Skip to main content

Configuring Oracle Access Manager(OAM) with Window Native Authentication(WNA) for Windows Single Active Directory Domain

Prerequisites:- A windows active directory domain is installed on a Windows 2008 server. OAM 11g R2 OAM server is installed and a target is protected with OAM deployed on a webserver through a webgate agent.
  1. Login to the Active Directory server and create a user oam for WNA integration.


2. Execute ktpass command to generate a keytab file. The princ parameter needs to be HTTP/hostnameofOAMServer@DomainName. It should map to a user (oam)of AD. 

ktpass -princ HTTP/oam.example.com@EXAMPLE.COM -mapuser oam -pass password -out c:\oam.keytab 

3. Once ktpass has been executed successfully you will see that parameter User Logon Name has been modified.

4. On oam server at /etc/ directory krb5.conf file is present. Modify the file for domain name and AD server name. If File is not there please create a file with same name and provide the details as below:
5. After krb5.conf file is modified run the klist command to check the contents of oam.keytab file. Also run kinit command to authenticate to Kerberos server.

klist -k -t -K -e FILE:/app/u01/oam.keytab
kinit –V HTTP/oam.example.com@EXAMPLE.COM -k -t /app/u01 /oam.keytab

6. Create new User Identity Store which points to Active Directory(AD) server. It is not mandatory to have AD Server as a user store you can have OVD as a user store with Adapters pointing to AD server or you can have OID as a User Identity Store with Synchronization with AD Server. This AD can be set as default store if needed.
7. Modify the Kerberos Module by browsing to System Configuration --> Access Manager --> Authentication Modules --> Kerberos Authentication Module --> Kerberos. Set required parameters as per your environment configuration.
Parameter Name
Parameter Values
Name
Kerberos
Key Tab file
/app/u01/oam.keytab
Principal
HTTP/oam.example.com@EXAMPLE.COM
KRB Config File
/etc/krb5.conf


8. Go to Policy Configuration --> Application Domains --> ApplicationDomainName --> Protected Resource Policy and change the Authentication Scheme to Kerberos Scheme. This resource is the one which is already protected with OAM through existing deployed webgate.

9.  Login to the machine which Is connected to domain and open IE browser. Open Internet option and select Local Intranet from security tab. Add oam server host name in the Local Intranet sites.

10. Create a test user in Active Directory and login with that user in domain. OAM protected resource page can be accessed without any authentication asked.





    Labels:

    Comments

    Post a Comment

    Popular posts from this blog

    Developing Prepopulate Adapter with OIM 11g R2

    1.      Prepopulate Adapter in OIM uses the plugin point oracle.iam.request.plugins.PrePopulationAdapte r. 2.      Write the Java code which returns the value which has to be populated on the form. 3.      This code will implement the plugin point oracle.iam.request.plugins.PrePopulationAdapte r. Code Snippet: - package com.oracle.oim.utility.eventhandler; import java.io.Serializable; import java.util.Iterator; import java.util.List; import java.util.logging.Logger; import oracle.iam.identity.exception.NoSuchUserException; import oracle.iam.identity.exception.UserLookupException; import oracle.iam.identity.usermgmt.api.UserManager; import oracle.iam.identity.usermgmt.vo.User; import oracle.iam.platform.Platform; import oracle.iam.platform.authz.exception.AccessDeniedException; import oracle.iam.request.exception.RequestServiceException; import oracle.iam.request.vo.Beneficiary; import oracle.iam.request.vo.RequestData; public c
    5 comments
    Read more

    OIM Tuning

    Application Module tuning is a critical setting which will affect the UI performance. Following are the recommended application module settings for OIM and these are already set out-of-box (OOB) in later releases of OIM 11g R2. Ensure that these settings are implemented as recommended in your environment. -Djbo.ampool.doampooling=true -Djbo.ampool.minavailablesize=1 -Djbo.ampool.maxavailablesize=120 -Djbo.recyclethreshold=60 - Djbo.ampool.timetolive=-1 -Djbo.load.components.lazily=true - Djbo.doconnectionpooling=true -Djbo.txn.disconnect_level=1 - Djbo.connectfailover=false -Djbo.max.cursors=5 - Doracle.jdbc.implicitStatementCacheSize=5 - Doracle.jdbc.maxCachedBufferSize=19 open DOMAIN_HOME/bin/setDomainEnv.sh file for the WebLogic Server instance.find these lines: JAVA_OPTIONS="${JAVA_OPTIONS}" export JAVA_OPTIONS and change it to: JAVA_OPTIONS="-Djbo.ampool.doampooling=true -Djbo.ampool.minavailablesize=1 -Djbo.ampool.maxavailablesize=120 -D
    Post a Comment
    Read more

    What is Application Instance

    Application instance is a provisionable entity. It is a combination of IT resource instance (target connectivity and connector configuration) and resource object (provisioning mechanism) . Creating and managing application instances are performed by using the Oracle Identity System Administration. Once Created Application Instance can be requested from the catalog. Application instances can be connected or disconnected.  Connected application  instance -It has a connector defined for the provisioning of entities. Account is created in the target system real time in case of connected Application Instance. Disconnected  application instance - It is used for the provisioning of a disconnected resource, for which  a connector is not defined, and therefore, the provisioning is performed manually by the administrator. A mail trigger system can also be attached which sends the account creation/modification/deletion mails to the application owner.
    Post a Comment
    Read more