16-52 Oracle Fusion Middleware Application Security Guide
b. Authentication Rule: A policy domain must have at least one authentication rule, which specifies one authentication scheme and authentication actions.
Click Authentication Rule and fill in the General tab as follows, entering a Name, an optional Description, and an Authentication Scheme:
Name: Basic Authentication Scheme
Description: User name and password based authentication
Authentication Scheme: Basic over LDAP
Click Save.
c. Authentication Rule, Actions: For the Authenticator, to boot Oracle WebLogic Server with Administrator users who exist in Oracle Access Manager, or if you are using Oracle Web Services Manager.
Click the Actions tab, click Add, and enter the following for Authentication Success:
Redirection URL: Leave blank
Return Type: WL_REALM
Return Name: obmygroups
Return Attribute: obmygroups
This return attribute directs the Access Server to return all groups to which the user belongs.
Next, add a second return action whose Return Attribute is the name of the login parameter for the user name. This helps in identifying the user uniquely in the LDAP directory server used by Oracle Access Manager:
Return Type: WL_REALM
Return Name: uid
Return Attribute: uid
7. Authorization Rule: Click the Authorization Rules tab, click Add, and:
a. Specify a rule name and, optionally, a brief description. For example:
Name: Default rule for Authenticator
Description: Default rule enables Authenticator function for anyone
b. Select Yes from the Enabled list and then click Save.
c. Click the rule, click the Allow Access tab, click Add, and under Role select Anyone to allow anyone access to the protected resources.
d. Click Save.
Note: For the Authenticator you need only an Authentication Success Return Action in the rule for the ObMyGroups attribute. This Access Server-specific attribute returns all the groups to which the user belongs. Two other implementations require this action, as described in Step C.
Configuring Single Sign-On Using Oracle Access Manager 10g 16-53
8. Policies Tab: Click the Policies tab, click Add, then fill in and save the General details:
Name: Default Username Resolution Policy
Description: Default Username Policy for Authenticator
Resource Type: wl_authen
Resource operations: LOGIN
Resource: /Authen/UsernameAssertion
Leave other items as they are, then click Save.
Click the Authentication Rule sub tab, click Add, and fill in the General details (Name, optional Description, Authentication Scheme):
Name: Username Resolution Authentication Rule
Authentication Scheme: UsernameAssertion Authentication Scheme (see Creating an Authentication Scheme for the Authenticator)
Click Save.
Click the Actions sub tab and add the following details for Authentication Success:
■ Return Type: WL_REALM
■ Return Name: uid
■ Return Attribute: uid
Click the Actions sub tab again and add a second action with the following details for Authentication Success:
■ Return Type: WL_REALM
■ Return Name: obmygroups
■ Return Attribute: obmygroups
Note: Be sure to enter the Return Attribute. uid is the name of the login attribute in the LDAP ObjectClass that identifies the user uniquely in the directory server used by Oracle Access Manager.
Note: obmygroups returns all groups to which a member belongs.
9. Delegated Access Admins: When adding URL prefixes to a policy domain, the Delegated Access Administrator must specify a server hosting the URL prefix.
See Also: Oracle Access Manager Access Administration Guide, Delegating Policy Domain Administration
10. Proceed with Configuring Providers for the Authenticator in a WebLogic Domain.
16.5.3 Configuring Providers for the Authenticator in a WebLogic Domain
This topic includes a procedure that you can use to add and configure the appropriate Authentication Providers in a WebLogic domain.
The Oracle Access Manager Authenticator must be configured along with the Default Authentication Provider in a WebLogic domain, with the control flags set as follows:
■ DefaultAuthenticator: SUFFICIENT
■ OAM Authenticator: OPTIONAL
The following procedure describes this task using the WebLogic Administration Console. You can also add these using the Oracle WebLogic Scripting Tool (WLST).
To configure providers for the Oracle Access Manager Authenticator in a WebLogic domain
1. No Oracle Fusion Middleware Application: Obtain the Oracle Access Manager provider if you have no Oracle Fusion Middleware application.
a. Log in to Oracle Technology Network at: http://www.oracle.com/technology/software/products/middleware/htdocs/111110_fmw.html
b. Locate the oamAuthnProvider ZIP file with Access Manager WebGates 10.1.4.3.0. For example: oamAuthnProvider<version>.zip
c. Extract and copy oamAuthnProvider.jar to the following path on the computer hosting Oracle WebLogic Server: BEA_HOME/wlserver_10.x/server/lib/mbeantypes/oamAuthnProvider.jar
2. Go to the Oracle WebLogic Administration Console.
3. With Oracle Fusion Middleware Application Installed:
a. Locate oamauthenticationprovider.war in the following path: ORACLE_INSTANCE/modules/oracle.oamprovider_11.1.1/oamauthenticationprovider.war
b. Copy oamauthenticationprovider.war to the following location: BEA_HOME/wlserver_10.x/server/lib/console-ext/autodeploy/oamauthenticationprovider.war
Note: When an Oracle Fusion Middleware application is installed, you already have the required files and can skip Step 1.
See Also:
■ About Oracle WebLogic Server Authentication and Identity Assertion Providers on page 16-41
■ Oracle Fusion Middleware Oracle WebLogic Scripting Tool
■ Oracle Fusion Middleware WebLogic Scripting Tool Command Reference
4. Go to the Oracle WebLogic Administration Console.
5. Click Lock & Edit, if desired.
6. OAM Authenticator:
a. Click Security Realms and select the realm you want to configure.
b. Select Providers, Authentication, and click New to display the Create a New Authentication Provider page.
c. Enter a name, select a type, and click OK:
Name: OAMAuthN
Type: OAMAuthenticator
d. Click the name of the Authentication Provider you have just created to display the Provider Configuration page.
e. In the Provider Configuration page, set the required values as follows:
Access Gate Name: The name of the AccessGate profile used by the provider. This must match exactly the name in the AccessGate configuration profile in the Access System Console.
Access Gate Password: The same password, if any, that is defined for the AccessGate configuration profile in the Access System Console.
Primary Access Server: The host:port of the primary Access Server that is associated with this AccessGate in the Access System Console.
Advanced Configuration: Following are several advanced configuration values.
Transport Security: The communication mode between Access Server and AccessGate: open, simple, or cert. If transport security is Simple or Cert, include the following parameters and values:
Trust Store: The absolute path of the JKS trust store used for SSL communication between the provider and the Oracle Access Server.
Key Store: The absolute path of the JKS key store used for SSL communication between the provider and the Oracle Access Server.
Key Store Pass Phrase: The password to access the key store.
Simple mode pass phrase: The password shared by AccessGate and Access Server for simple communication modes.
Secondary Access Server: The host:port of the secondary Access Server that is associated with this AccessGate in the Access System Console.
Maximum Access Server Connections in Pool: The maximum number of connections that the AccessGate opens to the Access Server. The default value is 10.
Minimum Access Server Connections in Pool: The minimum number of connections that the Authentication Provider uses to send authentication requests to the Access Server. The default value is 5.
Note: You might have only one AccessGate configuration profile for the Authenticator.
f. Ensure that the parameter Control Flag is set to OPTIONAL initially.
7. In the Change Center, click Activate Changes.
8. DefaultAuthenticator: Under the Providers tab, select DefaultAuthenticator and change its control flag to SUFFICIENT.
9. Reorder: Under the Providers tab, reorder the providers so that DefaultAuthenticator is first and OAMAuthenticator follows DefaultAuthenticator.
Note: The Maximum Access Server Connections in Pool and Minimum Access Server Connections in Pool settings in the WebLogic Administration Console are different from the Maximum or Minimum Connections specified in profiles within the Access System Console.
See Also: Oracle Access Manager Authentication Provider Parameter List on page 16-14 for descriptions and values of the common and provider-specific parameters.
Note: Do not set the parameter Control Flag to REQUIRED until you have verified that the Authentication Provider is operational and configured correctly.
10. Oracle Access Manager Authenticator REQUIRED or the Only Authenticator: Perform the following steps to set user rights for booting Oracle WebLogic Server.
Note: If the Oracle Access Manager Authenticator flag is set to REQUIRED, or if the Oracle Access Manager Authenticator is the only Authentication Provider, perform the following steps to ensure that the LDAP user who boots Oracle WebLogic Server is included in the administrator group that can perform this task. By default the Oracle WebLogic Server Admin Role includes the Administrators group.
Note: To provide access to any other group, you must create that group in the directory server and add the user who boots WebLogic Server to that group.
a. Create an Administrators group in the directory server, if one does not already exist, or any other group for which you want boot access.
b. Confirm that the LDAP user who boots Oracle WebLogic Server is included in the Administrators or other group.
c. From the WebLogic Administration Console, go to Security Realms, myrealm, Roles and Policies, Global Roles.
d. Select View Conditions for the Admin Role.
e. Add the group and click Save.
11. Reboot the WebLogic Server.
12. Once the server has started, reset the Authentication Provider parameter Control Flag to the appropriate value: REQUIRED, OPTIONAL, or SUFFICIENT.
13. Proceed with Configuring the Application Authentication Method for the Authenticator.
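The ordering and control-flag choices in the procedure above (DefaultAuthenticator SUFFICIENT before OAMAuthenticator OPTIONAL, and the warning against REQUIRED before the boot user's group is in the Admin role) follow from the standard JAAS stacking rules. The following is an added example, not code from the Oracle guide or from WebLogic, that models those rules in Python and runs three provider arrangements against constructed users. The user names, group sets and provider names (OAMAuthN, DefaultAuthenticator) are sample data chosen for the illustration; the stand-in for the embedded LDAP and for the directory behind OAM is a dictionary, not a real lookup.

```python
"""Added example (not from the Oracle guide): a model of how WebLogic combines
the results of an ordered list of Authentication Providers under the standard
JAAS control-flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL).

All user names, group names and provider data below are constructed sample
data, not values from the guide.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

# Constructed sample stores. The boot user "weblogic" lives only in the
# embedded LDAP; "alice" and "bob" exist only in the directory behind OAM, and
# their group sets stand in for what the obmygroups return action yields.
EMBEDDED_LDAP_GROUPS = {"weblogic": {"Administrators"}}
OAM_DIRECTORY_GROUPS = {"alice": {"Administrators", "managers"}, "bob": {"managers"}}
ADMIN_ROLE_GROUPS = {"Administrators"}   # default membership of the WebLogic Admin role


def default_authenticator(user):
    return user in EMBEDDED_LDAP_GROUPS


def oam_authenticator(user):
    return user in OAM_DIRECTORY_GROUPS


def evaluate_login_stack(providers, user):
    """Apply the JAAS stacking rules to providers = [(name, flag, authenticate), ...].

    Returns (overall_success, names_of_providers_consulted).
    """
    consulted = []
    has_required = False   # at least one REQUIRED/REQUISITE provider in the stack
    required_ok = True     # no REQUIRED/REQUISITE provider has failed so far
    optional_ok = False    # some SUFFICIENT/OPTIONAL provider succeeded
    for name, flag, authenticate in providers:
        consulted.append(name)
        ok = authenticate(user)
        if flag in (REQUIRED, REQUISITE):
            has_required = True
            if not ok:
                required_ok = False
                if flag == REQUISITE:
                    return False, consulted      # REQUISITE failure stops the stack
        elif flag == SUFFICIENT:
            if ok and required_ok:
                return True, consulted           # short-circuit: later providers are not consulted
            optional_ok = optional_ok or ok
        elif flag == OPTIONAL:
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown control flag {flag!r} for {name}")
    return (required_ok if has_required else optional_ok), consulted


def can_boot(providers, user):
    """The boot check that step 10 protects: the user must authenticate through
    the stack and must belong to a group mapped to the Admin role.
    (Simplification: groups from both stores are unioned here; a real realm
    uses the groups asserted by the providers that actually ran.)"""
    ok, _ = evaluate_login_stack(providers, user)
    if not ok:
        return False
    groups = EMBEDDED_LDAP_GROUPS.get(user, set()) | OAM_DIRECTORY_GROUPS.get(user, set())
    return bool(groups & ADMIN_ROLE_GROUPS)


def recommended_stack():
    """The arrangement from the procedure: DefaultAuthenticator SUFFICIENT first, OAMAuthN OPTIONAL second."""
    return [("DefaultAuthenticator", SUFFICIENT, default_authenticator),
            ("OAMAuthN", OPTIONAL, oam_authenticator)]


def oam_only_required_stack():
    """OAMAuthN as the only provider, with Control Flag REQUIRED."""
    return [("OAMAuthN", REQUIRED, oam_authenticator)]


def oam_first_required_stack():
    """OAMAuthN REQUIRED and placed before DefaultAuthenticator."""
    return [("OAMAuthN", REQUIRED, oam_authenticator),
            ("DefaultAuthenticator", SUFFICIENT, default_authenticator)]


if __name__ == "__main__":
    for label, stack in [("recommended", recommended_stack()),
                         ("oam-only REQUIRED", oam_only_required_stack()),
                         ("oam-first REQUIRED", oam_first_required_stack())]:
        for user in ("weblogic", "alice", "bob", "mallory"):
            ok, consulted = evaluate_login_stack(stack, user)
            print(f"{label:20} {user:9} login={ok!s:5} boot={can_boot(stack, user)!s:5} via {consulted}")
```

Running it shows the two failure modes the notes warn about: with OAMAuthN REQUIRED and the boot user absent from OAM's directory, the boot user cannot log in at all (and so the server cannot start), and with the recommended stack the embedded-LDAP boot user succeeds on DefaultAuthenticator without OAMAuthN ever being consulted, while OAM-only users still authenticate through the OPTIONAL provider.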
16.5.4 Configuring the Application Authentication Method for the Authenticator
This topic describes how to create the application authentication method for the Oracle Access Manager Authenticator.
When you use the Oracle Access Manager Authenticator, all web.xml files in the application EAR file must specify BASIC in the auth-method element for the appropriate realm.
The auth-method can take the value BASIC or FORM. While these look like similar values in Oracle Access Manager, the auth-method specified in web.xml files is used by Oracle WebLogic Server, not by Oracle Access Manager.
To configure the application authentication method for the Authenticator
1. Locate the web.xml file in the application EAR file: WEB-INF/web.xml
2. Locate the auth-method in login-config and enter BASIC. For example:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>protected</web-resource-name>
        <url-pattern>/servlet</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>auth-users</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
      <description>Authenticated Users</description>
      <role-name>auth-users</role-name>
    </security-role>
Note: For the Oracle Access Manager Authenticator, Oracle recommends auth-method BASIC in login-config within web.xml.
Note: The recommended value for the Control Flag is REQUIRED. To prevent a known issue, see JAAS Control Flag on page 16-74.
See Also: Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server
3. Save the file.
4. Redeploy and restart the application.
5. Repeat for each web.xml file in the application EAR file.
6. Proceed with Mapping the Authenticated User to a Group in LDAP.
16.5.5 Mapping the Authenticated User to a Group in LDAP
This topic describes how to map the authenticated user to a group in LDAP. To do this, you must edit the weblogic.xml file. For example, you might need to map your role-name auth-users to a group named managers in LDAP.
To map the authenticated user to a group in LDAP for the Oracle Access Manager Authenticator
1. Go to the application's weblogic.xml file.
2. Add the following information for your environment anywhere in the file:
    <weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app http://www.bea.com/ns/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd"
      xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
      <security-role-assignment>
        <principal-name>managers</principal-name>
        <role-name>auth-users</role-name>
      </security-role-assignment>
    </weblogic-web-app>
3. Save the file.
4. Restart the WebLogic Server.
5. Proceed to:
■ Configuring Global Logout for Oracle Access Manager 10g and 10g WebGates
■ Testing the Oracle Access Manager Authenticator Implementation
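Sections 16.5.4 and 16.5.5 each end with a step that has to be repeated for every web module in the EAR, and a module left on FORM, or a constrained role that weblogic.xml never maps to an LDAP group, only shows up as a valid user being denied access. The following is an added example, not code from the Oracle guide or from any Oracle tool, of a Python check that reads a web.xml and its weblogic.xml and reports both conditions, with a helper that rewrites auth-method to BASIC. The two sample documents are constructed from the structure the guide shows (role auth-users, LDAP group managers); the function names are this example's own.

```python
"""Added example (not from the Oracle guide or any Oracle tool): checks that a
web module's web.xml and weblogic.xml follow sections 16.5.4 and 16.5.5.
The sample documents below are constructed for the illustration.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a {namespace} prefix so the files can be read whether or not they
    declare a default namespace (weblogic.xml normally does)."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every descendant of elem whose local name is name."""
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]


def _constrained_roles(root):
    """Role names referenced by any auth-constraint in web.xml."""
    roles = set()
    for e in root.iter():
        if _local(e.tag) == "auth-constraint":
            roles.update(_texts(e, "role-name"))
    return roles


def check_web_xml(web_xml_text):
    """Findings for one web.xml; an empty list means it passes."""
    root = ET.fromstring(web_xml_text)
    findings = []
    methods = _texts(root, "auth-method")
    if not methods:
        findings.append("no <login-config>/<auth-method> element")
    for m in methods:
        if m != "BASIC":
            findings.append(f"auth-method is {m!r}, expected 'BASIC'")
    declared = set()
    for e in root.iter():
        if _local(e.tag) == "security-role":
            declared.update(_texts(e, "role-name"))
    for role in sorted(_constrained_roles(root) - declared):
        findings.append(f"role {role!r} used in <auth-constraint> but not declared in <security-role>")
    return findings


def set_basic_auth_method(web_xml_text):
    """Return web_xml_text with every auth-method set to BASIC (the corrected form)."""
    root = ET.fromstring(web_xml_text)
    for e in root.iter():
        if _local(e.tag) == "auth-method":
            e.text = "BASIC"
    return ET.tostring(root, encoding="unicode")


def role_assignments(weblogic_xml_text):
    """role-name -> set of principal-names declared in weblogic.xml."""
    root = ET.fromstring(weblogic_xml_text)
    mapping = {}
    for e in root.iter():
        if _local(e.tag) == "security-role-assignment":
            for role in _texts(e, "role-name"):
                mapping.setdefault(role, set()).update(_texts(e, "principal-name"))
    return mapping


def check_role_mapping(web_xml_text, weblogic_xml_text):
    """Roles constrained in web.xml that weblogic.xml never maps to a principal."""
    constrained = _constrained_roles(ET.fromstring(web_xml_text))
    mapping = role_assignments(weblogic_xml_text)
    return sorted(r for r in constrained if not mapping.get(r))


# Constructed sample: a web.xml still using FORM, which the check flags.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/servlet</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>auth-users</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role>
    <description>Authenticated Users</description>
    <role-name>auth-users</role-name>
  </security-role>
</web-app>"""

# Constructed sample weblogic.xml mapping auth-users to the LDAP group managers.
SAMPLE_WEBLOGIC_XML = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
  <security-role-assignment>
    <principal-name>managers</principal-name>
    <role-name>auth-users</role-name>
  </security-role-assignment>
</weblogic-web-app>"""

if __name__ == "__main__":
    print("web.xml findings:", check_web_xml(SAMPLE_WEB_XML))
    print("after fix:", check_web_xml(set_basic_auth_method(SAMPLE_WEB_XML)))
    print("unmapped roles:", check_role_mapping(SAMPLE_WEB_XML, SAMPLE_WEBLOGIC_XML))
```

To use it against a real EAR, unpack the archive and call check_web_xml and check_role_mapping on each WEB-INF/web.xml together with the weblogic.xml beside it; namespaces are stripped during matching, so a web.xml that declares the Java EE namespace is handled the same way as the bare example in the guide.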
16.5.6 Testing the Oracle Access Manager Authenticator Implementation
After performing all tasks to implement the Authenticator, you can test it by attempting to log in to the application using valid credentials. If the configuration is
incorrect, a valid user is denied access.
The following procedure describes how to test your Authenticator setup. Alternatively, you can run Access Tester in Oracle Access Manager to test your policy domain, as
described in the Oracle Access Manager Access Administration Guide.
To validate the Oracle Access Manager Authenticator implementation
1. Enter the URL to access the protected resource in your environment. For example: http://yourdomain.com:port/
2. Provide appropriate credentials when the login form appears.
■ Successful: The implementation works.