Oracle Fusion Middleware Security (feed updated 2024-03-05)
As members of the Fusion Middleware Architecture Group (a.k.a. the A-Team), we get exposed to a wide range of challenging technical issues around security and Oracle Fusion Middleware. We're using this blog to answer common questions and provide interesting solutions to the real-world scenarios that our customers encounter every day.
NOTICE: All our posts and much more can now be found at http://www.ateam-oracle.com/category/identity-management/ (Chris Johnson, Oracle).

OAM 11g Webgate Tuning (2016-02-12)<h1 style="background-color: white; color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 28px; line-height: 1; margin: 5px 0px 2px; padding: 5px;">
Introduction</h1>
<div style="background-color: white; color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.4; padding: 5px;">
This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. <a data-mce-href="http://www.ateam-oracle.com/oracle-access-manager-academy-from-the-fusion-security-blog/" href="http://fusionsecurity.blogspot.com/2011/03/oracle-access-manager-academy-from.html" style="color: #1f4f82; text-decoration: none;" target="_blank">An index to the entire series with links to each of the separate posts is available</a>.</div>
<div style="background-color: white; color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.4; padding: 5px;">
<span style="font-family: arial, helvetica, sans-serif;">People typically are introduced to Webgate tuning in one of two ways: either forced into it because of a crisis, or actively preparing an environment for some aggressive load testing. Hopefully you are in the latter group. Unfortunately, there is still a lot of mystery behind tuning some of these Webgate parameters, and creating a comprehensive article to cover all aspects of tuning is a real challenge. That said, this article focuses on what I feel are the most important tuning parameters: 1) Max Connections, including the relationship between Max Connections and Max Number of Connections, 2) the Failover Threshold, and 3) the AAA Timeout Threshold. If you can grasp the concepts around these few key parameters, your chances of getting better performance and stability out of the Webgates and Access Servers will greatly increase.</span></div>
<div style="background-color: white; color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.4; padding: 5px;">
</div>
<a href="http://fusionsecurity.blogspot.com/2016/02/oam-11g-webgate-tuning.html#more">Read more »</a> Posted by Anonymous.

Oracle Unified Directory 11gR2PS3 Very Large Static Groups (2016-02-08)<br>
<h1 style="background-color: white; color: #313131; font-family: arial, helvetica, sans-serif; font-size: 28px; line-height: 1; margin: 5px 0px 2px; padding: 5px;">
Introduction</h1>
<span style="font-family: inherit;">This post is about OUD and extremely large static groups whose membership numbers exceed hundreds of thousands or even millions; yes, I said millions. I have been using Directory Services for over 15 years, and the response I typically have for a customer that wants to use very large static groups is: don't do it. Then I steer them toward dynamic groups or even suggest leveraging attributes from user entries. In fact, OUD has a great feature unique to itself called Virtual Static Groups, which is a kind of hybrid between dynamic and static groups and has proved successful for past customers wanting very large groups yet still getting great performance. That said, in this post I am going to break all the rules and say you can have static groups with even millions of members, because of the new static group performance improvements that have come with OUD 11gR2 PS3 (11.1.2.3.0).</span><br>
<a href="http://fusionsecurity.blogspot.com/2016/02/oud-11gr2ps3-very-large-static-groups.html#more">Read more »</a> Posted by Anonymous.

