Showing posts with label webgate 11g. Show all posts

Monday, 15 February 2016

Enabling IP Validation in Load Balancer Environment using ProxyTrustedList & ProxyRemoteIPHeaderVar in OAM 11g

Why are we discussing this topic?

  • It is important to understand the configuration required in OAM to validate client IP addresses when the application server sits behind proxies.

What difference does it make if the app server is behind a proxy?

  • The client IP is calculated differently when a proxy is present.

How is the client IP fetched in OAM/Webgate?

  • REMOTE_ADDR contains the client IP; when a proxy is in the path, REMOTE_ADDR holds the IP address of the last proxy instead.

How can I then validate the IP in a scenario where proxies are used?

  • For such a scenario we have to configure 2 user-defined parameters in the Webgate profile:
    • ProxyRemoteIPHeaderVar = <by default it is set to HTTP_X_FORWARDED_FOR>
    • ProxyTrustedIPList = <list of comma-separated IP addresses>
  • Along with these parameters we need to enable the IP Validation flag in the Webgate profile.

How are REMOTE_ADDR & the X-Forwarded-For header related?

  • REMOTE_ADDR: in general it contains the IP address of the client. But in scenarios where proxies are involved, REMOTE_ADDR contains the IP address of the last proxy.
  • HTTP_X_FORWARDED_FOR: this header is the common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

Considering the scenario such as:

Client -> Proxy1 -> Proxy2 -> OHS Server(having Webgate)
 
Thus in this scenario the headers contain the following values:
  • REMOTE_ADDR = Proxy2 IP
  • HTTP_X_FORWARDED_FOR = Client IP, Proxy1 IP

So how is the ProxyTrustedIPList to be configured?

  • This parameter should list the IP addresses of all the proxies present in the deployment or production environment.

How do HTTP_X_FORWARDED_FOR & ProxyTrustedIPList correlate?

The IP addresses in the X-Forwarded-For header are walked back from the end and checked against the ProxyTrustedIPList; the first IP that is not found in the trusted list is taken as the client IP.

Consider the scenario:
Client -> Proxy1 -> Proxy2 -> OHS Server (having Webgate)

Headers:
  • HTTP_X_FORWARDED_FOR = ClientIp, Proxy1
  • REMOTE_ADDR = Proxy2
Configuration:
  • ProxyTrustedIPList = Proxy1, Proxy2
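As an added example (a model of the logic just described, not OAM/Webgate code): walk the X-Forwarded-For chain from the right, skip every address found in ProxyTrustedIPList, and return the first untrusted one. Two cases the post does not spell out are handled as assumptions here: a REMOTE_ADDR that is not itself a trusted proxy makes the header untrustworthy, and a chain in which every hop is trusted falls back to the left-most entry. All IP values are constructed samples.

```python
"""Added example (a model of the logic the post describes, not OAM/Webgate
source): derive the client IP from REMOTE_ADDR, the header named by
ProxyRemoteIPHeaderVar and the ProxyTrustedIPList."""
from ipaddress import ip_address
from typing import Optional, Set


def parse_ip_list(value: str) -> Set[str]:
    """Turn the comma-separated ProxyTrustedIPList into a set of normalised
    IP strings. Tokens that are not IP addresses are dropped, never trusted."""
    trusted = set()
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            trusted.add(str(ip_address(token)))
        except ValueError:
            continue
    return trusted


def resolve_client_ip(remote_addr: str, xff_header: Optional[str],
                      trusted_list: str) -> str:
    """Return the address IP validation should be performed against.

    remote_addr  -- REMOTE_ADDR as seen by OHS (the last proxy when present)
    xff_header   -- value of HTTP_X_FORWARDED_FOR (or whatever header
                    ProxyRemoteIPHeaderVar names), None when absent
    trusted_list -- the ProxyTrustedIPList value

    Assumptions beyond the post: if REMOTE_ADDR itself is not a trusted
    proxy the header is ignored (an untrusted peer could have written it),
    and if every hop is trusted the left-most header entry is returned.
    """
    trusted = parse_ip_list(trusted_list)
    peer = str(ip_address(remote_addr))
    # Header order is client first, nearest proxy last; we walk from the end.
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    if peer not in trusted or not hops:
        return peer                     # direct client, or header not trustworthy
    for hop in reversed(hops):
        try:
            addr = str(ip_address(hop))
        except ValueError:
            return peer                 # malformed entry: do not honour the header
        if addr not in trusted:
            return addr                 # first hop not added by a known proxy
    return str(ip_address(hops[0]))     # whole chain trusted: take the originator


if __name__ == "__main__":
    # Constructed addresses for Client -> Proxy1 -> Proxy2 -> OHS (Webgate)
    print(resolve_client_ip("203.0.113.2", "198.51.100.7, 203.0.113.1",
                            "203.0.113.1, 203.0.113.2"))   # 198.51.100.7
```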

 
Enjoy :-)

Thursday, 29 October 2015

OAM - Deny if not protected Flag impact on webgate 10g and 11g

Ever wondered what the 'Deny if not protected' flag signifies?

This flag is present in the Webgate profile; by default, when you create a 10g or 11g profile, it is 'ON' (checked).

Whom does it impact?

The flag is significant only for 10g Webgate profiles. It has no impact on 11g Webgates.

What impact does this flag have?

If this flag is set 'ON', then any resource you access that has no policy defined in OAM returns a 404 error, and the reason for this is 'Resource Access Denied'.

So with 10g you will face this problem if the flag is set 'ON'.

Why does this flag have no impact on an 11g Webgate?

The reason is that with an 11g Webgate, access is denied by default for any resource whose policy is not defined in OAM.
If you want to allow access to such resources, you have the option of making them an unprotected/excluded resource type.


Enjoy :-)

Tuesday, 20 October 2015

OAM - Webgate NAP Tunneling in OTD (R2PS2, R2PS3 & 12C)

By now we all know how to tunnel a request to OAM through Webgate; we have also covered this in Webgate NAP Tunneling.

But there is a catch, or rather one more step you need to do to enable NAP Tunneling when using OTD (Oracle Traffic Director) Server.

I am assuming you have followed all the steps mentioned in the Webgate NAP Tunneling post. At the very end you need to perform one more step, only for OTD:

  1. To enable NAP Tunneling in OTD, one needs to uncomment a line in the
    <instance_name>-obj.conf file, which reads as follows:

    # Uncomment the below line and configure the "from" parameter to enable
    # tunneling. The value of the from parameter would be the tunneled URLs
    #NameTrans fn="pfx2dir" from="/oam" dir="/webgate/otd/lib" name="webgate_response"

    The above line needs to be uncommented to enable NAP tunneling.
    After making this change, one needs to restart the OTD instance.

    Note
    1. This configuration change to enable NAP Tunneling has existed since
      R2PS2 (with a BP patch) and R2PS3, and is carried forward to the latest release, 12c, as well.
    2. In the change suggested above you will find the tunneled URLs that you need to provide here; by default it is /oam. But you might want to tunnel /oamfed as well, or any other path. So all the tunneled URLs are to be provided here as well.


Enjoy :-)

Tuesday, 31 March 2015

Enabling Diagnostics Trace Level Log for OAM SERVER

OAM Server Diagnostics Logging - never so easy................ That's a myth now... ;-)

To capture OAM Server logs for diagnosis, we now just need to add a few logger statements to logging.xml.

Important point to note here: NO SERVER RESTART IS REQUIRED!

So the first question that strikes: where is this logging.xml placed?

Ans - It is present in the WebLogic server domain directory, e.g.
/scratch/ckukreja/Oracle/Middleware/user_projects/domains/base_domain/config/fmwconfig/servers/wls_oam1/logging.xml

Note: My domain name is "base_domain" and the OAM server name is "wls_oam1"

Next question: why do we need to see the OAM Server diagnostics?

Ans - It helps us analyze the flow, e.g. when Webgate sends the IsRescProtected() NAP call, whether the server receives it or not. We can find that in the server logs. Moreover we can track that server thread and see what other operations it performs: whether it sends success or failure to Webgate, or raises an exception for the performed operation.
All of this can be very helpful while debugging an issue.

Now, which logger statements need to be added?

Ans - The following logger statements need to be added:
<logger name='oracle.oam' level='TRACE:32'/>
<logger name='oracle.security.am' level='TRACE:32'/>
<logger name='oracle.oam.engine.policy' level='TRACE:32'/>
<logger name='oracle.oam.engine.session' level='TRACE:32'/>
<logger name='oracle.oam.engine.sso' level='TRACE:32'/>
<logger name='oracle.oam.engine.authz' level='TRACE:32'/>

Where to place the above snippet in logging.xml?

Ans - You will find a block starting with "logger name='' level='ERROR:1'" in the file; place the snippet just after that block.



<logger name='' level='ERROR:1'>
  <handler name='odl-handler'/>
  <handler name='wls-domain'/>
  <handler name='console-handler'/>
</logger>

<logger name='oracle.oam' level='TRACE:32'/>
<logger name='oracle.security.am' level='TRACE:32'/>
<logger name='oracle.oam.engine.policy' level='TRACE:32'/>
<logger name='oracle.oam.engine.session' level='TRACE:32'/>
<logger name='oracle.oam.engine.sso' level='TRACE:32'/>
<logger name='oracle.oam.engine.authz' level='TRACE:32'/>
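An added example (not from the post or from Oracle) that performs the edit above with a script: it inserts the TRACE:32 loggers directly after the root logger block, only if they are not already there, and can remove them again once diagnosis is done. SAMPLE_LOGGING_XML is a constructed document mirroring the block quoted above; the element names <logging_configuration> and <loggers> are assumed from that structure.

```python
"""Added example (not from the post or Oracle): insert the post's TRACE:32
loggers right after the root logger in an ODL logging.xml, skipping any
already present, and remove them again after diagnosis. SAMPLE_LOGGING_XML
is a constructed document mirroring the block quoted in the post."""
import shutil
import xml.etree.ElementTree as ET
from typing import Dict, List

TRACE_LEVEL = "TRACE:32"
TRACE_LOGGERS = ["oracle.oam", "oracle.security.am", "oracle.oam.engine.policy",
                 "oracle.oam.engine.session", "oracle.oam.engine.sso",
                 "oracle.oam.engine.authz"]

SAMPLE_LOGGING_XML = """<?xml version='1.0'?>
<logging_configuration>
 <log_handlers>
  <log_handler name='odl-handler' class='oracle.core.ojdl.logging.ODLHandlerFactory'/>
 </log_handlers>
 <loggers>
  <logger name='' level='ERROR:1'>
   <handler name='odl-handler'/>
   <handler name='wls-domain'/>
   <handler name='console-handler'/>
  </logger>
  <logger name='oracle.adf' level='NOTIFICATION:1'/>
 </loggers>
</logging_configuration>
"""


def load(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text)


def enable_trace(root: ET.Element) -> List[str]:
    """Add <logger name='...' level='TRACE:32'/> for each TRACE_LOGGERS name
    directly after the root logger (name=''). Returns the names added; a
    name that is already configured, at any level, is left untouched."""
    loggers = root.find("loggers")
    if loggers is None:
        raise ValueError("logging.xml has no <loggers> element")
    children = list(loggers)
    existing = {lg.get("name") for lg in children}
    root_idx = next((i for i, lg in enumerate(children) if lg.get("name") == ""), None)
    if root_idx is None:
        raise ValueError("root logger (name='') not found")
    added, pos = [], root_idx + 1
    for name in TRACE_LOGGERS:
        if name in existing:
            continue
        loggers.insert(pos, ET.Element("logger", {"name": name, "level": TRACE_LEVEL}))
        pos += 1
        added.append(name)
    return added


def disable_trace(root: ET.Element) -> List[str]:
    """Remove exactly the loggers enable_trace() adds (same name and level)."""
    loggers = root.find("loggers")
    removed = []
    for lg in list(loggers):
        if lg.get("name") in TRACE_LOGGERS and lg.get("level") == TRACE_LEVEL:
            loggers.remove(lg)
            removed.append(lg.get("name"))
    return removed


def logger_levels(root: ET.Element) -> Dict[str, str]:
    """name -> level for every <logger>, in document order."""
    return {lg.get("name"): lg.get("level") for lg in root.find("loggers")}


def save(root: ET.Element, path: str) -> None:
    """Keep a .bak copy, then overwrite the file; the post notes that the
    OAM server picks the change up without a restart."""
    shutil.copyfile(path, path + ".bak")
    ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True)
```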


Note: I have enabled the logs at TRACE level 32.

For more info related to logging, refer to the link below:
http://www.ateam-oracle.com/logging-made-easy-in-oam-11g-with-this-simple-trick/


Enjoy :-)

Monday, 16 March 2015

Understanding the reason why to use OAAM

Understanding OAAM:


1) Risk Analysis: to find/detect suspicious attacks in real time or offline.

  • This involves keeping prints of the logged-in user's activity so as to understand the patterns performed. Whenever a variance from the pattern is detected, OAAM alerts the user.

2) Fraud Analysis: with this we can detect whether a human is interacting with the system or some malware/bot has been placed. To check for such suspicious attacks, whether by a human or a bot, OAAM offers:

  • OTP
  • KBA
  • Fingerprint Detection
  • Challenge Schemes, etc.
 

Reference:
http://docs.oracle.com/cd/E23943_01/admin.1111/e14568/intro.htm#AAMAD636


Enjoy :-)

OAAM Basic vs Advanced vs Advanced using TAP Integration with OAM

What all will we be covering?

  1. Understanding Basic OAAM Integration
  2. Understanding Advanced OAAM Integration
  3. Understanding Advanced TAP OAAM Integration
In this post we will be understanding Basic OAAM Integration.

OAAM Basic Integration with OAM:

The basic integration of OAAM offers a limited set of functionality when integrated with OAM. There are extension libraries bundled with the OAM server itself, through which the basic integration is offered.

Knowledge Based Authentication is the only challenge mechanism offered in this basic integration.

What all is needed for this integration?

1) OAAM Admin Server
2) OAAM Database
3) OAM Admin + Managed Server

Note: Webgate 10g & 11g Agents are supported with this integration.

References:
http://docs.oracle.com/cd/E23943_01/doc.1111/e15740/aam.htm#AIING268


Enjoy :-)

Friday, 27 February 2015

OAM 11g - Webgate NAP Tunneling

 

What is NAP Tunneling?

NAP or OAP is the protocol used for communication between the OAM Server & Webgate.
Webgate relies on this channel for communication with the server. The channel is Webgate-initiated, i.e. the request is made by Webgate over this NAP channel & the server sends the response back over the same NAP channel.

Now what is this tunneling meant for? It is basically a mechanism via which one can access a resource that is actually deployed on the OAM Server.

So what does accessing a resource mean here?
Take an example: I want to use an app which is actually deployed on the OAM Server. But as we know, resources are normally placed on some resource server,
and to use this app I can't hit the resource URL directly because it is not accessible directly.

Thus with Webgate R2PS2 a new feature was added: NAP Tunneling. With this we can configure the URLs that need to be tunneled, e.g. tunnel the request only when the requested URL contains '/oam'. Webgate then sends this tunneled request to the server, which in turn sends the resource to Webgate, & it is Webgate's responsibility to parse the response & return it to the user's browser.

How to configure/enable the NAP Tunneling feature in OAM?

1) Define a user-defined parameter in the Webgate artifact, i.e.

     TunneledUrls=<url_path> (relative path, not absolute)

Like - I want to tunnel all the requests that have '/oam' or '/oamfed' or '/sample':

     TunneledUrls=/oam, /oamfed, /sample

2) The URL paths that we want to tunnel must use the public resource policy for both authentication & authorization.

3) Make sure that the parameter "DirectAuthenticationServiceDescriptor" in oam-config.xml is set to true.

Note: This oam-config.xml file is placed at <Middleware_Home>/user_projects/domains/<domain_name>/config/fmwconfig/oam-config.xml

The above 3 steps are required to enable tunneling for ECC. But in case you want to enable tunneling with DCC, you need to perform a few more steps;

The following post shows DCC NAP Tunneling.


Enjoy :-)

Sunday, 22 February 2015

Enabling DCC for OAM 11g & OIF

Enabling DCC for OAM & OIF:


This post is divided into following sections:

1) Understanding OIF
2) Installing OAM 11g, OHS, Webgate 11g
3) Integrating OIF & OAM 11g
4) DCC for OAM & OIF



Enjoy :-)

Monday, 15 December 2014

Cache Pragma Header OAM

In the OAM SSO Agent configuration we have 2 caching headers:

  1. Cache Control Header
  2. Pragma Header

As per RFC 2616, the Pragma header is there for backward compatibility, while all browsers & client-specific systems now use HTTP/1.1.

Thus as per the HTTP/1.1 standard the Cache-Control header is in use.

Since the OAM Webgate 11g is developed as per the HTTP/1.1 standard, it makes use of the Cache-Control header, & Pragma is there just for backward compatibility.

That's why you see that they both have the same values: the Pragma header uses the same value as the Cache-Control header.

Some more info related to the Cache-Control header:


HTTP 1.1 introduced a new class of headers, Cache-Control response headers, to give Web publishers more control over their content, and to address the limitations of Expires.
Useful Cache-Control response headers include:
  • max-age=[seconds] — specifies the maximum amount of time that a representation will be considered fresh. Similar to Expires, this directive is relative to the time of the request, rather than absolute. [seconds] is the number of seconds from the time of the request you wish the representation to be fresh for.
  • s-maxage=[seconds] — similar to max-age, except that it only applies to shared (e.g., proxy) caches.
  • public — marks authenticated responses as cacheable; normally, if HTTP authentication is required, responses are automatically private.
  • private — allows caches that are specific to one user (e.g., in a browser) to store the response; shared caches (e.g., in a proxy) may not.
  • no-cache — forces caches to submit the request to the origin server for validation before releasing a cached copy, every time. This is useful to assure that authentication is respected (in combination with public), or to maintain rigid freshness, without sacrificing all of the benefits of caching.
  • no-store — instructs caches not to keep a copy of the representation under any conditions.
  • must-revalidate — tells caches that they must obey any freshness information you give them about a representation. HTTP allows caches to serve stale representations under special conditions; by specifying this header, you’re telling the cache that you want it to strictly follow your rules.
  • proxy-revalidate — similar to must-revalidate, except that it only applies to proxy caches.
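An added example (mine, not from the post or from the referenced page) that turns the directives listed above into a decision: parse_cache_control() splits the header and evaluate() derives what a browser cache and a shared proxy cache may do with the response, treating Pragma: no-cache only as the HTTP/1.0 fallback the post describes. Header values used in the checks are constructed samples.

```python
"""Added example (not from the post): evaluate Cache-Control (and the Pragma
fallback) for a browser cache and a shared proxy cache, following the
directive meanings listed in the post."""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'Max-Age="30", private' -> {'max-age': '30', 'private': None}.
    Directive names are case-insensitive; quoted arguments are unquoted."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


@dataclass
class CacheDecision:
    browser_may_store: bool        # a per-user cache may keep a copy at all
    shared_may_store: bool         # a proxy cache may keep a copy at all
    browser_fresh_seconds: int     # reuse without revalidation (max-age)
    shared_fresh_seconds: int      # same for proxies (s-maxage wins over max-age)
    revalidate_every_use: bool     # no-cache: always check with the origin first
    browser_may_serve_stale: bool  # False when must-revalidate is present
    shared_may_serve_stale: bool   # False when must-revalidate or proxy-revalidate


def _seconds(directives: Dict[str, Optional[str]], name: str) -> Optional[int]:
    raw = directives.get(name)
    if raw is None:
        return None
    try:
        return max(0, int(raw))
    except ValueError:
        return 0    # unparsable lifetime: treat the copy as already stale


def evaluate(cache_control: Optional[str], pragma: Optional[str] = None,
             authenticated: bool = False) -> CacheDecision:
    """authenticated=True models a response to a request that carried HTTP
    authentication: shared caches may store it only if 'public' is present."""
    d = parse_cache_control(cache_control) if cache_control else {}
    if not d and pragma and "no-cache" in pragma.lower():
        d = {"no-cache": None}      # HTTP/1.0 client or server: Pragma fallback
    if "no-store" in d:
        return CacheDecision(False, False, 0, 0, True, False, False)
    max_age = _seconds(d, "max-age") or 0
    s_maxage = _seconds(d, "s-maxage")
    shared_ok = "private" not in d and (not authenticated or "public" in d)
    no_cache = "no-cache" in d
    must_reval = "must-revalidate" in d
    shared_fresh = s_maxage if s_maxage is not None else max_age
    return CacheDecision(
        browser_may_store=True,
        shared_may_store=shared_ok,
        browser_fresh_seconds=0 if no_cache else max_age,
        shared_fresh_seconds=0 if (no_cache or not shared_ok) else shared_fresh,
        revalidate_every_use=no_cache,
        browser_may_serve_stale=not must_reval,
        shared_may_serve_stale=shared_ok and not (must_reval or "proxy-revalidate" in d),
    )
```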

References:

https://www.mnot.net/cache_docs/


Enjoy :-)

Tuesday, 9 December 2014

Purpose of Max Session Time OAM

Purpose of Max Session Time field:


Max Session Time (hours)

Maximum time to keep server connections alive. The unit is based on the maxSessionTimeUnits user-defined parameter which can be 'minutes' or 'hours'. When maxSessionTimeUnits is not defined, the unit is defaulted to 'hours'.

What does the above definition mean?

Basically this is the session time for the OAP/NAP connections made between Webgate & the OAM Server.
It is the TTL (time to live) of these OAP/NAP connections.

Does this field define the time in minutes or hours?

By default it is in 'hours'. But when you create a Webgate Agent Profile there is a user-defined parameter 'maxSessionTimeUnits' with the value 'minutes'.
This makes the value configured in 'MAX SESSION TIME' count in minutes.

  • In this agent profile we have Max Session Time configured as '2'. Why is this in minutes?
    • Because we have configured the user-defined parameter 'maxSessionTimeUnits' & the value of this parameter is 'minutes'.

But if you remove the 'maxSessionTimeUnits' parameter, then MAX SESSION TIME will have 'hours' as its unit.

Note:

  • The user won't be challenged for credentials again because of 'MAX Session time'. This is not the user session timeout; it is the OAP/NAP connection timeout.

How will you check these connections?

bash$> netstat -anp | grep 5575 | grep httpd.worker

Note:

  1. Port 5575 is the listening port used by the OAM Server; it is the server connection port mentioned while creating the Webgate agent profile.
  2. 'httpd.worker' is the OHS server process.
  3. In this example 2 worker threads have made OAP/NAP connections with the OAM Server.

After 2 minutes these connections are re-established.


Hope it clears your doubts.....!!!!!!


Reference Doc:
http://docs.oracle.com/cd/E40329_01/admin.1112/e27239/register.htm#AIAAG631


Enjoy :-)

Thursday, 4 December 2014

Webgate Caches: Understanding the Webgate Caching

We will be discussing the following:


  1. When does WebGate do the caching? At what time?
  2. Why is it required to cache?
  3. How does it use this cache?
  4. How to tune this cache?
  5. Webgate Caching Demo



1) When does WebGate do the caching? At what time?

      Basically Webgate caches information at the time of:

    • Authentication &
    • Authorization.

2) Why is it required to cache?

Caching is important when we don't want the OAM Server to get overloaded.
And what does this actually mean?

It means that if Webgate sends every similar request to the server, it is actually not adding any value. We are just asking the server to do repetitive work.

But what if we screen these requests at Webgate? Webgate first looks at the request; if it finds it has already served it, Webgate takes the decision itself, as it already has the answer cached. And in case Webgate doesn't have any info about the user request, it makes a trip to the server asking for it & caches the answer for future use.

3) So does that mean Webgate caches the request for a lifetime?

No, absolutely not. It does cache, but the cache certainly has a lifetime, and that lifetime depends on the configuration we do while creating the Webgate Profile.

4) Which parameters take care of caching in OAM?

    As discussed there are 2 types of caches:

    • Authentication &
    • Authorization
Parameters:
  1. Authentication Cache Configurable Parameters:
    1. Maximum Cache Elements
    2. Cache Timeout
  2. Authorization User Defined Parameters:
    1. maxAuthorizationResultCacheElems
    2. authorizationResultCacheTimeout

5) Now the question is how these caches come into the picture, i.e. how does Webgate actually use them?

Basically when a user request comes to Webgate (obviously via the web server where Webgate is integrated), a lookup is made to the cache. First a lookup is made to the authentication cache for the required parameters & then a lookup is made to the authorization cache.

Now the interesting point here is that when a cache miss occurs, a NAP/OAP call is made to the server & the response is cached, so that the next time the same request comes to Webgate before the cache timeout, Webgate has the capability to respond from its own lookup.

6) Tuning the webgate cache parameters:


As discussed at point (4), the parameters defined can be configured:
  • Max Cache Elements: if we configure this parameter as -1, then Webgate will not cache the elements.
  • Cache Timeout: it tells after how much time the cache drains out. If Max Cache Elements is configured as -1, then this parameter has no significance.
  • maxAuthorizationResultCacheElems - this user-defined parameter sets the maximum number of authorization cache elements that can be cached.
  • authorizationResultCacheTimeout - this is the same as Cache Timeout but specifically for the authorization cache. It has no impact on the authentication cache. Default value is 15 seconds.
    • If authorizationResultCacheTimeout is set to 0, Authorization Cache is disabled.
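An added example (a Python model, not Webgate's code) of the behaviour described in points 5 and 6: a size-bounded TTL cache where Max Cache Elements -1 disables caching, a timeout of 0 disables it, and every miss costs a round trip to the server. simulate() replays constructed requests and counts the server trips saved; the OAM server is stood in for by a callable.

```python
"""Added example: a model of the Webgate authentication/authorization cache
as the post describes it (not Webgate source code). The "server" is a
callable invoked on every miss, so server_trips shows the load removed."""
from collections import OrderedDict
from typing import Callable, Hashable, Iterable, Tuple


class WebgateCache:
    def __init__(self, max_elements: int, timeout_seconds: int):
        # Max Cache Elements = -1 disables the cache (post, point 6); any
        # non-positive value is treated the same way in this model.
        # Timeout 0 disables it too (authorizationResultCacheTimeout = 0).
        self.max_elements = max_elements
        self.timeout = timeout_seconds
        self._entries = OrderedDict()   # key -> (decision, stored_at)
        self.hits = 0
        self.server_trips = 0

    @property
    def enabled(self) -> bool:
        return self.max_elements > 0 and self.timeout > 0

    def lookup(self, key: Hashable, now: float, fetch: Callable[[], object]):
        """Return the cached decision for key if it is still within the
        timeout; otherwise make the NAP/OAP "round trip" (fetch) and cache
        the answer for future requests."""
        if self.enabled:
            entry = self._entries.get(key)
            if entry is not None and now - entry[1] < self.timeout:
                self.hits += 1
                return entry[0]
            if entry is not None:
                del self._entries[key]          # timed out: the cache drained
        self.server_trips += 1
        decision = fetch()
        if self.enabled:
            self._store(key, decision, now)
        return decision

    def _store(self, key, decision, now) -> None:
        self._entries.pop(key, None)
        while self._entries and len(self._entries) >= self.max_elements:
            self._entries.popitem(last=False)   # full: evict the oldest entry
        self._entries[key] = (decision, now)

    def __len__(self) -> int:
        return len(self._entries)


def simulate(max_elements: int, timeout: int,
             requests: Iterable[Tuple[float, Hashable]]) -> dict:
    """Replay (timestamp, key) requests and report how many reached the
    server. The stand-in server always answers ALLOW."""
    cache = WebgateCache(max_elements, timeout)
    for ts, key in requests:
        cache.lookup(key, ts, lambda: "ALLOW")
    return {"server_trips": cache.server_trips, "hits": cache.hits,
            "cached": len(cache)}


# Constructed sample: the same user hitting the same resource four times.
SAMPLE_REQUESTS = [(0, ("alice", "/index.html")), (3, ("alice", "/index.html")),
                   (9, ("alice", "/index.html")), (20, ("alice", "/index.html"))]

if __name__ == "__main__":
    print("timeout 15s :", simulate(100, 15, SAMPLE_REQUESTS))  # 2 trips, 2 hits
    print("elements -1 :", simulate(-1, 15, SAMPLE_REQUESTS))   # 4 trips, no cache
```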

Reference Docs: http://docs.oracle.com/cd/E27559_01/doc.1112/e28552/oam.htm#ASPER490



Enjoy :-)



Monday, 1 December 2014

[OAM]: Configuring Pre-Authentication Advanced Rules

Configuring pre-authentication Advanced Rules:

Pre-requisites:
• OAM Managed & Admin Servers are up & running.
• You have already created the 'Webgate Profile' & the artifacts are placed in the Webgate instance directory.

1) Log in to the OAM Console: http://<host:port>/oamconsole

2) Go to 'Application Domain' & select the Webgate profile that you have created. In our case I am using 'dcc-7778'.

3) Select the 'Authentication Policies' tab:

• Open 'Protected Resources':

4) Now we need to select the 'Advanced Rules' tab:

• Let's create a pre-authentication rule: click the '+' sign
• Fill in the fields:
  • Rule Name - provide the rule name.
  • Condition - the condition, which needs to be written in Jython script style.
  • Switch Authentication Scheme - if the condition is true, then we switch the Authentication Scheme.
  • Deny Access - if this flag is true, then there is no need to configure 'Switch Authentication Scheme'.
  • Click 'Add' to add the rule.
  • Apply the changes.

5) The rule that we have created above states that if the user's IP address starts with '10.' then the configured Authentication Scheme is switched to 'Basic Scheme'.

6) Now we are good to test the changes. Let's hit the request; it should ask for credentials, but as per 'Basic Scheme':

http://<host:port>/index.html

Note: The client IP address here starts with '10.'

Reference: https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-1E9A2B43-140C-4A85-8DEA-521CE3F57B12.htm#AIAAG88930

Hurray.... we are done... congrats... :-)

Enjoy :-)

Friday, 28 November 2014

Basics of OID, OVD & OIF

What is OID?
• Oracle Internet Directory is an LDAP directory that uses an Oracle Database for storage.
• Clients communicate with a directory server by means of the Lightweight Directory Access Protocol (LDAP).

How is data stored in OID?
• It is stored in hierarchical format, i.e. a DIT (Directory Information Tree).

What all can you store in OID?
• You can store passwords, connection information, etc.

What is Oracle Integration Platform?
• It enables you to sync data to & fro between databases, e.g. from OID to a Finance database.

What is the benefit of using OVD (Oracle Virtual Directory)?
• OVD acts as an interface which has adapters to connect to multiple data sources. It basically provides an LDAP service through which you connect to different databases and directories.
• This gives organizations the advantage of using a single interface which, in the background, actually talks to multiple directories or databases.

What is OIF (Oracle Identity Federation)?
• Oracle Identity Federation enables companies to share identity information with their partner organizations, i.e. the end user does not need to log in again to the partner site once he/she is logged in to his/her company account.
• With this feature enterprises can federate seamlessly with partner organizations without compromising on security checks.

Hope it solves some of your doubts......

Enjoy :-)


Tuesday, 25 November 2014

[Weblogic]: How to Deploy a Web App on OAM Weblogic Console

This post is divided into 3 sections:

1) Create a web-app.
2) Deploy it on the managed server.
3) Access the web-app.

Let's start:

1) Create a web-app: For this I have an already created web-app, which contains a headers.jsp page.

• headers.jsp - this page will be used to display all the HTTP headers that are set by OAM/WebLogic.

2) Deploy the web-app:

• Log in to the WebLogic console: http://<host:port>/console

• Once you are logged in, select the 'Deployments' option under Domain Structure.

Note: Before you move to the next step, copy the web-app folder to the domain directory, i.e.

Copy to this path: <MiddlewareHome>/user_projects/domains/<your_domain_name>/

• Click the 'Install' button: this will lead you into the deployment process.

• Now select your app folder.

• Select the folder; here it is showing 'source' as it contains the app:

Press Next....

Note
  • Here the 'source' folder has the web app pages, so when we need to access these resources from the browser we will fire the request as:
         http://<host:port>/source/Login.jsp
  • Thus if your folder name is something else, you will access it by that name only.
         Syntax: http://host:port/<webapp folder name>/<resource name>
• On the next page nothing needs to be changed as of now; keep the default options and just press Next.

• Available Targets: select 'oam_server1' (you can also deploy it on the Admin Server) and press Next.

• General Assistance: this will show you the selected options; here you just need to press Next.

Note: One thing that you need to make a note of is the deployment name, because if you need to update the app in future, you need that name.

• Finish: click 'Finish' & it will deploy the app.

Note: Click the 'Activate Changes' button at the top left; this will apply the changes & no restart is required.

3) Accessing the web-app

• We need to make changes in the mod_wl_ohs.conf file to front-end the deployed app.

Note: Here I have front-ended the app with OHS.

  • '/source' is the app folder that we chose while deploying.
  • Mention the host name - this will be the host on which you have installed the OHS.
  • Mention the port - this will be the port on which the managed server is listening.
  • Save the changes.
  • Restart the OHS server.

• Open the browser and fire the URL - http://<host:port>/source/headers.jsp
• It will redirect you to the credential collector page. Provide the credentials.
• And you will get the 'headers.jsp' resource.

• Now you can even try to access other resources present on your OHS server, i.e. those you have placed in the htdocs folder, like:
         http://<host:port>/index.html

• You will not be asked for credentials again, as you have already logged in & your OAMAuthnCookie & OAM_ID cookies are present in your browser.

Enjoy :-)

Enable Debug Logs for OAM Server from Weblogic Console

Enabling debug logs:

Let's start the process:

1) Log in to the WebLogic console: http://<host:port>/console

2) Select the Environment option under Domain Structure:

• Select the Servers option:

3) Select oam_server1, as we need to enable the debug log for a specific component.

• Select the 'Debug' tab

4) Select 'weblogic' & expand its view.

5) Select the component(s) for which you want to enable the logging.

• Click 'Enable' to apply the changes.

Note:

• Remember, you might need to first select the "Lock & Edit" option at the top left of the screen, and then "Activate Changes", so that the change takes effect.

6) Now for the selected component you will start getting logging trace. You can view the logs under:

• Log File Path: <Middleware_Home>/user_projects/domains/<domain_name>/servers/oam_server1/logs/

• File Names:
  1. oam_server1.log
  2. oam_server1-diagnostic.log

You are good to go.... Enjoy debugging.....

Enjoy :-)