PLSQL toolkit with OAM 11gR2

Hello,
We're currently using PLSQL toolkit developed applications with Oracle SSO. We're looking to upgrade to OAM in the near future and would like to verify if we can use these PLSQL toolkit applications with OAM. Will this be a problem for us?
Thanks for any information or insight.
Ariel

Colin,
One more question pertaining to this is
Earlier I was not using any valid host:port combinations in the host identifier. It was a generic string equal to the name of the host identifier.
But now, after changing servercache to form and modifying the login form to return OAM_REQ, I have to put valid combinations in the host identifier. Without that it shows a Bad Access Manager error, and in the logs:
[2013-10-29T08:27:41.002-06:00] [oam_server2] [WARNING] [OAM-02073] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c72ab7e1931dad2b:-ad6b939:1420484d41b:-8000-0000000000000014,1:27010] [APP: oam_server#11.1.2.0.0] Error while checking if the resource is protected or not.
[2013-10-29T08:27:41.003-06:00] [oam_server2] [ERROR] [OAM-04029] [oracle.oam.proxy.oam] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c72ab7e1931dad2b:-ad6b939:1420484d41b:-8000-0000000000000014,1:27010] [APP: oam_server#11.1.2.0.0] Error in generating AMEvent. Details Event Response status is STATUS_FAIL for GET_AUTHN_SCHEME event. Error code OAM-02073 status fail isExcluded false
Could you please explain the behaviour.
Thanks in advance.

Similar Messages

  • How to protect an application running on IIS with OAM 11gR2

    Hello Gurus,
    I have a question regarding protecting an application running on IIS with OAM 11gR2. We have an OHS server running and all the requests from the users are coming to this OHS server webgate for them to login using the SSO login page. This is all Solaris. I am protecting other applications like pplsoft modules with this OHS instance and OAM server. There is another application that I need to protect which is itself running on an IIS Windows machine. I need guidance as to -
    1.) Do I need to install a windows version of webgate to protect this IIS based application?
    2.) Or I can still protect and proxy requests from this application to current OHS instance? How can I do this?
    3.) Or Do I need to proxy requests directly from IIS to OAM weblogic server?
    Please advise to the earliest as this is an urgent issue.
    Thanks !!

    From your description it is not clear how exactly architecture looks like
    We have an OHS server running and all the requests from the users are coming to this OHS server webgate for them to login using the SSO login page.
    is this OHS centralized login farm ? (Case 1)
    OR is this OHS server (with webgate) acting as virtual web server hosting multiple web sites so that request to any site passes through this OHS/webgate (Case 2)
    1.) Do I need to install a windows version of webgate to protect this IIS based application?
    If case 1 then you need to install 10g webgate on top of IIS server to protect this application
    If case 2 then you can just proxy request from OHS to IIS server. As every request passes through OHS user will be authenticated before request hits IIS
    Look at Product documentation for virtual web sites : http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/shared.htm#autoId12
    It has steps to protect virtual web sites.
    Also you need to make sure no one hits IIS web sites directly.
    Hope this helps

  • How to protect an application running on Apache Tomcat app server with OAM 11gR2

    Gurus,
    We have an Apache Tomcat based application named "ABCD" here at client site that we want OAM 11gR2 PS1 to integrate with for SSO purposes. I have successfully configured OHS to reverse proxy requests to Apache Tomcat server whenever somebody tries to access the application URL but still, I am getting the application login page once I have successfully authenticated on OAM SSO login page. The Tomcat based application is authenticating users against a "UserDatabase realm".
    I know in terms of weblogic application, there is an OAM identity asserter provider which then populates the User Principal for the java environment with the authenticated OAM user. But there is no such OAM identity provider for Tomcat.
    So my question is, is there a provider (or Tomcat equivalent) which will entrust authentication to a header, that could be used to populate the Java User Principal from the OAM_REMOTE_USER header? Is the weblogic equivalent of authentication providers present in tomcat as well? Are those called valves?
    Please advise to the earliest.
    Thanks !!

    Aakash,
    I did follow the 4 steps that you mentioned to me. Out of the 4 that you had mentioned, I already had the webgate in place on OHS server and I was already passing the remote_user http header in oam policy as action.
    As part of Step #2: Install mod_jk plugin on OHS server that you mentioned
    1.) I downloaded the tomcat connector - tomcat-connectors-1.2.37-src
    2.) I had to run ./configure,make, make install on my OHS server which runs on RHEL 6. It created the mod_jk.so file. I pasted it in the needed folder.
    3.) I then created the httpd.conf file and workers.properties file as said in the connector docs.
    4.) Restarted OHS.
    As part of Step #3: Configure tomcat's ajp connector that you mentioned and I went through all the links pasted below but didn't find actually what needs to be in place to configure tomcat's ajp connector. I do see in the server.xml of tomcat app server that the ajp 1.3 protocol is supported:
    http://tomcat.apache.org/tomcat-4.0-doc/config/ajp.html
    http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html#s8
    http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html
    http://www.mulesoft.com/understanding-tomcat-connectors
    <!-- A "Connector" represents an endpoint by which requests are received
             and responses are returned. Documentation at :
             Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
             Java AJP  Connector: /docs/config/ajp.html
             APR (HTTP/AJP) Connector: /docs/apr.html
             Define a non-SSL HTTP/1.1 Connector on port 8080
        -->
        <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    Do we need to disable the HTTP protocol in Tomcat and keep only AJP connector enabled? If yes, how to do that?
    I am trying to connect to the application from OHS server like so I am using the http protocol right? How should I use the ajp protocol to connect to tomcat application?
    http://ohs-host:ohs-port/abcd
    Thanks !!!!!
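
    For the header-trust and "HTTP or AJP" questions in this thread, one way the Tomcat side could look, as an added example that is not part of the original posts or of the Oracle or Apache documentation. It assumes Tomcat 7, constructed addresses (OHS with WebGate and mod_jk at 10.0.0.5, Tomcat at 10.0.0.20), and that WebGate sets the web server's authenticated user so that mod_jk forwards it over AJP.

    ```xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Added example (constructed): conf/server.xml for a Tomcat 7 instance that is
         only ever reached through OHS + WebGate + mod_jk. Addresses are placeholders. -->
    <Server port="8005" shutdown="SHUTDOWN">
      <Service name="Catalina">

        <!-- The HTTP connector is disabled by commenting it out. If it stays enabled,
             anyone who can reach port 8080 bypasses WebGate and talks to the
             application directly.
        <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" />
        -->

        <!-- AJP connector used by mod_jk on the OHS host.
             address: bind only to the interface that faces OHS (assumed 10.0.0.20),
                      not to every interface.
             tomcatAuthentication="false": Tomcat takes the authenticated user from
                      the AJP request sent by the web server instead of running its
                      own authentication, so request.getRemoteUser() returns the
                      user that WebGate authenticated. -->
        <Connector port="8009" protocol="AJP/1.3"
                   address="10.0.0.20"
                   tomcatAuthentication="false"
                   redirectPort="8443" />

        <Engine name="Catalina" defaultHost="localhost">
          <!-- Accept requests only when the peer is the OHS host (assumed 10.0.0.5).
               With tomcatAuthentication="false" the user name in the AJP request is
               trusted as is, so any other host that can open port 8009 could assert
               an arbitrary user. A host firewall rule for 8009 should back this up. -->
          <Valve className="org.apache.catalina.valves.RemoteAddrValve"
                 allow="10\.0\.0\.5" />

          <Host name="localhost" appBase="webapps"
                unpackWARs="true" autoDeploy="false" />
        </Engine>
      </Service>
    </Server>
    ```

    The browser URL stays http://ohs-host:ohs-port/abcd; only the hop from mod_jk to Tomcat uses AJP on port 8009. The application then has to read the user from request.getRemoteUser() rather than from its own login form.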

  • BASIC OAM 11gR2 QUESTION

    Can someone explain difference between "success url" for
    1. Authentication Policy - success url is optional parameter.
    2. Authorization Policy - success url is optional parameter.
    3. Unsolicited Login - success url is required parameter.
    This is with respect to Oracle Access Manager 11gR2.1

    1. Authentication Policy - success url is optional parameter.
    After successful authentication user will be redirected to URL mentioned in "success url". 
    2. Authorization Policy - success url is optional parameter.
    After successful authorization user will be redirected to URL mentioned in "success url"
    Both these parameters are optional. If these parameters are not present in OAM policy then user will be taken to a protected application url from where OAM flow began. For example user has started with http://mydomain.com/protectedapp URL
    3. Unsolicited Login - success url is required parameter.
    This is required parameter for "unsolicited login" feature. Basically you pass three parameters to OAM Direct authentication url "username" , "password" & "successurl". If provided username and password is correct redirection to URL in "successurl" parameter would happen. You can get more information about unsolicited login feature in this blog
    http://www.ateam-oracle.com/unsolicited-login-with-oam-11gr2/
    Hope this helps.

  • OAM 11gR2 and OVD

    Hi,
    It appears OVD did not make it into the Oracle Fusion Middleware Identity Management 11gR2 release. The latest version available is still the one included in the Oracle Fusion Middleware Identity Management 11gR1 release. Is that correct?
    If so, I have a deployment of Oracle Access Manager 11gR2, which I'd like to integrate with OVD. Does this situation mean that I must deploy another entire WebLogic domain for the Oracle Fusion Middleware Identity Management 11gR1 release? Or is it possible to somehow install the 11gR1 version of OVD into the 11gR2 instance I've already got?
    - Jim

    Yes, the latest version of OVD available is 11.1.1.6 (11g R1). You may use this version with OAM 11gR2.
    OVD 11.1.1.6 uses WebLogic 10.3.6 and OAM 11g R2 also uses the same weblogic version. Please let me know if you are on some other version of WLS.
    As per best practice, try to keep the OAM and OVD in separate WLS domains.

  • Error installation when configure OAM with FORMS 11Gr2 (SSO)

    Hi
    I try configure SSO with Forms 11gR2 (windows 2008).
    1. Install RCU 11.1.1.5.0
    2. Install and configure OID (ofm_idm_win_11.1.1.2 & patch ofm_idm_win_11.1.1.5)
    3. Install OAM (ofm_iam_generic_11.1.1.5 & Patch 11.1.1.5.3 (13473393))
    4. Integrate OAM & OID - After that i can logon to my oamconsole using OID (LDAP) identifier
    5. Try install Forms 11gr2 ( ofm_frmrpts_win_11.1.2.0.0_64)
    During installation, i complete information about my OID, then i put connect information to OAM and i get error.
    OAMAdminServer - console
    <2012-07-17 08:44:32 CEST> <Error> <oracle.oam.engine.remotereg> <OAM-30046> <agent validate mode failed. Agent does not exist. >
    InstallLog
    Welcome to OAM Remote Registration Tool!
    Parameters passed to the registration tool are:
    Mode: agentvalidate
    Agent name: 120717084429_RREG_OSSO_VALIDATE
    Enter your server address (http(s)://FQDN:port):Server Address: http://weblogic:7002
    Enter admin username:Username: weblogic
    Enter admin password: Enter admin password:Your validate request is being sent to the Admin server at: http://weblogic:7002
    2012-07-17 08:44:33 oracle.security.am.engines.rreg.common.XMLValidationEventHandler handleEvent
    SEVERE: Error occurred while parsing the XML file.Error message is: cvc-complex-type.2.4.d: Invalid content was found starting with element 'managedServerUrl'. No child element is expected at this point.
    At Column:421
    and At line number: 1
    Error message is: cvc-complex-type.2.4.d: Invalid content was found starting with element 'managedServerUrl'. No child element is expected at this point.
    At Column:421
    and At line number: 1
    The remote registration process did not succeed! Please find the specific error message below.
    Error in unmarshal2012-07-17 08:44:34 oracle.security.am.engines.rreg.common.RequestResponseParser parseFromXMLString
    SEVERE: Exception encountered: RemoteAgentRegistrationException. Specific exception:JAXBException.nulljavax.xml.bind.UnmarshalException
    - with linked exception:
    [org.xml.sax.SAXParseException: cvc-complex-type.2.4.d: Invalid content was found starting with element 'managedServerUrl'. No child element is expected at this point.]
    2012-07-17 08:44:34 oracle.security.am.engines.rreg.client.RegClient main
    SEVERE: Exception encountered: RemoteAgentRegistrationException. Specific exception:Error in unmarshalling operation! Please try again.oracle.security.am.engines.rreg.common.RemoteAgentRegistrationException: Error in unmarshalling operation! Please try again.
    ling operation! Please try again.
    resultset.getStatus() : false
    Thanks in advance.
    Oscar

    Hi,
    This is a bug with OAM 11.1.1.5.x
    The fix is to use OAM 11.1.2.x and you should be able to configure FR 11.1.2.x and connect to OID and OAM.
    Regards,
    noveaux_life

  • OAM 11gR2 PS1: Authenticate with email

    Hi All
    I want to authenticate users with email address and password instead of user id and password. Has anyone implemented this before.
    I tried to update the user name attribute to mail which matches with my OUD attribute name but I am still not able to authenticate with email.
    Any pointers will be highly appreciated.
    Thanks

    Hi,
    Try with the below values in the User Identity Store Values in OAM Admin Console::
    User Name Attribute :::: mail
    User Filter Object Classes ::: inetOrgPerson
    Group Name Attribute ::: group
    User Filter Classes ::: groupOfUniqueNames
    As an alternate solution, you can also configure OVD as Identity Store with OAM and then configure LDAP adapter for OVD with OUD details.
    Choose "OVD: Oracle Virtual Directory" as store type and provide store details. Configuring LDAP adapter for OUD in OVD.
    Provide your OUD details required.
    Hope this helps.

  • Need information on OAM 11gR2 protecting OIM 11gR2

    Hi All,
    I need to implement a solution wherein I have to protect OIM 11gR2 application using OAM 11g2.
    So in this case the identity store for OIM is the normal Oracle database and we have used the generic LDAP connector to provision the users to a LDAP directory which is the identity store for OAM.
    I have gone through the OIM integration with OAM and it talks about a lot of steps involving extension of the identity store for both OIM and OAM,(Integrating Access Manager and Oracle Identity Manager - 11g Release 2 (11.1.2))
    In my case I don't need the features like centralized password management functionality...we only want to protect the OIM application.
    So is it possible to enable SSO without
    1)Externalizing the identity store of OIM to the LDAP directory which is the identity store for OAM,and hence not running the LDAP sync utility
    Also can you please guide me to a document that specifies the steps.
    Thanks

    Hi Thiago,
    Thanks for your replies.
    Yes, I followed certification matrix and tried to install 11.1.1.6 only on wlserver 10.3.6.
    Can you please elaborate on the below points? Or if there are any URLs for detailed steps, please provide them.
    -What you have to do:
    2.1-On Application Server Navigator you can create types of connection:
    2.2-Integrated WLS option
    2.3-Standalone WLS option
    2.4-This first option you can install a local standalone WLS 10.3.6 server on your environment, then create a separate "integrated WLS" connection to the standalone server.
    2.5-Then go to your Application's properties through the Application menu -> Application Properties -> Run -> Bind to Integration Application Server option you can the brand new option created WLS server connection to work with your application.
    3.0- Don't forget that you need to install the ADF Runtimes for the server to be able to work with ADF applications

  • OAM 11gR2 Authentication using username/password/additional ldap field

    I want to add additional credential parameter along with username and password to be validated against LDAP.
    Is there any out of the box solution for authentication using username/password/additional ldap field in OAM 11gR2?
    This solutions exist in 10g and could not find any OOB feature in 11g.

    Do you need to accept additional parameter from user via login form & then use it in credential mapping step
    Not sure if %% syntax would work. Haven't tried it. Next option is to develop a custom authentication plugin
    Additional ldap attribute against static value
    If you need to add additional ldap attribute (check against static value) that you can specify in LDAP search filter in "User Identification plugin" configuration
    Take a look at "MTLDAPPlugin" under custom authentication modules
    Hope this helps

  • OAM 11gR2 - Remote Registration Exception - HTTP Error 501

    Hello
    I installed OAM 11gR2 and am trying to configure OAM with WebGate.
    While doing remote registration using rreg.bat I get an exception
    RemoteRegistrationException
    HTTP error 501 could not send HTTP Post message
    Can anyone help me?
    Thanks,
    Ram

    It's most likely a problem with your java version.
    I know for sure that Java version 1.6.0_37 doesn't work and that 1.6.0.41 works for sure.
    Can you try installing a different version of java?
    If on Linux use the
    update-alternatives --config java
    as root to point to the java (other version that you installed) and try again.
    Let me know if that helps.
    Cheers
    -Kungo

  • Installing OAM 11gR2

    Hi,
    I wanted to integrate OIM11gR2 with OAM.
    For this, I did the below so far.
    1) Installed WLS server, OIM and SOA for OIM 11gR2
    2) Trying to install OAM. Can you please let me know the order in which I need to install.? Also let me know do we need to install latest webtier for this. If so, where can i download webtier software.
    3) Can I integrate OIM 11gR2 with OAM 11gR1?

    Follow Oracle® Fusion Middleware Installation Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2).

  • OAM 11gR2 Throwing SSL Warning after configured to use HTTPS Load Balancer

    I have configured OAM 11gR2 to use an https load balancer on 14100 and have set my managed servers SSL listen port to 14100 (could not use 14101 because the HTTPS VIP created was listening on 14100). Everything works fine with this configuration, but my logs are filling up with the following warning.
    <Oct 3, 2012 1:41:54 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.1 - 10.228.0.1 instead of an SSL handshake.>
    I know that 10.228.0.1 is the DNS server, but I'm not sure why this happening. Any ideas?

    What WLS and OHS versions are you using in this environment?
    If it's an older version than these, please upgrade WLS to 10.3.3 and the OHS to 11.1.1.3. This is a known bug on the WLS side, not in OAM.
    I hope this helps,
    Thiago Leoncio.

  • Running OAS plsql toolkit in HTML DB

    Hi, we currently have a lot of code written using the OAS plsql toolkit, running on an Oracle 8.1.6 database. These are primarily pages that are hosted on the internet.
    I was wondering could we migrate this plsql code to Oracle 10G, dispense with the now outdated OAS altogether and use the new features of HTML DB to run the plsql pages, without really any alteration.
    Does Oracle 10G allow us to put these pages onto the web using the Apache listener.
    Has anyone else done this?

    You can't "run" the PL/SQL pages with HTML DB. What you will find is that you can throw away 90% of your code used for UI and keep the queries used for reports and any SQL or PL/SQL used for DML.
    HTML DB will handle all of the UI, session state, report sorting and pagination, and form fields. I strongly encourage you (if you have not already) to write a few reports and play with the built-in column-heading sorting, pagination, and templates before you start this process. The reason I say this is that time after time, I see people faced with your exact task trying to hold on to their pl/sql htp.p's for reports. It takes them a while to see the light, and when they do, they wonder why they've been fighting it.
    asktom.oracle.com and think.com both went through this. It's amazing how much more you can focus on the content of the app and adding new functionality when you don't have to worry about the stuff HTML DB takes care of for you. Just try it out on htmldb.oracle.com, you'll get what I'm saying in no time.
    Good luck,
    Tyler

  • OAM 11gR2 new domain startup issue

    Installed OAM 11gR2 in new domain, completed security store configuration. Also checked validation, that also worked fine.

    I can't seem to find Note 1461370.1 in oracle support. I am having the same issue. I found a ticket opened as a bug, 13586338, with a similar issue but that was closed and no resolution was given.

  • SharePoint 2010 with OAM 11g

    We are currently trying to integrate SharePoint 2010 server with OAM 11g with 10g webgate. In our environment SharePoint site is configured with Claims based authentication with LDAP provider for membership. We have performed all the configurations based on the Oracle documentation with validation mode as OAMHttp.
    We are seeing the following behavior after this integration.
    1) The user requests access to a SharePoint Site
    2) Webgate protecting the site intercepts the request, determines if the resource is protected, and challenges the user.
    3) The user enters their OAM credentials; Webgate contacts the OAM Server, which verifies the credentials from user store and authenticates the user. Webgate generates the OAM native SSO cookie (ObSSOCookie), which enables single sign-on and sets the User ID (to username) header variable in the HTTP request and redirects the user to SharePoint site.
    Here, instead of taking user to the home page of the site, the SharePoint login page is displayed again.
    =================================================================================================
    Looking into the debug logs i found the following error.
    Date ProcessId ThreadID ManagesThreadId ClassName MethodName Message
    =================================================================================================
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider Initialize validationMode^OAMHttp
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor Method Entered
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor ValidationURL configured validationUrl^http://wtv-sea-spapp01.chemd.net:8086/ValidateCookie.html
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor validationHost^wtv-sea-spapp01.chemd.net
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor OAMAuthUserCookieName^OAMAuthCookie
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor Method Exited
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider Initialize Setting Validation Type OAMHttp
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider ValidateUser Entering ValidateUser : username^IDG2M
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator ValidateUser Method Entered
    Exception Caught InValidateUser
    The remote server returned an error: (403) Forbidden. at System.Net.HttpWebRequest.GetResponse()
    at Oracle.OAMHttpValidator.ValidateUser(Dictionary`2 creds)5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator ValidateUser Exiting AuthStatus^AuthZFail
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider ValidateUser OAMauthStatus^AuthZFail
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider ValidateUser Method Exited returnCode^False
    If anyone has integrated OAM 11g with SharePoint 2010 earlier, I would appreciate your inputs in this regard.

    Each license is platform specific, you can't backwards apply or forwards apply licenses from one version of SharePoint to another.
    If you do have MSDN access, you'll have access to all current versions of SharePoint, across the current and retired server products.
    Steven Andrews
    SharePoint Business Analyst: LiveNation Entertainment
    Blog: baron72.wordpress.com
