Configuring Access Manager Settings

13 Configuring Access Manager Settings

The Access Manager Settings provide configuration options for a number of specific Access Manager service operations.

This chapter describes these Access Manager-specific settings.

13.1 Oracle Access Management Overview

Familiarize with the Oracle Access Management, Serve registration and management before you start off with configuration options and service operations.

Be sure to review the following topics:

13.2 Managing Load Balancing

Configure two or more Managed Servers to operate as a cluster and use Oracle Access Management Console for Access Manager load balancing settings.

This section describes the following topics:

13.2.1 About Common Load Balancing Settings

For production environments that require increased application performance, throughput, or high availability, you can configure two or more Managed Servers to operate as a cluster. A cluster is a collection of multiple WebLogic Server server instances running simultaneously and working together to provide increased scalability and reliability.

In a cluster, most resources and services are deployed identically to each Managed Server (as opposed to a single Managed Server), enabling failover and load balancing. A single domain can contain multiple WebLogic Server clusters and multiple Managed Servers that are not configured as clusters. The key difference between clustered and non-clustered Managed Servers is support for failover and load balancing. These features are available only in a cluster of Managed Servers.

By default, Access Manager has a single OAM Server to which all login and logout requests are sent. In a high-availability deployment, you must change this setup so that login and logout requests are first sent to the load balancer.

See Also:

High Availability Guide, "Access Manager High Availability Configuration Steps" for high-level instructions to set up a high availability Access Manager deployment.

Figure 13-1 shows the Load Balancing Settings section of the Access Manager Settings page. In earlier releases this was part of the SSO Engine settings; the SSO Engine being the controller for sessions.

Figure 13-1 Access Manager Settings: Load Balancer

Description of "Figure 13-1 Access Manager Settings: Load Balancer"

Table 13-1 describes each element and how it is used. Settings are global and common to all OAM Servers in the WebLogic administration domain.

Table 13-1 Access Manager Settings: Load Balancer

Element	Description
OAM Server Host	The virtual host name that represents the OAM Server Cluster, which might be exposed by a load balancer in front of an OAM Server Cluster.
OAM Server Port	The virtual host port associated with the OAM Server Cluster. Values between 1 and 65535 are supported.
OAM Server Protocol	The protocol, either HTTP or HTTPS, that is used to access the virtual host that represents the OAM Server Cluster. See Also: "About Security Modes and X509Scheme Authentication"

Element

Description

OAM Server Host

The virtual host name that represents the OAM Server Cluster, which might be exposed by a load balancer in front of an OAM Server Cluster.

OAM Server Port

The virtual host port associated with the OAM Server Cluster. Values between 1 and 65535 are supported.

OAM Server Protocol

The protocol, either HTTP or HTTPS, that is used to access the virtual host that represents the OAM Server Cluster.

13.2.2 Managing OAM Server Load Balancing Settings

Users with valid Administrator credentials can modify Access Manager load balancing settings using Oracle Access Management Console.

See Also:

"About Common Load Balancing Settings"

From the Access Manager Settings, open Load Balancing:
Expand the Load Balancing area:
- View Only: Close the page when you finish.
- Modify: Edit Load Balancing settings for your deployment (Table 13-1).
Click Apply to submit the changes (or close the page without applying changes).
Dismiss the Confirmation window.

13.3 Managing Secure Error Modes

A custom error page is packaged as part of the custom login application. An out-of-the-box custom Web application archive file is provided that you can use as a starting point to develop customized login and password pages.

Server Error Mode settings are global and common to all OAM Servers in the WebLogic administration domain. This section provides the following topics:

13.3.1 OAM Server Error Modes

The OAM Server Error Mode appears on the Load Balancing Settings area of the Access Manager Settings page.

Figure 13-1 shows the Server Error Mode function.

Figure 13-2 Access Manager Settings: Server Error Mode

Description of "Figure 13-2 Access Manager Settings: Server Error Mode"

Table 13-2 describes the options you can choose to configure Server Error Mode for your deployment.

