Oracle Access Manager 11g R2: Administration

Unauthorized reproduction or distribution prohibited. Copyright © 2017, Oracle and/or its affiliates.
Oracle Access Manager 11g R2:
Administration Essentials
Activity Guide
D77281GC30
Edition 3.0 | October 2015 | D91660
Learn more from Oracle University at oracle.com/education/
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and
print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way.
Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display,
perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization
of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please
report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.
Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United
States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS
The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted
by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.
Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective
owners.
Technical Contributors and Reviewers
Alessandro Leite, Alicia Shi-Yun Huang, Brad Herren, Dave Silvestro, Don Bates, Dr. Volker Zell
QA Engineers
Drishya TM, Sravanti Tatiraju

This book was published using: oracletutor
Author
Shankar Raman
Table of Contents
User Passwords Document .............................................................................................................................I-1
User Passwords Document............................................................................................................................I-2
Practices for Lesson 1: Course Overview .....................................................................................................1-1
Practices for Lesson 1....................................................................................................................................1-2
Practices for Lesson 2: Introduction to Oracle Access Manager ................................................................2-1
Practices for Lesson 2....................................................................................................................................2-2
Practices for Lesson 3: Installation and configuration .................................................................................3-1
Practices for Lesson 3: Overview ...................................................................................................................3-2
Practice 3-1: Configuring Oracle Access Manager Schema ..........................................................................3-4
Practice 3-2: Installing WebLogic Server and Identity Management Products ...............................................3-6
Practice 3-3: Configuring a WLS Domain for Oracle Access Manager ..........................................................3-9
Practice 3-4: Performing Sanity Checks .........................................................................................................3-15
Practices for Lesson 4: Agents and System Configuration .........................................................................4-1
Practices for Lesson 4: Overview ...................................................................................................................4-2
Practice 4-1: Configuring Oracle HTTP Server Instances ..............................................................................4-3
Practice 4-2: Installing and Configuring WebGates and Registering a WebGate by Using the OAM Console ......4-6
Practice 4-3: Registering WebGates by Using Different Interfaces ................................................................4-10
Practice 4-4: Configuring Delegated Administrator in Embedded LDAP ........................................................4-15
Practice 4-5: Configuring OUD as the Identity Store for OAM ........................................................................4-18
Practice 4-6: Working with IAMSuiteAgent.....................................................................................................4-22
Practices for Lesson 5: Configuring DCC, Policies, and Responses ..........................................5-1
Practices for Lesson 5: Overview ...................................................................................................5-2
Practice 5-1: Deploying an Application and Configuring OHS to Front-end the Application ............5-3
Practice 5-2: Configuring a Detached Credential Collector ............................................................5-7
Practice 5-3: Configuring Authentication and Authorization Policies ..............................................5-10
Practice 5-4: Managing Authentication and Authorization Responses ...........................................5-14
Practice 5-5: Customizing Access Policies for a Web Application..................................................5-17
Practice 6: Configuring Single Sign-On and Managing Sessions ...............................................................6-1
Practice 6: Overview ......................................................................................................................................6-2
Practice 6-1: Deploying and Configuring a Custom Login Page with DCC ....................................................6-3
Practice 6-2: Managing Sessions ...................................................................................................................6-7
Practice 6-3: Setting Up OUD to Enable Configuring Impersonation .............................................................6-11
Practice 6-4: Configuring and Testing Impersonation ....................................................................................6-14
Practices for Lesson 7: Use Access Manager With WebLogic Applications ..............................................7-1
Practices for Lesson 7: Overview ...................................................................................................................7-2
Practice 7-1: Deploying a Sample Application with BASIC Authentication .....................................................7-3
Practice 7-2: Configuring OAM Authentication for a Sample Application .......................................................7-6
Practices for Lesson 8: Configuring Auditing and Logging..........................................................8-1
Practices for Lesson 8: Overview ...................................................................................................................8-2
Practice 8-1: Configuring OAM Audit Logs to be Written to a Database ........................................................8-3
Practice 8-2: Configuring Oracle BI Publisher to View Audit Reports.............................................................8-9
Practice 8-3: Reviewing Logs .........................................................................................................................8-13
Practices for Lesson 9: Troubleshooting and Management ........................................................................9-1
Practices for Lesson 9: Overview ...................................................................................................................9-2
Practice 9-1: Working with Access Tester ......................................................................................................9-3
Practice 9-2: Working with Fusion Middleware Control ..................................................................................9-9
Practices for Lesson 10: Securing Communication Between WebGates and OAM Server ......................10-1
Practices for Lesson 10: Overview .................................................................................................................10-2
Practice 10-1: Setting Communication Mode Between Server and WebGates to "Simple". ..........................10-3
Practice 10-2: Configuring Server Certificates ...............................................................................................10-7
Practice 10-3: Configuring WebGates with Cert Mode ...................................................................................10-16
User Passwords Document
Chapter I
User Passwords Document
Level / Tier              User Name                        Password
a. Operating System       oracle                           oracle
                          root                             oracle
b. Database               SYS, system and all users        welcome1
c. Middleware             weblogic and all users           welcome1
d. LDAP (OUD)             All users in OUD                 welcome1
e. Certificates / PKI     All passphrases and passwords    welcome1
Practices for Lesson 1: Course Overview
Chapter 1
Practices for Lesson 1
There are no practices for this lesson.
Practices for Lesson 2: Introduction to Oracle Access Manager
Chapter 2
Practices for Lesson 2
There are no practices for this lesson.
Practices for Lesson 3: Installation and configuration
Chapter 3
Practices for Lesson 3: Overview
Practices Overview
The following diagram is a topology representation of all the components that you will work with
in the practice exercises. Take a moment to review it. It is recommended that you revisit this
diagram during your lab work to see how the topology is developed in each practice.
Important Notes for All Practices
a. At the start of each day, restart the WLS admin and OAM managed servers.
Note: The best way to ensure that the servers are stopped is to open the terminal
window for each server console and press Ctrl + C. Also, restart a server if it becomes
slow or unresponsive, which is usually because of memory limitations on the physical
lab machines.
b. All practices requiring terminal window interaction are performed as the oracle OS
user, except when you are explicitly asked to perform a task as the root user.
c. The following environment variables are preset in the bash profile for the oracle user
on the database and OAM machines:
DB machine:
JDK_HOME=/u01/app/oracle/product/jdk
ORACLE_HOME=/u01/app/oracle/product/database/db_home
ORACLE_SID=orcl
PATH=$ORACLE_HOME/bin:$PATH
MW_HOME=/u01/app/oracle/product/middleware
OUD_HOME=$MW_HOME/oud_home
OHS_HOME=$MW_HOME/ohs_home
ODSM_DOMAIN=/u01/app/user_projects/domains/odsm_domain
BI_HOME=/u01/app/oracle/product/bi_mw_home/Oracle_BI1
BI_DOMAIN=$BI_HOME/../user_projects/domains/bifoundation_domain
OAM machine:
MW_HOME=/u01/app/oracle/product/middleware
JDK_HOME=/u01/app/oracle/product/jdk
ORACLE_HOME=$MW_HOME/iam_home
DOMAIN_HOME=/u01/app/user_projects/domains/oam_domain
d. There are two browsers, Firefox and Chrome, on the OAM machine:
• Use Chrome to access Oracle Access Management Console, WLS Console, and EM FMW Control.
• Use Firefox to access sample applications such as the Banking application and the Bakery
application.
All consoles and applications should be bookmarked for you.
e. Only Firefox is available on the DB machine. Use Firefox to access WLS – OUD domain, ODSM,
and BI Pub.
Practice 3-1: Configuring Oracle Access Manager Schema
Overview
In this practice, you create OAM product schema in an Oracle DB (11.2.0.3) by using the
Repository Creation Utility (RCU).
Tasks [Perform these tasks on the DB machine]
1.
Set up the database initialization parameters to enable you to set up Oracle Identity and
Access Management products.
a. In a terminal window, ensure that you have logged in as the oracle user. Then
change directory to the setupfiles directory in the oracle user’s home directory.
$> whoami
oracle
$> cd $HOME/setupfiles
b. Invoke an SQL Plus session as a SYSDBA, and run init_oam.sql to set up the
initialization parameters.
$> sqlplus / as sysdba
...
SQL> @init_oam.sql
...
SQL>
c. Stop and start the database for the changed parameters to take effect.
SQL> shutdown immediate
...
SQL> startup
...
SQL> exit
...
$>
2.
Create Oracle Access Manager schema objects in the Oracle Database by using the
Repository Creation Utility.
a. Navigate to the /stage/rcu_11.1.2.3/bin directory and run the Repository
Creation Utility.
$> cd /stage/rcu_11.1.2.3/bin
$> ./rcu
b. Use the following table as a guide to make choices while creating the schema:
Step  Window Description                 Choices or Values
a.    Welcome                            Next
b.    Create Repository                  Create
c.    Database Connection Details        Database Type: Oracle Database
                                         Host Name: db.example.com
                                         Port: 1521
                                         Service Name: orcl.example.com
                                         Username: sys
                                         Password: <password for sys user>
                                         Role: SYSDBA
d.    Checking Prerequisites             OK
e.    Select Components                  Select an existing Prefix: DEV.
                                         Component: Expand the Identity Management node and select
                                         • Oracle Access Manager
                                         • Oracle Mobile Security Manager
                                         Note: Oracle Audit Services and Oracle Platform Security
                                         Service are selected because they are prerequisites for OAM.
f.    Checking Component Prerequisites   OK
g.    Schema Passwords                   Use the same passwords for all schemas.
                                         Password: <as specified by your instructor>
                                         Confirm Password: <as specified by your instructor>
h.    Map Tablespaces                    Next
i.    Confirmation                       OK
j.    Creating Tablespaces               OK
k.    Summary                            Create
l.    Completion Summary                 Close
Practice 3-2: Installing WebLogic Server and Identity Management Products
Overview
In this practice, you install Oracle WebLogic Server and Oracle Identity and Access
Management products on the oam machine.
Assumptions
To install Oracle WebLogic Server, you should have installed Oracle Java Development Kit
(JDK) on the machine. In the practice environments, the JDK has already been installed.
Tasks [Perform these tasks on the OAM machine]
1. Install Oracle WebLogic Server in the
/u01/app/oracle/product/middleware/wls_home folder.
You must install it in this specific folder to enable you to perform various tasks later using
scripts that rely on this path.
a. In the terminal window, verify that the JDK Java binary is in the path.
$> which java
/u01/app/oracle/product/jdk/jre/bin/java
Note: If /u01/app/oracle/product/jdk/jre/bin/java is not returned, edit the
~/.bash_profile file and set up the following lines:
$> export JDK_HOME=/u01/app/oracle/product/jdk
$> export PATH=$JDK_HOME/jre/bin:$PATH:$HOME/bin
Then source the file (. ~/.bash_profile) and repeat Step 1 to check your changes.
b. Remove any extraneous folders other than the oracle folder in the /u01/app directory.
$> cd /u01/app
$> shopt -s extglob
$> rm -rf !(oracle)
$>
c. Launch the WLS installer and install WebLogic Server. Use the following table to guide
your choices during installation.
$> java -jar /stage/wls_10.3.6/wls1036_generic.jar
Use the following table as a guide to populate the fields:
Window                                   Choices or Values
Welcome                                  Next
Choose Middleware Home Directory         Create a new Middleware home:
                                         /u01/app/oracle/product/middleware
Register for Security Updates            Deselect "I wish to receive security updates via my Oracle
                                         support."
Are You Sure?                            Yes. When you are back in the Register for Security
                                         Updates, then click Next.
Email Address Not Specified              Yes
Are You Sure?                            Yes
Connection Failed                        Select "I wish to remain uninformed of security issues in my
                                         configuration or this machine has no internet access."
                                         Click Continue.
Choose Install Type                      Custom
Choose Products and Components           Deselect Evaluation Database [at the component level] and
                                         Oracle Coherence [at the group level].
Choose Product Installation Directories  Product installation directories - WebLogic Server:
                                         /u01/app/oracle/product/middleware/wls_home
Installation Summary                     Next
Installation Complete                    Deselect Run Quickstart.
                                         Done
2. Install Oracle Identity and Access Management in its own Oracle home.
a. In the terminal window, as the oracle user, run runInstaller (the installer for
Oracle Identity and Access Management products) from the
/stage/iam_11.1.2.3/iamsuite/Disk1 directory.
$> cd /stage/iam_11.1.2.3/iamsuite/Disk1
$> ./runInstaller -jreLoc $JDK_HOME
b. Use the following table as a guide to populate the fields:
Window                                   Choices or Values
JDK Selection                            Select under Local JDK – Oracle 1.7.0_80.
Specify Inventory Directory              Inventory Directory: /u01/app/oraInventory
                                         Operating System Group name: oinstall
Inventory Location Confirmation Dialog   In a separate terminal window, as the super user [root], run
                                         /u01/app/oraInventory/createCentralInventory.sh.
                                         $> su
                                         Password: oracle
                                         #> /u01/app/oraInventory/createCentralInventory.sh
                                         #>
                                         Then click OK.
Welcome                                  Next
Install Software Updates                 Skip software updates.
Prerequisite Checks                      Next
Specify Installation Location            Oracle Middleware Home: /u01/app/oracle/product/middleware
                                         Oracle Home Directory: iam_home
Installation Summary                     Install
                                         Note: At 98%, the install wizard performs an inventory update
                                         and then applies a few patches. These operations take about
                                         15 minutes to complete.
Installation Progress                    Next
Installation Complete                    Finish
Practice 3-3: Configuring a WLS Domain for Oracle Access Manager
Overview
In this practice, you run the Configuration Wizard to create a new WLS domain and configure
the OAM server as part of the domain. Then you configure the database security store for the
domain. You also configure the boot.properties file to enable easy startup of WLS servers.
Note: When you configure the database security store:
• All domains in a logical OAM 11g R2 PS3 deployment share the same database security
store and use the same domain encryption key.
• The DB security store is required before starting the servers for the first time. For the
first domain, the -m create option is used for the Python script. For each subsequent
domain, you use the -m join option for the existing DB security store.
Tasks
1.
Create a WLS domain with OAM server by using the Domain Configuration Wizard.
a. On the OAM machine, launch config.sh from the common Oracle home.
$> cd $MW_HOME/oracle_common/common/bin
$> ./config.sh
b. Use the following table as a guide to populate the fields:
Window Description                        Choices or Values
Welcome                                   Create a new WebLogic domain.
Select Domain Source                      Generate a domain configured automatically to support the
                                          following products:
                                          • Oracle Access Management and Mobile Security Suite
                                          Note: The following products are automatically selected:
                                          • Oracle Enterprise Manager
                                          • Oracle WSM Policy Manager
                                          • Oracle JRF
                                          • Oracle Platform Security Service
                                          • Oracle OPSS Metadata for JRF
Specify Domain Name and Location          Domain name: oam_domain
                                          Domain location: /u01/app/user_projects/domains
                                          Application location: /u01/app/user_projects/applications
Configure Administrator User Name         Name: weblogic
and Password                              Password: <as specified by your instructor>
                                          Confirm user password: <as specified by your instructor>
Configure Server Start Mode               Production Mode
And JDK Selection                         Available JDKs: Sun SDK 1.7.0_80
Configure JDBC Component Schema           Select all the schemas in the table and change only the
                                          following fields in the header.
                                          Schema Password: <database user password>
                                          DBMS/Service: orcl.example.com
                                          Hostname: db.example.com
                                          Port: 1521
Test JDBC Component Schema                Next
Select Optional Configuration             Next [Do not select any component]
Configuration Summary                     Create
Creating Domain                           When the progress completes 100%, click Done.
2. Create a database security store for the OAM domain and populate the store appropriately.
a. On the OAM machine, execute the following command to create the database security
store:
$> cd $MW_HOME/oracle_common/common/bin
$> ./wlst.sh $ORACLE_HOME/common/tools/configureSecurityStore.py -d $DOMAIN_HOME -c IAM -m create -p <schema password>
Note: In the WLST command:
• -d specifies the OAM domain home directory.
• -c specifies the component (and it should be IAM in this case).
• -m specifies the mode of operation, create in this case.
• -p specifies the schema password.
You may notice a warning that “Audit operations cannot be done”. At this stage Audit
has not been configured. So ignore this message.
b. Verify that the security store has been created correctly by executing the following
command:
$> ./wlst.sh $ORACLE_HOME/common/tools/configureSecurityStore.py -d
$DOMAIN_HOME -m validate
Note: Verify that you see the “Validate operation has completed successfully” message
in the terminal window, as indicated in the following screenshot:
3. Set up the Java heap size parameters to 1024m and 2048m respectively. This will help start
the servers faster.
Edit the setDomainEnv.sh file in the $DOMAIN_HOME/bin folder to set up the heap size
parameters xms and xmx to 1024m and 2048m respectively.
1) In a terminal window, change directory to the $DOMAIN_HOME/bin folder and copy
setDomainEnv.sh to setDomainEnv.sh.orig.
2) Then, using a text editor, change the parameters: XMS_SUN_64BIT=1024 and
XMX_SUN_64BIT=2048. Set up the WLS_MEM_ARGS="-Xms1024m -Xmx2048m"
parameter for JAVA_VENDOR = Sun.
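A scripted way to make the same change, added here as an example and not part of the Oracle activity guide: it keeps the setDomainEnv.sh.orig backup from step 1), rewrites only XMS_SUN_64BIT, XMX_SUN_64BIT and the WLS_MEM_ARGS line inside the JAVA_VENDOR = Sun branch, leaves the other branch alone, and verifies the result. The make_sample_env function writes a constructed stand-in for the fragment of the real file that the practice edits (the parameter names come from the practice; the surrounding lines are assumed), so the script can be tried without a domain.

```shell
#!/bin/sh
# Added example, not from the Oracle activity guide: apply the Lesson 3 heap
# settings to setDomainEnv.sh in a repeatable way. The file is backed up to
# setDomainEnv.sh.orig once, only the three parameters named in the practice
# are rewritten, and the result is verified before the script reports success.
set -u

# Rewrite XMS_SUN_64BIT, XMX_SUN_64BIT and, inside the JAVA_VENDOR = "Sun"
# branch only, WLS_MEM_ARGS. $1 is the path to setDomainEnv.sh.
apply_heap_settings() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    [ -f "$f.orig" ] || cp "$f" "$f.orig"     # keep the pristine copy (step 1)
    awk '
        /JAVA_VENDOR.*"Sun"/                              { in_sun = 1 }
        in_sun && /^[[:space:]]*(else|fi)[[:space:]]*$/  { in_sun = 0 }
        /^XMS_SUN_64BIT=/                                 { $0 = "XMS_SUN_64BIT=\"1024\"" }
        /^XMX_SUN_64BIT=/                                 { $0 = "XMX_SUN_64BIT=\"2048\"" }
        in_sun && /^[[:space:]]*WLS_MEM_ARGS=/            { sub(/=.*/, "=\"-Xms1024m -Xmx2048m\"") }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Return 0 only when all three expected lines are present in $1.
verify_heap_settings() {
    f="$1"
    grep -q '^XMS_SUN_64BIT="1024"$' "$f" &&
    grep -q '^XMX_SUN_64BIT="2048"$' "$f" &&
    grep -q 'WLS_MEM_ARGS="-Xms1024m -Xmx2048m"' "$f"
}

# Constructed stand-in for the fragment of setDomainEnv.sh the practice edits;
# the parameter names follow the practice, the surrounding lines are assumed.
make_sample_env() {
    cat > "$1" <<'EOF'
#!/bin/sh
XMS_SUN_64BIT="256"
export XMS_SUN_64BIT
XMX_SUN_64BIT="512"
export XMX_SUN_64BIT
if [ "${JAVA_VENDOR}" = "Sun" ] ; then
    WLS_MEM_ARGS="-Xms256m -Xmx512m"
    export WLS_MEM_ARGS
else
    WLS_MEM_ARGS="-Xms512m -Xmx512m"
    export WLS_MEM_ARGS
fi
EOF
}

# Demo on a throw-away copy; prints "heap settings applied" on success.
demo_heap_edit() {
    work="$(mktemp -d)"
    make_sample_env "$work/setDomainEnv.sh"
    apply_heap_settings "$work/setDomainEnv.sh"
    verify_heap_settings "$work/setDomainEnv.sh" && echo "heap settings applied"
    rm -rf "$work"
}

if [ "${1-}" = "--demo" ]; then demo_heap_edit; fi
```

Run it with `sh heap.sh --demo` to exercise the sample; against a real domain, call `apply_heap_settings "$DOMAIN_HOME/bin/setDomainEnv.sh"` from the oracle user and then `verify_heap_settings` on the same path. Running it a second time does not overwrite the .orig backup, so the original values stay recoverable.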
4. Start the admin server, OAM managed server, and OAM Policy Manager.
a. Click Start WLS Admin Server on the desktop. It invokes a terminal window and starts
the admin server in the OAM domain.
When prompted, enter the username weblogic and the corresponding password.
Note: It takes about 10 minutes to start the admin server.
You may see the processes waiting at warning messages such as "<Warning>
<oracle.oam.foundation.access> <BEA-000000> <Status file not
found>"; you can ignore these warnings.
Eventually, in about 10 minutes, the server brings up the following message in the
terminal window:
<Server started in RUNNING mode>
You may also notice a few error and warning messages because the OAM server has
not yet been configured. You can ignore those messages.
b. After the admin server has been started, click Start OAM Server on the desktop. It
invokes a terminal window and starts the OAM server.
When prompted, enter the username weblogic and the password.
Look for the <Server started in RUNNING mode> message in the terminal
window, which shows that the OAM server is running.
c. After the admin server has been started, click Start Policy Manager on the desktop. It
invokes a terminal window and starts the Policy Manager server.
When prompted, enter the username weblogic and the password.
Look for the <Server started in RUNNING mode> message in the terminal
window, which shows that the Policy Manager server is running.
5. Create the boot.properties file for the three servers so that you are not prompted to enter username/password credentials for each stop or start operation.
a. Using the terminal window, create the boot.properties file in the $DOMAIN_HOME/servers/oam_server1/security folder. For your convenience, the file has already been created in the $HOME/labs/lesson03 folder, so you can copy this file to the $DOMAIN_HOME/servers/oam_server1/security folder.
cd $DOMAIN_HOME/servers/oam_server1
mkdir security
cp $HOME/labs/lesson03/boot.properties ./security
b. Similarly, create the boot.properties file in the $DOMAIN_HOME/servers/oam_policy_mgr1/security folder.
cd $DOMAIN_HOME/servers/oam_policy_mgr1
mkdir security
cp $HOME/labs/lesson03/boot.properties ./security
c. Create the boot.properties file in the $DOMAIN_HOME/servers/AdminServer/security folder.
cd $DOMAIN_HOME/servers/AdminServer
mkdir security
cp $HOME/labs/lesson03/boot.properties ./security
d. Click Stop OAM Server on the desktop to stop the OAM server and then click Stop Policy Manager on the desktop.
Note: You are not prompted for username and password when stopping the servers, because you have created the boot.properties file.
e. After the OAM server and Policy Manager have stopped, click Stop WLS Admin Server.
f. Start the admin server by using the desktop icon.
g. After you see that the admin server is in RUNNING mode, start the OAM server and Policy Manager by using the desktop icons. You are not prompted for username and password when starting the servers.
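The boot.properties file holds the credentials WebLogic reads at startup, so its permissions matter as much as its location. The script below is an added example, not part of the Oracle guide: it stages the file for the three servers named in steps a to c with owner-only permissions and then checks each copy. It assumes POSIX sh and find; DOMAIN_HOME defaults to a throwaway directory and the boot.properties content is a constructed sample with a placeholder password.

```shell
#!/bin/sh
# Added example: stage boot.properties for each WebLogic server under
# $DOMAIN_HOME/servers/<server>/security with owner-only permissions.
# Assumptions: POSIX sh, find and umask; DOMAIN_HOME and SRC_FILE default to a
# temporary directory and a constructed sample so the script runs anywhere.

DEMO_ROOT=$(mktemp -d)
DOMAIN_HOME=${DOMAIN_HOME:-$DEMO_ROOT/oam_domain}
SRC_FILE=${SRC_FILE:-$DEMO_ROOT/boot.properties}
SERVERS="oam_server1 oam_policy_mgr1 AdminServer"

# Constructed stand-in for $HOME/labs/lesson03/boot.properties (placeholder
# password; WebLogic encrypts both values on the server's first boot).
if [ ! -f "$SRC_FILE" ]; then
    mkdir -p "$(dirname "$SRC_FILE")"
    printf 'username=weblogic\npassword=<PLACEHOLDER>\n' > "$SRC_FILE"
fi

# install_boot_properties DOMAIN_HOME SERVER SRC
# Creates servers/SERVER/security (mode 0700) and copies SRC there as 0600.
install_boot_properties() {
    sec_dir="$1/servers/$2/security"
    (umask 077 && mkdir -p "$sec_dir" && cp "$3" "$sec_dir/boot.properties") || return 1
    chmod 600 "$sec_dir/boot.properties"
}

# check_boot_properties DOMAIN_HOME SERVER
# Returns 0 only if the file exists, carries both keys and is mode 0600.
check_boot_properties() {
    f="$1/servers/$2/security/boot.properties"
    [ -f "$f" ] || { echo "$2: boot.properties missing"; return 1; }
    grep -q '^username=' "$f" && grep -q '^password=' "$f" \
        || { echo "$2: username= or password= line missing"; return 1; }
    # POSIX find -perm with an octal mode is an exact match.
    [ -n "$(find "$f" -perm 600)" ] \
        || { echo "$2: boot.properties must be mode 0600"; return 1; }
    return 0
}

# stage_all DOMAIN_HOME SRC
# Installs and verifies for every server; the return code is the number of
# servers that failed the check (0 means all three are in place).
stage_all() {
    failures=0
    for s in $SERVERS; do
        install_boot_properties "$1" "$s" "$2"
        check_boot_properties "$1" "$s" || failures=$((failures + 1))
    done
    return $failures
}

stage_all "$DOMAIN_HOME" "$SRC_FILE" && echo "boot.properties staged for: $SERVERS"
```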
Practice 3-4: Performing Sanity Checks
Overview
In this practice, you log in to the WLS Admin Console, the OAM Admin Console, and EM FMW
Control and then make a brief exploration of the management interfaces. You also validate the
OAM server application deployed on the oam_server1 managed server and the EM and OAM
console applications deployed on the WLS admin server.
Assumptions
Make sure that the admin server and the OAM managed server are up and running before you start the practice. Perform the steps on the OAM machine.
Tasks
1. Check the status of Fusion Middleware Control, OAM managed server, and the OAM Administration Console.
a. On the OAM machine, launch the Chrome browser, click the WLS Admin Console bookmark, and access the WebLogic Administration Console (http://oam.example.com:7001/console).
b. Log in with weblogic as the username. If an alert comes up in Chrome at the top of the browser, prompting you to save the password, do not save the password.
c. To check the status of the admin and managed servers, navigate by using the Domain Structure navigation pane, oam_domain > Environment > Servers. You should see all the servers: AdminServer, oam_policy_mgr1, and oam_server1, in RUNNING state using ports 7001, 14150, and 14100 respectively.
2. Check the default users and groups in the embedded LDAP server. Then set up the console session timeout property to 86400 [seconds].
a. In the WLS Administration Console, navigate to Domain Structure > oam_domain > Security Realms by using the left pane.
b. Click myrealm and then click the “Users and Groups” tab. Notice the weblogic user, which is the default WLS administrator. Click weblogic and then click the Groups tab. Notice that the weblogic user is a member of the Administrators group.
c. Click the oam_domain link in the domain structure, then click Lock and Edit in the Change Center.
Note: If you do not see the Lock and Edit button in the Change Center of the console, perform the following steps to change the WLS admin server from development mode to production mode. [You should have selected production mode during the configuration of the domain.]
− Click oam_domain.
− Select the check box next to Production Mode.
− Click Save.
This change will take effect when you restart both servers in the next step.
d. In the right pane, expand the Advanced section and change the Console Session Timeout property from 3600 seconds to 86400 seconds. Click Save and then click Activate Changes. Notice the message that 3 items must be restarted for the changes to take effect.
3.
Using the Access Management Console, set up session lifetime and idle timeout properties.
a. In the Chrome browser, click the OAM Console bookmark
(http://oam.example.com:7001/oamconsole). Log in as the weblogic user.
b. Observe the new landing page for Oracle Access Management Console. It has four
tabs at the top. Each tab has a launch pad containing functional interfaces grouped into
tiles. The Quick Start Wizards tile on the Application Security tab contains links to
Application Registration and SSO Registration Wizards.
c. Access the Configuration tab in the Access Management Console, then in the Settings
tile, click View > Common Settings.
d. On the Common Settings page, change Session Lifetime and Idle Timeout properties
to 1440 minutes and 240 minutes respectively and click Apply.
e. Open a new tab on the Chrome browser. Access Policy Manager [http://oam.example.com:14150/access]. Notice that you are not prompted for your credentials, because you have an ongoing session with OAM Console.
f. Notice that the Policy Manager Console is similar to the Access Management Console. Notice also that the Authentication Plug-In link in the Plug-Ins tile is disabled. OAM Console is the recommended interface for managing plug-in modules.
g. Access the Mobile Security tab in Policy Manager. Notice that it has four tiles.
h. Access the Mobile Security tab in OAM Console. Notice it has only two tiles. Policy Manager is the recommended administration interface in an OMSS environment.
i. Click weblogic > Sign out to log out of Policy Manager Console. Then close that Chrome tab. Similarly log out of OAM Console, and WLS.
4. Stop and start the administration and managed servers in the OAM domain.
a. Stop the OAM managed server and Policy managed server by using the Stop OAM
Server and the Stop Policy Manager icons on the desktop. After the two managed
servers are stopped, stop the admin server by using the Stop WLS Admin Server
icon.
b. Start the WLS admin server first and then the OAM managed servers by using the
appropriate desktop icons.
Practices for Lesson 4: Agents and System Configuration
Chapter 4
Practices for Lesson 4: Overview
Practices Overview
In these practices, you install, configure, and register three OAM 11g WebGates, one for each
of the three OHS instances. In two cases, the registration is done by using the Remote
Registration (rreg) tool. In the other case, you use the OAM Console.
After registering the WebGates, you configure Oracle Unified Directory (OUD) as the user store
for OAM. Finally, you work with the IAMSuiteAgent agent that was preinstalled and configured
with the product for protecting console access.
Important Note
Whenever you see unexpected results during this lesson’s practices, it is a good idea to close
all browser windows (by selecting File > Exit rather than clicking the X icon to exit) and then
relaunch a new Firefox or Chrome browser and clear all the cookies explicitly.
• For a Firefox browser, select Tools > Clear Recent History > Clear Now. Make sure that “Time range to clear” is set to Everything and that at least Cookies, Cache, and Active Logins are selected.
• For a Chrome browser, click “Customize and control Google Chrome” and then select History > Clear all browsing data.
Practice 4-1: Configuring Oracle HTTP Server Instances
Overview
In this practice, you configure three Oracle HTTP Server instances: ohs_7777, ohs_7778, and
ohs_7779 on the DB machine (odd machine).
Assumptions
Before you start this practice, make sure that you can log in to the WLS Console for the OUD
domain. The OUD processes should be up and running. To verify, click the “WLS Console –
ODSM” bookmark in the Firefox browser on the DB machine. Log in as the weblogic user with
the password provided.
If you cannot log in, then start the OUD processes by using the Start OUD icon on the desktop.
Tasks [Perform these tasks on the DB machine]
1.
Configure the first OHS instance that uses port 7777.
a. On the DB machine (odd machine), launch the WebTier Configuration Wizard
(config.sh) from $OHS_HOME/bin.
$> cd $OHS_HOME/bin
$> ./config.sh
b. Use the following table as a guide to populate the fields (each window or page is listed with the choices or values to enter):
Welcome
    Next
Configure Components
    Keep the following selected:
    • Oracle HTTP Server
    • Associate Selected Components with WebLogic Domain
    Deselect Oracle Web Cache.
Specify WebLogic Domain
    Domain Host Name: oam.example.com
    Note: Make sure it is the OAM host name and not the DB host name.
    Domain Port No.: 7001
    Username: weblogic
    Password: <Password for Weblogic User>
Specify Component Details
    Instance Home Location: /u01/app/instances/ohs_7777
    Instance Name: ohs_7777
    OHS Component Name: ohs7
Configure Ports
    Select Specify Ports Using Configuration File, and specify /home/oracle/labs/lesson04/ohs_7777_port.ini
Specify Security Updates
    Deselect “I wish to receive security updates from My Oracle Support.” Select Yes in the Warning pop-up window.
Installation Summary
    Configure
Configuration Progress
    Next
Installation Complete
    Finish
c.
Edit the welcome-index.html file in
/u01/app/instances/ohs_7777/config/OHS/ohs7/htdocs/ and set the title
directive as follows:
<title>Welcome to Oracle Fusion Middleware - OHS:7777</title>
d.
Launch the browser and enter the URL http://db.example.com:7777. You
should see the OHS Welcome page with the title you have configured:
2. Configure two more OHS instances named ohs_7778 and ohs_7779.
a. In the terminal window, navigate to $OHS_HOME/bin and run config.sh.
$> cd $OHS_HOME/bin
$> ./config.sh
b. Use the following table to set up the ohs_7778 and ohs_7779 instances (each window is listed with the values for each instance):
Welcome
    Both instances: Next
Configure Components
    Both instances: Deselect Oracle Web Cache.
Specify WebLogic Domain
    Both instances: Domain Host Name: oam.example.com (Note: Make sure it is the OAM host name and not the DB host name.), Domain Port No.: 7001, Username: weblogic, Password: Password for weblogic user
Specify Component Details
    For ohs_7778 instance: Instance Home Location: /u01/app/instances/ohs_7778; Instance Name: ohs_7778; OHS Component Name: ohs8
    For ohs_7779 instance: Instance Home Location: /u01/app/instances/ohs_7779; Instance Name: ohs_7779; OHS Component Name: ohs9
Configure Ports
    For ohs_7778 instance: Select Specify Ports Using Configuration File, and specify /home/oracle/labs/lesson04/ohs_7778_port.ini
    For ohs_7779 instance: Select Specify Ports Using Configuration File, and specify /home/oracle/labs/lesson04/ohs_7779_port.ini
Specify Security Updates
    Both instances: Deselect “I wish to receive security updates from My Oracle Support.” Select Yes in the Warning pop-up window.
Installation Summary
    Both instances: Configure
Configuration Progress
    Both instances: Next
Installation Complete
    Both instances: Finish
c. Edit the welcome-index.html page for ohs_7778 and ohs_7779 and append the text “- OHS:7778” and “- OHS:7779” respectively to the title tag text, Welcome to Oracle Fusion Middleware.
d. Launch the browser and verify the title for http://db.example.com:7778 and http://db.example.com:7779.
Practice 4-2: Installing and Configuring WebGates and Registering a
WebGate by Using the OAM Console
Overview
In this practice, you install an OAM 11g R2 WebGate on a preinstalled OHS instance. Then you
run the EditHttpConf utility, which copies OUI-instantiated WebGate template from the
WebGate home directory to the WebGate instance location, and updates httpd.conf with an
additional line to include webgate.conf.
You also register the OAM WebGate for OHS-7777 by using the Access Management Console.
Assumptions
The OHS server should be installed and an instance of OHS running in the same Middleware
home where you intend to install the OAM 11g R2 WebGate.
Task [Perform these tasks on the DB machine]
1.
Install the WebGate on the DB machine and ensure that the Middleware home is the same
as the OHS you have already installed.
a. Check whether the OHS is running by executing opmnctl status from
/u01/app/instances/ohs_7777/bin.
$> /u01/app/instances/ohs_7777/bin/opmnctl status

Processes in Instance: ohs_7777
---------------+---------------+---------+---------
ias-component  | process-type  |   pid   | status
---------------+---------------+---------+---------
ohs7           | OHS           |   25942 | Alive
Note: If the status indicates “Not running,” enter opmnctl startall from
/u01/app/instances/ohs_7777/bin.
b.
In the terminal window, navigate to the /stage/webgate_11.1.2.3/Disk1 directory
and launch runInstaller as follows:
$> cd /stage/webgate_11.1.2.3/Disk1
$> ./runInstaller -jreLoc $JDK_HOME
c. Use the following table as a guide to populate the fields (each window or page is listed with the choices or values to enter):
Welcome
    Next
Install Software Updates
    Skip Software Updates
Prerequisite Checks
    Next
Specify Installation Location
    Oracle Middleware Home: /u01/app/oracle/product/middleware
    Oracle Home directory: webgate_home
Install Summary
    Install
Installation Progress
    Next
Installation Complete
    Finish
2. Deploy WebGates on the DB machine by using the command line.
a. In a terminal window on the DB machine, navigate to the
$MW_HOME/webgate_home/webgate/ohs/tools/deployWebGate directory and
run the deployWebGateInstance.sh script.
$> cd $MW_HOME/webgate_home/webgate/ohs/tools/deployWebGate
$> ./deployWebGateInstance.sh -w /u01/app/instances/ohs_7777/config/OHS/ohs7 -oh $MW_HOME/webgate_home
Copying files from WebGate Oracle Home to WebGate Instancedir
Note: This command creates a webgate directory in /u01/app/instances/ohs_7777/config/OHS/ohs7 and copies the configuration files necessary for the WebGate process:
− cacert.pem and cakey.pem to /u01/app/instances/ohs_7777/config/OHS/ohs7/webgate/tools/openssl/simpleCA
− oblog_config_wg.xml to /u01/app/instances/ohs_7777/config/OHS/ohs7/webgate/config
b. Repeat Step a above for the other two OHS instances, ohs_7778 and ohs_7779. Substitute the instance directory name when you run the deployWebGateInstance.sh command.
$> ./deployWebGateInstance.sh -w /u01/app/instances/ohs_7778/config/OHS/ohs8 -oh $MW_HOME/webgate_home
...
$> ./deployWebGateInstance.sh -w /u01/app/instances/ohs_7779/config/OHS/ohs9 -oh $MW_HOME/webgate_home
3.
Configure the OAM 11g WebGate by using the EditHttpConf utility.
a.
In the terminal window, set the LD_LIBRARY_PATH environment variable to
ohs_home/lib. To do this, enter the following at the prompt:
$> export LD_LIBRARY_PATH=$OHS_HOME/lib
b.
Navigate to the
$MW_HOME/webgate_home/webgate/ohs/tools/setup/InstallTools
directory and run the EditHttpConf utility.
$> cd $MW_HOME/webgate_home/webgate/ohs/tools/setup/InstallTools
$> ./EditHttpConf -w /u01/app/instances/ohs_7777/config/OHS/ohs7
It should show the following message:
The web server configuration file was successfully updated.
/u01/app/instances/ohs_7777/config/OHS/ohs7/httpd.conf has been
backed up as
/u01/app/instances/ohs_7777/config/OHS/ohs7/httpd.conf.ORIG
c.
Verify that /u01/app/instances/ohs_7777/config/OHS/ohs7 has the
webgate.conf, httpd.conf.ORIG (backup file) and httpd.conf files. The last
line in httpd.conf should be:
include "/u01/app/instances/ohs_7777/config/OHS/ohs7/webgate.conf"
4. Repeat the EditHttpConf command for the other two OHS instances, ohs_7778 and ohs_7779.
a. For OHS 7778:
$> ./EditHttpConf -w /u01/app/instances/ohs_7778/config/OHS/ohs8
b. For OHS 7779:
$> ./EditHttpConf -w /u01/app/instances/ohs_7779/config/OHS/ohs9
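Step 3c spells out what a correct EditHttpConf result looks like: webgate.conf present, httpd.conf.ORIG kept as the backup, and the include line as the last line of httpd.conf. The function below is an added example, not part of the guide, that checks those three conditions for an OHS instance directory; the two instance directories it runs against are constructed in a temporary location and stand in for the ones under /u01/app/instances.

```shell
#!/bin/sh
# Added example: verify the EditHttpConf result for an OHS instance directory.
# Assumptions: POSIX sh, awk and grep; the instance layout used in this lesson
# (<instance_dir>/httpd.conf, httpd.conf.ORIG and webgate.conf).

# verify_webgate_conf INSTANCE_DIR
# Returns 0 when webgate.conf and the httpd.conf.ORIG backup exist and the
# last non-blank line of httpd.conf is: include "<INSTANCE_DIR>/webgate.conf"
verify_webgate_conf() {
    d=$1
    [ -f "$d/webgate.conf" ]    || { echo "$d: webgate.conf missing"; return 1; }
    [ -f "$d/httpd.conf.ORIG" ] || { echo "$d: httpd.conf.ORIG backup missing"; return 1; }
    [ -f "$d/httpd.conf" ]      || { echo "$d: httpd.conf missing"; return 1; }
    # Last non-blank line of httpd.conf.
    last=$(awk 'NF { line = $0 } END { print line }' "$d/httpd.conf")
    expected="include \"$d/webgate.conf\""
    [ "$last" = "$expected" ] \
        || { echo "$d: last line is '$last', expected '$expected'"; return 1; }
    # The include must appear exactly once (grep -c prints 0 and exits 1 when absent).
    n=$(grep -c 'webgate\.conf"' "$d/httpd.conf" || true)
    [ "$n" -eq 1 ] || { echo "$d: webgate.conf is included $n times"; return 1; }
    return 0
}

# --- Constructed sample instance directories (not real lab files) ---
DEMO=$(mktemp -d)
GOOD="$DEMO/ohs_7777/config/OHS/ohs7"
BAD="$DEMO/ohs_7778/config/OHS/ohs8"
mkdir -p "$GOOD" "$BAD"
# First instance: looks like the result after EditHttpConf has run.
printf 'ServerName db.example.com:7777\nListen 7777\n' > "$GOOD/httpd.conf.ORIG"
cp "$GOOD/httpd.conf.ORIG" "$GOOD/httpd.conf"
printf 'include "%s/webgate.conf"\n' "$GOOD" >> "$GOOD/httpd.conf"
: > "$GOOD/webgate.conf"
# Second instance: EditHttpConf never ran, so no backup and no include line.
printf 'ServerName db.example.com:7778\nListen 7778\n' > "$BAD/httpd.conf"

verify_webgate_conf "$GOOD" && echo "$GOOD: WebGate include OK"
verify_webgate_conf "$BAD"  || echo "$BAD: run EditHttpConf for this instance"
```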
5.
Register the OAM 11g R2 WebGate on OHS_7777 with the OAM Server by using the
Access Management Console. Then verify that the OHS_7777 landing page is protected.
a. Using Firefox on the DB machine, log in to the Access Management Console
(http://oam.example.com:7001/oamconsole) as the weblogic user.
b. Click SSO Agent Registration in the Quick Start Wizards pane.
c. In the SSO Agent Registration Wizard, select WebGate as the Agent Type and click
Next.
d. In the Configure stage of the wizard, specify the following property values to register
the OAM 11g WebGate:
Version: 11g
Name: webgate_7777
Base URL: http://db.example.com:7777
Host Identifier: hostid7777
Security: Open
Auto Create Policies: Selected
Public Resource List: Click Add and specify the Relative URI as /public/index.html
e. Click Finish when done. Notice the confirmation message.
f. Click Download and save the webgate_7777.zip file to the $HOME/Downloads folder. Then sign out of the OAM Console.
g. In a terminal window, navigate to /u01/app/instances/ohs_7777/config/OHS/ohs7/webgate/config and extract the contents of the webgate_7777.zip file.
$> cd /u01/app/instances/ohs_7777/config/OHS/ohs7/webgate/config
$> unzip $HOME/Downloads/webgate_7777.zip
h. Restart the ohs_7777 component by using the following command:
$> /u01/app/instances/ohs_7777/bin/opmnctl restartproc ias-component=ohs7
i. Access ohs_7777 in a browser. URL: http://db.example.com:7777.
Note: You should be redirected to the OAM SSO login page (notice that the redirect URL
now points to OAM server 14100 port hosted on the OAM machine).
If you see the Welcome page without being challenged, clear all the cookies from your
browser. Go to Tools > Clear Recent History. Set Time range to clear to Everything.
Select the Cookies, Cache, and Active Logins check boxes, and click Clear Now.
j.
Log in as the weblogic user. The OHS Welcome page should be displayed.
Practice 4-3: Registering WebGates by Using Different Interfaces
Overview
In this practice, you run the rreg registration tool to register an OAM 11g agent in Out-of-Band
mode.
• Suppose you have an external partner application called acme.com on the OAM server. You do not want to give the acme.com application administrators direct access to the OAM 11g server. You can use Out-of-Band registration mode to register this external partner application so that the application administrators do not have access to the server.
• The application administrator provides a Request.xml (possibly via email) to a different OAM server administrator who has the required access to the OAM 11g server.
• The OAM server administrator runs the registration on behalf of the application administrator in Out-of-Band mode. This step needs the OAM server to be up because the agent profile is created by the OAM server.
• The OAM administrator sends the resulting *Response.xml back to the application administrator (possibly via email).
• Then, the application administrator runs Out-of-Band registration on the response file to get the artifacts (config files). This run is local to the WebGate, and does not need the OAM server to be up.
In this practice, you also register a WebGate by using Policy Manager.
Assumptions
• The OHS instances ohs_7778 and ohs_7779 must be up and running. To verify, run the command /u01/app/instances/ohs_7778/bin/opmnctl status.
• You have configured the WebGate on the ohs_7778 and ohs_7779 instances.
Tasks [Perform these tasks on the OAM machine]
1. Ensure that the OAM server and Policy Manager server are started.
a. Check if the OAM Server window is up on the oam machine. If not, then click the Start OAM Server desktop icon to start OAM server.
b. Check if the Policy Manager window is up. If not, then click the Start Policy Mgr desktop icon to start Policy Manager.
2. Create a WebGate registration request (OAM11GRequest.xml) file for registering the
WebGate on ohs_7778 with the OAM server. (Usually the application administrator
provides the metadata details in the registration request file and emails this file to the
security administrator.)
Note: For your convenience, a working copy of the OAM11GRequest.xml_7778 file is
available as $HOME/labs/lesson04/OAM11GRequest.xml_7778. You can copy
OAM11GRequest.xml_7778 to $MW_HOME/iam_home/oam/server/rreg/input and
ignore the following steps.
a. Navigate to $MW_HOME/iam_home/oam/server/rreg/input and copy OAM11GRequest.xml to OAM11GRequest.xml_7778:
$> cd $MW_HOME/iam_home/oam/server/rreg/input
$> cp OAM11GRequest.xml OAM11GRequest.xml_7778
b. Edit OAM11GRequest.xml_7778 as follows (each parameter is listed with the value to set):
<serverAddress>
    <serverAddress>http://oam.example.com:7001</serverAddress>
<hostIdentifier>
    <hostIdentifier>hostid7778</hostIdentifier>
<agentName>
    <agentName>webgate_7778</agentName>
<agentBaseUrl>
    <agentBaseUrl>http://db.example.com:7778</agentBaseUrl>
<applicationDomain>
    <applicationDomain>rreg_outofband_app_domain</applicationDomain>
c. Save and close the file.
3. Run the command-line agent registration utility to register the WebGate on ohs_7778.
a. Change directory to $MW_HOME/iam_home/oam/server/rreg and run the oamreg utility:
$> cd $MW_HOME/iam_home/oam/server/rreg
$> export JAVA_HOME=$JDK_HOME
$> chmod +x ./bin/*sh
$> ./bin/oamreg.sh outofband input/OAM11GRequest.xml_7778
− Enter weblogic for the admin username and the corresponding password.
− Enter n for two subsequent questions.
− You should get the following message after a successful run:
Outofband registration (Part 1) completed successfully! Response.xml file is
created in input folder.
− Explore the input directory under $ORACLE_HOME/oam/server/rreg to see the
response file webgate_7778_Response.xml created by the utility. The security
administrator will email this file to the application administrator.
b.
In the command-line window, navigate to $ORACLE_HOME/oam/server/rreg, and
run the following command:
./bin/oamreg.sh outofband ./input/webgate_7778_Response.xml
You should get this message after a successful run:
Outofband registration (Part 2) completed successfully! Output
artifacts are created in the output folder.
Notice that when you ran oamreg.sh this time, it did not prompt you for the admin username or password. This can be run locally by the application administrator with no connection to the WLS admin server. Explore the output/webgate_7778 directory under $MW_HOME/iam_home/oam/server/rreg to see the cwallet.sso and ObAccessClient.xml artifact files created by the utility.
4.
Verify that the agent and host identifier have been created.
a. In the browser window, log in to the Access Management Console at the URL
http://oam.example.com:7001/oamconsole as weblogic user. Then click the icon in
the Agents tile. Select the WebGates tab, and click Search.
b. In the search results, expand the Name column suitably so that you can see the names
of agents completely. Then click webgate_7778 to see the details of the agent you
created.
c. Access the Launch Pad, and click Application Domains in the Access Manager panel.
d. In the Search Application Domains page, click Search. In the results table, click
rreg_outofband_app_domain. On the rreg_outofband_app_domain Application Domain
page, click the Resources tab and then Search. Notice that the default resources are
listed for rreg_outofband_app_domain.
5. Copy registered WebGate artifacts from the oam machine to the db machine.
a. In the terminal window, change directory to $ORACLE_HOME/oam/server/rreg/output/webgate_7778.
b. Using the scp command, copy the WebGate artifacts to the WebGate configuration location on the db machine (enter the password for the oracle operating system user when prompted by the scp command):
$> cd $ORACLE_HOME/oam/server/rreg/output/webgate_7778
$> scp -r * db:/u01/app/instances/ohs_7778/config/OHS/ohs8/webgate/config
[Perform this task on the DB machine]
6. Restart the ohs_7778 instance and validate the results.
a. On the db machine, restart the OHS instance by using the following command:
$> /u01/app/instances/ohs_7778/bin/opmnctl restartproc ias-component=ohs8
b. In a new web browser window, access the now protected URL,
http://db.example.com:7778.
Note: You should be redirected to the OAM SSO login page. If you get to the Welcome
page without challenge, clear all the cookies from your browser and try again.
c. Enter weblogic and the password for the user and click Login. The OHS Welcome
page should be displayed.
[Registering WebGate Using Policy Manager – Perform these tasks on the DB
machine.]
7.
Register the OAM 11g R2 WebGate on OHS_7779 with the OAM server by using the Policy
Manager
a. Log in to the Policy Manager (http://oam.example.com:14150/access) as the
weblogic user.
b. Click SSO Agent Registration in the Quick Start Wizards tile.
c. In the SSO Agent Registration Wizard, select WebGate as the Agent Type and click
Next.
d. In the Configure stage of the wizard, specify the following property values to register
the OAM 11g WebGate:
Version: 11g
Name: webgate_7779
Base URL: http://db.example.com:7779
Host Identifier: hostid7779
Security: Open
Auto Create Policies: Selected
Public Resource List: Click Add and specify the Relative URI as /public/index.html
e. Click Finish when done. Notice the confirmation message.
8. Copy the agent artifacts to the folder where WebGate has been configured.
a. In the Policy Manager interface, click Download, and save the webgate_7779.zip file to the $HOME/Downloads folder. Then click weblogic > Sign out to log out of Policy Manager, and close the browser window.
b. In a terminal window, navigate to /u01/app/instances/ohs_7779/config/OHS/ohs9/webgate/config and extract the contents of the webgate_7779.zip file.
$> cd /u01/app/instances/ohs_7779/config/OHS/ohs9/webgate/config
$> unzip $HOME/Downloads/webgate_7779.zip
9.
Restart OHS_7779 and verify that the resources in OHS_7779 are protected by a WebGate.
a. Restart the OHS instance by using the following command:
$> cd /u01/app/instances/ohs_7779/bin
$> ./opmnctl restartproc ias-component=ohs9
b.
Invoke a new browser window and access OHS_7779 in the browser. URL:
http://db.example.com:7779.
Note
− If you see the Welcome page without being challenged, clear all the cookies from
your browser. Go to Tools > Clear Recent History. Set “Time range to clear” to
Everything. Select the Cookies, Cache, and Active Logins check boxes, and click
Clear Now.
− If you see an OAM Operation Error, restart the OAM managed server
(oam_server1) and try again. If you still receive the error, check the previous
practices in this lesson.
− You should be redirected to the OAM SSO login page (notice that the redirect URL
now points to OAM server 14100 port hosted on the OAM machine). Log in as the
weblogic user. The OHS Welcome page should be displayed.
Practice 4-4: Configuring Delegated Administrator in Embedded LDAP
Overview
In this practice, you explore the WLS-embedded LDAP directory, which is used to authenticate
the weblogic user (an OAM and WLS administrator).
You also create a new user in WLS-embedded LDAP, and you log in to the OAM Console as
this user. You also prevent the weblogic user and users belonging to the administrators
group in WebLogic LDAP from being able to log in to the OAM Console.
An identity store is a centralized LDAP store in which an aggregation of administrator and user-oriented data is kept and maintained in an organized way. You can have many user identity stores configured, and you can reference them in different custom-defined LDAP modules.
• The system store is used to authenticate administrators signing in to the OAM Administration Console or to use custom administrative commands in WLST.
• The default store is used to authenticate users that log in to protected resources.
Both the default store and the system store can be configured in the OAM Console.
During the initial WebLogic domain configuration using the Oracle Fusion Middleware
Configuration Wizard, the embedded LDAP is configured as the user and system identity store.
Within the embedded LDAP, the Administrators group is created with member weblogic
as the default administrator.
After registering the identity store, administrators can reference it in one or more authentication
modules that form the basis for authentication schemes. Only the default user identity store is
used for user authentication with the default LDAP scheme.
Assumptions
You have completed all the practices until Practice 4-3.
Tasks [Perform these tasks on the OAM machine]
1. Navigate through the identity store created by default in WLS embedded LDAP.
a. In a web browser, log in to the WLS administrator console (URL http://oam.example.com:7001/console), as the weblogic user.
b. Click Security Realms under Domain Structure > oam_domain in the left navigator.
c. Click myrealm. Click the Providers tab and notice the three providers:
− DefaultAuthenticator
− DefaultIdentityAsserter
− IAMSuiteAgent
d. Click the “Users and Groups” tab. Notice the weblogic user. Click weblogic and notice that it is a member of the Administrators group (on the Groups tab). If you want to create a new user to be a WLS administrator, that user must be a member of the Administrators group.
e. On another tab of the web browser, log in to the OAM Console as the weblogic user. Access the Configuration tab (top right) and then click User Identity Stores.
f. Notice that the Default Store and System Store are set to UserIdentityStore1. UserIdentityStore1 is used to authenticate WLS/OAM administrators as well as users for LDAPScheme authentication. Access the Launch Pad, and click Administration to view the group and role information. Click Search. Notice that you see only the Administrators group.
Note: You create additional users with different roles in the following tasks.
2. Create the oamadmin user in the DefaultAuthenticator store (WLS embedded LDAP) by using the WLS Administration Console.
a. On the WLS Administration Console tab of the Chrome web browser, navigate to
Security Realms, and click myrealm.
b. Go to the “Users and Groups” tab on top and click New.
c. Add a new user called oamadmin. Note that the Provider is set to
DefaultAuthenticator, which is a WLS-embedded LDAP store.
d. Set the password for this user as indicated by your instructor. Confirm the same
password. Click OK.
e. Click the oamadmin user link and access the Groups tab. Select Administrators
from the Available list and click the > icon so that the Administrators group is listed in
the Chosen list. Click Save.
f. Log out of the WLS Admin Console and OAM Console. Then close the web browser
window.
g. Invoke the Chrome web browser, access the OAM Console, and log in as the
oamadmin user with the password you gave in the previous step. You should
successfully log in to the OAM Console. Notice that all the tiles and tabs are visible to
the oamadmin user.
3. Create two new users (domainadmin and agentadmin) in the WLS embedded LDAP. In the following steps you configure domainadmin as an application domain administrator with delegated privileges across an application domain (for this practice, webgate_7777) and agentadmin as an agent administrator.
a. In the Chrome browser, invoke a new tab, and log in to the WLS Administration Console as the weblogic user and navigate to Domain Structure > Security Realms.
b. Click myrealm and select the Users and Groups tab, and click New.
c. Enter domainadmin for the name. Enter the password as indicated by your instructor, and click OK.
d. Similarly (using b and c above) create the agentadmin user.
e. Log out of the WLS Administration Console.
4. Configure the domainadmin user as an application administrator. This administrator has delegated privileges across an application domain (for this practice, webgate_7777).
a. On the OAM Console tab, access the Configuration tab on the top right. Then click the Administration tile. Click Grant on top of the table.
b. Enter domainadmin in the Name field and click the Search button.
c. Select the domainadmin user in the search result, Application Administrator in the Role menu, and click Add Selected.
d. Click the Application Security tab on the top, and then click Application Domains in the Access Manager tile. Click the Search button and click webgate_7777.
e. Click the Administration tab, and then click Grant.
f. Click the Search button, select the domainadmin user, and click Add Selected.
5. Configure the agentadmin user as an agent administrator. This administrator has delegated privileges to create and manage agents such as WebGates.
a. On the OAM Console tab, access the Configuration tab on the top right. Then click the Administration tile. Click Grant on top of the table.
b. Enter agentadmin in the Name field and click the Search button.
c. Select the agentadmin user in the search result, Agent Administrator in the Role menu, and click Add Selected.
d. Sign out of the OAM Console.
6. Verify the change in the administration interface based on the user who has logged in.
a. Log in to the OAM Console as domainadmin. Note that only the tiles relating to application administration are visible. Log out of the OAM Console.
b. Log in to the OAM Console as agentadmin. Note that only the tiles and links related to agent registration and administration are visible. Log out of the OAM Console.
Practice 4-5: Configuring OUD as the Identity Store for OAM
Overview
By default, the OAM system store is set to use the WLS-Embedded LDAP. This allows the authentication of users logging in to the OAM Console, and allows the rreg command to run against WLS-Embedded LDAP.
In this practice, you:
• Configure an existing directory server instance of OUD as the user identity store and set it as the default store in OAM. You set the LDAP authentication of users for protected resources against OUD.
• Configure an LDAP Authentication Scheme that points to the LDAP module that you configure to use the OUD identity store
• Verify that you can log in to a protected resource as a user in OUD, which should be successful
• Try logging in as the weblogic or oamadmin user. This login should fail because the weblogic user is not in OUD.
Assumptions
You have completed all the practices until Practice 4-4.
Tasks [Perform these tasks on the DB machine]
1. Create a new User Identity Store definition with OUD type.
a. In a terminal window, change directory to /u01/app/user_projects/domains/oud_domain/bin and take a backup of the start and stop scripts.
$> cd /u01/app/user_projects/domains/oud_domain/bin
$> mkdir ../bin_bak
$> cp *sh ../bin_bak
b. Change directory to $HOME/setupfiles and run the set_hostname.sh script.
$> cd $HOME/setupfiles
$> ./set_hostname.sh
c. Click Start OUD desktop shortcut to start the OUD Server. Wait for the OUD Server to reach RUNNING mode.
d. Invoke a web browser on the db machine and log in to the OAM Console (http://oam.example.com:7001/oamconsole) as the oamadmin user.
e. Click the Configuration tab (top right), then click User Identity Stores. Click Create in the OAM ID Stores section.
f. Choose the Store type as OUD from the pick list. Specify the rest of the values as shown:
Field                     Value
Store Name                OUD_Store
Store Type                OUD: Oracle Unified Directory
Description               This is the LDAP repository that contains user information and is the authentication provider for all the users except for OAM and WLS administrators.
Location                  db.example.com
Bind DN                   cn=Directory Manager
Password                  Password for Directory Manager user
Logon ID Attribute        uid
User Password Attribute   userPassword
User Search Base          ou=People,dc=example,dc=com
Group Name Attribute      cn
Group Search Base         ou=Groups,dc=example,dc=com
g. Click Test Connection. Click OK in the Connection Status window. Click Apply to save the definition.
h. Access the User Identity Stores page, set Default Store to OUD_Store, and then click Apply.
i. Sign out from the OAM Console.
2. Familiarize yourself with data in OUD by viewing the data by using Oracle Directory Services Manager (ODSM).
a. In a Firefox browser, click the ODSM bookmark. Use the following information to log in:
− Name: oud1
− Server: db.example.com
− Administration Port: 4444
− SSL Enabled: Selected (You cannot change)
− User Name: cn=Directory Manager
− Password: Password for Directory Manager user
b. If the Server Certificate Validation pop-up window appears, click Yes, trust always. (Accepting an unverified certificate is acceptable in this lab; outside a lab, compare the presented certificate with the one installed on the OUD server before trusting it.)
c. On the Data Browser tab navigate to the Root > dc=example,dc=com > ou=People node. Notice that the uid=ahall user is listed. You will use this user frequently in later practices.
d. Click the X beside the oud1 tab in the top left to close the ODSM connection.
e. In the web browser, clear all cookies and launch http://db.example.com:7779 (welcome-index.html protected using webgate_7779). You are redirected to the OAM SSO Login page. Log in as the oamadmin user with the password for the user. You should be successful and be able to see the Welcome page.
f. Clear the cookies and try logging in as the ahall user, who exists in OUD but not in embedded LDAP.
Note: You see the message: “An incorrect Username or Password was specified”. The application domain is still protected using embedded LDAP. Because the ahall user is not present in embedded LDAP, user authentication fails.
3. Create a new LDAP authentication module based on OUD_Store as the user identity store and use this new module to attach to the LDAP scheme.
a. Log in to the OAM Console as the oamadmin user. Click the Authentication Modules link in the Plug-ins tile.
b. Click Create and select Create LDAP Authentication Module. Enter LDAPOverOUD as Name, and select OUD_Store as User Identity Store. Click Apply.
c. Access the Launch Pad, and click the Authentication Schemes link in the Access Manager tile. In the Search Authentication Schemes page, click Search. Select the LDAPScheme row in the search result and click Edit. In the LDAPScheme, click Duplicate. It creates a new scheme with the name CopyofLDAPScheme. Change this scheme as follows, and then click Apply.
Field                   Choices or Values
Name                    LDAPOUDScheme
Description             LDAP Scheme Over OUD
Authentication Module   LDAPOverOUD
d. Then click Set As Default and then click OK in the confirmation pop-up.
e. Close the LDAPOUDScheme, LDAP Scheme, Authentication Schemes, and LDAPOverOUD pages.
f. In the Launch Pad, click the Application Domains link in the Access Manager tile. In the Search Application Domains page, click Search. Click the webgate_7779 application domain.
g. Click Authentication Policies > Protected Resource Policy and observe that the authentication scheme is set to LDAPOUDScheme. Sign out of the OAM Console.
h. Clear the cache and cookies. Launch http://db.example.com:7779 again. You are redirected to the OAM Login page. Log in as the ahall user. This time you should be successful and should see the Oracle Fusion Middleware Welcome page.
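The two lookups an OAM LDAP authentication module makes against the store it is bound to (search the user search base for the logon ID attribute, then bind as the DN it finds), modelled in Python as an added example that is not part of the Oracle guide. It reproduces the outcomes this practice walks you through: ahall is rejected by the embedded-LDAP store (step 2f), accepted by OUD_Store once the scheme uses LDAPOverOUD (step 3h), and weblogic is rejected by OUD because it exists only in the embedded LDAP. The directory entries, the passwords and the embedded-LDAP base DNs are constructed for the example; the OUD attribute names and search bases are the ones from the OUD_Store definition. One caveat on that definition: it binds as cn=Directory Manager, the OUD root account. Authentication only needs to search the user and group bases, so outside a lab the store should bind with a dedicated, least-privileged account.

```python
"""Model of OAM LDAP authentication against an identity store definition.
Added example, not code from the Oracle guide; entries, passwords and the
embedded-LDAP base DNs are constructed for illustration."""
import hashlib
import hmac
import os


def _digest(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def _user(uid: str, password: str, base: str):
    """Build a user entry; userPassword is stored salted and hashed (constructed)."""
    salt = os.urandom(8)
    return f"uid={uid},{base}", {
        "uid": [uid],
        "userPassword": [salt.hex() + "$" + _digest(password, salt)],
    }


def _group(cn: str, base: str, members):
    return f"cn={cn},{base}", {"cn": [cn], "uniqueMember": list(members)}


class IdentityStore:
    """The fields an OAM user identity store definition carries, plus the
    lookups the LDAP authentication module performs against them."""

    def __init__(self, name, user_search_base, group_search_base, entries,
                 logon_id_attribute="uid", user_password_attribute="userPassword",
                 group_name_attribute="cn"):
        self.name = name
        self.user_search_base = user_search_base
        self.group_search_base = group_search_base
        self.logon_id_attribute = logon_id_attribute
        self.user_password_attribute = user_password_attribute
        self.group_name_attribute = group_name_attribute
        self.entries = dict(entries)  # dn -> {attribute: [values]}

    def _under(self, base):
        suffix = "," + base.lower()
        return ((dn, a) for dn, a in self.entries.items() if dn.lower().endswith(suffix))

    def find_user_dn(self, logon_id):
        """Step 1: search the user search base for logon_id_attribute=logon_id."""
        for dn, attrs in self._under(self.user_search_base):
            if logon_id in attrs.get(self.logon_id_attribute, []):
                return dn
        return None

    def bind(self, dn, password):
        """Step 2: simulated bind as the user DN (constant-time comparison)."""
        attrs = self.entries.get(dn)
        if attrs is None:
            return False
        salt_hex, digest = attrs[self.user_password_attribute][0].split("$")
        return hmac.compare_digest(_digest(password, bytes.fromhex(salt_hex)), digest)

    def groups_of(self, dn):
        """Groups under the group search base that list dn as a member; this is
        what an Identity condition on a group evaluates."""
        return sorted(attrs[self.group_name_attribute][0]
                      for _, attrs in self._under(self.group_search_base)
                      if dn in attrs.get("uniqueMember", []))


def authenticate(store, logon_id, password):
    """Outcome of LDAP-scheme authentication against one store."""
    dn = store.find_user_dn(logon_id)
    if dn is None:
        return "user not found in " + store.name
    if not store.bind(dn, password):
        return "invalid password"
    return "authenticated as " + dn


# Constructed data. UserIdentityStore1 stands in for the WLS embedded LDAP
# (weblogic, oamadmin, Administrators); OUD_Store for the OUD instance on
# db.example.com (ahall, QA Managers). Passwords are placeholders.
EMBEDDED_BASE = "ou=people,ou=myrealm,dc=oam_domain"   # assumed WLS layout
EMBEDDED_GROUPS = "ou=groups,ou=myrealm,dc=oam_domain"
EMBEDDED = IdentityStore(
    "UserIdentityStore1", EMBEDDED_BASE, EMBEDDED_GROUPS,
    [_user("weblogic", "Welcome1", EMBEDDED_BASE),
     _user("oamadmin", "Welcome1", EMBEDDED_BASE),
     _group("Administrators", EMBEDDED_GROUPS,
            [f"uid=weblogic,{EMBEDDED_BASE}", f"uid=oamadmin,{EMBEDDED_BASE}"])],
)
OUD = IdentityStore(
    "OUD_Store", "ou=People,dc=example,dc=com", "ou=Groups,dc=example,dc=com",
    [_user("ahall", "Welcome1", "ou=People,dc=example,dc=com"),
     _group("QA Managers", "ou=Groups,dc=example,dc=com",
            ["uid=ahall,ou=People,dc=example,dc=com"])],
)

if __name__ == "__main__":
    print(authenticate(EMBEDDED, "ahall", "Welcome1"))   # step 2f: user not found
    print(authenticate(OUD, "ahall", "Welcome1"))        # step 3h: authenticated
    print(authenticate(OUD, "weblogic", "Welcome1"))     # overview: user not found
    print(OUD.groups_of("uid=ahall,ou=People,dc=example,dc=com"))
```

The same search-then-bind sequence is what Test Connection exercises with the Bind DN, which is why a wrong User Search Base or Logon ID Attribute still passes Test Connection but fails every user login.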
Practice 4-6: Working with IAMSuiteAgent
Overview
In this practice, you:
• Review the IAMSuiteAgent provider and the bootstrap configuration
• Review the default IAM Suite application domain (for IAMSuiteAgent)
Assumption
You have completed all the practices in Practice 3 and Practices 4-1 thru 4-5.
Tasks [Perform these tasks on the OAM machine]
1. View the configuration of IAMSuiteAgent in the WLS Administration Console.
a. Log in to the WLS Console with weblogic as the username and the password for the user. Access the Security Realm in the left pane, and then click myrealm > Providers tab.
b. Verify that the IAMSuiteAgent provider exists. Click IAMSuiteAgent and notice that IAMSuiteAgent uses OAMAuthnCookie (on the Common tab).
c. Access the Provider Specific tab. Note that the Primary Access Server uses port 5575, which is the proxy server port. The actual port for the OAM server is 14100.
Note: If you change any of these parameters in the Provider definition, you must restart the admin and managed servers.
d. Click Log out and log out of the WLS Administration Console.
2. Review the IAMSuiteAgent provider and bootstrap configuration:
a. In the browser window, clean the browser’s cookies and cache, and then access OAM Console (URL: http://oam.example.com:7001/oamconsole).
b. Check the cookies in the browser as part of the request for the OAM Console (it should show OAM_REQ cookie).
1) In Chrome, access Settings > Show Advanced Settings > Privacy > Content Settings > All cookies and site data.
2) In Firefox, navigate to Edit > Preferences > Privacy > remove individual cookies. Do not remove any cookies; just click Close in the Cookies and Preferences windows.
c. Log in to the OAM Console as the oamadmin user.
d. Check for generated cookies. OAMAuthnCookie (domain cookie), OAM_ID (server cookie) and OAMSESSIONID cookies should exist. The OAM_ID cookie is produced by the OAM 11g server, and OAMAuthnCookie is an IAMSuiteAgent cookie. All the cookies, with the exception of OAM_LANG_PREF, are session cookies. They are removed when the browser quits.
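A check you can script instead of reading the cookie dialog: given the Set-Cookie headers a response carries, which cookies are session cookies (no Expires or Max-Age, so the browser drops them on exit), which persist, which are being deleted (Max-Age=0, as happens on sign-out), and which lack HttpOnly or Secure. This is an added example, not part of the Oracle guide; the header lines are constructed around the cookie names from this practice and are not captured from an OAM server, so the flags they carry are illustrative. Secure is absent throughout because the lab runs over plain HTTP; on an HTTPS deployment its absence on a session cookie is a finding.

```python
"""Audit of Set-Cookie headers: session vs persistent vs deleted cookies, and
missing HttpOnly/Secure flags. Added example, not part of the Oracle guide;
the sample headers are constructed, not captured from OAM."""
from dataclasses import dataclass


@dataclass
class CookieInfo:
    name: str
    session: bool     # no Expires/Max-Age: dropped when the browser quits
    deleted: bool     # Max-Age <= 0: the server is removing the cookie
    domain: str       # Domain attribute ("" when host-only)
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> CookieInfo:
    """Parse one Set-Cookie header value: name=value; attr[=val]; attr[=val] ..."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    deleted = False
    if "max-age" in attrs:
        try:
            deleted = int(attrs["max-age"]) <= 0
        except ValueError:
            pass
    persistent = "expires" in attrs or "max-age" in attrs
    return CookieInfo(
        name=name.strip(),
        session=not persistent,
        deleted=deleted,
        domain=attrs.get("domain", ""),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
    )


def audit(headers):
    """Group cookie names the way steps 2d and 3f describe them."""
    infos = [parse_set_cookie(h) for h in headers]
    live = [c for c in infos if not c.deleted]
    return {
        "session": sorted(c.name for c in live if c.session),
        "persistent": sorted(c.name for c in live if not c.session),
        "deleted": sorted(c.name for c in infos if c.deleted),
        "missing_httponly": sorted(c.name for c in live if not c.httponly),
        "missing_secure": sorted(c.name for c in live if not c.secure),
    }


# Constructed sample: what a login to the OAM Console might set (step 2d) and
# what a sign-out might send to remove the session cookies (step 3f).
SAMPLE_LOGIN_RESPONSE = [
    "OAM_ID=c2VydmVyLWNvb2tpZQ; Path=/; HttpOnly",
    "OAMAuthnCookie=YWdlbnQtY29va2ll; Domain=.example.com; Path=/; HttpOnly",
    "OAMSESSIONID=3f9a1c; Path=/oamconsole; HttpOnly",
    "OAM_LANG_PREF=en; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
]
SAMPLE_LOGOUT_RESPONSE = [
    "OAM_ID=; Max-Age=0; Path=/",
    "OAMAuthnCookie=; Max-Age=0; Domain=.example.com; Path=/",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOGIN_RESPONSE))
    print(audit(SAMPLE_LOGOUT_RESPONSE))
```

Feed it the Set-Cookie lines from the Live HTTP Headers add-on mentioned in the Lesson 5 overview (one header per list entry) to get the same classification for a real session.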
3. Review the default IAMSuiteAgent and application domain policies in the OAM Console.
a. In the OAM Console, click the icon in the Agents tile, and click Search on the Search SSO Agents page.
b. In the Search Results table, click IAMSuiteAgent.
c. Observe the Preferred host, Primary Cookie Domain, Security, State, and Primary Server List properties of the agent.
d. Click Launch Pad, and then click the Application Domains link in the Access Manager tile. Click Search on the Search Application Domains page. In the Search Results table, click IAM Suite. Then access the Resources tab and click Search. Notice that IAMSuiteAgent:/oamconsole/** is one of the resources.
Note: You may have to scroll down in the Search Results table.
e. On the Authentication Policies tab, click OAM Admin Console Policy.
1) Notice that the authentication scheme for OAM Admin Console Policy is set to OAMAdminConsoleScheme.
2) You should see /oamconsole/** as one of the resources in the list.
f. Click oamadmin > Sign out. Wait for a couple of seconds, and then view the cookies. OAM_ID and OAMAuthnCookie do not appear any longer.
Practices for Lesson 5: Configuring DCC, Policies, and Responses
Chapter 5
Practices for Lesson 5: Overview
Practices Overview
In these practices, you deploy two different applications: My Bank and Bakery. You deploy the
My Bank application to WLS as a WAR file. You deploy the Bakery application directly to the
web server (OHS instance).
You then create authentication and authorization policies to protect various resources in these
two applications.
Important Notes
• Whenever you obtain unexpected results during this lesson’s practices, it is a good idea to close all Firefox browser windows and clear the cookies.
• My Bank is a dummy application. Not all links in this application are working or enabled. Follow the exact instructions as specified in the practice steps to achieve the correct results.
• You can use the Live HTTP Headers add-on for the Firefox browser to observe the headers and request flow. It is already installed.
Practice 5-1: Deploying an Application and Configuring OHS to Frontend the Application
Overview
In this practice, you create a new managed server and deploy mybank.war to that managed
server.
Setting up OHS as the front-end to mybank involves integrating the OHS and WebLogic
servers, because the requests need to be forwarded to the mybank application deployed on
WebLogic Server from the OHS.
Note: The My Bank application is a simple application that does not use a J2EE security model.
If you want to learn how to configure OAM 11g to work with J2EE applications with J2EE
security built into the application, see the “Configuring Single Sign-On in Oracle Fusion
Middleware” chapter in Oracle Fusion Middleware Application Security Guide 11g.
Detailed discussions of OPSS, the J2EE Security model, and its integration with OAM 11g are
beyond the scope of this course.
Tasks [Perform these tasks on the DB machine]
1. Create a Managed Server in the OUD domain by using the WLS Administration Console with the following details.
− Name: mybank_svr
− Port: 7101
a. In the db machine, log in to WLS Admin Console of the ODSM Domain as the weblogic user (db.example.com:7001/console).
b. Navigate to Servers (Environment > Servers), and click New.
c. On the Create a New Server page, enter the following and click Finish.
− Server Name: mybank_svr
− Server Listen Port: 7101
d. After the managed server is created, click Log Out and close the browser window.
e. In the terminal window, execute the startMyBank.sh script from the $HOME/setupfiles directory. [Enter weblogic as the username to boot the server, and the corresponding password when prompted.]
$> cd $HOME/setupfiles
$> ./startMyBank.sh
Wait till you see the message <Server Started in RUNNING mode> before you
continue with the next steps.
2. Deploy the My Bank application to mybank_svr.
a. Access the WLS Admin Console for the ODSM domain as the weblogic user.
b. Click Deployments. On the Deployments page, click Install.
c. In the Path field, enter /home/oracle/labs/lesson05/mybank.war. Ensure that mybank.war is selected, and click Next.
d. Select “Install this deployment as an application.”
e. Target this application to mybank_svr.
f. Click Finish to complete the deployment.
g. With another instance of the Firefox browser, enter http://db.example.com:7101/mybank. The login page is displayed.
3. Configure Oracle HTTP Server (ohs_7777) as the front end for the My Bank application.
a. In the terminal window on the DB machine, navigate to the /u01/app/instances/ohs_7777/config/OHS/ohs7 directory and edit and update the mod_wl_ohs.conf file as follows, and save the changes.
Note: For convenience, the required mod_wl_ohs.conf file is available in the $HOME/labs/lesson05 folder. You can copy that file to the /u01/app/instances/ohs_7777/config/OHS/ohs7 directory.
Note: In the mybank application, main_page.jsp is set as the welcome page, and main_page.jsp refers to header.jsp from the includes directory. header.jsp checks if OAM_REMOTE_USER is null and if it is, then redirects to the login.jsp page. Because the application trusts that header to identify the user, the managed server listen port (7101) must be reachable only through the WebGate-protected OHS instance; a client that reaches 7101 directly bypasses WebGate and could supply the header itself.
<IfModule weblogic_module>
WebLogicHost db.example.com
WebLogicPort 7101
#Debug ON
#WLLogFile /tmp/weblogic/log
MatchExpression *.jsp
</IfModule>
<Location /mybank>
SetHandler weblogic-handler
#PathTrim /weblogic
#ErrorPage http://WEBLOGIC_HOME:WEBLOGIC_PORT/
</Location>
b. Restart OHS for the changes to take effect, by using the following command:
$> cd /u01/app/instances/ohs_7777/bin/
$> ./opmnctl restartproc ias-component=ohs7
c. Open the Firefox browser and access http://db.example.com:7777/mybank.
Note: The port is 7777 instead of 7101. You will be redirected to the login page from OAM Server, per the policy for this application domain.
d. Log in as the ahall user. You should see main_page.jsp.
Note: OAM_REMOTE_USER is no longer null. As a result, the ID ahall is displayed next to the Sign Off link.
e. Access the URL http://db.example.com:7777/mybank/testheaders.jsp. Observe all the contents, especially OAM_REMOTE_USER and the cookie values on this page.
f. Access the main page of the bank [http://db.example.com:7777/mybank] and then click Sign off.
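Why OAM_REMOTE_USER can only be trusted behind the WebGate, as an added example that is not the My Bank application's own code. It models the two hops of this practice (browser to OHS/WebGate on 7777, OHS to mybank_svr on 7101) as plain functions: the front end discards any OAM_REMOTE_USER the client sent and sets it from the OAM session, and the application honours the header only when the TCP peer is the trusted front end, so a request straight to 7101 is treated as anonymous. The addresses are assumptions for the lab topology; the naive resolver reproduces the null check the Note above attributes to header.jsp.

```python
"""OAM_REMOTE_USER trust boundary between OHS/WebGate and the WebLogic app.
Added example, not the My Bank application's code; addresses are assumed."""
from typing import Optional

OHS_ADDR = "10.0.0.20"           # assumed address of the OHS host db.example.com
TRUSTED_FRONT_ENDS = {OHS_ADDR}  # the only peers allowed to assert an identity
HEADER = "OAM_REMOTE_USER"


def _normalise(headers: dict) -> dict:
    """HTTP header names are case-insensitive; compare them upper-cased."""
    return {k.upper().replace("-", "_"): v for k, v in headers.items()}


def webgate_front_end(headers: dict, session_user: Optional[str]) -> dict:
    """What the WebGate-protected OHS forwards to WebLogic: the client's own
    OAM_REMOTE_USER (if any) is discarded and replaced by the identity of the
    OAM session, or left absent when there is no session."""
    forwarded = {k: v for k, v in _normalise(headers).items() if k != HEADER}
    if session_user:
        forwarded[HEADER] = session_user
    return forwarded


def app_naive(headers: dict) -> str:
    """header.jsp logic as the Note describes it: null -> login.jsp, else page."""
    user = (_normalise(headers).get(HEADER) or "").strip()
    return f"main_page.jsp for {user}" if user else "redirect /mybank/login.jsp"


def app_hardened(headers: dict, peer_addr: str) -> str:
    """Same decision, but the header counts only when the TCP peer is a trusted
    front end; a direct request to port 7101 is treated as anonymous."""
    if peer_addr not in TRUSTED_FRONT_ENDS:
        return "redirect /mybank/login.jsp"
    return app_naive(headers)


def via_front_end(client_headers: dict, session_user: Optional[str]) -> str:
    """Browser -> OHS:7777 -> mybank_svr:7101, as in this practice."""
    return app_hardened(webgate_front_end(client_headers, session_user), OHS_ADDR)


if __name__ == "__main__":
    # step 3d: authenticated through WebGate, the app sees ahall
    print(via_front_end({}, "ahall"))
    # a client-supplied header sent through the front end is overwritten
    print(via_front_end({"OAM_REMOTE_USER": "weblogic"}, None))
    # the same header sent straight to 7101 from an arbitrary client
    print(app_naive({"OAM_REMOTE_USER": "weblogic"}))
    print(app_hardened({"OAM_REMOTE_USER": "weblogic"}, "192.0.2.10"))
```

The peer check is defence in depth only; the primary control is that port 7101 is not reachable from anywhere except the OHS host, which a firewall rule or a WebLogic network channel bound to an internal address enforces.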
Practice 5-2: Configuring a Detached Credential Collector
Overview
In this practice, you configure webgate_7779 as the detached credential collector (DCC). You
change the configuration of webgate_7777 to use webgate_7779 as the DCC rather than its
own embedded credential collector (ECC).
Tasks [Perform these tasks on the DB machine]
1. Reconfigure webgate_7779 to collect credentials, and then reconfigure the logout redirect for webgate_7777 so that it goes through webgate_7779.
a. Log in to the OAM Console as oamadmin. Click the Agents icon, then click Search. In the search results, click webgate_7779.
b. On the webgate_7779 page, select Allow Credential Collector Operations and click Apply.
c. Access the SSO Agents tab, and click webgate_7777. Change the Logout Redirect URL to http://db.example.com:7779/oamsso-bin/logout.pl. Click Apply.
2. Reconfigure LDAPOUDScheme with challenge properties.
a. Access Launch Pad and click Authentication Schemes in the Access Manager tile. Then click Search > LDAPOUDScheme. Change the properties of LDAPOUDScheme as follows, and click Apply:
Parameter                Choices or Values
Challenge Redirect URL   http://db.example.com:7779/
Challenge URL            /oamsso-bin/login.pl
Context Type             external
b. In Launch Pad, click Application Domains in the Access Manager tile. Search and click webgate_7779. On the webgate_7779 page, access the Resources tab and click Create. Use the following parameters to create the resource, and click Apply.
Parameter          Choices or Values
Type               HTTP
Host identifier    hostid7779
Resource URL       /favicon.ico
Protection Level   Excluded
c. Sign out of OAM Console and close the browser window.
d. In a terminal window, navigate to $MW_HOME/webgate_home/webgate/ohs/oamsso-bin. Edit login.pl and logout.pl and change the Perl location on the first line of the script from /usr/local/bin/perl to /usr/bin/perl.
e. Restart the ohs_7777 and ohs_7779 instances.
$> /u01/app/instances/ohs_7777/bin/opmnctl restartproc ias-component=ohs7
$> /u01/app/instances/ohs_7779/bin/opmnctl restartproc ias-component=ohs9
f. Open the Firefox browser, access http://db.example.com:7777/mybank, and log in as the ahall user.
Note: The port is 7777 instead of 7101. You will be redirected to the login page through WebGate_7779, the DCC. The ID ahall is displayed next to the Sign Off link.
g. Click Sign-off and notice that you are redirected to http://db.example.com:7779/oamsso/logout.html
Practice 5-3: Configuring Authentication and Authorization Policies
Overview
Resources represent a document, entity, or pieces of content that are stored on a server and
available for access by a large audience. Clients communicate with the server and request the
resource by using a particular protocol (for example, HTTP or HTTPS) that is defined by an
existing resource type.
In this practice, you configure a resource, /mybank/testheaders.jsp, and assign it to the
existing authentication policy, Protected Resource Policy.
After the user is authenticated, the authorization policy for the resource is evaluated to
determine whether the user is permitted access to the resource. Each resource can be
protected by only one authorization policy.
In this practice, you also create a new Admin_Resource_Policy and add the resource URL
/mybank/testheaders.jsp so that this policy can be evaluated separately from the other
policies.
Tasks [Perform these tasks on the OAM machine]
1. Configure an authentication policy for the ohs_7777 application domain.
a. Using Chrome browser, log in to the OAM console as the oamadmin user.
b. Click Application Domains in the Access Manager tile. Click Search on the Search Application Domains page.
c. Click webgate_7777. On the webgate_7777 Application Domain page, access the Resources tab, and click Create. Enter the following values, and click Apply.
Parameter               Choices or Values
Type                    HTTP
Host Identifier         hostid7777
Resource URL            /mybank/testheaders.jsp
Protection level        Protected
Authentication Policy   Protected Resource Policy
d.
Access the webgate_7777 tab (at the top). In this domain, access the Authentication
Policies tab and click the Protected Resource Policy link. You should notice that the
resources are protected using the LDAPOUDScheme authentication scheme. Notice that
the /mybank/testheaders.jsp resource is assigned to this policy.
2. Create a new Admin_Resource_Policy and add /mybank/testheaders.jsp as the
resource so that this authorization policy can be evaluated separately.
a. On the webgate_7777 application domain page, access the Authorization Policies tab.
Click Create.
b. Enter Admin_Resource_Policy in the name field and click the Resources tab. Click
Add. Click Search and select the /mybank/testheaders.jsp row, and click Add Selected.
c. Click the Conditions tab. Click Add. Enter the following values, and then click Add
Selected:
• Name: Group_Check
• Type: Identity
Note: This condition is used to check for membership in a group.
d. Select the newly added row. The Condition Details: Group Check section is shown in the
bottom pane. Click Add > Add Users and Groups in the Condition Details pane.
e. In the Add Identities window, set Store Name to OUD_Store, Entity Type to All or
Group, and Entity Name to QA, and click Search. Select the QA Managers row, and
click Add Selected.
f. Click the Rules tab. In the Allow Rule section, move the Group_Check (Identity)
condition to Selected Conditions. Click Apply.
g. Click oamadmin > Sign Out to log out of the OAM Console.
h. Open a Firefox browser and access http://db.example.com:7777/mybank. Log in as
ahall. You should be successful.
i. Access http://db.example.com:7777/mybank/testheaders.jsp. You should be denied
access, because the ahall user is not in the QA Managers group.
j. Access the bank page [http://db.example.com:7777/mybank] again and click Sign Off.
k. In the Firefox browser, access the URL
http://db.example.com:7777/mybank/testheaders.jsp and log in as jwalker. This user
is a member of the QA Managers group, so you are granted access.
l. Access the bank page [http://db.example.com:7777/mybank] again and click Sign Off.
3. Create and test the IP Range (deny rule) condition in Admin_Resource_Policy.
Note: The ip_check condition is used to check the IP address of the user. If the IP
address matches the address of the database machine, the check passes, and the user
can access the page.
a. In the Chrome browser, log in to the OAM Console as oamadmin, access the Authorization
Policies tab of the webgate_7777 application domain, and click Admin_Resource_Policy
> Conditions. Create a condition with the name ip_check of type IP Range.
b. In the Condition Details: ip_check, add an IP range (start and end values to be the IP of
your oam machine).
Note: Use the IP address of the oam machine. (Use the hostname -i command to
get the IP address of the host.)
c. Click the Rules tab. In the Deny Rule section, move the ip_check condition to
Selected Conditions. Select Any of the selected conditions, and click Apply.
d. Test whether you can access the testheaders.jsp page from the oam machine (to test
ip_check) as QA Manager (jwalker). Your access is denied because you are
accessing from an IP range in a deny rule.
e. On the Rules tab of the OAM Console (in the db machine), remove ip_check from
Selected Conditions, and click Apply.
4. Incorporate access based on a temporal condition, so that access is allowed only from 9
am to 9 pm on Saturdays and Sundays.
Note: The time_check condition is used to specify the day and time when an
authenticated user can access the testheaders.jsp page. If the current day and time
match those specified in the condition, the check passes, and the user can access the
page.
a. Access the Authorization Policies tab and click Admin_Resource_Policy > Conditions.
Create a time_check condition of type Temporal.
b. In the TEMPORAL window, enter 09:00:00 for Start Time, 21:00:00 for End Time,
select Saturday and Sunday, and click OK.
c. Click the Rules tab. In the Allow Rule section, move the time_check condition to
Selected Conditions, and click Apply.
d. Test whether you can access the testheaders.jsp page from the DB machine (to test
time_check) as QA Manager (jwalker). You cannot access the page because this is a
weekday.
e. On the Rules tab of the OAM Console, remove the time_check condition from
Selected Conditions, and click Apply to restore access to the page.
f. Access the Firefox browser and click refresh. You should be able to view the
testheaders.jsp page.
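The Allow and Deny rules built up in Tasks 2 through 4 are easier to reason about when the evaluation is written out. The following Python model is an added example; it is not part of this activity guide and not Oracle Access Manager code. It reimplements the three condition types the practice uses (Identity, IP Range, Temporal) over a constructed directory, and evaluates the Deny rule before the Allow rule (the deny-overrides ordering described for OAM authorization rules, taken as an assumption here). The addresses 192.0.2.10 (standing in for the OAM machine) and 192.0.2.20 (a client), the group memberships, and the dates are constructed values, not the lab's.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address
from typing import Callable, Dict, List, Set

# Constructed directory data standing in for OUD_Store (not the lab's real data).
DIRECTORY: Dict[str, Set[str]] = {
    "jwalker": {"QA Managers"},
    "ahall": {"Engineering"},
}

# Constructed addresses: the machine denied by ip_check, and a normal client.
OAM_MACHINE_IP = "192.0.2.10"
CLIENT_IP = "192.0.2.20"

# A condition is a predicate over the request context
# {"user": str, "client_ip": str, "now": datetime}.
Condition = Callable[[dict], bool]


def identity_condition(groups: Set[str]) -> Condition:
    """Identity condition (Group_Check): the user belongs to one of the groups."""
    return lambda ctx: bool(DIRECTORY.get(ctx["user"], set()) & groups)


def ip_range_condition(start: str, end: str) -> Condition:
    """IP Range condition (ip_check): the client address lies in [start, end]."""
    lo, hi = ip_address(start), ip_address(end)
    return lambda ctx: lo <= ip_address(ctx["client_ip"]) <= hi


def temporal_condition(start: time, end: time, weekdays: Set[int]) -> Condition:
    """Temporal condition (time_check): inside the time window on the listed
    days (Python weekday numbers: Monday=0 ... Saturday=5, Sunday=6)."""
    def check(ctx: dict) -> bool:
        now: datetime = ctx["now"]
        return now.weekday() in weekdays and start <= now.time() <= end
    return check


@dataclass
class Rule:
    """An Allow or Deny rule over its selected conditions."""
    conditions: List[Condition] = field(default_factory=list)
    match_all: bool = True  # "All of the selected conditions" vs "Any of ..."

    def matches(self, ctx: dict) -> bool:
        if not self.conditions:
            return False  # a rule with no selected conditions never fires
        results = [cond(ctx) for cond in self.conditions]
        return all(results) if self.match_all else any(results)


@dataclass
class AuthorizationPolicy:
    name: str
    allow: Rule
    deny: Rule

    def evaluate(self, ctx: dict) -> str:
        # Deny is checked first and overrides Allow (assumed deny-overrides ordering).
        if self.deny.matches(ctx):
            return "DENY"
        return "ALLOW" if self.allow.matches(ctx) else "DENY"


def build_admin_resource_policy(with_ip_check: bool, with_time_check: bool) -> AuthorizationPolicy:
    """Admin_Resource_Policy at the stages of the practice: Group_Check is always in
    the Allow rule; ip_check (Deny rule, Any of) and time_check (Allow rule) are
    added and removed as Tasks 3 and 4 do."""
    allow_conditions = [identity_condition({"QA Managers"})]
    if with_time_check:
        allow_conditions.append(temporal_condition(time(9, 0, 0), time(21, 0, 0), {5, 6}))
    deny_conditions = [ip_range_condition(OAM_MACHINE_IP, OAM_MACHINE_IP)] if with_ip_check else []
    return AuthorizationPolicy(
        name="Admin_Resource_Policy",
        allow=Rule(allow_conditions, match_all=True),
        deny=Rule(deny_conditions, match_all=False),
    )


def decide(user: str, client_ip: str, now: str,
           with_ip_check: bool = False, with_time_check: bool = False) -> str:
    """Evaluate one request for /mybank/testheaders.jsp; now is an ISO 8601
    timestamp such as '2015-10-10T10:00:00'."""
    policy = build_admin_resource_policy(with_ip_check, with_time_check)
    ctx = {"user": user, "client_ip": client_ip, "now": datetime.fromisoformat(now)}
    return policy.evaluate(ctx)


if __name__ == "__main__":
    monday, saturday = "2015-10-12T10:00:00", "2015-10-10T10:00:00"  # constructed dates
    print(decide("ahall", CLIENT_IP, monday))                             # DENY
    print(decide("jwalker", CLIENT_IP, monday))                           # ALLOW
    print(decide("jwalker", OAM_MACHINE_IP, monday, with_ip_check=True))  # DENY
    print(decide("jwalker", CLIENT_IP, monday, with_time_check=True))     # DENY
    print(decide("jwalker", CLIENT_IP, saturday, with_time_check=True))   # ALLOW
```

The two rule objects make the Task 3 behaviour visible: a single matching Deny condition short-circuits the decision regardless of the user's groups, which is why jwalker is refused from the OAM machine even though Group_Check passes.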
Practice 5-4: Managing Authentication and Authorization Responses
Overview
Responses are optional actions that are to be taken. A response consists of two parameters (a
type and an expression) and a single output (the value).
The response type denotes the form of action to be taken with the value string. In OAM 11g R2
PS3 Release (11.1.2.3), four types are included:
• Cookie: Set an HTTP cookie.
• Header: Set an HTTP request header.
• Session: Set an attribute on the user’s session.
• Asserted Attribute: If the identity assertion is selected, then an assertion
(optionally containing any Asserted Attribute) is generated for the user. Identity
assertion is used to propagate security tokens outside of the original session.
Policy responses provide the ability to insert information into a session and pull it back at any
later point. This is more robust and flexible than in OAM 10g, which provided data passage to
(and between) applications by redirecting to URLs in a specific sequence.
In this practice, you create a session response during the authentication process. You retrieve
this session response and use it in HTTP_HEADERS during the authorization response.
Tasks
1. Configure authentication response headers and a cookie for the webgate_7777
application domain.
a. Using the Chrome browser, log in to the OAM Console as oamadmin, if you have not
already logged in.
b. Click Application Domains in the Access Manager tile. Then click Search and click
webgate_7777. On the webgate_7777 Application Domain page, click the
Authorization Policies tab. Click Admin_Resource_Policy, access the Responses tab,
and select Identity Assertion.
c. Click Add, and in the ensuing pop-up, enter the details from each row of the following
table and click Add. Then click Add on the Responses tab to add the next row. After all
the rows have been added, click Apply:
Type                 Name                                  Value
Cookie               OAM_Cookie_Simple                     SimpleCookie
Header               OAM_Header_Simple                     SimpleHeader
Header               OAM_Header_Advanced                   User $user.attr.uid from $request.client_ip used agent $request.agent_id
Header               Group_Membership                      $user.groups
Asserted Attribute   oracle:idm:claims:session:apppolicy   $request.policy_name
d. Refresh the browser with the testheaders.jsp page,
http://db.example.com:7777/mybank/testheaders.jsp (you may have to re-authenticate
if the session has timed out). Log in as jwalker (jwalker is a member of the QA Manager
group in OUD).
e. Observe Group_Membership, OAM_Header_Simple, OAM_Header_Advanced, and
OAM_IDENTITY_ASSERTION. Note that it may take a few minutes before the header
values appear.
2. Configure response header variables.
a. In the Chrome browser window, open a new tab and access ODSM
(http://db.example.com:7001/odsm). Double-click oud1 under Saved Connections.
Enter the password, and log in.
b. Navigate to Data Browser > dc=example, dc=com > ou=People > uid=jwalker. In
the right pane, set the title of jwalker to Senior QA Manager. Click Apply. Then close
the browser tab.
c. In the OAM Console as oamadmin, navigate to the webgate_7777 application
domain. Access Authentication Policies > Protected Resource Policy. Click the
Responses tab, then click Add. In the Add Response window, enter the following
values, and then click Add:
Parameter    Value
Type         Session
Name         OAM_SESSION
Value        User $user.attr.uid as $user.attr.title
d. Click the webgate_7777 tab (on top) and the Authorization Policies tab within the
webgate_7777 application domain. Click Admin_Resource_Policy. Click the
Responses tab. Click Add. Enter the following values in the Add Response window,
and click Add. Then click Apply in Admin_Resource_Policy.
Parameter    Choices or Values
Type         Header
Name         OAM_HEADER_WITH_SESSION
Value        $session.attr.OAM_SESSION has policy $request.policy_name matched in
             $request.res_url URL from $request.policy_appdomain domain.
e. In a new Firefox browser session, access the URL
http://db.example.com:7777/mybank/testheaders.jsp as the jwalker user and verify
OAM_HEADER_WITH_SESSION.
Note: To ensure you see the correct values, you should clear the cookies and close
the browser session. Then start the browser and access
http://db.example.com:7777/mybank/testheaders.jsp as the jwalker user to see the correct
values.
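The two-stage flow of this practice (an authentication response stores OAM_SESSION, and an authorization response later reads it through $session.attr) can be traced with a small expression expander. The following Python is an added example, not code from this guide or from Oracle Access Manager: it resolves $user, $request and $session references from a constructed request context (uid jwalker, title Senior QA Manager, client address 192.0.2.20, agent webgate_7777, all sample values) and applies the response tables of Tasks 1 and 2 in order. Unknown references expand to an empty string here; that is an assumption of the model, not documented OAM behaviour.

```python
import re
from typing import Dict, List, Tuple


def build_context() -> dict:
    """Constructed request context (not captured from the lab): the attributes
    that the $user, $request and $session namespaces resolve against."""
    return {
        "user": {
            "attr": {"uid": "jwalker", "title": "Senior QA Manager"},
            "groups": "QA Managers",
        },
        "request": {
            "client_ip": "192.0.2.20",      # constructed client address
            "agent_id": "webgate_7777",
            "policy_name": "Admin_Resource_Policy",
            "res_url": "/mybank/testheaders.jsp",
            "policy_appdomain": "webgate_7777",
        },
        "session": {"attr": {}},            # filled in by Session responses
    }


# $namespace.part[.part...]; each part may contain letters, digits and underscores.
VARIABLE = re.compile(r"\$([a-z]+(?:\.[A-Za-z0-9_]+)+)")


def expand(expression: str, ctx: dict) -> str:
    """Replace every $a.b.c reference with its value from ctx. References that
    cannot be resolved expand to an empty string (assumed, not OAM-documented)."""
    def resolve(match: "re.Match") -> str:
        node = ctx
        for part in match.group(1).split("."):
            if not isinstance(node, dict) or part not in node:
                return ""
            node = node[part]
        return str(node)
    return VARIABLE.sub(resolve, expression)


Response = Tuple[str, str, str]  # (type, name, expression)


def apply_responses(responses: List[Response], ctx: dict) -> Dict[str, Dict[str, str]]:
    """Evaluate a policy's responses in order, grouped by type. Session responses
    are written back into ctx so a later $session.attr.<name> can read them."""
    out: Dict[str, Dict[str, str]] = {}
    for rtype, name, expression in responses:
        value = expand(expression, ctx)
        out.setdefault(rtype, {})[name] = value
        if rtype == "Session":
            ctx["session"]["attr"][name] = value
    return out


# Responses from this practice: the authentication policy's Session response,
# then the authorization policy's Cookie, Header and Asserted Attribute responses.
AUTHN_RESPONSES: List[Response] = [
    ("Session", "OAM_SESSION", "User $user.attr.uid as $user.attr.title"),
]
AUTHZ_RESPONSES: List[Response] = [
    ("Cookie", "OAM_Cookie_Simple", "SimpleCookie"),
    ("Header", "OAM_Header_Simple", "SimpleHeader"),
    ("Header", "OAM_Header_Advanced",
     "User $user.attr.uid from $request.client_ip used agent $request.agent_id"),
    ("Header", "Group_Membership", "$user.groups"),
    ("Asserted Attribute", "oracle:idm:claims:session:apppolicy", "$request.policy_name"),
    ("Header", "OAM_HEADER_WITH_SESSION",
     "$session.attr.OAM_SESSION has policy $request.policy_name matched in "
     "$request.res_url URL from $request.policy_appdomain domain."),
]


def run_lab_flow() -> Dict[str, Dict[str, str]]:
    """Run the authentication responses first (which sets OAM_SESSION), then the
    authorization responses; returns the authorization outputs by type."""
    ctx = build_context()
    apply_responses(AUTHN_RESPONSES, ctx)
    return apply_responses(AUTHZ_RESPONSES, ctx)


if __name__ == "__main__":
    for rtype, values in run_lab_flow().items():
        for name, value in values.items():
            print(f"{rtype}: {name} = {value}")
```

Running the authorization responses without the authentication stage leaves OAM_HEADER_WITH_SESSION starting with an empty value, which mirrors the Note above: a stale browser session that never went through the updated authentication policy will not carry the session attribute the header depends on.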
Practice 5-5: Customizing Access Policies for a Web Application
Overview
In this practice, you perform the following:
• Deploy the Bakery application on the OHS instance (ohs_7777).
• Unprotect the Bakery application so that anyone can view the page.
• Protect internal pages to ensure that only employees (only users in OUD in this case)
can view those pages.
• Create authorization rules so that each department page can be accessed by the
employees from the corresponding department.
Tasks
1. Deploy the Bakery web application on the ohs_7777 instance, and verify that you can
access the application. [Perform this task on the DB machine]
a. On the DB machine, copy the example directory from $HOME/labs/lesson05 to
/u01/app/instances/ohs_7777/config/OHS/ohs7/htdocs.
$> cd /u01/app/instances/ohs_7777/config/OHS/ohs7/htdocs
$> cp -r $HOME/labs/lesson05/example .
b. Open a new browser window and access http://db.example.com:7777/example. You
should be redirected to the login page.
c. Log in with the credentials of the ahall user. You should see the Welcome page of
the Bakery application.
Note: You see the login page because you have an OAM 11g WebGate deployed on
the ohs_7777 instance with a policy that is protecting all the resources under /.
d. Explore the application by clicking Products, On-line Store, Baker’s Corner, and About.
2. Unprotect the launch page (/example) of the Bakery application by creating the resource
as Unprotected. Perform the following tasks on the OAM machine.
a. Log in to the OAM Console as oamadmin. Navigate to Access Manager panel >
Application Domains > Search > webgate_7777 application domain.
b. On the Resources tab of the webgate_7777 application domain, click Create and
create two resources, /example and /example/.../*. Click Apply after creating each
resource URL.
Name                     Value
Type                     HTTP
Description              Bakery application launch page
Host Identifier          hostid7777
Resource URLs            /example and /example/.../*
Protection Level         Unprotected
Authentication Policy    Public Resource Policy
c. Close all Firefox sessions and start a new Firefox browser session, and access the
Bakery application [URL http://db.example.com:7777/example]. You should see the
Bakery main page (without being challenged for credentials).
Note: This opens up all the doors in the Bakery application to the public, including the
Employee login link. Click the Employees link and you should be able to see the
employeeHome.html page without being challenged to log in as an employee.
3. Create resources for internal pages and each department page.
a. In the OAM Console as oamadmin, navigate to Access Manager > Application
Domains > Search > webgate_7777 application domain.
b. On the Resources tab, click Create and create resources as described in the following
table. Click Apply after entering the values for each resource URL, and then click the
webgate_7777 tab to create the next resource.
Name                     Value
Type                     HTTP
Description              Employee pages
Host Identifier          hostid7777
Resource URLs            /example/internal
                         /example/internal/.../*
Protection Level         Protected
Authentication Policy    Protected Resource Policy
c. Create resources for the HR department (/example/internal/hr). Click Apply after
entering the values.
Name                     Value
Type                     HTTP
Description              HR Page
Host Identifier          hostid7777
Resource URL             /example/internal/hr
Protection Level         Protected
Authentication Policy    Protected Resource Policy
d. Click Duplicate, and change the Resource URL to /example/internal/hr/.../*
and then click Apply.
e. Access the Resources tab of the webgate_7777 application domain, and click Create to
add resources for the Finance department (/example/internal/finance). Click
Apply after entering the values for each resource URL.
Name                     Value
Type                     HTTP
Description              Finance Page
Host Identifier          hostid7777
Resource URLs            /example/internal/finance
Protection Level         Protected
Authentication Policy    Protected Resource Policy
f. Click Duplicate, and change the Resource URL to
/example/internal/finance/.../* and then click Apply.
g. Access the Resources tab of the webgate_7777 application domain, and click Create to
add resources for the Engineering department (/example/internal/eng). Click
Apply after entering the values for the resource URL.
Name                     Value
Type                     HTTP
Description              Engineering Page
Host Identifier          hostid7777
Resource URLs            /example/internal/eng
Protection Level         Protected
Authentication Policy    Protected Resource Policy
h. Click Duplicate, and change the Resource URL to /example/internal/eng/.../*
and then click Apply.
4. Create policy conditions to ensure that HR pages can be accessed only by employees from
the HR department.
a. Navigate to the webgate_7777 Application Domain, and access the Authorization
Policies tab. Click Create to add a new authorization policy as shown in the following
table:
Name                Value
Name                Bakery_HR
Description         Policy to protect HR department page so that it
                    is viewable only by HR Employees.
Resources subtab    Click Add, and then click Search and select
                    the following two URLs and click Add Selected.
                    /example/internal/hr
                    /example/internal/hr/.../*
b. Click the Conditions tab. Click Add, and in the Add Conditions window, enter the
following and click Add Selected:
Name       Value
Name       HR_Only
Type       Identity
c. Back in Condition Details: HR Only, click Add > Add Users and Groups, enter the
condition details as shown in the following table, and click Search.
Name           Value
Store Name     OUD_Store
Entity Type    Group
Entity Name    H
d. Select both HR Managers and Human Resources rows in the search results table, and
click Add Selected.
e. On the Create Authorization Policy page, click Apply.
f. On the Rules tab, in the Allow Rule section, move the HR_Only condition from
Available Conditions to Selected Conditions.
g. Click the Responses tab. Click Add and enter values as shown in the following table,
and click Add:
Name     Value
Type     Cookie
Name     AuthZ_Cookie
Value    $user.attr.uid is authorized to view this page as member of HR department. This is
         the AuthZ response.
h. Click Apply on the Create Authorization Policy page.
5. Create policy conditions to ensure that the Finance pages can be accessed only by
employees from the Finance department.
a. Navigate to the webgate_7777 Application Domain, and access the Authorization
Policies tab. Click Create to add a new authorization policy as shown in the following
table:
Name                Value
Name                Bakery_Finance
Description         Policy to protect Finance department page so
                    that it is viewable only by Finance Employees.
Resources subtab    Click Add, and then click Search and select
                    the following two URLs and click Add Selected.
                    /example/internal/finance
                    /example/internal/finance/.../*
b. Click the Conditions tab. Click Add, and in the Add Conditions window, enter the
following and click Add Selected:
Name       Value
Name       Fin_Only
Type       Identity
c. Back in Condition Details: Fin Only, click Add > Add Users and Groups, enter the
condition details as shown in the following table, and click Search.
Name           Value
Store Name     OUD_Store
Entity Type    Group
Entity Name    Finance
d. Select the Finance row in the search results table, and click Add Selected.
e. On the Rules tab, in the Allow Rule section, move the condition Fin_Only to Selected
Conditions.
f. Click the Responses tab. Click Add, enter values as shown in the following table, and
click Add:
Name     Value
Name     AuthZ_Cookie
Type     Cookie
Value    $user.attr.uid is authorized to view this page as member of Finance department. This
         is the AuthZ response.
g. Click Apply on the Create Authorization Policy page.
6. Create policy conditions to ensure that Engineering pages can be accessed only by
employees from the Engineering department.
a. Navigate to the webgate_7777 Application Domain, and access the Authorization
Policies tab. Click Create to add a new authorization policy as shown in the following
table:
Name                Value
Name                Bakery_Eng
Description         Policy to protect Engineering department page
                    so that it is viewable only by Engineering
                    Employees.
Resources subtab    Click Add, click Search and select the
                    following two URLs, and click Add Selected.
                    /example/internal/eng
                    /example/internal/eng/.../*
b. Click the Conditions tab. Click Add, and in the Add Conditions window, enter the
following and click Add Selected:
Name       Value
Name       Eng_Only
Type       Identity
c. Back in Condition Details: Eng Only, click Add > Add Users and Groups, enter the
condition details as shown in the following table, and click Search.
Name           Value
Store Name     OUD_Store
Entity Type    Group
Entity Name    Engineering
d. Select the Engineering row in the search results table, and click Add Selected.
e. On the Rules tab, in the Allow Rule section, move the condition Eng_Only to the right.
f. Click the Responses tab. Click Add and enter values as shown in the following table,
and click Add:
Name     Value
Name     AuthZ_Cookie
Type     Cookie
Value    $user.attr.uid is authorized to view this page as member of the Engineering
         department. This is the AuthZ response.
g. Click Apply on the Create Authorization Policy page.
h. Sign out of the OAM Console. Close the browser window.
7. Verify that the access policies for the Bakery application are correctly set up.
a. Invoke the Firefox browser, remove all cookies from the browser, and access the URL
http://db.example.com:7777/example. You should see the unprotected main page of
the Example Bakery application.
b. Click the Employees link. You should be challenged for credentials. Log in as
kvaughan. You should see the Example Bakery Employee portal page. Now, click
Human Resource Department Site. You should be able to view the HR department
page because the kvaughan user is a member of the HR department.
c. Navigate to the browser’s menu option: Edit > Preferences > Privacy > remove
individual cookies > expand db.example.com site, and click to view the AuthZ_Cookie
cookie value. Also note down all the cookies pertaining to OAM. Click Close in the
Cookies window, and then click Close in Firefox Preferences.
d. Return to the Employee portal page by using the browser’s Back button (or click the
Employees link), and click Finance Department Site. You should see the
“Oracle Access Manager Operation Error” page, which states that access has been
denied to the user.
e. Close the browser window. Open it again, and verify whether you can access the Finance
page as the abergin user.
f. Similarly, verify whether you can access the Engineering page as ahall. Try to access the
Finance page as the ahall user and notice that you are not allowed.
Practices for Lesson 6: Configuring Single Sign-On and Managing Sessions
Chapter 6
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
Practice 6: Configuring Single Sign-On and Managing Sessions
Chapter 6 - Page 1
Practices for Lesson 6: Overview
Practices Overview
In these practices, you will perform the following tasks:
• Deploy and configure a customized login page.
• Use the Session Management page to terminate a user session.
• Configure the Oracle Access Manager server to constrain the number of concurrent
sessions that a user is allowed to have.
• Set session management properties on a per-application level.
Practice 6-1: Deploying and Configuring a Custom Login Page with DCC
Overview
In this practice, you customize the login page, demonstrate single sign-on and single logout,
and manage the Oracle Access Manager sessions. You configure Oracle Access Manager to
use a custom-branded login page for the Example Bakery website.
Example Bakery wants its employees to use a login page that has branding that is similar to the
rest of the Example Bakery site instead of the login page provided by Oracle Access Manager.
You configure Oracle Access Manager to use a customized login page to collect credentials.
Tasks [Perform these steps on the DB machine]
1. Verify that, when you access the Example Bakery website on the OHS instance protected
by the 11g R2 WebGate, Oracle Access Manager uses its standard login page:
a. In your browser, access the Example Bakery home page URL:
http://db.example.com:7777/example.
b. Click Employees. The standard Oracle Access Manager login page appears.
c. Log in as the jwalker user. The Example Bakery Employee portal page appears.
d. Close the browser window.
2. Review the exploded application archive file that contains the customized login page:
a. Open the /home/oracle/labs/lesson05/login/examplelogin.jsp file in a
text editor.
b. Observe the following code in the file:
<form action="/oam/server/auth_cred_submit" method="post">
• The form action statement posts the collected credentials back to the required
end point on the Oracle Access Manager server.
• The getParameter code retrieves request_id from the HTTP header and
stores it in a hidden field. The Oracle Access Manager server is provided this
parameter as required.
3.
Deploy the exploded WAR file that contains the customized login page to the managed
server running the My Bank application:
a. Log in to the WLS Admin Console of the OUD domain as the weblogic user.
b. Select oud_domain > Deployments from the Domain Structure pane. The Summary of
Deployments page appears on the right side of the console window. Click Install.
c. The “Locate Deployment to Install and Prepare for Deployment” form appears. Specify
the value /home/oracle/labs/lesson05/login in the Path field. Click Next.
d. The Choose Targeting Style form appears. Select “Install this Deployment as an
Application” and click Next.
e. The Select Deployment Targets form appears. Select the mybank_svr target. Click
Next.
f. The Optional Settings form appears. Notice that the context for the application is login.
Click Finish.
g. The Summary of Deployments page reappears. The status of the login application
should be Active.
h. Log out of the WLS Admin Console.
4. Configure OHS_7779 to front-end the login application, and restart OHS_7779.
a. In the terminal window on the DB machine, navigate to the
/u01/app/instances/ohs_7779/config/OHS/ohs9 directory, edit and update
the mod_wl_ohs.conf file as follows, and save the changes.
LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
<IfModule weblogic_module>
WebLogicHost db.example.com
WebLogicPort 7101
MatchExpression *.jsp
</IfModule>
<Location /login>
SetHandler weblogic-handler
</Location>
b. Restart the OHS for the changes to take effect by using the following commands:
$> cd /u01/app/instances/ohs_7779/bin/
$> ./opmnctl restartproc ias-component=ohs9
5. Specify the custom-branded login page for the LDAPOUDScheme authentication scheme:
a. Log in to Oracle Access Manager as oamadmin. Navigate to Access Manager panel >
Authentication Schemes > Search.
b. Click the LDAPOUDScheme authentication scheme. Change the following values and
click Apply:
Field            Choices or Values
Challenge URL    /login
Context Type     <Blank>
6. Create the /login resource in the webgate_7779 application domain. Set the protection
level to Excluded.
a. Access the Resources tab of the webgate_7779 application domain, and click Create
to add resources for the custom login module as indicated in the table and click Apply.
Name                Value
Type                HTTP
Description         Custom Login Page
Host Identifier     hostid7779
Resource URL        /login
Protection Level    Excluded
b. Click Duplicate, change the resource URL to /login/.../*, and then click Apply.
7.
Verify that when you access the Example Bakery website, it uses the Example Bakery
custom-branded login page:
a. In the browser window, clear cookies and cache and restart the browser.
b. Access the Example Bakery home page: http://db.example.com:7777/example.
c. Click Employees. The Example Bakery login page appears. This is the custom login
page specified:
d. Log in as the jwalker user. The Example Bakery Employee portal page appears.
Practice 6-2: Managing Sessions
Overview
In this practice, you use the session management feature of the OAM Console to view active
user sessions and to terminate a user’s session. Both the Firefox and Chrome browsers are
used in this lesson.
Assumptions
Tasks
1.
View the current sessions for a particular user, and delete a user session.
a. On the OAM machine, access the Firefox and Chrome browsers. Clear cookies and
cache, and restart the Firefox and Chrome browsers.
b. In the Chrome browser, log in to the OAM Console as the oamadmin user, and click
Session Management.
c. Type oamadmin in the User ID field and click Search. Details of the session for the
oamadmin user appear in the session list. You may see multiple active sessions for
oamadmin.
d. In the Firefox browser, navigate to the Bakery application home page:
http://db.example.com:7777/example, click Employees, and log in as the jwalker
user.
e. Return to the Session Management page displayed in the Chrome browser. Type
jwalker in the UserID field and click the Search button. Details of the session for the
jwalker user appear in the session list.
Multiple sessions might exist for the jwalker user because some sessions were created earlier that were not logged out. If multiple sessions exist, use the Creation Instant field to locate the most recently created session.
f. Highlight the most recently created session for the jwalker user and click Delete (X icon).
g. Return to the Firefox browser window and click Employees. You are prompted to authenticate because your session was terminated by administrative action.
h. Close the Firefox browser.
2. Explore the cookies that are created in the login process for DCC deployment.
a. On the OAM machine, invoke the Firefox browser, and clear cookies and cache.
Access the Bakery application (http://db.example.com:7777/example).
b. Navigate to Edit > Preferences > Privacy and click "remove individual cookies." In the Cookies window, expand the db.example.com node and the oam.example.com node.
c. Notice that OAMAuthNCookie_db.example.com:7777 is set for the application. This cookie is created for the session with the 11g WebGate.
d. In the Firefox window, click Employees. View the cookies again. Notice the two new cookies:
− DCCCtxCookie_... is similar to OAM_REQ and is used for DCC.
− OAMRequestContext_... stores the state about the user’s original request.
e.
Log in as jwalker. View the cookies again. Notice that
OAMRequestContext_db.example.comdb.example.com:7777_<string> is no
longer listed. You should see two new cookies: the authentication response cookie that
is set in the authentication policy for the resource itself and the new
OAMAuthnCookie_db.example.com:7779.
f. Click the Finance Department Site link (jwalker is a member of the Finance group). View the cookies again. You should see one additional cookie: the authorization response cookie (AuthZ_Cookie). You configured this cookie as a response in the protected resource authorization policy.
g. Access the bank page [http://db.example.com:7777/mybank] and then click Sign Off to log out of the application by invoking the following URL, and observe the URL field.
h. View the cookies again a few minutes after logout. It takes some time for the first refresh; subsequently, the cookie refresh happens immediately. Notice that all the cookies are the same, except that the OAMAuthNCookie_db.example.com:<port> cookies are no longer present. These cookies disappear when the browser session ends.
3. Constrain the number of active sessions to one for all users. Then attempt to start two concurrent authentication sessions, and observe the results.
a. Set the allowed active sessions to 1 by using the OAM Console from the OAM machine.
1) Log in to the OAM Console and click the Session Management icon.
2) Click Delete All User Sessions, and then click Yes in the Warning dialog box. Because you just deleted all active sessions, including the oamadmin user session, you are logged out of the console.
3) Log back in as the oamadmin user, and access the Configuration tab (at the top).
4) Then click View > Common Settings in the Common Settings panel. Notice that “Database Persistence of Active Sessions Enabled” is selected.
5) Set “Maximum Number of Sessions per User” to 1, and click Apply.
6) Navigate to the Application Security tab (at the top) and click Session Management. Search for all user sessions by using the wildcard *. Notice that users can still have more than two active sessions, even though the maximum number of sessions per user has been set to 1. The session constraint applies to newly created sessions only. Click Delete All User Sessions, and then click Yes in the Warning dialog box. Because you just deleted all active sessions, including the oamadmin user session, you are logged out of the console.
b.
On the DB machine, using a SQL session, verify that there are no active sessions.
Invoke a SQL session, connect to the database as the DEV_OAM user, and run the
following query:
$> sqlplus /nolog
SQL> connect DEV_OAM
Enter password:
Connected.
SQL> desc oam_session;
SQL> select userid,create_time from oam_session;
Confirm that you see “no rows selected”.
c. On the OAM machine, using the Firefox browser, create a session as the jwalker user.
1) Access the Firefox browser window. Clear the cookies and cache and restart Firefox.
2) In Firefox, navigate to the Bakery application home page, then click Employees. The Bakery application login page appears. Log in as jwalker. The employee portal appears.
d. On the OAM machine, using the Chrome browser, verify the number of sessions for the jwalker user.
1) Log in to the OAM Console by using the Chrome browser, and double-click the Session Management node under Common Configuration.
2) Search for user sessions for jwalker. You should see one session for the jwalker user.
3) Note the Client IP address. It should show an IP address of the OAM machine where the session was started.
e. On the DB machine, using SQL, verify the number of session records.
1) On the DB machine, invoke a SQL session and run the same SQL query.
2) Invoke a SQL session, connect to the database as the DEV_OAM user and run the
following query:
$> sqlplus /nolog
SQL> connect DEV_OAM
Enter password:
Connected.
SQL> desc oam_session;
SQL> select user_id, create_time from oam_session;
This time, you should see one record for jwalker.
f.
On the DB machine, create a session as the jwalker user by using the Firefox
browser.
1) Invoke the Firefox browser, clear the cookies and cache in the browser.
2) Navigate to the Bakery application home page. Click Employees and log in as
jwalker.
g.
On the OAM machine, verify that the previous session has been stopped.
1) On the OAM machine, access the Firefox window in which you accessed the
Example Bakery application as the jwalker user.
2) Click any of the department links, and notice that you are presented with a login
page.
The session from the OAM machine was terminated to adhere to the “Maximum
Number of Sessions per User” value of 1.
h.
In the OAM Console session on the OAM machine, restore the “Maximum Number of
Sessions per User” parameter to 8 (under Common Settings). Do not forget to click
Apply after you change the value.
1) In the OAM Console, access the Configuration tab (at the top). Then click View >
Common Settings in the Common Settings panel.
2) Set “Maximum Number of Sessions per User” to 8, and click Apply.
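The following Python model is added here as an example; it is not code from the Oracle guide or from OAM itself. It reproduces the two behaviours observed in task 3: lowering “Maximum Number of Sessions per User” leaves already existing sessions untouched, and with a cap of 1 a new login from the DB machine terminates the older session from the OAM machine. The SessionStore class, the session ids and the client IP addresses are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Session:
    """One row of the kind shown in the Session Management search results."""
    session_id: str
    user_id: str
    client_ip: str
    creation_instant: datetime


class SessionStore:
    """Constructed stand-in for the OAM session store (not an OAM API)."""

    def __init__(self, max_sessions_per_user: int = 8) -> None:
        self.max_sessions_per_user = max_sessions_per_user
        self._sessions: Dict[str, Session] = {}
        self._counter = 0
        self.terminated: List[str] = []  # ids removed by the cap or by an admin

    def set_max_sessions_per_user(self, n: int) -> None:
        # Changing the limit does not touch sessions that already exist;
        # the constraint is applied only when a new session is created.
        if n < 1:
            raise ValueError("maximum sessions per user must be at least 1")
        self.max_sessions_per_user = n

    def sessions_for(self, user_id: str) -> List[Session]:
        found = [s for s in self._sessions.values() if s.user_id == user_id]
        return sorted(found, key=lambda s: s.creation_instant)

    def create_session(self, user_id: str, client_ip: str, now: datetime) -> Session:
        # Enforce the cap at login time: drop the oldest sessions until the
        # new one fits, so with a cap of 1 the previous session is terminated.
        existing = self.sessions_for(user_id)
        excess = len(existing) + 1 - self.max_sessions_per_user
        for old in existing[:max(excess, 0)]:
            self.delete_session(old.session_id)
        self._counter += 1
        session = Session(f"s{self._counter}", user_id, client_ip, now)
        self._sessions[session.session_id] = session
        return session

    def delete_session(self, session_id: str) -> None:
        # Equivalent of highlighting a session and clicking Delete (X icon).
        self.terminated.append(session_id)
        del self._sessions[session_id]

    def delete_all_sessions(self) -> None:
        # Equivalent of Delete All User Sessions (the admin session included).
        for session_id in list(self._sessions):
            self.delete_session(session_id)

    def is_active(self, session_id: str) -> bool:
        return session_id in self._sessions


def run_practice_6_2_scenario() -> dict:
    """Replay task 3 of Practice 6-2 with constructed data and return what an
    administrator would observe in Session Management at each point."""
    store = SessionStore(max_sessions_per_user=8)
    t0 = datetime(2015, 10, 1, 9, 0, 0)
    # Two jwalker sessions from earlier logins that were never logged out.
    store.create_session("jwalker", "10.0.0.5", t0)
    store.create_session("jwalker", "10.0.0.5", t0 + timedelta(minutes=1))
    store.set_max_sessions_per_user(1)
    sessions_after_lowering_cap = len(store.sessions_for("jwalker"))  # still 2
    store.delete_all_sessions()  # step a.6
    # Step c: jwalker logs in from the OAM machine.
    first = store.create_session("jwalker", "10.0.0.5", t0 + timedelta(hours=1))
    # Step f: jwalker logs in again from the DB machine.
    second = store.create_session("jwalker", "10.0.0.6", t0 + timedelta(hours=2))
    return {
        "sessions_after_lowering_cap": sessions_after_lowering_cap,
        "first_session_active": store.is_active(first.session_id),    # False
        "second_session_active": store.is_active(second.session_id),  # True
        "active_client_ips": [s.client_ip for s in store.sessions_for("jwalker")],
        "first_session_terminated": first.session_id in store.terminated,
    }
```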
Practice 6-3: Setting Up OUD to Enable Configuring Impersonation
Overview
In this practice, you set up OUD for configuring the impersonation feature.
Tasks
1.
Set up the oblixorgperson and oblixPersonPwdPolicy object classes and apply the
classes to all the users in OUD.
a. Copy the OUD_PWDPersonSchema.ldif file from the OAM machine to the DB
machine by using the scp command in a terminal window. Perform this step from the
OAM machine:
$> cd $ORACLE_HOME/oam/server/pswdservice/ldif
$> scp OUD_PWDPersonSchema.ldif db:/home/oracle/labs/lesson05
The user data object definition in the Access Manager schema is extended with attributes that enable password user status and password history maintenance. This definition is provided in an LDIF file and must be added to each user identity store.
b. On the DB machine, navigate to $OUD_HOME/bin and execute the following ldapmodify command to extend the OUD schema:
$> cd $OUD_HOME/bin
$> ./ldapmodify -D "cn=Directory Manager" -w <OUD User Password> -f ~/labs/lesson05/OUD_PWDPersonSchema.ldif
c. Add the oblixPersonPwdPolicy object class to the user population so that it can inherit all the attributes required for password policy validation.
$> cd $OUD_HOME/bin
$> ./ldapmodify -D "cn=Directory Manager" -w <OUD User Password> -f /home/oracle/labs/lesson05/oblixPersonPwdPolicy.ldif
d. On the DB machine, invoke the browser and log in to ODSM using the oud1 saved connection.
e. In the Data Browser tab, expand dc=example,dc=com and select ou=People. Then, using the Create menu, click Create > Entry.
1) In the Object Class stage, specify the following and click Next.
Property                                      Choices or Values
Parent Entry                                  ou=People,dc=example,dc=com
Objectclass (use Add button for each class)   person, organizationalPerson, inetOrgPerson, oblixPersonPwdPolicy, oblixorgperson, top
2) In the Mandatory Properties stage, specify the following and click Next.
cn                                            oamadmin
sn                                            oamadmin
3) In the Optional Properties stage, specify the following and click Next.
uid (use Add button)                          oamadmin
userpassword (use Add button)                 <OUD User Password>
4) In the RDN Specification stage, select uid as the RDN attribute, and click Next.
5) In the Summary stage, verify the properties are set as required and click Finish.
f. Navigate to ou=Groups > cn=Engineering. Click the “Create an Entry like the Selected Entry” icon. Specify the following property values for the new entry, and then click Create:
− Common Name: OAMAdministrators
− Description: People who can log in to the OAM console
− Member Info: uid=oamadmin,ou=people,dc=example,dc=com
g. Refresh the subtree entries for ou=Groups and make sure you can see cn=OAMAdministrators.
2. On the db machine, using ODSM, configure the orclIDXPerson object class in the OUD schema. Then enable two users, drose and dward, with the orclIDXPerson class.
a. Click the Schema tab. Search for and review the orclIDXPerson object class. Search for and review the following two attributes. These are part of the orclIDXPerson object class:
− orclimpersonationgranter
− orclimpersonationgrantee
b. Add the orclIDXPerson impersonation object class to two users (dward and drose).
Note: In an actual scenario, you may apply the object class to the entire user population in your directory, so that anyone may be able to use the feature.
1) Navigate to the Data Browser tab and find the dward user in the ou=people,dc=example,dc=com tree structure.
2) On the Properties tab, add the orclIDXPerson object class to the user definition. Click Apply when you are finished.
3) Perform the previous two steps for the drose user definition.
Note: Assume that drose is the impersonator and dward is the impersonatee (target).
c. Obtain orclGUID and entryUUID of the impersonator (drose) user by using the following commands in a terminal window:
$> cd /u01/app/oud_instances/oud1/OUD/bin
$> ./ldapsearch -p 1389 -b "ou=people,dc=example,dc=com" -s sub -D "cn=Directory Manager" -w <OUD User Password> \(uid=drose\) orclguid entryuuid
Note: orclGUID is the same as entryUUID except for the separator hyphens (-). You will use orclGUID.
d. Copy the value of orclGUID.
e. In the Data Browser page of ODSM, navigate to the impersonatee (uid=dward) node.
f. In the Properties tab, expand Optional Properties. Then click Show Attributes, and enable the orclImpersonationgrantee and orclImpersonationgranter attributes to be visible.
g. When the orclimpersonationgrantee attribute is visible in the Optional Properties section, add the value for the attribute by clicking the Add button.
For example, specify the value as c9318c911be641869b1ab3a4309a52b8|20150501235959Z|20201231235959Z (that is, orclGUID of the impersonator (drose)|start_date|end_date).
h. Click Apply to save the changes.
i. On the Data Browser tab, click cn=OAMAdministrators,ou=Groups,dc=example,dc=com. In the right panel, click Add in Member Information and add uid=drose,ou=People,dc=example,dc=com to the OAMAdministrators group. Click Apply.
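The helpers below are added here as an example and are not part of the Oracle guide or of OUD; they build and check the orclimpersonationgrantee value in the orclGUID|start_date|end_date form shown in step g, deriving orclGUID from entryUUID as the note in step c describes. The entryUUID sample is the page’s example orclGUID written back with hyphens, and the function names are this example’s own.

```python
import re
from datetime import datetime, timezone

# orclGUID is 32 hex digits: the entryUUID with its separator hyphens removed.
GUID_RE = re.compile(r"^[0-9a-f]{32}$")
# LDAP GeneralizedTime as written in the practice, e.g. 20150501235959Z.
TIME_FMT = "%Y%m%d%H%M%SZ"

# Constructed sample: the page's example orclGUID in entryUUID form.
SAMPLE_ENTRYUUID = "c9318c91-1be6-4186-9b1a-b3a4309a52b8"


def orclguid_from_entryuuid(entry_uuid: str) -> str:
    """Derive orclGUID from entryUUID (same digits, hyphens removed)."""
    guid = entry_uuid.replace("-", "").lower()
    if not GUID_RE.match(guid):
        raise ValueError(f"not a valid entryUUID: {entry_uuid!r}")
    return guid


def parse_time(value: str) -> datetime:
    """Parse a GeneralizedTime string into an aware UTC datetime."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def build_grantee_value(entry_uuid: str, start: str, end: str) -> str:
    """Compose orclGUID|start_date|end_date for the impersonatee's entry."""
    if parse_time(end) <= parse_time(start):
        raise ValueError("end_date must be later than start_date")
    return "|".join([orclguid_from_entryuuid(entry_uuid), start, end])


def parse_grantee_value(value: str) -> dict:
    """Split a stored value back into its parts, rejecting malformed input."""
    parts = value.split("|")
    if len(parts) != 3:
        raise ValueError("expected orclGUID|start_date|end_date")
    guid, start, end = parts
    if not GUID_RE.match(guid.lower()):
        raise ValueError("malformed orclGUID")
    return {"granter_guid": guid.lower(),
            "start": parse_time(start), "end": parse_time(end)}


def grant_is_active(value: str, granter_guid: str, now: str) -> bool:
    """True only when the value names this impersonator and `now` (a
    GeneralizedTime string) lies inside the window; anything malformed
    is treated as inactive, so a bad value never widens access."""
    try:
        grant = parse_grantee_value(value)
    except ValueError:
        return False
    at = parse_time(now)
    return (grant["granter_guid"] == granter_guid.lower()
            and grant["start"] <= at <= grant["end"])


def stale_grants(values, now: str) -> list:
    """Values of a multi-valued attribute whose window has closed, or that
    do not parse; a reviewer would remove these from the impersonatee."""
    at = parse_time(now)
    stale = []
    for v in values:
        try:
            if parse_grantee_value(v)["end"] < at:
                stale.append(v)
        except ValueError:
            stale.append(v)
    return stale
```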
Practice 6-4: Configuring and Testing Impersonation
Overview
In this practice, you configure impersonation by using OAM, and test the feature.
Tasks
1.
Set up OUD as the system store in the OAM Console. (Perform this task on the OAM
machine.)
a. Log in to the OAM Console and access the Configuration tab. Click the User Identity
Stores icon.
b. In the Default and System Store section, select OUD_Store as the System Store. Under Access System Administrators, click Add.
c. In Add System Administrator Roles, search for OAMAdministrators of type Group.
Select OAMAdministrators and click Add Selected.
d. Click Apply.
e. In the warning window, click OK.
f. In the Validate System Administrator window, enter oamadmin/<OUD User
Password> and click Validate. When it is successful, notice the confirmation message
that changes have been saved successfully.
g. Access the Application Security tab, and click the Authentication Schemes link in the
Access Manager panel.
h. Click Search and click OAMAdminConsoleScheme in the result. View the properties of
OAMAdminConsoleScheme. Notice that it uses the LDAP authentication module.
i. Go to the Launch Pad of the Application Security tab. Click the Authentication Modules
link in the Plug-ins panel.
j. Click Search. Select LDAP. Change the User Identity Store from
UserIdentityStore1 to OUD_Store, and click Apply.
k.
Sign out of OAM Console, and close the browser window.
2. Set up an IPlanetAuthenticator provider in the WLS Console. (Perform this task on the OAM machine.)
a. Log in to the WLS Console as the weblogic user. Select Security Realms > myrealm > Providers (tab). Click “Lock and Edit” in the Change Center.
b. Click the New button, and specify the following values and click OK:
− Name: OUDAuthenticator
− Type: IPlanetAuthenticator
c. Click the OUDAuthenticator link and set Control Flag to Sufficient, and click Save.
d. On the Provider Specific tab, specify the following and click Save:
− Host: db.example.com
− Port: 1389
− Principal: cn=Directory Manager
− Credential/Confirm Credential: <OUD User Password>
− User Base DN: ou=people,dc=example,dc=com
− User Name Attribute: uid
− Group Base DN: ou=groups,dc=example,dc=com
Note: The default values for the user and group base DN must be changed to reflect the
directory information in OUD.
e. Using the breadcrumb links at the top of the page, navigate to the Providers page.
Click the DefaultAuthenticator link and change the control flag to Sufficient. Click Save.
f. Click the Providers breadcrumb link to navigate back to the Providers page. Click the Reorder button and move OUDAuthenticator to the top of the list of providers. Click OK.
g. Click the Activate Changes button under Change Center. Then close the browser.
h. Stop the OAM managed server and WLS admin server by using the desktop shortcuts.
3. Enable impersonation in the oam-config.xml file.
a. In the terminal window of the OAM machine, navigate to $DOMAIN_HOME/config/fmwconfig and edit the oam-config.xml file.
b. Change the EnableImpersonation parameter flag from false to true, and increment the Version parameter in the file by 10. If it is 95, change it to 105. This ensures that the database will pick up the configuration change.
c. Save the file.
d. Start the WLS admin and OAM servers using the desktop shortcuts.
e. After the WLS admin and managed servers have started, in a web browser, access the OAM Console and log in as the drose user in OUD, who is a member of the OAMAdministrators group.
4. Set up a policy rule with Boolean condition True.
a. Using the Chrome browser, log in to the OAM Console as the oamadmin user.
b. Click the Application Domain link in the Access Manager panel.
c. In the Search Application Domains, click Search. Click webgate_7777 Application
Domain.
d. Access the Authorization Policies tab and click Admin_Resource_Policy. On the
Condition tab, click Add. Specify Name: TRUE and Type: True, and click Add Selected.
e. On the Rules tab, in Allow Rules, select the TRUE condition from Available Conditions
and move it to Selected Conditions. Move any other conditions in Selected Conditions
out.
f. Click Apply.
5.
Test the impersonation feature. (Test Case 1: The impersonator logs in to the OAM
Console and starts the impersonation URL):
a. Sign out of any existing OAM Console sessions. In the Chrome browser, log in to the
OAM Console as the impersonator (drose).
b. Open a new tab in the same Chrome browser and enter the start impersonation URL:
http://oam.example.com:14100/oam/server/impersonate/start?userid=dward&success_url=http://db.example.com:7777/mybank/testheaders.jsp&failure_url=http://oam.example.com:7001
You should be redirected to the impconsent.jsp page, where the impersonator (drose) enters consent to start an impersonation session on behalf of the impersonatee (dward) by entering the impersonator’s password (drose’s password).
c. Click Confirm. You should be redirected to the DCC login page for testheaders.jsp (which is a protected resource).
Note
− This DCC login page appears because the OAM Admin Console is protected using the ECC login page and there is no single sign-on between DCC-protected applications (/mybank/testheaders.jsp) and ECC-protected applications (/oamconsole). If your protected application (/mybank/testheaders.jsp) was also protected via ECC, you would not see the login page after the consent form page (because there is transparent SSO between the applications).
− If the impersonator (drose) already has a DCC-protected app login session, then the impersonator does not see the DCC login page after the impersonation consent form.
− The impersonation functionality is currently restricted to OAM administrators only.
You should now see the DCC login page for the protected application (/mybank/testheaders.jsp). Log in as the impersonator (drose).
d. You should see the testheaders.jsp page similar to the following:
e.
Navigate to the OAM Console tab. Go to Access Manager panel > Session
Management, and search for sessions starting with d*. One of the records should
display the session for dward (the impersonatee). Notice that the Impersonating flag is
set to true and shows the name of the impersonator (drose).
The other record shows drose logged in to the OAM Console as the OAM
administrator.
6. Perform test case 2: The impersonator logs in to the OAM Console and also logs in to any DCC-protected application (for example, /example/internal/employeeHome.html). The impersonator starts the impersonation URL.
a. Click “Delete All User Sessions.”
b. Clear the cookies and cache for the Chrome browser.
c. In Chrome, log in to the OAM Console as the impersonator (drose).
d. Open a new tab in the same Chrome browser and invoke the Bakery application:
http://db.example.com:7777/example. Click the Employees link. If required, enter the
credential for drose to log in.
e. Open a new tab in the same Chrome browser and enter the start impersonation URL:
http://oam.example.com:14100/oam/server/impersonate/start?userid=dward&success_
url=http://db.example.com:7777/mybank/testheaders.jsp&failure_url=
http://oam.example.com:7001
f. You should be redirected to the impconsent.jsp page, where the impersonator
(drose) enters consent to start an impersonation session on behalf of the
impersonatee (dward) by entering the password.
g. You should now be transparently logged in to testheaders.jsp, which is a protected resource (because a DCC cookie already exists for drose, and drose is impersonating the session on dward’s behalf).
7. End the impersonation session.
a. To end the impersonation session, invoke the following URL on the testheaders.jsp tab:
http://oam.example.com:14100/oam/server/impersonate/end?userid=dward&end_url=http://db.example.com:7777/mybank/testheaders.jsp&failure_url=http://oam.example.com:7001
b. Refresh the Session Management panel in the OAM Console and notice the following:
− The user ID changes from dward to drose.
− The Impersonating flag switches to false.
− The Impersonator field is empty.
Practices for Lesson 7: Use Access Manager With WebLogic Applications
Chapter 7
Practices for Lesson 7: Overview
Practices Overview
These practices illustrate the use of the Oracle Access Manager identity assertion provider.
With the Oracle Access Manager identity assertion provider deployed in a WebLogic domain, an
application running in that domain can use Oracle Access Manager as the perimeter
authenticator. That application can then, as part of authentication, have the Oracle Access
Manager server assert the username so that the application can retrieve the username and use
it as needed.
You start these practices by reviewing a sample application that uses HTTP basic
authentication: one of the authentication mechanisms that are built in to all J2EE web
containers. Then you deploy the application and run it. The web container handles application
security and the application can retrieve the username, but single sign-on is not available.
You then modify the sample application so that it uses an external authenticator. You configure
the OHS instance on which the 11g WebGate is installed to serve the sample application, thus
allowing the WebGate to protect the sample application. Then you configure the security realm
in WebLogic Server to use the Oracle Access Manager identity assertion provider.
When you test the sample application after performing these steps, you observe the following:
• The Oracle Access Manager server collects user credentials and authenticates users.
• The Oracle Access Manager identity assertion provider makes the username available to the application.
• Single sign-on is available for the user.
Practice 7-1: Deploying a Sample Application with BASIC Authentication
Overview
In this practice, you review the security configuration in your WebLogic domain. Then you
review code in the sample jee application and deploy the application on the WebLogic
administration server. Although the sample application is written in Java, you do not need to
know Java to complete this practice.
You examine the deployment descriptors in the sample application. Then you run the sample
application and observe its behavior.
Assumptions
N/A
Tasks [Perform these tasks on the DB machine]
1. Review the security configuration in the myrealm security realm in the OUD domain on the DB machine.
a. On the DB machine, log in to the WLS Admin Console for the OUD domain as the
weblogic user.
b. Select oud_domain > Security Realms in the Domain Structure pane. The “Summary of
Security Realms” page appears on the right side of the console window.
c. Select the myrealm security realm. The settings for the My Realm page appear.
d. Click the Providers tab. The Authentication Providers page appears.
e. Observe that the DefaultAuthenticator provider appears. It enables user authentication to the WebLogic Server embedded LDAP server and is configured in security realms by default.
2. Review the sample application you are to deploy to WebLogic Server.
a. In a terminal window, copy the application to a temporary location.
$> cd ~/labs/lesson07
$> mkdir ~/lesson7_temp
$> cp -r * ~/lesson7_temp
b. Open the Servlet1.java file in $HOME/lesson7_temp/jee/WEB-INF/source.
c. Locate the following line in the file:
out.println("<p>The servlet has received a GET. This is the reply for " + request.getRemoteUser() + ".</p>");
− The println method writes text to a dynamically generated HTML page.
− The value of the variable is generated by the getRemoteUser method, which is a method in the HttpServletRequest class. The getRemoteUser method returns the username of the user who has authenticated to the system.
− When you run the sample application, a line with the above text, followed by the username with which you authenticated, appears.
d. Close the Servlet1.java file.
3.
Review the security constraints in the application.
a. In a terminal window, change directory to $HOME/lesson7_temp/jee/WEB-INF and
open the web.xml file and locate the following line in the file:
<auth-method>BASIC</auth-method>
The <auth-method> statement specifies the HTTP basic authentication method. The
HTTP basic authentication method displays a dialog box to collect the username and
password.
When you modify the jee application to use an identity assertion provider in a
subsequent practice, you change the <auth-method> statement.
b.
Review the <security-constraint> and <security-role> sections of the
web.xml file.
These sections, which are required for the HTTP basic authentication method, describe
how the application should be protected. Application security is defined as follows:
− <security-constraint> section: HTTP GET, POST, DELETE, PUT, HEAD,
OPTIONS, and TRACE operations on the /servlet1 URL are permitted for users in the
all-authenticated-users role. HTTP methods are defined by RFC 7231 for the HTTP
1.1 specification.
− <security-role> section: The only role used by this web application is the all-authenticated-users role.
c. Close the web.xml file.
Note: The weblogic.xml file maps the all-authenticated-users role named in the web.xml file to the users group in the WebLogic Server security domain. The users group is a default WebLogic Server group containing all users who have been authenticated. The users group does not appear in the WebLogic Console.
4. Deploy the sample jee application.
a. In the WLS Admin Console for the OUD domain, select oud_domain > Deployments in the Domain Structure pane.
The “Summary of Deployments” page appears on the right side of the console window.
b. Click Install.
The “Locate deployment to Install and prepare for deployment” form appears.
c. Enter /home/oracle/lesson7_temp/jee in the location field, and make sure that, in the Current Location field, the option button to the left of the value jee is selected. Then click Next.
d. Select “Install this deployment as an application” and click Next.
e. Select the mybank_svr as the target in the “Select deployment targets” form and click Next.
f. Click Finish in the Optional Settings form.
The “Summary of Deployments” page reappears. The jee application should appear in the list with the Active status. Verify that the status of the jee application is Active.
5. Verify the access to the application.
a. In the browser window, log out of the WLS Admin Console.
b. Clear cookies, cache, and active logins.
c. Close your browser and then restart it.
d. Access the http://db.example.com:7101/jee/servlet1 URL in a browser.
The HTTP basic authentication dialog box appears.
e. Log in as the weblogic user.
The following message appears: “The servlet has received a GET. This is the reply for weblogic.”
The weblogic user is present in the WebLogic embedded LDAP database. Therefore, WebLogic Server uses the DefaultAuthenticator provider for authentication. The getRemoteUser method returned the name of the user who has authenticated to the system: the weblogic user.
6. Review browser cookies:
a. In the browser, select Edit > Preferences > Privacy > Remove Individual Cookies.
b. Expand the Site node in the Cookies dialog box. Verify that no cookies associated with Oracle Access Manager single sign-on are present.
Note: You should see only the JSESSIONID cookie.
c. Close the dialog boxes.
d. Clear cookies, cache, and active logins. Close your browser and then restart it.
7. Access the jee sample application as the jwalker user.
a. In the browser window, access the URL http://db.example.com:7101/jee/servlet1.
b. Try to log in as jwalker. The login page keeps repeating without showing the resulting page.
c. Review browser cookies. Verify that no cookies associated with Oracle Access Manager single sign-on are present (you should see only the JSESSIONID cookie).
Practice 7-2: Configuring OAM Authentication for a Sample Application
Overview
In this practice, you perform the following:
• Reconfigure the application to use OAM authentication rather than its own security.
• Redeploy the revised application.
• Modify the mod_wl_ohs.conf file of the Oracle HTTP Server instance on which WebGate 11g is installed.
• After modifying the mod_wl_ohs.conf file, you restart the OHS instance so that the changes take effect. Then you execute the sample application to verify that the sample application is protected by WebGate 11g.
Tasks [Perform these tasks on the DB machine]
1. Modify the jee sample application’s deployment descriptor:
a. Make a backup copy of $HOME/lesson7_temp/jee/WEB-INF/web.xml.
$> cd ~/lesson7_temp/jee/WEB-INF
$> cp web.xml web.xml_old
b. Edit the web.xml file and remove the following sections from the file:
• The section starting with the <security-constraint> tag and ending with the </security-constraint> tag
• The section starting with the <security-role> tag and ending with the </security-role> tag
c. Change the authentication method. Modify the line with the <auth-method> tag to have the following content: <auth-method>CLIENT-CERT</auth-method>.
Specifying the value CLIENT-CERT in the <auth-method> tag triggers WebLogic Server to use an external authentication method determined by the WebLogic Server security domain.
d. Verify that the web.xml file has the following content:
<?xml version = '1.0' encoding = 'UTF-8'?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
<servlet>
<servlet-name>Servlet1</servlet-name>
<servlet-class>jee.Servlet1</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Servlet1</servlet-name>
<url-pattern>/servlet1</url-pattern>
</servlet-mapping>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
</web-app>
e. Rename weblogic.xml to weblogic.xml_old.
$> mv weblogic.xml weblogic.xml_old
The content of the weblogic.xml file is no longer needed in the deployment descriptor because of your modifications to the web.xml file. Because the file is renamed, it is not used when you redeploy the jee application.
2. Redeploy the jee sample application:
a. Select oud_domain > Deployments in the Domain Structure pane. The “Summary of Deployments” page appears on the right side of the console window.
b. Locate the entry for the jee application in the list of deployed applications.
c. Select the check box to the left of the entry for the jee application.
d. Click Update. The Update Application Assistant appears.
e. Click Finish.
f. Click Activate Changes.
g. The status of the jee application should be Active.
3. Configure OHS_7777 to front-end the application on the DB machine, so that the application can be protected using the WebGate.
a. In a terminal window, open the /u01/app/instances/ohs_7777/config/OHS/ohs7/mod_wl_ohs.conf file with the gedit or vi text editor.
b. Append the following text lines at the end of the file:
<Location /jee>
SetHandler weblogic-handler
</Location>
c. Save and close mod_wl_ohs.conf.
d. Execute the following commands to stop and start the OHS instance protected by WebGate 11g:
$> cd /u01/app/instances/ohs_7777/bin
$> ./opmnctl restartproc ias-component=ohs7
4. Test the application access mechanism through OHS_7777 now.
a. In your browser window, clear cookies, cache, and active logins.
b. Close your browser and then restart it.
c. Access the jee sample application, now protected by Oracle Access Manager WebGate 11g. Enter the following URL in a browser: http://db.example.com:7777/jee/servlet1.
The DCC login page appears, demonstrating that the sample application is now being protected by WebGate 11g.
d. Log in as the jwalker user.
You may be presented with the login page from myrealm of the OUD Domain if you had not cleared the cookies.
5. Set up an IPlanetAuthenticator provider for the OUD Domain.
a. Log in to the WLS Console as the weblogic user. Select Security Realms > myrealm > Providers (tab).
b. Click the New button, specify the following values, and click OK:
− Name: OUDAuthenticator
− Type: IPlanetAuthenticator
c. Click the OUDAuthenticator link, set Control Flag to Sufficient, and click Save.
d. On the Provider Specific tab, specify the following and click Save:
− Host: db.example.com
− Port: 1389
− Principal: cn=Directory Manager
− Credential/Confirm Credential: <As indicated in the Password Doc>
− User Base DN: ou=people, dc=example, dc=com
− User Name Attribute: uid
− Group Base DN: ou=groups, dc=example, dc=com
Note: The default values for the user and group base DN must be changed to reflect the
directory information in OUD.
e. Using the breadcrumb links at the top of the page, navigate to the Providers page.
Click the DefaultAuthenticator link and change the control flag to Sufficient. Click Save.
f. Click the Providers breadcrumb link to navigate back to the Providers page. Click the
Reorder button and move OUDAuthenticator to the top of the list of providers. Click
OK.
g. Click Log out. Then close the browser.
h. Stop My Bank Server using the stopMyBank.sh script from $HOME/setupfiles folder.
Enter username as weblogic and the corresponding password when prompted.
i. Stop and start the OUD, using the desktop icons.
j. Then start My Bank Server using the startMyBank.sh script from $HOME/setupfiles
folder. Enter username as weblogic and the corresponding password when prompted.
6. Verify access to the jee/servlet1.
a. Stop all browser windows.
b. Invoke a fresh browser window, and clear all cookies.
c. Access the jee servlet at http://db.example.com:7777/jee/servlet1 and log in as the ahall user.
The following message appears: “The servlet has received a GET. This is the reply for
null.”
The application is unable to determine that you logged in as the ahall user, because
the application has not been enabled to read and print the OAM_REMOTE_USER.
Practices for Lesson 8: Configuring Auditing and Logging
Chapter 8
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
Practices for Lesson 8: Configuring Auditing and Logging
Chapter 8 - Page 1
Practices for Lesson 8: Overview
Practices Overview
In these practices, you configure the auditing and logging capabilities of Oracle Access
Manager, examine files, and run reports.
You configure Oracle Access Manager auditing as follows:
• Capture more auditing information.
• Write audit records to an Oracle database instead of to a flat file.
After you perform these configuration tasks, you configure a preinstalled instance of Oracle
Business Intelligence Publisher (Oracle BI Publisher) to run Oracle Access Manager reports.
You then run a sample report.
For logging, you examine the default logging configuration and examine logging output when
the default configuration is in effect. You increase the logging level so that debug-level logging
records are produced, and you examine the output. At the end of these practices, you reset the
logging level to the default level.
Practice 8-1: Configuring OAM Audit Logs to be Written to a Database
Overview
In this practice, you examine the level of audit output produced when the default audit settings
are in effect. You then change the settings, perform some access operations to generate audit
records, and examine the changes to the output.
You also configure the OAM server to write audit log records to an Oracle database, perform
access operations to generate audit records, and review the audit records in the Oracle
database.
Assumptions
N/A
Tasks [Perform these tasks on the OAM machine]
1.
Verify that the Oracle Access Manager auditing system is capturing only very high-level
system events:
a. In a terminal window on the OAM machine, change directory to
$DOMAIN_HOME/servers/oam_server1/logs.
$> cd $DOMAIN_HOME/servers/oam_server1/logs
$> ls
access.log
...
b. Notice that you do not have the auditlogs directory. Change directory to the $DOMAIN_HOME/servers/AdminServer/logs/auditlogs/OAM directory and, using the tail or more command, view the audit.log file.
$> tail audit.log
...
2015-04-23 17:36:02.646 "" "ConsoleLogin" true "UserLogoutSuccess" "drose" "SystemStore_ID=B789942B01BE2D09D5 SystemStore_Name=OUD_Store" - - - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "oam_domain" "a768ca30fc28181c:5c5aa003:14ce290c3db:-8000-0000000000000b04" "AdminConsole" - - - - - - - "edddr1p2" - "10.150.30.62" - - - - - - - - - - - "0" - "" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "67" - - -
2015-04-23 17:37:18.345 "UserName=drose Roles:Groups=OAMSystemAdminGroup OAMAdministrators " "ConsoleLogin" true "UserAuthorizationSuccess" "drose" "SystemStore_ID=B789942B01BE2D09D5 SystemStore_Name=OUD_Store" - - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "oam_domain" "a768ca30fc28181c:5c5aa003:14ce290c3db:-8000-0000000000000b16" "AdminConsole" - - - - - - - "edddr1p2" - "10.150.30.62" - - - - - - - - - - - "0" - "10.150.30.62" - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "12" - - - -
2. Change the audit filter setting to All.
a. Log in to the OAM Console as the oamadmin user in the Chrome browser.
b. On the Configuration tab, and in the Settings panel, click View > Common Settings,
and view the Audit Configuration section.
Notice that Filter Preset is set to Low.
c. Change Filter Preset to All and click Apply.
d. Sign out of the OAM Console.
e. Stop the OAM server and WLS admin server by using the desktop icons.
f. Start the WLS admin server and OAM server by using the desktop icons.
3. Review the audit filter setting in the configuration files.
a. In a command window, using the more command, view the oam-config.xml, component_events.xml (all events defined here), and jps-config.xml files in the $DOMAIN_HOME/config/fmwconfig directory.
b. You can use the grep command to search for the audit, FilterPreset, auditbusstop, and componentEventsFile keywords in oam-config.xml.
c. Also search for the FilterPresetDefinition keyword in component_events.xml.
d. Review the audit.log file in the $DOMAIN_HOME/servers/oam_server1/logs/auditlogs/OAM directory.
4. Generate an audit record by accessing the Example Bakery employee portal, which requires user authentication:
a. Clear cookies and cache and restart the browser.
b. Navigate to the Bakery application home page.
c. Click Employees. The Example Bakery login page appears.
d. Log in as the ahel user. The employee portal appears.
e. Click the Finance department site. It should display “Oracle Access Manager Operation
Error. Access to the URL /example/internal/finance/financeHome.html has been denied
for user. Contact your website administrator to remedy this problem.” The ahel user is
not in the Finance group and has been denied access per the authorization policy.
f. Log out by invoking the http://db.example.com:7777/logout.html URL.
5. Verify that the Oracle Access Manager server auditing system captures more information after you change the audit filter preset to All:
a. Open the $DOMAIN_HOME/servers/oam_server1/logs/auditlogs/OAM/audit.log file with any text editor and examine the output.
b. Search the audit file for the ahel keyword. The file should now contain records with
initiator as ahel and event types such as Authentication,
CredentialValidation, SessionCreation, Login, SessionValidation,
CheckAuthorization, Authorization, SessionDestroy, Logout, and so on.
You have now confirmed the new audit log filter setting.
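The check in step b can be scripted. The following Python script is an added example, not part of the practice: it parses records in the shape of the audit.log bus-stop file shown in task 1 and lists event types per initiator, flagging records whose status is false. The field positions, the constructed sample records, and the category names other than ConsoleLogin are assumptions inferred from the two records shown earlier, not taken from the documented audit schema.

```python
"""Summarise OAM audit.log (bus stop) records by initiator and event type.

Added example, not part of the practice. Field positions are inferred from
the two records shown in task 1 and are an assumption, not the IAU schema.
"""
import shlex
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Positions of the fields that follow the "date time" prefix, inferred from
#   "" "ConsoleLogin" true "UserLogoutSuccess" "drose" ...
# (assumption: category, status, event type, initiator).
CATEGORY, STATUS, EVENT_TYPE, INITIATOR = 1, 2, 3, 4

# Constructed sample in the shape of the page's records: the first line is the
# leading part of the drose record from task 1; the others are made up using
# the ahel and testerID users from this lesson. One record per line.
SAMPLE_LOG = """\
2015-04-23 17:36:02.646 "" "ConsoleLogin" true "UserLogoutSuccess" "drose" "SystemStore_ID=B789942B01BE2D09D5 SystemStore_Name=OUD_Store" - - - - "oam_admin(11.1.2.0.0)" - - "oam_domain"
2015-04-23 18:02:11.120 "" "Authentication" true "CredentialValidation" "ahel" - - - - "oam_server(11.1.2.0.0)" - - "oam_domain"
2015-04-23 18:02:11.410 "" "UserSession" true "Login" "ahel" - - - - "oam_server(11.1.2.0.0)" - - "oam_domain"
2015-04-23 18:15:40.007 "" "Authentication" false "CredentialValidation" "testerID" - - - - "oam_server(11.1.2.0.0)" - - "oam_domain"
"""


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Split one bus-stop record into its fields.

    Fields are space separated; quoted fields may contain spaces, and a bare
    "-" marks an empty field. Returns None for lines that are not records
    (for example the "..." that tail prints, or a shell prompt).
    """
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quote: not a well-formed record
        return None
    if len(tokens) < INITIATOR + 3 or tokens[0].count("-") != 2:
        return None  # too short, or does not start with a YYYY-MM-DD date
    fields = [None if t == "-" else t for t in tokens[2:]]
    return {
        "timestamp": f"{tokens[0]} {tokens[1]}",
        "category": fields[CATEGORY],
        "success": fields[STATUS] == "true",
        "event_type": fields[EVENT_TYPE],
        "initiator": fields[INITIATOR],
        "fields": fields,
    }


def events_by_initiator(log_text: str) -> Dict[str, List[str]]:
    """Map each initiator to the event types recorded for it, in file order."""
    summary: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["initiator"]:
            summary[rec["initiator"]].append(rec["event_type"])
    return dict(summary)


def failed_events(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, initiator, event type) for records with status false."""
    return [
        (rec["timestamp"], rec["initiator"], rec["event_type"])
        for rec in map(parse_record, log_text.splitlines())
        if rec and not rec["success"]
    ]


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open(path_to_audit_log).read() for a real file.
    for user, events in events_by_initiator(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(events)}")
    for ts, user, event in failed_events(SAMPLE_LOG):
        print(f"FAILED {ts} {user} {event}")
```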
Perform the following task on the DB machine.
6. Verify that the Oracle Database tables that are used to hold OAM audit records are empty.
a. In a terminal window on the DB system, invoke SQL Plus and connect as the DEV_IAU user.
$> sqlplus /nolog
SQL> connect DEV_IAU
Enter password:
Connected.
b. Execute the select command to display a list of tables created by the RCU:
SQL> select TABLE_NAME from USER_TABLES order by 1;
...
IAU_AUDITSERVICE
IAU_BASE
IAU_COMMON
...
28 rows selected.
c. Execute the select count(*) command to see the number of records in the table.
SQL> select count(*) from IAU_BASE;
0
A result of 0 confirms that there are no records in the table yet.
Perform these tasks on the OAM machine.
7. Configure a JDBC data source for the audit database in WebLogic Server.
a. On the OAM machine, access the Chrome browser, access the WebLogic Console:
http://oam.example.com:7001/console, and log in as the weblogic user.
b. Click “Lock and Edit” in the Change Center pane.
c. Navigate to oam_domain > Services > Data Sources in the Domain Structure
pane. The “Summary of JDBC Data Sources” page appears on the right panel.
d. Select New > Generic Data Source. The Create a New JDBC Data Source Wizard
starts.
e. Enter the following values on the JDBC Data Source Properties page, and click Next:
Field            Choices or Values
Name             AuditDB
JNDI Name        jdbc/AuditDB
Database Type    Oracle
f. On the second JDBC Data Source Properties page, click Next to accept the default database driver.
g. On the Transaction Options page, click Next. The Connection Properties page appears.
h. Complete the fields on the Connection Properties page as follows and click Next:
Field                 Choices or Values
Database Name         orcl
Host Name             db.example.com
Port                  1521
Database User Name    DEV_IAU
Password              As mentioned when creating the schemas using RCU.
Confirm Password      As mentioned when creating the schemas using RCU.
i. The Test Database Connection form appears. Click Test Configuration.
If you configured the AuditDB data source correctly, the message “Connection test succeeded” appears in the WebLogic Console.
j. Click Next. The Select Targets form appears.
k. Select the check boxes for the AdminServer and oam_server1 servers.
Note: In addition to Oracle Access Manager, other Oracle Fusion Middleware
components can use the database audit-logging capability. If you do not deploy the
AuditDB data source definition to the administration server, multiple IAU-5048
messages appear in the administration server logs when you start recording audit
records in the database.
l. Click Finish. Then click Activate Changes in the Change Center pane.
8. Use FMW Control to configure the audit subsystem to write records to the Oracle database.
a. In the Chrome browser access the FMW Control (URL:
http://oam.example.com:7001/em), and log in as the weblogic user.
b. In the navigation pane, navigate to Farm_oam_domain > WebLogic Domain >
oam_domain, and click oam_domain.
The oam_domain page appears in the right pane. A menu with options to view
configuration objects appears below the oam_domain label.
c. Select WebLogic Domain > Security > Security Provider Configuration from the menu.
d. Expand the Audit Service section and click the Configure button.
The Audit Store page appears. A message appears indicating that auditing is currently
configured to write records to a flat file: “The default audit store is file-based. Data
Source JNDI name is empty when the audit store is file-based.”
e. Click the Search icon to the right of the empty Data Source JNDI Name field.
f. The Select Data Source dialog box appears. Click the jdbc/AuditDB entry, and then
click OK.
The Audit Service Configuration page appears again, with the configuration details for
the AuditDB JDBC data source listed.
g. Click Apply for Audit Data Store Configuration. Notice the information message “All
changes made in this page require a server restart to take effect.”
h. Navigate to WebLogic Domain > Security > Audit Policy.
i. Select Oracle Access Manager from the Audit Component Name drop-down menu.
j. Select Custom from the Audit Level drop-down list and click the Audit All Events
button. Then click Apply.
This enables a comprehensive audit for all events under User Sessions, Authorization,
Account Management, OAM Server, and OAM Admin Console.
You can also specify a comma-separated list containing users that are always audited
regardless of the audit level setting set above (“Users to Always Audit”).
9.
Restart both the WebLogic administration server and the managed server instance so the
changes take effect.
a. Using the desktop icons, stop the OAM server and WLS admin server.
b. Using the desktop icons, start the WLS admin server and OAM server.
10. Access the Example Bakery application so that several audit records are recorded.
a. Clear cookies and cache and restart the browser.
b. Navigate to the Bakery application home page: http://db.example.com:7777/example.
c. Click Employees. The Bakery login page appears.
d. Log in as the ahunter user. The employee portal appears.
e. Log out of the Oracle Access Manager session by navigating to the central logout
page: http://db.example.com:7779/logout.html.
11. View the bus stop of the audit log file.
Open the audit.log file in the $DOMAIN_HOME/servers/oam_server1/logs/auditlogs/OAM directory on the OAM machine and review the content in the file. Search for the ahunter keyword.
Notice that the records are still being recorded in the audit.log file. The auditing subsystem uses this file as a “bus stop,” that is, an intermediate cache for audit records before they are written to the audit database.
12. Review the content in the IAU_BASE table in the Oracle database. The table should no longer be empty. Perform the following steps on your database machine:
a. Verify that the sqlplus session is still active in the terminal window you opened during a previous task. If sqlplus is not active, restart sqlplus and log in as the DEV_IAU user.
b. Execute the select command to display the number and values of recorded event types in the IAU_BASE table:
SQL> select count(*) from IAU_BASE;
SQL> select distinct IAU_EVENTTYPE from IAU_BASE order by 1;
c. Review the output from the select command. The output should contain records with
event types such as Authorization, CredentialValidation,
SessionValidation, and Login. The presence of these values in the database
indicates that audit records are now being recorded in the Oracle database.
d. Exit sqlplus:
SQL> exit
Practice 8-2: Configuring Oracle BI Publisher to View Audit Reports
Overview
In this practice, you configure Oracle BI Publisher so that you can run reports to analyze
auditing data captured by the Oracle Access Manager server. Oracle BI Publisher is preinstalled
on your DB machine.
You start Oracle BI Publisher and install templates for Oracle Fusion Middleware reports and for
Oracle Access Manager reports. Then you configure Oracle BI Publisher to access the
database in which audit records are located.
Tasks [Perform these tasks on the DB machine]
1.
Start Oracle BI Publisher and verify that no reports that are specific to Oracle Fusion
Middleware or Oracle Access Manager have been installed:
a. Double-click the Start BI Pub icon on the DB machine desktop. Enter weblogic as
username and the password if prompted.
You are starting the admin server for a WLS installation that is separate from the
ODSM server.
b. Open a browser and access the FMW Control for the Oracle BI Publisher installation [URL:
http://db.example.com:7002/em]. Log in as the weblogic user.
c. If the BI Publisher [bipublisher(11.1.1)] application is running, then go to step d.
1) If bipublisher has not been started, then navigate Farm_bifoundation_domain >
Application Deployments > Internal Applications and click bipublisher.
2) From the Application Deployment menu, click Control > Startup.
3) Once the process has completed startup, click Close to close the Confirmation
dialog.
d. Log out of FMW Control. Then access the Oracle BI Publisher application at the URL:
http://db.example.com:7002/xmlpserver (or simply click the BI Pub bookmark). Log in
to Oracle BI Publisher as the weblogic user.
e. Click Catalog. Expand Shared Folders > Components. No reports that are specific to
Oracle Fusion Middleware or Oracle Access Manager appear among the available
reports.
2. Copy the OAM reports from the OAM machine and set up OAM reports in Oracle BI Publisher:
a. In a terminal window on the DB machine, navigate to the $BI_HOME/../user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports directory.
$> cd $BI_HOME/../user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports
b. Copy the oam_audit_reports_11_1_2_0_0.zip file from /u01/app/oracle/product/middleware/iam_home/oam/server/reports on the OAM machine.
$> scp @oam:/u01/app/oracle/product/middleware/iam_home/oam/server/reports/oam_audit_reports_11_1_2_0_0.zip .
c. Unzip the oam_audit_reports_11_1_2_0_0.zip file.
$> unzip oam_audit_reports_11_1_2_0_0.zip
d. Delete the META-INF directory (rm -rf META-INF).
e. In the browser Oracle BI Publisher window, refresh the /Shared Folders page. A new folder, OAM, appears in the set of available reports with four groups of reports:
Note: If you want to display FMW reports as well (along with OAM-specific reports for the 11.1.2 release), you can transfer AuditReportTemplates.jar from the OAM machine ($MW_HOME/oracle_common/modules/oracle.iau_11.1.1/reports directory) to the DB machine (/u01/app/oracle/product/bi_mw_home/user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports directory) and explode the .jar file. However, you do not perform this step in this practice.
3. Configure the data source that Oracle BI Publisher uses to access the audit database and configure Catalog Configuration:
a. Click the Administration link in the top-right corner of Oracle BI Publisher on the DB
machine.
b. Click JDBC Connection in Data Sources.
c. The Data Sources page appears. Verify that the JDBC tab is selected. If the JDBC tab
is not selected, click it.
d. Click Add Data Source.
e. The Add Data Source page appears. Complete the fields on the Add Data Source page as follows:
Field                    Choices or Values
Data Source Name         Audit
Driver Type              Oracle 11g
Database Driver Class    oracle.jdbc.OracleDriver
Connection String        jdbc:oracle:thin:@db.example.com:1521:orcl
Username                 DEV_IAU
Password                 <Password used when creating the schema using RCU>
f. Click Test Connection. The message “Connection established successfully” should appear.
g. Click Apply. The Data Sources page appears, with the Audit data source listed among the available JDBC data sources.
4. Run an Oracle Access Manager audit report in Oracle BI Publisher:
a. In Oracle BI Publisher, click the Catalog link.
b. Expand Shared Folders.
c. Expand OAM.
d. Click Authentication_History under User_Activities. The Authentication History report
appears.
Review the data in the Authentication History report. The report should list recent
authentications to the Oracle Access Manager server. The report includes console
logins.
5. Perform a few access operations to generate records in the audit repository.
a. In another browser window, access the Bakery application and click the Employees link.
b. Specify an invalid user ID (testerID) and password when you are prompted to authenticate. Click Login.
You are not granted access to the Bakery employee portal.
6. Rerun the Authentication History report. Details about the unsuccessful authentication event should appear in the Authentication History report.
7. Run the following Oracle Access Manager reports in Oracle BI Publisher:
• The All_Errors_and_Exceptions report (under Errors_and_Exceptions)
• The AuthenticationFromIPByUser report (under Authentication_Statistics). Run this report twice, specifying the Success authentication status once and the Failure authentication status once (set the Authentication Status to Success or Failure and click View).
• The AuthenticationPerIP report (under Authentication_Statistics). Run this report twice, specifying the Success authentication status once and the Failure authentication status once.
• Dashboard Report (under User Activities)
• Authentication_Statistics (under Authentication_Statistics)
Review the data in each report after you run the report. The results should be consistent
with Oracle Access Manager activity.
If you have time, use the Bakery and My Bank applications to generate more Oracle Access
Manager audit events, and then run reports. Review how the events are captured in the
audit reports.
8. To improve the performance of your practice environment, click the Stop BI Pub icon on the desktop of your DB machine to shut down the BI Pub domain.
Note: The details links in the reports do not work. You can resolve this issue by upgrading the 10g format reports by using the following link. Do not do this for this practice.
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1549828.1
Practice 8-3: Reviewing Logs
Overview
In this practice, you start working with the Oracle Fusion Middleware logging subsystem.
You start by shutting down the active servers and deleting the log files. You remove the log files
to ensure that the logging records that you examine are generated only by the activities
performed in this practice. Then you use FMW Control to review the default logging
configuration.
Assumptions
N/A
Tasks [Perform these tasks from the OAM machine unless specifically stated otherwise]
1. Stop the WebLogic administration server and the managed server instances that run the Oracle Access Manager server, delete the log files, and then restart the server instances:
a. Stop the AdminServer and oam_server1 servers.
b. Navigate to the $DOMAIN_HOME/servers/oam_server1/logs directory. Delete all files that have names starting with the string oam_server1-diagnostic. If you are not able to delete the oam_server1-diagnostic.log file, wait several seconds and try again. The servers must be completely shut down before you can delete this file.
Note: The oam_server1-diagnostic.log file is the active Oracle Access Manager server log file. Files with the name oam_server1-diagnostic-xx.log (where xx is a number) are archived log files. You configure the max file size and max directory size of archived log files in OAM Console > System Configuration > Common Configuration > Common Settings > Audit Configuration section.
c. Start the AdminServer and oam_server1 servers.
2. Navigate to the following URL to start FMW Control: http://oam.example.com:7001/em (or click the EM bookmark in Chrome). Log in as the weblogic user.
a. Navigate to the logging configuration: in the left pane, expand Farm_oam_domain > WebLogic Domain > oam_domain > oam_server1.
b. Click oam_server1. The oam_server1 page appears in the right pane. A menu with
options to view configuration objects appears below the oam_server1 label.
c. Select WebLogic Server > Logs > Log Configuration from the menu. The Log
Configuration page appears in FMW Control.
3. Examine the default log levels in the logging configuration:
a. Click the Log Levels tab.
b. Expand the Root Logger > oracle > oracle.oam node in the navigator that appears in the Logger Name column. Loggers in the oracle.oam node should now be visible:
c. Locate the log level for the oracle logger, which is the parent logger for all Oracle Fusion Middleware loggers. The oracle logger’s log level is set to the NOTIFICATION:1(INFO) level.
d. Locate the log level for the oracle.oam logger. The oracle.oam logger’s level is set to the NOTIFICATION:1 level and is inherited from its parent logger.
e. Browse the list of child loggers of the oracle.oam logger. Each child logger’s log level is set to the NOTIFICATION:1 level and is inherited from its parent logger.
4. Examine the log file settings in the logging configuration:
a. Review the log file column for the Oracle Fusion Middleware loggers. The odl-handler log file is listed for all Oracle Fusion Middleware loggers.
b. Click the Log Files tab.
c. Select the entry for the odl-handler log file and click Edit Configuration.
d. The Edit Log File dialog box displays the logging configuration for the odl-handler log file. Note the value of the Log Path: $DOMAIN_HOME/servers/<server_name>/logs/<server_name>-diagnostic.log. This path is the default location of the Oracle Access Manager server and admin server log file.
e. Notice that the default format is ODL text format. Notice that the rotation policy for the log files can be set to Size Based or Time Based.
f. Click Cancel to close the Edit Log File dialog box without changing the log file configuration.
5. Review the logging file’s current size and content:
a. Navigate to the $DOMAIN_HOME/servers/oam_server1/logs directory.
b. Note the oam_server1-diagnostic.log file’s size for use in a subsequent step.
c. Open the oam_server1-diagnostic.log file and browse the log messages in the file. The third column of the log file contains the message log level. Verify that only messages with the log levels NOTIFICATION, WARNING, and ERROR are in the log file.
6. Examine the impact of an invalid login on the log file when the default logging configuration is in effect:
a. Clear cache and cookies for the browser.
b. Access the Bakery application and click the Employees link. Specify a valid user ID
and invalid password when you are prompted to authenticate. Click Login. You are not
granted access to the Bakery employee portal.
c. Now enter an invalid user ID and password and try to log in.
d. Navigate to the $DOMAIN_HOME/servers/oam_server1/logs directory.
e. Note the oam_server1-diagnostic.log file’s size. Compare the file size to the file size you observed in a previous step. Make a note of the new file size for use in a subsequent practice.
7. Open the oam_server1-diagnostic.log file and see if you can locate messages that diagnose why the attempt to authenticate to the Oracle Access Manager server failed. (Note: Search for the word ERROR or search by the user ID of the person.)
A user tried to log in as ahunter (a valid user) with an incorrect password:
…
A user tried to log in as vishal (an invalid user):
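The two checks in steps 5c and 7 (only NOTIFICATION, WARNING and ERROR present at the default level; locating the failed-login records by ERROR or by user ID) can be scripted. The following is an added example, not part of the Oracle course material: it parses the bracketed fields of ODL text records as written to oam_server1-diagnostic.log, merges stack-trace continuation lines into their record, flags levels outside the default set, and pulls the records for a given user. The log lines are constructed samples with empty message IDs and invented text, not output from a real server.

```python
import re

# Levels the default oracle logger configuration (NOTIFICATION:1) should emit.
ALLOWED_DEFAULT = {"NOTIFICATION", "WARNING", "ERROR"}
# Order of the first five bracketed fields in an ODL text record.
POSITIONAL = ("timestamp", "component", "level", "message_id", "module")
_TS = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
_KV = re.compile(r"\w+: ")


def _bracket_fields(line):
    """Split the leading [..] fields off a line; nested brackets (as in the
    tid field) are balanced. Returns (fields, remaining message text)."""
    fields, i, n = [], 0, len(line)
    while i < n and line[i] == "[":
        depth, j = 0, i
        while j < n:
            if line[j] == "[":
                depth += 1
            elif line[j] == "]":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if depth != 0:
            break                       # unbalanced: rest is message text
        content = line[i + 1:j]
        # After the five positional fields only "key: value" fields are taken,
        # so a message that itself starts with "[" is not swallowed.
        if len(fields) >= 5 and not _KV.match(content):
            break
        fields.append(content)
        i = j + 1
        while i < n and line[i] == " ":
            i += 1
    return fields, line[i:]


def parse_odl_line(line):
    """Parse one ODL record start; None for continuation lines."""
    fields, message = _bracket_fields(line)
    if len(fields) < 5 or not _TS.match(fields[0]):
        return None
    rec = dict(zip(POSITIONAL, fields[:5]))
    rec["level"] = rec["level"].split(":")[0]   # "NOTIFICATION:16" -> NOTIFICATION
    for field in fields[5:]:
        key, _, value = field.partition(": ")
        rec[key] = value
    rec["message"] = message
    return rec


def read_odl(text):
    """Parse a whole diagnostic log, attaching continuation lines
    (stack traces, wrapped text) to the record they belong to."""
    records = []
    for raw in text.splitlines():
        rec = parse_odl_line(raw)
        if rec is not None:
            records.append(rec)
        elif records and raw.strip():
            records[-1]["message"] += "\n" + raw
    return records


def unexpected_levels(records, allowed=ALLOWED_DEFAULT):
    """Records at a level the default configuration should not produce."""
    return [r for r in records if r["level"] not in allowed]


def events_for_user(records, user):
    """Records for a user, via the userId field or a mention in the message
    (a failed login for an unknown user is logged with userId <anonymous>)."""
    pattern = re.compile(r"\b%s\b" % re.escape(user))
    return [r for r in records
            if r.get("userId") == user or pattern.search(r["message"])]


def failure_counts(records):
    """Count WARNING and ERROR records per (userId, level)."""
    counts = {}
    for r in records:
        if r["level"] in ("ERROR", "WARNING"):
            key = (r.get("userId", "?"), r["level"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines in ODL text format (message IDs left empty,
# message text invented); not taken from a real oam_server1-diagnostic.log.
SAMPLE_LOG = """\
[2015-10-20T10:15:30.001+01:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.server] [tid: 10] [userId: <anonymous>] [ecid: 0000ABC,0] [APP: oam_server] Server started
[2015-10-20T10:15:45.120+01:00] [oam_server1] [ERROR] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ahunter] [ecid: 0000ABD,0] [APP: oam_server] Authentication failed: invalid credentials for user ahunter
[2015-10-20T10:16:02.511+01:00] [oam_server1] [WARNING] [] [oracle.oam.engine.authn] [tid: 11] [userId: <anonymous>] [ecid: 0000ABE,0] [APP: oam_server] User vishal not found in identity store OUD_Store
[2015-10-20T10:16:02.512+01:00] [oam_server1] [TRACE:16] [] [oracle.oam.engine.authn] [tid: 11] [userId: <anonymous>] [ecid: 0000ABE,0] [APP: oam_server] Entering validateUser
    at example.authn.Validator.validateUser(Validator.java:42)
"""

if __name__ == "__main__":
    recs = read_odl(SAMPLE_LOG)
    print("records:", len(recs))
    print("levels outside default:", [r["level"] for r in unexpected_levels(recs)])
    for user in ("ahunter", "vishal"):
        for r in events_for_user(recs, user):
            print(user, "->", r["level"], r["message"].splitlines()[0])
    print("failures:", failure_counts(recs))
```

Run it against the real file with `read_odl(open(path).read())`; a TRACE record in the output means a logger below NOTIFICATION:1 is active and the default configuration is no longer in effect.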
Practices for Lesson 9: Troubleshooting and Management
Chapter 9
Practices for Lesson 9: Overview
Practices Overview
In these practices, you use Access Tester to test the connection between all the OAM 11g
WebGate agents and the Oracle Access Manager 11g server. You perform the “Is the resource
protected?” test for various resources protected by the OAM 11g WebGate agent. You also
observe the authentication scheme used to protect a particular resource. You eventually use the
credentials to test authentication and authorization to access the resource.
Practice 9-1: Working with Access Tester
Overview
In this practice, you use Access Tester to simulate an agent communicating with the OAM
server to test policies.
You can also use the Access Tester GUI console to build dummy test cases and then generate
and run the script. You explore all the XML files generated during this process.
Task [Perform these tasks on the OAM machine]
1. Invoke Access Tester and verify access to the Example Bakery application.
a. In the command-line window, on the OAM machine, navigate to $ORACLE_HOME/oam/server/tester and enter the following to launch Access Tester:
$> cd $ORACLE_HOME/oam/server/tester
$> java -Dlog.traceconnfile=traceconnfile.txt -jar oamtest.jar
b. In the Oracle Access Manager Test Tool window, in the Server Connection section, enter the following, and click Connect:
Field                 Choices or Values
Primary IP Address    oam.example.com
Port                  5575
Agent ID              webgate_7777 (agent ID is case sensitive)
c. Read the messages in the Status section of the window. Also notice the green check mark next to the Connect button (to verify that the connection is successful). Notice that after the connection is successful, you cannot change the connection details. You have to restart Access Tester to specify a different connection.
d. In the Protected Resource URI section, enter the following, and click Validate:
Field        Choices or Values
Host         db.example.com
Port         7777
Resource     /example
e. Read the messages in the Status section of the window. Notice the authentication scheme and the redirect URL (this is a protected resource) that are specified. Because the resource is protected via an anonymous scheme, you cannot enter a username and password.
f. Change the Resource field value to /example/internal/employeeHome.html. Click Validate. Notice the authentication scheme and the redirect URL values in the bottom panel. In the User Identity section, enter jwalker as username and the password, and then click Authenticate:
Read the messages in the Status section of the window. Notice the user DN, session ID, and cookie values.
g. Click the Authorize button and observe the messages (request and responses) in the status window.
2. Capture the authentication and authorization test cases so that you can automate the tests later on.
a. In the Oracle Access Manager Test Tool, click Edit > Clear All in the toolbar at the top of the window.
b. In the Protected Resource URI section, enter the following, and click Validate:
Field        Choices or Values
Host         db.example.com
Port         7777
Resource     /mybank/testheaders.jsp
c. In the User Identity section, enter jwalker as the username and the appropriate password, and click Authenticate.
d. Select File > Save Configuration.
1) In the Selection field, enter /home/oracle/Desktop/EmployeeConfigHome.xml.
2) Change the Filter from All Files to *.xml.
3) Click OK.
e. Close the Oracle Access Manager Test Tool window.
3. Capture the application access test case and run the test cases.
a. Invoke the Oracle Access Manager Test Tool again.
$> cd $ORACLE_HOME/oam/server/tester
$> java -Dlog.traceconnfile=traceconnfile.txt -jar oamtest.jar
b. In the Oracle Access Manager Test Tool, select File > Open Configuration.
1) Enter /home/oracle/Desktop in the Selection field.
2) Change Filter to *.xml.
3) Select the EmployeeConfigHome.xml file and click OK.
c. Click Connect and then click Validate.
d. Select Test > Capture Last ‘validate’ request to initiate capturing the test case.
e. Click Authenticate.
f. Select Test > Capture Last ‘authenticate’ request to continue building the test case.
g. Click Authorize.
h. Select Test > Capture Last ‘authorize’ request to continue building the test case. Notice that the Capture Queue shows the test cases.
i. Select Test > Generate Script to finish building the test case.
1) Enter /home/oracle/Desktop/EmployeeHomeScript.xml in the Selection field.
2) Change Filter to *.xml.
3) Click OK.
In the Save Warning window, click Yes to clear the captured test case queue.
j. In the Status section, notice the message Generated Script ‘/home/oracle/Desktop/EmployeeHomeScript.xml’ with 3 cases.
k. Click the Clear Status Messages icon (bottom-right corner).
l. Select Test > Run Script to run the generated test cases. In the Selection field, type /home/oracle/Desktop and press Enter. Select EmployeeHomeScript.xml and press OK. Read the messages in the Status window, and note the name of the log file generated.
4. View the test run log file.
a. Close the Oracle Access Manager Test Tool.
b. In a terminal window, navigate to the $ORACLE_HOME/oam/server/tester directory.
c. Using more or gedit, explore the following files:
− oamtest_<number>_log.log (log file)
− oamtest_<number>_stats.xml (statistic log)
− oamtest_<number>_target.xml (target script)
Notes About Access Tester
• A long URL can be imported into the Resource panel by copying the resource from the browser’s URL field and then clicking the Import button.
• If you click the Authenticate button a few times and observe the session ID, it does not change. The tester reuses the same session if the credentials do not change. To change the session, you must change the credentials.
5. Invoke WLST and explore the OAM-specific commands.
a. On the OAM machine, from the command-line window, navigate to $ORACLE_HOME/common/bin. Type ./wlst.sh and press Enter.
b. Issue the connect() command to get into online mode (that is, connected to the admin server, AdminServer).
c. Enter weblogic for the username and the appropriate password. Press Enter to accept the default for the admin server URL.
d. Issue the following commands one after the other and observe the output:
Step   Commands
A.     help('oam'): Displays all the commands that are relevant to OAM
B.     displayWebgate11gAgent(agentName="webgate_7777")
C.     help('displayOAMMetrics')
D.     displayOAMMetrics()
E.     displayTopology()
F.     displayOAMServer(host="oam.example.com",port="14100")
G.     displayUserIdentityStore(name="UserIdentityStore1")
H.     displayWebgateAgent("IAMSuiteAgent")
I.     displayUserIdentityStore(name="OUD_Store")
e. Exit the WLST by using exit().
Practice 9-2: Working with Fusion Middleware Control
Overview
In this practice, you learn how to use FMW Control in an OAM environment.
Note: If you experience performance issues (especially in step 3), you may want to restart the
admin and managed servers.
Tasks [Perform these tasks on the OAM machine]
1.
Invoke FMW Control on the OAM machine.
a. Open the Chrome web browser and access: http://oam.example.com:7001/em.
b. Log in as the weblogic user.
Note: Both WLS Console and EM FMW Control are applications deployed on the admin
server and use WLS embedded LDAP by default for authentication.
You should see the oam_domain farm page (Farm_oam_domain).
c. Notice the various system components and applications:
1) Internal applications deployed on the admin or managed servers
2) WebLogic domain components: admin server (AdminServer) and managed
server (oam_server1)
3) OAM 11g server under the “Identity and Access” node
4) All the web tier components (various OHS instances registered with the domain
oam_domain)
2. From the left navigator pane, or by using links on the farm home page, navigate to the oam_server home page (Identity and Access > OAM > oam_server). Explore the Oracle Access Manager menu options, especially Control, Performance Summary, General Information, and WLS Admin Console.
3. Select the menu option Oracle Access Manager > System MBean Browser. In the left pane, collapse the nodes to view three categories of MBeans: Configuration, Runtime, and Application Defined.
a. Expand Application Defined MBeans > com.oracle.oam > Server:AdminServer >
Application:oam_admin > oam.wlst > OamWLST. In the right pane, notice all the OAM-specific WLST commands on the Operations tab. Click displayWebgate11gAgent. For
the value field, type webgate_7778 and click Invoke. Notice the Return Value at the
bottom.
b. Expand Runtime MBeans > Security > Domain:oam_domain >
myrealmOUDAuthenticator. Click the Operations tab in the right pane. Click
userExists. In the Value field, specify jwalker and click Invoke. Notice the return
value of true. Now enter weblogic in the Value field and click Invoke; notice the
false return value. The weblogic user exists in WLS-embedded LDAP and not in
OUD. You can verify this by clicking myrealmDefaultAuthenticator. Click the
Operations tab in the right pane. Click userExists. In the Value field, specify
weblogic and click Invoke. Notice the true return value.
Note: OUDAuthenticator uses the OUD user store while the DefaultAuthenticator uses
the WLS built-in user store.
4. Select the menu option Oracle Access Manager > Performance Summary. Notice the past 15 minutes of metrics. You can change the slider at the top right to see the performance metrics at a particular point in time. You can also set the time range for the performance metrics to be displayed by clicking the Enter Time icon next to the slider.
5. Click the Show Metric Palette button at the top right to select more graphs and tables showing various metrics on the Performance Summary page. Expand the OAM Client node on the Metric Palette page. Expand Agent_webgate_7777 and select all the check boxes below the node. Click the Hide Metric Palette button. You should now see the new performance metric charts and tables on the Performance Summary page.
6. Select the menu option Oracle Access Manager > General Information to see high-level information about the domain: Host, Oracle Home, Middleware Home, Domain Home, Version, and Target Name.
7. You can start and shut down oam_server by using the menu option Oracle Access Manager > Control. (Do not perform shutdown at this point.)
8. You can also explore the following options (from the left navigator pane or from the Farm home page):
a. WebLogic Domain > oam_domain > AdminServer and oam_server1
b. Web Tier > ohs7, ohs8, or ohs9 (any one of the OHS instances)
Practices for Lesson 10: Securing Communication Between WebGates and OAM Server
Chapter 10
Practices for Lesson 10: Overview
Practices Overview
In these practices, you enable simple SSL and SSL certificate–based communication mode
between an OAM 11g WebGate and the OAM 11g server.
When you installed and configured WebGate and the OAM server in Practice 3, you selected
Open mode for communication. The option to configure Simple as well as Cert mode exists at
the time you perform an installation or configuration.
In these practices, you assume that the mode of communication is set at the time of installation
and configured to Open, and now you want to configure Simple or Cert mode in the production
environment that is soon to go live.
Practice 10-1: Setting Communication Mode Between Server and
WebGates to “Simple”
Overview
OAM Security Modes: Secure communication on the NAP channel also requires that each
OAM server and each WebGate agent use the same security mode: Open, Simple, or Cert.
• Open: Unencrypted communication. In Open mode, there is no authentication or encryption between the WebGate and the OAM server. The WebGate does not ask for proof of the OAM server’s identity, and the OAM server accepts connections from all WebGates. Use Open mode if communication security is not an issue in your deployment.
• Simple: Encrypted communication through the Secure Sockets Layer (SSL) protocol with a public key certificate issued by Oracle. Use Simple mode if you have security concerns (such as not wanting to transmit passwords as plain text) but you do not manage your own certificate authority (CA). In this case, OAM 11g servers and WebGates use the same certificates, which are issued and signed by Oracle.
• Cert: Encrypted communication through SSL with a public key certificate issued by a trusted third-party certificate authority. Use Cert mode if you want different certificates on OAM 11g servers and WebGates and you have access to a trusted third-party CA. In this mode, you must encrypt the private key by using the DES algorithm. Oracle Access Manager components use X.509 digital certificates in the PEM format only. PEM refers to Privacy Enhanced Mail, which requires a passphrase. The PEM format is preferred for private keys, digital certificates, and trusted CAs. The preferred keystore format is the JKS (Java Keystore) format.
In cryptography, a public key is a value that is provided by a designated authority to be used as
an encryption key. The system for using public keys is called a public key infrastructure (PKI).
As part of a public key infrastructure, a certificate authority checks with a registration authority
(RA) to verify information provided by the requestor of a digital certificate. When the RA verifies
the requestor’s information, the CA can issue a certificate.
Private keys can be derived from a public key. Combining public and private keys is known as
asymmetric cryptography, which can be used to effectively encrypt messages and digital
signatures.
Depending on the public key infrastructure, the digital certificate establishes credentials for web-based transactions based on:
• Certificate owner’s name
• Certificate serial number
• Certificate expiration date
• A copy of the certificate holder’s public key, which is used to encrypt messages and digital signatures. The digital signature of the certificate-issuing authority is provided so that a recipient can verify that the certificate is real. Digital certificates can be stored in a registry from which authenticating users can look up the public keys of other users.
For Simple mode encryption, Oracle Access Manager ships a certificate authority with its own
private key, which is installed across all WebGates and OAM servers. For each public key, there
is a corresponding private key that Oracle Access Manager stores in the aaa_key.pem file.
The following files are used for Simple mode security:
• cacert.pem: The certificate request, signed by the Oracle-provided openSSL certificate authority
• password.xml: Contains the random global passphrase that was designated during installation, in obfuscated format. This is used to prevent other customers from using the same CA. Oracle Access Manager performs an additional password check during the initial handshake between the OAM agent and the OAM server.
• aaa_key.pem: Contains your private key (generated by openSSL)
• aaa_cert.pem: Signed certificates in the PEM format
The initial communication mode is chosen during OAM installation. The installer generates a
random global passphrase initially, which can be edited as required later.
When you register an OAM agent or a new OAM server, you can specify the mode. However,
changing the global passphrase requires that you reconfigure all agents to use Simple mode
and the new global passphrase.
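The Simple-mode artifacts listed above are generated per agent and then copied by hand to the WebGate host, so it is worth checking them before the copy. The following is an added example in Python, not part of the Oracle course material: it locates the PEM blocks in aaa_cert.pem and aaa_key.pem, reports whether the private key is encrypted and with which cipher (read from the RFC 1421 Proc-Type and DEK-Info headers), confirms password.xml is present, and flags a key file that other accounts on the host can read. The sample directory, file contents and base64 bodies are constructed placeholders.

```python
import os
import re
import stat
import tempfile

POSIX = os.name == "posix"
# Files the course lists for Simple mode and the PEM label each must carry
# (None: password.xml is an XML document, not PEM).
EXPECTED = {
    "aaa_cert.pem": "CERTIFICATE",
    "aaa_key.pem": "PRIVATE KEY",    # also matches "RSA PRIVATE KEY"
    "password.xml": None,
}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, headers, base64 body) for every PEM block in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, lines = m.group(1), m.group(2).strip().splitlines()
        headers = {}
        # An encrypted key carries RFC 1421 headers (Proc-Type, DEK-Info)
        # before a blank line; collect them so the cipher can be reported.
        while lines and ":" in lines[0]:
            key, value = lines.pop(0).split(":", 1)
            headers[key.strip()] = value.strip()
        blocks.append((label, headers, "".join(l.strip() for l in lines)))
    return blocks


def inspect_simple_mode_dir(path):
    """Check one agent output (or WebGate config) directory; return findings."""
    f = {"missing": [], "problems": [], "key_encrypted": None,
         "key_cipher": None, "cert_count": 0}
    for name, label in EXPECTED.items():
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            f["missing"].append(name)
            continue
        with open(full) as fh:
            text = fh.read()
        if label is None:
            if not text.lstrip().startswith("<"):
                f["problems"].append(name + ": not an XML document")
            continue
        blocks = [b for b in pem_blocks(text) if b[0].endswith(label)]
        if not blocks:
            f["problems"].append(name + ": no " + label + " block found")
            continue
        if label == "CERTIFICATE":
            f["cert_count"] = len(blocks)
            continue
        # Private key: record whether it is encrypted and with which cipher,
        # and flag a key that other accounts on the host could read.
        _, headers, body = blocks[0]
        f["key_encrypted"] = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        f["key_cipher"] = headers.get("DEK-Info", "").split(",")[0] or None
        if not body:
            f["problems"].append(name + ": empty key body")
        if POSIX and os.stat(full).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            f["problems"].append(name + ": readable by group/other")
    return f


# Constructed sample files: the base64 bodies are placeholders, not keys.
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
              "Proc-Type: 4,ENCRYPTED\n"
              "DEK-Info: DES-CBC,0123456789ABCDEF\n\n"
              "QUFBQUFBQUFBQUFBQUFBQQ==\n"
              "-----END RSA PRIVATE KEY-----\n")
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "QkJCQkJCQkJCQkJCQkJCQg==\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_PASSWORD_XML = "<?xml version='1.0'?><passwd>placeholder</passwd>\n"


def make_sample_dir(with_password_xml=True, key_mode=0o600):
    """Write the constructed sample into a fresh temp directory; return its path."""
    d = tempfile.mkdtemp(prefix="webgate_7778_")
    files = [("aaa_cert.pem", SAMPLE_CERT), ("aaa_key.pem", SAMPLE_KEY)]
    if with_password_xml:
        files.append(("password.xml", SAMPLE_PASSWORD_XML))
    for name, content in files:
        with open(os.path.join(d, name), "w") as fh:
            fh.write(content)
    os.chmod(os.path.join(d, "aaa_key.pem"), key_mode)
    return d


if __name__ == "__main__":
    print(inspect_simple_mode_dir(make_sample_dir()))               # clean
    print(inspect_simple_mode_dir(make_sample_dir(False, 0o644)))   # findings
```

Point `inspect_simple_mode_dir` at $DOMAIN_HOME/output/webgate_7778 on the OAM machine, or at the WebGate config directory after the copy; an empty `missing` and `problems` list is the expected result.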
Tasks
1. Set up the OAM server communication mode to Simple using OAM Console.
a. Log in to the OAM Console as oamadmin. In the Launch Pad of the Application
Security tab, click the icon in Agents tile.
b. Click Search. In the results, click the webgate_7778 link.
Notice that Security (mode of communication) is set to Open, as set up by default during the installation.
c. Access the Configuration tab. Click the icon in the Server Instances tile.
d. Click Search, and click oam_server1 in Search Results.
e. Change the mode from Open to Simple. Click Apply and then click Yes in the Confirm
Edit window.
f. On the DB machine, shut down all the OHS instances by using the Stop OHS desktop
icon. (Select to stop all OHS instances).
g. On the OAM Console, navigate to the Launch Pad of the Configuration tab. In the Settings tile, click View > Access Manager and view the Global Passphrase property that is set under Simple Mode Configuration.
Do not change this value in this practice. The installer generates a random global
passphrase initially, and this can be edited as required by you later. However, note that
changing the global passphrase requires reregistration of all existing agents running in
Simple mode.
2. Set up the communication mode for webgate_7778 to Simple.
a. On the OAM Console, as oamadmin, access the Application Security tab (on the top right) and access the webgate_7778 agent page.
b. Change Security from Open to Simple. Click Apply.
c. In a terminal window, navigate to the $DOMAIN_HOME/output directory and notice that the webgate_7778 subdirectory has been created. Observe that aaa_cert.pem, aaa_key.pem, and password.xml are created along with cwallet.sso and ObAccessClient.xml.
d. On the DB machine: In a terminal window, using scp, copy the files from the
$DOMAIN_HOME/output/webgate_7778 directory on the OAM machine to the
/u01/app/instances/ohs_7778/config/OHS/ohs8/webgate/config
directory on the database machine (replace the existing ObAccessClient.xml and
cwallet.sso).
$> cd /u01/app/instances/ohs_7778/config/OHS/ohs8/webgate/config
$> scp -r oam:/u01/app/user_projects/domains/oam_domain/output/webgate_7778/* .
e. On the DB machine: Move aaa_cert.pem and aaa_key.pem to the
/u01/app/instances/ohs_7778/config/OHS/ohs8/webgate/config/simple directory.
Note: The PEM files need to be copied under the simple directory of the config
directory. Use the following commands:
$> cd /u01/app/instances/ohs_7778/config/OHS/ohs8/webgate/config
$> mkdir -p simple
$> mv *.pem simple
f. In the OAM Console, navigate to the Launch Pad of the Application Security tab, and click
Application Domains in the Access Manager panel. Click Search > rreg_outofbound_app_domain >
Authentication Policies > Protected Resource Policy. Select LDAPScheme for the
Authentication Scheme. Click Apply.
3. Restart the OHS_7778 instance and verify the result of changing the communication mode.
a. On the database machine, start the OHS_7778 instance by using the Start OHS desktop
shortcut and selecting OHS-7778 to start.
b. In your browser window, clear all browser cookies, and access
http://db.example.com:7778. You should be redirected to the OAM SSO login page.
c. Log in as ahall and view the OHS Welcome page.
4. Reset the server and WebGate communication mode back to Open.
a. On the OAM machine, log in to the OAM console as oamadmin.
b. Navigate to the Configuration panel > Server Instances > Search > oam_server1.
Change the security mode to Open. Click Apply. In the Confirm Edit window, click Yes.
c. Stop the OAM managed server and OAM WLS admin server by using the desktop
shortcuts.
d. Start the OAM WLS admin server and OAM managed server by using the desktop
shortcuts.
e. Open a new browser (clear cookies and cache) and access the URL
http://db.example.com:7778.
f. Log in as ahall and the OHS Welcome page should be displayed.
g. Close the browser.
h. Validate that the login page for the OAM Console is now the SSO login page (instead
of the native login page) by accessing the OAM Console at
http://oam.example.com:7001/oamconsole in your browser.
Practice 10-2: Configuring Server Certificates
Overview
In this practice, you generate a local Certificate Authority (CA) that provisions certificates for the
OAM server and WebGates. If you do not have a service contract with a CA or an existing
internal CA, you can easily create one by using the OpenSSL open-source tool. Access
Manager components use X.509 digital certificates in PEM format only.
You also generate both the certificate request (server_req.pem) and the private key
(server_key.pem) for the OAM server. The certificate request will be submitted to the local
CA for issuing the certificate in the next practice.
Prerequisites
You should have completed all the practices including Practice 10-1: Setting Communication
Mode Between Server and WebGates to “Simple”.
Tasks [Perform these tasks on the OAM machine]
1. Create the root certificate and private key for the local certificate authority by using
openssl of the Linux operating system.
a. Create a /home/oracle/localCA directory, and the initial files for the local CA by
using the following commands:
$> cd
$> mkdir localCA
$> cd localCA
$> mkdir private newcerts
$> echo 01 > serial
$> touch index.txt
b. Change the OpenSSL configuration file so that the SSL files you create are located in
the localCA directory you created.
As root user, edit the /etc/pki/tls/openssl.cnf file and set the dir parameter to
/home/oracle/localCA. Then exit the root user session.
$> su
Password:
#> vi /etc/pki/tls/openssl.cnf
...
[ CA_default ]
dir = /home/oracle/localCA
...
#> exit
$>
c. Create the CA private key and CA root certificate that are used to sign certificate
requests:
$> cd ~/localCA
$> openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650
Use the following table to respond to the prompts from the openssl tool:
Window/Page Description              Choices or Values
Enter PEM pass phrase                welcome1
Verifying - Enter PEM pass phrase    welcome1
Country Name (2 letter code)         US
State or Province Name               California
Locality Name                        Belmont
Organization Name                    Example
Organizational Unit                  Practice
Common Name                          oam.example.com
Email Address                        admin@example.com
This uses the key pair in the file cakey.pem to create a root certificate named
cacert.pem that expires in 10 years.
You do not have to enter the physical host name in the Common Name field while
creating the root CA certificate.
In the localCA directory, you now have a root certificate, cacert.pem, and the
private key in private/cakey.pem.
2. Generate the certificate request (server_req.pem) and the private key
(server_key.pem) for the OAM server.
a. Use the openssl req command to create the private key and certificate request.
$> cd ~/localCA
$> openssl req -new -keyout server_key.pem -out server_req.pem -utf8 -nodes
Note: You must enter the OAM machine host name in the Common Name field value
(unlike the root CA certificate). Enter welcome1 for the challenge password.
Window/Page Description         Choices or Values
Country Name (2 letter code)    US
State or Province Name          California
Locality Name                   Belmont
Organization Name               Example
Organizational Unit             Practice
Common Name                     oam.example.com
Email Address                   admin@example.com
Challenge password              welcome1
b. Make sure you can see the two files, server_req.pem and server_key.pem, in the
localCA directory.
$> ls ~/localCA
... server_key.pem ... server_req.pem ...
3. Run the openssl command with the input parameters of the OAM server certificate
request to generate the OAM server certificate.
a. Use the openssl ca command to issue the new certificate for the OAM server.
$> cd ~/localCA
$> openssl ca -in server_req.pem -out server_cert.pem
Note: The command prompts you to enter the passphrase welcome1 for cakey.pem.
Also enter y in response to the other two questions.
Notice server_cert.pem (OAM server certificate) in the ~/localCA directory.
4. Encrypt the OAM server private key by using the passphrase welcome1.
a. Using openssl, encrypt the OAM server private key. Ensure that the time stamp of the
file has been updated, since you replace the file with the openssl command:
$> cd ~/localCA
$> ls -l server_key.pem
$> openssl rsa -in server_key.pem -passin pass: -out server_key.pem -passout pass:welcome1 -des
$> ls -l server_key.pem
5. Obtain the password for the OAM keystore using FMW Control.
a. Invoke the Chrome browser, and log in to FMW Control [EM bookmark] as the weblogic
user.
b. Navigate to Farm_oam_domain > WebLogic Domain > oam_domain.
c. Click the WebLogic Domain menu [top left in the right panel] > System MBean Browser.
d. In System MBean Browser, navigate to Application Defined MBeans > com.oracle.jps >
Domain: oam_domain > JpsCredentialStore and click the JpsCredentialStore in the
JpsCredentialStore container.
e. In the right portion, click the Operations tab to view the operations defined on the
JpsCredentialStore MBean. Click getPortableCredential.
f. Enter OAM_Store as parameter p1, and jks as parameter p2. Then click Invoke.
g. The Return Value table contains a password field. Copy the password value and paste it
into a temporary text file, so that you can use it later.
6. Import the private key, CA certificate, and OAM server certificate into the keystore.
a. In the terminal window, import a trusted certificate chain into the keystore by using
keytool. When prompted to trust this certificate, enter yes.
$> keytool -importcert -file ~/localCA/cacert.pem -trustcacerts -storepass <Password_from_MBean Browser> -keystore $DOMAIN_HOME/config/fmwconfig/.oamkeystore -storetype JCEKS
Use the keystore password that you obtained in step 5 in place of
<Password_from_MBean Browser>.
b. Convert the OAM server private key from PEM format to DER format by using
openssl.
$> cd ~/localCA
$> openssl pkcs8 -topk8 -nocrypt -in server_key.pem -inform PEM -out server_key.der -outform DER
When prompted to enter the passphrase for server_key.pem, enter welcome1.
c. Similarly, convert the OAM server certificate (server_cert.pem) from PEM to DER
format.
$> openssl x509 -in server_cert.pem -inform PEM -out server_cert.der -outform DER
d. Run the importcert tool to import a private key (server_key.der) and CA-signed
certificate (server_cert.der) into the keystore.
In a terminal window, navigate to $ORACLE_HOME/oam/server/tools/importcert and run the
importcert utility:
$> cd $ORACLE_HOME/oam/server/tools/importcert
$> unzip importcert.zip
$> java -cp importcert.jar oracle.security.am.common.tools.importcerts.CertificateImport -keystore $DOMAIN_HOME/config/fmwconfig/.oamkeystore -privatekeyfile ~/localCA/server_key.der -signedcertfile ~/localCA/server_cert.der -alias myoamcert
Note: The command prompts you to enter the Keystore password, which is the
password_from_MBean browser, and the Alias password: welcome1.
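The openssl part of this practice (steps 1 to 4 and 6b/6c) strung together as one non-interactive script, added here as an example and not taken from the Oracle guide. It assumes openssl is on PATH, writes a scratch CA_DIR with its own openssl.cnf instead of editing /etc/pki/tls/openssl.cnf as root, gives the root a CN distinct from the server's (as the step 1c note permits), and substitutes -des3 for the guide's -des; verify_chain then checks the issued certificate against the CA and the DER key, a check the guide has no step for.

```shell
# Added example, not from the Oracle guide: Practice 10-2 steps 1 to 4 and 6b/6c,
# run non-interactively in a scratch directory so the result can be checked. It
# assumes openssl on PATH; CA_DIR and the subject values are placeholders.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)/localCA}"
CA_PASS="welcome1"            # guide's pass phrase for private/cakey.pem (step 1c)
KEY_PASS="welcome1"           # guide's pass phrase for server_key.pem (step 4)
SERVER_CN="oam.example.com"   # must be the OAM host name (step 2a note)
setup_ca_dir() {   # step 1a layout plus a private openssl.cnf with dir set (step 1b)
  mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
  echo 01 > "$CA_DIR/serial"
  : > "$CA_DIR/index.txt"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_lab
[ policy_lab ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
build_oam_pki() {
  setup_ca_dir
  cd "$CA_DIR"
  # 1c: self-signed root; its CN need not be a host name, but it must assert CA:TRUE.
  openssl req -x509 -batch -newkey rsa:2048 -days 3650 -config openssl.cnf \
    -keyout private/cakey.pem -out cacert.pem -passout "pass:$CA_PASS" \
    -subj "/O=Example/CN=Example Local CA"
  # 2a: unencrypted (-nodes) server key and a CSR carrying the OAM host name.
  openssl req -new -batch -newkey rsa:2048 -nodes -utf8 -config openssl.cnf \
    -keyout server_key.pem -out server_req.pem -subj "/O=Example/CN=$SERVER_CN"
  # 3a: the CA signs the request; -batch answers the two y/n prompts.
  openssl ca -batch -config openssl.cnf -days 365 -passin "pass:$CA_PASS" \
    -in server_req.pem -out server_cert.pem
  # 4a: encrypt the key; -des3 replaces the guide's -des (single DES is legacy-only in OpenSSL 3).
  openssl rsa -in server_key.pem -out server_key.tmp -des3 -passout "pass:$KEY_PASS"
  mv server_key.tmp server_key.pem
  # 6b/6c: DER forms for the importcert tool (the key is decrypted with KEY_PASS).
  openssl pkcs8 -topk8 -nocrypt -in server_key.pem -passin "pass:$KEY_PASS" \
    -out server_key.der -outform DER
  openssl x509 -in server_cert.pem -out server_cert.der -outform DER
}
verify_chain() {   # issued cert validates against the CA and matches the DER key
  cd "$CA_DIR"
  openssl verify -CAfile cacert.pem server_cert.pem >/dev/null || return 1
  openssl x509 -in server_cert.pem -noout -subject | grep -q "CN *= *$SERVER_CN" || return 1
  [ "$(openssl x509 -in server_cert.pem -noout -pubkey)" = \
    "$(openssl pkey -inform DER -in server_key.der -pubout)" ]
}
build_oam_pki
```

Run it with CA_DIR set to a directory of your choice, then call verify_chain; the files it leaves behind carry the same names the guide's later steps expect.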
7. Update the PEM keystore alias and password by using the OAM Console.
a. Launch the OAM Console as oamadmin user, and navigate to the Configuration tab >
Settings [View] > Access Manager.
b. Specify the PEM keystore alias as myoamcert (specified in the previous practice) and
the PEM keystore alias password as welcome1 (specified in the previous practice).
c. Click Apply.
d. Navigate to the Configuration panel > Server Instances > Search > oam_server1.
e. Change the mode to Cert. Click Apply. In the Warning window, click OK. In the Confirm
Edit window, click Yes.
f. Stop and start the OAM Managed Server and the Administration Server.
Practice 10-3: Configuring WebGates with Cert Mode
Overview
In this practice, you configure the WebGates with the certificates you generated in the previous
practice by using the local certificate authority.
Note: aaa_key.pem and aaa_cert.pem (from aaa_req.pem) are reserved names that must
be used for a private key and WebGate certificate.
Tasks
1. On the oam machine, generate a certificate request for WebGates on db.example.com.
a. In a terminal window, change directory to ~/localCA and run the openssl command to
generate the certificate request. Use the following table to respond to the prompts:
Window/Page Description         Choices or Values
Country Name (2 letter code)    US
State or Province Name          California
Locality Name                   Belmont
Organization Name               Example
Organizational Unit             Practice
Common Name                     oam.example.com
Email Address                   admin@example.com
Challenge password              welcome1
$> cd ~/localCA
$> openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8 -nodes
2. Copy the Certificate Authority and the server certificates for WebGate usage.
a. On the OAM machine, navigate to the ~/localCA directory and copy the cacert.pem file
as aaa_chain.pem.
$> cd ~/localCA
$> cp cacert.pem aaa_chain.pem
b. Copy the server key and certificate files with the aaa names so that WebGate can use them.
$> cp server_cert.pem aaa_cert.pem
$> cp server_key.pem aaa_key.pem
3. Change the WebGate 11g definition to reflect Cert security mode, and specify the agent key
password as welcome1. [Perform this task on the DB machine.]
a. Invoke the web browser, and access the OAM console. Log in as the oamadmin user.
Note: You may see the native login page instead of the IAMSuiteAgent SSO login
page.
b. Navigate to Agents > Search. Click the webgate_7778 agent. Change the security
mode to Cert for the agent and specify the agent key password as welcome1. Click
Apply.
Note: The Agent Key Password field appears only when you select the Cert radio
button under Security. When you click Apply, the field disappears.
c. After you see the confirmation that WebGate is configured in Cert mode, click
Download, and save the zip file.
Note: The configuration files are saved to the /home/oracle/Downloads directory as
<webgate name>.zip.
d. Similarly, using steps b and c above, configure the Cert mode of communication for
the webgate_7777 and webgate_7779 agents.
e. Extract the WebGate configuration files to each webgate/config directory on the db
machine.
$> cd /u01/app/instances/ohs_7777/config/OHS/ohs7/webgate/config
$> unzip ~/Downloads/webgate_7777.zip
$> cd /u01/app/instances/ohs_7778/config/OHS/ohs8/webgate/config
$> unzip ~/Downloads/webgate_7778.zip
$> cd /u01/app/instances/ohs_7779/config/OHS/ohs9/webgate/config
$> unzip ~/Downloads/webgate_7779.zip
f. Copy the aaa_key.pem, aaa_cert.pem, and aaa_chain.pem files from
~/localCA on the OAM machine to the webgate/config directory of each WebGate.
$> cd /u01/app/instances/ohs_7777/config/OHS/ohs7/webgate/config
$> scp oam:/home/oracle/localCA/aaa*pem .
$> cd /u01/app/instances/ohs_7778/config/OHS/ohs8/webgate/config
$> scp oam:/home/oracle/localCA/aaa*pem .
$> cd /u01/app/instances/ohs_7779/config/OHS/ohs9/webgate/config
$> scp oam:/home/oracle/localCA/aaa*pem .
5. Verify that the Cert mode of communication is working between WebGate and the OAM
server.
a. Stop all the OHS instances, and then start the OHS instances using the desktop icon.
b. Start the MyBank application using the startMyBank.sh script in the ~/setupfiles
directory. [When prompted, enter weblogic as the username, and the password
provided to you].
c. Invoke the web browser and access http://db.example.com:7777/example.
Access the Employee link. Sign in as jwalker.
Because the Bakery website is protected by using WebGate 11g and is serving content
using the AuthN and AuthZ policies configured on the OAM server, you have verified
that the Cert mode of communication between WebGate 11g and the OAM 11g server
is working correctly.