OAM Authentication Modules for 11g

Similar Messages

• How to unconfigure a Custom Authentication Module for Convergence

  After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
  , I decided to try to revert back to the default.
  How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.
  sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.servicename -v ""
  sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.callbackhandler -v ""
  sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.loginimpl -v ""
  sudo /opt/SUNWappserver/bin/asadmin stop-appserv
  sudo /opt/SUNWappserver/bin/asadmin start-appserv
  AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter  Thread httpSSLWorkerThread-80-1 at 14:45:25,951 - SSO is disabled
  AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,953 - Subject not found in session, creating one
  AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,954 - Unabled to load the class due to 
  AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,956 - Unable to instantiate callback handler 
  AUTH: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate  Thread httpSSLWorkerThread-80-1 at 14:45:25,957 - Failed to Login the user: Unable to instantiate callback handler 
  PROTOCOL: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate  Thread httpSSLWorkerThread-80-1 at 14:45:25,960 - Protocol Error while login : Unknown Reason

  jessethompson wrote:
  After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
  , I decided to try to revert back to the default.
  How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.After enabling the custom login module using the steps in the earlier thread (http://forums.sun.com/thread.jspa?threadID=5318615), I performed the following steps to disable the custom module and re-enable the ldap auth module:
  # Disable custom auth-module
  cd /opt/sun/comms/iwc/sbin
  ./iwcadmin -w <admin password> -o auth.custom.servicename -v ""
  ./iwcadmin -w <admin password> -o auth.custom.loginimpl -v ""
  ./iwcadmin -w <admin password> -o auth.custom.callbackhandler -v ""
  ./iwcadmin -w <admin password> -o auth.misc.CredentialFile -v ""# Re-enable the LDAP auth-module
  cd /opt/sun/comms/iwc/sbin
  ./iwcadmin -w <admin password> -o auth.ldap.callbackhandler  -v com.sun.comms.client.security.auth.AppCallbackHandler
  ./iwcadmin -w <admin password> -o auth.ldap.loginimpl -v com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule# Restarte App Server
  cd /opt/SUNWappserver/bin/
  ./asadmin stop-domain; ./asadmin start-domain# Login to iwc interface as user shjorth with password oldpwd
  # Login successful with oldpwd -- custom auth module successfully disabled, LDAP re-enabled
  Regards,
  Shane.

• Has anyone every try using the iplanet portal server radius authentication module with cryptoCard?

  We are using the easyRadius server from CryptoCARD. When we run the radius server in debug mode, it appears ips is sending multiple access-request message. Also, the server is coming back with a challenge which we are not expecting.

  yes,
  we did basic integration where the authentication will be done using siteminder. The trick is to protect the portal server web server and not the gateway. You also need to add a new authentication module for siteminder in the portal using ipsadmin. We are protecting the login html page only. We couldn't protect the desktop because it's built using servlets.

• Does a Kerberos authentication module exist?

  Does anyone know of a Kerberos authentication module for Portal Server? If not, can anyone think of any security implications that would suggest "rolling my own" would not be a good idea?

  No we don't have any kerberos auth module as a part of the product and you can develop your own using the auth api's.

• How to bypass from OAM authentication for certain domain

  Hi All,
  We are trying to unprotect certain domain from OAM domain but coudn't. Please help us fix this issue.
  Environement details:
  We have two nodes, one node for OAM_OSSO and another one for OSSO_Portal application.
  OAM server details:
  In this server, oracle application server single sign on(services are HTTP, OC4J, and OID) and OAM. Integrated OAM_OSSO using [ID 979827.1]
  Portal server details:
  In this server, oracle application server single sign on(services are HTTP, OC4J, and OID) and portal weblogic server(portal application) is running. portal weblogic is registered with thier own portal OSSO.
  In OAM, We protected following portal url's
  /sso/auth      
  /pls/orasso/orasso.wwsso_app_admin.ls_login
  portal _OAM integration is working fine.
  Now portal team come with new requirement for customer, application also running in their same portal weblogic server and that portal application domain is alreday registered with Portal OSSO and Portal OSSO page is protected by OAM. the requirement is bypass OAM authentication, and need to authentication against their own portal OSSO+OID.
  Please tell me how to bypass OAM authentication from this scenerio.
  -Sarath

