Security in the modern day Digital eXperience

What is Digital Experience (DX) ?
Digital experiences have become the cornerstone of just about every customer experience, driven in part by the rapid spread of customer activity among web, mobile, and social channels.The typical user experience has moved beyond desktop and laptop screens to an astonishing and growing array of mobile devices.
In the Oracle World, DX combines WebCenter, ADF including WC Sites, WC Content, WC Sites etc. DX Security should be a no-brainer at the end of this article.

Why do we need DX Security/Use Cases ?

• No defined network perimeter : Network Security spend more than 67% on network security. With digital economy demanding more collaboration and seamless user experience, new points of control need to be introduced : User identities, permissions/ access to IS etc. Cloud Computing and Mobile has further blurred network security.Sensitive data that was secured behind a robust enterprise firewall is now accessible via low-cost smart phones. 

• Transformation of the perimeter : “Businesses now invest in security rather than spend on it. Security architects need to design security systems that complement business policies and processes.” - Chris Gavin, vice president, Information Security, Oracle. 

• A “trust but verify” approach to both enable productivity and address security governance requirements. The objective is to establish one consistent security framework underlying all information systems. Because users and sensitive data are part of every transaction, identity management and database security are the common denominators of addressing most security requirements. 

• Re-architecture of IT within organizations : Most services are being performed via software solutions that are architected in the cloud rather than on-premises requiring real-time exchange of accurate information. Organizations rely on identity management technology to facilitate dynamic trust relationships and support regulatory compliance requirements. 

• Risk-Aware Architectures : Security architects are tasked with developing “risk-aware” architectures that factor in legal liabilities, the privacy of partner and customer data, and regulatory requirements. These security policies ensure that the organization is ready for internal and external audits.

•         Mobile Security :
  o   By 2020, 80 percent of access to the enterprise will be via mobile devices and other non-PC devices, up from 5 percent today.
  o   External providers will authenticate 60 percent of all users connecting with enterprises.
  o   By 2020 there will be more than 50 billion IP-enabled devices in use around the world.

• Internet of things (IoT):According to Vadim Lander, chief identity architect at Oracle, there are three types of security concerns associated with the Internet of Things:
  
  o   Device Identity
  o   Application Identity
  o   User Identity

• Cloud Security : Customers that contract with cloud vendors need to be able to control the identity management process for external applications and on-premises apps via single-sign-on procedures. These solutions should also make it easy to provision and de-provision users and to extend entitlement credentials from on-premises applications to cloud applications. Such controls are even more important when securing databases. According to IDC, 66 percent of today’s most sensitive data resides in relational databases.

• Oracle Security Taxonomy as a measure of good security Design :Latency and consistency are two variables used to measure good security design. The objective is to reduce the latency of change and increase consistency across systems and applications. Oracle engineers hardware and software to work together. This cohesive approach reduces the latency of change and increases consistency. By embedding security technology into every layer of the technology stack and securing the integration between layers, Oracle not only delivers better performance with a smaller footprint, it also provides better security at a lower cost.

An IDM DX Use Case : Oracle DX with API Gateway : WCC and Anti-Virus support for Check-in of Files using OAG as first line of defense.

References : I wished to summarize and set context using the following articles as source :
Security Architecture in the new Digital Experience Whitepaper (Oracle)
Enabling Secure Consumer Mobility (Kanishk Mahajan, Oracle Product Mgmt)

OHS : Periodic OHS/Web Server/WebGate Crash due to cron job incorrectly deleting *.lck files/httpd.pid files

Issue

We faced a very unique issue for one of our OAM Single Sign On implementations wherein , all the OHS Nodes in a cluster setup used to crash every 7th day generating core dumps running into dozens of GBs which potentially used to crash the OHS in addition to the downtime on Production systems.

Stack Trace on OHS/Webgates :

Loaded symbols for /u01/app/orasec/middleware/Oracle_OAMWebGate1/webgate/ohs/lib/libxmlengine.so
Core was generated by `/u01/app/orasec/middleware/Oracle_WT1/ohs/bin/httpd.worker -DSSL'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007fd717f1161f in ObLockFileRelease(void*, bool) ()
  from /u01/app/orasec/middleware/Oracle_OAMWebGate1/webgate/ohs/lib/webgate.so
(gdb) (gdb)

Detailed Analysis of Root Cause 

On detailed debugging and some guidance from Oracle Support, we discovered that this was being caused by a Cron Job which was written to ensure oam_server.out files as well as oblog.log files get deleted every 7 days. This was due to the fact that Oracle doesn't provided log retention policies for these files OOTB.

