Oracle Fusion Middleware Online Documentation Library
Oracle® Fusion Middleware
Administrator's Guide for Oracle Access Manager with Oracle
Security Token Service
11g Release 1 (11.1.1)
E15478-06
August 2011
Describes how to manage common settings, agents, single
sign-on policies, and tokens.
Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token
Service 11g Release 1 (11.1.1)
E15478-06
Copyright © 2000, 2011 Oracle and/or its affiliates. All rights reserved.
Primary Author:
Gail Flanegin
Contributing Author:
Damien Carru
Contributor: Patricia Fuzesy, Satish Madawand, Neelima Jadhav, Charles Wesley, Harshal X Shaw, Jeremy
Banford, Rey Ong, Ramana Turlapati, Deepak Ramakrishnan, Vadim Lander, Vamsi Motokuru, David
Goldsmith, Vishal Parashar, Carlos Subi
This software and related documentation are provided under a license agreement containing restrictions on
use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your
license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,
transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse
engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is
prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If
you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it
on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data
delivered to U.S. Government customers are "commercial computer software" or "commercial technical data"
pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As
such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and
license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of
the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software
License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.
This software is developed for general use in a variety of information management applications. It is not
developed or intended for use in any inherently dangerous applications, including applications which may
create a risk of personal injury. If you use this software in dangerous applications, then you shall be
responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use
of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of
this software in dangerous applications.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks
of their respective owners.
This software and documentation may provide access to or information on content, products, and services
from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all
warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and
its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of
third-party content, products, or services.
Contents
Preface .......................................................................................................................................................... xxxvii
What's New ....................................................................................................................................................... xli
Part I Introduction to Oracle Access Manager with Oracle Security Token
Service
1 Oracle Product Introduction
Introduction to Oracle Access Manager............................................................................................... 1-1
Introduction to Oracle Access Manager Architecture .................................................................. 1-2
Introduction to Oracle Access Manager Deployment Types and Installation .......................... 1-3
Comparing Oracle Access Manager 11g, 10g, and OracleAS SSO 10g ...................................... 1-5
Introduction to Oracle Security Token Service ............................................................................... 1-10
Oracle Security Token Service Key Terms and Concepts ......................................................... 1-11
About Oracle Security Token Service with Oracle Access Manager ....................................... 1-14
About Integrated Oracle Web Services Manager ....................................................................... 1-16
About Oracle Security Token Service Architecture ................................................................... 1-18
About Oracle Security Token Service Deployments.................................................................. 1-19
About Installation Options ............................................................................................................ 1-22
About Oracle Security Token Service Administration .............................................................. 1-23
2 Introduction to This Book
Introduction to This Book ......................................................................................................................
Part I: Oracle Product Introduction.......................................................................................................
Part II: Common Tasks ............................................................................................................................
Getting Started with Common Administration and Navigation ................................................
Managing Services, Certificate Validation, and Common Settings............................................
Data Sources........................................................................................................................................
OAM Server Instances and the Console .........................................................................................
Oracle Access Manager Session Management...............................................................................
Part III, Oracle Access Manager Settings.............................................................................................
Access Manager Settings...................................................................................................................
Single Sign-on Agents........................................................................................................................
Part IV, Single Sign-on, Oracle Access Manager Policies, and Testing .........................................
Single Sign-On ....................................................................................................................................
2-1
2-1
2-2
2-2
2-2
2-3
2-4
2-5
2-5
2-5
2-6
2-7
2-7
v
Oracle Access Manager Policy Model and Shared Policy Components .................................... 2-8
Oracle Access Manager Policy Model, Application Domains, and Policies.............................. 2-9
Connectivity and Policy Testing .................................................................................................. 2-10
Centralized Logout for Oracle Access Manager 11g.................................................................. 2-10
Part V: Oracle Security Token Service ............................................................................................... 2-10
Part VI: Common Logging, Auditing, Performance Monitoring ................................................. 2-11
Component Event Message Logging .......................................................................................... 2-11
Webgate Event Message Logging................................................................................................. 2-11
Common Audit Framework ......................................................................................................... 2-11
Performance Metrics in the Oracle Access Manager Console .................................................. 2-12
Performance Metrics in Fusion Middleware Control ................................................................ 2-12
Part VII: Using OAM 10g Webgates with OAM 11g ..................................................................... 2-12
Provisioning OAM 10g Webgates for OAM 11g ........................................................................ 2-13
Configuring 10g Webgates for Apache v2-based Web Servers (OHS and IHS) .................... 2-13
Configuring 10g Webgates for the IIS Web Server .................................................................... 2-13
Configuring 10g Webgates for the ISA Server............................................................................ 2-13
Configuring Lotus Domino for OAM 10g Webgates................................................................. 2-13
Part VIII: Appendixes........................................................................................................................... 2-13
Co-existence: OAM 11g SSO versus OAM 10g SSO with OracleAS SSO 10g ....................... 2-13
Moving OAM 11g From Test (Source) to Production (Target)................................................. 2-14
Integration with Oracle ADF Applications ................................................................................. 2-14
Internationalization and Multibyte Data Support for OAM 10g Webgates ........................... 2-14
Secure Communication and Certificate Management .............................................................. 2-14
Custom WebLogic Scripting Tool Commands for OAM .......................................................... 2-15
OAM 11g for IPv6 Clients .............................................................................................................. 2-15
Creating Deployment-Specific Pages ........................................................................................... 2-15
Troubleshooting .............................................................................................................................. 2-15
Part II Using the Console for Common Tasks
3 Getting Started with Common Administration and Navigation
Prerequisites.............................................................................................................................................. 3-1
Introduction to Administrators ............................................................................................................. 3-2
Logging In to and Signing Out of Oracle Access Manager Console.............................................. 3-3
Logging In to the Oracle Access Manager Console ...................................................................... 3-3
Signing Out of Oracle Access Manager Console ........................................................................... 3-4
Introduction to the Oracle Access Manager Console and Controls ............................................... 3-4
Console Layout and Controls........................................................................................................... 3-5
Elements on a Page ......................................................................................................................... 3-12
Selecting Controls in the Console ................................................................................................. 3-13
Introduction to Policy Configuration and System Configuration Tabs ..................................... 3-14
About the System Configuration Tab .......................................................................................... 3-14
About the Policy Configuration Tab ............................................................................................ 3-15
Viewing Configuration Details in the Console............................................................................... 3-17
Conducting Searches Using the Console.......................................................................................... 3-17
Conducting Policy Element Searches Using the Console ......................................................... 3-18
Refining Searches for System Configuration Elements ............................................................. 3-19
vi
Using Online Help ................................................................................................................................ 3-22
Command-Line Tools ........................................................................................................................... 3-22
Logging, Auditing, Monitoring Performance.................................................................................. 3-23
4 Managing Services, Certificate Validation, and Common Settings
Prerequisites..............................................................................................................................................
