Managing OAM Identity Assertion on IBM WebSphere 7-7
uris_file=path-to-template-config-file web_domain=host-id-name
ldap_host=wxyz ldap_port=6633
ldap_userdn=orcladmin ldap_base=ldap-base-dn
oam_aaa_host=abcd oam_aaa_port=7789
oam_aaa_mode=open log_file=OAMCfg_date.log
log_level=INFO output_ldif_file=LDIF_filename
-noprompt
The above sample command produces the following artifacts:
■ OAMPolicy_for_WAS-IAP, OAM Policy for protecting IBM WebSphere resources specified under protected_uris and public_uris
■ OraDefaultAnonAuthNScheme, Anonymous Authentication Scheme used by OAMPolicy_for_WAS-IAP
■ OraDefaultFormAuthNScheme, Form Authentication Scheme used by OAMPolicy_for_WAS-IAP
■ Other OAM authentication scheme configuration
For a known resource, the public URI policy needs a Return Attribute in the Authorization Actions for Cookie-based assertion, as shown in Table 7–1. In this case, the return name OAM_REMOTE_USER is not configurable in oamtai.xml.
To enable Header-based assertion, you must set the Return Attribute in the Authorization Actions of the protection policy for the protected_uris resource, as shown in Table 7–2. With Header-based Assertion, the return name OAM_REMOTE_USER is configurable in the oamtai.xml file, and you must ensure that the Header-based Assertion section of that file is uncommented.
7.4 Provisioning WebGate and Configuring OAM 10g 10.1.4.3 and the IAP for IBM WebSphere
This section provides the steps to obtain the OAMCfgTool, provision the required WebGate, create a form authentication scheme, and create a policy domain and OAM 10g 10.1.4.3 policies for the IAP and IBM WebSphere.
Table 7–1 Authorization Actions for Cookie-based Assertion in Public URI Policy
Type       Name             Return Attribute
HeaderVar  OAM_REMOTE_USER  uid

Table 7–2 Authorization Actions for Header Based Assertion in Protected URI Policy
Type       Name             Return Attribute
HeaderVar  OAM_REMOTE_USER  uid
See Also: Introduction to the Oracle Access Manager 10g 10.1.4.3 Configuration Tool on page 7-6
7-8 Oracle Fusion Middleware Third-Party Application Server Guide
To acquire OAMCfgTool and configure OAM 10g 10.1.4.3 for the IAP for IBM WebSphere
1. Obtain the OAMCfgTool as follows:
   a. Log in to Oracle Technology Network at: http://www.oracle.com/technology/software/products/middleware/htdocs/111110_fmw.html
   b. Locate the OAMCfgTool ZIP file with Access Manager Core Components 10.1.4.3.0: oamcfgtool<version>.zip
   c. Extract and copy oamcfgtool.jar to the computer hosting the IBM WebSphere application to protect.
   d. Confirm that JDK 1.6 or the latest version is installed and configured on the host computer.
   e. Change to the file system directory containing OAMCfgTool.
2. Provision WebGate, create the authentication scheme, and create the policy domain: run the following command using values for your environment. The LDAP password is piped to the tool on standard input rather than passed as a parameter. For example:
   echo ldappwd | java -jar oamcfgtool.jar mode=CREATE app_domain=OAMPolicy_for_WAS-IAP \
     uris_file=path-to-template-config-file web_domain=host-id-name \
     ldap_host=wxyz ldap_port=6633 \
     ldap_userdn=orcladmin ldap_base=ldap-base-dn \
     oam_aaa_host=abcd oam_aaa_port=7789 \
     oam_aaa_mode=open log_file=OAMCfg_date.log \
     log_level=INFO output_ldif_file=LDIF_filename \
     -noprompt
3. Review the information provided by the tool. For example, the parameters and values in Step 3 provide the following information:
   Processed input parameters
   Initialized Global Configuration
   Successfully completed the Create operation.
   Operation Summary:
   Policy Domain : OAMPolicy_for_WAS-IAP
   Host Identifier: OAMPolicy_for_WAS-IAP
   Access Gate ID : OAMPolicy_for_WAS-IAP_AG
4. Update host identifiers to include possible host-variations.
5. Add the following authorization actions to the Header Based Assertion Policy:
   Type       Name             Return Attribute
   HeaderVar  OAM_REMOTE_USER  uid
6. Proceed to Installing the Required WebGate for the IHS Web Server on page 7-11.
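The procedure above runs OAMCfgTool from a shell with the LDAP password echoed into a pipe. The following Python script is an added example, not part of Oracle's documentation or tooling: it wraps the same CREATE invocation, validates that the parameters the guide lists are present, keeps the LDAP password off the command line by writing it to the tool's standard input (so it is never typed into shell history), and parses the Operation Summary that step 3 shows. The host names, ports, DNs and file paths in SAMPLE_PARAMS are constructed placeholders; the accepted oam_aaa_mode values (open, simple, cert) are the OAM 10g transport security modes and are assumed here rather than taken from this page.

```python
"""Build, run and check an OAMCfgTool CREATE invocation (added example, not Oracle code).

Assumes oamcfgtool.jar is in the current directory and a JDK 1.6+ `java` is on PATH.
Parameter names are those shown in the guide; all values below are constructed.
"""
import re
import subprocess
from datetime import date

# Constructed placeholder values for the documented CREATE command.
SAMPLE_PARAMS = {
    "mode": "CREATE",
    "app_domain": "OAMPolicy_for_WAS-IAP",
    "uris_file": "/tmp/was_iap_uris.txt",          # template config file (assumed path)
    "web_domain": "was-host.example.com",           # host identifier name
    "ldap_host": "ldap.example.com",
    "ldap_port": "6633",
    "ldap_userdn": "orcladmin",
    "ldap_base": "dc=example,dc=com",
    "oam_aaa_host": "oam.example.com",
    "oam_aaa_port": "7789",
    "oam_aaa_mode": "open",
    "log_level": "INFO",
    "output_ldif_file": "/tmp/was_iap.ldif",
}

# Parameters the guide's sample command supplies (log_file is defaulted below).
REQUIRED = ("mode", "app_domain", "uris_file", "web_domain", "ldap_host", "ldap_port",
            "ldap_userdn", "ldap_base", "oam_aaa_host", "oam_aaa_port", "oam_aaa_mode")

# OAM 10g AccessGate transport security modes (assumption, not from this page).
AAA_MODES = ("open", "simple", "cert")


def build_argv(params, jar="oamcfgtool.jar", noprompt=True):
    """Return the argv list for `java -jar oamcfgtool.jar key=value ... -noprompt`.

    The LDAP password is deliberately never part of argv; run_tool() feeds it on stdin.
    """
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        raise ValueError("missing OAMCfgTool parameters: " + ", ".join(missing))
    for key in ("ldap_port", "oam_aaa_port"):
        if not params[key].isdigit() or not 0 < int(params[key]) < 65536:
            raise ValueError(f"{key} must be a TCP port, got {params[key]!r}")
    if params["oam_aaa_mode"] not in AAA_MODES:
        raise ValueError(f"oam_aaa_mode must be one of {AAA_MODES}")
    merged = dict(params)
    # The guide names the log OAMCfg_date.log; use today's date so runs do not overwrite each other.
    merged.setdefault("log_file", "OAMCfg_%s.log" % date.today().isoformat())
    argv = ["java", "-jar", jar] + [f"{k}={v}" for k, v in merged.items()]
    if noprompt:
        argv.append("-noprompt")
    return argv


SUMMARY_FIELDS = ("Policy Domain", "Host Identifier", "Access Gate ID")


def parse_summary(output):
    """Extract the success line and Operation Summary fields from OAMCfgTool output."""
    summary = {"succeeded": "Successfully completed the Create operation" in output}
    for field in SUMMARY_FIELDS:
        m = re.search(rf"{re.escape(field)}\s*:\s*(\S+)", output)
        summary[field] = m.group(1) if m else None
    return summary


def run_tool(params, ldap_password, jar="oamcfgtool.jar"):
    """Run OAMCfgTool like `echo pwd | java -jar ...`, passing the password on stdin only."""
    proc = subprocess.run(build_argv(params, jar), input=ldap_password + "\n",
                          text=True, capture_output=True)
    return parse_summary(proc.stdout), proc.returncode


# Tool output as shown in step 3 of the guide, embedded here as constructed test input.
SAMPLE_OUTPUT = """Processed input parameters
Initialized Global Configuration
Successfully completed the Create operation.
Operation Summary:
Policy Domain : OAMPolicy_for_WAS-IAP
Host Identifier: OAMPolicy_for_WAS-IAP
Access Gate ID : OAMPolicy_for_WAS-IAP_AG
"""

if __name__ == "__main__":
    import getpass
    print(" ".join(build_argv(SAMPLE_PARAMS)))
    summary, rc = run_tool(SAMPLE_PARAMS, getpass.getpass("LDAP password: "))
    print(rc, summary)
```

Running the script prompts for the LDAP password without echo, invokes the tool with the validated parameter set, and prints the parsed summary; compare the reported Policy Domain, Host Identifier and Access Gate ID against the values you expect before moving on to step 4.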
7.5 Provisioning and Configuring OAM 11g for the IAP and IBM WebSphere