Showing posts with label oam 11g academy. Show all posts

Friday, February 12, 2016

OAM 11g Webgate Tuning

Introduction

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.
People are typically introduced to Webgate tuning in one of two ways: either forced into it by a crisis, or actively preparing an environment for aggressive load testing.  Hopefully you are in the latter group.  Unfortunately, there is still a lot of mystery around tuning some of these Webgate parameters, and writing a comprehensive article that covers every aspect of tuning is a real challenge.  That said, this article focuses on what I feel are the most important tuning parameters: 1) Max Connections, including the relationship between Max Connections and Max Number of Connections, 2) the Failover Threshold, and 3) the AAA Timeout Threshold.  If you can grasp the concepts behind these few key parameters, your chances of getting better performance and stability out of the Webgates and Access Servers will greatly increase.

Tuesday, October 14, 2014

Part 2: Custom Login and Logout with Detached Credential Collector (DCC)

INTRODUCTION

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available. In Part 1: Getting under the covers of Detached Credential Collector (DCC), I spent time talking about DCC in general and walked through a sequence diagram explaining what happens with DCC, to try to explain how it works, including contrasting it with ECC. So in this blog, Part 2, I want to take a more practical angle on the requirements of a totally custom login and logout. Creating a custom login and logout does not require the Perl scripts login.pl or logout.pl, though these are perfectly good options and can also be customized. If you do want to take the route of using the OAM out-of-the-box Perl scripts, you can find more information about them and their implementation in the Oracle Developer Guide for OAM 11g (11.1.2), section 4.4, Developing Using the Detached Credential Collector, or see Debasish Bhattacharya’s blog article Detached Credential Collector Configuration --- OAM 11gR2. Moving forward, and as promised, I am going to guide you through creating a totally custom login and logout using DCC without requiring any hardcore developer skills --- I promise.

Wednesday, January 15, 2014

OAM LDAP connections through firewalls

In a previous post, we discussed some of the complications that can occur when a firewall is placed between WebGates and OAM Servers in a typical deployment. This post follows on from that discussion to explore an analogous topic: firewalls between the OAM Server and the LDAP Identity Store. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Friday, December 13, 2013

OAM WebGate connections through firewalls

In this post, we investigate a complication that can occur if you require a firewall between your WebGate agents and your OAM 11g servers within your deployment topology. We provide some guidance related to how to configure your WebGates in this case. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Wednesday, December 11, 2013

How to (correctly) make manual edits to oam-config.xml

Occasionally, it is necessary to make changes to OAM 11g configuration by directly updating the oam-config.xml file, rather than using the OAM console.  In this post, we describe the correct way to make changes to this file. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Thursday, September 19, 2013

A first look at POST data preservation in OAM 11g R2 PS1

In this post, we have a quick look at POST data preservation, a new feature introduced in the 11g R2 PS1 (or 11.1.2.1) version of Oracle Access Manager. We'll explain the problem that this feature solves and walk through a simple example explaining how to configure and use the feature. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Monday, July 15, 2013

OAM 11g Custom Authentication Plugins: Interacting with the Identity Store


The OAM 11g release includes a powerful authentication plugin framework, which can be used to extend the out-of-the-box authentication schemes, or to implement something completely custom. In this post, we explore how an authentication plugin can interact with the underlying LDAP Identity Store, via a simple example. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Monday, March 11, 2013

OAM 11g Custom Authentication Plugins: Collecting additional credentials

One of the things that OAM 11g does a very good job of is enabling LDAP-based user authentication, based on collecting username and password from a login form. I've seen a lot of questions from the field relating to how to handle more complex, multi-step or multi-factor authentication scenarios and while this post is certainly not intended to be exhaustive regarding this topic, I will go through a fairly common scenario on which most multi-factor authentication processes will depend: returning the user to the login page to collect additional credentials.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Monday, February 18, 2013

Part 3: OAM11g WNA Identity Store Considerations and Configurations

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

This is the final post of a three-part series.  In "Part 1: Under the Covers of OAM11g WNA integration with Multiple AD Forests", I covered the flow of how WNA works and what goes on behind the scenes, and in "Part 2: How to Configure OAM11g WNA for Multiple AD Forests", I went into detail on how to configure WNA.  In this final post I am going to go over what I think are the two most common ways the OAM11g Identity Store is used with WNA, and how each affects the Kerberos authentication module configuration.

