OAAM 11g Lab

Task 1 - Installation and Configuration 
        Installing WLS 10.3.5
        Run RCU 
        Install OIAM Suite
        Configure OIAM 
        Start and Stop Admin, Managed Servers
        Setting Up OAAM Base Env - Creating OAAM Admin User and Assigning OAAM Groups
        Setting up OAAM Base Env - Command-Line Interface
                                    Encryption and Database Credentials
                                    Importing OAAM Snapshot
                                    Importing IP Location Data
                                    Setting Timezone
                                    Credentials Stores to OID
                                    Applying Bp01 Patch
Task 2 - OAAM Customizations
        Adding a User-Defined Header and Footer to OAAM Login Pages
        Adding a User-Defined Error Message in English and Spanish
        Changing Style Sheet for OAAM Login Pages
        Changing Default Text and Adding a New Link on OAAM Login Page
        Modifying a Virtual Authentication Device (VAD)
        
Task 3 - Policies - Static, Patterns, and Predictive
        Reviewing OAAM Pre-Authentication Policy for a Blacklisted User
        Reviewing OAAM AuthenticationPad Policy
        Blocking Requests from WebZip Browser
        Patterns - Request from Odd Hours of the Day
        Patterns - Requests from Different IP Addresses
        
Task 4 - Native Integration 
        Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using In-Proc Mode
        Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using SOAP Mode (with No Authentication)
        Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using SOAP Mode (with Authentication)
        Natively Integrating the Sample Application That Is Running in a Non-OAAM Server Domain Using SOAP Mode
        
Task 5 - Transactions
        Running BigBank Sample Application
        Creating a Customer Entity 
        Creating a Transaction Definition 
        Creating an Alert Group 
        Creating a New Policy 
        Testing the Internet Banking Transaction
        Exploring the Sample Application and the API Calls
        Create Configurable Actions
        Auto-Generating a Fraud Case for Investigation 
        Importing a Transaction Definition and Policy for Retail Ecommerce
        
Task 6 - Reporting and Auditing 
        Installing and Configuring Oracle BI Publisher Reports for OAAM Reports
        Configuring OAAM to Write Audit Log Records to Oracle Database
        Configuring and Viewing Oracle BI Publisher OAAM Audit Reports
        Creating Custom Reports
        
Task 7 - Monitoring and Diagnostics
        Monitoring Key Metrics
        Configuring and Viewing Logging 
        Reviewing Log Messages in FMW Control
        Increasing the Log Level
        Resetting the Log Level Back to Default Level
        
Task 8 - OAAM Offline and Job Scheduler 
        Initializing the OAAM Administration Environment and Configuring the OAAM Offline Server for Testing 
        Setting Up and Viewing the Recurring Auto-Increment Load and Run Job 
        Performing Ad Hoc Rules Testing 
        Scheduling Monitor Data Rollup Jobs and Viewing the Results
        

Install OIAM Suite
/u01/app/oraInventory/createCentralInventory.sh

        Configure OIAM 
cd $ORACLE_HOME/common/bin
./config.sh
Domain Source - 
OAAM Admin Server, OAAM - Server, OAAM Offline

Start the Servers in following order
WLS Admin
OAAM Admin 
OAAM Managed Server
OAAM Offline Server

Stop sequence
OAAM Offline Server
OAAM Managed Server
OAAM Admin Server
WLS Admin

Setting Up OAAM Base Env - Creating OAAM Admin User and Assigning OAAM Groups

Go to Weblogic Console -> Security -> myrealm -> User and Groups -> Users -> New -> oaam_admin -> 
oaam_admin -> Assign all groups with "OAAM" keyword (total 7) -> Save

Now you can login to http://host:14200/oaam_admin using oaam_admin user

Setting up OAAM Base Env - Setting up the Command-Line Interface

Copy the CLI folder $ORACLE_HOME/oaam/cli to a working directory (oaam_cli)

cp -r $ORACLE_HOME/oaam/cli $ORACLE_MW_HOME/work/oaam_cli

Setting CSF Configuration
a>    CSF without MBeans (run the OAAM CLI on the same computer as WLS; no need to give the WLS admin user and password)
b>    CSF with MBeans (recommended if OAAM is clustered; the WLS admin user and password must be given)

edit bharosa_properties/oaam_cli.properties

Set the following
oaam.adminserver.hostname = hostname
oaam.adminserver.username = weblogic
oaam.adminserver.password = password
oaam.db.url = jdbc:oracle:thin.....

chmod +x *.sh
vi setCliEnv.sh
CLSPTH=...../wls_home/server/lib/wlclient.jar
CLSPTH=...../wls_home/server/lib/wljmxclient.jar

Setting OAAM DB Creds in CSF

Go to EM Console -> WebLogic Domain -> Right-click IAMDomain -> Security -> Credentials -> Expand oaam map -> Select oaam map -> Click Create -> 
Key : oaam_db_key
Type : Password
User Name : DEV_OAAM 
Password and Confirm Password :

Setting up Encryption and Database Credentials

Setting up Encoded Secret Key for Encrypting Configuration Values
edit $ORACLE_MW_HOME/work/oaam_cli/config_3des_input.properties
keystorepasswd=password
keystorealiaspasswd=password
keyFile=config_secret_key.file

./genEncodedKey.sh config_3des_input.properties
Generated Encoded key = oamKerhhfcehe/eihrfiherih
Copy it 

Adding the Encoded Symmetric Key for Encrypting Configuration Values to the CSF
Save the Encoded key in oaam map -> DESede_config_key_alias 

Setting Up Encoded Secret Key for Encrypting Database Values

edit $ORACLE_MW_HOME/work/oaam_cli/db_3des_input.properties
./genEncodedKey.sh db_3des_input.properties
Generated Encoded key = jejerciojre/oiejfoirje
Copy and Save to EM Console -> oaam map -> DESede_db_key_alias

Setting Up OAAM DB Credentials in CSF
Already done above (oaam_db_key in the oaam map)

Backing Up DB Credentials and Encoded Secret Keys for Encrypting Database and Configuration Values

You should back up all the encoded secret keys used. They will be needed if the OAAM domain has to be re-created

oaam_db_key , Password , DEV_OAAM , 
DESede_db_key_alias, genEncodedKey
DESede_config_key_alias , genEncodedKey

Importing  OAAM Snapshot

Import oaam_base_snapshot.zip file into OAAM through OAAM Admin 
$ORACLE_HOME/oaam/init

The snapshot contains
1> Challenge Questions
2> Entity Definitions - user, city, device and so on
3> Out-of-the-box patterns
4> Out-of-the-box configurable actions
5> Out-of-the-box Policies
6> Any groups - rules, user groups, and action and alert groups 

For upgrades, this step is not required, as it would overwrite the existing data

Default patterns are in $ORACLE_HOME/oaam/init/OOB_patterns.zip 

Base policies are in 
$ORACLE_HOME/oaam/init/oaam_policies.zip

Configurable action templates are in 
$ORACLE_HOME/oaam/init/OOTB_Configurable_Actions.zip

Base-authentication required entities are in 
$ORACLE_HOME/oaam/init/Auth_EntityDefinition.zip

Importing IP Location Data 

Edit $ORACLE_MW_HOME/work/oaam_cli/cli/bharosa_location.properties
Location data must come from one of the supported vendors (ip2location, MaxMind, Quova)

location.data.provider=quova
location.data.file=/path/to/.dat.gz.file
location.data.ref.file=/path/to/ref.dat.gz.file
location.data.anonymizer.file=anonymizer.dat.gz.file

Run the loader command 
./loadIPLocationData.sh

Check that ORACLE_MW_HOME and JAVA_HOME are set and that oaam_cli.properties has the correct DB and AdminServer details
source setCliEnv.sh

Login to DB SQL plus

select count(*) from vcrypt_country;
select count(*) from vcrypt_ip_location_map;

The script may take up to 24 hours to run
Let it run without closing the terminal window

Setting the Timezone

Property in OAAM Admin 

oaam.adf.timezone = user.timezone (shows server time)
user.timezone = UTC 

It will pick up the OAAM Admin Server machine time as set in the bash profile (TZ, e.g. EST, UTC)
Example from the list of timezones
oracle.adf.timezone=America/Los_Angeles

Migrating OAAM Access Policies, OPSS Authorization Policies, and Credential Stores to OID

Create jpsroot in OID using ldapadd

dn: cn=jpsroot_iam
cn: jpsroot_iam
objectclass: top
objectclass: orclcontainer

./ldapadd this file

Connect to weblogic (7001) using wlst 

wlst> reassociateSecurityStore(domain="IAMDomain", admin="cn=orcladmin", password="password",ldapurl="ldap://host:3069",servertype="OID",jpsroot="cn=jpsroot_iam")

command takes 5 minutes

Restart WLS , OAAM Admin , OAAM Managed Servers

Login to ODSM :7005/odsm
You should see cn=jpsroot_iam populated with all the policy store data

----------------------Task 2 - OAAM Customizations--------

Login to OAAM Admin and Environment-> Properties

vcryptuser.customerid.generateIfNull -> from true to false (This property ensures that the user ID is set to the same value as the username. When true, the user ID is a system-generated, random, and unique alpha)

Before customizing, log in with the test user and register it
Go to http://host:14300/oaam_server
The password is test
Click Continue to register
Accept the Security Device, Image and Phrase
"Get a new image and phrase"
Now you should be logged in to the BigBank dummy app

Adding a User-Defined Header and Footer to OAAM login pages

edit $ORACLE_HOME/oaam/oaam_extensions/generic/oracle.oaam.extensions.war in a temp directory (copy it first)

unzip oracle.oaam.extensions.war
mkdir user_defined images
copy header.jpg and footer.jpg to images
copy header.jsp and footer.jsp to user_defined

Edit WEB-INF/classes/bharosa_properties/bharosa_server.properties

bharosa.uio.default.header=/user_defined/header.jsp
bharosa.uio.default.footer=/user_defined/footer.jsp

repack the war
Shut OAAM Admin and Server
Deploy the war to OAAM Admin, OAAM Offline and OAAM Server

Start the OAAM Admin and OAAM Server

Adding a User-Defined Error Message in English and Spanish 

Files = client_resource_en.properties and client_resource_es.properties

bharosa.uio.default.login.invalid.user=Invalid username or password. Please try again.

Recreate the oracle.oaam.extensions.war file

To test Spanish you need to change the locale settings of the browser

OAAM supports 26 languages
The default text and messages are in asa_msg_resource_locale.properties and asa_msg_resource.properties

Changing the Style Sheet for the OAAM Login Pages 

File = bharosa_uio.css which is in $ORACLE_MW_HOME/user_projects/domains/domain-name/servers/oaam_server_server1/tmp/_WL_user/oaam_server_11.1.1.3.0/1iknvr/war/css

One more file = bharosa_uio_rtl.css (same location)

create mystylesheet.css in user_defined

Change bharosa_server.properties
bharosa.uio.default.custom.css=/user_defined/mystylesheet.css

Recreate the oracle.oaam.extensions.war

Changing the Default Text and Adding a New Link on the OAAM Login Page

File = client_resource_en.properties

bharosa.uio.default.signon.page.button=Next
bharosa.uio.default.messages.enum.forgotusernamepopup.name= Forgot Username
bharosa.uio.default.messages.enum.forgotusernamepopup.description=If you have forgotten your username, please call customer service
bharosa.uio.default.signon.links.enum.forgottusername.description=Forgot username

bharosa.uio.default.signon.page.button was set to Continue in the asa_msg_resource.properties file, but I override that in client_resource_en.properties

Edit bharosa_server.properties

bharosa.uio.default.messages.enum.forgotusernamepopup=99
bharosa.uio.default.messages.enum.forgotusernamepopup.name= Forgot Username
bharosa.uio.default.messages.enum.forgotusernamepopup.description=If you have forgotten your username, please call customer service
bharosa.uio.default.signon.links.enum.forgottusername.url=javascript:infoWindow('forgotusernamepopup');
bharosa.uio.default.signon.links.enum.forgottusername.enabled=true

After adding the preceding content to the bharosa_server.properties file, you have modified an existing enum, that is, the forgottusername.url and forgottusername.enabled elements of the signon.links enum

These two elements are defined in the oaam_uio.properties file as

bharosa.uio.default.signon.links.enum.forgottusername.url=#
bharosa.uio.default.signon.links.enum.forgottusername.enabled=false

Recreate oracle.oaam.extensions.war file

Deploy the war
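Added example, not Oracle's or this lab's own code: a Python script that performs the repack steps from the sections above in one go (user_defined header, footer and stylesheet, plus the bharosa_server.properties and client_resource_en.properties overrides) and lets you read the result back before deploying. The WAR it runs on here is a constructed two-entry stand-in; point customize_war at a copy of the real oracle.oaam.extensions.war in the same way.

```python
import io
import zipfile

# Entry paths inside the extensions WAR, as given in the notes above.
SERVER_PROPS = "WEB-INF/classes/bharosa_properties/bharosa_server.properties"
EN_RESOURCE = "WEB-INF/classes/client_resource_en.properties"

# Files to add under user_defined/ (constructed placeholder content).
USER_FILES = {
    "user_defined/header.jsp": b"<div id='hdr'>BigBank</div>\n",
    "user_defined/footer.jsp": b"<div id='ftr'>(c) BigBank</div>\n",
    "user_defined/mystylesheet.css": b"body { font-family: sans-serif; }\n",
}

# Property overrides per entry; keys and values are the ones used in the notes.
OVERRIDES = {
    SERVER_PROPS: {
        "bharosa.uio.default.header": "/user_defined/header.jsp",
        "bharosa.uio.default.footer": "/user_defined/footer.jsp",
        "bharosa.uio.default.custom.css": "/user_defined/mystylesheet.css",
        "bharosa.uio.default.messages.enum.forgotusernamepopup": "99",
        "bharosa.uio.default.messages.enum.forgotusernamepopup.name": "Forgot Username",
        "bharosa.uio.default.messages.enum.forgotusernamepopup.description":
            "If you have forgotten your username, please call customer service",
        "bharosa.uio.default.signon.links.enum.forgottusername.url":
            "javascript:infoWindow('forgotusernamepopup');",
        "bharosa.uio.default.signon.links.enum.forgottusername.enabled": "true",
    },
    EN_RESOURCE: {
        "bharosa.uio.default.login.invalid.user":
            "Invalid username or password. Please try again.",
        "bharosa.uio.default.signon.page.button": "Next",
        "bharosa.uio.default.signon.links.enum.forgottusername.description": "Forgot username",
    },
}


def merge_properties(existing: str, overrides: dict) -> str:
    """Replace overridden keys in place and append the missing ones; comments and
    unrelated keys keep their order.  Java .properties files are ISO-8859-1, so
    non-ASCII text (e.g. a Spanish message) must be given as \\uXXXX escapes."""
    out, seen = [], set()
    for line in existing.splitlines():
        stripped = line.strip()
        if stripped and stripped[0] not in "#!" and "=" in stripped:
            key = stripped.split("=", 1)[0].strip()
            if key in overrides:
                out.append(f"{key}={overrides[key]}")
                seen.add(key)
                continue
        out.append(line)
    out.extend(f"{k}={v}" for k, v in overrides.items() if k not in seen)
    return "\n".join(out) + "\n"


def customize_war(war_bytes: bytes, user_files: dict, overrides: dict) -> bytes:
    """Return a new WAR: every original entry copied, properties entries merged
    with their overrides, and user_files added (replacing same-named entries)."""
    src = zipfile.ZipFile(io.BytesIO(war_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in user_files:
                continue  # written below from user_files
            data = src.read(name)
            if name in overrides:
                text = merge_properties(data.decode("latin-1"), overrides[name])
                data = text.encode("latin-1")
            dst.writestr(name, data)
        for name, data in user_files.items():
            dst.writestr(name, data)
    return buf.getvalue()


def read_property(war_bytes: bytes, entry: str, key: str):
    """Value of `key` in a properties entry of the WAR, or None if absent."""
    text = zipfile.ZipFile(io.BytesIO(war_bytes)).read(entry).decode("latin-1")
    for line in text.splitlines():
        if line.startswith(key + "="):
            return line.split("=", 1)[1]
    return None


def build_sample_war() -> bytes:
    """Constructed stand-in for oracle.oaam.extensions.war (two entries only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(SERVER_PROPS, "# constructed sample\nvcryptuser.customerid.generateIfNull=false\n")
        z.writestr(EN_RESOURCE, "bharosa.uio.default.login.invalid.user=Invalid login\n")
    return buf.getvalue()


if __name__ == "__main__":
    new_war = customize_war(build_sample_war(), USER_FILES, OVERRIDES)
    print(sorted(zipfile.ZipFile(io.BytesIO(new_war)).namelist()))
    print(read_property(new_war, SERVER_PROPS, "bharosa.uio.default.header"))
```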

Modifying a Virtual Authentication Device (VAD)

Access http://host:14300/oaam_server

Log in with the test user and password test
If you get challenged by a KBA question, answer it, then click "User Preferences" on the Welcome to BigBank app page
Click "Upgrade to higher security device"
Notice the English VAD
Continue and log out

copy client_resource_de.properties (German) to /WEB-INF/classes

In WEB-INF/classes create two directories, alphapad_bg and alphapad_skins_de

Copy the images and skins

Edit bharosa_server.properties
bharosa.authentipad.keypad.german.keyset.enum=German KeyPad Keyset Enum 

Recreate , Deploy, Test, Change Browser locale


--------Task 3 - Policies - Static, Patterns, and Predictive------------

Reviewing the OAAM Pre-Authentication Policy for a Blacklisted User

OAAM Admin -> Groups -> Name -> OAAM Restricted Users -> + -> Add Test User

Now try to access BigBank with the test user; you will be stopped after the username screen with
"You are not authorized to login. Please contact customer service"

OAAM Admin -> Policies -> OAAM Pre-Authentication policy

OAAM Pre-Authentication
    Summary Tab , Rules Tab , Trigger Combinations , Group Linking 
    Checkpoint : Pre-Authentication (dropdown)
    Scoring Engines : Maximum 
    Weight : 100
    Description : This policy stops fraud login attempts before the password is entered
    
    Go to Rules Tab in the same Policy (OAAM Pre-Authentication)
    Rules (6)
        Blacklisted users
        Blacklisted countries
        Blacklisted ISPs
        Blacklisted Devices
        WEBZIP used
        Blacklisted IPs
    
    Rule Name : Blacklisted users
    Policy Name : OAAM Pre-Authentication
    Rule Status : Active
    Rule Notes : This rule will trigger if a user has previously been black listed.
    
    Conditions (tab) in Blacklisted users (rule)
    Name : USER: In Group
    If the user is in the given group
    Is in group : True
    User Group : OAAM Restricted users
    
    Now if go to "OAAM Restricted Users" group in OAAM Admin , we will see the list of users added
    
    The Usage tab of the group shows everywhere the group is used: the policies and the rules within those policies
    
    Go back to "Blacklisted users" Rule
        Go to Results Tab 
        Score : 1000
        Weight : 100
        Action Group : OAAM Block 
        Alert Group : OAAM Restricted User
    
    Search for groups named : OAAM Block and OAAM Restricted User
    
    OAAM Block Group
        Actions : 
                Name : Block 
                Value : 2
                Description : Block user from accessing the system 

    OAAM Restricted User
        Alerts : 
                Alert Type : CSR 
                Alert Level : High
                Alert Message : Login Attempt from a blacklisted User
                Alert Type : Fraud 
                Alert Level : High
                Alert Message : Blacklisted User login
                
    Check the Usage tab too -> the policies and rules that use these groups
    
Reviewing the OAAM AuthenticationPad Policy

Policies -> OAAM AuthenticationPad Policy (checkpoint = AuthenticationPad)
Scoring Engine : Average
Weight : 100
Description : Policy to determine the OAAM AuthenticationPad to use.

Rules:-
        Register Challenge Questions 
        Check if mobile browser is being used by user
        Challenge SMS
        Registered Image and Caption
        Key Pad User
        Challenge Email
        Challenge Question 
        
Trigger Combinations
        These provide a way to create dependencies between the various independent rules defined on the Rules tab.
        

Review :  Registered Image and Caption (Rule)
        Conditions
        USER: Authentication Image Assigned
        Is assigned : True
        Results : 
        Action Group : OAAM Personalized Pad
        
Search for Group : OAAM Personalized Pad
        

Reviewing the OAAM Registration Policy

Policies -> OAAM Registration Policy -> Checkpoint = Registration
Checkpoint : Registration
Scoring Engine : Weighted Average
Weight : 100

Rules:-
        Register Questions
        Register Image and Caption
        Check Registration
        Skipped registration more than 3 times
        Register User Information 
        
Rule Name : Check Registration
Policy Name : OAAM Registration Policy
Rule Status : Active
Rule Notes : Checks to see if user has completed registration & Personalization.


Conditions (in Rule above) 
        USER: Account Status
        User Account Status : Active
        Is : False
        
Go to Conditions Node
Search for Account Status

Go to Results tab in the Rule : Check Registration
Results    
        Score : 0 
        Weight : 100
        Action Group : OAAM Register
        Alert Group : None
        
Check out the group "OAAM Register"; the Actions tab of the OAAM Register group shows the actions taken

Usage tab
        Policy Name , Rules , Action Group


If user is not registered , they are shown the standard text pad 
If the user is already registered, then they are shown a personalized pad (containing their own phrase and image)

After successful authentication , Registration checkpoint evaluates the OAAM Registration Policy (all 5 rules are triggered)

Get new image , Get new phrase

User can also upgrade to a higher security device (virtual keypad)

After personalized textpad or virtual keypad, they register the KBA Questions
These KBA questions get triggered when the risk score crosses the threshold, that is, to ascertain the true identity of the user in high-risk situations

After registration , user gets to see the BigBank page

You can anytime change the password, change the personalized image and phrase, upgrade or downgrade to a virtual keypad or textpad, or change the KBA questions and answers by clicking "User Preferences" links

Blocking Requests from the WEBZIP Browser

Policy Name : OAAM Pre-Authentication
Rules : WEBZIP used
Rule Name : WEBZIP used
Policy Name : OAAM Pre-Authentication
Rule Status : Active
Rule Notes : if WEBZIP used

Conditions tab
        DEVICE: Browser header substring
        Description : Checks whether the supplied string is in browser header
        Substring to check for : WebZip
        
Results tab    
        Score : 1000
        Weight : 100
        Action Group : OAAM Block
        Alert Group : OAAM Restricted software
        
Double click Groups Node -> OAAM Block and OAAM Restricted software

Group Name : OAAM Block 
Group Type : Actions
Cache Type : Full Cache
Description : Block

        Actions tab    
        Block : Value = 2 : Description = Block user from accessing the system
        
        Usage tab    
        Policies, Rules , Groups

Group Name : OAAM Restricted software 
Group Type : Alerts
Cache Type : Full Cache
Description : Restricted software

        Alerts tab
        Alert Type = Fraud ; Alert Level = High ; Alert Message = Login attempt using restricted software
        
        Usage tab    
            Policies:OAAM Pre-Authentication
                Rules:WEBZIP used
                    Group: OAAM Restricted software

                    

Patterns - Request from Odd Hours of the Day

OAAM Admin -> Patterns Node -> Right Click -> New Patterns

Pattern Name : TimeLog10AM-5PM
Transaction Type : Authentication (dropdown)
Creation Method : Single-Bucket(dropdown)
Member Types : User(dropdown)
Evaluation Priority : High(dropdown)
Description : Capture User login 

A Pattern with same member configuration already exists
Are you sure you want to create a new pattern ?

Add Attributes to the pattern 
Attribute Name : TimeLog10AM-5PM
Label : Time
Definition : Time when the user is logged in
Status : Active
Description : Time Range between 10 AM to 5 PM
Compare Operator : Range
Start Value : 10
End Value : 17

Now Create a new Alert Group
OAAM Admin -> Groups -> Right Click -> "New Group"

Group Name : NightShiftLogin10AM-5PM
Group Type : Alerts
Cache Policy : Full Cache
Description : Alert Login

Alerts -> + add
        Create new Alerts (check), Search from existing Alerts (uncheck)
        Alert Type : Investigation
        Alert Level : Medium 
        Alert Message : Night Shift Login 
        
Create a New Policy 

Policy Name : TImeBetween10AM_1700
Policy Status : Active
Checkpoint : Post-Authentication
Scoring Engine : Maximum
Weight : 100
Description : yah yah

        Go to Rules tab
        Add Rule (+)
                Rule Name : User: Entity Pattern Count
                Policy Name : TImeBetween10AM_1700
                Rule Status : Active
                Rule Notes : Count the number of times
                
        Add Conditions (+)
                ENTITY: Entity is member of pattern N times
                
                Pattern hit count more than : 3
                Pattern Name for membership : TimeLog10AM-5PM
                Is Membership Count More than patternHitCountForUser : True
                Time period type for pattern membership : 24
                Member type for pattern membership : User
                Click Save
                
        Go to Results of Rule
                Score : 1000
                Weight : 100
                Action Group : None
                Alert Group : NightShiftLogin10AM-5PM
                
        Click Apply and OK

Create a User ID group for nightshiftusers. Right-click the Groups node and add the test user to this group

Group Name : nightshiftusers
Group Type : User ID
Cache Policy : Full Cache
Description : ejrfjer

Add the User in User ID tab

Go back to the policy TImeBetween10AM_1700 and link this policy to the group just created
        Group Linking 
        Link Group to Policy Icon 
        Group Name : nightshiftusers
        Group Description
        Linking Notes : This policy is linked to all night shift users group
        
Check 3 properties
1> vcrypt.tracker.autolearning.use.tran.status.for.analysis = true
2> vcrypt.tracker.autolearning.use.auth.status.for.analysis = true
3> vcrypt.tracker.autolearning.enabled = true

Test the scenario by logging in more than 3 times

Check the Alerts in OAAM Admin
Marked in orange as Medium alerts



Patterns - Requests from Different IP Addresses

Autolearning is a profiling process , administrator defines behaviour patterns
These patterns are in turn used by OAAM to dynamically create and populate buckets based on the pattern parameters
OAAM(Adaptive Risk Manager) automatically records and maintains the bucket memberships of users, devices, and locations (entities in general) over time so that the profiles that are created can be used to evaluate risk.

Import the snapshot "pattern_snapshot.zip" 
Login with test user 7-8 times 
Change the IP address using Modify Headers extension 
"X-forwarded-for" 
Log in to oaam_server as the same user (comes from  a new IP)                
The first few logins generate an alert, but after some time, when the percentage falls below 20% from this new IP, the alerts stop.


Backup before Import new snapshot
OAAM Admin -> System Snapshots -> Double Click -> Click -> Backup
Backup Type : Database and File
Name : backup_name
Notes : 
File Name (.ZIP) :


Go to Policies -> IP-based Pattern Demo Policy

Policy Name : IP-based Pattern Demo policy
Policy Status : Active
Checkpoint : Pre-Authentication
Scoring Engine : Average
Weight : 100
Description : This policy generate the alert if user's percentage of IP usage is below 20

Rules (only 1)
    Rule Name : User: IP Usage rule
    Policy Name : IP-based Pattern Demo Policy
    Rule Status : Active
    Rule Notes : Raise an alert if IP is used  less than 20% of time
    
Conditions tab (only 1)
    ENTITY: Entity is member of pattern less than some percent times
    Pattern Hit Percent less than : 20 
    Pattern name for membership : User-IP Tracking Pattern 
    Is Membership Count Less than patternHitPercent : True
    Time period type for pattern membership : 3
    Member type for pattern membership : User
    
Results tab
    Score : 1000
    Weight : 100
    Action Group : None
    Alert Group : IP Used less than percentage times for the User
    
Group Name : IP Used less than percentage times for the User
Group Type : Alerts
Cache Type : None
Description : Test Alert group for pattern

Alerts tab
    Alert Type : Investigation
    Alert Level : Medium
    Alert Message : Ip used less than percentage times for the User
    
Usage : Policies , Rules , Groups

Change vcrypt.tracker.ip.detectProxiedIP from false to true so that X-forwarded-for is honored, then test

OAAM Admin -> Patterns -> User-IP Tracking Pattern

Pattern Name : User-IP Tracking Pattern
Pattern Status : Active
Member Types : User
Evaluation Priority : High
Description : This pattern tracks user's IP.
Transaction Type : Authentication
Creation Method : Multi-Bucket

Attribute tab    
    Label : Remote IP
    Definition: Remote Ip
    Status : Active
    Description : IP of the user. X-forwarded-for
    Compare Operator : for Each
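Added example, not OAAM's own code: a small model of the two patterns in this task (TimeLog10AM-5PM and User-IP Tracking Pattern) and the rule conditions built on them, run over constructed login events. It shows why the odd-hours alert starts at the fourth in-range login, why the new-IP alert fires and then stops once that IP's share of the user's logins reaches 20%, and why a spoofed X-Forwarded-For header changes nothing unless vcrypt.tracker.ip.detectProxiedIP is true. It assumes the Range operator is inclusive on the hour of day and takes the IP percentage over all of the user's recorded logins.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def client_ip(remote_addr, headers, detect_proxied_ip=False):
    """IP recorded for the 'Remote IP' attribute.  X-Forwarded-For is honored only
    when vcrypt.tracker.ip.detectProxiedIP is true (the lab enables it for testing);
    with it false the TCP peer address is used, so the header cannot steer the rule."""
    if detect_proxied_ip and headers.get("X-Forwarded-For"):
        return headers["X-Forwarded-For"].split(",")[0].strip()  # first hop = client
    return remote_addr


class PatternTracker:
    """Bucket memberships per user for the two patterns of this task:
    TimeLog10AM-5PM (single-bucket, Time in Range 10..17, assumed inclusive) and
    User-IP Tracking Pattern (multi-bucket, 'for Each' Remote IP)."""

    def __init__(self, start_hour=10, end_hour=17):
        self.start_hour, self.end_hour = start_hour, end_hour
        self.time_hits = defaultdict(list)      # user -> timestamps inside the range
        self.ip_buckets = defaultdict(Counter)  # user -> {ip: hit count}

    def record_login(self, user, ts, ip):
        if self.start_hour <= ts.hour <= self.end_hour:
            self.time_hits[user].append(ts)
        self.ip_buckets[user][ip] += 1

    def pattern_hit_count(self, user, now, window=timedelta(hours=24)):
        """'Entity is member of pattern N times' over the 24-hour period type."""
        return sum(1 for t in self.time_hits[user] if now - t <= window)

    def pattern_hit_percent(self, user, ip):
        """'Entity is member of pattern less than some percent times': share of the
        user's logins that fall in this IP's bucket (assumed over all history)."""
        total = sum(self.ip_buckets[user].values())
        return 100.0 * self.ip_buckets[user][ip] / total if total else 0.0


def evaluate_rules(tracker, user, now, ip):
    """Return the alert groups raised by the two rules, using the lab's thresholds."""
    alerts = []
    if tracker.pattern_hit_count(user, now) > 3:      # Pattern hit count more than: 3
        alerts.append("NightShiftLogin10AM-5PM")
    if tracker.pattern_hit_percent(user, ip) < 20:    # Pattern Hit Percent less than: 20
        alerts.append("IP Used less than percentage times for the User")
    return alerts


def simulate(events, detect_proxied_ip=False):
    """Feed (user, timestamp, remote_addr, headers) events through the tracker and
    return the alerts raised on each login.  Membership is recorded before the
    rules run, as the login being evaluated also updates the pattern."""
    tracker, results = PatternTracker(), []
    for user, ts, remote_addr, headers in events:
        ip = client_ip(remote_addr, headers, detect_proxied_ip)
        tracker.record_login(user, ts, ip)
        results.append(evaluate_rules(tracker, user, ts, ip))
    return results


# Constructed sample: six daytime logins from one address, then two logins two days
# later carrying an X-Forwarded-For header (as set with the Modify Headers extension).
BASE = datetime(2024, 1, 8)
XFF = {"X-Forwarded-For": "203.0.113.7"}
EVENTS = [("test", BASE + timedelta(hours=h), "10.0.0.1", {}) for h in range(10, 16)] + [
    ("test", BASE + timedelta(days=2, hours=9), "10.0.0.1", XFF),
    ("test", BASE + timedelta(days=2, hours=9, minutes=30), "10.0.0.1", XFF),
]

if __name__ == "__main__":
    for flag in (False, True):
        print(f"detectProxiedIP={flag}:")
        for (user, ts, _, _), alerts in zip(EVENTS, simulate(EVENTS, flag)):
            print(f"  {ts:%Y-%m-%d %H:%M} {user}: {alerts}")
```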
    


--------Task 4 - Native Integration-----------------------

Integrating sample applications with OAAM using in-proc and SOAP mode

Deploy the sample applications in a new Managed Server within the same OAAM domain. In real life, however, you would deploy the sample application in a new Managed Server in a different WLS domain.
If the WLS domain is the same version as the IAM domain that is compatible with OAAM 11gR1PS1, you can use in-proc mode ; however , if it is a non IAM domain , or a non-WLS application server , or if the application is a non-Java-based application (.NET app) , you must use SOAP mode.

Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using In-Proc Mode

You deploy a sample customer application oaam_sample.zip on to a user-defined Managed Server
You also deploy oaam_native_lib.war as a shared library and target it to the new Managed Server

You create the new Managed Server in the same IAMDomain where the OAAM server resides; therefore the oaam map and key values do not need to be updated or created
Also make sure OAAM_SERVER_DS data source is targeted to the new Managed Server and verify weblogic.xml file for the custom application has reference to the oaam_native_lib.war

Create a new server (7002)
Install oaam_native_lib.war 
Deploy oaam_sample 
OAAM_SERVER_DS, add new server as 1 of the targets
Activate Changes
Start customerServer
Access the application -> http://host:7002/oaam_sample
username scott password test
Get a new Image and phrase
KBA Q&A
Enter your mobile number
Login Successful with links on the left for Internet Banking and Retail Ecommerce

Now Stop the OAAM Managed Server and login to BigBank application
If you are successfully challenged and can register KBA questions and OTP without the OAAM server running, it proves the assertion made in the lesson that you do not need the OAAM server running for in-proc native integration, because calls are made directly to the DB
Stop OAAM server
Access http://host:7002/oaam_sample
Try logging in to the BigBank application using scott and the password test. You have to register again because of a bug in oaam_sample
Disable the rule "Register User Information" in the "OAAM Registration" policy
Start OAAM Server


Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using SOAP Mode (with No Authentication)

Modify the bharosa_server.properties file to run the native integration with oaam_sample in SOAP mode

edit $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties

vcrypt.tracker.soap.url=http://host:14300/oaam_server/services

vcrypt.soap.auth=false
vcrypt.common.util.vcryptsoap.impl.classname=com.bharosa.vcrypt.common.impl.VCryptSOAPGenericImpl
vcrypt.soap.disable=false
vcrypt.tracker.soap.useSOAPServer=true
vcrypt.tracker.impl.classname=com.bharosa.common.util.BharosaConfigPropsImpl
vcrypt.soap.call.timeout=10000
bharosa.config.load.impl.classname=com.bharosa.common.util.BharosaConfigLoadPropsImpl
bharosa.authentipad.image.url=kbimage.jsp?action=kbimage&
bharosa.image.dirlist=/u01/app/oracle/product/middleware/iam_home/oaam/oaam_images/

Now go to EM Console and make changes to OAAM Webservices
Right-click oaam_server_server1 -> Select Web Services

Select all OAAM Web Services 
Click Attach Policies
Select policies
        oracle/no_authentication_service_policy
        oracle/no_authorization_service_policy
        
Click Attach button 
Restart OAAM Managed Server
Data Sources -> OAAM_SERVER_DS -> Remove customerServer from the targets
In SOAP mode there is no direct call to the database. Requests go through the OAAM Server, which in turn talks to the DB; therefore you do not need to target the data source to the Managed Server that is running the customer application (customerServer)


Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using SOAP Mode (with Authentication)

WebLogic Console -> Security -> Realms -> myrealm -> create a new user
Name : soap_user
Provider : DefaultAuthenticator
Password : password

Make the User member of OAAMSOAPServicesGroup 

Create a file named soap_key.file in $ORACLE_MW_HOME/work/oaam_cli/cli 
Content of file
password

Edit soap_3des_input.properties as below
keystorepasswd=password
keystorealiaspasswd=password
keyFile=soap_key.file
keystorefilename=system_soap.keystore
keystorealias=vcrypt.soap.call.passwd

./setCliEnv.sh
Run below command
$JAVA_HOME/bin/java -Djava.security.policy=conf/jmx.policy -classpath $CLSPTH com.bharosa.vcrypt.common.util.KeyStoreUtil updateOrCreateKeyStore readFromFile=$ORACLE_MW_HOME/work/oaam_cli/cli/soap_3des_input.properties

This will generate KeyStore Password and Alias Password

Move system_soap.keystore to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes

Shut down the customerServer where oaam_sample is running 


Modify bharosa_server.properties

Change vcrypt.soap.auth=true

Uncomment  and set values below
vcrypt.soap.auth.keystorePassword=passwordcopied
vcrypt.soap.auth.aliasPassword=aliasPwdCopied
vcrypt.soap.auth.username=soap_user
vcrypt.soap.auth.keystoreFile=system_soap.keystore

Because the sample application is in the same domain as the OAAM Server, verify that
bharosa.cipher.encryption.algorithm.enum is commented out

Update oaam_sample app with bharosa_server.properties

Deploy and start the customer Server

Go to EM Console -> Locate oaam_server_server1 -> Right CLick -> Select Web Services -> Attach Policies -> Select all OAAM Webservices ->
Select oracle/wss_http_token_service_policy
Click Attach
Restart OAAM Managed Server
Deselect OAAM_SERVER_DS from customerServer as targets

Natively Integrating the Sample Application That is Running in the Non-OAAM Server Domain Using SOAP Mode

deploy sample application to a new Managed Server in a pure WLS domain (no IAM component)

Copy $ORACLE_HOME/oaam/oaam_libs/war/oaam_native_lib.war to a tmp folder, $ORACLE_HOME/oaam/oaam_libs/war/tmp/oaam_native_lib.war, and extract it there

Navigate to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes and rename bharosa_server.properties to bharosa_server.properties.backup (the copy below would otherwise overwrite it)

Copy the properties from the extracted native library into the sample application, then restore the bharosa_server.properties file that you renamed in the preceding step:

cd $ORACLE_HOME/oaam/oaam_libs/war/tmp/WEB-INF/classes
cp -r bharosa_properties $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes
cp *.properties $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes
rm $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties
mv $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties.backup $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties

Copy oaam_soap_client.jar file from $ORACLE_HOME/oaam/oaam_libs/jar to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/lib

Remove the following tag from $ORACLE_HOME/oaam/oaam_sample/WEB-INF/weblogic.xml
<library-ref>
<library-name>oracle.oaam.libs</library-name>
</library-ref>

Go to $ORACLE_MW_HOME/work/oaam_cli/cli
Create config_secret_key.file with password
cp sample.config_3des_input.properties config_3des_input.properties

vi config_3des_input.properties

change keystorepasswd and keystorealiaspasswd values, specify config_secret_key.file for keyFile

./setCliEnv.sh

Run below command
$JAVA_HOME/bin/java -Djava.security.policy=conf/jmx.policy -classpath $CLSPTH com.bharosa.vcrypt.common.util.KeyStoreUtil updateOrCreateKeyStore readFromFile=$ORACLE_MW_HOME/work/oaam_cli/cli/config_3des_input.properties

Copy system_config.keystore to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes

Edit $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties

bharosa.cipher.encryption.algorithm.enum.DESede_config.keyRetrieval.classname=com.bharosa.common.util.cipher.KeystoreKeyRetrieval
bharosa.cipher.encryption.algorithm.enum.DESede_config.keystoreFile=system_config.keystore
bharosa.cipher.encryption.algorithm.enum.DESede_config.keystorePassword=jrhrhtfuher=
bharosa.cipher.encryption.algorithm.enum.DESede_config.aliasPassword=beruhfeh==

Create a new WLS Domain

Create a new Managed Server

Deploy the Sample Application

Start customerServer on the nonIAMDomain

Ensure oaam_sample goes to Active state

Test with scott, test on new app :8002/oaam_sample