Working with Oracle Unified Directory 11gR2 Transformation Framework (2016-02-08)<div style="background-color: white; color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.4; padding: 5px;">
<h1 style="font-size: 28px; line-height: 1; margin: 5px 0px 2px; padding: 5px;">
Introduction</h1>
If you have been using Oracle’s Identity Management software for at least the last few years, you will probably be familiar with, or at least have heard of, OVD (Oracle Virtual Directory), which was originally acquired back in 2005 from a company called OctetString. OVD provides a vast number of great virtual features used to aggregate multiple backend data stores and present LDAP consumers with a single unified Directory Server. Beginning with OUD version 11.1.2.1.0, a number of virtualization features similar to those provided in OVD have been added. This trend has continued through OUD 11.1.2.3.0, where features such as joining multiple backends were added.</div>
<div style="background-color: white; color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.4; padding: 5px;">
The OUD Transformation Framework can do various things, as presented in the latest documentation, “<a data-mce-href="https://docs.oracle.com/cd/E52734_01/oud/OUDAG/proxy_functionality.htm#OUDAG10795" href="https://docs.oracle.com/cd/E52734_01/oud/OUDAG/proxy_functionality.htm#OUDAG10795" style="color: #1f4f82; text-decoration: none;" target="_top">Understanding the Transformation Framework</a>”, but in order to help illustrate how this feature can really add value, I recently worked with a customer where leveraging a Transformation Rule helped solve a problem. Because the existing documentation is either confusing or lacking, I decided to write this article to help you learn more about the Transformation Framework and how to make it work. An important note: at the time this article was published, using the OUD virtualization features required what is called an “Oracle Directory Services Plus” license (<a data-mce-href="http://www.oracle.com/us/products/middleware/identity-management/oracle-directory-services/overview/index.html" href="http://www.oracle.com/us/products/middleware/identity-management/oracle-directory-services/overview/index.html" style="color: #1f4f82; text-decoration: none;" target="_top">http://www.oracle.com/us/products/middleware/identity-management/oracle-directory-services/overview/index.html</a>). If you have any questions about that, please refer to your local Oracle Sales Representative.</div>
<div style="background-color: white; color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.4; padding: 5px;">
</div>
<a href="http://fusionsecurity.blogspot.com/2016/02/working-with-oracle-unified-directory.html#more">Read more »</a> Posted by Anonymous.

Improve Oracle Unified Directory 11gR2 Search Performance with Index Entry Limit (2016-02-08)<h1 style="background-color: white; color: #313131; font-family: arial, helvetica, sans-serif; font-size: 28px; line-height: 1; margin: 5px 0px 2px; padding: 5px;">
Introduction</h1>
<div style="background-color: white; color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.4; padding: 5px;">
I am always looking for great tips that give big value; this one is no exception. This article helps you understand how to tweak the “Index Entry Limit” index setting to reap some dramatic ldapsearch performance improvements. I explain what this setting is about, some of my own test results, how to determine the correct value, and finally how to apply the index change to your OUD instance. This is a tip you will definitely want to add to your OUD Ninja black bag.</div>
<div style="background-color: white; color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.4; padding: 5px;">
</div>
<a href="http://fusionsecurity.blogspot.com/2016/02/improve-oracle-unified-directory-11gr2.html#more">Read more »</a> Posted by Anonymous.

Automated Policy Synchronization (APS) for OAM Clone Environment (2014-11-18)<div dir="ltr" style="text-align: left;" trbidi="on">
<h1>
Introduction</h1>
<div style="text-align: justify;">
Since the introduction of MDC support in OAM 11g, customers have been asking for automated synchronization between Master and Clone OAM environments. It is supported in OAM R2PS2. Thanks to the development team! Before R2PS2, keeping all the data centers in sync required the T2P process, which is manual, or customers had to write cron jobs to run the T2P process at frequent intervals. Please note that the T2P process is still supported with R2PS2 if that is the preference for some reason.</div>
<div style="text-align: justify;">
</div>
</div><a href="http://fusionsecurity.blogspot.com/2014/11/automated-policy-synchronization-aps.html#more">Read more »</a> Posted by Kiran Thakkar.