Introduction to Common Configuration Elements ...........................................................................
Enabling or Disabling Available Services...........................................................................................
Managing the Common Settings...........................................................................................................
About Common Settings Pages........................................................................................................
Managing Common Settings ...........................................................................................................
Viewing Common Coherence Settings ...........................................................................................
Managing Global Certificate Validation and Revocation ................................................................
About Certificate Validation and Revocation Lists.......................................................................
Managing Certificate Revocation Lists (CLRs) ..............................................................................
Managing Certificate Validation .....................................................................................................
Configuring CDP ...............................................................................................................................
4-1
4-1
4-2
4-3
4-3
4-4
4-5
4-6
4-6
4-7
4-8
4-8
5 Managing Common Data Sources
Prerequisites.............................................................................................................................................. 5-1
Introduction to Managing Common Data Sources ........................................................................... 5-1
About User Identity Stores ............................................................................................................... 5-2
About the Policy and Session Database Store................................................................................ 5-4
About the Oracle Access Manager Configuration Data File........................................................ 5-5
About Oracle Access Manager Security Keys and the Embedded Java Keystore.................... 5-5
About Oracle Security Token Service Keystores .......................................................................... 5-6
Managing User Identity Stores ............................................................................................................. 5-7
About the User Identity Store Registration Page .......................................................................... 5-7
Registering a New User Identity Store ........................................................................................ 5-10
Viewing or Editing a User Identity Store Registration.............................................................. 5-11
Deleting a User Identity Store Registration................................................................................. 5-12
Setting the Default Store and System Store..................................................................................... 5-12
About Setting the Default Store and System Store..................................................................... 5-12
Defining a Default Store and System Store ................................................................................. 5-13
Managing the Administrators Role ................................................................................................... 5-14
About Managing the Administrator Role.................................................................................... 5-14
Managing Administrator Roles..................................................................................................... 5-15
Managing the Policy Database by Using the Console ................................................................... 5-16
About Database Deployment for Oracle Access Manager........................................................ 5-17
Configuring a Separate Database for Session Data.................................................................... 5-17
6 Managing Common OAM Server Registration
Prerequisites..............................................................................................................................................
Introduction to OAM Server Registration and Management..........................................................
About Server Side Differences Between OAM 11g and OAM 10g .............................................
About Individual OAM Server Registrations ...............................................................................
6-1
6-1
6-2
6-2
vii
About the Embedded Proxy Server and Backward Compatibility............................................. 6-3
About OAM 11g SSO and Legacy OAM 10g SSO in Combination with OSSO........................ 6-3
About Communication Between OAM Servers and Webgates .................................................. 6-4
Managing Individual OAM Server Registrations ............................................................................ 6-4
About the OAM Server Registration Page .................................................................................... 6-5
Registering a Fresh OAM Server Instance...................................................................................... 6-8
Viewing or Editing Individual OAM Server and Proxy Settings .............................................. 6-9
Deleting an Individual Server Registration................................................................................. 6-10
7 Managing Sessions
Prerequisites.............................................................................................................................................. 7-1
Introduction to User Sessions and Session Management ................................................................ 7-1
About the User Session Lifecycle .................................................................................................... 7-3
Oracle Coherence and Session Management ................................................................................. 7-4
Configuring User Session Lifecycle Settings ..................................................................................... 7-6
About Common Session Lifecycle Setting Page ............................................................................ 7-6
Viewing or Modifying Common Session Lifecycle Settings........................................................ 7-7
Managing Active User Sessions ............................................................................................................ 7-8
About the Session Management Page ............................................................................................. 7-8
Managing Active User Sessions .................................................................................................... 7-11
Verifying Session Management Operations .................................................................................... 7-12
Security.................................................................................................................................................... 7-14
Secure HTTPS Protocol .................................................................................................................. 7-14
Coherence ......................................................................................................................................... 7-14
Database Persistence....................................................................................................................... 7-14
Part III
Oracle Access Manager Settings Management
8 Configuring Access Manager Settings
Prerequisites.............................................................................................................................................. 8-1
Introduction to Access Manager Settings ............................................................................................ 8-1
Managing Access Manager Load Balancing and Secure Error Modes........................................... 8-2
About Access Manager Load Balancing Settings and Secure Error Modes .............................. 8-2
Managing OAM Server Load Balancing and Secure Error Modes............................................. 8-4
Managing SSO Tokens and IP Validation........................................................................................... 8-4
About Access Manager SSO Tokens and IP Validation Settings ................................................ 8-4
Managing SSO Tokens and IP Validation ...................................................................................... 8-5
Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security ....................... 8-5
About Simple and Cert Mode Transport Security ........................................................................ 8-6
About the Common OAM Proxy Page for Secure Server Communications............................. 8-7
Viewing or Editing Simple or Cert Settings for OAM Proxy ...................................................... 8-7
Managing Run Time Policy Evaluation Caches ................................................................................. 8-8
About Run Time Policy Evaluation Caches ................................................................................... 8-8
Managing Run Time Policy Evaluation Caches ............................................................................ 8-9
Managing Authentication Modules .................................................................................................. 8-10
About Default Authentication Modules and Pages ................................................................... 8-10
viii
Creating a New Authentication Module of an Existing Type ..................................................
Viewing or Editing Authentication Modules..............................................................................
Deleting an Authentication Module.............................................................................................
Creating Custom Authentication Modules ......................................................................................
About Creating Custom Authentication Modules .....................................................................
About the Custom Authentication Module Plug-ins.................................................................
Creating a Custom Authentication Module................................................................................
