Enabling OCSP Validation using X.509 Authentication Scheme

Assumptions:

• You have already configured & tested the X.509 authentication use case. And now we are enabling certificate validation using OCSP Server.
• To setup OCSP we will be using 'openssl'. So before proceeding check if you installed openssl or not. If not go get it first.
• You have imported the user certificate in your browser as part of X.509 Authentication.

Brief about OCSP Server:

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.
An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

Steps to perform:

1) To setup OCSP Server: Steps to setup OCSP
2) Once you have setup OCSP, you will be having the following items with you;

• CA Authority certificate (self signed) - ca.pem
• CA private key - ca-key.pem
• OCSP Server URL -> i.e. host and port details http://abc.us.oracle.com:6060
• index.txt -> basically this is the file having the user certificates details which will be checked by the OCSP server for the received cert request. Based on this OCSP will respond 'good', 'revoked' or 'unknown'. It returns 'unknown' in case the cert entry is missing from the file.
• This file name could be any name of your choice.

a) OCSP server files;

 b) Staring OCSP server

2) Goto Access Manager Configuration Settings: Select Certificate Validation

3) Select OCSP/CDP Settings:

•  Enter OCSP Url

•  Provide the OCSP CA Authority Certificate Subject
• Apply the changes

4)  Now goto Authentication Scheme

5) Select X509Scheme

 6) Provide the details as required for enabling OCSP Validation

7) Now goto Authn Module

8) Select X509 Module

9) Remember to enable Cert Validation & OCSP. Provide the required details.

10) Now we need to attach the X509Scheme in our webgate profile Protected  Resource Policy.

11) Now when you fire a request from your browser, you will be asked for the user cert to be used for authentication. And if this user is not present in OCSP database i.e. the index.txt file or it is been revoked than you should get 'Authentication Failed' message.

12) To implement a use case to check certificate revocation:
Execute this command:
./openssl ca -revoke <user certificate name>
Eg: 
bash-3.2$ ./openssl ca -revoke user1\@oracle.com.crt
Using configuration from /scratch/ckukreja/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Revoking Certificate BE.
Data Base Updated

•  Here i have copied the cakey.pem, ca.pem & index.txt to 'demoCA' folder. Basically openssl refer to this folder as it is configured in my openssl.cnf file.
• After this your index.txt gets updated and you can actually see the difference as well. Now when you try to access the protected resource with the user cert who has been revoked in OCSP databse, so this time OCSP will say 'revoked' to OAM server. And hence you will get authentication failed message.

Note: Important points to help you debug;

a) Always check if the log.txt file provided with OCSP server startup is getting populated with request or not.
b) If request is landing on OCSP and its a good cert request but still it is failing to authenticate than check OAM server diagnostic logs. You must be getting an exception there.

Important Informative Links:

Managing Common Services and Certificate Validation
X.509 Certificate Revocation Checking Using OCSP protocol with Oracle WebLogic Server 12c
How to set up OCSP using OpenSSL - I-Space Research Labs



That's All Guys......
Enjoy :-)

Enabling IP Validation in Load Balancer Environment using ProxyTrustedList & ProxyRemoteIPHeaderVar in OAM 11g

Why we are discussing this topic?

• It is important to understand the configuration required to be done in OAM for validating the IP addresses when the application server is behind the proxies.

What difference will it make if app server is behind the proxy?

• The client ip calculation will be different if proxy is present.

How client ip is fetched in OAM/Webgate?

• remote_addr contains the client ip, in case of proxy this remote_addr will have the last proxy IP Address.

How can i than validate the IP in this scenario where proxies are used?

• For such scenario we have to configure 2 user defined parameters in Webgate Profile:

• ProxyRemoteIPHeaderVar = <by default it is set to HTTP_X_FORWADED_FOR>

• ProxyTrustedIPList = <list of comma seperated IP Addresses>

• Along with these parameter we need to set the IP Validation flag in webgate profile.

How remote_addr & x_forwaded_for header are related?

• Remote_addr: Actually it contains the IP address of the client in general. But in scenarios where proxies are involved, this remote_addr conatins the last proxy IP Address.

