User Continues Into the Application

Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager

Part II Universal Installation Option

Part II contains the following chapter:

■ Chapter 6, Oracle Adaptive Access Manager Proxy

6 Oracle Adaptive Access Manager Proxy

The Oracle Adaptive Access Manager Universal Installation Option (UIO) reverse proxy deployment option offers login risk-based multifactor authentication to Web applications without requiring any change to the application code. The proxy's main function is to redirect user traffic from the application login flow to the Oracle Adaptive Access Manager login flow. The UIO Proxy is available for the Apache Web server and Microsoft Internet Security and Acceleration (ISA) Server.

In this chapter, the Oracle Adaptive Access Manager Proxy for Apache is referred to as the UIO Apache Proxy, and the Oracle Adaptive Access Manager Proxy for Microsoft ISA is referred to as the UIO ISA Proxy.

This chapter:

■ Explains the use and configuration of the UIO Proxy.
■ Provides instructions for both Microsoft Internet Security and Acceleration (ISA) Server and Apache Web server implementations.

The intended audience is integrators who configure the UIO Proxy to add multifactor authentication to Web applications. An understanding of the HTTP request/response paradigm is required to understand the material presented in this document.

The chapter contains the following sections:

■ Introduction
■ Installing UIO ISA Proxy
■ Installing UIO Apache Proxy
■ Setting Up Rules and User Groups
■ Setting Up Policies
■ Configuring the UIO Proxy
■ Interception Process
■ Configuring Redirection to the Oracle Adaptive Access Manager Server Interface
■ Application Discovery
■ Samples

For information on configuring OAAM Server, the client-facing multifactor authentication Web application specific to the UIO Proxy deployment, refer to Chapter 8, Customizing the OAAM Server.

6.1 Introduction

The Introduction section of this chapter contains the following topics:

■ Important Terms
■ Architecture
■ References

6.1.1 Important Terms

For your reference, important terms are defined in this section.

Microsoft ISA

From the Microsoft Web site: the Internet Security and Acceleration (ISA) Server is the integrated edge security gateway that helps protect IT environments from Internet-based threats while providing users with fast and secure remote access to applications and data.

Universal Installation Option

The Universal Installation Option is the Oracle Adaptive Access Manager integration strategy that does not require any code modification to the protected Web applications. The Universal Installation Option involves placing the UIO Proxy in front of the protected Web applications.

Proxy

A proxy is a server that services the requests of its clients by forwarding requests to other servers. This chapter is concerned with the Web proxy, where the proxy handles Web protocols, mainly HTTP.

Forward Proxy

A forward proxy is an intermediate server that sits between the client and the origin server. To get content from the origin server, the client sends a request to the proxy naming the origin server as the target, and the proxy then requests the content from the origin server and returns it to the client. The client must be specially configured to use the forward proxy to access other sites.

Reverse Proxy

A reverse proxy appears to the client just like an ordinary Web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the namespace of the reverse proxy. The reverse proxy then decides where to send those requests and returns the content as if it were itself the origin. The UIO Proxy running in the Microsoft Internet Security and Acceleration (ISA) Server is an example of a reverse proxy.

OAAM Server

OAAM Server is the Web application component of Oracle Adaptive Access Manager. The UIO Proxy redirects the client browser to OAAM Server for tracking and authentication purposes as defined by the UIO Proxy XML configuration.

6.1.2 Architecture

The following diagrams show a typical UIO Proxy deployment.

The first diagram shows a Web application before the UIO Proxy is deployed to provide multifactor authentication.

Figure 6–1 Before the Oracle Adaptive Access UIO Proxy

The second diagram shows various components added after the UIO Proxy deployment.

Figure 6–2 After UIO Proxy Deployment

The UIO Proxy intercepts the HTTP traffic between the client browser and the server Web application and performs the appropriate actions, such as redirecting the traffic to OAAM Server, to provide multifactor authentication and authorization. OAAM Server, in turn, communicates with OAAM Admin to assess the risk, and then takes the appropriate actions, such as permitting the login, challenging the user, blocking the user, and other actions.

6.1.3 References

For information on installing and configuring the Microsoft ISA server, refer to the relevant Microsoft documentation on Microsoft ISA Server setup. Web publishing rule creation and listener creation are explained further in this document.

For more information about the Apache HTTP Server, refer to the Apache HTTP Server 2.2 documentation at: http://httpd.apache.org/docs/2.2/

6.2 Installing UIO ISA Proxy

The UIO ISA Proxy uses the API provided by Microsoft ISA Server to monitor the HTTP traffic and perform various actions. Refer to the Microsoft ISA Server setup documentation for the details on installing and configuring the ISA server.

For a successful installation of the UIO Proxy, .NET Framework 2.0 or later should be installed. Install all the recommended updates from Microsoft on the machine. Install Microsoft ISA Server 2006 Standard Edition and create Web publishing rules for the Web applications before installing the UIO Proxy.

This section provides:

■ Information on creating Web publishing rules and listeners so that Web applications and OAAM Server can be accessible from the Internet.
  – Section 6.2.1, UIO Proxy Web Publishing Configuration.
■ Instructions on installation and programming information for the UIO ISA Proxy.
  – Section 6.2.2, Registering the UIO ISA Proxy DLL.
  – Section 6.2.3, Settings to Control the UIO Proxy.

6.2.1 UIO Proxy Web Publishing Configuration

The purpose of this section is to explain the creation of Web publishing rules and listeners in Microsoft ISA for Adaptive Access Manager applications. It is intended for integrators who install and configure Microsoft ISA to support multiple Web applications.

6.2.1.1 Web Listener Creation

For details on creating a Web listener, refer to the relevant Microsoft documentation. This section provides an outline.

1. For the Web Listener Name, enter Bharosa Proxy Listener.

2. Select SSL secure connection as the type of connection the Web listener establishes with clients.

3. For the Web Listener IP Addresses, choose external, internal, and local host.

4. Choose a single certificate for the Web Listener and select the certificate.

5. Specify that you do not want authentication for how clients validate their credentials.

6.2.1.2 Web Publishing Rule Creation

In a typical deployment, Web applications and OAAM Server run on machines in an internal network and are not directly accessible from the Internet. In the case of the UIO ISA Proxy, only the UIO Proxy machine, which runs Microsoft ISA Server, is accessible from the Internet.

Publish the following via Web publishing rules in the Microsoft ISA Server:

■ OAAM Server