Robert Honeyman
Honeyman IT Consulting
http://www.honeymanit.co.uk
Oracle Access Manager Basic
Free OAM SSO license for:
Forms and Reports on Weblogic Server
Custom Java Apps previously developed for 10g AS / OC4J
Link to license documentation http://docs.oracle.com/cd/E28280_01/doc.1111/e14860/oam_basic.htm
Restricted features and configurations apply to OAM
OAM Basic: Restricted Features
No Access Manager SDK
No Custom Plug-Ins
LDAP: Oracle Internet Directory only
Application Server: OC4J or WebLogic
Web Server: OHS only
No OAAM integration
No OIF integration
OAM - Forms Certification
Forms 11.1.1.x (11g R1) – Legacy OSSO 10.1.4.3 only
Forms 11.1.2.x (11g R2) – Native OAM + WebGate
Forms 11.1.2.0: OID 11.1.1.5+; OAM 11.1.1.5 only; Legacy OSSO 10.1.4.3
Forms 11.1.2.1+: OID 11.1.1.5+; OAM 11.1.1.5+, 11.1.2.x; Legacy OSSO 10.1.4.3
OAM Basic + Forms: Latest Versions
Oracle Access Manager (11.1.2.2)
Oracle Internet Directory (11.1.1.7)
Forms and Reports (11.1.2.3)
Weblogic 11g R1 (10.3.6)
JDK 1.7u51
Database (11.2.0.4, 12.1)
IDM Directory Components
Oracle Internet Directory (LDAP)
OID Database
Weblogic (+JDK)
Oracle Directory Services Manager (ODSM)
Enterprise Manager – FMW Control
Identity Management (OID) Topology
Create OID Database
Database creation for OID database OIDDB
Character set: AL32UTF8
Server parameters:
SHARED_POOL_SIZE=150M
SGA_MAX_SIZE=150M minimum (set to 1GB)
PARALLEL_MAX_SERVERS=1
PROCESSES=500
OPEN_CURSORS=500
Dedicated Server connections
Prepare OID repository using RCU 11.1.1.7
Select only ‘Identity Management / Oracle Internet Directory’
ODS schema – fixed name, no prefixes / customization
OID Installation
Install JDK + Weblogic 10.3.6 for ODSM
Create Weblogic domain IDMDomain for ODSM
Install Identity Management 11.1.1.x
Run Identity Management configuration tool
Select (Oracle Internet Directory, Management Components)
ORACLE_INSTANCE location must be specified
Specify default realm (dc=mycompany,dc=com)
OID Server Processes
OAM Components
Access Manager (SSO / Authentication / Access Control)
OAM Database (Policy Store / Session Persistence)
Weblogic (+ Coherence + JDK)
Web Tier (OHS + WebGate)
Audit Database (Optional)
OAM Topology
OAM Features and Config
OAM Server
SSO, Authentication, Authorization, Sessions
WebGate talks Oracle Access Protocol to OAM Server
Admin Server
WebLogic / EM admin consoles
OAM console – policy configuration
OAM Database
Access control policies (resources, authentication, authorization)
OAM Session Data (optional persistent back up of in-memory)
Create OAM Database
Database creation for OAM database OAMDB
Character set: AL32UTF8
Server parameters:
SHARED_POOL_SIZE=150M
SGA_MAX_SIZE=150M minimum (set to 1GB)
Dedicated server connections
Prepare OAM repository using RCU 11.1.2.x
Select the ‘Identity Management / Oracle Access Manager’ option
Dependencies auto-selected (MDS, IAU, OPSS)
Multiple prefixed schemas, prefix customizable
OAM Installation
Install JDK + Weblogic 10.3.6
Create separate domain for OAM – IAMDomain
Domain template - OAM, OEM, OPSS, JRF
Configure OAM Security Store before first startup
Prepare OID for use with OAM
Configure OAM to use OID
Create and Validate Security Store
Create the Security Store
${MW_HOME}/oracle_common/common/bin/wlst.sh \
${IAM_HOME}/common/tools/configureSecurityStore.py -d \
${DOMAIN_HOME} -c IAM -p <password> -m create
Validate the Security Store
${MW_HOME}/oracle_common/common/bin/wlst.sh \
${IAM_HOME}/common/tools/configureSecurityStore.py -d \
${DOMAIN_HOME} -m validate
OID as OAM Identity Store
Default ID Store is Weblogic Embedded LDAP
OID required for Forms - OAM integration
Oracle schema and OracleContext trees required
OAM heartbeats to check directory availability
OAM / OID Integration
idmConfigTool.sh – creates Identity Store in OID
-preConfigIDStore
-prepareIDStore mode=WLS (weblogic)
-prepareIDStore mode=OAM (oamadmin)
Register Identity Store (OAM Console): cn=oamLDAP,dc=mycompany,dc=com (not cn=orcladmin)
Change System Identity Stores (OAM Console)
System Store – admin accounts, groups, roles
Default Store – security token service / patching
LDAP Authentication Module (OAM Console)
OAM – Create OID Identity Store
OAM – OID system store 1
OAM – OID system store 2
OAM - LDAP Authentication Module
OAM / OID Integrated
[Topology diagram: OAM / OID Integrated]
IAMDomain: AdminServer (HTTP 7001); oamserver (HTTP(S) 14100, 14101; OAP 5575); OAMDB holds Policy / Session Data (Policy Store)
IDMDomain: AdminServer (HTTP 7001); OID LDAP server (LDAP(S) 3060, 3061); ODSM on wls_ods (HTTP 7005); OIDDB holds Identity Data (Identity Store)
Forms: OAM Compatibility Review
Forms 11.1.2.x (OAM 11.1.2.x or 11.1.1.5)
Native compatibility
OAM WebGate compatible
Forms 10.1.x, 11.1.1.x
No native OAM compatibility
OAM OSSO Legacy agent compatible
WebGate Installation
Install WebGate into Forms / Web Tier MW_HOME
Standalone Web Tier for Forms – use forms.conf
Deploy WebGate module to OHS:
deployWebGateInstance.sh \
  -w ${ORACLE_INSTANCE}/config/OHS/${ohs_instance} \
  -oh ${WEBGATE_ORACLE_HOME}
Configure OHS directives:
EditHttpConf \
  -w ${ORACLE_INSTANCE}/config/OHS/${ohs_instance} \
  -oh ${WEBGATE_ORACLE_HOME} \
  -o webgate.conf
OAM – WebGate Agent Registration
WebGate Agent and Policy Registration
RREG (XML config file) + oamreg.sh
OAM Console
After agent registration copy files to WebGate config
cwallet.sso
ObAccessClient.xml
Password.xml (if using Simple / Cert mode)
OAM RREG example
<?xml version="1.0" encoding="UTF-8"?>
<OAM11GRegRequest>
  <serverAddress>http://myhost.mycompany.com:7001</serverAddress>
  <hostIdentifier>APPDEV</hostIdentifier>
  <agentName>APPDEV</agentName>
  <agentBaseUrl>http://myhost.mycompany.com:7777</agentBaseUrl>
  <preferredHost>http://myhost.mycompany.com:7777</preferredHost>
  <security>open</security>
  <protectedResourcesList>
    <resource>/forms/frmservlet?*oamMode=true*</resource>
  </protectedResourcesList>
  <publicResourcesList>
    <resource>/</resource>
    <resource>/.../</resource>
  </publicResourcesList>
</OAM11GRegRequest>
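Before handing an RREG file to oamreg.sh it is worth checking the settings that decide what the WebGate will actually enforce. The following is an added example, not part of the slides or of Oracle's tooling: it parses a constructed OAM11GRegRequest (a copy of the one above), flags Open security mode and plain-http URLs, confirms the Forms servlet pattern is protected, and lists which registration artifacts must be copied to the WebGate config for the chosen mode.

```python
import xml.etree.ElementTree as ET

# Constructed request, mirroring the RREG example on the slide (not a real agent)
RREG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<OAM11GRegRequest>
  <serverAddress>http://myhost.mycompany.com:7001</serverAddress>
  <hostIdentifier>APPDEV</hostIdentifier>
  <agentName>APPDEV</agentName>
  <agentBaseUrl>http://myhost.mycompany.com:7777</agentBaseUrl>
  <preferredHost>http://myhost.mycompany.com:7777</preferredHost>
  <security>open</security>
  <protectedResourcesList>
    <resource>/forms/frmservlet?*oamMode=true*</resource>
  </protectedResourcesList>
  <publicResourcesList>
    <resource>/</resource>
    <resource>/.../</resource>
  </publicResourcesList>
</OAM11GRegRequest>
"""

FORMS_RESOURCE = "/forms/frmservlet?*oamMode=true*"
# Files produced by registration that must be copied to the WebGate config;
# Password.xml only exists for Simple and Cert mode
ARTIFACTS = {
    "open": ["cwallet.sso", "ObAccessClient.xml"],
    "simple": ["cwallet.sso", "ObAccessClient.xml", "Password.xml"],
    "cert": ["cwallet.sso", "ObAccessClient.xml", "Password.xml"],
}

def audit_rreg(xml_text):
    """Return (findings, artifacts) for one OAM11GRegRequest document."""
    root = ET.fromstring(xml_text)
    findings = []
    security = (root.findtext("security") or "open").strip().lower()
    protected = [r.text.strip() for r in root.findall("protectedResourcesList/resource")]
    # Open mode carries OAP between WebGate and OAM Server without encryption
    if security == "open":
        findings.append("security=open: OAP between WebGate and OAM Server is unencrypted")
    # The Forms servlet must be protected with the oamMode=true query pattern
    if FORMS_RESOURCE not in protected:
        findings.append("Forms servlet is not protected with " + FORMS_RESOURCE)
    # Registration endpoint and the protected application base URL on plain http
    for tag in ("serverAddress", "agentBaseUrl"):
        if (root.findtext(tag) or "").lower().startswith("http://"):
            findings.append(tag + " is plain http, not https")
    return findings, ARTIFACTS.get(security, ARTIFACTS["open"])
```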
OAM – Policy Configuration
Host Identifiers – Virtual Hosting
Application Resources - URLs
Authentication Schemes
Methods for identity and credential verification
Authentication Policies
Link authentication schemes to resources
Authorization Policies
Rules to control access to resources
Forms: OAM Configuration
OAM: configure host identifiers, policies and protect
/forms/frmservlet?*oamMode=true*
OAM LDAP Authentication Scheme: set ssoCookie=disablehttponly (Forms needs the SSO cookie without the HttpOnly flag)
Associate Forms with OID
Configure Forms SSO parameters (formsweb.cfg or FMW Control)
Configure Resource Access Descriptors (RADs) in OID
Web SSO ID mapped to DB credentials
LDAP entry in OID maintains the mapping
Defaults, pre-populated or created on first user login
OAM – Protected Authentication Policy
OAM – Public Authentication Policy
LDAP Authentication Scheme
Forms – Associate with OID
Forms: Key SSO Parameters
ssoMode – tells Forms which type of SSO agent is in use
webgate – Forms 11.1.2.x
mod_osso (true) – Forms 11.1.1.x
false – No SSO
ssoProxyConnect – use shared Proxy account
Login Credentials / RAD used are for the Proxy database account
Web SSO ID used as the Named User database account
Privileges are those of the Named User database account
ssoDynamicResourceCreate – allows dynamic RAD creation
Proxy Users
Application user must match the SSO ID
Proxy username matches the RAD
CREATE USER proxy_user IDENTIFIED BY <password>;
GRANT CREATE SESSION to proxy_user;
CREATE USER app_user IDENTIFIED BY <password>;
GRANT CREATE SESSION to app_user;
ALTER USER app_user
GRANT CONNECT THROUGH proxy_user;
proxy_user[app_user]/proxy_password@Database
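How the three parameters combine decides which database account a Forms session ends up running as and whether a RAD must exist before first login. The following is an added example, not from the slides or from Oracle Forms: it reads a constructed formsweb.cfg fragment (the parameter names are the real ssoMode, ssoProxyConnect and ssoDynamicResourceCreate; the section names and values are made up) and reports how each section resolves against a given Forms version.

```python
import configparser

# Constructed formsweb.cfg fragment (not from the slides): named sections
# inherit any parameter they do not override from [default]
FORMSWEB_CFG = """\
[default]
ssoMode=false
ssoProxyConnect=no
ssoDynamicResourceCreate=true

[hrapp]
ssoMode=webgate
ssoProxyConnect=yes
ssoDynamicResourceCreate=false
"""

# ssoMode value -> (SSO agent, Forms release that supports it), per the slide
SSO_AGENTS = {"webgate": ("WebGate", "11.1.2"), "true": ("mod_osso", "11.1.1")}

def load_formsweb(text):
    # default_section="default" makes [default] the inherited section,
    # matching how Forms resolves formsweb.cfg parameters
    cfg = configparser.ConfigParser(default_section="default", interpolation=None)
    cfg.read_string(text)
    return cfg

def sso_profile(cfg, section, forms_version):
    """Describe how the SSO parameters of one formsweb.cfg section resolve."""
    mode = cfg.get(section, "ssoMode", fallback="false").lower()
    agent, needs = SSO_AGENTS.get(mode, (None, None))
    proxy = cfg.get(section, "ssoProxyConnect", fallback="no").lower() == "yes"
    dynamic = cfg.get(section, "ssoDynamicResourceCreate", fallback="false").lower() == "true"
    return {
        "sso": agent is not None,
        "agent": agent,
        # WebGate needs Forms 11.1.2.x; mod_osso is for 11.1.1.x
        "forms_compatible": needs is None or forms_version.startswith(needs),
        # yes: RAD holds the shared proxy account, Web SSO ID becomes the named user
        # no:  RAD holds the named user's own database credentials
        "db_account": "proxy[named user]" if proxy else "named user",
        # false: every user's RAD must exist in OID before first login
        "rad_created_on_first_login": dynamic,
    }
```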
Forms : RAD first login
Forms: OAM SSO
[Diagram: Forms OAM SSO request flow]
Web Browser -> Web Tier (WebGate + Forms): login requests and Forms requests (HTTP); OAMAuthnCookie redirect; OAM_ID cookie
WebGate -> OAM: OAP; OAM -> OID: SSO identities (LDAP); OAM -> OAM DB: policy data requests (TNS)
Forms -> OID: DB Resource Access Descriptors (LDAP); Forms -> Application Datastore: app data requests (TNS)
EUS : Forms and SSO
Enterprise Users stored in OID / LDAP
Individual user accounts not required on database
Shared schemas mapped to Enterprise Users
Can use only one database account
LDAP subtree (partial dn) mapping
Single map of multiple users to single shared schema
Password authentication included in Enterprise Edition
EUS : Register Database with OID
NetCA
ldap.ora
DBCA
Wallet creation and entry registration
cwallet.sso
Mappings in EM
EUS : Create schema
Private / Exclusive schema
CREATE USER username IDENTIFIED GLOBALLY AS
'<DN of directory user entry>';
Shared schema
CREATE USER username IDENTIFIED GLOBALLY AS '';
EUS : Proxy Permissions
Create proxy permission for DB user
ALTER USER <shared schema> GRANT CONNECT THROUGH
ENTERPRISE USERS;
Select Enterprise Users as grantees