Table 13-2 Server Error Mode

Element	Description
Server Error Mode	The setting you choose determines the nature of error messages and error codes returned by the OAM Server when an operation fails (because of an invalid username or password, for example, or a server error (connection to the LDAP Server is down)). Choose one of the following settings to configure error messages with varying degrees of security for your custom login pages: SECURE: Most secure. Provides generic error messages that barely give any hint of the internal reason for the error. EXTERNAL: Recommended level. INTERNAL: Least secure level. Recommended for Password Policy validation, as described in "Managing Global Password Policy". See Also: "Viewing or Editing OAM Server Secure Error Modes"

Element

Description

Server Error Mode

The setting you choose determines the nature of error messages and error codes returned by the OAM Server when an operation fails (because of an invalid username or password, for example, or a server error (connection to the LDAP Server is down)).

Choose one of the following settings to configure error messages with varying degrees of security for your custom login pages:

SECURE: Most secure. Provides generic error messages that barely give any hint of the internal reason for the error.
EXTERNAL: Recommended level.
INTERNAL: Least secure level. Recommended for Password Policy validation, as described in "Managing Global Password Policy".

Table 13-3 shows the error triggering condition and message codes for each of the three modes.

Table 13-3 Error Trigger Condition, Modes, and Message Codes

Error Triggering Condition	Internal Mode	External Mode	Secure Mode
Invalid login attempt	OAM-1	OAM-2	OAM-8
Processing submitted credentials fails. For example: In WNA mode, the SPNEGO token is not received.	OAM-3	OAM-3	OAM-8
An authentication exception is raised.	OAM-4	OAM-4	OAM-9
User account gets locked based on certain conditions (exceeded invalid attempts, for instance).	OAM-5	OAM-5	OAM-8
User account disabled.	OAM-5	OAM-5	OAM-9
User has exceeded the maximum number of allowed sessions (a configurable attribute).	OAM-6	OAM-6	OAM-9
Default error message, which is displayed when no other specific messages propagate up. This is not propagated to the user level. Cause could be multiple conditions.	OAM-7	OAM-7	OAM-9
Password expired.	OAM-10	OAM-10	OAM-9

Table 13-4 identifies the error codes, trigger conditions, and recommended messages.

See Also:

Developing Custom Error Pages in the Developing Applications with Oracle Access Management

Table 13-4 External Error Codes, Trigger Conditions, and Recommended Messages

External Error Code	Trigger Condition	Recommended Display Message
OAM-1	Invalid login attempts less than the allowed count.	An incorrect Username or Password was specified
OAM-2	Invalid login attempts less than the allowed count.	An incorrect Username or Password was specified
OAM-3	Processing submitted credentials fails for some reason. For example: in WNA mode, the SPENGO token is not received.	Internal Error.
OAM-4	An authentication exception is raised for some reason.	System error. Please contact the System Administrator.
OAM-5	The user account gets locked because of certain conditions (exceeded invalid attempts, for instance).	The user account is locked or disabled. Please contact the System Administrator.
OAM-5	The user account gets locked because of certain conditions (exceeded invalid attempts, for instance). OID Without OIG Integration: The Error page appears with contact details after the password is validated.	The user account is locked or disabled. Please contact the System Administrator.
OAM-5	The user account is disabled.	The user account is locked or disabled. Please contact the System Administrator.
OAM-6	The user has exceeded the maximum number of allowed sessions, which is a configurable attribute.	The user has already reached the maximum allowed number of sessions. Please close one of the existing sessions before trying to login again.
OAM-7	Failure could be due to multiple reasons; the exact reason is not propagated to the user level for security reasons. For instance: The request ID could have been lost The certificate is not retrieved correctly The default error message is displayed when no other specific messages are propagated up.	System error. Please re-try your action. If you continue to get this error, please contact the Administrator.
OAM-8	See Table 13-3	Authentication failed.
OAM-9	System error. Please re-try your action. If you continue to get this error, please contact the Administrator.	System error. Please re-try your action. If you continue to get this error, please contact the Administrator.
OAM-10	Password expired.	The password has expired.

13.3.2 Viewing or Editing OAM Server Secure Error Modes

Users with valid Administrator credentials can view or edit Access Manager secure error mode settings for OAM Servers using the Oracle Access Management Console.

See Also:

"About Common Load Balancing Settings"

To view or edit:

In the Configuration console, select Access Manager from the View menu in the Settings section.
On the Access Manager Settings page, expand the Load Balancing section.
Server Error Mode:
- Modify: Choose the desired Server Error Mode for your deployment (Table 13-2 and Table 13-4).
- View Only: Close the page when you finish.
Click Apply to submit the changes (or close the page without applying changes).
Dismiss the Confirmation window.
Proceed to "Managing SSO Tokens and IP Validation".