Monitoring OAM Environment (2014-11-10)<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Introduction</h2>
<div style="text-align: justify;">
Security systems, including OAM, reside in a dynamic environment where the parameters that affect system performance are ever changing. On top of that, access management infrastructure like OAM serves as the front door or gate to every application and system in an organization. Therefore, continuous monitoring of such key components is mandatory to ensure the continuous success not just of your access and SSO solution but of your very applications themselves. Effective monitoring involves two types of controls: preventive monitoring and detective monitoring. Preventive monitoring makes sure failure does not take place, and detective monitoring helps you detect any failure that has occurred and take corrective measures. OAM has features to facilitate both types of monitoring. We will go over all the monitoring capabilities offered by the product.
</div>
<br>
</div><a href="http://fusionsecurity.blogspot.com/2014/11/monitoring-oam-environment.html#more">Read more »</a> Posted by Kiran Thakkar.

OIM Access Policy Harvesting (2014-11-06)
OIM R2 PS2 delivers long-awaited functionality: access policy harvesting. This new feature adds more flexibility to the usage of OIM access policies. <br>
<br>
This is another post in the Oracle Identity Manager Academy from the Fusion Security Blog. For the entire post list, click <a href="http://fusionsecurity.blogspot.com/2011/06/oracle-identity-manager-academy-from.html" target="_blank">here</a>.<br>
<a href="http://fusionsecurity.blogspot.com/2014/11/oim-access-policy-harvesting.html#more">Read more »</a> Posted by Daniel Gralewski.

Implementing a Custom Landing Page in OIM (2014-11-05)<div class="separator" style="clear: both; text-align: center;">
</div>
Some of our OIM customers have a use-case of implementing a custom
landing page. Such a landing page could be used for multiple purposes,
for example – to display some static information like guidelines for
using the system or dynamic information like system news, new features,
releases etc.<br>
OIM 11gR2 PS2 provides a convenient way of implementing this use-case and it is the subject of this post.<br>
<br>
<a href="http://fusionsecurity.blogspot.com/2014/11/implementing-custom-landing-page-in-oim.html#more">Read more »</a> Posted by Anonymous.

Part 2: Custom Login and Logout with Detached Credential Collector (DCC) (2014-10-14)<h1>
INTRODUCTION</h1>
This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. <a href="http://www.ateam-oracle.com/oracle-access-manager-academy-from-the-fusion-security-blog/" target="_blank">An index to the entire series with links to each of the separate posts is available</a>.
In <a href="http://fusionsecurity.blogspot.com/2014/09/part-1-getting-under-covers-of-detached.html" target="_blank" title="Part 1: Getting under the covers of Detached Credential Collector (DCC)">Part 1: Getting under the covers of Detached Credential Collector (DCC)</a>, I spent time talking about DCC in general and walked through a sequence diagram explaining what happens with DCC, to try and explain how it works, including contrasting it with ECC. So in this blog, Part 2, I want to expand into a more practical angle on the requirements of a totally custom login and logout. Creating a custom login and logout does not require the Perl scripts login.pl or logout.pl, though these are perfectly good options and can also be customized. If you do want to take the route of using the OAM out-of-the-box Perl scripts, you can find more information about them and their implementation in the Oracle Developer Guide for OAM 11g (11.1.2), section <a href="http://docs.oracle.com/cd/E27559_01/dev.1112/e27134/custpages.htm#CJABIDDC" target="_blank">4.4 Developing User the Detached Credential Collector</a>, or see Debasish Bhattacharya’s blog article <a href="http://www.ateam-oracle.com/detached-credential-collector-configuration-oam-11gr2/" target="_blank">Detached Credential Collector Configuration --- OAM 11gR2</a>. Moving forward, and as promised, I am going to guide you on how to create a totally custom login and logout using DCC without requiring any hardcore developer skills --- I promise.
<br>
<a href="http://fusionsecurity.blogspot.com/2014/10/part-2-custom-login-and-logout-with.html#more">Read more »</a> Posted by Anonymous.

