Pages

Tuesday, April 30, 2013

11g R2 and 11g R2 PS1 OAM Integration with OAAM

There are different types of integration 

Basic Integration:
Features: Authentication schemes, device fingerprinting, risk analysis, and the Knowledge-based Authentication (KBA) challenge mechanism KBA is the only challenge mechanism available in this integration. Libraries and configuration interface for different flows (challenge, registration, and so on). Many of the login security use cases available from OAAM

Advanced Integration:
Features:Authentication schemes, device fingerprinting, risk analysis, KBA challenge mechanisms
Advanced features and extensibility such as OTP Anywhere, challenge processor framework, shared library framework, and secure self-service password management flows. OAAM can also be integrated with third party single sign-on products via systems integrators if required.

Advanced Using TAP
Features: Authentication schemes, device fingerprinting, risk analysis, KBA challenge mechanisms, and additional advanced security access features, such as step up authentication
Advanced features and extensibility such as OTP Anywhere, challenge processor framework, shared library framework, and secure self-service password management flows.
OAAM can also be integrated with third party single sign-on products via systems integrators if required.

Pre-requisites : 

  • For Advanced Integration OAAM should have separate OAAM managed server (Not in OAM managed server)
  • OAAM Admin server is required. 
  • OAAM Database is required
  • Supported Agents
    • 10g WebGate and Single Sign-On (OSSO) Agent (For Basic Integration)
    • 10g WebGate  (For Advanced Integration)
    • 10g and 11g WebGates (For Advanced using TAP Integration)

Steps: 

To perform Advanced using TAP first we need to integrate in Advanced mode and then do additional configuration for TAP Scheme.

For External LDAP we need to configure IDStore using idmConfigTool. (http://docs.oracle.com/cd/E37115_01/integration.1112/e27123/idmcfgtool.htm#autoId7)

----------------------------------------------------------------------------------------------------------
Prerequisite OUD: (Run below batch files to extend OUD schems for supporting OAAM) :

idmConfigTool.bat -preConfigIDStore input_file=OUD.properties


 idmConfigTool.bat -prepareIDStore mode=OAAM input_file=OAAM.properties





----------------------------------------

Load Basic Snap Shot of OAAM

For OAAM Admin User and groups:

http://www.iamidm.com/2013/04/oaam-11g-r2-ps1-and-11g-r2-default.html

Login to OAAM Admin Console (http://localhost:14200/oaam_admin/) and click on System Shots then followed by Load from File



If you get following error :
Failed to load snapshot file The snapshot file should be a ZIP file



Then un-install any winrar or other softwares which are used to open zip files. 


Select oaam_base_snapshot.zip from %Middleware_Home%/Oracle_IDM1/oaam/init and click on load then click on Restore




------------------------------------------------------------------

Validating Initial

  • Verify Login to OAM console (localhost:7001/oamconsole) and see if you are able to login or not. If you are able to login successfully then OAM validation is done. 
  • Login to OAAM Server (http://host:port/oaam_server)
  • Enter Any user name and click continue 



  • Enter Password as test



  • User should get Security Questions followed by Successful screen. 



--------------------------------------------------------------------------------
Validating OHS and Webgate Setup : 

  • Make sure that OHS is installed
  • Register Webgate with OHS Server 
  • Make sure that http://OHSURL:PORT/ is protected using OAM 
----------------------------------------------------------------------------------
Register OAAM Server as Trusted Partner:


After Registration OAAM Server can communicate with OAM server using TAP (Trusted Application Protocol) and validates user Authentications with OAM so that OAM creates required cookies.

Steps to Register OAAM Server as Trusted Partner for OAM:

  •  Make sure that Access Manager server is up and running
  • Navigate to C:\Oracle\Middleware\Oracle_IDM1\common\bin using command prompt
  • Run commands as shown below



  • Create folder for TAP key store using other command prompt as shown below

  • registerThirdPartyTAPPartner(partnerName = "OAAMTAPPartner", keystoreLocation= "C:/Oracle/Middleware/Oracle_IDM1/TAP/TapKeyStore/mykeystore.jks", password="Password123", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://chinni-pc:14300/oaam_server/oamLoginPage.jsp")


you should receive Registration successful message.

