Oracle Access Manager 11g: Administration Activity Guide
D63114GC10 Edition 1.0 July 2011 D71612
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle. The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Authors
Vishal Parashar, David Goldsmith

Technical Contributors and Reviewers
Amjad Afanah, Jeremy Banford, Abhijit Bhatode, Rama Bollu, Vikas Pooven Chathoth, Toby Close, Jui Deshpande, Steve Doinidis, Sunil Gupta, Beomsuk Kim, Ashish Kolli, Vadim Lander, Derick Leo, Mayank Maria, Madhu Martin, Vamsi Motukuru, Rey Ong, Vimal Patel, Peter Povinec, Deepak Ramakrishnan, Shankar Raman, Chitra Sabapathy, Narasimhaiah Sreehari, Ramya Subramanya, Ramana Turlapati, Venkat Venkatnarayan, Weifang Xie

This book was published using:
Oracle Tutor
Table of Contents

Practices for Lesson 1 ..... 1-1
Overview of Practices for Lesson 1 ..... 1-2
Practices for Lesson 2 ..... 2-1
Practices for Lesson 2 (Optional) ..... 2-2
Practice 2-1: Explore Salient New Features of OAM 11g ..... 2-3
Practices for Lesson 3 ..... 3-1
Practices for Lesson 3 ..... 3-2
Practice 3-1: Run Repository Creation Utility ..... 3-5
Practice 3-2: Install Oracle WebLogic Server 10.3.3 ..... 3-7
Practice 3-3: Install Oracle Identity Management 11g ..... 3-8
Practice 3-4: Create a New Domain and Configure the OAM Server ..... 3-9
Practice 3-5: Start the Administration and Managed Server ..... 3-14
Practice 3-6: Sanity Checks and Walkthrough of Management Interfaces ..... 3-16
Practices for Lesson 4 ..... 4-1
Practices for Lesson 4 ..... 4-2
Practice 4-1: Remove SSO Policies for EM and WLS Console ..... 4-3
Practice 4-2: Install and Configure OHS 11g Instances ..... 4-4
Practice 4-3: Install OAM 11g WebGate ..... 4-9
Practice 4-4: Create an OAM 11g WebGate Instance ..... 4-10
Practice 4-5: Configure OAM 11g WebGate ..... 4-11
Practice 4-6: Register OAM 11g WebGate with OAM 11g Server ..... 4-12
Practice 4-7: Restart OHS and Validate the Results ..... 4-15
Practice 4-8: View the Agent Details by Using OAM Admin Console ..... 4-16
Practice 4-9: Register OAM 10g WebGate by Using OAM Admin Console ..... 4-17
Practice 4-10: Install OAM 10g WebGate ..... 4-18
Practice 4-11: Restart OHS and Validate the Results ..... 4-20
Practice 4-12: Register OSSO10g Agent (mod_osso) with OAM 11g Server ..... 4-21
Practice 4-13: Restart OHS and Validate the Results ..... 4-27
Practice 4-14: View the Agent Details by Using OAM Admin Console ..... 4-28
Practice 4-15: Explore WLS Embedded LDAP Directory and Default OAM User Identity Store ..... 4-29
Practice 4-16: Create a New User in WLS Embedded LDAP as OAM Admin and WLS Admin User ..... 4-31
Practice 4-17: Configure OID as the New Identity Store for OAM ..... 4-32
Practice 4-18: Verify the Need to Configure OID Authenticator ..... 4-34
Practice 4-19: Create OID Authenticator ..... 4-35
Practice 4-20: Verify the Use of OID as the User Store for OAM Authentication ..... 4-36
Practice 4-21: Working with WLS Agent ..... 4-37
Practice 4-22: Mode of Communication: WebGate and OAM 11g Server - Setting Server Mode to Simple ..... 4-39
Practice 4-23: Mode of Communication: WebGate and OAM 11g Server - Setting OAM 11g WebGate Mode to Simple ..... 4-41
Practice 4-24: Restart the OHS Instance and Verify the Results ..... 4-42
Practice 4-25: Change Server Mode to Open and Test WebGate Communication ..... 4-43
Practices for Lesson 5 ..... 5-1
Practices for Lesson 5 ..... 5-2
Practice 5-1: Deploy the My Bank Application ..... 5-4
Practice 5-2: Configure Single Sign-On for mybank Application ..... 5-6
Practice 5-3: Managing Resources ..... 5-7
Practice 5-4: Managing Authentication Policies ..... 5-8
Practice 5-5: Managing Authorization Policies ..... 5-9
Practice 5-6: Managing Authentication and Authorization Responses: Headers and Cookies ..... 5-10
Practice 5-7: Managing Authentication and Authorization Responses: Session Variables ..... 5-12
Practice 5-8: Managing Constraints ..... 5-14
Practice 5-9: Deploy Bakery Application ..... 5-16
Practice 5-10: Unprotect Bakery Application ..... 5-17
Practice 5-11: Protect Employee Home Page Within Bakery Application ..... 5-19
Practice 5-12: Protect Department Sites with Authorization Rules ..... 5-22
Practice 5-13: Demo CGI Scripts to View Responses in Application ..... 5-31
Practice 5-14: Workaround/Patch for HA Lab ..... 5-37
Practices for Lesson 6 ..... 6-1
Practices for Lesson 6 ..... 6-2
Practice 6-1: Customizing the Login Page ..... 6-3
Practice 6-2: Deploying and Protecting the Example Bakery Web Site on the Two Other OHS Instances ..... 6-8
Practice 6-3: Reviewing Web Site Protection in Your Deployment ..... 6-14
Practice 6-4: Demonstrating Single Sign-On ..... 6-15
Practice 6-5: Examining Browser Cookies During Single Sign-On and Single Logout ..... 6-16
Practice 6-6: Using the Session Management Utility ..... 6-20
Practice 6-7: Examining a Multi-Browser Scenario ..... 6-22
Practice 6-8: Constraining the Number of User Sessions ..... 6-24
Practices for Lesson 7 ..... 7-1
Practices for Lesson 7 ..... 7-2
Practice 7-1: Deploying the Sample Application ..... 7-3
Practice 7-2: Reviewing HTTP Basic Authentication in the Sample Application ..... 7-5
Practice 7-3: Preparing the Sample Application for Authentication by Oracle Access Manager ..... 7-7
Practice 7-4: Configuring the OHS Instance Protected by the 11g WebGate to Access the Sample Application ..... 7-9
Practice 7-5: Configuring WebLogic Server to Use the Oracle Access Manager Identity Assertion Provider ..... 7-11
Practice 7-6: Resetting Your Lab System ..... 7-14
Practices for Lesson 8 ..... 8-1
Practices for Lesson 8 ..... 8-2
Practice 8-1: Changing the Audit Filter Preset ..... 8-3
Practice 8-2: Configuring the Oracle Access Manager Server to Write Audit Log Records to an Oracle Database ..... 8-5
Practice 8-3: Configuring Oracle Business Intelligence Publisher for Oracle Fusion Middleware and Oracle Access Manager Reports ..... 8-12
Practice 8-4: Examining the Default Logging Configuration ..... 8-15
Practice 8-5: Reviewing Log Messages in FMW Control ..... 8-18
Practice 8-6: Increasing the Log Level ..... 8-20
Practice 8-7: Resetting the Log Level Back to the Default Level ..... 8-22
Practices for Lesson 9 ..... 9-1
Practices for Lesson 9 ..... 9-2
Practice 9-1: Verify OSSO 10g Server and Configure New OHS Instance ..... 9-8
Practice 9-2: Configure OSSO 10g to Work with Load Balancer ..... 9-10
Practice 9-3: Register Partner OHS with OSSO 10g ..... 9-12
Practice 9-4: Restart OHS Partner Instance and Verify SSO to Partner Application ..... 9-15
Practice 9-5: Run the Upgrade Assistant ..... 9-16
Practice 9-6: View the Migrated Content and Configure User Identity Store in OAM Admin Console ..... 9-18
Practice 9-7: Coexistence Verification ..... 9-19
Practice 9-8: Replace mod_osso with OAM 11g WebGate Agent ..... 9-21
Practices for Lesson 10 ..... 10-1
Practices for Lesson 10 ..... 10-2
Practice 10-1: Working with Access Tester ..... 10-3
Practice 10-2: Using OAM-Specific WLST Commands ..... 10-6
Practice 10-3: Working with Oracle Enterprise Manager Fusion Middleware Control ..... 10-7
Practices for Lesson 11 ..... 11-1
Practices for Lesson 11 (Optional) ..... 11-2
Practice 11-1: Prepare the Environment: Configure the Linux Box Before the Migration ..... 11-3
Practice 11-2: Perform Horizontal Migration ..... 11-11
Practice 11-3: Perform Post-Migration Task ..... 11-14
Practice 11-4: Verify a Successful Horizontal Migration ..... 11-17
Practice 11-5: Prepare the Environment for HA Lab ..... 11-18
Practices for Lesson 12 ..... 12-1
Practices for Lesson 12 ..... 12-2
Practice 12-1: Creating a WebLogic Server Cluster ..... 12-3
Practice 12-2: Adding the WebLogic Managed Server Instance and Targeting Oracle Access Manager Applications and Data Sources to the Cluster ..... 12-4
Practice 12-3: Creating a Second WebLogic Managed Server Instance Running Oracle Access Manager Server ..... 12-7
Practice 12-4: Adding the Second Instance to the Oracle Access Manager Configuration ..... 12-8
Practice 12-5: Changing the Request Cache Type and Restarting the Oracle Access Manager Servers ..... 12-10
Practice 12-6: Creating a New OHS Instance That Will Load-Balance Oracle Access Manager Server Instances ..... 12-12
Practice 12-7: Configuring the New OHS Instance as a Load Balancer ..... 12-14
Practice 12-8: Configuring the Load Balancer Port Number in the Oracle Access Manager Configuration ..... 12-15
Practice 12-9: Modifying the Definition for the Oracle Access Manager 11g WebGate and Reconfiguring the WebGate ..... 12-16
Practice 12-10: Testing the High Availability Deployment ..... 12-19
Practices for Lesson 4 (Advanced) ..... 13-1
Practices for Lesson 4 (Advanced) (Optional) ..... 13-2
Practice 4-1: Generate the Certificate Request and Private Key for OAM Server ..... 13-3
Practice 4-2: Obtain OAM Server Certificate and CA Certificate from MS Certificate Service ..... 13-4
Practice 4-3: Encrypt the OAM Server Private Key by Using a Password ..... 13-6
Practice 4-4: Retrieve the OAM Keystore Password ..... 13-7
Practice 4-5: Import Private Key, CA Certificate and OAM Server Certificate into Keystore ..... 13-8
Practice 4-6: Change OAM Server Common Properties and Server Instance Property ..... 13-11
Practice 4-7: Generate the Certificate Request and Private Key for WebGate ..... 13-13
Practice 4-8: Obtain WebGate Certificate and CA Certificate from MS Certificate Service ..... 13-14
Practice 4-9: Encrypt the WebGate Private Key by Using a Password ..... 13-16
Practice 4-10: Modify WebGate 11g Definition by Using OAM Admin Console ..... 13-17
Practice 4-11: Restart OHS and OAM 11g Server ..... 13-18
Practice 4-12: Verify Cert Mode of Communication Between WebGate 11g and OAM 11g Server ..... 13-19
Practices for Lesson 1
Chapter 1

Overview of Practices for Lesson 1

Practices for Lesson 1
There are no practices for this lesson.
Practices for Lesson 2
Chapter 2

Practices for Lesson 2 (Optional)

Practices Overview
In these practices, you play a Viewlet to explore some of the key new features of OAM 11g.

Practice 2-1: Explore Salient New Features of OAM 11g

Overview
In this practice, you explore the following new features of OAM 11g:
a) mod_osso Agent Registration with OAM 11g Server (Covered in Lesson 4) – Start time in Viewlet 0:00
b) WebGate 11g Registration with OAM 11g Server (Covered in Lesson 4) – Start time in Viewlet 3:26
c) AuthZ Constraints Example – Identity Constraint (Covered in Lesson 5) – Start time in Viewlet 6:42
d) AuthN Schemes – Step Up AuthN (Covered in Lesson 4) – Start time in Viewlet 8:49
e) Session Management – Search and Terminate Sessions (Covered in Lesson 6) – Start time in Viewlet 9:51
f) Agent and Server Monitoring (Covered in Lesson 10) – Start time in Viewlet 10:29

Assumptions
N/A

Task
Note: You can either play these clips at this point, or you can play them before starting the practices for the respective lessons where the concepts are covered.
1. Navigate to d:\labs\lesson02. Double-click OAM11gR1_NewFeatures_Viewlet.htm to play the Viewlet.
Practices for Lesson 3
Chapter 3

Practices for Lesson 3

Practices Overview
The following diagram is a topology representation of all the components you will work with in the lab exercises. Take a moment to review it. It is recommended that you revisit this diagram during the course of the lab development to get a better perspective on how this topology is developed in each lab.

In these practices, you install and configure OAM 11g (and all the supporting products that have to be installed as prerequisites). You perform post-install and post-configuration checks. You also learn how to start and stop the servers and, finally, take a walkthrough of the various consoles (OAM admin console, FMW Control, WLS admin console).

Important Note for all the Practices: At the end of each day, stop the managed server, admin server and node manager. At the start of each day, start the node manager, admin server and managed server.
Practice 3-1: Run Repository Creation Utility

Overview
In this practice, you run RCU against an Oracle DB (11.2.0.1) to seed an OAM product schema.

Assumptions
Make sure you are running the commands as the oracle user. To ascertain this, enter whoami in the terminal window. For this practice, you work on your Linux machine, which has a pre-installed and configured Oracle Database.

Tasks
1. From the terminal window, navigate to the /modules/stage/rcu/bin directory and run rcu.
cd /modules/stage/rcu/bin
./rcu
2. Use the table as a guide to populate the fields:

Step | Window/Page Description | Choices or Values
a. | Welcome | Next
b. | Create Repository | Create
c. | Database Connection Details | Database Type: Oracle Database; Hostname: .us.oracle.com; Port: 1521; Service Name: orcl.us.oracle.com; Username: sys; Password: Welcome1; Role: SYSDBA
d. | Checking Global Prerequisites | OK
e. | Select Components | Create a new Prefix: DEV; Component: Identity Management - Oracle Access Manager (Note: Audit services will be automatically selected)
f. | Checking Component Prerequisites | OK
g. | Schema Passwords | Use the same passwords for all schemas. Password: Welcome1; Confirm Password: Welcome1
h. | Map Tablespaces | Next
i. | Repository Creation Utility pop-up window | OK
j. | Creating Tablespaces | OK
k. | Summary | Create
l. | Completion Summary | Close
Practice 3-2: Install Oracle WebLogic Server 10.3.3

Overview
In this practice, you create an Oracle WebLogic Server home directory under the Oracle Middleware home directory by installing Oracle WebLogic Server 10.3.3.

Tasks
Switch to the Windows machine for this lab. (Note: From here on, unless explicitly stated, all the practices should, by default, be completed on the Windows machine.)
1. Open a command prompt and navigate to the D:\Program Files\Java\jdk1.6.0_17\bin directory. The path contains a space, so it must be quoted:
cd "D:\Program Files\Java\jdk1.6.0_17\bin"
2. Enter the following command to launch the WLS installer (the option is -jar with an ordinary hyphen):
java -jar d:\stage\wls_1033\wls1033_generic.jar
3. Use the table as a guide to populate the fields:

Step | Window/Page Description | Choices or Values
a. | Welcome | Next
b. | Choose Middleware Home Directory | Create a new Middleware home: d:\middleware. Note: Click Yes on the warning box stating that "D:\middleware is not empty" and asking whether you want to proceed (in your case, the middleware directory contains BI Publisher pre-installed).
c. | Register for Security Updates | Deselect "I wish to receive security updates via My Oracle Support"
d. | Are You Sure? | Yes
e. | Choose Install Type | Typical
f. | JDK Selection | Select under Local JDK: Sun SDK 1.6.0_17
g. | Choose Product Installation Directories | WebLogic Server: d:\middleware\wls_home; Oracle Coherence: d:\middleware\coherence_home
h. | Choose Shortcut Location | "All Users" start menu folder
i. | Installation Summary | Next
j. | Installation Complete | Deselect Run Quickstart; Done
Practice 3-3: Install Oracle Identity Management 11g

Overview
In this practice, you create an Oracle home for Oracle Identity Management 11g (11.1.1.3.0). This stages all the binaries for Oracle Identity Management 11g within the Oracle home.

Assumptions
Make sure Oracle WebLogic Server is installed before you start this practice.

Tasks
1. Double-click setup.exe in the d:\stage\iamsuite\disk1 directory.
2. Use the following table as a guide to populate the fields:

Step | Window/Page Description | Choices or Values
a. | Oracle Universal Installer: Command Line Window | Please specify the JRE/JDK location: D:\Program Files\Java\JDK1.6.0_17
b. | Welcome | Next
c. | Prerequisite Checks | Next
d. | Specify Installation Location | Oracle Middleware Home: D:\middleware; Oracle Home Directory: idm_home
e. | Installation Summary | Install
f. | Installation Progress | Next
g. | Installation Complete | Finish
h. | Windows "After Installation" Screen | Next
i. | Finish Admin Install | Finish
Practice 3-4: Create a New Domain and Configure the OAM Server Overview In this practice, you run the Configuration Wizard to create a new WLS domain and configure the OAM server as part of the domain. Assumptions The previous three practices must be completed to successfully complete this practice. Tasks 1. Double-click config.cmd from the d:\middleware\oracle_common\common\bin directory. 2. Use the table as a guide to populate the fields: Step
Window/Page Description
Choices or Values
a.
Welcome
Create a new WebLogic domain
b.
Select Domain Source
Generate a domain configured automatically to support the following products: Oracle Access Manager with Database Policy Store Oracle Enterprise Manager Note: Oracle JRF – 11.1.1.0 [oracle_common] (Java Required Files) will automatically be selected. •
•
Note: Basic WebLogic Server domain is automatically
selected and disabled. c.
Specify Domain Name and Location
Domain name: oam_domain Domain location: D:\middleware\user_projects\domains Application location: D:\middleware\user_projects\applications
d.
Configure Administrator Username and Password
Name: weblogic Password: Welcome1 Confirm user password: Welcome1
e.
Configure Server Start Mode And JDK
Production Mode Available JDKs: Sun SDK 1.6.0_17
f.
Configure JDBC Component Schema
Select OAM Infrastructure Schema Password: Welcome1 DBMS/Service: orcl.us.oracle.com Hostname: .us.oracle.com Port: 1521 Note: Hostname is of the Linux DB machine.
g.
Test Component Schema
Next
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Practices for Lesson 3 Chapter 3 - Page 9
Step
Window/Page Description
Choices or Values
h.
Select Optional Configuration
Select Administration Server Select Managed Servers, Clusters and Machines
i.
Configure the Administration Server
Next
j.
Configure Managed Servers
Next
k.
Configure Clusters
Next
l.
Configure Machines
Click Add Name: Windows_Machine
m.
Assign Servers to Machines
Click on Right Arrow right
n.
Configuration Summary
Create
o.
Creating Domain
Done
to select both servers to the
3.
Now you apply BP01 (Bundled PatchSet 1) – 11.1.1.3.1. This step is required to fix base bug 10094106. Open a command line window and set the ORACLE_HOME environment variable to d:\middleware\idm_home, and set the PATH environment variable to include d:\middleware\idm_home\bin and d:\middleware\idm_home\OPatch directories. Now execute the OPatch command and retrieve the OPatch version number. The OPatch version number should be 11.1.0.8.0 or higher to successfully apply this patch (as detailed in Readme.txt file for the BP01 patch).
4. Verify the OUI (Oracle Universal Installer) inventory. OPatch needs access to a valid OUI inventory to apply patches. Validate the OUI inventory with the following command: opatch lsinventory
Notice that there is one product installed in d:\middleware\idm_home (Oracle Home), which is the 11.1.1.3.0 Oracle IDM Suite.
5. Create a location for storing the unzipped patch. This location is sometimes referred to as PATCH_TOP. Unzip the patch zip file (d:\stage\p10094106_111130_Generic.zip) under d:\stage\bp01. Hence bp01 under the d:\stage directory is our PATCH_TOP.
6. On the command line window, navigate to the d:\stage\bp01\10094106 directory. Apply the patch by using the following command: opatch apply
Answer y when prompted: Is the local system ready for patching? [y|n] y
7. Once the patch has been successfully applied, you can query the inventory to see the bugs fixed as part of this patch: opatch lsinventory
Note: ORACLE_HOME and PATH must be set in the MS-DOS window where you execute the above command, or you have to navigate to the d:\middleware\idm_home\OPatch directory to issue this command.
Practice 3-5: Start the Administration and Managed Server
Overview
In this practice, you learn how to start the administration and managed servers by using the WLS admin console.
Assumptions
Practice 3-4 must be successfully completed before you start this practice.
Tasks
Following are the steps to start the admin and managed servers by using the WLS admin console:
1. Double-click the setNMProps.cmd file located in D:\middleware\oracle_common\common\bin.
2. Start the node manager by double-clicking startNodeManager.cmd located in d:\middleware\wls_home\server\bin.
Note: Minimize the MS-DOS window where the node manager is started and running.
3. Start the admin server by double-clicking startWebLogic.cmd located in the d:\middleware\user_projects\domains\oam_domain directory. When prompted for username and password, enter weblogic and Welcome1.
Note: Wait till you see the “Server started in RUNNING mode” message on the command line window to ensure that the admin server has been started.
Note: This is the first time you are starting the admin server; hence it may take an unusually long time to start up (15 to 20 minutes in some cases). Please do not kill the startup process; this can cause your domain to become non-functional, with fatal consequences (requiring a re-run of RCU with a different prefix name, followed by deleting and recreating the oam_domain).
4. Start the Firefox browser by double-clicking the Firefox browser icon on your desktop (or by using the Start > Programs menu option). Enter the URL for the WLS admin console: http://.us.oracle.com:7001/console
Note: 7001 is the admin server port.
5. Log in by using the weblogic and Welcome1 credentials.
6. On the left navigator, under Domain Structure, expand the Environment node and click the Servers node. On the right pane, click the Control tab, select the check box next to oam_server1 and click Start. Click Yes on the Server Life Cycle Assistant page.
Note (do not perform this step now): You can stop admin and managed servers in a similar way by selecting the check box next to the server names and clicking Shutdown > Force Shutdown Now.
Note: You cannot start the admin server by using the WLS admin console; it has to be done via the command line.
7. As part of the last step of applying the BP01 patch, you may need to delete the following directory content: D:\middleware\user_projects\domains\oam_domain\servers\oam_server1\tmp\_WL_user\oam_server\xrd2uw\jsp_servlet\_pages\*
That is, remove all the class files under the _pages directory.
Note: In your lab environment you may not see the jsp_servlet\_pages\* directory. Hence, ignore this step.
8. Restart the admin and managed servers.
Alternative ways to start and stop admin and managed servers:
To start and stop the admin and managed servers by using command-line options, you can use the following:
Start admin server: Double-click d:\middleware\user_projects\domains\oam_domain\startWebLogic.cmd
Start managed server: From the command prompt, navigate to d:\middleware\user_projects\domains\oam_domain\bin. Run the following command: startManagedWebLogic.cmd oam_server1
You will be challenged for username and password (use weblogic and Welcome1) in both cases. Watch out for the “RUNNING” message on the window, which indicates the servers are up and running.
To stop the admin and managed servers, type Ctrl + C on the MS-DOS command line windows from where they are running.
You can also use the Windows menu option Start > Programs > Oracle WebLogic > User Projects > oam_domain > Start Admin Server for Weblogic Domain and Stop Admin Server to start and stop the admin server. You can use the Windows menu option Start > Programs > Oracle WebLogic > WebLogic Server 11gR1 > Tools > Node Manager to start the node manager.
Practice 3-6: Sanity Checks and Walkthrough of Management Interfaces
Overview
In this practice, you log in to the WLS admin console, OAM admin console, and EM FMW Control and take a brief walkthrough of the management interfaces. You also validate the OAM application deployed on the oam_server1 managed server and the EM application deployed on the admin server.
Assumptions
Make sure the admin and managed servers are up and running before you start the practice.
Tasks
1. Launch Firefox and enter the URL for the WLS admin console: http://.us.oracle.com:7001/console. (Add this page to the Bookmark Toolbar.) Important: Only add http://.us.oracle.com:7001/console to the bookmark; remove the rest of the string. Log in by using weblogic and Welcome1 as username and password.
2. To check the status of the admin and managed servers, navigate by using the left pane to Domain Structure > oam_domain > Environment > Servers. You should be able to see the state of both servers as RUNNING.
3. To check the status of EM FMW Control (the application deployed on the admin server), click AdminServer (admin) and then click the Deployments tab. Notice that the state of the em application is Active. Click the em application, which shows you more detailed Properties pages.
4. To check the status of the OAM admin console application (deployed on the admin server), click the AdminServer hyperlink (by using the locator link at the top of the page) and then click the Deployments tab. Notice that the state of oam_admin (11.1.1.3.0) is Active. Click the oam_admin (11.1.1.3.0) application, which shows you more detailed Properties pages.
5. To check the status of the OAM server (deployed on the oam_server1 managed server), navigate by using the left pane to the Servers home page (click the Servers node). Click the oam_server1 managed server. Click the Deployments tab. Notice that the state of the oam_server application is Active. Click the oam_server application, which shows you more detailed Properties pages.
6. If you want to start or stop individual applications (such as EM FMW Control or the OAM admin console), you can do so by navigating to the Domain Structure > oam_domain > Deployments page. From here, you can individually select the application you want to start or stop by using the check boxes next to them and then clicking the Start or Stop button.
Note: Do not start/stop any application at this point.
7. To check the default users and groups in the WLS embedded LDAP server, navigate to Domain Structure > oam_domain > Security Realms by using the left pane. Notice the default security realm, myrealm. Click myrealm and then click the Users and Groups tab. Notice the weblogic user, which is the default WLS administrator. Click the weblogic user and then click the Groups tab. Notice that the user weblogic is a member of the Administrators group.
8. Enter the URL for the OAM admin console: http://.us.oracle.com:7001/oamconsole. (Add this page to the Bookmark Toolbar.) Important: Only add http://.us.oracle.com:7001/oamconsole to the bookmark; remove the rest of the string. Log in by using weblogic and Welcome1 as the username and password.
9. Observe the left-hand pane and the right-hand pane. The left-hand pane contains the configuration settings (Policy and System) required for the OAM 11g server to run. Clicking any of the settings brings up the results on the right-hand pane.
10. View the two tabs: Policy Configuration, which allows you to set Host Identifiers, create policies, resources and so on; and System Configuration, which allows you to manage various agents, data sources such as LDAP, databases and so on, configure authentication modules, manage sessions and so on.
11. To view the properties for a particular object selected on the left pane, simply double-click it, or click it and press the Edit (pencil) icon. As you open the properties of different objects on the right pane, they appear on different tabs. A maximum of 10 tabs can be open at any time. When the number of tabs exceeds 10, the application asks you to close all or some tabs. You can also explicitly close multiple or single tabs by using the icons at the top-right corner of the tabs on the right pane. The menu options, Action and View, at the top of the left pane allow you to view (expand and collapse various nodes and so on) and perform various actions (delete, create, monitor and so on) on the node objects. Using the Search option at the top of the left pane allows you to quickly find the objects in the system and configuration tabs.
12. Enter the URL for EM FMW Control: http://.us.oracle.com:7001/em (Add this page to the Bookmark Toolbar.) Important: Only add http://.us.oracle.com:7001/em to the bookmark; remove the rest of the string. Log in by using weblogic and Welcome1 as the username and password.
13. On the left pane, you can see the nodes under the Farm_oam_domain node to manage application deployments, WebLogic Domain servers and Web tier components (OHS and so on).
Note: At this point you haven't configured any OHS (which is a Web tier component); in Practice 4, when you start configuring the OHS instances, you will see them in EM.
14. You can view the Farm topology by clicking the Topology link at the top of the left pane.
15. Expand the Identity and Access node on the left pane. Click the oam_server node under the OAM parent node. On the right pane, you can see the properties of oam_server (Key Metrics, Performance Overview, Access Clients and Application Domains). Explore the menu options by clicking the Oracle Access Manager link in the top-left corner of the right pane.
Practices for Lesson 4 Chapter 4
Practices for Lesson 4
Practices Overview
In these practices, you install, configure, and register an OAM 11g WebGate and an OAM 10g WebGate with OHS instances. The registration is done via the rreg tool in one case and via the OAM admin console in the other case.
WebGates are policy enforcement agents that are embedded in a Web server, such as the OHS Web server. These agents intercept requests and redirect them for authentication, and then on to the protected resources. A policy enforcement agent is any front-ending entity that acts as an access client to enable single sign-on across enterprise applications. To secure access to protected resources, a Web server, application server, or third-party application must be associated with a registered policy enforcement agent. The agent acts as a filter for HTTP requests, and must be installed on the computer hosting the Web server where the application resides. Individual agents must be registered with Oracle Access Manager 11g after agent installation. Registering an agent sets up the required trust mechanism between the agent and the Oracle Access Manager 11g SSO engine. Registered agents delegate authentication tasks to the OAM server.
Oracle Access Manager 11g supports the following types of policy enforcement agents in any combination.
OAM Agents: A WebGate is one type of agent. It is a Web server plug-in that acts as an access client. WebGate intercepts HTTP requests for Web resources and forwards them to the OAM server for authentication and authorization.
1. WebGate 11g: An out-of-the-box OAM 11g WebGate communicates with Oracle Access Manager 11g services by using the OAM proxy.
2. WebGate 10g: An out-of-the-box OAM 10g WebGate. After registration, 10g WebGates communicate directly with Oracle Access Manager 11g services through a Java-based OAM proxy that acts as a bridge.
3. AccessGate 10g: A custom OAM 10g WebGate that was created by using the Access Manager software developer kit (SDK).
OSSO Agent (mod_osso 10g): After registration with Oracle Access Manager, OSSO 10g agents communicate directly with Oracle Access Manager 11g services through an OSSO proxy. The OSSO proxy supports existing OSSO agents when upgrading to OAM 11g. The OSSO proxy handles requests from OSSO agents and translates the OSSO protocol into a protocol for Oracle Access Manager 11g authentication services.
Important Note: Any time you get unexpected results during this lesson’s practices, it is a good idea to close all browser windows (using File > Exit; do not use the X icon to exit), relaunch a new Firefox browser, and clear all the cookies explicitly by going to the Firefox browser’s Tools > Clear Recent History > Clear Now (make sure Time range to clear is set to Everything and at least Cookies, Cache, and Active Logins are selected).
Practice 4-1: Remove SSO Policies for EM and WLS Console
Overview
Before you start the rest of the practices for this lesson, you remove the SSO protection for the EM and WLS consoles (Release Note: 9925717). The Release Note states: Oracle recommends that customers remove the policies that protect the WLS and EM consoles (that is, "/em", "/em/.../*" and "/console", "/console/.../*"); this means that SSO (using the DomainAgent, a.k.a. WLSAgent) would not be used for these consoles.
Tasks
1. Log in to the OAM admin console by using weblogic and Welcome1. Navigate to Policy Configuration > Application Domains > IDMDomainAgent > Authentication Policies > Protected Higher Level Policy.
2. Open the policy; the list of resources for the policy is displayed on the right panel.
3. Remove the following resources from the authentication policy (click to the right of the dropdown list for the resource and click the Delete icon):
a) IDMDomain:/console
b) IDMDomain:/console/.../*
c) IDMDomain:/em
d) IDMDomain:/em/.../*
4. Click Apply.
5. Navigate to Policy Configuration > Application Domains > IDMDomainAgent > Authorization Policies > Protected Resource Policy.
6. Open the policy; the list of resources for the policy is displayed on the right panel.
7. Remove the following resources from the authorization policy (click to the right of the dropdown list for the resource and click the Delete icon):
a) IDMDomain:/console
b) IDMDomain:/console/.../*
c) IDMDomain:/em
d) IDMDomain:/em/.../*
8. Click Apply.
Practice 4-2: Install and Configure OHS 11g Instances
Overview
In this practice, you install OHS 11g (11.1.1.2.0) and configure three instances (ohs_webgate11g, ohs_webgate10g, and ohs_osso10g) to use later in this lesson's practices to configure the WebGate 11g, WebGate 10g, and mod_osso agents. This practice takes approximately 30 minutes.
Assumptions
N/A
Tasks
1. Start the OSSO 10g and OID 10g instances (these have been pre-installed and configured on the Windows machine). Double-click the start_osso10g.bat icon on the desktop. Make sure the database and processes are up and running.
Note: dcm-daemon may show Down status sometimes. Please ignore it.
2. Navigate to d:\stage\WebTier_11.1.1.2.0\disk1 and double-click setup.exe.
3. Use the following table as a guide to populate the fields:
Step / Window/Page Description / Choices or Values
a. Welcome
   Next
b. Select Installation Type
   Install and Configure
c. Prerequisite Checks
   Next
d. Specify Installation Location
   Oracle Middleware home: d:\middleware
   Oracle home directory: ohs_home
e. Configure Components
   Uncheck Oracle Web Cache
f. Specify WebLogic Domain
   Domain Host Name: .us.oracle.com
   Domain Port No.: 7001
   User Name: weblogic
   Password: Welcome1
g. Specify Component Details
   Instance Home Location: d:\middleware\ohs_home\instances\ohs_webgate11g
   Note: Replace instance1 with ohs_webgate11g for the location.
   Instance Name: ohs_webgate11g
   OHS Component Name: ohs1
h. Configure Ports
   Auto Port Configuration
i. Specify Security Updates
   Deselect “I wish to receive security updates from My Oracle Support.” Select Yes on the Warning pop-up windows.
j. Installation Summary
   Install
k. Configuration Progress
   Next
l. Installation Complete
   Finish
m. Windows “After Installation” Screen
   Next
n. Finish Admin Install
   Finish
4. Navigate to D:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\htdocs. Rename welcome-index.html as welcome-index.html.bak. Copy welcome-index.ohs_webgate11g.html from d:\labs\lesson04 to D:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\htdocs. Rename welcome-index.ohs_webgate11g.html as welcome-index.html. Launch the browser and enter the URL http://.us.oracle.com:7778. You should see the OHS Welcome page with the message “WELCOME TO THE OHS_WEBGATE11G INSTANCE RUNNING ON PORT 7778.”
5. Now you configure two more instances of OHS: ohs_webgate10g and ohs_osso10g.
6. Navigate to d:\middleware\ohs_home\bin and double-click config.bat. Use the following table as a guide to populate the fields:
Step / Window/Page Description / Choices or Values
a. Welcome
   Next
b. Configure Components
   Deselect Oracle Web Cache
c. Specify WebLogic Domain
   Domain Host Name: .us.oracle.com
   Domain Port No.: 7001
   User Name: weblogic
   Password: Welcome1
d. Specify Component Details
   Instance home location: d:\middleware\ohs_home\instances\ohs_webgate10g
   Note: Replace instance1 with ohs_webgate10g for the location.
   Instance Name: ohs_webgate10g
   OHS Component Name: ohs1
e. Configure Ports
   Auto Port Configuration
f. Specify Security Updates
   Deselect “I wish to receive security updates from My Oracle Support.” Select Yes on the Warning pop-up windows.
g. Installation Summary
   Configure
h. Configuration Progress
   Next
i. Installation Complete
   Finish
7. Navigate to D:\middleware\ohs_home\instances\ohs_webgate10g\config\OHS\ohs1\htdocs. Rename welcome-index.html as welcome-index.html.bak. Copy welcome-index.ohs_webgate10g.html from d:\labs\lesson04 to D:\middleware\ohs_home\instances\ohs_webgate10g\config\OHS\ohs1\htdocs. Rename welcome-index.ohs_webgate10g.html as welcome-index.html. Launch the browser and enter the URL http://.us.oracle.com:7779. You should see the OHS Welcome page with the message “WELCOME TO THE OHS_WEBGATE10G INSTANCE RUNNING ON PORT 7779.”
8. Rerun config.bat from d:\middleware\ohs_home\bin and use the same values specified in Step 5, except the following:
Specify Component Details
   Instance home location: d:\middleware\ohs_home\instances\ohs_osso10g
   Note: Replace instance1 with ohs_osso10g for the location.
   Instance Name: ohs_osso10g
   OHS Component Name: ohs1
9. Navigate to D:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\htdocs. Rename welcome-index.html as welcome-index.html.bak. Copy welcome-index.ohs_osso10g.html from d:\labs\lesson04 to D:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\htdocs. Rename welcome-index.ohs_osso10g.html as welcome-index.html. Launch the browser and enter the URL http://.us.oracle.com:7780. You should see the OHS Welcome page with the message “WELCOME TO THE OHS_OSSO10G INSTANCE RUNNING ON PORT 7780.”
Practice 4-3: Install OAM 11g WebGate
Overview
In this practice, you install an OAM 11g WebGate on a pre-installed OHS instance.
Assumptions
An OHS server instance (11.1.1.2.0) should be installed and running in the same Middleware home where you intend to install the OAM 11g WebGate.
1. Check if OHS is running by executing opmnctl status from d:\middleware\ohs_home\instances\ohs_webgate11g\bin.
2. If the status indicates "Not running", then enter opmnctl startall.
3. On the browser window, enter the URL http://:7778/ and press Enter.
4. The Welcome page of OHS is displayed.
Tasks
1. Navigate to the d:\stage\webgate11g\Disk1 directory and double-click setup.exe.
2. Use the table as a guide to populate the fields:
Step / Window/Page Description / Choices or Values
a. Oracle Universal Installer Command Line Window
   Please specify JRE/JDK location: d:\Program Files\Java\jdk1.6.0_17
b. Welcome
   Next
c. Prerequisite Checks
   Next
d. Specify Installation Location
   Oracle Middleware Home: d:\middleware
   Oracle Home directory: WebGate11g_home
e. Install Summary
   Install
f. Installation Progress
   Next
g. Installation Complete
   Finish
h. Windows “After Installation” Screen
   Next
i. Windows “After Installation” Screen
   Finish
Practice 4-4: Create an OAM 11g WebGate Instance
Overview
In this practice, you create a WebGate instance, which copies the required bits of the agent from WEBGATE_HOME to the WebGate instance location that shares the same INSTANCE_HOME with OHS.
Assumptions
A WebGate home must exist before attempting this practice.
Tasks
1. Open a command prompt and navigate to the D:\middleware\WebGate11g_home\webgate\ohs\tools\deployWebGate directory.
2. Run the following command:
deployWebGateInstance.bat -w d:\middleware\ohs_Home\instances\ohs_webgate11g\config\OHS\ohs1 -oh D:\middleware\WebGate11g_home
The -w flag indicates the OHS instance folder and -oh indicates the WebGate Oracle home. This command creates a webgate folder under d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1 and copies the configuration files (shown below) necessary for the WebGate process into the d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\tools\openssl\simpleCA (cacert.pem and cakey.pem) and d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config (oblog_config_wg.xml) directories. The output of the above command should look something like this:
copying files d:\middleware\webgate11g_home\webgate\ohs\config\oblog_config_wg.xml
        1 File(s) copied
copying files d:\middleware\webgate11g_home\webgate\ohs\tools\openssl\simpleCA\cacert.pem
        1 File(s) copied
copying files d:\middleware\webgate11g_home\webgate\ohs\tools\openssl\simpleCA\cakey.pem
        1 File(s) copied
Practice 4-5: Configure OAM 11g WebGate
Overview
In this practice, you run the EditHttpConf utility, which copies the OUI-instantiated apache_webgate.template from WEBGATE_HOME to the WebGate instance location (where it is renamed to webgate.conf) and updates httpd.conf with one additional line to include webgate.conf.
Assumptions
Make sure a WebGate instance is created before you start this practice.
Tasks
1. Set the PATH environment variable. Right-click the My Computer icon on your desktop, select Properties, click the Advanced tab, and click the Environment Variables button. Under System Variables, edit the Path environment variable. At the end of the variable value string, add the following: ;D:\middleware\ohs_home\lib
Click the OK button three times to save and close the windows.
2. Open a new command line window (so that the PATH environment variable has taken effect) and navigate to the d:\middleware\webgate11g_home\webgate\ohs\tools\EditHttpConf directory.
3. Run the following command:
EditHttpConf.exe -w d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1 -oh D:\middleware\WebGate11g_home -o webgate.conf
It should show the following message:
The web server configuration file was successfully updated
d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1/httpd.conf has been backed up as d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1/httpd.conf.ORIG
Verify that D:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1 has the webgate.conf, httpd.conf.ORIG (backup file) and httpd.conf files. The last line in httpd.conf should be:
include "D:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1/webgate.conf"
Practice 4-6: Register OAM 11g WebGate with OAM 11g Server
Overview
In this practice, you run the rreg registration tool, which registers the OAM 11g WebGate. This exercise uses the in-band mode for the registration. The registration can also be done via the OAM admin console UI.
Assumptions
The previous three practices must be completed to successfully complete this practice.
Tasks
1. Navigate to D:\middleware\idm_home\oam\server\rreg\input and, by using WordPad, edit OAM11GRequest.xml as follows:
Original Value → Replace With
http://{oam_admin_server_host}:{oam_admin_server_port} → http://.us.oracle.com:7001
RREG_HostId11G → OAM11gHostId
RREG_OAM11G → OAM11g_WebGate
http://{web_server_host}:{web_server_port} → http://.us.oracle.com:7778
RREG_OAM11G → OAM11g_WebGate
Save and close the file.
2. Navigate to D:\middleware\idm_home\oam\server\rreg\bin. Edit oamreg.bat by using WordPad as shown below:
Step / Original Value / Replace With
a. set OAM_REG_HOME="D:\Remote Registration\RREG client kit\rreg"
   set OAM_REG_HOME=D:\middleware\idm_home\oam\server\rreg
   Note: No quotes.
b. set JDK_HOME=%JAVA_HOME%
   set JDK_HOME="%JAVA_HOME%"
   Note: With quotes.
Save and close the oamreg.bat file.
3. Set the environment variable JAVA_HOME. Right-click the My Computer icon on your desktop. Select Properties, click the Advanced tab, and click the Environment Variables button. Under System Variables, click New. Enter the Variable Name as JAVA_HOME and the Variable Value as D:\Program Files\Java\jdk1.6.0_17. Click the OK button three times to save and close the windows.
4. Open a new command line window, navigate to D:\middleware\idm_home\oam\server\rreg and run the following command:
bin\oamreg.bat inband input\OAM11GRequest.xml
Enter weblogic for the agent username and Welcome1 for the agent password. Enter n when prompted to answer the two subsequent questions.
5. Explore the output/OAM11g_WebGate folder under D:\middleware\idm_home\oam\server\rreg to see the artifacts created by the utility. The ObAccessClient.xml (storing WebGate CONFIG parameters) and cwallet.sso (storing the agent key) files must be copied to the webgate instance config folder. cwallet.sso contains the SSKPWG (Shared Secret Key Per WebGate). Copy cwallet.sso and ObAccessClient.xml from D:\middleware\idm_home\oam\server\rreg\output\oam11g_webgate to D:\middleware\OHS_Home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config.
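As an added check for the end state of Practices 4-5 and 4-6 (example code written for this guide, not an Oracle utility), the following Python script inspects an OHS component directory such as ...\config\OHS\ohs1 and reports any artifact that EditHttpConf or the copy in step 5 should have produced but did not: webgate.conf, the httpd.conf.ORIG backup, the include line as the last line of httpd.conf, and ObAccessClient.xml plus cwallet.sso under webgate\config. The function names are this example's own, and the sample layout it builds under a temporary directory is constructed for demonstration only.

```python
"""Check an OHS component directory (e.g. ...\\config\\OHS\\ohs1) for the
artifacts that Practice 4-5 (EditHttpConf) and Practice 4-6 step 5 (copying
the rreg output) are expected to leave behind. Example code, not Oracle's."""
import re
import sys
import tempfile
from pathlib import Path

# Left in the component directory by EditHttpConf.exe (Practice 4-5).
EXPECTED_TOP_LEVEL = ("webgate.conf", "httpd.conf", "httpd.conf.ORIG")
# Copied from rreg\output\<agent> into webgate\config (Practice 4-6, step 5).
EXPECTED_WEBGATE_CONFIG = ("ObAccessClient.xml", "cwallet.sso")


def last_nonblank_line(text):
    """Return the last line of `text` that is not just whitespace ('' if none)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return lines[-1] if lines else ""


def include_points_at_webgate_conf(line, ohs_dir):
    """True if `line` is an httpd include directive for <ohs_dir>/webgate.conf.

    EditHttpConf writes the path with mixed separators (...\\ohs1/webgate.conf),
    so both sides are normalised to forward slashes and compared
    case-insensitively, as Windows paths are."""
    m = re.match(r'^\s*include\s+"?(.+?)"?\s*$', line, re.IGNORECASE)
    if not m:
        return False
    target = m.group(1).replace("\\", "/").lower()
    expected = (str(ohs_dir).replace("\\", "/") + "/webgate.conf").lower()
    return target == expected


def verify_webgate_instance(ohs_dir):
    """Return a list of problems found under the OHS component directory.

    An empty list means the layout matches what Practices 4-5 and 4-6 produce."""
    ohs_dir = Path(ohs_dir)
    problems = []
    for name in EXPECTED_TOP_LEVEL:
        if not (ohs_dir / name).is_file():
            problems.append(f"missing {name} in {ohs_dir}")
    cfg_dir = ohs_dir / "webgate" / "config"
    for name in EXPECTED_WEBGATE_CONFIG:
        if not (cfg_dir / name).is_file():
            problems.append(f"missing {name} in {cfg_dir} (copy it from the rreg output folder)")
    httpd_conf = ohs_dir / "httpd.conf"
    if httpd_conf.is_file():
        last = last_nonblank_line(httpd_conf.read_text(encoding="utf-8", errors="replace"))
        if not include_points_at_webgate_conf(last, ohs_dir):
            problems.append(f"last line of httpd.conf is not the webgate.conf include: {last!r}")
    return problems


def build_sample_instance(root, complete=True):
    """Create a constructed, minimal copy of the expected layout under `root`.

    With complete=False, cwallet.sso is omitted and the include line is placed
    first instead of last, reproducing two mistakes the check should catch."""
    ohs_dir = Path(root) / "config" / "OHS" / "ohs1"
    cfg_dir = ohs_dir / "webgate" / "config"
    cfg_dir.mkdir(parents=True, exist_ok=True)
    base_conf = "# constructed stand-in for the OHS-generated httpd.conf\nListen 7778\n"
    include = f'include "{ohs_dir}/webgate.conf"\n'  # same mixed-separator form as EditHttpConf
    (ohs_dir / "httpd.conf.ORIG").write_text(base_conf)
    (ohs_dir / "webgate.conf").write_text("# constructed stand-in for the instantiated apache_webgate.template\n")
    (cfg_dir / "ObAccessClient.xml").write_text("<!-- constructed stand-in for the rreg output -->\n")
    if complete:
        (ohs_dir / "httpd.conf").write_text(base_conf + include)
        (cfg_dir / "cwallet.sso").write_bytes(b"constructed stand-in, not a real wallet")
    else:
        (ohs_dir / "httpd.conf").write_text(include + base_conf)
    return ohs_dir


def demo():
    """Run the check against a complete and an incomplete constructed layout."""
    with tempfile.TemporaryDirectory() as tmp:
        good = verify_webgate_instance(build_sample_instance(Path(tmp) / "good"))
        bad = verify_webgate_instance(build_sample_instance(Path(tmp) / "bad", complete=False))
    return good, bad


if __name__ == "__main__":
    if len(sys.argv) > 1:  # a real component directory was given on the command line
        found = verify_webgate_instance(sys.argv[1])
        print("\n".join(found) if found else "OK: WebGate instance layout looks complete")
        sys.exit(1 if found else 0)
    good_problems, bad_problems = demo()
    print("complete layout:", good_problems or "OK")
    print("incomplete layout:", bad_problems)
```

Run it with the component directory as the only argument to check a real instance; with no argument it exercises the two constructed layouts.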
Practice 4-7: Restart OHS and Validate the Results
Overview
In this practice, you restart the Web server (OHS) for the changes you made in Step 5 of the previous practice to take effect. Then you validate the result of registering the OAM 11g WebGate (deployed on the OHS) with the OAM 11g server.
Assumptions
All previous practices for Lesson 4 must be successfully completed before you start this practice.
Tasks
1. On the command line window, navigate to d:\middleware\ohs_home\instances\ohs_webgate11g\bin. Restart the OHS instance by using the following commands:
opmnctl stopall
opmnctl startall
Note: You can also use the Windows menu option to start or stop the OHS instance and to start or stop OPMN: Start > Programs > Oracle Web Tier instance <Instance_Name> > Start/Stop Oracle HTTP Server and Start/Stop Oracle Process Manager.
2. Now you verify the WebGate configuration by accessing the protected URL http://.us.oracle.com:7778. Close all browsers gracefully (File > Exit). Open a new browser window, enter the URL http://.us.oracle.com:7778 and press Enter.
Note: In case you see the Welcome page without being challenged, clear all the cookies from your browser. Go to Tools > Clear Recent History. Set Time range to clear to Everything. Select the Cookies, Cache, and Active Logins check boxes, and click Clear Now.
Note: In case you see OAM Operation Error, restart the OAM managed server (oam_server1) and try again.
3. You should be redirected to the OAM SSO login page.
4. Enter weblogic and Welcome1 for user ID and password. Click Login.
5. The OHS Welcome page should be displayed.
Practice 4-8: View the Agent Details by Using OAM Admin Console
Overview
In this practice, you log in to the OAM admin console and explore the OAM 11g WebGate agent that was registered with the OAM 11g server in Practice 4-5. You can also monitor the agent and view informational and operational details about the agent.
Assumptions
The OAM 11g WebGate agent must be registered with the OAM 11g server.
Tasks
1. Log in to http://.us.oracle.com:7001/oamconsole by using weblogic and Welcome1.
2. Go to the System Configuration tab.
3. Select OAM11g_WebGate from the 11g WebGates list.
4. Edit (by using the pencil icon or double-clicking) to view the detailed properties.
5. Select the Monitor option from the Action list menu option.
6. View some information about the agent by using the Information and Connectivity tabs from the Agent Metrics frame. (Note: It might show “No Data available” right now, but you will use this option later in the practices.)
Practice 4-9: Register OAM 10g WebGate by Using OAM Admin Console
Overview
In this practice, you register an OAM 10g WebGate (10.1.4.3) deployed on an OHS instance, ohs_webgate10g, by using the OAM admin console. In Practice 4-5, you registered an OAM 11g WebGate by using the rreg tool. Now you learn how to perform agent registration by using a GUI.
Assumptions
An OHS instance, ohs_webgate10g, must be up and running before you start this practice. On the command line window, navigate to d:\middleware\ohs_home\instances\ohs_webgate10g\bin and enter opmnctl status.
Tasks
1. Log in to the OAM admin console (http://.us.oracle.com:7001/oamconsole) by using weblogic and Welcome1.
2. Click the System Configuration tab, then click 10g WebGates (under Agents > OAM agents). Click the Create icon on the menu toolbar and specify the following property values for registering an OAM 10g WebGate agent with the OAM 11g server:
Step / Property Name / Value
a. Name
   oam10g_webgate
b. Base URL
   http://.us.oracle.com:7779
c. Host Identifier
   oam10gHostID
d. Public Resource List
   /public/index.html
   Note: Click the plus sign (+) in the Public Resource List table and enter /public/index.html
Click Apply when done. To see the output file, ObAccessClient.xml, generated as part of the registration process, navigate to the d:\middleware\user_projects\domains\oam_domain\output\oam10g_webgate directory.
Note: You will not need to copy this file from D:\middleware\user_projects\domains\oam_domain\output\oam10g_webgate to the D:\middleware\webgate10g_home\access\oblix\lib directory (similar to what you did for the OAM 11g WebGate registration) because, in this practice, you are installing an OAM 10g WebGate for the first time. The WebGate will automatically configure the file for you based on the configuration information that you provide during the installation steps in the next practice. If your OAM 10g WebGate is already installed, and you are now trying to replace the ObAccessClient.xml in the \config\OHS\ohs1\webgate\config location with the newly registered agent, you need to copy ObAccessClient.xml manually from the D:\middleware\user_projects\domains\oam_domain\output\oam10g_webgate directory to D:\middleware\webgate10g_home\access\oblix\lib.
Practice 4-10: Install OAM 10g WebGate

Overview
In this practice, you install an OAM 10g (10.1.4.3) WebGate.

Tasks
1. Navigate to D:\stage\webgate10g and double-click Oracle_Access_Manager_10_1_4_3_0_Win64_OHS11g_WebGate.exe.
2. Use the following table as a guide to populate the fields of the installer. Click Next on the Welcome screen and run the installer with administrative privileges.
   a. Destination Name: D:\middleware\webgate10g_home (Note: Click Next on the Confirmation dialog box.)
   b. Replace Existing File: When prompted to replace the older version of D:\WINNT\system32\msvcirt.dll, click No (Important).
   c. Transport Security Mode: Open
   d. WebGate ID: oam10g_webgate (Note: This ID must match the agent name and case specified in Practice 4-9.)
   e. Password for WebGate: (leave blank)
   f. Access Server ID: AAA (Note: This ID could be any string of your choice.)
   g. Host name where an Access Server is installed: .us.oracle.com
   h. Port Number the Access Server Listens to: 5575. This port number can be confirmed by looking at the OAM admin console > System Configuration > oam10g_webgate > Server Lists > Host Port. This is the OAP port; the OAM proxy receives requests sent over this port. (Note: If you see the error "Preparing to connect to Access Server. Please wait. Client authentication failed, please verify your WebGate ID," make sure the WebGate information is correct, and if you still get the error, try restarting the admin and managed servers.)
   i. Proceed with Automatic Update of httpd.conf?: Yes
   j. Enter the absolute path of httpd.conf file in your webserver config directory: D:\middleware\ohs_home\instances\ohs_webgate10g\config\OHS\ohs1\httpd.conf
   k. Configure WebServer: Next
   l. Pl. read the information below: Next followed by Finish
Practice 4-11: Restart OHS and Validate the Results

Overview
In this practice, you restart the Web server (OHS) for the changes you made in the previous practice to take effect. Then you validate the result of registering an OAM 10g WebGate with an OAM 11g server deployed on the OHS.

Assumptions
Practices 4-7 and 4-8 must be successfully completed before you start this practice.

Tasks
1. Restart the OHS instance by navigating to d:\middleware\ohs_home\instances\ohs_webgate10g\bin on a command line window and running the following commands:
   opmnctl stopall
   opmnctl startall
2. Now you will verify the WebGate configuration by accessing the protected URL http://.us.oracle.com:7779.
3. Close all browsers gracefully (File > Close Window).
4. Open a new browser window, enter the URL http://.us.oracle.com:7779, and press Enter. You should be redirected to the OAM SSO login page. Note: In case you get to the Welcome page without a challenge, clear all the cookies from your browser and try again. To clear cookies, go to Tools > Options > Privacy > Remove Individual Cookies > Remove All Cookies. Press the Close button followed by OK.
5. Enter weblogic and Welcome1 for user ID and password. Click Login. The OHS Welcome page should be displayed.
Practice 4-12: Register OSSO10g Agent (mod_osso) with OAM 11g Server

Overview
In this practice, you run the rreg registration tool, which will register the OSSO10g agent. This exercise uses the out-of-band mode for registration. The registration can also be done via the OAM admin console UI. The idea behind having an out-of-band registration mode is the case of registering external partner applications, for example, acme.com, with the OAM server, where you do not want to give the administrators of the application acme.com direct access to the OAM 11g server. In that case, the application administrator (for acme) does not have access to the OAM 11g server. Hence, as Step 1, the application administrator can pass the Request.xml (possibly via email) to a different OAM server administrator (called, say, "security admin") who has the required access to the OAM 11g server. The OAM server admin will, in turn, run the registration on behalf of the application administrator in the out-of-band mode. This step needs the OAM server to be up because it has to do the actual creation of the agent profile in the server back end. The OAM admin will pass the resulting Response xml back to the application administrator (again possibly via email). Then, as Step 2, the application administrator runs out-of-band registration on the response file to get the artifacts (CONFIG files). This is a local run, which does not need the OAM 11g server to be up.

Steps:
Application Administrator > Request.xml > Security Administrator
Step 1: Security Administrator > Agent registration > Response.xml > Application Administrator
Step 2: Application Administrator > Run Response.xml in out-of-band mode > output artifacts

Example:
Step 1: ./oamreg.sh outofband Request.xml
Output: _Response.xml
Step 2: ./oamreg.sh outofband input/_Response.xml
Output: osso.conf (for OSSO agents), ObAccessClient.xml (for OAM 10g and 11g agents)

Assumptions
The OHS instance ohs_osso10g must be up and running. On the command line window, navigate to d:\middleware\ohs_home\instances\ohs_osso10g\bin and enter opmnctl status.
Tasks
1. Pretend that you are the application administrator. As an application administrator, navigate to D:\middleware\idm_home\oam\server\rreg\input and, by using WordPad, edit OSSORequest.xml as follows:
   Original Value -> Replace With
   http://{oam_admin_server_host}:{oam_admin_server_port} -> http://.us.oracle.com:7001
   RREG_HostId -> OSSO10gHostid
   RREG_OSSO -> OSSO10g_agent
   http://{web_server_host}:{web_server_port}</agentBaseUrl> -> http://.us.oracle.com:7780
   RREG_OSSO</applicationDomain> -> OSSO10g_agent
   Save and close the file. The application administrator provides the metadata details in the request.xml file and emails this file to the security admin.
2. Now pretend that you are the security admin (who has access to the OAM admin console or privileges to run rreg; that is, a member of the group mapped to the OAM Administrator's Role under Role Mapping). Navigate to D:\middleware\idm_home\oam\server\rreg\bin. Edit oamreg.bat by using WordPad and make sure OAM_REG_HOME has been set correctly (this has already been set correctly in Practice 4-5):
   a. OAM_REG_HOME="D:\Remote Registration\RREG client kit\rreg" -> OAM_REG_HOME=D:\middleware\idm_home\oam\server\rreg (Note: No double quotes.)
   Save and close the oamreg.bat file.
3. Make sure the environment variable JAVA_HOME is set correctly (this has already been set correctly in Practice 4-5). Right-click the My Computer (your_hostname) icon on your desktop. Select Properties, click the Advanced tab, and click the Environment Variables button. Under System Variables, locate JAVA_HOME and make sure the value is set to D:\Program Files\Java\jdk1.6.0_17. Click the OK button three times to save and close the windows.
4. Edit the httpd.conf file under d:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1. Search for ServerName .us.oracle.com. Replace the value with the following, in lower case:
   ServerName .us.oracle.com:7780
   Make sure .us.oracle.com is in lower case.
5. As security admin, open a new command line window, navigate to D:\middleware\idm_home\oam\server\rreg, and run the following command:
   bin\oamreg.bat outofband input\OSSORequest.xml
   Enter weblogic for the agent username and Welcome1 for the agent password (here the security admin is the weblogic user). You should get this message after a successful run:
6. Explore the input folder under D:\middleware\idm_home\oam\server\rreg to see the response file OSSO10g_agent_Response.xml created by the utility. The security admin will email this file to the application administrator. Now pretend that you are the application administrator (this user need not be a member of the OAM Administrator role or an LDAP user). Open a new command line window, navigate to D:\middleware\idm_home\oam\server\rreg, and run the following command:
   bin\oamreg.bat outofband input\OSSO10g_agent_Response.xml
   You should get this message after a successful run:
   -----------------------------------------------
   Welcome to OAM Remote Registration Tool!
   Parameters passed to the registration tool are:
   Mode: outofband
   Filename: D:\middleware\idm_home\oam\server\rreg\input\OSSO10g_agent_Response.xml
   Outofband registration (Part 2) completed successfully!
   Output artifacts are created in the output folder.
7. Notice that this time, when you ran oamreg.bat, it did not prompt you for an agent username or password. Hence, this can be run locally by the application administrator with no connection to the WLS admin server. Explore the output\osso10g_agent folder under D:\middleware\idm_home\oam\server\rreg to see the artifact file osso.conf created by the utility. Copy osso.conf from D:\middleware\idm_home\oam\server\rreg\output\OSSO10g_agent to the OHS location D:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1.
8. Copy the mod_osso.conf file from the D:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\disabled folder to the D:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\moduleconf folder.
9. Edit mod_osso.conf in the D:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\moduleconf folder to resemble the following text (changes highlighted in bold text):
   LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
   OssoIpCheck off
   OssoIdleTimeout off
   OssoConfigFile d:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\osso.conf
   OssoSecureCookies off
   OssoHttpOnly off
   #
   # Insert Protected Resources: (see Notes below for
   # how to protect resources)
   #
   #____#
   # Notes
   #______#
   #
   # 1. Here's what you need to add to protect a resource,
   #    e.g. /htdocs/private:
   #
   #    <Location /htdocs/private>
   #      require valid-user
   #      AuthType Osso
   #    </Location>
   #
   # If you would like to have short hostnames redirected to
   # fully qualified hostnames to allow clients that need
   # authentication via mod_osso to be able to enter short
   # hostnames into their browsers uncomment out the following
   # lines
   #
   #PerlModule Apache::ShortHostnameRedirect
   #PerlHeaderParserHandler Apache::ShortHostnameRedirect
10. Make sure the line include "moduleconf/*.conf" is uncommented in the d:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\httpd.conf file.
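A preflight check for the two files this practice edits by hand, the request file of step 1 and the mod_osso.conf of step 9, added here as an example; it is not part of the activity guide or of the rreg tool. The XML element names (serverAddress, hostIdentifier, agentName, agentBaseUrl, applicationDomain) and the host name myhost are assumptions, and the sample files are constructed.

```python
"""Preflight for the out-of-band OSSO registration above: checks the hand-edited
OSSORequest.xml (step 1) and the mod_osso.conf directives (step 9) before the
OHS restart. Added example; not part of the Oracle activity guide or of rreg."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Element names are assumed from the rreg request template (the page shows only
# the values being replaced, not the surrounding tags).
REQUEST_FIELDS = ("serverAddress", "hostIdentifier", "agentName",
                  "agentBaseUrl", "applicationDomain")
# A value still taken from the template: an RREG_* name or a {token}
TEMPLATE_VALUE = re.compile(r"^RREG_|\{[^}]*\}")


def _check_url(name, url):
    parsed = urlparse(url)
    host = parsed.netloc.rsplit(":", 1)[0]        # keep the case as written
    if parsed.scheme not in ("http", "https") or not host:
        return [f"{name}: not an http(s) URL ({url})"]
    findings = []
    if host != host.lower():                      # ServerName must be lower case (step 4)
        findings.append(f"{name}: host name must be lower case ({host})")
    try:
        port = parsed.port
    except ValueError:
        port = None
    if port is None:
        findings.append(f"{name}: explicit numeric port expected ({url})")
    return findings


def check_request(xml_text):
    """Return findings for a filled-in OSSORequest.xml (empty list = ready to send)."""
    findings = []
    root = ET.fromstring(xml_text)
    for name in REQUEST_FIELDS:
        el = root.find(name)
        value = (el.text or "").strip() if el is not None else ""
        if not value:
            findings.append(f"{name}: missing or empty")
            continue
        if TEMPLATE_VALUE.search(value):
            findings.append(f"{name}: template value not replaced ({value})")
        if name in ("serverAddress", "agentBaseUrl"):
            findings.extend(_check_url(name, value))
    return findings


def osso_directives(conf_text):
    """Return {directive: value} for the active (uncommented) Osso* directives."""
    directives = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("Osso"):
            directives[parts[0]] = parts[1].strip().strip('"')
    return directives


def check_osso_conf(conf_text, osso_conf_copied_to):
    """Findings for mod_osso.conf: OssoConfigFile must be the osso.conf copied in
    step 7, and the two cookie flags are reported because the lab leaves them off."""
    d = osso_directives(conf_text)
    findings = []

    def norm(path):                               # Windows paths: case and slashes
        return path.replace("\\", "/").lower()

    if "OssoConfigFile" not in d:
        findings.append("OssoConfigFile: directive missing")
    elif norm(d["OssoConfigFile"]) != norm(osso_conf_copied_to):
        findings.append(f"OssoConfigFile: {d['OssoConfigFile']} is not the copied osso.conf")
    if d.get("OssoSecureCookies", "off").lower() != "on":
        findings.append("OssoSecureCookies off: session cookie is also sent over plain HTTP")
    if d.get("OssoHttpOnly", "off").lower() != "on":
        findings.append("OssoHttpOnly off: session cookie is readable by page scripts")
    return findings


# Constructed sample input; myhost stands in for the lab host name.
SAMPLE_REQUEST = """<OSSORegRequest>
  <serverAddress>http://myhost.us.oracle.com:7001</serverAddress>
  <hostIdentifier>OSSO10gHostid</hostIdentifier>
  <agentName>OSSO10g_agent</agentName>
  <agentBaseUrl>http://myhost.us.oracle.com:7780</agentBaseUrl>
  <applicationDomain>OSSO10g_agent</applicationDomain>
</OSSORegRequest>"""
SAMPLE_MOD_OSSO_CONF = r"""LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
OssoIpCheck off
OssoIdleTimeout off
OssoConfigFile d:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\osso.conf
OssoSecureCookies off
OssoHttpOnly off
"""
OSSO_CONF_PATH = r"D:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\osso.conf"

if __name__ == "__main__":
    for finding in check_request(SAMPLE_REQUEST) + check_osso_conf(SAMPLE_MOD_OSSO_CONF, OSSO_CONF_PATH):
        print(finding)
```

Run against the real files by reading them into the two check functions; an empty list from check_request means every template value was replaced and both URLs carry a lower-case host and a port.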
Practice 4-13: Restart OHS and Validate the Results

Overview
In this practice, you restart the Web server (OHS) for the changes you made in Steps 6 through 9 of the previous practice to take effect. Then, you validate the result of registering an OSSO 10g agent with an OAM 11g server deployed on the OHS.

Tasks
1. On the command line window, navigate to d:\middleware\ohs_home\instances\ohs_osso10g\bin. Restart the OHS instance by using the following commands:
   opmnctl stopall
   opmnctl startall
2. Now you verify the WebGate configuration by accessing the protected URL http://.us.oracle.com:7780.
3. Close all browsers gracefully (File > Close Window).
4. Open a new browser window, enter the URL http://.us.oracle.com:7780, and press Enter. You should be redirected to the OAM SSO login page. Note: In case you get to the Welcome page without a challenge, clear all the cookies from your browser and try again. To clear cookies, go to Tools > Clear Recent History and click the Clear Now button.
5. Enter weblogic and Welcome1 for user ID and password. Click Login. The OHS Welcome page should be displayed.
Practice 4-14: View the Agent Details by Using OAM Admin Console

Overview
In this practice, you log in to the OAM admin console and explore the OAM 10g agent that was registered with the OAM 11g server in Practice 4-11. You can also monitor the agent and view informational and operational details about the agent.

Assumptions
The OSSO10g agent must be registered with the OAM 11g server.

Tasks
1. Log in to http://.us.oracle.com:7001/oamconsole.
2. Go to the System Configuration tab.
3. Select Agents > OSSO Agents > osso10g_agent.
4. Edit (by using the pencil icon or double-clicking) to view the detailed properties.
Practice 4-15: Explore WLS Embedded LDAP Directory and Default OAM User Identity Store

Overview
In this practice, you explore the WLS embedded LDAP directory, which is used to authenticate the weblogic user (an OAM admin and WLS admin user). Administrator and user identities are stored within an LDAP user identity store. A user identity store is a centralized LDAP store in which an aggregation of administrator- and user-oriented data is kept and maintained in an organized way. Only identity user and group data are stored in the centralized LDAP store. Only the primary user identity store can be used to authenticate administrators signing in to use the OAM administration console or custom administrative commands for OAM 11g in WLST. In the OAM 11g administration console, user identity store registrations are organized under the Data Sources node of the System Configuration tab. Administrators can register, view, modify, and delete user identity store registrations by using either the OAM administration console or custom WLST commands for OAM 11g. During initial WebLogic domain configuration using the Oracle Fusion Middleware Configuration Wizard, the embedded LDAP is configured as the one and only user identity store. Within the embedded LDAP, the OracleSystemUser (Oracle application software system user) and OracleSystemGroup are created. The Administrators group is also created and "weblogic" is seeded as the default administrator. After registering the identity store, administrators can reference it in one or more authentication modules that form the basis for authentication schemes. Only the primary user identity store is used for administrator and user authentication. The other data sources in OAM 11g are:
• OAM 11g system configuration data is stored in a file.
• Security policies are stored within Oracle Database.
• Security keys are stored in a keystore.
• Session data is stored in-memory by using Oracle Coherence, and is propagated to Oracle Database.
• Audit data is stored within audit files and can be stored in a separate Oracle Database (not the policy store).
Tasks
1. Launch the WLS admin console, http://.us.oracle.com:7001/console, and log in by using weblogic and Welcome1. Click Security Realms under Domain Structure > oam_domain in the left navigator.
2. Click myrealm. Click the Providers tab and notice the three providers: DefaultAuthenticator, DefaultIdentityAsserter, and IDMDomainAgent. More specifically, notice the DefaultAuthenticator, which is the WLS authentication provider. The WLS embedded LDAP store is used to authenticate users to WLS, such as the weblogic user. If you want to change the WLS authentication to a different LDAP store, this is where you create a new LDAP provider (say for OID or ODSEE, formerly Sun LDAP). If you want to learn more about this, review the OBE http://www.oracle.com/technology/obe/fusion_middleware/wls103/InstallConfig/wls_authn_sunds/wls_authn_sunds.htm
3. Click the Users and Groups tab. Notice the weblogic seeded user. Click the weblogic user and notice that it is a member of the Administrators group (under the Groups tab). If you want to create a new user to be a WLS admin, then that user must be a member of the Administrators group.
4. Launch the OAM admin console, http://.us.oracle.com:7001/oamconsole, and log in by using weblogic and Welcome1. Navigate to System Configuration > Data Sources > User Identity Stores > UserIdentityStore1. Double-click the UserIdentityStore1 node. Notice, on the right pane, that the primary identity store for OAM authentication is set to WLS Embedded LDAP. Since WLS Embedded LDAP is the primary identity store (the Primary check box is selected), OAM is going to authenticate users against the WLS embedded LDAP store. Also, notice that in the Role Mapping section, OAM Administrator's Role is set to the Administrators group. This means any user who is a member of the Administrators group in the WLS embedded LDAP would be an OAM admin; that is, able to log in to the OAM admin console. This is the reason why the weblogic user in the WLS embedded LDAP can log in to the OAM admin console.
Practice 4-16: Create a New User in WLS Embedded LDAP as OAM Admin and WLS Admin User

Overview
In this practice, you create a new user in the WLS embedded LDAP and log in to the WLS admin console and OAM admin console as that user.

Tasks
1. Go to http://.us.oracle.com:7001/console and enter the credentials weblogic and Welcome1 on the login page.
2. In the left pane, go to Security Realms and select myrealm.
3. Go to the Users and Groups tab on top and click New.
4. Add a new user, say wlsuser. Note that the Provider is set to DefaultAuthenticator, which is the WLS embedded LDAP store. Set the password for this user to Welcome1. Confirm the same password. Click OK.
5. Click the wlsuser link, go to the Groups tab for this user, and select the Administrators group for this user by moving it to the right (using the right arrow icon). Click Save. Adding wlsuser to this group now gives him or her the privileges to run the remote registration utility, and also to log in to the OAM admin console and WLS admin console.
6. Verify: Launch the OAM admin console and WLS admin console and try to log in to each of the GUI consoles by using wlsuser and Welcome1.
Practice 4-17: Configure OID as the New Identity Store for OAM

Overview
In this practice, you add a set of users to OID 10g (10.1.4.0.1) and create a new group, oam_admin. Assign a user, Vishal Parashar, as a member of the oam_admin group. Log in to the OAM admin console by using Vishal; it should succeed. Log in to the OAM admin console as David Goldsmith; it should fail because David is not a member of the oam_admin group. However, both Vishal and David should be able to log in to access http://.us.oracle.com:7778 because they are OAM authenticated users.

Tasks
1. View the OAM_SampleUsers.ldif file in the d:\labs\lesson04 directory. Notice that at the end it also contains an entry for adding the oam_admin group with Vishal Parashar as a member of the group.
2. Navigate to the d:\osso10g\bin directory on the command line window and run the following command to load the users into OID (when prompted, enter the password for cn=orcladmin as Welcome1):
   ldapadd -h .us.oracle.com -p 13060 -D cn=orcladmin -q -f d:\labs\lesson04\OAM_SampleUsers.ldif
3. Validate that the users have been added by using Oracle Directory Manager. Start ODM by using the Windows Start menu > Programs > Oracle Application Server Infrastructure – oracleas > Integrated Management Tools > Oracle Directory Manager. Click OK on the Directory Server Connection window. Click Add on the Directory Server Name Manager window. In the Oracle Directory Server window, specify Server as <your_host>.us.oracle.com and Connection Port as 13060. Click OK twice. On the Manager Connect window, specify the user as cn=orcladmin with the password Welcome1.
4. Maximize the ODM window. Under the Entry Management node on the left pane, expand dc=com, dc=oracle, dc=us. All the uploaded users should be under the cn=users node (including Vishal and David) and the oam_admin group should be under the cn=groups node. Click the cn=oam_admin group under the cn=groups node. Notice the value of the uniquemember attribute on the right pane for the oam_admin group; it has Vishal Parashar as the sole member of this group.
5. Log in to the OAM admin console with weblogic and Welcome1 and navigate to the User Identity Store definition node: System Configuration > Data Sources > User Identity Stores. Create a new User Identity Store definition by using the Create icon. Choose the LDAP Provider as OID from the pick list. Specify the rest of the values as shown below:
   • Name: OID_UserStore
   • LDAP URL: ldap://.us.oracle.com:13060
   • Principal: cn=orcladmin
   • Credential: Welcome1
   • User Search Base: cn=users,dc=us,dc=oracle,dc=com
   • Group Search Base: cn=groups,dc=us,dc=oracle,dc=com
   • User Name Attribute: uid
   • OAM Administrator's Role: oam_admin
   Click Test Connection. Click OK on the Connection Status window with the message "Connection to the User Identity Store successful". Click Apply to save the definition. On the left pane, you should now see OID_UserStore along with the primary UserIdentityStore1 (WLS embedded LDAP). Note: Sometimes you may have to refresh the screen to see the update; use the Refresh icon on the left pane menu bar. Close the active tab (OID_UserStore) using the x (close single tab) icon on the top right corner.
6. Change OID_UserStore to the primary user identity store. Double-click the OID_UserStore node on the left pane to see the properties of the definition displayed on the right pane. Click the Set as Primary button on the right pane. Click Apply. A disabled Primary check box should now appear on the Properties page. Edit the properties of UserIdentityStore1 (either by double-clicking or using the pencil icon) and notice the Primary check box is now deselected. Click Sign out to exit the OAM Admin console.
Practice 4-18: Verify the Need to Configure OID Authenticator

Overview
In this practice, you try to log in to the OAM admin console by using Vishal.Parashar and Welcome1 (the user in OID who is a member of the oam_admin group). This demonstrates the need to create an OID authenticator in the WLS admin console.

Tasks
1. Log in to the OAM admin console by using Vishal.Parashar and Welcome1. The IDMDomain agent that protects all the identity management consoles, including the OAM admin console, is unable to authenticate the user Vishal.Parashar in the WLS embedded LDAP (Default Authenticator). Hence, authentication fails and there is a hand-off to the native OAM admin console sign-on page, http://.us.oracle.com:7001/oamconsole/faces/login.jspx (unlike the Single Sign-On login page, http://.us.oracle.com:14100/oam/server/obrareq.cgi). You configured the user identity store definition for OID in the OAM admin console in the previous practice and set it as the primary identity store; hence, when you sign in by using Vishal.Parashar and Welcome1 on the native login page, you are successfully authenticated and able to log in to the OAM admin console. In the next practice, you create a new OID authenticator by using the WLS admin console to make single sign-on to the OAM admin console work again.
Practice 4-19: Create OID Authenticator

Overview
In this practice, you create the OID authenticator provider in the WLS admin console and reorder this provider to be placed above the DefaultAuthenticator (WLS embedded LDAP). Finally, you change the control flag of the OID authenticator to Sufficient, and that of the default authenticator to Sufficient.

Tasks
1. Log in to the WLS console with weblogic and Welcome1. Navigate to oam_domain > Security Realm > myrealm > Providers. Click Lock and Edit in the Change Center section (top left).
2. Click the New button. Specify Name and Type as OIDAuthenticator and OracleInternetDirectoryAuthenticator respectively. Click OK.
3. Click the OIDAuthenticator link. Set the following properties:
   a. Common > Control Flag: Sufficient. Click Save.
   b. Provider Specific > Host: .us.oracle.com
   c. Provider Specific > Port: 13060
   d. Provider Specific > Principal: cn=orcladmin
   e. Provider Specific > Credential and Confirm Credential: Welcome1
   f. Provider Specific > User Base DN: cn=users,dc=us,dc=oracle,dc=com
   g. Provider Specific > All Users Filter: (&(uid=*)(objectclass=person))
   h. Provider Specific > User From Name Filter: (&(uid=%u)(objectclass=person))
   i. Provider Specific > User Name Attribute: uid
   j. Provider Specific > Group Base DN: cn=groups,dc=us,dc=oracle,dc=com. Click Save.
4. Navigate back to the Providers page (by using the locator link at the top). Click the Reorder button and move OIDAuthenticator above DefaultAuthenticator by using the Up arrow. Click OK.
5. Click the DefaultAuthenticator link. Change the control flag to Sufficient. Click Save.
6. Click Activate Changes in the Change Center section (top left).
7. Restart the admin and managed servers (by using the command line or the WLS admin console).
Practice 4-20: Verify the Use of OID as the User Store for OAM Authentication

Overview
In this practice, you log in to the OAM admin console as a user in OID who is a member of the oam_admin group, Vishal. You try to log in to the WLS admin console as the same user without success (because the WLS embedded LDAP is the default authenticator and Vishal is not in the embedded LDAP). Next, you try to log in to http://.us.oracle.com:7778 as Vishal and as David with success, because both users are in the OID, even though David is not a member of the oam_admin group. Also, try to log in to the OAM admin console as the original user, weblogic. This should fail because the weblogic user is not in the OID.

Tasks
1. Launch the OAM admin console. Log in to the console by using Vishal.Parashar and Welcome1. You should have success and be able to see "Signed in as Vishal.Parashar" in the top right-hand corner. Note: You should not see the Redirect to Native Login screen as you saw in the previous practice. Click Sign out.
2. Try to log in to the OAM admin console with weblogic and Welcome1. You should be unsuccessful because the weblogic user is not in the OID.
3. Try to log in to the OAM admin console with David.Goldsmith and Welcome1. You should see the Access Denied page. The AuthZ was unsuccessful even though David is in the OID (AuthN user). This is because David is not a member of the oam_admin group.
4. Try to log in to the WLS admin console with Vishal.Parashar and Welcome1. You should see the Authentication Denied message because Vishal is not in the embedded LDAP and WLS's default authenticator is set to the WLS embedded LDAP. For Vishal to be able to log in to the WLS admin console, he should not only be in the WLS embedded LDAP store but also be a member of the Administrators group.
5. Clear all cookies and launch http://.us.oracle.com:7778 (the welcome-index.html protected via a WebGate 11g). You are redirected to the OAM Login page. Enter Vishal.Parashar and Welcome1. You should have success and be able to see the Oracle Fusion Middleware 11g R1 Welcome page. Close the browser. (Note: Always remember to close the browser gracefully or explicitly clear all the cookies.)
6. Launch http://.us.oracle.com:7778 again. You are redirected to the OAM Login page. Enter David.Goldsmith and Welcome1. You should have success and be able to see the Oracle Fusion Middleware 11g R1 Welcome page. Even though David is not a member of the oam_admin group, David is a valid authenticated user in OID. Note: The OAM admin console requires a user to be a member of the oam_admin group to gain access, and we have not set up any restrictions for the welcome-index.html protected resource on ohs_webgate11g.
Note: From here on, you should log in to the OAM admin console as Vishal.Parashar and Welcome1.
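The outcomes of this practice follow from the provider chain built in Practice 4-19 and the role mapping explained in Practice 4-15. The following model is an added example, not part of the Oracle activity guide: it applies the JAAS control-flag rules and the OAM primary-store and role checks to constructed user stores and reproduces each step's result. The store contents, the simplified console logic and the outcome strings are assumptions.

```python
"""Simplified model of the log-in decisions behind Practices 4-18 to 4-20: the WLS
provider chain configured in Practice 4-19 plus OAM's primary identity store and
OAM Administrator's Role mapping. Added example; not part of the Oracle activity
guide. Directory contents and outcome strings are constructed."""


class Store:
    """Constructed user store: login name -> password, group name -> members."""

    def __init__(self, users, groups):
        self.users = users
        self.groups = groups

    def knows(self, user):
        return user in self.users

    def authenticate(self, user, password):
        return self.users.get(user) == password

    def member_of(self, user, group):
        return user in self.groups.get(group, set())


def jaas_login(chain, user, password):
    """Evaluate an ordered chain of (store, control_flag) with the JAAS rules that
    WebLogic applies to its authentication providers:
    REQUIRED   must succeed; evaluation continues down the chain.
    REQUISITE  must succeed; failure stops evaluation immediately.
    SUFFICIENT success ends evaluation with success unless a REQUIRED or
               REQUISITE provider already failed; failure continues.
    OPTIONAL   counts only when no REQUIRED/REQUISITE provider is present."""
    required_seen = required_failed = optional_ok = False
    for store, flag in chain:
        ok = store.authenticate(user, password)
        if flag in ("REQUIRED", "REQUISITE"):
            required_seen = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    return False
        elif flag == "SUFFICIENT" and ok and not required_failed:
            return True
        elif flag == "OPTIONAL" and ok:
            optional_ok = True
    return (not required_failed) if required_seen else optional_ok


def oam_console(chain, primary, admin_group, user, password):
    """OAM admin console through SSO: OAM authenticates against its primary identity
    store; the WLS realm protecting the console must then find the asserted user in
    one of its authenticators (otherwise the native login page appears, Practice
    4-18); finally the user must be in the group mapped to OAM Administrator's Role."""
    if not primary.authenticate(user, password):
        return "authentication failed"
    if not any(store.knows(user) for store, _ in chain):
        return "native login page"
    if not primary.member_of(user, admin_group):
        return "access denied"
    return "signed in"


def wls_console(chain, embedded, user, password):
    """WLS admin console: provider-chain login plus membership of the Administrators
    group seeded in the embedded LDAP (Practice 4-15)."""
    if not jaas_login(chain, user, password) or not embedded.member_of(user, "Administrators"):
        return "authentication denied"
    return "signed in"


def webgate_resource(primary, user, password):
    """welcome-index.html behind the 11g WebGate: any user authenticated in the
    primary identity store is allowed; no further restriction is configured."""
    return "welcome page" if primary.authenticate(user, password) else "authentication failed"


# Constructed directory contents, with the lab password from the practices.
EMBEDDED_LDAP = Store({"weblogic": "Welcome1", "wlsuser": "Welcome1"},
                      {"Administrators": {"weblogic", "wlsuser"}})
OID = Store({"Vishal.Parashar": "Welcome1", "David.Goldsmith": "Welcome1"},
            {"oam_admin": {"Vishal.Parashar"}})
# Provider chain before Practice 4-19 (DefaultAuthenticator only) and after it
# (OIDAuthenticator reordered above it, both Sufficient).
CHAIN_BEFORE = [(EMBEDDED_LDAP, "REQUIRED")]
CHAIN_AFTER = [(OID, "SUFFICIENT"), (EMBEDDED_LDAP, "SUFFICIENT")]


def practice_4_20_outcomes(chain=CHAIN_AFTER):
    """Outcomes for the six log-in attempts of Practice 4-20, keyed by step."""
    oam = lambda u: oam_console(chain, OID, "oam_admin", u, "Welcome1")
    return {
        "1_vishal_oam_console": oam("Vishal.Parashar"),
        "2_weblogic_oam_console": oam("weblogic"),
        "3_david_oam_console": oam("David.Goldsmith"),
        "4_vishal_wls_console": wls_console(chain, EMBEDDED_LDAP, "Vishal.Parashar", "Welcome1"),
        "5_vishal_webgate": webgate_resource(OID, "Vishal.Parashar", "Welcome1"),
        "6_david_webgate": webgate_resource(OID, "David.Goldsmith", "Welcome1"),
    }


if __name__ == "__main__":
    for step, outcome in practice_4_20_outcomes().items():
        print(step, "->", outcome)
```

Passing CHAIN_BEFORE instead of the default reproduces the Practice 4-18 hand-off to the native login page for Vishal.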
Practice 4-21: Working with WLS Agent Overview In this practice you: Review WLSAgent provider and bootstrap configuration Review OOTB IDMDomainAgent policies Enable and disable WLSAgent to protect the OAM console Note: WLSAgent and IDMDomainAgent terms are used interchangeably. • • •
Tasks
Review WLSAgent provider and bootstrap configuration:
1. Make sure the admin server is up and running.
2. In your browser, clear cookies. Using Firefox, go to menu > Tools > Clear Recent History.
3. In the browser window, explicitly enter: http://<your_host>.us.oracle.com:7001/oamconsole. Note: If using the bookmark, make sure the bookmark URL is http://<your_host>.us.oracle.com:7001/oamconsole with no string after that. Observe the redirect URL for the OAM server (port 14100) and notice that the login text says “Single Sign-On.” Log in to the OAM admin console as vishal.parashar and Welcome1.
4. Using Firefox, go to menu > Tools > Options > Privacy > Show Cookies > Expand the Site nodes. Check the generated cookies. OAMAuthnCookie (domain cookie) and OAM_ID (server cookie) should exist (besides the OAMSESSIONID cookie). The OAM_ID cookie is produced by the OAM 11g server and OAMAuthnCookie is a WLSAgent cookie. Click Close followed by OK.
5. Click Sign out and close the browser gracefully.
6. Open a new browser and log in to the WLS console by using http://<your_host>.us.oracle.com:7001/console as weblogic/Welcome1.
7. Access the Security Realm on the left pane > myrealm > Providers tab. Verify that the IDMDomainAgent provider exists, and access it to see its configuration. Notice that the WLS agent uses an OAMAuthnCookie (on the Common tab).
8. Access the Provider Specific tab and notice the Agent Name (IDMDomainAgent: the seeded agent, which you can view via the OAM admin console) and Primary Access Server (localhost:5575). 5575 is the proxy server port for the OAM Server (the OAM server port is 14100). Note: If you change any of these parameters on the Provider definition, a domain restart is required (restart the admin and managed servers).
9. Close your browser.

Review the default IDMDomainAgent policies:
1. Log in to the OAM admin console.
2. Click Policy Configuration > Application Domains and review the existing policies under the IDMDomainAgent application domain. Under Resources, notice that IDMDomainAgent:/oamconsole is one of the resources. Under Authentication Policies > Protected HigherLevel Policy, you should see IDMDomainAgent:/oamconsole as one of the resources in the list.
3. Log out of the OAM admin console.
Disable WLSAgent:
By default, WLSAgent is enabled, thereby providing seamless SSO authentication by using OAM 11g for all IDM deployed applications (Oracle Identity Navigator, Oracle Adaptive Access Manager, Oracle Identity Manager, Oracle Access Manager, and so on). In this practice, you disable WLSAgent and observe the native login page (rather than the SSO page) appear when you try to log in to the OAM admin console.
1. Stop AdminServer by using WLS Admin Console > oam_domain > Environment > Servers > Control tab > select the check box next to AdminServer > Shutdown > Force Shutdown Now, or just close the command line window from which you started AdminServer.
2. Right-click My Computer (your_hostname) > Properties > Advanced > Environment Variables. Under System Variables, click New. Specify WLSAGENT_DISABLED as the variable name and “true” as the variable value.
3. Open a new command line window. Make sure the environment variable WLSAGENT_DISABLED is set to “true” in the window by entering the following command:
   echo %WLSAGENT_DISABLED%
4. Start the admin server by navigating to the directory d:\middleware\user_projects\domains\oam_domain and then entering startWeblogic.cmd.
5. When the admin server has started up, clear the cookies and access the OAM Admin Console (http://<your_host>.us.oracle.com:7001/oamconsole).
6. Notice that the login page does not have “Single Sign-On” in the text, and notice the native login page in the URL (unlike the SSO URL you observed in earlier practices).
7. Provide the credentials (vishal.parashar and Welcome1) and log in.
8. Verify that no OAMAuthnCookie or OAM_ID cookie is generated by going to Firefox menu > Tools > Options > Privacy > Show Cookies. Expand the Site node. The only cookie you should see is the OAMSESSIONID cookie.
9. Enable WLSAgent again by deleting the environment variable WLSAGENT_DISABLED.
10. Restart the admin server.
11. Clear all cookies and access the admin console. Notice that the SSO login page (on 14100) now appears as expected (and not the native login page on 7001).
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Practice 4-22: Mode of Communication: WebGate and OAM 11g Server - Setting Server Mode to Simple

Overview
OAM Security Modes: Secure communication on the NAP channel also requires that each OAM server and each WebGate agent use the same security mode, either:
• Open: Unencrypted communication. In Open mode, there is no authentication or encryption between the WebGate and the OAM server. The WebGate does not ask for proof of the OAM server's identity and the OAM server accepts connections from all WebGates. Use Open mode if communication security is not an issue in your deployment.
• Simple: Encrypted communication through the Secure Sockets Layer (SSL) protocol with a public key certificate issued by Oracle. Use Simple mode if you have some security concerns, such as not wanting to transmit passwords as plain text, but you do not manage your own Certificate Authority (CA). In this case, OAM 11g servers and WebGates use the same certificates, issued and signed by the Oracle CA (self-signed certificate).
• Cert: Encrypted communication through SSL with a public key certificate issued by a trusted third-party certificate authority. Use Cert mode if you want different certificates on OAM 11g servers and WebGates and you have access to a trusted third-party CA. In this mode, you must encrypt the private key by using the DES algorithm.

Oracle Access Manager components use X.509 digital certificates in PEM format only. PEM refers to Privacy Enhanced Mail, which requires a passphrase. The PEM format is preferred for private keys, digital certificates, and trusted certificate authorities (CAs). The preferred keystore format is the JKS (Java Keystore) format.

In cryptography, a public key is a value provided by a designated authority to be used as an encryption key. The system for using public keys is called a public key infrastructure (PKI). As part of a public key infrastructure, a certificate authority checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. When the RA verifies the requestor's information, the CA can issue a certificate. Private keys can be derived from a public key. Combining public and private keys is known as asymmetric cryptography, which can be used to effectively encrypt messages and digital signatures.

Depending on the public key infrastructure, the digital certificate establishes credentials for Web-based transactions based on:
• Certificate owner's name
• Certificate serial number
• Certificate expiration date
• A copy of the certificate holder's public key, which is used to encrypt messages and digital signatures
• The digital signature of the certificate-issuing authority, which is provided so that a recipient can verify that the certificate is real

Digital certificates can be stored in a registry from which authenticating users can look up the public keys of other users.
For Simple mode encryption, Oracle Access Manager ships a certificate authority with its own private key, which is installed across all WebGates and OAM servers. For each public key, there is a corresponding private key that Oracle Access Manager stores in the aaa_key.pem file. A program named openSSL in the \tools subdirectory automatically generates the key pair and the following files for Simple mode security:
• cacert.pem: the certificate request, signed by the Oracle-provided openSSL Certificate Authority.
• password.xml: contains the random global passphrase that was designated during installation, in obfuscated format. This is used to prevent other customers from using the same CA. Oracle Access Manager performs an additional password check during the initial handshake between the OAM agent and the OAM server.
• aaa_key.pem: contains your private key (generated by openSSL).
• aaa_cert.pem: signed certificates in PEM format.

The transport security communication mode is chosen during OAM installation. The installer generates a random global passphrase initially, which can be edited as required later. When you register an OAM agent or a new OAM server, you can specify the mode. However, changing the global passphrase requires that you reconfigure all agents to use Simple mode and the new global passphrase.

Tasks
1. Log in to the OAM admin console with vishal.parashar and Welcome1. Navigate to System Configuration > Agents > 11g WebGates > OAM11g_Webgate. Edit OAM11g_webgate and notice that the mode of communication (security) is set to Open. The mode of communication at install time was set to Open; hence you need to edit the agent registration through the OAM admin console and change the security mode (you will perform this in the next practice).
2. Expand the Server Instances node and edit the properties of oam_server1. On the Proxy tab, change the mode from Open to Simple for the OAM Server oam_server1. Click Apply and then click Yes on the Confirm Edit window.
3. In the browser window, open a new tab. Enter http://<your_host>.us.oracle.com:7778. Notice the error “Oracle Access Manager Operation Error.” Check the oam_server1-diagnostic.log file under d:\middleware\user_projects\domains\oam_domain\servers\oam_server1\logs. Notice the log message (near the end of the file):
   Channel unsecure. Details: Channel Mode: open Minimum Server Mode: simple Agent Id: OAM11G_webgate] Channel security mode is different as specified in configuration Channel unsecure.
4. Double-click the Server Instances node; the OAM Common Server Properties pane appears on the right. Click the OAM Proxy tab. Under Simple Mode Configuration there is the property Global passphrase. The installer generates a random global passphrase initially, and you can edit it as required later. However, note that changing the global passphrase requires re-registration of all existing agents running in Simple mode.
Practice 4-23: Mode of Communication: WebGate and OAM 11g Server - Setting OAM 11g WebGate Mode to Simple

Overview
In this practice, you set the mode of communication for oam11g_webgate to Simple by editing the OAM 11g WebGate registered with the OAM 11g server. Hence, by the end of this practice, both server and WebGate will be running in Simple mode.

Tasks
1. Note that the d:\middleware\user_projects\domains\oam_domain\output\OAM11g_WebGate folder does not yet exist (because the OAM 11g WebGate was registered by using the rreg tool rather than by using the OAM admin console).
2. Log in to the OAM admin console by using vishal.parashar and Welcome1. Navigate to System Configuration > Agents > 11g WebGates > OAM11g_Webgate. Edit the agent by using the pencil icon on the menu bar.
3. Enter the details as shown below:

   Window/Page Description    Choices or Values
   Security                   Simple

   Click Apply.
4. Observe the extra files (compared to when you registered the WebGate 11g agent in Open mode) aaa_cert.pem, aaa_key.pem, and password.xml that are created along with cwallet.sso and ObAccessClient.xml in the d:\middleware\user_projects\domains\oam_domain\output\oam11g_webgate folder.
5. Copy the ObAccessClient.xml, cwallet.sso, and password.xml files from the d:\middleware\user_projects\domains\oam_domain\output\oam11g_webgate folder to d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config (replacing ObAccessClient.xml and cwallet.sso).
6. Copy aaa_cert.pem and aaa_key.pem from the d:\middleware\user_projects\domains\oam_domain\output\oam11g_webgate folder to the d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config\simple folder. Note: The PEM files need to be copied under the simple directory of the config folder.
Practice 4-24: Restart the OHS Instance and Verify the Results

Overview
In this practice, you restart the Web server (OHS) for the changes you made in Step 5 of the previous practice to take effect. Then you validate the result of changing the mode of communication between the WebGate and the OAM 11g server by trying to get to the Welcome page for the OHS server: http://<your_host>.us.oracle.com:7778 (Note: In Practice 4-22, Step 3, you received an error due to mode incompatibility).

Tasks
1. In the command line window, navigate to d:\middleware\ohs_home\instances\ohs_webgate11g\bin.
2. Restart the OHS instance using the following commands:
   opmnctl stopall
   opmnctl startall
3. Clear all browser cookies.
4. Now verify that the Simple mode of communication is configured successfully by accessing the protected URL http://<your_host>.us.oracle.com:7778. Enter the URL http://<your_host>.us.oracle.com:7778 and press Enter. You should be redirected to the OAM SSO login page.
5. Enter vishal.parashar and Welcome1 for user ID and password. Click Login. The OHS Welcome page should be displayed.
Practice 4-25: Change Server Mode to Open and Test WebGate Communication

Overview
In this practice, you switch the OAM 11g server mode back to Open and test whether you can continue to access the Welcome page application, showcasing the fact that a WebGate in Simple mode (or even Cert mode) can talk to a server in Open mode.

The prerequisite for configuring the agent security mode is that at least one OAM server instance should be running in the specified agent security mode; otherwise, the registration will fail. Therefore, at the time of registration, it is important to have mode compatibility between the agent mode and one of the OAM server instance modes (if there is only one OAM server, then both must be in the same mode). However, after the WebGate registration is complete, the OAM server mode can be changed. The communication between agent and server continues to work as long as the WebGate mode is at least at the same level as the server mode (it can be higher but cannot be lower). For example, if the server mode is Open, agents can communicate with the server in Open, Simple, or Cert mode. If the server mode is Simple, agents can communicate with the server in Simple or Cert mode. If the server mode is Cert, agents can communicate with the server in Cert mode only. You will showcase this by changing the server mode back to Open and making sure that WebGates in Simple mode can continue to communicate with the server in Open mode.

Tasks
1. Log in to the OAM admin console. Notice that you see the OAM native authentication page (as opposed to the SSO page). This is due to a known limitation of the WLS agent (Bug 9467206: WLS agent does not support Simple or Cert mode**). Navigate to System Configuration > Server Instances > oam_server1.
2. Edit the properties and change the Mode to Open on the Proxy tab. Click Apply. On the Confirm Edit window, click Yes.
3. Restart the admin and managed servers.
4. Open a new browser (clear cookies and cache: go to Tools > Clear Recent History) and verify that, with the WebGate running in Simple mode of communication and the server running in Open mode, you are successfully able to access the protected URL http://<your_host>.us.oracle.com:7778.
5. Enter the URL http://<your_host>.us.oracle.com:7778 and press Enter. You should be redirected to the OAM SSO login page.
6. Enter vishal.parashar and Welcome1 for user ID and password. Click Login. The OHS Welcome page should be displayed.
7. Also, validate that the login page for the OAM admin console is now the SSO login page (as opposed to the native login page) by launching your browser and entering http://<your_host>.us.oracle.com:7001/oamconsole.

Note: At the end of all the labs for this course, there is a lab exercise on enabling CERT mode communication between a WebGate and an OAM 11g server. This is a key requirement in a production environment. You will perform Practice 4 (Advanced) on Friday. This practice covers how to secure WebGate and OAM server traffic by using SSL certificates.
Note: ** Possible workarounds for this issue are as follows:
a) Continue to use the native login page for the OAM console. Or,
b) Protect the OAM console by using WebGate 11g (the port for oamconsole will change from 7001 to the OHS port where the WebGate is deployed; for example, 7778 for WebGate 11g). However, the only concern here is that the availability of the OAM console now becomes dependent on the availability of the WebGate.
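The mode rules from Practice 4-25 (registration needs a server instance in the agent's mode; afterwards the agent mode must be at least the server mode) and the "Channel unsecure" diagnostic line from Practice 4-22, step 3, modelled in a small checker. This is an added example, not Oracle's code; the log line is the one quoted on the page, re-typed here as a constructed sample, and the function names are this example's own.

```python
"""Added example (not part of the Oracle course material): a small model of the
NAP channel security-mode rules described in Practices 4-22 and 4-25, plus a
parser for the 'Channel unsecure' diagnostic line quoted in Practice 4-22."""
import re
from typing import Dict, Iterable, List, Optional

# Security modes ordered from weakest to strongest (Open < Simple < Cert).
MODE_RANK = {"open": 0, "simple": 1, "cert": 2}


def normalize(mode: str) -> str:
    m = mode.strip().lower()
    if m not in MODE_RANK:
        raise ValueError(f"unknown security mode: {mode!r}")
    return m


def registration_allowed(agent_mode: str, server_modes: Iterable[str]) -> bool:
    """Agent registration requires at least one OAM server instance running in
    exactly the agent's mode (Practice 4-25 prerequisite)."""
    agent = normalize(agent_mode)
    return any(normalize(s) == agent for s in server_modes)


def channel_secure(agent_mode: str, server_mode: str) -> bool:
    """After registration the channel keeps working as long as the agent's mode
    is at least as strong as the server's mode."""
    return MODE_RANK[normalize(agent_mode)] >= MODE_RANK[normalize(server_mode)]


def reachable_server_modes(agent_mode: str) -> List[str]:
    """All server modes an agent running in agent_mode can still talk to."""
    return [m for m in MODE_RANK if channel_secure(agent_mode, m)]


_LOG_RE = re.compile(
    r"Channel unsecure\. Details: Channel Mode: (?P<channel>\w+) "
    r"Minimum Server Mode: (?P<minimum>\w+) Agent Id: (?P<agent>[\w.-]+)"
)


def parse_channel_unsecure(line: str) -> Optional[Dict[str, str]]:
    """Parse the oam_server1-diagnostic.log message shown in Practice 4-22.
    Returns None for lines that are not this message."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    return {"channel_mode": m.group("channel").lower(),
            "minimum_server_mode": m.group("minimum").lower(),
            "agent_id": m.group("agent")}


def explain(line: str) -> Optional[str]:
    """Cross-check the log line against the mode rule and say which side must change."""
    parsed = parse_channel_unsecure(line)
    if parsed is None:
        return None
    if channel_secure(parsed["channel_mode"], parsed["minimum_server_mode"]):
        return f"{parsed['agent_id']}: modes are compatible, look elsewhere"
    return (f"{parsed['agent_id']}: agent channel is {parsed['channel_mode']} but the server "
            f"requires at least {parsed['minimum_server_mode']}; edit the agent registration "
            f"to a higher mode (Practice 4-23) or lower the server mode (Practice 4-25)")


# Constructed sample: the diagnostic line quoted in Practice 4-22, step 3.
SAMPLE_LOG_LINE = ("Channel unsecure. Details: Channel Mode: open Minimum Server Mode: simple "
                   "Agent Id: OAM11G_webgate] Channel security mode is different as specified "
                   "in configuration Channel unsecure.")

if __name__ == "__main__":
    print(explain(SAMPLE_LOG_LINE))
    print("Simple agent -> Open server:", channel_secure("Simple", "Open"))
    print("Simple agent registering against Open-only servers:",
          registration_allowed("Simple", ["Open"]))
```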
Practices for Lesson 5 Chapter 5
Practices for Lesson 5 Chapter 5 - Page 1
Practices for Lesson 5

Practices Overview
In these practices, you deploy two different applications: My Bank and Example Bakery. The first one you deploy onto WLS as a WAR file, whereas the second you deploy directly to the Web server (OHS instance). Next you create policies (AuthN and AuthZ rules) to protect various resources within these two applications.

Three important notes:
1. Any time you get unexpected results during this lesson's practices, it is a good idea to close all browser windows (using File > Exit; do not use the X icon to exit) and then relaunch a new Firefox browser. Also, clear all the cookies explicitly by going to the Firefox browser's Tools > Clear Recent History > Clear Now (make sure Time range to clear is set to Everything and at least Cookies, Cache, and Active Logins are selected).
2. My Bank is a dummy application. Not all links of this application are working or enabled. Please follow the exact instructions as specified in the lab steps to achieve the results for the labs.
3. Any time you want to observe the request flow, redirects, cookies, headers, and so on, you can use the Live HTTP Headers add-on to the Firefox browser, which has been pre-installed. Go to Tools > Live HTTP Headers. Do not close the Live HTTP Headers window; keep it minimized to observe the variables and monitor the request flow. This is a free add-on to Firefox.

Here is a quick recap of what you learned in Lesson 5:
In OAM 11g, the default behavior is to deny access when a resource is not protected by a policy that explicitly allows access. The OAM 10g default behavior allowed access when a resource was not protected by a rule or policy that explicitly denied access. This limited the number of WebGate queries to the access server with OAM 10g.

The Oracle Access Manager 11g policy model enables you to control who can access resources when you define an application domain that is used to discriminate between authenticated users who are authorized to access a particular resource and those who are not authorized for access to a particular resource. An application domain logically groups resources and security policies in a flexible way. Each application domain can be made to contain policy elements related to an entire application deployment, a particular tier of the deployment, or a single host. Application domains do not have any hierarchical relationship to one another. Each application domain references an existing host identifier and an existing authentication scheme. Within the application domain, specific resources are identified as well as the security policies that govern each resource. Authentication and authorization policies include administrator-configured responses that insert information into either a header or session cookie. Authorization policies include administrator-configured constraints that define who gets access. Each application domain must have a unique name (a brief description is optional). Each domain is seeded with a resource container and policy containers where administrators can define resources and security policies.

Resources represent a document, or entity, or pieces of content stored on a server and available for access by a large audience. Clients communicate with the server and request the resource by using a particular protocol (HTTP or HTTPS, for example) that is defined by an existing resource type.

Authentication is the process of proving that a user is who he or she claims to be. To authenticate a user, Oracle Access Manager presents the user's browser with a request for authentication credentials in the form of a challenge. The challenge is referred to as a challenge method.

Authorization is the process of determining if a user has a right to access a requested resource. Administrators can create one or more authorization policies to specify the conditions under which a subject or identity has access to a resource. A user might want to see data or run an application program protected by a policy. The requested resource must belong to an application domain and be covered within that domain by a specific authorization policy.

Responses: Administrator-defined policy responses declare optional actions to be taken in addition to the above. Policy responses provide the ability to insert information into a session and pull it back out at any later point. This is more robust and flexible than OAM 10g, which provided data passage to (and between) applications by redirecting to URLs in a specific sequence.

Constraints: An authorization constraint is a rule that grants or denies access to a particular resource based on the context of the request for that resource. Authorization constraints define the obligations (requirements) that must be fulfilled before responding to a client's request. Evaluation of constraints determines if the authorization policy applies to the incoming request. The appropriate obligations take effect after successful authentication.
Practice 5-1: Deploy the My Bank Application

Overview
In this practice, you deploy mybank.war to a WLS admin server.
Note: Even though you deploy the application to the admin server in this lab due to memory and resource constraints, in a real-world production environment it is always a good practice to deploy your applications on a user-defined managed server.
Note: The My Bank application is a simple WAR; that is, it does not use a J2EE security model (use of OPSS: Oracle Platform Security Services). If you want to learn how to configure OAM 11g to work with J2EE applications with J2EE security built into the application, refer to http://download.oracle.com/docs/cd/E14571_01/core.1111/e10043/osso.htm#BABJJFAI (Chapter 9, “Configuring Single Sign-On in Oracle Fusion Middleware”). Chapter 9 is part of the Oracle Fusion Middleware Application Security Guide 11g Release 1 (11.1.1), Part Number E10043-06. Discussion of OPSS, the J2EE security model, and its integration with OAM 11g is beyond the scope of this course.

Tasks
1. Navigate to d:\Labs\Lesson05 and open and extract the contents of mybank.war by using WinZip (Right-click > Open > Select Program - choose WinZip > Extract) into the d:\labs\lesson05\mybank directory. Observe the files, namely main_page.jsp and testheaders.jsp. Note: The main_page.jsp includes a check to see if OAM_REMOTE_USER is null and, if found null, it redirects to login.jsp. The testheaders.jsp displays all cookies and headers available.
2. Log in to the WLS admin console – http://<your_host>.us.oracle.com:7001/console – with weblogic and Welcome1.
3. Click Deployments under oam_domain in the domain structure. Click Lock and Edit under the Change Center section in the top-left corner.
4. Click the Install button that has now become enabled. Navigate to the path d:\labs\lesson05\mybank. Select mybank (open directory). Click Next. Note: Here, you are deploying an exploded WAR file rather than a .war. This allows you to update the deployed files dynamically without having to redeploy manually to WLS.
5. Ensure that “Install this deployment as an application” is selected. Click Next.
6. Select the admin server as the deployment target for the mybank application. Click Next.
7. Ensure that mybank is the name of the application (Note: lowercase). Scroll down. Select “I will make the deployment accessible from the following location.” Click Next.
8. Click Finish.
9. Click the Activate Changes button under the Change Center section.
10. On the Deployments page (oam_domain > Deployments), find the mybank application (click Next to get to the next page). Note that the State of the application is Prepared. Select the check box next to the mybank application and click Start > Servicing all requests. On the Start Application Assistant page, click Yes. Now the state of the application should change from Prepared to Active.
11. Now, with another instance of the Firefox browser, enter http://<your_host>.us.oracle.com:7001/mybank. The login page is displayed. Note: Observe the web.xml under the mybank/WEB-INF folder. You will observe that main_page.jsp is set as the Welcome page. The main_page.jsp includes a header.jsp from the includes folder. This JSP, along with other functions, checks whether OAM_REMOTE_USER is null. If null, it redirects to the login.jsp page.
Practice 5-2: Configure Single Sign-On for mybank Application

Overview
Setting up single sign-on to mybank involves integrating the OHS and WebLogic Servers, since the requests need to be forwarded from the OHS to the mybank application deployed on WebLogic Server. This is achieved by modifying the mod_wl_ohs.conf under the config directory of the OHS 11g instance.

Tasks
1. Navigate to the D:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1 directory and edit and update the mod_wl_ohs.conf file as shown below (the enclosing IfModule and Location directives follow the standard OHS 11g mod_wl_ohs.conf layout; the Location path /mybank is assumed from the forwarding described in the overview):

   <IfModule weblogic_module>
      WebLogicHost <your_host>.us.oracle.com
      WebLogicPort 7001
      #Debug ON
      #WLLogFile /tmp/weblogic/log
      MatchExpression *.jsp
   </IfModule>

   <Location /mybank>
      SetHandler weblogic-handler
      #PathTrim /weblogic
      #ErrorPage http:/WEBLOGIC_HOME:WEBLOGIC_PORT/
   </Location>

   Save the changes.
2. Restart the OHS for the changes to take effect. From the command line, navigate to D:\middleware\ohs_home\instances\ohs_webgate11g\bin and issue the following commands:
   opmnctl stopall
   opmnctl startall
3. Open the Firefox browser and enter http://<your_host>.us.oracle.com:7778/mybank. You will be redirected to the SSO page. Enter the credentials vishal.parashar and Welcome1. Click Login. You should see main_page.jsp. Note: Now OAM_REMOTE_USER is not null, hence the ID—Vishal.Parashar—is displayed next to the Sign Off link.
4. Type http://<your_host>.us.oracle.com:7778/mybank/testheaders.jsp. Observe all the contents on this page. Keep an eye on OAM_REMOTE_USER and the cookie values.
Practice 5-3: Managing Resources

Overview
Resources represent a document, or entity, or pieces of content stored on a server and available for access by a large audience. Clients communicate with the server and request the resource by using a particular protocol (HTTP or HTTPS, for example) that is defined by an existing resource type. You now configure a resource /mybank/testheaders.jsp and use it in the later practices.

Tasks
1. Using the Firefox browser, go to http://<your_host>.us.oracle.com:7001/oamconsole. Log in by using the credentials vishal.parashar and Welcome1.
2. Navigate to Application Domains > OAM11g_WebGate > Resources. Click the Create icon.
3. Enter the following values:

   Step   Window/Page Description   Choices or Values
   a.     Type                      HTTP
   b.     Host Identifier           OAM11gHostId
   c.     Resource URL              /mybank/testheaders.jsp

4. Click Apply.
Practice 5-4: Managing Authentication Policies

Overview
Authentication is the process of proving that a user is who he or she claims to be. To authenticate a user, Oracle Access Manager presents the user's browser with a request for authentication credentials in the form of a challenge. The challenge is referred to as a challenge method. This exercise modifies an existing authentication policy and adds the record OAM11gHostId:/mybank/testheaders.jsp.

Tasks
1. Navigate to Application Domains > OAM11g_WebGate > Authentication Policies > Protected Resource Policy. Click the Edit icon. Note: Observe that the authentication scheme is set to LDAPScheme. You can add a new authentication policy, but for now, use the existing policy and add the new resource.
2. On the right pane, under the Resources tab, click the + (add) icon. From the drop-down menu, select OAM11gHostId:/mybank/testheaders.jsp.
3. Click Apply.
Practice 5-5: Managing Authorization Policies

Overview
Authorization is the process of determining if a user has a right to access a requested resource. This exercise creates a new Admin_Resource_Policy and adds the resource URL OAM11gHostId:/mybank/testheaders.jsp, so that this policy can be evaluated separately from the other policies.

Tasks
1. Navigate to Application Domains > OAM11g_WebGate > Authorization Policies. Click the Create icon.
2. Enter the following values:

   Original Value   Replace With
   Name             Admin_Resource_Policy
   Resources        OAM11gHostId:/mybank/testheaders.jsp

   Click Apply.
Practice 5-6: Managing Authentication and Authorization Responses: Headers and Cookies

Overview
Responses declare optional actions to be taken additionally (hence their OAM 10g name, “Actions”). In OAM 11g, responses are much more declarative and powerful, able to support things that used to require custom AuthZ plug-ins before. A response consists of two inputs, a type and an expression, and a single output, the value. The response type denotes the form of action to be taken with the value string. For the OAM 11g R1 BP01 Release (11.1.1.3.1), three types are included:
• Cookie – set an HTTP cookie whose value is the value string
• Header – set an HTTP request header using the value
• Session – set an attribute on the user's session using the value

Tasks
1. Navigate to Application Domains > OAM11g_WebGate > Authorization Policies > Admin_Resource_Policy. Click the Edit icon. Click the Responses tab. Click the + (add) icon.
2. Enter the following values:

   Name                 Type     Value
   OAM_Cookie_Simple    Cookie   SimpleCookie
   OAM_Header_Simple    Header   SimpleHeader

   Click Apply.
3. Using the Firefox browser, enter http://<your_host>.us.oracle.com:7778/mybank. Log in by using the credentials vishal.parashar and Welcome1 (if not already logged in or if the session has expired). Now type in the URL http://<your_host>.us.oracle.com:7778/mybank/testheaders.jsp. Observe OAM_HEADER_SIMPLE and the value SimpleHeader.
4. To view the cookie, refresh the page, because the cookie is displayed only after being set in the browser. The first time, the cookie is sent as an HTTP header by the Web server to the Web browser; the browser then sends it back unchanged each time it accesses that server, so the second request (the refresh) displays the cookie OAM_Cookie_Simple with the value SimpleCookie.
5. Log in to the OAM admin console by using vishal.parashar and Welcome1 and navigate to Application Domains > OAM11g_WebGate > Authorization Policies > Admin_Resource_Policy. Click the Edit icon. Click the Responses tab. Click the + (add) icon.
6. Enter the following values:

   Name                  Type     Value
   OAM_Header_Advanced   Header   User $user.attr.uid from $request.client_ip used agent $request.agent_id

   Note: $ signifies variables. $user.attr.uid is a keyword that retrieves the UID for the user from the primary identity store (OID) that is configured for this domain. $request.client_ip is a keyword that retrieves the requesting client's IP address. $request.agent_id is a keyword that retrieves the agent_id protecting this domain.
7. Click Apply.
8. Refresh the browser with the testheaders.jsp page – http://<your_host>.us.oracle.com:7778/mybank/testheaders.jsp (you may have to reauthenticate if the session has timed out). Observe the header name OAM_HEADER_ADVANCED with the value:
   User Vishal.Parashar from used agent OAM11g_WebGate
Practice 5-7: Managing Authentication and Authorization Responses: Session Variables
Overview
Policy responses provide the ability to insert information into a session and pull it back at any later point. This is more robust and flexible than OAM 10g, which passed data to (and between) applications by redirecting to URLs in a specific sequence.
You now create a session response in the authentication policy, then retrieve this session variable and use it in an HTTP header response in the authorization policy.
Tasks
1. Log in to Oracle Directory Manager to view user information about vishal.parashar in OID. Go to Start > Programs > Oracle Application Server Infrastructure – oracleas > Integrated Management Tools > Oracle Directory Manager. Log in by using cn=orcladmin and Welcome1 (ensure the server is .us.oracle.com and the port is 13060).
2. Navigate to Entry Management > dc=com > dc=oracle > dc=us > cn=Users > uid=vishal.parashar. Scroll down on the right-hand side pane and observe that the title of vishal.parashar is Administrator.
3. From the OAM admin console window, click Policy Configuration > Application Domains > OAM11g_WebGate > Authentication Policies > Protected Resource Policy.
4. Click the Responses tab (you will create a session response in the authentication policy and use this session variable in the authorization policies).
5. Click the Add Record (+) icon. Enter the following values:
Name: OAM_SESSION
Type: Session
Value: User $user.attr.uid has title $user.attr.title
Click Apply.
6. Navigate to Application Domains > OAM11g_WebGate > Authorization Policies > Admin_Resource_Policy. Click the Edit (pencil) icon.
7. Click the Responses tab. Click the Add Record (+) icon. Enter the following values:
Name: OAM_HEADER_WITH_SESSION
Type: Header
Value: $session.attr.OAM_SESSION has policy $request.policy_name matched in domain $request.policy_appdomain from URL $request.res_url
Click Apply.
Note: $session.attr.OAM_SESSION—the session variable created in step 5—User vishal.parashar has title Administrator.
$request.policy_name—the policy for this response—Admin_Resource_Policy. $request.policy_appdomain—the domain for this policy/response—OAM11g_WebGate. $request.res_url—the resource URL—/mybank/testheaders.jsp
8. Refresh the testheaders.jsp page to check the headers (you may have to reauthenticate with vishal.parashar and Welcome1 if the session has timed out).
9. Observe OAM_HEADER_WITH_SESSION. If you are not getting a value for OAM_HEADER_WITH_SESSION, or you get a NOT_FOUND value, close all browsers gracefully. Launch a new Firefox browser window and enter http://.us.oracle.com:7778/mybank. Log in by using vishal.parashar and Welcome1. Then type http://<your_host>.us.oracle.com:7778/mybank/testheaders.jsp. Now observe the OAM_HEADER_WITH_SESSION value.
Practice 5-8: Managing Constraints
Overview
An authorization constraint is a rule that grants or denies access to a particular resource based on the context of the request for that resource. Authorization constraints define the obligations (requirements) that must be fulfilled before responding to a client's request. Evaluation of constraints determines whether the authorization policy applies to the incoming request. The appropriate obligations take effect after successful authentication. Administrators must define the constraints that apply to the resources assigned to the authorization policy.
In this practice, you create a couple of constraints and use them during the evaluation of mybank/testheaders.jsp.
Tasks
1. Log in to the OAM admin console—http://.us.oracle.com:7001/oamconsole—by using vishal.parashar and Welcome1.
2. Navigate to Policy Configuration > Application Domains > OAM11g_WebGate > Authorization Policies > Admin_Resource_Policy. Click the Edit icon. Click the Constraints tab. Click the Add (+) icon. Enter the following values:
Name: Admin_Check
Class: Identity
Type: Allow
Click Add Selected. Click Apply.
3. Click the row with the above details. Constraint details are shown in the bottom pane. Click the Add (+) icon in the Constraint Details section to select the oam_admin group. Ensure that Type is selected as Allow. Note: Type Allow is a radio button above the entry for the oam_admin group.
4. Click the Save button in the Constraint Details section. Click Apply in the top section.
Note: Close the current tab. Reopen the Admin_Resource_Policy (AuthZ policy). Make sure you can view the constraint. If you cannot, recreate the constraint. Add a dummy response in the Responses tab and click Apply. Close the tab. Reopen the AuthZ policy – Admin_Resource_Policy. Make sure you can view the constraint. Delete the dummy response. Click Apply.
5. Close all browser windows gracefully. Re-open a Firefox browser and enter http://.us.oracle.com:7778/mybank.
6. Log in as David.Goldsmith, who is not an administrator. You should be able to log in and view the main page.
7. Now type http://.us.oracle.com:7778/mybank/testheaders.jsp and press Enter. You should be denied access.
Practice 5-9: Deploy Bakery Application
Overview
In this practice, you deploy a bakery application on the OHS instance (ohs_webgate11g) and, in the subsequent labs, you try to protect this application by using the OAM 11g server.
Tasks
1. Copy and paste the example folder from d:\labs\lesson05 to d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\htdocs.
2. Close all browsers. Open a new browser and enter http://.us.oracle.com:7778/example. You should be redirected to a single sign-on login page. Enter the credentials vishal.parashar and Welcome1 and click Login. You should see the welcome-index.html page of the bakery application.
Note: The reason you are seeing the login page is that you have an OAM 11g WebGate deployed on the ohs_webgate11g instance, with the application domain and protected resource policy already created. Explore the application domain—OAM11g_WebGate—and make sure you understand the above point.
Note: In the next practice, you change this behavior so that the main bakery home page is unprotected.
3. Explore the application by clicking the Products, On-line Store, Baker’s Corner and About links.
4. Right now, anyone can click the Employee link without being challenged for credentials, so nothing ensures that only employees can get to the page behind the link (employeeHome.html). In the subsequent practices, you protect the employeeHome.html page. The Employee link should be accessible to employees only. When you click the Employee link, it should challenge you for credentials and grant you access only if you are an employee.
5. Finally, the HR, Finance, and Engineering department sites should be accessible to employees in HR, Finance, and Engineering respectively. In the subsequent practices, you make sure that an employee in, say, HR cannot access the Engineering department site.
Practice 5-10: Unprotect Bakery Application
Overview
In this practice, you unprotect the bakery application so that any user can view the various pages, including welcome-index.html (the launch page).
Tasks
1. Log in to the OAM admin console by using vishal.parashar and Welcome1. Navigate to Policy Configuration > Application Domains > OAM11g_WebGate > Resources.
2. Click the Create icon to create two resources, one after the other.
a. Type: Http
b. Description: Bakery app launch page
c. Host Identifier: OAM11gHostId
d. Resource URL: /example
Click Apply.
e. Type: Http
f. Description: Bakery app
g. Host Identifier: OAM11gHostId
h. Resource URL: /example/…/*
Click Apply.
3. Navigate to Application Domains > OAM11g_WebGate > Authentication Policies > Public Resource Policy. Click the Edit icon. On the Resources tab, click the Create (+) icon to add the two resources created above (select OAM11gHostId:/example and OAM11gHostId:/example/…/* from the drop-down menu) so that they are protected by the Anonymous Scheme (public access). Click Apply when done.
4. Close all browsers. Open a new browser and enter http://.us.oracle.com:7778/example or http://.us.oracle.com:7778/example/welcome-index.html. You should see the bakery main page (without being challenged for credentials).
5. However, note that this opens up all the doors within the bakery application, including the Employee login link. Click the Employees link and you should be able to see the employeeHome.html page without being challenged to log in as an employee; that is, all the pages of the Example Bakery application become accessible to the public. This of course needs to be corrected, which you set up in the next practice.
Practice 5-11: Protect Employee Home Page Within Bakery Application
Overview
In this practice, you make sure that only employees—in this case, only users in OID—can log in to employee pages. All anonymous users must be challenged to authenticate themselves, and only employees should be able to access those internal pages.
Tasks
1. Log in to the OAM admin console by using vishal.parashar and Welcome1. Navigate to Application Domains > OAM11g_WebGate > Resources. Click the Create icon to create a new resource as shown below:
a. Type: http
b. Description: Employee Home page
c. Host Identifier: OAM11gHostId
d. Resource URL: /example/internal/…/*
Click Apply.
2. Navigate to Application Domains > OAM11g_WebGate > Authentication Policies > Protected Resource Policy. Click the Edit icon. On the Resources tab, click the Add (+) icon. From the drop-down list, select OAM11gHostId:/example/internal/…/*. Click Apply.
3. Click the Responses tab. Click the Add icon and provide the following details:
Name: AuthN_Cookie
Type: Cookie
Value: $user.attr.uid has been successfully authenticated as an employee. This is the AuthN response.
Click Apply.
4. Remove all the cookies. Open LiveHTTPHeader by using Tools > LiveHTTPHeader and minimize the window. Enter http://.us.oracle.com:7778/example. You should see the unprotected main page of the Example Bakery application. Now, click the Employees link. You should get challenged for SSO credentials. Enter Vishal.Parashar and Welcome1. You should now see the employeeHome.html page; that is, the employee’s home page. Vishal Parashar is an authenticated employee in OID.
5. From the browser’s menu options, navigate to Tools > Options > Privacy > Show Cookies. Expand the Site node and notice the AuthN_Cookie cookie. Click the cookie name to see the value in the bottom pane. (You can also view the cookie and its value by using LiveHTTPHeader.)
Practice 5-12: Protect Department Sites with Authorization Rules
Overview
In this practice, you create authorization rules such that department employees can only access their own department home page and not the HR or Finance home pages; similarly, HR and Finance employees can only access their respective department home pages.
Tasks
1. Log in to the OAM admin console with vishal.parashar and Welcome1. On the Policy Configuration tab, navigate to Application Domains > OAM11g_WebGate > Resources. Click the Create icon to create a new resource as shown below:
a. Type: http
b. Description: HR page
c. Host Identifier: OAM11gHostId
d. Resource URL: /example/internal/hr
Click Apply.
2. Navigate to Application Domains > OAM11g_WebGate > Resources > OAM11gHostId: /example/internal/hr. Click the Duplicate icon from the toolbar and change the Resource URL from copy of /example/internal/hr to /example/internal/hr/…/*. Click Apply.
3. Click the Duplicate icon from the toolbar and change the Resource URL from copy of /example/internal/hr to /example/internal/finance. Change the Description from HR page to Finance page. Click Apply.
4. Click the Duplicate icon from the toolbar and change the Resource URL from copy of /example/internal/hr to /example/internal/finance/…/*. Change the Description from HR page to Finance page. Click Apply.
5. Click the Duplicate icon from the toolbar and change the Resource URL from copy of /example/internal/hr to /example/internal/eng. Change the Description from HR page to Engineering page. Click Apply.
6. Click the Duplicate icon from the toolbar and change the Resource URL from copy of /example/internal/hr to /example/internal/eng/…/*. Change the Description from HR page to Engineering page. Click Apply.
7. Navigate to Application Domains > OAM11g_WebGate > Authorization Policies. Click the Create icon to create a new authorization policy as shown below:
a. Name: ExampleBakery_HR
b. Description: Policy to protect only HR Employees from viewing HR department page
c. Resources tab: Resource URLs: OAM11gHostId:/example/internal/hr, OAM11gHostId:/example/internal/hr/…/*
Click Apply. Close the confirmation message by clicking the Hide (x) icon to the right.
Click the Constraints tab and fill in the information as shown below:
a. Name: HR_Employees_Only
b. Class: Identity
c. Type: Allow
Click Add Selected. Click the HR_Employees_Only constraint line. Click the Collapse Pane icon at the top-right corner of the Constraint Details pane and fill in the constraint details as shown below:
a. Selected Users and Groups: Name HR, Type Group
b. Type: Allow
Click Add Selected. Click Save followed by the Apply button.
Click the Responses tab and fill in the information as shown below:
a. Name: AuthZ_Cookie
b. Type: Cookie
c. Value: $user.attr.uid has been successfully authorized to view this page as member of HR department. This is the AuthZ response.
Click Apply.
8. Navigate to Application Domains > OAM11g_WebGate > Authorization Policies. Click the Create icon to create a new authorization policy as shown below:
a. Name: ExampleBakery_Finance
b. Description: Policy to protect only Finance Employees from viewing Finance department page
c. Resources tab: Resource URLs: OAM11gHostId:/example/internal/finance, OAM11gHostId:/example/internal/finance/…/*
Click Apply. Close the confirmation message by clicking the Hide (x) icon to the right.
Click the Constraints tab and fill in the information as shown below:
a. Name: Finance_Employees_Only
b. Class: Identity
c. Type: Allow
Click Add Selected. Click Apply. Click the Finance_Employees_Only constraint line. Click the Collapse Pane icon and fill in the constraint details as shown below:
a. Selected Users and Groups: Name Finance, Type Group
b. Type: Allow
Click Save followed by the Apply button.
Click the Responses tab and fill in the information as shown below:
a. Name: AuthZ_Cookie
b. Type: Cookie
c. Value: $user.attr.uid has been successfully authorized to view this page as member of Finance department. This is the AuthZ response.
Click Apply.
9. Navigate to Application Domains > OAM11g_WebGate > Authorization Policies. Click the Create icon to create a new authorization policy as shown below:
a. Name: ExampleBakery_Engineering
b. Description: Policy to protect only Engineering Employees from viewing Engineering department page
c. Resources tab: Resource URLs: OAM11gHostId:/example/internal/eng, OAM11gHostId:/example/internal/eng/…/*
Click Apply. Close the confirmation message by clicking the Hide (x) icon to the right.
Click the Constraints tab and fill in the information as shown below:
a. Name: Engineering_Employees_Only
b. Class: Identity
c. Type: Allow
Click Add Selected. Click the Engineering_Employees_Only constraint line. Click the Collapse Pane icon and fill in the constraint details as shown below:
a. Selected Users and Groups: Name Engineering, Type Group
b. Type: Allow
Click Save followed by the Apply button.
Click the Responses tab and fill in the information as shown below:
a. Name: AuthZ_Cookie
b. Type: Cookie
c. Value: $user.attr.uid has been successfully authorized to view this page as member of Engineering department. This is the AuthZ response.
Click Apply.
10. Remove all cookies from the browser. Enter http://.us.oracle.com:7778/example. You should see the unprotected main page of the Example Bakery application. Now, click the Employee Login link. You should get challenged for SSO credentials. Log in by using mina.rather and Welcome1 (Mina is a member of the HR department). You should see the Example Bakery Employee portal page (employeeHome.html). Now click the Human Resource department site link and you should be able to view the HR department home page. Navigate to the browser’s menu option Tools > Options > Privacy > Show Cookies to view the AuthZ_Cookie cookie value. Click Close followed by OK.
11. Go back to the employee portal page by using the Back browser button and click the Finance department site. You should see the OAM Operation Error page, which states that you are not authorized to view the page. Retry Steps 10 and 11 by using Finance (lori.lenox) and Engineering (vishal.parashar) employees to make sure employees can only view their own respective department home pages.
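The authorization decisions exercised in practice 5-8 (Admin_Check on the oam_admin group) and in this practice (one Identity constraint per department) can be modelled in a few lines. The following Python is an added example, not OAM's own code or evaluation logic: it matches a requested URL to the most specific resource pattern, picks the owning authorization policy, and applies that policy's Identity constraints. The /…/* pattern syntax and the policy, constraint, group and user names are taken from the practice text; the longest-pattern-wins selection, the rule that an explicit Deny entry overrides Allow, and the users' group memberships are assumptions made for this example.

```python
"""Illustrative evaluation of OAM 11g Identity constraints (added example).

Models the policies built in practices 5-8 and 5-12.  Assumptions made here
and not stated by the practice: the most specific (longest) matching resource
pattern selects the policy, a Deny constraint overrides any Allow, and the
group memberships in USER_GROUPS are constructed for the demonstration.
"""
from dataclasses import dataclass, field

WILDCARD = "/…/*"  # OAM resource suffix meaning "this path and everything below it"


@dataclass
class Constraint:
    name: str
    ctype: str                      # "Allow" or "Deny"
    groups: set = field(default_factory=set)
    users: set = field(default_factory=set)

    def matches(self, uid, user_groups):
        """True when the user, or one of the user's groups, is listed."""
        return uid in self.users or bool(self.groups & user_groups)


@dataclass
class AuthzPolicy:
    name: str
    resources: list                 # URL patterns, e.g. "/example/internal/hr/…/*"
    constraints: list = field(default_factory=list)


def pattern_matches(pattern, url):
    """Exact match, or prefix match for patterns ending in /…/*."""
    if pattern.endswith(WILDCARD):
        base = pattern[: -len(WILDCARD)]
        return url == base or url.startswith(base + "/")
    return url == pattern


def select_policy(policies, url):
    """Return the policy owning the most specific matching resource, or None."""
    best, best_len = None, -1
    for policy in policies:
        for pattern in policy.resources:
            if pattern_matches(pattern, url) and len(pattern) > best_len:
                best, best_len = policy, len(pattern)
    return best


def authorize(policies, url, uid, user_groups):
    """Decide access to url for uid; returns (allowed, reason)."""
    policy = select_policy(policies, url)
    if policy is None:
        return False, "no authorization policy covers the resource"
    allows = [c for c in policy.constraints if c.ctype == "Allow"]
    denies = [c for c in policy.constraints if c.ctype == "Deny"]
    for c in denies:                # assumption: an explicit Deny wins
        if c.matches(uid, user_groups):
            return False, f"{policy.name}: denied by {c.name}"
    if not allows:                  # no constraints: everyone the policy covers is allowed
        return True, f"{policy.name}: no constraints"
    for c in allows:
        if c.matches(uid, user_groups):
            return True, f"{policy.name}: allowed by {c.name}"
    return False, f"{policy.name}: no Allow constraint matched"


# Policies as built in practice 5-12 (department sites) and 5-8 (admin page).
POLICIES = [
    AuthzPolicy("ExampleBakery_HR",
                ["/example/internal/hr", "/example/internal/hr" + WILDCARD],
                [Constraint("HR_Employees_Only", "Allow", groups={"HR"})]),
    AuthzPolicy("ExampleBakery_Finance",
                ["/example/internal/finance", "/example/internal/finance" + WILDCARD],
                [Constraint("Finance_Employees_Only", "Allow", groups={"Finance"})]),
    AuthzPolicy("ExampleBakery_Engineering",
                ["/example/internal/eng", "/example/internal/eng" + WILDCARD],
                [Constraint("Engineering_Employees_Only", "Allow", groups={"Engineering"})]),
    AuthzPolicy("Admin_Resource_Policy",
                ["/mybank/testheaders.jsp"],
                [Constraint("Admin_Check", "Allow", groups={"oam_admin"})]),
]

# Constructed group memberships consistent with steps 10 and 11 of practice 5-12
# and with practice 5-8 (David.Goldsmith is not an administrator).
USER_GROUPS = {
    "mina.rather": {"HR"},
    "lori.lenox": {"Finance"},
    "vishal.parashar": {"Engineering", "oam_admin"},
    "david.goldsmith": set(),
}


def check(url, uid):
    """Convenience wrapper over authorize() using the lab policies and users."""
    return authorize(POLICIES, url, uid, USER_GROUPS.get(uid, set()))


if __name__ == "__main__":
    for url, uid in [("/example/internal/hr", "mina.rather"),
                     ("/example/internal/finance", "mina.rather"),
                     ("/example/internal/eng/index.html", "vishal.parashar"),
                     ("/mybank/testheaders.jsp", "david.goldsmith")]:
        print(url, uid, check(url, uid))
```

Running the block reproduces the expected lab outcomes: the HR user reaches the HR page and is refused the Finance page, and a non-administrator is refused /mybank/testheaders.jsp. The prefix test in pattern_matches requires a "/" after the base path, so /example/internal/hr/…/* does not accidentally cover a sibling such as /example/internal/hrx.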
Practice 5-13: Demo CGI Scripts to View Responses in Application
Overview
In this practice, you use CGI applications or scripts to learn how to generate responses of various kinds, from very simple to more complex, in your applications.
Tasks
1. Create the following three new resources under Application Domains > OAM11g_WebGate > Resources:
Type: http
Description: This resource is for basic responses demo
Host Identifier: OAM11gHostId
Resource URL: /cgi-bin/protected1
Click Apply. Use the Duplicate icon to create the next two resources. Navigate to OAM11g_WebGate > Resources > /cgi-bin/protected1. Click the Duplicate icon.
Type: http
Description: This resource is for simple responses demo
Host Identifier: OAM11gHostId
Resource URL: /cgi-bin/protected2
Click Apply. Click the Duplicate icon.
Type: http
Description: This resource is for advanced responses demo
Host Identifier: OAM11gHostId
Resource URL: /cgi-bin/protected3
Click Apply.
2. Create three new authorization policies (under Application Domains > OAM11g_WebGate > Authorization Policies) to allow access to the resources created above, and set the following responses in each policy. Note: For the rest of the fields, take the default values.
Name: AuthZ_Protected1_App
Description: literal string as response
Resources: OAM11gHostId: /cgi-bin/protected1
Responses tab:
Name: OAM_RESP_LITERALC
Type: Cookie
Value: Responses demo cookie
Name: OAM_RESP_LITERALH
Type: Header
Value: Responses demo header
Click Apply.
Name: AuthZ_Protected2_App
Description: response value with a variable
Resources: OAM11gHostId: /cgi-bin/protected2
Responses tab:
Name: OAM_RESP_HSIMPLE
Type: Header
Value: User $user.attr.uid came from $request.client_ip using $request.agent_id
Name: response_test
Type: Session
Value: User info for later: mail ${user.attr.mail}, created at ${user.attr.createtimestamp}
Click Apply.
Name: AuthZ_Protected3_App
Description: response value with literals and variables
Resources: OAM11gHostId: /cgi-bin/protected3
Responses tab:
Name: OAM_RESP_HADVANCED1
Type: Header
Value: Policy matched for requested URL [${request.res_url}]: $request.policy_name using [${request.policy_res}], in domain [${request.policy_appdomain}]
Name: OAM_RESP_HADVANCED2
Type: Header
Value: Read out user info from session attr response_test : $session.attr.response_test
Click Apply.
3. Copy the CGI Perl scripts and accompanying CSS/JS from D:\labs\lesson05\oamresponse-demo to the following location in the OHS instance: d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\cgi-bin.
4. Remove all browser cookies. Access each CGI in turn (you will need to log in with Vishal.Parashar and Welcome1 before seeing the first one: http://.us.oracle.com:7778/cgi-bin/protected1) and examine the results.
Note: The header variables are visible instantly, but the cookie is visible only on the second access of the resource. This is because, the first time you access the application, the WebGate asks the browser to set the cookie while the response is coming back from the application, so the browser only sends it with subsequent requests.
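To see how the response templates used in practices 5-6, 5-7 and 5-13 are filled in, here is an added Python example (not OAM's own implementation). It expands $user.attr.<name>, $request.<name> and $session.attr.<name> references, in both the bare and the braced ${...} forms shown above, from a user/request/session context, and it shows why the two-stage setup of practice 5-7 works: a Session response written while the authentication policy's responses are evaluated is readable as $session.attr.OAM_SESSION when the authorization policy's responses are evaluated later. The attribute values, the client IP address and the NOT_FOUND rendering of an unresolvable reference are constructed for this example.

```python
"""Illustrative expansion of OAM 11g policy-response templates (added example).

Not OAM's own code.  The variable syntax ($ns.attr.name, $request.name and the
braced ${...} form) is taken from the practice text; the contexts below and the
NOT_FOUND convention for an unresolved reference are constructed for the demo.
"""
import re

# Braced form ${path} or bare form $path, where path is dot-separated identifiers.
# Each segment must start with a letter, so a sentence-ending "." is not consumed.
_VAR = re.compile(r"\$\{([^}]+)\}|\$([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)")

NOT_FOUND = "NOT_FOUND"  # example convention for a variable that cannot be resolved


def resolve(path, ctx):
    """Look up one variable path in the context; None if it does not resolve."""
    parts = path.split(".")
    ns = parts[0]
    if ns in ("user", "session") and len(parts) >= 3 and parts[1] == "attr":
        return ctx.get(ns, {}).get(".".join(parts[2:]))
    if ns == "request" and len(parts) == 2:
        return ctx.get("request", {}).get(parts[1])
    return None


def expand(template, ctx):
    """Replace every $-reference in template with its resolved value."""
    def sub(m):
        path = m.group(1) or m.group(2)
        value = resolve(path, ctx)
        return NOT_FOUND if value is None else str(value)
    return _VAR.sub(sub, template)


def apply_responses(responses, ctx):
    """Evaluate one policy's responses in order.

    responses: list of (name, type, value-template) with type Header, Cookie
    or Session.  Session responses are written into ctx["session"] so that
    later policies (and later responses) can read them; Header and Cookie
    responses are returned grouped by type, as the WebGate hands them on.
    """
    out = {"Header": {}, "Cookie": {}}
    ctx.setdefault("session", {})
    for name, rtype, template in responses:
        value = expand(template, ctx)
        if rtype == "Session":
            ctx["session"][name] = value
        else:
            out[rtype][name] = value
    return out


def demo():
    # Constructed context mirroring the lab: user attributes from OID and the
    # request metadata the WebGate/server would supply.
    ctx = {
        "user": {"uid": "vishal.parashar", "title": "Administrator",
                 "mail": "vishal.parashar@example.com",   # constructed
                 "createtimestamp": "20110701120000Z"},    # constructed
        "request": {"client_ip": "192.0.2.10",            # constructed
                    "agent_id": "OAM11g_WebGate",
                    "policy_name": "Admin_Resource_Policy",
                    "policy_appdomain": "OAM11g_WebGate",
                    "res_url": "/mybank/testheaders.jsp"},
    }
    # Practice 5-7: the authentication policy writes a session variable ...
    authn = [("OAM_SESSION", "Session", "User $user.attr.uid has title $user.attr.title")]
    apply_responses(authn, ctx)
    # ... and the authorization policy reads it back into a header.
    authz = [("OAM_HEADER_WITH_SESSION", "Header",
              "$session.attr.OAM_SESSION has policy $request.policy_name matched "
              "in domain $request.policy_appdomain from URL $request.res_url"),
             # Practice 5-13 forms: bare and braced references mixed with literals.
             ("OAM_RESP_HSIMPLE", "Header",
              "User $user.attr.uid came from $request.client_ip using $request.agent_id"),
             ("response_test", "Session",
              "User info for later: mail ${user.attr.mail}, created at ${user.attr.createtimestamp}"),
             ("OAM_RESP_HADVANCED2", "Header",
              "Read out user info from session attr response_test : $session.attr.response_test"),
             # A reference the session does not hold renders as NOT_FOUND.
             ("MISSING", "Header", "value: $session.attr.nosuchvar")]
    return apply_responses(authz, ctx)


if __name__ == "__main__":
    for name, value in demo()["Header"].items():
        print(f"{name}: {value}")
```

The order of evaluation is the point to notice: if the session response had been defined in the authorization policy after the header that reads it, or never defined at all, the header would carry NOT_FOUND, which is the symptom practice 5-7 describes when the session has been lost and you are told to restart the browser and log in again.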
Practice 5-14: Workaround/Patch for HA Lab
Overview
In this practice, you make the favorites icon (favicon.ico) a public resource. This is just a workaround for the HA lab; the behavior has been identified as a potential bug, which will be addressed in the patch release for the product.
Tasks
1. Launch the admin console. Navigate to Policy Configuration > Application Domains > OAM11g_WebGate > Resources. Add a resource /favicon.ico. Click Apply.
2. Navigate to Policy Configuration > Application Domains > OAM11g_WebGate > Authentication Policy > Public Resource Policy. Edit the Public Resource Policy and add the /favicon.ico resource. Click Apply.
Practices for Lesson 6 Chapter 6
Practices for Lesson 6
Practices Overview
In these practices, you customize the login page, demonstrate single sign-on and single logout, and manage Oracle Access Manager sessions.
First, you customize the login page. Example Bakery wants its employees to use a login page that has branding similar to the rest of the Example Bakery site instead of the login page provided by Oracle Access Manager. You configure Oracle Access Manager to use a customized login page to collect credentials.
Next, you demonstrate single sign-on and single logout. The demonstration shows how a user can access resources that are protected by the mod_osso filter, an Oracle Access Manager 10g WebGate, and an Oracle Access Manager 11g WebGate while authenticating only once. In order to perform this demonstration, you first need to deploy the sample Web site to the Oracle HTTP Server instances on which the mod_osso filter and the 10g WebGate are installed. Then, you define policies so that the internal-access parts of the sites protected by the mod_osso filter and the 10g WebGate are restricted. Then you demonstrate single sign-on and single logout, by using the Live HTTP Headers add-on to examine the cookies being set on the browser.
Next, you perform typical session management tasks. You use the Session Management page in the Oracle Access Manager console to terminate a user session, and you configure the Oracle Access Manager server to constrain the number of concurrent sessions that a user is allowed to have.
Practice 6-1: Customizing the Login Page
Overview
In this practice, you configure Oracle Access Manager to use a custom-branded login page for the Example Bakery Web site.
Assumptions
• You completed practices 3 through 6 successfully.
• You perform this practice on your Windows lab system.
Tasks
1. Verify that when you access the Example Bakery Web site on the OHS instance protected by the 11g WebGate, Oracle Access Manager uses its standard login page:
a. If it is not already running, start the Firefox browser. Use the Firefox browser—not Internet Explorer—for this set of practices unless explicitly directed.
b. Enter the following URL to navigate to the Example Bakery home page: http://your_host.us.oracle.com:7778/example.
c. Click Employees. The standard Oracle Access Manager login page appears.
d. Log in as user Vishal.Parashar with password Welcome1. The Example Bakery Employee portal page appears.
2. Log in to the Oracle Access Manager console as user Vishal.Parashar. The password is Welcome1.
3. Create the ExampleLDAPScheme authentication scheme. This authentication scheme has the same configuration as the LDAPScheme authentication scheme. You will use the ExampleLDAPScheme authentication scheme to protect the Example Bakery Web site. Creating a separate authentication scheme reduces the risk of misconfiguring the LDAPScheme authentication scheme and creating a situation where you cannot log in to the Oracle Access Manager console, which is protected by the LDAPScheme authentication scheme.
a. In the Policy Configuration tab, navigate to Shared Components > Authentication Schemes.
b. Select LDAPScheme and click Duplicate. A new authentication scheme named copy of LDAPScheme appears in the right window pane.
c. Rename the new authentication scheme to ExampleLDAPScheme.
d. Click Apply. The ExampleLDAPScheme authentication scheme appears in the left window pane, in the list of authentication schemes.
4. Change the authentication scheme protecting the Example Bakery Web site from the LDAPScheme authentication scheme to the ExampleLDAPScheme authentication scheme:
a. In the Policy Configuration tab, navigate to Application Domains > OAM11g_WebGate > Authentication Policies > Protected Resource Policy and click Edit.
b. In the right window pane, change the authentication scheme from the LDAPScheme authentication scheme to the ExampleLDAPScheme authentication scheme.
c. Click the Responses tab before you click Apply (Bug 10074740).
d. Click Apply.
5. Verify that when you access the Example Bakery Web site on the OHS instance protected by the 11g WebGate, Oracle Access Manager still uses its standard login page. The Web site is protected by the ExampleLDAPScheme authentication scheme, but that authentication scheme has not yet been customized to use a customized login page.
a. Clear cookies and cache, close your browser, and restart the browser. Note: These practices require you to clear your browser’s cookies and cache and restart the browser frequently. To clear the cookies and cache, you can select Tools > Clear Recent History in Firefox, click Details, select the Cookies and Cache check boxes, then click Clear Now. The check box settings are persistent, so when subsequent tasks require you to clear cookies and cache, you can simply select Tools > Clear Recent History in Firefox, then click Clear Now. To close the browser, always use File > Exit. Do not use the close box.
b. Enter the following URL to navigate to the Example Bakery home page: http://your_host.us.oracle.com:7778/example.
c. Click Employees. The standard Oracle Access Manager SSO login page appears.
6. Review the exploded WAR file that contains the customized login page:
a. Using Notepad, open the d:\labs\lesson06\login\examplelogin.jsp file.
b. Observe the following code in the file:
• The form statement that submits back to the required end point—/oam/server/auth_cred_submit—on the Oracle Access Manager server. To locate this statement, search for the string, form.
• The Java and HTML code that retrieves the request ID from the HTTP header and stores the request ID in a hidden field, so that it is returned to the Oracle Access Manager server as required. To locate this code, search for the string, GetParameter. Review this line of Java code, and the HTML input statement that follows.
7. Deploy the exploded WAR file that contains the customized login page to the WebLogic server running the Oracle Access Manager server:
a. Navigate to the following URL to start the WebLogic console: http://your_host.us.oracle.com:7001/console. Log in as the weblogic user. The password is Welcome1.
b. Click Lock and Edit in the Change Center pane.
c. Select oam_domain > Deployments from the Domain Structure pane. The Summary of Deployments page appears on the right side of the console window.
d. Click Install. The Locate Deployment to Install and Prepare for Deployment form appears.
e. Specify the value d:\labs\lesson06\login in the Path field. Click Next. The Choose Targeting Style form appears.
f. Select Install this Deployment as an Application and click Next. The Select Deployment Targets form appears. Select the oam_server1 target. Click Next.
g. The Optional Settings form appears. Click Finish.
h. The Summary of Deployments page reappears. Click Next under the Deployments table. The login application should appear in the list with the Distribute Initializing status.
i. Click Activate Changes in the Change Center pane. The login application’s status changes to Prepared.
j. Select the check box next to the login application. Click Start > Servicing All Requests, then click Yes. The Summary of Deployments page reappears. Click Next under the Deployments table to view the status of the login application. The status should be Active.
8. Specify the custom-branded login page for the ExampleLDAPScheme authentication scheme:
a. Log in to the Oracle Access Manager console as user Vishal.Parashar. The password is Welcome1.
b. In the Policy Configuration tab, navigate to Shared Components > Authentication Schemes.
c. Select the ExampleLDAPScheme authentication scheme and click Edit. Configuration details for the ExampleLDAPScheme authentication scheme appear in the right window pane.
d. Change the following values for the ExampleLDAPScheme authentication scheme:
Challenge URL: /examplelogin.jsp
Context Type: customWAR
Context Value: /login
e. Click Apply.
10. Verify that when you access the Example Bakery Web site on the OHS instance protected by the 11g WebGate, Oracle Access Manager now uses the Example Bakery custom-branded login page:
a. Clear cookies and cache, close your browser, and restart the browser.
b. Enter the following URL to navigate to the Example Bakery home page: http://your_host.us.oracle.com:7778/example.
c. Click Employees. The Example Bakery login page appears. This is the custom login page you specified.
d. Log in as user Vishal.Parashar with password Welcome1. The Example Bakery Employee portal page appears.
Practice 6-2: Deploying and Protecting the Example Bakery Web Site on the Two Other OHS Instances

Overview
In your current deployment, the Example Bakery Web site is deployed on the OHS instance running on port 7778, which is protected by an Oracle Access Manager 11g WebGate. In this practice, you deploy the same Web site to the other two OHS instances:
• The OHS instance running on port 7779, which is protected by an Oracle Access Manager 10g WebGate
• The OHS instance running on port 7780, which is protected by the mod_osso filter
After you install the Example Bakery Web site on these two servers, you protect the employee pages on the sites by configuring appropriate policy in Oracle Access Manager. In subsequent practices, you will demonstrate single sign-on by authenticating at one of the three Web sites, then accessing the other two Web sites without having to authenticate again.

Assumptions
• You completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Deploy the Example Bakery Web site to the OHS instances running on ports 7779 and 7780:
a. Copy the D:\Labs\Lesson05\example folder to the D:\Middleware\ohs_home\instances\ohs_webgate10g\config\OHS\ohs1\htdocs folder.
b. Verify that you can view the Example Bakery Web site running on the OHS instance running on port 7779 by navigating to the URL http://your_host.us.oracle.com:7779/example. Notice that you will have to log in (with Vishal.Parashar and Welcome1) on the SSO login page because you have not unprotected the Example Bakery launch page under the oam10g_webgate or OSSO10g_agent application domains.
c. Copy the D:\Labs\Lesson05\example folder to the D:\Middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\htdocs folder.
d. Verify that you can view the Example Bakery Web site running on the OHS instance running on port 7780 by navigating to the URL http://your_host.us.oracle.com:7780/example.
2. Define resources required to protect the Example Bakery Web site running on the OHS instance running on port 7779:
a. Log in to the Oracle Access Manager console as user Vishal.Parashar with password Welcome1.
e. Navigate to Policy Configuration > Application Domains > oam10g_webgate > Resources.
f. Click the Create icon to create the OAM10gHostId:/example resource. The Resource page appears. Fill in values in the Resources page as follows:
Screen/Page Description    Choices or Values
Type                       HTTP
Description                Bakery Web site launch page
Host Identifier            OAM10gHostId
Resource URL               /example
g. Click Apply.
h. Click the Create icon again to create the OAM10gHostId:/example/.../* resource. Fill in values in the Resources page as follows:
Screen/Page Description    Choices or Values
Type                       HTTP
Description                Bakery Web site
Host Identifier            OAM10gHostId
Resource URL               /example/.../*
i. Click Apply.
j. Click the Create icon to create the OAM10gHostId:/internal resource. The Resource page appears. Fill in values in the Resources page as follows:
Screen/Page Description    Choices or Values
Type                       HTTP
Description                Bakery Web site employee-only pages
Host Identifier            OAM10gHostId
Resource URL               /example/internal
k. Click Apply.
l. Click the Create icon again to create the OAM10gHostId:/internal/.../* resource. Fill in values in the Resources page as follows:
Screen/Page Description    Choices or Values
Type                       HTTP
Description                Bakery Web site employee-only pages
Host Identifier            OAM10gHostId
Resource URL               /example/internal/.../*
m. Click Apply.
3. Configure Oracle Access Manager to provide public access to the public portions of the Web site deployed to the OHS instance running on port 7779. The public portion of the Web site comprises all of the Web site except for the employee portal and department pages.
a. Navigate to Application Domains > oam10g_webgate > Authentication Policies > Public Resource Policy.
b. Click the Edit icon. The Authentication Policy page appears on the right side of the console.
c. In the Resources tab, click the Add icon. A blank line appears in the Resources list. Select the OAM10gHostId:/example resource from the drop-down list.
d. In the Resources tab, click the Add icon again. A blank line appears in the Resources list. Select the OAM10gHostId:/example/.../* resource from the drop-down list.
e. Click Apply.
4. Configure Oracle Access Manager to protect the private portions of the Web site deployed to the OHS instance running on port 7779. The private portion of the Web site comprises the employee portal and department pages, which are located in the site’s internal directory.
a. Navigate to Application Domains > oam10g_webgate > Authentication Policies > Protected Resource Policy.
b. Click the Edit icon. The Authentication Policy page appears on the right side of the console.
c. In the Resources tab, click the Add icon. A blank line appears in the Resources list. Select the OAM10gHostId:/example/internal resource from the drop-down list.
d. In the Resources tab, click the Add icon again. A blank line appears in the Resources list. Select the OAM10gHostId:/example/internal/.../* resource from the drop-down list.
e. Select the ExampleLDAPScheme authentication scheme so that the site uses the Example Bakery custom-branded login page.
f. Click Apply.
5. Test the policy configuration:
a. Clear cookies and cache, close your browser, and restart the browser.
b. Navigate to the home page for the Example Bakery Web site, http://your_host.us.oracle.com:7779/example. You should be able to see the page without authenticating.
c. Click all the links except the Employees link. You should be able to access these links without authenticating.
d. Click the Employees link. The Example Bakery custom-branded login page should appear.
6. Define resources required to protect the Example Bakery Web site running on the OHS instance running on port 7780:
a. Log in to the Oracle Access Manager console as user Vishal.Parashar with password Welcome1.
b. Navigate to Policy Configuration > Application Domains > osso10g_agent > Resources.
c. Click the Create icon to create the OSSO10gHostId:/example/internal resource. The Resources page appears. Fill in values in the Resources page as follows:
Screen/Page Description    Choices or Values
Type                       HTTP
Description                Bakery Web site employee-only pages
Host Identifier            OSSO10gHostId
Resource URL               /example/internal
d. Click Apply.
e. Click the Create icon again to create the OSSO10gHostId:/example/internal/.../* resource. Fill in values in the Resources page as follows:
Screen/Page Description    Choices or Values
Type                       HTTP
Description                Bakery Web site employee-only pages
Host Identifier            OSSO10gHostId
Resource URL               /example/internal/.../*
f. Click Apply.
Note: Because the mod_osso filter forwards only requests for protected resources, there is no need to create policies for public resources.
7. Configure the mod_osso.conf file to filter requests for protected resources on the Example Bakery site:
a. Open the D:\Middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\moduleconf\mod_osso.conf file.
b. Locate the following lines in the mod_osso.conf file:
    require valid-user
    AuthType Osso
c. Change the text, to .
Note: This change ensures that the mod_osso filter passes URLs starting with the string /example/internal to the single sign-on provider.
d. Save the file and restart the ohs_osso10g instance by using opmnctl.
8. Configure Oracle Access Manager to protect the private portions of the Web site deployed to the OHS instance running on port 7780. The private portion of the Web site comprises the employee portal and department pages, which are located in the site’s internal directory.
a. Navigate to Application Domains > OSSO10g_agent > Authentication Policies > Protected Resource Policy.
b. Click the Edit icon. The Authentication Policy page appears on the right side of the console.
c. In the Resources tab, click the Add icon. A blank line appears in the Resources list. Select the OSSO10gHostId:/example/internal resource from the drop-down list.
d. In the Resources tab, click the Add icon again. A blank line appears in the Resources list. Select the OSSO10gHostId:/example/internal/.../* resource from the drop-down list.
e. Select the ExampleLDAPScheme authentication scheme so that the site uses the Example Bakery custom-branded login page.
f. Click Apply.
9. Test the policy configuration:
a. Clear cookies and cache, close your browser, and restart the browser.
b. Navigate to the home page for the Example Bakery Web site, http://your_host.us.oracle.com:7780/example. You should be able to see the page without authenticating.
c. Click all the links except the Employees link. You should be able to access these links without authenticating.
d. Click the Employees link. The Example Bakery custom-branded login page should appear.
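The resource patterns and policies defined in this practice, as an added example that is not part of the course materials: a small Python model that decides which authentication policy a requested path lands on for each host identifier and flags employee-area paths that would not be protected. The matching rules (that /.../* covers everything below the named directory, that the most specific match wins, and that the path is normalized before matching) are my assumptions about how the patterns behave, not statements from the page, and the normalization step goes a little beyond what the practice itself covers.

```python
"""Added example, not from the course materials: a model of how the resources
defined in this practice map a requested path to an authentication policy.
Assumed (my reading, not stated on the page): "/.../*" matches everything below
the named directory, and when several resources match, the one with the
longest literal prefix decides the policy."""
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUBTREE = "/.../*"


@dataclass(frozen=True)
class Resource:
    """One row of a Resources table plus the policy it was added to."""
    host_id: str
    url: str
    policy: str

    @property
    def is_subtree(self) -> bool:
        return self.url.endswith(SUBTREE)

    @property
    def prefix(self) -> str:
        # "/example/internal/.../*" -> "/example/internal"; exact patterns are their own prefix
        return self.url[:-len(SUBTREE)] if self.is_subtree else self.url

    def matches(self, path: str) -> bool:
        if self.is_subtree:
            return path.startswith(self.prefix + "/") and len(path) > len(self.prefix) + 1
        return path == self.url


PUBLIC, PROTECTED = "Public Resource Policy", "Protected Resource Policy"

# The resources created in tasks 2 to 8 above, with the policy each was added to.
RESOURCES = [
    Resource("OAM10gHostId", "/example", PUBLIC),
    Resource("OAM10gHostId", "/example/.../*", PUBLIC),
    Resource("OAM10gHostId", "/example/internal", PROTECTED),
    Resource("OAM10gHostId", "/example/internal/.../*", PROTECTED),
    Resource("OSSO10gHostId", "/example/internal", PROTECTED),
    Resource("OSSO10gHostId", "/example/internal/.../*", PROTECTED),
]


def normalize(path: str) -> str:
    """Drop the query string and collapse '.', '..' and repeated slashes, as the
    web server will before it serves a file, so the decision and the served file agree."""
    path = path.split("?", 1)[0]
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)
    while norm.startswith("//"):  # normpath keeps a leading "//"; the server does not
        norm = norm[1:]
    return norm


def policy_for(host_id: str, raw_path: str, resources=RESOURCES) -> Optional[str]:
    """Policy for a request, or None when no resource in the domain matches."""
    path = normalize(raw_path)
    hits = [r for r in resources if r.host_id == host_id and r.matches(path)]
    if not hits:
        return None
    best = max(hits, key=lambda r: (len(r.prefix), not r.is_subtree))
    return best.policy


def audit(host_id: str, paths: List[str],
          resources=RESOURCES) -> Tuple[Dict[str, str], List[str]]:
    """Decide every path and list the employee-area paths (under /example/internal)
    that would not land on the Protected Resource Policy."""
    decisions, findings = {}, []
    for p in paths:
        pol = policy_for(host_id, p, resources)
        decisions[p] = pol or "UNMATCHED"
        if normalize(p).startswith("/example/internal") and pol != PROTECTED:
            findings.append(p)
    return decisions, findings


if __name__ == "__main__":
    sample = ["/example", "/example/menu.html", "/example/internal",
              "/example/internal/employeeHome.html",
              "/example/./internal/../internal/x.html", "/other"]
    for host in ("OAM10gHostId", "OSSO10gHostId"):
        decisions, findings = audit(host, sample)
        print(host, decisions, "findings:", findings)
```

For the osso10g_agent domain, paths outside /example/internal come back UNMATCHED, which is consistent with the note above that mod_osso forwards only requests for protected resources.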
Practice 6-3: Reviewing Web Site Protection in Your Deployment

Overview
In this practice, you review the protection mechanisms for the three Example Bakery Web sites you have deployed so far:
• The site running on port 7778, which is protected by an Oracle Access Manager 11g WebGate
• The site running on port 7779, which is protected by an Oracle Access Manager 10g WebGate
• The site running on port 7780, which is protected by the mod_osso filter

Assumptions
• You completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. If necessary, start the Firefox browser.
2. Clear cookies and cache.
3. Attempt to access a protected page on the Web site protected by the Oracle Access Manager 11g WebGate by typing the following URL in your browser’s address bar: http://your_host:7778/example/internal/employeeHome.html. The Example Bakery login page should appear. Do not authenticate now.
4. Attempt to access a protected page on the Web site protected by the Oracle Access Manager 10g WebGate by typing the following URL in your browser’s address bar: http://your_host:7779/example/internal/employeeHome.html. The Example Bakery login page should appear. Do not authenticate now.
5. Attempt to access a protected page on the Web site protected by the mod_osso filter by typing the following URL in your browser’s address bar: http://your_host:7780/example/internal/employeeHome.html. The Example Bakery login page should appear. Do not authenticate now.
Resources on all three sites are protected by Oracle Access Manager.
Practice 6-4: Demonstrating Single Sign-On

Overview
In this practice, you observe Oracle Access Manager single sign-on. With single sign-on, you need only authenticate once to access multiple protected pages.

Assumptions
• You completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Clear cookies and cache and restart the browser.
2. Demonstrate single sign-on by accessing protected pages on your three Web sites. After you authenticate to gain access to the first protected page, you are not prompted to authenticate when you attempt to access other protected pages.
a. Attempt to access a protected page on the Web site protected by the Oracle Access Manager 11g WebGate by typing the following URL in your browser’s address bar: http://your_host:7778/example/internal/employeeHome.html. The Example Bakery login page should appear.
b. Authenticate as user David.Goldsmith with password Welcome1. The Example Bakery employee portal appears.
c. Attempt to access a protected page on the Web site protected by the Oracle Access Manager 10g WebGate by typing the following URL in your browser’s address bar: http://your_host:7779/example/internal/employeeHome.html. This time, you are not prompted to authenticate as you were in the previous practice. The Example Bakery employee portal appears.
d. Attempt to access a protected page on the Web site protected by the mod_osso filter by typing the following URL in your browser’s address bar: http://your_host:7780/example/internal/employeeHome.html. Once again, you are not prompted to authenticate as you were in the previous practice. The Example Bakery employee portal appears.
Practice 6-5: Examining Browser Cookies During Single Sign-On and Single Logout

Overview
In this practice, you use the Firefox Live HTTP Headers add-on, pre-installed on your Windows lab system, to review cookie creation. First, you access protected resources on the following three Web sites:
• The site running on port 7778, which is protected by an Oracle Access Manager 11g WebGate
• The site running on port 7779, which is protected by an Oracle Access Manager 10g WebGate
• The site running on port 7780, which is protected by the mod_osso filter
You attempt to access each of the three sites and are prompted to authenticate to the Oracle Access Manager server. You examine cookies before and after authentication. Then you execute the same single sign-on scenario that you executed in the previous practice. At various points in this single sign-on scenario, you examine browser cookies. Finally, you log out of the single sign-on session and examine the effect on the browser cookies.

Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Clear cookies and cache and restart the browser.
2. Enable the Live HTTP Headers add-on by selecting Tools > Live HTTP headers. The Live HTTP Headers window appears.
Note: Locating text in the Live HTTP Headers window can be difficult if there is a lot of text in the window. You can use the Save All button to copy the text in the Live HTTP Headers window to a file, which you can then open with any text editor and search. Using the Clear button to clear out all the text in the Live HTTP Headers window can also make locating text easier.
3. Review Oracle Access Manager and WebGate 11g cookie usage:
a. Attempt to access a protected page on the Web site protected by the Oracle Access Manager 11g WebGate by typing the following URL in your browser’s address bar: http://your_host:7778/example/internal/employeeHome.html. The Example Bakery login page should appear.
b. Locate the Set-Cookie statements for the OAMAuthnCookie_host:port and OAMRequestContext_host:port cookies in the Live HTTP Headers window. Note that the value of the OAMAuthnCookie cookie is set to the value loggedoutcontinue. Note the value of the OAMRequestContext cookie as well.
Note: The JSESSIONID cookie is set by OHS and is not pertinent to Oracle Access Manager.
c. Authenticate as user David.Goldsmith with password Welcome1. The Example Bakery employee portal appears.
d. Locate the Set-Cookie statement for the OAM_ID cookie in the Live HTTP Headers window.
e. Locate the most recent Set-Cookie statement for the OAMAuthnCookie cookie in the Live HTTP Headers window. Note that the value of the OAMAuthnCookie cookie has changed. This cookie now contains a reference to the Oracle Access Manager session. Compare the value with what you noted in Step 3b.
f. Locate the most recent Set-Cookie statement for the OAMRequestContext cookie in the Live HTTP Headers window. This transient cookie should now be expired. Compare the value with what you noted in Step 3b.
4. Review WebGate 10g cookie usage:
a. Clear cookies and cache and restart the browser.
b. Clear the contents of the Live HTTP Headers add-on by clicking the Clear button.
c. Attempt to access a protected page on the Web site protected by the Oracle Access Manager 10g WebGate by typing the following URL in your browser’s address bar: http://your_host:7779/example/internal/employeeHome.html. The Example Bakery login page should appear.
d. Locate the Set-Cookie statements for the ObSSOCookie cookie in the Live HTTP Headers window. Note that the value of the ObSSOCookie cookie is set to the value loggedoutcontinue.
e. Authenticate as user David.Goldsmith with password Welcome1. The Example Bakery employee portal appears.
f. Locate the most recent Set-Cookie statement for the ObSSOCookie cookie in the Live HTTP Headers window. Note that the value of the ObSSOCookie cookie has changed. This cookie now contains a reference to the Oracle Access Manager session.
g. Locate the Set-Cookie statement for the OAM_ID cookie in the Live HTTP Headers window.
5. Review mod_osso agent cookie usage:
a. Clear cookies and cache and restart the browser.
b. Clear the contents of the Live HTTP Headers add-on by clicking the Clear button.
c. Attempt to access a protected page on the Web site protected by the Oracle Access Manager 10g WebGate by typing the following URL in your browser’s address bar: http://your_host:7780/example/internal/employeeHome.html. The Example Bakery login page should appear.
d. Look through the Live HTTP Headers output. You should not find any Set-Cookie statements for the Oracle Access Manager server cookies. Remember that the JSESSIONID cookie is an OHS cookie.
e. Authenticate as user David.Goldsmith with password Welcome1. The Example Bakery employee portal appears.
f. Locate the Set-Cookie statements for the OAM_ID and OHS-host-7780 cookies in the Live HTTP Headers window.
6. Review cookie usage during a single sign-on scenario:
a. Clear cookies and cache and restart the browser.
b. Clear the contents of the Live HTTP Headers add-on by clicking the Clear button.
c. Attempt to access a protected page on the Web site protected by the Oracle Access Manager 11g WebGate by typing the following URL in your browser’s address bar: http://your_host:7778/example/internal/employeeHome.html. The Example Bakery login page should appear.
d. Locate the Set-Cookie statements for the OAMAuthnCookie_host:port and OAMRequestContext_host:port cookies in the Live HTTP Headers window. Note that the value of the OAMAuthnCookie cookie is set to the value loggedoutcontinue.
Note: The JSESSIONID cookie is set by OHS and is not pertinent to Oracle Access Manager.
e. Clear the Live HTTP Headers window.
f. Authenticate as user David.Goldsmith with password Welcome1. The Example Bakery employee portal appears.
g. Locate the Set-Cookie statement for the OAM_ID cookie in the Live HTTP Headers window.
h. Locate the most recent Set-Cookie statement for the OAMAuthnCookie cookie in the Live HTTP Headers window. Note that the value of the OAMAuthnCookie cookie has changed. This cookie now contains a reference to the Oracle Access Manager session.
i. Locate the most recent Set-Cookie statement for the OAMRequestContext cookie in the Live HTTP Headers window. This transient cookie should now be expired.
j. Clear the Live HTTP Headers window.
k. Attempt to access a protected page on the Web site protected by the Oracle Access Manager 10g WebGate by typing the following URL in your browser’s address bar: http://your_host:7779/example/internal/employeeHome.html. This time, you are not prompted to authenticate. The Example Bakery employee portal appears.
l. Locate the Set-Cookie statements for the ObSSOCookie cookie in the Live HTTP Headers window. Note that the value of the ObSSOCookie cookie is initially set to the value loggedoutcontinue, and then is set to contain a reference to the Oracle Access Manager session.
Note: Close examination of the Live HTTP Headers output reveals that a second Set-Cookie statement for the OAM_ID cookie appears, and that the OAM_ID cookie value is not the same as the original cookie value. The cookie is set each time some details are changed in the session on the Oracle Access Manager server.
m. Clear the Live HTTP Headers window.
n. Attempt to access a protected page on the Web site protected by the mod_osso filter by typing the following URL in your browser’s address bar: http://your_host:7780/example/internal/employeeHome.html. Once again, you are not prompted to authenticate. The Example Bakery employee portal appears.
o. Locate the Set-Cookie statement for the OHS-host-7780 cookie in the Live HTTP Headers window.
Note: You can see all four cookies: ObSSOCookie, OAM_ID, OHS-host-port, OAMAuthnCookie_host:port.
7. Review cookie usage during a logout:
a. Clear the Live HTTP Headers window.
b. Access the logout URL, http://your_host:7778/logout1.html.
c. Locate the Set-Cookie statements in the Live HTTP Headers output. You should be able to locate Set-Cookie statements that cause the OAMAuthnCookie, OAM_ID, and OHS-host-7780 cookies to expire. Notice that, as discussed in the lesson, there is no Set-Cookie statement that causes the ObSSOCookie to expire.
d. In Firefox, select Tools > Options. The Options dialog box appears. Click Privacy. Click Show Cookies. The list of cookies active in your browser session appears.
e. Locate the ObSSOCookie cookie. This cookie has a value that references the session you had with the Oracle Access Manager server.
f. Prove that the value in this cookie no longer references an active Oracle Access Manager session by typing the following URL in your browser’s address bar: http://your_host:7779/example/internal/employeeHome.html. You are prompted to authenticate to the Oracle Access Manager server. If the session was still active, you would not be prompted to authenticate, but would be granted access to the employee portal page without authenticating.
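An added example, not from the course materials, that does by script what steps 6 and 7 have you do by eye in the Live HTTP Headers window: it classifies each SSO cookie’s Set-Cookie statements as pre-authentication, session-bound or expired, and reports which cookies the logout response did not expire. The capture, the host name oamlab, the ports and all cookie values are constructed placeholders, not output from a real deployment.

```python
"""Added example, not from the course materials: audits the Set-Cookie traffic you
capture with Live HTTP Headers in this practice, classifying each SSO cookie as
pre-auth ("loggedoutcontinue"), bound to a session, or expired, and reporting
which cookies the logout response left bound to the old session (step 7c)."""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, NamedTuple, Optional

# Cookie families the lesson discusses; JSESSIONID is an OHS cookie and is ignored.
FAMILIES = [
    (re.compile(r"^OAMAuthnCookie_"), "OAMAuthnCookie"),
    (re.compile(r"^OAMRequestContext_"), "OAMRequestContext"),
    (re.compile(r"^OAM_ID$"), "OAM_ID"),
    (re.compile(r"^ObSSOCookie$", re.IGNORECASE), "ObSSOCookie"),
    (re.compile(r"^OHS-.+-\d+$"), "OHS-host-port"),
]


class CookieEvent(NamedTuple):
    url: str      # request whose response carried the Set-Cookie header
    family: str
    state: str    # "pre-auth", "session" or "expired"


def family_of(name: str) -> Optional[str]:
    return next((fam for pat, fam in FAMILIES if pat.match(name)), None)


def parse_set_cookie(header: str):
    """'name=value; attr=val; Flag' -> (name, value, {attr: val})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify(value: str, attrs: Dict[str, str], now: datetime) -> str:
    if attrs.get("max-age") == "0":
        return "expired"
    if "expires" in attrs:
        try:
            if parsedate_to_datetime(attrs["expires"]) < now:
                return "expired"
        except (TypeError, ValueError):
            pass  # unparseable date: treat the cookie as live, the conservative choice
    return "pre-auth" if value == "loggedoutcontinue" else "session"


def cookie_events(capture: str, now: Optional[datetime] = None) -> List[CookieEvent]:
    """Walk a Live HTTP Headers dump: a line starting with http(s):// names the
    request; the Set-Cookie lines that follow belong to its response."""
    now = now or datetime.now(timezone.utc)
    url, events = "", []
    for line in capture.splitlines():
        line = line.strip()
        if line.startswith(("http://", "https://")):
            url = line
        elif line.lower().startswith("set-cookie:"):
            name, value, attrs = parse_set_cookie(line.split(":", 1)[1])
            fam = family_of(name)
            if fam:
                events.append(CookieEvent(url, fam, classify(value, attrs, now)))
    return events


def logout_gaps(events: List[CookieEvent], logout_url: str) -> List[str]:
    """Families bound to a session before logout that the logout response did not
    expire; anything listed still references the old session in the browser."""
    live, cleared = set(), set()
    for ev in events:
        if ev.url == logout_url:
            if ev.state == "expired":
                cleared.add(ev.family)
        elif ev.state == "session":
            live.add(ev.family)
        elif ev.state == "expired":
            live.discard(ev.family)
    return sorted(live - cleared)


# Constructed capture following the flow of steps 6 and 7; "oamlab", the ports and
# every cookie value are placeholders, not values from a real deployment.
CAPTURE = """
http://oamlab:7778/example/internal/employeeHome.html
HTTP/1.1 302 Moved Temporarily
Set-Cookie: OAMAuthnCookie_oamlab:7778=loggedoutcontinue; path=/; HttpOnly
Set-Cookie: OAMRequestContext_oamlab:7778=REQCTX-PLACEHOLDER; path=/
Set-Cookie: JSESSIONID=JSESSION-PLACEHOLDER; path=/
http://oamlab:7778/example/internal/employeeHome.html
HTTP/1.1 200 OK
Set-Cookie: OAMAuthnCookie_oamlab:7778=AUTHN-PLACEHOLDER; path=/; HttpOnly
Set-Cookie: OAMRequestContext_oamlab:7778=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/
Set-Cookie: OAM_ID=OAMID-PLACEHOLDER-1; path=/; HttpOnly
http://oamlab:7779/example/internal/employeeHome.html
HTTP/1.1 200 OK
Set-Cookie: ObSSOCookie=loggedoutcontinue; path=/; HttpOnly
Set-Cookie: ObSSOCookie=OBSSO-PLACEHOLDER; path=/; HttpOnly
Set-Cookie: OAM_ID=OAMID-PLACEHOLDER-2; path=/; HttpOnly
http://oamlab:7780/example/internal/employeeHome.html
HTTP/1.1 200 OK
Set-Cookie: OHS-oamlab-7780=OSSO-PLACEHOLDER; path=/; HttpOnly
http://oamlab:7778/logout1.html
HTTP/1.1 200 OK
Set-Cookie: OAMAuthnCookie_oamlab:7778=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/
Set-Cookie: OAM_ID=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/
Set-Cookie: OHS-oamlab-7780=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/
"""

if __name__ == "__main__":
    print(logout_gaps(cookie_events(CAPTURE), "http://oamlab:7778/logout1.html"))
```

Run against the text you save with the Save All button, the same functions report the cookies your own logout left behind; on the constructed capture the only family still bound to a session after logout is ObSSOCookie, matching what step 7c has you observe.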
Practice 6-6: Using the Session Management Utility

Overview
In this practice, you use the Oracle Access Manager console’s session management utility to view active user sessions and to terminate a user’s session.

Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Clear cookies and cache and restart the browser.
2. Start the Oracle Access Manager console by navigating to the following URL: http://your_host:7001/oamconsole. Log in as user Vishal.Parashar with password Welcome1.
3. Navigate to the Session Management page:
a. Select the System Configuration tab and navigate to System Utilities > Session Management.
b. Double-click Session Management. The Session Management page appears in the right window pane.
4. Type Vishal.Parashar in the Username field and click the arrow to the right of the Username field. Details of the session for the Vishal.Parashar user appear in the session list.
Note: The Vishal.Parashar session was created when you logged in to the console. If you were not using the IDM Domain Agent to protect console logins, Oracle Access Manager sessions would not be created for console logins.
5. Start the Internet Explorer browser.
Note: Do not make this browser the default browser.
6. Navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example.
7. Click Employees. The Example Bakery login page appears. Log in as user David.Goldsmith with password Welcome1. Click the option to not remember any more passwords. The employee portal appears.
8. Return to the Session Management page displayed in the Firefox browser. Type David.Goldsmith in the Username field and click the arrow to the right of the Username field. Details of the session for the David.Goldsmith user appear in the session list.
9. Multiple sessions might exist for the David.Goldsmith user because some sessions were created earlier that were not logged out. If multiple sessions exist, use the Creation Time field to locate the most recently created session.
10. Highlight the most recently created session for the David.Goldsmith user and click the Delete (X) icon. Click Yes in the Confirm Delete dialog box.
11. Return to the Internet Explorer browser window and click Employees. You are prompted to authenticate because your session was terminated by administrative action.
12. Close the Internet Explorer browser.
13. Return to the Session Management page displayed in the Firefox browser. Type Vishal.Parashar in the Username field and click the arrow to the right of the Username field. Details of the session for the Vishal.Parashar user appear in the session list.
14. Highlight the session for the Vishal.Parashar user and click Delete. Click Yes in the Confirm Delete dialog box. The login screen appears because you just terminated the Vishal.Parashar user’s console login session.
Practice 6-7: Examining a Multi-Browser Scenario

Overview
In this practice, you log in to the Example Bakery Web site on Internet Explorer, then attempt to access the site on Firefox to determine whether single sign-on works across browsers.

Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Start the Internet Explorer browser.
2. Navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example.
3. Click Employees. The Example Bakery login page appears. Log in as user Vishal.Parashar with password Welcome1. The employee portal appears.
4. Clear cookies and cache for the Firefox browser, then restart the Firefox browser.
5. By using the Firefox browser, navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example. Click Employees. Even though you authenticated to the Oracle Access Manager server when you used Internet Explorer, you are forced to authenticate again when using Firefox. Log in as user Vishal.Parashar with password Welcome1. The employee portal appears.
6. Press Ctrl + T to open a second tab page in the Firefox browser.
7. Start the Oracle Access Manager console in the second tab page in the Firefox browser by navigating to the following URL: http://your_host:7001/oamconsole. Notice that you are not required to authenticate to access the console, because the Vishal.Parashar user already has an active login session on the Firefox browser.
8. Do the same exercise as Step 7 by using Ctrl + N to open a new Firefox window; that is, try to access the OAM console. You do not need to authenticate again.
9. Do the same exercise as Step 7 by opening a new Firefox window by using the Firefox icon on the desktop; that is, try to access the OAM console. You do not need to authenticate again.
10. Navigate back to the Internet Explorer browser. Press Ctrl + N to open a new Internet Explorer window. Perform steps 2 and 3. Notice that you do not get challenged to log in again.
11. Start a new Internet Explorer browser by using the Internet Explorer icon on the desktop. Perform steps 2 and 3. Notice that you do get challenged to log in. This goes to show that session management also depends on browser type and browser version.
12. On the Firefox browser, navigate to the Session Management page:
a. Select the System Configuration tab and navigate to System Utilities > Session Management.
b. Double-click Session Management. The Session Management page appears in the right window pane.
13. Type Vishal.Parashar in the Username field and click the arrow to the right of the Username field. Details of the sessions for the Vishal.Parashar user appear in the session list. There should be two sessions: one for the session on the Firefox browser, and the second for the session on the Internet Explorer browser.
14. Leave the Oracle Access Manager console open for the next practice.
Practice 6-8: Constraining the Number of User Sessions

Overview
In this practice, you constrain the number of active sessions to one. Then you attempt to start two concurrent Oracle Access Manager sessions, and observe the results. At the end of this practice, you restore the number of active sessions allowed to the default value, eight.

Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.
• The Oracle Access Manager console is open and you are logged in to the console as user Vishal.Parashar.

Tasks
1. Navigate to the Server Common Properties page in the console:
a. Select the System Configuration tab and navigate to Server Instances > oam_server1.
b. Double-click oam_server1. The oam_server1 page appears in the right window pane.
c. Click the Server Common Properties link in the right window pane. The OAM Server Common Properties page appears.
2. Click the Session tab. The session properties appear.
3. Set the Maximum Number of Sessions per User to the value 1.
4. Click Apply.
Note: With session constraints in effect, it is extremely important that you follow the instructions exactly as they are written for the rest of this practice. You will need an available session for user Vishal.Parashar to log in to the Oracle Access Manager server to reset the session constraint, and if you follow the instructions as provided, a session will be available.
5. Return to the Session Management page. Refresh the session list for the user Vishal.Parashar. This user should still have two active sessions, even though the maximum number of sessions per user has been set to 1. The session constraint applies only to newly created sessions.
6. Click Delete All User Sessions, then click Yes to respond to the confirmation dialog box. Because you just deleted your Oracle Access Manager console login session, you are automatically logged out of the console.
7. Clear cookies and cache and restart the Firefox browser.
8. Restart the Internet Explorer browser.
9. In the Internet Explorer browser, navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example. Click Employees. The Example Bakery login page appears. Log in as user David.Goldsmith with password Welcome1. Be sure to log in as user David.Goldsmith and not as user Vishal.Parashar. The employee portal appears.
10. In the Firefox browser, navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example. Click Employees. The Example Bakery login page appears. Authenticate as user David.Goldsmith. Again, be sure to log in as user David.Goldsmith and not as user Vishal.Parashar. The message “The user has already reached maximum allowed number of sessions” appears because of the session constraint you set.
11. Start the Oracle Access Manager console in the Firefox browser by navigating to the following URL: http://your_host:7001/oamconsole. Log in as user Vishal.Parashar with password Welcome1.
12. Restore the Maximum Number of Sessions per User to the value 8. Do not forget to click Apply after you have changed the value in the Maximum Number of Sessions per User field.
Note: It is extremely important that you complete the preceding step correctly. Subsequent practices depend on the availability of multiple sessions per user. If you are not sure that you have performed this step correctly, ask your instructor.
Practices for Lesson 7 Chapter 7
Practices for Lesson 7

Practices Overview

These practices illustrate the use of the Oracle Access Manager identity assertion provider. With the Oracle Access Manager identity assertion provider deployed in a WebLogic domain, applications running in that domain can use Oracle Access Manager as the perimeter authenticator and then, as part of authentication, have the Oracle Access Manager server assert the username, so that the application can retrieve the username and use it as needed.

You start these practices by reviewing a sample application that uses HTTP basic authentication, one of the authentication mechanisms built in to all J2EE Web containers. Then you deploy the application and run it. The Web container handles application security, and the application can retrieve the username, but single sign-on is not available.

Then you modify the sample application so that it no longer uses HTTP basic authentication, but instead specifies a mechanism that enables an external authenticator. You configure the OHS instance on which the 11g WebGate is installed to serve the sample application, thus allowing the WebGate to protect the sample application. Then you configure the security realm in WebLogic Server to use the Oracle Access Manager identity assertion provider.

When you test the sample application after performing these steps, you observe the following:
• The Oracle Access Manager server collects users’ credentials and authenticates users.
• The Oracle Access Manager identity assertion provider makes the username available to the application.
• Single sign-on is available for the user.
Practice 7-1: Deploying the Sample Application Overview In this practice, you review the security configuration in your WebLogic domain. Then you review code in the sample jee application and deploy the application on the WebLogic administration server. Although the sample application is written in Java, you do not need to know Java to complete this practice. Note: In a production environment, it is not a best practice to deploy end-user applications on the WebLogic administration server. You do so in this practice only for convenience in the classroom environment.
Assumptions
• You have completed Practices 3 through 6 successfully.
• You perform this practice on your Windows lab system.
Tasks
1. Log in to the WebLogic Server administration console as the weblogic user. The password is Welcome1.
2. Review the security configuration in the myrealm security realm:
   a. Select oam_domain > Security Realms from the Domain Structure pane. The Summary of Security Realms page appears on the right side of the console window.
   b. Select the myrealm security realm. The Settings for the My Realm page appear.
   c. Click the Providers tab. The Authentication Providers page appears.
   d. Observe that the OIDAuthenticator and DefaultAuthenticator providers appear in the list:
      • You added the OIDAuthenticator provider in a previous practice so that users could authenticate to Oracle Internet Directory.
      • The DefaultAuthenticator provider, which enables user authentication to the WebLogic Server embedded LDAP server, is configured in security realms by default.
3. Open the D:\Labs\Lesson07\jee\WEB-INF\source\Servlet1.java file with the WordPad text editor.
4. Locate the following line in the file:

   out.println("The servlet has received a GET. This is the reply for " + request.getRemoteUser() + ".");

   The println method writes text to a dynamically generated HTML page. It writes the text, “The servlet has received a GET. This is the reply for,” followed by a variable. The value of the variable is generated by the getRemoteUser method of the HttpServletRequest interface. The getRemoteUser method returns the login name of the user the container has authenticated for this request, or null if the request was not authenticated. When you run the sample application, a line with the above text, followed by the username with which you authenticated, appears on the screen.
5. Close the D:\Labs\Lesson07\jee\WEB-INF\source\Servlet1.java file.
6. Deploy the sample jee application:
   a. Click Lock and Edit in the Change Center pane.
   b. Select oam_domain > Deployments from the Domain Structure pane. The Summary of Deployments page appears on the right side of the console window.
   c. Click Install. The Locate deployment to install and prepare for deployment form appears.
   d. Navigate to the path, d:\Labs\Lesson07\jee, and make sure that in the Current Location field, the button to the left of the value jee is selected.
   e. Click Next. The Choose targeting style form appears.
   f. Select Install this deployment as an application and click Next. The Select deployment targets form appears.
   g. Select the AdminServer target.
   h. Click Next. The Optional Settings form appears.
   i. Click Finish. The Summary of Deployments page reappears. The jee application should appear in the list with the Distribute Initializing status.
   j. Click Activate Changes in the Change Center pane. The jee application’s status changes to Prepared.
   k. Select the check box next to the jee application.
   l. Click Start > Servicing All Requests, then click Yes. The Summary of Deployments page reappears. Verify that the status of the jee application is Active.
Practice 7-2: Reviewing HTTP Basic Authentication in the Sample Application

Overview
In this practice, you examine the deployment descriptors in the sample application. Then you run the sample application and observe its behavior.

Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Open the D:\Labs\Lesson07\jee\WEB-INF\web.xml file with the WordPad text editor.
2. Locate the following line in the file:

   <auth-method>BASIC</auth-method>

   The statement specifies the HTTP basic authentication method. The HTTP basic authentication method displays a dialog box to collect the username and password. The browser then resends the username and password, Base64-encoded but not encrypted, in an Authorization header on every request to the protected path, so over the plain HTTP URL used in this practice they cross the network in the clear. When you modify the jee application to use an identity assertion provider in a subsequent practice, you will change the statement.
3. Review the <security-constraint> and <security-role> sections of the web.xml file. These sections, required for the HTTP basic authentication method, describe how the application should be protected. Application security is defined as follows:
   • <security-constraint> section: HTTP GET, POST, DELETE, PUT, HEAD, OPTIONS, and TRACE operations on the URL, /servlet1, are permitted for users in the all-authenticated-users role.
   • <security-role> section: The only role used by the Web application is the all-authenticated-users role.
   Note: The weblogic.xml file maps the all-authenticated-users role named in the web.xml file to the users group in the WebLogic Server security realm. The users group is a default WebLogic Server group containing all users who have been authenticated. The users group does not appear in the WebLogic console.
4. Close the D:\Labs\Lesson07\jee\WEB-INF\web.xml file.
5. Clear cookies, cache, and active logins; then close your browser, and restart the browser.
6. Run the jee sample application deployed to the administration server. Enter the following URL in a browser: http://your_host.us.oracle.com:7001/jee/servlet1. The HTTP basic authentication dialog box appears.
7. Log in as user weblogic with password Welcome1. The following message appears on the screen: “The servlet has received a GET. This is the reply for weblogic.” The weblogic user is present in the WebLogic embedded LDAP database. Therefore, WebLogic Server uses the DefaultAuthenticator provider for authentication. The getRemoteUser method returned the name of the user who has authenticated to the system: the weblogic user.
8. Review browser cookies:
   a. In Firefox, select Tools > Options. The Options dialog box appears.
   b. Click Privacy.
   c. Click Show Cookies. The Cookies dialog box appears.
   d. Expand the Site node in the Cookies dialog box. Verify that no cookies associated with Oracle Access Manager single sign-on are present. Note: You should see only the JSESSIONID cookie.
   e. Close the Cookies and Options dialog boxes.
9. Clear cookies, cache, and active logins; then close your browser, and restart the browser.
10. Run the jee sample application again by entering the URL, http://your_host.us.oracle.com:7001/jee/servlet1.
11. Log in as user David.Goldsmith with password Welcome1. The following message appears on the screen: “The servlet has received a GET. This is the reply for David.Goldsmith.” The David.Goldsmith user is present in the Oracle Internet Directory database. Therefore, WebLogic Server uses the OIDAuthenticator provider for authentication. The getRemoteUser method returned the name of the user who has authenticated to the system: the David.Goldsmith user.
12. Review browser cookies. Verify that no cookies associated with Oracle Access Manager single sign-on are present (you should see only the JSESSIONID cookie).
Practice 7-3: Preparing the Sample Application for Authentication by Oracle Access Manager

Overview
In this practice, you modify the sample application so that it will work with the Oracle Access Manager identity assertion provider after you deploy that provider in a subsequent practice. After modifying the sample application, you redeploy the application on the WebLogic administration server.

Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Modify the jee sample application’s deployment descriptor:
   a. Make a backup copy of the D:\Labs\Lesson07\jee\WEB-INF\web.xml file. Name the backup file web.xml.sav (use Ctrl + C and Ctrl + V on the web.xml file in the same directory).
   b. Open the D:\Labs\Lesson07\jee\WEB-INF\web.xml file with the WordPad text editor.
   c. Remove the following sections from the D:\Labs\Lesson07\jee\WEB-INF\web.xml file:
      • The section starting with the <security-constraint> tag and ending with the </security-constraint> tag
      • The section starting with the <security-role> tag and ending with the </security-role> tag
      Note: Removing the security constraint means the container itself no longer requires any authentication for /servlet1; in this lab the WebGate in front of OHS takes over that job. In a production deployment you would keep a security constraint, so that the container still insists on an authenticated principal, and restrict the WebLogic listen port so that only the WebGate-protected OHS can reach it.
   d. Change the authentication method. Modify the line with the <auth-method> tag to have the following content: <auth-method>CLIENT-CERT</auth-method>. Specifying the value CLIENT-CERT in the <auth-method> tag tells WebLogic Server to use perimeter authentication: the container no longer collects credentials itself but accepts an identity established by an identity assertion provider configured in the WebLogic Server security realm.
   e. Verify that the D:\Labs\Lesson07\jee\WEB-INF\web.xml file has the following content (the web-app root element and its attributes are unchanged):

      <web-app>
        <servlet>
          <servlet-name>Servlet1</servlet-name>
          <servlet-class>jee.Servlet1</servlet-class>
        </servlet>
        <servlet-mapping>
          <servlet-name>Servlet1</servlet-name>
          <url-pattern>/servlet1</url-pattern>
        </servlet-mapping>
        <login-config>
          <auth-method>CLIENT-CERT</auth-method>
          <realm-name>myrealm</realm-name>
        </login-config>
      </web-app>

   f. Save and close the D:\Labs\Lesson07\jee\WEB-INF\web.xml file.
2. Rename the D:\Labs\Lesson07\jee\WEB-INF\weblogic.xml file to weblogic.xml.sav. The content of the weblogic.xml file (the mapping of the all-authenticated-users role to the users group) is no longer needed because you removed the security constraint and security role from the web.xml file. Because the file is renamed, it is not used when you redeploy the jee application.
3. Log in to the WebLogic Server administration console as the weblogic user. The password is Welcome1.
4. Redeploy the jee sample application:
   a. Click Lock and Edit in the Change Center pane.
   b. Select oam_domain > Deployments from the Domain Structure pane. The Summary of Deployments page appears on the right side of the console window.
   c. Locate the entry for the jee application in the list of deployed applications.
   d. Select the check box to the left of the entry for the jee application.
   e. Click Update. The Update Application Assistant appears.
   f. Click Finish.
   g. Click Activate Changes in the Change Center pane.
   h. Verify that the status of the jee application is Active.
Practice 7-4: Configuring the OHS Instance Protected by the 11g WebGate to Access the Sample Application

Overview
In this practice, you modify the mod_wl_ohs.conf file of the Oracle HTTP Server instance on which the 11g WebGate is installed. The modifications provide 11g WebGate protection for the sample jee application. After modifying the mod_wl_ohs.conf file, you restart the OHS instance to make the changes take effect. Then you execute the sample application to verify that the sample application is protected by the 11g WebGate.

Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Open the D:\Middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\mod_wl_ohs.conf file with the WordPad text editor.
2. Add the following text at the end of the file. The Location path, /jee, is the context root of the sample application, matching the URL you use in step 6:

   <Location /jee>
     SetHandler weblogic-handler
   </Location>

3. Save and close the D:\Middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\mod_wl_ohs.conf file.
4. Execute the following commands to stop and start the OHS instance protected by the 11g WebGate:

   cd d:\Middleware\ohs_home\instances\ohs_webgate11g\bin
   opmnctl stopall
   opmnctl startall

5. Clear cookies, cache, and active logins; then close your browser, and restart the browser.
6. Run the jee sample application deployed to the administration server, now reached through the OHS instance protected by the Oracle Access Manager 11g WebGate. Enter the following URL in a browser: http://your_host.us.oracle.com:7778/jee/servlet1. The Example Bakery login page appears, demonstrating that the sample application is now protected by the 11g WebGate when it is reached through OHS. Note that the WebLogic listen port you used in Practice 7-2 (http://your_host.us.oracle.com:7001/jee/servlet1) still serves the application with no WebGate in the path. In a production deployment, that port must be reachable only from the OHS instance, for example by means of a WebLogic connection filter; otherwise the WebGate can simply be bypassed.
7. Log in as user David.Goldsmith with password Welcome1. The following message appears on the screen: “The servlet has received a GET. This is the reply for null.” The WebGate authenticated you and forwarded the request, but without an identity assertion provider the container has no authenticated principal for the request, so getRemoteUser returns null. Deployment of the identity assertion provider in the next practice lets the application determine the username of the authenticating user when an external authentication mechanism is used.
8. Review browser cookies. Verify that cookies associated with Oracle Access Manager single sign-on are present.
Practice 7-5: Configuring WebLogic Server to Use the Oracle Access Manager Identity Assertion Provider

Overview
In this practice, you configure the WebLogic Server security realm to use the Oracle Access Manager identity assertion provider. Once this provider is added to the configuration, you rerun the sample application to demonstrate the results.

Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Log in to the WebLogic Server administration console as the weblogic user. The password is Welcome1.
2. Click Lock and Edit in the Change Center pane. Note: If Lock and Edit is disabled, click Release Configuration before you click Lock and Edit.
3. Select oam_domain > Security Realms from the Domain Structure pane. The Summary of Security Realms page appears on the right side of the console window.
4. Select the myrealm security realm. The Settings for the My Realm page appear.
5. Add an OAM identity assertion provider as an authentication provider:
   a. Click the Providers tab. The Authentication Providers page appears.
   b. Click New. The Create a New Authentication Provider page appears. Fill in the fields in the Create a New Authentication Provider page as follows:

      Field   Choices or Values
      Name    OAM Identity Assertion Provider
      Type    OAMIdentityAsserter

   c. Click OK. The Authentication Providers page reappears. The OAM Identity Assertion Provider authentication provider appears in the list of authentication providers.
6. Configure the OAM identity assertion provider to recognize the OAM_REMOTE_USER HTTP header variable:
   a. Select the OAM Identity Assertion Provider authentication provider. The Settings for OAM Identity Assertion Provider page appears.
   b. Locate the OAM_REMOTE_USER entry under Active Types > Available.
   c. Select the check box for the OAM_REMOTE_USER entry.
   d. Click the arrow to move the OAM_REMOTE_USER entry from the Available column to the Chosen column.
   e. Verify that the OAM_REMOTE_USER and ObSSOCookie entries are in the Chosen column.
   f. Click Save. The message, “Settings updated successfully,” appears at the top of the Settings for OAM Identity Assertion Provider page.
   g. Click Activate Changes in the Change Center pane. The message, “All changes have been activated. However 2 items must be restarted for the changes to take effect,” appears at the top of the Settings for OAM Identity Assertion Provider page.
   h. In the Change Center pane, click View Changes and Restarts. The Changes and Restarts page appears on the right side of the console window.
   i. Select the Restart Checklist tab. The AdminServer and oam_server1 servers are listed.
   Note: With OAM_REMOTE_USER as an active type, the identity asserter treats the username carried in that HTTP header as already authenticated. The header can be trusted only because the WebGate sets it after authentication and, in the intended deployment, only the WebGate-protected OHS can reach the WebLogic listen port. If the listen port is reachable directly, any client can supply its own OAM_REMOTE_USER header.
7. Shut down the oam_server1 and AdminServer servers:
   a. Select oam_domain > Environment > Servers in the Domain Structure pane. The Summary of Servers page appears on the right side of the console window.
   b. Select the Control tab.
   c. Select the check boxes for the oam_server1 and AdminServer servers.
   d. Click Shutdown > Force Shutdown Now.
   e. Click Yes in response to the confirmation page.
8. Start the administration server:
   a. Open a Windows Explorer window to the d:\Middleware\user_projects\domains\oam_domain directory.
   b. Double-click the startWebLogic.cmd file to start the WebLogic administration server. When prompted to enter the username, type weblogic, then press Enter. When prompted to enter the password, type Welcome1, then press Enter. Note: If the WebLogic administration server has not yet shut down completely, the administration server startup window closes without prompting you for a user ID. Wait several seconds; then try starting the administration server again.
   c. Observe the messages in the administration server startup window. Startup is complete when the “Server started in RUNNING mode” message appears.
9. Start the oam_server1 server:
   a. Start the WebLogic console and log in as the weblogic user.
   b. Select oam_domain > Environment > Servers in the Domain Structure pane. The Summary of Servers page appears on the right side of the console window.
   c. Select the Control tab.
   d. Select the check box for the oam_server1 server. Note: Make sure the node manager is running before you start the managed server from the WebLogic console. Start the node manager by double-clicking d:\middleware\wls_home\server\bin\startNodeManager.cmd.
   e. Click Start.
   f. Click Yes in response to the confirmation page.
   g. Click the Refresh icon, which appears above the text “Customize this table.” Observe the values in the State column for the two servers. When the values change to RUNNING, server restart is complete.
   h. Click the Refresh icon again to end the page refresh behavior.
10. Clear cookies, cache, and active logins; then close your browser, and restart the browser.
11. Run the jee sample application deployed to the administration server and protected by the Oracle Access Manager 11g WebGate. Enter the following URL in a browser: http://your_host.us.oracle.com:7778/jee/servlet1. The Example Bakery login page appears.
12. Log in as user David.Goldsmith with password Welcome1. The following message appears on the screen: “The servlet has received a GET. This is the reply for David.Goldsmith.” With the identity assertion provider active, the application is now able to determine that you logged in as the David.Goldsmith user.
13. Review browser cookies. Verify that cookies associated with Oracle Access Manager single sign-on are present.
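The identity asserter configured in this practice accepts the username in the OAM_REMOTE_USER header as already authenticated, so the WebLogic listen port must be reachable only through the WebGate-protected OHS. The following script is an added example, not part of this guide or of any Oracle product, that checks this: it sends a request straight to the listen port with a forged OAM_REMOTE_USER header and classifies the reply using the text the sample servlet prints. It assumes the lab layout used above (the jee application at /jee/servlet1, the listen port 7001, and the reply text from Servlet1.java); the host name is a placeholder. A result of “unreachable” or a redirect to a login page is what you want to see; a reply naming the forged user means the WebGate can be bypassed and a WebLogic connection filter, or an equivalent network control, is needed before the configuration is safe to use outside the classroom.

```python
"""Probe whether a WebLogic listen port honours a forged OAM_REMOTE_USER header.

Added example for the Oracle Access Manager identity-assertion lab; not part of
the guide or of any Oracle product. Assumptions: the sample application is at
/jee/servlet1 on listen port 7001 and prints "This is the reply for <user>."
"""
import http.client
import re
import sys

# Reply text printed by Servlet1.java. The username ends at the first "." that
# is followed by whitespace, a tag or end of text (usernames may contain dots).
REPLY_RE = re.compile(r"This is the reply for (.+?)\.(?=\s|<|$)")


def asserted_user(body):
    """Return the username the servlet reports, or None if the text is absent."""
    m = REPLY_RE.search(body)
    return m.group(1) if m else None


def classify(status, body, claimed_user):
    """Interpret one response to a request that carried a forged header."""
    if status in (301, 302, 303, 307, 308):
        return "redirected"  # sent to a login page: something sits in front of WLS
    if status in (401, 403):
        return "blocked (HTTP %d)" % status
    if status != 200:
        return "unexpected status %d" % status
    user = asserted_user(body)
    if user == claimed_user:
        return "VULNERABLE: identity asserted from an unauthenticated header"
    if user == "null":
        return "header ignored (no asserter, or OAM_REMOTE_USER not an active type)"
    return "unexpected reply"


def probe(host, port=7001, path="/jee/servlet1",
          claimed_user="David.Goldsmith", timeout=5.0):
    """Send the forged request directly to the listen port and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"OAM_REMOTE_USER": claimed_user})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return classify(resp.status, body, claimed_user)
    except OSError as exc:
        return "unreachable (%s)" % exc  # the desired outcome: port filtered
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder host; pass the real administration server host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "your_host.us.oracle.com"
    print(probe(target))
```

Run it from a machine that is not the OHS host, since the point is to test what an arbitrary client on the network can do; a check run from the OHS host itself would pass even when the port is open to everyone else.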
Practice 7-6: Resetting Your Lab System

Overview
In this practice, you reset your lab system so that the changes you made to the WebLogic Server configuration do not impact subsequent labs.

Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Remove the OAM Identity Assertion Provider authentication provider from the WebLogic Server configuration:
   a. Start the WebLogic console and log in as the weblogic user.
   b. Click Lock and Edit in the Change Center pane.
   c. Select oam_domain > Security Realms from the Domain Structure pane. The Summary of Security Realms page appears on the right side of the console window.
   d. Select the myrealm security realm. The Settings for the My Realm page appear.
   e. Select the Providers tab. The Authentication Providers page appears.
   f. Select the check box for the OAM Identity Assertion Provider authentication provider.
   g. Click Delete, then click Yes to confirm deletion. The message, “Selected Authentication Providers have been deleted,” appears at the top of the page.
   h. Click Activate Changes in the Change Center pane. The message, “All changes have been activated. However 2 items must be restarted for the changes to take effect,” appears at the top of the Settings for the My Realm page.
2. Restart the AdminServer and oam_server1 servers. If you are not certain how to restart the servers, refer to the tasks in the previous practices.
Practices for Lesson 8 Chapter 8
Practices for Lesson 8

Practices Overview

In these practices, you configure the auditing and logging capabilities of Oracle Access Manager, examine files, and run reports.

You configure Oracle Access Manager auditing as follows:
• Capture more auditing information
• Write audit records to an Oracle Database instead of to a flat file

After you perform these configuration tasks, you configure a pre-installed instance of Oracle Business Intelligence Publisher (Oracle BI Publisher) to run Oracle Access Manager reports. Then you run a sample report.

For logging, you examine the default logging configuration and examine logging output when the default configuration is in effect. Then you increase the logging level so that debug-level logging records are produced, and examine the output. At the end of these practices, you reset the logging level to the default level.
Practice 8-1: Changing the Audit Filter Preset

Overview
In this practice, you examine the level of audit output produced when the default Oracle Access Manager settings are in effect. Then you change the settings, take actions in Oracle Access Manager to generate several audit records, and examine the changes to the output.

Assumptions
• You have completed Practices 3 through 7 successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Verify that the Oracle Access Manager auditing system is capturing only very high-level system events:
   a. Open the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\auditlogs\OAM\audit.log file with any text editor and examine the output. By default, the Oracle Access Manager server writes audit records to this file.
   b. Review the audit records in the audit.log file. You should see only records with the ServerStartup and ServerShutDown event types. With the default preset in effect there is no record of who authenticated, when, or from where, so the audit trail is of little use for investigating an incident; the preset has to be raised before the records are needed, not after.
2. Change the audit filter preset level from Low to All:
   a. Log in to the Oracle Access Manager console as user Vishal.Parashar. The password is Welcome1.
   b. Select the System Configuration tab.
   c. Navigate to Server Instances > oam_server1.
   d. Double-click oam_server1. The oam_server1 page appears in the right window pane.
   e. Click Server Common Properties in the right window pane. The OAM Server Common Properties page appears.
   f. Select the Audit Configuration tab.
   g. Change the value of the Filter Preset field from Low to All.
   h. Click Apply.
   i. Log out of the Oracle Access Manager console.
3. After you change the auditing configuration, you must restart both the WebLogic administration server and the managed server instance that runs the Oracle Access Manager server before the changes take effect. Restart the server instances on your lab system.
4. Generate audit records by accessing the Example Bakery employee portal, which requires user authentication:
   a. Clear cookies and cache and restart the browser.
   b. Navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example.
   c. Click Employees. The Example Bakery login page appears.
   d. Log in as user David.Goldsmith with password Welcome1. The employee portal appears.
5. Verify that the Oracle Access Manager server auditing system captures more information after you change the audit filter preset:
   a. Open the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\auditlogs\OAM\audit.log file with any text editor and examine the output.
   b. Review the audit records in the audit.log file. The file should now contain records with event types other than the ServerStartup and ServerShutDown event types; for example, the Authentication, CredentialValidation, SessionCreation, and Login event types.
   c. Navigate to the central logout page, http://your_host.us.oracle.com:7778/logout1.html.
   d. Verify that SessionDestroy and Logout events were written to the audit.log file.
Practice 8-2: Configuring the Oracle Access Manager Server to Write Audit Log Records to an Oracle Database

Overview
In this practice, you configure the OAM server to write audit log records to the Oracle Database on your Linux lab system. At the end of this practice, you take actions in Oracle Access Manager that generate several audit records and review the content in the Oracle Database.

Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows and Linux lab systems. Because you use both lab systems in this practice, the practice explicitly tells you which lab system you need to use when performing tasks.

Tasks
1. Verify that the Oracle Database tables that are used to hold Oracle Access Manager server audit records are empty. Perform the following steps on your Linux lab system as the oracle user:
   a. If necessary, open a terminal window on the system.
   b. Set the environment variables required to run the sqlplus utility:

      ORACLE_HOME=/u01/app/oracle/product/11.2.0.1/db_1
      export ORACLE_HOME
      ORACLE_SID=orcl
      export ORACLE_SID

   c. Start the sqlplus utility:

      cd $ORACLE_HOME/bin
      ./sqlplus

      Note: If the error message, “ORA-27101: shared memory realm does not exist,” appears, you might have defined the ORACLE_HOME environment variable incorrectly. The ORACLE_HOME environment variable must not have a slash (“/”) at the end of its value. To correct the problem, terminate the sqlplus utility, re-execute the command to set the ORACLE_HOME environment variable, and re-execute the sqlplus utility.
   d. Log in to the sqlplus utility as the DEV_IAU user with password Welcome1. When you ran the Repository Creation Utility (RCU) to initialize tables used by Oracle Fusion Middleware, the RCU created the DEV_IAU user and the schema for the tables used by audit logging. (DEV_IAU is the schema owner and can alter or delete audit rows; outside the classroom, anyone who only reads or reports on audit data should connect with a separate read-only account.)
   e. Execute the select command to display a list of tables created by the RCU:

      SQL> select TABLE_NAME from USER_TABLES;

      The list of tables created when you ran RCU in a previous practice appears in the terminal window:

      TABLE_NAME
      ------------------------------
      IAU_BASE
      WEBCACHECOMPONENT
      OVDCOMPONENT
      OIDCOMPONENT
      OWSM_PM_EJB
      OWSM_AGENT
      DIP
      OHSCOMPONENT
      JPS
      ADMINSERVER
      REPORTSSERVERCOMPONENT
      WEBSERVICES
      WS_POLICYATTACHMENT
      OIF
      OAAM
      OAM
      IAU_DISP_NAMES_TL
      IAU_LOCALE_MAP_TL

      18 rows selected.

   f. The IAU_BASE table is the table to which the audit framework writes the attributes common to every audit record; the component tables (for example, OAM) hold the attributes specific to each component. Execute the describe command to show the names of the IAU_BASE table’s columns:

      SQL> describe IAU_BASE;

      The column names and their data types appear in the terminal window:

      Name                        Null?    Type
      --------------------------- -------- --------------
      IAU_ID                               NUMBER
      IAU_ORGID                            VARCHAR2(255)
      IAU_COMPONENTID                      VARCHAR2(255)
      IAU_COMPONENTTYPE                    VARCHAR2(255)
      IAU_INSTANCEID                       VARCHAR2(255)
      IAU_HOSTINGCLIENTID                  VARCHAR2(255)
      IAU_HOSTID                           VARCHAR2(255)
      IAU_HOSTNWADDR                       VARCHAR2(255)
      IAU_MODULEID                         VARCHAR2(255)
      IAU_PROCESSID                        VARCHAR2(255)
      IAU_ORACLEHOME                       VARCHAR2(255)
      IAU_HOMEINSTANCE                     VARCHAR2(255)
      IAU_UPSTREAMCOMPONENTID              VARCHAR2(255)
      IAU_DOWNSTREAMCOMPONENTID            VARCHAR2(255)
      IAU_ECID                             VARCHAR2(255)
      IAU_RID                              VARCHAR2(255)
      IAU_CONTEXTFIELDS                    VARCHAR2(2000)
      IAU_SESSIONID                        VARCHAR2(255)
      IAU_SECONDARYSESSIONID               VARCHAR2(255)
      IAU_APPLICATIONNAME                  VARCHAR2(255)
      IAU_TARGETCOMPONENTTYPE              VARCHAR2(255)
      IAU_EVENTTYPE                        VARCHAR2(255)
      IAU_EVENTCATEGORY                    VARCHAR2(255)
      IAU_EVENTSTATUS                      NUMBER
      IAU_TSTZORIGINATING                  TIMESTAMP(6)
      IAU_THREADID                         VARCHAR2(255)
      IAU_COMPONENTNAME                    VARCHAR2(255)
      IAU_INITIATOR                        VARCHAR2(255)
      IAU_MESSAGETEXT                      VARCHAR2(2000)
      IAU_FAILURECODE                      VARCHAR2(255)
      IAU_REMOTEIP                         VARCHAR2(255)
      IAU_TARGET                           VARCHAR2(255)
      IAU_RESOURCE                         VARCHAR2(255)
      IAU_ROLES                            VARCHAR2(255)
      IAU_AUTHENTICATIONMETHOD             VARCHAR2(255)
      IAU_TRANSACTIONID                    VARCHAR2(255)
      IAU_DOMAINNAME                       VARCHAR2(255)

      For investigations, the columns you will query most are IAU_TSTZORIGINATING (when), IAU_EVENTTYPE and IAU_EVENTSTATUS (what happened and whether it succeeded), IAU_INITIATOR and IAU_REMOTEIP (who and from where), and IAU_RESOURCE (what was accessed).
   g. Execute the select command to display the content in the IAU_BASE table:

      SQL> select * from IAU_BASE;

      The “no rows selected” message appears, indicating that the table is empty.
2. Configure a JDBC data source for the audit database in WebLogic Server. Perform the following steps on your Windows lab system:
   a. Navigate to the following URL to start the WebLogic console: http://your_host.us.oracle.com:7001/console. Log in as the weblogic user. The password is Welcome1.
   b. Click Lock and Edit in the Change Center pane.
Practices for Lesson 8 Chapter 8 - Page 7
c.
d.
Select oam_domain > Services > JDBC > Data Sources in the Domain Structure pane. The Summary of JDBC Data Sources page appears on the right side of the console window. Click New. The Create a New JDBC Data Source wizard starts. The first page that appears is the JDBC Data Source Properties page. Fill in the fields in the JDBC Data Source Properties page as follows: Field
Choices or Values
Name
AuditDB
JNDI Name
jdbc/AuditDB
Database Type
Oracle
e. f. g.
Click Next. A second JDBC Data Source Properties page appears. Click Next to accept the default database driver. The Transaction Options page appears. Click Next. The Connection Properties page appears. Fill in the fields in the Transaction Properties page as follows: Field
Choices or Values
Database Name
orcl
Host Name
your_Linux_host
Port
1521
Database User Name Password
DEV_IAU Welcome1
Confirm Password
Welcome1
h.
Click Next. The Test Database Connection form appears. Click Test Configuration. If you configured the AuditDB data source correctly, the message “Connection test succeeded” appears in the WebLogic console:
i. Click Next. The Select Targets form appears. Select the check boxes for the AdminServer and oam_server1 servers.
Note: Other Oracle Fusion Middleware components besides Oracle Access Manager can use the database audit logging capability. If you do not deploy the AuditDB data source definition to the administration server, multiple IAU-5048 messages appear in the administration server logs when you start recording audit records in the database.
j. Click Finish.
k. Click Activate Changes in the Change Center pane.
l. Log out of the WebLogic console.
3. Use FMW Control to configure the audit subsystem to write records to the Oracle Database. Perform the following steps on your Windows lab system:
a. Navigate to the following URL to start FMW Control: http://your_host.us.oracle.com:7001/em. Log in as the weblogic user. The password is Welcome1.
b. In the left window pane, navigate to Farm_oam_domain > WebLogic Domain > oam_domain.
c. Click oam_domain. The oam_domain page appears in the right window pane. A menu with options to view configuration objects appears below the oam_domain label.
d. Select WebLogic Domain > Security > Audit Store from the menu.
e. The Audit Store page appears. A message indicates that auditing is still configured to write records to a flat file: "The default audit store is file-based. Data Source JNDI name is empty when the audit store is file-based."
f. Click the Search icon to the right of the empty Data Source JNDI Name field.
g. The Select Data Source dialog box appears. Click the jdbc/AuditDB entry; then click OK.
h. The Audit Store page appears again, with the configuration details for the AuditDB JDBC data source listed. Click Apply. Notice the information message, "All changes made in this page require a server restart to take effect."
i. Log out of FMW Control.
4. After you change the audit repository type, you must restart both the WebLogic administration server and the managed server instance(s) that run the Oracle Access Manager server before the changes take effect. Restart the server instances on your Windows lab system:
a. Stop the AdminServer and oam_server1 servers.
Note: If you have forgotten how to stop and start the WebLogic Server instances on your lab system, refer to the procedure detailed previously in these practices.
b. Delete the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\auditlogs\OAM\audit.log file. By deleting the flat file to which the auditing subsystem previously logged audit records, you can easily see whether the file changes after the audit subsystem starts recording records in Oracle Database.
Note: You cannot delete the audit.log file until the server instances have shut down completely. If you are unable to delete the audit.log file, wait several seconds, and then try deleting the file again.
c. Restart the AdminServer and oam_server1 servers.
5. Access the Example Bakery application so that several audit records are recorded. Perform the following steps on your Windows lab system:
a. Clear cookies and cache and restart the browser.
b. Navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example.
c. Click Employees. The Example Bakery login page appears.
d. Log in as user David.Goldsmith with password Welcome1. The employee portal appears.
e. Navigate to the central logout page, http://your_host.us.oracle.com:7778/logout1.html, to log out of the Oracle Access Manager session.
6. Open the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\auditlogs\OAM\audit.log file on your Windows lab system and review its content. Notice that records are still being written to the audit.log file. The auditing subsystem uses this file as a "bus stop": an intermediate cache for audit records before the records are written to the audit database. Because records reach the database only after passing through this file, an event may not be visible in IAU_BASE immediately after it occurs.
7. Review the content in the IAU_BASE table in the Oracle Database. The table should no longer be empty. Perform the following steps on your Linux lab system as the oracle user:
a. Verify that the sqlplus session is still active in the terminal window you opened during a previous task. If sqlplus is not active, restart sqlplus and log in as the DEV_IAU user with password Welcome1.
b. Execute the select commands to display the number of records and the distinct event types recorded in the IAU_BASE table:
SQL> select count(*) from IAU_BASE;
SQL> select distinct IAU_EVENTTYPE from IAU_BASE order by 1;
c. Review the output from the select commands. The output should contain records with event types such as Authorization, CredentialValidation, SessionValidation, and Login. The presence of these values in the database indicates that audit records are now being recorded in the Oracle Database.
d. Exit sqlplus:
SQL> exit;
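The step 7 queries only prove that rows arrived. The following Python is an added example, not part of this guide or of Oracle's audit tooling, showing the kind of query an operator would actually run against the audit store once it is populated: a per-event-type count and a search for bursts of failed credential checks by user and client address. Only the table name IAU_BASE and the IAU_EVENTTYPE column appear in the practice; the other column names (IAU_EVENTSTATUS, IAU_INITIATOR, IAU_REMOTEIP, IAU_TSTZORIGINATING, IAU_ECID) and the 1 = success / 0 = failure encoding are assumptions about the FMW audit schema, so confirm them with DESCRIBE IAU_BASE before pointing the SQL at DEV_IAU. SQLite stands in for Oracle so the example runs offline, and the rows are constructed sample data.

```python
"""Queries over an IAU_BASE-shaped audit table (added example, not from the guide).

Only IAU_BASE and the IAU_EVENTTYPE column come from the practice text. The other
column names and the 1 = success / 0 = failure status encoding are ASSUMPTIONS
about the Fusion Middleware audit schema: confirm them with DESCRIBE IAU_BASE on
your own DEV_IAU schema first. SQLite stands in for Oracle so the example runs
offline; the rows are constructed sample data, not records from a lab system.
"""
import sqlite3

SCHEMA = """
CREATE TABLE IAU_BASE (
    IAU_ID              INTEGER PRIMARY KEY,
    IAU_EVENTTYPE       TEXT    NOT NULL,
    IAU_EVENTSTATUS     INTEGER NOT NULL,  -- assumed: 1 = success, 0 = failure
    IAU_INITIATOR       TEXT,              -- assumed: user ID presented to OAM
    IAU_REMOTEIP        TEXT,              -- assumed: client address
    IAU_TSTZORIGINATING TEXT    NOT NULL,  -- ISO-8601 text in place of TIMESTAMP(6)
    IAU_ECID            TEXT               -- assumed: execution context ID
)
"""

# Constructed sample: one successful employee-portal login (event types taken from
# step 7 of the practice), a burst of failed credential checks for a bogus user from
# one address, and one older failure that falls outside the query window used below.
SAMPLE_ROWS = [
    ("SessionValidation",    1, "David.Goldsmith", "10.0.0.5", "2011-07-05T10:00:01", "ecid-1"),
    ("CredentialValidation", 1, "David.Goldsmith", "10.0.0.5", "2011-07-05T10:00:02", "ecid-1"),
    ("Login",                1, "David.Goldsmith", "10.0.0.5", "2011-07-05T10:00:02", "ecid-1"),
    ("Authorization",        1, "David.Goldsmith", "10.0.0.5", "2011-07-05T10:00:03", "ecid-1"),
    ("CredentialValidation", 0, "baduser",         "10.0.0.9", "2011-07-05T10:05:00", "ecid-2"),
    ("CredentialValidation", 0, "baduser",         "10.0.0.9", "2011-07-05T10:05:07", "ecid-3"),
    ("CredentialValidation", 0, "baduser",         "10.0.0.9", "2011-07-05T10:05:15", "ecid-4"),
    ("CredentialValidation", 0, "David.Goldsmith", "10.0.0.5", "2011-07-05T09:00:00", "ecid-0"),
]


def load_sample_store():
    """Create the in-memory stand-in for the DEV_IAU audit store and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO IAU_BASE (IAU_EVENTTYPE, IAU_EVENTSTATUS, IAU_INITIATOR, "
        "IAU_REMOTEIP, IAU_TSTZORIGINATING, IAU_ECID) VALUES (?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def event_type_summary(conn):
    """Step 7b's DISTINCT query, extended to a count per event type."""
    rows = conn.execute(
        "SELECT IAU_EVENTTYPE, COUNT(*) FROM IAU_BASE GROUP BY IAU_EVENTTYPE ORDER BY 1"
    ).fetchall()
    return dict(rows)


def failed_credential_bursts(conn, since, threshold=3, event_type="CredentialValidation"):
    """Initiator/IP pairs with at least `threshold` failed `event_type` events since `since`.

    `since` is ISO-8601 text so the comparison works on the TEXT column above; on
    Oracle you would bind a TIMESTAMP instead. Which event type a wrong password
    produces is itself something to confirm with the DISTINCT query from step 7.
    """
    sql = """
        SELECT IAU_INITIATOR, IAU_REMOTEIP, COUNT(*) AS failures
        FROM IAU_BASE
        WHERE IAU_EVENTTYPE = ?
          AND IAU_EVENTSTATUS = 0
          AND IAU_TSTZORIGINATING >= ?
        GROUP BY IAU_INITIATOR, IAU_REMOTEIP
        HAVING COUNT(*) >= ?
        ORDER BY failures DESC, IAU_INITIATOR
    """
    return conn.execute(sql, (event_type, since, threshold)).fetchall()


if __name__ == "__main__":
    conn = load_sample_store()
    print(event_type_summary(conn))
    for initiator, ip, n in failed_credential_bursts(conn, "2011-07-05T10:00:00"):
        print(f"{n} failed {initiator!r} from {ip}")
```

Against the real store, replace sqlite3 with an Oracle driver connection as DEV_IAU and keep the SQL; only the timestamp binding changes. Note that because of the bus-stop file described in step 6, a failure you just provoked may take a short while to show up in these results.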
Practice 8-3: Configuring Oracle Business Intelligence Publisher for Oracle Fusion Middleware and Oracle Access Manager Reports
Overview
In this practice, you configure Oracle BI Publisher so that you can run reports for analyzing auditing data captured by the Oracle Access Manager server. Oracle BI Publisher is preinstalled on your Windows lab system. In the first task in this practice, you start Oracle BI Publisher to verify the installation. Next, you install templates for Oracle Fusion Middleware reports and for Oracle Access Manager reports. Then you configure Oracle BI Publisher to access the database in which audit records are located.
Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.
Tasks
1. Start Oracle BI Publisher and verify that no reports specific to Oracle Fusion Middleware or Oracle Access Manager have been installed:
a. Start the OC4J instance in which Oracle BI Publisher runs. Select Start > Programs > Oracle - BIPHome1 > Start BI Publisher. A command prompt window appears, and startup messages appear in the window. Oracle BI Publisher startup is complete when the message "Oracle Containers for J2EE 10g (10.1.3.1.0) initialized" appears.
b. Start a browser and navigate to the Oracle BI Publisher application at the following URL: http://your_host.us.oracle.com:9704/xmlpserver. Log in to Oracle BI Publisher as the Administrator user with password Administrator.
c. Click Shared Folders. No reports specific to Oracle Fusion Middleware or Oracle Access Manager appear among the available reports.
2. Install Oracle Fusion Middleware reports in Oracle BI Publisher:
a. Copy the file containing the Oracle Fusion Middleware reports, D:\Middleware\oracle_common\modules\oracle.iau_11.1.1\reports\AuditReportTemplates.jar, to the Oracle BI Publisher reports folder, D:\Middleware\bipub\xmlp\XMLP\Reports\.
b. Unjar the Oracle Fusion Middleware reports. Open a command prompt window and enter the following commands:
cd D:\Middleware\bipub\xmlp\XMLP\Reports
PATH=%PATH%;"D:\Program Files\Java\jdk1.6.0_17\bin"
jar.exe -xvf AuditReportTemplates.jar
Note: This command takes a few minutes to run.
c. Run the dir command in the command prompt window. You should see the Oracle_Fusion_Middleware_Audit directory listed among the other report directories. Leave the command prompt window open for the next task.
d. In the browser, refresh the Shared Folders page in Oracle BI Publisher. A new folder, Oracle_Fusion_Middleware_Audit, appears in the set of available reports.
3. Install Oracle Access Manager reports in Oracle BI Publisher:
a. Copy the file containing the Oracle Access Manager reports, D:\Middleware\idm_home\oam\server\reports\oam_audit_reports_11_1_1_3_0.zip, to the Oracle Fusion Middleware component-specific reports folder, D:\Middleware\bipub\xmlp\XMLP\Reports\Oracle_Fusion_Middleware_Audit\Component_Specific.
b. Unzip the Oracle Access Manager reports. In the command prompt window that you used in Step 2, enter the following commands:
cd Oracle_Fusion_Middleware_Audit\Component_Specific
unzip oam_audit_reports_11_1_1_3_0.zip
c. Run the dir command in the command prompt window. You should see the Oracle_Access_Manager directory listed among the other report directories.
d. In Oracle BI Publisher, click the Component_Specific link under Oracle_Fusion_Middleware_Audit. You should see the Oracle_Access_Manager report folder listed among the other report folders.
4. Configure the data source that Oracle BI Publisher uses to access the audit database:
a. Select the Admin tab in Oracle BI Publisher.
b. Click JDBC Connection under Data Sources.
c. The Data Sources page appears. Verify that the JDBC tab is selected. If the JDBC tab is not selected, select it.
d. Click Add Data Source. The Add Data Source page appears.
e. Fill in the fields in the Add Data Source page as follows:

Field                    Choices or Values
Data Source Name         Audit
Driver Type              Oracle 11g
Database Driver Class    oracle.jdbc.OracleDriver
Connection String        jdbc:oracle:thin:@your_Linux_host:1521:orcl
Username                 DEV_IAU
Password                 Welcome1

f. Click Test Connection. The message "Connection established successfully" should appear. If the connection test is unsuccessful, fix incorrect values in the Add Data Source page and repeat the connection test.
g. Click Apply. The Data Sources page appears, with the Audit data source listed among the available JDBC data sources.
5. Run an Oracle Access Manager audit report in Oracle BI Publisher:
a. In Oracle BI Publisher, select the Reports tab.
b. Click Shared Folders.
c. Click Oracle_Fusion_Middleware_Audit.
d. Click Component_Specific.
e. Click Oracle_Access_Manager.
f. Click Authentication_History under User_Activities. The Authentication History report appears. Review the data in the Authentication History report. The report should list recent authentications to the Oracle Access Manager server. The report includes console logins, because the Oracle Access Manager console is protected by the IDM Domain Agent.
g. Click the Details link for any of the authentications. A new page appears with details about the authentication event.
6. Access the Example Bakery application and click the Employees link. Specify an invalid user ID and password when you are prompted to authenticate. Click Login. You are not granted access to the Example Bakery employee portal.
7. Rerun the Authentication History report. Details about the unsuccessful authentication event should appear in the Authentication History report.
Note: You can use the locator link at the top to navigate to Home > Shared Folders > Oracle_Fusion_Middleware_Audit > Component_Specific > Oracle_Access_Manager.
8. Run the following Oracle Access Manager reports in Oracle BI Publisher:
• The All_Errors_and_Exceptions report (under Errors_and_Exceptions).
• The AuthenticationFromIPByUser report (under Authentication_Statistics). Run this report twice, specifying the SUCCESS authentication status once and the FAILURE authentication status once (set Authentication Status to Success or Failure and click View).
• The AuthenticationPerIP report (under Authentication_Statistics). Run this report twice, specifying the SUCCESS authentication status once and the FAILURE authentication status once.
Review the data in each report after you run it. The results should be consistent with Oracle Access Manager activity. If you have time, use the Example Bakery and My Bank applications to generate more Oracle Access Manager audit events, then run the reports and review how the events are captured in the audit reports.
9. Sign out of the Oracle BI Publisher application.
10. To improve performance of your lab system, stop the OC4J instance in which Oracle BI Publisher runs. Select Start > Programs > Oracle - BIPHome1 > Stop BI Publisher. The command prompt window running the Oracle BI Publisher OC4J process disappears.
Practice 8-4: Examining the Default Logging Configuration
Overview
In this practice, you start working with the Oracle Fusion Middleware logging subsystem. You start by shutting down the active servers and deleting the log files. You remove the log files to ensure that the logging records you examine in this practice are generated only by the activities performed in this practice. Then you use the FMW Control application to review the default logging configuration.
Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.
Tasks
1. Stop the WebLogic administration server and the managed server instance that runs the Oracle Access Manager server, delete the log files, and then restart the server instances:
a. Stop the AdminServer and oam_server1 servers.
Note: If you have forgotten how to stop and start the WebLogic Server instances on your lab system, refer to the procedure detailed previously in these practices.
b. Open a Windows Explorer window and navigate to the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs directory. Delete all files that have names starting with the string oam_server1-diagnostic. If you are not able to delete the oam_server1-diagnostic.log file, wait several seconds and try again. The servers must be completely shut down before you can delete this file.
Note: The oam_server1-diagnostic.log file is the active Oracle Access Manager server log file. Files with the name oam_server1-diagnostic-xx.log, where xx is a number, are archived log files. You configure the max file size and max directory size of archived log files in the Audit Configuration tab page of the Server Common Properties page in the Oracle Access Manager console.
c. Start the AdminServer and oam_server1 servers.
2. Navigate to the following URL to start FMW Control: http://your_host.us.oracle.com:7001/em. Log in as the weblogic user. The password is Welcome1.
3. Navigate to the logging configuration:
a. In the left window pane, navigate to Farm_oam_domain > WebLogic Domain > oam_domain > oam_server1.
b. Click oam_server1. The oam_server1 page appears in the right window pane. A menu with options to view configuration objects appears below the oam_server1 label.
c. Select WebLogic Server > Logs > Log Configuration from the menu. The Log Configuration page appears in FMW Control.
4. Examine the default log levels in the logging configuration:
a. Select the Log Levels tab.
b. Expand the Root Logger > oracle > oracle.oam node in the navigator that appears in the Logger Name column. Loggers in the oracle.oam node should now be visible.
c. Locate the log level for the oracle logger, the parent logger for all Oracle Fusion Middleware loggers. The oracle logger's log level is set to the NOTIFICATION:1 level.
d. Locate the log level for the oracle.oam logger. The oracle.oam logger's level is set to the NOTIFICATION:1 level and is inherited from its parent logger.
e. Browse the list of child loggers of the oracle.oam logger. Each child logger's log level is set to the NOTIFICATION:1 level and is inherited from its parent logger.
5. Examine the log file settings in the logging configuration:
a. Review the Log File column for the Oracle Fusion Middleware loggers. The odl-handler log file is listed for all Oracle Fusion Middleware loggers.
b. Select the Log Files tab.
c. Select the entry for the odl-handler log file and click Edit Configuration. The Edit Log File dialog box appears, displaying the logging configuration for the odl-handler log file.
d. Note the value of the Log Path: D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\oam_server1-diagnostic.log. This path is the default location of the Oracle Access Manager server log file.
e. Click Cancel to close the Edit Log File dialog box without changing the log file configuration.
f. Log out of FMW Control.
6. Review the log file's current size and content:
a. Open a Windows Explorer window and navigate to the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs directory.
b. Note the oam_server1-diagnostic.log file's size for use in a subsequent step.
c. Open the oam_server1-diagnostic.log file and browse the log messages in the file. The third bracketed column of each log record contains the message log level. Verify that only messages with the log levels NOTIFICATION, WARNING, and ERROR are in the log file.
7. Examine the impact of an invalid login on the log file when the default logging configuration is in effect:
a. Clear cache and cookies for the browser.
b. Access the Example Bakery application and click the Employees link. Specify an invalid user ID and password when you are prompted to authenticate. Click Login. You are not granted access to the Example Bakery employee portal.
c. Open a Windows Explorer window and navigate to the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs directory.
d. Note the oam_server1-diagnostic.log file's size. Compare the file size to the file size you noted in a previous step. The difference in the file size should be relatively small (under 100 KB) if you performed the previous two steps relatively quickly. Note the new file size for use in a subsequent practice.
8. (Optional) Open the oam_server1-diagnostic.log file and see if you can locate messages that diagnose why the attempt to authenticate to the Oracle Access Manager server failed. (Note: Search for the word "Error".)
Practice 8-5: Reviewing Log Messages in FMW Control
Overview
In this practice, you use the tools available in FMW Control to locate, review, and analyze log messages. In one task in this practice, you view messages associated with an execution context. The execution context ID (ECID) is a globally unique identifier associated with a thread of execution. Using the ECID, you can correlate log messages. By searching for related messages using the message correlation information, you can examine multiple messages and identify the component that first generated a problem. Message correlation data can help establish a clear path for a diagnostic message across components, within which errors and related behavior can be understood.
Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.
Tasks
1. Navigate to the following URL to start FMW Control: http://your_host.us.oracle.com:7001/em. Log in as the weblogic user. The password is Welcome1.
2. In FMW Control, select WebLogic Server > Logs > View Log Messages. The Log Messages page appears.
3. Review the types of messages that appear in the message list and observe the check box settings in the Message Types field. By default, only ERROR level messages appear in the message list.
4. Locate the error message that was logged when you attempted to authenticate to the Example Bakery site with an invalid user ID. The message ID for the error message is OAMSSA-20023.
5. Select the OAMSSA-20023 error message so that it is highlighted. Details about the error appear in the window pane below the message list.
6. Review messages in the execution context that produced the authentication failure:
a. Click the ECID link in the message details. Log messages pertaining to the execution context that caused the failed login appear in the message list. Observe that messages with the NOTIFICATION log level are now present in the message list.
b. Locate the message that indicates that the ExampleLDAPScheme authentication scheme was used in the authentication operation.
c. Locate the message that indicates that credential collection was part of the execution thread.
d. Click the Log Messages link in the locator link above the message list. The original message list, containing only ERROR level messages, reappears.
7. Locate a set of log messages that pertain to a successful authentication:
a. Authenticate successfully to the Example Bakery employee portal as user David.Goldsmith.
b. Select the Notification check box in the Message Types field of the Log Messages page in FMW Control.
c. Click Search. NOTIFICATION level messages now appear in the Log Messages page.
d. Further constrain the search by typing employeeHome.html in the Message field and clicking Search.
e. Select one of the messages that log an isResourceProtected() call. Review the details that appear in the window pane below the message list.
f. Click the ECID in the message detail pane. All the messages in the execution context appear in the message list.
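Practice 8-4 (checking which levels appear in oam_server1-diagnostic.log) and Practice 8-5 (pulling every message that shares the ECID of the OAMSSA-20023 error) are done by eye in FMW Control. The following Python is an added example, not part of this guide or of Oracle's tooling, that does the same two things over the ODL text format the diagnostic log is written in: each record starts with a run of bracketed fields (timestamp, server, level, message ID, logger, then key: value fields such as tid, userId and ecid) followed by the message text, and lines that do not start a new record continue the previous message. SAMPLE_LOG is constructed; only OAMSSA-20023, ExampleLDAPScheme, isResourceProtected(), the oracle.oam logger prefix and the level names are taken from the practices, while the ECIDs, thread names, timestamps and message texts are invented.

```python
"""Parse ODL diagnostic-log records and correlate them by ECID (added example).

Not code from the guide or from Oracle. SAMPLE_LOG is CONSTRUCTED to resemble
oam_server1-diagnostic.log: OAMSSA-20023, ExampleLDAPScheme, isResourceProtected()
and the oracle.oam logger prefix come from Practices 8-4 and 8-5; the ECIDs,
thread names, timestamps and message texts are invented.
"""
from collections import Counter

# The only levels Practice 8-4 step 6c expects at the default NOTIFICATION:1 setting.
DEFAULT_LEVELS = {"NOTIFICATION", "WARNING", "ERROR"}

_TID = "tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'"
SAMPLE_LOG = f"""\
[2011-07-05T10:05:00.101-07:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.controller] [{_TID}] [userId: <anonymous>] [ecid: 0000J0AAAA,0] [APP: oam_server] Authentication scheme ExampleLDAPScheme selected for /example/employeeHome.html
[2011-07-05T10:05:00.104-07:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.controller] [{_TID}] [userId: <anonymous>] [ecid: 0000J0AAAA,0] [APP: oam_server] Credential collection: redirecting to the login form
[2011-07-05T10:05:02.377-07:00] [oam_server1] [ERROR] [OAMSSA-20023] [oracle.oam.user.identity.provider] [{_TID}] [userId: <anonymous>] [ecid: 0000J0AAAA,0] [APP: oam_server] Authentication failure for user bogus.user
constructed continuation line: invalid credentials
[2011-07-05T10:06:10.002-07:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.engine.policy] [{_TID}] [userId: David.Goldsmith] [ecid: 0000J0BBBB,0] [APP: oam_server] isResourceProtected(): /example/employeeHome.html is protected
[2011-07-05T10:06:10.003-07:00] [oam_server1] [TRACE:32] [] [oracle.oam.engine.policy] [{_TID}] [userId: David.Goldsmith] [ecid: 0000J0BBBB,0] [APP: oam_server] isResourceProtected() entering
[2011-07-05T10:06:11.500-07:00] [oam_server1] [WARNING] [] [oracle.oam.config] [{_TID}] [userId: <anonymous>] [ecid: 0000J0CCCC,0] [APP: oam_server] constructed warning text
"""


def _split_fields(line):
    """Peel the leading [...] fields off an ODL record; the tid field nests brackets."""
    fields, i, n = [], 0, len(line)
    while i < n and line[i] == "[":
        depth, j = 0, i
        while j < n:
            if line[j] == "[":
                depth += 1
            elif line[j] == "]":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if depth != 0:                      # unbalanced brackets: not a record header
            return [], line
        fields.append(line[i + 1:j])
        i = j + 1
        while i < n and line[i] == " ":
            i += 1
    return fields, line[i:]


def parse_odl_line(line):
    """Return a dict for one ODL record header, or None if the line does not start one."""
    fields, message = _split_fields(line.rstrip("\n"))
    if len(fields) < 5:
        return None
    rec = {
        "timestamp": fields[0],
        "server": fields[1],
        "level": fields[2].split(":", 1)[0],   # TRACE:32 -> TRACE, NOTIFICATION:16 -> NOTIFICATION
        "level_raw": fields[2],
        "msg_id": fields[3],
        "logger": fields[4],
        "message": message,
    }
    for field in fields[5:]:                   # supplemental "key: value" fields
        key, sep, value = field.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    if "ecid" in rec:                          # "ecid: <ECID>,<RID>": keep both parts
        rec["ecid"], _, rec["rid"] = rec["ecid"].partition(",")
    return rec


def parse_odl(text):
    """Parse a whole log; lines that do not start a record continue the previous message."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_odl_line(line)
        if rec is not None:
            records.append(rec)
        elif records:
            records[-1]["message"] += "\n" + line
    return records


def level_histogram(records):
    """Count records per level (Practice 8-4 step 6c; also shows TRACE volume after 8-6)."""
    return Counter(r["level"] for r in records)


def unexpected_levels(records, allowed=DEFAULT_LEVELS):
    """Levels present that the current logger configuration should not produce."""
    return set(level_histogram(records)) - set(allowed)


def ecid_of_first(records, msg_id):
    """ECID of the first record carrying msg_id, e.g. OAMSSA-20023 (Practice 8-5 step 5)."""
    return next((r["ecid"] for r in records if r["msg_id"] == msg_id), None)


def by_ecid(records, ecid):
    """All records in one execution context, in log order (the ECID link in step 6a)."""
    return [r for r in records if r.get("ecid") == ecid]


if __name__ == "__main__":
    recs = parse_odl(SAMPLE_LOG)
    print(dict(level_histogram(recs)), "unexpected:", unexpected_levels(recs))
    for r in by_ecid(recs, ecid_of_first(recs, "OAMSSA-20023")):
        print(r["timestamp"], r["level"], r["logger"], r["message"].splitlines()[0])
```

To use it on the lab file, call parse_odl() on the contents of oam_server1-diagnostic.log (or the rolled-over oam_server1-diagnostic-1.log): unexpected_levels() returning {'TRACE'} after Practice 8-6 and an empty set after Practice 8-7 is the scripted form of the eyeball check in those practices, and by_ecid() reproduces what clicking the ECID link shows, without the console.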
Practice 8-6: Increasing the Log Level
Overview
In this practice, you increase the log level for the oracle.oam logger to the TRACE:32 log level. Then you examine the impact of the increased log level on logger output.
Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.
• You are still logged in to FMW Control.
• You noted the oam_server1-diagnostic.log file's size in a previous practice.
Tasks
1. Increase the log level in FMW Control:
a. In the menu in the right window pane, select WebLogic Server > Logs > Log Configuration.
b. Select the Log Levels tab.
c. Expand the navigator in the Logger Name column to the Root Logger > oracle node.
d. Locate the entry for the oracle.oam logger.
e. Set the log level for the oracle.oam logger to the TRACE:32 (FINEST) log level.
f. Click Apply.
g. Click Close to close the Confirmation dialog box.
2. Note the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\oam_server1-diagnostic.log file's current size.
3. Perform several access management operations so that the Oracle Access Manager server generates log records:
a. Log out of the Example Bakery application by navigating to the central logout page, http://your_host.us.oracle.com:7778/logout1.html.
b. Access the Example Bakery application and click the Employees link. Specify an invalid user ID and password when you are prompted to authenticate. Click Login. You are not granted access to the Example Bakery employee portal.
c. Authenticate successfully to the Example Bakery employee portal as user David.Goldsmith.
d. Log out of the Example Bakery application by navigating to the central logout page, http://your_host.us.oracle.com:7778/logout1.html.
4. Compare the size of the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\oam_server1-diagnostic.log file to the size you recorded before performing the access management operations. The file should have grown considerably; much more than when you observed changes to the file size while the log level for the oracle.oam logger was NOTIFICATION.
Note: It is possible that the file has grown so large that its contents have rolled over to the archive file oam_server1-diagnostic-1.log. In this case, the oam_server1-diagnostic.log file may be smaller than the size you recorded prior to the start of this practice.
5. Open the oam_server1-diagnostic.log file. Observe the presence of a large number of TRACE level messages in the log file.
Practice 8-7: Resetting the Log Level Back to the Default Level
Overview
In this practice, you reset the oracle.oam logger's log level back to the NOTIFICATION level. Reducing the log level reduces the amount of log output and improves Oracle Access Manager server performance for subsequent practices.
Assumptions
• You have completed all previous practices successfully.
• You perform this practice on your Windows lab system.
• You are still logged in to FMW Control.
Tasks
1. Reset the log level in FMW Control:
a. In the menu in the right window pane, select WebLogic Server > Logs > Log Configuration.
b. Select the Log Levels tab.
c. Expand the Root Logger > oracle node in the navigator that appears in the Logger Name column.
d. Locate the entry for the oracle.oam logger.
e. Set the log level for the oracle.oam logger to the NOTIFICATION:1 (INFO) log level.
f. Click Apply.
g. Click Close to close the Confirmation dialog box.
2. Perform several access management operations so that the Oracle Access Manager server generates log records:
a. Access the Example Bakery application and click the Employees link. Specify an invalid user ID and password when you are prompted to authenticate. Click Login. You are not granted access to the Example Bakery employee portal.
b. Authenticate successfully to the Example Bakery employee portal as user David.Goldsmith.
c. Log out of the Example Bakery application by navigating to the central logout page, http://your_host.us.oracle.com:7778/logout1.html.
3. Verify that the NOTIFICATION log level is now in effect:
a. Open the oam_server1-diagnostic.log file (or oam_server1-diagnostic-X.log in case of log file rollover).
b. Scroll to the bottom of the file.
c. Verify that the most recently generated log messages are all NOTIFICATION level messages.
Practices for Lesson 9 Chapter 9
Practices for Lesson 9
Practices Overview
Typically, in an enterprise, single sign-on is not provided by a single SSO server but by a number of servers behind a load balancer. When the SSO server needs to be upgraded from OSSO 10g to OAM 11g, all the partners registered with the OSSO server need to be migrated. Following that, every OSSO server in the cluster needs to be replaced by an OAM server. Therefore, while upgrading OSSO 10g to OAM 11g, both servers have to coexist. The load balancer can route the authentication request to any of the SSO servers. Once a user is authenticated by either of the servers, the user must be able to access any of the partner applications without logging in again. However, currently, a user authenticated by the OAM server is not recognized by the OSSO server and vice versa. That is because the 10g server uses a cookie called SSO_ID to manage session details, and OAM 11g uses another cookie called OAM_ID to manage its session details. To elaborate further, the 10g SSO server understands only the SSO_ID cookie, and OAM 11g understands only the OAM_ID cookie. In order to provide coexistence of both servers, the 11g OAM server needs to be modified to be able to understand the 10g SSO_ID cookie, and also to be able to create a 10g SSO_ID cookie. This ensures coexistence of 10g SSO servers and 11g OAM servers in a cluster. In coexistence mode, the OAM servers generate and update 10g SSO_ID cookies so that, no matter where the user's authentication request is routed, the user session is intact.
OAM 11g coexistence with OSSO 10g servers: The 11g OAM server keeps track of its session by setting an OAM_ID cookie. The 10g SSO server keeps track of its session details by setting an SSO_ID cookie. Because these cookies are of different formats, the 11g OAM server cannot understand the 10g SSO cookie format and vice versa.
To aid understanding, consider the following setup and understand the behavior in both the normal and the coexistence scenario:
A load balancer front-ends both SSO 10g and OAM 11g servers. A partner OHS is registered with the 10g SSO server, and the 10g SSO partners are migrated to the 11g OAM server.
Without coexistence: If the user is authenticated by the 10g SSO server, an SSO_ID cookie is created and set. If the user tries to access the resource again, and the LBR routes the request to the 11g OAM server, the 11g OAM server checks for an OAM_ID cookie and shows a login page for user authentication, because it is unable to read the SSO_ID cookie and recognize the session.
With coexistence: If the user is authenticated by the 10g SSO server, an SSO_ID cookie is created and set. If the user tries to access the resource again, and the LBR routes the request to the 11g OAM server, the 11g OAM server has the built-in capability to read and understand the SSO_ID cookie, thereby validating the user without asking the user to enter credentials again.
Key Lab Steps:
1. Install an OHS 11g server named Partner OHS in this lab. (Note: OSSO 10g along with 10g OHS has been preinstalled.)
2. Install a partner application on this OHS. This can be a simple HTML page (or you can protect the index.html welcome page as well).
3. Register this partner application with the OSSO 10g server. Note that because the load balancer front-ends the OSSO 10g servers, partner registration must be done with the load balancer URL. Copy the generated configuration file to the OHS server.
4. Access the partner application. This partner application should now be protected by the OSSO 10g server.
5. Front-end the OAM 11g server with the same load balancer that front-ends the OSSO 10g server.
6. Upgrade the existing OSSO 10g servers to OAM 11g servers (run the Upgrade Assistant). (Back-end upgrade.)
7. View the partner application migration to the OAM 11g server by using the OAM admin console.
8. Verify coexistence: Now that the OAM and OSSO 10g servers are working in coexistence mode, try to access the partner applications and verify that single sign-on works. Also verify that a user does not have to log in again if the user is already authenticated by either the OAM 11g or the OSSO 10g servers. Shut down one of the OSSO servers and make sure that the partner application is still protected.
9. After a successful upgrade, upgrade the mod_osso agent to a WebGate agent. WebGate agents are more popular than mod_osso because of the extra authorization capabilities available at run time as well as the centralized session management capabilities; for instance, an administrator can delete sessions from the OAM admin console so that the user in question is forced to reauthenticate.
10. Configure WebGate 11g on the new OHS (created in Step 1).
11. Remove mod_osso.
12. Restart OHS and verify the successful upgrade from mod_osso to WebGate 11g. (Front-end upgrade.)
Pictorial representation of the use case to show upgrade and test-to-production (horizontal migration) is as follows:
Practice 9-1: Verify OSSO 10g Server and Configure New OHS Instance

Overview
In this practice, you validate that the pre-installed OSSO 10g server (including infrastructure) instance is up and running. Next, you configure a new OHS instance: ohs_partner.

Tasks
1. From the browser window, enter http://.us.oracle.com:18100.
2. Enter ias_admin and Welcome1 on the login page.
3. Click the Standalone Instance link.
4. Make sure that all the components are up and running (status green up arrow).
   Note: You can also check the status of components by navigating to d:\osso10g\opmn\bin on the command line window and using the opmnctl status command.
   Note: DSA and LogLoader components will show a status of "down."
5. Navigate to Start > Programs > Oracle Application Server Infrastructure-oracleas > Integrated Management Tools > Oracle Directory Manager.
6. Log in by using orcladmin and Welcome1.
7. From the browser window, enter http://.us.oracle.com:7777/sso to open the SSO home page.
8. Click the Login link on the top-right corner and log in as any authenticated user, such as orcladmin with the password Welcome1. You should see all the partner applications registered with the OSSO 10g server.
9. Navigate to d:\middleware\ohs_home\bin and double-click config.bat. Use the table as a guide to configure a new OHS instance ohs_partner:

   Step | Window/Page Description | Choices or Values
   a. | Welcome | Next
   b. | Configure Components | Deselect Oracle Web Cache. Deselect Associate Selected Components with WebLogic Domain.
   c. | Specify Component Details | Instance Home Location: d:\middleware\ohs_home\instances\ohs_partner; Instance Name: ohs_partner; OHS Component Name: ohs1
   d. | Configure Ports | Auto Ports Configuration
   e. | Specify Security Updates | Deselect "I wish to receive security updates from My Oracle Support." Select Yes on the Warning pop-up windows.
   f. | Installation Summary | Configure
   g. | Configuration Progress | Next
   h. | Installation Complete | Finish

10. Navigate to D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\htdocs. Rename welcome-index.html as welcome-index.html.bak. Copy welcome-index.ohs_partner.html from d:\labs\lesson09 to D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\htdocs. Rename welcome-index.ohs_partner.html as welcome-index.html.
11. On the command line, navigate to d:\middleware\ohs_home\instances\ohs_partner\bin and issue the following command:
   opmnctl status -l
   Notice the HTTP listen port of 7781.
12. On the browser window, type http://.us.oracle.com:7781 to get to the Welcome page of Oracle Fusion Middleware. Notice the message, "Welcome to the OHS_Partner Instance Running on Port 7781."
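The status checks in Steps 4 and 11 above (and the same opmnctl status check repeated in Practice 9-7) are done by eye in this guide. The following Python script is an added example, not part of the Oracle guide or of OPMN itself: it parses the pipe-separated table that opmnctl status and opmnctl status -l print, applies the guide's acceptance rule (every component Alive, except DSA and LogLoader, which are expected to be Down), and reads the HTTP listen port off the -l output. The two sample outputs are constructed in the shape of real opmnctl output; the instance names, pids and the extra -l columns are assumptions, not captured from a lab machine.

```python
# Added example, not part of the Oracle guide or of OPMN: parse "opmnctl status"
# output and apply the guide's rule that only DSA and LogLoader may be Down.
from typing import Dict, List, Optional, Set, Tuple

EXPECTED_DOWN: Set[str] = {"DSA", "LogLoader"}   # the guide's stated exceptions


def parse_opmn_status(output: str) -> List[Dict[str, str]]:
    """Turn the pipe-separated table printed by opmnctl into row dicts.

    The header row (the one starting with 'ias-component') supplies the keys,
    so the same parser handles both the 10g table and the wider -l table.
    """
    columns: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in output.splitlines():
        if "|" not in line or set(line.strip()) <= set("-+"):
            continue                      # banner line, separator rule, blank
        cells = [c.strip() for c in line.split("|")]
        if cells[0] == "ias-component":
            columns = cells               # header row defines the keys
            continue
        if columns and len(cells) == len(columns):
            rows.append(dict(zip(columns, cells)))
    return rows


def check_components(rows: List[Dict[str, str]],
                     expected_down: Set[str] = EXPECTED_DOWN) -> Tuple[bool, List[str]]:
    """Return (healthy, problems): every component must be Alive unless the
    guide says it is expected to be Down."""
    problems = [f"{r['ias-component']} ({r['process-type']}) is {r['status']}"
                for r in rows
                if r["status"] != "Alive" and r["ias-component"] not in expected_down]
    return (not problems, problems)


def http_listen_port(rows: List[Dict[str, str]]) -> Optional[int]:
    """Pick the plain http listen port out of the 'ports' column of -l output."""
    for row in rows:
        for entry in row.get("ports", "").split(","):
            proto, _, port = entry.strip().partition(":")
            if proto == "http" and port.isdigit():
                return int(port)
    return None


# Constructed sample: a 10g infrastructure instance in the state the guide
# calls healthy (DSA and LogLoader Down, everything else Alive). Made-up pids.
SAMPLE_10G_STATUS = """\
Processes in Instance: infra.constructed.example
-------------------+--------------------+---------+---------
ias-component      | process-type       |     pid | status
-------------------+--------------------+---------+---------
LogLoader          | logloaderd         |     N/A | Down
dcm-daemon         | dcm-daemon         |    1201 | Alive
OC4J               | OC4J_SECURITY      |    1202 | Alive
HTTP_Server        | HTTP_Server        |    1203 | Alive
DSA                | DSA                |     N/A | Down
OID                | OID                |    1204 | Alive
"""

# Same instance with HTTP_Server stopped (the state after Practice 9-7 step 8).
SAMPLE_10G_DEGRADED = SAMPLE_10G_STATUS.replace("|    1203 | Alive", "|     N/A | Down")

# Constructed sample of "opmnctl status -l" for the ohs_partner instance.
SAMPLE_11G_STATUS_L = """\
Processes in Instance: ohs_partner
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ohs1                             | OHS                |    5104 | Alive    | 1436226633 |   123456 |   0:00:38 | https:9999,https:4443,http:7781
"""

if __name__ == "__main__":
    for label, text in (("healthy", SAMPLE_10G_STATUS), ("degraded", SAMPLE_10G_DEGRADED)):
        ok, problems = check_components(parse_opmn_status(text))
        print(f"{label}: healthy={ok} problems={problems}")
    print("ohs_partner http port:", http_listen_port(parse_opmn_status(SAMPLE_11G_STATUS_L)))
```

To use it on a real machine, save the command output to a file (for example opmnctl status -l > status.txt) and pass the file contents to parse_opmn_status; the expected_down set is the only lab-specific knowledge in the script.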
Practice 9-2: Configure OSSO 10g to Work with Load Balancer

Overview
In this practice, you configure OSSO 10g to work with the software load balancer: HAProxy.

Tasks
1. Move to a Linux machine. From the terminal window, navigate to /home/oracle/haproxy-1.4.8 and edit the oamconfig.txt file as shown below:
   cd /home/oracle/haproxy-1.4.8
   vi oamconfig.txt
   Read the file, paying close attention to the following four lines:
   listen oam-ha edtdr35p1.us.oracle.com:8888
   balance roundrobin
   server OHSSrv1_10g edtdr35p2.us.oracle.com:7777 cookie OHSSrv1_10g check inter 1000
   server OAMSrv2_11g edtdr35p2.us.oracle.com:14100 cookie OAMSrv2_11g check inter 1000
   The first line is the URL for the LBR, and the third and fourth lines are the redirect URLs for OSSO 10g and OAM 11g, between which the LBR uses a round-robin algorithm (second line). Replace the host name edtdr35p1 with your Linux machine host name and edtdr35p2 with your Windows machine host name. Press i (Insert mode) to make the change, followed by Esc (exit Insert mode) and finally :wq! (save and quit).
2. Start the load balancer by using the following command:
   cd /home/oracle/haproxy-1.4.8
   ./haproxy -f oamconfig.txt
   Note: You may see a warning stating, "logformat ignored for proxy 'oam-ha' since it has no log address." Ignore this warning.
3. Keep this terminal window open.
   Note: If you have to stop the HAProxy load balancer at any point, press Ctrl + C in this terminal window, or open a new terminal window, navigate to /home/oracle/haproxy-1.4.8, and issue the command: killall haproxy
4. Move back to the Windows machine. Open the httpd.conf file for the OHS front-ending the OSSO 10g server under d:\osso10g\Apache\Apache\conf, and find and replace the following entries:
   Change the ServerName entry to the LBR host name (.us.oracle.com), that is, ServerName .us.oracle.com
   Change the Port entry to point to the LBR port number (8888), that is, Port 8888
   Click Save.
5. For the above changes to take effect, you need to restart the OHS. Navigate to d:\osso10g\opmn\bin on the command line window, and enter:
   opmnctl stopproc ias-component=HTTP_Server
   opmnctl startproc ias-component=HTTP_Server
6. Run the following script from the command line window:
   set ORACLE_HOME=d:\osso10g
   cd d:\osso10g\sso\bin
   ssocfg.bat http .us.oracle.com 8888
   It should return the message, "SSO Server re-configuration finished." This script configures the single sign-on server to accept authentication requests from the externally published address (LBR).
7. Bring down oam_server1 by using either Ctrl + C on the command line window from where it was started, or the WLS admin console.
8. Verify that the LBR setup is working correctly. Close all browsers. Open a new browser window, and try accessing the OSSO 10g home page through the LBR by entering: http://.us.oracle.com:8888/sso. This should bring up the OSSO home page. Also, try accessing the OSSO home page by using the original URL: http://.us.oracle.com:7777/sso. This should bring up the OSSO 10g server's home page. Notice the URL. It should look like this: http://.us.oracle.com:8888/sso/pages/index.jsp
Practice 9-3: Register Partner OHS with OSSO 10g

Overview
In this practice, you register the newly configured OHS partner instance with the OSSO 10g server.

Tasks
1. Open a new command line window, and set the ORACLE_HOME environment variable as follows:
   set ORACLE_HOME=d:\osso10g
   Make sure the environment variable is set by issuing the following command:
   echo %ORACLE_HOME%
2. Navigate to d:\osso10g\sso\bin and run the following command to register the partner OHS with OSSO 10g:
   ssoreg.bat -oracle_home_path d:\osso10g -site_name .us.oracle.com:7781 -config_mod_osso TRUE -mod_osso_url http://.us.oracle.com:7781 -remote_midtier -config_file D:\osso10g\Apache\Apache\conf\osso\_7781_osso.conf
   A successful run of the above command should return the message, "SSO registration tool finished successfully."
3. Check the log file d:\osso10g\sso\log\ssoreg.log to see the details of the ssoreg tool registration.
4. Move the _7781_osso.conf file (this is an obfuscated file) from d:\osso10g\Apache\Apache\conf\osso to d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1.
5. Copy mod_osso.conf from the disabled directory (under D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1) to the moduleconf directory (under D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1).
6. Edit d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\moduleconf\mod_osso.conf using Notepad and change the entries as follows (in the printed guide the entries to change are shown in bold; the OssoConfigFile entry must point to the _7781_osso.conf file you moved in Step 4):
   LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
   OssoIpCheck off
   OssoIdleTimeout off
   OssoSecureCookies off
   OssoConfigFile d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\_7781_osso.conf

   #
   # Insert Protected Resources: (see Notes below for
   # how to protect resources)
   #
   #______#
   # Notes #
   #______#
   # 1. Here's what you need to add to protect a resource,
   #    e.g. /htdocs/private:
   #
   #      <Location /private>
   #      require valid-user
   #      AuthType Osso
   #      </Location>
   #
   # If you would like to have short hostnames redirected to
   # fully qualified hostnames to allow clients that need
   # authentication via mod_osso to be able to enter short
   # hostnames into their browsers uncomment out the following
   # lines
   #
   #PerlModule Apache::ShortHostnameRedirect
   #PerlHeaderParserHandler Apache::ShortHostnameRedirect

   Note: The mod_osso.conf file contains all the configuration for enabling OSSO, such as where the _7781_osso.conf file is located, what URLs to protect, whether ObOssoCookie is secured, and so on. The _7781_osso.conf file contains the configuration on how to connect to the OSSO server (host:port and so on). You copy the mod_osso.conf file to the moduleconf directory because the path to this folder is configured in the httpd.conf file.
7. Edit the d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\httpd.conf file, search for the ServerName directive, and replace the value as shown below (in all lowercase):
   ServerName .us.oracle.com:7781
   Note: You make this change so that the OSSO server can perform a correct reverse lookup during redirection after authentication.
Practice 9-4: Restart OHS Partner Instance and Verify SSO to Partner Application

Overview
In this practice, you restart the OHS partner instance for the changes made in the previous practice to take effect, and then test to make sure that the partner application URL http://.us.oracle.com:7781 is protected by using OSSO 10g.

Tasks
1. On the command line window, navigate to d:\middleware\ohs_home\instances\ohs_partner\bin. Restart the OHS instance by using the following commands:
   opmnctl stopall
   opmnctl startall
2. Now you verify the configuration by accessing the protected application URL http://.us.oracle.com:7781.
3. Enter the URL http://.us.oracle.com:7781 and press Enter.
4. You should be redirected to the OSSO 10g login page. (Also note that the URL contains the LBR host name and 8888 as the port.)
5. Enter orcladmin and Welcome1 as the user ID and password. Click Login. The OHS Welcome page should be displayed.
Practice 9-5: Run the Upgrade Assistant

Overview
To perform the partner migration, which migrates the OSSO 10g partners and the user store to the OAM 11g server, you run the Upgrade Assistant tool, which is available under \idm_home\bin.

Tasks
1. Navigate to d:\middleware\idm_home\bin and double-click ua.bat.
2. Use the table as a guide to populate the fields of the Upgrade Assistant:

   Step | Window/Page Description | Choices or Values
   a. | Welcome | Next
   b. | Specify Operation | Upgrade Oracle Access Manager Middle Tier
   c. | Specify Source Details | Properties File: D:\osso10g\sso\conf\policy.properties; Database Host: .us.oracle.com (Note: Use your Windows machine because the infrastructure database for OSSO 10g is installed on it.); Database Port: 1521; Database Service: asdb.us.oracle.com; SYS Password: Welcome1
   d. | Specify OID Details | OID Host: .us.oracle.com (Note: This OID is the OSSO 10g user directory and not the OAM 11g user directory. In this exercise, they happen to be the same OID directory server instance so as to keep the footprint of the lab machines manageable and avoid having multiple OID instances running on the boxes. In reality, however, these two OID instances could very well be distinct.); OID SSL Port: 13130 (Note: You can find this port in d:\osso10g\install\portlist.ini); OID Password: Welcome1
   e. | Specify WebLogic Server | Host: .us.oracle.com; Port: 7001; Username: weblogic; Password: Welcome1
   f. | Specify Upgrade Options | Make sure "Start Destination Components after Successful Upgrade" is selected
   g. | Examining Components | Next
   h. | Upgrade Summary | Upgrade (Note: The WebLogic node manager is invoked by the Upgrade Assistant to start oam_server1. If you didn't configure the node manager or if it is not started, you can start oam_server1 manually.)
   i. | Start Destination | OK
   j. | Upgrading Components | Next
   k. | Upgrade Complete | Before you click Close, read the Upgrade Summary carefully. This summary is also available at D:\middleware\idm_home\upgrade\logs\postupgrade.txt. View the log file by clicking the d:\middleware\idm_home\upgrade\logs\ua.log link.

3. Open the oam-config.xml file in WordPad under D:\middleware\user_projects\domains\oam_domain\config\fmwconfig to check that CoexistMode is set to true. This means that the 11g OAM server is now configured to work in coexistence mode.
Practice 9-6: View the Migrated Content and Configure User Identity Store in OAM Admin Console

Overview
As part of the upgrade process, the Upgrade Assistant not only migrates the partner applications from the OSSO 10g to the OAM 11g server, but also migrates the user store definition for OSSO 10g (OID 10.1.4.0.1). However, after the upgrade, it does not automatically make this user store the primary user store. Hence, in your labs, after the upgrade, you need to set the new user identity store as the primary store. (The new user identity store definition is visible through the OAM admin console.) Also note that it maps the Administrators group as the OAM administrator's role in the new OID user identity store definition in the OAM admin console. Before you set the migratedUserIdentityStore as the primary store, you can either create a group named cn=Administrators,cn=groups,dc=us,dc=oracle,dc=com in OID, or change the OAM administrator's role value from Administrators to a group already present in OID, such as oam_admin (in this case). Finally, you can add users to that group. These users would be able to log in to the OAM admin console.
In this practice, you view the migrated contents by using the OAM admin console to verify that the partner migration was successful and is ready for coexistence.

Tasks
1. Log in to the OAM admin console by using Vishal.Parashar and Welcome1. Navigate to System Configuration > Agents > OSSO Agents. Explore by editing the two new OSSO agents registered as a result of the migration, one for each mod_osso that was registered with the OSSO server: on port 7777 (front-end OHS) and on port 7781 (partner OHS).
2. Navigate to Data Sources > User Identity Stores > Migrated UserIdentityStore. This is the new identity store definition after the migration. It is for OID 10g (on the SSL port 13130). Notice the OAM administrator's role mapped to Administrators.
   Note: There is a second user identity store definition on port 13060: OID_UserStore. This is the one you created in Practice 4.
3. Change the OAM administrator's role from Administrators to oam_admin. Click Apply. Click Set as Primary. Click Apply.
4. Navigate to the Policy Configuration tab and view the properties of the new host identifier, migratedSSOPartners. Observe the host names set to this host identifier. View the properties of the new application domain, migratedSSOPartners. Notice that there are no authorization policies, only an authentication policy. Explore the authentication policy for migratedSSOPartners. Notice that the authentication scheme SSOCoexistMigrateScheme is attached to the authentication policy. View the properties of this scheme under the Authentication Schemes node (under Shared Components).
Practice 9-7: Coexistence Verification

Overview
In this practice, you test the coexistence. You access the partner applications and check the cookies. Next, you shut down the OSSO server and verify whether OAM 11g is able to recognize the SSO_ID cookie and, in turn, is able to create its own cookie for new authentications.
First, you bring the SSO 10g server up and the OAM 11g server down. Try accessing the protected resource (index.html). You should be redirected to the SSO 10g server via the load balancer. Enter your credentials. After successful authentication, you should be redirected to the index.html resource. Now check the cookies to see whether an SSO_ID cookie is created. Then bring the SSO 10g server down and bring up the OAM 11g server. On the same browser, delete the OHS cookie (Note: Do not delete the SSO 10g cookie, SSO_ID) and try accessing the resource again. Now you should not be shown a login page but should be given access to the protected resource. If you now check the cookies in the browser, you should be able to see both SSO_ID and OAM_ID, which means that the OAM server was able to interpret the SSO 10g server's SSO_ID cookie, recognize the session, and create an OAM_ID cookie based on the SSO_ID already present.

Tasks
1. Close all existing browsers and delete all cookies by using Tools > Clear Recent History.
2. Shut down oam_server1 by using either the WLS admin console [Domain (oam_domain) > Environment > Servers > Control tab > oam_server1 > Shutdown > Force Shutdown Now] or the command line (stopManagedWebLogic oam_server1).
3. Make sure that the OSSO server and all its components are up and running by navigating to d:\osso10g\opmn\bin and issuing the following command from the command line:
   opmnctl status
   Note: DSA and LogLoader should be down, as expected. If dcm-daemon is down, you can start it by using:
   opmnctl startproc ias-component=dcm-daemon
4. Use the Firefox browser. Open the Live HTTP Headers console (Tools > Live HTTP Headers) and minimize the console.
5. Try to access the protected application for the partner OHS (http://.us.oracle.com:7781). You should be redirected to the OSSO 10g login page. Enter the credentials orcladmin and Welcome1, and the FMW Welcome page should be displayed.
6. View the SSO_ID cookie on the Live HTTP Headers console. Click Clear and minimize the console.
7. On the Firefox browser menu, go to Tools > Options > Privacy > Show Cookies. Expand the Site nodes and remove only the OHS-<your_host>.us.oracle.com-7781 cookie and not the SSO_ID cookie. Click Close and then click OK.
   Note: Deleting OHS-<your_host>.us.oracle.com-7781 will redirect the request to the backend server.
8. Now stop the OSSO 10g server by executing the following from d:\osso10g\opmn\bin:
   opmnctl stopproc ias-component=HTTP_Server
   opmnctl stopproc ias-component=OC4J
9. Now bring up oam_server1 by either starting it from the WLS admin console or executing the following command from d:\middleware\user_projects\domains\oam_domain\bin:
   startManagedWebLogic oam_server1
10. Now, by using the Firefox browser, refresh the browser (where you had initially accessed http://.us.oracle.com:7781). You should see the FMW Welcome page (without being challenged).
11. View the SSO_ID and OAM_ID cookies on the Live HTTP Headers console. You can also view the same details from Tools > Options > Privacy > Show Cookies. Observe the SSO_ID cookie (the OSSO 10g server cookie), which was recognized by the OAM 11g server (hence, the resource was shown without your being challenged). Observe also the OAM_ID cookie, which is the server-side cookie that was generated when accessing the OAM 11g server.
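Steps 6 and 11 have you read the SSO_ID and OAM_ID cookies off the Live HTTP Headers console. The following Python script is an added example, not part of the Oracle guide: it parses the Set-Cookie lines of a captured exchange, attributes each cookie to the tier that issues it using the cookie names this lesson discusses (SSO_ID for the OSSO 10g server, OAM_ID for the OAM 11g server, OAMAuthnCookie_host:port for the 11g WebGate of Practice 9-8, OHS-host-port for the mod_osso partner), and lists the SSO cookies delivered without the Secure attribute, which is what the OssoSecureCookies off setting from Practice 9-3 produces. The capture, host names and cookie values below are constructed placeholders, not lab data.

```python
# Added example, not part of the Oracle guide: attribute captured SSO cookies to
# the tier that issued them and flag cookies sent without the Secure attribute.
import re
from typing import List, Set

# Cookie names this lesson discusses, mapped to the tier that issues them.
COOKIE_ISSUERS = [
    (re.compile(r"^SSO_ID$"), "OSSO 10g server"),
    (re.compile(r"^OAM_ID$"), "OAM 11g server"),
    (re.compile(r"^OAMAuthnCookie_"), "OAM 11g WebGate"),
    (re.compile(r"^OHS-"), "mod_osso partner (OHS)"),
]


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) are
    stored as True, valued attributes (path, domain, ...) as strings.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def issuer_of(cookie_name: str) -> str:
    """Name the SSO tier that issues a cookie, or 'unrelated' for any other."""
    for pattern, issuer in COOKIE_ISSUERS:
        if pattern.search(cookie_name):
            return issuer
    return "unrelated"


def analyze_capture(capture: str) -> List[dict]:
    """Return one record per Set-Cookie line in a Live HTTP Headers style dump."""
    records = []
    for line in capture.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(line.split(":", 1)[1])
        cookie["issuer"] = issuer_of(cookie["name"])
        cookie["secure"] = cookie["attrs"].get("secure") is True
        cookie["httponly"] = cookie["attrs"].get("httponly") is True
        records.append(cookie)
    return records


def sso_tiers_seen(records: List[dict]) -> Set[str]:
    """Which SSO tiers issued a cookie during the capture."""
    return {r["issuer"] for r in records if r["issuer"] != "unrelated"}


def insecure_sso_cookies(records: List[dict]) -> List[str]:
    """Names of SSO cookies delivered without the Secure attribute."""
    return [r["name"] for r in records
            if r["issuer"] != "unrelated" and not r["secure"]]


# Constructed sample capture: a coexistence flow in which the OSSO 10g server
# issued SSO_ID and the OAM 11g server then issued OAM_ID for the same browser.
# Host names and cookie values are placeholders, not real session tokens.
SAMPLE_CAPTURE = """\
HTTP/1.1 302 Found
Location: http://lbr.example.test:8888/sso/auth
Set-Cookie: SSO_ID=placeholder-osso-session; domain=.example.test; path=/; HttpOnly
Set-Cookie: OHS-partner.example.test-7781=placeholder-partner; path=/
HTTP/1.1 200 OK
Set-Cookie: OAM_ID=placeholder-oam-session; domain=.example.test; path=/; Secure; HttpOnly
Set-Cookie: OAMAuthnCookie_partner.example.test:7781=placeholder-wg; path=/; HttpOnly
Set-Cookie: JSESSIONID=placeholder-app; path=/app
"""

if __name__ == "__main__":
    recs = analyze_capture(SAMPLE_CAPTURE)
    for r in recs:
        print(f"{r['name']:42} issued by {r['issuer']:24} secure={r['secure']}")
    print("SSO tiers seen:", sorted(sso_tiers_seen(recs)))
    print("SSO cookies without Secure:", insecure_sso_cookies(recs))
```

After Step 10 in the lab, a capture fed to analyze_capture should show both the OSSO 10g server and the OAM 11g server among the tiers seen; that pair is the evidence that the 11g server honoured the 10g session. The Secure check is the practical reason to revisit OssoSecureCookies off once the partner is served over HTTPS.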
Practice 9-8: Replace mod_osso with OAM 11g WebGate Agent

Overview
At the end of this practice, you should be able to successfully replace a mod_osso agent with an OAM 11g WebGate agent. WebGate agents are more popular than mod_osso because of the extra authorization capabilities available at run time as well as the centralized session management capabilities. For instance, an administrator can delete sessions from the OAM admin console, so that the user in question is forced to re-authenticate.

Tasks
Set the primary data source to the OAM 11g data source: OID_UserStore
1. Set the primary data source to the OAM 11g user data source, OID_UserStore.
   Note: Even though in your lab the user data sources for both OSSO 10g (migratedUserIdentityStore) and OAM 11g (OID_UserStore) point to the same OID instance, pretend that they are different OID instances. In this step, you set the OAM 11g user data source as the primary.
   Log in to the OAM admin console with Vishal.Parashar and Welcome1. Navigate to System Configuration > Data Sources > User Identity Stores > OID_UserStore. Double-click the node to view the properties on the right pane. Click the Set as Primary button. Click Apply.
2. Click the Policy Configuration tab. Click Application Domains > migratedSSOPartners > Authentication Policies > Protected Resource Policy. Click the Edit icon. Observe that the authentication scheme is set to SSOCoexistMigrateScheme.
3. Click Shared Components > Authentication Schemes > SSOCoexistMigrateScheme. Click the Edit icon. Observe that the context value is set to /ngam (NGAM stands for Next Generation Access Manager).
4. Now click Shared Components > Authentication Schemes > LDAPScheme. Click the Edit icon. Observe that the context value is set to /oam. Therefore, to replace the mod_osso agent with the OAM 11g WebGate, you cannot reuse the authentication policies of migratedSSOPartners, which are specific to the mod_osso agent. You have to use the authentication scheme LDAPScheme.

Configure OAM 11g WebGate on OHS Partner Instance (Port 7781) by Using the OAM Admin Console
5. Open a command prompt and navigate to the D:\middleware\WebGate11g_home\webgate\ohs\tools\deployWebGate directory.
6. Run the following command:
   deployWebGateInstance.bat -w d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1 -oh D:\middleware\WebGate11g_home
   The -w flag indicates the OHS instance folder and -oh indicates the WebGate Oracle home. This command creates a webgate folder under d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1 and copies the configuration files necessary for the WebGate process into the d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\webgate\tools\openssl\simpleCA (cacert.pem and cakey.pem) and d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\webgate\config (oblog_config_wg.xml) directories. The output of the above command should look like this:
7. Open a new command line window and navigate to the d:\middleware\webgate11g_home\webgate\ohs\tools\EditHttpConf directory. Run the following command:
   EditHttpConf.exe -w d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1 -oh D:\middleware\WebGate11g_home -o webgate.conf
8. Verify that D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1 has the webgate.conf, httpd.conf.ORIG (backup file), and httpd.conf files. The last line in httpd.conf should be:
   include "D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1/webgate.conf"
9. Log in to the OAM admin console, http://.us.oracle.com:7001/oamconsole, by using vishal.parashar and Welcome1.
10. Click the System Configuration tab, and click 11g WebGates (under Agents > OAM Agents). Click the Create icon on the menu toolbar and specify the following property values for registering an OAM 11g WebGate agent with the OAM 11g server:

   Step | Property Name | Value
   a. | Name | oam11g_webgate_partner
   b. | Base URL | http://.us.oracle.com:7781
   c. | Security | Open
   d. | Host Identifier | oam11gHostID_Partner
   e. | Public Resource List | /public/index.html
   f. | Auto Create Policies | Selected

   Click Apply. To see the output files, ObAccessClient.xml and cwallet.sso, generated as part of the registration process, navigate to the d:\middleware\user_projects\domains\oam_domain\output\oam11g_webgate_partner directory.
11. Copy the ObAccessClient.xml and cwallet.sso files from D:\middleware\user_projects\domains\oam_domain\output\oam11g_webgate_partner to the D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\webgate\config directory.

Remove mod_osso Configuration from OHS Partner (7781)
In this case, all you have to do is remove or rename the mod_osso.conf file so that the OHS server does not load it into memory when it is started.
12. Navigate to D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\moduleconf and rename mod_osso.conf as mod_osso.conf.bak.
13. Restart the OHS partner instance for the above changes to take effect. On the command line window, navigate to d:\middleware\ohs_home\instances\ohs_partner\bin and issue the following commands:
   opmnctl stopall
   opmnctl startall
14. Open the Firefox browser (clear all cookies and browser history) and type http://.us.oracle.com:7781. You should be redirected to the OAM 11g login page (as OSSO 10g is down and the LBR routes the request to OAM 11g). Log in with vishal.parashar and Welcome1. You should now see the FMW Welcome page.
15. View the OAM_ID and OAMAuthnCookie_.us.oracle.com:7781 cookies on the Live HTTP Headers console. You can also view the same details from Tools > Options > Privacy > Show Cookies.
Practices for Lesson 10 Chapter 10
Practices for Lesson 10

Practices Overview
In these practices, you use Access Tester to test the connection between all the OAM 11g WebGate agents and the Oracle Access Manager 11g server. You also perform the "Is the resource protected?" test for various resources protected by the OAM11g_WebGate agent, and observe the authentication scheme used to protect each resource. You eventually use the credentials to test authentication and authorization to access the resource.
Practice 10-1: Working with Access Tester

Overview
In this practice, you successfully test the connection between agents and the server, and then try to answer the three key questions that Access Tester helps you address: a) Is the resource protected? b) Can you successfully authenticate? c) Are you successfully allowed to access the resource? You also use the Access Tester GUI console to build dummy test cases and then generate and run the script. You explore all the XML files generated during this process.

Tasks
1. For this practice, change the OAM 11g WebGate to Open mode. Navigate to the OAM admin console > System Configuration > Agents > OAM Agents > 11g WebGates > OAM11g_WebGate. Edit the properties of the agent and set Security to Open. Click Apply.
2. Launch Access Tester. On the command line window, navigate to D:\Program Files\Java\jdk1.6.0_17\bin and enter:
   java -Dlog.traceconnfile="d:\middleware\idm_home\oam\server\tester\traceconnfile.txt" -jar d:\middleware\idm_home\oam\server\tester\oamtest.jar
3. On the Oracle Access Manager Test Tool window, under the Server Connection section, type in the following:

   Field | Choices or Values
   Primary IP Address | .us.oracle.com
   Port | 5575
   Agent ID | OAM11g_WebGate (agent ID is case sensitive)

4. Click the Connect button. Read the messages in the Status section of the window. Also notice the green check mark next to the Connect button (if the connection is successful). Notice that once the connection is successful, you cannot change the connection details. You have to re-launch Access Tester to specify a different connection.
5. In the Protected Resource URI section, enter the following details:

   Field | Choices or Values
   Host | .us.oracle.com
   Port | 7778
   Resource | /cgi-bin/protected1

6. Click the Validate button. Read the messages in the Status section of the window. Notice the Authentication Scheme and the Redirect URL (this is a protected resource) specified.
7. In the User Identity section, enter the following details:

   Field | Choices or Values
   Username | Vishal.Parashar
   Password | Welcome1

8. Click the Authenticate button. Read the messages in the Status section of the window. Notice the user DN, session ID, and cookie values.
9. Now, click the Authorize button and observe the messages (request and responses) in the Status window.
10. Click the Clear All icon on the menu toolbar at the top of the window. Perform Steps 5 through 9 for the /mybank/testheaders.jsp resource. (You have to enter the IP address field for your host under the User Identity section. Obtain the IP address by using the ipconfig command on the command line window.)
11. Click the Clear All icon on the menu toolbar at the top of the window. Perform Steps 5 through 9 for the /example/internal/employeeHome.html resource. (You have to enter the IP address field under the User Identity section.)
12. Click the File > Save Configuration menu option and specify the Save in location as Desktop and the file name as "EmployeeHomeConfig" with the file type set as XML (by default). Click Save.
13. Close the Oracle Access Manager Tester Tool window. Navigate to d:\middleware\idm_home\oam\server\tester and open and explore the traceconnfile.txt file.
14. Open and explore the EmployeeHomeConfig.xml file in WordPad from the Desktop.
15. Invoke the Oracle Access Manager Tester Tool again (by using the instructions in Step 2).
16. Open the saved configuration, EmployeeHomeConfig.xml, by using the File > Open Configuration option. Set Look in to Desktop and Files of type to All Files.
17. Click the Connect button followed by the Validate button.
18. Start preparing a test case by using Test > Capture Last "validate" Request.
19. Click the Authenticate button. Continue building the test case by using Test > Capture Last "authenticate" Request.
20. Finally, click the Authorize button. Continue building the test case by using Test > Capture Last "authorize" Request.
21. Finish building the test case by using the Test > Generate Script option. Specify the file name as "EmployeeHomeScript" with the file type set as XML (by default). Save the file to your Desktop. Click Save.
22. On the Save Warning window, click Yes to clear the captured test case queue.
23. In the Status section, notice the message: Generated Script "d:\winnt\profiles\Administrator\Desktop\EmployeeHomeScript.xml" with three cases.
24. Click the Clear Status Messages icon (bottom-right corner).
25. Run the generated test cases by using the Test > Run Script menu option. Select All Files for the Files of Type option and select Save in as Desktop. Click EmployeeHomeScript and press Save. Read the messages in the Status window.
26. Close the Oracle Access Manager Tester Tool. Navigate to the d:\program files\java\jdk1.6.0_17\bin directory. Open and explore the following files by using WordPad: oamtest__stats.xml (statistics log) and oamtest__target.xml (target script). Also, explore EmployeeHomeScript.xml located on your Desktop.
   Note on the Access Tester tool:
   a) A long URL can be imported into the Resource panel by copying the resource from the browser's URL field and then clicking the Import button.
   b) Also note that if you click the Authenticate button a few times and observe the session ID, it does not change. The tester reuses the same session if the credentials don't change. To change the session, you need to change the credentials. A regular agent does not do this, but the Access Tester behaves this way because it could otherwise overload the server with "test" sessions.
Practice 10-2: Using OAM-Specific WLST Commands
Overview
In this practice, you explore some of the OAM-specific commands.
Tasks
1. From the command line window, navigate to d:\middleware\idm_home\common\bin. Type wlst and press Enter.
2. Issue the command connect() to get into online mode (that is, connected to the admin server).
3. Press Enter to accept the default username as weblogic. Enter Welcome1 for the password. Press Enter to accept the default for the admin server URL.
4. Issue the following commands one after the other and observe the output:
Step  Commands
a.    help('oam')
b.    displayWebgate11gAgent("OAM11g_WebGate")
c.    help('displayOAMMetrics')
d.    displayOAMMetrics()
e.    displayTopology()
f.    displayOAMServer(host=".us.oracle.com",port="14100")
g.    displayUserIdentityStore(name="UserIdentityStore1")
h.    displayUserIdentityStore(name="OID_UserStore")
i.    displayWebgateAgent("oam10g_webgate")
j.    displayOssoAgent("OSSO10g_agent")
5. Exit WLST by using exit().
Practice 10-3: Working with Oracle Enterprise Manager Fusion Middleware Control
Overview
In this practice, you explore EM FMW Control to understand how you can use it in conjunction with the WLS console, the OAM admin console, and command line WLST as a set of comprehensive management tools for operating an OAM environment.
Note: If you experience performance issues (especially on Step 3), you may want to restart the admin and managed servers.
Tasks
1. Launch EM FMW Control from the browser: http://.us.oracle.com:7001/em. Log in by using the weblogic and Welcome1 credentials (both the WLS console and EM FMW Control are applications deployed on the admin server and use the WLS embedded LDAP by default for authentication).
2. You should see the oam_domain farm page (Farm_oam_domain). Notice the various system components and applications:
a) Internal applications deployed on the admin or managed servers
b) WebLogic domain components: admin (AdminServer) and managed server (oam_server1)
c) OAM 11g server under the Identity and Access node
d) All the Web tier components: various OHS instances registered with the domain, oam_domain. (Note: You do not see the ohs_partner instance because it is not registered with the domain; that is, it is a stand-alone instance.)
3. Click the Topology link on the top-left corner to see the topology of the OAM domain environment. The image shows you the topology of the environment.
a) Expand the + sign above AdminServer and oam_server1. You can view all the components, including the applications deployed.
b) Place your cursor above the icons to see metrics, status, and other operational details.
c) From this page, you can not only save or print this topology diagram, but also view the logs and create and delete components (explore the View and Farm menu options on the top-left corner).
d) Close the Topology window.
4. From the left navigator pane, or by using links on the farm home page, navigate to the oam_server home page (Identity and Access > OAM > oam_server). Explore the menu option named Oracle Access Manager; in particular: Control, Performance Summary, General Information, and WLS admin console.
5. Select the menu option Oracle Access Manager > System MBean Browser. On the left side pane, collapse the nodes to view three categories of MBeans: Configuration, Runtime, and Application Defined.
a) Expand Application Defined MBeans > com.oracle.oam > Server:AdminServer > Application:oam_admin > oam.wlst > OamWLST. On the right pane, notice all the OAM-specific WLST commands under the Operations tab. Click displayWebgate11gAgent. For the value field, type in OAM11g_WebGate and press Invoke. Notice the Return Value at the bottom.
b) Expand Runtime MBeans > Security > domain:oam_domain > myrealmOIDAuthenticator. Click the Operations tab on the right pane. Click userExists. In the Value field, specify vishal.parashar and press Invoke. Notice the return value of “true.” Now enter weblogic in the Value field and press Invoke; notice the “false” return value. The weblogic user exists in the WLS embedded LDAP and not in OID.
6. Select the menu option Oracle Access Manager > Performance Summary. Notice the past 15 minutes of metrics. You can change the slider at the top right to see the performance metrics at a particular point in time. You can also set the time range for the performance metrics to be displayed by clicking the Enter Time icon next to the slider.
7. Click the Show Metrics Palette button on the top right to select more graphs and tables showing various metrics on the Performance Summary page. Expand the OAM Client node on the Metric Palette page. Expand Agent_OAM11g_WebGate and select all the check boxes below the node. Click the Hide Metrics Palette button. You should now see the new performance metrics charts and table on the Performance Summary page.
8. Select the menu option Oracle Access Manager > General Information to see the high-level information on the domain: Host, Oracle Home, Middleware Home, Domain Home, Version, Target Name.
9. You can also start and shut down oam_server by using the menu option Oracle Access Manager > Control (do not perform a shutdown at this point).
10. You can also explore the following options (from the left navigator pane or from the Farm home page):
a) WebLogic Domain > oam_domain > AdminServer and oam_server1
b) Web Tier > ohs1 (any one of the OHS instances)
c) Application Deployments > Internal Applications > em (AdminServer); Application Deployments > My Bank
Practices for Lesson 11 Chapter 11
Practices for Lesson 11 (Optional)
Practices Overview
In these practices, you perform horizontal migration, which is the process of moving from the development stage to the production environment. You perform the golden template migration, which is moving all the partner and policy data from source (stage) to target (production). In this exercise, you assume that your current OAM environment on the Windows machine is the stage environment, and you move this to the Linux machine, which serves as your production environment. However, note that the production OAM server will continue to communicate with the WebGates, which reside on the test machine.
Important notes:
a) It is important to note that the system time on the WebGate machines must match that of the OAM server machine; that is, in your case, the Windows and the Linux machines must have the same time. You can check the time on the Linux machine by issuing the “date” command on the terminal window.
b) In this lab, you create a production domain from the beginning (a completely new domain). There is another way to create a production domain: by using the WLS Template Builder to package the test domain and then using this template as a source to create the production domain. The difference between these two approaches is as follows:
When creating a production domain from the beginning (a new domain), all the applications (mybank and jee) have to be redeployed on the new domain along with any JDBC definitions (AuditDB) or security providers (OIDAuthenticator). This definitely adds to the work of getting the environment set up on the production machine. You also have to change the host name in the primary server list for the WebGates 10g and 11g and in the logout redirect URL field.
On the other hand, when creating a new production domain by using the Template Builder, you have to change the host name value for the server instance definition in the OAM console. Also, you have to change the serverhost value for OAMServerProfile in oam-config.xml. And much like the first approach, you have to change the host name in the primary server list for the WebGates 10g and 11g and in the logout redirect URL field. However, the advantage of this approach is that all the artifacts (WLS applications, JDBC definitions, security providers) in the WLS domain do not have to be recreated on the production domain (as they are packaged and moved over as part of the template building process).
Another difference between the two approaches is that when creating a new production domain without the Template Builder, partner data (along with policy data) has to be migrated explicitly by using the exportPartners and importPartners commands. This is unlike the other approach, where partner data is migrated implicitly as a part of the domain creation process using the template. In this lab, you use the first approach: creating the production domain without using the Template Builder.
Practice 11-1: Prepare the Environment: Configure the Linux Box Before the Migration
Overview
In this practice, you configure your Linux machine as follows:
a) Install WLS 10.3.3.
b) Install Oracle Identity Management 11.1.1.3.0 software.
c) Create new production schemas for OAM and audit services by using RCU on the existing 11.2.0.1 database hosted on the Linux machine.
d) Create a new production domain for OAM 11g.
e) Configure the identity store for the production environment to point to OID (which was used on the stage environment).
f) Remove SSO policies for EM and WLS Console.
g) Create OIDAuthenticator on the production WLS domain.
h) Apply the BP01 patch.
Tasks
Install WLS 10.3.3.
Switch to the Linux machine for this lab and perform all tasks on the Linux machine unless explicitly asked to perform an operation on the Windows machine.
1. Enter the following command to launch the WLS installer:
java -jar /modules/stage/wls_1033/wls1033_generic.jar
2. Use the table as a guide to populate the fields:
Step  Window/Page Description                   Choices or Values
a.    Welcome                                   Next
b.    Choose Middleware Home Directory          Create a new Middleware home – /u01/app/oracle/product/middleware
c.    Register for Security Updates             Deselect “I wish to receive security updates via My Oracle Support”
d.    Are you sure?                             Yes
e.    Choose Install Type                       Typical
f.    JDK Selection                             Check under Local JDK – Sun SDK1.6.0_17
g.    Choose Product Installation Directories   WebLogic Server – /u01/app/oracle/product/middleware/wls_home; Oracle Coherence – /u01/app/oracle/product/middleware/coherence_home
h.    Installation Summary                      Next
i.    Installation Complete                     Deselect “Run QuickStart”; Done
Install Oracle Identity Management 11.1.1.3.0 software.
3. Navigate to the /modules/stage/iamsuite/Disk1 directory:
cd /modules/stage/iamsuite/Disk1
4. Launch the installer by using:
./runInstaller
5. Use the table as a guide to populate the fields of the Install Wizard:
Step  Window/Page Description                            Choices or Values
a.    Oracle Universal Installer – command line window   Please specify the JRE/JDK location: /usr/java/jdk1.6.0_17
b.    Welcome                                            Next
c.    Prerequisite Checks                                Next
d.    Specify Installation Location                      Oracle Middleware Home – /u01/app/oracle/product/middleware; Oracle home directory – idm_home
e.    Installation Summary                               Install
f.    Installation Progress                              Next
g.    Installation Complete                              Finish
Create new production schemas for OAM and audit services by using RCU on the existing 11.2.0.1 database hosted on the Linux machine.
6. From the terminal window, navigate to the /modules/stage/rcu/bin directory and run rcu:
cd /modules/stage/rcu/bin
./rcu
7. Use the table as a guide to populate the fields:
Step  Window/Page Description                      Choices or Values
a.    Welcome                                      Next
b.    Create Repository                            Create
c.    Database Connection Details                  Database Type: Oracle Database; Hostname: .us.oracle.com; Port: 1521; Service Name: orcl.us.oracle.com; Username: sys; Password: Welcome1; Role: SYSDBA
d.    Checking Global Prerequisites                OK
e.    Select Components                            Create a new Prefix: PROD; Component: Identity Management: Oracle Access Manager (Note: Audit Services will be automatically selected)
f.    Checking Component Prerequisites             OK
g.    Schema Passwords                             Use the same password for all schemas. Password: Welcome1; Confirm Password: Welcome1
h.    Map Tablespaces                              Next
i.    Repository Creation Utility pop-up window    OK
j.    Creating Tablespaces                         OK
k.    Summary                                      Create
l.    Completion Summary                           Close
Create a new production domain for OAM 11g.
8. On the terminal window, navigate to /u01/app/oracle/product/middleware/oracle_common/common/bin and launch config.sh:
./config.sh
9. Use the table as a guide to populate the fields:
Step  Window/Page Description                          Choices or Values
a.    Welcome                                          Create a new WebLogic domain
b.    Select Domain Source                             Generate a domain configured automatically to support the following products: • Oracle Access Manager with Database Policy Store • Oracle Enterprise Manager. Note: Oracle JRF – 11.1.1.0 [oracle_common] (Java Required Files) will automatically be selected. Note: Basic WebLogic Server domain is automatically selected and disabled.
c.    Specify Domain Name and Location                 Domain name: prod_domain; Domain location: /u01/app/oracle/product/middleware/user_projects/domains; Application Location: /u01/app/oracle/product/middleware/user_projects/applications
d.    Configure Administrator User Name and Password   Name: weblogic; Password: Welcome1; Confirm Password: Welcome1
e.    Configure Server Start Mode and JDK              Production Mode; Available JDKs: Sun SDK 1.6.0_17
f.    Configure JDBC Component Schema                  Select OAM Infrastructure; Schema Owner: prod_oam; Schema Password: Welcome1; DBMS/Service: orcl.us.oracle.com; Hostname: .us.oracle.com; Port: 1521
g.    Test Component Schema                            Next
h.    Select Optional Configuration                    Select “Administration Server”; Select “Managed Servers, Clusters and Machines”
i.    Configure the Administration Server              Next
j.    Configure Managed Servers                        Next
k.    Configure Clusters                               Next
l.    Configure Machines                               Next
m.    Configuration Summary                            Create
n.    Creating Domain                                  Done
10. Start the admin and managed servers by issuing the following commands from terminal windows:
cd /u01/app/oracle/product/middleware/user_projects/domains/prod_domain/bin
./startWebLogic.sh
./startManagedWebLogic.sh oam_server1
11. Stop the admin and managed servers by pressing Ctrl + C on the terminal windows from where the admin and managed servers were started.
12. Every time you start the admin and managed server, you have to enter the weblogic username and password. If you want to avoid doing that, you can create a boot.properties file with the username and password values. Then, when you start the admin and managed servers, they read the username and password from this file and start. On the terminal window, navigate to /u01/app/oracle/product/middleware/user_projects/domains/prod_domain/servers/AdminServer. Make a new directory named security. Within it, create a boot.properties file with the following contents:
username=weblogic
password=Welcome1
cd /u01/app/oracle/product/middleware/user_projects/domains/prod_domain/servers/AdminServer
mkdir security
cd security
vi boot.properties [press i]
username=weblogic
password=Welcome1
[Press Esc] [Enter :wq!]
Note: The first time you start AdminServer, the contents of the boot.properties file get obfuscated. When you use the boot.properties file, it does not prompt you to enter a username and password.
13. Perform similar steps to create a boot.properties file for oam_server1 (create a boot.properties file in the security directory under /u01/app/oracle/product/middleware/user_projects/domains/prod_domain/servers/oam_server1).
14. Start the admin and managed servers. Notice that you do not get challenged for a username and password.
Configure the identity store for the production environment to point to OID (which was used on the stage environment).
15. On the Linux machine, log in to the OAM admin console by using weblogic and Welcome1, and navigate to the User Identity Store definition node: System Configuration > Data Sources > User Identity Stores. Create a new user identity store definition by using the Create icon.
16. Choose the LDAP provider as OID from the pick list. Specify the rest of the values as shown below:
Step  Window/Page Description     Choices or Values
•     Name                        OID_UserStore
•     LDAP URL                    ldap://.us.oracle.com:13060
•     Principal                   cn=orcladmin
•     Credential                  Welcome1
•     User Search Base            cn=users,dc=us,dc=oracle,dc=com
•     Group Search Base           cn=groups,dc=us,dc=oracle,dc=com
•     User Name Attribute         uid
•     OAM Administrator’s Role    oam_admin
Click Test Connection. Click OK on the Connection Status window with the message, “Connection to the User Identity Store successful.” Click Apply to save the definition. On the left pane, you should now see OID_UserStore along with the primary UserIdentityStore1 (WLS Embedded LDAP). Note: Sometimes, you may have to refresh the screen to see the update; use the Refresh icon on the left pane menu bar. Close the active tab (OID_UserStore) by using the X (close single tab) icon on the top-right corner.
17. Change OID_UserStore to the primary user identity store. Double-click the OID_UserStore node on the left pane to see the properties of the definition displayed on the right pane. Click the Set as Primary button on the right pane. Click Apply. The Primary check box should now appear as disabled on the properties page. Edit the properties of UserIdentityStore1 (either by double-clicking or by using the pencil icon) and notice that the Primary check box is now deselected. Do not log out of the OAM Admin console.
Remove SSO policies for EM and WLS Console.
18. In the OAM Admin console, navigate to Policy Configuration > Application Domains > IDMDomainAgent > Authentication Policies > Protected Higher Level Policy.
19. Open the policy; the list of resources for the policy is displayed on the right panel.
20. Remove the following resources from the authentication policy (click to the right of the drop-down list for the resource and click the Delete icon):
a) IDMDomain:/console
b) IDMDomain:/console/.../*
c) IDMDomain:/em
d) IDMDomain:/em/.../*
21. Click Apply.
22. Navigate to Policy Configuration > Application Domains > IDMDomainAgent > Authorization Policies > Protected Resource Policy.
23. Open the policy; the list of resources for the policy is displayed on the right panel.
24. Remove the following resources from the authorization policy (click to the right of the drop-down list for the resource and click the Delete icon):
a) IDMDomain:/console
b) IDMDomain:/console/.../*
c) IDMDomain:/em
d) IDMDomain:/em/.../*
25. Click Apply.
Create OIDAuthenticator on the production WLS domain.
26. Log in to the WLS console on the production Linux machine (http://.us.oracle.com:7001/console) by using weblogic and Welcome1. Navigate to prod_domain > Security Realm > myrealm > Providers. Click Lock and Edit on the Change Center section (top left).
27. Click the New button. Specify Name and Type as OIDAuthenticator and OracleInternetDirectoryAuthenticator respectively. Click OK.
28. Click the OIDAuthenticator link. Set the following properties:
Step  Window/Page Description                                Choices or Values
a.    Common > Control Flag                                  Sufficient. Click Save.
b.    Provider Specific > Host                               .us.oracle.com
c.    Provider Specific > Port                               13060
d.    Provider Specific > Principal                          cn=orcladmin
e.    Provider Specific > Credential and Confirm Credential  Welcome1
f.    Provider Specific > User Base DN                       cn=users,dc=us,dc=oracle,dc=com
g.    Provider Specific > All Users Filter                   (&(uid=*)(objectclass=person))
h.    Provider Specific > User From Name Filter              (&(uid=%u)(objectclass=person))
i.    Provider Specific > User Name Attribute                uid
j.    Provider Specific > Group Base DN                      cn=groups,dc=us,dc=oracle,dc=com. Click Save.
29. Navigate back to the Providers page (by using the locator link at the top). Click the Reorder button and move OIDAuthenticator above DefaultAuthenticator by using the Up arrow. Click OK.
30. Click the DefaultAuthenticator link. Change the Control Flag to Sufficient. Click Save.
31. Click Activate Changes on the top-left of the Change Center section.
32. Restart the admin and managed servers on the Linux machine by using the command line (Ctrl + C to kill the running servers, and then startWebLogic.sh and startManagedWebLogic.sh oam_server1 to start the servers).
Apply the BP01 patch (11.1.1.3.1).
33. Open a terminal window and set the ORACLE_HOME and PATH environment variables as shown below:
export ORACLE_HOME=/u01/app/oracle/product/middleware/idm_home
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/OPatch
34. Verify the OUI (Oracle Universal Installer) inventory. OPatch needs access to a valid OUI inventory to apply patches. Validate the OUI inventory with the following command:
opatch lsinventory
Notice that there is one product installed in /u01/app/oracle/product/middleware/idm_home (Oracle home), which is 11.1.1.3.0 Oracle IDM Suite.
35. Create a location for storing the patch. This location is sometimes referred to as PATCH_TOP. Unzip the patch ZIP file (/modules/stage/p10094106_111130_Generic.zip) under /modules/stage/bp01. Hence, the /modules/stage/bp01 directory is your PATCH_TOP.
36. Stop the admin and managed servers on the Linux machine by using Ctrl + C to kill the running servers on the terminal windows where they are running.
37. On the terminal window, navigate to the /modules/stage/bp01/10094106 directory. Apply the patch by using:
opatch apply
Is the local system ready for patching? [y|n] y
38. Once the patch has been successfully applied, you can query the inventory to see the bugs fixed as part of this patch:
opatch lsinventory
39. Start the admin and managed servers.
Practice 11-2: Perform Horizontal Migration
Overview
In this practice, you export partner and policy data from the test machine (Windows) and then import this partner and policy data to the production machine (Linux).
Tasks
1. On your Windows machine, connect to WLST in online mode. On the command line window, navigate to d:\middleware\idm_home\common\bin and issue the wlst command. Connect to AdminServer for oam_domain (test environment) by using the following values at the prompts:
connect()
Press Enter
Welcome1
Press Enter
Note: If you receive a message that an insecure protocol was used to connect to the server, you can safely ignore the message.
2. Export partner and policy data to a temporary staging location, d:\labs\myPolicies and d:\labs\mypartners. Issue the following exportPolicy and exportPartners commands and then exit the WLST shell:
Note: The exportPolicy command runs for several minutes.
3. Navigate to d:\labs to make sure the partner and policy data has been successfully exported. Note that multiple policy files (myPolicy.@.) are created for internal tracking and version control. The myPolicies file is the main source file, which you use to import into the production environment. Open the myPolicies file in WordPad and review its contents.
Note: The myPartners file is in an unreadable format because it contains sensitive information about the agents.
4. Transfer the files myPartners and myPolicies from the Windows machine to the Linux machine by using psftp. On the Windows machine, invoke psftp from the d:\other\putty directory and issue the following commands:
open .us.oracle.com
login as: oracle
Enter password: oracle
lcd d:\Labs
put myPartners
put myPolicies
5. Navigate to the Linux machine and make sure you can see the myPartners and myPolicies files under the /home/oracle directory. Import the policy and partner data (myPolicies and myPartners) into the production environment domain (prod_domain) by using the importPartners and importPolicy commands.
Note: The importPolicy command runs for several minutes.
6. Log in to the OAM admin console for the prod_domain (http://<your_linux_host>.us.oracle.com:7001/oamconsole) by using vishal.parashar and Welcome1. Make sure that you can see all the partner and policy data imported from the test environment into the production environment.
7. Edit the protected resource policy under Authentication Policies for the OAM11g_WebGate application domain (on the Policy Configuration tab). Change the authentication scheme from ExampleLDAPScheme to LDAPScheme. Click the Response tab. (Note: Clicking the Response tab is required before clicking Apply because of a bug that throws a Null Pointer Exception.) Click Apply.
Note: The reason you are changing the authentication scheme is that otherwise you would have to redeploy the custom login JSP (Practice 6-1, Step 7) on the production domain. For convenience, you use the standard SSO login page that comes with the LDAPScheme.
Practice 11-3: Perform Post-Migration Tasks
Overview
In this practice, you perform two post-migration tasks.
a) Change the host name to the value of the production machine host name (Linux machine). Change the primary server host names for the 10g and 11g WebGate definitions, and change the host name in the Logout Redirect URL field for the OAM 11g WebGates. Change the Security mode to Open (because you are re-registering the WebGates with the OAM 11g server, the server and the WebGates must be in the same security mode).
b) Replace obAccessClient.xml and cwallet.sso for the OAM 11g WebGates from the /output/ directory on the Linux machine to the \config\OHS\ohs1\webgate\config directory on the Windows machine. Replace obAccessClient.xml for the OAM 10g WebGates from the /output/ directory on the Linux machine to the \access\oblix\lib directory on the Windows machine.
Tasks
1. On the Linux machine, log in to the OAM admin console for the prod_domain (http://.us.oracle.com:7001/oamconsole) by using vishal.parashar and Welcome1.
2. Navigate to the System Configuration tab and edit each one of the OAM 10g (except IDMDomainAgent) and OAM 11g WebGate definitions (oam10g_webgate, OAM11g_WebGate, and oam11g_webgate_partner) to change the server name under the primary server list to oam_server1. After doing so, the host name field should change to the host name of the Linux machine. Change the Security to Open. Also, for both OAM 11g WebGates, change the host name in the Logout Redirect URL field to the host name of the Linux machine. Click Apply.
Note: To change IDMDomainAgent properties, you have to edit oam-config.xml. IDMDomainAgent is a special WebGate 10g agent. Editing the properties through the OAM admin console for this agent will not work.
3. Switch to the Windows machine. Double-click d:\Other\putty\psftp.exe.
4. Transfer ObAccessClient.xml and cwallet.sso (in the case of OAM 11g WebGates) from /u01/app/oracle/product/middleware/user_projects/domains/prod_domain/output/OAM11g_WebGate on the Linux machine to the d:\stage directory on the Windows machine.
5. Save backups of the ObAccessClient.xml and cwallet.sso files in the d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config directory. Rename the files ObAccessClient.xml.test and cwallet.sso.test.
6. Move (Ctrl + X > Ctrl + V or Cut and Paste) ObAccessClient.xml and cwallet.sso from the d:\stage directory to d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config.
7. Perform Steps 3, 4, and 5 similarly to transfer ObAccessClient.xml and cwallet.sso from /u01/app/oracle/product/middleware/user_projects/domains/prod_domain/output/oam11g_webgate_partner on the Linux machine to the d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\webgate\config directory on the Windows machine for oam11g_webgate_partner.
8. Transfer ObAccessClient.xml (in the case of an OAM 10g WebGate) from /u01/app/oracle/product/middleware/user_projects/domains/prod_domain/output/oam10g_webgate on the Linux machine to the d:\stage directory on Windows (see Step 5).
9. Save a backup of ObAccessClient.xml in the D:\Middleware\webgate10g_home\access\oblix\lib directory. Rename the file ObAccessClient.xml.test. Move (Ctrl + X > Ctrl + V or Cut and Paste) ObAccessClient.xml from the d:\stage directory to the D:\Middleware\webgate10g_home\access\oblix\lib directory.
10. Modify mod_wl_ohs.conf under D:\Middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1 as shown below and specify the Linux host name for WebLogicHost. Click Save.
Note: This step is only required for the mybank and jee applications (applications that are directly deployed on WLS).
Note: If you want to test the mybank or jee applications on the production environment, you have to redeploy them on the production domain before you test them. If you were using the approach of creating a production domain by using the Template Builder, this step would be done implicitly as part of building the production domain by using the test domain template.
11. Restart the OHS instances: ohs_webgate11g, ohs_webgate10g, ohs_partner. Use opmnctl under the /bin directory to issue the stopall and startall commands.
Practice 11-4: Verify a Successful Horizontal Migration
Overview
In this practice, you test to make sure the horizontal migration was successful.
Tasks
1. Switch to the Windows machine and stop the administration and managed servers by using the OAM admin console or by pressing Ctrl + C on the command line windows from where the two servers were started.
2. Verify that you can access the example applications by using http://.us.oracle.com:7778/example. Click the Employees link and you should see the SSO login page (note that the host name in the URL is pointing to the production machine). Make sure you can successfully log in by using vishal.parashar and Welcome1. Click the Engineering link and you should be able to view the engineering department home page. If you try to access the HR or finance department home pages, you should get an error message.
Practice 11-5: Prepare the Environment for the HA Lab
Overview
In this practice, you revert to the test environment.
Tasks
1. Stop the admin and managed servers on the Linux machine.
2. Switch to the Windows machine and rename the ObAccessClient.xml and cwallet.sso files as ObAccessClient.xml.prod and cwallet.sso.prod. Also, rename ObAccessClient.xml.test and cwallet.sso.test as ObAccessClient.xml and cwallet.sso.
Navigate to D:\Middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config and rename ObAccessClient.xml and cwallet.sso as ObAccessClient.xml.prod and cwallet.sso.prod. Rename ObAccessClient.xml.test and cwallet.sso.test as ObAccessClient.xml and cwallet.sso.
Navigate to D:\Middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\webgate\config and rename ObAccessClient.xml and cwallet.sso as ObAccessClient.xml.prod and cwallet.sso.prod. Rename ObAccessClient.xml.test and cwallet.sso.test as ObAccessClient.xml and cwallet.sso.
Navigate to D:\Middleware\webgate10g_home\access\oblix\lib and rename ObAccessClient.xml as ObAccessClient.xml.prod. Rename ObAccessClient.xml.test as ObAccessClient.xml.
3. Modify mod_wl_ohs.conf under D:\Middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1 and specify the Windows host name for WebLogicHost. Click Save.
4. Restart the OHS instances: ohs_webgate11g, ohs_webgate10g, ohs_partner. Use opmnctl under the /bin directory to issue the stopall and startall commands.
5. Start the admin and managed servers on the Windows machine.
Practices for Lesson 12 Chapter 12
Practices Overview
At this stage of the course, an 11g WebGate running on port 7778 sends requests to a single Oracle Access Manager server instance running on port 14100. In these practices, you modify your deployment so that the 11g WebGate sends requests to a cluster of load-balanced Oracle Access Manager servers in order to achieve high availability.
You start by creating a WebLogic cluster. Then you retarget the data sources and applications that are targeted to the single server instance to the cluster. You add the original server to the cluster, and clone the original server instance to create a second server instance in the cluster. Then you change the Oracle Access Manager configuration to recognize the second instance, and you configure Oracle Access Manager server to write a cookie that is used transiently during authentication. Next, you create an Oracle HTTP Server (OHS) instance and configure it as a load balancer for the cluster. Finally, you configure the Oracle Access Manager 11g WebGate to recognize the multi-server configuration, and re-register the WebGate.
After performing these steps, you have a configuration that supports both server failover and request load balancing. You run tests that prove:
• Requests to the Oracle Access Manager server are balanced between the two server instances
• If one of the server instances shuts down, requests to the Oracle Access Manager server are still serviced
Practice 12-1: Creating a WebLogic Server Cluster

Overview
In this practice, you create a WebLogic Server cluster. In the next practice, you add the WebLogic managed server instance on which Oracle Access Manager server runs to the cluster. Later in these practices, you create a second managed server instance running Oracle Access Manager server, and add that instance to the cluster.

Assumptions
• You completed practices 3 through 11 successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Shut down the oam_server1 managed server instance.
2. Create the WebLogic Server cluster:
   a. Select oam_domain > Environment > Clusters in the Domain Structure pane. The Summary of Clusters page appears in the right side of the console window. The cluster list is empty.
   b. Click Lock and Edit in the Change Center pane.
   c. Click New. The Create a New Cluster page appears.
   d. Fill in the Name field with the value oam_cluster. Let all other fields take the default values.
   e. Click OK. The Summary of Clusters page reappears, with the oam_cluster cluster appearing in the cluster list.
      Note: The value Round Robin appears in the Default Load Algorithm column for the oam_cluster cluster. Round-robin load balancing ensures that each clustered server receives an equal number of requests.
   f. Click Activate Changes in the Change Center pane. Notice the following message that appears above the Summary of Clusters heading: “All changes have been activated. No restarts are necessary.”
   g. Leave the WebLogic console open at the Summary of Clusters page for the next task.
Practice 12-2: Adding the WebLogic Managed Server Instance and Targeting Oracle Access Manager Applications and Data Sources to the Cluster

Overview
In this practice, you add the oam_server1 WebLogic managed server instance on which the Oracle Access Manager server runs to the oam_cluster cluster that you created in the previous practice. Then you configure the applications and data sources that were targeted to the oam_server1 server to be targeted to the oam_cluster cluster instead. Doing so ensures that when you create a second server instance in the cluster, the correct set of applications is deployed to the new server instance.

Assumptions
• You completed all previous practices successfully.
• You perform this practice on your Windows lab system.
• The WebLogic console is open at the Summary of Clusters page.

Tasks
1. Add the oam_server1 server to the oam_cluster cluster:
   a. Click Lock and Edit in the Change Center pane.
   b. Click the oam_cluster link in the cluster list. The Settings for oam_cluster page appears.
   c. Select the Servers tab.
   d. Click Add. The Add a Server to Cluster page appears.
   e. Verify that the value in the Select a Server field is oam_server1.
   f. Click Finish. The Settings for oam_cluster page reappears, with the oam_server1 server appearing in the server list.
   g. Click Activate Changes in the Change Center pane.
   h. Notice the following message that appears above the Settings for oam_cluster heading: “All changes have been activated. No restarts are necessary.”
2. Retarget the oam_server application—a component of Oracle Access Manager—so that it is deployed to the oam_cluster cluster instead of to the oam_server1 server. By doing so, when you add new servers to the oam_cluster cluster, the oam_server application is automatically deployed to the new servers.
   a. Click Lock and Edit in the Change Center pane.
   b. Select oam_domain > Deployments in the Domain Structure pane. The Summary of Deployments page appears in the right side of the console window.
   c. Click Next to bring up the second page of the deployments list.
   d. Locate the oam_server application in the deployments list.
   e. Click oam_server. The Settings for oam_server page appears.
   f. Select the Targets tab. The Target Assignments list appears. The oam_server1 server is listed in the Current Targets column.
   g. Select the check box for the oam_server application.
   h. Click Change Targets.
   i. Select All Servers in the Cluster.
   j. Click Yes.
   k. The Target Assignments list appears. Observe that the oam_cluster cluster is now listed in the Current Targets column.
   l. Click Activate Changes in the Change Center pane.
3. Following steps similar to the steps for retargeting the oam_server application to the oam_cluster cluster, retarget the login application to the oam_cluster cluster. The login application is the WAR file that contains the custom-branded login page for the Example Bakery application.
4. The DMS Application, oamsso_logout, and wsil-wls applications—components of Oracle Access Manager—are currently targeted to both the oam_server1 and AdminServer servers. Reconfigure these three applications so that they are targeted to the AdminServer server and the oam_cluster cluster.
   Note: The AdminServer server is not part of the oam_cluster cluster.
5. The oamDS data source is currently targeted to both the oam_server1 and AdminServer servers. Reconfigure the oamDS data source so that it is targeted to the AdminServer server and the oam_cluster cluster:
   a. Click Lock and Edit in the Change Center pane.
   b. Select oam_domain > Services > JDBC > Data Sources in the Domain Structure pane. The Summary of JDBC Data Sources page appears in the right side of the console window.
   c. Click oamDS. The Settings for oamDS page appears.
   d. Select the Targets tab. A page with a target assignments list appears. The AdminServer and oam_server1 servers are listed as targets.
   e. Select All Servers in the Cluster. The AdminServer server and the oam_cluster cluster should both be selected.
   f. Click Save.
   g. Click Activate Changes in the Change Center pane.
6. Following steps similar to the steps for retargeting the oamDS data source to the AdminServer server and the oam_cluster cluster, reconfigure the AuditDB data source so that it is targeted to the AdminServer server and the oam_cluster cluster.
Practice 12-3: Creating a Second WebLogic Managed Server Instance Running Oracle Access Manager Server

Overview
In this practice, you create the second WebLogic managed server instance on which Oracle Access Manager server runs. Then you add that managed server instance to your WebLogic Server cluster.

Assumptions
• You completed all previous practices successfully.
• You perform this practice on your Windows lab system.
• The WebLogic console is open.

Tasks
1. Select oam_domain > Environment > Servers in the Domain Structure pane. The Summary of Servers page appears in the right side of the console window.
2. Click Lock and Edit in the Change Center pane.
3. Clone the oam_server1 server to create the oam_server2 server:
   a. Select the check box for the oam_server1 server.
   b. Click Clone. The Clone a Server page appears.
   c. Fill in fields in the Clone a Server page as follows:

      Field                    Choices or Values
      Server Name              oam_server2
      Server Listen Address    (leave blank)
      Server Port              15100

   d. Click OK. The Summary of Servers page reappears, with the oam_server2 server in the server list. Note the following information in the server list:
      • The oam_server2 server is a member of the oam_cluster cluster.
      • The oam_server2 server is assigned to the Windows_Machine machine.
      • The status of the oam_server2 server is listed as Unknown.
   e. Click Activate Changes in the Change Center pane. The status of the oam_server2 server changes to SHUTDOWN.
4. Review the list of servers in the oam_cluster cluster to verify that the oam_server2 server is a member of the cluster:
   a. Select oam_domain > Environment > Clusters.
   b. Click oam_cluster.
   c. Select the Servers tab. The servers list appears and contains the oam_server1 and oam_server2 servers.
   Leave the WebLogic console open for the next practice.
Practice 12-4: Adding the Second Instance to the Oracle Access Manager Configuration

Overview
At this stage of your deployment, the Oracle Access Manager configuration contains the definition for the Oracle Access Manager server running on port 14100, but not for the new server running on port 15100. In this practice, you define the second Oracle Access Manager server, running on port 15100, in the Oracle Access Manager configuration.

Assumptions
• You completed all previous practices successfully.
• You perform this practice on your Windows lab system.
• The WebLogic administration console is started.

Tasks
1. Start the oam_server1 managed server instance:
   a. In the WebLogic console, select oam_domain > Environment > Servers in the Domain Structure pane. The Summary of Servers page appears in the right side of the console window.
   b. Select the Control tab.
   c. Select the check box for the oam_server1 server.
   d. Click Start.
   e. Click Yes in response to the confirmation page.
   f. Click the Refresh icon, which appears above the text “Customize this table.” Observe the value in the State column for the oam_server1 server. When the value changes to RUNNING, server startup is complete.
   g. Click the Refresh icon to end the page refresh behavior.
2. Navigate to the following URL to start the Oracle Access Manager console: http://your_host.us.oracle.com:7001/oamconsole. Log in as the Vishal.Parashar user. The password is Welcome1.
3. Select the System Configuration tab.
4. Click Server Instances.
5. Click the Create icon. The Create: OAM Server page appears.
6. Fill in fields in the Create: OAM Server page as follows:

   Main Page or Tab Page    Field              Value
   Main Page                Server Name        oam_server2
   Main Page                Host               your_host.us.oracle.com
   Main Page                Port               15100
   Proxy Tab Page           Port               6575
   Proxy Tab Page           Proxy Server ID    OAMServer2Proxy
   Proxy Tab Page           Mode               OPEN
   Coherence Tab Page       Log Level          3
   Coherence Tab Page       Local Port         9095
   Coherence Tab Page       Log Limit          4096

7. Click Apply. The oam_server2 server now appears under Server Instances on the left side of the console window.
8. Log out of the Oracle Access Manager console.
9. Shut down the oam_server1 managed server instance.
Practice 12-5: Changing the Request Cache Type and Restarting the Oracle Access Manager Servers

Overview
Authentication to Oracle Access Manager requires multiple HTTP messages between the Oracle Access Manager server and the client. In a high availability configuration with multiple Oracle Access Manager servers, it is important that the client communicates with the same Oracle Access Manager server instance from the beginning to the end of the authentication process. One possible way of ensuring same-server communication is to require the use of a sticky cookie, which would force the load balancer to send the HTTP communication to the same server. But Oracle Access Manager server does not require the use of sticky cookies. Instead, Oracle Access Manager server writes login state information to the URL string to ensure same-server communication. When configuring Oracle Access Manager server for high-availability deployments, you can enable an option to write the login state information to a cookie, thereby decreasing the size of the URL string. This might be necessary in environments in which users’ browsers enforce a limited URL size. Once the authentication process has completed, there is no requirement for client requests to be processed on the same server instance.

In this practice you change the request cache type from the BASIC type to the COOKIE type. Support for changing the request cache type is not available in the Oracle Access Manager console; therefore, you make the change by using the WLST utility. Then you delete the audit.log file—the “bus stop” to which Oracle Access Manager server logs audit data before the audit loader writes the data to the Oracle Database—for the oam_server1 server. You can safely delete the file because the Oracle Access Manager server is down.

You delete this file (and the corresponding file for the oam_server2 server) in a subsequent practice when both Oracle Access Manager servers are running, in order to verify that activity is occurring on both servers.
Note: The audit.log file for the oam_server2 server does not exist yet, because you have not started this server yet.
At the end of this practice, you restart the administration server and both managed server instances running Oracle Access Manager server. Restarting the administration server is required after changing the request cache type.

Assumptions
• You completed all previous practices successfully.
• You perform this practice on your Windows lab system.
• The WebLogic administration server for the oam_domain domain is running.
• Both managed server instances running Oracle Access Manager server are shut down.
Tasks
1. If necessary, open a terminal window.
2. Start the WLST utility:

   cd d:\Middleware\idm_home\common\bin
   wlst.cmd

   After a series of messages that contain settings for the WLST environment are displayed, the following messages appear in the terminal window:

   Initializing WebLogic Scripting Tool (WLST) ...
   Welcome to WebLogic Server Administration Scripting Shell
   Type help() for help on available commands
   wls:/offline>

3. Connect to the administration server:

   connect("weblogic","Welcome1","t3://your_host.us.oracle.com:7001")

   The following messages appear in the terminal window:

   Connecting to t3://your_host.us.oracle.com:7001 with userid weblogic ...
   Successfully connected to Admin Server 'AdminServer' that belongs to domain 'oam_domain'.
   Warning: An insecure protocol was used to connect to server.
   To ensure on-the-wire security, the SSL port or Admin port should be used instead.
   wls:/oam_domain/serverConfig>

4. Display the current request cache type:

   displayRequestCacheType()

   A message should appear stating that the request cache type is type BASIC.
5. Change the request cache type to type COOKIE:

   configRequestCacheType(type="COOKIE")

6. Run the displayRequestCacheType command again to display the request cache type. The request cache type should be type COOKIE now.
7. Terminate the WLST utility:

   exit()

8. Delete the audit “bus stop” files for the oam_server1 server:
   a. Open a Windows Explorer window to the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\auditlogs\OAM directory.
   b. Delete the audit.log file from this directory.
9. Restart the WebLogic administration server for the oam_domain domain.
10. Start both managed server instances in the WebLogic cluster.
Practice 12-6: Creating a New OHS Instance That Will Load-Balance Oracle Access Manager Server Instances

Overview
In this practice, you define a new Oracle HTTP Server instance that runs on port 7790. You use this instance as the WebLogic Server cluster load balancer in subsequent practices.

Assumptions
• You completed all previous practices successfully.
• You perform this practice on your Windows lab system.
• All three servers in the oam_domain domain—the administration server and the oam_server1 and oam_server2 managed server instances—are started.

Tasks
1. Open a Windows Explorer window to the d:\Middleware\ohs_home\bin directory.
2. Double-click the config.bat file. The Oracle Fusion Middleware 11g Web Tier Utilities Configuration Wizard starts, and the Welcome (Step 1 of 9) dialog box appears.
3. Fill in fields and values in the Configuration Wizard as follows:
   a. Click Next. The Configure Components (Step 2 of 9) dialog box appears.
   b. Deselect the check box for Oracle Web Cache and click Next. The Specify WebLogic Domain (Step 3 of 9) dialog box appears.
   c. Fill in values in the Specify WebLogic Domain (Step 3 of 9) dialog box as follows:

      Field              Choices or Values
      Domain Host Name   your_host.us.oracle.com
      Domain Port No     7001
      User Name          weblogic
      Password           Welcome1

   d. Click Next. The Specify Component Details (Step 4 of 9) dialog box appears.
   e. Fill in values in the Specify Component Details (Step 4 of 9) dialog box as follows:

      Field                     Choices or Values
      Instance Home Location    D:\Middleware\ohs_home\instances\ohs_lb
      Instance Name             ohs_lb
      OHS Component Name        ohs1

   f. Click Next. The Configure Ports (Step 5 of 9) dialog box appears.
   g. Click Specify Ports Using Configuration File.
   h. Click View/Edit File. A text box opens.
   i. Enter the following text in the text box:

      [OPMN]
      [OHS]
      OHS Port = 7790
      [WEBCACHE]

   j. Click Save. The message, “File saved successfully,” appears in the Configure Ports (Step 5 of 9) dialog box.
   k. Click Next. The Specify Security Updates (Step 6 of 9) dialog box appears.
   l. Deselect the check box for “I Wish to Receive Security Updates” and click Next.
   m. Click Yes to confirm that you do not want to receive security updates. The Installation Summary (Step 7 of 9) dialog box appears.
   n. Click Configure. The Configuration Progress (Step 8 of 9) dialog box appears. Progress messages inform you about the configuration operation’s status.
   o. When configuration is 100% complete, click Next. The Installation Complete (Step 9 of 9) dialog box appears.
   p. Click Finish.
4. Verify that the new OHS instance is operational by navigating to the URL http://your_host.us.oracle.com:7790. The OHS welcome page should appear.
Practice 12-7: Configuring the New OHS Instance as a Load Balancer

Overview
In this practice, you configure the OHS instance running on port 7790 as a load balancer.

Assumptions
• You completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Create the D:\Middleware\ohs_home\instances\ohs_lb\config\OHS\ohs1\moduleconf\oam.conf file with the following content:

   NameVirtualHost *:7790
   ServerName your_host.us.oracle.com:7790
   RewriteEngine On
   RewriteOptions inherit
   SetHandler weblogic-handler
   WebLogicCluster your_host_FQHN:14100,your_host_FQHN:15100
   SetHandler weblogic-handler
   WebLogicCluster your_host_FQHN:14100,your_host_FQHN:15100

   In the preceding example, replace the variable your_host_FQHN with your Windows system’s fully qualified host name, for example, your_host.us.oracle.com.
2. Restart the OHS instance running on port 7790:
   a. If necessary, open a terminal window.
   b. Execute the following commands to stop and start the OHS instance:

      cd d:\Middleware\ohs_home\instances\ohs_lb\bin
      opmnctl stopall
      opmnctl startall
Practice 12-8: Configuring the Load Balancer Port Number in the Oracle Access Manager Configuration

Overview
In this practice, you change the Oracle Access Manager server port number to port 7790, the port number of the OHS instance acting as a load balancer.

Assumptions
• You completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Navigate to the following URL to start the Oracle Access Manager console: http://your_host.us.oracle.com:7001/oamconsole. Log in as the Vishal.Parashar user. The password is Welcome1.
2. Select the System Configuration tab.
3. Double-click Server Instances on the left side of the console window. The OAM Server Common Properties page appears in the right side of the console window.
4. Select the SSO Engine tab in the OAM Server Common Properties page.
5. Change the value of the OAM Server Port field from 14100 to 7790, the port number of the OHS instance acting as a load balancer.
6. Click Apply. Leave the Oracle Access Manager console open for the next task.
Practice 12-9: Modifying the Definition for the Oracle Access Manager 11g WebGate and Reconfiguring the WebGate

Overview
In this practice, you configure the Oracle Access Manager 11g WebGate definition to include the new Oracle Access Manager server. The WebGate configuration includes lists of Oracle Access Manager servers with which the WebGate communicates directly over a back channel by using the OAP protocol. At this stage of the deployment, the server list in the WebGate configuration in Oracle Access Manager includes only the original server, the server that uses port 5575 for back-channel OAP communication. After you edit and save the WebGate configuration in the Oracle Access Manager console, Oracle Access Manager generates files that are necessary for the WebGate’s configuration in OHS. You copy these files into the WebGate’s OHS configuration and restart the OHS instance running the WebGate.
Note: In the interest of time, you do not configure the OHS instances protected by the 10g WebGate and the mod_osso filter to work with the load-balanced configuration. In a production deployment, you would configure all agents to work with the load-balanced configuration.

Assumptions
• You completed all previous practices successfully.
• You perform this practice on your Windows lab system.
• The Oracle Access Manager console is open.

Tasks
1. Review the content in the output\OAM11g_WebGate directory:
   a. Open a Windows Explorer window to the D:\Middleware\user_projects\domains\oam_domain\output\OAM11g_WebGate directory.
   b. Open the ObAccessClient.xml file in the Firefox browser.
   c. Search for the primary server list. Note that the server list contains the definition for the Oracle Access Manager server that uses port 5575 for OAP communication, but not for the Oracle Access Manager server that uses port 6575.
   During partner registration, the files in the output\OAM11g_WebGate directory are copied to the 11g WebGate configuration directory. But at the current stage of deployment, the data in the files in the output\OAM11g_WebGate directory—and in the 11g WebGate configuration directory—is stale. In order for the 11g WebGate to work with the load-balanced Oracle Access Manager configuration, you must update the 11g WebGate configuration.
2. Change the 11g WebGate definition in the Oracle Access Manager console:
   a. Select the System Configuration tab.
   b. On the left side of the console window, select Agents > OAM Agents > 11g Webgates > OAM11g_WebGate.
   c. Click the Edit icon. The OAM11g_WebGate page appears in the right side of the console window.
   d. If the value of Security is Simple, change its value to Open.
      You need to verify that the security mode is Open because OAM requires equivalent security modes for WebGates and OAM servers when reconfiguring WebGates.
   e. In the Logout Redirect URL field, change the port number from 14100 to 7790.
   f. Locate the Primary Server List on the right side of the console window.
   g. Click the Primary Server List Add icon (the plus sign that appears to the right of the label Primary Server List). A new empty line appears in the primary server list.
   h. In the Server Name field in the new line in the Primary Server List, select the value oam_server2. The other details for the oam_server2 server are filled in automatically.
   i. Change the value in the Max Number of Connections field to 1.
      Note: The number of connections affects the load-balancing algorithm used by the WebGate to communicate with the Oracle Access Manager server over the OAP port. For this practice, you keep the number of connections small in order to demonstrate load-balancing activity more easily. In production environments, the value for this field would typically be higher.
   j. Click Apply.
3. Review the content in the output\OAM11g_WebGate directory:
   a. Open a Windows Explorer window to the D:\Middleware\user_projects\domains\oam_domain\output\OAM11g_WebGate directory.
   b. Note the time stamps of the files in the directory. The time stamps should reflect the fact that the files were just recreated.
   c. Open the ObAccessClient.xml file in the Firefox browser.
   d. Search for the primary server list. The primary server list now contains the definitions for the Oracle Access Manager servers that use ports 5575 and 6575 for OAP communication.
4. Copy the following files from the D:\Middleware\user_projects\domains\oam_domain\output\OAM11g_WebGate directory to the D:\Middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config directory:
   • The cwallet.sso file
   • The ObAccessClient.xml file
   A dialog box appears asking if you want to replace the existing files with the same names. Click Yes.
5. Restart the OHS instance protected by the Oracle Access Manager 11g WebGate:
   a. If necessary, open a terminal window.
   b. Execute the following commands to stop and start the OHS instance:

      cd d:\Middleware\ohs_home\instances\ohs_webgate11g\bin
      opmnctl stopall
      opmnctl startall

6. Restart the administration server and the two managed server instances running Oracle Access Manager:
   a. Shut down the oam_server1 and oam_server2 WebLogic managed server instances.
   b. Shut down the WebLogic administration server.
   c. Start up the WebLogic administration server.
   d. Start up the oam_server1 and oam_server2 WebLogic managed server instances.
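As an added example that is not part of this guide, the following Python script cross-checks the two artifacts produced in Practice 12-7 and this practice: every WebLogicCluster directive in the load balancer's oam.conf must name both managed servers, and the WebGate's ObAccessClient.xml primary server list must know both OAP ports, otherwise failover silently fails for one path or one agent. The sample inputs are constructed; the ObAccessClient.xml layout (a CompoundList named primaryServerN holding NameValPair host/port/numOfConnections entries) and the /oam and /login Location paths in the sample oam.conf are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the stale ObAccessClient.xml from before the WebGate edit,
# which knows only the original server (OAP port 5575). The layout below
# (CompoundList "primaryServerN" holding NameValPair entries) is an assumption.
STALE_OBACCESSCLIENT = """<CompoundList xmlns="http://www.oblix.com/" ListName="">
  <SimpleList><NameValPair ParamName="id" Value="OAM11g_WebGate"/></SimpleList>
  <CompoundList ListName="primaryServer1">
    <SimpleList><NameValPair ParamName="host" Value="your_host.us.oracle.com"/></SimpleList>
    <SimpleList><NameValPair ParamName="port" Value="5575"/></SimpleList>
    <SimpleList><NameValPair ParamName="numOfConnections" Value="1"/></SimpleList>
  </CompoundList>
</CompoundList>
"""

# Constructed sample: the regenerated file after oam_server2 (OAP port 6575) was
# added to the Primary Server List with Max Number of Connections = 1.
UPDATED_OBACCESSCLIENT = """<CompoundList xmlns="http://www.oblix.com/" ListName="">
  <SimpleList><NameValPair ParamName="id" Value="OAM11g_WebGate"/></SimpleList>
  <CompoundList ListName="primaryServer1">
    <SimpleList><NameValPair ParamName="host" Value="your_host.us.oracle.com"/></SimpleList>
    <SimpleList><NameValPair ParamName="port" Value="5575"/></SimpleList>
    <SimpleList><NameValPair ParamName="numOfConnections" Value="1"/></SimpleList>
  </CompoundList>
  <CompoundList ListName="primaryServer2">
    <SimpleList><NameValPair ParamName="host" Value="your_host.us.oracle.com"/></SimpleList>
    <SimpleList><NameValPair ParamName="port" Value="6575"/></SimpleList>
    <SimpleList><NameValPair ParamName="numOfConnections" Value="1"/></SimpleList>
  </CompoundList>
</CompoundList>
"""

# Constructed sample oam.conf for the ohs_lb instance (Practice 12-7). The
# /oam and /login Location paths are assumptions; the cluster members are the
# two managed servers from the lab.
SAMPLE_OAM_CONF = """NameVirtualHost *:7790
<VirtualHost *:7790>
  ServerName your_host.us.oracle.com:7790
  RewriteEngine On
  RewriteOptions inherit
  <Location /oam>
    SetHandler weblogic-handler
    WebLogicCluster your_host.us.oracle.com:14100,your_host.us.oracle.com:15100
  </Location>
  <Location /login>
    SetHandler weblogic-handler
    WebLogicCluster your_host.us.oracle.com:14100,your_host.us.oracle.com:15100
  </Location>
</VirtualHost>
"""

LAB_CLUSTER = {"your_host.us.oracle.com:14100", "your_host.us.oracle.com:15100"}
LAB_OAP_PORTS = {5575, 6575}


def _local(tag):
    """Strip the XML namespace: '{http://www.oblix.com/}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def webgate_primary_servers(xml_text):
    """Return [(host, oap_port, max_connections)] for every primaryServerN list."""
    servers = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "CompoundList":
            continue
        if not elem.get("ListName", "").startswith("primaryServer"):
            continue
        params = {nv.get("ParamName"): nv.get("Value")
                  for nv in elem.iter() if _local(nv.tag) == "NameValPair"}
        servers.append((params.get("host"), int(params["port"]),
                        int(params.get("numOfConnections", "0"))))
    return servers


_WLC = re.compile(r"^\s*WebLogicCluster\s+(\S+)", re.MULTILINE)


def cluster_directives(conf_text):
    """Return one set of host:port members per WebLogicCluster directive."""
    return [set(m.group(1).split(",")) for m in _WLC.finditer(conf_text)]


def ha_findings(conf_text, xml_text, cluster_members, oap_ports):
    """Report what would silently defeat failover: a Location whose
    WebLogicCluster omits a cluster member, or a WebGate primary server list
    that does not know a server's OAP port."""
    findings = []
    directives = cluster_directives(conf_text)
    if not directives:
        findings.append("oam.conf: no WebLogicCluster directive found")
    for i, members in enumerate(directives, 1):
        missing = set(cluster_members) - members
        if missing:
            findings.append(f"oam.conf: WebLogicCluster #{i} lacks {sorted(missing)}")
    known_ports = {port for _, port, _ in webgate_primary_servers(xml_text)}
    for port in sorted(set(oap_ports) - known_ports):
        findings.append(f"ObAccessClient.xml: no primary server with OAP port {port}")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("stale", STALE_OBACCESSCLIENT),
                            ("updated", UPDATED_OBACCESSCLIENT)):
        result = ha_findings(SAMPLE_OAM_CONF, xml_text, LAB_CLUSTER, LAB_OAP_PORTS)
        print(label, result or "OK")
```

Run against the real files by reading oam.conf and the copied ObAccessClient.xml from the paths in tasks 1 and 4 above; an empty findings list means the load balancer and the WebGate agree on the full server set.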
Practice 12-10: Testing the High Availability Deployment

Overview
In this practice, you test the high availability deployment. First, you verify that you can still authenticate to the Example Bakery application. Next, you shut down one of the managed server instances and authenticate. Then you start the managed server instance that you just stopped, restart the other managed server instance, and verify that you can still run the application without having to re-authenticate.

Assumptions
• You completed all previous practices successfully.
• You perform this practice on your Windows lab system.

Tasks
1. Demonstrate Oracle Access Manager server request load balancing:
   a. Clear cookies and cache and restart the browser.
   b. Navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example.
   c. Click Employees. The Example Bakery login page appears.
   d. Log in as user David.Goldsmith with password Welcome1. The employee portal appears.
   e. Clear cookies and cache and restart the browser.
   f. Navigate to the Example Bakery home page.
   g. Click Employees. The Example Bakery login page appears.
   h. Log in as user Vishal.Parashar with password Welcome1. The employee portal appears.
   i. Examine the two audit log “bus stop” files for the oam_server1 and oam_server2 servers:
      • The D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\auditlogs\OAM\audit.log file
      • The D:\Middleware\user_projects\domains\oam_domain\servers\oam_server2\logs\auditlogs\OAM\audit.log file
      Review the records in the audit.log files to verify that both active Oracle Access Manager servers have received and handled requests.
2. Demonstrate session recovery after a single Oracle Access Manager server in a cluster goes down:
   a. Using the WebLogic console, shut down the oam_server1 managed server instance. If you do not remember how to shut down the server, refer to previous practices that provide the steps for shutting down WebLogic managed server instances.
   b. Clear cookies and cache and restart the browser.
   c. Navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example.
   d. Click Employees. The Example Bakery login page appears.
   e. Log in as user David.Goldsmith with password Welcome1. The employee portal appears.
   f. The login session was created by the oam_server2 server, because the oam_server1 server is shut down. Start the WebLogic console in a second tab page.
   g. Using the WebLogic console, start up the oam_server1 managed server instance.
   h. Using the WebLogic console, shut down the oam_server2 managed server instance.
   i. Clear your browser’s cache but not cookies. In the next test you perform, you verify that the user can still access protected resources without re-authenticating, even though the server on which the user authenticated is not active.
   j. Return to the tab page in which the Example Bakery application appears. Click Employees. The browser cache is refreshed, and the employee portal appears. You should not be prompted to authenticate.
   k. Examine the two audit log “bus stop” files for the oam_server1 and oam_server2 servers as you did in the previous tasks. Time stamps show that session validation for the David.Goldsmith user occurred after the oam_server1 server was shut down.
Practices for Lesson 4 (Advanced) Chapter 13
Practices for Lesson 4 (Advanced) Chapter 13 - Page 1
Practices for Lesson 4 (Advanced) (Optional)
Practices Overview
In these practices, you enable SSL certificate-based (Cert mode) communication between an OAM 11g WebGate and the OAM 11g server. This is how most production deployments configure the communication mode. When you installed and configured the WebGate and OAM server in Lesson 3, you selected Open mode for communication. In the Lesson 4 practices, you learned how to configure Simple mode between a WebGate and the OAM 11g server as a post-install or post-configuration step (even though the option to configure Simple or Cert mode is also available at installation or configuration time). In these practices, you assume that the communication mode was set to Open at install and configuration time, and that you now want to configure Cert mode in the soon-to-go-live production environment.
Practice 4-1: Generate the Certificate Request and Private Key for OAM Server
Overview
In this practice, you generate both the certificate request (server_req.pem) and the private key (server_key.pem). The certificate request is sent to a CA, which issues the certificate in the next practice. All the tasks in the Lesson 4 (Advanced) labs are performed on the Windows machine.
Tasks
1. On the command line, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and issue the command as shown below:
2. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and make sure you can see the two files: server_req.pem and server_key.pem.
Practice 4-2: Obtain OAM Server Certificate and CA Certificate from MS Certificate Service
Overview
In this practice, you perform three things:
a) Download a CA certificate in Base64 as ca_cert.pem.
b) Submit a certificate request (server_req.pem) to a trusted CA (in this case, MS Certificate Authority).
c) Download a certificate in DER format as server_cert.der.
Tasks
1. Launch Internet Explorer (not Firefox). Go to http://.us.oracle.com/certsrv.
2. Click the Download a CA Certificate, certificate chain, or CRL link.
3. Select the Base64 radio button and then click the Download CA Certificate link.
4. Click the Save button.
5. In the Save As window, select Desktop in the Save in option, select All Files in the Save as Type option, and specify the file name as ca_cert.pem.
6. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and open server_req.pem by using WordPad.
7. Remove the carriage return at the end of the paragraph (the line below the End Certificate Request line) and then copy the entire text as shown below:
8. Navigate back to http://.us.oracle.com/certsrv in Internet Explorer.
9. Click the Request a Certificate link.
10. Click the Advanced Certificate Request link.
11. Click the Submit a Certificate Request by using a Base64-encoded CMC or PKCS #10 file, or submit a renewal request by using a Base64-encoded PKCS #7 file link.
12. Right-click and choose Paste in the Saved Request dialog box. Click Submit. Note the current time of day.
13. Go to Windows Start > Programs > Administrative Tools > Certification Authority.
14. Expand the node and click the Issued Certificates folder.
15. Locate your certificate by its time stamp. Double-click your certificate (in the right pane). Click the Details tab followed by the Copy to File button.
16. Click Next on Welcome to the Certificate Export Wizard. Make sure the DER option is selected and click Next. Click the Browse button. On the Save As window, select Desktop in the Save in option. Select All Files in the Save as Type option and specify the file name as server_cert.der. Click Save. Click Next, followed by Finish. Click OK on the Export was Successful message window.
17. Navigate to your desktop and make sure you can see both certificates: ca_cert.pem and server_cert.der.cer. Rename server_cert.der.cer to server_cert.der (on the confirmation window to rename the file, click Yes).
Practice 4-3: Encrypt the OAM Server Private Key by Using a Password
Overview
In this practice, you encrypt the OAM server private key by using the password Welcome1.
Tasks
1. On the command line, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and issue the command as shown below:
2. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and inspect the date modified of the server_key.pem file. It should be updated with the current time.
Practice 4-4: Retrieve the OAM Keystore Password
Overview
In this practice, you retrieve the OAM keystore password, which you need to import CA certificates into the keystore in subsequent practices. This OAM keystore (.oamkeystore) is like a secure locker where the OAM server certificate, the CA certificate, and the private key for the OAM server certificate are kept.
Tasks
1. From the command line window, navigate to d:\middleware\idm_home\common\bin and execute wlst.
2. In the WLST shell, enter the command connect(). You will be prompted for the admin server host, port, and credentials for the connection. Press Enter. Type Welcome1 and press Enter. Press Enter.
3. After successfully connecting to the admin server, enter the command domainRuntime()
4. Enter the command listCred(map="OAM_STORE",key="jks")
The password of .oamkeystore is printed. Note this password because it is required to import the certificates.
5. Exit WLST by using the exit() command.
Practice 4-5: Import Private Key, CA Certificate and OAM Server Certificate into Keystore
Overview
In this practice, you perform three key steps:
a) Import a trusted certificate into the keystore by using keytool.
b) Convert the private key to DER format by using OpenSSL.
c) Run the importcert tool to import the private key and CA-signed certificate into the keystore.
Tasks
1. Import a trusted certificate chain into the keystore by using keytool. On the command line window, navigate to d:\middleware\ohs_home\jdk\bin and issue the following command:
keytool -importcert -file d:\winnt\Profiles\Administrator\Desktop\ca_cert.pem -trustcacerts -storepass {keystorepassword_from_previous_practice} -keystore d:\middleware\user_projects\domains\oam_domain\config\fmwconfig\.oamkeystore -storetype JCEKS
When prompted to trust this certificate, enter yes.
2. Convert the private key to DER format by using OpenSSL. On the command line window, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and issue the following command:
openssl pkcs8 -topk8 -nocrypt -in server_key.pem -inform PEM -out server_key.der -outform DER
When prompted to enter the passphrase for server_key.pem, enter Welcome1 (specified in Practice 4-3).
3. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and make sure you can see the server_key.der file.
4. Run the importcert tool to import the private key and CA-signed certificate into the keystore. Using Windows Explorer, navigate to D:\Middleware\idm_home\oam\server\tools\importcert and unzip importcert.zip (right-click > WinZip > Extract to here). Using the command line window, navigate to D:\Middleware\idm_home\oam\server\tools\importcert and set the %PATH% variable to include the JDK:
set PATH="D:\Program Files\Java\jdk1.6.0_17\bin";%PATH%
5. Run the importcert utility:
java -cp importcert.jar;%CLASSPATH% oracle.security.am.common.tools.importcerts.CertificateImport -keystore d:\middleware\user_projects\domains\oam_domain\config\fmwconfig\.oamkeystore -keystorepassword qvepofo1nimjcai212dqgbejgt -privatekeyfile D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl\server_key.der -signedcertfile D:\WINNT\Profiles\Administrator\Desktop\server_cert.der -alias mycert -aliaspassword Welcome1
Note: Use the screenshot shown below as help to enter the command.
Practice 4-6: Change OAM Server Common Properties and Server Instance Property
Overview
In this practice, you update the PEM Keystore alias and password by using the OAM admin console.
Tasks
1. Launch the OAM admin console and navigate to the System Configuration > Server Instances node. Click the Edit icon. On the right pane, select the OAM Proxy tab and, under Cert Mode Configuration, specify the PEM Keystore Alias as mycert (specified in the previous practice) and the PEM Keystore Alias Password as Welcome1 (specified in the previous practice). Click Apply.
2. Change the Server Instance Property mode to Cert. Navigate to System Configuration > Server Instances > oam_server1. Click the Edit icon. On the Proxy tab, change the Mode to Cert. Click Apply. On the Confirm window, click Yes. Then perform the same action for oam_server2.
Note: Your deployment currently contains two clustered OAM servers. You should configure both OAM servers to use Cert mode. When you perform this practice, only oam_server1 is running, but if you were to start oam_server2 at the end of the practice, the Cert mode deployment should still work.
Practice 4-7: Generate the Certificate Request and Private Key for WebGate
Overview
In this practice, you generate both the certificate request (aaa_req.pem) and the private key (aaa_key.pem). The certificate request is sent to the CA, which issues the certificate in the next practice.
Note: aaa_key.pem and aaa_cert.pem (issued from aaa_req.pem) are reserved names that must be used for the WebGate private key and certificate.
Tasks
1. On the command line, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and issue the command as shown below:
2. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and make sure you can see the two files: aaa_req.pem and aaa_key.pem.
Practice 4-8: Obtain WebGate Certificate and CA Certificate from MS Certificate Service
Overview
In this practice, you perform three things:
a) Download a CA certificate in Base64 as aaa_chain.pem. (This step was already done in Practice 4-2; however, the CA certificate was named ca_cert.pem.)
b) Submit a certificate request (aaa_req.pem) to a trusted CA (in this case, MS Certificate Authority).
c) Download a certificate in Base64 format as aaa_cert.pem.
Note: In the case of the OAM server certificate, you had to download the OAM server certificate in DER format because DER is the format used to store the private key and server certificate in .oamkeystore, whereas a WebGate requires PEM format (not DER) for both its private key and its client certificate.
Note: The OAM server uses .oamkeystore to store X.509 artifacts, whereas a WebGate uses the file system.
Note: A WebGate requires special reserved names for X.509 artifacts (aaa_key.pem, aaa_cert.pem and aaa_chain.pem), whereas for the OAM server there is no such restriction.
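The PEM and DER handling behind step 2 of Practice 4-5 (the openssl pkcs8 conversion to -outform DER) and behind the format note above, shown as an added Python example that is not part of this guide or of Oracle's tooling. PEM is DER wrapped in Base64 between BEGIN and END lines; the script converts between the two, checks that the BEGIN and END labels match and that the outer ASN.1 SEQUENCE length agrees with the file size (which catches the truncation or stray bytes a text editor can introduce), and produces the trailing-newline-free text that step 7 of Practices 4-2 and 4-8 asks you to paste into the CA form. It handles only unencrypted PEM blocks (certificates, requests, PKCS#8 keys); the passphrase-protected server_key.pem from Practice 4-3 must still go through openssl, which also decrypts it. The sample DER bytes are constructed for the demonstration and are not a real key or certificate.

```python
import base64
import re
import textwrap

# Constructed sample: a minimal DER SEQUENCE { INTEGER 1, INTEGER 2 }. It is
# not a real certificate or key; it only lets the script run offline. Real
# input would be server_req.pem, ca_cert.pem or server_key.der from the labs.
SAMPLE_DER = bytes.fromhex("3006020101020102")

PEM_RE = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P<end>[A-Z0-9 ]+)-----"
)


def der_length(der):
    """Return the content length declared by the outer ASN.1 SEQUENCE header.

    DER is self-describing: the header states how many bytes follow, so a
    truncated download or an editor that appended bytes is detectable.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte must be 0x30)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        header, length = 2, first
    else:                                  # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length encoding")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length mismatch: header declares %d bytes, file has %d"
                         % (header + length, len(der)))
    return length


def pem_to_der(text):
    """Strip the PEM armor and return (label, der_bytes), validating on the way."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    if m.group("begin") != m.group("end"):
        raise ValueError("BEGIN/END labels differ: %s vs %s"
                         % (m.group("begin"), m.group("end")))
    der = base64.b64decode(re.sub(r"\s+", "", m.group("body")), validate=True)
    der_length(der)                        # reject truncated or padded content
    return m.group("begin"), der


def der_to_pem(label, der):
    """Wrap DER bytes in PEM armor with 64-character lines, as openssl writes it."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def pem_problems(text):
    """Return a list of problems found in a PEM file; an empty list means it is sound."""
    try:
        pem_to_der(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def pem_for_pasting(text):
    """Drop the trailing line break so the request pastes cleanly into the CA form
    (the manual edit in step 7 of Practices 4-2 and 4-8)."""
    return text.rstrip("\r\n")


if __name__ == "__main__":
    pem = der_to_pem("CERTIFICATE REQUEST", SAMPLE_DER)
    print(pem_for_pasting(pem))
    print("problems:", pem_problems(pem))
    print("label, der:", pem_to_der(pem))
```

Run pem_problems over ca_cert.pem or server_req.pem before uploading or importing; a length mismatch means the file was altered between download and use. Because -nocrypt writes server_key.der without any protection, treat that file as a transient artifact and remove it once importcert has loaded the key into .oamkeystore.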
Tasks
1. Download a CA certificate as aaa_chain.pem. Launch Internet Explorer (not Firefox). Go to http://.us.oracle.com/certsrv.
2. Click the Download a CA Certificate, certificate chain, or CRL link.
3. Select the Base64 radio button and then click the Download CA Certificate link.
4. Click the Save button.
5. On the Save As window, select Desktop in the Save in option, select All Files in the Save as Type option, and specify the file name as aaa_chain.pem.
6. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and open aaa_req.pem by using WordPad.
7. Remove the carriage return at the end of the paragraph (the line below the End Certificate Request line) and then copy the entire text as shown below:
8. Navigate back to http://.us.oracle.com/certsrv in Internet Explorer.
9. Click the Request a Certificate link.
10. Click the Advanced Certificate Request link.
11. Click the Submit a Certificate Request by using a Base64-encoded CMC or PKCS #10 file, or submit a renewal request by using a Base64-encoded PKCS #7 file link.
12. Right-click and choose Paste in the Saved Request dialog box. Click Submit. Note the current time of day.
13. Go to Windows Start > Programs > Administrative Tools > Certification Authority.
14. Expand the node and click the Issued Certificates folder.
15. Locate your certificate by its time stamp. Double-click your certificate in the right pane. Click the Details tab followed by the Copy to File button.
16. Click Next on Welcome to the Certificate Export Wizard. Make sure the Base64-encoded X.509 option is selected and click Next. Click the Browse button. On the Save As window, select Desktop in the Save in option. Select All Files in the Save as Type option, and specify the file name as aaa_cert.pem. Click Save. Click Next followed by Finish. Click OK on the “Export was Successful” message window.
17. Navigate to your desktop and make sure you can see the certificate aaa_cert.pem.cer. Rename the file to aaa_cert.pem (on the confirmation window to rename the file, click Yes).
Practice 4-9: Encrypt the WebGate Private Key by Using a Password
Overview
In this practice, you encrypt the WebGate private key by using the password Welcome1.
Tasks
1. On the command line, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and issue the command as shown below:
2. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and inspect the date modified of the aaa_key.pem file. It should be updated with the current time.
Practice 4-10: Modify WebGate 11g Definition by Using OAM Admin Console
Overview
In this practice, you change the WebGate 11g definition to reflect the security mode Cert and specify the agent key password as Welcome1 (the private key encryption password specified in Practice 4-9).
Tasks
1. Launch the OAM admin console and navigate to System Configuration > Agents > 11g WebGates > OAM11g_webgate. Click the Edit icon. Change the security mode to Cert and specify the agent key password as Welcome1. Click Apply.
2. Copy the ObAccessClient.xml, cwallet.sso and password.xml files from d:\middleware\user_projects\domains\oam_domain\output\oam11g_webgate to d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config. When asked to replace the existing files, click Yes to All.
3. Copy the aaa_key.pem (from D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl), aaa_cert.pem and aaa_chain.pem files (from D:\WINNT\Profiles\Administrator\Desktop) to the d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config directory.
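A pre-restart check of the WebGate config directory populated in steps 2 and 3, as an added Python example that is not part of this guide or of the WebGate product. It verifies that the three reserved files exist, that each is PEM rather than DER (the distinction drawn in the Practice 4-8 note), that aaa_key.pem carries the passphrase protection applied in Practice 4-9 (so the agent key password set in step 1 has something to unlock), and that no private key has been copied into a certificate file. The directory layout and the sample files are constructed for the demonstration and contain no real key or certificate; point check_webgate_config at the real ...\ohs1\webgate\config path before running opmnctl in the next practice.

```python
import os
import tempfile

# Reserved WebGate artifact names for Cert mode (from the practice).
REQUIRED = ("aaa_key.pem", "aaa_cert.pem", "aaa_chain.pem")


def read_text(path):
    """Return (raw_bytes, text) so the caller can tell DER from PEM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw, raw.decode("ascii", errors="replace")


def key_is_passphrase_protected(text):
    """True when the key carries the encryption markers openssl writes: a
    'Proc-Type: 4,ENCRYPTED' header (traditional format) or an
    'ENCRYPTED PRIVATE KEY' block (PKCS#8)."""
    return ("Proc-Type: 4,ENCRYPTED" in text
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text)


def check_webgate_config(config_dir):
    """Return a list of findings for a WebGate config directory; empty means ready."""
    findings = []
    for name in REQUIRED:
        path = os.path.join(config_dir, name)
        if not os.path.isfile(path):
            findings.append("%s is missing (reserved name, must be present)" % name)
            continue
        raw, text = read_text(path)
        if raw[:1] == b"\x30":             # DER SEQUENCE tag: wrong format for WebGate
            findings.append("%s is DER encoded; WebGate needs PEM" % name)
            continue
        if name == "aaa_key.pem":
            if "PRIVATE KEY-----" not in text:
                findings.append("aaa_key.pem does not contain a private key block")
            elif not key_is_passphrase_protected(text):
                findings.append("aaa_key.pem is not passphrase protected "
                                "(Practice 4-9 encrypts it with the agent key password)")
        else:
            if "-----BEGIN CERTIFICATE-----" not in text:
                findings.append("%s does not contain a certificate block" % name)
            if "PRIVATE KEY-----" in text:
                findings.append("%s contains a private key; only aaa_key.pem may" % name)
    return findings


# Constructed sample files: the Base64 bodies are placeholders, not real material.
CONSTRUCTED_CERT = "-----BEGIN CERTIFICATE-----\nMAYCAQECAQI=\n-----END CERTIFICATE-----\n"
CONSTRUCTED_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    "MAYCAQECAQI=\n"
    "-----END RSA PRIVATE KEY-----\n")
CONSTRUCTED_PLAIN_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nMAYCAQECAQI=\n-----END RSA PRIVATE KEY-----\n")


def make_demo_dir(encrypted_key=True, include_chain=True):
    """Create a temporary directory laid out like ...\\ohs1\\webgate\\config."""
    d = tempfile.mkdtemp(prefix="webgate_config_")
    files = {
        "aaa_key.pem": CONSTRUCTED_ENCRYPTED_KEY if encrypted_key else CONSTRUCTED_PLAIN_KEY,
        "aaa_cert.pem": CONSTRUCTED_CERT,
    }
    if include_chain:
        files["aaa_chain.pem"] = CONSTRUCTED_CERT
    for name, content in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    good = make_demo_dir()
    bad = make_demo_dir(encrypted_key=False, include_chain=False)
    for label, d in (("complete", good), ("broken", bad)):
        print(label, "->", check_webgate_config(d) or ["ready for Cert mode"])
```

The check is deliberately format-level only: it does not parse the certificates or confirm that aaa_cert.pem was issued for the key in aaa_key.pem, which openssl can do; its job is to catch the copy mistakes (wrong directory, DER instead of PEM, unencrypted key, key pasted into a certificate file) that otherwise surface only as a failed OHS start in Practice 4-11.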
Practice 4-11: Restart OHS and OAM 11g Server
Overview
In this practice, you restart the ohs_webgate11g instance and the oam_server1 server for the changes to take effect.
Tasks
1. From the command line window, navigate to d:\middleware\ohs_home\instances\ohs_webgate11g\bin and issue the following commands:
opmnctl stopall
opmnctl startall
2. Launch the WLS admin console. Using the left pane navigator, navigate to oam_domain > Environment > Servers. Click the Control tab on the right pane. Select the check box next to oam_server1 and select Shutdown > Force Shutdown Now. On the Server Life Cycle Assistant page, click Yes.
3. Select the check box next to oam_server1 and click Start. On the Server Life Cycle Assistant page, click Yes.
Note: If you are unable to start the server, make sure the node manager is running (if it is down, start the node manager by using Start > Programs > Oracle WebLogic > WebLogic Server 11gr1 > Tools > Node Manager or D:\Middleware\wls_home\server\bin\startNodeManager from the command line).
Practice 4-12: Verify Cert Mode of Communication Between WebGate 11g and OAM 11g Server
Overview
In this practice, you access a resource (Example Bakery) that is protected by WebGate 11g. You access employee-only pages and make sure that authentication works as expected. This verifies that the SSL certificate-based communication between the WebGate and the OAM server is working correctly. To confirm that the data packets between the WebGate and the OAM servers are encrypted on the wire, you can also use a third-party tool such as Wireshark.
Note: You cannot use Access Tester to test the connection between a WebGate and the OAM server because the mode is Cert, which Access Tester does not support (only Open and Simple modes are supported).
Tasks
Try accessing a protected Web site served through WebGate 11g, such as http://.us.oracle.com:7778/example. Click the Employee link. Sign in as Vishal.Parashar with the password Welcome1. Click the Engineering Department Site link. Vishal should be able to see the Engineering home page. Because the Example Bakery Web site is protected by WebGate 11g and serves content according to the AuthN and AuthZ policies configured on the OAM server, this shows that the SSL communication between WebGate 11g and the OAM 11g server is working correctly.