• HTTP_X_FORWARDED_FOR: header is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

Considering the scenario such as:

Client -> Proxy1 -> Proxy2 -> OHS Server(having Webgate)
 

Thus in this scenario, the headers contains following values;

• REMOTE_ADDR = Proxy2 IP

• HTTP_X_FORWARDED_FOR = Client IP, Proxy1 IP

So how the ProxyTrustedIPList is to be configured?

• This parameter should have all the proxies IP Addresses that are present in the deployment or production environment.

How HTTP_X_FORWADED_FOR & ProxyTrustedIPList co-relates?

The IP Addresses present in x_forwaded_for header are backtracked against trustediplist & when the Ip is not found in TrustedList than that is considered to be the client ip.

Consider the scenario:
Client -> Proxy1 -> Proxy2 -> OHS Server(having Webgate)

Headers:

• HTTP_X_FORWADED_FOR = ClientIp, Proxy1

• REMOTE_ADDR = Proxy2

Configuration:

• ProxyTrustedIPList = Proxy1, Proxy2

 

Enjoy :-)

OAM R2PS3 - why there is need for 2 cwallet.sso files in webgate profile

Did you ever wondered that why there are 2 cwallet.sso files generated for your webgate profile in OAM R2PS3?

Let's take a look of the directory structure of the webgate profile when you create it;

• Here you see a cwallet.sso file & a wallet folder. This wallet folder was never there in previous releases, but from R2PS3 onwards you will see this folder as well..

Let' see what this folder contains;

• On expanding this wallet folder you see one more cwallet.sso file present int it.

bash-3.2$ ls -ltr
total 12
drwxr----- 2 ckukreja dba 4096 Oct 20 10:42 wallet
-rw-r----- 1 ckukreja dba 2796 Oct 20 10:42 ObAccessClient.xml
-rw-rw-rw- 1 ckukreja dba    0 Oct 20 10:42 cwallet.sso.lck
-rw------- 1 ckukreja dba  433 Oct 20 10:42 cwallet.sso   ----> this R2PS2 compatible wallet
bash-3.2$ cd wallet/
bash-3.2$ ls -ltr
total 4
-rw-rw-rw- 1 ckukreja dba   0 Oct 20 10:42 cwallet.sso.lck
-rw------- 1 ckukreja dba 401 Oct 20 10:42 cwallet.sso  -------> this R2PS3 compatible wallet

So the answer for these 2 cwallet.sso files is as follows:

• The cwallet.sso file present in wallet folder is R2PS3 compatible wallet, which means if you try to use this cwallet.sso file with R2PS2 webgate, it won't work. You will get FATAL error that "unable to read agent key". And thus webgate is not initialized successfully. 
• This cwallet.sso is used by R2PS3 webgate, but there is a catch here. Consider you don't copy the wallet folder to webgate instance directory in that case R2PS3 webgate is intelligent enough to understand the R2PS2 cwallet.sso.
• So this means that R2PS3 webgate can work with R2PS2 cwallet.sso as well as R2PS3 cwallet.sso.
• While the other cwallet.sso present outside is R2PS2 compatible wallet file i.e. when you try to use R2PS3 OAM Server with R2PS2 WebServer having R2PS2 Webgate. This cwallet.sso will be used by the webgate to read the agent key.
• This means that if this cwallet.sso is not present in that case R2PS2 webgate will be unable to initialize as it won't be able to read the agent key i.e. is present in cwallet.sso.
• Hence to make R2PS2 webgate work with R2PS3 OAM server it is mandatory to use the cwallet.sso file presnet outside the wallet folder.

  

There is one more change done in the cwallet.sso files for R2PS2 & R2PS3 created by R2PS3 OAM Server i.e.

• If you open the cwallet.sso of R2PS2 or R2PS3 it only contains shared secret key, there are no default certs present.

  

      Remember: to set the JAVA_HOME before you use the orapki command.

• While the cwallet.sso created by R2PS2 OAM Server used to contain default certs and the shared key.

