Post Authentication rule to switch to authentication scheme does not work in OAM

Oracle Access Manager – Version 11.1.2.2.5 and later

Reason:
This is a known OAM bug: Bug 19777125 POST AUTHENTICATION CONDITIONS IN ADVANCE RULES DOES NOT REDIRECT.

Solution:
Apply OAM BP07 or higher, where this issue is fixed.


Integrate OAM 11g R2 PS3 and Oracle Mobile Authenticator

The steps below cover integrating OAM with Oracle Mobile Authenticator (OMA) for strong, i.e. multi-factor, authentication.

Pre-requisites:
1. Oracle Access Manager 11gR2PS3 installed and configured
2. Oracle HTTP Server installed and configured
3. OAM WebGate OHS installed and configured

  1. Enable “Mobile and Social Service” and “Adaptive Authentication Service”: log in to the OAM console -> Configuration -> Available Services
    [screenshot]
  2. Configure OAuth
    [screenshots of the OAuth configuration pages]
    Click Apply
  3. Edit the “TOTPPlugin” authentication plugin
    [screenshot]
  4. Edit the “TOTPModule” authentication module
    [screenshots]
  5. Create a new authentication scheme
    Go to LDAPScheme and duplicate it
    [screenshots]
  6. Update the authentication policy in the application domain
    [screenshots]
  7. Create an HTML page with the content shown below and copy it to any web server
    [screenshot of the HTML page content]
    To generate the QR code, follow https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-800C0912-8452-4DA7-9762-A2A21E897C17.htm#AIAAG90224
  8. Download and install the Oracle Mobile Authenticator app from the Apple App Store or Google Play
  9. Open the above HTML page in the mobile browser. Click the link on the page. Enter the username and password at the prompt.

Test access to the application. The user is first prompted for LDAP authentication and, after that succeeds, is prompted to enter the OTP.
[screenshots of the LDAP login and OTP prompts]

OHS not starting

The OHS instance status shows Stop, and OHS will neither start nor stop.

[oracle@identity bin]$ ./opmnctl status
Processes in Instance: ohs_inst1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
ohs_inst1                        | OHS                |    4857 | Stop

Error in the log files:
--------
18/01/28 22:59:41 Stop process
--------
/app/Middleware/Oracle_WT1/ohs/bin/apachectl hardstop: httpd (no pid file) not running

Reason
When Oracle HTTP Server starts up, it writes the process ID (PID) of the parent httpd process to the httpd.pid file located, by default, in the following directory:

ORACLE_INSTANCE/diagnostics/logs/OHS/component_name

When I checked the above location, there was no httpd.pid file.

Solution
Create an empty file httpd.pid in the above location
[screenshot]

Rename or clear the states directory at the location below (stop or kill the opmn processes before doing this)

ORACLE_INSTANCE/config/OPMN/opmn/states

[screenshot]

Start OHS
[screenshot]
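The solution above is a sequence of manual steps; as an added example (not from the original post), the following Python script performs the same check and repair against an ORACLE_INSTANCE path: it reports whether httpd.pid is missing, creates it empty if so, and moves the OPMN states directory aside to a timestamped backup instead of deleting it, so the old state is still available if the failure needs to be looked at later. The component name ohs_inst1 and the path layout follow the post; the backup name pattern states.bak-<timestamp> and the make_demo_instance helper (which builds a throwaway instance tree for trying the script) are my own. It deliberately does not call opmnctl and does not detect whether opmn is still running: stop the opmn processes before running it and start OHS afterwards, as the post says.

```python
import sys
import tempfile
import time
from pathlib import Path


def ohs_paths(oracle_instance, component="ohs_inst1"):
    """Locations used by the post: the httpd.pid file and the OPMN states directory."""
    inst = Path(oracle_instance)
    return (
        inst / "diagnostics" / "logs" / "OHS" / component / "httpd.pid",
        inst / "config" / "OPMN" / "opmn" / "states",
    )


def diagnose(oracle_instance, component="ohs_inst1"):
    """Describe the current state without changing anything."""
    pid_file, states = ohs_paths(oracle_instance, component)
    backups = sorted(p.name for p in states.parent.glob("states.bak-*")) if states.parent.is_dir() else []
    return {
        "pid_file": str(pid_file),
        "pid_file_missing": not pid_file.exists(),
        "states_dir": str(states),
        "states_dir_present": states.is_dir(),
        "state_backups": backups,
    }


def repair(oracle_instance, component="ohs_inst1", now=None):
    """Apply the post's fix. Precondition: opmn processes already stopped.
    Returns the list of actions taken so the caller can log them."""
    pid_file, states = ohs_paths(oracle_instance, component)
    actions = []
    if not pid_file.exists():
        pid_file.parent.mkdir(parents=True, exist_ok=True)
        pid_file.touch()  # an empty file is what the post creates
        actions.append("created empty " + str(pid_file))
    if states.is_dir():
        stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
        backup = states.with_name("states.bak-" + stamp)  # assumed naming, not Oracle's
        states.rename(backup)  # rename rather than delete: keeps the old state for analysis
        actions.append("moved " + str(states) + " to " + str(backup))
    return actions


def make_demo_instance():
    """Constructed throwaway ORACLE_INSTANCE tree reproducing the post's situation:
    a states directory present, httpd.pid absent."""
    root = Path(tempfile.mkdtemp(prefix="ohs_demo_"))
    (root / "config" / "OPMN" / "opmn" / "states").mkdir(parents=True)
    return str(root)


if __name__ == "__main__":
    instance = sys.argv[1] if len(sys.argv) > 1 else make_demo_instance()
    print("before:", diagnose(instance))
    for action in repair(instance):
        print(action)
    print("after: ", diagnose(instance))
```

Run it as `python ohs_repair.py $ORACLE_INSTANCE` after `opmnctl stopall`, then start OHS again with `opmnctl startproc ias-component=ohs_inst1`; without an argument it works on the constructed demo tree.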

No credential mapper entry found for password indirection

Error while activating an ADF deployment in WebLogic:

[screenshot of the error]

Solution:

  • Click Application -> Application Properties…
  • Expand Deployment and click WebLogic
  • Uncheck “Auto Generate and Synchronize Weblogic JDBC Description During Deployment”

[screenshot]

Regenerate the EAR file and deploy it.

SecurityProvider service class name for IAMSuiteAgent is not specified

The following error appears when starting the OAM managed servers from the node manager:

<Jan 27, 2018 1:43:40 AM PST> <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IAMSuiteAgent is not specified..
weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IAMSuiteAgent is not specified.
     at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
     at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1789)
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:443)
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:841)
     Truncated. see log file for complete stacktrace
Caused By: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IAMSuiteAgent is not specified.
     at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
     at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
     at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
     at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
     at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
     Truncated. see log file for complete stacktrace
Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IAMSuiteAgent is not specified.
     at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:42)
     at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
     at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
     at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
     at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
     Truncated. see log file for complete stacktrace
>
<Jan 27, 2018 1:43:40 AM PST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Jan 27, 2018 1:43:40 AM PST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason:

There are 1 nested errors:

weblogic.security.service.SecurityServiceRuntimeException: [Security:090399]Security Services Unavailable
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:917)
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
     at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
     at weblogic.security.SecurityService.start(SecurityService.java:141)
     at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

>
<Jan 27, 2018 1:43:41 AM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>

Solution:
Stop or kill the node manager
Execute $MW_HOME/oracle_common/common/bin/setNMProps.sh
Start the node manager
Start the managed server from the node manager

Install Java JDK

Download JDK
jdk-8u141-linux-x64.tar.gz

Make directory to extract JDK
[root@oel1 ~]# mkdir -p /u02/java

Extract JDK
[root@oel1 ~]# tar -xzf jdk-8u141-linux-x64.tar.gz -C /u02/java/

Add alternatives
[root@oel1 ~]# alternatives --install /usr/bin/java java /u02/java/jdk1.8.0_141/bin/java 3

When update-alternatives prompts for a selection, enter 3.

Update alternatives

[root@oel1 ~]# update-alternatives --config java
There are 3 programs which provide 'java'.
  Selection    Command
-----------------------------------------------
*+ 1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.102-4.b14.el7.x86_64/jre/bin/java)
    2           java-1.7.0-openjdk.x86_64 (/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.111-2.6.7.8.0.1.el7.x86_64/jre/bin/java)
    3           /u02/java/jdk1.8.0_141/bin/java

Enter to keep the current selection[+], or type selection number: 3

Verify the java version
[root@oel1 ~]# java -version
java version "1.8.0_141"
Java(TM) SE Runtime Environment (build 1.8.0_141-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.141-b15, mixed mode)

Upgrade OID 11.1.1.7 to 11.1.1.9

Download Patch : 20995629

Backup Oracle home
tar -cvf OracleIDM1_backup.tar Oracle_IDM1

Backup OID instance
tar -cvf oid_inst1_backup.tar oid_inst1

Install patch 20995629
From Disk1, execute ./runInstaller

[installer screenshots omitted]

Upgrade the database schema using the Patch Set Assistant

[Patch Set Assistant screenshots omitted]

Verify the upgrade
Check binaries: execute $ORACLE_HOME/OPatch/opatch lsinventory
Check schema: select comp_name,owner,version from schema_version_registry where owner = 'ODS';