  • exit() from WLST console 
-----------------------------------------------------------------


Setting Agent Password:

Agent password need to be set because it uses Agent password in multiple places for Integration


  • Login to OAM Console --> System Configuration --> Access Manager --> SSO Agents --> open OAM Agents --> Search --> Open IAM Suite Agent --> Specify Access Client Password and click Apply 
  • Login to Weblogic Console --> Security Realms --> myrealm --> Providers --> IAMSuiteAgent --> Provider Specific --> Enter Agent Password and Confirm Password and click Save
Restart all 4 server (Admin server, OAM managed server, OAAM Admin server and OAAM server)

---------------------------------------------------------------------------

Verify TAP Partner Registration: 

Login to OAM Console --> Policy Configuration --> Authentication Schemes --> TAP Scheme 

Check following parameters: 
Challenge Mode: DAP 
Authentication Module: DAP  
Challenge URL: /oaam_server/oamLoginPage.jsp
Challenge Parameters: 


TAPPartnerId=OAAMTAPPartner
SERVER_HOST_ALIAS=HOST_ALIAS_1

---------------------------------------------------------------------------
Adding Challenge Parameter in TAP authentication Scheme (in new line):

MatchLDAPAttribute=uid

---------------------------------------------------------------------------
Validate IAM SuiteAgent Setup:

  • Launch OAMTest.jar 



  • Test Following::


-------------------------------------------------------------------------------
Setting TAP Integration Parameters in OAAM:
  • Make sure that OAAM Managed Server is up and running
  • Create new folder temp under oaam folder
  • Create oaam_cli under temp


  • Copy all files from cli folder to temp/oaam_cli folder created in before step

  • Navigate to C:\Oracle\Middleware\Oracle_IDM1\oaam\temp\oaam_cli\conf\bharosa_properties and open oaam_cli.properties using editor(notepad)



Edit file as shown below:




Run setupOAMTapIntegration conf/bharosa_properties/oaam_cli.properties


Provide Requested details. 


--------------------------------------------------------------------
Create New Resource Under application domain:

Login to OAM Console --> Policy Configuration --> Application Domains --> search --> IAM Suite --> Resources Tab --> New Resource --> Create one Resource.

Create Authentication Policy with TapScheme. 



-----------------------------------------------------------------------------
Testing Scenario: (Protecting Normal resource using Tap Scheme) 
Try to access the normal protected resource: 

Which should display OAAM login page instead of OAM login page










Document Reference: (for both 11g R2 PS1 and 11g R2)

Sunday, April 28, 2013

OAAM 11g R2 PS1 and 11g R2 Default Ports and Configuration

OAAM User Creation:

Before login to OAAM Admin we need to create user in weblogic default LDAP store and we need to add him to OAAM groups:

OAAM Groups:

OAAMCSRGroup - Support Personnel

OAAMCSRManagerGroup - Support Personnel

OAAMInvestigatorGroup - Investigators

OAAMInvestigationManagerGroup - Investigators

OAAMRuleAdministratorGroup - Security Administrators

OAAMEnvAdminGroup - System Administrators

OAAMSOAPServicesGroup - Users are granted this role in order to access the URL: /oaam_server/services


Click on Security Realms --> Click on Users and Groups --> Click New


Provide username and password

Click on Groups --> Add OAAM related groups



Login using created username and password: 





Username: Any name
Password: test

Password should be always test for any user to login




Thanks !!! 

Wednesday, April 24, 2013

Steps to Apply Patch and remove patch SOA, OIM, OAM

Here are the Steps, How to apply patches in OIM:

1) Download required patch from oracle support

2) Unzip downloaded patch file.


3) Open README.txt file and check while path need to be set for ORACLE_HOME (Example: Usually it will be path of SOA server if you are applying patch for SOA)

In this example I am applying patch for SOA server.


4) Set Environment path C:\Oracle\Middleware\Oracle_SOA1\OPatch (only for SOA, for remaining servers path varies)


5) Navigate to patch exacted folder and run Opatch.bat apply




 6) If it is successful it shows following message.



Remove SOA or OIM or OAM applied Patch: 

1) Repeat above 4 steps.

2) Navigate to patch location and run

Opatch rollback -id PatchID



Thanks !!! 

SOA Errors While Installing OIM 11G R2 PS1

The Following are common SOA errors while installing OIM 11G R2 PS1:

1) INST-6192: Unable to connect to SOA Managed Server

In OIM 11g R2 while configuring OIM, SOA server should be up and running. To resolve below error start SOA managed server.



Error 2: 

While configuring OIM configuration following error may be experienced:

INST-6193: The attribute JpsContextName in MBean com.oracle.sdp.messaging:Location=soa_server1, name=ServerConfig, type=SDPMessagingServerConfig,Application=usermessagingserver not found. 

Check the SOA version comparability. 

This error occurs because SOA server need to be applied with some patches. Following patches need to be applied:

Refer to following link to know how to apply patches:

http://www.iamidm.com/2013/04/steps-to-apply-patch-and-remove-patch.html

Note: No need to install all patches and some patches below are dependency patches, even if you install one patch it allows OIM configuration. 





