Facebook

Wednesday, February 18, 2015

OAM : Custom Login Page Times out after 15 mins (Prior to User Login)

Product Versions
OAM 11.1.2.2.0, OHS 11.1.1.7 , Webgate for OHS - 11.1.2.2, Weblogic Server 10.3.6
Single Sign On implemented with WebCenter Custom Portal & WebCenter Content 11.1.1.8
A custom login page was used instead of the OOTB Login Page provided by Oracle.

Issue Summary : 
If User stays idle on custom login page (without having logged in) for  more than 15 mins and then tries to login, he is redirected to a blue screen/error page which says 'System error, please contact your administrator'

Error Logs -
Error occurred while handling the request.
Supplemental Detail     java.lang.RuntimeException:   Authentication request Timed out. Eapsed time in min: 79560 at oracle.security.am.controller.BaseRequest.updateObjectWithCachedMap(BaseRequest.java:482)
  
Note - 
If the user logs in to the application before 15 mins, the SSO enabled application honours the timeout values:
Webgate level 'Max Session Time' = 60 mins
OAM Console - Common Settings 'Idle Timeout' = 65 mins

The user has connected to the custom authentication page but not logged in yet. So there is no user session yet. The user just idles for a while and then attempts to login and gets the error - The 'Idle Timeout' is only applicable to logged-in sessions. The timeout we are hitting is the 'Request Time Out' which is somehow hardcoded by Oracle to 15 mins.

Solution :
This is a pretty weird Oracle Bug ! Workaround is as follows :

Add a meta tag such as following one behind <head> in the custom login page.
    <meta http-equiv="refresh" content="890; URL=http://host.example.com/public/public.html">
The Http mechanism for a meta tag is described on:  http://www.w3schools.com/tags/att_meta_http_equiv.asp

The time value of 890 seconds comes from :
The idle time of 15 minutes set by OAM minus 10 seconds, that is:
         => (15*60=900)  minus (tolerance time of 10 second)
If the user stays now for 890 seconds on the custom login page, the browser will bring him back to a public page as defined with URL  (http://host.example.com/public/public.html).


ReferencesDoc Id 1908294.1

Automated Security deployment : Oracle IAM Deployment Wizard

With the release of Identity & Access Management suite 11g R2 PS2 (11.1.2.2.0), Oracle has released a new deployment tool to automate the installation and configuration of products related to the IAM suite.
This tool is named Oracle Identity and Access Management Deployment Wizard.
Key insights –
  1. Installs & Configures - OIM , OAM , OUD , OHS , Webgates etc.Also creates basic Users & groups in OUD , configures OUD as Identity store for OAM.
  2. You will need to download a completely separate set of software for this. The normal Identity & Access Management suite download packages won’t work.If you go to Oracle Download page for 11.1.2.2.0, here, you will see at the bottom a section for the Deployment Repository
  3. This 12GB package contains everything you will need: The IAM Suite, RCU, WebLogic, JDK, WebTier, WebGate (11g), SOA, OUD, and of course, the Deployment Wizard.
  4.  If everything goes well, it will take approximately 6 hours to do everything. If this seems long, keep in mind that it’s installing OAM,OIM,OUD , configuring them, integrating OIM and OAM, setting up LDAPSync, SSL enabling some components, configuring OHS with Webgate, configures WebLogic Authentication Providers, performs some light performance tuning, does OUD reconciliation
  5.  Supports both Single Node & HA configurations.
Checkout this blog for more details, limitations etc. !

OAM Single-Sign-On (SSO) Deployment Architecture : Best Practice

Recently I came across couple of OAM Deployment Architectures which have been implemented and can potentially cause multiple issues - 
  • Using the same OHS Instance which has a webgate deployed on it for reverse proxy to OAM Servers in addition to the target application which needs to be protected (e.g. WebCenter)
  • Front-ending OAM Servers directly with an external Load Balancer(LBR) skipping the Web Server layer altogether
Ideally, OAM should be front-ended by a web server/OHS instance of it's own to 
  • Allow separate streams of HTTP traffic(in addition to one for Application) 
  • Scale the SSO architecture to other target applications - 
  • In case the same OAM Server is used for a new application which needs to be SSO enabled as well, the standalone OHS which just services requests to OAM (and doesn't have any webgate on it) is a must!
  • This would also ensure that any files needed to be cached (like javascript, css etc) for any OAM related applications can be cached at the OHS layer

(Image Courtesy : A-Team Blog

If we have to use a Load Balancer(LBR) to directly front-end the OAM Server instead of an intermittent OHS(probably due to cost constraints), we should have this LBR within the corporate network (in addition to an external LBR which front-ends the other OHS instance(s) for applications) and not in the DMZ to prevent the security risk of an external LBR based in the DMZ exposing the OAM located in the Application Tier directly.

