Robert Gollehon
FMW Support, Identity and Access Management
June 3, 2020
Proactive Resources for Tools, Training and Social Channels
[Slide graphic: grid of learning options by delivery (self-paced, session playback, live and interactive) and by depth (high-level concepts, deep-dive step-by-step instruction)]
Learning is ongoing. Select and use learning options to meet your needs.
Copyright 2020. Oracle and/or affiliates. All rights reserved.
Safe harbor statement
The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, timing, and pricing of any features or functionality described for Oracle’s
products may change and remains at the sole discretion of Oracle Corporation.
Oracle Support Advisor Webcast
OAM Native Password Policy
OAM Native Password Policy Agenda
LDIF files which define the Password Policy attributes and objectclasses are provided in the $ORACLE_HOME/idm/modules/oracle.idm.ipf_12.2.2/scripts/ldap/ directory
For 12c policy, *_OracleSchema.ldif files are used (the directory also
contains files for the 11g policy)
These can be loaded using an appropriate LDAP tool (ldapmodify, ldifde,
LDAP browsers, etc)
LDIF files are provided for all supported LDAP user stores
Make sure the Bind DN used by the OAM user store has adequate privileges to modify user attributes (including the user password). Grant write access only to the password-policy attributes and the password attribute rather than a directory administrator account: this credential is stored in the OAM configuration, so it should be able to do no more than the password-policy flow requires.
If the password is expired, OAM will evaluate the password policies that
apply to the user and pick the highest priority policy
The change password page will be displayed, prompting user for old and
new password based on the rules in the matching policy
When a new password is submitted, the plugin verifies it adheres to
password rules (including complexity, history, etc)
If password is valid OAM updates the orcluserpwdcreationdate and
orclpwdchangerequired flag
User is redirected to success page
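The expired-password flow above (select the highest-priority matching policy, prompt for old and new password, check the new password against the rules, then update orcluserpwdcreationdate and orclpwdchangerequired) as a runnable model. This is an added illustration written for this page, not OAM or plugin code: the policy and assignment-rule fields mirror the JSON shown later in the REST PUT example (id, name, minLength, idStoreRef, priority, passwordPolicyID, ruleType, ruleValue), while the meaning of ruleType values, the direction of priority (lower number evaluated first), the SHA-256 history digests, the complexity flags and the generalized-time date format are assumptions made for the model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib


def digest(password):
    # Stand-in for the directory's password hash (assumption: plain SHA-256, no salt)
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class PasswordPolicy:
    id: str
    name: str
    minLength: int = 8
    historySize: int = 0            # assumption: previous passwords that may not be reused
    requireMixedCase: bool = False  # assumption: complexity modelled as two flags
    requireDigit: bool = False


@dataclass
class AssignmentRule:
    passwordPolicyID: str
    priority: int                   # assumption: lower number = higher priority
    ruleType: int                   # assumption: 1 = everyone in the store, 2 = members of ruleValue
    ruleValue: str = ""
    idStoreRef: str = "OIDStore"


@dataclass
class User:
    dn: str
    groups: set
    currentPassword: str            # digest of the password currently in the directory
    passwordHistory: list = field(default_factory=list)
    orclpwdchangerequired: bool = True
    orcluserpwdcreationdate: str = ""


def applicable_policy(user, rules, policies):
    """Of the assignment rules matching the user, pick the highest-priority one."""
    matching = [r for r in rules
                if r.ruleType == 1 or (r.ruleType == 2 and r.ruleValue in user.groups)]
    if not matching:
        return None
    return policies[min(matching, key=lambda r: r.priority).passwordPolicyID]


def validate_new_password(user, policy, new_pw):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(new_pw) < policy.minLength:
        problems.append(f"shorter than minLength={policy.minLength}")
    if policy.requireMixedCase and not (any(c.isupper() for c in new_pw)
                                        and any(c.islower() for c in new_pw)):
        problems.append("needs upper- and lower-case characters")
    if policy.requireDigit and not any(c.isdigit() for c in new_pw):
        problems.append("needs a digit")
    if digest(new_pw) == user.currentPassword:
        problems.append("new password equals the current password")
    elif policy.historySize and digest(new_pw) in user.passwordHistory[-policy.historySize:]:
        problems.append(f"reuses one of the last {policy.historySize} passwords")
    return problems


def change_password(user, rules, policies, old_pw, new_pw):
    """Expired-password path: select the policy, verify the old password, check the new
    one, then rotate it, clear the change-required flag and stamp the creation date."""
    policy = applicable_policy(user, rules, policies)
    if policy is None:
        return False, ["no password policy applies to this user"]
    if digest(old_pw) != user.currentPassword:
        return False, ["old password does not match"]
    problems = validate_new_password(user, policy, new_pw)
    if problems:
        return False, problems
    user.passwordHistory.append(user.currentPassword)
    user.currentPassword = digest(new_pw)
    user.orclpwdchangerequired = False
    # LDAP generalized time such as 20200603120000Z (assumed format of the attribute)
    user.orcluserpwdcreationdate = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return True, []


# Constructed sample data shaped like the slide's PUT payload; not from a real OAM instance
POLICIES = {
    "1": PasswordPolicy("1", "Default Policy", minLength=8),
    "5": PasswordPolicy("5", "Restrictive Policy", minLength=15, historySize=3,
                        requireMixedCase=True, requireDigit=True),
}
RULES = [
    AssignmentRule("1", priority=10, ruleType=1),
    AssignmentRule("5", priority=5, ruleType=2, ruleValue="RestrictedGroup"),
]
```

Drive it with a User whose groups include RestrictedGroup and one whose groups are empty: the first is evaluated against policy 5 (minLength 15, history of 3), the second falls through to the default policy 1, and change_password returns the full list of violations rather than stopping at the first, which is what a change-password page needs in order to tell the user everything that is wrong with the submitted value.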
Any policies other than the default policy must be created/managed using the OAM 12c Password Policy Management REST API
The REST API supports the four standard CRUD operations (Create,
Retrieve, Update, Delete)
A Postman collection for this REST API (as well as for the Password Management REST API) is available in note 2458234.1
Accessed on the OAM managed server host/port using URI
/oam/services/rest/access/api/v1/policy/PasswordPolicies
Fully documented in the OAM Password Policy Management REST API
Guide
Retrieval of policies
curl -u weblogic:<password> \
http://oamhost.oracle.com:14100/oam/services/rest/access/api/v1/policy/PasswordPolicies
Deletion of policy
curl -u weblogic:<password> -X DELETE \
http://oamhost.oracle.com:14100/oam/services/rest/access/api/v1/policy/PasswordPolicies
(The request must identify which policy to delete; the slide shows only the base URI. The REST API guide documents the selector the DELETE accepts.)
Updating a policy
curl -u weblogic:<password> -X PUT -H 'content-type: application/json' \
http://oamhost.oracle.com:14100/oam/services/rest/access/api/v1/policy/PasswordPolicies \
-d '{"passwordPolicyInfo":{"id":"5","name":"Restrictive Policy","minLength":15},"assignmentRule":{"idStoreRef":"OIDStore","priority":5,"passwordPolicyID":"5","ruleType":2,"ruleValue":"RestrictedGroup"}}'
Credential handling: -u weblogic:<password> sends the WebLogic administrator credential as HTTP Basic authentication, in the clear over the http:// port shown and into the shell history. In practice call the SSL-enabled managed-server port over https and let curl prompt for the password (-u weblogic with no password) or read it from a netrc file (-n).
LDIF files which define the 11g Password Policy attributes are provided in
the $ORACLE_HOME/idm/oam/server/pswdservice/ldif/ directory
These can be loaded using an appropriate LDAP tool (ldapmodify, ldifde,
LDAP browsers, etc)
LDIF files are provided for all supported LDAP user stores
5 References