Friday, 27 February 2015

OAM 11g - Webgate NAP Tunneling

 

What is NAP Tunneling?

NAP or OAP is the protocol that is used for communication mechanism between OAM Server & Webgate.
Webgate relies on this channel for communication with the server. This channel is webgate initiated i.e. the request is made by webgate via this NAP channel & server sends the response on this NAP itself.

Now what this tunneling is meant for? It is basically a mechanism via which one can access the resource that is actually deployed at the OAM Server.

So what does that mean by accessing a resource?
Ok, take an example. I want to use an app, which is actually deployed at the OAM Server. But as we know that resources are something which are placed in some resource server.
And to use this app i can't directly hit the resource url because it is not accessible directly.

Thus with webgate r2ps2, a new feature is added i.e. NAP Tunneling. With this we can actually configured the urls that need to be tunneled, like tunneled the request only when the requested url has '/oam' in the url. So by this webgate sends this tunnel request to the server, which in turn sends the resource to the webgate & it is the responsibility of the webgate to parse the response & redirect it back to the user's browser.

How to configure/enable NAP Tunneling Feature in OAM?

1) Define a user-defined parameter in the Webgate Artifact i.e.

     TunneledUrls=<url_path> (relative path not absolute)

Like - I want to tunnel all the request that has '/oam' or '/oamfed' or '/sample'

     TunneledUrls=/oam, /oamfed, /sample

2) The Urls path that we want to tunnel, they must use public resource policy both for authentication & authorization.


3) Make sure that the parameter "DirectAuthenticationServiceDescriptor" in oam-config.xml is set to true.


Note: This oam-config.xml file is placed at <Middleware_Home>/user_projects/domains/<domain_name>/config/fmwconfig/oam-config.xml



The above 3 steps are required for enabling tunneling for ECC. But in case you want to enable tunneling in DCC, than you need to perform few more steps;
 
Following post shows DCC NAP TUNNELING.


Enjoy :-)

Wednesday, 25 February 2015

[OAM]: Start OAM Admin/Managed Server without getting prompt for username & password

The answer to this is boot.properties file, using this we can make the OAM Admin/Managed Server to start without getting prompt for the username & password.

Where to find this file & what does it contains?

When we install OAM in development mode, this file is created for AdminServer & placed under the <Domain_Home>/servers/AdminServer/security/ directory path.

Note: Domain Home in above directory is the place where you have created the user projects in the middleware home.

Under the above mentioned directory the boot.properties file is created & it contains the credentials details i.e.:
username=<encrypted text>
password=<encrypted text>

That's why in development mode you are not prompted for username & password when you start the Admin Server.

How to use this for Managed Server?

One can simply use the boot.properties file present in the AdminServer security directory & copy it to the oam_server security directory.

Note: This is true in case both the servers are in the same domain.

Like - in my case i have oam_server1 entry in
<domain_home>/servers/oam_server1

Inside this directory i couldn't locate the security folder, so i created a folder with the name 'security' & copies the 'boot.properties' file in it.

Now when i started my oam server it didn't asked me for the credentials.

What if i create my own boot.properties file?

One can create a new boot.properties files, that means it will contain plain text username & passowrd not the encrypted one.
When someone starts the oam server, it reads the credentials but it than encrypts the file. Thus the file contents are changed that means no more plain text is their.

I don't see a security folder in my server directory?

So create one a folder with name 'security' & create a file with name 'boot.properties. User credentials need to be entered in the properties file.

References:
http://docs.oracle.com/cd/E14571_01/web.1111/e13708/overview.htm#START128


Enjoy :-)

Monday, 23 February 2015

Understanding Oracle Identity Federation

Basics of OIF:

What exactly is OIF?

- Basically it enables the different entities to share their services using a global identity maintained by one of the organisation.

So what exactly it means?

Take an example to understand the usage of OIF:
- Let say a company ABC wants to use the service of a Health Care Company, so that ABC company employees can access Health Care Portal.
For this the health care company should have the ABC comapny employee database, so that when the ABC company employees wants to use the Health Care Services they can be authenticate & authorize to do so.
But ABC cann't share the database. So in this scenario how can Health Care Portal be able to become part of ABC comapny?

Answer is Federation
.

Thus here ABC Company using the OAM SSO for their employees, decides to enable the Federation feature. And the similiar OAM setup needs to be done at the Health Care side.
So in this case ABC company acts as Identity Provider (IdP) while the Health Care company as Service Provider (SP). 