8-13
8-14
8-15
8-15
8-15
8-18
8-24
9 Registering Partners (Agents and Applications) by Using the Console
Prerequisites.............................................................................................................................................. 9-1
Introduction to Policy Enforcement Agents........................................................................................ 9-1
About Policy-Enforcement Agents .................................................................................................. 9-2
About the Pre-Registered IAMSuiteAgent .................................................................................... 9-4
About Registering Partners (Agents and Applications)............................................................... 9-8
About File System Changes and Artifacts for Registered Agents .............................................. 9-9
Registering and Managing OAM Agents Using the Console ...................................................... 9-10
About Creating and Editing Webgate Registration .................................................................. 9-11
About User-Defined Webgate Parameters .................................................................................. 9-21
About IP Address Validation for Webgates................................................................................ 9-25
Searching for an OAM Agent Registration ................................................................................. 9-25
Registering a Webgate or Programmatic Access Client ............................................................ 9-27
Viewing or Editing an OAM Agent Registration ....................................................................... 9-28
Deleting Webgate Registration ..................................................................................................... 9-30
Tuning 10g and 11g Webgate Caches ................................................................................................. 9-31
Introducing Webgate Caches ........................................................................................................ 9-31
Reducing Network Traffic Between Components ..................................................................... 9-34
Changing the Webgate Polling Frequency.................................................................................. 9-34
Registering and Managing OSSO Agents Using the Console ..................................................... 9-35
About OSSO Agents and the OSSO Proxy .................................................................................. 9-35
About the Create OSSO Agent Page ............................................................................................ 9-35
Refining the Search for an OSSO Agent (mod_osso) Registration ......................................... 9-37
Registering an OSSO Agent (mod_osso) .................................................................................... 9-38
Viewing or Editing OSSO Agent (mod_osso) Registration ...................................................... 9-39
Deleting an OSSO Agent (mod_osso) Registration.................................................................... 9-40
10 Registering Partners (Agents and Applications) Remotely
Prerequisites...........................................................................................................................................
Introduction to Remote Partner Registration ..................................................................................
About In-Band Remote Registration ...........................................................................................
About Out-of-Band Remote Registration ...................................................................................
About Key Use, Generation, Provisioning, and Storage ...........................................................
About the Remote Registration Tool............................................................................................
About Remote Registration Request Files ..................................................................................
About Out-of-Band Registration Responses .............................................................................
Acquiring and Setting Up the Registration Tool .........................................................................
Creating the Registration Request ...................................................................................................
10-1
10-1
10-2
10-3
10-4
10-6
10-9
10-22
10-22
10-23
ix
Performing In-Band Remote Registration .....................................................................................
Performing Out-of-Band Remote Registration ............................................................................
Validating Remote Registration and Resource Protection ..........................................................
Validating Remote Registration ..................................................................................................
Validating Authentication, Resource Protection, and Access After Remote Registration
Introducing Remote Management Modes......................................................................................
About Remote Agent Management Modes...............................................................................
About Remote Application Domain Management Modes .....................................................
Managing Agents Remotely .............................................................................................................
Performing Remote Agent Updates ...........................................................................................
Performing Remote Agent Validation .......................................................................................
Performing Remote Agent Removal ..........................................................................................
Creating or Updating an Application Domain Without an Agent ............................................
10-24
10-25
10-26
10-26
10-27
10-29
10-29
10-32
10-40
10-40
10-41
10-41
10-42
Part IV Managing Oracle Access Manager SSO, Policies, and Testing
11 Introduction to the OAM Policy Model, Single Sign-On
Prerequisites...........................................................................................................................................
Comparing the OAM 11g Policy Model and OAM 10g Model ....................................................
Introduction to the OAM 11g Policy Model ....................................................................................
About Resource Types....................................................................................................................
About Host Identifiers....................................................................................................................
About Authentication, Schemes, and Modules ..........................................................................
About Application Domains and Policies ...................................................................................
About Resources and Resource Definitions ................................................................................
About Authentication Policies, Responses, and Resources .....................................................
About Authorization Policies, Resources, Constraints, and Responses .................................
Introduction to Configuring OAM Single Sign-On.....................................................................
Introduction to SSO Components....................................................................................................
About Single Sign-On Components ...........................................................................................
About Single Sign-On Cookies During User Login .................................................................
About Single Sign-On Cookies....................................................................................................
Introduction to OAM 11g Single Sign-On Implementation Types ...........................................
Application SSO ............................................................................................................................
Single Sign-On with OAM 11g....................................................................................................
Cross-Network Domains and Oracle Access Manager 11g ....................................................
Introduction to OAM 11g SSO Processing .....................................................................................
About SSO Log In Processing......................................................................................................
About SSO Log In Processing with OAM Agents....................................................................
About SSO Login Log In Processing with OSSO Agents (mod_osso) ..................................
About Single Sign-On Processing with Mixed Release Agents..............................................
11-1
11-1
11-3
11-5
11-5
11-6
11-7
11-8
11-8
11-9
11-10
11-11
11-11
11-13
11-14
11-16
11-17
11-17
11-19
11-19
11-19
11-20
11-22
11-24
12 Managing Policy Components
Prerequisites........................................................................................................................................... 12-1
Introduction to Managing Policy Components .............................................................................. 12-1
Managing Resource Types................................................................................................................... 12-2
x
About Resource Types and Their Use..........................................................................................
About the Resource Type Page .....................................................................................................
Searching for a Specific Resource Type .......................................................................................
Managing Host Identifiers ..................................................................................................................
About Host Identifiers....................................................................................................................
About Virtual Web Hosting ..........................................................................................................
About the Host Identifier Page ...................................................................................................
Creating a Host Identifier ............................................................................................................
Searching for a Host Identifier Definition .................................................................................
Viewing or Editing a Host Identifier Definition.......................................................................
Deleting a Host Identifier Definition..........................................................................................
Managing Authentication Schemes.................................................................................................
About the Authentication Schemes Page ..................................................................................
Creating an Authentication Scheme...........................................................................................
Searching for a Authentication Scheme .....................................................................................
Viewing or Editing a Authentication Scheme...........................................................................
Deleting an Authentication Scheme ...........................................................................................
Configuring Challenge Parameters for Encrypted Cookies .......................................................
About ssoCookie Challenge Parameters for Encrypted Cookies...........................................
Configuring Challenge Parameters for Encrypted Cookie Security......................................
Setting Challenge Parameters for Encrypted Cookie Persistence..........................................
12-2
12-3
12-4
12-5
12-5
12-7
12-11
12-12
12-13
12-13
12-14
12-15
12-15
12-26
12-27
12-28
12-28
12-29
12-29
12-30
12-30
13 Managing Policies to Protect Resources and Enable SSO
Prerequisites...........................................................................................................................................
Introduction to Application Domain Creation................................................................................
About Automatic Application Domain Creation .......................................................................
About Manually Creating Application Domains .......................................................................
Anatomy of an Application Domain and Policies ..........................................................................
Application Domain General Details ...........................................................................................
Default Resources in a Generated Application Domain ...........................................................
Default Authentication Policies in a Generated Application Domain ....................................
Default Authorization Policies in a Generated Application Domain......................................
About Token Issuance Policies......................................................................................................
Managing Application Domains using the Console......................................................................
About the Application Domains Page .........................................................................................