OAM Post Authentication operation (2014-10-14)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoTitle" style="text-align: left;">
<span style="text-align: justify;">Since the OAM 10g days, keeping track of the protected resource that the user wanted to access throughout a custom authentication process has been a challenge. In OAM 10g, it was possible to create a custom OBFormLoginCookie to overcome that challenge. With the introduction of the encrypted OAM_REQ cookie in OAM 11g, that is no longer feasible, which makes it difficult to do post-authentication operations or any customizations in the authentication process.</span></div>
<div class="MsoTitle">
<span style="text-align: justify;"><br></span></div>
<div class="MsoNormal" style="text-align: justify;">
OAM 11gR2 introduced a feature where you can redirect the user to a URL after successful authentication (the On Authentication Success event in the authentication policy, as defined in the screenshot below). While doing that redirect, OAM adds the end_url query parameter to the URL, with the value of the protected resource that the user tried to access. You can do any post-authentication processing required on the Authentication Success URL and then redirect the user to end_url.<br>
<br>
</div></div><a href="http://fusionsecurity.blogspot.com/2014/10/oam-post-authentication-operation.html#more">Read more »</a> Posted by Kiran Thakkar.

A Beginner's HowTo on Social Federation with OAM Mobile & Social (2014-10-14)<h2>
Introduction </h2>
<br>
Social Federation: a somewhat fancy name for a simple concept. We
want to leverage identities in Social Network providers in our own
applications. For example, granting access to either cloud or on-premise
applications to end users using their Google identities. In this post
we're going to take a close look at the necessary configuration in OAM
M&S (Oracle Access Manager Mobile & Social) server to have Java
Web applications leveraging Google and LinkedIn identities.<br>
<br>
Conceptually, this is indeed very similar to the SAML-based federation model. The difference is that we are now dealing with different protocols, like OpenID and OAuth. And the main appeal of federation remains the acceptance of third-party identities by a service provider (a.k.a. relying party) without the need to store end user passwords locally.<br>
<br>
<a href="http://fusionsecurity.blogspot.com/2014/10/a-beginners-howto-on-social-federation.html#more">Read more »</a> Posted by Andre Correa.

Exposing User System Attributes in OIM 11gR2PS2 GUI Customization (2014-09-26)<h3>
Introduction</h3>
<br>
Recently while working with a customer to help with an upgrade from OIM 11gR1 to 11gR2PS2, one interesting request came up regarding OIM GUI customization.<br>
<br>
The requirement was to expose some User System Attributes that in R1 were directly available in the GUI customization data but in R2 are not exposed in the GUI Customization options.<br>
<br>
There is a way in R2 to easily expose the data using a custom Managed Bean along with some GUI tweaks.<br>
<br>
The process for customizing the OIM UI is easy enough and well documented in the <a href="http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/uicust.htm" target="_blank">OIM Customization Guide</a>.<br>
<br>
The following content takes you through the steps for exposing the User System Attributes.<br>
<br>
<a href="http://fusionsecurity.blogspot.com/2014/09/exposing-user-system-attributes-in-oim.html#more">Read more »</a> Posted by Unknown.

Part 1: Getting under the covers of Detached Credential Collector (DCC) (2014-09-18)<h1>
Introduction</h1>
This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. <a href="http://www.ateam-oracle.com/oracle-access-manager-academy-from-the-fusion-security-blog/" target="_blank">An index to the entire series with links to each of the separate posts is available</a>.
The Detached Credential Collector (DCC) feature was introduced with the release of OAM 11gR2 --- 11.1.2.0.0. DCC brought some very interesting changes to the authentication model that in my opinion are very welcome; more on that later. There is already Oracle documentation out there on this feature, along with an A-Team blog article Debasish Bhattacharya created, <a href="http://fusionsecurity.blogspot.com/2012/10/dcc-configuration-11gr2.html" target="_blank">(Detached Credential Collector Configuration – OAM 11GR2)</a>, which adds some more insight on configuring DCC. This blog is to enlighten everyone with some more information on what is going on with DCC, both for login and logout. Then in <strong>Part 2 – Custom Login and Logout with Detached Credential Collector</strong>, I want to clear up the confusion of those who think DCC can only be used with the Oracle-supplied login.pl and logout.pl Perl scripts; that is far from the truth. So let’s dig in and expose some of the mysteries of the Detached Credential Collector.
<br>
<a href="http://fusionsecurity.blogspot.com/2014/09/part-1-getting-under-covers-of-detached.html#more">Read more »</a> Posted by Anonymous.

