D100926GC20 Ag


Oracle Internal & Oracle Academy Use Only

Oracle Access Management 12c: Administration Essentials

Activity Guide
D100926GC20 | D108300

Learn more from Oracle University at education.oracle.com


Author: Dave Silvestro
Technical Contributor and Reviewer: Don Bates
Editors: Moushmi Mukherjee, Aju Kumar
Graphic Designer: Komal Reenu
Publishers: Sujatha Nagendra, Veena Narasimhan, Pavithran Adka
2004012020

Copyright © 2020, Oracle and/or its affiliates. All rights reserved.

Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Table of Contents

Practices for Lesson 1: Course Overview
  Practices for Lesson 1
Practices for Lesson 2: Introduction to Oracle Access Management
  Practices for Lesson 2
Practices for Lesson 3: Installation and Configuration
  Practices for Lesson 3: Overview
  Practice 3-1: Installing Fusion Middleware Infrastructure and Identity and Access Management Products
  Practice 3-2: Configuring Oracle Access Manager Schema
  Practice 3-3: Configuring a WebLogic Server (WLS) Domain for Oracle Access Manager
  Practice 3-4: Performing Sanity Checks
Practices for Lesson 4: System Configuration: Agents, Servers, and Data Sources
  Practices for Lesson 4: Overview
  Practice 4-1: Configuring Oracle HTTP Server Instances
  Practice 4-2: Installing and Configuring WebGates and Registering a WebGate by Using the OAM Console
  Practice 4-3: Registering WebGates by Using Different Interfaces
  Practice 4-4: Configuring a Delegated Administrator in the Embedded LDAP
  Practice 4-5: Configuring OUD as the Identity Store for OAM
  Practice 4-6: Setting Communication Mode Between Server and WebGates to Simple
  Practice 4-7: Configuring Server Certificates
  Practice 4-8: Configuring WebGates with Cert Mode
Practices for Lesson 5: Configuring DCC, Policies, and Responses
  Practices for Lesson 5: Overview
  Practice 5-1: Deploying an Application and Configuring OHS to Front-End the Application
  Practice 5-2: Configuring a Detached Credential Collector
  Practice 5-3: Configuring Authentication and Authorization Policies
  Practice 5-4: Managing Authentication and Authorization Responses
  Practice 5-5: Customizing Access Policies for a Web Application
  Practice 5-6: Implementing OAM Password Policy
  Practice 5-7: Configure Password Policy Using REST
Practices for Lesson 6: Configuring Single Sign-On and Managing Sessions
  Practices for Lesson 6: Overview
  Practice 6-1: Deploying and Configuring a Custom Login Page with DCC
  Practice 6-2: Managing Sessions
  Practice 6-3: Setting Up a Delegated Session Administrator
  Practice 6-4: Deleting a User Session with REST
Practices for Lesson 7: Using Oracle Access Management with WebLogic Applications
  Practices for Lesson 7: Overview
  Practice 7-1: Deploying the Sample Application with Basic Authentication
  Practice 7-2: Configuring OAM Authentication for a Sample Application
Practices for Lesson 8: Configuring Auditing and Logging
  Practices for Lesson 8: Overview
  Practice 8-1: Configuring Oracle Access Management Server to Write Audit Log Records to an Oracle Database
  Practice 8-2: Configuring Oracle BI Publisher to View Audit Reports
  Practice 8-3: Reviewing Logs
Practices for Lesson 9: Diagnostics and Troubleshooting
  Practices for Lesson 9: Overview
  Practice 9-1: Working with Access Tester
  Practice 9-2: Using WLST
  Practice 9-3: Working with Fusion Middleware Control



Practices for Lesson 1: Course Overview


Practices for Lesson 1

There are no practices for this lesson.



Practices for Lesson 2: Introduction to Oracle Access Management

Practices for Lesson 2

There are no practices for this lesson.



Practices for Lesson 3: Installation and Configuration

Practices for Lesson 3: Overview

Practices Overview
The following diagram is a topology representation of all the components that you will work with
in the practices. Take a moment to review it. It is recommended that you revisit this diagram
during your lab work to see how the topology is developed in each practice.

Important Notes for All Practices
a. At the start of each day, restart the WLS admin and OAM managed servers.
Note: The best way to ensure that the servers are stopped is to open the terminal
window for each server console and press Ctrl + C. Also, restart a server if it becomes
slow or unresponsive, which is usually because of memory limitations on the physical
lab machines.
b. All practices requiring terminal window interaction are performed as the oracle OS
user, except when you are explicitly asked to perform a task as the root user.
c. The following environment variables are preset in the bash profile for the oracle user
on the database and OAM machines:

DB machine:
JDK_HOME=/u01/app/oracle/product/jdk
ORACLE_HOME=/u01/app/oracle/product/database/db_home
ORACLE_SID=orcl
PATH=$ORACLE_HOME/bin:$PATH
MW_HOME=/u01/app/oracle/product/middleware
OUD_HOME=$MW_HOME/oud_home
ODSM_DOMAIN=/u01/app/user_projects/domains/odsm_domain

BI_HOME=/u01/app/oracle/product/bi_mw_home/Oracle_BI1
BI_DOMAIN=$BI_HOME/../user_projects/domains/bifoundation_domain

OAM machine:
MW_HOME=/u01/app/oracle/product/middleware
JDK_HOME=/u01/app/oracle/product/jdk
ORACLE_HOME=$MW_HOME/iam_home
OHS_HOME=$MW_HOME/ohs_home
DOMAIN_HOME=/u01/app/oracle/admin/domains/oam_domain

d. There are two browsers, Firefox and Chrome, on the OAM machine:
   • Use Chrome to access Oracle Access Management Console, WLS Console, and EM FMW Control.
   • Use Firefox to access sample applications such as the Banking application and the Bakery application. All consoles and applications should be bookmarked for you.
e. Firefox and Chrome are available on the DB machine. Use Firefox to access ODSM and BI Pub.

Practice 3-1: Installing Fusion Middleware Infrastructure and Identity
and Access Management Products

Overview
In this practice, you install Oracle Fusion Middleware and Oracle Identity and Access
Management products on the OAM machine.

Assumptions
To install Oracle Fusion Middleware, you should have installed Oracle Java Development Kit
(JDK) on the machine. In the practice environments, the JDK has already been installed.

Tasks (Perform these tasks on the OAM machine)

1. Install Oracle Fusion Middleware in the /u01/app/oracle/product/middleware
folder.
You must install it in this specific folder to enable you to perform various tasks later using
scripts that rely on this path.
a. In the terminal window, verify that the JDK Java binary is in the path.
$> which java
/u01/app/oracle/product/jdk/jre/bin/java

Note: If /u01/app/oracle/product/jdk/jre/bin/java is not returned, edit the ~/.bash_profile file and add the following lines (these go into the profile, not on the command line):
export JDK_HOME=/u01/app/oracle/product/jdk
export PATH=$JDK_HOME/jre/bin:$PATH:$HOME/bin

Then source the file and repeat the which java check to confirm your changes.
$> . ~/.bash_profile

b. Launch the installer and install Fusion Middleware.
$> java -jar /stage/fmw_12.2.1.3.0_infrastructure.jar

Use the following table as a guide to populate the fields:

Window                        Choices or Values
Installation Inventory Setup  Inventory Directory: /u01/app/oraInventory
                              Operating System Group: oinstall
                              OK
                              In a separate terminal window, as the super user (root), run
                              /u01/app/oraInventory/createCentralInventory.sh:
                              $> su
                              Password: <please verify with your instructor>
                              #> /u01/app/oraInventory/createCentralInventory.sh
                              #> exit
Welcome                       Next
Install Software Updates      Skip Auto Updates
                              Next
Installation Location         Oracle Home: /u01/app/oracle/product/middleware
                              Next
Installation Type             Fusion Middleware Infrastructure
                              Next
Prerequisite Checks           Next
Installation Summary          Install
Installation Progress         Next
Installation Complete         Finish

2. Install Oracle Identity and Access Management.

a. In the terminal window, as the oracle user, run the installer for Oracle Identity and Access Management.
$> java -jar /stage/fmw_12.2.1.3.0_idm.jar

b. Use the following table as a guide to populate the fields:

Window                 Choices or Values
Welcome                Next
Auto Updates           Skip Auto Updates
                       Next
Installation Location  Oracle Home: /u01/app/oracle/product/middleware
                       Next
Installation Type      Collocated Oracle Identity and Access Manager (Managed through WebLogic Server)
                       Next
Prerequisite Checks    Next
Installation Summary   Install
Installation Progress  Next
Installation Complete  Finish

3. Install Oracle HTTP Server.

a. In the terminal window, as the oracle user, run the installer for Oracle HTTP Server.
$> cd /stage
$> ./fmw_12.2.1.3.0_ohs_linux64.bin

b. Use the following table as a guide to populate the fields:

Window                 Choices or Values
Welcome                Next
Auto Updates           Skip Auto Updates
                       Next
Installation Location  Oracle Home: /u01/app/oracle/product/middleware
                       Next
Installation Type      Collocated HTTP Server (managed through WebLogic Server)
                       Next
JDK Selection          JDK Home: /u01/app/oracle/product/jdk
                       Next
Prerequisite Checks    Next
Installation Summary   Install
                       Note: The installation will pause at 98%. Wait for the installation to complete.
Installation Progress  Next
Installation Complete  Finish


Practice 3-2: Configuring Oracle Access Manager Schema

Overview
In this practice, you create the OAM product schema in an Oracle DB (11.2.0.3) by using the
Repository Creation Utility (RCU).

Task (Perform this task on the DB machine)

1. Start the database using the Start DB desktop icon on the DB machine.
Note: All other tasks are performed on the OAM machine.

Tasks (Perform these tasks on the OAM machine)
1. Set up the database initialization parameters to enable you to set up Oracle Identity and
Access Management products.
a. In a terminal window, ensure that you have logged in as the oracle user.
$> whoami
oracle

2. Create Oracle Access Manager schema objects in the Oracle Database by using the
Repository Creation Utility.
a. Run the Repository Creation Utility.
$> cd $MW_HOME/oracle_common/bin
$> ./rcu


b. Use the following table as a guide to make choices while creating the schema:

Step  Window                            Choices or Values
a.    Welcome                           Next
b.    Create Repository                 Create Repository
                                        System Load and Product Load
                                        Next
c.    Database Connection Details       Database Type: Oracle Database
                                        Connection String Format: Connection Parameters
                                        Host Name: db.example.com
                                        Port: 1521
                                        Service Name: orcl.example.com
                                        Username: sys
                                        Password: Welcome1
                                        Role: SYSDBA
                                        Next
d.    Checking Prerequisites            OK
e.    Select Components                 Create a new Prefix: DEV
                                        Component: Expand IDM Schemas and select Oracle Access Manager
                                        Note: The following are selected automatically because they are prerequisites:
                                        • Common Infrastructure Services
                                        • Oracle Platform Security Services
                                        • Audit Services
                                        • Audit Services Append
                                        • Audit Services Viewer
                                        • Metadata Services
                                        • WebLogic Services
                                        Next
f.    Checking Component Prerequisites  OK
g.    Schema Passwords                  Use the same password for all schemas.
                                        Password: Welcome1
                                        Confirm Password: Welcome1
                                        Next
h.    Map Tablespaces                   Next
i.    Confirmation                      OK
j.    Creating Tablespaces              OK
k.    Summary                           Create
l.    Completion Summary                Close


Practice 3-3: Configuring a WebLogic Server (WLS) Domain for Oracle
Access Manager

Overview
In this practice, you run the Configuration Wizard to create a new WLS domain and configure
the OAM server as part of the domain. Then you start the servers for the first time and configure
the boot.properties file to enable easy startup of WLS servers.

Tasks
1. Create a WLS domain with the OAM server by using the Domain Configuration Wizard.
a. On the OAM machine, launch config.sh from the common Oracle home.

$> cd $MW_HOME/oracle_common/common/bin
$> ./config.sh

b. Use the following table as a guide to populate the fields:

Window                       Choices or Values
Create Domain                Create a new domain
                             Domain Location: /u01/app/oracle/admin/domains/oam_domain
                             Next
Templates                    Create domain using product templates:
                             • Oracle Access Management Suite
                             • Oracle HTTP Server (Collocated)
                             Note: The following products are automatically selected:
                             • Oracle Enterprise Manager
                             • Oracle JRF
                             • WebLogic Coherence Cluster Extension
                             Next
Application Location         Application location: /u01/app/oracle/admin/applications/oam_domain
                             Next
Administrator Account        Name: weblogic
                             Password: Welcome1
                             Confirm user password: Welcome1
                             Next
Domain Mode and JDK          Domain Mode: Production
                             JDK: Oracle HotSpot 1.8.0_131 /u01/app/oracle/product/jdk
                             Next
Database Configuration Type  Specify AutoConfiguration options using: RCU Data
                             Vendor: Oracle
                             Driver: Oracle's Driver (Thin) for Service connections
                             Connection Parameters
                             Host Name: db.example.com
                             DBMS/Service: orcl.example.com
                             Port: 1521
                             Schema Owner: DEV_STB
                             Schema Password: Welcome1
                             Get RCU Configuration
                             Next
Component Datasources        Next
JDBC Component Schema Test   Next
Advanced Configuration       Select Node Manager, Topology, and System Components
                             Next
Node Manager                 Username: weblogic
                             Password: Welcome1
                             Confirm user password: Welcome1
                             Next
Managed Servers              Next
Clusters                     Next
Server Templates             Next
Coherence Clusters           Next
Machines                     Click Add.
                             Name: oam.example.com
                             Node Manager Listen Address: localhost
                             Node Manager Listen Port: 5556
                             Next
Assign Servers to Machines   Select a server on the left, select the oam.example.com machine on the right, and click the right arrow to assign the server to the machine. Repeat for all servers.
                             Next
Virtual Targets              Next
Partitions                   Next
System Components            Next
Configuration Summary        Create
Configuration Progress       Next
End of Configuration         Finish

2. Set the Java heap size parameters to 1024m and 2048m. This helps the servers start faster on the lab machines.
Edit the setDomainEnv.sh file in the $DOMAIN_HOME/bin folder to set the heap size parameters Xms and Xmx to 1024m and 2048m, respectively.
1) In a terminal window, change directory to the $DOMAIN_HOME/bin folder and copy setDomainEnv.sh to setDomainEnv.sh.orig so that you can revert the change.
2) Then, using a text editor, change the parameter:
WLS_MEM_ARGS_64BIT="-Xms1024m -Xmx2048m"

3. Start the admin server, Node Manager, OAM managed server, and OAM Policy Manager.
a. Click Start WLS Admin Server on the desktop. It invokes a terminal window and starts
the admin server in the OAM domain. Enter weblogic for the username and
Welcome1 for the password.
Note: It can take up to 10 minutes to start the admin server.
You may see the processes waiting at warning messages such as “<DMS-50911>
<Duplicated metric table. Metric table domain_oracle_oam:
partner_request_rollup will be ignored.>”. You can ignore these
warnings.
Eventually, the server brings up the following message in the terminal window:
<Server started in RUNNING mode>
You may also notice a few error and warning messages because the OAM server has
not yet been configured. You can ignore those messages.


b. After the admin server has been started, click Start Node Manager on the desktop.
Wait for the message: “<Secure socket listener started on port 5556,
host localhost/127.0.0.1>”.
c. After the Node Manager server has started, click Start OAM Server on the desktop. It
invokes a terminal window and starts the OAM server.
When prompted, enter the username weblogic and the password Welcome1.
Look for the <Server started in RUNNING mode> message in the terminal
window, which shows that the OAM server is running.

d. After the OAM server has started, click Start Policy Manager on the desktop. It invokes a terminal window and starts the Policy Manager server.
When prompted, enter the username weblogic and the password Welcome1.
Look for the <Server started in RUNNING mode> message in the terminal window, which shows that the Policy Manager server is running.

4. Create the boot.properties file for the admin server and two OAM servers so that you
are not prompted to enter username/password credentials for each stop or start operation.
a. Using the terminal window, create the boot.properties file in the
$DOMAIN_HOME/servers/oam_server1/security folder. For your convenience,
the file has already been created in the $HOME/labs/lesson03 folder. So you can
copy this file to the $DOMAIN_HOME/servers/oam_server1/security folder.
cd $DOMAIN_HOME/servers/oam_server1
mkdir security
cp $HOME/labs/lesson03/boot.properties ./security
b. Create the boot.properties file in the
$DOMAIN_HOME/servers/AdminServer/security folder.
cd $DOMAIN_HOME/servers/AdminServer
mkdir security
cp $HOME/labs/lesson03/boot.properties ./security
c. Similarly, create the boot.properties file in the
$DOMAIN_HOME/servers/oam_policy_mgr1/security folder.
cd $DOMAIN_HOME/servers/oam_policy_mgr1
mkdir security
cp $HOME/labs/lesson03/boot.properties ./security
d. Click Stop OAM Server on the desktop to stop the OAM server and then click Stop
Policy Manager on the desktop. You can alternately press CTRL-C in the terminal
window of the servers to stop them.
Note: You are not prompted for a username and password when stopping the servers,
because you have created the boot.properties file.
e. After the OAM server and Policy Manager have stopped, click Stop Node Manager
and Stop WLS Admin Server.


f. After the admin server has stopped, start the admin server by using the desktop icon.
g. After you see that the admin server is in RUNNING mode, start the Node Manager,
OAM server, and Policy Manager by using the desktop icons. You are not prompted for
a username and password when starting the servers.
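The boot.properties file you copied in step 4 holds the WebLogic administrator username and password in clear text until each server's first start, when WebLogic rewrites both values in encrypted form. Because it is a credential file on disk, it should be created with owner-only permissions and checked after the restart. The following shell script is an added example, not part of the Oracle activity guide; the function names are its own, it assumes the lab layout $DOMAIN_HOME/servers/<server>/security/boot.properties and the lab credentials weblogic/Welcome1, and it assumes that WebLogic 12c writes the encrypted values with an {AES}-style prefix (so a value without that prefix is treated as clear text).

```shell
# Added example, not from the Oracle activity guide.
# Assumptions: $DOMAIN_HOME/servers/<server>/security/boot.properties layout from
# the lab, and that WebLogic rewrites username/password with an {AES...} prefix
# after the server's first start with the file in place.

# Write boot.properties for one server directory with owner-only permissions.
# Usage: create_boot_properties "$DOMAIN_HOME/servers/oam_server1" weblogic Welcome1
create_boot_properties() {
  server_dir=$1; user=$2; pass=$3
  mkdir -p "$server_dir/security" || return 1
  # umask inside a subshell so the restrictive mask does not leak into the caller
  (
    umask 077
    printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$server_dir/security/boot.properties"
  ) || return 1
  chmod 600 "$server_dir/security/boot.properties"
}

# Exit status: 0 = file present, mode 600, both values encrypted
#              1 = a clear-text credential is still on disk (server not yet
#                  started with this file, or the rewrite did not happen)
#              2 = file missing, or readable by group/others
check_boot_properties() {
  f=$1/security/boot.properties
  [ -f "$f" ] || return 2
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ "$mode" = "600" ] || return 2
  for key in username password; do
    val=$(sed -n "s/^$key=//p" "$f")
    case $val in
      "{AES"*) ;;        # encrypted by WebLogic, nothing to report
      *) return 1 ;;     # clear text, or the key is missing entirely
    esac
  done
  return 0
}

# Check every server directory under a domain and print one line per server.
# Returns 1 if any server still has clear-text credentials, otherwise 2 if any
# file is missing or badly permissioned, otherwise 0.
# Usage: audit_domain_boot_properties "$DOMAIN_HOME"
audit_domain_boot_properties() {
  rc=0
  for d in "$1"/servers/*/; do
    d=${d%/}
    if check_boot_properties "$d"; then
      echo "OK            $d"
    else
      case $? in
        1) echo "CLEARTEXT     $d"; rc=1 ;;
        2) echo "MISSING/PERMS $d"; if [ "$rc" -eq 0 ]; then rc=2; fi ;;
      esac
    fi
  done
  return $rc
}
```

Run audit_domain_boot_properties after the restart in step 4g: every server that booted should report OK, and a CLEARTEXT line means that server never started with the file in place and the password is still readable to anyone who can read the file.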


Practice 3-4: Performing Sanity Checks

Overview
In this practice, you log in to the WLS Admin Console, the OAM Admin Console, and EM FMW
Control and then make a brief exploration of the management interfaces. You also validate the
OAM server application deployed on the oam_server1 managed server and the EM and OAM
console applications deployed on the WLS admin server.
Assumptions
Make sure that admin server and OAM managed server are up and running before you start the
practice. Perform the steps on the OAM machine.

Tasks

1. Check the status of Fusion Middleware Control, OAM managed server, and the OAM
Administration Console.
a. On the OAM machine, launch the Chrome browser, click the WLS Admin Console
bookmark, and access the WebLogic Administration Console
(http://oam.example.com:7001/console).
b. Log in with weblogic as the username. If an alert comes up in Chrome at the top of
the browser, prompting you to save the password, do not save the password.
c. To check the status of the admin and managed servers, navigate by using the Domain Structure navigation pane: oam_domain > Environment > Servers. You should see all the servers (AdminServer, oam_policy_mgr1, and oam_server1) in the RUNNING state, listening on ports 7001, 14150, and 14100, respectively.

2. Check the default users and groups in the embedded LDAP server. Then set up the
console session timeout property to 86400 [seconds].
a. In the WLS Administration Console, navigate to Domain Structure > oam_domain >
Security Realms by using the left pane.
b. Click myrealm and then click the “Users and Groups” tab. Notice the weblogic user,
which is the default WLS administrator. Click weblogic and then click the Groups tab.
Notice that the weblogic user is a member of the Administrators group.
c. Click the oam_domain link in the domain structure and then click Lock and Edit in the
Change Center.
Note: If you do not see the Lock and Edit button in the Change Center of the console,
perform the following steps to change the WLS admin server from Development Mode to
Production Mode. (You should have selected Production Mode during the configuration of
the domain.)
 Click oam_domain.
 Select the check box next to Production Mode.
 Click Save.
This change will take effect when you restart both servers in the next step.


d. In the right pane, expand the Advanced section and change the Console Session Timeout property from 3600 seconds to 86400 seconds. Click Save and then click Activate Changes. Notice the message that three items must be restarted for the changes to take effect.
Note: A 24-hour console session timeout is a lab convenience so that you are not logged out during a day of practices. In production, keep the WLS console timeout at its default or shorter: an administrative session that stays valid for a day is a high-value target if the browser or workstation is compromised.

3. Using the Access Management Console, set up session lifetime and idle timeout properties.
a. In the Chrome browser, click the OAM Console bookmark
(http://oam.example.com:7001/oamconsole). Log in as the weblogic user.
b. Observe the landing page for Oracle Access Management Console. It has three
buttons at the top. Each button opens a launch pad containing functional interfaces
grouped into tiles. The Quick Start Wizards tile on the Application Security tab contains
a link to the SSO Registration Wizard.
c. Access the Configuration Launch Pad in the Access Management Console; then in the Settings tile, click View > Common Settings.
d. On the Common Settings page, change the Session Lifetime and Idle Timeout properties to 1440 minutes and 240 minutes, respectively, and click Apply.
Note: These long values are chosen so that lab sessions survive a full day of practices. In production, keep the idle timeout short, because an OAM session that remains valid for hours of inactivity widens the window in which a stolen session cookie can be replayed.

e. Open a new tab in the Chrome browser and access Policy Manager (http://oam.example.com:14150/access). Log in as the weblogic user.
f. Notice that the Policy Manager Console is similar to the Access Management Console.
Notice also that the Authentication Plug-In link in the Plug-Ins tile is disabled. OAM
Console is the required interface to manage plug-in modules.

4. Stop and start the administration and managed servers in the OAM domain.
a. Stop the OAM managed server and Policy managed server by using the Stop OAM
Server and the Stop Policy Manager icons on the desktop. After the two managed
servers are stopped, stop the Node Manager and admin server by using the Stop
Node Manager and Stop Admin Server icons.
b. Start the WLS admin server first and then the Node Manager and OAM managed
servers by using the appropriate desktop icons.

Practices for Lesson 4: System Configuration: Agents, Servers, and Data Sources

Practices for Lesson 4: Overview

Practices Overview
In these practices, you install, configure, and register three OHS instances and three OAM 12c
WebGates. In two cases, the WebGate registration is done by using the Remote Registration
(rreg) tool. In the other case, you use the OAM Console.
After registering the WebGates, you configure Oracle Unified Directory (OUD) as the user store
for OAM.
Finally, you configure the WebGates to communicate with the OAM server using certificate
mode.

Important Note
Whenever you see unexpected results during this lesson's practices, it is a good idea to close all browser windows (by selecting File > Exit rather than clicking the X icon to exit) and then relaunch a new Firefox or Chrome browser and clear all the cookies explicitly.
• For a Firefox browser, select Tools > Clear Recent History > Clear Now. Make sure that "Time range to clear" is set to Everything and that at least Cookies, Cache, and Active Logins are selected.
• For a Chrome browser, click "Customize and control Google Chrome" and then select History > Clear all browsing data.

Practice 4-1: Configuring Oracle HTTP Server Instances

Overview
In this practice, you configure three Oracle HTTP Server instances, ohs1, ohs2, and ohs3, on the OAM machine.

Assumptions
The oam_domain Admin server and oam_server1 are up and running.

Tasks (Perform these tasks on the OAM machine.)


1. Log in to EM on the OAM server as weblogic/Welcome1.
http://oam.example.com:7001/em

2. Navigate to Weblogic Domain > Administration > OHS Instances.

3. Click the lock icon in the upper-right corner and select Lock & Edit.

4. Click the Create button.

5. Enter ohs1 for the Instance Name and select oam.example.com for the Machine Name.

6. Click OK.

7. Click the lock icon and select Activate Changes.

8. Select ohs1 to view the details of the new OHS instance.

9. Note the ports used for the instance for http, https, and administration.
Note: The ports should be 7777, 4443, and 9999, because these are the default ports for
the first OHS instance.

10. Click Start Up. Click Close in the confirmation window.

11. Edit the index.html file in
/u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/instances/ohs1/htdocs/
and set the <title> element as follows:
<title>Oracle HTTP Server 12c: OHS1</title>
Launch the browser and enter the URL http://oam.example.com:7777. You should
see the OHS Welcome page with the title you have configured.

12. Repeat steps 1 to 10 twice to create two more OHS instances named ohs2 and ohs3.
Note: The http ports assigned to ohs2 and ohs3 should be 7778 and 7779.

13. Open the welcome page for the two new instances to test them.

Practice 4-2: Installing and Configuring WebGates and Registering a WebGate by Using the OAM Console

Overview
In this practice, you configure an OAM 12c WebGate on the ohs1 OHS instance. Then you run
the EditHttpConf utility, which copies the WebGate template from the WebGate home
directory to the WebGate instance location and updates httpd.conf with an additional line to
include webgate.conf.
You then register the OAM WebGate for the ohs1 instance by using the Access Management
Console.
When EM creates a new OHS instance, two directories are created: the stage directory and the
runtime directory. Changes are propagated from the stage directory to the runtime directory when
the environment is restarted. The directories are:
Stage: $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1
Runtime: $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1
You make changes to the stage directory and then propagate them with the following restart
procedure:
• Stop OHS
• Stop Node Manager
• Stop Admin Server
• Start Admin Server
• Start Node Manager
• Start OHS

Assumption
You completed the previous practice and created the OHS instances.

Tasks (Perform these tasks on the OAM machine.)


1. Deploy the WebGate to the OHS instance using deployWebGateInstance.sh.

cd $MW_HOME/webgate/ohs/tools/deployWebGate
./deployWebGateInstance.sh -w \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1 \
-oh $MW_HOME -ws ohs

Note: This command creates a webgate directory in
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1 and copies the
configuration files necessary for the WebGate process, including:
• cacert.pem and cakey.pem to
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/tools/openssl/simpleCA
• oblog_config_wg.xml to
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/config

2. Repeat Step 1 for the other two OHS instances, ohs2 and ohs3. Substitute the instance
directory name when you run the deployWebGateInstance.sh command.
./deployWebGateInstance.sh -w \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2 \
-oh $MW_HOME -ws ohs

./deployWebGateInstance.sh -w \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs3 \
-oh $MW_HOME -ws ohs

3. Configure the ohs1 WebGate by using the EditHttpConf utility.

export LD_LIBRARY_PATH=$MW_HOME/lib
cd $MW_HOME/webgate/ohs/tools/setup/InstallTools
./EditHttpConf -w \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1

You should see the following message:


The web server configuration file was successfully updated
/u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf has been backed up as
/u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf.ORIG

4. Verify that the last line in httpd.conf has been updated.

tail $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/httpd.conf

The last line should be:

include "webgate.conf"

5. Repeat the EditHttpConf command for the other two OHS instances, ohs2 and ohs3.
a. For OHS2:
./EditHttpConf -w \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2

b. For OHS3:
./EditHttpConf -w \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs3

6. Next, you register the ohs1 WebGate with OAM. Log in to the OAM admin console as
weblogic/Welcome1.

http://oam.example.com:7001/oamconsole

7. Click SSO Agent Registration in the Quick Start Wizards pane.

8. In the SSO Agent Registration Wizard, select WebGate as the Agent Type and click Next.

9. In the Configure stage of the wizard, specify the following property values to register
WebGate:
Note: Because the port for ohs1 was automatically configured, replace 7777 with the port
assigned by EM.
Property Name          Value
Name                   webgate1
Base URL               http://oam.example.com:7777
Host Identifier        webgate1
Security               Open
Auto Create Policies   Selected
Public Resource List   Click Add and specify the Relative URI as /public/index.html

10. Click Finish. Notice the confirmation message.

11. Click Download and save the webgate1.zip file to the oracle user home directory.

12. In a terminal window, navigate to
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/config and
extract the contents of the webgate1.zip file.

cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/config
unzip ~/webgate1.zip
rm ~/webgate1.zip
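Before restarting the environment, it is worth checking that each instance actually has what the steps above say it should have. The following Python script is an added example written for this guide; it is not part of the Oracle WebGate or OHS tooling. It checks the three things the practice describes: the httpd.conf.ORIG backup, the trailing include "webgate.conf" line in httpd.conf, and the ObAccessClient.xml and cwallet.sso files under webgate/config. The stage-directory layout under $DOMAIN_HOME is taken from the practice text; the sample layout that demo() builds in a temporary directory is constructed for the example. If the include line is missing, OHS starts without loading the WebGate and serves the Welcome page with no OAM challenge, which is the symptom step 20 warns about; if the registration artifacts are missing, the WebGate has no registration to present to the OAM server.

```python
"""Pre-restart check for a WebGate deployment on an OHS instance.

Added example for this practice; not part of the Oracle WebGate or OHS tooling.
It only inspects files the practice says the tools leave behind. The
stage-directory layout under $DOMAIN_HOME is taken from the practice text.
"""
import os
import sys
import tempfile

INCLUDE_LINE = 'include "webgate.conf"'
# Files the registration (console download or rreg) places in webgate/config.
REGISTRATION_ARTIFACTS = ("ObAccessClient.xml", "cwallet.sso")


def stage_dir(domain_home, instance):
    """Stage directory of an OHS instance, e.g. .../components/OHS/ohs1."""
    return os.path.join(domain_home, "config", "fmwconfig", "components", "OHS", instance)


def httpd_conf_includes_webgate(conf_path):
    """True if the last non-blank line of httpd.conf is the WebGate include."""
    with open(conf_path) as f:
        lines = [line.strip() for line in f if line.strip()]
    return bool(lines) and lines[-1] == INCLUDE_LINE


def check_instance(domain_home, instance):
    """Run every check for one instance; returns {check name: passed}."""
    base = stage_dir(domain_home, instance)
    conf = os.path.join(base, "httpd.conf")
    config_dir = os.path.join(base, "webgate", "config")
    results = {
        "httpd_conf_backup": os.path.isfile(conf + ".ORIG"),
        "webgate_include": os.path.isfile(conf) and httpd_conf_includes_webgate(conf),
    }
    for name in REGISTRATION_ARTIFACTS:
        results["artifact:" + name] = os.path.isfile(os.path.join(config_dir, name))
    return results


def ready_for_restart(results):
    """True only when every check for the instance passed."""
    return all(results.values())


def build_fixture(root):
    """Constructed sample layout (not real files): ohs1 deployed and registered,
    ohs2 deployed but not registered, ohs3 created but nothing deployed."""
    for instance, registered in (("ohs1", True), ("ohs2", False)):
        base = stage_dir(root, instance)
        config_dir = os.path.join(base, "webgate", "config")
        os.makedirs(config_dir)
        conf = os.path.join(base, "httpd.conf")
        with open(conf + ".ORIG", "w") as f:
            f.write("Listen 7777\n")
        with open(conf, "w") as f:
            f.write("Listen 7777\n" + INCLUDE_LINE + "\n")
        if registered:
            for name in REGISTRATION_ARTIFACTS:
                open(os.path.join(config_dir, name), "w").close()
    os.makedirs(stage_dir(root, "ohs3"))


def demo():
    """Run the checks against the constructed fixture; returns {instance: results}."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return {inst: check_instance(root, inst) for inst in ("ohs1", "ohs2", "ohs3")}


if __name__ == "__main__":
    # Usage: python webgate_check.py $DOMAIN_HOME ohs1 ohs2 ohs3
    domain_home, instances = sys.argv[1], sys.argv[2:]
    for inst in instances:
        res = check_instance(domain_home, inst)
        print(inst, "READY" if ready_for_restart(res) else "NOT READY", res)
```

Run it with the real DOMAIN_HOME and the instance names after step 12 (and again after the ohs2 and ohs3 registrations in the next practice); an instance reported NOT READY is one you should not restart yet.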

13. Next, you stop the ohs1 component using EM. Log in as weblogic/Welcome1.

http://oam.example.com:7001/em

Alternatively, you can use the command line and skip the next two steps.

cd $DOMAIN_HOME/bin
./stopComponent.sh ohs1

Enter Welcome1 for the Node Manager password.

14. Navigate to Weblogic Domain > Administration > OHS Instances.

15. Select the row for ohs1 and click Stop. Click Yes to confirm. Click Close.

16. Stop the Node Manager and the Admin Server by pressing CTRL-C in the windows they
are running in or use the desktop icons.

17. Start the Admin Server and Node Manager using the desktop icons. Wait until you see the
message that the ohs1 instance has been updated in the Node Manager Console before
proceeding.

18. Log in to EM and navigate to Weblogic Domain > Administration > OHS Instances.

Note: You can also start ohs1 from the command line and skip the next step.

cd $DOMAIN_HOME/bin
./startComponent.sh ohs1

19. Start the ohs1 OHS instance.

20. Access ohs1 in a browser. URL: http://oam.example.com:7777.


Note: You should be redirected to the OAM SSO login page (notice that the redirect URL
now points to the OAM server on port 14100).
If you see the Welcome page without being challenged, clear all the cookies from your
browser. Go to Tools > Clear Recent History. Set Time range to clear to Everything.
Select the Cookies, Cache, and Active Logins check boxes and click Clear Now.

21. Log in as the weblogic user. The OHS Welcome page should be displayed.

Practice 4-3: Registering WebGates by Using Different Interfaces

Overview
In this practice, you run the rreg registration tool to register an OAM 12c agent in Out-of-Band
mode.
• Suppose you have an external partner application called acme.com that is to be
protected by your OAM server. You do not want to give the acme.com application
administrators direct access to the OAM server. You can use Out-of-Band registration
mode to register this external partner application so that the application
administrators do not need access to the server.
• The application administrator provides a Request.xml (possibly via email) to a
different OAM server administrator who has the required access to the OAM server.
• The OAM server administrator runs the registration on behalf of the application
administrator in Out-of-Band mode. This step needs the OAM server to be up
because the agent profile is created by the OAM server.
• The OAM administrator sends the resulting *Response.xml back to the application
administrator (possibly via email).
• Then the application administrator runs Out-of-Band registration on the response file
to get the artifacts (config files). This run is local to the WebGate and does not need
the OAM server to be up.
In this practice, you also register a WebGate by using Policy Manager.

Assumptions
• The OHS instances ohs2 and ohs3 must be up and running. To verify, log in to
EM and navigate to WebLogic Domain > Administration > OHS Instances.
• You have configured the WebGate on the ohs2 and ohs3 instances.

Tasks (Perform these tasks on the OAM machine.)


1. Ensure that the OAM server and Policy Manager server are started.
a. Check if the OAM Server window is up on the oam machine. If not, click the Start OAM
Server desktop icon to start the OAM server.
b. Check if the Policy Manager window is up. If not, click the Start Policy Mgr desktop
icon to start Policy Manager.

2. Create a WebGate registration request file (a copy of OAM11GRequest.xml) for registering the
WebGate on ohs2 with the OAM server. (Usually the application administrator provides the
metadata details in the registration request file and emails this file to the security
administrator.)
Note: For your convenience, a working copy of the OAM11GRequest.xml file is available
as $HOME/labs/lesson04/OAM11GRequest_ohs2.xml. You can copy
OAM11GRequest_ohs2.xml to $MW_HOME/idm/oam/server/rreg/input and skip
sub-steps a through d:
a. Navigate to $MW_HOME/idm/oam/server/rreg/input and copy
OAM11GRequest.xml.
$> cd $MW_HOME/idm/oam/server/rreg/input
$> cp OAM11GRequest.xml OAM11GRequest_ohs2.xml

b. Edit OAM11GRequest_ohs2.xml as follows:


Parameter             Value
<serverAddress>       http://oam.example.com:7001
<hostIdentifier>      webgate2
<agentName>           webgate2
<agentBaseUrl>        http://oam.example.com:7778
<applicationDomain>   webgate2
c. Remove the server entries that refer to managed servers that do not exist in this
environment, such as oam_server2, oam_server3, oam_server4, and so on (only
oam_server1 is configured here).
d. Save and close the file.
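Editing the request file by hand is fine for one WebGate; for several, a small script is less error-prone. The following Python script is an added example for this practice and is not part of the Oracle rreg tool. TEMPLATE is a constructed, cut-down imitation of OAM11GRequest.xml: the element names serverAddress, hostIdentifier, agentName, agentBaseUrl and applicationDomain are the ones in the table above, but the primaryServerList/secondaryServerList/server/serverName nesting and the sample hosts and ports are assumptions made for the example, so compare them with the real template before running the script on it. The script applies sub-steps b and c: it sets the five values (hostIdentifier and applicationDomain to the agent name, as in the table), drops server entries for managed servers other than oam_server1, and refuses to write a file that still contains {placeholder} values from the template.

```python
"""Fill in an rreg Out-of-Band request file for one WebGate.

Added example for this practice; not part of Oracle's rreg tool. TEMPLATE is a
constructed, cut-down imitation of OAM11GRequest.xml; the server-list nesting
and sample hosts/ports are assumptions made for the example.
"""
import re
import sys
import xml.etree.ElementTree as ET

TEMPLATE = """<OAM11GRegRequest>
  <serverAddress>http://{oam_admin_server_host}:{oam_admin_server_port}</serverAddress>
  <hostIdentifier>RREG_HostId11G</hostIdentifier>
  <agentName>RREG_OAM11G</agentName>
  <agentBaseUrl>http://{web_server_host}:{web_server_port}</agentBaseUrl>
  <applicationDomain>RREG_OAM11G</applicationDomain>
  <security>open</security>
  <primaryServerList>
    <server><serverName>oam_server1</serverName><host>oam.example.com</host><port>5575</port></server>
    <server><serverName>oam_server2</serverName><host>oam2.example.com</host><port>5575</port></server>
  </primaryServerList>
  <secondaryServerList>
    <server><serverName>oam_server3</serverName><host>oam3.example.com</host><port>5575</port></server>
  </secondaryServerList>
</OAM11GRegRequest>
"""

PLACEHOLDER = re.compile(r"\{(\w+)\}")


def leftover_placeholders(xml_text):
    """Template placeholders such as {web_server_host} still present in the text."""
    return PLACEHOLDER.findall(xml_text)


def customize_request(xml_text, server_address, agent_name, base_url,
                      keep_servers=("oam_server1",)):
    """Return (new xml, names of removed servers). hostIdentifier and
    applicationDomain are set to the agent name, as in the practice table."""
    for url in (server_address, base_url):
        if not re.fullmatch(r"https?://[^/:]+:\d+", url):
            raise ValueError("expected scheme://host:port, got " + url)
    root = ET.fromstring(xml_text)
    values = {
        "serverAddress": server_address,
        "hostIdentifier": agent_name,
        "agentName": agent_name,
        "agentBaseUrl": base_url,
        "applicationDomain": agent_name,
    }
    for tag, value in values.items():
        element = root.find(tag)
        if element is None:
            raise ValueError("template has no <%s> element" % tag)
        element.text = value
    # Sub-step c: drop <server> entries for managed servers that do not exist.
    removed = []
    for list_tag in ("primaryServerList", "secondaryServerList"):
        server_list = root.find(list_tag)
        if server_list is None:
            continue
        for server in list(server_list):
            name = server.findtext("serverName", "")
            if name not in keep_servers:
                server_list.remove(server)
                removed.append(name)
    return ET.tostring(root, encoding="unicode"), removed


def build_ohs2_request():
    """The webgate2 request from the table above, built from the sample template."""
    return customize_request(TEMPLATE, "http://oam.example.com:7001", "webgate2",
                             "http://oam.example.com:7778")


if __name__ == "__main__":
    # Usage: python rreg_request.py input/OAM11GRequest.xml input/OAM11GRequest_ohs2.xml
    src, dst = sys.argv[1], sys.argv[2]
    with open(src) as f:
        xml_out, dropped = customize_request(f.read(), "http://oam.example.com:7001",
                                             "webgate2", "http://oam.example.com:7778")
    if leftover_placeholders(xml_out):
        sys.exit("unresolved placeholders: %s" % leftover_placeholders(xml_out))
    with open(dst, "w") as f:
        f.write(xml_out)
    print("wrote", dst, "dropped servers:", dropped)
```

The placeholder check matters because the shipped template uses {...} values for hosts and ports; any left behind would be sent to the OAM server verbatim as part of the registration request.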

3. Run the command-line agent registration utility to register the WebGate on ohs2.
a. Change the directory to $MW_HOME/idm/oam/server/rreg and run the oamreg
utility:
$> cd $MW_HOME/idm/oam/server/rreg
$> ./bin/oamreg.sh outofband input/OAM11GRequest_ohs2.xml

• Enter weblogic for the admin username and the corresponding password.
• Enter n for the two subsequent questions.
• You should get the following message after a successful run:
Outofband registration (Part 1) completed successfully! The Response.xml file is
created in the input folder.
• Explore the input directory under $MW_HOME/idm/oam/server/rreg to see
the response file webgate2_Response.xml created by the utility. The security
administrator emails this file to the application administrator.

b. In the command-line window, navigate to $MW_HOME/idm/oam/server/rreg and
run the following command:

./bin/oamreg.sh outofband ./input/webgate2_Response.xml

You should get this message after a successful run:


Outofband registration (Part 2) completed successfully! Output
artifacts are created in the output folder.
Notice that when you ran oamreg.sh this time, it did not prompt you for the agent
username or password. This can be run locally by the application administrator with no
connection to the WLS admin server. Explore the output/webgate directory under
$MW_HOME/idm/oam/server/rreg to see the cwallet.sso and
ObAccessClient.xml artifact files created by the utility.

4. Verify that the agent and host identifier have been created.

a. In the browser window, log in to the Access Management Console at the URL
http://oam.example.com:7001/oamconsole as the weblogic user. Then click the icon
in the Agents tile. Click Search.
b. In the search results, expand the Name column suitably so that you can see the names
of agents completely. Then click webgate2 to see the details of the agent you created.
c. Access the Launch Pad and click Application Domains in the Access Manager panel.
d. In the Search Application Domains page, click Search. In the results table, click
webgate2. On the webgate2 Application Domain page, click the Resources tab and
then Search. Notice that the default resources are listed for webgate2.

5. Copy the registered WebGate artifacts from the oam output webgate2 directory to the ohs2
webgate config directory.
a. In the terminal window, change the directory to
$MW_HOME/idm/oam/server/rreg/output/webgate2
b. Using the cp command, copy the WebGate artifacts to the WebGate configuration
location.
$> cd $MW_HOME/idm/oam/server/rreg/output/webgate2
$> cp -r * \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/webgate/config
6. Restart the environment and validate the results.
a. Stop the ohs2 OHS instance, followed by the Node Manager and the Admin Server.
b. Start the Admin Server and Node Manager. Wait until you see the message that the
ohs2 instance has been updated in the Node Manager Console before proceeding.
c. Start the ohs2 OHS instance.
d. In a new web browser window, access the now protected URL,
http://oam.example.com:7778.
Note: You should be redirected to the OAM SSO login page. If you get to the Welcome
page without challenge, clear all the cookies from your browser and try again.

e. Enter weblogic and the password for the user and click Login. The OHS Welcome
page should be displayed.

(Registering WebGate Using Policy Manager—Perform these tasks on the OAM machine.)
7. Register the ohs3 WebGate (webgate3) with the OAM server by using the Policy Manager.
Log in to the Policy Manager (http://oam.example.com:14150/access) as the weblogic
user.
8. Click SSO Agent Registration in the Quick Start Wizards tile.
9. In the SSO Agent Registration Wizard, select WebGate as the Agent Type and click Next.
10. In the Configure stage of the wizard, specify the following property values to register the
OAM WebGate:

Property Name          Value
Name                   webgate3
Base URL               http://oam.example.com:7779
Host Identifier        webgate3
Security               Open
Auto Create Policies   Selected
Public Resource List   Click Add and specify the Relative URI as /public/index.html

11. Click Finish when done. Notice the confirmation message.

12. In the Policy Manager interface, click Download and save the webgate3.zip file to the
oracle user home directory.

13. In a terminal window, navigate to
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs3/webgate/config and
extract the contents of the webgate3.zip file.
$> cd \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs3/webgate/config
$> unzip ~/webgate3.zip
$> rm ~/webgate3.zip

14. Shut down OHS instance ohs3 using EM or the command line.

15. Shut down the environment in the following order:
• Node Manager
• Admin Server

16. Start up the environment in the following order:
• Admin Server
• Node Manager
• OHS instance ohs3

17. Invoke a new browser window and access ohs3 in the browser.
http://oam.example.com:7779. Log in as weblogic/Welcome1.
Notes
• If you see the Welcome page without being challenged, clear all the cookies from
your browser. Go to Tools > Clear Recent History. Set “Time range to clear” to
Everything. Select the Cookies, Cache, and Active Logins check boxes and click
Clear Now.
• If you see an OAM Operation Error, restart the OAM managed server
(oam_server1) and try again. If you still receive the error, check the previous
practices in this lesson.

Practice 4-4: Configuring a Delegated Administrator in the Embedded LDAP

Overview
In this practice, you explore the WLS-embedded LDAP directory, which is used to authenticate
the weblogic user (an OAM and WLS administrator).
You also create a new user in WLS-embedded LDAP, and you log in to the OAM Console as
this user. You also prevent the weblogic user and users belonging to the administrators
group in WebLogic LDAP from being able to log in to the OAM Console.

An identity store is a centralized LDAP store in which an aggregation of administrator and user-
oriented data is kept and maintained in an organized way. You can have many user identity
stores configured, and you can reference them in different custom-defined LDAP modules.
• The system store is used to authenticate administrators signing in to the OAM
Administration Console or using custom administrative commands in WLST.
• The default store is used to authenticate users that log in to protected resources.
Both the default store and the system store can be configured in the OAM Console.
During the initial WebLogic domain configuration using the Oracle Fusion Middleware
Configuration Wizard, the embedded LDAP is configured as the user and system identity store.
Within the embedded LDAP, the Administrators group is created with member weblogic
as the default administrator.
After registering the identity store, administrators can reference it in one or more authentication
modules that form the basis for authentication schemes. Only the default user identity store is
used for user authentication with the default LDAP scheme.

Assumptions
You have completed all the practices until Practice 4-3.

Tasks (Perform these tasks on the OAM machine.)


1. Navigate through the identity store created by default in WLS-embedded LDAP.
a. In a web browser, log in to the WLS administrator console
(http://oam.example.com:7001/console) as the weblogic user.
b. Click Security Realms under Domain Structure > oam_domain in the left navigator.
c. Click myrealm. Click the Providers tab and notice the three providers:
• DefaultAuthenticator
• DefaultIdentityAsserter
• Trust Service Identity Asserter

d. Click the “Users and Groups” tab. Notice the weblogic user. Click weblogic and
notice that it is a member of the Administrators group (on the Groups tab). If you
want to create a new user to be a WLS administrator, that user must be a member of
the Administrators group.
e. On another tab of the web browser, log in to the OAM Console as the weblogic user.
Access the Configuration tab (top-right corner) and then click User Identity Stores.
Notice that the Default Store and System Store are set to UserIdentityStore1.
UserIdentityStore1 is used to authenticate WLS/OAM administrators as well as
users for LDAPScheme authentication.
f. Access the Configuration Launch Pad, and click Administration to view the group and
role information. Click Search. Notice that you see only the Administrators group.
Note: You create additional users with different roles in the following tasks.

2. Create the oamadmin user in the DefaultAuthenticator store (WLS-Embedded
LDAP) by using the WLS Administration Console.
a. On the WLS Administration Console tab of the Chrome web browser, navigate to
Security Realms and click myrealm.
b. Go to the “Users and Groups” tab on top and click New.
c. Add a new user called oamadmin. Note that the Provider is set to
DefaultAuthenticator, which is a WLS-embedded LDAP store.
d. Set the password for this user as Welcome1. Confirm the same password. Click OK.
e. Click the oamadmin user link and access the Groups tab. Select Administrators
from the Available list and click the > icon so that the Administrators group is listed in
the Chosen list. Click Save.
f. Log out of the WLS Admin Console and OAM Console. Then close the web browser
window.
g. Invoke the Chrome web browser, access the OAM Console, and log in as the
oamadmin user with the password you gave in the previous step. You should
successfully log in to the OAM Console. Notice that all the tiles and tabs are visible to
the oamadmin user.

3. Create two new users (domainadmin and agentadmin) in the WLS-embedded LDAP. In the
following tasks you configure domainadmin as an application domain administrator with
delegated privileges over one application domain (for this practice, webgate1) and
agentadmin as an agent administrator.
a. In the Chrome browser, invoke a new tab, log in to the WLS Administration Console as
the weblogic user, and navigate to Domain Structure > Security Realms.
b. Click myrealm and select the Users and Groups tab and click New.
c. Enter domainadmin for the name. Enter the password as Welcome1 and click OK.
d. Similarly (using steps b and c) create the agentadmin user.
e. Log out of the WLS Administration Console.

4. Configure the domainadmin user as an application administrator. This administrator has
delegated privileges across an application domain (for this practice, webgate1).
a. On the OAM Console tab, access the Configuration button on the top-right corner.
Then click the Administration tile. Click Grant on top of the table.
b. Enter domainadmin in the Name field and click the Search button.
c. Select the domainadmin user in the search result and Application Administrator in the
Role menu and click Add Selected.
d. Click the Application Security tab on the top and then click Application Domains in the
Access Manager tile. Click the Search button and click webgate1.
e. Click the Administration tab and then click Grant.
f. Click the Search button, select the domainadmin user, and click Add Selected.

5. Configure the agentadmin user as an agent administrator. This administrator has
delegated privileges to create and manage agents such as WebGates.
a. On the OAM Console tab, access the Configuration tab on the top-right corner. Then
click the Administration tile. Click Grant on top of the table.
b. Enter agentadmin in the Name field and click the Search button.
c. Select the agentadmin user in the search result, Agent Administrator in the Role
menu, and click Add Selected.
d. Sign out of the OAM Console by closing the browser.

6. Verify the change in the administration interface based on the user who has logged in.
a. Log in to the OAM Console as domainadmin. Note that only the tiles relating to
application administration are visible. Log out of the OAM Console by closing the
browser.
b. Log in to the OAM Console as agentadmin. Note that only the tiles and links related
to agent registration and administration are visible. Close the browser.

Practice 4-5: Configuring OUD as the Identity Store for OAM

Overview
By default, both the OAM system store and the default store point to the WLS-embedded LDAP,
so it authenticates the users logging in to the OAM Console as well as the users accessing
protected applications.
In this practice, you:
• Configure an existing OUD directory server instance as a user identity store and set
it as the default store in OAM, so that LDAP authentication of users for protected
resources is performed against OUD.
• Configure an LDAP authentication scheme that points to an LDAP authentication
module that uses the OUD identity store.
• Verify that you can log in to a protected resource as a user in OUD, which should be
successful.
• Try logging in as the weblogic or oamadmin user. This login should fail because
those users exist only in the WLS-embedded LDAP, not in OUD.

Assumptions
You have completed all the practices until Practice 4-4.

Tasks (Perform these tasks on the DB machine.)


1. Create a new User Identity Store definition with OUD type.
a. Click the Start OUD and Start OUDSM desktop shortcuts to start the OUD Server and
OUDSM domain.
b. Invoke a web browser on the db machine and log in to the OAM Console
(http://oam.example.com:7001/oamconsole) as the oamadmin user.
c. Click the Configuration tab (top right) and then click User Identity Stores. Click Create
in the OAM ID Stores section.

d. Choose the Store type as OUD from the pick list. Specify the rest of the values as
shown:
Field                    Value
Store Name               OUD_Store
Store Type               OUD: Oracle Unified Directory
Description              This is the LDAP repository that contains user information and is
                         the authentication provider for all the users except for OAM
                         administrators.
Location                 db.example.com:1389
Bind DN                  cn=Directory Manager
Password                 Welcome1
Logon ID Attribute       uid
User Password Attribute  userPassword
User Search Base         ou=People,dc=example,dc=com
Group Name Attribute     cn
Group Search Base        ou=Groups,dc=example,dc=com
Note: cn=Directory Manager is the OUD root account and is used here only because this
is a lab. In a production deployment, bind OAM with a dedicated account that has read
access to the user and group subtrees and nothing more, and prefer an LDAPS
connection so the bind password and user passwords do not cross the network in the
clear.

e. Click Test Connection. Click OK in the Connection Status window. Click Apply to save
the definition.

f. Access the User Identity Stores page, set Default Store to OUD_Store, and then click
Apply.
g. Sign out of the OAM Console.

2. Familiarize yourself with data in OUD by viewing the data by using Oracle Unified Directory
Services Manager (OUDSM).
a. In a Firefox browser, click the OUDSM bookmark. Use the following information to log
in:
• Name: oud1
• Server: db.example.com
• Administration Port: 4444
• SSL Enabled: Selected (you cannot change this)
• User Name: cn=Directory Manager
• Password: Welcome1

Note: You can also select oud1 under Saved Connections.

b. If the Server Certificate Validation pop-up window appears, click Yes, trust always.
c. On the Data Browser tab, navigate to the Root > dc=example,dc=com > ou=People
node and expand it. Notice that the uid=ahall user is listed. You will use this user
frequently in later practices.
d. Click the X beside the oud1 tab in the top-left corner to close the OUDSM connection.
e. In the web browser, clear all cookies and launch http://oam.example.com:7779
(welcome-index.html, protected by webgate3). You are redirected to the OAM
SSO Login page. Log in as the oamadmin user with the password for that user. You
should be successful and see the Welcome page.
f. Clear the cookies and try logging in as the ahall user with password Welcome1. The
ahall user is in OUD, but not in the embedded LDAP.
Note: You see the message “Authentication failed.” The application domain is still
protected by a scheme whose authentication module uses the embedded LDAP.
Because the ahall user is not present in the embedded LDAP, user authentication
fails.

3. Create a new LDAP authentication module based on OUD_Store as the user identity store
and use this new module to attach to the LDAP scheme.
a. Log in to the OAM Console as the oamadmin user. Click the Authentication Modules
link in the Plug-ins tile.
b. Click Create and select Create LDAP Authentication Module. Enter LDAPOverOUD
as Name and select OUD_Store as User Identity Store. Click Apply.
c. Access the Launch Pad and click the Authentication Schemes link in the Access
Manager tile. In the Search Authentication Schemes page, click Search. Select the
LDAPScheme row in the search result and click Edit.
In the LDAPScheme, click Duplicate. It creates a new scheme with the name Copy of
LDAPScheme. Change this scheme as follows and then click Apply.
Field                  Choices or Values
Name                   LDAPOUDScheme
Description            LDAP Scheme Over OUD
Authentication Module  LDAPOverOUD

d. Then click Set As Default and click OK in the confirmation pop-up.


e. Close the LDAPOUDScheme, LDAP Scheme, Authentication Schemes, and
LDAPOverOUD pages.
f. In the Launch Pad, click the Application Domains link in the Access Manager tile. On
the Search Application Domains page, click Search. Click the webgate3 application
domain.
g. Click Authentication Policies > Protected Resource Policy and observe that the
authentication scheme is set to LDAPOUDScheme. Sign out of the OAM Console.
h. Clear the cache and cookies. Launch http://oam.example.com:7779 again. You are
redirected to the OAM Login page. Log in as the ahall user. This time you should be
successful and should see the Oracle Fusion Middleware Welcome page.

Practice 4-6: Setting Communication Mode Between Server and WebGates to Simple

Overview
OAM Security Modes: Secure communication on the OAP channel (also called NAP) requires that
each OAM server and each WebGate agent use the same security mode: Open, Simple, or Cert.
• Open: Unencrypted communication. In Open mode, there is no authentication or
encryption between the WebGate and the OAM server. The WebGate does not ask for
proof of the OAM server’s identity, and the OAM server accepts connections from all
WebGates. Use Open mode only if communication security is not a concern in your
deployment. This is the mode the registrations earlier in this lesson used.
• Simple: Encrypted communication over SSL/TLS with a public key certificate issued by
Oracle. Use Simple mode if you have security concerns (such as not wanting to transmit
passwords as plain text) but do not manage your own certificate authority (CA). In this
case, OAM 12c servers and WebGates use the same certificates, which are issued and
signed by Oracle.
• Cert: Encrypted communication over SSL/TLS with a public key certificate issued by a
trusted third-party certificate authority. Use Cert mode if you want different certificates
on OAM 12c servers and WebGates and you have access to a trusted third-party CA.
In this mode, the private key must be encrypted by using the DES algorithm. Oracle
Access Manager components use X.509 digital certificates in PEM format only. PEM is
a Base64-encoded text container format; the PEM private key used here is protected
by a passphrase. The PEM format is preferred for private keys, digital certificates, and
trusted CAs; the preferred keystore format is JKS (Java Keystore).
In cryptography, a public key is a value that is provided by a designated authority to be used as
an encryption key. The system for using public keys is called a public key infrastructure (PKI).
As part of a public key infrastructure, a certificate authority checks with a registration authority
(RA) to verify information provided by the requestor of a digital certificate. When the RA verifies
the requestor’s information, the CA can issue a certificate.
Private keys can be derived from a public key. Combining public and private keys is known as
asymmetric cryptography, which can be used to effectively encrypt messages and digital
signatures.
Depending on the public key infrastructure, the digital certificate establishes credentials for web-
based transactions based on:
• Certificate owner’s name
• Certificate serial number
• Certificate expiration date
• A copy of the certificate holder’s public key, which is used to encrypt messages and
digital signatures. The digital signature of the certificate-issuing authority is provided so
that a recipient can verify that the certificate is real. Digital certificates can be stored in
a registry from which authenticating users can look up the public keys of other users.

For Simple mode encryption, Oracle Access Manager ships a certificate authority with its own
private key, which is installed across all WebGates and OAM servers. For each public key, there
is a corresponding private key that Oracle Access Manager stores in the aaa_key.pem file.
The following files are used for Simple mode security:
• cacert.pem: The certificate request, signed by the Oracle-provided openSSL
certificate authority
• password.xml: Contains the random global passphrase that was designated during
installation, in obfuscated format. This is used to prevent other customers from using
the same CA. Oracle Access Manager performs an additional password check during
the initial handshake between the OAM agent and the OAM server.
• aaa_key.pem: Contains your private key (generated by openSSL)
• aaa_cert.pem: Signed certificates in PEM format

The initial communication mode is chosen during OAM installation. The installer generates a
random global passphrase initially, which can be edited as required later.
When you register an OAM agent or a new OAM server, you can specify the mode. However,
changing the global passphrase requires that you reconfigure all agents to use Simple mode
and the new global passphrase.

Tasks
1. Perform these steps on the OAM machine.

2. Set up the OAM server communication mode to Simple using OAM Console.
a. Log in to the OAM Console as oamadmin. Click the Configuration launch pad button.
Click Server Instances.
b. Click Search. In the results, click the oam_server1 link.
Notice that Security (mode of communication) is set to Open, as set up by default
during the installation.
c. Change the mode from Open to Simple. Click Apply and then click Yes in the Confirm
Edit window.
d. Use EM or the command line to shut down all the OHS Instances.
e. On the OAM Console, navigate to the Configuration Launch Pad. In the Settings tile,
click View > Access Manager. The global passphrase can be set here under Simple
Mode Configuration.
Do not change this value in this practice. The installer generates a random global
passphrase initially, and this can be edited as required by you later. However, note that
changing the global passphrase requires reregistration of all existing agents running in
Simple mode.

3. Set up the communication mode for webgate2 to Simple.


a. On the OAM Console, as oamadmin, access the Application Security launch pad and
then Agents. Click Search and then the webgate2 agent page.
b. Change Security from Open to Simple. Click Apply.

c. In a terminal window, navigate to the $DOMAIN_HOME/output directory and notice
that the webgate2 subdirectory has been updated. Observe that aaa_cert.pem,
aaa_key.pem, and password.xml are created along with cwallet.sso and
ObAccessClient.xml.
d. Copy the files from the $DOMAIN_HOME/output/webgate2 directory on the OAM
machine to the $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/webgate/config
directory (replace the existing ObAccessClient.xml and cwallet.sso).
$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/webgate/config
$> cp -rp /u01/app/oracle/admin/domains/oam_domain/output/webgate2/* .

e. Move aaa_cert.pem and aaa_key.pem to the simple directory.
Note: The PEM files need to be copied under the simple directory of the config
directory. Use the following commands:
$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/webgate/config
$> mkdir -p simple
$> mv *.pem simple

f. Stop and start the OAM server, Node Manager, and WLS Admin Server to update the
webgate2 OHS instance runtime configuration. If the Policy Manager server is running,
you can stop it as well.
g. In the OAM Console, navigate to the Launch Pad on the Application Security tab and
click Application Domains in the Access Manager panel.
h. Click Search > webgate2 > Authentication Policies > Protected Resource Policy. Select
LDAPOUDScheme for the Authentication Scheme if it is not already selected. Click
Apply.

4. Clear the cache and use EM or the command line to start the OHS2 instance.
a. Remove the contents of $DOMAIN_HOME/servers/ohs2/cache.
cd $DOMAIN_HOME/servers/ohs2/cache
rm ./*
b. $DOMAIN_HOME/bin/startComponent.sh ohs2

5. Verify the result of changing the communication mode.


a. In your browser window, clear all browser cookies and access
http://oam.example.com:7778.
You should be redirected to the OAM SSO login page.
Note: If you receive an error message, check that the cache directory referenced in
step 3b has updated files. If they are not current, remove them and repeat step 2f.
b. Log in as ahall and view the OHS Welcome page.

6. Repeat steps 2-3 for webgate1 and webgate3. Note that ohs1 uses webgate1 and ohs3
uses webgate3.

7. Verify the change for webgate2 and webgate3 with the following URLs. Log in as ahall.

http://oam.example.com:7777
http://oam.example.com:7779

Practice 4-7: Configuring Server Certificates

Overview
In this practice, you generate a local certificate authority (CA) that provisions certificates for the
OAM server and WebGates. If you do not have a service contract with a CA or an existing
internal CA, you can easily create one by using the OpenSSL open-source tool. Access
Manager components use X.509 digital certificates in PEM format only.
You also generate both the certificate request (server_req.pem) and the private key
(server_key.pem) for the OAM server. The certificate request will be submitted to the local
CA for issuing the certificate in the next practice.

Prerequisites

You should have completed all the practices including “Practice 4-6: Setting Communication
Mode Between Server and WebGates to Simple.”

Tasks (Perform these tasks on the OAM machine.)


1. Set up a new directory for a local certificate authority (CA).
a. Create a /home/oracle/localCA directory and the initial files for the local CA by
using the following commands:
$> cd
$> mkdir localCA

b. Change the OpenSSL configuration file so that the SSL files you create are located in
the localCA directory you created.
As root user, edit the /etc/pki/tls/openssl.cnf file and set the dir parameter
to /home/oracle/localCA. Then exit the root user session.
$> su
Password:
#> vi /etc/pki/tls/openssl.cnf

...
[ CA_default]
dir = /home/oracle/localCA
...

#> exit
$>

2. Create the CA, which results in files for the private key and CA root certificate that are used
to sign certificate requests:
$> cd ~/localCA
$> openssl genrsa -aes256 -out rootCA.key 4096
$> openssl req -x509 -new -nodes -key rootCA.key -days 3650 -sha256 -out aaa_chain.pem

Use the following table to respond to the prompts from the openssl tool:
Window/Page Description                        Choices or Values
Enter a passphrase for rootCA.key              Welcome1
Verifying - Enter passphrase for rootCA.key    Welcome1
Country Name (2 letter code)                   US
State or Province Name                         California
Locality Name                                  Belmont
Organization Name                              Example
Organizational Unit                            Practice
Common Name                                    oam.example.com
Email Address                                  admin@example.com

Do not enter the physical host name in the Common Name field while creating the
root CA certificate. Instead, use the oam.example.com alias.

3. Generate the private key and certificate request for the OAM server.
openssl req -new -keyout server_key.pem -out server_req.pem -utf8 -sha256 -days 3650
Note: You must enter the OAM machine host name in the Common Name field value
(unlike the root CA certificate). Enter Welcome1 for the challenge password.
Window/Page Description                        Choices or Values
Enter PEM passphrase                           Welcome1
Verifying - Enter PEM passphrase               Welcome1
Country Name (2 letter code)                   US
State or Province Name                         California
Locality Name                                  Belmont
Organization Name                              Example
Organizational Unit                            Practice
Common Name                                    oam.example.com
Email Address                                  admin@example.com
Challenge password                             Welcome1

In the localCA directory, you now have a server certificate request,
server_req.pem, and the private key server_key.pem.

4. Submit the certificate request (server_req.pem) to the CA to get a signed certificate
(server_cert.pem).

openssl x509 -req -in server_req.pem -CA aaa_chain.pem -CAkey rootCA.key -CAcreateserial -sha256 -out server_cert.pem -days 3650

Note: The command prompts you to enter the passphrase Welcome1 for the CA signing
key. Notice server_cert.pem (OAM server certificate) in the ~/localCA directory.

5. Convert the server certificate and key to the DER format.

openssl x509 -in server_cert.pem -inform PEM -out server_cert.der -outform DER
openssl pkcs8 -topk8 -nocrypt -in server_key.pem -inform PEM -out server_key.der -outform DER

6. Obtain the password for the OAM keystore using FMW Control.
a. Invoke the Chrome browser and log in to FMW Control (EM bookmark) as weblogic
user.
b. Navigate to WebLogic Domain > System MBean Browser.
c. In the System MBean Browser, click the Operations tab.
d. Click the search icon and set the type of search to Operations. Enter
credentialFromUDM in the search text and press Enter.
e. Click the credentialFromUDM operation under the Operations tab.

f. Enter oracle.oam.OAMStore as parameter p1 and JKS as parameter p2. Then click
Invoke.

g. The Return Value section contains password value. Copy the password value and
paste it into a temporary text file so that you can use it later.

7. Download the OAM artifacts from the database.


cd $MW_HOME/oracle_common/common/bin
./wlst.sh
downloadAccessArtifacts(domainHome="/u01/app/oracle/admin/domains/oam_domain", propsFile="/home/oracle/labs/lesson04/dbschema.props")
exit()

8. Import the private key, CA certificate, and OAM server certificate into the keystore.
a. In the terminal window, import a trusted certificate chain into the keystore by using
keytool: When prompted to trust this certificate, enter yes.

$> cd $JDK_HOME/bin
$> ./keytool -importcert -file ~/localCA/aaa_chain.pem -trustcacerts \
   -storepass <Password_from_MBean_Browser> \
   -keystore $DOMAIN_HOME/config/fmwconfig/.oamkeystore -storetype JCEKS
Use the keystore password that you generated in the previous practice in place of
<Password_from_MBean_Browser>.

b. Run the importcert tool to import a private key (server_key.der) and CA-signed
certificate (server_cert.der) into the keystore.
In a terminal window, navigate to
$ORACLE_HOME/oam/server/tools/importcert and run the importcert utility:

$> cd $ORACLE_HOME/oam/server/tools/importcert
$> unzip importcert.zip

Enter n to not overwrite the README file.

$> java -cp importcert.jar oracle.security.am.common.tools.importcerts.CertificateImport \
   -keystore $DOMAIN_HOME/config/fmwconfig/.oamkeystore \
   -privatekeyfile ~/localCA/server_key.der \
   -signedcertfile ~/localCA/server_cert.der -alias myoamcert

Note: The command prompts you to enter the Keystore password, which is the
password_from_MBean browser, and the Alias password: Welcome1.

9. Update the PEM keystore alias and password by using the OAM Console.
a. Launch the OAM Console as the oamadmin user and navigate to the Configuration
launchpad > Settings [View] > Access Manager.
b. Specify the PEM keystore alias as myoamcert (specified in the previous practice) and
the PEM keystore alias password as Welcome1 (specified in the previous practice).
c. Click Apply.
d. Navigate to the Configuration panel > Server Instances > Search > oam_server1.
e. Change the mode to Cert. Click Apply. In the Warning window, click OK. In the Confirm
Edit window, click Yes.

10. Save the OAM artifacts to the database.


cd $MW_HOME/oracle_common/common/bin
./wlst.sh
saveAccessArtifacts(domainHome="/u01/app/oracle/admin/domains/oam_domain", propsFile="/home/oracle/labs/lesson04/dbschema.props")
exit()

11. Stop and start the OAM Managed Server, Node Manager, and the Administration Server.

Practice 4-8: Configuring WebGates with Cert Mode

Overview
In this practice, you configure the WebGates with SSL certificates.
Note: aaa_key.pem and aaa_cert.pem (from aaa_req.pem) are reserved names that must
be used for a private key and the WebGate certificate.

Tasks
1. On the oam machine, generate a certificate request for the WebGates on
oam.example.com.
a. In a terminal window, change the directory to ~/localCA and run the openssl
command to generate the certificate request. Enter Welcome1 for the PEM
passphrase. Use the following table to respond to the prompts:
Window/Page Description                        Choices or Values
Enter PEM passphrase                           Welcome1
Verifying - Enter PEM passphrase               Welcome1
Country Name (2 letter code)                   US
State or Province Name                         California
Locality Name                                  Belmont
Organization Name                              Example
Organizational Unit                            Practice
Common Name                                    webgate
Email Address                                  admin@example.com
Challenge password                             Welcome1

$> cd ~/localCA
$> openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8 -sha256

2. Submit the certificate request to the CA. Enter Welcome1 for the rootCA.key passphrase.
$> cd ~/localCA
$> openssl x509 -req -in aaa_req.pem -CA aaa_chain.pem -CAkey rootCA.key -CAserial aaa_chain.srl -sha256 -out aaa_cert.pem -days 3650
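The CA, OAM server certificate, and WebGate certificate steps above (Practice 4-7 steps 2-5 and Practice 4-8 steps 1-2) collected into one non-interactive script, as an added example that is not part of the course materials. It passes the practice's subject values and Welcome1 passphrase with -subj and -passin/-passout instead of answering prompts, and adds a chain check that the practice does not perform; it assumes openssl is on the PATH, and the host name oamhost.example.com used for the server CN is a stand-in for your OAM machine.

```shell
#!/bin/sh
# Added example, not from the course guide: Practice 4-7 steps 2-5 and
# Practice 4-8 steps 1-2 run non-interactively, plus a chain verification.
# Assumes openssl is on PATH. Welcome1 is the passphrase the practice uses;
# a production script would read it from a prompt or a secrets store instead.
set -eu

CA_PASS="Welcome1"

# Subject used at every prompt in the practice tables; only the CN differs.
dn() {
  printf '/C=US/ST=California/L=Belmont/O=Example/OU=Practice/CN=%s/emailAddress=admin@example.com' "$1"
}

# make_local_ca DIR ROOT_CN SERVER_CN
# Writes rootCA.key, aaa_chain.pem, server_key.pem, server_req.pem,
# server_cert.pem and the DER copies that importcert expects into DIR.
# ROOT_CN is the oam.example.com alias; SERVER_CN is the real host name.
make_local_ca() {
  mkdir -p "$1"
  ( cd "$1"
    # Step 2: AES-256 protected CA key and a self-signed root valid for 10 years.
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out rootCA.key 4096 2>/dev/null
    openssl req -x509 -new -key rootCA.key -passin "pass:$CA_PASS" -days 3650 \
      -sha256 -subj "$(dn "$2")" -out aaa_chain.pem
    # Step 3: OAM server key (encrypted with the PEM passphrase) and request.
    openssl req -new -newkey rsa:2048 -keyout server_key.pem -passout "pass:$CA_PASS" \
      -out server_req.pem -utf8 -sha256 -subj "$(dn "$3")" 2>/dev/null
    # Step 4: sign the request; -CAcreateserial writes aaa_chain.srl for later use.
    openssl x509 -req -in server_req.pem -CA aaa_chain.pem -CAkey rootCA.key \
      -passin "pass:$CA_PASS" -CAcreateserial -sha256 -out server_cert.pem -days 3650 2>/dev/null
    # Step 5: DER copies. -nocrypt leaves the PKCS#8 key unencrypted on disk,
    # so restrict it (and the PEM keys) to the owner.
    openssl x509 -in server_cert.pem -inform PEM -out server_cert.der -outform DER
    openssl pkcs8 -topk8 -nocrypt -in server_key.pem -passin "pass:$CA_PASS" \
      -inform PEM -out server_key.der -outform DER
    chmod 600 rootCA.key server_key.pem server_key.der )
}

# make_webgate_cert DIR
# Practice 4-8 steps 1-2: aaa_key.pem and aaa_cert.pem are the reserved
# WebGate file names; the request is signed with the serial file from step 4.
make_webgate_cert() {
  ( cd "$1"
    openssl req -new -newkey rsa:2048 -keyout aaa_key.pem -passout "pass:$CA_PASS" \
      -out aaa_req.pem -utf8 -sha256 -subj "$(dn webgate)" 2>/dev/null
    openssl x509 -req -in aaa_req.pem -CA aaa_chain.pem -CAkey rootCA.key \
      -passin "pass:$CA_PASS" -CAserial aaa_chain.srl -sha256 -out aaa_cert.pem -days 3650 2>/dev/null
    chmod 600 aaa_key.pem )
}

# verify_chain DIR CERT: succeeds only if DIR/CERT chains to DIR/aaa_chain.pem,
# which is what server and WebGate require of each other in Cert mode.
verify_chain() {
  openssl verify -CAfile "$1/aaa_chain.pem" "$1/$2" >/dev/null 2>&1
}

# cert_cn CERT: prints the Common Name, to confirm which CN went where.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Stand-alone run (sh script.sh run): build everything under ./localCA-demo.
if [ "${1:-}" = "run" ]; then
  make_local_ca ./localCA-demo oam.example.com oamhost.example.com
  make_webgate_cert ./localCA-demo
  for c in server_cert.pem aaa_cert.pem; do
    if verify_chain ./localCA-demo "$c"; then
      echo "$c: chains to aaa_chain.pem (CN=$(cert_cn "./localCA-demo/$c"))"
    else
      echo "$c: does NOT chain to aaa_chain.pem"; exit 1
    fi
  done
fi
```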

3. Change the WebGate 12c definition to reflect Cert security mode and specify the agent key
password as Welcome1.
a. Invoke the web browser and access the OAM console. Log in as the oamadmin user.
b. Navigate to Agents > Search. Click the webgate2 agent. Change the security mode to
Cert for the agent and specify the agent key password as Welcome1. Click Apply.
Note: The Agent Key Password field appears only when you select the Cert option
button under Security. When you click Apply, the field disappears.
c. After you see the confirmation that WebGate is configured in Cert mode, click
Download and save the zip file.
Note: The configuration files are saved to the /home/oracle/downloads directory
as <webgate name>.zip.
d. Similarly, using steps b and c, configure the Cert mode of communication for the
webgate1 and webgate3 agents.
e. Extract the WebGate configuration files to each webgate/config directory on the db
machine. Enter A when prompted to overwrite any existing files.
$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/config
$> unzip ~/webgate1.zip

$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/webgate/config
$> unzip ~/webgate2.zip

$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs3/webgate/config
$> unzip ~/webgate3.zip
f. Copy the aaa_key.pem, aaa_cert.pem, and aaa_chain.pem files from
~/localCA on the OAM machine to the webgate/config directory of each
WebGate.
$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/config
$> cp /home/oracle/localCA/aaa*pem .

$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/webgate/config
$> cp /home/oracle/localCA/aaa*pem .

$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs3/webgate/config
$> cp /home/oracle/localCA/aaa*pem .

4. Update the WebGate’s wallet.

cd $MW_HOME/oracle_common/bin
./orapki wallet add -wallet /u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/ohs1/webgate/config -trusted_cert -cert /u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/ohs1/webgate/config/aaa_chain.pem -auto_login_only

./orapki wallet add -wallet /u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/ohs2/webgate/config -trusted_cert -cert /u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/ohs2/webgate/config/aaa_chain.pem -auto_login_only

./orapki wallet add -wallet /u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/ohs3/webgate/config -trusted_cert -cert /u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/ohs3/webgate/config/aaa_chain.pem -auto_login_only

Oracle PKI Tool: Version 12.2.1.3.0
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

After running the orapki command three times (once each for ohs1, ohs2, and ohs3), copy
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/config/cwallet.sso and
cwallet.sso.lck to the local wallet directory. For example:
cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/config
cp -rp cwallet* wallet

Important: Repeat this copy for ohs2 and ohs3.

5. Verify that the Cert mode of communication is working between WebGate and the OAM
server.
a. Stop all the OHS instances using EM. Stop the OAM server, Node Manager, and
Admin server.

b. Remove the ObAccessClient.xml cached file copy from each WebGate:
cd $DOMAIN_HOME/servers
rm ohs1/cache/ObAccessClient.xml*
rm ohs2/cache/ObAccessClient.xml*
rm ohs3/cache/ObAccessClient.xml*
c. Start the Admin server, Node Manager, and OAM server.
Note: Make sure that you see a message in the node manager console that the
WebGate configurations are being updated, for example, “INFO: Updating instance
ohs2”.
d. After the Admin server has completed starting, start the OHS instances using EM,
command line, or the desktop icon.
e. Invoke the web browser and access http://oam.example.com:7777. Sign in as
jwalker.

Because the website is protected by using WebGate 12c and is serving content using
the AuthN policies configured on the OAM server, you have verified that the Cert mode
of communication between WebGate 12c and the OAM 12c server is working correctly.
f. Repeat the previous step for ohs2 on port 7778 and ohs3 on port 7779.

Note: If you have trouble configuring cert mode and would like to continue with the
exercises, continue with the next step.

6. Optional: Set the security mode of WebGates and OAM server to Open mode.
a. In the OAM console, navigate to the Configuration panel > Server Instances >
Search > oam_server1.
b. Change the mode to Open. Click Apply. In the Warning window, click OK. In the
Confirm Edit window, click Yes.
c. Navigate to Application panel > Agents > Search. Click the webgate1 agent. Change
the security mode to Open for the agent. Click Apply.
d. Repeat the previous step for webgate2 and webgate3.
e. Stop all the OHS instances.
f. Stop the OAM server, Node Manager, and Admin server.
g. Start the Admin server, Node Manager, and OAM server.
h. Observe that all OHS instances are updated in the Node Manager console.
i. After the Admin server starts, start the OHS instances.
j. Test access to the following links:

http://oam.example.com:7777
http://oam.example.com:7778
http://oam.example.com:7779

Practices for Lesson 5: Configuring DCC, Policies, and Responses
Practices for Lesson 5: Overview

Practices Overview
In these practices, you deploy two different applications: My Bank and Bakery. You deploy the
My Bank application to WLS as a WAR file. You deploy the Bakery application directly to the
web server (OHS instance).
You then create authentication and authorization policies to protect various resources in these
two applications.

Important Notes
• Whenever you obtain unexpected results during this lesson’s practices, it is a good
idea to close all Firefox browser windows and clear the cookies.
• My Bank is a dummy application. Not all links in this application are working or
enabled. Follow the exact instructions as specified in the practice steps to achieve the
correct results.



Practice 5-1: Deploying an Application and Configuring OHS to Front-End the Application

Overview

In this practice, you create a new managed server and deploy mybank.war to that managed
server.
Setting up OHS as the front end to mybank involves integrating the OHS and WebLogic
servers, because the requests need to be forwarded to the mybank application deployed on
WebLogic Server from the OHS.
Note: The My Bank application is a simple application that does not use a J2EE security model.
If you want to learn how to configure OAM 11g to work with J2EE applications with J2EE
security built into the application, see the “Configuring Single Sign-On in Oracle Fusion
Middleware” lesson in Oracle Fusion Middleware Application Security Guide 11g.
Detailed discussions of OPSS, the J2EE Security model, and its integration with OAM 11g are
beyond the scope of this course.

Tasks (Perform these tasks on the DB machine.)


1. Create a managed server in the OUDSM domain by using the WLS Administration Console
with the following details.
• Name: mybank_svr
• Port: 7101
a. In the DB machine, log in to WLS Admin Console of the OUDSM Domain as the
weblogic user (db.example.com:7001/console).
b. Navigate to Servers (Environment > Servers) and click New.
c. On the Create a New Server page, enter the following and click Finish.
• Server Name: mybank_svr
• Server Listen Port: 7101
d. After the managed server is created, click Log Out and close the browser window.
e. In the terminal window, execute the startMyBank.sh script from the
$HOME/setupfiles directory. (Enter weblogic as the username to boot the server
and the corresponding password when prompted.)
$> cd $HOME/setupfiles
$> ./startMyBank.sh
Wait till you see the message <Server Started in RUNNING mode> before you
continue with the next steps.



2. Deploy the My Bank application to mybank_svr.
a. Access the WLS Admin Console for the OUDSM domain as the weblogic user.
b. Click Deployments. On the Deployments page, click Install.
c. In the Path field, enter /home/oracle/labs/lesson05/mybank.war. Ensure that
mybank.war is selected and click Next.

d. Select “Install this deployment as an application.” Click Next.



e. Target this application to mybank_svr. Click Next.

f. Click Finish to complete the deployment.
g. With another instance of the Firefox browser, enter
http://db.example.com:7101/mybank. The login page is displayed.
Note: In the mybank application, main_page.jsp is set as the welcome page, and
main_page.jsp refers to header.jsp from the includes directory. header.jsp
checks if OAM_REMOTE_USER is null, and if it is, then redirects to the login.jsp page.

3. Configure Oracle HTTP Server (ohs1) as the front end for the My Bank application.
a. In the terminal window on the OAM machine, navigate to the
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1 directory, edit and
update the mod_wl_ohs.conf file as follows, and save the changes.
Note: For convenience, the required mod_wl_ohs.conf file is available in the
$HOME/labs/lesson05 folder. You can copy that file to the
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1 directory.
<IfModule weblogic_module>
WebLogicHost db.example.com
WebLogicPort 7101
MatchExpression *.jsp
</IfModule>

<Location /mybank>
SetHandler weblogic-handler
#PathTrim /weblogic
#ErrorPage http:/WEBLOGIC_HOME:WEBLOGIC_PORT/
</Location>



b. Restart the OHS instance for the changes to take effect, by stopping and starting the
environment in the following order.
Stop: ohs1, Node Manager, admin server
Start: admin server, Node Manager, ohs1
c. Open the Firefox browser and access http://oam.example.com:7777/mybank.
Note: The port is 7777 instead of 7101. You will be redirected to the login page from
OAM Server, as per the policy for this application domain.
d. Log in as the ahall user. You should see main_page.jsp.
Note: OAM_REMOTE_USER is no longer null. As a result, the ID ahall is displayed next
to the Sign-Off link.
e. Access the URL http://oam.example.com:7777/mybank/testheaders.jsp. Observe all
the contents, especially OAM_REMOTE_USER and the cookie values on this page.
f. Access the main page of the bank [http://oam.example.com:7777/mybank] and then
click Sign-Off.



Practice 5-2: Configuring a Detached Credential Collector

Overview
In this practice, you configure webgate3 as the detached credential collector (DCC). You
change the configuration of webgate1 to use webgate3 as the DCC rather than its own
embedded credential collector (ECC).

Tasks (Perform these tasks on the OAM machine.)


1. Reconfigure webgate3 to collect credentials and then reconfigure the logout redirect for
webgate1 so that it goes through webgate3.
a. Log in to the OAM Console as oamadmin. Click the Agents icon and then click Search.
In the search results, click webgate3.
b. On the webgate3 page, select Allow Credential Collector Operations and click Apply.

c. Access the SSO Agents tab and click webgate1. Change the Logout Redirect URL to
http://oam.example.com:7779/oamsso-bin/logout.pl. Click Apply.



2. Reconfigure LDAPOUDScheme with challenge properties.
a. Access Launch Pad and click Authentication Schemes in the Access Manager tile.
Then click Search > LDAPOUDScheme. Change the properties of LDAPOUDScheme as
follows and click Apply:
Parameter                  Choices or Values
Challenge Redirect URL     http://oam.example.com:7779/
Challenge URL              /oamsso-bin/login.pl
Context Type               External

b. In Launch Pad, click Application Domains in the Access Manager tile. Search and click
webgate3. On the webgate3 page, access the Resources tab and click Create. Use the
following parameters to create the resource and click Apply.
Parameter            Choices or Values
Type                 HTTP
Host Identifier      webgate3
Resource URL         /favicon.ico
Protection Level     Excluded

c. Sign out of OAM Console and close the browser window.
d. In a terminal window, navigate to $MW_HOME/webgate/ohs/oamsso-bin. Edit
login.pl and logout.pl and change the Perl location on the first line of the script
from /usr/local/bin/perl to /usr/bin/perl.
e. Use EM to restart the ohs1 and ohs3 instances.
f. Open the Firefox browser, access http://oam.example.com:7777/mybank, and log in as
the ahall user.
Note: The port is 7777 instead of 7101. You will be redirected to the login page
through webgate3, the DCC. The ID ahall is displayed next to the Sign-Off link.
g. Click Sign-off and notice that you are redirected to
http://oam.example.com:7779/oamsso/logout.html.



Practice 5-3: Configuring Authentication and Authorization Policies

Overview
Resources represent a document, entity, or pieces of content that are stored on a server and
available for access by a large audience. Clients communicate with the server and request the
resource by using a particular protocol (for example, HTTP or HTTPS) that is defined by an
existing resource type.
In this practice, you configure a resource, /mybank/testheaders.jsp, and assign it to the
existing authentication policy, Protected Resource Policy.
After the user is authenticated, the authorization policy for the resource is evaluated to
determine whether the user is permitted access to the resource. Each resource can be
protected by only one authorization policy.
In this practice, you also create a new Admin_Resource_Policy and add the resource URL
/mybank/testheaders.jsp so that this policy can be evaluated separately from the other
policies.

Tasks (Perform these tasks on the OAM machine.)

1. Configure an authentication policy for the ohs1 application domain.


a. Using Chrome browser, log in to the OAM console as the oamadmin user.
b. Click Application Domains in the Access Manager tile. Click Search on the Search
Application Domains page.
c. Click webgate1. On the webgate1 Application Domain page, access the Resources tab
and click Create.
Enter the following values and click Apply.
Type: HTTP
Host Identifier: webgate1
Resource URL: /mybank/testheaders.jsp
Protection Level: Protected
Authentication Policy: Protected Resource Policy



d. Access the webgate1 tab (at the top). In this domain, access the Authentication
Policies tab and click the Protected Resource Policy link. You should notice that the
resources are protected using the LDAPOUDScheme authentication scheme. Notice that
the /mybank/testheaders.jsp resource is assigned to this policy.

2. Create a new Admin_Resource_Policy and add /mybank/testheaders.jsp as the
resource so that this authorization policy can be evaluated separately.
a. On the webgate1 application domain page, access the Authorization Policies tab. Click
Create.
b. Enter Admin_Resource_Policy in the name field and click the Resources tab. Click
Add. Click Search and select the /mybank/testheaders.jsp row, and click Add Selected.
c. Click the Conditions tab. Click Add. Enter the following values and then click Add
Selected:
- Name: Group_Check
- Type: Identity
Note: This condition is used to check for membership in a group.
d. Select the newly added row. The Condition Details: Group_Check section is shown in the
bottom pane. Click Add > Add Users and Groups in the Condition Details pane.



e. In the Add Identities window, set Store Name to OUD_Store, Entity Type to All or
Group, and Entity Name to QA* and click Search. Select the QA Managers row and
click Add Selected.

f. Click the Rules tab. In the Allow Rule section, move the Group_Check (Identity)
condition to Selected Conditions. Click Apply.
g. Click oamadmin > Sign Out to log out of the OAM Console.
h. Open a Firefox browser and access http://oam.example.com:7777/mybank. Log in as
ahall. You should be successful.
i. Access http://oam.example.com:7777/mybank/testheaders.jsp. You should be denied
access, because the ahall user is not in the QA Managers group.
j. Access the bank page (http://oam.example.com:7777/mybank) again and click Sign-Off.
k. In the Firefox browser, access the URL:
http://oam.example.com:7777/mybank/testheaders.jsp and log in as jwalker. This
user is a member of the QA Managers group, so you are granted access.
l. Access the bank page (http://oam.example.com:7777/mybank) again and click Sign-Off.



3. Create and test the IP Range (deny rule) condition in Admin_Resource_Policy.
Note: The ip_check condition is used to check the IP address of the user. If the IP
address matches the address of the database machine, the check passes, and the user
can access the page.
a. In the Chrome browser, log in to OAM Console as oamadmin, access the Authorization
Policies tab of the webgate1 application domain, and click Admin_Resource_Policy >
Conditions. Create a condition with the name ip_check of type IP Range.
b. In the Condition Details: ip_check, add IP range (start and end values to be the IP of
your oam machine).
Note: Use the IP address of the oam machine. (Use the hostname -i command to
get the IP address of the host.)

c. Click the Rules tab. In the Deny Rule section, move the ip_check condition to
Selected Conditions. Select any of the selected conditions and click Apply.
d. Test whether you can access the testheaders.jsp page from the oam machine (to test
ip_check) as QA Manager (jwalker). Your access is denied because you are
accessing from an IP range in a denied rule.
e. On the Rules tab of the OAM Console (in the OAM machine), remove ip_check from
Selected Conditions and click Apply.

4. Incorporate access based on a temporal condition so that access is allowed only from 9 AM
to 9 PM on Saturdays and Sundays.
Note: The time_check condition is used to specify the day and time when an
authenticated user can access the testheaders.jsp page. If the current day and time
matches that specified in the condition, the check passes, and the user can access the
page.
a. Access the Authorization Policies tab and click Admin_Resource_Policy > Conditions.
Create a time_check condition of type Temporal.
b. In the TEMPORAL window, enter 09:00:00 for Start Time, 21:00:00 for End Time,
select Saturday and Sunday, and click OK.



c. Click the Rules tab. In the Allow Rule section, move the time_check condition to
Selected Conditions and click Apply.
d. Test whether you can access the testheaders.jsp page from the DB machine (to test
time_check) as QA Manager (jwalker). You cannot access the page because it is a
weekday.
e. On the Rules tab of the OAM Console, remove the time_check condition from
Selected Conditions and click Apply to restore access to the page.
f. Access the Firefox browser and click Refresh. You should be able to view the
testheaders.jsp page. You may need to click Refresh a few times before the change is
made effective.
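The three conditions configured in steps 2 to 4 (Identity, IP Range, Temporal) and the way the Allow and Deny rules combine them can be reproduced offline with the following Python model. It is an added example, not code from this course or from Oracle Access Manager: the group memberships, the addresses (taken from the 192.0.2.0/24 documentation range in place of the real oam and db machine IPs) and the timestamps are constructed, and the two rule semantics it assumes (every selected condition must hold for a rule to fire, and a firing Deny rule wins over a firing Allow rule) are spelled out in the code.

```python
"""Toy evaluator for the authorization rules used in Practice 5-3.

Added example, not code from the course or from OAM. It models the Identity,
IP Range and Temporal condition types and a policy's Allow and Deny rules so
the outcomes of steps 2, 3 and 4 can be reproduced offline. Memberships,
addresses and timestamps are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address

# Constructed stand-in for the OUD_Store group memberships the practice relies on.
GROUP_MEMBERSHIP = {
    "jwalker": {"QA Managers"},
    "ahall": {"Engineering"},
}

# Constructed placeholders; the practice has you look up the real oam address
# with `hostname -i`.
OAM_MACHINE_IP = "192.0.2.10"
DB_MACHINE_IP = "192.0.2.20"


@dataclass
class Request:
    user: str          # authenticated uid
    client_ip: str     # address the WebGate saw the request come from
    when: datetime     # server time at evaluation


@dataclass
class IdentityCondition:
    """Group_Check: true when the user is in at least one of the groups."""
    groups: set

    def matches(self, req):
        return bool(GROUP_MEMBERSHIP.get(req.user, set()) & self.groups)


@dataclass
class IPRangeCondition:
    """ip_check: true when the client address lies in [start, end]."""
    start: str
    end: str

    def matches(self, req):
        return ip_address(self.start) <= ip_address(req.client_ip) <= ip_address(self.end)


@dataclass
class TemporalCondition:
    """time_check: true on the listed days between start and end (inclusive)."""
    start: time
    end: time
    days: set

    def matches(self, req):
        return req.when.strftime("%A") in self.days and self.start <= req.when.time() <= self.end


@dataclass
class AuthorizationPolicy:
    allow: list = field(default_factory=list)   # Allow Rule: Selected Conditions
    deny: list = field(default_factory=list)    # Deny Rule: Selected Conditions

    def evaluate(self, req):
        """Return "ALLOW" or "DENY".

        Assumptions, both consistent with what the practice observes: every
        selected condition of a rule must hold for that rule to fire (step 4),
        and a firing Deny rule wins over a firing Allow rule (step 3).
        A request matched by neither rule is denied.
        """
        if self.deny and all(c.matches(req) for c in self.deny):
            return "DENY"
        if self.allow and all(c.matches(req) for c in self.allow):
            return "ALLOW"
        return "DENY"


def run_practice_scenarios():
    """Reproduce the access outcomes the practice expects at each step."""
    group_check = IdentityCondition(groups={"QA Managers"})
    ip_check = IPRangeCondition(start=OAM_MACHINE_IP, end=OAM_MACHINE_IP)
    time_check = TemporalCondition(start=time(9, 0), end=time(21, 0),
                                   days={"Saturday", "Sunday"})
    monday_noon = datetime(2020, 6, 8, 12, 0)     # constructed weekday
    saturday_noon = datetime(2020, 6, 6, 12, 0)   # constructed weekend day

    results = {}
    # Step 2: Group_Check alone in the Allow rule.
    policy = AuthorizationPolicy(allow=[group_check])
    results["step2_ahall"] = policy.evaluate(Request("ahall", DB_MACHINE_IP, monday_noon))
    results["step2_jwalker"] = policy.evaluate(Request("jwalker", DB_MACHINE_IP, monday_noon))
    # Step 3: ip_check added to the Deny rule, tested from the oam machine.
    policy = AuthorizationPolicy(allow=[group_check], deny=[ip_check])
    results["step3_from_oam"] = policy.evaluate(Request("jwalker", OAM_MACHINE_IP, monday_noon))
    # Step 4: ip_check removed again, time_check added to the Allow rule.
    policy = AuthorizationPolicy(allow=[group_check, time_check])
    results["step4_weekday"] = policy.evaluate(Request("jwalker", DB_MACHINE_IP, monday_noon))
    results["step4_saturday"] = policy.evaluate(Request("jwalker", DB_MACHINE_IP, saturday_noon))
    return results
```

Calling run_practice_scenarios() returns DENY for ahall in step 2, ALLOW for jwalker, DENY for jwalker from the oam machine in step 3, DENY on the weekday and ALLOW on the Saturday in step 4, which is the sequence of results the steps above ask you to observe.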



Practice 5-4: Managing Authentication and Authorization Responses

Overview
Responses are optional actions that are to be taken. A response consists of two parameters (a
type and an expression) and a single output (the value).
The response type denotes the form of action to be taken with the value string. The four types
are:
a. Cookie: Set an HTTP cookie.
b. Header: Set an HTTP request header.
c. Session: Set an attribute on the user’s session.
d. Asserted Attribute: If the identity assertion is selected, then an assertion
(optionally containing any Asserted Attribute) is generated for the user. Identity
assertion is used to propagate security tokens outside of the original session.
Policy responses provide the ability to insert information into a session and pull it back at any
later point.
In this practice, you create a session response during the authentication process. You retrieve
this session response and use it in HTTP_HEADERS during the authorization response.

Tasks (Perform these tasks on the OAM machine.)


1. Configure authentication response headers and a cookie for the webgate1 application
domain.
a. Using the Chrome browser, log in to the OAM Console as oamadmin if you have not
already logged in.
b. Click Application Domains in the Access Manager tile. Then click Search and click
webgate1. On the webgate1 Application Domain page, click the Authorization
Policies tab. Click Admin_Resource_Policy and access the Responses tab.



c. Click Add, and in the ensuing pop-up menu, enter details from each row from the
following table and click Add. Then click Add on the Responses tab to add the next
row. After all the rows have been added, click Apply:
- Type: Cookie; Name: OAM_Cookie_Simple; Value: SimpleCookie
- Type: Header; Name: OAM_Header_Simple; Value: SimpleHeader
- Type: Header; Name: OAM_Header_Advanced; Value: User $user.attr.uid from $request.client_ip used agent $request.agent_id
- Type: Header; Name: Group_Membership; Value: $user.groups

d. Refresh the testheaders.jsp page (http://oam.example.com:7777/mybank/testheaders.jsp)
in the browser (you may have to reauthenticate if the session has timed out).
Log in as jwalker (jwalker is a member of the QA Manager group in OUD).
e. Observe Group_Membership, OAM_Header_Simple, and OAM_Header_Advanced.
Note: It may take a few minutes before the header values appear.

2. Configure response header variables.


a. In the Chrome browser window, open a new tab and access OUDSM
(http://db.example.com:7001/oudsm). Double-click oud1 under Saved Connections.
Enter the password and log in.
b. Navigate to Data Browser > dc=example, dc=com > ou=People > uid=jwalker. In the
right pane, set the title of jwalker to Senior QA Manager. Click Apply. Then close the
browser tab.



c. In the OAM Console, as oamadmin, navigate to the webgate1 application domain.
Access Authentication Policies > Protected Resource Policy. Click the Responses tab
and then click Add. In the Add Response window, enter the following values and then
click Add.
Type: Session
Name: OAM_SESSION
Value: User $user.attr.uid as $user.attr.title

Click Apply.
d. Click the webgate1 tab (on top) and the Authorization Policies tab within the webgate1
application domain. Click Admin_Resource_Policy. Click the Responses tab. Click
Add. Enter the following values in the Add Response window and click Add. Then click
Apply in Admin_Resource_Policy.
Type: Header
Name: OAM_HEADER_WITH_SESSION
Value: $session.attr.OAM_SESSION has policy $request.policy_name matched in $request.res_url URL from the $request.policy_appdomain domain.
e. In a new Firefox browser session, access the URL
http://oam.example.com:7777/mybank/testheaders.jsp as the jwalker user and verify
OAM_HEADER_WITH_SESSION.
Note: To ensure you see the correct values, you should clear the cookies and close
the browser session. Then start the browser and access
http://oam.example.com:7777/mybank/testheaders.jsp as the jwalker user to see the
correct values.
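How the $user, $request and $session variables in the responses above are turned into header and cookie values, and how the session attribute set by the authentication response is read back by the authorization response, is shown by this added Python example. It is not code from the course or from OAM: the user attributes, group list and request details are constructed, and the separator used for $user.groups and the handling of an unknown variable are assumptions, not documented OAM behaviour.

```python
"""Rendering OAM policy-response expressions (added example, not OAM code).

Substitutes the $user.attr.*, $user.groups, $request.* and $session.attr.*
variables used in Practice 5-4 and replays the two phases: the authentication
response stores OAM_SESSION in the session, the authorization response reads
it back into a header. Context values are constructed; the group separator
and the treatment of unknown variables are assumptions.
"""
import re

# Matches e.g. $user.attr.uid, $user.groups, $request.client_ip, $session.attr.OAM_SESSION
VARIABLE = re.compile(r"\$(user\.attr|session\.attr|request|user)\.(\w+)")


def render(expression, ctx):
    """Replace every policy-response variable in expression with its value."""
    def lookup(match):
        namespace, name = match.group(1), match.group(2)
        if namespace == "user.attr":
            return str(ctx["user"]["attrs"].get(name, ""))
        if namespace == "user" and name == "groups":
            return ",".join(ctx["user"]["groups"])   # assumed separator
        if namespace == "request":
            return str(ctx["request"].get(name, ""))
        if namespace == "session.attr":
            return str(ctx["session"].get(name, ""))
        return match.group(0)                         # assumption: left untouched
    return VARIABLE.sub(lookup, expression)


def apply_responses(authn_responses, authz_responses, ctx):
    """Run authentication responses first, then authorization responses.

    Each response is a (type, name, value) triple as entered in the console.
    Session responses write into ctx["session"]; Header and Cookie responses
    are returned as the dictionaries the WebGate would pass to the application.
    """
    headers, cookies = {}, {}
    for rtype, name, value in authn_responses + authz_responses:
        rendered = render(value, ctx)
        if rtype == "Session":
            ctx["session"][name] = rendered
        elif rtype == "Header":
            headers[name] = rendered
        elif rtype == "Cookie":
            cookies[name] = rendered
    return headers, cookies


# Constructed context: jwalker reaching /mybank/testheaders.jsp through webgate1.
SAMPLE_USER = {"attrs": {"uid": "jwalker", "title": "Senior QA Manager"},
               "groups": ["QA Managers"]}
SAMPLE_REQUEST = {"client_ip": "192.0.2.20", "agent_id": "webgate1",
                  "policy_name": "Admin_Resource_Policy",
                  "res_url": "/mybank/testheaders.jsp",
                  "policy_appdomain": "webgate1"}

# The responses configured in steps 1c, 2c and 2d of this practice.
AUTHN_RESPONSES = [
    ("Session", "OAM_SESSION", "User $user.attr.uid as $user.attr.title"),
]
AUTHZ_RESPONSES = [
    ("Cookie", "OAM_Cookie_Simple", "SimpleCookie"),
    ("Header", "OAM_Header_Simple", "SimpleHeader"),
    ("Header", "OAM_Header_Advanced",
     "User $user.attr.uid from $request.client_ip used agent $request.agent_id"),
    ("Header", "Group_Membership", "$user.groups"),
    ("Header", "OAM_HEADER_WITH_SESSION",
     "$session.attr.OAM_SESSION has policy $request.policy_name matched in "
     "$request.res_url URL from the $request.policy_appdomain domain."),
]


def render_sample():
    """Render the practice's responses for the constructed context."""
    ctx = {"user": SAMPLE_USER, "request": SAMPLE_REQUEST, "session": {}}
    return apply_responses(AUTHN_RESPONSES, AUTHZ_RESPONSES, ctx)
```

render_sample() yields OAM_HEADER_WITH_SESSION as "User jwalker as Senior QA Manager has policy Admin_Resource_Policy matched in /mybank/testheaders.jsp URL from the webgate1 domain.", which is the value you should see on testheaders.jsp after the title attribute has been set in OUDSM; a session attribute that was never set renders as an empty string, which is why the note above tells you to start a fresh browser session.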



Practice 5-5: Customizing Access Policies for a Web Application
Overview
In this practice, you perform the following:
a. Deploy the Bakery application on the OHS instance (ohs1).
b. Unprotect the Bakery application so that anyone can view the page.
c. Protect internal pages to ensure that only employees (only users in OUD in this case)
can view those pages.
d. Create authorization rules so that each department page can be accessed by the
employees from the corresponding department.

Tasks (Perform these tasks on the OAM machine.)

1. Deploy the Bakery web application on the ohs1 instance and verify that you can access the
application.
a. On the OAM machine, copy the example directory from $HOME/labs/lesson05 to
$DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs:
$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs
$> cp -r $HOME/labs/lesson05/example .
b. Open a new browser window and access http://oam.example.com:7777/example. You
should be redirected to the login page.
c. Log in with the credentials of the ahall user. You should see the Welcome page of
the Bakery application.
Note: The reason you are seeing the login page is because you have an OAM
WebGate deployed on the ohs1 instance with a policy that is protecting all the
resources under /.
d. Explore the application by clicking Products, On-line Store, Baker’s Corner, and About.
2. Unprotect the launch page (/example) of the Bakery application by creating the resource
as Unprotected.
a. Log in to the OAM Console as oamadmin. Navigate to Application Security
launchpad > Application Domains > Search > webgate1 application domain.
b. On the Resources tab of the webgate1 application domain, click Create and create the
resource /example/**. Click Apply after creating the resource URL.
Type: HTTP
Description: Bakery application launch page
Host Identifier: webgate1
Resource URL: /example/**
Protection Level: Excluded
c. Close all Firefox sessions, start a new Firefox browser session, and access the bakery
application (http://oam.example.com:7777/example). You should see the Bakery
main page (without being challenged for credentials).
Note: This opens up all the doors in the Bakery application to the public, including the
Employee login link. Click the Employees link, and you should be able to see the
employeeHome.html page without being challenged to log in as an employee.
3. Create resources for internal pages and for each department page.

a. In the OAM Console, as oamadmin, navigate to Access Manager > Application
Domains > Search > webgate1 application domain.
b. On the Resources tab, click Create and create a resource as described in the following
table. Click Apply after entering the values for the resource URL and then click the
webgate1 tab to create the next resource.
Type: HTTP
Description: Employee pages
Host Identifier: webgate1
Resource URL: /example/internal/**
Protection Level: Protected
Authentication Policy: Protected Resource Policy

c. Create the resource for the HR department (/example/internal/hr). Click Apply
after entering the values.
Type: HTTP
Description: HR Page
Host Identifier: webgate1
Resource URL: /example/internal/hr/**
Protection Level: Protected
Authentication Policy: Protected Resource Policy



d. Access the Resource tab of the webgate1 application domain and click Create to add a
resource for the Finance department (/example/internal/finance). Click Apply
after entering the values for the resource URL.
Type: HTTP
Description: Finance Page
Host Identifier: webgate1
Resource URL: /example/internal/finance/**
Protection Level: Protected
Authentication Policy: Protected Resource Policy

e. Access the Resource tab of the webgate1 application domain and click Create to add a
resource for the Engineering department (/example/internal/eng). Click Apply
after entering the values for the resource URL.
Type: HTTP
Description: Engineering Page
Host Identifier: webgate1
Resource URL: /example/internal/eng/**
Protection Level: Protected
Authentication Policy: Protected Resource Policy
4. Create policy conditions to ensure that HR pages can be accessed only by employees from
the HR department.
a. Navigate to webgate1 Application Domains and access the Authorization Policies tab.
Click Create to add a new authorization policy as shown in the following table:
Name: Bakery_HR
Description: Policy to protect the HR department page so that it is viewable only by HR Employees
Resources subtab: Click Add and Search, select the URL /example/internal/hr/**, and click Add Selected.



b. Click the Conditions tab. Click Add, and in the Add Conditions window, enter the
following and click Add Selected:
Name: HR_Only
Type: Identity
c. Back in Condition Details: HR Only, click Add > Add Users and Groups, enter the
condition details as shown in the following table, and click Search.
Store Name: OUD_Store
Entity Type: Group
Entity Name: H* (type H* and click Search)
d. Select both HR Managers and Human Resources rows in the search results table and
click Add Selected.
e. On the Create Authorization Policy page, click Apply.
f. On the Rules tab, in the Allow Rule section, move the HR_Only condition from
Available Conditions to Selected Conditions.
g. Click the Responses tab. Click Add and enter values as shown in the following table,
and click Add:
Type: Cookie
Name: AuthZ_Cookie
Value: $user.attr.uid is authorized to view this page as a member of the HR department. This is the AuthZ response.
h. Click Apply on the Create Authorization Policy page.



5. Create policy conditions to ensure that the Finance pages can be accessed only by
employees from the Finance department.
a. Navigate to webgate1 Application Domains and access the Authorization Policies tab.
Click Create to add a new authorization policy as shown in the following table:
Name: Bakery_Finance
Description: Policy to protect the Finance department page so that it is viewable only by Finance employees.
Resources subtab: Click Add and Search, select the URL /example/internal/finance/**, and click Add Selected.
b. Click the Conditions tab. Click Add, and in the Add Conditions window, enter the
following and click Add Selected:
Name: Fin_Only
Type: Identity
c. Back in Condition Details: Fin Only, click Add > Add Users and Groups, enter the
condition details as shown in the following table, and click Search.
Store Name: OUD_Store
Entity Type: Group
Entity Name: Finance
d. Select the Finance row in the search results table and click Add Selected.
e. On the Rules tab, in the Allow Rule section, move the condition Fin_Only to Selected
Conditions.
f. Click the Responses tab. Click Add, enter values as shown in the following table, and
click Add:
Name: AuthZ_Cookie
Type: Cookie
Value: $user.attr.uid is authorized to view this page as a member of the Finance department. This is the AuthZ response.
g. Click Apply on the Create Authorization Policy page.



6. Create policy conditions to ensure that Engineering pages can be accessed only by
employees from the Engineering department.
a. Navigate to webgate1 Application Domains and access the Authorization Policies tab.
Click Create to add a new authorization policy as shown in the following table:
Name: Bakery_Eng
Description: Policy to protect the Engineering department page so that it is viewable only by Engineering employees
Resources subtab: Click Add and Search, select the URL /example/internal/eng/**, and click Add Selected.
b. Click the Conditions tab. Click Add, and in the Add Conditions window, enter the
following and click Add Selected:
Name: Eng_Only
Type: Identity
c. Back in Condition Details: Eng Only, click Add > Add Users and Groups, enter the
condition details as shown in the following table, and click Search.
Store Name: OUD_Store
Entity Type: Group
Entity Name: Engineering
d. Select the Engineering row in the search results table and click Add Selected.
e. On the Rules tab, in the Allow Rule section, move the condition Eng_Only to Selected
Conditions.
f. Click the Responses tab. Click Add and enter values as shown in the following table,
and click Add:
Name: AuthZ_Cookie
Type: Cookie
Value: $user.attr.uid is authorized to view this page as a member of the Engineering department. This is the AuthZ response.
g. Click Apply on the Create Authorization Policy page.
h. Sign out of OAM Console. Close the browser window.



7. Verify that the access policies for the Bakery application are correctly set up.
a. Invoke the Firefox browser, remove all cookies from the browser, and access the URL
http://oam.example.com:7777/example. You should see the unprotected main page of
the Example Bakery application.
b. Click the Employees link. You should be challenged for credentials. Log in as
kvaughan. You should see the Example Bakery Employee portal page. Now, click the
Human Resource Department site. You should be able to view the HR department
page because the kvaughan user is a member of the HR department.
c. Navigate to the browser’s menu option: Edit > Preferences > Privacy > remove
individual cookies > expand oam.example.com site and click to view the AuthZ_Cookie
cookie value. Also, note down all the cookies pertaining to OAM. Click Close in the
Cookies window and then click Close in Firefox Preferences.

d. Click the Employees link and then click the Finance Department site. You should see
the “Oracle Access Manager Operation Error” page, which states that access has been
denied to the user.
e. Close the browser window. Open it again and verify if you can access the Finance
page as the abergin user.
f. Similarly, verify if you can access the Engineering page as ahall. Try to access the
Finance page as the ahall user and notice that you are not allowed.



Practice 5-6: Implementing OAM Password Policy

Overview
In this practice, you enable password policy validation by OAM. Because users are
authenticated by LDAP, the LDAP password policy will also apply. The OUD installation in the
classroom environment is using the default LDAP policy, which does not impose any
restrictions.
Note: DCC can work with or without implementing OAM password policy validation.
There also can be password policy validation at the native LDAP layer.

Tasks (Perform these tasks on the DB machine.)

Enable password management for the user identity store, OUD_Store.
1. Update the OUD schema for OAM password management. The schema LDIF files were
copied from $ORACLE_HOME/modules/oracle.idm.ipf_12.2.2/scripts/ldap on
the OAM server. The user data object definition in the Access Manager schema is extended
with attributes that enable password user status and password history maintenance. This
definition is provided in an LDIF file and must be added to each user identity store by using
the ldapmodify command.

Run the following commands:

cd ~/labs/lesson05
$OUD_HOME/bin/ldapmodify -c -h db.example.com -p 1389 -D "cn=Directory Manager" -w Welcome1 -f OUD_OracleSchema.ldif
$OUD_HOME/bin/ldapmodify -c -h db.example.com -p 1389 -D "cn=Directory Manager" -w Welcome1 -f OUD_OblixSchema.ldif

2. Log in to the OAM console (http://oam.example.com:7001/oamconsole) as
oamadmin/Welcome1. Modify the password policy under Application Security launch pad >
Password Policy:
Warn After = 3
Expire After = 20
Minimum Password length = 6
Disallow Previous Passwords = 3
Permanent Lockout disabled (deselect)
Maximum Attempts = 3
Lockout Duration = 1
Note: The default value is 1 for minimum special characters.



Click Apply.

3. Navigate to Configuration Launch Pad > User Identity Stores.
4. Select OUD_Store and click Edit. Expand the Password Management section and select
the Enable Password Management check box.

5. Click Apply.



6. Log in to OUDSM on the DB machine and view the attributes and object classes seeded as
part of extending the schema:
http://db.example.com:7001/oudsm



7. Click the schema tab and enter ob* for the search term for both attributes and
objectclasses. You extended the LDAP schema with new objectclasses and attributes that
all start with “ob”.



Configure the Password Policy Validation Authentication Module.
8. In the OAM Console, navigate to Application Security launchpad > Authentication
Modules > Search > PasswordPolicyManagementModule.



9. Click the Steps tab and specify OUD_Store for the KEY_IDENTITY_STORE_REF parameter
for the User Identification Step, User Authentication Step, and the User Password Status
Step, as shown in the following screenshots:





10. Click Save for each step and then Apply for the module changes.

Set the PasswordPolicyValidationScheme to use the PasswordPolicyManagementModule
authentication module.
11. Navigate to Application Security launchpad > Authentication Schemes > Search >
PasswordPolicyValidationScheme. Change the properties as follows:
Challenge Redirect URL: /oam/server/
Authentication Module: PasswordPolicyManagementModule
Challenge URL: /pages/login.jsp
Context Type: default
Context Value: /oam



12. Click Apply.

Change the webgate2 application domain to use the PasswordPolicyValidationScheme
for the Protected Resource Policy.
13. Navigate to Application Security launchpad > Application Domains > Search > webgate2 >
Authentication Policies. Change the Authentication Scheme property for the Protected
Resource Policy to point to PasswordPolicyValidationScheme.



14. Click Apply.

Testing User Scenarios


To test the scenarios, you create new users, one per case. On the DB
machine, upload the sample LDIF files. Then try logging in as an employee (with password
Welcome1) who has been disabled, locked, has an expired password, or has been given a
warning to change their password. Authenticate against the webpage at
http://oam.example.com:7778, which is where you changed the policy for password policy
validation.

Testing a Disabled User


15. When orclaccountenabled is set to zero, the user is disabled. Add the user with the
following commands:

cd $OUD_HOME/bin
./ldapmodify -h db.example.com -p 1389 -D "cn=Directory Manager" -w Welcome1 -f ~oracle/labs/lesson05/disabled.ldif
Note: Do not use the ldapmodify command that is in the path.



16. Log in as disabled/Welcome1 to http://oam.example.com:7778.

17. To enable an account that has been disabled, you can use the password management
REST API. Enter the following command to enable the user:

curl -X POST \
  http://oam.example.com:14100/oam/services/rest/access/api/v1/pswdmanagement/UserStatusChanger/disabled \
  -u oamadmin:Welcome1 -H 'content-type: application/json' \
  -d '{"forcepwdchange":"false","locked":"false","disabled":"false"}'

Note: The user you are changing with the REST call is specified as the last part of the URL.
In this example,
http://oam.example.com:14100/oam/services/rest/access/api/v1/pswdmanagement/UserStatusChanger/disabled.

Testing Force Change Password


18. Because several of the user attributes are time based, you will use the REST API to set the
status of the user. First, create a new user.

./ldapmodify -h db.example.com -p 1389 -D "cn=Directory Manager" -w Welcome1 -f ~oracle/labs/lesson05/force.ldif

19. Set the status of the user to force a password change, using REST.

curl -X POST \
  http://oam.example.com:14100/oam/services/rest/access/api/v1/pswdmanagement/UserStatusChanger/force \
  -u oamadmin:Welcome1 -H 'content-type: application/json' \
  -d '{"forcepwdchange":"true","locked":"false","disabled":"false"}'



20. Display the user attributes and note the orclpwdchangerequired attribute that was set
as a result of changing the user status.

./ldapsearch -h db.example.com -p 1389 -D 'cn=Directory Manager' -w Welcome1 -s sub -b dc=example,dc=com '(uid=force)'

dn: uid=force,ou=people,dc=example,dc=com
orcluseraccountlocked: 0
orcluserpwdcantchange: 0
orcluserpwdexpirationdate: 20171224084739Z
orclpwdchangerequired: 1
orcluserpwdneverexpires: 0
orcllockedreason: -1
orcluserpwdwarndate: 20171207084739Z
orcluserpwdresetattemptsctr: 0
orcluserpwdgenerated: 0
orclaccountenabled: 1
orcllockouttime: 0
orclloginattemptsctr: 0
orcllastsuccessfullogindate: 20171204084547Z
sn: force
cn: force
objectClass: oblixPersonPwdPolicy
objectClass: top
objectClass: orclIDXIPFPerson
objectClass: oblixorgperson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword: {SSHA512}0apSXrRQlr+zfHqJrl1LEhLSYun0gKKNxX4T5PXKj757uONBxUVZ+q9yOPRv+ZxaPGXpQX1kSip0O2Pl7QG1hUeqvM6EUs4S
orcluserpwdcreationdate: 20171204084739Z
uid: force



21. Log in to webgate2 (http://oam.example.com:7778) as force/Welcome1.

22. Notice the password policy rules that were set in the OAM console for the password policy.
Enter Welcome2! for the new password and log in.

Testing an Expired User


23. Create a new user with an expired password. The date and time of the password expiration
is stored in the orcluserpwdexpirationdate attribute.

./ldapmodify -h db.example.com -p 1389 -D "cn=Directory Manager" -w Welcome1 -f ~oracle/labs/lesson05/expired.ldif

24. Log in to webgate2 (http://oam.example.com:7778) as expired/Welcome1. Because the
password has expired, you are forced to change the password.

25. Change the password to Welcome2! and log in.



Testing “Warn” for Password Expiration
26. Before you add a new user for the password expiration warning case, you must edit the
warn.ldif file and set the orcluserpwdwarndate attribute to yesterday’s date. Edit the
~/labs/lesson05/warn.ldif file and change the orcluserpwdwarndate attribute.
The first 4 digits are the year, the next two are the month, and digits 7 and 8 are the day.

dn: uid=warn,ou=people,dc=example,dc=com
changetype: add
objectclass: top
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: oblixPersonPwdPolicy
objectclass: oblixorgperson
objectclass: orclIDXIPFPerson
cn: warn
sn: warn
uid: warn
userpassword: Welcome1
orcluserpwdwarndate: 20171020081011Z

27. Add the warn user.

./ldapmodify -h db.example.com -p 1389 -D "cn=Directory Manager" -w Welcome1 -f ~oracle/labs/lesson05/warn.ldif

28. Log in to webgate2 (http://oam.example.com:7778) as warn/Welcome1.

29. Select Click here to continue without changes.



Testing a Locked User
30. Add the locked user.

./ldapmodify -h db.example.com -p 1389 -D "cn=Directory Manager" -w Welcome1 -f ~oracle/labs/lesson05/locked.ldif

31. Log in to webgate2 (http://oam.example.com:7778) as locked/Welcome1.



32. Invoke the REST API to resolve the locked user.

curl -X POST \
  http://oam.example.com:14100/oam/services/rest/access/api/v1/pswdmanagement/UserStatusChanger/locked \
  -u oamadmin:Welcome1 -H 'content-type: application/json' \
  -d '{"forcepwdchange":"false","locked":"false","disabled":"false"}'

33. Log in to webgate2 as the locked user.
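The force, expired, warn and locked cases in steps 20 to 33 are all driven by the orcl* attributes that Oracle Access Manager maintains on the OUD user entry. The following script is an added example (my code, not course or product code) that parses ldapsearch output such as the one shown in step 20 and reports which of those states apply at a given instant. FORCE_ENTRY is the step 20 output reused as constructed input; LOCKED_ENTRY is constructed to mirror the locked user of step 31. The state names, and the rule that an expired password is reported instead of a warning, are my own reading of the attributes, not a documented OAM algorithm.

```python
"""Read the password-state attributes that OAM keeps on an OUD user entry.

Added example (not course code). Constructed sample input below.
"""
from datetime import datetime, timezone

# ldapsearch output from step 20 (objectClass and userPassword lines omitted).
FORCE_ENTRY = """\
dn: uid=force,ou=people,dc=example,dc=com
orcluseraccountlocked: 0
orcluserpwdcantchange: 0
orcluserpwdexpirationdate: 20171224084739Z
orclpwdchangerequired: 1
orcluserpwdneverexpires: 0
orcllockedreason: -1
orcluserpwdwarndate: 20171207084739Z
orcluserpwdresetattemptsctr: 0
orcluserpwdgenerated: 0
orclaccountenabled: 1
orcllockouttime: 0
orclloginattemptsctr: 0
orcllastsuccessfullogindate: 20171204084547Z
sn: force
cn: force
uid: force
"""

# Constructed entry for a locked account; the description attribute shows how
# ldapsearch folds a long value onto a continuation line.
LOCKED_ENTRY = """\
dn: uid=locked,ou=people,dc=example,dc=com
orcluseraccountlocked: 1
orclaccountenabled: 1
orcluserpwdexpirationdate: 20180101000000Z
description: a value that ldapsearch wrap
 ped onto a continuation line
uid: locked
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    ldapsearch wraps long values (userPassword hashes, for example) by
    starting the next line with a single space; those lines are glued
    back onto the previous value here.
    """
    entry, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last is not None:
            entry[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        entry.setdefault(last, []).append(value.lstrip(" "))
    return entry


def generalized_time(value):
    """LDAP GeneralizedTime such as 20171224084739Z -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(entry, now):
    """Return the states (assumed names) that explain what the login page does."""
    def flag(attr):
        return entry.get(attr, ["0"])[0] == "1"

    def when(attr):
        values = entry.get(attr)
        return generalized_time(values[0]) if values else None

    states = []
    if entry.get("orclaccountenabled", ["1"])[0] == "0":
        states.append("disabled")
    if flag("orcluseraccountlocked"):
        states.append("locked")
    if flag("orclpwdchangerequired"):
        states.append("force_change")
    expires = when("orcluserpwdexpirationdate")
    if expires and not flag("orcluserpwdneverexpires") and expires <= now:
        states.append("expired")
    warn = when("orcluserpwdwarndate")
    if warn and "expired" not in states and warn <= now:
        states.append("warn")
    return states


def states_for(ldif_text, now_generalized_time):
    """Convenience wrapper: LDIF text plus a GeneralizedTime 'now'."""
    return password_state(parse_ldif_entry(ldif_text), generalized_time(now_generalized_time))
```

Running `states_for(FORCE_ENTRY, "20171210000000Z")` reports both the forced change and the warning, because the warn date (7 December 2017) has passed but the expiration date (24 December 2017) has not; moving "now" past the expiration date replaces the warning with the expired state.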



Practice 5-7: Configure Password Policy Using REST

Overview
Using the REST API, you can create multiple password policies and assign them to groups. If
multiple password policies apply to a specific user, the policy with the lowest priority is used.
In this practice, you perform the following:
a. Retrieve the default password policy.
b. Create a new group-specific password policy.
c. Test the new password policy.

Tasks (Perform these tasks on the DB machine.)



1. Retrieve the default password policy.
curl -X GET \
  http://oam.example.com:14100/oam/services/rest/access/api/v1/policy/PasswordPolicies \
  -u oamadmin:Welcome1 -H 'content-type: application/json'

[{"passwordPolicyInfo":{"id":"1","minLength":1,"minSpecialChars":1,
"startsWithAlphabet":true,"firstNameDisallowed":false,"lastNameDisallowed":true,
"userIdDisallowed":true,"complexPolicy":false,"passwordExpiresAfterInDays":20,
"passwordWarningAfterInDays":3,"requiredChars":[],"disallowedChars":[],
"allowedChars":[],"disallowedSubstrings":[],"numPasswordsInHistory":3,
"lockoutDuration":1,"maxIncorrectAttempts":3,"chSource":0,"chDefaultQuestions":"",
"chAllAtOnce":true,"chAllowDuplicateResponses":false,"chSendMail":false,
"chEnabled":false}}]

2. Create a new password policy for the Finance group. For your convenience, this command
is saved as ~/labs/lesson05/new_password_policy.txt.

curl -X POST \
  http://oam.example.com:14100/oam/services/rest/access/api/v1/policy/PasswordPolicies \
  -u oamadmin:Welcome1 -H 'content-type: application/json' \
  -d '[{"passwordPolicyInfo":{"id":"2","minLength":6,"minSpecialChars":1,
"startsWithAlphabet":true,"firstNameDisallowed":false,"lastNameDisallowed":true,
"userIdDisallowed":true,"complexPolicy":false,"passwordExpiresAfterInDays":60,
"passwordWarningAfterInDays":53,"requiredChars":[],"disallowedChars":[],
"allowedChars":[],"disallowedSubstrings":[],"numPasswordsInHistory":3,
"lockoutDuration":1,"maxIncorrectAttempts":3,"chSource":0,"chDefaultQuestions":"",
"chAllAtOnce":true,"chAllowDuplicateResponses":false,"chSendMail":false,
"chEnabled":false},
"assignmentRule":{"idStoreRef":"OUD_Store","priority":2,"passwordPolicyID":"2",
"ruleType": 2,"ruleValue":"Finance"}}]'



The response from the POST command shows the new policy and its assignment rule:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PasswordPolicyAssignments>
  <PasswordPolicyAssignment>
    <passwordPolicyInfo id="2">
      <minLength>6</minLength>
      <minSpecialChars>1</minSpecialChars>
      <startsWithAlphabet>true</startsWithAlphabet>
      <firstNameDisallowed>false</firstNameDisallowed>
      <lastNameDisallowed>true</lastNameDisallowed>
      <userIdDisallowed>true</userIdDisallowed>
      <complexPolicy>false</complexPolicy>
      <passwordExpiresAfterInDays>60</passwordExpiresAfterInDays>
      <passwordWarningAfterInDays>53</passwordWarningAfterInDays>
      <numPasswordsInHistory>3</numPasswordsInHistory>
      <lockoutDuration>1</lockoutDuration>
      <maxIncorrectAttempts>3</maxIncorrectAttempts>
      <chSource>0</chSource>
      <chDefaultQuestions></chDefaultQuestions>
      <chAllAtOnce>true</chAllAtOnce>
      <chAllowDuplicateResponses>false</chAllowDuplicateResponses>
      <chSendMail>false</chSendMail>
      <chEnabled>false</chEnabled>
    </passwordPolicyInfo>
    <assignmentRule idStoreRef="OUD_Store" priority="2" passwordPolicyID="2">
      <ruleType>2</ruleType>
      <ruleValue>Finance</ruleValue>
    </assignmentRule>
  </PasswordPolicyAssignment>
</PasswordPolicyAssignments>
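To see what the policy fields in steps 1 and 2 actually mean for a user, here is an added example (my code, not course or product code) that picks the policy applying to a user from the two policy objects above and checks a candidate password against it. The two policy dictionaries are the JSON from step 1 and step 2 with the challenge-question (ch*) fields left out. Assumed interpretations: a "special" character is any non-alphanumeric character, the user-ID and name checks are case-insensitive substring tests, ruleType 2 means "members of the group named in ruleValue", and where several group policies match, the one with the lowest priority value is used.

```python
"""Select an OAM password policy for a user and check a password against it.

Added example (not course code); the policy objects come from the REST
calls in this practice, the checking rules are assumptions.
"""

DEFAULT_POLICY = {
    "passwordPolicyInfo": {
        "id": "1", "minLength": 1, "minSpecialChars": 1,
        "startsWithAlphabet": True, "firstNameDisallowed": False,
        "lastNameDisallowed": True, "userIdDisallowed": True,
        "complexPolicy": False, "passwordExpiresAfterInDays": 20,
        "passwordWarningAfterInDays": 3, "requiredChars": [],
        "disallowedChars": [], "allowedChars": [], "disallowedSubstrings": [],
        "numPasswordsInHistory": 3, "lockoutDuration": 1,
        "maxIncorrectAttempts": 3,
    }
}

FINANCE_POLICY = {
    "passwordPolicyInfo": {
        "id": "2", "minLength": 6, "minSpecialChars": 1,
        "startsWithAlphabet": True, "firstNameDisallowed": False,
        "lastNameDisallowed": True, "userIdDisallowed": True,
        "complexPolicy": False, "passwordExpiresAfterInDays": 60,
        "passwordWarningAfterInDays": 53, "requiredChars": [],
        "disallowedChars": [], "allowedChars": [], "disallowedSubstrings": [],
        "numPasswordsInHistory": 3, "lockoutDuration": 1,
        "maxIncorrectAttempts": 3,
    },
    "assignmentRule": {
        "idStoreRef": "OUD_Store", "priority": 2, "passwordPolicyID": "2",
        "ruleType": 2, "ruleValue": "Finance",
    },
}

POLICIES = [DEFAULT_POLICY, FINANCE_POLICY]


def select_policy(policies, groups):
    """Return the passwordPolicyInfo that applies to a user in `groups`.

    A group-assigned policy (ruleType 2, assumed to mean group membership)
    wins over the unassigned default; among several matches the lowest
    priority value wins (assumption).
    """
    matching = [
        p for p in policies
        if p.get("assignmentRule", {}).get("ruleType") == 2
        and p["assignmentRule"]["ruleValue"] in groups
    ]
    if matching:
        best = min(matching, key=lambda p: p["assignmentRule"]["priority"])
        return best["passwordPolicyInfo"]
    return next(p["passwordPolicyInfo"] for p in policies
                if "assignmentRule" not in p)


def check_password(policy, password, uid, sn=None, given_name=None, history=()):
    """Return the policy fields the password violates (empty list = accepted)."""
    violations = []
    lowered = password.lower()
    if len(password) < policy["minLength"]:
        violations.append("minLength")
    # Assumption: a special character is anything that is not a letter or digit.
    if sum(1 for c in password if not c.isalnum()) < policy["minSpecialChars"]:
        violations.append("minSpecialChars")
    if policy["startsWithAlphabet"] and not password[:1].isalpha():
        violations.append("startsWithAlphabet")
    if policy["userIdDisallowed"] and uid.lower() in lowered:
        violations.append("userIdDisallowed")
    if policy["lastNameDisallowed"] and sn and sn.lower() in lowered:
        violations.append("lastNameDisallowed")
    if policy["firstNameDisallowed"] and given_name and given_name.lower() in lowered:
        violations.append("firstNameDisallowed")
    if any(c in policy["disallowedChars"] for c in password):
        violations.append("disallowedChars")
    if policy["allowedChars"] and any(c not in policy["allowedChars"] for c in password):
        violations.append("allowedChars")
    if any(c not in password for c in policy["requiredChars"]):
        violations.append("requiredChars")
    if any(s.lower() in lowered for s in policy["disallowedSubstrings"]):
        violations.append("disallowedSubstrings")
    # History check against the last numPasswordsInHistory passwords. Plain
    # strings are compared here only to keep the example self-contained.
    n = policy["numPasswordsInHistory"]
    if n and password in list(history)[-n:]:
        violations.append("numPasswordsInHistory")
    return violations
```

With these rules, Welcome1 fails both policies on minSpecialChars, which is why every user in the preceding practice has to pick something like Welcome2! at the forced change; a user in the Finance group is evaluated against policy 2, everyone else against the default policy 1.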



3. Add the warn user to the Finance group so that the new password policy applies.
$OUD_HOME/bin/ldapmodify -h db.example.com -p 1389 -c -D "cn=Directory Manager" -w Welcome1 -f ~/labs/lesson05/warn_finance.ldif

4. Log in to webgate2 (http://oam.example.com:7778) as warn/Welcome1.



5. Select “Change your password now”.
6. Note that the password rules have been changed.

7. You can also use the REST API to confirm which password policy applies to the warn user.

curl -X GET \
  http://oam.example.com:14100/oam/services/rest/access/api/v1/pswdmanagement/UserPasswordPolicyRetriever/warn \
  -u oamadmin:Welcome1 -H 'content-type: application/json'

{"id":"2","minLength":6,"minSpecialChars":1,"startsWithAlphabet":true,
"firstNameDisallowed":false,"lastNameDisallowed":true,"userIdDisallowed":true,
"complexPolicy":false,"passwordExpiresAfterInDays":60,"passwordWarningAfterInDays":53,
"requiredChars":[],"disallowedChars":[],"allowedChars":[],"disallowedSubstrings":[],
"numPasswordsInHistory":3,"lockoutDuration":1,"maxIncorrectAttempts":3,"chSource":0,
"chDefaultQuestions":"","chAllAtOnce":true,"chAllowDuplicateResponses":false,
"chSendMail":false,"chEnabled":false}

Practices for Lesson 6: Configuring Single Sign-On and Managing Sessions
Practices for Lesson 6: Overview

Practices Overview
In these practices, you will perform the following tasks:
• Deploy and configure a customized login page.
• Use the Session Management page to terminate a user session.
• Configure the Oracle Access Manager server to constrain the number of concurrent
sessions that a user is allowed to have.
• Set session management properties on a per-application level.

Practice 6-1: Deploying and Configuring a Custom Login Page with DCC

Overview
In this practice, you customize the login page, demonstrate single sign-on and single logout,
and manage the Oracle Access Manager sessions. You configure Oracle Access Manager to
use a custom-branded login page for the Example Bakery website.
Example Bakery wants its employees to use a login page that has branding similar to the rest of
the Example Bakery site instead of the login page provided by Oracle Access Manager. You
configure Oracle Access Manager to use a customized login page to collect credentials.

Tasks (Perform these steps on the OAM machine.)



1. Verify that, when you access the Example Bakery website on the OHS instance protected
by the WebGate, Oracle Access Manager uses its standard login page:
a. In your browser, access the Example Bakery home page URL:
http://oam.example.com:7777/example.
b. Click Employees. The standard Oracle Access Manager login page appears.
c. Log in as the jwalker user. The Example Bakery Employee portal page appears.
d. Close the browser window.

2. Review the exploded application archive file that contains the customized login page:
a. Open the /home/oracle/labs/lesson06/login/examplelogin.jsp file in a
text editor.
b. Observe the following code in the file:
<form action="/oam/server/auth_cred_submit" method="post"/>
• The form action statement posts back to the required end point on the Oracle
Access Manager server.
• The getParameter code retrieves request_id from the HTTP header and
stores it in a hidden field. The Oracle Access Manager server is provided with this
parameter as required.

3. Deploy the exploded WAR file that contains the customized login page to the managed
server running the My Bank application:
a. Log in to the WLS Admin Console of the OUD domain as the weblogic user.
b. Select odsm_domain > Deployments from the Domain Structure pane. The Summary
of Deployments page appears on the right side of the console window. Click Install.
c. The “Locate Deployment to Install and Prepare for Deployment” form appears. Specify
the value /home/oracle/labs/lesson06/login in the Path field. Click Next.
d. The Choose Targeting Style form appears. Select “Install this Deployment as an
Application” and click Next.

e. The Select Deployment Targets form appears. Select the mybank_svr target. Click
Next.
f. The Optional Settings form appears. Notice that the context for the application is login.
Click Finish.
g. The Summary of Deployments page reappears. The status of the login application
should be Active.
h. Log out of WLS Admin Console.

4. Configure ohs3 to front-end the login application and restart OHS3.


a. In the terminal window on the OAM machine, navigate to the
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs3 directory, edit and
update the mod_wl_ohs.conf file as follows, and save the changes.



LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
<IfModule weblogic_module>
  WebLogicHost db.example.com
  WebLogicPort 7101
  MatchExpression *.jsp
</IfModule>
<Location /login>
  SetHandler weblogic-handler
</Location>

b. Restart the environment for the changes to take effect. Stop the ohs3 instance, Node
Manager, and the Admin server on oam.example.com. Then start the Admin server, Node
Manager, and the ohs3 instance.

5. Specify the custom-branded login page for the LDAPOUDScheme authentication scheme:
a. Log in to Oracle Access Manager as oamadmin. Navigate to Access Manager panel >
Authentication Schemes > Search.

b. Click the LDAPOUDScheme authentication scheme. Change the following values and
click Apply:
Field           Choices or Values
Challenge URL   /login
Context Type    <Blank>



6. Create the /login resource in the webgate3 application domain. Set the protection level to
Excluded.
a. Access the Resource tab of the webgate3 application domain, click Create to add
resources for the custom login module as indicated in the table, and click Apply.
Name               Value
Type               HTTP
Description        Custom Login Page
Host Identifier    webgate3
Resource URL       /login/**
Protection Level   Excluded
b. Click Duplicate, change the resource URL to /login/.../*, and then click Apply.

7. Verify that when you access the Example Bakery website, it uses the Example Bakery
custom-branded login page:
a. In the browser window, clear cookies and cache and restart the browser.
b. Access the Example Bakery home page: http://oam.example.com:7777/example.

c. Click Employees. The Example Bakery login page appears. This is the custom login
page specified:



d. Log in as the jwalker user. The Example Bakery Employee portal page appears.

Practice 6-2: Managing Sessions

Overview
In this practice, you use the session management feature of the OAM Console to view active
user sessions and terminate a user’s session. Both the Firefox and Chrome browsers are used
in this lesson.

Tasks (Perform these steps on the OAM machine.)


1. View the current sessions for a particular user and delete a user session.
a. On the OAM machine, access the Firefox and Chrome browsers. Clear cookies and
cache and restart the Firefox and Chrome browsers.
b. In the Chrome browser, log in to the OAM Console as the oamadmin user and click
Session Management.
c. In the Firefox browser, navigate to the Bakery application home page:
http://oam.example.com:7777/example, click Employees, and log in as the jwalker
user.
d. Return to the Session Management page displayed in the Chrome browser. Type
jwalker in the UserID field and click the Search button. Details of the session for the
jwalker user appear in the session list.
Multiple sessions might exist for the jwalker user because some sessions were
created earlier that were not logged out. If multiple sessions exist, use the Creation
Instant field to locate the most recently created session.
e. Highlight the most recently created session for the jwalker user and click Delete (X
icon).
f. Return to the Firefox browser window and click Employees. You are prompted to
authenticate because your session was terminated by administrative action.
g. Close the Firefox browser.

2. Explore the cookies that are created in the login process for DCC deployment.
a. On the OAM machine, invoke the Firefox browser and clear cookies and cache.
Access the Bakery application (http://oam.example.com:7777/example) and click
Employees.
b. Navigate to Edit > Preferences > Privacy and click “remove individual cookies.” In the
Cookies window, expand oam.example.com.
c. Notice that OAMRequestContext_oam.example.com:7777_<string> and
DCCCtx_oam.example.com:7779 are set for the session. These cookies store the
state of the user’s original request with the resource WebGate and with the
authenticating WebGate (that is, the DCC).
d. Log in as jwalker. View the cookies again. Notice that
OAMRequestContext_oam.example.com:7777_<string> is no longer listed. You should
see the authentication response cookies OAMAuthnCookie_oam.example.com:7777 and
OAMAuthnCookie_oam.example.com:7779.
e. Click the Finance Department Site link (jwalker is a member of the Finance group).
View the cookies again. You should see one additional cookie: the authorization
response cookie (AuthZ_Cookie). You configured this cookie as a response in the
protected resource authorization policy.
f. Access the bank page (http://oam.example.com:7777/mybank), click Sign Off to log out
of the application by invoking the following URL, and observe the URL field.
g. View the cookies again. Notice that the
OAMAuthnCookie_oam.example.com:<port> cookies are no longer present.
These cookies disappear when the authenticated browser session ends.



3. Constrain the number of active sessions to one for all users. Then attempt to start two
concurrent authentication sessions and observe the results.
a. Set the allowed active sessions to 1 by using the OAM Console from the OAM
machine.
1) Log in to the OAM Console and click the Session Management icon.
2) Click Delete All User Sessions.
3) Click Yes to confirm the delete.
4) Access the Configuration tab (at the top). Then click View > Common Settings in
the Common Settings panel.
5) Set “Maximum Number of Sessions per User” to 1 and click Apply.
Note: Users can still have more than two active sessions, even though the maximum
number of sessions per user has been set to 1. The session constraint applies to newly
created sessions only.
b. On the DB machine, using a SQL session, verify that there are no active sessions.
Invoke a SQL session, connect to the database as the DEV_OAM user, and run the
following query:
$> sqlplus /nolog
SQL> connect DEV_OAM
Enter password:
Connected.
SQL> desc am_session;
SQL> select userid,create_time from am_session;

Confirm that you see “no rows selected”.

c. On the OAM machine, using the Firefox browser, create a session as the jwalker
user.
1) Access the Firefox browser window. Clear the cookies and cache and restart
Firefox.
2) In Firefox, navigate to the Bakery application home page and then click
Employees. The Bakery application login page appears. Log in as jwalker. The
employee portal appears.

d. On the OAM machine, using the Chrome browser, verify the number of sessions for the
jwalker user.
1) Log in to the OAM Console by using the Chrome browser and click the Session
Management node under the Application Security launch pad.



2) Search for user sessions for jwalker. You should see one session for the
jwalker user.
3) Note the Client IP address. It should show an IP address of the OAM machine
where the session was started.

e. On the DB machine, using SQL, verify the number of session records.
1) On the DB machine, invoke a SQL session.
2) Connect to the database as the DEV_OAM user and run the same query as before:
$> sqlplus /nolog
SQL> connect DEV_OAM
Enter password:
Connected.
SQL> desc am_session;
SQL> select user_id, create_time from am_session;

This time, you should see one record for jwalker.

f. On the DB machine, create a session as the jwalker user by using the Firefox
browser.
1) Invoke the Firefox browser and clear the cookies and cache in the browser.
2) Navigate to the Bakery application home page. Click Employees and log in as
jwalker.

g. On the OAM machine, verify that the previous session has been stopped.
1) On the OAM machine, access the Firefox window in which you accessed the
Example Bakery application as the jwalker user.

2) Click any of the department links and notice that you are presented with a login
page.
The session from the OAM machine was terminated to adhere to the “Maximum
Number of Sessions per User” value of 1.

h. In the OAM Console session on the OAM machine, restore the “Maximum Number of
Sessions per User” parameter to 8 (under Common Settings). Do not forget to click
Apply after you change the value.
1) In the OAM Console, access the Configuration tab (at the top). Then click View >
Common Settings in the Common Settings panel.
2) Set “Maximum Number of Sessions per User” to 8 and click Apply.

Practice 6-3: Setting Up a Delegated Session Administrator

Overview
In this practice, you grant the Session REST API User role to a new administrator. With the role,
the user has access to manage sessions using the session REST API.

In the configuration of our lab environment, the WebLogic user repository is being used as the
System Store and OUD is being used for the Default Store. This means that administrative
users are in the WebLogic user repository and regular users are in OUD. For this practice, you
will add a new administrator to the WebLogic user repository.

Tasks (Perform these steps on the OAM machine.)



1. Log in to the WebLogic console as weblogic.

2. Navigate to Security Realms > myrealm > Users and Groups.

3. Click New and create the David Rose user in the WebLogic repository. Click OK.
Name: drose
Password and Confirm Password: Welcome1

4. Log in to the OAM console as oamadmin.

5. Click Configuration to open the Configuration Launch Pad.

6. Click the Administration icon.

7. Click the Search button and note that only the Administrators group is listed.

8. Click Grant to add a new administrator.

9. In the Add Users and Groups dialog box, enter drose for the name and click Search.

10. Select the drose user from the results and set the role drop-down menu to Session REST
API User.



11. Click Add selected. You now have a new administrator who can only access the Session
REST API.

Practice 6-4: Deleting a User Session with REST

Overview
In this practice, you list a user’s sessions using the Session REST API, and then use the
session ID to delete the session.

The Session REST API uses basic authorization. You will first need to generate a basic
authorization header value for your administrator.

Tasks (Perform these steps on the OAM machine.)


1. Create a new session for the ahall user by accessing the example bakery. Log in as
ahall.



http://oam.example.com:7777/example/internal/employeeHome.html

2. Using a terminal window, generate a basic authorization header value. (Perform this task
on the OAM machine.)

echo -ne "drose:Welcome1" | base64

Select the output of the command and select Edit -> Copy.

3. Use curl to access the Session REST API and retrieve the list of sessions for the ahall
user. Replace the value of the Basic Authorization header with the output from the previous
command.

curl -H "Authorization: Basic ZHJvc2U6V2VsY29tZTE=" \
  -H "Content-Type: application/json" -X POST -d '{"userid":"ahall"}' \
  http://oam.example.com:14100/oam/services/rest/access/api/v1/sessions

4. Because the session ID contains special characters, you must encode the value so that it
can be used as an http query parameter. Run the following Python command and replace
the value between the triple single quotation marks with the value of the sessionId tag
from the previous command.
Note: If multiple sessions from the previous step were returned, simply use the latest
session listed for this step.

python -c "import urllib; print urllib.quote('''02fb3f34-eace-4bfd-b81e-6eeb07d66af0|+PX2A5v24URv0l2qQSv2+BcmKgiiBYhP2KBmVTHQv+Y=''')"

5. Using the encoded session ID from the previous command, delete the user’s session.
Replace the sessionId query parameter value with the output from the previous
command.

curl -H "Authorization: Basic ZHJvc2U6V2VsY29tZTE=" \
  -H "Content-Type: application/json" -X "DELETE" \
  "http://oam.example.com:14100/oam/services/rest/access/api/v1/session?sessionId=8054481b-5853-4fc6-9ed3-6e1f98d6a764%7C%2BPX2A5v24URv0l2qQSv2%2BBcmKgiiBYhP2KBmVTHQv%2BY%3D"

The details of the deleted session are returned.
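Steps 2 to 5 are a small procedure: encode the administrator's credentials for the Authorization header, list the user's sessions, pick one, percent-encode its ID and issue the DELETE. The script below is an added example (my code, not the course's or the product's) that builds those same requests in Python 3 and applies the note in step 4 about choosing the latest session. The API base URL, the drose credentials and the session ID values are the ones used in this practice; the JSON shape of the list-sessions response (a "sessions" list whose entries carry "sessionId", "userid" and "creationTime") is an assumption made for the example, because the course shows only the command and not its output.

```python
"""Build the Session REST API requests from this practice (added example).

Assumptions: the list-sessions response shape in SAMPLE_RESPONSE is
constructed for this example, not taken from the product.
"""
import base64
import json
import urllib.parse
from datetime import datetime

SESSION_API = "http://oam.example.com:14100/oam/services/rest/access/api/v1"


def basic_auth_header(user, password):
    """Same value as `echo -ne "user:password" | base64` in step 2."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def encode_session_id(session_id):
    """Percent-encode the '|', '+' and '=' characters, as step 4 does."""
    return urllib.parse.quote(session_id)


def list_sessions_request(user, password, userid):
    """The POST from step 3: list a user's sessions."""
    return {
        "method": "POST",
        "url": f"{SESSION_API}/sessions",
        "headers": {"Authorization": basic_auth_header(user, password),
                    "Content-Type": "application/json"},
        "body": json.dumps({"userid": userid}),
    }


def delete_session_request(user, password, session_id):
    """The DELETE from step 5: terminate one session by its encoded ID."""
    return {
        "method": "DELETE",
        "url": f"{SESSION_API}/session?sessionId={encode_session_id(session_id)}",
        "headers": {"Authorization": basic_auth_header(user, password),
                    "Content-Type": "application/json"},
    }


def latest_session_id(response_text):
    """Pick the most recently created session (the step 4 note).

    Field names other than sessionId are assumed for this example.
    """
    sessions = json.loads(response_text)["sessions"]
    newest = max(sessions, key=lambda s: datetime.fromisoformat(s["creationTime"]))
    return newest["sessionId"]


# Constructed list-sessions response with two sessions for ahall; the IDs are
# the two sample values used in steps 4 and 5.
SAMPLE_RESPONSE = json.dumps({"sessions": [
    {"sessionId": "8054481b-5853-4fc6-9ed3-6e1f98d6a764|+PX2A5v24URv0l2qQSv2+BcmKgiiBYhP2KBmVTHQv+Y=",
     "userid": "ahall", "creationTime": "2020-01-15T09:01:00"},
    {"sessionId": "02fb3f34-eace-4bfd-b81e-6eeb07d66af0|+PX2A5v24URv0l2qQSv2+BcmKgiiBYhP2KBmVTHQv+Y=",
     "userid": "ahall", "creationTime": "2020-01-15T09:12:30"},
]})


if __name__ == "__main__":
    print(list_sessions_request("drose", "Welcome1", "ahall"))
    print(delete_session_request("drose", "Welcome1", latest_session_id(SAMPLE_RESPONSE)))
```

The functions return the request pieces rather than sending them, so the values can be compared with the curl commands above before any call is made against the server; `urllib.parse.quote` is the Python 3 equivalent of the `urllib.quote` used in step 4 and produces the same `%7C`, `%2B` and `%3D` escapes.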



6. In your browser session, refresh the page and note that you are forced to log in again to the
example bakery webpage.

http://oam.example.com:7777/example/internal/employeeHome.html

7. Log in to the example bakery application as ahall.

8. You will now delete the new session for the ahall user using only the userid.

9. Delete all sessions for the ahall user. The command returns details for the sessions.

curl -H "Authorization: Basic ZHJvc2U6V2VsY29tZTE=" \
  -H "Content-Type: application/json" -X "DELETE" \
  http://oam.example.com:14100/oam/services/rest/access/api/v1/session?userId=ahall

Practices for Lesson 7: Using Oracle Access Management with WebLogic Applications
Practices for Lesson 7: Overview

Practices Overview
These practices illustrate the use of the Oracle Access Manager identity assertion provider.
With the Oracle Access Manager identity assertion provider deployed in a WebLogic domain, an
application running in that domain can use Oracle Access Manager as the perimeter
authenticator. That application can then, as part of authentication, have the Oracle Access
Manager server assert the username so that the application can retrieve the username and use
it as needed.
You start these practices by reviewing a sample application that uses HTTP basic
authentication: one of the authentication mechanisms that are built into all J2EE web containers.
Then you deploy the application and run it. The web container handles application security, and
the application can retrieve the username, but single sign-on is not available.
You then modify the sample application so that it uses an external authenticator. You configure
the OHS instance on which the WebGate is installed to serve the sample application, thus
allowing the WebGate to protect the sample application. Then you configure the security realm
in WebLogic Server to use the Oracle Access Manager identity assertion provider.
When you test the sample application after performing these steps, you observe the following:
• The Oracle Access Manager server collects user credentials and authenticates users.
• The Oracle Access Manager identity assertion provider makes the username available
to the application.
• Single sign-on is available for the user.

Practice 7-1: Deploying the Sample Application with Basic Authentication

Overview
In this practice, you review the security configuration in your WebLogic domain. Then you
review code in the sample jee application and deploy the application on the WebLogic
administration server. Although the sample application is written in Java, you do not need to
know Java to complete this practice.
You examine the deployment descriptors in the sample application. Then you run the sample
application and observe its behavior.

Assumptions
N/A

Tasks (Perform these tasks on the DB machine.)


1. Review the security configuration in the myrealm security realm in the OUD domain on the
DB machine.
a. On the DB machine, log in to the WLS Admin Console for the OUD domain as the
weblogic user.
b. Select odsm_domain > Security Realms in the Domain Structure pane. The “Summary
of Security Realms” page appears on the right side of the console window.
c. Select the myrealm security realm. The settings for the My Realm page appear.
d. Click the Providers tab. The Authentication Providers page appears.
e. Observe that the DefaultAuthenticator provider appears. It enables user authentication
to the WebLogic Server-embedded LDAP server and is configured in security realms
by default.

2. Review the sample application that you have to deploy to WebLogic Server.
a. In a terminal window, copy the application to a temporary location.
$> cd ~/labs/lesson07
$> mkdir ~/lesson7_temp
$> cp -r jee ~/lesson7_temp
b. Open the Servlet1.java file in $HOME/lesson7_temp/jee/WEB-INF/source.
c. Locate the following line in the file:
out.println("<p>The servlet has received a GET. This is the
reply for " + request.getRemoteUser() + ".</p>");
• The println method writes text to a dynamically generated HTML page.
• The value of the variable is generated by the getRemoteUser method, which is a
method in the HttpServletRequest class. The getRemoteUser method
returns the username of the user who has authenticated to the system.

• When you run the sample application, a line with the above text, followed by the
username with which you authenticated, appears.
d. Close the Servlet1.java file.

3. Review the security constraints in the application.


a. In a terminal window, change the directory to $HOME/lesson7_temp/jee/WEB-INF,
open the web.xml file, and locate the following line in the file:
<auth-method>BASIC</auth-method>
The <auth-method> statement specifies the HTTP basic authentication method. The
HTTP basic authentication method displays a dialog box to collect the username and
password.
When you modify the jee application to use an identity assertion provider in a
subsequent practice, you change the <auth-method> statement.



b. Review the <security-constraint> and <security-role> sections of the
web.xml file.
These sections, which are required for the HTTP basic authentication method, describe
how the application should be protected. Application security is defined as follows:
• <security-constraint> section: HTTP GET, POST, DELETE, PUT, HEAD,
OPTIONS, and TRACE operations on the /servlet1 URL are permitted for users in the
all-authenticated-users role. HTTP methods are defined by RFC 7231 for the HTTP
1.1 specification.
• <security-role> section: The only role used by this web application is the
all-authenticated-users role.
c. Close the web.xml file.
Note: The weblogic.xml file maps the all-authenticated-users role named in the
web.xml file to the users group in the WebLogic Server security domain. The users
group is a default WebLogic Server group containing all users who have been
authenticated. The users group does not appear in the WebLogic Console.

4. Deploy the sample jee application to mybank_svr in the OUD domain.


a. In the WLS Admin Console for the OUD domain, select odsm_domain > Deployments
in the Domain Structure pane.
The “Summary of Deployments” page appears on the right side of the console window.
b. Click Install.
The “Locate deployment to install and prepare for deployment” form appears.
c. Enter /home/oracle/lesson7_temp/jee in the location field and make sure that,
in the Current Location field, the option button to the left of the value jee is selected.
Then click Next.
d. Select “Install this deployment as an application” and click Next.
e. Select mybank_svr as the target in the “Select deployment targets” form and click Next.

f. Click Finish in the Optional Settings form.
The “Summary of Deployments” page reappears. The jee application should appear in
the list with the Active status.
Verify that the status of the jee application is Active.

5. Verify the access to the application.


a. In the browser window, log out of the WLS Admin Console.
b. Clear cookies, cache, and active logins.
c. Close your browser and then restart it.
d. Access the http://db.example.com:7101/jee/servlet1 URL in a browser.
The HTTP basic authentication dialog box appears:

e. Log in as the weblogic user.
The following message appears: “The servlet has received a GET. This is the reply for
weblogic.”
The weblogic user is present in the WebLogic-embedded LDAP database. Therefore,
WebLogic Server uses the DefaultAuthenticator provider for authentication.
The getRemoteUser method returned the name of the user who has authenticated to
the system: the weblogic user.

6. Review browser cookies:


a. In the browser, select Edit > Preferences > Privacy > Remove Individual Cookies.
b. Expand the Site node in the Cookies dialog box. Verify that no cookies associated with
Oracle Access Manager single sign-on are present.
Note: You should see only the JSESSIONID cookie.
c. Close the dialog boxes.
d. Clear cookies, cache, and active logins. Close your browser and then restart it.

7. Access the jee sample application as the jwalker user.


a. In the browser window, access the URL http://db.example.com:7101/jee/servlet1.

b. Try to log in as jwalker. The login page keeps repeating without showing the
resulting page.
c. Review browser cookies. Verify that no cookies associated with Oracle Access
Manager single sign-on are present. (You should see only the JSESSIONID cookie.)

Practice 7-2: Configuring OAM Authentication for a Sample Application

Overview
In this practice, you perform the following:
• Reconfigure the application to use OAM authentication rather than its own security.
• Redeploy the revised application.
• Modify the mod_wl_ohs.conf file of the Oracle HTTP Server instance on which WebGate is installed.
• After modifying the mod_wl_ohs.conf file, you restart the OHS instance so that the changes take effect. Then you execute the sample application to verify that the sample application is protected by WebGate.

Tasks (Perform these tasks on the DB machine.)
1. Modify the jee sample application’s deployment descriptor:
a. Make a backup copy of $HOME/lesson7_temp/jee/WEB-INF/web.xml.
b. $> cd ~/lesson7_temp/jee/WEB-INF
$> cp web.xml web.xml_old
c. Edit the web.xml file and remove the following sections from the file:
• The section starting with the <security-constraint> tag and ending with the </security-constraint> tag
• The section starting with the <security-role> tag and ending with the </security-role> tag
d. Change the authentication method. Modify the line with the <auth-method> tag to
have the following content: <auth-method>CLIENT-CERT</auth-method>.
Specifying the value CLIENT-CERT in the <auth-method> tag triggers WebLogic
Server to use an external authentication method determined by the WebLogic Server
security domain.
e. Verify that the web.xml file has the following content. Save your changes to web.xml.
<?xml version = '1.0' encoding = 'UTF-8'?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>Servlet1</servlet-name>
    <servlet-class>jee.Servlet1</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Servlet1</servlet-name>
    <url-pattern>/servlet1</url-pattern>
  </servlet-mapping>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
</web-app>
f. Rename weblogic.xml to weblogic.xml_old.
$> mv weblogic.xml weblogic.xml_old
The content in the weblogic.xml file is no longer needed in the deployment descriptor because of your modifications to the web.xml file. By renaming this file, it is not used when you redeploy the jee application.

2. Redeploy the jee sample application:
a. Select odsm_domain > Deployments in the Domain Structure pane. The “Summary of
Deployments” page appears on the right side of the console window.
b. Locate the entry for the jee application in the list of deployed applications.
c. Select the check box to the left of the entry for the jee application.
d. Click Update. The Update Application Assistant appears.
e. Click Finish.
f. The status of the jee application should be Active.

3. On the OAM machine, configure OHS1 to front-end the application so that the application
can be protected using the WebGate.
a. In a terminal window, open the $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/mod_wl_ohs.conf file with the gedit or vi text editor.
b. Append the following text lines at the end of the file:
<Location /jee>
SetHandler weblogic-handler
</Location>
Note: After appending the lines for /jee, the OHS instance will front-end both /mybank
and /jee.
c. Save and close mod_wl_ohs.conf.
d. On the OAM machine, stop the OHS1 component using EM. Stop the Node Manager
and admin server. Start the admin server, Node Manager, and OHS1.

4. Test the application access mechanism through OHS1 now.
a. In your browser window, clear cookies, cache, and active logins.
b. Close your browser and then restart it.
c. Access the jee sample application, but protected by Oracle Access Manager
WebGate. Enter the following URL in a browser:
http://oam.example.com:7777/jee/servlet1.
The DCC login page appears, demonstrating that the sample application is now being
protected by WebGate.
Note: The Bakery login page will appear. The
http://oam.example.com:7779/login/?resource_url= login URL confirms
that the DCC webgate is protecting the application.
d. Log in as the jwalker user.
You may be presented with the login page from myrealm of the OUD Domain if you had not cleared the cookies.

5. Set up an IPlanetAuthenticator provider for OUD Domain.


a. Log in to the WLS Console as the weblogic user. Select Security Realms > myrealm >
Providers (tab).
b. Click the New button, specify the following values, and click OK:
• Name: OUDAuthenticator
• Type: IPlanetAuthenticator

c. Click the OUDAuthenticator link, set Control Flag to Sufficient, and click Save.

d. On the Provider Specific tab, specify the following and click Save:
• Host: db.example.com
• Port: 1389
• Principal: cn=Directory Manager
• Credential/Confirm Credential: Welcome1
• User Base DN: ou=people, dc=example, dc=com
• User Name Attribute: uid
• Group Base DN: ou=groups, dc=example, dc=com
Note: The default values for the user and group base DN must be changed to reflect the
directory information in OUD.
e. Using the breadcrumb links at the top of the page, navigate to the Providers page.
Click the DefaultAuthenticator link and change the control flag to Sufficient. Click Save.

f. Click the Providers breadcrumb link to navigate back to the Providers page. Click the
Reorder button and move OUDAuthenticator to the top of the list of providers. Click
OK.
g. Click Log Out. Then close the browser.
h. Stop My Bank Server using the stopMyBank.sh script from $HOME/setupfiles folder.
Enter the username as weblogic and the corresponding password when prompted.
i. Stop and start the OUD using the desktop icons.
j. Then start My Bank Server using the startMyBank.sh script from $HOME/setupfiles
folder. Enter the username as weblogic and the corresponding password when
prompted.

6. Verify access to the jee/servlet1.


a. Stop all browser windows.
b. Invoke a fresh browser window and clear all cookies.
c. Access the jee servlet at http://oam.example.com:7777/jee/servlet1 and
log in as the ahall user.
The following message appears: “The servlet has received a GET. This is the reply for
null.”
The application is unable to determine that you logged in as the ahall user, so null is
returned. To correct this, you will configure the OAM Identity Asserter in WebLogic.

7. Configure the OAM Identity Asserter in the OUDSM WebLogic domain.


a. Log in as weblogic to the OUDSM domain admin console.
http://db.example.com:7001/console
b. Navigate to Security Realms > myrealm > Providers.
c. Click New and enter OAMAsserter as the name. Select OAMIdentityAsserter as the
type. Click OK.
d. Click the OAMAsserter provider.

e. Note that OAM_REMOTE_USER is selected. The user identity will be extracted from the
HTTP header.

8. Stop and restart the mybank managed server and OUDSM domain admin server for the
changes to take effect.

9. Access the jee servlet at http://oam.example.com:7777/jee/servlet1 and log in as the ahall user.

10. The following message appears: “The servlet has received a GET. This is the reply for
ahall.”

Practices for Lesson 8: Configuring Auditing and Logging
Practices for Lesson 8: Overview

Practices Overview
In these practices, you configure the auditing and logging capabilities of Oracle Access
Manager, examine files, and run reports.
You review the configuration of Oracle Access Manager auditing as follows:
• Capture auditing information
• Write audit records to an Oracle database instead of to a flat file
After you perform these configuration tasks, you configure a preinstalled instance of Oracle
Business Intelligence Publisher (Oracle BI Publisher) to run Oracle Access Manager reports.
You then run a sample report.
For logging, you examine the default logging configuration and the logging output.

Practice 8-1: Configuring Oracle Access Management Server to Write Audit Log Records to an Oracle Database

Overview
In this practice, you review the configuration of the auditing capabilities of Oracle Access
Manager.

Assumptions
N/A

Tasks (Perform these steps on the OAM machine.)


1. Verify that the Oracle Access Manager auditing system is capturing system events:

a. In a terminal window on the OAM machine, change directory to
$DOMAIN_HOME/servers/oam_server1/logs.
$> cd $DOMAIN_HOME/servers/oam_server1/logs
$> ls

Notice the auditlogs directory. This directory contains the bus stop file, audit.log,
for oam_server1.
b. Change the directory to the
$DOMAIN_HOME/servers/AdminServer/logs/auditlogs/OAM directory and,
using the tail or more command, view the audit.log file.
$> tail audit.log

You will see output similar to the following:

2015-04-23 17:36:02.646 "" "ConsoleLogin" true
"UserLogoutSuccess" "drose" "SystemStore_ID=B789942B01BE2D09D5
SystemStore_Name=OUD_Store" - - - - "oam_admin(11.1.2.0.0)" - -
- - - - - - - - "oam_domain"
"a768ca30fc28181c:5c5aa003:14ce290c3db:-8000-0000000000000b04"
"AdminConsole" - - - - - - - "edddr1p2" - "10.150.30.62" - - - -
- - - - - - - - "0" - "" - - - - - - - - - - - - - "AdminServer"
- - - - - - - - - - - "67" - - - -
2015-04-23 17:37:18.345 "UserName=drose
Roles:Groups=OAMSystemAdminGroup OAMAdministrators "
"ConsoleLogin" true "UserAuthorizationSuccess" "drose"
"SystemStore_ID=B789942B01BE2D09D5 SystemStore_Name=OUD_Store" -
- - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "oam_domain"
"a768ca30fc28181c:5c5aa003:14ce290c3db:-8000-0000000000000b16"
"AdminConsole" - - - - - - - "edddr1p2" - "10.150.30.62" - - - -
- - - - - - - - "0" - "10.150.30.62" - - - - - - - - - - - - -
"AdminServer" - - - - - - - - - - - "12" - - - -

2. Change the audit filter setting to All.
a. Log in to the OAM Console as the oamadmin user in the Chrome browser.
b. On the Configuration Launch Pad, and in the Settings panel, click View > Common
Settings and view the Audit Configuration section.

Notice that Filter Preset is set to Low.
c. Change Filter Preset to All and click Apply.
d. Sign out of the OAM Console.
e. Stop the OAM server and WLS admin server by using the desktop icons.
f. Start the WLS admin server and OAM server by using the desktop icons.

3. Review the audit filter setting in the configuration files.


a. In a command window, using the more command, view the oam-config.xml,
component_events.xml (all events defined here), and jps-config.xml files in
the $DOMAIN_HOME/config/fmwconfig directory.
b. You can use the grep command and search for audit, FilterPreset,
auditbusstop, componentEventsFile keywords in oam-config.xml.
c. Also, search for the FilterPresetDefinition keyword in
component_events.xml.
d. Review the audit.log file in the
$DOMAIN_HOME/servers/oam_server1/logs/auditlogs/OAM directory.

4. Generate an audit record by accessing the Example Bakery employee portal, which
requires user authentication:
a. Clear cookies and cache and restart the browser.
b. Navigate to the Bakery application home page.
c. Click Employees. The Example Bakery login page appears.
d. Log in as the ahel user. The employee portal appears.
e. Click the Finance department site. It should display “Oracle Access Manager Operation
Error. Access to the URL /example/internal/finance/financeHome.html has been denied
for user. Contact your website administrator to remedy this problem.” The ahel user is
not in the Finance group and has been denied access as per the authorization policy.
f. Log out by invoking the http://oam.example.com:7777/logout.html URL.

5. Verify that the Oracle Access Manager server auditing system captures more information
after you change the audit filter preset to All:
a. Open the $DOMAIN_HOME/servers/oam_server1/logs/auditlogs/OAM/audit.log file with any text editor and examine the output.
b. Search the audit file for the ahel keyword. The file should now contain records with
initiator as ahel and event types such as Authentication, SessionCreation,
Login, SessionValidation, CheckAuthorization, Authorization,
SessionDestroy, Logout, and so on. You have now confirmed the new audit log
filter setting.
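The bus-stop records shown in step 1 and the per-user check in step 5 are easier to work with when parsed rather than searched by eye. The following is an added Python example, not part of the practice and not Oracle's code: it tokenizes audit.log records (quoted fields may span lines, "-" marks an absent value) and summarizes event types and failed events per initiator. The positional field names and the reading of the bare true/false token as the event status are assumptions inferred from the sample output, and the log lines are constructed.

```python
"""Parse OAM audit "bus stop" records (the audit.log layout shown in step 1)
and summarize them per initiator.  Added example; not Oracle's own code."""
import re
from collections import Counter, defaultdict

# Constructed sample in the audit.log layout: whitespace-separated fields,
# double-quoted strings that may span lines, and "-" for an absent value.
SAMPLE_AUDIT_LOG = '''2015-04-23 17:36:02.646 "" "ConsoleLogin" true "UserLogoutSuccess" "drose" "SystemStore_ID=B789942B01BE2D09D5 SystemStore_Name=OUD_Store" - - - - "oam_admin(11.1.2.0.0)" - - "AdminConsole" - "10.150.30.62" - "0"
2015-04-23 17:37:18.345 "UserName=drose
Roles:Groups=OAMSystemAdminGroup OAMAdministrators " "ConsoleLogin" true "UserAuthorizationSuccess" "drose" "SystemStore_ID=B789942B01BE2D09D5 SystemStore_Name=OUD_Store" - - - - "oam_admin(11.1.2.0.0)" - -
2015-04-23 18:02:11.004 "" "OAMServer" true "Authentication" "ahel" "UserStore_Name=OUD_Store" - - - - - - -
2015-04-23 18:02:12.310 "" "OAMServer" false "CheckAuthorization" "ahel" "Resource=/example/internal/finance/financeHome.html" - - - -
2015-04-23 18:05:40.777 "" "OAMServer" false "CredentialValidation" "testerID" "UserStore_Name=OUD_Store" - - - -
'''

# Assumed meaning of the leading positional fields, inferred from the sample
# output in step 1 (the bus-stop file itself carries no column labels).
FIELDS = ("date", "time", "attributes", "component", "status",
          "event_type", "initiator", "store")

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}$")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')   # quoted string or bare token


def tokenize(text):
    """Yield (value, quoted) pairs; quoted values keep embedded spaces/newlines."""
    for m in TOKEN_RE.finditer(text):
        if m.group(1) is not None:
            yield m.group(1), True
        else:
            yield m.group(2), False


def _to_record(tokens):
    rec = dict(zip(FIELDS, tokens))
    rec["status"] = rec.get("status") == "true"   # bare true/false column (assumed)
    rec["extra"] = tokens[len(FIELDS):]           # remaining positional fields
    return rec


def parse_records(text):
    """Split bus-stop text into records.  A record starts at a bare date token
    followed by a bare time token, so a multi-line quoted field (such as the
    Roles:Groups attribute block) never starts a new record by accident."""
    records, current = [], None
    toks = list(tokenize(text))
    i = 0
    while i < len(toks):
        val, quoted = toks[i]
        nxt_val, nxt_quoted = toks[i + 1] if i + 1 < len(toks) else ("", True)
        if not quoted and not nxt_quoted and DATE_RE.match(val) and TIME_RE.match(nxt_val):
            current = [val, nxt_val]
            records.append(current)
            i += 2
            continue
        if current is not None:       # tokens before the first date are ignored
            current.append(None if (not quoted and val == "-") else val)
        i += 1
    return [_to_record(r) for r in records]


def events_for(records, initiator):
    """Event types recorded for one initiator, in file order (the step-5 check)."""
    return [r["event_type"] for r in records if r.get("initiator") == initiator]


def summarize(records):
    """Per-initiator event-type counts plus a count of events with status false."""
    by_user = defaultdict(Counter)
    failures = Counter()
    for r in records:
        user = r.get("initiator") or "<none>"
        by_user[user][r.get("event_type")] += 1
        if not r["status"]:
            failures[user] += 1
    return by_user, failures


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT_LOG)
    by_user, failures = summarize(recs)
    for user, counts in sorted(by_user.items()):
        print(f"{user}: {dict(counts)} failed={failures[user]}")
```

Point parse_records at the real audit.log contents to get the same per-initiator view of the records written after the filter preset was changed to All.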

Perform the following task on the DB machine.


6. Review the Oracle Database tables that are used to hold OAM audit records.
a. In a terminal window on the DB system, invoke SQL Plus and connect as the DEV_IAU
user.
$> sqlplus /nolog
SQL> connect DEV_IAU
Enter password:
Connected.
b. Execute the select command to display a list of tables created by the RCU:
SQL> select TABLE_NAME from USER_TABLES order by 1;
...
IAU_AUDITSERVICE
IAU_BASE
IAU_COMMON
...
31 rows selected.

c. Execute the select count(*) command to see the number of records in the table.
SQL> select count(*) from IAU_BASE;
You should see that audit records have been written to the database. In OAM 12c, writing audit records to the database is preconfigured.

Perform these tasks on the OAM machine.


7. Review the JDBC data sources for the audit database in WebLogic Server.
a. On the OAM machine, access the Chrome browser, access the WebLogic Console:
http://oam.example.com:7001/console, and log in as the weblogic user.
b. Navigate to oam_domain > Services > Data Sources in the Domain Structure
pane. The “Summary of JDBC Data Sources” page appears on the right panel.
c. Note that the following JDBC data sources have been created during the OAM installation:
opss-audit-DBDS
opss-audit-viewDS
d. Navigate to opss-audit-DBDS > Connection Pool.
e. Note that Properties has user=DEV_IAU_APPEND. This property is used for the
connection to the database to append audit records.

8. Access the Example Bakery application so that several audit records are recorded.
a. Clear cookies and cache and restart the browser.
b. Navigate to the Bakery application home page: http://oam.example.com:7777/example.
c. Click Employees. The Bakery login page appears.
d. Log in as the ahunter user. The employee portal appears.
e. Log out of the Oracle Access Manager session by navigating to the central logout
page: http://oam.example.com:7779/logout.html.

9. View the bus stop of the audit log file.


a. Open the audit.log file in the $DOMAIN_HOME/servers/oam_server1/logs/auditlogs/OAM directory on the OAM machine and review the content in the file. Search for the ahunter keyword.
The auditing subsystem uses the audit.log file as a “bus stop,” that is, an intermediate
cache for audit records before they are written to the audit database.

10. Review the content in the IAU_BASE table in the Oracle database. Perform the following
steps on your database machine:
a. Verify that the sqlplus session is still active in the terminal window you opened
during a previous task. If sqlplus is not active, restart sqlplus and log in as the
DEV_IAU user.

b. Execute the select command to display the number and values of recorded event
types in the IAU_BASE table:
SQL> select count(*) from IAU_BASE;
SQL> select distinct IAU_EVENTTYPE from IAU_BASE order by 1;
c. Review the output from the select command. The output should contain records with
event types such as Authorization, CredentialValidation,
SessionValidation, and Login.
d. Exit sqlplus:
SQL> exit

Practice 8-2: Configuring Oracle BI Publisher to View Audit Reports

Overview
In this practice, you configure Oracle BI Publisher so that you can run reports to analyze
auditing data captured by the Oracle Access Manager server. Oracle BI Publisher is preinstalled
on your DB machine.
You start Oracle BI Publisher and install templates for Oracle Fusion Middleware reports and for
Oracle Access Manager reports. Then you configure Oracle BI Publisher to access the
database in which audit records are located.

Tasks (Perform these tasks on the DB machine.)


1. Start Oracle BI Publisher and verify that no reports that are specific to Oracle Fusion Middleware or Oracle Access Manager have been installed:
a. Stop the OUDSM domain admin server if it is running.
b. Double-click the Start BI Pub Admin and Start BI Pub Server1 icons on the DB
machine desktop. Enter weblogic as username and the password if prompted.
You are starting the admin and managed servers for a WLS installation that is separate
from the OUDSM server.
c. Access the Oracle BI Publisher application at http://db.example.com:9704/xmlpserver
(or simply click the BI Pub bookmark). Log in to Oracle BI Publisher as the weblogic
user.
d. Click Catalog. Expand Shared Folders > Components. No reports that are specific to
Oracle Fusion Middleware or Oracle Access Manager appear among the available
reports.

2. Copy the OAM reports from the OAM machine and set up OAM reports in Oracle BI
Publisher:
a. In a terminal window on the DB machine, navigate to the
$BI_DOMAIN/config/bipublisher/repository/Reports directory.
$> cd $BI_DOMAIN/config/bipublisher/repository/Reports
b. Copy the oam_audit_reports_11_1_2_0_0.zip file from
/u01/app/oracle/product/middleware/iam_home/oam/server/reports
on the OAM machine.
$> scp @oam:/u01/app/oracle/product/middleware/idm/oam/server/reports/oam_audit_reports_11_1_2_0_0.zip .
c. Unzip the oam_audit_reports_11_1_2_0_0.zip file.
$> unzip oam_audit_reports_11_1_2_0_0.zip
d. Delete the META-INF directory (rm -rf META-INF).
e. Also, create the Oracle_Fusion_Middleware_Audit/Component_Specific directory and
copy the reports there.

$> cd $BI_DOMAIN/config/bipublisher/repository/Reports
$> mkdir -p Oracle_Fusion_Middleware_Audit/Component_Specific
$> cd Oracle_Fusion_Middleware_Audit/Component_Specific
$> cp -rp $BI_DOMAIN/config/bipublisher/repository/Reports/OAM .
f. In the browser Oracle BI Publisher window, refresh the /Shared Folders page. A
new folder, OAM, appears in the set of available reports with four groups of reports:

Note: If you want to display FMW reports as well, you can transfer
AuditReportTemplates.jar from the OAM machine
($MW_HOME/oracle_common/modules/oracle.iau/reports directory) to the
DB machine ($BI_DOMAIN/config/bipublisher/repository/Reports
directory) and explode the .jar file. However, you do not perform this step in this
practice.

3. Configure the data source that Oracle BI Publisher uses to access the audit database and
configure Catalog Configuration:
a. Click the Administration link in the top-right corner of Oracle BI Publisher on the DB
machine.
b. Click JDBC Connection in Data Sources.
c. The Data Sources page appears. Verify that the JDBC tab is selected. If the JDBC tab
is not selected, click it.
d. Click Add Data Source.

e. The Add Data Source page appears. Complete the fields on the Add Data Source page
as follows:
Field                   Choices or Values
Data Source Name        Audit
Driver Type             Oracle 11g
Database Driver Class   oracle.jdbc.OracleDriver
Connection String       jdbc:oracle:thin:@db.example.com:1521:orcl
Username                DEV_IAU
Password                Welcome1

f. Click Test Connection. The message “Connection established successfully” should
appear.
g. Click Apply. The Data Sources page appears, with the Audit data source listed
among the available JDBC data sources.

4. Run an Oracle Access Manager audit report in Oracle BI Publisher:


a. In Oracle BI Publisher, click the Catalog link.
b. Expand Shared Folders.
c. Expand OAM.
d. Click Authentication_History under User_Activities. The Authentication History report
appears.
Review the data in the Authentication History report. The report should list recent
authentications to the Oracle Access Manager server.

5. Perform a few access operations to generate records in the audit repository.


a. In another browser window, access the Bakery application and click the Employees
link.
b. Specify an invalid user ID (testerID) and password when you are prompted to
authenticate. Click Login.
You are not granted access to the Bakery employee portal.

6. Rerun the Authentication History report. Details about the unsuccessful authentication
event should appear in the Authentication History report.

7. Run the following Oracle Access Manager reports in Oracle BI Publisher:
• The All_Errors_and_Exceptions report (under Errors_and_Exceptions)
• Dashboard Report (under User Activities)
Review the data in each report after you run the report. The results should be consistent
with Oracle Access Manager activity.
If you have time, use the Bakery and My Bank applications to generate more Oracle Access
Manager audit events and then run reports. Review how the events are captured in the
audit reports.

8. To improve the performance of your practice environment, click the Stop BI Pub and Stop
BI Server1 icons on the desktop of your DB machine to shut down the BI Pub domain.
Note: The details links in the reports do not work. You can resolve this issue by upgrading the 10g format reports by using the following link. Do not do this for this practice.
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1549828.1

Practice 8-3: Reviewing Logs

Overview
In this practice, you start working with the Oracle Fusion Middleware logging subsystem.
You start by shutting down the active servers and deleting the log files. You remove the log files
to ensure that the logging records that you examine are generated only by the activities
performed in this practice. Then you use FMW Control to review the default logging
configuration.

Assumptions
N/A

Tasks (Perform these tasks from the OAM machine unless specifically stated otherwise.)
1. Stop the WebLogic administration server and the managed server instances that run the
Oracle Access Manager server, delete the log files, and then restart the server instances:
a. Stop the AdminServer, Node Manager, and oam_server1 servers.
b. Navigate to the $DOMAIN_HOME/servers/oam_server1/logs directory.
Delete all files that have names starting with the string oam_server1-diagnostic.
If you are not able to delete the oam_server1-diagnostic.log file, wait several
seconds and try again. The servers must be completely shut down before you can
delete this file.
Note: The oam_server1-diagnostic.log file is the active Oracle Access Manager
server log file. Files with the name oam_server1-diagnostic-xx.log (where xx is
a number) are archived log files. You configure the max file size and max directory size
of archived log files in OAM Console > System Configuration > Common
Configuration > Common Settings > Audit Configuration section.
c. Start the AdminServer, Node Manager, and oam_server1 servers.

2. Navigate to the following URL to start FMW Control: http://oam.example.com:7001/em (or click the EM bookmark in Chrome). Log in as the weblogic user.
a. Navigate to the logging configuration, and in the left pane, navigate to WebLogic
Domain > Environment > Servers.
b. Click oam_server1. The oam_server1 page appears. A menu with options to view
configuration objects appears below the oam_server1 label.
c. Select WebLogic Server > Logs > Log Configuration from the menu. The Log
Configuration page appears in FMW Control.

3. Examine the default log levels in the logging configuration:
a. Click the Log Levels tab.
b. Expand the Root Logger > oracle > oracle.oam node in the navigator that appears in
the Logger Name column. Loggers in the oracle.oam node should now be visible:

c. Locate the log level for the oracle logger, which is the parent logger for all Oracle
Fusion Middleware loggers. The oracle logger’s log level is set to the
NOTIFICATION:1(INFO) level.

d. Locate the log level for the oracle.oam logger. The oracle.oam logger’s level is set
to the NOTIFICATION:1 level and is inherited from its parent logger.
e. Browse the list of child loggers of the oracle.oam logger. Each child logger’s log level
is set to the NOTIFICATION:1 level and is inherited from its parent logger.

4. Examine the log file settings in the logging configuration:


a. Review the log file column for the Oracle Fusion Middleware loggers. The odl-
handler log file is listed for all Oracle Fusion Middleware loggers.
b. Click the Log Files tab.

c. Select the entry for the odl-handler log file and click Edit.
d. The Edit Log File dialog box displays the logging configuration for the odl-handler log file. Note the value of the Log Path: ${domain.home}/servers/${weblogic.Name}/logs/${weblogic.Name}-diagnostic.log. This path is the default location of the Oracle Access Manager server and admin server log file.
e. Notice that the default format is ODL text format. Notice that the rotation policy for the
log files can be set to Size Based or Time Based.
f. Click Cancel to close the Edit Log File dialog box without changing the log file
configuration.

5. Review the logging file’s current size and content:


a. Navigate to the $DOMAIN_HOME/servers/oam_server1/logs directory.
b. Note the oam_server1-diagnostic.log file’s size for use in a subsequent step.
c. Open the oam_server1-diagnostic.log file and browse the log messages in the file. The third column of the log file contains the message log level. Verify that only messages with the log levels NOTIFICATION, WARNING, and ERROR are in the log file.

6. Examine the impact of an invalid login on the log file when the default logging configuration
is in effect:
a. Clear cache and cookies for the browser.
b. Access the Bakery application and click the Employees link. Specify a valid user ID
and invalid password when you are prompted to authenticate. Click Login. You are not
granted access to the Bakery employee portal.
c. Now enter an invalid user ID and password and try to log in.
d. Navigate to the $DOMAIN_HOME/servers/oam_server1/logs directory.
e. Note the oam_server1-diagnostic.log file’s size. Compare the file size to the file
size you observed in a previous step. Make a note of the new file size for use in a
subsequent practice.

7. Open the oam_server1-diagnostic.log file and see if you can locate messages that
diagnose why the attempt to authenticate to the Oracle Access Manager server failed.
(Note: Search for the word ERROR or search by the user ID of the person.)

A user tried to log in as ahunter (a valid user) with an incorrect password:


A user tried to log in as vishal (an invalid user):



Practices for Lesson 9: Diagnostics and Troubleshooting

Practices for Lesson 9: Overview

Practices Overview
In these practices, you:
• Use Access Tester to test the connection between the OAM WebGate agent and the
Oracle Access Manager server
• Retrieve diagnostics information by using WLST
• Work with Fusion Middleware Control to view performance information



Practice 9-1: Working with Access Tester

Overview
In these practices, you use Access Tester to test the connection between all the OAM WebGate
agents and the Oracle Access Manager server. You perform the “Is the resource protected?”
test for various resources protected by the OAM WebGate agent. You also observe the
authentication scheme used to protect a particular resource. You eventually use the credentials
to test authentication and authorization to access the resource.
You can also use the Access Tester GUI console to build dummy test cases and then generate
and run the script. You explore all the XML files generated during this process.

Task (Perform these tasks on the OAM machine.)



1. Invoke Access Tester and verify access to the Example Bakery application.
a. In the command-line window, on the OAM machine, navigate to
$ORACLE_HOME/oam/server/tester and enter the following to launch Access
Tester:
$> cd $ORACLE_HOME/oam/server/tester
$> java -jar oamtest.jar

Note: You will receive a severe error message in the terminal window about the
incorrect NAP version being used. You can ignore this message for this version of
OAM.
b. In the Oracle Access Manager Test Tool window, in the Server Connection section,
enter the following and click Connect:
Field Choices or Values
Primary IP Address oam.example.com
Port 5575
Agent ID webgate1 (agent ID is case-sensitive.)

c. Read the messages in the Status section of the window. Also, notice the green check
mark next to the Connect button (to verify that the connection is successful).
Notice that after the connection is successful, you cannot change the connection
details. You have to restart Access Tester to specify a different connection.



d. In the Protected Resource URI section, enter the following and click Validate:
Field Choices or Values
Host oam.example.com
Port 7777
Resource /example/internal



Read the messages in the Status section of the window. Notice the authentication
schema and the redirect URL (this is a protected resource) that are specified.
e. In the User Identity section, enter jwalker as the username and the appropriate
password and then click Authenticate:

Read the messages in the Status section of the window. Notice the user DN, session
ID, and cookie values.
Note: The IP address returned will vary as per your environment.



f. Click the Authorize button and observe the messages (request and responses) in the
status window.

2. Capture the authentication and authorization test cases so that you can automate the tests
later on.
a. In the Oracle Access Manager Test Tool, click Edit > Clear All in the toolbar at the top
of the window.



b. In the Protected Resource URI section, enter the following and click Validate:
Field Choices or Values
Host oam.example.com
Port 7777
Resource /mybank/testheaders.jsp

c. In the User Identity section, enter jwalker as the username and the appropriate
password and click Authenticate.
d. Select File > Save Configuration.
1) In the Selection field, enter
/home/oracle/Desktop/EmployeeConfigHome.xml.



2) Change the Filter from All Files to *.xml.
3) Click OK.

e. Close the Oracle Access Manager Test Tool window.

3. Capture the application access test case and run the test cases.
a. Invoke the Oracle Access Manager Test Tool again.
$> cd $ORACLE_HOME/oam/server/tester
$> java -jar oamtest.jar
b. In the Oracle Access Manager Test Tool, select File > Open Configuration.
1) Enter /home/oracle/Desktop in the Selection field.
2) Change Filter to *.xml.
3) Select the EmployeeConfigHome.xml file and click OK.



c. Click Connect and then click Validate.
d. Select Test > Capture Last ‘validate’ request to initiate capturing the test case.
e. Click Authenticate.
f. Select Test > Capture Last ‘authenticate’ request to continue building the test case.
g. Click Authorize.
h. Select Test > Capture Last ‘authorize’ request to continue building the test case. Notice
that the Capture Queue shows the test cases.
i. Select Test > Generate Script to finish building the test case.
1) Enter /home/oracle/Desktop/EmployeeHomeScript.xml in the Selection
field.
2) Change Filter to *.xml.



3) Click OK.
j. In the Save Warning window, click Yes to clear the captured test case queue.
In the Status section, notice the message Generated Script
‘/home/oracle/Desktop/EmployeeHomeScript.xml’ with three cases.
k. Click the Clear Status Messages icon (bottom-right corner).
l. Select Test > Run Script to run the generated test cases. In the Selection field, type
/home/oracle/Desktop and press Enter. Select EmployeeHomeScript.xml and
press OK. Read the messages in the Status window and note the name of the log file
generated.

4. View the test run log file.


a. Close the Oracle Access Manager Test Tool.
b. In a terminal window, navigate to the $ORACLE_HOME/oam/server/tester
directory.
c. Using more or gedit, explore the following files:
• oamtest_<number>_log.log (log file)
• oamtest_<number>_stats.xml (statistics log)
• oamtest_<number>_target.xml (target script)

Notes About Access Tester


• A long URL can be imported into the Resource panel by copying the resource from the
browser's URL field and then clicking the Import button.
• If you click the Authenticate button a few times and observe the session ID, it does
not change. The tester reuses the same session if the credentials do not change. To
change the session, you must change the credentials.



Practice 9-2: Using WLST

Overview
In these practices, you use the WebLogic Scripting Tool (WLST) to invoke commands related to
OAM. Diagnostic information, such as agent information, usage metrics, identity stores, and
topology, is available via WLST.

Task (Perform these tasks on the OAM machine.)

1. Invoke WLST and explore the OAM-specific commands.


a. On the OAM machine, from the command-line window, navigate to
$ORACLE_HOME/common/bin. Type ./wlst.sh and press Enter.



b. Issue the connect() command to get into online mode (that is, connected to the
admin server, AdminServer).
c. Enter weblogic for the username and the appropriate password. Press Enter to
accept the default for the admin server URL.
d. Issue the following commands one after the other and observe the output:
Step Commands
A. help('oam'): Displays all the commands that are relevant to OAM
B. displayWebgate11gAgent(agentName="webgate1")
C. displayOAMMetrics()
D. displayTopology()
E. displayOAMServer(host="oam.example.com",port="14100")
F. displayUserIdentityStore(name="UserIdentityStore1")
G. displayUserIdentityStore(name="OUD_Store")

e. Exit WLST by using exit().



Practice 9-3: Working with Fusion Middleware Control

Overview
In this practice, you learn how to use FMW Control in an OAM environment.
Note: If you experience performance issues (especially in step 3), you may want to restart the
admin and managed servers.

Tasks (Perform these tasks on the OAM machine.)


1. Invoke FMW Control on the OAM machine.
a. Open the Chrome web browser and access: http://oam.example.com:7001/em.
b. Log in as the weblogic user.



Note: Both WLS Console and EM FMW Control are applications deployed on the
admin server and use WLS-embedded LDAP by default for authentication.
You should see the oam_domain page.
c. Notice the various system components and applications:
1) Internal applications deployed on the admin or managed servers under
Deployments
2) WebLogic domain components: admin server (AdminServer) and managed
server (oam_server1) under Servers
2. Click oam_server1 under Servers. Explore the WebLogic Server menu options, especially
Control, Monitoring, Deployments, and Administration.
3. Select the menu option WebLogic Server > System MBean Browser. In the left pane,
collapse the nodes to view three categories of MBeans: Configuration, Runtime, and
Application Defined.
a. Expand Application Defined MBeans > com.oracle.oam > Server:AdminServer >
Application:oam_admin > oam.wlst > OamWLST. In the right pane, notice all the OAM-
specific WLST commands on the Operations tab. Click displayWebgateAgent. For the
value field, type webgate2 and click Invoke. Notice the Return Value at the bottom.
b. Expand Runtime MBeans > Security > Server: AdminServer >
myrealmOUDAuthenticator. Click the Operations tab in the right pane. Click
userExists. In the Value field, specify jwalker, and click Invoke. Notice the return
value of true. Now enter weblogic in the Value field and click Invoke; notice the
false return value. The weblogic user exists in WLS-embedded LDAP and not in
OUD. You can verify this by clicking myrealmDefaultAuthenticator. Click the
Operations tab in the right pane. Click userExists. In the Value field, specify
weblogic, and click Invoke. Notice the true return value.
Note: OUDAuthenticator uses the OUD user store while the DefaultAuthenticator uses
the WLS built-in user store.



4. Select the menu option WebLogic Server > Monitoring > Performance Summary. Notice the
past 15 minutes of metrics. You can change the slider at the top-right corner to see the
performance metrics at a particular point in time. You can also set the time range for the
performance metrics to be displayed by clicking the Enter Time icon next to the slider.
5. Click the Show Metric Palette button at the top-right corner to select more graphs and
tables showing various metrics on the Performance Summary page. Under Targets, expand
Related Targets > oam_domain and select OAM. Under Metrics, expand Authentication
Aggregates and select all the check boxes below the node. Click the Hide Metric Palette
button. You should now see the new performance metric charts and tables on the
Performance Summary page under Other Targets.
6. You can start and shut down oam_server by using the menu option WebLogic Server >
Control. (Do not perform shutdown at this point.)
7. Explore the options for managing OHS instances. Navigate to WebLogic Domain >
Administration > OHS Instances.
8. Click the ohs1 link and note the options under the Oracle HTTP Server menu. Select Port
Usage to review the ports used by this instance.