What are these 2 things? IdP & SP

Oracle Identity Federation supports two integration modes with Oracle Access Manager: authentication mode and SP mode.
  • Authentication Mode (IdP)
In the authentication mode, Oracle Identity Federation delegates authentication of the user to Oracle Access Manager.
The user is redirected to an Oracle Identity Federation resource protected by WebGate, that triggers the Oracle Access Manager authentication flow. Once the user is identified, it will access the resource, and WebGate will provide to Oracle Identity Federation an HTTP header containing the user's identity.
  • SP Mode
In the SP mode, Oracle Access Manager delegates user authentication to Oracle Identity Federation, which uses the Federation Oracle Single Sign-On protocol with a remote Identity Provider. Once the Federation Oracle Single Sign-On flow is performed, Oracle Identity Federation will create a local session and then propagates the authentication state to Oracle Access Manager, which maintains the session information.
 

Use Case:
1) User access the ABC company portal, & hits the health care portal link. User is redirected to health care portal, where he is asked to enter his credentials.
 User submits his credentials which are actually saved in the ABC company database. Thus health care site sends the credentials submitted by user to the ABC comapny using SAMLv2.0 token form.
 ABC company replies in the SAMLv2.0 as well & health care portal reads the token returned by  
 ABC & based on the reply like user is valid & authorized or not. Health care portal takes the 
 decision. And makes the user to access the health care services based on that.
  
So in this way they get federated seamlessly.


References:


Enjoy :-)

Sunday, 22 February 2015

Enabling DCC for OAM 11g & OIF

Enabling DCC for OAM & OIF:


This post is divided into following sections:

1) Understanding OIF
2) Installing OAM 11g, OHS, Webgate 11g
3) Integrating OIF & OAM 11g
4) DCC for OAM & OIF



Enjoy :-)

Wednesday, 14 January 2015

Configuring Detached Credential Collector Webgate 11g with Oracle Traffic Director Server

Pre-requisites:

  1. OTD is installed & is in running state.
  2. Origin Server like OHS is configured in origin server pool settings.
  3. WebGate 11g is configured with OTD - you are able to execute ECC Scenario (this step is just to verify that setup is done properly).

This chapter is divided into :

  • Configure OHS Server (here we have used OHS server as origin server with OTD)
  • Creating DCC Webgate Profile in OAM Server
  • Accessing OTD Protected resource.


Quickly i will show you the OTD Admin Console & Config done on it:







Let's begin the configuration process:


1) In order to enable DCC configuration in OTD, we need the resources used by DCC like login.pl, logout.pl etc present at OHS Server.

  • Now the question arises why at OHS not at OTD? Because in OTD we have to rely on origin server to provide the resources.
  • Now second question - from where we will get the resources. It is simple to answer. You can get these resources from OTD webgate installed directory.
bash$> ls /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso*




  • So simply copy these 2 folder in OHS server instance directory:
    • Copy the oamsso-bin folder:

bash$> cp -rf /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso-bin /Middleware_Home/Oracle_WT1/instances/<instance-name>/config/OHS/ohs1/oamsso-bin/
    • Copy the oamsso folder under htdocs directory:
bash$> cp -rf /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso /Middleware_Home/Oracle_WT1/instances/<instance-name>/config/OHS/ohs1/htdocs/oamsso/ 
  • Ok, we have the resources with us. Now it is required to config the OHS httpd.conf file.

This is what we have added:
1) 
 ScriptAlias /oamsso-bin/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin/"
    Alias /oamsso/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/oamsso/"

2) 
<Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

  • Done.. We need to check whether we are able to access the resource. So how we will do this. Simple man - start the ohs server & access the resource.
bash$> cd /Middleware_Home/Oracle_WT1/instances/instance1/bin
bash$> ./opmnctl startall
Server started.....
    • Access the resource hit the url- http://<host:port>/oamsso-bin/login.pl

You will be able to see the login.pl resource.

2) We are done with OHS settings, now proceed to create a DCC webgate profile at OAM Server. to do this follow: Configure DCC Webgate Profile

  • Copy the created artifacts to the OTD Webgate instance directory.
bash$>cp /Middlware_Home/user_projects/domains/base_domain/output/dcc-9090/* /scratch/ckukreja/oracle/product/11.1.1.7.0/trafficdirector_Home_1/otd_instance/dcc-inst/config/

Note: My otd webgate instance is present in the otd installed directory itself. May be your directory structure might be different than mine. So no need to worry.


3) Now restart the OTD Instance:

bash$> cd /scratch/ckukreja/oracle/product/11.1.1.7.0/trafficdirector_Home_1/instances/bin/net-otd/
bash$> ./stopserv
Server Stopped....

bash$> ./startserv
Server Started....

You can restart/start/stop the otd instance from OTD Admin Console as well......

