Synchronizing the User and SSO Sessions: SSO Synchronization Filter

Configuring Single Sign-On Using Oracle Access Manager 10g 16-3

■ Hostname: The name of the computer where the WebGate/AccessGate is or will be installed. With OAMCfgTool, the app_domain value is used as the host name.
■ AccessGate Password: A unique password to verify and identify the component. This prevents unauthorized AccessGates from connecting to Access Servers and obtaining policy information. With OAMCfgTool, this is specified with the app_agent_password parameter. This should differ for each WebGate/AccessGate instance.
■ Transport Security: The level of transport security between the Access Server and associated WebGates (these must match). The default value is Open. You can specify a different value with the OAMCfgTool oam_aaa_mode value.
■ Preferred HTTP Host: The host name as it appears in all HTTP requests as users attempt to access the protected Web server. The host name in the HTTP request is translated into the value entered into this field, regardless of the way it was defined in a user's HTTP request. With OAMCfgTool, the Preferred HTTP Host is the app_domain value. The Preferred Host function prevents security holes that can be inadvertently created if a host's identifier is not included in the Host Identifiers list. However, it cannot be used with virtual Web hosting. For virtual hosting, you must use the Host Identifiers feature.
■ Primary HTTP Cookie Domain: The Web server domain on which the WebGate is deployed. The cookie domain is required to enable single sign-on among Web servers; each must have the same Primary HTTP Cookie Domain value. Use the cookie_domain parameter with the OAMCfgTool to set this value.

About Administrative Requirements for AccessGate Profiles and Policy Domains

This topic introduces the administrative rights needed for the methods you can use when creating new WebGate and AccessGate profiles and policy domains for Oracle Access Manager.

An Oracle Access Manager Master Access Administrator must create the first policy domain after the policy domain root is defined. He or she can then create policy domains for URLs beneath the first one and delegate administration of those policy domains to other administrators.

Access System Console Method: You must be a Master or Delegated Access Administrator to use the Access System Console to create a new AccessGate profile, associate it with an Access Server, and create an authentication scheme. Master or Delegated Access Administrators can also use the Policy Manager to create a policy domain. The following deployments require this method:
■ Authenticator
■ Identity Asserter when Oracle Web Services Manager is protecting Web services

OAMCfgTool Method: You do not need specific Oracle Access Manager administration rights for OAMCfgTool, which automates creating and associating a WebGate profile and creating a new policy domain. However, this method can be used for only Identity Assertion. In a:
■ Fresh Web Tier: Use OAMCfgTool to streamline creating a new WebGate profile and policy domain for Identity Asserter only. After creating the profile and policy domain with OAMCfgTool, these can be modified in the Access System Console.
■ Existing Web Tier: When one or more WebGates exist in the Web Tier, no new WebGate is needed. However, you can specify an existing host identifier to make newly established policies enforceable by an existing WebGate.

See Also:
■ About Administrative Requirements for AccessGate Profiles and Policy Domains on page 16-3
■ Introduction to OAMCfgTool on page 16-15
■ Configuring WebGates and Access Servers in the Oracle Access Manager Access Administration Guide

16-4 Oracle Fusion Middleware Application Security Guide
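As an added example (not code from the Oracle guide or from OAMCfgTool itself), a Python pre-flight check that applies the profile rules above to a constructed set of WebGate profiles before they are handed to OAMCfgTool: one shared cookie_domain, a distinct app_agent_password per instance, oam_aaa_mode matching the Access Server, and OAMCfgTool use limited to Identity Assertion. The host names, passwords, the "use" field and mode=CREATE are assumptions, and the LDAP and Access Server connection parameters documented on page 16-15 are omitted.

```python
"""Pre-flight checks for WebGate profiles before running OAMCfgTool (constructed example).

Only the parameters this page names (app_domain, app_agent_password, oam_aaa_mode,
cookie_domain) are emitted; mode=CREATE is assumed from the tool's usual syntax.
"""
from collections import Counter

ACCESS_SERVER_MODE = "open"  # transport security set on the Access Servers (assumed)

# Constructed sample: two WebGates that are meant to share one SSO cookie domain.
SAMPLE_PROFILES = [
    {"app_domain": "app1.example.com", "app_agent_password": "pw-app1-placeholder",
     "oam_aaa_mode": "open", "cookie_domain": ".example.com", "use": "identity_asserter"},
    {"app_domain": "app2.example.com", "app_agent_password": "pw-app2-placeholder",
     "oam_aaa_mode": "open", "cookie_domain": ".example.com", "use": "identity_asserter"},
]


def check_profiles(profiles, access_server_mode=ACCESS_SERVER_MODE):
    """Return a list of problems; an empty list means the set follows the page's rules."""
    problems = []
    # SSO among Web servers requires every WebGate to carry the same Primary HTTP Cookie Domain.
    domains = sorted({p["cookie_domain"] for p in profiles})
    if len(domains) > 1:
        problems.append(f"cookie_domain differs across WebGates: {domains}")
    # The AccessGate password identifies one component, so it should differ per instance.
    reused = [pw for pw, n in Counter(p["app_agent_password"] for p in profiles).items() if n > 1]
    if reused:
        problems.append(f"{len(reused)} app_agent_password value(s) reused across WebGates")
    for p in profiles:
        host = p["app_domain"]
        # Transport security must match between a WebGate and its Access Server.
        if p["oam_aaa_mode"] != access_server_mode:
            problems.append(f"{host}: oam_aaa_mode={p['oam_aaa_mode']} but Access Server is {access_server_mode}")
        # Standard cookie scoping: a domain cookie is only sent to hosts inside that domain.
        if not host.endswith(p["cookie_domain"]):
            problems.append(f"{host}: host is not inside cookie_domain {p['cookie_domain']}")
        # OAMCfgTool only sets up Identity Assertion; other deployments use the Access System Console.
        if p["use"] != "identity_asserter":
            problems.append(f"{host}: use={p['use']} needs the Access System Console, not OAMCfgTool")
    return problems


def build_command(profile, jar="oamcfgtool.jar"):
    """Argument list for OAMCfgTool using the page's parameter names (mode=CREATE assumed)."""
    return ["java", "-jar", jar, "mode=CREATE", f"app_domain={profile['app_domain']}",
            f"app_agent_password={profile['app_agent_password']}",
            f"oam_aaa_mode={profile['oam_aaa_mode']}", f"cookie_domain={profile['cookie_domain']}"]
```

Run check_profiles on the full set first and only call build_command for each profile when it returns an empty list.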

16.1.1.2 Installing Components and Files for Authentication Providers and OAM 10g

The following task overview outlines the components and files that must be installed and where to locate more information. Unless specifically stated, all details apply whether you intend to deploy the Identity Asserter for single sign-on, or the Authenticator, or if Oracle Web Services Manager policies are protecting Web services.

Task overview: Installing required components and files for Oracle Access Manager 10g Authentication Provider

Note: If you already have components installed and set up, you do not need to install new ones. Skip any steps that do not apply to your deployment.

1. An Oracle Internet Directory or Oracle Sun One LDAP directory server configured to be used by the Oracle Access Manager Access Server. Ensure that the directory server is tuned for your deployment.

   See Also: The following Release 11g (11.1.1.1.0) manuals
   ■ Oracle Fusion Middleware Installation Guide for Oracle Identity Management
   ■ Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

2. Install and set up Oracle WebLogic Server 10.3.1+.

   See Also: Item 3 in this list, and the Oracle Fusion Middleware Getting Started With Installation for Oracle WebLogic Server

See Also:
■ Introduction to OAMCfgTool on page 16-15
■ Installing Components and Files for Authentication Providers and OAM 10g
■ Configuring WebGates and Access Servers in the Oracle Access Manager Access Administration Guide

3. Optional: Install a Fusion Middleware product (Oracle Identity Manager, Oracle SOA Suite, or Oracle Web Center, for example):

   a. Confirm the location of required JAR files in the following Fusion Middleware path:
      ORACLE_INSTANCE\modules\oracle.oamprovider_11.1.1\oamAuthnProvider.jar
      ORACLE_INSTANCE\modules\oracle.oamprovider_11.1.1\oamcfgtool.jar
   b. Locate the console-extension WAR file in the following path:
      ORACLE_INSTANCE\modules\oracle.oamprovider_11.1.1\oamauthenticationprovider.war
   c. Copy the WAR file to the following path in the WebLogic Server home:
      WL_HOME\server\lib\console-ext\autodeploy\oamauthenticationprovider.war

   Note: Without a Fusion Middleware application, you must acquire the required JAR and WAR files as described in later procedures.

4. Install OHS 11g for the Oracle Access Manager 10g (10.1.4.3) WebGate, if needed:
   ■ Authenticator or Oracle Web Services Manager: No Web server is required for the custom AccessGate. The protected resource is accessed using its URL on the Oracle WebLogic Server.
   ■ Oracle Access Manager Identity Asserter: Requires Oracle HTTP Server 11g Web server configured as a reverse proxy in front of Oracle WebLogic Server.

5. Install Oracle Access Manager 10g (10.1.4.3) components and perform initial setup as follows:

   a. Install an Identity Server; install a WebPass; set up the Identity System.
   b. Install and set up Policy Manager. Ensure that the policy protecting the Policy Manager, /access, is created and enabled, as well as the default authentication schemes.
   c. Install Access Servers (one as a primary server and one as a secondary server for WebGate).
      – Add an Access Server configuration profile in the Access System Console for the primary server for WebGate. Ensure that the Access Management Service is On (also known as Policy Manager API Support Mode).
      – Add a secondary Access Server configuration profile with the Access Management Service On.
      – Install the primary Access Server instance and then install the secondary Access Server instance.

      Note: Only one secondary Access Server is supported.

   d. WebGate for Identity Asserter for Single Sign-On: In an existing Web Tier with one or more WebGates, no new WebGates or profiles are needed.

See Also: About Oracle Access Manager 10g Installation and Setup on page 16-2