You are on page 1of 28

OFSS Ltd.

- FLEXCUBE
NGP Project
Configuration Document : OAAM
11gR2 Configuration Document

Name
Author

Yamini N. Phalak

Current Status

Initial

Date

08-Feb-2013

Revision History

Versio
n

Updates

Author

Date

0.1

Initial Draft.

Yamini N. Phalak

08-Feb-2013

Table of Contents

Revision History....................................................................................................2
1. Introduction......................................................................................................5
1.1.

Pre-Requisites.......................................................................................................................................... 5

2. Configuration Steps.........................................................................................6
2.1.

Weblogic console configurations.............................................................................................................. 6

2.2.

Setting up Encryption Credentials for OAAM............................................................................................ 9

2.2.1. Setting up Secret Key for Encrypting Configuration Values:....................................................................9


2.2.2. Setting up Secret Key for Encrypting Database Values:.........................................................................11
2.3.

Setting Up OAAM Database Credentials in the Credential Store Framework........................................12

2.4.

Update process_results.rule file............................................................................................................. 13

2.5.

Deployments on OAAM servers............................................................................................................. 15

2.6.

Importing policies.................................................................................................................................... 16

2.7.

OAAM SOAP Configuration.................................................................................................................... 18

2.7.1. Enabling SOAP Authentication............................................................................................................... 18


2.7.2. Disabling SOAP Authentication:............................................................................................................. 23

General Configuration Issues........................................................................24


3.1

Error while generating and adding credential keys to CSF.....................................................................24

3.2

Error while Importing custom action groups........................................................................................... 25

OAAM Configuration Document

Last update: 10/13/16

List of Figures
Figure 1 : Securiy Realms-> Groups........................................................................................................ 6
Figure 2 : User Creation in weblogic console............................................................................................. 7
Figure 3 : Assigning roles to user............................................................................................................. 7
Figure 4 : Creating new Provider............................................................................................................. 8
Figure 5 : Changing control flag of providers.............................................................................................. 9
Figure 6 : Security Credentials............................................................................................................. 12
Figure 7 : Adding oaam_db_key to CSF.................................................................................................. 13
Figure 8 : Properties etc. nodes of OAAM admin server............................................................................16
Figure 9 : Import properties dialog box.................................................................................................... 17
Figure 10 : Dialog box showing Imported properties.................................................................................17
Figure 11: OAAM server web services.................................................................................................... 18
Figure 12 : 'Attach Policy' link................................................................................................................ 19
Figure 13 : OAAM Web Services........................................................................................................... 19
Figure 14 : oracle/wss_http_token_service_policy Policy...........................................................................20
Figure 15 : Attach policy....................................................................................................................... 20
Figure 16 : 'oaamadmin' user from DefaultAuthenticator realm...................................................................21
Figure 17 : oaam_native file changes..................................................................................................... 22
Figure 18 : system-jazn-data.xml changes..............................................................................................24
Figure 19 : OAAM action groups............................................................................................................ 25
Figure 20 : Challenge 1FA group tab...................................................................................................... 25
Figure 21 : Add actions........................................................................................................................ 26
Figure 22 : Challenge 1FA action........................................................................................................... 26

Introduction

1.

The configuration document explains configuration steps for OAAM 11gR2 .

1.1.
1

Pre-Requisites
OAAM 11gR2 is already installed.

2.

Configuration Steps

2.1.

Weblogic console configurations

1. Start oaam_domain server at location (for Linux : {oaam middleware}/user_projects/domains/


{oaam_domain}/startWebLogic.sh, for Windows : {oaam middleware}/user_projects/domains/
{oaam_domain}/startWebLogic.sh )

2. In weblogic server console (http://localhost:port/console), go to Home>Summary of Security


Realms>myrealm>Users and Groups

Figure 1 : Securiy Realms-> Groups

3. Create new user say oaamadmin/welcome1(This user is to be used to login into oaam admin server
http://localhost:14200/oaam_admin/faces/pages/home.jspx?).

Figure 2 : User Creation in weblogic console

4. Assign it following roles. Administrators, OAAMEnvAdminGroup, OAAMRuleAdministratorGroup,


OAAMSoapServicesGroup.

Figure 3 : Assigning roles to user.

