FLEXCUBE NGP Project
Configuration Document : OAAM
11gR2 Configuration Document

Name
Author: Yamini N. Phalak
Current Status: Initial
Date: 08-Feb-2013
Revision History

Version   Updates          Author             Date
0.1       Initial Draft.   Yamini N. Phalak   08-Feb-2013
Table of Contents
Revision History
1. Introduction
1.1. Pre-Requisites
2. Configuration Steps
2.1.
2.2.
2.4.
2.5.
2.6. Importing policies
2.7.
3.2
List of Figures
Figure 1 : Security Realms -> Groups
Figure 2 : User Creation in WebLogic console
Figure 3 : Assigning roles to user
Figure 4 : Creating new Provider
Figure 5 : Changing control flag of providers
Figure 6 : Security Credentials
Figure 7 : Adding oaam_db_key to CSF
Figure 8 : Properties etc. nodes of OAAM admin server
Figure 9 : Import properties dialog box
Figure 10 : Dialog box showing imported properties
Figure 11 : OAAM server web services
Figure 12 : 'Attach Policy' link
Figure 13 : OAAM Web Services
Figure 14 : oracle/wss_http_token_service_policy Policy
Figure 15 : Attach policy
Figure 16 : 'oaamadmin' user from DefaultAuthenticator realm
Figure 17 : oaam_native file changes
Figure 18 : system-jazn-data.xml changes
Figure 19 : OAAM action groups
Figure 20 : Challenge 1FA group tab
Figure 21 : Add actions
Figure 22 : Challenge 1FA action
1. Introduction
1.1. Pre-Requisites
OAAM 11gR2 is already installed.
2. Configuration Steps
2.1.
3. Create a new user, say oaamadmin/welcome1 (this user is used to log in to the OAAM admin server at http://localhost:14200/oaam_admin/faces/pages/home.jspx?).
5. Create a new provider, i.e. OIDAuthenticator, in the Home->Summary of Security Realms->myrealm->Providers tab and select its type as OracleInternetDirectoryAuthenticator.
6. Select the new authentication provider instance to navigate to its configuration page and fill in the following details in the Provider Specific tab.

Property              Value
Host
Port                  389
Principal
Credential
Confirm Credential
User Base DN
Group Base DN
                      Check this.
                      Check this.
7. Restart the OAAM domain server and select the Home->Summary of Security Realms->myrealm->Users and Groups tab to verify that the list of users and groups is being propagated from OID.
8. If users and groups are populated from OID, change the Control Flag of the OID authenticator to Sufficient and click Save. Change the Control Flag of the Default Authenticator to Optional, click Save and restart the WebLogic server.
2.2.
Perform this step if you want to generate new encryption keys and do not want to use the default keys from the Credential Store Framework. Default encryption keys are generated when oaam_server_server1 is started for the first time. If you want to use the default encryption keys, you can instead copy the existing keystores (system_config.keystore, system_db.keystore) from {OAAM MIDDLEWARE}/Oracle_IDM1/oaam/oaam_libs/ear/oaam_native_lib.ear/APP-INF/classes/ into the config/security/oaam folder.
If the command is successful you will see output like this:
    Generated key = <encoded_key>
2. Encode the key using the Base64 algorithm by executing the following command:
    encodeKey.sh config_secret_key.file
If the encoding command was successful, you will see output similar to the following:
    base64encode is done!
    Base64 Encoded value =<encoded_value>
Note this encoded_value; you need it to add the key to the Credential Store Framework.
iii.
8. Click Ok and make sure that you back up the alias and secret key.
d. Create system_config.keystore:
1. Go to the {OAAM MIDDLEWARE}/Oracle_IDM1/oaam/cli folder. Create a file, for example config_3des_key.file, and enter the encoded symmetric encryption key from above.
2. Copy sample.config_3des_input.properties to config_3des_input.properties.
3. Update config_3des_input.properties with the keystore password (e.g. welcome1), alias password (e.g. welcome1) and keyFile (e.g. config_3des_key.file).
4. Generate the keystore using the following command:
    java -cp lib/oaam_core.jar com.bharosa.vcrypt.common.util.KeyStoreUtil readFromFile=config_3des_input.properties updateOrCreateKeyStore
If the KeyStore command was successful, you will see output similar to the following:
    updateOrCreateKeyStore done!
    Keystore file:system_config.keystore,algorithm=DESede
    KeyStore Password=ZG92ZTEyMzQ=
    Alias Password=ZG92ZTEyMw==
Note down the Keystore Password and Alias Password printed on the screen. You will need to add these to oaam_native.properties in the config/security/oaam folder and to bharosa_server.properties of FraudMgmt.ear.
b. If the command is successful you will see output like this:
    Generated key = <encoded_key>
c. Create a file db_secret_key.file and add the secret key to the file like this:
    tobase64=<secret-key>
d. Encode the key using the Base64 algorithm by executing the following command:
    encodeKey.sh db_secret_key.file
If the encoding command was successful, you will see output similar to the following:
    base64encode is done!
    Base64 Encoded value =<encoded_value>
server>:<port>/em using the Web browser and use the WebLogic Administrator credentials to log in.
Expand the weblogic_domain node in the left navigation tree.
Select the OAAM domain, right-click and select the menu option Security, and then the option Credentials in the submenu.
Find out whether there is a map with the name oaam. If not, click the Create Map option and enter the Map Name as oaam. Click OK to save the map.
Click the oaam icon to select the map and then click the Create Key option.
In the pop-up window make sure Select Map is oaam.
Enter the following details:
i. Key Name : DESede_db_key_alias. Make sure there are no typos or spaces.
ii. Type : Generic.
iii.
8. Click Ok and make sure that you back up the alias and secret key.
f.
If the KeyStore command was successful, you will see output similar to the following:
    updateOrCreateKeyStore done!
    Keystore file:system_db.keystore,algorithm=DESede
    KeyStore Password=ZG92ZTEyMzQ=
    Alias Password=ZG92ZTEyMw==
Note down the Keystore Password and Alias Password printed on the screen. You will need to add these to oaam_native.properties in the config/security/oaam folder and to bharosa_server.properties of FraudMgmt.ear.
2.3.
4. Check whether there is a map with the name oaam. If not, click the Create Map option and enter the Map Name as oaam. Click OK to save the map.
5. Click the oaam icon to select the map and then click the Create Key option.
6. In the pop-up window make sure Select Map is oaam.
7. Enter the Key as oaam_db_key. Make sure there are no typos or spaces.
8. Select the Type as Password.
9. Enter the database username of OAAM in the User Name field.
10. Enter the database password of OAAM in the Password field.
11. Enter the description and click Ok.
2.4.
Go to {OAAM_MIDDLEWARE}\Oracle_IDM1\oaam\oaam_libs\ear
4. Open temp\process_results.rule in an editor and add the following FLEXCUBE-specific rules to that file:
<rule name="payeePreauthorized" no-loop="true" salience="100">
  <parameter identifier="actionList">
    <class>java.util.List</class>
  </parameter>
  <java:condition>actionList.contains("payeePreauthorized")</java:condition>
  <java:consequence>
    if (logger != null){
      logger.debug("Executing payeePreauthorized condition");
    }
    finalAction.append("payeePreauthorized");
    drools.clearAgenda(); <!-- This stops any other rules from being evaluated -->
  </java:consequence>
</rule>
<rule name="Challenge2FA" no-loop="true" salience="100">
  <parameter identifier="actionList">
    <class>java.util.List</class>
  </parameter>
  <java:condition>actionList.contains("Challenge2FA")</java:condition>
  <java:consequence>
    if (logger != null){
      logger.debug("Executing Challenge2FA condition");
    }
    finalAction.append("Challenge2FA");
    drools.clearAgenda(); <!-- This stops any other rules from being evaluated -->
  </java:consequence>
</rule>
<rule name="Challenge1FA" no-loop="true" salience="100">
  <parameter identifier="actionList">
    <class>java.util.List</class>
  </parameter>
  <java:condition>actionList.contains("Challenge1FA")</java:condition>
  <java:consequence>
    if (logger != null){
      logger.debug("Executing Challenge1FA condition");
    }
    finalAction.append("Challenge1FA");
    drools.clearAgenda(); <!-- This stops any other rules from being evaluated -->
  </java:consequence>
</rule>
<rule name="Challenge1FADelay" no-loop="true" salience="100">
  <parameter identifier="actionList">
    <class>java.util.List</class>
  </parameter>
  <java:condition>actionList.contains("Challenge1FADelay")</java:condition>
  <java:consequence>
    if (logger != null){
      logger.debug("Executing Challenge1FADelay condition");
    }
    finalAction.append("Challenge1FADelay");
    drools.clearAgenda(); <!-- This stops any other rules from being evaluated -->
  </java:consequence>
</rule>
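All four rules above carry the same salience and each one clears the agenda after appending its action, so when actionList carries more than one of these names the surviving action depends on the engine's conflict-resolution order rather than on anything guaranteed by the file. The following Python model (added here; it is neither part of this document nor OAAM or Drools code) makes that dependency visible; RULE_FILE_ORDER and the agenda_order parameter are assumptions of the model.

```python
# Constructed model of the four process_results.rule entries: same condition shape,
# same salience (100), append to finalAction, then drools.clearAgenda().
RULE_FILE_ORDER = ["payeePreauthorized", "Challenge2FA", "Challenge1FA", "Challenge1FADelay"]


def run_process_results(action_list, agenda_order=RULE_FILE_ORDER, logger=None):
    """Evaluate the rules in the given agenda order and return finalAction as a list."""
    final_action = []
    for rule in agenda_order:
        if rule in action_list:              # <java:condition>actionList.contains(rule)</java:condition>
            if logger is not None:           # if (logger != null) logger.debug(...)
                logger(f"Executing {rule} condition")
            final_action.append(rule)        # finalAction.append(rule)
            break                            # drools.clearAgenda(): no further rule is evaluated
    return final_action


def is_order_sensitive(action_list):
    """True when the outcome changes with agenda order, i.e. actionList names two or more rules."""
    reversed_order = list(reversed(RULE_FILE_ORDER))
    return run_process_results(action_list) != run_process_results(action_list, reversed_order)
```

If a transaction can legitimately yield both a Challenge1FA and a Challenge2FA action, give the rule that must win a higher salience instead of relying on the tie-break.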
2.5.
bharosa.cipher.encryption.algorithm.enum.DESede_db.keystoreFile=system_db.keystore
bharosa.cipher.encryption.algorithm.enum.DESede_db.keystorePassword=ZG92ZTEyMzQ=
bharosa.cipher.encryption.algorithm.enum.DESede_db.aliasPassword=ZG92ZTEyMw==
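The KeyStoreUtil output in section 2.2 and the three oaam_native.properties entries above must agree exactly, and the printed KeyStore Password and Alias Password are only Base64-encoded, not encrypted, so the properties file holds the keystore password in recoverable form. The following consistency check is an added example, not code from this document or from OAAM; the sample output and property lines are constructed from the formats shown on this page, and the DESede_db enum name and the entered_keystore_password parameter are assumptions of the script.

```python
import base64, binascii, re

# Constructed samples copied from the output and property formats shown in this document.
KEYSTOREUTIL_OUTPUT = """updateOrCreateKeyStore done!
Keystore file:system_db.keystore,algorithm=DESede
KeyStore Password=ZG92ZTEyMzQ=
Alias Password=ZG92ZTEyMw=="""
OAAM_NATIVE_SNIPPET = """bharosa.cipher.encryption.algorithm.enum.DESede_db.keystoreFile=system_db.keystore
bharosa.cipher.encryption.algorithm.enum.DESede_db.keystorePassword=ZG92ZTEyMzQ=
bharosa.cipher.encryption.algorithm.enum.DESede_db.aliasPassword=ZG92ZTEyMw=="""
PREFIX = "bharosa.cipher.encryption.algorithm.enum."

def parse_keystoreutil_output(text):
    # Pull the keystore file, algorithm and the two printed passwords out of the console output.
    out = {}
    for line in text.splitlines():
        m = re.match(r"Keystore file:(\S+?),algorithm=(\S+)", line)
        if m:
            out["keystoreFile"], out["algorithm"] = m.group(1), m.group(2)
        elif line.startswith(("KeyStore Password=", "Alias Password=")):
            out["keystorePassword" if line[0] == "K" else "aliasPassword"] = line.split("=", 1)[1].strip()
    return out

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#' comments and blank lines are ignored."""
    pairs = (l.split("=", 1) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def decode_printed_password(value):
    """The printed passwords are only Base64-encoded, not encrypted: decode strictly or fail loudly."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid Base64 password value: {value!r}") from exc

def check_native_properties(props, util_output, enum="DESede_db", entered_keystore_password=None):
    """Return findings (empty list = consistent) for one cipher enum in oaam_native.properties."""
    findings = []
    for suffix in ("keystoreFile", "keystorePassword", "aliasPassword"):
        key = f"{PREFIX}{enum}.{suffix}"
        if props.get(key) != util_output.get(suffix):
            findings.append(f"{key} is missing or differs from the KeyStoreUtil output")
        if suffix.endswith("Password"):
            try:
                plain = decode_printed_password(props.get(key, ""))
            except ValueError as exc:
                findings.append(str(exc))
                continue
            if suffix == "keystorePassword" and entered_keystore_password not in (None, plain):
                findings.append(f"keystore password decodes to {plain!r}, not the value you entered")
    return findings
```

Passing the keystore password you typed into config_3des_input.properties as entered_keystore_password catches output pasted from elsewhere: the sample values on this page decode to dove1234 and dove123, not welcome1.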
2.6.
Importing policies
1. Copy the oaam imports from \\iflmuw-vss-53\flex-sails\r2b\12. others\oaam to your machine. In the OAAM admin server, import properties, groups, entities, transactions, conditions and policies, in that order.
b. Click on Import Properties and, in the Import Properties dialog box, give the path of the properties import zip file and click Import.
c. You will see the list of imported properties; then click the Done button.
Restart the OAAM servers or re-import the zip files if you face any issue during data import.
2.7.
d. Select all rows corresponding to OAAM Web Services and click the Next button.
f. Click the Attach button on the next page and restart the OAAM admin and managed servers.
#Name of the alias for the config key. If you update this, then you need to update the appropriate OAAM config properties also.
keystorealias=vcrypt.soap.call.passwd
#Keystore type. Default is good enough for most cases
keystoretype=JCEKS
#Prints the encoded keystore and alias passwords on the console. These passwords have to be added to bharosa_client.properties and bharosa_server.properties to open and read the alias from the keystore
printEncodedPasswords=true
f. If the KeyStore command was successful, you will see output similar to the following:
    updateOrCreateKeyStore done!
    Keystore file:system_soap.keystore,algorithm=DESede
    KeyStore Password=ZG92ZTEyMzQ=
    Alias Password=ZG92ZTEyMw==
g. Note down the Keystore Password and Alias Password printed on the screen. You will need to add these to oaam_native.properties in the config/security/oaam folder as shown below; also copy the keystore to the same location.
a. Web
b. Under weblogic_domain, select the domain, select oaam_server_server1, right-click and select the Web Services option.
c. Click 'Attach Policies'.
d. Select all rows corresponding to OAAM Web Services and click the Next button.
e. Select the rows oracle/no_authentication_service_policy and oracle/no_authorization_service_policy. Click the Next button.
f. Click the Attach button on the next page and restart the OAAM admin and managed servers.
2.
3.1
A. Issue Description :
The OAAM server creates default credential keys when it is first started. If these are not generated, you might see the following errors in the logs:
[APP: oaam_server#11.1.2.0.0] Error while generating and adding key to CSF for the alias
[DESede_db_key_alias]. Error Message = [access denied
(oracle.security.jps.service.credstore.CredentialAccessPermission
context=SYSTEM,mapName=oaam,keyName=DESede_db_key_alias read)][[
java.security.AccessControlException: access denied
(oracle.security.jps.service.credstore.CredentialAccessPermission
context=SYSTEM,mapName=oaam,keyName=DESede_db_key_alias read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
at java.security.AccessController.checkPermission(AccessController.java:549)
at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:458)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:518)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:544)
B. Resolution:
Change all entries for the oaam_server and oaam_admin application versions in system-jazn-data.xml and restart the OAAM admin and managed servers.
3.2
A. Issue Description :
The custom action groups (Challenge 1FA, Challenge 1FA Delay, Challenge 2FA, Challenge 2FA Delay) have no action assigned to them after import.
B. Resolution :
1. Restart the OAAM admin and managed servers and try to re-import all groups.
c. Click on the 'Challenge 1FA' link in the 'Search Results' table, which opens the 'Challenge 1FA' group details in a new tab. In the 'Challenge 1FA' group tab, go to the 'Actions' tab and click on the 'Add Action' button.
d. In the 'Add Actions' dialog box search for the 'Challenge 1FA' property. From the 'Search Results' table select the 'Challenge 1FA' action and click on the 'Add' button.
e. You will see a success message pop up and the action will be added in the 'Actions' tab of the 'Challenge 1FA' group tab.
f. Similarly add the 'Challenge 1FA and Delay' action for the 'Challenge 1FA Delay' action group, the 'Challenge 2FA' action for the 'Challenge 2FA' group, and the 'Challenge 2FA and Delay' action for the 'Challenge 2FA Delay' group.