Refer: http://docs.oracle.com/cd/E37115_01/relnotes.1112/e39887/install.htm#ASIRN4622

Thanks !!

OIM, OAM 11G R2 PS1 Installation Overview

Versions need/can to be used while installation: (Need to be downloaded from oracle Edelivery)

  • Oracle Database 11g Release 2 (11.2.0.1.0)
  • Oracle WebLogic Server 11gR1 (10.3.6) Generic and Coherence
  • Oracle Fusion Middleware Repository Creation Utility 11g (11.1.2.1.0) (Only 32 Bit available)
  • Oracle SOA Suite 11g Patch Set 5 (11.1.1.6.0) (Need SOA patches also check next post)
      Required SOA patches:
      Refer Oracle Docs

Note: No need to install all patches and some patches below are dependency patches, even if you install one patch it allows OIM configuration. 


  • Oracle Identity and Access Management 11g (11.1.2.1.0) 

Steps:

1) Install Database
2) Run RCU and create Schema for required products
3) Install Weblogic Server
4) Install SOA Server and Install SOA patches shown above
5) Install IDM Server
6) Create Domains 
7) Configure Security Store Python Script
8) Start both Admin server and SOA server (in 11g R2 SOA server is not required )
9) Configure OIM and Design Console ( if you face any error regarding SOA error refer following post)
10) Start OIM and OAM managed servers


Thanks !!! 


Error while running GTC Trusted Recon Schedule: Solution


Caused by: oracle.iam.reconciliation.exception.ConfigNotFoundException: Invalid Profile - GTC_FLATFILE_GTC
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl$ProfileMarshaller.unMarshal(CoreProfileManagerImpl.java:521)
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl$ProfileMarshaller.unMarshal(CoreProfileManagerImpl.java:504)
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl$ProfileMarshaller.access$100(CoreProfileManagerImpl.java:454)
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl.readProfileFromXML(CoreProfileManagerImpl.java:411)
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl.getProfileFromMDS(CoreProfileManagerImpl.java:391)
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl.getProfile(CoreProfileManagerImpl.java:381)
at oracle.iam.reconciliation.impl.config.ProfileManagerImpl.getProfile(ProfileManagerImpl.java:163)
at sun.reflect.GeneratedMethodAccessor2185.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy773.getProfile(Unknown Source)
at oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.getProfile(ReconOperationsServiceImpl.java:2119)
... 83 more
Caused by: javax.xml.bind.UnmarshalException
 - with linked exception:
[org.xml.sax.SAXParseException; cvc-minLength-valid: Value '' with length = '0' is not facet-valid with respect to minLength '1' for type 'matchingRuleType'.]
at javax.xml.bind.helpers.AbstractUnmarshallerImpl.createUnmarshalException(AbstractUnmarshallerImpl.java:335)
at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.createUnmarshalException(UnmarshallerImpl.java:522)
at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:334)
at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:305)
at javax.xml.bind.helpers.AbstractUnmarshallerImpl.unmarshal(AbstractUnmarshallerImpl.java:127)
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl$ProfileMarshaller.unMarshal(CoreProfileManagerImpl.java:512)
... 100 more
Caused by: org.xml.sax.SAXParseException; cvc-minLength-valid: Value '' with length = '0' is not facet-valid with respect to minLength '1' for type 'matchingRuleType'.
at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.xs.XMLSchemaValidator.reportSchemaError(Unknown Source)
at org.apache.xerces.impl.xs.XMLSchemaValidator.elementLocallyValidType(Unknown Source)
at org.apache.xerces.impl.xs.XMLSchemaValidator.processElementContent(Unknown Source)
at org.apache.xerces.impl.xs.XMLSchemaValidator.handleEndElement(Unknown Source)
at org.apache.xerces.impl.xs.XMLSchemaValidator.endElement(Unknown Source)
at org.apache.xerces.jaxp.validation.ValidatorHandlerImpl.endElement(Unknown Source)
at com.sun.xml.bind.v2.runtime.unmarshaller.ValidatingUnmarshaller.endElement(ValidatingUnmarshaller.java:106)
at com.sun.xml.bind.v2.runtime.unmarshaller.InterningXmlVisitor.endElement(InterningXmlVisitor.java:81)
at com.sun.xml.bind.v2.runtime.unmarshaller.SAXConnector.endElement(SAXConnector.java:158)
at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:255)
at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:281)
at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:250)
at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:281)
at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:250)
at com.sun.xml.bind.unmarshaller.DOMScanner.scan(DOMScanner.java:127)
at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:322)
... 103 more


Solution:

Check Matching Only check box. 


Verify: 


Login to Design Console and verify Reconciliation Rule (same as GTC Connector Name) 




Retry running Schedule Job


Thanks !!!