  Hi MD,
  Thanks for your update.
  We are using oracle 10g. Please tell me how Anonymous scheme will help us to get out from this issue.
  Portal Weblogic server registered with portal IDM server and portal IDM server OSSO protected by IDM OAM. So if i tried any of the application which deployed under portal weblogic server will get protected by OAM right. Please correct me if iam wrong.
  In this scenerio we have two OSSO, one in OAM node and another one in portal server. Now portal team come up with new webserver domain for customer, in customer scenerio we want authenticate againt portal OSSO with their own OID rather than using OAM authentication. Here my concern is, customer or employee the portal weblogic server and portal OSSO are common for both user but only difference in webserver domain.
  So if i tried to access customer application, then customer webserver redirect to portal weblogic for open the requested page(note if webgate not in picture). portal weblogic server is register with portal OSSO and its redirect to portal OSSO for authentication but Portal OSSO server integrated with OAM using webgate.
  1. When tried to access customer application ,Portal OSSO server tried to show own sso login page for authentication but Portal OSSO server already integrated with OAM. so portal OSSO server requested to OAM to access portal sso login page not the request of customer page login.
  2. here,portal OSSO login page protected and OAM serve login page for OAM authentication against OAM OID. If i specify anonymous scheme for customer domain then how will work here, portal OSSO requested to OAM to access portal OSSO login page not the customer page or employee page...
  Here OAM authentication will come into picture for all scenario but need bypass for customer login.
  Requirement is when customer trying to access then authentication need to happen in portal OSSO not in OAM. Hope you understand the architecture.Please suggest how.
  -Sarath
  Edited by: 898990 on May 11, 2012 8:22 PM
  Edited by: 898990 on May 11, 2012 8:25 PM

• Are there any Oracle OLAP ODI Knowledge Modules for Oracle Olap 11g ?

  Hi guys, wasnt sure where to post this so I put it here and the ODI forum
  Does anybody know when Oracle OLAP Knowledge Modules, will be available for Oracle Olap 11g. It appears that the knowledge modules released with Oracle Data Integrator 10.1.3.5, currently only work with Oracle Olap 10g...
  If there is no timeline, does anybody know of work around to get ODI reverses working on Analytical Workspaces built in Oracle Olap 11g
  Thank you
  Richard
  Edited by: RichardSmith on May 15, 2009 11:51 AM

  Raise a service request with Oracle Support (Metalink) for your system slow issue. May be, they will recommend you the workarounds for the issues which are not yet available for 11g in the form of Patches.
  Regards,
  Sabdar Syed.

• OIF 11g Sample Authentication Engine for Trusted HTTP Header

  We are trying to achieve OIF authetication based on headers set by windows native authentication. As per our research we have come across this example located at URL: http://www.oracle.com/technology/sample_code/products/id_mgmt/index.html (OIF 11g Sample Authentication Engine for Trusted HTTP Header).
  At this point we are trying to see the deployment architecture and configuration required to achieve the functionality described in the example.
  Can someone please elaborate more on the set up and configuration required for the example to work ?
  Appreciate your feedback.

  Realized the hyperlink missing for oracle example..
  Here it is: http://www.oracle.com/technology/sample_code/products/id_mgmt/oif/customauthn.jsp.SAMPLE

• Custom Login Module for Tomcat to procted apps using Oracle Access Manager

  Hi all,
  I have the following scenario.
  A web application deployed in Tomcat to be protected using OAM. One solution is to use Access Gate though we have other alternative as Proxy infront of Tomcat with a webgate. Now I am implementing the Access Gate solution.
  So, when the user clicks the tomcat application, then the prompt (BASIC) appears for login details. custom login module should kick in and take those login details and authenticate against OAM using Access SDK API.
  I have created access gate profile and installed Access SDK. Ran the ConfigureAccessGateTool as well.
  I did some research googling for login module. I came to know that we need to write a custom realm for it. So, this realm implementation involves specifying role-name etc., in web.xml where the role-name would have been defined in tomcat-users.xml.
  This means that the user trying to authenticate against OAM has to have some roles defined in Tomcat to login. I didnot understand the flow end to end as how this will work.
  Please let me know if anybody has done this of customization.
  Thanks,
  Mahendra.

