Showing posts with label OHS. Show all posts

Wednesday, May 2, 2018

OHS Security Header prevents images loading

Readers,

Have you ever added the X-Content-Type-Options security header to the OHS server configuration to prevent MIME-sniffing attacks? Because IAM deployments are security-sensitive, a number of these headers are typically required at the OHS layer to mitigate cross-site scripting, MIME sniffing and similar browser-side attacks.
Some of these headers come with compatibility issues in a few browsers, X-Content-Type-Options being one example. We had to deploy custom OAM form pages on the OAM servers and proxy them through OHS for general requirements. Because this header was being set on every HTTP response OHS sent, it prevented images from loading on the custom OAM form page. With nosniff present the browser trusts the declared Content-Type instead of sniffing the image bytes, so an image that OHS serves with a wrong MIME type (for example text/plain) is not decoded.
The form page renders correctly when accessed through the OAM server URL directly, but the images fail to load via OHS. We therefore had to comment out the line below for images to render on the custom OAM form JSP page. Be aware that commenting it out removes the nosniff protection for every response OHS serves, including scripts and stylesheets; the safer fix is to make OHS send the correct Content-Type for the image files and keep the header.

#Header always set X-Content-Type-Options "nosniff"
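The following is an added example, not code from the original post or from Oracle: it models the decision a browser makes for an <img> response so you can see exactly when nosniff bites. The header sets, PNG bytes and image signatures are constructed for the demo; the rule modelled is the WHATWG MIME Sniffing behaviour that nosniff forbids sniffing away from a declared Content-Type, while a response with no Content-Type at all is still identified from its bytes.

```python
"""Why X-Content-Type-Options: nosniff can stop images rendering.

Added example (not from the original post or from Oracle).  It models the
browser-side decision for an <img> fetch:
  * no nosniff          -> the image bytes are sniffed, a wrong Content-Type is ignored
  * nosniff, wrong type -> the declared type is trusted, the image is not decoded
  * nosniff, no type    -> the type is unknown, so the bytes are still sniffed
  * nosniff, right type -> renders normally
Sample headers and bytes are constructed for the demo.
"""
from typing import Dict, Optional

# Magic-number patterns from the WHATWG MIME Sniffing "image type pattern
# matching" algorithm (PNG, JPEG, GIF; other image patterns omitted).
IMAGE_PATTERNS = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


def sniff_image_type(body: bytes) -> Optional[str]:
    """Return the image MIME type matched by the leading bytes, else None."""
    for magic, mime in IMAGE_PATTERNS:
        if body.startswith(magic):
            return mime
    return None


def header_value(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def computed_image_type(headers: Dict[str, str], body: bytes) -> Optional[str]:
    """MIME type the browser ends up using for an <img> response."""
    declared = header_value(headers, "Content-Type")
    if declared is not None:
        declared = declared.split(";")[0].strip().lower()  # drop parameters
    nosniff = (header_value(headers, "X-Content-Type-Options") or "").strip().lower() == "nosniff"

    # nosniff only forbids sniffing *away from* a declared type.  A response
    # with no Content-Type has an unknown type and is identified from its bytes.
    if nosniff and declared is not None:
        return declared
    sniffed = sniff_image_type(body)
    return sniffed if sniffed is not None else declared


def image_renders(headers: Dict[str, str], body: bytes) -> bool:
    """True if the browser will decode the response as an image."""
    mime = computed_image_type(headers, body)
    return mime is not None and mime.startswith("image/")


# Constructed sample: a PNG signature served four ways by the OHS proxy.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

WRONG_TYPE_NO_HEADER = {"Content-Type": "text/plain"}
WRONG_TYPE_NOSNIFF = {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}
NO_TYPE_NOSNIFF = {"X-Content-Type-Options": "nosniff"}
RIGHT_TYPE_NOSNIFF = {"Content-Type": "image/png", "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    for label, hdrs in (("wrong type, header commented out", WRONG_TYPE_NO_HEADER),
                        ("wrong type, nosniff set", WRONG_TYPE_NOSNIFF),
                        ("no Content-Type, nosniff set", NO_TYPE_NOSNIFF),
                        ("correct type, nosniff set", RIGHT_TYPE_NOSNIFF)):
        print(f"{label:34s} -> renders={image_renders(hdrs, PNG_BYTES)}")
```

The second case is the one described in this post. To confirm it on a live OHS, request one of the failing images with curl -sI against the OHS URL and look at the Content-Type line; if it is not an image type, add the mapping in the OHS httpd configuration with the mod_mime AddType directive (for example AddType image/png .png) or fix the TypesConfig mime.types entry, and leave the nosniff header in place.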

Hope this helps.

Saturday, May 2, 2015

How to integrate OAM with Oracle Mobile Authenticator(OMA)

Integrate OAM 11g R2 PS2 and Oracle Mobile Authenticator

Assumptions:

-- Oracle Access Manager 11g R2 PS2 installed and configured
-- Oracle HTTP Server(OHS) installed
-- OAM WebGate for OHS 11g installed and configured


Steps:

-- Enable the Mobile and Social Service in the OAM Admin Console (if not already enabled)




-- Configure OAuth for OMA (Oracle Mobile Authenticator)














-- Edit the "TOTPModule" Authentication Module settings in the OAM Admin Console






-- Configure the "TOTPPlugin" parameters under "Plug-ins" as shown in the screenshots below




-- Create a new OTP Authentication Scheme. In the screenshot below I duplicated the existing "LDAPScheme" to create the new OTP Authentication Scheme.









-- Update the Application Domain to use the new OTP Authentication Scheme













Oracle Mobile Authenticator Configuration with Oracle Access Manager

-- Download and install the "Oracle Mobile Authenticator" app from Google Play or the Apple App Store
-- Create an HTML page with the content below and drop it on any web server that is reachable from the mobile device on which you installed the app. The LoginURL points the app at the OAuth endpoint that hands it the shared secret for the account, so outside a lab use an HTTPS URL there rather than plain http.

Sample


<html>
    <head>
        <title>Oracle Mobile Authenticator</title>
    </head>
    <body>
        <a href="oraclemobileauthenticator://settings?LoginURL::=http://<<HOSTNAME>>:14100/ms_oauth/resources/userprofile/secretkey">Click Here</a>
    </body>
</html>



-- Open the HTML page in the mobile device browser and tap the link. It hands off to "Oracle Mobile Authenticator", which prompts you to update its settings. Tap "Accept".





-- Click "OK".


-- Now click on "Sign In" 

-- Enter valid OAM credentials and click on "Submit".


-- If everything is correct and the credentials are valid, a One-Time Password account is configured as shown in the screenshot below.

Note: Multiple user accounts can be configured in the same Oracle Mobile Authenticator app.

Sample Screenshot:




Testing:

-- Access OAM protected resource


-- Enter valid credentials and click "Login"


-- Get the One-Time Password from the Oracle Mobile Authenticator account associated with the login ID "sivapokuri"



-- Enter the One-Time Password from Oracle Mobile Authenticator and click "Login"



-- The welcome page is displayed.
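What the OTP step above actually checks is a time-based one-time password: the app and the OAM TOTP module share the secret registered through the secretkey link, and each derives a short code from that secret and the current 30-second time window. The block below is an added example that is neither Oracle's TOTPModule/TOTPPlugin code nor the Oracle Mobile Authenticator implementation; it shows RFC 6238 code generation and server-side verification with a one-window clock-skew allowance, checked against the published RFC 6238 SHA-1 test vectors. The 30-second step, 6-digit length and skew of one window are assumed defaults for illustration; in OAM they are whatever you set in the TOTPPlugin parameters.

```python
"""TOTP (RFC 6238) generation and verification, as used by authenticator apps.

Added example, not Oracle's TOTPModule/TOTPPlugin code and not the Oracle
Mobile Authenticator implementation.  Time step, digit count and skew window
are assumed defaults for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per TOTP window (assumption: RFC 6238 default)
DIGITS = 6       # code length shown in the authenticator app (assumption)


def hotp(secret: bytes, counter: int, digits: int = DIGITS, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = TIME_STEP,
         digits: int = DIGITS, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                skew: int = 1, step: int = TIME_STEP, digits: int = DIGITS) -> bool:
    """Accept the code if it matches the current window or one within +/- skew windows.

    hmac.compare_digest keeps the comparison constant-time.  A real server should
    additionally remember the last accepted counter per user and refuse to accept
    the same code twice (replay protection), which is left out of this example.
    """
    if at is None:
        at = int(time.time())
    counter = at // step
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 form in which authenticator apps usually receive the key."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore any stripped padding
    return base64.b32decode(cleaned)


# RFC 6238 Appendix B test secret for SHA-1 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # RFC 6238 vector: T=59 falls in counter 1 and yields "94287082" with 8 digits.
    print(totp(RFC_SECRET, at=59, digits=8))
    print(verify_totp(RFC_SECRET, "287082", at=59))   # same window, 6-digit form
    print(verify_totp(RFC_SECRET, "287082", at=120))  # two windows later: rejected
```

The skew loop is why a code shown a few seconds before the window rolled over still works at login, and why a phone whose clock drifts by more than one step fails every time: if users report consistently rejected codes, compare the device clock with the OAM server clock before touching the plug-in settings.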



Hope this will be useful!!

-- Siva Pokuri.