Tuesday, October 2, 2012

Detached Credential Collector Configuration - OAM 11GR2

Detached Credential Collector (DCC) has been introduced in OAM 11GR2 release. And the documentation, http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/register.htm#BABEGDFA, explains in detail about how to deploy it in various architecture scenarios.
 In addition to the documentation, this blog post will help clarify the configuration steps.

The following step presumes your deployment uses Open mode communication. It also assumes that a webgate 11G is registered with the OAM Server.

A. Enable credential operations for an existing 11G Webgate

Using the Oracle Access Management Console, find and open the page for the 11.1.2 Webgate that will function as the DCC:
  • Click on System Configuration tab
  • Click Access Manager
  • Expand the SSO Agents node
  • Double Click on OAM Agents
  • Click on Search
  • Click on the Webgate (say, the name is RREG_OAM11G)
  • Check the box beside Allow Credential Collector Operations.
  • Click Apply.
Here is the snapshot of the above configuration:

B.     Invoke the right perl executable

Ensure that the path name of the perl executable as mentioned in the perl scripts is correct.
For example, if the Webgate is installed $MW_HOME/Oracle_OAMWebGate1, the perl scripts for DCC-based login are located in the following path:  $MW_HOME/Oracle_OAMWebGate1/webgate/ohs/oamsso-bin.
In most of the cases, by default for Unix based system, the perl executable located at /usr/bin/perl. This can be verified by the command “which perl” in the OAM Server. However, the perl scripts themselves point to: /usr/local/bin/perl

To make sure that the scripts execute correctly, there are two choices:
  1. Create a symbolic link for /usr/local/bin/perl so that it points to /usr/bin/
  2. Or alter the first line of the scripts so that they points to the correct location for perl, that is, replace the line #!/usr/local/bin/perl by #!/usr/bin/perl.

C.   Configure the Authentication Scheme for DCC

Configure a new authentication scheme as follows:
  • Click on Authentication Scheme
  • Click on + on the top to add a new Authentication Scheme
  • A page will open for the new authentication scheme and then fill up the fields as follows:
    • Name: DCC AuthScheme [It can be anything]
    • Authentication Level: 2
    • Challenge Method: FORM
    • Challenge Redirect URL: http://oam.oracleateam.com:7778 [Note: This is theURL for the OHS Server where webgate is configured for DCC]
    • Authentication Module: LDAP [If the LDAP authentication module is the authentication engine]
    • Challenge URL: /oamsso-bin/login.pl
    • Context Type: Select the blank
  •  Select Apply

Here is the snapshot for the above configuration:


D.     Configure the Authentication Policy for the Protected Resource

Go to the Authentication Policy and make sure that you choose the “DCC AuthScheme” as the authentication scheme for the Protected Resource Policy.
A typical snapshot would be as follows:

Now restart the OAM Server and test the above configuration. Create a sample page, for example, test.html, in the OHS root location. And try to access the page as
This will redirect you to the following login page as shown below:
Note the redirection URL:

The above URL shows that you are directed to the Detached Credential Collector.
Now if you enter the credential correctly, you should be able to access the test.html page.

1 comment:

  1. Cool, DCC is what I was planning to update in my blog for OAM 11gR2 . Good to see that this is already available here that I can simply reference to.

    Atul Kumar


Note: Only a member of this blog may post a comment.