Oracle Access Manager 11g:

Administration
Activity Guide

D63114GC10
Edition 1.0
July 2011
D71612

Copyright 2011, Oracle and/or its affiliates. All rights reserved.


Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and
print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way.
Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display,
perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization
of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please
report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.
Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United
States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted
by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.
Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective
owners.

Authors
Vishal Parashar, David Goldsmith
Technical Contributors and Reviewers
Amjad Afanah, Jeremy Banford, Abhijit Bhatode, Rama Bollu, Vikas Pooven Chathoth, Toby Close, Jui Deshpande, Steve Doinidis, Sunil Gupta, Beomsuk Kim, Ashish Kolli, Vadim Lander, Derick Leo, Mayank Maria, Madhu Martin, Vamsi Motukuru, Rey Ong, Vimal Patel, Peter Povinec, Deepak Ramakrishnan, Shankar Raman, Chitra Sabapathy, Narasimhaiah Sreehari, Ramya Subramanya, Ramana Turlapati, Venkat Venkatnarayan, Weifang Xie
This book was published using: Oracle Tutor

Table of Contents
Practices for Lesson 1 ........................................................................................................................................ 1-1
Overview of Practices for Lesson 1 ................................................................................................................... 1-2
Practices for Lesson 2 ........................................................................................................................................ 2-1
Practices for Lesson 2 (Optional) ...................................................................................................................... 2-2
Practice 2-1: Explore Salient New Features of OAM 11g .................................................................................. 2-3
Practices for Lesson 3 ........................................................................................................................................ 3-1
Practices for Lesson 3....................................................................................................................................... 3-2
Practice 3-1: Run Repository Creation Utility .................................................................................................... 3-5
Practice 3-2: Install Oracle WebLogic Server 10.3.3 ......................................................................................... 3-7
Practice 3-3: Install Oracle Identity Management 11g ....................................................................................... 3-8
Practice 3-4: Create a New Domain and Configure the OAM Server ................................................................ 3-9
Practice 3-5: Start the Administration and Managed Server ............................................................................. 3-14
Practice 3-6: Sanity Checks and Walkthrough of Management Interfaces........................................................ 3-16
Practices for Lesson 4 ........................................................................................................................................ 4-1
Practices for Lesson 4....................................................................................................................................... 4-2
Practice 4-1: Remove SSO Policies for EM and WLS Console ........................................................................ 4-3
Practice 4-2: Install and Configure OHS 11g Instances .................................................................................... 4-4
Practice 4-3: Install OAM 11g WebGate ........................................................................................................... 4-9
Practice 4-4: Create an OAM 11g WebGate Instance....................................................................................... 4-10
Practice 4-5: Configure OAM 11g WebGate ..................................................................................................... 4-11
Practice 4-6: Register OAM 11g WebGate with OAM 11g Server..................................................................... 4-12
Practice 4-7: Restart OHS and Validate the Results .......................................................................................... 4-15
Practice 4-8: View the Agent Details by Using OAM Admin Console ................................................................ 4-16
Practice 4-9: Register OAM 10g WebGate by Using OAM Admin Console ...................................................... 4-17
Practice 4-10: Install OAM 10g WebGate ......................................................................................................... 4-18
Practice 4-11: Restart OHS and Validate the Results ....................................................................................... 4-20
Practice 4-12: Register OSSO10g Agent (mod_osso) with OAM 11g Server ................................................... 4-21
Practice 4-13: Restart OHS and Validate the Results ....................................................................................... 4-27
Practice 4-14: View the Agent Details by Using OAM Admin Console .............................................................. 4-28
Practice 4-15: Explore WLS Embedded LDAP Directory and Default OAM User Identity Store ....................... 4-29
Practice 4-16: Create a New User in WLS Embedded LDAP as OAM Admin and WLS Admin User ............... 4-31
Practice 4-17: Configure OID as the New Identity Store for OAM ..................................................................... 4-32
Practice 4-18: Verify the Need to Configure OID Authenticator ........................................................................ 4-34
Practice 4-19: Create OID Authenticator ........................................................................................................... 4-35
Practice 4-20: Verify the Use of OID as the User Store for OAM Authentication .............................................. 4-36
Practice 4-21: Working with WLS Agent ........................................................................................................... 4-37
Practice 4-22: Mode of Communication: WebGate and OAM 11g Server - Setting Server Mode to Simple ..... 4-39
Practice 4-23: Mode of Communication: WebGate and OAM 11g Server - Setting OAM 11g WebGate Mode to Simple ..... 4-41
Practice 4-24: Restart the OHS Instance and Verify the Results ...................................................................... 4-42
Practice 4-25: Change Server Mode to Open and Test WebGate Communication........................................... 4-43
Practices for Lesson 5 ........................................................................................................................................ 5-1
Practices for Lesson 5....................................................................................................................................... 5-2
Practice 5-1: Deploy the My Bank Application .................................................................................................. 5-4
Practice 5-2: Configure Single Sign-On for mybank Application ....................................................................... 5-6
Practice 5-3: Managing Resources ................................................................................................................... 5-7
Practice 5-4: Managing Authentication Policies ................................................................................................ 5-8


Practice 5-5: Managing Authorization Policies .................................................................................................. 5-9
Practice 5-6: Managing Authentication and Authorization Responses: Headers and Cookies.......................... 5-10
Practice 5-7: Managing Authentication and Authorization Responses: Session Variables ............................... 5-12
Practice 5-8: Managing Constraints .................................................................................................................. 5-14
Practice 5-9: Deploy Bakery Application ........................................................................................................... 5-16
Practice 5-10: Unprotect Bakery Application ..................................................................................................... 5-17
Practice 5-11: Protect Employee Home Page Within Bakery Application ......................................................... 5-19
Practice 5-12: Protect Department Sites with Authorization Rules .................................................................... 5-22
Practice 5-13: Demo CGI Scripts to View Responses in Application ................................................................ 5-31
Practice 5-14: Workaround/Patch for HA Lab ................................................................................................... 5-37
Practices for Lesson 6 ........................................................................................................................................ 6-1
Practices for Lesson 6....................................................................................................................................... 6-2
Practice 6-1: Customizing the Login Page ........................................................................................................ 6-3
Practice 6-2: Deploying and Protecting the Example Bakery Web Site on the Two Other OHS Instances ....... 6-8
Practice 6-3: Reviewing Web Site Protection in Your Deployment ................................................................... 6-14
Practice 6-4: Demonstrating Single Sign-On ..................................................................................................... 6-15
Practice 6-5: Examining Browser Cookies During Single Sign-On and Single Logout ...................................... 6-16
Practice 6-6: Using the Session Management Utility......................................................................................... 6-20
Practice 6-7: Examining a Multi-Browser Scenario ........................................................................................... 6-22
Practice 6-8: Constraining the Number of User Sessions ................................................................................. 6-24
Practices for Lesson 7 ........................................................................................................................................ 7-1
Practices for Lesson 7....................................................................................................................................... 7-2
Practice 7-1: Deploying the Sample Application................................................................................................ 7-3
Practice 7-2: Reviewing HTTP Basic Authentication in the Sample Application ............................................... 7-5
Practice 7-3: Preparing the Sample Application for Authentication by Oracle Access Manager ....................... 7-7
Practice 7-4: Configuring the OHS Instance Protected by the 11g WebGate to Access the Sample Application ..... 7-9
Practice 7-5: Configuring WebLogic Server to Use the Oracle Access Manager Identity Assertion Provider ... 7-11
Practice 7-6: Resetting Your Lab System ......................................................................................................... 7-14
Practices for Lesson 8 ........................................................................................................................................ 8-1
Practices for Lesson 8....................................................................................................................................... 8-2
Practice 8-1: Changing the Audit Filter Preset .................................................................................................. 8-3
Practice 8-2: Configuring the Oracle Access Manager Server to Write Audit Log Records to an Oracle Database ..... 8-5
Practice 8-3: Configuring Oracle Business Intelligence Publisher for Oracle Fusion Middleware and Oracle Access Manager Reports ..... 8-12
Practice 8-4: Examining the Default Logging Configuration .............................................................................. 8-15
Practice 8-5: Reviewing Log Messages in FMW Control .................................................................................. 8-18
Practice 8-6: Increasing the Log Level .............................................................................................................. 8-20
Practice 8-7: Resetting the Log Level Back to the Default Level ....................................................................... 8-22
Practices for Lesson 9 ........................................................................................................................................ 9-1
Practices for Lesson 9....................................................................................................................................... 9-2
Practice 9-1: Verify OSSO 10g Server and Configure New OHS Instance ....................................................... 9-8
Practice 9-2: Configure OSSO 10g to Work with Load Balancer ...................................................................... 9-10
Practice 9-3: Register Partner OHS with OSSO 10g......................................................................................... 9-12
Practice 9-4: Restart OHS Partner Instance and Verify SSO to Partner Application ......................................... 9-15
Practice 9-5: Run the Upgrade Assistant .......................................................................................................... 9-16
Practice 9-6: View the Migrated Content and Configure User Identity Store in OAM Admin Console ............... 9-18
Practice 9-7: Coexistence Verification............................................................................................................... 9-19


Practice 9-8: Replace mod_osso with OAM 11g WebGate Agent..................................................................... 9-21
Practices for Lesson 10 ...................................................................................................................................... 10-1
Practices for Lesson 10..................................................................................................................................... 10-2
Practice 10-1: Working with Access Tester ....................................................................................................... 10-3
Practice 10-2: Using OAM-Specific WLST Commands ..................................................................................... 10-6
Practice 10-3: Working with Oracle Enterprise Manager Fusion Middleware Control ....................................... 10-7
Practices for Lesson 11 ...................................................................................................................................... 11-1
Practices for Lesson 11 (Optional) .................................................................................................................... 11-2
Practice 11-1: Prepare the Environment: Configure the Linux Box Before the Migration .................................. 11-3
Practice 11-2: Perform Horizontal Migration ..................................................................................................... 11-11
Practice 11-3: Perform Post-Migration Task ..................................................................................................... 11-14
Practice 11-4: Verify a Successful Horizontal Migration .................................................................................... 11-17
Practice 11-5: Prepare the Environment for HA Lab ......................................................................................... 11-18
Practices for Lesson 12 ...................................................................................................................................... 12-1
Practices for Lesson 12..................................................................................................................................... 12-2
Practice 12-1: Creating a WebLogic Server Cluster .......................................................................................... 12-3
Practice 12-2: Adding the WebLogic Managed Server Instance and Targeting Oracle Access Manager Applications and Data Sources to the Cluster ..... 12-4
Practice 12-3: Creating a Second WebLogic Managed Server Instance Running Oracle Access Manager Server ..... 12-7
Practice 12-4: Adding the Second Instance to the Oracle Access Manager Configuration ............................... 12-8
Practice 12-5: Changing the Request Cache Type and Restarting the Oracle Access Manager Servers......... 12-10
Practice 12-6: Creating a New OHS Instance That Will Load-Balance Oracle Access Manager Server Instances ..... 12-12
Practice 12-7: Configuring the New OHS Instance as a Load Balancer............................................................ 12-14
Practice 12-8: Configuring the Load Balancer Port Number in the Oracle Access Manager Configuration ...... 12-15
Practice 12-9: Modifying the Definition for the Oracle Access Manager 11g WebGate and Reconfiguring the WebGate ..... 12-16
Practice 12-10: Testing the High Availability Deployment ................................................................................. 12-19
Practices for Lesson 4 (Advanced) ................................................................................................................... 13-1
Practices for Lesson 4 (Advanced) (Optional)................................................................................................... 13-2
Practice 4-1: Generate the Certificate Request and Private Key for OAM Server ............................................. 13-3
Practice 4-2: Obtain OAM Server Certificate and CA Certificate from MS Certificate Service .......................... 13-4
Practice 4-3: Encrypt the OAM Server Private Key by Using a Password ........................................................ 13-6
Practice 4-4: Retrieve the OAM Keystore Password ......................................................................................... 13-7
Practice 4-5: Import Private Key, CA Certificate and OAM Server Certificate into Keystore ............................. 13-8
Practice 4-6: Change OAM Server Common Properties and Server Instance Property.................................... 13-11
Practice 4-7: Generate the Certificate Request and Private Key for WebGate ................................................. 13-13
Practice 4-8: Obtain WebGate Certificate and CA Certificate from MS Certificate Service ............................... 13-14
Practice 4-9: Encrypt the WebGate Private Key by Using a Password ............................................................. 13-16
Practice 4-10: Modify WebGate 11g Definition by Using OAM Admin Console ................................................ 13-17
Practice 4-11: Restart OHS and OAM 11g Server ............................................................................................ 13-18
Practice 4-12: Verify Cert Mode of Communication Between WebGate 11g and OAM 11g Server .................. 13-19

Practices for Lesson 1


Chapter 1

Overview of Practices for Lesson 1


Practices for Lesson 1
There are no practices for this lesson.

Practices for Lesson 2


Chapter 2

Practices for Lesson 2 (Optional)


Practices Overview
In these practices, you play a Viewlet to explore some of the key new features of OAM 11g.

Practice 2-1: Explore Salient New Features of OAM 11g


Overview
In this practice, you explore the following new features of OAM 11g:
a) mod_osso Agent Registration with OAM 11g Server (Covered in Lesson 4). Start time in Viewlet: 0:00
b) WebGate 11g Registration with OAM 11g Server (Covered in Lesson 4). Start time in Viewlet: 3:26
c) AuthZ Constraints Example: Identity Constraint (Covered in Lesson 5). Start time in Viewlet: 6:42
d) AuthN Schemes: Step Up AuthN (Covered in Lesson 4). Start time in Viewlet: 8:49
e) Session Management: Search and Terminate Sessions (Covered in Lesson 6). Start time in Viewlet: 9:51
f) Agent and Server Monitoring (Covered in Lesson 10). Start time in Viewlet: 10:29

Assumptions
N/A

Task
Note: You can either play these clips at this point, or you can play them before starting the
practices for the respective lessons where the concepts are covered.
1. Navigate to d:\labs\lesson02. Double-click OAM11gR1_NewFeatures_Viewlet.htm to play the Viewlet.

Practices for Lesson 3


Chapter 3

Practices for Lesson 3


Practices Overview
The following diagram is a topology representation of all the components you will work with in
the lab exercises. Take a moment to review it. It is recommended that you revisit this diagram
during the course of the lab development to get a better perspective on how this topology is
developed in each lab.

In these practices, you install and configure OAM 11g (and all the supporting products that have
to be installed as prerequisite). You perform post install/configure checks. You also learn how to
start and stop the servers and, finally, take a walkthrough of the various consoles (OAM admin
console, FMW Control, WLS admin console).

Important Note for all the Practices:
At the end of each day, stop the managed server, admin server and node manager.
At the start of each day, start the node manager, admin server and managed server.

Practice 3-1: Run Repository Creation Utility


Overview
In this practice, you run RCU against an Oracle DB (11.2.0.1) to seed an OAM product schema.

Assumptions
Make sure you are running the commands as the oracle user. To ascertain this, enter whoami
on the terminal window.

For this practice, you work on your Linux machine, which has a pre-installed and configured Oracle Database.
1. From the terminal window, navigate to the /modules/stage/rcu/bin directory and run rcu:
   cd /modules/stage/rcu/bin
   ./rcu
2. Use the table as a guide to populate the fields:

Step | Window/Page Description | Choices or Values
a. | Welcome | Next
b. | Create Repository | Create
c. | Database Connection Details | Database Type: Oracle Database; Hostname: <your_host>.us.oracle.com; Port: 1521; Service Name: orcl.us.oracle.com; Username: sys; Password: Welcome1; Role: SYSDBA
d. | Checking Global Prerequisites | OK
e. | Select Components | Create a new Prefix: DEV; Component: Identity Management - Oracle Access Manager (Note: Audit services will be automatically selected)
f. | Checking Component Prerequisites | OK
g. | Schema Passwords | Use the same passwords for all schemas. Password: Welcome1; Confirm Password: Welcome1
h. | Map Tablespaces | Next
i. | Repository Creation Utility pop-up window | OK
j. | Creating Tablespaces | OK
k. | Summary | Create
l. | Completion Summary | Close

Practice 3-2: Install Oracle WebLogic Server 10.3.3


Overview
In this practice, you create an Oracle WebLogic Server home directory under the Oracle
Middleware home directory by installing Oracle WebLogic Server 10.3.3.

Tasks
Switch to the Windows machine for this lab.
(Note: From here on, unless explicitly stated, all the practices should be, by default, completed
on the Windows machine.)
1. Open a command prompt and navigate to the D:\Program Files\Java\jdk1.6.0_17\bin directory:
   cd D:\Program Files\Java\jdk1.6.0_17\bin
2. Enter the following command to launch the WLS installer:
   java -jar d:\stage\wls_1033\wls1033_generic.jar
3. Use the table as a guide to populate the fields:

Step | Window/Page Description | Choices or Values
a. | Welcome | Next
b. | Choose Middleware Home Directory | Create a new Middleware home: d:\middleware (Note: Click Yes on the warning box that says D:\middleware is not empty and asks whether you want to proceed; in your case, the middleware directory contains BI Publisher pre-installed.)
c. | Register for Security Updates | Deselect I wish to receive security updates via My Oracle Support
d. | Are You Sure? | Yes
e. | Choose Install Type | Typical
f. | JDK Selection | Select under Local JDK: Sun SDK 1.6.0_17
g. | Choose Product Installation Directories | WebLogic Server: d:\middleware\wls_home; Oracle Coherence: d:\middleware\coherence_home
h. | Choose Shortcut Location | All Users start menu folder
i. | Installation Summary | Next
j. | Installation Complete | Deselect Run Quickstart; Done

Practice 3-3: Install Oracle Identity Management 11g


Overview
In this practice, you create an Oracle home for Oracle Identity Management 11g (11.1.1.3.0).
This stages all the binaries for Oracle Identity Management 11g within the Oracle home.

Assumptions
Make sure Oracle WebLogic Server is installed before you start this practice.

Tasks
1. Double-click setup.exe from the d:\stage\iamsuite\disk1 directory.
2. Use the following table as a guide to populate the fields:

Step | Window/Page Description | Choices or Values
a. | Oracle Universal Installer: Command Line Window | Please specify the JRE/JDK location: D:\Program Files\Java\JDK1.6.0_17
b. | Welcome | Next
c. | Prerequisite Checks | Next
d. | Specify Installation Location | Oracle Middleware Home: D:\middleware; Oracle Home Directory: idm_home
e. | Installation Summary | Install
f. | Installation Progress | Next
g. | Installation Complete | Finish
h. | Windows After Installation Screen | Next
i. | Finish Admin Install | Finish

Practice 3-4: Create a New Domain and Configure the OAM Server
Overview
In this practice, you run the Configuration Wizard to create a new WLS domain and configure
the OAM server as part of the domain.

Assumptions
The previous three practices must be completed to successfully complete this practice.

Tasks
1. Double-click config.cmd from the d:\middleware\oracle_common\common\bin directory.
2. Use the table as a guide to populate the fields:

Step | Window/Page Description | Choices or Values
a. | Welcome | Create a new WebLogic domain
b. | Select Domain Source | Generate a domain configured automatically to support the following products: Oracle Access Manager with Database Policy Store; Oracle Enterprise Manager (Note: Oracle JRF 11.1.1.0 [oracle_common] (Java Required Files) will automatically be selected. Note: Basic WebLogic Server domain is automatically selected and disabled.)
c. | Specify Domain Name and Location | Domain name: oam_domain; Domain location: D:\middleware\user_projects\domains; Application location: D:\middleware\user_projects\applications
d. | Configure Administrator Username and Password | Name: weblogic; Password: Welcome1; Confirm user password: Welcome1
e. | Configure Server Start Mode and JDK | Production Mode; Available JDKs: Sun SDK 1.6.0_17
f. | Configure JDBC Component Schema | Select OAM Infrastructure; Schema Password: Welcome1; DBMS/Service: orcl.us.oracle.com; Hostname: <your_DB_host>.us.oracle.com; Port: 1521 (Note: Hostname is that of the Linux DB machine.)
g. | Test Component Schema | Next
h. | Select Optional Configuration | Select Administration Server; Select Managed Servers, Clusters and Machines
i. | Configure the Administration Server | Next
j. | Configure Managed Servers | Next
k. | Configure Clusters | Next
l. | Configure Machines | Click Add; Name: Windows_Machine
m. | Assign Servers to Machines | Click on Right Arrow to select both servers to the right
n. | Configuration Summary | Create
o. | Creating Domain | Done

3. Now you apply BP01 (Bundled PatchSet 1) 11.1.1.3.1. This step is required to fix base
   bug 10094106. Open a command line window and set the ORACLE_HOME environment
   variable to d:\middleware\idm_home, and set the PATH environment variable to include the
   d:\middleware\idm_home\bin and d:\middleware\idm_home\OPatch directories. Then run
   opatch version to retrieve the OPatch version number. The OPatch version must be
   11.1.0.8.0 or higher to apply this patch successfully (as detailed in the Readme.txt file
   for the BP01 patch).

4. Verify the OUI (Oracle Universal Installer) inventory. OPatch needs access to a valid OUI
   inventory to apply patches. Validate the OUI inventory with the following command:
   opatch lsinventory
   Notice that there is one product installed in d:\middleware\idm_home (the Oracle home),
   which is the 11.1.1.3.0 Oracle IDM Suite.

5. Create a location for storing the unzipped patch. This location is sometimes referred to as
   PATCH_TOP. Unzip the patch zip file (d:\stage\p10094106_111130_Generic.zip) under
   d:\stage\bp01. Hence d:\stage\bp01 is our PATCH_TOP.
6. In the command line window, navigate to the d:\stage\bp01\10094106 directory and apply
   the patch:
   opatch apply
   When prompted "Is the local system ready for patching? [y|n]", answer y.


7. Once the patch has been applied successfully, query the inventory again to see the bugs
   fixed as part of this patch:
   opatch lsinventory
   Note: ORACLE_HOME and PATH must be set in the command window where you execute this
   command; otherwise navigate to the d:\middleware\idm_home\OPatch directory to issue it.
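The two checks in steps 3 and 7 above (OPatch is at least 11.1.0.8.0, and patch 10094106 appears in the inventory afterwards) are done by eye in the lab. The following Python 3 script is an added example, not part of the Oracle guide or of OPatch; it parses the text that opatch version and opatch lsinventory print so the same checks can be scripted. It assumes Python 3 is available on the lab host (it is not part of the lab image) and that ORACLE_HOME and PATH are set as in step 3. The two sample outputs in the script are constructed for the example, laid out the way OPatch 11.1 prints them.

```python
"""Scripted OPatch checks for the BP01 steps (added example, not Oracle code)."""
import re
import subprocess

MIN_OPATCH = (11, 1, 0, 8, 0)   # minimum stated in the BP01 readme
BP01_PATCH = "10094106"

# Constructed sample output of 'opatch version' (format as printed by OPatch 11.1).
SAMPLE_VERSION_OUTPUT = """Invoking OPatch 11.1.0.8.2

OPatch Version: 11.1.0.8.2

OPatch succeeded.
"""

# Constructed sample output of 'opatch lsinventory' after BP01 was applied.
SAMPLE_LSINVENTORY = """Installed Top-level Products (1):

Oracle Identity Management 11g                                   11.1.1.3.0
There are 1 products installed in this Oracle Home.

Interim patches (1) :

Patch  10094106     : applied on Thu Jul 07 10:12:03 PDT 2011
Unique Patch ID:  13000001
   Created on 1 Jun 2011, 04:33:12 hrs PST8PDT
   Bugs fixed:
     10094106

OPatch succeeded.
"""


def parse_version(text):
    """Return the dotted release from 'opatch version' output as an int tuple."""
    match = re.search(r"OPatch Version:\s*([\d.]+)", text)
    if not match:
        raise ValueError("no 'OPatch Version:' line in output")
    return tuple(int(part) for part in match.group(1).split("."))


def opatch_ok(version_output, minimum=MIN_OPATCH):
    """True when the reported OPatch release is at least the BP01 minimum."""
    return parse_version(version_output) >= minimum


def applied_patches(lsinventory_output):
    """Interim patch numbers listed by 'opatch lsinventory'."""
    return set(re.findall(r"^Patch\s+(\d+)\s*:\s*applied on",
                          lsinventory_output, re.MULTILINE))


def bp01_applied(lsinventory_output):
    """True when patch 10094106 is in the inventory listing."""
    return BP01_PATCH in applied_patches(lsinventory_output)


def run_opatch(*args):
    """Run 'opatch <args>' via the shell (opatch.bat on Windows); returns its stdout."""
    proc = subprocess.run("opatch " + " ".join(args), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Live use on the lab host; falls back to the constructed samples if opatch is absent.
    version_text = run_opatch("version") or SAMPLE_VERSION_OUTPUT
    inventory_text = run_opatch("lsinventory") or SAMPLE_LSINVENTORY
    print("OPatch version >= 11.1.0.8.0:", opatch_ok(version_text))
    print("BP01 (10094106) applied     :", bp01_applied(inventory_text))
```

Run it once before opatch apply (expect True/False) and once after step 7 (expect True/True); a False on the first line means the patch must not be attempted with the installed OPatch.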


Practice 3-5: Start the Administration and Managed Server


Overview
In this practice, you learn how to start the administration and managed servers by using the
WLS admin console.

Assumptions
Practice 3-4 must be successfully completed before you start this practice.

Tasks
Following are the steps to start the admin and managed servers by using the WLS admin
console:
1. Double-click the setNMProps.cmd file located in
   D:\middleware\oracle_common\common\bin.
2. Start the node manager by double-clicking startNodeManager.cmd located in
   d:\middleware\wls_home\server\bin.
   Note: Minimize the MS-DOS window where the node manager is started and running.
3. Start the admin server by double-clicking startWebLogic.cmd located in the
   d:\middleware\user_projects\domains\oam_domain directory. When prompted
   for username and password, enter weblogic and Welcome1.
   Note: Wait till you see the "Server started in RUNNING mode" message in the command
   line window to ensure that the admin server has been started.
   Note: This is the first time you are starting the admin server; hence it may take an
   unusually long time to start up (15 to 20 minutes in some cases). Do not kill the
   startup process; this can leave your domain non-functional, with fatal consequences
   (requiring a re-run of RCU with a different prefix name, followed by deleting and
   recreating the oam_domain).
4. Start the Firefox browser by double-clicking the Firefox icon on your desktop (or by
   using the Start > Programs menu option). Enter the URL for the WLS admin console:
   http://<your_host>.us.oracle.com:7001/console
   Note: 7001 is the admin server port.
5. Log in by using the weblogic and Welcome1 credentials.
6. On the left navigator, under Domain Structure, expand the Environment node and click the
   Servers node. On the right pane, click the Control tab, select the check box next to
   oam_server1 and click Start. Click Yes on the Server Life Cycle Assistant page.
   Note (do not perform this step now): You can stop admin and managed servers in a
   similar way by selecting the check box next to the server names and clicking
   Shutdown > Force Shutdown Now.
   Note: You cannot start the admin server by using the WLS admin console; it has to be
   done via the command line.
7. As part of the last step of applying the BP01 patch, you may need to delete the following
   directory content:
   D:\middleware\user_projects\domains\oam_domain\servers\oam_server1\tmp\_WL_user\oam_server\xrd2uw\jsp_servlet\_pages\*
   That is, remove all the class files under the _pages directory.
   Note: In your lab environment you may not see the jsp_servlet\_pages directory. If so,
   skip this step.
8. Restart the admin and managed servers.
Alternative ways to start and stop the admin and managed servers:
To start and stop the admin and managed servers from the command line, you can use the
following:
Start admin server: Double-click
d:\middleware\user_projects\domains\oam_domain\startWebLogic.cmd
Start managed server: From the command prompt, navigate to
d:\middleware\user_projects\domains\oam_domain\bin and run the following command:
startManagedWebLogic.cmd oam_server1
You will be prompted for a username and password (use weblogic and Welcome1) in both
cases. Watch for the RUNNING message in the window, which indicates that the server is up
and running.
To stop the admin and managed servers, press Ctrl+C in the command windows from which
they are running.
You can also use the Windows menu option - Start > Programs > Oracle WebLogic > User
Projects > oam_domain > Start Admin Server for Weblogic Domain and Stop Admin Server to
start and stop the admin server.
You can use the Windows menu option Start > Programs > Oracle WebLogic > WebLogic
Server 11gR1 > Tools > Node Manager to start the node manager.


Practice 3-6: Sanity Checks and Walkthrough of Management Interfaces

Overview
In this practice, you log in to the WLS admin console, OAM admin console, and EM FMW
Control and take a brief walkthrough of the management interfaces. You will also validate the
OAM application deployed on the oam_server1 managed server and the EM application
deployed on the admin server.

Assumptions
Make sure the admin and managed servers are up and running before you start the practice.

Tasks
1. Launch Firefox and enter the URL for the WLS admin console:
   http://<your_host>.us.oracle.com:7001/console (Add this page to the Bookmark Toolbar.)
   Important: Only add http://<your_host>.us.oracle.com:7001/console to the bookmark;
   remove the rest of the string.
   Log in by using weblogic and Welcome1 as username and password.
2. To check the status of the admin and managed servers, navigate by using the left pane,
Domain Structure > oam_domain > Environment > Servers. You should be able to see the
state of both the servers as RUNNING.
3. To check the status of EM FMW Control (application deployed on the admin server), click
AdminServer (admin) > click the Deployments tab. Notice the state of the em application
is Active. Click the em application, which shows you more detailed Properties pages.
4. To check the status of the OAM admin console application (application deployed on the
admin server), click the AdminServer hyperlink (by using the locator link at the top of the
page) > click the Deployments tab. Notice that the state of oam_admin (11.1.1.3.0) is
Active. Click the oam_admin (11.1.1.3.0) application, which shows you more detailed
Properties pages.
5. To check the status of the OAM server (deployed on the oam_server1 managed server),
navigate by using the left pane to the Servers home page (click the Servers node). Click the
oam_server1 managed server. Click the Deployments tab. Notice that the state of
oam_server application is Active. Click the oam_server application, which shows you
more detailed Properties pages.
6. If you want to start or stop individual applications (such as EM FMW Control or OAM admin
console), you could achieve that by navigating to the Domain Structure > oam_domain >
Deployments page. From here, you can individually select the application you want to start
or stop by using the check boxes next to them and then clicking the Start or Stop buttons.
Note: Do not start/stop any application at this point.
7. To check the default users and groups in the WLS embedded LDAP server, navigate to
   Domain Structure > oam_domain > Security Realms by using the left pane. Notice the
   default security realm, myrealm. Click myrealm and then click the Users and Groups tab.
   Notice the weblogic user, which is the default WLS administrator. Click the weblogic
   user and then click the Groups tab. Notice that the user weblogic is a member of the
   Administrators group.

8. Enter the URL for the OAM admin console:
   http://<your_host>.us.oracle.com:7001/oamconsole (Add this page to the Bookmark
   Toolbar.)
   Important: Only add http://<your_host>.us.oracle.com:7001/oamconsole to the bookmark;
   remove the rest of the string.
   Log in by using weblogic and Welcome1 as the username and password.
9. Observe the left-hand pane and the right-hand pane. The left-hand pane contains the
configuration settings (Policy and System) required for the OAM 11g server to run. Clicking
any of the settings will bring up the results on the right-hand side pane.
10. View the two tabs: Policy Configuration, which allows you to set host identifiers and
    create policies, resources, and so on; and System Configuration, which allows you to
    manage agents and data sources (such as LDAP and databases), configure authentication
    modules, manage sessions, and so on.
11. To view the properties of an object selected on the left pane, double-click it, or click it
    and press the Edit (pencil) icon. As you open the properties of different objects, they
    appear on separate tabs on the right pane. A maximum of 10 tabs can be open at any time;
    when the number of tabs exceeds 10, the application asks you to close all or some of them.
    You can also explicitly close single or multiple tabs by using the icons at the top-right
    corner of the tabs on the right pane. The Action and View menus at the top of the left
    pane allow you to view (expand and collapse nodes, and so on) and perform actions
    (delete, create, monitor, and so on) on the node objects. The Search option at the top of
    the left pane allows you to quickly find objects in the Policy Configuration and System
    Configuration tabs.
12. Enter the URL for EM FMW Control: http://<your_host>.us.oracle.com:7001/em (Add this
page to the Bookmark Toolbar.)
Important: Only add http://<your_host>.us.oracle.com:7001/em to the bookmark; remove
the rest of the string.
Log in by using weblogic and Welcome1 as the username and password.
13. On the left pane, you can see the nodes under the Farm_oam_domain node to manage
application deployments, WebLogic Domain Servers and Web tier components (OHS and
so on.)
    Note: At this point you have not configured any OHS instances (OHS is a web tier
    component); in the Lesson 4 practices, when you configure the OHS instances, you will
    see them in EM.
14. You can view the Farm topology by clicking the Topology link on the top of the left pane.
15. Expand the Identity and Access node on the left pane. Click the oam_server node under
the OAM parent node. On the right pane, you can see the properties of oam_server (Key
metrics, Performance Overview, Access Clients and Application Domains). Explore the
menu options by clicking the Oracle Access Manager link on the top-left corner of the right
pane.


Practices for Lesson 4


Chapter 4

Practices Overview
In these practices, you install, configure, and register an OAM 11g WebGate, and an OAM 10g
WebGate with OHS instances. The registration is done via the rreg tool in one case, and OAM
admin console in the other case.
WebGates are policy enforcement agents embedded in a Web server, such as the OHS Web
server. These agents intercept requests for protected resources and redirect the user for
authentication when required. A policy enforcement agent is any front-ending entity that acts as an
access client to enable single sign-on across enterprise applications. To secure access to
protected resources, a Web server, application server, or third-party application must be
associated with a registered policy enforcement agent. The agent acts as a filter for HTTP
requests, and must be installed on the computer hosting the Web server where the application
resides. Individual agents must be registered with Oracle Access Manager 11g after agent
installation. Registering an agent sets up the required trust mechanism between the agent and
Oracle Access Manager 11g SSO engine. Registered agents delegate authentication tasks to
the OAM server. Oracle Access Manager 11g supports the following types of policy
enforcement agents in any combination.
OAM Agents:
A WebGate is one type of agent. It is a Web server plug-in that acts as an access client.
WebGate intercepts HTTP requests for Web resources and forwards them to the OAM server
for authentication and authorization.
1. WebGate 11g: An out-of-the box OAM 11g WebGate communicates with Oracle Access
Manager 11g services by using the OAM proxy.
2. WebGate 10g: An out-of-the-box OAM 10g WebGate. After registration, OAM 10g WebGates
directly communicate with Oracle Access Manager 11g services through a Java-based OAM
proxy that acts as a bridge.
3. AccessGate 10g: A custom OAM 10g WebGate that was created by using the Access
Manager software developer kit (SDK)
OSSO Agent (mod_osso 10g): After registration with Oracle Access Manager, OSSO 10g
agents communicate directly with Oracle Access Manager 11g services through an OSSO
proxy. The OSSO proxy supports existing OSSO agents when upgrading to OAM 11g. The
OSSO proxy handles requests from OSSO agents and translates the OSSO protocol into a
protocol for Oracle Access Manager 11g authentication services.
Important Note:
Any time you get unexpected results during this lesson's practices, it is a good idea to close all
browser windows (using File > Exit; do not use the X icon), relaunch Firefox, and clear all
cookies explicitly by going to Tools > Clear Recent History > Clear Now (make sure Time range
to clear is set to Everything and at least Cookies, Cache, and Active Logins are selected).


Practice 4-1: Remove SSO Policies for EM and WLS Console


Overview
Before you start the rest of the practices for this lesson, you remove the SSO protection for EM
and WLS console (Release Note: 9925717).
The release note states: Oracle recommends that customers remove the policies protecting the
WLS and EM consoles (that is, "/em", "/em/.../*", "/console" and "/console/.../*"). This
means that SSO (using the DomainAgent, a.k.a. WLSAgent) is not used for these consoles; they
are then protected by their own WebLogic login against the domain security realm rather than
by OAM.

Tasks
1. Log in to the OAM admin console by using weblogic and Welcome1. Navigate to Policy
Configuration > Application Domains > IDMDomainAgent > Authentication Policies >
Protected Higher Level Policy
2. Open the policy and the list of resources for the policy is displayed on the right panel.
3. Remove the following resources from the authentication policy (click to the right of the dropdown list for the resource and click the Delete icon):
a) IDMDomain:/console
b) IDMDomain:/console/.../*
c) IDMDomain:/em
d) IDMDomain:/em/.../*
4. Click Apply.
5. Navigate to Policy Configuration > Application Domains > IDMDomainAgent >
Authorization Policies > Protected Resource Policy.
6. Open the policy and the list of resources for the policy is displayed on the right panel.
7. Remove the following resources from the authorization policy (click to the right of the dropdown list for the resource and click the Delete icon):
a) IDMDomain:/console
b) IDMDomain:/console/.../*
c) IDMDomain:/em
d) IDMDomain:/em/.../*
8. Click Apply.
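Why the practice removes two resources per console rather than one: an OAM resource is matched as a URL pattern, and "/console/.../*" covers everything below /console but not "/console" itself, so both entries have to go or the console root stays protected. The following Python 3 script is an added example (it is not Oracle code and does not talk to the OAM server); it encodes this example's reading of the OAM 11g resource pattern rules, which is an assumption to verify against the OAM documentation: "*" matches any run of characters within one path segment, and "/.../" matches zero or more whole directory segments. Query strings and host identifiers are not considered.

```python
"""OAM resource URL pattern matching for the IDMDomainAgent console resources
(added example, not Oracle code; pattern semantics as assumed in the lead-in)."""
import re

# The four resources Practice 4-1 deletes from the authentication and authorization policies.
CONSOLE_RESOURCES = ["/console", "/console/.../*", "/em", "/em/.../*"]


def oam_pattern_to_regex(pattern):
    """Translate an OAM resource URL pattern into an anchored regular expression."""
    out = ["^"]
    i = 0
    while i < len(pattern):
        if pattern.startswith("/.../", i):
            out.append("(?:/[^/]+)*/")     # any depth of directories, then a slash
            i += len("/.../")
        elif pattern[i] == "*":
            out.append("[^/]*")            # wildcard confined to one path segment
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    out.append("$")
    return "".join(out)


def matching_resources(url_path, resources):
    """Resources from the list whose pattern matches the given URL path."""
    return [r for r in resources if re.match(oam_pattern_to_regex(r), url_path)]


def is_covered(url_path, resources):
    """True when at least one resource pattern in the policy still matches the path."""
    return bool(matching_resources(url_path, resources))


if __name__ == "__main__":
    # Before the practice: both console roots and everything below them are covered.
    for path in ["/console", "/console/login/LoginForm.jsp", "/em", "/oamconsole"]:
        print("%-32s -> %s" % (path, matching_resources(path, CONSOLE_RESOURCES)))
    # After removing only the "/.../*" entries, the console roots would still be protected.
    partial = ["/console", "/em"]
    print("/console still covered after partial removal:", is_covered("/console", partial))
```

Note that /oamconsole is not matched by any of the four patterns, so removing them leaves the OAM admin console itself under SSO protection, which is what the release note intends.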


Practice 4-2: Install and Configure OHS 11g Instances


Overview
In this practice, you install OHS 11g (11.1.1.2.0) and configure three instances
(ohs_webgate11g, ohs_webgate10g, and ohs_osso10g) that you use later in this lesson's
practices to configure the WebGate 11g, WebGate 10g, and mod_osso agents.
This practice takes approximately 30 minutes.

Assumptions
N/A

Tasks
1. Start the OSSO 10g and OID 10g instances (these have been pre-installed and configured on
   the Windows machine). Double-click the start_osso10g.bat icon on the desktop. Make
   sure the database and the processes listed in the status output are up and running.


Note: dcm-daemon may show Down status sometimes. Please ignore it.
2. Navigate to d:\stage\WebTier_11.1.1.2.0\disk1 and double-click setup.exe.


3. Use the following table as a guide to populate the fields:

Step | Window/Page Description | Choices or Values
a. | Welcome | Next
b. | Select Installation Type | Install and Configure
c. | Prerequisite Checks | Next
d. | Specify Installation Location | Oracle Middleware home: d:\middleware
     Oracle home directory: ohs_home
e. | Configure Components | Uncheck Oracle Web Cache
f. | Specify WebLogic Domain | Domain Host Name: <your_host>.us.oracle.com
     Domain Port No.: 7001
     User Name: weblogic
     Password: Welcome1
g. | Specify Component Details | Instance Home Location: d:\middleware\ohs_home\instances\ohs_webgate11g
     Note: Replace instance1 with ohs_webgate11g in the location.
     Instance Name: ohs_webgate11g
     OHS Component Name: ohs1
h. | Configure Ports | Auto Port Configuration
i. | Specify Security Updates | Deselect "I wish to receive security updates from My Oracle Support."
     Select Yes on the warning pop-up windows.
j. | Installation Summary | Install
k. | Configuration Progress | Next
l. | Installation Complete | Finish
m. | Windows After Installation Screen | Next
n. | Finish Admin Install | Finish

4. Navigate to
   D:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\htdocs.
   Rename welcome-index.html as welcome-index.html.bak. Copy
   welcome-index.ohs_webgate11g.html from d:\labs\lesson04 to that htdocs directory and
   rename it as welcome-index.html.
   Launch the browser and enter the URL http://<your_host>.us.oracle.com:7778. You should
   see the OHS Welcome page with the message WELCOME TO THE OHS_WEBGATE11G
   INSTANCE RUNNING ON PORT 7778.

5. Now you configure two more instances of OHS: ohs_webgate10g and ohs_osso10g.
   Navigate to d:\middleware\ohs_home\bin and double-click config.bat.
6. Use the following table as a guide to populate the fields:

Step | Window/Page Description | Choices or Values
a. | Welcome | Next
b. | Configure Components | Deselect Oracle Web Cache
c. | Specify WebLogic Domain | Domain Host Name: <your_host>.us.oracle.com
     Domain Port No.: 7001
     User Name: weblogic
     Password: Welcome1
d. | Specify Component Details | Instance home location: d:\middleware\ohs_home\instances\ohs_webgate10g
     Note: Replace instance1 with ohs_webgate10g in the location.
     Instance Name: ohs_webgate10g
     OHS Component Name: ohs1
e. | Configure Ports | Auto Port Configuration
f. | Specify Security Updates | Deselect "I wish to receive security updates from My Oracle Support."
     Select Yes on the warning pop-up windows.
g. | Installation Summary | Configure
h. | Configuration Progress | Next
i. | Installation Complete | Finish

7. Navigate to
   D:\middleware\ohs_home\instances\ohs_webgate10g\config\OHS\ohs1\htdocs.
   Rename welcome-index.html as welcome-index.html.bak. Copy
   welcome-index.ohs_webgate10g.html from d:\labs\lesson04 to that htdocs directory and
   rename it as welcome-index.html.
   Launch the browser and enter the URL http://<your_host>.us.oracle.com:7779. You should
   see the OHS Welcome page with the message WELCOME TO THE OHS_WEBGATE10G
   INSTANCE RUNNING ON PORT 7779.


8. Rerun config.bat from d:\middleware\ohs_home\bin and use the same values you
   specified for the ohs_webgate10g instance, except the following:
   Specify Component Details:
     Instance home location: d:\middleware\ohs_home\instances\ohs_osso10g
     Note: Replace instance1 with ohs_osso10g in the location.
     Instance Name: ohs_osso10g
     OHS Component Name: ohs1
9. Navigate to
   D:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\htdocs.
   Rename welcome-index.html as welcome-index.html.bak. Copy
   welcome-index.ohs_osso10g.html from d:\labs\lesson04 to that htdocs directory and
   rename it as welcome-index.html. Launch the browser and enter the URL
   http://<your_host>.us.oracle.com:7780. You should see the OHS Welcome page with the
   message WELCOME TO THE OHS_OSSO10G INSTANCE RUNNING ON PORT 7780.


Practice 4-3: Install OAM 11g WebGate


Overview
In this practice, you install an OAM 11g WebGate on a pre-installed OHS instance.

Assumptions
An OHS server instance (11.1.1.2.0) should be installed and running in the same Middleware
home where you intend to install the OAM 11g WebGate.
1. Check whether OHS is running by executing opmnctl status from
   d:\middleware\ohs_home\instances\ohs_webgate11g\bin.
2. If the status indicates "Not running", enter opmnctl startall.
3. In the browser window, enter the URL http://<your_host>:7778/ and press Enter.
4. The Welcome page of OHS is displayed.

Tasks
1. Navigate to the d:\stage\webgate11g\Disk1 directory and double-click setup.exe.
2. Use the table as a guide to populate the fields:

Step | Window/Page Description | Choices or Values
a. | Oracle Universal Installer Command Line Window | Please specify JRE/JDK location: d:\Program Files\Java\jdk1.6.0_17
b. | Welcome | Next
c. | Prerequisite Checks | Next
d. | Specify Installation Location | Oracle Middleware Home: d:\middleware
     Oracle Home directory: WebGate11g_home
e. | Install Summary | Install
f. | Installation Progress | Next
g. | Installation Complete | Finish
h. | Windows After Installation Screen | Next
i. | Windows After Installation Screen | Finish


Practice 4-4: Create an OAM 11g WebGate Instance


Overview
In this practice, you create a WebGate instance that will copy required bits of the agent from
WEBGATE_HOME to the WebGate instance location that shares the same INSTANCE_HOME with
OHS.

Assumptions
A WebGate home must exist before attempting this practice.

Tasks
1. Open a command prompt and navigate to the
   D:\middleware\WebGate11g_home\webgate\ohs\tools\deployWebGate directory.
2. Run the following command:
   deployWebGateInstance.bat -w d:\middleware\ohs_Home\instances\ohs_webgate11g\config\OHS\ohs1 -oh D:\middleware\WebGate11g_home
   The -w flag indicates the OHS instance folder and -oh indicates the WebGate Oracle
   home.
   This command creates a webgate folder under
   d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1 and copies the
   configuration files necessary for the WebGate process (shown below) into the
   d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\tools\openssl\simpleCA
   (cacert.pem and cakey.pem) and
   d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config
   (oblog_config_wg.xml) directories.
   Note: cakey.pem is the private key of the bundled sample CA; keep the webgate directory
   readable only by the account that runs OHS.
   The output of the command should look something like this:
   copying files
   d:\middleware\webgate11g_home\webgate\ohs\config\oblog_config_wg.xml 1 File(s) copied
   copying files
   d:\middleware\webgate11g_home\webgate\ohs\tools\openssl\simpleCA\cacert.pem 1 File(s) copied
   copying files
   d:\middleware\webgate11g_home\webgate\ohs\tools\openssl\simpleCA\cakey.pem 1 File(s) copied


Practice 4-5: Configure OAM 11g WebGate


Overview
In this practice, you run the EditHttpConf utility, which will copy OUI-instantiated
apache_webgate.template from WEBGATE_HOME to the WebGate instance location (which
is renamed to webgate.conf), and update the httpd.conf with one additional line to include
webgate.conf.

Assumptions
Make sure a WebGate instance is created before you start this practice.

Tasks
1. Set the PATH environment variable. Right-click the My Computer (<your_host>) icon on
   your desktop, select Properties, click the Advanced tab, and click the Environment
   Variables button. Under System Variables, edit the Path variable. At the end of the
   variable value string, add the following:
   ;D:\middleware\ohs_home\lib
   Click OK three times to save and close the windows.
2. Open a new command line window (so that the PATH change takes effect) and navigate to
   the d:\middleware\webgate11g_home\webgate\ohs\tools\EditHttpConf directory.
3. Run the following command:
   EditHttpConf.exe -w d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1 -oh D:\middleware\WebGate11g_home -o webgate.conf
   It should show the following message:
   The web server configuration file was successfully updated
   d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1/httpd.conf has been backed up as
   d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1/httpd.conf.ORIG
   Verify that D:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1 has
   the webgate.conf, httpd.conf.ORIG (backup file) and httpd.conf files. The last line in
   httpd.conf should be:
   include "D:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1/webgate.conf"
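The verification at the end of step 3 (the three files exist and the include is the last directive) can be scripted. The following Python 3 script is an added example, not part of the WebGate tooling or the Oracle guide. It checks the ohs1 configuration directory as deployWebGateInstance.bat and EditHttpConf.exe leave it, and additionally reports whether ObAccessClient.xml and cwallet.sso are present in webgate\config; those files are produced only by the registration in a later practice, so that check is expected to be False at this point. It assumes Python 3 on the lab host; build_sample_instance() creates a constructed copy of the layout in a temporary directory so the checks can be exercised away from the lab.

```python
"""Post-check for the OAM 11g WebGate instance directory (added example, not Oracle code)."""
import os
import tempfile

OHS_CONF = r"D:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1"
REGISTRATION_FILES = ("ObAccessClient.xml", "cwallet.sso")   # copied in after rreg registration


def last_directive(httpd_conf):
    """Last non-blank, non-comment line of an httpd.conf file."""
    with open(httpd_conf, encoding="utf-8", errors="replace") as fh:
        lines = [line.strip() for line in fh]
    for line in reversed(lines):
        if line and not line.startswith("#"):
            return line
    return ""


def check_webgate_instance(conf_dir):
    """Named checks for the ohs1 config directory. All should be True after
    EditHttpConf except 'registered', which turns True once the registration
    artifacts have been copied into webgate\\config."""
    def path(*parts):
        return os.path.join(conf_dir, *parts)

    result = {
        "webgate_conf": os.path.isfile(path("webgate.conf")),
        "httpd_conf": os.path.isfile(path("httpd.conf")),
        "httpd_conf_backup": os.path.isfile(path("httpd.conf.ORIG")),
        "webgate_config_dir": os.path.isdir(path("webgate", "config")),
    }
    last = last_directive(path("httpd.conf")) if result["httpd_conf"] else ""
    # EditHttpConf appends:  include "<conf_dir>/webgate.conf"
    result["include_is_last"] = (
        last.lower().startswith("include")
        and last.rstrip('"').lower().endswith("webgate.conf")
    )
    result["registered"] = all(
        os.path.isfile(path("webgate", "config", name)) for name in REGISTRATION_FILES
    )
    return result


def build_sample_instance(root, with_include=True):
    """Constructed stand-in for the ohs1 directory as EditHttpConf leaves it."""
    os.makedirs(os.path.join(root, "webgate", "config"), exist_ok=True)
    for name in ("webgate.conf", "httpd.conf.ORIG"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("# constructed sample\n")
    with open(os.path.join(root, "httpd.conf"), "w") as fh:
        fh.write("ServerName localhost\nListen 7778\n")
        if with_include:
            fh.write('include "%s/webgate.conf"\n' % root)
    return root


def demo():
    """Run the checks against a correct and a broken constructed layout."""
    good = build_sample_instance(tempfile.mkdtemp(prefix="ohs1_good_"))
    bad = build_sample_instance(tempfile.mkdtemp(prefix="ohs1_bad_"), with_include=False)
    return check_webgate_instance(good), check_webgate_instance(bad)


if __name__ == "__main__":
    checks = check_webgate_instance(OHS_CONF) if os.path.isdir(OHS_CONF) else demo()[0]
    for name, ok in checks.items():
        print("%-20s %s" % (name, "OK" if ok else "MISSING"))
```

Run it on the lab host after EditHttpConf and again after the registration artifacts are copied in; an "include_is_last" of MISSING usually means EditHttpConf was pointed at the wrong -w directory.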


Practice 4-6: Register OAM 11g WebGate with OAM 11g Server
Overview
In this practice, you run the rreg registration tool, which registers the OAM 11g WebGate.
This exercise uses the in-band mode for the registration. The registration can also be done via
the OAM admin console UI.

Assumptions
The previous three practices must be completed to successfully complete this practice.

Tasks
1. Navigate to D:\middleware\idm_home\oam\server\rreg\input and, by using WordPad,
   edit OAM11GRequest.xml as follows:

Original Value | Replace With
<serverAddress>http://{oam_admin_server_host}:{oam_admin_server_port}</serverAddress> | <serverAddress>http://<your_host>.us.oracle.com:7001</serverAddress>
<hostIdentifier>RREG_HostId11G</hostIdentifier> | <hostIdentifier>OAM11gHostId</hostIdentifier>
<agentName>RREG_OAM11G</agentName> | <agentName>OAM11g_WebGate</agentName>
<agentBaseUrl>http://{web_server_host}:{web_server_port}</agentBaseUrl> | <agentBaseUrl>http://<your_host>.us.oracle.com:7778</agentBaseUrl>
<applicationDomain>RREG_OAM11G</applicationDomain> | <applicationDomain>OAM11g_WebGate</applicationDomain>

   Save and close the file.
2. Navigate to D:\middleware\idm_home\oam\server\rreg\bin. Edit oamreg.bat by using
   WordPad as shown below:

Step | Original Value | Replace With
a. | set OAM_REG_HOME="D:\Remote Registration\RREG client kit\rreg" | set OAM_REG_HOME=D:\middleware\idm_home\oam\server\rreg
     Note: No quotes.
b. | set JDK_HOME=%JAVA_HOME% | set JDK_HOME="%JAVA_HOME%"
     Note: With quotes around the value (JAVA_HOME contains a space).

   Save and close the oamreg.bat file.



3. Set the environment variable JAVA_HOME. Right-click the My Computer (<your_host>) icon
   on your desktop. Select Properties, click the Advanced tab, and click the Environment
   Variables button. Under System Variables, click New. Enter the Variable Name as
   JAVA_HOME and the Variable Value as D:\Program Files\Java\jdk1.6.0_17.
   Click OK three times to save and close the windows.
4. Open a new command line window, navigate to
   D:\middleware\idm_home\oam\server\rreg and run the following command:
   bin\oamreg.bat inband input\OAM11GRequest.xml
   Enter weblogic for the agent username and Welcome1 for the agent password.
   Enter n when prompted to answer the two subsequent questions.
   Explore the output/OAM11g_WebGate folder under
   D:\middleware\idm_home\oam\server\rreg to see the artifacts created by the utility.
   The ObAccessClient.xml (storing the WebGate CONFIG parameters) and cwallet.sso
   (storing the agent key) files must be copied to the WebGate instance config folder.
   cwallet.sso contains the SSKPWG (Shared Secret Key Per WebGate); treat it as a secret,
   because it is what authenticates this agent to the OAM server.
5. Copy cwallet.sso and ObAccessClient.xml from
   D:\middleware\idm_home\oam\server\rreg\output\oam11g_webgate to
   D:\middleware\OHS_Home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config.
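The edit in step 1 of this practice is a set of element-text substitutions in an XML file, so it can be done and checked without WordPad. The following Python 3 script is an added example, not part of the rreg client kit or the Oracle guide. SAMPLE_REQUEST is a constructed, trimmed copy of the OAM11GRequest.xml template containing only the elements the table changes (the real file under rreg\input has more); the host name in LAB_VALUES is an assumed stand-in for <your_host>.us.oracle.com. The script fills the five values and refuses to write the file if any {placeholder} is left, which is the usual reason an in-band run fails against the admin server.

```python
"""Fill the rreg in-band request (added example, not part of the rreg kit)."""
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed template: only the elements the practice edits.
SAMPLE_REQUEST = """<OAM11GRegRequest>
    <serverAddress>http://{oam_admin_server_host}:{oam_admin_server_port}</serverAddress>
    <hostIdentifier>RREG_HostId11G</hostIdentifier>
    <agentName>RREG_OAM11G</agentName>
    <agentBaseUrl>http://{web_server_host}:{web_server_port}</agentBaseUrl>
    <applicationDomain>RREG_OAM11G</applicationDomain>
</OAM11GRegRequest>
"""

# Values from the practice table; oamhost.us.oracle.com is an assumed stand-in for <your_host>.
LAB_VALUES = {
    "serverAddress": "http://oamhost.us.oracle.com:7001",
    "hostIdentifier": "OAM11gHostId",
    "agentName": "OAM11g_WebGate",
    "agentBaseUrl": "http://oamhost.us.oracle.com:7778",
    "applicationDomain": "OAM11g_WebGate",
}

PLACEHOLDER = re.compile(r"\{[a-z_]+\}")   # {oam_admin_server_host} and friends


def fill_request(xml_text, values):
    """Set the text of each named top-level element; return the new XML string."""
    root = ET.fromstring(xml_text)
    for tag, value in values.items():
        node = root.find(tag)
        if node is None:
            raise KeyError("element <%s> not found in request" % tag)
        node.text = value
    return ET.tostring(root, encoding="unicode")


def placeholders_left(xml_text):
    """Unfilled {tokens}, in document order; must be empty before running oamreg.bat."""
    return PLACEHOLDER.findall(xml_text)


def request_values(xml_text):
    """Tag -> text for every top-level element of the request."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "") for child in root}


def edit_request_file(path, values=LAB_VALUES):
    """Rewrite an OAM11GRequest.xml in place, refusing to leave placeholders behind."""
    with open(path, encoding="utf-8") as fh:
        filled = fill_request(fh.read(), values)
    leftover = placeholders_left(filled)
    if leftover:
        raise ValueError("unfilled placeholders: %s" % ", ".join(leftover))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + filled + "\n")


if __name__ == "__main__":
    print(fill_request(SAMPLE_REQUEST, LAB_VALUES))
```

To use it on the lab host, call edit_request_file(r"D:\middleware\idm_home\oam\server\rreg\input\OAM11GRequest.xml") after adjusting LAB_VALUES to your host, then run oamreg.bat as in step 4. The output folder it produces holds cwallet.sso, so keep the rreg directory as tightly permissioned as the WebGate config folder you copy it to.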


Practice 4-7: Restart OHS and Validate the results


Overview
In this practice, you restart the Web server (OHS) for the changes you made in Step 5 of the
previous practice to take effect. Then you validate the result of registering the OAM 11g
WebGate (deployed on the OHS) with the OAM 11g server.

Assumptions
All previous practices for Lesson 4 must be successfully completed before you start this
practice.

Tasks
1. In the command line window, navigate to
   d:\middleware\ohs_home\instances\ohs_webgate11g\bin. Restart the OHS instance by
   using the following commands:
   opmnctl stopall
   opmnctl startall
   Note: You can also use the Windows menu options to start or stop the OHS instance and
   OPMN: Start > Programs > Oracle Web Tier instance <Instance_Name> > Start/Stop Oracle
   HTTP Server <Component_Name> and Start/Stop Oracle Process Manager.
2. Now you verify the WebGate configuration by accessing the protected URL
   http://<your_host>.us.oracle.com:7778. Close all browsers gracefully (File > Exit). Open a
   new browser window, enter the URL http://<your_host>.us.oracle.com:7778 and press Enter.
   Note: If you see the Welcome page without being challenged, clear all the cookies from
   your browser: go to Tools > Clear Recent History, set Time range to clear to Everything,
   select the Cookies, Cache, and Active Logins check boxes, and click Clear Now. (An OAM
   session cookie left over from your OAM admin console login on port 7001 of the same host
   gives you single sign-on to port 7778, because browser cookies are not scoped by port.)
   Note: If you see an OAM Operation Error, restart the OAM managed server (oam_server1)
   and try again.
3. You should be redirected to the OAM SSO login page.
4. Enter weblogic and Welcome1 for the user ID and password.
5. Click Login. The OHS Welcome page should be displayed.
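The validation in steps 2 and 3 depends on seeing the WebGate's redirect, which a browser hides behind the login page. The following Python 3 script is an added example (not Oracle code): it requests a URL without following redirects and names what the first response means. A 302 whose Location path is /oam/server/obrareq.cgi is the WebGate sending the browser to the OAM server for login; a 200 means the page was served with no challenge, either because the resource is unprotected or because the client already holds an OAM session (the cookie situation described in the note above). classify() is kept separate from the network call so the interpretation can be checked on constructed responses; probe() assumes Python 3 on a host that can reach the OHS instance, and the host name in the usage line is an assumed stand-in for <your_host>.us.oracle.com. The same probe() can be pointed at the three console URLs of Practice 3-6 to confirm they answer.

```python
"""Probe a WebGate-protected URL and explain the first response (added example, not Oracle code)."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

OAM_LOGIN_PATH = "/oam/server/obrareq.cgi"   # where an OAM 11g WebGate redirects for login


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the WebGate's redirect stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location):
    """Name the outcome of the first response to a request for the protected URL."""
    if status in (301, 302, 303, 307) and location:
        if urlsplit(location).path.startswith(OAM_LOGIN_PATH):
            return "oam_login"        # WebGate is enforcing: the browser would go authenticate
        return "other_redirect"       # a redirect, but not to OAM (check httpd.conf / app)
    if status == 200:
        return "served"               # no challenge: unprotected, or an existing SSO session
    return "unexpected"               # e.g. 500 with "OAM Operation Error": check oam_server1


def probe(url, timeout=10):
    """Fetch url once, without cookies and without following redirects."""
    opener = urllib.request.build_opener(NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "oam-lab-probe"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.getcode(), resp.headers.get("Location"))
    except urllib.error.HTTPError as err:      # urllib raises for the unfollowed 3xx too
        return classify(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://oamhost.us.oracle.com:7778/"
    print(target, "->", probe(target))
```

Because the script sends no cookies, it reports "oam_login" for the WebGate instance even when your browser would show the Welcome page straight away; that difference is the quickest way to tell a stale session apart from a missing webgate.conf include.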


Practice 4-8: View the Agent Details by Using OAM Admin Console
Overview
In this practice, you log in to the OAM admin console and explore the OAM 11g WebGate agent
that was registered with the OAM 11g server in Practice 4-5. You can also monitor the agent
and view informational and operational details about the agent.

Assumptions
OAM 11g WebGate agent must be registered with the OAM 11g server.

Tasks
1. Log in to http://<your_host>.us.oracle.com:7001/oamconsole by using weblogic and Welcome1.
2. Go to the System Configuration tab.
3. Select OAM11g_WebGate from the 11g WebGates list.
4. Edit (by using the pencil icon or double-clicking) to view the detailed properties.
5. Select the Monitor option from the Actions menu.
6. View some information about the agent by using the Information and Connectivity tabs in the Agent Metrics frame.
   (Note: It might show No Data available right now, but you will use this option later in the practices.)


Practice 4-9: Register OAM 10g WebGate by Using OAM Admin Console
Overview
In this practice, you register an OAM 10g WebGate (10.1.4.3) deployed on an OHS instance, ohs_webgate10g, by using the OAM admin console. In Practice 4-5, you registered an OAM 11g WebGate by using the rreg tool. Now you learn how to perform agent registration by using a GUI.

Assumptions
An OHS instance, ohs_webgate10g, must be up and running before you start this practice. On the command line window, navigate to d:\middleware\ohs_home\instances\ohs_webgate10g\bin and enter opmnctl status.

Tasks
1. Log in to the OAM admin console, http://<your_host>.us.oracle.com:7001/oamconsole, by using weblogic and Welcome1.
2. Click the System Configuration tab, then click 10g WebGates (under Agents > OAM Agents). Click the Create icon on the menu toolbar and specify the following property values for registering an OAM 10g WebGate agent with the OAM 11g server:
   Step  Property Name         Value
   a.    Name                  oam10g_webgate
   b.    Base URL              http://<your_host>.us.oracle.com:7779
   c.    Host Identifier       oam10gHostID
   d.    Public Resource List  /public/index.html
                               Note: Click the plus sign (+) in the Public Resource List table and enter /public/index.html.
   Click Apply when done. To see the output file ObAccessClient.xml generated as part of the registration process, navigate to the d:\middleware\user_projects\domains\oam_domain\output\oam10g_webgate directory.
   Note: You will not need to copy this file from D:\middleware\user_projects\domains\oam_domain\output\oam10g_webgate to the D:\middleware\webgate10g_home\access\oblix\lib directory (similar to what you did for the OAM 11g WebGate registration) because, in this practice, you are installing an OAM 10g WebGate for the first time. The WebGate will automatically configure the file for you based on the configuration information that you provide during the installation steps in the next practice.
   If your OAM 10g WebGate is already installed, and now you are trying to replace the ObAccessClient.xml in the <OHS_INSTANCE_HOME>\config\OHS\ohs1\webgate\config location with the newly registered agent, you need to copy ObAccessClient.xml manually from the D:\middleware\user_projects\domains\oam_domain\output\oam10g_webgate directory to D:\middleware\webgate10g_home\access\oblix\lib.

Practice 4-10: Install OAM 10g WebGate


Overview
In this practice, you install an OAM 10g (10.1.4.3) WebGate.

Tasks
1. Navigate to D:\stage\webgate10g and double-click Oracle_Access_Manager_10_1_4_3_0_Win64_OHS11g_WebGate.exe.
2. Use the table as a guide to populate the fields of the installer. Click Next on the Welcome and Run installer with administrative privileges screens.
   a. Destination Name: D:\middleware\webgate10g_home
      Note: Click Next on the Confirmation dialog box.
   b. Replace Existing File: When prompted to replace the older version of D:\WINNT\system32\msvcirt.dll, click No (Important).
   c. Transport Security Mode: Open
   d. WebGate ID: oam10g_webgate
      Note: This ID must match the agent name and case specified in Practice 4-9.
   e. Password for WebGate:
   f. Access Server ID: AAA
      Note: This ID could be any string of your choice.
   g. Host name where an Access Server is installed: <your_host>.us.oracle.com
   h. Port Number the Access Server Listens to: 5575
      This is the OAP port. The OAM proxy receives requests sent over this port. This port number can be confirmed by looking at the OAM admin console > System Configuration > oam10g_webgate > Server Lists > Host Port.
      Note: If you see the error "Preparing to connect to Access Server. Please wait. Client authentication failed, please verify your WebGate ID", make sure the WebGate information is correct, and if you still get the error, try restarting the admin and managed servers.
   i. Proceed with Automatic Update of httpd.conf?: Yes
   j. Enter the absolute path of httpd.conf file in your webserver config directory: D:\middleware\ohs_home\instances\ohs_webgate10g\config\OHS\ohs1\httpd.conf
   k. Configure WebServer: Next
   l. Pl. read the information below: Next followed by Finish


Practice 4-11: Restart OHS and Validate the Results


Overview
In this practice, you restart the Web server (OHS) for the changes you made in the previous practice to take effect. Then you validate the result of registering an OAM 10g WebGate with an OAM 11g server deployed on the OHS.

Assumptions
Practices 4-7 and 4-8 must be successfully completed before you start this practice.

Tasks
1. Restart the OHS instance by navigating to d:\middleware\ohs_home\instances\ohs_webgate10g\bin on the command line window and running the following commands:
   opmnctl stopall
   opmnctl startall
2. Now you verify the WebGate configuration by accessing the protected URL http://<your_host>.us.oracle.com:7779. Close all browsers gracefully (File > Close Window). Open a new browser window, enter the URL http://<your_host>.us.oracle.com:7779, and press Enter.
3. You should be redirected to the OAM SSO login page.
   Note: In case you get to the Welcome page without a challenge, clear all the cookies from your browser and try again. To clear cookies, go to Tools > Options > Privacy > Remove Individual Cookies > Remove all cookies. Press the Close button followed by OK.
4. Enter weblogic and Welcome1 for user ID and password.
5. Click Login. The OHS Welcome page should be displayed.


Practice 4-12: Register OSSO10g Agent (mod_osso) with OAM 11g Server
Overview
In this practice, you run the rreg registration tool, which registers the OSSO10g agent. This exercise uses the out-of-band mode for registration. The registration can also be done via the OAM admin console UI.
The idea behind having an out-of-band registration mode is the case of registering external partner applications (for example, acme.com) with the OAM server, where you do not want to give the administrators of the application acme.com admin access directly to the OAM 11g server. In that case, the application administrator (for acme) does not have access to the OAM 11g server.
Hence, as Step 1, the application administrator can pass the Request.xml (possibly via email) to a different OAM server administrator (called, say, the security admin) who has the required access to the OAM 11g server.
The OAM server admin will, in turn, run the registration on behalf of the application administrator in the out-of-band mode. This step needs the OAM server to be up because it has to do the actual creation of the agent profile in the server back end.
The OAM admin will pass the resulting Response.xml back to the application administrator (again possibly via email).
Then, as Step 2, the application administrator runs out-of-band registration on the response file to get the artifacts (CONFIG files). This is a local run, which does not need the OAM 11g server to be up.
Steps:
Application Administrator > Request.xml > Security Administrator
Step 1: Security Administrator > Agent registration > Response.xml > Application Administrator
Step 2: Application Administrator > Run Response.xml in out-of-band mode > output artifacts
Example:
Step 1: ./oamreg.sh outofband Request.xml
Output: <Agentname>_Response.xml
Step 2: ./oamreg.sh outofband input/<Agentname>_Response.xml
Output:
osso.conf (for OSSO agents)
ObAccessClient.xml (for OAM 10g and 11g agents)

Assumptions
The OHS instance ohs_osso10g must be up and running. On the command line window,
navigate to d:\middleware\ohs_home\instances\ohs_osso10g\bin and enter
opmnctl status.


Tasks
1. Pretend that you are the application administrator. As an application administrator, navigate to D:\middleware\idm_home\oam\server\rreg\input and, by using WordPad, edit OSSORequest.xml as follows:
   Original Value: <serverAddress>http://{oam_admin_server_host}:{oam_admin_server_port}</serverAddress>
   Replace With:   <serverAddress>http://<your_host>.us.oracle.com:7001</serverAddress>

   Original Value: <hostIdentifier>RREG_HostId</hostIdentifier>
   Replace With:   <hostIdentifier>OSSO10gHostid</hostIdentifier>

   Original Value: <agentName>RREG_OSSO</agentName>
   Replace With:   <agentName>OSSO10g_agent</agentName>

   Original Value: <agentBaseUrl>http://{web_server_host}:{web_server_port}</agentBaseUrl>
   Replace With:   <agentBaseUrl>http://<your_host>.us.oracle.com:7780</agentBaseUrl>

   Original Value: <applicationDomain>RREG_OSSO</applicationDomain>
   Replace With:   <applicationDomain>OSSO10g_agent</applicationDomain>

   Save and close the file. The application administrator provides the metadata details in the request.xml file and emails this file to the security admin.
2. Now pretend that you are the security admin (who has access to the OAM admin console or privileges to run rreg; that is, a member of the Role Mapping, OAM Administrators role). Navigate to D:\middleware\idm_home\oam\server\rreg\bin. Edit oamreg.bat by using WordPad and make sure OAM_REG_HOME has been set correctly (this has already been set correctly in Practice 4-5):
   Step a. Window/Page Description: OAM_REG_HOME="D:\Remote Registration\RREG client kit\rreg"
           Choices or Values: OAM_REG_HOME=D:\middleware\idm_home\oam\server\rreg
           Note: No double quotes.
   Save and close the oamreg.bat file.
3. Make sure the environment variable JAVA_HOME is set correctly (this has already been set correctly in Practice 4-5). Right-click the My Computer (<your_host>) icon on your desktop. Select Properties, click the Advanced tab, and click the Environment Variables button. Under System Variables, locate JAVA_HOME and make sure the value is set to D:\Program Files\Java\jdk1.6.0_17. Click the OK button three times to save and close the windows.
4. Edit the httpd.conf file under d:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1. Search for ServerName <your_host>.us.oracle.com. Replace the value with the following, in lower case:
   ServerName <your_host>.us.oracle.com:7780
   Make sure <your_host>.us.oracle.com is in lower case.
5. As the security admin, open a new command line window, navigate to D:\middleware\idm_home\oam\server\rreg, and run the following command:
   bin\oamreg.bat outofband input\OSSORequest.xml
   Enter weblogic for the agent username and Welcome1 for the agent password (here the security admin is the weblogic user).
   You should get this message after a successful run:


6. Explore the input folder under D:\middleware\idm_home\oam\server\rreg to see the response file OSSO10g_agent_Response.xml created by the utility. The security admin will email this file to the application administrator.
7. Now pretend that you are the application administrator (this user need not be a member of the OAM Administrators role or an LDAP user). Open a new command line window, navigate to D:\middleware\idm_home\oam\server\rreg, and run the following command:
   bin\oamreg.bat outofband input\OSSO10g_agent_Response.xml

   You should get this message after a successful run:
   -----------------------------------------------
   Welcome to OAM Remote Registration Tool!
   Parameters passed to the registration tool are:
   Mode: outofband
   Filename: D:\middleware\idm_home\oam\server\rreg\input\OSSO10g_agent_Response.xml
   Outofband registration (Part 2) completed successfully! Output artifacts are created in the output folder.

   Notice that this time, when you ran oamreg.bat, it did not prompt you for an agent username or password. Hence, this can be run locally by the application administrator with no connection to the WLS admin server. Explore the output\osso10g_agent folder under D:\middleware\idm_home\oam\server\rreg to see the artifact file osso.conf created by the utility.
8. Copy osso.conf from D:\middleware\idm_home\oam\server\rreg\output\OSSO10g_agent to the OHS location at D:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1. Copy the mod_osso.conf file from D:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\disabled to the D:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\moduleconf folder.

9. Edit mod_osso.conf in the D:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\moduleconf folder to resemble the following text (the OssoConfigFile path and the <Location /> block are the changes you make):
   LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
   <IfModule mod_osso.c>
       OssoIpCheck off
       OssoIdleTimeout off
       OssoConfigFile d:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\osso.conf
       OssoSecureCookies off
       OssoHttpOnly off
       #
       # Insert Protected Resources: (see Notes below for
       # how to protect resources)
       #
       #____#
       # Notes
       #
       #______#
       # 1. Here's what you need to add to protect a resource,
       #    e.g. <ApacheServerRoot>/htdocs/private:
       #
       <Location />
           require valid-user
           AuthType Osso
       </Location>

   </IfModule>
   #
   # If you would like to have short hostnames redirected to
   # fully qualified hostnames to allow clients that need
   # authentication via mod_osso to be able to enter short
   # hostnames into their browsers uncomment out the following
   # lines
   #
   #PerlModule Apache::ShortHostnameRedirect
   #PerlHeaderParserHandler Apache::ShortHostnameRedirect
10. Make sure the line
    include "moduleconf/*.conf"
    is uncommented in the d:\middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\httpd.conf file.
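The request file edited in step 1, and the <Agentname>_Response.xml and output/<Agentname> naming described in the overview, can be sanity-checked before the file is emailed to the security admin. The following is an added example, not part of this activity guide or of the rreg tool; the root element name OSSORegRequest, the rreg home path, and the sample host values are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The five elements the application administrator edits in OSSORequest.xml.
EDITED_ELEMENTS = ("serverAddress", "hostIdentifier", "agentName",
                   "agentBaseUrl", "applicationDomain")
# Un-edited template values look like {oam_admin_server_host}.
PLACEHOLDER = re.compile(r"\{[A-Za-z_]+\}")
# Literal defaults shipped in the template that must also be replaced.
TEMPLATE_DEFAULTS = {"hostIdentifier": "RREG_HostId",
                     "agentName": "RREG_OSSO",
                     "applicationDomain": "RREG_OSSO"}
URL_ELEMENTS = ("serverAddress", "agentBaseUrl")

# Constructed sample of a correctly edited request. The root element name is an
# assumption; the child elements are the ones the practice edits.
GOOD_REQUEST = """<OSSORegRequest>
    <serverAddress>http://oamhost.us.oracle.com:7001</serverAddress>
    <hostIdentifier>OSSO10gHostid</hostIdentifier>
    <agentName>OSSO10g_agent</agentName>
    <agentBaseUrl>http://oamhost.us.oracle.com:7780</agentBaseUrl>
    <applicationDomain>OSSO10g_agent</applicationDomain>
</OSSORegRequest>
"""

# Constructed sample with typical mistakes: placeholders left in, a template
# default kept, the agent host typed in capitals without a port, an empty domain.
BAD_REQUEST = """<OSSORegRequest>
    <serverAddress>http://{oam_admin_server_host}:{oam_admin_server_port}</serverAddress>
    <hostIdentifier>RREG_HostId</hostIdentifier>
    <agentName>OSSO10g_agent</agentName>
    <agentBaseUrl>http://OAMHOST.us.oracle.com</agentBaseUrl>
    <applicationDomain></applicationDomain>
</OSSORegRequest>
"""


def read_values(xml_text):
    """Return {element: text} for the edited elements; missing/empty ones map to ''."""
    root = ET.fromstring(xml_text)
    values = {}
    for name in EDITED_ELEMENTS:
        elem = root.find(name)
        values[name] = (elem.text or "").strip() if elem is not None else ""
    return values


def check_request(xml_text):
    """Return a list of problems; an empty list means the file is ready to hand over."""
    problems = []
    values = read_values(xml_text)
    for name, text in values.items():
        if not text:
            problems.append("%s: missing or empty" % name)
        elif PLACEHOLDER.search(text):
            problems.append("%s: template placeholder not replaced (%s)" % (name, text))
        elif TEMPLATE_DEFAULTS.get(name) == text:
            problems.append("%s: still has the template default (%s)" % (name, text))
    for name in URL_ELEMENTS:
        text = values[name]
        if not text or PLACEHOLDER.search(text):
            continue  # already reported above
        parts = urlsplit(text)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append("%s: not an absolute http(s) URL (%s)" % (name, text))
            continue
        if parts.port is None:
            problems.append("%s: port is missing (%s)" % (name, text))
        # mod_osso matches the request host against the registered base URL, so the
        # host is kept lower case, the same as the ServerName set in httpd.conf (step 4).
        if parts.netloc != parts.netloc.lower():
            problems.append("%s: host must be lower case (%s)" % (name, parts.netloc))
    return problems


def expected_artifacts(xml_text, rreg_home="D:/middleware/idm_home/oam/server/rreg"):
    """Files the two out-of-band runs produce, following the <Agentname>_Response.xml
    and output/<Agentname> convention from the overview (rreg_home is an assumption)."""
    agent = read_values(xml_text)["agentName"]
    return {
        "response": "%s/input/%s_Response.xml" % (rreg_home, agent),  # run 1, emailed back
        "osso_conf": "%s/output/%s/osso.conf" % (rreg_home, agent),  # run 2, copied to OHS
    }


if __name__ == "__main__":
    for label, text in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(label + ":", check_request(text) or "OK")
    print(expected_artifacts(GOOD_REQUEST))
```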


Practice 4-13: Restart OHS and Validate the Results


Overview
In this practice, you restart the Web server (OHS) for the changes you made in Steps 6 through 9 of the previous practice to take effect. Then, you validate the result of registering an OSSO 10g agent with an OAM 11g server deployed on the OHS.

Tasks
1. On the command line window, navigate to d:\middleware\ohs_home\instances\ohs_osso10g\bin. Restart the OHS instance by using the following commands:
   opmnctl stopall
   opmnctl startall
2. Now you verify the agent configuration by accessing the protected URL http://<your_host>.us.oracle.com:7780. Close all browsers gracefully (File > Close Window). Open a new browser window, enter the URL http://<your_host>.us.oracle.com:7780, and press Enter.
3. You should be redirected to the OAM SSO login page.
   Note: In case you get to the Welcome page without a challenge, clear all the cookies from your browser and try again. To clear cookies, go to Tools > Clear Recent History. Click the Clear Now button.
4. Enter weblogic and Welcome1 for user ID and password.
5. Click Login. The OHS Welcome page should be displayed.


Practice 4-14: View the Agent Details by Using OAM Admin Console
Overview
In this practice, you log in to the OAM admin console and explore the OAM 10g agent that was registered with the OAM 11g server in Practice 4-11. You can also monitor the agent and view informational and operational details about the agent.

Assumptions
The OSSO10g agent must be registered with the OAM 11g server.

Tasks
1. Log in to http://<your_host>.us.oracle.com:7001/oamconsole.
2. Go to the System Configuration tab.
3. Select Agents > OSSO Agents > osso10g_agent.
4. Edit (by using the pencil icon or double-clicking) to view the detailed properties.


Practice 4-15: Explore WLS Embedded LDAP Directory and Default OAM User Identity Store
Overview
In this practice, you explore the WLS embedded LDAP directory, which is used to authenticate the weblogic user (an OAM admin and WLS admin user).
Administrator and user identities are stored within an LDAP user identity store. A user identity store is a centralized LDAP store in which an aggregation of administrator- and user-oriented data is kept and maintained in an organized way.
Only user and group identity data are stored in the centralized LDAP store. Only the primary user identity store can be used to authenticate administrators signing in to use the OAM administration console or custom administrative commands for OAM 11g in WLST.
In the OAM 11g administration console, user identity store registrations are organized under the Data Sources node of the System Configuration tab. Administrators can register, view, modify, and delete user identity store registrations by using either the OAM administration console or custom WLST commands for OAM 11g.
During initial WebLogic domain configuration using the Oracle Fusion Middleware Configuration Wizard, the embedded LDAP is configured as the one and only user identity store.
Within the embedded LDAP, the OracleSystemUser (Oracle application software system user) and OracleSystemGroup are created. The Administrators group is also created and "weblogic" is seeded as the default administrator.
After registering the identity store, administrators can reference it in one or more authentication modules that form the basis for authentication schemes. Only the primary user identity store is used for administrator and user authentication.
The other data sources in OAM 11g are:
- OAM 11g system configuration data is stored in a file.
- Security policies are stored within Oracle Database.
- Security keys are stored in a keystore.
- Session data is stored in memory by using Oracle Coherence, and is propagated to Oracle Database.
- Audit data is stored within audit files and can be stored in a separate Oracle Database (not the policy store).

Tasks
1. Launch the WLS admin console, http://<your_host>.us.oracle.com:7001/console, and log in by using weblogic and Welcome1. Click Security Realms under Domain Structure > oam_domain in the left navigator.
2. Click myrealm. Click the Providers tab and notice the three providers: DefaultAuthenticator, DefaultIdentityAsserter, and IDMDomainAgent. More specifically, notice the DefaultAuthenticator, which is the WLS authentication provider. The WLS embedded LDAP store is used to authenticate users to WLS, such as the weblogic user. If you want to change the WLS authentication to a different LDAP store, this is where you create a new LDAP provider (say, for OID or ODSEE, formerly Sun LDAP). If you want to learn more about this, review the OBE at http://www.oracle.com/technology/obe/fusion_middleware/wls103/InstallConfig/wls_authn_sunds/wls_authn_sunds.htm
3. Click the Users and Groups tab. Notice the weblogic seeded user. Click the weblogic user and notice that it is a member of the Administrators group (under the Groups tab). If you want to create a new user to be a WLS admin, that user must be a member of the Administrators group.
4. Launch the OAM admin console, http://<your_host>.us.oracle.com:7001/oamconsole, and log in by using weblogic and Welcome1. Navigate to System Configuration > Data Sources > User Identity Stores > UserIdentityStore1. Double-click the UserIdentityStore1 node. Notice on the right pane that the primary identity store for OAM authentication is set to WLS Embedded LDAP. Since WLS Embedded LDAP is the primary identity store (the Primary check box is selected), OAM is going to authenticate users against the WLS embedded LDAP store.
   Also, notice that in the Role Mapping section, the OAM Administrators role is set to the Administrators group. This means any user who is a member of the Administrators group in WLS embedded LDAP would be an OAM admin; that is, able to log in to the OAM admin console. This is the reason why the weblogic user in WLS embedded LDAP can log in to the OAM admin console.


Practice 4-16: Create a New User in WLS Embedded LDAP as OAM Admin and WLS Admin User
Overview
In this practice, you create a new user in WLS embedded LDAP and log in to the WLS admin console and OAM admin console as that user.

Tasks
1. Go to http://<your_host>.us.oracle.com:7001/console and enter the credentials weblogic and Welcome1 on the login page.
2. In the left pane, go to Security Realms and select myrealm.
3. Go to the Users and Groups tab on top and click New.
4. Add a new user, say wlsuser. Note that the Provider is set to DefaultAuthenticator, which is the WLS embedded LDAP store. Set the password for this user as Welcome1. Confirm the same password. Click OK.
5. Click the wlsuser link, go to the Groups tab for this user, and select the Administrators group for this user by moving it to the right (using the right arrow icon). Click Save. Adding wlsuser to this group now gives him or her the privileges to run the remote registration utility, and also to log in to the OAM admin console and WLS admin console.
6. Verify: Launch the OAM admin console and WLS admin console and try to log in to each of the GUI consoles by using wlsuser and Welcome1.


Practice 4-17: Configure OID as the New Identity Store for OAM
Overview
In this practice, you add a set of users to OID 10g (10.1.4.0.1) and create a new group, oam_admin. Assign a user, Vishal Parashar, as a member of the oam_admin group. Log in to the OAM admin console by using Vishal; it should succeed. Log in to the OAM admin console as David Goldsmith; it should fail because David is not a member of the oam_admin group. However, both Vishal and David should be able to log in to access http://<your_host>.us.oracle.com:7778 because they are OAM authenticated users.

Tasks
1. View the OAM_SampleUsers.ldif file in the d:\labs\lesson04 directory. Notice that at the end it also contains an entry for adding the oam_admin group with Vishal Parashar as a member of the group.
2. Navigate to the d:\osso10g\bin directory on the command line window and run the following command to load the users into OID (when prompted, enter the password for cn=orcladmin as Welcome1):
   ldapadd -h <your_host>.us.oracle.com -p 13060 -D cn=orcladmin -q -f d:\labs\lesson04\OAM_SampleUsers.ldif
3. Validate that the users have been added by using Oracle Directory Manager. Start ODM by using the Windows Start menu option > Programs > Oracle Application Server Infrastructure - oracleas > Integrated Management Tools > Oracle Directory Manager. Click OK on the Directory Server Connection window. Click Add on the Directory Server Name Manager window. In the Directory Server Connection window, specify Server as <your_host>.us.oracle.com and Port as 13060. Click OK twice. On the Oracle Directory Manager Connect window, specify the user as cn=orcladmin with the password as Welcome1.
4. Maximize the ODM window. Under the Entry Management node on the left pane, expand dc=com, dc=oracle, dc=us. All the uploaded users should be under the cn=users node (including Vishal and David) and the oam_admin group should be under the cn=groups node. Click the cn=oam_admin group under the cn=groups node. Notice the value of the uniquemember attribute on the right pane for the oam_admin group; it has Vishal Parashar as the sole member of this group.
5. Log in to the OAM admin console with weblogic and Welcome1 and navigate to the User Identity Store definition node: System Configuration > Data Sources > User Identity Stores. Create a new User Identity Store definition by using the Create icon. Choose the LDAP Provider as OID from the pick list. Specify the rest of the values as shown below:
   Window/Page Description    Choices or Values
   Name                       OID_UserStore
   LDAP URL                   ldap://<your_host>.us.oracle.com:13060
   Principal                  cn=orcladmin
   Credential                 Welcome1
   User Search Base           cn=users,dc=us,dc=oracle,dc=com
   Group Search Base          cn=groups,dc=us,dc=oracle,dc=com
   User Name Attribute        uid
   OAM Administrators Role    oam_admin
   Click Test Connection. Click OK on the Connection Status window with the message, Connection to the User Identity Store successful. Click Apply to save the definition. On the left pane, you should now see OID_UserStore along with the primary UserIdentityStore1 (WLS embedded LDAP).
   Note: Sometimes you may have to refresh the screen to see the update; use the Refresh icon on the left pane menu bar.
   Close the active tab (OID_UserStore) by using the x (close single tab) icon on the top right corner.
6. Change OID_UserStore to the primary user identity store. Double-click the OID_UserStore node on the left pane to see the properties of the definition displayed on the right pane. Click the Set as Primary button on the right pane. Click Apply. A disabled Primary check box should now appear on the Properties page. Edit the properties of UserIdentityStore1 (either by double-clicking or by using the pencil icon) and notice that the Primary check box is now deselected. Click Sign out to exit the OAM admin console.


Practice 4-18: Verify the Need to Configure OID Authenticator


Overview
In this practice, you try to log in to the OAM admin console by using Vishal.Parashar and
Welcome1 (the user in OID who is a member of the oam_admin group). This demonstrates the
need to create an OID authenticator in the WLS admin console.

Tasks
1. Log in to the OAM admin console by using Vishal.Parashar and Welcome1. The IDMDomain agent that protects all the identity management consoles, including the OAM admin console, is unable to authenticate the user Vishal.Parashar in WLS embedded LDAP (Default Authenticator). Hence, authentication fails and there is a hand-off to the native OAM admin console Sign On page, http://<your_host>.us.oracle.com:7001/oamconsole/faces/login.jspx (unlike the Single Sign-On login page, http://<your_host>.us.oracle.com:14100/oam/server/obrareq.cgi). You have configured the user identity store definition in the OAM admin console in the previous practice for OID and set it as the primary identity store; hence, when you sign in by using Vishal.Parashar and Welcome1 on the native login page, you are successfully authenticated and able to log in to the OAM admin console.
   In the next practice, you create a new OID authenticator by using the WLS admin console to make single sign-on to the OAM admin console work again.


Practice 4-19: Create OID Authenticator


Overview
In this practice, you create the OID authenticator provider in the WLS admin console and reorder this provider to be placed above the DefaultAuthenticator (WLS embedded LDAP). Finally, you change the control flag for the OID authenticator to Sufficient, and that of the default authenticator to Sufficient.

Tasks
1. Log in to the WLS console with weblogic and Welcome1. Navigate to oam_domain > Security Realms > myrealm > Providers. Click Lock and Edit in the Change Center section (top left).
2. Click the New button. Specify Name and Type as OIDAuthenticator and OracleInternetDirectoryAuthenticator, respectively. Click OK.
3. Click the OIDAuthenticator link. Set the following properties:
   Step  Window/Page Description                                Choices or Values
   a.    Common > Control Flag                                  Sufficient. Click Save.
   b.    Provider Specific > Host                               <your_windows_host>.us.oracle.com
   c.    Provider Specific > Port                               13060
   d.    Provider Specific > Principal                          cn=orcladmin
   e.    Provider Specific > Credential and Confirm Credential  Welcome1
   f.    Provider Specific > User Base DN                       cn=users,dc=us,dc=oracle,dc=com
   g.    Provider Specific > All Users Filter                   (&(uid=*)(objectclass=person))
   h.    Provider Specific > User From Name Filter              (&(uid=%u)(objectclass=person))
   i.    Provider Specific > User Name Attribute                uid
   j.    Provider Specific > Group Base DN                      cn=groups,dc=us,dc=oracle,dc=com. Click Save.
4. Navigate back to the Providers page (by using the locator link at the top). Click the Reorder button and move OIDAuthenticator above DefaultAuthenticator by using the Up arrow. Click OK.
5. Click the DefaultAuthenticator link. Change the control flag to Sufficient. Click Save.
6. Click Activate Changes in the top left Change Center section.
7. Restart the admin and managed servers (by using the command line or the WLS admin console).


Practice 4-20: Verify the Use of OID as the User Store for OAM
Authentication
Overview
In this practice, you log in to the OAM admin console as a user in OID who is a member of the oam_admin group, Vishal. You try to log in to the WLS admin console as the same user without success (because WLS embedded LDAP is the default authenticator and Vishal is not in the embedded LDAP). Next, you try to log in to http://<your_host>.us.oracle.com:7778 as Vishal and as David with success, because both users are in the OID, even though David is not a member of the oam_admin group.
Also, try to log in to the OAM admin console as the original user, weblogic. This should fail because the weblogic user is not in the OID.

Tasks
1. Launch the OAM admin console. Log in to the console by using Vishal.Parashar and Welcome1. You should have success and be able to see Signed in as Vishal.Parashar on the top right-hand corner.
   Note: You should not see the Redirect to Native Login screen as you saw in the previous practice.
   Click Sign out.
2. Try to log in to the OAM admin console with weblogic and Welcome1. You should be unsuccessful because the weblogic user is not in the OID.
3. Try to log in to the OAM admin console with David.Goldsmith and Welcome1. You should see the Access Denied page. The AuthZ was unsuccessful even though David is in the OID (AuthN user). This is because David is not a member of the oam_admin group.
4. Try to log in to the WLS admin console with Vishal.Parashar and Welcome1. You should see the Authentication Denied message because Vishal is not in the embedded LDAP and WLS's default authenticator is set to WLS embedded LDAP. For Vishal to be able to log in to the WLS admin console successfully, he should not only be in the WLS embedded LDAP store but also be a member of the Administrators group.
5. Clear all cookies and launch http://<your_host>.us.oracle.com:7778 (the welcome-index.html protected via a WebGate 11g). You are redirected to the OAM Login page. Enter Vishal.Parashar and Welcome1. You should have success and be able to see the Oracle Fusion Middleware 11g R1 Welcome page. Close the browser.
   (Note: Always remember to close the browser gracefully or explicitly clear all the cookies.)
6. Launch http://<your_host>.us.oracle.com:7778 again. You are redirected to the OAM Login page. Enter David.Goldsmith and Welcome1. You should have success and be able to see the Oracle Fusion Middleware 11g R1 Welcome page. Even though David is not a member of the oam_admin group, David is a valid authenticated user in OID.
   Note: The OAM admin console requires a user to be a member of the oam_admin group to gain access, and we have not set up any restrictions for the welcome-index.html protected resource on ohs_webgate11g.
   Note: From here on, you should log in to the OAM admin console as Vishal.Parashar and Welcome1.


Practice 4-21: Working with WLS Agent
Overview
In this practice you:

Review WLSAgent provider and bootstrap configuration

Review OOTB IDMDomainAgent policies

Enable and disable WLSAgent to protect the OAM console


Note: WLSAgent and IDMDomainAgent terms are used interchangeably.

Tasks
Review WLSAgent provider and bootstrap configuration:
1. Make sure the admin server is up and running.
2. In your browser, clear cookies. Using Firefox, go to menu > Tools > Clear Recent History.
3. On the browser window, explicitly enter:
http://<your_host>.us.oracle.com:7001/oamconsole.
Note: If using the bookmark, make sure the bookmark URL is
http://<your_host>.us.oracle.com:7001/oamconsole with no string after that. Observe the
redirect URL for the OAM server (port 14100) and notice that the login text says Single
Sign-On. Log in to the OAM admin console as vishal.parashar and Welcome1.
4. Using Firefox, go to menu > Tools > Options > Privacy > Show Cookies > Expand the Site
nodes. Check generated cookies. OAMAuthnCookie (domain cookie) and OAM_ID (server
cookie) should exist (besides OAMSESSIONID cookie). An OAM_ID cookie is produced by
the OAM 11g server and OAMAuthnCookie is a WLSAgent cookie. Click Close followed by
OK.
5. Click Sign out and close the browser gracefully.
6. Open a new browser and log in to the WLS console by using
http://<your_host>.us.oracle.com:7001/console as weblogic/Welcome1. Access the
Security Realm on the left pane > myrealm > Providers tab.
7. Verify that the IDMDomainAgent provider exists, and access it to see its configuration. Notice
that the WLS agent uses an OAMAuthnCookie (on the Common tab).
8. Access the Provider Specific tab and notice the Agent Name (IDMDomainAgent: a seeded
agent which you can view via the OAM admin console) and Primary Access Server
(localhost:5575). 5575 is the proxy server port for the OAM Server (the OAM server port is
14100).
Note: If you change any of these parameters on the Provider definition, it requires a domain
restart (restart admin and managed servers).
9. Close your browser.
Review the default IDMDomainAgent policies:
1. Log in to the OAM admin console.
2. Click Policy Configuration > Application Domains and review the existing policies under the
IDMDomainAgent application domain. Under Resources, notice that
IDMDomainAgent:/oamconsole is one of the resources. Under Authentication Policies >
Protected HigherLevel Policy, you should see IDMDomainAgent:/oamconsole as one of the
resources in the list.
3. Log out of the OAM admin console.

Disable WLSAgent:
By default, WLSAgent is enabled, thereby providing seamless SSO authentication by
using OAM 11g for all IDM deployed applications (Oracle Identity Navigator, Oracle
Adaptive Access Manager, Oracle Identity Manager, Oracle Access Manager and so on). In
this practice, you disable WLSAgent and observe the native login page (rather than the
SSO page) appear when you try to log in to the OAM admin console.
1. Stop AdminServer by using WLS Admin Console > oam_domain > Environment >
Servers > Control Tab > Select the check box next to AdminServer > Shutdown > Force
Shutdown now or just close the command line window from where you started
AdminServer.
2. Right-click My Computer (your_hostname) > Properties > Advanced > Environment
Variables. Under System Variables, click New. Specify WLSAGENT_DISABLED as the
variable name and true as the variable value.
3. Open a new command line window. Make sure the environment variable
WLSAGENT_DISABLED is set to true on the window by entering the following command:
echo %WLSAGENT_DISABLED%
4. Start the admin server by navigating to the directory
d:\middleware\user_projects\domains\oam_domain and then running
startWebLogic.cmd.
5. When the admin server has started, clear the cookies and access the OAM admin console
(http://<your_host>.us.oracle.com:7001/oamconsole).
6. Notice that the login page does not have Single Sign-On in the text, and notice the native login
page in the URL (unlike the SSO URL you observed in earlier practices).
7. Provide credentials (vishal.parashar and Welcome1) and log in.
8. Verify that no OAMAuthnCookie or OAM_ID cookie has been generated by going to Firefox
menu > Tools > Options > Privacy > Show Cookies. Expand the Site node. The only cookie
you should see is the OAMSESSIONID cookie.
9. Re-enable WLSAgent by deleting the environment variable WLSAGENT_DISABLED.
10. Restart the admin server.
11. Clear all cookies and access the admin console. Notice now that the SSO login page (on
14100) appears as expected (and not the native login page on 7001).


Practice 4-22: Mode of Communication: WebGate and OAM 11g Server - Setting Server Mode to Simple
Overview
OAM Security Modes: Secure communication on the NAP channel also requires that each OAM
server and each WebGate agent use the same security mode, either:
Open: Un-encrypted communication
In Open mode, there is no authentication or encryption between the WebGate and OAM server.
The WebGate does not ask for proof of the OAM server's identity and the OAM server accepts
connections from all WebGates. Use Open mode if communication security is not an issue in
your deployment.
Simple: Encrypted communication through the Secure Sockets Layer (SSL) protocol with a
public key certificate issued by Oracle
Use Simple mode if you have some security concerns, such as not wanting to transmit
passwords as plain text, but you do not manage your own Certificate Authority (CA). In this
case, OAM 11g servers and WebGates use the same certificates, issued and signed by Oracle
CA (self-signed cert).
Cert: Encrypted communication through SSL with a public key certificate issued by a trusted
third-party certificate authority
Use Cert mode if you want different certificates on OAM 11g servers and WebGates and you
have access to a trusted third-party CA. In this mode, you must encrypt the private key by using
the DES algorithm. Oracle Access Manager components use X.509 digital certificates in PEM
format only. PEM refers to Privacy Enhanced Mail, which requires a passphrase. The PEM
(Privacy Enhanced Mail) format is preferred for private keys, digital certificates, and trusted
certificate authorities (CAs). The preferred keystore format is the JKS (Java Keystore) format.
In cryptography, a public key is a value provided by a designated authority to be used as an
encryption key. The system for using public keys is called a public key infrastructure (PKI). As
part of a public key infrastructure, a certificate authority (CA) checks with a registration authority
(RA) to verify information provided by the requestor of a digital certificate. When the RA verifies
the requestor's information, the CA can issue a certificate.
Each public key has a corresponding private key. Using public and private key pairs in this way
is known as asymmetric cryptography, which can be used to encrypt messages and to produce
digital signatures.
Depending on the public key infrastructure, the digital certificate establishes credentials for
Web-based transactions based on:

Certificate owner's name

Certificate serial number

Certificate expiration date

A copy of the certificate holder's public key, which is used to encrypt messages and
digital signatures

The digital signature of the certificate-issuing authority is provided so that a recipient can
verify that the certificate is real
Digital certificates can be stored in a registry from which authenticating users can look up the
public keys of other users.


For Simple mode encryption, Oracle Access Manager ships a certificate authority with its own
private key, which is installed across all WebGates and OAM servers. For each public key, there
is a corresponding private key that Oracle Access Manager stores in the aaa_key.pem file.
A program named openSSL in the \tools subdirectory automatically generates the key pair
and the following files for Simple mode security:
cacert.pem: the certificate request, signed by the Oracle-provided openSSL Certificate
Authority.

password.xml: contains the random global passphrase that was designated during
installation, in obfuscated format. This is used to prevent other customers from using the
same CA. Oracle Access Manager performs an additional password check during the
initial handshake between the OAM agent and OAM server.

aaa_key.pem: contains your private key (generated by openSSL).

aaa_cert.pem: signed certificates in PEM format.

The transport security communication mode is chosen during OAM installation. The installer
generates a random global passphrase initially, which can be edited as required later.
When you register an OAM agent or a new OAM server, you can specify the mode. However,
changing the global passphrase requires that you reconfigure all agents to use Simple mode
and the new global passphrase.

Tasks
1. Log in to the OAM admin console with vishal.parashar and Welcome1. Navigate to
System Configuration > Agents > 11g WebGates > OAM11g_Webgate. Edit
OAM11g_webgate and notice that the mode of communication (security) is set to Open.
The mode of communication at install time was set to Open; hence you need to edit the
agent registration through the OAM admin console and change the security mode (you will
perform this in the next practice).
2. Expand the Server Instances node and edit the properties of oam_server1. On the Proxy
tab, change the mode from Open to Simple for the OAM Server oam_server1. Click Apply
and then click Yes on the Confirm Edit window.
3. On the browser window, open a new tab. Enter http://<your_host>.us.oracle.com:7778.
Notice the error Oracle Access Manager Operation Error. Check the
oam_server1-diagnostic.log file under
d:\middleware\user_projects\domains\oam_domain\servers\oam_server1\logs.
Notice the log message (near the end of the file):
Channel unsecure. Details: Channel Mode: open Minimum Server
Mode: simple Agent Id: OAM11G_webgate] Channel security mode is
different as specified in configuration Channel unsecure.

Double-click the Server Instances node and the OAM Common Server Properties pane appears
on the right. Click the OAM Proxy tab.
Under Simple Mode Configuration there is the property Global passphrase.
The installer generates a random global passphrase initially, and this can be edited as required
by you later. However, please note that changing the global passphrase requires re-registration
of all existing agents running in Simple mode.


Practice 4-23: Mode of Communication: WebGate and OAM 11g Server - Setting OAM 11g WebGate Mode to Simple
Overview
In this practice, you set the mode of communication for oam11g_webgate to Simple by editing
the registered OAM 11g WebGate with the OAM 11g server. Hence, by the end of this practice,
both server and WebGate will be running in Simple mode.

Tasks
1. Note that the d:\middleware\user_projects\domains\oam_domain\output\OAM11g_WebGate
folder does not yet exist (because the OAM 11g WebGate was registered by using the rreg tool
rather than by using the OAM admin console).
2. Log in to the OAM admin console by using vishal.parashar and Welcome1. Navigate
to System Configuration > Agents > 11g WebGates > OAM11g_Webgate. Edit the agent by
using the pencil icon on the menu bar.
3. Enter the details as shown below:
Window/Page Description    Choices or Values
Security                   Simple
Click Apply.
4. Observe the extra files (compared to when you registered the WebGate 11g agent in Open
mode) aaa_cert.pem, aaa_key.pem and password.xml that are created along with
cwallet.sso and ObAccessClient.xml in the
d:\middleware\user_projects\domains\oam_domain\output\oam11g_webgate folder.
5. Copy the ObAccessClient.xml, cwallet.sso and password.xml files from the
d:\middleware\user_projects\domains\oam_domain\output\oam11g_webgate folder to
d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config
(replacing ObAccessClient.xml and cwallet.sso).
6. Copy aaa_cert.pem and aaa_key.pem from the
d:\middleware\user_projects\domains\oam_domain\output\oam11g_webgate folder to the
d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config\simple
folder.
Note: The PEM files need to be copied under the simple directory of the config folder.


Practice 4-24: Restart the OHS Instance and Verify the Results
Overview
In this practice, you restart the Web server (OHS) for the changes you made in Step 5 of the
previous practice to take effect. Then you validate the result of changing the mode of
communication between the WebGate and the OAM 11g server by trying to get to the Welcome
page for the OHS server: http://<your_host>.us.oracle.com:7778
(Note: In practice 4-22, Step 3, you received an error due to mode incompatibility).

Tasks
1. On the command line window, navigate to
d:\middleware\ohs_home\instances\ohs_webgate11g\bin. Restart the OHS
instance using the following commands:
opmnctl stopall
opmnctl startall
2. Clear all browser cookies. Now you verify whether the Simple mode of communication is
configured successfully by accessing the protected URL http://<your_host>.us.oracle.com:7778.
Enter the URL http://<your_host>.us.oracle.com:7778 and press Enter.
3. You should be redirected to the OAM SSO login page.
4. Enter vishal.parashar and Welcome1 for user ID and password.
5. Click Login. The OHS Welcome page should be displayed.


Practice 4-25: Change Server Mode to Open and Test WebGate Communication
Overview
In this practice, you switch the OAM 11g server mode back to Open and test if you can continue
to access the Welcome page application, showcasing the fact that a WebGate in Simple mode
(or even Cert mode) can talk to a server in Open mode.
The prerequisite for configuring the agent security mode is that at least one OAM server
instance should be running in the specified agent security mode; otherwise, the registration will
fail. Therefore, at the time of registration, it is important to have mode compatibility between the
agent mode and one of the OAM server instance modes (if there is only one OAM server, then
both must be in the same mode). However, after the WebGate registration is complete, the
OAM server mode can be changed. The communication between agent and server continues
to work as long as the WebGate mode is at least at the same level as the server mode
(it can be higher but cannot be lower). For example, if the server mode is Open, agents can
communicate with the server in Open, Simple, or Cert mode. If the server mode is Simple,
agents can communicate with the server in Simple or Cert mode. If the server mode is Cert,
agents can communicate with the server in Cert mode only. You will showcase this by changing
the server mode back to Open and making sure that WebGates in Simple mode can continue to
communicate with the server in Open mode.
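The mode-ordering rule described above and the Channel unsecure message from Practice 4-22, as an added Python example that is not part of the activity guide: it ranks Open < Simple < Cert, parses the diagnostic line into its fields and reports which side to change. The sample log line and its timestamp prefix are constructed; the native-login rule for the WLS agent reflects the Bug 9467206 limitation stated on this page.

```python
"""Added example (not from the Oracle activity guide): checks WebGate / OAM 11g
server security-mode compatibility on the NAP channel and parses the
"Channel unsecure" diagnostic message quoted in Practice 4-22."""
import re

# Ordering from the guide: Open < Simple < Cert. An agent may run at the
# server's level or higher, never lower.
MODE_RANK = {"open": 0, "simple": 1, "cert": 2}


def agent_can_talk(agent_mode, server_mode):
    """True when the agent mode is at least as strong as the server mode."""
    return MODE_RANK[agent_mode.lower()] >= MODE_RANK[server_mode.lower()]


def compatibility_matrix():
    """Server mode -> agent modes (weakest first) that can still communicate."""
    return {
        server: sorted((a for a in MODE_RANK if agent_can_talk(a, server)),
                       key=MODE_RANK.get)
        for server in MODE_RANK
    }


def console_login_page(server_mode):
    """Login page shown for /oamconsole given the OAM server mode.

    The WLS agent (IDMDomainAgent) supports Open mode only (Bug 9467206 in
    the guide), so any other server mode drops the console to native login."""
    return "sso" if server_mode.lower() == "open" else "native"


# Shape of the message in oam_server1-diagnostic.log quoted in Practice 4-22.
CHANNEL_RE = re.compile(
    r"Channel Mode:\s*(?P<channel>\w+)\s+"
    r"Minimum Server\s+Mode:\s*(?P<minimum>\w+)\s+"
    r"Agent Id:\s*(?P<agent>[\w\-]+)"
)


def parse_channel_unsecure(line):
    """Extract channel mode, minimum server mode and agent id, or None."""
    m = CHANNEL_RE.search(line)
    if m is None:
        return None
    return {
        "agent_id": m.group("agent"),
        "channel_mode": m.group("channel").lower(),
        "minimum_server_mode": m.group("minimum").lower(),
    }


def diagnose(log_lines):
    """Return one finding per 'Channel unsecure' line with the fix to apply."""
    findings = []
    for line in log_lines:
        info = parse_channel_unsecure(line)
        if info is None:
            continue
        ok = agent_can_talk(info["channel_mode"], info["minimum_server_mode"])
        if ok:
            action = ("modes are compatible; check the global passphrase and "
                      "the agent registration instead")
        else:
            action = ("raise agent %s to %s mode (edit its registration in the "
                      "OAM admin console, then copy the new artifacts) or "
                      "lower the server to %s"
                      % (info["agent_id"], info["minimum_server_mode"],
                         info["channel_mode"]))
        findings.append({**info, "compatible": ok, "action": action})
    return findings


# Constructed sample, modelled on the log message quoted in the guide (the
# guide shows it wrapped over several lines; here it is one line each).
SAMPLE_LOG = [
    "[2011-07-01T10:00:00.000-07:00] [oam_server1] [ERROR] Channel unsecure. "
    "Details: Channel Mode: open Minimum Server Mode: simple "
    "Agent Id: OAM11G_webgate] Channel security mode is different as "
    "specified in configuration Channel unsecure.",
    "[2011-07-01T10:00:01.000-07:00] [oam_server1] [NOTIFICATION] "
    "Server started.",
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
    print(compatibility_matrix())
```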

Tasks
1. Log in to the OAM admin console. Notice that you see the OAM native authentication page
(as opposed to the SSO page). This is due to a known limitation of the WLS agent (Bug 9467206:
WLS agent does not support Simple or Cert mode**). Navigate to System Configuration >
Server Instances > oam_server1. Edit the properties and change the Mode to Open on
the Proxy tab. Click Apply. On the Confirm Edit window, click Yes.
2. Restart the admin and managed servers.
3. Open a new browser (clear cookies and cache: go to Tools > Clear Recent History) and
verify that, with the WebGate running in Simple mode of communication and the server running
in Open mode, you are able to access the protected URL
http://<your_host>.us.oracle.com:7778. Enter the URL http://<your_host>.us.oracle.com:7778
and press Enter.
4. You should be redirected to the OAM SSO login page.
5. Enter vishal.parashar and Welcome1 for user ID and password.
6. Click Login. The OHS Welcome page should be displayed.
7. Also, validate that the login page for the OAM admin console is now the SSO login page (as
opposed to the native login page) by launching your browser and entering
http://<your_host>.us.oracle.com:7001/oamconsole.
Note: At the end of all the labs for this course, there is a lab exercise on enabling CERT mode
communication between a WebGate and an OAM 11g server. This is a key requirement in a
production environment. You will perform Practice 4 (Advanced), on Friday. This practice covers
how to secure WebGate and OAM server traffic by using SSL certificates.


Note: ** Possible workarounds for this issue are as follows:
a) Continue to use the native login page for the OAM console. Or,
b) Protect the OAM console by using WebGate 11g (the port for oamconsole will change
from 7001 to the OHS port where the WebGate is deployed; for example, 7778 for WebGate
11g). However, the one concern here is that the availability of the OAM console then
becomes dependent on the availability of the WebGate.


Practices for Lesson 5


Chapter 5


Practices for Lesson 5


Practices Overview
In these practices, you deploy two different applications: My Bank and Example Bakery. You
deploy the first onto WLS as a WAR file, whereas you deploy the second directly to the Web
server (OHS instance).
Next you create policies (AuthN and AuthZ rules) to protect various resources within these two
applications.
Three important notes:
1. Any time you get unexpected results during this lesson's practices, it is a good idea to close all
browser windows (using File > Exit; do not use the X icon to exit) and then relaunch a new
Firefox browser. Also, clear all the cookies explicitly by going to the Firefox browser's Tools >
Clear Recent History > Clear Now (make sure Time range to clear is set to Everything and at
least Cookies, Cache, and Active Logins are selected).
2. My Bank is a dummy application. Not all links of this application are working or enabled.
Please follow the exact instructions as specified in the lab steps to achieve the results for the
labs.
3. Any time you want to observe the request flow, redirects, cookies, headers and so on,
you can use the Live HTTP Headers add-on for the Firefox browser, which has been pre-installed.
Go to Tools > Live HTTP Headers. Do not close the Live HTTP Headers window; keep it
minimized to observe the variables and monitor the request flow. This is a free add-on to
Firefox.
Here is a quick recap of what you learned in Lesson 5:
In OAM 11g, the default behavior is to deny access when a resource is not protected by a policy
that explicitly allows access. The OAM 10g default behavior allowed access when a
resource was not protected by a rule or policy that explicitly denied access. This limited the
number of WebGate queries to the access server with OAM 10g. The Oracle Access
Manager 11g policy model enables you to control who can access resources when you
define an application domain that is used to discriminate between authenticated users who
are authorized to access a particular resource and those who are not authorized for access
to a particular resource.
An application domain logically groups resources and security policies in a flexible way.
Each application domain can be made to contain policy elements related to an entire
application deployment, a particular tier of the deployment, or a single host. Application
domains do not have any hierarchical relationship to one another. Each application domain
references an existing host identifier and an existing authentication scheme. Within the
application domain, specific resources are identified as well as the security policies that
govern each resource. Authentication and authorization policies include administrator-configured
responses that insert information into either a header or a session cookie.
Authorization policies include administrator-configured constraints that define who gets
access. Each application domain must have a unique name (a brief description is optional).
Each domain is seeded with a resource container and policy containers where
administrators can define resources and security policies.
Resources represent a document, or entity, or pieces of content stored on a server and
available for access by a large audience. Clients communicate with the server and request
the resource by using a particular protocol (HTTP or HTTPS, for example) that is defined by
an existing resource type.
Authentication is the process of proving that a user is who he or she claims to be. To
authenticate a user, Oracle Access Manager presents the user's browser with a request for
authentication credentials in the form of a challenge. The challenge is referred to as a
challenge method.
Authorization is the process of determining if a user has a right to access a requested
resource. Administrators can create one or more authorization policies to specify the
conditions under which a subject or identity has access to a resource. A user might want to
see data or run an application program protected by a policy. The requested resource must
belong to an application domain and be covered within that domain by a specific
authorization policy.
Responses: Administrator-defined policy responses declare optional actions to be taken in
addition to the above. Policy responses provide the ability to insert information into a
session and pull it back out at any later point. This is more robust and flexible than OAM
10g, which provided data passage to (and between) applications by redirecting to URLs in a
specific sequence.
Constraints: An authorization constraint is a rule that grants or denies access to a particular
resource based on the context of the request for that resource. Authorization constraints
define the obligations (requirements) that must be fulfilled before responding to a client's
request. Evaluation of constraints determines if the authorization policy applies to the
incoming request. The appropriate obligations take effect after successful authentication.


Practice 5-1: Deploy the My Bank Application
Overview
In this practice, you deploy mybank.war to a WLS admin server.
Note: Even though you deploy the application to the admin server in this lab due to memory and
resource constraints, in a real-world production environment it is always a good practice to
deploy your applications on a user-defined managed server.
Note: The My Bank application is a simple WAR; that is, it does not use the J2EE security model
(use of OPSS: Oracle Platform Security Services).
If you want to learn how to configure OAM 11g to work with J2EE applications with J2EE
security built into the application, refer to
http://download.oracle.com/docs/cd/E14571_01/core.1111/e10043/osso.htm#BABJJFAI
(Chapter 9, Configuring Single Sign-On in Oracle Fusion Middleware). Chapter 9 is part of
Oracle Fusion Middleware Application Security Guide 11g Release 1 (11.1.1), Part Number
E10043-06.
Discussion of OPSS, the J2EE security model and their integration with OAM 11g is beyond the
scope of this course.

Tasks
1. Navigate to d:\Labs\Lesson05 and open and extract the contents of mybank.war by
using WinZip (Right-click > Open > Select Program - choose WinZip > Extract) into the
d:\labs\lesson05\mybank directory. Observe the files; namely main_page.jsp and
testheaders.jsp.
Note: The main_page.jsp includes a check to see if OAM_REMOTE_USER is null and, if
found null, it redirects to login.jsp. The testheaders.jsp displays all cookies
and headers available.
2. Log in to the WLS admin console http://<your_host>.us.oracle.com:7001/console with
weblogic and Welcome1.
3. Click Deployments under oam_domain in the domain structure. Click Lock and Edit
under the Change Center section in the top-left corner. Click the Install button that has now
become enabled.
4. Navigate to the path d:\labs\lesson05\mybank. Select mybank (open directory). Click
Next.
Note: Here, you are deploying an exploded WAR directory rather than a .war file. This allows
you to update the deployed files dynamically without having to redeploy manually to WLS.
5. Ensure Install this deployment as an application is selected. Click Next.
6. Select the admin server as the deployment target for the mybank application. Click
Next.
7. Ensure mybank is the name of the application
(Note: Lowercase). Scroll down. Select I will make the deployment accessible from the
following location. Click Next.
8. Click Finish.
9. Click the Activate Changes button, under the Change Center section.
10. On the deployments page (oam_domain > Deployments), find the mybank application
(Click Next to get to the next page). Note that the State of the application is Prepared.
Select the check box next to the mybank application and click Start > Servicing all
requests. On the Start Application Assistant page, click Yes. Now the state of the
application should change from Prepared to Active.
11. Now, with another instance of Firefox browser, enter
http://<your_host>.us.oracle.com:7001/mybank The login page is displayed.
Note: Observe the web.xml under the mybank/WEB-INF folder. You will observe that the
main_page.jsp is set as the Welcome page. The main_page.jsp includes a
header.jsp from the includes folder. This JSP, along with other functions, checks for
the OAM_REMOTE_USER being null. If null, it redirects to the login.jsp page.


Practice 5-2: Configure Single Sign-On for mybank Application
Overview
Setting up single sign-on to mybank involves integrating the OHS and WebLogic Servers,
since the requests need to be forwarded to the mybank application deployed on WebLogic
Server from the OHS.
This is achieved by modifying the mod_wl_ohs.conf under the config directory of the
OHS 11g instance.
Task
1. Navigate to the
D:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1
directory and edit and update the mod_wl_ohs.conf file as shown below:
<IfModule weblogic_module>
WebLogicHost <your_host>.us.oracle.com
WebLogicPort 7001
#Debug ON
#WLLogFile /tmp/weblogic/log
MatchExpression *.jsp
</IfModule>
<Location /mybank>
SetHandler weblogic-handler
#PathTrim /weblogic
#ErrorPage http:/WEBLOGIC_HOME:WEBLOGIC_PORT/
</Location>
Save the changes.


2. Restart the OHS for the changes to take effect. From the command line, navigate to
D:\middleware\ohs_home\instances\ohs_webgate11g\bin and issue the
following commands:
opmnctl stopall
opmnctl startall
3. Open the Firefox browser and enter http://<your_host>.us.oracle.com:7778/mybank. You
will be redirected to the SSO page. Enter the credentials vishal.parashar and
Welcome1. Click Login. You should see the main_page.jsp.
Note: Now the OAM_REMOTE_USER is not null; hence the ID Vishal.Parashar is
displayed next to the Sign Off link.
4. Type http://<your_host>.us.oracle.com:7778/mybank/testheaders.jsp. Observe all the
contents on this page. Keep an eye on the OAM_REMOTE_USER and the cookie values.


Practice 5-3: Managing Resources
Overview
Resources represent a document, or entity, or pieces of content stored on a server and
available for access by a large audience. Clients communicate with the server and request the
resource by using a particular protocol (HTTP or HTTPS, for example) that is defined by an
existing resource type.
You now configure a resource /mybank/testheaders.jsp and use it in the later practices.

Task
1. Using the Firefox browser, go to the http://<your_host>.us.oracle.com:7001/oamconsole.
Log in by using the credentials vishal.parashar and Welcome1.
2. Navigate to Application Domains > OAM11g_WebGate > Resources. Click the Create icon.
3. Enter the following values:
Step   Window/Page Description   Choices or Values
a.     Type                      HTTP
b.     Host Identifier           OAM11gHostId
c.     Resource URL              /mybank/testheaders.jsp
4. Click Apply.


Practice 5-4: Managing Authentication Policies
Overview
Authentication is the process of proving that a user is who he or she claims to be. To
authenticate a user, Oracle Access Manager presents the user's browser with a request for
authentication credentials in the form of a challenge. The challenge is referred to as a challenge
method.
This exercise modifies an existing authentication policy and adds the resource
OAM11gHostId:/mybank/testheaders.jsp to it.

Tasks
1. Navigate to Application Domains > OAM11g_WebGate > Authentication Policies >
Protected Resource Policy. Click the Edit icon.
Note: Observe that the authentication scheme is set to LDAPScheme. You can add a new
authentication policy, but for now, use an existing policy and add the new resource.
2. On the right pane, under the Resources tab, click the + (add) icon. From the drop-down
menu, select OAM11gHostId:/mybank/testheaders.jsp.
3. Click Apply.


Practice 5-5: Managing Authorization Policies
Overview
Authorization is the process of determining if a user has a right to access a requested resource.
This exercise creates a new authorization policy, Admin_Resource_Policy, and adds the resource
URL OAM11gHostId:/mybank/testheaders.jsp to it, so that this policy can be evaluated
separately from the other policies.

Tasks
1. Navigate to Application Domains > OAM11g_WebGate > Authorization Policies. Click the
Create icon.
2. Enter the following values:
Original Value   Replace With
Name             Admin_Resource_Policy
Resources        OAM11gHostId:/mybank/testheaders.jsp
Click Apply.


Practice 5-6: Managing Authentication and Authorization Responses:
Headers and Cookies

Overview
Responses declare optional, additional actions to be taken (hence their OAM 10g name,
Actions). In OAM 11g, responses are much more declarative and powerful, and can support
things that used to require custom AuthZ plug-ins.
A response consists of two inputs, a type and an expression, and a single output, the value.
The response type denotes the form of action to be taken with the value string. For the OAM 11g
R1 BP01 release (11.1.1.3.1), three types are included:
Cookie: set an HTTP cookie whose value is the value string
Header: set an HTTP request header using the value
Session: set an attribute on the user's session using the value

Tasks
1. Navigate to Application Domains > OAM11g_WebGate > Authorization Policies >
   Admin_Resource_Policy. Click the Edit icon. Click the Responses tab. Click the + (add)
   icon.
2. Enter the following values:
   Name                Type     Value
   OAM_Cookie_Simple   Cookie   SimpleCookie
   OAM_Header_Simple   Header   SimpleHeader
   Click Apply.
3. Using the Firefox browser, enter http://<your_host>.us.oracle.com:7778/mybank. Log in
   by using the credentials vishal.parashar and Welcome1 (if not already logged in or if
   the session has expired). Now type in the URL
   http://<your_host>.us.oracle.com:7778/mybank/testheaders.jsp. Observe the header
   OAM_HEADER_SIMPLE with the value SimpleHeader.
4. To view the cookie, refresh the page, because the cookie is displayed only after it has been
   set in the browser. On the first request, the cookie is sent as an HTTP header by the Web
   server to the Web browser; the browser then sends it back unchanged on every later request
   to that server, so the second refresh displays the cookie OAM_Cookie_Simple with the
   value SimpleCookie.
5. Log in to the OAM admin console by using vishal.parashar and Welcome1 and
   navigate to Application Domains > OAM11g_WebGate > Authorization Policies >
   Admin_Resource_Policy. Click the Edit icon. Click the Responses tab. Click the + (add)
   icon.
6. Enter the following values:
   Name                  Type     Value
   OAM_Header_Advanced   Header   User $user.attr.uid from $request.client_ip used agent $request.agent_id
   Note: $ signifies a variable.
   $user.attr.uid is a keyword that retrieves the UID of the user from the primary identity
   store (OID) that is configured for this domain.
   $request.client_ip is a keyword that retrieves the IP address of the requesting client.
   $request.agent_id is a keyword that retrieves the agent_id of the agent protecting this domain.
7. Click Apply.
8. Refresh the browser with the testheaders.jsp page,
   http://<your_host>.us.oracle.com:7778/mybank/testheaders.jsp (you may have to reauthenticate if the session has timed out).
9. Observe the header name OAM_HEADER_ADVANCED with the value:
   User Vishal.Parashar from <your_host_ip_address> used agent OAM11g_WebGate


Practice 5-7: Managing Authentication and Authorization Responses:
Session Variables

Overview
Policy responses provide the ability to insert information into a session and pull it back at
any later point. This is more robust and flexible than OAM 10g, which passed data to (and
between) applications by redirecting to URLs in a specific sequence.
You now create a session response in the authentication policy, then retrieve that session
variable and use it in an HTTP header response in the authorization policy.

Tasks
1. Log in to Oracle Directory Manager to view user information about vishal.parashar in
   OID. Go to Start > Programs > Oracle Application Server Infrastructure oracleas >
   Integrated Management Tools > Oracle Directory Manager. Log in by using
   cn=orcladmin and Welcome1 (ensure the server is <your_host>.us.oracle.com and the port
   is 13060).
2. Navigate to Entry Management > dc=com > dc=oracle > dc=us > cn=Users >
   uid=vishal.parashar. Scroll down in the right-hand pane and observe that the title of
   vishal.parashar is Administrator.
3. From the OAM admin console window, click Policy Configuration > Application Domains
   > OAM11g_WebGate > Authentication Policies > Protected Resource Policy.
4. Click the Responses tab (you will create a session response in the authentication policy
   and use this session variable in the authorization policies).
5. Click the Add (+) Record icon. Enter the following values:
   Name          Type      Value
   OAM_SESSION   Session   User $user.attr.uid has title $user.attr.title
   Click Apply.
6. Navigate to Application Domains > OAM11g_WebGate > Authorization Policies >
   Admin_Resource_Policy. Click the Edit (pencil) icon.
7. Click the Responses tab. Click the Add Record (+) icon. Enter the following values:
   Name                      Type     Value
   OAM_HEADER_WITH_SESSION   Header   $session.attr.OAM_SESSION has policy $request.policy_name matched in domain $request.policy_appdomain from URL $request.res_url
   Click Apply.


   Note: $session.attr.OAM_SESSION is the session variable created in step 5: "User
   vishal.parashar has title Administrator".
   $request.policy_name is the policy for this response: Admin_Resource_Policy.
   $request.policy_appdomain is the application domain of this policy/response: OAM11g_WebGate.
   $request.res_url is the resource URL: /mybank/testheaders.jsp.
8. Refresh the testheaders.jsp page to check the headers (you may have to reauthenticate with vishal.parashar and Welcome1 if the session has timed out).
9. Observe OAM_HEADER_WITH_SESSION. If you do not get a value for
   OAM_HEADER_WITH_SESSION, or you get a NOT_FOUND value, close all browsers
   gracefully. Launch a new Firefox browser window and enter
   http://<your_host>.us.oracle.com:7778/mybank. Log in by using vishal.parashar and
   Welcome1. Then type in http://<your_host>.us.oracle.com:7778/mybank/testheaders.jsp.
   Now observe the OAM_HEADER_WITH_SESSION value.
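The variable substitution that Practices 5-6 and 5-7 rely on, modelled as an added Python example (not code from this guide or from Oracle Access Manager): it expands the $user.attr.*, $request.* and $session.attr.* variables used above (and the ${...} spelling used later in Practice 5-13) against a constructed context, applies the authentication policy's Session response before the authorization policy's Header responses, and reproduces the NOT_FOUND value that step 9 warns about when that session variable was never set. The context values (uid, title, client IP, policy and domain names) are constructed sample data, and the lookup rules are a simplification of the server's own evaluation.

```python
import re
from typing import Dict, List, Tuple

# Value shown when a referenced attribute or session variable is absent; the
# troubleshooting note in step 9 of Practice 5-7 mentions seeing NOT_FOUND.
NOT_FOUND = "NOT_FOUND"

# Both spellings used in the lab: $user.attr.uid / $request.client_ip (5-6, 5-7)
# and ${user.attr.mail} / ${request.res_url} (5-13).
TOKEN = re.compile(
    r"\$(?:\{(?P<braced>[^}]+)\}"
    r"|(?P<plain>(?:user\.attr|session\.attr|request)\.[A-Za-z0-9_]+))"
)

Context = Dict[str, Dict[str, str]]
Response = Tuple[str, str, str]  # (name, type, expression), as in the lab tables


def sample_context() -> Context:
    """Constructed stand-in for what the server knows at evaluation time (not
    real lab data): identity-store attributes, request metadata and the
    session attribute bag, which starts empty."""
    return {
        "user": {"uid": "vishal.parashar", "title": "Administrator"},
        "request": {
            "client_ip": "10.0.0.5",  # constructed placeholder address
            "agent_id": "OAM11g_WebGate",
            "policy_name": "Admin_Resource_Policy",
            "policy_appdomain": "OAM11g_WebGate",
            "res_url": "/mybank/testheaders.jsp",
        },
        "session": {},
    }


def resolve(path: str, ctx: Context) -> str:
    """user.attr.X and session.attr.X read the named bag, request.X reads the
    request metadata; anything unknown resolves to NOT_FOUND (simplified rule)."""
    parts = path.split(".")
    if len(parts) == 3 and parts[0] in ("user", "session") and parts[1] == "attr":
        return ctx[parts[0]].get(parts[2], NOT_FOUND)
    if len(parts) == 2 and parts[0] == "request":
        return ctx["request"].get(parts[1], NOT_FOUND)
    return NOT_FOUND


def expand(expression: str, ctx: Context) -> str:
    """Substitute every $... or ${...} token in a response value expression."""
    return TOKEN.sub(
        lambda m: resolve(m.group("braced") or m.group("plain"), ctx), expression
    )


def apply_responses(responses: List[Response], ctx: Context) -> Dict[str, Dict[str, str]]:
    """Evaluate responses in order. Session responses write into the session bag
    so later responses can read them back; Header and Cookie values are
    collected for the WebGate to set on the request or in the browser."""
    out: Dict[str, Dict[str, str]] = {"headers": {}, "cookies": {}}
    for name, rtype, expr in responses:
        value = expand(expr, ctx)
        if rtype == "Session":
            ctx["session"][name] = value
        elif rtype == "Header":
            out["headers"][name] = value
        elif rtype == "Cookie":
            out["cookies"][name] = value
        else:
            raise ValueError(f"unknown response type {rtype!r}")
    return out


# The responses defined in Practices 5-6 and 5-7: the authentication policy
# stores a session variable; the authorization policy reads it back.
AUTHN_RESPONSES: List[Response] = [
    ("OAM_SESSION", "Session", "User $user.attr.uid has title $user.attr.title"),
]
AUTHZ_RESPONSES: List[Response] = [
    ("OAM_Header_Advanced", "Header",
     "User $user.attr.uid from $request.client_ip used agent $request.agent_id"),
    ("OAM_HEADER_WITH_SESSION", "Header",
     "$session.attr.OAM_SESSION has policy $request.policy_name matched in domain "
     "$request.policy_appdomain from URL $request.res_url"),
]


def authz_headers(with_authn: bool = True) -> Dict[str, str]:
    """Headers the authorization policy produces; pass with_authn=False to
    reproduce the NOT_FOUND symptom seen when the session variable was never set."""
    ctx = sample_context()
    if with_authn:
        apply_responses(AUTHN_RESPONSES, ctx)
    return apply_responses(AUTHZ_RESPONSES, ctx)["headers"]


if __name__ == "__main__":
    for name, value in authz_headers().items():
        print(f"{name}: {value}")
    print("without the AuthN session response:",
          authz_headers(with_authn=False)["OAM_HEADER_WITH_SESSION"])
```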


Practice 5-8: Managing Constraints


Overview
An authorization constraint is a rule that grants or denies access to a particular resource based
on the context of the request for that resource.
Authorization constraints define the obligations (requirements) that must be fulfilled before
responding to a client's request. Evaluation of constraints determines if the authorization policy
applies to the incoming request. The appropriate obligations take effect after successful
authentication.
Administrators must define the constraints that apply to the resources assigned to the
authorization policy.
In this practice, you create a couple of constraints and use them during the evaluation of
mybank/testheaders.jsp.

Tasks
1. Log in to the OAM admin console (http://<your_host>.us.oracle.com:7001/oamconsole) by
   using vishal.parashar and Welcome1.
2. Navigate to Policy Configuration > Application Domains > OAM11g_WebGate >
   Authorization Policies > Admin_Resource_Policy. Click the Edit icon. Click the Constraints
   tab. Click the Add (+) icon. Enter the following values:
   Name    Admin_Check
   Class   Identity
   Type    Allow
   Click Add Selected. Click Apply.
3. Click the row with the above details. Constraint details are shown in the bottom pane. Click
   the Add (+) icon in the Constraint Details section to select the oam_admin group. Ensure that
   Type is set to Allow.
   Note: Type Allow is a radio button above the entry for the oam_admin group.
4. Click the Save button in the Constraint Details section. Click Apply in the top section.

5. Note: Close the current tab. Reopen the Admin_Resource_Policy (AuthZ policy). Make
   sure you can view the constraint. If you cannot, recreate the constraint. Add a dummy
   response in the Responses tab and click Apply. Close the tab. Reopen the AuthZ policy
   Admin_Resource_Policy. Make sure you can view the constraint. Delete the dummy
   response. Click Apply.
6. Close all browser windows gracefully. Reopen a Firefox browser and enter
   http://<your_host>.us.oracle.com:7778/mybank. Log in as David.Goldsmith, who is not
   an administrator. You should be able to log in and view the main page.
7. Now type http://<your_host>.us.oracle.com:7778/mybank/testheaders.jsp and press Enter.
   You should be denied access.


Practice 5-9: Deploy Bakery Application


Overview
In this practice, you deploy a bakery application on the OHS instance (ohs_webgate11g) and,
in the subsequent labs, you try to protect this application by using the OAM 11g server.

Tasks
1. Copy and paste the example folder from d:\labs\lesson05 to
   d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\htdocs.
2. Close all browsers. Open a new browser and enter
   http://<your_host>.us.oracle.com:7778/example. You should be redirected to a single
   sign-on login page. Enter the credentials vishal.parashar and Welcome1 and click
   Login. You should see the welcome-index.html page of the bakery application.
   Note: The reason you see the login page is that you have an OAM 11g WebGate deployed
   on the ohs_webgate11g instance, with the application domain and a protected resource
   policy created.
3. Explore the application domain, OAM11g_WebGate, and make sure you understand the
   above point.
   Note: In the next practice, you change this behavior so that the main bakery home page is
   unprotected.
4. Explore the application by clicking the Products, On-line Store, Bakers Corner and About links.
5. Right now, anyone can click the Employee link without being challenged for credentials;
   nothing ensures that only employees can get to the page behind the link (employeeHome.html). In
   the subsequent practices, you protect the employeeHome.html page. The Employee link
   should be accessible to employees only: when you click the Employee link, it should
   challenge you for credentials and, only if you are an employee, grant you access.
   Finally, the HR, Finance, and Engineering department sites should be accessible to
   employees in HR, Finance, and Engineering respectively. In the subsequent practices, you
   make sure an employee in, say, HR cannot access the Engineering department site.


Practice 5-10: Unprotect Bakery Application


Overview
In this practice, you unprotect the bakery application so that any user can view the various pages,
including welcome-index.html (the launch page).

Tasks
1. Log in to the OAM admin console by using vishal.parashar and Welcome1. Navigate
   to Policy Configuration > Application Domains > OAM11g_WebGate > Resources.
2. Click the Create icon to create two resources, one after the other.
   Step   Name              Value
   a.     Type              Http
   b.     Description       Bakery app launch page
   c.     Host Identifier   OAM11gHostId
   d.     Resource URL      /example
   Click Apply.
   Step   Name              Value
   e.     Type              Http
   f.     Description       Bakery app
   g.     Host Identifier   OAM11gHostId
   h.     Resource URL      /example//*
   Click Apply.
3. Navigate to Application Domains > OAM11g_WebGate > Authentication Policies > Public
   Resource Policy. Click the Edit icon. On the Resources tab, click the Create (+) icon to add
   the two resources created above (select OAM11gHostId:/example and
   OAM11gHostId:/example//* from the drop-down menu) so that they are protected by the
   Anonymous Scheme (public access). Click Apply when done.


4. Close all browsers. Open a new browser and enter
   http://<your_host>.us.oracle.com:7778/example or
   http://<your_host>.us.oracle.com:7778/example/welcome-index.html. You should see the
   bakery main page (without being challenged for credentials).
5. However, note that this opens up all the doors within the bakery application, including the
   Employee login link. Click the Employees link and you should be able to see the
   employeeHome.html page without being challenged to log in as an employee; that is, all
   the pages of the Example Bakery application become accessible to the public. This of
   course needs to be corrected, which you set up in the next practice.


Practice 5-11: Protect Employee Home Page Within Bakery
Application

Overview
In this practice, you make sure that only employees (in this case, only users in OID) can log
in to employee pages. All anonymous users must be challenged to authenticate themselves, and
only employees should be able to access those internal pages.

Tasks
1. Log in to the OAM admin console by using vishal.parashar and Welcome1. Navigate
   to Application Domains > OAM11g_WebGate > Resources. Click the Create icon to create
   a new resource as shown below:
   Step   Name              Value
   a.     Type              http
   b.     Description       Employee Home page
   c.     Host Identifier   OAM11gHostId
   d.     Resource URL      /example/internal//*
   Click Apply.
2. Navigate to Application Domains > OAM11g_WebGate > Authentication Policies >
   Protected Resource Policy. Click the Edit icon. On the Resources tab, click the Add (+)
   icon. From the drop-down list, select OAM11gHostId:/example/internal//*. Click
   Apply.


3. Click the Responses tab. Click the Add icon and provide the following details:
   Name           Type     Value
   AuthN_Cookie   Cookie   $user.attr.uid has been successfully authenticated as an employee. This is the AuthN response.
   Click Apply.


4. Remove all the cookies. Open LiveHTTPHeader by using Tools > LiveHTTPHeader and
   minimize the window. Enter http://<your_host>.us.oracle.com:7778/example. You should
   see the unprotected main page of the Example Bakery application. Now, click the
   Employees link. You should be challenged for SSO credentials. Enter Vishal.Parashar
   and Welcome1. You should now see the employeeHome.html page, that is, the employees'
   home page. Vishal Parashar is an authenticated employee in OID.
5. From the browser's menu options, navigate to Tools > Options > Privacy > Show Cookies.
   Expand the site node and notice the AuthN_Cookie cookie. Click the cookie name to see
   its value in the bottom pane. (You can also view the cookie and its value by using
   LiveHTTPHeader.)


Practice 5-12: Protect Department Sites with Authorization Rules


Overview
In this practice, you create authorization rules such that employees of a department can access
only their own department's home page and not the home pages of the other departments; for
example, HR and Finance employees can each access only their respective department home page.

Tasks
1. Log in to the OAM admin console with vishal.parashar and Welcome1. On the Policy
   Configuration tab, navigate to Application Domains > OAM11g_WebGate > Resources.
   Click the Create icon to create a new resource as shown below:
   Step   Name              Value
   a.     Type              http
   b.     Description       HR page
   c.     Host Identifier   OAM11gHostId
   d.     Resource URL      /example/internal/hr
   Click Apply.
2. Navigate to Application Domains > OAM11g_WebGate > Resources > OAM11gHostId:
   /example/internal/hr. Click the Duplicate icon on the toolbar and change the
   Resource URL from copy of /example/internal/hr to
   /example/internal/hr//*
   Click Apply.
3. Click the Duplicate icon on the toolbar and change the Resource URL from copy of
   /example/internal/hr to /example/internal/finance.
   Change the Description from HR page to Finance page.
   Click Apply.
4. Click the Duplicate icon on the toolbar and change the Resource URL from copy of
   /example/internal/hr to /example/internal/finance//*
   Change the Description from HR page to Finance page.
   Click Apply.
5. Click the Duplicate icon on the toolbar and change the Resource URL from copy of
   /example/internal/hr to /example/internal/eng.
   Change the Description from HR page to Engineering page.
   Click Apply.
6. Click the Duplicate icon on the toolbar and change the Resource URL from copy of
   /example/internal/hr to /example/internal/eng//*
   Change the Description from HR page to Engineering page.
   Click Apply.
7. Navigate to Application Domains > OAM11g_WebGate > Authorization Policies. Click the
   Create icon to create a new authorization policy as shown below:
   Step   Name             Value
   a.     Name             ExampleBakery_HR
   b.     Description      Policy to protect only HR Employees from viewing HR department page
   c.     Resources tab:   OAM11gHostId:/example/internal/hr
          Resource URLs    OAM11gHostId:/example/internal/hr//*
   Click Apply. Close the confirmation message by clicking the Hide (x) icon to the right.

   Click the Constraints tab and fill in the information as shown below:
   Step   Name    Value
   a.     Name    HR_Employees_Only
   b.     Class   Identity
   c.     Type    Allow
   Click Add Selected. Click the HR_Employees_Only constraint line. Click the Collapse Pane
   icon at the top-right corner of the Constraint Details pane and fill in the constraint details as
   shown below:
   Step   Name                        Value
   a.     Selected User and Groups    Name: HR, Type: Group
   b.     Type                        Allow
   Click Add Selected. Click Save followed by the Apply button.


   Click the Responses tab and fill in the information as shown below:
   Step   Name    Value
   a.     Name    AuthZ_Cookie
   b.     Type    Cookie
   c.     Value   $user.attr.uid has been successfully authorized to view this page as member of HR department. This is the AuthZ response.
   Click Apply.


8. Navigate to Application Domains > OAM11g_WebGate > Authorization Policies. Click the
   Create icon to create a new authorization policy as shown below:
   Step   Name             Value
   a.     Name             ExampleBakery_Finance
   b.     Description      Policy to protect only Finance Employees from viewing Finance department page
   c.     Resources tab:   OAM11gHostId:/example/internal/finance
          Resource URLs    OAM11gHostId:/example/internal/finance//*
   Click Apply. Close the confirmation message by clicking the Hide (x) icon to the right.


   Click the Constraints tab and fill in the information as shown below:
   Step   Name    Value
   a.     Name    Finance_Employees_Only
   b.     Class   Identity
   c.     Type    Allow
   Click Add Selected. Click Apply.
   Click the Finance_Employees_Only constraint line. Click the Collapse Pane icon and fill in
   the constraint details as shown below:
   Step   Name                        Value
   a.     Selected User and Groups    Name: Finance, Type: Group
   b.     Type                        Allow
   Click Save followed by the Apply button.


   Click the Responses tab and fill in the information as shown below:
   Step   Name    Value
   a.     Name    AuthZ_Cookie
   b.     Type    Cookie
   c.     Value   $user.attr.uid has been successfully authorized to view this page as member of Finance department. This is the AuthZ response.
   Click Apply.

9. Navigate to Application Domains > OAM11g_WebGate > Authorization Policies. Click the
   Create icon to create a new authorization policy as shown below:
   Step   Name             Value
   a.     Name             ExampleBakery_Engineering
   b.     Description      Policy to protect only Engineering Employees from viewing Engineering department page
   c.     Resources tab:   OAM11gHostId:/example/internal/eng
          Resource URLs    OAM11gHostId:/example/internal/eng//*
   Click Apply. Close the confirmation message by clicking the Hide (x) icon to the right.


   Click the Constraints tab and fill in the information as shown below:
   Step   Name    Value
   a.     Name    Engineering_Employees_Only
   b.     Class   Identity
   c.     Type    Allow
   Click Add Selected. Click the Engineering_Employees_Only constraint line. Click the
   Collapse Pane icon and fill in the constraint details as shown below:
   Step   Name                        Value
   a.     Selected User and Groups    Name: Engineering, Type: Group
   b.     Type                        Allow
   Click Save followed by the Apply button.


   Click the Responses tab and fill in the information as shown below:
   Step   Name    Value
   a.     Name    AuthZ_Cookie
   b.     Type    Cookie
   c.     Value   $user.attr.uid has been successfully authorized to view this page as member of Engineering department. This is the AuthZ response.
   Click Apply.


10. Remove all cookies from the browser. Enter
    http://<your_host>.us.oracle.com:7778/example. You should see the unprotected main
    page of the Example Bakery application. Now, click the Employee Login link. You should
    be challenged for SSO credentials. Log in by using mina.rather and Welcome1 (Mina is
    a member of the HR department). You should see the Example Bakery Employee portal
    page (employeeHome.html). Now click the Human Resource department site link and
    you should be able to view the HR department home page. Navigate to the browser's menu
    option Tools > Options > Privacy > Show Cookies to view the AuthZ_Cookie cookie
    value. Click Close followed by OK.
11. Go back to the employee portal page by using the browser's Back button and click the
    Finance department site link. You should see the OAM Operation Error page, which states that
    you are not authorized to view the page.
Retry steps 10 and 11 by using the Finance (lori.lenox) and Engineering
(vishal.parashar) employees to make sure employees can only view their own
respective department home pages.


Practice 5-13: Demo CGI Scripts to View Responses in Application


Overview
In this practice, you use CGI applications or scripts to learn how to generate responses of
various kinds, from very simple to more complex, and to see how your applications receive them.

Tasks
1. Create the following three new resources under Application Domains > OAM11g_WebGate
   > Resources:
   Name              Value
   Type              http
   Description       This resource is for basic responses demo
   Host Identifier   OAM11gHostId
   Resource URL      /cgi-bin/protected1
   Click Apply.
   Use the Duplicate icon to create the next two resources. Navigate to OAM11g_WebGate >
   Resources > /cgi-bin/protected1. Click the Duplicate icon.
   Name              Value
   Type              http
   Description       This resource is for simple responses demo
   Host Identifier   OAM11gHostId
   Resource URL      /cgi-bin/protected2
   Click Apply. Click the Duplicate icon.
   Name              Value
   Type              http
   Description       This resource is for advanced responses demo
   Host Identifier   OAM11gHostId
   Resource URL      /cgi-bin/protected3
   Click Apply.
2. Create three new authorization policies (under Application Domains > OAM11g_WebGate >
   Authorization Policies) to allow access to the resources created above, and set the following
   responses in each policy:
   Note: For the rest of the fields, take the default values.
   Name          Value
   Name          AuthZ_Protected1_App
   Description   literal string as response
   Resources     OAM11gHostId: /cgi-bin/protected1
   Responses tab:
   Name    OAM_RESP_LITERALC
   Type    Cookie
   Value   Responses demo cookie
   Name    OAM_RESP_LITERALH
   Type    Header
   Value   Responses demo header
   Click Apply.


   Name          Value
   Name          AuthZ_Protected2_App
   Description   response value with a variable
   Resources     OAM11gHostId: /cgi-bin/protected2
   Responses tab:
   Name    OAM_RESP_HSIMPLE
   Type    Header
   Value   User $user.attr.uid came from $request.client_ip using $request.agent_id
   Name    response_test
   Type    Session
   Value   User info for later: mail ${user.attr.mail}, created at ${user.attr.createtimestamp}
   Click Apply.


   Name          Value
   Name          AuthZ_Protected3_App
   Description   response value with literals and variables
   Resources     OAM11gHostId: /cgi-bin/protected3
   Responses tab:
   Name    OAM_RESP_HADVANCED1
   Type    Header
   Value   Policy matched for requested URL [${request.res_url}]: $request.policy_name using [${request.policy_res}], in domain [${request.policy_appdomain}]
   Name    OAM_RESP_HADVANCED2
   Type    Header
   Value   Read out user info from session attr response_test : $session.attr.response_test
   Click Apply.


3. Copy the CGI Perl scripts and accompanying CSS/JS from D:\labs\lesson05\oamresponse-demo to the following location in the OHS instance:
   d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\cgi-bin.
4. Remove all browser cookies. Access each CGI in turn (you will need to log in with
   Vishal.Parashar and Welcome1 before seeing the first one,
   http://<your_host>.us.oracle.com:7778/cgi-bin/protected1) and examine the results.
   Note: The header variables are visible immediately, but the cookie becomes visible only on
   the second access of the resource. This is because, the first time you access the application,
   the WebGate asks the browser to set the cookie on the response coming back from the
   application, and the browser sends the cookie only on its subsequent requests.


Practice 5-14: Workaround/Patch for HA Lab


Overview
In this practice, you make the favorites icon (favicon.ico) a public resource. This is just a
workaround for the HA lab; the behavior has been identified as a potential bug that will be
addressed in a patch release of the product.

Tasks
1. Launch the admin console. Navigate to Policy Configuration > Application Domains >
   OAM11g_WebGate > Resources. Add a resource /favicon.ico.
   Click Apply.
2. Navigate to Policy Configuration > Application Domains > OAM11g_WebGate >
   Authentication Policies > Public Resource Policy. Edit the Public Resource Policy and add
   the /favicon.ico resource.
   Click Apply.


Practices for Lesson 6


Chapter 6


Practices for Lesson 6


Practices Overview
In these practices, you customize the login page, demonstrate single sign-on and single logout,
and manage Oracle Access Manager sessions.
First, you customize the login page. Example Bakery wants its employees to use a login page
that has branding that is similar to the rest of the Example Bakery site instead of the login page
provided by Oracle Access Manager. You configure Oracle Access Manager to use a
customized login page to collect credentials.
Next, you demonstrate single sign-on and single logout. The demonstration shows how a user
can access resources that are protected by the mod_osso filter, an Oracle Access Manager
10g WebGate, and an Oracle Access Manager 11g WebGate while authenticating only once. In
order to perform this demonstration, you first need to deploy the sample Web site to the Oracle
HTTP Server instances on which the mod_osso filter and the 10g WebGate are installed. Then,
you define policies so that the internal-access parts of the sites protected by the mod_osso filter
and the 10g WebGate are restricted. Then you demonstrate single sign-on and single logout, by
using the Live HTTP Headers add-on to examine cookies being set on the browser.
Next, you perform typical session management tasks. You use the Session Management page
in the Oracle Access Manager console to terminate a user session, and you configure Oracle
Access Manager server to constrain the number of concurrent sessions that a user is allowed to
have.


Practice 6-1: Customizing the Login Page


Overview
In this practice, you configure Oracle Access Manager to use a custom-branded login page for
the Example Bakery Web site.

Assumptions
- You completed practices 3 through 6 successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Verify that when you access the Example Bakery Web site on the OHS instance protected
   by the 11g WebGate, Oracle Access Manager uses its standard login page:
   a. If it is not already running, start the Firefox browser. Use the Firefox browser, not
      Internet Explorer, for this set of practices unless explicitly directed otherwise.
   b. Enter the following URL to navigate to the Example Bakery home page:
      http://your_host.us.oracle.com:7778/example.
   c. Click Employees. The standard Oracle Access Manager login page appears.
   d. Log in as user Vishal.Parashar with password Welcome1. The Example Bakery
      Employee portal page appears.
2. Log in to the Oracle Access Manager console as user Vishal.Parashar. The password
   is Welcome1.
3. Create the ExampleLDAPScheme authentication scheme. This authentication scheme has
   the same configuration as the LDAPScheme authentication scheme. You will use the
   ExampleLDAPScheme authentication scheme to protect the Example Bakery Web site.
   Creating a separate authentication scheme reduces the risk of misconfiguring the
   LDAPScheme authentication scheme and creating a situation where you cannot log in to the
   Oracle Access Manager console, which is protected by the LDAPScheme authentication
   scheme.
   a. In the Policy Configuration tab, navigate to Shared Components > Authentication
      Schemes.
   b. Select LDAPScheme and click Duplicate. A new authentication scheme named copy
      of LDAPScheme appears in the right window pane.
   c. Rename the new authentication scheme to ExampleLDAPScheme.
   d. Click Apply. The ExampleLDAPScheme authentication scheme appears in the left
      window pane, in the list of authentication schemes.
Change the authentication scheme protecting the Example Bakery Web site from the
LDAPScheme authentication scheme to the ExampleLDAPScheme authentication scheme:
a. In the Policy Configuration tab, navigate to Application Domains > OAM11g_WebGate
> Authentication Policies > Protected Resource Policy and click Edit.
b. In the right window pane, change the authentication scheme from the LDAPScheme
authentication scheme to the ExampleLDAPScheme authentication scheme.
c. Click on Response tab before you click Apply (Bug 10074740).
d. Click Apply.
Verify that when you access the Example Bakery Web site on the OHS instance protected
by the 11g WebGate, Oracle Access Manager still uses its standard login page. The Web
site is protected by the ExampleLDAPScheme authentication scheme, but that
authentication scheme has not yet been customized to use a customized login page.
a. Clear cookies and cache, close your browser, and restart the browser.
Note: These practices require you to clear your browsers cookies and cache and
restart the browser frequently. To clear the cookies and cache, you can select Tools >
Clear Recent History in Firefox, click Details, select the Cookies and Cache check
boxes, then click Clear Now. The check box settings are persistent, so when
subsequent tasks require you to clear cookies and cache, you can simply select Tools
> Clear Recent History in Firefox, then click Clear Now. To close the browser, always
use File > Exit. Do not use the close box.
b. Enter the following URL to navigate to the Example Bakery home page:
http://your_host.us.oracle.com:7778/example.
c. Click Employees. The standard Oracle Access Manager SSO login page appears.
Review the exploded WAR file that contains the customized login page:
a. Using Notepad, open the d:\labs\lesson06\login\examplelogin.jsp file.
b. Observe the following code in the file:

The form statement that submits back to the required end point
/oam/server/auth_cred_submit on the Oracle Access Manager server. To
locate this statement, search for the string, form.

The Java and HTML code that retrieves the request ID from the HTTP header and
stores the request ID in a hidden field, so that it is returned to the Oracle Access
Manager server as required. To locate this code, search for the string,
GetParameter. Review this line of Java code, and the HTML input statement
that follows.
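The two pieces that step 6 asks you to locate are what a custom OAM 11g login page must carry: a form that posts to /oam/server/auth_cred_submit and a hidden field that returns the request ID. The following check is an added example for this guide; it is not the content of examplelogin.jsp (which is not reproduced here) and not Oracle's code. It assumes the hidden field is named request_id, and both sample pages are constructed. It also reports whether the echoed request ID visibly passes through an escaping call, a point the lab does not discuss; that heuristic can flag a missing call but cannot prove a page safe.

```python
"""Lint a custom OAM 11g login page for the pieces the lab asks you to locate.

Added example, not part of the Oracle course materials and not the content of
examplelogin.jsp, which is not reproduced here. The check looks for (1) a form that
posts to /oam/server/auth_cred_submit and (2) a hidden field that returns the request
ID. The field name request_id is assumed here; both sample pages are constructed.
"""
import re

CRED_SUBMIT_ENDPOINT = "/oam/server/auth_cred_submit"
REQUEST_ID_FIELD = "request_id"  # assumed field name, not taken from the lab text

# Constructed page: a scriptlet copies the parameter straight into the hidden field.
SAMPLE_LOGIN_JSP = """\
<html><body>
<form name="login" method="post" action="/oam/server/auth_cred_submit">
  Username: <input type="text" name="username"><br>
  Password: <input type="password" name="password"><br>
  <% String reqId = request.getParameter("request_id"); %>
  <input type="hidden" name="request_id" value="<%= reqId %>">
  <input type="submit" value="Login">
</form>
</body></html>
"""

# Constructed page: same form, but the echoed value goes through JSTL's fn:escapeXml.
SAMPLE_LOGIN_JSP_ESCAPED = """\
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<html><body>
<form name="login" method="post" action="/oam/server/auth_cred_submit">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="request_id" value="${fn:escapeXml(param.request_id)}">
  <input type="submit" value="Login">
</form>
</body></html>
"""

# A tag body may contain <% ... %> scriptlets, which themselves contain '>'.
_TAG_BODY = r"(?:<%.*?%>|[^>])*"
_FORM = re.compile(r"<form\b(" + _TAG_BODY + r")>", re.I | re.S)
_INPUT = re.compile(r"<input\b(" + _TAG_BODY + r")>", re.I | re.S)
_ATTR_TEMPLATE = r"""\b{name}\s*=\s*(?:"((?:<%.*?%>|[^"])*)"|'((?:<%.*?%>|[^'])*)')"""


def _attr(attrs, name):
    """Read one quoted attribute from a tag body; None when it is absent."""
    m = re.search(_ATTR_TEMPLATE.format(name=name), attrs, re.I | re.S)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def lint_login_page(src):
    """Return what the page source does and does not contain."""
    findings = {
        "cred_form": False,          # a form whose action is the OAM credential endpoint
        "method_post": False,        # that form submits with POST
        "request_id_hidden": False,  # a hidden input named request_id exists
        "request_id_escaped": None,  # its value visibly passes through an escaping call
    }
    for m in _FORM.finditer(src):
        action = _attr(m.group(1), "action") or ""
        if action.endswith(CRED_SUBMIT_ENDPOINT):
            findings["cred_form"] = True
            findings["method_post"] = (_attr(m.group(1), "method") or "get").lower() == "post"
    for m in _INPUT.finditer(src):
        attrs = m.group(1)
        if (_attr(attrs, "type") or "").lower() == "hidden" and _attr(attrs, "name") == REQUEST_ID_FIELD:
            findings["request_id_hidden"] = True
            value = _attr(attrs, "value") or ""
            # Coarse heuristic: the request ID is echoed back from the request, so an
            # escaping/encoding call should be visible around it. This cannot prove safety.
            findings["request_id_escaped"] = bool(re.search(r"escape|encod", value, re.I))
    return findings


if __name__ == "__main__":
    for label, page in (("unescaped", SAMPLE_LOGIN_JSP), ("escaped", SAMPLE_LOGIN_JSP_ESCAPED)):
        print(label, lint_login_page(page))
```

Run it against the JSP source after you open the file in step 6a; the regular expressions tolerate scriptlets inside tag attributes, which an HTML parser does not.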
7. Deploy the exploded WAR file that contains the customized login page to the WebLogic
   server running the Oracle Access Manager server:
   a. Navigate to the following URL to start the WebLogic console:
      http://your_host.us.oracle.com:7001/console. Log in as the weblogic user. The
      password is Welcome1.
   b. Click Lock and Edit in the Change Center pane.
   c. Select oam_domain > Deployments from the Domain Structure pane. The Summary of
      Deployments page appears on the right side of the console window. Click Install.
   d. The Locate Deployment to Install and Prepare for Deployment form appears. Specify
      the value d:\labs\lesson06\login in the Path field. Click Next.
   e. The Choose Targeting Style form appears. Select Install this Deployment as an
      Application and click Next.
   f. The Select Deployment Targets form appears. Select the oam_server1 target. Click
      Next.
   g. The Optional Settings form appears. Click Finish.
   h. The Summary of Deployments page reappears. Click Next under the Deployments
      table. The login application should appear in the list with the Distribute Initializing
      status.
   i. Click Activate Changes in the Change Center pane. The login application's status
      changes to Prepared.
   j. Select the check box next to the login application. Click Start > Servicing All
      Requests, then click Yes. The Summary of Deployments page reappears. Click Next
      under the Deployments table to view the status of the login application. The status
      should be Active.
8. Specify the custom-branded login page for the ExampleLDAPScheme authentication
   scheme:
   a. Log in to the Oracle Access Manager console as user Vishal.Parashar. The
      password is Welcome1.
   b. In the Policy Configuration tab, navigate to Shared Components > Authentication
      Schemes.
   c. Select the ExampleLDAPScheme authentication scheme and click Edit. Configuration
      details for the ExampleLDAPScheme authentication scheme appear in the right
      window pane.
   d. Change the following values for the ExampleLDAPScheme authentication scheme:
      Field            Choices or Values
      Challenge URL    /examplelogin.jsp
      Context Type     customWAR
      Context Value    /login
   e. Click Apply.
10. Verify that when you access the Example Bakery Web site on the OHS instance protected
    by the 11g WebGate, Oracle Access Manager now uses the Example Bakery custom-branded
    login page:
    a. Clear cookies and cache, close your browser, and restart the browser.
    b. Enter the following URL to navigate to the Example Bakery home page:
       http://your_host.us.oracle.com:7778/example.
    c. Click Employees. The Example Bakery login page appears. This is the custom login
       page that you specified in Step 8.
    d. Log in as user Vishal.Parashar with password Welcome1. The Example Bakery
       Employee portal page appears.

Practice 6-2: Deploying and Protecting the Example Bakery Web Site on the Two Other OHS
Instances
Overview
In your current deployment, the Example Bakery Web site is deployed on the OHS instance
running on port 7778, which is protected by an Oracle Access Manager 11g WebGate.
In this practice, you deploy the same Web site to the other two OHS instances:
- The OHS instance running on port 7779, which is protected by an Oracle Access
  Manager 10g WebGate
- The OHS instance running on port 7780, which is protected by the mod_osso filter
After you install the Example Bakery Web site on these two servers, you protect the employee
pages on the sites by configuring appropriate policy in Oracle Access Manager.
In subsequent practices, you will demonstrate single sign-on by authenticating at one of the
three Web sites, then accessing the other two Web sites without having to authenticate again.

Assumptions
- You completed all previous practices successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Deploy the Example Bakery Web site to the OHS instances running on ports 7779 and
   7780:
   a. Copy the D:\Labs\Lesson05\example folder to the
      D:\Middleware\ohs_home\instances\ohs_webgate10g\config\OHS\ohs1\htdocs folder.
   b. Verify that you can view the Example Bakery Web site running on the OHS instance
      running on port 7779 by navigating to the URL,
      http://your_host.us.oracle.com:7779/example. Notice that you will have to log in (with
      Vishal.Parashar and Welcome1) on the SSO login page because you have not yet
      unprotected the Example Bakery launch page under the oam10g_webgate or
      OSSO10g_agent application domains.
   c. Copy the D:\Labs\Lesson05\example folder to the
      D:\Middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\htdocs folder.
   d. Verify that you can view the Example Bakery Web site running on the OHS instance
      running on port 7780 by navigating to the URL,
      http://your_host.us.oracle.com:7780/example.
2. Define resources required to protect the Example Bakery Web site running on the OHS
   instance running on port 7779:
   a. Log in to the Oracle Access Manager console as user Vishal.Parashar with
      password Welcome1.
   e. Navigate to Policy Configuration > Application Domains > oam10g_webgate >
      Resources.
   f. Click the Create icon to create the OAM10gHostId:/example resource. The
      Resource page appears. Fill in values in the Resources page as follows:
      Screen/Page Description    Choices or Values
      Type                       HTTP
      Description                Bakery Web site launch page
      Host Identifier            OAM10gHostId
      Resource URL               /example
   g. Click Apply.
   h. Click the Create icon again to create the OAM10gHostId:/example//* resource.
      Fill in values in the Resources page as follows:
      Screen/Page Description    Choices or Values
      Type                       HTTP
      Description                Bakery Web site
      Host Identifier            OAM10gHostId
      Resource URL               /example//*
   i. Click Apply.
   j. Click the Create icon to create the OAM10gHostId:/example/internal resource. The
      Resource page appears. Fill in values in the Resources page as follows:
      Screen/Page Description    Choices or Values
      Type                       HTTP
      Description                Bakery Web site employee-only pages
      Host Identifier            OAM10gHostId
      Resource URL               /example/internal
   k. Click Apply.
   l. Click the Create icon again to create the OAM10gHostId:/example/internal//*
      resource. Fill in values in the Resources page as follows:
      Screen/Page Description    Choices or Values
      Type                       HTTP
      Description                Bakery Web site employee-only pages
      Host Identifier            OAM10gHostId
      Resource URL               /example/internal//*
   m. Click Apply.
3. Configure Oracle Access Manager to provide public access to the public portions of the
   Web site deployed to the OHS instance running on port 7779. The public portion of the Web
   site comprises all of the Web site except for the employee portal and department pages.
   a. Navigate to Application Domains > oam10g_webgate > Authentication Policies > Public
      Resource Policy.
   b. Click the Edit icon. The Authentication Policy page appears on the right side of the
      console.
   c. In the Resources tab, click the Add icon. A blank line appears in the Resources list.
      Select the OAM10gHostId:/example resource from the drop-down list.
   d. In the Resources tab, click the Add icon again. A blank line appears in the Resources
      list. Select the OAM10gHostId:/example//* resource from the drop-down list.
   e. Click Apply.

4. Configure Oracle Access Manager to protect the private portions of the Web site deployed
   to the OHS instance running on port 7779. The private portion of the Web site comprises
   the employee portal and department pages, which are located in the site's internal
   directory.
   a. Navigate to Application Domains > oam10g_webgate > Authentication Policies >
      Protected Resource Policy.
   b. Click the Edit icon. The Authentication Policy page appears on the right side of the
      console.
   c. In the Resources tab, click the Add icon. A blank line appears in the Resources list.
      Select the OAM10gHostId:/example/internal resource from the drop-down list.
   d. In the Resources tab, click the Add icon again. A blank line appears in the Resources
      list. Select the OAM10gHostId:/example/internal//* resource from the drop-down list.
   e. Select the ExampleLDAPScheme authentication scheme so that the site uses the
      Example Bakery custom-branded login page.
   f. Click Apply.
5. Test the policy configuration:
   a. Clear cookies and cache, close your browser, and restart the browser.
   b. Navigate to the home page for the Example Bakery Web site,
      http://your_host.us.oracle.com:7779/example. You should be able to see the page
      without authenticating.
   c. Click all the links except the Employees link. You should be able to access these links
      without authenticating.
   d. Click the Employees link. The Example Bakery custom-branded login page should
      appear.
6. Define resources required to protect the Example Bakery Web site running on the OHS
   instance running on port 7780:
   a. Log in to the Oracle Access Manager console as user Vishal.Parashar with
      password Welcome1.
   b. Navigate to Policy Configuration > Application Domains > osso10g_agent >
      Resources.
   c. Click the Create icon to create the OSSO10gHostId:/example/internal resource.
      The Resources page appears. Fill in values in the Resources page as follows:
      Screen/Page Description    Choices or Values
      Type                       HTTP
      Description                Bakery Web site employee-only pages
      Host Identifier            OSSO10gHostId
      Resource URL               /example/internal
   d. Click Apply.
   e. Click the Create icon again to create the OSSO10gHostId:/example/internal//*
      resource. Fill in values in the Resources page as follows:
      Screen/Page Description    Choices or Values
      Type                       HTTP
      Description                Bakery Web site employee-only pages
      Host Identifier            OSSO10gHostId
      Resource URL               /example/internal//*
   f. Click Apply.
   Note: Because the mod_osso filter forwards only requests for protected resources, there
   is no need to create policies for public resources.
7. Configure the mod_osso.conf file to filter requests for protected resources on the
   Example Bakery site:
   a. Open the
      D:\Middleware\ohs_home\instances\ohs_osso10g\config\OHS\ohs1\moduleconf\mod_osso.conf
      file.
   b. Locate the following lines in the mod_osso.conf file:

      <Location />
      require valid-user
      AuthType Osso
      </Location>

   c. Change the text, <Location /> to <Location /example/internal>.
      Note: This change ensures that the mod_osso filter passes URLs starting with the
      string, /example/internal, to the single sign-on provider. With the original
      <Location />, every request on the instance would be forwarded, including the public
      pages.
   d. Save the file and restart the ohs_osso10g instance by using opmnctl.
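The effect of step 7c can be checked before the browser test in step 9 by evaluating the <Location> blocks of mod_osso.conf against the paths you care about. The script below is an added example for this guide; it is neither Oracle's code nor part of mod_osso. It applies Apache's documented rule for a non-regex <Location>: the block covers the given path and everything beneath it on a path-segment boundary. Both configurations in it are constructed to match the lab text (the catch-all block as first found, and the block after step 7c).

```python
"""Work out which request paths a mod_osso.conf hands to the single sign-on provider.

Added example; it is not part of the Oracle course and not code from mod_osso. It reads
the <Location> blocks of a mod_osso.conf and applies Apache's documented rule for a
non-regex <Location>: the block covers the path itself and every path beneath it, on a
path-segment boundary. Both configurations below are constructed to match the lab text.
"""
import re

# Constructed: the block as the lab first shows it. Every request is forwarded to SSO.
CONF_CATCH_ALL = """\
<Location />
require valid-user
AuthType Osso
</Location>
"""

# Constructed: the same block after the prefix change in Practice 6-2, step 7c.
CONF_SCOPED = """\
<Location /example/internal>
require valid-user
AuthType Osso
</Location>
"""

_LOCATION_BLOCK = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.I | re.S)


def sso_locations(conf):
    """Return the Location prefixes whose block requires an Osso-authenticated user."""
    prefixes = []
    for m in _LOCATION_BLOCK.finditer(conf):
        prefix, body = m.group(1), m.group(2)
        directives = {}
        for line in body.splitlines():
            words = line.split()
            if words and not words[0].startswith("#"):
                directives[words[0].lower()] = words[1:]
        auth_type = (directives.get("authtype") or [""])[0].lower()
        if auth_type == "osso" and "require" in directives:
            prefixes.append(prefix)
    return prefixes


def location_matches(prefix, path):
    """Apache <Location> rule: exact match, or the prefix plus '/' is a prefix of the path."""
    if prefix == "/":
        return True
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def requires_sso(conf, path):
    """True when mod_osso would forward a request for path to the single sign-on provider."""
    return any(location_matches(p, path) for p in sso_locations(conf))


def protection_report(conf, paths):
    """Map each path to whether it is forwarded to SSO; run before the browser test in step 9."""
    return {p: requires_sso(conf, p) for p in paths}


if __name__ == "__main__":
    sample_paths = ["/example", "/example/bread.html",
                    "/example/internal", "/example/internal/employeeHome.html"]
    print("catch-all:", protection_report(CONF_CATCH_ALL, sample_paths))
    print("scoped:   ", protection_report(CONF_SCOPED, sample_paths))
```

With the scoped block, /example and the other public pages are served without a detour to the SSO provider, while /example/internal and everything beneath it are forwarded, which is exactly what step 9 verifies in the browser. A path such as /example/internals.html is not forwarded, because the match is on a path segment, not on a raw string prefix.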


Configure Oracle Access Manager to protect the private portions of the Web site deployed
to the OHS instance running on port 7780. The private portion of the Web site comprises
the employee portal and department pages, which are located in the sites internal
directory.
a. Navigate to Application Domains > OSSO10g_agent > Authentication Policies >
Protected Resource Policy.
b. Click the Edit icon. The Authentication Policy page appears on the right side of the
console.
c. In the Resources tab, click the Add icon. A blank line appears in the Resources list.
Select the OSSO10gHostId:/example/internal resource from the drop-down list.
d. In the Resources tab, click the Add icon again. A blank line appears on the Resources
list. Select the OSSO10gHostId:/example/internal//* resource from the dropdown list.
e. Select the ExampleLDAPScheme authentication scheme so that the site uses the
Example Bakery custom-branded login page.
f. Click Apply.
Test the policy configuration:
a. Clear cookies and cache, close your browser, and restart the browser.
Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6


Chapter 6 - Page 12

b.

Navigate to the home page for the Example Bakery Web site,
http://your_host.us.oracle.com:7780/example. You should be able to see the page
without authenticating.
c. Click all the links except the Employees link. You should be able to access these links
without authenticating.
10. Click the Employees link. The Example Bakery custom-branded login page should appear.


Practice 6-3: Reviewing Web Site Protection in Your Deployment
Overview
In this practice, you review the protection mechanisms for the three Example Bakery Web sites
you have deployed so far:
- The site running on port 7778, which is protected by an Oracle Access Manager 11g
  WebGate
- The site running on port 7779, which is protected by an Oracle Access Manager 10g
  WebGate
- The site running on port 7780, which is protected by the mod_osso filter

Assumptions
- You completed all previous practices successfully.
- You perform this practice on your Windows lab system.

Tasks
1. If necessary, start the Firefox browser.
2. Clear cookies and cache.
3. Attempt to access a protected page on the Web site protected by the Oracle Access
   Manager 11g WebGate by typing the following URL in your browser's address bar:
   http://your_host:7778/example/internal/employeeHome.html. The Example Bakery login
   page should appear. Do not authenticate now.
4. Attempt to access a protected page on the Web site protected by the Oracle Access
   Manager 10g WebGate by typing the following URL in your browser's address bar:
   http://your_host:7779/example/internal/employeeHome.html. The Example Bakery login
   page should appear. Do not authenticate now.
5. Attempt to access a protected page on the Web site protected by the mod_osso filter by
   typing the following URL in your browser's address bar:
   http://your_host:7780/example/internal/employeeHome.html. The Example Bakery login
   page should appear. Do not authenticate now.
Resources on all three sites are protected by Oracle Access Manager.


Practice 6-4: Demonstrating Single Sign-On
Overview
In this practice, you observe Oracle Access Manager single sign-on. With single sign-on, you
need only authenticate once to access multiple protected pages.

Assumptions
- You completed all previous practices successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Clear cookies and cache and restart the browser.
2. Demonstrate single sign-on by accessing protected pages on your three Web sites. After
   you authenticate to gain access to the first protected page, you are not prompted to
   authenticate when you attempt to access other protected pages.
   a. Attempt to access a protected page on the Web site protected by the Oracle Access
      Manager 11g WebGate by typing the following URL in your browser's address bar:
      http://your_host:7778/example/internal/employeeHome.html. The Example Bakery
      login page should appear.
   b. Authenticate as user David.Goldsmith with password Welcome1. The Example
      Bakery employee portal appears.
   c. Attempt to access a protected page on the Web site protected by the Oracle Access
      Manager 10g WebGate by typing the following URL in your browser's address bar:
      http://your_host:7779/example/internal/employeeHome.html. This time, you are not
      prompted to authenticate as you were in the previous practice. The Example Bakery
      employee portal appears.
   d. Attempt to access a protected page on the Web site protected by the mod_osso filter
      by typing the following URL in your browser's address bar:
      http://your_host:7780/example/internal/employeeHome.html. Once again, you are not
      prompted to authenticate as you were in the previous practice. The Example Bakery
      employee portal appears.


Practice 6-5: Examining Browser Cookies During Single Sign-On and Single Logout
Overview
In this practice, you use the Firefox Live HTTP Headers add-on, pre-installed on your Windows
lab system, to review cookie creation. First, you access protected resources on the following
three Web sites:
- The site running on port 7778, which is protected by an Oracle Access Manager 11g
  WebGate
- The site running on port 7779, which is protected by an Oracle Access Manager 10g
  WebGate
- The site running on port 7780, which is protected by the mod_osso filter
You attempt to access each of the three sites and are prompted to authenticate to the Oracle
Access Manager server. You examine cookies before and after authentication.
Then you execute the same single sign-on scenario that you executed in the previous practice.
At various points in this single sign-on scenario, you examine browser cookies.
Finally, you log out of the single sign-on session and examine the effect on the browser cookies.

Assumptions
- You have completed all previous practices successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Clear cookies and cache and restart the browser.
2. Enable the Live HTTP Headers add-on by selecting Tools > Live HTTP headers. The Live
   HTTP Headers window appears.
   Note: Locating text in the Live HTTP Headers window can be difficult if there is a lot of text
   in the window. You can use the Save All button to copy the text in the Live HTTP Headers
   window to a file, which you can then open with any text editor and search. Using the Clear
   button to clear out all the text in the Live HTTP Headers window can also make locating text
   easier.
3. Review Oracle Access Manager and WebGate 11g cookie usage:
   a. Attempt to access a protected page on the Web site protected by the Oracle Access
      Manager 11g WebGate by typing the following URL in your browser's address bar:
      http://your_host:7778/example/internal/employeeHome.html. The Example Bakery
      login page should appear.
   b. Locate the Set-Cookie statements for the OAMAuthnCookie_host:port and
      OAMRequestContext_host:port cookies in the Live HTTP Headers window. Note
      that the value of the OAMAuthnCookie cookie is set to the value
      loggedoutcontinue. Note the value of the OAMRequestContext cookie as well.
      Note: The JSESSIONID cookie is set by OHS and is not pertinent to Oracle Access
      Manager.


   c. Authenticate as user David.Goldsmith with password Welcome1. The Example
      Bakery employee portal appears.
   d. Locate the Set-Cookie statement for the OAM_ID cookie in the Live HTTP Headers
      window.
   e. Locate the most recent Set-Cookie statement for the OAMAuthnCookie cookie in
      the Live HTTP Headers window. Note that the value of the OAMAuthnCookie cookie
      has changed. This cookie now contains a reference to the Oracle Access Manager
      session. Compare the value with what you noted in Step 3b.
   f. Locate the most recent Set-Cookie statement for the OAMRequestContext cookie
      in the Live HTTP Headers window. This transient cookie should now be expired.
      Compare the value with what you noted in Step 3b.
4. Review WebGate 10g cookie usage:
   a. Clear cookies and cache and restart the browser.
   b. Clear the contents of the Live HTTP Headers add-on by clicking the Clear button.
   c. Attempt to access a protected page on the Web site protected by the Oracle Access
      Manager 10g WebGate by typing the following URL in your browser's address bar:
      http://your_host:7779/example/internal/employeeHome.html. The Example Bakery
      login page should appear.
   d. Locate the Set-Cookie statements for the ObSSOCookie cookie in the Live HTTP
      Headers window. Note that the value of the ObSSOCookie cookie is set to the value
      loggedoutcontinue.
   e. Authenticate as user David.Goldsmith with password Welcome1. The Example
      Bakery employee portal appears.
   f. Locate the most recent Set-Cookie statement for the ObSSOCookie cookie in the
      Live HTTP Headers window. Note that the value of the ObSSOCookie cookie has
      changed. This cookie now contains a reference to the Oracle Access Manager session.

   g. Locate the Set-Cookie statement for the OAM_ID cookie in the Live HTTP Headers
      window.
5. Review mod_osso agent cookie usage:
   a. Clear cookies and cache and restart the browser.
   b. Clear the contents of the Live HTTP Headers add-on by clicking the Clear button.
   c. Attempt to access a protected page on the Web site protected by the mod_osso filter
      by typing the following URL in your browser's address bar:
      http://your_host:7780/example/internal/employeeHome.html. The Example Bakery
      login page should appear.
   d. Look through the Live HTTP Headers output. You should not find any Set-Cookie
      statements for Oracle Access Manager server cookies. Remember that the
      JSESSIONID cookie is an OHS cookie.
   e. Authenticate as user David.Goldsmith with password Welcome1. The Example
      Bakery employee portal appears.
   f. Locate the Set-Cookie statements for the OAM_ID and OHS-host-7780 cookies in the
      Live HTTP Headers window.
6. Review cookie usage during a single sign-on scenario:
   a. Clear cookies and cache and restart the browser.
   b. Clear the contents of the Live HTTP Headers add-on by clicking the Clear button.
   c. Attempt to access a protected page on the Web site protected by the Oracle Access
      Manager 11g WebGate by typing the following URL in your browser's address bar:
      http://your_host:7778/example/internal/employeeHome.html. The Example Bakery
      login page should appear.
   d. Locate the Set-Cookie statements for the OAMAuthnCookie_host:port and
      OAMRequestContext_host:port cookies in the Live HTTP Headers window. Note
      that the value of the OAMAuthnCookie cookie is set to the value
      loggedoutcontinue.
      Note: The JSESSIONID cookie is set by OHS and is not pertinent to Oracle Access
      Manager.
   e. Clear the Live HTTP Headers window.
   f. Authenticate as user David.Goldsmith with password Welcome1. The Example
      Bakery employee portal appears.
   g. Locate the Set-Cookie statement for the OAM_ID cookie in the Live HTTP Headers
      window.
   h. Locate the most recent Set-Cookie statement for the OAMAuthnCookie cookie in
      the Live HTTP Headers window. Note that the value of the OAMAuthnCookie cookie
      has changed. This cookie now contains a reference to the Oracle Access Manager
      session.
   i. Locate the most recent Set-Cookie statement for the OAMRequestContext cookie
      in the Live HTTP Headers window. This transient cookie should now be expired.
   j. Clear the Live HTTP Headers window.
   k. Attempt to access a protected page on the Web site protected by the Oracle Access
      Manager 10g WebGate by typing the following URL in your browser's address bar:
      http://your_host:7779/example/internal/employeeHome.html. This time, you are not
      prompted to authenticate. The Example Bakery employee portal appears.

   l. Locate the Set-Cookie statements for the ObSSOCookie cookie in the Live HTTP
      Headers window. Note that the value of the ObSSOCookie cookie is initially set to the
      value loggedoutcontinue, and then is set to contain a reference to the Oracle
      Access Manager session.
      Note: Close examination of the Live HTTP Headers output reveals that a second
      Set-Cookie statement for the OAM_ID cookie appears, and that the OAM_ID cookie value
      is not the same as the original cookie value. The cookie is set each time some details
      are changed in the session on the Oracle Access Manager server.
   m. Clear the Live HTTP Headers window.
   n. Attempt to access a protected page on the Web site protected by the mod_osso filter
      by typing the following URL in your browser's address bar:
      http://your_host:7780/example/internal/employeeHome.html. Once again, you are not
      prompted to authenticate. The Example Bakery employee portal appears.
   o. Locate the Set-Cookie statement for the OHS-host-7780 cookie in the Live HTTP
      Headers window.
      Note: You can now see all four cookies: ObSSOCookie, OAM_ID, OHS-host-port, and
      OAMAuthnCookie_host:port.
7. Review cookie usage during a logout:
   a. Clear the Live HTTP Headers window.
   b. Access the logout URL, http://your_host:7778/logout1.html.
   c. Locate the Set-Cookie statements in the Live HTTP Headers output. You should be
      able to locate Set-Cookie statements that cause the OAMAuthnCookie, OAM_ID,
      and OHS-host-7780 cookies to expire. Notice that, as discussed in the lesson, there
      is no Set-Cookie statement that causes the ObSSOCookie to expire.
   d. In Firefox, select Tools > Options. The Options dialog box appears. Click Privacy. Click
      Show Cookies. The list of cookies active in your browser session appears.
   e. Locate the ObSSOCookie cookie. This cookie still has a value that references the session
      you had with the Oracle Access Manager server.
   f. Prove that the value in this cookie no longer references an active Oracle Access
      Manager session by typing the following URL in your browser's address bar:
      http://your_host:7779/example/internal/employeeHome.html. You are prompted to
      authenticate to the Oracle Access Manager server. If the session were still active, you
      would not be prompted to authenticate, but would be granted access to the employee
      portal page without authenticating.
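The observations in steps 3 through 7 (loggedoutcontinue before login, a session reference after it, OAMRequestContext expired once authentication completes, OAM_ID reissued when session details change, and a logout that expires every cookie except ObSSOCookie) can be pulled out of a saved Live HTTP Headers file instead of scrolled for by hand. The script below is an added example for this guide; it is neither Oracle's code nor part of the Live HTTP Headers add-on. The capture it parses is constructed to mirror this practice on one host, with placeholder cookie values rather than real session data, and it reads only the Set-Cookie lines, so it also works on a file written with the add-on's Save All button.

```python
"""Summarize Oracle Access Manager cookie activity from a saved Live HTTP Headers capture.

Added example; it is not part of the Oracle course and not code from the Live HTTP
Headers add-on. The capture below is constructed to mirror Practice 6-5 on one host
(ports 7778, 7779, 7780); the cookie values are placeholders, not real session data.
Only the Set-Cookie lines are read, so the functions also work on a file written with
the add-on's Save All button.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed capture: 11g WebGate challenge, login, 10g WebGate visit, mod_osso visit,
# then the logout URL. Request lines and other headers are omitted for brevity.
CAPTURE = """\
HTTP/1.1 302 Moved Temporarily
Set-Cookie: OAMAuthnCookie_your_host.us.oracle.com:7778=loggedoutcontinue; httponly; path=/
Set-Cookie: OAMRequestContext_your_host.us.oracle.com:7778=CTX-constructed-1; httponly; path=/

HTTP/1.1 302 Moved Temporarily
Set-Cookie: OAM_ID=SESSION-REF-constructed-1; path=/; HttpOnly
Set-Cookie: OAMAuthnCookie_your_host.us.oracle.com:7778=AUTHN-REF-constructed-1; httponly; path=/
Set-Cookie: OAMRequestContext_your_host.us.oracle.com:7778=; expires=Thu, 01 Jan 1970 00:00:10 GMT; path=/

HTTP/1.1 302 Moved Temporarily
Set-Cookie: ObSSOCookie=loggedoutcontinue; httponly; path=/

HTTP/1.1 200 OK
Set-Cookie: ObSSOCookie=OBSSO-REF-constructed-1; httponly; path=/
Set-Cookie: OAM_ID=SESSION-REF-constructed-2; path=/; HttpOnly

HTTP/1.1 200 OK
Set-Cookie: OHS-your_host.us.oracle.com-7780=OSSO-REF-constructed-1; path=/

HTTP/1.1 200 OK
Set-Cookie: OAMAuthnCookie_your_host.us.oracle.com:7778=; expires=Thu, 01 Jan 1970 00:00:10 GMT; path=/
Set-Cookie: OAM_ID=; expires=Thu, 01 Jan 1970 00:00:10 GMT; path=/
Set-Cookie: OHS-your_host.us.oracle.com-7780=; expires=Thu, 01 Jan 1970 00:00:10 GMT; path=/
"""

# Fixed reference time so the expiry test is reproducible (assumed; matches the guide's date).
NOW = datetime(2011, 7, 1, tzinfo=timezone.utc)


def parse_set_cookie(line):
    """Split one Set-Cookie header into (name, value, expired).

    A cookie counts as expired when its value is empty, Max-Age is zero or negative, or
    its Expires date (RFC 1123 or the hyphenated Netscape form) lies before NOW.
    """
    raw = line.split(":", 1)[1].strip()
    pair, *attrs = [part.strip() for part in raw.split(";")]
    name, _, value = pair.partition("=")
    expired = value == ""
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                expired = expired or int(val) <= 0
            except ValueError:
                pass
        elif key == "expires":
            try:
                when = parsedate_to_datetime(val)
                if when.tzinfo is None:
                    when = when.replace(tzinfo=timezone.utc)
                expired = expired or when < NOW
            except (TypeError, ValueError):
                pass
    return name, value, expired


def cookie_timeline(capture):
    """Map each cookie name to the ordered list of (value, expired) it was set to."""
    timeline = {}
    for line in capture.splitlines():
        if line.lower().startswith("set-cookie:"):
            name, value, expired = parse_set_cookie(line)
            timeline.setdefault(name, []).append((value, expired))
    return timeline


def short_name(name):
    """Drop the host:port / host-port suffix that WebGate and mod_osso append to cookie names."""
    for prefix in ("OAMAuthnCookie", "OAMRequestContext", "OHS"):
        if name.startswith(prefix + "_") or name.startswith(prefix + "-"):
            return prefix
    return name


def transitions(timeline, prefix):
    """Values one cookie took over the capture; an expiring Set-Cookie shows as <expired>."""
    for name, events in timeline.items():
        if short_name(name) == prefix:
            return ["<expired>" if expired else value for value, expired in events]
    return []


def still_set_after_logout(timeline):
    """Cookies whose last Set-Cookie did not expire them. After a logout, these are the gaps."""
    return sorted(short_name(n) for n, events in timeline.items() if not events[-1][1])


if __name__ == "__main__":
    tl = cookie_timeline(CAPTURE)
    for cookie in ("OAMRequestContext", "OAMAuthnCookie", "OAM_ID", "ObSSOCookie", "OHS"):
        print(f"{cookie:18} {' -> '.join(transitions(tl, cookie))}")
    print("not expired by logout:", still_set_after_logout(tl))
```

On a real capture, replace CAPTURE with the saved file's text and set NOW to the time of the capture; the last report line is the one to read after step 7c, since it lists exactly the cookies the logout left in place, which on this deployment is the ObSSOCookie that step 7f then shows is no longer honoured by the server.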


Practice 6-6: Using the Session Management Utility
Overview
In this practice, you use the Oracle Access Manager console's session management utility to
view active user sessions and to terminate a user's session.

Assumptions
- You have completed all previous practices successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Clear cookies and cache and restart the browser.
2. Start the Oracle Access Manager console by navigating to the following URL:
   http://your_host:7001/oamconsole. Log in as user Vishal.Parashar with password
   Welcome1.
3. Navigate to the Session Management page:
   a. Select the System Configuration tab and navigate to System Utilities > Session
      Management.
   b. Double-click Session Management. The Session Management page appears in the
      right window pane.
4. Type Vishal.Parashar in the Username field and click the arrow to the right of the
   Username field. Details of the session for the Vishal.Parashar user appear in the
   session list.
   Note: The session for the Vishal.Parashar user was created when you logged in to the
   console. If you were not using the IDM Domain Agent to protect console logins, Oracle
   Access Manager sessions would not be created for console logins.
5. Start the Internet Explorer browser.
   Note: Do not make this browser the default browser.
6. Navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example.
7. Click Employees. The Example Bakery login page appears. Log in as user
   David.Goldsmith with password Welcome1. Click the option to not remember any more
   passwords. The employee portal appears.
8. Return to the Session Management page displayed in the Firefox browser. Type
   David.Goldsmith in the Username field and click the arrow to the right of the Username
   field. Details of the session for the David.Goldsmith user appear in the session list.

9. Multiple sessions might exist for the David.Goldsmith user because some sessions
   were created earlier that were not logged out. If multiple sessions exist, use the Creation
   Time field to locate the most recently created session.
10. Highlight the most recently created session for the David.Goldsmith user and click
    Delete (the X icon). Click Yes in the Confirm Delete dialog box.
11. Return to the Internet Explorer browser window and click Employees. You are prompted to
    authenticate because your session was terminated by administrative action.
12. Close the Internet Explorer browser.
13. Return to the Session Management page displayed in the Firefox browser. Type
    Vishal.Parashar in the Username field and click the arrow to the right of the Username
    field. Details of the session for the Vishal.Parashar user appear in the session list.
14. Highlight the session for the Vishal.Parashar user and click Delete. Click Yes in the
    Confirm Delete dialog box. The login screen appears because you just terminated the
    Vishal.Parashar user's console login session.


Practice 6-7: Examining a Multi-Browser Scenario


Overview
In this practice, you log in to the Example Bakery Web site on Internet Explorer; then attempt to
access the site on Firefox to determine whether single sign-on works across browsers.

Assumptions

You have completed all previous practices successfully.


You perform this practice on your Windows lab system.

Tasks
1.
2.
3.

Start the Internet Explorer browser.


Navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example.
Click Employees. The Example Bakery login page appears. Log in as user
Vishal.Parashar with password Welcome1. The employee portal appears.
4. Clear cookies and cache for the Firefox browser, then restart the Firefox browser.
5. By using the Firefox browser, navigate to the Example Bakery home page,
http://your_host.us.oracle.com:7778/example. Click Employees. Even though you
authenticated to the Oracle Access Manager server when you used Internet Explorer, you
are forced to authenticate again when using Firefox. Log in as user Vishal.Parashar
with password Welcome1. The employee portal appears.
6. Press Ctrl + T to open a second tab page in the Firefox browser.
7. Start the Oracle Access Manager console in the second tab page in the Firefox browser by
navigating to the following URL: http://your_host:7001/oamconsole. Notice that you are not
required to authenticate to access the console, because the Vishal.Parashar user
already has an active login session on the Firefox browser.
8. Do the same exercise as Step 7 by using Ctrl + N to open a new Firefox window; that is, try
to access the OAM console. You do not need to authenticate again.
9. Do the same exercise as Step 7 by opening a new Firefox window by using the Firefox icon
on the desktop; that is, try to access OAM console. You do not need to authenticate again.
10. Navigate back to the Internet Explorer browser. Press Ctrl + N to open a new Internet
Explorer window. Perform steps 2 and 3. Notice that you do not get challenged to log in
again.
11. Start a new Internet Explorer browser by using the Internet Explorer icon on the desktop.
Perform steps 2 and 3. Notice that you do get challenged to log in.
This goes to show that session management also depends on browser type and browser
version.


12. On the Firefox browser, navigate to the Session Management page:


a. Select the System Configuration tab and navigate to System Utilities > Session
Management.
b. Double-click Session Management. The Session Management page appears on the
right window pane.
13. Type Vishal.Parashar in the Username field and click the arrow to the right of the
Username field. Details of the sessions for the Vishal.Parashar user appear in the
session list. There should be two sessions: one for the session on the Firefox browser, and
the second for the session on the Internet Explorer browser.
14. Leave the Oracle Access Manager console open for the next practice.


Practice 6-8: Constraining the Number of User Sessions


Overview
In this practice, you constrain the number of active sessions to one. Then you attempt to start
two concurrent Oracle Access Manager sessions, and observe the results.
At the end of this practice, you restore the number of active sessions allowed to the default
value, eight.

Assumptions
- You have completed all previous practices successfully.
- You perform this practice on your Windows lab system.
- The Oracle Access Manager console is open and you are logged in to the console as user Vishal.Parashar.

Tasks
1. Navigate to the Server Common Properties page in the console:
   a. Select the System Configuration tab and navigate to Server Instances > oam_server1.
   b. Double-click oam_server1. The oam_server1 page appears in the right window pane.
   c. Click the Server Common Properties link in the right window pane. The OAM Server Common Properties page appears.
2. Click the Session tab. The session properties appear.
3. Set the Maximum Number of Sessions per User to the value 1.
4. Click Apply.
   Note: With session constraints in effect, it is extremely important that you follow the instructions exactly as they are written for the rest of this practice. You will need an available session for user Vishal.Parashar to log in to the Oracle Access Manager server to reset the session constraint, and if you follow the instructions as provided, a session will be available.
5. Return to the Session Management page. Refresh the session list for the user Vishal.Parashar. This user should still have two active sessions, even though the maximum number of sessions per user has been set to 1. The session constraint applies only to newly created sessions.
6. Click Delete All User Sessions, then click Yes to respond to the confirmation dialog box. Because you just deleted your Oracle Access Manager console login session, you are automatically logged out of the console.
7. Clear cookies and cache and restart the Firefox browser.
8. Restart the Internet Explorer browser.
9. In the Internet Explorer browser, navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example. Click Employees. The Example Bakery login page appears. Log in as user David.Goldsmith with password Welcome1. Be sure to log in as user David.Goldsmith and not as user Vishal.Parashar. The employee portal appears.
10. In the Firefox browser, navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example. Click Employees. The Example Bakery login page appears.
11. Authenticate as user David.Goldsmith. Again, be sure to log in as user David.Goldsmith and not as user Vishal.Parashar. The message, The user has already reached maximum allowed number of sessions, appears because of the session constraint you set.
12. Start the Oracle Access Manager console in the Firefox browser by navigating to the following URL: http://your_host:7001/oamconsole. Log in as user Vishal.Parashar with password Welcome1.
13. Restore the Maximum Number of Sessions per User to the value 8. Do not forget to click Apply after you have changed the value in the Maximum Number of Sessions per User field.
    Note: It is extremely important that you complete the preceding step correctly. Subsequent practices depend on the availability of multiple sessions per user. If you are not sure that you have performed this step correctly, ask your instructor.
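The behaviour this practice demonstrates, replayed in code as an added example (this is not code from the Oracle course or from the Oracle Access Manager product): a small in-memory session store whose per-user limit is checked only when a new session is created, so lowering the limit leaves existing sessions in place, a further login is refused with the message quoted in the practice, and an administrator's Delete All User Sessions frees the user again. The SessionStore class, the browser labels and the scenario function are constructed for this example.

```python
"""Per-user session cap, as observed in the session-constraint practice.

Added example, not part of the Oracle course or product. The limit is applied
only when a session is created: existing sessions survive a lowered limit,
and an administrator deleting all of a user's sessions frees the user again.
User names and browser labels are constructed; the rejection message is the
one quoted in the practice.
"""
from dataclasses import dataclass
import itertools

MAX_SESSIONS_EXCEEDED = "The user has already reached maximum allowed number of sessions"


class SessionLimitError(Exception):
    """Raised when a login would exceed the per-user session limit."""


@dataclass
class Session:
    session_id: str
    user: str
    client: str  # browser label, constructed for the example


class SessionStore:
    def __init__(self, max_sessions_per_user=8):  # 8 is the default named in the practice
        self.max_sessions_per_user = max_sessions_per_user
        self._sessions = {}
        self._ids = itertools.count(1)

    def set_max_sessions_per_user(self, limit):
        # Only the limit changes; nothing is evicted. The constraint applies
        # to newly created sessions only, as the practice points out.
        self.max_sessions_per_user = limit

    def sessions_for(self, user):
        return [s for s in self._sessions.values() if s.user == user]

    def login(self, user, client):
        # Enforcement point: refuse a new session once the user already holds
        # max_sessions_per_user sessions; existing sessions are never counted down.
        if len(self.sessions_for(user)) >= self.max_sessions_per_user:
            raise SessionLimitError(MAX_SESSIONS_EXCEEDED)
        session = Session(f"sess-{next(self._ids)}", user, client)
        self._sessions[session.session_id] = session
        return session

    def delete_all_user_sessions(self, user):
        """The console's Delete All User Sessions action; returns how many were removed."""
        doomed = [s.session_id for s in self.sessions_for(user)]
        for session_id in doomed:
            del self._sessions[session_id]
        return len(doomed)


def run_practice_scenario():
    """Replay the practice's sequence of actions and record what is observed."""
    store = SessionStore(max_sessions_per_user=8)
    observed = {}

    # Vishal.Parashar starts with two sessions (Internet Explorer and Firefox).
    store.login("Vishal.Parashar", "Internet Explorer")
    store.login("Vishal.Parashar", "Firefox")

    # Lower the limit to 1: both existing sessions remain.
    store.set_max_sessions_per_user(1)
    observed["sessions_after_lowering_limit"] = len(store.sessions_for("Vishal.Parashar"))

    # Delete All User Sessions for Vishal.Parashar.
    observed["sessions_deleted"] = store.delete_all_user_sessions("Vishal.Parashar")

    # David.Goldsmith logs in once, then tries from a second browser.
    store.login("David.Goldsmith", "Internet Explorer")
    try:
        store.login("David.Goldsmith", "Firefox")
        observed["second_login"] = "allowed"
    except SessionLimitError as err:
        observed["second_login"] = str(err)

    # Vishal.Parashar still has a session available, logs in to the console
    # and restores the limit to the default.
    store.login("Vishal.Parashar", "Firefox")
    store.set_max_sessions_per_user(8)
    observed["limit_restored"] = store.max_sessions_per_user
    observed["goldsmith_sessions"] = len(store.sessions_for("David.Goldsmith"))
    return observed


if __name__ == "__main__":
    for key, value in run_practice_scenario().items():
        print(f"{key}: {value}")
```

The point to take from the replay is the one the practice warns about: after the limit is lowered, the administrator is protected only by a session that was created before the change or by the slot freed when all sessions are deleted, so the order of the steps matters.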


Practices for Lesson 7


Chapter 7


Practices for Lesson 7


Practices Overview
These practices illustrate the use of the Oracle Access Manager identity assertion provider.
With the Oracle Access Manager identity assertion provider deployed in a WebLogic domain,
applications running in that domain can use Oracle Access Manager as the perimeter
authenticator; then, as part of authentication, have the Oracle Access Manager server assert
the username, so that the application can retrieve the username and use it as needed.
You start these practices by reviewing a sample application that uses HTTP basic
authentication: one of the authentication mechanisms built in to all J2EE Web containers. Then
you deploy the application and run it. The Web container handles application security, and the
application can retrieve the username, but single sign-on is not available.
Then you modify the sample application so that it no longer uses HTTP basic authentication, but
instead specifies a mechanism that enables an external authenticator. You configure the OHS
instance on which the 11g WebGate is installed to serve the sample application, thus allowing
the WebGate to protect the sample application. Then you configure the security realm in
WebLogic Server to use the Oracle Access Manager identity assertion provider.
When you test the sample application after performing these steps, you observe the following:
- The Oracle Access Manager server collects users' credentials and authenticates users.
- The Oracle Access Manager identity assertion provider makes the username available to the application.
- Single sign-on is available for the user.


Practice 7-1: Deploying the Sample Application


Overview
In this practice, you review the security configuration in your WebLogic domain.
Then you review code in the sample jee application and deploy the application on the
WebLogic administration server.
Although the sample application is written in Java, you do not need to know Java to complete
this practice.
Note: In a production environment, it is not a best practice to deploy end-user applications on
the WebLogic administration server. You do so in this practice only for convenience in the
classroom environment.

Assumptions
- You have completed Practices 3 through 6 successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Log in to the WebLogic Server administration console as the weblogic user. The password is Welcome1.
2. Review the security configuration in the myrealm security realm:
   a. Select oam_domain > Security Realms from the Domain Structure pane. The Summary of Security Realms page appears on the right side of the console window.
   b. Select the myrealm security realm. The Settings for the My Realm page appear.
   c. Click the Providers tab. The Authentication Providers page appears.
   d. Observe that the OIDAuthenticator and DefaultAuthenticator providers appear in the list:
      - You added the OIDAuthenticator provider in a previous practice so that users could authenticate to Oracle Internet Directory.
      - The DefaultAuthenticator provider, which enables user authentication to the WebLogic Server embedded LDAP server, is configured in security realms by default.
3. Open the D:\Labs\Lesson07\jee\WEB-INF\source\Servlet1.java file with the WordPad text editor.
4. Locate the following line in the file:
      out.println("<p>The servlet has received a GET. This is the reply for " + request.getRemoteUser() + ".</p>");
   The println method writes text to a dynamically generated HTML page. It writes the text, The servlet has received a GET. This is the reply for, followed by a variable. The value of the variable is generated by the getRemoteUser method, which is a method in the HttpServletRequest class. The getRemoteUser method returns the username of the user who has authenticated to the system.
   When you run the sample application, a line with the above text, followed by the username with which you authenticated, appears on the screen.
5. Close the D:\Labs\Lesson07\jee\WEB-INF\source\Servlet1.java file.
6. Deploy the sample jee application:
   a. Click Lock and Edit in the Change Center pane.
   b. Select oam_domain > Deployments from the Domain Structure pane. The Summary of Deployments page appears on the right side of the console window. Click Install.
   c. The Locate deployment to Install and prepare for deployment form appears. Navigate to the path, d:\Labs\Lesson07\jee, and make sure that in the Current Location field, the button to the left of the value jee is selected. Click Next.
   d. The Choose targeting style form appears. Select Install this deployment as an application and click Next.
   e. The Select deployment targets form appears. Select the AdminServer target. Click Next.
   f. The Optional Settings form appears. Click Finish.
   g. The Summary of Deployments page reappears. The jee application should appear in the list with the Distribute Initializing status.
   h. Click Activate Changes in the Change Center pane. The jee application's status changes to Prepared.
   i. Select the check box next to the jee application. Click Start > Servicing All Requests, then click Yes. The Summary of Deployments page reappears. Verify that the status of the jee application is Active.


Practice 7-2: Reviewing HTTP Basic Authentication in the Sample Application

Overview
In this practice, you examine the deployment descriptors in the sample application. Then you
run the sample application and observe its behavior.

Assumptions
- You have completed all previous practices successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Open the D:\Labs\Lesson07\jee\WEB-INF\web.xml file with the WordPad text editor.
2. Locate the following line in the file:
      <auth-method>BASIC</auth-method>
   The <auth-method> statement specifies the HTTP basic authentication method. The HTTP basic authentication method displays a dialog box to collect the username and password.
   When you modify the jee application to use an identity assertion provider in a subsequent practice, you will change the <auth-method> statement.
3. Review the <security-constraint> and <security-role> sections of the web.xml file. These sections, required for the HTTP basic authentication method, describe how the application should be protected. Application security is defined as follows:
   - <security-constraint> section: HTTP GET, POST, DELETE, PUT, HEAD, OPTIONS, and TRACE operations on the URL, /servlet1, are permitted for users in the all-authenticated-users role.
   - <security-role> section: The only role used by the Web application is the all-authenticated-users role.
   Note: The weblogic.xml file maps the all-authenticated-users role named in the web.xml file to the users group in the WebLogic Server security domain. The users group is a default WebLogic Server group containing all users who have been authenticated. The users group does not appear in the WebLogic console.
4. Close the D:\Labs\Lesson07\jee\WEB-INF\web.xml file.
5. Clear cookies, cache, and active logins; then close your browser, and restart the browser.
6. Run the jee sample application deployed to the administration server. Enter the following URL in a browser: http://your_host.us.oracle.com:7001/jee/servlet1.
   The HTTP basic authentication dialog box appears.
7. Log in as user weblogic with password Welcome1.
   The following message appears on the screen: The servlet has received a GET. This is the reply for weblogic.
   The weblogic user is present in the WebLogic embedded LDAP database. Therefore, WebLogic Server uses the DefaultAuthenticator provider for authentication.
   The getRemoteUser method returned the name of the user who has authenticated to the system: the weblogic user.
8. Review browser cookies:
a. In Firefox, select Tools > Options. The Options dialog box appears.
b. Click Privacy.
c. Click Show Cookies. The Cookies dialog box appears.
d. Expand the Site node in the Cookies dialog box. Verify that no cookies associated with
Oracle Access Manager single sign-on are present.
Note: You should see only the JSESSIONID cookie.
e. Close the Cookies and Options dialog boxes.
9. Clear cookies, cache, and active logins; then close your browser, and restart the browser.
10. Run the jee sample application again by entering the URL,
http://your_host.us.oracle.com:7001/jee/servlet1.
11. Log in as user David.Goldsmith with password Welcome1.
The following message appears on the screen: The servlet has received a GET. This is the
reply for David.Goldsmith.
The David.Goldsmith user is present in the Oracle Internet Directory database.
Therefore, WebLogic Server uses the OIDAuthenticator provider for authentication.
The getRemoteUser method returned the name of the user who has authenticated to the
system: the David.Goldsmith user.
12. Review browser cookies. Verify that no cookies associated with Oracle Access Manager
single sign-on are present (you should see only the JSESSIONID cookie).


Practice 7-3: Preparing the Sample Application for Authentication by Oracle Access Manager

Overview
In this practice, you modify the sample application so that it will work with the Oracle Access
Manager identity assertion provider after you deploy that provider in a subsequent practice.
After modifying the sample application, you redeploy the application on the WebLogic
administration server.

Assumptions
- You have completed all previous practices successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Modify the jee sample application's deployment descriptor:
   a. Make a backup copy of the D:\Labs\Lesson07\jee\WEB-INF\web.xml file. Name the backup file web.xml.sav (using Ctrl + C and Ctrl + V for the web.xml file in the same directory).
   b. Open the D:\Labs\Lesson07\jee\WEB-INF\web.xml file with the WordPad text editor.
   c. Remove the following sections from the D:\Labs\Lesson07\jee\WEB-INF\web.xml file:
      - The section starting with the <security-constraint> tag and ending with the </security-constraint> tag
      - The section starting with the <security-role> tag and ending with the </security-role> tag
   d. Change the authentication method. Modify the line with the <auth-method> tag to have the following content: <auth-method>CLIENT-CERT</auth-method>. Specifying the value, CLIENT-CERT, in the <auth-method> tag triggers WebLogic Server to use an external authentication method determined by the WebLogic Server security domain.
   e. Verify that the D:\Labs\Lesson07\jee\WEB-INF\web.xml file has the following content:
      <?xml version = '1.0' encoding = 'UTF-8'?>
      <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
               version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
        <servlet>
          <servlet-name>Servlet1</servlet-name>
          <servlet-class>jee.Servlet1</servlet-class>
        </servlet>
        <servlet-mapping>
          <servlet-name>Servlet1</servlet-name>
          <url-pattern>/servlet1</url-pattern>
        </servlet-mapping>
        <login-config>
          <auth-method>CLIENT-CERT</auth-method>
          <realm-name>myrealm</realm-name>
        </login-config>
      </web-app>
   f. Save and close the D:\Labs\Lesson07\jee\WEB-INF\web.xml file.
2. Rename the D:\Labs\Lesson07\jee\WEB-INF\weblogic.xml file to weblogic.xml.sav.
   The content in the weblogic.xml file is no longer needed in the deployment descriptor because of your modifications to the web.xml file. By renaming the weblogic.xml file to weblogic.xml.sav, you ensure that it is not used when you redeploy the jee application.
3. Log in to the WebLogic Server administration console as the weblogic user. The password is Welcome1.
4. Redeploy the jee sample application:
   a. Click Lock and Edit in the Change Center pane.
   b. Select oam_domain > Deployments from the Domain Structure pane. The Summary of Deployments page appears on the right side of the console window.
   c. Locate the entry for the jee application in the list of deployed applications.
   d. Select the check box to the left of the entry for the jee application.
   e. Click Update. The Update Application Assistant appears.
   f. Click Finish.
   g. Click Activate Changes in the Change Center pane.
   h. The status of the jee application should be Active.
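A mechanical check for the descriptor change made in Practices 7-2 and 7-3, as an added example (this is not code from the Oracle course or from the sample jee application): a parser for the Java EE web.xml that reports the login method, the <security-constraint> entries and the <security-role> entries, so the BASIC descriptor with container-managed access control can be compared with the CLIENT-CERT descriptor that delegates authentication to the WebGate. The "after" document is the web.xml listed in Practice 7-3; the "before" document is constructed here from Practice 7-2's description of the original file (its <web-resource-name> is assumed). The function names are the example's own.

```python
"""Summarise the security-relevant parts of a Java EE web.xml.

Added example, not part of the Oracle course or the sample application.
AFTER_WEB_XML is the descriptor listed in the practice; BEFORE_WEB_XML is
constructed from the practice's description of the original file.
"""
import xml.etree.ElementTree as ET

JAVAEE_NS = {"j": "http://java.sun.com/xml/ns/javaee"}


def _texts(parent, path):
    return [(e.text or "").strip() for e in parent.findall(path, JAVAEE_NS)]


def summarize_web_xml(xml_text):
    """Return the login method, security constraints and declared roles as plain data."""
    # Encode to bytes so the XML declaration's encoding attribute is honoured by expat.
    root = ET.fromstring(xml_text.encode("utf-8"))
    auth_method = root.findtext("j:login-config/j:auth-method", namespaces=JAVAEE_NS)
    constraints = [
        {
            "url_patterns": _texts(sc, "j:web-resource-collection/j:url-pattern"),
            "http_methods": _texts(sc, "j:web-resource-collection/j:http-method"),
            "roles": _texts(sc, "j:auth-constraint/j:role-name"),
        }
        for sc in root.findall("j:security-constraint", JAVAEE_NS)
    ]
    return {
        "auth_method": (auth_method or "").strip() or None,
        "constraints": constraints,
        "roles": _texts(root, "j:security-role/j:role-name"),
    }


def delegates_authentication(summary):
    """True when the descriptor matches the end state of Practice 7-3: CLIENT-CERT
    login with no container-managed constraints or roles left behind."""
    return (summary["auth_method"] == "CLIENT-CERT"
            and not summary["constraints"]
            and not summary["roles"])


_HEAD = """<?xml version = '1.0' encoding = 'UTF-8'?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>Servlet1</servlet-name>
    <servlet-class>jee.Servlet1</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Servlet1</servlet-name>
    <url-pattern>/servlet1</url-pattern>
  </servlet-mapping>
"""

# Constructed "before" descriptor: HTTP methods, URL and role as described in
# Practice 7-2; the <web-resource-name> value is an assumption.
_METHODS = ["GET", "POST", "DELETE", "PUT", "HEAD", "OPTIONS", "TRACE"]
BEFORE_WEB_XML = _HEAD + """  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Servlet1</web-resource-name>
      <url-pattern>/servlet1</url-pattern>
""" + "".join(f"      <http-method>{m}</http-method>\n" for m in _METHODS) + """    </web-resource-collection>
    <auth-constraint>
      <role-name>all-authenticated-users</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
  <security-role>
    <role-name>all-authenticated-users</role-name>
  </security-role>
</web-app>
"""

# The "after" descriptor, as listed in Practice 7-3.
AFTER_WEB_XML = _HEAD + """  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
</web-app>
"""

if __name__ == "__main__":
    for label, doc in (("before", BEFORE_WEB_XML), ("after", AFTER_WEB_XML)):
        summary = summarize_web_xml(doc)
        print(label, summary, "delegates:", delegates_authentication(summary))
```

Run against the real file before redeploying: a descriptor that still carries a <security-constraint> after the switch to CLIENT-CERT would make the container enforce role checks against a user it never authenticated, which is the kind of half-applied edit the practice's "verify the file has the following content" step is meant to catch.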


Practice 7-4: Configuring the OHS Instance Protected by the 11g WebGate to Access the Sample Application

Overview
In this practice, you modify the mod_wl_ohs.conf file of the Oracle HTTP Server instance on
which the 11g WebGate is installed. The modifications provide 11g WebGate protection for the
sample jee application.
After modifying the mod_wl_ohs.conf file, you restart the OHS instance to make the changes
take effect.
Then you execute the sample application to verify that the sample application is protected by
the 11g WebGate.

Assumptions
- You have completed all previous practices successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Open the D:\Middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\mod_wl_ohs.conf file with the WordPad text editor.
2. Add the following text at the end of the file:
      <Location /jee>
        SetHandler weblogic-handler
      </Location>
3. Save and close the D:\Middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\mod_wl_ohs.conf file.
4. Execute the following commands to stop and start the OHS instance protected by the 11g WebGate:
      cd d:\Middleware\ohs_home\instances\ohs_webgate11g\bin
      opmnctl stopall
      opmnctl startall
5. Clear cookies, cache, and active logins; then close your browser, and restart the browser.
6. Run the jee sample application deployed to the administration server, but protected by the Oracle Access Manager 11g WebGate. Enter the following URL in a browser: http://your_host.us.oracle.com:7778/jee/servlet1.
   The Example Bakery login page appears, demonstrating that the sample application is now protected by the 11g WebGate.
7. Log in as user David.Goldsmith with password Welcome1.
   The following message appears on the screen: The servlet has received a GET. This is the reply for null.
   The application is unable to determine that you logged in as the David.Goldsmith user. Deployment of the identity assertion provider in the next practice lets the application determine the username of the authenticating user when an external authentication mechanism is used.
8. Review browser cookies. Verify that cookies associated with Oracle Access Manager single sign-on are present.


Practice 7-5: Configuring WebLogic Server to Use the Oracle Access Manager Identity Assertion Provider

Overview
In this practice, you configure the WebLogic Server security realm to use the Oracle Access
Manager identity assertion provider. Once this provider is added to the configuration, you rerun
the sample application to demonstrate the results.

Assumptions
- You have completed all previous practices successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Log in to the WebLogic Server administration console as the weblogic user. The password is Welcome1.
2. Click Lock and Edit in the Change Center pane. Note: If Lock and Edit is disabled, click Release Configuration before you click Lock and Edit.
3. Select oam_domain > Security Realms from the Domain Structure pane. The Summary of Security Realms page appears on the right side of the console window.
4. Select the myrealm security realm. The Settings for the My Realm page appear.
5. Add an OAM identity assertion provider as an authentication provider:
   a. Click the Providers tab. The Authentication Providers page appears.
   b. Click New. The Create a New Authentication Provider page appears. Fill in the fields in the Create a New Authentication Provider page as follows:
         Field    Choices or Values
         Name     OAM Identity Assertion Provider
         Type     OAMIdentityAsserter
   c. Click OK. The Authentication Providers page reappears. The OAM Identity Assertion Provider authentication provider appears in the list of authentication providers.
6. Configure the OAM identity assertion provider to recognize the OAM_REMOTE_USER HTTP header variable:
   a. Select the OAM Identity Assertion Provider authentication provider. The Settings for OAM Identity Assertion Provider page appears.
   b. Locate the OAM_REMOTE_USER entry under Active Types > Available.
   c. Select the check box for the OAM_REMOTE_USER entry.
   d. Click the arrow to move the OAM_REMOTE_USER entry from the Available column to the Chosen column.
   e. Verify that the OAM_REMOTE_USER and ObSSOCookie entries are in the Chosen column.
   f. Click Save. The message, Settings updated successfully, appears at the top of the Settings for OAM Identity Assertion Provider page.
   g. Click Activate Changes in the Change Center pane. The message, All changes have been activated. However 2 items must be restarted for the changes to take effect, appears at the top of the Settings for OAM Identity Assertion Provider page.
   h. In the Change Center pane, click View Changes and Restarts. The Changes and Restarts page appears on the right side of the console window.
   i. Select the Restart Checklist tab. The AdminServer and oam_server1 servers are listed.
7. Shut down the oam_server1 and AdminServer servers:
   a. Select oam_domain > Environment > Servers in the Domain Structure pane. The Summary of Servers page appears on the right side of the console window.
   b. Select the Control tab.
   c. Select the check boxes for oam_server1 and AdminServer.
   d. Click Shutdown > Force Shutdown Now.
   e. Click Yes in response to the confirmation page.
8. Start the administration server:
   a. Open a Windows Explorer window to the d:\Middleware\user_projects\domains\oam_domain directory.
   b. Double-click the startWebLogic.cmd file to start the WebLogic administration server. When prompted to enter the username, type weblogic, then press Enter. When prompted to enter the password, type Welcome1, then press Enter.
      Note: If the WebLogic administration server has not yet shut down completely, the administration server startup window closes without prompting you for a user ID. Wait several seconds; then try starting the administration server again.
   c. Observe the messages in the administration server startup window. Startup is complete when the Server started in RUNNING mode message appears.
9. Start the oam_server1 server:
   a. Start the WebLogic console and log in as the weblogic user.
   b. Select oam_domain > Environment > Servers in the Domain Structure pane. The Summary of Servers page appears on the right side of the console window.
   c. Select the Control tab.
   d. Select the check box for the oam_server1 server.
      Note: Make sure the node manager is running before you start the managed server from the OAM admin console. Start the node manager by double-clicking d:\middleware\wls_home\server\bin\startNodeManager.cmd.
   e. Click Start.
   f. Click Yes in response to the confirmation page.
   g. Click the Refresh icon, which appears above the text Customize this table. Observe the values in the State column for the two servers. When the values change to RUNNING, server restart is complete.
   h. Click the Refresh icon to end the page refresh behavior.
10. Clear cookies, cache, and active logins; then close your browser, and restart the browser.
11. Run the jee sample application deployed to the administration server and protected by the Oracle Access Manager 11g WebGate. Enter the following URL in a browser: http://your_host.us.oracle.com:7778/jee/servlet1.
    The Example Bakery login page appears.
12. Log in as user David.Goldsmith with password Welcome1.


The following message appears on the screen: The servlet has received a GET. This is the
reply for David.Goldsmith.
With the identity assertion provider active, the application is now able to determine that you
logged in as the David.Goldsmith user.
13. Review browser cookies. Verify that cookies associated with Oracle Access Manager single
sign-on are present.


Practice 7-6: Resetting Your Lab System


Overview
In this practice, you reset your lab system so that the changes you made to the WebLogic
Server configuration do not impact subsequent labs.

Assumptions
- You have completed all previous practices successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Remove the OAM Identity Assertion Provider authentication provider from the WebLogic Server configuration:
   a. Start the WebLogic console and log in as the weblogic user.
   b. Click Lock and Edit in the Change Center pane.
   c. Select oam_domain > Security Realms from the Domain Structure pane. The Summary of Security Realms page appears on the right side of the console window.
   d. Select the myrealm security realm. The Settings for the My Realm page appear.
   e. Select the Providers tab. The Authentication Providers page appears.
   f. Select the check box for the OAM Identity Assertion Provider authentication provider.
   g. Click Delete, then click Yes to confirm deletion. The message, Selected Authentication Providers have been deleted, appears at the top of the page.
   h. Click Activate Changes in the Change Center pane. The message, All changes have been activated. However 2 items must be restarted for the changes to take effect, appears at the top of the Settings for the My Realm page.
2. Restart the AdminServer and oam_server1 servers. If you are not certain how to restart the servers, refer to the tasks in the previous practices.


Practices for Lesson 8


Chapter 8


Practices for Lesson 8


Practices Overview
In these practices, you configure the auditing and logging capabilities of Oracle Access
Manager, examine files, and run reports.
You configure Oracle Access Manager auditing as follows:
- Capture more auditing information
- Write audit records to an Oracle Database instead of to a flat file

After you perform these configuration tasks, you configure a pre-installed instance of Oracle
Business Intelligence Publisher (Oracle BI Publisher) to run Oracle Access Manager reports.
Then you run a sample report.
For logging, you examine the default logging configuration and examine logging output when
the default configuration is in effect. Then you increase the logging level so that debug-level
logging records are produced, and examine the output. At the end of these practices, you reset
the logging level to the default level.


Practice 8-1: Changing the Audit Filter Preset


Overview
In this practice, you examine the level of audit output produced when the default Oracle Access
Manager settings are in effect. Then you change the settings, take actions in Oracle Access
Manager to generate several audit records, and examine the changes to the output.

Assumptions
- You have completed Practices 3 through 7 successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Verify that the Oracle Access Manager auditing system is capturing only very high-level system events:
   a. Open the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\auditlogs\OAM\audit.log file with any text editor and examine the output. By default, the Oracle Access Manager server writes audit records to this file.
   b. Review the audit records in the audit.log file. You should see only records with the ServerStartup and ServerShutDown event types.
2. Change the audit filter preset level from Low to All:
   a. Log in to the Oracle Access Manager console as user Vishal.Parashar. The password is Welcome1.
   b. Select the System Configuration tab.
   c. Navigate to Server Instances > oam_server1.
   d. Double-click oam_server1. The oam_server1 page appears in the right window pane.
   e. Click Server Common Properties in the right window pane. The OAM Server Common Properties page appears.
   f. Select the Audit Configuration tab.
   g. Change the value of the Filter Preset field from Low to All.
   h. Click Apply.
   i. Log out of the Oracle Access Manager console.
3. After you change the auditing configuration, you must restart both the WebLogic administration server and the managed server instance that runs the Oracle Access Manager server before the changes take effect. Restart the server instances on your lab system.
4. Generate an audit record by accessing the Example Bakery employee portal, which requires user authentication:
   a. Clear cookies and cache and restart the browser.
   b. Navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example.
   c. Click Employees. The Example Bakery login page appears.
   d. Log in as user David.Goldsmith with password Welcome1. The employee portal appears.
5. Verify that the Oracle Access Manager server auditing system captures more information after you change the audit filter preset:
   a. Open the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\auditlogs\OAM\audit.log file with any text editor and examine the output.
   b. Review the audit records in the audit.log file. The file should now contain records with event types other than the ServerStartup and ServerShutDown event types; for example, the Authentication, CredentialValidation, SessionCreation, and Login event types.
   c. Navigate to the central logout page, http://your_host.us.oracle.com:7778/logout1.html.
   d. Verify that SessionDestroy and Logout events were written to the audit.log file.


Practice 8-2: Configuring the Oracle Access Manager Server to Write Audit Log Records to an Oracle Database
Overview
In this practice, you configure the OAM server to write audit log records to the Oracle Database on your Linux lab system.
At the end of this practice, you take actions in Oracle Access Manager that generate several
audit records and review the content in the Oracle Database.

Assumptions

You have completed all previous practices successfully.


You perform this practice on your Windows and Linux lab systems. Because you use
both lab systems in this practice, the practice explicitly tells you which lab system you
need to use when performing tasks.

Tasks
1. Verify that the Oracle Database tables that are used to hold Oracle Access Manager server audit records are empty. Perform the following steps on your Linux lab system as the oracle user:
a. If necessary, open a terminal window on the system.
b. Set the environment variables required to run the sqlplus utility:
ORACLE_HOME=/u01/app/oracle/product/11.2.0.1/db_1
export ORACLE_HOME
ORACLE_SID=orcl
export ORACLE_SID
c. Start the sqlplus utility:
cd $ORACLE_HOME/bin
./sqlplus
Note: If the error message, ORA-27101: shared memory realm does not exist, appears, you might have defined the ORACLE_HOME environment variable incorrectly. The ORACLE_HOME environment variable must not have a slash (/) at the end of its value. To correct the problem, terminate the sqlplus utility, re-execute the command to set the ORACLE_HOME environment variable, and re-execute the sqlplus utility.
d. Log in to the sqlplus utility as the DEV_IAU user with password Welcome1. When you ran the Repository Creation Utility (RCU) to initialize tables used by Oracle Fusion Middleware, the RCU created the DEV_IAU user and the schema for the tables used by audit logging.
e. Execute the select command to display a list of tables created by the RCU:
SQL> select TABLE_NAME from USER_TABLES;


The list of tables created when you ran RCU in a previous practice appears in the
terminal window:
TABLE_NAME
------------------------------
IAU_BASE
WEBCACHECOMPONENT
OVDCOMPONENT
OIDCOMPONENT
OWSM_PM_EJB
OWSM_AGENT
DIP
OHSCOMPONENT
JPS
ADMINSERVER
REPORTSSERVERCOMPONENT

TABLE_NAME
------------------------------
WEBSERVICES
WS_POLICYATTACHMENT
OIF
OAAM
OAM
IAU_DISP_NAMES_TL
IAU_LOCALE_MAP_TL
18 rows selected.
f. The IAU_BASE table is the table to which the audit framework writes audit records. Execute the describe command to show the names of the IAU_BASE table's columns:
SQL> describe IAU_BASE;
The column names and their data types appear in the terminal window:
Name                               Null?    Type
---------------------------------- -------- ----------------------------
IAU_ID                                      NUMBER
IAU_ORGID                                   VARCHAR2(255)
IAU_COMPONENTID                             VARCHAR2(255)
IAU_COMPONENTTYPE                           VARCHAR2(255)
IAU_INSTANCEID                              VARCHAR2(255)
IAU_HOSTINGCLIENTID                         VARCHAR2(255)
IAU_HOSTID                                  VARCHAR2(255)
IAU_HOSTNWADDR                              VARCHAR2(255)
IAU_MODULEID                                VARCHAR2(255)
IAU_PROCESSID                               VARCHAR2(255)
IAU_ORACLEHOME                              VARCHAR2(255)
IAU_HOMEINSTANCE                            VARCHAR2(255)
IAU_UPSTREAMCOMPONENTID                     VARCHAR2(255)
IAU_DOWNSTREAMCOMPONENTID                   VARCHAR2(255)
IAU_ECID                                    VARCHAR2(255)
IAU_RID                                     VARCHAR2(255)
IAU_CONTEXTFIELDS                           VARCHAR2(2000)
IAU_SESSIONID                               VARCHAR2(255)
IAU_SECONDARYSESSIONID                      VARCHAR2(255)
IAU_APPLICATIONNAME                         VARCHAR2(255)
IAU_TARGETCOMPONENTTYPE                     VARCHAR2(255)
IAU_EVENTTYPE                               VARCHAR2(255)
IAU_EVENTCATEGORY                           VARCHAR2(255)
IAU_EVENTSTATUS                             NUMBER
IAU_TSTZORIGINATING                         TIMESTAMP(6)
IAU_THREADID                                VARCHAR2(255)
IAU_COMPONENTNAME                           VARCHAR2(255)
IAU_INITIATOR                               VARCHAR2(255)
IAU_MESSAGETEXT                             VARCHAR2(2000)
IAU_FAILURECODE                             VARCHAR2(255)
IAU_REMOTEIP                                VARCHAR2(255)
IAU_TARGET                                  VARCHAR2(255)
IAU_RESOURCE                                VARCHAR2(255)
IAU_ROLES                                   VARCHAR2(255)
IAU_AUTHENTICATIONMETHOD                    VARCHAR2(255)
IAU_TRANSACTIONID                           VARCHAR2(255)
IAU_DOMAINNAME                              VARCHAR2(255)
g. Execute the select command to display the content in the IAU_BASE table:
SQL> select * from IAU_BASE;
The No rows selected message appears, indicating that the table is empty.
2. Configure a JDBC data source for the audit database in WebLogic Server. Perform the following steps on your Windows lab system:
a. Navigate to the following URL to start the WebLogic console: http://your_host.us.oracle.com:7001/console. Log in as the weblogic user. The password is Welcome1.
b. Click Lock and Edit in the Change Center pane.

c. Select oam_domain > Services > JDBC > Data Sources in the Domain Structure pane. The Summary of JDBC Data Sources page appears on the right side of the console window.
d. Click New. The Create a New JDBC Data Source wizard starts. The first page that appears is the JDBC Data Source Properties page. Fill in the fields in the JDBC Data Source Properties page as follows:
Field            Choices or Values
Name             AuditDB
JNDI Name        jdbc/AuditDB
Database Type    Oracle
Click Next.
e. A second JDBC Data Source Properties page appears. Click Next to accept the default database driver.
f. The Transaction Options page appears. Click Next.
g. The Connection Properties page appears. Fill in the fields in the Transaction Properties page as follows:
Field                 Choices or Values
Database Name         orcl
Host Name             your_Linux_host
Port                  1521
Database User Name    DEV_IAU
Password              Welcome1
Confirm Password      Welcome1
Click Next.
h. The Test Database Connection form appears. Click Test Configuration. If you configured the AuditDB data source correctly, the message Connection test succeeded appears in the WebLogic console:


Click Next.
i. The Select Targets form appears. Select the check boxes for the AdminServer and oam_server1 servers.
Note: Other Oracle Fusion Middleware components besides Oracle Access Manager can use the database audit logging capability. If you do not deploy the AuditDB data source definition to the administration server, multiple IAU-5048 messages appear in the administration server logs when you start recording audit records in the database.
j. Click Finish.
k. Click Activate Changes in the Change Center pane.
l. Log out of the WebLogic console.
3. Use FMW Control to configure the audit subsystem to write records to the Oracle Database. Perform the following steps on your Windows lab system:
a. Navigate to the following URL to start FMW Control: http://your_host.us.oracle.com:7001/em. Log in as the weblogic user. The password is Welcome1.
b. In the left window pane, navigate to Farm_oam_domain > WebLogic Domain > oam_domain.

c. Click oam_domain. The oam_domain page appears in the right window pane. A menu with options to view configuration objects appears below the oam_domain label.
d. Select WebLogic Domain > Security > Audit Store from the menu.
e. The Audit Store page appears. A message appears indicating that auditing is still configured to write records to a flat file: The default audit store is file-based. Data Source JNDI name is empty when the audit store is file-based.
f. Click the Search icon to the right of the empty Data Source JNDI Name field.
g. The Select Data Source dialog box appears. Click the jdbc/AuditDB entry; then click OK.
h. The Audit Store page appears again, with the configuration details for the AuditDB JDBC data source listed. Click Apply. Notice the information message, All changes made in this page require a server restart to take effect.
i. Log out of FMW Control.
4. After you change the audit repository type, you must restart both the WebLogic administration server and the managed server instance(s) that run the Oracle Access Manager server before the changes take effect. Restart the server instances on your Windows lab system:
a. Stop the AdminServer and oam_server1 servers.
Note: If you have forgotten how to stop and start the WebLogic Server instances on your lab system, refer to the procedure detailed previously in these practices.
b. Delete the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\auditlogs\OAM\audit.log file. By deleting the flat file to which the auditing subsystem previously logged audit records, you can easily see whether the file is changed after the audit subsystem starts recording log records to Oracle Database.
Note: You cannot delete the audit.log file until the WebLogic administration server has shut down completely. If you are unable to delete the audit.log file, wait several seconds, and then try deleting the file again.
c. Restart the AdminServer and oam_server1 servers.
5. Access the Example Bakery application so that several audit records are recorded. Perform the following steps on your Windows lab system:
a. Clear cookies and cache and restart the browser.
b. Navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example.
c. Click Employees. The Example Bakery login page appears.
d. Log in as user David.Goldsmith with password Welcome1. The employee portal appears.
e. Navigate to the central logout page, http://your_host.us.oracle.com:7778/logout1.html, to log out of the Oracle Access Manager session.
6. Open the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\auditlogs\OAM\audit.log file on your Windows lab system and review the content in the file.
Notice that records are still being recorded in the audit.log file. The auditing subsystem uses this file as a bus stop: an intermediate cache for audit records before the records are written to the audit database.

7. Review the content in the IAU_BASE table in the Oracle Database. The table should no longer be empty. Perform the following steps on your Linux lab system as the oracle user:
a. Verify that the sqlplus session is still active in the terminal window you opened during a previous task. If sqlplus is not active, restart sqlplus and log in as the DEV_IAU user with password Welcome1.
b. Execute the select commands to display the number of recorded events and the distinct event types in the IAU_BASE table:
SQL> select count(*) from IAU_BASE;
SQL> select distinct IAU_EVENTTYPE from IAU_BASE order by 1;
c. Review the output from the select commands. The output should contain records with event types such as the Authorization, CredentialValidation, SessionValidation, and Login event types. The presence of these values in the database indicates that audit records are now being recorded in the Oracle Database.
d. Exit sqlplus:
SQL> exit;


Practice 8-3: Configuring Oracle Business Intelligence Publisher for Oracle Fusion Middleware and Oracle Access Manager Reports
Overview
In this practice, you configure Oracle BI Publisher so that you can run reports for analyzing
auditing data captured by the Oracle Access Manager server.
Oracle BI Publisher is pre-installed on your Windows lab system. In the first task in this practice,
you start Oracle BI Publisher to verify the installation.
Next, you install templates for Oracle Fusion Middleware reports and for Oracle Access
Manager reports.
Then you configure Oracle BI Publisher to access the database in which audit records are
located.

Assumptions

You have completed all previous practices successfully.


You perform this practice on your Windows lab system.

Tasks
1. Start Oracle BI Publisher and verify that no reports specific to Oracle Fusion Middleware or Oracle Access Manager have been installed:
a. Start the OC4J instance in which Oracle BI Publisher runs. Select Start > Programs > Oracle BIPHome1 > Start BI Publisher.
A command prompt window appears, and startup messages appear in the window. Oracle BI Publisher startup is complete when the message, Oracle Containers for J2EE 10g (10.1.3.1.0) initialized, appears.
b. Start a browser and navigate to the Oracle BI Publisher application at the following URL: http://your_host.us.oracle.com:9704/xmlpserver. Log in to Oracle BI Publisher as the Administrator user with password Administrator.
c. Click Shared Folders. No reports specific to Oracle Fusion Middleware or Oracle Access Manager appear among the available reports.
2. Install Oracle Fusion Middleware reports in Oracle BI Publisher:
a. Copy the file containing the Oracle Fusion Middleware reports, D:\Middleware\oracle_common\modules\oracle.iau_11.1.1\reports\AuditReportTemplates.jar, to the Oracle BI Publisher reports folder D:\Middleware\bipub\xmlp\XMLP\Reports\.
b. Unjar the Oracle Fusion Middleware reports. Open an MS-DOS terminal window and enter the following commands:
cd D:\Middleware\bipub\xmlp\XMLP\Reports
PATH=%PATH%;"D:\Program Files\Java\jdk1.6.0_17\bin"
jar.exe xvf AuditReportTemplates.jar
Note: This command takes a few minutes to run.
c. Run the dir command in the terminal window. You should see the Oracle_Fusion_Middleware_Audit directory listed among the other report directories. Leave the terminal window open for the next task.

d. In the browser, refresh the Shared Folders page in Oracle BI Publisher. A new folder, Oracle_Fusion_Middleware_Audit, appears in the set of available reports.
3. Install Oracle Access Manager reports in Oracle BI Publisher:
a. Copy the file containing the Oracle Access Manager reports, D:\Middleware\idm_home\oam\server\reports\oam_audit_reports_11_1_1_3_0.zip, to the Oracle Fusion Middleware component-specific reports folder D:\Middleware\bipub\xmlp\XMLP\Reports\Oracle_Fusion_Middleware_Audit\Component_Specific.
b. Unzip the Oracle Access Manager reports. In the MS-DOS terminal window that you used in Step 2, enter the following commands:
cd Oracle_Fusion_Middleware_Audit\Component_Specific
unzip oam_audit_reports_11_1_1_3_0.zip
c. Run the dir command in the terminal window. You should see the Oracle_Access_Manager directory listed among the other report directories.
d. In Oracle BI Publisher, click the Component_Specific link under Oracle_Fusion_Middleware_Audit. You should see the Oracle_Access_Manager report folder listed among the other report folders.
4. Configure the data source that Oracle BI Publisher uses to access the audit database:
a. Select the Admin tab in Oracle BI Publisher.
b. Click JDBC Connection under Data Sources.
c. The Data Sources page appears. Verify that the JDBC tab is selected. If the JDBC tab is not selected, select it.
d. Click Add Data Source.
e. The Add Data Source page appears. Fill in the fields in the Add Data Source page as follows:
Field                    Choices or Values
Data Source Name         Audit
Driver Type              Oracle 11g
Database Driver Class    oracle.jdbc.OracleDriver
Connection String        jdbc:oracle:thin:@your_Linux_host:1521:orcl
Username                 DEV_IAU
Password                 Welcome1
f. Click Test Connection. The message, Connection established successfully, should appear. If the connection test is unsuccessful, fix incorrect values in the Add Data Source page and repeat the connection test.
g. Click Apply. The Data Sources page appears, with the Audit data source listed among the available JDBC data sources.
5. Run an Oracle Access Manager audit report in Oracle BI Publisher:
a. In Oracle BI Publisher, select the Reports tab.
b. Click Shared Folders.

c. Click Oracle_Fusion_Middleware_Audit.
d. Click Component_Specific.
e. Click Oracle_Access_Manager.
f. Click Authentication_History under User_Activities. The Authentication History report appears.
Review the data in the Authentication History report. The report should list recent authentications to the Oracle Access Manager server. The report includes console logins, because the Oracle Access Manager console is protected by the IDM Domain Agent.
g. Click the Details link for any of the authentications. A new page appears with details about the authentication event.
6. Access the Example Bakery application and click the Employees link. Specify an invalid user ID and password when you are prompted to authenticate. Click Login. You are not granted access to the Example Bakery employee portal.
7. Rerun the Authentication History report. Details about the unsuccessful authentication event should appear in the Authentication History report.
Note: You can use the locator link at the top to navigate to Home > Shared Folders > Oracle_Fusion_Middleware_Audit > Component_Specific > Oracle_Access_Manager.
8. Run the following Oracle Access Manager reports in Oracle BI Publisher:
- The All_Errors_and_Exceptions report (under Errors_and_Exceptions).
- The AuthenticationFromIPByUser report (under Authentication_Statistics). Run this report twice, specifying the SUCCESS authentication status once and the FAILURE authentication status once (set Authentication Status to Success or Failure and click View).
- The AuthenticationPerIP report (under Authentication_Statistics). Run this report twice, specifying the SUCCESS authentication status once and the FAILURE authentication status once.
Review the data in each report after you run the report. The results should be consistent with Oracle Access Manager activity.
If you have time, use the Example Bakery and My Bank applications to generate more Oracle Access Manager audit events, then run the reports and review how the events are captured in the audit reports.
9. Sign out of the Oracle BI Publisher application.
10. To improve the performance of your lab system, stop the OC4J instance in which Oracle BI Publisher runs. Select Start > Programs > Oracle - BIPHome1 > Stop BI Publisher. The command prompt window running the Oracle BI Publisher OC4J process disappears.
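The sqlplus queries in Practice 8-2 and the AuthenticationPerIP and AuthenticationFromIPByUser reports in Practice 8-3 all read the same IAU_BASE columns. The following added example (not part of the course material) runs equivalent queries over a constructed IAU_BASE-shaped table in SQLite, which stands in for the Oracle repository so that it runs offline; the rows, the IAU_EVENTSTATUS encoding (1 = success, 0 = failure), the failure code and the addresses are assumptions made for the example.

```python
"""Query an IAU_BASE-shaped audit table the way the BI Publisher
AuthenticationPerIP and AuthenticationFromIPByUser reports do.

Added example, not part of the Oracle course material.  Column names come
from the `describe IAU_BASE` output in Practice 8-2; the rows, the
IAU_EVENTSTATUS encoding (1 = success, 0 = failure) and the failure code are
constructed for this example, so confirm the real encoding in your repository
before running the SQL against Oracle.  SQLite stands in for Oracle so the
example runs offline; the SQL is kept portable."""
import sqlite3
from datetime import datetime, timedelta

# Subset of the IAU_BASE columns shown by `describe IAU_BASE`.
SCHEMA = """
CREATE TABLE IAU_BASE (
    IAU_ID                   INTEGER PRIMARY KEY,
    IAU_COMPONENTTYPE        TEXT,
    IAU_EVENTTYPE            TEXT,
    IAU_EVENTSTATUS          INTEGER,
    IAU_TSTZORIGINATING      TEXT,
    IAU_INITIATOR            TEXT,
    IAU_FAILURECODE          TEXT,
    IAU_REMOTEIP             TEXT,
    IAU_RESOURCE             TEXT,
    IAU_AUTHENTICATIONMETHOD TEXT
)
"""

AUTH_PER_IP = """
SELECT IAU_REMOTEIP, COUNT(*) AS n
  FROM IAU_BASE
 WHERE IAU_EVENTTYPE = 'Authentication' AND IAU_EVENTSTATUS = ?
 GROUP BY IAU_REMOTEIP
 ORDER BY n DESC, IAU_REMOTEIP
"""

FAILED_AUTH_BY_IP_AND_USER = """
SELECT IAU_REMOTEIP, IAU_INITIATOR, COUNT(*) AS n
  FROM IAU_BASE
 WHERE IAU_EVENTTYPE = 'Authentication' AND IAU_EVENTSTATUS = 0
 GROUP BY IAU_REMOTEIP, IAU_INITIATOR
HAVING COUNT(*) >= ?
 ORDER BY n DESC, IAU_REMOTEIP, IAU_INITIATOR
"""


def build_sample_audit_db():
    """Create an in-memory IAU_BASE and load constructed audit rows: one
    normal employee-portal session, one mistyped password, and a burst of
    failed logins for several account names from a second address."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    t0 = datetime(2011, 7, 1, 9, 0, 0)
    rows = []

    def add(event, status, user, ip, secs, code=None):
        rows.append((len(rows) + 1, "OAM", event, status,
                     (t0 + timedelta(seconds=secs)).isoformat(sep=" "),
                     user, code, ip, "/example/employeeHome.html",
                     "ExampleLDAPScheme"))

    # Event types seen in audit.log / IAU_BASE during Practices 8-1 and 8-2.
    for secs, event in enumerate(["Authentication", "CredentialValidation",
                                  "SessionCreation", "Login", "Authorization"]):
        add(event, 1, "David.Goldsmith", "10.0.0.5", secs)
    add("SessionDestroy", 1, "David.Goldsmith", "10.0.0.5", 60)
    add("Logout", 1, "David.Goldsmith", "10.0.0.5", 61)
    # One mistyped password from the same workstation (constructed code).
    add("Authentication", 0, "David.Goldsmith", "10.0.0.5", 120, "AUTH_FAILED")
    # Repeated failures for several account names from another address.
    for secs, user in enumerate(["admin", "root", "David.Goldsmith",
                                 "admin", "admin"], start=200):
        add("Authentication", 0, user, "198.51.100.7", secs, "AUTH_FAILED")

    conn.executemany("INSERT INTO IAU_BASE VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def event_type_counts(conn):
    """Per-event-type counts: a richer form of
    `select distinct IAU_EVENTTYPE from IAU_BASE order by 1`."""
    cur = conn.execute("SELECT IAU_EVENTTYPE, COUNT(*) FROM IAU_BASE "
                       "GROUP BY IAU_EVENTTYPE ORDER BY 1")
    return dict(cur.fetchall())


def authentication_per_ip(conn, success):
    """AuthenticationPerIP report: authentications per source address for
    one status (SUCCESS or FAILURE in the BI Publisher prompt)."""
    return conn.execute(AUTH_PER_IP, (1 if success else 0,)).fetchall()


def failed_auth_from_ip_by_user(conn, min_failures):
    """AuthenticationFromIPByUser restricted to FAILURE, with a threshold so
    the same query doubles as a simple guessing/spraying detection."""
    return conn.execute(FAILED_AUTH_BY_IP_AND_USER, (min_failures,)).fetchall()


if __name__ == "__main__":
    db = build_sample_audit_db()
    print(event_type_counts(db))
    print(authentication_per_ip(db, success=False))
    print(failed_auth_from_ip_by_user(db, min_failures=3))
```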


Practice 8-4: Examining the Default Logging Configuration


Overview
In this practice, you start working with the Oracle Fusion Middleware logging subsystem.
You start by shutting down the active servers and deleting the log files. You remove the log files
to ensure that the logging records you examine in this practice are generated only by the
activities performed in this practice.
Then you use the FMW Control application to review the default logging configuration.

Assumptions

You have completed all previous practices successfully.


You perform this practice on your Windows lab system.

Tasks
1. Stop the WebLogic administration server and the managed server instance that runs the Oracle Access Manager server, delete the log files, and then restart the server instances:
a. Stop the AdminServer and oam_server1 servers.
Note: If you have forgotten how to stop and start the WebLogic Server instances on your lab system, refer to the procedure detailed previously in these practices.
b. Open a Windows Explorer window and navigate to the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs directory. Delete all files that have names starting with the string oam_server1-diagnostic.
If you are not able to delete the oam_server1-diagnostic.log file, wait several seconds and try again. The servers must be completely shut down before you can delete this file.
Note: The oam_server1-diagnostic.log file is the active Oracle Access Manager server log file. Files with the name oam_server1-diagnostic-xx.log, where xx is a number, are archived log files. You configure the max file size and max directory size of archived log files in the Audit Configuration tab page of the Server Common Properties page in the Oracle Access Manager console.
c. Start the AdminServer and oam_server1 servers.
2. Navigate to the following URL to start FMW Control: http://your_host.us.oracle.com:7001/em. Log in as the weblogic user. The password is Welcome1.
3. Navigate to the logging configuration:
a. In the left window pane, navigate to Farm_oam_domain > WebLogic Domain > oam_domain > oam_server1.
b. Click oam_server1. The oam_server1 page appears in the right window pane. A menu with options to view configuration objects appears below the oam_server1 label.
c. Select WebLogic Server > Logs > Log Configuration from the menu. The Log Configuration page appears in FMW Control.
4. Examine the default log levels in the logging configuration:
a. Select the Log Levels tab.


b. Expand the Root Logger > oracle > oracle.oam node in the navigator that appears in the Logger Name column. Loggers in the oracle.oam node should now be visible.
c. Locate the log level for the oracle logger: the parent logger for all Oracle Fusion Middleware loggers. The oracle logger's log level is set to the NOTIFICATION:1 level.
d. Locate the log level for the oracle.oam logger. The oracle.oam logger's level is set to the NOTIFICATION:1 level and is inherited from its parent logger.
e. Browse the list of child loggers of the oracle.oam logger. Each child logger's log level is set to the NOTIFICATION:1 level and is inherited from its parent logger.
5. Examine the log file settings in the logging configuration:
a. Review the log file column for the Oracle Fusion Middleware loggers. The odl-handler log file is listed for all Oracle Fusion Middleware loggers.
b. Select the Log Files tab.
c. Select the entry for the odl-handler log file and click Edit Configuration.
d. The Edit Log File dialog box appears, displaying the logging configuration for the odl-handler log file. Note the value of the Log Path: D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\oam_server1-diagnostic.log. This path is the default location of the Oracle Access Manager server log file.

e. Click Cancel to close the Edit Log File dialog box without changing the log file configuration.
f. Log out of FMW Control.
6. Review the log file's current size and content:
a. Open a Windows Explorer window and navigate to the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs directory.
b. Note the oam_server1-diagnostic.log file's size for use in a subsequent step.
c. Open the oam_server1-diagnostic.log file and browse the log messages in the file. The third column of the log file contains the message log level. Verify that only messages with the log levels NOTIFICATION, WARNING, and ERROR are in the log file.
7. Examine the impact of an invalid login on the log file when the default logging configuration is in effect:
a. Clear cache and cookies for the browser.
b. Access the Example Bakery application and click the Employees link. Specify an invalid user ID and password when you are prompted to authenticate. Click Login. You are not granted access to the Example Bakery employee portal.
c. Open a Windows Explorer window and navigate to the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs directory.
d. Note the oam_server1-diagnostic.log file's size. Compare the file size to the file size you noted in a previous step. The difference in the file size should be relatively small (under 100 KB) if you performed the previous two steps relatively quickly. Note the new file size for use in a subsequent practice.
8. (Optional) Open the oam_server1-diagnostic.log file and see if you can locate messages that diagnose why the attempt to authenticate to the Oracle Access Manager server failed. (Note: Search for the word Error.)


Practice 8-5: Reviewing Log Messages in FMW Control


Overview
In this practice, you use the tools available in FMW Control to locate, review, and analyze log
messages.
In one task in this practice, you view messages associated with an execution context. The
execution context ID (ECID) is a globally unique identifier associated with a thread of execution.
Using the ECID, you can correlate log messages. By searching related messages using the
message correlation information, multiple messages can be examined and the component that
first generates a problem can be identified. Message correlation data can help establish a clear
path for a diagnostic message across components, within which errors and related behavior can
be understood.

Assumptions

You have completed all previous practices successfully.


You perform this practice on your Windows lab system.

Tasks
1. Navigate to the following URL to start FMW Control: http://your_host.us.oracle.com:7001/em. Log in as the weblogic user. The password is Welcome1.
2. In FMW Control, select WebLogic Server > Logs > View Log Messages. The Log Messages page appears.
3. Review the types of messages that appear in the message list and observe the check box settings in the Message Types field. By default, only ERROR level messages appear in the message list.
4. Locate the error message that was logged when you attempted to authenticate to the Example Bakery site with an invalid user ID. The message ID for the error message has the following value: OAMSSA-20023.
5. Select the OAMSSA-20023 error message so that it is highlighted. Details about the error appear in the window pane below the message list.
6. Review messages in the execution context that produced the authentication failure:
a. Click the ECID link in the message details. Log messages pertaining to the execution event that caused the failed login appear in the message list. Observe that messages with the NOTIFICATION log level are now present in the message list.

b. Locate the message that indicates that the ExampleLDAPScheme authentication scheme was used in the authentication operation.
c. Locate the message that indicates that credential collection was part of the execution thread.
d. Click the Log Messages link in the locator link above the message list. The original message list, containing only ERROR level messages, reappears.
7. Locate a set of log messages that pertain to a successful authentication:
a. Authenticate successfully to the Example Bakery employee portal as user David.Goldsmith.
b. Select the Notification check box in the Message Types field of the Log Messages page in FMW Control.
c. Click Search. NOTIFICATION level messages now appear in the Log Messages page.
d. Further constrain the search by typing employeeHome.html in the Message field and clicking Search.
e. Select one of the messages that log an isResourceProtected() call. Review the details that appear in the window pane below the message list.
f. Click the ECID in the message detail pane. All the messages in the execution context appear in the message list.
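Practice 8-4 identifies the third column of oam_server1-diagnostic.log as the log level, and Practice 8-5 uses the ECID to collect every message of one execution context. The added example below (not part of the course material) does both over constructed ODL-style log lines: the ECIDs, thread ids, logger names and message texts are invented for the example, and only the OAMSSA-20023 message id, the level names, ExampleLDAPScheme and isResourceProtected() come from the practice text.

```python
"""Parse Oracle Diagnostic Logging (ODL) text lines like those in
oam_server1-diagnostic.log, count them by level (the third bracketed
column) and pull out every message that shares an ECID, which is what
the ECID link in the FMW Control Log Messages page does.

Added example, not part of the Oracle course material.  The sample lines
are constructed to resemble ODL output; ECIDs, thread ids, logger names
and message texts are invented, only the OAMSSA-20023 message id and the
level names come from the practice text."""
import re
from collections import Counter

# Leading fixed columns of an ODL record: timestamp, server, level,
# message id, component.  The later bracketed fields (tid, userId, ecid,
# APP, ...) vary from line to line, so they are searched for separately.
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<server>[^\]]*)\] \[(?P<level>[^\]]+)\] "
    r"\[(?P<msgid>[^\]]*)\] \[(?P<component>[^\]]*)\] (?P<rest>.*)$")
ECID_RE = re.compile(r"\[ecid: (?P<ecid>[^\]]+)\]")

# Constructed sample: one failed login context (four messages ending in
# the OAMSSA-20023 error), one successful login, and a TRACE:32 record
# whose message continues on an indented second line.
SAMPLE_LOG = """\
[2011-07-01T09:15:03.101-07:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.engine.policy] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [ecid: 0000CONSTRUCTED01,0] [APP: oam_server] isResourceProtected() called for /example/employeeHome.html
[2011-07-01T09:15:03.105-07:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [ecid: 0000CONSTRUCTED01,0] [APP: oam_server] Authentication scheme ExampleLDAPScheme selected for the resource
[2011-07-01T09:15:09.420-07:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [ecid: 0000CONSTRUCTED01,0] [APP: oam_server] Credential collection completed for the request
[2011-07-01T09:15:09.433-07:00] [oam_server1] [ERROR] [OAMSSA-20023] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [ecid: 0000CONSTRUCTED01,0] [APP: oam_server] Authentication failure for user nosuchuser (constructed text)
[2011-07-01T09:16:40.002-07:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [ecid: 0000CONSTRUCTED02,0] [APP: oam_server] Authentication succeeded for user David.Goldsmith
[2011-07-01T09:16:40.010-07:00] [oam_server1] [TRACE:32] [] [oracle.oam.engine.session] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [ecid: 0000CONSTRUCTED02,0] [APP: oam_server] Session attributes:
    sessionType=server, resource=/example/employeeHome.html
"""


def parse_odl(text):
    """Return one dict per record.  Lines that do not start a record
    (stack-trace continuations, wrapped messages) are appended to the
    message of the preceding record instead of being dropped."""
    records = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if not m:
            if records and raw.strip():
                records[-1]["message"] += "\n" + raw
            continue
        rest = m.group("rest")
        ecid = ECID_RE.search(rest)
        # The free-text message follows the last "] " of the field block.
        message = rest.rsplit("] ", 1)[-1] if "] " in rest else rest
        records.append({
            "timestamp": m.group("ts"),
            "server": m.group("server"),
            # "TRACE:32" -> "TRACE", so FINEST lines group with TRACE.
            "level": m.group("level").split(":")[0],
            "msgid": m.group("msgid"),
            "component": m.group("component"),
            "ecid": ecid.group("ecid") if ecid else None,
            "message": message,
        })
    return records


def level_counts(records):
    """Messages per level: the distribution Practices 8-4 and 8-6 compare."""
    return Counter(r["level"] for r in records)


def filter_levels(records, levels):
    """Mimic the Message Types check boxes (default: ERROR only)."""
    return [r for r in records if r["level"] in levels]


def execution_context(records, msgid):
    """Everything logged under the ECID of the first record carrying
    msgid, in file order: the view FMW Control shows after the ECID link."""
    ecid = next((r["ecid"] for r in records if r["msgid"] == msgid), None)
    if ecid is None:
        return []
    return [r for r in records if r["ecid"] == ecid]


if __name__ == "__main__":
    recs = parse_odl(SAMPLE_LOG)
    print(dict(level_counts(recs)))
    for r in execution_context(recs, "OAMSSA-20023"):
        print(r["level"], r["component"], r["message"])
```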


Practice 8-6: Increasing the Log Level


Overview
In this practice, you increase the log level for the oracle.oam logger to the TRACE:32 log level.
Then you examine the impact of the increased log level on logger output.

Assumptions

You have completed all previous practices successfully.


You perform this practice on your Windows lab system.
You are still logged in to FMW Control.

You noted the oam_server1-diagnostic.log file's size in a previous practice.

Tasks
1. Increase the log level in FMW Control:
a. In the menu on the right window pane, select WebLogic Server > Logs > Log Configuration.
b. Select the Log Levels tab.
c. Expand the navigator in the Logger Name column to the Root Logger > oracle node.
d. Locate the entry for the oracle.oam logger.
e. Set the log level for the oracle.oam logger to the TRACE:32 (FINEST) log level.
f. Click Apply.
g. Click Close to close the Confirmation dialog box.
2. Note the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\oam_server1-diagnostic.log file's current size.
3. Perform several access management operations so that the Oracle Access Manager server generates log records:
a. Log out of the Example Bakery application by navigating to the central logout page, http://your_host.us.oracle.com:7778/logout1.html.
b. Access the Example Bakery application and click the Employees link. Specify an invalid user ID and password when you are prompted to authenticate. Click Login. You are not granted access to the Example Bakery employee portal.
c. Authenticate successfully to the Example Bakery employee portal as user David.Goldsmith.
d. Log out of the Example Bakery application by navigating to the central logout page, http://your_host.us.oracle.com:7778/logout1.html.
4. Compare the size of the D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\oam_server1-diagnostic.log file to the size you recorded before performing the access management operations. The file should have grown considerably; much more than when you observed changes to the file size when the log level for the oracle.oam logger was the NOTIFICATION log level.
Note: It is possible that the file has grown so large that the contents of the file have rolled over to the archive file oam_server1-diagnostic-1.log. In this case, the oam_server1-diagnostic.log file may be smaller than the size you recorded prior to the start of this practice.

5. Open the oam_server1-diagnostic.log file. Observe the presence of a large number of TRACE level messages in the log file.


Practice 8-7: Resetting the Log Level Back to the Default Level
Overview
In this practice, you reset the oracle.oam logger's log level back to the NOTIFICATION level.
Reducing log level reduces the amount of log output and improves Oracle Access Manager
server performance for subsequent practices.

Assumptions

You have completed all previous practices successfully.


You perform this practice on your Windows lab system.
You are still logged in to FMW Control.

Tasks
1.

Reset the log level in FMW Control:


a. In the menu in the right window pane, select WebLogic Server > Logs > Log
Configuration.
b. Select the Log Levels tab.
c. Expand the Root Logger > oracle node in the navigator that appears in the Logger
Name column.
d. Locate the entry for the oracle.oam logger.
e.

2.

3.

Set the log level for the oracle.oam logger to the NOTIFICATION:1 (INFO) log
level.
f. Click Apply.
g. Click Close to close the Confirmation dialog box.
Perform several access management operations so that the Oracle Access Manager server
generates log records:
a. Access the Example Bakery application and click the Employees link. Specify an
invalid user ID and password when you are prompted to authenticate. Click Login. You
are not granted access to the Example Bakery employee portal.
b. Authenticate successful to the Example Bakery employee portal as user
David.Goldsmith.
c. Log out of the Example Bakery application by navigating to the central logout page,
http://your_host.us.oracle.com:7778/logout1.html.
Verify that the NOTIFICATION log level is now in effect:
a.
b.
c.

Open the oam_server1-diagnostic.log file. (or oam_server1-diagnosticX.log in case of log file rollover)
Scroll to the bottom of the file.
Verify that the most recently generated log messages are all NOTIFICATION level
messages.
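The check in step 3 can be automated. The following Python script is an added example and is not part of the Oracle guide: it parses ODL-format record headers ([timestamp] [server] [TYPE] or [TYPE:level]) from oam_server1-diagnostic.log, counts records per message type, and reports whether the newest records are all at NOTIFICATION or quieter. The sample log lines, their message ids and texts are constructed for the example; run it with the real log path as its argument.

```python
import re
import sys
from collections import Counter

# ODL text-format record header: [timestamp] [server] [TYPE] or [TYPE:level] ...
# Only the first three bracketed fields are needed to judge the level in effect.
ODL_RECORD = re.compile(r"^\[([^\]]+)\] \[([^\]]+)\] \[([A-Z_]+)(?::(\d+))?\]")

# ODL message types ordered from quietest to chattiest.
VERBOSITY = {"INCIDENT_ERROR": 0, "ERROR": 0, "WARNING": 1, "NOTIFICATION": 2, "TRACE": 3}

# Constructed sample lines laid out like an ODL diagnostic log (not copied from a real
# oam_server1-diagnostic.log; message ids and texts are placeholders). The indented
# line is a continuation of a multi-line message.
SAMPLE_LOG = """\
[2011-07-14T10:21:03.118-07:00] [oam_server1] [TRACE:32] [] [oracle.oam.engine.authn] [tid: 12] entering validateCredentials
[2011-07-14T10:21:03.119-07:00] [oam_server1] [TRACE:32] [] [oracle.oam.engine.authn] [tid: 12] exiting validateCredentials
[2011-07-14T10:21:03.120-07:00] [oam_server1] [NOTIFICATION] [LAB-0001] [oracle.oam] [tid: 12] log level set to NOTIFICATION:1
[2011-07-14T10:25:31.402-07:00] [oam_server1] [NOTIFICATION] [LAB-0002] [oracle.oam.engine.authn] [tid: 12] authentication failed
  for the supplied user id
[2011-07-14T10:25:40.777-07:00] [oam_server1] [NOTIFICATION] [LAB-0003] [oracle.oam.engine.authn] [tid: 12] authentication succeeded
[2011-07-14T10:26:02.001-07:00] [oam_server1] [NOTIFICATION] [LAB-0004] [oracle.oam.sso.session] [tid: 12] session terminated
"""


def parse_record(line):
    """Return (timestamp, server, type, level) for a record header, or None for
    continuation lines and anything else that is not a header."""
    m = ODL_RECORD.match(line)
    if not m:
        return None
    ts, server, msg_type, level = m.groups()
    return ts, server, msg_type, (int(level) if level else None)


def records(text):
    """All record headers in file order; continuation lines are dropped."""
    return [r for r in map(parse_record, text.splitlines()) if r]


def tail_types(text, n):
    """Message types of the last n records, oldest first."""
    return [r[2] for r in records(text)[-n:]]


def level_in_effect_ok(text, n=5, expected="NOTIFICATION"):
    """True when none of the newest n records is chattier than `expected`.
    Unknown types fail closed (treated as chattier than anything expected)."""
    types = tail_types(text, n)
    limit = VERBOSITY[expected]
    return bool(types) and all(VERBOSITY.get(t, 99) <= limit for t in types)


def type_counts(text):
    """How many records of each type the file holds; compare before and after the reset."""
    return Counter(r[2] for r in records(text))


if __name__ == "__main__":
    # Pass the path of oam_server1-diagnostic.log (or the rolled-over archive) as argv[1];
    # with no argument the constructed sample is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print("records per type:", dict(type_counts(text)))
    print("newest records at NOTIFICATION or quieter:", level_in_effect_ok(text))
```

On the sample, the newest three records pass but the newest five do not, because the fifth-newest is still a TRACE record written before the level was reset; choose n so that it covers only records generated after the change.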


Practices for Lesson 9

Chapter 9

Practices Overview
Typically, in an enterprise, single sign-on is not provided by a single SSO server but by a
number of servers behind a load balancer. When the SSO server is upgraded from OSSO 10g to
OAM 11g, all the partners registered with the OSSO server must be migrated, and after that
every OSSO server in the cluster must be replaced by an OAM server. Therefore, while
upgrading OSSO 10g to OAM 11g, both kinds of server have to coexist. The load balancer can
route an authentication request to any of the SSO servers, and once a user is authenticated by
either kind of server, the user must be able to access any of the partner applications without
logging in again.
However, by default a user authenticated by the OAM server is not recognized by the OSSO
server and vice versa. The 10g server tracks its session with a cookie called SSO_ID, and
OAM 11g tracks its session with a different cookie called OAM_ID; the two cookie formats are
different and each server understands only its own. To allow both servers to coexist, the 11g
OAM server must be configured to read and validate the 10g SSO_ID cookie and to create a
10g SSO_ID cookie of its own.
This allows 10g SSO servers and 11g OAM servers to coexist in one cluster. In coexistence
mode, the OAM servers generate and update 10g SSO_ID cookies so that, no matter which
server the user's authentication request is routed to, the user's session stays intact.
OAM 11g coexistence with OSSO 10g servers:
To see the behavior in both the normal and the coexistence scenario, consider the following
setup:

A load balancer is front-ending both the SSO 10g and OAM 11g servers. A partner OHS is
registered with the 10g SSO server, and the 10g SSO partners are then migrated to the 11g OAM
server.
Without coexistence: If the user is authenticated by using the 10g SSO server, an SSO_ID
cookie is created and set. If the user tries to access the resource again, and the LBR routes
the request to the 11g OAM server, the 11g OAM server looks only for an OAM_ID cookie and
shows a login page for user authentication because it cannot read the SSO_ID cookie and
recognize the session.
With coexistence: If the user is authenticated by using the 10g SSO server, an SSO_ID cookie
is created and set. If the user tries to access the resource again, and the LBR routes the
request to the 11g OAM server, the 11g OAM server has the built-in capability to read and
validate the SSO_ID cookie, so the user is let through without being asked to enter
credentials again.
Key Lab Steps:
1. Install an OHS 11g server named Partner OHS in this lab.
(Note: OSSO 10g along with 10g OHS has been pre-installed.)
2. Install a partner application on this OHS. This can be a simple HTML page (or you can
protect the index.html welcome page as well).

3. Register this partner application with the OSSO 10g server. Here, note that since the load
balancer is front-ending the OSSO 10g servers, partner registration must be done with the
load balancer URL. Copy the generated configuration file to the OHS server.
4. Access the partner application. Now this partner application should be protected by the
OSSO 10g server.
5. Front-end the OAM 11g server with the same load balancer that front-ends the OSSO 10g
   server.
6. Upgrade the existing OSSO 10g servers to OAM 11g server (run the Upgrade Assistant).
(Back end upgrade.)
7. View the partner application migration to the OAM 11g server by using the OAM admin
console.
8. Verify coexistence:
Now that the OAM and OSSO 10g servers are working in coexistence mode, try to access the
partner applications and verify that single sign-on works. Also, verify that a user does not have
to log in if the user is already authenticated by either the OAM 11g or OSSO 10g servers.
Shut down one of the OSSO servers and make sure that the partner application is still
protected.
9. After a successful upgrade, you now upgrade the mod_osso agent to a WebGate agent.
WebGate agents are more popular than mod_osso because of the extra authorization
capabilities available at run time as well as the centralized session management capabilities,
for instance, an administrator can delete sessions from the OAM admin UI console, so that the
user in question is forced to re-authenticate.
10. Configure WebGate 11g on the new OHS (created in Step 1).
11. Remove mod_osso.
12. Restart OHS and verify the successful upgrade from mod_osso to WebGate 11g. (Front
end upgrade.)
Pictorial representation of the use case to show upgrade and test-to-production (horizontal
migration) is as follows:
[Figure not reproduced here.]

Practice 9-1: Verify OSSO 10g Server and Configure New OHS
Instance
Overview
In this practice, you validate that the pre-installed OSSO 10g server (including infrastructure)
instance is up and running. Next, you configure a new OHS instance: ohs_partner.

Tasks
1. From the browser window, enter http://<your_host>.us.oracle.com:18100.
2. Enter ias_admin and Welcome1 on the login page.
3. Click the Standalone Instance link.
4. Make sure that all the components are up and running (status green up arrow).
   Note: You can also check the status of components by navigating to
   d:\osso10g\opmn\bin on the command line window and using the opmnctl status
   command.
   Note: DSA and LogLoader components will show a status of down.
5. Navigate to Start > Programs > Oracle Application Server Infrastructure-oracleas >
   Integrated Management Tools > Oracle Directory Manager.
6. Log in by using orcladmin and Welcome1.
7. From the browser window, enter http://<your_host>.us.oracle.com:7777/sso to open the SSO
   home page.
8. Click the Login link on the top-right corner and log in as any authenticated user, such as
   orcladmin with the password Welcome1. You should see all the partner applications
   registered with the OSSO 10g server.
9. Navigate to d:\middleware\ohs_home\bin and double-click config.bat.
   Use the following steps as a guide to configure a new OHS instance ohs_partner
   (Window/Page Description: Choices or Values):
   a. Welcome: Next
   b. Configure Components: Deselect Oracle Web Cache. Deselect Associate Selected
      Components with WebLogic Domain.
   c. Specify Component Details:
      Instance Home Location: d:\middleware\ohs_home\instances\ohs_partner
      Instance Name: ohs_partner
      OHS Component Name: ohs1
   d. Configure Ports: Auto Ports Configuration
   e. Specify Security Updates: Deselect I wish to receive security updates from My Oracle
      Support. Select Yes on the Warning pop-up windows.
   f. Installation Summary: Configure
   g. Configuration Progress: Next
   h. Installation Complete: Finish
10. Navigate to
    D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\htdocs.
    Rename welcome-index.html as welcome-index.html.bak. Copy
    welcome-index.ohs_partner.html from d:\labs\lesson09 to
    D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\htdocs.
    Rename welcome-index.ohs_partner.html as welcome-index.html.
11. On the command line, navigate to
    d:\middleware\ohs_home\instances\ohs_partner\bin and issue the following
    command:
    opmnctl status -l
    Notice the HTTP listen port of 7781.
12. On the browser window, type http://<your_host>.us.oracle.com:7781 to get to the Welcome
    page of Oracle Fusion Middleware. Notice the message, Welcome to the OHS_Partner
    Instance Running on Port 7781.


Practice 9-2: Configure OSSO 10g to Work with Load Balancer

Overview
In this practice, you configure OSSO 10g to work with the software load balancer: HAProxy.

Tasks
1. Move to a Linux machine. From the terminal window, navigate to
   /home/oracle/haproxy-1.4.8 and edit the oamconfig.txt file as shown below:
   cd /home/oracle/haproxy-1.4.8
   vi oamconfig.txt
   Read the file, paying close attention to the following four lines:
   listen oam-ha edtdr35p1.us.oracle.com:8888
   balance roundrobin
   server OHSSrv1_10g edtdr35p2.us.oracle.com:7777 cookie OHSSrv1_10g check inter 1000
   server OAMSrv2_11g edtdr35p2.us.oracle.com:14100 cookie OAMSrv2_11g check inter 1000
   The first line is the listening address of the LBR, the second line selects a round robin
   algorithm, and the third and fourth lines are the back-end servers for OSSO 10g (the OHS
   on port 7777) and OAM 11g (port 14100). The cookie keyword gives each server the value
   carried by HAProxy's persistence cookie when one is configured in the same section, and
   check inter 1000 makes HAProxy health-check each server every second, so a stopped
   server is taken out of rotation.
   Replace the host name edtdr35p1 with your Linux machine host name and edtdr35p2 with your
   Windows machine host name. Press i (Insert mode) to make the change followed by Esc
   (Exit insert mode) and finally :wq! (save and quit).
   Note: The lab LBR listens on plain HTTP. The externally published address of a production
   SSO server would be HTTPS, because the SSO_ID and OAM_ID session cookies pass
   through it.
2. Start the load balancer by using the following command:
   cd /home/oracle/haproxy-1.4.8
   ./haproxy -f oamconfig.txt
   Note: You may see a warning stating, logformat ignored for proxy oam-ha since it has
   no log address. Ignore this warning.
3. Keep this terminal window open.
   Note: If you have to stop the HAProxy load balancer at any point, enter Ctrl + C on this
   terminal window, or open a new terminal window and issue the command: killall haproxy.
4. Move back to the Windows machine. Open the httpd.conf file for the OHS front-ending
   the OSSO 10g server under d:\osso10g\Apache\Apache\conf and find and replace
   the following entries:
   Change the ServerName entry to the LBR host name (<your_linux_host>.us.oracle.com), that
   is,
   ServerName <your_linux_host>.us.oracle.com
   Change the Port entry to point to the LBR port number (8888). That is,
   Port 8888
   Save the file.
5. For the above changes to take effect, you need to restart the OHS. Navigate to
   d:\osso10g\opmn\bin on the command line window, and enter:
   opmnctl stopproc ias-component=HTTP_Server
   opmnctl startproc ias-component=HTTP_Server
6. Run the following script from the command line window:
   set ORACLE_HOME=d:\osso10g
   cd d:\osso10g\sso\bin
   ssocfg.bat http <your_linux_host>.us.oracle.com 8888
   It should return the message, SSO Server re-configuration finished.
   This script configures the single sign-on server to accept authentication requests from the
   externally published address (LBR).
7. Bring down oam_server1 by using either Ctrl + C on the command line window from
   where it was started, or by using the WLS admin console. With oam_server1 down, the LBR
   can route only to the OSSO 10g server, which is what the next step tests.
8. Verify that the LBR setup is working correctly. Close all browsers. Open a new browser
   window, and try accessing the OSSO 10g home page through the LBR by entering:
   http://<your_linux_host>.us.oracle.com:8888/sso. This should bring up the OSSO home
   page.
   Also, try accessing the OSSO home page by using the original URL:
   http://<your_windows_host>.us.oracle.com:7777/sso. This should bring up the OSSO 10g
   server's home page. Notice the URL. It should look like this:
   http://<your_linux_host>.us.oracle.com:8888/sso/pages/index.jsp


Practice 9-3: Register Partner OHS with OSSO 10g

Overview
In this practice, you register the newly configured OHS partner instance with the OSSO 10g
server.

Tasks
1. Open a new command line window, and set the ORACLE_HOME environment variable as
   follows:
   set ORACLE_HOME=d:\osso10g
   Make sure the environment variable is set by issuing the following command:
   echo %ORACLE_HOME%
2. Navigate to d:\osso10g\sso\bin and run the following command (on one line) to register
   the partner OHS with OSSO 10g:
   ssoreg.bat -oracle_home_path d:\osso10g
     -site_name <your_windows_host>.us.oracle.com:7781
     -config_mod_osso TRUE
     -mod_osso_url http://<your_windows_host>.us.oracle.com:7781
     -remote_midtier
     -config_file D:\osso10g\Apache\Apache\conf\osso\<your_windows_host>_7781_osso.conf
   A successful run of the above command should return the message, SSO registration tool
   finished successfully.
3. Check the log d:\osso10g\sso\log\ssoreg.log to see the details of the ssoreg
   tool registration.
4. Move the <your_windows_host>_7781_osso.conf file (this is an obfuscated file) from
   d:\osso10g\Apache\Apache\conf\osso to
   d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1.
   Note: This file holds the partner's registration with the SSO server, so treat it like a
   credential: keep it readable only by the account that runs OHS.
5. Copy mod_osso.conf from the disabled directory (under
   D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1) to the
   moduleconf directory (under
   D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1).
6. Edit
   d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\moduleconf\mod_osso.conf
   using Notepad and change the entries as follows (the OssoConfigFile path and the
   <Location /> block are the changes to be made; the rest of the file is left as delivered):
   LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
   <IfModule osso_module>
       OssoIpCheck off
       OssoIdleTimeout off
       OssoSecureCookies off
       OssoConfigFile d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\<your_windows_host>_7781_osso.conf
       #
       # Insert Protected Resources: (see Notes below for
       # how to protect resources)
       #
       #______#
       # Notes
       #
       #______#
       # 1. Here's what you need to add to protect a resource,
       #    e.g. <ApacheServerRoot>/htdocs/private:
       #
       <Location />
           require valid-user
           AuthType Osso
       </Location>
   </IfModule>
   #
   # If you would like to have short hostnames redirected to
   # fully qualified hostnames to allow clients that need
   # authentication via mod_osso to be able to enter short
   # hostnames into their browsers uncomment out the following
   # lines
   #
   #PerlModule Apache::ShortHostnameRedirect
   #PerlHeaderParserHandler Apache::ShortHostnameRedirect
   Note: OssoSecureCookies off is needed here only because the lab partner application is
   served over plain HTTP; a browser does not send a cookie marked Secure over HTTP. On an
   HTTPS site set it to on, so that the mod_osso cookie cannot be replayed over HTTP.
   OssoIpCheck off means a session cookie is accepted from any client address.
7. Note: The mod_osso.conf file contains all the configuration for enabling OSSO, such as
   where the <your_windows_host>_7781_osso.conf file is located, what URLs to
   protect, whether the ObOssoCookie is secured, and so on. The
   <your_windows_host>_7781_osso.conf file contains the configuration for how to
   connect to the OSSO server (host:port and so on). You copy the mod_osso.conf file to
   the moduleconf directory because the path to this folder is configured in the httpd.conf
   file.
   Edit the
   d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\httpd.conf
   file, search on the ServerName directive, and replace the value as shown below (in all
   lowercase):
   ServerName <your_windows_host>.us.oracle.com:7781
   Note: You make this change so that the OSSO server can perform a correct reverse-lookup
   during redirection after authentication.

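The settings changed in step 6 are the ones worth auditing whenever a mod_osso.conf is rolled out, so here is an added example in Python (not from the Oracle guide): a small parser for the directive and container subset mod_osso.conf uses, a function that lists which <Location> blocks actually require an Osso-authenticated user, and a findings function that judges OssoSecureCookies and OssoIpCheck against whether the partner site is served over HTTP or HTTPS. LAB_CONF is a constructed copy of the lab file with a placeholder osso.conf name, and HARDENED_CONF is a hypothetical HTTPS variant; both are assumptions made for the example.

```python
import re
from dataclasses import dataclass

OPEN_TAG = re.compile(r"^<(\w+)\s*(.*?)>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")

# Constructed copy of the lab mod_osso.conf (plain-HTTP partner; placeholder osso.conf name).
LAB_CONF = r"""
LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
<IfModule osso_module>
    OssoIpCheck off
    OssoIdleTimeout off
    OssoSecureCookies off
    OssoConfigFile d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\winhost_7781_osso.conf
    # protect everything under the document root
    <Location />
        require valid-user
        AuthType Osso
    </Location>
</IfModule>
"""

# Hypothetical variant for a partner served over HTTPS: Secure cookies and IP check on.
HARDENED_CONF = (LAB_CONF.replace("OssoIpCheck off", "OssoIpCheck on")
                         .replace("OssoSecureCookies off", "OssoSecureCookies on"))


@dataclass
class Directive:
    name: str
    args: str
    context: tuple  # enclosing containers, outermost first, e.g. (("IfModule", "osso_module"),)


def parse_apache_conf(text):
    """Parse the directive/container subset that mod_osso.conf uses.
    Comments and blank lines are skipped; <Tag ...> / </Tag> nest through a stack, and an
    unbalanced file raises ValueError instead of being silently half-read."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        close = CLOSE_TAG.match(line)
        if close:
            if not stack or stack[-1][0].lower() != close.group(1).lower():
                raise ValueError(f"unbalanced </{close.group(1)}>")
            stack.pop()
            continue
        opened = OPEN_TAG.match(line)
        if opened:
            stack.append((opened.group(1), opened.group(2).strip()))
            continue
        name, _, args = line.partition(" ")
        out.append(Directive(name, args.strip(), tuple(stack)))
    if stack:
        raise ValueError(f"unclosed <{stack[-1][0]}>")
    return out


def osso_protected_paths(directives):
    """Paths of <Location> blocks that both set AuthType Osso and Require a user."""
    seen = {}
    for d in directives:
        locations = [c for c in d.context if c[0].lower() == "location"]
        if not locations:
            continue
        flags = seen.setdefault(locations[-1][1], set())
        if d.name.lower() == "authtype" and d.args.lower() == "osso":
            flags.add("authtype")
        elif d.name.lower() == "require":
            flags.add("require")
    return sorted(p for p, f in seen.items() if {"authtype", "require"} <= f)


def osso_findings(directives, https):
    """(severity, message) pairs for the settings an auditor checks in mod_osso.conf.
    `https` says whether the partner site is served over TLS: then OssoSecureCookies must
    be on; over plain HTTP it cannot be on, or the browser never sends the cookie."""
    settings = {d.name.lower(): d.args.lower()
                for d in directives if d.name.lower().startswith("osso")}
    findings = []
    if "ossoconfigfile" not in settings:
        findings.append(("error", "OssoConfigFile missing: mod_osso has no partner registration"))
    secure = settings.get("ossosecurecookies", "off")
    if https and secure != "on":
        findings.append(("warn", "OssoSecureCookies off on an HTTPS site: cookie can be replayed over HTTP"))
    if not https and secure == "on":
        findings.append(("error", "OssoSecureCookies on over plain HTTP: browsers will never send the cookie"))
    if settings.get("ossoipcheck", "off") == "off":
        findings.append(("info", "OssoIpCheck off: a copied cookie is accepted from any client address"))
    if not osso_protected_paths(directives):
        findings.append(("warn", "no <Location> requires an Osso user: nothing is protected"))
    return findings


if __name__ == "__main__":
    for label, conf, https in (("lab", LAB_CONF, False), ("hardened", HARDENED_CONF, True)):
        parsed = parse_apache_conf(conf)
        print(label, "protects", osso_protected_paths(parsed), osso_findings(parsed, https))
```

For the lab file the only finding is the informational OssoIpCheck note, which is the expected state for an HTTP lab partner; the same file judged as an HTTPS site produces the Secure-cookie warning, and the hardened variant judged as HTTP is flagged as broken rather than as safe, because a Secure cookie over HTTP silently locks everyone out.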

Practice 9-4: Restart OHS Partner Instance and Verify SSO to Partner
Application
Overview
In this practice, you restart the OHS partner instance for the changes made in the previous
practice to take effect, and then test to make sure the partner application URL
http://<your_windows_host>.us.oracle.com:7781 is protected by using OSSO 10g.

Tasks
1. On the command line window, navigate to
   d:\middleware\ohs_home\instances\ohs_partner\bin. Restart the OHS
   instance by using the following commands:
   opmnctl stopall
   opmnctl startall
2. Now you verify the configuration by accessing the protected application URL. Enter the URL
   http://<your_windows_host>.us.oracle.com:7781 and press Enter.
3. You should be redirected to the OSSO 10g login page (also note that the URL contains
   <your_linux_host> and 8888 as the port; that is, the redirect goes through the LBR).
4. Enter orcladmin and Welcome1 as the user ID and password.
5. Click Login. The OHS Welcome page should be displayed.


Practice 9-5: Run the Upgrade Assistant

Overview
In order to perform the partner migration to migrate the OSSO 10g partners and the user store
to the OAM 11g server, you run the Upgrade Assistant tool, which is available under
<MW_HOME>\idm_home\bin.

Tasks
1. Navigate to d:\middleware\idm_home\bin and double-click ua.bat.
2. Use the following steps as a guide to populate the fields of the Upgrade Assistant
   (Window/Page Description: Choices or Values):
   a. Welcome: Next
   b. Specify Operation: Upgrade Oracle Access Manager Middle Tier
   c. Specify Source Details:
      Properties File: D:\osso10g\sso\conf\policy.properties
      Database Host: <your_windows_host>.us.oracle.com
      Note: Use your Windows machine because the infrastructure database
      for OSSO 10g is installed on it.
      Database Port: 1521
      Database Service: asdb.us.oracle.com
      SYS Password: Welcome1
   d. Specify OID Details:
      OID Host: <your_windows_host>.us.oracle.com
      Note: This OID is the OSSO 10g user directory and not the OAM 11g
      user directory. In this exercise, they happen to be the same OID directory
      server instance so as to keep the footprint of the lab machines
      manageable and avoid having multiple OID instances running on the
      boxes. However, in reality, these two OID instances could very well be
      distinct.
      OID SSL Port: 13130
      Note: You can find this port in d:\osso10g\install\portlist.ini
      OID Password: Welcome1
   e. Specify WebLogic Server:
      Host: <your_windows_host>.us.oracle.com
      Port: 7001
      Username: weblogic
      Password: Welcome1
   f. Specify Upgrade Options: Make sure Start Destination Components after Successful
      Upgrade is selected.
   g. Examining Components: Next
   h. Upgrade Summary: Upgrade
      Note: The WebLogic node manager is invoked by the Upgrade
      Assistant to start oam_server1. If you didn't configure the
      node manager or if it is not started, you can start
      oam_server1 manually.
   i. Start Destination: OK
   j. Upgrading Components: Next
   k. Upgrade Complete: Before you click Close, read the Upgrade Summary carefully. This
      summary is also available at
      D:\middleware\idm_home\upgrade\logs\postupgrade.txt.
      View the log file by clicking the
      d:\middleware\idm_home\upgrade\logs\ua<timestamp>.log
      link.
3. Open the oam-config.xml file in WordPad under
   D:\middleware\user_projects\domains\oam_domain\config\fmwconfig to
   check that CoexistMode is set to true in oam-config.xml. This means that the 11g
   OAM server is now configured to work in coexistence mode.


Practice 9-6: View the Migrated Content and Configure User Identity
Store in OAM Admin Console
Overview
As part of the upgrade process, the Upgrade Assistant not only migrates the partner
applications from OSSO 10g to the OAM 11g server, but also migrates the user store definition
for OSSO 10g (OID 10.1.4.0.1). However, after the upgrade, it does not automatically make this
user store the primary user store.
Hence, in your labs, after the upgrade, you need to set the new user identity store as the
primary store. (The new user identity store definition is visible through the OAM admin console.)
Also note that it maps the Administrators group as the OAM administrators role in the new OID
user identity store definition in the OAM admin console.
Before you set the migratedUserIdentityStore as the primary store, you can either create a
group named cn=Administrators,cn=groups,dc=us,dc=oracle,dc=com in OID or
change the OAM administrators role value from Administrators to a group already present
in OID, such as oam_admin (in this case). Finally, you can add users to that group. Those
users will be able to log in to the OAM admin console. Do this before switching the primary
store: if the role points at a group that does not exist in the new primary store, you lock
yourself out of the console.
In this practice, you view the migrated contents by using the OAM admin console to verify that
the partner migration was successful and is ready for coexistence.

Tasks
1. Log in to the OAM admin console by using Vishal.Parashar and Welcome1. Navigate
   to System Configuration > Agents > OSSO Agents. Explore by editing the two new OSSO
   agents, one for each mod_osso that was registered with the OSSO server (port 7777, the
   front end OHS, and port 7781, the partner OHS), created as a result of the migration.
2. Navigate to Data Sources > User Identity Stores > Migrated UserIdentityStore. This is the
   new identity store definition after the migration. It is for OID 10g (on the SSL port 13130).
   Notice the OAM administrators role mapped to Administrators.
   Notice: There is a second user identity store definition on port 13060: OID_UserStore. This
   is the one you created in Practice 4.
   Change the OAM administrators role from Administrators to oam_admin. Click Apply. Click
   Set as Primary. Click Apply.
3. Navigate to the Policy Configuration tab and view the properties of the new host identifier,
   migratedSSOPartners. Observe the host names set for this host identifier.
4. View the properties of the new application domain, migratedSSOPartners. Notice that there
   are no authorization policies; only an authentication policy. Explore the authentication policy
   for migratedSSOPartners.
   Notice: The authentication scheme SSOCoexistMigrateScheme is attached to the
   authentication policy. View the properties of this scheme under the Authentication Schemes
   node (under Shared Components).


Practice 9-7: Coexistence Verification

Overview
In this practice, you test coexistence. You access the partner application and check the
cookies. Next, you shut down the OSSO server and verify that OAM 11g is able to recognize the
SSO_ID cookie and, in turn, is able to create its own cookie for the already authenticated user.
The flow is: bring the SSO 10g server up and the OAM 11g server down. Access the
protected resource (index.html). You are redirected to the SSO 10g server, via the load
balancer. Enter your credentials. After successful authentication, you are redirected to the
index.html resource. Check the cookies to see that an SSO_ID cookie was created. Now bring
the SSO 10g server down, and bring up the OAM 11g server. In the same browser, delete the
OHS cookie (Note: Do not delete the SSO 10g cookie, SSO_ID) and access the resource
again. This time you are not shown a login page but are given access to the protected
resource. If you now check the cookies in the browser, you see both SSO_ID and OAM_ID,
which means the OAM server was able to interpret the SSO 10g server's SSO_ID cookie,
recognize the session, and create an OAM_ID cookie based on the SSO_ID already present.

Tasks
1. Close all existing browsers and delete all cookies by using Tools > Clear Recent History.
2. Shut down oam_server1 by using either the WLS admin console [Domain (oam_domain)
   > Environment > Servers > Control tab > oam_server1 > Shutdown > Force Shutdown
   Now] or the command line (stopManagedWebLogic oam_server1).
3. Make sure the OSSO server and all its components are up and running by navigating to
   d:\osso10g\opmn\bin and issuing the following command from the command line:
   opmnctl status
   Note: DSA and LogLoader should be down as expected. If dcm-daemon is down, you can
   start it by using opmnctl startproc ias-component=dcm-daemon
4. Use the Firefox browser. Open the Live HTTP Headers console (Tools > Live HTTP
   Headers) and minimize the console.
5. Try to access the protected application for the partner OHS
   (http://<your_host>.us.oracle.com:7781). You should be redirected to the OSSO 10g Login
   page. Enter the credentials orcladmin and Welcome1; the FMW Welcome page should
   be displayed.
6. View the SSO_ID cookie in the Live HTTP Headers console. Click Clear and minimize the
   console.
7. On the Firefox browser menu, go to Tools > Options > Privacy > Show Cookies. Expand
   the Site nodes and remove only the OHS-<your_host>.us.oracle.com-7781 cookie and not
   the SSO_ID cookie. Click Close and then click OK.
   Note: Deleting OHS-<your_host>.us.oracle.com-7781 (the mod_osso session cookie for the
   partner) makes mod_osso send the next request back to the SSO server through the LBR.
8. Now stop the OSSO 10g server by executing:
   opmnctl stopproc ias-component=HTTP_Server and
   opmnctl stopproc ias-component=OC4J
   from d:\osso10g\opmn\bin.
9. Now bring up oam_server1 by either starting it from the WLS admin console or
   executing the following command from
   d:\middleware\user_projects\domains\oam_domain\bin:
   startManagedWebLogic oam_server1
10. Now, using the Firefox browser, refresh the page (where you had initially accessed
    http://<your_host>.us.oracle.com:7781). You should see the FMW Welcome page (without
    being challenged).
11. View the SSO_ID and OAM_ID cookies in the Live HTTP Headers console. You can also
    view the same details from Tools > Options > Privacy > Show Cookies. Observe the
    SSO_ID cookie (OSSO 10g server cookie), which was recognized by the OAM 11g server
    (hence, the resource was shown without your being challenged). Observe also the
    OAM_ID cookie, the server-side session cookie that was generated when the request
    reached the OAM 11g server.
    Note: Because the LBR health-checks both back ends (check inter 1000 in
    oamconfig.txt), it routes to whichever server is up; with the OSSO HTTP_Server stopped,
    the request can reach only OAM 11g.

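The cookie checks in steps 6 and 11 can be expressed as code. The Python below is an added example and not from the Oracle guide: it parses Set-Cookie headers as captured by Live HTTP Headers, classifies them into the four cookies this lesson deals with (SSO_ID, OAM_ID, OHS-<host>-<port>, OAMAuthnCookie_<host>:<port>), and gives a verdict for a single response: challenged (a redirect into the /sso/, /oam/ or /ngam/ login context), granted, and whether OAM 11g set OAM_ID on a request that carried SSO_ID, which is the coexistence case. The three captures are constructed, and the host names and cookie values in them are placeholders.

```python
# Cookie name prefixes as they appear in this lesson. OHS-<host>-<port> is the mod_osso
# partner cookie; OAMAuthnCookie_<host>:<port> is the 11g WebGate cookie seen in Practice 9-8.
COOKIE_KINDS = (
    ("SSO_ID", "osso10g-server"),
    ("OAM_ID", "oam11g-server"),
    ("OHS-", "mod_osso-partner"),
    ("OAMAuthnCookie_", "webgate11g-partner"),
)

# Login entry points by server: OSSO 10g under /sso, OAM 11g under /oam, coexistence under /ngam.
LOGIN_CONTEXTS = ("/sso/", "/oam/", "/ngam/")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs). Attribute names are
    lower-cased; flag attributes such as Secure and HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def cookie_kind(name):
    """Map a cookie name onto the server or agent that issues it."""
    for prefix, kind in COOKIE_KINDS:
        if name.startswith(prefix):
            return kind
    return "other"


def coexistence_verdict(status, headers, request_cookies=(), https=False):
    """Interpret one HTTP response to the protected partner URL.

    headers: list of (name, value) pairs as captured by Live HTTP Headers; several
    Set-Cookie pairs are allowed. request_cookies: names of the cookies the browser sent.
    Returns the outcome, the kinds of cookie set, whether OAM 11g recognized a 10g SSO_ID
    (outcome granted, SSO_ID sent, OAM_ID set) and any cookie-flag warnings."""
    set_cookies = [parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]
    location = next((v for k, v in headers if k.lower() == "location"), "")
    if 300 <= status < 400 and any(c in location for c in LOGIN_CONTEXTS):
        outcome = "challenged"
    elif 300 <= status < 400:
        outcome = "redirected"
    elif status == 200:
        outcome = "granted"
    else:
        outcome = f"http-{status}"
    kinds = sorted({cookie_kind(n) for n, _, _ in set_cookies})
    coexistence = (outcome == "granted"
                   and "SSO_ID" in request_cookies
                   and any(n == "OAM_ID" for n, _, _ in set_cookies))
    warnings = []
    for name, _, attrs in set_cookies:
        if cookie_kind(name) == "other":
            continue
        if https and not attrs.get("secure"):
            warnings.append(f"{name} set without Secure on an HTTPS site")
        if not attrs.get("httponly"):
            warnings.append(f"{name} readable by script (no HttpOnly)")
    return {"outcome": outcome, "cookies": kinds, "coexistence": coexistence, "warnings": warnings}


# Constructed captures for three points in the test (placeholder hosts and values, not real traffic).
FIRST_HIT = (302, [
    ("Location", "http://linuxhost.us.oracle.com:8888/sso/auth"),
])
AFTER_OSSO_LOGIN = (200, [
    ("Set-Cookie", "OHS-winhost.us.oracle.com-7781=AbCd; path=/"),
])
OAM_RECOGNIZES_SSO_ID = (200, [
    ("Set-Cookie", "OAM_ID=v1.0~XyZ; path=/; HttpOnly"),
])


if __name__ == "__main__":
    print("step 5 first hit:", coexistence_verdict(*FIRST_HIT))
    print("step 5 after login:", coexistence_verdict(*AFTER_OSSO_LOGIN, request_cookies=("SSO_ID",)))
    print("step 10 via OAM 11g:", coexistence_verdict(*OAM_RECOGNIZES_SSO_ID, request_cookies=("SSO_ID",)))
```

Feed it the status, the response headers and the names of the cookies the browser sent, read from the Live HTTP Headers console. Over plain HTTP the Secure check is skipped, which matches the lab's OssoSecureCookies off; pass https=True when the same test is run against a TLS front end, and a session cookie set without Secure is then reported.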

Practice 9-8: Replace mod_osso with OAM 11g WebGate Agent


Overview
At the end of the practice, you should be able to successfully replace a mod_osso agent with
OAM 11g WebGate agent.
WebGate agents are more popular than mod_osso because of the extra authorization
capabilities available at run time as well as the centralized session management capabilities. For
instance, an administrator can delete sessions from the OAM admin UI console, so that the user
in question is forced to re-authenticate.

Tasks
Set the primary data source to the OAM 11g data source: OID_UserStore.
1.

2.
3.
4.

Set the primary data source to the OAM 11g user data source, OID_UserStore. Note: Even
though in your lab the user data sources for both OSSO 10g (migratedUserIdentityStore)
and OAM 11g (OID_UserStore) point to the same OID instance, pretend that they are
different OID instances. In this step, you set the OAM 11g user data source as the primary.
Log in to the OAM admin console with Vishal.Parashar and Welcome1. Navigate to
System Configuration > Data Sources > User Identity Stores > OID_UserStore. Doubleclick the node to view the properties on the right pane. Click the Set as Primary button.
Click Apply.
Click the Policy Configuration tab. Click Application Domains > migratedSSOPartners >
Authentication Policies > Protected Resource Policy. Click the Edit icon. Observe that the
authentication scheme is set to SSOCoexistMigrateScheme.
Click Shared Components > Authentication Schemes > SSOCoexistMigrateScheme. Click
edit icon. Observe the context value is set as /ngam (NGAM stands for Next Generation
Access Manager).
Now click Shared Components > Authentication Schemes > LDAPScheme. Click the Edit
icon. Observe the context value is set to /oam.
Therefore, to replace the mod_osso agent with OAM 11g WebGate, you cannot reuse the
authentication policies of migratedSSOPartners, which is specific to mod_osso agent.
You have to use the authentication scheme, LDAPScheme.

Configure OAM 11g WebGate on OHS Partner Instance (Port 7781) by Using the
OAM Admin Console
5.
6.

Open a command prompt and navigate to the


D:\middleware\WebGate11g_home\webgate\ohs\tools\deployWebGate
directory.
Run the following command:
deployWebGateInstance.bat -w
d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1 -oh
D:\middleware\WebGate11g_home
-w flag indicates the OHS instance folder and the -oh indicates the WebGate Oracle home.
This command will create a WebGate folder under
d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1 and copy
the configuration files (shown below) necessary for the WebGate process under
d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\webgat
Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9


Chapter 9 - Page 21

e\tools\openssl\simpleCA (cacert.pem and cakey.pem) and


d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\webgat
e\config (oblog_config_wg.xml) directories.
The output of the above command should looks like:

7.
8.

Open a new command line window and navigate to


d:\middleware\webgate11g_home\webgate\ohs\tools\EditHttpConf directory.
Run the following command:
EditHttpConf.exe -w
d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1 -oh
D:\middleware\WebGate11g_home -o webgate.conf
Verify that
D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1 has
webgate.conf, httpd.conf.ORIG (backup file) and httpd.conf files. The last line
in httpd.conf should be:
include
"D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1/we
bgate.conf"

9.

Log in to the OAM admin console, http://<your_host>.us.oracle.com:7001/oamconsole, by


using vishal.parashar and Welcome1.
10. Click the System Configuration tab, click 11g WebGates (under Agents > OAM Agents).
Click the Create icon on the menu toolbar and specify the following property values for
registering an OAM 11g WebGate agent with the OAM 11g server:
Step  Property Name          Value
a.    Name                   oam11g_webgate_partner
b.    Base URL               http://<your_host>.us.oracle.com:7781
c.    Security               Open
d.    Host Identifier        oam11gHostID_Partner
e.    Public Resource List   /public/index.html
f.    Auto Create Policies   Selected
Click Apply. To see the output files (ObAccessClient.xml and cwallet.sso) generated as part
of the registration process, navigate to the
d:\middleware\user_projects\domains\oam_domain\output\oam11g_webgate_partner directory.
11. Copy the ObAccessClient.xml and cwallet.sso files from
D:\middleware\user_projects\domains\oam_domain\output\oam11g_webgate_partner to the
D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\webgate\config directory.

Remove mod_osso Configuration from OHS Partner (7781)


In this case, all you have to do is remove or rename the mod_osso.conf file so that the OHS
server does not load it into memory when it is started.
12. Navigate to D:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\moduleconf
and rename mod_osso.conf as mod_osso.conf.bak.
13. Restart OHS partner for the above changes to take effect. On the command line window,
navigate to d:\middleware\ohs_home\instances\ohs_partner\bin and issue the
following commands:
opmnctl stopall
opmnctl startall
14. Open the Firefox browser (clear all cookies and browser history) and type
http://<your_host>.us.oracle.com:7781. You should be redirected to the OAM 11g login
page (as OSSO 10g is down and the LBR routes the request to OAM 11g). Log in with
vishal.parashar and Welcome1. You should now see the FMW Welcome page.
15. View the OAM_ID and OAMAuthnCookie_<your_host>.us.oracle.com:7781 cookies on the
Live HTTP Headers console. You can also view the same details from Tools > Options >
Privacy > Show Cookies.

Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9


Chapter 9 - Page 23

Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9


Chapter 9 - Page 24

Practices for Lesson 10


Chapter 10

Practices Overview
In these practices, you use Access Tester to test the connection between all the OAM 11g
WebGate agents and the Oracle Access Manager 11g server. You also perform the "Is the
resource protected?" test for various resources protected by the OAM11g_WebGate agent, and
observe the authentication scheme used to protect each resource. You eventually
use the credentials to test authentication and authorization to access the resource.

Practice 10-1: Working with Access Tester


Overview
In this practice, you successfully test the connection between agents and the server, and then
try to answer the three key questions that Access Tester helps you address:
a) Is the resource protected?
b) Can you successfully authenticate?
c) Are you successfully allowed to access the resource?
You also use the Access Tester GUI console to build dummy test cases and then generate and
run the script. You explore all the XML files generated during this process.

Task
1. For this practice, change the OAM 11g WebGate to Open mode. Navigate to the OAM
admin console > System Configuration > Agents > OAM Agents > 11g webgates >
OAM11g_WebGate. Edit the properties of the agent and set Security to Open. Click Apply.
2. Launch Access Tester. On the command line window, navigate to D:\Program
Files\Java\jdk1.6.0_17\bin and enter:
java -Dlog.traceconnfile=d:\middleware\idm_home\oam\server\tester\traceconnfile.txt -jar d:\middleware\idm_home\oam\server\tester\oamtest.jar
3. On the Oracle Access Manager Test Tool window, under the Server Connection section,
type in the following:
Field                Choices or Values
Primary IP Address   <your_win_host>.us.oracle.com
Port                 5575
Agent ID             OAM11g_WebGate (agent ID is case sensitive)
4. Click the Connect button.
Read the messages on the Status section of the window. Also notice the green check mark
next to the Connect button (if the connection is successful). Notice that once the connection
is successful, you cannot change the connection details. You have to re-launch Access
Tester to specify a different connection.
5. In the Protected Resource URI section, enter the following details:
Field      Choices or Values
Host       <your_win_host>.us.oracle.com
Port       7778
Resource   /cgi-bin/protected1
6. Click the Validate button.
Read the messages on the Status section of the window. Notice the Authentication Scheme
and the Redirect URL (this is a protected resource) specified.
7. In the User Identity section, enter the following details:
Field      Choices or Values
Username   Vishal.Parashar
Password   Welcome1
8. Click the Authenticate button.
Read the messages on the Status section of the window. Notice the user DN, session ID,
and cookie values.
9. Now, click the Authorize button and observe the messages (request and responses) on the
status window.
10. Click the Clear All icon on the menu toolbar at the top of the window. Perform Steps 5
through 9 for the /mybank/testheaders.jsp resource. (You have to enter the IP
address field for your host under the User Identity section. Obtain the IP address by using
the ipconfig command on the command line window.)
11. Click the Clear All icon on the menu toolbar at the top of the window. Perform Steps 5
through 9 for the /example/internal/employeeHome.html resource. (You have to enter the
IP address field under the User Identity section.)
12. Click the File > Save Configuration menu option and specify the Save in location as
Desktop and the filename as EmployeeHomeConfig with the file type set as XML (by
default). Click Save.
13. Close the Oracle Access Manager Tester Tool window. Navigate to
d:\middleware\idm_home\oam\server\tester and open and explore the
traceconnfile.txt file.

14. Open and explore the EmployeeHomeConfig.xml file in WordPad from Desktop.
15. Invoke the Oracle Access Manager Tester Tool again (by using the instructions in Step
2).
16. Open the saved configuration, EmployeeHomeConfig.xml, by using the File > Open
Configuration option. Set Look in to Desktop and Files of type to All files.
17. Click the Connect button followed by the Validate button.
18. Start preparing a test case by using Test > Capture Last validate Request.
19. Click the Authenticate button. Continue building the test case by using Test > Capture Last
authenticate Request.
20. Finally, click the Authorize button. Continue building the test case by using Test > Capture
Last authorize Request.
21. Finish building the test case by using Test > Generate Script option. Specify the file name
as EmployeeHomeScript with the file type set as XML (by default). Save the file to
your Desktop. Click Save.
22. On the Save Warning window, click Yes to clear the captured test case queue.
23. In the Status section, notice the message, Generated Script
d:\winnt\profiles\Administrator\Desktop\EmployeeHomeScript.xml with
three cases.
24. Click the Clear Status Messages icon (bottom-right corner).
25. Run the generated test cases by using the Test > Run Script menu option. Select All Files
for the Files of Type option and select Save in as Desktop. Click on
EmployeeHomeScript and press Save. Read the messages on the Status window.
26. Close the Oracle Access Manager Tester Tool. Navigate to the d:\program
files\java\jdk1.6.0_17\bin directory. Open and explore the following files by using
WordPad: oamtest_<number>_stats.xml (Statistic log) and
oamtest_<number>_target.xml (Target script). Also, explore
EmployeeHomeScript.xml located on your Desktop.
Notes on the Access Tester tool:
a) A long URL can be imported into the Resource panel by copying the resource from the
browser's URL field and then clicking the Import button.
b) Also note that if you click the Authenticate button a few times and observe the session ID,
it does not change. The tester reuses the same session if the credentials don't change. To
change the session, you need to change the credentials. A regular agent does not do this;
the Access Tester behaves this way because creating a new session on every click could
overload the server with "test" sessions.

Practice 10-2: Using OAM-Specific WLST Commands

Overview
In this practice, you explore some of the OAM-specific WLST commands.

Tasks
1. From the command line window, navigate to d:\middleware\idm_home\common\bin.
Type wlst and press Enter.
2. Issue the command connect() to get into online mode (that is, connected to the admin
server).
3. Press Enter to accept the default username, weblogic. Enter Welcome1 for the
password. Press Enter to accept the default for the admin server URL.
4. Issue the following commands one after the other and observe the output (WLST is a
Python shell, so string arguments must be quoted):
Step  Command
a.    help('oam')
b.    displayWebgate11gAgent('OAM11g_WebGate')
c.    help('displayOAMMetrics')
d.    displayOAMMetrics()
e.    displayTopology()
f.    displayOAMServer(host='<your_host>.us.oracle.com', port=14100)
g.    displayUserIdentityStore(name='UserIdentityStore1')
h.    displayUserIdentityStore(name='OID_UserStore')
i.    displayWebgateAgent('oam10g_webgate')
j.    displayOssoAgent('OSSO10g_agent')
5. Exit WLST by using exit().

Practice 10-3: Working with Oracle Enterprise Manager Fusion Middleware Control

Overview
In this practice, you explore EM FMW Control to understand how you can use it in conjunction
with the WLS console, the OAM admin console, and command-line WLST as a set of
comprehensive management tools for operating an OAM environment.
Note: If you experience performance issues (especially on Step 3), you may want to restart the
admin and managed servers.

Tasks
1. Launch EM FMW Control from the browser: http://<your_host>.us.oracle.com:7001/em. Log
in by using the weblogic and Welcome1 credentials (both the WLS console and EM FMW
Control are applications deployed on the admin server and use the WLS embedded LDAP
by default for authentication).
2. You should see the oam_domain farm page (Farm_oam_domain). Notice the various
system components and applications:
a) Internal applications deployed on the admin or managed servers
b) WebLogic domain components: admin (AdminServer) and managed server
(oam_server1)
c) OAM 11g server under the Identity and Access node
d) All the Web tier components: various OHS instances registered with the domain,
oam_domain. (Note: You do not see the ohs_partner instance, as this instance is not
registered with the domain; that is, it is a stand-alone instance.)
3. Click the Topology link on the top-left corner to see the topology of the OAM domain
environment. The image shows you the topology of the environment.
a) Expand the + sign above AdminServer and oam_server1. You can view all the
components, including the applications deployed.
b) Place your cursor over the icons to see metrics, status, and other operational details.
c) From this page, you can not only save or print this topology diagram, but also view the
logs and create and delete components (explore the View and Farm menu options on the
top-left corner).
d) Close the Topology window.
4. From the left navigator pane, or by using links on the farm home page, navigate to the
oam_server home page (Identity and Access > OAM > oam_server). Explore the menu
option named Oracle Access Manager; in particular: Control, Performance Summary,
General Information, and WLS admin console.
5. Select the menu option Oracle Access Manager > System MBean Browser. On the left side
pane, collapse the nodes to view three categories of MBeans: Configuration, Runtime and
Application Defined.
a) Expand Application Defined MBeans > com.oracle.oam > Server:AdminServer >
Application:oam_admin > oam.wlst > OamWLST. On the right pane, notice all the OAM-specific
WLST commands under the Operations tab. Click displayWebgate11gAgent. For
the value field, type in OAM11g_WebGate and press Invoke. Notice the Return Value at
the bottom.
b) Expand Runtime MBeans > Security > domain:oam_domain >
myrealmOIDAuthenticator. Click the Operations tab on the right pane. Click userExists.
In the Value field, specify vishal.parashar and press Invoke. Notice the return value
of true. Now enter weblogic in the Value field and press Invoke; notice the false
return value. The weblogic user exists in the WLS embedded LDAP and not in OID.
6. Select the menu option Oracle Access Manager > Performance Summary. Notice the past
15 minutes of metrics. You can change the slider at the top right to see the performance
metrics at a particular point in time. You can also set the time range for the performance
metrics to be displayed by clicking the Enter Time icon next to the slider.
7. Click the Show Metrics Palette button on the top right to select more graphs and tables
showing various metrics on the Performance Summary page. Expand the OAM Client node
on the Metric Palette page. Expand Agent_OAM11g_WebGate and select all the check
boxes below the node. Click the Hide Metrics Palette button. You should now see the new
performance metrics charts and table on the Performance Summary page.
8. Select the menu option Oracle Access Manager > General Information to see the high-level
information on the domain: Host, Oracle Home, Middleware Home, Domain Home, Version,
Target Name.
9. You can also start and shut down oam_server by using the menu option Oracle Access
Manager > Control (Do not perform shutdown at this point).
10. You can also try to explore the following options (from the left navigator pane or from the
Farm home page):
a) WebLogic Domain > oam_domain > AdminServer and oam_server1
b) Web Tier > ohs1 (any one of the OHS instances)
c) Application Deployments > Internal Applications > em (AdminServer)
Application Deployments > My Bank

Practices for Lesson 11


Chapter 11

Practices for Lesson 11 (Optional)


Practices Overview
In these practices, you perform horizontal migration, which is the process of moving from the
development stage to the production environment. You perform the golden template migration,
which moves all the partner and policy data from the source (stage) to the target (production). In
this exercise, you assume that your current OAM environment on the Windows machine is the
stage environment, and you move this to the Linux machine, which serves as your production
environment. However, note that the production OAM server will continue to communicate with
the WebGates, which reside on the test machine.
Important notes:
a) The system time of the WebGate machines must match that of the OAM server machine; that
is, in your case, the Windows and the Linux machines must have the same time. You can check
the time on the Linux machine by issuing the date command in the terminal window.
b) In this lab, you create a production domain from the beginning (a completely new domain).
There is another way to create a production domain: by using the WLS Template Builder to
package the test domain and then use this template as the source to create the production
domain. The difference between these two approaches is as follows:
When creating a production domain from the beginning (a new domain), all the applications
(mybank and jee) have to be redeployed on the new domain along with any JDBC definitions
(AuditDB) or security providers (OIDAuthenticator). This definitely adds to the work of
getting the environment set up on the production machine. You also have to change the
hostname in the primary server list for the 10g and 11g WebGates and the logout redirect URL
field.
On the other hand, when creating a new production domain using the Template Builder, you
have to change the host name value of the server instance definition by using the OAM console.
Also, you have to change the serverhost value for OAMServerProfile in oam-config.xml.
And much like the first approach, you have to change the host name in the primary server list for
the 10g and 11g WebGates and the logout redirect URL field. However, the advantage of this
approach is that all the artifacts (WLS applications, JDBC definitions, security providers) in the
WLS domain do not have to be recreated on the production domain (as they are packaged and
moved over as part of the template building process).
Another difference between the two approaches is that when creating a new production domain
without the Template Builder, partner data (along with policy data) has to be migrated explicitly
by using the exportPartners and importPartners commands. This is unlike the other approach,
where partner data is migrated implicitly as a part of the domain creation process using the
template.
In this lab you use the first approach: creating the production domain without using the
Template Builder.

Practice 11-1: Prepare the Environment: Configure the Linux Box Before the Migration

Overview
In this practice, you configure your Linux machine as follows:
a) Install WLS 10.3.3.
b) Install Oracle Identity Management 11.1.1.3.0 software.
c) Create new production schemas for OAM and audit services by using RCU on the existing
11.2.0.1 database hosted on the Linux machine.
d) Create a new production domain for OAM 11g.
e) Configure the identity store for the production environment to point to OID (which was used
on the stage environment).
f) Remove SSO policies for EM and WLS Console.
g) Create OIDAuthenticator on the production WLS domain.
h) Apply a BP01 patch.

Task
Install WLS 10.3.3.
Switch to the Linux machine for this lab and perform all tasks on the Linux machine unless
explicitly asked to perform an operation on the Windows machine.
1. Enter the following command to launch the WLS installer:
java -jar /modules/stage/wls_1033/wls1033_generic.jar
2. Use the table as a guide to populate the fields:
Step  Window/Page Description                   Choices or Values
a.    Welcome                                   Next
b.    Choose Middleware Home Directory          Create a new Middleware home:
                                                /u01/app/oracle/product/middleware
c.    Register for Security Updates             Deselect "I wish to receive security updates via My Oracle Support"
d.    Are you sure?                             Yes
e.    Choose Install Type                       Typical
f.    JDK Selection                             Check, under Local JDK, Sun SDK 1.6.0_17
g.    Choose Product Installation Directories   WebLogic Server: /u01/app/oracle/product/middleware/wls_home
                                                Oracle Coherence: /u01/app/oracle/product/middleware/coherence_home
h.    Installation Summary                      Next
i.    Installation Complete                     Deselect Run QuickStart. Done
Install Oracle Identity Management 11.1.1.3.0 software
3. Navigate to the /modules/stage/iamsuite/Disk1 directory.
cd /modules/stage/iamsuite/Disk1
4. Launch the installer by using: ./runInstaller
5. Use the table as a guide to populate the fields of the Install Wizard:
Step  Window/Page Description                          Choices or Values
a.    Oracle Universal Installer command line window   Please specify the JRE/JDK location: /usr/java/jdk1.6.0_17
b.    Welcome                                          Next
c.    Prerequisite Checks                              Next
d.    Specify Installation Location                    Oracle Middleware Home: /u01/app/oracle/product/middleware
                                                       Oracle home directory: idm_home
e.    Installation Summary                             Install
f.    Installation Progress                            Next
g.    Installation Complete                            Finish
Create new production schemas for OAM and audit services by using RCU on the
existing 11.2.0.1 database hosted on the Linux machine.
6. From the terminal window, navigate to the /modules/stage/rcu/bin directory and run
rcu:
cd /modules/stage/rcu/bin
./rcu
7. Use the table as a guide to populate the fields:
Step  Window/Page Description                     Choices or Values
a.    Welcome                                     Next
b.    Create Repository                           Create
c.    Database Connection Details                 Database Type: Oracle Database
                                                  Hostname: <your_linux_host>.us.oracle.com
                                                  Port: 1521
                                                  Service Name: orcl.us.oracle.com
                                                  Username: sys
                                                  Password: Welcome1
                                                  Role: SYSDBA
d.    Checking Global Prerequisites               OK
e.    Select Components                           Create a new Prefix: PROD
                                                  Component: Identity Management: Oracle Access Manager
                                                  (Note: Audit Services will be automatically selected)
f.    Checking Component Prerequisites            OK
g.    Schema Passwords                            Use the same password for all schemas.
                                                  Password: Welcome1
                                                  Confirm Password: Welcome1
h.    Map Tablespaces                             Next
i.    Repository Creation Utility pop-up window   OK
j.    Creating Tablespaces                        OK
k.    Summary                                     Create
l.    Completion Summary                          Close

Create a new production domain for OAM 11g
8. On the terminal window, navigate to
/u01/app/oracle/product/middleware/oracle_common/common/bin.
Launch config.sh: ./config.sh
9. Use the table as a guide to populate the fields:
Step  Window/Page Description                          Choices or Values
a.    Welcome                                          Create a new WebLogic domain
b.    Select Domain Source                             Generate a domain configured automatically to support the following products:
                                                       Oracle Access Manager with Database Policy Store
                                                       Oracle Enterprise Manager
                                                       Note: Oracle JRF 11.1.1.0 [oracle_common] (Java Required Files) will automatically be selected.
                                                       Note: Basic WebLogic Server domain is automatically selected and disabled.
c.    Specify Domain Name and Location                 Domain name: prod_domain
                                                       Domain location: /u01/app/oracle/product/middleware/user_projects/domains
                                                       Application location: /u01/app/oracle/product/middleware/user_projects/applications
d.    Configure Administrator User Name and Password   Name: weblogic
                                                       Password: Welcome1
                                                       Confirm Password: Welcome1
e.    Configure Server Start Mode and JDK              Production Mode
                                                       Available JDKs: Sun SDK 1.6.0_17
f.    Configure JDBC Component Schema                  Select OAM Infrastructure
                                                       Schema Owner: prod_oam
                                                       Schema Password: Welcome1
                                                       DBMS/Service: orcl.us.oracle.com
                                                       Hostname: <your_linux_host>.us.oracle.com
                                                       Port: 1521
g.    Test Component Schema                            Next
h.    Select Optional Configuration                    Select Administration Server
                                                       Select Managed Servers, Clusters and Machines
i.    Configure the Administration Server              Next
j.    Configure Managed Servers                        Next
k.    Configure Clusters                               Next
l.    Configure Machines                               Next
m.    Configuration Summary                            Create
n.    Creating Domain                                  Done

10. Start the admin and managed servers by issuing the following commands from terminal
windows:
cd /u01/app/oracle/product/middleware/user_projects/domains/prod_domain/bin
./startWebLogic.sh
./startManagedWebLogic.sh oam_server1
11. Stop the admin and managed servers by pressing Ctrl + C on the terminal windows from
where the admin and managed servers were started.
12. Every time you start the admin and managed server, you have to enter the weblogic
username and password. If you want to avoid doing that, you can create a
boot.properties file with the username and password values. Now, when you start the
admin and managed servers, it reads the username and password from this file and starts
the servers.
On the terminal window, navigate to
/u01/app/oracle/product/middleware/user_projects/domains/prod_domain/servers/AdminServer.
Make a new directory named security. Within it, create a boot.properties file with the
contents as:
username=weblogic
password=Welcome1
cd /u01/app/oracle/product/middleware/user_projects/domains/prod_domain/servers/AdminServer
mkdir security
cd security
vi boot.properties
[press i]
username=weblogic
password=Welcome1
[Press Esc]
[Enter :wq!]
Note: The first time you start AdminServer, the contents of the boot.properties file get
obfuscated. When you use the boot.properties file, it does not prompt you to enter
username and password.
13. Perform similar steps to create a boot.properties file for oam_server1 (create a
boot.properties file in the security directory under
/u01/app/oracle/product/middleware/user_projects/domains/prod_domain/servers/oam_server1).
14. Start the admin and managed servers.
Notice that you do not get challenged for a username and password.
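Creating the two boot.properties files by hand is easy to get wrong, and until the first server start obfuscates the file it holds the cleartext administrator password. The bash script below is an added example, not part of the Oracle activity guide: it creates the file under servers/<name>/security with owner-only permissions and refuses to overwrite one that already exists (which may already hold the obfuscated values). The domain home, server names and credentials are taken from the practice and passed in as parameters.

```bash
#!/bin/bash
# Added example (not from the Oracle activity guide): create the boot.properties
# identity file for one WebLogic server so that startWebLogic.sh and
# startManagedWebLogic.sh do not prompt for credentials. Until the server's first
# start obfuscates the file it contains the cleartext password, so the file is
# written with mode 600 and an existing file is never overwritten.
# Usage: create_boot_properties <domain_home> <server_name> <username> <password>
create_boot_properties() {
    local domain_home="$1" server="$2" user="$3" pass="$4"
    local secdir="$domain_home/servers/$server/security"
    local file="$secdir/boot.properties"

    [ -d "$domain_home" ] || { echo "domain home not found: $domain_home" >&2; return 1; }
    if [ -f "$file" ]; then
        echo "$file already exists, leaving it untouched" >&2
        return 0
    fi
    mkdir -p "$secdir" || return 1
    # umask 077 applies at creation time, so the cleartext password is never
    # readable by group or others, not even for an instant before chmod.
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file" ) || return 1
    chmod 600 "$file"
    echo "created $file"
}

# Returns 0 only if the file exists, is owner read/write only (mode 600) and
# names the expected user; anything else means the server will prompt or the
# password is exposed to other local accounts.
check_boot_properties() {
    local file="$1/servers/$2/security/boot.properties" expected_user="$3"
    [ -f "$file" ] || return 1
    [ "$(stat -c '%a' "$file")" = "600" ] || return 1
    grep -q "^username=${expected_user}$" "$file"
}
```

Run it twice against /u01/app/oracle/product/middleware/user_projects/domains/prod_domain, once for AdminServer and once for oam_server1, then call check_boot_properties for each before starting the servers; it fails if the file is missing, group- or world-readable, or names a different user.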
Configure the identity store for the production environment to point to OID (which was
used on the stage environment).
15. On the Linux machine, log in to the OAM admin console by using weblogic and
Welcome1, and navigate to the User Identity Store definition node: System Configuration >
Data Sources > User Identity Stores. Create a new user identity store definition by using
the Create icon.
16. Choose the LDAP provider as OID from the pick list. Specify the rest of the values as shown
below:
Field                     Choices or Values
Name                      OID_UserStore
LDAP URL                  ldap://<your_windows_host>.us.oracle.com:13060
Principal                 cn=orcladmin
Credential                Welcome1
User Search Base          cn=users,dc=us,dc=oracle,dc=com
Group Search Base         cn=groups,dc=us,dc=oracle,dc=com
User Name Attribute       uid
OAM Administrators Role   oam_admin
Click Test Connection. Click OK on the Connection Status window with the message,
Connection to the User Identity Store successful. Click Apply to save the definition. On the left
pane, you should now see OID_UserStore along with the primary UserIdentityStore1 (WLS
Embedded LDAP).
Note: Sometimes, you may have to refresh the screen to see the update; use the Refresh icon
on the left pane menu bar.
Close the active tab (OID_UserStore) by using the X (close single tab) icon on the top-right
corner.
17. Change OID_UserStore to the primary user identity store. Double-click the
OID_UserStore node on the left pane to see the properties of the definition displayed on the
right pane. Click the Set as Primary button on the right pane. Click Apply. The Primary
check box should now appear as disabled on the properties page. Edit the properties of
UserIdentityStore1 (either by double-clicking or by using the pencil icon) and notice that the
Primary check box is now deselected. Do not log out of the OAM Admin console.
Remove SSO policies for EM and WLS Console.
18. In the OAM Admin console, navigate to Policy Configuration > Application Domains >
IDMDomainAgent > Authentication Policies > Protected Higher Level Policy.
19. Open the policy; the list of resources for the policy is displayed on the right panel.
20. Remove the following resources from the authentication policy (click to the right of the
dropdown list for the resource and click the Delete icon):
a) IDMDomain:/console
b) IDMDomain:/console/.../*
c) IDMDomain:/em
d) IDMDomain:/em/.../*
21. Click Apply.
22. Navigate to Policy Configuration > Application Domains > IDMDomainAgent >
Authorization Policies > Protected Resource Policy.
23. Open the policy; the list of resources for the policy is displayed on the right panel.
24. Remove the following resources from the authorization policy (click to the right of the
dropdown list for the resource and click the Delete icon):
a) IDMDomain:/console
b) IDMDomain:/console/.../*
c) IDMDomain:/em
d) IDMDomain:/em/.../*
25. Click Apply.
Create OIDAuthenticator on the production WLS domain.
26. Log in to the WLS console on the production Linux machine
(http://<your_linux_host>.us.oracle.com:7001/console) by using weblogic and Welcome1.
Navigate to prod_domain > Security Realm > myrealm > Providers. Click Lock and Edit in
the Change Center section (top left).
27. Click the New button. Specify Name and Type as OIDAuthenticator and
OracleInternetDirectoryAuthenticator respectively. Click OK.
28. Click the OIDAuthenticator link. Set the following properties:
Step  Window/Page Description                                 Choices or Values
a.    Common > Control Flag                                   Sufficient. Click Save.
b.    Provider Specific > Host                                <your_windows_host>.us.oracle.com
c.    Provider Specific > Port                                13060
d.    Provider Specific > Principal                           cn=orcladmin
e.    Provider Specific > Credential and Confirm Credential   Welcome1
f.    Provider Specific > User Base DN                        cn=users,dc=us,dc=oracle,dc=com
g.    Provider Specific > All Users Filter                    (&(uid=*)(objectclass=person))
h.    Provider Specific > User From Name Filter               (&(uid=%u)(objectclass=person))
i.    Provider Specific > User Name Attribute                 uid
j.    Provider Specific > Group Base DN                       cn=groups,dc=us,dc=oracle,dc=com
                                                              Click Save.
29. Navigate back to the Providers page (by using the locator link at the top). Click the Reorder
button and move OIDAuthenticator above DefaultAuthenticator by using the Up arrow. Click
OK.
30. Click the DefaultAuthenticator link. Change the Control Flag to Sufficient. Click Save.
31. Click Activate Changes on the top-left of the Change Center section.
32. Restart the admin and managed servers on the Linux machine by using the command line
(Ctrl + C to kill the running servers and then startWebLogic.sh and
startManagedWebLogic.sh oam_server1 to start the servers).
Apply BP01 patch (11.1.1.3.1).
33. Open a terminal window and set the ORACLE_HOME and PATH environment variables as
shown below (note that there must be no space after PATH=):
export ORACLE_HOME=/u01/app/oracle/product/middleware/idm_home
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/OPatch
34. Verify the OUI (Oracle Universal Installer) inventory. OPatch needs access to a valid OUI
inventory to apply patches. Validate the OUI inventory with the following command:
opatch lsinventory
Notice that there is one product installed in
/u01/app/oracle/product/middleware/idm_home (Oracle home), which is
11.1.1.3.0 Oracle IDM Suite.
35. Create a location for storing the unzipped patch. This location is sometimes referred to as
PATCH_TOP. Unzip the patch ZIP file
(/modules/stage/p10094106_111130_Generic.zip) under
/modules/stage/bp01. Hence, /modules/stage/bp01 is your PATCH_TOP.
36. Stop the admin and managed servers on the Linux machine by using Ctrl + C to kill the
running servers on the terminal windows where they are running.
37. On the terminal window, navigate to the /modules/stage/bp01/10094106 directory.
38. Apply the patch by using opatch apply. Answer y at the prompt:
Is the local system ready for patching? [y|n]
y
Once the patch has been successfully applied, you can query the inventory to see the bugs
fixed as part of this patch:
opatch lsinventory
39. Start the admin and managed servers.
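Steps 33 through 38 are a sequence of preconditions that OPatch does not all check for you before it modifies the Oracle home. The bash function below is an added example, not part of the Oracle activity guide, that sets ORACLE_HOME and PATH as the practice does and then verifies each precondition: the OPatch tool is present, an oraInst.loc pointer to the OUI inventory exists, the patch has been unzipped under PATCH_TOP in the standard OPatch layout (an etc/config directory inside the patch id directory), and no server in the domain still holds its WebLogic lock file (servers/<name>/tmp/<name>.lok, which exists while a server runs). The lock-file and patch-layout checks are assumptions about WebLogic and OPatch conventions, not something the guide states; the patch id 10094106 and the paths come from the practice.

```bash
#!/bin/bash
# Added example (not from the Oracle activity guide): pre-flight checks to run
# before "opatch apply". It sets ORACLE_HOME and PATH the way the practice does.
# Note the absence of a space after "PATH=": with a space, export sets PATH to
# the empty string and rejects the rest of the line as an invalid variable name.
# Assumptions (WebLogic/OPatch conventions, not stated in the guide):
#   - an unzipped OPatch patch lives at <patch_top>/<patch_id>/etc/config
#   - a running WebLogic server holds servers/<name>/tmp/<name>.lok
# Usage: opatch_preflight <oracle_home> <patch_top> <patch_id> <domain_home>
# Returns 0 when it is safe to cd to <patch_top>/<patch_id> and run "opatch apply".
opatch_preflight() {
    local oracle_home="$1" patch_top="$2" patch_id="$3" domain_home="$4"
    local patch_dir="$patch_top/$patch_id" rc=0 lok

    export ORACLE_HOME="$oracle_home"
    export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/OPatch

    # 1. OPatch itself must be present in the Oracle home being patched.
    if [ ! -x "$ORACLE_HOME/OPatch/opatch" ]; then
        echo "opatch not found under $ORACLE_HOME/OPatch" >&2; rc=1
    fi
    # 2. OPatch records the patch in the central inventory; oraInst.loc (in the
    #    Oracle home or /etc) tells it where that inventory is.
    if [ ! -r "$ORACLE_HOME/oraInst.loc" ] && [ ! -r /etc/oraInst.loc ]; then
        echo "no oraInst.loc found; OPatch cannot locate the OUI inventory" >&2; rc=1
    fi
    # 3. The patch must be unzipped under PATCH_TOP/<patch_id> with its metadata.
    if [ ! -d "$patch_dir/etc/config" ]; then
        echo "$patch_dir is not an unzipped OPatch patch directory" >&2; rc=1
    fi
    # 4. Patching while a server runs leaves that JVM on the old jars (step 36
    #    stops the servers first); refuse if any server still holds its lock file.
    for lok in "$domain_home"/servers/*/tmp/*.lok; do
        [ -e "$lok" ] || continue
        echo "server still running (or stale lock file): $lok" >&2; rc=1
    done
    return $rc
}
```

For the practice the call is opatch_preflight /u01/app/oracle/product/middleware/idm_home /modules/stage/bp01 10094106 /u01/app/oracle/product/middleware/user_projects/domains/prod_domain; a stale .lok left by a crashed server also trips check 4, which is intended, because it should be investigated before patching.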

Practice 11-2: Perform Horizontal Migration


Overview
In this practice, you export partners and policy data from the test machine (Windows) and then
import this partner and policy data to the production machine (Linux).

Tasks
1. On your Windows machine, connect to WLST in online mode. In a command-line
   window, navigate to d:\middleware\idm_home\common\bin and issue the wlst
   command. Connect to AdminServer for oam_domain (the test environment) by using
   the following values at the prompts:
   connect()
   Press Enter
   Welcome1
   Press Enter
   Note: If you receive a message that an insecure protocol was used to connect to the
   server, you can safely ignore the message.
2. Export partner and policy data to a temporary staging location, d:\labs\myPolicies
   and d:\labs\mypartners. Issue the following exportPolicy and exportPartners
   commands and then exit the WLST shell:
   Note: The exportPolicy command runs for several minutes.
3. Navigate to d:\labs to make sure the partner and policy data has been exported
   successfully. Note that multiple policy files (myPolicy.<number>@<host
   name>.<number>) are created for internal tracking and version control. The myPolicies
   file is the main source file, which you use to import into the production environment.
   Open the myPolicies file in WordPad and review its contents.
   Note: The myPartners file is in an unreadable format because it contains sensitive
   information about the agents.
4. Transfer the files myPartners and myPolicies from the Windows machine to the
   Linux machine by using psftp. On the Windows machine, invoke psftp from the
   d:\other\putty directory and issue the following commands:
   open <your_linux_host>.us.oracle.com
   login as: oracle
   Enter password: oracle
   lcd d:\Labs
   put myPartners
   put myPolicies

5. Navigate to the Linux machine and make sure you can see the myPartners and
   myPolicies files under the /home/oracle directory. Import the policy and partner data
   (myPolicies and myPartners) into the production environment domain (prod_domain)
   by using the importPartners and importPolicy commands.
   Note: The importPolicy command runs for several minutes.
6. Log in to the OAM admin console for prod_domain
   (http://<your_linux_host>.us.oracle.com:7001/oamconsole) by using vishal.parashar
   and Welcome1. Make sure that you can see all the partner and policy data imported
   from the test environment into the production environment.
7. Edit the protected resource policy under Authentication Policies for the OAM11g_WebGate
   application domain (on the Policy Configuration tab). Change the authentication scheme
   from ExampleLDAPScheme to LDAPScheme. Click the Response tab (clicking the Response
   tab is required before clicking Apply because of a bug that throws a Null Pointer
   Exception). Click Apply.
   Note: The reason you are changing the authentication scheme is that otherwise you would
   have to redeploy the custom login JSP (Practice 6-1, Step 7) on the production domain.
   For convenience, you use the standard SSO login page that comes with LDAPScheme.
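The export (Steps 1 and 2) and import (Step 5) halves of this practice, written as one WLST script; this is an added example, not code from the Oracle guide. It runs under wlst.cmd / wlst.sh rather than plain Python; the admin URLs and credentials are placeholders, and the keyword parameter names pathTempOAMPolicyFile and pathTempOAMPartnerFile are assumed from the OAM 11g WLST command reference, since the practice names only the commands.

```jython
# migrate_oam.py: export OAM policy and partner data from the test domain, or import it
# into the production domain. Added example; not part of the Oracle guide.
# Run under WLST, not plain Python:
#   Windows (test):   wlst.cmd migrate_oam.py export
#   Linux (prod):     ./wlst.sh migrate_oam.py import
import sys

# Placeholder connection details (assumed; adjust to your lab hosts).
TEST_ADMIN_URL = "t3://your_windows_host.us.oracle.com:7001"   # oam_domain (test)
PROD_ADMIN_URL = "t3://your_linux_host.us.oracle.com:7001"     # prod_domain (production)
ADMIN_USER = "weblogic"
ADMIN_PASSWORD = "Welcome1"   # lab password from the practice; keep it out of scripts in real use

# Staging files: written on the Windows test machine, then copied with psftp to /home/oracle
# on the Linux production machine, as in Steps 2, 4 and 5 of the practice.
TEST_POLICY_FILE = "d:/labs/myPolicies"
TEST_PARTNER_FILE = "d:/labs/myPartners"
PROD_POLICY_FILE = "/home/oracle/myPolicies"
PROD_PARTNER_FILE = "/home/oracle/myPartners"

def export_from_test():
    # Keyword names pathTempOAMPolicyFile / pathTempOAMPartnerFile are assumed from the
    # OAM 11g WLST command reference; the guide shows only the command names.
    connect(ADMIN_USER, ADMIN_PASSWORD, TEST_ADMIN_URL)
    try:
        # exportPolicy runs for several minutes.
        exportPolicy(pathTempOAMPolicyFile=TEST_POLICY_FILE)
        # myPartners is an opaque file that carries agent secrets: move it only over an
        # authenticated channel (the practice uses psftp) and delete the copies when done.
        exportPartners(pathTempOAMPartnerFile=TEST_PARTNER_FILE)
    finally:
        disconnect()

def import_into_prod():
    connect(ADMIN_USER, ADMIN_PASSWORD, PROD_ADMIN_URL)
    try:
        # Partners first, then policy, in the order the practice lists the commands.
        importPartners(pathTempOAMPartnerFile=PROD_PARTNER_FILE)
        importPolicy(pathTempOAMPolicyFile=PROD_POLICY_FILE)   # runs for several minutes
    finally:
        disconnect()

# WLST passes script arguments through sys.argv (argv[0] is the script name).
mode = len(sys.argv) > 1 and sys.argv[1] or ""
if mode == "export":
    export_from_test()
elif mode == "import":
    import_into_prod()
else:
    print "usage: migrate_oam.py export|import"
exit()
```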


Practice 11-3: Perform Post-Migration Task


Overview
In this practice, you perform two post-migration tasks.
a) Change the host name to the value of the production machine host name (Linux machine).
   Change the primary server host names for the 10g and 11g WebGate definitions, and change
   the host name in the Logout Redirect URL field for the OAM 11g WebGates. Change the
   Security mode to Open (because you are re-registering the WebGate with the OAM 11g
   server, the server and the WebGate must be in the same security mode).
b) Replace obAccessClient.xml and cwallet.sso for the OAM 11g WebGates, copying them from
   the <Domain_Home>/output/<Webgate11g_Name> directory on the Linux machine to the
   <OHS_Instance>\config\OHS\ohs1\webgate\config directory on the Windows machine.
   Replace obAccessClient.xml for the OAM 10g WebGate, copying it from the
   <Domain_Home>/output/<Webgate10g_Name> directory on the Linux machine to the
   <Webgate10g_Home>\access\oblix\lib directory on the Windows machine.

Tasks
1. On the Linux machine, log in to the OAM admin console for prod_domain
   (http://<your_linux_host>.us.oracle.com:7001/oamconsole) by using vishal.parashar
   and Welcome1.
2. Navigate to the System Configuration tab and edit each one of the OAM 10g (except
   IDMDomainAgent) and OAM 11g WebGate definitions (oam10g_webgate,
   OAM11g_WebGate and oam11g_webgate_partner) to change the server name under the
   primary server list to oam_server1. After doing so, the host name field should change to
   the host name of the Linux machine. Change the Security to Open. Also, for both OAM 11g
   WebGates, change the host name in the Logout Redirect URL field to the host name for the
   Linux machine. Click Apply.
   Note: To change IDMDomainAgent properties, you have to edit oam-config.xml.
   IDMDomainAgent is a special WebGate 10g agent. Editing the properties through the OAM
   admin console for this agent will not work.
3. Switch to the Windows machine. Double-click d:\Other\putty\psftp.exe. Transfer
   ObAccessClient.xml and cwallet.sso (in the case of OAM 11g WebGates) from
   /u01/app/oracle/product/middleware/user_projects/domains/prod_domain/output/OAM11g_WebGate
   on the Linux machine to the d:\stage directory on the Windows machine.
4. Save backups of the ObAccessClient.xml and cwallet.sso files in the
   d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config
   directory. Rename the files ObAccessClient.xml.test and cwallet.sso.test.
5. Move (Ctrl + X > Ctrl + V, or Cut and Paste) ObAccessClient.xml and cwallet.sso
   from the d:\stage directory to
   d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config.
6. Perform Steps 3, 4, and 5 again to transfer ObAccessClient.xml and cwallet.sso from
   /u01/app/oracle/product/middleware/user_projects/domains/prod_domain/output/oam11g_webgate_partner
   on the Linux machine to the
   d:\middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\webgate\config
   directory on the Windows machine for oam11g_webgate_partner.
7. Transfer ObAccessClient.xml (in the case of an OAM 10g WebGate) from
   /u01/app/oracle/product/middleware/user_projects/domains/prod_domain/output/oam10g_webgate
   on the Linux machine to the d:\stage directory on Windows (see Step 5).
8. Save a backup of ObAccessClient.xml in the
   D:\Middleware\webgate10g_home\access\oblix\lib directory. Rename the file
   ObAccessClient.xml.test.
9. Move (Ctrl + X > Ctrl + V, or Cut and Paste) ObAccessClient.xml from the d:\stage
   directory to the D:\Middleware\webgate10g_home\access\oblix\lib directory.
10. Modify mod_wl_ohs.conf under
    D:\Middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1 as shown below
    and specify the Linux host name for WebLogicHost. Click Save.
    Note: This step is only required for the mybank and jee applications (applications that
    are deployed directly on WLS).
    Note: If you want to test the mybank or jee applications on the production environment,
    you have to redeploy them on the production domain before you test them. If you were
    using the approach of creating a production domain by using the template builder, this
    step would be done implicitly as part of building the production domain from the test
    domain template.
11. Restart the OHS instances: ohs_webgate11g, ohs_webgate10g, ohs_partner. Use
    opmnctl under the <OHS_INSTANCE>/bin directory to issue the stopall and startall
    commands.


Practice 11-4: Verify a Successful Horizontal Migration


Overview
In this practice, you test to make sure the horizontal migration was successful.

Tasks
1. Switch to the Windows machine and stop the administration and managed servers by using
   the OAM admin console or by pressing Ctrl + C in the command-line windows from which
   the two servers were started.
2. Verify that you can access the example applications by using
   http://<your_windows_machine>.us.oracle.com:7778/example. Click the Employees link;
   you should see the SSO login page (note that the host name in the URL points to the
   production machine). Make sure you can log in successfully by using vishal.parashar
   and Welcome1. Click the Engineering link; you should be able to view the engineering
   department home page. If you try to access the HR or finance department home pages,
   you should get an error message.


Practice 11-5: Prepare the Environment for HA Lab


Overview
In this practice, you revert to the test environment.

Tasks
1. Stop the admin and managed servers on the Linux machine.
2. Switch to the Windows machine and rename the ObAccessClient.xml and cwallet.sso
   files as ObAccessClient.xml.prod and cwallet.sso.prod. Also, rename
   ObAccessClient.xml.test and cwallet.sso.test as ObAccessClient.xml and cwallet.sso.
   a. Navigate to
      D:\Middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config
      and rename ObAccessClient.xml and cwallet.sso as ObAccessClient.xml.prod and
      cwallet.sso.prod. Rename ObAccessClient.xml.test and cwallet.sso.test as
      ObAccessClient.xml and cwallet.sso.
   b. Navigate to
      D:\Middleware\ohs_home\instances\ohs_partner\config\OHS\ohs1\webgate\config
      and rename ObAccessClient.xml and cwallet.sso as ObAccessClient.xml.prod and
      cwallet.sso.prod. Rename ObAccessClient.xml.test and cwallet.sso.test as
      ObAccessClient.xml and cwallet.sso.
   c. Navigate to D:\Middleware\webgate10g_home\access\oblix\lib and rename
      ObAccessClient.xml as ObAccessClient.xml.prod. Rename ObAccessClient.xml.test
      as ObAccessClient.xml.
3. Modify mod_wl_ohs.conf under
   D:\Middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1 and specify the
   Windows host name for WebLogicHost. Click Save.
4. Restart the OHS instances: ohs_webgate11g, ohs_webgate10g, ohs_partner. Use
   opmnctl under the <OHS_INSTANCE>/bin directory to issue the stopall and startall
   commands.
5. Start the admin and managed servers on the Windows machine.


Practices for Lesson 12


Chapter 12


Practices for Lesson 12


Practices Overview
At this stage of the course, an 11g WebGate running on port 7778 sends requests to a single
Oracle Access Manager server instance running on port 14100.
In these practices, you modify your deployment so that the 11g WebGate sends requests to a
cluster of load-balanced Oracle Access Manager servers in order to achieve high availability.
You start by creating a WebLogic cluster. Then you retarget the data sources and applications
that are targeted to the single server instance to the cluster. You add the original server to the
cluster, and clone the original server instance to create a second server instance in the cluster.
Then you change the Oracle Access Manager configuration to recognize a second instance,
and you configure Oracle Access Manager server to write a cookie that is used transiently
during authentication.
Next, you create an Oracle HTTP Server (OHS) instance and configure it as a load balancer for
the cluster.
Finally, you configure the Oracle Access Manager 11g WebGate to recognize the multi-server
configuration, and re-register the WebGate.
After performing these steps, you have a configuration that supports both server failover and
request load-balancing. You run tests that prove:
- Requests to the Oracle Access Manager server are balanced between the two server
  instances
- If one of the server instances shuts down, requests to the Oracle Access Manager
  server are still serviced


Practice 12-1: Creating a WebLogic Server Cluster


Overview
In this practice, you create a WebLogic Server cluster.
In the next practice, you add the WebLogic managed server instance on which Oracle Access
Manager server runs to the cluster. Later in these practices, you create a second managed
server instance running Oracle Access Manager server, and add that instance to the cluster.

Assumptions
- You completed practices 3 through 11 successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Shut down the oam_server1 managed server instance.
2. Create the WebLogic Server cluster:
   a. Select oam_domain > Environment > Clusters in the Domain Structure pane. The
      Summary of Clusters page appears in the right side of the console window. The cluster
      list is empty.
   b. Click Lock and Edit in the Change Center pane.
   c. Click New. The Create a New Cluster page appears.
   d. Fill in the Name field with the value oam_cluster. Let all other fields take the default
      values.
   e. Click OK. The Summary of Clusters page reappears, with the oam_cluster cluster
      appearing in the cluster list.
      Note: The value Round Robin appears in the Default Load Algorithm column for the
      oam_cluster cluster. Round robin load-balancing ensures that each clustered server
      receives an equal number of requests.
   f. Click Activate Changes in the Change Center pane.
   g. Notice the following message that appears above the Summary of Clusters heading:
      All changes have been activated. No restarts are necessary.
   Leave the WebLogic console open at the Summary of Clusters page for the next task.


Practice 12-2: Adding the WebLogic Managed Server Instance and Targeting Oracle Access
Manager Applications and Data Sources to the Cluster

Overview
In this practice, you add the oam_server1 WebLogic managed server instance on which the
Oracle Access Manager server runs to the oam_cluster cluster that you created in the
previous practice.
Then you configure applications and data sources that were targeted to the oam_server1
server to be targeted to the oam_cluster cluster. Doing so ensures that when you create a
second server instance on the cluster, the correct set of applications are deployed to the new
server instance.

Assumptions
- You completed all previous practices successfully.
- You perform this practice on your Windows lab system.
- The WebLogic console is open at the Summary of Clusters page.

Tasks
1. Add the oam_server1 server to the oam_cluster cluster:
   a. Click Lock and Edit in the Change Center pane.
   b. Click the oam_cluster link in the cluster list. The Settings for oam_cluster page
      appears.
   c. Select the Servers tab.
   d. Click Add. The Add a Server to Cluster page appears.
   e. Verify that the value in the Select a Server field is oam_server1.
   f. Click Finish. The Settings for oam_cluster page reappears, with the oam_server1
      server appearing in the server list.
   g. Click Activate Changes in the Change Center pane.
   h. Notice the following message that appears above the Settings for oam_cluster
      heading: All changes have been activated. No restarts are necessary.
2. Retarget the oam_server application (a component of Oracle Access Manager) so that it
   is deployed to the oam_cluster cluster instead of to the oam_server1 server. By doing
   so, when you add new servers to the oam_cluster cluster, the oam_server application
   is automatically deployed to the new servers.
   a. Click Lock and Edit in the Change Center pane.
   b. Select oam_domain > Deployments in the Domain Structure pane. The Summary of
      Deployments page appears in the right side of the console window.
   c. Click Next to bring up the second page of the deployments list.
   d. Locate the oam_server application in the deployments list.
   e. Click oam_server. The Settings for oam_server page appears.
   f. Select the Targets tab. The Target Assignments list appears. The oam_server1
      server is listed in the Current Targets column.
   g. Select the check box for the oam_server application.

   h. Click Change Targets.
   i. Select All Servers in the Cluster.
   j. Click Yes.
   k. The Target Assignments list appears. Observe that the oam_cluster cluster is now
      listed in the Current Targets column.
   l. Click Activate Changes in the Change Center pane.
3. Following steps similar to the steps for retargeting the oam_server application to the
   oam_cluster cluster, retarget the login application to the oam_cluster cluster. The
   login application is the WAR file that contains the custom-branded login page for the
   Example Bakery application.
4. The DMS Application, oamsso_logout, and wsil-wls applications (components of
   Oracle Access Manager) are currently targeted to both the oam_server1 and
   AdminServer servers. Reconfigure these three applications so that they are targeted to
   the AdminServer server and the oam_cluster cluster.
   Note: The AdminServer server is not part of the oam_cluster cluster.
5. The oamDS data source is currently targeted to both the oam_server1 and AdminServer
   servers. Reconfigure the oamDS data source so that it is targeted to the AdminServer
   server and the oam_cluster cluster:
   a. Click Lock and Edit in the Change Center pane.
   b. Select oam_domain > Services > JDBC > Data Sources in the Domain Structure pane.
      The Summary of JDBC Data Sources page appears in the right side of the console
      window.
   c. Click oamDS. The Settings for oamDS page appears.
   d. Select the Targets tab. A page with a target assignments list appears. The
      AdminServer and oam_server1 servers are listed as targets.
   e. Select All Servers in the Cluster. The AdminServer server and oam_cluster cluster
      should both be selected.

   f. Click Save.
   g. Click Activate Changes in the Change Center pane.
6. Following steps similar to the steps for retargeting the oamDS data source to the
   AdminServer server and the oam_cluster cluster, reconfigure the AuditDB data
   source so that it is targeted to the AdminServer server and the oam_cluster cluster.


Practice 12-3: Creating a Second WebLogic Managed Server Instance Running Oracle Access
Manager Server

Overview
In this practice, you create the second WebLogic managed server instance on which Oracle
Access Manager server runs. Then you add that managed server instance to your WebLogic
Server cluster.

Assumptions
- You completed all previous practices successfully.
- You perform this practice on your Windows lab system.
- The WebLogic console is open.

Tasks
1. Select oam_domain > Environment > Servers in the Domain Structure pane. The Summary
   of Servers page appears in the right side of the console window.
2. Click Lock and Edit in the Change Center pane.
3. Clone the oam_server1 server to create the oam_server2 server:
   a. Select the check box for the oam_server1 server.
   b. Click Clone. The Clone a Server page appears.
   c. Fill in fields in the Clone a Server page as follows:
      Field                    Choices or Values
      Server Name              oam_server2
      Server Listen Address    (leave blank)
      Server Port              15100
   d. Click OK. The Summary of Servers page reappears, with the oam_server2 server in
      the server list. Note the following information in the server list:
      - The oam_server2 server is a member of the oam_cluster cluster.
      - The oam_server2 server is assigned to the Windows_Machine machine.
      - The status of the oam_server2 server is listed as Unknown.
   e. Click Activate Changes in the Change Center pane. The status of the oam_server2
      server changes to SHUTDOWN.
4. Review the list of servers in the oam_cluster cluster to verify that the oam_server2
   server is a member of the cluster:
   a. Select oam_domain > Environment > Clusters.
   b. Click oam_cluster.
   c. Select the Servers tab. The servers list appears and contains the oam_server1 and
      oam_server2 servers.
   Leave the WebLogic console open for the next practice.
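The console work of Practices 12-1 through 12-3 (create the cluster, add oam_server1, retarget the applications and data sources, add a second server on port 15100) as one WLST script; this is an added example, not the guide's own code. The admin URL and credentials are placeholders, the deployment and data-source names are the ones the practices show and must match your domain's config, and it uses createServer() rather than the console's Clone, so it does not copy oam_server1's other settings.

```jython
# build_oam_cluster.py: WLST script covering Practices 12-1 to 12-3 (cluster, membership,
# retargeting, second server). Added example; not the guide's own code.
# Run with oam_server1 shut down (Practice 12-1, Step 1):  wlst.cmd build_oam_cluster.py
import jarray
from javax.management import ObjectName

ADMIN_URL = "t3://your_host.us.oracle.com:7001"   # placeholder
ADMIN_USER, ADMIN_PASSWORD = "weblogic", "Welcome1"
CLUSTER = "oam_cluster"
SERVER1 = "oam_server1"
SERVER2, SERVER2_PORT = "oam_server2", 15100
MACHINE = "Windows_Machine"
# Deployment names as the practices show them; they must match what ls('/AppDeployments')
# prints in your domain (assumption: the names carry no version suffix).
CLUSTER_ONLY_APPS = ["oam_server", "login"]
ADMIN_AND_CLUSTER_APPS = ["DMS Application", "oamsso_logout", "wsil-wls"]
DATA_SOURCES = ["oamDS", "AuditDB"]

def targets(*pairs):
    """Build a Targets array from (name, type) pairs, e.g. ('AdminServer', 'Server')."""
    names = [ObjectName("com.bea:Name=%s,Type=%s" % (n, t)) for (n, t) in pairs]
    return jarray.array(names, ObjectName)

connect(ADMIN_USER, ADMIN_PASSWORD, ADMIN_URL)
edit()
startEdit()

# Practice 12-1: create the cluster (the default load algorithm is round-robin).
cd("/")
cmo.createCluster(CLUSTER)

# Practice 12-2, Step 1: make oam_server1 a member of the cluster.
cd("/Servers/" + SERVER1)
cmo.setCluster(getMBean("/Clusters/" + CLUSTER))

# Practice 12-2, Steps 2-4: cluster-wide applications follow every server in the cluster;
# the shared components stay on AdminServer as well.
for app in CLUSTER_ONLY_APPS:
    cd("/AppDeployments/" + app)
    set("Targets", targets((CLUSTER, "Cluster")))
for app in ADMIN_AND_CLUSTER_APPS:
    cd("/AppDeployments/" + app)
    set("Targets", targets(("AdminServer", "Server"), (CLUSTER, "Cluster")))

# Practice 12-2, Steps 5-6: data sources on AdminServer and the cluster.
for ds in DATA_SOURCES:
    cd("/JDBCSystemResources/" + ds)
    set("Targets", targets(("AdminServer", "Server"), (CLUSTER, "Cluster")))

# Practice 12-3: second managed server on port 15100, same machine, in the cluster.
# createServer() does not copy oam_server1's other settings the way the console's
# Clone does; the cluster targeting above is what delivers the OAM applications to it.
cd("/")
cmo.createServer(SERVER2)
cd("/Servers/" + SERVER2)
cmo.setListenPort(SERVER2_PORT)
cmo.setMachine(getMBean("/Machines/" + MACHINE))
cmo.setCluster(getMBean("/Clusters/" + CLUSTER))

save()
activate(block="true")
disconnect()
exit()
```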


Practice 12-4: Adding the Second Instance to the Oracle Access Manager Configuration

Overview
At this stage of your deployment, the Oracle Access Manager configuration contains the
definition for the Oracle Access Manager server running on port 14100, but not for the new
server running on port 15100.
In this practice, you define the second Oracle Access Manager server running on port 15100 in
the Oracle Access Manager configuration.

Assumptions
- You completed all previous practices successfully.
- You perform this practice on your Windows lab system.
- The WebLogic administration console is started.

Tasks
1. Start the oam_server1 managed server instance:
   a. In the WebLogic console, select oam_domain > Environment > Servers in the Domain
      Structure pane. The Summary of Servers page appears in the right side of the console
      window.
   b. Select the Control tab.
   c. Select the check box for the oam_server1 server.
   d. Click Start.
   e. Click Yes in response to the confirmation page.
   f. Click the Refresh icon, which appears above the text Customize this table. Observe
      the value in the State column for the oam_server1 server. When the value changes
      to RUNNING, server startup is complete.
   g. Click the Refresh icon to end the page refresh behavior.
2. Navigate to the following URL to start the Oracle Access Manager console:
   http://your_host.us.oracle.com:7001/oamconsole. Log in as the Vishal.Parashar user.
   The password is Welcome1.
3. Select the System Configuration tab.
4. Click Server Instances.
5. Click the Create icon. The Create: OAM Server page appears.
6. Fill in fields in the Create: OAM Server page as follows:
   Main Page or Tab Page    Field              Value
   Main Page                Server Name        oam_server2
   Main Page                Host               your_host.us.oracle.com
   Main Page                Port               15100
   Proxy Tab Page           Port               6575
   Proxy Tab Page           Proxy Server ID    OAMServer2Proxy
   Proxy Tab Page           Mode               OPEN
   Coherence Tab Page       Log Level
   Coherence Tab Page       Local Port         9095
   Coherence Tab Page       Log Limit          4096
7. Click Apply. The oam_server2 server now appears under Server Instances on the left side
   of the console window.
8. Log out of the Oracle Access Manager console.
9. Shut down the oam_server1 managed server instance.


Practice 12-5: Changing the Request Cache Type and Restarting the
Oracle Access Manager Servers
Overview
Authentication to Oracle Access Manager requires multiple HTTP messages between the
Oracle Access Manager server and the client. In a high availability configuration, with multiple
Oracle Access Manager servers, it is important that the client communicates with the same
Oracle Access Manager server instance from the beginning to the end of the authentication
process.
One possible way of ensuring same-server communication is to require the use of a sticky
cookie, which would force the load balancer to send the HTTP communication to the same
server. But Oracle Access Manager server does not require the use of sticky cookies. Instead,
Oracle Access Manager server writes login state information to the URL string to ensure
same-server communication.
When configuring Oracle Access Manager server for high-availability deployments, you can
enable an option to write the login state information to a cookie, thereby decreasing the size of
the URL string. This might be necessary in environments in which users' browsers enforce a
limited URL size.
Once the authentication process has completed, there is no requirement for client requests to
be processed on the same server instance.
In this practice, you change the request cache type from the BASIC type to the COOKIE type.
Support for changing the request cache type is not available in the Oracle Access Manager
console; therefore, you make the change by using the WLST utility.
Then you delete the audit.log file (the bus stop to which Oracle Access Manager server
logs audit data before the audit loader writes the data to the Oracle Database) for the
oam_server1 server. You can safely delete the audit.log file because the Oracle Access
Manager server is down. You delete this file (and the corresponding file for the oam_server2
server) in a subsequent practice when both Oracle Access Manager servers are running, in
order to verify that activity is occurring on both servers.
Note: The audit.log file for the oam_server2 server does not exist yet, because you have
not started this server yet.
At the end of this practice, you restart the administration server and both managed server
instances running Oracle Access Manager server. Restarting the administration server is
required after changing the request cache type.

Assumptions
- You completed all previous practices successfully.
- You perform this practice on your Windows lab system.
- The WebLogic administration server for the oam_domain domain is running.
- Both managed server instances running Oracle Access Manager server are shut down.

Tasks
1. If necessary, open a terminal window.
2. Start the WLST utility:
   cd d:\Middleware\idm_home\common\bin
   wlst.cmd
   After a series of messages that contain settings for the WLST environment are displayed,
   the following messages appear in the terminal window:
   Initializing WebLogic Scripting Tool (WLST) ...
   Welcome to WebLogic Server Administration Scripting Shell
   Type help() for help on available commands
   wls:/offline>
3. Connect to the administration server:
   connect("weblogic","Welcome1","t3://your_host.us.oracle.com:7001")
   The following messages appear in the terminal window:
   Connecting to t3://your_host.us.oracle.com:7001 with userid weblogic ...
   Successfully connected to Admin Server 'AdminServer' that belongs to domain 'oam_domain'.
   Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire
   security, the SSL port or Admin port should be used instead.
   wls:/oam_domain/serverConfig>
4. Display the current request cache type:
   displayRequestCacheType()
   A message should appear stating that the request cache type is BASIC.
5. Change the request cache type to COOKIE:
   configRequestCacheType(type="COOKIE")
6. Run the displayRequestCacheType command again to display the request cache type.
   The request cache type should now be COOKIE.
7. Terminate the WLST utility:
   exit()
8. Delete the audit bus stop files for the oam_server1 server:
   a. Open a Windows Explorer window to the
      D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\auditlogs\OAM
      directory.
   b. Delete the audit.log file from this directory.
9. Restart the WebLogic administration server for the oam_domain domain.
10. Start both managed server instances in the WebLogic cluster.


Practice 12-6: Creating a New OHS Instance That Will Load-Balance Oracle Access Manager
Server Instances

Overview
In this practice, you define a new Oracle HTTP Server instance that runs on port 7790. You use
this instance as the WebLogic Server cluster load balancer in subsequent practices.

Assumptions
- You completed all previous practices successfully.
- You perform this practice on your Windows lab system.
- All three servers in the oam_domain domain (the administration server and the
  oam_server1 and oam_server2 managed server instances) are started.

Tasks
1. Open a Windows Explorer window to the d:\Middleware\ohs_home\bin directory.
2. Double-click the config.bat file. The Oracle Fusion Middleware 11g Web Tier Utilities
   Configuration Wizard starts, and the Welcome (Step 1 of 9) dialog box appears.
3. Fill in fields and values in the Configuration Wizard as follows:
   a. Click Next. The Configure Components (Step 2 of 9) dialog box appears.
   b. Deselect the check box for Oracle Web Cache and click Next. The Specify WebLogic
      Domain (Step 3 of 9) dialog box appears.
   c. Fill in values in the Specify WebLogic Domain (Step 3 of 9) dialog box as follows:
      Field               Choices or Values
      Domain Host Name    your_host.us.oracle.com
      Domain Port No      7001
      User Name           weblogic
      Password            Welcome1
   d. Click Next. The Specify Component Details (Step 4 of 9) dialog box appears.
   e. Fill in values in the Specify Component Details (Step 4 of 9) dialog box as follows:
      Field                     Choices or Values
      Instance Home Location    D:\Middleware\ohs_home\instances\ohs_lb
      Instance Name             ohs_lb
      OHS Component Name        ohs1
   f. Click Next. The Configure Ports (Step 5 of 9) dialog box appears.
   g. Click Specify Ports Using Configuration File.
   h. Click View/Edit File. A text box opens.
   i. Enter the following text in the text box:
      [OPMN]
      [OHS]
      OHS Port = 7790
      [WEBCACHE]
   j. Click Save. The message, File saved successfully, appears in the Configure Ports
      (Step 5 of 9) dialog box.
   k. Click Next. The Specify Security Updates (Step 6 of 9) dialog box appears.
   l. Deselect the check box for I Wish to Receive Security Updates and click Next.
   m. Click Yes to confirm that you do not want to receive security updates. The Installation
      Summary (Step 7 of 9) dialog box appears.
   n. Click Configure. The Configuration Progress (Step 8 of 9) dialog box appears.
      Progress messages inform you about the status of the configuration operations.
   o. When configuration is 100% complete, click Next. The Installation Complete (Step 9 of
      9) dialog box appears.
   p. Click Finish.
4. Verify that the new OHS instance is operational by navigating to the URL
   http://your_host.us.oracle.com:7790. The OHS welcome page should appear.


Practice 12-7: Configuring the New OHS Instance as a Load Balancer


Overview
In this practice, you configure the OHS instance running on port 7790 as a load balancer.

Assumptions
- You completed all previous practices successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Create the D:\Middleware\ohs_home\instances\ohs_lb\config\OHS\ohs1\moduleconf\oam.conf
   file with the following content:
   NameVirtualHost *:7790
   <VirtualHost *:7790>
   ServerName your_host.us.oracle.com:7790
   RewriteEngine On
   RewriteOptions inherit
   <Location /oam>
   SetHandler weblogic-handler
   WebLogicCluster your_host_FQHN:14100,your_host_FQHN:15100
   </Location>
   <Location /login>
   SetHandler weblogic-handler
   WebLogicCluster your_host_FQHN:14100,your_host_FQHN:15100
   </Location>
   </VirtualHost>
   In the preceding example, replace the variable your_host_FQHN with your Windows
   system's fully qualified host name, for example, your_host.us.oracle.com.
2. Restart the OHS instance running on port 7790:
   a. If necessary, open a terminal window.
   b. Execute the following commands to stop and start the OHS instance:
      cd d:\Middleware\ohs_home\instances\ohs_lb\bin
      opmnctl stopall
      opmnctl startall


Practice 12-8: Configuring the Load Balancer Port Number in the Oracle Access Manager
Configuration

Overview
In this practice, you change the Oracle Access Manager server port number to port 7790, the
port number of the OHS instance acting as a load balancer.

Assumptions
- You completed all previous practices successfully.
- You perform this practice on your Windows lab system.

Tasks
1. Navigate to the following URL to start the Oracle Access Manager console:
   http://your_host.us.oracle.com:7001/oamconsole. Log in as the Vishal.Parashar user.
   The password is Welcome1.
2. Select the System Configuration tab.
3. Double-click Server Instances on the left side of the console window. The OAM Server
   Common Properties page appears in the right side of the console window.
4. Select the SSO Engine tab in the OAM Server Common Properties page.
5. Change the value of the OAM Server Port field from 14100 to 7790, the port number of the
   OHS instance acting as a load balancer.
6. Click Apply.
   Leave the Oracle Access Manager console open for the next task.

Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 12


Chapter 12 - Page 15

Practice 12-9: Modifying the Definition for the Oracle Access Manager 11g WebGate and Reconfiguring the WebGate

Overview
In this practice, you configure the Oracle Access Manager 11g WebGate definition to include the new Oracle Access Manager server. The WebGate configuration includes lists of Oracle Access Manager servers with which the WebGate communicates directly over a back channel by using the OAP protocol. At this stage of the deployment, the server list in the WebGate configuration in Oracle Access Manager includes only the original server, the server that uses port 5575 for back-channel OAP communication.
After you edit and save the WebGate configuration in the Oracle Access Manager console, Oracle Access Manager generates files that are necessary for the WebGate's configuration in OHS. You copy these files into the WebGate's OHS configuration and restart the OHS instance running the WebGate.
Note: In the interest of time, you do not configure the OHS instances protected by the 10g WebGate and the mod_osso filter to work with the load-balanced configuration. In a production deployment, you would configure all agents to work with the load-balanced configuration.

Assumptions
You completed all previous practices successfully.
You perform this practice on your Windows lab system.
The Oracle Access Manager console is open.

Tasks
1. Review the content in the output\OAM11g_WebGate directory:
   a. Open a Windows Explorer window to the D:\Middleware\user_projects\domains\oam_domain\output\OAM11g_WebGate directory.
   b. Open the ObAccessClient.xml file in the Firefox browser.
   c. Search for the primary server list. Note that the server list contains the definition for the Oracle Access Manager server that uses port 5575 for OAP communication, but not for the Oracle Access Manager server that uses port 5675.
   During partner registration, the files in the output\OAM11g_WebGate directory are copied to the 11g WebGate configuration directory. But in the current stage of deployment, the data in the files in the output\OAM11g_WebGate directory, and in the 11g WebGate configuration directory, is stale. In order for the 11g WebGate to work with the load-balanced Oracle Access Manager configuration, you must update the 11g WebGate configuration.
2. Change the 11g WebGate definition in the Oracle Access Manager console:
   a. Select the System Configuration tab.
   b. On the left side of the console window, select Agents > OAM Agents > 11g Webgates > OAM11g_WebGate.
   c. Click the Edit icon. The OAM11g_WebGate page appears in the right side of the console window.
   d. If the value of Security is Simple, change its value to Open. You need to verify that the security mode is Open because OAM requires equivalent security modes for WebGates and OAM servers when reconfiguring WebGates.
   e. In the Logout Redirect URL field, change the port number from 14100 to 7790.
   f. Locate the Primary Server List on the right side of the console window.
   g. Click the Primary Server List Add icon, the plus sign that appears to the right of the label Primary Server List. A new empty line appears in the primary server list.
   h. In the Server Name field in the new line in the Primary Server List, select the value oam_server2. Other details for the oam_server2 server are filled in the new line automatically.
   i. Change the value in the Max Number of Connections field to 1.
   Note: The number of connections impacts the load-balancing algorithm used by the WebGate to communicate with the Oracle Access Manager server over the OAP port. For this practice, you keep the number of connections small, in order to more easily demonstrate load balancing activity. In production environments, the value for this field would typically be higher.
   j. Click Apply.
3. Review the content in the output\OAM11g_WebGate directory:
   a. Open a Windows Explorer window to the D:\Middleware\user_projects\domains\oam_domain\output\OAM11g_WebGate directory.
   b. Note the time stamps of the files in the directory. The time stamps should reflect the fact that the files were just recreated.
   c. Open the ObAccessClient.xml file in the Firefox browser.
   d. Search for the primary server list. The primary server list now contains the definitions for the Oracle Access Manager servers that use ports 5575 and 6575 for OAP communication.
4. Copy the following files from the D:\Middleware\user_projects\domains\oam_domain\output\OAM11g_WebGate directory to the D:\Middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config directory:
   The cwallet.sso file
   The ObAccessClient.xml file
   A dialog box appears asking if you want to replace the existing files with the same names. Click Yes.
5. Restart the OHS instance protected by the Oracle Access Manager 11g WebGate:
   a. If necessary, open a terminal window.
   b. Execute the following commands to stop and start the OHS instance:
      cd d:\Middleware\ohs_home\instances\ohs_webgate11g\bin
      opmnctl stopall
      opmnctl startall
6. Restart the administration server and the two managed server instances running Oracle Access Manager:
   a. Shut down the oam_server1 and oam_server2 WebLogic managed server instances.
   b. Shut down the WebLogic administration server.
   c. Start up the WebLogic administration server.
   d. Start up the oam_server1 and oam_server2 WebLogic managed server instances.

Practice 12-10: Testing the High Availability Deployment

Overview
In this practice, you test the high availability deployment.
First, you verify that you can still authenticate to the Example Bakery application. Next, you shut down one of the managed server instances and authenticate. Then you start the managed server instance that you just stopped, restart the other managed server instance, and verify that you can still run the application without having to re-authenticate.

Assumptions
You completed all previous practices successfully.
You perform this practice on your Windows lab system.

Tasks
1. Demonstrate Oracle Access Manager server request load balancing:
   a. Clear cookies and cache and restart the browser.
   b. Navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example.
   c. Click Employees. The Example Bakery login page appears.
   d. Log in as user David.Goldsmith with password Welcome1. The employee portal appears.
   e. Clear cookies and cache and restart the browser.
   f. Navigate to the Example Bakery home page.
   g. Click Employees. The Example Bakery login page appears.
   h. Log in as user Vishal.Parashar with password Welcome1. The employee portal appears.
   i. Examine the two audit log bus stop files for the oam_server1 and oam_server2 servers:
      The D:\Middleware\user_projects\domains\oam_domain\servers\oam_server1\logs\auditlogs\OAM\audit.log file
      The D:\Middleware\user_projects\domains\oam_domain\servers\oam_server2\logs\auditlogs\OAM\audit.log file
      Review the records in the audit.log files to verify that both active Oracle Access Manager servers have received and handled requests.
2. Demonstrate session recovery after a single Oracle Access Manager server in a cluster goes down:
   a. Using the WebLogic console, shut down the oam_server1 managed server instance. If you do not remember how to shut down the server, refer to previous practices that provide the steps for shutting down WebLogic managed server instances.
   b. Clear cookies and cache and restart the browser.
   c. Navigate to the Example Bakery home page, http://your_host.us.oracle.com:7778/example.
   d. Click Employees. The Example Bakery login page appears.
   e. Log in as user David.Goldsmith with password Welcome1. The employee portal appears. The login session was created by the oam_server2 server, because the oam_server1 server is shut down.
   f. Start the WebLogic console in a second tab page.
   g. Using the WebLogic console, start up the oam_server1 managed server instance.
   h. Using the WebLogic console, shut down the oam_server2 managed server instance.
   i. Clear your browser's cache but not cookies.
   In the next test you perform, you verify that the user can still access protected resources without re-authenticating, even though the server on which the user authenticated is not active.
   j. Return to the tab page in which the Example Bakery application appears. Click Employees. The browser cache is refreshed, and the employee portal appears. You should not be prompted to authenticate.
   k. Examine the two audit log bus stop files for the oam_server1 and oam_server2 servers as you did in the previous tasks. Time stamps show that session validation for the David.Goldsmith user occurred after the oam_server1 server was shut down.
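The two audit-log checks this practice has you do by eye (both servers handled requests; a session created on one server was validated on the other after the first went down) can be scripted. The Python below is an added example, not part of the Oracle guide; the record layout it parses (ISO timestamp, event name, user=...) and all sample records are constructed for the example, not the real layout or content of an OAM 11g audit.log bus stop file.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample audit records for the two clustered OAM servers (task 1).
# The layout "<ISO timestamp> <EVENT> user=<name>" is an assumption made for
# this example; it is not the real layout of an OAM 11g audit.log file.
LOAD_BALANCING_LOGS: Dict[str, str] = {
    "oam_server1": """\
2011-07-14T10:02:11 AUTHENTICATION_SUCCESS user=David.Goldsmith
2011-07-14T10:02:12 AUTHORIZATION_SUCCESS user=David.Goldsmith
""",
    "oam_server2": """\
2011-07-14T10:03:40 AUTHENTICATION_SUCCESS user=Vishal.Parashar
2011-07-14T10:03:41 AUTHORIZATION_SUCCESS user=Vishal.Parashar
""",
}

# Task 2: David.Goldsmith logs in while oam_server1 is down, so oam_server2
# creates the session; oam_server2 is then shut down (constructed time below)
# and the next request is validated by the restarted oam_server1.
OAM_SERVER2_SHUTDOWN = datetime(2011, 7, 14, 10, 12, 0)
FAILOVER_LOGS: Dict[str, str] = {
    "oam_server1": """\
2011-07-14T10:15:30 SESSION_VALIDATION_SUCCESS user=David.Goldsmith
""",
    "oam_server2": """\
2011-07-14T10:09:05 AUTHENTICATION_SUCCESS user=David.Goldsmith
""",
}


class AuditRecord(NamedTuple):
    server: str
    when: datetime
    event: str
    user: str


_RECORD_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+user=(?P<user>\S+)$")


def parse_audit_log(server: str, text: str) -> List[AuditRecord]:
    """Parse one server's log text; reject any line that does not fit the layout."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"{server} line {lineno}: unrecognised record {line!r}")
        records.append(AuditRecord(server, datetime.fromisoformat(m["ts"]),
                                   m["event"], m["user"]))
    return records


def requests_per_server(logs: Dict[str, str]) -> Dict[str, int]:
    """Task 1, step i: how many audited requests each server handled."""
    return {server: len(parse_audit_log(server, text)) for server, text in logs.items()}


def load_balancing_verified(logs: Dict[str, str]) -> bool:
    """True only if every server in the cluster handled at least one request."""
    counts = requests_per_server(logs)
    return bool(counts) and all(n > 0 for n in counts.values())


def session_created_on(logs: Dict[str, str], user: str) -> Optional[str]:
    """Server that authenticated the user, i.e. the one that created the SSO session."""
    logins = [r for server, text in logs.items()
              for r in parse_audit_log(server, text)
              if r.user == user and r.event == "AUTHENTICATION_SUCCESS"]
    return min(logins, key=lambda r: r.when).server if logins else None


def session_recovery_verified(logs: Dict[str, str], user: str,
                              login_server_down_at: datetime) -> Optional[Tuple[str, str]]:
    """Task 2, step k: the session was created on one server and later validated,
    without re-authentication, on a different server after the creator went down.
    Returns (creating_server, validating_server), or None if the evidence is absent."""
    creator = session_created_on(logs, user)
    if creator is None:
        return None
    for server, text in logs.items():
        if server == creator:
            continue
        for r in parse_audit_log(server, text):
            if (r.user == user and r.event == "SESSION_VALIDATION_SUCCESS"
                    and r.when > login_server_down_at):
                return creator, server
    return None
```

To run it against a real deployment, read each server's audit.log into the dictionary and adapt _RECORD_RE to the actual record layout.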

Practices for Lesson 4 (Advanced)
Chapter 13

Practices for Lesson 4 (Advanced) (Optional)

Practices Overview
In these practices, you enable SSL certificate-based communication mode between an OAM 11g WebGate and an OAM 11g server. This is the way most production deployments configure the communication mode.
When you installed and configured the WebGate and OAM server in Lesson 3, you selected Open mode for communication. In the Lesson 4 practices, you learned how to configure Simple mode between a WebGate and an OAM 11g server as a post-install or post-configuration process (even though the option to configure Simple or Cert mode exists at the time you perform an installation or configuration).
In these practices, you assume that the communication mode was set to Open at installation and configuration time, and that you now want to configure Cert mode in the soon-to-go-live production environment.

Practice 4-1: Generate the Certificate Request and Private Key for OAM Server

Overview
In this practice, you generate both the certificate request (server_req.pem) and the private key (server_key.pem). The certificate request will be sent to a CA for issuing the certificate in the next practice.
All the tasks in the Lesson 4 (Advanced) labs are to be performed on the Windows machine.

Tasks
1. On the command line, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and issue the command as shown below:
2. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and make sure you can see the two files: server_req.pem and server_key.pem.

Practice 4-2: Obtain OAM Server Certificate and CA Certificate from MS Certificate Service

Overview
In this practice, you perform three things:
a) Download a CA certificate in Base64 as ca_cert.pem.
b) Submit a certificate request (server_req.pem) to a trusted CA (in this case, MS Certificate Authority).
c) Download a certificate in DER format as server_cert.der.

Tasks
1. Launch Internet Explorer (not Firefox). Go to http://<your_host>.us.oracle.com/certsrv.
2. Click the Download a CA Certificate, certificate chain, or CRL link.
3. Select the Base64 radio button and then click the Download CA Certificate link.
4. Click the Save button.
5. In the Save As window, select Desktop in the Save in option, select All Files in the Save as Type option, and specify the file name as ca_cert.pem.
6. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and open server_req.pem by using WordPad.
7. Remove the carriage return at the end of the paragraph (the line below the End Certificate Request line) and then copy the entire text as shown below:
8. Navigate back to http://<your_host>.us.oracle.com/certsrv in Internet Explorer.
9. Click the Request a Certificate link.
10. Click the Advanced Certificate Request link.
11. Click the Submit a Certificate Request by using a Base64-encoded CMC or PKCS #10 file, or submit a renewal request by using a Base64-encoded PKCS #7 file link.
12. Right-click and choose Paste in the Saved Request dialog box. Click Submit. Note the current time of day.
13. Go to Windows Start > Programs > Administrative Tools > Certification Authority.
14. Expand the <your_host> node and click the Issued Certificates folder.
15. Locate your certificate by its time stamp. Double-click your certificate (in the right pane). Click the Details tab followed by the Copy to File button.
16. Click Next on Welcome to the Certificate Export Wizard. Make sure the DER option is selected and click Next. Click the Browse button. On the Save As window, select Desktop in the Save in option. Select All Files in the Save as Type option and specify the file name as server_cert.der. Click Save. Click Next, followed by Finish. Click OK on the Export was Successful message window.
17. Navigate to your desktop and make sure you can see both the certificates: ca_cert.pem and server_cert.der.cer. Rename server_cert.der.cer to server_cert.der (on the confirmation window to rename the file, click Yes).

Practice 4-3: Encrypt the OAM Server Private Key by Using a Password

Overview
In this practice, you encrypt the OAM server private key by using the password Welcome1.

Tasks
1. On the command line, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and issue the command as shown below:
2. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and inspect the date modified of the server_key.pem file. It should be updated with the current time.

Practice 4-4: Retrieve the OAM Keystore Password

Overview
In this practice, you retrieve the OAM keystore password, which you will need to import CA certificates into the keystore in subsequent practices. This OAM keystore (.oamkeystore) is like a secure locker where the OAM server certificate, the CA certificate, and the private key for the OAM server certificate are kept.

Tasks
1. From the command line window, navigate to d:\middleware\idm_home\common\bin and execute wlst.
2. In the WLST shell, enter the command connect(). You will be prompted for the admin server host, port, and credentials for connection.
   Press Enter.
   Type Welcome1 and press Enter.
   Press Enter.
3. After successful connection to the admin server, enter the command domainRuntime()
4. Enter the command listCred(map="OAM_STORE",key="jks")
   The password of .oamkeystore will be printed. Note this password because it will be required to import the certificates.
5. Exit WLST by using the exit() command.

Practice 4-5: Import Private Key, CA Certificate and OAM Server Certificate into Keystore

Overview
In this practice, you perform three key steps:
a) Import a trusted certificate into the keystore by using keytool.
b) Convert a private key to DER format by using openSSL.
c) Run the importcert tool to import a private key and CA-signed certificate into the keystore.

Tasks
1. Import a trusted certificate chain into the keystore by using keytool. On the command line window, navigate to d:\middleware\ohs_home\jdk\bin and issue the following command:
   keytool -importcert -file d:\winnt\Profiles\Administrator\Desktop\ca_cert.pem
     -trustcacerts -storepass {keystorepassword_from_previous_practice}
     -keystore d:\middleware\user_projects\domains\oam_domain\config\fmwconfig\.oamkeystore
     -storetype JCEKS
   When prompted to trust this certificate, enter yes.
2. Convert the private key to DER format by using openSSL. On the command line window, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and issue the following command:
   openssl pkcs8 -topk8 -nocrypt -in server_key.pem -inform PEM -out server_key.der -outform DER
   When prompted to enter the passphrase for server_key.pem, enter Welcome1 (specified in Practice 4-3).
3. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and make sure you can see the server_key.der file.
4. Run the importcert tool to import a private key and CA-signed certificate into the keystore.
   Using Windows Explorer, navigate to D:\Middleware\idm_home\oam\server\tools\importcert and unzip importcert.zip (right-click > Winzip > Extract to here).
   Using the command line window, navigate to D:\Middleware\idm_home\oam\server\tools\importcert, set the %PATH% variable to include the JDK, and run the importcert utility:
   set PATH=D:\Program Files\Java\jdk1.6.0_17\bin;%PATH%
5. Run the import (the command is entered on a single line; on Windows the class path variable is %CLASSPATH%, not $CLASSPATH):
   java -cp importcert.jar;%CLASSPATH% oracle.security.am.common.tools.importcerts.CertificateImport
     -keystore d:\middleware\user_projects\domains\oam_domain\config\fmwconfig\.oamkeystore
     -keystorepassword qvepofo1nimjcai212dqgbejgt
     -privatekeyfile D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl\server_key.der
     -signedcertfile D:\WINNT\Profiles\Administrator\Desktop\server_cert.der
     -alias mycert -aliaspassword Welcome1
   Note: Use the screenshot shown below as help to enter the command.

Practice 4-6: Change OAM Server Common Properties and Server Instance Property

Overview
In this practice, you update the PEM Keystore alias and password by using the OAM admin console.

Tasks
1. Launch the OAM admin console and navigate to the System Configuration > Server Instances node. Click the Edit icon. On the right pane, select the OAM Proxy tab and, under Cert Mode Configuration, specify the PEM Keystore Alias as mycert (specified in the previous practice) and the PEM Keystore alias password as Welcome1 (specified in the previous practice). Click Apply.
2. Change the Server Instance Property mode to Cert. Navigate to System Configuration > Server Instances > oam_server1. Click the Edit icon. On the Proxy tab, change the Mode to Cert. Click Apply. On the Confirm window, click Yes. Then perform the same action for oam_server2.
   Note: Your deployment currently contains two clustered OAM servers. You should configure both OAM servers to use Cert mode. When you perform this practice, only oam_server1 is running, but if you were to start oam_server2 at the end of the practice, the Cert mode deployment should still work.

Practice 4-7: Generate the Certificate Request and Private Key for WebGate

Overview
In this practice, you generate both the certificate request (aaa_req.pem) and the private key (aaa_key.pem). The certificate request will be sent to the CA for issuing the certificate in the next practice.
Note: aaa_key.pem and aaa_cert.pem (from aaa_req.pem) are reserved names that have to be used for the private key and WebGate certificate.

Tasks
1. On the command line, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and issue the command as shown below:
2. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and make sure you can see the two files: aaa_req.pem and aaa_key.pem.

Practice 4-8: Obtain WebGate Certificate and CA Certificate from MS Certificate Service

Overview
In this practice, you perform three things:
a) Download a CA certificate in Base64 as aaa_chain.pem. (This step has already been done in Practice 4-2. However, the CA cert was named ca_cert.pem.)
b) Submit a certificate request (aaa_req.pem) to a trusted CA (in this case, MS Certificate Authority).
c) Download a certificate in Base64 format as aaa_cert.pem.
Note: In the case of the OAM server certificate, you had to download the certificate in DER format, because DER is the format required for storing the private key and server certificate in .oamkeystore. In the case of a WebGate, you require PEM format (not DER) for both the private key and the WebGate client certificate.
Note: The OAM server uses .oamkeystore to store X.509 artifacts, whereas a WebGate uses the file system.
Note: A WebGate requires special reserved names for X.509 artifacts (aaa_key.pem, aaa_cert.pem and aaa_chain.pem), whereas for the OAM server there is no such restriction.

Tasks
1. Download a CA certificate as aaa_chain.pem. Launch Internet Explorer (not Firefox). Go to http://<your_host>.us.oracle.com/certsrv.
2. Click the Download a CA Certificate, certificate chain, or CRL link.
3. Select the Base64 radio button and then click the Download CA Certificate link.
4. Click the Save button.
5. On the Save As window, select Desktop in the Save in option, select All Files in the Save as Type option, and specify the file name as aaa_chain.pem.
6. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and open aaa_req.pem by using WordPad.
7. Remove the carriage return at the end of the paragraph (the line below the End Certificate Request line) and then copy the entire text as shown below:
8. Navigate back to http://<your_host>.us.oracle.com/certsrv in Internet Explorer.
9. Click the Request a Certificate link.
10. Click the Advanced Certificate Request link.
11. Click the Submit a Certificate Request by using a Base64-encoded CMC or PKCS #10 file, or submit a renewal request by using a Base64-encoded PKCS #7 file link.
12. Right-click and choose Paste in the Saved Request dialog box. Click Submit. Note the current time of day.
13. Go to Windows Start > Programs > Administrative Tools > Certification Authority.
14. Expand the <your_host> node and click the Issued Certificates folder.
15. Locate your certificate by its time stamp. Double-click your certificate in the right pane. Click the Details tab followed by the Copy to File button.
16. Click Next on Welcome to the Certificate Export Wizard. Make sure the Base64-encoded X.509 option is selected and click Next. Click the Browse button. On the Save As window, select Desktop in the Save in option. Select All Files in the Save as Type option, and specify the file name as aaa_cert.pem. Click Save. Click Next followed by Finish. Click OK on the Export was Successful message window.
17. Navigate to your desktop and make sure you can see the certificate aaa_cert.pem.cer. Rename the file to aaa_cert.pem (on the confirmation window to rename the file, click Yes).
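The notes in this practice turn on the PEM-versus-DER distinction: .oamkeystore takes DER, the WebGate takes PEM, and a request pasted into certsrv must not carry a stray trailing carriage return. The Python below is an added example (not part of the Oracle guide) that converts between the two encodings, tolerates CRLF line endings and trailing blank lines, and checks that a file really is DER before it goes anywhere near the keystore tools. The sample DER object is constructed for the example and is not a real certificate; the page's server_cert.der, aaa_cert.pem and ca_cert.pem are not reproduced.

```python
import base64
import re
from typing import Tuple

# Constructed minimal DER object standing in for a certificate:
# SEQUENCE { INTEGER 42, PrintableString "oam" }. Not a real X.509 certificate.
SAMPLE_DER = bytes.fromhex("3008" "02012a" "13036f616d")

_PEM_RE = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P<end>[A-Z0-9 ]+)-----"
)


def der_to_pem(der: bytes, label: str) -> str:
    """Wrap DER bytes in the base64 PEM armor a WebGate expects (aaa_cert.pem style)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_to_der(pem: str) -> Tuple[str, bytes]:
    """Strip PEM armor and return (label, DER bytes), the form .oamkeystore needs.

    Tolerates CRLF line endings and trailing blank lines, such as the stray
    carriage return the guide has you delete before pasting a request into certsrv.
    """
    text = pem.replace("\r\n", "\n").strip()
    m = _PEM_RE.fullmatch(text)
    if m is None:
        raise ValueError("input is not a single PEM block")
    if m["begin"] != m["end"]:
        raise ValueError(f"PEM label mismatch: BEGIN {m['begin']} / END {m['end']}")
    body = "".join(m["body"].split())  # drop the 64-column line breaks
    return m["begin"], base64.b64decode(body, validate=True)


def der_envelope_ok(der: bytes) -> bool:
    """True if the outer DER tag/length header spans exactly the whole buffer.

    Catches truncated downloads and PEM text saved under a .der name.
    """
    if len(der) < 2:
        return False
    first = der[1]
    if first < 0x80:                  # short-form length
        header, length = 2, first
    elif first in (0x80, 0xFF):       # indefinite/reserved forms are not DER
        return False
    else:                             # long form: next n bytes hold the length
        n = first & 0x7F
        if len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def detect_format(data: bytes) -> str:
    """Classify a certificate file as PEM (WebGate) or DER (.oamkeystore import)."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data and data[0] == 0x30 and der_envelope_ok(data):  # X.509 objects are SEQUENCEs
        return "DER"
    return "unknown"
```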

Practice 4-9: Encrypt the WebGate Private Key by Using a Password

Overview
In this practice, you encrypt the WebGate private key by using the password Welcome1.

Tasks
1. On the command line, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and issue the command as shown below:
2. Using Windows Explorer, navigate to D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl and inspect the date modified of the aaa_key.pem file. It should be updated with the current time.

Practice 4-10: Modify WebGate 11g Definition by Using OAM Admin Console

Overview
In this practice, you change the WebGate 11g definition to reflect the security mode Cert and specify the agent key password as Welcome1 (the private key encryption password specified in Practice 4-9).

Tasks
1. Launch the OAM admin console and navigate to System Configuration > Agents > 11g WebGates > OAM11g_webgate. Click the Edit icon. Change the security mode to Cert and specify the agent key password as Welcome1. Click Apply.
2. Copy the ObAccessClient.xml, cwallet.sso and password.xml files from d:\middleware\user_projects\domains\oam_domain\output\oam11g_webgate to d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config. When asked to replace the existing files, click Yes to All.
3. Copy the aaa_key.pem file (from D:\Middleware\Webgate11g_home\webgate\ohs\tools\openssl) and the aaa_cert.pem and aaa_chain.pem files (from D:\WINNT\Profiles\Administrator\Desktop) to the d:\middleware\ohs_home\instances\ohs_webgate11g\config\OHS\ohs1\webgate\config directory.

Practice 4-11: Restart OHS and OAM 11g Server

Overview
In this practice, you restart the ohs_webgate11g instance and the oam_server1 server for the changes to take effect.

Tasks
1. From the command line window, navigate to d:\middleware\ohs_home\instances\ohs_webgate11g\bin and issue the following commands:
   opmnctl stopall
   opmnctl startall
2. Launch the WLS admin console. Using the left pane navigator, navigate to oam_domain > Environment > Servers. Click the Control tab on the right pane. Select the check box next to oam_server1 and select Shutdown > Force Shutdown Now. On the Server Life Cycle Assistant page, click Yes.
3. Select the check box next to oam_server1 and click Start. On the Server Life Cycle Assistant page, click Yes.
   Note: If you are unable to start the server, make sure the node manager is running (if it is down, start the node manager by using Start > Programs > Oracle WebLogic > WebLogic Server 11gr1 > Tools > Node Manager, or run D:\Middleware\wls_home\server\bin\startNodeManager from the command line).

Practice 4-12: Verify Cert Mode of Communication Between WebGate 11g and OAM 11g Server

Overview
In this practice, you try to access a resource (Example Bakery) that is protected by using WebGate 11g. You access employee-only pages and make sure authentication is working as expected. This verifies that the secure communication between the WebGate and OAM server, using SSL certificates, is working correctly.
To confirm that the data packets between the WebGate and OAM servers are sent encrypted over the wire, you can also use a third-party tool such as Wireshark.
Note: You cannot use Access Tester to test the connection between a WebGate and the OAM server because the mode is Cert, which is not supported by Access Tester (only Open and Simple modes are supported).

Tasks
Try accessing a protected Web site served through WebGate 11g, such as http://<your_host>.us.oracle.com:7778/example. Access the Employee link. Sign in by using Vishal.Parashar and Welcome1. Click the Engineering Department Site link. Vishal should be able to see the Engineering home page.
Since the Example Bakery Web site is protected by using WebGate 11g and is serving content using the AuthN and AuthZ policies configured on the OAM server, this shows that the SSL communication between WebGate 11g and the OAM 11g server is working correctly.