5. Create new provider i.e. OIDAuthenticator in Home->Summary of Security Realms->myrealm>Providers tab and select its type as OracleInternetDirectoryAuthenticator .

Figure 4 : Creating new Provider

6. Select the
new
authentication provider instance to navigate to the configuration page and fill the following details in
Provider Specific tab.
Property

Value

Host

This is the OID hostname.


IFLMUD5DL2S4G.i-flex.com

Port

389

Principal

This is the Administrators account


cn=orcladmin

Credential

This is the administrator account password welcome1

Confirm Credential

This is the administrator account password welcome1

User Base DN

This is the OID user search base


cn=Users,dc=i-flex,dc=com

Group Base DN

This is the OID group search base


cn=Groups,dc=i-flex,dc=com

Use Retrieved User Name as Principal

Check this.

Propagate Cause For Login Exception

Check this.

7. Restart the oaam domain server and select Home->Summary of Security Realms->myrealm->Users
and Groups tab to verify the list of users and groups being propagated from OID.

8. If users and groups are populated from OID then change the Control Flag of the OID authenticator to
Sufficient and click Save. Change the Control flag of the Default Authenticator to Optional and click
Save and restart the weblogic server.

Figure 5 : Changing control flag of providers.

9. Restart oaam domain server.

2.2.

Setting up Encryption Credentials for OAAM

Perform this step if you want to generate new encryption keys and don't want to use default keys from
credential store framework. Default encryption keys are generated when the oaam_server_server1 is
started for the first time. If you want to use default encryption keys then you can copy existing keystore
(system_config.keystore,
system_db.keystore)
from
location
({OAAM
MIDDLEWARE}/Oracle_IDM1/oaam/oaam_libs/ear/oaam_native_lib.ear/APP-INF/classes/)
inside
config/security/oaam folder.

2.2.1. Setting up Secret Key for Encrypting Configuration Values:


a. Generate an Encoded Secret Key:
genEncodedKey.sh sample.db_3des_input.properties

If the command is successful you will see the output like this:
Generated key = <encoded_key>

b. Generate Symmetric key from encoded secret key :


1. Create a file config_secret_key.file and add the secret key to the file like this:
tobase64=<secret-key>

2. Encode the key using Base64 algorithm by executing the following command.
encodeKey.sh config_secret_key.file

If the encoding command was successful, you will see output similar to the following:
base64encode is done!
Base64 Encoded value =<encoded_value>

Note this encoded_value, you need this to add in Credential Store Framework.

c. To add symmetric key to the Credential Store Framework:


1.
2.
3.
4.
5.
6.
7.

Log in to Fusion Middleware Control at http://<weblogic_admin_server>:<port>/em using the


Web browser and use the WebLogic Administrator credentials to log in.
Expand the weblogic_domain node in the left Navigation tree.
Select the OAAM domain and right-click and select the menu option Security, and then the option
Credentials in the submenu.
Check if there is a map with the name oaam. If not, click the Create Map option and enter the
Map Name as oaam. Click OK to save the map.
Click the oaam icon to select the map and then click the Create Key option.
In the pop-up window make sure Select Map is oaam.
Enter following details:
i.
Key Name : DESede_config_key_alias . Make sure there are no typos or spaces.
ii.
Type : Generic.

iii.

Credential value : Encoded value of symmetric key

8. Click Ok and make sure that you backup the alias and secret key.
d. Create system_config.keystore:
1.Go to {OAAM MIDDLEWARE}/Oracle_IDM1/oaam/cli folder. Create a file, for example, config_3des_key.file,
and enter above encoded symmetric encryption key.
2.Copy sample.config_3des_input.properties to config_3des_input.properties
3.Update config_3des_input.properties with the keystore password(e.g. welcome1), alias password(e.g.
welcome1), and keyFile(e.g. config_3des_key.file).
4.Generate the keystore using following command.
java -cp lib/oaam_core.jar com.bharosa.vcrypt.common.util.KeyStoreUtil
readFromFile=config_3des_input.properties

updateOrCreateKeyStore

If the KeyStore command was successful, you will see output similar to the following:
updateOrCreateKeyStore done!
Keystore file:system_config.keystore,algorithm=DESede
KeyStore Password=ZG92ZTEyMzQ=
Alias Password=ZG92ZTEyMw==

