Tasks
Task 1 - Configure OUD as Default Store and System Store
Task 2 - Configure LDAP Provider for OUD in WebLogic Security Realms
Task 3 - Create and configure Webgate 11g instances
Task 4 - Configure Webgate11g_2 to act as DCC using Password Policy Validation Module
Task 5 - Verify that the DCC webgate works and validate LDAP errors for failed login
Task 6 - Configure and validate Password Policy
Task 7 - Configure and verify Session Management Features
Task 8 - Deploying and configuring Custom WAR Login Page
Task 9 - OAAM Advanced Integration with OAM using TAP
Task 1 - Configure OUD as Default Store and System Store
Data Sources -> User Identity Stores
Store Name : OUDStore1
Store Type : OUD : Oracle Unified Directory
Location : oam.example.com:1389
Bind DN : cn=Directory Manager
Password : Oracle123
Username Attribute : uid
User Search Base : dc=example,dc=com
Group Name Attribute : cn
Group Search Base : dc=example,dc=com
Current values before the change:
Default Store : UserIdentityStore1
System Store : UserIdentityStore1
Change OUDStore1 to be the Default Store and the System Store
Access System Administrators : tom.dole
Access System Group : Administrators
Go to
System Configuration -> Access Manager -> Authentication Modules -> LDAP Authentication Module -> LDAP
Name : LDAP
User Identity Store : Change from UserIdentityStore1 to OUDStore1
Task 2 - Configure LDAP Provider for OUD in WebLogic Security Realms
WebLogic Console -> Security Realms -> myrealm -> Providers -> Create a new Provider
By default there are 3 providers : DefaultAuthenticator, DefaultIdentityAsserter, IAMSuiteAgent
New Authentication Provider
Name : OUDAuthenticator
Type : IPlanetAuthenticator (there is no OUD-specific authenticator by default)
Change the control flag of DefaultAuthenticator and OUDAuthenticator to SUFFICIENT and order the providers as : DefaultAuthenticator (SUFFICIENT), OUDAuthenticator (SUFFICIENT), DefaultIdentityAsserter, IAMSuiteAgent
Configure OUDAuthenticator with the Provider Specific details (host, port, principal, credential, user and group base DN)
Restart the Admin Server and the Managed Server
Login to the OAM Console as the OUD user tom.dole
Task 3 - Create and configure Webgate 11g instances
System Configuration -> Access Manager -> SSO Agents -> OAM Agents
Name : webgate11g_1
Access Client Password
Security : Open, Simple, Cert
Auto Create Policies
Name : webgate11g_2
Access Client Password
Security : Open, Simple, Cert
Auto Create Policies
cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate
export LD_LIBRARY_PATH=/app/u01/middleware/Oracle_WT1/lib:/app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/lib
./deployWebGateInstance.sh -w /app/u01/middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /app/u01/middleware/Oracle_OAMWebGate1
cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools/
./EditHttpConf -w /app/u01/middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /app/u01/middleware/Oracle_OAMWebGate1
cp /app/u01/middleware/user_projects/domains/idm_domain/output/webgate11g_1/* /app/u01/middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config/
Repeat the same steps for webgate11g_2 (second OHS instance, instance2)
cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate
./deployWebGateInstance.sh -w /app/u01/middleware/Oracle_WT1/instances/instance2/config/OHS/ohs1 -oh /app/u01/middleware/Oracle_OAMWebGate1
cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools/
./EditHttpConf -w /app/u01/middleware/Oracle_WT1/instances/instance2/config/OHS/ohs1 -oh /app/u01/middleware/Oracle_OAMWebGate1
cp /app/u01/middleware/user_projects/domains/idm_domain/output/webgate11g_2/* /app/u01/middleware/Oracle_WT1/instances/instance2/config/OHS/ohs1/webgate/config/
Change the listen port of the 2nd OHS instance in ssl.conf or httpd.conf so it does not clash with the first instance
Listen 24444
./opmnctl stopall
./opmnctl startall
Access both web servers to see whether OAM intercepts the request
Cookies set after login :
1. OAM_ID
2. OAM_REQ
3. OAMAuthnCookie
Task 4 - Configure Webgate11g_2 to act as DCC using Password Policy Validation Module
Configure the 2nd OHS webgate instance to act as DCC
cd /app/u01/middleware/Oracle_OAMWebGate1/webgate/ohs/oamsso-bin
Modify all the perl files in this directory so that the shebang line points at the correct perl binary, e.g.
vi login.pl
#!/usr/bin/perl
For DCC to work, change the webgate profile of webgate11g_2 and tick all of the options below:
1. Allow Management Operations
2. Allow Token Scope Operations
3. Allow Master Token Retrieval
4. Allow Credential Collector Operations
Always use the FQDN in the SSO configuration
System Configuration -> Access Manager -> Access Manager Settings
Load Balancing
OAM Server Host : oam.example.com
OAM Server Port : 14100
OAM Server Protocol : http
Server Error Mode : Internal (with Internal, LDAP error messages are shown on the login page)
Go to
Policy Configuration -> Authentication Schemes -> PasswordPolicyValidationScheme
* Name : PasswordPolicyValidationScheme
Description
* Authentication Level : 2
Default : No
* Challenge Method : FORM
Challenge Redirect URL : http://oam.example.com:7778/
* Authentication Module : Password Policy Validation Module
* Challenge URL : /oamsso-bin/login.pl
* Context Type : external
Challenge Parameters : OverrideRetryLimit=0
In the application domain of webgate11g_2, create 2 new resources with Protection Level Excluded (excluded resources are served without triggering authentication, which the login page itself and the favicon need)
Resource 1
Type : HTTP
Host Identifier : webgate11g_2
Resource URL : /favicon.ico
Query : Name Value List (selected) / String
Operations Available : ALL , CONNECT , OPTIONS , PUT , POST , GET
Protection Level : Excluded
Resource 2
Type : HTTP
Host Identifier : webgate11g_2
Resource URL : /oamsso-bin/login.pl
Query : Name Value List (selected) / String
Operations Available : ALL , CONNECT , OPTIONS , PUT , POST , GET
Protection Level : Excluded
Change the Authentication Policy of webgate11g_2 to use the PasswordPolicyValidationScheme as its Authentication Scheme
Authentication Policy
Name : Protected Resource Policy
Authentication Scheme : PasswordPolicyValidationScheme
Resources : Resource Type=HTTP,Host Identifier=webgate11g_2,Resource URL=/**
Modifying the plugin parameters is optional, because OUDStore1 has already been set as the Default Store
Common Configuration -> Plugins -> UserIdentificationPlugin
KEY_IDENTITY_STORE_REF : OUDStore1
UserAuthenticationPlugin
KEY_IDENTITY_STORE_REF : OUDStore1
UserPasswordPolicyPlugin
KEY_IDENTITY_STORE_REF : OUDStore1
Access Manager -> Authentication Modules -> Custom Modules -> Password Policy Validation Module
Change KEY_IDENTITY_STORE_REF for all 3 plugins used
User Identification Step
Plugin Name : UserIdentificationPlugin
KEY_IDENTITY_STORE_REF
KEY_LDAP_FILTER
KEY_SEARCH_BASE_URL
User Authentication Step
Plugin Name : UserAuthenticationPlugin
KEY_IDENTITY_STORE_REF
KEY_PROP_AUTHN_EXCEPTION
User Password Status Step
Plugin Name : UserPasswordPolicyPlugin
KEY_IDENTITY_STORE_REF
PLUGIN_EXECUTION_MODE : PSWDONLY
URI_ACTION : REDIRECT_POST
Modify System Configuration -> Password Policy
Set
Password Service URL : /oamsso-bin/login.pl
Restart OAM Managed Server
Task 5 - Verify that the DCC webgate works and validate LDAP errors for failed login
Access OHS 2 on port 7778
You get redirected to oam.example.com:7778/oamsso-bin/login.pl (the DCC login page on the webgate) instead of the OAM server login page
Provide a wrong password
You will see the error message from the server and, because Server Error Mode is set to Internal, the LDAP error message is displayed along with its code
Provide the right password to confirm that login works
DCC cookies set :
DCCCtxCookie_oam.example.com
OAMAuthnCookie_oam.example.com
Task 6 - Configure and validate Password Policy
Set Maximum Attempts to 1 and Lockout Duration to 1 minute
Access OHS 2 (the DCC), try a wrong password, wait more than 1 minute and try again with the right password
Using any LDAP browser, set the value of the user's attribute obpasswordchangeflag to 1
If the attribute is not present, add it manually
This forces the user to change the password at the next login
Access OHS 2 (7778) with the test user
You will be forced to change the password after authentication (old password, new password, confirm password)
Task 7 - Configure and verify Session Management Features
System Configuration -> Common Settings
Maximum Number of sessions per user = 2
Idle Timeout (minutes) = 2
Test
System Configuration -> Session Management
Search for Logged in users
Delete the test user session
You will be immediately logged out and should see a login page
Test 2 sessions by opening multiple browsers and testing out the 2 session limit
After login sit idle for 2 minutes and refresh the browser to test the 2 minute idle timeout setting
Task 8 - Deploying and configuring Custom WAR Login Page
Create login.jsp, style.css and validate.jsp for the custom login page
Key points : the form action URL, the request_id hidden field, and the username and password field names must be exactly these
action="http://oam.example.com:14100/oam/server/auth_cred_submit" method="post"
<input type="hidden" name="request_id" value="<%=reqId%>">
<input type="text" name="username" class="inputbox">
<input type="password" name="password" class="inputbox">
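A complete login.jsp built around the key points above, added here as an example and not the page's own file: it keeps the same action URL and field names, reads request_id from the query string OAM appends to the Challenge URL, and HTML-escapes it before reflecting it into the form (the esc() helper is mine, not an OAM API) and sends no-store cache headers.

```jsp
<%@ page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8" %>
<%!
    // HTML-attribute escaper: request_id comes from the query string and is
    // reflected into the form, so it must not be able to break out of the attribute.
    private static String esc(String s) {
        if (s == null) return "";
        StringBuilder b = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  b.append("&amp;");  break;
                case '<':  b.append("&lt;");   break;
                case '>':  b.append("&gt;");   break;
                case '"':  b.append("&quot;"); break;
                case '\'': b.append("&#39;");  break;
                default:   b.append(c);
            }
        }
        return b.toString();
    }
%>
<%
    // OAM redirects to the Challenge URL as /login.jsp?request_id=...;
    // the value must be posted back unchanged so the server can match the request.
    String reqId = request.getParameter("request_id");
    // A login form must never be cached by the browser or an intermediate proxy.
    response.setHeader("Cache-Control", "no-store");
    response.setHeader("Pragma", "no-cache");
%>
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Login</title>
    <link rel="stylesheet" href="style.css">
</head>
<body>
<form action="http://oam.example.com:14100/oam/server/auth_cred_submit" method="post" autocomplete="off">
    <input type="hidden" name="request_id" value="<%= esc(reqId) %>">
    <label>Username <input type="text" name="username" class="inputbox"></label>
    <label>Password <input type="password" name="password" class="inputbox"></label>
    <input type="submit" value="Login">
</form>
</body>
</html>
```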
Create the WAR using the jar command
Deploy the WAR on the WebLogic server
Target it to AdminServer and oam_server1
Create a new Authentication Scheme
* Name : Custom Page Authentication Scheme
Description : Custom Page Authentication Scheme
* Authentication Level : 2
Default : No
* Challenge Method : FORM
Challenge Redirect URL : /oam/server
* Authentication Module : LDAP
* Challenge URL : /login.jsp
* Context Type : customWar
Challenge Parameters :
Modify the Authentication Policy of webgate11g_1 to use the newly created custom login page Authentication Scheme
webgate11g_1
Authentication Policy : Protected Resource Policy
Authentication Scheme : Custom Page Authentication Scheme
Resource URL : /**
Host Identifier : webgate11g_1
Test
Access the OHS 1
Get redirected to custom login page
Authenticate and get the requested page
Cookies
OAMRequestContext_oam.example.com
JSESSIONID
OAM_ID
OAM_REQ
OAMAuthnCookie_oam.example.com
Task 9 - OAAM Advanced Integration with OAM using TAP
Login to OAAM Admin Console
oam.example.com:14200/oaam_admin
Go to Environment -> System Snapshots -> Load from File
Uncheck "Backup current system now"
Upload oaam_base_snapshot.zip from /app/u01/middleware/Oracle_IDM1/oaam/init
After the snapshot loads successfully, shut down oaam_admin_server1
Start oam_server1 and oaam_server_server1
Create a directory in which the keystore file will be stored
/app/Middleware/keystore/TAP_OAAM_OAM
Connect to WLST
/app/u01/middleware/Oracle_IDM1/common/bin
./wlst.sh
wls:/idm_domain/serverConfig> registerThirdPartyTAPPartner(partnerName="OAAMTAPPartner",keystoreLocation="/app/Middleware/keystore/TAP_OAAM_OAM/TAPkeystore.jks",password="Oracle123",tapTokenVersion="v2.0", tapScheme="TAPScheme",tapRedirectUrl="http://oam.example.com:14300/oaam_server/oamLoginPage.jsp")
Update the TAPScheme to have the MatchLDAPAttribute=uid
Authentication Scheme : TAPScheme
Description : TAPScheme
Authentication Level : 2
Default : No
Challenge Method : DAP
Challenge Redirect URL : /oam/server/
Authentication Module : DAP
Challenge URL : /oaam_server/oamLoginPage.jsp
Context Type : external
Challenge Parameters :
TAPPartnerId=OAAMTAPPartner
SERVER_HOST_ALIAS=HOST_ALIAS_1
MatchLDAPAttribute=uid
Update IAMSuiteAgent's Access Client Password
Update the IAMSuiteAgent's password in Weblogic Security Realms
Realms -> myrealm -> Providers -> IAMSuiteAgent -> Provider Specific -> Agent Password
3 items must be restarted
Copy the cli directory from /app/Middleware/Oracle_IDM1/oaam/cli to a temporary location such as /app/u05/tmp
Go to /app/u05/tmp/cli/conf/bharosa_properties
Edit oaam_cli.properties and set the following parameters
Parameter Name = Parameter Value (as written in oaam_cli.properties)
oaam.csf.useMbeans=true
oaam.adminserver.protocol=t3
oaam.adminserver.hostname=oam.example.com
oaam.adminserver.port=7001
oaam.db.toplink.useCredentialsFromCSF=true
oaam.db.url=jdbc:oracle:thin:@oam.example.com:1521:orcl
oaam.db.driver=oracle.jdbc.driver.OracleDriver
oaam.uio.oam.tap.keystoreFile=/app/u01/middleware/keystore/TAP_OAAM_OAM/TAPKeystore.jks
oaam.uio.oam.tap.partnername=OAAMTAPPartner
oaam.uio.oam.host=oam.example.com
oaam.uio.oam.port=5575
oaam.uio.oam.webgate_id=IAMSuiteAgent
oaam.uio.oam.rootcertificate.keystore.filepath=/app/u01/middleware/user_projects/domains/idm_domain/output/webgate-ssl/oamclient-truststore.jks
oaam.uio.oam.privatekeycertificate.keystore.filepath=/app/u01/middleware/user_projects/domains/idm_domain/output/webgate-ssl/oamclient-truststore.jks
Check : oaam.uio.oam.tap.keystoreFile must point at the same file (same path and same case, the filesystem is case-sensitive) that was passed as keystoreLocation to registerThirdPartyTAPPartner
pwd
/app/u05/tmp/cli
./setupOAMTapIntegration.sh /app/u05/tmp/cli/conf/bharosa_properties/oaam_cli.properties
Enter Weblogic Server Home Directory : /app/u01/middleware/wlserver_10.3
Enter OAAM AdminServer User Name : weblogic
Enter OAAM AdminServer Password :
Enter OAAM DB User Name : DEV_OAAM
Enter OAAM DB User password :
Enter OAM WebGate credentials to stored in the CSF :
Enter OAM TAP Key Store file password and press Enter :
SetupOAMIntegration script ran successfully
If the script fails with a path error because setCliEnv.sh is not found, fix the setupOAMTapIntegration.sh file:
chmod 777 findjar.sh
give the absolute path of findjar.sh in the script file
Change the Application Domain : webgate11g_1
Change the Authentication Policy : Protected Resource Policy
Authentication Scheme : TAPScheme
Access OHS 1 (7777/index.html)
You are redirected to the oaam_server login page
oam.example.com:14300/oaam_server/oamLoginPage.jsp
1st page : User
2nd page : Password
Then the requested page is displayed (Hello World)
Cookies set :
ora_oaam_vsc
JSESSIONID
OAM_ID
OAM_REQ
OAMAuthnCookie_oam.example.com
If user login fails
In oaam_admin, set the Environment -> Properties entry
bharosa.uio.default.username.case.sensitive=false