1. Administering Oracle Advanced Authentication and Oracle Adaptive Risk Management
  2. Installing Oracle Advanced Authentication, Oracle Adaptive Risk Management, and Oracle Universal Authenticator
  3. Procedure for Installing OAA, OARM, and OUA
  4. Prerequisite Configurations for Installing OAA, OARM, and OUA
  5. Oracle Access Management Requirements
  6. Registering OAM TAP Partners

5.1.6.3 Registering OAM TAP Partners

During installation, two integration agents are created for you in OAA:
  • OAM-OAA-TAP
  • OAM-OUA-TAP

In order for the installation to create these agents, you must first create TAP partners in OAM.

Registering OAA as a TAP Partner in OAM

The OAM-OAA-TAP OAM integration agent, along with an OAM Authentication Module (OAA-MFA-Auth-Module), Authentication Scheme (OAA-MFA-Scheme), and Policy (OAA_MFA-Policy) are created during installation. These components allow OAM administrators to protect applications with OAM and OAA multi-factor authentication. For example, a user accesses an application protected with the OAA_MFA-Policy, and after successful authentication in OAM, is then challenged with a second factor for multi-factor authentication via OAA.

To register OAM-OAA-TAP as a TAP partner:
  1. On the OAM server, launch a terminal window and enter the following command:
    cd $OAM_ORACLE_HOME/oracle_common/common/bin
./wlst.sh
    The output will look similar to the following:
    Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands
wls:/offline>
  2. Connect to the OAM Administration Server as follows:
    connect ('weblogic','<password>','t3://<OAM_AdminServer_Host>:<OAM_AdminServer_Port>')
    The output will look similar to the following:
    Successfully connected to Admin Server "AdminServer" that belongs to domain "oam_domain".
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
wls:/oam_domain/serverConfig/>
  3. Run the following command to register the OAA TAP partner:
    registerThirdPartyTAPPartner(partnerName="OAM-OAA-TAP", keystoreLocation="<path_to_keystore>", password="<keystore_password>", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="<redirect_url>")
    where :
    • <path_to_keystore> is the location and file name of the keystore to generate.
    • <keystore_password> is the password to create for the keystore generated.
    • <redirect_url> is the HTTP or HTTPS URL that you access OAM with at the front end. For example, if you access OAM via https://ohs.example.com, then set tapRedirectUrl to any URL that is reachable under https://ohs.example.com. The URL must be one that returns a 200 OK response when accessed.
    For example:
    registerThirdPartyTAPPartner(partnerName="OAM-OAA-TAP", keystoreLocation="/tmp/OAMOAAKeyStore.jks", password="password", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="https://ohs.example.com/oam/pages/login.jsp")
    The output will look similar to the following:
    Registration Successful
wls:/oam_domain/serverConfig/>
    In the example above a keystore /tmp/OAMOAAKeyStore.jks will be generated. .
  4. Copy the OAMOAAKeyStore.jks to the <WORKDIR> on the <INSTALL_HOST>. See, Installation Host Requirements.

Registering OUA as a TAP Partner in OAM

Note:

If you are performing an installation without OUA, you can ignore this section.

The OAM-OUA-TAP agent, along with OAM OUA Policies also created during installation, is used by Oracle Universal Authenticator so users can login to their devices using OAM and a second factor from OAA.

To register OAM-OUA-TAP as a TAP partner:
  1. In the same WLST session as above, run the following command to register the OUA TAP partner:
    registerThirdPartyTAPPartner(partnerName="OAM-OUA-TAP", keystoreLocation="<path_to_keystore>", password="<keystore_password>", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="<redirect_url>")
    where :
    • <path_to_keystore> is the location and file name of the keystore to generate.
    • <keystore_password> is the password to create for the keystore generated.
    • <redirect_url> is the HTTP or HTTPS URL that you access OAM with at the front end. For example, if you access OAM via https://ohs.example.com, then set tapRedirectUrl to any URL that is reachable under https://ohs.example.com. The URL must be one that returns a 200 OK response when accessed.
    For example:
    registerThirdPartyTAPPartner(partnerName="OAM-OUA-TAP", keystoreLocation="/tmp/OAMOUAKeyStore.jks", password="password", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="https://ohs.example.com/oam/pages/login.jsp")
    The output will look similar to the following:
    Registration Successful
wls:/oam_domain/serverConfig/>
    In the example above a keystore /tmp/OAMOUAKeyStore.jks will be generated.
  2. Copy the OAMOUAKeyStore.jks to the <WORKDIR> on the <INSTALL_HOST>. See, Installation Host Requirements.
  3. Run the following command to exit wlst: 
    exit()