Oracle Fusion Middleware Security

Deploying OAM 11g Correctly Part 2 – Logins and SSL

2012-05-24T14:01:00.000-07:00

This is another post in our OAM 11g Academy series. To view the first post in the series which will be updated throughout to contain links to the entire series, click here: http://fusionsecurity.blogspot.com/2011/02/oracle-access-manager-11g-academy.html

A couple months ago Chris wrote a good post about the best way to deploy OAM from a web server / network architecture point of view.

Today, I’d like to touch on a very important but overlooked aspect of OAM deployments which is whether or not to use SSL between the web server and OAM. The product documentation and broader OAM writings out there in the community do a good job of describing the webgate to OAM server communication (OAP) security modes of open vs. simple vs. cert mode. However, what is completely neglected is the discussion of whether or not to use SSL between the web server and OAM.
Read more »

Domain Architecture and Middleware Homes Revisited

2012-05-23T11:13:00.000-07:00

Over a year ago I wrote a couple important posts about the domain architectures used in Oracle Identity Management deployments. You can find these posts here and here.

These posts have been very popular. I’ve received lots of positive feedback on them but also a fair number of questions. So, I thought that it would be worth revisiting the topic now.

Split profile setup with AD and OID for Fusion Apps IDM

2012-05-01T15:25:00.000-07:00

I have discussed split profile set up scenario for Fusion Applications IDM Environment with AD and OID , process of creation of Adapters needed in OVD for consolidating the two directory servers AD and OID and the configuration changes needed in OAM , OIM and WLS of IDM Environment in these 2 Blog posts.

Part1 , Part 2

This process is relevant to FA Release RUP1 . From release RUP2 some of these manual steps have been automated, which i will discuss in a future blog.

OAM 11g - IPM Integration

2012-04-24T17:24:00.000-07:00

Here is a post that integrates OAM 11g with IPM. This integration is implemented on top of the OAM/UCM integration I did back in December.

Prerequisites

Install, configure and integrate UCM with OAM. Click here for the post I did for OAM/UCM.
Install and configure IPM with the same OHS proxy used to proxy the UCM application.

High Level Steps/Checklist

Configure an OHS server to proxy all request to IPM (/imaging).
Register a webgate with the URL’s you want to protect.
Configure an OAM Identity Asserter and LDAP/OVD provider in Weblogic.
Validate users can access IPM with WLS Security.
Install a webgate on OHS server and validate.

Notes:

Steps 2 through 4 may have been completed in the steps defined in the OAM-UCM integration.

Verifying the ‘/imaging’ URL may result in a “404 Not Found” error. This will occur if you have a webgate on the OHS server already installed and have not defined a policy to protect this URI. This is expected due to the webgate setting of ‘denyOnNotProtected’.

Detail Steps

Follow the documentation to configure OAM Access Manager 11g with Oracle IPM, Section 2.3.5: http://download.oracle.com/docs/cd/E17904_01/admin.1111/e12782/c02_security.htm#CDDFAFAC
2.3.5 - Integrating Oracle IPM With Oracle Access Manager 11g
1. OAM/Webgate have already been configured and installed.
2. Modify the mod_wl_ohs.conf file with the forwarding URL
3. Use the remote registration tool oamreg as follows in section 15.2.2.2:http://download.oracle.com/docs/cd/E21764_01/core.1111/e10043/osso_b_oam11g.htm#JISEC9104
  15.2.2.2 - Provision with 11g Webgate

Acquire the tool

The rreg tool can be found and executed on the same box where OAM is installed. No need to un-tar.

Created a new IPM-Request.xml. Since the same OHS server used to proxy UCM, is being used to forward/proxy the IPM app, use the same host identifier and agent name as defined for UCM. The only difference being the protected and public resources.

<OAM11GRegRequest>
<serverAddress>http://ateam-hq66.us.oracle.com:7003</serverAddress><hostIdentifier>UCM-INT</hostIdentifier>

<agentName>UCM-INT</agentName>
<protectedResourcesList>
<resource>/imaging/faces</resource>
</protectedResourcesList>
<publicResourcesList>
<resource>/imaging</resource>
</publicResourcesList></OAM11GRegRequest>

On the command line, execute the following:

./bin/oamreg.sh
inband input/IPM-Request.xml

When asked to enter the admin and password, make sure the user is part of the system store you configured for OAM (e.g testuser1/welcome1)

NOTE: Make sure you copy the new artifacts from the RREG output directory to the OHS webgate directory (i.e. .../Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config) and restart the OHS server.

