Showing posts with label oamconsole. Show all posts
Showing posts with label oamconsole. Show all posts

Monday 3 July 2017

Enable SSL in between OHS & Outbound Applications

Enabling SSL in between OHS & OutBound Applications

Prerequisites:
  1. OHS SSL is enabled.
  2. Outbound App SSL is enabled like OAM, Weblogic, OIM etc.
What we are aiming is to setup SSL in b/w OHS & outbound apps

Eg: Consider you want to proxy your OAM server via OHS as a load balancer/proxy call it any. This is a very normal usecase where you have your OAM servers sitting in your data-center & you don't want it's hostname/IP to be exposed. So what you usually do is proxy OAM via OHS.
  • Consider your OHS server name is https://abc.com. So if admin needs to access the oamconsole. Admin will fire the url as https://abc.com/oamconsole
  • To enable this usecase, /oamconsole is to be added in ssl.conf/mod_wl_ohs.conf file(usual way).
  • But the catch is that our OHS & OAM are in SSL mode.
  • This means that they will do handshake before starting to talk to each other.
  • As we all know that while doing handshake, server sends its user certificate, now this cert is verified by client i.e. here mod_wl_proxy of OHS. So the wallet used by it has to have the trusted certificate entry in it.

Steps you need to follow for this are as;

  • Import the certificate used by Outbound app such as Oracle WebLogic Server into the Oracle HTTP Server wallet as a trusted certificate.
    • To add trusted certificate you can use orapki utility or any of your choice.
    • <MW_HOME>/oracle_common/bin/orapki wallet add -wallet ./ -trusted_cert -cert cacert.pem -auto_login_only 
    • Note: './' is used as we consider that you are running this command from the directory where your cwallet.sso is present. You can substitute it with directory path of cwallet.sso as well.
  •  Now you need to add 2 tags in ssl.conf or mod_wl_proxy.conf:
    • SecureProxy On
      WlSSLWallet "<wallet location>"

Complete Eg:

<Location /console>
SetHandler weblogic-handler
WebLogicHost xyz.us.domain.com
WebLogicPort 7001
SecureProxy ON
WlSSLWallet "/MW_HOME/keystores/newwallet"
</Location>


Now start your OHS server, and try to access the proxied url, you should be able to make a successful connection. You can also confirm the same by capturing wireshark traces. 

Hope this helps... :-)

Useful links:

Enjoy :-)
Posted by at No comments:
Labels: , , , , , , , ,

Sunday 18 October 2015

Unable to login to oam console with new identity store

Unable to login to OAM Console 11g:

Sometimes we get into a situation where we are unable to login to oamconsole when we change the identity store in OAM 11G oamonsole from EMBEDDED LDAP store to some other LDAP Store like OID, OVD or ODSEE etc...

In this case we should take caution by taking backup of oam-config.xml file; now the question comes in that why it is so important to take backup of this file?

This file contains all the configurations related info required for OAM Server and also it gets updated when update the server configuration.

For example: Default LDAP store configured in it will be like;

<Setting Name="UserIdentityStore" Type="htf:map">
     <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=Admin</Setting>
    <Setting Name="GROUP_SEARCH_BASE" Type="xsd:string">ou=groups,ou=myrealm,dc=base_domain</Setting>
     <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
     <Setting Name="Type" Type="xsd:string">LDAP</Setting>
     <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
     <Setting Name="IsPrimary" Type="xsd:boolean">true</Sghetting>
     <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
     <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}F8E3A9FAD9D662F753D842979423ED3D</Setting>
    <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
    <Setting Name="USER_SEARCH_BASE" Type="xsd:string">ou=people,ou=myrealm,dc=base_domain</Setting>
    <Setting Name="ENABLE_PASSWORD_POLICY" Type="xsd:boolean">false</Setting>
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
   <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
   </Setting>

Similarly when you configure a new LDAP Store, a same sort of entry will be created where you will notice that the new IDENTITY Store will become the primary store and its flag will be set as true while the embedded ldap store isPrimary flag turns false;
<Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>

Possible way outs:
1) Check whether the user you are logging with has admins rights; i.e. is that user added to the administrators group of the LDAP Store.
2) If the step 1 is fine than you might not have done proper configuration in weblogic console;
  • Check for the users&groups configuration, whether the added user is present under users tab or not,
  • Check for the roles&policies, i.e. under global roles->Admin-> is your admin group is present.
  • Check whether the identity store is placed at the top in the providers tab, if not you need to reorder it.
3) If step 2 is ok than check oamconsole settings, now you will ask when i am not able to login than how can i check those?
  • So the answer lies in below mentioned explanations.
Thus in case you are enable to login to the oamconsole than just replace the oam-config.xml file with the old one. Remember whenever you do changes in oam server configuration after applying the changes a backup file gets generated automatically.

So either replace the current oam-config.xml with the last saved auto backed up file or with the one you have saved as a copy.

Than restart the admin & manged server, you should be able to login with the default credentials of embedded ldap store. 



Enjoy :-)
Posted by at No comments:
Labels: , , , , , , ,

Monday 15 December 2014

Cache Pragma Header OAM

In OAM SSO Agent configuration we have 2 caching headers:
  1. Cache Control Header
  2. Pragma Header
As per the RFC 2616, Pragma Header is their for backward compatibilty while in all the browers & client specfic system we all are using HTTP/1.1

 Thus as per the HTTP/1.1 standard Cache-Control Header is in use.

 So as the OAM Webgate 11g is developed as per the HTTP/1.1 statndard. Thus it makes use of this Cache-Control Header & Pragma is their just for backward compatibilty.

 That's why you see that they both have same values & Pragma Header uses the same value as that of Cache-Control Header value.



Some more info related Cache Control Header:


HTTP 1.1 introduced a new class of headers, Cache-Control response headers, to give Web publishers more control over their content, and to address the limitations of Expires.
Useful Cache-Control response headers include:
  • max-age=[seconds] — specifies the maximum amount of time that a representation will be considered fresh. Similar to Expires, this directive is relative to the time of the request, rather than absolute. [seconds] is the number of seconds from the time of the request you wish the representation to be fresh for.
  • s-maxage=[seconds] — similar to max-age, except that it only applies to shared (e.g., proxy) caches.
  • public — marks authenticated responses as cacheable; normally, if HTTP authentication is required, responses are automatically private.
  • private — allows caches that are specific to one user (e.g., in a browser) to store the response; shared caches (e.g., in a proxy) may not.
  • no-cache — forces caches to submit the request to the origin server for validation before releasing a cached copy, every time. This is useful to assure that authentication is respected (in combination with public), or to maintain rigid freshness, without sacrificing all of the benefits of caching.
  • no-store — instructs caches not to keep a copy of the representation under any conditions.
  • must-revalidate — tells caches that they must obey any freshness information you give them about a representation. HTTP allows caches to serve stale representations under special conditions; by specifying this header, you’re telling the cache that you want it to strictly follow your rules.
  • proxy-revalidate — similar to must-revalidate, except that it only applies to proxy caches.

 References:

 https://www.mnot.net/cache_docs/
Enjoy :-)
Posted by at No comments:
Labels: , , , , , , , ,
Subscribe to: Posts (Atom)