Configuring the Oracle Access Manager

5 Configuring the Oracle Access Manager

This chapter describes the procedure for configuring the Oracle Access Manager (OAM) for identifying user IDs within OAM-based traffic. The procedure described assumes that you already have a working OAM server. The procedure may need to be modified to reflect the specific configuration of your OAM server.

Configuring OAM 11g

This section describes the procedure for configuring OAM 11g. For information on configuring OAM 10g, see OAM 10.

RUEI is able to monitor OAM 11g (R2PS3 BP02) secured web applications in order to report on user identification information provided by OAM. OAM provides this information for each user session in an encrypted cookie which, once properly configured, is monitored and decrypted by RUEI. The user identification (user id) is extracted from the decrypted content and used within RUEI.

Exporting and Importing the OAM 11g AES key

A shared AES key is available for each OAM server which can be used by RUEI to decrypt the OAM 11g cookie (OAM_DIAG_CTS). This key needs to be extracted from the OAM server and uploaded to the RUEI Reporter. RUEI allows you to upload a 'global' OAM AES key and and allows key uploads per application. An application OAM AES key overrides the global OAM AES key.

Exporting an OAM 11g AES key

Export the key using the following procedure:

Start the WebLogic Server console, running the following command:
```
$MW_HOME/Oracle_IDM1/common/bin/wlst.sh
```
Connect to the WebLogic Server, running the following command:
```
Connect('user','password','t3://hostname:port')
```
Run the following WLST command to retrieve the key:
```
retreiveDiagnosticCookieKey( keystoreLocation="keystoreLocation", password="password")
```
Where,

keystoreLocation is an existing directory where the output JKS file will be stored, and password is the password used to encrypt the JKS file.

Importing an OAM 11g AES key

On the RUEI side use the oam-key.sh tool to add or remove OAM AES keys. Either import a global key, or import one or more application specific keys.

You must specify a collector profile name during the import process, to list all profiles, running the following command:
```
execsql config_get_profiles
```
If you want to use an application specific key, you must specify an application name during the import process, to list all application names, running the following command:
```
execsql get_matches 
```
Gather the required passwords. During import the following passwords are requested:
- original key password - This is the password provided during the JSK export from the OAM server. This password is used to decrypt the JKS keystore file.
- key storage passphrase - This is the password RUEI uses to safely store and encrypt the AES key.
To import a global key, run the following command:
```
oam-key.sh install PATH_TO_JKS_FILE 'Collector Profile Name' 
```
Where, PATH_TO_JKS_FILE is the location of the JKS file created during export.
To import an application specific key, run the following command:
```
oam-key.sh install PATH_TO_JKS_FILE 'Collector Profile Name' 'Application Name'
```
Where, Application Name is the name of the application.

Removing an OAM 11g AES Key

To remove a global key, run the following command:

oam-key.sh delete 'Collector Profile Name'

To remove an application specific key, run the following command:

oam-key.sh delete 'Collector Profile Name' 'Application Name'

Configuring an Application to Use OAM

After configuring OAM 11g, you can add a user id source to an application based on Oracle Access Manager 11g. For more information, see Monitoring OAM and SSO-Based Traffic in the Oracle RUEI User's Guide.