Note: 

• To open R2PS3 cwallet.sso present in wallet folder you need the latest orapki executable which comes with R2PS3 OAM server, this same orapki can open the R2PS2 cwallet.sso as well. 
• But the orapki that comes with R2PS2 OAM Server will be unable to open R2PS3 wallet & will ask for login password in-spite of the fact that the cwallet.sso is auto login wallet.

Enjoy :-)

User Defined Parameters in OAM 11G

The complete list of user defined parameters is described in the following oracle doc:

R2PS2:

http://docs.oracle.com/cd/E40329_01/admin.1112/e27239/register.htm#AIAAG5856

R2PS1:

http://docs.oracle.com/cd/E28271_01/doc.1111/e15478/shared.htm

Understanding SSL Handshake Mechanism Between Webgate & OAM Server

Currently Webgate supports 3 modes of communication with OAM Server:

1. Open
2. Simple
3. Cert

With the SIMPLE & CERT Mode SSL comes in picture, but why at all we require it;

• The answer lies in the question it self i.e. security. OAM combined with Webgate is a security product that provides SSO & other features thus itself requires to be secure in talking terms.

From webgate-oam perspective we will be talking about NAP over SSL.

With SSL we ensure that the data transamitted b/w 2 parties is safe & sound as;

• Both the parties knows one another, but how because they do handshake before they start communication.
•  Once they start communicating, the packets or the data been transferred b/w them is secure as it is encrypted.

The 2 SSL modes of communication described above performs handshake process before they are sending data to each other; The handshake mechanism involves following steps;

Remember: In webgate & oam conversation, it is always the webgate who sends the request & server responds to it. So the request-response model is not vice-versa in OAM/Webgate case.   

1. In SSL Handshake first it is require for both client & server to ensure that they are talking to right or intended party only. So how webgate & oam do this;

1. It is the first INITIALIZE NAP message that is sent between both the parties;
2. This init_nap msg comprises of set of messages that they both exchange. And all this is done to ensure that the listener & receiver are not evil.
3. During this exchange webgate ask the server for the communication mode, if it is not open mode than webgate starts the SSL Handshake process. Describe in step 2.

2. At this step it is required to establish a secure connection between the webgate & oam. For this webgate prepare a CLIENT HELLO Message, which contains the following;

• Supported set of Cipher-suite like
  SSL_RSA_WITH_AES_256_CBC_SHA , SSL_RSA_WITH_3DES_EDE_CBC_SHA
• Which TLS Version to be supported; TLSv1.0, TLSv1.1, TLSv1.2; 
• Now webgate with r2ps3 also supports TLSv1.2 as well.

• Random Number - this number is of 32 bytes out of which 4 bytes contains date & time and rest are randomly generated. This random number will be used to prepare the master key (which is combination of client generated random number & server generated random number). This master key will be used for encrypting the data transferred b/w client & server once handshake is done.
• Session ID: a null session id is sent. If this is not the first time, than a valid value is been sent here as a session already exist b/w them.

 Cipher-suite: it is the algo that need to be used for encrypting the data.
 TLS version - it is the SSL supported version, latest one is TLSv1.2

3. Based on the Client Hello, server responds with SERVER HELLO, & in this server responds with;

• Supported cipher suite, that will be used in b/w webgate & oam for data encryption;
• Supported TLS version;
• And server sends its own certificate to webgate; And this is required to authenticate the server. Webgate does so by checking the cert in webgate truststore i.e. cwallet.sso. If webgate is able to verify the process is proceeded to next step, else it "TLS HANDSHAKE ERROR" is thrown.
• Possible reason for this:
• There is no trusted cert loaded in cwallet.sso, so webgate is unable to verify the server cert.
• Else the server provided cert is not a valid cert, hence server need to provide a valid cert.

• Random Number: server generated number same as client did while sending hello message.
• Session ID: server sends this newly generated id, that will be used in further communications. By this server can detect whether a session exist b/w webgate & server or not.

4. Key Exchange Phase: 

•  This phase is divided into 2 messages exchanged b/w client & server:
• SERVER KEY EXCHANGE
• CLIENT KEY EXCHANGE

Server key exchange - During this message exchange you will notice that while sending server hello, you see one more message along with it i.e. SERVER KEY EXCHANGE. This message is encrypted with server's private key and client decrypts it with the server's public key received with server's certificate.

