Saturday, November 5, 2016

OAM 11g R2 Basic Lab

Tasks
Task 1 - Configure OUD as Default Store and System Store
Task 2 - Configure LDAP Provider for OUD in WebLogic Security Realms
Task 3 - Create and configure WebGate 11g instances
Task 4 - Configure webgate11g_2 to act as DCC using the Password Policy Validation Module
Task 5 - Verify that the DCC WebGate works and validate LDAP errors for failed login
Task 6 - Configure and validate Password Policy
Task 7 - Configure and verify Session Management features
Task 8 - Deploy and configure a custom WAR login page
Task 9 - OAAM advanced integration with OAM using TAP


Task 1 - Configure OUD as Default Store and System Store

Data Sources -> User Identity Stores
Store Name : OUDStore1
Store Type : OUD : Oracle Unified Directory

Store Type     OUD: Oracle Unified Directory
Location     oam.example.com:1389
Bind DN     cn=Directory Manager
Password     Oracle123
Username Attribute     uid
User Search Base     dc=example,dc=com
Group Name Attribute     cn
Group Search Base     dc=example,dc=com


Default Store : UserIdentityStore1
System Store : UserIdentityStore1

Set OUDStore1 as the Default Store and the System Store (replacing UserIdentityStore1 in both)

Access System Administrators : tom.dole
Access System Group : Administrators

Go to
System Configuration -> Access Manager -> Authentication Modules -> LDAP Authentication Module -> LDAP
Name : LDAP
User Identity Store : Change from UserIdentityStore1 to OUDStore1

Task 2 - Configure LDAP Provider for OUD in WebLogic Security Realms

WebLogic Console -> Security Realms -> myrealm -> Providers -> New
By default there are 3 providers: DefaultAuthenticator, DefaultIdentityAsserter, IAMSuiteAgent

New Authentication Provider
Name: OUDAuthenticator
Type : IPlanetAuthenticator (there is no OUD-specific authenticator by default)

Change the order and control flags : DefaultAuthenticator (SUFFICIENT), OUDAuthenticator (SUFFICIENT), DefaultIdentityAsserter, IAMSuiteAgent

Configure OUDAuthenticator with Provider Specific Details

Restart the Admin Server and the Managed Servers

Log in to the OAM Console as the OUD user tom.dole

Task 3 - Create and configure WebGate 11g instances

System Configuration -> Access Manager -> SSO Agents -> OAM Agents

Name : webgate11g_1
Access Client Password
Security : Open, Simple, Cert
Auto Create Policies

Name : webgate11g_2
Access Client Password
Security : Open, Simple, Cert
Auto Create Policies


cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate

export LD_LIBRARY_PATH=/app/u01/middleware/Oracle_WT1/lib:/app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/lib

./deployWebGateInstance.sh -w /app/u01/middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /app/u01/middleware/Oracle_OAMWebGate1

cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools/

./EditHttpConf -w /app/u01/middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /app/u01/middleware/Oracle_OAMWebGate1

cp /app/u01/middleware/user_projects/domains/idm_domain/output/webgate11g_1/* /app/u01/middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config/

Repeat the same steps for webgate11g_2 on the second OHS instance

cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate
./deployWebGateInstance.sh -w /app/u01/middleware/Oracle_WT1/instances/instance2/config/OHS/ohs1 -oh /app/u01/middleware/Oracle_OAMWebGate1
cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools/
./EditHttpConf -w /app/u01/middleware/Oracle_WT1/instances/instance2/config/OHS/ohs1 -oh /app/u01/middleware/Oracle_OAMWebGate1
cp /app/u01/middleware/user_projects/domains/idm_domain/output/webgate11g_2/* /app/u01/middleware/Oracle_WT1/instances/instance2/config/OHS/ohs1/webgate/config/

Change the listen port of the 2nd OHS instance in ssl.conf or httpd.conf, then restart OHS:
Listen    24444
./opmnctl stopall startall

Access both web servers to confirm that OAM intercepts the requests

Cookies
1. OAM_ID
2. OAM_REQ
3. OAMAuthnCookie

Task 4 - Configure webgate11g_2 to act as DCC using the Password Policy Validation Module

Configuring the 2nd OHS WebGate instance to act as DCC

cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/oamsso-bin

Edit every Perl script in this directory so that its shebang line points to the correct perl binary, e.g.
vi login.pl
#!/usr/bin/perl

For DCC to work, edit the WebGate profile of webgate11g_2
and check all of the following options:
1. Allow Management Operations
2. Allow Token Scope Operations
3. Allow Master Token Retrieval
4. Allow Credential Collector Operations

Always use the FQDN in the SSO configuration

System Configuration -> Access Manager -> Access Manager Settings
Load Balancing
OAM Server Host : oam.example.com
OAM Server Port : 14100
OAM Server Protocol : http
Server Error Mode : Internal (so that LDAP error messages are shown on the login page)

Go to Policy Configuration -> Authentication Schemes -> PasswordPolicyValidationScheme

* Name : PasswordPolicyValidationScheme
Description
* Authentication Level : 2
Default : No
* Challenge Method : FORM
Challenge Redirect URL : http://oam.example.com:7778/
* Authentication Module : Password Policy Validation Module
* Challenge URL : /oamsso-bin/login.pl
* Context Type : external
Challenge Parameters : OverrideRetryLimit=0

In the Application Domain of webgate11g_2, create 2 new resources with Protection Level Excluded:

Resource 1
Type : HTTP
Host Identifier : webgate11g_2
Resource URL : /favicon.ico
Query : Name Value List (selected), String
Operations Available : ALL , CONNECT , OPTIONS , PUT , POST , GET
Protection Level : Excluded

Resource 2
Type : HTTP
Host Identifier : webgate11g_2
Resource URL : /oamsso-bin/login.pl
Query : Name Value List (selected), String
Operations Available : ALL , CONNECT , OPTIONS , PUT , POST , GET
Protection Level : Excluded

Change the Authentication Policy of webgate11g_2 so that it uses PasswordPolicyValidationScheme as its Authentication Scheme:

Authentication Policy
Name : Protected Resource Policy
Authentication Scheme : PasswordPolicyValidationScheme
Resources : Resource Type=HTTP,Host Identifier=webgate11g_2,Resource URL=/**

Modifying the plugin parameters is optional, since OUDStore1 is already the Default Store

Common Configuration -> Plugins -> UserIdentificationPlugin

KEY_IDENTITY_STORE_REF : OUDStore1

UserAuthenticationPlugin
KEY_IDENTITY_STORE_REF : OUDStore1

UserPasswordPolicyPlugin
KEY_IDENTITY_STORE_REF : OUDStore1

Access Manager -> Authentication Modules -> Custom Modules -> Password Policy Validation Module
Change KEY_IDENTITY_STORE_REF for all 3 plugins used by the module:

User Identification Step
Plugin Name : UserIdentificationPlugin
KEY_IDENTITY_STORE_REF
KEY_LDAP_FILTER
KEY_SEARCH_BASE_URL

User Authentication Step
Plugin Name : UserAuthenticationPlugin
KEY_IDENTITY_STORE_REF
KEY_PROP_AUTHN_EXCEPTION

User Password Status Step
Plugin Name : UserPasswordPolicyPlugin
KEY_IDENTITY_STORE_REF
PLUGIN_EXECUTION_MODE : PSWDONLY
URI_ACTION : REDIRECT_POST

Modify System Configuration -> Password Policy
Set
Password Service URL : /oamsso-bin/login.pl
Restart the OAM Managed Server

Task 5 - Verify that the DCC WebGate works and validate LDAP errors for failed login

Access OHS 2 on port 7778
You get redirected to oam.example.com:7778/oamsso-bin/login.pl
instead of the OAM Server login page
Provide a wrong password
You will see the error message from the server, and because Server Error Mode is set to Internal the LDAP error message and its code are displayed as well
Provide the right password to check that everything works

DCC cookies set
DCCCtxCookie_oam.example.com
OAMAuthnCookie_oam.example.com

Task 6 - Configure and validate Password Policy

Set Maximum Attempts to 1 and Lockout Duration to 1 minute

Access OHS 2 (the DCC), try a wrong password, wait more than 1 minute, and try again with the right password.

Using any LDAP browser, set the value of the attribute obpasswordchangeflag to 1
(add the attribute manually if it is not present).
This forces the user to change the password at the next login.

Access OHS 2 (7778) with the test user

You will be forced to change the password after authentication (old password, new password, confirm password)

Task 7 - Configure and verify Session Management Features

System Configuration -> Common Settings
Maximum Number of Sessions per User = 2
Idle Timeout (minutes) = 2

Test
System Configuration -> Session Management
Search for logged-in users
Delete the test user's session
You will be logged out immediately and should see the login page

Test the 2-session limit by opening multiple browsers and logging in with the same user

After login, sit idle for 2 minutes and refresh the browser to test the 2-minute idle timeout setting

Task 8 - Deploy and configure a custom WAR login page

Create login.jsp, style.css and validate.jsp for the custom login page
Key points : the form's action URL, the hidden request_id, and the username and password fields

action="http://oam.example.com:14100/oam/server/auth_cred_submit" method="post"

<input type="hidden" name="request_id" value="<%=reqId%>">
<input type="text" name="username" class="inputbox">
<input type="password" name="password" class="inputbox">
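The same form rendered in Python, as an added example that is not part of the original post or of any Oracle sample. It assumes OAM passes request_id as a query parameter on its redirect to the custom page (the value that <%=reqId%> echoes in login.jsp) and that the form posts to the lab's auth_cred_submit URL; extract_request_id and render_login_form are names chosen here. What it adds to the snippet above: request_id arrives from the URL, so it is HTML-escaped before being written into the hidden field, a repeated or blank request_id is refused rather than posted, and the password field is type="password".

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: the OAM credential-submit endpoint the lab's form posts to.
AUTH_CRED_SUBMIT = "http://oam.example.com:14100/oam/server/auth_cred_submit"


def extract_request_id(page_url: str) -> str:
    """Return the request_id OAM put on the redirect to the custom page, or "" if unusable.

    Mirrors request.getParameter("request_id") in login.jsp, but refuses a missing,
    blank or repeated parameter so the page does not post a form OAM would reject.
    """
    values = parse_qs(urlsplit(page_url).query).get("request_id", [])
    return values[0].strip() if len(values) == 1 else ""


def render_login_form(req_id: str, action_url: str = AUTH_CRED_SUBMIT, error: str = "") -> str:
    """Render the lab's login form with every dynamic value HTML-escaped.

    request_id is controlled by whoever built the URL, so writing it unescaped
    into the hidden field (what a bare <%=reqId%> does if reqId comes straight
    from the request) is a reflected-XSS sink; html.escape(..., quote=True)
    neutralises it inside the attribute value.
    """
    if not req_id:
        raise ValueError("request_id missing: the page must be reached via an OAM redirect")
    safe_req = html.escape(req_id, quote=True)
    safe_action = html.escape(action_url, quote=True)
    error_html = f'  <p class="error">{html.escape(error)}</p>\n' if error else ""
    return (
        f'<form action="{safe_action}" method="post">\n'
        f"{error_html}"
        f'  <input type="hidden" name="request_id" value="{safe_req}">\n'
        '  <input type="text" name="username" class="inputbox" autocomplete="username">\n'
        '  <input type="password" name="password" class="inputbox" autocomplete="current-password">\n'
        '  <input type="submit" value="Login">\n'
        "</form>\n"
    )


if __name__ == "__main__":
    # Constructed redirect URL; a real OAM request_id is an opaque token.
    rid = extract_request_id("http://oam.example.com:14100/login.jsp?request_id=1234567890")
    print(render_login_form(rid))
```

In the JSP the equivalent is to run reqId through an HTML-attribute encoder before writing it, and to keep the credential fields exactly as OAM expects them (username, password, request_id), since the endpoint rejects a submission whose request_id does not match an outstanding request.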

Create the WAR with the jar command
Deploy the WAR on the WebLogic server
Target it to AdminServer and oam_server1

Create a new Authentication Scheme

* Name : Custom Page Authentication Scheme
Description : Custom Page Authentication Scheme
* Authentication Level : 2
Default : No
* Challenge Method : FORM
Challenge Redirect URL : /oam/server
* Authentication Module : LDAP
* Challenge URL : /login.jsp
* Context Type : customWar
Challenge Parameters :

Modify the Authentication Policy of webgate11g_1 to use the newly created custom login page Authentication Scheme:

webgate11g_1
Authentication Policy : Protected Resource Policy
Authentication Scheme : Custom Page Authentication Scheme
Resource URL : /**
Host Identifier : webgate11g_1

Test
Access OHS 1
You get redirected to the custom login page
Authenticate and receive the requested page

Cookies
OAMRequestContext_oam.example.com
JSESSIONID
OAM_ID
OAM_REQ
OAMAuthnCookie_oam.example.com

Task 9 - OAAM advanced integration with OAM using TAP

Log in to the OAAM Admin Console
oam.example.com:14200/oaam_admin

Go to Environment -> System Snapshots -> Load from File
Uncheck "Backup current system now"
Upload oaam_base_snapshot.zip from /app/u01/middleware/Oracle_IDM1/oaam/init
After it loads successfully, shut down oaam_admin_server1
Start oam_server1 and oaam_server_server1

Create a directory to hold the keystore file
/app/Middleware/keystore/TAP_OAAM_OAM

Connect to wlst

/app/u01/middleware/Oracle_IDM1/common/bin
./wlst.sh

wls:/idm_domain/serverConfig> registerThirdPartyTAPPartner(partnerName="OAAMTAPPartner",keystoreLocation="/app/Middleware/keystore/TAP_OAAM_OAM/TAPkeystore.jks",password="Oracle123",tapTokenVersion="v2.0", tapScheme="TAPScheme",tapRedirectUrl="http://oam.example.com:14300/oaam_server/oamLoginPage.jsp")

Update TAPScheme so that its challenge parameters include MatchLDAPAttribute=uid

Authentication Scheme : TAPScheme
Description : TAPScheme
Authentication Level : 2
Default : No
Challenge Method : DAP
Challenge Redirect URL : /oam/server/
Authentication Module : DAP
Challenge URL : /oaam_server/oamLoginPage.jsp
Context Type : external
Challenge Parameters :
TAPPartnerId=OAAMTAPPartner
SERVER_HOST_ALIAS=HOST_ALIAS_1
MatchLDAPAttribute=uid

Update IAMSuiteAgent's Access Client Password

Update the IAMSuiteAgent's password in Weblogic Security Realms

Realms -> myrealm -> Providers -> IAMSuiteAgent -> Provider Specific -> Agent Password

3 items must be restarted

Copy the cli directory from /app/Middleware/Oracle_IDM1/oaam/cli to a temporary location such as /app/u05/tmp

Go to /app/u05/tmp/cli/conf/bharosa_properties
Edit oaam_cli.properties

Parameter Name    Parameter Value
oaam.csf.useMbeans     true
oaam.adminserver.protocol     t3
oaam.adminserver.hostname     oam.example.com
oaam.adminserver.port     7001
oaam.db.toplink.useCredentialsFromCSF     true
oaam.db.url     jdbc:oracle:thin:@oam.example.com:1521:orcl
oaam.db.driver     oracle.jdbc.driver.OracleDriver
oaam.uio.oam.tap.keystoreFile     /app/u01/middleware/keystore/TAP_OAAM_OAM/TAPKeystore.jks
oaam.uio.oam.tap.partnername     OAAMTAPPartner
oaam.uio.oam.host     oam.example.com
oaam.uio.oam.port     5575
oaam.uio.oam.webgate_id     IAMSuiteAgent
oaam.uio.oam.rootcertificate.keystore.filepath     /app/u01/middleware/user_projects/domains/idm_domain/output/webgate-ssl/oamclient-truststore.jks
oaam.uio.oam.privatekeycertificate.keystore.filepath     /app/u01/middleware/user_projects/domains/idm_domain/output/webgate-ssl/oamclient-truststore.jks
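An added sanity check for oaam_cli.properties before running setupOAMTapIntegration.sh; this is example code written for this page, not part of the original post or of the OAAM CLI. It reads the file as Java properties, verifies that every key from the table above is present and non-empty, that the keystore and truststore paths are absolute and the ports numeric, flags keys that are near-misses of a known key (a typo in the oaam. prefix is the kind of thing the script otherwise fails on later), and warns if a password has been written into the file instead of being left to the CSF, which is what useMbeans=true and useCredentialsFromCSF=true are for. The sample properties text is constructed from the table; parse_properties and check_oaam_cli_properties are names chosen here.

```python
import difflib
import re

# Keys the lab's oaam_cli.properties table sets (copied from the table above).
REQUIRED_KEYS = (
    "oaam.csf.useMbeans",
    "oaam.adminserver.protocol",
    "oaam.adminserver.hostname",
    "oaam.adminserver.port",
    "oaam.db.toplink.useCredentialsFromCSF",
    "oaam.db.url",
    "oaam.db.driver",
    "oaam.uio.oam.tap.keystoreFile",
    "oaam.uio.oam.tap.partnername",
    "oaam.uio.oam.host",
    "oaam.uio.oam.port",
    "oaam.uio.oam.webgate_id",
    "oaam.uio.oam.rootcertificate.keystore.filepath",
    "oaam.uio.oam.privatekeycertificate.keystore.filepath",
)
PATH_KEYS = tuple(k for k in REQUIRED_KEYS if k.endswith(("keystoreFile", "filepath")))
PORT_KEYS = ("oaam.adminserver.port", "oaam.uio.oam.port")
CSF_FLAGS = ("oaam.csf.useMbeans", "oaam.db.toplink.useCredentialsFromCSF")
SECRET_HINTS = ("password", "passwd", "secret")


def parse_properties(text: str) -> dict:
    """Small java.util.Properties reader: '#'/'!' comments, key=value or key:value,
    and backslash line continuations; a later duplicate key overrides an earlier one."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continuation: join with the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_oaam_cli_properties(text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    props = parse_properties(text)
    findings = []
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(f"missing: {key}")
        elif not props[key]:
            findings.append(f"empty value: {key}")
    for key, val in props.items():
        if key not in REQUIRED_KEYS:
            guess = difflib.get_close_matches(key, REQUIRED_KEYS, n=1, cutoff=0.8)
            hint = f" (did you mean {guess[0]}?)" if guess else ""
            findings.append(f"key not in the lab's table: {key}{hint}")
        if val and any(h in key.lower() for h in SECRET_HINTS):
            findings.append(f"plaintext secret in file, leave it to the CSF: {key}")
    for key in PATH_KEYS:
        val = props.get(key, "")
        if val and not val.startswith("/"):
            findings.append(f"relative path: {key}={val}")
    for key in PORT_KEYS:
        val = props.get(key, "")
        if val and not (val.isdigit() and 0 < int(val) < 65536):
            findings.append(f"bad port: {key}={val}")
    for key in CSF_FLAGS:
        val = props.get(key, "")
        if val and val.lower() != "true":
            findings.append(f"{key} should be true so credentials come from the CSF")
    return findings


# Constructed sample mirroring the lab table, with a typo in the prefix of the first key.
SAMPLE_PROPERTIES = """\
# oaam_cli.properties (constructed sample)
ooaam.csf.useMbeans=true
oaam.adminserver.protocol=t3
oaam.adminserver.hostname=oam.example.com
oaam.adminserver.port=7001
oaam.db.toplink.useCredentialsFromCSF=true
oaam.db.url=jdbc:oracle:thin:@oam.example.com:1521:orcl
oaam.db.driver=oracle.jdbc.driver.OracleDriver
oaam.uio.oam.tap.keystoreFile=/app/u01/middleware/keystore/TAP_OAAM_OAM/TAPKeystore.jks
oaam.uio.oam.tap.partnername=OAAMTAPPartner
oaam.uio.oam.host=oam.example.com
oaam.uio.oam.port=5575
oaam.uio.oam.webgate_id=IAMSuiteAgent
oaam.uio.oam.rootcertificate.keystore.filepath=\\
    /app/u01/middleware/user_projects/domains/idm_domain/output/webgate-ssl/oamclient-truststore.jks
oaam.uio.oam.privatekeycertificate.keystore.filepath=/app/u01/middleware/user_projects/domains/idm_domain/output/webgate-ssl/oamclient-truststore.jks
"""

if __name__ == "__main__":
    for finding in check_oaam_cli_properties(SAMPLE_PROPERTIES):
        print(finding)
```

Run it against the edited file (read the text from /app/u05/tmp/cli/conf/bharosa_properties/oaam_cli.properties) before calling setupOAMTapIntegration.sh; the "key not in the lab's table" finding is informational for keys the real file legitimately carries beyond the table, but a near-miss suggestion means a typo.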

pwd
/app/u05/tmp/cli
./setupOAMTapIntegration.sh /app/u05/tmp/cli/conf/bharosa_properties/oaam_cli.properties

Enter Weblogic Server Home Directory : /app/u01/middleware/wlserver_10.3
Enter OAAM AdminServer User Name : weblogic
Enter OAAM AdminServer Password :
Enter OAAM DB User Name : DEV_OAAM
Enter OAAM DB User password :
Enter OAM WebGate credentials to stored in the CSF :
Enter OAM TAP Key Store file password and press Enter :
SetupOAMIntegration script ran successfully

If the script fails with a path error because setCliEnv.sh is not found, fix the setupOAMTapIntegration.sh file:
chmod 777 findjar.sh
give the absolute path of findjar.sh in the script file

Change the Application Domain : webgate11g_1
Change the Authentication Policy : Protected Resource Policy
Authentication Scheme : TAPScheme

Access OHS 1 (7777/index.html)
You are redirected to the oaam_server login page
oam.example.com:14300/oaam_server/oamLoginPage.jsp

1st page : username
2nd page : password
Then the requested page (Hello World) is displayed

Cookies
ora_oaam_vsc
JSESSIONID
OAM_ID
OAM_REQ
OAMAuthnCookie_oam.example.com

If user login fails
In oaam_admin, set the Environment -> Properties entry
bharosa.uio.default.username.case.sensitive=false