OAAM 11g Lab

Task 1 - Installation and Configuration
        Installing WLS 10.3.5
        Run RCU
        Install OIAM Suite
        Configure OIAM
        Start and Stop Admin, Managed Servers
        Setting Up OAAM Base Env - Creating OAAM Admin User and Assigning OAAM Groups
        Setting Up OAAM Base Env - Command-Line Interface
                                   Encryption and Database Credentials
                                   Importing OAAM Snapshot
                                   Importing IP Location Data
                                   Setting Timezone
                                   Credential Stores to OID
                                   Applying Bp01 Patch
Task 2 - OAAM Customizations
        Adding a User-Defined Header and Footer to OAAM Login Pages
        Adding a User-Defined Error Message in English and Spanish
        Changing Style Sheet for OAAM Login Pages
        Changing Default Text and Adding a New Link on OAAM Login Page
        Modifying a Virtual Authentication Device (VAD)
       
Task 3 - Policies - Static, Patterns, and Predictive
        Reviewing OAAM Pre-Authentication Policy for a Blacklisted User
        Reviewing OAAM AuthenticationPad Policy
        Blocking Requests from WebZip Browser
        Patterns - Request from Odd Hours of Day
        Patterns - Requests from Different IP Addresses
       
Task 4 - Native Integration
        Natively Integrating Sample Application That is Running in OAAM Server Domain Using In-Proc Mode
        Natively Integrating Sample Application That is Running in OAAM Server Domain Using SOAP Mode (with No Authentication)
        Natively Integrating Sample Application That is Running in OAAM Server Domain Using SOAP Mode (with Authentication)
        Natively Integrating Sample Application That is Running in Non-OAAM Server Domain Using SOAP Mode
       
Task 5 - Transactions
        Running BigBank Sample Application
        Creating a Customer Entity
        Creating a Transaction Definition
        Creating an Alert Group
        Creating a New Policy
        Testing the Internet Banking Transaction
        Exploring the Sample Application and the API Calls
        Creating Configurable Actions
        Auto-Generating a Fraud Case for Investigation
        Importing a Transaction Definition and Policy for Retail Ecommerce
       
Task 6 - Reporting and Auditing
        Installing and Configuring Oracle BI Publisher Reports for OAAM Reports
        Configuring OAAM to Write Audit Log Records to Oracle Database
        Configuring and Viewing Oracle BI Publisher OAAM Audit Reports
        Creating Custom Reports
       
Task 7 - Monitoring and Diagnostics
        Monitoring Key Metrics
        Configuring and Viewing Logging
        Reviewing Log Messages in FMW Control
        Increasing the Log Level
        Resetting the Log Level Back to Default Level
       
Task 8 - OAAM Offline and Job Scheduler
        Initializing the OAAM Administration Environment and Configuring the OAAM Offline Server for Testing
        Setting Up and Viewing the Recurring Auto-Increment Load and Run Job
        Performing Ad Hoc Rules Testing
        Scheduling Monitor Data Rollup Jobs and Viewing the Results
       

Install OIAM Suite
/u01/app/oraInventory/createCentralInventory.sh

Configure OIAM
cd $ORACLE_HOME/common/bin
./config.sh
Domain Source -
OAAM Admin Server, OAAM Server, OAAM Offline

Start the servers in the following order
WLS Admin
OAAM Admin
OAAM Managed Server
OAAM Offline Server

Stop sequence
OAAM Offline Server
OAAM Managed Server
OAAM Admin Server
WLS Admin

Setting Up OAAM Base Env - Creating OAAM Admin User and Assigning OAAM Groups

Go to Weblogic Console -> Security -> myrealm -> User and Groups -> Users -> New -> oaam_admin ->
oaam_admin -> Assign all groups with "OAAM" keyword (total 7) -> Save

Now you can log in to http://host:14200/oaam_admin using the oaam_admin user

Setting up OAAM Base Env - Setting Up the Command-Line Interface

Copy the CLI folder $ORACLE_HOME/oaam/cli to a working directory (oaam_cli)

cp -r $ORACLE_HOME/oaam/cli $ORACLE_MW_HOME/work/oaam_cli

Setting CSF Configuration
a>    CSF without MBeans (run the OAAM CLI on the same computer as WLS; no need to give the WLS admin user and password)
b>    CSF with MBeans (recommended if OAAM is clustered; the WLS admin user and password must be given)

edit bharosa_properties/oaam_cli.properties

Set the following
oaam.adminserver.hostname = hostname
oaam.adminserver.username = weblogic
oaam.adminserver.password = password
oaam.db.url = jdbc:oracle:thin.....

chmod +x *.sh
vi setCliEnv.sh
CLSPTH=...../wls_home/server/lib/wlclient.jar
CLSPTH=...../wls_home/server/lib/wljmxclient.jar

Setting OAAM DB Creds in CSF

Go to EM Console -> WebLogic Domain -> Right-click IAMDomain -> Security -> Credentials -> Expand oaam map -> Select oaam map -> Click Create ->
Key : oaam_db_key
Type : Password
User Name : DEV_OAAM
Password and Confirm Password :

Setting up Encryption and Database Credentials

Setting up Encoded Secret Key for Encrypting Configuration Values
edit $ORACLE_MW_HOME/work/oaam_cli/config_3des_input.properties
keystorepasswd=password
keystorealiaspasswd=password
keyFile=config_secret_key.file

./genEncodedKey.sh config_3des_input.properties
Generated Encoded key = oamKerhhfcehe/eihrfiherih
Copy it

Adding the Encoded Symmetric Key for Encrypting Configuration Values to the CSF
Save the Encoded key in oaam map -> DESede_config_key_alias

Setting Up Encoded Secret Key for Encrypting Database Values

edit $ORACLE_MW_HOME/work/oaam_cli/db_3des_input.properties
./genEncodedKey.sh db_3des_input.properties
Generated Encoded key = jejerciojre/oiejfoirje
Copy and Save to EM Console -> oaam map -> DESede_db_key_alias

Setting Up OAAM DB Credentials in CSF
Already done above (oaam_db_key in the oaam map)

Backing Up DB Credentials and Encoded Secret Keys for Encrypting Database and Configuration Values

You should back up all the encoded secret keys used. They will be needed if the OAAM domain has to be re-created

oaam_db_key , Password , DEV_OAAM ,
DESede_db_key_alias, genEncodedKey
DESede_config_key_alias , genEncodedKey

Importing  OAAM Snapshot

Import the oaam_base_snapshot.zip file (in $ORACLE_HOME/oaam/init) into OAAM through OAAM Admin

The snapshot contains
1> Challenge Questions
2> Entity Definitions - user, city, device and so on
3> Out-of-the-box patterns
4> Out-of-the-box configurable actions
5> Out-of-the-box Policies
6> Any groups - rules, user groups, and action and alert groups

For upgrades, this step is not required, as the import would overwrite the existing data

Default patterns are in $ORACLE_HOME/oaam/init/OOB_patterns.zip

Base policies are in
$ORACLE_HOME/oaam/init/oaam_policies.zip

Configurable action templates are in
$ORACLE_HOME/oaam/init/OOTB_Configurable_Actions.zip

Base-authentication required entities are in
$ORACLE_HOME/oaam/init/Auth_EntityDefinition.zip

Importing IP Location Data

Edit $ORACLE_MW_HOME/work/oaam_cli/cli/bharosa_location.properties
The location data must come from one of the supported vendors (ip2location, maxmind, Quova)

location.data.provider=quova
location.data.file=/path/to/.dat.gz.file
location.data.ref.file=/path/to/ref.dat.gz.file
location.data.anonymizer.file=anonymizer.dat.gz.file

Run the loader command
./loadIPLocationData.sh

Check that ORACLE_MW_HOME and JAVA_HOME are set and that oaam_cli.properties has the correct DB and AdminServer values
source setCliEnv.sh
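A preflight check for the CLI working copy, added here as an example and not an OAAM script. It confirms that ORACLE_MW_HOME and JAVA_HOME are set, that the four oaam_cli.properties values above are present and not left at their placeholder values, that oaam.db.url is a thin JDBC URL, and that every keyFile named by a *_3des_input.properties (each holds a plaintext keystore password) is readable by its owner only. It assumes the layout of these notes: bharosa_properties/oaam_cli.properties under the oaam_cli working directory and the *_3des_input.properties files beside it.

```shell
#!/bin/sh
# Preflight for the OAAM CLI working copy (added example, not an OAAM script).
# Assumed layout, from the notes above:
#   <oaam_cli dir>/bharosa_properties/oaam_cli.properties
#   <oaam_cli dir>/*_3des_input.properties, each naming a keyFile that holds a plaintext password

# Return 0 when every required key is present, non-empty and not a placeholder.
# Usage: check_cli_props <oaam_cli.properties>
check_cli_props() {
    file=$1
    status=0
    for key in oaam.adminserver.hostname oaam.adminserver.username \
               oaam.adminserver.password oaam.db.url; do
        esc=$(printf '%s\n' "$key" | sed 's/\./\\./g')      # literal dots for the regex
        # last assignment wins; spaces around '=' are tolerated
        value=$(sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1)
        if [ -z "$value" ]; then
            echo "MISSING  $key" >&2; status=1
        elif [ "$value" = password ] || [ "$value" = hostname ]; then
            echo "DEFAULT  $key still has the placeholder value" >&2; status=1
        fi
    done
    case $(sed -n 's/^[[:space:]]*oaam\.db\.url[[:space:]]*=[[:space:]]*//p' "$file" | tail -n 1) in
        jdbc:oracle:thin*) ;;
        *) echo "BAD-URL  oaam.db.url is not a jdbc:oracle:thin URL" >&2; status=1 ;;
    esac
    return $status
}

# Return 0 when the file exists and no group/other permission bit is set (mode 600 or stricter).
# Usage: check_secret_perms <file>
check_secret_perms() {
    f=$1
    [ -f "$f" ] || { echo "MISSING  $f" >&2; return 1; }
    bits=$(ls -ld "$f" | cut -c5-10)          # group and other bits of the mode string
    [ "$bits" = "------" ] && return 0
    echo "LOOSE    $f is $(ls -ld "$f" | cut -c1-10); expected -rw-------" >&2
    return 1
}

# Run all checks against a CLI working directory. Usage: preflight_cli <oaam_cli dir>
preflight_cli() {
    dir=$1
    ok=0
    for var in ORACLE_MW_HOME JAVA_HOME; do
        eval "val=\${$var:-}"
        [ -n "$val" ] || { echo "UNSET    $var" >&2; ok=1; }
    done
    check_cli_props "$dir/bharosa_properties/oaam_cli.properties" || ok=1
    for inp in "$dir"/*_3des_input.properties; do
        [ -f "$inp" ] || continue
        kf=$(sed -n 's/^[[:space:]]*keyFile[[:space:]]*=[[:space:]]*//p' "$inp" | tail -n 1)
        [ -n "$kf" ] || continue
        case $kf in /*) ;; *) kf=$dir/$kf ;; esac    # keyFile is relative to the CLI dir
        check_secret_perms "$kf" || ok=1
    done
    return $ok
}
```

Run it as `preflight_cli $ORACLE_MW_HOME/work/oaam_cli` after sourcing setCliEnv.sh; a non-zero exit with the findings on stderr means the loader or the key generation should not be started yet.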

Log in to the DB with SQL*Plus and verify that the tables were loaded

select count(*) from vcrypt_country;
select count(*) from vcrypt_ip_location_map;

The script may take up to 24 hours to run; let it run without closing the terminal window

Setting the Timezone

Property in OAAM Admin

oaam.adf.timezone = user.timezone (shows server time)
user.timezone = UTC

It will pick the OAAM Admin Server machine time as set in bash profile (TZ, EST, UTC)
List of timezones
oracle.adf.timezone=America/Los_Angeles

Migrating OAAM Access Policies, OPSS Authorization Policies, and Credential Stores to OID

Create jpsroot in OID using ldapadd

dn: cn=jpsroot_iam
cn: jpsroot_iam
objectclass: top
objectclass: orclcontainer

Add this file with ldapadd

Connect to weblogic (7001) using wlst

wlst> reassociateSecurityStore(domain="IAMDomain", admin="cn=orcladmin", password="password",ldapurl="ldap://host:3069",servertype="OID",jpsroot="cn=jpsroot_iam")

The command takes about 5 minutes

Restart WLS , OAAM Admin , OAAM Managed Servers

Login to ODSM :7005/odsm
You should see cn=jpsroot_iam populated with all the policy store data

----------------------Task 2 - OAAM Customizations--------

Login to OAAM Admin and Environment-> Properties

vcryptuser.customerid.generateIfNull -> change from true to false (when false, this property ensures that the user ID is set to the same value as the username; when true, the user ID is a system-generated, random and unique alpha value)

Before that, log in with a test user and register it
Go to http://host:14300/oaam_server
The password is test
Click Continue to register
Accept the security device, image and phrase
"Get a new image and phrase"
Now you should be logged in to the BigBank dummy app

Adding a User-Defined Header and Footer to OAAM login pages

Edit $ORACLE_HOME/oaam/oaam_extensions/generic/oracle.oaam.extensions.war in a temp directory (copy it there first)

unzip oracle.oaam.extensions.war
mkdir user_defined images
copy header.jpg and footer.jpg to images
copy header.jsp and footer.jsp to user_defined

Edit WEB-INF/classes/bharosa_properties/bharosa_server.properties

bharosa.uio.default.header=/user_defined/header.jsp
bharosa.uio.default.footer=/user_defined/footer.jsp

repack the war
Shut OAAM Admin and Server
Deploy the war to OAAM Admin, OAAM Offline and OAAM Server

Start the OAAM Admin and OAAM Server
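The unzip/copy/edit part of the procedure above as a script, added here as an example and not OAAM code. It works on an already extracted copy of oracle.oaam.extensions.war, assumes the layout from these notes (bharosa_server.properties under WEB-INF/classes/bharosa_properties, user_defined/ for the .jsp files, images/ for the .jpg files) and sets properties idempotently, so re-running it after a fix never leaves duplicate keys. The same set_prop helper fits the other bharosa_server.properties edits later in these notes; repacking and deploying the war stay manual.

```shell
#!/bin/sh
# Apply the header/footer customization to an extracted copy of oracle.oaam.extensions.war.
# Added example, not OAAM code. Assumed layout, as in the notes:
#   <war-dir>/WEB-INF/classes/bharosa_properties/bharosa_server.properties
#   <war-dir>/user_defined/{header,footer}.jsp and <war-dir>/images/{header,footer}.jpg
# Repacking and deploying the war stay manual steps (see the notes).

# Set key=value in a Java properties file: replace the existing line(s) for the key or
# append one, so running the customization twice never leaves duplicate keys.
# Usage: set_prop <properties-file> <key> <value>
set_prop() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    esc=$(printf '%s\n' "$key" | sed 's/\./\\./g')               # literal dots in the key
    repl=$(printf '%s\n' "$key=$value" | sed 's/[\\&|]/\\&/g')   # escape sed replacement specials
    if grep -q "^[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*${esc}[[:space:]]*=.*|${repl}|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Read a key back (last assignment wins, as java.util.Properties does).
# Usage: get_prop <properties-file> <key>
get_prop() {
    esc=$(printf '%s\n' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Copy the user-defined files into the extracted war and point the two properties at them.
# Usage: customize_login_pages <war-dir> <dir containing header.jsp footer.jsp header.jpg footer.jpg>
customize_login_pages() {
    war=$1 src=$2
    props=$war/WEB-INF/classes/bharosa_properties/bharosa_server.properties
    mkdir -p "$war/user_defined" "$war/images" "$(dirname "$props")"
    cp "$src/header.jsp" "$src/footer.jsp" "$war/user_defined/"
    cp "$src/header.jpg" "$src/footer.jpg" "$war/images/"
    set_prop "$props" bharosa.uio.default.header /user_defined/header.jsp
    set_prop "$props" bharosa.uio.default.footer /user_defined/footer.jsp
    # next, as in the notes: repack (cd "$war" && jar cf ../oracle.oaam.extensions.war .),
    # stop OAAM Admin and Server, deploy to OAAM Admin, OAAM Offline and OAAM Server, start them
}
```

Values are written verbatim, including `&` (as in bharosa.authentipad.image.url later in these notes), because the replacement text is escaped before it reaches sed.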

Adding a User-Defined Error Message in English and Spanish

Files = client_resource_en.properties and client_resource_es.properties

bharosa.uio.default.login.invalid.user=Invalid username or password. Please try again.

Recreate the oracle.oaam.extensions.war file

To test Spanish you need to change the locale settings of the browser

OAAM supports 26 languages
The default text and messages are in asa_msg_resource_locale.properties and asa_msg_resource.properties

Changing the Style Sheet for the OAAM Login Pages

File = bharosa_uio.css which is in $ORACLE_MW_HOME/user_projects/domains/domain-name/servers/oaam_server_server1/tmp/_WL_user/oaam_server_11.1.1.3.0/1iknvr/war/css

One more file = bharosa_uio_rtl.css (same location)

create mystylesheet.css in user_defined

Change bharosa_server.properties
bharosa.uio.default.custom.css=/user_defined/mystylesheet.css

Recreate the oracle.oaam.extensions.war

Changing the Default Text and Adding a New Link on the OAAM Login Page

File = client_resource_en.properties

bharosa.uio.default.signon.page.button=Next
bharosa.uio.default.messages.enum.forgotusernamepopup.name= Forgot Username
bharosa.uio.default.messages.enum.forgotusernamepopup.description=If you have forgotten your username, please call customer service
bharosa.uio.default.signon.links.enum.forgottusername.description=Forgot username

This bharosa.uio.default.signon.page.button was set to Continue in the asa_msg_resource.properties file, but I override that in client_resource_en.properties

Edit bharosa_server.properties

bharosa.uio.default.messages.enum.forgotusernamepopup=99
bharosa.uio.default.messages.enum.forgotusernamepopup.name= Forgot Username
bharosa.uio.default.messages.enum.forgotusernamepopup.description=If you have forgotten your username, please call customer service
bharosa.uio.default.signon.links.enum.forgottusername.url=javascript:infoWindow('forgotusernamepopup');
bharosa.uio.default.signon.links.enum.forgottusername.enabled=true

After adding the preceding content to the bharosa_server.properties file, modify the existing enum, that is, the forgottusername.url and forgottusername.enabled elements of the signon.links enum

These two elements are defined in the oaam_uio.properties file as

bharosa.uio.default.signon.links.enum.forgottusername.url=#
bharosa.uio.default.signon.links.enum.forgottusername.enabled=false

Recreate oracle.oaam.extensions.war file

Deploy the war

Modifying a Virtual Authentication Device (VAD)

Access to http://host:14300/oaam_server

login with test user and password as test
If you get challenged by a KBA question, answer it and click "User Preferences" in the Welcome to BigBank app page
Click "Upgrade to higher security device"
Notice the English VAD
Continue and Logout

copy client_resource_de.properties(german) to /WEB-INF/classes

In WEB-INF/classes create two directories, alphapad_bg and alphapad_skins_de

Copy the images and skins

Edit bharosa_server.properties
bharosa.authentipad.keypad.german.keyset.enum=German KeyPad Keyset Enum

Recreate , Deploy, Test, Change Browser locale


--------Task 3 - Policies - Static, Patterns, and Predictive------------

Reviewing the OAAM Pre-Authentication Policy for a Blacklisted User

OAAM Admin -> Groups -> Name -> OAAM Restricted Users -> + -> Add Test User

Now try to access BigBank with the test user; you will be stopped after the username screen with
"You are not authorized to login. Please contact customer service"

OAAM Admin -> Policies -> OAAM Pre-Authentication policy

OAAM Pre-Authentication
    Summary Tab , Rules Tab , Trigger Combinations , Group Linking
    Checkpoint : Pre-Authentication (dropdown)
    Scoring Engines : Maximum
    Weight : 100
    Description : This policy stops fraud login attempts before the password is entered
   
    Go to Rules Tab in the same Policy (OAAM Pre-Authentication)
    Rules (6)
        Blacklisted users
        Blacklisted countries
        Blacklisted ISPs
        Blacklisted Devices
        WEBZIP used
        Blacklisted IPs
   
    Rule Name : Blacklisted users
    Policy Name : OAAM Pre-Authentication
    Rule Status : Active
    Rule Notes : This rule will trigger if a user has previously been black listed.
   
    Conditions (tab) in Blacklisted users (rule)
    Name : USER: In Group
    If the user is in the given group
    Is in group : True
    User Group : OAAM Restricted users
   
    Now if we go to the "OAAM Restricted Users" group in OAAM Admin, we will see the list of users added
   
    The group's Usage tab also shows everywhere the group is used; it lists the policies and the rules within those policies
   
    Go back to "Blacklisted users" Rule
        Go to Results Tab
        Score : 1000
        Weight : 100
        Action Group : OAAM Block
        Alert Group : OAAM Restricted User
   
    Search for groups named : OAAM Block and OAAM Restricted User
   
    OAAM Block Group
        Actions :
                Name : Block
                Value : 2
                Description : Block user from accessing the system

    OAAM Restricted User
        Alerts :
                Alert Type : CSR
                Alert Level : High
                Alert Message : Login Attempt from a blacklisted User
                Alert Type : Fraud
                Alert Level : High
                Alert Message : Blacklisted User login
               
    Check the Usage tab as well -> the policies and rules that use these groups
   
Reviewing the OAAM AuthenticationPad Policy

Policies -> OAAM AuthenticationPad Policy (checkpoint = AuthenticationPad)
Scoring Engine : Average
Weight : 100
Description : Policy to determine the OAAM AuthenticationPad to use.

Rules:-
        Register Challenge Questions
        Check if mobile browser is being used by user
        Challenge SMS
        Registered Image and Caption
        Key Pad User
        Challenge Email
        Challenge Question
       
Trigger Combinations
        These provide a way to create dependencies between the various independent rules defined on the Rules tab.
       

Review :  Registered Image and Caption (Rule)
        Conditions
        USER: Authentication Image Assigned
        Is assigned : True
        Results :
        Action Group : OAAM Personalized Pad
       
Search for Group : OAAM Personalized Pad
       

Reviewing the OAAM Registration Policy

Policies -> OAAM Registration Policy -> Checkpoint = Registration
Checkpoint : Registration
Scoring Engine : Weighted Average
Weight : 100

Rules:-
        Register Questions
        Register Image and Caption
        Check Registration
        Skipped registration more than 3 times
        Register User Information
       
Rule Name : Check Registration
Policy Name : OAAM Registration Policy
Rule Status : Active
Rule Notes : Checks to see if user has completed registration & Personalization.


Conditions (in Rule above)
        USER: Account Status
        User Account Status : Active
        Is : False
       
Go to Conditions Node
Search for Account Status

Go to Results tab in the Rule : Check Registration
Results   
        Score : 0
        Weight : 100
        Action Group : OAAM Register
        Alert Group : None
       
Check out the group "OAAM Register"; the Actions tab of the OAAM Register group shows the actions taken

Usage tab
        Policy Name , Rules , Action Group


If user is not registered , they are shown the standard text pad
If the user is already registered, then they are shown a personalized pad (containing their own phrase and image)

After successful authentication , Registration checkpoint evaluates the OAAM Registration Policy (all 5 rules are triggered)

Get new image , Get new phrase

User can also upgrade to a higher security device (virtual keypad)

After personalized textpad or virtual keypad, they register the KBA Questions
These KBA questions get triggered when the risk score crosses the threshold, that is, to ascertain the true identity of the user in high-risk situations

After registration , user gets to see the BigBank page

You can at any time change the password, change the personalized image and phrase, upgrade or downgrade to a virtual keypad or textpad, or change the KBA questions and answers by clicking the "User Preferences" links

Blocking Requests from the WEBZIP Browser

Policy Name : OAAM Pre-Authentication
Rules : WEBZIP used
Rule Name : WEBZIP used
Policy Name : OAAM Pre-Authentication
Rule Status : Active
Rule Notes : if WEBZIP used

Conditions tab
        DEVICE: Browser header substring
        Description : Checks whether the supplied string is in browser header
        Substring to check for : WebZip
       
Results tab   
        Score : 1000
        Weight : 100
        Action Group : OAAM Block
        Alert Group : OAAM Restricted software
       
Double click Groups Node -> OAAM Block and OAAM Restricted software

Group Name : OAAM Block
Group Type : Actions
Cache Type : Full Cache
Description : Block

        Actions tab   
        Block : Value = 2 : Description = Block user from accessing the system
       
        Usage tab   
        Policies, Rules , Groups

Group Name : OAAM Restricted software
Group Type : Alerts
Cache Type : Full Cache
Description : Restricted software

        Alerts tab
        Alert Type = Fraud ; Alert Level = High ; Alert Message = Login attempt using restricted software
       
        Usage tab   
            Policies:OAAM Pre-Authentication
                Rules:WEBZIP used
                    Group: OAAM Restricted software

                   

Patterns - Request from Odd Hours of the Day

OAAM Admin -> Patterns Node -> Right Click -> New Patterns

Pattern Name : TimeLog10AM-5PM
Transaction Type : Authentication (dropdown)
Creation Method : Single-Bucket(dropdown)
Member Types : User(dropdown)
Evaluation Priority : High(dropdown)
Description : Capture User login

A Pattern with same member configuration already exists
Are you sure you want to create a new pattern ?

Add Attributes to the pattern
Attribute Name : TimeLog10AM-5PM
Label : Time
Definition : Time when the user is logged in
Status : Active
Description : Time Range between 10 AM to 5 PM
Compare Operator : Range
Start Value : 10
End Value : 17

Now Create a new Alert Group
OAAM Admin -> Groups -> Right Click -> "New Group"

Group Name : NightShiftLogin10AM-5PM
Group Type : Alerts
Cache Policy : Full Cache
Description : Alert Login

Alerts -> + add
        Create new Alerts (check), Search from existing Alerts (uncheck)
        Alert Type : Investigation
        Alert Level : Medium
        Alert Message : Night Shift Login
       
Create a New Policy

Policy Name : TImeBetween10AM_1700
Policy Status : Active
Checkpoint : Post-Authentication
Scoring Engine : Maximum
Weight : 100
Description : yah yah

        Go to Rules tab
        Add Rule (+)
                Rule Name : User: Entity Pattern Count
                Policy Name : TImeBetween10AM_1700
                Rule Status : Active
                Rule Notes : Count the number of times
               
        Add Conditions (+)
                ENTITY: Entity is member of pattern N times
               
                Pattern hit count more than : 3
                Pattern Name for membership : TimeLog10AM-5PM
                Is Membership Count More than patternHitCountForUser : True
                Time period type for pattern membership : 24
                Member type for pattern membership : User
                Click Save
               
        Go to Results of Rule
                Score : 1000
                Weight : 100
                Action Group : None
                Alert Group : NightShiftLogin10AM-5PM
               
        Click Apply and OK

Create a User ID group for nightshiftusers. Right-click the Groups node and add the test user to this group

Group Name : nightshiftusers
Group Type : User ID
Cache Policy : Full Cache
Description : ejrfjer

Add the User in User ID tab

Go back to Policy : TimeLog10AM-5PM and link this policy to the group just created
        Group Linking
        Link Group to Policy Icon
        Group Name : nightshiftusers
        Group Description
        Linking Notes : This policy is linked to all night shift users group
       
Check 3 properties
1> vcrypt.tracker.autolearning.use.tran.status.for.analysis = true
2> vcrypt.tracker.autolearning.use.auth.status.for.analysis = true
3> vcrypt.tracker.autolearning.enabled = true

Test the scenario by logging in more than 3 times

Check the Alerts in OAAM Admin
Marked in orange and Medium Alerts



Patterns - Requests from Different IP Addresses

Autolearning is a profiling process: the administrator defines behaviour patterns
These patterns are in turn used by OAAM to dynamically create and populate buckets based on the pattern parameters
OAAM (Adaptive Risk Manager) automatically records and maintains the bucket memberships of users, devices, and locations (entities in general) over time, so that the profiles that are created can be used to evaluate risk.

Import the snapshot "pattern_snapshot.zip"
Login with test user 7-8 times
Change the IP address using Modify Headers extension
"X-forwarded-for"
Log in to oaam_server as the same user (the request now comes from a new IP)
The first few logins generate alerts, but after some time, when the percentage falls below 20% from this new IP, the alerts stop.


Backup before Import new snapshot
OAAM Admin -> System Snapshots -> Double-click -> Click Backup
Backup Type : Database and File
Name : backup_name
Notes :
File Name (.ZIP) :


Go to Policies -> IP-based Pattern Demo Policy

Policy Name : IP-based Pattern Demo policy
Policy Status : Active
Checkpoint : Pre-Authentication
Scoring Engine : Average
Weight : 100
Description : This policy generate the alert if user's percentage of IP usage is below 20

Rules (only 1)
    Rule Name : User: IP Usage rule
    Policy Name : IP-based Pattern Demo Policy
    Rule Status : Active
    Rule Notes : Raise an alert if IP is used  less than 20% of time
   
Conditions tab (only 1)
    ENTITY: Entity is member of pattern less than some percent times
    Pattern Hit Percent less than : 20
    Pattern name for membership : User-IP Tracking Pattern
    Is Membership Count Less than patternHitPercent : True
    Time period type for pattern membership : 3
    Member type for pattern membership : User
   
Results tab
    Score : 1000
    Weight : 100
    Action Group : None
    Alert Group : IP Used less than percentage times for the User
   
Group Name : IP Used less than percentage times for the User
Group Type : Alerts
Cache Type : None
Description : Test Alert group for pattern

Alerts tab
    Alert Type : Investigation
    Alert Level : Medium
    Alert Message : Ip used less than percentage times for the User
   
Usage : Policies , Rules , Groups

Change vcrypt.tracker.ip.detectProxiedIP from false to true so that X-forwarded-for is honoured, then test

OAAM Admin -> Patterns -> User-IP Tracking Pattern

Pattern Name : User-IP Tracking Pattern
Pattern Status : Active
Member Types : User
Evaluation Priority : High
Description : This pattern tracks user's IP.
Transaction Type : Authentication
Creation Method : Multi-Bucket

Attribute tab   
    Label : Remote IP
    Definition: Remote Ip
    Status : Active
    Description : IP of the user. X-forwarded-for
    Compare Operator : for Each
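The two pattern conditions reviewed in this task, "Entity is member of pattern N times" for the TimeLog10AM-5PM pattern and "Entity is member of pattern less than some percent times" for the User-IP Tracking Pattern, simulated over constructed login records. This is an added example, not OAAM code: OAAM computes bucket membership from its own tables, whereas here the records (fields user, hour of day, remote IP, all constructed) are the whole evaluation window, and the thresholds are the ones used in the notes (more than 3 hits, less than 20%).

```shell
#!/bin/sh
# Simulation of the two pattern-based rule conditions from the notes (added example, not
# OAAM code). The constructed records below stand in for the pattern membership data that
# OAAM keeps for the evaluation window; each line is: user hour-of-day remote-ip.
LOGINS='test 11 10.0.0.5
test 14 10.0.0.5
test 15 10.0.0.5
test 16 10.0.0.5
test 22 10.0.0.5
test 12 203.0.113.9
scott 09 10.0.0.7'

# Membership count for a single-bucket time pattern: the user's logins whose hour lies in
# [start,end] inclusive (TimeLog10AM-5PM uses 10..17). Usage: pattern_hits <user> <start> <end>
pattern_hits() {
    printf '%s\n' "$LOGINS" | awk -v u="$1" -v lo="$2" -v hi="$3" \
        '$1 == u && $2+0 >= lo+0 && $2+0 <= hi+0 { n++ } END { print n+0 }'
}

# Membership share for the multi-bucket IP pattern: integer percentage of the user's logins
# that came from the given IP. Usage: ip_usage_percent <user> <ip>
ip_usage_percent() {
    printf '%s\n' "$LOGINS" | awk -v u="$1" -v ip="$2" \
        '$1 == u { total++; if ($3 == ip) hit++ } END { print (total ? int(100 * hit / total) : 0) }'
}

# Rule "Entity is member of pattern N times": alert when the count exceeds the threshold.
# Usage: odd_hours_alert <user> <start> <end> <threshold>  -> ALERT or OK
odd_hours_alert() {
    [ "$(pattern_hits "$1" "$2" "$3")" -gt "$4" ] && echo ALERT || echo OK
}

# Rule "Entity is member of pattern less than some percent times": alert when the share of
# logins from this IP is below the threshold. Usage: ip_usage_alert <user> <ip> <percent>
ip_usage_alert() {
    [ "$(ip_usage_percent "$1" "$2")" -lt "$3" ] && echo ALERT || echo OK
}

# Demo run over the constructed data: 5 daytime logins for test (> 3), and 1 of 6 logins
# from 203.0.113.9 (16%, < 20), so both rules raise an alert.
odd_hours_alert test 10 17 3
ip_usage_alert test 203.0.113.9 20
```

The second function also shows why the alerts in the previous section stop: once enough logins have come from the new IP, its share rises above the threshold and the condition no longer holds.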
   


--------Native Integration-----------------------

Integrating sample applications with OAAM using in-proc and SOAP mode

Deploy the sample applications in a new Managed Server within the same OAAM domain. In real life, however, you would deploy the sample application in a new Managed Server in a different WLS domain.
If the WLS domain is the same version as the IAM domain that is compatible with OAAM 11gR1PS1, you can use in-proc mode; however, if it is a non-IAM domain, a non-WLS application server, or a non-Java application (a .NET app), you must use SOAP mode.

Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using In-Proc Mode

You deploy a sample customer application oaam_sample.zip on to a user-defined Managed Server
You also deploy oaam_native_lib.war as a shared library and target it to the new Managed Server

You create the new Managed Server in the same IAMDomain where the OAAM server resides; therefore the oaam map and key values do not need to be updated or created
Also make sure the OAAM_SERVER_DS data source is targeted to the new Managed Server, and verify that the weblogic.xml file of the custom application references oaam_native_lib.war

Create a new server (7002)
Install oaam_native_lib.war
Deploy oaam_sample
OAAM_SERVER_DS, add new server as 1 of the targets
Activate Changes
Start customerServer
Access the application -> http://host:7002/oaam_sample
username scott password test
Get a new Image and phrase
KBA Q&A
Enter your mobile number
Login Successful with links on the left for Internet Banking and Retail Ecommerce

Now stop the OAAM Managed Server and log in to the BigBank application
If you are successfully challenged and can register for KBA questions and OTP without the OAAM server running, it proves the assertion made in the lesson that you do not need the OAAM server running when performing in-proc native integration, because calls are made directly to the DB
Stop OAAM server
Access http://host:7002/oaam_sample
Try logging in to the BigBank application using scott and the password test. Registration is required again because of a bug in oaam_sample
Disable the rule "Register User Information" in the "OAAM Registration" policy
Start OAAM Server


Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using SOAP Mode (with No Authentication)

Modify the bharosa_server.properties file to run the native integration with oaam_sample in SOAP mode

edit $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties

vcrypt.tracker.soap.url=http://host:14300/oaam_server/services

vcrypt.soap.auth=false
vcrypt.common.util.vcryptsoap.impl.classname=com.bharosa.vcrypt.common.impl.VCryptSOAPGenericImpl
vcrypt.soap.disable=false
vcrypt.tracker.soap.useSOAPServer=true
vcrypt.tracker.impl.classname=com.bharosa.common.util.BharosaConfigPropsImpl
vcrypt.soap.call.timeout=10000
bharosa.config.load.impl.classname=com.bharosa.common.util.BharosaConfigLoadPropsImpl
bharosa.authentipad.image.url=kbimage.jsp?action=kbimage&
bharosa.image.dirlist=/u01/app/oracle/product/middleware/iam_home/oaam/oaam_images/

Now go to EM Console and make changes to OAAM Webservices
Right-click oaam_server_server1 -> Select Web Services

Select all OAAM Web Services
Click Attach Policies
Select policies
        oracle/no_authentication_service_policy
        oracle/no_authorization_service_policy
       
Click Attach button
Restart OAAM Managed Server
Data Sources -> OAAM_SERVER_DS -> Remove customerServer from the targets
In SOAP mode, there is no direct call to the database. The requests go through the OAAM Server, which in turn talks to the DB; therefore you do not need to target the data source to the Managed Server that runs the customer application (customerServer)


Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using SOAP Mode (with Authentication)

WebLogic Console -> Security -> Realms -> myrealm -> create a new user
Name : soap_user
Provider : DefaultAuthenticator
Password : password

Make the User member of OAAMSOAPServicesGroup

Create a file named soap_key.file in $ORACLE_MW_HOME/work/oaam_cli/cli
Content of file
password

Edit soap_3des_input.properties as below
keystorepasswd=password
keystorealiaspasswd=password
keyFile=soap_key.file
keystorefilename=system_soap.keystore
keystorealias=vcrypt.soap.call.passwd

source setCliEnv.sh
Run the command below (setCliEnv.sh must be sourced, not executed, so that $CLSPTH is set in the current shell)
$JAVA_HOME/bin/java -Djava.security.policy=conf/jmx.policy -classpath $CLSPTH com.bharosa.vcrypt.common.util.KeyStoreUtil updateOrCreateKeyStore readFromFile=$ORACLE_MW_HOME/work/oaam_cli/cli/soap_3des_input.properties

This will generate KeyStore Password and Alias Password

Move system_soap.keystore to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes

Shut down the customerServer where oaam_sample is running


Modify bharosa_server.properties

Change vcrypt.soap.auth=true

Uncomment  and set values below
vcrypt.soap.auth.keystorePassword=passwordcopied
vcrypt.soap.auth.aliasPassword=aliasPwdCopied
vcrypt.soap.auth.username=soap_user
vcrypt.soap.auth.keystoreFile=system_soap.keystore

Because the sample application is in the same domain as the OAAM Server, verify that
bharosa.cipher.encryption.algorithm.enum is commented out

Update oaam_sample app with bharosa_server.properties

Deploy and start the customer Server

Go to EM Console -> Locate oaam_server_server1 -> Right-click -> Select Web Services -> Attach Policies -> Select all OAAM Web Services ->
Select oracle/wss_http_token_service_policy
Click Attach
Restart OAAM Managed Server
Deselect OAAM_SERVER_DS from customerServer as targets

Natively Integrating the Sample Application That is Running in the Non-OAAM Server Domain Using SOAP Mode

deploy sample application to a new Managed Server in a pure WLS domain (no IAM component)

Copy $ORACLE_HOME/oaam/oaam_libs/war/oaam_native_lib.war to a tmp folder, $ORACLE_HOME/oaam/oaam_libs/war/tmp/oaam_native_lib.war (the commands below assume it has been unpacked there)

Navigate to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes and rename bharosa_server.properties to bharosa_server.properties.backup so that the copy below does not overwrite it

The commands below copy the library's properties into the sample application and then restore the bharosa_server.properties file that you renamed in the preceding step.

cd $ORACLE_HOME/oaam/oaam_libs/war/tmp/WEB-INF/classes
cp -r bharosa_properties $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes
cp *.properties $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes
rm $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties
mv $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties.backup $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties

Copy oaam_soap_client.jar file from $ORACLE_HOME/oaam/oaam_libs/jar to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/lib

Remove below tag from $ORACLE_HOME/oaam/oaam_sample/WEB-INF/weblogic.xml
<library-ref>
<library-name>oracle.oaam.libs</library-name>
</library-ref>
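The removal of that element as a script, added here as an example and not part of OAAM: because the element spans several lines, a line-oriented sed cannot match it reliably, so awk buffers each <library-ref> element up to its closing tag and drops only the one naming the library given on the command line, leaving the rest of weblogic.xml untouched. It assumes the <library-name> element is written without surrounding whitespace, as in the snippet above.

```shell
#!/bin/sh
# Remove the <library-ref> element for a given library from weblogic.xml (added example,
# not OAAM code). Other <library-ref> elements and all other content are kept as-is.

# Usage: strip_library_ref <weblogic.xml> <library-name>   (rewrites the file in place)
strip_library_ref() {
    file=$1 name=$2
    awk -v name="$name" '
        # start buffering at an opening tag; the closing tag may be on the same line
        /<library-ref>/ { buf = ""; inref = 1 }
        inref {
            buf = buf (buf == "" ? "" : "\n") $0
            if ($0 ~ /<\/library-ref>/) {
                inref = 0
                # keep the element unless it names the library we were asked to remove
                if (index(buf, "<library-name>" name "</library-name>") == 0) print buf
            }
            next
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Number of <library-ref> elements left in the file, to confirm the result.
# Usage: count_library_refs <weblogic.xml>
count_library_refs() {
    grep -c '<library-ref>' "$1" || true    # grep exits 1 on a zero count; the count is still printed
}
```

Run it as `strip_library_ref $ORACLE_HOME/oaam/oaam_sample/WEB-INF/weblogic.xml oracle.oaam.libs` on a copy of the descriptor and check the count before and after.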

Go to $ORACLE_MW_HOME/work/oaam_cli/cli
Create config_secret_key.file containing the password
cp sample.config_3des_input.properties config_3des_input.properties

vi config_3des_input.properties

Change the keystorepasswd and keystorealiaspasswd values, and set keyFile to config_secret_key.file

./setCliEnv.sh

Run the command below:
$JAVA_HOME/bin/java -Djava.security.policy=conf/jmx.policy -classpath $CLSPTH com.bharosa.vcrypt.common.util.KeyStoreUtil updateOrCreateKeyStore readFromFile=$ORACLE_MW_HOME/work/oaam_cli/cli/config_3des_input.properties

Copy the generated system_config.keystore to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes

Edit $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties and set:

bharosa.cipher.encryption.algorithm.enum.DESede_config.keyRetrieval.classname=com.bharosa.common.util.cipher.KeystoreKeyRetrieval
bharosa.cipher.encryption.algorithm.enum.DESede_config.keystoreFile=system_config.keystore
bharosa.cipher.encryption.algorithm.enum.DESede_config.keystorePassword=jrhrhtfuher=
bharosa.cipher.encryption.algorithm.enum.DESede_config.aliasPassword=beruhfeh==

Create a new WLS domain (nonIAMDomain)

Create a new Managed Server (customerServer)

Deploy the sample application

Start customerServer in nonIAMDomain

Ensure oaam_sample goes to the Active state

Test with user scott on the new app at :8002/oaam_sample
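Before deploying either SOAP-mode variant (the sample app inside the OAAM Server domain, or the one in the separate WLS domain above), it is worth checking the assembled WEB-INF tree mechanically rather than by eye. The script below is an added example, not part of the lab notes and not Oracle's code: it reads the same bharosa_server.properties keys and file names the notes use and reports what is missing. The mode names "indomain" and "external" are my own, and make_sample_webinf builds a constructed tree with placeholder values so the checks run offline.

```shell
#!/bin/sh
# Added example, not part of the lab notes: pre-deployment sanity check for the
# oaam_sample WEB-INF tree assembled for SOAP mode. Key and file names follow
# the notes; make_sample_webinf creates a constructed tree with placeholders.

# prop_value FILE KEY -> value of the last active (uncommented) KEY= line
prop_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_props FILE KEY... -> reports every KEY that is missing or empty; 0 if none
check_props() {
    file=$1; shift; rc=0
    for key in "$@"; do
        [ -n "$(prop_value "$file" "$key")" ] || { echo "missing or empty: $key"; rc=1; }
    done
    return $rc
}

# check_soap_client WEBINF MODE -> MODE is "indomain" (app deployed in the OAAM
# Server domain) or "external" (pure WLS domain). 0 only when everything is in place.
check_soap_client() {
    webinf=$1; mode=$2; rc=0
    props=$webinf/classes/bharosa_server.properties
    [ -f "$props" ] || { echo "no $props"; return 1; }

    # SOAP authentication must be on, with keystore, alias password and user set
    [ "$(prop_value "$props" vcrypt.soap.auth)" = true ] || { echo "vcrypt.soap.auth is not true"; rc=1; }
    check_props "$props" vcrypt.soap.auth.keystorePassword vcrypt.soap.auth.aliasPassword \
        vcrypt.soap.auth.username vcrypt.soap.auth.keystoreFile || rc=1

    # the SOAP keystore named in the properties must sit beside them in classes/
    ks=$(prop_value "$props" vcrypt.soap.auth.keystoreFile)
    [ -n "$ks" ] && [ -f "$webinf/classes/$ks" ] || { echo "SOAP keystore '$ks' not in classes/"; rc=1; }

    if [ "$mode" = external ]; then
        # outside the OAAM domain the app carries its own config keystore and the
        # SOAP client jar, and must not reference the oracle.oaam.libs shared library
        check_props "$props" \
            bharosa.cipher.encryption.algorithm.enum.DESede_config.keyRetrieval.classname \
            bharosa.cipher.encryption.algorithm.enum.DESede_config.keystoreFile \
            bharosa.cipher.encryption.algorithm.enum.DESede_config.keystorePassword \
            bharosa.cipher.encryption.algorithm.enum.DESede_config.aliasPassword || rc=1
        [ -f "$webinf/classes/system_config.keystore" ] || { echo "system_config.keystore missing"; rc=1; }
        [ -f "$webinf/lib/oaam_soap_client.jar" ] || { echo "oaam_soap_client.jar missing from lib/"; rc=1; }
        if grep -q 'oracle.oaam.libs' "$webinf/weblogic.xml" 2>/dev/null; then
            echo "weblogic.xml still has the oracle.oaam.libs library-ref"; rc=1
        fi
    else
        # inside the OAAM domain the cipher keys come from the domain, so every
        # bharosa.cipher.encryption.algorithm.enum line must stay commented out
        if grep -q '^[[:space:]]*bharosa\.cipher\.encryption\.algorithm\.enum' "$props"; then
            echo "bharosa.cipher.encryption.algorithm.enum is active but should be commented out"; rc=1
        fi
    fi
    return $rc
}

# make_sample_webinf DIR MODE -> constructed WEB-INF tree for the demo; prints its path
make_sample_webinf() {
    d=$1/WEB-INF; mkdir -p "$d/classes" "$d/lib"
    {
        echo "vcrypt.soap.auth=true"
        echo "vcrypt.soap.auth.keystorePassword=PLACEHOLDER_KEYSTORE_PWD"
        echo "vcrypt.soap.auth.aliasPassword=PLACEHOLDER_ALIAS_PWD"
        echo "vcrypt.soap.auth.username=soap_user"
        echo "vcrypt.soap.auth.keystoreFile=system_soap.keystore"
        p=bharosa.cipher.encryption.algorithm.enum.DESede_config
        if [ "$2" = external ]; then
            echo "$p.keyRetrieval.classname=com.bharosa.common.util.cipher.KeystoreKeyRetrieval"
            echo "$p.keystoreFile=system_config.keystore"
            echo "$p.keystorePassword=PLACEHOLDER_ENCRYPTED"
            echo "$p.aliasPassword=PLACEHOLDER_ENCRYPTED"
        else
            echo "#$p.keystoreFile=system_config.keystore"
        fi
    } > "$d/classes/bharosa_server.properties"
    : > "$d/classes/system_soap.keystore"   # empty stand-ins for the real keystores and jar
    if [ "$2" = external ]; then
        : > "$d/classes/system_config.keystore"
        : > "$d/lib/oaam_soap_client.jar"
        echo '<weblogic-web-app></weblogic-web-app>' > "$d/weblogic.xml"
    fi
    echo "$d"
}
```

Run it as `check_soap_client $ORACLE_HOME/oaam/oaam_sample/WEB-INF external` (or `indomain`) before packaging; a non-zero exit lists each missing piece, which is cheaper than finding it in the managed server log after deployment.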


Saturday, November 5, 2016

OAM 11g R2 Basic Lab

Tasks
Task 1 - Configure OUD as Default Store and System Store
Task 2 - Configure LDAP provider for OUD in WebLogic Security Realms
Task 3 - Create and configure WebGate 11g instances
Task 4 - Configure webgate11g_2 to act as DCC using Password Policy Validation Module
Task 5 - Verify the DCC WebGate works and validate LDAP errors for failed login
Task 6 - Configure and validate Password Policy
Task 7 - Configure and verify Session Management features
Task 8 - Deploy and configure a custom WAR login page
Task 9 - OAAM advanced integration with OAM using TAP


Task 1 - Configure OUD as Default Store and System Store

Data Sources -> User Identity Stores
Store Name : OUDStore1
Store Type : OUD: Oracle Unified Directory
Location : oam.example.com:1389
Bind DN : cn=Directory Manager
Password : Oracle123
Username Attribute : uid
User Search Base : dc=example,dc=com
Group Name Attribute : cn
Group Search Base : dc=example,dc=com


Current values:
Default Store : UserIdentityStore1
System Store : UserIdentityStore1

Set OUDStore1 as both the Default Store and the System Store.

Access System Administrators : tom.dole
Access System Group : Administrators

Go to
System Configuration -> Access Manager -> Authentication Modules -> LDAP Authentication Module -> LDAP
Name : LDAP
User Identity Store : change from UserIdentityStore1 to OUDStore1

Task 2 - Configure LDAP Provider for OUD in WebLogic Security Realms

WebLogic Console -> Security Realms -> myrealm -> Providers -> create a new Authentication Provider.
By default there are 3 providers: DefaultAuthenticator, DefaultIdentityAsserter, IAMSuiteAgent

New Authentication Provider
Name : OUDAuthenticator
Type : IPlanetAuthenticator (there is no OUD-specific authenticator by default)

Set the control flag of DefaultAuthenticator and OUDAuthenticator to SUFFICIENT and order the providers: DefaultAuthenticator, OUDAuthenticator, DefaultIdentityAsserter, IAMSuiteAgent

Configure OUDAuthenticator with the provider-specific details.

Restart the Admin and Managed Servers.

Log in to the OAM Console as the OUD user tom.dole.

Task 3 - Create and configure Webgate 11g instances

System Configuration -> Access Manager -> SSO Agents -> OAM Agents

Name : webgate11g_1
Access Client Password
Security : Open, Simple, Cert
Auto Create Policies

Name : webgate11g_2
Access Client Password
Security : Open, Simple, Cert
Auto Create Policies


cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate

export LD_LIBRARY_PATH=/app/u01/middleware/Oracle_WT1/lib:/app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/lib

./deployWebGateInstance.sh -w /app/u01/middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /app/u01/middleware/Oracle_OAMWebGate1

cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools/

./EditHttpConf -w /app/u01/middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /app/u01/middleware/Oracle_OAMWebGate1

cp /app/u01/middleware/user_projects/domains/idm_domain/output/webgate11g_1/* /app/u01/middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config/

Repeat same steps for webgate11g_2

cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate
./deployWebGateInstance.sh -w /app/u01/middleware/Oracle_WT1/instances/instance2/config/OHS/ohs1 -oh /app/u01/middleware/Oracle_OAMWebGate1
cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools/
./EditHttpConf -w /app/u01/middleware/Oracle_WT1/instances/instance2/config/OHS/ohs1 -oh /app/u01/middleware/Oracle_OAMWebGate1
cp /app/u01/middleware/user_projects/domains/idm_domain/output/webgate11g_2/* /app/u01/middleware/Oracle_WT1/instances/instance2/config/OHS/ohs1/webgate/config/

Change the listen port of the 2nd OHS instance in ssl.conf or httpd.conf:
Listen    24444
./opmnctl stopall
./opmnctl startall

Access both the webservers to see if OAM intercepts

Cookies
1. OAM_ID
2. OAM_REQ
3. OAMAuthnCookie

Task 4 - Configure Webgate11g_2 to act as DCC using Password Policy Validation Module

Configure the 2nd OHS instance's WebGate to act as DCC.

The login scripts live in /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/oamsso-bin. Modify all the Perl files there so that their shebang points to the correct path of perl, e.g.:
cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/oamsso-bin
vi login.pl
#!/usr/bin/perl
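Doing the shebang edit file by file in vi is error-prone when oamsso-bin holds several scripts and the host's perl is not where the shipped files expect it. The function below is an added example (not from the lab notes, not Oracle's tooling): it rewrites the first line of every *.pl in a directory to the interpreter you pass or, if you pass none, the perl found on PATH, and leaves already-correct files alone so it can be re-run safely. The scripts written by make_sample_pl are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the lab notes: point every *.pl in a directory at the
# perl interpreter that really exists on the host, idempotently.

# fix_perl_shebang DIR [PERL_PATH] -> rewrites line 1 of each DIR/*.pl to "#!PERL_PATH"
# (prepending the line when the file has none). Prints how many files were changed.
fix_perl_shebang() {
    dir=$1
    perl_path=${2:-$(command -v perl || true)}
    [ -n "$perl_path" ] || { echo "perl interpreter not found; pass its path" >&2; return 1; }
    changed=0
    for f in "$dir"/*.pl; do
        [ -f "$f" ] || continue
        first=$(head -n 1 "$f")
        case $first in
            "#!$perl_path"|"#!$perl_path "*) continue ;;                   # already correct, untouched
            '#!'*) { echo "#!$perl_path"; tail -n +2 "$f"; } > "$f.tmp" ;; # replace the old shebang
            *)     { echo "#!$perl_path"; cat "$f"; } > "$f.tmp" ;;        # no shebang: prepend one
        esac
        # copy back through cat so the file keeps its mode bits (CGI needs the execute bit)
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# shebang_of FILE -> prints the first line, for verification
shebang_of() { head -n 1 "$1"; }

# make_sample_pl DIR -> constructed scripts: one with a wrong interpreter path and
# one with no shebang at all, mirroring the situation the notes describe
make_sample_pl() {
    mkdir -p "$1"
    printf '#!/usr/local/bin/perl\nprint "login\\n";\n' > "$1/login.pl"
    printf 'print "logout\\n";\n' > "$1/logout.pl"
    chmod 755 "$1"/*.pl
}
```

On the lab host this would be `fix_perl_shebang /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/oamsso-bin`; run `shebang_of login.pl` afterwards to confirm the first line before restarting OHS.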

For DCC to work, change the WebGate profile of webgate11g_2 and check all of the options below:
1. Allow Management Operations
2. Allow Token Scope Operations
3. Allow Master Token Retrieval
4. Allow Credential Collector Operations

Always use the FQDN in the SSO configuration.

System Configuration -> Access Manager -> Access Manager Settings
Load Balancing
OAM Server Host : oam.example.com
OAM Server Port : 14100
OAM Server Protocol : http
Server Error Mode : Internal (so that LDAP error messages can be shown on the login page)

Go to
Policy Configuration -> Authentication Schemes -> PasswordPolicyValidationScheme

* Name : PasswordPolicyValidationScheme
Description
* Authentication Level : 2
Default : No
* Challenge Method : FORM
Challenge Redirect URL : http://oam.example.com:7778/
* Authentication Module : Password Policy Validation Module
* Challenge URL : /oamsso-bin/login.pl
* Context Type : external
Challenge Parameters : OverrideRetryLimit=0

In the Application Domain of webgate11g_2, create 2 new resources with Protection Level Excluded:

Resource 1
Type : HTTP
Host Identifier : webgate11g_2
Resource URL : /favicon.ico
Query : (.) Name Value List , String
Operations Available : ALL , CONNECT , OPTIONS , PUT , POST , GET
Protection Level : Excluded

Resource 2
Type : HTTP
Host Identifier : webgate11g_2
Resource URL : /oamsso-bin/login.pl
Query : (.) Name Value List , String
Operations Available : ALL , CONNECT , OPTIONS , PUT , POST , GET
Protection Level : Excluded

Change the Authentication Policy of webgate11g_2 to use the PasswordPolicyValidationScheme as its Authentication Scheme

Authentication Policy
Name : Protected Resource Policy
Authentication Scheme : PasswordPolicyValidationScheme
Resources : Resource Type=HTTP,Host Identifier=webgate11g_2,Resource URL=/**

Modifying the plugin parameters is optional, as OUDStore1 is already the default store.

Common Configuration -> Plugins -> UserIdentificationPlugin

KEY_IDENTITY_STORE_REF : OUDStore1

UserAuthenticationPlugin
KEY_IDENTITY_STORE_REF : OUDStore1

UserPasswordPolicyPlugin
KEY_IDENTITY_STORE_REF : OUDStore1

Access Manager -> Authentication Modules -> Custom Modules -> Password Policy Validation Module
Change KEY_IDENTITY_STORE_REF for all 3 plugins used

User Identification Step
Plugin Name : UserIdentificationPlugin
KEY_IDENTITY_STORE_REF
KEY_LDAP_FILTER
KEY_SEARCH_BASE_URL

User Authentication Step
Plugin Name : UserAuthenticationPlugin
KEY_IDENTITY_STORE_REF
KEY_PROP_AUTHN_EXCEPTION

User Password Status Step
Plugin Name : UserPasswordPolicyPlugin
KEY_IDENTITY_STORE_REF
PLUGIN_EXECUTION_MODE : PSWDONLY
URI_ACTION : REDIRECT_POST

Modify System Configuration -> Password Policy
Set
Password Service URL : /oamsso-bin/login.pl
Restart OAM Managed Server

Task 5 - Verify the DCC WebGate works and validate LDAP errors for failed login

Access OHS 2 on port 7778.
You get redirected to oam.example.com:7778/oamsso-bin/login.pl instead of the OAM Server login page.
Provide a wrong password.
You will see the error message from the server, and the LDAP error message is displayed along with its code because the Server Error Mode is set to Internal.
Provide the right password to verify that everything works.

DCC Cookies set
DCCCtxCookie_oam.example.com
OAMAuthnCookie_oam.example.com

Task 6 - Configure and validate Password Policy

Set Maximum Attempts to 1 and Lockout Duration to 1 minute.

Access OHS 2 (the DCC), try a wrong password, wait more than 1 minute, then try again with the right password.

Using any LDAP browser, set the value of the attribute obpasswordchangeflag to 1;
if it is not present, add the attribute manually.
This forces the user to change the password at the next login.

Try to access OHS 2 (7778) with the test user.

You will be forced to change the password after authentication (old password, new password, confirm password).

Task 7 - Configure and verify Session Management Features

System Configuration -> Common Settings ->
Maximum Number of Sessions per User = 2
Idle Timeout (minutes) = 2

Test
System Configuration -> Session Management
Search for logged-in users.
Delete the test user's session.
You will be immediately logged out and should see a login page.

Test the 2-session limit by opening multiple browsers.

After login, sit idle for 2 minutes and refresh the browser to test the 2-minute idle timeout.

Task 8 - Deploy and configure a custom WAR login page

Create login.jsp, style.css and validate.jsp for the custom login page.
Key points: the form action URL, the hidden request_id, and the username and password fields.

action="http://oam.example.com:14100/oam/server/auth_cred_submit" method="post"

<input type="hidden" name="request_id" value="<%=reqId%>">
<input type="text" name="username" class="inputbox">
<input type="password" name="password" class="inputbox">

Create the WAR using the jar command.
Deploy the WAR on the WebLogic server, targeting AdminServer and oam_server1.

Create a new Authentication Scheme

* Name : Custom Page Authentication Scheme
Description : Custom Page Authentication Scheme
* Authentication Level : 2
Default : No
* Challenge Method : FORM
Challenge Redirect URL : /oam/server
* Authentication Module : LDAP
* Challenge URL : /login.jsp
* Context Type : customWar
Challenge Parameters :

Modify the Authentication Policy of webgate11g_1 to use the newly created custom login page Authentication Scheme

webgate11g_1
Authentication Policy : Protected Resource Policy
Authentication Scheme : Custom Page Authentication Scheme
Resource URL : /**
Host Identifier : webgate11g_1

Test
Access the OHS 1
Get redirected to custom login page
Authenticate and get the requested page

Cookies
OAMRequestContext_oam.example.com
JSESSIONID
OAM_ID
OAM_REQ
OAMAuthnCookie_oam.example.com

Task 9 - OAAM advanced integration with OAM using TAP

Log in to the OAAM Admin Console
oam.example.com:14200/oaam_admin

Go to Environment -> System Snapshots -> Load from File
Uncheck "Backup current system now"
Upload oaam_base_snapshot.zip from /app/u01/middleware/Oracle_IDM1/oaam/init
After it loads successfully, shut down oaam_admin_server1
Start oam_server1 and oaam_server_server1

Create a directory where you will store the keystore file:
/app/Middleware/keystore/TAP_OAAM_OAM

Connect to WLST:

cd /app/u01/middleware/Oracle_IDM1/common/bin
./wlst.sh

wls:/idm_domain/serverConfig> registerThirdPartyTAPPartner(partnerName="OAAMTAPPartner",keystoreLocation="/app/Middleware/keystore/TAP_OAAM_OAM/TAPkeystore.jks",password="Oracle123",tapTokenVersion="v2.0", tapScheme="TAPScheme",tapRedirectUrl="http://oam.example.com:14300/oaam_server/oamLoginPage.jsp")

Update the TAPScheme to have the MatchLDAPAttribute=uid

Authentication Scheme : TAPScheme
Description : TAPScheme
Authentication Level : 2
Default : No
Challenge Method : DAP
Challenge Redirect URL : /oam/server/
Authentication Module : DAP
Challenge URL : /oaam_server/oamLoginPage.jsp
Context Type : external
Challenge Parameters :
TAPPartnerId=OAAMTAPPartner
SERVER_HOST_ALIAS=HOST_ALIAS_1
MatchLDAPAttribute=uid

Update the IAMSuiteAgent's Access Client Password in the OAM Console.

Update the IAMSuiteAgent's password in the WebLogic Security Realms to match:

Realms -> myrealm -> Providers -> IAMSuiteAgent -> Provider Specific -> Agent Password

3 items must be restarted.

Copy the cli directory from /app/Middleware/Oracle_IDM1/oaam/cli to a temporary location such as /app/u05/tmp

Go to /app/u05/tmp/cli/conf/bharosa_properties
Edit oaam_cli.properties

Parameter Name    Parameter Value
oaam.csf.useMBeans     true
oaam.adminserver.protocol     t3
oaam.adminserver.hostname     oam.example.com
oaam.adminserver.port     7001
oaam.db.toplink.useCredentialsFromCSF     true
oaam.db.url     jdbc:oracle:thin:@oam.example.com:1521:orcl
oaam.db.driver     oracle.jdbc.driver.OracleDriver
oaam.uio.oam.tap.keystoreFile     /app/u01/middleware/keystore/TAP_OAAM_OAM/TAPKeystore.jks
oaam.uio.oam.tap.partnername     OAAMTAPPartner
oaam.uio.oam.host     oam.example.com
oaam.uio.oam.port     5575
oaam.uio.oam.webgate_id     IAMSuiteAgent
oaam.uio.oam.rootcertificate.keystore.filepath     /app/u01/middleware/user_projects/domains/idm_domain/output/webgate-ssl/oamclient-truststore.jks
oaam.uio.oam.privatekeycertificate.keystore.filepath     /app/u01/middleware/user_projects/domains/idm_domain/output/webgate-ssl/oamclient-truststore.jks

pwd
/app/u05/tmp/cli
./setupOAMTapIntegration.sh /app/u05/tmp/cli/conf/bharosa_properties/oaam_cli.properties

Enter Weblogic Server Home Directory : /app/u01/middleare/wlserver_10.3
Enter OAAM AdminServer User Name : weblogic
Enter OAAM AdminServer Password :
Enter OAAM DB User Name : DEV_OAAM
Enter OAAM DB User password :
Enter OAM WebGate credentials to stored in the CSF :
Enter OAM TAP Key Store file password and press Enter :
SetupOAMIntegration script ran successfully

If setupOAMTapIntegration.sh fails with a path error because setCliEnv.sh is not found, fix the script:
chmod 777 findjar.sh
and give the absolute path of findjar.sh in the script file.

In the Application Domain webgate11g_1, change the Authentication Policy "Protected Resource Policy" to use:
Authentication Scheme : TAPScheme

Access OHS 1 (7777/index.html)
You are redirected to the oaam_server login page
oam.example.com:14300/oaam_server/oamLoginPage.jsp

1st page: user name
2nd page: password
Hello World

Cookies
ora_oaam_vsc
JSESSIONID
OAM_ID
OAM_REQ
OAMAuthnCookie_oam.example.com

If the user login fails, set the property below in oaam_admin under Environment -> Properties:
bharosa.uio.default.username.case.sensitive=false

Monday, October 27, 2014

OAAM Web Services

OAAM Web Services end points

In this post, I will list the web services that are available in the OAAM Server.
They are not listed if you directly hit http://host:port/oaam_server/services.
They can be found by opening web.xml in oaam_server.war inside oaam_server.ear.
So here is the list.

<servlet-mapping>
    <servlet-name>PingServlet</servlet-name>
    <url-pattern>/ping</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptAuthRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptAuthWS</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptTrackerRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptTrackerWS</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptCommonRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptCommonWS</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptCCRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptCCWS</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>oracle.oaam.webservices.impl.VCryptRulesEngineRemoteImpl</servlet-name>
    <url-pattern>/services/VCryptRulesEngineWS</url-pattern>
</servlet-mapping>
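Since these endpoints do not appear on the /services index page, an administrator who wants to confirm that every OAAM web service has the expected policy attached needs the list from the descriptor itself. The script below is an added example, not from this post and not Oracle's tooling: it pulls the servlet mappings out of a web.xml and prints the /services/ ones as full URLs for a base URL you supply. The awk handles a plain descriptor with one tag per line, like the one quoted above; it is not a general XML parser. make_sample_webxml writes a constructed descriptor with the mappings listed above plus a placeholder <servlet> block.

```shell
#!/bin/sh
# Added example, not from the post: enumerate the servlet mappings of a web.xml so
# the SOAP endpoints hidden from the /services index can be listed and reviewed.

# list_servlet_mappings WEBXML -> one "url-pattern<TAB>servlet-name" line per mapping
list_servlet_mappings() {
    awk '
        /<servlet-name>/ { n = $0; sub(/.*<servlet-name>/, "", n); sub(/<\/servlet-name>.*/, "", n) }
        /<url-pattern>/  { p = $0; sub(/.*<url-pattern>/,  "", p); sub(/<\/url-pattern>.*/,  "", p) }
        /<\/servlet-mapping>/ { if (n != "" && p != "") printf "%s\t%s\n", p, n; n = ""; p = "" }
        /<\/servlet>/ { n = "" }   # a <servlet> block also carries a servlet-name; do not let it leak
    ' "$1"
}

# soap_endpoints WEBXML BASE_URL -> full URL of every mapping under /services/
soap_endpoints() {
    list_servlet_mappings "$1" | awk -F "$(printf '\t')" -v base="$2" '$1 ~ /^\/services\// { print base $1 }'
}

# count_soap_endpoints WEBXML -> number of /services/ mappings
count_soap_endpoints() {
    soap_endpoints "$1" "" | wc -l | tr -d ' '
}

# make_sample_webxml FILE -> constructed descriptor: the mappings quoted in the post
# plus a placeholder <servlet> block (example.PingServlet is an assumed class name)
make_sample_webxml() {
    cat > "$1" <<'EOF'
<web-app>
    <servlet>
        <servlet-name>PingServlet</servlet-name>
        <servlet-class>example.PingServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>PingServlet</servlet-name>
        <url-pattern>/ping</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>oracle.oaam.webservices.impl.VCryptAuthRemoteImpl</servlet-name>
        <url-pattern>/services/VCryptAuthWS</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>oracle.oaam.webservices.impl.VCryptTrackerRemoteImpl</servlet-name>
        <url-pattern>/services/VCryptTrackerWS</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>oracle.oaam.webservices.impl.VCryptCommonRemoteImpl</servlet-name>
        <url-pattern>/services/VCryptCommonWS</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>oracle.oaam.webservices.impl.VCryptCCRemoteImpl</servlet-name>
        <url-pattern>/services/VCryptCCWS</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>oracle.oaam.webservices.impl.VCryptRulesEngineRemoteImpl</servlet-name>
        <url-pattern>/services/VCryptRulesEngineWS</url-pattern>
    </servlet-mapping>
</web-app>
EOF
}
```

Against a real deployment, extract web.xml from oaam_server.war and run `soap_endpoints web.xml http://host:14300/oaam_server`; the resulting list is what should be compared with the web services shown under Attach Policies in EM.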

Saturday, May 3, 2014

OAM - OAAM 11g R2 PS2 (11.1.2.2.0) Advanced integration

This post covers the advanced integration between OAM and OAAM 11g R2 PS2 (11.1.2.2.0).

Create an OAAM admin user for administration

Login to OAAM Admin Application on http://host:14200/oaam_admin (14200 default port)

Load oaam_base_snapshot.zip

Restore the snapshot

Import oaam_policies.zip by going to Policies->Import Policies
Path of policies file = C:\Oracle\Middleware\Oracle_IDM1\oaam\init\oaam_policies.zip

OAM Configuration

Create a Default User Identity Store

Create a directory where you will store the Keystore file.

Run Register Third Party Partner Utility.

registerThirdPartyTAPPartner(partnerName = "OAAMTAPPartner", keystoreLocation= "C:\\Oracle\\Middleware\\keystore\\TAP_OAAM_OAM\\TAPkeystore.jks" , password="password", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://deepak-pc.mydomain.com:14300/oaam_server/oamLoginPage.jsp")

Update TAPScheme in OAM Console

Update the IAMSuiteAgent's profile and set Access Client Password

Update IAMSuiteAgent provider in WebLogic Security Realms with the same password

The step below is optional.

Create a key in the /em console for OAAM

Copy OAAM_HOME/oaam/cli to a Temporary location

Update C:\TEMP\cli\conf\bharosa_properties\oaam_cli.properties with the relevant values

Sample Data

#Overriding properties for oaam_cli

#Following properties are relevant when CSF is accessed using MBeans (usually in command-line/J2SE programs).
#Note: This is the preferred way of running OAAM command-line to avoid CSF related file dependencies (which are usually on the Weblogic Admin Server).
#If neither the oaam.adminserver.type property nor the APP_SERVER_TYPE environment variable are set, OAAM command line will prompt the user for application server type.  To run OAAM command line for WebLogic deployment, set oaam.adminserver.type to wls, set the APP_SERVER_TYPE to weblogic, or select WebLogic when prompted.  To run OAAM command line for WebSphere deployment, set oaam.adminserver.type to was, set the APP_SERVER_TYPE to websphere, or select WebSphere when prompted.
#In a Windows environment, if the APP_SERVER_TYPE environment variable is not set, then the OAAM command line will prompt the user for application server type even if oaam.adminserver.type is set in this file.
#Make sure for weblogic deployment weblogic jmx jars (wljmxclient.jar, wlclient.jar) and JPS jars (jps-api.jar, jps-common.jar, jps-internal.jar) are in classpath
oaam.csf.useMBeans=true
oaam.adminserver.type=wls
#oaam.adminserver.type=was
oaam.adminserver.protocol=t3
oaam.adminserver.hostname=localhost
oaam.adminserver.port=7001

#Set this properties if OAAM command-line is running in websphere deployment
oaam.was.client.sasPropFile=

#Set this property with the fully qualified path of jps-config-jse.xml when non-MBeans way of accessing CSF.
#Usually it resides in config/fmwconfig folder of the domain folder.
#Specify this path only if 'oaam.csf.useMBeans=false' and the OAAM command-line runs on Weblogic Admin Server host where OAAM is deployed. 
oaam.jps.config.filepath=

#Set this property to true, if OAAM DB userName, password from CSF have to be used instead of persistence.xml. Make sure to set the 'oaam.db.*' properties.
oaam.db.toplink.useCredentialsFromCSF=true

#Following properties are used (instead of persistence.xml) to initialize Toplink when 'oaam.db.toplink.useCredentialsFromCSF=true'
#Specify valid JDBC URL of OAAM database. For oracle databases the format is: jdbc:oracle:thin:@<hostname>:<port>:<sid>
oaam.db.url=jdbc:oracle:thin:@localhost:1521:orcl
#In case of non-oracle databases, change this to the relevant driver class name
oaam.db.driver=oracle.jdbc.driver.OracleDriver
oaam.db.min.read-connections=1
oaam.db.max.read-connections=25
oaam.db.min.write-connections=1
oaam.db.max.write-connections=25
#Specify the filepath of any additional properties that need to be used while initializing Toplink
oaam.db.additional.properties.file=

#Following properties are relevant only for OAAM - OAM Integration.
#Location of the Keystorefile generated using registerThirdPartyDAPPartner WLST command on OAM Admin server. For example /rootdir/keystoreloc/oamoaamtap.jks
oaam.uio.oam.tap.keystoreFile=C:\\Oracle\\Middleware\\keystore\\TAP_OAAM_OAM\\TAPkeystore.jks
oaam.uio.oam.tap.keystoreType=JCEKS
oaam.uio.oam.tap.partnername=OAAMTAPPartner
oaam.uio.oam.tap.username.maxlength=40

#Access Server host machine name. For example, host.oracle.com
oaam.uio.oam.host=deepak-pc.mydomain.com
#Access Server Authentication Port (NAP Port); Default port :  5575
oaam.uio.oam.port=5575
#Webgate Prefered host identifier. Default value is IAMSuiteAgent
oaam.uio.oam.webgate_id=IAMSuiteAgent
#Name of the secondary Access Server host machine. This property is used for high availability. You can specify the fail-over hostname using this property.
oaam.uio.oam.secondary.host=
#Port number of the secondary Access Server. This property is used for high availability. You can specify the fail-over port using this property.
oaam.uio.oam.secondary.host.port=
#Security Mode - 1 (OPEN), 2 (SIMPLE), 3 (CERT)
oaam.uio.oam.security.mode=1
#Location of the Keystorefile generated for root certificate. Requires for SIMPLE (2) / CERT (2) Security mode. For multiple host OAAM Server installation make sure the file exists there in all the host in the mentioned location
oam.uio.oam.rootcertificate.keystore.filepath=C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain\\output\\webgate-ssl\\oamclient-truststore.jks
#Location of the Keystore file generated for private key certificate. Requires for SIMPLE (2) / CERT (2) Security mode. For multiple host OAAM Server installation make sure the file exists there in all the host in the mentioned location
oam.uio.oam.privatekeycertificate.keystore.filepath=C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain\\output\\webgate-ssl\\oamclient-truststore.jks

#This property enables configuring credentials in the Credential Store Framework instead of maintaining them using the properties editor. This step is performed so that credentials can be securely stored in CSF.
oaam.oam.csf.credentials.enabled=true

Run setupOAMTapIntegration (Sample Output for reference)

C:\TEMP\cli>setupOAMTapIntegration.cmd c:\TEMP\cli\conf\bharosa_properties\oaam_cli.properties
"Using COMMON_COMPONENTS_HOME as c:\Oracle\Middleware , set in COMMON_COMPONENTS_HOME in environment to override."
"Using JRF_VERSION_PROP as  , set in JRF_VERSION_PROP in environment to override."
"Enter Application Server Type, please select one of the following choices between [1-2]:"
"1: Weblogic Application Server"
"2: Websphere Application Server"
Enter Application Server Type: 1
Enter Weblogic Server Home Directory  for e,g c:\Oracle\Middleware\wlserver_10.3
C:\Oracle\Middleware\wlserver_10.3
c:\Java\jdk1.6.0_45\bin\java  "-Dcommon.components.home=" "-Djrf.version=" -Djava.security.policy=conf\jmx.policy -classpath .;.\conf;C:\TEMP\cli\lib\
commons-codec-1.2.jar;C:\TEMP\cli\lib\drools-base-2.0-beta-21.jar;C:\TEMP\cli\lib\drools-core-2.0-beta-21.jar;C:\TEMP\cli\lib\drools-io-2.0-beta-21.ja
r;C:\TEMP\cli\lib\drools-java-2.0-beta-21.jar;C:\TEMP\cli\lib\drools-jsr94-2.0-beta-21.jar;C:\TEMP\cli\lib\drools-smf-2.0-beta-21.jar;C:\TEMP\cli\lib\
janino-2.0.16.jar;C:\TEMP\cli\lib\jsr94.jar;C:\TEMP\cli\lib\oaam_core.jar;C:\TEMP\cli\lib\oaam_uio.jar;c:\Oracle\Middleware\oracle_common\modules\orac
le.jps_11.1.1\jps-manifest.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-api.jar;c:\Oracle\Middleware\oracle_common\modules\ora
cle.jps_11.1.1\jps-common.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-internal.jar;c:\Oracle\Middleware\oracle_common\modules
\oracle.iau_11.1.1\fmw_audit.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jdbc_11.1.1\ojdbc6dms.jar;c:\Oracle\Middleware\oracle_common\module
s\oracle.idm_11.1.1\identitystore.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.osdt_11.1.1\osdt_xmlsec.jar;c:\Oracle\Middleware\oracle_common
\modules\oracle.pki_11.1.1\oraclepki.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jacc-spi.jar;c:\Oracle\Middleware\oracle_common\
modules\oracle.dms_11.1.1\dms.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.odl_11.1.1\ojdl.jar;c:\Oracle\Middleware\oracle_common\oui\jlib\xm
lparserv2.jar;c:\Oracle\Middleware\modules\glassfish.jaxb.xjc_1.0.0.0_2-1-12.jar;c:\Oracle\Middleware\modules\glassfish.jaxb_1.0.0.0_2-1-12.jar;c:\Ora
cle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-az-rt.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-ee.jar;c:\Oracle
\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-se.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-platform.jar;c:\Oracle
\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-az-management.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.igf_11.1.1\identitydirecto
ry.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.ldap_11.1.1\ldapjclnt11.jar;C:\Oracle\Middleware\wlserver_10.3\server\lib\wlclient.jar;C:\Ora
cle\Middleware\wlserver_10.3\server\lib\wljmxclient.jar;c:\Oracle\Middleware\modules\com.bea.core.apache.commons.collections_3.2.0.jar;c:\Oracle\Middl
eware\modules\com.bea.core.antlr_2.7.7.jar;c:\Oracle\Middleware\modules\javax.servlet_1.0.0.0_2-5.jar;c:\Oracle\Middleware\oracle_common\modules\oracl
e.toplink_11.1.1\eclipselink.jar;c:\Oracle\Middleware\modules\com.oracle.toplink_1.1.0.0_11-1-1-6-0.jar;c:\Oracle\Middleware\modules\javax.persistence
_1.1.0.0_2-0.jar;c:\Oracle\Middleware\modules\glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar;c:\Oracle\Middleware\modules\glassfish.jaxb_1.1.0.0_2-1-14.jar  or
acle.oaam.integration.asa.IntegrationUtil setupOAMTapIntegration readfromfile=c:\TEMP\cli\conf\bharosa_properties\oaam_cli.properties
30/04/2014 2:52:56 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using passed in properties...
30/04/2014 2:52:56 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using MBeans on Weblogic...
30/04/2014 2:52:56 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredentialsFromConsole()
Enter OAAM AdminServer User Name: weblogic
30/04/2014 2:53:12 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredentialsFromConsole()

Enter OAAM AdminServer Password:
DB Credentials are found in CSF store, do you want to overwrite it?
Enter 'Yes' to give new DB credentials and overwrite in CSF store:
Yes
Enter OAAM DB User name and press Enter key :
DEV_OAAM
Enter OAAM DB User password and press Enter key :


30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.addPasswordCredentialToCSF()
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.addCredential() with passed in properties...
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.addCredential(): using MBeans on Weblogic...
Added Password Credential to CSF with MapName [oaam], KeyName [oaam_db_key]
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using passed in properties...
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using MBeans on Weblogic...

Enter OAM TAP Key store file password and press Enter key :

30/04/2014 2:54:12 PM com.bharosa.common.util.UserDefEnumFactory
INFO: Creating new instance of UserDefEnumFactory
30/04/2014 2:54:12 PM com.bharosa.common.util.UserDefEnumFactory

Responses given

1
C:\Oracle\Middleware\wlserver_10.3
weblogic
password1
Yes
DEV_OAAM
password
password

Log in to the OAM Console and update the webgate11g_1 Application Domain so that its Authentication Policy "Protected Resource Policy" uses TAPScheme as its Authentication Scheme.

Try to access the protected resource on web server instance1.

The user is redirected to the OAAM Server for authentication.

Enter Password

Set up Knowledge-Based Authentication (KBA)

Register Device Image

Set your security questions and answers

Login Successful

The next time you log in, you will be asked for your password and one randomly selected security question as the challenge.
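To make the KBA step concrete, here is an added Python illustration of what a knowledge-based-authentication store has to do for the flow above: at first login it stores only a per-question salt and hash of each answer, on later logins it picks one registered question at random, and it compares the supplied answer in constant time. This is example code written for this page, not OAAM's implementation or anything from the lab; the question texts and answers are constructed sample data.

```python
import hashlib
import hmac
import secrets
import unicodedata

# PBKDF2 work factor; kept modest so the example runs quickly.
PBKDF2_ITERATIONS = 50_000


def normalize_answer(answer: str) -> str:
    """Canonicalise a KBA answer so harmless variations still match.

    Unicode NFKC, case folding and whitespace collapsing mean that
    "  Fluffy " and "fluffy" hash to the same value.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the normalised answer."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register_questions(answers: dict) -> dict:
    """First-login registration step: keep only salt + hash per question,
    never the plaintext answer."""
    profile = {}
    for question, answer in answers.items():
        salt = secrets.token_bytes(16)
        profile[question] = (salt, hash_answer(answer, salt))
    return profile


def pick_challenge(profile: dict, chooser=secrets.choice):
    """Subsequent-login step: choose one registered question at random.

    `chooser` is injectable so a test can make the pick deterministic;
    real use keeps the default secrets.choice.
    """
    if not profile:
        return None  # no KBA registered yet: the user must complete setup first
    return chooser(sorted(profile))


def verify_answer(profile: dict, question: str, answer: str) -> bool:
    """Check an answer against the stored hash in constant time."""
    entry = profile.get(question)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(hash_answer(answer, salt), expected)


if __name__ == "__main__":
    # Constructed sample profile (not real user data).
    profile = register_questions({"First pet?": "Fluffy", "City of birth?": "Lima"})
    question = pick_challenge(profile)
    print("Challenge:", question)
    print("Correct answer accepted:", verify_answer(profile, "City of birth?", "  LIMA "))
    print("Wrong answer rejected:", verify_answer(profile, "City of birth?", "Paris"))
```

The two points worth carrying over to any real deployment are that the answer store holds only salted hashes, so a database read does not expose the answers, and that verification uses a constant-time comparison, so timing does not leak how much of an answer matched.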