Saturday, May 3, 2014

OAM - OAAM 11g R2 PS2 (11.1.2.2.0) Advanced integration

This post covers the integration between OAM and OAAM 11g R2 PS2 (11.1.2.2.0).


Create an OAAM admin user for administration.

Log in to the OAAM Admin application at http://host:14200/oaam_admin (14200 is the default port).


Load oaam_base_snapshot.zip

Restore the snapshot.

Import oaam_policies.zip by going to Policies -> Import Policies.
Path of the policies file: C:\Oracle\Middleware\Oracle_IDM1\oaam\init\oaam_policies.zip

OAM Configuration

Create a Default User Identity Store

Create a directory where you will store the Keystore file.

Run the Register Third Party TAP Partner WLST utility (registerThirdPartyTAPPartner).

registerThirdPartyTAPPartner(partnerName="OAAMTAPPartner", keystoreLocation="C:\\Oracle\\Middleware\\keystore\\TAP_OAAM_OAM\\TAPkeystore.jks", password="password", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://deepak-pc.mydomain.com:14300/oaam_server/oamLoginPage.jsp")

Update TAPScheme in the OAM Console.

Update the IAMSuiteAgent profile and set the Access Client Password.

Update the IAMSuiteAgent provider in the WebLogic Security Realm with the same password.

The step below is optional.

Create a key for OAAM in the /em (Enterprise Manager) console.

Copy OAAM_HOME/oaam/cli to a temporary location (C:\TEMP\cli in this example).

Update C:\TEMP\cli\conf\bharosa_properties\oaam_cli.properties with the relevant values.

Sample oaam_cli.properties

#Overriding properties for oaam_cli

#Following properties are relevant when CSF is accessed using MBeans (usually in command-line/J2SE programs).
#Note: This is the preferred way of running OAAM command-line to avoid CSF related file dependencies (which are usually on the Weblogic Admin Server).
#If neither the oaam.adminserver.type property nor the APP_SERVER_TYPE environment variable are set, OAAM command line will prompt the user for application server type.  To run OAAM command line for WebLogic deployment, set oaam.adminserver.type to wls, set the APP_SERVER_TYPE to weblogic, or select WebLogic when prompted.  To run OAAM command line for WebSphere deployment, set oaam.adminserver.type to was, set the APP_SERVER_TYPE to websphere, or select WebSphere when prompted.
#In a Windows environment, if the APP_SERVER_TYPE environment variable is not set, then the OAAM command line will prompt the user for application server type even if oaam.adminserver.type is set in this file.
#Make sure for weblogic deployment weblogic jmx jars (wljmxclient.jar, wlclient.jar) and JPS jars (jps-api.jar, jps-common.jar, jps-internal.jar) are in classpath
oaam.csf.useMBeans=true
oaam.adminserver.type=wls
#oaam.adminserver.type=was
oaam.adminserver.protocol=t3
oaam.adminserver.hostname=localhost
oaam.adminserver.port=7001

#Set this property if the OAAM command-line is running in a WebSphere deployment
oaam.was.client.sasPropFile=

#Set this property to the fully qualified path of jps-config-jse.xml when accessing CSF the non-MBeans way.
#Usually it resides in the config/fmwconfig folder of the domain folder.
#Specify this path only if 'oaam.csf.useMBeans=false' and the OAAM command-line runs on the WebLogic Admin Server host where OAAM is deployed.
oaam.jps.config.filepath=

#Set this property to true if the OAAM DB user name and password from CSF have to be used instead of persistence.xml. Make sure to set the 'oaam.db.*' properties.
oaam.db.toplink.useCredentialsFromCSF=true

#Following properties are used (instead of persistence.xml) to initialize Toplink when 'oaam.db.toplink.useCredentialsFromCSF=true'
#Specify valid JDBC URL of OAAM database. For oracle databases the format is: jdbc:oracle:thin:@<hostname>:<port>:<sid>
oaam.db.url=jdbc:oracle:thin:@localhost:1521:orcl
#In case of non-oracle databases, change this to the relevant driver class name
oaam.db.driver=oracle.jdbc.driver.OracleDriver
oaam.db.min.read-connections=1
oaam.db.max.read-connections=25
oaam.db.min.write-connections=1
oaam.db.max.write-connections=25
#Specify the filepath of any additional properties that need to be used while initializing Toplink
oaam.db.additional.properties.file=



#Following properties are relevant only for OAAM - OAM Integration.
#Location of the keystore file generated using the registerThirdPartyTAPPartner WLST command on the OAM Admin Server. For example /rootdir/keystoreloc/oamoaamtap.jks
oaam.uio.oam.tap.keystoreFile=C:\\Oracle\\Middleware\\keystore\\TAP_OAAM_OAM\\TAPkeystore.jks
oaam.uio.oam.tap.keystoreType=JCEKS
oaam.uio.oam.tap.partnername=OAAMTAPPartner
oaam.uio.oam.tap.username.maxlength=40

#Access Server host machine name. For example, host.oracle.com
oaam.uio.oam.host=deepak-pc.mydomain.com
#Access Server Authentication Port (NAP Port); Default port :  5575
oaam.uio.oam.port=5575
#Webgate preferred host identifier. Default value is IAMSuiteAgent
oaam.uio.oam.webgate_id=IAMSuiteAgent
#Name of the secondary Access Server host machine. This property is used for high availability. You can specify the fail-over hostname using this property.
oaam.uio.oam.secondary.host=
#Port number of the secondary Access Server. This property is used for high availability. You can specify the fail-over port using this property.
oaam.uio.oam.secondary.host.port=
#Security Mode - 1 (OPEN), 2 (SIMPLE), 3 (CERT)
oaam.uio.oam.security.mode=1
#Location of the keystore file generated for the root certificate. Required for SIMPLE (2) / CERT (3) security mode. For a multi-host OAAM Server installation make sure the file exists at the mentioned location on all hosts
oam.uio.oam.rootcertificate.keystore.filepath=C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain\\output\\webgate-ssl\\oamclient-truststore.jks
#Location of the keystore file generated for the private key certificate. Required for SIMPLE (2) / CERT (3) security mode. For a multi-host OAAM Server installation make sure the file exists at the mentioned location on all hosts
oam.uio.oam.privatekeycertificate.keystore.filepath=C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain\\output\\webgate-ssl\\oamclient-truststore.jks

#This property enables configuring credentials in the Credential Store Framework instead of maintaining them using the properties editor. This step is performed so that credentials can be securely stored in CSF.
oaam.oam.csf.credentials.enabled=true
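
As an added example (not code from this post or from Oracle's OAAM tooling), the following Python pre-flight check reads the OAAM-OAM section of oaam_cli.properties before setupOAMTapIntegration is run: it resolves the .properties backslash escapes, confirms that the partner name and keystore path match what was passed to registerThirdPartyTAPPartner above, maps the numeric security mode to its name, and flags the OPEN mode (unencrypted OAAM to Access Server traffic) as well as a private key keystore entry that merely repeats the truststore path. The sample properties text, the check messages and the function names are constructed here; the property names are the ones in the file above.

```python
"""Pre-flight check for the OAAM-OAM TAP section of oaam_cli.properties.
Added example, not part of the post or of Oracle's command-line tooling.
Property names come from the post; SAMPLE_PROPERTIES is a constructed excerpt."""

# Constructed sample: the OAAM-OAM integration keys with the post's values.
SAMPLE_PROPERTIES = r"""
#Following properties are relevant only for OAAM - OAM Integration.
oaam.uio.oam.tap.keystoreFile=C:\\Oracle\\Middleware\\keystore\\TAP_OAAM_OAM\\TAPkeystore.jks
oaam.uio.oam.tap.keystoreType=JCEKS
oaam.uio.oam.tap.partnername=OAAMTAPPartner
oaam.uio.oam.host=deepak-pc.mydomain.com
oaam.uio.oam.port=5575
oaam.uio.oam.webgate_id=IAMSuiteAgent
oaam.uio.oam.security.mode=1
oam.uio.oam.rootcertificate.keystore.filepath=C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain\\output\\webgate-ssl\\oamclient-truststore.jks
oam.uio.oam.privatekeycertificate.keystore.filepath=C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain\\output\\webgate-ssl\\oamclient-truststore.jks
oaam.oam.csf.credentials.enabled=true
"""

# Values passed to registerThirdPartyTAPPartner in the post (WLST's "\\" is one separator).
WLST_PARTNER_NAME = "OAAMTAPPartner"
WLST_KEYSTORE_LOCATION = r"C:\Oracle\Middleware\keystore\TAP_OAAM_OAM\TAPkeystore.jks"

SECURITY_MODES = {"1": "OPEN", "2": "SIMPLE", "3": "CERT"}

REQUIRED_KEYS = (
    "oaam.uio.oam.tap.keystoreFile", "oaam.uio.oam.tap.keystoreType",
    "oaam.uio.oam.tap.partnername", "oaam.uio.oam.host", "oaam.uio.oam.port",
    "oaam.uio.oam.webgate_id", "oaam.uio.oam.security.mode",
)


def unescape(value):
    """Resolve the backslash escape a Java .properties reader applies, so the
    file's doubled backslashes become single path separators. Only the plain
    backslash escape is handled; that is all these values use."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal key=value reader: blank lines and '#'/'!' comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = unescape(value.strip())
    return props


def check_tap_integration(props, partner_name=None, keystore_location=None):
    """Return a list of (severity, message) findings for the TAP settings."""
    findings = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(("ERROR", f"{key} is not set"))

    mode = props.get("oaam.uio.oam.security.mode", "")
    mode_name = SECURITY_MODES.get(mode)
    if mode_name is None:
        findings.append(("ERROR", f"unknown security mode {mode!r}; expected 1, 2 or 3"))
    elif mode_name == "OPEN":
        port = props.get("oaam.uio.oam.port", "?")
        findings.append(("WARN", f"mode 1 (OPEN): OAAM to Access Server traffic on port {port} is unencrypted"))
    else:
        root = props.get("oam.uio.oam.rootcertificate.keystore.filepath", "")
        priv = props.get("oam.uio.oam.privatekeycertificate.keystore.filepath", "")
        if not root or not priv:
            findings.append(("ERROR", f"{mode_name} mode needs both the root and private key keystores"))
        elif root == priv:
            findings.append(("WARN", "root and private key keystores are the same file; a truststore does not hold OAAM's client private key"))

    if props.get("oaam.uio.oam.tap.keystoreType", "").upper() != "JCEKS":
        findings.append(("WARN", "TAP keystore type differs from the JCEKS type used in the post"))
    if partner_name and props.get("oaam.uio.oam.tap.partnername") != partner_name:
        findings.append(("ERROR", "partnername does not match the partnerName registered with OAM"))
    if keystore_location and props.get("oaam.uio.oam.tap.keystoreFile") != keystore_location:
        findings.append(("ERROR", "keystoreFile does not match the keystoreLocation registered with OAM"))
    if props.get("oaam.oam.csf.credentials.enabled", "").lower() != "true":
        findings.append(("WARN", "CSF credential storage is disabled; credentials stay in properties"))
    return findings


def run_checks(text, partner_name=WLST_PARTNER_NAME, keystore_location=WLST_KEYSTORE_LOCATION):
    """Parse a properties file body and run the TAP checks against it."""
    return check_tap_integration(parse_properties(text), partner_name, keystore_location)


if __name__ == "__main__":
    for severity, message in run_checks(SAMPLE_PROPERTIES):
        print(f"{severity:5} {message}")
```

Run against the file as configured in this post, the only finding is the warning that security mode 1 (OPEN) leaves the OAAM to Access Server channel unencrypted; switching to mode 2 or 3 with the sample paths above instead produces the warning that both certificate keystores point at the same truststore file.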

Run setupOAMTapIntegration (sample output for reference)

C:\TEMP\cli>setupOAMTapIntegration.cmd c:\TEMP\cli\conf\bharosa_properties\oaam_cli.properties
"Using COMMON_COMPONENTS_HOME as c:\Oracle\Middleware , set in COMMON_COMPONENTS_HOME in environment to override."
"Using JRF_VERSION_PROP as  , set in JRF_VERSION_PROP in environment to override."
"Enter Application Server Type, please select one of the following choices between [1-2]:"
"1: Weblogic Application Server"
"2: Websphere Application Server"
Enter Application Server Type: 1
Enter Weblogic Server Home Directory  for e,g c:\Oracle\Middleware\wlserver_10.3
C:\Oracle\Middleware\wlserver_10.3
c:\Java\jdk1.6.0_45\bin\java  "-Dcommon.components.home=" "-Djrf.version=" -Djava.security.policy=conf\jmx.policy -classpath .;.\conf;C:\TEMP\cli\lib\
commons-codec-1.2.jar;C:\TEMP\cli\lib\drools-base-2.0-beta-21.jar;C:\TEMP\cli\lib\drools-core-2.0-beta-21.jar;C:\TEMP\cli\lib\drools-io-2.0-beta-21.ja
r;C:\TEMP\cli\lib\drools-java-2.0-beta-21.jar;C:\TEMP\cli\lib\drools-jsr94-2.0-beta-21.jar;C:\TEMP\cli\lib\drools-smf-2.0-beta-21.jar;C:\TEMP\cli\lib\
janino-2.0.16.jar;C:\TEMP\cli\lib\jsr94.jar;C:\TEMP\cli\lib\oaam_core.jar;C:\TEMP\cli\lib\oaam_uio.jar;c:\Oracle\Middleware\oracle_common\modules\orac
le.jps_11.1.1\jps-manifest.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-api.jar;c:\Oracle\Middleware\oracle_common\modules\ora
cle.jps_11.1.1\jps-common.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-internal.jar;c:\Oracle\Middleware\oracle_common\modules
\oracle.iau_11.1.1\fmw_audit.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jdbc_11.1.1\ojdbc6dms.jar;c:\Oracle\Middleware\oracle_common\module
s\oracle.idm_11.1.1\identitystore.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.osdt_11.1.1\osdt_xmlsec.jar;c:\Oracle\Middleware\oracle_common
\modules\oracle.pki_11.1.1\oraclepki.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jacc-spi.jar;c:\Oracle\Middleware\oracle_common\
modules\oracle.dms_11.1.1\dms.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.odl_11.1.1\ojdl.jar;c:\Oracle\Middleware\oracle_common\oui\jlib\xm
lparserv2.jar;c:\Oracle\Middleware\modules\glassfish.jaxb.xjc_1.0.0.0_2-1-12.jar;c:\Oracle\Middleware\modules\glassfish.jaxb_1.0.0.0_2-1-12.jar;c:\Ora
cle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-az-rt.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-ee.jar;c:\Oracle
\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-se.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-platform.jar;c:\Oracle
\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-az-management.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.igf_11.1.1\identitydirecto
ry.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.ldap_11.1.1\ldapjclnt11.jar;C:\Oracle\Middleware\wlserver_10.3\server\lib\wlclient.jar;C:\Ora
cle\Middleware\wlserver_10.3\server\lib\wljmxclient.jar;c:\Oracle\Middleware\modules\com.bea.core.apache.commons.collections_3.2.0.jar;c:\Oracle\Middl
eware\modules\com.bea.core.antlr_2.7.7.jar;c:\Oracle\Middleware\modules\javax.servlet_1.0.0.0_2-5.jar;c:\Oracle\Middleware\oracle_common\modules\oracl
e.toplink_11.1.1\eclipselink.jar;c:\Oracle\Middleware\modules\com.oracle.toplink_1.1.0.0_11-1-1-6-0.jar;c:\Oracle\Middleware\modules\javax.persistence
_1.1.0.0_2-0.jar;c:\Oracle\Middleware\modules\glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar;c:\Oracle\Middleware\modules\glassfish.jaxb_1.1.0.0_2-1-14.jar  or
acle.oaam.integration.asa.IntegrationUtil setupOAMTapIntegration readfromfile=c:\TEMP\cli\conf\bharosa_properties\oaam_cli.properties
30/04/2014 2:52:56 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using passed in properties...
30/04/2014 2:52:56 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using MBeans on Weblogic...
30/04/2014 2:52:56 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredentialsFromConsole()
Enter OAAM AdminServer User Name: weblogic
30/04/2014 2:53:12 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredentialsFromConsole()

Enter OAAM AdminServer Password:
DB Credentials are found in CSF store, do you want to overwrite it?
Enter 'Yes' to give new DB credentials and overwrite in CSF store:
Yes
Enter OAAM DB User name and press Enter key :
DEV_OAAM
Enter OAAM DB User password and press Enter key :


30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.addPasswordCredentialToCSF()
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.addCredential() with passed in properties...
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.addCredential(): using MBeans on Weblogic...
Added Password Credential to CSF with MapName [oaam], KeyName [oaam_db_key]
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using passed in properties...
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using MBeans on Weblogic...

Enter OAM TAP Key store file password and press Enter key :

30/04/2014 2:54:12 PM com.bharosa.common.util.UserDefEnumFactory
INFO: Creating new instance of UserDefEnumFactory
30/04/2014 2:54:12 PM com.bharosa.common.util.UserDefEnumFactory

Responses given (in the order prompted):

1
C:\Oracle\Middleware\wlserver_10.3
weblogic
password1
Yes
DEV_OAAM
password
password

Log in to the OAM Console and change the Authentication Scheme to TAPScheme for the webgate11g_1 Application Domain.

Update the webgate11g_1 Application Domain so that the Protected Resource Policy under its Authentication Policies uses TAPScheme.

Try to access the protected resource on web server instance1.

The user is redirected to the OAAM Server for authentication.

Enter the password.

Set up Knowledge-Based Authentication (KBA).

Register the device image.

Set your security questions and answers.

Login successful.

The next time you log in, you will be asked for your password and one randomly chosen security question as the challenge.