Thursday, August 11, 2011

OAM 11g: Configuring Data Sources

I wanted to share an experience I had recently while configuring the OAM Console. This is specific to OAM 11.1.1.5 (PS1).

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series, with links to each of the separate posts, is available.

When you first install OAM 11g, one of the first things a customer will do is set up a new data store. But first let’s look at the default configuration. If you open the ‘UserIdentityStore1’ data source you will notice a new feature: a data source can be flagged as the ‘Default’ store, the ‘System’ store, or both. Out of the box this data store (the WebLogic Embedded LDAP) is both the ‘Default’ store and the ‘System’ store.

The ‘Default’ data store is the one used by Security Token Service. The ‘System’ store is the one used to authenticate an OAM administrator: when you select a data store as the system store, you must also specify the user(s) that belong to the administrators group in that store. You can read more about data sources here:
http://download.oracle.com/docs/cd/E21764_01/doc.1111/e15478/datasrc.htm#CHDIEEGA
Again, a customer will most likely need to configure a new data store and possibly use it as the default and/or system store. Be aware that once you change the ‘system’ store you can lock yourself out of the OAM Console!
Here is a screen shot of the data store I configured:

The data store points to an OID back end with test users. I created a user ‘testuser1’ and made it the administrator for the ‘system’ store, as shown above.
When you ‘Apply’ this setting you will see a Warning:

You will also be asked to validate the administrator. I validated using ‘testuser1’.
Now let’s look at the WLS configuration. Out of the box it still had the default settings as seen here:

This is where you can run into trouble. Remember the warning we received when configuring the ‘system’ store. The OAM Console is a WebLogic application, so the login itself is handled by the authentication providers of the WebLogic security realm. The directory you specified as the ‘system’ store must therefore also appear as an authentication provider in the providers list of the WLS Console (Security Realms > myrealm > Providers > Authentication).
Now suppose you forget to add an LDAP provider in WLS, or, more likely, the provider is configured incorrectly (wrong user base DN or name attribute, for example) so that testuser1 cannot be found. In my example, when you try to log in to the OAM Console as the ‘weblogic’ user, you get an access denied page. If you try to log in as ‘testuser1’, you get an incorrect username/password page.
Logging in as ‘weblogic’: this user exists in the Default Authenticator, so authentication succeeds, but it is not a member of the Administrators group as defined in the system store, hence the access denied page. Logging in as ‘testuser1’: this user does not exist in the Default Authenticator, so authentication itself fails, hence the incorrect username/password error. In other words, WLS authenticates the user and OAM then checks the administrators group in the system store; both steps have to succeed.
There are two ways to get back into the OAM Console:
1) Create the uid ‘testuser1’ in the Embedded LDAP used by WLS. This assumes the Default Authenticator is still in the providers list. This is not recommended, however; a better option is...
2) Stop the managed server ‘oam_server1’. You should now be able to log in with the original ‘weblogic’ user you created when installing the domain.
Remember the warning we got when assigning a new 'system' store? It basically means that one of the WLS authentication providers must be in sync with the system store defined in the OAM Console: same directory, same user search base, and the administrator user resolvable through it.
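The provider step described above (make the WebLogic realm consult the same directory that OAM uses as its system store) can be scripted with WLST instead of clicking through the WLS Console. The script below is an added example, not code from the original post or from Oracle; the host names, port, bind DN, passwords, base DNs and the provider name ‘OIDAuthenticator’ are assumed placeholders that you replace with the values of the data store you registered as the system store. Run it with wlst.sh against the Admin Server of the OAM domain, on a test domain first.

```jython
# Added example (not from the original post): register an OID authenticator in the
# WebLogic security realm so that the realm's provider list matches the OAM
# 'system' store. All values below are assumed placeholders.
import jarray
from weblogic.management.security.authentication import AuthenticationProviderMBean

ADMIN_URL   = 't3://oamhost.example.com:7001'   # assumed Admin Server URL
WLS_USER    = 'weblogic'                         # domain admin created at install
WLS_PASS    = 'welcome1'                         # assumed
OID_HOST    = 'oid.example.com'                  # assumed; same directory as the system store
OID_PORT    = 3060                               # assumed
OID_BIND_DN = 'cn=orcladmin'                     # assumed bind account
OID_BIND_PW = 'secret'                           # assumed
USER_BASE   = 'cn=Users,dc=example,dc=com'       # assumed; must equal the system store's user search base
GROUP_BASE  = 'cn=Groups,dc=example,dc=com'      # assumed
PROVIDER    = 'OIDAuthenticator'                 # assumed provider name

connect(WLS_USER, WLS_PASS, ADMIN_URL)
edit()
startEdit()

realm = cmo.getSecurityConfiguration().getDefaultRealm()

# 1. Create the OID authenticator if it does not exist yet, then point it at the
#    same directory and user base that the OAM system store uses.
oid = realm.lookupAuthenticationProvider(PROVIDER)
if oid is None:
    oid = realm.createAuthenticationProvider(PROVIDER,
        'weblogic.security.providers.authentication.OracleInternetDirectoryAuthenticator')
oid.setHost(OID_HOST)
oid.setPort(OID_PORT)
oid.setPrincipal(OID_BIND_DN)
oid.setCredential(OID_BIND_PW)
oid.setUserBaseDN(USER_BASE)
oid.setGroupBaseDN(GROUP_BASE)
oid.setUserNameAttribute('uid')                       # 'testuser1' is a uid in the post
oid.setUserFromNameFilter('(&(uid=%u)(objectclass=person))')
# SUFFICIENT: a user found in OID is authenticated; a user not found there falls
# through to the next provider instead of failing the whole login.
oid.setControlFlag('SUFFICIENT')

# 2. Keep the embedded LDAP authenticator (also SUFFICIENT) so the original
#    'weblogic' user still works for domain administration and as a bail-out.
default_auth = realm.lookupAuthenticationProvider('DefaultAuthenticator')
default_auth.setControlFlag('SUFFICIENT')

# 3. Put the OID authenticator first so console logins are resolved against the
#    directory that holds the OAM administrators group.
others = [p for p in realm.getAuthenticationProviders() if p.getName() != PROVIDER]
ordered = [oid] + others
realm.setAuthenticationProviders(jarray.array(ordered, AuthenticationProviderMBean))

save()
activate(block='true')
disconnect()
# Restart the Admin Server (and oam_server1) for the realm change to take effect.
```

Before activating, it is worth confirming with a plain LDAP search that the administrator user (‘testuser1’ in the post) is actually found under USER_BASE via the uid attribute: the lockout described above comes from a provider that points at the right directory but cannot resolve the user, and the console then reports an incorrect username/password for exactly the account you made the system-store administrator.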

1 comment:

  1. Further resolution is that you would need to set Authentication to use the OID back end with test users that was created.

    By default, Oracle Access Manager uses the integrated LDAP store for user validation. You must update the LDAP authentication module so that it can validate users against the new external LDAP store.

    1. Click the System Configuration tab.
    2. Select Access Manager Settings - Authentication Modules - LDAP Authentication Modules.
    3. Click LDAP.
    4. Select Open from the Actions menu.
    5. Set User Identity Store to LDAP_DIR.
    6. Click Apply.
    7. Restart the managed servers: Admin Server, OAM Managed Server.
    8. Try logging in with 'testuser1' from above.