Steps 4 and 5 from Section 2.3.5 was already completed during the UCM/OAM setup.

Trouble shooting tips:

Cannot login via OAM – A few things to verify:
- Make sure that the LDAP Authentication Module in the OAM console is pointing to the correct data store.
- Make sure that the WLS provider matches the same OAM data store configuration.

Custom transformation provider for OIM GTC connector

2012-04-23T15:00:00.000-07:00

GTC based connector is one of the most used approaches for reconciling data into OIM, specially through the use of flat files. A common issue is that some customers do not allow direct communication between OIM and the HR system (for different reasons like outsourced HR system, security constraints and others), hence a flat file is made available to OIM so that it reconcile users.

Very often, there is a need to manipulate the data to be reconciled in OIM through the GTC connector. When that is true, most of customers end up creating event handlers to manipulate reconciled data. The problem with this approach is that in OIM 11g, only 'post process' event handlers can be used to manipulate reconciliation data (and the data can only be manipulated after reconciled into OIM), and this can make some manipulations really tricky and/or cumbersome.

Read more »

Scripts to ease building your Identity Management environment

2012-04-18T14:40:00.001-07:00

One of my mottos is "why do something by hand if you can automate it in twice the time?"

So a while back I put together a bunch of scripts to do just that. They've been handed around by a few people and Warren Strange eventually had the sensible idea to put them up on GitHub along with some other useful stuff.

I can only take credit for the "installscripts" directory there, but thought I'd at least put a pointer here to the main project.

Get them at https://github.com/Oracle-IAM/Oracle-IAM-Scripts

Remember that these scripts were originally written for my own use so they may or may not be appropriate (or even work) for you.

Retrieving and Setting HTTP Headers in BPEL

2012-04-17T13:16:00.000-07:00

The capability to retrieve and set HTTP headers in BPEL was recently added to Oracle SOA Suite 11g. Edwin Biemond has written an excellent blog post on how to use this capability.

From a security/IDM perspective, I think this feature opens up the ability to create some interesting solutions whereby identity information is added to HTTP headers by OAM (or other SSO products) in the web tier and consumed by services in the app tier. It also makes it possible to pass identity data between services in HTTP headers and thereby ignore having to modify web service requests themselves.

I’ll only add as a warning to remember that end users have the capability to add whatever HTTP headers they want to the requests they make. So, solutions should be developed with this in mind. In particular, if you are going to create a solution that depends on BPEL consuming an HTTP header created by an OAM response, you need to take steps to either ensure that this header really came from OAM (by signing or encrypting it) or take steps to ensure that all requests to BPEL really did originate by coming through the web tier with OAM.

Unsolicited login with OAM 11g

2012-04-03T09:34:00.000-07:00

In a previous post I talked a little about protecting only a part of an application with OAM. I included this bit of text describing the use case:

But what if you want to let users access part of the app anonymously, but require them to log in to access some of the apps features? I don't know what anyone else calls this sort of flow, but I call it the shopping cart model (browse around tossing stuff in your card, then sign in to check out).

That post talked about how to support the "shopping cart" login model with OAM if you're using ADF, but what if you're trying to accomplish that with plain old HTML or something else?

Validating an Oracle IDM Environment (including a Fusion Apps build out)

2012-03-28T11:28:00.001-07:00

In this post I walk you through how to validate an Oracle Identity Management build out containing OID, OVD, OIM, and OAM. This post was motivated by work I have done with Fusion Apps.

It is important to validate the IDM build out for Fusion Apps before you move on to the provisioning of Fusion Apps itself. Problems detected during the IDM build out are much easier to diagnose and fix than problems detected during FA provisioning, FA functional setup or FA operations themselves.

In addition, it is important to have documented validation steps for your Oracle IDM environment to use at other points as well. For instance, you will want to validate your IDM environment when you bring it back online following a backup.

