Thursday 26 November 2015

OAM - allowedaccessgatelist user defined parameter

Ever wondered what this "allowedaccessgatelist" parameter does or why it is there? Let's understand it.

  

First of all, what does the Oracle doc tell you about this parameter?

allowedAccessGateList= Authentication Scheme challenge parameter configured with SPACE separated list of WebGate IDs defining those WebGates that are allowed to enforce authentication by this scheme. 
For example:
allowedAccessGateList=WebgateID1 WebgateID2


Where to configure it & how?

This parameter is applicable to an authentication scheme; it is configured as a user-defined parameter of the scheme.
  • for 11g -> allowedAccessGateList=WebgateID1 WebgateID2
  • for 10g -> allowedAccessGateList:WebgateID1 WebgateID2
The only difference is that '=' is used in 11g while ':' is used in 10g.

What does it do if configured?

It ensures that no webgate profile other than the ones listed in this parameter can use the authn scheme.
For example:
allowedAccessGateList=WebgateID1 WebgateID2

If, while accessing the resource, the webgate ID of the profile does not match one of the IDs configured in the parameter, what will happen?

The user will not be able to access the resource even if the credentials provided are correct.
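The behaviour just described, as an added example that is not OAM's own code: a small model that reads allowedAccessGateList in both the 11g ('=') and 10g (':') forms and refuses a request from a webgate profile that is not listed, before credentials are even considered. The case-insensitive key match and the tuple-shaped result are assumptions of this example.

```python
# Added example, not OAM's own code: a model of how an authentication
# scheme's allowedAccessGateList gates which webgate profiles may use it.
# Assumption: the parameter name is matched case-insensitively and its value
# is the SPACE separated list of webgate IDs described in the Oracle doc.

KEY = "allowedaccessgatelist"


def parse_allowed_gates(user_defined_params):
    """Return the list of webgate IDs named in allowedAccessGateList, or None
    when the parameter is absent (no restriction).  Accepts the 11g form
    'allowedAccessGateList=ID1 ID2' and the 10g form 'allowedAccessGateList:ID1 ID2'."""
    for raw in user_defined_params.splitlines():
        line = raw.strip()
        if not line.lower().startswith(KEY):
            continue
        rest = line[len(KEY):].lstrip()
        if rest[:1] not in ("=", ":"):      # some other key sharing the prefix
            continue
        return rest[1:].split()             # '=' for 11g, ':' for 10g
    return None


def evaluate_access(scheme_params, webgate_id, credentials_valid):
    """Decide whether a request that reached the scheme through webgate_id
    gets the resource.  The gate list is checked before the credentials, so a
    profile mismatch is refused even when the user's credentials are correct."""
    allowed = parse_allowed_gates(scheme_params)
    if allowed is not None and webgate_id not in allowed:
        return (False, "webgate profile not in allowedAccessGateList")
    if not credentials_valid:
        return (False, "invalid credentials")
    return (True, "resource granted")


if __name__ == "__main__":
    # constructed scheme parameters, one line per user-defined parameter
    scheme_11g = "allowedAccessGateList=WebgateID1 WebgateID2\n"
    scheme_10g = "allowedAccessGateList:WebgateID1 WebgateID2\n"
    for scheme in (scheme_11g, scheme_10g):
        print(evaluate_access(scheme, "WebgateID1", True))   # granted
        print(evaluate_access(scheme, "WebgateID3", True))   # refused despite valid creds
```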

Demo:  

ECC & DCC : Call flow with allowedAccessGateList parameter defined in authn scheme;



Configuration Steps:

  • Open /oamconsole.

  • I have created an authentication scheme that I will use for ECC.

  • In the user-defined parameters of that scheme, define the allowedAccessGateList parameter with its value.

  • I have already created a DCC authentication scheme that I will use for RWG-protected resources.

  • Go to your ECC and RWG profiles in the Application Domain.

  • Assign the respective authentication scheme in the Protected Resource Policy.


In the shown configuration, I have configured the correct webgate ID in the allowedAccessGateList parameter.
In case there is a mismatch, the following errors are shown by the ECC and RWG webgates when the protected resource is accessed:

ECC:


 

RWG:




Hope it clears the funda.... !!!!

Enjoy :-)

Wednesday 4 November 2015

OAM Webgate DCC NAP TUNNELING

Enabling DCC NAP TUNNELING:

NOTE: DCC as a resource webgate doesn't support NAP tunneling, which means that if you want to access a resource protected by the DCC webgate itself, NAP tunneling is not supported.
You have to have a separate resource webgate which is DCC-protected, and NAP tunneling is enabled in the DCC webgate.

  • Supported Case:



  • Non-Supported Case:


Prerequisites:

  • 2 profiles have already been created, i.e.
    • One for the resource webgate.
    • The other one for the DCC webgate.
  • If possible, test whether you are able to access a resource protected by DCC, so that we are sure things are working in DCC mode and we just need to test NAP tunneling via DCC.
Note: I will be demonstrating login page NAP tunneling via the DCC webgate.

Let's Start:


1) Make sure the parameter "DirectAuthenticationServiceDescriptor" is set to true in oam-config.xml file.



2) Create an authentication scheme, that will be used to protect the resources on Resource Webgate.


3) Now update the authentication scheme in the protected resource policy of the resource webgate profile.


Note: This policy scheme needs to be updated for RESOURCE WEBGATE PROFILE not for DCC WEBGATE PROFILE


4) Once done, we now need to update the DCC WEBGATE PROFILE:
  • Update the user-defined parameters; add the tunneled URL information, i.e. which URL you want to tunnel.


Note: here I have tunneled the '/oam' URL, thus any request landing on the DCC webgate having /oam in the URL will be tunneled to the OAM server.

  • Now we need to create a new resource in the DCC webgate profile: go to the launch pad -> Application Domain -> <DCC WEBGATE PROFILE> -> Resources -> Create new resource.
    • This new resource name should be the one that you added in the tunneled URL above.
    • And this resource should use the PUBLIC RESOURCE POLICY.
    • Keep one thing in mind: if you have tunneled 2 URLs, like /oam,/oamfed, then 2 resources should be created.


Note:
  • In the above step you can see we have added a resource '/oam/**' as a public resource, which means any URL which has /oam will be treated as a public resource by the DCC WEBGATE PROFILE.
  • Also, you can see I have added 3 more resources, i.e. for the DCC webgate itself. They have nothing to do with NAP tunneling; you can skip them as well.

Demo:
1) Say you access a resource /index.html that is protected by DCC, and NAP tunneling is enabled in DCC.
2) The DCC webgate needs to show the OAM server login page rather than its own; that's what we intend to see in this demo.

resource webgate: abc.com
dcc webgate: xyx.com








So we are able to tunnel the login page, and thus DCC shows the OAM server login page instead of the one present on DCC itself.
But it doesn't mean that credential collection will be done by the OAM SERVER.... no no no....
It is just that DCC has shown the login page of the OAM server that it received via the NAP tunnel. All other functionality remains the same.



Enjoy :-)

Thursday 29 October 2015

OAM - Deny if not protected Flag impact on webgate 10g and 11g

Ever wondered what the 'Deny if not protected' flag signifies?

This flag is present in the webgate profile; by default, when you create a 10g or 11g profile, it is 'ON' or 'Checked'.

Whom does it impact?

Basically the significance of this flag is only for 10g webgate profiles. It has no impact on 11g webgates.

What impact does this flag have?

If this flag is set 'ON', then for any resource which you are accessing that has no policy defined in OAM, you will get a 404 error. And the reason for this is 'Resource Access Denied'.

So in the case of 10g you will face this problem if this flag is set 'ON'.

Why does this flag have no impact on 11g webgates?

The reason for this is: in the case of an 11g webgate, by default access is denied for any resource whose policy is not defined in OAM.
If you want access for such resources, then you have the option to make them an unprotected/excluded resource type.


Enjoy :-)

Wednesday 28 October 2015

OAM Webgate - Unable to get https redirect back to load balancer

Problem Description:

A load balancer running on 'https', i.e. SSL enabled, and behind it there is a web server (OTD/OHS/Apache... any) on which the webgate is integrated.

The web server may or may not be SSL enabled. But this web server expects that the load balancer will tell it about its SSL state, i.e. http or https, and this info is actually not provided.


Let's Understand the Use Case:

Say the load balancer is listening on https://abc.com, and the web server behind it is listening on http://xyz.abc.com:7777.

Now when the request lands on the load balancer, it passes this request to the proxied web server, where the webgate redirects it to the OAM server by making a http://<host:port>/obrareq.cgi?<querystring> request.
The OAM server authenticates/authorizes the user's request and thus redirects back to the web server by making a http://<host:port>/obrar.cgi?<querystring> request.

Here lies the issue: this obrar.cgi redirect should be on https://, but it is on http://.

Ever wondered why? The reason is that the load balancer has not sent any info about its SSL state, i.e. whether it is running in http or https mode.
That's why the webgate has not passed this info to the OAM server, and thus the OAM server makes the obrar.cgi redirect on http instead of https.
 

Solution:

The IS_SSL header is the solution; this header needs to be set in the load balancer config file.
Now, if the load balancer is:
  • Apache/OHS, then one needs to set this header in the virtual host config:
    • RequestHeader set IS_SSL ssl
  • OTD, then one needs to set this in the server obj.conf file:
    • AuthTrans fn="set-variable" set-headers="is_ssl=ssl"
After this, restart the load balancer, test the use case, and the issue is resolved.

Read More:
http://fusionsecurity.blogspot.in/2011/04/ssl-offloading-and-weblogic-server.html


Enjoy :-)


Wednesday 21 October 2015

OAM R2PS3 - why there is need for 2 cwallet.sso files in webgate profile

Did you ever wonder why there are 2 cwallet.sso files generated for your webgate profile in OAM R2PS3?

Let's take a look at the directory structure of the webgate profile when you create it:

  • Here you see a cwallet.sso file and a wallet folder. This wallet folder was never there in previous releases, but from R2PS3 onwards you will see this folder as well.

Let's see what this folder contains:
  • On expanding this wallet folder you see one more cwallet.sso file present in it.


bash-3.2$ ls -ltr
total 12
drwxr----- 2 ckukreja dba 4096 Oct 20 10:42 wallet
-rw-r----- 1 ckukreja dba 2796 Oct 20 10:42 ObAccessClient.xml
-rw-rw-rw- 1 ckukreja dba    0 Oct 20 10:42 cwallet.sso.lck
-rw------- 1 ckukreja dba  433 Oct 20 10:42 cwallet.sso   ----> this R2PS2 compatible wallet
bash-3.2$ cd wallet/
bash-3.2$ ls -ltr
total 4
-rw-rw-rw- 1 ckukreja dba   0 Oct 20 10:42 cwallet.sso.lck
-rw------- 1 ckukreja dba 401 Oct 20 10:42 cwallet.sso  -------> this R2PS3 compatible wallet

So the answer for these 2 cwallet.sso files is as follows:
  • The cwallet.sso file present in the wallet folder is the R2PS3-compatible wallet, which means that if you try to use this cwallet.sso file with an R2PS2 webgate, it won't work. You will get a FATAL error, "unable to read agent key", and thus the webgate is not initialized successfully.
    • This cwallet.sso is used by the R2PS3 webgate, but there is a catch here. Consider you don't copy the wallet folder to the webgate instance directory; in that case the R2PS3 webgate is intelligent enough to understand the R2PS2 cwallet.sso.
    • So this means that the R2PS3 webgate can work with the R2PS2 cwallet.sso as well as the R2PS3 cwallet.sso.
  • While the other cwallet.sso present outside is the R2PS2-compatible wallet file, i.e. when you try to use an R2PS3 OAM server with an R2PS2 web server having an R2PS2 webgate, this cwallet.sso will be used by the webgate to read the agent key.
    • This means that if this cwallet.sso is not present, the R2PS2 webgate will be unable to initialize, as it won't be able to read the agent key that is present in cwallet.sso.
    • Hence, to make an R2PS2 webgate work with an R2PS3 OAM server, it is mandatory to use the cwallet.sso file present outside the wallet folder.
  
There is one more change in the cwallet.sso files for R2PS2 and R2PS3 created by the R2PS3 OAM server, i.e.
  • If you open the cwallet.sso of R2PS2 or R2PS3, it only contains the shared secret key; there are no default certs present.
  • While the cwallet.sso created by the R2PS2 OAM server used to contain the default certs and the shared key.

Remember: set JAVA_HOME before you use the orapki command.

Note
  • To open the R2PS3 cwallet.sso present in the wallet folder you need the latest orapki executable, which comes with the R2PS3 OAM server; this same orapki can open the R2PS2 cwallet.sso as well.
  • But the orapki that comes with the R2PS2 OAM server will be unable to open the R2PS3 wallet and will ask for a login password, in spite of the fact that the cwallet.sso is an auto-login wallet.


Enjoy :-)

Tuesday 20 October 2015

OAM - Webgate NAP Tunneling in OTD (R2PS2, R2PS3 & 12C)

By now we are all aware of how to tunnel a request to OAM through the webgate; we have also covered this in Webgate NAP Tunneling.

But there is a catch, or you can say you need to do one more step, to enable NAP tunneling when using the OTD (Oracle Traffic Director) server.

I am assuming you have followed all the steps mentioned in the Webgate NAP Tunneling post. At the very end you need to perform one more step, i.e. only for OTD:

  1. To enable NAP Tunneling in OTD, one needs to uncomment a line in the <instance_name>-obj.conf file, which is as follows:

    #Uncomment the below line  and  configure "from" paramater for enable tunneling.  The value of from parameter would be the tunneled URLS
    #NameTrans fn="pfx2dir" from="/oam" dir="/webgate/otd/lib" name="webgate_response"

    The above line needs to be uncommented to enable NAP tunneling.
    After doing the above change, one needs to restart the OTD instance.

    Note
    1. This configuration change, to enable NAP tunneling, has been there since R2PS2 (with a BP patch) and R2PS3, and is carried forward to the latest release, i.e. 12c, as well.
    2. In the change suggested above you will find the tunneled URLs that you need to provide here; by default it is /oam. But you might want to tunnel /oamfed as well, or any other. So all the tunneled URLs are to be provided here as well.
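A consistency check for the two tunneling steps described in this post and in the DCC NAP TUNNELING post above (one public resource per tunneled URL in the DCC profile, and one uncommented NameTrans line per tunneled URL in the OTD obj.conf), as an added example that is not OAM's or Oracle's code. It assumes the DCC webgate's user-defined parameter is written as TunneledUrls=/oam,/oamfed (the DCC post does not name the key), that DCC resources use OAM's '/prefix/**' pattern, and that obj.conf lines follow the NameTrans line quoted above.

```python
# Added example, not OAM's own code: a consistency check for the NAP
# tunneling configuration described in the DCC and OTD posts.
# Assumptions: the DCC webgate's user-defined parameter is written as
# 'TunneledUrls=/oam,/oamfed' (the post does not name the key); DCC profile
# resources use OAM's '/prefix/**' pattern form; the obj.conf lines follow
# the NameTrans line quoted in the OTD post.
import re

NAMETRANS = re.compile(
    r'^\s*NameTrans\s+fn="pfx2dir"\s+from="([^"]+)".*name="webgate_response"')


def parse_tunneled_urls(user_defined_params):
    """Comma separated URL prefixes from the TunneledUrls user-defined parameter."""
    for raw in user_defined_params.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() == "TunneledUrls":
            return [u.strip() for u in value.split(",") if u.strip()]
    return []


def public_prefixes(resources):
    """Prefixes of DCC profile resources on the public policy: '/oam/**' -> '/oam'."""
    prefixes = set()
    for pattern, policy in resources:
        if policy == "PUBLIC":
            prefixes.add(pattern[:-3] if pattern.endswith("/**") else pattern)
    return prefixes


def otd_tunneled_prefixes(obj_conf):
    """'from' values of the active (uncommented) pfx2dir webgate_response lines."""
    found = set()
    for line in obj_conf.splitlines():
        m = NAMETRANS.match(line)
        if m:
            found.add(m.group(1))
    return found


def check_tunneling(dcc_params, dcc_resources, obj_conf=None):
    """Report tunneled URLs lacking a public resource in the DCC profile and,
    when an OTD obj.conf is given, lacking an uncommented NameTrans line."""
    wanted = parse_tunneled_urls(dcc_params)
    pub = public_prefixes(dcc_resources)
    report = {"no_public_resource": [u for u in wanted if u not in pub]}
    if obj_conf is not None:
        active = otd_tunneled_prefixes(obj_conf)
        report["not_in_obj_conf"] = [u for u in wanted if u not in active]
    return report
```

Feed it the DCC profile's user-defined parameters, its resource list as (pattern, policy) pairs, and the text of <instance_name>-obj.conf; an empty report means every tunneled URL is covered on both sides.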


Enjoy :-)

User Defined Parameters in OAM 11G

The complete list of user-defined parameters is described in the following Oracle docs:

R2PS2:

http://docs.oracle.com/cd/E40329_01/admin.1112/e27239/register.htm#AIAAG5856

R2PS1:

http://docs.oracle.com/cd/E28271_01/doc.1111/e15478/shared.htm