Introduction

Occasionally, it is necessary to make changes to OAM 11g configuration by directly updating the oam-config,xml file, rather than using the OAM console.  In this post, we describe the correct way to make changes to this file. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Editing oam-config.xml

Correctly making durable edits to oam-config,xml involves the following steps, which must always be followed exactly.

1. 1. Shut down the entire domain, including the WebLogic Admin Server and all OAM Managed Servers
2. 2. Locate the correct “oam-config.xml” file. This will be located on the Admin Server node in the following location: <DOMAIN_HOME>/config/fmwconfig/oam-config.xml
3. 3. Make a backup of the existing file prior to editing
4. 4. When editing the file, be sure to increment the version number by 1 to ensure that the changes are not overwritten by the console. See below for details on how to do this.
5. 5. Once the change has been saved, restart the WebLogic Admin Server, followed by the OAM Managed Servers.
6. 6. As a verification step, check <DOMAIN_HOME>/config/fmwconfig/oam-config.xml on each of the OAM Managed Server nodes to ensure that the updated version has propagated correctly.

Incrementing the version number

The location of the version number that needs to be incremented is highlighted in the following snippet from the oam-config.xml file. The version number will occur near the top of the file.

<Setting xmlns="http://www.w3.org/2001/XMLSchema" Name="NGAMConfiguration" Type="htf:map">
...
<Setting Name="Version" Type="xsd:integer">175</Setting>
...
</Setting>

In our case, we would need to increment the number from “175” to “176” prior to saving oam-config.xml.

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Introduction

In this post, we investigate a complication that can occur if you require a firewall between your WebGate agents and your OAM 11g servers within your deployment topology. We provide some guidance related to how to configure your WebGates in this case. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

The problem we are trying to solve

Imagine a fairly-typical scenario where an organisation has a number of web servers, within a demilitarized zone (DMZ) that they want to protect with OAM. WebGate plugins will, of course, need to be deployed to these web servers and those plugins will need to establish and maintain Oracle Access Protocol (OAP) connections back to one or more OAM 11g Servers.  It is quite likely that these OAP connections will need to pass through a firewall (or two) on their journey from the WebGates to the OAM servers, which is not, in itself, too much of a problem.

An issue frequently does occur, though, in the case that the firewall imposes either a maximum connection TTL (time to live) or idle timeout – and to be honest, most firewalls will do this as a matter of course. OAP, as has already been widely discussed, is a long-lived protocol and as such, the standard behaviour of an OAP client (such as WebGate) is to initially establish a number of connections to a server and then use those connections repeatedly over a long period of time. OAP clients in general (and WebGates in particular) typically do not react well to an established OAP session being “torn down” ungracefully – and this is exactly what a typical firewall will do if, according to its configuration, a connection has exceeded either its maximum TTL, or its inactive timeout.

The term “ungracefully” above simply means the scenario where the firewall does not send a TCP connection reset message to the client when invalidating the connection. Should you have a well-mannered firewall that does notify the WebGate in this way once it does close the connection, all should be fine and you can probably stop reading at this point. The reality, though, is that most firewalls will not fit into this “polite” category.

When a firewall does invalidate or tear down an OAP connection that WebGate “thinks” is still good, the first time the WebGate attempts to use that connection, the request will obviously fail, Depending on various configuration parameters and the number of connections available, the WebGate may indeed recover from this situation without any major impact to end users (apart from somewhat degraded performance as the WebGate hunts around for a good connection within its pool). It is always possible, though, that all connections could be invalid at once, such as the case of a system that sees little traffic outside of office hours having all of its connections timed out due to inactivity overnight and in this event, there will be a definite impact to end users, with requests failing until WebGate has managed to re-establish its connection pool.

 How to prevent the firewall closing connections

The way to avoid this problem is to ensure that the firewall is never given cause to close a WebGate connection – in other words, ensuring that WebGate connections never exceed the configured TTL or inactivity timeout as defined at the firewall. This is achieved by configuring a maximum connection lifespan, or TTL, at the WebGate side that is less than the firewall’s maximum TTL or idle timeout.

As an example, let’s assume that our firewall imposes an idle timeout of 30 minutes for TCP connections. In this case, we would need to configure WebGate to automatically re-establish any connection older than, say, 25 minutes in order to ensure that the firewall would never need to time out one of its OAP connections. This is done by altering a WebGate setting called “Max Session Time”.

Now, we need to have a bit of a discussion about this particular setting, for a number of reasons. The first is that it really isn’t very well named, considering what it does; it has nothing to do with sessions, but everything to do with connections back to the OAM server and how long they will be allowed to last before being re-established. It should, correctly, be called something like “Max Connection Time” and perhaps in a later version of OAM it will be. As of the time of writing, though (when OAM 11.1.2.1 is the most recent version) we will have to live with the current name.

Perhaps more confusing, though, is the fact that, over the various incarnations of the 11g OAM product, the OAM Console page that allows this WebGate parameter to be defined has been changed repeatedly – consider the screenshots below:

As we can see above, the OAM Console UI, across several releases, has changed the expected unit of time in which this parameter is specified, starting with no unit at all, then moving to hours and then to seconds. What’s more, the default value tends to vary as well, depending on the version you are using and the mechanism that was used to create the initial WebGate profile. The reality of the situation, though, is that you can and should ignore the unit of time that is reflected in the UI, because the default unit for this setting is (and always has been) hours. That probably worth repeating and highlighting, just to be completely clear:

In all OAM 11g versions up through the current release, 11.1.2.1, the default unit for Max Session Time is hours, regardless of what is reflected in the OAM Console UI.

This means that the default maximum TTL for a WebGate connection in OAM 11.1.2.0 and 11.1.2.1 is, in fact 3600 hours! We did say it was meant to be a long-lived connection…

Understanding the default value and the default unit is great, of course, provided that your firewall is (or can be) configured to allow connections to last (or remain idle) for at least an hour. This is often not the case, though.

But what if my firewall timeout is less than an hour?

The good news that that OAM 11g WebGates support a user defined parameter that can be used to change the unit used for Max Session Time. In order to change the unit from “hours” to “minutes”, add the following to the “User Defined Parameters” section in the WebGate profile:

maxSessionTimeUnits=minutes

 Once you’ve done that, then whatever number you’ve entered in the “Max Session Time” box will be interpreted in minutes, rather than hours (again, regardless of what the UI label tells you).

When the change is reflected in the WebGate’s ObAccessClient.xml file, you should see entries similar to the following (these reflect the correct settings for our “25 minute” example above.

...
<SimpleList>
        <NameValPair
            ParamName="maxSessionTime"
            Value="25"></NameValPair>
    </SimpleList>
...

<userDefinedParameters>
<name>maxSessionTimeUnits</name>
<value>minutes</value>
</userDefinedParam>

Remember again – if the maxSessionTimeUnits parameter is not specified, then maxSessionTime will be interpreted in hours.

Seeing the effect

Once you’ve made the appropriate changes, it’s always a good idea to verify that things are working as expected. In order to do this, you should increase the log level of your WebGate to at least “INFO” and then filter out lines from the WebGate log file (oblog.log) containing the string “CONN_MGMT”.

That will allow you to monitor the connections that are opened and closed by WebGate over time. I include a log snippet from my own system (when I set the Max Session Time value to 2 minutes) to highlight the messages to look out for. Note that, just to increase confusion further, the timeout value in the log is printed in seconds, rather than minutes or hours.

2013/12/05@18:30:59.01090       15928   15999   CONN_MGMT       INFO    0x00001C04      /ade/brmohant_17700080/ngamac/src/palantir/aaa_client/src/watcher_thread.cpp:504        "Session expired"       Connection^object{ObConnectionAAA:0x7F2390019D80{_socket=object{ObSocket:0x0241C020{_sock=17}{_my_addr=}{_my_port=0}{_remote_addr=192.168.56.245}{_remote_port=5576}{_use_blocking_calls=false}{_timeout=10000}{_req_pending=0}}}{_state=ObConnUp}{_priority=1}{_debug=false}{_host=oamr2ps1.oracle.com}{_port=5576}{replyMapSize=0}{_seqno=9}{_isSpare=false}{_createTime=1386268079}{_closedTime=0}{_retries=0}}      Maximum Session Time^120        Current Time^1386268259
2013/12/05@18:30:59.01573       15928   15999   CONN_MGMT       INFO    0x00001C02      /ade/brmohant_17700080/ngamac/src/palantir/aaa_client/src/watcher_thread.cpp:474        "New connection opened to Access Server"        Connection^object{ObConnectionAAA:0x7F2390306270{_socket=object{ObSocket:0x023E8390{_sock=19}{_my_addr=}{_my_port=0}{_remote_addr=192.168.56.245}{_remote_port=5576}{_use_blocking_calls=false}{_timeout=10000}{_req_pending=0}}}{_state=ObConnUp}{_priority=1}{_debug=false}{_host=oamr2ps1.oracle.com}{_port=5576}{replyMapSize=0}{_seqno=0}{_isSpare=true}{_createTime=1386268259}{_closedTime=0}{_retries=0}}
2013/12/05@18:30:59.01584       15928   15999   CONN_MGMT       INFO    0x00001C04      /ade/brmohant_17700080/ngamac/src/palantir/aaa_client/src/watcher_thread.cpp:504        "Session expired"       Connection^object{ObConnectionAAA:0x7F239028F770{_socket=object{ObSocket:0x023D3000{_sock=18}{_my_addr=}{_my_port=0}{_remote_addr=192.168.56.245}{_remote_port=5576}{_use_blocking_calls=false}{_timeout=10000}{_req_pending=0}}}{_state=ObConnUp}{_priority=1}{_debug=false}{_host=oamr2ps1.oracle.com}{_port=5576}{replyMapSize=0}{_seqno=9}{_isSpare=false}{_createTime=1386268079}{_closedTime=0}{_retries=0}}      Maximum Session Time^120        Current Time^1386268259
2013/12/05@18:31:59.10580       15928   15999   CONN_MGMT       INFO    0x00001C02      /ade/brmohant_17700080/ngamac/src/palantir/aaa_client/src/watcher_thread.cpp:474        "New connection opened to Access Server"        Connection^object{ObConnectionAAA:0x7F239028F770{_socket=object{ObSocket:0x0241C020{_sock=17}{_my_addr=}{_my_port=0}{_remote_addr=192.168.56.245}{_remote_port=5576}{_use_blocking_calls=false}{_timeout=10000}{_req_pending=0}}}{_state=ObConnUp}{_priority=1}{_debug=false}{_host=oamr2ps1.oracle.com}{_port=5576}{replyMapSize=0}{_seqno=0}{_isSpare=false}{_createTime=1386268319}{_closedTime=0}{_retries=0}}

As a closing note, remember to reduce the log level of your production WebGates again once you’ve verified that the correct connection time setting is in force.

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Introduction

In a previous post, we discussed some of the complications that can occur when a firewall is placed between WebGates and OAM Servers in a typical deployment. This post follows on from that discussion, to explore an analogous topic- firewalls between the OAM Server and the LDAP Identity Store. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

The problem we are trying to solve

Without repeating the discussion from the previous post, the problem, in a nutshell, is preventing an over-eager firewall from tearing down an LDAP Identity Store connection that OAM still needs to use. Should this happen, OAM requests sent over that connection will fail, leading to degraded performance as the LDAP connection is re-established and the operation re-tried. Once again, the solution lies in configuring OAM’s LDAP Connection Pool to refresh connections on its own accord, by appropriately setting the Identity Store’s connection TTL (time to live) as below.

This procedure works for OAM versions from 11.1.1.5 up to and including 11.1.2.1.

 How to prevent the firewall closing connections

The way to avoid this problem is to ensure that the firewall is never given cause to close an LDAP connection – in other words, ensuring that LDAP connections never exceed the configured TTL or inactivity timeout as defined at the firewall. This is achieved by configuring a maximum LDAP connection lifespan, or TTL, at the OAM side that is less than the firewall’s maximum TTL or idle timeout.

This is achieved by adding the MaxConnectionReuseTime setting to the Identity Store configuration in oam-config.xml, as per the below snippet. The value is specified in seconds.

<Setting Name="LDAP" Type="htf:map">
        <Setting Name="E9ABCBCF59F0CDEC56" Type="htf:map">
          .....         
          <Setting Name="LDAP_URL" Type="xsd:string">ldap://idstore.example.com:389</Setting>
          <Setting Name="ReferralPolicy" Type="xsd:string">follow</Setting>
          <Setting Name="GroupCacheSize" Type="xsd:integer">10000</Setting>
          <Setting Name="MaxConnectionReuseTime" Type="xsd:string">1740</Setting>
          <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
        </Setting>
       .....
</Setting>

In the above example, MaxConnectionReuseTime has been set to 1740 seconds, or 29 minutes. This would be an appropriate setting for a firewall that times connections out after 30 minutes, since the OAM TTL should always be lower than that enforced by the firewall. Be sure to set MaxConnectionReuseTime to an appropriate value for your own environment.

Be sure to follow the correct procedure for making manual edits to oam-config.xml, as described in this post

 As a closing comment, be aware that you may additionally need to configure your LDAP server to enforce a connection TTL; in this case, though, the server-side timeout should be higher than that set by the firewall – and obviously also higher than OAM’s MaxConnectionReuseTime.

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

For obvious reasons, there is a high demand for Multi-Data Center (MDC) topology; which is now supported in Oracle Access Manager (OAM) 11g.  This post discusses some of the features of MDC as well as provide some detail steps on how to clone a secondary data center.  This post is based on R2PS1 code base.  With PS2 there are some new features I will cover below.  Here is the PS2 document library for reference.

Main Article

Here is an conceptual topology for an MDC deployment.

This should be pretty self-explanatory.  Notice the Global Load Balancers (GLBR); both the New York and London data centers must be front-ended with a GLBR for MDC support.  This allows the a user request to be routed to a different data center when:

• The data center goes down.
• There is a load spike causing redistribution of traffic.
• Certain applications are deployed in only one data center.
• WebGates are configured to load balance within one data center but failover across data centers.

Deployment

There are two parts to deploying MDC. The first part is ‘cloning’ the configuration from the master site to a secondary site using the Test-to-Production (T2P) process. The second part is to enable the MDC configuration so that each partner site is aware of each other.   This post will only cover the T2P procedure.  T2P is not new; however, many of our legacy OAM customers may not be familiar with T2P.  I will describe the commands I executed to clone a master site to a secondary site using T2P.

More details on T2P can be found in Oracle Fusion Middleware guide here.

MDC supports both active-active and active-passive/stand-by scenarios.  The following prerequisites must be satisfied before deploying Multi-Data Centers:

• All Data Center clusters must be front ended by a single Load Balancer.
• Clocks on the machines in which Access Manager and agents are deployed must be in sync. Non-MDC Access Manager clusters require the clocks of WebGate agents be in sync with Access Manager servers. This requirement applies to the MDC as well. If the clocks are out of sync, token validations will not be consistent resulting in deviations from the expected behaviors regarding the token expiry interval, validity interval, timeouts and the like.
• The identity stores in a Multi-Data Center topology must have the same Name.

High-level Steps:

• The first Data Center is designated as Master and will be cloned (using T2P tools) for additional Data Centers.
• All configuration and policy changes are propagated from the Master to the Clone using the WLST commands provided as part of the T2P Tooling.
• Each Data Center is a separate WebLogic Domain and the install topology is the same.

Below are the steps I used to clone a master data center of two OAM servers in a cluster to a secondary data center.

For more details on the scripts I used , please check the documentation here.

Detailed steps:

The two steps below are only required for OAM version R2PS1.  Exporting/importing the schema in PS2 is no longer required.  There is a new feature called ‘Automatic Policy Synchronization’ (APS).  Click here to learn more.

• Export the OPSS schema from the ‘master’ DB instance.  Set the ORACLE_HOME to the db home directory and execute the ‘expdp’ command.

export ORACLE_HOME=/u01/DB/product/11.2.0/dbhome_1/bin

./expdp system/welcome1@db11g DIRECTORY=DATA_PUMP_DIR SCHEMAS=STMTEST_OPSS DUMPFILE=export_TEST.dmp PARALLEL=2 LOGFILE=export.log

 Dump file set for SYSTEM.SYS_EXPORT_SCHEMA_01 is:
/u01/db11g/admin/db11g/dpdump/export_TEST.dmp

• Import the OPSS schema to the secondary/cloned DB.  Make sure that the schema on the secondary/cloned DB instance is loaded via RCU. Load both the OAM and OPSS schema on the secondary DB instance and note down the schema names.

./impdp system/welcome1@orcl DIRECTORY=DATA_PUMP_DIR DUMPFILE=export_TEST.dmp PARALLEL=2 LOGFILE=import.log remap_schema=STMTEST_OPSS:STMPROD_OPSS remap_tablespace=STMTEST_IAS_OPSS:STMPROD_IAS_OPSS TABLE_EXISTS_ACTION=REPLACE

• On the ‘master’ machine you need to copy the binaries. Server state is immaterial. Make sure to create the /oam_cln_log directory first.  I also recommend you create a separate directory to store MDC related artifacts; for example /u01/MDC_FILES.

cd /u01/IAM1/Middleware/oracle_common/bin

copyBinary.sh -javaHome /home/oracle/java/jdk1.7.0_10 -archiveLoc /u01/MDC_FILES/oamt2pbin.jar -sourceMWHomeLoc /u01/IAM1/Middleware -idw true -ipl /u01/IAM1/Middleware/oracle_common/oraInst.loc -silent true -ldl /u01/MDC_FILES/oam_cln_log

• On the ‘master’ machine you need to copy the configuration. Both the administration server and all managed servers need to up and running. The Weblogic server must also be in production mode.

copyConfig.sh -javaHome /home/oracle/java/jdk1.7.0_10 -archiveLoc /u01/MDC_FILES/oamt2pConfig.jar -sourceDomainLoc /u01/IAM1/Middleware/user_projects/domains/IAMDomain -sourceMWHomeLoc /u01/IAM1/Middleware -domainHostName iam1.us.oracle.com -domainPortNum 7001 -domainAdminUserName weblogic -domainAdminPassword /u01/MDC_FILES/t2p_domain_pass.txt -silent true -ldl /u01/MDC_FILES/oam_cln_log_config

The following commands are to be executed on the ‘clone’ machine.

• Copy the following files from the master environment: oamt2pbin.jar, oamt2pConfig.jar, pasteBinary.sh, oraInst.loc and cloningclient.jar.  The oamt2pbin and oamt2pConfig jar files should have been created with the copy commands above.  The cloningclient.jar, pasteBinary.sh and oraInst.loc can be found within the /oracle_common directory.
• Using the pasteBinary.sh script will copy the binary data (oamt2pbin.jar) to the new server.  No Oracle software with the exception of the Java should be installed on the new machine.  In this example, a place-holder directory /u01/IAM1 and /u01/MDC_FILES/oam_cln_log needs to exists before running the command below.

./pasteBinary.sh -javaHome /home/oracle/java/jdk1.7.0_10 -al /u01/MDC_FILES/oamt2pbin.jar -tmw /u01/IAM1/Middleware -silent true -idw true -esp false -ipl /u01/MDC_FILES/oraInst.loc -ldl /u01/MDC_FILES/oam_cln_log -silent true

• Next we need to extract a move plan file.  This file allows you to modify some of the details of the new environment.  The script is called ‘extractMovePlan.sh’ and is located under /oracle_common/bin.

./extractMovePlan.sh -javaHome /home/oracle/java/jdk1.7.0_10 -al /u01/MDC_FILEYou should now be able to start the Administration/OAM servers on the clone machine.S/oamt2pConfig.jar -planDirLoc /u01/MDC_FILES/moveplan/

Once the ‘moveplan.xml’ was created, I changed the following:

• All host names endpoints.  For example, my Master host name was iam1.us.oracle.com, I changed this to iam2.us.oracle.com.  If you have multiple components on the same machine make sure you modify all properties that make sense in you deployment.

                     <configProperty>
                        <name>Listen Address</name>
                        <value>iam2.us.oracle.com</value>
                        <itemMetadata>
                            <dataType>STRING</dataType>
                            <scope>READ_WRITE</scope>
                        </itemMetadata>
                    </configProperty>

• WLS machine name and Node Manager host name.

            <configGroup>
                <type>MACHINE_CONFIG</type>
                <configProperty id="Machine1">
                    <configProperty>
                        <name>Machine Name</name>
                        <value>IAM2</value>
                        <itemMetadata>
                            <dataType>STRING</dataType>
                            <scope>READ_WRITE</scope>
                        </itemMetadata>
                    </configProperty>
                    <configProperty>
                        <name>Node Manager Listen Address</name>
                        <value>iam2.us.oracle.com</value>
                        <itemMetadata>
                            <dataType>STRING</dataType>
                            <scope>READ_WRITE</scope>
                        </itemMetadata>
                    </configProperty>
                    <configProperty>
                        <name>Node Manager Listen Port</name>
                        <value>5556</value>
                        <itemMetadata>
                            <dataType>INTEGER</dataType>
                            <scope>READ_WRITE</scope>
                        </itemMetadata>
                    </configProperty>
                </configProperty>
            </configGroup>

• Schema owners.  Make sure you change both the OPSS and OAM schema configuration property.