Note down the Keystore password and Alias Password printed on the screen. You will
need to add these to the oaam_native.properties in the config/security/oaam folder and
bharosa_server.properties of FraudMgmt.ear

2.2.2. Setting up Secret Key for Encrypting Database Values:


a. Generate an Encoded Secret Key:
genEncodedKey.sh sample.db_3des_input.properties

b. If the command is successful you will see the output like this:
Generated key = <encoded_key>

c. Create a file db_secret_key.file and add the secret key to the file like this:
tobase64=<secret-key>

d. Encode the key using Base64 algorithm by executing the following command.
encodeKey.sh db_secret_key.file

If the encoding command was successful, you will see output similar to the following:
base64encode is done!
Base64 Encoded value =<encoded_value>

e. To add symmetric key to the Credential Store Framework:


1. Log in to Fusion Middleware Control at http://<weblogic_admin_
2.
3.
4.
5.
6.
7.

server>:<port>/em using
the Web browser and use the WebLogic Administrator credentials to log in.
Expand the weblogic_domain node in the left Navigation tree.
Select the OAAM domain and right-click and select the menu option Security, and then the
option Credentials in the submenu.
Find out whether there is a map with the name oaam. If not, click the Create Map option
and enter the Map Name as oaam. Click OK to save the map.
Click the oaam icon to select the map and then click the Create Key option.
In the pop-up window make sure Select Map is oaam.
Enter following details:
i.
Key Name : DESede_db_key_alias. Make sure there are no typos or spaces.
ii.
Type : Generic.

iii.

Credential value : Encoded value of symmetric key

8. Click Ok and make sure that you backup the alias and secret key.

f.

Create system_db.keystore using following command :

1. Go to {OAAM MIDDLEWARE}/Oracle_IDM1/oaam/cli folder. Create a file, for example,


db_3des_key.file, and enter above symmetric encryption key.

2. Copy sample.db_3des_input.properties to db_3des_input.properties


3.
Update db_3des_input.properties with the keystore password(e.g. welcome1),
alias password(e.g. welcome1), and keyFile(e.g. db_3des_key.file).
4.
Generate the keystore using following command.
java -cp lib/oaam_core.jar com.bharosa.vcrypt.common.util.KeyStoreUtil updateOrCreateKeyStore
readFromFile=db_3des_input.properties

If the KeyStore command was successful, you will see output similar to the following:
updateOrCreateKeyStore done!
Keystore file:system_db.keystore,algorithm=DESede
KeyStore Password=ZG92ZTEyMzQ=
Alias Password=ZG92ZTEyMw==

Note down the Keystore password and Alias Password printed on the screen. You will need
to add these to the oaam_native.properties in the config/security/oaam folder and
bharosa_server.properties of FraudMgmt.ear

2.3.

Setting Up OAAM Database Credentials in the Credential Store


Framework
This step is mandatory.
1. Log in to Fusion Middleware Control at http://<weblogic_admin_ server>:<port>/em using the Web
browser and use the WebLogic Administrator credentials to log in.
2. Expand the weblogic_domain icon in the left Navigation tree.
3. Select the OAAM domain and right-click and select the menu option Security and then the option
Credentials in the submenu.

Figure 6 : Security Credentials

4. Check to see whether there is a map with the name oaam. If not click the Create Map option and
enter the Map Name as oaam. Click OK to save the map.
5. Click the oaam icon to select the map and then click the Create Key option.
6. In the pop-up window make sure Select Map is oaam.
7. Enter the Key as oaam_db_key. Make sure there are no typos and spaces.
8. Select the Type as Password.
9. Enter the database username of OAAM in the User Name field.
10. Enter the database password of OAAM in the Password field.
11. Enter the description and click Ok.

Figure 7 : Adding oaam_db_key to CSF

2.4.

Update process_results.rule file

Go to {OAAM_MIDDLEWARE}\Oracle_IDM1\oaam\oaam_libs\ear

1. Have a backup of oaam_native_lib.ear as oaam_native_lib.earBKP


2. Open oaam_native_lib.ear.
3. Go to oaam_native_lib.ear\APP-INF\classes\bharosa_properties and copy process_results.rule in
some folder say temp.

