Monday, 18 June 2018

OAM Custom Login Page (with Alert and Error Messages)



  • For many applications it is a primary requirement to provide a client-specific login page on which the company logo or messages are displayed.
  • OAM presents this login page to the user when a protected resource is accessed.
  • Mostly .jsp or .html pages are used as custom login pages in OAM.
  • Here a .html page is used as the login page; it has username and password fields and a submit button that posts the credentials.
  • It displays alert messages to the user if the username or password field is left blank. Most importantly, it also shows the OAM error message on the page if a wrong username or password is provided.
  • A <script> tag is used to write the scripts in the .html page that show the alert and error messages.
  • In this page the validate() function produces the alert messages and the ReadCookie() function shows the OAM error messages.
  • This page can be used as a login page for any application just by changing the paths of the .css and image files and, most importantly, the auth_cred_submit URL, which should carry the OAM host and port as below:
        action=http://oam_host:oam_port/oam/server/auth_cred_submit
  • Please find below the code for the HTML page. Copy and paste the contents into Notepad and save it as MyPage.html.

  Code for the Login page

            
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Login to My Application</title>
<link rel="stylesheet" href="images/style.css">
<style>
body {
    background-color: #6694CF;
}
</style>
<script type="text/javascript">
  // Remove leading and trailing whitespace from a string.
  function trim(s) {
    return s.replace(/^\s*/, "").replace(/\s*$/, "");
  }

  // Runs on submit: block the POST if either field is empty.
  function validate() {
    var x = trim(document.forms["frmLogin"]["username"].value);
    if (x == "") {
      alert("Login is Empty");
      return false;
    }
    var y = document.forms["frmLogin"]["password"].value;
    if (y == "") {
      alert("Password is Empty");
      return false;
    }
    return true;
  }

  // Runs on load: map the OAM error code passed in the p_error_codes_list
  // query parameter to a fixed message. Only the known codes produce output;
  // the parameter value itself is never written into the page.
  function ReadCookie() {
    var id = getUrlVars()["p_error_codes_list"];
    var data = "";
    if (id == "OAM-2") {
      data = "<b>UserID or Password is not Correct</b>";
    } else if (id == "OAM-1") {
      data = "<b>An incorrect Username or Password is specified</b>";
    } else if (id == "OAM-8") {
      data = "<b>Authentication failed</b>";
    }
    if (data != "") {
      document.getElementById('mylocation').innerHTML = "<span style=\"color:red\">" + data + "</span>";
    }
    // OAM passes request_id as a query parameter when it redirects to this
    // page; it has to be posted back with the credentials, so copy it into
    // the hidden field (in a .jsp page this is done with <%=reqId%> instead).
    var reqId = getUrlVars()["request_id"];
    if (reqId) {
      document.forms["frmLogin"]["request_id"].value = reqId;
    }
  }

  // Parse the query string into an associative array of name -> value.
  function getUrlVars() {
    var vars = [], hash;
    var query = window.location.search.slice(1);
    var hashes = query == "" ? [] : query.split('&');
    for (var i = 0; i < hashes.length; i++) {
      hash = hashes[i].split('=');
      vars.push(hash[0]);
      vars[hash[0]] = decodeURIComponent(hash[1] || "");
    }
    return vars;
  }
</script>
</head>
<body onload="ReadCookie()">
<div style="position:absolute; visibility:visible; left:5px; top:5px;">
  <img src="images/child.jpg" alt="Child" height="200" width="200">
  <!--img src="images/ascena-eprocurement-color.png" width="65%"/-->
</div>
<section class="container">
  <div class="login">
    <h1>Login to App</h1>
    <form name="frmLogin" onsubmit="return validate()" action="http://localhost:14100/oam/server/auth_cred_submit" method="post">
      <p><input type="text" name="username" placeholder="Username"></p>
      <p><input type="password" name="password" placeholder="Password"></p>
      <p><input name="request_id" value="" type="hidden"></p>
      <p><input type="submit" name="sSubmit" value="Login"></p>
      <label id="mylocation"></label>
    </form>
    <div class="login-help">
      <p>Forgot your password? <a href="http://localhost:7001/console">Click here to reset it</a>.</p>
    </div>
  </div>
</section>
</body>
</html>
  • Keep this page under the htdocs folder of OHS.

  • Create an Authentication scheme named MyScheme as per the screenshot below.

  • If a .jsp page is wanted, modify the page accordingly (use <% tags instead of script); it then has to be deployed on the OAM server as a .war file, and the Authentication scheme should be as below.
  • Create an Authentication policy MyPolicy using MyScheme and protect the required resource with that policy.
  • It gives alert and error messages as below:
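The ReadCookie() and getUrlVars() functions above compare the p_error_codes_list value against three known OAM codes and only ever write fixed strings into the page, which is what keeps an attacker-controlled value in that parameter out of the DOM. The block below is an added example, not code from the original post, that makes this explicit: it uses the standard URL/URLSearchParams API for parsing, an allowlist object for the codes, and textContent instead of innerHTML. The function names and the assumption that several codes may arrive comma-separated (suggested by the parameter name, not stated in the post) are mine; the three codes and messages are the ones used in the page.

```javascript
// Added example (not from the original post): a defensive version of the
// ReadCookie()/getUrlVars() logic. OAM error codes arrive on the login URL in
// the p_error_codes_list query parameter; this maps known codes to fixed
// messages and never writes the raw parameter value into the page.

// Fixed messages for the OAM error codes handled by the login page.
// Any code not listed here is ignored, so a value supplied by someone
// other than OAM cannot reach the DOM.
var OAM_ERROR_MESSAGES = {
  "OAM-1": "An incorrect Username or Password is specified",
  "OAM-2": "UserID or Password is not Correct",
  "OAM-8": "Authentication failed"
};

// Parse the query string of a URL into a plain object, decoding each value.
// Using URL/URLSearchParams instead of splitting href by hand means the
// fragment (#...) is never mistaken for part of a parameter value.
function getQueryParams(href) {
  var params = {};
  new URL(href).searchParams.forEach(function (value, name) {
    params[name] = value;
  });
  return params;
}

// The request_id OAM appended to the login URL, to be posted back in the
// hidden form field; null when absent.
function loginRequestId(href) {
  var id = getQueryParams(href)["request_id"];
  return id === undefined || id === "" ? null : id;
}

// Return the message for the first recognised code in p_error_codes_list,
// or null if the parameter is absent or carries only unknown codes.
// Assumption (not stated in the post): the parameter may carry several
// codes separated by commas, as its name suggests.
function oamErrorMessage(href) {
  var list = getQueryParams(href)["p_error_codes_list"];
  if (!list) {
    return null;
  }
  var codes = list.split(",");
  for (var i = 0; i < codes.length; i++) {
    var code = codes[i].trim();
    if (Object.prototype.hasOwnProperty.call(OAM_ERROR_MESSAGES, code)) {
      return OAM_ERROR_MESSAGES[code];
    }
  }
  return null;
}

// Write the message into the element using textContent, so it is rendered as
// text and not parsed as HTML. `el` is any object with a textContent property
// (a DOM element in the browser, a plain object in a test). Returns the
// message shown, or null when nothing was shown.
function showOamError(el, href) {
  var msg = oamErrorMessage(href);
  el.textContent = msg === null ? "" : msg;
  return msg;
}

// In the page this replaces the onload handler:
//   <body onload="showOamError(document.getElementById('mylocation'), window.location.href)">
```

The hasOwnProperty check matters: a plain `OAM_ERROR_MESSAGES[code]` lookup would also return inherited properties for values such as `constructor`, so the allowlist is consulted through Object.prototype.hasOwnProperty.call rather than by direct indexing.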
   
     




                                             ******Thanks for visiting*****

Wednesday, 30 May 2018

Enabling Custom Logging in OIM

  • The logger configuration file is present at the location below:
/appl/iam/middleware/user_projects/domains/oim_domain/config/fmwconfig/servers/oim_server1/logging.xml
  • IMPORTANT NOTE:
  Take a backup of the logging.xml file before making any changes.

Steps Followed: 

  • Add the log_handler as required in the XML file. The example below shows the log_handler structure.
<log_handler name='My-Test-handler' level='FINEST' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
<property name='logreader:' value='off'/>
<property name='path' value='/appl/iam/middleware/user_projects/domains/oim_domain/servers/oim_server1/logs/Custom/MyTestLog.log'/>
<property name='format' value='ODL-Text'/>
<property name='useThreadName' value='true'/>
<property name='locale' value='en'/>
<property name='maxFileSize' value='5242880'/>
<property name='maxLogSize' value='52428800'/>
<property name='encoding' value='UTF-8'/>
</log_handler> 
  • Include the added log_handler in the loggers section. The example below shows how a logger references it.
<loggers>
  <!-- existing loggers stay as they are; the new logger is added alongside them -->
  <logger name="MyTestLogger" level="TRACE:32" useParentHandlers="false">
    <handler name="My-Test-handler"/>
    <handler name="console-handler"/>
  </logger>
</loggers>

  • Create the logger object in the Java code written for OIM. The lines below show the package to import and how the logger is obtained in the Java class.
import oracle.core.ojdl.logging.ODLLogger;

public class TestClass {
    // The name must match the <logger name="..."> entry added to logging.xml.
    ODLLogger logger = ODLLogger.getODLLogger("MyTestLogger");

    protected void testMethod(String resourceObject) {
        // Written at java.util.logging level INFO, i.e. ODL NOTIFICATION:1.
        logger.info("its my test log message");
    }
}
  • The logging level can be chosen as required. Please find the table below (Java level and the corresponding ODL message type:level).

  Java Level               ODL Message Type:Level
  SEVERE.intValue()+100    INCIDENT_ERROR:1
  SEVERE                   ERROR:1
  WARNING                  WARNING:1
  INFO                     NOTIFICATION:1
  CONFIG                   NOTIFICATION:16
  FINE                     TRACE:1
  FINER                    TRACE:16
  FINEST                   TRACE:32

Friday, 4 May 2018

Installation of OIM using pre-existing Database and Schema



·  Sometimes, because of misconfigurations or human error, OIM environments get corrupted or stop responding properly, so OIM has to be reinstalled to set the environment up again.
·  This blog explains such a scenario, where we reinstall OIM without touching our DB and RCU: the new OIM domain points to the same existing database.

·  This blog explains only the steps that need to be followed, in sequence. General installation steps with screenshots are not shown here.
·  Only the necessary steps that differ from a fresh installation are explained thoroughly.

STEPS
1. It is not required to install the DB and RCU again, as the new domain is going to point to the existing DB/RCU.
2. Install JDK 1.6 or JDK 1.7 using the general steps.
3. Install WebLogic 10.3.6 using the general steps.
4. Install SOA using the general steps.
5. Install the IAM software using the general steps.
6. Create the domain for OIM pointing to the existing DB/schema. Provide the old DB and schema details.
The next steps differ from those of a fresh installation and are our point of interest.
7. OPSS configuration / configure the Database Security Store using the join operation.
OPSS JOIN:
  • The security store within your DB is encrypted using an encryption key. The first step is to export that key.
  • Let's assume oimdomain1 is the domain initially configured with the security store and oimdomain2 is the new domain that needs to be associated with it.
i)   First export the encryption key using the command below:

cd $MW_HOME/oracle_common/common/bin
./wlst.sh

exportEncryptionKey(jpsConfigFile="MW_HOME/user_projects/domains/oimdomain1/config/fmwconfig/jps-config.xml", keyFilePath="MW_HOME/user_projects/domains/oimdomain1/config/fmwconfig/key_opss", keyFilePassword="q1w2e3r4")
(keyFilePassword is the password that was used to create the old OPSS security store)
  • Then copy the generated key_opss file from the old domain to the new domain.
ii)  Associate the security store with the new domain oimdomain2:

cd $MW_HOME/oracle_common/common/bin

./wlst.sh MW_HOME/Oracle_IDM1/common/tools/configureSecurityStore.py -d MW_HOME/user_projects/domains/oimdomain2 -c IAM -p Oracle123 -m join -k MW_HOME/user_projects/domains/oimdomain2/config/fmwconfig/key_opss -w q1w2e3r4

(Here Oracle123 is the OPSS schema password and q1w2e3r4 is the key file password)

iii) Then validate whether the store is configured properly:

cd <MW_HOME>/oracle_common/common/bin

./wlst.sh MW_HOME/Oracle_IDM1/common/tools/configureSecurityStore.py -d /opt/oracle/apps/Middleware/user_projects/domains/oimdomain2 -m validate

8. Copy the .xldatabasekey file from Middleware_Home/user_projects/domains/oimdomain1/config/fmwconfig of the old domain to the corresponding location of the new domain.

9. Proceed to OIM configuration using the general steps.

10. After configuring OIM, copy the three files cwallet.sso, default_keystore.jks and xlserver.crt from Middleware_Home/user_projects/domains/oimdomain1/config/fmwconfig of the old domain to the corresponding location of the new domain.

11. Restart the OIM admin and managed servers.




******************************Thanks for Visiting*********************************

Tuesday, 10 April 2018

Relay State in OAM



·  The 'RelayState' parameter is used to automate the redirection of a user to a specific target page URL as soon as authentication against the IdP completes successfully and the SAML assertion is posted to the SP.
·  If the user should land on a specific page other than the home page, we can configure it through RelayState.
·  E.g. to take the user directly to a particular training course, configure it as /sf/learning/training_module_5 or similar.
·  We can set this value using the updatePartnerProperty command in WLST as below:

updatePartnerProperty(partnerName="salesforce",partnerType="SP",propName="providerrelaystate",propValue="https:sf/learning/training/internal",type="string")

Steps:
cd /opt/oracle/middleware/Oracle_IDM1/common/bin
./wlst.sh
connect('weblogicuser','password','t3://host:port')
domainRuntime()
updatePartnerProperty(partnerName="SalesforceSP",partnerType="sp", propName="providerrelaystate", propValue="/sf/learning")

·  RelayState values can't be seen in the SAML response itself, but they can be observed in a network trace.
·  Press F12 → Network → Preserve log → hit the URL → scroll down
·  At the end we can see the parameter as shown below:


RelayState: /sf/learning
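The point made above, that RelayState is not inside the SAML response but is visible in the network trace, follows from how the browser delivers the assertion: the POST to the SP's assertion consumer URL carries SAMLResponse (base64-encoded XML) and RelayState as two separate form fields. The block below is an added example, not part of the original post, that decodes such a POST body and checks, on the SP side, that a RelayState is a same-site relative path such as /sf/learning before it is used as the redirect target; a value that is an absolute or protocol-relative URL falls back to a default page. The sample response XML and POST body are constructed here and are far smaller than a real, signed response; the function names are mine. It runs under Node.js (Buffer is used for base64).

```javascript
// Added example (not from the original post): parse the HTTP POST the browser
// sends to the SP after IdP authentication, pull out RelayState, which travels
// beside SAMLResponse rather than inside the assertion, and validate it before
// using it as a redirect target.

// Constructed sample: a minimal stand-in for a SAML Response document.
// A real response is much larger and carries a signature; only the shape matters here.
var SAMPLE_RESPONSE_XML =
  '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">' +
  '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">' +
  '<saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>' +
  '</saml:Assertion></samlp:Response>';

// Constructed sample POST body, in the form a network trace shows it:
// application/x-www-form-urlencoded with SAMLResponse and RelayState fields.
var SAMPLE_POST_BODY =
  "SAMLResponse=" + encodeURIComponent(Buffer.from(SAMPLE_RESPONSE_XML, "utf8").toString("base64")) +
  "&RelayState=" + encodeURIComponent("/sf/learning");

// Decode the POST body into its two fields, base64-decoding SAMLResponse.
function parseSamlPost(body) {
  var fields = new URLSearchParams(body);
  var encoded = fields.get("SAMLResponse");
  return {
    samlResponse: encoded === null ? null : Buffer.from(encoded, "base64").toString("utf8"),
    relayState: fields.get("RelayState")
  };
}

// True only when the RelayState is a path on this site: it must start with a
// single "/", so absolute URLs ("https://..."), protocol-relative URLs
// ("//host/...") and the backslash variants browsers tolerate are rejected.
function isSafeRelayState(relayState) {
  if (typeof relayState !== "string" || relayState.length === 0) {
    return false;
  }
  if (relayState.charAt(0) !== "/") {
    return false;
  }
  if (/^\/[\/\\]/.test(relayState)) {
    return false;
  }
  if (relayState.indexOf("\\") !== -1) {
    return false;
  }
  return true;
}

// Pick the page to send the user to after the assertion is accepted: the
// RelayState when it passes the check above, otherwise the configured default.
function landingPage(relayState, defaultPage) {
  return isSafeRelayState(relayState) ? relayState : defaultPage;
}
```

Looking for the RelayState string inside the decoded SAMLResponse returns nothing, which is exactly why the post says to read it from the network trace rather than from the assertion.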




 **** Thanks for visiting ****

Configure OUD as a new SYSTEMSTORE for OAM(PS2/PS3)

·  OAM has two User Identity Stores: the System Store and the Default Store.
·  Generally, the Default Store is used for authentication to protected applications, and the System Store is used for OAM's own authentication into /oamconsole as well as for authentication to protected applications.
·  By default, both the Default Store and the System Store in OAM are UserIdentityStore1, which is the embedded LDAP of WebLogic.
·  Here we want to change the System Store to OUD, which will then be used for login to both oamconsole and the applications.
 Steps:
1. First configure OUD as a User Identity Store as shown below:
(host and port in Location; user and group search base as per the project)

·  After configuring OUD as a user identity store it should look as below.
·  Check the connection and make it the Default Store; check that it is working.
2. Then take a backup of the oam-config.xml file and the WebLogic config.xml file before proceeding further.
3. Then go to the WebLogic console → Security Realms → myrealm → Providers
·  Create a new provider for OUD:
     Name: OUDAuthenticator
     Type: IPlanetAuthenticator
     Control flag: Sufficient

·  Provide the provider-specific details (host, port, user base DN etc.) as shown below.
·  Reorder the providers as shown below, keeping OUDAuthenticator in 2nd position.
·  Restart the Admin and Managed servers.
4. Then create an oamadmin user for OAM in OUD under the user search base specified earlier, and also create an oamadmin group in OUD under the group search base; add to that group the user that is to be used as the system store user.
·  Here cn=OAMAdministrators and uid=oamadmin are used as the system store group and user for OAM.
5. Go to /oamconsole → Authentication Modules → LDAP → change the identity store from UserIdentityStore1 to OUD. (OAM itself is authenticated by the LDAP module: the OAMAdminAuthentication scheme that protects OAM points to the LDAP module, so it must be changed to our new system store.)

6. Now in oamconsole → User Identity Stores → change the System Store to OUD and press Apply.

·  It will ask to add a user and group → provide both the user and the group and click Validate → it should report success.

7. Now try to access /oamconsole in a different browser with the oamadmin credentials instead of the weblogic user; it should authenticate successfully into oamconsole.

ISSUES:
•  If the error below appears on the /oamconsole → User Identity Store page:
MBean operation access denied. MBean: com.oracle.igf:type=Xml,name=IDSConfig Operation: listAllIdentityDirectoryService() Detail: Access Denied. Required roles: Admin, Operator, Monitor, executing subject: principals=[oamadmin, oamadmin_group, OAMSystemAdminGroup]
To resolve this issue, complete the following steps:
1. Log in to the WebLogic Console (/console) as the weblogic user.
2. Navigate to Security Realms → myrealm.
3. Click the Roles and Policies tab.
4. Expand Global Roles and then Roles.
5. Click View Role Conditions on the line for the Admin role.
6. Click Add Conditions and add both of the following groups:
  oamadmin_group
  OAMSystemAdminGroup
7. Click Save.
8. Restart both the AdminServer and the OAM managed servers.


•  If two login pages appear while accessing the /oamconsole URL:
·  Add the oamadmin user in WebLogic Users and Groups as an Administrator of OAM.




 **** Thanks for visiting ****

Wednesday, 7 February 2018

Configure Logout in OAM using Rewrite Rule


  • This blog explains how to configure logout for an application in OAM 11g that already has an application-specific logout page/URL.
  • This can be achieved with a rewrite rule at the web server level, without any configuration changes in the application.
  • The RewriteRule directives must be added to the httpd.conf file inside the virtual host that is configured to listen on the port in question.
     Example:
     A rule similar to the one below is required when configuring logout for a test application whose logout URL is /testapp/logout and whose custom logout page sits under htdocs of OHS:

     <VirtualHost *:7778>
      RewriteEngine on
      RewriteRule ^/testapp/logout$  /mycustomlogoutpage.html [R]
     </VirtualHost>


     E.g. similarly, when configuring logout for the OIM /identity console with a DCC webgate:

     <VirtualHost *:7777>
      RewriteEngine on
      RewriteRule ^/identity/logout$  /oamsso-bin/logout.pl [R]
     </VirtualHost>
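Both rules above anchor the pattern with ^ and $, which is what restricts them to the exact logout path. The block below is an added example, not part of the original post, that emulates just enough of mod_rewrite's evaluation of a RewriteRule in <VirtualHost> context to check the two rules against sample requests and to show what the anchors buy. The emulation assumes what the mod_rewrite documentation states for this context: the pattern is matched against the URL path only (never the query string), the first matching rule wins, and with [R] the original query string is carried over to the redirect target unless the substitution ends in "?". RewriteCond, per-directory context and the other flags are not modelled, and the function names are mine.

```javascript
// Added example (not from the original post): a small emulation of how
// mod_rewrite evaluates RewriteRule directives inside a <VirtualHost>, used
// to test the two logout rules from the post against sample request targets.

// The two rules from the post.
var LOGOUT_RULES = [
  { pattern: /^\/testapp\/logout$/,  substitution: "/mycustomlogoutpage.html", flags: ["R"] },
  { pattern: /^\/identity\/logout$/, substitution: "/oamsso-bin/logout.pl",   flags: ["R"] }
];

// The first rule written without ^ and $, for comparison only.
var UNANCHORED_RULES = [
  { pattern: /\/testapp\/logout/, substitution: "/mycustomlogoutpage.html", flags: ["R"] }
];

// Split a request target ("/path?query") into its path and query string.
// The base URL is a placeholder; only the path and query are used.
function splitRequest(requestTarget) {
  var u = new URL(requestTarget, "http://placeholder.invalid");
  return { path: u.pathname, query: u.search.slice(1) };
}

// Apply the first rule whose pattern matches the request path. Returns the
// path part of the Location the server would send for [R] (or the rewritten
// target otherwise), or null when no rule matches. The query string is
// appended unless the substitution ends with "?", which discards it.
function applyRewrite(rules, requestTarget) {
  var req = splitRequest(requestTarget);
  for (var i = 0; i < rules.length; i++) {
    var rule = rules[i];
    if (!rule.pattern.test(req.path)) {
      continue;
    }
    var target = rule.substitution;
    if (target.charAt(target.length - 1) === "?") {
      return target.slice(0, -1);
    }
    return req.query === "" ? target : target + "?" + req.query;
  }
  return null;
}

// True when the matching rule (if any) carries the [R] flag, i.e. the client
// is redirected rather than served the target internally.
function isRedirect(rules, requestTarget) {
  var path = splitRequest(requestTarget).path;
  for (var i = 0; i < rules.length; i++) {
    if (rules[i].pattern.test(path)) {
      return rules[i].flags.indexOf("R") !== -1;
    }
  }
  return false;
}
```

Running the unanchored variant shows the difference: it also rewrites /other/testapp/logout and /testapp/logout2, neither of which is the application's logout URL, whereas the anchored rules from the post leave them alone.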




                                               **** Thanks for visiting ****
