Oracle Fusion Middleware Security

OIM 11g R2 Self Registration with CAPTCHA

2013-05-07T06:30:00.000-07:00

This post walks you through the fun of customizing OIM and adding a CAPTCHA solution to the self-registration page. Captcha solutions are largely used in web sites to try to prevent automated robots from registering, filling forms, sending messages and many other things.

The captcha solution used is Simple Captcha and it is available here. It is easy to use and easy to hook into applications.

This is another post of the Oracle Identity Manager Academy. To check other tricks, tips and examples you can find the academy post here.
Read more »

Synchronization of Roles in Catalog OIM 11g R2

2013-05-01T08:24:00.003-07:00

Introduction

The Catalog is one of the most fundamental features of OIM 11g R2 request based provisioning. All requests for Resources/Accounts, Entitlements and Roles are accomplished through the Catalog. Roles in OIM 11g R2 can be defined within a given category. There are two main out-of-the-box categories: OIM Roles and Default. The category affects the visibility of the Role in the Catalog.

Sometimes, customers may require to change the category of an existing Role in order to make it possible to request the Role through the Catalog. If the Role was initially created within the OIM Roles category, it will not be visible in the Catalog because there is no entry in the Catalog's table for the Role.

Procedure

A Role is available in the Catalog when its category is set to 'Default'. This can be ensured by modifying the Role's attributes in the Self-Service User Interface and selecting the 'Default' category from the List of Values. The picture that follows shows where this is done and provides an example:

In the example above, the role MASSACHUSETTS ORG MEMBER was originally created with OIM Roles as the selected category. As a result, this role can't be requested through the Catalog. The role's category will need to be updated to 'Default'. The images below demonstrate the change:

Roles are published immediately after they are created; however, if a Role is updated after creation like in the previous example, the Catalog Synchronization Job has to be executed to reflect the changes in the Catalog.

To invoke the Catalog Synchronization Job, an Administrator needs to log in to the System Administration Console of OIM and open the Scheduler Window; then navigate to the Catalog Synchronization Job as shown in the following picture:

The Job must be executed with the following values in the Job's attributes:

Mode = full
Process Roles set to Yes
Updated Date must be blank

After the execution of the Catalog Synchronization Job, searching for the Role in the Catalog should now display the role in the results as shown below:

Summary

The Catalog is one of the main components of OIM 11g R2. The Request-Based provisioning functionality revolves around it. Any entity in OIM that can be requested by users needs to be visible in the Catalog. Roles that have OIM Roles as their category, are not visible in the Catalog; only the ones in the 'Default' category will be displayed in Catalog Search Results.

If a Role was initially created with OIM Roles as its category and then is updated to the Default category will not be displayed in the results of a Catalog search unless the Role is added to the CATALOG table in OIM's Database. This is accomplished by running the Catalog Synchronization Job through OIM's Scheduler. The job must be executed in Full mode, the 'Process Roles' option must be set to 'Yes' and the 'Updated Date' value must be blank.

Don’t Be that Guy – Part 2: Avoiding Outages Due to Full Disks and Partitions

2013-04-10T14:18:00.000-07:00

A while back, I wrote about the fact that many customers experience severe outages with their Fusion Middleware products when they let the digital certificates associated with the SSL connections in their deployments expire.

To be fair, certificates are often “out of sight and out of mind” and indeed many system administrators don’t have much experience managing certificates. However, the same cannot be said about disk space. We all deal with managing disk space on multiple systems including our desktop clients, home PCs, and even phones.

Today as a public service announcement I’d like to discuss the dangers of not paying attention to whether or not you have adequate disk space on your dev, test, and production machines running your middleware software.

I’ll be honest, I see a surprising number of customers experience everything from long delays in their dev and QA cycles to real production outages because of instability caused by running out of disk space. So, size your machines with adequate disk space, monitor your disk usage, and be aware of your logger and auditing configurations in your Fusion Middleware Products.