                    <configProperty>
                        <name>User</name>
                        <value>MDC2_OPSS</value>
                        <itemMetadata>
                            <dataType>STRING</dataType>
                            <scope>READ_WRITE</scope>
                        </itemMetadata>
                    </configProperty>

                    <configProperty>
                        <name>User</name>
                        <value>MDC2_OAM</value>
                        <itemMetadata>
                            <dataType>STRING</dataType>
                            <scope>READ_WRITE</scope>
                        </itemMetadata>
                    </configProperty>

• Now we paste the configuration on the target/clone machine using the ‘moveplan.xml’ we just modified.

./pasteConfig.sh -javaHome /home/oracle/java/jdk1.7.0_10 -archiveLoc /u01/MDC_FILES/oamt2pConfig.jar -targetMWHomeLoc /u01/IAM1/Middleware -targetDomainLoc /u01/IAM1/Middleware/user_projects/domains/IAMDomain -movePlanLoc /u01/MDC_FILES/moveplan/moveplan.xml -domainAdminPassword /u01/MDC_FILES/t2p_domain_pass.txt -ldl /u01/MDC_FILES/oam_cln_log_paste -silent true

You should now be able to start the Administration/OAM servers on the secondary/cloned machine.

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Introduction

Oracle Access Manager 11gR2 – PS2 is now out!  This post will cover some of the new features in PS2.

There are six new features I will discuss:

• Dynamic Authentication
• Persistent Login (Remember Me)
• Policy Evaluation Ordering
• Delegated Administration
• Unified Administration Console
• Session Management
  • Granular Idle Timeout
  • Client Cookie based Session

Main Article

Dynamic Authentication

Dynamic authentication is the ability to define what authentication scheme should be presented to a user base on some condition.   For example, if a user is using a specific browser, say ‘FireFox’, then present them with a specific scheme only for Firefox users.  Here are some screen shots:

Select the ‘Advance Tab’

Specify the condition and define what scheme you want.

Persistent Login (Remember Me)

Persistent Login is the ability to let users login without credentials after the first-time login.  This feature is disabled by default and can be set at the application domain level.  Again here are some screen shots:

Policy Evaluation Ordering

The out-of-the -box algorithm is based on the “best match” algorithm for evaluating policies.  In PS2 you now have the option to specify a custom order for policies for a particular application domain.  Also if you are doing a migration from 10g the policy order is maintained.

Delegated Administration

Ah our old friend is back!  For those of you who remember; in older versions of OAM (10g and prior) you had the ability to select users who can administer their own application domains.  In PS2, there is a new role called ‘Application Domain Admin Role’.  These users now have full access to application domains.  Also the migration from 10g will preserve the admin configuration.  This is supported via the UI as well as the REST API.

Unified Administration Console

The console screen has a new look; a new single ‘Launch Pad’ screen with services that are enabled based on user roles.  The tree navigation has been removed.

Session Management

Granular Idle Timeout

You now have the ability to set idle session timeout’s at the application domain level; this will override the global settings.  In this example, the idle session timeout is set to fifteeen minutes as the global setting; whereas it is set to five minutes in the application domain.

Client Cookie based Session

Cookie based sessions are more scalable such that all session data is maintain on the client side (browser).  This is designed for very large deployments where server side sessions can be more expensive; making the server stateless.  This is very similar to OAM 10g; however, this will not support the following:

• Session Management, session limits
• Identity Context
• Granular Timeout
• Session attribute based on authorization policies

Additional features

This is just a short list of improvements in PS2.  Other enhancements include:

• Upgrade Enhancements
• Install/Patching Automation for IDM
• Multi-Data-Center Deployment.  You can read more here.
• Automated Replication
• Performance Enhancements
• SHA-2 Encryption for Webgates
• IPV6 Support
• Customized Error Pages
• Complete convergence for Federation – Service Provider(SP) & Identity Provider(IDP)

I want to thank our OAM PM, Venu Shastri for providing this list of new features.

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Many Oracle Access Management 11g customers opt to deploy a combination of Oracle Access Manager and Oracle Adaptive Access Manager using the Advanced Integration option. This combination of product features can provide strong, adaptive authentication and fraud mitigation for online applications. In this post, we examine a number of strategies for configuring the connectivity between these components in order to provide scalability and high availability for production deployments.

The information in this post applies to the 11g R2 versions of OAAM and OAM only ( at the time of writing, 11.1.2.0, 11.1.2.1 and 11.1.2.2).

Before continuing, readers are advised to consult the Appendix C of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite (11.1.2.2 release here) to familiarize themselves with the Advanced Integration option, in terms of its features, benefits and configuration steps. This post will concentrate only on the configuration of the necessary parameters controlling the OAP communication pool between OAAM and OAM.

The problem we are trying to solve

When OAM and OAAM are deployed using the Advanced Integration pattern, the two product components play different role during the authentication process. Through the use of the OAAM Authentication Scheme in OAM, the process of collecting credentials (and thus handling the entire authentication flow with the user’s browser) is handled by OAAM. The actual authentication (or, in fact, credential validation) step is still performed by OAM via a back-channel OAP (Oracle Access Protocol) call from OAAM. OAAM uses its configured logic to collect username and password from the user, with the aid of virtual strong authentication devices, fraud detection rules and the like. Once it has collected these credentials, it uses an embedded OAM Access SDK client (or custom AccessGate) to pass these credentials to the OAM server. OAM validates the credentials against its configured LDAP identity store and returns the result to OAAM. Should the authentication succeed, OAAM then generates a Delegated Authentication Protocol (DAP) token and redirects the user back to OAM with this token in order to create the necessary OAM session.

In order to ensure sufficient performance and availability for production deployments, it is thus critical to ensure that this OAP connection mechanism between OAAM and OAM is correctly configured to meet the applicable requirements.

How OAAM manages connections to OAM

Unlike OAM webgates, which are completely configurable via the webgate profile in the OAM console (which in turn generates the ObAccessClient.xml file), OAM Access SDK clients (such as OAAM) do not use the webgate profile for anything other than basic authentication to the OAM server. What this means is that while the webgate ID and password are important, OAAM will essentially ignore any other settings on the webgate profile – in particular, those settings controlling the number of primary and secondary OAP connections that should be created against each OAM server, which allow for load balancing and high availability when configuring webgates. Instead, OAAM’s connection pool is configured via a number of OAAM properties, which provide somewhat less flexibility in terms of support for load balancing. We’ll explore these properties below, before discussing a number of strategies that can be used to ensure a production-ready deployment. Please also see Appendix C of the Oracle Fusion Middleware Administrator’s Guide for Oracle Adaptive Access Manager (11.1.2.2 release here)

• oaam.uio.oam.webgate_id – defines the webgate ID used by OAAM. This defaults to IAMSuiteAgent and should not be changed.
• oaam.oam.csf.credentials.enabled – this property, when set, uses the Fusion Middleware Credential Store Framework (CSF) to securely store password, such as the webgate password. This should always be set to true.
• oaam.uio.oam.security.mode – defines the communication security between OAAM and OAM, can be either 1 (open), 2 (simple) or 3 (cert). Open is the default.
• oaam.uio.oam.host – defines the primary OAM hostname to which OAP connections should be established.
• oaam.uio.oam.port – defines the OAP port for the primary OAM host (this defaults to 5575)
• oaam.uio.oam.secondary.host – defines the secondary, or failover, OAM hostname. OAP connections will only be established to this host if connections to the primary OAM host fail.
• oaam.uio.oam.secondary.host.port – defines the OAP port for the secondary OAM host (this defaults to 5575)
• oaam.oam.oamclient.minConInPool – defines the minimum number of OAP connections that OAAM will maintain in its pool. This setting will obviously be respected by each OAAM server.
• oaam.uio.oam.num_of_connections – defines the target (maximum) number of OAP connections to the primary OAM server that OAAM will maintain in its pool. This setting will obviously be respected by each OAAM server. The default value is 5.
• oaam.uio.oam.secondary.host.num_of_connections – defines the target (maximum) number of OAP connections to the secondary OAM server that OAAM will maintain in its pool. This setting will obviously be respected by each OAAM server. The default value is 5.
• oaam.oam.oamclient.timeout – the period in seconds that a request will wait for an available OAP connection before timing out. The default is 3600 seconds (1 hour) which is way too high and should always be reduced to not more than 60 seconds  in production.
• oaam.oam.oamclient.periodForWatcher – defines the rest period (in seconds) for the OAAM Pool Watcher thread, a thread which periodically checks the health of connections in the pool. The default is 3600 seconds (1 hour)  which should probably be reduced to around 300 (5 minutes) for production deployments.
• oaam.oam.oamclient.initDelayForWatcher –  defines the initial delay (in seconds) before the OAAM Pool Watcher thread starts to check connections. The default is 3600 seconds (1 hour)  which should probably be reduced to around 300 (5 minutes) for production deployments.

Perusing the above properties, the immediate observation is that only a single primary and single secondary OAM server can be specified. This is obviously of limited usefulness for large-scale production deployments, where it is a fairly obvious requirement to want to load balance requests from OAAM across a number of OAM servers. Below, we explore a number of options that can work.

 Options for OAAM to OAM connection load balancing

1: Override deployment-wide properties on a per-host basis

In a deployment where the number of OAAM nodes matches the number of OAM nodes exactly, then a fairly sensible and robust load balancing approach is simply to allocate a single primary and a single secondary OAM server to each OAAM server. This can be achieved by overriding the deployment-wide oaam.uio.oam.host and  oaam.uio.oam.secondary.host settings on each individual OAAM host. In order to do this, first ensure that you delete the applicable property values from the OAAM database via the OAAM console. Then pass a unique value to each OAAM server instance at startup via a java property, e.g.

-Doaam.uio.oam.host=<primary_host_name> and -Doaam.uio.oam.secondary.host=<secondary_host_name>

Consider a deployment comprising two OAAM hosts (Host A and Host B) and two further OAM hosts (Host C and Host D). Using this approach, Host A would be configured with the following settings:

oaam.uio.oam.host: Host C and oaam.uio.oam.secondary.host: Host D

while Host B would be configured with

oaam.uio.oam.host: Host D and oaam.uio.oam.secondary.host: Host C

This configuration would ensure that both OAM hosts received an equivalent number of connections, thus providing load balancing, while also providing resilience in case either OAM server should become unavailable.

This approach, though, would suffer from a number of drawbacks, including the following:

• unsuitable for deployments where the number of OAM and OAAM nodes is asymmetric and not even.
• manageability is reduced as OAAM console cannot be used to configure per-host parameter values.
• would not scale much beyond two nodes while still providing high availability. The loss of more than one OAM node at any one time would potentially render certain OAAM nodes unusable.
• no way to rebalance load across OAM nodes in case an OAAM node goes down.

2: Use virtual hostnames

The second option is similar to the first, in that it allows for the definition of a single primary and a single secondary OAM server for each OAAM server. In this case, though, rather than overriding domain-wide property values, the approach is to user virtual hostnames to define the OAM servers.

For example, we would define the following:

oaam.uio.oam.host: oam-primary.domain.com

oaam.uio.oam.secondary.host: oam-secondary.domain.com

We would then use the /etc/hosts file on each OAAM node to define exactly which physical OAM server IP address the virtual hostnames oam-primary and oam-secondary should resolve to. In our above scenario, OAAM HOST A would have entries in its hosts file mapping oam-primary to the IP address for OAM Host C and oam-secondary to the IP address for OAM Host D. HOST B would instead map oam-primary to the IP address for OAM Host D and oam-secondary to the IP address for OAM Host C.

In cases where OAAM and OAM servers are co-located on the same hardware, we can use a shortcut and specify “localhost” as the oaam.uio.oam.host value.

This approach provides pretty much exactly the same benefits as the first option and incurs the same drawbacks, with the possible exception that it may prove somewhat easier to manage in production. In particular, the fact that any of the virtual mappings could be changed dynamically (without needing to restart OAAM) would be a definite advantage of this strategy.

3: Use an external load balancer

Perhaps the most obvious solution to this problem is to insert some form of external load balancer between OAAM and OAM. In this case, OAAM is configured such that the oaam.uio.oam.host property points to the address of the load balancer, which then in turn distributes requests to the OAM servers according to whatever algorithm is desired. In this scenario, it does not even make sense to define the oaam.uio.oam.secondary.host property (unless there is a second, redundant load balancer in place) since it’s assumed that the load balancer itself will only route requests to active OAM nodes.

This approach has a number of benefits when compared to options 1 and 2 above, including the following:

• can be used to balance load from any number of OAAM servers to any number of OAM servers; there is no requirement for symmetry
• better scalability beyond 2 nodes
• better manageability via load balancer console, rather than host files/command-line switches

These benefits do come at a cost, however, in terms of increased complexity within the deployment. There will obviously also be a physical cost to procuring and commissioning the necessary load balancing device.

In addition, some caveats need to be mentioned at this point.

Firstly, while it may seem an obvious point, it’s worth remembering that OAP is a long-lived, TCP-based protocol and thus the load balancer used must be able to handle such a protocol. OAP is not HTTP, thus an HTTP-only load balancer can not be used here.

The fact that OAP connections are long-lived can introduce some unforseen complications, like the ones described in this excellent post by Chris Johnson. Unless the load balancer is able to dynamically rebalance connections, it is possible that an OAM server outage could result in an unbalanced connection load even after the troublesome server is brought back on-line. The only way to mitigate this situation would be to perform a managed rolling restart of the OAAM cluster once all the OAM servers are up again.

The comments in this blog post about connection timeouts are also applicable; it is best to configure the load balancer so as not to time out idle/long-lived connections if possible. If not, these time-outs should be set for as long as possible, since we do not have the equivalent of the webgate “Max Session Time” parameter available through OAAM’s configuration properties. If it is not possible to avoid connection time outs, then as a mitigation, be sure to set the oaam.oam.oamclient.periodForWatcher property to a low enough value, to increase the likelihood that the OAAM pool watcher will detect and re-establish a timed-out connection before a real client request attempts to use it.

 4: Use a combination of the above

While there is obviously no perfect answer or one-size-fits-all solution here, the most sensible approach may well be to combine the above options; a number of the more unpleasant side effects caused by load balancing OAP can be avoided by using a direct host connection (either option 1 or 2) for the primary OAM server connection. If a load balancer is available, it could be used as the secondary, thus allowing the solution to scale beyond two nodes without compromising availability.

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Introduction

In “Part 1: How To Load Test OAM11g using Apache JMeter” I talked about an example plan that could be used to load test OAM11g, which included some common configuration elements, some samplers for login, authorization, logout, and some listeners that provided result analysis.   In Part 2, I wanted to expand on an option to make JMeter send random logins and I will explain why, and then cover how to leverage JMeter to load test an LDAP server like OUD, OID, ODSE, or OVD.

Main Article

How to get JMeter to do Random Logins

As I mentioned before in Part 1 the load test was simply going through a list of users and each would login.  As the test plan is run a second time OAM would have cached authorization for the purpose of improved performance, but each time you would run the load test it would be skewed a bit and the test results may be inconsistent and therefore harder to determine if tuning or other changes have improved results.  I want to note that OAM does not cache login data like passwords or usernames, the caching is more about policies for authorizations.

So why care about randomizing login requests in a load test?  Randomizing in my opinion provides a way to try and simulate a little more realistic load test since in real life you would not expect Brian to login just before Pardha every single time.  So one option to avoid this dilemma is to restart the environment after each load test, and this is often a common practice, but that can cost a lot of time.  The approach I am proposing generates random logins in a little more realistic anyway, so why not do it?

It would be really nice if the CSV Data Set Config element had an option to randomly select users from the list in the file, but unfortunately it doesn’t.  So I spent a little time trying to come up with a good way to accomplish random logins and it was not as easy as I had hoped.   I finally came up with an approach that works pretty well, though I would love to get feedback if there is another way to do it.  The approach I came up with has some additional benefits, more on that later. So to get started please download the OAM11g_AdvLoadTest.jmx.zip [CLICK TO DOWNLOAD] Test Plan and follow through the remaining sections.

Split the User List

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Introduction

With the recent IDM 11gR2PS2 release Oracle has developed a new deployment tool that aims to automate and reduce the time required to install and configure Oracle Identity and Access Management Components.
In this post we are going to present the benefits, supported topologies and components and key points to keep in mind to conduct a successful IDM deployment.

Architecture and Components

Currently the Deployment Wizard Supports two types of topologies:

• Single Host/Domain: All components are installed in one host under a single domain. This is recommended for testing and demos but not for production due to the lack of redundancy.
• Multi Host/Domain: Components are installed in multiple hosts and split in two domains for High Availability, AccessDomain (OAM) and GovernanceDomain (OIM). By having OAM and OIM in different domains also helps to maintain and patch each component separately.

This approach also offers a mix of options:

• Distributed: 8 hosts, consisting of 2 web hosts, 2 OAM hosts, 2 OIM hosts and 2 directory hosts.
• Consolidated: 4 hosts, consisting of 2 web hosts, 2 IAM hosts (OIM + OAM + LDAP)

There is also an option to install just OIM or just OAM but I will not cover those in this post.
The tool supports OUD, OAM, OAAM *, OIM, SOA and OHS/Webgate but there are plans to include other IDM products in future releases.
*OAAM is supported through an EDG-documented scale-out procedure.

Automated x Manual Installation

There are a few advantages and disadvantages for both cases, let’s discuss each option.

• Automated. The biggest advantage is the time spent in deploying the components. The deployment of a HA, split domain, consolidated topology can be done in a couple of days work. Also, the complexity and numbers of manual steps required is greatly reduced, translating in fewer errors, issues and planning time. Rather than having to manually install and configure each component (JRE, WLS, OUD, OAM, SOA, OIM), this new tool allows you to run a few commands to install and configure the whole stack. Another advantage is the ability to reproduce a successful install: once you created a response file, is easy to just change its values (hostnames, port numbers, passwords, etc, etc) and run the deployment tool again on another environment. That also leads to consistency between your environments as they will all have the same basic structure and configuration.
• Manual. The manual approach gives you more freedom and flexibility, as to which components, architecture and products you want to install (though future releases will probably reduce this gap). The manual installation requires a considerable amount of time to plan, install and configure all components, and if not followed the exact process can lead to a problematic environment down the road. The number of required manual steps is estimated in over a thousand and it will require more than a week (if you’re already familiar with the process) to get a full working OAM-OIM integrated environment in a High Available architecture. Reproducibility is another problem. Trying to recreate a second environment (Development, Test, Production, DR, etc) requires a controlled and documented installation process and I’ve seen many customers failing to do so.

Things to watch out when deploying with the new tool

The new tool isn’t a silver bullet and will require at least a minimum of preparation before starting. The tool has a “preverify” phase where it will try to validate your environment but it will not catch all the missing configuration and it will fail later. Failing to follow some of the recommendations will result in errors down the road requiring you to start the whole deployment process all over. So, in order to prepare and have a smooth installation, based on my first impressions, I would recommend:

• Get familiar with the 11gR2PS2 Enterprise Deployment Guide (http://docs.oracle.com/cd/E40329_01/doc.1112/e48618/toc.htm). It will help you understand the new concept and to make the required preparations before starting the deployment;
• Stick to the recommended architecture, whichever you choose, single domain or split domain, and to the number of hosts/components;
• Having a NFS shared mounting point to host the installation files makes the process even faster and easier. Make sure to mount the installation directory in the web hosts too, you can unmount it later after the installation completes.
• Dedicate some time to verify if all the hosts and infrastructure are correctly configured. Check if all hosts are resolvable both in through DNS and hosts files (again, you can isolate the web hosts later, after installation finishes), kernel parameters, mounting points, database, available disk space and temp directory, load balancer, etc. Refer to the EDG guide and make notes of all the requirements before starting the deployment.
• When you create the Database Schemas with RCU, use two prefixes, but make sure to create the ORASDPM schema for both OIM and OAM. For example:

• Before even start to run the tool check the Support Note 1662923.1. There are some required manual steps that need to be executed before and right after executing the tool.
• In case you encounter an error, the clean up procedure basically instructs you to erase everything and start all over. In my experience I found some minor issues (low /tmp space or hosts not resolvable) that were not caused by the tool itself. In my case just deleting the /stage/lcm/provisioning/phaseguards files for that particular phase lured the tool into thinking it hasn’t started the phase yet and it allowed me to correct the issue and run phase again. Might worth a try before erasing everything and starting over.
• After the installation (and the manual steps described in Support Note 1662923.1, https://support.oracle.com/epmos/faces/DocumentDisplay?id=1662923.1) completes, there are still a couple of manual steps that need to be executed. Don’t forget to check the EDG guide and follow them through.

Conclusions

Although the new deployment tool does not fit all needs and it currently support a few components, options and features, it’s a great step towards a more simple and effective way to install and configure IDM components. In future releases there will be more flexibility and a more refined and robust tool available. We hope that this tool will help to provide customer with an easier way to test and deploy our products and reduce the number of issues and required time to install IDM.

