Authors
Vishal Parashar, David Goldsmith
Copyright 2010, Oracle and/or its affiliates. All rights reserved.

Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle. The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Editors
Smita Kommini, Priti Goswami
Graphic Designer
Satish Bettegowda
Publishers
Sujatha Nagendra, Giri Venugopal
Contents

1 Course Overview
Course Objectives 1-2
Course Agenda: Day 1 1-4
Course Agenda: Day 2 1-5
Course Agenda: Day 3 1-6
Course Agenda: Day 4 1-7
Course Agenda: Day 5 1-8
Practice Environment: Overview 1-9

2 Introduction to Oracle Access Manager
Objectives 2-2
Oracle Identity Management: Oracle + Sun Combination 2-3
Oracle Access Management Suite Plus 2-6
Salient Features of OAM 2-8
OAM 11g Architecture 2-10
Enterprise Deployment Architecture 2-11
SSO Login Processing with OAM Agents 2-15
Installation and Configuration 2-18
Installation and Configuration: Configuration Wizard Screenshot: Templates 2-20
OAM 11g R1 Run-Time Architecture 2-21
Management Interfaces 2-23
Backward Compatibility of Agents in a Heterogeneous Environment 2-25
Coexistence of OAM 10g and 11g Servers 2-26
Coexistence of OSSO 10g and OAM 11g Servers 2-27
Session Management 2-28
Oracle Coherence in Session Management 2-30
Usability and Life Cycle Management Enhancements 2-32
Usability and Life Cycle Management Enhancements: Operational Metrics 2-33
Windows Native Authentication 2-34
Upgrade for OracleAS Single Sign-On 10.1.4.3.0 2-35
Rich ADF-Based UI 2-36
Connection Simulator: Access Tester 11g 2-37
Access Tester 11g 2-38
Key Enhancements in OAM 11g 2-39
Oracle Access Manager 11g Comparison with Oracle Access Manager 10g 2-42
Oracle Access Manager 11g Policy Object Comparison 2-46
Product Component Mapping 2-47
Summary 2-48
Quiz 2-49
Practice 2 Overview: Viewing New Features Viewlet 2-53

3 Installation and Configuration
Objectives 3-2
Road Map 3-3
Domain: Overview 3-4
Domain Diagram 3-6
Domain Restrictions 3-8
Server 3-10
Administration Server 3-11
Managed Server 3-13
Interaction Between the Administration Server and Managed Servers 3-14
What Is a Machine? 3-15
Relationship of Machines to Other Components 3-16
Cluster 3-17
Cluster Guidelines 3-19
WebLogic Scripting Tool (WLST) 3-20
WLST Modes 3-21
WLST Example 3-22
Oracle WebLogic Server ILT Courses 3-23
Road Map 3-24
Oracle Fusion Middleware Home and Oracle WebLogic Server Home 3-25
Oracle Home 3-26
Installing and Configuring Oracle Identity Management: Sequence of Steps 3-27
Wizards: Installation Versus Configuration 3-28
System Requirements for Oracle Identity Management 11g R1 (11.1.1.3.0) 3-29
Road Map 3-30
Oracle WebLogic Server 11g R1 PS 2 (10.3.3) Installation 3-31
System Requirements for Oracle WebLogic Server 3-33
GUI Mode Installation 3-35
Choosing or Creating a Home Directory 3-36
Registering for Support 3-37
Choosing an Installation Type and Products 3-38
Choosing the JDK and Product Directory 3-39
Windows-Specific Screens 3-40
Installation and Summary 3-41
QuickStart 3-42
Console and Silent Mode Installations 3-43
Post-Installation: Middleware Home 3-44
Oracle WebLogic Server Directory Structure 3-45
Setting Environment Variables 3-47
Practice 3 Overview: Installing Oracle WebLogic Server 10.3.3 3-48
Road Map 3-49
Installing Oracle Database 3-50
Creating Schemas by Using RCU 3-51
Practice 3 Overview: Running the Repository Creation Utility 3-55
Road Map 3-56
Installing Oracle Identity Management: Welcome and Prerequisite Checks 3-57
Installing Oracle Identity Management: Install Location and Summary 3-58
Installing Oracle Identity Management: Progress Bar and Install Complete 3-59
Practice 3 Overview: Installing Oracle Identity Management 11g 3-61
Road Map 3-62
Configuration Wizard: Creating Domain and Domain Source 3-63
Configuration Wizard: Domain and Administrator Settings 3-65
Configuration Wizard: Server Start Mode, JDK, and Customization Options 3-66
Configuring JDBC Data Source: OAM with Database Policy Store 3-68
Configuration Wizard: Administration and Managed Servers 3-69
Configuration Wizard: Clusters and Machines 3-72
Configuration Wizard: Assigning Servers to Machines and Target Deployments 3-75
Configuration Wizard: Target Services and RDBMS Security Store 3-77
Configuration Wizard: Configuration Summary and Creating Domain 3-79
Configuring OHS For Oracle WebLogic Server 3-80
Practice 3 Overview: Creating a New Domain and Configuring OAM Server 3-83
Configuration Wizard: Extending Domain and Domain Source 3-84
Output of Configuration Wizard: Directory Structure 3-92
Road Map 3-94
Starting Oracle Access Manager 3-95
Practice 3 Overview: Starting Administration and Managed Server 3-97
Validating a Successful Installation and Configuration 3-98
Oracle WebLogic Server Administration Console 3-99
Oracle WebLogic Server Administration Console: Server Status 3-100
OAM_Server1: Applications Deployed 3-101
AdminServer: Applications Deployed 3-102
Oracle Access Manager Administration Console 3-103
Oracle Enterprise Manager Fusion Middleware Control 3-105
Relationship Between Farm and Domain 3-107
Practice 3 Overview: Sanity Checks and Walkthrough of Management Interfaces 3-108
Road Map 3-109
Uninstalling Oracle WebLogic Server 3-110
Uninstalling Oracle Identity Management Home 3-111
Uninstalling Oracle Common Home and Deleting Domain Home 3-112
Summary 3-113
Quiz 3-114

4 System Configuration: Servers, Data Sources, and Agents
Objectives 4-2
Practice 4 Overview: Installing and Configuring OHS 11g 4-3
Road Map 4-4
Servers 4-5
Creating and Deleting a New Managed Server 4-7
Managing Servers 4-8
Individual Server Properties 4-9
OAM Proxy 4-11
Managing Servers from WLS Admin Console and Command Line 4-12
Road Map 4-13
Agents 4-14
WebGate Provisioning and Installation 4-17
Installing and Configuring WebGate 11g 4-18
Practice 4 Overview: Installing, Creating, and Configuring an OAM 11g WebGate 4-21
Road Map 4-22
Registering Agents 4-23
Creating or Registering OAM Agents by Using OAM Admin Console 4-26
Viewing and Editing OAM Agent Registration by Using OAM Admin Console 4-28
Creating or Registering OSSO Agents by Using OAM Admin Console 4-32
Viewing and Editing OSSO Agent Registration by Using OAM Admin Console 4-33
Configuring OAM 10g WebGate in an Existing OAM 10g Deployment to Use OAM 11g Server 4-35
In-Band Versus Out-of-Band Registration of Agents 4-37
Registration Tool 4-39
Output Files 4-42
Registration Tool 4-43
Request File 4-45
Sample Request File: Short Version 4-47
Key Request Parameters 4-51
Request File: Parameter Guidelines 4-52
Out-of-Band Registration Using oamreg Tool 4-58
Remote Registration: Common Issues 4-62
10g WebGate Installation: General Comments 4-63
Practice 4 Overview: Registering Agents: OAM Admin Console, In-Band, Out-Of-Band Modes 4-64
Road Map 4-65
WLS Agent (or OAM Agent) Topology 4-66
General Features of OAM Agent 4-68
WLS Agent Configuration 4-70
Resources Protected via WLS Agent 4-73
Road Map 4-74
Data Sources 4-75
Data Repositories 4-77
User Identity Store: WLS Embedded LDAP Server 4-78
User Identity Store: Managing LDAP Servers 4-80
Testing LDAP Connection 4-84
Practice 4 Overview: WLS Embedded LDAP, OID as LDAP Store, WLS Agent 4-85
Road Map 4-86
Keystore 4-87
Securing Communication Between WebGate and OAM Server 4-88
Generating Private Key, Certificate Request, and Downloading Certificates from CA 4-90
Configuring OAM Server to Use Certificates 4-91
Configuring WebGate to Use Certificates 4-96
Summary 4-98
Quiz 4-99
Practice 4 Overview: SSL Enabling WebGate and OAM 11g Server 4-104

5 Policy Configuration: Shared Components and Application Domains
Objectives 5-2
Road Map 5-3
Shared Components: Resource Types 5-4
Shared Components: Host Identifier 5-5
Road Map 5-8
Access Control 5-9
Authentication 5-11
Authorization 5-12
Road Map 5-13
Authentication Module 5-14
Authentication Module Features 5-17
Step-Up Authentication Feature 5-19
Shared Components: Authentication Schemes 5-20
Multi-Level Authentication 5-25
Road Map 5-27
Policy Object Comparison: OSSO 10g 5-28
Policy Model: Key Differences Between OAM 11g and OSSO 10g 5-29
Policy Model: Key Differences Between OAM 11g and OAM 10g 5-30
Other Policy Features in OAM 11g 5-32
Road Map 5-33
Application Domain: AuthN Policies 5-34
Application Domain: AuthZ Policies 5-36
Resource 5-38
Key URL Patterns 5-40
Authentication Policies 5-42
Authorization Policies 5-44
What Are Responses? 5-46
Responses 5-47
How Are Responses Used? 5-49
Authentication and Authorization Responses 5-50
Response Expressions 5-51
Response Examples 5-52
Response Flows 5-54
Response Providers 5-56
Supported Variable Names: Request Information 5-58
Supported Variable Names: Session Information 5-59
Supported Variable Names: User Information 5-60
Authorization Constraints 5-61
Road Map 5-63
Application Domain 5-64
Conceptual Relationships for Policy Objects 5-65
Summary 5-67
Quiz 5-68
Practice 5 Overview: Protecting Resources by Using Application Domains 5-72

6 Single Sign-On and Session Management
Road Map 6-2
Objectives 6-3
Road Map 6-4
Oracle Access Manager Single Sign-On 6-5
Oracle Access Manager Single Sign-On Scenario 6-6
Oracle Access Manager Single Logout Scenario 6-7
Road Map 6-8
Session and Cookie Creation in Authentication 6-9
Session and Cookie Usage After Successful Authentication 6-12
The OAM Session and the OAM_ID Cookie 6-14
Agent Cookies 6-15
Single Sign-On Cookie Reference 6-16
Cookie and Communication Security 6-20
Session and Cookies in Single Logout 6-22
Quiz 6-24
Road Map 6-27
Session Life Cycle 6-28
Session Timeouts 6-30
Road Map 6-31
Session Caching and Persistence 6-32
Road Map 6-34
Configuring Single Sign-On: Overview 6-35
Road Map 6-36
Default Login Page 6-37
Options for Displaying the Single Sign-On Login Page by Using Form-Based Authentication 6-38
Configuring an Authentication Scheme for a Customized Login Page 6-41
Customizing Logout 6-42
Road Map 6-44
Configuring Session Management Options 6-45
Managing Sessions 6-46
Road Map 6-47
Windows Native Authentication 6-48
User Validation Replaces Credential Collection 6-49
Configuring an Oracle Access Manager Deployment for WNA 6-50
Quiz 6-52
Summary 6-53
Practice 6 Overview: Examining Single Sign-On and Managing Sessions 6-54

7 Using Oracle Access Manager With WebLogic Applications
Road Map 7-2
Objectives 7-3
Road Map 7-4
Java EE Authentication and Authorization 7-5
Using OAM for Perimeter Authentication and Authorization With a WebGate 7-6
Using OAM for Perimeter Authentication Without a WebGate 7-8
Road Map 7-9
Identity Assertion Providers 7-10
Oracle Access Manager Identity Assertion Provider 7-11
OAM Identity Assertion Provider Event Sequence 7-12
Road Map 7-14
OAM Authenticator 7-15
Quiz 7-16
Summary 7-17
Practice 7 Overview: Using an Identity Assertion Provider 7-18

8 Auditing and Logging
Road Map 8-2
Objectives 8-3
Road Map 8-4
Auditing and Logging: Overview 8-5
Road Map 8-9
The Fusion Middleware Audit Framework 8-10
Road Map 8-12
Audit Output Options 8-13
Audit Architecture Using a Database as the Audit Store 8-14
Deploying Auditing by Using a Database as the Audit Store 8-15
Road Map 8-17
Audit Settings 8-18
Road Map 8-20
Examples of Audited Events 8-21
Examples of Data Recorded When an Audited Event Occurs 8-22
Quiz 8-23
Road Map 8-25
Oracle Business Intelligence Publisher 8-26
Deploying BI Publisher to Support FMW Audit Framework and Oracle Access Manager Reports 8-27
Generating Oracle BI Publisher Reports 8-28
Navigating to Common User Activities Reports 8-29
Navigating to Oracle Access Manager Reports 8-30
Oracle BI Publisher Reports for Oracle Access Manager 8-31
Road Map 8-33
Administrator Tasks: Logging 8-34
Logging Configuration Objects 8-35
Log Levels 8-37
Oracle Access Manager Loggers and Log Level Inheritance 8-38
Log Handler Settings 8-39
Logging Configuration Tools 8-41
Viewing the Logging Configuration by Using FMW Control 8-42
Modifying Log Level by Using FMW Control 8-43
Creating or Configuring Log Handlers by Using FMW Control 8-44
Using the WLST Tool to Configure Logging 8-45
Road Map 8-50
Locating Log Files 8-51
Viewing and Downloading Log Files by Using FMW Control 8-52
Road Map 8-53
Log Files from Other Servers in an Oracle Access Manager Deployment 8-54
Quiz 8-55
Summary 8-57
Practice 7 Overview: Auditing and Logging 8-58

9 Upgrading Oracle Single Sign-On 10g to Oracle Access Manager 11g
Objectives 9-2
Overall Sequence 9-3
Retain Ports Versus Change Ports 9-4
Summary of Upgrade Process 9-5
Upgrade OSSO 10g Associated with Oracle Portal 9-6
Verifying a Successful Upgrade 9-10
Scenarios Not Supported for Upgrade to OAM 11g 9-11
Typical OSSO 10g to OAM 11g Upgrade Topology 9-12
Components Involved in an Upgrade 9-14
Upgrade Flow 9-16
Upgrade Assistant 9-17
Post-Upgrade Validation 9-18
Coexistence of OSSO 10g and OAM 11g 9-20
Key Functionality for Coexistence Model 9-22
Coexistence Scenario I: User Authenticated by OAM 11g 9-23
Coexistence Scenario II: User Authenticated by OSSO 10g 9-25
Typical OSSO Server Production Deployment Topology 9-26
Typical Production Deployment Topology 9-27
Rolling Upgrade: Hybrid Configuration 9-28
Upgrade Process 9-30
Interplay of SSO_ID and OAM_ID Cookies 9-31
Summary 9-32
Quiz 9-33
Practice 9 Overview: Performing OSSO 10g to OAM 11g Upgrade 9-36

10 Troubleshooting and Management
Objectives 10-2
Road Map 10-4
Access Tester 10-5
Use Cases: Access Tester 10-6
Access Tester Simulating Steps 1, 3, 5, 6 of Agent and OAM Server Interaction 10-8
Access Tester: Core Functionality 10-9
Access Tester Architecture 10-10
Output Files and Security Features 10-12
Starting Access Tester 10-13
System Properties 10-15
Access Tester Console 10-18
Test Cases and Test Scripts 10-20
Road Map 10-24
Using weblogic.Admin Utility to Check the State of Servers 10-25
Examining Admin Server and Managed Server Logs 10-26
WebLogic Admin Server and Managed Server Thread Dump 10-28
Agent and Server Monitoring 10-30
OAM Proxy Errors 10-31
Configuration Data 10-32
Road Map 10-33
Top Problem Areas 10-34
LDAP Server 10-35
OAM Runtime Servers 10-36
Agent Side Issues 10-37
Run-Time DB Issues 10-38
Admin Change Propagation and Activation 10-39
Policy Repository DB Issues 10-40
Road Map 10-41
WLST Architecture 10-42
Offline Mode and Online Mode 10-43
Executing WLST Commands 10-44
Example: Create Identity Store Embedding WLST Command in Python Script 10-45
WLST Commands for OAM 11g 10-46
Road Map 10-49
Oracle Enterprise Manager Fusion Middleware Control 10-50
FMW Control: Performance Overview 10-51
Topology 10-52
MBean Browser 10-53
How to Re-register an Agent from the OAM Admin Console 10-54
Summary 10-55
Quiz 10-57
Practice 10 Overview: Working with Access Tester, WLST, and FMW Control 10-61

11 Horizontal Migration
Objectives 11-2
Use Cases: Horizontal Migration 11-3
Perform Horizontal Migration Using WLS Template Builder 11-4
Performing Horizontal Migration by Using WLS Template Builder 11-5
Source and Target Processing 11-6
Policy Migration 11-7
Partner Migration 11-8
Dependencies 11-9
Horizontal Migration Use Cases 11-10
Summary 11-12
Quiz 11-13
Practice 11 Overview: Performing Horizontal Migration 11-15

12 High Availability
Road Map 12-2
Objectives 12-3
Road Map 12-4
High Availability (HA) Goals 12-5
Road Map 12-7
Potential Points of Failure in an Oracle Access Manager Deployment 12-8
Load Balancing on the Web Tier 12-10
Clustering the Oracle Access Manager Server on the Application Tier 12-12
WebLogic Server Cluster 12-13
Configuring a WebLogic Cluster of Oracle Access Manager Servers on Multiple Hosts 12-15
Converting a Single OAM Server on a Single Host to a Clustered Configuration 12-17
Handling Administration Server Failure in a Cluster of Oracle Access Manager Servers 12-20
Data Tier 12-22
Other Issues to Be Aware of in HA Deployments 12-23
Road Map 12-24
Session Replication and Configuration Change Distribution 12-25
User Session Continuity in a Single Oracle Access Manager Server Environment 12-28
User Session Continuity in a Clustered Oracle Access Manager Server Environment 12-29
Road Map 12-30
Backing up an Oracle Fusion Middleware Deployment 12-31
Recovering Your Environment 12-33
HA Topology Review 12-35
Summary 12-36
Quiz 12-37
Practice 12 Overview: Configuring Oracle Access Manager for HA 12-38

A Introduction to Oracle Access Manager
Oracle Access Manager 11g Comparison with Oracle Access Manager 10g and OSSO 10g A-2
Credential Collection A-7
Kerberos Operation A-8
Coexistence and Backward Compatibility A-9
Request Flow: Authentication A-11
Request Flow: Authorization A-14

B Installation and Configuration
WebLogic JMX: Overview B-2
Navigating JMX MBeans B-4
Node Manager B-6
Node Manager Architecture B-8

C System Configuration: Servers, Data Sources, and Agents
Coherence Properties C-2
Common Server Properties C-3
Backward Compatibility C-9
WLS Agent Without a WebGate C-11

D Policy Configuration: Shared Components and Application Domains
Custom Resource Types D-2
Custom Authenticator Use Case D-4
Fusion Applications SSO Use Case D-5
Creating Custom Resources D-6
Authentication Parity with OAM 10g D-7
OAM 10g Parity Items: Features Not Implemented in 11g R1 D-8
Authentication: Troubleshooting Tips D-9
Success and Failure URL D-10
Returning Session or Cookie or HTTP Header Variable D-11
Validating Authentication and Authorization in an Application Domain D-13
Authentication Module Features D-14
Shared Components: Authentication Schemes D-15

E Monitoring OAM 11g by Using Oracle Grid Control
Objectives E-2
Enterprise Manager Architecture E-3
Oracle Enterprise Manager Grid Control Identity Management Pack E-5
Oracle Identity Management Pack Key Capabilities: Performance Monitoring and Diagnostics E-7
Oracle Identity Management Pack Key Capabilities: Service Level Management E-10
Features in the Upcoming Release of Grid Control: Comprehensive Monitoring E-11
Features in the Upcoming Release of Grid Control: Integration with FMW Control and WLS Admin Console E-13
Features in the Upcoming Release of Grid Control: Improved Performance Monitoring and Diagnostics E-14
Grid Control: Home Page E-15
Identity and Access Targets E-16
Identity and Access System E-18
Generic Service E-19
Discovering Oracle Access Manager E-20
Create Identity and Access System E-21
Create Service E-22
Create a Service Dashboard Report E-24
Adding or Removing Targets from the System Topology E-26
Removing Servers or Components from an Existing Identity Management Topology E-27
Updating Monitoring Configuration E-28
Alerts Based on Performance and Usage Metrics E-29
Metric Baselines E-31
View All Metrics Collected for Oracle Identity Management Target E-33
View All Metrics for Oracle Access Manager E-34
Metric and Policy Settings E-36
Availability E-37
Service-Level Rules E-39
Topology E-41
Service Performance and System Component Status E-42
Performance Summary for Oracle Access Manager E-43
Managing Oracle Access Manager and Running Reports E-44
Alerts and Alert History E-45
Blackouts E-47
User-Defined Metrics E-50
Summary E-52

F Introduction to Access SDK
Road Map F-2
Objectives F-3
Road Map F-4
Custom Requirements for Authentication and Authorization Services F-5
Road Map F-7
Access SDK F-8
Road Map F-10
Oracle Access Manager Clients F-11
AccessGate Variations F-12
Road Map F-13
Developing and Deploying AccessGates: Overview F-14
Preparing Systems for AccessGate Development and Deployment F-15
Installing Access SDK F-17
Developing the AccessGate F-19
Example of Access SDK API Usage in an AccessGate F-20
Configuring Oracle Access Manager to Support AccessGates F-22
Road Map F-24
Access SDK Support in Oracle Access Manager 11g F-25
Quiz F-26
Summary F-28

G Single Sign-On and Session Management
Intranet Single Sign-On: End-User Experience G-2
Internet Single Sign-On: End-User Experience G-3
Oracle Fusion Middleware 11g R1 Products for Single Sign-On G-5
Road Map
- Objectives
- Auditing and logging
- Fusion Middleware Audit Framework
- Audit output options
- Configuring audit settings
- Audited events and recorded data
- Generating audit reports
- Configuring logging settings
- Locating and examining logging output
- Locating log files from other servers
Objectives
After completing this lesson, you should be able to:
- Differentiate between auditing and logging
- Describe the Fusion Middleware Audit Framework
- Describe audit output options
- Configure audit settings
- Describe audited events and data recorded when an audited event occurs
- Generate audit reports
- Configure logging settings
- Locate and examine logging output
- Locate log files from other servers in an Oracle Access Manager deployment
[Slide: Deploying Auditing by Using a Database as the Audit Store. Diagram components: Oracle Access Manager Server, Audit Loader, Oracle BI Publisher. Callouts: configure a data source on the admin server and managed server instances; use FMW Control to enable auditing by using a database; restart WebLogic admin and managed server instances.]
Configuring a Data Source for the Audit Database
In this step, you define a JDBC data source for the audit database so that the WebLogic server can access the database. You must configure the data source on the administration server and on all WebLogic managed server instances running the Oracle Access Manager server. Refer to the Oracle Fusion Middleware Security Guide 11g Release 1 for the specific steps to configure the data source.

Enabling Auditing by Using a Database in FMW Control
You must define the auditing type as database logging by using FMW Control. To enable auditing in FMW Control, select the WebLogic Domain > Security > Audit Store option and specify the JNDI name of the data source for the audit database.

Restarting WebLogic Server Instances
Finally, you must restart all the WebLogic Server instances in the domain (the admin server and all the managed server instances). During the restart, the audit loader rereads the audit store configuration and starts using the database for auditing.
Audit Settings
The screenshot shows the configurable options for Oracle Access Manager auditing. The options include the following:

Maximum Directory Size
The maximum size of the directory that contains audit output files. For example, assuming that the maximum file size is 10 MB, a value of 100 for this parameter implies that the directory allows a maximum of 10 files. Once the maximum directory size is reached, auditing stops. This setting applies to auditing by using flat files only.

Maximum File Size
The maximum size, in MB, of the audit file. Once the size of the audit file reaches the maximum size, a new audit file is created and the previous log file is renamed. This setting applies to auditing by using flat files only.

Note: The two users listed by default in the filter settings (orcladmin and SSOAdmin) are provided only as examples and can be removed if they are not required.
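A capacity check for the flat-file settings above, added here as example code (not Oracle's): it measures the audit output directory against Maximum File Size and Maximum Directory Size and reports a warning before the point at which auditing stops. The directory path, the file names and the 80% warning threshold are assumptions, not OAM defaults.

```python
import os
import tempfile

MB = 1024 * 1024


def audit_dir_usage(path):
    """Total bytes and number of regular files in the audit output directory."""
    total, count = 0, 0
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                total += entry.stat(follow_symlinks=False).st_size
                count += 1
    return total, count


def check_audit_capacity(path, max_file_mb, max_dir_mb, warn_ratio=0.8):
    """Compare directory usage with the Maximum File Size and Maximum
    Directory Size settings. State is 'full' once the directory limit is
    reached (the point at which auditing stops), 'warning' at or above
    warn_ratio of the limit, and 'ok' otherwise."""
    used, files = audit_dir_usage(path)
    limit = max_dir_mb * MB
    max_files = max_dir_mb // max_file_mb  # e.g. 100 MB / 10 MB = 10 files
    ratio = used / limit
    if used >= limit:
        state = "full"
    elif ratio >= warn_ratio:
        state = "warning"
    else:
        state = "ok"
    return {
        "state": state,
        "used_mb": round(used / MB, 2),
        "limit_mb": max_dir_mb,
        "files": files,
        "max_files": max_files,
        "ratio": round(ratio, 3),
    }


def demo(rotated_files=3, active_bytes=MB // 2):
    """Constructed scenario in a temporary directory: 1 MB files and a 4 MB
    directory limit, with rotated_files full files plus one active file.
    The file names are made up; they are not OAM's real audit file names."""
    path = tempfile.mkdtemp(prefix="oam_audit_demo_")
    try:
        for i in range(rotated_files):
            with open(os.path.join(path, "audit%d.log" % i), "wb") as f:
                f.write(b"\0" * MB)
        with open(os.path.join(path, "audit.log"), "wb") as f:
            f.write(b"\0" * active_bytes)
        return check_audit_capacity(path, max_file_mb=1, max_dir_mb=4)
    finally:
        for name in os.listdir(path):
            os.remove(os.path.join(path, name))
        os.rmdir(path)


if __name__ == "__main__":
    # Three rotated files plus a half-full active file: 87.5% used, warning.
    print(demo())
```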
Examples of Audited Events and Data Recorded

Event                                      | Data Collected
-------------------------------------------+--------------------------------------------------------------
Authentication:                            | IP address, username, user DN, resource ID, authentication
  Credentials collected                    | scheme ID, failure error code, retry count, authentication
  Authentication succeeded                 | policy ID, partner ID
  Authentication failed                    |
Authorization                              | IP address, user DN, resource ID, authorization policy ID
Administrative:                            | Username, IP address, roles
  Authentication scheme created            |
  Administration console login failed      |
  Server configuration changed             |
Quiz
To deploy auditing by using Oracle Database as the audit store, which two of the following actions must you take?
a. Create a separate WebLogic managed server instance that executes the auditing logic
b. Configure an identity data source in Oracle Access Manager
c. Enable auditing using a database by using FMW Control
d. Run the Repository Creation Utility
Answer: c, d
Quiz
Which tool can you use to view predefined audit reports for Oracle Access Manager?
a. The WLST tool
b. grep
c. Oracle BI Publisher
d. The Oracle Access Manager console
Answer: c
Oracle Business Intelligence Publisher
- Provides report filtering
- Provides report scheduling
- Supports custom reporting requirements
Deploying BI Publisher to Support FMW Audit Framework and Oracle Access Manager Reports
To deploy Fusion Middleware Audit Framework reports and reports specific to Oracle Access Manager in Oracle BI Publisher, perform the following steps:
1. Install the Oracle BI Publisher Web application.
2. In the Web container in which you installed Oracle Business Intelligence Publisher, define a data source for the audit database if you have not already done so.
3. Copy the AuditReportTemplates.jar file from the Fusion Middleware software installation directory to the XMLP/Reports subdirectory of the Oracle BI Publisher top-level installation directory. Unjar the AuditReportTemplates.jar file.
4. Copy the oam_audit_reports_11_1_1_3_0.zip file from the middleware_home/idm_home/oam/server/reports directory to the XMLP/Reports subdirectory of the Oracle BI Publisher top-level installation directory. Unzip the oam_audit_reports_11_1_1_3_0.zip file.
Note: The common user activities reports appear both in the Common_Reports folder and in the Oracle_Access_Manager folder. You can run the common user activities reports from either location in the Oracle BI Publisher console.
[Diagram: Oracle Access Manager loggers and log level inheritance. Credential collector logging at TRACE:32 level; odl-handler; all other OAM components logging at NOTIFICATION:1 level.]
Log Levels
- INCIDENT_ERROR:1
- ERROR:1
- WARNING:1
- NOTIFICATION:1 (default log level)
- NOTIFICATION:16
- TRACE:1
- TRACE:16
- TRACE:32

You can change the amount of logging output for loggers by modifying their log levels. The ODL log levels are listed on the slide. The INCIDENT_ERROR:1 level produces the least logging output. The TRACE:32 level produces the most output. The default log level for Oracle Access Manager server loggers is the NOTIFICATION:1 level. While you can control the volume of output produced by logging, you cannot customize the individual messages that loggers write when you set a given log level on a logger. The level associated with a log message is predefined in the Oracle Access Manager code.

ODL and Java EE Log Levels
Oracle Access Manager uses log levels defined in the ODL. The log levels are analogous to the log levels defined in the java.util.logging.Level class in the Java EE logging architecture. The Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager provides a table that correlates ODL log levels to Java EE log levels.
[Screenshot: modifying the log level by using FMW Control. Callouts: select the Log Files tab; locate the logger among the OAM loggers; set the log level.]
Setting Log Levels
Use the WLST setLogLevel command to set the log level for an Oracle Access Manager server logger. The following WLST session shows the usage and output of the setLogLevel and listLoggers commands:

    > setLogLevel(logger="oracle.oam.engine.authn", target="OAMServer", level="TRACE:32", persist=1)
    > listLoggers(target="OAMServer", pattern="oracle.oam.engine.authn")
    ------------------------------------------+-----------------
    Logger                                    | Level
    ------------------------------------------+-----------------
    oracle.oam.engine.authn                   | TRACE:32
    > setLogLevel(logger="oracle.oam", target="OAMServer", level="TRACE:32", persist=0)
    > listLoggers(target="OAMServer", pattern="oracle.oam.*")
    ------------------------------------------+-----------------
    Logger                                    | Level
    ------------------------------------------+-----------------
    oracle.oam                                | TRACE:32
    oracle.oam.admin.foundation.configuration | <Inherited>
    oracle.oam.agent-default                  | <Inherited>
    oracle.oam.audit                          | <Inherited>
    . . .

In the preceding example:
1. The first setLogLevel command sets the oracle.oam.engine.authn logger's level to the TRACE:32 level.
2. The first listLoggers command shows the updated log level.
3. The second setLogLevel command sets the oracle.oam logger's level to the TRACE:32 level.
4. The second listLoggers command shows the updated log levels.
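The logger hierarchy behind the <Inherited> rows, as an added Python model (not Oracle's code and not WLST): it orders the ODL levels listed earlier, resolves a logger's effective level through its dotted-name ancestors, and replays the two setLogLevel calls above. The persist handling follows WLST's documented meaning of the flag (1 saves the level to the logging configuration file, 0 changes only the running server), which this page does not itself describe; the logger list is a constructed subset of the listing above.

```python
from fnmatch import fnmatchcase

# ODL levels ordered from least output to most output, as listed in the lesson.
ODL_LEVELS = [
    "INCIDENT_ERROR:1", "ERROR:1", "WARNING:1", "NOTIFICATION:1",
    "NOTIFICATION:16", "TRACE:1", "TRACE:16", "TRACE:32",
]
RANK = {level: i for i, level in enumerate(ODL_LEVELS)}
DEFAULT_LEVEL = "NOTIFICATION:1"  # default level of OAM server loggers


class LoggerTree:
    """Loggers form a dotted-name hierarchy. A logger with no level of its
    own inherits the level of its nearest configured ancestor, or the
    default when no ancestor is configured."""

    def __init__(self, default=DEFAULT_LEVEL):
        self.default = default
        self.persisted = {}  # levels saved to the logging configuration file
        self.runtime = {}    # levels in effect on the running server

    def set_log_level(self, logger, level, persist=True):
        # Models setLogLevel(persist=1|0): persist=1 saves the level to the
        # configuration file, persist=0 changes only the running server
        # (WLST's documented meaning of the flag; not stated on this page).
        if level not in RANK:
            raise ValueError("unknown ODL level: %s" % level)
        self.runtime[logger] = level
        if persist:
            self.persisted[logger] = level

    def restart(self):
        """A restart re-reads the configuration, dropping runtime-only changes."""
        self.runtime = dict(self.persisted)

    def effective_level(self, logger):
        """Walk up the dotted name until a configured ancestor is found."""
        name = logger
        while True:
            if name in self.runtime:
                return self.runtime[name]
            if "." not in name:
                return self.default
            name = name.rsplit(".", 1)[0]

    def is_enabled(self, logger, message_level):
        """Would a message logged at message_level be written by this logger?"""
        return RANK[message_level] <= RANK[self.effective_level(logger)]

    def list_loggers(self, known_loggers, pattern):
        """Mimic listLoggers: a logger's own level, or '<Inherited>'.
        Approximation of the pattern: 'a.b.*' matches a.b and its descendants."""
        rows = {}
        for name in sorted(known_loggers):
            if fnmatchcase(name, pattern) or (
                    pattern.endswith(".*") and name == pattern[:-2]):
                rows[name] = self.runtime.get(name, "<Inherited>")
        return rows


# Constructed subset of the loggers shown in the listLoggers output above.
KNOWN_LOGGERS = [
    "oracle.oam",
    "oracle.oam.admin.foundation.configuration",
    "oracle.oam.agent-default",
    "oracle.oam.audit",
    "oracle.oam.engine.authn",
]


def replay_session():
    """Replay the two setLogLevel calls of the WLST session above."""
    tree = LoggerTree()
    trace_before = tree.is_enabled("oracle.oam.engine.authn", "TRACE:16")
    tree.set_log_level("oracle.oam.engine.authn", "TRACE:32", persist=True)
    first = tree.list_loggers(KNOWN_LOGGERS, "oracle.oam.engine.authn")
    tree.set_log_level("oracle.oam", "TRACE:32", persist=False)
    second = tree.list_loggers(KNOWN_LOGGERS, "oracle.oam.*")
    # oracle.oam.audit is listed as <Inherited>, yet it now logs at TRACE:32
    # because its nearest configured ancestor, oracle.oam, does. Verbose trace
    # output can carry sensitive data, so check where a parent-level change
    # cascades before enabling it.
    audit_effective = tree.effective_level("oracle.oam.audit")
    tree.restart()  # the persist=0 change on oracle.oam does not survive
    return {
        "trace16_enabled_before": trace_before,
        "first_listing": first,
        "second_listing": second,
        "audit_effective": audit_effective,
        "audit_after_restart": tree.effective_level("oracle.oam.audit"),
        "authn_after_restart": tree.effective_level("oracle.oam.engine.authn"),
    }


if __name__ == "__main__":
    for key, value in replay_session().items():
        print(key, value)
```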
[Slide: Log Files from Other Servers in an Oracle Access Manager Deployment. Servers shown: WebGate running on Oracle HTTP Server; Oracle Internet Directory; Oracle Directory Server Enterprise Edition; Oracle Database.]
Quiz
Which of the following are properties of loggers? a. Log level b. Output path c. Handler type d. All of the above
Answer: a
Quiz
Which of the following are properties of log handlers? a. Log level b. Output path c. Handler type d. All of the above
Answer: d
Summary
In this lesson, you should have learned how to: Differentiate between auditing and logging Describe the Fusion Middleware Audit Framework Describe auditing output options Configure auditing settings Describe audited events and data recorded when an audited event occurs Generate audit reports Configure logging settings Locate and examine logging output Locate log files from other servers in an Oracle Access Manager deployment
Objectives
After completing this lesson, you should be able to: Describe the OAM upgrade overview Perform Upgrade Step 1: Configuring a User Store Perform Upgrade Step 2: Creating a Policy Domain Perform Upgrade Step 3: Migrating Partners Understand the Retain and Change Port options Upgrade OSSO 10g associated with Oracle Portal Verify successful upgrades Explain the scenarios not upgraded to OAM 11g
Overall Sequence
Configuring a User Store: OSSO 10g has OID configured as the user store. This OID is now configured as the user store for OAM 11g.
Configuring a Policy Domain: A new application domain called migratedSSOPartners is created for all the partner applications that are migrated from OSSO 10g to OAM 11g.
Migrating Partners: Partner applications registered with OSSO 10g are migrated to OAM 11g.
[Figure: overall sequence diagram showing OAM 11g, step 1 (Configure User Store), and OID]
Retain Ports: No changes are required on partner applications, but downtime is required for the server.
Change Ports: No downtime is required for the server, but partner applications need a new osso.conf, which is generated by the Upgrade Assistant.
When OSSO 10g is upgraded to OAM 11g in the Retain Port mode, all the other applications deployed on the Oracle HTTP Server (OHS) that hosts OSSO 10g, such as the Oracle Internet Directory Delegated Administration Services (OIDDAS), need to be deployed on another OHS.
Upgrade Flow
Upgrade from back to front: server followed by agent.
[Figure: upgrade flowchart with the Upgrade Assistant and the OSSO agent side. Decision: old ports retained by server? Yes: no agent change. No: manually update the new obfuscated file.]
Launch Upgrade Assistant: <MW_HOME>/<ORACLE_HOME>/bin/ua.bat
Upgrade Assistant
Enter the following command to launch Upgrade Assistant. On Windows systems (located at MW_HOME\Oracle_IDM1\bin): ua.bat
Post-Upgrade Validation
1. Stop the Oracle HTTP Server on the computer that is hosting the 10g OSSO server.
2. Restart the 11g OAM server.
3. In the Oracle Access Manager 11g administration console, go to System Configuration, Agents. Confirm that the upgraded 10g partner applications have appropriate agent configurations. While the 10g application ID is not recorded in the agent configuration for OAM 11g, most configuration details are included and remain the same:
   - Site Token: The application token
   - Login URL
   - Single Sign-off URL
   - Success URL
   - Failure URL
   - Start Date
   These details were derived from the Oracle Internet Directory 10g associated with OSSO 10g during automated upgrade processing.
4. Access the partner application and confirm that authentication occurs through Oracle Access Manager 11g (check the login form for 11g).
With the OAM 11g server operating in coexistence mode, a user session is valid only if both the OSSO and OAM cookies are set.
Flow
A user accesses a protected resource. The agent intercepts it and redirects to the LBR. The LBR routes the request to one of the SSO servers in the cluster. The SSO server authenticates and sets an SSO_ID cookie containing the session state.
Solution:
OAM 11g should be able to read the OSSO 10g cookie. OAM 11g should be able to create and update the OSSO 10g cookie.
Upgrade Process
You upgrade an OSSO 10g server to an OAM 11g server by invoking the Upgrade Assistant, which:
Migrates partner information
Migrates data stores
Migrates keys
Coexistence mode is turned on by default after an upgrade. Post-upgrade, the OAM 11g server is set to read, create, and update an SSO_ID cookie. Once all the OSSO 10g servers are upgraded, you turn coexistence mode off by using a WLST command:
disableCoexistMode()
Sync the session information in the OAM_ID cookie with that from the SSO_ID cookie
Create a new OAM_ID cookie
It implies that a session does not exist. The user needs to be authenticated. Both SSO_ID and OAM_ID cookies need to be created.
Summary
In this lesson, you should have learned how to: Describe the OAM upgrade overview Perform Upgrade Step 1: Configuring a User Store Perform Upgrade Step 2: Creating a Policy Domain Perform Upgrade Step 3: Migrating Partners Understand the Retain and Change Port options Upgrade OSSO 10g associated with Oracle Portal Verify successful upgrades Explain the scenarios not upgraded to OAM 11g
Quiz
In OAM 11g R1, upgrade is referred to as: a. Move from OSSO 10g to OAM 11g b. Move from OAM 10g to OAM 11g c. Move from OSSO 10g to OAM 10g to OAM 11g d. Move from non-Oracle environment to OAM 11g
Answer: a
Quiz
Coexistence of OSSO 10g and OAM 11g works because: a. OSSO 10g can read, create, and update an OAM_ID cookie b. OAM 11g can read, create, and update an SSO_ID cookie c. Both of the above
Answer: b
Quiz
When performing the upgrade by using the Retain Ports option a. Manually update the osso.conf file b. No changes are required on partner applications but downtime is required for the server c. No downtime is required for the server
Answer: b
Objectives
After completing this lesson, you should be able to: Work with Access Tester Identify connectivity issues
Between agents and servers (impact of load balancers and firewalls)
Explain OAM-specific WLST commands Work with Oracle Enterprise Manager Fusion Middleware Control
Objectives
After completing this lesson, you should be able to: Describe the diagnostic capabilities within OAM 11g
OAM Access Tester
Road Map
Working with Access Tester WLS troubleshooting tips and agent and server monitoring Top problem areas Working with WLST Monitoring by using EM FMW Control
Access Tester
Simulates interactions between registered OAM agents and OAM 11g servers
You can verify agent connection and test policy definitions. An administrator emulates the end user and the Access Tester emulates agents.
Is a stand-alone Java application that ships with Oracle Access Manager 11g
Can be run from any computer
Has both a GUI (manual testing) and a command-line interface (automated testing)
Access Tester
The Access Tester can simulate interactions between registered OAM agents and OAM 11g servers to help troubleshoot issues involving agent connections and to test application policy definitions. IT professionals can use the Access Tester to verify connectivity and troubleshoot problems with the physical deployment. Application administrators can use the Access Tester to perform a quick validation of policies. The Access Tester can be used from any computer, either within or outside the WebLogic administration domain. Command-line mode for running the Access Tester enables complete automation of test script execution in single- or multi-client mode environments. During testing, the Access Tester emulates the agent and communicates with the OAM server, while the administrator emulates the end user.
[Figure: Access Tester interaction diagram showing the Application, User Store, and Policy Store with steps 4 to 7]
Security: Supports Open and Simple modes; encrypts passwords
Ensure that the nap-api.jar is present in the same directory as oamtest.jar on any computer from which you want to run the Access Tester. Start in Console mode:
java -Dlog.traceconnfile=d:\conn.txt -jar oamtest.jar
System Properties
Property               | Mode
-----------------------+--------------------------
log.traceconnfile      | Console and Command Line
display.fontname       | Console
display.fontsize       | Console
display.usesystem      | Console
script.scriptfile      | Command Line
control.configfile     | Command Line
control.testname       | Command Line
control.testnumber     | Command Line
control.ignorecontent  | Command Line
control.loopback       | Command Line
System Properties
The Access Tester supports a number of configuration options that are used for presentation or during certain aspects of testing. These options are specified at startup by using the Java -D mechanism.
log.traceconnfile (Console and command-line modes): Logs connection details to the specified file name. -Dlog.traceconnfile="<file-name>"
display.fontname (Console mode): Starts the Access Tester with the specified font. This could be useful in compensating for differences in display resolution. -Ddisplay.fontname="<font-name>"
display.fontsize
To run a test script: Confirm the location of the saved test script before exiting the Access Tester.
Configuration Data
Stored in an XML file: oam-config.xml
<Default Domain Directory>/config/fmwconfig
Only OAM admin console or WLST commands to be used for changes; do not edit this file manually
Configuration Data
Oracle Access Manager auditing configuration is also recorded in an oam-config.xml file. An audit record contains a sequence of items that can be configured to meet particular requirements.
LDAP Server
Operational slowness:
  Non-OAM load impacting OAM operations
  Capacity problems due to gradual increase in peak load
Consequences:
  Poor user experience
  Agent timeouts leading to retries
LDAP server availability:
  Outage of all LDAP servers
  Load balancer timing out old connections
Consequence:
  Total loss of service
LDAP Server
Test:
1. Set up an OAM server and confirm that authentication and authorization work.
2. Shut down the OID server.
3. Restart your browser.
4. Try to access a protected site: observe errors in the managed server log file.
5. Try to access the OAM admin console: observe errors in the admin server log file.
6. Bring up the LDAP server again.
7. Retry access to the protected application.
8. Retry access to the admin console.
Interference with other services on host:
  CPU cycle contention
  Memory contention
  File system full
Consequence:
  Same as above
Run-Time DB Issues
Write versus read tuning:
  DB not tuned for write-intensive operations
  DB unavailable due to maintenance
  Space issues in DB
Consequence:
  Audit operations and session operations are slow
  File system on server can get full with audit data yet to be written out
  Loss of in-memory session data when one of the servers in the cluster fails
Runtime DB Issues
Test:
1. Set up the system to have a WebGate-protected resource.
2. Enable auditing to the DB.
3. Shut down the DB used to store audit and session data.
4. Try to access a protected resource.
5. Observe the error or warning messages in the managed server log files.
Consequence:
Changes to policy do not take immediate effect. Changes to system configuration do not take immediate effect.
WLST Architecture
Shares the same foundation layer with the OAM admin console
WLST Architecture
Note: All WLST commands are case-sensitive.
Offline Mode
Method invocation happens locally in the WLST shell Requires OAM domain home as a mandatory input
displayUserIdentityStore (edit, create, delete as well)
createOAMIdentityAsserter (update as well)
displayOamServer (create, edit, delete as well)
displayTopology
changeLoggerSetting
Topology
View a graphical representation of the topology
Topology
Click the Topology link on the top-left corner of the Oracle Enterprise Manager Fusion Middleware Control.
MBean Browser
View key MBeans Invoke methods
MBean Browser
OAM > System MBean Browser
Summary
In this lesson, you should have learned how to: Work with Access Tester Identify connectivity issues
Between agents and servers (impact of load balancers and firewalls)
Describe OAM-specific WLST commands Work with Oracle Enterprise Manager Fusion Middleware Control
Summary
Learn the diagnostic capabilities within OAM 11g
OAM Access Tester
Quiz
Which of the following is true: a. You must run Access Tester from the OAM server machine b. You must run Access Tester from the agent machine c. You can run Access Tester from any machine d. You must run Access Tester from the WLS admin server machine
Answer: c
Quiz
Following are the management interfaces for OAM 11g: a. WLST command line b. WLS admin console c. OAM admin console d. EM FMW Control e. All of the above
Answer: e
Quiz
When Access Tester connects to the OAM server, it acts like an: a. Agent b. End user client c. OAM administrator d. OAM proxy server
Answer: a
Quiz
EM FMW Control allows you to: a. View performance overview and drilldown of the OAM server environment b. Configure dynamic log level changes and view log searches c. View OAM environment topology d. Interact with methods, attributes, and their operations by using the MBean browser e. All of the above
Answer: e
Practice 10 Overview: Working with Access Tester, WLST, and FMW Control
This practice covers the following topics: Practice 10-1: Working with Access Tester Practice 10-2: Using OAM-specific WLST commands Practice 10-3: Working with Oracle Enterprise Manager Fusion Middleware Control
Horizontal Migration
Objectives
After completing this lesson, you should be able to: Describe the OAM horizontal migration overview Plan and execute policy migration Plan and execute partner migration Study horizontal migration use cases
The source OAM server contains the "truth." Any conflicts between the source and the target are resolved based on the source.
1. Import policy data.
2. Log in to the OAM admin console on production.
3. Modify the host name for Primary and Secondary Servers in the WebGate registration to the production host name(s).
4. Modify the host name in the Logout Redirect URL field for WebGate 11g to the production host name.
5. Modify the host name in Server Instance Properties to the production host name.
Policy Migration
Export Policy: exportPolicy(pathTempOAMPolicyFile='<pathTempOAMPolicyFile>')
Import Policy: importPolicy(pathTempOAMPolicyFile='<pathTempOAMPolicyFile>')
Import Policy Delta: importPolicyDelta(pathTempOAMPolicyFile='<pathTempOAMPolicyFile>')
Policy Migration
exportPolicy: This command is used to export the policy from the test environment. This command needs to be run from the OAM server, from where the policy needs to be exported. This command takes the path to the temporary oam-policy file as a parameter. This command exports application domain and policy data from the source. OAM application domains are exported with all dependencies. importPolicy: This command is used to decrypt and import application domain and policy data to the production environment. This command overwrites all the policy information in the production environment. This command needs to be run from the OAM server to which the policy needs to be imported. This command takes the path to the temporary oam-policy file that was created during the export operation as a parameter. importPolicyDelta: This command is used to import the policy to the production environment. This command imports only the changes to the production environment without overwriting the unchanged policy data on the target. This command needs to be run from the OAM server to which the policy needs to be imported.
Partner Migration
Export Partners: exportPartners(pathTempOAMPartnerFile='<pathTempOAMPartnerFile>')
Import Partners: importPartners(pathTempOAMPartnerFile='<pathTempOAMPartnerFile>')
Partner Migration
exportPartners(): Exporting a partner creates an object with all partner information, along with the key for each of the partners. This command is used to export the partners from the test environment. This command needs to be run from the OAM server from which the partners need to be exported. This command takes the path to the temporary oam-partners file as a parameter. importPartners(): Decrypts and imports partner data by using the key in the keystore. This command is used to import the partners to the production environment. This command needs to be run from the OAM server to which the partners need to be imported. This command takes the path to the temporary oam-partners file as a parameter.
Dependencies
ConfigureUserStore(): Used to configure the LDAP identity store definition on the production server
Before migrating an OAM 11g application domain, a dependency tree must be constructed for each of the application domains to be migrated.
Dependencies
Configure User Identity Store: This command configures the user store of the production (target) to match the test (source). The application domain consists of authentication and authorization policies over resources. Each authentication policy is configured with an authentication scheme and each authentication scheme has an authentication module configured. To migrate data for an application domain, the shared components (modules, AuthN schemes, and host identifiers) must be migrated first, if they are not already migrated. Shared component data migration is followed by application domain data migration.
Golden Template
exportPolicy(pathTempOAMPolicyFile='<pathTempOAMPolicyFile>')
importPolicy(pathTempOAMPolicyFile='<pathTempOAMPolicyFile>')
Delta-Replication
exportPolicy(pathTempOAMPolicyFile='<pathTempOAMPolicyFile>')
importPolicyDelta(pathTempOAMPolicyFile='<pathTempOAMPolicyFile>')
Summary
In this lesson, you should have learned how to: Perform OAM horizontal migration Plan and execute policy migration Plan and execute partner migration Study horizontal migration use cases
Quiz
Horizontal migration is a process of a. Moving from test to stage to production environment b. Moving from OAM 10g to OAM 11g c. Scaling up your environment for capacity tuning as peak load increases d. Migrating OSSO 10g environment in a rolling fashion to OAM 11g environment
Answer: a
Quiz
Golden template migration involves a. Moving partner data but not policy data b. Moving policy data only c. Moving partner and policy data d. Moving policy data but not partner data
Answer: c
High Availability
Road Map
Objectives High availability goals Mitigating potential points of failure High availability for OAM sessions and configuration Backing up and restoring OAM
Objectives
After completing this lesson, you should be able to: Describe high availability goals Mitigate potential points of failure in an OAM deployment Provide high availability for OAM sessions and configuration data stored in XML files Back up and restore OAM
A cluster is a logical group of WebLogic managed servers. Oracle WebLogic Server clusters provide:
High availability (reliability) Load balancing (scalability)
Configuring a WebLogic Cluster of Oracle Access Manager Servers on Multiple Hosts (continued)
Domain Configuration Propagation
Next, propagate the domain configuration from the first host to all other hosts on which managed server instances participating in the cluster reside. To propagate the domain configuration, use the pack.sh and unpack.sh utilities. Run the pack.sh utility on the first host to package the domain configuration, and unpack.sh on all other hosts to install the domain configuration. Start node managers on all the hosts to which you are propagating the domain configuration. Then start the other managed server instances running Oracle Access Manager by using the command line or the WebLogic console.

Changing the Request Cache Type from the BASIC Type to the COOKIE Type
Next, you can change the request cache type from the BASIC type to the COOKIE type. This optional configuration change causes information normally maintained in the URL string during authentication to instead be maintained in the OAM_REQ cookie. You should make this change if your users' browsers enforce small size limits on the length of the URL string; this option enables you to decrease the URL size. Use the following WLST command to change the request cache type:

    configRequestCacheType(type="COOKIE")

After changing the request cache type, you must restart all the managed server instances in the WebLogic cluster.

Installing and Configuring the Load Balancer
Next, you place a hardware load balancer, software load balancer, or Web proxy in front of the managed server instances in the WebLogic cluster. The steps you follow depend on the type of load balancer you choose. You must configure the Oracle Access Manager server to be aware of the load balancer. In the console, change the host name and port number in the SSO engine configuration to the load balancer's host name and port. After changing the SSO engine host name and port number, you must restart all the managed server instances in the WebLogic cluster.
Reconfiguring Agents
Agents that previously communicated directly with the Oracle Access Manager server must be reconfigured to communicate with the load balancer. To reconfigure agents:
1. Modify the agent configuration parameters to contain the cluster members' hosts and OAP port numbers. Note that agent HA is based on a primary/secondary failover model.
2. Reregister the agent.
3. Copy the agent artifacts to the agent configuration.
4. Restart the agent.
[Figure: Admin Server (Active); Web tier load balancer or Web proxy server plug-in; Host B]
Handling Administration Server Failure in a Cluster of Oracle Access Manager Instances (continued)
Starting a Standby Administration Server After an Administration Server Failure The reference architecture provides for a standby administration server on each host running redundant Oracle Access Manager servers. When you propagate the WebLogic domain to multiple hosts running clustered managed server instances, a copy of the administration server is also propagated. The slide shows the presence of two administration servers in the deployment, with one administration server active and the other administration server available as a standby. In normal operation, all the managed server instances run, while only a single administration server runs. In the event of an administration server failure, one of the standby instances can be brought up to service requests for configuration changes.
Data Tier
Audit and Policy: The audit and policy data store for production OAM deployments is an Oracle Database. Use Oracle RAC for HA.
LDAP: If the LDAP data store is Oracle Internet Directory, use Oracle RAC for HA. For other LDAP data stores, the HA deployment varies depending on the LDAP implementation.
Data Tier
Oracle Access Manager uses the following types of data, which reside on the data tier:
  Audit data
  Oracle Access Manager policies
  Oracle Access Manager sessions
  Identity data
For Oracle Access Manager 11g R1, audit data, policies, and sessions are always stored in an Oracle Database. A typical strategy for Oracle Database HA is Oracle Real Application Clusters (Oracle RAC). Refer to the following URL for more information about Oracle Database high availability, including Oracle RAC: http://www.oracle.com/technetwork/database/features/availability/index.html. If you use Oracle Internet Directory for your identity store, then identity data is stored in an Oracle Database instance. Use Oracle RAC or another Oracle Database HA strategy. If you use a non-Oracle product for your identity store, refer to your vendor's documentation for information about making the identity store highly available.
Security: Which network traffic to encrypt Data center failure and disaster recovery
The OAM server goes down and is restarted. Upon restart, the server has no sessions in-memory.
[Figure: a failed OAM server (X) behind the Web tier load balancer or other cluster front end, with the session store]
Run-Time Artifacts: Backed up During Full Backups and Regular Backups
Run-time artifacts can change often. The Oracle Fusion Middleware Administrator's Guide recommends backing up the following files on a regular basis, typically nightly:
  Domain directories
  Oracle instance homes
  Application artifacts, such as .ear and .war files, that reside outside of the domain
  Database artifacts, such as the policy and audit data store
  The identity store, which might or might not reside in an Oracle database
When performing the backup of run-time artifacts, do not back up local audit files if your Oracle Access Manager deployment is configured to write audit records to the database. Duplicate records might be uploaded to the audit database after a restore.

Backup Utilities
Oracle Fusion Middleware does not provide users with any special backup utilities or tools. You use tools provided with operating systems or other software:
  For file backup, use tools such as the tar utility on Linux and UNIX, and the xcopy command on Windows.
  For database backup, use Oracle Recovery Manager. For more information about Oracle Recovery Manager, refer to the Oracle Database Backup and Recovery User's Guide.
  For registry key backup, use the regedit utility or any other registry backup tool.
  For identity store backup, use Oracle Recovery Manager for Oracle Internet Directory. If you use a different identity data store, refer to the documentation for the backup procedure for the identity store.
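The caveat above (skip local audit files when auditing goes to the database, or a restore may re-upload duplicate records) is easy to get wrong in a hand-written tar command. The following added example, not an Oracle-provided utility, packages run-time directories with Python's tarfile module and applies that exclusion only when the deployment audits to the database; AUDIT_DIR_NAME is an assumed directory name, and the domain tree it builds is constructed sample data.

```python
"""Nightly backup of OAM run-time artifacts (added example)."""
import os
import tarfile
import tempfile
import time

# Assumed name of the directory holding local audit files (example only);
# take the real location from your own audit configuration.
AUDIT_DIR_NAME = "auditlogs"


def _audit_filter(tarinfo):
    """tarfile filter: returning None drops the member (and, for a directory,
    everything below it) from the archive."""
    if AUDIT_DIR_NAME in tarinfo.name.split("/"):
        return None
    return tarinfo


def backup_runtime_artifacts(paths, archive_path, audit_to_database):
    """Archive the given run-time directories into archive_path (tar.gz).

    audit_to_database: True when OAM writes audit records to the database;
    local audit files are then left out, as the course notes recommend.
    Returns the sorted list of member names written to the archive.
    """
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in paths:
            tar.add(
                path,
                arcname=os.path.basename(os.path.normpath(path)),
                filter=_audit_filter if audit_to_database else None,
            )
    with tarfile.open(archive_path, "r:gz") as tar:
        return sorted(tar.getnames())


def make_sample_domain(root):
    """Construct a minimal fake domain tree for the demonstration."""
    files = {
        "config/config.xml": "<domain/>",
        "config/fmwconfig/oam-config.xml": "<Configuration/>",
        "servers/oam_server1/logs/oam_server1.log": "server log line",
        "servers/oam_server1/logs/" + AUDIT_DIR_NAME + "/audit.log": "audit record",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


def demo(audit_to_database=True):
    """Build the sample domain, back it up, and return the archive members."""
    with tempfile.TemporaryDirectory() as tmp:
        domain = make_sample_domain(os.path.join(tmp, "oam_domain"))
        archive = os.path.join(tmp, "oam_domain-%s.tar.gz" % time.strftime("%Y%m%d"))
        return backup_runtime_artifacts([domain], archive, audit_to_database)


if __name__ == "__main__":
    for member in demo(audit_to_database=True):
        print(member)
```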
HA Topology Review
The diagram on the slide provides a reference topology for high availability Oracle Access Manager deployments. While your specific deployment might differ in some areas, the reference topology is a good starting point for complex Oracle Access Manager deployments. Some deployment elements on the slide have been covered earlier in this lesson. For example: Redundancy on the Web, application, and data tiers Usage of load balancers Other deployment elements on the slide are not in the scope of this lesson but are important to consider when configuring a high availability deployment. For example: Placement of firewalls Port numbers to be opened in firewalls Redundancy of the directory service
Summary
In this lesson, you should have learned how to: Describe high availability goals Mitigate potential points of failure in an OAM deployment Provide high availability for OAM sessions and configuration data stored in XML files Back up and restore OAM
Quiz
When configuring Oracle Access Manager for HA, under what condition might you need to change the cache request type from the BASIC type to the COOKIE type?
a. The URL string is encrypted because you are using SSL.
b. There are limits on the size of the URL string.
c. You want to protect users from cookie hijacking.
d. Your applications use HTTP basic authentication, and you want to force the Web container to write a session cookie every time a user authenticates.
Answer: b
Comparison of OAM 11g, OAM 10g, and OSSO 10g

Cookies
  OAM 11g (WebGate, OAM managed server and administration server):
    One per partner: OAMAuthnCookie_host:port_<randomnumber>, set by WebGate
    OAMRequestCookie_<host:port>_<randomnumber>
    One for a specific OAM server: OAM_ID
  OAM 10g (WebGate, access server, policy manager):
    Domain-based ObSSOCookie for each WebGate
  OSSO 10g (mod_osso, OracleAS SSO server):
    Host-based authentication cookie, one per partner: OHS-host-port
    One for the OSSO server: SSO_ID
    Domain-level session cookie for global inactivity timeout (GITO), if enabled

Crypto keys
  OAM 11g:
    One per-agent secret key shared between WebGate and OAM server, generated during agent registration
    One OAM server key, generated during server registration
    Agent side: the per-agent key is stored locally in the Oracle Secret Store.
    OAM 11g server side: the per-agent key and the server key are stored in the directory server.
    Cryptography is performed at both the agent and server ends.
    Maintain ClientIP and include it in the host-based OAMAuthnCookie.
    Include RequestTime in obrareq.cgi and copy it to obrar.cgi to prevent response token replay.
  OAM 10g:
    Global shared secret stored in the directory server only (not accessible to WebGate)
    Cryptography is performed at the Access Server.
    Include the original clientIP inside the ObSSOCookie.
    RequestTime replay protection: N/A
  OSSO 10g:
    One key per partner shared between mod_osso and OSSO server
    OSSO server's own key
    One global key per OSSO setup for the GITO domain cookie
    mod_osso side: partner keys and the GITO global key are stored locally in the obfuscated CONFIG file.
    OSSO server side: partner keys, the GITO global key, and the server key are all stored in the directory server.
    Cryptography is performed at both mod_osso and the OSSO server.
    Include the original clientIP inside the host cookie.
    Include RequestTime (time stamp taken just before redirect) in the site2pstore token and copy it to the urlc token to prevent token replay.

Session Management
  OAM 11g:
    Includes salt in every encryption for randomness and to prevent cryptographic algorithm break
    The logOutUrls (OAM 10g WebGate configuration parameter) is preserved.
    New 11g WebGate parameters: logoutRedirectUrl, logoutCallbackUrl, doneURL
    OAM 10g session idle timeout behavior is supported through the Oracle Coherence-based session management engine (SME).
    AuthN and AuthZ services
  OAM 10g:
    N/A
  OSSO 10g:
    Includes salt in every encryption for randomness and to prevent cryptographic algorithm break
    The OSSO server cookie includes a list of partner IDs.
    Single domain is supported through a domain-level cookie for global inactivity timeout (GITO).
    AuthN service
Credential Collection
OAM 10g collects credentials at the WebGate:
  Can be set up to always go to an authentication WebGate
  Can also be set up for credential collection at every WebGate
Login pages are presented by the OAM run-time servers. OAM run-time servers can redirect to login pages located in a separate Web server. Regardless of where the login pages are, credentials are sent to the OAM run-time servers for collection. Login pages are provided out-of-the-box.
Kerberos Operation
[Figure: Kerberos operation sequence between the IE browser, OAM 11g, and the Windows KDC, ending with the user authenticated]
Single Sign-On
[Figure: single sign-on flow between the end user, the WebGate/AccessGate/OSSO agent (OAM 10g WebGate handles AuthN), the Web server and its content, the OAM server, the Access server, the policy store, and the identity store (directory server). Steps recoverable from the figure:]
  HTTP request
  3. OAM server checks policy store
  4. Challenge based on AuthN scheme
  8. OAM server calls the AuthN module corresponding to the AuthN scheme
  9. OAM server checks identity store for DN (in case of LDAP AuthN module)
  10. Directory server responds with 0 or 1 DN
  13. Encrypted cookie set for browser
  15. OAM server checks policy store for AuthZ policy
SSLMBean
    >connect('myuser','mypass','localhost:7001')
    >cd('Servers')
    >ls()
    dr-   AdminServer
    dr-   ServerA
    >cd('ServerA')
    >ls()
    dr-   Log
    dr-   SSL
    -r-   ListenPort    7011
    -r-   StartupMode   RUNNING
    >cd('Log/ServerA/StdoutFilter')
Node Manager
Is a utility or process running on a physical server that enables starting, stopping, suspending, or restarting the administration and managed servers remotely
Is not associated with a domain
Can start any server instances that reside on the same physical server
Is required if you use the administration console to start servers
Has the following versions: Java-based and script-based
Node Manager
The server instances in the production environment of an Oracle WebLogic Server are often distributed across multiple domains, machines, and geographic locations. Node manager is an Oracle WebLogic Server utility that enables you to start, shut down, and restart administration server and managed server instances from a remote location. Although a node manager is optional, it is recommended if your Oracle WebLogic Server environment hosts applications with high-availability requirements. A node manager process is not associated with a specific Oracle WebLogic server domain but with a machine. You can use the same node manager process to control the server instances in any Oracle WebLogic Server domain, as long as the server instances reside on the same machine as the node manager process. The node manager must run on each computer hosting the Oracle WebLogic Server instanceswhether the administration server or the managed serverthat you want to control with the node manager. Oracle WebLogic Server provides two versions of the node manager: Java-based and script-based, with similar functionality.
[Figure: JMX client connecting to the Administration Server.]
Coherence Properties
Coherence provides replicated and distributed (partitioned) data management and caching services on top of a reliable, highly scalable peer-to-peer clustering protocol. Coherence has no single points of failure; it automatically and transparently fails over and redistributes its clustered data management services when a server becomes inoperative or is disconnected from the network. When a new server is added, or when a failed server is restarted, it automatically joins the cluster and Coherence fails back services to it, transparently redistributing the cluster load. Coherence includes network-level fault tolerance features and a transparent soft restart capability to enable servers to self-heal.
Coherence modules consist of the properties with their corresponding values and types for the individual server instance. Coherence logging appears only in the WebLogic Server log. There is no bridge from Oracle Coherence logging to Oracle Access Manager logging.
Note: Oracle recommends that you do not modify Oracle Coherence settings for an individual server unless you are requested to do so by Oracle Support.
- LogLevel: The Coherence log level (from -1 to 9) for OAM server events
- Local Port: The listening port for Coherence logging on the WebLogic Server
- LogLimit: The Coherence log limit
[Screen residue: server settings. Audit configuration fields: Maximum Directory Size, Maximum File Size, Filter Enabled, Filter Preset, Audit Users (Filter Settings). OAM proxy fields: Global Passphrase, PEM Keystore Alias, PEM Keystore Alias Password.]
Backward Compatibility
OAM 11g server is compatible with not only OAM 11g agents (WebGate or AccessGate) but also OAM 10g (WebGate or AccessGate) and OSSO 10g (mod_osso) agents.
You can register an agent that has been freshly installed or previously installed and is operating in an existing OAM 10g SSO or OSSO 10g deployment. After registration, Oracle Access Manager 11g servers are compatible with both 10g and 11g agents in any combination:
- OAM 11g agents (WebGates or AccessGates)
- OAM 10g agents (WebGates or AccessGates)
- OSSO 10g agents (mod_osso)
Registering 10g agents that are not used in an existing 10g SSO deployment is the same as registering 11g agents. You can also register a 10g agent that is performing within an existing 10g SSO deployment. In this case, there are some differences between registration techniques, as you will see later in this lesson.
Legacy OAM SSO agents: The integrated proxy server installed along with each OAM server provides support for legacy Oracle Access Manager SSO deployments by acting as the legacy access server. The OAM proxy can accept requests from multiple access clients concurrently and enables existing access clients (registered OAM 10g WebGates, for instance) to interact with Oracle Access Manager 11g services.
[Figure: WLS Agent without a WebGate. The browser talks directly to the WLS server, where the WLS agent (IAP) contacts the OAM server; the OAMAuthnCookie (OAMAuthnCookie_<h>:<p>) is shown on the browser side; the console is also shown.]
[Figure: WLS Agent co-located with a WebGate and IAP. The browser reaches the WebGate, which forwards the request to the WLS server with the header OAM_REMOTE_USER=John and the OAMAuthnCookie_<h>:<p>; the WLS agent (IAP) contacts the OAM server; the console is also shown.]
1. A user accesses the J2EE application directly because there is no WebGate in this scenario.
2. The application authenticates with the OAM identity authenticator implementation in the CSS layer by passing the username and password.
3. To fulfill the authentication, the OAM identity authenticator contacts OAM on a NAP channel.
4. Upon successful authentication, the OAM identity authenticator returns the subject to the J2EE application.
Copyright 2010, Oracle and/or its affiliates. All rights reserved.
1. A client accesses an ADF application, which is protected by an anonymous authentication. The ADF application determines that authentication is required, so it redirects to a WebGate-protected ADF authentication servlet.
2. The WebGate connects to OAM for the authentication policy.
3. If AuthN is successful, access to the ADF AuthN servlet is granted, which then redirects to the original ADF controller application.
4. The OAM identity asserter intercepts the request and asserts the identity of the user.
5. This step is optional. The identity asserter may or may not contact OAM to assert the user. It can be configured to trust the connections from the WebGate, in which case it does not need to contact OAM.
6. The request goes back to the ADF controller application.
Note: No host ID is prefixed for custom resources; no support for virtual hosts. No patterns are supported for custom resource types (they are all literals).
[Figure: Authorization fails. (1) The user requests access to a resource through the WebGate; the OAM server denies authorization and the WebGate returns AuthzFailure.html: "We are sorry but you are not authorized to access this resource. If you would like to request access, contact Application Administrator."]
[Figure: Authorization succeeds. (1) The user requests access to a resource; the OAM server returns an authorization success; (3) the WebGate sets the header variable HTTP_WELCOME_CN; (4) the application processes the header variable and embeds the CN attribute in the returned page.]
[Table residue: authentication schemes with their AuthN module, challenge method and AuthN level. Column tokens as extracted from the slide:
Scheme/module names: LDAPNoPasswordValidation, LDAPNoPasswordAuth, Form, LDAP, Kerberos, OAAMBasic, OAAMAdvanced, OIM, X509, OAM 10g, OIF
AuthN modules: Anonymous, LDAP, LDAP, Kerberos, LDAP, LDAP, LDAP, X509
Challenge methods: None, Basic, Form, WNA, Form, Form, Form, X509
AuthN levels: 0, 1, 2, 2, 2, 2, 2, 1, 5, 2, 2]

LDAPNoPasswordValidationScheme: Protects Oracle Access Manager-related resources (URLs) for most directory types based on a Form challenge method. Used with the identity asserter for SSO when you have resources in a WebLogic container.
Authentication Modules: In Oracle Access Manager 11g, each authentication scheme requires an authentication module. Several preconfigured authentication modules are available for use out-of-the-box:
- Kerberos Module: A credential mapping module that matches the credentials of the user who requests a resource (username and password) to the user defined for Windows native authentication in Active Directory.
- LDAP Module: A credential mapping module that matches the credentials of the user who requests a resource (username and password) to a user definition stored in an LDAP directory server. An LDAP module is required for Basic and Form challenge methods.
- X509 Module: Similar to LDAP, with additional properties that indicate which attribute of the client's X.509 certificate should be validated against the user attribute in LDAP.
Note: Only preconfigured authentication modules can be used in an authentication scheme. You cannot use a custom authentication module.
Objectives
After completing this lesson, you should be able to:
- Describe Oracle Enterprise Manager Grid Control architecture
- List the key capabilities of Oracle Identity Management pack
- Work with identity and access targets
- Discover and monitor Oracle Access Manager
- Discover Oracle Identity Management deployments and model end-to-end services.
- Monitor the health of all critical IDM components and set up alerts against a wide range of performance metrics.
- Record service tests to simulate key end-user activities and to actively measure performance and availability of the IDM service.
- Define Service Level Objectives (SLO) based on business requirements.
- Track configuration changes for Oracle Identity Management components.

Using Grid Control for Monitoring Identity Management Targets
Enterprise Manager helps you monitor the availability and diagnose the health of identity management targets within your enterprise configuration. By deploying a management agent on each host, you can use Enterprise Manager to discover the identity management components on these hosts and automatically begin monitoring them by using default monitoring levels, notification rules, and so on.
Enhanced Interface for Managing Fusion Middleware
- ADF-based interface
- Navigation tree on the left controls details displayed on the right
- Customization of home page views via drag-and-drop of regions
- Context-sensitive menus
- In-context drilldowns to Fusion Middleware Control and WebLogic Server administration console
Generic Service
Create Service
To create a target of type Generic Service associated with any of the monitored Identity Management systems, perform the following steps:
1. Click Add in the Services section.
2. Enter the general information requested for the new Generic Service, and click Continue once all the requested information is entered.
   a. Name: Enter a name for your new Generic Service, for example, Oracle Access Manager Access Service.
   b. Time Zone: Select a time zone for your service.
   c. Select System: Select a system to be associated with your new service, for example, Access Manager Access System.
3. Enter the availability information requested for the new Generic Service. Define availability based on:
   Service Test: Select this option if the availability of your service is determined by the availability of a critical functionality to your end users. For more information, see the Service Level Management section.
4. Enter the service test information requested for the new Generic Service.
   Test Type: Select the type of test that you would like to record or configure. For regular Web transactions, select Web Transaction. For LDAP service tests, select LDAP.
   a. Name: Enter a name for your new service test, for example, Simple Login Test.
   b. Collection Frequency (Minutes): Enter the desired collection frequency for your service test.
   c. Transaction:
      - Basic Single URL: If you would like to test a single page, enter a URL for your service test.
      - Record a Transaction: Click the Go button to record a Web transaction that navigates through multiple pages in your application.
5. Enter the beacon information requested for the new Generic Service.
   a. Add: Select an available beacon where a Grid Control agent is running.
   b. Create: Create a new beacon by selecting a discovered Grid Control Agent.
6. Enter the performance metrics information requested for the new Generic Service.
   a. Add Based on Service Test: Click the Go button to add performance metrics based on the recorded service test. Define the Warning Threshold and Critical Threshold for your alerts.
   b. Add Based on System: Click the Go button to add performance metrics based on the monitored Oracle Identity Management components. Define the Warning Threshold and Critical Threshold for your alerts.
7. Enter the usage metrics information requested for the new Generic Service.
   Add Based on System: Click the Add button to add usage metrics based on the monitored Oracle Identity Management components. Define the Warning Threshold and Critical Threshold for your alerts.
8. Review the information and click Finish to complete the creation of your new Generic Service.
Metric Baselines
Metric baselines are statistical characterizations of system performance over well-defined time periods. Metric baselines can be used to implement adaptive alert thresholds for certain performance metrics, as well as provide normalized views of system performance. Adaptive alert thresholds are used to detect unusual performance events. Baseline normalized views of metric behavior help administrators explain and understand such events.
Metric baselines are well-defined time intervals (baseline periods) over which Enterprise Manager has captured system performance metrics. The underlying assumption of metric baselines is that systems with relatively stable performance should exhibit similar metric observations (that is, values) over times of comparable workload. Two types of baseline periods are supported: moving window baseline periods and static baseline periods.
Moving window baseline periods are defined as some number of days prior to the current date (for example, the last 7 days). This allows comparison of current metric values with recently observed history. Moving window baselines are useful for operational systems with predictable workload cycles (for example, OLTP days and batch nights).
Static baselines are periods of time that you define that are of particular interest to you (for example, end of the fiscal year). These baselines can be used to characterize workload periods for comparison against future occurrences of that workload (for example, compare the end of the fiscal year from one calendar year to the next).
Availability
Availability of a service is a measure of the end users' ability to access the service at a given point in time. However, the rules of what constitutes availability may differ from one application to another. For example, for a Customer Relationship Management (CRM) application, availability may mean that a user can successfully log on to the application and access a sales report. For an online store, availability may be monitored based on whether the user can successfully log in, browse the store, and make an online purchase. Grid Control allows you to define the availability of your service based on service tests or systems.
Service Test-Based Availability: Select this option if the availability of your service is determined by the availability of a critical functionality to your end users. While defining a service test, choose the protocol that most closely matches the critical functionality of your business process, and beacon locations that match the locations of your user communities. You can define one or more service tests by using standard protocols, and designate one or more service tests as "key tests." These key tests can be executed by one or more "key beacons" in different user communities. A service is considered available if one or all key tests can be executed successfully by at least one beacon, depending on your availability definition.
Availability (continued)
System-Based Availability: Your service's availability can alternatively be based on the underlying system that hosts the service. Select the components that are critical to running your service and designate one or more components as "key components," which are used to determine the availability of the service. The service is considered available as long as at least one or all key components are up and running, depending on your availability definition.
Perform the following steps to define the availability of a service:
1. Click the Targets tab on the Enterprise Manager console.
2. Click the All Targets tab.
3. Click the Oracle Identity Management service target of type Generic Service or Web Application.
4. Click the Monitoring Configuration tab.
5. Click the Availability Definition link.
6. Select Service Test or System from the Define Availability Based On drop-down list.
7. Enter the requested information and click OK to save your changes.
Service-Level Rules
Service-level parameters are used to measure the quality of the service. These parameters are usually based on actual service-level agreements or on operational objectives. Grid Control's Service Level Management feature allows you to proactively monitor your enterprise against your service-level agreements to verify that you are meeting the availability, performance, and business needs within the service's business hours. For service-level agreements, you may want to specify the levels according to operational or contractual objectives. By monitoring against service levels, you can ensure the quality and compliance of your business processes and applications.
Perform the following steps to edit a service-level rule for a service:
1. Click the Targets tab on the Enterprise Manager console.
2. Click the All Targets tab.
3. Click the Oracle Identity Management service target of type Generic Service or Web Application.
4. Click the Monitoring Configuration tab.
Topology
Topology View
Use the Topology page (subtab), to view the dependencies between the service, its system components, and other services that define its availability. Upon service failure, the potential causes of failure, as identified by Root Cause Analysis, are highlighted in the topology view. In the topology, you can view dependent relationships between services and systems.
Blackouts
Blackouts allow you to support planned outage periods to perform emergency or scheduled maintenance. When a target is put under blackout, monitoring is suspended, thus preventing unnecessary alerts from being sent when you bring down a target for scheduled maintenance operations such as a database backup or hardware upgrade. Blackout periods are automatically excluded when calculating a target's overall availability.
A blackout period can be defined for individual targets, a group of targets, or all targets on a host. The blackout can be scheduled to run immediately or in the future, and to run indefinitely or stop after a specific duration. Blackouts can be created on an as-needed basis, or scheduled to run at regular intervals. If, during the maintenance period, you discover that you need more (or less) time to complete maintenance tasks, you can easily extend (or stop) the blackout that is currently in effect.
Blackout functionality is available from both the Enterprise Manager console and the Enterprise Manager command-line interface (EMCLI). The EMCLI is often useful for administrators who would like to incorporate the blacking out of a target within their maintenance scripts. When a blackout ends, the Management Agent automatically re-evaluates all metrics for the target to provide the current status of the target post-blackout.
Blackouts (continued)
If an administrator inadvertently performs scheduled maintenance on a target without first putting the target under blackout, these periods are reflected as target downtime instead of planned blackout periods. This has an adverse impact on the target's availability records. In such cases, Enterprise Manager allows super administrators to go back and define the blackout period that should have happened at that time. The ability to create these retroactive blackouts provides super administrators with the flexibility to define a more accurate picture of target availability.
Perform the following steps to set up blackouts for a monitored Oracle Identity Management target:
1. Click the Setup link on the Enterprise Manager console (located in the upper-right section).
2. Click the Blackouts tab.
3. Click the Create button to launch the blackout wizard.
4. Select the desired target types and enter all the requested information.
User-Defined Metrics
Targets > Hosts > <Host for IDM products> > Related Links > User Defined Metrics
User-defined metrics allow you to extend the reach of Enterprise Manager's monitoring to conditions specific to particular environments via custom scripts. Once a user-defined metric is defined, it is monitored, aggregated in the repository, and can trigger alerts like any other metric in Enterprise Manager. The supported user-defined metrics in the Management Pack for Identity Management are the ones created at the host level (Operating System). Operating System (OS) user-defined metrics can be accessed from host target home pages and allow you to implement custom monitoring functions via OS scripts.
Perform the following steps to set up user-defined metrics for the underlying hosts supporting the Oracle Identity Management environment:
1. Click the Targets tab on the Enterprise Manager console.
2. Click the All Targets tab.
3. Click the target of type Host on which Oracle Identity Management components are running.
4. Click the User-Defined Metrics link in the Related Links section.
5. Click the Create button to create a new user-defined metric.
Summary
In this lesson, you should have learned:
- Oracle Enterprise Manager Grid Control architecture
- Key capabilities of Oracle Identity Management pack
- How to work with identity and access targets
- How to discover and monitor Oracle Access Manager
Road Map
- Objectives
- Custom requirements
- Access SDK
- AccessGates
- Providing administrative support for the development and deployment of AccessGates
- Accessing SDK support in Oracle Access Manager 11g
Objectives
After completing this lesson, you should be able to:
- Identify custom requirements for authentication and authorization services
- Describe the Access SDK
- Describe AccessGates
- Provide administrative support for development and deployment of AccessGates
- Describe Access SDK support in Oracle Access Manager 11g
Access SDK
Using Access SDK, developers can write custom code to protect resources when Oracle-provided functionality is not available with Oracle Access Manager or Oracle Fusion Middleware. Access SDK is a set of application programming interfaces (APIs) with which programmers can call Oracle Access Manager from programs written in the following languages:
- Java
- C
- C++
- C#
This lesson explains Access SDK capabilities and how OAM administrators work with Access SDK. Administrators might perform tasks such as supporting developers who code applications that use the Access SDK APIs, and installing applications that use the Access SDK APIs.
WebGates (Oracle-provided)
AccessGate Variations

Category                 | Options
-------------------------|------------------------------------------------------
Operating system         | Windows, Linux, Solaris
Programming language     | Java, C, C++, C#
Protected server type    | Web server, Java EE application server, other
Protected resource type  | URL, other resource
Credential collection    | HTTP FORM-based, session tokens, command-line input
AccessGates differ based on a variety of factors:
- The operating system of the host computer on which they are installed. Each operating system requires a different Access SDK installation package. For supported operating system versions, refer to the Oracle Access Manager Certification Matrix on the Oracle Technology Network.
- The programming language in which they are written. Java, C, C++, and C# APIs are available. These programming languages provide a choice of interfaces to the underlying functionality of the API.
- The type of server for which they are written. You can protect Web servers or Java EE application servers.
- The type of resources they protect. You can protect both HTTP URLs and non-HTTP resources.
- The ways in which they retrieve user credentials. You can enable HTTP FORM-based input, the use of session tokens, and command-line input, among other methods.
[Slide residue: administrative support checklist. Developer's system: Supported Java SDK version, Supported OS version, Developer's system environment variables. AccessGate system.]
Use the Oracle Access Manager 10g Access SDK to develop AccessGates for Oracle Access Manager 11g.
    import com.oblix.access.*;   // Access SDK Java API
    . . .
    // . . . users want to access
    public static final String ms_resource = "//example.com:80/secrets/index.html";
    public static final String ms_protocol = "http";
    public static final String ms_method = "GET";

    public static void main(String argv[]) {
        try {
            // Initializes Access SDK
            ObConfig.initialize();
            // Calls OAM to see if the resource is protected
            ObResourceRequest rrq = new ObResourceRequest(ms_protocol, ms_resource, ms_method);
            if (rrq.isProtected()) {
                System.out.println("Resource is protected.");
                ObAuthenticationScheme authnScheme = new ObAuthenticationScheme(rrq);
                // If not, asks user to authenticate
                . . .
                // Creates a user session object with the resource request and credentials
                ObUserSession session = new ObUserSession(rrq, creds);
                if (session.getStatus() == ObUserSession.LOGGEDIN) {
                    // Calls OAM to see if the user is authorized to access the resource
                    if (session.isAuthorized(rrq)) {
                        System.out.println("User is logged in and authorized for the request at level "
                                           + session.getLevel());
                    } else {
                        System.out.println("User is logged in but NOT authorized");
                    }
                } else {
                    System.out.println("User is NOT logged in");
                }
        . . .
Comparing the Oracle Access Manager 10g and Oracle Access Manager 11g Access SDK
The table illustrates support for Access SDK features in Oracle Access Manager 11g. Authentication and authorization APIs are supported. The release 10g Policy Manager API is not supported in release 11g. Because Oracle Access Manager 10g supported identity management, Access SDK provides identity and access management customization capabilities. Because identity management functionality has been removed from Oracle Access Manager with release 11g, the portion of the Access SDK that supported identity management functionality is not supported for Oracle Access Manager 11g. Refer to the Oracle Identity Manager 11g documentation for information about identity management customization capabilities.
Quiz
Which of the following four programming languages can programmers use to code AccessGates? a. C b. C++ c. Perl d. Ruby e. COBOL f. Java g. C#
Answer: a, b, f, g
Quiz
You want your company's packaged applications that are written in the C programming language to use Oracle Access Manager for authentication. Which feature of Oracle Access Manager should you use? a. Oracle-provided WebGate b. Oracle-provided AccessGate c. Custom-developed AccessGate
Answer: c
Summary
In this lesson, you should have learned how to:
- Identify custom requirements for authentication and authorization services
- Describe the Access SDK
- Describe AccessGates
- Support the development and deployment of AccessGates
- Describe the differences between the Oracle Access Manager 10g and 11g Access SDK
[Figure: single-domain single sign-on example: http://www.example.com/MyDepartment.jsp]
1. A user attempts to access an employee portal page.
2. The system challenges the user to enter a user ID and a password (or other credentials).
3. The user enters the correct user ID and password, and the system grants the user access to the portal page.
4. The user then attempts to access his or her department's portal.
5. Single sign-on is achieved when the system grants the user access to the page without forcing the user to authenticate a second time.
[Figure: cross-domain single sign-on example: http://www.partssupplier.com and http://www.manufacturer.com/ViewCurrentInventory.jsp]
Oracle Fusion Middleware 11g R1 Software Solutions for Single Sign-On (continued)
Single and Cross-Domain Single Sign-On
In many (but not all) cases, including the examples on the previous slides, intranet access occurs in a single DNS domain, while Internet access crosses DNS domains. As defined on Wikipedia, a security domain is an application or collection of applications that all trust a common security token for authentication, authorization, or session management. Generally speaking, a security token is issued to a user after the user has actively authenticated with a user ID and password to the security domain. Both Oracle Access Manager and Oracle Identity Federation support both single DNS domain and cross-DNS domain single sign-on scenarios. Typically, Oracle Access Manager is used for single sign-on across a security domain, while Oracle Identity Federation is used for single sign-on across multiple security domains. In deployments in which all resources can be protected by a single server trusted by all parties, Oracle Access Manager is the most common solution. In deployments in which trust relationships between the parties responsible for the protected resources require the use of federated identity protocols (for example, the SAML 2 protocol), Oracle Identity Federation is the most common solution.