Showing posts with label webgate 11g R2PS2. Show all posts

Wednesday 21 October 2015

OAM R2PS3 - why there is need for 2 cwallet.sso files in webgate profile

Did you ever wonder why there are 2 cwallet.sso files generated for your webgate profile in OAM R2PS3?

Let's take a look at the directory structure of the webgate profile when you create it:

  • Here you see a cwallet.sso file and a wallet folder. This wallet folder was never there in previous releases, but from R2PS3 onwards you will see this folder as well.

Let's see what this folder contains:
  • On expanding this wallet folder you see one more cwallet.sso file present in it.


bash-3.2$ ls -ltr
total 12
drwxr----- 2 ckukreja dba 4096 Oct 20 10:42 wallet
-rw-r----- 1 ckukreja dba 2796 Oct 20 10:42 ObAccessClient.xml
-rw-rw-rw- 1 ckukreja dba    0 Oct 20 10:42 cwallet.sso.lck
-rw------- 1 ckukreja dba  433 Oct 20 10:42 cwallet.sso   ----> this R2PS2 compatible wallet
bash-3.2$ cd wallet/
bash-3.2$ ls -ltr
total 4
-rw-rw-rw- 1 ckukreja dba   0 Oct 20 10:42 cwallet.sso.lck
-rw------- 1 ckukreja dba 401 Oct 20 10:42 cwallet.sso  -------> this R2PS3 compatible wallet

So the answer for these 2 cwallet.sso files is as follows:
  • The cwallet.sso file present in the wallet folder is the R2PS3 compatible wallet, which means that if you try to use this cwallet.sso file with an R2PS2 webgate, it won't work. You will get a FATAL error, "unable to read agent key", and the webgate is not initialized successfully.
    • This cwallet.sso is used by the R2PS3 webgate, but there is a catch here. If you don't copy the wallet folder to the webgate instance directory, the R2PS3 webgate is intelligent enough to understand the R2PS2 cwallet.sso.
    • So this means that the R2PS3 webgate can work with the R2PS2 cwallet.sso as well as the R2PS3 cwallet.sso.
  • The other cwallet.sso, present outside the wallet folder, is the R2PS2 compatible wallet file, i.e. when you use an R2PS3 OAM Server with an R2PS2 web server that has an R2PS2 webgate, this cwallet.sso will be used by the webgate to read the agent key.
    • This means that if this cwallet.sso is not present, the R2PS2 webgate will be unable to initialize, as it won't be able to read the agent key that is present in cwallet.sso.
    • Hence, to make an R2PS2 webgate work with an R2PS3 OAM server, it is mandatory to use the cwallet.sso file present outside the wallet folder.

There is one more change in the cwallet.sso files (both the R2PS2 and the R2PS3 one) created by the R2PS3 OAM Server:
  • If you open the cwallet.sso of R2PS2 or R2PS3, it only contains the shared secret key; there are no default certs present.
  • Whereas the cwallet.sso created by the R2PS2 OAM Server used to contain default certs as well as the shared key.

Note
  • To open the R2PS3 cwallet.sso present in the wallet folder you need the latest orapki executable, which comes with the R2PS3 OAM server; this same orapki can open the R2PS2 cwallet.sso as well.
  • But the orapki that comes with the R2PS2 OAM Server will be unable to open the R2PS3 wallet and will ask for a login password, in spite of the fact that the cwallet.sso is an auto-login wallet.
  • Remember to set JAVA_HOME before you use the orapki command.


Enjoy :-)

Monday 16 March 2015

OAAM Basic vs Advanced vs Advanced using TAP Integration with OAM

What we will be covering:

  1. Understanding Basic OAAM Integration
  2. Understanding Advanced OAAM Integration
  3. Understanding Advanced TAP OAAM Integration

In this post we will cover Basic OAAM Integration.

OAAM Basic Integration with OAM:

The basic integration of OAAM offers a limited set of functionality when integrated with OAM. It is provided by extension libraries that are bundled with the OAM server itself.

Knowledge Based Authentication is the only challenge mechanism offered in this basic integration.

What is needed for this integration?

1) OAAM Admin Server
2) OAAM Database
3) OAM Admin + Managed Server

Note: Webgate 10g and 11g agents are supported with this integration.

References:
http://docs.oracle.com/cd/E23943_01/doc.1111/e15740/aam.htm#AIING268


Enjoy :-)

Wednesday 14 January 2015

Configuring Detached Credential Collector Webgate 11g with Oracle Traffic Director Server

Pre-requisites:

  1. OTD is installed and is in a running state.
  2. An origin server such as OHS is configured in the origin server pool settings.
  3. WebGate 11g is configured with OTD and you are able to execute the ECC scenario (this step just verifies that the setup is done properly).

This post is divided into:

  • Configure the OHS Server (here we have used an OHS server as the origin server with OTD)
  • Creating the DCC Webgate Profile in the OAM Server
  • Accessing an OTD protected resource


Here is a quick look at the OTD Admin Console and the configuration done on it:

Let's begin the configuration process:


1) In order to enable the DCC configuration in OTD, we need the resources used by DCC, like login.pl, logout.pl etc., present on the OHS server.

  • Now the question arises: why at OHS and not at OTD? Because in OTD we have to rely on the origin server to provide the resources.
  • Second question: from where will we get the resources? The answer is simple. You can get these resources from the OTD webgate installed directory.

bash$> ls /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso*

  • So simply copy these 2 folders into the OHS server instance directory:
    • Copy the oamsso-bin folder:

bash$> cp -rf /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso-bin /Middleware_Home/Oracle_WT1/instances/<instance-name>/config/OHS/ohs1/oamsso-bin/

    • Copy the oamsso folder under the htdocs directory:

bash$> cp -rf /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso /Middleware_Home/Oracle_WT1/instances/<instance-name>/config/OHS/ohs1/htdocs/oamsso/

  • OK, we have the resources with us. Now we need to configure the OHS httpd.conf file.

This is what we have added:

1)
ScriptAlias /oamsso-bin/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin/"
Alias /oamsso/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/oamsso/"

2)
<Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

  • Done. Now we need to check whether we are able to access the resource. How? Simple: start the OHS server and access the resource.

bash$> cd /Middleware_Home/Oracle_WT1/instances/instance1/bin
bash$> ./opmnctl startall
Server started.....

    • Access the resource by hitting the URL http://<host:port>/oamsso-bin/login.pl

You will be able to see the login.pl resource.
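As an added example (not part of the original post), here is a small POSIX shell script that performs the OHS side of step 1 end to end: it copies oamsso-bin and oamsso from the webgate install into the OHS component directory, appends the httpd.conf fragment shown above only if it is not already present, and then checks that login.pl and both directives are in place. The webgate and OHS paths are arguments you supply (assumptions, substitute your own); make_sample_tree builds a constructed stand-in tree so the functions can be dry-run without a real installation.

```shell
#!/bin/sh
# Added example: stage the DCC resources into an OHS instance and verify.
# Not part of the original post; paths are supplied by the caller.

# Emit the httpd.conf fragment from the post. The ${...} variables are meant
# to stay literal (OHS expands them at startup), hence the quoted heredoc.
dcc_httpd_fragment() {
  cat <<'EOF'
ScriptAlias /oamsso-bin/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin/"
Alias /oamsso/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/oamsso/"

<Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# stage_dcc_resources WEBGATE_DIR OHS_COMPONENT_DIR
#   WEBGATE_DIR       - webgate install dir that contains oamsso-bin/ and oamsso/
#   OHS_COMPONENT_DIR - e.g. .../instances/<instance-name>/config/OHS/ohs1
# Copies both folders (idempotently) and appends the fragment exactly once.
stage_dcc_resources() {
  src=$1; ohs=$2
  mkdir -p "$ohs/oamsso-bin" "$ohs/htdocs/oamsso"
  cp -R "$src/oamsso-bin/." "$ohs/oamsso-bin/"
  cp -R "$src/oamsso/." "$ohs/htdocs/oamsso/"
  touch "$ohs/httpd.conf"
  if ! grep -q 'ScriptAlias /oamsso-bin/' "$ohs/httpd.conf"; then
    dcc_httpd_fragment >> "$ohs/httpd.conf"
  fi
}

# check_dcc_ohs OHS_COMPONENT_DIR -> 0 when login.pl, the oamsso docroot and
# both httpd.conf directives are in place, 1 otherwise.
check_dcc_ohs() {
  ohs=$1
  [ -f "$ohs/oamsso-bin/login.pl" ] &&
  [ -d "$ohs/htdocs/oamsso" ] &&
  grep -q 'ScriptAlias /oamsso-bin/' "$ohs/httpd.conf" 2>/dev/null &&
  grep -q '<Directory .*oamsso-bin">' "$ohs/httpd.conf"
}

# Constructed stand-in for a webgate install and an empty OHS component dir,
# so the functions above can be exercised without a real installation.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/webgate/oamsso-bin" "$root/webgate/oamsso" "$root/ohs"
  : > "$root/webgate/oamsso-bin/login.pl"
  : > "$root/webgate/oamsso-bin/logout.pl"
  : > "$root/webgate/oamsso/style.css"
  : > "$root/ohs/httpd.conf"
  echo "$root"
}

# Usage against a real install (paths are placeholders):
#   stage_dcc_resources /path/to/webgate/iplanet \
#     /Middleware_Home/Oracle_WT1/instances/<instance-name>/config/OHS/ohs1
#   check_dcc_ohs /Middleware_Home/Oracle_WT1/instances/<instance-name>/config/OHS/ohs1 && echo ready
```

Running stage_dcc_resources a second time is harmless: the folder copies overwrite in place and the grep guard keeps the httpd.conf fragment from being appended twice, which is what you want when re-running a setup script after a failed attempt.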

2) We are done with the OHS settings; now proceed to create a DCC webgate profile in the OAM Server. To do this, follow: Configure DCC Webgate Profile

  • Copy the created artifacts to the OTD webgate instance directory:

bash$> cp /Middleware_Home/user_projects/domains/base_domain/output/dcc-9090/* /scratch/ckukreja/oracle/product/11.1.1.7.0/trafficdirector_Home_1/otd_instance/dcc-inst/config/

Note: My OTD webgate instance is present in the OTD installed directory itself. Your directory structure might be different from mine, so no need to worry.


3) Now restart the OTD instance:

bash$> cd /scratch/ckukreja/oracle/product/11.1.1.7.0/trafficdirector_Home_1/instances/bin/net-otd/
bash$> ./stopserv
Server Stopped....

bash$> ./startserv
Server Started....

You can restart/start/stop the OTD instance from the OTD Admin Console as well.

4) Access a protected resource like /index.html:
hostname - clk-host.us.com
OTD instance port - 9090
resource - index.html

http://clk-host.us.com:9090/index.html

Congrats, you have done it!

Enjoy :-)

Tuesday 6 January 2015

Retrieve the Global Passphrase for Simple Mode

Understanding the Global Passphrase:

When you install OAM Server 11g R2PS2 a default global passphrase is set. This global passphrase is used for SIMPLE MODE communication: the webgate uses it while performing the handshake with the OAM Server.

But you need to set this global passphrase explicitly when you change the SERVER mode to Simple Mode. Otherwise you will get exceptions at both the webgate and the server side (Oracle AccessGateAPI not initialized).

Note: To configure Simple Mode, follow Configure Simple Mode Communication


Retrieving the Global Passphrase:

1) Go to your Middleware Home:

bash$> cd /scratch/ckukreja/R2PS3/Middleware/

2) Go to the Oracle_IDM directory:

bash$> cd Oracle_IDM1

  • Change directory to common/bin under the IDM parent folder:

bash$> cd common/bin
bash$> ls
/scratch/ckukreja/R2PS3/Middleware/Oracle_IDM1/common/bin/

3) Now we need to execute the WLST script:

bash$> ./wlst.sh

  • Connect to the WebLogic Server
  • Execute domainRuntime()
  • Now we need to display the global passphrase; for this use the command displaySimpleModeGlobalPassphrase()

Note: Here you are seeing the password as 'Welcome1' because I have updated this password in the Access Manager Settings on the server.

So now you are good to go! You can use this password with your OAM Tester tool, and other purposes will also be fulfilled.



Enjoy :-)


Wednesday 17 December 2014

Configuring Authorization Policy Conditions/Rules in OAM 11G R2PS2

Authorization Policy: Creating Conditions/Rules

Basically, if you are aware of SSO, then you must know that once you are authenticated you are checked for WHETHER YOU ARE AUTHORIZED OR NOT.
And what does that mean?

It means that once you are allowed to log in to the system, it needs to be checked whether you are authorized to access the resource or not.

Generally we have authorization policies for Protected and Public Resources. But we can also specify our own conditions and rules for these authorization policies.

So now the question arises: what's the use of these conditions and rules?

  • Basically we can add our own condition to allow or deny the user access to the resource.
  • We then need to add these conditions to the rules for allowing or denying access.

Remember: you can create your conditions and rules for each of the authorization policies created for the webgate profile. There is no constraint of only a single condition or so.

In this post we will be creating a condition for IP Range; for other conditions I will soon be posting a new post.

Pre-Requisites:

  • Webgate profile is created.
  • A working webgate instance is in place, i.e. the webgate is integrated with your web server, say OHS,
    • and you can properly access a protected resource.

Let's see how to configure the authorization policy:

1) Log in to oamconsole: http://host:port/oamconsole

2) Go to Application Domain -> Select Webgate Profile -> Go to Authorization Policy

  • Note: I will be adding the condition to my Protected Authorization Policy.
  • By default there is just one condition added, 'TRUE', which is also present in the Rules.
    • This is an allow condition, and TRUE in all senses.
  • Now we will be adding a new condition, and this will be for IP Range testing.
  • Apply the changes.
  • Once it is added, we need to add a condition to it. In the above step we have just created a condition entry; now we will be adding the actual condition to it.
  • Here I will be adding an IP Range: I am blocking the IP addresses from 10.0.0.0 to 10.255.255.255. Any IP address coming for authorization that falls within this range will not be able to access the resource.
  • We need to add this condition to the rules table. You can see that we have 2 types of rule:
    • Allow Rule
    • Deny Rule
  • Here we will be adding the condition to the 'Deny Rule' table.
  • Apply the changes and we are good to go.
  • Note
    • We need not restart the server instance, because the changes are done on the OAM Server side and the webgate talks to OAM via the OAP/NAP connection. The OAM Server tells the webgate about access or denial over this NAP connection only; that's why no restart is required.
    • But remember that in case we have made changes to the webgate profile, a server restart is a must.
  • Let's test this by accessing the protected resource URL. My IP address starts with the 10.* series, thus I will be getting a resource denial message.
    • Access the resource: http://host:port/index.html
    • Provide the credentials
    • Eureka! Did you see, we get the denial message for the resource index.html.

We are done with the Authorization IP Range Condition/Rules testing. Soon I will be adding the use cases for other condition tests as well.
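To see exactly which client addresses the condition above catches before testing in the browser, here is an added POSIX shell model of the IP Range check (example code, not OAM's implementation). It converts dotted-quad addresses to integers, tests inclusive membership in the 10.0.0.0-10.255.255.255 range, and evaluates the policy the post builds: the range in the Deny rule with TRUE in the Allow rule. The evaluation order mirrors the result the post observes (a 10.* client is denied); the client addresses used in the demo are constructed.

```shell
#!/bin/sh
# Added example: model the IP Range condition from this post.
# Not OAM code. Deny rule = 10.0.0.0-10.255.255.255, Allow rule = TRUE;
# a matching deny condition yields denial, as observed in the post.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with four octets 0..255
valid_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, leading/trailing/double dots
  esac
  IFS=. read -r a b c d rest <<EOF
$1
EOF
  [ -n "$d" ] && [ -z "$rest" ] || return 1   # exactly four octets
  for o in "$a" "$b" "$c" "$d"; do
    case $o in 0[0-9]*) return 1 ;; esac      # reject leading zeros (octal ambiguity)
    [ "$o" -le 255 ] || return 1
  done
}

# ip_to_int ADDR -> the address as a decimal integer; fails on malformed input
ip_to_int() {
  valid_ipv4 "$1" || return 1
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# ip_in_range ADDR FROM TO -> 0 if FROM <= ADDR <= TO (inclusive, like the OAM condition)
ip_in_range() {
  ip=$(ip_to_int "$1") && lo=$(ip_to_int "$2") && hi=$(ip_to_int "$3") || return 1
  [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# evaluate_policy CLIENT_IP -> prints "deny" or "allow" for the post's policy.
# A malformed address prints "invalid" and fails, so bad input is never "allow".
evaluate_policy() {
  valid_ipv4 "$1" || { echo invalid; return 1; }
  if ip_in_range "$1" 10.0.0.0 10.255.255.255; then
    echo deny
  else
    echo allow
  fi
}

# Demo with constructed client addresses: the post's 10.* client is denied.
evaluate_policy 10.20.30.40    # prints deny
evaluate_policy 192.168.1.5    # prints allow
```

The boundary addresses matter when you define the range in the console: both 10.0.0.0 and 10.255.255.255 are denied here, while 9.255.255.255 and 11.0.0.0 fall through to the Allow rule.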


Enjoy :-)

Tuesday 9 December 2014

Purpose of Max Session Time OAM

Purpose of Max Session Time field:


Max Session Time (hours)

Maximum time to keep server connections alive. The unit is based on the maxSessionTimeUnits user-defined parameter which can be 'minutes' or 'hours'. When maxSessionTimeUnits is not defined, the unit is defaulted to 'hours'.

What does the above definition mean?

Basically this is the session time for the OAP/NAP connections made between the Webgate and the OAM Server.
It is the TTL (time to live) of these OAP/NAP connections.

Does this field define the time in minutes or hours?

By default it is in 'hours'. But when you create a Webgate Agent Profile there is a user-defined parameter 'maxSessionTimeUnits' with the value 'minutes'.
This makes the value configured in 'MAX SESSION TIME' minutes.




  • In this agent profile we have the max session time configured as '2'. Why is this in minutes?
    • Because we have configured the user-defined parameter 'maxSessionTimeUnits', and the value of this parameter is 'minutes'.

But if you remove the parameter 'maxSessionTimeUnits', then MAX SESSION TIME will have 'hours' as its unit.

Note:

  • The user won't be challenged for credentials again because of the 'MAX Session time'. This time is not the user session timeout; it is the OAP/NAP connection timeout.

How will you test these connections?

bash$> netstat -anp | grep 5575 | grep httpd.worker

Note:

  1. Port 5575 is the listening port used by the OAM Server. While creating the webgate agent profile, the server connection port is mentioned.
  2. 'httpd.worker' is the OHS server process.
  3. In this example 2 worker threads have made OAP/NAP connections with the OAM Server.

After 2 minutes these connections are re-established; here is the proof.
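As an added example (not from the post), the following POSIX shell snippet makes the netstat check above repeatable: it counts only ESTABLISHED connections from httpd.worker processes to the OAP port, ignoring the listener, half-closed sockets and other clients, and it converts Max Session Time plus the maxSessionTimeUnits parameter into seconds so you know how long to wait before the connections are re-established. The netstat lines are constructed to resemble 'netstat -anp' output, not captured from a real system.

```shell
#!/bin/sh
# Added example: count webgate OAP/NAP connections from netstat output and
# turn Max Session Time + maxSessionTimeUnits into seconds. Not from the post.

# count_oap_connections OAP_PORT   (netstat -anp output on stdin)
# Counts ESTABLISHED TCP rows whose remote endpoint is the OAM OAP port and
# whose owning process is an OHS httpd.worker. LISTEN/TIME_WAIT rows and
# connections from other processes (e.g. a Java test client) are ignored.
count_oap_connections() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $5 ~ (":" port "$") && $6 == "ESTABLISHED" && $7 ~ /\/httpd\.worker$/ { n++ }
    END { print n + 0 }'
}

# max_session_seconds VALUE [UNITS]
# UNITS is the maxSessionTimeUnits user-defined parameter ('minutes' or 'hours');
# when it is absent the unit defaults to hours, exactly as the post describes.
max_session_seconds() {
  case ${2:-hours} in
    minutes) echo $(( $1 * 60 )) ;;
    hours)   echo $(( $1 * 3600 )) ;;
    *) echo "unsupported maxSessionTimeUnits: $2" >&2; return 1 ;;
  esac
}

# Constructed sample (not real output): two worker connections to OAP port 5575,
# one half-closed socket, the OHS listener on 7777, and an unrelated Java client.
SAMPLE_NETSTAT='tcp        0      0 10.1.1.5:41022          10.1.1.9:5575           ESTABLISHED 21874/httpd.worker
tcp        0      0 10.1.1.5:41023          10.1.1.9:5575           ESTABLISHED 21875/httpd.worker
tcp        0      0 10.1.1.5:55120          10.1.1.9:5575           TIME_WAIT   -
tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN      21870/httpd.worker
tcp        0      0 10.1.1.5:40000          10.1.1.9:5575           ESTABLISHED 3001/java'

# Demo: with the post's profile (Max Session Time 2, maxSessionTimeUnits 'minutes')
# the two worker connections are torn down and re-established after 120 seconds.
printf '%s\n' "$SAMPLE_NETSTAT" | count_oap_connections 5575   # prints 2
max_session_seconds 2 minutes                                   # prints 120
max_session_seconds 2                                           # prints 7200
```

On a live host, feed the function with `netstat -anp | count_oap_connections 5575` (the -p column needs root or the owning user), take a reading, wait the number of seconds max_session_seconds reports, and take another: the count stays the same while the local port numbers in the fourth column change, which is the re-establishment the post describes.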


Hope it clears your doubts!


Reference Doc:
http://docs.oracle.com/cd/E40329_01/admin.1112/e27239/register.htm#AIAAG631


Enjoy :-)

Thursday 4 December 2014

Webgate Caches: Understanding the Webgate Caching

We will be discussing the following:

  1. When does WebGate do the caching? At what time?
  2. Why is it required to cache?
  3. How does it use this cache?
  4. How to tune this cache?
  5. Webgate Caching Demo



1) When does WebGate do the caching? At what time?

Basically, Webgate caches the information:

    • at the time of Authentication, and
    • at the time of Authorization.

2) Why is it required to cache?

Caching is important when we don't want the OAM Server to get overloaded.
And what does this mean, actually?

It means that if the webgate sends every similar request to the server, it is not adding any value. We are just asking the server to do a repetitive task.

But what if we screen these requests at the webgate? The webgate first looks at the request; if it finds it has already served it, the webgate takes the decision itself, as it already has the answer cached. And in case the webgate doesn't have any info about the user request, it makes a trip to the server asking for the same, and caches the answer for future use.


3) So does it mean that the webgate caches the request for a lifetime?

No, absolutely not. It does cache, but the cache certainly has a life too, and its life depends on the configuration that we do while creating the Webgate Profile.


4) What parameters take care of caching in OAM?

    As discussed, there are 2 types of caches:

    • Authentication, and
    • Authorization

Parameters:
  1. Authentication Cache Configurable Parameters:
    1. Maximum Cache Elements
    2. Cache Timeout
  2. Authorization User Defined Parameters:
    1. maxAuthorizationResultCacheElems
    2. authorizationResultCacheTimeout

5) Now the question comes: how do these caches come into the picture? That is, how does the webgate actually use them?

Basically, when a user request comes to the webgate (obviously via the web server where the webgate is integrated), a lookup is made to the cache. First a lookup is made to the authentication cache for the required parameters, and then a lookup is made to the authorization cache.

Now the interesting point here is that in case a cache miss occurs, a NAP/OAP call is made to the server, and the response is cached. So the next time the same request comes to the webgate before the cache timeout, the webgate has the capability to respond from its own lookup.

6) Tuning the webgate cache parameters:

As discussed at point (4), the parameters defined can be configured:
  • Max Cache Elements: if we configure this parameter as -1, then the webgate will not cache the elements.
  • Cache Timeout: it tells after how much time the cache drains out. If Max Cache Elements is configured as -1, then this parameter has no significance.
  • maxAuthorizationResultCacheElems: this user-defined parameter sets the maximum number of authorization cache elements that can be cached.
  • authorizationResultCacheTimeout: this is the same as Cache Timeout but specifically for the authorization cache. It has no impact on the authentication cache. The default value is 15 seconds.
    • If authorizationResultCacheTimeout is set to 0, the authorization cache is disabled.
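To make the lookup, miss and timeout behaviour of points 5 and 6 concrete, here is an added toy model in POSIX shell; it is example code, not the webgate's implementation. The cache is a plain text file of "key value expires_at" lines, the clock is passed in explicitly so expiry can be exercised without waiting, and server_decision is a constructed stand-in for the OAP/NAP round trip to the OAM Server. The TTL and size parameters follow the rules the post gives: a timeout of 0 or a maximum of -1 disables the cache, and the default timeout used in the demo is the post's 15 seconds.

```shell
#!/bin/sh
# Added example: a toy model of the webgate authorization result cache.
# Not webgate code. Cache file format: one "key value expires_at" line per entry.

# cache_put FILE KEY VALUE NOW TTL MAX
# Stores KEY with expiry NOW+TTL. As in the post: TTL 0 disables caching
# (authorizationResultCacheTimeout=0) and MAX -1 disables it too (Max Cache
# Elements=-1). When the table is full the oldest entry is evicted (FIFO).
cache_put() {
  file=$1 key=$2 value=$3 now=$4 ttl=$5 max=$6
  [ "$ttl" -eq 0 ] && return 0
  [ "$max" -eq -1 ] && return 0
  touch "$file"
  awk -v k="$key" '$1 != k' "$file" > "$file.tmp"        # drop a stale copy of this key
  n=$(awk 'END { print NR }' "$file.tmp")
  if [ "$n" -ge "$max" ]; then                            # table full: evict oldest
    tail -n +2 "$file.tmp" > "$file.tmp2" && mv "$file.tmp2" "$file.tmp"
  fi
  echo "$key $value $((now + ttl))" >> "$file.tmp"
  mv "$file.tmp" "$file"
}

# cache_get FILE KEY NOW -> prints the value and returns 0 on a hit; returns 1
# on a miss. Entries whose expiry time has been reached are purged first.
cache_get() {
  file=$1 key=$2 now=$3
  [ -f "$file" ] || return 1
  awk -v now="$now" '$3 > now' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  awk -v k="$key" '$1 == k { print $2; found = 1 } END { exit found ? 0 : 1 }' "$file"
}

# Constructed stand-in for the OAP/NAP authorization call to the OAM Server.
server_decision() {
  case $2 in /admin*) echo deny ;; *) echo allow ;; esac
}

# authorize FILE USER RESOURCE NOW TTL MAX -> "hit:<decision>" or "miss:<decision>"
# A hit is answered from the cache; a miss asks the "server" and caches the answer.
authorize() {
  file=$1 user=$2 res=$3 now=$4 ttl=$5 max=$6
  key="$user|$res"
  if d=$(cache_get "$file" "$key" "$now"); then
    echo "hit:$d"
    return 0
  fi
  d=$(server_decision "$user" "$res")
  cache_put "$file" "$key" "$d" "$now" "$ttl" "$max"
  echo "miss:$d"
}

# Demo with the default authorizationResultCacheTimeout of 15 seconds and a
# table of 3 entries; "now" is a constructed clock in seconds.
demo_cache=$(mktemp)
authorize "$demo_cache" alice /index.html 100 15 3   # miss:allow (first request goes to the server)
authorize "$demo_cache" alice /index.html 110 15 3   # hit:allow  (within 15 s, answered locally)
authorize "$demo_cache" alice /index.html 115 15 3   # miss:allow (expired, fetched again)
rm -f "$demo_cache"
```

Two points the model makes visible: a cached decision, including a deny, is served until the timeout elapses, so a policy change on the OAM Server reaches a given user only after the authorization cache entry expires; and a table sized too small evicts entries before their timeout, turning would-be hits back into server round trips.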

Reference Docs: http://docs.oracle.com/cd/E27559_01/doc.1112/e28552/oam.htm#ASPER490



Enjoy :-)