Most Fusion Middleware / IAM products including OAM and OIM log to the standard JAVA/WLS logs .out and .log; as well as to the Oracle diagnostic log -diagnostics.log. The standard logs can be configured in the WLS console while the diagnostic log can be configured by editing the logging.xml file, through WLST, or in EM.
Most customers that use our auditing capabilities log directly to a database. However, the default storage is “bus-stop files” which do reside on the local file system and obviously take up space.

Speaking of databases, I see a fair amount of similar pain being caused by databases running up against various size limits like tablespace or data file limits. So, make sure you are also actively managing data size limits on the DB.

My White Paper on OAM Mobile and Social

2013-03-15T13:43:00.001-07:00

Back in December I started putting together a White Paper on OAM 11g R2's new Mobile and Social capabilities. The paper covered the work we did for a Proof of Concept for a bank's new mobile banking application. Between the end of year holidays, a bunch of other projects and a long vacation the whole process of getting it all down on paper, reviewed and published took much longer than I expected to, but the paper is finally ready.

If you're interested in writing iOS apps that authenticate against OAM and then access REST services protected by OAM this paper might be right up your alley.

The paper is available from the Mobile and Social Access Services page on Oracle.com. Just scroll down to the Technical Information section and hit the link Oracle Mobile and Social Case Study - Mobile Banking Application (PDF) (or just click that link).

If you read it and have ideas, questions, comments, or even absurd remarks I'm all ears!

Part 2: Kerberos Authentication, RBAC and SAML identity propagation in OAG

2013-03-13T14:42:00.000-07:00

This post is the second one of a series by Andre Correa and Paulo Pereira on OAG (Oracle API Gateway).

The first post is found at http://fusionsecurity.blogspot.com.br/2013/03/part1-kerberos-authentication-rbac-and.html. Check it out for use case background and the Kerberos authentication part.

As mentioned, one of the requirements in our exercise was to authorize the user against a ROLE X URI matrix, called “Authorization Matrix”. In this post we’re looking at the second policy (Call ‘Perform Authorization’) in the overall flow:

Basically, “Perform Authorization” had to:

a. Obtain the authenticated user (authenticated by Kerberos);

b. Lookup the groups memberships in Active Directory;

c. For the requested URI, query a Database for the authorized roles for that URI in particular;

d. Check if any of the user groups (obtained from AD) is in the list returned by the DB query;

e. Authorize the user in case the check on the previous steps passes.
Read more »

Part 1: Kerberos Authentication, RBAC and SAML identity propagation in OAG

2013-03-12T13:00:00.000-07:00

This post is the first one of a series by Andre Correa and Paulo Pereira on OAG (Oracle API Gateway).

Throughout the series, we are going to talk about Kerberos authentication, Role Based Access Control (RBAC) and SAML identity propagation in OAG 11g, formerly known as OEG (Oracle Enterprise Gateway). What follows has been implemented as part of a larger exercise involving the SOA suite, OSB, OTD (Oracle Traffic Director) and the Exalogic platform. The kind of architecture presented here can be used as general guidance, but that may not apply to your use case scenarios. We will also briefly touch on OWSM policies that were applied to OSB and SOA composite.

The use case is about enabling end users to place orders. As you might think, there are quite a few 3rd-party systems to interact with in order to have the order fulfilled and the product provisioned to the end user. SOA to the rescue.

Security Requirements

Provide a security shell around SOA and channel each and every request through OAG. The classic model of perimeter defense. As the applications used by end users are Kerberos enabled, the customer wanted to see OAG authenticating Kerberos tokens generated by Active Directory’s KDC (Key Distribution Center). After authentication, we were asked to authorize the user based on a Security Matrix (a relation of groups and URIs) kept in an Oracle database. Finally, with the user properly authenticated and authorized, we should forget Kerberos and instead propagate a SAML token to the SOA platform. This identity should then be preserved all the way to downstream 3rd-party systems.

At the end of our exercise, the policy we built in OAG is expressed as the following circuit, where we can clearly see authentication, authorization and token switch. We expand the contents of each filter/policy as we go. In this post, we focus on the Kerberos Service filter and how we enable the policy for the service we want to protect.

