Table of Contents
Oracle Fusion Middleware Administrator's Guide for Oracle Access Management
Introducing Oracle Access ManagementGetting Started with Oracle Access ManagementStarting and Stopping Servers in Your DeploymentUnderstanding the Oracle Access Management ConsoleAbout Logging Into the Oracle Access Management ConsoleUsing the Oracle Access Management ConsoleConfiguring Oracle Access Management Login OptionsManaging Common Services and Certificate ValidationDelegating AdministrationManaging Data SourcesData Sources for Oracle Access ManagementRegistering and Managing User Identity StoresManaging the Identity Directory Service User Identity StoresManaging Administrator RolesManaging the Policy and Session DatabaseIntroduction to Oracle Access Management KeystoresManaging Server RegistrationLogging Component Event MessagesAuditing Administrative and Run-time EventsOracle Access Management AuditingAccess Manager Events You Can AuditMobile and Social Events You Can AuditIdentity Federation Events You Can AuditSecurity Token Service Events You Can AuditSetting Up Auditing for Oracle Access ManagementLogging WebGate Event MessagesUnderstanding Logging for WebGate instancesAbout Log Configuration File Paths and ContentsStructure and Parameters of the WebGate Log Configuration FileActivating and Suppressing Logging LevelsMandatory Log Configuration File ParametersConfiguring Different Threshold Levels for Different Types of DataUnderstanding Oracle Access Management ReportsMonitoring Oracle Access Management Performance and Access Manager HealthMonitoring Performance and Logs with Fusion Middleware ControlLogging In to and Out of Fusion Middleware ControlDisplaying Menus and Pages in Fusion Middleware ControlViewing Performance in Fusion Middleware ControlManaging Log Level Changes in Fusion Middleware ControlManaging Log File Configuration from Fusion Middleware ControlViewing Log Messages in Fusion Middleware ControlDisplaying MBeans in Fusion Middleware ControlConfiguring Access Manager SettingsIntroduction to Agents and RegistrationRegistering and Managing OAM 11g AgentsOAM Agent Registration Parameters in the ConsoleBulk Updates to WebGatesConfiguring and Managing Registered OAM Agents Using the ConsoleRemote Registration Tool, Modes, and ProcessRemote Registration Templates: OAM AgentsPerforming Remote Registration for OAM AgentsRemote Agent Update Modes and TemplatesUpdating Agents RemotelyValidating Remote Registration and Resource ProtectionReplacing the IAMSuiteAgent with an 11g WebGateMaintaining Access Manager SessionsUnderstanding Server-Side Session ManagementServer-Side Session Enforcement ExamplesConfiguring the Server-Side Session LifecycleManaging Active Server-Side SessionsUsing WLST To Configure Session ManagementUnderstanding Multi-Data CentersIntroducing the Multi-Data CenterMulti-Data Center DeploymentsUnderstanding Time Outs and Session SyncsReplicating a Multi-Data Center EnvironmentMulti-Data Center RecommendationsConfiguring Multi-Data CentersSetting Up a Multi-Data CenterMulti-Data Center Security ModesSynchronizing Data In A Multi-Data CenterSetting Up the Multi-Data Center: A SequenceUnderstanding Single Sign-On with Access ManagerManaging Authentication and Shared Policy ComponentsManaging Resource TypesManaging Host IdentifiersUnderstanding Authentication Methods and Credential CollectorsManaging Native Authentication ModulesOrchestrating Multi-Step Authentication with Plug-in Based ModulesDeploying and Managing Individual Plug-ins for AuthenticationManaging Authentication SchemesExtending Authentication Schemes with Advanced RulesConfiguring Challenge Parameters for Encrypted CookiesConfiguring Authentication POST Data HandlingLong URL Handling During AuthenticationUnderstanding Credential Collection and LoginOverview of Access Manager Credential CollectionConfiguring 11g WebGate and Authentication Policy for DCCTunneling from DCC to Access Manager Over Oracle Access ProtocolConfiguring a DCC WebGate for X509 AuthenticationUsing Password PolicyAccessing Password Policy Configuration PageManaging Global Password PolicyConfiguring Password Policy AuthenticationCompleting Password Policy ConfigurationConfiguring the IPFUserPasswordPolicyPluginManaging Policies to Protect Resources and Enable SSOIntroduction to Application Domain and Policy CreationUnderstanding Application Domain and Policy ManagementManaging Application Domains Using the ConsoleAdding and Managing Policy Resource DefinitionsDefining Authentication Policies for Specific ResourcesDefining Authorization Policies for Specific ResourcesIntroduction to Authorization Policy Rules and ConditionsDefining Authorization Policy ConditionsDefining Authorization Policy RulesIntroduction to Policy Responses for SSOAdding and Managing