References

• IDM 11gR2PS2 EDG: http://docs.oracle.com/cd/E40329_01/doc.1112/e48618/toc.htm
• Identity Management Deployment Repository Download Page: http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html
• Support Note 1662923.1 – https://support.oracle.com/epmos/faces/DocumentDisplay?id=1662923.1

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

I have been asked several times over the years if there is a way to customize the following error message a User is presented in their Internet browser when the WebGate fails to contact any of the Access Servers.

Oracle Access Manager Operation Error

The WebGate plug-in is unable to contact any Access Servers.

Contact your website administrator to remedy this problem.

Though this error is without a doubt accurate, many clients would rather display something a little more friendly or have other reasons to change it.  Interestingly this error has been the same message going back to the early days of OAM when it was still Oblix.  Incidently there is a great My Oracle Support document 555137.1 that provides steps on how to customize the error message, but it refers to OAM 10g.  So this begs the question will this work with the newer OAM 11g, and more specifically 11g WebGates.  I am here to say, “Yes it does”, I have tested this and this article covers this option and a bit more.

Lets Get Some Questions Out of the Way

I have been asked if there are alternate ways of customizing the error message. For example if using Apache or OHS, why not put a customized message in the ErrorDocument 500 inside the httpd.conf file; http://httpd.apache.org/docs/2.2/mod/core.html – error document. Good question because the WebGate does use a parameter HTMLpage500 so you would think it can just be as simple as modifying the 500 error.  However I tried and this does not work and for good reasons. The WebGate becomes the main gatekeeper, so if it cannot communicate to any Access Servers to make security decisions it will basically shutdown and reject all traffic to make sure nothing is compromised hence why it immediately lets people know the OAM Access Servers are down…do something!!

Then what about telling a load balancer in front of the web servers that have the WebGates to redirect to an alternate place? One problem is the load balancer is not intelligent enough to know if the WebGate is down. Another is if you could redirect, how is security taken care of? It is not as simple as it sounds.

At this point the best option is to leverage the article I mentioned, I feel this option is the best right now and it is not that complicated to implement.  So let’s move on and find out how to do it.

How to Create Your Custom Error Page

As I mentioned earlier, there is an article OAM 10g: How To Display A Custom Error Page When the Access Server Is Down? / WebGate Plug-in is Unable to Contact any Access Servers (Doc ID 555137.1), which I spent a lot of time validating that it works for 11g WebGates, and as I said it does.  Though I don’t really provide any additional ways that the article shows on how to generate a custom error message, I do go a little beyond the article and explain an easy way to make the custom message.  So lets get into it now.

1. Update the WebGate.xml file message tag ErrEngineDown
The key to this customization is updating a file called WebGate.xml. It is located in the WebGate install path under <WebGate install path>/wg1_home/webgate/ohs/lang/en-us. Now I used “en-us” for English, but if your environment requires a different language, look under “/lang/” and you will see other languages and within each language is a WebGate.xml file. So make sure the correct WebGate.xml file is being updated. Use an editor and open the WebGate.xml file and search for ErrEngineDown. Now change the default ErrEngineDown message “The WebGate plug-in is unable to contact any Access Servers.” with the custom message you want. This text will be output to the error page when the WebGate cannot contact any of the Access Servers for some reason.  Be sure to make a backup of the original WebGate.xml file in case you need to revert back.

2. Make your HTML Custom Error Page
Next there is another message tag inside the WebGate.xml file called HTMLpage500.  This tag can actually hold a real HTML page that will be displayed for the end user, so it is a lot more flexible.  So the best thing is to create some basic HTML you want the custom page to display, and note if possible try to avoid images. If you require images the reference to the images will need to point to some other external web server because when the OAM servers are down, the WebGate will basically not even let the web server work because it is trying to stop anyone from getting in; this is a security feature by design. So go ahead and create the HTML page you want to display for the end user.  Note toward the end of this article there is a neat little trick you can do.

3. Convert the HTML to XML
Now in the previous step you created some custom HTML page, but before you insert this custom message into the WebGate.xml it needs to be converted to XML.  To better understand, the less than sign < needs to be converted to &lt; and a greater than sign > needs to be converted to &gt;.  This certainly could tediously be done manually, but a much easier way is take the HTML, copy and paste it into this online HTML to XML converter https://sites.google.com/site/infivivek/resourse-centre/online-resources/html-to-xml-converter,  click the Convert button, and whala you have XML. Once you have the XML version of the HTML, copy it and go to the next step.

4. Update the WebGate.xml file message tag HTMLpage500 with the new XML.
The custom HTML page created earlier that was converted to XML can now be pasted into the WebGate.xml file. Edit the WebGate.xml file and search for HTMLpage500. Just like the ErrEngineDown message value, you will replace the default message with the XML copied from the previous step. This XML will be presented by the WebGate when the Access Servers are unavailable as an HTML page.  Be sure to save the WebGate.xml file.

5. Restart the Web Server
For the WebGate.xml file to take affect restart the web server.

6. Repeat
Since each web server will have its own WebGate install, you will need to repeat the same process above and update each WebGate.xml.  Alternatively an easier option is to simply copy the WebGate.xml file to the other WebGate install locations, there is no path reference to the install so copying the file is a safe and easy option.  Your WebGate install may be installed in a common mount If using a UNIX operating system and if that is true you may not need to copy or update the WebGate.xml file across several web servers.

7. Test the Custom Message by shutting down the OAM Access Servers
Finally we need to make sure it works.  To test the custom message, login to a WebGate protected application or page. Then shut down all the OAM Access Servers so that the  WebGate will act on this error.  Once all the Access Servers are down, refresh the browser and you should see the new custom message.  If not, review the WebGate oblog.log file to see if there are any errors that can help troubleshoot, or make sure the WebGate.xml file is correct.

Another HTMLpage500 option

The MOS article 555137.1 has a good option that adds a little META http-equiv=”REFRESH” method redirect, which redirects in zero seconds the browser to an alternate web page all together.  This trick will work on all web browsers.  However It would require an alternate web server that is running, and that web server could not have a WebGate because if it did that web server would also stop serving up HTML content. It is a clever option and certainly something worth thinking about.

Optional Actual HTML

<HTML>
<HEAD>
<TITLE>OAM Engine Down</TITLE>
<meta http-equiv=”REFRESH” content=”0;url=http://www.oracle.com/index.html”>
</HEAD>
<BODY>
</BODY>
</HTML>

Converted HTML to XML

&lt;HTML&gt;
&lt;HEAD&gt;
&lt;TITLE&gt;OAM Engine Down&lt;/TITLE&gt;
&lt;meta http-equiv=&quot;REFRESH&quot; content=&quot;0;url=http://www.oracle.com/index.html&quot;&gt;
&lt;/HEAD&gt;
&lt;BODY&gt;
&lt;/BODY&gt;
&lt;/HTML&gt;

In summary, this solution will provide a working option to create a custom error page when the OAM Access Servers are down. Feel free to play around with different messages and most of all test them to make sure they work.  Enjoy!

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Introduction

This post describes the necessary configuration for propagating an end user identity from OAG (Oracle API Gateway) to REST APIs protected by OWSM (Oracle Web Services Manager).

The requirements are:

1) Have a Java Subject established in the REST API implementation.

2) Prevent direct access to the REST API, i.e., only OAG should be able to successfully invoke it.

A recurrent question is how OWSM protects REST APIs and which types of tokens it supports when doing so.

If we look at the current OWSM (11.1.1.7) predefined policies, we notice a policy named

oracle/multi_token_rest_service_policy, described (verbatim) as:

“This policy enforces one of the following authentication policies, based on the token sent by the client:

HTTP Basic—Extracts username and password credentials from the HTTP header.

SAML 2.0 Bearer token in the HTTP header—Extracts SAML 2.0 Bearer assertion in the HTTP header.

HTTP OAM security—Verifies that the OAM agent has authenticated user and establishes identity.

SPNEGO over HTTP security—Extracts Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) Kerberos token from the HTTP header.”

In this specific use case, we are assuming the end user has already been authenticated by some other means before reaching OAG. In other words, we are assuming OAG gets some sort of token and validates the user locally, thus populating its authentication.subject.id attribute. This token OAG receives can be an OAM token, a Kerberos token, SAML token, you name it. It is matter of a design decision based on OAG’s client capabilities.

In a use case like this, it’s very unlikely that OAG will have the end user password, which eliminates the HTTP Basic header option. The remaining three are all good candidates. In this post we deal with a SAML 2.0 Bearer token in the HTTP Header. Our flow ends up being something like this: OAG Client -> “some token” -> OAG -> SAML 2.0 Bearer -> OWSM -> REST API.

We’re going to examine all necessary configuration in OAG, OWSM and in the REST API application. Buckle up, folks! And let’s do it backwards.

Main Article

REST API Web Application

package ateam.rest.impl;

import java.security.Principal;
import javax.security.auth.Subject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import weblogic.security.Security;

@Path("/carmodels")
public class CarModels {
    public CarModels() {
        super();
    }

    @GET
    @Produces("application/json")
    public String getModels() {

        Subject s = Security.getCurrentSubject();
        System.out.println("[CarModels] Principals established for the propagated user id:");
        for (Principal p : s.getPrincipals()) {
            System.out.println(p.getName());
        }

        String json = "{\"models\":[\"Nice Car\",\"Fast Car\",\"Lightweight Car\",\"Sports Car\",\"Lovely Car\",\"Family Car\"]}";
        return json;
    }
}

<filter>
    <filter-name>OWSM Security Filter</filter-name>
    <filter-class>oracle.wsm.agent.handler.servlet.SecurityFilter</filter-class>
    <init-param>
      <param-name>servlet-name</param-name>
      <param-value>ateam.rest.impl.Services</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>OWSM Security Filter</filter-name>
    <servlet-name>ateam.rest.impl.Services</servlet-name>
</filter-mapping>

package ateam.rest.impl;

import javax.ws.rs.core.Application;
import javax.ws.rs.ApplicationPath;
import java.util.Set;
import java.util.HashSet;

@ApplicationPath("resources")
public class Services extends Application {
    public Set<java.lang.Class<?>> getClasses() {
        Set<java.lang.Class<?>> s = new HashSet<Class<?>>();
        s.add(CarModels.class);
        return s;
    }
}

<servlet>
    <servlet-name>ateam.rest.impl.Services</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    <init-param>
        <param-name>javax.ws.rs.Application</param-name>
        <param-value>ateam.rest.impl.Services</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

> connect('weblogic','*****','t3://<admin-server-name>:<admin-port>') 
> beginRepositorySession()
> createPolicySet('owsm-policy-set-multi-token','rest-resource','Domain("<domain-name>")')
> attachPolicySetPolicy('oracle/multi_token_rest_service_policy')
> commitRepositorySession()

> keytool -import -file ~/oag_cert.cer -keystore ./config/fmwconfig/default-keystore.jks -storepass <keystore-password> -alias oag_cert -keypass welcome1

importPackage(Packages.java.util.zip);
importPackage(Packages.java.io);
importPackage(Packages.javax.xml.transform);
importPackage(Packages.javax.xml.transform.dom);
importPackage(Packages.javax.xml.transform.stream);
importPackage(Packages.java.lang);
importPackage(Packages.oracle.security.xmlsec.util);
importPackage(Packages.com.vordel.trace);

function invoke(msg)         {        

   var data = msg.get("saml.assertion");  

   var source = new DOMSource(data.get(0).getOwnerDocument());
   var baos = new ByteArrayOutputStream();
   var result = new StreamResult(baos);
   var factory = TransformerFactory.newInstance();
   var transformer = factory.newTransformer();
   transformer.transform(source, result);
   var tokba = baos.toByteArray();

   baos = new ByteArrayOutputStream();
   var gzos = new GZIPOutputStream(baos);
   gzos.write(tokba);
   gzos.flush();
   gzos.finish();
   var gzdata = baos.toByteArray();

   var b64 = new Base64(); 
   b64.setUseLineBreaks(false);
   var b64tok = b64.encode(gzdata);

   msg.put("data.base64", b64tok);
   return true;         
}

<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="Id-cffa4f53f9490000090000004f131aad-1" IssueInstant="2014-04-17T16:01:19Z" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">www.oracle.com</saml:Issuer>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Id-0001397750479781-ffffffffd55f69c1-1">
      <dsig:SignedInfo>
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <dsig:Reference URI="#Id-cffa4f53f9490000090000004f131aad-1">
          <dsig:Transforms>
            <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </dsig:Transforms>
          <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <dsig:DigestValue>87KiwbLN11S3qwJw23Zm0Odh9QQ=</dsig:DigestValue>
        </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>UO6S7++uxuqqLPl4cege7vmZpQ1q6MXL51s/e/fDd74aZdrEOx+G1tqA4YQtVQIh
fTuOcd1CtOyEUqOLNy9F4e87Ld/cqNcr8iWGlokPEPP153r19MIaWSYDslYq10xe
cArsGeayx0PpWjXo0VSH+u26grsTWIY+YATuU7BcKnqrrWFjmRxHAK/towXtuiPL
NtNYVgI6dPXVzJ+2lGSiZKBDBFoV9zUFE98kU0f050e3mq2x2BwvQ7MQUkPYyadt
b+Ifn0Hcr77Fp7FYfM0gPAMt3X0Dm5qsrEo5WS47RkWDq6EEdQx9HFEQJMLdwABL
xC8gNTETalZs73xUUQu2CA==</dsig:SignatureValue>
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Id-0001397750479781-ffffffffd55f69c1-2">
        <dsig:X509Data>
          <dsig:X509Certificate>
MIICtjCCAZ4CBgE9RZO/rjANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9TYW1wbGVzIFRlc3Qg
Q0EwHhcNMTMwMzA3MTU1ODAwWhcNMzcwMTEwMTA1NjAwWjAjMSEwHwYDVQQDExhTYW1wbGVzIFRl
c3QgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQClSoXx8QPLrHMS
Ff/5m3uLrDhxHycPYkamDCouu89mSKhD7aEZy3QS0mvZHvY2N1TmuQcdTuOgSE5qyT20mBEUVBnU
1y4WLQqM5fKu0TmIAajtYWTOdTnSuwR3f9W4poSwRMDNkUb8gPiXZNHZiyzriRMus29ER61eYAdr
XFlv5emXqi2ZK2bpBdtO6Q641TM9kUWB4ZyMqkGtRys9m2hNaXVR8e7r2WUrA9LEx3bRpku/OodI
GS6Qy0C2vueHDrdLYhYGKfNIllagEXY+dBQI8t2qH7rXBmr16lYyKK8VYJqeud9/NCAxD78vzOLY
0q6WaisVCa6FE/KpgpNF8sbZAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAH3W3yCTSORmIq5uhNTC
Zvd6wPz+zNXT19GqKgeDgjYMJj/Bl8czRO9YZo5MslwHILLgDVdz+ux4nSS3mCZ+PQGO42p/6o6n
IQ31yGzfYjTZ/1+1//CWyVtEhuSv5oFE+Le5mvkf1kNUrW4//qOXtfwXy/Hq09E9eaXlnBxUTHls
cQkpfQW5bi5Go7FDUNpW5EXUgXrQ96qKWMMK7i1hm7r5o6TldxCq5ANlPo/sObFNooQDkBWSKJ5t
GTtPiXO8kqYWdNBvnSRDk1Qqsn6fdFz485WB0e0pqWg2SuZa1026gIqtQPekJDQzTm0qvAnh/Aoh
oKs1dNQxruBf+MFLisw=
        </dsig:X509Certificate>
      </dsig:X509Data>
    </dsig:KeyInfo>
  </dsig:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">cn=jane,cn=Users,dc=us,dc=oracle,dc=com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-04-17T16:01:18Z" NotOnOrAfter="2014-04-17T16:06:18Z"/>
  <saml:AuthnStatement AuthnInstant="2014-04-17T16:01:19Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Introduction

When it comes to defining a strategy for web API security, OAG (Oracle API Gateway) and OES (Oracle Entitlements Server) together present a very interesting choice and are a very powerful combination indeed.

In this post we’re going to take a look at what each component brings in (the skin) and then get our hands on actually describing the integration in detail (the guts).

OAG is designed to inspect and act on various types of messages that are delivered to it or just pass through it. It’s usually positioned to be deployed on the DMZ (the De-Militarized Zone) within corporate networks. As such, it can block malicious traffic, authenticate users with a variety of protocols, integrate with anti-virus products, perform message throttling, thus delivering only the good stuff to your intranet servers and also off-loading them, decisively contributing to achieve some IT operational SLAs. More than that, OAG can switch protocols and transform messages. For instance, an organization may have SOAP-based web services and want to expose them as REST without any re-writing. Or implement SAML federation without touching origin systems. Or talk Kerberos or OAuth with clients and speak SAML with back-end servers. Or use it as an FTP server so that incoming files are immediately sent to a processing pipeline. The possibilities are numerous. Having mentioned these few features and examples, it’s not unreasonable to think deploying OAG inside intranets. And that’s not unusual, actually. It is a nice bridge with obvious benefits.

OES is designed to provide fine-grained authorization with externalized policies to client applications. It takes the coding of access decisions away from developers. Besides the obvious security pro, it shortens the change cycle, when a new security policy needs to be deployed. You simply avoid going through all the phases required for re-deploying your application just because of that change. It’s true the new policy needs testing, but that’s nowhere near when compared to what it takes to re-deploy a new application version. The time to market is drastically reduced. Now to the fine-grained part. OES can take a bunch of aspects in consideration when authorizing: the user identity, user roles, user attributes, context information about the request being made (like originating IP address), factors external to the request (like time of day, day of week, etc) and, of course, request data. Those combined makes it a very powerful authorization engine. It’s not coincidence that OES is the component behind OAM’s (Oracle Access Manager) authorization engine.

While OAG itself brings in authorization capabilities, in this field OES offers a much richer model. And if the organization already employs OES elsewhere, integrating it with OAG makes a lot of sense, because we end up with a single and consistent approach for authorization across applications.

Main Article

The Integration

OES basic architecture comprises a server and different client modules, called SMs (Security Modules). The server connects to a repository where policies are physically kept. The SMs are attached to client applications and connect either to OES server or to the repository directly, depending on their configured mode (I will touch up on this later). There are SMs available for Java, RMI, web services, Weblogic server, Websphere, JBoss, MS Sharepoint. When integrating with OAG, a Java SM is used. Despite its core being a C process, OAG forks up a JVM for some of its functions.

The integration hook between OAG and OES is the “OES 11g Authorization” filter, as seen below:

This is how OAG delegates authorization decisions to OES. Under the covers, an OpenAZ API authorization call is made to the SM. In the filter, we observe the following:

Resource: the OES resource for which authorization is being requested. There’s an implicit formation rule here: <OES_APPLICATION_NAME>/<OES_RESOURCE_TYPE>/<OES_RESOURCE_NAME>

Later on I show how these placeholders map to the OES policy.

Action: the action supported by the policy. More later on the OES policy.

Environmental/Context attributes: any extra information that you want to pass in to OES. These map to attributes in the OES policy. In this example, INVOKING_APPLICATION is an attribute used in a policy condition.

Besides, OAG always passes what’s in the message authentication.subject.id attribute, who basically defines the authenticated user principal name within the executing OAG circuit instance.

Ok, with these in mind, let’s look at what the OES policy looks like:

Read back again the OAG filter description and realize the mappings. What isn’t shown in the OES policy is <OES_RESORCE_TYPE> and the authenticated user.

As for <OES_RESOURCE_TYPE>, it suffices saying that the target name /resources/empSalaries is of type restapi, as shown:

The authenticated users is implicit in the policy. And in this case, it is going to be authorized only if it has Managers as one of its application roles.

So far, so good, but OAG can only talk to OES if it has the SM properly installed and configured.

Installing and Configuring OES SM for OAG

1 – Download and install OES Client in the same machine as OAG. It’s an Oracle installer and simply copies the binaries to a given location. Let’s call it OES_CLIENT_HOME.

2 – Create the SM in OES Console. Bind the applications to it. In the screen shot below, oag_sm Security Module is bound to MyServices application.

3 – Edit $OES_CLIENT_HOME/oessm/SMConfigTool/srmconfig.java.controlled.prp, pointing it to OES admin server. The following properties are to be edited:

• oracle.security.jps.runtime.pd.client.policyDistributionMode=controlled-push <change this only if you want to have another distribution mode>
• oracle.security.jps.runtime.pd.client.RegistrationServerHost=<OES Admin Server>
• oracle.security.jps.runtime.pd.client.RegistrationServerPort=<OES Admin Server SSL port>

OES supports 3 distribution modes: controlled-push, controlled-pull and uncontrolled.

controlled-push means that policies are distributed from OES server to the SM. The SM provides a listener that the OES server connects to. In OES Console, once the Distribute button is clicked, policies are *immediately* distributed to the configured SMs. The Distribute button doesn’t actually distribute policies. It simply marks policies as “Ready for Distribution”. In the case of push, policies are distributed right after. From this point on, SM needs no connection at all to the OES server (it can even be shut down), since policies are all local to the SM.

