Tuesday, April 22, 2014

Oracle Access Manager (OAM) 11G R2 PS1 : Adding MobileJWTOAMTokenProviders

After upgrading to or installing Oracle Access Manager (OAM) 11G R2 PS1, the MobileJWTOAMToken provider is available but is not enabled until it is configured manually.

Follow the steps below to configure the provider manually.



Shut down the OAM Server and the Admin Server.
Edit idaas.xml in “{MW_HOME}/user_projects/domains/{IAMDomain}/config/fmwconfig”.
Add the two implClass entries for MobileJWTOAMTokenServiceProvider and JWTOAMTokenServiceProvider to the AuthnServiceProviders implClassList so that it reads as follows:


<ConsoleMetaData>
    <implClassList name="AuthnServiceProviders" interface="oracle.security.idaas.rest.provider.token.TokenService">
        <implClass>oracle.security.idaas.rest.provider.token.JWTTokenServiceProvider</implClass>
        <implClass>oracle.security.idaas.rest.provider.token.OAMSDKTokenServiceProvider</implClass>
        <implClass>oracle.security.idaas.rest.provider.token.MobileOAMTokenServiceProvider</implClass>
        <implClass>oracle.security.idaas.rest.provider.token.MobileJWTTokenServiceProvider</implClass>
        <implClass>oracle.security.idaas.rest.provider.token.MobileJWTOAMTokenServiceProvider</implClass>
        <implClass>oracle.security.idaas.rest.provider.token.JWTOAMTokenServiceProvider</implClass>
    </implClassList>



Add the two ServiceProvider entries below. Change the server values (OAM_SERVER_1, OAM_SERVER_2) and the other environment-specific values to match your environment; oracle.ids.name must point to your User Profile Service Provider.

    <ServiceProvider name="MobileJWTOAMToken" description="Out Of The Box User Profile Service Provider">
        <serviceProviderImpl>oracle.security.idaas.rest.provider.token.MobileJWTOAMTokenServiceProvider</serviceProviderImpl>
        <serviceProviderType>Authentication</serviceProviderType>
        <param>
            <name>WEBGATE_ID</name>
            <value>accessgate-oic</value>
        </param>
        <param>
            <name>ENCRYPTED_PASSWORD</name>
            <value>idaas.ServiceProvider[MobileJWTOAMToken].param[ENCRYPTED_PASSWORD]</value>
        </param>
        <param>
            <name>OAM_SERVER_1</name>
            <value>hostname:5575</value>
        </param>
        <param>
            <name>OAM_SERVER_1_MAX_CONN</name>
            <value>4</value>
        </param>
        <param>
            <name>OAM_SERVER_2</name>
            <value>hostname:5575</value>
        </param>
        <param>
            <name>OAM_SERVER_2_MAX_CONN</name>
            <value>4</value>
        </param>
        <param>
            <name>jwt.Validity</name>
            <value>3600</value>
        </param>
        <param>
            <name>jwt.CryptoScheme</name>
            <value>RS512</value>
        </param>
        <param>
            <name>oracle.ids.name</name>
            <value>OIDUserProfile</value>
        </param>
        <param>
            <name>accessControl</name>
            <value>false</value>
        </param>
        <param>
            <name>adminGroup</name>
            <value>cn=Administrators,ou=groups,ou=myrealm,dc=base_domain</value>
        </param>
        <param>
            <name>selfEdit</name>
            <value>true</value>
        </param>
        <param>
            <name>TRANSPORT_SECURITY</name>
            <value>OPEN</value>
        </param>
        <param>
            <name>DEBUG_VALUE</name>
            <value>0</value>
        </param>
        <param>
            <name>OAM_VERSION</name>
            <value>OAM_11G</value>
        </param>
        <param>
            <name>UserAuthenticationInput</name>
            <value>UIDPASSWORD</value>
        </param>
        <param>
            <name>UserAuthenticationOutput</name>
            <value>USERTOKEN</value>
        </param>
        <param>
            <name>TokenExchangeInput</name>
            <value>JWT_UT+PIN</value>
        </param>
        <param>
            <name>TokenExchangeOutput</name>
            <value>USERTOKEN::OAMUT,USERTOKEN::OAMMT</value>
        </param>
    </ServiceProvider>
    <ServiceProvider name="JWTOAMToken" description="Out Of The Box Mobile Oracle Access Manager (OAM) Authentication Service Provider">
        <serviceProviderImpl>oracle.security.idaas.rest.provider.token.JWTOAMTokenServiceProvider</serviceProviderImpl>
        <serviceProviderType>Authentication</serviceProviderType>
        <param>
            <name>OAM_VERSION</name>
            <value>OAM_11G</value>
        </param>
        <param>
            <name>WEBGATE_ID</name>
            <value>accessgate-oic</value>
        </param>
        <param>
            <name>ENCRYPTED_PASSWORD</name>
            <value>idaas.ServiceProvider[JWTOAMToken].param[ENCRYPTED_PASSWORD]</value>
        </param>
        <param>
            <name>DEBUG_VALUE</name>
            <value>0</value>
        </param>
        <param>
            <name>TRANSPORT_SECURITY</name>
            <value>OPEN</value>
        </param>
        <param>
            <name>OAM_SERVER_1</name>
            <value>hostname:5575</value>
        </param>
        <param>
            <name>OAM_SERVER_1_MAX_CONN</name>
            <value>4</value>
        </param>
        <param>
            <name>OAM_SERVER_2</name>
            <value>hostname:5575</value>
        </param>
        <param>
            <name>OAM_SERVER_2_MAX_CONN</name>
            <value>4</value>
        </param>
        <param>
            <name>jwt.Validity</name>
            <value>315360000</value>
        </param>
        <param>
            <name>jwt.CryptoScheme</name>
            <value>RS512</value>
        </param>
        <param>
            <name>oracle.ids.name</name>
            <value>userrole</value>
        </param>
        <param>
            <name>UserAuthenticationInput</name>
            <value>UIDPASSWORD</value>
        </param>
        <param>
            <name>UserAuthenticationOutput</name>
            <value>USERTOKEN</value>
        </param>
        <param>
            <name>TokenExchangeInput</name>
            <value>JWT_UT+PIN</value>
        </param>
        <param>
            <name>TokenExchangeOutput</name>
            <value>USERTOKEN::OAMUT,USERTOKEN::OAMMT</value>
        </param>
    </ServiceProvider>

Add a service profile in the same file, after the other service profiles:

    <ServiceProfile serviceEndPoint="/mobilejwtoamauthentication" name="MobileJWTOAMAuthentication" description="MobileJWTOAMAuthentication" enabled="true">
        <serviceProviderName>MobileJWTOAMToken</serviceProviderName>
        <supportedToken>CLIENTREGHANDLE</supportedToken>
        <supportedToken>CLIENTTOKEN</supportedToken>
        <supportedToken>ACCESSTOKEN</supportedToken>
        <supportedToken>USERTOKEN</supportedToken>
    </ServiceProfile>
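Before restarting the servers it is worth checking that the three edits above fit together and that nothing security-relevant was pasted in unchanged. The script below is an added example, not Oracle's code or part of the original post: it parses the edited file with the element names shown on this page (implClassList/implClass, ServiceProvider/param/name/value, ServiceProfile/serviceProviderName) and reports the problems a reviewer would look for. The embedded sample idaas.xml is a constructed, cut-down file that deliberately contains mistakes; the 24-hour jwt.Validity threshold is a policy choice for this example, and the check that ENCRYPTED_PASSWORD keeps the idaas.ServiceProvider[...] reference form assumes, as the console step later on the page implies, that this form is an indirection to a stored credential rather than a literal password.

```python
"""Audit the idaas.xml edits for the MobileJWTOAMToken / JWTOAMToken providers.

Added example (not Oracle's code). Assumes only the element names that appear
on the page; every other value below is constructed sample data.
"""
import sys
import xml.etree.ElementTree as ET

# Both token-service classes that the post adds to AuthnServiceProviders.
REQUIRED_IMPL = (
    "oracle.security.idaas.rest.provider.token.MobileJWTOAMTokenServiceProvider",
    "oracle.security.idaas.rest.provider.token.JWTOAMTokenServiceProvider",
)
NEW_PROVIDERS = ("MobileJWTOAMToken", "JWTOAMToken")
MAX_JWT_VALIDITY = 24 * 3600  # policy threshold chosen for this example (seconds)

# Constructed sample: a cut-down idaas.xml with deliberate mistakes
# (one implClass missing, a literal password, a 10-year JWT, a dangling
# oracle.ids.name and a ServiceProfile with a typo in its provider name).
SAMPLE_IDAAS_XML = """<idaas>
  <ConsoleMetaData>
    <implClassList name="AuthnServiceProviders" interface="oracle.security.idaas.rest.provider.token.TokenService">
      <implClass>oracle.security.idaas.rest.provider.token.JWTTokenServiceProvider</implClass>
      <implClass>oracle.security.idaas.rest.provider.token.MobileJWTOAMTokenServiceProvider</implClass>
    </implClassList>
  </ConsoleMetaData>
  <ServiceProvider name="OIDUserProfile" description="constructed user profile provider"/>
  <ServiceProvider name="MobileJWTOAMToken" description="constructed">
    <serviceProviderImpl>oracle.security.idaas.rest.provider.token.MobileJWTOAMTokenServiceProvider</serviceProviderImpl>
    <serviceProviderType>Authentication</serviceProviderType>
    <param><name>ENCRYPTED_PASSWORD</name><value>idaas.ServiceProvider[MobileJWTOAMToken].param[ENCRYPTED_PASSWORD]</value></param>
    <param><name>TRANSPORT_SECURITY</name><value>OPEN</value></param>
    <param><name>jwt.Validity</name><value>3600</value></param>
    <param><name>oracle.ids.name</name><value>OIDUserProfile</value></param>
  </ServiceProvider>
  <ServiceProvider name="JWTOAMToken" description="constructed">
    <serviceProviderImpl>oracle.security.idaas.rest.provider.token.JWTOAMTokenServiceProvider</serviceProviderImpl>
    <serviceProviderType>Authentication</serviceProviderType>
    <param><name>ENCRYPTED_PASSWORD</name><value>hunter2</value></param>
    <param><name>TRANSPORT_SECURITY</name><value>SIMPLE</value></param>
    <param><name>jwt.Validity</name><value>315360000</value></param>
    <param><name>oracle.ids.name</name><value>userrole</value></param>
  </ServiceProvider>
  <ServiceProfile serviceEndPoint="/mobilejwtoamauthentication" name="MobileJWTOAMAuthentication" enabled="true">
    <serviceProviderName>MobileJWTOAMToken</serviceProviderName>
  </ServiceProfile>
  <ServiceProfile serviceEndPoint="/broken" name="Broken" enabled="true">
    <serviceProviderName>MobileJWTOAMTokn</serviceProviderName>
  </ServiceProfile>
</idaas>
"""


def params(provider):
    """Return the <param> children of a ServiceProvider as a {name: value} dict."""
    return {p.findtext("name"): p.findtext("value") for p in provider.findall("param")}


def audit(xml_text, max_validity=MAX_JWT_VALIDITY):
    """Return a list of human-readable findings; an empty list means the edits look consistent."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Both new classes must be registered in the AuthnServiceProviders implClassList.
    registered = {
        c.text.strip()
        for lst in root.iter("implClassList")
        if lst.get("name") == "AuthnServiceProviders"
        for c in lst.findall("implClass")
    }
    for cls in REQUIRED_IMPL:
        if cls not in registered:
            findings.append(f"implClassList: missing {cls.rsplit('.', 1)[1]}")

    providers = {sp.get("name"): sp for sp in root.findall("ServiceProvider")}
    for name in NEW_PROVIDERS:
        sp = providers.get(name)
        if sp is None:
            findings.append(f"ServiceProvider {name}: not defined")
            continue
        p = params(sp)
        # 2. The password must stay a credential-store reference (assumption: the
        #    idaas.ServiceProvider[...] form is resolved from a stored credential), never a literal.
        if not (p.get("ENCRYPTED_PASSWORD") or "").startswith("idaas.ServiceProvider["):
            findings.append(f"{name}: ENCRYPTED_PASSWORD is not a credential-store reference")
        # 3. OPEN transport means the connection to OAM_SERVER_x is not encrypted.
        if p.get("TRANSPORT_SECURITY") == "OPEN":
            findings.append(f"{name}: TRANSPORT_SECURITY=OPEN (cleartext connection to the OAM servers)")
        # 4. A long jwt.Validity keeps a leaked token usable for that whole period.
        validity = int(p.get("jwt.Validity") or "0")
        if validity > max_validity:
            findings.append(f"{name}: jwt.Validity={validity}s exceeds {max_validity}s")
        # 5. oracle.ids.name must name a ServiceProvider that exists in this file.
        ids = p.get("oracle.ids.name")
        if ids not in providers:
            findings.append(f"{name}: oracle.ids.name={ids!r} is not a defined ServiceProvider")

    # 6. Every enabled ServiceProfile must point at a defined provider.
    for prof in root.findall("ServiceProfile"):
        ref = prof.findtext("serviceProviderName")
        if prof.get("enabled") == "true" and ref not in providers:
            findings.append(f"ServiceProfile {prof.get('name')}: references unknown provider {ref!r}")
    return findings


if __name__ == "__main__":
    # Usage: python audit_idaas.py [/path/to/idaas.xml]; without a path the constructed sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IDAAS_XML
    for line in audit(text) or ["no findings"]:
        print(line)
```

Run it against the real file after editing and before starting the Admin Server; a missing implClass or a dangling serviceProviderName is exactly the kind of mistake that only shows up as a provider silently absent from the console. The TRANSPORT_SECURITY finding is informational for the OPEN value the post uses; whether SIMPLE or CERT mode is required is an environment decision.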



Start the Admin Server and check that the configuration has taken effect. Any value that is missing can be added manually in the web console.
In the OAM console, go to Mobile and Social → Mobile Services → Service Providers → MobileJWTOAMToken.



Add the attribute “ENCRYPTED_PASSWORD” with the encrypted password of the “accessgate-oic” webgate.
The password value can be obtained by opening OAMAuthentication and clicking “show in clear text”.

[Screenshot: MobileJWTOAMAuthentication Service Profile settings]

[Screenshot: JWTOAMToken settings]


Update the MobileServiceDomain to use the new Authentication Service Provider.