Deployment Architecture

All Oracle FMW components (as well as OAG) were deployed for HA on a 4-node 1/8 Exalogic rack, as per the following diagram.
Read more »

OAM 11g Custom Authentication Plugins: Collecting additional credentials

2013-03-11T08:00:00.000-07:00

One of the things that OAM 11g does a very good job of is enabling LDAP-based user authentication, based on collecting username and password from a login form. I've seen a lot of questions from the field relating to how to handle more complex, multi-step or multi-factor authentication scenarios and while this post is certainly not intended to be exhaustive regarding this topic, I will go through a fairly common scenario on which most multi-factor authentication processes will depend: returning the user to the login page to collect additional credentials.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Part 3: OAM11g WNA Identity Store Considerations and Configurations

2013-02-18T09:30:00.002-08:00

Part 2: How to Configure OAM11g WNA for Multiple AD Forests

2013-02-14T07:03:00.000-08:00

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

This is the second post of a three part series. In "Part 1: Under the Covers of OAM11g WNA integration with Multiple AD Forests", I covered the flow of how WNA works and what was going on behind the scenes. This article will cover the technical details on how to implement WNA in a way that will support multiple Active Directory Forests that either have no transient trust between them, or even all trusted; in either case this will work for you.

Before we get into the details on how to setup WNA for multi Active Directory domains I just want to point out that I will use a straw man of three Active Directory KDC servers so you can understand any additional steps needed to support more than one KDC. However, this would also work for as few as one domain, or more than three domains. All that is needed is to simply extrapolate the steps to fit your requirements; I will be sure to comment where necessary.

Read more »

Part 1: Under the Covers of OAM11g WNA integration with Multiple AD Forests

2013-02-12T11:52:00.000-08:00

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

This is the first post of a three part series that expands on a great article Matt wrote --- “The (Windows) Natives Are Restless”. Matt’s article covered some configurations, browser settings, and some examples of role mapping, but I want to dive into this whole WNA solution a lot more. So Part 1 will include just what the title eludes to, Under the Covers of the WNA integration with Multiple Active Directory Forests, then Part 2 will cover the details of the WNA configuration to make it work against multiple untrusted or trusted domains, and finally in Part 3) some highlights on leveraging OVD11g to pull it all together and make sure WNA can find the correct user across multiple forests.

Populating request attributes in OIM 11g R2 Part II - UI Customization

2013-01-28T09:00:00.000-08:00

This is the second post of a two-post series about pre-populating requests in OIM 11g R2. The first post is available here. This post is also part of OIM 11g Academy Series.

The approach describe in this post is more sophisticated when compared to the pre-populate plug-in described in the previous post. The emphasis here is UI interaction. It is also important to mention that this approach does not work for requests created through the APIs, it works only for UI based requests. Another difference is that while the pre-populated plug-ins are specific to request attributes, this approach is application instance specific. In other words, each different application instance request form will require a different customization.

Read more »

Populating request attributes in OIM 11g R2 Part I - Prepopulate Plug-in

2013-01-23T09:00:00.000-08:00

This is the first of a two posts series about pre-populating requests in OIM 11 R2. This post is also part of the OIM 11g Academy Series.

With the introduction of the Catalog, request creation process changed from a wizard to a shopping cart experience style. But request pre-populating is still a common requirement for OIM customers.

There are two different approaches to pre-populate a request:

Pre-populate plug-ins
UI customization

Twitter Jam Tomorrow

2013-01-21T08:36:00.000-08:00

Date: Tuesday, January 22, 2013

Time: 10 am PT / 1 pm ET

Topic: Authentication – Stronger or More Often?

Platform: Twitter

Hashtag: #authchat

Get Your Tweets On…

If you are on Twitter, join the tweet jam on Authentication on Jan 22^nd at 10 am PT. You will be tweeting with the industry heavyweights and the IDM twitterati. Mike Neuenschwander will take control of the @OracleIDM handle and jam with industry experts on this year’s hot topic – Authentication! You don’t have to sit on the sidelines. Join in the discussion. Mike will kick it off at 10 am PST. Just follow #authchat.

Some housekeeping notes for the tweet jam:

- Please make sure to use #authchat for every tweet you send on this topic

- Pls use A1, A2… et al when responding to questions so it is easy for anyone following the discussion.

