Oracle Adaptive Access Manager Proxy 6-49 Figure 6–6 OAAM Server responds after getting the fingerprint with the Login page

7. The client posts the user name to the OAAM Server

http:proxyhost:portoaam_serverlogin.do. Other than the AddAppIdTobharosauioRequests-BigBank interceptor, the request is intercepted at the proxy by the Phase2BharosaLoginPageRequest interceptor. The proxy sets WebUIOPhase to two.

8. The OAAM Server responds.

9. The OAAM Server gets fingerprints.

10. The OAAM Server responds after getting fingerprints, with the Password

Collection page which has a strong authentication device. 6-50 Oracle Fusion Middleware Developers Guide for Oracle Adaptive Access Manager Figure 6–7 Fingerprint and password collection

11. The client submits the password to the OAAM Server

http:proxyhost:portoaam_serverpassword.do

12. The OAAM Server responds.

The response is intercepted by Phase2PasswordPageResponse. The proxy saves the headers which contain the Login ID and the password that have been collected by the OAAM Server so far and redirects the client to bigbankGetLoginPage.

13. The proxy redirects the client to GetLoginPage.

Oracle Adaptive Access Manager Proxy 6-51 14. The client sends a request to BigBank for GetLoginPage http:proxyhost:portbigbankGetLoginPage. 15. BigBank sends back a response. The response is intercepted at the proxy by GetBigBankLoginPageResponse. The proxy saves the parameters and performs a Post-server action for bigbanklogin.do. This is the normal authentication flow for the BigBank application. 16. The proxy queues the interceptor and redirects client to bigbanklogin.do. 17. The client requests for login.do http:proxyhost:portbigbanklogin.do. 18. The request is intercepted by the proxy. The proxy executes the queued interceptor GetBigBankLoginPageResponse and changes the request method from GET to POST. 19. BigBank responds, redirect the client to activity.do. This is the normal authentication flow for the BigBank application. 20. The client requests for activity.do http:proxyhost:portbigbankactivity.do. 21. BigBank sends a login success response. The response is intercepted at the proxy by LoginSuccessResponse. The proxy sets the login status to success and performs a get server action for oaam_ serverupdateLoginStatus.do 22. The proxy redirects the client to updateLoginStatus.do. 23. The client sends a request to OAAM Server to update the status http:proxyhost:portoaam_serverupdateLoginStatus.do. 24. OAAM Server does a post authentication check and returns the result. The response is intercepted at the proxy by AllowLoginResponse. 25. The proxy takes the send-to-client action. It sets the display-url variable so that the client will request this URL after receiving the response. 26. The client sends a request to OAAM Server for the first-time user to get the Registration page http:proxyhost:portoaam_ serverregisterQuestions.do. 27. The Response page has two options for the users: skip and register. Registration Flow client chooses to register : 6-52 Oracle Fusion Middleware Developers Guide for Oracle Adaptive Access Manager Figure 6–8 Flow for first-time user to register questionsanswers with OAAM Server 28. The client chooses to register Post to http:proxyhost:portoaam_ serverregisterQuestions.do. 29. OAAM Server responds with instructions.

30. The client clicks Continue on the instruction page.

http:proxyhost:portoaam_serverregisterQuestions.do. 31. OAAM Server responds with the Question page. 32. The client selects QuestionsAnswers and submits them to the OAAM Server http:proxyhost:portoaam_serverregisterQuestions.do. 33. OAAM Server updates the information and responds. 34. The proxy performs a send-to-client to the Next page. The response is intercepted at the proxy by the AllowLoginResponse interceptor. The proxy takes the sends to Client action by specifying the Next page after successful authentication. The client will then be redirected to the application page on the next step. 35. The client requests the Next page through the proxy http:proxyhost:portbigbankactivity.do. 36. The application page activity.do is sent back to the client through the proxy. This is where the login process ends. Logout Phase : Oracle Adaptive Access Manager Proxy 6-53 Figure 6–9 Flow for users to log out of BigBank

37. The client clicks Log out http:proxyhost:portbigbanklogout.do.

38. The application sends back a response and redirects the client to bigbankloginPage.jsp. The response is intercepted by Phase2LogoffPageResponse, which clears the session variables. 39. The client requests for the BigBank Login page http:proxyhost:portbigbankloginPage.jsp. 40. The proxy intercepts the request and redirects the client to OAAM Server. 41. The client makes a request to OAAM Server for login.do http:proxyhost:portoaam_serverlogin.do. 42. OAAM Server redirects to the Jump page to fingerprint the client device. 43. OAAM Server fingerprints the client browser. 44. OAAM Server responds after fingerprinting with the Login page. Skip Registration phase: Client chooses to skip registration of questions. This phase happens after Login phase in regular flow. 6-54 Oracle Fusion Middleware Developers Guide for Oracle Adaptive Access Manager Figure 6–10 Flow occurs after user chooses to skip registration with OAAM Server

45. The client chooses to skip the registration Post to

http:proxyhost:portoaam_serverregisterQuestions.do.