Thursday, February 14, 2013

Part 2: How to Configure OAM11g WNA for Multiple AD Forests

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy.  An index to the entire series with links to each of the separate posts is available.

This is the second post of a three-part series.  In "Part 1: Under the Covers of OAM11g WNA integration with Multiple AD Forests", I covered the flow of how WNA works and what was going on behind the scenes.  This article covers the technical details of how to implement WNA in a way that supports multiple Active Directory forests, whether they have no transitive trust between them or are all trusted; in either case this will work for you.

Before we get into the details of how to set up WNA for multiple Active Directory domains, I want to point out that I will use a straw man of three Active Directory KDC servers so you can understand any additional steps needed to support more than one KDC.  The same approach also works for as few as one domain or for more than three domains; simply extrapolate the steps to fit your requirements, and I will comment where necessary.

Tuesday, February 12, 2013

Part 1: Under the Covers of OAM11g WNA integration with Multiple AD Forests

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

This is the first post of a three-part series that expands on a great article Matt wrote --- “The (Windows) Natives Are Restless”. Matt’s article covered some configurations, browser settings, and some examples of role mapping, but I want to dive into the whole WNA solution a lot more. So Part 1 will cover just what the title alludes to, Under the Covers of the WNA integration with Multiple Active Directory Forests; Part 2 will cover the details of the WNA configuration needed to make it work against multiple untrusted or trusted domains; and finally Part 3 will give some highlights on leveraging OVD11g to pull it all together and make sure WNA can find the correct user across multiple forests.

Monday, December 17, 2012

Unsolicited login with OAM 11gR2

In a previous post Chris Johnson discussed unsolicited login with OAM 11g.

In OAM 11gR2 this functionality is supported out of the box and with little effort you can implement Unsolicited Login.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

If you're interested to authenticate using unsolicited POST, please read on…

Wednesday, December 12, 2012

Password Policy in OAM 11g R2

One of the features in the new 11g R2 (or 11.1.2) release of Oracle Access Manager that has been most eagerly anticipated is support for password policy within the OAM product; that is, the ability for OAM itself to support a subset of password management processes without the need to use Oracle Identity Manager and LDAP Sync. In this post, I'd like to explore this functionality in a little more detail and also explore exactly which use cases are supported.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Wednesday, November 28, 2012

Protecting Intranet and Extranet Applications with a Single OAM 11g Deployment

I frequently get asked how to setup a single OAM deployment to protect both intranet and extranet apps. Today I’d like to explore the issues and solutions around such a setup.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Monday, October 8, 2012

OAM and OIM 11g Academies

As many of you know, last year we created indexes of posts on OAM and OIM 11g R2 that we call OAM 11g Academy and OIM 11g Academy.

These indexes contain the articles we’ve written that we believe provide long lasting guidance on OAM and OIM.  Posts covered in these series include articles on key aspects of OAM and OIM 11g, best practice architectural guidance, integrations, and customizations.

It is our hope that these series will prove valuable to new and experienced architects, implementers, and administrators of OAM and OIM.

Thursday, October 4, 2012

Patch Management of an Oracle Identity Management Deployment

Today I’d like to discuss a very important topic, which is patch management in an Oracle IDM/IAM deployment.  Patching seems like a pretty basic topic.  It is often taken for granted.  However, experience has shown me that patching is a frequent source of confusion for many enterprise software customers, including those deploying the Oracle Identity Management stack.

So, I thought I’d address some common questions / topics related to patching so that people have a better understanding of what patches to apply to their environments and when to apply them. 

This post is a part of both the OAM 11g academy and OIM 11g academy series.

Thursday, May 31, 2012

Sample External Login.jsp page for Oracle Access Manager 11g

One of the more popular posts on our blog was a post I made a while back about how to configure OAM 11g to use an externally hosted custom login page and how to write such a login page.

When I originally wrote that post I included only snippets from a JSP page that represents an external OAM login form.

