
Page 1: Oracle Access Management

BASEL BERN BRUGG DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. GENF HAMBURG KOPENHAGEN LAUSANNE MÜNCHEN STUTTGART WIEN ZÜRICH

Oracle Access Management - Needful things to survive

Michael Mühlbeyer, Trivadis GmbH

Page 2: Oracle Access Management

Agenda

Oracle Access Management -Needful things to survive2 19.05.2015

1. Project and Architecture

2. Installation Oracle Access Management

3. SSO Agents

– OSSO Agents

– 11g WebGates

4. Customize Login Pages

5. Summary

Page 3: Oracle Access Management


Project and Architecture

Page 4: Oracle Access Management

Project

Industry

– Public Administration

Technologies and Products

Oracle Fusion Middleware 11gR1 and 11gR2

– Java JDK 1.6.0_45

– WebLogic Server 10.3.6

– Internet Directory 11.1.1.7

– Access Management 11.1.2.2

– Portal 11.1.1.7

– Discoverer 11.1.1.7

Oracle Database Appliance V1, 2.8.0.0

Database EE 11.2.0.4

Challenge

– Migrate the existing Portal 10g solution to the latest version

– Install on new hardware

– Use Oracle Linux as OS

Solution

– Migration of Portal 10g to 11g including Internet Directory, Access Management and Discoverer

– Replace SSO 10g with Access Management 11g

Page 5: Oracle Access Management

Middleware Infrastructure Architecture Development

Components read from the diagram:

– WebLogic clusters: Partner, Portal, OAM, OID

– Access from the Intranet through an F5 LoadBalancer (LBVODA2)

– Database: ODAEW (RAC)

Page 6: Oracle Access Management

Middleware Infrastructure Architecture Test

Components read from the diagram:

– WebLogic clusters: QS Partner, QS Portal, QS OID, QS OAM

– Access from the Intranet and from the Internet through an F5 LoadBalancer

– Database: ODAQS (RAC) with ODAQS STANDBY (RAC)

Page 7: Oracle Access Management

Middleware Infrastructure Architecture Production

Components read from the diagram:

– WebLogic clusters: PROD Partner, PROD Portal, PROD OID, PROD OAM

– Access from the Intranet and from the Internet through an F5 LoadBalancer

– Database: ODAPROD (RAC) with ODAPROD STANDBY (RAC)

Page 8: Oracle Access Management

OAM Architecture

Components read from the diagram:

– Load balancer BIG-IP 6900 with a virtual server for OAM

– WebLogic cluster of two OAM cluster nodes running oam_server1 and oam_server2, both on port 14100; AdminServer on port 8001

– Firewall towards the database tier

– Database RAC ODAEW with the instances ODAEW1 (host oda21) and ODAEW2 (host oda22), reached through the SCAN listener

Page 9: Oracle Access Management

Database Architecture

Components read from the diagram (two Oracle Database Appliances, ODA1 and ODA2, each running RAC):

– ODAEW (RAC): Node1 on ODAEW1, Node2 on ODAEW2; no standby (development)

– ODAQS (RAC): Primary1/Primary2 on ODAQS1/ODAQS2, Standby1/Standby2 kept in sync by Data Guard

– ODAPROD (RAC): Primary1/Primary2 on ODAPROD1/ODAPROD2, StandBy1/StandBy2 kept in sync by Data Guard

Page 10: Oracle Access Management


Installation

Oracle Access Management

Page 11: Oracle Access Management

Installation

The binaries are installed in silent mode with a response file; the configuration is then started out of the Middleware_Home:

cd /u00/app/oracle/product/$ENV/middleware/oam11122/common/bin
./config.sh

Page 12 to 15: Oracle Access Management

Installation (these four slides carry no text beyond the title)

Page 16: Oracle Access Management

Installation

Run the PatchSet Assistant after the configuration has completed successfully:

export MW_HOME=/u00/app/oracle/product/$ENV/middleware/oam11122
cd $MW_HOME/oracle_common/bin
./psa

Page 17: Oracle Access Management

Installation

Database Security Store creation:

export MW_HOME=/u00/app/oracle/product/es/middleware/oam11121
export ORACLE_HOME=$MW_HOME/Oracle_OAM
export DOMAIN_HOME=$MW_HOME/user_projects/domains/OAMDomain
$MW_HOME/oracle_common/common/bin/wlst.sh $ORACLE_HOME/common/tools/configureSecurityStore.py -d $DOMAIN_HOME -m create -p <password>

Note that -p puts the security store password on the command line, where it is visible to every local user in the process list and ends up in the shell history; run the command from a shell with history disabled, or remove the entry afterwards.

Page 18: Oracle Access Management

Installation

Database Security Store validation:

export PATH=$MW_HOME/oracle_common/common/bin:$PATH
cd $ORACLE_HOME/common/tools
wlst.sh configureSecurityStore.py -d $DOMAIN_HOME -m validate
...
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Info: Data source is: opss-DBDS
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
WLS ManagedService is not up running. Fall back to use system properties for configuration.
Info: Diagnostics data was saved to the credential store.
Info: Validate operation has completed successfully
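When the validation is scripted rather than typed in by hand, the output above should be checked, not just the exit code of wlst.sh. The following Python is an added example and not part of the slides or of any Oracle tool: it looks for the success marker, flags Java error lines, and confirms the data source name. SAMPLE_OUTPUT is constructed from the lines shown above; the expected data source name opss-DBDS is the one printed there.

```python
"""Check the output of 'configureSecurityStore.py -m validate'.

Added example (not part of the original slides): an installation script
should parse the WLST output for the success marker and for Java errors,
and confirm that the security store points at the intended OPSS data
source. SAMPLE_OUTPUT is constructed from the lines shown on the slide;
it is not captured from a live system.
"""
import re

SUCCESS_MARKER = "Validate operation has completed successfully"
# Lines WLST prints when something went wrong (Java exceptions, 'Error:' lines).
ERROR_PATTERN = re.compile(r"^(Error|SEVERE|Caused by|Traceback)\b|Exception\b")

SAMPLE_OUTPUT = """\
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Info: Data source is: opss-DBDS
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
WLS ManagedService is not up running. Fall back to use system properties for configuration.
Info: Diagnostics data was saved to the credential store.
Info: Validate operation has completed successfully
"""


def parse_validate_output(text):
    """Return {'ok': bool, 'data_source': str or None, 'errors': [lines]}.

    'ok' requires the success marker and the absence of error lines, so a run
    that printed the marker after an earlier exception is still flagged.
    """
    data_source = None
    errors = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Info: Data source is: (\S+)", line)
        if m:
            data_source = m.group(1)
        elif ERROR_PATTERN.search(line):
            errors.append(line)
    return {
        "ok": SUCCESS_MARKER in text and not errors,
        "data_source": data_source,
        "errors": errors,
    }


def check_security_store(text, expected_data_source="opss-DBDS"):
    """Combine the parse with the deployment's expectation about the data
    source. Returns (passed, reasons) so the caller can log why a run failed."""
    result = parse_validate_output(text)
    reasons = []
    if not result["ok"]:
        reasons.append("validation did not complete successfully")
    reasons.extend(result["errors"])
    if result["data_source"] != expected_data_source:
        reasons.append("unexpected data source: %r" % result["data_source"])
    return (not reasons, reasons)


if __name__ == "__main__":
    import sys
    # Pipe the wlst.sh output in; without a pipe the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    passed, reasons = check_security_store(text)
    print("PASS" if passed else "FAIL: " + "; ".join(reasons))
    sys.exit(0 if passed else 1)
```

Usage: `wlst.sh configureSecurityStore.py -d $DOMAIN_HOME -m validate | python check_validate.py` (file name assumed); the exit status then reflects the parsed result rather than only whether WLST started.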

Page 19: Oracle Access Management

Installation

Because of the existing OAM configuration of the development environment, some default ports had to be changed:

– OAM Proxy Port 5575 changed to 5675

– oam.coherence.localport 9095 changed to 9195

The second cluster node was installed in the same way as the first one.

Extend Cluster

– pack.sh on oamqs01

– unpack.sh on oamqs02

– AdminServer WebLogic Console

– Set up servers oam01, oam02

– Server configuration oam_server1, oam_server2

– Cluster configuration qsoam_cluster

Page 20: Oracle Access Management


SSO Agents

Page 21: Oracle Access Management

Access Management Services


Page 22: Oracle Access Management

Access Management Services

General description

– Provides Single Sign-On (SSO) through a common SSO Engine: central login and logout functionality, central login page

– The SSO Engine provides a consistent service across multiple protocols and across multiple network domains

– Support for different identity stores

Project scope

– Application SSO across multiple network domains

– Integrated applications are Oracle Portal, Oracle Discoverer and several Java applications

– Oracle Internet Directory is used to store all user identities

Page 23: Oracle Access Management

SSO Components

Needed SSO components and basic functionality

– The OAM Server provides the SSO Engine for applications using SSO

– Web applications are accessible through URLs within a network

– Application URLs are protected using SSO Agents

– The SSO Agent is a generic software component

  – Controlling the access to the application

  – Delegating authentication and authorization tasks to the OAM Server

  – Installed in front of the application or part of the Web Server hosting the application

  – Usually an HTTP Server with a specific module

– Cookies are used to identify authenticated users; whoever holds the cookie is the user, so every hop that carries it (browser to agent, agent to OAM Server) needs TLS and the session cookies should be set with the Secure and HttpOnly flags

– The Access Manager Console is used for the configuration details

Page 24: Oracle Access Management

Connection Workflow


Page 25: Oracle Access Management


OSSO Agents

Page 26: Oracle Access Management

SSO Agent - OSSO Agent

Oracle Portal and Oracle Discoverer are using OSSO Agents

OSSO Agents are a special type of SSO Agents

– An HTTP Server with the module "mod_osso" is needed

– The Portal and Discoverer installations provide an HTTP Server including the module "mod_osso"; this HTTP Server is used as the OSSO Agent

Access Manager Console Configuration

– Create OSSO Agent

– Create User Identity Store

– Configure Authentication Scheme

– Configure Authentication Module

– Configure Authentication Policy of the Application Domain

Page 27: Oracle Access Management

Create OSSO Agent

Values

– Name PortalIntra

– Base URL http://portal.intra.local:8090

– Host Identifier portal.intra

Creates a new application domain "PortalIntra"

Creates the configuration file "osso.conf" for the SSO agent

– This file must be copied to the HTTP Server of the SSO Agent; it carries the agent's key, so treat it like a credential: copy it over a secure channel and make it readable only by the user the HTTP Server runs as

Restart the HTTP Server

Page 28: Oracle Access Management

Create User Identity Store

User identities of the project are stored in Oracle Internet Directory

Access Manager Console: Configuration, User Identity Stores

Values

– Name <storename>

– Store Type OID: Oracle Internet Directory

– Location poid.local.intra:389

– Bind DN cn=orcladmin

– Password <pwd>

– Login ID Attribute uid

– User Password Attribute userPassword

– User Search Base cn=Users,dc=local,dc=intra

– Group Search Base cn=Groups,dc=local,dc=intra

Two of these values deserve a second look before going live: cn=orcladmin is the OID superuser, so a dedicated bind account with read access to the user and group subtrees is the safer choice, and port 389 is plain LDAP, so the bind password and the user passwords checked during authentication cross the network unencrypted unless the store is switched to LDAPS (port 636) or the path to the directory is otherwise protected.

Page 29: Oracle Access Management

OSSO Agent: Configure Authentication Scheme

The Authentication Scheme is part of the Application Domain

– References the User Identity Store: use LDAPScheme for OID

– Defines the Authentication Module, which depends on the LDAPScheme

– Defines the Challenge URL: forward to the login page

Page 30: Oracle Access Management

OSSO Agent: Configure Authentication Module

The Authentication Module "LDAPPlugin" is pre-configured and ready to use

– Provides two steps of user authentication

  – stepUI User Identification (identify the LDAP user entry)

  – stepUA User Authentication (compare the user password)

– The parameter KEY_IDENTITY_STORE_REF must match the User Identity Store for each step

Page 31: Oracle Access Management

OSSO Agent: Configure Authentication Policy

The Authentication Policy is part of the Application Domain

– The Application Domain includes all details of the SSO Agent

– The Authentication Policy defines the public and the protected resources of your application

– The Protected Resource Policy must reference the Authentication Scheme configured before

– Changes take effect on the SSO Agent directly; no server restart is needed
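The split into public and protected resources is the place where an application domain is most easily misconfigured, because a public pattern that is broader than intended, or a request path that is not canonicalised before matching, lets a protected resource through. The Python below is an added example, not part of the slides and not OAM's matching engine: it models the concept (protected list, public list, fail closed on no match, most specific pattern wins) and normalises the path first. The pattern syntax is an assumption made for the example (a literal segment must match exactly, `*` matches one segment, `**` any remaining depth); the PortalIntra patterns are constructed.

```python
"""Public vs protected resources in an Application Domain.

Added example: a model of the policy concept (a protected resource list, a
public resource list, unmatched resources treated as protected), not OAM's
own matching engine. The pattern syntax is an assumption for this example:
a literal segment must match exactly, '*' matches one path segment and '**'
matches any remaining depth. The domain name and patterns are constructed.
"""
import posixpath
from urllib.parse import unquote


def normalize(request_path):
    """Canonicalise the path before it is matched, so that '..', '.',
    repeated slashes or a percent-encoded '..' cannot steer a request for a
    protected resource into a public pattern. The query string is dropped
    because the policy is defined on paths."""
    path = unquote(request_path.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))


def _segments(path):
    return [s for s in path.split("/") if s]


def matches(pattern, path):
    """True if the (already normalised) path matches the pattern."""
    pseg, rseg = _segments(pattern), _segments(path)
    i = 0
    for seg in pseg:
        if seg == "**":
            return True                 # any remaining depth is covered
        if i >= len(rseg):
            return False                # pattern is longer than the path
        if seg != "*" and seg != rseg[i]:
            return False
        i += 1
    return i == len(rseg)               # no trailing segments left unmatched


def specificity(pattern):
    """More literal segments and fewer '**' make a pattern more specific."""
    seg = _segments(pattern)
    return (sum(1 for s in seg if s not in ("*", "**")), -seg.count("**"))


class ApplicationDomain:
    def __init__(self, name, protected, public):
        self.name = name
        self.protected = list(protected)
        self.public = list(public)

    def decision(self, request_path):
        """Return 'protected' or 'public'. The most specific matching pattern
        wins; on equal specificity the protected pattern wins, and a path that
        matches nothing is protected as well (fail closed)."""
        path = normalize(request_path)
        best = None                     # (specificity, kind)
        for kind, patterns in (("protected", self.protected), ("public", self.public)):
            for pat in patterns:
                if matches(pat, path):
                    spec = specificity(pat)
                    if best is None or spec > best[0]:
                        best = (spec, kind)
        return best[1] if best else "protected"


# Constructed policy in the spirit of the PortalIntra domain from the slides.
PORTAL_INTRA = ApplicationDomain(
    "PortalIntra",
    protected=["/portal/**"],
    public=["/portal/public/**", "/portal/images/*"],
)
```

Because the protected list is evaluated first and only a strictly more specific pattern replaces it, a public pattern that merely equals a protected one in specificity never wins; in a review of a real domain the same question should be asked of every entry in the public list.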

Page 32: Oracle Access Management


11g WebGates

Page 33: Oracle Access Management

SSO Agent - WebGate

Java Web Applications hosted on WebLogic Server are using WebGates

11g WebGates are a special type of SSO Agents

– Installation of the HTTP Server software is required

– Installation and configuration of the WebGate software is required

Access Manager Console Configuration

– Create 11g WebGate

– Configure Authentication Scheme (same as for the OSSO Agent)

– Configure Authentication Module (same as for the OSSO Agent)

– Configure Authentication Policy of the Application Domain (same as for the OSSO Agent)

Page 34: Oracle Access Management

11g WebGate: Create 11g WebGate

Values

– Name

– Base URL

– Protected Resource List

– Public Resource List

– Use the option "AutoCreatePolicies"

Creates a new application domain

Creates the configuration files ObAccessClient.xml and cwallet.sso

– Both files must be copied to the WebGate; cwallet.sso holds the agent's password, so copy it over a secure channel and restrict it to the user the HTTP Server runs as

Restart the HTTP Server

Page 35: Oracle Access Management

WebGate Configuration

WebLogic Server

– Configure additional security providers within the Security Realm: OAMIdentityAsserter, OIDAuthentication

– The OAMIdentityAsserter trusts the identity header that the WebGate sets on the forwarded request, so the managed servers must be reachable only through the HTTP Server running the WebGate (firewall rule or WebLogic connection filter); a WebLogic port that clients can reach directly would accept a forged header

HTTP Server

– The WebGate configuration (webgate.conf) is written automatically; the WebGate must know where to find the OAM Server

– Configure virtual hosts (virtual_hosts.conf), needed in HA environments

– Configure the WebLogic handler (mod_wl_ohs.conf): defines the weblogic-handler and the WebLogicCluster for each application
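The trust relationship behind the OAMIdentityAsserter is worth spelling out in code, because it is easy to test once written down: the managed server may believe an identity header only when the request demonstrably came through the WebGate. The Python below is an added example and not the WebLogic provider itself; it models the two checks a deployment relies on. OAM_REMOTE_USER is the header the 11g WebGate sets for the asserter; the peer addresses and header values are constructed.

```python
"""Where the asserted identity may come from.

Added example, not the WebLogic OAMIdentityAsserter itself: a model of the
trust boundary the provider depends on. The WebGate on the HTTP Server sets
the OAM_REMOTE_USER header after it has validated the user's session and
mod_wl_ohs forwards it to the managed server, which then believes it. A
request that reaches the managed server without passing the WebGate, or a
client-supplied header forwarded unchanged, must not be accepted. Addresses
and header values below are constructed for the example.
"""
import ipaddress

IDENTITY_HEADER = "oam_remote_user"          # compared case-insensitively
# Headers an identity asserter may consume; the exact set to strip should be
# taken from the provider's configured "Active Types" in the Security Realm.
ASSERTION_HEADERS = ("oam_remote_user", "oam_identity_assertion")

# Constructed: the two OHS/WebGate hosts of the cluster, the only peers that
# may deliver an asserted identity to the WebLogic managed servers.
TRUSTED_WEBGATE_PEERS = frozenset(
    ipaddress.ip_address(a) for a in ("10.1.1.21", "10.1.1.22")
)


def scrub_inbound_headers(headers):
    """Proxy side: drop identity headers that arrived from the client before
    the WebGate sets its own. Defence in depth, so that a request for a
    public resource (where the WebGate asserts nothing) cannot carry a forged
    header through to the application. Whether a given WebGate version already
    does this is something to verify in a test, not to assume."""
    return {k: v for k, v in headers.items() if k.lower() not in ASSERTION_HEADERS}


def asserted_user(headers, peer_ip, trusted=TRUSTED_WEBGATE_PEERS):
    """Managed-server side: return the asserted user name, or None.

    headers: request headers as received by WebLogic (any letter case).
    peer_ip: the TCP peer that delivered the request. This must be the
    address of the socket, never a client-controlled X-Forwarded-For value.
    """
    if ipaddress.ip_address(peer_ip) not in trusted:
        return None                       # direct access bypassing the WebGate
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get(IDENTITY_HEADER, "").strip()
    if not user or any(c in user for c in "\r\n\x00"):
        return None                       # empty or malformed value is not an identity
    return user
```

The same two checks make a useful acceptance test for the environment: a request with a hand-crafted OAM_REMOTE_USER header sent straight to the managed server port must not produce an authenticated session, and the same header sent through the HTTP Server for a public resource must not reach the application.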

Page 36: Oracle Access Management


Customize Login Pages

Page 37: Oracle Access Management

Developing Custom Login Pages

Access Management provides standard login pages and also supports custom login pages

– Develop your own Java application containing a login page

– Start developing using the Developer's Guide for Oracle Access Management 11.1.2.2

– The sample application does not work, but this will be fixed in future releases

– Use examples from the Web

Project scope

– Simple web application containing a Java Server Page for a form-based login

Page 38: Oracle Access Management

login.jsp

Directory structure of the web application:

loginpages
  deploy
    custompages.war
  custompages
    META-INF
      MANIFEST.MF
    WEB-INF
      lib
        oamcustomui.jar
      web.xml
    pages
      css
      images
      javascript
      login.jsp

Include oamcustomui.jar from Access Management

Page 39: Oracle Access Management

login.jsp

Access Management provides standard login pages and also supports custom login pages

– The OAM Server URL and the Credential Collector endpoint are needed

– Additional parameter REQUEST_ID (and the request token, if present) must be posted back as hidden fields

<form action="<%=oamLoginServerBaseURL%>/oam/server/auth_cred_submit" method="post">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="hidden" name="<%=GenericConstants.REQUEST_ID%>" value="<%=requestId%>" />
  <% if (requestToken != null && requestToken.length() > 0) { %>
  <input type="hidden" name="<%=GenericConstants.AM_REQUEST_TOKEN_IDENTIFIER%>" value="<%=requestToken%>" />
  <% } %>
</form>
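What the hidden REQUEST_ID field is for becomes clear when both sides of the exchange are written down. The Python below is an added example and a model of that exchange, not OAM's server code: the server records the original access request under a fresh request_id when it redirects to the login page, and the credential collector uses the posted request_id to find that request again and to refuse submissions that are unknown, expired or replayed. The request token (AM_REQUEST_TOKEN_IDENTIFIER) is left out of the model; the user store, the time-to-live and the login page path are constructed.

```python
"""The login exchange behind login.jsp: why request_id is posted back.

Added example, a model of the exchange and not OAM's server code. The user
store, the TTL and the page path are constructed; the request token from the
JSP is not modelled.
"""
import secrets
import time

LOGIN_PAGE = "/custompages/pages/login.jsp"    # constructed, follows the slides' layout
SUBMIT_ENDPOINT = "/oam/server/auth_cred_submit"
DUMMY_SECRET = "x" * 32                        # compared for unknown users (timing)


class CredentialCollector:
    def __init__(self, users, ttl_seconds=300, now=time.time):
        # Constructed user store {username: password} for the example only;
        # a real deployment authenticates against the User Identity Store (OID).
        self.users = dict(users)
        self.ttl = ttl_seconds
        self.now = now
        self.pending = {}                      # request_id -> (resource, issued_at)

    def challenge(self, resource):
        """Step 1: unauthenticated request for 'resource'. Remember it under a
        fresh, unguessable request_id and return the redirect to the login page."""
        rid = secrets.token_urlsafe(24)
        self.pending[rid] = (resource, self.now())
        return rid, "%s?request_id=%s" % (LOGIN_PAGE, rid)

    def auth_cred_submit(self, form):
        """Step 2: the login form POSTs username, password and request_id to
        SUBMIT_ENDPOINT. Returns ('redirect', resource) on success, otherwise
        ('error', reason)."""
        rid = form.get("request_id", "")
        entry = self.pending.get(rid)
        if entry is None:
            return ("error", "unknown or already used request_id")
        resource, issued = entry
        if self.now() - issued > self.ttl:
            del self.pending[rid]
            return ("error", "login request expired")
        username = form.get("username", "")
        supplied = form.get("password", "").encode()
        # Always run the constant-time compare, against a dummy for unknown
        # users, and give one message for both failures: the response must not
        # reveal whether the account exists.
        expected = self.users.get(username, DUMMY_SECRET).encode()
        ok = secrets.compare_digest(expected, supplied) and username in self.users
        if not ok:
            return ("error", "authentication failed")   # request_id stays valid for a retry
        del self.pending[rid]                            # single use: a replay is rejected
        return ("redirect", resource)
```

The model makes the two properties of the field visible: a submission is only accepted for a request the server itself issued and has not yet consumed, and the user lands on the resource originally requested rather than on a URL the form could choose.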

Page 40: Oracle Access Management

Deployment and Configuration

The application must be deployed on the OAM Server when the Embedded Credential Collector is used

– Deployment through the WebLogic Console

Access Manager Console: configure the Authentication Scheme

– Context Type = customWar

– Context Value = root context of the application

– Challenge URL = path to the login page

Page 41: Oracle Access Management


Summary

Page 42: Oracle Access Management

Needful Things to Survive

Needful Things

– Start with 11g Release 2

– Read the documentation and make yourself familiar with the concepts

Advantages

– Fully integrated with Oracle Fusion Middleware

– Integration of open source products is possible

Disadvantages

– Complex enterprise solution and functions

Page 43: Oracle Access Management


Further information

Fusion Middleware Documentation Library 11.1.2.2

Installation Guide Oracle Directory and Access Management 11.1.2.2

Administrator's Guide for Oracle Access Management 11.1.2.2

Developer's Guide for Oracle Access Management 11.1.2.2

http://www.ateam-oracle.com/

http://fusionsecurity.blogspot.de/

Page 44: Oracle Access Management

Questions & Answers

Michael Mühlbeyer

Trivadis GmbH

Phone +49 162 295 96 96

[email protected]
