OAM 11gPS3 WNA Fallback to FORM

Pre-requisite: Apply Bundle Patch 11.1.2.3.180116

How it works:
When NTLM and Kerberos authentication do not work with a browser (for example a browser on a machine that is not domain-joined), the OAM Server responds with an authorization error (403) and HTML content in the body of the response. By default, OAM displays an authorization error page with a Login button. The user clicks the Login button on the customized page to invoke the WNA fallback to FORM-based authentication. When the user clicks the Login button, OAM sets the cookie "OAM_WNA_OPT_OUT". When this cookie is set to true, it tells the OAM server to challenge the user with FORM-based authentication when the browser presenting the cookie does not support WNA authentication.

Once the configuration below is in place, OAM falls back to FORM authentication when validation of the SPNEGO token fails. This use case is supported only when the KerberosTokenAuthenticator plugin is used.

  1. Ensure that all WLS servers are stopped.
  2. Open oam-config.xml for editing, search for Version from the top and increment its value.
  3. Search for WNAOptions and set the value of HandleNTLMResponse to FORM.
  4. Add the lines below.
  5. Under <Setting Name="KerberosTokenAuthenticator" Type="htf:map">
    ...
    under <Setting Name="initParameters" Type="htf:list">
    ...
    add the following entry (Name="4" here, the next index after the existing entries):
    <Setting Name="4" Type="htf:map">
    <Setting Name="name" Type="xsd:string">KEY_FORM_FALLBACK_ENABLED</Setting>
    <Setting Name="type" Type="xsd:string">string</Setting>
    <Setting Name="value" Type="xsd:string"></Setting>
    <Setting Name="length" Type="xsd:integer">256</Setting>
    <Setting Name="globalUIOverride" Type="xsd:boolean">false</Setting>
    <Setting Name="instanceOverride" Type="xsd:boolean">false</Setting>
    <Setting Name="mandatory" Type="xsd:boolean">false</Setting>
    </Setting>

  6. Optional step
    The OAM_WNA_OPT_OUT cookie is set as a persistent cookie by default. To make it a session cookie instead, add the following:
    <Setting Name="IsOptOutPersistent" Type="xsd:boolean">false</Setting>

    To use a custom authorization error page when WNA fails, add the following under WNAOptions:

  7. <Setting Name="CustomOptOutPage" Type="xsd:string">/home/custom.html</Setting>

  8. Start all servers.
  9. Do one of the following:
    • Modify KerberosPlugin from OAM Console –> Authentication Modules (or whichever authentication module you use for the Kerberos authentication plugin).

      Add a new step, KTA (a new step is needed because the newly added parameter is not shown when editing an existing step). Set KEY_FORM_FALLBACK_ENABLED to true and update the step orchestration to use the newly created KTA step.

      OR

    • Edit KerberosTokenAuthenticator from OAM Console –> Plugins and set KEY_FORM_FALLBACK_ENABLED to true.

  10. Configure a pre-authentication rule that switches to the FORM-based scheme when the OAM_WNA_OPT_OUT cookie is present in the request.
    Go to Application Domain –> Authentication Policies –> select the WNA authentication policy –> under the Advanced Rules tab, click the Pre-Authentication tab.
    Click Add.
    Rule: str(request.requestMap['Cookie']).lower().find('oam_wna_opt_out=true') >= 0
    Click Add and Apply.
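As an added example (not OAM's tooling and not from the original post), the Python script below applies steps 2 to 5 to a constructed, simplified oam-config.xml excerpt: it increments Version, sets HandleNTLMResponse to FORM and appends the KEY_FORM_FALLBACK_ENABLED entry to the plugin's initParameters list. Instead of hard-coding Name="4" it computes the next free index and refuses to add the parameter twice. The sample's element nesting, namespace prefixes and existing parameter names (EXISTING_PARAM_A/B) are assumptions; the lookups match on the Setting Name attribute so they do not depend on the real file's layout.

```python
"""Apply the WNA-fallback edits (steps 2-5) to an oam-config.xml excerpt.

Added example, not OAM code. The XML below is a constructed, simplified
sample: the real file nests these settings deeper and uses a default
namespace, so every lookup here is by Setting Name rather than by path.
"""
import xml.etree.ElementTree as ET

# Constructed sample (not a real oam-config.xml); starting values are placeholders.
SAMPLE_OAM_CONFIG = """<Configuration xmlns:htf="http://higgins.eclipse.org/xmlns/higgins/1.0"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Setting Name="Version" Type="xsd:integer">117</Setting>
  <Setting Name="WNAOptions" Type="htf:map">
    <Setting Name="HandleNTLMResponse" Type="xsd:string">PLACEHOLDER</Setting>
  </Setting>
  <Setting Name="KerberosTokenAuthenticator" Type="htf:map">
    <Setting Name="initParameters" Type="htf:list">
      <Setting Name="0" Type="htf:map">
        <Setting Name="name" Type="xsd:string">EXISTING_PARAM_A</Setting>
      </Setting>
      <Setting Name="1" Type="htf:map">
        <Setting Name="name" Type="xsd:string">EXISTING_PARAM_B</Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>
"""

# The entry the page adds, field by field (None = filled with the parameter name).
NEW_PARAM_FIELDS = [
    ('name', 'xsd:string', None),
    ('type', 'xsd:string', 'string'),
    ('value', 'xsd:string', ''),
    ('length', 'xsd:integer', '256'),
    ('globalUIOverride', 'xsd:boolean', 'false'),
    ('instanceOverride', 'xsd:boolean', 'false'),
    ('mandatory', 'xsd:boolean', 'false'),
]


def _local(tag):
    """Strip a namespace prefix so the code also works on a file with a default xmlns."""
    return tag.rsplit('}', 1)[-1]


def find_setting(node, name):
    """First <Setting Name="..."> found depth-first at or below node."""
    for el in node.iter():
        if _local(el.tag) == 'Setting' and el.get('Name') == name:
            return el
    raise KeyError('no Setting named %r' % name)


def setting_children(node):
    """Direct <Setting> children of a map or list setting."""
    return [c for c in node if _local(c.tag) == 'Setting']


def serialize(root):
    return ET.tostring(root, encoding='unicode')


def enable_form_fallback(xml_text, param_name='KEY_FORM_FALLBACK_ENABLED'):
    root = ET.fromstring(xml_text)
    # Step 2: bump Version, otherwise the servers ignore the edited file.
    version = find_setting(root, 'Version')
    version.text = str(int(version.text) + 1)
    # Step 3: WNAOptions -> HandleNTLMResponse = FORM
    find_setting(find_setting(root, 'WNAOptions'), 'HandleNTLMResponse').text = 'FORM'
    # Steps 4-5: append the parameter to the plugin's initParameters list.
    params = find_setting(find_setting(root, 'KerberosTokenAuthenticator'), 'initParameters')
    entries = setting_children(params)
    if any(find_setting(e, 'name').text == param_name for e in entries):
        raise ValueError('%s is already defined; do not add it twice' % param_name)
    # List entries are named "0", "1", ...; the page hard-codes "4", this computes it.
    next_index = 1 + max((int(e.get('Name')) for e in entries), default=-1)
    entry = ET.SubElement(params, params.tag, Name=str(next_index), Type='htf:map')
    for name, typ, value in NEW_PARAM_FIELDS:
        child = ET.SubElement(entry, params.tag, Name=name, Type=typ)
        child.text = param_name if value is None else value
    return root


if __name__ == '__main__':
    print(serialize(enable_form_fallback(SAMPLE_OAM_CONFIG)))
```

Run it against a copy of the real file only after stopping the servers (step 1). xml.etree drops namespace declarations that are referenced only from attribute values such as Type="htf:map", so diff the output against your backup and restore the xmlns:htf and xmlns:xsd declarations on the root element if they went missing, or use lxml, which preserves them.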

Test: (from a browser on a non-domain machine)

  1. Request a resource protected by the WNA authentication scheme.
  2. When WNA fails, the user is redirected to the authorization error page.
  3. Click the Login button (OAM sets the OAM_WNA_OPT_OUT cookie); the pre-authentication rule is evaluated and the user is redirected to FORM authentication as the fallback.
  4. Supply the username and password to log in.
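To see exactly what the pre-authentication rule from step 10 tests, here is an added Python port of it (OAM evaluates these conditions as Jython expressions, so the syntax carries over almost unchanged) next to a stricter check that parses the Cookie header and matches the cookie name exactly. The request headers are constructed for the example; none of this is OAM code.

```python
"""The OAM_WNA_OPT_OUT pre-authentication rule, ported to plain Python.

Added example with constructed request headers; not OAM code.
"""

OPT_OUT_COOKIE = 'OAM_WNA_OPT_OUT'


def oam_rule_matches(headers):
    """Literal port of the page's rule:
        str(request.requestMap['Cookie']).lower().find('oam_wna_opt_out=true') >= 0
    A missing header becomes str(None) == 'None', which never matches."""
    cookie = headers.get('Cookie')
    return str(cookie).lower().find(OPT_OUT_COOKIE.lower() + '=true') >= 0


def parse_cookie_header(value):
    """Split a Cookie request header into {name: value}; the first occurrence wins."""
    cookies = {}
    for part in value.split(';'):
        name, sep, val = part.strip().partition('=')
        if sep and name:
            cookies.setdefault(name, val)
    return cookies


def opt_out_requested(headers):
    """Stricter check: the cookie *named* OAM_WNA_OPT_OUT must equal 'true'
    (case-insensitive), so a cookie that merely contains that text does not match."""
    cookie = headers.get('Cookie')
    if not cookie:
        return False
    cookies = {k.lower(): v for k, v in parse_cookie_header(cookie).items()}
    return cookies.get(OPT_OUT_COOKIE.lower(), '').strip().lower() == 'true'


# Constructed request headers (not captured traffic).
SAMPLE_REQUESTS = {
    'after_login_click': {'Cookie': 'OAM_WNA_OPT_OUT=true; OAM_ID=abc123'},
    'domain_joined':     {'Cookie': 'JSESSIONID=deadbeef'},
    'no_cookie_header':  {},
    'lookalike_name':    {'Cookie': 'X_OAM_WNA_OPT_OUT=true'},
}


def evaluate_all(requests=SAMPLE_REQUESTS):
    """(literal rule result, strict result) per constructed request."""
    return {name: (oam_rule_matches(h), opt_out_requested(h))
            for name, h in requests.items()}


if __name__ == '__main__':
    for name, result in evaluate_all().items():
        print('%-18s rule=%-5s strict=%s' % (name, result[0], result[1]))
```

The literal rule is a substring search over the whole header, so any cookie whose name ends in oam_wna_opt_out also triggers the fallback (the lookalike_name case). That is harmless here, because the cookie only selects which scheme challenges the user and FORM still checks the credentials; the stricter form is the one to use in rules that gate access rather than choose a challenge.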

WNA fails with GSSException: Failure unspecified at GSS-API level

Error:

<Jan 30, 2018 12:23:07 PM AST> <Error> <oracle.oam.plugin> <BEA-000000> <Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))

     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)

Caused By: KrbException: Specified version of key is not available (44)
     at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:588)
     at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:270)
     at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)

Solution
1. Delete the existing SPN mapping

setspn -D <principal_name_associated_with_mapuser> <mapuser>

setspn -D HTTP/myserver.mylab.com@MYLAB.COM mylab\oamsitwna

2. Run ktpass again with the following syntax

ktpass -princ HTTP/myserver.mylab.com@MYLAB.COM -mapuser mylab\oamsitwna -pass <password> -crypto ALL -ptype KRB5_NT_PRINCIPAL -out krb5.keytab -kvno 0

3. Copy krb5.keytab to the OAM server in the appropriate location.
4. Restart the OAM managed server.
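Error 44 in the trace is Kerberos KRB_AP_ERR_BADKEYVER: the service ticket the browser presented was encrypted under a key version number (kvno) for which the keytab holds no key, which is what happens when the account's password is reset (for example by a later ktpass run) after the keytab was generated. The added Python script below, which is not Oracle or JDK code, parses an MIT-format keytab and reports the principal, kvno and encryption type of each entry so the mismatch can be confirmed before anything is regenerated or restarted; the keytab bytes are constructed inside the script with dummy key material, and the kvno values are assumptions.

```python
"""Inspect a keytab for the (principal, kvno) pair a failing WNA login needs.

Added example, not Oracle or JDK code. The keytab below is constructed with
dummy key bytes; a real one comes from ktpass or ktutil.
"""
import struct

KEYTAB_MAGIC = b'\x05\x02'      # MIT keytab file format version 0x0502, big-endian
KRB5_NT_PRINCIPAL = 1           # name type written by ktpass -ptype KRB5_NT_PRINCIPAL
ENCTYPE_NAMES = {17: 'aes128-cts-hmac-sha1-96', 18: 'aes256-cts-hmac-sha1-96', 23: 'rc4-hmac'}


def _counted(data):
    """counted_octet_string: 16-bit length followed by the bytes."""
    return struct.pack('>H', len(data)) + data


def build_keytab(entries):
    """Write [(principal, kvno, enctype, key_bytes)] in 0x0502 layout (test input only)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, _, realm = principal.rpartition('@')
        components = name.split('/')
        body = struct.pack('>H', len(components)) + _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        body += struct.pack('>IIB', KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack('>H', enctype) + _counted(key)              # keyblock
        body += struct.pack('>I', kvno)                                  # full 32-bit vno
        out += struct.pack('>i', len(body)) + body
    return bytes(out)


def read_keytab(data):
    """Parse 0x0502 keytab bytes into dicts with principal, kvno and enctype."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError('unsupported keytab version %r' % data[:2])
    pos, entries = 2, []

    def counted():
        nonlocal pos
        (n,) = struct.unpack_from('>H', data, pos)
        pos += 2
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from('>i', data, pos)
        pos += 4
        if size == 0:                  # nothing more to read
            break
        if size < 0:                   # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from('>H', data, pos)
        pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack_from('>IIB', data, pos)
        pos += 9
        (enctype,) = struct.unpack_from('>H', data, pos)
        pos += 2
        key = counted()
        kvno = vno8
        if end - pos >= 4:             # newer writers append a 32-bit vno after the key
            (kvno,) = struct.unpack_from('>I', data, pos)
        entries.append({'principal': '/'.join(comps) + '@' + realm, 'kvno': kvno,
                        'enctype': enctype, 'enctype_name': ENCTYPE_NAMES.get(enctype, str(enctype)),
                        'key_len': len(key), 'timestamp': timestamp})
        pos = end
    return entries


def kvnos_for(entries, principal):
    return sorted({e['kvno'] for e in entries if e['principal'] == principal})


def can_accept(entries, principal, ticket_kvno):
    """True if the keytab holds the key version named in the incoming AP-REQ ticket."""
    return ticket_kvno in kvnos_for(entries, principal)


# Constructed sample: the SPN from the page, keyed at kvno 3 with dummy (all-zero) keys.
SERVICE_PRINCIPAL = 'HTTP/myserver.mylab.com@MYLAB.COM'
SAMPLE_KEYTAB = build_keytab([(SERVICE_PRINCIPAL, 3, 23, bytes(16)),
                              (SERVICE_PRINCIPAL, 3, 18, bytes(32))])

if __name__ == '__main__':
    entries = read_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(e['principal'], 'kvno', e['kvno'], e['enctype_name'])
    # A ticket issued after a password reset (assumed kvno 4) is rejected with error 44.
    print('ticket kvno 4 accepted:', can_accept(entries, SERVICE_PRINCIPAL, 4))
```

On a real system, MIT's klist -k -e krb5.keytab lists the same entries; read_keytab(open(path, 'rb').read()) returns them as dicts to compare against the kvno of the rejected ticket, and every encryption type the clients negotiate must be present at that kvno.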

Post-authentication rule to switch authentication scheme does not work in OAM

Oracle Access Manager – Version 11.1.2.2.5 and later

Reason:
This is caused by a known OAM bug, Bug 19777125: POST AUTHENTICATION CONDITIONS IN ADVANCE RULES DOES NOT REDIRECT.

Solution:
Apply OAM BP07 or higher, where this issue is addressed.

Integrate OAM 11g R2 PS3 and Oracle Mobile Authenticator

The steps below cover integrating OAM with Oracle Mobile Authenticator (OMA) for strong authentication, i.e. multi-factor authentication.

Pre-requisites:
1. Oracle Access Manager 11gR2PS3 installed and configured
2. Oracle HTTP Server installed and configured
3. OAM WebGate OHS installed and configured

  1. Enable "Mobile and Social Service" and "Adaptive Authentication Service": log in to the OAM console –> Configuration –> Available Services.
  2. Configure OAuth and click Apply.
  3. Edit the "TOTPPlugin" authentication plugin.
  4. Edit the "TOTPModule" authentication module.
  5. Create a new authentication scheme: go to LDAPScheme and duplicate it.
  6. Update the authentication policy in the application domain.
  7. Create an HTML page containing the link to be opened from the phone (see step 9) and copy it to any web server.
    To generate the QR code, follow https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-800C0912-8452-4DA7-9762-A2A21E897C17.htm#AIAAG90224
  8. Download and install the Oracle Mobile Authenticator app from the app store (Google Play or the App Store).
  9. Open the above HTML page in the mobile browser, click the link on the page and enter the username and password when prompted.

Test application access. The user is prompted for LDAP authentication and, after that, for the OTP.

OHS not starting

The OHS instance status shows Stop, and OHS neither starts nor stops.

[oracle@identity bin]$ ./opmnctl status
Processes in Instance: ohs_inst1
———————————+——————–+———+———
ias-component                    | process-type       |     pid | status 
———————————+——————–+———+———
ohs_inst1                        | OHS                |    4857 | Stop   

Error in log files
——–
18/01/28 22:59:41 Stop process
——–
/app/Middleware/Oracle_WT1/ohs/bin/apachectl hardstop: httpd (no pid file) not running

Reason
When Oracle HTTP Server starts up, it writes the process ID (PID) of the parent httpd process to the httpd.pid file located, by default, in the following directory:

ORACLE_INSTANCE/diagnostics/logs/OHS/component_name

When I checked the above location, there was no httpd.pid file.

Solution
Create an empty file named httpd.pid in the above location.

Rename or clear the states directory at the location below (stop or kill the opmn processes before doing this).

ORACLE_INSTANCE/config/OPMN/opmn/states

Start OHS.

No credential mapper entry found for password indirection

Error while activating an ADF deployment in WebLogic.

Solution:

  • Click Application –> Application Properties…
  • Expand Deployment and click WebLogic.
  • Uncheck "Auto Generate and Synchronize Weblogic JDBC Description During Deployment".

Regenerate the EAR file and deploy.

SecurityProvider service class name for IAMSuiteAgent is not specified

The error below appears when starting OAM managed servers from Node Manager.

<Jan 27, 2018 1:43:40 AM PST> <Error> <Security> <BEA-090870> <The realm “myrealm” failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IAMSuiteAgent is not specified..
weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IAMSuiteAgent is not specified.
     at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
     at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1789)
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:443)
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:841)
     Truncated. see log file for complete stacktrace
Caused By: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IAMSuiteAgent is not specified.
     at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
     at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
     at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
     at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
     at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
     Truncated. see log file for complete stacktrace
Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IAMSuiteAgent is not specified.
     at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:42)
     at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
     at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
     at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
     at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
     Truncated. see log file for complete stacktrace
>
<Jan 27, 2018 1:43:40 AM PST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Jan 27, 2018 1:43:40 AM PST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason:

There are 1 nested errors:

weblogic.security.service.SecurityServiceRuntimeException: [Security:090399]Security Services Unavailable
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:917)
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
     at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
     at weblogic.security.SecurityService.start(SecurityService.java:141)
     at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

>
<Jan 27, 2018 1:43:41 AM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>

Solution:
Stop (or kill) Node Manager.
Run $MW_HOME/oracle_common/common/bin/setNMProps.sh
Start Node Manager.
Start the managed server from Node Manager.

Install Java JDK

Download JDK
jdk-8u141-linux-x64.tar.gz

Make a directory to extract the JDK into
[root@oel1 ~]# mkdir -p /u02/java

Extract the JDK
[root@oel1 ~]# tar -xzf jdk-8u141-linux-x64.tar.gz -C /u02/java/

Add the alternative
[root@oel1 ~]# alternatives --install /usr/bin/java java /u02/java/jdk1.8.0_141/bin/java 3

When update-alternatives prompts for a selection, enter 3.

Update alternatives

[root@oel1 ~]# update-alternatives --config java
There are 3 programs which provide 'java'.
  Selection    Command
-----------------------------------------------
*+ 1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.102-4.b14.el7.x86_64/jre/bin/java)
    2           java-1.7.0-openjdk.x86_64 (/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.111-2.6.7.8.0.1.el7.x86_64/jre/bin/java)
    3           /u02/java/jdk1.8.0_141/bin/java

Enter to keep the current selection[+], or type selection number: 3

Verify the Java version
[root@oel1 ~]# java -version
java version "1.8.0_141"
Java(TM) SE Runtime Environment (build 1.8.0_141-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.141-b15, mixed mode)