Oracle Access Management - Needful things to survive
Michael Mühlbeyer, Trivadis GmbH
Agenda
Oracle Access Management - Needful things to survive, 19.05.2015
1. Project and Architecture
2. Installation of Oracle Access Management
3. SSO Agents
– OSSO Agents
– 11g WebGates
4. Customize Login Pages
5. Summary
Project and Architecture
Project
Industry
Public Administration
Technologies and Products
Oracle Fusion Middleware 11gR1 and 11gR2
– Java JDK 1.6.0_45
– WebLogic Server 10.3.6
– Internet Directory 11.1.1.7
– Access Management 11.1.2.2
– Portal 11.1.1.7
– Discoverer 11.1.1.7
Oracle Database Appliance V1, 2.8.0.0
Database EE 11.2.0.4
Challenge
Migrate the existing Portal 10g solution to the latest version
Install on new hardware
Use Oracle Linux as OS
Solution
Migration of Portal 10g to 11g including Internet Directory, Access Management and Discoverer
Replace SSO 10g with Access Management 11g
Middleware Infrastructure Architecture Development (diagram): Partner, Portal, OAM and OID WebLogic clusters; Intranet; F5 LoadBalancer; database LBVODA2ODAEW (RAC)
Middleware Infrastructure Architecture Test (diagram): QS Partner, QS Portal, QS OID and QS OAM WebLogic clusters; Intranet and Internet; F5 LoadBalancer; databases ODAQS (RAC) and ODAQS STANDBY (RAC)
Middleware Infrastructure Architecture Production (diagram): PROD Partner, PROD Portal, PROD OID and PROD OAM WebLogic clusters; Intranet and Internet; F5 LoadBalancer; databases ODAPROD (RAC) and ODAPROD STANDBY (RAC)
OAM Architecture (diagram): load balancer BIG-IP 6900 with a virtual server for OAM; firewall; OAM cluster node 1 and OAM cluster node 2 forming the WebLogic cluster with oam_server1 and oam_server2 on port 14100 and the AdminServer on port 8001; RAC database ODAEW (instances ODAEW1 on oda21 and ODAEW2 on oda22) reached through the SCAN Listener
Database Architecture (diagram): RAC databases on ODA1 and ODA2; ODAPROD primary (ODAPROD1 Primary1, ODAPROD2 Primary2) with Data Guard to the ODAPROD standby (StandBy1, StandBy2); ODAQS primary (ODAQS1 Primary1, ODAQS2 Primary2) with Data Guard to the ODAQS standby (Standby1, Standby2); ODAEW (ODAEW1 Node1, ODAEW2 Node2)
Installation of Oracle Access Management
Installation
Installation of the binaries in silent mode with a response file
Start the configuration out of the Middleware Home:
cd /u00/app/oracle/product/$ENV/middleware/oam11122/common/bin
./config.sh
PatchSet Assistant after successful configuration:
export MW_HOME=/u00/app/oracle/product/$ENV/middleware/oam11122
cd $MW_HOME/oracle_common/bin
./psa
Database Security Store creation:
export MW_HOME=/u00/app/oracle/product/es/middleware/oam11121
export ORACLE_HOME=$MW_HOME/Oracle_OAM
export DOMAIN_HOME=$MW_HOME/user_projects/domains/OAMDomain
$MW_HOME/oracle_common/common/bin/wlst.sh $ORACLE_HOME/common/tools/configureSecurityStore.py -d $DOMAIN_HOME -m create -p <password>
Database Security Store validation:
export PATH=$MW_HOME/oracle_common/common/bin:$PATH
cd $ORACLE_HOME/common/tools
wlst.sh configureSecurityStore.py -d $DOMAIN_HOME -m validate
...
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Info: Data source is: opss-DBDS
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
WLS ManagedService is not up running. Fall back to use system properties for configuration.
Info: Diagnostics data was saved to the credential store.
Info: Validate operation has completed successfully
Because of the existing OAM configuration of the development environment, some default ports had to be changed
– Change OAM Proxy Port 5575 to 5675
– Change oam.coherence.localport 9095 to 9195
The second cluster node was installed in the same way as cluster node one
Extend Cluster
– pack.sh on oamqs01
– unpack.sh on oamqs02
– AdminServer WebLogic Console
– Setup servers oam01, oam02
– Server config oam_server1, oam_server2
– Cluster config qsoam_cluster
SSO Agents
Access Management Services
General description
Provides Single Sign-On (SSO) through a common SSO Engine
– Central login and logout functionality
– Central login page
The SSO Engine provides a consistent service across multiple protocols and across multiple network domains
Support for different identity stores
Project scope
Application SSO across multiple network domains
Integrated applications are Oracle Portal, Oracle Discoverer and several Java applications
Oracle Internet Directory is used to store all user identities
SSO Components
Needed SSO components and basic functionality
The OAM Server provides the SSO Engine for applications using SSO
Web applications are accessible through URLs within a network
Application URLs are protected using SSO Agents
The SSO Agent is a generic software component
– Controlling the access to the application
– Delegating authentication and authorization tasks to the OAM Server
– Installed in front of the application or as part of the Web Server hosting the application
– Usually an HTTP Server with a specific module
Cookies are used to identify authenticated users
The Access Manager Console is used for the configuration details
Connection Workflow (diagram)
OSSO Agents
SSO Agent - OSSO Agent
Oracle Portal and Oracle Discoverer use OSSO Agents
OSSO Agents are a special type of SSO Agent
– An HTTP Server with the module "mod_osso" is needed
The Portal and Discoverer installations provide an HTTP Server including the module "mod_osso"
This HTTP Server is used as the OSSO Agent
Access Manager Console Configuration
– Create OSSO Agent
– Create User Identity Store
– Configure Authentication Scheme
– Configure Authentication Module
– Configure Authentication Policy of Application Domain
Create OSSO Agent
Values
– Name PortalIntra
– Base URL http://portal.intra.local:8090
– Host Identifier portal.intra
Creates a new application domain "PortalIntra"
Creates the configuration file "osso.conf" for the SSO Agent
This file must be copied to the HTTP Server of the SSO Agent
Restart the HTTP Server
Create User Identity Store
User identities of the project are stored in Oracle Internet Directory
Access Manager Console: Configuration, User Identity Stores
Values
– Name <storename>
– Store Type OID Oracle Internet Directory
– Location poid.local.intra:389
– Bind DN cn=orcladmin
– Password <pwd>
– Login ID Attribute uid
– User Password Attribute userPassword
– User Search Base cn=Users,dc=local,dc=intra
– Group Search Base cn=Groups,dc=local,dc=intra
OSSO Agent: Configure Authentication Scheme
The Authentication Scheme is part of the Application Domain
References the User Identity Store
– Use LDAPScheme for OID
Defines the Authentication Module
– Depends on LDAPScheme
Defines the Challenge URL
– Forward to the Login Page
OSSO Agent: Configure Authentication Module
The Authentication Module "LDAPPlugin" is pre-configured and ready to use
– Provides two steps of User Authentication
– stepUI: User Identification (identify the LDAP user entry)
– stepUA: User Authentication (compare the user password)
The parameter KEY_IDENTITY_STORE_REF must match the User Identity Store for each step
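An added Python model of the two LDAPPlugin steps and of the KEY_IDENTITY_STORE_REF check described above; it is not code from the slides or from Oracle, and the store name OIDStore, the user jdoe, the password and the in-memory directory are constructed assumptions.

```python
import hashlib
import hmac
# Constructed stand-in for the slides' OID User Identity Store (uid / userPassword,
# search base cn=Users,dc=local,dc=intra); digests replace a live LDAP compare.
IDENTITY_STORES = {
    "OIDStore": {
        "user_search_base": "cn=Users,dc=local,dc=intra",
        "login_id_attribute": "uid",
        "password_attribute": "userPassword",
        "entries": {
            "uid=jdoe,cn=Users,dc=local,dc=intra": {
                "uid": "jdoe",
                "userPassword": hashlib.sha256(b"s3cret-demo").hexdigest(),
            },
        },
    },
}
# The two LDAPPlugin steps; each carries its own KEY_IDENTITY_STORE_REF.
MODULE_STEPS = {
    "stepUI": {"KEY_IDENTITY_STORE_REF": "OIDStore"},
    "stepUA": {"KEY_IDENTITY_STORE_REF": "OIDStore"},
}
def unresolved_store_refs(steps):
    """Steps whose KEY_IDENTITY_STORE_REF matches no User Identity Store."""
    return [s for s, p in steps.items()
            if p["KEY_IDENTITY_STORE_REF"] not in IDENTITY_STORES]

def step_ui(username, steps):
    """stepUI: locate the user entry by login attribute below the search base."""
    store = IDENTITY_STORES[steps["stepUI"]["KEY_IDENTITY_STORE_REF"]]
    for dn, entry in store["entries"].items():
        if (dn.endswith("," + store["user_search_base"])
                and entry.get(store["login_id_attribute"]) == username):
            return dn
    return None

def step_ua(dn, password, steps):
    """stepUA: constant-time compare of the supplied password with the entry's."""
    store = IDENTITY_STORES[steps["stepUA"]["KEY_IDENTITY_STORE_REF"]]
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, store["entries"][dn][store["password_attribute"]])

def authenticate(username, password, steps=MODULE_STEPS):
    """Run both steps; a dangling KEY_IDENTITY_STORE_REF fails closed."""
    if unresolved_store_refs(steps):
        return False
    dn = step_ui(username, steps)
    # Unknown user and wrong password yield the same answer (no enumeration).
    return dn is not None and step_ua(dn, password, steps)
```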
OSSO Agent: Configure Authentication Policy
The Authentication Policy is part of the Application Domain
The Application Domain includes all details of the SSO Agent
The Authentication Policy defines the public and protected resources of your application
The Protected Resource Policy must match the Authentication Scheme
Changes directly affect the SSO Agent; no server restart is needed
11g WebGates
SSO Agent - WebGate
Java Web Applications hosted on WebLogic Server use WebGates
11g WebGates are a special type of SSO Agent
– Installation of the HTTP Server software is required
– Installation and configuration of the WebGate software is required
Access Manager Console Configuration
– Create 11g WebGate
– Configure Authentication Scheme (same as OSSO Agent)
– Configure Authentication Module (same as OSSO Agent)
– Configure Authentication Policy of Application Domain (same as OSSO Agent)
11g WebGate: Create 11g WebGate
Values
– Name
– Base URL
– Protected Resource List
– Public Resource List
– Use the option "AutoCreatePolicies"
Creates a new application domain
Creates the configuration files
– ObAccessClient.xml, cwallet.sso
The files must be copied to the WebGate
Restart the HTTP Server
WebGate Configuration
WebLogic Server
Configure additional Security Providers within the Security Realm
– OAMIdentityAsserter
– OIDAuthentication
HTTP Server
The WebGate configuration (webgate.conf) is configured automatically
– The WebGate must know where to find the OAM Server
Configure Virtual Hosts (virtual_hosts.conf)
– Needed in HA environments
Configure the WebLogic Handler (mod_wl_ohs.conf)
– Defines the weblogic-handler and the WebLogicCluster for each application
Customize Login Pages
Developing Custom Login Pages
Access Management provides standard Login Pages and also supports custom login pages
Develop your own Java application containing a login page
Start developing using the Developer's Guide
Developer's Guide for Oracle Access Management 11.1.2.2
The sample application does not work, but this will be fixed in future releases
Use examples from the Web
Project Scope
Simple Web Application containing a Java Server Page for a form-based login: login.jsp
Directory structure of the Web Application:
loginpages
  deploy
    custompages.war
  custompages
    META-INF
      MANIFEST.MF
    WEB-INF
      lib
        oamcustomui.jar
      web.xml
    pages
      css
      images
      javascript
      login.jsp
Include oamcustomui.jar from Access Management
login.jsp
The OAM Server URL and the Credential Collector endpoint are needed
Additional parameter REQUEST_ID
<form action="<%=oamLoginServerBaseURL%>/oam/server/auth_cred_submit" method="post">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="hidden" name="<%=GenericConstants.REQUEST_ID%>" value="<%=requestId%>">
  <% if (requestToken != null && requestToken.length() > 0) { %>
  <input type="hidden" name="<%=GenericConstants.AM_REQUEST_TOKEN_IDENTIFIER%>" value="<%=requestToken%>">
  <% } %>
</form>
Deployment and Configuration
The application must be deployed on the OAM Server when using the Embedded Credential Collector
WebLogic Console for Deployment
Access Manager Console: Configure Authentication Scheme
– Context Type = customWar
– Context Value = Application Root Context
– Challenge URL = Path to the Login Page
Summary
Needful Things to Survive
Needful Things
Start with 11g Release 2
Read the documentation and get familiar with the concepts
Advantages
Fully integrated with Oracle Fusion Middleware
Integration of Open Source products possible
Disadvantages
Complex enterprise solutions and functions
Further information
Fusion Middleware Documentation Library 11.1.2.2
Installation Guide Oracle Directory and Access Management 11.1.2.2
Administrator's Guide for Oracle Access Management 11.1.2.2
Developer's Guide for Oracle Access Management 11.1.2.2
http://www.ateam-oracle.com/
http://fusionsecurity.blogspot.de/
Questions & Answers
Michael Mühlbeyer
Trivadis GmbH
Phone +49 162 295 96 96