13.4 Managing WebGate Traffic Load Balancer

This section describes the following topics:

13.4.1 About WebGate Traffic Load Balancer

The WebGate Load Balancer settings are used to initialize the WebGate profile parameters whenever a new profile is created.

The following figure shows the WebGate Traffic Load Balancer section of the Access Manager Settings page:

Figure 13-3 Access Manager Settings: WebGate Traffic Load Balancer

Description of "Figure 13-3 Access Manager Settings: WebGate Traffic Load Balancer"

The following table describes each element and how it is used. Settings are global and common to all OAM servers in the Weblogic administration domain:

Table 13-5 Access Manager Settings: WebGate Traffic Load Balancer

Element	Description
OAM Server Host	The managed server or load balancer host information.
OAM Server Port	The managed server or load balancer port information.
OAM Server Protocol	The protocol that is used to communicate between the WebGate and the managed servers. Values: HTTP, HTTPS

13.4.2 Viewing or Editing WebGate Traffic Load Balancer

Users with valid Administrator credentials can view or edit WebGate Load Balancer settings for OAM Servers using the Oracle Access Management Console.

To view or edit:

In the Configuration console, select Access Manager from the View menu in the Settings section.
On the Access Manager Settings page, expand the WebGate Traffic Load Balancer section.
Edit Settings as needed for your configuration.
Click Apply to submit the changes.
Navigate to Application Security Console, select Create Webgate from the Agents menu and create a new agent. Verify the WebGate created is populated with the modified values in the User Defined Parameters field.

13.5 Managing SSO Tokens and IP Validation

Use Oracle Access Management Console for modifying Access Manager SSO settings, IP Validation and SSO token version.

This section provides the following topics:

13.5.1 Access Manager SSO Tokens and IP Validation Settings

The Access Manager Settings page include information such as IP Validation and SSO token version.

Table 13-6 describes each element and how it is used.

Table 13-6 Access Manager Settings: SSO

Element Description

Element	Description
IP Validation	Specific to WebGates and is used to determine whether a client's IP address is the same as the IP address stored in the ObSSOCookie generated for single sign-on. Check the box to enable IP Validation. Clear the box to disable IP Validation if and only if IP Validation is disabled on all the configured WebGates. See IP Address Validation for WebGates.
SSO Token Version	SSO token version is the version of the SSO_ID token (cookie) created by the OAM server. SSO token versions are mainly used for compatibility between data centers in a Multi-Data Center (MDC) setup. Ensure that all the data centers in the MDC setup have SSO token version `5` selected. From OAM 14c onwards, SSO token version `5` is selected by default.

IP Validation

Specific to WebGates and is used to determine whether a client's IP address is the same as the IP address stored in the ObSSOCookie generated for single sign-on.

Check the box to enable IP Validation.

Clear the box to disable IP Validation if and only if IP Validation is disabled on all the configured WebGates. See IP Address Validation for WebGates.

SSO Token Version

SSO token version is the version of the SSO_ID token (cookie) created by the OAM server.

SSO token versions are mainly used for compatibility between data centers in a Multi-Data Center (MDC) setup. Ensure that all the data centers in the MDC setup have SSO token version 5 selected.

From OAM 14c onwards, SSO token version 5 is selected by default.

13.5.2 Viewing or Editing SSO Tokens and IP Validation

Users with valid Administrator credentials can view or edit Access Manager SSO settings using the Oracle Access Management Console.

See Also:

"About Common Load Balancing Settings"

To view or edit:

In the Oracle Access Management Console, click Configuration at the top of the window.
In the Configuration console, select Access Manager from the View menu in the Settings section.
Expand the SSO section:
- View Only: Close the page when you finish.
- Modify: Perform remaining steps to edit the configuration.
Edit settings as needed for your deployment, based on details in Table 13-6.
Click Apply to submit the changes (or close the page without applying changes).
Dismiss the Confirmation window.
Proceed to "Managing the Access Protocol for OAM Proxy Cert Mode Security".

13.6 Managing the Access Protocol for OAM Proxy Cert Mode Security

Configure secure server communication mode and manage through the settings for the common OAM Proxy.

This section describes the following topics:

13.6.1 OAM Proxy Cert Mode Transport Security

Open and Cert are the modes of secure communication and there are similarities between these modes.

Table 13-7 outlines the similarities between Cert and Open modes.