Lastly, you will want to be able to go through validation steps for your IDM environment as a means of debugging IDM related application issues. For example, let’s say people come to you all of the sudden saying they can’t login to a Fusion HCM application. You’ll want to be able to go through the IDM validation steps to see what if anything is wrong with the IDM infrastructure that could be causing this issue.

Read more »

Live webcast (April 11th) with ING on their OIA-OIM implementation

2012-03-27T10:15:00.000-07:00

Scale Up Without Getting Bogged Down

If your organization is like many, you’ve conducted access certification for a handful of applications. But what about the other thousand applications? Organizations are spending up to 40% of their IT budgets on compliance, yet many chief information security officers don’t feel any safer than they were before. With the large volume of systems, applications, users, and entitlements to review, the process is error-prone and difficult.

In this session, Mark Robison of ING shares his learning experiences on how to address these challenges. He will discuss how to:

Simplify the user experience and achieve better service levels
Reduce the help-desk workload with closed-loop remediation
Scale the process of certifying applications
Strike a balance between security risk and audit compliance

Register now for the Webcast.

https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=389882&sessionid=1&key=DA263A8A48EC01E1F41904939FFC7C56&partnerref=evite_sec_idmmulti42012&sourcepage=register

Deploying OAM "correctly"

2012-03-23T09:32:00.000-07:00

On the internal mailing lists there's often a question that goes something like:

I want to deploy OAM like this:

Is this supported?

The answer is "If you really want to do that then yes. But you probably shouldn't do it that way."

Read on for why. Read more »

Encapsulating OIM API’s in a Web Service for OIM Custom SOA Composites

2012-03-20T07:00:00.002-07:00

Introduction

This document describes how to encapsulate OIM API calls in a Web Service for use in a custom SOA composite to be included as an approval process in a request template.

We always recommend customers to follow this approach when trying to invoke OIM’s APIs inside SOA composites used as approval processes for the following reasons:

A web service implementation allows the instantiation of all related APIs once at service startup as opposed to getting a remote reference to each required API interface. This improves performance and reduces the memory footprint of the composite if these API’s are instantiated in embedded Java Tasks.
This paradigm allows the implementation of HA for the Web Service encapsulating the API calls and provides the ability to deploy the web service in a separate server from the SOA and OIM servers is so desired. This increases the robustness and reliability of the solution.
According to BPEL’s documentation Embedded Java Tasks should only be used for quick utility logic, no business logic should be included in these tasks. For details refer to http://docs.oracle.com/cd/E15586_01/integration.1111/e10224/bp_java.htm#BABHJHBG section 13.2.3 How to Embed Java Code Snippets into a BPEL Process with the bpelx:exec Tag. The reason for that is because all memory required for objects being instantiated within the embedded Java code is adding to the memory space of the composite instance itself which will be kept for the life of the composite instance. This means that if a composite has an asynchronous BPEL process (which is definitely the case for OIM’s Approval Process composites) and that can make the BPEL process to remain there for days or weeks, memory problem may start to arise.

Procedure

The assumption here is that JDeveloper is going to be used to edit the SOA composite and there are no other tools suitable for this purpose. JDeveloper is also a good tool to create the Web Service wrapping the OIM API calls. All that is needed is to create a POJO (Plain Old Java Object) and convert it to a Web Service, and then deploy it to an application server (Weblogic in this case); all of which can be accomplished with JDeveloper.

Please refer to JDeveloper 11g documentation for information on how to create a Web Service out of a POJO since this is out of scope for this document. Once the web service is created and deployed one can obtain the WSDL from the Web Logic Admin console. Just access the deployments and drill down to the Test Client of the web service. The WSDL will be available from the Test client window or from the table showing the testing points in the Weblogic Admin Console. All that is needed is to copy the URL for the WSDL and paste it in the proper text box when configuring the Web Service reference in the composite.

Once the Web Service reference is configured in the Composite, it can be linked to the BPEL process inside the composite. All we need to do is to connect the icon representing the BPEL process with the Web Service reference by stretching an arrow connecting the two of them. Consult the SOA Composite Editor documentation from JDeveloper’s 11g users guide. To invoke methods on the newly wired in Web Service an Invoke Task must be included for each method to be called. The Invoke Task allows you to define the following elements:

An input variable that will include the input values for the specific method call taken from the WSDL of the Web Service.
An output variable that will receive the returning data from the invocation of the Web Service method formatted as specified by the WSDL of the Web Service.

