Configuring Single Sign-On Using Oracle Access Manager 10g 16-23
preferred_http_host
Makes the Preferred HTTP Host field of the WebGate profile configurable.
To configure virtual hosts for non-Apache-based Web servers, include this parameter with a value of HOST_HTTP_HEADER, as follows:
java -jar oamcfgtool.jar app_domain=app_domain web_domain=hostid1 ... hostname_variations=vhost1,vhost2 preferred_http_host=HOST_HTTP_HEADER
You can add multiple hostname variations to a host identifier using the hostname_variations and preferred_http_host parameters, as follows:
java -jar oamcfgtool.jar app_domain=app_domain web_domain=hostid1 ... hostname_variations=hostname1,hostname2 preferred_http_host=SOME_HOSTNAME_VARIATION_VALUE
The virtual environment notes apply. Additionally, if the WebGate profile is being created, you can set the Preferred HTTP Host field of the profile to any value from the hostname variations.
Generally, you do not need additional hostname variations when creating a host identifier in a non-virtual host environment. OAMCfgTool adds a default value to the Preferred HTTP Host field of the WebGate profile and to the hostname variations section of the host identifier being created.
Table 16–5 Cont. OAMCfgTool CREATE Mode Parameters and Values
Parameters CREATE Mode Values
default_authn_scheme
Configures the default authentication scheme for a policy domain. You must pass the authentication scheme name as displayed in the Access System Console. OAMCfgTool always provisions the following authentication schemes:
■ OraDefaultBasicAuthNScheme: The default Basic authentication scheme
■ OraDefaultFormAuthNScheme: The default Form authentication scheme
■ OraDefaultI18NFormAuthNScheme: The default i18n authentication scheme
■ OraDefaultAnonAuthNScheme: The default Anonymous authentication scheme
The first time you run the tool in a new deployment, the schemes in the previous list are created. The authentication scheme specified with the default_authn_scheme parameter is used to configure the Default Authentication Rule section of the policy domain being configured.
With the OAM URIs file, you can configure the authentication scheme for each protected policy specified after the keyword protected_uris for the policy domain. You must pass the authentication scheme name in the URIs file in the following format; the policy name and the authentication scheme name must be separated by a tab character:
Policy Name<tab>Authentication Scheme Name
Following is an example of entries in a URIs file (for more information, see the uris_file parameter earlier in this table):
-----------------------------------------------------
protected_uris
protected policy1<tab>Basic Over LDAP
/protected1
/public1/mystuff.html
protected policy2<tab>OraDefaultFormAuthNScheme
/protected2
/public2/prot2
/.../{.js,.png,.gif}
protected policy3<tab>Client Certificate
/protected2
/public2/prot2
/.../{.js,.png,.gif}
------------------------------------------------------
The previous entries in a URIs file produce the following named policies:
■ protected policy1 is configured to use the Basic Over LDAP scheme
■ protected policy2 is configured to use the OraDefaultFormAuthNScheme scheme
■ protected policy3 is configured to use the Client Certificate scheme
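As an added example (not Oracle documentation or OAMCfgTool code), the following Python parser reads a URIs file in the layout described above: a section keyword (protected_uris or public_uris), a policy line whose name and scheme are separated by a tab, then the URIs that policy covers. It rejects a policy line separated by spaces instead of a tab, which could not be told apart from a URI line, and it reports URIs listed under more than one policy, as /protected2 is under protected policy2 and protected policy3 in the sample above. The embedded sample file, the treatment of public_uris sections as having the same layout, and the ValueError behaviour are this example's own assumptions.

```python
"""Parse an OAMCfgTool-style URIs file into named policies (added example, not Oracle code)."""
from __future__ import annotations

from dataclasses import dataclass, field

SECTION_KEYWORDS = ("protected_uris", "public_uris")

# Constructed sample mirroring the entries shown in Table 16-5 (tabs written as \t).
SAMPLE_URIS_FILE = (
    "-----------------------------------------------------\n"
    "protected_uris\n"
    "protected policy1\tBasic Over LDAP\n"
    "/protected1\n"
    "/public1/mystuff.html\n"
    "protected policy2\tOraDefaultFormAuthNScheme\n"
    "/protected2\n"
    "/public2/prot2\n"
    "/.../{.js,.png,.gif}\n"
    "protected policy3\tClient Certificate\n"
    "/protected2\n"
    "/public2/prot2\n"
    "/.../{.js,.png,.gif}\n"
    "------------------------------------------------------\n"
)


@dataclass
class Policy:
    name: str
    scheme: str                 # authentication scheme name as shown in the Access System Console
    section: str                # keyword the policy appeared under: protected_uris or public_uris
    uris: list[str] = field(default_factory=list)


def parse_uris_file(text: str) -> list[Policy]:
    """Return the policies in file order; raises ValueError on a malformed line."""
    policies: list[Policy] = []
    section: str | None = None
    current: Policy | None = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or set(line) <= {"-", "#"}:
            continue                                   # blank line or separator rule
        if line in SECTION_KEYWORDS:
            section, current = line, None              # new section; a policy line must follow
            continue
        if section is None:
            raise ValueError(f"line {lineno}: entry before any protected_uris/public_uris keyword")
        if "\t" in line:
            # Policy line: "Policy Name<tab>Authentication Scheme Name" (Table 16-5).
            name, scheme = (part.strip() for part in line.split("\t", 1))
            if not name or not scheme:
                raise ValueError(f"line {lineno}: policy line needs both a name and a scheme")
            current = Policy(name, scheme, section)
            policies.append(current)
            continue
        if current is None:
            # A space-separated "policy name scheme" line ends up here: without the tab
            # it cannot be told apart from a URI, so it is rejected instead of guessed at.
            raise ValueError(f"line {lineno}: {line!r} is not under a tab-separated policy line")
        current.uris.append(line)
    return policies


def find_overlapping_uris(policies: list[Policy]) -> dict[str, list[str]]:
    """URIs listed under more than one policy, mapped to those policy names (file order)."""
    seen: dict[str, list[str]] = {}
    for policy in policies:
        for uri in policy.uris:
            seen.setdefault(uri, []).append(policy.name)
    return {uri: names for uri, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    parsed = parse_uris_file(SAMPLE_URIS_FILE)
    for p in parsed:
        print(f"{p.section}: {p.name!r} -> {p.scheme!r}, {len(p.uris)} URI(s)")
    for uri, names in find_overlapping_uris(parsed).items():
        print(f"{uri} is listed under {', '.join(names)}")
```

Running it on the sample prints the three policies with their schemes and flags /protected2, /public2/prot2 and the pattern line as appearing under both protected policy2 and protected policy3, which is worth a second look before the file is handed to OAMCfgTool, since the two policies use different authentication schemes.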
max_oam_connections
Supports high availability and multiple Access Servers by specifying the maximum number of connections (the Maximum Connections field) for the WebGate profile being created.

primary_oam_servers
Supports high availability and multiple Access Servers by configuring the WebGate profile with more than one primary Access Server. The format of this parameter is:
■ Colons join each Access Server name with the number of connections to the WebGate. For example: primary_oam_servers=aaaid1:3. If no numeric value is specified, the default is 1.
■ Comma-separated list of Access Server names and the number of connections to the WebGate. For example: primary_oam_servers=aaaid1:3,aaaid2:1,aaaid3,aaaid4:2
Notes:
■ Access Server IDs must exist within OAM and must be unique (no duplicates, and not present in both primary and secondary values).
■ Transport Security mode of WebGate and Access Servers must match.
■ The Access Management Service mode of WebGate and Access Server must match.

secondary_oam_servers
Supports high availability and multiple Access Servers by configuring the WebGate profile with more than one secondary Access Server. The format of this parameter is:
■ Colons join each Access Server name with the number of connections to the WebGate. For example: secondary_oam_servers=aaaid1:3. If no numeric value is specified, the default is 1.
■ Comma-separated list of Access Server names and the number of connections to the WebGate. For example: secondary_oam_servers=aaaid1:3,aaaid2:1,aaaid3,aaaid4:2
Notes:
■ Access Server IDs must exist within OAM and must be unique (no duplicates, and not present in both primary and secondary values).
■ Transport Security mode of WebGate and Access Servers must match.
■ The Access Management Service mode of WebGate and Access Server must match.

16.3.2.1.1 OIM Integration-Related Parameters and Values
Table 16–6 identifies OIM integration-related parameters and values for OAMCfgTool.
See Also: The section on integrating Oracle Access Manager 10g with Oracle Identity Manager 11g in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management
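Before the OIM parameters, an added example for the primary_oam_servers and secondary_oam_servers syntax given in Table 16–5 above (example code, not OAMCfgTool's own). It parses a value such as aaaid1:3,aaaid2:1,aaaid3,aaaid4:2 into server IDs and connection counts, applies the default of 1, and enforces the two notes from the table: IDs must be unique, and no ID may appear in both the primary and the secondary list. The optional comparison of the summed connection counts against max_oam_connections is an assumption of this example, not a rule the table states.

```python
"""Parse and validate OAMCfgTool primary_oam_servers / secondary_oam_servers values
(added example, not Oracle code)."""
from __future__ import annotations


def parse_server_list(value: str) -> dict[str, int]:
    """'aaaid1:3,aaaid2:1,aaaid3,aaaid4:2' -> {'aaaid1': 3, 'aaaid2': 1, 'aaaid3': 1, 'aaaid4': 2}.

    Syntax from Table 16-5: comma-separated Access Server IDs, each optionally
    followed by ':<connections>'; an omitted count defaults to 1; IDs must be unique.
    """
    servers: dict[str, int] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty entry in {value!r}")
        server_id, sep, count = item.partition(":")
        if not server_id:
            raise ValueError(f"missing Access Server ID in {item!r}")
        if sep and not count.isdigit():            # 'aaaid1:' or 'aaaid1:x' is malformed
            raise ValueError(f"connection count must be a positive integer: {item!r}")
        connections = int(count) if sep else 1     # default of 1 when no count is given
        if connections < 1:
            raise ValueError(f"connection count must be at least 1: {item!r}")
        if server_id in servers:
            raise ValueError(f"duplicate Access Server ID {server_id!r}")
        servers[server_id] = connections
    return servers


def validate_webgate_servers(primary: str, secondary: str = "",
                             max_connections: int | None = None) -> dict:
    """Check both lists together: no ID may appear in both (note in Table 16-5).

    Comparing the summed connection counts with max_oam_connections is an
    assumption of this example, not a rule stated in the table.
    """
    primary_servers = parse_server_list(primary)
    secondary_servers = parse_server_list(secondary) if secondary else {}
    overlap = sorted(set(primary_servers) & set(secondary_servers))
    if overlap:
        raise ValueError(f"Access Server IDs in both primary and secondary lists: {overlap}")
    total = sum(primary_servers.values()) + sum(secondary_servers.values())
    if max_connections is not None and total > max_connections:
        raise ValueError(f"{total} connections requested but max_oam_connections={max_connections}")
    return {"primary": primary_servers, "secondary": secondary_servers, "total_connections": total}


if __name__ == "__main__":
    print(validate_webgate_servers("aaaid1:3,aaaid2:1,aaaid3,aaaid4:2", "aaaid5:2", max_connections=10))
```

The checks are deliberately strict: a malformed count or a duplicated ID raises instead of being silently corrected, because the resulting WebGate profile would otherwise look valid while pointing at the wrong Access Servers.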
Table 16–6 Additional OIM Integration-Related Parameters and Values
Parameter / Description

configOIMPwdPolicy
Creates the Oracle Identity Manager (OIM) password policy OraOIMDefPasswdPolicy to automate integration with Oracle Access Manager. Additionally, the corresponding authentication scheme used by the policy is enabled to check password policies.
For example, if the policy is used with the default authentication scheme OraDefaultFormAuthnScheme, then the scheme's Validate_Password plug-in is updated to include obReadPasswdMode=LDAP,obWritePasswdMode=LDAP.
Note: Use default values for the password-related parameters in the Identity System Console, prepended with the value specified with OimOhsHostPort.
When configOIMPwdPolicy is used, ensure that you do not have the default OIM password policy created using the tool previously, and do not pass any of the following parameters:

OimOhsHostPort
Required when integrating Oracle Identity Manager (OIM) with Oracle Access Manager and an authenticating WebGate and resource WebGate.
Not required without an authenticating WebGate. In this case, the Oracle Identity Manager (OIM) password policy OraOIMDefPasswdPolicy automates integration with Oracle Access Manager, and the corresponding authentication scheme used by the policy is enabled to check password policies. Default values are used for the password policy-related parameters, with the value in OimOhsHostPort prepended to these. For example:
-OimLostPwdRedirectUrl (Lost Password Redirect URL): OimOHSHostPort/admin/faces/pages/forgotpwd.jspx
-OimPwdRedirectUrl (Password Change Redirect URL): OimOHSHostPort/admin/faces/pages/pwdmgmt.jspx?backUrl=RESOURCE
-OimLockoutRedirectUrl (Account Lockout Redirect URL): OimOHSHostPort/ApplicationLockoutURI
The OimOhsHostPort parameter is applicable only if the -configOimPwdPolicy flag is present.

OimPwdRedirectUrl
Required for configOIMPwdPolicy. Configures the Password Change Redirect URL parameter in Oracle Access Manager.

OimLockoutRedirectUrl
Required for configOIMPwdPolicy. Configures the Custom Account Lockout Redirect URL parameter in Oracle Access Manager.

OimLostPwdRedirectUrl
Required for configOIMPwdPolicy. Configures the Lost Password Redirect URL parameter in Oracle Access Manager.

Note: This is a one-time setup requirement. If the OraOIMDefPasswdPolicy policy already exists, it is not created anew. You must restart the Identity and Access Servers after this operation.
See Example 16–2.
Example 16–2 OIM Integration-Related Parameter Usage
(echo ldapUserPwd; echo appAgentPwd; echo OAMModePwd; echo TestUserPwd) | \
  java -jar oamcfgtool.jar app_domain=app_domain protected_uris=/protUri \
  ldap_host=ldap-host ldap_port=3899 ldap_userdn="cn=Directory Manager" \
  oam_aaa_host=aaa_host oam_aaa_port=7054 oam_aaa_mode=simple \
  ldap_base=o=company,c=us oam_aaa_passphrase=welcome1 \
  authenticating_wg_url=http://myhost.us.myco.com:7777 -configOIMPwdPolicy \
  OimPwdRedirectUrl=http://oimredirectutl.com OimLockoutRedirectUrl=http://oimlockouturl.com \
  OimLostPwdRedirectUrl=http://oimLostpwdurl.com -noprompt
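Example 16–2 feeds the four passwords to OAMCfgTool through standard input (the -noprompt behaviour described under Table 16–7), so they never appear in the command line, and therefore not in the process list or shell history. The following Python wrapper, an added example rather than Oracle code, does the same from a script and refuses two inputs that the known issues in Table 16–9 warn about: a password passed as a command-line parameter, and an empty value such as app_agent_password= that would make the tool take the next argument as the password. The stand-in executable that echoes its stdin, the sample parameters (mirroring Example 16–2) and the sample passwords are constructed for this example.

```python
"""Invoke OAMCfgTool with -noprompt, feeding the four passwords on stdin
(added example, not Oracle code)."""
from __future__ import annotations

import subprocess
import sys

# Order in which OAMCfgTool reads passwords from System.in with -noprompt
# (Table 16-7 / Example 16-2): LDAP user, application agent, OAM mode, test user.
PASSWORD_ORDER = ("ldap_user", "app_agent", "oam_mode", "test_user")

# Stand-in for "java -jar oamcfgtool.jar" so the example runs offline: it simply
# echoes its stdin, which shows exactly what the real tool would receive.
STDIN_ECHO = (sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())")

# Constructed sample parameters, mirroring Example 16-2. No quoting is needed around
# "cn=Directory Manager": the list form of subprocess.run bypasses the shell entirely.
SAMPLE_PARAMS = {
    "app_domain": "app_domain",
    "protected_uris": "/protUri",
    "ldap_host": "ldap-host",
    "ldap_port": "3899",
    "ldap_userdn": "cn=Directory Manager",
    "oam_aaa_host": "aaa_host",
    "oam_aaa_port": "7054",
    "oam_aaa_mode": "simple",
    "ldap_base": "o=company,c=us",
}
SAMPLE_PASSWORDS = {"ldap_user": "ldapUserPwd", "app_agent": "appAgentPwd",
                    "oam_mode": "OAMModePwd", "test_user": "TestUserPwd"}


def build_oamcfgtool_args(params: dict[str, str], flags: tuple[str, ...] = ()) -> list[str]:
    """Turn a parameter mapping into key=value arguments.

    Rejects what Table 16-9 warns about: an empty value (the tool takes whatever follows
    '=' as the value, so 'app_agent_password= web_domain=x' makes ' web_domain=x' the
    password) and any password-like parameter, which belongs on stdin with -noprompt.
    """
    args: list[str] = []
    for key, value in params.items():
        if key.endswith(("password", "passphrase")):
            raise ValueError(f"{key}: pass secrets on stdin with -noprompt, not as an argument")
        if not value or value != value.strip():
            raise ValueError(f"{key}: empty or whitespace-padded value")
        args.append(f"{key}={value}")
    return args + list(flags)


def run_oamcfgtool(params: dict[str, str], passwords: dict[str, str],
                   flags: tuple[str, ...] = (),
                   executable: tuple[str, ...] = ("java", "-jar", "oamcfgtool.jar"),
                   ) -> subprocess.CompletedProcess:
    """Run the tool in -noprompt mode; the passwords reach it only via stdin."""
    missing = [name for name in PASSWORD_ORDER if not passwords.get(name)]
    if missing:
        raise ValueError(f"missing passwords: {missing}")
    cmd = list(executable) + build_oamcfgtool_args(params, flags) + ["-noprompt"]
    stdin_text = "".join(passwords[name] + "\n" for name in PASSWORD_ORDER)
    return subprocess.run(cmd, input=stdin_text, text=True, capture_output=True, check=False)


if __name__ == "__main__":
    result = run_oamcfgtool(SAMPLE_PARAMS, SAMPLE_PASSWORDS,
                            flags=("-configOIMPwdPolicy",), executable=STDIN_ECHO)
    print("argv:", result.args)           # no password in here
    print("stdin received by the tool:", result.stdout.split())
```

To drive the real tool, drop the executable argument so the default java -jar oamcfgtool.jar is used; the four passwords are then read from a secrets store or an interactive prompt rather than hard-coded as in the sample.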
16.3.2.2 Validate Mode Parameters and Values
Master or Delegated Access Administrators can check Oracle Access Manager directly to validate policy domain and WebGate profile setup.
Using OAMCfgTool in VALIDATE mode, you can ensure that the policy domain for single sign-on configuration is correct. In this case, a set of requests is sent automatically to protected resources.
Table 16–7 provides both required and optional OAMCfgTool parameters and values for VALIDATE mode.
Note: You cannot use OAMCfgTool VALIDATE mode to validate AccessGate profile creation.

Table 16–7 OAMCfgTool VALIDATE Mode Parameters and Values
Required Parameters / Values

app_domain
Name of the Oracle Access Manager policy domain that was created to protect the application.

ldap_host
DNS name of the computer hosting the LDAP directory server for Oracle Access Manager.

ldap_port
Port of the LDAP directory server.

ldap_userdn
The valid DN of the LDAP administrative user, entered as a quoted string. In Oracle Access Manager this is known as the Root DN or Bind DN.

ldap_userpassword
Password of the LDAP administrative user. Passwords appear in clear text but are not captured in a log file. See Also: noprompt in this table.

ldap_base
Base from which all LDAP searches are done. In Oracle Access Manager this is known as the search base or configuration base. For example: dc=company,c=us.

oam_aaa_host
DNS name of the computer hosting the Access Server.

oam_aaa_port
Listening port on the Access Server host.

test_username
User name to be used for policy validation.

test_userpassword
User password to be used for policy validation. Passwords appear in clear text but are not captured in a log file. See Also: noprompt in this table.

Optional Parameters / Values

web_domain
Host identifier.

oam_aaa_mode
Transport security mode of the accessible Access Server: OPEN, SIMPLE, or CERT. Default presumes OPEN.

oam_aaa_passphrase
Passphrase required for the SIMPLE transport security mode only. Your entry appears in clear text. However, it is not captured in a log file.

log_file
Name of the OAMCfgTool log file. Output to the screen is the default.

log_level
Level for OAMCfgTool logging: ALL, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, OFF (the default).

noprompt
Enables OAMCfgTool to read passwords from System.in to ensure safe passage. Passwords can be passed from a shell using an echo command and a semicolon as a separator. OAMCfgTool expects four passwords: LDAP user, Application agent, OAM mode and Test user. See Also: noprompt in Table 16–5.

16.3.2.3 Delete Mode Parameters and Values
Using OAMCfgTool in DELETE mode, you can remove the provisioned policies, the web domain, WebGate registration, and authentication scheme.
Table 16–8 provides both required and optional OAMCfgTool parameters and values for DELETE mode.

Table 16–8 OAMCfgTool DELETE Mode Parameters
Required Parameters / Values

ldap_host
DNS name of the computer hosting the LDAP directory server for Oracle Access Manager.

ldap_port
Port of the LDAP directory server.

ldap_userdn
The valid DN of the LDAP administrative user, entered as a quoted string. In Oracle Access Manager this is known as the Root DN or Bind DN.

ldap_userpassword
Password of the LDAP administrative user. Passwords appear in clear text but are not captured in a log file. See Also: -noprompt in Table 16–5.

oam_aaa_host
DNS name of the computer hosting the Access Server.

oam_aaa_port
Listening port on the Access Server host.

Optional Parameters / Values

app_domain
To delete the entire application domain, specify only app_domain with no URI-related parameters.

web_domain
web_domain=existing_host_identifier deletes the host identifier identified by this parameter and the WebGate registration. See Also: Table 16–5.
Table 16–8 Cont. OAMCfgTool DELETE Mode Parameters
Optional Parameters / Values (continued)

protected_uris
URIs for the protected application in a comma-separated list, with or without spaces: /myapp/login, for example. Deletes one or more protected URIs from an application domain. See Also: The uris_file parameter in this table.

public_uris
Deletes one or more public URIs from an application domain. See Also: The uris_file parameter in this table.

uris_file
The full path to a file containing any number of protected or public URIs; eliminates the need to use the protected_uris or public_uris parameters. Ensure that the file uses the following syntax and format. See Also: Table 16–5.

authn_scheme
The name of the authentication scheme to delete: OraDefAuthSchemes, OraDefaultAWGFormAuthNScheme, OraDefaultI18NFormAuthNScheme. To delete all three, specify OraDefAuthSchemes. You can include the following options:

-noconfirm
With this parameter there is no prompt for confirmation before deleting.

noprompt
Enables OAMCfgTool to read passwords from System.in to ensure safe passage. Passwords can be passed from a shell using an echo command and a semicolon as a separator. OAMCfgTool expects four passwords: LDAP user, Application agent, OAM mode and Test user. See Also: Table 16–5.

16.3.3 Sample Policy Domain and AccessGate Profile Created with OAMCfgTool
This topic describes and illustrates the results of running OAMCfgTool when viewed in Oracle Access Manager:
■ My Policy Domains
■ Policy Domain, General Tab
■ Policy Domain, Resources Tab
■ Policy Domain, Authorization Rules Tab
■ Policy Domain, Default Rules Tab
■ Policy Domain, Policies Tab
■ Policy Domain, Delegated Access Admins Tab
■ Host Identifiers
■ AccessGate Profile

My Policy Domains
Name: app_domain value specified with OAMCfgTool.

Policy Domain, General Tab
Figure 16–1 illustrates the General tab in a sample policy domain created with OAMCfgTool. The Description is provided automatically.
Name: app_domain value specified with OAMCfgTool
Description: includes the app_domain value, created by user/hostname ...
Note: For descriptions only, the Java API retrieves the current user from the operating platform and the name of the computer host: user/hostname.
Figure 16–1 Sample OAMCfgTool Policy Domain General Tab

Policy Domain, Resources Tab
Figure 16–2 illustrates the Resources tab in a sample policy domain created with OAMCfgTool. The http resource type is the default. The host identifier and URL prefixes are derived from OAMCfgTool parameters and the values you enter. The Description is provided automatically.
Host Identifier: app_domain value
URL Prefix: protected_uris values
Figure 16–2 Sample OAMCfgTool Policy Domain Resources Tab

Policy Domain, Authorization Rules Tab
Figure 16–3 illustrates the Authorization Rules tab in a sample policy domain created with OAMCfgTool. Details found on sub tabs follow the figure. Authorization rules are automatically configured for the policy domain when you use OAMCfgTool.
Figure 16–3 Sample OAMCfgTool Policy Domain Authorization Rules Tab
Timing Conditions: There are no timing conditions defined. This rule is always valid.
Actions: There are no actions defined.
Allow Access: Role: Anyone
Deny Access: No one is denied access.

Policy Domain, Default Rules Tab
Figure 16–4 illustrates the Default Rules tab in a sample policy domain created with OAMCfgTool. All values are configured automatically for the policy domain; details on sub tabs follow the figure.
Figure 16–4 Sample OAMCfgTool Policy Domain Default Rules Tab
Authentication Rule, General: see Figure 16–4.
Actions: There are no actions defined.
Authorization Expression: Default_Authorization
Duplicate Actions: No policy defined for this Authorization Expression. The Access System level default policy for dealing with duplicate action headers is employed.
Actions:
Authorization Success    Return Type    Name               Attribute
                         HeaderVar      REMOTE_USER        uid
                         HeaderVar      OAM_REMOTE_USER    uid
Policy Domain, Policies Tab
Figure 16–5 illustrates the Policies tab, General sub tab, in a sample policy domain created using parameters and values that you specify with OAMCfgTool. The host identifiers are based on your app_domain value. Details on other sub tabs follow the figure.
Figure 16–5 Sample OAMCfgTool Policy Domain Policies Tab
Authentication Rule, General
Name: Anonymous
Description: Authentication scheme allows un-authenticated access to some URIs
Authentication Scheme: Anonymous Authentication Default
Actions: There are no actions defined.
Authorization Expression: There is no Authorization Expression defined.
Audit Rule: There is no Master Audit Rule defined. If you would like to add an auditing rule to this Policy, please contact your Access System Administrator.
Policy Domain, Delegated Access Admins Tab
Figure 16–6 illustrates the Delegated Access Admins tab in a sample policy domain created using OAMCfgTool. No parameters are specified with the tool to set up delegated rights for Master Web Resource Admins.
Figure 16–6 OAMCfgTool Policy Domain Delegated Access Admins Tab

Host Identifiers
You can find the Host Identifiers created with OAMCfgTool in the Access System Console, under the Access System Configuration tab.
Figure 16–7 illustrates a sample host identifier created using OAMCfgTool. As described here, required parameters are derived from the value entered with the OAMCfgTool app_domain parameter. A Description is provided by OAMCfgTool.
Figure 16–7 Sample OAMCfgTool Host Identifiers
AccessGate Profile
Figure 16–8 illustrates a sample AccessGate profile created using OAMCfgTool when the web_domain parameter is omitted. The profile is in the Access System Console. As described here, required profile parameters are derived from values entered with OAMCfgTool. Other profile parameters use default values. A Description is provided by OAMCfgTool.
Name: app_domain value followed by _AG
Hostname: app_domain value
AccessGate Password: app_agent_password value
Access Management Service: On
Primary HTTP Cookie Domain: cookie_domain value
Preferred HTTP Host: app_domain value
(Figure labels: ASDK Client, Web Server Client)
See Also: Protecting Resources with Policy Domains in the Oracle Access Manager Access Administration Guide.
Figure 16–8 Sample OAMCfgTool AccessGate Profile
16.3.4 Known Issues: JAR Files and OAMCfgTool
Table 16–9 identifies known issues with this release. For more information about the tool, parameters, and values, see Introduction to OAMCfgTool on page 16-15.

Table 16–9 OAMCfgTool Known Issues
Bug Number / Description

na
The location where you obtain Oracle Access Manager Authentication Provider and OAMCfgTool JAR files when you do not have an Oracle Fusion Middleware application installed could change. If the location is different than the one stated in this chapter, see the Release Notes for the latest information.

8362080
OAMCfgTool provides Create, Validate, and Delete modes. It does not provide an Overwrite option.

8362039
OAMCfgTool does not provide explicit options to specify the Web Tier host and port. Instead, without web_domain specified, the app_domain value specifies the WebGate name, host, and Preferred HTTP Host. For example:
■ app_domain=ABC without web_domain specified
■ AccessGate Name: ABC_AG
■ Hostname: ABC
■ Port: Not specified
■ Preferred HTTP Host: ABC

na
With OAMCfgTool, if the web_domain parameter is included in the command line, you must provide a WebGate password. Otherwise, the command can fail.
The app_agent_password parameter accepts as the password whatever follows the equal sign (=). For instance, if you enter app_agent_password= and then enter a space character and web_domain=value, the app_agent_password is presumed to be a space character followed by web_domain.

na
SSL-enabled communication with the directory server is not supported by OAMCfgTool.

16.4 Configuring OAM Identity Assertion for SSO with Oracle Access Manager 10g
This section describes the unique steps needed to configure Oracle Access Manager Identity Assertion for single sign-on.

Prerequisites
Unless explicitly noted for the Authenticator or Oracle Web Services Manager, all tasks described in Installing and Setting Up Authentication Providers for OAM 10g on page 16-1 should be performed, including:
■ Installing Components and Files for Authentication Providers and OAM 10g
Note: If you are implementing:
■ OAM 11g: Provision WebGates and security policies using the remote registration tool as described in Provisioning an OAM Agent with Oracle Access Manager 11g.
■ OAM 10g: Add WebGate profiles and policies with OAMCfgTool as described in the following Task 3.

To configure the Oracle Access Manager Identity Asserter for single sign-on with your application, perform the tasks as described in the following task overview.

Task overview: Deploying and configuring the Oracle Access Manager Identity Asserter for single sign-on includes
1. Ensuring that all prerequisite tasks have been performed
2. Establishing Trust with Oracle WebLogic Server
3. Configuring the Authentication Scheme for the Identity Asserter
4. Configuring Providers in the WebLogic Domain
5. Setting Up the Login Form for the Identity Asserter and OAM 10g
6. Testing Identity Assertion for SSO with OAM 10g
7. Configuring Global Logout for Oracle Access Manager 10g and 10g WebGates
16.4.1 Establishing Trust with Oracle WebLogic Server
The following topics explain the tasks you must perform to set up the application for single sign-on with the Oracle Access Manager Identity Asserter:
■ Setting Up the Application Authentication Method for SSO
■ Confirming mod_weblogic for Oracle Access Manager Identity Asserter
■ Establishing Trust between Oracle WebLogic Server and Other Entities
16.4.1.1 Setting Up the Application Authentication Method for SSO
This topic describes how to create the application authentication method for Oracle Access Manager Identity Assertion.
When you use the Oracle Access Manager Identity Asserter, all web.xml files in the application EAR file must specify CLIENT-CERT in the auth-method element for the appropriate realm.
The auth-method can use the BASIC, FORM, or CLIENT-CERT values. While these look like similar values in Oracle Access Manager, the auth-method specified in web.xml files is used by Oracle WebLogic Server, not by Oracle Access Manager.
Note: This task is the same for both OAM 11g and OAM 10g.

To specify authentication in web.xml for the Identity Asserter and OAM 10g
1. Locate the web.xml file in the application EAR file: your_app/WEB-INF/web.xml
2. Locate the auth-method in login-config and enter CLIENT-CERT:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
3. Save the file.
4. Redeploy and restart the application.
5. Repeat for each web.xml file in the application EAR file.
6. Proceed to Confirming mod_weblogic for Oracle Access Manager Identity Asserter.
Note: You can specify CLIENT-CERT,FORM if you are also planning to access the applications directly over WebLogic and want the WebLogic authentication scheme to be invoked.
See Also: Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server
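Step 5 above asks you to repeat the web.xml change for every module in the EAR, which is easy to miss on a large application. As an added example (not Oracle or WebLogic code), the following Python script automates the check: it opens an EAR, descends into each WAR it contains, reads WEB-INF/web.xml and reports the modules whose auth-method is absent or does not start with CLIENT-CERT (CLIENT-CERT,FORM is accepted, per the Note above). The EAR it scans is constructed in memory with four sample modules; the module names and the acceptance rule are this example's assumptions.

```python
"""Check every web.xml inside an application EAR for the CLIENT-CERT auth-method
(added example, not Oracle or WebLogic code)."""
from __future__ import annotations

import io
import xml.etree.ElementTree as ET
import zipfile


def _auth_method_from_web_xml(data: bytes) -> str | None:
    """Return the text of the first <auth-method> element, or None if there is none."""
    root = ET.fromstring(data)
    for elem in root.iter():                      # match by local name: web.xml may be namespaced
        if elem.tag.split("}")[-1] == "auth-method":
            return (elem.text or "").strip()
    return None


def is_compliant(method: str | None) -> bool:
    """CLIENT-CERT first, optionally followed by FORM (the Note in 16.4.1.1)."""
    if not method:
        return False
    tokens = [t.strip().upper() for t in method.split(",")]
    return tokens[0] == "CLIENT-CERT"


def scan_ear(ear_bytes: bytes) -> dict[str, str | None]:
    """Map each web module's web.xml path to its auth-method (None when missing)."""
    results: dict[str, str | None] = {}
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        for name in ear.namelist():
            if name.endswith("WEB-INF/web.xml"):          # exploded module inside the EAR
                results[name] = _auth_method_from_web_xml(ear.read(name))
            elif name.lower().endswith(".war"):           # packaged module: a zip inside the zip
                with zipfile.ZipFile(io.BytesIO(ear.read(name))) as war:
                    key = f"{name}!/WEB-INF/web.xml"
                    if "WEB-INF/web.xml" in war.namelist():
                        results[key] = _auth_method_from_web_xml(war.read("WEB-INF/web.xml"))
                    else:
                        results[key] = None
    return results


def non_compliant_modules(ear_bytes: bytes) -> list[str]:
    """Modules that still need the CLIENT-CERT change from step 2."""
    return sorted(path for path, method in scan_ear(ear_bytes).items() if not is_compliant(method))


# --- constructed sample EAR (names and contents are illustrative) -------------------

def _web_xml(auth_method: str | None) -> bytes:
    login = f"<login-config><auth-method>{auth_method}</auth-method></login-config>" if auth_method else ""
    return f'<?xml version="1.0"?><web-app xmlns="http://java.sun.com/xml/ns/javaee">{login}</web-app>'.encode()


def _war(auth_method: str | None) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", _web_xml(auth_method))
    return buf.getvalue()


def build_sample_ear() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ear:
        ear.writestr("META-INF/application.xml", b"<application/>")
        ear.writestr("portal.war", _war("CLIENT-CERT"))        # compliant
        ear.writestr("admin.war", _war("CLIENT-CERT,FORM"))    # compliant per the Note
        ear.writestr("legacy.war", _war("FORM"))               # WebLogic FORM auth, not the asserter
        ear.writestr("reports.war", _war(None))                # no login-config at all
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_ear()
    for path, method in scan_ear(sample).items():
        print(f"{'OK ' if is_compliant(method) else 'FIX'} {path}: {method!r}")
    print("modules to fix:", non_compliant_modules(sample))
```

To use it on a real deployment, read the EAR from disk (open(path, "rb").read()) and pass the bytes to non_compliant_modules; an empty list means every module's web.xml carries the auth-method the Identity Asserter expects.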