Manual Chapter: Access Policy Manager Integration with OAM 11g

OAM 11g SSO integration example

Let's walk through an example deployment with Oracle 11g. You can integrate Access Policy Manager with an Oracle 11g server whether it is configured for single sign-on (SSO) single domain or SSO multi-domain. To keep this example simple, we assume that the Oracle 11g server is configured for SSO single domain. The Oracle 11g server performs all authentication. A single Resource WebGate is configured in OAM.

In Access Policy Manager on the BIG-IP system, an AAA OAM server has been configured and includes the details of the OAM Access Server and one AccessGate. One virtual server has been configured with OAM native integration enabled. BIG-IP Application Security Manager (ASM) is installed on another virtual server as a web application firewall configured to prevent DoS and mitigate brute-force attacks.

This figure depicts the traffic flow for the example.

Figure: Typical OAM SSO configuration after APM native integration is enabled

Accessing a protected resource using Access Policy Manager deployed with OAM 11g
  1. The client requests access to a resource. The request comes to the Resource WebGate (RWG).
  2. The RWG checks whether the resource is protected per OAM. The resource is protected and the user has not yet authenticated.
  3. The RWG sends a 302 redirect to the client so that the client is redirected to the OAM 11g server for authentication.
  4. The user follows the redirect to the OAM 11g server for authentication. In this example, the user has never been authenticated, and form-based authentication is the authentication scheme of the OAM policy protecting the original user-requested resource.
    Note: Before traffic reaches OAM, it is checked against the security policies configured with anomaly protection on ASM, provided that the ASM module is enabled to protect the OAM 11g server on the BIG-IP system.
  5. OAM sends a login page to the client.
  6. The user submits credentials, which come to the OAM server where they are validated. In this example, it is assumed that the user submitted valid credentials.
  7. After the user's credentials are successfully validated on the OAM 11g server, the server sends another 302 redirect so that the user is redirected back to the original RWG.
  8. The resource request comes to the RWG.
  9. The RWG verifies the user's original request again using the ObSSOCookie passed from the OAM 11g server. Upon successful authorization, the user is allowed to access the resource.
  10. The protected resource behind VIP1 is sent back to the user.
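The ten-step exchange above, as an added simulation that is not part of this manual and not F5 or Oracle code: a hypothetical Resource WebGate enforces the policy in front of the resource, a hypothetical OAM login endpoint validates credentials and issues the cookie, and a client follows the two 302 redirects. The cookie is a constructed HMAC token standing in for ObSSOCookie (the real cookie format and the WebGate-to-Access-Server protocol are not modelled), the user store and hostnames are constructed, and the lockout counter is only a stand-in for the brute-force protection the chapter assigns to ASM. The failure paths a defender cares about are included: a wrong password re-presents the form, a tampered cookie is rejected and restarts the flow, and repeated failures are refused.

```python
"""Simulated OAM 11g single-domain SSO flow (added example; hypothetical classes)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

OAM_SECRET = b"constructed-demo-secret"             # constructed; a real Access Server owns this
COOKIE_NAME = "ObSSOCookie"
LOGIN_URL = "https://oam11g.example.com/oam/login"  # hypothetical OAM 11g host


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class OamServer:
    """Renders the login form, validates credentials, issues and verifies the SSO cookie."""

    def __init__(self, users, max_failures=5):
        self.users = users            # constructed user store: {username: password}
        self.failures = {}            # stand-in for ASM brute-force mitigation
        self.max_failures = max_failures

    def _mac(self, user, nonce):
        return hmac.new(OAM_SECRET, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()

    def issue_cookie(self, user):
        nonce = secrets.token_hex(8)
        return f"{user}:{nonce}:{self._mac(user, nonce)}"

    def validate_cookie(self, cookie):
        """Return the user carried by a well-formed, untampered cookie, else None."""
        try:
            user, nonce, mac = cookie.split(":")
        except (AttributeError, ValueError):
            return None
        return user if hmac.compare_digest(mac, self._mac(user, nonce)) else None

    def get_login(self, return_url):
        return Response(200, body=f"login-form return={return_url}")   # step 5

    def post_login(self, user, password, return_url):
        # Steps 6-7: validate credentials; on success, redirect back to the RWG with the cookie.
        if self.failures.get(user, 0) >= self.max_failures:
            return Response(429, body="too many failed logins")
        if self.users.get(user) != password:
            self.failures[user] = self.failures.get(user, 0) + 1
            return self.get_login(return_url)                        # wrong password: form again
        self.failures.pop(user, None)
        return Response(302, headers={"Location": return_url,
                                      "Set-Cookie": f"{COOKIE_NAME}={self.issue_cookie(user)}"})


class ResourceWebGate:
    """Steps 2-3 and 9-10: enforce the OAM policy in front of the resource behind VIP1."""

    def __init__(self, oam, protected_paths):
        self.oam = oam
        self.protected = set(protected_paths)

    def handle(self, url, cookies):
        path = urlparse(url).path
        if path not in self.protected:
            return Response(200, body=f"public:{path}")
        user = self.oam.validate_cookie(cookies.get(COOKIE_NAME))
        if user is None:
            # Not authenticated: 302 to OAM, carrying the original URL for the return trip.
            return Response(302, headers={"Location": f"{LOGIN_URL}?{urlencode({'return': url})}"})
        return Response(200, body=f"resource:{path}:user={user}")


class Client:
    """Follows the redirect chain and keeps the cookie jar."""

    def __init__(self):
        self.cookies = {}

    def access(self, rwg, oam, url, user, password):
        """Walk steps 1-10; return (status codes seen in order, final response)."""
        trail = []
        resp = rwg.handle(url, self.cookies)                          # steps 1-2
        trail.append(resp.status)
        if resp.status != 302:
            return trail, resp                                        # already authenticated
        return_url = parse_qs(urlparse(resp.headers["Location"]).query)["return"][0]
        trail.append(oam.get_login(return_url).status)                # steps 4-5
        resp = oam.post_login(user, password, return_url)             # steps 6-7
        trail.append(resp.status)
        if resp.status != 302:
            return trail, resp                                        # bad password or lockout
        self.cookies[COOKIE_NAME] = resp.headers["Set-Cookie"].split("=", 1)[1]
        resp = rwg.handle(resp.headers["Location"], self.cookies)     # steps 8-10
        trail.append(resp.status)
        return trail, resp


if __name__ == "__main__":
    oam = OamServer({"alice": "correct horse"})
    rwg = ResourceWebGate(oam, ["/app/secret"])
    print(Client().access(rwg, oam, "https://app.example.com/app/secret", "alice", "correct horse"))
```

A first visit yields the status sequence 302, 200, 302, 200 (redirect to OAM, login form, redirect back with the cookie, resource); a second visit by the same client is served directly because the cookie is already present. Keeping the verification of the cookie in one place (`validate_cookie`) mirrors why the RWG re-checks the request in step 9 rather than trusting the redirect alone.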

About AAA OAM server configuration

When you create an AAA OAM server, its transport security mode must match the setting in OAM. The procedure for configuring an AAA OAM server with open or simple transport security mode is different from the procedure for configuring an AAA OAM server with cert transport security mode. Only one AAA OAM server is supported, and it must be configured following the procedure that is appropriate for the mode.

Task summary for integrating Access Policy Manager with OAM 11g

Before you begin

Before you start to integrate Access Policy Manager with OAM, configure the Access Server and AccessGates through the Oracle Access administrative user interface. Refer to the Oracle Access Manager Access Administration Guide for steps.

Task list

Follow these steps to integrate Access Policy Manager with OAM 11g server.

Creating an AAA OAM server with open or simple transport security mode

Create an AAA server for OAM to deploy Access Policy Manager in place of OAM 10g WebGates. Use this procedure when transport security mode is set to open or simple on OAM.
Note: Only one OAM server per BIG-IP system is supported. Multiple OAM 10g WebGates from the same OAM server are supported.
  1. On the Main tab, click Access Policy > AAA server, and click the plus sign for the AAA server type that you want to create. The New Server screen opens.
  2. Type a name for the AAA OAM server.
  3. For Access Server Name, type the name that was configured in Oracle Access System for the access server. For the access server name, open the OAM Access System Console and select Access system configuration > Access Server Configuration.
  4. For Access Server Hostname, type the fully qualified DNS host name for the access server system.
  5. For Access Server Port, accept the default 6021, or type the port number.
  6. For Admin Id, type the admin ID. Admin Id and Admin Password are the credentials that are used to retrieve host identifier information from OAM. Usually, these are the credentials for the administrator account of both Oracle Access Manager and Oracle Identity Manager.
  7. For Admin Password, type the admin password.
  8. For Retry Count, accept the default 0, or enter the number of times an AccessGate should attempt to contact the access server.
  9. For Transport Security Mode, select the mode (open or simple) that is configured for the access server in Oracle Access System. If you select simple, enter and confirm a Global Access Protocol Passphrase; it must match the global passphrase that is configured for the access server in OAM.
  10. For each AccessGate, click Add and type the name, description, and password for the AccessGate. You can disable or enable access to the AccessGate by toggling the options. Enter the name and password that were configured in OAM for the AccessGate.
  11. Click the Finished button. This adds the new AAA server to the AAA Servers list.
Next, configure a virtual server and enable OAM support on it for native integration with OAM.

Creating an AAA OAM server when OAM 11g uses cert transport security mode

Create an AAA server for OAM to integrate Access Policy Manager with an OAM 11g server that is using OAM 10g WebGates. Use this procedure when the transport security mode on OAM is set to cert.
Note: Only one OAM server per BIG-IP system is supported. Multiple OAM 10g WebGates from the same OAM server are supported.
  1. For each AccessGate that you will add to Access Policy Manager, obtain OAM 10g WebGate files and then import them into Local Traffic Manager; the files that you need are the certificate, key, and certificate chain.
    Note: Access Policy Manager OAM native integration is built using the Access Manager 10g SDK; Access Policy Manager acts as an OAM 10g WebGate.
    As a starting point for importing the files, select Local Traffic Manager > SSL Certificate > Import.
  2. On the Main tab, click Access Policy > AAA server, and click the plus sign for the AAA server type that you want to create. The New Server screen opens.
  3. Type a name for the AAA OAM server.
  4. For Access Server Name, type the name that was configured in Oracle Access System for the access server. For the access server name, open the OAM Access System Console and select Access system configuration > Access Server Configuration.
  5. For Access Server Hostname, type the fully qualified DNS host name for the access server system.
  6. For Access Server Port, accept the default 6021, or type the port number.
  7. For Admin Id, type the admin ID. Admin Id and Admin Password are the credentials that are used to retrieve host identifier information from OAM. Usually, these are the credentials for the administrator account of both Oracle Access Manager and Oracle Identity Manager.
  8. For Admin Password, type the admin password.
  9. For the Transport Security Mode setting, select cert.
  10. For each AccessGate, click Add and type the name, description, and password for the AccessGate. You can disable or enable access to the AccessGate by toggling the options. Enter the name and password that were configured in OAM for the AccessGate.
  11. Click the Finished button. This adds the new AAA server to the AAA Servers list.
  12. From tmsh, assign the proper certificate, key, and certificate chain to each AccessGate object accordingly; also, set the signed key passphrase if needed. Here is an example with the root user logged onto the fp2mgmt server and executing commands from the Active/Common/tmos.apm.aaa.oam directory.
    root@fp2mgmt(Active)(/Common)(tmos.apm.aaa.oam)# modify oam11g accessgates modify { oam10gweblogin { sign-key-passphrase abcd1234 } }
    root@fp2mgmt(Active)(/Common)(tmos.apm.aaa.oam)# modify oam11g accessgates modify { oam10gweblogin { sign-key isapiwebgate-cert.key } }
    root@fp2mgmt(Active)(/Common)(tmos.apm.aaa.oam)# modify oam11g accessgates modify { oam10gweblogin { sign-cert isapiwebgate-cert.crt } }
    root@fp2mgmt(Active)(/Common)(tmos.apm.aaa.oam)# modify oam11g accessgates modify { oam10gweblogin { sign-chain isapiwebgate } }
    When you restart the EAM service, it detects that the AccessGate is configured in cert mode and automatically uses the key, certificate, and certificate chain files for the initial bootstrap, so that each AccessGate can be successfully initialized against the OAM 11g server.
  13. At the command line, restart the EAM service by typing bigstart restart eam.
Next, configure a virtual server and enable OAM support on it for native integration with OAM.

Creating a virtual server

Configure an AAA OAM server before you perform this task.
A virtual server represents a destination IP address for application traffic. Configure one virtual server for each AccessGate that is included in the AAA OAM server AccessGates list.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the Create button. The New Virtual Server screen opens.
  3. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. The IP address you type must be available and not in the loopback network.
  4. Type a port number in the Service Port field, or select a service name from the Service Port list.
  5. In the Resources area of the screen, from the Default Pool list, select a pool name.
  6. Scroll down to the Access Policy section and check the Enabled box for OAM Support.
  7. Click Finished.
A destination IP address on the Access Policy Manager system is now available for application traffic.

Using OAM authentication in an access policy with OAM 11g (or 10g)

Before you start this procedure, the Access Server and AccessGates must be configured through the Oracle Access administrative user interface. An Access Policy Manager AAA OAM server and a virtual server must be configured on the BIG-IP system.
Separately, and in addition to using Access Policy Manager as an OAM 10g WebGate, you can create an access policy that uses OAM authentication. You might configure such an access policy to provide a client with SSL VPN access, authenticating with an Oracle 10g or 11g server that is configured for single sign-on single-domain use.
Note: This approach does not work for Oracle single sign-on multi-domain configurations.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.

Note: The next few steps explain how to create a new access profile. Alternatively, you can edit an existing access profile and add OAM authentication to the access policy.

  2. Click Create. The New Profile screen opens.
  3. Type a name for the access profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
  4. Click Finished.
  5. Click the name of the access profile for which you want to edit the access policy. The Access Profile properties screen opens for the profile you want to edit.
  6. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate window or tab.
  7. Click the [+] sign anywhere in your access profile to add your new policy action item. An Add Item window opens.
  8. Select OAM, and click Add item.
  9. For Server, select the AAA OAM server from the list.
  10. For URL, type in a URL resource.
  11. For Agent Action, select either Authentication and Authorization or Authentication Only.
  12. Click Save. You return to the visual policy editor.
  13. Click Apply Access Policy to save your configuration.
The access policy associated with the AAA OAM server uses OAM authentication.