Before an invocation there typically is an Assign Task that will populate the input parameters of a Web Service call by copying values from other variables or assigning literal values to the input parameters in the Input Variable. So inserting the Invoke Task prior to inserting the Assign Task allows you to create the Input and Output Variables that will be populated by the Assign Task for the case of the Input Variable and with the output data from the Web Service method call in the case of the Output Variable. Now the values in the Output Variable can be used anywhere else in the composite and can be transferred using other Assign Tasks within the BPEL Process flow.

Summary

SOA Suite allows the execution of embedded Java logic within the composites. OIM Java APIs are not a good candidate to be included in Embedded Java Tasks, especially if the composites are meant to serve as approval processes that can potentially keep instances of the composite for a long time. The recommended approach is encapsulating the OIM APIs in Web Services with a SOAP interface. Then invoke operations on the OIM API Wrapping Web Service and just manipulate the results. This allows for other benefits from the architecture design perspective and from the performance and memory footprint stand point as well to prevent Out of Memory issues.

OIM 11g LDAPSync Deployment Guidelines

2012-03-16T08:00:00.001-07:00

OIM 11g can be configured to maintain its user and role population synchronized with an LDAP directory using the LDAPSync feature. This functionality is based on asynchronous processing through orchestration events from OIM to LDAP and on scheduled tasks for synchronization from LDAP to OIM. This approach could mean that at some point in time, some of the entries on both repositories may be out-of-sync. Specially when executing long running Trusted Reconciliation scheduled jobs. The entry differences can be caused by processing errors or time lapse between user creation in OIM and user creation in LDAP. This post details some guidelines to minimize and troubleshoot possible errors for OIM LdapSync.

Consider upgrading to OIM 11.1.1.5.2 (OIM 11g Bundle Patch 02). BP02 provides a number of fixes that improve stability specially during bulk processing (large trusted reconciliations).

Tuning and Tips

Tune the environment to allow for better ldapsync performance when executing large trusted reconciliation jobs in the order of +30K. These are some tuning tips, some of them straight from the documentation, others from existing deployments.

OIM Tuning

1. JVM: PORT_MEM_ARGS="-Xms768m -Xmx2048m" in setSOADomainEnv.sh

2. MDBs: In WLS Admin Console -> Environment->Worker Managers->MaxThreadsConstraints-1 set count to 100

3. Disable reloading of Adapters: Using weblogicExportMetadata.sh and weblogicImportMetadata.sh edit the MDS file /db/oim-config.xml.

Replace:

With:

And

With:

4. Database: Monitor Perfomance with AWR reports and collect complete schema statistics using:

DBMS_STATS.GATHER_SCHEMA_STATS(OWNNAME=> schema_owner,

ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE,

DEGREE=>8,

OPTIONS=>'GATHER AUTO',

NO_INVALIDATE=>FALSE);

OID Tuning

Consider deploying multiple OID instances for Failover and Load Balancing. Front end the instances with an LB

Number of OID LDAP Server Processes = #cpus. EM -> Administration -> Server Properties -> Performance ( for each oid instance)

Number of DB Connections per Server Process = 10 (orclmaxcc). EM -> Administration ->server properties (for each oid instance)

Check Skip Referral for Search. EM -> Administration -> Shared Properties (Only if not using referrals in OID).

OVD Tuning (assuming no libOVD is used)

Consider deploying multiple OVD instances for Failover and Load Balancing. Front end the instances with an LB and use the OID LB virtual host as the LDAP server host.

The parameter Operations Timeout for the Adapters to 30000 if needed (using ODSM)

Consider increasing maxpoolsize for the Adapters to 30-40 if needed (using ODSM)

LDAPSync Monitoring

During the time when the LdapSync Orchestration is running check the following tables and columns in the OIM Schema to verify processing:

Obtain the latest reconciliation job key (RJ_KEY) with the query:

select max(RJ_KEY) from recon_events;

Table RECON_BATCHES: using RJ_KEY and RB_NOTE verify that the orchestration events are being created. The Column RB_NOTE shows the orchestration Process ID and the operation. It could also show errors that occur.

