How to protect an application running on IIS with OAM 11gR2

Similar Messages

• How to protect an application running on weblogic through OAM

  I have a requirement where in I need to protect an application (URL/root) deployed on weblogic through Oracle Access Manager.
  Here's what I did:
  Installed webgate on the Host where the application is deployed.
  Configured the webgate on Access System Console.
  Configured the policy domain -
  a) Mentioned the Resource type and URL to be protected
  b) Authentication Type (Basic)
  c) Autherization Rules (Anyone can acess)
  Issue: When I try to access the application http://<hostname>:7001/myapp
  I expect the webgate/OAM to intercept this request and challenge the user with the basic authentication
  but the request is carried through and the Home page of myapp is displayed.
  Do I need to do some configurations in the webserver (httpd.conf) or deployment descriptors in the application server to get the authentication?
  The application above can also be substituted with Oracle Identity Manager, where I'm getting the same result. I'm able to view OIM Home page without prior authentication. I tried protecting with the following pattern <host variation>/xlWebApp
  I am new to Oracle Access Manager and looking for some guidance.
  Thanks

  Hi Joe,
  1. Please elaborate step2 or guide me to a link where I can configure reverse proxy from Apache Webserver to weblogic. I think here's where I'm going wrong.
  For more details on proxy refer to these links:
  http://download-llnw.oracle.com/docs/cd/E13222_01/wls/docs90/plugins/apache.html#119517
  OHS to Weblogic Reverse Proxy configuration Problem
  After this configuration, won't I be able to access the application /myapp running on weblogic through port 7001 and will I have access to it only on port 80 (web s erver default port)?
  You will be able to access the application through 7001, but the request will not be intercepted by OAM. The request will be processed directly by your myApp.
  2. I did some reading and found some instructions on using weblogic SSPI plugin. Is this required at all? When is this used?
  You can use SSPI Connector if you want to protect the weblogic port. i.e., OAM intercepts the request when you access the application on 7001 port.
  Hope this helps
  Hrushi

• How to protect an application running on Apache Tomcat app server with OAM 11gR2

  Gurus,
  We have an Apache Tomcat based application named "ABCD" here at client site that we want OAM 11gR2 PS1 to integrate with for SSO purposes. I have successfully configured OHS to reverse proxy requests to Apache Tomcat server whenever somebody tries to access the application URL but still, I am getting the application login page once I have successfully authenticated on OAM SSO login page. The Tomcat based application is authenticating users against a "UserDatabase realm".
  I know in terms of weblogic application, there is an OAM identity asserter provider which then populates the User Principal for the java environment with the authenticated OAM user. But there is no such OAM identity provider for Tomcat.
  So my question is, is there an provider (or Tomcat equivalent) which will entrust authentication to a header, that could be used to populate the Java User Principal from the OAM_REMOTE_USER header? Is the weblogic equivalent of authentication providers present in tomcat as well? Are those called valves?
  Please advise to the earliest.
  Thanks !!

  Aakash,
  I did follow the 4 steps that you mentioned to me. Out of the 4 that you had mentioned, I already had the webgate in place on OHS server and I was already passing the remote_user http header in oam policy as action.
  As part of Step #2: Install mod_jk plugin on OHS server that you mentioned
  1.) I downloaded the tomcat connector - tomcat-connectors-1.2.37-src
  2.) I had to run ./configure,make, make install on my OHS server which runs on RHEL 6. It created the mod_jk.so file. I pasted it in the needed folder.
  3.) I then created the httpd.conf file and workers.properties file as said in the connector docs.
  4.) Restarted OHS.
  As part of Step #3: Configure tomcat's ajp connector that you mentioned and I went through all the links pasted below but didn't find actually what needs to be in place to configure tomcat's ajp connector. I do see in the server.xml of tomcat app server that the ajp 1.3 protocol is supported:
  http://tomcat.apache.org/tomcat-4.0-doc/config/ajp.html
  http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html#s8
  http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html
  http://www.mulesoft.com/understanding-tomcat-connectors
  <!-- A "Connector" represents an endpoint by which requests are received
           and responses are returned. Documentation at :
           Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
           Java AJP  Connector: /docs/config/ajp.html
           APR (HTTP/AJP) Connector: /docs/apr.html
           Define a non-SSL HTTP/1.1 Connector on port 8080
      -->
      <Connector port="8080" protocol="HTTP/1.1"
                 connectionTimeout="20000"
                 redirectPort="8443" />
  <!-- Define an AJP 1.3 Connector on port 8009 -->
      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  Do we need to disable the HTTP protocol in Tomcat and keep only AJP connector enabled? If yes, how to do that?
  I am trying to connect to the application from OHS server like so I am using the http protocal right? How should I use the ajp protocol to connect to tomcat application? 
  http://ohs-host:ohs-port/abcd
  Thanks !!!!!