I am only showing the image to illustrate. Trying to distribute policies at this point is going to generate an error, because the SM isn’t yet registered with OES server.

controlled-pull means that the SM pulls policies on a defined frequency (default 10 min) directly from the *OES repository* into its local cache. It doesn’t get policies through OES server. But still, in other to be pulled, policies do need to be marked “Ready for Distribution” in OES Console.

uncontrolled means that SMs read policies directly from OES repository on demand and updates the local cache if the requested policy is not available locally. And the SM still pulls new policies and changes from OES repository periodically. As a result, OES repository is supposed to be up and reachable by SMs at all times. Policies don’t need to be marked “Ready for Distribution”, i.e., there’s no further control once policies are created/changed in OES.

Controlled distribution modes are only supported if the repository is database-based.

4 – Run

$OES_CLIENT_HOME/oessm/bin/config.sh -smConfigId <sm_name> -prpFileName $OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.java.controlled.prp

<sm_name> MUST match the SM you’ve created in step 2 before. In this case, oag_sm.

In this step you’re basically enrolling the SM, but no configuration gets written to OES server. A couple of files are generated at this point under $OES_CLIENT_HOME/oes_sm_instances/<sm_name>. All of them are important, but the most relevant one is ./config/jps-config.xml, where you can find the following configuration data about the SM. The DistributionServicePort is a random port number picked at enrollment time used by the SM to listen for policy distribution events.

<serviceInstance name="pdp.service" provider="pdp.service.provider">
            <description>Runtime PDP service instance</description>
            <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="controlled-push"/>
            <property name="oracle.security.jps.runtime.pd.client.sm_name" value="oag_sm"/>
            <property name="oracle.security.jps.runtime.pd.client.SMinstanceType" value="java"/>
            <property name="oracle.security.jps.runtime.pd.client.RegistrationServerURL" value="https://slc05ylp.us.oracle.com:3002/pd-server"/>
            <property name="oracle.security.jps.runtime.pd.client.DistributionServicePort" value="16933"/>
            <property name="oracle.security.jps.pd.client.sslMode" value="two-way"/>
            <property name="oracle.security.jps.pd.client.ssl.identityKeyStoreFileName" value="/scratch/fmwapps/oes11gps2_client/oes_sm_instances/oag_sm/security/identity.jks"/>
            <property name="oracle.security.jps.pd.client.ssl.trustKeyStoreFileName" value="/scratch/fmwapps/oes11gps2_client/oes_sm_instances/oag_sm/security/trust.jks"/>
</serviceInstance>

5 – Create a file named jvm.xml under $OAG_INSTALL_HOME/apigateway/conf with the following contents. It tells OAG about OES jar files and the Security Module name. It also defines system properties used by OAG, like log4j properties file (used for dumping out SM’s authorization decisions)

<ConfigurationFragment>
<Environment name="JRE_HOME" value="/scratch/fmwapps/oag_11.1.2.2.0/apigateway/Linux.x86_64/jre" />
<!-- OES Settings -->
<Environment name="OES_CLIENT_HOME" value="/scratch/fmwapps/oes11gps2_client" />
<Environment name="SM_NAME" value="oag_sm" />
<Environment name="INSTANCE_HOME" value="$OES_CLIENT_HOME/oes_sm_instances/$SM_NAME" />
<!-- Add OES Client to classpath -->
<ClassPath name="$OES_CLIENT_HOME/modules/oracle.oes.sm_11.1.1/oes-client.jar" />
<VMArg name="-Doracle.security.jps.config=$INSTANCE_HOME/config/jps-config.xml"/>
<VMArg name="-Djava.util.logging.config.file=$JRE_HOME/lib/logging.properties"/>
</ConfigurationFragment>

6 – Restart the API Gateway process. No need to restart the OAG Node Manager.

At this point, OAG’s “OES 11g Authorization” filter can be safely invoked. The filter is natively aware of jvm.xml settings, so that no external resource is required to be configured in OAG Policy Studio.

If you’ve really followed through, at this point you might be wondering how come the filter is going to work if policies were not distributed (supposing we’re in some controlled mode). The answer is that, exceptionally, policies get distributed to the SM upon the very first usage of OAG filter. We can clearly see this if we analyze the following log snippets:

OAG log snippet upon first usage of “OES 11g Authorization” filter:

DEBUG 21/May/2014:11:28:55.369 [b9da8700] run filter [Call 'Authorize Access'] {
DEBUG 21/May/2014:11:28:55.369 [b9da8700] run circuit "Authorize Access"...
DEBUG 21/May/2014:11:28:55.369 [b9da8700] run filter [Authorize Access (OES 11g Authorization)] {
DEBUG 21/May/2014:11:28:55.369 [b9da8700] creating subject from 'jane'
DEBUG 21/May/2014:11:28:55.373 [b9da8700] checking 'GET' to resource: MyServices/restapi//resources/empSalaries
DEBUG 21/May/2014:11:28:55.373 [b9da8700] env attribute name: 'INVOKING_APPLICATION' env attribute value: 'OAG'
DEBUG 21/May/2014:11:28:55.634 [b9da8700] parsing (options value 2052) XML body from input stream of type java.io.ByteArrayInputStream. ContentSource is of type java InputStream
DATA 21/May/2014:11:28:55.637 [b9da8700] getting class com.vordel.jaxprovider.libxml.XPathExpressionImpl with classLoader.loadClass()
DATA 21/May/2014:11:28:55.638 [b9da8700] loaded class com.vordel.jaxprovider.libxml.XPathExpressionImpl
DATA 21/May/2014:11:28:55.638 [b9da8700] getting class javax.xml.xpath.XPath with classLoader.loadClass()
DATA 21/May/2014:11:28:55.638 [b9da8700] loaded class javax.xml.xpath.XPath
DATA 21/May/2014:11:28:55.638 [b9da8700] getting class javax.xml.xpath.XPathConstants with classLoader.loadClass()
DATA 21/May/2014:11:28:55.638 [b9da8700] loaded class javax.xml.xpath.XPathConstants
DATA 21/May/2014:11:28:55.638 [b9da8700] getting class javax.xml.namespace.QName with classLoader.loadClass()
DATA 21/May/2014:11:28:55.638 [b9da8700] loaded class javax.xml.namespace.QName
DATA 21/May/2014:11:28:55.639 [b9da8700] getting class javax.xml.namespace.NamespaceContext with classLoader.loadClass()
DATA 21/May/2014:11:28:55.639 [b9da8700] loaded class javax.xml.namespace.NamespaceContext
DEBUG 21/May/2014:11:28:55.656 [b9da8700] Loaded XML file /scratch/fmwapps/oes11gps2_client/oes_sm_instances/oag_sm/config/jps-config.xml
DEBUG 21/May/2014:11:28:55.656 [b9da8700] parsing (options value 2052) XML body from input stream of type java.io.FileInputStream. ContentSource is of type java InputStream
DEBUG 21/May/2014:11:28:55.656 [b9da8700] release system resources for the loaded XML
DEBUG 21/May/2014:11:28:56.216 [b9da8700] parsing (options value 2052) XML body from input stream of type sun.net.www.protocol.jar.JarURLConnection$JarURLInputStream. ContentSource is of type java InputStream
DEBUG 21/May/2014:11:28:56.253 [b9da8700] parsing (options value 2052) XML body from input stream of type sun.net.www.protocol.jar.JarURLConnection$JarURLInputStream. ContentSource is of type java InputStream
DEBUG 21/May/2014:11:28:58.742 [31663700] parsing (options value 2052) XML body from input stream of type java.io.ByteArrayInputStream. ContentSource is of type java InputStream
DEBUG 21/May/2014:11:28:58.771 [31663700] parsing (options value 2052) XML body from input stream of type java.io.ByteArrayInputStream. ContentSource is of type java InputStream
DEBUG 21/May/2014:11:28:58.775 [31663700] parsing (options value 2052) XML body from input stream of type java.io.ByteArrayInputStream. ContentSource is of type java InputStream
DEBUG 21/May/2014:11:28:58.778 [31663700] parsing (options value 2052) XML body from input stream of type java.io.ByteArrayInputStream. ContentSource is of type java InputStream
DEBUG 21/May/2014:11:28:59.071 [31663700] parsing (options value 2052) XML body from input stream of type java.io.ByteArrayInputStream. ContentSource is of type java InputStream
DEBUG 21/May/2014:11:28:59.077 [31663700] parsing (options value 2052) XML body from input stream of type java.io.ByteArrayInputStream. ContentSource is of type java InputStream
DEBUG 21/May/2014:11:28:59.988 [b9da8700] Request: {jane, GET, MyServices/restapi//resources/empSalaries}
Result: true
DEBUG 21/May/2014:11:28:59.988 [b9da8700] result from OES: true
DEBUG 21/May/2014:11:28:59.989 [b9da8700] } = 1, filter [Authorize Access (OES 11g Authorization)]
DEBUG 21/May/2014:11:28:59.989 [b9da8700] Filter [Authorize Access (OES 11g Authorization)] completes in 4620 milliseconds.
DEBUG 21/May/2014:11:28:59.989 [b9da8700] ..."Authorize Access" complete.
DEBUG 21/May/2014:11:28:59.989 [b9da8700] } = 1, filter [Call 'Authorize Access']
DEBUG 21/May/2014:11:28:59.989 [b9da8700] Filter [Call 'Authorize Access'] completes in 2620 milliseconds.

See last line for how long it took. This is because the SM had to be registered into OES and policies distributed. Look at what happens in OES:

[2014-05-21T11:28:57.664-07:00] [AdminServer] [TRACE] [] [oracle.jps.policymgmt] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 6af0f0aa917fd32e:-4e07427f:1461efea049:-8000-00000000000004ac,0] [APP: oracle.oes.admin.pd.ssl#11.1.1.3.0] [SRC_CLASS: oracle.security.jps.internal.policystore.entitymanager.impl.PDPRegistrationManagerImpl] [SRC_METHOD: registerPDP] registerPDP: PDPInfoEntry: {address=https://slc05ylp.us.oracle.com:16933/pd/PDClient, configurationID=oag_sm, instanceName=oagB_sm_slc03rfc.us.oracle.com__scratch_fmwapps_oes11gps2_client_oes_sm_instances_oagB_sm_config_jps-config_xml, isFusionApp=false, isTransactionalMode=false, appVersions={}}
[2014-05-21T11:28:57.665-07:00] [AdminServer] [TRACE] [] [oracle.jps.policymgmt] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 6af0f0aa917fd32e:-4e07427f:1461efea049:-8000-00000000000004ac,0] [APP: oracle.oes.admin.pd.ssl#11.1.1.3.0] [SRC_CLASS: oracle.security.jps.internal.policystore.rdbms.DBStoreManager] [SRC_METHOD: getDataManagerInternal] JpsDataManager ThreadLocal: current='null', new='oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager@49fb3c8'
[2014-05-21T11:28:57.666-07:00] [AdminServer] [TRACE] [] [oracle.jps.policymgmt] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 6af0f0aa917fd32e:-4e07427f:1461efea049:-8000-00000000000004ac,0] [APP: oracle.oes.admin.pd.ssl#11.1.1.3.0] [SRC_CLASS: oracle.security.jps.internal.policystore.entitymanager.impl.PDPRegistrationManagerImpl] [SRC_METHOD: registerPDP] PDP registration: create a new PDPInfo.
[2014-05-21T11:28:57.666-07:00] [AdminServer] [TRACE] [] [oracle.jps.policymgmt] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 6af0f0aa917fd32e:-4e07427f:1461efea049:-8000-00000000000004ac,0] [APP: oracle.oes.admin.pd.ssl#11.1.1.3.0] [SRC_CLASS: oracle.security.jps.internal.policystore.ldap.JpsLdapAttributeMapper] [SRC_METHOD: prepEntryForPersist] entryType PDP_INFO, contextID cn=oes_domain,cn=JPSContext,cn=jpsroot, Updated Attributes: {orcloespdpstarttime=orclOESPDPStartTime: Wed May 21 11:28:57.666 PDT 2014, orcloespdpaddress=orclOESPDPAddress: https://slc05ylp.us.oracle.com:16933/pd/PDClient, orcloespdpheartbeattime=orclOESPDPHeartBeatTime: Wed May 21 11:28:57.666 PDT 2014, orcloespdpconfigurationid=orclOESPDPConfigurationID: oagB_sm, objectclass=objectclass: top, orclOESPDPInfo, orcloespdpstatus=orclOESPDPStatus: registered, orcloespdpinstancename=orclOESPDPInstanceName: oagB_sm_slc03rfc.us.oracle.com__scratch_fmwapps_oes11gps2_client_oes_sm_instances_oagB_sm_config_jps-config_xml, cn=cn: https://slc05ylp.us.oracle.com:16933/pd/PDClient}

Once policies are distributed, notice a folder named “work” appears under $OES_CLIENT_HOME/oes_sm_instances/$SM_NAME/config. That’s where the SM keeps local policies. That folder is updated every time a successful distribution occurs.

“OES 11g Authorization” filter will finish way much faster in subsequent executions, like:

DEBUG 21/May/2014:11:47:56.791 [ba3ae700] run filter [Call 'Authorize Access'] {
DEBUG 21/May/2014:11:47:56.791 [ba3ae700] run circuit "Authorize Access"...
DEBUG 21/May/2014:11:47:56.791 [ba3ae700] run filter [Authorize Access (OES 11g Authorization)] {
DEBUG 21/May/2014:11:47:56.791 [ba3ae700] creating subject from 'jane'
DEBUG 21/May/2014:11:47:56.791 [ba3ae700] checking 'GET' to resource: MyServices/restapi//resources/empSalaries
DEBUG 21/May/2014:11:47:56.792 [ba3ae700] env attribute name: 'INVOKING_APPLICATION' env attribute value: 'OAG'
DEBUG 21/May/2014:11:47:56.811 [ba3ae700] Request: {jane, GET, MyServices/restapi//resources/empSalaries}
Result: true
DEBUG 21/May/2014:11:47:56.811 [ba3ae700] result from OES: true
DEBUG 21/May/2014:11:47:56.811 [ba3ae700] } = 1, filter [Authorize Access (OES 11g Authorization)]
DEBUG 21/May/2014:11:47:56.811 [ba3ae700] Filter [Authorize Access (OES 11g Authorization)] completes in 20 milliseconds.
DEBUG 21/May/2014:11:47:56.811 [ba3ae700] ..."Authorize Access" complete.
DEBUG 21/May/2014:11:47:56.811 [ba3ae700] } = 1, filter [Call 'Authorize Access']
DEBUG 21/May/2014:11:47:56.811 [ba3ae700] Filter [Call 'Authorize Access'] completes in 11 milliseconds.

Debugging OES SM in OAG

If you ever want to debug OES authorization decisions in OAG, refer back to jvm.xml.  There you find the entry

<VMArg name=”-Djava.util.logging.config.file=$JRE_HOME/lib/logging.properties”/>

Specify the following properties in logging.properties. You’re basically configuring a FileHandler to log FINEST level messages about OES authorization decisions to a file named java?.log in the user’s home directory.

handlers= java.util.logging.FileHandler
.level=INFO
# default file output is in user's home directory.
java.util.logging.FileHandler.pattern = %h/java%u.log
java.util.logging.FileHandler.limit = 50000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter
# OES logging
oracle.jps.authorization.level=FINEST
oracle.jps.openaz.level=FINEST

As a result, a typical debug output message is like:

FINE: ========== Start Of Policy Evaluation Info ==========
Application: MyServices
Requested Resource Type: restapi
Requested Resource: resources/empSalaries
Requested Resource Present: false
Requested Action: GET
Request Subject Principals:
class weblogic.security.principal.WLSUserImpl:jane
Effective Roles Granted: [authenticated-role, Managers]
Role-Mapping Policies: NONE
Static Role Grants: NONE
Denied Static Role Grants: NONE
Authorization Policies:
1.Policy Name: permit_EmpSalaries
Matched Policy Principals:
class oracle.security.jps.service.policystore.ApplicationRole:Managers
Policy Principals Semantics: OR
Matched Policy Resource-Actions:
Resource = /resources/empSalaries, Action = GET
Policy Obligations: NONE
Policy Evaluation Result: GRANT
Policy Rules:
Rule Name: GetCarModelsPOLICY_RULE
Rule Effect: GRANT
Rule Condition: STRING_IS(INVOKING_APPLICATION,OAG)
Evaluated Rule Attributes and Functions:
INVOKING_APPLICATION(Dynamic, String) = OAG
Rule Evaluation Result: GRANT
========== End Of Policy Evaluation Info ==========

Wrapping Up…

As we can see, OAG and OES are a powerful combination when protecting web APIs. In this post we showed what to expect from this integration, how to configure policies on both sides, how to install OES SM in OAG and how to debug authorization decisions. Hopefully this is useful for some of you out there.

See you next time!

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Introduction

In this post, we look at a simple way to configure a chained LDAP authentication scheme in OAM 11g R2. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

The problem we are trying to solve

Consider a situation where the users that need to be authenticated by Oracle Access Manager do not all reside within the same LDAP directory. This is a fairly common situation which can arise as a result of mergers and acquisitions, or even of IT consolidation between different departments or business units within a single organisation. While it may well be desirable to consolidate all user records into a single LDAP structure over time, often the immediate needs of the business are such that this simply wouldn’t be feasible in the short term, particularly if there are challenges in terms of data consistency, format, password storage and so on that would need to be overcome as part of a migration project.

While it is possible (and quite common) to address requirements of this nature using Oracle Virtual Directory – in short, inserting OVD in between OAM and the physical LDAP repositories in order to construct a single virtual tree – one can also use OAM’s pre-built authentication plugins to accomplish essentially the same thing, in a simpler way.

The solution described below has been built and tested against OAM 11g R2 PS2 (11.1.2.2). I cannot guarantee that it will work against older versions.

Creating a Chained LDAP Authentication Module

The first step here is to ensure that all directories containing user information are correctly configured as User Identity Stores within OAM. To demonstrate the concept, I installed two separate Oracle Unified Directory instances on my test server and added both as Identity Stores using the OAM console – the below screenshot shows OUDStore and OUDStore2, which refer to distinct directory instances as can be seen from the differing port numbers:

We then configure a custom Authentication Module, which will attempt to match the provided user ID against each of the directories in turn. In this simple example, the module will first do a lookup against the first directory (OUDStore). If that lookup succeeds, it will attempt authentication against OUDStore using the provided password. Should the intitial lookup fail, it will attempt the lookup against the second directory (OUDStore2). Again, should that lookup succeed, it will attempt authentication against OUDStore2 using the provided password. Should both lookups (or either password authentication step) fail, then the entire authentication attempt will fail.

We configure the module by including two instances of both the UserIdentificationPlugin and the UserAuthenticationPlugin. Both are standard OAM plugins that ship with the product.

The screenshots below demonstrate the configuration of our ChainedLDAP custom Authentication Module:

This next screenshot shows the orchestration flow through the various steps:

Note that “OUD1ID” (User Identification against OUD 1) is the first step. On failure of this step, we execute “OUD2ID” (User Identification against OUD 2). Note also that successful completion of either of the two User Authentication steps will result in a successful result for the orchestration as a whole.

The only remaining step is to build and Authentication Scheme that uses this new module. That can be done by cloning the standard “LDAPScheme” and changing the Authentication Module, as below:

When we assign the above Authentication Scheme to a resource within an Application Domain, we see that we can successfully authenticate using credentials from either of the OUD instances.

What about Authorization?

Extending the use case a little, we can build authorization conditions that make sense in this case by specifying group membership rules across both directories. In the screenshots below, as an illustration, I’ve included separate group membership conditions for each OUD instance, with an OR rule to ensure that either will allow access.

Some practical considerations and limitations

As with all approaches described on this site, this one is not a silver bullet. While it offers a simple way to allow OAM to authenticate users against more than one directory, it has a number of limitations, of which the below are just a few:

• Collision of user names is not handled well. In the case where the same user ID existed in both directories, only the first would be checked. It is, of course, not possible for a single login process to handle the case where ore than one distinct user has the same user ID in any case, but it is important to be aware of this limitations regardless.
• It is unlikely that this approach will scale particularly well beyond a handful of directories. You certainly wouldn’t want to check a user name against each of a large number of directories in sequence, for performance reasons.
• The complexities of defining meaningful authorization policies based on group memberships across multiple directories shouldn’t be underestimated. This approach is probably best used in situations where authorization requirements are not stringent (such as allowing all users within all directories to access resources)

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Introduction

Oracle provides documentation on developing an Access Client for the OAM 11g ASDK http://docs.oracle.com/cd/E40329_01/dev.1112/e27134/as_api.htm#autoId0, but getting it to work can be challenging when running the Access Servers in Simple or Cert Mode.  In this article I will not explain how to create an Access Client, there are already good examples out there for that.  What I want to cover is the correct structure of the Access Client configuration including all the required files and code snippets to hopefully save you a lot of time.