Table ORCH_PROCESS: Holds the generated orch processes. ID being the Orchestration Process ID. If Status shows Compensated it means that an event failed. The detail can be seen in the table ORCH_EVENTS.

Table ORCH_EVENTS: Linked to the orchestration process with the column PROCESSID. The RESULT column has the error details in case of failure.

The Out-of-the-Box reconciliation job " Retry Failed Orchestrations " can be used to retry compensated orchestration processes. Specify a date range ("ddMMyyyy") for multiple ones or "Orchestration ID" for single ones. OIM BP02 also includes fixes for this task.

Note: In the case when reconciling new users that come as disabled, an existing bug may create the orchestration disable event before the orchestration create event. So, these disable events would fail in LDAP since the user doesn't exist yet. As a workaround, these events can be retried with the above Recon Job (specify OPERATION=DISABLE and a date range) after all users are created in LDAP.

Peripheral Responsibilities Required for Large IDM Build Outs (Including Fusion Apps)

2012-03-13T10:44:00.000-07:00

Complexity and delay can occur during deployments of Oracle Identity and Access Management products (including the IDM build out for Fusion Apps) due to the fact that certain tasks required for the build out can sometimes only be performed by individuals that are not a part of the core team doing the deployment.

In many organizations IT responsibilities are very siloed. Some tasks during an IAM deployment may require assistance from individuals that operate in silos that are different from the team doing the deployment itself.

It is important to identify these tasks up front. When possible it is a good idea to make as many of these tasks as possible pre-requisites to the actual onsite installation/deployment. When that is not possible, then it is important to line up the assistance that will be required from role players who are outside of the core install/deployment project team to perform tasks that require their help.

The following are examples of such tasks:

Network

1. Provisioning of virtual hosts and VIPs.

2. Configuration of load balancers.

DB

1. Provisioning of DB including install, configuration, and creation of instances.

2. Running the RCU.

3. DB backups

Machine and Storage Provisioning

Provisioning shared storage and machines required for install. Provisioning of machines themselves including the installation and patching of OS. You’d think this would go without saying, but I’ve seen enough projects get delayed due to a lack of machines and storage that I feel I have to mention it.

Root Access

Root access is required during the creation of oraInventory and at several points during the web tier, OID, and OVD install. It is also required to do environment (file system) backups if backup is done as dictated by the EDG. One possible alternative is to do the backup as the install user and then separately backup the few files that are owned by root which do not change from the early stages of the install.

Certificates – PKI Administration

People often forget about the creation of certificates needed for SSL connections and web services security until they are actually needed. The trouble is that in many organizations, the team of people that create certificates for the organization is often small and the process by which certificates are requested and granted can take time. I recommend that when possible certificates be requested and created in advance.

When the request must come from a software component that is being installed as part of the deployment, it is still a good idea to talk to your PKI administrators in advance to make sure that the procedure for issuing the request is clear and to give them a heads up that you’d like the certificate issued as quickly as possible.

ADF Security and OPSS Policies – Sample Application

2012-03-12T10:49:00.000-07:00

In the January / February issue of Oracle magazine, Frank Nimphius wrote a good article on ADF security and OPSS policies. The article includes a good sample application that utilizes ADF and OPSS security, along with a pretty thorough explanation of how the sample application works and was created. You can find the article which includes a link to the sample application download here.

OAM 11g Single Sign-On and OAM 10g Cookies

2012-03-09T09:18:00.000-08:00

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

In an earlier post I talked about how cookies work when you're using OAM 11g server with OAM 11g WebGates. But the OAM 11g server also works with OAM 10g WebGates and there are reasons you'd deploy 10g WebGates today. But OAM 11g and 10g have fundamentally different behavior when it comes to the cookies.

So how do cookies work when you're using 10g WebGates with the 11g server?

Planning an IDM Build Out for Fusion Apps Part 2 – Pre Build Out Checklist

2012-03-08T13:29:00.000-08:00

In my last post I listed all of the architectural decisions that you’ll want to work through before diving into an IDM build out for Fusion Apps.

In this post, I’d like to take things one step further and put forth a checklist of tasks that you’ll want to accomplish before beginning the actual (onsite) build out.

