
16 Access and Password Management Integration

This chapter provides an overview of the benefits and a list of scenarios of Oracle Access Manager with Oracle Identity Manager and Oracle Adaptive Access Manager. Detailed conceptual and procedural information is provided in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

16.1 Benefits and Features of the Integration

Integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager provides these features:
■ Password entry protection through personalized virtual authentication devices
■ KBA challenge questions for secondary login authentication based on risk
■ OTP challenge for secondary login authentication based on risk
■ Registration flows to support password protection and KBA and OTP challenge functionality
■ User preferences flows to support password protection and KBA and OTP challenge functionality
■ Password management flows

Oracle Adaptive Access Manager

Oracle Adaptive Access Manager is responsible for:
■ Running fraud rules before and after authentication
■ Navigating the user through Oracle Adaptive Access Manager flows based on the outcome of the fraud rules

Oracle Identity Manager

Oracle Identity Manager is responsible for:
■ Provisioning users (add/modify/delete users)
■ Managing passwords (reset/change password)

16-2 Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager

Oracle Access Manager

Oracle Access Manager is responsible for:
■ Authenticating and authorizing users
■ Providing statuses such as Reset Password, Password Expired, User Locked, and others

16.2 Secure Password Collection and Management Scenarios

In this integration, Oracle Access Manager redirects users to Oracle Adaptive Access Manager when a trigger condition for password management is in effect. The trigger condition is the authentication scheme used in Oracle Access Manager. Oracle Adaptive Access Manager interacts with the user based on lifecycle policies retrieved from Oracle Access Manager, and when the condition is resolved, notifies Oracle Access Manager so that the user is redirected to the protected resource. In this integration, Oracle Identity Manager provides password policy enforcement.

Challenge Registration Flow

The Challenge Registration flow allows the user to register challenge questions and answers. The user is successfully authenticated but is required to register challenge questions. The user cannot skip the registration and is not authorized to access protected resources until the challenge questions have been registered.

Forgot Password Flow

The Forgot Password flow allows the user to reset the password after successfully answering all challenge questions. A Forgot Your Password link is made available to the user from the Oracle Adaptive Access Manager password page.

Reset Password Flow

The Reset Password flow allows the user to reset the password. The user is successfully authenticated. The Change your password link is available to the user on the Oracle Adaptive Access Manager password page.

Challenge Reset Flow

The Challenge Reset flow allows the user to reset the challenge registration. The user is successfully authenticated. The Reset your challenge questions link is available on the Oracle Adaptive Access Manager password page.

Note: When adding Oracle Adaptive Access Manager to an existing Oracle Identity Manager deployment, you will need to forego all the existing questions and answers that are registered in Oracle Identity Manager. Instead, users are asked to register the challenge questions again in Oracle Adaptive Access Manager on the next login.
Part V Migration and Lifecycle Management

Part V contains the following chapters:
■ Chapter 17, Migrating Native Applications to OAAM 11g
■ Chapter 18, Handling Lifecycle Management Changes

17 Migrating Native Applications to OAAM 11g

This chapter covers the tasks involved in migrating an existing natively integrated 10.1.4.5 application that currently uses SOAP authentication to 11g.

17.1 Preparing for Migration

The prerequisites for migrating your existing natively integrated application are as follows:
■ The client should be using the OAAM Shared Library for native integration using SOAP.
■ The client should specify the configurable properties in bharosa_server.properties, and this file should be in the Java classpath of the client application.
■ See Section 17.4, Migrating Native Applications that Cannot Use OAAM Shared Library, if the native application cannot use the OAAM Shared Library.

17.2 Migrating Native Static Linked In Proc Applications to OAAM 11g

This native integration involves only local API calls and therefore no remote calls to the server risk engine. The integration embeds the OAAM processing engine with the application and enables it to use the underlying database directly for processing. To migrate the natively integrated in-proc application to OAAM 11g, proceed as follows:

17.2.1 Use the OAAM Shared Library Instead of Static Linking to OAAM Jars

To use the Oracle Adaptive Access Manager Shared Library, you must refer to the shared library by adding the following entry to your WebLogic deployment descriptor file, weblogic.xml:

    <library-ref>
        <library-name>oracle.oaam.libs</library-name>
    </library-ref>

17.2.2 Move All Configurable Properties into bharosa_server.properties File

As part of migrating the application, you must perform these steps:
1. Move all the configurable properties to bharosa_server.properties.
2. Remove/delete all other OAAM property files from the native application.
3. Remove/delete all old OAAM jar files.

17.3 Migrating Native SOAP Applications to OAAM 11g

The web application communicates with OAAM via Web Services. Follow the procedures in this section to migrate your native SOAP application to OAAM 11g.

17.3.1 Use OAAM Shared Library Instead of Static Linking to OAAM Jars

To use the Oracle Adaptive Access Manager Shared Library, you must refer to the shared library by adding the following entry to your WebLogic deployment descriptor file, weblogic.xml:

    <library-ref>
        <library-name>oracle.oaam.libs</library-name>
    </library-ref>

17.3.2 Move All Configurable Properties into the bharosa_server.properties File

As part of migrating the application, you must perform these steps:
1. Move all the configurable properties to bharosa_server.properties.
2. Make sure the following properties are set in bharosa_server.properties:
■ vcrypt.tracker.soap.useSOAPServer=true
■ vcrypt.soap.disable=false
■ bharosa.config.impl.classname=com.bharosa.common.util.BharosaConfigPropsImpl
■ bharosa.config.load.impl.classname=com.bharosa.common.util.BharosaConfigLoadPropsImpl
3. Remove/delete all other OAAM property files from the native application.
4. Remove/delete all old OAAM jar files.
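A migration pre-check for the steps above, written here as an added example (it is not Oracle's or OAAM's own tooling): it reads bharosa_server.properties in the java.util.Properties format, verifies that the four required settings have the required values, and lists OAAM property files and jars that steps 3 and 4 say must be gone. The sample file contents are constructed, and the name-prefix rule used to recognise leftover OAAM files is an assumption, not something this guide states.

```python
import re
from pathlib import PurePosixPath

REQUIRED = {  # properties and values section 17.3.2 requires in bharosa_server.properties
    "vcrypt.tracker.soap.useSOAPServer": "true",
    "vcrypt.soap.disable": "false",
    "bharosa.config.impl.classname": "com.bharosa.common.util.BharosaConfigPropsImpl",
    "bharosa.config.load.impl.classname": "com.bharosa.common.util.BharosaConfigLoadPropsImpl",
}

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' ':' or space separators, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_required(props):
    """Return (key, expected, actual) for each required property that is missing or wrong."""
    return [(k, v, props.get(k)) for k, v in REQUIRED.items() if props.get(k) != v]

def find_leftovers(paths):
    """Steps 3 and 4: other OAAM property files and old OAAM jars still shipped with the app."""
    hits = []
    for p in map(PurePosixPath, paths):
        name = p.name.lower()
        # Assumption (not from the guide): such files carry a 'bharosa' or 'oaam' name prefix.
        if name.startswith(("bharosa", "oaam")) and name != "bharosa_server.properties" \
                and p.suffix in (".properties", ".jar"):
            hits.append(str(p))
    return sorted(hits)

# Constructed sample (not from the guide) of a fully migrated bharosa_server.properties.
SAMPLE_OK = """# SOAP settings for the migrated native application
vcrypt.tracker.soap.useSOAPServer=true
vcrypt.soap.disable=false
bharosa.config.impl.classname=\\
    com.bharosa.common.util.BharosaConfigPropsImpl
bharosa.config.load.impl.classname:com.bharosa.common.util.BharosaConfigLoadPropsImpl
"""
```

Run check_required(parse_properties(open("bharosa_server.properties").read())) against the real file and find_leftovers over the application's file list; an empty result from both means the four steps are complete.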

17.3.3 Configure SOAP/Web Services Access

For details on configuring SOAP/Web Services access, refer to Configuring SOAP Web Services Access in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

17.4 Migrating Native Applications that Cannot Use OAAM Shared Library

The process below covers migrating your existing 10.1.4.5 natively integrated application that currently uses SOAP authentication to 11g.

17.4.1 Use the OAAM 11g Jar Files

After those files are copied, you can copy the oaam_core.jar file from the ORACLE_HOME/oaam/cli/lib folder into your application's library directory. ORACLE_HOME is usually the ORACLE_IDM1 folder in the Middleware Home.