What is an Access Client?

An Access Client is basically a way to developed a custom WebGate using the OAM Access Server SDK — AKA ASDK.  The SDK and API can be used to develop anything from your own custom authentication web service, a way to validate a Users token, to a simple mechanism to enhance a User’s login with additional session information.

At the time of this article the latest ASDK 11.1.2.2.0 can be downloaded by going to
http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html. The newer ASDK is backward compatible with 10g, but also provides many new features:
* Enumerating sessions for the given user
* Terminating the given session
* Setting attributes in the given user session
* Retrieving attributes set in the given session
* ++ Validating user credentials without establishing a session
* ++ Validating user credentials without establishing a session and performing authorization in the same request
————————————————————————————————————————————————–
++ The last two functions are also provided with the com.oblix.access package in the Access Manager 11g Access SDK. Additionally, the Access SDK provides a modified implementation of the user logout functionality for removing the server side session. This functionality is not supported with 10g OAM Server.

Step 1 ) Creating the Configuration Structure

The latest 11.1.2.2.0 OAM Development Guide provides a section 2.52. Configuration Requirements http://docs.oracle.com/cd/E40329_01/dev.1112/e27134/as_api.htm#autoId26, which provides plenty of information on various configuration requirements, but it lacks information on how to properly structure the configuration directories and where each required file related to OAP communication should come from. Knowing this information is key to getting an Access Client to work in SIMPLE or CERT mode, and even parts of it is required just to get it to work in OPEN mode. Below illustrates the directory structure of where the configuration files are stored, which files go where, and what exactly is needed for either OPEN, SIMPLE, or CERT modes. Start by creating this directory structure in your Java project along with copying or importing the appropriate files into your project as follows. See Table 1 to learn where to get all the required files found in the Access Client Configuration structure.

Access Client Configuration Certificate Structure -

config/
|
|– cwallet.sso (Get from WebGate – **)
|– jps-config.xml (Get from ASDK Sample – **)
|
`– oblix/
|
|– config/
|   |– password.xml (Get from WebGate – **)
|   |
|   `– simple/
|       |– oamclient-keystore.jks (Get from OAM Domain – **)
|       `– oamclient-truststore.jks (Get from OAM Domain – **)
`– lib/
     `– ObAccessClient.xml (Get from WebGate – *)

 Important Information -
*  - Required for All modes
** - Required for 11g Simple or Cert Mode
NOTE: If using Cert Mode then aaa_cert.pem and aaa_key.pem would be replaced by a third party CA 
(Certificate Authority) generated certificate along with importing the CA certificate into the 
OAM trust store.

As a side note If you need to switch your Access Servers from OPEN to SIMPLE mode, the following link provides the basic steps
http://docs.oracle.com/cd/E40329_01/admin.1112/e27239/keytool.htm#AIAAG5632.

Step 2) Setting the credstore location in the jps.config.xml

In OAM 11g the jps-config.xml file is used for a variety of things, but for the 11g ASDK it is used to let the ASDK know where the configuration structure is located. The jps-config.xml file is found within the OAM 11g ASDK download file. In the previous config structure you can see that the jps-config.xml file is under the root folder, in this case “config”. Since all the required files are below this the location parameter only needs to be set to the current directory. So below you can see location=”.” for current directory. This should already be default as “.”, if so no changes are required.

<!– Specify agent key wallet location relative to this jps-config.xml location –>
<serviceInstance name=”credstore” provider=”credstoressp” location=”.”>
     <description>File Based Credential Store Service Instance</description>
</serviceInstance>

Now we can set a variable that references the cred store following snippet line of code and should be placed toward the top of the Access Client where all the variables are defined. I used “./config” because in my example the top directory path for the certificate files is “config”, and as long as the compiled Java Access Client is placed in the path of ./config it will find all the right files as long as the lower part of the tree is structured as mentioned earlier.

// Declaring variables
public static final String m_configLocation = “./config”;

Step 3) Creating the Access Client Instance

Now that the structure is created in your project, the correct files are imported, the jps-config.xml is correctly set, and a static string has been defined to reference the configuration location, we can now create the Access Client instance.

Just below the main area of the Access Code an instance of the Access Client is normally created.  You will need to include the public static variable from earlier as a parameter.  The following code snippet is an example has the m_configuration variable, which is of course the variable pointing to the configuration. Using m_configuration without additional parameters tells the ASDK to default to a 11g Access Client which requires a 11g WebGate profile. This is in contrast to using ac = AccessClient.createDefaultInstance(m_configLocation, AccessClient.CompatibilityMode.OAM_10G); which would only be used if using a WebGate 10g profile. In our case we are better off using 11g. Another option is to us ac = AccessClient.createDefaultInstance(m_configLocation, AccessClient.CompatibilityMode.OAM_11G), but leaving it to just plain m_configLocation is fine and what is recommended.

// Creating an Access Client instance
ac = AccessClient.createDefaultInstance(m_configLocation);

Now build your code to see if it works.

Reference Table of Configuration Files with Explanations

To further help I am providing a table that includes all the important files used within the config directory along with explanations on the purpose behind these configuration files. For additional information on the files you can also see section 2.5.2 Configuration Requirements documentation http://docs.oracle.com/cd/E40329_01/dev.1112/e27134/as_api.htm#autoId26. The table also provides locations on where to get all the required files, which you would then place into the config structure that was described earlier.

Tips on Validating the TrustStore and PEM Certificate

There may be times where you get complaints about the certs or keys, but hopefully if you take the following steps it will work out the first time.

1) Configure SIMPLE mode if not already done using http://docs.oracle.com/cd/E40329_01/admin.1112/e27239/keytool.htm#AIAAG5632 that was already mentioned earlier.

2) Register the 11g WebGate in SIMPLE mode from the OAM Console and get the following files from $ORACLE_HOME/user_projects/domains/<oam_domain>/output/<RREG_WEBGATE> to the respective config location.
• cwallet.sso
• ObAccessClient.xml

3) Copy the following files from $ORACLE_HOME/user_projects/domains/<oam_domain>/output/webgate-ssl to the respective config location.
• oamclient-truststore.jks
• oamclient-keystore.jks
• aaa_cert.pem
• aaa_key.pem
• password.xml

4) Get the jps-config.xml file from the ASDK download http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html and copy it to the respective config location.  Leaving the default config location in the jps-config.xml file should be fine unless you find a reason to change it.

5) For CERT mode the only changes would be following section 2.5.4.2 Cert Transport Security Mode http://docs.oracle.com/cd/E40329_01/dev.1112/e27134/as_api.htm#autoId30 and making sure you import the third party CA certificate into the oamclient-truststore.jks file.

If you still find errors relating to the certs, you can validate your truststore and cert using some common tools. For the oamclient-truststore.jks file run the keytool command as follows.

keytool –list –keystore oamclient-truststore.jks –v

You will get a prompt for a password, but you can just press enter to continue which should present you with something similar to this. Pay attention to the Owner and Issuer. This is the built in OAM CA and should also be present in the WebGate aaa_cert.pem file.

***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: oam.simple.ca
Creation date: Jul 7, 2014
Entry type: trustedCertEntry
Owner: CN=NetPoint Simple Security CA - Not for General Use, OU=NetPoint, O="Oblix, Inc.", L=Cupertino, ST=California, C=US
Issuer: CN=NetPoint Simple Security CA - Not for General Use, OU=NetPoint, O="Oblix, Inc.", L=Cupertino, ST=California, C=US
Serial number: 0
Valid from: Wed Apr 01 07:57:22 CDT 2009 until: Thu Mar 28 07:57:22 CDT 2024
Certificate fingerprints:
      MD5: 05:F4:8C:84:85:37:DB:E3:66:87:EF:39:E0:E6:B2:3F
      SHA1: 97:B0:F8:19:7D:0E:22:6B:40:2A:73:73:1B:27:B2:7B:8D:64:82:21
      Signature algorithm name: MD5withRSA
      Version: 1
*******************************************
*******************************************

If you run the keytool command and get the following error “keytool error: gnu.javax.crypto.keyring.MalformedKeyringException: incorrect magic”, that means the keytool being used is probably incorrect.  Use the keytool found in the JAVA home under $JAVA_HOME/bin directory.

Just in case you are using the aaa_cert.pem file you can use OpenSSL to list the certificate chain to make sure the CA matches the truststore. Run the following command openssl command; OpenSSL should be part of Linux.

openssl –x509 aaa_cert.pem –text

 If openssl command is not found you can use the openssl that is included in the WebGate or AccessServerSDK install under the <Install Path>/oblix/tools/openssl directory.

You should see the beginning of the output that similar to below.  The CA should be found in the Issuer, but in a reverse order of what you saw from the oamclient-truststore.jks output.   If this is CERT mode then you would verify that the CA matches the third party certificate that was imported into the oamclient-truststore.jks file.

Certificate:
  Data:
     Version: 1 (0x0)
     Serial Number: 10 (0xa)
     Signature Algorithm: md5WithRSAEncryption
     Issuer: C=US, ST=California, L=Cupertino, O=Oblix, Inc., OU=NetPoint, CN=NetPoint Simple Security    CA - Not for General Use
     Validity
        Not Before: Jul 7 23:27:28 2014 GMT
        Not After : Jul 4 23:27:28 2024 GMT
     Subject: CN=oam.simple.cert
     Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
           Modulus (1024 bit):
           00:b6:61:b1:d6:1e:50:98:1e:03:05:b5:9f:2d:61:
           a8:ce:a0:c2:02:04:bd:ec:fe:2a:be:29:1d:98:74:
           38:49:79:1a:51:69:c5:8b:6e:15:32:a4:a9:5e:3a:

Summary

Though this article does not provide all the information in creating an Access Client, nor could it, it should still provide some key information that is missing in the official Oracle Developer’s Guide for OAM that can certainly save you a lot of frustration in getting an Access Client to work especially when running in SIMPLE or CERT mode. Using what has been covered along with the existing documentation and the basic sample Access Client found in section 2.2.3 Sample Code: Simple Access Client http://docs.oracle.com/cd/E40329_01/dev.1112/e27134/as_api.htm#autoId10 should help get you up and running in no time. Good luck!

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

INTRODUCTION

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Logging is extremely helpful when trying to troubleshoot issues and normally when you see instructions to log in OAM 11g there is documentation on using WLST commands with several steps or Enterprise Manager that can be used to set various log levels, but in both cases this can be a bit tedious.  Wouldn’t it be great if you could just update some file like in the old OAM 10g days using the oblog_config.xml or something similar; see  http://docs.oracle.com/cd/E12530_01/oam.1014/b32419/log.htm.  Well I am going to give you a little known trick that can provide you this very thing.  Welcome to updating the logging.xml file and it does this in real time without any restarts needed to add or remove logging!!  Read on….

How to Configure Logging using a simple XML file.

There is a little known secret where you can update the logging.xml file.  The following steps will show you how to add logging that is persistent even if you restart the managed server.  NOTE: Now in 11.1.2.2.0 or later in Enterprise Manager there is an option to make logging persistent by using a check box.

2. 1. Go to $IAM_DOMAIN/config/fmwconfig/servers/<ServerName>/; where <ServerName> is the server name to change logging like oam_server1.
3.  

4. 2. Make a backup of logging.xml
5.  

6. 3. Edit logging.xml
7.  

8. 4. Search  for “loggers”, you should find the first line below <logger name=” level=’WARNING:1′>.
9.  

10. 5. You can add one or more lines as needed above <logger name=” level=’WARNING:1′> as follows; below are a couple examples showing two loggers.
    <logger name=’oracle.oam.user.identity.provider’ level=’TRACE:16’/>
    <logger name=’oracle.ods.virtualization’ level=’TRACE:16’/>
11.  

12. 6. NO RESTART — Once you save the change logging should start after a few seconds.
13.  

14. 7. Follow this link to learn more details on various modules you can use in the logging.xml file http://docs.oracle.com/cd/E40329_01/admin.1112/e27239/logging.htm#CHDIBAHF.
15.  

17. 8. To stop the logging simply remove the lines that were added from the logging.xml and save, or revert the logging.xml backup file.
18.  

The key is adding the proper module to the name=’<MODULE>‘ value and the logging level=’<LEVEL>‘ for the logging level where <MODULE> is something like oracle.ods.virtualization and <LEVEL> is the logging level like TRACE:16; note TRACE:32 may also been required to get more fine grain detail depending on the problem you are troubleshooting.  Be careful when updating the logging.xml file for formatting and using the correct loggers.  To be safe use the examples I give as a template along with finding the right module to log.  If you do not feel comfortable doing this I would highly recommend using Enterprise Manager because there is no room for error.

Summary

This trick may not be for everyone.  For example in a production environment there may be security lock downs for good reason to prevent updating or even accessing certain files, so Enterprise Manager still may be the best choice.  However for those that may be working in a non-production environment that have access to this configuration file, this trick may be your very best friend.  Happy logging!!

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Introduction

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

The Detached Credential Collector (DCC) feature was introduced with the release of OAM 11gR2 — 11.1.2.0.0.   DCC brought some very interesting changes in the authentication model that in my opinion are very welcome; more on that later.  There is already Oracle documentation out there on this feature, along with an A-Team blog article Debasish Bhattacharya created (Detached Credential Collector Configuration – OAM 11GR2) , which adds some more insight on configuring DCC.  This blog is to enlighten everyone with some more information on what is going on with DCC, both for login and logout.  Then in Part 2 – Custom Login and Logout with Detached Credential Collector, I want to clear up some confusion on how many may think using DCC can only be done with the Oracle supplied login.pl and logout.pl Perl scripts; that is far from the truth.   So let’s dig in and expose some of the mysteries of the Detached Credential Collector.

 Main Article

About DCC (Detached Credential Collector)

As I mentioned in the introduction, Detached Credential Collector is a capability that came with the release of OAM 11gR2 (11.1.2.0.0), and note this is for 11g WebGates only.  If you login to the OAM Console and look at an 11g WebGate profile you will see the checkbox option “Allow Credential Collector Operations”.  See the graphic below that highlights the option.  This checkbox is the only difference that makes a DCC WebGate what it is from a configuration standpoint.

The term Detached Credential Collector (AKA Authenticating WebGate), relates more to the way credentials are collected when submitting the login.  For example with DCC the login credentials are collected at the DCC WebGate versus ECC (Embedded Credential Collector) where the credentials are collected directly by the OAM Server.  This is a key difference between DCC and ECC, which greatly changes the authentication model.

How the DCC and ECC Authentication Model differ?

The Oracle documentation Administrator’s Guide for Oracle Access Management
11g Release 2 (11.1.2) in section 16.5.2 Comparing Embedded Credential Collector with Detached Credential Collector has a very nice table comparing DCC to ECC.  If you compare each row side by side you will find that DCC compares pretty much the same as ECC, but one big difference is the method of where the credentials are collected, as I mentioned earlier.  I like to use illustrations to explain something because I think it helps make a complicated subject easier to understand.  Just keep in mind the diagram is very simplified, so there are certainly other request and response trips between the WebGates and OAM Servers, but I really wanted to keep it high level to capture the essence of DCC vs ECC authentication model.

The diagram above is trying to illustrate at a high level the differences between the DCC and ECC authentication model.  The DCC flow is in blue and you can see in sequence 2 the User submits their login credentials directly to the DCC WebGate.  In the ECC model the User submits the credentials to the OAM Server, which is located in the mid tier — very interesting.

So the big “Ah Ha” moment here is that the DCC model completely separates the client from the OAM Servers in the Mid Tier, a model which many consider to be more secure!    Particularly for internet-facing deployments of OAM, where the ECC-model requirement to allow HTTP access to the OAM server (for credential submission) can present challenges in terms of ensuring adequate security.

There are, of course, ways to mitigate security concerns in the ECC model such as a firewall and or a load balancer to setup rules to prevent any malicious traffic being sent directly to the OAM Servers.  This is security 101 that should be incorporated into a good architecture anyway; doing it for the OAM Servers using ECC should be done by default.  In addition, OAM already has built in features to help mitigate things like buffer overflows and such, so don’t be too alarmed.

That said, you can see how much simpler security could be using the DCC model.  DCC makes security a little less complicated by separating the WebGates in the Web Tier from the OAM Servers all together.  In a way the DCC model is similar to the old OAM 10g model where your login credentials are submitted directly to the WebGate, and the WebGate communicates back to the OAM Servers over OAP which mitigates any chance that a rogue user will send direct requests to the OAM Servers in the mid tier.  So DCC is something to really consider.  In my opinion this is a very welcome feature of DCC.

Let’s look at some HTTP Traces

I like to start by capturing some HTTP traces to see what is going on, so let’s dive down a couple layers and see what is going on.  Before I do, I first want to point out that for the DCC HTTP Traces I am presenting I used the out of the box login.pl and logout.pl scripts.  However I want to let you know that it is completely possible – and perhaps even advisable – to replace these scripts with custom functionality.  So for illustration and to build on Debasish Bhattacharya’s Detached Credential Collector Configuration – OAM 11GR2  blog I wanted to start by keeping things simple; in Part 2 I will expand in more detail on how to create a custom login and logout which does not use the Perl scripts and includes very important information needed to make it all work perfectly.

Below is a sequence diagram that shows a flow of a user logging into the Acme Portal, but also requesting a second completely different domain (Globex Portal) where the user is not challenged again because of SSO, and finally the logout of all domains.   I will try to keep this interesting, but then in Part 2 I will go further to show all the details for a custom login and logout.

SEQ 1 – Initial HTTP Request

Sequence 1 shows that the initial request is to http://acme.melander.us/.  This sequence is pretty normal and looks exactly the same for ECC.  Below you can see the GET to acme.melander.us, but in sequence 2 things change a bit and start to differ between DCC and ECC.

GET / HTTP/1.1
Host: acme.melander.us
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

SEQ 2 – Redirect to DCC Login Response

In sequence 2 the Resource WebGate realizes the browser does not have an OAMAuthnCookie SSO token so then tells it to do a HTTP 302 and redirects it to the DCC WebGate web server.  In the HTTP trace below it shows a HTTP 302 along with the obrareq.cgi, which is really no different than what is seen in an ECC HTTP Trace.

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 595
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 12 Sep 2014 12:03:59 GMT
Keep-Alive: timeout=5, max=100
Location: http://sso.melander.us/obrareq.cgi?encquery%3DShtPLKTcR3ddwuuVUNKCo8d1wy5tSOb7qqKXkir9P40L6lyHvskOs%2FzhPfjjuTJ2f43Dj7tU2NDKk27tII2zKcEznG%2FiojLgapQxWTrH5yxVNo9Dusv6sHSQdkHasWnyX6W5TAeoS7Hvp6ViajGsusRxEClG%2BuDJWEmPz%2BkUYwDHcdFFXFcy98QlU37r6EL3NS0IAPqSY%2FUVaFRdpflMLO2YTjbLKFmHN2KbanzgMfLiG716VxGMEXTFNJsMdkdyrle%2BF1Q155cDfRVQKk4qCg%3D%3D%20agentid%3DACME%20ver%3D1%20crmethod%3D2
Server: Oracle-Application-Server-11g
Set-Cookie: OAMAuthnHintCookie=0@1410523439; httponly; path=/; domain=.melander.us
Set-Cookie: OAMRequestContext_acme.melander.us:80_696f34=io4lVtGlkrIosz2NHpKjEA==;max-age=300; httponly; path=/

The main reason for the redirect to the DCC WebGate is because the authentication scheme is configured for DCC.  Refer to the graphic below that shows side-by-side screenshots of a DCC authentication scheme (On the Left), and an ECC Authentication Scheme (Default LDAPScheme On the Right).  Notice the differences between the Challenge Redirect URL and Challenge URL?  In the DCC Authentication scheme the Challenge Redirect URL points to the hostname where the DCC WebGate is located which could also be a Virtual hostname for a Load Balancer.  The Challenge URL for the DCCAuthnScheme points to the location of the out-of-the-box login.pl.

SEQ 3 – Set DCCCtxCookie and redirect to login page

In sequence 3 this is where things get a little more interesting.  In the HTTP trace a new type of cookie is created, this is the DCCCtxCookie cookie.  In my trace the DCCCtxCookie is set for the sso.melander.us domain; the DCC WebGate host configured in the DCC Authentication Scheme.   The DCC WebGate looks for a DCCCtxCookie and if not present will generate one.  The DCCCtxCookie is basically used by the DCC WebGate to save context information during authentication.   More details on this cookie can be found in section 15.6.2.5 DCCCtxCookie of the OAM Administration Guide 11gR2 release.   Something else that shows up in the HTTP trace is a resource_url query string parameter that contains the last requested URL. This lets the DCC WebGate know where to redirect the browser after successful authentication.