  Hi Ambarish,
  Initially I thought of implementing the way you suggested in Option 2.
  But there will be various redirections when we use option 2 as the login page should redirect it to a page where OAM authentication and authorization stuff has to be handled. And accordingly we have to redirect it to specific pages upon successful atn and atz. Hence, I was opted using Custom Login Module.
  However, I have been trying Option 2 now. In web.xml, I have specified a login page with FORM scheme. The login redirects it to another page say OAM_Authentication_Handler.jsp. Here we code which serves atn and atz. Upon doing this, I have observed that the protected resource in OAM is not getting evaluated using the method
  String ms_protocol = "http";
  String ms_method = "GET";
  String ms_resource = "http://localhost:8080/FormLogin/private.jsp";
  ObResourceRequest rrq = new ObResourceRequest(ms_protocol, ms_resource, ms_method);
  The method rrq.isProtected() is returning false which implies it to unprotected. I have tested using Access Tester for the resource and it results in expected behaviour.
  Is there any limitation here by using this approach?
  Any ideas?
  Thanks,
  Mahendra.

• Reusable Authentication module with page fragments

  Hi,
  I have an authentication module(as ADF library) with page fragments in an ADF task flow and trying to reuse in other ADF apps.
  In the consuming application , i have a login page with the resuable authentication task flow dragged and dropped into a region and the ADF library added to the project.
  When i enable the ADF security for the consuming application, the region does not show up when i run it.
  i have anonymous role assigned to the Auth module's page fragment's def file and the task flow itself.
  If i remove it, the components with the region show up.
  Could you help me on what am i doing wrong with ADF security.
  Without a reusable ADF library and having the authentication module built into the consuming app, everything works fine.
  Any help is greatly appreciated.
  I am using ADF & Jdev 11g Ps2.
  Thanks.

  Hi Anton,
  You can treat the fragment as any page, its going to have its own pageDef that will be included automatically by the page containing its task flow within a fragment (assuming you're using the data control/component drag-drop feature in JDeveloper). This is actually one of the best working feature of 11g imho.
  Regards,
  ~ Simon

• OAM Plugin Module

  Hello All
  I have a problem I have been trying to research for a while. Basically, as part of a form-based login, I want to perform some checks for the user to see if they have signed an acceptable use agreement and make sure their current signature is valid. I have had a few suggestions to just do this via OAM using header variables to the acceptable use page, but this would add another step in the login process whereby all users would be redirected back to the page, then sent to their original page. Given I have a large population of users, I think this would be pretty inefficient and would like to do it as part of the login process. I am writing an authentication plugin dll to use as part of the form-based authentication module, but wanted to see if anyone had any opinions on better options.
  Also, in terms of process flow, one question I do have is based on the processing of the plugin. If I send the uid of the user to the plugin, it checks it, and I send back a success/failure, can I program results in the plugin process based on the success/failure. for example, if the plugin returns a failure, then the user is redirected to the AUP page, if it is successful, they just go on to the original resource requested?
  Any help you can give would be appreciated.
  Thanks
  Nick

  Hi Nick,
  Is this application specific or overall SSO. What you can do is add an boolean attribute for inetorgperson class in ldap for UAP and pass that attribute through OAM to the passthrough script. If you use OVD, you can also attach the attribute with an adapter to the App DB. This will be faster and mostly OOTB to be supportable and maintainable. We do not see any performance degradation compared to the Oracle OOTB Scripts such as SecurID which does post processing using a perl script.
  If you are passing the attribute in the SSO session to the post processing script, you just need to check if the value is enabled/disabled and can redirect the user to the initial URL. If the UAP is application specific, more design is needed to skip UAP check for Application Users who are not required to agree with UAP.
  Thanks
  Ramesh GK

• Configuring the authentication scheme for a web application

  Hi all,
  We have a requirement to configure the authentication scheme for a web application where some set of users should access the application using basic LDAP (userid/password) authentication and some using digital certificate authentication.
  Since the deployment descriptor (web.xml) allows only one directive for auth-method in logic-config, we want to know if there is any other way to achieve this requirement. We are thinking of a custom login module approach. But we are not able to figure out how to configure the auth-method at runtime from the login servlet.
  Please let us know if there is any other approach to achieve this.
  I will be thankful if any body shares any specific solution to this issue.