Failure to complete these items before the build out will turn what is already a fairly long and intensive process into a longer and frustrating process. You want to make sure going into the actual build out that you have all the necessary hardware, software, and skill pre-requisites to ensure success.

The IDM build out for Fusion Apps and the Fusion Apps install in general is really a project where advance planning with pay off in spades.

So with that being said, I give you my list:
Read more »

Planning an IDM Build Out for Fusion Apps Part 1 – Discussion Topics

2012-02-29T15:34:00.000-08:00

Today I am kicking of a series of posts on planning an Oracle IDM build out for Fusion Apps. I will start by discussing a bunch of topics that should be discussed and worked through before you move forward with an IDM build out for FA.

I will then continue the series with a pre-install checklist and discussion of supporting characters that will need to participate in the install.

So, with that in mind I’ll dive right in to the topics for discussion:
Read more »

My "enable debug logging" in OAM WLST script

2012-02-24T10:52:00.001-08:00

I was on the phone with someone earlier today and mentioned in passing that I only need to run a simple script to turn debug logging on and off in my little test environment. The silence on the other end of the line told me either he didn't believe me or didn't realize how easy it is to do this sort of thing.

So here it is - enableOAMLogging.py

#!/home/oracle/Oracle/Middleware/Oracle_IAM1/common/bin/wlst.sh

connect('weblogic', 'ABcd1234', 't3://localhost:7010')
domainRuntime()

#Admin server:                                                                                                                                                                   
setLogLevel(logger="oracle.oam.plugin",level="TRACE:32", target="AdminServer", persist="0")
setLogLevel(logger="oracle.oam.extensibility",level="TRACE:32", target="AdminServer", persist="0")
setLogLevel(logger="com.oracleateam.iam.oamauthnplugin",level="TRACE:32",  target="AdminServer", persist="0",addLogger="1")

# OAM server                                                                                                                                                                     
setLogLevel(logger="oracle.oam.plugin",level="TRACE:32", target="oam_server1", persist="0")
setLogLevel(logger="oracle.oam.extensibility",level="TRACE:32", target="oam_server1", persist="0")
setLogLevel(logger="com.oracleateam.iam.oamauthnplugin",level="TRACE:32",  target="oam_server1", persist="0",addLogger="1")

listLoggers(pattern="oracle.oam.*",target="AdminServer")
listLoggers(pattern="com.oracleateam.iam.oamauthnplugin",target="AdminServer")


listLoggers(pattern="oracle.oam.*",target="oam_server1")
listLoggers(pattern="com.oracleateam.iam.oamauthnplugin",target="oam_server1")

disableOAMLogging.py is exactly the same except that it has lines like:

setLogLevel(logger="oracle.oam",level="", persist="1", target="oam_server1")

Setting level to the empty string toggles logging back to <Inherited>

SSL offloading and WebLogic server redux - client x.509 certificates

2012-02-23T14:36:00.000-08:00

I recently had to revisit the subject of SSL offloading and WebLogic server to include the ability to do client certificate authentication. I was specifically doing this for use with Oracle Access Manager 11g, but the configuration steps are identical whether you are using OAM or just WebLogic.

Just to redraw the diagram so we're all on the same page, this is what a real environment with OAM in it might look like:

Note that I put "Apache" in front of the OAM server. That could be Apache, IIS, OHS or indeed any web server. In my case I happened to use Apache but the configuration is the same for Apache or OHS.

The first thing I had to do was configure Apache to support SSL. I'll leave that step up to you - just follow the normal instructions for your web server. Then I created a new VirtualHost for :443 that looks like this:

<VirtualHost *:443>  
  ServerName linux.ktest.oracleateam.com

  SSLEngine on  
  SSLProtocol all -SSLv2  
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW  
  SSLCertificateFile /home/oracle/simpleCA/linux.ktest.oracleateam.com.crt
  SSLCertificateKeyFile /home/oracle/simpleCA/linux.ktest.oracleateam.com.key
  
  <LocationMatch ^/oam/server/.*>
    SetHandler weblogic-handler
  </LocationMatch>
  
  <LocationMatch ^/oam/CredCollectServlet/X509.*>
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /home/oracle/simpleCA/ca.crt
    SSLOptions +StdEnvVars +ExportCertData
  </LocationMatch>
  
</VirtualHost>

There are a couple of interesting things in there.