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 277
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 12 Sep 2014 12:03:18 GMT
Keep-Alive: timeout=5, max=100
Location: /oamsso-bin/login.pl?resource_url=http%3A%2F%2Facme.melander.us%2F
Server: Oracle-Application-Server-11g
Set-Cookie: DCCCtxCookie_sso.melander.us:80=encdata%3DEKHXNSVKumgJQBImv1RLbxh8kT8E23bIKJeEmH87GvOrWLXD6YLv8adLGuGA%2FymjsB03bbu45t3%2FBJl17Xc5nBAHAsGt%2BoFbzTwwNRXvMI2TyAiKYFPI3gDXKjeA9SabxjC2UpDJe0DQ6yD0xwaezuoDZiLUbrMKe6B0otlfjvayuxK0yqDReA8F3pE6nNElH2Ln31hKt1W2dHKI%2BPzEJW8bdcYzCNLZ%2BPxGBTj%2FdN6E8uV32Yp8C%2BZemDusLFpFt6RhQdQheZUFRTyvYKPsralO3UGmFPW9T7r5Weo3nxU%3D; httponly; path=/oam/server/auth_cred_submit

SEQ 4 – Submit Credentials

This sequence is where the login page submits the username and password.  There are some very important points to know here.

1. 1) In this example my authentication scheme is very simple; I only require a username and password.  In the POST you would see the username and password input fields along with the actual values.  Normally using ECC you would also post the OAM_REQ or request_id.  However if the DCC Authentication Scheme was setup to do multi step authentication, the OAM_REQ would actually show up and it would also be required at the time of posting the credentails.
2. 2) Notice that the credentials are directly posted at the DCC WebGate host? This is quite different than ECC where the post is sent directly to the OAM Servers. The DCC WebGate becomes the credential collector; hence the name Detached Credential Collector. Also notice that the URI that is posted is /oam/server/auth_cred_submit, which is the same as ECC – the major difference is that this URI is served to the DCC WebGate, rather than the OAM Server.

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: Keep-Alive
Content-Language: en
Content-Type: text/html; charset=UTF-8
Date: Fri, 12 Sep 2014 12:03:18 GMT
Expires: 0
Generated-By: login.pl
Keep-Alive: timeout=5, max=99
Pragma: no-cache
Server: Oracle-Application-Server-11g
Transfer-Encoding: chunked

POST /oam/server/auth_cred_submit HTTP/1.1
Host: sso.melander.us
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Content-Type: application/x-www-form-urlencoded
Cookie: DCCCtxCookie_sso.melander.us:80=encdata%3DEKHXNSVKumgJQBImv1RLbxh8kT8E23bIKJeEmH87GvOrWLXD6YLv8adLGuGA%2FymjsB03bbu45t3%2FBJl17Xc5nBAHAsGt%2BoFbzTwwNRXvMI2TyAiKYFPI3gDXKjeA9SabxjC2UpDJe0DQ6yD0xwaezuoDZiLUbrMKe6B0otlfjvayuxK0yqDReA8F3pE6nNElH2Ln31hKt1W2dHKI%2BPzEJW8bdcYzCNLZ%2BPxGBTj%2FdN6E8uV32Yp8C%2BZemDusLFpFt6RhQdQheZUFRTyvYKPsralO3UGmFPW9T7r5Weo3nxU%3D; OAMAuthnHintCookie=0@1410523439
Origin: http://sso.melander.us

SEQ 5 & 6 – OAM Server evaluates the Credentials

In these two sequences the DCC WebGate sends the credentials to the OAM Server over OAP on port 5575 and you can see in the following OAM diagnostic trace log the authentication is successful.  The success is sent back to the DCC WebGate so it can continue to finish setting the next cookie and redirecting the browser back to its original requested URL.

[2014-09-12T12:04:00.488-04:00] [oam_server1] [TRACE] [OAMSSA-20097] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 4228756130348ab3:7de41016:1487a914541:-8000-0000000000003cd0,0] [APP: oam_server#11.1.2.0.0] [SRC_CLASS: oracle.security.am.engines.common.identity.provider.impl.ids.IDSUserProviderImpl] [SRC_METHOD: authenticateUserByName] User abarnes in idstore OUDIdStore authenticated successfully

 SEQ 7 – Now Redirect back and include the Session Token

In this sequence the DCC WebGate sends a HTTP 302 back to the originally requested URL, http://acme.melander.us, but also notice it includes the obrar.cgi?encreply= value.  The obrar.cgi contains the encrypted session token which we will need when we get back to the acme.melander.us Resource WebGate.

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 1194
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 12 Sep 2014 12:03:21 GMT
Keep-Alive: timeout=5, max=98
Location: http://acme.melander.us/obrar.cgi?encreply=n8OSU11hQvFoB44j/eb8hUbwsopUla62fbjmZtMP8J+fSQTJsyOLfHZnSjul4Z+kj08e5xiYARwuk4RwtIW7Hbj5/SgeUoPo62EtEiKLgmE76OQUFo3hRzSdhwG0w/fEAvLOSSjMrn7CB/hIIips27FksoQTbIrtt1aQ54mFsXRrViQSleRlQcVhHFCMo5nDhljHEH/IYVkaXzFEB8PwkoosKs7G7doqSlFgubxAYYID+6ZfxyLYpzWbNsRLBgMWqMe6pKnDQ2Bq1jPHdy1F6Ye8gMdfSzKHKVfeY2Y9RnBmV+jEeAS2yDevuIOP3/18jTAcfHYtS7rZvaZApFb3AYrwWNGeL1aY7SxLvEZWK7kdIZfqifwxjWZHHp9PMIQ2KfmR5ij9ovi8W+k72TN9uJDLZV/iWvJHiRKR84HMGjjj/QwNkgygtxslILimy8Qqfcpt5lECT3nbdTTsF82hzZnxCvCA1cP3SaVHjR8dQCiS4np1rr//bxgyAwX7gxnLJt7OBB9QbUcasfOoH1uIp5zcPYamTyIrqX64YEzXtGk2eIJl6KWbeV7xsWbs31U4B09HawJa420hveUO0wKdEmTKMZIYBggsRHN7rVyovIUf6fp/rat8n2rqsdb5nlLAAEI7GxfXi0G206iEK+7vZ1inioY9YPLa+TocaGJe7/fgDGkk3Wsxj6cidIAyRVLi5Dy2OdZ6tSKfpaH6Y7iJptFKrdkoRGoeELYOANIzSRyW/wi+9C/DIvwypgnHfuv5/BpPAEnm2jHBwkS4ZPQFNw00t2H4nxv1x115j6ToDa0PJaqwsUwOFUE4GCyGshD/42BlqF3Ycnbsgeie5VJ2xNCMg+p2h3gwD9tExJCa1jNo3dn7h2yAKLTMq4vc7MyOUMfCjDDu3JILOM3epT51OFkGRRqAyfx/vZbHdbLe1CM=
Server: Oracle-Application-Server-11g
Set-Cookie: OAMAuthnCookie_sso.melander.us:80=XiuQpggJbUzLaMtekqbd8HH6jtIcoNDmrzCkMBO0pf6SN3I1Pfnh8kfkzDAV3CHAMvcfjBZmAZLcef1G5tmTk51Nv664AO4mxKR9SCk07nCMPZdnUkZJldEL%2FP3N%2B18Ms3pZS%2Bm9kERpFCbBKCJf19%2FXjXWf%2B5VyLFOO3P88pHD6Rwcklfbcw6s2Oq5RR32UFZcpfVS79EWv8wocT4isczlTv5QkAVF0SpDocuEzhPE52GAxOSz%2Fjew5Q2pStKCF%2BA%2ByMR2pD2I3JFqAmt%2BZvxWlInEwOCCAC2RzMQzjPKvgy3EFv5iFLkd0ym1pXbkwR115I0lGQhRC9QM2vrQOyMd2Fmpmn%2BUpi9iT7juia0W5iJfd7MrpJPtebbNfBkTTnFJxGw5yVcecEOLPrGj1ubsNhtsKHwsP%2Bh18D4F6FsW2GoUx95X4NpxtG4MoORaYYGODr7roS7axEZSqBJzNRYBPZEMlPfz%2BQDxy3MicS6A%3D; httponly; path=/
Set-Cookie: DCCCtxCookie_sso.melander.us:80=;expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/

SEQ 8 – Set the OAMAuthnCookie for acme.melander.us

In this sequence the Resource WebGate for acme.melander.us gets the session token and then sets the OAMAuthnCookie for the acme.melander.us domain.  We now finally have SSO and the WebGate then grants the access to the content served up by the application server in sequence 9.

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 212
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 12 Sep 2014 12:04:02 GMT
Keep-Alive: timeout=5, max=99
Location: /
Server: Oracle-Application-Server-11g
Set-Cookie: OAMRequestContext_acme.melander.us:80_696f34=;expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/
Set-Cookie: OAMAuthnCookie_acme.melander.us:80=KeXCJKNeD4%2BKHMDKkBVFYrsZ94DcSb4JAbxuaCaUuvwoBDm3ljelAGlA30YsNi30IBGq4o8oRsTsTHkgity88Fl%2BvmSXHKCIhV5Ud0kyb3yErIWjjymaUWlbktnDhZaxvsq3we9viOESHKPCz6TZblUmLgnLbRxBLZmH0QvS32S5NexWSylBKlcHDBPOr78irmnE2S1Q1Bpp%2FmaFk6X3oE%2FP8LNRe0FVN4h7HNLz7q%2FUERIQbsulch8dsFdl2z97xWrz2PsUifvtlF5jG72xWLyaZbnRE8ERWxkotWD8wyDQha7xaBXIhWpOBnR5O5nRCvUUyzRTxE%2FnrNQRPucF%2F%2F9P2NaEazAEXWfAzf1cWKQ8GC1gjG%2BzN7E0BroGEPwaQ4EOI66mSbAA%2BVJ7QWvkIQt%2F7FHSbQGHFizqjC%2FJiueFRU6mFsO%2FwYUQ%2B6TeYzqoXZ03Xe%2F07ru5%2BBrdGbRzFoitRFCSwrFMtP0O5wm%2BGZQ%3D; httponly; path=/

Keep that Session Going with Multi-Domain SSO

Let’s keep going using the SSO Session and try to request globex.idfocus.com, which also is using the same DCC Authentication Scheme.  So using the same sequence diagram we can continue our learning.

SEQ 10 – Request globex.idfocus.com application

Much like sequence 1, this sequence is just a GET for the globex.idfocus.com.  No frills or thrills in the HTTP trace below, just as expected.

GET / HTTP/1.1
Host: globex.idfocus.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

SEQ 11 – Encrypt and send the session token to the DCC WebGate

In this sequence something familiar happens just like in any multi-domain SSO configuration with OAM.  The Resource WebGate for domain globex.idfocus.com does not have a valid session yet to satisfy authentication, so similar to sequence 2 it redirects the browser back to the DCC WebGate at sso.melander.us for authentication and includes the original requested URL and some other information encrypted in the encquery parameter value as seen below in the HTTP trace.

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 623
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 12 Sep 2014 12:04:05 GMT
Keep-Alive: timeout=5, max=100
Location: http://sso.melander.us/obrareq.cgi?encquery%3DR9T1bzgn2ARi3h9h6fS4x0brZ2JTAeoaEy7uzqo5YA%2FGai0y%2B4xpJ%2B1%2BoqVxziO1YZ2jFd9IHLeEBmJkasL5GG4Yw1B%2FIzR%2Fzahx4FV3pbntKMYL%2BdfHxsIgrf1MCUTwrMsL8zuzmXUgj6SwuzeFOF606C6SlNoGehhgXnRhD88zvXnMsdnvCnaGy7Q%2F8W5SNQf8QHt9zN2wzMVhQn%2BGvGexLAwclWZthZbKgpUbMsnQ5tpTTtua%2B0dYt2XuhYn5q09ihY3gozRoTGyTY3riS7DzjMPiwr9TK4SMgdMJv6U%3D%20agentid%3DGLOBEX%20ver%3D1%20crmethod%3D2
Server: Oracle-Application-Server-11g
Set-Cookie: OAMAuthnHintCookie=0@1410523445; httponly; path=/; domain=.idfocus.com
Set-Cookie: OAMRequestContext_globex.idfocus.com:80_783376=x3vA+i4lAGQmfHXaX0XW6A==;max-age=300; httponly; path=/

SEQ 12 – Encrypt and Send the Session Token back to globex.idfocus.com

In sequence 11 we saw some encrypted data and now the DCC WebGate intercepts it and determines that needs to now encrypt the token in the obrar.cgi encreply parameter string, which is basically the authentication response from the 11g WebGate.

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 1202
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 12 Sep 2014 12:03:24 GMT
Keep-Alive: timeout=5, max=97
Location: http://globex.idfocus.com/obrar.cgi?encreply=vQrCrUuQgsRYwGM3ttT22vAsZ6S1aYVO2oqKEgmd+WDJV8heYYJ8BSWMFxYarlUE+ku2+dFzgoTka6YFkTN7k2Cksc7jbL/WPOJSH9kv15y/HrJ2TUeQZzsvxKgQ+QbTpQLWqA4RuUAssgF3BhSvpeE9SNYTIdmMWl7cnk2iykuH2nwqbfmHTeFnazby8ueaNghwSMabgaLQWQCGwkYQc1WFOGa46SPPJHH6mmf1RUZFXdKPaEsBRuD9gf/rJ8mSCjTXbzRax/dM825r53yno5l3claGFY4BTTVPLtcfQpT5ihwbAIJZNGZZp60jdK9NlpIwXlW9USLDwlAJKqvAtMvJApeb1e2kfqdWk3l88p4FHfJAUD/EwjQJW/oESYVbIoPWr4p82FueprzqZnQcUO8SUovFzgjWh/2OaV4XXdzXwLFzkC7iVQLFxUpBwyC7jILDk5wHoCVuJgpAmwIawIo/BCmkcInFiem9UbpyezqhPVvf6vO1k6exG3htluiXFCO0FhmU+LuSjlR0ajX0Esp91YB4uZMpAR0JBA+aEcICkQNFKl/gveIAxBx9RbIdBRHwzwROOxn0NWr2mRxhvkcEKIoqk05ygethfLx7n5vENk6bhU2PJGsEP8EmPVV0XLuy00z58NpWN2x6XvVlUKE2sMu8jTmr3X8IOTFAgJcbWYP+JxOmXh2thhmlarFAShAiUqT1AXmKcAoHLx+Z/X+2ZQbAGbJtWhtAOWzd8oqj2QiN97M3s4I6ifC38cQ7GaJ9hG0g5Q7/Ton8Be87G+cerTNHZ5ZnYSSpVtyhcOIyCqafSf4C4pkmusNSRA9KVnkbcUeSHud/1AGAAipCMxur8FUR9JqLFdEiThlM4ZqUtecb21YAHz2v07qLzArjUisOrw1wU2mEqVwwQxaiZoQST/97jJc35qi54Vpgqfo=
Server: Oracle-Application-Server-11g

SEQ 13 – Resource WebGate globex.idfocus.com sets OAMAuthnCookie

The browser gets a HTTP 302 to go back to http://globex.idfocus.com/ and when the Resource WebGate gets the encrypted token it validates that this is a valid session.  At this point an OAMAuthnCookie for globex.idfocus.com is generated and now the browser has a token set for both globex.idfocus.com and acme.melander.us.  So the browser is never challenged a second time.  Surprisingly this functionality is nothing special to do with DCC, it is a normal way that the 11g WebGates work together in a multi-domain SSO fashion.  But I wanted to point this out so that there are misconceptions that DCC is special in this regard.

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 212
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 12 Sep 2014 12:04:05 GMT
Keep-Alive: timeout=5, max=99
Location: /
Server: Oracle-Application-Server-11g
Set-Cookie: OAMRequestContext_globex.idfocus.com:80_783376=;expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/
Set-Cookie: OAMAuthnCookie_globex.idfocus.com:80=vh4qf6d43e5MU0UVWdzO%2BZ43786Zl1C%2F3kHaW6XM%2Bz%2BrLD%2F%2FKC4sJQdZZYLcrcM7WnYjZCQFRqM5YvGypLkxDyQMuFxdQcrltEseZC1FNErkGHaL5HDR8FJxxf%2B3KP5XPL6z882pWt2P4IaHe3V630%2BaHePEabNeL%2BtU6VD5hgFXPxJRo9tM6FZB%2BRy47QkWhBqqWlI1opTk8r71M8q5mi7tG3VeayG1eT1nj1FjGC1dRn0Py280pMQf9BR6WKKW5De%2BblW0PE3b4aa%2BWuC2Dxc1hzzjTQzIbuaxTsaGIGoY13Ri2uxwY%2BMvhTk0rMtl9u2QSmJwX4cmwKRdvM47wRCxvZ%2BaMTU8UhcdIOZWHh4S2A77jwMr2507SYdPXOwXMUwksSlF4WyjIQSkksmhr3ZbMVYMxP3QLfFwqN19Q05OT8ZM1lNtYF3L%2FPD3orcwBb9OjJ%2FiMsfhSUZsfNB9ngaFBrNbR49FI2HkLgVPW9g%3D; httponly; path=/

Let’s exit this party with multi-domain Logout

The reason I dragged you through sequence 13 where we got to http://globex.idfocus.com/ via the SSO session is so I can get into the multi-domain logout.  A lot of focus seems to always be on the login, but I feel the logout is often forgotten because frankly —- it’s not as sexy.  I aim to change that.  Logout can also be a bit tricky and especially multi-domain logout.  In this section I want to continue with the same sequence diagram to close this article and give some important bits on this type of logout, but again in Part 2 I will get into more detail with the configuration needed to accomplish it.

SEQ 15 – Request the logout.pl page to logout!

This sequence shows the browser sitting at the globex.idfocus.com domain and then requests a logout.  Logout is configured in the WebGate profile, which is fairly normal.  However with DCC the logout is a bit different and it requires some configuration on both the Resource WebGate and DCC WebGate profiles.   In addition the logout.pl has to be on the DCC WebGate and does some tricks of its own, more on that in sequence 17.   So in this HTTP trace you can see that the logout request is for the relative URL /sso/logout; this triggers the logout sequence and is the actual value found in the Logout URL parameter of the Resource WebGate.  Then the end_url is the Logout Target URL parameter that holds the landing page the browser needs to go to after it has completed destroying all the session cookies and the session in OAM.

GET /sso/logout?end_url=http://sso.melander.us/sso/logout.html HTTP/1.1
Host: globex.idfocus.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: OAMAuthnCookie_globex.idfocus.com:80=vh4qf6d43e5MU0UVWdzO%2BZ43786Zl1C%2F3kHaW6XM%2Bz%2BrLD%2F%2FKC4sJQdZZYLcrcM7WnYjZCQFRqM5YvGypLkxDyQMuFxdQcrltEseZC1FNErkGHaL5HDR8FJxxf%2B3KP5XPL6z882pWt2P4IaHe3V630%2BaHePEabNeL%2BtU6VD5hgFXPxJRo9tM6FZB%2BRy47QkWhBqqWlI1opTk8r71M8q5mi7tG3VeayG1eT1nj1FjGC1dRn0Py280pMQf9BR6WKKW5De%2BblW0PE3b4aa%2BWuC2Dxc1hzzjTQzIbuaxTsaGIGoY13Ri2uxwY%2BMvhTk0rMtl9u2QSmJwX4cmwKRdvM47wRCxvZ%2BaMTU8UhcdIOZWHh4S2A77jwMr2507SYdPXOwXMUwksSlF4WyjIQSkksmhr3ZbMVYMxP3QLfFwqN19Q05OT8ZM1lNtYF3L%2FPD3orcwBb9OjJ%2FiMsfhSUZsfNB9ngaFBrNbR49FI2HkLgVPW9g%3D; OAMAuthnHintCookie=1; oam_cn=Anne-Louise Barnes; oam_email=abarnes@acme.com; oam_userid=abarnes
Referer: http://globex.identityfocus.com/

SEQ 16 – Process logout.pl to logout

This sequence shows the browser getting the HTTP 302 to redirect to the logout.pl page along with the URL encoded value for the end_url.  Notice the Expires -1, this is basically the Resource WebGate on globex.idfocus.com killing the session cookie for the OAMAuthnCookie_globex.idfocus.com.  However we are not over yet because we need to destroy the sessions for all the other domains, in this case acme.melander.us and globex.idfocus.com.

HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Connection: Keep-Alive
Content-Length: 311
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 12 Sep 2014 12:04:08 GMT
Expires: -1
Keep-Alive: timeout=5, max=96
Location: http://sso.melander.us/oamsso-bin/logout.pl?end_url=http%3A%2F%2Fsso.melander.us%2Fsso%2Flogout.html
Pragma: no-cache
Server: Oracle-Application-Server-11g
Set-Cookie: OAMAuthnCookie_globex.idfocus.com:80=;expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/
Set-Cookie: OAMAuthnHintCookie=;expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/; domain=.identityfocus.com

SEQ 17 – Kill those OAM Login Sessions now!

