OSB, REST, and browser authentication with OAM

All,
I'm looking for some advice regarding the consumption of REST services (from the user's browser) in an environment that utilizes OAM security and the Oracle Service Bus. Let me set the stage.
We've configured an instance of OAM with OHS acting as a proxy to our applications. One of our apps wants to pull some data (using an AJAX call) from a service directly to the browser. The service is currently protected using HTTP Basic authentication. This works fine for Java apps that want to make those service calls directly, but not so well when it is the browser that wants to make the call.
My assumption (up to this point) had been that I would be able to utilize the OAM Identity Asserter on the service bus in much the same way that we have been using it to propagate identity to our application servers. After speaking with some of the service developers (guys more intimately familiar with the OSB than I am), we haven't tried to do this before and are unsure of the proper implementation to achieve our goal.
So, with all of that being said, am I barking up the wrong tree? Would it be incorrect to have a REST service written that is serviced by two different OSB proxies? One that enforces HTTP Basic, and one that (somehow) uses the OAM_REMOTE_USER and an appropriate identity asserter to pass identity in such a manner that the OSB would be able to enforce security in that manner?
Is there a better way to secure REST services being made from the browser?
Thank you for any help/direction you can provide.
--james

If you want to use a custom authentication plugin, OAM provides a way to create a custom authentication module, and you can orchestrate your steps based on your conditions. See http://docs.oracle.com/cd/E21764_01/doc.1111/e12491/authnapi.htm for more details.
Hope this helps,
Sagar

Similar Messages

  • OSB inbound http webservice integration with OAM

    Hi,
    I have a requirement where I need to protect an OSB inbound HTTP webservice with OAM, so that OAM can fetch the user details from the webservice SOAP header and authenticate the user against LDAP.
    Can someone tell me if this is a feasible approach. If yes, please share the details as to what configuration changes need to be done at OAM & OSB end.
    If not, is there any alternative approach to secure webservice with OAM.
    This webservice is not called from any web application. External sources directly make a call to this webservice through some Java client.

    The solution to this issue is to put the following line in the mod_wl_ohs.conf file:
    MatchExpression /imaging WebLogicHost=test-ipm.atfoods.com|WebLogicPort=16000
    The complete element will look like this.
    <IfModule weblogic_module>
    WebLogicHost test-ipm.atfoods.com
    WebLogicPort 7001
    Debug ALL
    WLLogFile e:/logs/weblogic_ohs.log
    MatchExpression /imaging WebLogicHost=test-ipm.domain.com|WebLogicPort=16000
    </IfModule>
    <Location /imaging>
    SetHandler weblogic-handler
    WebLogicHost 192.168.140.74
    WeblogicPort 16000
    Debug ALL
    WLLogFile f:/log/wlipm.log
    </Location>
    Make sure that you use the IP for the WebLogic host in the 2nd element and not the host name.
    Thanks & Regards,
    Vikrant Korde

  • HTTP Basic Auth and Username Authentication with Symmetric Key

    Hi,
    I have a webservice happily running on tomcat 5.5 using "Username Authentication with Symmetric Key" I have certificates setup and everything works fine. I can even connect a .net client and use the service.
    Now I have an additional requirement of authorization on a per-operation basis, so I'm planning on using the roles. My current setup uses tomcat-users.xml to configure users, but I seem unable to identify the role of the user from within my code, as wsContext.isUserInRole("briefing") always returns false even when it clearly isn't. Where wsContext = @Resource private WebServiceContext wsContext.
    So I figure perhaps I need to add HTTP Basic Auth to Tomcat for it to gather this information, so I added security-constraints to the web.xml and this seems to do the trick: at least it does for my .net client.
    If I do:
      // BindingProvider is javax.xml.ws.BindingProvider; Service and Port are the wsimport-generated stub classes
      Service service = new Service();
      Port client = service.getPort();
      BindingProvider bp = (BindingProvider) client;
      bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "myusername");
      bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "mypassword");
    Then it all works fine. However, I'd like a little less transparency: I don't want to have to do this every time I make a call.
    My questions are:
    1) Am I going about this the right way (perhaps I am somehow getting the incorrect reference to the WebServiceContext)?
    2) If I am going about this the right way, I imagine the whole BindingProvider code needs to be added as a policy configuration, but I'm really not sure where to start, especially as I'm using wsimport to generate everything: I'm not even sure where to configure this so it will not get overwritten.
    Thanks for any help.

    Doh! OK, so I've added a SOAP Handler to automatically add the username and password for the HTTP Basic Auth.
    All in all does this setup sound right?
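A client-side JAX-WS handler of the kind described in this reply, as an added example that is not the poster's own code: it base64-encodes user:password once and injects the Authorization header on every outbound request, so wsimport-generated stubs need no per-call BindingProvider properties. The class and method names are assumptions; the header only stays confidential in transit when the service is reached over TLS.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.Handler;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

/**
 * Hypothetical client-side handler: attaches an HTTP Basic
 * "Authorization" header to each outbound SOAP request.
 */
public class BasicAuthHandler implements SOAPHandler<SOAPMessageContext> {

    private final String headerValue;

    public BasicAuthHandler(String username, char[] password) {
        // RFC 7617 form: base64("user:password"); computed once, reused per call
        String raw = username + ":" + new String(password);
        this.headerValue = "Basic "
                + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        boolean outbound = Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY));
        if (!outbound) {
            return true; // responses pass through untouched
        }
        @SuppressWarnings("unchecked")
        Map<String, List<String>> headers =
                (Map<String, List<String>>) ctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        if (headers == null) {
            headers = new HashMap<>();
        }
        headers.put("Authorization", Collections.singletonList(headerValue));
        // put the map back so the transport layer sees the added header
        ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);
        return true;
    }

    @Override
    public boolean handleFault(SOAPMessageContext ctx) {
        return true;
    }

    @Override
    public void close(MessageContext ctx) {
        // nothing to release
    }

    @Override
    public Set<QName> getHeaders() {
        return Collections.emptySet(); // no SOAP headers are claimed by this handler
    }

    /**
     * Installs the handler on a generated port once; afterwards every call
     * through that port carries the header without touching the request context.
     */
    public static void install(Object port, String username, char[] password) {
        BindingProvider bp = (BindingProvider) port;
        List<Handler> chain = bp.getBinding().getHandlerChain(); // returns a copy
        chain.add(new BasicAuthHandler(username, password));
        bp.getBinding().setHandlerChain(chain);                  // must be set back
    }
}
```

Usage is BasicAuthHandler.install(service.getPort(), "myusername", "mypassword".toCharArray()) right after the stub is created.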

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as the supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get WinXP to machine-authenticate against AD using certificates, so the machine is reachable via, for example, ping, and it can also get GPO updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows Certificate server, and the clients (WinXP) are receiving both machine and user certificates just fine.
    I have also managed to set it up so Machine Authentication works, by setting up a policy rule that checks on certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set the EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now..
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
    After adding that profile to the Identity Store Sequences, and making the appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.
    That would have plugged a few security holes for me.

  • Acs 4.2.1.15 and ssh authentication with ios xr

    Hello,
    We have a new ACS appliance (1113) with version 4.2.1.15 and we want to authenticate users through SSH from routers with IOS XR software. Unfortunately this doesn't work.
    Here is our configuration of the router:
    line template VTY
    access-class ingress abcd
    tacacs-server host x.x.x.x port 49 single-connection
    tacacs-server key 7 test
    tacacs source-interface Loopback13
    ssh server v2
    ssh timeout 60
    ! AAA config
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting commands default start-stop group tacacs+
    aaa authorization exec default group tacacs+ none
    aaa authorization commands default group tacacs+ none
    aaa authentication login default group tacacs+ local
    Does anybody have a solution for this problem?
    Thanks and best regards,
    Torsten Waibel

    Hi Torsten Waibel,
    For SSH support you should have a crypto IOS image on the router, and check for the command "transport input ssh" under the line vty configuration.
    If helpful, do rate the post.
    Ganesh.H

  • DAD and Database Authentication with db link

    I have a report that accesses a table via a dblink and displays the result set.
    I am trying to implement database authentication for this using a DAD. I created the new DAD without the plsqlusername and password. When I run this application with the valid apex_public_user I get:
    ORA-00942: table or view does not exist ORA-02063: preceding line from DB1
    But I can run the same SQL from sqlplus for the same user. What am I doing wrong? Any help appreciated.
    Thanks

    Found what was causing the problem. I had not given the workspace user the necessary permissions on the remote database.

  • Machine and User authentication with ISE 1.2.1

    Hi ,
    Can anyone tell me, in machine authentication, what access needs to be enabled in the DACL for machine logon?
    Can we enable the access at port level, directly to TCP/UDP, or at IP level? What is the best practice?
    Thanks 
    Pranav

    Is this what you are looking for? EAP Chaining uses a machine certificate or a machine username/password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • Integrating Webcenter 11g (Discussions)  with OAM  for SSO

    Hi,
    I need some help in integrating Webcenter 11g with OAM 10g.
    Objective:
    =========
    My customer is using Webcenter 11.1.1.2.0 and they are primarily using Discussions and wiki. I would like to integrate OAM with Webcenter for providing SSO.
    Steps Followed:
    ============
    I have followed the steps mentioned in the section 23.7.1 and 23.7.1.7 in the doc
    http://download.oracle.com/docs/cd/E15523_01/webcenter.1111/e12405/wcadm_security.htm#BGBCEHGE
    and also referred metalink note ID 829122.1
    Scenario after integrating with OAM:
    ===========================
    1. Accessed the discussions url through the OHS proxy: http://<ohs_host>:<ohs_proxy>/owc_discussions
    2.Click on Login button
    3.OAM Login page appears
    4.Provide credentials for orcladmin (admin user of OAM OID LDAP)
    5. Discussions default login screen appears (I don't expect this default login page, as I have already authenticated with OAM)
    6. Provide orcladmin credentials
    7. The login screen keeps popping up and I am not able to log in
    If I set owc_discussions.sso.mode=false, then the looping (step 7) does not occur and I am able to log in.
    Am I doing anything wrong here? Or is there a way I can make it work?
    Thanks in Advance.

    Did you setup weblogic as per this doc? - http://download.oracle.com/docs/cd/E17904_01/webcenter.1111/e12405/wcadm_security_sso.htm#WCADM8175

  • Machine authentication with Windows 7

    Version: ISE 1.2p12
    Hello,
    I'm doing user and machine authentication with ISE.
    I use a first authorization rule to authenticate the machine against the AD, i.e. whether it is one of the domain's computers.
    Then I use an authorization rule to check the user's group in AD with the credentials he used to open the session, plus "Network Access:WasMachineAuthenticated = True".
    Things seem to be working and I see my switch port is "Authz Success", but shortly after, the Windows 7 machine behaves as if 802.1X authentication fails. The little computer icon at the bottom right has a cross on it.
    If I disable and enable the network card of that Windows machine again, it works.
    Does anyone of you have an idea about this problem? Something to tweak on Windows 7, like timers...
    Thank you

    Hi Mika. My comments below:
    a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems, since the MAC address could have been removed from the cache when the user un-hibernates the computer. Then why not increase the MAR cache to a value of 7 days? Regarding the roaming between wired and wireless, it's a problem indeed.
    NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first post that you should look into. But yes, you can increase the MAR timer to a value that fits your environment.
    b) You suggest using one authorization rule for the device, which should be part of the AD, and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the way, are we really talking about authorization rules here? I will try this, but it's difficult for me to imagine how it would really work.
    NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
    z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
    NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
    https://tools.ietf.org/html/rfc7170
    Thank you for rating helpful posts!

  • 802.1x PEAP Machine Authentication with MS Active Directory

    802.1x PEAP Machine and User Authentication with MS Active Directory:
    I have a simple pilot-test environment, with
    - Microsoft XP Client,
    - Cisco 2960 Switch,
    - ACS Solution Engine (4.1.4)
    - MS Active Directory on Win 2003 Server
    The Remote Agent (at 4.1.4) is on the same server as the MS AD.
    User Authentication works correctly, but Machine Authentication fails.
    Failed machine authentication is reported in the "Failed Attempts" log of the ACS SE.
    The Remote Agent shows an error:
    See Attachment.
    Without Port-Security the XP workstation is able to log on to the domain.
    Many thanks for any indication.
    Regards,
    Stephan Imhof

    Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell for you the reason it fails?

  • Anyconnect 3.1 and certificate authentication

    I am doing a proof of concept with AnyConnect and certificate authentication. With 3.0 I was able to do this with a certificate from my CA and a client cert on a smartcard. I have upgraded to 3.1 and now it doesn't work anymore (I need 3.1 and ASA 9.0 because of IPv6 split-tunneling).
    Reading the forum I got some info that the ASA cert must have an EKU value of 'Server Authentication' and the client cert must have a similar EKU (Client Auth).
    Is this mandatory or is there a way around this?

    Just to add to this.
    AnyConnect 3.1 started KU enforcement, but typically it will drop a warning you can accept (annoying but not blocking).
    EKU is something that for the time being the ASA will not enforce; plus, it's only needed for IKEv2/IPsec. AFAIR SSL will work without it, unless there have been big changes I'm not aware of.
    One can also argue EKU enforcement will not, strictly speaking, be enforced in the future of IKEv2.
    Vide:
    http://tools.ietf.org/html/rfc4945
    5.1.3.12.  ExtendedKeyUsage
    M.

  • WDS and IAS Authentication

    Hello !
    I'm trying to configure 15 Access Points AP1231 as follows:
    SSID1 mapped to VLAN 1 (also the management VLAN) for laptops. Encryption is WEP128 and MAC authentication with a Microsoft IAS server.
    SSID2 mapped to VLAN 10 (phone VLAN) for 7921 phones. Encryption is WEP128 and there is no authentication for the phones.
    I configure 1 AP as a WDS Master (priority 254). WDS registration works fine for all the 15 APs.
    My problem :
    It seems that when I activate WDS, MAC authentication for SSID1 doesn't work anymore (authentication failed for all the laptops).
    Can you help me ?

    WDS checks its local list for authentication. If the MAC address is not present, it uses the configured RADIUS server for authentication. Make sure the MAC address is either in the local list or on the RADIUS server. If you are using a RADIUS server, make sure the MAC address is configured as a user.

  • Only one UPN suffix works with OAM plugin for RSA-integrated Authentication

    Only one UPN suffix works with OAM plugin for RSA-integrated Authentication while others give "CredentialsRejected" error
    Has anyone seen this before and might know the answer? Any suggestions? Thanks!
    I have setup an OAM authentication scheme that uses a custom plugin to use RSA ACE server - all pretty much exactly as it is outlined in the chapter called "Integrating the RSA SecurID Authentication Plug-in" in Oracle Access Manager Integration Guide. Here's the problem:
    Everything works fine when I use a particular UPN suffix to log in to the RSA SecurID login form that is presented, e.g. [email protected], but if I create another user that uses a different UPN suffix as defined in Active Directory (e.g. [email protected]), the credentials are rejected. This happens before the securid.pl script even gets a chance to run. After hitting "POST" the user is presented with the same login screen he was just at, as expected during an authentication failure.
    More info:
    - I have performed successful anonymous ldap queries for both users in Active Directory using LDP. Both users exist in the same domain and in the same OU. If I change the UPN (in AD and the RSA database) to something different from the "good" one, on either user, it fails. If I change the UPN to the "good one" on either user (in AD and the RSA database) it works.
    - if I test users with either the "good" or the "bad" UPN via the RSA agent tester that sits on the OAM box, both of them show as authenticating successfully. However, it doesn't work for the "bad" UPN when I try to access via a web browser on a remote client (but does work with the "Good" UPN)
    - I am not using SSL in any of this yet, it's all http://
    - yes, I already got rid of the "-w" parameter in the first line of the perl script, as per the "Login can fail if the Login Attribute contains an '@' character" item in the Integration Guide troubleshooting section
    - here's an example of the settings in rsa securid authentication scheme:
    action:/OracleAccessManager/securid-cgi/securid.pl
    form:/OracleAccessManager/securid-forms-adforest/securid-std-login.html
    creds:login password domain newpin newpin2
    passthrough:yes
    authn_securid fullformdir="C:\apache\Apache2\htdocs/OracleAccessManager/securid-forms-adforest/",machine="MyComputer.mydomain.com:80"
    credential_mapping obMappingBase="%domain%",obMappingFilter="(&(objectclass=user)(userPrincipalName=%login%))"
    Environment:
    OAM 7.0.4.3
    RSA Ace Server 5.2
    Windows 2003 domain with multiple UPNs defined in Active Directory Domains and Trusts
    Error as seen in the oblog.log for the webgate on the server that holds the RSA login pages and perl script:
    Message^A plugin for the authentication scheme SecurID Authentication has denied authentication for credentials ([email protected]
    password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2= Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST).
    ReqReq^POST /OracleAccessManager/securid-cgi/securid.pl HTTP/1.1 ReqProto^HTTP/1.1 ReqHost^www.MyComputer.mydomain.com. ReqStatLine^
    ReqStatus^200 ReqRawUri^/OracleAccessManager/securid-cgi/securid.pl ReqUri^/OracleAccessManager/securid-cgi/securid.pl
    ReqFilename^C:/apache/Apache2/htdocs/OracleAccessManager/securid-cgi/securid.pl ReqPath^ ReqArgs^
    2009/07/13@15:19:49.665000 45688 46472 AUTHENTICATION ERROR 0x00001515
    \Oblix\coreid\palantir\webgate\src\authentication_event_handler.cpp:1361 "Authentication failed" HTTPStatus^401
    authenticationSchemeName^SecurID Authentication AuthenticationStatus^majorCode = 11[CredentialsRejected], minorCode = 47[AuthnPluginDenied],
    StatusMsg = , GSN = 0, needInfo = NONE Creds^[email protected] password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2=
    Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST
    Only error seen in log produced by the RSA agent that sits on the Access server:
    [20804] 12:27:08.915 File:ACNETSUB.C Line:326 # CheckServerAddress: server 0 detected from address 10.250.88.100
    [20804] 12:27:08.915 File:udpmsg.c Line:968 # Entering decrypts_ok_legacy()
    [20804] 12:27:08.915 File:udpmsg.c Line:999 # decrypts_ok_legacy: decrypt() wpcode1 failed; wpcode0 next ***********
    [20804] 12:27:08.915 File:udpmsg.c Line:1089 # Leaving decrypts_ok_legacy(), result=1
    [20804] 12:27:08.915 File:ACEXPORT.C Line:820 # Entering AceGetUserData()
    [20804] 12:27:08.915 File:ACEXPORT.C Line:833 # Leaving AceGetUserData() return: ACE_SUCCESS
    [20804] 12:27:08.915 File:ACEXPORT.C Line:579 # Entering AceGetAuthenticationStatus()
    [20804] 12:27:08.915 File:ACEXPORT.C Line:592 # Leaving AceGetAuthenticationStatus() return: ACE_SUCCESS

    What are the logs you see at the ACE server end? You can try passing an additional parameter debug="true" to the authn_securid plug-in; it should generate some more logs at the access server, I think in apps\common\bin.
    Also does "ReqHost^www.MyComputer.mydomain.com" look right in the logs?
    -Vinod

  • SAPGUI and Portal Authentication using AD Credentials with usr/passw prompt

    Hi Experts,
    We have the following requirements:
    1. Portal/EP has UME set to ABAP (in other words using ECC6 system's user/password).
    2. ECC6 user-id's differ from Active Directory user.
    3. User logs in to Active Directory.
    4. User wants to log on to SAPGUI (ECC6 system), with a user-name password prompt, using the Active directory Credentials.
    5. User wants to log on to Portal/EP, with a user-name password prompt, using the Active Directory Credentials.
    The following suggested solution was the closest to the requirement (without too much technical detail):
    1. For SAPGUI, implement SSO on the workstation GUI's and maintain the Active Directory user in transaction SU01 in the ALIAS field.
    This should enable the user, after having logged onto the Active Directory, to open the SAPGUI and, WITHOUT a user-name password prompt, be authenticated and logged into SAP. This would entail settings to be done on each workstation's GUI.
    2. For the Portal/EP, implement Kerberos on the portal, setting it to authenticate to the AD. As per note 935644 maintain an additional attribute on the UME, to enable the mapping between the UME and the AD users.
    This should enable the user, after having logged onto the Active Directory, to open Internet Explorer, go to the Portal URL, and be authenticated and logged into the portal, WITHOUT a user-name password prompt.
    Do you know the viability of this solution, or whether there is any better suggestion (especially to keep the user-name password prompt, and without changing the ECC6 or Active Directory users)?
    Regards.

    AJP,
    The description you have given is an exact description of the capability of our product. I represent a company called CyberSafe, and our products are designed and sold to SAP customers for integrating SAP user authentication with Active Directory authentication. We have some unique features in our product which you could benefit from, e.g. our SAP GUI SNC library has the ability to pop up a logon screen asking the user for an Active Directory account and password before it logs the user onto SAP. Also, when the SAP system has authenticated the user, either via the web browser or via SAP GUI, their Kerberos principal name (determined from the AD account name and domain) is mapped onto a SAP user using a table in the ABAP system. The browser authentication even uses this same table for mapping, so that an authenticated account name does not need to be the same as the SAP user they log onto.
    If you would like to discuss our product more, and/or arrange a free evaluation please contact me using the email address in my SDN business card.
    Thank you,
    Tim

  • OAM multi-level authentication with an OIF SP

    As background, we have 16 Shibboleth IdPs in a federation, and users need to access a couple of applications that are protected by OAM (10.1.4.3) using OIF (11g) as the SP. We have a requirement to force re-authentication for a set of URLs protected by OAM. So, if a user accesses an application, let's call it LOW, and then attempts to access an application called HIGH, we need to re-authenticate the user at the IdP. In OAM, this is the classic use case for multi-level authentication, I think.
    Since OIF acts as a gateway, all of the applications "behind" OIF/OAM use the same authentication scheme in OAM, so I can't use OAM's multi-level authentication as we are configured now. I was told by an OIF person at OracleWorld that a possible approach would be to configure a custom authentication engine in OIF that is basically a copy of the OAM authentication engine and set that up at a different authentication level in OAM. However, looking through the documentation, it looks like the authentication engines are only used when OIF is used as an IdP. Perhaps the person meant that I need to set up a custom SP Integration Module? Or am I misunderstanding the role of the auth engine?
    The OAM SP Integration Module lets me specify Authentication Schemes and Authentication Scheme Levels. We currently are set up to use OIF-unspecified with a level of 1. Since we want to re-authenticate, however, we really want to use the same authentication scheme but at a different authentication level. Is there a way to achieve that? Can I set up a second OAM SP Integration Module with a different policy domain and set the OIF-unspecified authentication scheme to level 2 on that one? How would I go about doing that -- as a custom SP engine?
    Has anyone done anything similar or found a way to force reauthentication using the same authenticator for some applications behind an OIF SP but not others?
    Thanks for any help you can provide.
    --Mike

    Hi,
    Thanks for the reply.
    “In fact there is not one use case. There are 5 use cases for which we need to provide Second Level of Authentication functionality, and that also with the flexibility of switching this on/off.
    Now as per my understanding we should achieve this through the following flow:
    Store one extra attribute in OID per user per service. That attribute will store the enable/disable information for that particular service and for that particular user.
    Now the ObAuthenticationScheme class of the Access Manager API needs to be used for enabling or disabling the Level 2 authentication scheme as per that attribute.
    Is this flow possible?”
    Cheers,
    Sunny