The path that was used by the Cron Job was <MiddlewareHome>/<Oracle_WebTier>/instances/<instance_name>/diagnostics/logs/OHS/ohs1 which incidentally also hosted the important .lck files (polltracking.lck, oblog.log.lck, ObAccessClient.xml.lck)  and http.pid files [Why Oracle, Why ??!!]

Remember : Removing PID and *.lck files caused instability an is not supported by OAM or OHS.

Solution 

It is not supported to remove httpd.pid and *.lck or log files that are created by a running instance while it is running - 

1.  Setup up logging to another location where lock file and httpd.pid and other process files do not exist, if it's a cron job or something else is used to remove those files. In our case we explicitly called out the files which needed to be deleted instead of running the cronjob on a folder.

2.  Use documented log rotation methods as much as possible ( The files in question though don't have OOTB options)

References  - 

OHS Segfault 11 Core Dumps ObLockFileRelease Webgate.so 5-7 Days (Doc ID 1985491.1)
http://oracleoam.blogspot.com/2014/07/lock-files-in-oam-11g-r2ps2_5.html

OAM : Oracle Traffic Director Licensing for Oracle Access Portal

Starting with Oracle Access Manager (OAM) 11.1.2.2.x , the license includes Oracle Access Portal Service.

What is Oracle Access Portal (OAP) ?
The Access Portal Service is a hosted single sign-on proxy service that enables intranet and extranet applications with Oracle's form-fill single sign-on technology. Web Logon Manager, available as a standalone download from Oracle Support, provides end-users with the ability to create, modify, and delete application credentials as well as log on to provisioned applications through both desktop and mobile browsers. Available from 11gR2 PS2.

What is Oracle Traffic Director(OTD)  ? 
Oracle Traffic Director is a fast, reliable, and scalable layer-7 software load balancer. The architecture of Oracle Traffic Director enables it to handle large volumes of application traffic with low latency. The product is optimized for use in Oracle Exalogic Elastic Cloud and Oracle SuperCluster.

OTD and OAP
For enabling the Oracle Access Portal Service, Oracle traffic Director (OTD) is mandatory as it intercepts user connections to the target application and provides path-proxy and DNS-proxy functionality, allowing for path and DNS rewriting.  It also hosts the WebGate plugin.

OTD Licensing for OAP
Though OTD is primarily licensed only for Exalogic , following are exceptions -

• The Oracle Traffic Director portion of the Oracle Access Portal is restricted to the following features: High Availability Virtual IP, Access Manager WebGate, and Origin Server Load Balancing to WebLogic Server.
• IDM Oracle Access Portal (OAP) license entitlement now includes OTD to be a front-end on Oracle Enterprise Linux 5.6+, Redhat Enterprise Linux 5.6+ and Solaris (SPARC, x64) 11.1+.
  Access Management Licensing - http://docs.oracle.com/cd/E29542_01/doc.1111/e14860/im_options.htm#FMWLC240

Reference :

http://docs.oracle.com/cd/E28280_01/doc.1111/e14860/im_options.htm#FMWLC239

Is Oracle Traffic Director (OTD) Available/Licensed to use for a Non Exalogic setup? (Doc ID 1500970.1)

Oracle API Gateway (OAG) : Concept & marriage with SOA & Mobile

Oracle API Gateway is a standards-based, policy-driven, standalone software security solution that provides first line of defense in Service-Oriented Architecture (SOA) environments.

It enables organizations to securely and rapidly adopt Cloud, Mobile and SOA Services by bridging the gaps and managing the interactions between all relevant systems.

Oracle Web Services Manager(OWSM) is generally used for application security of a particular service,most customers have any use cases around DMZ or Perimeter Security for Web Services. This product serves as a part of the enterprise security solution.

This would be typically for customers needing access to web services from the internet, similar to how we access a web application. OAG can do a  lot of validations
and route the requests only once those checks have passed. This may also be a typical use case for Mobile Applications which use REST Web Services at the backend.

I have seen a strong value in this security product for all SOA and Mobile projects.

Here’s a high-level request flow :

There are many advantages that OAG can provide :

–   Authentication, Authorization (Leverages existing LDAP like AD ; existing IDM platforms for this – RSA AM, CA Site Minder, Oracle Access Mgr)

–   XML Acceleration, Throttling, Caching, Protocol translation (REST to SOAP and vice versa), Dynamic routing, SLA enforcement

–   Identity Propagation and Credential Mapping , Filter threatening content (XML Bombs, DOS Attacks, Virus)

Oracle OEMs (or Original Equipment Manufacturing) the OAG product from AxWay – AxWay’s gateway product is rebranded for Oracle as OAG, and is almost identical.

Quick Demo : https://www.youtube.com/watch?v=MWunxvZnB1A

Oracle  Datasheet

Automated Security deployment : Oracle IAM Deployment Wizard

With the release of Identity & Access Management suite 11g R2 PS2 (11.1.2.2.0), Oracle has released a new deployment tool to automate the installation and configuration of products related to the IAM suite.

