
Post on 17-Mar-2018


Robert Honeyman

Honeyman IT Consulting

http://www.honeymanit.co.uk

rob.honeyman@honeymanit.co.uk

Oracle Access Manager Basic Free OAM SSO license for

Forms and Reports on Weblogic Server

Custom Java Apps previously developed for 10g AS / OC4J

Link to license documentation http://docs.oracle.com/cd/E28280_01/doc.1111/e14860/oam_basic.htm

Restricted features and configurations apply to OAM

OAM Basic: Restricted Features

No Access Manager SDK

No Custom Plug-Ins

LDAP only Oracle Internet Directory

Application Server OC4J or WebLogic

Web Server only OHS

No OAAM integration

No OIF integration

OAM - Forms Certification

Forms 11.1.1.x (11g R1) – Legacy OSSO 10.1.4.3 only

Forms 11.1.2.x (11g R2) – Native OAM + WebGate

Forms version     OID         OAM                    Legacy SSO
Forms 11.1.2.0    11.1.1.5+   11.1.1.5 only          OSSO 10.1.4.3
Forms 11.1.2.1+   11.1.1.5+   11.1.1.5+, 11.1.2.x    OSSO 10.1.4.3

OAM Basic + Forms: Latest Versions

Oracle Access Manager (11.1.2.2)

Oracle Internet Directory (11.1.1.7)

Forms and Reports (11.1.2.3)

Weblogic 11g R1 (10.3.6)

JDK 1.7u51

Database (11.2.0.4, 12.1)

IDM Directory Components

Oracle Internet Directory (LDAP)

OID Database

Weblogic (+JDK)

Oracle Directory Services Manager (ODSM)

Enterprise Manager – FMW Control

Identity Management (OID) Topology

Create OID Database

Database creation for OID database OIDDB

Character set - AL32UTF8

Server parameters

SHARED_POOL_SIZE=150M

SGA_MAX_SIZE=150M minimum (Set to 1GB)

PARALLEL_MAX_SERVERS=1

PROCESSES=500

OPEN_CURSORS=500

Dedicated Server connections

Prepare OID repository using RCU 11.1.1.7

Select only ‘Identity Management / Oracle Internet Directory’

ODS schema – fixed name, no prefixes / customization

OID Installation

Install JDK + Weblogic 10.3.6 for ODSM

Create Weblogic domain IDMDomain for ODSM

Install Identity Management 11.1.1.x

Run Identity Management configuration tool

Select (Oracle Internet Directory, Management Components)

ORACLE_INSTANCE location must be specified

Specify default realm (dc=mycompany,dc=com)

OID Server Processes

OAM Components

Access Manager (SSO / Authentication / Access Control)

OAM Database (Policy Store / Session Persistence)

Weblogic (+ Coherence + JDK)

Web Tier (OHS + WebGate)

Audit Database (Optional)

OAM Topology

OAM Features and Config

OAM Server

SSO, Authentication, Authorization, Sessions

WebGate talks Oracle Access Protocol to OAM Server

Admin Server

WebLogic / EM admin consoles

OAM console – policy configuration

OAM Database

Access control policies (resources, authentication, authorization)

OAM Session Data (optional persistent back up of in-memory)

Create OAM Database

Database creation for OAM database OAMDB

Character set - AL32UTF8

Server parameters

SHARED_POOL_SIZE=150M

SGA_MAX_SIZE=150M minimum (set to 1GB)

Dedicated server connections

Prepare OAM repository using RCU 11.1.2.x

Select the ‘Identity Management / Oracle Access Manager’ option

Dependencies auto-selected (MDS, IAU, OPSS)

Multiple prefixed schemas, prefix customizable

OAM Installation

Install JDK + Weblogic 10.3.6

Create separate domain for OAM – IAMDomain

Domain template - OAM, OEM, OPSS, JRF

Configure OAM Security Store before first startup

Prepare OID for use with OAM

Configure OAM to use OID

Create and Validate Security Store

Create the Security Store

  ${MW_HOME}/oracle_common/common/bin/wlst.sh \
    ${IAM_HOME}/common/tools/configureSecurityStore.py \
    -d ${DOMAIN_HOME} -c IAM -p <password> -m create

Validate the Security Store

  ${MW_HOME}/oracle_common/common/bin/wlst.sh \
    ${IAM_HOME}/common/tools/configureSecurityStore.py \
    -d ${DOMAIN_HOME} -m validate

OID as OAM Identity Store

Default ID Store is Weblogic Embedded LDAP

OID required for Forms - OAM integration

Oracle schema and OracleContext trees required

OAM heartbeats to check directory availability

OAM / OID Integration

idmConfigTool.sh – creates the Identity Store in OID:

  -preConfigIDStore

  -prepareIDStore mode=WLS (weblogic)

  -prepareIDStore mode=OAM (oamadmin)

Register Identity Store (OAM Console)

cn=oamLDAP,dc=mycompany,dc=com (not cn=orcladmin)

Change System Identity Stores (OAM Console)

System Store – admin accounts, groups, roles

Default Store – security token service / patching

LDAP Authentication Module (OAM Console)

OAM – Create OID Identity Store

OAM – OID system store 1

OAM – OID system store 2

OAM - LDAP Authentication Module

OAM / OID Integrated

(Topology diagram; recovered labels)

IAMDomain: AdminServer (HTTP 7001); oamserver on WebLogic (HTTP(S) 14100, 14101; OAP 5575); OAMDB – Policy / Session Data (Policy Store)

IDMDomain: OID LDAP server (LDAP(S) 3060, 3061); OIDDB – Identity Data (Identity Store); AdminServer (HTTP 7001); wls_ods for ODSM (HTTP 7005)

Forms: OAM Compatibility Review

Forms 11.1.2.x (OAM 11.1.2.x or 11.1.1.5)

Native compatibility

OAM WebGate compatible

Forms 10.1.x, 11.1.1.x

No native OAM compatibility

OAM OSSO Legacy agent compatible

WebGate Installation

Install WebGate into Forms / Web Tier MW_HOME

Standalone Web Tier for Forms – use forms.conf

Deploy WebGate module to OHS

  deployWebGateInstance.sh \
    -w ${ORACLE_INSTANCE}/config/OHS/${ohs_instance} \
    -oh ${WEBGATE_ORACLE_HOME}

Configure OHS directives

  EditHttpConf \
    -w ${ORACLE_INSTANCE}/config/OHS/${ohs_instance} \
    -oh ${WEBGATE_ORACLE_HOME} \
    -o webgate.conf

OAM – WebGate Agent Registration

WebGate Agent and Policy Registration

RREG (XML config file) + oamreg.sh

OAM Console

After agent registration copy files to WebGate config

cwallet.sso

ObAccessClient.xml

Password.xml (if using Simple / Cert mode)

OAM RREG example

  <?xml version="1.0" encoding="UTF-8"?>
  <OAM11GRegRequest>
    <serverAddress>http://myhost.mycompany.com:7001</serverAddress>
    <hostIdentifier>APPDEV</hostIdentifier>
    <agentName>APPDEV</agentName>
    <agentBaseUrl>http://myhost.mycompany.com:7777</agentBaseUrl>
    <preferredHost>http://myhost.mycompany.com:7777</preferredHost>
    <security>open</security>
    <protectedResourcesList>
      <resource>/forms/frmservlet?*oamMode=true*</resource>
    </protectedResourcesList>
    <publicResourcesList>
      <resource>/</resource>
      <resource>/.../</resource>
    </publicResourcesList>
  </OAM11GRegRequest>

OAM – Policy Configuration

Host Identifiers – Virtual Hosting

Application Resources - URLs

Authentication Schemes

Methods for identity and credential verification

Authentication Policies

Link authentication schemes to resources

Authorization Policies

Rules to control access to resources

Forms: OAM Configuration

OAM: configure host identifiers, policies and protect

/forms/frmservlet?*oamMode=true*

OAM LDAP Authentication Scheme set ssoCookie=disablehttponly

Associate Forms with OID

Configure Forms SSO parameters (formsweb.cfg or FMW Control)

Configure Resource Access Descriptors (RADs) in OID

Web SSO ID mapped to DB credentials

LDAP entry in OID maintains the mapping

Defaults, pre-populated or created on first user login
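Added example (not code from the slides or from Oracle): a Python script that parses an RREG request like the one registered above and classifies sample Forms URLs against its protected and public resource lists, flagging the open security mode along the way. The pattern rules it applies, the sample URLs and the parse_rreg/review helpers are assumptions made here, not OAM's own matching code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the slide's RREG request; the matcher below is an
# assumed simplification of OAM's rules ('*' = any chars in one path segment, or any
# chars in a query string; '/.../' = any number of directory levels), not OAM code.
RREG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<OAM11GRegRequest><agentName>APPDEV</agentName><security>open</security>
  <protectedResourcesList><resource>/forms/frmservlet?*oamMode=true*</resource></protectedResourcesList>
  <publicResourcesList><resource>/</resource><resource>/.../</resource></publicResourcesList>
</OAM11GRegRequest>"""

def parse_rreg(xml_text):
    root = ET.fromstring(xml_text)
    return {"security": root.findtext("security"),
            "protected": [r.text for r in root.findall("protectedResourcesList/resource")],
            "public": [r.text for r in root.findall("publicResourcesList/resource")]}

def pattern_to_regex(pattern):
    path, _, query = pattern.partition("?")
    rx = "^" + "".join("(?:[^/]+/)*" if t == ".../" else "[^/]*" if t == "*" else re.escape(t)
                       for t in re.split(r"(\.\.\./|\*)", path))
    if query:
        rx += r"\?" + "".join(".*" if t == "*" else re.escape(t) for t in re.split(r"(\*)", query))
    else:  # a pattern with no query part also matches URLs that carry one
        rx += r"(?:\?.*)?"
    return re.compile(rx + "$")

def classify(url, reg):
    # Protected list consulted first; URLs matching neither fall to WebGate's default handling.
    for label in ("protected", "public"):
        if any(pattern_to_regex(p).match(url) for p in reg[label]):
            return label
    return "unmatched"

def review(xml_text, urls):
    reg = parse_rreg(xml_text)
    findings = []
    if reg["security"] == "open":  # open mode: OAP between WebGate and OAM server is unencrypted
        findings.append("security=open; Simple or Cert mode would also need Password.xml "
                        "copied to the WebGate config")
    return {u: classify(u, reg) for u in urls}, findings

if __name__ == "__main__":
    verdicts, findings = review(RREG_XML, ["/forms/frmservlet?config=app&oamMode=true",
                                           "/forms/frmservlet?config=app", "/forms/", "/"])
    print(verdicts, *findings, sep="\n")
```

Under the assumed rules only the oamMode=true request is protected, the bare servlet URL matches neither list, and the open security mode is reported as a finding to review.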

OAM – Protected Authentication Policy

OAM – Public Authentication Policy

LDAP Authentication Scheme

Forms – Associate with OID

Forms: Key SSO Parameters

ssoMode – instructs Forms of the type of SSO agent

webgate – Forms 11.1.2.x

mod_osso (true) – Forms 11.1.1.x

false – No SSO

ssoProxyConnect – use shared Proxy account

Login Credentials / RAD used are for Proxy database account

Web SSO ID used as Named User database account

Privileges against Named User database account

ssoDynamicResourceCreate – allows dynamic RAD creation

Proxy Users

Application user must match SSO ID

Proxy username matches RAD

  CREATE USER proxy_user IDENTIFIED BY <password>;
  GRANT CREATE SESSION TO proxy_user;
  CREATE USER app_user IDENTIFIED BY <password>;
  GRANT CREATE SESSION TO app_user;
  ALTER USER app_user GRANT CONNECT THROUGH proxy_user;

Connect string: proxy_user[app_user]/proxy_password@Database

Forms : RAD first login

Forms: OAM SSO

(Flow diagram; recovered labels)

Components: Web Browser; Web Tier (WebGate, FORMS); OAM with OID and the OAM DB Policy Datastore; FORMS DB / Application Datastore

Flows: WWW Requests, Login requests and Forms Requests from the browser (HTTP), with the OAMAuthnCookie redirect and OAM_ID cookie; WebGate to OAM server (OAP); SSO Identities between OAM and OID (LDAP); DB Resource Access Descriptors between Forms and OID (LDAP); Policy data requests from OAM to its database (TNS); App data requests from Forms to the Application Datastore (TNS)

EUS : Forms and SSO

Enterprise Users stored in OID / LDAP

Individual user accounts not required on database

Shared schemas mapped to Enterprise Users

Can use only one database account

LDAP subtree (partial dn) mapping

Single map of multiple users to single shared schema

Password authentication included in Enterprise Edition

EUS : Register Database with OID

NetCA

ldap.ora

DBCA

Wallet creation and entry registration

cwallet.sso

Mappings in EM

EUS : Create schema

Private / Exclusive schema

  CREATE USER username IDENTIFIED GLOBALLY AS '<DN of directory user entry>';

Shared schema

  CREATE USER username IDENTIFIED GLOBALLY AS '';

EUS : Proxy Permissions

Create proxy permission for DB user

  ALTER USER <shared schema> GRANT CONNECT THROUGH ENTERPRISE USERS;

Select Enterprise Users as grantees
