Managing OAM Identity Assertion on IBM WebSphere 7-9
7.5 Provisioning and Configuring OAM 11g for the IAP and IBM WebSphere
This section provides the following topics:
■ About Provisioning WebGates and AccessGates with OAM 11g
■ Provisioning Agents and Creating OAM 11g Policies for IBM WebSphere
7.5.1 About Provisioning WebGates and AccessGates with OAM 11g
This topic introduces OAM 11g access clients, known as policy-enforcement agents, and the process required to set up the trust mechanism between an agent and Oracle Access Manager 11g SSO. This process is known as provisioning (or registering) an agent.
Only registered policy-enforcement agents can communicate with an OAM Server and process information when a user attempts to access a protected resource. Users with valid OAM Administrator credentials can register an OAM Agent using the Administration Console.
You can register a WebGate agent before you install it. The required WebGate or AccessGate configuration files are created during registration and stored in the following path:
DOMAIN_NAME/output/Agent_NAME
During registration, you can also create an application domain and default policies. For this reason, registering an agent is also known as registering a partner application.
During registration, the Agent is presumed to be on the same Web server as the application it is protecting. However, the Agent can be on a proxy Web server and the
application can be on a different host.
During Agent registration:
■ One key is generated per agent. It is accessible to the WebGate through a local wallet file on the client host, and to the OAM Server through the Java Key Store on the server side. The agent-specific key must be accessible to WebGates only through secure local storage on the client machine; treat the wallet file with the same care as a private key.
■ A key is generated for the partner application during registration (except for 10g 10.1.4.3 WebGate agents).
■ An OAM application domain is created, named after the Agent, and populated with default authentication and authorization policies. The new application domain uses the same host identifier that was specified for the Agent during registration.
After registration, agent details appear in the OAM Administration Console and are propagated to all Managed Servers in the cluster. If you choose to create policies automatically during agent registration, you can also view and manage the application domain and policies that were registered with the partner application.
Table 7–3 describes each of the named text fields where you enter the requested information on the Create OAM Agent page.
Table 7–3 Create OAM Agent Pages for OAM 10g (10.1.4.3) and 11g Agents

Agent Name
    The identifying name for this WebGate Agent. This is often the name of the computer that is hosting the Web server used by WebGate.
    Note: If the Agent Name already exists, an error occurs and registration fails. If the host identifier already exists, the unique Agent Base URL is added to the existing host identifier and registration proceeds.

Agent Base URL (optional)
    The host and port of the computer on which the Web server for the agent is installed. For example, http://my_ohs_host:port or https://my_host:port. The port number is optional.
    Note: A particular Agent Base URL can be registered once only. There is a one-to-one mapping from the Agent Base URL to the Web server domain on which the WebGate is installed (as specified with the host identifier element). However, one domain can have multiple Agent Base URLs.

Access Client Password
    An optional, unique password for this WebGate, assigned during WebGate registration. When a registered WebGate connects to an OAM 11g Server, the password is used for authentication to prevent unauthorized WebGates from connecting to OAM 11g Servers and obtaining policy information. Without it, a connecting WebGate is not authenticated by password, so set one for any agent outside a test environment.

Security
    Level of communication transport security between the Agent and the OAM Server. This must match the level specified for the OAM Server:
    ■ Open: No transport security
    ■ Simple: SSL v3/TLS v1.0 secure transport using dynamically generated session keys
    ■ Cert: SSL v3/TLS v1.0 secure transport using server-side x.509 certificates. Choosing this option displays a field where you can enter the Agent Key Password, discussed separately within this table.
    In Open mode the agent-server exchange, including the policy data returned to the agent, crosses the network with no transport security; use Simple or Cert for anything beyond a test environment.

Host Identifier
    This identifier represents the Web server host.

Auto Create Policies
    During agent registration, you can have authentication and authorization policies created automatically. This option is checked (enabled) by default.
    Default: Enabled
    Note: If you already have an application domain and policies registered, you can simply add new resources to it. If you clear this option (no check), no application domain or policies are generated automatically.

Protected Resource URI List
    URIs for the protected application, for example /myapp/login. Each URI for the protected application should be specified in a new row of the table for the Protected Resource List.
    Default: 2 resources are protected by default: /.../* and /. The default pattern matches any sequence of characters within zero or more intermediate levels spanning multiple directories.
    Add all IBM WebSphere resources to be protected to this list.

Public Resource URI List
    Each public application should be specified in a new row of the table for the Public Resource List. Add a field and enter URI values for the public applications and resources. Add all IBM WebSphere resources that should not be protected to this list.
    Note: /Authen/SSOToken is an additional public resource that is used by the Oracle Access Manager Identity Assertion Provider.

See Also: Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager for more information.
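The constraints in Table 7–3 (unique Agent Name, an Agent Base URL registered once only and attached to an existing host identifier when one exists, a security level that matches the server, the optional Access Client Password, and /Authen/SSOToken kept public for the Identity Assertion Provider) can be checked before you open the Create OAM Agent page. The following Python is an added pre-registration check written for this edit; it is not Oracle code and does not talk to an OAM Server. The AgentRequest and Registry shapes are assumptions standing in for the console form and the server's existing registrations; the resource patterns and field names come from the table above.

```python
"""Pre-registration checks for an OAM 11g agent, modelled on the rules in Table 7-3.

Added illustration, not Oracle code. AgentRequest and Registry are assumed shapes that
stand in for the Create OAM Agent form and the server's existing registrations.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

IAP_PUBLIC_RESOURCE = "/Authen/SSOToken"   # public resource the OAM IAP relies on
DEFAULT_PROTECTED = ("/.../*", "/")        # created when Auto Create Policies is enabled
LEVELS = ("Open", "Simple", "Cert")        # Security levels offered by the console


@dataclass
class AgentRequest:
    """Fields of the Create OAM Agent page that the checks below look at."""
    agent_name: str
    host_identifier: str
    security: str
    agent_base_url: str | None = None
    access_client_password: str | None = None
    auto_create_policies: bool = True
    protected: list[str] = field(default_factory=lambda: list(DEFAULT_PROTECTED))
    public: list[str] = field(default_factory=list)


@dataclass
class Registry:
    """What the OAM Server already knows (constructed stand-in for console state)."""
    server_security: str
    agent_names: set[str] = field(default_factory=set)
    # host identifier -> Agent Base URLs already attached to it
    host_ids: dict[str, set[str]] = field(default_factory=dict)

    def all_base_urls(self) -> set[str]:
        return set().union(*self.host_ids.values())


def normalize_base_url(url: str) -> str:
    """Canonical http(s)://host[:port] form so 'registered once only' compares reliably."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path not in ("", "/"):
        raise ValueError(f"Agent Base URL must look like http(s)://host[:port]: {url!r}")
    port = f":{parts.port}" if parts.port else ""          # port is optional; raises if non-numeric
    return f"{parts.scheme}://{parts.hostname}{port}"        # urlsplit already lower-cases both


def check_registration(req: AgentRequest, reg: Registry) -> list[tuple[str, str]]:
    """Return (severity, message) findings; any 'error' means the console would reject it."""
    findings: list[tuple[str, str]] = []
    if req.agent_name in reg.agent_names:
        findings.append(("error", f"Agent Name {req.agent_name!r} already exists; registration fails"))
    if req.security not in LEVELS:
        findings.append(("error", f"unknown security level {req.security!r}"))
    elif req.security != reg.server_security:
        findings.append(("error", f"agent security {req.security} does not match server {reg.server_security}"))
    if req.security == "Open":
        findings.append(("warning", "Open mode: agent/server traffic has no transport security"))
    if not req.access_client_password:
        findings.append(("warning", "no Access Client Password: connecting WebGates are not password-authenticated"))
    if req.agent_base_url:
        try:
            base = normalize_base_url(req.agent_base_url)
        except ValueError as exc:
            findings.append(("error", str(exc)))
        else:
            if base in reg.all_base_urls():
                findings.append(("error", f"Agent Base URL {base} is already registered (once only)"))
            elif req.host_identifier in reg.host_ids:
                findings.append(("info", f"host identifier {req.host_identifier!r} exists; {base} is added to it"))
    for uri in sorted(set(req.protected) & set(req.public)):
        findings.append(("error", f"{uri} is listed as both protected and public"))
    if IAP_PUBLIC_RESOURCE not in req.public:
        findings.append(("warning", f"{IAP_PUBLIC_RESOURCE} is not public; the OAM Identity Assertion Provider needs it"))
    return findings


if __name__ == "__main__":
    # Constructed sample: one agent already registered, server running in Cert mode.
    registry = Registry(server_security="Cert", agent_names={"was_host1"},
                        host_ids={"was_host1": {"http://was_host1.example.com:9080"}})
    request = AgentRequest(agent_name="was_host1", host_identifier="was_host1", security="Open",
                           agent_base_url="HTTP://WAS_HOST1.example.com:9080", public=["/"])
    for severity, message in check_registration(request, registry):
        print(f"{severity:8} {message}")
```

Run the check against the agent you are about to register; an empty result means the form as planned satisfies every rule the table states, while a non-empty one tells you which field to change before the console rejects the registration or, worse, accepts an agent in Open mode without a password.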
7.5.2 Provisioning Agents and Creating OAM 11g Policies for IBM WebSphere