• How to protect applications running in Weblogic using OAM

  Hi all,
  I have a doubt,
  I have 2 application running in weblogic.
  I need to protect those application using OAM and provide single sign on.
  How this can be done?
  In the OAM integration guide i saw OAM with BEA Weblogic SSPI
  Is SSPI like a connector r what is the use of this?
  Is there any other way to protect a application running in weblogic using OAM and provide SSO for those applications
  thanks in advance.

  You will need to also add the OAMIdentityAsserter and possibly an Authenticator to get group/role information in the weblogic instances (assuming it's not the same one where OAM is installed).
  Jack

• SSO to partner application running under IIS

  Hi,
  We have a complete set-up for 9iAS Release2 where some applications are running. In parallell we have an application running under IIS, and would now like to enable the IIS application as a partner application to 9iAS letting the 9iAS SSO server handle the authentication.
  In the documentation of Oracle Proxy Plug-in I read that this proxy plug-in can be used to proxy requests from IIS to Oracle http server (OHS) and also in this way enable SSO.
  My question is if this can be done only for applications running under 9iAS but having IIS as web server, or if it is also possible like in our case to enable SSO via the proxy plug-in to applications runnind under IIS?
  If this is not supported is the only available solution to use the SSO SDK in my IIS application?
  Thanks and regards,
  Rikard

  Here's a DIY answer.
  See Metalink Note 269820.1 which shows you how to use Perl to overwrite the host name in the HTTP header and remove the port number.

• How to protect custom applications using oracle access manager?

  Can someone brief me on how to protect custom applications using oracle access manager?

  Is the Custom application a Web Application running on certified platform? If its Web Application then its no different you have to configure the access policies with http(s) as resource type.
  If its not a web application you can write Custom access Gate and then implement. You would configure the policies similar to Web application (you can define your ouwn resource type if you like) and in the custom web gate you will use Access server SDK API to validate the access rules.
  Thanks
  Ram

• How can you play applications run on flash player

  How you can play applications run on flash player

  This topic with suggestions as to alternatives and workarounds has been covered here many times already. Search this forum for "Flash" and you will find many threads on the issue.
  Regards.

• How do I show applications running in the background? And how do I close them down? In class, the instructor press something but she did not go into Settings. Does anyone know?

  How do I show applications running in the background? And how do I close them down? In class, the instructor press something but she did not go into Settings. Does anyone know?

  Double-click the home button that will bring up all the applications in the background.
  To close then you swipe the application upward and it will close.

• How to develop web application using ejb3.0 with eclipse

  Hi ,
  I am new to ejb3.0 with eclipse. If any one familar that please guide me...
  how to develop web application using ejb3.0 with eclipse.please help me... server jboss4.2.2. database mqsql5.0
  Thanks,

  jsf_VWP5.5.1 wrote:
  I am new to ejb3.0 with eclipse. If any one familar that please guide me...http://help.eclipse.org/help33/index.jsp

• How do i update applications that were downloaded with a different apple id

  how do i update applications that were downloaded with a different apple id

  You can't. The iLife apps get tied in with not only the Apple ID, but the Mac that they were accepted on.The Mac App Store will always remeber that the iLife apps have been accepted once before already on this Mac and will only offer to update them with the Apple ID into whose account they were accepted.

• How to protect web application from piracy?

  I m looking for solution to protect Web application from piracy.
  I want my application run on web server for which it is built, &
  it musn't run on any other web server.
  how can i protect my web application from piracy?.
  Our .Net applications we protect using Hardware ID binding ,
  How can i protect J2EE applications?

  Run it on your own server is the simple and only secure solution.

• How to protect java application

  Hello all,
  Could you give me some clues on how to protect a java application?
  By license keys ? how to protect application by license keys? I am not sure about Signing JAR Files, is it what I need?
  Any better way than using license keys to protect a java application?
  Thanks.

  >
  Could you give me some clues on how to protect a java application?
  >
  You might want to look into obfuscators. They won't stop decompiling but they can make it hard to understand the decompiled code.
  Proguard has a good reputation
  http://proguard.sourceforge.net/
  >
  ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes. It optimizes bytecode and removes unused instructions. It renames the remaining classes, fields, and methods using short meaningless names. Finally, it preverifies the processed code for Java 6 or for Java Micro Edition.