• The SERVER KEY EXCHANGE Message is not mandatory to be sent by server, as it depends on the cipher suite selected for communication.
• DH_ANNON - for this cipher it will be sent
• RSA/MD5 - it will not be sent
• After this server key exchange, server hello is done. immediately after this from webgate side it is required to send CLIENT KEY EXCHANGE message. The data in this message is encrypted with server's public key.

Client key exchange -

• The purpose of sending this message is to share the master key, which client generates using the (client random number + server random number) encrypts it using the cipher suite selected & encrypts the whole message with public key shared by server in its certificate.

Note: 

• This above key exchange step is required so that to generate a master key that will be used as symmetric key b/w server & client for further data exchange.
• And to achieve this step we use asymmetric key, as we saw client used server public key for sending CLIENT KEY EXCHANGE Message while server used its private key to send SERVER KEY EXCHANGE Message.

5. FINISHED: at this point handshake process is done & now onwards client & server exchange the messages encrypted using the master key.


Note:

• It is possible that server will respond with error, if the list of cipher suite provided by webgate is not all supported not any one of it is supported or;
• The tls version provided by webgate is not supported by server.

6. Once client & server handshake is done successfully, after remaining INIT_NAP messages are excahnged b/w webgate & oam server.

7) Once above step is done successfully, than NAP channel is initialized b/w webgate & server. Basically this NAP channel in simple terms means a socket connection b/w webgate & server is established that will transmit the data over SSL.

Note: Once a NAP channel is initialized than for the requests been sent via this channel need not to do the SSL handshake again and again. It is a one time process per connection until unless that connections is to be refreshed or gets expired.


Hence the WEBGATE-OAM SSL Handshake finishes here.....



More Info: Related to SSL (nice article)
http://robertheaton.com/2014/03/27/how-does-https-actually-work/


Enjoy :-)

Configuring self signed SSL Certificates for OHS 11.1.1.7 or 11.1.1.9

Recently i came across a very good article by the a-team regarding configuring the SSL certificates signed by CA authority with the OHS.

Currently if we access a secured SSL port of OHS, our browser shows us a warning, and ask us whether to trust the certificate or not. Basically this certificate is the default one that comes with the OHS.
But in actual scenario's we need configure the SSL certificate of our organization that will be signed by CA authority like VeriSign.

It is also possible for us to generate the SSL Certificate & sign it by root CA i.e. basically our own CA, because for testing purpose we are not going to sign it by external CA.

So the article shared by a-team describes the steps to be followed to achieve the purpose.

http://www.ateam-oracle.com/setting-up-https-on-ohs-for-fusion-apps/



Enjoy :-)

What is Oracle Coherence

If someone is new to this Oracle Coherence term, than following things one might ask;
1) What it is?
2) Why to use it?
3) Where does it comes into picture?

It is answered very well in the below post;
http://www.mythics.com/about/blog/the-features-and-benefits-of-oracle-coherence

But yes one will see this Oracle Coherence mostly when you are installing weblogic server say 10.3.6
At that time you have the option to either use the typical installation mode or go for the custom mode.

If you select custom mode, than there you will see that Oracle Weblogic Server & Oracle Coherence are the 2 products that will get installed.
One can untick the Oracle Coherence if not required, else it will by default gets installed with the weblogic server.


Enjoy :-)

Unable to login to oam console with new identity store

Unable to login to OAM Console 11g:

Sometimes we get into a situation where we are unable to login to oamconsole when we change the identity store in OAM 11G oamonsole from EMBEDDED LDAP store to some other LDAP Store like OID, OVD or ODSEE etc...

In this case we should take caution by taking backup of oam-config.xml file; now the question comes in that why it is so important to take backup of this file?

This file contains all the configurations related info required for OAM Server and also it gets updated when update the server configuration.