- You can amplify others’ comments by retweeting. When modifying a tweet before retweeting, it is generally acceptable to use “MT” rather than “RT”

- If replying to another tweet, pls don’t forget to use #authchat and put a “.” (period) in front of the initiator’s twitter handle so everyone can see the response.

- Feel free to solicit responses/comments from specific individuals by calling out their twitter handles. Just don’t forget to put the hashtag #authchat

Follow @OracleIDM today. And let your followers know about the upcoming tweet jam by tweeting about it. Perhaps something along the lines of:

Looking forward to the tweet jam on #authentication and getting the industry’s take. Join on Jan 22, 10 a PT #authchat #oracleidm

They will be archiving and posting the discussion on our blog OracleIDM afterwards.

OIM 11g R2 Requests Lifecycle Management API’s

2013-01-04T09:23:00.000-08:00

Introduction

OIM 11g R2 being such a comprehensive provisioning solution, it provides API’s for almost every aspect of functionality available in the product. This makes it a little difficult to decide which examples are needed the most in the documentation. Fortunately, the documentation does supply samples that can definitely serve as a foundation for more complex pieces of code. Some of the API’s I found developers using more often than others are the ones related to the operations associated with users’ requests for resources. Amongst those the following API’s are mostly required:

Request Creation/Submission
Request History Data Access
Child Table Data Manipulation
Approval Information Data Access

This blog post will include a few samples on how to accomplish each one of the above mentioned operations within the context of a use case described shortly. The intent is to provide some useful API’s code samples that customers and partners can use to write their own custom code that requires such functionality.

Authenticating OIM APIs without end user's password

2013-01-03T05:00:00.000-08:00

A common requirement in an OIM implementation is to not expose OIM user interface to all types of end users. To address this requirement, usually a custom application using OIM APIs is developed and deployed. Such application will expose specific OIM functionalities to end users. In most of the cases, customers want the custom application/OIM APIs to act as the end user, and not as a service account; this approach leverages OIM security model, and the actions will be correctly audited in OIM. Usually this custom application will be protected by a SSO solution, and asking the end user to provide his/her password is not an option. So the big question is: how to authenticate the OIM APIs against OIM server and make them act as the end user?

This is another post in the OIM Academy series. To view the entire OIM 11g Academy series click here

In OIM 9.x, the APIs provide two different ways of authentication: through OIM user's credentials (username and password) and through the so called digital signature authentication. The digital signature authentication process allows authentication without a password, and because of that it is a largely used approach in custom OIM APIs based applications.

With the introduction of OIM 11g, the digital signature APIs are being deprecated. They will still work when correctly configured, but they may be discontinued in future OIM releases.

In R2 there is an easier way of using OIM APIs without the need of end's user password. This post shows how this can be done.

Read more »

OIM 11g R2 UI Customization Tips and Tricks

2012-12-26T09:29:00.002-08:00

Introduction

OIM 11g R2 has finally provided OIM Developers with the means to implement very sophisticated and functional rich customizations to the Out of the Box User Interface of OIM; and the best part is, all these customizations are patching and upgrade transparent, which means that when the OIM installation is upgraded or patched, the customizations don’t have to be re-applied. Everything is stored in the metadata repository (MDS) and it is applied on top of the standard user interface. This article presents a few techniques to implement customizations that go a little beyond the capabilities of Web Composer; but still are within the scope of OIM’s MDS. Each technique will be presented in the context of a use case addressed by the customization implemented using the given technique.

On a recent post by Daniel Gralewski, there was a very nice customization for the Catalog. The purpose of such customization was to filter the resources already provisioned to a user from the results of a catalog search. In a follow up question, one of our readers asked if the search screen could be customized to add a drop down box that can be used to trigger a predefined search, like a catalog search based on role category.

So I thought that would be a nice use case to start, here is what I envisioned based on certain requirements from an actual customer I am helping at the present time.

More on Upstart

2012-12-19T12:53:00.000-08:00

I did a couple of blog posts on Upstart - introducing it in my post Starting and stopping WebLogic automatically using Upstart and doing the same for OID.