Creating a Fresh Application Domain Manually .......................................................................
Searching for an Application Domain..........................................................................................
Viewing or Editing an Application Domain .............................................................................
Deleting an Application Domain and Its Content....................................................................
Adding and Managing Resource Definitions for Use in Policies .............................................
About the Resource Definition Page in an Application Domain ...........................................
Adding Resource Definitions to an Application Domain .......................................................
Searching for a Resource Definition ...........................................................................................
Viewing or Editing a Resource Definition in an Application Domain..................................
Deleting a Resource Definition from an Application Domain ...............................................
Defining Authentication Policies for Specific Resources ...........................................................
About the Authentication Policy Page.......................................................................................
13-1
13-2
13-2
13-2
13-3
13-4
13-5
13-5
13-6
13-7
13-7
13-7
13-8
13-9
13-10
13-10
13-11
13-11
13-18
13-19
13-21
13-22
13-22
13-23
xi
Adding an Authentication Policy and Resources ....................................................................
Searching for an Authentication Policy .....................................................................................
Viewing or Editing an Authentication Policy ...........................................................................
Deleting an Authentication Policy..............................................................................................
Defining Authorization Policies for Specific Resources.............................................................
About Authorization Policies for Specific Resources ..............................................................
Adding an Authorization Policy and Specific Resources .......................................................
Searching for an Authorization Policy ......................................................................................
Viewing or Editing an Authorization Policy and Resources..................................................
Deleting an Authorization Policy ..............................................................................................
Introduction to Policy Responses for SSO .....................................................................................
About Authentication and Authorization Policy Responses for SSO ...................................
About the Policy Response Language........................................................................................
About the Namespace and Variable Names for Policy Responses........................................
About Constructing a Policy Response for SSO .......................................................................
About Policy Response Processing.............................................................................................
Adding and Managing Policy Responses for SSO .......................................................................
Adding a Policy Response for SSO.............................................................................................
Viewing, Editing, or Deleting a Policy Response for SSO.......................................................
Introduction to Authorization Constraints ....................................................................................
About Allow or Deny Type Constraints....................................................................................
About Classifying Users and Groups for Constraints .............................................................
Guidelines for Authorization Responses Based on Constraints ............................................
About Constraints and General Authorization Policy Details ...............................................
About the Add Constraint Window...........................................................................................
About Identity Class Constraints................................................................................................
About IP4Range Class Constraints.............................................................................................
About Temporal Class Constraints ............................................................................................
Defining Authorization Policy Constraints ...................................................................................
Defining Identity Class Constraints ...........................................................................................
Defining IP4Range Class Constraints ........................................................................................
Defining Temporal Class Constraints ........................................................................................
Viewing, Editing, or Deleting Authorization Policy Constraints ..........................................
Validating Authentication and Authorization in an Application Domain..............................
Example: Pre-seeded IAM Suite Application Domain and Policies .........................................
13-24
13-25
13-26
13-27
13-27
13-28
13-29
13-30
13-30
13-31
13-32
13-32
13-33
13-34
13-35
13-36
13-37
13-37
13-38
13-39
13-40
13-40
13-41
13-41
13-42
13-43
13-45
13-45
13-46
13-46
13-47
13-48
13-49
13-50
13-51
14 Validating Connectivity and Policies Using the Access Tester
Prerequisites...........................................................................................................................................
Introduction to the OAM 11g Access Tester.....................................................................................
About OAM Agent and Server Interoperability.........................................................................
About Access Tester Security and Processing ............................................................................
About Access Tester Modes and Administrator Interactions ..................................................
Installing and Starting the Access Tester..........................................................................................
Installing the Access Tester............................................................................................................
About Access Tester Supported System Properties ...................................................................
Starting the Tester Without System Properties For Use in Tester Console Mode ...............
Starting the Access Tester with System Properties For Use in Command Line Mode .......
xii
14-1
14-1
14-3
14-4
14-5
14-8
14-8
14-9
14-10
14-11
Introduction to the Access Tester Console and Navigation ........................................................
Access Tester Menus and Command Buttons ..........................................................................
Testing Connectivity and Policies from the Access Tester Console ..........................................
Establishing a Connection Between the Access Tester and the OAM Server ......................
Validating Resource Protection from the Access Tester Console ..........................................
Testing User Authentication from the Access Tester Console ...............................................
Testing User Authorization from the Access Tester Console .................................................
Observing Request Latency .........................................................................................................
Creating and Managing Test Cases and Scripts ............................................................................
About Test Cases and Test Scripts..............................................................................................
Capturing Test Cases ....................................................................................................................
Generating an Input Test Script ..................................................................................................
Personalizing an Input Test Script..............................................................................................
Executing a Test Script ................................................................................................................
Evaluating Scripts, Log File, and Statistics ...................................................................................
About Evaluating Test Results ....................................................................................................
About the Saved Connection Configuration File .....................................................................
About the Generated Input Test Script .....................................................................................
About the Target Output File Containing Test Run Results ..................................................
About the Statistics Document....................................................................................................
About the Execution Log .............................................................................................................
14-12
14-13
14-15
14-16
14-18
14-20
14-22
14-23
14-24
14-24
14-25
14-26
14-27
14-28
14-31
14-31
14-32
14-33
14-34
14-36
14-38
15 Configuring Centralized Logout for OAM 11g
Prerequisites...........................................................................................................................................
Introduction to OAM 11g Centralized Logout ...............................................................................
About Centralized Logout with OAM 11g Agents and Servers ..............................................
About Centralized Logout with OAM 10g Agents and OAM 11g Servers ............................
About Centralized Logout with the IAMSuiteAgent ................................................................
About Centralized Logout with OSSO Agents (mod_OSSO) and OAM 11g ........................
About Centralized Logout for Applications Using Oracle ADF Security ..............................
Configuring Centralized Logout for 11g Webgate with OAM 11g Server .................................
About Configuring Centralized Logout for 11g Webgates.......................................................
Configuring Centralized Logout for 11g Webgates ...................................................................
Configuring Centralized Logout for the IAMSuiteAgent.............................................................
Configuring Centralized Logout for 10g Webgate with OAM 11g Servers ...............................
About Centralized Logout Processing for 10g Webgate with OAM 11g Server ...................
About the Centralized Logout Script for OAM 10g Agents with OAM 11g Servers............
Configuring Centralized Logout for 10g Webgates with OAM 11g......................................
Configuring Centralized Logout for Oracle ADF-Coded Applications ...................................
About Centralized Logout Processing for Applications Coded to Oracle ADF Standards
Configuring Centralized Logout for ADF-Coded Applications with OAM 11g.................
