Tuesday, April 30, 2013

11g R2 and 11g R2 PS1 OAM Integration with OAAM

There are three types of integration:

Basic Integration:
Features: Authentication schemes, device fingerprinting, risk analysis, and the Knowledge-Based Authentication (KBA) challenge mechanism. KBA is the only challenge mechanism available in this integration. Libraries and a configuration interface for the different flows (challenge, registration, and so on). Many of the login security use cases available from OAAM.

Advanced Integration:
Features: Authentication schemes, device fingerprinting, risk analysis, and KBA challenge mechanisms.
Advanced features and extensibility such as OTP Anywhere, the challenge processor framework, the shared library framework, and secure self-service password management flows. OAAM can also be integrated with third-party single sign-on products via systems integrators if required.

Advanced Using TAP:
Features: Authentication schemes, device fingerprinting, risk analysis, KBA challenge mechanisms, and additional advanced security access features, such as step-up authentication.
Advanced features and extensibility such as OTP Anywhere, the challenge processor framework, the shared library framework, and secure self-service password management flows.
OAAM can also be integrated with third-party single sign-on products via systems integrators if required.

Prerequisites:

  • For Advanced Integration, OAAM needs its own OAAM managed server (not the OAM managed server)
  • An OAAM Admin server is required
  • An OAAM database is required
  • Supported agents:
    • 10g WebGate and Single Sign-On (OSSO) Agent (for Basic Integration)
    • 10g WebGate (for Advanced Integration)
    • 10g and 11g WebGates (for Advanced using TAP Integration)

Steps: 

To perform the Advanced using TAP integration, first integrate in Advanced mode and then do the additional configuration for the TAP scheme.

For an external LDAP, configure the ID store using idmConfigTool. (http://docs.oracle.com/cd/E37115_01/integration.1112/e27123/idmcfgtool.htm#autoId7)

----------------------------------------------------------------------------------------------------------
Prerequisite for OUD (run the batch files below to extend the OUD schema to support OAAM):

idmConfigTool.bat -preConfigIDStore input_file=OUD.properties

idmConfigTool.bat -prepareIDStore mode=OAAM input_file=OAAM.properties

----------------------------------------

Load the Basic Snapshot of OAAM

For OAAM Admin users and groups, see:

http://www.iamidm.com/2013/04/oaam-11g-r2-ps1-and-11g-r2-default.html

Log in to the OAAM Admin Console (http://localhost:14200/oaam_admin/), click System Snapshots, then Load from File.



If you get the following error:
Failed to load snapshot file The snapshot file should be a ZIP file

then uninstall WinRAR or any other software used to open ZIP files.

Select oaam_base_snapshot.zip from %Middleware_Home%/Oracle_IDM1/oaam/init, click Load, then click Restore.




------------------------------------------------------------------

Validating the Initial Setup:

  • Verify login to the OAM console (localhost:7001/oamconsole). If you can log in successfully, OAM validation is done.
  • Log in to the OAAM Server (http://host:port/oaam_server)
  • Enter any user name and click Continue

  • Enter the password as test

  • The user should be shown the security questions followed by the success screen.



--------------------------------------------------------------------------------
Validating the OHS and WebGate Setup:

  • Make sure that OHS is installed
  • Register the WebGate with the OHS server
  • Make sure that http://OHSURL:PORT/ is protected by OAM
----------------------------------------------------------------------------------
Register the OAAM Server as a Trusted Partner:

After registration, the OAAM Server can communicate with the OAM server using TAP (Trusted Application Protocol) and validate user authentications with OAM so that OAM creates the required cookies.

Steps to register the OAAM Server as a Trusted Partner for OAM:

  • Make sure that the Access Manager server is up and running
  • Navigate to C:\Oracle\Middleware\Oracle_IDM1\common\bin using a command prompt
  • Run the commands as shown below

  • Create a folder for the TAP keystore using another command prompt as shown below

  • registerThirdPartyTAPPartner(partnerName = "OAAMTAPPartner", keystoreLocation= "C:/Oracle/Middleware/Oracle_IDM1/TAP/TapKeyStore/mykeystore.jks", password="Password123", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://chinni-pc:14300/oaam_server/oamLoginPage.jsp")

You should receive a "Registration successful" message.

  • Run exit() to leave the WLST console
-----------------------------------------------------------------


Setting the Agent Password:

The agent password needs to be set because it is used in multiple places for the integration.

  • Log in to the OAM Console --> System Configuration --> Access Manager --> SSO Agents --> open OAM Agents --> Search --> open IAM Suite Agent --> specify the Access Client Password and click Apply
  • Log in to the WebLogic Console --> Security Realms --> myrealm --> Providers --> IAMSuiteAgent --> Provider Specific --> enter the Agent Password and Confirm Password and click Save
Restart all 4 servers (Admin server, OAM managed server, OAAM Admin server and OAAM server).

---------------------------------------------------------------------------

Verify the TAP Partner Registration:

Log in to the OAM Console --> Policy Configuration --> Authentication Schemes --> TAP Scheme

Check the following parameters:
Challenge Mode: DAP
Authentication Module: DAP
Challenge URL: /oaam_server/oamLoginPage.jsp
Challenge Parameters:

TAPPartnerId=OAAMTAPPartner
SERVER_HOST_ALIAS=HOST_ALIAS_1

---------------------------------------------------------------------------
Add a challenge parameter to the TAP authentication scheme (on a new line):

MatchLDAPAttribute=uid

---------------------------------------------------------------------------
Validate the IAMSuiteAgent Setup:

  • Launch OAMTest.jar

  • Test the following:


-------------------------------------------------------------------------------
Setting the TAP Integration Parameters in OAAM:
  • Make sure that the OAAM managed server is up and running
  • Create a new folder temp under the oaam folder
  • Create oaam_cli under temp

  • Copy all files from the cli folder to the temp/oaam_cli folder created in the previous step

  • Navigate to C:\Oracle\Middleware\Oracle_IDM1\oaam\temp\oaam_cli\conf\bharosa_properties and open oaam_cli.properties in an editor (Notepad)

Edit the file as shown below:

Run setupOAMTapIntegration conf/bharosa_properties/oaam_cli.properties

Provide the requested details.
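Since the screenshot of the edited oaam_cli.properties is missing from this post, the following is an added example (not part of the original post and not Oracle's tooling) that updates a Java-style properties file in place while preserving comments, order and unrelated lines, and reports which required keys are still empty before setupOAMTapIntegration is run. The sample file content and the key names oaam.adminserver.hostname, oaam.adminserver.port, oaam.adminserver.username and oaam.adminserver.password are assumptions; check them against your own oaam_cli.properties. The admin password is read from an OAAM_ADMIN_PASSWORD environment variable (also an assumption) so that it is not hard-coded in a script.

```python
"""Update oaam_cli.properties before running setupOAMTapIntegration.

Added example, not Oracle's code. Key names are assumptions about
oaam_cli.properties; verify them against the real file.
"""
import os
import re
from typing import Dict, List

# Constructed sample standing in for oaam_cli.properties (the real file
# is longer and its keys may differ).
SAMPLE_PROPERTIES = """\
# OAAM CLI settings (constructed sample)
oaam.adminserver.hostname=localhost
oaam.adminserver.port=7001
oaam.adminserver.username=weblogic
oaam.adminserver.password=
# A commented-out key must be left untouched
#oaam.unused.key=ignored
"""

# Keys the CLI will need (assumed names); empty values get reported.
REQUIRED = [
    "oaam.adminserver.hostname",
    "oaam.adminserver.port",
    "oaam.adminserver.username",
    "oaam.adminserver.password",
]

# key=value or key:value; lines starting with # or ! are comments.
_KV = re.compile(r"^(\s*)([^#!=:\s][^=:]*?)\s*[=:]\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Return key -> value for every uncommented key=value line."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            props[m.group(2)] = m.group(3)
    return props


def update_properties(text: str, updates: Dict[str, str]) -> str:
    """Set the given keys in place; keys not already present are appended.
    Comments, blank lines and ordering of existing lines are preserved."""
    remaining = dict(updates)
    out: List[str] = []
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(2) in remaining:
            out.append(f"{m.group(1)}{m.group(2)}={remaining.pop(m.group(2))}")
        else:
            out.append(line)
    for key, value in remaining.items():
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def missing_values(text: str, required: List[str]) -> List[str]:
    """Required keys that are absent or empty; setupOAMTapIntegration
    would otherwise prompt for them or fail."""
    props = parse_properties(text)
    return [k for k in required if not props.get(k, "").strip()]


if __name__ == "__main__":
    # Hostname of the OAAM environment in this post; password from the
    # environment rather than from the script (assumed variable name).
    password = os.environ.get("OAAM_ADMIN_PASSWORD", "")
    updated = update_properties(
        SAMPLE_PROPERTIES,
        {"oaam.adminserver.hostname": "chinni-pc",
         "oaam.adminserver.password": password},
    )
    print(updated)
    print("still missing:", missing_values(updated, REQUIRED))
```

Run it once with OAAM_ADMIN_PASSWORD set and confirm that "still missing" is empty before invoking setupOAMTapIntegration; an empty list is the only state in which the CLI has everything it needs from the file.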


--------------------------------------------------------------------
Create a New Resource under the Application Domain:

Log in to the OAM Console --> Policy Configuration --> Application Domains --> search --> IAM Suite --> Resources tab --> New Resource --> create one resource.

Create an authentication policy with TapScheme.



-----------------------------------------------------------------------------
Testing Scenario (protecting a normal resource using the TAP scheme):
Try to access the normal protected resource:

It should display the OAAM login page instead of the OAM login page.
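As an added check for this scenario (example code, not from the original post), the script below requests the protected resource without letting urllib follow redirects, records each hop of the redirect chain, and reports whether the chain ends on the OAAM login page or still on the OAM login page. /oaam_server/oamLoginPage.jsp is the TAP challenge URL given in this post; /oam/server/obrareq.cgi (the WebGate to OAM hop) and /oam/pages/login.jsp (the default OAM login page) are assumed paths, and every hostname in the test data is a constructed placeholder.

```python
"""Report which login page a protected resource redirects to.

Added example, not from the original post. Only /oaam_server/oamLoginPage.jsp
comes from the post; the other two paths are assumptions about OAM 11g.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

OAAM_LOGIN = "/oaam_server/oamLoginPage.jsp"  # TAP challenge URL (from the post)
OAM_LOGIN = "/oam/pages/login.jsp"            # assumed default OAM login page
OAM_REQ = "/oam/server/obrareq.cgi"           # assumed WebGate -> OAM hop

# A fetch function returns (HTTP status, Location header or None) for one
# request; injecting it keeps the decision logic testable offline.
Fetch = Callable[[str], Tuple[int, Optional[str]]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Perform one request and return (status, Location) without following."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx arrives here with _NoRedirect
        return err.code, err.headers.get("Location")


def follow_redirects(url: str, fetch: Fetch, max_hops: int = 5) -> List[str]:
    """Return the chain of URLs visited, starting with url, bounded by max_hops."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain


def classify(chain: List[str]) -> str:
    """Decide which login page the redirect chain reached."""
    paths = [urlsplit(u).path for u in chain]
    if any(p.endswith(OAAM_LOGIN) for p in paths):
        return "oaam"  # TapScheme in effect: OAAM login page shown
    if any(p.endswith(OAM_LOGIN) for p in paths):
        return "oam"  # OAM login page: policy is not using TapScheme
    if any(p.endswith(OAM_REQ) for p in paths):
        return "oam-redirect-only"  # reached OAM but no login page within max_hops
    return "not-protected-or-unknown"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_tap_login.py http://OHSURL:PORT/protected/")
    hops = follow_redirects(sys.argv[1], http_fetch)
    for hop in hops:
        print(" ->", hop)
    print("result:", classify(hops))
```

A result of "oam" after the policy change usually means the resource was created outside the authentication policy that uses TapScheme, or the WebGate has not picked up the new policy yet; "not-protected-or-unknown" means the request returned content without any OAM redirect, so the resource is not protected at all.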


Document Reference: (for both 11g R2 PS1 and 11g R2)
