OAM 11gR2 and OVD

Hi,
It appears OVD did not make it into the Oracle Fusion Middleware Identity Management 11gR2 release. The latest version available is still the one included in the Oracle Fusion Middleware Identity Management 11gR1 release. Is that correct?
If so, I have a deployment of Oracle Access Manager 11gR2, which I'd like to integrate with OVD. Does this situation mean that I must deploy another entire WebLogic domain for the Oracle Fusion Middleware Identity Management 11gR1 release? Or is it possible to somehow install the 11gR1 version of OVD into the 11gR2 instance I've already got?
- Jim

Yes, the latest version of OVD available is 11.1.1.6 (11g R1). You may use this version with OAM 11gR2.
OVD 11.1.1.6 uses WebLogic 10.3.6, and OAM 11g R2 uses the same WebLogic version. Please let me know if you are on some other version of WLS.
As per best practice, try to keep the OAM and OVD in separate WLS domains.

Similar Messages

  • OAM 11gR2 and 10g

    The following URL is for 10g OAM for resource protection:
    http://docs.oracle.com/cd/E12530_01/oam.1014/b32420/v2access.htm#BABJHAIJ
    Please can someone confirm that the flow for authentication/authorization is almost the same in OAM 11gR2 (though product names have changed, like Access Server for OAM Server, but I hope the basic functionality of WebGates remains the same)?

    Hi,
    The flow is more or less the same, and the functionality of the WebGates is the same - but there are some differences in 11g. For one thing, the policies in 10g are stored in LDAP, whereas in 11g they are stored in a DB. Also, in 11g there is a session cookie in addition to the authentication token. The 11g Access Admin Guide shows some flows, for example here: http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/agents.htm#AIAAG1729
    Regards,
    Colin

  • OAM 11gR2 - Remote Registration Exception - HTTP Error 501

    Hello
    I installed OAM 11gR2 and am trying to configure OAM with WebGate.
    While doing remote registration using rreg.bat I get an exception
    RemoteRegistrationException
    HTTP error 501 could not send HTTP Post message
    Can anyone help me?
    Thanks,
    Ram

    It's most likely a problem with your Java version.
    I know for sure that Java version 1.6.0_37 doesn't work and that 1.6.0.41 works for sure.
    Can you try installing a different version of Java?
    If on Linux, use
    update-alternatives --config java
    as root to point to the Java (other version that you installed) and try again.
    Let me know if that helps.
    Cheers
    -Kungo

  • How to protect an application running on IIS with OAM 11gR2

    Hello Gurus,
    I have a question regarding protecting an application running on IIS with OAM 11gR2. We have an OHS server running and all the requests from the users are coming to this OHS server webgate for them to login using the SSO login page. This is all Solaris. I am protecting other applications like pplsoft modules with this OHS instance and OAM server. There is another application that I need to protect which is itself running on an IIS Windows machine. I need guidance as to -
    1.) Do I need to install a windows version of webgate to protect this IIS based application?
    2.) Or I can still protect and proxy requests from this application to current OHS instance? How can I do this?
    3.) Or Do I need to proxy requests directly from IIS to OAM weblogic server?
    Please advise at the earliest as this is an urgent issue.
    Thanks !!

    From your description it is not clear how exactly the architecture looks.
    "We have an OHS server running and all the requests from the users are coming to this OHS server webgate for them to login using the SSO login page."
    Is this OHS a centralized login farm? (Case 1)
    Or is this OHS server (with webgate) acting as a virtual web server hosting multiple web sites, so that a request to any site passes through this OHS/webgate? (Case 2)
    "1.) Do I need to install a windows version of webgate to protect this IIS based application?"
    If case 1, then you need to install a 10g webgate on top of the IIS server to protect this application.
    If case 2, then you can just proxy requests from OHS to the IIS server. As every request passes through OHS, the user will be authenticated before the request hits IIS.
    Look at the product documentation for virtual web sites: http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/shared.htm#autoId12
    It has steps to protect virtual web sites.
    Also, you need to make sure no one hits the IIS web sites directly.
    Hope this helps

  • How to protect an application running on Apache Tomcat app server with OAM 11gR2

    Gurus,
    We have an Apache Tomcat based application named "ABCD" here at client site that we want OAM 11gR2 PS1 to integrate with for SSO purposes. I have successfully configured OHS to reverse proxy requests to Apache Tomcat server whenever somebody tries to access the application URL but still, I am getting the application login page once I have successfully authenticated on OAM SSO login page. The Tomcat based application is authenticating users against a "UserDatabase realm".
    I know in terms of weblogic application, there is an OAM identity asserter provider which then populates the User Principal for the java environment with the authenticated OAM user. But there is no such OAM identity provider for Tomcat.
    So my question is, is there a provider (or Tomcat equivalent) which will entrust authentication to a header, that could be used to populate the Java User Principal from the OAM_REMOTE_USER header? Is the WebLogic equivalent of authentication providers present in Tomcat as well? Are those called valves?
    Please advise at the earliest.
    Thanks !!

    Aakash,
    I did follow the 4 steps that you mentioned to me. Out of the 4 that you had mentioned, I already had the webgate in place on OHS server and I was already passing the remote_user http header in oam policy as action.
    As part of Step #2: Install mod_jk plugin on OHS server that you mentioned
    1.) I downloaded the tomcat connector - tomcat-connectors-1.2.37-src
    2.) I had to run ./configure, make, make install on my OHS server which runs on RHEL 6. It created the mod_jk.so file. I pasted it in the needed folder.
    3.) I then created the httpd.conf file and workers.properties file as said in the connector docs.
    4.) Restarted OHS.
    As part of Step #3: Configure tomcat's ajp connector that you mentioned, I went through all the links pasted below but didn't find what actually needs to be in place to configure Tomcat's AJP connector. I do see in the server.xml of the Tomcat app server that the AJP 1.3 protocol is supported:
    http://tomcat.apache.org/tomcat-4.0-doc/config/ajp.html
    http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html#s8
    http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html
    http://www.mulesoft.com/understanding-tomcat-connectors
    <!-- A "Connector" represents an endpoint by which requests are received
             and responses are returned. Documentation at :
             Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
             Java AJP  Connector: /docs/config/ajp.html
             APR (HTTP/AJP) Connector: /docs/apr.html
             Define a non-SSL HTTP/1.1 Connector on port 8080
        -->
        <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    Do we need to disable the HTTP protocol in Tomcat and keep only the AJP connector enabled? If yes, how to do that?
    I am trying to connect to the application from the OHS server like so; I am using the HTTP protocol, right? How should I use the AJP protocol to connect to the Tomcat application?
    http://ohs-host:ohs-port/abcd
    Thanks !!!!!
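
The connector change asked about in the post above, as an added example that is not part of the original thread: a fragment of Tomcat 7's conf/server.xml with the HTTP connector disabled and only AJP left for mod_jk. The address value is an assumption (OHS and Tomcat on the same host).

```xml
<!-- Added example, not from the thread: goes inside the <Service> element
     of Tomcat 7's conf/server.xml. -->

<!-- HTTP connector disabled by commenting it out. Tomcat no longer answers
     on 8080, so the application cannot be reached without passing through
     the OHS server and its WebGate.
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->

<!-- AJP 1.3 connector kept for mod_jk running on the OHS server.
     address: bind to an interface that only OHS can reach. 127.0.0.1 is an
       assumption that OHS and Tomcat share a host; otherwise use an internal
       IP and restrict port 8009 to the OHS host at the firewall.
     tomcatAuthentication="false": Tomcat uses the authenticated principal
       propagated by the front-end web server over AJP instead of performing
       the authentication itself. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           tomcatAuthentication="false"
           redirectPort="8443" />
```

Users keep requesting http://ohs-host:ohs-port/abcd over HTTP; AJP is used only on the hop from mod_jk to port 8009, and an identity passed on that hop is only trustworthy if nothing other than OHS can open that port.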

  • OAM 11gR2 Authentication using username/password/additional ldap field

    I want to add an additional credential parameter along with username and password to be validated against LDAP.
    Is there any out of the box solution for authentication using username/password/additional ldap field in OAM 11gR2?
    This solution exists in 10g and I could not find any OOB feature in 11g.

    Do you need to accept an additional parameter from the user via the login form & then use it in the credential mapping step?
    Not sure if %% syntax would work... haven't tried it. The next option is to develop a custom authentication plugin.
    Additional ldap attribute against static value
    If you need to add an additional LDAP attribute (check against a static value), you can specify that in the LDAP search filter in the "User Identification plugin" configuration.
    Take a look at "MTLDAPPlugin" under custom authentication modules.
    Hope this helps

  • OIM-OAM integration and LDAP Sync

    Hello All, I have deployed OIM 11g R2 and OAM/OVD 11.1.1.5. Now I need to enable LDAP sync for OIM-OAM integration and I'm not allowed to extend Oracle schema in AD. So I decided to use OUD for FMW schema and I have completed all those steps and OUD is up and running. Since my enterprise directory is AD and OUD is my FMW directory, I need to think of a split profile setting in OVD. I'm following this link http://fusionapplications-ateam.blogspot.com/2012/04/split-profiles-with-ad-and-oid-for.html for this deployment. I have OVD adapters configured for AD, OUD, Join view and changelog. The link does not clearly explain the steps in OIM for LDAP Sync.
    When I configure LDAP Sync in OIM, should I point the sync to the OUD users container?
    When and how will this cn=shadowentries container be used? I understand that the password (obattributes) are used for password management by OAM, but I am wondering where that will get stored in OUD?
    Please let me know your thoughts.
    Thanks.

    Hi,
    when I use url:
    http://idm1:14000/admin/faces/pages/Admin.jspx
    I get Access Manager login page, I can click links: register new user, reset password and I get correct OIM pages. But when I type xelsysadm and password I get error on the next page:
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    I can't logon to EM, OAMconsole, Weblogic etc. when the OAM is running. In OIM log I got errors from oam-agent: "User is not authorized to access resource, MinorCode: DENY, MajorCode: DENY".
    I have got user xelsysadm in OIM and in LDAP, when the OAM is not running I can login to OIM, create users in OIM (they appear in OID) etc. The user xelsysadm is added to group: OAMAdministrators. Also when I try to logon to OAM console (http://idm1:7001/oamconsole) using orcladmin name I get error: Access to administration console is restricted. But when I use weblogic username (the user is in OAMAdministrators group in OID) I can get OAMconsole.
    How can I change logon type in OIM?
    best
    mp
    Edited by: J23 on 2011-01-10 00:47

  • OAM 11gR2 Throwing SSL Warning after configured to use HTTPS Load Balancer

    I have configured OAM 11gR2 to use an https load balancer on 14100 and have set my managed servers' SSL listen port to 14100 (could not use 14101 because the HTTPS VIP created was listening on 14100). Everything works fine with this configuration, but my logs are filling up with the following warning.
    <Oct 3, 2012 1:41:54 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.1 - 10.228.0.1 instead of an SSL handshake.>
    I know that 10.228.0.1 is the DNS server, but I'm not sure why this is happening. Any ideas?

    What WLS and OHS versions are you using in this environment?
    If they are older versions than these, please upgrade WLS to 10.3.3 and the OHS to 11.1.1.3. This is a known bug on the WLS side, not in OAM.
    I hope this helps,
    Thiago Leoncio.

  • OAM OIM OID OVD ?

    I always hear these things from Oracle: OAM, OIM, OID and OVD. Are they the same thing? If not, I believe they are related since people always mention them together; then, what's the relationship? Please clarify.
    I'm new to Oracle identity management products. Please let me know if there are any other products closely related to the above in this family.
    Thanks

    Hi,
    Each one performs a specific role; you can say they are interdependent when it comes to implementation.
    OAM -> Oracle Access Manager = performing authentication and authorization of web based and non web based resources by protecting them.
    OIM -> Oracle Identity Manager = managing identities of the organisation, integrating and provisioning (giving access) to various applications, and single sign on.
    OID -> Oracle Internet Directory = it's one of the directory servers, like Sun Directory Server or AD, for managing user data.
    OVD -> Oracle Virtual Directory = it's a virtual directory server which provides only a view from multiple directory servers.
    Please go through oracle docs for more info.
    Thanks,
    Ragu.

  • BASIC OAM 11gR2 QUESTION

    Can someone explain the difference between "success url" for
    1. Authentication Policy - success url is optional parameter.
    2. Authorization Policy - success url is optional parameter.
    3. Unsolicited Login - success url is required parameter.
    This is with respect to Oracle Access Manager 11gR2.1

    1. Authentication Policy - success url is optional parameter.
    After successful authentication the user will be redirected to the URL mentioned in "success url".
    2. Authorization Policy - success url is optional parameter.
    After successful authorization the user will be redirected to the URL mentioned in "success url".
    Both these parameters are optional. If these parameters are not present in the OAM policy then the user will be taken to the protected application URL from where the OAM flow began. For example, the user has started with the http://mydomain.com/protectedapp URL.
    3. Unsolicited Login - success url is required parameter.
    This is a required parameter for the "unsolicited login" feature. Basically you pass three parameters to the OAM Direct authentication URL: "username", "password" & "successurl". If the provided username and password are correct, redirection to the URL in the "successurl" parameter would happen. You can get more information about the unsolicited login feature in this blog:
    http://www.ateam-oracle.com/unsolicited-login-with-oam-11gr2/
    Hope this helps.

  • Install SSL certificate for OAM 11gR2

    Experts, I wanted to know some recommended urls, links etc for configuring and installing SSL certs for OAM 11gR2.
    Base install for OAM is working fine and all consoles are ok.
    I have found following link from the docs
    http://docs.oracle.com/cd/E27559_01/core.1112/e28516/sslconfig.htm#ASADM1800
    Please confirm above link would suffice to install and configure SSL.
    Any other challenges or issues likely to come up would help, like importing certificates and root certificate etc.

    Assuming you're referring to SSL between OAM Server and WebGate, it is documented here: Securing Communication - 11g Release 2 (11.1.2)
    Regards,
    Colin

  • OAM 11gR2 time frame

    Hi Folks
    Does anyone have any tentative time frame on when OAM 11gR2 will be out.
    Thanks,
    -MD

  • OAM 11gR2 new domain startup issue

    Installed OAM 11gR2 in new domain, completed security store configuration. Also checked validation, that also worked fine.

    I can't seem to find Note 1461370.1 in Oracle Support. I am having the same issue. I found a ticket opened as a bug, 13586338, with a similar issue but that was closed and no resolution was given.

  • Re: Is Oracle 11gR2 and 10gR2 BOTH compatible with Oracle Linux 6 Update 1?

    Hello,
    I am required to install Oracle 11gR2 and 10gR2 Oracle binaries on Oracle Linux 6 Update 1. Are both versions compatible to install and run with databases on Oracle Linux Release 6 Update 1, or is Oracle Linux Release 5 Update 7 required for this?
    Thanks in advance,
    Regards,
    A
    Edited by: 850391 on Oct 13, 2011 3:43 PM
    Edited by: 850391 on Oct 13, 2011 3:44 PM

    Hi;
    Oracle 11g or 10g is not certified with OEL or RHEL6 yet. Please use OEL 5.x version which you can download from edelivery.
    Also see:
    Oracle Database on Unix AIX,HP-UX,Linux,Mac OS X,Solaris,Tru64 Unix Operating Systems Installation and Configuration Requirements Quick Reference (8.0.5 to 11.2) [ID 169706.1]
    Regards
    Helios

  • Support OIM and OAM 11gR2 versions

    Hello friends,
    The version of Oracle Weblogic Server 12c is supported for Oracle Identity Manager and Oracle Access Manager 11gR2
    Thanks

    Directly from Oracle website on Weblogic Server certification
    "Oracle Identity and Access Management 11gR2 (11.1.2.0.0) is certified with Oracle Weblogic Server 11gR1 (10.3.5) and Oracle Weblogic Server 11gR1 (10.3.6)."
    Here is the url, http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
    click on - System Requirements and Supported Platforms for Oracle Identity and Access Management 11g Release 2 (11.1.2.x) ( xls)
    Edited by: 970711 on Nov 25, 2012 7:04 AM