I pointed a couple of people at those posts and they told me they wanted more. More explanation, more clarity, and more about how to use Upstart to boot the entire environment.

So in this post I'm going to show how to use Upstart to start the Oracle database, then (once the database is started) start OID and OVD, and only then start OAM and the other WebLogic services.

The first thing I did was convert my Oracle database startup from a SysV-style init script to Upstart. Colm Divilly did the heavy lifting for me and blogged his config file for Ubuntu. I took that and tweaked it for OEL.
This goes in /etc/init/oracledb.conf:

description  "Oracle Database"

# Based on blog post at
# https://cdivilly.wordpress.com/2010/10/28/ubuntu-upstart-script-for-oracle-database/

# The location of the Oracle install
env ORACLE_HOME=/home/oracle/database/product/11.2.0/dbhome_1
# The user to execute Oracle as
env ORACLE=oracle

start on runlevel [2345]
stop on runlevel [016]

expect fork

pre-start script
    logger "Starting Oracle DB"
    su - $ORACLE -c "$ORACLE_HOME/bin/dbstart $ORACLE_HOME"
end script

post-stop script
    logger "Stopping Oracle DB"
    su - $ORACLE -c "$ORACLE_HOME/bin/dbshut $ORACLE_HOME"
end script

Then /etc/init/oid.conf for OID, OVD and the WebLogic server where I run ODSM:

start on started oracledb
stop on stopping oracledb

# This is good for debugging purposes but it's a bad idea to leave
# this on long term.
#console output

# this starts OPMN, OID and OVD
pre-start script
    logger "pre-start for OID/OVD"
    /bin/su - oracle -c "/home/oracle/middleware/asinst_1/bin/opmnctl startall"
    logger "pre-start for OID/OVD complete"
end script

# and this stops them
post-stop script
    logger "pre-stop for OID/OVD complete"
    /bin/su - oracle -c "/home/oracle/middleware/asinst_1/bin/opmnctl stopall"
    logger "pre-stop for OID/OVD complete"
end script

# this is the AdminServer only:
exec /bin/su - oracle -- /home/oracle/middleware/user_projects/domains/IDMDomain/bin/startWebLogic.sh

The important thing there is the "start on started oracledb" stanza. What that says in English is much as you would expect - "start this once the 'oracledb' service is started". The "stop on" does the same for when the database is being stopped; which will cause Upstart to stop OID and OVD before it tries to stop the database.

Upstart works out the dependencies automatically so no need to worry about numbers or pinging the database via sqlplus or tnsping.

The Upstart config for the OAM Server looks the much the same:
/etc/init/oamadminserver.conf

start on started oracledb
stop on stopping oracledb

exec /bin/su - oracle -- /home/oracle/middleware/user_projects/domains/IAMDomain/bin/startWebLogic.sh

Enjoy.

OIM 11g Assets

2012-12-17T06:28:00.000-08:00

Since the first 11g release, OIM engineering and product management teams have been working hard on field enablement. As part of this work, they created a wonderful set of reusable OIM customizations examples. Such components are called 'OIM assets'.

Among these great assets, you can find examples of approval workflow, event handler, scheduled task, UI customization, and others. They can be used as learning assets; and they can be easily modified and deployed to your OIM environment to address some common use cases. Another nice thing is that there are examples for the three major releases of OIM 11g: 11.1.1.3, 11.1.1.5 and 11.1.2.0.

They can be found at Oracle Technology Network on this page. Have fun!

Unsolicited login with OAM 11gR2

2012-12-17T04:03:00.000-08:00

In a previous post Chris Johnson has discussed unsolicited login with OAM 11g.

In OAM 11gR2 this functionality is supported out of the box and with little effort you can implement Unsolicited Login.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

If you're interested to authenticate using unsolicited POST, please read on…

My Silly (and common) Mistake with the OAM Mobile and Social SDK on iOS

2012-12-14T13:15:00.001-08:00

I recently created an iOS application using the OAM Mobile and Social SDK for iOS and got an error in my debugger output window:

2012-12-05 19:06:38.038 PiggyBank[24799:1303] -[__NSCFString OMJSONValue]: unrecognized selector sent to instance 0xb2be000

This error appeared after the Application Profile was downloaded and I couldn't figure out what I had done wrong.