Understanding OAM 11g ASDK Configuration and Cert Requirements (2014-07-28)
<span style="color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 19px;">Oracle provides documentation on developing an Access Client for the OAM 11g ASDK (</span><a href="http://docs.oracle.com/cd/E40329_01/dev.1112/e27134/as_api.htm%23autoId0" style="color: #1f4f82; font-family: Arial, Helvetica, sans-serif; font-size: 14px; font-weight: bold; line-height: 19px; text-decoration: none;" target="_blank">http://docs.oracle.com/cd/E40329_01/dev.1112/e27134/as_api.htm#autoId0</a><span style="color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 19px;">), but getting it to work can be challenging when running the Access Servers in Simple or Cert Mode. In this article I will not explain how to create an Access Client; there are already good examples out there for that. What I want to cover is the correct structure of the Access Client configuration, including all the required files and code snippets, to hopefully save you a lot of time.</span><br>
<a href="http://fusionsecurity.blogspot.com/2014/07/understanding-oam-11g-asdk.html#more">Read more »</a> Posted by Anonymous.

Monitoring OIM R2 PS2 Orchestration (2014-06-25)
The OIM R2 PS2 (11.1.2.2.0) release provides a great new feature: monitoring of OIM orchestration processes through the Enterprise Manager console.<br>
<br>
This feature provides the capability of querying orchestration data to check orchestration process details. For example, you can check what happened during a user modification operation, or you can get details of failed orchestration processes; such details can help you fix issues in your environment. It is also possible to check configuration information, like which event handlers are defined for a specific orchestration process.<br>
<a href="http://fusionsecurity.blogspot.com/2014/06/monitoring-oim-r2-ps2-orchestration.html#more">Read more »</a> Posted by Daniel Gralewski.

Presenting the new IDM Deployment Wizard (2014-06-05)<h3>
Introduction</h3>
<div>
<div>
With the recent IDM 11gR2PS2 release Oracle has developed a new deployment tool that aims to automate and reduce the time required to install and configure Oracle Identity and Access Management Components.</div>
<div>
<br></div>
<div>
In this post we are going to present the benefits, supported topologies and components, and key points to keep in mind to conduct a successful IDM deployment.</div>
</div>
<div>
<br>
</div><a href="http://fusionsecurity.blogspot.com/2014/06/presenting-new-idm-deployment-wizard.html#more">Read more »</a> Posted by Unknown.

Logging in OIM custom code (2014-06-05)
Proper logging is one of the main considerations during custom development. This is no different in OIM projects in which custom code is being developed and deployed to OIM. Proper logging is a fundamental part of development, helping to find and fix issues and also to report relevant runtime conditions.<br>
<br>
This post shows how to leverage the Oracle Fusion Middleware infrastructure in which OIM runs in order to create proper logging information from custom code. It is not the intent of this post to cover all logging considerations; there are plenty of materials on the internet and book stores to cover the basics.<br>
<a href="http://fusionsecurity.blogspot.com/2014/06/logging-in-oim-custom-code.html#more">Read more »</a> Posted by Daniel Gralewski.