4. Open temp\ process_results.rule in editor and add following flexcube specific rules in that file:
<rule name="payeePreauthorized" no-loop="true" salience="100">
<parameter identifier="actionList">
<class>java.util.List</class>
</parameter>
<java:condition>actionList.contains("payeePreauthorized")</java:condition>
<java:consequence>
if (logger != null){
logger.debug("Executing payeePreauthorized condition");

}
finalAction.append("payeePreauthorized");
drools.clearAgenda(); <!-- This stops any other rules from being evaluated -->
</java:consequence>
</rule>
<rule name="Challenge2FA" no-loop="true" salience="100">
<parameter identifier="actionList">
<class>java.util.List</class>
</parameter>
<java:condition>actionList.contains("Challenge2FA")</java:condition>
<java:consequence>
if (logger != null){
logger.debug("Executing Challenge2FA condition");
}
finalAction.append("Challenge2FA");
drools.clearAgenda(); <!-- This stops any other rules from being evaluated -->
</java:consequence>
</rule>
<rule name="Challenge1FA" no-loop="true" salience="100">
<parameter identifier="actionList">
<class>java.util.List</class>
</parameter>
<java:condition>actionList.contains("Challenge1FA")</java:condition>
<java:consequence>
if (logger != null){
logger.debug("Executing Challenge1FA condition");
}
finalAction.append("Challenge1FA");
drools.clearAgenda(); <!-- This stops any other rules from being evaluated -->
</java:consequence>
</rule>
<rule name="Challenge1FADelay" no-loop="true" salience="100">
<parameter identifier="actionList">
<class>java.util.List</class>
</parameter>
<java:condition>actionList.contains("Challenge1FADelay")</java:condition>
<java:consequence>
if (logger != null){
logger.debug("Executing Challenge1FADelay condition");
}
finalAction.append("Challenge1FADelay");
drools.clearAgenda(); <!-- This stops any other rules from being evaluated -->
</java:consequence>
</rule>

<rule name="Challenge2FADelay" no-loop="true" salience="100">


<parameter identifier="actionList">
<class>java.util.List</class>
</parameter>
<java:condition>actionList.contains("Challenge2FADelay")</java:condition>
<java:consequence>
if (logger != null){
logger.debug("Executing Challenge2FADelay condition");
}
finalAction.append("Challenge2FADelay");
drools.clearAgenda(); <!-- This stops any other rules from being evaluated -->
</java:consequence>
</rule>

5. Copy temp\process_results.rule file into oaam_native_lib.ear/APP-INF/classes/bharosa_properties,


{OAAM_MIDDLEWARE}/Oracle_IDM1/oaam/oaam_server/ear/oaam_server.ear/oaam_server.war/W
EB-INF/classes/bharosa_properties/,
{OAAM_MIDDLEWARE}/Oracle_IDM1/oaam/oaam_admin/ear/oaam_admin.ear/oaam_admin.war/W
EB-INF/classes/bharosa_properties/

6. Copy temp\process_results.rule file in {flexcube_host/flexcube_branch}/config/security/oaam folder.

2.5.

Deployments on OAAM servers


1. In weblogic server console, go to deployments and deploy {OAAAM
MIDDLEWARE}\Oracle_IDM1\oaam\oaam_libs\ear\oaam_native_lib.ear on oaam_server_server1 and
oaam_admin_server1.

2. Copy FraudMgmt.ear from \\iflmuw-vss-53\flex-sails\r2b\12. others\oaam to your machine. Open


FraudMgmt.ear and open bharosa_server.properties in editor. Change the keystore passwords which
you have newly generated or if you are using default encryption keys, then take it from {OAAM
MIDDLEWARE}/Oracle_IDM1/oaam/oaam_libs/ear/oaam_native_lib.ear/APPINF/classes/oaam_custom.properties. Also update these keystore details in
config/security/oaam/oaam_native.properties file.
e.g.
bharosa.cipher.encryption.algorithm.enum.DESede_config.keystoreFile=system_config.keystore
bharosa.cipher.encryption.algorithm.enum.DESede_config.keystorePassword=ZG92ZTEyMzQ=
bharosa.cipher.encryption.algorithm.enum.DESede_config.aliasPassword=ZG92ZTEyMw==

bharosa.cipher.encryption.algorithm.enum.DESede_db.keystoreFile=system_db.keystore
bharosa.cipher.encryption.algorithm.enum.DESede_db.keystorePassword=ZG92ZTEyMzQ=
bharosa.cipher.encryption.algorithm.enum.DESede_db.aliasPassword=ZG92ZTEyMw==

