Urgent: OAM authorization

Hi all,
I am trying to implement authorization such that users belonging to a certain group in OID (OID is my user store) are allowed to see a page. I have implemented the authorization policy accordingly, but somehow it is not coming into effect and all users are able to access the HTTP resource. I have tried it with both OAAM TAP-based authentication and simple OAM LDAP authentication, but with the same results; in my Access Tester I get authorization success every time.
My environment details:
OHS: 11.1.1.6.0
WebGate: 11.1.1.5.0
OAM: 11.1.1.5.0
The policy details:
Authorization Policy
Name: Protected Resource Policy
Success URL: null
Failure URL: null
Use Implied Constraints: CHECKED
Identity Assertion: UNCHECKED
Resources: protected.html
Constraints
Name: Allow group
Class: Identity
Type: Allow
Constraints: Details
Type: Allow
StoreName: OIMIDStore (OID)
Entity Name: Group1
Responses
Name: OAM_REMOTE_USER
Type: Header
Value: $user.userid
Am I going wrong somewhere, or is some other configuration needed to get this functionality to work?
Please let me know if you need more inputs from me.
Any input would be helpful.
Regards,

Hi Colin,
Thank you very much for your help. The SSOOnlyMode parameter was set to true; everything started working as expected when I changed this to false. Very hard to spot this info in the Oracle documents. You have saved my day.
Regards,

Similar Messages

  • Order for resources in OAM authorization policy

    Hi All
    Does the order of the resources in an OAM authorization policy matter, or can I put the resources in any order?
    Thanks

    OAM performs resource authentication and authorization based on the URLs. It doesn't matter in what order you put them.
    ~Yagnesh

  • OAM Authorization POST parameters

    Dear all,
    I have a question about the authorization rules in OAM. My requirement is that on successful authorization I want to send a POST parameter to a protected application; this parameter will include some piece of data of the logged-in user (for example his social security number), and I want to make sure that no authenticated user can send the social security number of another user, so I want this parameter to be sent by OAM to ensure that it will send the number of the logged-in user.
    In authorization rules (on success action) I can set an HTTP header or set a cookie with the number of the logged-in user, but I couldn't find a way to send a POST parameter.
    I thought of another solution: send the parameter through a normal HTML form and make an authorization rule to check that the POST parameter (say: ssn) in the HTTP request is equal to the SSN of the logged-in user, but I couldn't figure out how to receive parameters in the authorization rule.
    I don't know if writing a custom authorization plugin can be a solution, or if there is another solution?
    Thanks in advance

    Hi,
    As far as I know, OAM sends params to the end-user application in 2 ways: 1. Header var, 2. Cookies.
    Passing params through header vars is safer than cookies, as cookies can be tampered with in the interim.
    However, I think a custom authz plugin or using a reverse proxy server might do this job for you. You might need to explore more on that.
    For the alternative solution that you are talking about, passing the SSN from an HTML form: it's vulnerable and can easily be tampered with.
    -Mahendra.

  • OAM - Authorization based on the authentication method

    We are using OAM 10g for a customer to protect a large number of web applications. In order to access those applications a user can choose from several authentication methods (e.g. client certificate, SecureId and mobile TAN). All applications use the same cookie domain and OAM provides SSO to the user. The customer now wants to define access rules for each of the applications based on the chosen authentication method.
    In other words, he wants to have the flexibility to define rules such as the following:
    Application A: Only accessible with client certificates
    Application B: Only accessible with mobile TAN
    Application D: Only accessible with SecureId or mobile TAN
    Application E: Accessible with any authentication method
    In order to implement this with OAM we would have to assign each authentication method a different authentication level and define authorization rules that depend on those authentication levels (maybe using a custom authorization plug-in). According to the OAM documentation it doesn't seem possible to reference the authentication level in an authorization rule.
    Does anyone know a way to implement these requirements?
    Any help is appreciated.
    Best regards,
    Donat

    This is how I think we can do this.
    Write an authentication plug-in which adds which authentication scheme was used to log in to the application in one of the multivalued attributes in OID. Write an authorization plug-in as well which checks this value and makes the authentication decision.
    One more approach is: create as many attributes in OID as the number of authentication schemes you have. Each of them is a flag representing whether the user is logged in with that authentication scheme or not. When the user authenticates using an authentication scheme, turn on that flag. Also flush the Access Server user profile cache. In the authorization rule, use this flag to make authorization decisions. Using this approach, you do not have to write an authorization plugin, but this may not be a scalable approach, as you might have to create a new attribute in OID when a new authentication scheme is added.
    You can also keep this information somewhere in a database or flat file and use that information in the authentication and authorization plugins.
    I hope one of these solutions will help you.
    Thanks
    Kiran Thakkar

  • Urgent: OAM 11g issue

    Hi all,
    I have installed OHS 11g and WebGate 11g on one machine and OAM 11g on another machine. While starting OHS I am getting the following error in the ohs1.log file:
    [2012-12-04T14:41:42.3674+05:30] [OHS] [ERROR:32] [OHS-9999] [apache2entry_web_gate.cpp] [host_id: X.X.X.X] [host_addr: X.X.X.X] [tid: 1128900928] [user: pfserver] [ecid: 004o0D14RwW3FClqwsJb6G0001pD000000] [rid: 0] [VirtualHost: main] OBWebGate_AuthnAndAuthz: The AccessGate is unable to contact any Access Servers.
    [2012-12-04T14:41:42.3684+05:30] [OHS] [ERROR:32] [OHS-9999] [odl_log.c] [host_id: X.X.X.X] [host_addr: X.X.X.X] [tid: 1128900928] [user: pfserver] [ecid: 004o0D14RwW3FClqwsJb6G0001pD000000] [rid: 0] [VirtualHost: main] Request Failed for : /index.html, Resp Code : [500]
    Both servers' clocks are running at the same time. But if I install OHS and WebGate on the same server as the OAM server host, I am not getting any error.
    I am getting confused by one thing. I am getting the error "Request Failed for : /index.html", but I haven't given index.html as a resource while doing the WebGate registration.
    How do I resolve this issue? Please help me ASAP. It's very urgent.
    Regards,
    Deena.

    Two things.
    How did you register the agent: through the UI or through rreg?
    If through the UI, I would suggest you try to register using rreg in-band registration and let me know if that is successful.
    If that fails (which I think it will),
    it's most likely a problem with your Java version.
    I know for sure that Java version 1.6.0_37 doesn't work and that 1.6.0_41 works for sure.
    Can you try installing a different version of Java?
    If on Linux, use
    update-alternatives --config java
    as root to point to the Java (the other version that you installed) and try again.
    Let me know if that helps.
    Cheers
    -Kungo

  • OAM (authorization and authentication)

    Does OAM offer any Web Services for authorization and authentication?
    Thanks in advance, awaiting a sooner response.
    Edited by: Odemail on 05-abr-2012 8:31

    For this you can check with Oracle Support
    Thanks
    kumar

  • Urgent: OAM 11g allow/block URLs

    Hi All
    I am using OAM 11g R1 and want to allow some URLs and block some others. Please let me know if this can be configured in OAM.
    URLs to be allowed:
    http://Hostname1:80/rootContext?x=1
    http://Hostname1:80/rootContext?x=2
    URLs to be blocked:
    http://Hostname1:80/rootContext?x=3
    http://Hostname1:80/rootContext?x=4
    Please help. This is really urgent.
    Thanks

    I am aware of OAM configurations but want to know more about this specific configuration where the resource URL is the same and just the query parameter is different.

  • OAM Authorization cache query

    Hi
    I have a resource protected with OAM 10g and am using a custom authorization plugin for this resource which makes an LDAP call and returns the result.
    I want to know whether the OAM user cache works with custom authorization plugins as well or not.
    Please let me know your understanding.
    Thanks

    The authorization plugin result will not be cached, and your plugin will be executed every time authorization is requested.
    If you are trying to make an LDAP call in the plugin, a better way would be to use LDAP filters in the authorization expressions.
    Hope this helps,
    Sagar

  • Urgent: JAAS authorization policy file

    Hi.
    I just decided to implement JAAS technology in my 3-tiered application. I did authentication, but cannot believe that the only way to specify authorization is to place all grants in one or more text files and specify this file (or these files) in the batch file running my application. I do not think that it is secure. The same for authentication: it is possible to redirect my application to pass through some other LoginModule and so on.
    I guess there is some other way to store JAAS config and policy files. Please help me find that way.
    Thanks in advance,
    Kanan

    The default file-based LoginContext configuration and Policy-based permission files are certainly rudimentary.
    It is for this reason that the javax.security.auth.login.Configuration and java.security.Policy implementations are pluggable. Instead of defining only one way of storing the data, it is possible to develop custom implementations to store data in any way a developer desires.
    You can directly subclass either of these abstract classes and then programmatically set your subclass in the VM via the respective "setConfiguration" or "setPolicy" methods. Or you can statically specify your custom implementation in the login.configuration.provider or policy.provider security property (set inside the java.security file in the ~jre/lib/security directory of your installation).
    Both of these options should be documented in the Configuration and Policy javadocs.
    In the Configuration case, J2SE 5.0 introduced a new constructor on the javax.security.auth.login.LoginContext class that can take a Configuration object as an input parameter. This gives you extra flexibility for managing login configuration entries per LoginContext.
    Your custom implementations would then need to manage the configuration and permission data as they see fit (perhaps in memory, perhaps on a server, or perhaps even in custom files).
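    The pluggable Configuration route described in the answer above, as an added example that is not part of the original thread and not JDK sample code: a Configuration subclass that keeps its login entries in memory (no -Djava.security.auth.login.config file) and is handed to LoginContext through the four-argument constructor the answer mentions. The FixedUserLoginModule, the application name "MyApp" and the "user"/"password" option keys are illustrative assumptions made for this demo; the Policy side (subclass java.security.Policy and call Policy.setPolicy) follows the same pattern and is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** JAAS Configuration served from memory instead of a file named on the command line. */
public class InMemoryJaasConfiguration extends Configuration {
    private final Map<String, AppConfigurationEntry[]> entries;

    public InMemoryJaasConfiguration(Map<String, AppConfigurationEntry[]> entries) {
        this.entries = new HashMap<>(entries);
    }

    /** LoginContext calls this with the application name it was constructed with. */
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        AppConfigurationEntry[] found = entries.get(name);
        return found == null ? null : found.clone(); // hand out a copy so callers cannot edit our config
    }

    /** Toy LoginModule (assumed, for the demo): accepts one user/password pair given as module options. */
    public static final class FixedUserLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, ?> options;
        private String user;
        private boolean succeeded;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.options = options;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nameCb = new NameCallback("user: ");
            PasswordCallback pwCb = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nameCb, pwCb });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] supplied = pwCb.getPassword() == null ? new char[0] : pwCb.getPassword();
            pwCb.clearPassword();
            byte[] expected = String.valueOf(options.get("password")).getBytes(StandardCharsets.UTF_8);
            byte[] given = new String(supplied).getBytes(StandardCharsets.UTF_8);
            // MessageDigest.isEqual compares in constant time, so a wrong guess does not leak via timing.
            succeeded = String.valueOf(options.get("user")).equals(nameCb.getName())
                    && MessageDigest.isEqual(expected, given);
            if (!succeeded) {
                throw new FailedLoginException("bad credentials for " + nameCb.getName());
            }
            user = nameCb.getName();
            return true;
        }

        @Override
        public boolean commit() {
            if (succeeded) {
                final String name = user;
                subject.getPrincipals().add(new Principal() {
                    @Override public String getName() { return name; }
                });
            }
            return succeeded;
        }

        @Override public boolean abort() { succeeded = false; user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Attempt a login against the given Configuration; returns a one-line outcome. */
    static String tryLogin(Configuration config, String user, char[] password) {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
            }
        };
        try {
            // The J2SE 5.0 constructor: this context uses our Configuration, not the VM-wide one.
            LoginContext lc = new LoginContext("MyApp", new Subject(), handler, config);
            lc.login();
            return "authenticated as " + lc.getSubject().getPrincipals().iterator().next().getName();
        } catch (LoginException e) {
            return "denied (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        Map<String, String> opts = new HashMap<>();
        opts.put("user", "kanan");
        opts.put("password", "s3cret"); // demo only: never carry real secrets in module options
        AppConfigurationEntry entry = new AppConfigurationEntry(
                FixedUserLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                Collections.unmodifiableMap(opts));
        Configuration config = new InMemoryJaasConfiguration(
                Collections.singletonMap("MyApp", new AppConfigurationEntry[] { entry }));
        System.out.println("good password -> " + tryLogin(config, "kanan", "s3cret".toCharArray()));
        System.out.println("bad password  -> " + tryLogin(config, "kanan", "wrong".toCharArray()));
        // Alternatively install it VM-wide so plain new LoginContext("MyApp", handler) finds it too:
        Configuration.setConfiguration(config);
    }
}
```

    Compile and run with `javac InMemoryJaasConfiguration.java && java InMemoryJaasConfiguration`. Keeping the entries in code rather than in a file removes the "edit a text file on disk" avenue the question worries about, but it does not change the trust boundary: whoever can alter the classpath or the JVM arguments can still substitute a LoginModule, so the process owner and its file permissions remain the real control.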

  • URGENT: OAM 10g server and webgate certificates query

    Hi experts,
    There is an OAM 10g environment. The OAM Access Server and Identity Server are installed and up and running. The OAM servers are in cert mode. So to install WebGates residing on different machines from the OAM servers, can we use the same OAM Access Server certificates for the WebGate certificate while installing the WebGate?
    Thanks
    IDM Team.
    Edited by: 898990 on Mar 13, 2013 1:38 PM

    Figured it out. The OAM proxy (AccessServerConfigProxy on port 5575) for 10g WebGates was configured to listen in cert mode. I had to switch it to open mode. Not sure how it got switched, but that got the WebGate install going for now. Thanks.

  • Urgent: OAM-ISA-OWA Integration

    Hi All,
    We have installed Exchange 2007 on Windows 2003 EE. It has been integrated with OAM (the WebGate has been installed on IIS). When internal users access the OWA resource they get a pop-up from OAM and are correctly authenticated. ISA 2006 has been installed on another server and is acting as a proxy server to this Exchange 2007. There is no WebGate installed on this ISA server. All the external users go through this ISA server to access their mailbox. The issue is that when any external user accesses the /owa resource via ISA, they do not get any pop-up from OAM but directly get the OWA login form. This happens only when a resource is accessed via ISA.
    Any suggestions on what we could be missing?
    -Amol

    Hi,
    Thanks for the reply. Actually I have a basic doubt about versions. I am using 10.1.4.0.1 Build RC2 and WebLogic version 10.0, and the SSPI connector I was using is Oracle_Access_Manager10_1_4_0_1_Win32_BEA_WL_SSPI.
    So do I need to upgrade OAM to version 10.1.4.2? Because when I install the connector I can see the wl8NetPointSecurityProviders.jar and wl7NetPointSecurityProviders.jar. Are these jars supported with the WL 10.0 version?
    Please let me know.
    Thanks,
    Bh

  • Creating LDAP filter in authorization rule OAM 10G

    Hi,
    I want to set up an LDAP filter in an authorization rule based on which I will redirect users to specific URLs. What is the syntax for writing LDAP filters in an OAM authorization policy? Any pointers to documentation will be appreciated.
    Also I want to know whether authorization always follows authentication, i.e. my redirection will be successful only after a user is authenticated in the end application based on the headers we send out after successful authentication.
    Please Help
    Thanks
    Edited by: 904630 on Dec 27, 2011 5:34 AM
    Edited by: 904630 on Dec 27, 2011 5:36 AM

    Open the Identity Server console and check the attribute's Display Name and type in the Object Classes section. I recently faced a similar issue and it got fixed after providing these two values.
    Hope it works for you as well :)

  • OAM 11gR1 (11.1.1.3) Authorization issue

    Hi,
    We have OAM 11gR1 (11.1.1.3) in place.
    Some of our users are being denied by our OAM authorization rule when they should not be.
    The rule is simple, a user needs to be in an OID group to get access to the protected site.
    This is what I can find in the audit logs in the "Resource" column during the Authorization event:
    - This value appears for the users who are successfully authorized: HTTP:IDMDomain:/polopoly
    - This value appears for the users who are NOT authorized: IDMDomain:0%2Fpolopoly
    I think this looks like something related to the "Host Identifier" settings, but I have tried logging in with the accounts from the same computer, so the value changes based on the user I log in with.
    Any ideas why this happens?
    The full audit line below:
    2012-11-01 11:18:22.266 "<OID-user-id>" "CheckAuthorization" false "" "0000JevgNod1rYx_S9o2yc1GMNxa003Pa2,0" "0" - - - "oam_server" "Authorization" "15" "-" "" - "IDMDomain:0%2Fpolopoly" - - "" - "Web_Agent" - - - - "IDMDomain:0%2Fpolopoly" "" - - "IDMDomain" "550031218842367378" - "" - - - - - - "oam_server1" - - - - -
    2012-11-01 11:21:17.430 "<OID-user-id>" "CheckAuthorization" true "" "0000Jevh2_m1rYx_S9o2yc1GMNxa003PaS,0" "0" - - - "oam_server" "Authorization" "21" "-" "" - "HTTP:IDMDomain:/polopoly" - - "Web_Agent" - "Web_Agent" - - - - "HTTP:IDMDomain:/polopoly" "UserPassAuthorizationPolicy" - - "IDMDomain" "-7259007590981892465" - "" - - - - - - "oam_server1" - - - - -
    NOTE: The authentication step is working fine, for both users.
    Regards,
    Henrik
    Edited by: user1154522 on Nov 1, 2012 4:37 AM

    Never mind, I'm an idiot.
    Microsoft's guidance on the registry key to disable IPv6:
    Type any one of the following values in the Value data field to configure the IPv6 protocol to the desired state, and then click OK:
    Type 0 to enable all IPv6 components. (Windows default setting)
    Type 0xffffffff to disable all IPv6 components except the IPv6 loopback interface. This value also configures Windows to prefer using IPv4 over IPv6 by changing entries in the prefix policy table. For more information, see Source and Destination Address Selection.
    Type 0x20 to prefer IPv4 over IPv6 by changing entries in the prefix policy table.
    Type 0x10 to disable IPv6 on all nontunnel interfaces (both LAN and Point-to-Point Protocol [PPP] interfaces).
    Type 0x01 to disable IPv6 on all tunnel interfaces. These include Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo.
    Type 0x11 to disable all IPv6 interfaces except for the IPv6 loopback interface.

  • How to Protect two Apps running on two different Hosts using same OAM serve

    Hi All,
    I am new to OAM. I am trying to configure SSO for an application using an OAM 11g server which is already protecting another application (Oracle EBS) on a different host.
    The Oracle EBS application uses the Oracle EBS Access Gate to collect the credentials.
    Now what should I do to protect the second application, say APP2? Do I need to install a new OHS instance and a new WebGate for this purpose, or can I use the one already used by the EBS application?
    Please reply to me soon.
    Thanks,
    Prabhu

    You may use the same OHS instance by creating an additional reverse proxy filter for your application 2.
    Or create another instance of OHS and configure a WebGate and OAM policies for your application 2.
    All the applications configured with OAM will be configured for single sign-on, and no special configuration needs to be done.
    Here are my comments to your questions:
    1) Can you tell me why we should have a different OHS and WebGate to protect the 2nd application?
    - As per best practices, you should have different OHS instances (plus WebGate) for different applications. But you may also configure the same OHS for multiple applications.
    2) If we have a different OHS and WebGate, will the same OAM session be shared between the applications? Basically the user will navigate from the first application to the second application by clicking a link on the first application's page. Will the OAM_REMOTE_USER header be passed on to the second application in this case?
    - Yes, if you have a different OHS and WebGate, the same OAM session will be shared between the applications.
    To pass the header variables to any application, add the variables in the application's OAM authorization policy responses.
    3) By default, does OAM 11.1.1.3 set the userid in OAM_REMOTE_USER, or should we manually set a response header?
    - To be on the safe side, set this header on the authz policy's Responses tab and put the value as $user.userid.

  • OAM 11g "Failure URL" in Authoriztion policy not working?

    Hi,
    Per the subject, I am running OAM server 11g (11.1.1.3) with an OAM 10g Apache WebGate.
    In the OAM Authorization policy (protected), I have specified a full URL for the "Failure URL", to get the browser to redirect when an authorization failure occurs.
    However, when I test with a user that does not have access (user authenticates ok, but doesn't have right to access the protected resource), instead of the browser being redirected, I am getting an "Oracle Access Manager Operations Error" page.
    I've been trying to figure this out, and have found several threads about this, e.g.:
    OAM 11g authz redirect URL not working?
    But, as I said, I am using OAM 11g server, and there is no "Inconclusive URL" in the policy settings (I guess there was in 10g, but not in 11g).
    I have trace logging enabled on the OAM server, and I can clearly see that the request is getting "results DENY", but there's no indication in the logs that OAM server is aware of any failure redirection URL.
    I've also got a header trace, and I can see that the browser is simply being redirected to the "/oberr.cgi...." URL, so it's not going "somewhere else".
    So, does anyone know why the "Failure URL" is not working in OAM 11g in Authorization policies?
    Thanks,
    Jim
    P.S. The URL that it's supposed to be redirecting the browser to is in the Public resources under Authorization, and as I said, I don't see the browser even attempting to go to the failure URL, either via header traces or the OAM server logs.
    Edited by: jimcpl on Nov 5, 2011 8:53 PM