For example: Default LDAP store configured in it will be like;

<Setting Name="UserIdentityStore" Type="htf:map">
     <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=Admin</Setting>
    <Setting Name="GROUP_SEARCH_BASE" Type="xsd:string">ou=groups,ou=myrealm,dc=base_domain</Setting>
     <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
     <Setting Name="Type" Type="xsd:string">LDAP</Setting>
     <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
     <Setting Name="IsPrimary" Type="xsd:boolean">true</Sghetting>
     <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
     <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}F8E3A9FAD9D662F753D842979423ED3D</Setting>
    <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
    <Setting Name="USER_SEARCH_BASE" Type="xsd:string">ou=people,ou=myrealm,dc=base_domain</Setting>
    <Setting Name="ENABLE_PASSWORD_POLICY" Type="xsd:boolean">false</Setting>
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
   <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
   </Setting>

Similarly when you configure a new LDAP Store, a same sort of entry will be created where you will notice that the new IDENTITY Store will become the primary store and its flag will be set as true while the embedded ldap store isPrimary flag turns false;

<Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>

Possible way outs:
1) Check whether the user you are logging with has admins rights; i.e. is that user added to the administrators group of the LDAP Store.
2) If the step 1 is fine than you might not have done proper configuration in weblogic console;

• Check for the users&groups configuration, whether the added user is present under users tab or not,
• Check for the roles&policies, i.e. under global roles->Admin-> is your admin group is present.
• Check whether the identity store is placed at the top in the providers tab, if not you need to reorder it.

3) If step 2 is ok than check oamconsole settings, now you will ask when i am not able to login than how can i check those?

• So the answer lies in below mentioned explanations.

Thus in case you are enable to login to the oamconsole than just replace the oam-config.xml file with the old one. Remember whenever you do changes in oam server configuration after applying the changes a backup file gets generated automatically.

So either replace the current oam-config.xml with the last saved auto backed up file or with the one you have saved as a copy.

Than restart the admin & manged server, you should be able to login with the default credentials of embedded ldap store. 



Enjoy :-)

Understanding the reason why to use OAAM

Understanding OAAM:

1) Risk Analysis: to find/detect the suspicious attack real time or offline.

• This involves keeping the logged in user activity prints, so that to understand the pattern performed. In case whenever pattern variance is detected, OAAM alarms the user.

2) Fraud Analysis: with this we can detect that whether a human is interacting with the system or some malware/bot is placed. To check such suspicious attack either by human or bot, OAAM offers:

• OTP
• KBA
• Fingerprint Detection
• Challenge Schemes...etc

 

Reference:
http://docs.oracle.com/cd/E23943_01/admin.1111/e14568/intro.htm#AAMAD636


Enjoy :-)

OAAM Basic vs Advance vs Advance using TAP Integration with OAM

What all we will be covering?

1. Understanding Basic OAAM Integration
2. Understanding Advance OAAM Integration
3. Understanding Advance TAP OAAM Integration

In this post we will be understanding Basic OAAM Integration

OAAM Basic Integration with OAM:

The basic integration of OAAM offers a limited set of functionality when integrated with OAM. There are extension libraries that bundles with OAM server itself, using which the basic integration is offered.

Knowledge Based Authentication is the only challenge mechanism offered in this basic integration.

What all is needed in this integration?

1) OAAM Admin Server
2) OAAM Database
3) OAM Admin + Managed Server

Note: Webgate 10g & 11g Agents are supported with this integration.

References:
http://docs.oracle.com/cd/E23943_01/doc.1111/e15740/aam.htm#AIING268


Enjoy :-)

OAM 11g - Webgate NAP Tunneling

 

What is NAP Tunneling?

NAP or OAP is the protocol that is used for communication mechanism between OAM Server & Webgate.
Webgate relies on this channel for communication with the server. This channel is webgate initiated i.e. the request is made by webgate via this NAP channel & server sends the response on this NAP itself.

Now what this tunneling is meant for? It is basically a mechanism via which one can access the resource that is actually deployed at the OAM Server.

So what does that mean by accessing a resource?
Ok, take an example. I want to use an app, which is actually deployed at the OAM Server. But as we know that resources are something which are placed in some resource server.
And to use this app i can't directly hit the resource url because it is not accessible directly.

