
OAM Administration :
====================
Pre-req : oid_ovd_instance01, IAMDomain(AdminServer, oam_server1)
Installation : webserver(OHS, IHS, IIS, Apache, OTD, iPlanet), Webgate.
Vanilla SSO Solution :
Terminologies : webserver/OHS/WebTier/Webgate Instance/Agent
1. Configure the webserver instance
#xhost +
#su - weblogic
cd /d01/Weblogic/FMW/Oracle_WT1/bin
./config.sh
Verify :
http://idm.oraclefusion4all.com:7777/
https://idm.oraclefusion4all.com:4443
2. Deploy the webgate to webserver instance => "webgate instance"
cd /d01/Weblogic/FMW/Oracle_OAMWebGate11gR2/webgate/ohs/tools/deployWebGate
Verify :
webgate folder will be created in webserver instance location.
3. Configure the httpd.conf file or webserver configuration file.
cd /d01/Weblogic/FMW/Oracle_OAMWebGate11gR2/webgate/ohs/tools/setup/InstallTools
export LD_LIBRARY_PATH=/d01/Weblogic/FMW/Oracle_WT1/lib
export PATH=$LD_LIBRARY_PATH:$PATH
./EditHttpConf -oh /d01/Weblogic/FMW/Oracle_OAMWebGate11gR2/ -w /d01/Weblogic/FMW/Oracle_WT1/instances/ohs_webgate11gR2Console/config/OHS/ohs1/
Verify :
1. httpd.conf will be backed up
2. webgate.conf include directive will be added to httpd.conf.
3. webgate.conf will be created.
4. Integrate the "webgate instance" with oam_server1.
pre-req : AdminServer and oam_server1 need to be up and running.
A) Using the OAMConsole
http://idm.oraclefusion4all.com:7001/oamconsole
weblogic/Oracle123
SSO Agents => Create 11g Webgate
cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain/output/Webgate11gR2Console
cp -r ObAccessClient.xml cwallet.sso /d01/Weblogic/FMW/Oracle_WT1/instances/ohs_webgate11gR2Console/config/OHS/ohs1/webgate/config/
-> OAM 11.1.2.2 supports backward compatibility of agents (it is used in migration projects)
Verify : restart the ohs server and verify the SSO.
B) Using RREG (Remote Registration Tool)
cd /d01/Weblogic/FMW/Oracle_IAM1/oam/server/rreg/input
vi OAM11GRequest.xml
<serverAddress>http://idm.oraclefusion4all.com:7001</serverAddress>
<hostIdentifier>RREG_HostId11G</hostIdentifier>
<agentName>RREG_OAM11GWebgate</agentName>
<agentBaseUrl>http://idm.oraclefusion4all.com:7778</agentBaseUrl>
<applicationDomain>RREG_OAM11GDefaultAPPDomain</applicationDomain>
cd /d01/Weblogic/FMW/Oracle_IAM1/oam/server/rreg/bin
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
./oamreg.sh inband /d01/Weblogic/FMW/Oracle_IAM1/oam/server/rreg/input/OAM11GRequest.xml
Output artifacts are created in the output folder.
cd /d01/Weblogic/FMW/Oracle_IAM1/oam/server/rreg/output/RREG_OAM11GWebgate
cp -r ObAccessClient.xml cwallet.sso /d01/Weblogic/FMW/Oracle_WT1/instances/ohsWebgate11gR2RREG/config/OHS/ohs2/webgate/config/
Verify : restart the ohs server and verify the SSO.
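The registration steps above (EditHttpConf in step 3, then the console or RREG registration and the copy of ObAccessClient.xml and cwallet.sso in step 4) are easy to get half-done: a request file with a blank field or the AdminServer URL pasted as the agent URL, a commented-out include line, or an output folder missing one of the two artifacts. The following pre-flight checker is an added example for these notes and not Oracle's own tooling; the element names come from the OAM11GRequest.xml above, the root element name in the constructed sample is a placeholder, and the assumption that OHS runs as the same OS user (weblogic) is why the copied files are made owner-only.

```python
"""Pre-flight checks around an OAM 11g webgate registration (added example,
not Oracle's tooling). Element names are those of the OAM11GRequest.xml in
the notes; <OAM11GRegRequest> as root is a placeholder; ObAccessClient.xml and
cwallet.sso are the artifacts the notes copy into <webgate instance>/webgate/config/."""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REQUIRED = ("serverAddress", "hostIdentifier", "agentName",
            "agentBaseUrl", "applicationDomain")
ARTIFACTS = ("ObAccessClient.xml", "cwallet.sso")


def _find_text(root, name):
    """Stripped text of the first element whose local name is `name` ("" if absent)."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip()
    return ""


def check_request(xml_text):
    """Return a list of problems in an OAM11GRequest.xml body; [] means OK."""
    root = ET.fromstring(xml_text)
    values = {name: _find_text(root, name) for name in REQUIRED}
    problems = ["missing or empty <%s>" % n for n, v in values.items() if not v]
    for name in ("serverAddress", "agentBaseUrl"):
        url = values[name]
        if url and (urlparse(url).scheme not in ("http", "https")
                    or not urlparse(url).netloc):
            problems.append("<%s> is not an absolute http(s) URL: %s" % (name, url))
    # serverAddress is the AdminServer; agentBaseUrl is the webserver the webgate
    # fronts. The same host:port in both is almost always a copy/paste slip.
    if values["serverAddress"] and values["agentBaseUrl"] and \
            urlparse(values["serverAddress"]).netloc == urlparse(values["agentBaseUrl"]).netloc:
        problems.append("serverAddress and agentBaseUrl share the same host:port")
    return problems


def httpd_includes_webgate(httpd_conf_text):
    """True if httpd.conf has an active (not commented) include of webgate.conf."""
    for line in httpd_conf_text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("include") and "webgate.conf" in stripped:
            return True
    return False


def stage_artifacts(output_dir, webgate_config_dir):
    """Copy both registration artifacts into the webgate config directory.

    Refuses to copy unless both exist, so an incomplete oamreg run cannot leave
    a fresh wallet beside a stale ObAccessClient.xml. Files become owner-only
    (0600): they hold the agent's secrets, and OHS is assumed to run as the owner.
    """
    missing = [a for a in ARTIFACTS
               if not os.path.isfile(os.path.join(output_dir, a))]
    if missing:
        raise FileNotFoundError("registration output incomplete: missing "
                                + ", ".join(missing))
    os.makedirs(webgate_config_dir, exist_ok=True)
    copied = []
    for name in ARTIFACTS:
        dst = os.path.join(webgate_config_dir, name)
        shutil.copy2(os.path.join(output_dir, name), dst)
        os.chmod(dst, 0o600)
        copied.append(dst)
    return copied


# Constructed sample request mirroring the values in the notes.
SAMPLE_REQUEST = """<OAM11GRegRequest>
  <serverAddress>http://idm.oraclefusion4all.com:7001</serverAddress>
  <hostIdentifier>RREG_HostId11G</hostIdentifier>
  <agentName>RREG_OAM11GWebgate</agentName>
  <agentBaseUrl>http://idm.oraclefusion4all.com:7778</agentBaseUrl>
  <applicationDomain>RREG_OAM11GDefaultAPPDomain</applicationDomain>
</OAM11GRegRequest>"""

# Same request with a blank agentName and the AdminServer port pasted into agentBaseUrl.
BAD_REQUEST = SAMPLE_REQUEST.replace("RREG_OAM11GWebgate", "").replace(":7778", ":7001")


def demo():
    """Stage constructed placeholder artifacts in a scratch dir; returns the names staged."""
    base = tempfile.mkdtemp()
    out = os.path.join(base, "output", "RREG_OAM11GWebgate")
    os.makedirs(out)
    for name in ARTIFACTS:  # stand-ins for the real oamreg output files
        with open(os.path.join(out, name), "w") as fh:
            fh.write("constructed placeholder\n")
    copied = stage_artifacts(out, os.path.join(base, "webgate", "config"))
    return sorted(os.path.basename(p) for p in copied)


if __name__ == "__main__":
    print("sample request problems:", check_request(SAMPLE_REQUEST))
    print("bad request problems:", check_request(BAD_REQUEST))
    print("staged:", demo())
```

Run `check_request` on the real input file before calling oamreg.sh, and `stage_artifacts` in place of the bare `cp -r` so a missing artifact stops the copy rather than leaving the webgate with a mismatched pair; `httpd_includes_webgate` covers the second verification point of step 3.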
5. Integrate oam_server1 with OVD
A) System Store - oamconsole access to only OAMAdministrators group in OVD & Default Store - OVD user section (all 2000+ users) will be AuthN/AuthZ against this store.
B) OVD AuthN Provider - will AuthN only members of OAMAdministrators group in OVD against oamconsole.
C) OAM Identity Asserter :
Symptoms : 1. If SSO page followed by application specific login page is prompted or login pages coming twice.
2. If attributes are not asserted from oam.
Verify : restart the servers and verify both symptoms are addressed.

Note : http://idm.oraclefusion4all.com:7001/oamconsole is deployed on AdminServer; in case SSO services are not proper then as best practice look for the activeness of OAM deployments.
6. Default Artifacts and technical flow of SSO
1. Host Identifiers : The webserver host and port where agent is deployed, also required to create resources.
2. Application Domain : Collection of resources and policies.
3. Technical flow of SSO.

Application Onboarding :
========================
Best Design Approach : Create a separate "application domain" for each application that needs to be onboarded with OAM.
1. Sample Web Application - AuthN/AuthZ
cd /stage/scripts_apps
cp -r example/ /d01/Weblogic/FMW/Oracle_WT1/instances/ohsWebgate11gR2RREG/config/OHS/ohs2/htdocs
http://idm.oraclefusion4all.com:7778/example
1. Create Example App ApplicationDomain
2. Define Resources
3. Create AuthN Policies 1. Unprotect 2. Protect
4. Create AuthZ Policies and understand all use cases
4 use cases :
A) Identity - Group in Directory Server
B) IP Range - Country, Building, Block, Business Unit
C) Temporal - Time based Access - Office Hours
D) Attribute based : Employee Type = Permanent / Organization = Finance
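The four AuthZ use cases (identity, IP range, temporal, attribute based) as a small policy evaluator over constructed requests. This is an added example for these notes, a simplified stand-in for an OAM authorization policy rather than OAM's engine; the group name FinanceUsers, the 10.20.0.0/16 range, the 09:00-18:00 weekday window and the employeeType attribute are all assumed values for the Finance example application. Returning the names of the failed conditions is the part worth copying: a denial that says which condition failed is far easier to troubleshoot and to alert on than a bare 403.

```python
"""The four AuthZ use cases from the notes evaluated over constructed requests.
Added example; a simplified stand-in for an OAM authorization policy, not OAM's
engine. Group names, CIDRs, hours and attribute names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class Subject:
    uid: str
    groups: frozenset      # group memberships from the directory server (OVD here)
    attributes: dict       # LDAP attributes, e.g. employeeType, ou


@dataclass
class Request:
    subject: Subject
    source_ip: str
    when: datetime


def identity_condition(group):
    """A) Identity: the subject must belong to the named directory group."""
    return lambda req: group in req.subject.groups


def ip_range_condition(cidrs):
    """B) IP range: the source address must fall inside one of the networks."""
    nets = [ip_network(c) for c in cidrs]
    return lambda req: any(ip_address(req.source_ip) in n for n in nets)


def temporal_condition(start, end, weekdays=frozenset(range(5))):
    """C) Temporal: office hours, Monday (0) to Friday (4) by default."""
    return lambda req: (req.when.weekday() in weekdays
                        and start <= req.when.time() < end)


def attribute_condition(name, allowed):
    """D) Attribute based: a subject attribute must hold one of the allowed values."""
    return lambda req: req.subject.attributes.get(name) in allowed


def evaluate(policy, req):
    """All conditions must hold (AND). Returns (allowed, names of failed conditions)
    so a denial can be logged with its reason instead of as a bare 403."""
    failed = [name for name, cond in policy if not cond(req)]
    return (not failed, failed)


# Constructed policy for the Finance example application (all values assumed).
FINANCE_POLICY = [
    ("identity", identity_condition("FinanceUsers")),
    ("ip_range", ip_range_condition(["10.20.0.0/16"])),        # head-office block
    ("temporal", temporal_condition(time(9, 0), time(18, 0))),
    ("attribute", attribute_condition("employeeType", {"Permanent"})),
]

# Constructed subjects and requests. 2024-03-13 is a Wednesday, 2024-03-16 a Saturday.
ALICE = Subject("alice", frozenset({"FinanceUsers"}),
                {"employeeType": "Permanent", "ou": "Finance"})
BOB = Subject("bob", frozenset({"FinanceUsers"}),
              {"employeeType": "Contractor", "ou": "Finance"})
IN_HOURS_FROM_OFFICE = Request(ALICE, "10.20.5.7", datetime(2024, 3, 13, 10, 30))
CONTRACTOR_IN_OFFICE = Request(BOB, "10.20.5.8", datetime(2024, 3, 13, 10, 30))
WEEKEND_FROM_HOME = Request(ALICE, "192.168.1.10", datetime(2024, 3, 16, 22, 0))

if __name__ == "__main__":
    for label, req in (("alice, office, in hours", IN_HOURS_FROM_OFFICE),
                       ("bob (contractor), office", CONTRACTOR_IN_OFFICE),
                       ("alice, home, weekend", WEEKEND_FROM_HOME)):
        print(label, "->", evaluate(FINANCE_POLICY, req))
```

In OAM the same four conditions are configured per authorization policy inside the application domain; the evaluator above makes the combination explicit so that, while designing the policies for step 4, each use case can be walked through with a concrete request before it is configured in the console.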
5. Responses
6. Customization
A) Custom SSO Login Page
Business requirement : A) Client specific customized SSO page instead of the Oracle default, and it must be deployed externally.
B) Multiple SSO Login Pages, each must have an application specific theme.
Technology - .jsp, .aspx, .php , .html*
Deployment - Could be on oam_server1 or external
What Competency : HTML/CSS/Images Knowledge.
Prepare the project :
cd /stage/scripts_apps/customloginpage

export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
jar cvf customloginpage.war *
=> Deploy the customloginpage.war to oam_server1
and start the deployment.
=> Verify the application logic
=> modify the Custom LDAP Scheme

2. J2EE(ADF/WebCenter/Primavera) Application
1. Deploy the default J2EE application and observe the OOTB J2EE security architecture/login mechanism.
2. Modify the default J2EE login mechanism to OAM specific and redeploy.
3. Modify the Weblogic directive file and define resource and handler.
4. Create J2EE specific ApplicationDomain and define resources.
5. Restart the webserver and observe the result.
2.1. Customization
A) Multiple SSO Login Page
B) Multi Factor AuthN
2.2 X.509
3. OBIEE Applications
3.1. Customization
A)
