Configuring Oracle Web Services Manager Policies for Web Services

16-68 Oracle Fusion Middleware Application Security Guide

■ Application Session Time Out: SSO cookies typically track user inactivity (idle time) and force users to log in again when a time out occurs. OSSO and Oracle Access Manager are no exception. Oracle Access Manager takes a sophisticated approach to this and specifically tracks Maximum Idle Session Time and Longest Idle Session Time, along with the SSO session creation time and the time when the session was last refreshed. The general recommendation for applications that maintain their own sessions when integrating with SSO systems is to configure their session time outs close to those of the SSO session, so that the user experience remains consistent across SSO and application session time outs.

You can alter the behavior of the SSO Sync Filter for application requirements by passing various overriding system properties to WebLogic. To do this, change the Oracle WebLogic startup script: look for EXTRA_JAVA_PROPERTIES in setDomainEnv.sh. The properties and the corresponding Sync behavior are shown in Table 16–12.

You cannot enable the filter for selected applications. The SSO Sync Filter is a system filter. As such, it is activated for all deployed applications (the URI mapping is ).

The following procedure gives some tips about modifying the SSO Sync Filter properties and behavior.

To modify the SSO Sync Filter properties and behavior

1. Disable the Filter: Change the system property sso.filter.enable to false (pass it as a -D option to the JVM, that is -Dsso.filter.enable=false) and restart the Oracle WebLogic Server. This toggles the filter status.

2. User-Identifying Header Differs from Pre-Configured Sync Filter Tokens: Override the SSO token that the Sync Filter looks for using the system property sso.filter.ssotoken. For example, pass -Dsso.filter.ssotoken=HEADERNAME to the WebLogic Server JVM in the WebLogic Server startup script, and restart the server.

Table 16–12 SSO Sync Filter Properties and Sync Behavior

Area                        | Overriding System Property   | Default Value of System Property | Default Behavior of the Sync Filter
----------------------------|------------------------------|----------------------------------|------------------------------------
Status (Active or Inactive) | sso.filter.enable            | Not configured                   | Enabled
Case sensitive matches      | sso.filter.name.exact.match  | Not configured                   | Case Ignore Match
Configured Tokens           | sso.filter.ssotoken          | Not configured                   | ■ OSSO: Look for Proxy-Remote-User
                            |                              |                                  | ■ Oracle Access Manager: Look for OAM_REMOTE_USER and REMOTE_USER. OAM_REMOTE_USER takes precedence.
URI Mappings                | Not Applicable               | Not Applicable                   | Note: You cannot enable the filter for selected applications.

Configuring Single Sign-On Using Oracle Access Manager 10g 16-69

When you contact Oracle Support you might be requested to set up debugging, as described in Setting Up Debugging in the WebLogic Administration Console on page 14-13.

16.8 Troubleshooting Tips for OAM Provider Deployments

This section contains the following topics:

■ About Using IPv6
■ Apache Bridge Failure: Timed Out
■ Authenticated User with Access Denied
■ Browser Back Button Results in Error
■ Cannot Reboot After Adding OAM and OID Authenticators
■ Client in Cluster with Load-Balanced WebGates
■ Error 401: Unable to Access the Application
■ Error 403: Unable to Access the Application
■ Error 404: Not Found ... Anything Matching the Request URI
■ Error Issued with the Action URL in Form Login Page
■ Error or Failure on Oracle WebLogic Server Startup
■ JAAS Control Flag
■ Login Form is Shown Repeatedly Upon Credential Submission: No Error
■ Logout and Session Time Out Issues
■ Not Found: The requested URL or Resource Was Not Found
■ Oracle WebLogic Server Fails to Start
■ Oracle ADF Integration and Cert Mode

16.8.1 About Using IPv6

Oracle Fusion Middleware and Oracle Access Manager support Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6). Among other features, IPv6 supports a larger address space (128 bits) than IPv4 (32 bits), providing an exponential increase in the number of computers that can be addressable on the Web.

See Also: Oracle Fusion Middleware Administrator's Guide for details about using IPv6.

16.8.2 Apache Bridge Failure: Timed Out

If you experience a failure of the Apache bridge, you might see a message stating that there is no back-end server available for connection. In this case, the connection times out. The Oracle WebLogic Server might be down, or there might be incorrect values set in mod_weblogic.

See Also: Setting Up Debugging in the WebLogic Administration Console on page 14-13

To recover from an Apache Bridge Failure

1. Check the Oracle WebLogic Server to ensure that it is available.

2. Confirm that host and port information is specified correctly in the WebGate's Web server httpd.conf. For example, in ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf:

    <IfModule mod_weblogic.c>
        WebLogicHost yourHost.yourDomain.com
        WebLogicPort yourWlsPortNumber
    </IfModule>
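The two recovery steps above, as an added example that is not part of the original guide: a POSIX shell script that reads WebLogicHost and WebLogicPort out of the mod_weblogic.c block of an httpd.conf and then tests whether that listener accepts a TCP connection. The httpd.conf fragment is constructed for the example, and the reachability check assumes nc(1) is installed.

```shell
#!/bin/sh
# Constructed httpd.conf fragment standing in for
# ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf (path layout as described in the guide).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not taken from a real installation
<IfModule mod_weblogic.c>
    WebLogicHost yourHost.yourDomain.com
    WebLogicPort 7001
</IfModule>
EOF

# weblogic_target FILE: print "host port" taken from the mod_weblogic.c block.
# Returns 1 when either directive is missing, which is one misconfiguration
# behind the "no back-end server available for connection" time-out.
weblogic_target() {
    awk '
        /<IfModule[ \t]+mod_weblogic\.c>/ { inblock = 1; next }
        /<\/IfModule>/                    { inblock = 0 }
        inblock && $1 == "WebLogicHost"   { host = $2 }
        inblock && $1 == "WebLogicPort"   { port = $2 }
        END { if (host == "" || port == "") exit 1; print host, port }
    ' "$1"
}

# check_backend FILE: recovery step 1, is the configured WebLogic listener up?
# Exit status: 0 reachable, 1 not reachable, 2 host/port missing from the config.
check_backend() {
    target=$(weblogic_target "$1") || { echo "mod_weblogic host/port missing in $1" >&2; return 2; }
    set -- $target
    if nc -z -w 5 "$1" "$2" 2>/dev/null; then
        echo "WebLogic listener $1:$2 accepts connections"
    else
        echo "WebLogic listener $1:$2 not reachable: server down or wrong host/port" >&2
        return 1
    fi
}

# Show what the parser extracts from the constructed sample.
weblogic_target "$SAMPLE_CONF"
```

Run check_backend against the real httpd.conf path; a status of 2 points at step 2 of the procedure (wrong or missing directives), a status of 1 at step 1 (server not listening).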

16.8.3 Authenticated User with Access Denied

It is possible that an authenticated user does not have access rights to the requested resource. If a user login is inconclusive or invalid, the user can be authenticated but not recognized as authorized for the requested resource. In this case, no explicit error message states the issue. Instead, the user is prompted to log in again.

16.8.4 Browser Back Button Results in Error

After successful authentication, if you click the Back button in the browser window, you might get an error for /access/oblix/apps/webgate/bin/webgate.so. When form-based authentication is used, Oracle Access Manager creates a form login cookie that holds information about the requested resource. On successful authentication, the state of the cookie changes. When the user clicks the Back button, the login form appears. When it is re-posted, the form login cookie no longer holds redirection details. The ObSSOCookie is also sent with the form login cookie, and the ObSSOCookie is correctly checked. Because the form login cookie state has changed, form-based authentication does not occur and the form action is treated as a request for the resource.

Solution: Retry the request using the original URL.

16.8.5 Cannot Reboot After Adding OAM and OID Authenticators

If the Oracle Access Manager Authenticator flag is set to REQUIRED, or if the Oracle Access Manager Authenticator is the only Authentication Provider, perform the following procedure to ensure that the LDAP user who boots Oracle WebLogic Server is included in the administrator group that is allowed to perform this task. By default the Oracle WebLogic Server Admin Role includes the Administrators group. To provide access to any other group, you must create that group in the directory server and add the user who boots WebLogic Server to that group.

To ensure you can restart the WebLogic Server

1. Create an Administrators group in the directory server, if one does not already exist (or any other group for which you want boot access).

2. Confirm that the LDAP user who boots Oracle WebLogic Server is included in the Administrators group or the other group you chose.