OAG/OES Integration for Web API Security: skin and guts (2014-05-23)<h3>
Introduction</h3>
<span style="font-family: Helvetica; font-size: 14px;"><br></span>
<span style="font-family: Helvetica; font-size: 14px;">When it comes to defining a strategy for web API security, OAG (Oracle API Gateway) and OES (Oracle Entitlements Server) together present a very interesting choice and are a very powerful combination indeed.</span><br>
<span style="font-family: Helvetica; font-size: 14px;"><br></span>
<span style="font-family: Helvetica; font-size: 14px;">In this post we're going to take a look at what each component brings in (the skin) and then get our hands on actually describing the integration in detail (the guts).</span><br>
<span style="font-family: Helvetica; font-size: 14px;"><br></span>
<span style="font-family: Helvetica; font-size: 14px;">OAG is designed to inspect and act on various types of messages that are delivered to it or just pass through it. It's usually positioned to be deployed in the DMZ (the De-Militarized Zone) within corporate networks. As such, it can block malicious traffic, authenticate users with a variety of protocols, integrate with anti-virus products, and perform message throttling, thus delivering only the good stuff to your intranet servers and also off-loading them, decisively contributing to achieving some IT operational SLAs. More than that, OAG can switch protocols and transform messages. For instance, an organization may have SOAP-based web services and want to expose them as REST without any re-writing. Or implement SAML federation without touching origin systems. Or talk Kerberos or OAuth with clients and speak SAML with back-end servers. Or use it as an FTP server so that incoming files are immediately sent to a processing pipeline. The possibilities are numerous. Having mentioned these few features and examples, it's not unreasonable to think of deploying OAG inside intranets. And that's not unusual, actually. It is a nice bridge with obvious benefits.</span><br>
<div style="font-family: Helvetica; font-size: 14px;">
<br>
OES is designed to provide fine-grained authorization with externalized policies to client applications. It takes the coding of access decisions away from developers. Besides the obvious security benefit, it shortens the change cycle when a new security policy needs to be deployed: you simply avoid going through all the phases required for re-deploying your application just because of that change. It's true the new policy needs testing, but that's nowhere near what it takes to re-deploy a new application version. The time to market is drastically reduced. Now to the fine-grained part. OES can take a number of aspects into consideration when authorizing: the user identity, user roles, user attributes, context information about the request being made (like originating IP address), factors external to the request (like time of day, day of week, etc.) and, of course, request data. Combined, those make it a very powerful authorization engine. It's no coincidence that OES is the component behind OAM's (Oracle Access Manager) authorization engine.<br>
<br>
While OAG itself brings in authorization capabilities, in this field OES offers a much richer model. And if the organization already employs OES elsewhere, integrating it with OAG makes a lot of sense, because we end up with a single and consistent approach for authorization across applications.</div>
<div>
<br>
</div><a href="http://fusionsecurity.blogspot.com/2014/05/oagoes-integration-for-web-api-security.html#more">Read more »</a> Posted by Andre Correa.

How To Display A Custom Error Page When the Access Server Is Down? (2014-05-06)<div style="color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 19px; padding: 5px;">
I have been asked several times over the years if there is a way to customize the following error message a User is presented in their Internet browser when the WebGate fails to contact any of the Access Servers.</div>
<div data-mce-style="padding-left: 30px;" style="color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 19px; padding: 5px 5px 5px 30px;">
<b>Oracle Access Manager Operation Error</b></div>
<div data-mce-style="padding-left: 30px;" style="color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 19px; padding: 5px 5px 5px 30px;">
The WebGate plug-in is unable to contact any Access Servers.</div>
<div data-mce-style="padding-left: 30px;" style="color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 19px; padding: 5px 5px 5px 30px;">
Contact your website administrator to remedy this problem.</div>
<div style="color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 19px; padding: 5px;">
Though this error is without a doubt accurate, many clients would rather display something a little more friendly, or have other reasons to change it. Interestingly, this error message has been the same going back to the early days of OAM when it was still Oblix. Incidentally, there is a great My Oracle Support document, 555137.1, that provides steps on how to customize the error message, but it refers to OAM 10g. So this raises the question: will this work with the newer OAM 11g, and more specifically with 11g WebGates? I am here to say, “Yes, it does”; I have tested it, and this article covers this option and a bit more.</div>
<div style="color: #313131; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 19px; padding: 5px;">
</div>
<a href="http://fusionsecurity.blogspot.com/2014/05/how-to-display-custom-error-page-when.html#more">Read more »</a> Posted by Anonymous.

