This is another post in our OAM 11g Academy series. To view the first post in the series which will be updated throughout to contain links to the entire series, click here: http://fusionsecurity.blogspot.com/2011/02/oracle-access-manager-11g-academy.html
A couple of months ago Chris wrote a good post about the best way to deploy OAM from a web server / network architecture point of view.
Today I'd like to touch on a very important but overlooked aspect of OAM deployments: whether or not to use SSL between the web server and OAM. The product documentation and the broader OAM writings in the community do a good job of describing the security modes of the webgate-to-OAM server (OAP) channel: open vs. simple vs. cert mode. What is almost completely neglected, however, is the question of whether to use SSL between the web server and OAM.
Thursday, May 24, 2012
Wednesday, May 23, 2012
Domain Architecture and Middleware Homes Revisited
Over a year ago I wrote a couple of important posts about the domain architectures used in Oracle Identity Management deployments. You can find these posts here and here.
These posts have been very popular. I've received lots of positive feedback on them but also a fair number of questions.
So, I thought that it would be worth revisiting the topic now.
Labels:
identity management,
install,
oam,
OIM,
weblogic
Tuesday, May 1, 2012
Split profile setup with AD and OID for Fusion Apps IDM
I have discussed the split profile setup scenario for a Fusion Applications IDM environment with AD and OID, the process of creating the adapters needed in OVD to consolidate the two directory servers (AD and OID), and the configuration changes needed in OAM, OIM and WLS of the IDM environment in these two blog posts.
Part 1, Part 2
This process is relevant to FA release RUP1. From release RUP2 some of these manual steps have been automated, which I will discuss in a future blog post.
Labels:
Fusion Applications,
Fusion Apps,
idm,
oam,
OIM
Tuesday, April 24, 2012
OAM 11g - IPM Integration
Here is a post that integrates OAM 11g with IPM. This integration is implemented on top of the OAM/UCM integration I did back in December.
NOTE: Make sure you copy the new artifacts from the RREG output directory to the OHS webgate directory (i.e. .../Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config) and restart the OHS server.
Prerequisites
- Install, configure and integrate UCM with OAM. Click here for the post I did for OAM/UCM.
- Install and configure IPM with the same OHS proxy used to proxy the UCM application.
High Level Steps/Checklist
- Configure an OHS server to proxy all requests to IPM (/imaging).
- Register a webgate with the URLs you want to protect.
- Configure an OAM Identity Asserter and LDAP/OVD provider in WebLogic.
- Validate that users can access IPM with WLS security.
- Install a webgate on OHS server and validate.
Notes:
Steps 2 through 4 may have already been completed as part of the OAM-UCM integration.
Verifying the '/imaging' URL may result in a "404 Not Found" error. This will occur if a webgate is already installed on the OHS server and you have not yet defined a policy covering this URI. This is expected behaviour because of the webgate setting 'denyOnNotProtected': a URI that matches neither a protected nor a public resource is denied rather than passed through.
Detail Steps
- Follow the documentation to configure Oracle Access Manager 11g with Oracle IPM, Section 2.3.5:
http://download.oracle.com/docs/cd/E17904_01/admin.1111/e12782/c02_security.htm#CDDFAFAC
2.3.5 - Integrating Oracle IPM With Oracle Access Manager 11g
- OAM/Webgate have already been configured and installed.
- Modify the mod_wl_ohs.conf file with the forwarding URL:

    <Location /imaging>
        SetHandler weblogic-handler
        WebLogicHost <hostname>
        WebLogicPort <portnumber>
    </Location>

- Use the remote registration tool oamreg as described in section 15.2.2.2:
http://download.oracle.com/docs/cd/E21764_01/core.1111/e10043/osso_b_oam11g.htm#JISEC9104
15.2.2.2 - Provision with 11g Webgate
- Acquire the tool
- The rreg tool can be found and executed on the same box where OAM is installed; there is no need to un-tar it.
- Create a new IPM-Request.xml. Since the same OHS server that proxies UCM is being used to forward/proxy the IPM app, use the same host identifier and agent name as defined for UCM. The only difference is the protected and public resources.
    <OAM11GRegRequest>
        <serverAddress>http://ateam-hq66.us.oracle.com:7003</serverAddress>
        <hostIdentifier>UCM-INT</hostIdentifier>
        <agentName>UCM-INT</agentName>
        <protectedResourcesList>
            <resource>/imaging/faces</resource>
        </protectedResourcesList>
        <publicResourcesList>
            <resource>/imaging</resource>
        </publicResourcesList>
    </OAM11GRegRequest>
- On the command line, execute the following:

    ./bin/oamreg.sh inband input/IPM-Request.xml

When asked to enter the admin user and password, make sure the user is part of the system store you configured for OAM (e.g. testuser1/welcome1).
- Steps 4 and 5 from Section 2.3.5 were already completed during the UCM/OAM setup.
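The registration request above is hand-written, and the two things that most often go wrong with it are a resource listed on both sides (protected and public) and a misunderstanding of why an unregistered URI gets a 404. The following is an added example, not code from the original post or from Oracle: it regenerates IPM-Request.xml from the values on this page with xml.etree, checks the request for those inconsistencies before you hand it to oamreg, and previews how a few request paths would be classified. The prefix-matching in classify() is a deliberate simplification for illustration (an assumption here), not OAM's actual resource-pattern semantics; check the real policy in the OAM console after registration.

```python
"""Build and sanity-check an OAM 11g remote-registration (RREG) request.

Added example (not Oracle's code). Values below are the ones from the post;
the matching in classify() is a simplifying assumption, not OAM's real logic.
"""
import xml.etree.ElementTree as ET

# Values taken from the IPM-Request.xml on the page.
SERVER_ADDRESS = "http://ateam-hq66.us.oracle.com:7003"
HOST_IDENTIFIER = "UCM-INT"
AGENT_NAME = "UCM-INT"
PROTECTED = ["/imaging/faces"]
PUBLIC = ["/imaging"]


def build_request(server_address, host_identifier, agent_name, protected, public):
    """Return an OAM11GRegRequest document as a string."""
    root = ET.Element("OAM11GRegRequest")
    ET.SubElement(root, "serverAddress").text = server_address
    ET.SubElement(root, "hostIdentifier").text = host_identifier
    ET.SubElement(root, "agentName").text = agent_name
    prot = ET.SubElement(root, "protectedResourcesList")
    for res in protected:
        ET.SubElement(prot, "resource").text = res
    pub = ET.SubElement(root, "publicResourcesList")
    for res in public:
        ET.SubElement(pub, "resource").text = res
    return ET.tostring(root, encoding="unicode")


def parse_request(xml_text):
    """Read a request back into a plain dict (used to check what was written)."""
    root = ET.fromstring(xml_text)
    return {
        "serverAddress": root.findtext("serverAddress"),
        "hostIdentifier": root.findtext("hostIdentifier"),
        "agentName": root.findtext("agentName"),
        "protected": [e.text for e in root.find("protectedResourcesList")],
        "public": [e.text for e in root.find("publicResourcesList")],
    }


def validate(req):
    """Return a list of problems; an empty list means the request is consistent."""
    problems = []
    if not req["serverAddress"].startswith(("http://", "https://")):
        problems.append("serverAddress must be an http(s) URL")
    for res in req["protected"] + req["public"]:
        if not res.startswith("/"):
            problems.append(f"resource {res!r} must start with '/'")
    # The same path on both lists is ambiguous; catch it before oamreg does.
    for res in sorted(set(req["protected"]) & set(req["public"])):
        problems.append(f"resource {res!r} is listed as both protected and public")
    return problems


def classify(path, req, deny_on_not_protected=True):
    """Preview how a request path would be handled.

    Assumption for illustration: the longest registered path that is the
    request path itself or a parent of it wins. A path matching nothing is
    denied (the 404 described in the post) when denyOnNotProtected is on,
    otherwise passed through to the application.
    """
    best, kind = "", None
    for resources, label in ((req["protected"], "protected"), (req["public"], "public")):
        for res in resources:
            hit = path == res or path.startswith(res.rstrip("/") + "/")
            if hit and len(res) > len(best):
                best, kind = res, label
    if kind is None:
        return "deny" if deny_on_not_protected else "pass"
    return kind


if __name__ == "__main__":
    xml_text = build_request(SERVER_ADDRESS, HOST_IDENTIFIER, AGENT_NAME, PROTECTED, PUBLIC)
    print(xml_text)
    req = parse_request(xml_text)
    print("problems:", validate(req))
    for p in ("/imaging", "/imaging/faces/login.jspx", "/cs/idcplg"):
        print(p, "->", classify(p, req))
```

Run it once with the registration request still empty (both lists `[]`) and every /imaging path comes back as "deny", which is exactly the 404 the note above warns about; add the two resources and /imaging/faces/... becomes protected while /imaging itself stays public.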
Troubleshooting tips:
- Cannot log in via OAM. A few things to verify:
- Make sure that the LDAP Authentication Module in the OAM console is pointing to the correct data store.
- Make sure that the WLS provider matches the same OAM data store configuration.
Labels:
11g,
oam,
OAM Integration
Monday, April 23, 2012
Custom transformation provider for OIM GTC connector
GTC-based connectors are one of the most used approaches for reconciling data into OIM, especially through flat files. A common situation is that a customer does not allow direct communication between OIM and the HR system (for different reasons: an outsourced HR system, security constraints and others), so a flat file is made available to OIM so that it can reconcile users.
Very often there is a need to manipulate the data being reconciled into OIM through the GTC connector. When that is the case, most customers end up creating event handlers to manipulate the reconciled data. The problem with this approach is that in OIM 11g only 'post process' event handlers can be used to manipulate reconciliation data (so the data can only be manipulated after it has been reconciled into OIM), and this can make some manipulations really tricky and/or cumbersome.
Labels:
Fusion Middleware,
identity,
OIM,
OIM 11g,
oim 11g academy
