Friday, 5 December 2014

[OID]: Disabling the User Account in OID

Let's disable the User Account in OID:

Note: This assumes you have already created a user account in OID. If you have not, follow 'Creating User Account in OID' first.

Follow the steps:

1) Before we lock/disable the user account, let's first access the protected resource.
  • Access the url: http://<host:port>/resource



Note: I have logged in with the username 'clk', which I will be disabling on the OID server.

2) Now let's log in to the OID Server:
  • Log in to OID: http://<host:port>/odsm


  •  Choose the OID Connection:


  •  Provide the password & connect.



  •  Now open the 'Data Browser' tab & expand the 'dc=com' tree.


  •  Select the user you want to disable; I will be disabling the 'clk' user.

  • Now we need to add the attribute that disables the account. Open the 'Attributes' tab in the right pane.
  • Add the optional attribute 'orclIsEnabled'.



       Note: Once you have added 'orclIsEnabled' to the list, click 'Add Attributes'.


  •  The default value of the 'orclIsEnabled' attribute is 'ENABLED'; we need to set it to 'DISABLED'.


Note: 

    • Once you set the attribute value, click 'Apply' at the top right.
    • The value must be exactly 'DISABLED'. Setting it to 'FALSE' does not work; the account is still accessible.


3) Now test the change:

  • Access the protected resource URL: http://<host:port>/resource
  • Provide the credentials; here I am using 'clk', the user I have just disabled.
  • When I try to log in, the login page reports 'User account is locked or disabled'.



     Whooohoooh.... we have done it...

4) If you need to enable the user account again, just set the attribute value back to:
    
    orclIsEnabled=ENABLED


Enjoy :-)

Thursday, 4 December 2014

Webgate Caches: Understanding the Webgate Caching

We will be discussing the following:


  1. When does WebGate cache, and at what point in the request?
  2. Why is caching required?
  3. How does WebGate use the cache?
  4. How are the caches tuned?
  5. WebGate caching demo



1) When does WebGate cache, and at what point?

      WebGate caches information at two points: 

    • at authentication, and
    • at authorization.

2) Why is caching required?

Caching matters when we don't want the OAM server to get overloaded.
What does that mean in practice?

It means that if the WebGate forwarded every repeated request to the server, it would add no value; we would just be asking the server to redo the same work.

Instead, the WebGate screens requests first. If it finds that it has already served the same request and still holds the answer in its cache, it takes the decision itself. Only when it has no cached information for the request does it make a trip to the server, and it caches that answer for future use.


3) So does that mean the WebGate caches a result for a lifetime?

No, absolutely not. It does cache, but each entry has a lifetime, and that lifetime depends on the configuration made while creating the Webgate profile.


4) Which parameters control caching in OAM?

    As discussed, there are 2 caches:

    • Authentication &
    • Authorization
Parameters:
  1. Authentication cache (configurable parameters in the Webgate profile):
    1. Maximum Cache Elements
    2. Cache Timeout
  2. Authorization cache (user-defined parameters):
    1. maxAuthorizationResultCacheElems
    2. authorizationResultCacheTimeout  

5) Now the question is how these caches come into the picture, i.e. how does the WebGate actually use them?

When a user request reaches the WebGate (via the web server the WebGate is plugged into), the WebGate first looks up the required parameters in the authentication cache, and then looks up the authorization cache.

The interesting point is what happens on a cache miss: the WebGate makes a NAP/OAP call to the OAM server and caches the response. If the same request arrives again before the cache timeout, the WebGate can answer it from its own lookup without another round trip.

6) Tuning the webgate cache parameters:

As listed at point (4), these parameters can be configured:
  • Maximum Cache Elements: if set to -1, the WebGate does not cache authentication results at all.
  • Cache Timeout: how long an entry stays in the authentication cache before it drains out. If Maximum Cache Elements is -1, this parameter has no effect.
  • maxAuthorizationResultCacheElems: this user-defined parameter sets the maximum number of authorization results that can be cached. 
  • authorizationResultCacheTimeout: the same as Cache Timeout, but specifically for the authorization cache; it has no effect on the authentication cache. The default is 15 seconds.
    • If authorizationResultCacheTimeout is set to 0, the authorization cache is disabled.
    • Trade-off: a longer timeout saves server round trips, but a policy change made on the OAM server can take up to that long to be honoured by a WebGate that still holds the old authorization result.
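To make the hit/miss behaviour concrete, here is a small added example (not code from the original post, and not Oracle's): a file-backed model of the two Webgate caches driven by a simulated clock. The parameter names follow the Webgate profile fields above; the limits (an authentication cache of only 2 elements), the users and the resource are assumptions chosen so that expiry and eviction show up within a few requests. It goes one step beyond the text by applying the "cache off" rule (-1 elements or 0 timeout) to both caches.

```shell
#!/bin/sh
# Added example: a model of the two Webgate caches, not Oracle's code.
# Each cache is a directory; each entry is a file holding its expiry time on a
# simulated clock. A MISS stands for a NAP/OAP round trip to the OAM server.

CACHE_DIR=$(mktemp -d)
trap 'rm -rf "$CACHE_DIR"' EXIT
NOW=0            # simulated clock, in seconds
SERVER_CALLS=0   # NAP/OAP round trips made so far

# Webgate profile parameters (assumed values; MAX_CACHE_ELEMS is tiny so eviction shows up)
MAX_CACHE_ELEMS=2          # Maximum Cache Elements (authentication); -1 disables the cache
CACHE_TIMEOUT=1800         # Cache Timeout (authentication), seconds
MAX_AUTHZ_ELEMS=100000     # maxAuthorizationResultCacheElems
AUTHZ_TIMEOUT=15           # authorizationResultCacheTimeout, seconds; 0 disables the cache

# count_entries <dir>: number of entries currently held in a cache directory
count_entries() {
  _n=0
  for _f in "$1"/*; do [ -e "$_f" ] && _n=$((_n + 1)); done
  echo "$_n"
}

# cache_lookup <cache-name> <key> <max-elements> <timeout-seconds>
# Sets RESULT to HIT or MISS. On a MISS the "server" is asked and the answer
# is stored with an expiry of NOW + timeout.
cache_lookup() {
  _dir="$CACHE_DIR/$1"; _max=$3; _timeout=$4
  _entry="$_dir/$(printf '%s' "$2" | tr '/' '_')"   # keys may contain URL paths
  mkdir -p "$_dir"

  # Cache switched off: -1 elements (as the post says for Maximum Cache Elements)
  # or a 0 timeout (as it says for authorizationResultCacheTimeout); here the
  # rule is applied to both caches and every request goes to the server.
  if [ "$_max" -eq -1 ] || [ "$_timeout" -eq 0 ]; then
    SERVER_CALLS=$((SERVER_CALLS + 1)); RESULT=MISS; return 0
  fi

  if [ -f "$_entry" ] && [ "$NOW" -lt "$(cat "$_entry")" ]; then
    RESULT=HIT; return 0
  fi
  rm -f "$_entry"                      # entry absent or expired
  SERVER_CALLS=$((SERVER_CALLS + 1))   # the round trip to the OAM server

  # At capacity: evict the entry that expires soonest, i.e. the oldest one
  if [ "$(count_entries "$_dir")" -ge "$_max" ]; then
    _victim=$(for _f in "$_dir"/*; do printf '%s %s\n' "$(cat "$_f")" "$_f"; done \
              | sort -n | head -n 1 | cut -d' ' -f2-)
    rm -f "$_victim"
  fi
  echo $((NOW + _timeout)) > "$_entry"
  RESULT=MISS
}

# handle_request <user> <resource>: authentication cache first, then the
# authorization cache, in the order described above.
handle_request() {
  cache_lookup authn "$1" "$MAX_CACHE_ELEMS" "$CACHE_TIMEOUT";    _authn=$RESULT
  cache_lookup authz "$1@$2" "$MAX_AUTHZ_ELEMS" "$AUTHZ_TIMEOUT"; _authz=$RESULT
  echo "t=${NOW}s user=$1 resource=$2 authn=$_authn authz=$_authz server_calls=$SERVER_CALLS"
}

demo() {
  handle_request clk /resource     # cold caches: two server calls
  handle_request clk /resource     # both answers cached: no new calls
  NOW=$((NOW + 20))                # past the 15 s authz timeout, well inside the authn one
  handle_request clk /resource     # authn HIT, authz MISS (re-fetched and re-cached)
  handle_request alice /resource   # new user: two calls; authn cache now holds 2 of 2
  handle_request bob /resource     # two calls, and clk is evicted from the authn cache
  handle_request clk /resource     # authn MISS because of the eviction; authz still HIT
}

demo
```

Run it as-is to see the six request lines; the server_calls counter is what the cache saves you. Setting AUTHZ_TIMEOUT=0 or MAX_CACHE_ELEMS=-1 at the top shows every request costing a round trip.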

Reference Docs: http://docs.oracle.com/cd/E27559_01/doc.1112/e28552/oam.htm#ASPER490



Enjoy :-)



Monday, 1 December 2014

[OAM]: Configuring Pre-Authentication Advanced Rules

Pre-Requisites:
• The OAM Managed & Admin Servers are up & running.
• You have already created the 'Webgate Profile' & the artifacts are placed in the webgate instance directory. 

1) Log in to the OAM Console: http://<host:port>/oamconsole



2) Go to 'Application Domains' & select the application domain created for your webgate. In our case I am using 'dcc-7778'.



3) Select the 'Authentication Policies' tab:



• Open the 'Protected Resources' policy:

4) Now select the 'Advanced Rules' tab: 


• Let's create a pre-authentication rule: click the '+' sign
• Fill in the fields:
  • Rule Name - provide the rule name.
  • Condition - the condition to evaluate, written as a Jython expression.
  • Switch Authentication Scheme - if the condition is true, authentication is switched to this scheme.
  • Deny Access - if this flag is set, access is denied outright and 'Switch Authentication Scheme' does not need to be configured.
  • Click 'Add' to add the rule.
  • Apply the changes.

5) The rule created above states: if the user's IP address starts with '10.', switch from the authentication scheme configured on the policy to 'Basic Scheme'.

6) Now we are ready to test the change. Request the resource: it should still ask for credentials, but according to 'Basic Scheme' (an HTTP Basic prompt rather than the login page).

http://<host:port>/index.html


Note: The client IP address here starts with '10.' 
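A browser prompt is a weak oracle for which scheme fired, so here is an added example (not part of the original post) that classifies the scheme from the raw HTTP response instead: Basic Scheme answers an anonymous request with 401 and a 'WWW-Authenticate: Basic' header, while a form-based scheme redirects (302) to the credential collector. The URL passed to probe, and the header samples embedded for offline use, are constructed, not captured from a real OAM deployment.

```shell
#!/bin/sh
# Added example, not part of the original post: classify the scheme a Webgate
# applied from the HTTP response it sends to an anonymous request.
# Basic Scheme  -> 401 with a WWW-Authenticate: Basic header
# form schemes  -> 302 redirect to the credential collector
# 200           -> the resource is not protected (or a session cookie was sent)

# classify_response: reads raw response headers on stdin,
# prints one of: basic | form-redirect | allowed | other
classify_response() {
  _hdrs=$(tr -d '\r')                                            # tolerate CRLF line ends
  _status=$(printf '%s\n' "$_hdrs" | head -n 1 | cut -d' ' -f2)  # "HTTP/1.1 401 ..." -> 401
  _auth=$(printf '%s\n' "$_hdrs" | grep -i '^www-authenticate:' | head -n 1 | tr '[:upper:]' '[:lower:]')
  _loc=$(printf '%s\n' "$_hdrs" | grep -i '^location:' | head -n 1)
  case "$_status" in
    401) case "$_auth" in *basic*) echo basic ;; *) echo other ;; esac ;;
    302|303|307) if [ -n "$_loc" ]; then echo form-redirect; else echo other; fi ;;
    200) echo allowed ;;
    *) echo other ;;
  esac
}

# probe <url>: GET the resource without cookies and classify the answer.
# Run it once from a client the web server sees as 10.x (the rule fires, expect
# 'basic') and once from an address outside 10.0.0.0/8 (expect the default scheme).
probe() {
  curl -s -o /dev/null -D - "$1" | classify_response
}

# Constructed header samples (not captured from a real server) for offline use
BASIC_SAMPLE='HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="OAM"
Content-Type: text/html'

FORM_SAMPLE='HTTP/1.1 302 Found
Location: https://login.example.com/credential-collector?request=sample
Content-Length: 0'

if [ $# -gt 0 ]; then
  probe "$1"
else
  printf '%s\n' "$BASIC_SAMPLE" | classify_response   # basic
  printf '%s\n' "$FORM_SAMPLE"  | classify_response   # form-redirect
fi
```

Usage: `sh probe.sh http://<host:port>/index.html` from each client. Because the rule keys on the client address as the web server sees it, a probe run on the OHS host itself will normally match '10.' only if that host's own address does.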

Reference: https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-1E9A2B43-140C-4A85-8DEA-521CE3F57B12.htm#AIAAG88930

Hurray.... we are done... congrats... :-)

Enjoy :-)

Sunday, 30 November 2014

Installing & Configuring Apache 2.2 (64-bit) on a Solaris x86-64 Box

This post is divided into 3 sections: Installation, Configuration & Verification. 



So let's start the process.........


Installing Apache22 (64-bit):

1. To install apache22 we need the source code and then build it. This generates the binaries.
2. Download the source code from http://httpd.apache.org/download.cgi#apache22 to your Solaris x86-64 box.
3. Now we need to 'export' some settings, i.e. prerequisites, before we start the build process:
     export LD_LIBRARY_PATH=/usr/sfw/lib/amd64:/usr/local/lib/amd64
     export PATH=/usr/sfw/bin:/usr/ccs/bin:/usr/local/ccs/bin:/usr/local/bin:$PATH
     # if you want 64-bit binaries:
     export CFLAGS="-m64"
     # if you want 32-bit binaries instead:
     # export CFLAGS="-m32"
     export LDFLAGS="-L/usr/sfw/lib/amd64"
4. Extract the downloaded apache22 source tarball.
5. Change directory into the extracted folder.
6. Now we need to configure the build for this environment; for this we execute the 'configure' script present in that directory.

   For eg: /scratch/ckukreja/apache22 is the directory where you have extracted the source code:

     bash$> ls -ltr configure

7. Execute the 'configure' script (the --prefix is where the binaries will be installed):
     ./configure --with-included-apr --enable-so --prefix=/scratch/ckukreja/apache64

8. Now we need to build & install the binaries. Do the following:
     make
     make install

9. Now go to the directory where you installed apache22 (the --prefix above), move to the bin folder and run the 'file' command on the httpd executable:
     bash$> cd /scratch/ckukreja/apache64/bin 
     bash$> file httpd
   The output of 'file httpd' shows what kind of binary it is. It should report a 64-bit ELF executable; if it says 32-bit, the build did not pick up the 64-bit flags. Check the steps again.

Configure Apache22 on the Solaris x86-64 Box:

As you have installed apache22 on your Solaris machine, it now needs to be configured before we start the server.
1. Go to the apache22 installation directory and move to the conf folder:
     bash$> cd /scratch/ckukreja/apache64/conf  
2. Open the httpd.conf file for editing: 

     bash$> vi httpd.conf
  • Change the 'Listen' port from '80' to the one you want; here we use '8080'. A non-root user can only bind ports above 1023, so keep it in that range.
  • By default 'User' & 'Group' are configured as 'daemon'. Change them to the account you are logged in with. (These two directives only take effect when httpd is started as root; started as an ordinary user, httpd keeps that user's identity.)
  • Save the changes & close the file.

3. Now come out of the conf folder & change directory to the bin folder:
     
     bash$> cd /scratch/ckukreja/apache64/bin

4. Execute the apachectl script. It will start the httpd server process:
  • ./apachectl -k start

Verify the installation & configuration steps:

Try to access the default resource present on the apache22 server, like index.html.
Syntax: http://<hostname>:<port>/index.html
Eg: http://hostname:8080/index.html

It will display "It works!"
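The whole procedure above collected into one script, as an added example rather than the post's own commands: it assumes the same paths and port as the post (source in /scratch/ckukreja/apache22, --prefix /scratch/ckukreja/apache64, port 8080) and adds the two checks worth doing before 'apachectl -k start': that the built httpd really is a 64-bit ELF binary, and that the edited httpd.conf still parses ('apachectl -t'). The Listen/User/Group edit is done with sed so the script can be re-run, keeping a copy of the file as it was before the run.

```shell
#!/bin/sh
# Added example (not the original post's commands): build, configure and verify
# Apache 2.2 64-bit on Solaris x86-64 in one go. Paths, port and the run-as
# account are assumptions matching the post; override them via the environment.

SRC_DIR=${SRC_DIR:-/scratch/ckukreja/apache22}     # extracted source tree
PREFIX=${PREFIX:-/scratch/ckukreja/apache64}       # --prefix given to configure
LISTEN_PORT=${LISTEN_PORT:-8080}                    # unprivileged port, so no root needed
RUN_USER=${RUN_USER:-$(id -un)}
RUN_GROUP=${RUN_GROUP:-$(id -gn)}

# build_env: the exports from step 3, for a 64-bit build on Solaris x86-64
build_env() {
  export LD_LIBRARY_PATH=/usr/sfw/lib/amd64:/usr/local/lib/amd64
  export PATH=/usr/sfw/bin:/usr/ccs/bin:/usr/local/ccs/bin:/usr/local/bin:$PATH
  export CFLAGS="-m64"                 # "-m32" for a 32-bit build
  export LDFLAGS="-L/usr/sfw/lib/amd64"
}

# build_and_install: configure, make, make install (steps 6-8)
build_and_install() {
  build_env
  cd "$SRC_DIR" || return 1
  ./configure --with-included-apr --enable-so --prefix="$PREFIX" && make && make install
}

# is_64bit <file(1) output>: true when the description names a 64-bit ELF binary
is_64bit() {
  case "$1" in
    *"ELF 64-bit"*) return 0 ;;
    *) return 1 ;;
  esac
}

# rewrite_httpd_conf <conf-path> <port> <user> <group>: configuration step 2 done
# with sed on the uncommented Listen/User/Group lines (commented examples such as
# "#Listen 12.34.56.78:80" are left alone). The pre-edit file is kept as <conf>.orig.
rewrite_httpd_conf() {
  cp "$1" "$1.orig" || return 1
  sed -e "s/^\([[:blank:]]*\)Listen .*/\1Listen $2/" \
      -e "s/^\([[:blank:]]*\)User .*/\1User $3/" \
      -e "s/^\([[:blank:]]*\)Group .*/\1Group $4/" "$1.orig" > "$1"
}

# configure_and_start: edit the conf, syntax-check it, then start (configuration steps 1-4)
configure_and_start() {
  rewrite_httpd_conf "$PREFIX/conf/httpd.conf" "$LISTEN_PORT" "$RUN_USER" "$RUN_GROUP" || return 1
  "$PREFIX/bin/apachectl" -t || return 1        # refuse to start on a broken config
  "$PREFIX/bin/apachectl" -k start
}

main() {
  build_and_install || { echo "build failed" >&2; return 1; }
  _desc=$(file "$PREFIX/bin/httpd")
  if ! is_64bit "$_desc"; then
    echo "httpd is not a 64-bit binary: $_desc" >&2; return 1
  fi
  configure_and_start || return 1
  echo "verify with: http://$(hostname):$LISTEN_PORT/index.html (expect 'It works!')"
}

# Nothing is built or started unless the script is invoked with the word "run"
if [ "${1:-}" = run ]; then main; fi
```

Invoke it as `sh build-apache22.sh run` on the Solaris box; without the argument it only defines the functions, so the pieces (for example rewrite_httpd_conf against a copy of httpd.conf) can be tried safely first.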



So guys, you are done with the installation & configuration of Apache22 64-bit on your Solaris x86-64 machine! :-)


Enjoy :-)

Saturday, 29 November 2014

Creating User in Oracle Internet Directory (OID)


Follow the steps below to create a new user in OID:


1) Log in to the WebLogic console & check whether the ODSM (Oracle Directory Services Manager) managed server is up & running:

    http://<host:port>/console


    Note: In my setup ODSM runs on the managed server 'wls_ods1', listening on port 7005.

2) Now log in to the ODSM console: http://<host>:7005/odsm


     Note: This setup is freshly created, so we need to create a connection first.


3) Create a User Connection:




• Provide the details such as hostname, port, bind DN and password.



4) The new connection is created:




5) Choose the 'Data Browser' option:



•  Expand the tree dc=com


•  Double-click the user cn=orcladmin



6) Now we need to create a user. Here I have selected the option 'Create a new entry like this one', which copies the object classes of orcladmin into the new entry.




7) Complete the new user creation wizard:


• Choose 'Next' on the first page.


•  Provide the 'cn' entry name & choose 'cn' as the relative distinguished name.


•  On the 'Optional Properties' page I have provided the new user's password, although this is not a mandatory field.


•  Choose 'Finish' to complete the process.


•  The new user is created.... Hurrahhhhh !!!!!!



Enjoy :-)
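Both this post and the 'Disabling the User Account in OID' post above do their work by clicking through ODSM. As an added example (not code from either post or from Oracle), here is the same pair of operations from the command line: create the user with ldapadd, then lock or unlock it by setting orclIsEnabled with ldapmodify, refusing any value other than ENABLED/DISABLED because, as the disable post notes, 'FALSE' leaves the account usable. Host, port, bind DN, the user container and the object classes are assumptions taken from a typical OID layout; adjust them to your directory.

```shell
#!/bin/sh
# Added example; not code from the original posts or from Oracle. Does from the
# command line what the two ODSM walkthroughs do by clicking: create a user
# with ldapadd, then lock/unlock it by setting orclIsEnabled with ldapmodify.
# Host, port, bind DN, user container and object classes are assumptions taken
# from a typical OID layout. The bind password comes from $OID_BIND_PW.

OID_HOST=${OID_HOST:-oid.example.com}
OID_PORT=${OID_PORT:-3060}                       # assumed non-SSL OID port
BIND_DN=${BIND_DN:-cn=orcladmin}
USER_BASE=${USER_BASE:-cn=Users,dc=example,dc=com}

# user_dn <cn>: the posts create entries with cn as the RDN under the container
user_dn() { printf 'cn=%s,%s' "$1" "$USER_BASE"; }

# add_user_ldif <cn> <password>: LDIF for a new user modelled on the orcladmin
# entry. The object classes are an assumption copied from a default OID user.
# userPassword travels in the clear unless you use the SSL port.
add_user_ldif() {
  printf 'dn: %s\n' "$(user_dn "$1")"
  printf 'objectclass: top\nobjectclass: person\nobjectclass: inetOrgPerson\n'
  printf 'objectclass: orclUser\nobjectclass: orclUserV2\n'
  printf 'cn: %s\nsn: %s\nuid: %s\nuserPassword: %s\n' "$1" "$1" "$1" "$2"
}

# normalize_state <value>: only ENABLED or DISABLED are meaningful. Anything
# else (FALSE, false, 0, ...) is the trap the disable post warns about: it does
# not lock the account, so refuse it here rather than discover it later.
normalize_state() {
  case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
    ENABLED)  echo ENABLED ;;
    DISABLED) echo DISABLED ;;
    *) echo "orclIsEnabled must be ENABLED or DISABLED, got '$1'" >&2; return 1 ;;
  esac
}

# set_state_ldif <cn> <state>: 'replace' adds the attribute when it is missing
# and overwrites it when present, so one LDIF covers the first disable, the
# re-enable, and the case where the value was wrongly set to FALSE.
set_state_ldif() {
  _state=$(normalize_state "$2") || return 1
  printf 'dn: %s\nchangetype: modify\nreplace: orclIsEnabled\norclIsEnabled: %s\n' \
    "$(user_dn "$1")" "$_state"
}

# run_ldap <ldapadd|ldapmodify>: feed the LDIF on stdin to the tool via a file.
# -w puts the bind password on the command line, visible in process listings;
# on a shared host prefer a prompting option or a wallet if your client has one.
run_ldap() {
  _f=$(mktemp) || return 1
  cat > "$_f"
  "$1" -h "$OID_HOST" -p "$OID_PORT" -D "$BIND_DN" -w "$OID_BIND_PW" -f "$_f"
  _rc=$?; rm -f "$_f"; return $_rc
}

# show_state <cn>: read orclIsEnabled back so the change is confirmed, not assumed
show_state() {
  ldapsearch -h "$OID_HOST" -p "$OID_PORT" -D "$BIND_DN" -w "$OID_BIND_PW" \
    -b "$(user_dn "$1")" -s base '(objectclass=*)' orclIsEnabled
}

main() {
  case "$1" in
    create)         add_user_ldif "$2" "$3" | run_ldap ldapadd && show_state "$2" ;;
    disable|enable) set_state_ldif "$2" "$1" | run_ldap ldapmodify && show_state "$2" ;;
    *) echo "usage: $0 create <cn> <password> | disable <cn> | enable <cn>" >&2; return 2 ;;
  esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: `OID_BIND_PW=... sh oid-user.sh create clk 'S3cret!'`, then `... disable clk` and, to reverse it, `... enable clk`. The ldapsearch after each change is the check that matters: a freshly created user has no orclIsEnabled attribute at all (treated as enabled), and after a disable the attribute must read exactly DISABLED.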

Friday, 28 November 2014

Basics of OID, OVD & OIF


What is OID?
• Oracle Internet Directory is an LDAP directory that uses an Oracle Database for storage. 
• Clients communicate with the directory server by means of the Lightweight Directory Access Protocol (LDAP).

How is data stored in OID?
• In a hierarchical structure, the DIT (Directory Information Tree).

What can you store in OID?
• User entries, passwords, connection information, etc.

What is Oracle Directory Integration Platform (DIP)?

• It enables you to synchronize data back and forth between OID and other repositories, e.g. from OID to a Finance database.

What is the benefit of using OVD (Oracle Virtual Directory)?

• OVD acts as an interface with adapters that connect to multiple data sources. It provides a single LDAP service through which you reach different databases and directories.
• The advantage for an organization is a single interface which, in the background, talks to multiple directories or databases.


What is OIF (Oracle Identity Federation)?

• Oracle Identity Federation enables companies to share identity information with their partner organizations, i.e. once end users have logged in to their own company account they do not need to log in again at the partner site. 
• With this feature enterprises can federate seamlessly with partner organizations without compromising their security checks.


Hope it clears up some of your doubts......

Enjoy :-)


Tuesday, 25 November 2014

[Weblogic]: How to Deploy a Web App on the OAM WebLogic Console

This post is divided into 3 sections:

1) Create a web-app.
2) Deploy it on the managed server.
3) Access the web-app.


Let's Start:

1) Create a web-app: For this I have an already created web-app, which contains a headers.jsp page.

• headers.jsp - this page displays all the HTTP headers that OAM/WebLogic set on the request. It is a debugging aid: it echoes the identity headers injected for the logged-in user, so don't leave it deployed where it is not needed.

2) Deploy the web-app:


• Log in to the WebLogic console: http://<host:port>/console

• Once you are logged in, select 'Deployments' under Domain Structure.






Note: Before you move to the next step, copy the web-app folder to the domain directory, i.e.

Copy to this path: <MiddlewareHome>/user_projects/domains/<your_domain_name>/


• Click the 'Install' button: this leads you into the deployment process.



• Now select your app folder



• Select the folder; here it shows 'source', as that folder contains the app:


          Press Next....

Note
  • Here the 'source' folder holds the web app pages, so when we access these resources from the browser the request is:
         http://<host:port>/source/Login.jsp
  • If your folder name is something else, you access it under that name:
         Syntax: http://host:port/<webapp folder name>/<resource name>
• On the next page nothing needs to change for now; keep the default options and press Next.



• Available Targets: select 'oam_server1' (you can also deploy it on the Admin Server) and press Next.


• General Assistance: this shows the selected options; here you just need to press Next.

Note: One thing to make a note of is the deployment name, because you will need it if you update the app in future.

• Finish: click 'Finish' & it will deploy the app.




Note: Click the 'Activate Changes' button at the top left; this applies the changes & no restart is required.

3) Accessing the web-app

• We need to front-end the deployed app, which means making changes in the mod_wl_ohs.conf file.


        Note: Here I have front-ended the app with OHS. 

  • '/source' is the app folder (context root) that we chose while deploying.
  • WebLogicHost - the host on which the managed server (oam_server1) is listening. In this setup that is the same host where OHS is installed.
  • WebLogicPort - the port on which the managed server is listening.
  • Save the changes.
  • Restart the OHS server.
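As an added example (not the author's actual file), this is what the mod_wl_ohs.conf stanza described above looks like. The host name is an assumption, and 14100 is the default listen port of oam_server1; replace both with your managed server's values.

```apache
# Added example stanza for mod_wl_ohs.conf; host and port are assumptions.
# Everything under /source (the folder chosen at deployment) is proxied to
# the WebLogic managed server hosting the app.
<IfModule weblogic_module>
    <Location /source>
        SetHandler weblogic-handler
        WebLogicHost oam.example.com
        WebLogicPort 14100
    </Location>
</IfModule>
```

Keep the Location as narrow as the app's context root: a broader match (for example `/`) would send every OHS request, including the static htdocs pages tested below, through to the managed server.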


• Open the browser & fire the URL: http://<host:port>/source/headers.jsp
• It will redirect you to the credential collector page. Provide the credentials.
• And you will get the 'headers.jsp' resource.

• Now you can even try to access other resources present on your OHS server, i.e. files you have placed in the htdocs folder, like:
         http://<host:port>/index.html

• You will not be asked for the credentials again, as you are already logged in & your OAMAuthnCookie & OAM_ID cookies are present in your browser.



Enjoy :-)