  This forum is probably not the correct one to ask in. It's more related to the web container than Java Programming.
  Kaj

• Custom Authentication Module on Identity Server

  Hi,
  I have a custom authentication module which I am trying to access through the policy agent.
  I have set the following property in AMAgent.properties file
  com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login?module=CustomLoginModule.
  My login module code is something like this:
  package com.iplanet.am.samples.authentication.providers;
  import java.util.*;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.Callback;
  import javax.security.auth.callback.NameCallback;
  import javax.security.auth.callback.PasswordCallback;
  import javax.security.auth.login.LoginException;
  import com.sun.identity.authentication.spi.AMLoginModule;
  import com.sun.identity.authentication.spi.AuthLoginException;
  import java.rmi.RemoteException;
  import java.io.FileInputStream;
  import java.util.Properties;
  public class LoginModule1 extends AMLoginModule
  private String userName;
  private String userTokenId;
  private HashMap usersMap;
  private java.security.Principal userPrincipal = null;
  public LoginModule1() throws LoginException
  public void init(Subject subject, Map sharedState, Map options)
            System.out.println("LoginModule1 initialization");
            usersMap = new HashMap();
            ResourceBundle bundle = ResourceBundle.getBundle("users");
            Enumeration users = bundle.getKeys();
            while (users.hasMoreElements())
                 String user = (String)users.nextElement();
                 String password = bundle.getString(user.trim());
                 usersMap.put(user, password);
  public int process(Callback[] callbacks, int state) throws AuthLoginException
            int currentState = state;
            if (currentState == 1)
                 userName = ((NameCallback) callbacks[0]).getName().trim();
                 char[] passwd = ((PasswordCallback) callbacks[1]).getPassword();
                 String passwdString = new String (passwd);
                 if (userName.equals(""))
                      throw new AuthLoginException("names must not be empty");
                 if (userName.equals("testuser") && passwdString.equals("testuser"))
                      userTokenId = userName;
                      return -1;
                 if (usersMap.containsKey(userName))
                      if (usersMap.get(userName).equals(new String(passwd)))
                           userTokenId = userName;
                           return -1;
                 return 0;
       public java.security.Principal getPrincipal()
            if (userPrincipal != null)
                 return userPrincipal;
            else
            if (userTokenId != null)
                 userPrincipal = new SamplePrincipal("testuser");
                 return userPrincipal;
            else
                 return null;
  So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication does not succeed and I get the following error message in the agent log file.
  2004-08-09 15:24:08.640 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:09.030 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:23.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
  2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:29.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:29.499 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
  2004-08-09 15:24:29.499 128 2712:24fda5e8 RemoteLog: User unknown was denied access to http://ps0391.persistent.co.in:80/test/index.html.
  2004-08-09 15:24:29.499 Error 2712:24fda5e8 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
  2004-08-09 15:24:29.499 Error 2712:24fda5e8 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
  2004-08-09 15:24:29.499 -1 2712:24fda5e8 PolicyAgent: validate_session_policy() access denied to unknown user
  The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
  Thanks
  Srinivas

  Does the principal "testuser" exist in your realm? If I understand your module correctly, it looks like it always returns "testuser".
  I am guessing that Access Manager is not finding your principal. Typically if access manager cannot associate the principal returned by the custom AMLoginModule it will fail the authentication.
  I am wondering if this is related to a seperate problem I have seen with custom login modules. Try chaning the code to return an LDAP style principal it may work:
  so return "uid=testuser,ou=People,dc=yourdomain,dc=com" for example. In theory this should not be necessary but it solved some problems for me, though I am not sure why.

• How to redirect a first time OAM authenticated user to a custom page

  We are using OAM 11.1.1.5 with OVD. If user logs in for the first time thru OAM, we wanted to collect few more additional information about the user. To do this, we wanted to redirect the user to the collect-additional-data.jsp page immediately after OAM authentication. This will be only one time operation for the user. How to do this in OAM.
  Thanks!
  Kabi

  Just set additional-data.jsp in your authentication policy success url. So always after authentication user req is redirected to the success url. You can also set the requested url in the response in case you want to retrieve it in your additional-data.jsp.