Policy Responses for SSOUnderstanding Remote Policy and Application Domain ManagementValidating Connectivity and Policies Using the Access TesterIntroduction to the Access Tester for Access Manager 11gInstalling and Starting the Access TesterAccess Tester Console, Navigation, and ControlsTesting Connectivity and Policies from the Access Tester ConsoleCreating and Managing Test Cases and ScriptsEvaluating Scripts, Log File, and StatisticsConfiguring Centralized Logout for Sessions Involving 11g WebGatesRegistering and Managing Legacy OpenSSO AgentsIntroduction to OpenSSO, Agents, Migration and Co-existenceUnderstanding OpenSSO Agent Registration ParametersRegistering and Managing OpenSSO Agents Using the ConsolePerforming Remote Registration for OpenSSO AgentsOpen SSO Remote Registration versus Remote UpdatesRegistering and Managing Legacy OSSO AgentsUnderstanding OSSO Agents with Access ManagerRegistering OSSO Agents Using Oracle Access Management ConsoleConfiguring and Managing Registered OSSO Agents Using the ConsolePerforming Remote Registration for OSSO AgentsConfiguring Logout for OSSO Agents with Access Manager 11.1.2Registering and Managing 10g WebGates with Access Manager 11gIntroduction to 10g OAM Agents for Access Manager 11gComparing Access Manager 11.1.2 and 10gLocating and Installing the Latest 10g WebGate for Access Manager 11gConfiguring Centralized Logout for 10g WebGate with 11g OAM ServersConfiguring Apache, OHS, IHS for 10g WebGatesAbout Access Manager with Apache and IHS v2 WebgatesAbout Apache v2 Architecture and Access ManagerRequirements for Oracle HTTP Server, IHS, Apache v2 Web ServersPreparing Your Web ServerActivating Reverse Proxy for Apache v2 and IHS v2Verifying httpd.conf Updates for WebgatesTuning OHS /Apache Prefork and Worker MPM Modules for OAMTuning Apache/IHS v2 Webgates for Access ManagerConfiguring the ISA Server for 10g WebGatesInstalling and Configuring Webgate for the ISA ServerConfiguring the ISA Server for the ISAPI WebgateConfiguring the IIS Web Server for 10g WebGatesAbout WebGate Guidelines for IIS Web ServersPrerequisites for Installing Webgate for IIS 7Completing Webgate Installation with IISInstalling and Configuring Multiple 10g WebGates for a Single IIS 7 InstanceInstalling and Configuring Multiple Webgates for a Single IIS 6 InstanceFinishing 64-bit Webgate InstallationConfiguring Lotus Domino Web Servers for 10g WebGatesIntroducing the Adaptive Authentication ServiceWorking with the Adaptive Authentication ServiceConfiguring an Adaptive Authentication ServiceConfiguring the Oracle Mobile AuthenticatorUsing the Oracle Mobile Authenticator App on iOSUsing the Oracle Mobile Authenticator App on AndroidIntroducing Identity Federation in Oracle Access ManagementUsing Identity FederationInitiating Federation SSOExchanging Identity Federation DataManaging Identity Federation PartnersAdministering Identity Federation As A Service ProviderAdministering Identity Federation As An Identity ProviderUsing Attribute Mapping ProfilesMapping Federation Authentication Methods to Access Manager Authentication SchemesUsing the Attribute Sharing Plug-in for the Attribute Query ServiceManaging Settings for Identity FederationManaging Federation Schemes and PoliciesUsing Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.2)Using Authentication Schemes and Modules for Oracle Identity Federation 11g Release 1Managing Access Manager Policies for Use with Identity FederationTesting Identity Federation ConfigurationUsing the Default Identity Provisioning Plug-inConfiguring the Identity Provider Discovery ServiceConfiguring the Federation User Self-Registration ModuleIntegrating OAM Identity Provider With Microsoft Office 365 Service ProviderIntroducing the Oracle Access Management Security Token ServiceDeploying Security Token ServiceAbout the Installation of the Security Token ServiceSecurity Token Service Implementation ScenariosConfiguring Security Token Service SettingsIntroduction to Security Token Service ConfigurationEnabling and Disabling Security Token ServiceDefining Security Token Service SettingsUsing and Managing WSS Policies for Oracle WSM AgentsConfiguring OWSM for WSS Protocol CommunicationManaging and Migrating Security Token Service PoliciesAuditing the Security Token ServiceManaging Security Token Service Certificates and KeysManaging Templates, Endpoints, and PoliciesSearching for an Existing TemplateManaging Token Issuance TemplatesManaging Token Validation TemplatesManaging Security Token Service EndpointsManaging Token Issuance Policies, Conditions, and RulesManaging TokenServiceRP Type ResourcesMaking Custom Classes AvailableManaging a Custom Security Token Service ConfigurationManaging Token Service Partners and Partner ProfilesTroubleshooting Security Token