OAM 11gR2 - Access Client

Hi Gurus,
I am writing an access client for a custom application. I am able to authenticate, authorize and get a session token for the user, but I am not able to get the responses that we have set in the authorization policy. We have set Responses --> header --> $user.attr.customattr1
I have looked into the API document to get those responses but I am unable to do that.
Oracle Fusion Middleware Access SDK Java API Reference for Oracle Access Management Access Manager
Is there a way to get responses through APIs?
Regards
978203

Can you confirm if you are using the getActions or getAction API?
Also, you may want to enable "Allow Management Operations" in the AccessGate configuration in oamconsole.
What is the exception you get while invoking the API?
Hope this helps.

Similar Messages

  • Oam 11g r2 Access Client error

    Hi guys,
    I am trying to create an AccessClient based on section 2.2.3, Sample Code: Simple Access Client, of the following:
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27134/as_api.htm#BGBCEHCI
    The code successfully initialized the Access SDK but is giving the following error:
    ======
    Jul 7, 2013 2:54:58 PM oracle.security.am.asdk.ResourceRequest isProtected
    SEVERE: Unknown exception.
    Access Exception: OAMAGENT-02071
    Process exited with exit code 0.
    ===========
    How can we clear this issue?
    Regards,
    jdev

    Hi Colin,
    Thanks for the reply.
    I am using OAM 11g R2 and I did the following:
    1. Successfully configured an OAM 10G Agent with remote registration with '/**' as the protected resource.
    2. Created a Java project in JDeveloper.
    3. Added all the jars to the project by setting the library and class path.
    4. Copied the OBAccessClient.xml to the development system folder D:\softwares\11gR2\OAMSDK's\RREG10G_OAM\oblix\lib.
    5. Copied JAccessClient.java and made the following modification:
      public static final String m_configLocation = "D:\\softwares\\11gR2\\OAMSDK's\\RREG10G_OAM";
    6. Kept the following as it is:
      ac = AccessClient.createDefaultInstance(m_configLocation,AccessClient.CompatibilityMode.OAM_10G);
    7. Observed that the OAM SDK initialization is successful.
    8. Observed that the AccessClient and ResourceRequest objects are not null by adding the following in the class file:
       System.out.println(ac) gives oracle.security.am.asdk.AccessClient@17f409c as output
       System.out.println(rrq) gives oracle.security.am.asdk.ResourceRequest@facf0b as output
    Following is the OBAccessClient.xml:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <CompoundList xmlns="http://www.oblix.com">
        <SimpleList>
            <NameValPair ParamName="id" Value="RREG10G_OAM"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="debug" Value="false"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="security" Value="open"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="state" Value="Enabled"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="preferredHost" Value="RREG10G_HostId"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="maxCacheElems" Value="100000"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="cacheTimeout" Value="1800"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="maxSessionTime" Value="3600"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="maxConnections" Value="1"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="failoverThreshold" Value="1"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="aaaTimeoutThreshold" Value="-1"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="sleepFor" Value="60"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="denyOnNotProtected" Value="1"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="cachePragmaHeader" Value="no-cache"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="cacheControlHeader" Value="no-cache"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="ipValidation" Value="0"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="accessClientPasswd" Value=""/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="cookieSessionTime" Value="0"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="idleSessionTimeout" Value="3600"/>
        </SimpleList>
        <SimpleList>
            <NameValPair ParamName="primaryCookieDomain" Value=".mycompany.com"/>
        </SimpleList>
        <ValList ListName="logOutUrls">
            <ValListMember Value="/oamsso/logout.html"/>
        </ValList>
        <ValList ListName="primary_server_list">
            <ValListMember Value="primaryServer1"/>
        </ValList>
        <ValNameList ListName="primaryServer1">
            <NameValPair ParamName="host" Value="oamserver.mycompany.com"/>
            <NameValPair ParamName="port" Value="5575"/>
            <NameValPair ParamName="numOfConnections" Value="1"/>
        </ValNameList>
        <ValList ListName="proxySSLHeaderVar">
            <ValListMember Value="IS_SSL"/>
        </ValList>
        <ValList ListName="URLInUTF8Format">
            <ValListMember Value="true"/>
        </ValList>
        <ValList ListName="client_request_retry_attempts">
            <ValListMember Value="1"/>
        </ValList>
        <ValList ListName="inactiveReconfigPeriod">
            <ValListMember Value="10"/>
        </ValList>
    </CompoundList>
    ==============================
    Please let me know whether the way I did it is correct or not.
    Regards,
    Jdev

  • How to protect an application running on Apache Tomcat app server with OAM 11gR2

    Gurus,
    We have an Apache Tomcat based application named "ABCD" here at client site that we want OAM 11gR2 PS1 to integrate with for SSO purposes. I have successfully configured OHS to reverse proxy requests to Apache Tomcat server whenever somebody tries to access the application URL but still, I am getting the application login page once I have successfully authenticated on OAM SSO login page. The Tomcat based application is authenticating users against a "UserDatabase realm".
    I know that in terms of WebLogic applications, there is an OAM identity asserter provider which then populates the User Principal for the Java environment with the authenticated OAM user. But there is no such OAM identity provider for Tomcat.
    So my question is, is there a provider (or Tomcat equivalent) which will entrust authentication to a header, that could be used to populate the Java User Principal from the OAM_REMOTE_USER header? Is the WebLogic equivalent of authentication providers present in Tomcat as well? Are those called valves?
    Please advise at the earliest.
    Thanks !!

    Aakash,
    I did follow the 4 steps that you mentioned to me. Out of the 4 that you had mentioned, I already had the webgate in place on the OHS server and I was already passing the remote_user HTTP header in the OAM policy as an action.
    As part of Step #2 (Install mod_jk plugin on OHS server) that you mentioned:
    1.) I downloaded the Tomcat connector - tomcat-connectors-1.2.37-src
    2.) I had to run ./configure, make, make install on my OHS server, which runs on RHEL 6. It created the mod_jk.so file. I pasted it in the needed folder.
    3.) I then created the httpd.conf file and workers.properties file as said in the connector docs.
    4.) Restarted OHS.
    As part of Step #3 (Configure Tomcat's AJP connector) that you mentioned, I went through all the links pasted below but didn't actually find what needs to be in place to configure Tomcat's AJP connector. I do see in the server.xml of the Tomcat app server that the AJP 1.3 protocol is supported:
    http://tomcat.apache.org/tomcat-4.0-doc/config/ajp.html
    http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html#s8
    http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html
    http://www.mulesoft.com/understanding-tomcat-connectors
    <!-- A "Connector" represents an endpoint by which requests are received
             and responses are returned. Documentation at :
             Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
             Java AJP  Connector: /docs/config/ajp.html
             APR (HTTP/AJP) Connector: /docs/apr.html
             Define a non-SSL HTTP/1.1 Connector on port 8080
        -->
        <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    Do we need to disable the HTTP protocol in Tomcat and keep only the AJP connector enabled? If yes, how do we do that?
    I am trying to connect to the application from the OHS server like so, so I am using the HTTP protocol, right? How should I use the AJP protocol to connect to the Tomcat application?
    http://ohs-host:ohs-port/abcd
    Thanks !!!!!

  • Need information on OAM 11gR2 protecting OIM 11gR2

    Hi All,
    I need to implement a solution wherein I have to protect OIM 11gR2 application using OAM 11g2.
    So in this case the identity store for OIM is the normal Oracle database and we have used the generic LDAP connector to provision the users to a LDAP directory which is the identity store for OAM.
    I have gone through the OIM integration with OAM and it talks about a lot of steps involving extension of the identity store for both OIM and OAM (Integrating Access Manager and Oracle Identity Manager - 11g Release 2 (11.1.2)).
    In my case I don't need features like the centralized password management functionality; we only want to protect the OIM application.
    So is it possible to enable SSO without
    1) Externalizing the identity store of OIM to the LDAP directory which is the identity store for OAM, and hence not running the LDAP sync utility?
    Also, can you please guide me to a document that specifies the steps?
    Thanks

    Hi Thiago,
    Thanks for your replies.
    Yes, I followed certification matrix and tried to install 11.1.1.6 only on wlserver 10.3.6.
    Can you please elaborate on the below points? Or if there are any URLs for detailed steps, please provide them.
    -What you have to do:
    2.1-On Application Server Navigator you can create types of connection:
    2.2-Integrated WLS option
    2.3-Standalone WLS option
    2.4-This first option you can install a local standalone WLS 10.3.6 server on your environment, then create a separate "integrated WLS" connection to the standalone server.
    2.5-Then go to your Application's properties through the Application menu -> Application Properties -> Run -> Bind to Integration Application Server option you can the brand new option created WLS server connection to work with your application.
    3.0- Don't forget that you need to install the ADF Runtimes for the server to be able to work with ADF applications

  • BASIC OAM 11gR2 QUESTION

    Can someone explain the difference between "success url" for
    1. Authentication Policy - success url is an optional parameter.
    2. Authorization Policy - success url is an optional parameter.
    3. Unsolicited Login - success url is a required parameter.
    This is with respect to Oracle Access Manager 11gR2.1

    1. Authentication Policy - success url is an optional parameter.
    After successful authentication the user will be redirected to the URL mentioned in "success url".
    2. Authorization Policy - success url is an optional parameter.
    After successful authorization the user will be redirected to the URL mentioned in "success url".
    Both these parameters are optional. If these parameters are not present in the OAM policy then the user will be taken to the protected application URL from where the OAM flow began. For example, the user has started with the http://mydomain.com/protectedapp URL.
    3. Unsolicited Login - success url is a required parameter.
    This is a required parameter for the "unsolicited login" feature. Basically you pass three parameters to the OAM Direct authentication URL: "username", "password" & "successurl". If the provided username and password are correct, redirection to the URL in the "successurl" parameter would happen. You can get more information about the unsolicited login feature in this blog:
    http://www.ateam-oracle.com/unsolicited-login-with-oam-11gr2/
    Hope this helps.

  • OAM 11gR2 and OVD

    Hi,
    It appears OVD did not make it into the Oracle Fusion Middleware Identity Management 11gR2 release. The latest version available is still the one included in the Oracle Fusion Middleware Identity Management 11gR1 release. Is that correct?
    If so, I have a deployment of Oracle Access Manager 11gR2, which I'd like to integrate with OVD. Does this situation mean that I must deploy another entire WebLogic domain for the Oracle Fusion Middleware Identity Management 11gR1 release? Or is it possible to somehow install the 11gR1 version of OVD into the 11gR2 instance I've already got?
    - Jim

    Yes, the latest version of OVD available is 11.1.1.6 (11g R1). You may use this version with OAM 11gR2.
    OVD 11.1.1.6 uses WebLogic 10.3.6 and OAM 11g R2 also uses the same weblogic version. Please let me know if you are on some other version of WLS.
    As per best practice, try to keep the OAM and OVD in separate WLS domains.

  • OAM 11gR2 and 10g

    The following URL is for 10g OAM resource protection:
    http://docs.oracle.com/cd/E12530_01/oam.1014/b32420/v2access.htm#BABJHAIJ
    Please can someone confirm that the flow for authentication/authorization is almost the same in OAM 11gR2 (though product names have changed, like Access server to OAM server, I hope the basic functionality of WebGates remains the same)?

    Hi,
    The flow is more or less the same, and the functionality of the WebGates is the same - but there are some differences in 11g. For one thing, the policies in 10g are stored in ldap, whereas in 11g they are stored in a DB. Also, in 11g there is a session cookie in addition to the authentication token. The 11g Access Admin Guide shows some flows, for example here: http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/agents.htm#AIAAG1729
    Regards,
    Colin

  • How to protect an application running on IIS with OAM 11gR2

    Hello Gurus,
    I have a question regarding protecting an application running on IIS with OAM 11gR2. We have an OHS server running and all the requests from the users are coming to this OHS server webgate for them to log in using the SSO login page. This is all Solaris. I am protecting other applications like pplsoft modules with this OHS instance and OAM server. There is another application that I need to protect which is itself running on an IIS Windows machine. I need guidance as to -
    1.) Do I need to install a Windows version of webgate to protect this IIS based application?
    2.) Or can I still protect and proxy requests from this application to the current OHS instance? How can I do this?
    3.) Or do I need to proxy requests directly from IIS to the OAM WebLogic server?
    Please advise at the earliest as this is an urgent issue.
    Thanks !!

    From your description it is not clear how exactly the architecture looks.
    "We have an OHS server running and all the requests from the users are coming to this OHS server webgate for them to login using the SSO login page."
    Is this OHS a centralized login farm? (Case 1)
    Or is this OHS server (with webgate) acting as a virtual web server hosting multiple web sites, so that a request to any site passes through this OHS/webgate? (Case 2)
    "1.) Do I need to install a windows version of webgate to protect this IIS based application?"
    If case 1, then you need to install a 10g webgate on top of the IIS server to protect this application.
    If case 2, then you can just proxy requests from OHS to the IIS server. As every request passes through OHS, the user will be authenticated before the request hits IIS.
    Look at the product documentation for virtual web sites: http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/shared.htm#autoId12
    It has steps to protect virtual web sites.
    Also, you need to make sure no one hits the IIS web sites directly.
    Hope this helps

  • Routing Issue for Remote Access Clients over Site to Site VPN tunnels

    I have a customer that told me that Cisco has an issue when a customer has a topology of let's say 3 sites that have site to site tunnels built and a Remote Access client connects to site A and needs resources at Site B but the PIX won't route to that site. Has this been fixed in the ASA?

    Patrick, that was indeed true for a long time.
    But now it is fixed in PIX and ASA version 7.x.
    Please refer to this document for details:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

  • Can Multiple Webgate/OAM/IdentityStores access one multitenant WLS domain?

    Can multiple access points ( web tier + OAM + Identity store) access one application?
    The objective here is to have one multi-tenant ADF application accessed by users who are authenticated by their own enterprise SSO and identity store. The authenticated session should pass the context with a list of all enterprise roles that the user belongs to, which would be used for authorization by the multitenant application. It is assumed here that the naming convention for relevant roles is followed by all participating identity stores.
    Can Webgate/OAM and accessed WebLogic domain be configured to accomplish this?

    OAM can pass as header variables all of the things you mention. For example, you get these by default:
    OAM_REMOTE_USER containing the userid of the logged in user (eg "jsmith")
    HTTP_OAM_IDENTITY_DOMAIN containing the name of the Identity Store that the logged in user belongs to, as known to the OAM admin console (eg "SunLDAP")
    additionally you can define a headervar that contains the user's ldap group membership, and one that contains the user's full DN (or any other attribute and other information).
    Of course, any receiving app would need to be configured to consume this information.
    Regards,
    Colin
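Added example, not part of the original threads: one way a receiving application can consume `OAM_REMOTE_USER`, covering both Colin's point above that the receiving app must be configured to consume these headers and the IIS thread's point that nobody should reach the back end directly. The class name, method name and addresses are assumptions made for illustration; the code uses only the JDK (Java 11+).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added example. OamHeaderTrust and resolveUser are hypothetical names, not an OAM API.
public class OamHeaderTrust {

    static final String USER_HEADER = "OAM_REMOTE_USER"; // header name taken from the thread

    // Assumption: addresses of the OHS/WebGate hosts that are allowed to assert identity.
    private final Set<String> trustedProxies;

    public OamHeaderTrust(Set<String> trustedProxies) {
        this.trustedProxies = Set.copyOf(trustedProxies);
    }

    /**
     * Returns the user asserted by the proxy, or empty when the request must be
     * treated as unauthenticated. peerAddress is the TCP peer address (what
     * ServletRequest.getRemoteAddr() returns), not a client-supplied header.
     */
    public Optional<String> resolveUser(String peerAddress, Map<String, List<String>> headers) {
        // 1. Identity headers mean nothing unless the connection comes from the proxy.
        if (peerAddress == null || !trustedProxies.contains(peerAddress)) {
            return Optional.empty();
        }
        // 2. Header names are case-insensitive: collect every value under any spelling.
        List<String> values = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (USER_HEADER.equalsIgnoreCase(e.getKey())) {
                values.addAll(e.getValue());
            }
        }
        // 3. Exactly one non-blank value is acceptable; duplicates are ambiguous.
        if (values.size() != 1 || values.get(0) == null || values.get(0).trim().isEmpty()) {
            return Optional.empty();
        }
        return Optional.of(values.get(0).trim());
    }

    public static void main(String[] args) {
        // Constructed sample data: 192.0.2.10 stands in for the OHS/WebGate host.
        OamHeaderTrust trust = new OamHeaderTrust(Set.of("192.0.2.10"));

        Map<String, List<String>> viaProxy = Map.of(USER_HEADER, List.of("jsmith"));
        Map<String, List<String>> duplicated = Map.of(
                USER_HEADER, List.of("jsmith"),
                "oam_remote_user", List.of("admin"));
        Map<String, List<String>> noHeader = Map.of("Host", List.of("app.example.com"));

        System.out.println("via proxy       : " + trust.resolveUser("192.0.2.10", viaProxy));
        System.out.println("direct to app   : " + trust.resolveUser("198.51.100.7", viaProxy));
        System.out.println("duplicate header: " + trust.resolveUser("192.0.2.10", duplicated));
        System.out.println("header missing  : " + trust.resolveUser("192.0.2.10", noHeader));
    }
}
```

Only the first request yields a user; the same header sent straight to the application, sent twice, or absent resolves to an unauthenticated request.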

  • OAM 11gR2 Authentication using username/password/additional ldap field

    I want to add additional credential parameter along with username and password to be validated against LDAP.
    Is there any out of the box solution for authentication using username/password/additional ldap field in OAM 11gR2?
    This solutions exist in 10g and could not find any OOB feature in 11g.

    Do you need to accept an additional parameter from the user via the login form & then use it in the credential mapping step?
    Not sure if the %% syntax would work... haven't tried it. The next option is to develop a custom authentication plugin.
    Additional LDAP attribute against static value
    If you need to add an additional LDAP attribute (check against a static value), you can specify that in the LDAP search filter in the "User Identification plugin" configuration.
    Take a look at "MTLDAPPlugin" under custom authentication modules.
    Hope this helps

  • Routing back to Direct Access Clients - is this possible?

    Hi,
    We have been using direct access for the past few months successfully, however the one problem we are still having is we can't use programs that require a route back to the Direct Access client (such as managing a Hyper-V machine on the local LAN), using SourceOffsite or even using Remote Desktop to remote onto a direct access client or ping the direct access client.
    Our local LAN uses IPv4 and we can route fine to the Direct Access clients from the Direct Access Server where the tunnel terminates but not from any other machine on the network. Do I need to change the direct access configuration to allow this or do I need to somehow create a route on my LAN for the direct access clients?
    Thanks in advance
    David

    I found out how to do this in this useful article and tested it and it is working fine - thanks.
    http://www.packtpub.com/article/configuring-manage-out-to-directaccess-clients

  • OAM 11gR2 - Remote Registration Exception - HTTP Error 501

    Hello
    I installed OAM 11gR2 and am trying to configure OAM with WebGate.
    While doing remote registration using rreg.bat I get an exception
    RemoteRegistrationException
    HTTP error 501 could not send HTTP Post message
    Can anyone help me?
    Thanks,
    Ram

    It's most likely a problem with your Java version.
    I know for sure that Java version 1.6.0_37 doesn't work and that 1.6.0.41 works for sure.
    Can you try installing a different version of Java?
    If on Linux, use
    update-alternatives --config java
    as root to point to the Java (other version that you installed) and try again.
    Let me know if that helps.
    Cheers
    -Kungo

  • Spellcheck in Oracle Web Access Client

    I need the spellcheck in the Email Oracle Web Access Client. The question is: is this functionality in this Java version of email?
    Because I find this functionality (spellcheck) in the HTML version of Oracle Mail but I can't find the spellcheck in the Java version of email.
    Is it possible to connect the spellcheck from the HTML version to the Java version, or is this an Enhancement Request to be logged on this issue for the next version?
    Thanks
    Karla Barreto

    Hello,
    You can't do that in WAC but in the Webmail interface > Preferences > Account > Folders you can set this for Oracle Mail.
    Hope it helps.
    Irina

  • Sun Desktop Access Client - Language Settings Windows Logon Screen

    Dear All,
    I have a little problem with the language setting of my Sun Desktop Access Client if I try to connect to a Windows 2003 Server.
    First some configuration details:
    PC:
    Win XP (german version)
    keyboard layout: german
    Sun Desktop Access Client 1.0
    Server:
    Win 2003 Server (german version)
    The problem is that if I connect to the server via the SDAC, the language setting of the logon screen has changed to EN instead of DE. Using a German keyboard layout causes some trouble.
    If I connect to the server via a Sun Ray DTU (kiosk mode) it works properly.
    Does anybody have a clue how to get rid of this?
    Thanks in advance.
    Best regards
    Ha-Pe

    Okay, after a bit of investigation...
    You can't have the locale used change automatically according to the locale used on the client, the best you can do is assign a default locale for most users and create alternative kiosk sessions with different locales (as a uttsc option) which you can assign to DTUs or SDACs (or to smartcard token ids but SDAC doesn't currently support smartcards).
    At least this is what I understand, I'm sure someone will comment if this isn't the case.
    If this is good enough you can do this using the utkiosk and the utkioskoverride commands.