This is in my opinion one of the most interesting sequences of them all.  That is the sequence that makes a call to /oam_logout_success.  This URI is triggered because of the Logout Callback URL configuration in the WebGate profile.  It is responsible for killing all the remaining OAM SSO sessions.  In fact to verify all one does is logout and make sure the oam_logout_success is called as I explained, and then go into the OAM Console and go into the Session Management tab to search for the Username.   Before logout you would see the account session and then after the logout it should disappear.   In Part 2 I will get into more detail on logout configuration and how to customize the logout.

HTTP/1.1 200 OK
Date: Fri, 12 Sep 2014 12:04:08 GMT
Server: Oracle-Application-Server-11g
Pragma: no-cache, no-cache
Expires: -1, 0
Cache-Control: no-cache, no-store, no-cache, no-store
Generated-By: login.pl
Set-Cookie: OAMAuthnHintCookie=;expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/; domain=.melander.us
Set-Cookie: OAMAuthnCookie_sso.melander.us:80=;expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Language: en
----------------------------------------------------------
http://acme.melander.us/oam_logout_success

SEQ 18 & 19 – Redirect to the logout landing page.

If you remember from sequence 15, there was an end_url, which basically was the parameter that held the value for where the browser will end up after the logout process is complete.  This value could be anything you want and in my case I decided to have it land at /sso/logout.html on the sso.melander.us DCC WebGate; just make sure this URL is unprotected or excluded in the policy.  So this ends the logout.

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, no-cache, no-store
Connection: Keep-Alive
Content-Language: en
Content-Type: text/html; charset=UTF-8
Date: Fri, 12 Sep 2014 12:03:28 GMT
Expires: -1, 0
Generated-By: login.pl
Keep-Alive: timeout=5, max=96
Pragma: no-cache, no-cache
Server: Oracle-Application-Server-11g
Set-Cookie: OAMAuthnCookie_sso.melander.us:80=;expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/
Set-Cookie: OAMAuthnHintCookie=;expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/; domain=.melander.us
Transfer-Encoding: chunked

GET /sso/logout.html? HTTP/1.1
Host: sso.melander.us
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Referer: http://sso.melander.us/oamsso-bin/logout.pl?end_url=http%3A%2F%2Fsso.melander.us%2Fsso%2Flogout.html

What have we learned?

So what we have learned from the HTTP Traces is that both ECC and DCC submit credentials to the URI /oam/server/auth_cred_submit, but DCC submits those credentials directly to the DCC WebGate host.   The DCC WebGate creates its own unique DCCCtxCookie and all other Resource WebGates still create OAMAuthnCookie SSO tokens whether they are used for DCC or ECC scenarios.  At the end of the day the biggest difference we can gather is that DCC makes it easier to secure the OAM Server, as I mentioned earlier, because there is no point where requests from the browser are sent to the OAM Server and therefore mitigates any risk of exposing the Mid Tier in regard to OAM.   However logout is a bit different in regards that it has to run from the DCC WebGate and if you have a multi-domain SSO configuration like I had oam_logout_success is required to be configured and called by the logout.pl or possibly another way using a custom logout.  Until Part 2, I hope you have a little deeper understanding of what is going on under the covers of DCC.

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

INTRODUCTION

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

I recently was working on one of my virtual environments that had three servers, which included OAM 11gR2PS2, though this could happen with pretty much any version of OAM. It started with my browser requesting a protected resource, and I was presented with the login page as expected, but after logging in I was issued a HTTP 404 right at the page I wanted to get to. So I ran a HTTP Trace and realized it was in an infinite loop that abruptly stopped. I was able to quickly get this fixed, but I know for many this can be very puzzling because it is very difficult to determine what the problem is even though it is pretty simple. If this has ever happened to you let me explain what is going on, how to fix it, and how to prevent this behavior along with other problems that can be a result of the root cause.

MAIN ARTICLE

What is the root cause?

To get to the crux of it the root cause was that one of the system clocks of the OAM or the WebGate servers was out of sync. In my example one server was accidently on a different time zone, but this could very well happen if the clocks are out of sync by even a minute.

What is happening to cause this?

When the time is out of sync on a WebGate or OAM Server, the time stamp in the OAMAuthnCookie token is basically expired and thereby causes OAM to reject the token and redirect the browser back to the OAM server to get a new one, and again, and again, and again; hence the infinite loop.

How to Fix the Problem

This fix is pretty simple. All that is required is to reset all the dates and time on the WebGate and OAM Servers to make sure they are all in sync within 60 seconds. It may require restarting the web server for the WebGates or the OAM Servers, but it is fairly painless to solve.

But there is more…

When the system clocks are out of sync on any of the WebGate or OAM Servers other odd behavior can bubble up such as:

• High CPU usage at both Webgate agent and OAM Server.
  User experiences a hang.  Agent keeps going back to Server to re-issue the token because the Agent issued by the token thinks it is invalid.  I.E. OAM 11g: Redirect Loop Between OAM and WebGate Instance (Doc ID 1335301.1)
• Login failure.
  Errors are thrown in OAM logs when trying to authenticate.  Token is rejected because the OAM server rejects the time difference between the Agent and OAM Server.  I.E. [OAMSSA-20005] Error Thrown In OAM 11g When Attempting To Authenticate (Doc ID 1394157.1)
• Webgate is unable to contact an Access Server OR Webgate initialization error.
  Part of the OAP protocol is to check the time differences between the Agent and OAM Access Server.  If time is outside of 60 seconds failures can start happening, which will fail logins and even shutdown access to resources being protected by the Webgate agents.  I.E.  OAM 11g: Webgate initialize error – apache2entry_web_gate.cpp:592 – The AccessGate is unable to contact any Access Servers. raw_code^301 (Doc ID 1471768.1)

How to prevent this problem

Setting up NTP (Network Time Protocol) on all the WebGate and OAM Servers is one way to ensure the clocks are all in sync. Even if you would setup OAM for MDC (Multi Data Center) syncing the clocks across the data centers is critical. You may think that there is some product defect, but actually OAM is doing its job to be certain a rogue user is not replaying an old token in order to try and get in. Basically part of the SSO token in the OAMAuthnCookie contains a time stamp and the WebGates and OAM Servers pay very close attention to this time stamp because if it gets something that seems to look like it is old, OAM will automatically reject it; hence all the symptoms I described.

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

INTRODUCTION

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

In Part 1: Getting under the covers of Detached Credential Collector (DCC), I spent time talking about DCC in general and walked through a sequence diagram explaining what is happening with DCC, to try and explain how it works including contrasting it with ECC. So in this blog, Part 2, I want to expand into a more practical angle on the requirements of a totally custom login and logout. Creating a custom login and logout does not require the Perl scripts login.pl or logout.pl, though these are perfectly great options and can also be customized. If you do want to take the route of using the OAM out-of-the-box Perl scripts you can find more information about it and its implementation in the Oracle Developer Guide for OAM 11g (11.1.2) in section 4.4 Developing User the Detached Credential Collector or see Debasish Bhattacharya’s blog article Detached Credential Collector Configuration — OAM 11gR2. Moving forward, and as promised, I am going to guide you on how to create a totally custom login and logout using DCC without requiring any hardcore developer skills — I promise.

MAIN ARTICLE

Getting Started

To keep everything less confusing I am going to break out two main sections of this blog into the “Login” and “Logout”. I will provide enough detail for you to gain the knowledge of making a functional customized login and logout. The operative word is “functional”, which basically means I will show you the mechanics on how to make it work, but it is up to you to add the bling. Fair enough? So let’s get started.

How to Create a DCC Custom Login

Though DCC will work with several types of authentication schemes I want to keep everything simple so we can understand the basic concepts. Form Login is one of the most common types of authentication customers use, so this is a good one to cover. I want to cover a simple Custom Form Login authentication scheme, which coincidently is similar to an External Form Login authentication scheme. This should help understand the concepts and then give the foundation on how to expand into other authentication scheme options.

STEP 1: The DCC Custom Form Authentication Scheme Requirements

The foundation is to start with the authentication scheme itself. A good way to understand our authentication scheme for DCC is to compare how it is configured versus the OOTB (Out-Of-The-Box) ECC form authentication scheme. The table below compares the two authentication schemes and includes each parameter with some examples. I have highlighted DCC parameter values in red that stand out from ECC, so pay attention to the highlighted values; more details on the highlighted parameters coming up.

Table 1 – DCC Custom Form Authentication Scheme Comparison

As an additional visual aid I am including a screenshot of a DCC Custom Form Authentication Scheme from the OAM Console. You can compare the configuration in the screenshot to the table above to solidify how the scheme is defined and how it varies from a Form Login using ECC.

Figure 1 – Example DCC Custom Form Login Authentication Scheme

Getting into the details of DCC vs ECC Authentication Scheme differences

I wanted to expand a little more on the more critical parameters that I highlighted in red to understand why the values are set that way and how you may want to change some of them for your own needs.

Challenge Redirect URL

The Challenge Redirect URL must hold the URL that includes the hostname and port of the DCC WebGate. In a High Availability (HA) configuration, the hostname would be a virtual IP of the load balancer, and of course the load balancer would then send requests back to all the DCC WebGate hosts. In my example sso.melander.us is the hostname of my DCC WebGate, and therefore in my case the actual value for this parameter is https://sso.melander.us. This is a big contrast from ECC because with ECC the hostname dynamically comes from the Access Manager Settings > Load Balancing > OAM Server Host and OAM Server Port values. I have mentioned this before, but to recap the reason we send the browser to the hostname and port of the DCC WebGate is because 1) we need to get the DCCCtxCookie, and 2) the credentials need to be posted to the DCC WebGate either directly or through the load balancer virtual host as I mentioned.

Challenge URL

The Challenge URL will be the relative URI of the custom login page that is served up from the DCC WebGate. This is similar to how you would configure a custom external Form Login. I want to add that where the page is located is not as important as long as the URI goes through the DCC WebGate. For example the login page could be a JSP hosted on WebLogic, and the web tier OHS web server that has the DCC WebGate on it could be configured with the weblogic_module that points the URI back to the WebLogic application server. In my case I just used a simple static login.html page served up from the web tier OHS server. Basically what happens is the Challenge Redirect URL combines with the Challenge URL to point the browser to the login page. Using my example from the previous table values, the browser would be redirected to login at https://sso.melander.us/sso/login.html.

Context Type

DCC does not use this. This parameter tells OAM how to build the final URL after being redirected to the login page. Notice that with DCC, the selection is blank. This means that OAM will not do anything special to build the final URL except provide the original requested URL. If you refer to sequence 3 in my Part 1: Getting under the covers of Detached Credential Collector (DCC) notice that the URL is very clean on the final login destination, and only includes a single query string parameter “?resource_url=” which contains a URL encoded value of the original requested URL used to tell OAM where to send the browser back to its original requested HTTP resource after a successful login.

Context Value

DCC does not use this. Since nothing is selected for the Context Type, the authentication scheme will not even make this an available option.

Challenge Parameters

The Challenge Parameter field is to provide any required special credential input, but if this field is left blank, the default values for the login form minimally require username and password. In my authentication scheme I left this field blank, so the form login only included the minimum username and password as follows.

<input id="username" maxlength="25" name="username" type="text" />
<input id="password" name="password" type="password" />

STEP 2: The DCC Custom Login Form Page Requirements

Now that we have created the DCC authentication scheme, let’s create the DCC Form Login page.

Credential Input Fields

The credential input fields are actually similar to ECC in many ways. By default as mentioned earlier, username and password are minimally required if the Challenge Parameters field in the authentication scheme is left empty. However there are other special parameters options that can be used for various reasons. Please refer to the OAM Administration Guide for 11g Release 2 (11.1.2) section Table 16-22 User-Defined Challenge Parameters for Authentication Schemes, which lists a number of parameters, and some dedicated specifically to DCC like like “creds=” or “extracreds=”. However, in the context of this blog, I am keeping it simple (KISS — Keep It Simple Stupid) to mitigate complexity and confusion. So my input fields for the login page are simply username and password. The following is an example of the HTML source code of the credential input fields for a login form.

<input id="username" maxlength="25" name="username" type="text" />
<input id="password" name="password" type="password" />

OAM_REQ Hidden Field

The OAM_REQ stores the OAM Server state. I am sure for those that have created custom logins before the OAM_REQ parameter is already something familiar. DCC is not much different, but if your custom login only uses username and password, the WebGate will not return an OAM_REQ parameter at all and therefore you need not bother to submit this input with the credentials. However, if the custom DCC authentication uses a multi-step authentication, the OAM_REQ will show up and therefore the login page needs to handle the OAM_REQ parameter and submit it with the form in order for authentication to work properly. The value comes across as a header, so you will need some way to dynamically grab OAM_REQ header whether it be JSP, ASP, PHP, etc. Then once retrieved the input field should then be hidden, the value populated in the hidden input field, and then submitted with the other credentials. The following is an example source code to retrieve the OAM_REQ using Java Server Pages (JSP).

<input name="OAM_REQ" type="hidden" value=”<%= request.getHeader("OAM_REQ”) %>“>

Form Method

The form method is almost always POST. There may be cases where POST could be a GET, but from a security stand point POST is generally always used. My simple example uses the POST method. I mentioned this earlier, it is important that the form be submitted whether POST or GET to the DCC WebGate. This could either be directly to a single web server that has the DCC WebGate or the Load Balancer virtual host that sends the requests to the DCC WebGates, but the main point is the form has to be submitted to the DCC WebGate(s). The following is an example HTML source code of the form action. Maybe mention SSL here….

<form action="/oam/server/auth_cred_submit" method="post" name="form">

Form Action

The ACTION URI can be the default “/oam/server/auth_cred_submit”. This is exactly what an external custom form login uses. However if you do not want to use the default ACTION URI, there is a special parameter “action=” that is specifically designed for DCC that can be added in the “Challenge Parameters” field of the Authentication Scheme to change it; for more details on this parameter and others see the OAM Administration Guide for 11g Release 2 (11.1.2) section Table 16-22 User-Defined Challenge Parameters for Authentication Schemes. The following is an example of the HTML source code of the form action.

<form action="/oam/server/auth_cred_submit" method="post" name="form">

TempStateMode

Last but not least I want to mention a parameter named “TempStateMode”. This User-Defined parameter can be configured in the Authentication Scheme “Challenge Parameters” field. Oracle provides details on this parameter in the OAM Administration Guide for 11g Release 2 (11.1.2) section Table 16-22 User-Defined Challenge Parameters for Authentication Schemes. TempStateMode controls how the DCC stores the OAM server state, whether it is cookie or form depending on what serverRequestCacheType is configured. The serverRequestCacheType parameter is found in the oam-config.xml configuration file of the OAM Server. Basically the TempStateMode can tweak how the DCCCtxCookie stores the OAM Server state. The relevance of this parameter is in case the server state cookie value size explodes beyond its limit, which in that case the default value TempStateMode=form should prevent this. If this parameter is not set in the User Defined Parameters the default is “form” and should be fine for nearly every case.

Example Login Form

So to put it all together the following is an example JSP Login Form. Remember if you are doing a very simple login form that does not use multi-step authentication, you can exclude the input field OAM_REQ.

Code Example 1 – My Simple DCC Custom JSP Login Form

<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head></head>
<body>
<h2> Enter your credentials </h2>
<form action="/oam/server/auth_cred_submit" method="post" name="form">
Username: <input name="username" type="text" maxlength="25">
Password: <input name="password" type="password">
<input name="OAM_REQ" type="hidden" value=”<%= request.getHeader("OAM_REQ”) %>“>
<input type="image" name="login" src="images/login.png" onclick="document.form.submit();"/>
</form>
</body>
</html>

STEP 3: Applying the Custom DCC Login Form

Now that the authentication scheme has been created, and the login page has been built, all that remains is to change the authentication scheme in the Application Domain and test it. So go into the OAM Console > open the Application Domain > Authentication Policy > Protected Resource Policy and change the authentication to the new DCC Authentication Scheme. Once changed give it a test to see if everything functionally works as expected.

If authentication it is not working please refer to my first blog on DCC, Part 1: Getting under the covers of Detached Credential Collector (DCC), and read through the sequence diagram to understand what should be happening. You may want to install or use some HTTP Trace on your browser to make sure you are getting the right cookies, redirected to the correct hosts, etc. Another troubleshooting tip is to set the WebGate oblog to TRACE along with setting the OAM Server module “oracle.oam.proxy.oam“ to TRACE.

This pretty much covers it for DCC login; it is fairly straightforward. I hope this helps understand the special needs of DCC Login. Now let’s continue to the logout, which is a bit more complicated. We need to make sure the login form is unprotected, too?

How to Create a DCC Custom Logout

The logout is often neglected because, well, it is not quite as sexy as single sign-on (SSO). In fact sometimes it can be even more complicated that the login. For example with multiple domains there are OAMAuthnCookies that need to be terminated, there could be backend application sessions that also need to be terminated, and don’t forget about session timeouts. If an application session ends before the OAM session, the user could experience a partial logout, which can create odd unwanted behavior. Unfortunately it is outside the scope of this article to answer all the logout nuisances and recommendations, so minimally I want to focus on the DCC logout requirements only.

There are two distinct types of WebGates in the context of this article, the DCC and the Resource WebGates. Each WebGate profile will require slightly different logout configurations. We already know about the “Allow Credential Collector Operations” option in the WebGate Agent profile to make it a DCC WebGate. However when it comes to logout there are also special considerations when it comes to a DCC WebGate. As a quick preview summary, the following table shows the difference between the DCC and Resource WebGate logout configurations.

Table 2 – DCC vs Resource WebGate Profile Logout Configuration

As you can tell from the above table the DCC WebGate includes the URI of the logout page, /sso/signout.jsp, where as the Resource WebGate contains a different URI all together and actually not even a real location. Also the DCC WebGate does not even contain a value for the Logout Redirect URL where the Resource WebGate does, and points the absolute URL of the DCC Logout page. So let’s get into the differences and explain the configurations.

STEP 1: The DCC WebGate Agent Profile Logout Setting Requirements

The following table lists the parameters and values required for the DCC WebGate. I have provided important comments in, you guessed it, the “Comments” column. In the next step for the Resource WebGate Agent profile I will tie together how important the DCC WebGate Agent logout configurations are and why it is really important that the settings all be intelligently configured to work together and successfully make the logout work properly.

Table 3 – DCC Agent Profile Logout Configurations

The following screenshot shows my DCC WebGate Agent profile.

Figure 2 – DCC WebGate Agent Profile

STEP 2: The Resource WebGate Agent Profile Logout Setting Requirements

The Resource WebGate is all other WebGates that do not use the “Allow Credential Collector Operations” checked like with the DCC WebGate; this was mentioned in my Part 1: Getting under the covers of Detached Credential Collector (DCC) blog.  The following table lists the parameters and values required for each Resource WebGate.

Table 4 – Resource Agent Profile Logout Configurations

The following screenshot shows what my Resource WebGate Agent profile looks like.  Notice the Logout Redirect URL points directly to the same DCC WebGate Logout URL; e.g. the absolute URL is https:/sso.melander.us/sso/signout.jsp; this is important to understand how this works.

Figure 3 – Resource Agent Profile

So for example the logout link is on the application page, the HREF link is really just the URI defined in the Resource WebGate Agent Logout URL, in my case it is “/sso/logout”.  When the user clicks on the logout link or button, the browser requests the relative URI “/sso/logout”.  The WebGate knows about this special URI, which triggers the logout process.  The Resource WebGate will then expire the OAMAuthnCookie for that domain, and next send the browser to the Logout Redirect URL https://sso.melander.us/sso/signout.jsp defined in the Resource WebGate Agent.  Once the browser lands on the logout page https://sso.melander.us/sso/signout.jsp, it also expires the OAMAuthnCookie for the DCC WebGate host.  However, if we have gone to multiple domains, the show is not over.  We still need to deal with all the other domain cookies to complete our logout because at this point we are only logged out of the DCC WebGate and the Resource WebGate domain we clicked the logout link or button from.  This is where the Logout Callback URL comes in, and I want to spend time talking about this next in its own section.

STEP 3: Using the Logout Callback URL to terminate remaining OAMAuthnCookies

Normally when using ECC, OAM automatically makes a call back to one of the OAMAuthnCookie domains with a special URI named “/oam_logout_success”; remember this value defined in the Logout Callback URL parameter of the WebGate profile?  When a logout process is requested using ECC, OAM begins to make callback requests to all the domains a browser accessed in the form of a HTTP request; e.g. request 1) http://app.domain1.com/oam_logout_success, request 2) http://app.domain2.com/oam_logout_success, and so forth until all the OAMAuthnCookie hosts are expired.  If this were not done, the browser would only be logged out of the current domain it clicked the logout from.

The DCC WebGate is unique because it puts all the interaction with the browser at the front end where normally with ECC the browser can have all this interaction with the OAM server to make all these callbacks to terminate the session.  So DCC does it a little differently.  Let’s take a look at a WireShark TCP trace taken from the DCC WebGate to better understand what is going on.