Thus with webgate r2ps2, a new feature is added i.e. NAP Tunneling. With this we can actually configured the urls that need to be tunneled, like tunneled the request only when the requested url has '/oam' in the url. So by this webgate sends this tunnel request to the server, which in turn sends the resource to the webgate & it is the responsibility of the webgate to parse the response & redirect it back to the user's browser.

How to configure/enable NAP Tunneling Feature in OAM?

1) Define a user-defined parameter in the Webgate Artifact i.e.

     TunneledUrls=<url_path> (relative path not absolute)

Like - I want to tunnel all the request that has '/oam' or '/oamfed' or '/sample'

     TunneledUrls=/oam, /oamfed, /sample

2) The Urls path that we want to tunnel, they must use public resource policy both for authentication & authorization.


3) Make sure that the parameter "DirectAuthenticationServiceDescriptor" in oam-config.xml is set to true.

Note: This oam-config.xml file is placed at <Middleware_Home>/user_projects/domains/<domain_name>/config/fmwconfig/oam-config.xml



The above 3 steps are required for enabling tunneling for ECC. But in case you want to enable tunneling in DCC, than you need to perform few more steps;
 
Following post shows DCC NAP TUNNELING.


Enjoy :-)

[OAM]: Start OAM Admin/Managed Server without getting prompt for username & password

The answer to this is boot.properties file, using this we can make the OAM Admin/Managed Server to start without getting prompt for the username & password.

Where to find this file & what does it contains?

When we install OAM in development mode, this file is created for AdminServer & placed under the <Domain_Home>/servers/AdminServer/security/ directory path.

Note: Domain Home in above directory is the place where you have created the user projects in the middleware home.

Under the above mentioned directory the boot.properties file is created & it contains the credentials details i.e.:
username=<encrypted text>
password=<encrypted text>

That's why in development mode you are not prompted for username & password when you start the Admin Server.

How to use this for Managed Server?

One can simply use the boot.properties file present in the AdminServer security directory & copy it to the oam_server security directory.

Note: This is true in case both the servers are in the same domain.

Like - in my case i have oam_server1 entry in
<domain_home>/servers/oam_server1

Inside this directory i couldn't locate the security folder, so i created a folder with the name 'security' & copies the 'boot.properties' file in it.

Now when i started my oam server it didn't asked me for the credentials.

What if i create my own boot.properties file?

One can create a new boot.properties files, that means it will contain plain text username & passowrd not the encrypted one.
When someone starts the oam server, it reads the credentials but it than encrypts the file. Thus the file contents are changed that means no more plain text is their.

I don't see a security folder in my server directory?

So create one a folder with name 'security' & create a file with name 'boot.properties. User credentials need to be entered in the properties file.

References:
http://docs.oracle.com/cd/E14571_01/web.1111/e13708/overview.htm#START128


Enjoy :-)

Understanding Oracle Identity Federation

Basics of OIF:

What exactly is OIF?

- Basically it enables the different entities to share their services using a global identity maintained by one of the organisation.

So what exactly it means?

Take an example to understand the usage of OIF:
- Let say a company ABC wants to use the service of a Health Care Company, so that ABC company employees can access Health Care Portal.
For this the health care company should have the ABC comapny employee database, so that when the ABC company employees wants to use the Health Care Services they can be authenticate & authorize to do so.
But ABC cann't share the database. So in this scenario how can Health Care Portal be able to become part of ABC comapny?

Answer is Federation.

Thus here ABC Company using the OAM SSO for their employees, decides to enable the Federation feature. And the similiar OAM setup needs to be done at the Health Care side.
So in this case ABC company acts as Identity Provider (IdP) while the Health Care company as Service Provider (SP). 

What are these 2 things? IdP & SP

Oracle Identity Federation supports two integration modes with Oracle Access Manager: authentication mode and SP mode.

• Authentication Mode (IdP)

In the authentication mode, Oracle Identity Federation delegates authentication of the user to Oracle Access Manager.
The user is redirected to an Oracle Identity Federation resource protected by WebGate, that triggers the Oracle Access Manager authentication flow. Once the user is identified, it will access the resource, and WebGate will provide to Oracle Identity Federation an HTTP header containing the user's identity.

• SP Mode

In the SP mode, Oracle Access Manager delegates user authentication to Oracle Identity Federation, which uses the Federation Oracle Single Sign-On protocol with a remote Identity Provider. Once the Federation Oracle Single Sign-On flow is performed, Oracle Identity Federation will create a local session and then propagates the authentication state to Oracle Access Manager, which maintains the session information.

 

Use Case:
1) User access the ABC company portal, & hits the health care portal link. User is redirected to health care portal, where he is asked to enter his credentials.
 User submits his credentials which are actually saved in the ABC company database. Thus health care site sends the credentials submitted by user to the ABC comapny using SAMLv2.0 token form.
 ABC company replies in the SAMLv2.0 as well & health care portal reads the token returned by  

 ABC & based on the reply like user is valid & authorized or not. Health care portal takes the 

 decision. And makes the user to access the health care services based on that.
  
So in this way they get federated seamlessly.

References:

https://docs.oracle.com/cd/E23943_01/oid.1111/e10036/basics_14_oif_user.htm

http://docs.oracle.com/cd/E21764_01/core.1111/e12035/wiring.htm#IMEDG1184

Enjoy :-)

Enabling DCC for OAM 11g & OIF

Enabling DCC for OAM & OIF:

This post is divided into following sections:

1) Understanding OIF
2) Installing OAM 11g, OHS, Webgate 11g
3) Integrating OIF & OAM 11g
4) DCC for OAM & OIF

Enjoy :-)

Configuring Authorization Policy Conditions/Rules in OAM 11G R2PS2

Authorization Policy : Creating Condition/Rules

Basically if you are aware of the SSO thing, than you must know that once you are authenticated than you are checked for - WHETHER YOU ARE AUTHORIZED OR NOT.
And what does that means?

It means that if you are allowed to log in to the system than it needs to be checked that whether you are authorized to access the resource or not.

Generally we have Authorization Policy for Protected & Public Resources. But we can also specify our conditions & rules for these authorization policies.

So now the question arises what's the use of these condition & rules?

• Basically we can add our condition to allow or deny the user to access the resource.
• And thus we need to add these condition to the rules for allow or denial access.

Remember - You can create your condition & rules for each of the authorization policies created for the webgate profile. Their is no constraint of only single condition or so.

In this post we will be creating a condition for IP Range, for other condition soon i will be posting a new post.

Pre-Requisites:

• Webgate Profile is created.
• Working Webgate Instance is in place i.e. webgate is integrated with your server say OHS
• And You can properly access a protected resource.

Let's see how to configure Authorization policy:

1) Log in to oamconsole: http://host:port/oamconsole

2) Go to Application Domain -> Select Webgate Profile -> Go to Authorization policy

• Note: I will be adding condition with my Protected Authorization Policy
• By default there is just one condition added 'TRUE' which is also available in the Rules.
• This is allowable condition, & TRUE in all sense.

•  Now we will be adding a new condition, and this will be for IP Range testing.

• Apply the changes
• Now once it is added, than we need to add a condition in it. In the above step we have just created a condition entry, now we will be adding a condition to it.

• Here i will be adding a IP Range - i am blocking the IP Addresses starting from 10.0.0.0 to 10.255.255.255. Any IP Address coming for authorization having IP Range b/w this mentioned series. It will be not be able to access the resource.

 

• We need to add this condition in the rules table. You can see that we have 2 types of rule:
• Allow Rule
• Deny Rule

• Here we will be adding the condition in the 'deny rule' table.

• Apply the changes & we are good to go.
• Note: 
• We need not to restart the server instance, because the changes are done at the OAM Server side and as webgate talks to OAM via OAP/NAP connection. Thus OAM Server will tell the webgate about access or denial via this NAP only. That's why no restart required.
• But remember that in case we have done changes in the webgate profile, than server restart is a must.

• Lets test this by accessing the Protected Resource URL. And my ip address starts with 10.* series. Thus i will be getting a resource denial message.
• Access the resource. http://host:port/index.html
• Provide the credentials

•  Eureka....!!!! Did you see, we get the denial message for the resource index.html.