Identity Propagation from OAG to REST APIs protected by OWSM (2014-04-17)<h2>
Introduction</h2>
<br>
This post describes the necessary configuration for propagating an end user identity from OAG (Oracle API Gateway) to REST APIs protected by OWSM (Oracle Web Services Manager).<br>
The requirements are:<br>
<br>
1) Have a Java Subject established in the REST API implementation.<br>
2) Prevent direct access to the REST API, i.e., only OAG should be able to successfully invoke it.<br>
<br>
A recurrent question is how OWSM protects REST APIs and which types of tokens it supports when doing so.<br>
If we look at the current OWSM (11.1.1.7) <a href="http://docs.oracle.com/cd/E29542_01/web.1111/b32511/policies.htm" target="_blank">predefined policies</a>, we notice a policy named<br>
oracle/multi_token_rest_service_policy, described (verbatim) as:<br>
<br>
<i>"This policy enforces one of the following authentication policies, based on the token sent by the client:</i><br>
<i><br></i>
<i>HTTP Basic—Extracts username and password credentials from the HTTP header.</i><br>
<i><br></i>
<i>SAML 2.0 Bearer token in the HTTP header—Extracts SAML 2.0 Bearer assertion in the HTTP header.</i><br>
<i><br></i>
<i>HTTP OAM security—Verifies that the OAM agent has authenticated user and establishes identity.</i><br>
<i><br></i>
<i>SPNEGO over HTTP security—Extracts Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) Kerberos token from the HTTP header."</i><br>
<br>
In this specific use case, we are assuming the end user has already been authenticated by some other means before reaching OAG. In other words, we are assuming OAG gets some sort of token and validates the user locally, thus populating its authentication.subject.id attribute. This token OAG receives can be an OAM token, a Kerberos token, a SAML token, you name it. It is a matter of a design decision based on OAG's client capabilities.<br>
<br>
In a use case like this, it's very unlikely that OAG will have the end user password, which eliminates the HTTP Basic header option. The remaining three are all good candidates. In this post we deal with a SAML 2.0 Bearer token in the HTTP Header. Our flow ends up being something like this: OAG Client -> "some token" -> OAG -> SAML 2.0 Bearer -> OWSM -> REST API.<br>
<br>
We're going to examine all necessary configuration in OAG, OWSM and in the REST API application. Buckle up, folks! And let's do it backwards.<br>
<div>
<br>
</div>
<a href="http://fusionsecurity.blogspot.com/2014/04/identity-propagation-from-oag-to-rest.html#more">Read more »</a>
Andre Correa http://www.blogger.com/profile/02002324440974871079 noreply@blogger.com 0 tag:blogger.com,1999:blog-1816408742331555186.post-1932645163055343521 2014-03-17T08:15:00.001-07:00 2014-03-17T08:15:41.751-07:00
Part 2: Advanced Apache JMeter Stress Testing OAM and LDAP
In “<a href="http://fusionsecurity.blogspot.com/2013/09/part-1-how-to-load-test-oam11g-using.html" target="_blank">Part 1: How To Load Test OAM11g using Apache JMeter</a>” I talked about an example plan that could be used to load test OAM11g, which included some common configuration elements, some samplers for login, authorization and logout, and some listeners that provided result analysis. In Part 2, I wanted to expand on an option to make JMeter send random logins (and explain why), and then cover how to leverage JMeter to load test an LDAP server like OUD, OID, ODSE, or OVD.<br>
<br>
<br>
<a href="http://fusionsecurity.blogspot.com/2014/03/part-2-advanced-apache-jmeter-stress.html#more">Read more »</a>
Anonymous http://www.blogger.com/profile/07154533669825288611 noreply@blogger.com 0 tag:blogger.com,1999:blog-1816408742331555186.post-5906354972886510952 2014-03-05T01:00:00.000-08:00 2014-03-05T01:00:01.513-08:00