The LocationMatch for "^/oam/server/.*" which routes any requests that match that regular expression on to the WebLogic plug-in so they can be sent to the OAM server
The LocationMatch for "^/oam/CredCollectServlet/X509.*" In OAM 11g the only URL that actually needs to require client certificate authentication is the x.509 credential collector. By putting "SSLVerifyClient require" on that Location we are telling Apache that unless the user presents a client certificate it should not process the request but instead demand a certificate from the user
The last item is the one that caused me grief - unless you add "SSLOptions +StdEnvVars +ExportCertData" mod_wl will not send the client certificate information down to the WebLogic server

That's all the configuration you need to do in Apache (or OHS). Now you need need to do a couple of steps inside WebLogic.

Check the "WebLogic Plugin Enabled" checkbox as we did in the previous blog post.
On the same page check the "Client Cert Proxy Enabled"

To reiterate where those are - go to the WebLogic Console (http://localhost:port/console), click on the domain name inside the left hand navigation tree, then click the Web Applications tab. You should find both of those settings towards the bottom of the screen.

That should be all you need to do.

Hostname References and Architecture Simplification in the IDM Build Out for Fusion Apps

2012-02-14T14:12:00.000-08:00

In my last post, I discussed the reference architecture for the Identity and Access Management build out of Fusion Apps.

The reference architecture is pretty complex in that it is completely HA, separates all the IDM services into 3 tiers for maximum network security, and separate many of the services onto different physical nodes to account for load separation for high volume production environments.

There are reasons one might want to simplify this for development, QA, or even production environments. Specifically, you may want to consolidate physical hosts, not do HA, or not use a load balancer for some traffic that does in the reference architecture.

I will now discuss how to use the IDM EDG (Oracle Identity Management Enterprise Deployment Guide, Fusion Apps Edition) as a guide for your build out even if you want to deviate from the reference architecture in some way. The key to this is understanding how the EDG makes hostname references and understanding how these references translate to the environment you are creating.

Identity Management for Fusion Applications Reference Architecture

2012-02-09T14:37:00.000-08:00

As I’ve talked about in my last couple posts (here and here), Fusion Apps relies on an Oracle Identity and Access Management platform which must be created through a prescribed build out of Oracle’s IAM stack. The guide for the build out is the Enterprise Deployment Guide for Identity Management (Fusion Apps Edition), which we will refer to now simply as the ‘EDG’ for short.

The first chapter of the EDG includes a good diagram and description of Oracle’s reference architecture for the IAM platform for Fusion Apps. The rest of the EDG walks you through building out an IDM environment that fits this reference architecture.

In this post I’ll give a guided tour of this reference architecture and at the end discuss how you can still use the EDG to build out a simplified environment if that is the route that you want to take.
Read more »

Interview with a Security Architect

2012-02-03T08:16:00.000-08:00

Oracle is hosting a very interesting web event that I thought I would point our readers to.

The event is an interview with Balganesh Krishnamurthy who is the lead Security Architect for Agilent's Identity and Access Management program.

Balganesh shares his thoughts on creating an Identity & Access Management roadmap and how to build a business case for Identity Management.

With over 15 years of experience leading Enterprise software deployments, Balganesh has seen it all. In this session, he discusses his roadmap and provides guidance on how other architects can learn from his experience.

One reason I think that this event could be good is that in my experience customers that see IAM as strategic and therefore develop clear roadmaps that map to business objectives do achieve better results than customers that adopt an ad-hoc strategy to IAM.

With that in mind, here are the event details:

Webcast: Best Practices: Getting Started with an Identity Platform

Date: Wednesday, February 15, 2012

Time: 10:00 AM PST

Register for the event here.

Logging in your OAM plug-in

2012-02-01T13:50:00.000-08:00

I've been playing around with the OAM plug-in API and working on putting together a very simple JDeveloper project that includes a custom login form and an OAM plug-in that demonstrates the basics of using the interface.

I'm going to get that blog post out eventually, but for right now I need to talk about logging inside your plug-in.

