OAAM 11g Lab
Task 1 - Installation and Configuration
Installing WLS 10.3.5
Run RCU
Install OIAM Suite
Configure OIAM
Start and Stop Admin, Managed Servers
Setting Up OAAM Base Env - Creating OAAM Admin User and Assigning OAAM Groups
Setting up OAAM Base Env - Command-Line Interface
Encryption and Database Credentials
Importing OAAM Snapshot
Importing IP Location Data
Setting Timezone
Credentials Stores to OID
Applying Bp01 Patch
Task 2 - OAAM Customizations
Adding a User-Defined Header and Footer to OAAM Login Pages
Adding a User-Defined Error Message in English and Spanish
Changing Style Sheet for OAAM Login Pages
Changing Default Text and Adding a New Link on OAAM Login Page
Modifying a Virtual Authentication Device (VAD)
Task 3 - Policies - Static, Patterns, and Predictive
Reviewing OAAM Pre-Authentication Policy for a Blacklisted User
Reviewing OAAM AuthenticationPad Policy
Blocking Requests from WebZip Browser
Patterns - Request from Odd Hours of Day
Patterns - Requests from Different IP Addresses
Task 4 - Native Integration
Natively Integrating Sample Application That is Running in OAAM Server Domain Using In-Proc Mode
Natively Integrating Sample Application That is Running in OAAM Server Domain Using SOAP Mode (with No Authentication)
Natively Integrating Sample Application That is Running in OAAM Server Domain Using SOAP Mode (with Authentication)
Natively Integrating Sample Application That is Running in Non-OAAM Server Domain Using SOAP Mode
Task 5 - Transactions
Running BigBank Sample Application
Creating a Customer Entity
Creating a Transaction Definition
Creating an Alert Group
Creating a New Policy
Testing the Internet Banking Transaction
Exploring the Sample Application and the API Calls
Create Configurable Actions
Auto-Generating a Fraud Case for Investigation
Importing a Transaction Definition and Policy for Retail Ecommerce
Task 6 - Reporting and Auditing
Installing and Configuring Oracle BI Publisher Reports for OAAM Reports
Configuring OAAM to Write Audit Log Records to Oracle Database
Configuring and Viewing Oracle BI Publisher OAAM Audit Reports
Creating Custom Reports
Task 7 - Monitoring and Diagnostics
Monitoring Key Metrics
Configuring and Viewing Logging
Reviewing Log Messages in FMW Control
Increasing the Log Level
Resetting the Log Level Back to Default Level
Task 8 - OAAM Offline and Job Scheduler
Initializing the OAAM Administration Environment and Configuring the OAAM Offline Server for Testing
Setting Up and Viewing the Recurring Auto-Increment Load and Run Job
Performing Ad Hoc Rules Testing
Scheduling Monitor Data Rollup Jobs and Viewing the Results
Install OIAM Suite
/u01/app/oraInventory/createCentralInventory.sh
Configure OIAM
cd $ORACLE_HOME/common/bin
./config.sh
Domain Source -
OAAM Admin Server, OAAM - Server, OAAM Offline
Start the servers in the following order
WLS Admin
OAAM Admin
OAAM Managed Server
OAAM Offline Server
Stop sequence
OAAM Offline Server
OAAM Managed Server
OAAM Admin Server
WLS Admin
Setting Up OAAM Base Env - Creating OAAM Admin User and Assigning OAAM Groups
Go to Weblogic Console -> Security -> myrealm -> User and Groups -> Users -> New -> oaam_admin ->
oaam_admin -> Assign all groups with "OAAM" keyword (total 7) -> Save
Now you can log in to http://host:14200/oaam_admin as the oaam_admin user
Setting up OAAM Base Env - Setting Up the Command-Line Interface
Copy the CLI folder $ORACLE_HOME/oaam/cli to a working directory (oaam_cli)
cp -r $ORACLE_HOME/oaam/cli $ORACLE_MW_HOME/work/oaam_cli
Setting CSF Configuration
a> CSF without MBeans (run OAAM CLI on the same computer as WLS; no need to supply the WLS admin user and password)
b> CSF with MBeans (recommended if OAAM is clustered; the WLS admin user and password must be supplied)
edit bharosa_properties/oaam_cli.properties
Set the following
oaam.adminserver.hostname = hostname
oaam.adminserver.username = weblogic
oaam.adminserver.password = password
oaam.db.url = jdbc:oracle:thin.....
chmod +x *.sh
vi setCliEnv.sh and add the WebLogic client jars to CLSPTH
CLSPTH=...../wls_home/server/lib/wlclient.jar
CLSPTH=...../wls_home/server/lib/wljmxclient.jar
Setting OAAM DB Creds in CSF
Go to EM Console -> WebLogic Domain -> Right-click IAMDomain -> Security -> Credentials -> Expand oaam map -> Select oaam map -> Click Create ->
Key : oaam_db_key
Type : Password
User Name : DEV_OAAM
Password and Confirm Password :
Setting up Encryption and Database Credentials
Setting up Encoded Secret Key for Encrypting Configuration Values
edit $ORACLE_MW_HOME/work/oaam_cli/config_3des_input.properties
keystorepasswd=password
keystorealiaspasswd=password
keyFile=config_secret_key.file
./genEncodedKey.sh config_3des_input.properties
Generated Encoded key = oamKerhhfcehe/eihrfiherih
Copy it
Adding the Encoded Symmetric Key for Encrypting Configuration Values to the CSF
Save the Encoded key in oaam map -> DESede_config_key_alias
Setting Up Encoded Secret Key for Encrypting Database Values
edit $ORACLE_MW_HOME/work/oaam_cli/db_3des_input.properties
./genEncodedKey.sh db_3des_input.properties
Generated Encoded key = jejerciojre/oiejfoirje
Copy and Save to EM Console -> oaam map -> DESede_db_key_alias
Setting Up OAAM DB Credentials in CSF
Already done above (oaam_db_key in the oaam map)
Backing Up DB Credentials and Encoded Secret Keys for Encrypting Database and Configuration Values
You should back up all the encoded secret keys used. They will be needed if the OAAM domain has to be re-created
oaam_db_key , Password , DEV_OAAM ,
DESede_db_key_alias, genEncodedKey
DESede_config_key_alias , genEncodedKey
Importing OAAM Snapshot
Import oaam_base_snapshot.zip file into OAAM through OAAM Admin
$ORACLE_HOME/oaam/init
The snapshot contains
1> Challenge Questions
2> Entity Definitions - user, city, device and so on
3> Out-of-the-box patterns
4> Out-of-the-box configurable actions
5> Out-of-the-box Policies
6> Any groups - rules, user groups, and action and alert groups
For upgrades, this step is not required, as the import would overwrite the existing configuration
Default patterns are in $ORACLE_HOME/oaam/init/OOB_patterns.zip
Base policies are in
$ORACLE_HOME/oaam/init/oaam_policies.zip
Configurable action templates are in
$ORACLE_HOME/oaam/init/OOTB_Configurable_Actions.zip
Base-authentication required entities are in
$ORACLE_HOME/oaam/init/Auth_EntityDefinition.zip
Importing IP Location Data
Edit $ORACLE_MW_HOME/work/oaam_cli/cli/bharosa_location.properties
location data should be from supported vendors (ip2location, maxmind, Quova)
location.data.provider=quova
location.data.file=/path/to/.dat.gz.file
location.data.ref.file=/path/to/ref.dat.gz.file
location.data.anonymizer.file=anonymizer.dat.gz.file
Run the loader command
./loadIPLocationData.sh
check ORACLE_MW_HOME, JAVA_HOME, and that oaam_cli.properties has the correct DB and AdminServer
source setCliEnv.sh
Login to DB SQL plus
select count(*) from vcrypt_country;
select count(*) from vcrypt_ip_location_map;
the script may take up to 24 hours to run
let it run without closing the terminal window
Setting the Timezone
Property in OAAM Admin
oaam.adf.timezone = user.timezone (shows server time)
user.timezone = UTC
It will pick the OAAM Admin Server machine time as set in bash profile (TZ, EST, UTC)
List of timezones
oracle.adf.timezone=America/Los_Angeles
Migrating OAAM Access Policies, OPSS Authorization Policies, and Credential Stores to OID
Create jpsroot in OID using ldapadd
dn: cn=jpsroot_iam
cn: jpsroot_iam
objectclass: top
objectclass: orclcontainer
Add this file with ldapadd
Connect to weblogic (7001) using wlst
wlst> reassociateSecurityStore(domain="IAMDomain", admin="cn=orcladmin", password="password",ldapurl="ldap://host:3069",servertype="OID",jpsroot="cn=jpsroot_iam")
command takes 5 minutes
Restart WLS , OAAM Admin , OAAM Managed Servers
Login to ODSM :7005/odsm
you should see cn=jpsroot_iam being populated with all the policy store data
----------------------Task 2 - OAAM Customizations--------
Login to OAAM Admin and Environment-> Properties
vcryptuser.customerid.generateIfNull -> change from true to false (this property controls whether the user ID is set to the same value as the username; when true, the user ID is a system-generated, random, and unique alphanumeric value)
Then log in with a test user and complete registration
Go to http://host:14300/oaam_server
password is test
Click continue to register
Accept Security Device, Image and Phrase
"Get a new image and phrase"
Now you should be logged in to the BigBank dummy app
Adding a User-Defined Header and Footer to OAAM login pages
edit $ORACLE_HOME/oaam/oaam_extensions/generic/oracle.oaam.extensions.war in a temp directory (copy it first)
unzip oracle.oaam.extensions.war
mkdir user_defined images
copy header.jpg and footer.jpg to images
copy header.jsp and footer.jsp to user_defined
Edit WEB-INF/classes/bharosa_properties/bharosa_server.properties
bharosa.uio.default.header=/user_defined/header.jsp
bharosa.uio.default.footer=/user_defined/footer.jsp
repack the war
Shut OAAM Admin and Server
Deploy the war to OAAM Admin, OAAM Offline and OAAM Server
Start the OAAM Admin and OAAM Server
Adding a User-Defined Error Message in English and Spanish
Files = client_resource_en.properties and client_resource_es.properties
bharosa.uio.default.login.invalid.user=Invalid username or password. Please try again.
Recreate the oracle.oaam.extensions.war file
To test Spanish you need to change the locale settings of the browser
OAAM supports 26 languages
The default text and messages are in asa_msg_resource_locale.properties and asa_msg_resource.properties
Changing the Style Sheet for the OAAM Login Pages
File = bharosa_uio.css which is in $ORACLE_MW_HOME/user_projects/domains/domain-name/servers/oaam_server_server1/tmp/_WL_user/oaam_server_11.1.1.3.0/1iknvr/war/css
One more file = bharosa_uio_rtl.css (same location)
create mystylesheet.css in user_defined
Change bharosa_server.properties
bharosa.uio.default.custom.css=/user_defined/mystylesheet.css
Recreate the oracle.oaam.extensions.war
Changing the Default Text and Adding a New Link on the OAAM Login Page
File = client_resource_en.properties
bharosa.uio.default.signon.page.button=Next
bharosa.uio.default.messages.enum.forgotusernamepopup.name= Forgot Username
bharosa.uio.default.messages.enum.forgotusernamepopup.description=If you have forgotten your username, please call customer service
bharosa.uio.default.signon.links.enum.forgottusername.description=Forgot username
This bharosa.uio.default.signon.page.button was set as Continue in asa_msg_resource.properties file but I override that in client_resource_en.properties
Edit bharosa_server.properties
bharosa.uio.default.messages.enum.forgotusernamepopup=99
bharosa.uio.default.messages.enum.forgotusernamepopup.name= Forgot Username
bharosa.uio.default.messages.enum.forgotusernamepopup.description=If you have forgotten your username, please call customer service
bharosa.uio.default.signon.links.enum.forgottusername.url=javascript:infoWindow('forgotusernamepopup');
bharosa.uio.default.signon.links.enum.forgottusername.enabled=true
The preceding entries added to bharosa_server.properties modify an existing enum, that is, they override the forgottusername.url and forgottusername.enabled elements of the signon.links enum
These two elements are defined in the oaam_uio.properties file as
bharosa.uio.default.signon.links.enum.forgottusername.url=#
bharosa.uio.default.signon.links.enum.forgottusername.enabled=false
Recreate oracle.oaam.extensions.war file
Deploy the war
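Repacking the extensions WAR by hand for each of the customizations above (header and footer, error message, style sheet, login link) is easy to get wrong. The following Python script is an added example, not part of the lab or of Oracle's tooling, that applies the user_defined files and the property overrides to a copy of oracle.oaam.extensions.war. It assumes the properties files live under WEB-INF/classes/bharosa_properties/ inside the WAR, as the lab shows, and the WAR it builds to run against is a constructed stand-in.

```python
"""Apply user_defined files and property overrides to a copy of
oracle.oaam.extensions.war (added example; not part of the lab or of OAAM)."""
import io
import zipfile
from pathlib import PurePosixPath

# Where bharosa_server.properties / client_resource_*.properties live in the WAR.
PROPS_DIR = "WEB-INF/classes/bharosa_properties/"


def merge_properties(text, overrides):
    """Return a Java .properties text with `overrides` applied: existing keys
    are replaced in place, new keys are appended. Handles key=value lines only
    (no ':' separator, no line continuations)."""
    out, seen = [], set()
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(("#", "!")) and "=" in stripped:
            key = stripped.split("=", 1)[0].strip()
            if key in overrides:
                out.append(f"{key}={overrides[key]}")
                seen.add(key)
                continue
        out.append(line)
    out.extend(f"{k}={v}" for k, v in overrides.items() if k not in seen)
    return "\n".join(out) + "\n"


def customize_war(war_bytes, files, props):
    """Repack `war_bytes` with extra files and merged properties.
    files: {"user_defined/header.jsp": b"..."}            add or replace
    props: {"bharosa_server.properties": {key: value}}  overrides per file
    Every entry is written exactly once (a zip with duplicate entries is ambiguous)."""
    done, dst_buf = set(), io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as src, \
         zipfile.ZipFile(dst_buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in files:
                data = files[info.filename]
                done.add(info.filename)
            elif info.filename.startswith(PROPS_DIR):
                name = PurePosixPath(info.filename).name
                if name in props:
                    data = merge_properties(data.decode("utf-8"), props[name]).encode("utf-8")
                    done.add(name)
            dst.writestr(info.filename, data)
        for path, data in files.items():          # files new to the WAR
            if path not in done:
                dst.writestr(path, data)
        for name, overrides in props.items():     # properties files new to the WAR
            if name not in done:
                dst.writestr(PROPS_DIR + name, merge_properties("", overrides).encode("utf-8"))
    return dst_buf.getvalue()


def build_sample_war():
    """Constructed stand-in for oracle.oaam.extensions.war (not the real archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(PROPS_DIR + "bharosa_server.properties",
                   "# constructed defaults\n"
                   "bharosa.uio.default.signon.links.enum.forgottusername.url=#\n"
                   "bharosa.uio.default.signon.links.enum.forgottusername.enabled=false\n")
        z.writestr(PROPS_DIR + "client_resource_en.properties",
                   "bharosa.uio.default.signon.page.button=Continue\n")
    return buf.getvalue()


# The lab's customizations, expressed as inputs to customize_war().
LAB_FILES = {
    "user_defined/header.jsp": b"<div class='hdr'>BigBank</div>",
    "user_defined/footer.jsp": b"<div class='ftr'>BigBank footer</div>",
    "user_defined/mystylesheet.css": b"body { font-family: sans-serif; }",
}
LAB_PROPS = {
    "bharosa_server.properties": {
        "bharosa.uio.default.header": "/user_defined/header.jsp",
        "bharosa.uio.default.footer": "/user_defined/footer.jsp",
        "bharosa.uio.default.custom.css": "/user_defined/mystylesheet.css",
        "bharosa.uio.default.signon.links.enum.forgottusername.url": "javascript:infoWindow('forgotusernamepopup');",
        "bharosa.uio.default.signon.links.enum.forgottusername.enabled": "true",
    },
    "client_resource_en.properties": {
        "bharosa.uio.default.signon.page.button": "Next",
        "bharosa.uio.default.login.invalid.user": "Invalid username or password. Please try again.",
    },
}


def demo():
    """Customize the constructed WAR and return what ended up inside it."""
    war = customize_war(build_sample_war(), LAB_FILES, LAB_PROPS)
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        return {"entries": sorted(z.namelist()),
                "server": z.read(PROPS_DIR + "bharosa_server.properties").decode("utf-8"),
                "client": z.read(PROPS_DIR + "client_resource_en.properties").decode("utf-8")}
```

To use it on the real archive, read oracle.oaam.extensions.war into bytes, pass your own files and overrides, and write the returned bytes back out before deploying.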
Modifying a Virtual Authentication Device (VAD)
Access to http://host:14300/oaam_server
login with test user and password as test
If you are challenged with a KBA question, answer it, then click "User Preferences" on the Welcome to BigBank app page
Click "Upgrade to higher security device"
Notice the English VAD
Continue and Logout
copy client_resource_de.properties (German) to /WEB-INF/classes
In WEB-INF/classes create two directories, alphapad_bg and alphapad_skins_de
Copy the images and skins
Edit bharosa_server.properties
bharosa.authentipad.keypad.german.keyset.enum=German KeyPad Keyset Enum
Recreate the war, deploy, change the browser locale to German, and test
--------Task 3 - Policies - Static, Patterns, and Predictive------------
Reviewing the OAAM Pre-Authentication Policy for a Blacklisted User
OAAM Admin -> Groups -> Name -> OAAM Restricted Users -> + -> Add Test User
Now try to access BigBank with the test user; you will be stopped after the enter-username screen
"You are not authorized to login. Please contact customer service"
OAAM Admin -> Policies -> OAAM Pre-Authentication policy
OAAM Pre-Authentication
Summary Tab , Rules Tab , Trigger Combinations , Group Linking
Checkpoint : Pre-Authentication (dropdown)
Scoring Engines : Maximum
Weight : 100
Description : This policy stops fraud login attempts before the password is entered
Go to Rules Tab in the same Policy (OAAM Pre-Authentication)
Rules (6)
Blacklisted users
Blacklisted countries
Blacklisted ISPs
Blacklisted Devices
WEBZIP used
Blacklisted IPs
Rule Name : Blacklisted users
Policy Name : OAAM Pre-Authentication
Rule Status : Active
Rule Notes : This rule will trigger if a user has previously been black listed.
Conditions (tab) in Blacklisted users (rule)
Name : USER: In Group
If the user is in the given group
Is in group : True
User Group : OAAM Restricted users
Now if you go to the "OAAM Restricted Users" group in OAAM Admin, you will see the list of users added
The Usage tab of the group shows everywhere the group is used: the policies and the rules within those policies
Go back to "Blacklisted users" Rule
Go to Results Tab
Score : 1000
Weight : 100
Action Group : OAAM Block
Alert Group : OAAM Restricted User
Search for groups named : OAAM Block and OAAM Restricted User
OAAM Block Group
Actions :
Name : Block
Value : 2
Description : Block user from accessing the system
OAAM Restricted User
Alerts :
Alert Type : CSR
Alert Level : High
Alert Message : Login Attempt from a blacklisted User
Alert Type : Fraud
Alert Level : High
Alert Message : Blacklisted User login
Check the Usage tab as well -> policies and rules that use these groups
Reviewing the OAAM AuthenticationPad Policy
Policies -> OAAM AuthenticationPad Policy (checkpoint = AuthenticationPad)
Scoring Engine : Average
Weight : 100
Description : Policy to determine the OAAM AuthenticationPad to use.
Rules:-
Register Challenge Questions
Check if mobile browser is being used by user
Challenge SMS
Registered Image and Caption
Key Pad User
Challenge Email
Challenge Question
Trigger Combinations
These provide a way to create dependencies between the various independent rules defined on the Rules tab.
Review : Registered Image and Caption (Rule)
Conditions
USER: Authentication Image Assigned
Is assigned : True
Results :
Action Group : OAAM Personalized Pad
Search for Group : OAAM Personalized Pad
Reviewing the OAAM Registration Policy
Policies -> OAAM Registration Policy -> Checkpoint = Registration
Checkpoint : Registration
Scoring Engine : Weighted Average
Weight : 100
Rules:-
Register Questions
Register Image and Caption
Check Registration
Skipped registration more than 3 times
Register User Information
Rule Name : Check Registration
Policy Name : OAAM Registration Policy
Rule Status : Active
Rule Notes : Checks to see if user has completed registration & Personalization.
Conditions (in Rule above)
USER: Account Status
User Account Status : Active
Is : False
Go to Conditions Node
Search for Account Status
Go to Results tab in the Rule : Check Registration
Results
Score : 0
Weight : 100
Action Group : OAAM Register
Alert Group : None
Check out the group "OAAM Register"; the Actions tab of the OAAM Register group shows the actions taken
Usage tab
Policy Name , Rules , Action Group
If user is not registered , they are shown the standard text pad
If the user is already registered, then they are shown a personalized pad (containing their own phrase and image)
After successful authentication , Registration checkpoint evaluates the OAAM Registration Policy (all 5 rules are triggered)
Get new image , Get new phrase
User can also upgrade to a higher security device (virtual keypad)
After personalized textpad or virtual keypad, they register the KBA Questions
These KBA questions get triggered when the risk score crosses the threshold, that is, to ascertain the true identity of the user in high-risk situations
After registration , user gets to see the BigBank page
You can anytime change the password, change the personalized image and phrase, upgrade or downgrade to a virtual keypad or textpad, or change the KBA questions and answers by clicking "User Preferences" links
Blocking Requests from the WEBZIP Browser
Policy Name : OAAM Pre-Authentication
Rules : WEBZIP used
Rule Name : WEBZIP used
Policy Name : OAAM Pre-Authentication
Rule Status : Active
Rule Notes : if WEBZIP used
Conditions tab
DEVICE: Browser header substring
Description : Checks whether the supplied string is in browser header
Substring to check for : WebZip
Results tab
Score : 1000
Weight : 100
Action Group : OAAM Block
Alert Group : OAAM Restricted software
Double click Groups Node -> OAAM Block and OAAM Restricted software
Group Name : OAAM Block
Group Type : Actions
Cache Type : Full Cache
Description : Block
Actions tab
Block : Value = 2 : Description = Block user from accessing the system
Usage tab
Policies, Rules , Groups
Group Name : OAAM Restricted software
Group Type : Alerts
Cache Type : Full Cache
Description : Restricted software
Alerts tab
Alert Type = Fraud ; Alert Level = High ; Alert Message = Login attempt using restricted software
Usage tab
Policies:OAAM Pre-Authentication
Rules:WEBZIP used
Group: OAAM Restricted software
Patterns - Request from Odd Hours of the Day
OAAM Admin -> Patterns Node -> Right Click -> New Patterns
Pattern Name : TimeLog10AM-5PM
Transaction Type : Authentication (dropdown)
Creation Method : Single-Bucket(dropdown)
Member Types : User(dropdown)
Evaluation Priority : High(dropdown)
Description : Capture User login
A Pattern with same member configuration already exists
Are you sure you want to create a new pattern ?
Add Attributes to the pattern
Attribute Name : TimeLog10AM-5PM
Label : Time
Definition : Time when the user is logged in
Status : Active
Description : Time Range between 10 AM to 5 PM
Compare Operator : Range
Start Value : 10
End Value : 17
Now Create a new Alert Group
OAAM Admin -> Groups -> Right Click -> "New Group"
Group Name : NightShiftLogin10AM-5PM
Group Type : Alerts
Cache Policy : Full Cache
Description : Alert Login
Alerts -> + add
Create new Alerts (check), Search from existing Alerts (uncheck)
Alert Type : Investigation
Alert Level : Medium
Alert Message : Night Shift Login
Create a New Policy
Policy Name : TImeBetween10AM_1700
Policy Status : Active
Checkpoint : Post-Authentication
Scoring Engine : Maximum
Weight : 100
Description : yah yah
Go to Rules tab
Add Rule (+)
Rule Name : User: Entity Pattern Count
Policy Name : TImeBetween10AM_1700
Rule Status : Active
Rule Notes : Count the number of times
Add Conditions (+)
ENTITY: Entity is member of pattern N times
Pattern hit count more than : 3
Pattern Name for membership : TimeLog10AM-5PM
Is Membership Count More than patternHitCountForUser : True
Time period type for pattern membership : 24
Member type for pattern membership : User
Click Save
Go to Results of Rule
Score : 1000
Weight : 100
Action Group : None
Alert Group : NightShiftLogin10AM-5PM
Click Apply and OK
Create a User ID group for nightshiftusers. Right-click the Groups node and add the test user to this group
Group Name : nightshiftusers
Group Type : User ID
Cache Policy : Full Cache
Description : ejrfjer
Add the User in User ID tab
Go back to Policy : TimeLog10AM-5PM and link this policy to the group just created
Group Linking
Link Group to Policy Icon
Group Name : nightshiftusers
Group Description
Linking Notes : This policy is linked to all night shift users group
Check 3 properties
1> vcrypt.tracker.autolearning.use.tran.status.for.analysis = true
2> vcrypt.tracker.autolearning.use.auth.status.for.analysis = true
3> vcrypt.tracker.autolearning.enabled = true
Test the scenario by logging in more than 3 times
Check the Alerts in OAAM Admin
Marked in orange as Medium alerts
Patterns - Requests from Different IP Addresses
Autolearning is a profiling process in which the administrator defines behaviour patterns
These patterns are in turn used by OAAM to dynamically create and populate buckets based on the pattern parameters
OAAM(Adaptive Risk Manager) automatically records and maintains the bucket memberships of users, devices, and locations (entities in general) over time so that the profiles that are created can be used to evaluate risk.
Import the snapshot "pattern_snapshot.zip"
Login with test user 7-8 times
Change the IP address using Modify Headers extension
"X-forwarded-for"
Log in to oaam_server as the same user (comes from a new IP)
The first few logins from the new IP generate alerts, but after some time, once the share of logins from this new IP rises to 20% or more, the alerts stop (the rule fires only while the percentage is below 20).
Backup before Import new snapshot
OAAM Admin -> System Snapshots -> Double-click -> Click -> Backup
Backup Type : Database and File
Name : backup_name
Notes :
File Name (.ZIP) :
Go to Policies -> IP-based Pattern Demo Policy
Policy Name : IP-based Pattern Demo policy
Policy Status : Active
Checkpoint : Pre-Authentication
Scoring Engine : Average
Weight : 100
Description : This policy generates an alert if the user's percentage of IP usage is below 20
Rules (only 1)
Rule Name : User: IP Usage rule
Policy Name : IP-based Pattern Demo Policy
Rule Status : Active
Rule Notes : Raise an alert if IP is used less than 20% of time
Conditions tab (only 1)
ENTITY: Entity is member of pattern less than some percent times
Pattern Hit Percent less than : 20
Pattern name for membership : User-IP Tracking Pattern
Is Membership Count Less than patternHitPercent : True
Time period type for pattern membership : 3
Member type for pattern membership : User
Results tab
Score : 1000
Weight : 100
Action Group : None
Alert Group : IP Used less than percentage times for the User
Group Name : IP Used less than percentage times for the User
Group Type : Alerts
Cache Type : None
Description : Test Alert group for pattern
Alerts tab
Alert Type : Investigation
Alert Level : Medium
Alert Message : Ip used less than percentage times for the User
Usage : Policies , Rules , Groups
Change vcrypt.tracker.ip.detectProxiedIP from false to true so that X-forwarded-for is honoured, then test
OAAM Admin -> Patterns -> User-IP Tracking Pattern
Pattern Name : User-IP Tracking Pattern
Pattern Status : Active
Member Types : User
Evaluation Priority : High
Description : This pattern tracks user's IP.
Transaction Type : Authentication
Creation Method : Multi-Bucket
Attribute tab
Label : Remote IP
Definition: Remote Ip
Status : Active
Description : IP of the user. X-forwarded-for
Compare Operator : for Each
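To see what the two pattern rules in this task actually compute, here is an added Python simulation (not OAAM code and not from the lab) of the single-bucket TimeLog10AM-5PM count rule and the multi-bucket User-IP Tracking percentage rule, run over constructed login events. It assumes the Range 10..17 is inclusive on the hour of day, that the count rule looks back 24 hours, and that the percentage rule looks at all of the user's logins in a configurable window; OAAM's own mapping of "Time period type" values to windows is not reproduced.

```python
"""Simulation of the two pattern-based rules in this lab (added example; not
OAAM code): the single-bucket TimeLog10AM-5PM count rule and the multi-bucket
User-IP Tracking percentage rule. Entities here are users only."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed login events: (user, remote_ip, timestamp). With
# vcrypt.tracker.ip.detectProxiedIP=true the remote IP would be taken from
# X-forwarded-for; here the event simply carries it.
BASE = datetime(2012, 3, 1, 8, 0)
EVENTS = [("test", "10.0.0.5", BASE + timedelta(hours=h))
          for h in (0, 2, 4, 6, 7, 8, 9, 9.5)]   # 08:00 .. 17:30 same day


def in_window(ts, now, hours):
    return now - timedelta(hours=hours) <= ts <= now


def time_bucket_hits(events, user, now, start=10, end=17, period_hours=24):
    """Single-bucket pattern TimeLog10AM-5PM: number of the user's logins in
    the last `period_hours` whose hour of day is in the Range start..end
    (assumed inclusive, so a 17:xx login counts)."""
    return sum(1 for u, _, ts in events
               if u == user and in_window(ts, now, period_hours)
               and start <= ts.hour <= end)


def night_shift_rule(events, user, now, threshold=3):
    """Rule 'ENTITY: Entity is member of pattern N times' with
    'Pattern hit count more than : 3'; alert group NightShiftLogin10AM-5PM."""
    hits = time_bucket_hits(events, user, now)
    return {"hits": hits,
            "alert": "Night Shift Login" if hits > threshold else None}


def ip_usage_percent(events, user, ip, now, period_hours):
    """Multi-bucket pattern User-IP Tracking ('for Each' Remote IP): share in
    percent of the user's logins in the window that came from `ip`."""
    ips = [i for u, i, ts in events if u == user and in_window(ts, now, period_hours)]
    if not ips:
        return 0.0
    return 100.0 * Counter(ips)[ip] / len(ips)


def ip_usage_rule(events, user, ip, now, period_hours=24 * 30, threshold=20.0):
    """Rule 'ENTITY: Entity is member of pattern less than some percent times'
    with 'Pattern Hit Percent less than : 20'."""
    pct = ip_usage_percent(events, user, ip, now, period_hours)
    return {"percent": round(pct, 1),
            "alert": ("Ip used less than percentage times for the User"
                      if pct < threshold else None)}


def new_ip_alert_sequence(events, user, new_ip, logins):
    """Replay `logins` further logins from `new_ip` one hour apart and evaluate
    the IP usage rule after each, as the lab does via X-forwarded-for.
    Returns one result dict per login; alerts stop once the share reaches 20%."""
    history = list(events)                       # do not mutate the caller's list
    last = max(ts for u, _, ts in events if u == user)
    results = []
    for n in range(1, logins + 1):
        now = last + timedelta(hours=n)
        history.append((user, new_ip, now))
        results.append(ip_usage_rule(history, user, new_ip, now))
    return results


if __name__ == "__main__":
    now = EVENTS[-1][2]
    print(night_shift_rule(EVENTS, "test", now))
    for r in new_ip_alert_sequence(EVENTS, "test", "203.0.113.9", 3):
        print(r)
```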
--------Task 4 - Native Integration-----------------------
Integrating sample applications with OAAM using in-proc and SOAP mode
Deploy the sample applications in a new Managed Server within the same OAAM domain. In real life, however, you would deploy the sample application in a new Managed Server in a different WLS domain.
If the WLS domain is the same version as the IAM domain that is compatible with OAAM 11gR1PS1, you can use in-proc mode ; however , if it is a non IAM domain , or a non-WLS application server , or if the application is a non-Java-based application (.NET app) , you must use SOAP mode.
Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using In-Proc Mode
You deploy a sample customer application oaam_sample.zip on to a user-defined Managed Server
You also deploy oaam_native_lib.war as a shared library and target it to the new Managed Server
You create the new Managed Server in the same IAMDomain where the OAAM server resides; therefore the oaam map and key values do not need to be updated or created
Also make sure OAAM_SERVER_DS data source is targeted to the new Managed Server and verify weblogic.xml file for the custom application has reference to the oaam_native_lib.war
Create a new server (7002)
Install oaam_native_lib.war
Deploy oaam_sample
OAAM_SERVER_DS, add new server as 1 of the targets
Activate Changes
Start customerServer
Access the application -> http://host:7002/oaam_sample
username scott password test
Get a new Image and phrase
KBA Q&A
Enter your mobile number
Login Successful with links on the left for Internet Banking and Retail Ecommerce
Now Stop the OAAM Managed Server and login to BigBank application
If you are successfully challenged and can register for KBA questions and OTP without the OAAM server running, it proves the assertion made in the lesson that you do not need the OAAM server running when using in-proc native integration, because calls are made directly to the DB
Stop OAAM server
Access http://host:7002/oaam_sample
Try logging in to the BigBank Application using scott and the test password. You have to register again because of a bug in oaam_sample
Disable Rule : "Register User Information" in the "OAAM Registration" policy
Start OAAM Server
Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using SOAP Mode (with No Authentication)
Modify the bharosa_server.properties file to run the native integration with oaam_sample in SOAP mode
edit $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties
vcrypt.tracker.soap.url=http://host:14300/oaam_server/services
vcrypt.soap.auth=false
vcrypt.common.util.vcryptsoap.impl.classname=com.bharosa.vcrypt.common.impl.VCryptSOAPGenericImpl
vcrypt.soap.disable=false
vcrypt.tracker.soap.useSOAPServer=true
vcrypt.tracker.impl.classname=com.bharosa.common.util.BharosaConfigPropsImpl
vcrypt.soap.call.timeout=10000
bharosa.config.load.impl.classname=com.bharosa.common.util.BharosaConfigLoadPropsImpl
bharosa.authentipad.image.url=kbimage.jsp?action=kbimage&
bharosa.image.dirlist=/u01/app/oracle/product/middleware/iam_home/oaam/oaam_images/
Now go to EM Console and make changes to OAAM Webservices
Right-click oaam_server_server1 -> Select Web Services
Select all OAAM Web Services
Click Attach Policies
Select policies
oracle/no_authentication_service_policy
oracle/no_authorization_service_policy
Click Attach button
Restart OAAM Managed Server
Data Sources -> OAAM_SERVER_DS -> Remove customerServer from the targets
In SOAP mode, there is no direct call to the database. Requests go through the OAAM Server, which in turn talks to the DB; therefore you do not need to target the data source to the Managed Server that is running the customer application (customerServer)
Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using SOAP Mode (with Authentication)
WebLogic Console -> Security -> Realms -> myrealm -> create a new user
Name : soap_user
Provider : DefaultAuthenticator
Password : password
Make the User member of OAAMSOAPServicesGroup
Create a file named soap_key.file in $ORACLE_MW_HOME/work/oaam_cli/cli
Content of file
password
Edit soap_3des_input.properties as below
keystorepasswd=password
keystorealiaspasswd=password
keyFile=soap_key.file
keystorefilename=system_soap.keystore
keystorealias=vcrypt.soap.call.passwd
./setCliEnv.sh
Run below command
$JAVA_HOME/bin/java -Djava.security.policy=conf/jmx.policy -classpath $CLSPTH com.bharosa.vcrypt.common.util.KeyStoreUtil updateOrCreateKeyStore readFromFile=$ORACLE_MW_HOME/work/oaam_cli/cli/soap_3des_input.properties
This will generate KeyStore Password and Alias Password
Move the system_soap.keystore to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes
Shut down the customerServer where oaam_sample is running
Modify bharosa_server.properties
Change vcrypt.soap.auth=true
Uncomment and set values below
vcrypt.soap.auth.keystorePassword=passwordcopied
vcrypt.soap.auth.aliasPassword=aliasPwdCopied
vcrypt.soap.auth.username=soap_user
vcrypt.soap.auth.keystoreFile=system_soap.keystore
(the remaining settings stay as they are because the sample application is in the same domain as the OAAM Server)
Verify
bharosa.cipher.encryption.algorithm.enum is commented out
Update oaam_sample app with bharosa_server.properties
Deploy and start the customer Server
Go to EM Console -> Locate oaam_server_server1 -> Right CLick -> Select Web Services -> Attach Policies -> Select all OAAM Webservices ->
Select oracle/wss_http_token_service_policy
Click Attach
Restart OAAM Managed Server
Deselect OAAM_SERVER_DS from customerServer as targets
Natively Integrating the Sample Application That is Running in the Non-OAAM Server Domain Using SOAP Mode
deploy sample application to a new Managed Server in a pure WLS domain (no IAM component)
Copy $ORACLE_HOME/oaam/oaam_libs/war/oaam_native_lib.war to the tmp folder $ORACLE_HOME/oaam/oaam_libs/war/tmp/oaam_native_lib.war
Navigate to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes and rename bharosa_server.properties to bharosa_server.properties.backup
Restore the bharosa_server.properties file that you renamed in the preceding step.
cd $ORACLE_HOME/oaam/oaam_libs/war/tmp/WEB-INF/classes
cp -r bharosa_properties $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes
cp *.properties $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes
rm $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties
mv $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties.backup $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties
Copy oaam_soap_client.jar file from $ORACLE_HOME/oaam/oaam_libs/jar to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/lib
Remove below tag from $ORACLE_HOME/oaam/oaam_sample/WEB-INF/weblogic.xml
<library-ref>
<library-name>oracle.oaam.libs</library-name>
</library-ref>
Go to $ORACLE_MW_HOME/work/oaam_cli/cli
Create config_secret_key.file with password
cp sample.config_3des_input.properties config_3des_input.properties
vi config_3des_input.properties
change keystorepasswd and keystorealiaspasswd values, specify config_secret_key.file for keyFile
./setCliEnv.sh
Run below command
$JAVA_HOME/bin/java -Djava.security.policy=conf/jmx.policy -classpath $CLSPTH com.bharosa.vcrypt.common.util.KeyStoreUtil updateOrCreateKeyStore readFromFile=$ORACLE_MW_HOME/work/oaam_cli/cli/config_3des_input.properties
Copy system_config.keystore to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes
Edit $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties
bharosa.cipher.encryption.algorithm.enum.DESede_config.keyRetrieval.classname=com.bharosa.common.util.cipher.KeystoreKeyRetrieval
bharosa.cipher.encryption.algorithm.enum.DESede_config.keystoreFile=system_config.keystore
bharosa.cipher.encryption.algorithm.enum.DESede_config.keystorePassword=jrhrhtfuher=
bharosa.cipher.encryption.algorithm.enum.DESede_config.aliasPassword=beruhfeh==
Create a new WLS Domain
Create a new Managed Server
Deploy the Sample Application
Start customerServer on the nonIAMDomain
Ensure oaam_sample goes to Active state
Test with scott, test on new app :8002/oaam_sample
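Because the SOAP-mode settings in this task are spread over several properties (and the no-authentication variant leaves the OAAM web services open to anyone who can reach port 14300), a consistency check of bharosa_server.properties before deploying the sample application is worth having. The following Python checker is an added example, not part of the lab or of OAAM; the property texts it checks are constructed from the values shown in this task, and its DESede_config rule follows the lab's guidance (keys commented out in the OAAM domain, set in a non-OAAM domain).

```python
"""Consistency check for the SOAP-mode settings in the sample application's
bharosa_server.properties (added example; not part of the lab or of OAAM)."""

REQUIRED_SOAP = ("vcrypt.tracker.soap.url",
                 "vcrypt.common.util.vcryptsoap.impl.classname")
REQUIRED_AUTH = ("vcrypt.soap.auth.username",
                 "vcrypt.soap.auth.keystorePassword",
                 "vcrypt.soap.auth.aliasPassword",
                 "vcrypt.soap.auth.keystoreFile")
CIPHER_PREFIX = "bharosa.cipher.encryption.algorithm.enum.DESede_config."


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments.
    Commented-out keys are deliberately not returned."""
    props = {}
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith(("#", "!")) and "=" in s:
            key, value = s.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_soap_config(props, same_domain=True):
    """Return a list of findings for a parsed bharosa_server.properties.
    An empty list means the settings are consistent with the lab's setup."""
    findings = []
    is_true = lambda key: props.get(key, "false").strip().lower() == "true"

    if not is_true("vcrypt.tracker.soap.useSOAPServer"):
        return ["useSOAPServer is not true: in-proc mode, OAAM_SERVER_DS must be "
                "targeted to the application's Managed Server"]
    if is_true("vcrypt.soap.disable"):
        findings.append("vcrypt.soap.disable=true contradicts useSOAPServer=true")
    for key in REQUIRED_SOAP:
        if not props.get(key):
            findings.append(f"missing {key}")
    url = props.get("vcrypt.tracker.soap.url", "")
    if url and not url.endswith("/oaam_server/services"):
        findings.append("vcrypt.tracker.soap.url should end in /oaam_server/services")

    if is_true("vcrypt.soap.auth"):
        # With Authentication: every keystore/credential property must be set,
        # and the OAAM web services get oracle/wss_http_token_service_policy.
        for key in REQUIRED_AUTH:
            if not props.get(key):
                findings.append(f"vcrypt.soap.auth=true but {key} is not set")
    else:
        findings.append("vcrypt.soap.auth=false: OAAM web services accept "
                        "unauthenticated calls (no_authentication_service_policy)")

    cipher_keys = [k for k in props if k.startswith(CIPHER_PREFIX)]
    if same_domain and cipher_keys:
        findings.append("DESede_config keys must stay commented out in the OAAM domain")
    if not same_domain and CIPHER_PREFIX + "keystoreFile" not in props:
        findings.append("non-OAAM domain needs the DESede_config keystore settings")
    return findings


def check_text(text, same_domain=True):
    return check_soap_config(parse_properties(text), same_domain)


# Constructed property texts built from the values shown in this task.
LAB_NOAUTH = """\
vcrypt.tracker.soap.url=http://host:14300/oaam_server/services
vcrypt.soap.auth=false
vcrypt.common.util.vcryptsoap.impl.classname=com.bharosa.vcrypt.common.impl.VCryptSOAPGenericImpl
vcrypt.soap.disable=false
vcrypt.tracker.soap.useSOAPServer=true
vcrypt.soap.call.timeout=10000
#bharosa.cipher.encryption.algorithm.enum.DESede_config.keystoreFile=system_config.keystore
"""
LAB_AUTH = LAB_NOAUTH.replace("vcrypt.soap.auth=false", "vcrypt.soap.auth=true") + """\
vcrypt.soap.auth.keystorePassword=passwordcopied
vcrypt.soap.auth.aliasPassword=aliasPwdCopied
vcrypt.soap.auth.username=soap_user
vcrypt.soap.auth.keystoreFile=system_soap.keystore
"""
# Deliberately inconsistent: SOAP disabled and the alias password left out.
BROKEN = LAB_AUTH.replace("vcrypt.soap.disable=false", "vcrypt.soap.disable=true") \
                 .replace("vcrypt.soap.auth.aliasPassword=aliasPwdCopied\n", "")

if __name__ == "__main__":
    for name, text in (("no-auth", LAB_NOAUTH), ("auth", LAB_AUTH), ("broken", BROKEN)):
        print(name, check_text(text))
```

Run it against the real file with `check_text(open(path).read(), same_domain=False)` when the sample application lives in the non-OAAM domain.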
Install OIAM Suite
/u01/app/oraInventory/createCentralInventory.sh
Configure OIAM
cd $ORACLE_HOME/common/bin
./config.sh
Domain Source -
OAAM Admin Server, OAAM Server, OAAM Offline
Start the servers in the following order
WLS Admin
OAAM Admin
OAAM Managed Server
OAAM Offline Server
Stop sequence
OAAM Offline Server
OAAM Managed Server
OAAM Admin Server
WLS Admin
Setting Up OAAM Base Env - Creating OAAM Admin User and Assigning OAAM Groups
Go to WebLogic Console -> Security -> myrealm -> Users and Groups -> Users -> New -> create the user oaam_admin ->
Open oaam_admin -> assign all groups containing the "OAAM" keyword (7 in total) -> Save
Now you can log in to http://host:14200/oaam_admin as the oaam_admin user
Setting up OAAM Base Env - Setting Command-Line Interface
Copy the CLI folder $ORACLE_HOME/oaam/cli to a working directory (oaam_cli)
cp -r $ORACLE_HOME/oaam/cli $ORACLE_MW_HOME/work/oaam_cli
Setting CSF Configuration
a> CSF without MBeans (run the OAAM CLI on the same computer as WLS; no need to supply the WLS admin user and password)
b> CSF with MBeans (recommended if OAAM is clustered; you need to supply the WLS admin user and password)
edit bharosa_properties/oaam_cli.properties
Set the following
oaam.adminserver.hostname = hostname
oaam.adminserver.username = weblogic
oaam.adminserver.password = password
oaam.db.url = jdbc:oracle:thin.....
chmod +x *.sh
vi setCliEnv.sh
CLSPTH=...../wls_home/server/lib/wlclient.jar
CLSPTH=...../wls_home/server/lib/wljmxclient.jar
Setting OAAM DB Creds in CSF
Go to EM Console -> WebLogic Domain -> Right-click IAMDomain -> Security -> Credentials -> Expand oaam map -> Select oaam map -> Click Create ->
Key : oaam_db_key
Type : Password
User Name : DEV_OAAM
Password and Confirm Password :
Setting up Encryption and Database Credentials
Setting up Encoded Secret Key for Encrypting Configuration Values
edit $ORACLE_MW_HOME/work/oaam_cli/config_3des_input.properties
keystorepasswd=password
keystorealiaspasswd=password
keyFile=config_secret_key.file
./genEncodedKey.sh config_3des_input.properties
Generated Encoded key = oamKerhhfcehe/eihrfiherih
Copy it
Adding the Encoded Symmetric Key for Encrypting Configuration Values to the CSF
Save the Encoded key in oaam map -> DESede_config_key_alias
Setting Up Encoded Secret Key for Encrypting Database Values
edit $ORACLE_MW_HOME/work/oaam_cli/db_3des_input.properties
./genEncodedKey.sh db_3des_input.properties
Generated Encoded key = jejerciojre/oiejfoirje
Copy and Save to EM Console -> oaam map -> DESede_db_key_alias
Setting Up OAAM DB Credentials in CSF
This is done
Backing Up DB Credentials and Encoded Secret Keys for Encrypting Database and Configuration Values
You should back up all the encoded secret keys used; they will be needed if the OAAM domain has to be re-created:
oaam_db_key , Password , DEV_OAAM ,
DESede_db_key_alias, genEncodedKey
DESede_config_key_alias , genEncodedKey
Importing OAAM Snapshot
Import the oaam_base_snapshot.zip file into OAAM through OAAM Admin
The file is in $ORACLE_HOME/oaam/init
The snapshot contains
1> Challenge Questions
2> Entity Definitions - user, city, device and so on
3> Out-of-the-box patterns
4> Out-of-the-box configurable actions
5> Out-of-the-box Policies
6> Any groups - rules, user groups, and action and alert groups
For upgrades, this step is not required, as the import would overwrite the existing data
Default patterns are in $ORACLE_HOME/oaam/init/OOB_patterns.zip
Base policies are in
$ORACLE_HOME/oaam/init/oaam_policies.zip
Configurable action templates are in
$ORACLE_HOME/oaam/init/OOTB_Configurable_Actions.zip
Base-authentication required entities are in
$ORACLE_HOME/oaam/init/Auth_EntityDefinition.zip
Importing IP Location Data
Edit $ORACLE_MW_HOME/work/oaam_cli/cli/bharosa_location.properties
The location data must come from one of the supported vendors (ip2location, MaxMind, Quova)
location.data.provider=quova
location.data.file=/path/to/.dat.gz.file
location.data.ref.file=/path/to/ref.dat.gz.file
location.data.anonymizer.file=anonymizer.dat.gz.file
Run the loader command
./loadIPLocationData.sh
Check that ORACLE_MW_HOME and JAVA_HOME are set and that oaam_cli.properties has the correct DB and AdminServer details
source setCliEnv.sh
Log in to the DB with SQL*Plus and verify the row counts
select count(*) from vcrypt_country;
select count(*) from vcrypt_ip_location_map;
The script may take up to 24 hours to run; let it run without closing the terminal window
Setting the Timezone
Property in OAAM Admin
oaam.adf.timezone = user.timezone (shows server time)
user.timezone = UTC
It picks up the OAAM Admin Server machine's time zone as set in the bash profile (TZ, e.g. EST or UTC)
Time zone values use the standard region/city names, for example
oracle.adf.timezone=America/Los_Angeles
Migrating OAAM Access Policies, OPSS Authorization Policies, and Credential Stores to OID
Create jpsroot in OID using ldapadd
dn: cn=jpsroot_iam
cn: jpsroot_iam
objectclass: top
objectclass: orclcontainer
Add this file with ldapadd
Connect to weblogic (7001) using wlst
wlst> reassociateSecurityStore(domain="IAMDomain", admin="cn=orcladmin", password="password",ldapurl="ldap://host:3069",servertype="OID",jpsroot="cn=jpsroot_iam")
The command takes about 5 minutes
Restart WLS , OAAM Admin , OAAM Managed Servers
Login to ODSM :7005/odsm
You should see cn=jpsroot_iam populated with all the policy store data
----------------------Task 2 - OAAM Customizations--------
Login to OAAM Admin and Environment-> Properties
vcryptuser.customerid.generateIfNull -> change from true to false (with false, the user ID is set to the same value as the username; when true, the user ID is a system-generated, random, unique alphanumeric value)
First log in with the test user and complete registration:
Go to http://host:14300/oaam_server
password is test
Click continue to register
Accept Security Device, Image and Phrase
"Get a new image and phrase"
Now you should be logged in to the BigBank dummy app
Adding a User-Defined Header and Footer to OAAM login pages
Copy $ORACLE_HOME/oaam/oaam_extensions/generic/oracle.oaam.extensions.war to a temp directory and edit the copy
unzip oracle.oaam.extensions.war
mkdir user_defined images
copy header.jpg and footer.jpg to images
copy header.jsp and footer.jsp to user_defined
Edit WEB-INF/classes/bharosa_properties/bharosa_server.properties
bharosa.uio.default.header=/user_defined/header.jsp
bharosa.uio.default.footer=/user_defined/footer.jsp
repack the war
Shut down OAAM Admin and OAAM Server
Deploy the war to OAAM Admin, OAAM Offline and OAAM Server
Start the OAAM Admin and OAAM Server
Adding a User-Defined Error Message in English and Spanish
Files = client_resource_en.properties and client_resource_es.properties
bharosa.uio.default.login.invalid.user=Invalid username or password. Please try again.
Recreate the oracle.oaam.extensions.war file
To test Spanish you need to change the locale settings of the browser
OAAM supports 26 languages
The default text and messages are in asa_msg_resource_locale.properties and asa_msg_resource.properties
Changing the Style Sheet for the OAAM Login Pages
File = bharosa_uio.css which is in $ORACLE_MW_HOME/user_projects/domains/domain-name/servers/oaam_server_server1/tmp/_WL_user/oaam_server_11.1.1.3.0/1iknvr/war/css
One more file = bharosa_uio_rtl.css (same location)
create mystylesheet.css in user_defined
Change bharosa_server.properties:
bharosa.uio.default.custom.css=/user_defined/mystylesheet.css
Recreate the oracle.oaam.extensions.war
Changing the Default Text and Adding a New Link on the OAAM Login Page
File = client_resource_en.properties
bharosa.uio.default.signon.page.button=Next
bharosa.uio.default.messages.enum.forgotusernamepopup.name= Forgot Username
bharosa.uio.default.messages.enum.forgotusernamepopup.description=If you have forgotten your username, please call customer service
bharosa.uio.default.signon.links.enum.forgottusername.description=Forgot username
The bharosa.uio.default.signon.page.button value is set to Continue in the asa_msg_resource.properties file, but I override it in client_resource_en.properties
Edit bharosa_server.properties
bharosa.uio.default.messages.enum.forgotusernamepopup=99
bharosa.uio.default.messages.enum.forgotusernamepopup.name= Forgot Username
bharosa.uio.default.messages.enum.forgotusernamepopup.description=If you have forgotten your username, please call customer service
bharosa.uio.default.signon.links.enum.forgottusername.url=javascript:infoWindow('forgotusernamepopup');
bharosa.uio.default.signon.links.enum.forgottusername.enabled=true
After adding the preceding content to the bharosa_server.properties file, modify the existing enum, that is, the forgottusername.url and forgottusername.enabled elements of the signon.links enum
These two elements are defined in the oaam_uio.properties file with the defaults
bharosa.uio.default.signon.links.enum.forgottusername.url=#
bharosa.uio.default.signon.links.enum.forgottusername.enabled=false
Recreate oracle.oaam.extensions.war file
Deploy the war
Modifying a Virtual Authentication Device (VAD)
Access http://host:14300/oaam_server
Log in with the test user and password test
If you are challenged with a KBA question, answer it, then click "User Preferences" on the Welcome to BigBank app page
Click "Upgrade to higher security device"
Notice the English VAD
Continue and Logout
Copy client_resource_de.properties (German) to WEB-INF/classes
In WEB-INF/classes create two directories, alphapad_bg and alphapad_skins_de
Copy the images and skins
Edit bharosa_server.properties
bharosa.authentipad.keypad.german.keyset.enum=German KeyPad Keyset Enum
Recreate the war, deploy, test, and change the browser locale to German
--------Task 3 - Policies - Static, Patterns, and Predictive------------
Reviewing the OAAM Pre-Authentication Policy for a Blacklisted User
OAAM Admin -> Groups -> Name -> OAAM Restricted Users -> + -> Add Test User
Now try to access BigBank with the test user; you will be stopped after the username screen with the message
"You are not authorized to login. Please contact customer service"
OAAM Admin -> Policies -> OAAM Pre-Authentication policy
OAAM Pre-Authentication
Summary Tab , Rules Tab , Trigger Combinations , Group Linking
Checkpoint : Pre-Authentication (dropdown)
Scoring Engines : Maximum
Weight : 100
Description : This policy stops fraud login attempts before the password is entered
Go to Rules Tab in the same Policy (OAAM Pre-Authentication)
Rules (6)
Blacklisted users
Blacklisted countries
Blacklisted ISPs
Blacklisted Devices
WEBZIP used
Blacklisted IPs
Rule Name : Blacklisted users
Policy Name : OAAM Pre-Authentication
Rule Status : Active
Rule Notes : This rule will trigger if a user has previously been black listed.
Conditions (tab) in Blacklisted users (rule)
Name : USER: In Group
If the user is in the given group
Is in group : True
User Group : OAAM Restricted users
If you now go to the "OAAM Restricted Users" group in OAAM Admin, you will see the list of users added
The group's Usage tab shows everywhere the group is used: the policies, and the rules within those policies
Go back to "Blacklisted users" Rule
Go to Results Tab
Score : 1000
Weight : 100
Action Group : OAAM Block
Alert Group : OAAM Restricted User
Search for groups named : OAAM Block and OAAM Restricted User
OAAM Block Group
Actions :
Name : Block
Value : 2
Description : Block user from accessing the system
OAAM Restricted User
Alerts :
Alert Type : CSR
Alert Level : High
Alert Message : Login Attempt from a blacklisted User
Alert Type : Fraud
Alert Level : High
Alert Message : Blacklisted User login
Check the Usage tab as well -> the policies and rules that use these groups
Reviewing the OAAM AuthenticationPad Policy
Policies -> OAAM AuthenticationPad Policy (checkpoint = AuthenticationPad)
Scoring Engine : Average
Weight : 100
Description : Policy to determine the OAAM AuthenticationPad to use.
Rules:-
Register Challenge Questions
Check if mobile browser is being used by user
Challenge SMS
Registered Image and Caption
Key Pad User
Challenge Email
Challenge Question
Trigger Combinations
These provide a way to create dependencies between the various independent rules defined on the Rules tab.
Review : Registered Image and Caption (Rule)
Conditions
USER: Authentication Image Assigned
Is assigned : True
Results :
Action Group : OAAM Personalized Pad
Search for Group : OAAM Personalized Pad
Reviewing the OAAM Registration Policy
Policies -> OAAM Registration Policy -> Checkpoint = Registration
Checkpoint : Registration
Scoring Engine : Weighted Average
Weight : 100
Rules:-
Register Questions
Register Image and Caption
Check Registration
Skipped registration more than 3 times
Register User Information
Rule Name : Check Registration
Policy Name : OAAM Registration Policy
Rule Status : Active
Rule Notes : Checks to see if user has completed registration & Personalization.
Conditions (in Rule above)
USER: Account Status
User Account Status : Active
Is : False
Go to Conditions Node
Search for Account Status
Go to Results tab in the Rule : Check Registration
Results
Score : 0
Weight : 100
Action Group : OAAM Register
Alert Group : None
Check out the "OAAM Register" group; its Actions tab shows the actions taken
Usage tab
Policy Name , Rules , Action Group
If user is not registered , they are shown the standard text pad
If the user is already registered, then they are shown a personalized pad (containing their own phrase and image)
After successful authentication , Registration checkpoint evaluates the OAAM Registration Policy (all 5 rules are triggered)
Get new image , Get new phrase
User can also upgrade to a higher security device (virtual keypad)
After personalized textpad or virtual keypad, they register the KBA Questions
These KBA questions get triggered when the risk score crosses the threshold, that is, to ascertain the true identity of the user in high-risk situations
After registration , user gets to see the BigBank page
You can at any time change the password, change the personalized image and phrase, upgrade or downgrade to a virtual keypad or textpad, or change the KBA questions and answers by clicking the "User Preferences" link
Blocking Requests from the WEBZIP Browser
Policy Name : OAAM Pre-Authentication
Rules : WEBZIP used
Rule Name : WEBZIP used
Policy Name : OAAM Pre-Authentication
Rule Status : Active
Rule Notes : if WEBZIP used
Conditions tab
DEVICE: Browser header substring
Description : Checks whether the supplied string is in browser header
Substring to check for : WebZip
Results tab
Score : 1000
Weight : 100
Action Group : OAAM Block
Alert Group : OAAM Restricted software
Double-click the Groups node -> OAAM Block and OAAM Restricted software
Group Name : OAAM Block
Group Type : Actions
Cache Type : Full Cache
Description : Block
Actions tab
Block : Value = 2 : Description = Block user from accessing the system
Usage tab
Policies, Rules , Groups
Group Name : OAAM Restricted software
Group Type : Alerts
Cache Type : Full Cache
Description : Restricted software
Alerts tab
Alert Type = Fraud ; Alert Level = High ; Alert Message = Login attempt using restricted software
Usage tab
Policies:OAAM Pre-Authentication
Rules:WEBZIP used
Group: OAAM Restricted software
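To show how the pieces reviewed in this task fit together (two Pre-Authentication rules, their action and alert groups, and the Maximum scoring engine), here is an added model written for these notes; it is not OAAM code. The rule names, scores, group names and alert texts are the ones on the page; the group membership, the request samples, case-insensitive header matching and the "Maximum = highest triggered score" reading of the scoring engine are assumptions.

```python
"""Simplified model of the OAAM Pre-Authentication checkpoint reviewed above.

Added example, not OAAM code. Rules, scores, weights, groups and alert texts
are the ones listed on the page; the evaluation itself is a reduced model:
the Maximum scoring engine is taken to return the highest score among the
triggered rules, and the other engines are not modelled.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Group definitions as seen under the Groups node (membership is a constructed sample).
USER_GROUPS = {"OAAM Restricted Users": {"test"}}
ACTION_GROUPS = {"OAAM Block": [("Block", 2, "Block user from accessing the system")]}
ALERT_GROUPS = {
    "OAAM Restricted User": [("CSR", "High", "Login Attempt from a blacklisted User"),
                             ("Fraud", "High", "Blacklisted User login")],
    "OAAM Restricted software": [("Fraud", "High", "Login attempt using restricted software")],
}


@dataclass
class Request:
    """What is known at Pre-Authentication: username and browser headers, no password yet."""
    username: str
    headers: dict


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    score: int = 1000
    weight: int = 100            # not used by the Maximum engine
    action_group: Optional[str] = None
    alert_group: Optional[str] = None


def user_in_group(group: str) -> Callable[[Request], bool]:
    """Condition 'USER: In Group' with Is in group = True."""
    return lambda req: req.username in USER_GROUPS.get(group, set())


def browser_header_substring(needle: str) -> Callable[[Request], bool]:
    """Condition 'DEVICE: Browser header substring' (assumption: case-insensitive match)."""
    return lambda req: needle.lower() in req.headers.get("User-Agent", "").lower()


# The two rules of the OAAM Pre-Authentication policy walked through in the notes.
PRE_AUTH_RULES = [
    Rule("Blacklisted users", user_in_group("OAAM Restricted Users"),
         action_group="OAAM Block", alert_group="OAAM Restricted User"),
    Rule("WEBZIP used", browser_header_substring("WebZip"),
         action_group="OAAM Block", alert_group="OAAM Restricted software"),
]


@dataclass
class Outcome:
    score: int = 0
    triggered: list = field(default_factory=list)
    actions: list = field(default_factory=list)   # action names, e.g. "Block"
    alerts: list = field(default_factory=list)    # alert messages raised


def evaluate_pre_auth(req: Request, rules=PRE_AUTH_RULES) -> Outcome:
    """Run every rule, combine scores with the Maximum engine, collect result groups."""
    out = Outcome()
    for rule in rules:
        if not rule.condition(req):
            continue
        out.triggered.append(rule.name)
        out.score = max(out.score, rule.score)
        for name, _value, _desc in ACTION_GROUPS.get(rule.action_group, []):
            if name not in out.actions:          # the same action from two rules is applied once
                out.actions.append(name)
        for _type, _level, message in ALERT_GROUPS.get(rule.alert_group, []):
            out.alerts.append(message)
    return out


def is_blocked(out: Outcome) -> bool:
    return "Block" in out.actions


if __name__ == "__main__":
    # Constructed requests: a blacklisted user, a WebZIP client, and a normal login.
    for req in (Request("test", {"User-Agent": "Mozilla/5.0"}),
                Request("scott", {"User-Agent": "WebZIP/7.0"}),
                Request("scott", {"User-Agent": "Mozilla/5.0"})):
        out = evaluate_pre_auth(req)
        print(req.username, "blocked" if is_blocked(out) else "allowed", out.score, out.alerts)
```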
Patterns - Request from Odd Hours of the Day
OAAM Admin -> Patterns Node -> Right Click -> New Patterns
Pattern Name : TimeLog10AM-5PM
Transaction Type : Authentication (dropdown)
Creation Method : Single-Bucket(dropdown)
Member Types : User(dropdown)
Evaluation Priority : High(dropdown)
Description : Capture User login
A Pattern with same member configuration already exists
Are you sure you want to create a new pattern ?
Add Attributes to the pattern
Attribute Name : TimeLog10AM-5PM
Label : Time
Definition : Time when the user is logged in
Status : Active
Description : Time Range between 10 AM to 5 PM
Compare Operator : Range
Start Value : 10
End Value : 17
Now Create a new Alert Group
OAAM Admin -> Groups -> Right Click -> "New Group"
Group Name : NightShiftLogin10AM-5PM
Group Type : Alerts
Cache Policy : Full Cache
Description : Alert Login
Alerts -> + add
Create new Alerts (check), Search from existing Alerts (uncheck)
Alert Type : Investigation
Alert Level : Medium
Alert Message : Night Shift Login
Create a New Policy
Policy Name : TImeBetween10AM_1700
Policy Status : Active
Checkpoint : Post-Authentication
Scoring Engine : Maximum
Weight : 100
Description : yah yah
Go to Rules tab
Add Rule (+)
Rule Name : User: Entity Pattern Count
Policy Name : TImeBetween10AM_1700
Rule Status : Active
Rule Notes : Count the number of times
Add Conditions (+)
ENTITY: Entity is member of pattern N times
Pattern hit count more than : 3
Pattern Name for membership : TimeLog10AM-5PM
Is Membership Count More than patternHitCountForUser : True
Time period type for pattern membership : 24
Member type for pattern membership : User
Click Save
Go to Results of Rule
Score : 1000
Weight : 100
Action Group : None
Alert Group : NightShiftLogin10AM-5PM
Click Apply and OK
Create a User ID group for nightshiftusers. Right-click the Groups node and add the test user to this group
Group Name : nightshiftusers
Group Type : User ID
Cache Policy : Full Cache
Description : ejrfjer
Add the User in User ID tab
Go back to Policy : TimeLog10AM-5PM and link this policy to the group just created
Group Linking
Link Group to Policy Icon
Group Name : nightshiftusers
Group Description
Linking Notes : This policy is linked to all night shift users group
Check that these three properties are set
1> vcrypt.tracker.autolearning.use.tran.status.for.analysis = true
2> vcrypt.tracker.autolearning.use.auth.status.for.analysis = true
3> vcrypt.tracker.autolearning.enabled = true
Test the scenario by logging in more than 3 times
Check the Alerts in OAAM Admin
They are marked in orange as Medium alerts
Patterns - Requests from Different IP Addresses
Autolearning is a profiling process: the administrator defines behaviour patterns
These patterns are in turn used by OAAM to dynamically create and populate buckets based on the pattern parameters
OAAM(Adaptive Risk Manager) automatically records and maintains the bucket memberships of users, devices, and locations (entities in general) over time so that the profiles that are created can be used to evaluate risk.
Import the snapshot "pattern_snapshot.zip"
Login with test user 7-8 times
Change the IP address using Modify Headers extension
"X-forwarded-for"
Log in to oaam_server as the same user (comes from a new IP)
The first few logins from the new IP generate alerts; after some time, once this IP accounts for at least 20% of the user's logins (so it is no longer used less than 20% of the time), the alerts stop.
Back up before importing the new snapshot
OAAM Admin -> System Snapshots -> Double-click -> Click Backup
Backup Type : Database and File
Name : backup_name
Notes :
File Name (.ZIP) :
Go to Policies -> IP-based Pattern Demo Policy
Policy Name : IP-based Pattern Demo policy
Policy Status : Active
Checkpoint : Pre-Authentication
Scoring Engine : Average
Weight : 100
Description : This policy generate the alert if user's percentage of IP usage is below 20
Rules (only 1)
Rule Name : User: IP Usage rule
Policy Name : IP-based Pattern Demo Policy
Rule Status : Active
Rule Notes : Raise an alert if IP is used less than 20% of time
Conditions tab (only 1)
ENTITY: Entity is member of pattern less than some percent times
Pattern Hit Percent less than : 20
Pattern name for membership : User-IP Tracking Pattern
Is Membership Count Less than patternHitPercent : True
Time period type for pattern membership : 3
Member type for pattern membership : User
Results tab
Score : 1000
Weight : 100
Action Group : None
Alert Group : IP Used less than percentage times for the User
Group Name : IP Used less than percentage times for the User
Group Type : Alerts
Cache Type : None
Description : Test Alert group for pattern
Alerts tab
Alert Type : Investigation
Alert Level : Medium
Alert Message : Ip used less than percentage times for the User
Usage : Policies , Rules , Groups
Change vcrypt.tracker.ip.detectProxiedIP from false to true so that the X-Forwarded-For header is used, then test. With this setting OAAM trusts the client-supplied header, so in production it should only be enabled when a trusted proxy in front of OAAM sets that header.
OAAM Admin -> Patterns -> User-IP Tracking Pattern
Pattern Name : User-IP Tracking Pattern
Pattern Status : Active
Member Types : User
Evaluation Priority : High
Description : This pattern tracks user's IP.
Transaction Type : Authentication
Creation Method : Multi-Bucket
Attribute tab
Label : Remote IP
Definition: Remote Ip
Status : Active
Description : IP of the user. X-forwarded-for
Compare Operator : for Each
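The two pattern rules built in this task (the TimeLog10AM-5PM hit-count rule above and the User-IP Tracking percent rule just reviewed) can be modelled in a few lines; the following is an added example written for these notes, not OAAM code. The 24-hour window, the inclusive range end, evaluation before the current login is recorded, and the sample logins (including the documentation address 203.0.113.5) are constructed assumptions.

```python
"""Model of the two autolearning pattern rules configured above.

Added example, not OAAM code. It mimics the bucket semantics the notes
describe: a single-bucket pattern with a Range compare operator has one
bucket that a login joins when the attribute falls in the range; a
multi-bucket pattern with a "for Each" operator gets one bucket per distinct
attribute value (here the remote IP). Window handling and inclusive range
ends are assumptions, not documented OAAM behaviour.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime      # server-local time; depends on the OAAM timezone setting
    remote_ip: str      # the IP OAAM attributes to the client (may come from X-Forwarded-For)


# --- Pattern TimeLog10AM-5PM: single bucket, Range 10..17 on the login hour ---

def in_hour_range(login: Login, start: int = 10, end: int = 17) -> bool:
    """Bucket membership for the Range operator (assumption: end hour inclusive)."""
    return start <= login.when.hour <= end


def pattern_hit_count(logins, user: str, now: datetime,
                      window: timedelta = timedelta(hours=24)) -> int:
    """Times this user joined the bucket within the window (Time period type 24 read as 24 h)."""
    return sum(1 for entry in logins
               if entry.user == user
               and timedelta(0) <= now - entry.when <= window
               and in_hour_range(entry))


def odd_hours_rule_fires(logins, user: str, now: datetime, more_than: int = 3) -> bool:
    """Condition 'ENTITY: Entity is member of pattern N times', hit count more than 3."""
    return pattern_hit_count(logins, user, now) > more_than


# --- Pattern User-IP Tracking Pattern: multi-bucket, one bucket per remote IP ---

def ip_bucket_percent(logins, user: str, ip: str) -> float:
    """Share (0-100) of the user's recorded logins that fell into the bucket for `ip`."""
    counts = Counter(entry.remote_ip for entry in logins if entry.user == user)
    total = sum(counts.values())
    return 100.0 * counts[ip] / total if total else 0.0


def ip_usage_rule_fires(logins, user: str, ip: str, less_than: float = 20.0) -> bool:
    """Condition 'Entity is member of pattern less than some percent times', < 20%."""
    return ip_bucket_percent(logins, user, ip) < less_than


def simulate_new_ip(history, user: str, new_ip: str, attempts: int):
    """Evaluate the IP rule at Pre-Authentication for `attempts` successive logins
    from new_ip, recording each login afterwards (assumption: membership is
    updated after the checkpoint runs). Returns one True/False per login."""
    logins = list(history)
    fired = []
    for _ in range(attempts):
        fired.append(ip_usage_rule_fires(logins, user, new_ip))
        logins.append(Login(user, datetime(2024, 1, 16, 9, 0), new_ip))
    return fired


# --- Constructed sample data (not from the lab environment) ---
NOW = datetime(2024, 1, 15, 17, 30)
DAYTIME_LOGINS = [
    Login("test", datetime(2024, 1, 14, 12, 0), "10.0.0.1"),   # yesterday: outside 24 h window
    Login("test", datetime(2024, 1, 15, 9, 30), "10.0.0.1"),   # before 10 AM: not in bucket
    Login("test", datetime(2024, 1, 15, 10, 15), "10.0.0.1"),
    Login("test", datetime(2024, 1, 15, 11, 0), "10.0.0.1"),
    Login("test", datetime(2024, 1, 15, 13, 30), "10.0.0.1"),
    Login("test", datetime(2024, 1, 15, 16, 45), "10.0.0.1"),
    Login("scott", datetime(2024, 1, 15, 14, 0), "10.0.0.2"),  # other user: not counted
]
# Eight earlier logins of the test user, all from one IP.
IP_HISTORY = [Login("test", datetime(2024, 1, 15, 10 + i, 0), "10.0.0.1") for i in range(8)]

if __name__ == "__main__":
    print("odd-hours rule fires:", odd_hours_rule_fires(DAYTIME_LOGINS, "test", NOW))
    print("alert per login from new IP:", simulate_new_ip(IP_HISTORY, "test", "203.0.113.5", 3))
```

The third value in the simulated list is False: at that point the new IP holds 2 of 10 logins, exactly 20%, so the "less than 20%" condition no longer holds, which is the behaviour described for the test above.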
--------Native Integration-----------------------
Integrating sample applications with OAAM using in-proc and SOAP mode
Deploy the sample applications to a new Managed Server within the same OAAM domain. In real life, however, you would deploy the sample application to a new Managed Server in a different WLS domain.
If the WLS domain is the same version as the IAM domain that is compatible with OAAM 11gR1PS1, you can use in-proc mode; however, if it is a non-IAM domain, a non-WLS application server, or the application is not Java-based (e.g. a .NET app), you must use SOAP mode.
Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using In-Proc Mode
You deploy a sample customer application, oaam_sample.zip, onto a user-defined Managed Server
You also deploy oaam_native_lib.war as a shared library and target it to the new Managed Server
You create the new Managed Server in the same IAMDomain where the OAAM server resides; therefore the oaam map and key values do not need to be updated or created
Also make sure the OAAM_SERVER_DS data source is targeted to the new Managed Server, and verify that the weblogic.xml file of the custom application references oaam_native_lib.war
Create a new Managed Server, customerServer (port 7002)
Install oaam_native_lib.war
Deploy oaam_sample
OAAM_SERVER_DS, add new server as 1 of the targets
Activate Changes
Start customerServer
Access the application -> http://host:7002/oaam_sample
username scott password test
Get a new Image and phrase
KBA Q&A
Enter your mobile number
Login Successful with links on the left for Internet Banking and Retail Ecommerce
Now Stop the OAAM Managed Server and login to BigBank application
If you are successfully challenged and can register for KBA questions and OTP without the OAAM server running, it proves the assertion made in the lesson that you do not need the OAAM server running for in-proc native integration, because calls are made directly to the DB
Stop OAAM server
Access http://host:7002/oaam_sample
Try logging in to the BigBank application using scott and the password test. You have to register again because of a bug in oaam_sample
Disable the rule "Register User Information" in the "OAAM Registration" policy
Start OAAM Server
Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using SOAP Mode (with No Authentication)
Modify the bharosa_server.properties file to run the native integration with oaam_sample in SOAP mode
edit $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties
vcrypt.tracker.soap.url=http://host:14300/oaam_server/services
vcrypt.soap.auth=false
vcrypt.common.util.vcryptsoap.impl.classname=com.bharosa.vcrypt.common.impl.VCryptSOAPGenericImpl
vcrypt.soap.disable=false
vcrypt.tracker.soap.useSOAPServer=true
vcrypt.tracker.impl.classname=com.bharosa.common.util.BharosaConfigPropsImpl
vcrypt.soap.call.timeout=10000
bharosa.config.load.impl.classname=com.bharosa.common.util.BharosaConfigLoadPropsImpl
bharosa.authentipad.image.url=kbimage.jsp?action=kbimage&
bharosa.image.dirlist=/u01/app/oracle/product/middleware/iam_home/oaam/oaam_images/
Now go to the EM Console and change the policies attached to the OAAM web services
Right-click oaam_server_server1 -> Select Web Services
Select all OAAM Web Services
Click Attach Policies
Select policies
oracle/no_authentication_service_policy
oracle/no_authorization_service_policy
Click Attach button
Restart OAAM Managed Server
Data Sources -> OAAM_SERVER_DS -> Remove customerServer from the targets
In SOAP mode there is no direct call to the database. Requests go through the OAAM Server, which in turn talks to the DB; therefore you do not need to target the data source to the Managed Server that is running the customer application (customerServer)
Natively Integrating the Sample Application That Is Running in the OAAM Server Domain Using SOAP Mode (with Authentication)
WebLogic Console -> Security -> Realms -> myrealm -> create a new user
Name : soap_user
Provider : DefaultAuthenticator
Password : password
Make the User member of OAAMSOAPServicesGroup
Create a file named soap_key.file in $ORACLE_MW_HOME/work/oaam_cli/cli
Content of file
password
Edit soap_3des_input.properties as below
keystorepasswd=password
keystorealiaspasswd=password
keyFile=soap_key.file
keystorefilename=system_soap.keystore
keystorealias=vcrypt.soap.call.passwd
source setCliEnv.sh
Run below command
$JAVA_HOME/bin/java -Djava.security.policy=conf/jmx.policy -classpath $CLSPTH com.bharosa.vcrypt.common.util.KeyStoreUtil updateOrCreateKeyStore readFromFile=$ORACLE_MW_HOME/work/oaam_cli/cli/soap_3des_input.properties
This prints the generated KeyStore password and alias password; copy them
Move system_soap.keystore to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes
Shut down the customerServer where oaam_sample is running
Modify bharosa_server.properties
Change vcrypt.soap.auth=true
Uncomment and set values below
vcrypt.soap.auth.keystorePassword=passwordcopied
vcrypt.soap.auth.aliasPassword=aliasPwdCopied
vcrypt.soap.auth.username=soap_user
vcrypt.soap.auth.keystoreFile=system_soap.keystore
Because the sample application is in the same domain as the OAAM Server, verify that
bharosa.cipher.encryption.algorithm.enum is commented out
Update oaam_sample app with bharosa_server.properties
Deploy and start the customer Server
Go to EM Console -> Locate oaam_server_server1 -> Right-click -> Select Web Services -> Attach Policies -> Select all OAAM Webservices ->
Select oracle/wss_http_token_service_policy
Click Attach
Restart OAAM Managed Server
Remove customerServer from the targets of OAAM_SERVER_DS
Natively Integrating the Sample Application That is Running in the Non-OAAM Server Domain Using SOAP Mode
Deploy the sample application to a new Managed Server in a pure WLS domain (no IAM component)
Copy $ORACLE_HOME/oaam/oaam_libs/war/oaam_native_lib.war to the tmp folder $ORACLE_HOME/oaam/oaam_libs/war/tmp/oaam_native_lib.war and unzip it there
Navigate to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes and rename bharosa_server.properties to bharosa_server.properties.backup
(It is restored in the steps below, after the library properties have been copied in.)
cd $ORACLE_HOME/oaam/oaam_libs/war/tmp/WEB-INF/classes
cp -r bharosa_properties $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes
cp *.properties $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes
rm $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties
mv $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties.backup $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties
Copy oaam_soap_client.jar file from $ORACLE_HOME/oaam/oaam_libs/jar to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/lib
Remove the following element from $ORACLE_HOME/oaam/oaam_sample/WEB-INF/weblogic.xml
<library-ref>
<library-name>oracle.oaam.libs</library-name>
</library-ref>
Go to $ORACLE_MW_HOME/work/oaam_cli/cli
Create config_secret_key.file containing the password
cp sample.config_3des_input.properties config_3des_input.properties
vi config_3des_input.properties
change keystorepasswd and keystorealiaspasswd values, specify config_secret_key.file for keyFile
source setCliEnv.sh
Run below command
$JAVA_HOME/bin/java -Djava.security.policy=conf/jmx.policy -classpath $CLSPTH com.bharosa.vcrypt.common.util.KeyStoreUtil updateOrCreateKeyStore readFromFile=$ORACLE_MW_HOME/work/oaam_cli/cli/config_3des_input.properties
Copy system_config.keystore to $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes
Edit $ORACLE_HOME/oaam/oaam_sample/WEB-INF/classes/bharosa_server.properties
bharosa.cipher.encryption.algorithm.enum.DESede_config.keyRetrieval.classname=com.bharosa.common.util.cipher.KeystoreKeyRetrieval
bharosa.cipher.encryption.algorithm.enum.DESede_config.keystoreFile=system_config.keystore
bharosa.cipher.encryption.algorithm.enum.DESede_config.keystorePassword=jrhrhtfuher=
bharosa.cipher.encryption.algorithm.enum.DESede_config.aliasPassword=beruhfeh==
Create a new WLS Domain
Create a new Managed Server
Deploy the Sample Application
Start customerServer on the nonIAMDomain
Ensure oaam_sample goes to Active state
Test with scott / test on the new app at :8002/oaam_sample
nice explanation. thanks