Overlapping OAM policy domains

The OAM documentation addresses overlapping policies within a single policy domain, but I haven't been able to find anything about overlaps between different domains.
I have a policy domain for a host that protects everything under the root "/". However, I want the "access" virtual directory to be handled the same as the access directory on all of the other hosts, so I added the access resource to a domain that defines the policy for all of the access directories.
The result is an overlap: the access directory for that host is protected in the specific "access" domain, and it's also protected under the domain that protects everything under the root for that host.
Is this a problem for OAM? Does OAM apply the most-specific policy domain for a resource, as hoped in this case? OAM allows me to explicitly order policies within a domain, but I don't see any way to order domains themselves.
Thanks,
Matthew

For policy domain mapping, the basic algorithm OAM follows is to use the host and path elements of the URI to 'map' into the 'most specifically relevant' policy domain.
As far as the path is concerned, OAM tries to match the path beginning with the most strict pattern and then working backwards to achieve a match.
For example, consider the following configuration:
Policy Domain A protects MY_HOST/access/bin
Policy Domain B protects MY_HOST/access
If a request for MY_HOST/access/bin/foo?param=1 comes in...
OAM looks for a policy domain protecting a resource MY_HOST/access/bin/foo and can't find one.
Next, OAM looks for a policy domain protecting a resource MY_HOST/access/bin, finds it, and processing continues from there.
So, in the case you illustrate, /access is simply a 'more strict' pattern than /, which will catch all requests that match that pattern.
As you noted, the evaluation of 'Policies (exceptions to the default rules)' is managed by explicit order.
It is also important to note, in this discussion, that OAM does not tolerate ambiguity on the HOST element of a protected resource. Configuring OAM to map the same hostname variation to more than one host identifier will produce unpredictable results. Validation in the admin application is in place to help avoid this.
Hope that helps.
Cheers,
Mark
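A small model of the mapping Mark describes, added here as an illustration of the walk-back matching and of the host-identifier ambiguity rule. It is not Oracle's code and OAM exposes no such API; the names PolicyStore, Match, candidates and the MY_HOST configuration (domains A, B and a root domain, as in the question) are constructed for the example.

```python
"""Model of OAM's policy-domain mapping as described in the reply above.

Added illustration, not Oracle's code: a host identifier owns a set of
hostname variations, each protected resource is (host identifier, path)
-> policy domain, and a request is mapped by trying the full path first
and then dropping one trailing segment at a time until "/" is reached.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def normalize(path: str) -> str:
    """'/access/bin/' and 'access/bin' both become '/access/bin'; '' becomes '/'."""
    return "/" + path.strip("/")


def candidates(path: str):
    """Yield path prefixes from most to least specific, always ending with '/'."""
    segments = [s for s in path.split("/") if s]
    for n in range(len(segments), 0, -1):
        yield "/" + "/".join(segments[:n])
    yield "/"


@dataclass
class Match:
    domain: str
    tried: list  # prefixes examined, in order, up to and including the hit


@dataclass
class PolicyStore:
    variations: dict = field(default_factory=dict)  # hostname variation -> host identifier
    resources: dict = field(default_factory=dict)   # (host identifier, path) -> policy domain

    def add_host_identifier(self, name: str, hostnames) -> None:
        """Register variations; a variation already owned by a different identifier
        is rejected, mirroring the admin-console validation the reply mentions."""
        for h in hostnames:
            owner = self.variations.get(h.lower())
            if owner is not None and owner != name:
                raise ValueError(f"hostname variation {h.lower()!r} is already mapped to {owner!r}")
        for h in hostnames:
            self.variations[h.lower()] = name

    def protect(self, domain: str, host_identifier: str, path: str) -> None:
        self.resources[(host_identifier, normalize(path))] = domain

    def map_request(self, url: str):
        """Return the most specific policy domain for a request URL, or None."""
        parts = urlsplit(url)  # query string is ignored for mapping
        host_id = self.variations.get(parts.netloc.lower())
        if host_id is None:
            return None  # unknown host: no host identifier, so no policy domain
        tried = []
        for prefix in candidates(normalize(parts.path)):
            tried.append(prefix)
            domain = self.resources.get((host_id, prefix))
            if domain is not None:
                return Match(domain, tried)
        return None


def build_example_store() -> PolicyStore:
    """Constructed configuration: the reply's A/B domains plus the question's '/' domain."""
    store = PolicyStore()
    store.add_host_identifier("MY_HOST", ["my_host", "my_host:80"])
    store.protect("A", "MY_HOST", "/access/bin")
    store.protect("B", "MY_HOST", "/access")
    store.protect("Root", "MY_HOST", "/")
    return store


def ambiguous_variation_rejected() -> bool:
    """The host-level rule: one variation cannot map to two host identifiers."""
    store = PolicyStore()
    store.add_host_identifier("HOST1", ["shared.example.test"])
    try:
        store.add_host_identifier("HOST2", ["shared.example.test"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    store = build_example_store()
    for url in ("http://MY_HOST/access/bin/foo?param=1",
                "http://MY_HOST/access/login",
                "http://MY_HOST/other"):
        m = store.map_request(url)
        print(url, "->", m.domain, "after trying", m.tried)
    print("ambiguous variation rejected:", ambiguous_variation_rejected())
```

Running it shows /access/bin/foo landing in domain A after two probes, /access/login in B, and /other falling through to the root domain, which is the behaviour the question hoped for; the only configuration the model refuses outright is a hostname variation claimed by two host identifiers.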

Similar Messages

  • Fusion App installation - Registering OAM policy domain ...

    Hi all,
    I'm trying to perform Fusion Applications installation (Linux 64, Middleware 11.1.1.5.0, WLS 10.3.6) in a single host environment, without any load balancer.
    The installation fails in "Registering OAM policy domain" phase with error "User does not belong to the group that is authorized to perform registration."
    I'm able to login as oamadmin to http://vfusion01.mydomain.com:7001/oamconsole with admin's privileges.
    Adding oamadmin into OAMAdministrators and OIMAdministrators groups in LDAP didn't help.
    Any idea how to continue?
    Thanks for support
    Daniel F
    [edit]OAM Validation/Authorization and Authentication are successful in OAM Test Tool:
    [3/2/12 12:21 PM][request][validate] yes
    [3/2/12 12:21 PM][response] Authentication scheme : OAMAdminConsoleScheme, level : 2
    [3/2/12 12:21 PM][response] Redirect URL : https://vfusion01.mydomain.com:4443/oam/server/
    [3/2/12 12:21 PM][response] Credentials expected : 0x4 (form)
    [3/2/12 12:21 PM][request][authenticate] yes
    [3/2/12 12:21 PM][response] User DN : cn=oamadmin,cn=users,dc=mydomain,dc=com
    [3/2/12 12:21 PM][response] SessionID : 29b10d11-ab81-4446-9e86-880db6e5790c
    [3/2/12 12:21 PM][response][action] OAM_IMPERSONATOR_USER :
    [3/2/12 12:21 PM][request][authorize] yes
    [3/2/12 12:21 PM][response][action] OAM_IMPERSONATOR_USER :
    [3/2/12 12:21 PM][response][action] OAM_REMOTE_USER : oamadmin
    [3/2/12 12:21 PM][response][action] OAM_IDENTITY_DOMAIN : OIMIDStore
    [edit]
    ====================
    [echo] Registering OAM policy domain ...
    Registering policy file /fusion/faprov/provisioning/provisioning-plan/bootstrap_oam.conf for policy domain provisioning ...
    [echoNested] Registering policy file /fusion/faprov/provisioning/provisioning-plan/bootstrap_oam.conf for policy domain provisioning ...
    [echo] mode=CREATE
    [echo] app_domain=provisioning
    [echo] oam_aaa_host=vfusion01.mydomain.com
    [echo] oam_aaa_port=5575
    [echo] uris_file=/fusion/faprov/provisioning/provisioning-plan/bootstrap_oam.conf
    [echo] hostname_variations=vfusion01.mydomain.com:12613,vfusion01.mydomain.com:12614
    [echo] oam_admin_server=http://vfusion01.mydomain.com:7001
    [echo] oam_admin_username=oamadmin
    [echo] -usei18nlogin
    [echo] default_authn_scheme=FAAuthScheme
    [echo] oam_cache_header=
    [echo] logouturi=/oamsso/logout.html
    [echo] web_domain=OraFusionApp
    [echo] oam_aaa_mode=simple
    [echo] log_level=ALL
    [echo] max_oam_connections=10
    [echo] primary_oam_servers=wls_oam1:10
    [echo] oam_ip_validation=0
    [echo] oam_idle_session_timeout=900
    [echo] oam_version=11
    [echo] cookie_domain=mydomain.com
    [echo] app_agent_password and oam_admin_password passed in via STDIN
    Mar 1, 2012 6:39:01 PM oracle.security.am.engines.rreg.client.oamcfgwrapper.OAMCfgRREGWrapperImpl handleConfig
    INFO: Into RREG Wrapper implementation
    Enter password: Enter password: Mar 1, 2012 6:39:01 PM oracle.security.am.engines.rreg.client.util.RegClientFusionCfgURIsFileHandler readProtAndPubUrisFromFileAndSet
    INFO: Success: URI:[provisioningBootstrap*] is added.
    Mar 1, 2012 6:39:01 PM oracle.security.am.engines.rreg.client.util.RegClientFusionCfgURIsFileHandler readProtAndPubUrisFromFileAndSet
    INFO: Success: URI:[provisioningBootstrap/.../*] is added.
    Your registration request is being been sent to the Admin server at: http://vfusion01.mydomain.com:7001
    Mar 1, 2012 6:39:05 PM oracle.security.am.engines.rreg.client.RegController processOamCfgRegistration
    SEVERE: Server side error occurred. Specific error messages are:User does not belong to the group that is authorized to perform registration. Registration failed. Try again after verifying the users group.
    Mar 1, 2012 6:39:05 PM oracle.security.oam.oamcfg.OAMCfgTool main
    WARNING: OAMCFG-60083: OAM Configuration did not complete successfully. Refer log for details
    Mar 1, 2012 6:39:05 PM oracle.security.oam.oamcfg.OAMCfgTool main
    WARNING: Stack trace::
    oracle.security.am.engines.rreg.client.RegController:processOamCfgRegistration() in file RegController.java:771
    oracle.security.am.engines.rreg.client.oamcfgwrapper.OAMCfgRREGWrapperImpl:handleConfig() in file OAMCfgRREGWrapperImpl.java:359
    oracle.security.oam.oamcfg.OAMCfgTool:main()
    [2012-03-01T18:39:05.530+01:00] [runProvisioning-install] [NOTIFICATION] [] [runProvisioning-install] [tid: 12] [ecid: 0000JNF5GUy5i^O6yj7i6G1FJuCA000003,0]
    [logStatus] STATE=BUILD_ERROR!TIMESTAMP=2012-03-01 18:39:05 CET!TARGET=register-policy-domain!CATEGORY=BUILD_ERROR!DOMAIN=CommonDomain!HOSTNAME=vfusion01.mydomain.com!PRODUCTFAMILY=webgate!PRODUCT=WebGate!TASK=execSecure!TASKID=webgate.WebGate.BUILD_ERROR.register-policy-domain.execSecure!MESSAGE=Process "/fusion/fmw/jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java -jar /fusion/fmw/apps/webtier_mwhome/oracle_common/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar mode=CREATE app_domain=provisioning oam_aaa_host=vfusion01.mydomain.com oam_aaa_port=5575 uris_file=/fusion/faprov/provisioning/provisioning-plan/bootstrap_oam.conf hostname_variations=vfusion01.mydomain.com:12613,vfusion01.mydomain.com:12614 oam_admin_server=http://vfusion01.mydomain.com:7001 oam_admin_username=oamadmin -usei18nlogin default_authn_scheme=FAAuthScheme oam_cache_header= logouturi=/oamsso/logout.html web_domain=OraFusionApp oam_aaa_mode=simple log_level=ALL max_oam_connections=10 primary_oam_servers=wls_oam1:10 oam_ip_validation=0 oam_idle_session_timeout=900 oam_version=11 cookie_domain=mydomain.com" exited with non-zero exit code "1". Input Stream before decrypting for process execution: "j8p+RGsjhPvGQxLt55GQFw==j8p+RGsjhPvGQxLt55GQFw==". Environment variables: "".!DETAIL=Process "/fusion/fmw/jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java -jar /fusion/fmw/apps/webtier_mwhome/oracle_common/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar mode=CREATE app_domain=provisioning oam_aaa_host=vfusion01.mydomain.com oam_aaa_port=5575 uris_file=/fusion/faprov/provisioning/provisioning-plan/bootstrap_oam.conf hostname_variations=vfusion01.mydomain.com:12613,vfusion01.mydomain.com:12614 oam_admin_server=http://vfusion01.mydomain.com:7001 oam_admin_username=oamadmin -usei18nlogin default_authn_scheme=FAAuthScheme oam_cache_header= logouturi=/oamsso/logout.html web_domain=OraFusionApp oam_aaa_mode=simple log_level=ALL max_oam_connections=10 primary_oam_servers=wls_oam1:10 oam_ip_validation=0 oam_idle_session_timeout=900 oam_version=11 cookie_domain=mydomain.com" exited with non-zero exit code "1". Input Stream before decrypting for process execution: "j8p+RGsjhPvGQxLt55GQFw==j8p+RGsjhPvGQxLt55GQFw==". Environment variables: "".!BUILDFILE=/fusion/faprov/provisioning/provisioning-build/webgate-build.xml!LINENUMBER=512!
    [2012-03-01T18:39:05.673+01:00] [runProvisioning-install] [ERROR] [FAPROV-00298] [runProvisioning-install] [tid: 12] [ecid: 0000JNF5GUy5i^O6yj7i6G1FJuCA000003,0] An Error Occured: [[Process "/fusion/fmw/jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java -jar /fusion/fmw/apps/webtier_mwhome/oracle_common/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar mode=CREATE app_domain=provisioning oam_aaa_host=vfusion01.mydomain.com oam_aaa_port=5575 uris_file=/fusion/faprov/provisioning/provisioning-plan/bootstrap_oam.conf hostname_variations=vfusion01.mydomain.com:12613,vfusion01.mydomain.com:12614 oam_admin_server=http://vfusion01.mydomain.com:7001 oam_admin_username=oamadmin -usei18nlogin default_authn_scheme=FAAuthScheme oam_cache_header= logouturi=/oamsso/logout.html web_domain=OraFusionApp oam_aaa_mode=simple log_level=ALL max_oam_connections=10 primary_oam_servers=wls_oam1:10 oam_ip_validation=0 oam_idle_session_timeout=900 oam_version=11 cookie_domain=mydomain.com" exited with non-zero exit code "1". Input Stream before decrypting for process execution: "j8p+RGsjhPvGQxLt55GQFw==j8p+RGsjhPvGQxLt55GQFw==". Environment variables: "".
        at oracle.apps.fnd.provisioning.ant.taskdefs.SecureExec.executeTask(SecureExec.java:381)
        at oracle.apps.fnd.provisioning.ant.taskdefs.BaseProvisioningTask.execute(BaseProvisioningTask.java:102)
        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)
        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:105)
        at org.apache.tools.ant.Task.perform(Task.java:348)
        at org.apache.tools.ant.taskdefs.Sequential.execute(Sequential.java:62)
        at oracle.apps.fnd.provisioning.ant.taskdefs.util.SynchronizedTask.executeInternal(SynchronizedTask.java:286)
        at oracle.apps.fnd.provisioning.ant.taskdefs.util.SynchronizedTask.executeTask(SynchronizedTask.java:318)
        at oracle.apps.fnd.provisioning.ant.taskdefs.BaseProvisioningTask.execute(BaseProvisioningTask.java:102)
        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)
        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:105)
        at org.apache.tools.ant.Task.perform(Task.java:348)
        at org.apache.tools.ant.taskdefs.Sequential.execute(Sequential.java:62)
        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)
        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:105)
        at org.apache.tools.ant.Task.perform(Task.java:348)
        at org.apache.tools.ant.taskdefs.MacroInstance.execute(MacroInstance.java:391)
        at net.sf.antcontrib.logic.ForDelegate.doSequentialIteration(ForDelegate.java:228)
        at net.sf.antcontrib.logic.ForDelegate.doTheTasks(ForDelegate.java:281)
        at net.sf.antcontrib.logic.ForDelegate.execute(ForDelegate.java:214)
        at net.sf.antcontrib.logic.For.execute(For.java:167)
        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)
        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:105)
        at org.apache.tools.ant.Task.perform(Task.java:348)
        at org.apache.tools.ant.Target.execute(Target.java:357)
        at org.apache.tools.ant.Target.performTasks(Target.java:385)
        at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1329)
        at org.apache.tools.ant.helper.SingleCheckExecutor.executeTargets(SingleCheckExecutor.java:40)
        at org.apache.tools.ant.taskdefs.Ant.execute(Ant.java:416)
        at org.apache.tools.ant.taskdefs.CallTarget.execute(CallTarget.java:106)
        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)
        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 

    First of all, WLS 10.3.6 is not certified for FA and OAM 11.1.1.5. Second, oamadmin must belong to the OAMAdministrators group and be registered as a system administrator for the User Identity Store.
    See the IDM EDG (FA edition) for more details. (http://docs.oracle.com/cd/E25054_01/fusionapps.1111/e21032/toc.htm)
    HTH,
    --olaf

  • Pop-up warning when creating policy domain in OAM 10g

    Has anyone seen the pop-up warning below when creating a policy domain in the OAM 10g Policy Manager?
    Warning:
    This policy domain controls the access to the URI you are currently accessing
    /access/oblix/apps/policyservcenter/bin/policyservcenter.cgi
    Are you sure you want to commit these changes?

    Hi,
    Does Note 842378.1 look like a match for you? Maybe the obcompounddata attribute is missing for some odd reason.
    Regards,
    Colin

  • Policy domain isn't protected

    I have the following problems:
    1. I have no protection for any policy domain I created; I only have protection for the default policy domains /access and /identity. It can protect the requested policy domain if I put my resources under the policy domains /access or /identity.
    How can I test that Oracle Access Manager really protects a created policy domain on the web server? I always used the Access Tester, which always works fine, but the resources aren't protected.
    For a simple OAM configuration I used Doc ID: Note:437423.1 Step by Step: How to Protect a Root '/' Policy Domain With A Form Deployed On The Same WebGate HTTP Server, but the resources aren't protected again.
    2. When I enable the default policy domains, I get a very strange case: I have to try to log on at least 2-3 times for the requested link on the Oracle Access Console, which is very difficult for administration.

    Not the same, but I had a similar one. I created my own policy domain (as suggested by kiran).
    I just documented the steps; try it out. Hope this helps.
    http://nagarun.wordpress.com/2007/12/22/oracle-access-manager-administration/
    Cheers, Nag

  • Oracle access manager - Policy domain - Return Type

    Hi,
    I have a requirement where I need to return a few LDAP parameter values through the policy domain while redirecting. But the return type should be propertytype and not headervar or cookie. This is an SSO integration with WebSphere using a JAAS subject. We have an in-house TAI connector developed for integration between WebSphere and Oracle Access Manager.
    Please help me to resolve this issue.
    Regards,
    Prashant

    Hi Prashant,
    OAM can return any type that you want, and OAM will set the name/value for that type - you can put "propertytype" in the type column, and the name and return attribute in the respective fields. "Cookie" and "HeaderVar" are the only types used by OAM WebGates, but your AccessGate (custom in-house connector) should be able to retrieve the values of propertytype that OAM sets.
    Regards,
    Colin

  • Policy Domain Root error during Policy Manager installation

    I am installing Policy Manager for the first time and I am getting an error at the Policy Domain Root level.
    If I specify the Policy Domain Root as / it gives me this error:
    Unable to modify the entry with DN obapp=PSC,ou=Oblix,dc=SUPPLIER,DC=GLOBAL in the directory server - Object class violation in ModifyDBEntry_ADSI()
    The DN obapp=PSC,ou=Oblix,dc=SUPPLIER,DC=GLOBAL exists in the directory.
    My directory is Windows 2003 Standard Edition SP1 Active Directory. I am using Oracle Access Manager 10.1.4.
    The user and policy directory is the same directory, supplier.global.
    The forest and domain functional level is Windows 2003.
    My person object class is: user
    I have already installed WebPass and Identity Server on the same machine.
    I have removed and tried to reinstall the Policy Manager on the same machine and get the same error.
    My Identity Server admin console is showing three directories:
    AccessManager_setup_user_profile
    AccessServer_default_user_profile
    default-IdentityServer_1_6022
    All of the directories have these settings: dynamic auxiliary is yes and directory type is Microsoft Active Directory (using ADSI), without "LDAP for authentication" checked.
    I am getting these errors in my access logs. It looks like the path is wrong and the files are missing, but I'm not sure from which part of the setup it is taking this.
    2007/02/06@19:22:35.265000     3040     1848     INIT     ERROR     0x000003B6     base\oblistrwutil.cpp:145     "Could not read file"     filename^C:\Program Files\NetPoint\WebComponent\access/oblix/lang/en-us/comm_servermsg.xml     
    2007/02/06@19:22:35.375000     3040     1848     INIT     ERROR     0x000003B6     base\oblistrwutil.cpp:145     "Could not read file"     filename^C:\Program Files\NetPoint\WebComponent\access/oblix/lang/en-us/sysmgmtmsg.xml     
    2007/02/06@19:22:36.015000     3040     1848     INIT     ERROR     0x000003B6     base\oblistrwutil.cpp:145     "Could not read file"     filename^C:\Program Files\NetPoint\WebComponent\access/oblix/lang/en-us/policysetupldifs_msg.xml     
    2007/02/06@19:22:37.843000     3040     1848     DB_RUNTIME     WARNING     0x00000007     \Oblix\coreid\np_common\db\ldap\util\ldap_util.cpp:1131     "Requested modify or add operation resulted in schema violation"     function^ModifyDBEntry()     dn^obapp=PSC,ou=Oblix,dc=SUPPLIER,DC=GLOBAL     
    2007/02/06@19:22:37.843000     3040     1848     DB_RUNTIME     WARNING     0x00000504     \Oblix\coreid\np_common\db\ldap\util\ldap_util.cpp:1217     "Exception during DB runtime code"     function^ModifyDBEntry()     dn^obapp=PSC,ou=Oblix,dc=SUPPLIER,DC=GLOBAL     
    2007/02/06@19:22:37.843000     3040     1848     DB_RUNTIME     WARNING     0x00000504     \Oblix\coreid\np_common\db\ldap\util\ldap_util3.cpp:837     "Exception during DB runtime code"     function^ModifyDBEntryWithDupCheck
    Thanks for helping me out.
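
As an added example for this thread, not code from the post or from Oracle: a small Python parser for the component log lines quoted above. The field layout it assumes (timestamp, process id, thread id, component, level, hex code, source location, a quoted message, then key^value pairs) is read off the posted lines themselves rather than taken from Oracle documentation, and the sample input is those six lines retyped as constructed data. It pulls out the two facts a responder would want first: which message files could not be read, and which DN failed the schema check.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed sample: the six lines from the post, retyped with runs of spaces
# between fields (the real file separates them with tabs; both are accepted).
SAMPLE_LOG = r"""
2007/02/06@19:22:35.265000    3040    1848    INIT    ERROR    0x000003B6    base\oblistrwutil.cpp:145    "Could not read file"    filename^C:\Program Files\NetPoint\WebComponent\access/oblix/lang/en-us/comm_servermsg.xml
2007/02/06@19:22:35.375000    3040    1848    INIT    ERROR    0x000003B6    base\oblistrwutil.cpp:145    "Could not read file"    filename^C:\Program Files\NetPoint\WebComponent\access/oblix/lang/en-us/sysmgmtmsg.xml
2007/02/06@19:22:36.015000    3040    1848    INIT    ERROR    0x000003B6    base\oblistrwutil.cpp:145    "Could not read file"    filename^C:\Program Files\NetPoint\WebComponent\access/oblix/lang/en-us/policysetupldifs_msg.xml
2007/02/06@19:22:37.843000    3040    1848    DB_RUNTIME    WARNING    0x00000007    \Oblix\coreid\np_common\db\ldap\util\ldap_util.cpp:1131    "Requested modify or add operation resulted in schema violation"    function^ModifyDBEntry()    dn^obapp=PSC,ou=Oblix,dc=SUPPLIER,DC=GLOBAL
2007/02/06@19:22:37.843000    3040    1848    DB_RUNTIME    WARNING    0x00000504    \Oblix\coreid\np_common\db\ldap\util\ldap_util.cpp:1217    "Exception during DB runtime code"    function^ModifyDBEntry()    dn^obapp=PSC,ou=Oblix,dc=SUPPLIER,DC=GLOBAL
2007/02/06@19:22:37.843000    3040    1848    DB_RUNTIME    WARNING    0x00000504    \Oblix\coreid\np_common\db\ldap\util\ldap_util3.cpp:837    "Exception during DB runtime code"    function^ModifyDBEntryWithDupCheck
"""

# Fields are separated by a tab or by two or more spaces; a single space may
# occur inside a value (e.g. "Program Files"), so plain split() would break it.
FIELD_SEP = re.compile(r"\t|\s{2,}")

# Layout as read off the posted lines (assumed, not from Oracle documentation):
# timestamp pid tid component level code source-location "message" key^value...
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<component>\S+)\s+'
    r'(?P<level>\S+)\s+(?P<code>0x[0-9A-Fa-f]+)\s+(?P<location>\S+)\s+'
    r'"(?P<message>[^"]*)"(?P<rest>.*)$'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a record, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    fields: Dict[str, str] = {}
    for token in FIELD_SEP.split(str(rec.pop("rest")).strip()):
        if "^" in token:                       # key^value pairs after the message
            key, value = token.split("^", 1)
            fields[key] = value
    rec["fields"] = fields
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every line that matches; blank and foreign lines are skipped."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def level_counts(records: List[Dict[str, object]]) -> Counter:
    """How many ERROR / WARNING / ... lines the log contains."""
    return Counter(str(r["level"]) for r in records)


def missing_files(records: List[Dict[str, object]]) -> List[str]:
    """Paths reported by 'Could not read file' errors, in log order."""
    return [r["fields"]["filename"] for r in records            # type: ignore[index]
            if r["message"] == "Could not read file" and "filename" in r["fields"]]  # type: ignore[operator]


def schema_violation_dns(records: List[Dict[str, object]]) -> Set[str]:
    """DNs named in schema-violation warnings (the entry the installer could not modify)."""
    return {r["fields"]["dn"] for r in records                  # type: ignore[index]
            if "schema violation" in str(r["message"]) and "dn" in r["fields"]}  # type: ignore[operator]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dict(level_counts(recs)))
    for path in missing_files(recs):
        print("missing:", path)
    for dn in schema_violation_dns(recs):
        print("schema violation on:", dn)
```

The "Could not read file" errors point at a language directory under WebComponent\access, while the schema violation names obapp=PSC,ou=Oblix,... ; the parser keeps the two groups apart so they can be chased separately, which is what the reply below does by sending the poster to the Active Directory functional-level thread.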

    Hi,
    Go to the thread "Policy domain root for Active directory".
    The steps on how to resolve this are outlined there.
    Rgds,
    Boland

  • Policy Domain not found

    Hi everybody!
    Please help me, I have a problem with a Policy Domain.
    When I test access with the Access Tester option on my Policy Domain,
    I get the following message:
    Evaluation result
    Policy Domain      <not found>
    I checked in OID; my Policy Domain exists in the following entry:
    obname=policy_domain_id, obapp=PSC, o=Oblix <DN>
    but as you see the error says that the Policy Domain is not found.
    best regards!

    Hi!
    I have:
    - 2 Authorization Rules
    - 1 Default Authentication Rule
    - 1 Default Authorization Expression
    I checked the Host identifier with the ping command; it's correct.
    Do you have any ideas about the problem?
    At the following URL I posted a picture of my Policy Domain:
    http://img205.imageshack.us/img205/8909/policydomainhx6.jpg

  • Changing policy domain timeout value

    Hi IdM folks,
    Can we configure different timeout values on policy domains protecting different applications?
    For example, policy domain /domain01/... has a 15 minute idle session timeout and policy domain /domain02/... would have a 6 hour idle session timeout.
    I don't think we can, but I wanted to check if anyone had ever come across this requirement.
    thanks!

    For different applications, are you using different webgates? In that case you can think of using separate host identifiers for the different webgates, create policies for the host identifiers, and have different timeout values for the webgates.
    BUT, in an SSO scenario, what kind of complication it will bring needs to be evaluated against the environment (mainly the central and application webgate domain for the ObSSOCookie) and the requirements. This can be an interesting exercise, I guess. :)

  • Policy domain root for Active directory

    I am setting up Access Manager with Active Directory. During the web configuration it prompts for a policy domain root. I chose to go ahead with the default value (i.e. /), but it returns the following error:
    "Error in setting Policy Domain Root."
    Please, can someone help out in resolving this issue?

    Hi Nataraj,
    I know what your problem is. Go to the computer running Active Directory and open "Active Directory Domains and Trusts" under Start -> Administrative Tools. Right-click on your domain and choose "Raise Domain Functional Level"; you might need to do this three to four times before it takes effect.
    Then, in the same window, right-click on "Active Directory Domains and Trusts" and choose "Raise Forest Functional Level"; you might need to do this three times as well.
    This will solve your problem; unfortunately you'll have to reinstall Access/Policy Manager. I have had this problem many times and this solved it. I am assuming you are using Windows 2003 Enterprise Server.
    Rgds,
    Boland

  • Policy domain root for Active directory

    Does anyone know how to configure the policy domain root in Active Directory?
    I am installing the COREid Access Policy Manager, which needs a policy domain root input during the web interface configuration.
    Please, can someone help in resolving this issue?

    Hi,
    It might help if you can give the exact description of the issue you are getting. However, I have encountered a similar or the exact problem you are having. Let me know which LDAP directory you are using with your COREid install.

  • CoreID Policy domain

    Hi
    We installed Oracle COREid 7.0.4.3 successfully, using OID as the backend directory server for all data areas.
    We created a policy domain to protect a resource using Basic over LDAP, allowing all users.
    Basic over LDAP was configured with:
    obMappingBase="dc=de,dc=pri,dc=xx,dc=com",obMappingFilter="(&(objectclass=inetorgperson)(uid=%userid%))"
    obCredentialPassword="userPassword"
    When we call the matching URLs, the authentication form pops up, but after entering correct credentials we get:
    Oracle Netpoint Operation Error
    The credentials (userid=orcladmin password=(omitted) Resource=/nagios/ RequesterIP=10.121.74.7 Operation=GET) used for the login are missing a required password.
    Contact your website administrator to remedy this problem.
    Can anyone help?
    Guenter

    Hi,
    I was also trying to configure IWA with COREid in a similar environment and ended up getting the same result. The differences in my environment were:
    Authentication Scheme -> Challenge Method was "Ext", Challenge Parameter was "creds:REMOTE_USER", the plugin was "credential_mapping" and the filter was obMappingBase="ou=Users,o=INTRANET",obMappingFilter="(&(objectclass=inetorgperson)(uid=%REMOTE_USER%))"
    With the above settings, when I try to access the protected page, I get a similar message, viz. Oracle Netpoint Operation Error: The mapping of credentials (Resource=/app1/homepage.html Operation=GET) to a user profile failed. The Access Server may not be able to connect to the user directory, or the authentication scheme iwa may have an invalid ObMappingFilter parameter for its credential_mapping plugin. Contact your website administrator to remedy this problem.
    Any suggestions? Please let me know.
    Thank you so much.

  • OAM - Cross Domain SSO Solution

    Hello Experts,
    We have two web applications, X and Y, both deployed in Tomcat (two different Tomcats, in different domains). Application X has its own native authentication mechanism (user ID and password) and application Y does not have any authentication mechanism (it has only the user ID in its DB).
    I have to implement cross-domain SSO and single logout between these two applications.
    I understand that I have to install webgates for Tomcat to protect those applications and configure policies. But I am wondering how to avoid displaying the login page of application X after OAM authentication?
    Can this be achieved by configuration or does it require custom coding?
    Please assist me.
    Thanks
    INIYA

    Hi Iniya,
    Couple of points -
    1) There are no webgates for Tomcat. You would have to install reverse proxy web servers in front of the Tomcat servers and add webgates to the reverse proxies.
    2) For avoiding the login page for application X, you would need a separate SDK based accessgate (custom-coded and plugged into Tomcat).
    So no, without custom coding, you will not be able to achieve this.
    For single logout, you will need to cross link the logout URLs for both domains so that visiting one logout link will log you out of both domains. However, it's more complicated for session timeouts.
    -Vinod

  • Redirection class overlap on policy-map

    Hello.
    I was asked to implement some rules and one of them is overlapping the other, I think because it is shorter and uses the regular expression .*
    With the configuration below I always get redirected to http://SITE1 instead of http://SITE2 when I type www.AAA/fr/pages/AAA/index.php, because the class REDIRECT_NM_LORO_PMUR_CLASS always wins even though it is at the bottom of the policy-map.
    Is there some way to order the classes in a policy-map so that it acts as an access-list does (from the top to the bottom, stopping the lookup when a match is found)? In other words, make sure the class REDIRECT_PMUR_RAPPORTS_CLASS is evaluated before REDIRECT_NM_LORO_PMUR_CLASS,
    which is more generic.
    Config example:
    rserver redirect REDIRECT_PMUR
      webhost-redirection http://SITE1 301
      inservice
    rserver redirect REDIRECT_PMUR_RAPPORTS
      webhost-redirection http://SITE2 301
      inservice
    rserver redirect REDIRECT_PMUR_RESULTATS
      webhost-redirection http://SITE3 301
      inservice
    serverfarm redirect REDIRECT_NM_LORO_PMUR_FARM
      rserver REDIRECT_PMUR
        inservice
    serverfarm redirect REDIRECT_PMUR_RAPPORTS_FARM
      rserver REDIRECT_PMUR_RAPPORTS
        inservice
    serverfarm redirect REDIRECT_PMUR_RESULTATS_FARM
      rserver REDIRECT_PMUR_RESULTATS
        inservice
    class-map type http loadbalance match-any REDIRECT_NM_LORO_PMUR_CLASS
      4 match http url /fr/pages.*
    class-map type http loadbalance match-any REDIRECT_PMUR_RAPPORTS_CLASS
      3 match http url www.AAA/fr/pages/AAA/index.php
    class-map type http loadbalance match-any REDIRECT_PMUR_RESULTATS_CLASS
      3 match http url www.BBB/fr/pages/BBB/index.php
    policy-map type loadbalance first-match POLICY_REDIRECT_NM_LORO_CAT2_FARM
      class REDIRECT_PMUR_RESULTATS_CLASS
        serverfarm REDIRECT_PMUR_RESULTATS_FARM
      class REDIRECT_PMUR_RAPPORTS_CLASS
        serverfarm REDIRECT_PMUR_RAPPORTS_FARM
      class REDIRECT_NM_LORO_PMUR_CLASS
        serverfarm REDIRECT_NM_LORO_PMUR_FARM
      class class-default
        serverfarm NM_LoRo_CAT2_FARM
    Thank you very much,
    Miquel

    Hi Miquel,
    This is what seems to be happening. Your class-map condition is based on the URL and not on the Host header value, so ACE is not even considering www.AAA or www.BBB. It is only looking at /fr/pages/xxxxxxxx, which only matches the 3rd class-map, and that's why you get that match and hence the corresponding redirection.
    Can you try using a class-map condition based on Host?
    switch/Admin(config-cmap-http-lb)# 2 match http header Host header-value ?
    Please try and let me know how it goes.
    You can also test by removing that /fr/pages/.* condition and see if it matches or not as well.
    Regards,
    Kanwal
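
The following Python model is an added illustration for this thread, not code from the post, from Cisco or from the ACE product. It replays the policy-map above as first-match evaluation and encodes the point made in the reply: a "match http url" condition is compared with the request path only, so the two host-qualified patterns never match anything and the generic "/fr/pages.*" class is the first (and only) hit, whatever its position. The host_aware_policy() variant expresses the suggested fix as match-all class-maps with a Host-header condition plus a path condition; that shape, the anchored regex matching and the farm-to-target table are assumptions of the model, so check them against the ACE documentation before changing a production config.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One class-map condition: ("url", regex matched against the request path)
# or ("host", exact value of the Host header).
Condition = Tuple[str, str]


@dataclass
class ClassMap:
    name: str
    match_any: bool            # match-any ORs the conditions, match-all ANDs them
    conditions: List[Condition]

    def matches(self, host: str, path: str) -> bool:
        results = []
        for kind, value in self.conditions:
            if kind == "url":
                # 'match http url' is compared with the path only; the Host
                # header never takes part, so a pattern that begins with
                # 'www.AAA/...' can never match any request. Anchored matching
                # is an assumption of this model, not a statement about ACE.
                results.append(re.fullmatch(value, path) is not None)
            elif kind == "host":
                results.append(host.lower() == value.lower())
            else:
                raise ValueError(f"unknown condition type {kind!r}")
        return any(results) if self.match_any else all(results)


# policy-map type loadbalance first-match: ordered (class-map, serverfarm) pairs
PolicyMap = List[Tuple[ClassMap, str]]

DEFAULT_FARM = "NM_LoRo_CAT2_FARM"
# Assumed mapping of redirect serverfarm -> webhost-redirection target, from the post.
REDIRECT_TARGET: Dict[str, str] = {
    "REDIRECT_NM_LORO_PMUR_FARM": "http://SITE1",
    "REDIRECT_PMUR_RAPPORTS_FARM": "http://SITE2",
    "REDIRECT_PMUR_RESULTATS_FARM": "http://SITE3",
}


def first_match(policy: PolicyMap, host: str, path: str) -> str:
    """Walk the policy-map top to bottom and return the first matching farm."""
    for cmap, farm in policy:
        if cmap.matches(host, path):
            return farm
    return DEFAULT_FARM


def redirect_for(policy: PolicyMap, host: str, path: str) -> Optional[str]:
    """Redirect target for a request, or None when the default farm serves it."""
    return REDIRECT_TARGET.get(first_match(policy, host, path))


def posted_policy() -> PolicyMap:
    """The three class-maps from the post, URL-only conditions, same order."""
    return [
        (ClassMap("REDIRECT_PMUR_RESULTATS_CLASS", True,
                  [("url", r"www.BBB/fr/pages/BBB/index.php")]),
         "REDIRECT_PMUR_RESULTATS_FARM"),
        (ClassMap("REDIRECT_PMUR_RAPPORTS_CLASS", True,
                  [("url", r"www.AAA/fr/pages/AAA/index.php")]),
         "REDIRECT_PMUR_RAPPORTS_FARM"),
        (ClassMap("REDIRECT_NM_LORO_PMUR_CLASS", True,
                  [("url", r"/fr/pages.*")]),
         "REDIRECT_NM_LORO_PMUR_FARM"),
    ]


def host_aware_policy() -> PolicyMap:
    """Same order, but the two specific classes are match-all on Host header
    plus path, the direction the reply points at (assumed shape, not ACE syntax)."""
    return [
        (ClassMap("REDIRECT_PMUR_RESULTATS_CLASS", False,
                  [("host", "www.BBB"), ("url", r"/fr/pages/BBB/index\.php")]),
         "REDIRECT_PMUR_RESULTATS_FARM"),
        (ClassMap("REDIRECT_PMUR_RAPPORTS_CLASS", False,
                  [("host", "www.AAA"), ("url", r"/fr/pages/AAA/index\.php")]),
         "REDIRECT_PMUR_RAPPORTS_FARM"),
        (ClassMap("REDIRECT_NM_LORO_PMUR_CLASS", True,
                  [("url", r"/fr/pages.*")]),
         "REDIRECT_NM_LORO_PMUR_FARM"),
    ]


if __name__ == "__main__":
    request = ("www.AAA", "/fr/pages/AAA/index.php")
    print("posted config    :", redirect_for(posted_policy(), *request))
    print("host-aware config:", redirect_for(host_aware_policy(), *request))
```

Running it gives http://SITE1 for the posted configuration and http://SITE2 for the host-aware one, with the class order unchanged. The practical point is that a redirect rule keyed on a hostname has to test the Host header; putting the hostname into a path pattern silently turns the rule into a no-op, and every matching path on every host then falls through to the generic class.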

  • OAM Policy Protecting URLs despite being disabled

    I have run into a situation where OAM is configured to protect a URL, but the policy is not enabled.
    Despite this, the webserver is still acting as though the policy is enabled.
    I have tried the following steps without success:
    enable/disable the policy (I see the policy is being updated correctly in the OID policy store)
    recycle Policy Manager
    recycle Access Server
    recycle Identity Server
    recycle OID (configuration policy store)
    I realize that I can "disable" the policy by just commenting it out of the webserver config.
    Anyone else have ideas?

    There can be multiple ways to troubleshoot this issue:
    (1) Access Tester: try to see if any policy is getting applied to the URL (where you see the issue).
    (2) On the server webgate:
    look at the logs when you are trying to access the URL. This will tell you if your resource is protected and what is going on.
    Finally, just comment out the Webgate config in your httpd.conf file and see if you are still able to access the site.
    Regards,
    Ankit

  • Access Server console could not log in due to disabled /access policy domain

    I misconfigured and disabled the /access policy domain. Now the Access Server console cannot log in; it always loops at the initial page. The Identity Server console has no problem.
    Is there any method to enable /access again? The customer cannot accept a reinstallation due to this small problem.
    Thank you.

    The easiest way is to temporarily disable the webgate in the web server configuration: if it is IIS, just remove the webgate from the ISAPI filters tab and restart IIS; if Apache, revert to an httpd.conf without the webgate entries.
    Regards,
    Colin
