Showing posts with label TAP Integration.

Friday, April 22, 2016

Federation between OAM 11g R2 PS2 (as IDP) And OAAM 11g R2 PS2 (with TAPScheme) Is Failing

Error Message:

[2016-01-10T10:35:15.624-04:00] [oaam_server_server1] [WARNING] [] [oracle.oaam] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: d755faf711bced8d:-36c6a2a8:1540baa882a:-8000-0000000000011332,0] [APP: oaam_server#11.1.2.0.0] [DSID: 0000LGyO9iN4epo5GVG7yf1N3Jbx00001_] OAM TAP Submit URL not found in TAP token, OAM may not be up to date.

This is a known issue in the OAM + OAAM 11g R2 PS2 base environment.

Follow the Oracle Support document below to download and install the one-off patch:

Federation between OAM (as IDP) And OAAM (with TAPScheme) Is Failing (Doc ID 1928959.1)


(OR)

Update OAM & OAAM to the latest bundle patch.
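As an added example (not from the original post), here is a small parser for the ODL text format of the diagnostic line above that flags this warning in an oaam_server diagnostic log; the first sample line is the one quoted in the post, the second line and its ecid are constructed for contrast.

```python
# Constructed sample log: the warning quoted in the post plus one NOTIFICATION line invented here for contrast (placeholder ecid).
SAMPLE_LOG = (
    "[2016-01-10T10:35:15.624-04:00] [oaam_server_server1] [WARNING] [] [oracle.oaam] "
    "[tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] "
    "[userId: <anonymous>] [ecid: d755faf711bced8d:-36c6a2a8:1540baa882a:-8000-0000000000011332,0] "
    "[APP: oaam_server#11.1.2.0.0] [DSID: 0000LGyO9iN4epo5GVG7yf1N3Jbx00001_] "
    "OAM TAP Submit URL not found in TAP token, OAM may not be up to date.\n"
    "[2016-01-10T10:36:02.118-04:00] [oaam_server_server1] [NOTIFICATION] [] [oracle.oaam] "
    "[tid: [ACTIVE].ExecuteThread: '3'] [ecid: 0000000000000000:-00000000:000000000000:-8000-0000000000000001,0] "
    "[APP: oaam_server#11.1.2.0.0] Constructed sample message with no TAP problem.\n"
)
TAP_SUBMIT_URL_MISSING = "OAM TAP Submit URL not found in TAP token"


def split_odl_fields(line):
    """Split an ODL line into its leading '[...]' fields (nesting tracked by depth) and the message."""
    fields, i, n = [], 0, len(line)
    while i < n and line[i] == "[":
        depth, j = 0, i
        while j < n:
            # '[tid: [ACTIVE].ExecuteThread ...]' nests brackets, so a regex on '[^]]' would break
            depth += (line[j] == "[") - (line[j] == "]")
            if depth == 0:
                break
            j += 1
        if depth != 0:
            raise ValueError("unbalanced brackets in ODL line: " + line[:40])
        fields.append(line[i + 1:j])
        i = j + 1
        while i < n and line[i] == " ":
            i += 1
    return fields, line[i:].strip()


def parse_odl_line(line):
    """Return the five fixed ODL fields plus the 'key: value' supplemental attributes."""
    fields, message = split_odl_fields(line.rstrip("\n"))
    if len(fields) < 5:
        raise ValueError("not an ODL record: " + line[:40])
    attrs = {}
    for field in fields[5:]:
        key, sep, value = field.partition(": ")
        attrs[key if sep else field] = value
    return {"timestamp": fields[0], "server": fields[1], "level": fields[2],
            "message_id": fields[3], "module": fields[4], "attrs": attrs, "message": message}


def find_tap_token_failures(log_text):
    """oracle.oaam records reporting the missing TAP submit URL; continuation lines
    (stack traces, which do not start with '[') are skipped."""
    recs = [parse_odl_line(ln) for ln in log_text.splitlines() if ln.startswith("[")]
    return [r for r in recs if r["module"] == "oracle.oaam"
            and TAP_SUBMIT_URL_MISSING in r["message"]]
```

Running it over a real oaam_server diagnostic log gives you the ecid of each failing TAP exchange, which is the value to correlate with the matching OAM server log entry.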


-- Siva Pokuri

Friday, June 12, 2015

OAAM policy risk evaluation in OAM policies (OAM 11g Identity Context)

Steps

Login to the OAAM Admin Console.

Search for the DAP token version property and change it to v2.1.

Update the OAAM TAP token version from v2.0 to v2.1 in the oam-config.xml file.

Note: Since I had already integrated OAM + OAAM, I changed the OAM DAP token version in the oam-config.xml file from "v2.0" to "v2.1". Otherwise, you can provide version v2.1 directly while executing the ThirdParty TAP registration command (during the OAM + OAAM integration).

Create a group to hold all the restricted IP addresses, as shown in the screenshot below.

Add the IP addresses to the group.

Create a new OAAM policy as a post-authentication policy.

Create a rule and a condition to determine whether the user is logging in from a restricted IP address.

Select the IP address group created earlier from the drop-down.


Click on the Results tab and enter the score as "1".

Click on "Group Linking" and select "All Users".

Login to the OAM Admin Console and click on "Application Domain".

Select "ohs_webgate". This is the OHS WebGate I have already created, and it uses the OAAM TAP authentication scheme to protect the resource.

Click on "Authentication Policies".

Click on "Protected Resource Policy".

Click on "Responses".

Add the response as shown in the screenshot below.

This "session_risk_level" is the session attribute that is passed as part of the DAP token from OAAM to OAM after evaluation of the policy created in the steps above.

Click on "Authorization Policies".

Click on "Protected Resource Policy".

Click on "Conditions".

Click on the "+" sign.

Enter the condition details as shown in the screenshot below.

Add the condition details as shown in the screenshot below.

This is the "session_risk_level" session attribute returned from OAAM; the condition matches when the attribute value is "1".

Click on the "Rules" tab, add a new rule to the "Deny Rule" list and click "Apply".

Now test the protected application from two different machines (one of them with an IP address in the restricted group)!!!

-- Siva Pokuri.

Friday, July 25, 2014

How to integrate OAM & OAAM 11g R2 PS2 (11.1.2.2.0)

Oracle Access Manager & Oracle Adaptive Access Manager 11g R2 PS2 (11.1.2.2.0) Integration

Environment:

-- Oracle Access Manager 11g R2 PS2 (11.1.2.2.0)
-- Oracle Adaptive Access Manager 11g R2 PS2 (11.1.2.2.0)
-- Oracle Database 11g
-- Oracle WebLogic Server 10.3.6
-- Oracle Enterprise Linux 64-bit
-- Oracle Repository Creation Utility 11g R2 PS2 (11.1.2.2.0)
-- Oracle HTTP Server 11g R1
-- OAM WebGate for OHS web server 11.1.1.7.0
-- OAM user store is the WebLogic embedded LDAP

Steps:

-- Login to the WebLogic Administration Console, create the "oaamadmin" user and assign it all the OAAM admin privileges.

-- Login to the OAAM Admin Console and add the property shown in the screenshot below.

-- Follow the screenshots below to create the TAP keystore.

-- Assign a password for IAMSuiteAgent in the OAM Admin Console and update the same password in the WebLogic Administration Console under Security Realm >> IAMSuiteAgent provider.

-- Restart all OAM and OAAM admin and managed servers.

-- Update the TAP Scheme challenge parameters as shown in the screenshots below.

-- Set up the OAM integration with OAAM.

-- Update the OAM and OAAM details in the oaam_cli.properties file as shown in the screenshot below.

-- Set the ORACLE_MW_HOME environment variable and execute setupOAMTapIntegration.sh as shown in the screenshots below.

-- Enter the "oaamadmin" user (which we created in the first step) and its password, followed by the OAAM database credentials and the TAP keystore password.

-- Verify that the oaam.uio.security.mode property value is set to 1 in the OAAM Admin Console properties.

Testing:

Change the authentication scheme of any existing protected resource from "LDAP Scheme" to "TAPScheme", then access the protected resource and log in with a valid user from the directory server.

-- Successfully logged in, with the OAAM security profile set up.

Hope this helps.

Thanks
Siva Pokuri.