• Certificate Based Authentication - Questions and Authentication Modules

  Hi Everyone
  I'm trying to achieve a specific configuration using AM . I've installed the AM Server 7.1 on a AS9.1EE container and have another AS91EE container on another machine that has the agent configured.
  The AM server is using a DS rep for configurations and dynamic profiles and using a AD rep for authentication.
  What I now need to achieve is authentication base on one of these two way :
  - user and password authentication (which is working)
  - Certificate based authentication ( working on it )
  To configure the Cert. Auth I've started reconfiguring the containers and agent to work in SSL, as said in the manuals. The manuals also say that the containers must have "Client Authentication Enabled", they don't say which ( either the server or agent container or both ) . Also I assume that "Client Authentication Enabled" is refering to the Http Listener configuration of that container.
  When I enable it ( the Client Authentication ) on the http listener for either containers the https connection to that container stops working. In Firefox it simply prompts an error saying that the connection was "interrupted while the page was loading." . On IE, it prompts for a Certificate to be sent to the container and when I provide none, then it gives me the same error as Firefox. In both cases no page was presented.
  Basically what I need is for both authentication methods described before to work! So, asking the certificate ( specially if it wasn't the AM asking for it ) without giving the user a chance to use a user/password combination isn't what is wanted.
  From what I gathered the "Client Authentication" makes this http listener need a certificate to be presented always .
  So, my first question is : is the documentation correct? Does this "Client Authentication" thingy need to be enabled at the listener level?
  2- I'll probably need to code a costum module for this scenario I'm working in because of client requisits, but if possible I would like to use the provided module. Still, in case I need to make on, has anyone made a cert. auth module that they can provide me with so I have a working base to start with?
  3- Is there a tested how-to anywhere on how to configure Cert. Based Authentication?
  All for now,
  Thank you all for your help
  Rp

  Hi Rp,
  We are using AM 7.1 with Certificate Authentication and LDAP Authentication. To answer your question, yes it is possible to use both method at the same time i.e. Use certificate first and then fallback to LDAP.
  First you need to configure AM's webcontainer to accept the certificate. From your message it is clear that you have done that. The only mistake that you did is "made the Client Authentication required". I have done this in Sun WebServer 7.0 and Sun Application Server 7.0 (yeah that is old!!). You need to make the Client Authentication as optional. It means that Certificate will be transferred only when it is available otherwise Web Container will not ask for the Certificate. You will have to search Glassfish website or ASEE 9.1 manual to learn how to make the Client-Authentication Optional. You definitely need this authentication optional as Web Agent will be connecting to this AM and as far as I know they do not have any mechanism to do the Client Authentication.
  Secondly, In AM 7.1, you will have to Set up the Authentication chaining. Where you can make Certificate Module as Sufficient and LDAP module as REQUIRED.
  Thirdly, if you are using an non ocsp based certificate then change the ocsp checking in AMConfig.properties to false.
  Fourth, You may have to write a small custom code to get the profile from your external sources. (if you need to then I can tell you how).
  HTH,
  Vivek

• Authentication failure for zone 1 error

  We did some cleanup of old user accounts in our edir tree and after that I noticed a whole bunch of error messages on our catalina.out file. Problem is the error message does not specify what account it is looking for so I do not know what account I need to restore/recreate. Vibe seems to be working okay so I'm not sure what is broken with this account missing. Error message reads:
  2014-01-18 18:38:02,429 WARN [http-8443-55] [org.kablink.teaming.module.authentication.impl.Aut henticationModuleImpl] - Authentication failure for zone 1: org.springframework.security.userdetails.UsernameN otFoundException: User account disabled or deleted; nested exception is org.kablink.teaming.security.authentication.UserAc countNotActiveException: This account has been disabled or deleted.
  We are running on Vibe 3.4.0. Any help in identifying the account needed would be much appreciated.
  Thank you,
  Ronnie

  This looks okay.  An authFail indicates that someone is polling this device with the wrong community string.  Check x.x.x.x to make sure there aren't any applications polling this device with wrong credentials.
  Something else to note is that you should not be using '@' in your community strings.  While this shouldn't really matter for routers, it's a good rule of thumb not to use '@' on Cisco devices as that character is reserved for community string indexing.