Removing Custom mod
Administrator's Guide for Oracle Access Manager with Oracle
Security Token Service
11g Release 1 (11.1.1)
E15478-06
August 2011
Describes how to manage common settings, agents, single
sign-on policies, and tokens.
Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token
Service 11g Release 1 (11.1.1)
E15478-06
Copyright © 2000, 2011 Oracle and/or its affiliates. All rights reserved.
Primary Author:
Gail Flanegin
Contributing Author:
Damien Carru
Contributor: Patricia Fuzesy, Satish Madawand, Neelima Jadhav, Charles Wesley, Harshal X Shaw, Jeremy
Banford, Rey Ong, Ramana Turlapati, Deepak Ramakrishnan, Vadim Lander, Vamsi Motokuru, David
Goldsmith, Vishal Parashar, Carlos Subi
This software and related documentation are provided under a license agreement containing restrictions on
use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your
license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,
transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse
engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is
prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If
you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it
on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data
delivered to U.S. Government customers are "commercial computer software" or "commercial technical data"
pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As
such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and
license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of
the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software
License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.
This software is developed for general use in a variety of information management applications. It is not
developed or intended for use in any inherently dangerous applications, including applications which may
create a risk of personal injury. If you use this software in dangerous applications, then you shall be
responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use
of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of
this software in dangerous applications.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks
of their respective owners.
This software and documentation may provide access to or information on content, products, and services
from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all
warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and
its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of
third-party content, products, or services.
Contents
Preface .......................................................................................................................................................... xxxvii
What's New ....................................................................................................................................................... xli
Part I Introduction to Oracle Access Manager with Oracle Security Token
Service
1 Oracle Product Introduction
Introduction to Oracle Access Manager............................................................................................... 1-1
Introduction to Oracle Access Manager Architecture .................................................................. 1-2
Introduction to Oracle Access Manager Deployment Types and Installation .......................... 1-3
Comparing Oracle Access Manager 11g, 10g, and OracleAS SSO 10g ...................................... 1-5
Introduction to Oracle Security Token Service ............................................................................... 1-10
Oracle Security Token Service Key Terms and Concepts ......................................................... 1-11
About Oracle Security Token Service with Oracle Access Manager ....................................... 1-14
About Integrated Oracle Web Services Manager ....................................................................... 1-16
About Oracle Security Token Service Architecture ................................................................... 1-18
About Oracle Security Token Service Deployments.................................................................. 1-19
About Installation Options ............................................................................................................ 1-22
About Oracle Security Token Service Administration .............................................................. 1-23
2 Introduction to This Book
Introduction to This Book ......................................................................................................................
Part I: Oracle Product Introduction.......................................................................................................
Part II: Common Tasks ............................................................................................................................
Getting Started with Common Administration and Navigation ................................................
Managing Services, Certificate Validation, and Common Settings............................................
Data Sources........................................................................................................................................
OAM Server Instances and the Console .........................................................................................
Oracle Access Manager Session Management...............................................................................
Part III, Oracle Access Manager Settings.............................................................................................
Access Manager Settings...................................................................................................................
Single Sign-on Agents........................................................................................................................
Part IV, Single Sign-on, Oracle Access Manager Policies, and Testing .........................................
Single Sign-On ....................................................................................................................................
2-1
2-1
2-2
2-2
2-2
2-3
2-4
2-5
2-5
2-5
2-6
2-7
2-7
v
Oracle Access Manager Policy Model and Shared Policy Components .................................... 2-8
Oracle Access Manager Policy Model, Application Domains, and Policies.............................. 2-9
Connectivity and Policy Testing .................................................................................................. 2-10
Centralized Logout for Oracle Access Manager 11g.................................................................. 2-10
Part V: Oracle Security Token Service ............................................................................................... 2-10
Part VI: Common Logging, Auditing, Performance Monitoring ................................................. 2-11
Component Event Message Logging .......................................................................................... 2-11
Webgate Event Message Logging................................................................................................. 2-11
Common Audit Framework ......................................................................................................... 2-11
Performance Metrics in the Oracle Access Manager Console .................................................. 2-12
Performance Metrics in Fusion Middleware Control ................................................................ 2-12
Part VII: Using OAM 10g Webgates with OAM 11g ..................................................................... 2-12
Provisioning OAM 10g Webgates for OAM 11g ........................................................................ 2-13
Configuring 10g Webgates for Apache v2-based Web Servers (OHS and IHS) .................... 2-13
Configuring 10g Webgates for the IIS Web Server .................................................................... 2-13
Configuring 10g Webgates for the ISA Server............................................................................ 2-13
Configuring Lotus Domino for OAM 10g Webgates................................................................. 2-13
Part VIII: Appendixes........................................................................................................................... 2-13
Co-existence: OAM 11g SSO versus OAM 10g SSO with OracleAS SSO 10g ....................... 2-13
Moving OAM 11g From Test (Source) to Production (Target)................................................. 2-14
Integration with Oracle ADF Applications ................................................................................. 2-14
Internationalization and Multibyte Data Support for OAM 10g Webgates ........................... 2-14
Secure Communication and Certificate Management .............................................................. 2-14
Custom WebLogic Scripting Tool Commands for OAM .......................................................... 2-15
OAM 11g for IPv6 Clients .............................................................................................................. 2-15
Creating Deployment-Specific Pages ........................................................................................... 2-15
Troubleshooting .............................................................................................................................. 2-15
Part II Using the Console for Common Tasks
3 Getting Started with Common Administration and Navigation
Prerequisites.............................................................................................................................................. 3-1
Introduction to Administrators ............................................................................................................. 3-2
Logging In to and Signing Out of Oracle Access Manager Console.............................................. 3-3
Logging In to the Oracle Access Manager Console ...................................................................... 3-3
Signing Out of Oracle Access Manager Console ........................................................................... 3-4
Introduction to the Oracle Access Manager Console and Controls ............................................... 3-4
Console Layout and Controls........................................................................................................... 3-5
Elements on a Page ......................................................................................................................... 3-12
Selecting Controls in the Console ................................................................................................. 3-13
Introduction to Policy Configuration and System Configuration Tabs ..................................... 3-14
About the System Configuration Tab .......................................................................................... 3-14
About the Policy Configuration Tab ............................................................................................ 3-15
Viewing Configuration Details in the Console............................................................................... 3-17
Conducting Searches Using the Console.......................................................................................... 3-17
Conducting Policy Element Searches Using the Console ......................................................... 3-18
Refining Searches for System Configuration Elements ............................................................. 3-19
vi
Using Online Help ................................................................................................................................ 3-22
Command-Line Tools ........................................................................................................................... 3-22
Logging, Auditing, Monitoring Performance.................................................................................. 3-23
4 Managing Services, Certificate Validation, and Common Settings
Prerequisites..............................................................................................................................................