3. Deploy FraudMgmt.ear on oaam_server_server1.


4. Start oaam_server_server1 and oaam_admin_server1 managed servers.
5. Hit http://localhost:14200/oaam_admin url. You will be able to see login page for oaam_admin_server.
You can login with oaamadmin/welcome1.

6. Hit http://localhost:14300/FraudMgmt/TwoFactorAuthServicePort?WSDL . You can see the wsdl, if


oaam_server_server is up.

2.6.

Importing policies

1. Copy oaam imports from \\iflmuw-vss-53\flex-sails\r2b\12. others\oaam to your machine. In OAAM admin
server, import properties, groups, entities, transactions, conditions, policies in order.

a. Login to oaam admin server and open properties tab.

Figure 8 : Properties etc. nodes of OAAM admin server

b. Click on import properties and in import properties dialog box give the path of zip file of properties
imports and click on import.

Figure 9 : Import properties dialog box

c. You will be able to see list of imported properties, then click on Done button.

Figure 10 : Dialog box showing Imported properties

d. Restart OAAM servers after importing properties


e. Similarly import remaining zip files and restart oaam_admin_server1.
f.

Restart OAAM servers or re-import zip files if you face any issue during data import.

2.7.

OAAM SOAP Configuration

2.7.1. Enabling SOAP Authentication


1. Set up Oracle Web Services Manager (OWSM) policies :
a. Log in to Fusion Middleware Control at http://<weblogic_admin_server>:<port>/em using the
Web browser and use the WebLogic Administrator credentials to log in.
b. Under weblogic_domain, select the domain and select oaam_server_server1 and right click
and select the Web Services option.

Figure 11: OAAM server web services

c. Click 'Attach Policies'

Figure 12 : 'Attach Policy' link

d. Select all rows corresponding to OAAM Web Services and click the Next button.

Figure 13 : OAAM Web Services

e. Select the row oracle/wss_http_token_service_policy. Click the Next button.

Figure 14 : oracle/wss_http_token_service_policy Policy

f. Click the Attach button on next page and restart OAAM admin and managed servers.

Figure 15 : Attach policy

2. Create SOAP User on Oracle WebLogic server


In oaam domain console we will assign 'OAAMSoapServicesGroup' group to any user which will be
our soap user(say oaamadmin / welcome1).

Figure 16 : 'oaamadmin' user from DefaultAuthenticator realm

3. Client side keystore to secure the SOAP User Password:


a.Go to {OAAM MIDDLEWARE}/Oracle_IDM1/oaam/cli folder.
b.Create a file, for example, soap_3des_key.file, and enter above password of soap user(say
welcome1).
c. Create soap_3des_input.properties in {OAAM MIDDLEWARE}/Oracle_IDM1/oaam/cli folder.
Add Following text in that file :
#This file is pre-configured for creating the keystore which is used for encrypting OAAM configurations/properties.
Make a copy of the is file and edit it.
#This is the password for opening the keystore.
keystorepasswd=welcome1
#This is the password for reading alias (key) in the keystore
keystorealiaspasswd=welcome1
#File containing from key. Please note, keys in AES could be binary. Also note algorithms like 3DES require minimum
24 characeters in the key
#keyFile=config_3des_key.file
keyFile=soap_3des_key.file
#Algorithm to use. This properties is configured for 3DES. Do not change this.
algorithm=DESede
#This is the default keystore file name. Containers like WebLogic provide alternate way of accessing keystore files
keystorefilename=system_soap.keystore

