IS and IS NOT but COULD BE

FAQ/Troubleshooting

■ The UIO Apache Proxy is not working or not intercepting requests.

Problem: The following error appears:

    Failed to create session in memcached, err = 70015Could not find specified socket in poll list.
    proxy - Failed to create session, cannot process this request
    distsessions - memcache server localhost create failed 111

Possible Solutions:
■ Make sure memcache is installed and configured.
■ Make sure the memcache process is up and running before creating the session.

Oracle Adaptive Access Manager Debug Mode

In debug mode, the value of any variable--user name, password, and any other information--is not displayed. In capture mode, the HTTP traffic is shown. Therefore, capture mode is not recommended in production.

In-Session/Transaction Analysis

The UIO Proxy is a solution for login security only. It does not support in-session capabilities. Options are provided below based on possible requirements:
■ If you are using a packaged application that you do not have access to alter/integrate with, the UIO Proxy or Oracle Access Manager are options for real-time/in-line use cases like anti-malware, anti-phishing, and risk-based authentication in the login flow.
■ If you have the ability to integrate with the application and require in-session/transactional use cases, then consider native integration. This is the most flexible option for this case.
■ If you want in-session/transactional use cases but do not have the ability to integrate with the application, a custom option could potentially be possible using either Oracle Adaptive Access Manager offline 10g or Oracle Adaptive Access Manager with a listener.

No Changes in Proxy in 11g

Question/Problem: Are there changes between 10g and 11g for the UIO Proxy?

Answer/Solution: There have been no changes in the proxy between 10g and 11g. There is no dependency on OHS etc. The user has to use Apache 2.2.8 only.
Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager

Adding appid to HTTP Headers

Question/Problem: In TestConfig.xml, should we be adding appid to HTTP headers for both the PSFT URLs and the asa URLs?

Answer/Solution: No, just to the asa URLs. The app-id should be added only to the asa URLs; it is not needed for the PSFT URLs.

Contains Match

Question/Problem: Should a condition with contains match if there is an exact match?

Answer/Solution: Yes.

Request URL

Question/Problem: Can the request URL be a partial URL, such as just the first part of the URL?

Answer/Solution: No. The URL must be an exact match. Query parameters (anything after a ?) are not considered part of the URL, so they must be trapped with a condition and not included as part of the URL.
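The matching rules in the two answers above can be modelled as follows. This is an added example, not code or configuration from the UIO Proxy: the rule fields, sample URLs and function names are hypothetical, and it assumes the configured URL is compared against the request path. It also flags a rule whose URL embeds a query string, which under these semantics would never match and would leave that request unintercepted.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample rules; field names are hypothetical, not TestConfig.xml syntax.
RULES = [
    {"id": "login", "url": "/app/login.do", "contains": {"cmd": "login"}},
    {"id": "bad", "url": "/app/login.do?cmd=login", "contains": {}},
]

def contains_condition(params, name, needle):
    """'Contains' is a substring test, so an exact match also satisfies it."""
    return any(needle in value for value in params.get(name, []))

def interceptor_fires(rule, request_target):
    """Exact match on the URL without its query string, then the conditions."""
    parts = urlsplit(request_target)
    if parts.path != rule["url"]:
        return False  # partial URLs and URLs with extra segments do not match
    params = parse_qs(parts.query, keep_blank_values=True)
    return all(contains_condition(params, n, v)
               for n, v in rule["contains"].items())

def unreachable_rules(rules):
    """Rules whose URL carries a query string can never match in this model."""
    return [r["id"] for r in rules if "?" in r["url"]]
```
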

23.4 Knowledge-Based Authentication

Prompt a User with Two Challenge Questions

Question/Problem: I would like to prompt a user with two challenge questions when they attempt to log on from a new device. How can this be achieved given that the questions are randomly picked, raising the possibility that the same question may be displayed twice?

Answer/Solution: The OAAM one-question-at-a-time flow is by design. It is better security practice to present one question and only show the next question once the user has successfully answered the challenge. This protects the questions from being harvested for use in a phishing exercise. In addition, OAAM allows users to have multiple attempts at a question, which entails keeping track of how many wrong answers they have entered. If more than one question were displayed at a time, this would be difficult to maintain and possibly confusing to end users.

If you want to challenge a user with more than one question, you should do so by presenting them in separate sequential screens. OAAM does not support authentication of more than one question at a time.
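A sketch of the sequential flow described in the answer above, as an added example rather than OAAM code: the class, its method names, the attempt limit of three (counted per question) and the sample questions are all assumptions made for illustration. Questions are drawn without replacement, so the same one cannot be shown twice, and the second question is not revealed until the first is answered correctly.

```python
import hmac
import random

# Constructed sample data: one user's registered questions and answers.
REGISTERED = {
    "What was the name of your first school?": "Hillcrest",
    "What city were you born in?": "Lisbon",
    "What was your first pet's name?": "Biscuit",
}

def _norm(text):
    # Collapse whitespace and ignore case before comparing answers.
    return " ".join(text.split()).casefold().encode()

class SequentialChallenge:
    """One question per screen; the next appears only after a correct answer."""

    def __init__(self, registered, count=2, max_attempts=3, rng=None):
        rng = rng or random.SystemRandom()
        # sample() draws without replacement, so a question cannot repeat.
        self._queue = rng.sample(sorted(registered), count)
        self._answers = registered
        self._max = max_attempts  # assumed limit, counted per question
        self._index = 0
        self._wrong = 0
        self.locked = False

    def current_question(self):
        if self.locked or self._index >= len(self._queue):
            return None
        return self._queue[self._index]

    def submit(self, answer):
        question = self.current_question()
        if question is None:
            return "locked" if self.locked else "passed"
        if hmac.compare_digest(_norm(answer), _norm(self._answers[question])):
            self._index += 1
            self._wrong = 0
            return "passed" if self._index == len(self._queue) else "next"
        self._wrong += 1
        if self._wrong >= self._max:
            self.locked = True
            return "locked"
        return "retry"
```
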

23.5 Virtual Authentication Devices

Accessible Versions of the Virtual Authentication Devices

Question/Problem: Users who access using assistive techniques need to use the accessible versions of the virtual authentication devices. How do I enable these versions?

Answer/Solution: Accessible versions of the TextPad, QuestionPad, KeyPad and PinPad are not enabled by default. If accessible versions are needed in a deployment, they can be enabled using the Properties Editor in OAAM Admin or using the Oracle Adaptive Access Manager extensions shared library. The accessible versions of the virtual authentication devices contain tabbing, directions and ALT text necessary for navigation via the screen reader and other assistive technologies.

You will need to modify bharosa_server.properties. To enable these versions, set the is ADA compliant flag to true.

For native integration, the property to control the virtual authentication device is

    desertref.authentipad.isADACompliant

For Oracle Adaptive Access Manager out-of-the-box, the property to control the virtual authentication device is

    bharosa.uio.default.authentipad.is_ada_compliant

Visible Text Input or Password Non-Visible Input Setting

Question/Problem: How can I configure QuestionPad so that challenge answers can be entered as non-visible text?