Introduction to Common Configuration Elements ...........................................................................
Enabling or Disabling Available Services...........................................................................................
Managing the Common Settings...........................................................................................................
About Common Settings Pages........................................................................................................
Managing Common Settings ...........................................................................................................
Viewing Common Coherence Settings ...........................................................................................
Managing Global Certificate Validation and Revocation ................................................................
About Certificate Validation and Revocation Lists.......................................................................
Managing Certificate Revocation Lists (CLRs) ..............................................................................
Managing Certificate Validation .....................................................................................................
Configuring CDP ...............................................................................................................................
4-1
4-1
4-2
4-3
4-3
4-4
4-5
4-6
4-6
4-7
4-8
4-8
5 Managing Common Data Sources
Prerequisites.............................................................................................................................................. 5-1
Introduction to Managing Common Data Sources ........................................................................... 5-1
About User Identity Stores ............................................................................................................... 5-2
About the Policy and Session Database Store................................................................................ 5-4
About the Oracle Access Manager Configuration Data File........................................................ 5-5
About Oracle Access Manager Security Keys and the Embedded Java Keystore.................... 5-5
About Oracle Security Token Service Keystores .......................................................................... 5-6
Managing User Identity Stores ............................................................................................................. 5-7
About the User Identity Store Registration Page .......................................................................... 5-7
Registering a New User Identity Store ........................................................................................ 5-10
Viewing or Editing a User Identity Store Registration.............................................................. 5-11
Deleting a User Identity Store Registration................................................................................. 5-12
Setting the Default Store and System Store..................................................................................... 5-12
About Setting the Default Store and System Store..................................................................... 5-12
Defining a Default Store and System Store ................................................................................. 5-13
Managing the Administrators Role ................................................................................................... 5-14
About Managing the Administrator Role.................................................................................... 5-14
Managing Administrator Roles..................................................................................................... 5-15
Managing the Policy Database by Using the Console ................................................................... 5-16
About Database Deployment for Oracle Access Manager........................................................ 5-17
Configuring a Separate Database for Session Data.................................................................... 5-17
6 Managing Common OAM Server Registration
Prerequisites..............................................................................................................................................
Introduction to OAM Server Registration and Management..........................................................
About Server Side Differences Between OAM 11g and OAM 10g .............................................
About Individual OAM Server Registrations ...............................................................................
6-1
6-1
6-2
6-2
vii
About the Embedded Proxy Server and Backward Compatibility............................................. 6-3
About OAM 11g SSO and Legacy OAM 10g SSO in Combination with OSSO........................ 6-3
About Communication Between OAM Servers and Webgates .................................................. 6-4
Managing Individual OAM Server Registrations ............................................................................ 6-4
About the OAM Server Registration Page .................................................................................... 6-5
Registering a Fresh OAM Server Instance...................................................................................... 6-8
Viewing or Editing Individual OAM Server and Proxy Settings .............................................. 6-9
Deleting an Individual Server Registration................................................................................. 6-10
7 Managing Sessions
Prerequisites.............................................................................................................................................. 7-1
Introduction to User Sessions and Session Management ................................................................ 7-1
About the User Session Lifecycle .................................................................................................... 7-3
Oracle Coherence and Session Management ................................................................................. 7-4
Configuring User Session Lifecycle Settings ..................................................................................... 7-6
About Common Session Lifecycle Setting Page ............................................................................ 7-6
Viewing or Modifying Common Session Lifecycle Settings........................................................ 7-7
Managing Active User Sessions ............................................................................................................ 7-8
About the Session Management Page ............................................................................................. 7-8
Managing Active User Sessions .................................................................................................... 7-11
Verifying Session Management Operations .................................................................................... 7-12
Security.................................................................................................................................................... 7-14
Secure HTTPS Protocol .................................................................................................................. 7-14
Coherence ......................................................................................................................................... 7-14
Database Persistence....................................................................................................................... 7-14
Part III
Oracle Access Manager Settings Management
8 Configuring Access Manager Settings
Prerequisites.............................................................................................................................................. 8-1
Introduction to Access Manager Settings ............................................................................................ 8-1
Managing Access Manager Load Balancing and Secure Error Modes........................................... 8-2
About Access Manager Load Balancing Settings and Secure Error Modes .............................. 8-2
Managing OAM Server Load Balancing and Secure Error Modes............................................. 8-4
Managing SSO Tokens and IP Validation........................................................................................... 8-4
About Access Manager SSO Tokens and IP Validation Settings ................................................ 8-4
Managing SSO Tokens and IP Validation ...................................................................................... 8-5
Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security ....................... 8-5
About Simple and Cert Mode Transport Security ........................................................................ 8-6
About the Common OAM Proxy Page for Secure Server Communications............................. 8-7
Viewing or Editing Simple or Cert Settings for OAM Proxy ...................................................... 8-7
Managing Run Time Policy Evaluation Caches ................................................................................. 8-8
About Run Time Policy Evaluation Caches ................................................................................... 8-8
Managing Run Time Policy Evaluation Caches ............................................................................ 8-9
Managing Authentication Modules .................................................................................................. 8-10
About Default Authentication Modules and Pages ................................................................... 8-10
viii
Creating a New Authentication Module of an Existing Type ..................................................
Viewing or Editing Authentication Modules..............................................................................
Deleting an Authentication Module.............................................................................................
Creating Custom Authentication Modules ......................................................................................
About Creating Custom Authentication Modules .....................................................................
About the Custom Authentication Module Plug-ins.................................................................
Creating a Custom Authentication Module................................................................................
