Monday, 29 January 2018

Kerberos Configuration in OAM PS3


Follow the steps below to configure Kerberos for OAM:
1. Create the user in Active Directory that OAM will use during WNA
2. Generate the keytab file
3. Transfer the keytab file to the OAM server
4. Configure the krb5.conf file
5. Check the keytab file and the SPN
6. Configure the Kerberos scheme
7. Configure the Kerberos Authentication Module
8. Protect the resource with the Kerberos scheme
9. Enable the browser to return Kerberos tokens
10. Issues and workarounds

1. Create the user in Active Directory that OAM will use during WNA
• Log in to devcorp.Test.com over a Remote Desktop connection.
• Navigate to Active Directory Users and Groups.
• Create a new user as below:
• Provide a password and tick the "password never expires" option.
• Give the user Domain Admins privilege so that the user can log in by RDP.
• The newly created user should now be able to log in with these credentials.

2. Generate the keytab file
• Open cmd in the RDP session and run the command below to create the keytab file:
ktpass /princ HTTP/dev-sso.Test.com@DEVCORP.TEST.COM /mapuser Oamssouser /pass Oracle@12345 /ptype KRB5_NT_PRINCIPAL /out C:\oraclesso1.keytab /kvno 0
• This creates the file oraclesso1.keytab in the root of C:\.

3. Transfer the keytab file to the OAM server
• Copy the keytab file from the RDP session to the local system and transfer it to the OAM server at /appl/iam/middleware/oam/server/config.

4. Configure the krb5.conf file
• Edit the krb5.conf file at /etc/krb5.conf as below:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DEVCORP.TEST.COM
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
udp_preference_limit = 1
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
DEVCORP.TEST.COM = {
kdc = w2ddcw0011003.devcorp.Test.com
admin_server = w2ddcw0011003.devcorp.Test.com
default_domain = DEVCORP.TEST.COM
}

[domain_realm]
devcorp.Test.com = DEVCORP.TEST.COM
.devcorp.Test.com = DEVCORP.TEST.COM
.Test.com = DEVCORP.TEST.COM
dev-sso.Test.com = DEVCORP.TEST.COM
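
The domain_realm section above decides which realm the OAM host and the KDC belong to, and the libdefaults section carries the settings the rest of this post relies on (including the udp_preference_limit workaround from step 10). The Python below is an added example, not code from the original post or from Oracle: it parses a constructed copy of the krb5.conf above, resolves a host name to a realm the way the domain_realm rules work (exact host first, then each parent domain written with a leading dot, then default_realm), and lists settings a WNA setup is missing. The function names and the findings list are the example's own.

```python
"""Parse krb5.conf and answer two questions before turning on WNA: which realm a
host maps to, and whether the settings the post relies on are present.
Added example, not part of the original post; KRB5_CONF is a constructed copy
of the file above."""
import re

KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
default_realm = DEVCORP.TEST.COM
dns_lookup_realm = false
ticket_lifetime = 24h
rdns = false
udp_preference_limit = 1
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
DEVCORP.TEST.COM = {
kdc = w2ddcw0011003.devcorp.Test.com
admin_server = w2ddcw0011003.devcorp.Test.com
default_domain = DEVCORP.TEST.COM
}

[domain_realm]
devcorp.Test.com = DEVCORP.TEST.COM
.devcorp.Test.com = DEVCORP.TEST.COM
.Test.com = DEVCORP.TEST.COM
dev-sso.Test.com = DEVCORP.TEST.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; `name = { ... }` blocks become nested dicts."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith(("includedir ", "include ")):
            continue                                  # directives are not followed here
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            raise ValueError("setting outside any section: " + line)
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                              # start of a nested block (e.g. a realm)
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    return sections


def realm_for_host(conf, host):
    """Map a host to a realm with the domain_realm rules: exact host first, then
    each parent domain written with a leading dot, otherwise default_realm."""
    host = host.lower()
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm")


def wna_findings(conf):
    """List settings this post's WNA setup needs that the parsed krb5.conf lacks."""
    lib = conf.get("libdefaults", {})
    findings = []
    if "default_realm" not in lib:
        findings.append("default_realm is not set")
    if lib.get("udp_preference_limit") != "1":
        findings.append("udp_preference_limit = 1 missing (forces TCP; the fix for the timeout in issue i)")
    if lib.get("rdns", "true") != "false":
        findings.append("rdns should be false so reverse DNS cannot rewrite the SPN host name")
    realm = lib.get("default_realm")
    if realm and "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append("no kdc listed for realm " + realm)
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for h in ("dev-sso.Test.com", "w2ddcw0011003.devcorp.Test.com", "host.example.org"):
        print(h, "->", realm_for_host(conf, h))
    print("findings:", wna_findings(conf) or "none")
```

A note on case: MIT krb5 documents domain_realm entries as lower-case host and domain names, so the function lowercases both the lookup and the configured keys; the mixed-case names in the file above match here, but keeping the file itself in lower case avoids relying on the consuming library to do the same.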

5. Check the keytab file and the SPN
• Verify the keytab and the SPN with the klist and kinit commands as below:
klist -k -t -K -e FILE:/appl/iam/middleware/oam/server/config/oraclesso1.keytab
kinit -V -k -t /appl/iam/middleware/oam/server/config/oraclesso1.keytab HTTP/dev-sso.Test.com@DEVCORP.TEST.COM

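Where klist and kinit are not available on the machine you are checking from, or you would rather not have `klist -K` print key bytes to a shared terminal, the keytab can be inspected directly, since it is a small binary format. The Python below is an added example, not code from the original post or from Oracle. It parses MIT keytab version 2 (the format ktpass writes and klist -k reads), reports each entry's principal, kvno and enctype with only the key length, and checks that the SPN from step 2 is present with an enctype listed in permitted_enctypes in krb5.conf. The keytab bytes it reads are constructed inline with dummy keys; the helper names are the example's own.

```python
"""Offline check of an MIT keytab (the format ktpass writes and klist -k reads).
Added example, not part of the original post: it constructs a sample keytab for
the SPN above and verifies principal and enctypes without exposing key bytes."""
import struct

# Kerberos enctype numbers, named as in the krb5.conf above
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
ENCTYPE_IDS = {v: k for k, v in ENCTYPE_NAMES.items()}
SPN = "HTTP/dev-sso.Test.com@DEVCORP.TEST.COM"
PERMITTED = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "rc4-hmac"]


def _counted(buf, pos):
    """Read a 16-bit length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return bytes(buf[pos + 2:pos + 2 + n]), pos + 2 + n


def parse_keytab(data):
    """Parse keytab file version 0x0502 into a list of entry dicts (key bytes omitted)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot; skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno extension overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)), "key_len": len(key)})
        pos = end
    return entries


def check_spn(data, principal, permitted):
    """Report whether `principal` is in the keytab and which of its enctypes krb5.conf permits."""
    mine = [e for e in parse_keytab(data) if e["principal"] == principal]
    have = [e["enctype"] for e in mine]
    return {"found": bool(mine), "enctypes": have,
            "usable": [t for t in permitted if t in have],
            "kvno": sorted({e["kvno"] for e in mine})}


def build_keytab(entries):
    """Constructed writer for sample data: entries are (principal, enctype_name, kvno, key)."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 1501916138, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, constructed time
        body += struct.pack(">H", ENCTYPE_IDS[enctype]) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)                            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def sample_keytab():
    """Constructed keytab resembling what ktpass produced above (keys are dummy bytes)."""
    return build_keytab([(SPN, "aes256-cts-hmac-sha1-96", 2, b"\x11" * 32),
                         (SPN, "rc4-hmac", 2, b"\x22" * 16)])


if __name__ == "__main__":
    kt = sample_keytab()
    for e in parse_keytab(kt):        # like `klist -k -t -e`, but never reveals key material
        print(e)
    print(check_spn(kt, SPN, PERMITTED))
```

To run it against the real file, replace `sample_keytab()` with the bytes read from /appl/iam/middleware/oam/server/config/oraclesso1.keytab. Bear in mind that a keytab is equivalent to the account's password, so the file copied in step 3 should be readable only by the user that runs OAM.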
6. Configure the Kerberos scheme
• Create an authentication scheme named TESTKerberosScheme as below:

7. Configure the Kerberos Authentication Module
• Create an authentication module named TESTKerberos with the settings below:
Name             TESTKerberos
Key Tab File     /appl/iam/middleware/oam/server/config/oraclesso1.keytab
Principal        HTTP/dev-sso.Test.com@DEVCORP.TEST.COM
KRB Config File  /etc/krb5.conf

8. Protect the resource with the Kerberos scheme
• Create an authentication policy named TESTWNAPolicy as below:
• Protect the resource /WNA.html with the policy created above.

9. Enable the browser to return Kerberos tokens
• Make sure the "Enable Integrated Windows Authentication" option is ticked in Internet Explorer under the Advanced section.
• Add the site under Security -> Local intranet zone.
• The application should then be accessible without any prompt for authentication.

10. Issues and workarounds:
i) The Kerberos-protected application stays in a waiting state for a long time and then returns a timeout error.
Solution: add the following parameter to krb5.conf:
udp_preference_limit = 1

ii) The OAM server log shows:
<Aug 24, 2017 3:15:38 AM CDT> <Error> <oracle.oam.engine.authn> <BEA-000000> <Defective token detected (Mechanism level: GSSHeader did not find the right tag)GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Solution: this was a DNS issue; adding the entry below to the etc\hosts file on the AD server resolved it.


References:
http://onlineappsdba.com/index.php/2012/05/01/oam-11g-integration-with-microsoft-windows-active-directory-wna-iwa-kerberos-for-zero-sign-on/



                                                  **** Thanks for visiting ****

Wednesday, 3 January 2018

OAM PS3 Installation in Linux

OAM Installation and Configuration

Components:

OAM installation consists of the components below:

1. Oracle Database 12.1.0.2.0
2. Oracle's Java Development Kit (JDK) 1.7
3. Oracle's Fusion Middleware Repository Creation Utility 11.1.1.9.0
4. WebLogic Server 10.3.6
5. Oracle Access Management 11.1.2.3.0

Installation Directories:

Component                     Location
ORACLE_BASE                   /appl/iam
Oracle Middleware Home        /appl/iam/middleware
Oracle IDM Home / OAM_HOME    /appl/iam/middleware/oam
WebLogic Home                 /appl/iam/middleware/weblogic_10.3
Installation Log location     ORACLE_INVENTORY_LOCATION/logs
JAVA Home                     /appl/java/jdk1.7.0_80

High Level Steps:

1. Installing and setting up the DB
2. Running RCU
3. Installing the JDK
4. Installing WebLogic
5. Installing OAM
6. OAM domain creation
7. OPSS configuration / configure the Database Security Store


For the detailed document with screenshots, click the link below:
https://drive.google.com/open?id=1vVvLZA83NYnxEtsrStuQHXVplpsd_8CD

                                                          


Sunday, 13 November 2016

Multi-Level Workflow in OIM

Multi-Level Workflow

• We are creating a 3-level workflow that starts from the end user, goes to the Manager's approval at stage 1, and then passes through stage 2 and stage 3 respectively.
• If any one of the users in stage 2 or stage 3 approves the request, that stage is approved and the request moves to the next level.
1. Creating a composite:
• First, create the composite by running the ant command:
cd <OIMHOME>/server/workflows/new-workflow
ant -f new_project.xml
• It asks for the details below:
Please enter application name:
MyMultiLevelApp
Please enter project name:
MyMultiLevelProj
Please enter the service name for the composite. This needs to be unique across applications:
MyMultiLevelServ


2. Customization in JDeveloper:
• Open the MyMultiLevelApp.jws file in Oracle JDeveloper.
• Open the composite.xml file in source mode and edit it as below:
<property name="bpel.preference.oimurl">t3://lcosoim4a.cos.agilent.com:14000/</property>

• Then open the ApprovalProcess.bpel file and add 5 variables: oimurl, PL1, SL1, PL2 and SL2.
• Drag and drop an Assign activity after the AssignRequestWSURL activity and rename it AssignOimUrl.
• Double-click AssignOimUrl and go to the expression.
• Under Functions select BPEL XPath Extension Functions, select getPreference, insert it into the expression and enter the expression below:
ora:getPreference('oimurl')

• Add a Java Embedding activity below the AssignOimUrl activity and rename it Java_Embedding1.
• Here simple hard-coded values are used for testing, as below:
(These are 4 users created in the OIM Identity console; they are the respective approvers declared as PL1, PL2, SL1 and SL2.)
• Open ApprovalTask.task, go to the Data tab and add String payloads as below:
• Add 4 variables: PL1AT, PL2AT, SL1AT and SL2AT.
• The values obtained from the Java embedding are passed as string payload to the human task through these variables.
• Now go to the Human Task in ApprovalProcess.bpel and open the Copy Rules tab.
• Map each variable, e.g. PL1, to the task payload anyType as shown below:
• Then append the value at the end as "/task:PL1AT". Do this for all 4 variables.
e.g.: /ns2:initiateTask/task:task/task:payload/task:PL1AT
         
• Go to ApprovalTask.task -> Assignment tab. Create 3 stages as shown below.
• Change the vote percentage setting so that if 1 person approves, the request moves to the next level.
• Double-click the Manager block and edit the payload as shown below:
• The entry should be:
/task:task/task:payload/ns1:BeneficiaryDetails/ns1:ManagerLogin
• Do the same for the other stages.

3. Deploy in SOA:

• Then deploy it in the SOA server. Follow the screenshots below:
• Then deploy the jar file sca_MyMultiLevelProj_rev1.0 from the /em console.
• Then finish the deployment.


4. Creating the Approval Policy:
• Log in to /sysadmin as xelsysadm and go to Approval Policy.
• Create an Approval Policy MYMultiAP (Operational Level) as shown below:
• Attach the Approval Policy to the Application Instance MyConnector in Scope and, in Approval Process, select MyMultiLevelProj 1.0.




5. Testing:
• Raise a request for an end user, e.g. MyTestUser1, for Application Instance MyConnector.
• First the request goes to the user's manager, e.g. MYTESTMANAGER1; after that approval the request goes to the Primary Level and then to the Secondary Level.
• The request moves from Primary to Secondary and from Secondary to the Provisioned state if at least one member approves the request in each stage.
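
The approval rules described in this post (a single manager at stage 1, then two stages where one approval is enough, with the request reaching Provisioned only when every stage approves) can be modelled outside SOA to work out which test requests to raise and what each should produce. The Python below is an added example, not OIM or SOA code and not from the original post: it decides a stage from its participants' votes using the vote-percentage rule and walks the three stages in order. The stage names, the participants and the 50% setting are assumptions based on the users named above.

```python
"""Simulation of the 3-stage approval flow described above (added example, not
OIM/SOA code). Stages, participants and percentages are assumptions."""

STAGES = [  # (stage name, participants, approval vote percentage that completes the stage)
    ("Manager", ["MYTESTMANAGER1"], 100),
    ("Primary", ["PL1", "PL2"], 50),      # 50% of 2 participants = 1 approval
    ("Secondary", ["SL1", "SL2"], 50),
]


def stage_outcome(participants, percentage, votes):
    """Decide one stage from its votes.
    votes: {user: "APPROVE" | "REJECT"}; users who have not voted yet are absent.
    Returns "APPROVE" once the approval share reaches `percentage`, "REJECT" once
    the remaining voters can no longer reach it, otherwise "PENDING"."""
    total = len(participants)
    approvals = sum(1 for u in participants if votes.get(u) == "APPROVE")
    rejections = sum(1 for u in participants if votes.get(u) == "REJECT")
    needed = -(-total * percentage // 100)          # ceil(total * percentage / 100)
    if approvals >= needed:
        return "APPROVE"
    undecided = total - approvals - rejections
    if approvals + undecided < needed:              # even all remaining approvals are not enough
        return "REJECT"
    return "PENDING"


def run_request(votes_by_stage):
    """Walk the stages in order; return (final state, trail of (stage, outcome)).
    The request reaches 'Provisioned' only when every stage approves."""
    trail = []
    for name, participants, pct in STAGES:
        outcome = stage_outcome(participants, pct, votes_by_stage.get(name, {}))
        trail.append((name, outcome))
        if outcome == "REJECT":
            return "Rejected", trail
        if outcome == "PENDING":
            return "Pending at " + name, trail
    return "Provisioned", trail


if __name__ == "__main__":
    # Constructed test case: manager approves, one approver per later stage, one rejection in Secondary.
    votes = {"Manager": {"MYTESTMANAGER1": "APPROVE"},
             "Primary": {"PL2": "APPROVE"},
             "Secondary": {"SL1": "APPROVE", "SL2": "REJECT"}}
    print(run_request(votes))
```

The PENDING branch is the case worth testing explicitly: a single rejection in Primary or Secondary does not end the request, because the other approver in that stage can still approve it.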




*********************************The End********************************************


              

