Oracle Access Manager 12c 12.2.1.3 in collocated mode

To install OAM in collocated mode, first install Oracle Fusion Middleware Infrastructure 12c and then Oracle Access Manager 12c. Infrastructure and OAM must be installed in the same Oracle Home.

Directory Structure

[oracle@oel1 /]$ cd /u02/
[oracle@oel1 u02]$ mkdir -p oracle/product/Oracle_Home
[oracle@oel1 u02]$ mkdir -p oracle/config/Domain_Home
[oracle@oel1 u02]$ mkdir -p oracle/config/Application_Home

[oracle@oel1 u02]$ tree oracle/
oracle/
├── config
│   ├── Application_Home
│   └── Domain_Home
└── product
    └── Oracle_Home

Install Infrastructure 12c

[oracle@oel1 OAM12c]$ unzip fmw_12.2.1.3.0_infrastructure_Disk1_1of1.zip
[oracle@oel1 OAM12c]$ java -jar fmw_12.2.1.3.0_infrastructure.jar

Navigate through the installation screens by clicking Next; on the Installation Location screen, select or browse to the correct Oracle Home.

Install Oracle Access Manager 12c

[oracle@oel1 OAM12c]$ unzip fmw_12.2.1.3.0_idm_Disk1_1of1.zip
[oracle@oel1 OAM12c]$ java -jar fmw_12.2.1.3.0_idm.jar

Navigate through the installation screens by clicking Next; on the Installation Location screen, select or browse to the same Oracle Home used for the Infrastructure install.

Create Schemas

[oracle@oel1 Oracle_Home]$ cd /u02/oracle/product/Oracle_Home/oracle_common/bin/
[oracle@oel1 bin]$ ./rcu

Select the Oracle Access Manager schema.
This automatically selects the following schemas as dependencies:
• Common Infrastructure Services (STB)
• Oracle Platform Security Services (OPSS)
• Audit Services (IAU)
• Audit Services Append (IAU_Append)
• Audit Services Viewer (IAU_Viewer)
• Metadata Services (MDS)
• WebLogic Services (WLS)

Configure OAM Domain

[oracle@oel1 bin]$ cd /u02/oracle/product/Oracle_Home/oracle_common/common/bin
[oracle@oel1 bin]$ ./config.sh

Select the template Oracle Access Management Suite. Selecting this template automatically selects the following as dependencies:
• Oracle Enterprise Manager
• Oracle JRF
• WebLogic Coherence Cluster Extension

Start Servers

[oracle@oel1 bin]$ cd /u02/oracle/config/Domain_Home/OAM_Domain/bin
[oracle@oel1 bin]$ nohup ./startWebLogic.sh &


[oracle@oel1 bin]$ cd /u02/oracle/config/Domain_Home/OAM_Domain/bin
[oracle@oel1 bin]$ nohup ./startNodeManager.sh &


Log in to the WebLogic console:
http://oel1.mylab.com:7011/console
Go to Servers –> Control.
Select the server and click Start.

OAM Console: http://oel1.mylab.com:7011/oamconsole


OAM 11gR2PS3 Multi Factor Authentication – Adaptive Authentication Service

The Adaptive Authentication Service offers stronger multifactor (also referred to as second factor) authentication for sensitive applications that require additional security in addition to the standard user name and password type authentication.

The second factor can be a One Time Pin (OTP) or an Access Request (or push) Notification. After an initial successful user/password authentication, a Second Factor Authentication page is displayed from which the user selects the preferred method of second factor authentication.
The following options are available:

  • OTP from Oracle Mobile Authenticator

  • OTP through SMS

  • OTP through Email

  • Access Request Notification from Oracle Mobile Authenticator

To use Oracle Mobile Authenticator with this post, you must first complete steps 1, 2, 7, 8 and 9 from the post below:
https://oraidam.wordpress.com/2018/01/29/integrate-oam-11g-r2-ps3-and-oracle-mobile-authenticator/

In this post we will configure OAM for multi factor authentication with OTP through Email or SMS or Oracle Mobile Authenticator.

1. Enable “Adaptive Authentication Service”: log in to the OAM console –> Configuration –> Available Services

2. Configure AdaptiveAuthenticationPlugin
Click on Authentication Plugins in the OAM console.
Search for the plugin and click on it to edit its properties.

3. Edit below properties in AdaptiveAuthenticationPlugin

SFATypes
Totp:Sms:Email:Push

UmsAvailable
true

UmsClientUrl
http://identity.oracleads.com:8001/ucs/messaging/webservice

EmailMsgFrom
workflow.admin@oracleads.com

Totp_Enabled
true

Email_Enabled
true

Sms_Enabled
true

EmailField
mail

PhoneField
mobile

TotpSecretKeyAttribute
description

Click on Save
Make the same changes in

4. Add credentials for UMS in the WebLogic domain
Log in to Enterprise Manager and go to domain –> Security –> Credentials.
Expand OAM_CONFIG and click Create Key.
Create umsKey and click OK.

5. Protect the resource
Go to the application domain.
Go to Authentication Policies –> Protected Resource Policy.
Go to Advanced Rules –> Post Authentication and click on Add.
Click Add and then click on Apply.

Testing:
As mentioned in the configuration, make sure all of the attributes below are populated in the user profile in order to test all options.
EmailField: mail
PhoneField: mobile
TotpSecretKeyAttribute: description
The description attribute is populated automatically when you set up Oracle Mobile Authenticator as specified in https://oraidam.wordpress.com/2018/01/29/integrate-oam-11g-r2-ps3-and-oracle-mobile-authenticator/ at steps 8 and 9.

Now hit the requested resource; you will be prompted to log in with a username and password for first-factor authentication.
Supply the username and password and click on Login. After a successful login you will be prompted to choose an option for the second-factor login.
Select the option and click on OK.
Then supply the PIN for second-factor authentication and click Login to access the protected resource.

Demo: https://youtu.be/LiP1O99EUGU

OAAM Second Factor Authentication – OTP via Email or SMS

Pre-Requisite: OAAM Advanced TAP Integration with OAM
https://oraidam.wordpress.com/2018/02/14/oaam-advanced-integration-with-oam-tap-integration/

Enable OTP Anywhere Registration
Set the properties below to true:

bharosa.uio.default.register.userinfo.enabled
bharosa.uio.default.userpreferences.userinfo.enabled

Log in to the OAAM admin console and go to Properties.

Setting Properties in OAAM for User Messaging Service
Set the properties below:

bharosa.uio.default.ums.integration.webservice
http://identity.oracleads.com:8001/ucs/messaging/webservice

bharosa.uio.default.ums.integration.useParlayX
false

bharosa.uio.default.ums.integration.userName
workflow.admin@oracleads.com

bharosa.uio.default.ums.integration.password
Oracle123

bharosa.uio.default.ums.integration.fromAddress
workflow.admin@oracleads.com

bharosa.uio.default.otp.optOut.enabled
true

SMS & Email Properties

bharosa.uio.default.challenge.type.enum.ChallengeEmail.available
true

bharosa.uio.default.userinfo.inputs.enum.email.enabled
true

bharosa.uio.default.challenge.type.enum.ChallengeSMS.otp
true

bharosa.uio.default.userinfo.inputs.enum.mobile.enabled
true

bharosa.uio.default.userinfo.inputs.enum.mobile.required
true

Configuring OTP Presentation (Optional)
If you want to change the OTP device used for the challenge to a pin pad, change the property below:

bharosa.uio.default.ChallengeEmail.authenticator.device
DevicePinPad

Restart OAAM managed server for properties to take effect.

Configure OAAM Policy for Second Factor Authentication
Go to Policies and select OAAM Post Authentication Security Policy.
Go to Rules and add a new rule.
Now go to OAAM Challenge group.
Change the actions as required.
Now go to OAAM Challenge Policy.
Configure the Trigger Combinations tab and click on Apply.

Testing
Demo: https://youtu.be/uHuhgaGmpQI

OAAM Advanced Integration with OAM (TAP integration)

In this integration OAAM Server acts as a trusted partner application. The OAAM Server uses the Trusted authentication protocol (TAP) to communicate the authenticated username to OAM Server after it performs strong authentication and risk and fraud analysis. The OAM Server then redirects the user to the protected resource.

Pre-requisites
OAM 11.1.2.3 is installed and configured
OHS server is installed and configured
OAM Webgate agent on OHS is registered with OAM

Creating the OAAM Admin Users and OAAM Groups
Log in to the WebLogic console.
Navigate to Security Realms –> myrealm –> Users and Groups –> Users.
To create a new user, click on New.
Enter the information and click OK.
Now click on the newly created user.
Go to the Groups tab, select all OAAM groups and click Save.

Import the OAAM base snapshot
The base snapshot is located in ORACLE_HOME/oaam/init
File: oaam_base_snapshot.zip
Start the OAAM Admin Server and log in to the OAAM admin console with the new user. The OAAM Admin console URL is

http://oaam_managed_server_host:oaam_admin_managed_server_port/oaam_admin
http://identity.oracleads.com:14200/oaam_admin

Go to System Snapshots and click Load from File.
Select the base snapshot file and click Load.
Click Restore.

Validate initial configuration of OAAM
Go to

http://host:port/oaam_server
http://identity.oracleads.com:14300/oaam_server

Enter any username and click Continue.
Enter the password as “test” and click Enter.
Click Continue.
Click Continue.
Enter security questions and answers (KBA) and click Enter.
If you are not able to validate the OAAM initial configuration as above, you must fix it before proceeding further.

Register the OAAM Server as a Partner Application to OAM
If OAAM is registered with Access Manager as a partner application, OAAM will then be able to communicate with Access Manager via the Trusted Authentication Protocol (TAP) to communicate the authenticated user name to the OAM Server after it performs strong authentication, risk, and fraud analysis, and the OAM Server owns the responsibility for redirecting to the protected resource.

If authentication is successful and the user has the appropriate profile registered, Oracle Adaptive Access Manager constructs the TAP token with the user name and sends it back to Access Manager. Access Manager asserts the token sent back. After asserting the token, Access Manager creates its cookie and continues the normal single-sign on flow in which it redirects the user to the protected resource.

Create a keystore directory

export IAM_ORACLE_HOME=/app/Middleware/Oracle_IDM1
mkdir -p $IAM_ORACLE_HOME/TAP/TapKeyStore

Run wlst.sh and connect to weblogic

cd $IAM_ORACLE_HOME/common/bin
./wlst.sh

wls:/offline> connect()
Please enter your username :weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3://identity.oracleads.com:7001

Run register command
registerThirdPartyTAPPartner(partnerName="partnerName", keystoreLocation="path to keystore", password="keystore password", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="OAAM login URL")

registerThirdPartyTAPPartner(partnerName="OAAMTAPPartner", keystoreLocation="/app/Middleware/Oracle_IDM1/TAP/TapKeyStore/mykeystore.jks", password="Oracle123", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://identity.oracleads.com:14300/oaam_server/oamLoginPage.jsp")


Adding a Password to the IAMSuiteAgent Profile
This profile is used by Oracle Adaptive Access Manager when integrating with Access Manager. When the IAMSuiteAgent profile is first created, it has no password. You must set a password before the profile can be used by Oracle Adaptive Access Manager for integration.
Log in to oamconsole and click on Agents.
Click Search, select IAMSuiteAgent, update the Access Client Password and click on Apply.

Updating the Domain Agent Definition
Log in to the WebLogic console.
Navigate to Security Realms –> myrealm –> Providers and select IAMSuiteAgent.
Go to the Provider Specific tab, click Lock & Edit and update the agent password.
Click Save and Activate Changes, then restart the WebLogic servers.

Verifying TAP Partner Registration
Log in to oamconsole and go to Authentication Schemes.
Open TAPScheme, edit it as required and click Apply.
Launch the Oracle Access Management tester:

cd IAM_ORACLE_HOME/oam/server/tester/
java -jar oamtest.jar

Validate the TAPScheme with the tester.

Set up TAP integration properties in OAAM
Make sure oaam managed server is running

mkdir -p temp/oaam_cli
cp -r OAAM_HOME/oaam/cli/. temp/oaam_cli

Edit the fields below in temp/oaam_cli/conf/bharosa_properties/oaam_cli.properties; keep the remaining fields as they are.

oaam.adminserver.hostname=identity.oracleads.com
oaam.adminserver.port=7001
oaam.db.url=jdbc:oracle:thin:@identity.oracleads.com:1521:orcl
#keystore location entered in the registerThirdPartyTAPPartner command
oaam.uio.oam.tap.keystoreFile=/app/Middleware/Oracle_IDM1/TAP/TapKeyStore/mykeystore.jks
#partner name entered in the registerThirdPartyTAPPartner command
oaam.uio.oam.tap.partnername=OAAMTAPPartner
oaam.uio.oam.host=identity.oracleads.com
oaam.uio.oam.port=5575
oaam.uio.oam.webgate_id=IAMSuiteAgent
#communication security between OAAM and OAM
oaam.uio.oam.security.mode=1
oaam.csf.useMBeans=true

Save changes to oaam_cli.properties
Set Middleware home and Java home variables

export ORACLE_MW_HOME=/app/Middleware
export JAVA_HOME=/app/Middleware/jdk160_29

cd temp/oaam_cli/
chmod 777 setupOAMTapIntegration.sh

Run the OAAM setup integration script using the following command

./setupOAMTapIntegration.sh conf/bharosa_properties/oaam_cli.properties

Note: Enter the details at the prompts. I have assigned all OAAM groups to the default “weblogic” user from the WebLogic console security realm, and used it as the OAAM admin user.


Configure Application Domain to use TAPScheme
Go to the OAM admin console and click on Application Domains –> Application Domain –> select the application domain.
Go to Authentication Policies and select the Protected policy.
Change the authentication scheme to TAPScheme and click on Apply.

Now go to Application Domain –> IAM Suite –> Authentication Policies –> select “Protected HigherLevel Policy”. Make sure /oamTAPAuthenticate is protected by LDAPScheme.

Testing
Make sure the OHS, OAM and OAAM managed servers are up and running.
Hit the TAPScheme-protected resource:
http://identity.oracleads.com:7777
Enter the username and click on Continue.
Enter the password and click on Enter.
Click Continue for registration.
Click Continue, enter the security questions and answers, and click Enter.

Demo: https://youtu.be/TIXXGWwM6oQ


OAM Integration with Google (Social Identity Provider) using OAuth

Go to oamconsole –> Configuration –> Available Services

Enable Mobile and Social Service

Go to Federation –> Social Identity

Select the Google identity provider and click on Edit

Here we need to enter the consumer key and consumer secret

To generate the consumer key and consumer secret, go to https://code.google.com/apis/console
Log in to your Gmail account
Click on the icon shown on the page

Go to API services –> Credentials

Click on OAuth Client ID
Copy the Client ID and Client Secret
Add the authorized redirect URIs as
http://<oam-server>:<oam-port>/oic_rp/return
http://<oam-server>:<oam-port>/oic_rp/popup

When configuring Google’s Consent Screen in Google’s Developers Console, make sure the PRODUCT NAME matches the Application Profile name in M&S.

Go back to oamconsole –> Federation –> Social Identity –> Google
Paste the Client ID in the Consumer Key field and the Client Secret in the Consumer Secret field.
Click Apply to save your changes.

Now create or edit an Application Profile with the same name as your Application Policy Domain (OAMApplication, in my case).
Select OAMApplication under Application Profiles and click on Edit.
Enter a shared secret key of your choice and enable user registration. Click on Apply.

Go to Authentication Schemes.
Edit OICScheme as required.
Go to Application Domain.
Select the application domain.
Go to Authentication Policy and select it.
Select the OICScheme authentication scheme.

Test:
http://identity.oracleads.com:7777

To resolve the issue encountered at this point:

Import the certificate into the WebLogic trust store:
keytool -import -v -trustcacerts -alias endeca-ca -file <certificate .der> -keystore <trustedstore.jks>

Note: The demo trust store password is DemoTrustKeyStorePassPhrase and the cacerts password is changeit.

  • Set the HostNameIdentifier in the WebLogic (10.3.6) admin console to ‘None’ and check JSSE SSL Enable:
    Log in to the WebLogic console
    Go to Home > Summary of Servers > oam_server1 > SSL
    Click Lock & Edit
    Do the same for omsm_server1
    Click Save, Activate Changes and restart the WebLogic servers
  • Make sure the OMSM server is able to communicate with Google’s servers

Test Again
Hit the protected URL:
http://identity.oracleads.com:7777
Click on Google.
Enter the Google username and password.
Fill in the password and click on Register.
The protected resource is displayed, and the user is registered in the identity store.

Demo: https://www.youtube.com/watch?v=Gl7pMGkNNVw

OAM 11gPS3 WNA Fallback to FORM

Pre-requisite: Apply Bundle Patch 11.1.2.3.180116

How it works:
When NTLM and Kerberos authentication do not work with a browser (such as a browser on a machine that is not joined to the domain), the OAM Server responds with an authorization error (403) and HTML content in the body of the response. By default, OAM displays an authorization error page with a Login button. The user needs to click the Login button on the customized page to invoke WNA fallback to FORM-based authentication. When the user clicks the Login button, OAM sets a cookie named “OAM_WNA_OPT_OUT”. When this cookie is set to true, it tells the OAM server to challenge the user with FORM-based authentication when the browser presenting the cookie does not support WNA authentication.

After the configuration below is done, OAM falls back to form authentication when validation of the SPNEGO token fails. This use case is supported only when the KerberosTokenAuthenticator plugin is used.

  1. Ensure that all WLS servers are stopped.
  2. Open and edit oam-config.xml, search for Version from the top and increment the value.
  3. Search for WNAOptions and set the value of HandleNTLMResponse to FORM.
  4. Add the lines below.
  5. Under <Setting Name="KerberosTokenAuthenticator" Type="htf:map">
    ...
    under <Setting Name="initParameters" Type="htf:list">
    ...
    add the following:
    <Setting Name="4" Type="htf:map">
    <Setting Name="name" Type="xsd:string">KEY_FORM_FALLBACK_ENABLED</Setting>
    <Setting Name="type" Type="xsd:string">string</Setting>
    <Setting Name="value" Type="xsd:string"></Setting>
    <Setting Name="length" Type="xsd:integer">256</Setting>
    <Setting Name="globalUIOverride" Type="xsd:boolean">false</Setting>
    <Setting Name="instanceOverride" Type="xsd:boolean">false</Setting>
    <Setting Name="mandatory" Type="xsd:boolean">false</Setting>
    </Setting>

  6. Optional step
    The OAM_WNA_OPT_OUT cookie is set as a persistent cookie by default. Configure it as a session cookie as follows:
    <Setting Name="IsOptOutPersistent" Type="xsd:boolean">false</Setting>

    If you want to configure a custom authorization error page when WNA fails, set the following under WNAOptions.

  7. <Setting Name="CustomOptOutPage" Type="xsd:string">/home/custom.html</Setting>

  8. Start all servers.
  9. You can use one of the following:
    • Modify KerberosPlugin from OAM Console –> Authentication Modules (or any other authentication module that you are using for the Kerberos authentication plugin).

      Add a new step KTA (a new step needs to be created because the newly added parameter is not present when editing the existing step). Set KEY_FORM_FALLBACK_ENABLED to true. Modify the step orchestration accordingly to use the newly created KTA step.

      OR

    • Edit KerberosTokenAuthenticator from OAM Console –> Plugins to set the value of KEY_FORM_FALLBACK_ENABLED to true.

  10. Configure a pre-authentication rule to switch the scheme to the FORM-based scheme if the OAM_WNA_OPT_OUT cookie is present in the request.
    Go to Application Domain –> Authentication Policies –> select the WNA authentication policy –> under the Advanced Rules tab, click on the Pre-Authentication tab.
    Click Add.
    Rule: str(request.requestMap['Cookie']).lower().find('oam_wna_opt_out=true') >= 0
    Click Add and Apply.
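Steps 2 to 7 above are a hand edit of oam-config.xml. The Python below is an added example, not the post's own code or an Oracle tool: it applies the same edit with the standard library so it can be reviewed, diffed and repeated (step 9 still sets the parameter's value from the console, so the value is left empty here as in the post). The input is a constructed, trimmed stand-in for a real oam-config.xml, and the new entry's list index is computed from the existing entries instead of being hard-coded to 4.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for oam-config.xml: only the regions the
# procedure touches. A real file is far larger and may carry a default namespace.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="Version" Type="xsd:integer">42</Setting>
  <Setting Name="WNAOptions" Type="htf:map">
    <Setting Name="HandleNTLMResponse" Type="xsd:string">NTLM</Setting>
  </Setting>
  <Setting Name="KerberosTokenAuthenticator" Type="htf:map">
    <Setting Name="initParameters" Type="htf:list">
      <Setting Name="0" Type="htf:map">
        <Setting Name="name" Type="xsd:string">KEY_KEYTAB_FILE</Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>
"""

SETTING = "{*}Setting"  # matches <Setting> with or without a default namespace
# Fields of one initParameters entry, in the shape step 5 shows (value left empty).
PARAM_FIELDS = (("type", "xsd:string", "string"), ("value", "xsd:string", ""),
                ("length", "xsd:integer", "256"), ("globalUIOverride", "xsd:boolean", "false"),
                ("instanceOverride", "xsd:boolean", "false"), ("mandatory", "xsd:boolean", "false"))


def _first(root, name):
    """First <Setting Name=name> in document order, i.e. "search from the top"."""
    for el in root.iter():
        if el.tag.endswith("Setting") and el.get("Name") == name:
            return el
    raise KeyError(name)


def _child(parent, name):
    """Direct child <Setting Name=name>, or None when the file does not have it."""
    return next((el for el in parent.findall(SETTING) if el.get("Name") == name), None)


def _set(parent, name, type_, value):
    """Set a child setting, creating it when absent (steps 6 and 7 add new ones)."""
    el = _child(parent, name)
    if el is None:
        el = ET.SubElement(parent, parent.tag, Name=name, Type=type_)
    el.text = value


def _init_param(tag, index, name):
    entry = ET.Element(tag, Name=str(index), Type="htf:map")
    for fname, ftype, fvalue in (("name", "xsd:string", name),) + PARAM_FIELDS:
        ET.SubElement(entry, tag, Name=fname, Type=ftype).text = fvalue
    return entry


def enable_form_fallback(xml_text, custom_opt_out_page=None):
    """Apply steps 2-7 and return the edited document; running it twice adds no duplicate."""
    root = ET.fromstring(xml_text)
    version = _first(root, "Version")
    version.text = str(int(version.text) + 1)                       # step 2
    wna = _first(root, "WNAOptions")
    _set(wna, "HandleNTLMResponse", "xsd:string", "FORM")           # step 3
    _set(wna, "IsOptOutPersistent", "xsd:boolean", "false")         # step 6: session cookie
    if custom_opt_out_page:                                         # step 7 (optional)
        _set(wna, "CustomOptOutPage", "xsd:string", custom_opt_out_page)
    params = _child(_first(root, "KerberosTokenAuthenticator"), "initParameters")
    entries = params.findall(SETTING)
    if all(_child(e, "name").text != "KEY_FORM_FALLBACK_ENABLED" for e in entries):
        next_index = 1 + max((int(e.get("Name")) for e in entries), default=-1)
        params.append(_init_param(params.tag, next_index, "KEY_FORM_FALLBACK_ENABLED"))  # steps 4-5
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text):
    """Read back the settings the procedure touches, to verify the edit before starting servers."""
    root = ET.fromstring(xml_text)
    wna = _first(root, "WNAOptions")
    params = _child(_first(root, "KerberosTokenAuthenticator"), "initParameters")
    return {"version": int(_first(root, "Version").text),
            "handle_ntlm": _child(wna, "HandleNTLMResponse").text,
            "opt_out_persistent": _child(wna, "IsOptOutPersistent").text,
            "params": [(e.get("Name"), _child(e, "name").text) for e in params.findall(SETTING)]}
```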

Test: (from a browser on a non-domain machine)

  1. Request the resource protected by the WNA authentication scheme.
  2. The user is redirected to the authorization error page when WNA fails.
  3. Click on the Login button (OAM sets the OAM_WNA_OPT_OUT cookie); the user is redirected to Form authentication as the fallback (by evaluation of the pre-authentication rule).
  4. Supply the username and password to log in.
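Step 3 of the test depends on the step-10 pre-authentication rule. The Python below is an added example, not part of the original post: it evaluates that rule the way OAM's Python-syntax advanced rules do (a substring search over the raw Cookie header) beside a stricter variant that parses the header and checks the named cookie, over constructed request maps. The scheme names given to choose_scheme are assumed defaults, and both rules use .get so a request without a Cookie header evaluates to false rather than raising.

```python
from http.cookies import SimpleCookie

OPT_OUT_COOKIE = "OAM_WNA_OPT_OUT"


def rule_as_written(request_map):
    """The post's rule, as written: substring match on the lower-cased Cookie header."""
    return str(request_map.get("Cookie", "")).lower().find("oam_wna_opt_out=true") >= 0


def rule_parsed(request_map):
    """Stricter form: parse the header and require the named cookie itself to be 'true'."""
    jar = SimpleCookie()
    jar.load(request_map.get("Cookie", ""))
    for name, morsel in jar.items():
        if name.upper() == OPT_OUT_COOKIE:
            return morsel.value.strip().lower() == "true"
    return False


def choose_scheme(request_map, rule=rule_as_written,
                  wna_scheme="KerberosScheme", form_scheme="LDAPScheme"):
    """What the pre-authentication rule decides: switch to the FORM scheme when it fires."""
    return form_scheme if rule(request_map) else wna_scheme


# Constructed request maps: the normal fallback flow plus the edge cases.
CASES = {
    "after_login_click": {"Cookie": "JSESSIONID=abc123; OAM_WNA_OPT_OUT=true"},
    "fresh_browser": {"Cookie": "JSESSIONID=abc123"},
    "no_cookie_header": {},
    "explicit_false": {"Cookie": "OAM_WNA_OPT_OUT=false"},
    "upper_case_value": {"Cookie": "OAM_WNA_OPT_OUT=TRUE"},
    # The text sits inside another cookie's value: the substring rule still fires,
    # the parsed rule does not, because no cookie named OAM_WNA_OPT_OUT is present.
    "text_inside_other_cookie": {"Cookie": "tracker=oam_wna_opt_out=true"},
}


def evaluate_all(rule):
    """Run one rule over every constructed case and return name -> decision."""
    return {name: rule(req) for name, req in CASES.items()}
```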

WNA Fail with GSSException: Failure unspecified at GSS-API level

Error:

<Jan 30, 2018 12:23:07 PM AST> <Error> <oracle.oam.plugin> <BEA-000000> <Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))

     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)

Caused By: KrbException: Specified version of key is not available (44)
     at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:588)
     at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:270)
     at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)

Solution
1. Delete the existing SPN mapping

setspn -D <principal_name_associated_with_mapuser> <mapuser>

setspn -D HTTP/myserver.mylab.com@MYLAB.COM mylab\oamsitwna

2. Run ktpass again with the following syntax

ktpass -princ HTTP/myserver.mylab.com@MYLAB.COM -mapuser mylab\oamsitwna -pass password -crypto ALL -ptype KRB5_NT_PRINCIPAL -out krb5.keytab -kvno 0

3. Copy krb5.keytab to the OAM server in the appropriate location.
4. Restart the OAM managed server.