Create an OAAM admin user for administration.
Log in to the OAAM Admin application at http://host:14200/oaam_admin (14200 is the default port).
Load oaam_base_snapshot.zip.
Restore the snapshot.
Import oaam_policies.zip by going to Policies -> Import Policies.
Path of the policies file = C:\Oracle\Middleware\Oracle_IDM1\oaam\init\oaam_policies.zip
OAM Configuration
Create a Default User Identity Store.
Create a directory where you will store the keystore file.
Run the Register Third Party Partner utility (WLST):
registerThirdPartyTAPPartner(partnerName = "OAAMTAPPartner", keystoreLocation= "C:\\Oracle\\Middleware\\keystore\\TAP_OAAM_OAM\\TAPkeystore.jks" , password="password", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://deepak-pc.mydomain.com:14300/oaam_server/oamLoginPage.jsp")
Update TAPScheme in the OAM Console.
Update the IAMSuiteAgent's profile and set the Access Client Password.
Update the IAMSuiteAgent provider in WebLogic Security Realms with the same password.
The step below is optional:
Create a key in the /em console for OAAM.
Copy OAAM_HOME/oaam/cli to a temporary location.
Update C:\TEMP\cli\conf\bharosa_properties\oaam_cli.properties with the relevant values.
Sample data (oaam_cli.properties):
# Overriding properties for oaam_cli
# Following properties are relevant when CSF is accessed using MBeans (usually in command-line/J2SE programs).
# Note: This is the preferred way of running OAAM command-line to avoid CSF related file dependencies (which are usually on the Weblogic Admin Server).
# If neither the oaam.adminserver.type property nor the APP_SERVER_TYPE environment variable are set, OAAM command line will prompt the user for application server type. To run OAAM command line for WebLogic deployment, set oaam.adminserver.type to wls, set the APP_SERVER_TYPE to weblogic, or select WebLogic when prompted. To run OAAM command line for WebSphere deployment, set oaam.adminserver.type to was, set the APP_SERVER_TYPE to websphere, or select WebSphere when prompted.
# In a Windows environment, if the APP_SERVER_TYPE environment variable is not set, then the OAAM command line will prompt the user for application server type even if oaam.adminserver.type is set in this file.
# Make sure for weblogic deployment weblogic jmx jars (wljmxclient.jar, wlclient.jar) and JPS jars (jps-api.jar, jps-common.jar, jps-internal.jar) are in classpath
oaam.csf.useMBeans=true
oaam.adminserver.type=wls
#oaam.adminserver.type=was
oaam.adminserver.protocol=t3
oaam.adminserver.hostname=localhost
oaam.adminserver.port=7001
# Set this property if OAAM command-line is running in websphere deployment
oaam.was.client.sasPropFile=
# Set this property with the fully qualified path of jps-config-jse.xml when using the non-MBeans way of accessing CSF.
# Usually it resides in config/fmwconfig folder of the domain folder.
# Specify this path only if 'oaam.csf.useMBeans=false' and the OAAM command-line runs on the Weblogic Admin Server host where OAAM is deployed.
oaam.jps.config.filepath=
# Set this property to true, if OAAM DB userName, password from CSF have to be used instead of persistence.xml. Make sure to set the 'oaam.db.*' properties.
oaam.db.toplink.useCredentialsFromCSF=true
# Following properties are used (instead of persistence.xml) to initialize Toplink when 'oaam.db.toplink.useCredentialsFromCSF=true'
# Specify valid JDBC URL of OAAM database. For oracle databases the format is: jdbc:oracle:thin:@<hostname>:<port>:<sid>
oaam.db.url=jdbc:oracle:thin:@localhost:1521:orcl
# In case of non-oracle databases, change this to the relevant driver class name
oaam.db.driver=oracle.jdbc.driver.OracleDriver
oaam.db.min.read-connections=1
oaam.db.max.read-connections=25
oaam.db.min.write-connections=1
oaam.db.max.write-connections=25
# Specify the filepath of any additional properties that need to be used while initializing Toplink
oaam.db.additional.properties.file=
# Following properties are relevant only for OAAM - OAM Integration.
# Location of the Keystore file generated using the registerThirdPartyTAPPartner WLST command on the OAM Admin server. For example /rootdir/keystoreloc/oamoaamtap.jks
oaam.uio.oam.tap.keystoreFile=C:\\Oracle\\Middleware\\keystore\\TAP_OAAM_OAM\\TAPkeystore.jks
oaam.uio.oam.tap.keystoreType=JCEKS
oaam.uio.oam.tap.partnername=OAAMTAPPartner
oaam.uio.oam.tap.username.maxlength=40
# Access Server host machine name. For example, host.oracle.com
oaam.uio.oam.host=deepak-pc.mydomain.com
# Access Server Authentication Port (NAP Port); Default port : 5575
oaam.uio.oam.port=5575
# Webgate Preferred host identifier. Default value is IAMSuiteAgent
oaam.uio.oam.webgate_id=IAMSuiteAgent
# Name of the secondary Access Server host machine. This property is used for high availability. You can specify the fail-over hostname using this property.
oaam.uio.oam.secondary.host=
# Port number of the secondary Access Server. This property is used for high availability. You can specify the fail-over port using this property.
oaam.uio.oam.secondary.host.port=
# Security Mode - 1 (OPEN), 2 (SIMPLE), 3 (CERT)
oaam.uio.oam.security.mode=1
# Location of the Keystore file generated for the root certificate. Required for SIMPLE (2) / CERT (3) Security mode. For a multiple host OAAM Server installation make sure the file exists on all the hosts in the mentioned location
oam.uio.oam.rootcertificate.keystore.filepath=C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain\\output\\webgate-ssl\\oamclient-truststore.jks
# Location of the Keystore file generated for the private key certificate. Required for SIMPLE (2) / CERT (3) Security mode. For a multiple host OAAM Server installation make sure the file exists on all the hosts in the mentioned location
oam.uio.oam.privatekeycertificate.keystore.filepath=C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain\\output\\webgate-ssl\\oamclient-truststore.jks
# This property enables configuring credentials in the Credential Store Framework instead of maintaining them using the properties editor. This step is performed so that credentials can be securely stored in CSF.
oaam.oam.csf.credentials.enabled=true
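A small pre-flight checker for the OAAM - OAM integration section of oaam_cli.properties, added here as an example and not part of Oracle's tooling or this page's original notes. It reads the file as Java properties (unescaping the doubled backslashes in the Windows paths) and flags the inconsistencies the comments above warn about: a security mode outside 1-3, SIMPLE/CERT mode without both keystore paths, a fail-over host without its port, non-MBeans CSF access without jps-config-jse.xml, and CSF DB credentials without a JDBC URL. Property key names are taken from the sample file exactly as written on this page; the embedded SAMPLE is constructed.

```python
"""Consistency checks for oaam_cli.properties OAAM-OAM settings (added example, not Oracle tooling)."""

def parse_properties(text):
    """Minimal Java .properties reader: '#' comments, key=value, doubled backslash unescaped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props

def check_oam_integration(props):
    """Return a list of findings; an empty list means the settings are consistent."""
    g = lambda key: props.get(key, "")
    findings = []
    mode = g("oaam.uio.oam.security.mode")
    if mode not in ("1", "2", "3"):
        findings.append(f"security.mode must be 1 (OPEN), 2 (SIMPLE) or 3 (CERT), got {mode!r}")
    elif mode == "1":
        findings.append("security.mode=1 (OPEN): traffic to the Access Server is unencrypted")
    else:  # SIMPLE/CERT need both keystores, present on every OAAM host
        for key in ("oam.uio.oam.rootcertificate.keystore.filepath",
                    "oam.uio.oam.privatekeycertificate.keystore.filepath"):
            if not g(key):
                findings.append(f"{key} is required for SIMPLE/CERT mode")
    for key in ("oaam.uio.oam.tap.keystoreFile", "oaam.uio.oam.tap.partnername", "oaam.uio.oam.host"):
        if not g(key):
            findings.append(f"{key} is empty")
    if bool(g("oaam.uio.oam.secondary.host")) != bool(g("oaam.uio.oam.secondary.host.port")):
        findings.append("secondary host and port must both be set for fail-over")
    if g("oaam.csf.useMBeans") == "false" and not g("oaam.jps.config.filepath"):
        findings.append("oaam.jps.config.filepath is required when oaam.csf.useMBeans=false")
    if g("oaam.db.toplink.useCredentialsFromCSF") == "true" and not g("oaam.db.url"):
        findings.append("oaam.db.url is required when useCredentialsFromCSF=true")
    return findings

# Constructed excerpt in the shape of the page's sample file (not a real deployment).
SAMPLE = """oaam.uio.oam.security.mode=2
oaam.uio.oam.tap.keystoreFile=C:\\\\Oracle\\\\Middleware\\\\keystore\\\\TAPkeystore.jks
oaam.uio.oam.tap.partnername=OAAMTAPPartner
oaam.uio.oam.host=oam.example.com
oaam.uio.oam.secondary.host=oam2.example.com
oaam.uio.oam.secondary.host.port=
oam.uio.oam.rootcertificate.keystore.filepath=C:\\\\certs\\\\oamclient-truststore.jks
oam.uio.oam.privatekeycertificate.keystore.filepath=
oaam.db.toplink.useCredentialsFromCSF=true
oaam.db.url=jdbc:oracle:thin:@localhost:1521:orcl
"""
```

Run `check_oam_integration(parse_properties(open(path).read()))` against the real file before invoking setupOAMTapIntegration; the SAMPLE above yields two findings (missing private-key keystore, fail-over port).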
Run setupOAMTapIntegration (sample output for reference):
C:\TEMP\cli>setupOAMTapIntegration.cmd c:\TEMP\cli\conf\bharosa_properties\oaam_cli.properties
"Using COMMON_COMPONENTS_HOME as c:\Oracle\Middleware , set in COMMON_COMPONENTS_HOME in environment to override."
"Using JRF_VERSION_PROP as , set in JRF_VERSION_PROP in environment to override."
"Enter Application Server Type, please select one of the following choices between [1-2]:"
"1: Weblogic Application Server"
"2: Websphere Application Server"
Enter Application Server Type: 1
Enter Weblogic Server Home Directory for e,g c:\Oracle\Middleware\wlserver_10.3
C:\Oracle\Middleware\wlserver_10.3
setupOAMTapIntegration readfromfile=c:\TEMP\cli\conf\bharosa_properties\oaam_cli.properties
30/04/2014 2:52:56 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using passed in properties...
30/04/2014 2:52:56 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using MBeans on Weblogic...
30/04/2014 2:52:56 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredentialsFromConsole()
Enter OAAM AdminServer User Name: weblogic
30/04/2014 2:53:12 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredentialsFromConsole()
Enter OAAM AdminServer Password:
DB Credentials are found in CSF store, do you want to overwrite it?
Enter 'Yes' to give new DB credentials and overwrite in CSF store:
Yes
Enter OAAM DB User name and press Enter key :
DEV_OAAM
Enter OAAM DB User password and press Enter key :
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.addPasswordCredentialToCSF()
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.addCredential() with passed in properties...
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.addCredential(): using MBeans on Weblogic...
Added Password Credential to CSF with MapName [oaam], KeyName [oaam_db_key]
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using passed in properties...
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using MBeans on Weblogic...
Enter OAM TAP Key store file password and press Enter key :
30/04/2014 2:54:12 PM com.bharosa.common.util.UserDefEnumFactory
INFO: Creating new instance of UserDefEnumFactory
30/04/2014 2:54:12 PM com.bharosa.common.util.UserDefEnumFactory
Responses given (in prompt order):
1
C:\Oracle\Middleware\wlserver_10.3
weblogic
password1
Yes
DEV_OAAM
password
password
Log in to the OAM Console and change the Authentication Scheme to TAPScheme for the webgate11g_1 Application Domain.
Update the webgate11g_1 Application Domain to use TAPScheme in the Protected Resource Policy of its Authentication Policy.
Try to access the protected resource on web server instance1.
The user is redirected to the OAAM Server for authentication:
Enter the password.
Set up Knowledge Based Authentication.
Register the device image.
Set your security questions and answers.
Login successful.
The next time you log in, you will be asked for your password and one random security question as the challenge.