Wednesday, April 2, 2014

Windows Native Authentication (WNA) configuration in Oracle Access Manager 11g R2 PS2


Agenda: Process to configure WNA authentication in Oracle Access Manager 11g R2 PS2.

Process:

  • Create a new service account in the Active Directory domain controller. The account must not have password expiry set, because a password change would invalidate the keytab generated below.


  • Open a command prompt on the AD machine and execute the below command to generate the keytab file.
"ktpass -princ HTTP/<oamHostName>@<adDomainName> -mapuser <adDomain>\<username> -pass <userPassword> -out <path>"


  • Check the success message as shown in the below screenshot.


  • Open the user account in AD and click on the Account tab. Verify the principal name as shown in the below screen.

  • Copy the keytab file from the AD machine to the OAM machine. The file holds the service key, so keep it readable only by the user that runs OAM.

  • Login as the root user and edit the /etc/krb5.conf file.


  • See the below screen for a reference configuration.


  • Execute the klist command on the OAM machine, as shown in the below screen, to list the principals stored in the keytab. Find the syntax below (the -K option prints the key values, so treat this output as sensitive).
"klist -k -t -K -e FILE:/<keytab file path>"


  • Execute the kinit command on the OAM machine, as shown in the below screen, to obtain a ticket using the keytab. Find the syntax below.
"kinit -V <Principal Name> -k -t <keytab file path>"

  • Execute the klist command again on the OAM machine, as shown in the below screen, to confirm that the ticket was issued.


  • Login to the Access Manager admin console.
  • Navigate to Authentication Modules > Kerberos.
  • Provide the required parameters as shown below.


  • Create a new data store (user identity store) for AD in OAM.


  • Create an authentication policy that uses the Kerberos authentication scheme.


  • For reference, verify the Kerberos authentication scheme as shown in the below screen.


  • NTLM changes:
  • Login to the server and navigate to the directory /<weblogic_domain>/config/fmwconfig/
  • Modify the NTLM Response setting from DEFAULT to BASIC.


  • Restart the WebLogic Admin Server and the OAM Managed Server.
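The krb5.conf and keytab steps above, as an added example that is not part of the original post: a shell helper that renders a minimal /etc/krb5.conf for the OAM host, plus two checks over the text that klist -k -t -e prints. The realm EXAMPLE.COM, the KDC dc01.example.com, the host oam.example.com and the sample listing are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: helpers for the krb5.conf and
# keytab steps. Realm, KDC, host and the sample listing are constructed.

# Print a minimal /etc/krb5.conf for the OAM host. $1 is the realm (the AD
# domain name in UPPER CASE; it must match the realm in the ktpass principal),
# $2 is a domain controller acting as KDC.
render_krb5_conf() {
    dns_domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
  default_realm = $1
  dns_lookup_kdc = false

[realms]
  $1 = {
    kdc = $2
    admin_server = $2
  }

[domain_realm]
  .$dns_domain = $1
  $dns_domain = $1
EOF
}

# Constructed sample of what "klist -k -t -e FILE:/home/oracle/oam.keytab" prints.
SAMPLE_LISTING='Keytab name: FILE:/home/oracle/oam.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/02/14 10:15:02 HTTP/oam.example.com@EXAMPLE.COM (arcfour-hmac)
   3 04/02/14 10:15:02 HTTP/oam.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_has_principal PRINCIPAL LISTING: exit 0 if the keytab holds PRINCIPAL.
keytab_has_principal() {
    printf '%s\n' "$2" | grep -F -q " $1 ("
}

# keytab_only_aes PRINCIPAL LISTING: exit 0 if every key for PRINCIPAL is AES, 1 if
# it is missing or an RC4/DES key is present (the AD account still permits legacy ciphers).
keytab_only_aes() {
    keytab_has_principal "$1" "$2" || return 1
    printf '%s\n' "$2" | grep -F " $1 (" | sed 's/.*(\(.*\))$/\1/' |
        grep -v -q '^aes' && return 1
    return 0
}

render_krb5_conf EXAMPLE.COM dc01.example.com
keytab_only_aes 'HTTP/oam.example.com@EXAMPLE.COM' "$SAMPLE_LISTING" ||
    echo "WARNING: SPN missing or non-AES key in keytab"
```

Redirect the rendered configuration to /etc/krb5.conf as root, and feed the real klist output to the two checks in place of the sample.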

Testing:


  • Login to a machine in the AD domain.
  • Open a command prompt and execute "klist" to check whether Kerberos tickets have been issued.


  • Open the IE browser, open Internet Options and navigate to the Advanced tab. Scroll down and verify that "Enable Integrated Windows Authentication" is selected.

  • Try to access the application protected by OAM Kerberos authentication.

-- Kiran Pokuri 

Tuesday, April 1, 2014

Upgrade Oracle Access Manager from 11g R2 to 11g R2 PS2


Description: This post covers the process of upgrading Oracle Access Manager from 11g R2 to 11g R2 PS2.

Pre-Upgrade steps:
  • Shut down the WebLogic Admin Server and the OAM Managed Server.
  • Take a backup of the entire environment, including the database.
  • Make sure WebLogic version 10.3.6.0 is installed.
OAM Binaries Upgrade Process:
  • Download and extract the PS2 binaries, navigate to Disk1 and execute the below command.
  • ./runInstaller -jreLoc /<JAVA_HOME>/jre/
  • Click Next.

  • Select Skip Software Updates and Click Next
  • Check the Prerequisite Checks and click Next.
  • Select the Middleware Directory where OAM 11gR2 is installed.
  • A pop-up window appears asking whether to upgrade the existing version or select a new Middleware Home. Click Yes.
  • Click Install.

  • Click Next.
  • Click Finish.

Upgrade OAM Schema:
  • Navigate to <MW_HOME>/oracle_common/bin
  • Execute ./psa to upgrade the OAM and OPSS schemas.

  • Click Next.
  • Select the component whose schema is to be upgraded and click Next.
  • Check both prerequisites and click Next.
  • Provide the DB connection details to upgrade the IAU schema and click Next.
  • Provide the DB connection details to upgrade the OPSS schema and click Next.
  • Provide the DB connection details to upgrade the OAM schema and click Next.
  • Click Next after the Examine step is successful.
  • Click Upgrade.
  • After the upgrade completes successfully, click Next.
  • Check that the upgrade status shows successful. Click Close.

Upgrade OPSS Schema:
  • Navigate to <MW_HOME>/oracle_common/common/bin

  • Execute ./wlst.sh
  • Then execute the upgradeOpss command; find the syntax below.
upgradeOpss(jpsConfig="/home/oracle/Oracle/Middleware/user_projects/domains/idm/config/fmwconfig/jps-config.xml",
            jaznData="/home/oracle/Oracle/Middleware/oracle_common/modules/oracle.jps_11.1.1/domain_config/system-jazn-data.xml",
            jdbcDriver="oracle.jdbc.driver.OracleDriver",
            url="jdbc:oracle:thin:@dev.kiran.com:1521:orcl",
            user="DEV_OPSS",
            password="Passw0rd1",
            upgradeJseStoreType="true")


  • Execute the below command to copy the MBean XML files.
copyMbeanXmlFiles("/home/oracle/Oracle/Middleware/user_projects/domains/idm", "/home/oracle/Oracle/Middleware/Oracle_IDM1")

  • Execute the below command to upgrade the system configuration.
upgradeConfig("/home/oracle/Oracle/Middleware/user_projects/domains/idm", "sys", "Passw0rd1", "DEV_OAM", "jdbc:oracle:thin:@dev.kiran.com:1521/orcl")


Restart the WLS Admin and Managed Servers:

  • Navigate to <MW_HOME>/user_projects/domains/base_domain/bin/
  • Execute ./startWebLogic.sh to start the WLS Admin Server.
  • Execute ./startManagedWebLogic.sh oam_server1 to start the OAM Managed Server.
  • Open the browser and access http://<WLS_host>:<WLS_port>/oamconsole

  • Provide the WebLogic administrator credentials (weblogic / password).


-- Kiran Pokuri