46. OAAM Server responds.

47. The proxy intercepts the response and redirects the client.

The response is intercepted by AllowLoginResponse. The proxy uses send-to-client to specify the next step for the client.

48. The client requests for the page specified by the proxy

http:proxyhost:portbigbankactivity.do.

49. The BigBank application sends back a response.

Deviation flow - Block login: happens when OAAM Server decides to block client after post authentication check. This flow replaces step 15-19 in login phase of regular flow. Oracle Adaptive Access Manager Proxy 6-55 Figure 6–11 Deviation flow: user blocked by OAAM Server 50. OAAM Server decides to block the user after post authentication check. The response is an interceptor by the BlockLoginResponse interceptor. This interceptor redirects the client to the application Block page: bigbankBlockLoginPage 51. The proxy redirects the client to loginBlockPage of BigBank. 52. The client requests for BigBank BlockLoginPage http:proxyhost:portbigbankloginPage.jsp?action=block. 53. The request is intercepted by LoginBlockedPageRequest by the proxy. The proxy accepts the get-server action for the Logout page: bigbanklogout.do. This action ends the session at BigBank. 54. The application responds. The response is intercepted by Phase2LoginBlockedPageResponse. The proxy clears the session and redirects the client to the OAAM Login Block page. 55. The proxy redirects the client to the OAAM Login Block page. 56. The client requests the Block page from OAAM Server http:proxyhost:portoaam_ serverloginPage.jsp?action=block. 6-56 Oracle Fusion Middleware Developers Guide for Oracle Adaptive Access Manager 57. OAAM Server responds with Blocked page

6.9 Upgrading the UIO Apache Proxy

Oracle Adaptive Access Manager patches may contain updates for the UIO Apache Proxy for Microsoft Windows and Linux rhel4. Follow the instructions in this chapter to replace the mod_uio.so and related .dlls on MS Windows and .so on Linux libraries with those released as part of this patch release.

6.9.1 UIO Apache Proxy Patch Installation Instructions

Installation of a patch is similar to installing the UIO Proxy package. A patch will contain only the modified files. It is good practice to back up all your existing files since the patch will overwrite some or all of the files. General instructions are given below. A patch contains only the modified files; so if a file is not available in the patch, skip that step. The steps are to be performed manually by the patch installer. For both MS Windows and Linux:

1. Shut down the instance of Apache that you are updating

2. Back up existing files: binary, .rng and .xml files

3. Unzip patch_oaam_win_apache_uio.zip for Windows or patch_oaam_

rhel4_apache_uio.zip for Linux, which are located in the oaam_uio directory.

4. Copy the binary files from the patch additionally on Linux, you need to set

soft-links to .so files appropriately.

5. Copy UIO_Settings.rng and UIO_Config.rng files from the patch.

6. Compare your existing UIO_Settings.xml and UIO_log4j.xml files with

those given in the patch and verify that you have the correct settings. Refer to the sections that apply to this patch and ensure that you have the correct settings. The same also applies to your configuration XML files.

7. Start Apache and run your sanity tests

■ For Windows, – The binary files are: mod_uio.so, log4cxx.dll, libxml2.dll, apr_ memcache.dll apr_memcache.dll was introduced in 10.1.4.5.bp1 – The configuration files are: UIO_Settings.rng, UIO_Config.rng, UIO_Settings.xml, UIO_log4j.xml and application configuration XML files ■ For Linux, – The binary files are: mod_uio.so, liblog4cxx.so.0.10.0.0, libxml2.so.2.6.32, libapr_memcache.so.0.0.1 – The binary configuration files are: UIO_Settings.rng, UIO_ Config.rng, UIO_Settings.xml, UIO_log4j.xml and application configuration XML files Note: Ensure that you are using Apache httpd, version 2.2.8 with mod_ssl. Oracle Adaptive Access Manager Proxy 6-57

6.9.2 UIO Apache Proxy Patch Backout Instructions

Restore the files that you had backed up before you installed the patch.

6.10 Upgrading the UIO ISA Proxy Server

To upgrade the UIO ISA Proxy Server: 1. Stop the Microsoft ISA Server with the following command: net stop fwsrv 2. Back up the current UIO ISA Proxy Server DLL. The DLL should usually be at: ProgramFiles\Microsoft ISA Server\BharosaProxy.dll. 3. Overwrite the existing DLL with the one from the patch. 4. Start Microsoft ISA Server with the following command: net start fwsrv 6-58 Oracle Fusion Middleware Developers Guide for Oracle Adaptive Access Manager