Tuesday, April 24, 2012

OAM 11g - IPM Integration

This post walks through integrating OAM 11g with IPM (Oracle Imaging and Process Management). The integration is built on top of the OAM/UCM integration I did back in December.


Prerequisites

  1. Install, configure and integrate UCM with OAM.  Click here for the post I did for OAM/UCM.
  2. Install and configure IPM with the same OHS proxy used to proxy the UCM application.


High Level Steps/Checklist

  1. Configure an OHS server to proxy all requests to IPM (/imaging).
  2. Register a webgate with the URLs you want to protect.
  3. Configure an OAM Identity Asserter and LDAP/OVD provider in WebLogic.
  4. Validate that users can access IPM with WLS security.
  5. Install a webgate on the OHS server and validate.

Notes:
  • Steps 2 through 4 may already have been completed as part of the OAM/UCM integration.
  • Verifying the ‘/imaging’ URL may return a “404 Not Found” error. This happens when a webgate is already installed on the OHS server but no policy has yet been defined to protect this URI; it is the expected result of the webgate setting ‘denyOnNotProtected’.


Detail Steps

  1. Follow the documentation to configure Oracle Access Manager 11g with Oracle IPM, Section 2.3.5: http://download.oracle.com/docs/cd/E17904_01/admin.1111/e12782/c02_security.htm#CDDFAFAC

    2.3.5 - Integrating Oracle IPM With Oracle Access Manager 11g
    1. OAM and the webgate have already been configured and installed.
    2. Modify the mod_wl_ohs.conf file to add the forwarding URL:

        <Location /imaging>
          SetHandler weblogic-handler
          WebLogicHost <hostname>
          WebLogicPort <portnumber>
        </Location>

    3. Use the remote registration tool oamreg as described in section 15.2.2.2: http://download.oracle.com/docs/cd/E21764_01/core.1111/e10043/osso_b_oam11g.htm#JISEC9104
      15.2.2.2 - Provision with 11g Webgate
    1. Acquire the tool
      • The rreg tool can be found and executed on the same box where OAM is installed; there is no need to un-tar it.
    2. Create a new IPM-Request.xml. Since the same OHS server that proxies UCM is being used to forward requests to the IPM application, use the same host identifier and agent name as defined for UCM; the only difference is the protected and public resource lists.

        <OAM11GRegRequest>
          <serverAddress>http://ateam-hq66.us.oracle.com:7003</serverAddress>
          <hostIdentifier>UCM-INT</hostIdentifier>
          <agentName>UCM-INT</agentName>
          <protectedResourcesList>
            <resource>/imaging/faces</resource>
          </protectedResourcesList>
          <publicResourcesList>
            <resource>/imaging</resource>
          </publicResourcesList>
        </OAM11GRegRequest>

    3. On the command line, execute the following:

./bin/oamreg.sh inband input/IPM-Request.xml

When prompted for the admin user and password, make sure the user is part of the system store you configured for OAM (e.g. testuser1/welcome1).

NOTE: Make sure you copy the new artifacts from the RREG output directory to the OHS webgate directory (i.e. .../Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config) and restart the OHS server.

    Steps 4 and 5 from Section 2.3.5 were already completed during the UCM/OAM setup.
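
As an added example that is not part of the original post: a small Python check to run before oamreg, verifying that the IPM request reuses the UCM host identifier and agent name, that each listed resource sits under an OHS Location in mod_wl_ohs.conf, and that every proxied prefix is covered by some resource list (otherwise denyOnNotProtected answers 404, as noted above). Host names, ports and the UCM resource list are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
# Constructed IPM-Request.xml modelled on the post; host names and ports are placeholders.
IPM_REQUEST = """<OAM11GRegRequest>
  <serverAddress>http://oam.example.com:7003</serverAddress>
  <hostIdentifier>UCM-INT</hostIdentifier>
  <agentName>UCM-INT</agentName>
  <protectedResourcesList><resource>/imaging/faces</resource></protectedResourcesList>
  <publicResourcesList><resource>/imaging</resource></publicResourcesList>
</OAM11GRegRequest>"""
# Constructed mod_wl_ohs.conf: the existing UCM proxy (/cs) plus the new /imaging Location.
MOD_WL_OHS = """<Location /cs>
  SetHandler weblogic-handler
</Location>
<Location /imaging>
  SetHandler weblogic-handler
  WebLogicHost ipm.example.com
  WebLogicPort 16000
</Location>"""
# What the earlier UCM registration already created (constructed values).
UCM_REGISTRATION = {"hostIdentifier": "UCM-INT", "agentName": "UCM-INT", "resources": ["/cs"]}

def parse_request(xml_text):
    """Host identifier, agent name and both resource lists from an OAM11GRegRequest."""
    root = ET.fromstring(xml_text)
    field = lambda tag: (root.findtext(tag) or "").strip()
    return {"hostIdentifier": field("hostIdentifier"), "agentName": field("agentName"),
            "protected": [r.text.strip() for r in root.findall("protectedResourcesList/resource")],
            "public": [r.text.strip() for r in root.findall("publicResourcesList/resource")]}

def proxied_locations(conf_text):
    """URI prefixes that OHS forwards to WebLogic (<Location /path> blocks)."""
    return re.findall(r"<Location\s+(\S+?)\s*>", conf_text)

def _under(uri, prefix):
    return uri == prefix or uri.startswith(prefix.rstrip("/") + "/")

def check_registration(xml_text, conf_text, existing):
    """Return findings; an empty list means the request is consistent with the post's rules."""
    req, findings = parse_request(xml_text), []
    for key in ("hostIdentifier", "agentName"):  # must reuse the UCM registration's values
        if req[key] != existing[key]:
            findings.append(f"{key} {req[key]!r} differs from the UCM registration {existing[key]!r}")
    locs = proxied_locations(conf_text)
    for r in req["protected"] + req["public"]:
        if not any(_under(r, loc) for loc in locs):
            findings.append(f"{r} is not under any OHS <Location>, so it never reaches IPM")
    known = req["protected"] + req["public"] + existing["resources"]
    for loc in locs:  # denyOnNotProtected: a proxied prefix with no policy answers 404
        if not any(_under(res, loc) or _under(loc, res) for res in known):
            findings.append(f"{loc} is proxied but appears in no resource list (expect 404)")
    return findings
```

Point the constants at the real IPM-Request.xml and mod_wl_ohs.conf and run the check; a non-empty result explains a 404 or a failed login before the webgate artifacts are copied.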

Troubleshooting tips:

  • Cannot log in via OAM – a few things to verify:
    • Make sure that the LDAP Authentication Module in the OAM console is pointing to the correct data store.
    • Make sure that the WLS provider matches the same OAM data store configuration.