4) Access a protected resource like /index.html:
hostname - clk-host.us.com
OTD insatnce port - 9090
resource - index.html

http://clk-host.us.com:9090/index.html



Congrats you have done it.....!!!!!!

Enjoy :-)

Tuesday, 6 January 2015

Retrieve the Global Passphrase for Simple Mode

Understanding the Global Passphrase Funda:


When you install the OAM Server 11g R2PS2 a default global passphrase is set. This global passphrase is actually used for SIMPLE MODE Communication. Webgate use this global passphrase while performing handshake with OAM Server.

But you need to set this global passphrase explicitly while you are changing the SERVER Mode to Simple Mode. Otherwise you will get exceptions at webgate & server side both (Oracle AccessGateAPI not initialized)

Note: To configure Simple Mode follow Configure Simple Mode Communication


Retrieving Global Passphrase Password:


1) Goto to your Middleware Home:

bash$> cd /scratch/ckukreja/R2PS3/Middleware/

2) Goto Oracle_IDM directory:

bash$> cd Oracle_IDM1

  • Change directory to common/bin under IDM parent folder
bash$> cd common/bin
bash$> ls
/scratch/ckukreja/R2PS3/Middleware/Oracle_IDM1/common/bin/

3) Now we need to execute wlst script

bash$> ./wlst.sh



  • Connect with the Weblogic Server 


  •  Execute domainRunTime() 


  •  Now we need to display the global passphrase, for this use the command - displaySimpleModeGlobalPassphrase()


Note: Here you are seeing password as 'Welcome1' because i have updated this password in Access Manager Settings in Server.


So now you are good to go...!!!!! You can use this password with your OAM Tester Tool and other purposes will also be fulfilled.



Enjoy :-)


Wednesday, 17 December 2014

Configuring Authorization Policy Conditions/Rules in OAM 11G R2PS2

Authorization Policy : Creating Condition/Rules

Basically if you are aware of the SSO thing, than you must know that once you are authenticated than you are checked for - WHETHER YOU ARE AUTHORIZED OR NOT.
And what does that means?

It means that if you are allowed to log in to the system than it needs to be checked that whether you are authorized to access the resource or not.

Generally we have Authorization Policy for Protected & Public Resources. But we can also specify our conditions & rules for these authorization policies.

So now the question arises what's the use of these condition & rules?

  • Basically we can add our condition to allow or deny the user to access the resource.
  • And thus we need to add these condition to the rules for allow or denial access.
Remember - You can create your condition & rules for each of the authorization policies created for the webgate profile. Their is no constraint of only single condition or so.

In this post we will be creating a condition for IP Range, for other condition soon i will be posting a new post.

Pre-Requisites:





  • Webgate Profile is created.
  • Working Webgate Instance is in place i.e. webgate is integrated with your server say OHS
    • And You can properly access a protected resource.

Let's see how to configure Authorization policy:

1) Log in to oamconsole: http://host:port/oamconsole

2) Go to Application Domain -> Select Webgate Profile -> Go to Authorization policy




  • Note: I will be adding condition with my Protected Authorization Policy
  • By default there is just one condition added 'TRUE' which is also available in the Rules.
    • This is allowable condition, & TRUE in all sense.


  •  Now we will be adding a new condition, and this will be for IP Range testing.


  • Apply the changes
  • Now once it is added, than we need to add a condition in it. In the above step we have just created a condition entry, now we will be adding a condition to it.

  • Here i will be adding a IP Range - i am blocking the IP Addresses starting from 10.0.0.0 to 10.255.255.255. Any IP Address coming for authorization having IP Range b/w this mentioned series. It will be not be able to access the resource.


 


  • We need to add this condition in the rules table. You can see that we have 2 types of rule:
    • Allow Rule
    • Deny Rule


  • Here we will be adding the condition in the 'deny rule' table.

  • Apply the changes & we are good to go.
  • Note
    • We need not to restart the server instance, because the changes are done at the OAM Server side and as webgate talks to OAM via OAP/NAP connection. Thus OAM Server will tell the webgate about access or denial via this NAP only. That's why no restart required.
    • But remember that in case we have done changes in the webgate profile, than server restart is a must.
  • Lets test this by accessing the Protected Resource URL. And my ip address starts with 10.* series. Thus i will be getting a resource denial message.
    • Access the resource. http://host:port/index.html
    • Provide the credentials


    •  Eureka....!!!! Did you see, we get the denial message for the resource index.html.

We are done with the Authorization IP Range Condition/Rules Testing....... Soon i will be adding the use cases for other condition tests as well....


Enjoy :-)