Managing OAM Identity Assertion on IBM WebSphere 7-17
4. In the property ws.ext.dirs, add the value for OAMTrustAssociationInterceptor.jar. For example:
   MiddleWareHome\oracle_common\modules\oracle.oamprovider_11.1.1\OAMTrustAssociationInterceptor.jar
5. Confirm that the two values are separated by a colon.
6. Create the Interceptor entry for the OAM IAP, as follows:
   a. In the IBM WebSphere console, go to Security, Global Security, and ensure that Enable Application Security is checked.
   b. Under the Authentication section, click the Web and SIP Security tab, and then click the Trust association link.
   c. Under General Properties, check Enable Trust Association.
   d. Under Additional Properties, click the Interceptors link.
   e. Under General Properties, click New, and provide the Interceptor class name as follows: oracle.security.was.providers.tai.OAMTrustAssociationInterceptorImpl
7. Proceed to Configuring the OAM TAI Configuration File to configure oamtai.xml as a custom property of the Interceptor class path.
7.9.5 Configuring the OAM TAI Configuration File
The oamtai.xml configuration file is used by the OAM Trust Association Interceptor. You must configure the file and modify it for your environment. For details, see:
■ About Configuring the OAM TAI Configuration File
■ Configuring the OAM TAI Configuration File
7.9.5.1 About Configuring the OAM TAI Configuration File
The oamtai.xml configuration file is available in the following path:
MiddleWareHome\oracle_common\modules\oracle.oamprovider_11.1.1\domain_config_was\oamtai.xml
This file stores the details that are used by the TAI at run time to establish a connection with the 10g 10.1.4.3 OAM Access Server or the 11g OAM Server. There are two ways to configure the oamtai.xml file:
■ Either copy oamtai.xml to was_profile_dir\config\cells\cell_name\fmwconfig\oamtai.xml.
■ Or perform Step 1 in the following procedure to configure oamtai.xml as a custom property of the Interceptor entry added earlier.
You must modify the oamtai.xml file to establish a connection to the Access Server, using the parameters in Table 7–4 and the values for your deployment. To enable header-based assertion, ensure that the Header Based Assertion section in oamtai.xml is not commented out, and use the same customHeadername in both oamtai.xml and the OAM policy.
7-18 Oracle Fusion Middleware Third-Party Application Server Guide
Table 7–4 oamtai.xml Configuration File Parameters

hostPort (Required)
  Hostname and port of the IHS Web server where the resource is hosted. Note: The host:port should be one of the host name variations present in OAM.
resource (Required)
  The URL to the protected resource. Default = AuthenSSOToken, or the value in the OAM policy if you have updated it.
ip (Optional)
  IP address of the client computer that needs to access the resource.
operation (Required)
  Operation requested to access the AuthenSSOToken.
accessGateName (Required)
  A unique name, without spaces, that identifies the AccessGate to be used while interacting with OAM. With OAMCfgTool the name is derived from the app_domain value, appended with _AG.
AccessGatePassword (Required)
  A unique password to verify and identify the AccessGate when interacting with OAM. This prevents unauthorized AccessGates from connecting and obtaining policy information. With OAMCfgTool, this is specified with the app_agent_password parameter. This should differ for each WebGate/AccessGate instance.
accessServerHost (Required)
  OAM Access Server or OAM 11g Server host name.
accessServerPort (Required)
  OAM Access Server or OAM 11g Server port number.
accessServerName (Optional)
  Name of the OAM Access Server, as identified in the profile or OAM 11g Server registration.
transportSecurity (Required)
  The level of transport security between the 10g 10.1.4.3 Access Server and associated WebGates must match. The default value is Open. You can specify a different value with the OAMCfgTool oam_aaa_mode value. The following parameters (trustStore, keyStore, keyStorePass and globalPass) are required when the transport security mode is Simple or Cert:
  ■ trustStore: Specify the absolute path to the trust store.
  ■ keyStore: Specify the absolute path to the key store.
  ■ keyStorePass: Specify the keystore password.
  ■ globalPass: Specify the global passphrase value that was defined during IHS WebGate installation and configuration.
debug (Required)
  Turns OAM debugging on or off. Default: false
minConn (Required)
  The minimum number of connections that this AccessGate can establish with Access Servers. This number must be the same as or less than the number of Access Servers that are actually associated with the WebGate.
maxConn (Required)
  The maximum number of connections that this AccessGate can establish with Access Servers. This number must be the same as or greater than the number of Access Servers that are actually associated with the WebGate.
timeOutForConnPool (Required)
  Connection pool time out period. Specify any value in milliseconds. Default: 30000 milliseconds
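As an added example that is not part of this guide, the cross-parameter rules stated in Table 7–4 (required keys, the extra key material needed in Simple or Cert mode, and the minConn/maxConn bounds relative to the number of Access Servers) can be checked before the file is deployed. The parameter names are the table's; the plain dict layout, the sample values and the check_oamtai_params function are assumptions, since the actual element structure of oamtai.xml is not reproduced on this page.

```python
import re

# Parameters that Table 7-4 marks as Required (names as in the table).
REQUIRED = (
    "hostPort", "resource", "operation", "accessGateName", "AccessGatePassword",
    "accessServerHost", "accessServerPort", "transportSecurity", "debug",
    "minConn", "maxConn", "timeOutForConnPool",
)
# Needed only when transportSecurity is Simple or Cert.
SECURE_MODE_KEYS = ("trustStore", "keyStore", "keyStorePass", "globalPass")

# Constructed sample: a Simple-mode deployment with two Access Servers (assumed layout).
SAMPLE_PARAMS = {
    "hostPort": "ihs.example.com:80", "resource": "AuthenSSOToken", "operation": "GET",
    "accessGateName": "myapp_AG", "AccessGatePassword": "placeholder-secret",
    "accessServerHost": "oam.example.com", "accessServerPort": "6021",
    "transportSecurity": "Simple", "trustStore": "/opt/oam/truststore",
    "keyStore": "/opt/oam/keystore", "keyStorePass": "placeholder-pass",
    "globalPass": "placeholder-pass", "debug": "false",
    "minConn": "1", "maxConn": "2", "timeOutForConnPool": "30000",
}


def check_oamtai_params(params, access_server_count):
    """Return a list of findings for a mapping of parameter name -> value.
    access_server_count is the number of Access Servers associated with the WebGate."""
    findings = []
    for key in REQUIRED:
        if not str(params.get(key, "")).strip():
            findings.append(f"{key}: required but missing or empty")
    host_port = params.get("hostPort", "")
    if host_port and not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", host_port):
        findings.append("hostPort: expected host:port form")
    mode = params.get("transportSecurity", "Open")
    if mode in ("Simple", "Cert"):  # key material and passphrases become mandatory
        findings += [f"{k}: required when transportSecurity is {mode}"
                     for k in SECURE_MODE_KEYS if not str(params.get(k, "")).strip()]
    try:
        min_conn, max_conn = int(params.get("minConn", 0)), int(params.get("maxConn", 0))
    except ValueError:
        findings.append("minConn/maxConn: must be integers")
    else:
        if min_conn > access_server_count:
            findings.append("minConn: must not exceed the number of Access Servers")
        if max_conn < access_server_count:
            findings.append("maxConn: must be at least the number of Access Servers")
    if str(params.get("debug", "false")).lower() == "true":
        findings.append("debug: enabled; keep off outside troubleshooting")
    return findings
```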
7.9.5.2 Configuring the OAM TAI Configuration File