Figure 4  – WireShark Trace showing HTTP_OAM_LOGOUT_CALLBACK_URLS Header

The above WireShark trace was captured when using the out-of-the-box logout.pl configuration.  So what we find is during the logout using DCC there is a special HTTP Header called “HTTP_OAM_LOGOUT_CALLBACK_URLS“ that shows up at the point of accessing the logout.pl.  The header HTTP_OAM_LOGOUT_CALLBACK_URLS can hold multiple callback URLs that come from all the domains the browser has been to (see the highlight in yellow).  Notice the header value http://acme.melander.us/oam_logout_success?

In the next WireShark screenshot trace we see that the logout.pl uses this header to dynamically build an image tag and uses the Logout Callback URL from the header as the source of the image.  But WAIT, this is not really an image is it!! Cleverly even though this source is not an image, it forces the browser to load what it thinks is an image, but in reality makes the browser do a HTTP request to the Logout Callback URL, which ultimately expires the OAMAuthnCookie session for that domain.

Figure 5 – Dynamic Invisible Image Tag

Notice there is only one image tag for the Logout Callback URL in the WireShark trace?  If the browser accessed multiple domains the OAM_LOGOUT_CALLBACK_URLS header would store a delimited list of Logout Callback URLs and the logout.pl is designed to iterate through them to build multiple image tags.   Making multiple HTTP requests using these invisible image tags expires all the OAMAuthnCookie domains; pretty clever right?

If there is a case where only one of which should be many Logout Callback URLs AKA Partners are not presented in the OAM_LOGOUT_CALLBACK_URLS header, the Partner logouts may not be complete.  Meaning, post DCC logout, the OAMAuthnCookies for the other domains may not get cleared.  However, not to worry, because on the server side these sessions get cleared as a result of the logout leaving the uncleared OAMAuthnCookies obsolete.  So if this happens the risk is low and the browser will ultimately be logged out.

How to Leverage the OAM_LOGOUT_CALLBACK_URLS Header

I spent all this time to help you understand the importance of the Logout Callback URL and how the logout.pl leverages the OAM_CALLBACK_URLS header so that I can now show you how to use this same trick to complete your logout successfully using a custom logout page.  So the question is, how do we take advantage of this magical OAM_LOGOUT_CALLBACK_URLS header?   There are four things;

To help kick start you, the following is an example Java Server Pages logout page to do the job.  So when you are redirected to the signout.jsp, it grabs the OAM_LOGOUT_CALLBACK_URLS header, iterates through the Logout Callback URLs, and dynamically inserts invisible image tags in the logout page.

Code Example 2 – Java Server Pages signout.jsp page

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<!-- COPYRIGHT (c) 2014 ORACLE A-TEAM -->
<!-- THIS SAMPLE CODE IS PROVIDED FOR EDUCATIONAL PURPOSES OR     -->
<!-- TO ASSIST YOUR DEVELOPMENT OR ADMINISTRATION EFFORTS AND     -->
<!-- PROVIDED "AS IS" AND IS NOT SUPPORTED BY ORACLE CORPORATION. -->
<%@ page contentType="text/html;charset=UTF-8"%>
<%@ page import="java.util.Enumeration" %>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <title>OAM DCC Logout</title>
  </head>
  <body>
       
    <h1 align="center">
      You have successfully logged out!
    </h1>
    <% 
    String imgBeg="<img border=\"0\" width=\"0\" height=\"0\" src=\"";
    String imgEnd="\"/>";
    Enumeration e = request.getHeaders("OAM_LOGOUT_CALLBACK_URLS");
    while (e.hasMoreElements()) {
        String headerVal = (String) e.nextElement();
        out.write(imgBeg+headerVal+imgEnd);
    }
    %>
  </body>
</html>

Based on the Java Server Pages signout.jsp page above, you can see in the figure below an example of what the HTML source output of the page would look like after it renders.  As the page loads the Logout Callback URL are requested, cleverly as invisible images, but despite not being a real image it makes the necessary HTTP request for each Logout Callback URL domain and completes the expiration of the remaining cookies — Nifty right?

Code Example 3 – HTML source output of the signout.jsp page

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<!-- COPYRIGHT (c) 2014 ORACLE A-TEAM --> 
<!-- THIS SAMPLE CODE IS PROVIDED FOR EDUCATIONAL PURPOSES OR     --> <!-- TO ASSIST YOUR DEVELOPMENT OR ADMINISTRATION EFFORTS AND     --> <!-- PROVIDED "AS IS" AND IS NOT SUPPORTED BY ORACLE CORPORATION. -->   <html>
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
     <title>OAM DCC Logout</title>
   </head>
   <body>
        
     <h1 align="center">
       You have successfully logged out!     </h1>
          
<img border="0" width="0" height="0" src="http://acme.melander.us/oam_logout_success"/>
   </body>
 </html>

Note if you are using Java Server Pages, you will need to configure your web server for the WebLogic module.  Of course if you are using some other dynamic web programming language, the same would apply per your choice of web technology.  In my example I modified the following Oracle HTTP Server (OHS) mod_wl_ohs.conf file though your configuration would be a little more robust to also include a cluster.

<IfModule weblogic_module>
      WebLogicHost weblogichost.com
      WebLogicPort 7001
      WLLogFile /tmp/weblogic.log
      MatchExpression *.jsp
</IfModule>

What if I don’t have a dynamic logout page to get the HTTP header?

Since the OAM_LOGOUT_CALLBACK_URLS does only show up on the server side, getting the header can present a big challenge if you don’t have some type of dynamic web language technology. If this is your situation and you don’t have a way to use a web technology like Java Server Pages (JSP), PHP Hypertext Preprocessor (PHP), Active Server Pages eXtension (ASPX) or something similar for any reason; not to worry, you can still get the logout job done, but at a cost.

Let’s say you know that you will only have two domains a browser will ever be accessing, say portal.acme.com and sales.oceanicair.com, then you can hard code the two invisible image tags in the page as follow.

Code Example 3 – Example HTML source output of a static logout page

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<!-- COPYRIGHT (c) 2014 ORACLE A-TEAM --> 
<!-- THIS SAMPLE CODE IS PROVIDED FOR EDUCATIONAL PURPOSES OR     --> <!-- TO ASSIST YOUR DEVELOPMENT OR ADMINISTRATION EFFORTS AND     --> <!-- PROVIDED "AS IS" AND IS NOT SUPPORTED BY ORACLE CORPORATION. -->   <html>
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
     <title>OAM DCC Logout</title>
   </head>
   <body>
        
     <h1 align="center">
       You have successfully logged out!     </h1>
          
<img border="0" width="0" height="0" src="http://portal.acme.com/oam_logout_success"/>
<img border="0" width="0" height="0" src="http://sales.oceanicair.com/oam_logout_success"/>

   </body>
 </html>

Let’s say you know that you will only have two domains a browser will ever be accessing, say portal.acme.com and sales.oceanicair.com, then you can hard code the two invisible image tags in the page as follow.

First, the bad news…each time a domain changes whether it be added, changed, or removed, you will need to update the logout page across all environments.  Something to keep in mind, if your WebGate preferred hostname is say “.acme.com”, then if you go to portal.acme.com and sales.acme.com, both are different OAMAuthnCookie domains, so a Logout Callback URL will be required for both.  The earlier approach would take care of this automatically, but the approach of hard coding the image tags in a static logout page as you can see will become unwieldy.  This approach can be error prone and additional administration overhead is required to manage changes each time one is made.  The good news, although not the most elegant method, it will get the job done and you can be sure your logout is successful from all domains.

Summary

So now you have some idea of the requirements that encompass how to create a custom login and logout page that works with DCC.   For those that want to use the DCC feature, I hope this article alleviates the concern of thinking you are stuck using the Oracle OAM DCC Perl scripts, login.pl and logout.pl.  The Perl scripts are certainly a viable option, but I would think most customers are more oriented to creating their own customized branded login and logout pages.  Good luck!

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Introduction

Social Federation: a somewhat fancy name for a simple concept. We want to leverage identities in Social Network providers in our own applications. For example, granting access to either cloud or on-premise applications to end users using their Google identities. In this post we’re going to take a close look at the necessary configuration in OAM M&S (Oracle Access Manager Mobile & Social) server to have Java Web applications leveraging Google and LinkedIn identities.

Conceptually, this is very similar to SAML-based federation model indeed. The difference is that we are now dealing with different protocols, like OpenID and OAuth. And the main appeal for federation keeps being the acceptance of third party identities by a service provider (a.k.a. relying party) without the need of having end user passwords stored locally.

For SAML-based federation, just search for SAML in our blog. I’ve posted quite some articles on the topic.

OAM M&S works both as an identity provider or as a service provider. In the former case, it works as the entity providing authenticated tokens to interested parties. In the later, it is the entity consuming authenticated tokens generated by some other identity provider. In the use case we have in mind for this post, OAM M&S is the service provider. At the end of the day, we want to provide access to a java servlet hosted in Weblogic server accessed through OHS (Oracle HTTP Server).

Leaving federation out for a moment, in the typical OAM use case, OAM generates a token based on username/password entered by the end user. The user credentials are validated against OAM backend user store.

With federation, the user is authenticated by the remote identity provider. Following that, OAM generates a token based on the token sent by the remote identity provider.

That means, from the viewpoints of the servlet application and Weblogic server hosting the servlet, with federation, there are no extra requirements than those already known for the typical OAM use case: CLIENT-CERT authentication method in web.xml and OAM Identity Asserter in the Weblogic security realm.

The following is the step-by-step configuration to implement the same use case you see here in the M&S documentation.

For your convenience, here’s the sequence diagram:

Authentication Flow Sequence Diagram

Main Article

OAM M&S Configuration

1 – OICScheme Authentication Scheme

In the Application Policy Domain, define OICScheme as the Authentication Policy authentication scheme for the protected resource.

OICScheme in Authentication Policy

OICScheme

Special mention to MatchLDAPAttribute=uid Challenge Parameter. It means the LDAP uid attribute is used for finding the user in OAM’s user store. Yes, in the case where M&S is integrated with Access Manager, a shadow user entry is created for every federated user (password attribute is optional). Therefore, watch the populated attributes once user attributes are mapped. More on this later when we talk about the necessary mappings for each identity provider.

2 – M&S Application Profile Definition

Under Social Identity, create an Application Profile with the same name as your Application Policy Domain (HQ_Apps, in my case). Use the OOTB OAMApplication profile as a template.

Social Identity Main Screen

The Application Profile screen defines attribute mappings between the Application User and the Registration Service as well as between the Application User and the Identity Provider. It also defines, among other things, the properties controlling how the login screen is presented and whether user registration should be skipped (not applicable when M&S is integrated with Access Manager).

With regarding to profile properties, observe the screen shot below:

HQ_Apps Application Profile Properties

Notice the UserID Attribute. It’s used by M&S to uniquely identify users and must be defined in the Application User Attribute list.

As for the mappings, observe the 3 sections in my sample HQ_Apps Application Profile below:

HQ_Apps Application Profile Mappings

Application User Attribute section lists the attributes to be handled by the profile. You can list any attribute, as long as it gets properly mapped in the subsequent sections. These attributes are the link between the Social Identity provider and the local backend user store.

Registration Service Detail with Application User Attribute Mapping section defines the fields that are going to show up in the Registration form once the authentication flow gets back to M&S after successful authentication by the Identity Provider.

Notice the uid attribute in the Registration Service Details. This is how we populate it in local backend identity store for further lookup by OAM’s OICScheme.

An important and related aspect for integrating with Java web applications running on Weblogic server is how we configure the LDAP authenticator. Remember: the OAM Identity Asserter in Weblogic makes use of an authenticator when asserting the user identity for the container. Specifically, special attention to the User Name Attribute. The value pointed by it must match whatever value is propagated to Weblogic (usually done via OAM_REMOTE_USER or OAM_IDENTITY ASSERTION HTTP headers).

OID Authenticator in Weblogic

Application User Attribute and Internet Identity Provider User Attributes Mapping is self-describing and it is done per Identity Provider. The displayed mapping is for Google_OAuth2 provider. The Internet Identity Provider User Attributes need to first be defined in the provider. Check section 3.1 below.

3 – Social Identity Providers Configuration

Google supports OpenID (Google has deprecated OpenID 2.0 and is now supporting OpenID Connect)  while LinkedIn uses OAuth.

3.1 – Configuring Google OpenID Connect

OpenID Connect is an identity layer on top of OAuth 2.0. It’s an API friendly protocol for verifying end user identity and obtaining basic profile information about the end user.

As of M&S 11.1.2.2, there’s no OOTB (Out Of The Box) Provider for Google with OpenID Connect. So we need to create one from scratch. The screenshot below shows my sample setup. All fields except Name, Description, Icon Path, Consumer Key and Consumer Secret must be informed as is. Notice the Protocol is OAuth.

Google OpenID Connect Configuration

Couple of important observations:

1 – Consumer Key and Consumer Secret are obtained from Google’s Developer Console.

Follow this document for creating the necessary OAuth 2.0 footprint in Google.

When creating the Client ID and Client Secret in Google’s Developers Console, make sure the Authorized Redirect Endpoint gets set to http://<oam-server>:<oam-port>/oic_rp/return, like in the following screenshot. It is used to send the OAuth token back to M&S server.

Client ID Creation in Google Developers Console

When configuring Google’s Consent Screen in Google’s Developers Console, make sure the PRODUCT NAME matches the Application Profile name in M&S:

Google Consent Screen

2 – Notice Google URLs. They are all HTTPS.

Take a look at the SSL Advanced properties in OAM managed server. The OOTB Hostname Verifier (BEA Hostname Verifier) doesn’t support wildcards in the certificate CN it receives from the other end, which is what Google may send back during the handshake. This will get you an error like the one below and will prevent the federation flow to complete.

####<Oct 13, 2014 1:09:23 PM PDT> <Warning> <Security> <slc05ylp.us.oracle.com> <oam_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <6af0f0aa917fd32e:-103bce24:1490b1effb4:-8000-00000000000000f1> <1413230963819> <BEA-090504> <Certificate chain received from www-proxy.us.oracle.com - 148.87.19.20 --> www.googleapis.com failed hostname verification check. Certificate contained *.googleapis.com but check expected www.googleapis.com>

Fortunately, Weblogic ships a Custom Hostname Verifier that supports wildcards, named weblogic.security.utils.SSLWLSWildcardHostnameVerifier.

Change the OAM server SSL Advanced settings using values below and restart the server.

Hostname Verification: “Custom Hostname Verifier”

Custom Hostname Verifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier

WLS SSL Settings

Following our Google_OAuth2 provider configuration in OAM Console, the attributes to be returned by the provider are defined as:

Google OAuth Attributes

3.2 – Configuring LinkedIn OAuth

For LinkedIn (as for Google and any OAuth provider), it is necessary to first register our client in LinkedIn for obtaining a consumer key and secret. The steps are described here.

Upon successful registration, LinkedIn outputs something like:

Client Registration in LinkedIn

Copy API Key and Secret Key values above and paste them into LinkedIn’s Consumer Key and Consumer Secret fields in the M&S LinkedIn provider, as shown below:

LinkedIn Profile in M&S

In my experience, LinkedIn doesn’t use wildcards in their certificate. At least, Weblogic doesn’t complain.

Testing

With this configuration in place, we’re now ready for testing. When accessing the protected resource, OAM Web Gate would present us a login screen like:

Social Login Screen

Upon choosing any of the Identity Providers links, the browser gets redirected and the user is prompted for authentication by the Social Network identity provider. In the case of LinkedIn, for instance:

LInkedIn OAuth Authentication

If this is the first time access, a registration form is presented and it must be filled in, or login fails. Notice how the form mirrors the attribute mappings in the Registration Service Details with Application User Attribute Mappings showed previously.

LinkedIn User Registration in M&S

Upon successful registration, the user entry is created in the backend local user store, a session is created in OAM and the browser is redirected to the originally requested resource.

In subsequent accesses, the user registration step is skipped.

Here’s OAM session entry based on LInkedIn’s federated identity displayed in OAM Console:

OAM User Session

I hope this is useful for people out there starting with Social Federation with OAM M&S. Time allowing, I will come back with more advanced use cases on the topic.

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Since OAM 10g days, keeping track of Protected Resource that user wanted to access throughout custom authentication process has been a challenge. In OAM 10g, it was possible to create custom OBFormLoginCookie to overcome that challenge. With the introduction of Encrypted OAM_REQ cookie in OAM 11g, it is not feasible. That makes it difficult to do post Authentication operations or any customizations in Authentication process.

OAM 11gR2 introduced a feature where you can redirect user to a URL post successful Authentication (On Authentication success event in Authentication policy as defined in the screen shot below). OAM while doing that redirect, adds end_url query parameter to URL with the value of protected resource that user tried to access. You can do any post Authentication processing required on Authentication success URL and then redirect user to end_url.

One of the use cases of the feature is, when you do OAM-OAAM integration, you can invoke OAAM post Authentication rules before redirecting user to protected resource the user was trying to access. Here is the Architecture diagram for the use case described above.

Note: Architecture diagram below is representative diagram for the use case and does not represent Oracle recommended Architecture for OAM deployment.

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission

Introduction

Security systems, including OAM, reside in a dynamic environment where the parameters that affect system performance are ever changing. On top of that, access management Infrastructure like OAM serve as the front door or gate to every application/system in an organization. Therefore continuous monitoring of such key components is mandatory to ensure continuous success of not just your access and SSO solution but indeed your very applications themselves. Effective monitoring involves two types of controls; preventive monitoring and detective monitoring. Preventive monitoring makes sure failure does not take place and detective monitoring helps you detect any failure if it occurred and take corrective measures. OAM has features to facilitate both the types of monitoring. We will go over all the monitoring capabilities offered by the product.

1. 1. HealthCheck URL

Starting R2PS2, OAM provides health check URL that either Load Balancer or Infrastructure monitoring (or any perimeter devices) can leverage to check if OAM server is running healthy. This is preventive monitoring where it helps prevent sending user request to unhealthy server and in turn prevent failure. The HealthCheck URL is

http://$MANAGED_SERVER_HOST:$MANAGED_SERVER_PORT/oam/server/HeartBeat

Replace $MANAGER_SERVER_HOST with OAM Managed server host name and $MANAGED_SERVER_PORT with OAM Managed server port number (Default port number is 14100).

When you hit HeartBeat URL, Access Manager checks following services

• User data store connectivity
• Policy store connectivity
• Validate credentials collector is reachable
• NAP service connectivity (WebGates use NAP service to communicate with OAM server)
• Validate coherence service

If all these tests are successful, then OAM server responds back with “HTTP 200” response with blank body. If any of the above mentioned tests is unsuccessful, OAM server responds back with “HTTP 404” response.

If I shutdown user data store that is OVD in this environment, I will get HTTP 404 response back instead of HTTP 200.

1. 2. Monitor Performance Metrics

There are a couple of avenues to monitor performance for OAM. One of them is DMS (Dynamic Monitoring Service) and Second one is EM (Enterprise Manager). However both DMS and EM are separate applications than OAM Admin console running on domain Admin Server. OAM R2PS2 introduced a new feature in OAM Admin console itself to monitor OAM system and performance. Users with valid Administrative privileges can check various metrics of OAM server instances and WebGates. Based on these metrics, OAM Administrator can take preemptive measures to sustain growing load and take corrective measures if any service failure is detected. Here is how you can monitor OAM server instance and SSO agent instance. This is detective form of monitoring where Administrator can look for any failures or impact on performance due to growth and take corrective measures.

• OAM Server Instance Monitoring

• SSO Agent Monitoring

• OAM Server Instance or SSO Agent failure detection

2. 3. DMS (Dynamic Monitoring Service) Monitoring

Oracle DMS (Dynamic Monitoring Service) is a key component of Oracle Fusion Middleware that captures and provides an interface to access data regarding component’s performance, state and on-going behavior. It can be leveraged to monitor any Fusion Middleware product. Enterprise Manager also uses DMS service to fetch and report system performance data. The URL to browse DMS (It is an application deployed on OAM domain Admin Server) is,

http://$ADMIN_SERVER_HOST:$ADMIN_SERVER_PORT/dms

Replace $ADMIN_SERVER_HOST with hostname of OAM Admin server and replace $ADMIN_SERVER_PORT with OAM Admin server port number.

There are number of OAM metrics (as shown in the screen below with Red ink) that you can check.

More information about DMS monitoring and its effective usage can be found here.

1. 4. Enterprise Manager Monitoring

There are two parts to Enterprise Manager. One is Enterprise Manager Application installed as part of OAM domain and the other is Enterprise Manager 12c application. Most of the metrics that Administrator user can monitor from DMS service, can be monitored from Enterprise Manager application as well. However Enterprise Manager 12c is full fledged monitoring product that monitors not only OAM product related metrics but also monitors system state (CPU usage, Memory usage, Free memory available on the server, OAM process running on the server). Apart from that, It allows Administrator to define thresholds on performance metrics or define SLAs and if performance is below threshold or if SLA breaks, It can alert Administrator so Administrator can take corrective measures. Enterprise Manager is feature rich product with many advanced monitoring features and alert mechanisms. More about those features is for next blog post. Until then, Happy Reading!

All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission