Sunday Dec 09, 2012

WNA Configuration in OAM 11g

Pre-Requisites:

  1. A Kerberos authentication scheme has to exist. This is usually a pre-configured OAM authentication scheme. It should have Authentication Level "2", Challenge Method "WNA", Challenge Direct URL "/oam/server" and Authentication Module "Kerberos".
  2. The default authentication scheme name is "KerberosScheme"; this name can be changed.
  3. The DNS name has to be resolvable on the OAM Server.
  4. The DNS names with referrals to AD have to be resolvable on the OAM Server. Ensure nslookup works for the referrals.

Pre-Install:

  1. The AD team produces the keytab file on the AD server by running the ktpass command.
  2. Provide the OAM hostname to the AD team.
  3. Receive the following from the AD team:
    • Keytab file produced when running the ktpass command
    • ktpass username
    • ktpass password
  4. Copy the keytab file to a convenient location in the OAM install tree and rename the file if desired, for instance where the oam-policy.xml file resides, i.e. /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/keytab.kt

Configure WNA Authentication on OAM Server:

  1. Create the config file krb.conf and set the environment variable KRB_CONFIG to the path of this file:
    KRB_CONFIG=/fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf
    The variable KRB_CONFIG has to be set in the profile of the user that the OAM Java container (i.e. WebLogic Server) runs as, e.g. the "applmgr" user, so that this setting is available to the OAM server.
  2. In the krb.conf file specify (note that the realm block under [realms] must be closed with a matching brace):
    [libdefaults]
    default_realm= NOA.ABC.COM
    dns_lookup_realm= true
    dns_lookup_kdc= true
    ticket_lifetime= 24h
    forwardable= yes

    [realms]
    NOA.ABC.COM={
    kdc=hub21.noa.abc.com:88
    admin_server=hub21.noa.abc.com:749
    default_domain=NOA.ABC.COM
    }

    [domain_realm]
    .abc.com=ABC.COM
    abc.com=ABC.COM
    .noa.abc.com=NOA.ABC.COM
    noa.abc.com=NOA.ABC.COM

    Where hub21.noa.abc.com is the load-balanced DNS VIP name for the AD server and NOA.ABC.COM is the name of the domain.
  3. Create an authentication policy to WNA-protect the resource (i.e. EBSR12) and choose "KerberosScheme" as the authentication scheme.
    Login to OAM Console => Policy Configuration Tab => Browse Tab => Shared Components => Application Domains => IAM Suite => Authentication Policies => Create
    Name: ABC WNA Auth Policy
    Authentication Scheme: KerberosScheme
    Failure URL: http://hcm.noa.abc.com/cgi-bin/welcome

  4. Edit the System Configuration for Kerberos
    • System Configuration Tab => Access Manager Settings => expand Authentication Modules => expand Kerberos Authentication Module => double-click on Kerberos
    • Edit the "Key Tab File" textbox - put in /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/keytab.kt
    • Edit the "Principal" textbox - put in HTTP/OAM_Host@NOA.ABC.COM
    • Edit the "KRB Config File" textbox - put in /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf
    • Click "Apply"
    • In the script that sets the environment for the WLS server where OAM is deployed, set the variable:
      KRB_CONFIG=/fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf

  5. Restart the OAM server and the OAM server container (WebLogic Server)
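A realm block under [realms] that is never closed with "}" makes the whole krb.conf unreadable, and a Principal whose realm does not agree with the [domain_realm] mapping for the OAM host fails just as silently. As an added example (not code from the post or from Oracle), the Python below parses a krb.conf in the layout shown above, rejects unbalanced braces, and checks the HTTP/<oam-host>@<REALM> principal against the mapping; the sample config and host names are constructed from the post's placeholders, not real infrastructure.

```python
import re
SAMPLE_KRB_CONF = """[libdefaults]
default_realm= NOA.ABC.COM
[realms]
NOA.ABC.COM={
kdc=hub21.noa.abc.com:88
}
[domain_realm]
.abc.com=ABC.COM
.noa.abc.com=NOA.ABC.COM
"""  # constructed sample modelled on the krb.conf in the post, with the realm block closed

def parse_krb_conf(text):
    """Parse [section] / key=value / NAME={ ... } into nested dicts; raise on an unclosed or stray brace."""
    conf, section, block = {}, None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            if block:
                raise ValueError(f"line {n}: block {block!r} not closed before a new section")
            section = conf.setdefault(line[1:-1], {})
        elif line == "}" and block:
            block = None  # end of the NAME={ ... } block
        elif line:
            if section is None or "=" not in line:
                raise ValueError(f"line {n}: unexpected {line!r}")
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":  # start of a NAME={ block, e.g. a realm under [realms]
                block, section[key] = key, {}
            else:
                (section[block] if block else section)[key] = value
    if block:
        raise ValueError(f"end of file: block {block!r} never closed")
    return conf

def realm_for_host(conf, host):
    """[domain_realm] lookup as Kerberos does it: exact host, then longest dotted suffix, else default_realm."""
    mapping, h = conf.get("domain_realm", {}), host.lower()
    hits = [k for k in sorted(mapping, key=len, reverse=True) if h == k or (k.startswith(".") and h.endswith(k))]
    return mapping[hits[0]] if hits else conf.get("libdefaults", {}).get("default_realm")

def check_wna_settings(conf, principal):
    """Check the Principal entered in the OAM Kerberos module against krb.conf; empty list means consistent."""
    m = re.fullmatch(r"HTTP/([\w.-]+)@([A-Z0-9.-]+)", principal)
    if not m:
        return ["principal must look like HTTP/<oam-host>@<REALM>"]
    host, realm, findings = m.group(1), m.group(2), []
    if realm_for_host(conf, host) != realm:
        findings.append(f"[domain_realm] maps {host} to {realm_for_host(conf, host)}, not {realm}")
    return findings
```

Run it against the real krb.conf (open(path).read()) and the exact Principal string typed into the console before restarting the OAM server.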

Monday Dec 03, 2012

E-Business Integration with SSO using AccessGate

Moving away from the legacy Oracle SSO, Oracle E-Business Suite (EBS) came up with EBS AccessGate as the way forward to provide Single Sign On with Oracle Access Manager (OAM). As opposed to AccessGate in OAM terminology, EBS AccessGate has no specific connection with OAM with respect to configuration. Instead, EBS AccessGate uses the header variables sent from the SSO system to create the native user-session, like any other SSO enabled web application.

E-Business Suite Integration with Oracle Access Manager

It is a known fact that E-Business Suite requires Oracle Internet Directory (OID) as the user repository to enable Single Sign On. This is because E-Business Suite needs to be registered with OID for Single Sign On. Additionally, E-Business Suite uses "orclguid" in OID to map the Single Sign On user to the corresponding local user profile. During authentication, EBS AccessGate expects the SSO system to return the orclguid and the EBS username (stored as a user attribute in the SSO user store) in two header variables, USER_ORCLGUID and USER_NAME respectively.


The following diagram depicts the authentication flow once the SSO system returns the EBS username and orclguid after successful authentication:

[Figure: EBS AccessGate and OAM]


Thursday Nov 15, 2012

Introducing weblog IDM 11g

Contributions to this blog are made by the NA-TAG Offshore Security team. This weblog brings you various articles on Oracle I&AM 11g R1 and R2. The articles include OIM 11g, OAM 11g and OIA 11g new features, various "How To" articles with examples, solutions and workarounds for frequently occurring issues, APIs, code samples, installations, patches etc.
About

OIM11gR2 Blog by NA-TAG Offshore IDAM team
