Manual Chapter: Access Policy Manager Integration with OAM 10g

OAM 10g SSO integration example

Let's walk through an example deployment. An Oracle 10g server is configured for SSO multi-domain; an Authentication WebGate is configured and, in another domain, a Resource WebGate is configured.

In Access Policy Manager, an AAA OAM server has been configured and includes the details of the OAM Access Server and the two AccessGates. Two virtual servers have been configured with OAM native integration enabled.

This figure depicts the traffic flow for the example.

Figure: Typical OAM SSO configuration after APM native integration is enabled

Accessing a protected resource via Access Policy Manager native integration with OAM 10g
  1. Client requests access to a resource. The request comes to the RWG (Access Policy Manager AccessGate at VIP2).
  2. RWG checks whether the resource is protected per OAM. The resource is protected and the user has not yet authenticated.
  3. RWG sends a 302 redirect to the client so that the client will be redirected to the AWG for authentication.
  4. Authentication request comes to the AWG (Access Policy Manager AccessGate at VIP1).
  5. AWG validates user authentication status with OAM and obtains policy. In this case, the policy calls for form-based authentication and gives the location of the form.
  6. For the form-based authentication scheme, AWG allows the user to access the login page hosted on a webserver behind the AWG.
  7. The webserver returns the login.html file to the AWG, which sends it to the client.
  8. Via login.html, the user submits credentials.
  9. The AWG uses the credentials to authenticate the user with the OAM 10g server.
  10. With user authentication successful, the AWG sends a 302 redirect to the client so that the client will be redirected to the original RWG.
  11. Request for resource comes to the RWG again.
  12. The RWG validates user access to the resource with OAM.
  13. The protected resource behind VIP2 will be sent back to the user.

About AAA OAM server configuration

When you create a AAA OAM server, its transport security mode must match the setting in OAM. The procedure for configuring a AAA OAM server with open or simple transport security mode is different from the procedure for configuring a AAA OAM server with cert transport security mode. Only one AAA OAM server is supported and it must be configured following the procedure that is appropriate for the mode.

Task summary for integrating Access Policy Manager with OAM 10g

Before you begin

Before you start to integrate Access Policy Manager with OAM, configure the Access Server and AccessGates through the Oracle Access administrative user interface. Refer to Oracle Access Manager Access Administration Guide for steps.

Task list

Follow these steps to integrate Access Policy Manager with OAM 10g server.

Creating a AAA OAM server with open or simple transport security mode

Create a AAA server for Oracle Access Manager (OAM) when you want to integrate Access Policy Manager with OAM 10g natively. Use this procedure when transport security mode is configured as open or simple on the OAM server.
Note: Only one OAM server per BIG-IP system is supported. Multiple OAM 10g WebGates from the same OAM server are supported.
  1. On the Main tab, click Access Policy > AAA server, and click the plus sign for the AAA server type that you want to create. The New Server screen opens.
  2. Type a name for the AAA OAM server.
  3. For Access Server Name, type the name that was configured in Oracle Access System for the access server. For the access server name, open the OAM Access System Console and select Access system configuration > Access Server Configuration.
  4. For Access Server Hostname, type the fully qualified DNS host name for the access server system.
  5. For Access Server Port, accept the default 6021, or type the port number.
  6. For Admin Id, type the admin ID. Admin Id and Admin Password are the credentials that are used to retrieve host identifier information from OAM. Usually, these are the credentials for the administrator account of both Oracle Access Manager and Oracle Identity Manager.
  7. For Admin Password, type the admin password.
  8. For Retry Count, accept the default 0, or enter the number of times an AccessGate should attempt to contact the access server.
  9. For Transport Security Mode, select the mode (open or simple) that is configured for the access server in Oracle Access System. If you select simple, enter and confirm a Global Access Protocol Passphrase; it must match the global passphrase that is configured in OAM for the access server.
  10. For each AccessGate, click Add and type the name, description, and password for the AccessGate. You can disable or enable access to the AccessGate by toggling the options. Enter the name and password that were configured in OAM for the AccessGate.
  11. Click the Finished button. This adds the new AAA server to the AAA Servers list.
Next, configure a virtual server and enable OAM support on it for native integration with OAM.

Creating a AAA OAM server when OAM 10g uses cert transport security mode

Create a AAA server for Oracle Access Manager (OAM) when you want to integrate Access Policy Manager with OAM 10g natively. Use this procedure when transport security mode is set to cert on OAM.
Note: Only one OAM server per BIG-IP system is supported. Multiple OAM 10g WebGates from the same OAM server are supported.
  1. On the Main tab, click Access Policy > AAA server, and click the plus sign for the AAA server type that you want to create. The New Server screen opens.
  2. Type a name for the AAA OAM server.
  3. For Access Server Name, type the name that was configured in Oracle Access System for the access server. For the access server name, open the OAM Access System Console and select Access system configuration > Access Server Configuration.
  4. For Access Server Hostname, type the fully qualified DNS host name for the access server system.
  5. For Access Server Port, accept the default 6021, or type the port number.
  6. For Admin Id, type the admin ID. Admin Id and Admin Password are the credentials that are used to retrieve host identifier information from OAM. Usually, these are the credentials for the administrator account of both Oracle Access Manager and Oracle Identity Manager.
  7. For Admin Password, type the admin password.
  8. For Transport Security Mode, select cert.
  9. For each AccessGate, click Add and then:
    1. Enter the AccessGate name and password that were configured in OAM for the AccessGate and confirm the password.
    2. For AccessGate description, enter RREG. When you restart the EAM service, it will recognize RREG as a key word.
  10. Click the Finished button. This adds the new AAA server to the AAA Servers list.
  11. Copy the configuration files for the WebGates from the OAM server to the BIG-IP server. Place the files into the directories that Access Policy Manager created for the AAA OAM server and each of the AccessGates that you added to it.

    An example follows.

    cp aaa_cert.pem /config/aaa/oam/Common/$OAM_Server_Name/AccessGateName/oblix/config/
    cp aaa_chain.pem /config/aaa/oam/Common/$OAM_Server_Name/AccessGateName/oblix/config/
    cp aaa_key.pem /config/aaa/oam/Common/$OAM_Server_Name/AccessGateName/oblix/config/
    cp password.xml /config/aaa/oam/Common/$OAM_Server_Name/AccessGateName/oblix/config/
    cp ObAccessClient.xml /config/aaa/oam/Common/$OAM_Server_Name/AccessGateName/oblix/lib/

    When you restart the EAM service, it will detect that the AccessGates are configured in cert mode and that the OAM AccessGate configuration files are present in the local directories. As a result, the EAM service will initialize the AccessGates without running configureAccessgate for the initial bootstrap.
  12. At the command line, restart the EAM service by typing bigstart restart eam.
Next, configure a virtual server and enable OAM support on it for native integration with OAM.
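The file staging in step 11 is easy to get wrong (a file in the wrong oblix subdirectory means EAM falls back to bootstrapping the AccessGate). The shell functions below are an added example, not part of this manual or of F5's own tooling: they copy the five WebGate files into the layout the step describes and then verify the layout before you restart EAM. The root directory is a parameter (normally /config) so the functions can be exercised elsewhere; the chmod 600 on the private key and password file is this example's addition, not a documented requirement.

```shell
# Added example (not from the F5 manual). Stage OAM 10g WebGate files for one
# cert-mode AccessGate into the directory layout Access Policy Manager expects.
# Arguments: SRC dir holding the exported files, ROOT (normally /config),
# the AAA OAM server name, and the AccessGate name.
stage_oam_accessgate() {
    src="$1"; root="$2"; oam_server="$3"; gate="$4"
    base="$root/aaa/oam/Common/$oam_server/$gate/oblix"
    cfg="$base/config"; lib="$base/lib"
    # Refuse to stage a partial set: EAM needs all five files to skip bootstrap.
    for f in aaa_cert.pem aaa_chain.pem aaa_key.pem password.xml ObAccessClient.xml; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    mkdir -p "$cfg" "$lib" || return 1
    cp "$src/aaa_cert.pem" "$src/aaa_chain.pem" "$src/aaa_key.pem" "$src/password.xml" "$cfg/" || return 1
    cp "$src/ObAccessClient.xml" "$lib/" || return 1
    # The private key and password file are secrets; keep them owner-only
    # (this example's choice, not something the manual prescribes).
    chmod 600 "$cfg/aaa_key.pem" "$cfg/password.xml" || return 1
    return 0
}

# Returns 0 only when every file is in the directory EAM reads it from.
verify_oam_accessgate() {
    base="$1/aaa/oam/Common/$2/$3/oblix"
    for f in config/aaa_cert.pem config/aaa_chain.pem config/aaa_key.pem \
             config/password.xml lib/ObAccessClient.xml; do
        [ -f "$base/$f" ] || { echo "not staged: $base/$f" >&2; return 1; }
    done
    return 0
}

# Typical use on the BIG-IP system, after which the service is restarted:
#   stage_oam_accessgate /var/tmp/webgate /config "$OAM_Server_Name" AccessGateName \
#     && verify_oam_accessgate /config "$OAM_Server_Name" AccessGateName \
#     && bigstart restart eam
```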

Creating a virtual server

Configure a AAA OAM server before you perform this task.
A virtual server represents a destination IP address for application traffic. Configure one virtual server for each AccessGate that is included on the AAA OAM server AccessGates list.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the Create button. The New Virtual Server screen opens.
  3. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. The IP address you type must be available and not in the loopback network.
  4. Type a port number in the Service Port field, or select a service name from the Service Port list.
  5. In the Resources area of the screen, from the Default Pool list, select a pool name.
  6. Scroll down to the Access Policy section and check the Enabled box for OAM Support.
  7. Click Finished.
A destination IP address on the Access Policy Manager system is now available for application traffic.