8-13
8-14
8-15
8-15
8-15
8-18
8-24
9 Registering Partners (Agents and Applications) by Using the Console
Prerequisites.............................................................................................................................................. 9-1
Introduction to Policy Enforcement Agents........................................................................................ 9-1
About Policy-Enforcement Agents .................................................................................................. 9-2
About the Pre-Registered IAMSuiteAgent .................................................................................... 9-4
About Registering Partners (Agents and Applications)............................................................... 9-8
About File System Changes and Artifacts for Registered Agents .............................................. 9-9
Registering and Managing OAM Agents Using the Console ...................................................... 9-10
About Creating and Editing Webgate Registration .................................................................. 9-11
About User-Defined Webgate Parameters .................................................................................. 9-21
About IP Address Validation for Webgates................................................................................ 9-25
Searching for an OAM Agent Registration ................................................................................. 9-25
Registering a Webgate or Programmatic Access Client ............................................................ 9-27
Viewing or Editing an OAM Agent Registration ....................................................................... 9-28
Deleting Webgate Registration ..................................................................................................... 9-30
Tuning 10g and 11g Webgate Caches ................................................................................................. 9-31
Introducing Webgate Caches ........................................................................................................ 9-31
Reducing Network Traffic Between Components ..................................................................... 9-34
Changing the Webgate Polling Frequency.................................................................................. 9-34
Registering and Managing OSSO Agents Using the Console ..................................................... 9-35
About OSSO Agents and the OSSO Proxy .................................................................................. 9-35
About the Create OSSO Agent Page ............................................................................................ 9-35
Refining the Search for an OSSO Agent (mod_osso) Registration ......................................... 9-37
Registering an OSSO Agent (mod_osso) .................................................................................... 9-38
Viewing or Editing OSSO Agent (mod_osso) Registration ...................................................... 9-39
Deleting an OSSO Agent (mod_osso) Registration.................................................................... 9-40
10 Registering Partners (Agents and Applications) Remotely
Prerequisites...........................................................................................................................................
Introduction to Remote Partner Registration ..................................................................................
About In-Band Remote Registration ...........................................................................................
About Out-of-Band Remote Registration ...................................................................................
About Key Use, Generation, Provisioning, and Storage ...........................................................
About the Remote Registration Tool............................................................................................
About Remote Registration Request Files ..................................................................................
About Out-of-Band Registration Responses .............................................................................
Acquiring and Setting Up the Registration Tool .........................................................................
Creating the Registration Request ...................................................................................................
10-1
10-1
10-2
10-3
10-4
10-6
10-9
10-22
10-22
10-23
ix
Performing In-Band Remote Registration .....................................................................................
Performing Out-of-Band Remote Registration ............................................................................
Validating Remote Registration and Resource Protection ..........................................................
Validating Remote Registration ..................................................................................................
Validating Authentication, Resource Protection, and Access After Remote Registration
Introducing Remote Management Modes......................................................................................
About Remote Agent Management Modes...............................................................................
About Remote Application Domain Management Modes .....................................................
Managing Agents Remotely .............................................................................................................
Performing Remote Agent Updates ...........................................................................................
Performing Remote Agent Validation .......................................................................................
Performing Remote Agent Removal ..........................................................................................
Creating or Updating an Application Domain Without an Agent ............................................
10-24
10-25
10-26
10-26
10-27
10-29
10-29
10-32
10-40
10-40
10-41
10-41
10-42
Part IV Managing Oracle Access Manager SSO, Policies, and Testing
11 Introduction to the OAM Policy Model, Single Sign-On
Prerequisites...........................................................................................................................................
Comparing the OAM 11g Policy Model and OAM 10g Model ....................................................
Introduction to the OAM 11g Policy Model ....................................................................................
About Resource Types....................................................................................................................
About Host Identifiers....................................................................................................................
About Authentication, Schemes, and Modules ..........................................................................
About Application Domains and Policies ...................................................................................
About Resources and Resource Definitions ................................................................................
About Authentication Policies, Responses, and Resources .....................................................
About Authorization Policies, Resources, Constraints, and Responses .................................
Introduction to Configuring OAM Single Sign-On.....................................................................
Introduction to SSO Components....................................................................................................
About Single Sign-On Components ...........................................................................................
About Single Sign-On Cookies During User Login .................................................................
About Single Sign-On Cookies....................................................................................................
Introduction to OAM 11g Single Sign-On Implementation Types ...........................................
Application SSO ............................................................................................................................
Single Sign-On with OAM 11g....................................................................................................
Cross-Network Domains and Oracle Access Manager 11g ....................................................
Introduction to OAM 11g SSO Processing .....................................................................................
About SSO Log In Processing......................................................................................................
About SSO Log In Processing with OAM Agents....................................................................
About SSO Login Log In Processing with OSSO Agents (mod_osso) ..................................
About Single Sign-On Processing with Mixed Release Agents..............................................
11-1
11-1
11-3
11-5
11-5
11-6
11-7
11-8
11-8
11-9
11-10
11-11
11-11
11-13
11-14
11-16
11-17
11-17
11-19
11-19
11-19
11-20
11-22
11-24
12 Managing Policy Components
Prerequisites........................................................................................................................................... 12-1
Introduction to Managing Policy Components .............................................................................. 12-1
Managing Resource Types................................................................................................................... 12-2
x
About Resource Types and Their Use..........................................................................................
About the Resource Type Page .....................................................................................................
Searching for a Specific Resource Type .......................................................................................
Managing Host Identifiers ..................................................................................................................
About Host Identifiers....................................................................................................................
About Virtual Web Hosting ..........................................................................................................
About the Host Identifier Page ...................................................................................................
Creating a Host Identifier ............................................................................................................
Searching for a Host Identifier Definition .................................................................................
Viewing or Editing a Host Identifier Definition.......................................................................
Deleting a Host Identifier Definition..........................................................................................
Managing Authentication Schemes.................................................................................................
About the Authentication Schemes Page ..................................................................................
Creating an Authentication Scheme...........................................................................................
Searching for a Authentication Scheme .....................................................................................
Viewing or Editing a Authentication Scheme...........................................................................
Deleting an Authentication Scheme ...........................................................................................
Configuring Challenge Parameters for Encrypted Cookies .......................................................
About ssoCookie Challenge Parameters for Encrypted Cookies...........................................
Configuring Challenge Parameters for Encrypted Cookie Security......................................
Setting Challenge Parameters for Encrypted Cookie Persistence..........................................
12-2
12-3
12-4
12-5
12-5
12-7
12-11
12-12
12-13
12-13
12-14
12-15
12-15
12-26
12-27
12-28
12-28
12-29
12-29
12-30
12-30
13 Managing Policies to Protect Resources and Enable SSO
Prerequisites...........................................................................................................................................
Introduction to Application Domain Creation................................................................................
About Automatic Application Domain Creation .......................................................................
About Manually Creating Application Domains .......................................................................
Anatomy of an Application Domain and Policies ..........................................................................
Application Domain General Details ...........................................................................................
Default Resources in a Generated Application Domain ...........................................................
Default Authentication Policies in a Generated Application Domain ....................................
Default Authorization Policies in a Generated Application Domain......................................
About Token Issuance Policies......................................................................................................
Managing Application Domains using the Console......................................................................
About the Application Domains Page .........................................................................................
Creating a Fresh Application Domain Manually .......................................................................