I have updated that post with a full sample login.jsp that functions as an external login form for OAM 11g.  The code is also included below.

To review, to work as an external login form the login page code must do the following:

• You need to post back to the OAM server to the URI: “/oam/server/auth_cred_submit”. Note that in my sample, I’m posting to a load balancer VIP over SSL which will route the post to one of the OAM servers in my cluster.

• You need to post variables “username” and “password”

• You need code that will grab the request_id off of the query string and post it (as a hidden form variable) as well.

The Code

    <%@ page contentType="text/html; charset=iso-8859-1" language="java" %>
    <%!
    // Minimal HTML escaping for the two values reflected into the page (error and
    // request_id). Both arrive on the query string, so without escaping this page
    // is a reflected XSS sink on the login form itself.
    private static String esc(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    %>
    <%
    // OAM redirects the browser here with request_id (and optionally error) on the query string.
    String error = request.getParameter("error");
    if (error == null || "null".equals(error)) {   // compare strings with equals(), not ==
        error = "";
    }
    String reqId = request.getParameter("request_id");
    if (reqId == null) {
        reqId = "";
    }
    %>
    <html>
    <head>
    <title>User Login JSP</title>
    <script>
    function trim(s)
    {
    return s.replace( /^\s*/, "" ).replace( /\s*$/, "" );
    }

    // The field names here must match the form inputs below (username / password),
    // which are the parameter names OAM expects at /oam/server/auth_cred_submit.
    function validate()
    {
    if(trim(document.frmLogin.username.value)=="")
    {
    alert("Login empty");
    document.frmLogin.username.focus();
    return false;
    }
    else if(trim(document.frmLogin.password.value)=="")
    {
    alert("password empty");
    document.frmLogin.password.focus();
    return false;
    }
    return true;
    }
    </script>
    </head>

    <body>
    <p>Acme Clinical Applications Login Screen - OAM edition</p>
    <p>
      &nbsp;
    </p>
    <div><%=esc(error)%></div>
    <!-- Credentials are posted over SSL to the load balancer VIP in front of the OAM cluster -->
    <form name="frmLogin" onSubmit="return validate();" action="https://authbootcamp.us.oracle.com/oam/server/auth_cred_submit" method="post">
      <p>
        User Name<input type="text" name="username"/><br/>Password &nbsp;<input type="password" name="password"/>
        <input name="request_id" value="<%=esc(reqId)%>" type="hidden">  <br/>
      </p>
      <p>
        <input type="submit" name="sSubmit" value="Submit"/>
      </p>
    </form>
    </body>
    </html>

Thursday, May 24, 2012

Deploying OAM 11g Correctly Part 2 – Logins and SSL

This is another post in our OAM 11g Academy series. To view the first post in the series which will be updated throughout to contain links to the entire series, click here: http://fusionsecurity.blogspot.com/2011/02/oracle-access-manager-11g-academy.html

A couple months ago Chris wrote a good post about the best way to deploy OAM from a web server / network architecture point of view.

Today, I’d like to touch on a very important but overlooked aspect of OAM deployments which is whether or not to use SSL between the web server and OAM. The product documentation and broader OAM writings out there in the community do a good job of describing the webgate to OAM server communication (OAP) security modes of open vs. simple vs. cert mode. However, what is completely neglected is the discussion of whether or not to use SSL between the web server and OAM.

Tuesday, April 3, 2012

Unsolicited login with OAM 11g

In a previous post I talked a little about protecting only a part of an application with OAM. I included this bit of text describing the use case:
But what if you want to let users access part of the app anonymously, but require them to log in to access some of the app's features? I don't know what anyone else calls this sort of flow, but I call it the shopping cart model (browse around tossing stuff in your cart, then sign in to check out).

That post talked about how to support the "shopping cart" login model with OAM if you're using ADF, but what if you're trying to accomplish that with plain old HTML or something else?

Friday, March 23, 2012

Deploying OAM "correctly"

On the internal mailing lists there's often a question that goes something like:
I want to deploy OAM like this:

Is this supported?
The answer is "If you really want to do that then yes. But you probably shouldn't do it that way."

Read on for why.