This tool is named Oracle Identity and Access Management Deployment Wizard.

Key insights –

1. Installs & Configures - OIM , OAM , OUD , OHS , Webgates etc.Also creates basic Users & groups in OUD , configures OUD as Identity store for OAM.
2. You will need to download a completely separate set of software for this. The normal Identity & Access Management suite download packages won’t work.If you go to Oracle Download page for 11.1.2.2.0, here, you will see at the bottom a section for the Deployment Repository
3. This 12GB package contains everything you will need: The IAM Suite, RCU, WebLogic, JDK, WebTier, WebGate (11g), SOA, OUD, and of course, the Deployment Wizard.
4.  If everything goes well, it will take approximately 6 hours to do everything. If this seems long, keep in mind that it’s installing OAM,OIM,OUD , configuring them, integrating OIM and OAM, setting up LDAPSync, SSL enabling some components, configuring OHS with Webgate, configures WebLogic Authentication Providers, performs some light performance tuning, does OUD reconciliation
5.  Supports both Single Node & HA configurations.

Checkout this blog for more details, limitations etc. !

OAM Single-Sign-On (SSO) Deployment Architecture : Best Practice

Recently I came across couple of OAM Deployment Architectures which have been implemented and can potentially cause multiple issues - 

• Using the same OHS Instance which has a webgate deployed on it for reverse proxy to OAM Servers in addition to the target application which needs to be protected (e.g. WebCenter)
• Front-ending OAM Servers directly with an external Load Balancer(LBR) skipping the Web Server layer altogether

Ideally, OAM should be front-ended by a web server/OHS instance of it's own to 

• Allow separate streams of HTTP traffic(in addition to one for Application) 
• Scale the SSO architecture to other target applications - 
• In case the same OAM Server is used for a new application which needs to be SSO enabled as well, the standalone OHS which just services requests to OAM (and doesn't have any webgate on it) is a must!
• This would also ensure that any files needed to be cached (like javascript, css etc) for any OAM related applications can be cached at the OHS layer

(Image Courtesy : A-Team Blog) 

If we have to use a Load Balancer(LBR) to directly front-end the OAM Server instead of an intermittent OHS(probably due to cost constraints), we should have this LBR within the corporate network (in addition to an external LBR which front-ends the other OHS instance(s) for applications) and not in the DMZ to prevent the security risk of an external LBR based in the DMZ exposing the OAM located in the Application Tier directly.

Courtesy  :
1) Forum Post which was logged as few items in the A-Team blog mentioned below were not crystal clear
2) A-Team Blog

OAM 11gR2 / 11.1.2.2 : Redirection to favicon.ico screen after authentication to a Portal

Scenario - After login to the Portal using OAM 11gR2PS2 login to access a protected resource for the first time (page not cached in browser), the end user is redirected to the favicon.ico url instead of the resource url. The browser needs to be refreshed with the Portal URL to get this to navigate to the Portal home page as expected.

Also if the favicon.ico is not present in the OHS /htdocs folder a 404 may also appear.

It was initially tricky to figure out that this issue was related to permissions in OAM. But if we remove the webgate entry from httpd.conf (i.e. Security layer is bypassed), we can confirm that this issue doesnot occur which means OAM is playing up here.

Cause -
This is caused by the favicon.ico being protected by OAM. 
If it's not in the browser cache, the client browser will fetch the favicon.ico resource on the server. It will get the favicon before the page, setting incorrectly the end_url parameter, redirecting to the favicon url instead of the resource url.

Solution -
Make sure that favicon.ico is created in <OHS_INSTANCE>/config/OHS/ohs1/htdocs/  folder so that there is no 404 ever. This is the icon which shows besides the website address.

Then, create a resource definition in OAM as documented in http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/app_domn.htm#CACJJGCA 
1) set type as HTTP
2) define resource URL to /favicon.ico
3) set protection level to "excluded"  (More about excluded resources here )

Reference - Oracle Support Document 

OAM 11.1.2.2 (11gR2) - System error after submitting credentials from Custom Login Page

Scenario : Standard Custom Login Page doing form post to /oam/server/auth_cred_submit with username/pwd and 'request_id' in cookie.