See Also:

Securing Communication

Table 13-7 Summary: Cert Mode and Open Mode

Artifact or Process	Cert Mode	Open Mode
X.509 digital certificates only.	X	N/A
Communication between OAM Agents and OAM Servers is encrypted using Transport Layer Security, RFC 2246 (TLS v1).	X	N/A
For each public key there is a corresponding private key that Access Manager stores in a file:	aaa_key.pem generated by your CA	N/A
Signed certificates in Privacy Enhanced Mail (PEM) format	aaa_cert.pem generated by your CA	N/A
During OAM Server configuration, secure the private key with a Global passphrase or PEM format details, depending on which mode you are using. Before an OAM Server or Webgate can use a private key, it must have the correct passphrase.	PEM format: Keystore Alias Key KEYSTOREStore Alias Password	N/A
During OAM Agent or OAM Server registration, the communication mode is propagated to the Oracle Access Management Console.	Different passphrase for each Webgate and OAM Server instance.	N/A
The certificate request for the Webgate generates the certificate request file, which you must send to a root CA that is trusted by the OAM Sever. The root CA returns the Webgate certificates, which can then be installed either during or after Webgate installation.	aaa_req.pem The certificate request, signed by the your Certificate Authority	N/A
Encrypt the private key using the DES Algorithm. For example: openssl rsa -in aaa_key.pem -passin pass: -out aaa_key.pem -passout pass: passphrase -des	X	N/A
Agent Key Password	Enter a password during agent registration in Cert Security mode (see Table 15-1).	N/A
During Agent registration, ObAccessClient.xml is generated in: $DOMAIN_HOME/output/$Agent_Name/	ObAccessClient.xml Copy to: $OHS_Instance_Dir/webgate/config	ObAccessClient.xml Copy to: $OHS_Instance_Dir/webgate/config
During Agent registration, password.xml is generated in: $DOMAIN_HOME/output/$Agent_Name/ See Also: Securing Communication	password.xml Copy to: $OHS_Instance_Dir/webgate/config	N/A
During Agent registration, aaa_key.pem is generated in: $DOMAIN_HOME/output/$Agent_Name/ See Also: Securing Communication	aaa_key.pem Copy to: $OHS_Instance_Dir/webgate/config	N/A

13.6.2 Configuration Settings of Common OAM Proxy Page for Secure Server Communications

You can the configure settings of Common OAM Proxy Page for Secure Server Communications.

Table 13-8 describes the settings required for Cert mode configuration.

Table 13-8 Server Common OAM Proxy Secure Communication Settings

Mode	Description
Cert Mode Configuration	Details required for the Key KEYSTOREStore where the Cert mode X.509 certificates signed by an outside Certificate Authority reside: PEM Keystore Alias PEM Keystore Alias Password Note: These are set during initial OAM Server installation. The certificates can be imported using the import certificate utility or the keytool shipped with JDK. Administrators can edit the alias and password and then reconfigure all existing OAM Agents to use them, as described in"Viewing or Editing Cert Settings for OAM Proxy".

Mode

Description

Cert Mode Configuration

Details required for the Key KEYSTOREStore where the Cert mode X.509 certificates signed by an outside Certificate Authority reside:

PEM Keystore Alias
PEM Keystore Alias Password

Note: These are set during initial OAM Server installation. The certificates can be imported using the import certificate utility or the keytool shipped with JDK.

Administrators can edit the alias and password and then reconfigure all existing OAM Agents to use them, as described in"Viewing or Editing Cert Settings for OAM Proxy".

13.6.3 Viewing or Editing Cert Settings for OAM Proxy

Administrators can use view or edit Cert mode settings for the common OAM Proxy.

See Also:

To view or edit:

In the Oracle Access Management Console, click Configuration at the top of the window.
In the Configuration console, select Access Manager from the View menu in the Settings section.
Expand the Access Protocol section.
Cert Mode Configuration: Specify the following details.
- PEM Keystore Alias
- PEM Keystore Alias Password
Click Apply to submit the changes and dismiss the Confirmation window (or close the page without applying changes).
Update Agent registration pages as needed to regenerate artifacts, and then replace the earlier artifacts as described in Introduction to Agents and Registration or Registering and Managing OAM Agents.

13.6.4 Configuring 64-bit WebGate in Cert Mode

64-bit WebGates now support SHA2 (256,384 & 512 bit) certificates.

Run the following command to configure a 64-bit WebGate in cert mode.

