4 System Configuration: Servers, Data Sources, and Agents
Copyright © 2010, Oracle and/or its affiliates. All rights reserved.

Objectives
After completing this lesson, you should be able to:
• Manage servers by using the OAM administration (admin) console and the Oracle WebLogic Server (WLS) admin console
• Manage data sources
  – User Identity Store
• Register and manage agents by using the OAM admin console
• Register agents remotely
• Secure communication between a WebGate and the OAM server

Practice Overview: Installing and Configuring OHS 11g
This practice covers the following topics:
• Practice 4-1: Install and configure OHS 11g instances

Road Map
• Managing OAM servers
• Installing and configuring agents
• Registering agents: the OAM admin console, in-band, out-of-band
• Understanding WLS agents
• Managing data sources
• Securing communication between agents and the OAM server

Servers
Oracle Access Manager servers are of two types:
• OAM administration server
• OAM managed server
  – Contains the embedded OAM and OSSO proxy servers to support backward compatibility
OAM servers are initially created by using:
• The WLS Configuration Wizard
OAM servers are managed by using:
• The OAM admin console (primary management interface)
• The WLST command-line interface
• The WLS admin console: status, start/stop
• The EM FMW Control: view logs, start/stop, monitoring, operational metrics

Creating and Deleting a New Managed Server

Managing Servers
• The OAM admin server is also known as the WLS admin server AdminServer (admin)
  – The OAM admin console and EM FMW Control run within the admin server
• The OAM run-time server runs within the OAM managed server oam_server1 (default name)
• By using the WLS Configuration Wizard, the WLS admin console, or the WLST CLI you can:
  – Create new managed servers (for clustering and high availability)
  – Change the default name and port for managed servers
• By using the OAM admin console or the WLST CLI you can:
  – Create the definition for new managed servers
  – Set the individual and common server properties

Individual Server Properties
• OAM admin console > System Configuration tab > Server Instances > server_name
• Server Properties:
  – Site Name: a name for the server instance, defined during initial configuration by using the Configuration Wizard
  – Host: the full DNS name (or IP address) of the computer that is hosting the server instance
  – Port: the port on which this server communicates
  – OAM Proxy:
    — WebLogic Port: WLS listening port
    — Port: OAM proxy instance port
    — Proxy Server ID: identifier of the computer on which the OAM proxy resides
    — Mode: transport security setting for the OAM proxy
  – Coherence

OAM Proxy
• Motivation for the OAM proxy:
  – The OAM proxy is installed with each managed server for the OAM server and is used for communication between WebGates and the OAM 11g server
  – It is used as a legacy access server to provide backward compatibility for OAM 10g agents that are registered with the OAM 11g server
  – It coexists with 10g WebGates/ASDK
  – It supports OAM 11g WebGates
• Functionality:
  – It shields the 11g server from client-specific behavior and protocol
  – It supports the OAP (formerly known as NAP) back channel from WebGates to the 11g server; the default port is 5575
  – It supports the HTTP front-channel request handling required for WebGates

Managing Servers from the WLS Admin Console and Command Line
• WLS Admin Console > > Environment > Servers
• Common operations:
  – Start/Stop screenshots
  – Show Deployments tab
  – Show both admin and managed server for OAM
• Command-line option to start:
  – Admin server: startWebLogic.cmd
  – Managed server: startManagedWebLogic.cmd server_name http://admin_server_host:admin_server_port

Generating Private Key, Certificate Request, and Downloading Certificates from CA
1. Generate both the certificate request (aaa_req.pem) and the private key (aaa_key.pem):
   – openssl req -new -keyout aaa_key.pem -out aaa_req.pem -config openssl_silent_ohs11g.cnf -utf8 -nodes
2. Submit the certificate request (aaa_req.pem) to a trusted CA.
3. Download the CA certificate in Base64 as aaa_chain.pem.
4. Download the certificate both in Base64 and DER format as aaa_cert.pem and aaa_cert.der.
5. Encrypt the private key (aaa_key.pem) by using a password:
   – openssl rsa -in aaa_key.pem -passin pass: -out aaa_key.pem -passout pass:****** -des
     (-passin pass: is empty because the key was generated with -nodes; -des selects single DES, which OpenSSL 3 moves to the legacy provider, so -aes256 is the stronger choice)

Configuring OAM Server to Use Certificates
6. Retrieve the OAM keystore password:
7. Import the CA-signed certificates into the keystore:
   a. Import the trusted certificate chain (aaa_chain.pem) by using keytool (use the value from Step 6 for storepass):
      — keytool -importcert -file aaa_chain.pem -trustcacerts -storepass {PASSWORD} -keystore /user_projects/domains//config/fmwconfig/.oamkeystore -storetype JCEKS
   b. Convert the private key (aaa_key.pem) and the signed certificate (aaa_cert.pem) to DER format by using OpenSSL or any other tool:
      — openssl pkcs8 -topk8 -nocrypt -in aaa_key.pem -inform PEM -out aaa_key.der -outform DER
      — openssl x509 -in aaa_cert.pem -inform PEM -out aaa_cert.der -outform DER (skip if aaa_cert.der already exists from Step 4)
Configuring OAM Server to Use Certificates
   c. Run the importcert tool:
      — Unzip importcert.zip under /oam/server/tools/importcert
      — java -cp importcert.jar;$CLASSPATH oracle.security.am.common.tools.importcerts.CertificateImport
      — The tool reports its syntax when run without the required parameters:
        Required parameters not specified:
        Syntax: -keystore -keystorepassword -privatekeyfile -signedcertfile -alias [-aliaspassword ] -help
8. Set the following OAM server common properties by using the values from Step 7c (-alias and -aliaspassword):
   – PEM Keystore Alias
   – PEM Keystore Alias Password
9. Change the server instance property Mode to Cert:

Configuring WebGate to Use Certificates
10. Modify the WebGate definition by using the OAM admin console:
   – Specify the security mode as CERT
   – Specify the agent key password as the password used to encrypt the private key in Step 5
11. Copy the following files from /output/ to /config/OHS/ohs1/webgate/config:
   a. ObAccessClient.xml
   b. cwallet.sso
   c. password.xml
12. Copy the following files from Steps 3, 4, and 5 to /config/OHS/ohs1/webgate/config:
   – aaa_key.pem
   – aaa_cert.pem
   – aaa_chain.pem
13. Restart oam_server1 and the OHS instance.

Summary
In this lesson, you should have learned how to:
• Manage servers by using the OAM administration (admin) console and the Oracle WebLogic Server (WLS) admin console
• Manage data sources
  – User Identity Store
• Register and manage agents by using the OAM admin console
• Register agents remotely
• Secure communication between a WebGate and the OAM server

Quiz
The OAM proxy server is primarily used for:
a. Supporting third-party agents
b. Providing backward compatibility for OSSO 10g and OAM 10g agents
c. Supporting the SSL handshake between the agents and the server
d. All of the above

Quiz
Registering agents with the OAM server can be done by:
a. Using the OAM admin console
b. Using the oamreg tool in in-band mode
c. Using the oamreg tool in out-of-band mode
d. All of the above

Quiz
The main configuration file for OAM 11g is:
a. Config.xml
b. oam-policy.xml
c. oam-config.xml
d. oam11g.xml

Quiz
The primary role of a WLS agent (OAM agent) is:
a. To provide SSO for Oracle Identity Management administration consoles
b. To provide a default agent to use for protecting user-defined resources
c. To provide WebLogic Server J2EE application security
d. To support OAM proxy server functionality

Quiz
To configure OID as the user identity store for OAM 11g, perform the following steps:
a. Define the OID store definition in OAM 11g
b. Set the control flag for OIDAuthenticator to Sufficient and DefaultAuthenticator to Sufficient
c. Define OIDAuthenticator on WLS and reorder it above DefaultAuthenticator
d. All of the above

Practice Overview: SSL Enabling WebGate and OAM 11g Server
This practice covers the following topics:
• Practice 4-22: Mode of communication: WebGate and OAM 11g server - Setting server mode to Simple
• Practice 4-23: Mode of communication: WebGate and OAM 11g server - Setting OAM 11g WebGate mode to Simple
• Practice 4-24: Restart the OHS instance and verify the results
• Practice 4-25: Change server mode to Open and test WebGate communication
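Worked example for the certificate procedure (Steps 1 to 13 above) and the SSL practices: an added shell script that is not part of the Oracle course. It reproduces the OpenSSL steps with a throwaway lab CA in place of the trusted CA, checks that aaa_key.pem, aaa_cert.pem and aaa_chain.pem belong together before they are imported with keytool/importcert or copied to webgate/config, and produces the encrypted key and the DER files. The WORK directory, the lab CA, the host name, the password, and AES-256 in place of -des are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle course: build a lab key/CSR/certificate set
# named like aaa_key.pem, aaa_req.pem, aaa_cert.pem and aaa_chain.pem, then check
# the set is consistent before it goes into .oamkeystore or webgate/config.
# A throwaway self-signed CA stands in for the trusted CA of Step 2 (lab only).
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (constructed, not an OAM path)

make_test_material() {
  # the lab CA certificate plays the role of aaa_chain.pem
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=lab-ca" \
    -keyout "$WORK/ca_key.pem" -out "$WORK/aaa_chain.pem" 2>/dev/null
  # Step 1: private key and certificate request (-nodes: key not yet encrypted)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=oamhost.example.test" \
    -keyout "$WORK/aaa_key.pem" -out "$WORK/aaa_req.pem" 2>/dev/null
  # Steps 2-4: the lab CA signs the request; aaa_cert.pem is the result
  openssl x509 -req -in "$WORK/aaa_req.pem" -CA "$WORK/aaa_chain.pem" \
    -CAkey "$WORK/ca_key.pem" -CAcreateserial -days 1 \
    -out "$WORK/aaa_cert.pem" 2>/dev/null
  # an unrelated key, used only to show that a mismatch is detected
  openssl genpkey -algorithm RSA -out "$WORK/other_key.pem" 2>/dev/null
}

# verify_cert_set KEY CERT CHAIN [KEYPASS]: returns 0 when KEY matches the
# public key in CERT and CERT chains to CHAIN, 1 otherwise.
verify_cert_set() {
  key_pub=$(openssl pkey -in "$1" -passin "pass:${4:-}" -pubout -outform DER \
              2>/dev/null | openssl dgst -sha256)
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin \
              -outform DER | openssl dgst -sha256)
  [ "$key_pub" = "$cert_pub" ] || { echo "private key does not match $2" >&2; return 1; }
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 \
    || { echo "$2 does not chain to $3" >&2; return 1; }
}

# Step 5 and Step 7b: encrypt the key for WebGate and produce the DER forms the
# importcert tool expects. AES-256 replaces the course's -des (single DES is a
# legacy-provider cipher in OpenSSL 3).
prepare_for_oam() {   # $1 = key password (the agent key password of Step 10)
  openssl rsa -in "$WORK/aaa_key.pem" -aes256 -passout "pass:$1" \
    -out "$WORK/aaa_key_enc.pem" 2>/dev/null
  openssl pkcs8 -topk8 -nocrypt -in "$WORK/aaa_key.pem" -inform PEM \
    -out "$WORK/aaa_key.der" -outform DER
  openssl x509 -in "$WORK/aaa_cert.pem" -inform PEM -out "$WORK/aaa_cert.der" -outform DER
  # round-trip check: both DER files must still parse
  openssl pkey -in "$WORK/aaa_key.der" -inform DER -noout \
    && openssl x509 -in "$WORK/aaa_cert.der" -inform DER -noout
}
```

Run verify_cert_set against the real aaa_key.pem, aaa_cert.pem and aaa_chain.pem downloaded from the CA (passing the Step 5 password as the fourth argument once the key is encrypted) before Step 7 and again before Step 12; a mismatched key or a wrong chain file is caught here rather than as a failed WebGate handshake after the restart in Step 13.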