Courtesy  :
1) Forum Post which was logged as few items in the A-Team blog mentioned below were not crystal clear
2) A-Team Blog

Tuesday, February 17, 2015

How to create new Admin users in Oracle Internet Directory (OID)

A lot of us end up using the superuser 'cn=orcladmin'  to connect to OID for all use-cases.
Certainly this is not the best practice as the superuser 'cn=orcladmin' is a privileged user having more privileges than are needed certain admin functions having access to multiple realms on OID. 

While there is no documented way to create a second superuser for OID, like cn=orcladmin. But, a user with the same privileges as the realm Admin (cn=orcladmin,dc=<companyName,dc=com) can be created and used for the following use cases : 
  • Use in OAM Console for Identity Store credentials
  • Providing ODSM login capability to admin users to view/modify the LDAP Tree for their realm
  • Any kind of CRUD based LDAP APIs used in Java Code
  • Separate password policies can be created for these users which are different from the cn=orcladmin superuser etc.

This user can be created as follows : 
  1. Create an LDIF file with the following content
    dn: cn=myadmin,cn=Users,dc=oracle,dc=com
    givenname: myadmin
    sn: myadmin
    cn: myadmin
    uid: myadmin
    mail: myadmin@oracle.com
    objectclass: top
    objectclass: person
    objectclass: inetOrgPerson
    objectclass: orclUser
    objectclass: orclUserV2
    objectclass: organizationalPerson


  2. Run ldapadd
    ldapadd -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <password> -f <LDIF_filename>
        Alternatively, we can use the 'Import' function available in Data Browser tab in ODSM .

3.  Confirm that you are able to bind successfully as the newly created user
  ldapbind -h <OID_host> -p <OID_port> -D      "cn=myadmin,cn=users,dc=oracle,dc=com" -w <password>

4. Get the existing group memberships for the orcladmin user
  ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w    <password> "<DN_of_orcladmin>" "dn"

Alternatively use 'Import' feature in Data Browser tab of ODSM to import the SuperUser.ldif file attached (essentially contains the 
all groups to be added for a Realm Admin in LDIF format)

Reference Doc ID 454796.1

Good reads 

Creating Read-Only Users in Oracle Internet Directory (OID)

A lot of us end up using the superuser 'cn=orcladmin'  to connect to OID for all use-cases.
Certainly this is not the best practice as the superuser 'cn=orcladmin' is a privileged user having way more privileges than are needed for non-admin functions. We should create read-only LDAP users for the following use cases :
  • LDAP Monitoring at the F5/Load Balancer level (LDAP health check using ldapbind) 
  • Use for username/password for Authenticators in Weblogic Console (which are for only authentication purposes)
  • Providing ODSM login capability to non-admin users to view the LDAP Tree (based on allowed ACLs)
  • Any kind of query only LDAP APIs used in Java Code
  • Separate password policies can be created for read-only users which are different from superusers/realm-admins
Only three tabs are visible in ODSM for read-only users : Home, Data Browser, Schema.
Security and Advanced tabs are not visible.


One of the ways in which the read-only users can be created is : 

  1. Create a text file (e.g., readonly.ldif) with the following:
    dn: cn=readonly, cn=Users,< subscriber domain >
    userpassword: < password >
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserV2
    mail: readonly
    givenname: readonly
    uid: readonly
    description: account to have readonly access
    sn: readonly
    cn: readonly

 2. Load the above file with ldapadd command :
ldapadd -h <OID_host> -p <OID_port> -D cn=orcladmin -w <password> -v -f readonly.ldif

Alternatively, we can use the 'Import' function available in Data Browser tab in ODSM .
The key is to make sure the user is not a member of any groups.

3. Check Group Memberships:

To verify the user is NOT a member of any group, issue the following search:

ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s sub -b "" "(uniquemember=<full_user_DN>)" "dn"

4.Confirm that you are able to bind successfully as the newly created user
ldapbind -h <OID_host> -p <OID_port> -D "cn=myadmin,cn=users,dc=oracle,dc=com" -w <password>



Reference : Doc ID 746612.1