<Oracle Middleware Home>/oracle_common/bin/orapki wallet add 
 -wallet $DOMAIN_HOME/output/$Agent_Name/cwallet.sso -trusted_cert 
 -cert <Root CA path .i.e. aaa_chain.pem> -auto_login_only

13.7 Managing Run Time Policy Evaluation Caches

Access Manager common run time policy evaluation cache settings are managed by administrators and policy evaluation caches are required during policy evaluation at run time.

This section describes the following topics:

See Also:

"Run Time Resource Evaluation"

13.7.1 Settings for Run Time Policy Evaluation Caches

The Resource Matching Cache and the Authorization Result Cache are set and required during policy evaluation at run time.

Figure 13-4 illustrates the Policy section of the Access Manager Settings page.

Figure 13-4 Common Policy Evaluation Caches

Description of "Figure 13-4 Common Policy Evaluation Caches"

Table 13-9 outlines these global settings that apply to all servers and requests.

Table 13-9 Policy Evaluation Caches

Element	Description
Resource Matching Cache	Caches mappings between the requested URL and the policy holding the resource pattern that applies to the URL. Default Values: Maximum Size 100000 Zero disables the cache Time to Live (seconds) 3600 Zero disables Time to Live
Authorization Result Cache	Caches policy decisions for the requested URL and user. Default Values: Maximum Size 100000 Zero disables the cache Maximum Size per User 100 Zero disables the cache Time to Live (seconds) 3600 Zero disables Time to Live See Also: Tuning Performance

Element

Description

Resource Matching Cache

Caches mappings between the requested URL and the policy holding the resource pattern that applies to the URL.

Default Values:

Maximum Size 100000 Zero disables the cache
Time to Live (seconds) 3600 Zero disables Time to Live

Authorization Result Cache

Caches policy decisions for the requested URL and user.

Default Values:

Maximum Size 100000 Zero disables the cache
Maximum Size per User 100 Zero disables the cache
Time to Live (seconds) 3600 Zero disables Time to Live

13.7.2 Managing Run Time Policy Evaluation Caches

Administrators manage the Access Manager common run time policy evaluation cache settings.

In the Oracle Access Management Console, click Configuration at the top of the window.
In the Configuration console, select Access Manager from the View menu in the Settings section.
Expand the Policy section.
Resource Matching Cache: Specify details and click apply (Table 13-9).
Authorization Result Cache: Specify details and click apply (Table 13-9).
Click Apply to submit the changes and dismiss the Confirmation window (or close the page without applying changes).

See Also:

High Availability Guide
Tuning Performance

13.8 Configuring Policy Cache Parameters

The parameters for Policy Cache can be set in oam-config.xml file under OAMPolicyProvider or in System Properties.

Follwing table lists the Policy Cache parameters with their default values:

Table 13-10 Polciy Cache Parameters

Parameter Name	Default value	Description
`PolicyCacheRefreshIntervalMillis`	30000 ( 30 Sec)	Configured in runtime server to check for new version in store after this configured time. It is configured in milliseconds.
`PolicyCacheRefreshTimeoutSeconds`	300 ( 5 min)	Configured in runtime server to wait for 300 seconds before stopping the execution of each query. It is configured in seconds.
`PolicyCacheCountInDb`	5	Configured in Admin/Policy manager server for number of latest versions of policy cache to be stored in the database. Older version of caches after this threshold limit will be deleted.
`PolicyCacheIgnoreChecksum`	FALSE	Configured in Admin/Policy manager runtime server to ignore the policy check sum calculation and read the cache from the store.
`PolicyCacheThreadMaxRetryCount`	5	Configured in runtime server for number of times the policy version thread will retry in case of DB timeout.
`PolicyCacheReadThreadBlockTimeInSec`	1800(30 Mins)	Configured in runtime server after reaching the number of retrials specified by `PolicyCacheThreadMaxRetryCount` , the policy version thread will avoid checking for the configured amount of time. It is configured in seconds.
`PolicyCacheCheckTimeoutLimit`	10mins	Configured in runtime server to wait for the runtime server cache initialization. It is configured in minutes.
`oracle.oam.EntityRefreshIntervalMillis`	60000 Millisecond	Configured in Admin server or Policy Manager as system property to increase the frequency to check the changes in the policy on Admin server or Policy Manager. It is default to 60000ms.

Note:

The oracle.oam.EntityRefreshIntervalMillis parameter can be configured only in System properties and not in oam-config.xml file.