• How to avoid of application running on Oracle 10g to be copied?

  I am a newbie to the security issues, so I need your help, please, where to start / what to read:
  I have an application running across many customers on Oracle 10g. I have faced lately that our users
  can use their daily backups to establish a totaly new database on a same / different server
  and point our application to use it as well.
  Is there any way to avoid it? F.e. I thought to use SELECT * FROM v$instance; to get the server instance details, and
  in result with some other function to obtain, let say, local server's (WIN2003) details,
  such as HD Serial Number, MAC number or so and then to check these values each time user runs the application.
  Is it the correct way? What are the basics here at all?
  Many thanks in advance to all!

  A lot of enterprises, however, actively avoid systems which are locked down to a particular server for very legitimate reasons. If my data center dies in the middle of the night, I sure don't want to have to call your mobile phone so that you can get to a computer, log in to the office network, and get me a new key so that I can finish my emergency failover. If I've got dozens of applications, I absolutely don't want to do that with dozens of different vendors.
  It sounds like your problem, though, isn't that users are installing your software on multiple computers it's that they are accessing functionality they haven't licensed. That is generally a much easier problem to solve and doesn't require you to lock anything down to a particular machine. You can create a table LICENSED_CONTENT, for example,
  CREATE TABLE licensed_content (
    client_id    NUMBER,
    content_type VARCHAR2(30),
    key          RAW(128)
  )In this case, KEY is, say, a hash (using the DBMS_CRYPTO or DBMS_OBFUSCATION_TOOLKIT packages if you'd like) of the client_id, content_type, and a bit of salt (i.e. a fixed string that only you know). When you sell a license to manage diamond content, you provide a script that inserts the appropriate row in the LICENSED_CONTENT table. When your application starts up, it reads the LICENSED_CONTENT table and verifies the hash before allowing users to access that type of content. This allows legitimate customers to move the software from one system to another but prevents them from accessing new functionality without a new license.
  Justin

• How to Protect two Apps running on two different Hosts using same OAM serve

  Hi All,
  I am new to OAM. I am trying to configure SSO for an Application using OAM 11g server which is already protecting another Application(Oracle EBS) on a different host.
  Oracle EBS application uses the Oracle EBS Access Gate to collect the credentials.
  Now what should I do to protect the second application say APP2. Should I require to install a new OHS instance and new Webgate for this purpose ? or can i use the one already used by EBS application ?
  Please reply me soon
  Thanks,
  Prabhu

  You may use the same OHS instance by creating additional reverse proxy filter for your application 2.
  Or create another instance of OHS and configure webgate, OAM policies for your application 2.
  All the applications configured with OAM will be configured for single sign on and no special configuration needs to be done.
  Here are my comments to your questions:
  1) Can you tell me why we should have different OHS and Webgate to protect the 2nd application ?
  - As per best practices, you should have different OHS instances (+webgate) for different applications. But you may also configure the same OHS for multiple applications.
  2) If we have different OHS and Webgate, then the same OAM session will be shared between the applications ? Basically the user will navigate from the first application to the second application by clicking a link on the first application's page. Will the OAM_REMOTE_USER header be passed on to the second application in this case?
  - Yes, if you have different OHS and Webgate, then the same OAM session will be shared between the applications.
  To pass the header variables to any application, add the variables in the application's OAM authorization policy responses.
  3) By default OAM 11.1.1.3 sets the userid to the OAM_REMOTE_USER? or we should manually set a response header ?
  - To be on a safer side, set this header on the authz policy's response tab and put the vallue as $user.userid

• How to protect SAP Application Tables and Reports in R/3

  Hi Gurus,
               Any one please explain me detail how to protect tables in R/3 with different senarios.
                How to protect reports in SAP R/3 without assigning SA38 transaction access
                How to protect Program in SAP R/3 in R/3

  Hello Happyman,
  <b>What do you mean by Protect Table, Program and Report?</b>
  Let me ask you one base Question, On which area are you working? Are you from functional side or Technical side (Developement or Basis guy)?
  This is very clear cut answer that with the restricted autorization you can protect table and programs. Do not provide the change autorization.
  CATCH your BASIS guy and he will do rest of the things. Just explain him what are you want to protect.
  Hope this helps.
  Regards
  Arif Mansuri