Previewing Pre-Seeded OAM 11g Policies for Use by the OAM 10g AccessGate

15-10 Oracle Fusion Middleware Application Security Guide

During remote registration, you must provide the details discussed in Table 15–2.

15.2.2.2 Provisioning a WebGate with Oracle Access Manager 11g

Provisioning a WebGate or AccessGate involves the same steps. You can provision a new instance for use with the Authentication Provider, or you can refer to an existing registration when configuring the provider. In this example, an OAM 10g WebGate is provisioned using the OAMRequest_short.xml template. The registered agent is named my-wl-agent1, protecting ..., and declaring a public resource, /public/index.html. Your values will be different.

Table 15–1 Provisioning Methods for OAM 11g

Method: Oracle Access Manager Administration Console
Description: Enables OAM Administrators to manually enter information and set parameters directly in Oracle Access Manager. This method is required if you are using the Authenticator, or if you have Oracle Web Services Manager policies protecting Web services.

Method: Remote Registration
Description: Application administrators who are implementing the Identity Asserter for single sign-on can register the WebGate using the command line. This also creates a new application domain with security policies for a fresh or existing Web Tier. Required parameters are provisioned using values for your environment specified in a template. Default values are accepted for non-required parameters. After registration, values can be modified in the Oracle Access Manager Console.

See Also: Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service for a complete list of WebGate parameters.

Table 15–2 Required Registration Details for OAM Agents

OAM Agent Element: serverAddress
Description: Points to a running instance of the Oracle Access Manager Administration Console, including the host and port.

OAM Agent Element: webDomain (OSSO requests only)
Description: Defines the Web server domain under which the Agent Base URL is stored internally.

OAM Agent Element: agentName
Description: Defines a unique identifier for the agent on the OAM Administration Server. For every agent on the same server instance, this tag must be unique to avoid re-registering the same agent. Re-registering an agent on the same server instance is not supported.

OAM Agent Element: hostIdentifier
Description: This identifier represents the Web server host. The field is filled in automatically when you specify a value for the OAM Agent Name. If an agent name or host identifier of the same name already exists, an error occurs during registration.

OAM Agent Element: protectedResourcesList
Description: Specifies the resource URLs that you want the OAM Agent to protect with some authentication scheme. The resource URLs should be relative paths to the agentBaseUrl.

OAM Agent Element: publicResourcesList
Description: Specifies the resource URLs that you want to keep public (not protected by the OAM Agent). The resource URLs should be relative paths to the agentBaseUrl. For instance, you might want to specify the Home page or the Welcome page of your application.

Configuring Single Sign-On with Oracle Access Manager 11g 15-11

To provision a WebGate with OAM 11g

1. Acquire the Tool: On the computer to host the WebGate, acquire the remote registration tool and set up the script for your environment. For example:

   a. Locate the RREG.tar.gz file in the following path:
      WLS_home/Middleware/domain_home/oam/server/rreg/client/RREG.tar.gz

   b. Untar the RREG.tar.gz file to any suitable location. For example: rreg/bin/oamreg.

   c. In the oamreg script, set the following environment variables based on your situation (client side or server side) and the information in Table 6–7 in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service:
      OAM_REG_HOME = exploded_dir_for_RREG.tar/rreg
      JDK_HOME = Java_location_on_the_computer

2. Create the registration request:

   a. Locate the Request_short.xml file and copy it to a new location and name. For example:
      WLS_home/Middleware/domain_home/oam/server/rreg/bin/oamreg
      Copy: OAMRequest_short.xml (or OAM11gRequest.xml)
      To: my-wl-agent1.xml

      Note: When provisioning an OAM 11g WebGate, use the OAM11gRequest_short.xml template.

   b. Edit my-wl-agent1.xml to include details for your environment, and set automatic policy creation to false. For example:

      <OAMRegRequest>
        <serverAddress>http://sample.us.oracle.com:7001</serverAddress>
        <hostIdentifier>my-wl</hostIdentifier>
        <agentName>my-wl-agent1</agentName>
        <primaryCookieDomain>.us.example.com</primaryCookieDomain>
        <autoCreatePolicy>false</autoCreatePolicy>
        <logOutUrls>
          <url>/oamsso/logout.html</url>
        </logOutUrls>
      </OAMRegRequest>

      See Also: "Creating the Registration Request" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

3. Provision the agent. For example:

   a. Locate the remote registration script.
      Linux: rreg/bin/oamreg.sh
      Ensure the script has executable permission: chmod +x oamreg.sh
      Windows: rreg\bin\oamreg.bat

   b. From the directory containing the script, execute the script using inband mode. For example:
      ./bin/oamreg.sh inband input/my-wl-agent1.xml

      Welcome to OAM Remote Registration Tool
      Parameters passed to the registration tool are:
      Mode: inband
      Filename: ...

   c. When prompted, enter the following information using values for your environment:
      Enter your agent username: userame
      Username: userame
      Enter agent password:
      Do you want to enter a Webgate password?(y/n) n
      Do you want to import an URIs file?(y/n) n

   d. Review the final message to confirm that this was a successful registration:
      Inband registration process completed successfully
      Output artifacts are created in the output folder

4. Confirm in the Console: Log in to the Oracle Access Manager Console and review the new registration:

   a. From the OAM 11g Console System Configuration tab, Access Manager Settings section, expand the SSO Agents nodes to search for the agent you just provisioned:
      Access Manager Settings > SSO Agents > OAM Agents > Search

   b. In the Search Results table, click the agent's name to display the registration page and review the details, which you will use later. For example:
      Agent Name: During WebGate installation, enter this as the WebGate ID. If you deploy the custom 10g AccessGate, enter this as the AccessGate Name when configuring the OAM Authentication Provider in the WebLogic Administration Console.
      Access Client Password: During WebGate installation, enter this as the WebGate password. If no password was entered, you can leave the field blank.
      Access Server Host Name: Enter the DNS host name for the primary OAM 11g Server with which this WebGate is registered.

   c. OAM Proxy Port: From the Oracle Access Manager Console, System Configuration tab, Common Configuration section, open Server Instances and locate the port on which the OAM Proxy is running.

5. Ignore the ObAccessClient.xml file, which is created during provisioning, for now.

6. Proceed as needed for your environment:

   ■ Agent is Installed: Go to the appropriate topic for your implementation:
     – Configuring Identity Assertion for SSO with Oracle Access Manager 11g
     – Configuring the Authenticator Function for Oracle Access Manager 11g
     – Configuring Identity Assertion for Oracle Web Services Manager and OAM 11g
     – Configuring Centralized Log Out for Oracle Access Manager 11g

   ■ Agent is Not Installed:
     11g WebGate: See Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
     10g WebGate: See Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
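As an added pre-flight check (not part of this guide or of the oamreg tool), the following Python script validates a registration request such as my-wl-agent1.xml against the details in Table 15–2 and step 2b before the request is submitted; the <resource> child element name inside the two resource lists and the sample request are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements Table 15-2 lists as required registration details.
REQUIRED = ("serverAddress", "agentName", "hostIdentifier")
# Assumed name of the child element inside the two resource lists.
RESOURCE_TAG = "resource"

# Constructed sample, modelled on the my-wl-agent1.xml request above.
SAMPLE_REQUEST = """<OAMRegRequest>
  <serverAddress>http://sample.us.oracle.com:7001</serverAddress>
  <hostIdentifier>my-wl</hostIdentifier>
  <agentName>my-wl-agent1</agentName>
  <primaryCookieDomain>.us.example.com</primaryCookieDomain>
  <autoCreatePolicy>false</autoCreatePolicy>
  <protectedResourcesList><resource>/secure/index.html</resource></protectedResourcesList>
  <publicResourcesList><resource>/public/index.html</resource></publicResourcesList>
</OAMRegRequest>"""

def _resources(root, list_tag):
    # Stripped text of every entry under the given resource list.
    node = root.find(list_tag)
    if node is None:
        return []
    return [(r.text or "").strip() for r in node.findall(RESOURCE_TAG)]

def check_request(xml_text):
    """Return the problems found; an empty list means the request passes."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "OAMRegRequest":
        problems.append("root element must be OAMRegRequest, got " + root.tag)
    for tag in REQUIRED:
        if not (root.findtext(tag) or "").strip():
            problems.append("missing required element: " + tag)
    addr = (root.findtext("serverAddress") or "").strip()
    parsed = urlparse(addr)
    if addr and (parsed.scheme not in ("http", "https") or not parsed.port):
        problems.append("serverAddress must be http(s)://host:port, got " + addr)
    # Step 2b: the request itself must not auto-create policies.
    if (root.findtext("autoCreatePolicy") or "").strip().lower() != "false":
        problems.append("autoCreatePolicy must be false")
    protected = _resources(root, "protectedResourcesList")
    public = _resources(root, "publicResourcesList")
    for res in protected + public:
        if not res.startswith("/") or "://" in res:  # relative to agentBaseUrl
            problems.append("resource must be a relative path: " + res)
    for res in sorted(set(protected) & set(public)):
        problems.append("resource is both protected and public: " + res)
    return problems
```

A path that appears in both lists is flagged because the public list is meant for resources the agent does not protect, so the overlap is ambiguous at best.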

15.2.3 Configuring Identity Assertion for SSO with Oracle Access Manager 11g

This section describes the unique steps needed to configure Oracle Access Manager 11g Identity Assertion for Single Sign-On.

Prerequisites
  Installing the Authentication Provider with Oracle Access Manager 11g
  Provisioning an OAM Agent with Oracle Access Manager 11g

To configure Oracle Access Manager Identity Asserter for single sign-on with your application, perform the tasks as described in the following task overview.

Task overview: Deploying the Identity Asserter for SSO with OAM 11g includes
1. Ensuring that all prerequisite tasks have been performed
2. Establishing Trust with Oracle WebLogic Server
3. Configuring Providers in the WebLogic Domain
4. Reviewing the Login Page for the Oracle Access Manager Identity Asserter
5. Configuring Centralized Log Out for Oracle Access Manager 11g
6. Testing Oracle Access Manager Identity Assertion for Single Sign-on

15.2.3.1 Establishing Trust with Oracle WebLogic Server

The following topics explain the tasks you must perform to set up the application for single sign-on with the Oracle Access Manager Identity Asserter:
■ Setting Up the Application Authentication Method for Identity Asserter for Single Sign-On
■ Confirming mod_weblogic for Oracle Access Manager Identity Asserter
■ Establishing Trust between Oracle WebLogic Server and Other Entities

15.2.3.1.1 Setting Up the Application Authentication Method for Identity Asserter for Single Sign-On

This topic describes how to create the application authentication method for Oracle Access Manager Identity Assertion.

Note: This task is the same for both OAM 11g WebGates and OAM 10g WebGates.