Searching for an Application Domain..........................................................................................
Viewing or Editing an Application Domain .............................................................................
Deleting an Application Domain and Its Content....................................................................
Adding and Managing Resource Definitions for Use in Policies .............................................
About the Resource Definition Page in an Application Domain ...........................................
Adding Resource Definitions to an Application Domain .......................................................
Searching for a Resource Definition ...........................................................................................
Viewing or Editing a Resource Definition in an Application Domain..................................
Deleting a Resource Definition from an Application Domain ...............................................
Defining Authentication Policies for Specific Resources ...........................................................
About the Authentication Policy Page.......................................................................................
13-1
13-2
13-2
13-2
13-3
13-4
13-5
13-5
13-6
13-7
13-7
13-7
13-8
13-9
13-10
13-10
13-11
13-11
13-18
13-19
13-21
13-22
13-22
13-23
xi
Adding an Authentication Policy and Resources ....................................................................
Searching for an Authentication Policy .....................................................................................
Viewing or Editing an Authentication Policy ...........................................................................
Deleting an Authentication Policy..............................................................................................
Defining Authorization Policies for Specific Resources.............................................................
About Authorization Policies for Specific Resources ..............................................................
Adding an Authorization Policy and Specific Resources .......................................................
Searching for an Authorization Policy ......................................................................................
Viewing or Editing an Authorization Policy and Resources..................................................
Deleting an Authorization Policy ..............................................................................................
Introduction to Policy Responses for SSO .....................................................................................
About Authentication and Authorization Policy Responses for SSO ...................................
About the Policy Response Language........................................................................................
About the Namespace and Variable Names for Policy Responses........................................
About Constructing a Policy Response for SSO .......................................................................
About Policy Response Processing.............................................................................................
Adding and Managing Policy Responses for SSO .......................................................................
Adding a Policy Response for SSO.............................................................................................
Viewing, Editing, or Deleting a Policy Response for SSO.......................................................
Introduction to Authorization Constraints ....................................................................................
About Allow or Deny Type Constraints....................................................................................
About Classifying Users and Groups for Constraints .............................................................
Guidelines for Authorization Responses Based on Constraints ............................................
About Constraints and General Authorization Policy Details ...............................................
About the Add Constraint Window...........................................................................................
About Identity Class Constraints................................................................................................
About IP4Range Class Constraints.............................................................................................
About Temporal Class Constraints ............................................................................................
Defining Authorization Policy Constraints ...................................................................................
Defining Identity Class Constraints ...........................................................................................
Defining IP4Range Class Constraints ........................................................................................
Defining Temporal Class Constraints ........................................................................................
Viewing, Editing, or Deleting Authorization Policy Constraints ..........................................
Validating Authentication and Authorization in an Application Domain..............................
Example: Pre-seeded IAM Suite Application Domain and Policies .........................................
13-24
13-25
13-26
13-27
13-27
13-28
13-29
13-30
13-30
13-31
13-32
13-32
13-33
13-34
13-35
13-36
13-37
13-37
13-38
13-39
13-40
13-40
13-41
13-41
13-42
13-43
13-45
13-45
13-46
13-46
13-47
13-48
13-49
13-50
13-51
14 Validating Connectivity and Policies Using the Access Tester
Prerequisites...........................................................................................................................................
Introduction to the OAM 11g Access Tester.....................................................................................
About OAM Agent and Server Interoperability.........................................................................
About Access Tester Security and Processing ............................................................................
About Access Tester Modes and Administrator Interactions ..................................................
Installing and Starting the Access Tester..........................................................................................
Installing the Access Tester............................................................................................................
About Access Tester Supported System Properties ...................................................................
Starting the Tester Without System Properties For Use in Tester Console Mode ...............
Starting the Access Tester with System Properties For Use in Command Line Mode .......
xii
14-1
14-1
14-3
14-4
14-5
14-8
14-8
14-9
14-10
14-11
Introduction to the Access Tester Console and Navigation ........................................................
Access Tester Menus and Command Buttons ..........................................................................
Testing Connectivity and Policies from the Access Tester Console ..........................................
Establishing a Connection Between the Access Tester and the OAM Server ......................
Validating Resource Protection from the Access Tester Console ..........................................
Testing User Authentication from the Access Tester Console ...............................................
Testing User Authorization from the Access Tester Console .................................................
Observing Request Latency .........................................................................................................
Creating and Managing Test Cases and Scripts ............................................................................
About Test Cases and Test Scripts..............................................................................................
Capturing Test Cases ....................................................................................................................
Generating an Input Test Script ..................................................................................................
Personalizing an Input Test Script..............................................................................................
Executing a Test Script ................................................................................................................
Evaluating Scripts, Log File, and Statistics ...................................................................................
About Evaluating Test Results ....................................................................................................
About the Saved Connection Configuration File .....................................................................
About the Generated Input Test Script .....................................................................................
About the Target Output File Containing Test Run Results ..................................................
About the Statistics Document....................................................................................................
About the Execution Log .............................................................................................................
14-12
14-13
14-15
14-16
14-18
14-20
14-22
14-23
14-24
14-24
14-25
14-26
14-27
14-28
14-31
14-31
14-32
14-33
14-34
14-36
14-38
15 Configuring Centralized Logout for OAM 11g
Prerequisites...........................................................................................................................................
Introduction to OAM 11g Centralized Logout ...............................................................................
About Centralized Logout with OAM 11g Agents and Servers ..............................................
About Centralized Logout with OAM 10g Agents and OAM 11g Servers ............................
About Centralized Logout with the IAMSuiteAgent ................................................................
About Centralized Logout with OSSO Agents (mod_OSSO) and OAM 11g ........................
About Centralized Logout for Applications Using Oracle ADF Security ..............................
Configuring Centralized Logout for 11g Webgate with OAM 11g Server .................................
About Configuring Centralized Logout for 11g Webgates.......................................................
Configuring Centralized Logout for 11g Webgates ...................................................................
Configuring Centralized Logout for the IAMSuiteAgent.............................................................
Configuring Centralized Logout for 10g Webgate with OAM 11g Servers ...............................
About Centralized Logout Processing for 10g Webgate with OAM 11g Server ...................
About the Centralized Logout Script for OAM 10g Agents with OAM 11g Servers............
Configuring Centralized Logout for 10g Webgates with OAM 11g......................................
Configuring Centralized Logout for Oracle ADF-Coded Applications ...................................
About Centralized Logout Processing for Applications Coded to Oracle ADF Standards
Configuring Centralized Logout for ADF-Coded Applications with OAM 11g.................
Removing Custom mod