Strategies for managing OAAM to OAM connections in production
<div dir="ltr" style="text-align: left;" trbidi="on">
Many Oracle Access Management 11g customers opt to deploy a combination of Oracle Access Manager and Oracle Adaptive Access Manager using the Advanced Integration option. This combination of product features can provide strong, adaptive authentication and fraud mitigation for online applications. In this post, we examine a number of strategies for configuring the connectivity between these components in order to provide scalability and high availability for production deployments. <br>
</div>
<a href="http://fusionsecurity.blogspot.com/2014/03/strategies-for-managing-oaam-to-oam.html#more">Read more »</a>
Rob Otto http://www.blogger.com/profile/05129932765232969521 noreply@blogger.com 0 tag:blogger.com,1999:blog-1816408742331555186.post-6250427136006653137 2014-02-13T11:38:00.000-08:00 2014-02-17T15:50:01.070-08:00
Oracle Access Manager - What's new in PS2
<div id="Introduction">
<br></div>
Oracle Access Manager 11gR2 - PS2 is now out! This post will cover some of the new features in PS2.<br>
There are six new features I will discuss:<br>
<ul data-mce-style="list-style-type: disc;" style="list-style-type: disc;">
<li>Dynamic Authentication</li>
<li>Persistent Login (Remember Me)</li>
<li>Policy Evaluation Ordering</li>
<li>Delegated Administration</li>
<li>Unified Administration Console</li>
<li>Session Management<ul data-mce-style="list-style-type: circle;" style="list-style-type: circle;">
<li>Granular Idle Timeout</li>
<li>Client Cookie based Session</li>
</ul>
</li></ul>
<a href="http://fusionsecurity.blogspot.com/2014/02/oracle-access-manager-whats-new-in-ps2.html#more">Read more »</a>
Anonymous http://www.blogger.com/profile/17509918852772061629 noreply@blogger.com 0 tag:blogger.com,1999:blog-1816408742331555186.post-780975240653338674 2014-01-27T08:00:00.000-08:00 2014-01-27T08:00:00.233-08:00
OIM monitoring check-list
Systematic monitoring of OIM deployments helps reduce the risk of both technical and security-related issues. It can also help avoid the performance degradation that data growth over time can cause.
This post presents a set of topics about OIM and WebLogic monitoring, and it presents tools that can be used for both monitoring and diagnostics. This list is not intended to replace any official product documentation; instead, it should be used in conjunction with it.<br>
<br>
This is another post in the OIM academy series. You can check the complete series <a href="http://fusionsecurity.blogspot.com/2011/06/oracle-identity-manager-academy-from.html" target="_blank">here</a>.<br>
<br>
<a href="http://fusionsecurity.blogspot.com/2014/01/oim-monitoring-check-list.html#more">Read more »</a>
Daniel Gralewski http://www.blogger.com/profile/05627459432973623605 noreply@blogger.com 0 tag:blogger.com,1999:blog-1816408742331555186.post-657300350632251756 2014-01-24T14:57:00.000-08:00 2014-01-24T14:57:46.351-08:00
Multi-Data Center Implementation in Oracle Access Manager
<div id="Main_Article">
For obvious reasons, there is a high demand for a Multi-Data Center (MDC) topology, which is now supported in Oracle Access Manager (OAM) 11g. This post discusses some of the features of MDC and provides some detailed steps on how to clone a secondary data center. This post is based on the R2PS1 code base. With PS2 there are some new features that I will cover below. Here is the PS2 document <a data-mce-href="http://docs.oracle.com/cd/E40329_01/index.htm " href="http://docs.oracle.com/cd/E40329_01/index.htm" target="_blank">library</a> for reference. </div>
<a href="http://fusionsecurity.blogspot.com/2014/01/multi-data-center-implemenation-in.html#more">Read more »</a>
Anonymous http://www.blogger.com/profile/17509918852772061629 noreply@blogger.com 0