdubeywallets/
cd /var/oracle/deepakdubeywallets/
export JAVA_HOME=/app/oracle/deepakdubeyjava/jdk1.7.0_40/
/app/oracle/deepakdubeyfusion/oracle_common/bin/orapki wallet create -wallet /var/oracle/deepakdubeywallets/test1 -auto_login -pwd Welcome1
/app/oracle/deepakdubeyfusion/oracle_common/bin/orapki wallet add -wallet /var/oracle/deepakdubeywallets/test1 -dn cn=hostname.domainname.com -keysize 2048 -self_signed -validity 3650
/app/oracle/deepakdubeyfusion/oracle_common/bin/orapki wallet display -wallet /var/oracle/deepakdubeywallets/test1

Then, in the ssl.conf file, uncomment the existing SSLWallet directive and point it at the new wallet:

SSLWallet "/var/oracle/deepakdubeywallets/test1"

Restart the OHS server.

Oracle Access Manager Authentication Model

In this post, I will talk about the top-down authentication flow that starts from a URL and goes all the way down to an authentication plug-in which handles the authentication and authorization logic. To start with, when a user enters a URL and requests a resource, WebGate intercepts the request and looks for that URL in the application domain. Remember that the application domain is tightly coupled to the WebGate. WebGate matches the URL against the resources defined and picks the closest matching resource. Next, it looks for the authentication scheme that is defined to protect that resource. The authentication scheme in turn invokes the authentication module that is defined. It is here that you can define identification, authentication, success, failure, or any other steps or workflow that you want. The authentication module finally invokes the authentication plug-in, which points to Java code that performs the authentication or any other logic you want to perform. You can pass in input parameters and get

Apache Web Server 2.2.31 installation on unix host

In this post, I will talk about how to build Apache web server from source and install it on a Unix machine (RHEL in my case).

tar -zxvf httpd-2.2.31.tar.gz
./configure --prefix=/opt/apache-2.2/apache_2.2.31 --enable-mods-shared=all --enable-proxy --enable-expires --enable-vhost-alias

The configure step failed with:

configure: error: no acceptable C compiler found in $PATH

so the compiler and zlib headers need to be installed first:

yum install gcc
yum install zlib-devel
make
make install
mount -o remount,noexec /tmp/
/usr/sbin/groupadd oinstall
/usr/sbin/useradd -g oinstall oracle
passwd oracle
export LD_LIBRARY_PATH=/oracle/apps/webgate/webgate/apache/lib/
./deployWebGateInstance.sh -w /oracle/apps/webgateinstance -oh /oracle/apps/webgate -ws apache

OHS 12c (12.1.3) webgate deployment and configuration

In this post, I will cover the deployment and configuration of the 12c WebGate. OHS 12c comes pre-bundled with a WebGate, so we don't have to separately download and install one. If you have installed OHS then you have a WebGate which you can configure to protect OHS. Also, there are no GUI screens involved, as all configuration is done via command-line tools. In the previous post I covered installation and configuration of OHS 12c. This post builds on top of that.

Step 1: Deploy the WebGate

./deployWebGateInstance.sh -w /OHS_12c_WEBSERVER_HOME/webserver/instances/instance1/config/fmwconfig/components/OHS/ohs1 -oh /OHS_12c_MW_HOME/
Copying files from WebGate Oracle Home to WebGate Instancedir

Step 2: Configure the WebGate

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/OHS_12c_MW_HOME/lib
cd /OHS_12c_MW_HOME/webgate/ohs/tools/setup/InstallTools/
./EditHttpConf -w /OHS_12c_WEBSERVER_HOME/webserver/instances/instance1/config/fmwconfig/components/OHS/ohs1 -oh /OHS_12c_MW_HO

OAM 11G - Custom Authentication Module

Jars needed for compilation: felix.jar, identity-provider.jar, oam-plugin.jar, utilities.jar

package deepakdubey;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.am.engines.common.identity.api.IdentityStoreContext;
import oracle.security.am.engines.common.identity.api.IdmUser;
import oracle.security.am.plugin.ExecutionStatus;
import oracle.security.am.plugin.GenericTransportContext;
import oracle.security.am.plugin.MonitoringData;
import oracle.security.am.plugin.PluginConfig;
import oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn;
import oracle.security.am.plugin.authn.AuthenticationContext;
import oracle.security.am.plugin.authn.AuthenticationException;
import oracle.security.am.plugin.authn.Credential;
import oracle.security.am.plugin.authn.CredentialParam;
import

OAM OBIEE SSO Integration

Add new providers as below in the OBIEE server. Update OBIEE via the /em console. Modify instanceconfig.xml under /OBIEE_MW_HOME/instances/instance1/config/OracleBIPresentationServicesComponent/coreapplication_obips1:

<Authentication>
<!--This Configuration setting is managed by Oracle Enterprise Manager Fusion Middleware Control-->
<EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,SSO</EnabledSchemas>
</Authentication>

Restart the OBIEE servers and AdminServers. Restart the OPMN-managed components with opmnctl stopall and opmnctl startall.

OAM - Apache Server - WebGate - https failing back to http instead of https

If you encounter this issue, you will have to set the correct secure HTTP headers. If it is not possible to make modifications to the reverse proxy, then it is possible to configure OAM to pass the required SSL headers as well.

To ensure that the WebGate checks SSL on a reverse proxy server, do the following: go to Access System Console -> Access System Configuration -> Access Gate configuration and modify the AccessGate. Add a ProxySSLHeaderVar entry to the "User Defined Parameters" section at the bottom of the form. The value of the ProxySSLHeaderVar parameter defines the name of the header variable the proxy must set. The value of that header variable must be "ssl" or "nonssl". For example: ProxySSLHeaderVar:IS_SSL

In the load balancer, add an HTTP custom header variable with the name specified above and set its value to "ssl".

OAAM 11g Lab

Task 1 - Installation and Configuration
    Installing WLS 10.3.5
    Run RCU
    Install OIAM Suite
    Configure OIAM
    Start and Stop Admin, Managed Servers
    Setting Up OAAM Base Env - Creating OAAM Admin User and Assigning OAAM Groups
    Setting up OAAM Base Env - Command-Line Interface
        Encryption and Database Credentials
        Importing OAAM Snapshot
        Importing IP Location Data
        Setting Timezone
        Credentials Stores to OID
        Applying Bp01 Patch
Task 2 - OAAM Customizations
    Adding a User-Defined Header and Footer to OAAM Login Pages
    Adding a User-Defined Error Message in English and Spanish
    Changing Style Sheet for OAAM Login Pages
    Changing Default Text and Adding a New Link on OAAM Log