OAM uses the Java Logger (java.util.logging.Logger and related classes) to record all of the debugging information in an easily manageable way. When you write your first plug-in it can be a bit confusing to figure out how the heck you get your logging messages out. It's not at all complicated, but it does mean you need to understand how OAM manages its logging.

Let's start with the absolutely minimum amount of code you need to log:

package com.oracleateam.iam.oamauthnplugin;

// a bunch of imports go here

public class DemoAuthNPlugin extends AbstractAuthenticationPlugIn {
  public DemoAuthNPlugin() {
    super();
    LOGGER.finest(this.getClass.getName() + " constructor called.");
  }

  // other methods
}

That's it. The bare minimum needed to get logging working.

Of course you need to do a little more work... Click through to see what else you need to do. Read more »

A Further Introduction to Oracle IDM and Fusion Apps

2012-01-26T20:28:00.000-08:00

Last week I gave an introduction into the Fusion Middleware Security in Fusion Applications. This week I’d like to expand on that introduction to talk specifically, but still at a high level, about how the the Oracle IDM products fit in Fusion Apps. To review, here I’m talking specifically about OID, OVD, OAM, OIM, and optionally OIF.

Active Participants

If you are going to take anything away from what I have written or will write about Fusion Apps and IDM let it be this: Do not ignore the Identity and Access Management components of Fusion Applications or take them for granted.

Even more than the other FMW components in Fusion Apps, the IDM components are not black boxes. They are independent products that must be actively managed.

Independently Installed
This starts at the very beginning with the fact that unlike the other FMW components, the IDM components of Fusion Apps is installed separately from the actual Fusion Apps kit. In fact, what I like to call the IDM environment for Fusion Apps is a pre-requisite to the Fusion Apps install itself which in turn asks approximately 100,000 questions about the IDM environment that it will be leveraging. This IDM environment includes its own database and web tiers which are distinct from the Fusion Apps database and web tiers.

This process is really just a specific build out of the Oracle IDM Suite, very similar to what an Oracle IDM Suite customer might do for a traditional enterprise deployment.

So, to successfully deploy Fusion Apps, you must be able to successfully deploy the Oracle IDM suite.

Mission Critical
The IDM components of Fusion Applications are mission critical. If OVD, OID, or OAM aren’t working properly (or God forbid, aren’t working at all) then neither is Fusion Apps. It is that simple.

So, if you want a high available deployment of Fusion Apps, you better make OVD, OID, OAM, and OIM highly available.

If you want to be able to restore a backup of your Fusion Apps environment, you better know how to back the IDM components.

If you want to be able to monitor the health status of your Fusion Apps deployment, you better include the IDM components in that monitoring.

Smart people involved in the deployment and/or management of Fusion Apps will recognize this and give proper attention to deploying and tuning the IDM environment for Fusion Apps in a way that is consistent with the requirements for the total FA deployment.

Skill Sets You’ll Want to Have
During a Fusion Apps deployment and the build out of the IDM environment that is a part of that deployment you’ll want to be able to:

Understand the deployment options described in the IDM Enterprise Deployment Guide (Fusion Apps Edition).
Be able to use that guide to architect an appropriate IDM build out for your specific Fusion Apps requirements.
Be able to install OID, OVD, OAM, OIM, and optionally OIF; along with the related pre-requisite and auxiliary packages such as SOA suite, WLS, and OHS.
Be able to tune all the above components.
Be able to do basic configuration of each of the listed components. The specifics of what this means varies from component to component and even deployment to deployment.

On an ongoing basis you’ll want to be able to:

Enable and analyze debug logging for each component.
Monitor each component using Enterprise Manager (EM) or integrate the component with an existing monitoring framework in your enterprise.
Be able to take backups of the IDM environment.
Be able to start and stop each component.
Be able to patch each component.
Finally, you’ll still want to have basic configuration and administration knowledge for each component around for expected and unexpected changes and maintenance.

Conclusion
While being able to author complex OAM policies, write custom OVD adaptors, or create complex SOA composites for custom OIM approvals isn’t necessary for most if not all Fusion Apps projects; a foundational proficiency with the Oracle IDM stack where one can install, manage, and monitor each IDM product is required for a successful and stable deployment of Fusion Apps.

In the coming weeks I plan to write more about how to plan for, execute, and verify a successful IDM build out for Fusion Apps.