ServiceUnderstanding Mobile and SocialIntroducing Mobile and SocialUnderstanding Mobile and Social ServicesUnderstanding the Mobile and Social Services ProcessesUsing Mobile and Social ServicesUnderstanding Social Identity ProcessesUsing Social IdentityConfiguring Mobile and Social ServicesAbout Mobile and Social Services ConfigurationDefining Service ProvidersDefining Service ProfilesDefining Security Handler Plug-insDefining Application ProfilesDefining Service DomainsUsing the Jailbreak Detection PolicyConfiguring Mobile and Social Services with Other Oracle ProductsConfiguring Social IdentityConfiguring Social Identity System SettingsAccessing the Social Identity Settings InterfaceUnderstanding OAuth ServicesUnderstanding OAuth Services Authorization for Web ClientsUnderstanding the OAuth Services ComponentsAbout OAuth Services TokensUnderstanding Mobile OAuth Services Server-Side Single Sign-onConfiguring OAuth ServicesConfiguring OAuth Services SettingsConfiguring OAuth Services for Third-Party JWT Bearer AssertionsConfiguring Mobile OAuth for SSO Servlet AuthenticationConfiguring the Access Portal ServiceDeploying the Access Portal ServiceEnabling Form-Fill Single Sign-On for an ApplicationCreating an Application Configuration PackagePassword Generation PoliciesManaging Credential Sharing GroupsManaging Global Agent SettingsUsing Identity ContextIntegrating RSA SecurID Authentication with Access ManagerConfiguring Access Manager for Windows Native AuthenticationIntroducing Access Manager with Windows Native AuthenticationAbout Preparing Your Active Directory and Kerberos TopologyEnabling the Browser to Return Kerberos TokensIntegrating KerberosPlugin with Oracle Virtual DirectoryIntegrating the KerberosPlugin with Search FailoverConfiguring Access Manager for Windows Native AuthenticationConfiguring WNA For Use With DCCTroubleshooting WNA ConfigurationIntegrating JBoss with Access ManagerOverview of JBoss Integration with Access ManagerUnderstanding the Integration TopologyProtecting JBoss-Specific ResourcesProtecting Web Applications with the JBoss AgentConfiguring the Login Module to Secure EJBsConfiguring the Login Module to Secure Web Service AccessIntegrating Microsoft SharePoint Server with Access ManagerIntroduction to Integrating With the SharePoint ServerIntegration RequirementsIntegrating With Microsoft SharePoint ServerSetting Up Microsoft Windows ImpersonationCompleting the SharePoint Server IntegrationIntegrating With Microsoft SharePoint Server Configured With LDAP Membership ProviderConfiguring Single Sign-off for Microsoft SharePoint ServerSetting Up Access Manager and Windows Native AuthenticationTesting Your IntegrationTroubleshootingIntegrating Access Manager with Outlook Web ApplicationIntroduction to Integration with Outlook Web ApplicationEnabling Impersonation With a Header VariableSetting Up Impersonation for Outlook Web Application (OWA)Integrating Microsoft Forefront Threat Management Gateway 2010 with Access ManagerIntroduction to Integration with TMG Server 2010Creating a Forefront TMG Policy and RulesInstalling and Configuring 10g Webgate for Forefront TMG ServerConfiguring the TMG 2010 Server for the ISAPI 10g WebgateIntegrating Access Manager with SAP NetWeaver Enterprise PortalIntegration ArchitectureConfiguring Oracle Access Management and NetWeaver Enterprise Portal 7.0.xConfiguring Oracle Access Management and NetWeaver Enterprise Portal 7.4.xIntegrating Oracle Access Manager with SAP NetWeaver Enterprise Portal Using OpenSSO Policy Agent 2.2Installing the OpenSSO Policy Agent 2.2 on SAP Enterprise PortalIntegrating Oracle ADF Applications with Access Manager SSOIntroducing Oracle Platform Security Services and Oracle Application Developer FrameworkIntegrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO FrameworkConfiguring Centralized Logout for Oracle ADF-Coded ApplicationsInternationalization and Multibyte Data Support for 10g WebGatesSecuring CommunicationSecuring Communication Between OAM Servers and WebGatesConfiguring Cert Mode Communication for Access ManagerConfiguring Simple Mode Communication with Access ManagerReviewing Bundled, Generated, and Migrated ArtifactsBundled 10g IAMSuiteAgent ArtifactsGenerated Artifacts: OpenSSOMigrated Artifacts: OpenSSOTroubleshootingIntroduction to Oracle Access Management TroubleshootingAuthentication IssuesAuthorization IssuesCannot Find ConfigurationDenial of Service AttacksDeployments with Freshly Installed 10g WebgatesDiagnosing Initialization and Performance IssuesIIS Web Server IssuesInternationalization, Languages, and TranslationRegistration IssuesSession IssuesStart Up IssuesValidation ErrorsWeb Server IssuesYou can integrate JBoss Enterprise Application Platform (EAP) 6.x Application Server with Oracle Access Manager.
