OAM - Preferred HTTP Host vs Host Identifiers

Hi all,
I think I am missing something regarding Preferred HTTP Hosts and Host Identifiers. This is what the documentation says about them:
"The Access System offers two methods for identifying Web servers that are hosting protected resources:
* Preferred Host
* Host Identifiers
You can specify either a Preferred Host or a Host Identifier"
However, regarding the Preferred HTTP Host, it also says it is a required field when configuring a WebGate and that the Preferred HTTP Host must be one of the values entered in the Host Identifier List.
So I guess that when one intends to use Host Identifiers, the preferred host identifier must be defined as well, but somehow it will be ignored and the Host Identifier will be used instead?
Any help would be greatly appreciated.
Thanks

Regarding the 'required' field - this is a bug (maybe someone will come out of the woodwork and disagree with me?) - what version of the product are you working with?
The theory goes like this: Host Identifiers are the line between the real world network and the inner workings of the product. If you want OAM to deliver AAA services, then you have to successfully cross this line. You successfully cross this line by issuing an HTTP request with a host component that matches one of the values in a Host Identifier's Host Name Variations list (If you want to avoid OAM AAA Services, you deliberately avoid this matching). One thing to be clear about - Host Identifiers are not optional if you are protecting HTTP resources. They are required.
Clearly, there is a security concern at play based on this thinking. What if you forget to add an addressable pattern to the variations list and someone walks around your security by IP address or localhost, for example? Preferred HTTP Host instructs the WebGate plugin to explicitly set the host component of every request to the value specified. Usually you intend this to match a value in the Host Name Variations list and your worries are gone.
There are some web architectures using virtual hosting where you deliberately do not want to mutate all host values into the same string - that's why this field should not be required.
The way to manage security risk when not using the Preferred HTTP Host is to combine the use of Host Name Variation values with the Deny On Not Protected flag on the WebGate. This way, the system will only allow traffic that you have specifically configured to be exposed.
Hope that all makes sense and helps somewhat.
Mark
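The following is an added illustration of the resolution logic Mark describes, not code from Oracle Access Manager or from this thread. It models the three settings at issue: the Preferred HTTP Host (a literal host, SERVER_NAME or HOST_HTTP_HEADER, as named elsewhere on this page), the Host Identifiers with their Host Name Variations, and the Deny On Not Protected flag, then runs the by-IP bypass case with and without each safeguard. Assumptions: an unset Preferred HTTP Host is treated like HOST_HTTP_HEADER, policies are reduced to (host identifier, URL prefix) pairs, and all host names and the request are constructed sample data.

```python
"""Toy model of WebGate host resolution (added illustration, not OAM code).

Assumption: an unset Preferred HTTP Host behaves like HOST_HTTP_HEADER, and a
policy is just a (host identifier name, protected URL prefix) pair."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class HostIdentifier:
    name: str
    variations: frozenset  # Host Name Variations, e.g. {"www.site1.com", "www.site1.com:80"}


@dataclass(frozen=True)
class WebGate:
    preferred_http_host: Optional[str]  # literal host, "SERVER_NAME", "HOST_HTTP_HEADER" or None
    deny_on_not_protected: bool = False


@dataclass(frozen=True)
class Request:
    host_header: str  # Host header exactly as the client sent it
    server_name: str  # virtual host the web server matched (Apache ServerName)
    path: str


def effective_host(gate: WebGate, req: Request) -> str:
    """Host value the WebGate hands to the Access Server for the policy lookup."""
    pref = gate.preferred_http_host
    if pref in (None, "HOST_HTTP_HEADER"):  # keep the client's Host header
        return req.host_header
    if pref == "SERVER_NAME":               # take the web server's virtual host name
        return req.server_name
    return pref                             # literal: every request is rewritten to it


def find_host_identifier(host: str, identifiers: Sequence[HostIdentifier]) -> Optional[HostIdentifier]:
    """First Host Identifier whose variations contain the host (case-insensitive)."""
    wanted = host.lower()
    for hid in identifiers:
        if wanted in {v.lower() for v in hid.variations}:
            return hid
    return None


def validate_preferred_host(value: str, identifiers: Sequence[HostIdentifier]) -> bool:
    """Console rule quoted later on this page: the Preferred HTTP Host must be an
    existing host identifier variation, SERVER_NAME or HOST_HTTP_HEADER."""
    return value in ("SERVER_NAME", "HOST_HTTP_HEADER") or find_host_identifier(value, identifiers) is not None


def evaluate(gate, identifiers, policies, req) -> Tuple[str, Optional[str], str]:
    """Return (outcome, matched host identifier name, host used for the lookup).

    outcome is "protected" when a policy covers the request; otherwise "denied"
    with Deny On Not Protected set and "unprotected" without it."""
    host = effective_host(gate, req)
    hid = find_host_identifier(host, identifiers)
    if hid is not None:
        for policy_hid, prefix in policies:
            if policy_hid == hid.name and req.path.startswith(prefix):
                return ("protected", hid.name, host)
    # No Host Identifier matched, or no policy covers the path: OAM delivers no AAA here.
    return ("denied" if gate.deny_on_not_protected else "unprotected", None, host)


# Constructed sample configuration: two virtual hosts, each with its own Host Identifier.
IDENTIFIERS = (
    HostIdentifier("site1", frozenset({"www.site1.com", "www.site1.com:80"})),
    HostIdentifier("site2", frozenset({"www.site2.com", "www.site2.com:80"})),
)
POLICIES = (("site1", "/app"), ("site2", "/admin"))  # (host identifier name, protected URL prefix)
# Constructed request that reaches site1 by IP address instead of by name.
BY_IP = Request(host_header="10.0.0.5", server_name="www.site1.com", path="/app/index.html")


def scenarios() -> dict:
    """The cases from the reply, side by side."""
    return {
        # Literal Preferred HTTP Host: the IP request is rewritten and lands on site1's policy.
        "literal_preferred_host": evaluate(WebGate("www.site1.com"), IDENTIFIERS, POLICIES, BY_IP),
        # No Preferred HTTP Host and no deny flag: the IP request walks around OAM.
        "no_preferred_host": evaluate(WebGate(None), IDENTIFIERS, POLICIES, BY_IP),
        # Same request with Deny On Not Protected: the unmatched host is refused instead.
        "deny_on_not_protected": evaluate(WebGate(None, True), IDENTIFIERS, POLICIES, BY_IP),
        # SERVER_NAME: one WebGate in front of both virtual hosts, each judged by its own identifier.
        "server_name_site2": evaluate(WebGate("SERVER_NAME"), IDENTIFIERS, POLICIES,
                                      Request("www.site2.com", "www.site2.com", "/admin/")),
        "server_name_site1_admin": evaluate(WebGate("SERVER_NAME", True), IDENTIFIERS, POLICIES,
                                            Request("www.site1.com", "www.site1.com", "/admin/")),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26} -> {result}")
```

Run it and compare the second and third scenarios: with neither a Preferred HTTP Host nor Deny On Not Protected, the by-IP request is simply outside OAM's view, which is the gap the reply warns about; either safeguard closes it, but only the literal Preferred HTTP Host does so by collapsing every request onto one host, which is exactly what breaks virtual hosting.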

Similar Messages

  • Question about host identifier definition

    Hi,
    I've created a webgate and defined the "Preferred HTTP Host" as the hostname where the web app is deployed. It seems OK that the webgate will protect the URL containing the hostname. But after I've authenticated, when I change the hostname to the IP address directly in the same explorer and request the resource again, it will ask me to re-authenticate. In my expectation, I don't need to re-authenticate....
    Is there anything wrong with my host identifiers definition? I've already added the corresponding IP address into the host identifier list.
    Please help to give me some advice, thanks.

    Hi,
    The host identifiers are OK, this is happening because the web server first sets the cookie for the servername, and does not accept it for the n.n.n.n name - effectively you are using different domains (from a cookie perspective), even though it is the same web server. To solve it, you could just put the server name in the Challenge Redirect parameter in the authentication scheme to
    http://servername.mydomain.com
    and then OAM will set the cookies as necessary, exactly the same as configuring OAM for multi-domain SSO.
    Regards,
    Colin

  • Access denied: HTTP - Host Request with Widget Foundation + Yahoo

    Hi,
    I have a problem with the new Yahoo widget engine's (4.5) suggested structure, when trying to execute an RFC request.
    An older version of my .kon file has a classic structure, and it works fine, I write the script into the .kon file, it looks like this:
            <action trigger = "onLoad">
            <![CDATA[
                     // Standard SAP Widget Foundation Libraries
                     include("js/utils/Common.js");
                     include("js/utils/PlatformUtil.js");
                     include("js/utils/Timer.js");
                     include("js/utils/DataLoader.js");
                     include("js/utils/RFCRequest.js");
                     request.execute(function(response) ...
            ]]>
            </action>
    When I try to use the new structure (the .kon file contains only the source of the script, no CDATA, just 'src = "Scripts/Main.js"'), and execute the request from the source JavaScript file, then I get this error:
    utils.DataLoader]> Exception was catched: XMLHttpRequest.send(): Access denied: HTTP - Host Request.
    Has anybody seen this problem already?
    Thanks,
    Gyuri

    Hi,
    Yahoo has added security control in widgets since 4.5. You should add a <security> tag to your widget.xml:
         <security>
              <http>all</http>
              <filesystem>full</filesystem>
              <command>true</command>
              <hotkey>true</hotkey>
         </security>
    http://widgets.yahoo.com/static/downloads/WidgetsReference_4.5.zip page 33.
    Eriks

  • Blank page after I log-in to http://<host>:9001/sia/

    Hi All,
    I am trying to deploy Oracle WAM 1.9.0.3. WLF_FORMS is running, and no error is found in wls_forms.out. The "error" / "issue" comes out when I log in to http://<host>:9001/sia/
    here is my config.properties:
    root_path=C:/SPL/WAMCCH/synergen/CCHDEVwaminst/sia/
    app_server=http://ldelara-ph.splwg.com:9001/sia
    help_default_page=webhelp/wwhelp/wwhimpl/js/html/wwhelp.htm?context=Overview&topic=uo_whatsnew
    mail_server=mail.server.com
    asp_url=http://ldelara-ph.splwg.com:9001/
    init_integration_table=true
    chart_xml_path=C:/SPL/WAMCCH/synergen/CCHDEVwaminst/sia/charts/data
    max_chart_records=20000
    forms_servlet=frmservlet?config=wam
    forms_server=http://ldelara-ph.splwg.com:9001/forms/
    forms_report_service_name=RptSvr_LDELARA-PH_wam_inst1
    forms_report_server_url=http://ldelara-ph.splwg.com:9001/reports/rwservlet
    forms_tnsname=WLS_FORMS
    report_cgicmd_key=report_cgicmd_key1
    debug_session_level=INFO
    debug_session_filter=synergen
    debug_session_method_filter=
    application=wam_inst1
    datasource=synergen
    default_locale=en-us
    charset_to_use=UTF-8
    file_prefix=documents
    log_requests=false
    move_requests_to_history=false
    home_page_url=Home?tgt=Main
    logon_page_url=Logon?tgt=Main
    logon_error_url=Logon?tgt=Failure
    logoff_page_url=Logon?tgt=Main
    ssoMode=false
    event_queue_module=EventQueue
    event_queue_page=Results
    default_username=synergen
    queue_retries=1
    auto_logon_expire=30
    max_user_windows=3
    db_proxy_session_helper_class=synergen.db.OracleAsDbProxySessionHelper
    sia_integration_url=http://ldelara-ph.splwg.com:9001/sia
    repair_revoked_metadata_age_in_days = 30
    Am I missing anything? Thanks.

    Hi greenkomodo,
    Thanks for posting!
    Apologies for the problems you're having watching BT Sport online and that no one has got back to you on this sooner.  It sounds like you've tried everything from your end.
    As you're just seeing a white page without any error message we'll need to look into this for you from here.  Click on my username and under the "about me" section of my profile you'll see the link to get in touch with us.
    Cheers
    Robbie
    BTCare Community Mod
    If we have asked you to email us with your details, please make sure you are logged in to the forum, otherwise you will not be able to see our ‘Contact Us’ link within our profiles.
    We are sorry that we are unable to deal with service/account queries via the private message(PM) function so please don't PM your account info, we need to deal with this via our email account :-)
    If someone answers your question correctly please let other members know by clicking on ’Mark as Accepted Solution’.

  • Blank page after I log-in to http://<host>:9001/WamInst/synergen

    Hi,
    I just installed and configured my Oracle Forms 11.1.1.4 as I am in the process of deploying Oracle Work and Asset Management 1.9.3 on Weblogic (10.3.4) Windows x86-64 bit. The servers (admin server, WLS_FORMS, WLS_REPORTS) are already running in the weblogic console - http://<host>:7001/console. The issue comes in when I try to access the webpage/web server for synergen http://<host>:9001/WamInst/synergen. I am just being redirected to a blank page and nothing loads. Is there anything else that I should configure?
    here is my config.properties.
    root_path=C:/SPL/WAMCCH/synergen/CCHDEVWamInst/sia/
    app_server=http://ldelara-ph.splwg.com:9001/WamInst/
    help_default_page=webhelp/wwhelp/wwhimpl/js/html/wwhelp.htm?context=Overview&topic=uo_whatsnew
    mail_server=mail.server
    asp_url=http://8888:8888/
    init_integration_table=true
    chart_xml_path=C:/SPL/WAMCCH/synergen/CCHDEVWamInst/sia/charts/data
    max_chart_records=20000
    forms_servlet=frmservlet?config=wam
    forms_server=http://ldelara-ph.splwg.com:9001/forms/
    forms_report_service_name=ReportsTools
    forms_report_server_url=http://ldelara-ph.splwg.com:8888/reports/rwservlet
    forms_tnsname=WamInst
    report_cgicmd_key=report_cgicmd_key1
    debug_session_level=INFO
    debug_session_filter=synergen
    debug_session_method_filter=
    application=synergen
    datasource=synergen
    default_locale=en-us
    charset_to_use=UTF-8
    file_prefix=documents
    log_requests=false
    move_requests_to_history=false
    home_page_url=Home?tgt=Main
    logon_page_url=Logon?tgt=Main
    logon_error_url=Logon?tgt=Failure
    logoff_page_url=Logon?tgt=Main
    ssoMode=false
    event_queue_module=EventQueue
    event_queue_page=Results
    default_username=synergen
    queue_retries=1
    auto_logon_expire=30
    max_user_windows=3
    db_proxy_session_helper_class=synergen.db.OracleAsDbProxySessionHelper
    sia_integration_url=http://ldelara-ph.splwg.com:9001/WamInst/synergen/
    repair_revoked_metadata_age_in_days = 30
    Has anyone encountered such a scenario?
    edit:
    I am seeing this entry in access.log when I log in.
    10.186.252.165 - - [14/Dec/2012:09:59:03 +0800] "GET /WamInst/synergen/Home?tgt=Main&from=13554502774417&ids=Failure-13554502774417-0 HTTP/1.1" 200 0
    thanks,
    Edited by: 973900 on Dec 14, 2012 1:24 AM

  • Setup ACE probe for HTTP host headers for multiple sites on rservers

    We have multiple sites on each server. Is there a way to have the probe only stop traffic to a specific site or header and not take the complete rserver offline?
    Thanks
    Greg

    If you are running multiple web servers on the same server using the same IP address, then the Host header field differentiates these web instances on the same physical machine.
    Use the header command under the http probe definition to send the appropriate HOST value with the probe request,
    e.g
    probe http site1
    interval 2
    faildetect 1000
    passdetect interval 2
    passdetect count 1
    header Host header-value "www.site1.com"
    expect status 200 200
    probe http site2
    interval 2
    faildetect 1000
    passdetect interval 2
    passdetect count 1
    header Host header-value "www.site2.com"
    expect status 200 200
    HTH
    Syed iftekhar Ahmed

  • Get attached error when accessing http://<host>:<port>/pls/<DAD>

    500 Internal Server Error
    java.lang.NoClassDefFoundError: oracle/webdb/cache/jni/Cache
         at oracle.webdb.cache.CacheFactory.init(Unknown Source)
         at oracle.webdb.page.ContentManager.init(Unknown Source)
         at oracle.webdb.page.ParallelServlet.init(Unknown Source)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpApplication.loadServlet(HttpApplication.java:1687)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpApplication.findServlet(HttpApplication.java:4020)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:2218)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:585)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java:64)
    Any idea how to fix it?

    I can ping the virtual URL of the OID. If there is something specific that needs to be tested, then could you please let me know.
    I have also added the OID hostname (virtual hostname in our environment) to /etc/hosts file on all RAC DB server nodes.
    Amit
    Edited by: jain_amit on Apr 3, 2010 8:33 PM

  • Problem connecting to HTTPS host with self signed certificate

    I have set up a tomcat server with SSL running in a vmware on my machine using a self signed certificate. I can connect to this no problem with a browser from my main machine with the url https://myserver:8443.
    However, I am not able to connect with a Java client. I always get the below exception. I read that I need to add it as a trusted certificate in the keystore. I went to the site with Firefox and saved the certificate as a .cer file, and imported it into the default keystore at c:\users\louis\.keystore. I still have the same problem. I think the problem is the client is not using the keystore, and I don't know how to make it do so. I tried adding the following arguments to the run command:
    -Djavax.net.ssl.trustStore=c:\users\louis\.keystore -Djavax.net.ssl.trustStorePassword=changeit
    but it doesn't help.
    Here is the exception I'm getting:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
         at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
         at Test.main(Test.java:39)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
         at sun.security.validator.Validator.validate(Validator.java:218)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
         ... 12 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
         ... 18 more

    I have worked around this problem by configuring the Java client to trust all certificates and disabling hostname verification. That way I don't need a trust store. I'll just have to remove that code in production. Not ideal since I'd rather have certificate/hostname verification working for testing, but it works at least.
    I have looked at the Java security documentation and as far as I can tell a keystore and a trust store are still basically the same type of file and created the same way with the keytool. The difference is when you import a cert you use the -trustcacerts option. The client 'keystore' is only being used to store the trusted cert, so it essentially is a trust store. This is documented in the keytool doc for the command -importcert.
    http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html
    I actually think my problem is more to do with the hostname, since my server doesn't have a real domain hostname like www.myserver.com. I am just using the machine name for the host, although web browsers do not have a problem with this. When I set my java client to trust all certs, I was getting the following error:
    java.io.IOException: HTTPS hostname wrong
    Disabling hostname verification fixed this, so I'm wondering if my cert has the wrong hostname. I originally created the self signed cert using the keytool with the command -genkey, which creates a key pair and also a self signed cert. I looked at the keytool docs, and I don't see any way of specifying the hostname or even seeing what the host name of a cert is. What does it put as the hostname by default? The IP address or machine name, or am I understanding this wrong?

  • OAM Webgate installation on Apache with multiple Virtual hosts?

    Hi, I have a customer who has one single Apache web server with two different applications configured as different virtual hosts in the single server.
    The requirement is that each application should be protected by an OAM WebGate and each application has separate session configurations. So, how can we handle this?
    I am thinking of installing a webgate for each application virtual host to fulfil this requirement, but I am worried about the WebGate installation since both applications are on a single Apache server with a single httpd.conf file.
    Really appreciated if anyone can suggest an approach for how to fulfil this requirement.
    -Srini
    Edited by: user567398 on Jun 17, 2011 3:00 PM

    Hi Srini,
    You can use a single WebGate - in the "Preferred HTTP Host" setting for the WebGate in the Access System Console, specify SERVER_NAME. OAM will then use the name of the Virtual Host (as returned by Apache) when evaluating policies, and you can have different policies by having different Host Identifiers for the two (or more) virtual hosts.
    Regards,
    Colin

  • Web Gate Prepare Error in OAM 10.1.4.3 installation

    Hi, all,
    I try to install OAM 10.1.4.3 in Windows XP.
    I follow the installation document, and everything is fine until it comes to the Web Gate Prepare step:
    I try to "add new access gate" in the access administration URL, and when I click save, it reports: "Preferred HTTP Host must specify an existing host identifier variation, SERVER_NAME, or HOST_HTTP_HEADER". The problem is I have already set the Preferred HTTP Host to my OHS hostname and port, say, bcao-cn.cn.oracle.com:6666, but the error is still there.
    I use OHS 11.1.1.3.
    I appreciate your help. Thanks.
    Best Regards,
    Bill

    Hi,
    Go to OAM Access Administration -> Access System Console -> Access System Configuration -> Host Identifiers , and add a new one:
    Name: yourWebHostName
    Hostname variations: yourWebHostName:yourWebPort
    Hope this helps.
    Best Regards,
    Bill

  • Multiple webgates pointing to one access gate entry in OAM

    Can we install webgates on multiple boxes and point to same access gate entry in OAM.
    Are there any issues with this kind of configuration?
    Any opinion?

    Hi,
    It is technically possible to do this, and makes sense when all the WebGates are logically the same (for example, they all reside on instances of load balanced web servers).
    When the WebGates reside on logically different web servers, then it will be more difficult to have different policies protecting similarly named resources on the different web servers. For example, you may want to protect /admin differently on the different web servers, and you will not be able to use Preferred HTTP Host to achieve this when they share the same AccessGate definition. Also, you will not be able to set different timeouts on the different WebGates, or have different settings for such things as IPValidation or cookie domains.
    Regards,
    Colin

  • IBM websphere 6.1 integration with OAM

    Hi,
    1) Is the "interceptorClassName" class name important? Can I name it something other than what is stated in the documentation?
    example:
    According to the WAS integration guide the Interceptor classname is: com.oblix.tai.was5.WebGate2TrustAssociationInterceptor
    Can I change it to com.oblix.tai.was5.WebGateTrustAssociationInterceptor
    2) Is there anywhere to verify that the TAI is loaded properly, and how do I test it?
    ================================================================================
    Interceptor classname is under WAS, Secure administration -> applications, and infrastructure -> Trust association -> Interceptors
    Thanks and Regards,
    Grey

    Thanks! I got it figured out. But I encountered something else while integrating with WAS.
    I'm trying to integrate OAM with WAS without reverse proxy and I followed the documentation religiously. In the documentation
    Defining an Oracle Access Manager Policy Domain for WebSphere without Reverse Proxy
    Without reverse proxy, disabling SSO in WAS is required. I will need to protect the WebSphere Administrative Console SSL URL. Otherwise, I will not be able to access the console after disabling SSO in WAS. I have created the policy domain as in the documentation.
    ■ Resource Type: http
    ■ Host Identifier: xxx
    ■ URL Prefix: /ibm/console and /admin
    ■ Description: Used by NetPointWASRegistry TAI component.
    Authorization Rules: Click the Authorization Rules tab, click Add, and then create and save an authorization rule to allow access to WebSphere Administrative
    Console resources. For example:
    a. Click General, then enter and save:
    * Name: Allow Administrator.
    * Description: Allow access to WebSphere Administrative Console resources.
    * Enabled: Yes
    * Allow takes Precedence: Yes
    Without Reverse Proxy: Click Actions, then enter and save the following WebSphere Administrative Console SSL URL for Authentication Success. For example:
    Redirect to: https://hostname:port/ibm/console <- I found out that once I had this implemented, I will be going in an authentication cycle (keep getting authenticated and redirected back to the same page) because it is part of the resources I had previously declared to be protected.
    Is there a workaround, or is it due to a documentation error?

  • OAM Websphere 6.1 integration

    Hi everyone,
    Okay, I'm going to ask a noob question.
    I have done the integration with WebSphere and OAM. TAI and NetPointWASRegistry have already been successfully loaded, tested and run.
    The pages are protected by OAM because I can see the basic webgate authentication prompt by WebSphere when accessing the pages. But why can't I see the ObSSOCookie? Is this normal for a successful integration?
    From the HTTP header, I can only see the LTPA token. Is this right? If not, where can it go wrong?
    Regards,
    Grey

  • OIF11g-OAM11g integration - Auth mode?

    I'm trying to get OIF11g-OAM11g auth mode integration to work. I'm following the OIF integration mode doc and followed all the steps. I'm getting redirected to the OAM form login. Authentication is going through successfully, but I'm getting this error from OIF:
    <Mar 13, 2012 1:17:36 PM CDT> <Error> <oracle.security.fed.eventhandler.authn.engines.oam.OAMAuthnEventHandler> <FED-18068> <Authentication failed: WebGate did not authenticate the user>
    <Mar 13, 2012 1:17:36 PM CDT> <Warning> <oracle.security.fed.http.handlers.authn.LoginRequestHandler> <FED-18051> <Authentication instant was not sent from the authentication engine.>
    Installed an OHS server (for the Webgate 11g agent) on the same server hosting OIF (configured for both IdP and SP). I'm NOT using the OSSO agent.
    The index.html of the OHS server was modified and set to redirect to the loopback testing URL of the fed server as below. The reason I did this was to suppress the OIF login page and make OIF understand the OAM cookie.
    http://oifhost:7499/fed/idp/initiatesso?providerid=http://oifhost:7499/fed/sp&returnurl=http://anyresouce
    Under Authentication Engine, made OAM the default authentication engine and added "OAM_REMOTE_USER" as the header attribute.
    Created an OAM policy in OAM. The host identifier has both the OHS proxy and the OIF host URL.
    Added "OAM_REMOTE_USER" as the header attribute under the authorization policy.
    Has someone faced this issue before? I have seen many threads with the same issue but no solutions yet. Please help.

    Hi community,
    I have a problem with the integration between Oracle Access Manager 11g and Oracle Identity Federation. I want to propagate the credentials from an application called WSebra to Oracle Access Manager with a SAML Assertion. I have tested the procedure of the Oracle integration guide "Integration Guide for Oracle Access Manager E15740-04" but it does not work.
    I want to know if it is possible to propagate the credentials between an application that sends a SAML Assertion, like WSebra, and Oracle Access Manager 11G, and if it is possible, the procedure of integration. I don't use WebGate; I just need to propagate the credentials from WSebra to Access Manager. WSebra has an authentication mechanism with an LDAP system and does the work of authentication; Access Manager must create the session.
    At this point, I created an identity provider and service provider with Oracle Single Sign-On as the integration manual describes and I get the message:
    Resultado de Autenticación de SSO: Fallo de Autenticación
    Código de Estado Secundario de SSOUNKNOWN_PRINCIPAL
    And in the log I get the following message:
    Authentication instant was not sent from the authentication engine.
    Please, I need help with this topic because we must integrate these products for a migration process. We want to migrate from SUN ACCESS MANAGER to Oracle Access Manager 11g; SUN ACCESS MANAGER has the SAML setting out of the box. Oracle Access Manager 11g doesn't have SAML, and RSA authentication is very bad, and we have many problems with these features.
    Thanks.

  • Access Tester issue

    Hello,
    I have a protected URL that I'm able to SSO to without problem.
    But when testing the protected URL in the Access Tester, I receive "Policy Domain not found".
    Why is it showing "Policy Domain not found" when the URL is protected and I can see the policy in the My Policy Domain page?
    URL http://usphlsoweb.sas.testing.com:7777/webcenter
    Resource Operation GET / POST / OTHER
    IP Address any
    Access Time any
    Evaluation result
    Policy Domain <not found>
    Thanks in advance.

    Hi,
    Ensure that when using the Access Tester, you use a value that is in the Host Identifiers for the protected resource as the server name. For example you are using:
    http://usphlsoweb.sas.testing.com:7777/webcenter
    so make sure that usphlsoweb.sas.testing.com:7777 is in the host identifiers (or use a value that does exist there). The WebGate will use the value you have specified for the Preferred HTTP Host, whatever you specify in the url - but the Access Tester needs the value in the Host Ids.
    Regards,
    Colin