Turns out I'd forgotten one step after adding the SDK bits to the XCode project - I had forgot to add the linker flags "-ObjC -all_load" under Build Settings.

To fix this click on the Project, then click the Target, then click the "Build Settings" tab and find the "Other Linker Flags" row. Edit it and add -ObjC -all_load to whatever's already there. Here's a screen shot:

Those flags are needed whenever a new message (function) will be passed to existing class without extending it. Inside the bits of the M&S SDK NSString doesn't have OMJSONValue but the SDK will pass OMJSONValue to NSString, so those flags are needed to make it work.

Of course this is documented in a block marked "Important:" but I missed it and I'm guessing if you found this blog post via Google you did too!

Password Policy in OAM 11g R2

2012-12-12T01:00:00.000-08:00

One of the features in the new 11G R2 (or 11.1.2) release of Oracle Access Manager that's been most eagerly anticipated is the support for password policy within the OAM product; that is, the ability for OAM itself to support a subset of password management processes without the need to use Oracle Identity Manager and LDAP Sync. In this post, I'd like to explore this functionality in a little more detail and also explore exactly which use cases are supported.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Starting OID 11g with Upstart

2012-12-04T13:00:00.000-08:00

If you read my post on Upstart a while ago you know that I'm a fan of Upstart.

But I hadn't sat down to redo my old (and crummy) OID/OVD start scripts to use Upstart until this week partly because "if it ain't broke don't fix it" but partly because who the heck has time?!

This week I needed to create a new environment to put together a demo of the Mobile side of OAM Mobile and Social and thought I'd take a few minutes to fix that. It didn't take all that long.

Here's my /etc/init/oid.conf

start on runlevel [345]

# This is good for debugging purposes but it's a bad idea to leave
# this on long term.
#console output

# this starts OPMN, OID and OVD
pre-start script
    /bin/su - oracle -c "/home/oracle/middleware/asinst_1/bin/opmnctl startall"
end script

# and this stops them
post-stop script
    /bin/su - oracle -c "/home/oracle/middleware/asinst_1/bin/opmnctl stopall"
end script

# note that I'm only starting the AdminServer here
exec /bin/su - oracle -- /home/oracle/middleware/user_projects/domains/IDMDomain/bin/startWebLogic.sh

Note: Because this is a little test environment and I want to keep the memory down and don't need DIP or a bunch of other stuff I simply moved ODSM from wls_ods1 to the Admin Server. That lets me run OID and ODSM without needing to start the wls_ods1 managed server.

Protecting Intranet and Extranet Applications with a Single OAM 11g Deployment

2012-11-28T10:50:00.000-08:00

I frequently get asked how to setup a single OAM deployment to protect both intranet and extranet apps. Today I’d like to explore the issues and solutions around such a setup.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.
Read more »

X509 Fallback to Form

2012-11-14T15:52:00.000-08:00

OAM 11G does not provide an out of box solution for falling back to FORM authentication if X509 Certificate is not available or if the certificate is not accepted by the user. I have seen this requirement coming from customers and found a solution after brainstorming with my colleagues (special thanks to Chris Johnson and Brian Eidelman). The solution is not very difficult, though it needs some additional configurations and coding.

It should be noted that this solution is not for the use case where the user's authentication is rejected due to an invalid certificate by OAM and then the user needs to fallback to a FORM for another authentication attempt.

Converting SSL certificate generated by a 3rd party to an Oracle Wallet

2012-11-08T08:31:00.001-08:00

Recently a customer asked me how to import his private key and certificate into an Oracle HTTP Server Wallet.

The customer generated a CSR outside the OHS Wallet Manager, using Open SSL, and sent it to a CA to get his certificates issued by them.

Unfortunately, the Wallet Manager only allows you to import certificates which were created for a CSR generated by the Wallet itself.

Despite this minor limitation, there is a workaround to get your private key, certificate and CA trusted certificates chain into Oracle Wallet.

This post explains the simple steps to achieve this, with a little help from Open SSL.