D100926GC20 Ag
Activity Guide
D100926GC20 | D108300
Technical Contributor and Reviewer: Don Bates
Editors: Moushmi Mukherjee, Aju Kumar
2004012020
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Table of Contents
Practices for Lesson 1: Course Overview  5
Practices for Lesson 1  6
Practices for Lesson 2: Introduction to Oracle Access Management  7
Practices for Lesson 2  8
Practices for Lesson 3: Installation and Configuration  9
Practices for Lesson 3: Overview  10
Practice 3-1: Installing Fusion Middleware Infrastructure and Identity and Access Management Products  12
Practice 3-2: Configuring Oracle Access Manager Schema  16
Practices Overview
The following diagram is a topology representation of all the components that you will work with
in the practices. Take a moment to review it. It is recommended that you revisit this diagram
during your lab work to see how the topology is developed in each practice.
DB machine:
JDK_HOME=/u01/app/oracle/product/jdk
ORACLE_HOME=/u01/app/oracle/product/database/db_home
ORACLE_SID=orcl
PATH=$ORACLE_HOME/bin:$PATH
MW_HOME=/u01/app/oracle/product/middleware
OUD_HOME=$MW_HOME/oud_home
ODSM_DOMAIN=/u01/app/user_projects/domains/odsm_domain
OAM machine:
MW_HOME=/u01/app/oracle/product/middleware
JDK_HOME=/u01/app/oracle/product/jdk
ORACLE_HOME=$MW_HOME/iam_home
OHS_HOME=$MW_HOME/ohs_home
DOMAIN_HOME=/u01/app/oracle/admin/domains/oam_domain
d. There are two browsers, Firefox and Chrome, on the OAM machine:
Use Chrome to access Oracle Access Management Console, WLS Console, and
Overview
In this practice, you install Oracle Fusion Middleware and Oracle Identity and Access
Management products on the OAM machine.
Assumptions
To install Oracle Fusion Middleware, you should have installed Oracle Java Development Kit
(JDK) on the machine. In the practice environments, the JDK has already been installed.
Then source the file and repeat Step 1 to check your changes.
. ~/.bash_profile
Overview
In this practice, you create the OAM product schema in an Oracle DB (11.2.0.3) by using the
Repository Creation Utility (RCU).
2. Create Oracle Access Manager schema objects in the Oracle Database by using the
Repository Creation Utility.
a. Run the Repository Creation Utility.
$> cd $MW_HOME/oracle_common/bin
$> ./rcu
Overview
In this practice, you run the Configuration Wizard to create a new WLS domain and configure
the OAM server as part of the domain. Then you start the servers for the first time and configure
the boot.properties file to enable easy startup of WLS servers.
Tasks
1. Create a WLS domain with the OAM server by using the Domain Configuration Wizard.
a. On the OAM machine, launch config.sh from the common Oracle home.
2. Set up the Java heap size parameters to 1024m and 2048m. This will help start the servers
faster.
Edit the setDomainEnv.sh file in the $DOMAIN_HOME/bin folder to set up the heap size
parameters xms and xmx to 1024m and 2048m, respectively.
1) In a terminal window, change directory to the $DOMAIN_HOME/bin folder and
copy setDomainEnv.sh to setDomainEnv.sh.orig.
d. After the admin server has been started, click Start Policy Manager on the desktop. It
invokes a terminal window and starts the Policy Manager server.
When prompted, enter the username weblogic and the password Welcome1.
4. Create the boot.properties file for the admin server and two OAM servers so that you
are not prompted to enter username/password credentials for each stop or start operation.
a. Using the terminal window, create the boot.properties file in the
$DOMAIN_HOME/servers/oam_server1/security folder. For your convenience,
the file has already been created in the $HOME/labs/lesson03 folder. So you can
copy this file to the $DOMAIN_HOME/servers/oam_server1/security folder.
cd $DOMAIN_HOME/servers/oam_server1
mkdir security
cp $HOME/labs/lesson03/boot.properties ./security
b. Create the boot.properties file in the
$DOMAIN_HOME/servers/AdminServer/security folder.
cd $DOMAIN_HOME/servers/AdminServer
mkdir security
cp $HOME/labs/lesson03/boot.properties ./security
c. Similarly, create the boot.properties file in the
$DOMAIN_HOME/servers/oam_policy_mgr1/security folder.
cd $DOMAIN_HOME/servers/oam_policy_mgr1
mkdir security
cp $HOME/labs/lesson03/boot.properties ./security
d. Click Stop OAM Server on the desktop to stop the OAM server and then click Stop
Policy Manager on the desktop. Alternatively, press CTRL-C in the terminal
window of each server to stop it.
Note: You are not prompted for a username and password when stopping the servers,
because you have created the boot.properties file.
e. After the OAM server and Policy Manager have stopped, click Stop Node Manager
and Stop WLS Admin Server.
Overview
In this practice, you log in to the WLS Admin Console, the OAM Admin Console, and EM FMW
Control and then make a brief exploration of the management interfaces. You also validate the
OAM server application deployed on the oam_server1 managed server and the EM and OAM
console applications deployed on the WLS admin server.
Assumptions
Make sure that the admin server and the OAM managed server are up and running before you
start the practice. Perform the steps on the OAM machine.
Tasks
2. Check the default users and groups in the embedded LDAP server. Then set up the
console session timeout property to 86400 [seconds].
a. In the WLS Administration Console, navigate to Domain Structure > oam_domain >
Security Realms by using the left pane.
b. Click myrealm and then click the “Users and Groups” tab. Notice the weblogic user,
which is the default WLS administrator. Click weblogic and then click the Groups tab.
Notice that the weblogic user is a member of the Administrators group.
c. Click the oam_domain link in the domain structure and then click Lock and Edit in the
Change Center.
Note: If you do not see the Lock and Edit button in the Change Center of the console,
perform the following steps to change the WLS admin server from Development Mode to
Production Mode. (You should have selected Production Mode during the configuration of
the domain.)
Click oam_domain.
Select the check box next to Production Mode.
Click Save.
This change will take effect when you restart both servers in the next step.
3. Using the Access Management Console, set up session lifetime and idle timeout properties.
a. In the Chrome browser, click the OAM Console bookmark
(http://oam.example.com:7001/oamconsole). Log in as the weblogic user.
b. Observe the landing page for Oracle Access Management Console. It has three
buttons at the top. Each button opens a launch pad containing functional interfaces
grouped into tiles. The Quick Start Wizards tile on the Application Security tab contains
a link to the SSO Registration Wizard.
c. Access the Configuration Launch Pad in the Access Management Console; then in the
4. Stop and start the administration and managed servers in the OAM domain.
a. Stop the OAM managed server and Policy managed server by using the Stop OAM
Server and the Stop Policy Manager icons on the desktop. After the two managed
servers are stopped, stop the Node Manager and admin server by using the Stop
Node Manager and Stop Admin Server icons.
b. Start the WLS admin server first and then the Node Manager and OAM managed
servers by using the appropriate desktop icons.
Practices Overview
In these practices, you install, configure, and register three OHS instances and three OAM 12c
WebGates. In two cases, the WebGate registration is done by using the Remote Registration
(rreg) tool. In the other case, you use the OAM Console.
After registering the WebGates, you configure Oracle Unified Directory (OUD) as the user store
for OAM.
Finally, you configure the WebGates to communicate with the OAM server using certificate
mode.
Important Note
28 Practices for Lesson 4: System Configuration: Agents, Servers, and Data Sources
Practice 4-1: Configuring Oracle HTTP Server Instances
Overview
In this practice, you configure three Oracle HTTP Server instances: ohs1, ohs2, and ohs3, on
the OAM machine (even machine).
Assumptions
The oam_domain Admin server and oam_server1 are up and running.
3. Click the lock icon in the upper-right corner and select Lock & Edit.
5. Enter ohs1 for the Instance Name and select oam.example.com for the Machine Name.
6. Click OK.
9. Note the ports used for the instance for http, https, and administration.
Note: The ports should be 7777, 4443, and 9999, because these are the default ports for
the first OHS instance.
11. Edit the index.html file in
/u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/instances/ohs1/htdocs/
and set the title directive as follows:
<title>Oracle HTTP Server 12c: OHS1</title>
Launch the browser and enter the URL http://oam.example.com:7777. You should
see the OHS Welcome page with the title you have configured.
13. Open the welcome page for the two new instances to test them.
Practice 4-2: Installing and Configuring WebGates and Registering a
WebGate by Using the OAM Console
Overview
In this practice, you configure an OAM 12c WebGate on the ohs1 OHS instance. Then you run
the EditHttpConf utility, which copies the WebGate template from the WebGate home
directory to the WebGate instance location and updates httpd.conf with an additional line to
include webgate.conf.
You then register the OAM WebGate for the ohs1 instance by using the Access Management
Console.
When EM creates a new OHS instance, there are two directories that are created: the stage
directory and the runtime directory. Changes are propagated from the stage directory to the
Assumption
You completed the previous practice and created the OHS instances.
cd $MW_HOME/webgate/ohs/tools/deployWebGate
./deployWebGateInstance.sh -w \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1 \
-oh $MW_HOME -ws ohs
cacert.pem and cakey.pem to
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/tools/openssl/simpleCA
oblog_config_wg.xml to
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/config
2. Repeat Step 1 for the other two OHS instances, ohs2 and ohs3. Substitute the instance
directory name when you run the deployWebGateInstance.sh command.
./deployWebGateInstance.sh -w \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2 \
-oh $MW_HOME -ws ohs
export LD_LIBRARY_PATH=$MW_HOME/lib
cd $MW_HOME/webgate/ohs/tools/setup/InstallTools
./EditHttpConf -w \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1
tail $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/httpd.conf
5. Repeat the EditHttpConf command for the other two OHS instances, ohs2 and ohs3.
a. For OHS2:
./EditHttpConf -w \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2
b. For OHS3:
./EditHttpConf -w \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs3
6. Next, you register the ohs1 WebGate with OAM. Log in to the OAM admin console as
weblogic/Welcome1.
8. In the SSO Agent Registration Wizard, select WebGate as the Agent Type and click Next.
9. In the Configure stage of the wizard, specify the following property values to register
WebGate:
Note: Because the port for ohs1 was automatically configured, replace 7777 with the port
assigned by EM.
Property Name          Value
Name                   webgate1
Base URL               http://oam.example.com:7777
Host Identifier        webgate1
Security               Open
Auto Create Policies   Selected
Public Resource List   Click Add and specify the Relative URI as /public/index.html
11. Click Download and save the webgate1.zip file to the oracle user home directory.
cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/config
unzip ~/webgate1.zip
rm ~/webgate1.zip
13. Next, you stop the ohs1 component using EM. Log in as weblogic/Welcome1.
http://oam.example.com:7001/em
Alternatively, you can use the command line and skip the next two steps.
cd $DOMAIN_HOME/bin
./stopComponent.sh ohs1
15. Select the row for ohs1 and click Stop. Click Yes to confirm. Click Close.
16. Stop the Node Manager and the Admin Server by pressing CTRL-C in the windows they
are running in or use the desktop icons.
17. Start the Admin Server and Node Manager using the desktop icons. Wait until you see the
message that the ohs1 instance has been updated in the Node Manager Console before
proceeding.
18. Log in to EM and navigate to Weblogic Domain > Administration > OHS Instances.
Note: You can also start ohs1 from the command line and skip the next step.
cd $DOMAIN_HOME/bin
./startComponent.sh ohs1
21. Log in as the weblogic user. The OHS Welcome page should be displayed.
Practice 4-3: Registering WebGates by Using Different Interfaces
Overview
In this practice, you run the rreg registration tool to register an OAM 12c agent in Out-of-Band
mode.
Suppose you have an external partner application called acme.com on the OAM
server. You do not want to give the acme.com application administrators direct
access to the OAM server. You can use Out-of-Band registration mode to register
this external partner application so that the application administrators do not have
access to the server.
The application administrator provides a Request.xml (possibly via email) to a
different OAM server administrator who has the required access to the OAM server.
Assumptions
The OHS instances ohs2 and ohs3 must be up and running. To verify, log in to
EM and navigate to WebLogic Domain > Administration > OHS Instances.
You have configured the WebGate on the ohs2 and ohs3 instances.
OAM11GRequest_ohs2.xml to $MW_HOME/idm/oam/server/rreg/input and ignore
the following three steps:
a. Navigate to $MW_HOME/idm/oam/server/rreg/input and copy
OAM11GRequest.xml.
$> cd $MW_HOME/idm/oam/server/rreg/input
$> cp OAM11GRequest.xml OAM11GRequest_ohs2.xml
3. Run the command-line agent registration utility to register the WebGate on ohs2.
a. Change the directory to $MW_HOME/idm/oam/server/rreg and run the oamreg
utility:
$> cd $MW_HOME/idm/oam/server/rreg
$> ./bin/oamreg.sh outofband input/OAM11GRequest_ohs2.xml
Enter weblogic for the admin username and the corresponding password.
Enter n for two subsequent questions.
You should get the following message after a successful run:
Outofband registration (Part 1) completed successfully! The Response.xml file is
created in the input folder.
Explore the input directory under $ORACLE_HOME/oam/server/rreg to see
the response file webgate2_Response.xml created by the utility. The security
administrator will email this file to the application administrator.
./bin/oamreg.sh outofband ./input/webgate2_Response.xml
4. Verify that the agent and host identifier have been created.
5. Copy the registered WebGate artifacts from the oam output webgate2 directory to the ohs2
webgate config directory.
a. In the terminal window, change the directory to
$MW_HOME/idm/oam/server/rreg/output/webgate2
b. Using the cp command, copy the WebGate artifacts to the WebGate configuration
location.
$> cd $MW_HOME/idm/oam/server/rreg/output/webgate2
$> cp -r * \
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/webgate/config
6. Restart the environment and validate the results.
a. Stop the ohs2 OHS instance, followed by the Node Manager and the Admin Server.
b. Start the Admin Server and Node Manager. Wait until you see the message that the
ohs2 instance has been updated in the Node Manager Console before proceeding.
c. Start the ohs2 OHS instance.
d. In a new web browser window, access the now protected URL,
http://oam.example.com:7778.
Note: You should be redirected to the OAM SSO login page. If you get to the Welcome
page without challenge, clear all the cookies from your browser and try again.
e. Enter weblogic and the password for the user and click Login. The OHS Welcome
page should be displayed.
12. In the Policy Manager interface, click Download and save the webgate3.zip file to the
oracle user home directory.
14. Shut down OHS instance ohs3 using EM or the command line.
16. Start up the environment in the following order:
Admin Server
Node Manager
OHS instance ohs3
17. Invoke a new browser window and access ohs3 in the browser.
http://oam.example.com:7779. Log in as weblogic/Welcome1.
Notes
If you see the Welcome page without being challenged, clear all the cookies from
your browser. Go to Tools > Clear Recent History. Set “Time range to clear” to
Everything. Select the Cookies, Cache, and Active Logins check boxes and click
Clear Now.
Practice 4-4: Configuring a Delegated Administrator in the Embedded
LDAP
Overview
In this practice, you explore the WLS-embedded LDAP directory, which is used to authenticate
the weblogic user (an OAM and WLS administrator).
You also create a new user in WLS-embedded LDAP, and you log in to the OAM Console as
this user. You also prevent the weblogic user and users belonging to the administrators
group in WebLogic LDAP from being able to log in to the OAM Console.
An identity store is a centralized LDAP store in which an aggregation of administrator and user-
oriented data is kept and maintained in an organized way. You can have many user identity
Assumptions
You have completed all the practices until Practice 4-3.
d. Click the “Users and Groups” tab. Notice the weblogic user. Click weblogic and
notice that it is a member of the Administrators group (on the Groups tab). If you
want to create a new user to be a WLS administrator, that user must be a member of
the Administrators group.
e. On another tab of the web browser, log in to the OAM Console as the weblogic user.
Access the Configuration tab (top-right corner) and then click User Identity Stores.
Notice that the Default Store and System Store are set to UserIdentityStore1.
UserIdentityStore1 is used to authenticate WLS/OAM administrators as well as
users for LDAPScheme authentication.
f. Access the Configuration Launch Pad, and click Administration to view the group and
role information. Click Search. Notice that you see only the Administrators group.
Note: You create additional users with different roles in the following tasks.
3. Create two new users (domainadmin and agentadmin) in the WLS-embedded LDAP and
configure the user in OAM as an application domain administrator. This administrator has
delegated privileges across an application domain (for this practice, webgate1).
a. In the Chrome browser, invoke a new tab, log in to the WLS Administration Console as
the weblogic user, and navigate to Domain Structure > Security Realms.
b. Click myrealm and select the Users and Groups tab and click New.
c. Enter domainadmin for the name. Enter the password as Welcome1 and click OK.
d. Similarly (using steps b and c) create the agentadmin user.
e. Log out of the WLS Administration Console.
4. Configure the domainadmin user as an application administrator. This administrator has
delegated privileges across an application domain (for this practice, webgate1).
a. On the OAM Console tab, access the Configuration button on the top-right corner.
Then click the Administration tile. Click Grant on top of the table.
b. Enter domainadmin in the Name field and click the Search button.
c. Select the domainadmin user in the search result and Application Administrator in the
Role menu and click Add Selected.
d. Click the Application Security tab on the top and then click Application Domains in the
Access Manager tile. Click the Search button and click webgate1.
e. Click the Administration tab and then click Grant.
f. Click the Search button, select the domainadmin user, and click Add Selected.
6. Verify the change in the administration interface based on the user who has logged in.
a. Log in to the OAM Console as domainadmin. Note that only the tiles relating to
application administration are visible. Log out of the OAM Console by closing the
browser.
b. Log in to the OAM Console as agentadmin. Note that only the tiles and links related
to agent registration and administration are visible. Close the browser.
Practice 4-5: Configuring OUD as the Identity Store for OAM
Overview
By default, the OAM system store is set to use the WLS-Embedded LDAP. This allows the
authentication of users logging in to the OAM console and protected applications.
In this practice, you:
Configure an existing directory server instance of OUD as the user identity store and
set it as the default store in OAM. You set the LDAP authentication of users for
protected resources against OUD.
Configure an LDAP Authentication Scheme that points to the LDAP module that you
configure to use the OUD identity store.
Verify that you can log in to a protected resource as a user in OUD, which should be
Assumptions
You have completed all the practices until Practice 4-4.
d. Choose the Store type as OUD from the pick list. Specify the rest of the values as
shown:
Field        Value
Store Name   OUD_Store
Store Type   OUD: Oracle Unified Directory
Description  This is the LDAP repository that contains user information and is the authentication provider for all the users except for OAM administrators.
Location     db.example.com:1389
Bind DN      cn=Directory Manager
e. Click Test Connection. Click OK in the Connection Status window. Click Apply to save
the definition.
f. Access the User Identity Stores page, set Default Store to OUD_Store, and then click
Apply.
g. Sign out of the OAM Console.
2. Familiarize yourself with data in OUD by viewing the data by using Oracle Unified Directory
Services Manager (OUDSM).
a. In a Firefox browser, click the OUDSM bookmark. Use the following information to log
in:
Name                 oud1
Server               db.example.com
Administration Port  4444
SSL Enabled          Selected (cannot be changed)
b. If the Server Certificate Validation pop-up window appears, click Yes, trust always.
c. On the Data Browser tab, navigate to the Root > dc=example,dc=com > ou=People
node and expand it. Notice that the uid=ahall user is listed. You will use this user
frequently in later practices.
d. Click the X beside the oud1 tab in the top-left corner to close the OUDSM connection.
e. In the web browser, clear all cookies and launch http://oam.example.com:7779
(welcome-index.html protected using webgate3). You are redirected to the OAM
SSO Login page. Log in as the oamadmin user with the password for the user. You
should be successful and be able to see the Welcome page.
f. Clear the cookies and try logging in as the ahall user with password Welcome1. The
ahall user is in OUD, but not in embedded LDAP.
Note: You see the message “Authentication failed.” The application domain is
protected using embedded LDAP. Because the ahall user is not present in
embedded LDAP, user authentication fails.
3. Create a new LDAP authentication module based on OUD_Store as the user identity store
and use this new module to attach to the LDAP scheme.
a. Log in to the OAM Console as the oamadmin user. Click the Authentication Modules
link in the Plug-ins tile.
Click Create and select Create LDAP Authentication Module. Enter LDAPOverOUD
Practice 4-6: Setting Communication Mode Between Server and
WebGates to Simple
Overview
OAM Security Modes: Secure communication on the NAP channel also requires that each
OAM server and each WebGate agent use the same security mode: Open, Simple, or Cert.
Open: Unencrypted communication. In Open mode, there is no authentication or
encryption between the WebGate and the OAM server. The WebGate does not ask for
proof of the OAM server’s identity, and the OAM server accepts connections from all
WebGates. Use Open mode if communication security is not an issue in your
deployment.
Simple: Encrypted communication through the Secure Sockets Layer (SSL) protocol
For Simple mode encryption, Oracle Access Manager ships a certificate authority with its own
private key, which is installed across all WebGates and OAM servers. For each public key, there
is a corresponding private key that Oracle Access Manager stores in the aaa_key.pem file.
The following files are used for Simple mode security:
cacert.pem: The certificate request, signed by the Oracle-provided openSSL
certificate authority
password.xml: Contains the random global passphrase that was designated during
installation, in obfuscated format. This is used to prevent other customers from using
the same CA. Oracle Access Manager performs an additional password check during
the initial handshake between the OAM agent and the OAM server.
aaa_key.pem: Contains your private key (generated by openSSL)
aaa_cert.pem: Signed certificates in PEM format
Tasks
1. Perform these steps on the OAM machine.
2. Set up the OAM server communication mode to Simple using OAM Console.
a. Log in to the OAM Console as oamadmin. Click the Configuration launch pad button.
Click Server Instances.
b. Click Search. In the results, click the oam_server1 link.
Notice that Security (mode of communication) is set to Open, as set up by default
during the installation.
c. Change the mode from Open to Simple. Click Apply and then click Yes in the Confirm
Edit window.
d. Use EM or the command line to shut down all the OHS Instances.
e. On the OAM Console, navigate to the Configuration Launch Pad. In the Settings tile,
click View > Access Manager. The global passphrase can be set here under Simple
Mode Configuration.
Do not change this value in this practice. The installer generates a random global
passphrase initially, and this can be edited as required by you later. However, note that
changing the global passphrase requires reregistration of all existing agents running in
Simple mode.
c. In a terminal window, navigate to the $DOMAIN_HOME/output directory and notice
that the webgate2 subdirectory has been updated. Observe that aaa_cert.pem,
aaa_key.pem, and password.xml are created along with cwallet.sso and
ObAccessClient.xml.
d. Copy the files from the $DOMAIN_HOME/output/webgate2 directory on the OAM
machine to the
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/webgate/config
directory on the (replace the existing ObAccessClient.xml and cwallet.sso).
$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/webgate/config
$> cp -rp /u01/app/oracle/admin/domains/oam_domain/output/webgate2/* .
f. Stop and start the OAM server, Node Manager, and WLS Admin Server to update the
webgate2 OHS instance runtime configuration. If the Policy Manager server is running,
you can stop it as well.
g. In the OAM Console, navigate to the Launch Pad on the Application Security tab and
click Application Domains in the Access Manager panel.
h. Click Search > webgate2 > Authentication Policies > Protected Resource Policy. Select
LDAPOUDScheme for the Authentication Scheme if it is not already selected. Click
Apply.
4. Clear the cache and use EM or the command line to start the OHS2 instance.
a. Remove the contents of $DOMAIN_HOME/servers/ohs2/cache.
cd $DOMAIN_HOME/servers/ohs2/cache
rm ./*
b. $DOMAIN_HOME/bin/startComponent.sh ohs2
6. Repeat steps 2-3 for webgate1 and webgate3. Note that ohs1 uses webgate1 and ohs3
uses webgate3.
7. Verify the change for webgate2 and webgate3 with the following URLs. Log in as ahall.
http://oam.example.com:7777
http://oam.example.com:7779
Practice 4-7: Configuring Server Certificates
Overview
In this practice, you generate a local certificate authority (CA) that provisions certificates for the
OAM server and WebGates. If you do not have a service contract with a CA or an existing
internal CA, you can easily create one by using the OpenSSL open-source tool. Access
Manager components use X.509 digital certificates in PEM format only.
You also generate both the certificate request (server_req.pem) and the private key
(server_key.pem) for the OAM server. The certificate request will be submitted to the local
CA for issuing the certificate in the next practice.
Prerequisites
b. Change the OpenSSL configuration file so that the SSL files you create are located in
the localCA directory you created.
As root user, edit the /etc/pki/tls/openssl.cnf file and set the dir parameter
to /home/oracle/localCA. Then exit the root user session.
$> su
Password:
#> vi /etc/pki/tls/openssl.cnf
...
[ CA_default]
dir = /home/oracle/localCA
...
#> exit
$>
2. Create the CA, which results in files for the private key and CA root certificate that are used
to sign certificate requests:
$> cd ~/localCA
$> openssl genrsa -aes256 -out rootCA.key 4096
$> openssl req -x509 -new -nodes -key rootCA.key -days 3650 -sha256 -out aaa_chain.pem
Use the following table for response to the prompts from the openssl tool:
Window/Page Description                      Choices or Values
Enter a passphrase for rootCA.key            Welcome1
Verifying - Enter passphrase for rootCA.key  Welcome1
Do not enter the physical host name in the Common Name field while creating the
root CA certificate. Instead, use the oam.example.com alias.
3. Generate the private key and certificate request for the OAM server.
openssl req -new -keyout server_key.pem -out server_req.pem -utf8 -sha256 -days 3650
Note: You must enter the OAM machine host name in the Common Name field value
(unlike the root CA certificate). Enter Welcome1 for the challenge password.
Window/Page Description              Choices or Values
Enter PEM passphrase                 Welcome1
Verifying - Enter PEM passphrase     Welcome1
Country Name (2 letter code)         US
State or Province Name               California
4. Submit the certificate request (server_req.pem) to the CA to get a signed certificate
(server_cert.pem).
Note: The command prompts you to enter the passphrase Welcome1 for the CA signing
key. Notice server_cert.pem (OAM server certificate) in the ~/localCA directory.
openssl x509 -in server_cert.pem -inform PEM -out server_cert.der -outform DER
openssl pkcs8 -topk8 -nocrypt -in server_key.pem -inform PEM -out server_key.der -
6. Obtain the password for the OAM keystore using FMW Control.
a. Invoke the Chrome browser and log in to FMW Control (EM bookmark) as weblogic
user.
b. Navigate to WebLogic Domain > System MBean Browser.
c. In the System MBean Browser, click the Operations tab.
d. Click the search icon and set the type of search to Operations. Enter
credentialFromUDM in the search text and press Enter.
e. Click the credentialFromUDM operation under the Operations tab.
f. Enter oracle.oam.OAMStore as parameter p1 and JKS as parameter p2. Then click
Invoke.
8. Import the private key, CA certificate, and OAM server certificate into the keystore.
a. In the terminal window, import the trusted certificate chain into the keystore by using
keytool. When prompted to trust this certificate, enter yes.
$> cd $JDK_HOME/bin
$> ./keytool -importcert -file ~/localCA/aaa_chain.pem -trustcacerts -storepass <Password_from_MBean Browser> -keystore $DOMAIN_HOME/config/fmwconfig/.oamkeystore -storetype JCEKS
Use the keystore password that you obtained from the System MBean Browser in place of
<Password_from_MBean Browser>.
$> cd $ORACLE_HOME/oam/server/tools/importcert
$> unzip importcert.zip
Note: The command prompts you to enter the Keystore password, which is the
password_from_MBean browser, and the Alias password: Welcome1.
9. Update the PEM keystore alias and password by using the OAM Console.
a. Launch the OAM Console as the oamadmin user and navigate to the Configuration
11. Stop and start the OAM Managed Server, Node Manager, and the Administration Server.
Practice 4-8: Configuring WebGates with Cert Mode
Overview
In this practice, you configure the WebGates with SSL certificates.
Note: aaa_key.pem and aaa_cert.pem (from aaa_req.pem) are reserved names that must
be used for the WebGate private key and the WebGate certificate.
Tasks
1. On the oam machine, generate a certificate request for the WebGates on
oam.example.com.
a. In a terminal window, change the directory to ~/localCA and run the openssl
command to generate the certificate request. Enter Welcome1 for the PEM
$> cd ~/localCA
$> openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8 -sha256
2. Submit the certificate request to the CA. Enter Welcome1 for the rootCA.key passphrase.
$> cd ~/localCA
$> openssl x509 -req -in aaa_req.pem -CA aaa_chain.pem -CAkey rootCA.key -CAserial aaa_chain.srl -sha256 -out aaa_cert.pem -days 3650
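The following script, added here and not part of the Oracle guide, carries out Practice 4-7 steps 2 through 5 and Practice 4-8 steps 1 and 2 non-interactively and then runs the checks worth doing before anything is imported into the keystore: the issued certificates chain to aaa_chain.pem, the server and WebGate CNs are the OAM host name, and the CA's CN is not. It assumes openssl 1.1 or later on the PATH; the subject fields, the Welcome1 default for CA_PASS, and the function names (build_lab_pki, verify_issued_cert and the helpers) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): the local-CA flow of Practices 4-7
# and 4-8 scripted end to end, plus pre-import checks. Assumes openssl 1.1+.
# CA_PASS defaults to the lab passphrase; the subject fields are constructed.
CA_PASS="${CA_PASS:-Welcome1}"

# Self-signed root CA in directory $1 with an RSA key of $2 bits (the guide uses
# 4096). The CA CN is deliberately not the OAM host name, as the guide requires.
make_local_ca() (
  cd "$1" || exit 1
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out rootCA.key "$2" 2>/dev/null || exit 1
  openssl req -x509 -new -key rootCA.key -passin "pass:$CA_PASS" -days 3650 -sha256 \
    -subj "/C=US/ST=California/O=Example/CN=Example Local CA" -out aaa_chain.pem
)

# Key and request in directory $1 with basename $2 (server or aaa) and CN $3.
# -nodes leaves the key unencrypted so the PKCS#8 export below needs no passphrase.
make_request() (
  cd "$1" || exit 1
  openssl req -new -newkey rsa:2048 -nodes -keyout "${2}_key.pem" -out "${2}_req.pem" \
    -utf8 -sha256 -subj "/C=US/ST=California/O=Example/CN=$3" 2>/dev/null
)

# Sign ${2}_req.pem in directory $1 with the local CA. The first signing creates
# aaa_chain.srl; later signings reuse it, like the guide's -CAserial option.
sign_request() (
  cd "$1" || exit 1
  if [ -f aaa_chain.srl ]; then serial="-CAserial aaa_chain.srl"; else serial="-CAcreateserial"; fi
  openssl x509 -req -in "${2}_req.pem" -CA aaa_chain.pem -CAkey rootCA.key \
    -passin "pass:$CA_PASS" $serial -sha256 -days 3650 -out "${2}_cert.pem" 2>/dev/null
)

# DER certificate and unencrypted PKCS#8 DER key, the formats the OAM import tool takes.
export_der() (
  cd "$1" || exit 1
  openssl x509 -in "${2}_cert.pem" -inform PEM -out "${2}_cert.der" -outform DER &&
  openssl pkcs8 -topk8 -nocrypt -in "${2}_key.pem" -inform PEM -out "${2}_key.der" -outform DER
)

# Pre-import checks for ${2}_cert.pem in $1: it chains to aaa_chain.pem, its CN
# is the expected host $3, and the CA's CN is not that host.
verify_issued_cert() (
  cd "$1" || exit 1
  openssl verify -CAfile aaa_chain.pem "${2}_cert.pem" >/dev/null 2>&1 || exit 1
  cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
  case $(cn "${2}_cert.pem") in "CN=$3,"*|"CN=$3") ;; *) exit 1 ;; esac
  case $(cn aaa_chain.pem) in "CN=$3,"*|"CN=$3") exit 1 ;; esac
  exit 0
)

# Full lab flow in directory $1 for OAM host $2 (optional $3 = CA key bits):
# CA, server certificate (4-7), WebGate certificate under the reserved aaa_*
# names (4-8), DER exports for the server, and the checks on both certificates.
build_lab_pki() {
  mkdir -p "$1" || return 1
  make_local_ca "$1" "${3:-4096}" && make_request "$1" server "$2" && sign_request "$1" server &&
  make_request "$1" aaa "$2" && sign_request "$1" aaa && export_der "$1" server &&
  verify_issued_cert "$1" server "$2" && verify_issued_cert "$1" aaa "$2"
}

# Stand-alone run: "sh thisfile.sh run" populates ~/localCA like the lab machine.
if [ "${1:-}" = "run" ]; then
  build_lab_pki "${LAB_CA_DIR:-$HOME/localCA}" oam.example.com && echo "local CA ready"
fi
```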
3. Change the WebGate 12c definition to reflect Cert security mode and specify the agent key
password as Welcome1.
a. Invoke the web browser and access the OAM console. Log in as the oamadmin user.
b. Navigate to Agents > Search. Click the webgate2 agent. Change the security mode to
Cert for the agent and specify the agent key password as Welcome1. Click Apply.
Note: The Agent Key Password field appears only when you select the Cert option
button under Security. When you click Apply, the field disappears.
c. After you see the confirmation that WebGate is configured in Cert mode, click
Download and save the zip file.
Note: The configuration files are saved to the /home/oracle/downloads directory
as <webgate name>.zip.
d. Similarly, using the steps b and c, configure the Cert mode of communication for
$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/webgate/config
$> unzip ~/webgate2.zip
$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs3/webgate/config
$> unzip ~/webgate3.zip
f. Copy the aaa_key.pem, aaa_cert.pem, and aaa_chain.pem files from
~/localCA in the OAM machine to the webgate/config directory of each
WebGate.
$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/config
$> cp /home/oracle/localCA/aaa*pem .
$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/webgate/config
$> cp /home/oracle/localCA/aaa*pem .
$> cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs3/webgate/config
$> cp /home/oracle/localCA/aaa*pem .
4. Update the WebGate’s wallet.
cd $MW_HOME/oracle_common/bin
./orapki wallet add -wallet /u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/ohs1/webgate/config -trusted_cert -cert /u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/ohs1/webgate/config/aaa_chain.pem -auto_login_only
After running the orapki command three times (once each for ohs1, ohs2, and ohs3), copy the
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/config/cwallet.sso and
cwallet.sso.lck files to the local wallet directory, for example:
cd $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/webgate/config
cp -rp cwallet* wallet
5. Verify that the Cert mode of communication is working between WebGate and the OAM
server.
a. Stop all the OHS instances using EM. Stop the OAM server, Node Manager, and
Admin server.
b. Remove the ObAccessClient.xml cached file copy from each WebGate:
cd $DOMAIN_HOME/servers
rm ohs1/cache/ObAccessClient.xml*
rm ohs2/cache/ObAccessClient.xml*
rm ohs3/cache/ObAccessClient.xml*
c. Start the Admin server, Node Manager, and OAM server.
Note: Make sure that you see a message in the node manager console that the
WebGate configurations are being updated, for example, “INFO: Updating instance
ohs2”.
d. After the Admin server has completed starting, start the OHS instances using EM,
command line, or the desktop icon.
e. Invoke the web browser and access http://oam.example.com:7777. Sign in as
jwalker.
Note: If you have trouble configuring cert mode and would like to continue with the
exercises, continue with the next step.
6. Optional: Set the security mode of WebGates and OAM server to Open mode.
a. In the OAM console, navigate to the Configuration panel > Server Instances >
Search > oam_server1.
b. Change the mode to Open. Click Apply. In the Warning window, click OK. In the
Confirm Edit window, click Yes.
c. Navigate to Application panel > Agents > Search. Click the webgate1 agent. Change
the security mode to Open for the agent. Click Apply.
d. Repeat the previous step for webgate2 and webgate3.
e. Stop all the OHS instances.
f. Stop the OAM server, Node Manager, and Admin server.
g. Start the Admin server, Node Manager, and OAM server.
h. Observe that all OHS instances are updated in the Node Manager console.
i. After the Admin server starts, start the OHS instances.
j. Test access to the following links:
http://oam.example.com:7777
http://oam.example.com:7778
http://oam.example.com:7779
Oracle Internal & Oracle Academy Use Only
Practices for Lesson 5:
Configuring DCC, Policies,
and Responses
Practices for Lesson 5: Overview
Practices Overview
In these practices, you deploy two different applications: My Bank and Bakery. You deploy the
My Bank application to WLS as a WAR file. You deploy the Bakery application directly to the
web server (OHS instance).
You then create authentication and authorization policies to protect various resources in these
two applications.
Important Notes
Whenever you obtain unexpected results during this lesson’s practices, it is a good
Overview
In this practice, you create a new managed server and deploy mybank.war to that managed
server.
Setting up OHS as the front end to mybank involves integrating the OHS and WebLogic
servers, because the requests need to be forwarded to the mybank application deployed on
WebLogic Server from the OHS.
Note: The My Bank application is a simple application that does not use a J2EE security model.
If you want to learn how to configure OAM 11g to work with J2EE applications with J2EE
3. Configure Oracle HTTP Server (ohs1) as the front end for the My Bank application.
a. In the terminal window on the OAM machine, navigate to the
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1 directory, edit and
update the mod_wl_ohs.conf file as follows, and save the changes.
Note: For convenience, the required mod_wl_ohs.conf file is available in the
$HOME/labs/lesson05 folder. You can copy that file to the
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1 directory.
<IfModule weblogic_module>
WebLogicHost db.example.com
WebLogicPort 7101
MatchExpression *.jsp
</IfModule>
<Location /mybank>
SetHandler weblogic-handler
#PathTrim /weblogic
#ErrorPage http:/WEBLOGIC_HOME:WEBLOGIC_PORT/
</Location>
Overview
In this practice, you configure webgate3 as the detached credential collector (DCC). You
change the configuration of webgate1 to use webgate3 as the DCC rather than its own
embedded credential collector (ECC).
c. Access the SSO Agents tab and click webgate1. Change the Logout Redirect URL to
http://oam.example.com:7779/oamsso-bin/logout.pl. Click Apply.
Overview
A resource represents a document, entity, or piece of content that is stored on a server and
made available to a large audience. Clients communicate with the server and request the
resource by using a particular protocol (for example, HTTP or HTTPS) that is defined by an
existing resource type.
In this practice, you configure a resource, /mybank/testheaders.jsp, and assign it to the
existing authentication policy, Protected Resource Policy.
After the user is authenticated, the authorization policy for the resource is evaluated to
determine whether the user is permitted access to the resource. Each resource can be
4. Incorporate access based on a temporal condition so that access is allowed only from 9 AM
to 9 PM on Saturdays and Sundays.
Note: The time_check condition is used to specify the day and time when an
authenticated user can access the testheaders.jsp page. If the current day and time
matches that specified in the condition, the check passes, and the user can access the
page.
a. Access the Authorization Policies tab and click Admin_Resource_Policy > Conditions.
Create a time_check condition of type Temporal.
b. In the TEMPORAL window, enter 09:00:00 for Start Time, 21:00:00 for End Time,
select Saturday and Sunday, and click OK.
Overview
Responses are optional actions that are to be taken. A response consists of two parameters (a
type and an expression) and a single output (the value).
The response type denotes the form of action to be taken with the value string. The four types
are:
a. Cookie: Set an HTTP cookie.
b. Header: Set an HTTP request header.
c. Session: Set an attribute on the user’s session.
d. Asserted Attribute: If the identity assertion is selected, then an assertion
Overview
In this practice, you enable password policy validation by OAM. Because users are
authenticated by LDAP, the LDAP password policy will also apply. The OUD installation in the
classroom environment is using the default LDAP policy, which does not impose any
restrictions.
Note: DCC can work with or without implementing OAM password policy validation.
There also can be password policy validation at the native LDAP layer.
cd ~/labs/lesson05
$OUD_HOME/bin/ldapmodify -c -h db.example.com -p 1389 -D "cn=Directory Manager" -w Welcome1 -f OUD_OracleSchema.ldif
$OUD_HOME/bin/ldapmodify -c -h db.example.com -p 1389 -D "cn=Directory Manager" -w Welcome1 -f OUD_OblixSchema.ldif
5. Click Apply.
cd $OUD_HOME/bin
./ldapmodify -h db.example.com -p 1389 -D "cn=Directory Manager" -w Welcome1 -f ~oracle/labs/lesson05/disabled.ldif
Note: Do not use the ldapmodify command that is in the path.
curl -X POST http://oam.example.com:14100/oam/services/rest/access/api/v1/pswdmanagement/UserStatusChanger/disabled -u oamadmin:Welcome1 -H 'content-type: application/json' -d '{"forcepwdchange":"false","locked":"false","disabled":"false"}'
Note: The user you are changing with the REST call is specified as the last part of the URL.
In this example, http://oam.example.com:14100/oam/services/rest/access/api/v1/pswdmanagement/UserStatusChanger/disabled.
19. Set the status of the user to force a password change, using REST.
curl -X POST http://oam.example.com:14100/oam/services/rest/access/api/v1/pswdmanagement/UserStatusChanger/force -u oamadmin:Welcome1 -H 'content-type: application/json' -d '{"forcepwdchange":"true","locked":"false","disabled":"false"}'
dn: uid=force,ou=people,dc=example,dc=com
orcluseraccountlocked: 0
orcluserpwdcantchange: 0
orcluserpwdexpirationdate: 20171224084739Z
orclpwdchangerequired: 1
orcluserpwdneverexpires: 0
orcllockedreason: -1
orcluserpwdwarndate: 20171207084739Z
dn: uid=warn,ou=people,dc=example,dc=com
changetype: add
objectclass: top
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: oblixPersonPwdPolicy
curl -X POST http://oam.example.com:14100/oam/services/rest/access/api/v1/pswdmanagement/UserStatusChanger/locked -u oamadmin:Welcome1 -H 'content-type: application/json' -d '{"forcepwdchange":"false","locked":"false","disabled":"false"}'
Overview
Using the REST API, you can create multiple password policies and assign them to groups. If
multiple password policies apply to a specific user, the policy with the lowest priority is used.
In this practice, you perform the following:
a. Retrieve the default password policy.
b. Create a new group-specific password policy.
c. Test the new password policy.
[{"passwordPolicyInfo":{"id":"1","minLength":1,"minSpecialChars":1,"startsWithAlphabet":true,"firstNameDisallowed":false,"lastNameDisallowed":true,"userIdDisallowed":true,"complexPolicy":false,"passwordExpiresAfterInDays":20,"passwordWarningAfterInDays":3,"requiredChars":[],"disallowedChars":[],"allowedChars":[],"disallowedSubstrings":[],"numPasswordsInHistory":3,"lockoutDuration":1,"maxIncorrectAttempts":3,"chSource":0,"chDefaultQuestions":"","chAllAtOnce":true,"chAllowDuplicateResponses":false,"chSendMail":false,"chEnabled":false}}]
2. Create a new password policy for the Finance group. For your convenience, this command
is saved as ~/labs/lesson05/new_password_policy.txt.
curl -X POST http://oam.example.com:14100/oam/services/rest/access/api/v1/policy/PasswordPolicies -u oamadmin:Welcome1 -H 'content-type: application/json' -d '[{"passwordPolicyInfo":{"id":"2","minLength":6,"minSpecialChars":1,"startsWithAlphabet":true,"firstNameDisallowed":false,"lastNameDisallowed":true,"userIdDisallowed":true,"complexPolicy":false,"passwordExpiresAfterInDays":60,"passwordWarningAfterInDays":53,"requiredChars":[],"disallowedChars":[],"allowedChars":[],"disallowedSubstrings":[],"numPasswordsInHistory":3,"lockoutDuration":1,"maxIncorrectAttempts":3,"chSource":0,"chDefaultQuestions":"","chAllAtOnce":true,"chAllowDuplicateResponses":false,"chSendMail":false,"chEnabled":false},"assignmentRule":{"idStoreRef":"OUD_Store","priority":2,"passwordPolicyID":"2","ruleType":2,"ruleValue":"Finance"}}]'
7. You can also use the REST API to confirm which password policy applies to the warn user.
curl -X GET http://oam.example.com:14100/oam/services/rest/access/api/v1/pswdmanagement/UserPasswordPolicyRetriever/warn -u oamadmin:Welcome1 -H 'content-type: application/json'
{"id":"2","minLength":6,"minSpecialChars":1,"startsWithAlphabet":true,"firstNameDisallowed":false,"lastNameDisallowed":true,"userIdDisallowed":true,"complexPolicy":false,"passwordExpiresAfterInDays":60,"passwordWarningAfterInDays":53,"requiredChars":[],"disallowedChars":[],"allowedChars":[],"disallowedSubstrings":[],"numPasswordsInHistory":3,"lockoutDuration":1,"maxIncorrectAttempts":3,"chSource":0,"chDefaultQuestions":"","chAllAtOnce":true,"chAllowDuplicateResponses":false,"chSendMail":false,"chEnabled":false}
Practices Overview
In these practices, you will perform the following tasks:
Deploy and configure a customized login page.
Use the Session Management page to terminate a user session.
Configure the Oracle Access Manager server to constrain the number of concurrent
sessions that a user is allowed to have.
Set session management properties on a per-application level.
106 Practices for Lesson 6: Configuring Single Sign-On and Managing Sessions
Practice 6-1: Deploying and Configuring a Custom Login Page with
DCC
Overview
In this practice, you customize the login page, demonstrate single sign-on and single logout,
and manage the Oracle Access Manager sessions. You configure Oracle Access Manager to
use a custom-branded login page for the Example Bakery website.
Example Bakery wants its employees to use a login page that has branding similar to the rest of
the Example Bakery site instead of the login page provided by Oracle Access Manager. You
configure Oracle Access Manager to use a customized login page to collect credentials.
2. Review the exploded application archive file that contains the customized login page:
a. Open the /home/oracle/labs/lesson06/login/examplelogin.jsp file in a
text editor.
b. Observe the following code in the file:
<form action="/oam/server/auth_cred_submit" method="post"/>
The form action statement posts back the required end point to the Oracle
Access Manager server.
The getParameter code retrieves request_id from the HTTP header and
stores it in a hidden field. The Oracle Access Manager server is provided with this
parameter as required.
3. Deploy the exploded WAR file that contains the customized login page to the managed
server running the My Bank application:
a. Log in to the WLS Admin Console of the OUD domain as the weblogic user.
b. Select odsm_domain > Deployments from the Domain Structure pane. The Summary
of Deployments page appears on the right side of the console window. Click Install.
c. The “Locate Deployment to Install and Prepare for Deployment” form appears. Specify
the value /home/oracle/labs/lesson06/login in the Path field. Click Next.
d. The Choose Targeting Style form appears. Select “Install this Deployment as an
Application” and click Next.
e. The Select Deployment Targets form appears. Select the mybank_svr target. Click
Next.
f. The Optional Settings form appears. Notice that the context for the application is login.
Click Finish.
g. The Summary of Deployments page reappears. The status of the login application
should be Active.
h. Log out of WLS Admin Console.
5. Specify the custom-branded login page for the LDAPOUDScheme authentication scheme:
a. Log in to Oracle Access Manager as oamadmin. Navigate to Access Manager panel >
Authentication Schemes > Search.
b. Click the LDAPOUDScheme authentication scheme. Change the following values and
click Apply:
Field Choices or Values
7. Verify that when you access the Example Bakery website, it uses the Example Bakery
custom-branded login page:
a. In the browser window, clear cookies and cache and restart the browser.
b. Access the Example Bakery home page: http://oam.example.com:7777/example.
c. Click Employees. The Example Bakery login page appears. This is the custom login
page specified:
Practice 6-2: Managing Sessions
Overview
In this practice, you use the session management feature of the OAM Console to view active
user sessions and terminate a user’s session. Both the Firefox and Chrome browsers are used
in this lesson.
2. Explore the cookies that are created in the login process for DCC deployment.
a. On the OAM machine, invoke the Firefox browser and clear cookies and cache.
Access the Bakery application (http://oam.example.com:7777/example) and click
Employees.
b. Navigate to Edit > Preferences > Privacy and click “remove individual cookies.” In the
Cookies window, expand oam.example.com.
c. Notice that OAMRequestContext_oam.example.com:7777_<string> and
DCCCtx_oam.example.com:7779 are set for the session. These cookies store the
state of the user’s original request with the resource WebGate and the
authenticating WebGate (that is, the DCC).
d. Log in as jwalker. View the cookies again. Notice that
OAMRequestContext_oam.example.com:7777_<string> is no longer listed. You should
see the authentication response cookies OAMAuthnCookie_oam.example.com:7777 and
OAMAuthnCookie_oam.example.com:7779.
e. Click the Finance Department Site link (jwalker is a member of the Finance group).
View the cookies again. You should see one additional cookie: the authorization
response cookie (AuthZ_Cookie). You configured this cookie as a response in the
protected resource authorization policy.
f. Access the bank page (http://oam.example.com:7777/mybank), click Sign Off to log out
of the application by invoking the following URL, and observe the URL field.
g. View the cookies again. Notice that the
OAMAuthnCookie_oam.example.com:<port> cookies are no longer present.
These cookies disappear when the authenticated browser session ends.
c. On the OAM machine, using the Firefox browser, create a session as the jwalker
user.
1) Access the Firefox browser window. Clear the cookies and cache and restart
Firefox.
2) In Firefox, navigate to the Bakery application home page and then click
Employees. The Bakery application login page appears. Log in as jwalker. The
employee portal appears.
d. On the OAM machine, using Chrome browser, verify the number of sessions for
jwalker user.
1) Log in to the OAM Console by using the Chrome browser and click Session
Management node under the Application Security launch pad.
f. On the DB machine, create a session as the jwalker user by using the Firefox
browser.
1) Invoke the Firefox browser and clear the cookies and cache in the browser.
2) Navigate to the Bakery application home page. Click Employees and log in as
jwalker.
g. On the OAM machine, verify that the previous session has been stopped.
1) On the OAM machine, access the Firefox window in which you accessed the
Example Bakery application as the jwalker user.
2) Click any of the department links and notice that you are presented with a login
page.
The session from the OAM machine was terminated to adhere to the “Maximum
Number of Sessions per User” value of 1.
h. In the OAM Console session on the OAM machine, restore the “Maximum Number of
Sessions per User” parameter to 8 (under Common Settings). Do not forget to click
Apply after you change the value.
1) In the OAM Console, access the Configuration tab (at the top). Then click View >
Common Settings in the Common Settings panel.
2) Set “Maximum Number of Sessions per User” to 8 and click Apply.
Practice 6-3: Setting Up a Delegated Session Administrator
Overview
In this practice, you grant the Session REST API User role to a new administrator. With the role,
the user has access to manage sessions using the session REST API.
In the configuration of our lab environment, the WebLogic user repository is being used as the
System Store and OUD is being used for the Default Store. This means that administrative
users are in the WebLogic user repository and regular users are in OUD. For this practice, you
will add a new administrator to the WebLogic user repository.
3. Click New and create the David Rose user in the WebLogic repository. Click OK.
Name: drose
Password and Confirm Password: Welcome1
7. Click the Search button and note that only the Administrators group is listed.
9. In the Add Users and Groups dialog box, enter drose for the name and click Search.
10. Select the drose user from the results and set the role drop-down menu to Session REST
API User.
Practice 6-4: Deleting a User Session with REST
Overview
In this practice, you list a user’s sessions using the Session REST API, and then use the
session ID to delete the session.
The Session REST API uses basic authorization. You will first need to generate a basic
authorization header value for your administrator.
2. Using a terminal window, generate a basic authorization header value. (Perform this task
on the OAM machine.)
Select the output of the command and select Edit -> Copy.
3. Use curl to access the Session REST API and retrieve the list of sessions for the ahall
user. Replace the value of the Basic Authorization header with the output from the previous
command.
4. Because the session ID contains special characters, you must encode the value so that it
can be used as an http query parameter. Run the following Python command and replace
the value between the triple single quotation marks with the value of the sessionId tag
from the previous command.
Note: If multiple sessions from the previous step were returned, simply use the latest
session listed for this step.
5. Using the encoded session ID from the previous command, delete the user’s session.
Replace the sessionId query parameter value with the output from the previous
command.
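For steps 2 through 5 of this practice, the following POSIX sh functions, added here and not from the Oracle guide, build the Basic authorization header value, flag the common mistake of encoding a trailing newline into it, and percent-encode a session ID for the sessionId query parameter. They assume openssl on the PATH for base64; the Session REST API path is not given in the guide, so the stand-alone run uses a marked placeholder, the sample session ID is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example for Practice 6-4 (not from the Oracle guide). POSIX sh plus
# openssl for base64. drose/Welcome1 are the lab values from Practice 6-3; the
# session ID and endpoint placeholder below are constructed for this example.

# Basic header value for user $1 and password $2. printf (not echo) is used so
# that no trailing newline ends up inside the encoded credential.
basic_auth_header() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | openssl base64 -A)"
}

# Return 0 if the credential in header value $1 ends in a newline, which is the
# symptom of having produced the base64 with "echo" instead of "printf"/"echo -n".
basic_header_has_newline() {
  last=$(printf '%s' "${1#Basic }" | openssl base64 -d -A | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Percent-encode $1 for use as a URL query value. Only RFC 3986 unreserved
# characters pass through; everything else (including the + / = * characters
# that occur in OAM session IDs) becomes %XX, so the server reads back the
# exact original ID instead of turning "+" into a space or truncating at "=".
urlencode() {
  s=$1; out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# Delete URL for session $2 under Session REST API base URL $1.
session_delete_url() {
  printf '%s?sessionId=%s' "$1" "$(urlencode "$2")"
}

# Stand-alone demonstration with a constructed session ID. The endpoint path is
# an ASSUMED placeholder: the guide does not show the Session REST API path.
SAMPLE_SID='6c1e2e3d-1a2b-4c5d-9e8f-0a1b2c3d4e5f*AAJTSQACMDIAAlNLABQ+abc/def=='
echo "Authorization: $(basic_auth_header drose Welcome1)"
session_delete_url 'http://oam.example.com:14100/<SESSION_REST_API_PATH>' "$SAMPLE_SID"
echo
```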
http://oam.example.com:7777/example/internal/employeeHome.html
8. You will now delete the new session for the ahall user using only the userid.
9. Delete all sessions for the ahall user. The command returns details for the sessions.
Practices for Lesson 7: Using
Oracle Access Management
with WebLogic Applications
Practices for Lesson 7: Overview
Practices Overview
These practices illustrate the use of the Oracle Access Manager identity assertion provider.
With the Oracle Access Manager identity assertion provider deployed in a WebLogic domain, an
application running in that domain can use Oracle Access Manager as the perimeter
authenticator. That application can then, as part of authentication, have the Oracle Access
Manager server assert the username so that the application can retrieve the username and use
it as needed.
You start these practices by reviewing a sample application that uses HTTP basic
authentication: one of the authentication mechanisms that are built into all J2EE web containers.
Then you deploy the application and run it. The web container handles application security, and
122 Practices for Lesson 7: Use Access Manager With WebLogic Applications
Practice 7-1: Deploying the Sample Application with Basic
Authentication
Overview
In this practice, you review the security configuration in your WebLogic domain. Then you
review code in the sample jee application and deploy the application on the WebLogic
administration server. Although the sample application is written in Java, you do not need to
know Java to complete this practice.
You examine the deployment descriptors in the sample application. Then you run the sample
application and observe its behavior.
Assumptions
2. Review the sample application that you have to deploy to WebLogic Server.
a. In a terminal window, copy the application to a temporary location.
$> cd ~/labs/lesson07
$> mkdir ~/lesson7_temp
$> cp -r jee ~/lesson7_temp
b. Open the Servlet1.java file in $HOME/lesson7_temp/jee/WEB-INF/source.
c. Locate the following line in the file:
out.println("<p>The servlet has received a GET. This is the reply for " + request.getRemoteUser() + ".</p>");
The println method writes text to a dynamically generated HTML page.
The value of the variable is generated by the getRemoteUser method, which is a
method in the HttpServletRequest class. The getRemoteUser method
returns the username of the user who has authenticated to the system.
When you run the sample application, a line with the above text, followed by the
username with which you authenticated, appears.
d. Close the Servlet1.java file.
f. Click Finish in the Optional Settings form.
The “Summary of Deployments” page reappears. The jee application should appear in
the list with the Active status.
Verify that the status of the jee application is Active.
b. Try to log in as jwalker. The login page keeps repeating without showing the
resulting page.
c. Review browser cookies. Verify that no cookies associated with Oracle Access
Manager single sign-on are present. (You should see only the JSESSIONID cookie.)
Practice 7-2: Configuring OAM Authentication for a Sample
Application
Overview
In this practice, you perform the following:
Reconfigure the application to use OAM authentication rather than its own security.
Redeploy the revised application.
Modify the mod_wl_ohs.conf file of the Oracle HTTP Server instance on which
WebGate is installed.
After modifying the mod_wl_ohs.conf file, you restart the OHS instance so that the
changes take effect. Then you execute the sample application to verify that the sample
application is protected by WebGate.
</servlet-mapping>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
</web-app>
f. Rename weblogic.xml to weblogic.xml_old.
$> mv weblogic.xml weblogic.xml_old
3. On the OAM machine, configure OHS1 to front-end the application so that the application
can be protected using the WebGate.
a. In a terminal window, open the
$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/mod_wl_ohs.conf file
with the gedit or vi text editor.
b. Append the following text lines at the end of the file:
<Location /jee>
SetHandler weblogic-handler
</Location>
Note: After appending the lines for /jee, the OHS instance will front-end both /mybank
and /jee.
c. Save and close mod_wl_ohs.conf.
d. On the OAM machine, stop the OHS1 component using EM. Stop the Node Manager
and admin server. Start the admin server, Node Manager, and OHS1.
4. Test the application access mechanism through OHS1 now.
a. In your browser window, clear cookies, cache, and active logins.
b. Close your browser and then restart it.
c. Access the jee sample application, which is now protected by the Oracle Access Manager
WebGate, by entering the following URL in the browser:
http://oam.example.com:7777/jee/servlet1
The DCC login page appears, demonstrating that the sample application is now being
protected by WebGate.
Note: The Bakery login page will appear. The
http://oam.example.com:7779/login/?resource_url= login URL confirms
that the DCC webgate is protecting the application.
d. Log in as the jwalker user.
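The following script is an added example, not part of the Oracle guide, that checks the outcome of steps 2 through 4 offline: it confirms that the application's web.xml uses the CLIENT-CERT login method (the setting that hands authentication to the OAM Identity Asserter), that mod_wl_ohs.conf front-ends the /jee context with the WebLogic handler, and that a redirect target has the shape of the DCC login URL quoted in the note above. The web.xml and mod_wl_ohs.conf contents are constructed strings that mirror the fragments in this practice; in a real check you would read the files from disk.

```python
"""Post-configuration checks for Practice 7-2 (added example, not Oracle's code)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed web.xml excerpt: the jee application after switching to OAM authentication.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>servlet1</servlet-name>
    <servlet-class>example.Servlet1</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>servlet1</servlet-name>
    <url-pattern>/servlet1</url-pattern>
  </servlet-mapping>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
</web-app>
"""

# Constructed mod_wl_ohs.conf excerpt as it looks after step 3b (both contexts front-ended).
MOD_WL_OHS_CONF = """
# OHS1 proxy configuration (constructed sample)
<Location /mybank>
  SetHandler weblogic-handler
</Location>
<Location /jee>
  SetHandler weblogic-handler
</Location>
"""


def auth_method(web_xml):
    """Return the <auth-method> value from a web.xml document, namespace-agnostic."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        if el.tag.rsplit('}', 1)[-1] == 'auth-method':
            return (el.text or '').strip()
    return None


# Matches <Location PATH> ... </Location>; LocationMatch is excluded by the required whitespace.
LOCATION_RE = re.compile(r'<Location\s+(\S+)\s*>(.*?)</Location>', re.S | re.I)
HANDLER_RE = re.compile(r'^\s*SetHandler\s+weblogic-handler\s*$', re.M | re.I)


def weblogic_locations(conf):
    """Map each <Location> path in an OHS config to whether it sets the WebLogic handler."""
    return {m.group(1): HANDLER_RE.search(m.group(2)) is not None
            for m in LOCATION_RE.finditer(conf)}


def is_dcc_login_redirect(url, dcc_host='oam.example.com:7779'):
    """True if url is the DCC login page named in the practice, with a resource_url parameter."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return parts.netloc == dcc_host and parts.path.startswith('/login/') and 'resource_url' in query


def check_practice_7_2(web_xml=WEB_XML, conf=MOD_WL_OHS_CONF, context='/jee'):
    """Return a list of problems; an empty list means the configuration matches the practice."""
    problems = []
    if auth_method(web_xml) != 'CLIENT-CERT':
        problems.append('web.xml: auth-method must be CLIENT-CERT so the OAM Identity Asserter handles login')
    if not weblogic_locations(conf).get(context):
        problems.append('mod_wl_ohs.conf: no <Location %s> block with SetHandler weblogic-handler' % context)
    return problems


if __name__ == '__main__':
    for problem in check_practice_7_2() or ['configuration matches Practice 7-2']:
        print(problem)
```

Run it after step 3d; if it reports a missing Location block, the request to /jee never reaches the WebGate-protected path and the DCC login page in step 4c will not appear.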
c. Click the OUDAuthenticator link, set Control Flag to Sufficient, and click Save.
d. On the Provider Specific tab, specify the following and click Save:
Host: db.example.com
Port: 1389
Principal: cn=Directory Manager
Credential/Confirm Credential: Welcome1
User Base DN: ou=people, dc=example, dc=com
User Name Attribute: uid
Group Base DN: ou=groups, dc=example, dc=com
Note: The default values for the user and group base DN must be changed to reflect the
directory information in OUD.
e. Using the breadcrumb links at the top of the page, navigate to the Providers page.
Click the DefaultAuthenticator link and change the control flag to Sufficient. Click Save.
e. Note that OAM_REMOTE_USER is selected. The user identity will be extracted from the
HTTP header.
8. Stop and restart the mybank managed server and OUDSM domain admin server for the
changes to take effect.
10. The following message appears: “The servlet has received a GET. This is the reply for
ahall.”
Oracle Internal & Oracle Academy Use Only
Practices for Lesson 8: Configuring Auditing and Logging
Practices for Lesson 8: Overview
Practices Overview
In these practices, you configure the auditing and logging capabilities of Oracle Access
Manager, examine files, and run reports.
You review the configuration of Oracle Access Manager auditing as follows:
Capture auditing information
Write audit records to an Oracle database instead of to a flat file
After you perform these configuration tasks, you configure a preinstalled instance of Oracle
Business Intelligence Publisher (Oracle BI Publisher) to run Oracle Access Manager reports.
You then run a sample report.
For logging, you examine the default logging configuration and the logging output.
Overview
In this practice, you review the configuration of the auditing capabilities of Oracle Access
Manager.
Assumptions
N/A
Notice the auditlogs directory. This directory contains the bus stop file, audit.log,
for oam_server1.
b. Change the directory to the
$DOMAIN_HOME/servers/AdminServer/logs/auditlogs/OAM directory and,
using the tail or more command, view the audit.log file.
$> tail audit.log
8. Access the Example Bakery application so that several audit records are recorded.
a. Clear cookies and cache and restart the browser.
b. Navigate to the Bakery application home page: http://oam.example.com:7777/example.
c. Click Employees. The Bakery login page appears.
d. Log in as the ahunter user. The employee portal appears.
e. Log out of the Oracle Access Manager session by navigating to the central logout
page: http://oam.example.com:7779/logout.html.
10. Review the content in the IAU_BASE table in the Oracle database. Perform the following
steps on your database machine:
a. Verify that the sqlplus session is still active in the terminal window you opened
during a previous task. If sqlplus is not active, restart sqlplus and log in as the
DEV_IAU user.
Overview
In this practice, you configure Oracle BI Publisher so that you can run reports to analyze
auditing data captured by the Oracle Access Manager server. Oracle BI Publisher is preinstalled
on your DB machine.
You start Oracle BI Publisher and install templates for Oracle Fusion Middleware reports and for
Oracle Access Manager reports. Then you configure Oracle BI Publisher to access the
database in which audit records are located.
2. Copy the OAM reports from the OAM machine and set up OAM reports in Oracle BI
Publisher:
a. In a terminal window on the DB machine, navigate to the
$BI_DOMAIN/config/bipublisher/repository/Reports directory.
$> cd $BI_DOMAIN/config/bipublisher/repository/Reports
b. Copy the oam_audit_reports_11_1_2_0_0.zip file from
/u01/app/oracle/product/middleware/iam_home/oam/server/reports
on the OAM machine.
$> scp @oam:/u01/app/oracle/product/middleware/idm/oam/server/reports/oam_audit_reports_11_1_2_0_0.zip .
c. Unzip the oam_audit_reports_11_1_2_0_0.zip file.
$> unzip oam_audit_reports_11_1_2_0_0.zip
d. Delete the META-INF directory (rm -rf META-INF).
e. Also, create the Oracle_Fusion_Middleware_Audit/Component_Specific directory and
copy the reports there.
3. Configure the data source that Oracle BI Publisher uses to access the audit database and
configure Catalog Configuration:
a. Click the Administration link in the top-right corner of Oracle BI Publisher on the DB
machine.
b. Click JDBC Connection in Data Sources.
c. The Data Sources page appears. Verify that the JDBC tab is selected. If the JDBC tab
is not selected, click it.
d. Click Add Data Source.
6. Rerun the Authentication History report. Details about the unsuccessful authentication
event should appear in the Authentication History report.
8. To improve the performance of your practice environment, click the Stop BI Pub and Stop
BI Server1 icons on the desktop of your DB machine to shut down the BI Pub domain.
Note: The details links in the reports do not work. You can resolve this issue by upgrading
Overview
In this practice, you start working with the Oracle Fusion Middleware logging subsystem.
You start by shutting down the active servers and deleting the log files. You remove the log files
to ensure that the logging records that you examine are generated only by the activities
performed in this practice. Then you use FMW Control to review the default logging
configuration.
Assumptions
N/A
c. Select the entry for the odl-handler log file and click Edit.
d. The Edit Log File dialog box displays the logging configuration for the odl-handler
log file. Note the value of the Log Path:
${domain.home}/servers/${weblogic.Name}/logs/${weblogic.Name}-
6. Examine the impact of an invalid login on the log file when the default logging configuration
is in effect:
a. Clear cache and cookies for the browser.
b. Access the Bakery application and click the Employees link. Specify a valid user ID
and invalid password when you are prompted to authenticate. Click Login. You are not
granted access to the Bakery employee portal.
c. Now enter an invalid user ID and password and try to log in.
d. Navigate to the $DOMAIN_HOME/servers/oam_server1/logs directory.
e. Note the oam_server1-diagnostic.log file’s size. Compare the file size to the file
size you observed in a previous step. Make a note of the new file size for use in a
subsequent practice.
7. Open the oam_server1-diagnostic.log file and see if you can locate messages that
diagnose why the attempt to authenticate to the Oracle Access Manager server failed.
(Note: Search for the word ERROR or search by the user ID of the person.)
Practices Overview
In these practices, you:
Use Access Tester to test the connection between the OAM WebGate agent and the
Oracle Access Manager server
Retrieve diagnostics information by using WLST
Work with Fusion Middleware Control to view performance information
Overview
In these practices, you use Access Tester to test the connection between all the OAM WebGate
agents and the Oracle Access Manager server. You perform the “Is the resource protected?”
test for various resources protected by the OAM WebGate agent. You also observe the
authentication scheme used to protect a particular resource. You eventually use the credentials
to test authentication and authorization to access the resource.
You can also use the Access Tester GUI console to build dummy test cases and then generate
and run the script. You explore all the XML files generated during this process.
Note: You will receive a severe error message in the terminal window about the
incorrect NAP version being used. You can ignore this message for this version of
OAM.
b. In the Oracle Access Manager Test Tool window, in the Server Connection section,
enter the following and click Connect:
Primary IP Address: oam.example.com
Port: 5575
Agent ID: webgate1 (the agent ID is case-sensitive)
c. Read the messages in the Status section of the window. Also, notice the green check
mark next to the Connect button (to verify that the connection is successful).
Notice that after the connection is successful, you cannot change the connection
details. You have to restart Access Tester to specify a different connection.
Read the messages in the Status section of the window. Notice the user DN, session
ID, and cookie values.
Note: The IP address returned will vary as per your environment.
2. Capture the authentication and authorization test cases so that you can automate the tests
later on.
a. In the Oracle Access Manager Test Tool, click Edit > Clear All in the toolbar at the top
of the window.
c. In the User Identity section, enter jwalker as the username and the appropriate
password and click Authenticate.
d. Select File > Save Configuration.
1) In the Selection field, enter
/home/oracle/Desktop/EmployeeConfigHome.xml.
3. Capture the application access test case and run the test cases.
a. Invoke the Oracle Access Manager Test Tool again.
$> cd $ORACLE_HOME/oam/server/tester
$> java -jar oamtest.jar
b. In the Oracle Access Manager Test Tool, select File > Open Configuration.
1) Enter /home/oracle/Desktop in the Selection field.
2) Change Filter to *.xml.
3) Select the EmployeeConfigHome.xml file and click OK.
Overview
In these practices, you use the WebLogic Scripting Tool (WLST) to invoke commands related to
OAM. Diagnostic information, such as agent information, usage metrics, identity stores, and
topology, is available via WLST.
Overview
In this practice, you learn how to use FMW Control in an OAM environment.
Note: If you experience performance issues (especially in step 3), you may want to restart the
admin and managed servers.