It includes information regarding the Access Manager Access SDK and JBoss Agent.
Check the latest support information on:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
Host 1: Install Access Manager as described in .
Host 2:
Install JBoss EAP 6.x Application Server, as described in your JBoss installation guide.
Set JAVA_HOME environment variable.
Edit JBoss standalone.xml/domain.xml to change host from 127.0.0.1 to 0.0.0.0. For example:
JBoss_install_directory\standalone\configuration\standalone.xml
From
<wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
To
Sign In
Thank you for your feedback!<wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
Host 2: install the Access Manager Access SDK, as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Host 2: create a Global module. For example:
Create a directory at JBoss_install_directory\modules\system\layers\base\mymodule\main
Create module.xml:
<?xml version="1.0" encoding="UTF-8"?><module xmlns="urn:jboss:module:1.1" name="mymodule"> <resources> <resource-root path="j2eeagent.jar"/> <resource-root path="oamasdk-api.jar"/> <resource-root path="jbossweb-service.jar"/> <resource-root path="jps-api.jar"/> </resources> <dependencies> <module name="javax.servlet.api"/> <module name ="javax.xml.bind.api"/> <module name="org.jboss.logging"/><module name="javax.api"/><module name="org.jboss.as.web"/> </dependencies></module>
Host 2: install the OAM JBoss Agent.
Download the JBoss Agent ZIP file and extract the files.
For supported JBoss EAP 6.x versions, the JBoss agent is supplied as JAR files in patch 19440119. Download the referenced patch from My Oracle Support at http://support.oracle.com/.
From the /agentconfig/oam_config.properties file, copy oam-authenticatorvalve.jar and j2eeagent.jar to JBoss_install_directory\modules\system\layers\base\mymodule\mainDownload the JBossWeb jar from http://www.java2s.com/Code/JarDownload/jbossweb/jbossweb-service.jar.zip and copy it's jbossweb-service.jar to JBoss_install_directory\modules\system\layers\base\mymodule\main
Host 2: configure the Global module
Open jboss_install_directory/standalone/configuration/standalone.xml(for standalone) or domain.xml (for multi structure)
Under “jboss:domain:ee" subsystem, add below line:
<global-modules>
<module name="mymodule" slot="main"/>
</global-modules>
Proceed to "Protecting JBoss-Specific Resources" and do the following procedures.
Proceed to "Protecting Web Applications with the JBoss Agent" and do the following procedures.
Configure the JBoss Login Module to use Access Manager policies.
Open jboss_install_directory/standalone/configuration/standalone.xml(for standalone) or domain.xml (for multi structure)
Under the “jboss:domain:security" subsystem, add a new security-domain as follows:
<security-domain name="oamrealm" cache-type="default">
<authentication>
<login-module code="oracle.security.am.agent.common.
jaas.login.OAMLoginModule" flag="required">
<module-option name="loginType" value="tokenBased"/>
<module-option name="configPath"
value="/scratch/lovagarw/jboss/config/"/>
<module-option name="publicAuthnResourceName" value="/Authen/Basic"/>
<module-option name="rolesParam" value="OAM_GROUPS"/>
<module-option name="publicAuthzResourceName"
value="/Authen/SSOToken"/>
</login-module>
</authentication>
</security-domain>
Deploy the application.
Start JBoss using the following command:
JBoss_install_dir\bin\standalone.bat
Note:
Valve is not currently supported at the Global level.
The JBoss agent codebase libraries are not updated during this procedure.
Role based authorization in EJB is not working in EAP when trying to create the authentication token on the client side via OAMLoginModule and trying to propagate the authentication token to the JBoss server via the ClientLoginModule class.