Manual Chapter : Integrating APM with Oracle Access Manager

Applies To:

BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

About AAA OAM server configuration

You can configure only one AAA OAM server, but it can support multiple AccessGates from the same access server. When you create an AAA OAM server, its transport security mode must match the setting on the OAM access server.

Task summary for integrating Access Policy Manager with OAM

Before you begin

Before you start to integrate Access Policy Manager with OAM, configure the Access Server and AccessGates through the Oracle Access administrative user interface. Refer to the Oracle Access Manager Access Administration Guide for steps.

Task list

Follow these steps to integrate Access Policy Manager with a supported OAM server.

Importing AccessGate files when transport security is set to cert

Check the transport security mode that is configured on the OAM access server. If transport security mode is configured to cert, copy the certificate, certificate chain, and key files (by default, aaa_cert.pem, aaa_chain.pem, and aaa_key.pem respectively) for each AccessGate from the OAM access server to the BIG-IP system.
Note: If Transport Security Mode is set to open or simple, you can skip this procedure.
You must import the certificate, certificate chain, and key files for each AccessGate into the BIG-IP system. Repeat this procedure for each AccessGate. Import certificate and certificate chain files before importing the corresponding private key file.
Note: If a signing chain certificate (CA) is the subordinate of another Certificate Authority, both certificates, in PEM format, must be included in the file with the subordinate signer CA first, followed by the root CA, including " -----BEGIN/END CERTIFICATE-----".
  1. On the Main tab, click Local Traffic > SSL Certificate List. The SSL Certificate List screen opens.
  2. From the Import Type list, select Certificate.
  3. For the Certificate Name setting, select the Create New option, and type a unique name that enables you to identify the file as belonging to this particular AccessGate.
  4. For the Certificate Source setting, select the Upload File option, and browse to the location of the certificate or the certificate chain file. If you kept the default filenames when you copied the files to the BIG-IP system, look for aaa_cert.pem or aaa_chain.pem.
  5. Click Import. A certificate or certificate chain file has been imported for the AccessGate. To import the other (certificate or certificate chain) file for this AccessGate, repeat the steps that you have just completed before you continue.
  6. On the Main tab, click Local Traffic > SSL Certificate List. The SSL Certificate List screen opens.
  7. From the Import Type list, select Key.
  8. For the Key Name setting, select the Create New option, and type a unique name that enables you to identify the file as belonging to this particular AccessGate. The key file you import is the private key that corresponds to the certificate and certificate chain you already imported; the name you type replaces its default file name, aaa_key.pem.
  9. For the Key Source setting, do one of the following:
    • Select the Upload File option, and browse to the location of the key file.
    • Select the Paste Text option, and paste the key text copied from another source.
  10. Click Import. The key file is imported.
Certificate, certificate chain, and key files have been imported for an AccessGate.
Repeat the procedure to import these files for any other AccessGate.
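Before importing a chain file, it is worth confirming that it is assembled in the order the note above requires (subordinate signer CA first, root CA last). The following POSIX shell function is an added example, not part of the F5 manual; it assumes the openssl CLI is available and checks that each certificate's issuer is the subject of the certificate that follows it, and that the last certificate is self-signed.

```shell
#!/bin/sh
# Added example, not part of the F5 manual. Checks that a PEM chain file
# lists the subordinate signer CA first and the root CA last by confirming
# that each certificate's issuer equals the subject of the one that follows
# and that the final certificate is self-signed. Requires the openssl CLI.
# Usage: check_chain_order aaa_chain.pem   (returns 0 when the order is valid)
check_chain_order() {
    chain="$1"
    tmp=$(mktemp -d) || return 2
    # Split the file into one certificate per file (cert-0, cert-1, ...) and
    # report how many certificates were found.
    count=$(awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert-" (n - 1) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$chain")
    if [ "$count" -lt 1 ]; then
        echo "no certificates found in $chain" >&2
        rm -rf "$tmp"
        return 1
    fi
    rc=0
    i=0
    while [ "$i" -lt "$count" ]; do
        cur="$tmp/cert-$i"
        subj=$(openssl x509 -in "$cur" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$cur" -noout -issuer | sed 's/^issuer= *//')
        echo "[$i] subject: $subj"
        echo "[$i] issuer:  $iss"
        next=$((i + 1))
        if [ "$next" -lt "$count" ]; then
            nsubj=$(openssl x509 -in "$tmp/cert-$next" -noout -subject | sed 's/^subject= *//')
            if [ "$iss" != "$nsubj" ]; then
                echo "order error: certificate $i was not issued by certificate $next" >&2
                rc=1
            fi
        elif [ "$iss" != "$subj" ]; then
            # The chain must end with the self-signed root CA.
            echo "error: last certificate is not self-signed; is the root CA missing?" >&2
            rc=1
        fi
        i=$next
    done
    rm -rf "$tmp"
    return "$rc"
}
```

Run it against aaa_chain.pem before step 4; a non-zero exit means the file should be reassembled before it is uploaded.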

Creating an AAA OAM server

If transport security mode is configured to cert on the access server, import the certificates, keys, and CA certificate for the AccessGates into the BIG-IP system.
Create an AAA server for OAM to deploy Access Policy Manager in place of OAM 10g WebGates.
Note: Only one OAM server per BIG-IP system is supported. Multiple OAM 10g WebGates from the same OAM server are supported.
  1. In the navigation pane, click Access Policy > AAA Servers > Oracle Access Manager. The Oracle Access Manager Server screen opens.
  2. Click Create if no Oracle Access Manager server is defined yet. The New OAM Server screen opens.
  3. Type a name for the AAA OAM server.
  4. For Access Server Name, type the name that was configured in Oracle Access System for the access server. To find the access server name, open the OAM Access System Console and select Access system configuration > Access Server Configuration.
  5. For Access Server Hostname, type the fully qualified DNS host name for the access server system.
  6. For Access Server Port, accept the default 6021, or type the port number.
  7. For Admin Id, type the admin ID. Admin Id and Admin Password are the credentials that are used to retrieve host identifier information from OAM. Usually, these are the credentials for the administrator account of both Oracle Access Manager and Oracle Identity Manager.
  8. For Admin Password, type the admin password.
  9. For Retry Count, accept the default 0, or enter the number of times an AccessGate should attempt to contact the access server.
  10. For Transport Security Mode, select the mode (open, simple, or cert) that is configured for the access server in Oracle Access System.
  11. If Transport Security Mode is set to simple, type and re-type a Global Access Protocol Passphrase; it must match the global passphrase that is configured for the access server in OAM.
  12. For AccessGate Name, type the name of an AccessGate; it must match the name of an AccessGate that is configured on the OAM access server.
  13. For AccessGate Password and Verify Password, type the password; it must match the password that is configured for it on the OAM access server.
  14. If transport security mode is set to cert, select the Certificate, Key, and CA Certificate that you imported for this particular AccessGate.
  15. If transport security mode is set to cert and if a sign key passphrase is needed, type a Sign Key Passphrase and re-type it to verify it.
  16. Click the Finished button. This adds the new AAA server to the AAA Servers list.
Add any other AccessGates that are configured for the OAM access server to this Oracle Access Manager AAA server. Then, for each AccessGate, configure a virtual server and enable OAM support on it for native integration with OAM.

Adding AccessGates to the OAM AAA server

You must create an Oracle Access Manager AAA server with one AccessGate before you can add other AccessGates.
Access Policy Manager can support multiple AccessGates from the same OAM access server. To enable the support, add the AccessGates to the Oracle Access Manager AAA server.
  1. In the navigation pane, click Access Policy > AAA Servers > Oracle Access Manager. The Oracle Access Manager Server screen opens.
  2. Click the name of the Oracle Access Manager AAA server. The Properties page opens.
  3. Scroll down to the AccessGate List and click Add. The New AccessGate page opens.
  4. For AccessGate Name, type the name of an AccessGate; it must match the name of an AccessGate that is configured on the OAM access server.
  5. For AccessGate Password and Verify Password, type the password; it must match the password that is configured for it on the OAM access server.
  6. If transport security mode is set to cert for the access server, select the Certificate, Key, and CA Certificate that you imported for this particular AccessGate.
  7. If transport security mode is set to cert for the access server, and if a sign key passphrase is needed, type a Sign Key Passphrase and re-type it to verify it.
  8. Click the Finished button.
The AccessGate is added.

Creating a virtual server

Configure an AAA OAM server and add AccessGates to it before you perform this task.
A virtual server represents a destination IP address for application traffic. Configure one virtual server for each AccessGate that is included on the AAA OAM server AccessGates list.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Destination Address field, type the IP address for a host virtual server. The IP address you type must be available and not in the loopback network. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  4. In the Service Port field, type a port number or select a service name from the Service Port list.
  5. In the Resources area of the screen, from the Default Pool list, select the relevant pool name.
  6. Scroll down to the Access Policy section and check the Enabled box for OAM Support.
  7. Select an AccessGate from the list. If you select Default, Access Policy Manager reads Oracle configuration information to determine which AccessGate to associate with this virtual server.
  8. Click Finished.
A destination IP address on the Access Policy Manager system is now available for application traffic.

Troubleshooting tips

You might run into problems with the integration of Access Policy Manager and OAM in some instances. Follow these tips to try to resolve any issues you might encounter.

Troubleshooting tips for initial configuration

Check network connectivity
  • Ping the OAM Access Server from the BIG-IP system.

Test without OAM support enabled first
  Before you test with OAM support enabled, make sure that the BIG-IP system has basic connectivity to protected applications.
  • Disable the OAM Support property on the virtual server.
  • Verify that you can reach the pool and the application.
  After succeeding, re-enable OAM support on the virtual server.

Check the configuration for accuracy
  • Confirm that the AAA server object is correct, particularly the OAM server section.
  • Confirm that the AccessGates configured on the BIG-IP system within the AAA server are correct.

Additional troubleshooting tips

Verify access
  OAM provides tools for the administrator to test how access policies respond to various requests. Use the Access Tester to test access policies with given identities and for given users. This tool can help determine whether the access provided by the BIG-IP system is consistent with the policies configured under OAM.

Resolve sudden problems
  Changes made on the OAM server can cause mismatches on the BIG-IP system because of a configuration cache that is kept on the BIG-IP system. To resolve this, delete the cache file of the corresponding AccessGate configuration:
  • Delete the config.cache file located in config/aaa/oam/<filepath>, for example /config/aaa/oam/Common/oamaaa1/AccessGate1/config.cache.
  • At the command line, restart the EAM service by typing bigstart restart eam.

Check logs
  Enable and review the log files on the BIG-IP system.
  • Most relevant log items are kept in /var/log/apm, which is the primary location for messages related to the operation of OAM.
  • Additional logging is done in /var/log/oblog.log. This file contains AccessGate logging, which might be helpful in certain circumstances.
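The cache reset above can be scripted so that it is repeatable and so that the service is only restarted when a cache file was actually removed. The following shell function is an added example, not part of the F5 manual; it assumes that the cache path is laid out as partition/AAA-server/AccessGate, as in the example path /config/aaa/oam/Common/oamaaa1/AccessGate1/config.cache, and that OAM_CACHE_ROOT can override the root directory for testing off-box.

```shell
#!/bin/sh
# Added example, not part of the F5 manual. Removes the cached AccessGate
# configuration after a change on the OAM server and restarts the EAM service.
# The layout <root>/<partition>/<aaa-server>/<accessgate>/config.cache is an
# assumption taken from the manual's example path; OAM_CACHE_ROOT may override
# the default root of /config/aaa/oam (useful for testing outside a BIG-IP).
# Usage: clear_oam_cache <partition> <aaa-server> [accessgate]
# Without an AccessGate name, every AccessGate under the AAA server is cleared.
# Prints the number of cache files removed; returns 1 if the server dir is missing.
clear_oam_cache() {
    partition="$1"; server="$2"; gate="${3:-*}"
    root="${OAM_CACHE_ROOT:-/config/aaa/oam}"
    base="$root/$partition/$server"
    if [ ! -d "$base" ]; then
        echo "no such AAA server directory: $base" >&2
        return 1
    fi
    removed=0
    # $gate is deliberately unquoted so that the default "*" expands to all AccessGates.
    for f in "$base"/$gate/config.cache; do
        [ -f "$f" ] || continue   # the glob matched nothing
        rm -f "$f" && removed=$((removed + 1))
        echo "removed $f" >&2
    done
    if [ "$removed" -gt 0 ]; then
        # bigstart exists on a BIG-IP; elsewhere (e.g. while testing) just report.
        if command -v bigstart >/dev/null 2>&1; then
            bigstart restart eam
        else
            echo "bigstart not found; run 'bigstart restart eam' on the BIG-IP" >&2
        fi
    fi
    echo "$removed"
}
```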

Using OAM authentication in an access policy

Before you start this procedure, Access Server and AccessGates must be configured through the Oracle Access administrative user interface. An Access Policy Manager AAA OAM server and a virtual server must be configured on the BIG-IP system.
Configure OAM authentication in an access policy only if you need to provide a client with SSL VPN access, authenticating with an Oracle server that is configured for single sign-on single-domain use. This approach does not work for Oracle single sign-on multi-domain configurations.
Note: You do not need an access policy to use Access Policy Manager as an OAM 10g Webgate.
Tip: In this procedure, you create a new access profile as part of the configuration. Alternatively, you can edit an existing access profile and add OAM authentication to the access policy.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile names and any per-request policy names.
  4. Click Finished.
  5. Click the name of the access profile for which you want to edit the access policy. The properties screen opens for the profile you want to edit.
  6. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate screen.
  7. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  8. Select OAM, and click Add item.
  9. For Server, select the AAA OAM server from the list.
  10. For URL, type in a URL resource.
  11. For Agent Action, select either Authentication and Authorization or Authentication Only.
  12. Click Save. You will return to the visual policy editor.
  13. Click Apply Access Policy to save your configuration.
The access policy associated with the AAA OAM server uses OAM authentication.