We are done with the Authorization IP Range Condition/Rules Testing....... Soon i will be adding the use cases for other condition tests as well....


Enjoy :-)

Cache Pragma Header OAM

In OAM SSO Agent configuration we have 2 caching headers:

1. Cache Control Header
2. Pragma Header

As per the RFC 2616, Pragma Header is their for backward compatibilty while in all the browers & client specfic system we all are using HTTP/1.1

Thus as per the HTTP/1.1 standard Cache-Control Header is in use.

So as the OAM Webgate 11g is developed as per the HTTP/1.1 statndard. Thus it makes use of this Cache-Control Header & Pragma is their just for backward compatibilty.

That's why you see that they both have same values & Pragma Header uses the same value as that of Cache-Control Header value.

Some more info related Cache Control Header:

HTTP 1.1 introduced a new class of headers, Cache-Control response headers, to give Web publishers more control over their content, and to address the limitations of Expires.

Useful Cache-Control response headers include:

• max-age=[seconds] — specifies the maximum amount of time that a representation will be considered fresh. Similar to Expires, this directive is relative to the time of the request, rather than absolute. [seconds] is the number of seconds from the time of the request you wish the representation to be fresh for.
• s-maxage=[seconds] — similar to max-age, except that it only applies to shared (e.g., proxy) caches.
• public — marks authenticated responses as cacheable; normally, if HTTP authentication is required, responses are automatically private.
• private — allows caches that are specific to one user (e.g., in a browser) to store the response; shared caches (e.g., in a proxy) may not.
• no-cache — forces caches to submit the request to the origin server for validation before releasing a cached copy, every time. This is useful to assure that authentication is respected (in combination with public), or to maintain rigid freshness, without sacrificing all of the benefits of caching.
• no-store — instructs caches not to keep a copy of the representation under any conditions.
• must-revalidate — tells caches that they must obey any freshness information you give them about a representation. HTTP allows caches to serve stale representations under special conditions; by specifying this header, you’re telling the cache that you want it to strictly follow your rules.
• proxy-revalidate — similar to must-revalidate, except that it only applies to proxy caches.

References:

https://www.mnot.net/cache_docs/


Enjoy :-)

Purpose of Max Session Time OAM

Purpose of Max Session Time field:

Max Session Time (hours)

Maximum time to keep server connections alive. The unit is based on the maxSessionTimeUnits user-defined parameter which can be 'minutes' or 'hours'. When maxSessionTimeUnits is not defined, the unit is defaulted to 'hours'.

What does this above definition means?

Basically this is the session time for the OAP/NAP connections made between Webgate & OAM Server.
This is the TTL (Time to live) of these OAP/NAP connections.

Is this field defines the time in minutes or hours?

By default it is in 'hours'. But when you create a Webgate Agent Profile there is a user defined parameter defined as 'maxSessionTimeUnits' & it has value 'minutes'.
Thus this makes the value configured in 'MAX SESSION TIME' in minutes.

• In this agent profile we have max session time configured as '2'. This is in minutes why?
• Because we have configured the user defined parameter 'maxSessionTimeUnits' & value of this parameter is 'minutes'.

But if you remove this parameter 'maxSessionTimeUnits' than MAX SESSION TIME will have 'hours' as its unit.

Note:

• User won't be challenged for credentials again because of the 'MAX Session time'. This time is not user session timeout. It is for the OAP/NAP connection timeout.

How will you test these connections?

bash$> netstat -anp | grep 5575 | grep httpd.worker

Note:

1. Port 5575 is the listening port used by the OAM Server. While creating webgate agent profile server connection port is mentioned.
2. 'httpd.worker'  is the OHS server process.
3. In this example 2 worker threads have made OAP/NAP connection with the OAM Server. 

After 2 minutes these connections are re-established, here is the proof.

Hope it clears your doubts.....!!!!!!


Reference Doc:
http://docs.oracle.com/cd/E40329_01/admin.1112/e27239/register.htm#AIAAG631


Enjoy :-)