#Name of the aliase for the config key. If you update this, then you need to update the appropriate OAAM config
properties also.
keystorealias=vcrypt.soap.call.passwd
#Keystore type. Default is good enough for most cases
keystoretype=JCEKS
#Prints the encoded keystore and alias passwords on console. These passwords are required to be added in
bharosa_client.properties and bharosa_server.properties to open and read the alias from keystore
printEncodedPasswords=true

d.Update soap_3des_input.properties with the keystore password(e.g. welcome1), alias


password(e.g. welcome1), and keyFile(e.g. soap_3des_key.file).
e.Generate the keystore using following command.
java -cp lib/oaam_core.jar com.bharosa.vcrypt.common.util.KeyStoreUtil updateOrCreateKeyStore
readFromFile=soap_3des_input.properties

f. If the KeyStore command was successful, you will see output similar to the following:
updateOrCreateKeyStore done!
Keystore file:system_soap.keystore,algorithm=DESede
KeyStore Password=ZG92ZTEyMzQ=
Alias Password=ZG92ZTEyMw==

g.Note down the Keystore password and Alias Password printed on the screen. You will need to
add these to the oaam_native.properties in the config/security/oaam folder as shown below,
also copy keystore at the same location.

Figure 17 : oaam_native file changes

2.7.2. Disabling SOAP Authentication:


1.

Set up Oracle Web Services Manager (OWSM) policies :

a.

Log in to Fusion Middleware Control at http://<weblogic_admin_server>:<port>/em using the


browser and use the WebLogic Administrator credentials to log in.

Web

b. Under weblogic_domain, select the domain and select oaam_server_server1 and right click and select
the Web Services option.
c. Click 'Attach Policies'
d. Select all rows corresponding to OAAM Web Services and click the Next button.
e. Select the row oracle/no_authentication_service_policy and oracle/no_authorization_service_policy. Click the
Next button.
f. Click the Attach button on next page and restart OAAM admin and managed servers.
2.

oaam_native.properties file change :


a. Set vcrypt.soap.auth=false

3 General Configuration Issues


This topic will cover most of the issues faced during configuration which are not covered in the previous section
i.e. Configuration steps.

3.1

Error while generating and adding credential keys to CSF

A. Issue Description :
OAAM server creates default credential keys when it is first started. If these are not generated, you might get
following errors in logs.
[APP: oaam_server#11.1.2.0.0] Error while generating and adding key to CSF for the alias
[DESede_db_key_alias]. Error Message = [access denied
(oracle.security.jps.service.credstore.CredentialAccessPermission
context=SYSTEM,mapName=oaam,keyName=DESede_db_key_alias read)][[
java.security.AccessControlException: access denied
(oracle.security.jps.service.credstore.CredentialAccessPermission
context=SYSTEM,mapName=oaam,keyName=DESede_db_key_alias read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
at java.security.AccessController.checkPermission(AccessController.java:549)
at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:458)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:518)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:544)

B. Resolution:
Change all entries of oaam_server, oaam_admin application version system-jazn-data.xml and restart
OAAM admin and managed servers.

Figure 18 : system-jazn-data.xml changes

3.2

Error while Importing custom action groups

A. Issue Description :
Custom action groups (Challenge 1FA, Challenge 1FA Delay, Challenge 2FA, Challenge 2FA
Delay ) has not action assigned to it after import
B. Resolution :
1. Restart OAAM admin and managed servers and try to re-import all groups.

a. If issue still persists, then assign actions to custom action groups.


b. Login to OAAM admin server console and click on 'Groups' link. Search for 'Challenge 1FA'
group as shown below :

Figure 19 : OAAM action groups

c.

Click on 'Challenge 1FA' link in 'Search Results' table which will open 'Challenge 1FA' group
details in new tab. In 'Challenge 1FA' group tab, go to 'Actions' tab and click on 'Add Action'
button.

Figure 20 : Challenge 1FA group tab

d. In 'Add Actions' dialog box search for 'Challenge 1FA' property. From 'Search Results' table
select 'Challenge 1FA' action and click on 'Add' button.

Figure 21 : Add actions

e. You will see success message pop up and the action will get added in 'Actions' tab of
'Challenge 1FA' group tab.

Figure 22 : Challenge 1FA action

f.

Similarly add 'Challenge 1FA and Delay' action for 'Challenge 1FA Delay' action group,
'Challenge 2FA' action for 'Challenge 2FA' group, 'Challenge 2FA and Delay' action for
'Challenge 2FA Delay' group.