Issue - Sporadic redirection to an error page with 'System Error has occurred' message with details -

[oam_server1] [TRACE] [] [oracle.oam.binding] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 004sto37QpzDoYX5HvH7if00063I00002b,0:2] [SRC_CLASS: oracle.security.am.pbl.protocol.plugin.oam.AMFailureResponseHandler] [APP: oam_server#11.1.2.0.0] [SRC_METHOD: processResponse] [URI: /oam/server/auth_cred_submit] OAM-02073[[

oracle.security.am.common.utilities.exception.AmRuntimeException: OAM-02073
at oracle.security.am.engines.enginecontroller.AuthzEngineController.checkProtected(AuthzEngineController.java:438)
at oracle.security.am.engines.enginecontroller.AuthzEngineController.processEvent(AuthzEngineController.java:177)
at oracle.security.am.controller.MasterController.processEvent(MasterController.java:570)
at oracle.security.am.controller.MasterController.processRequest(MasterController.java:759)

Solution - 

As per Support Document Id 1578776.1-

"Verify that the custom login page is submitting the credentials to /oam/server/auth_cred_submit with the correct OAM Server Host and Port.The OAM_SERVER_HOST.DOMAIN and SSLPORT values should match those configured in the OAM Console -> System Configuration -> Access Manager Settings page for Load Balancing OAM Server Host and OAM Server Port.”

In  my case, the form post URL was pointing to https://<host>/oam/server/auth_cred_submit.

Once I had it changed to https://<host>:443/oam/server/auth_cred_submit, (adding missing port) this issue got resolved.

Please check the above support document for some other causes for this issue.

OAM 11gR2 : Single-Sign-On to an internal Portal, logging in from an external facing public Portal

A common requirement for many Portal clients -

Allow single signed on access to an Internal Portal, with the user logging in from an external portal using a custom login form (one at the top right corner of the screen).

Why is this not straight forward ?

Well, you might ask what's the big deal with this. Isn't this a standard custom login page being implemented ? Nope, a standard OAM Custom Login page posts to the /oam/server/auth_cred_submit URL endpoint alongwith request_id as a parameter which contains the details of the protected resource to which it should navigate on successful authentication. In short, the protected page was solicited by the user, and after a series of redirects it lands at the custom login page. Once the user authenticates successfully, the resource is picked up from the request_id parameter and navigated to.

In the above scenario, the user needs to navigate to a resource which was not solicited.e.g. The user requested for  www.oracle.com and after logging in needs to navigate to oracle.com/EmployeePortal.

This introduces the concept of Unsolicited Login -

Unsolicited Login is used when we want to authenticate user without any request_id or resource. The page which is navigated to, upon successful authentication is not the one which was initially solicited hence the name Unsolicited Login.

This feature has been introduced by Oracle in 11gR2 (11.1.2.x series). Prior to 11gR2, this feature would need to be custom built.

Following are the steps needed to enable this feature in OAM :
1. Enable Direct Authentication for OAM.

Navigate to OAM Domain for your installation, under config/fmwconfig/oam-config.xml, ensure that ServiceStatus under DirectAuthenticationServiceDescriptor is set to true. (DirectAuthenticationServiceDescriptor is under OAMServicesDescriptor).

It is highly recommended that, you first stop the Admin Server and OAM Cluster before you make any changes to the oam-config.xml. Further, it is sufficient to do the above changes in the oam-config.xml under the AdminServer/config/fmwconfig incrementing the Version field by 1. Once you have restarted the AdminServer and the OAM Clusters, the oam-config.xml for OAM Cluster will get automatically updated.

2. Submit the following information to the endpoint via Custom Login Form (External Public facing Portal Page) https://oam_host:oam_port/oam/server/authentication:

a.      username

b.      password

c.       successurl, for example, http://machinename.mycompany.com:7778/sample-web/headers.jsp.

Code Example

<form id="loginForm" name="loginForm" action="http://OAMHost:Port/oam/server/authentication" method="post" hidden="true" >

<input id="username" type="text" name="username" />

<input id="password" type="password" name="password" />

<input id="successurl" type="text" name="successurl" value="http://chinni-pc:7777/"/>

<input type="submit" value="submit" />

</form>

You can use the above code bit in a JSP and package it within the same Custom Login Page app archive used for the Internal Portal. This will need to be re-deployed to the Weblogic Server for the functionality to work.

 In case you would like to use it in an external Portal page which is an HTML or the like you can iframe the above code as a JSP.

Once the credentials are validated, OAM Server redirects to the success URL after setting OAM_ID cookie as part of HTTP redirect (HTTP response code 302).

Note – Internal Portal Login page or code does not need to be changed.

3. To allow direct authentication only for POST, or vice-versa:

i)        Login to Oracle Access Management administration console and navigate to Policy Configuration, then Application Domains.

ii)      Select edit default application domain IAMSuite. Navigate to Resources, then search and edit resource /oamDirectAuthentication.

iii)    Under Operations, de-select all operations that are not to be supported, except POST. For example, GET, DELETE.

iv)    Make sure that the AuthenticationPolicy for the /oamDirectAuthentication points to the same AuthenticationScheme as for the Internal Portal.

If the above is not present in your OAM environment, please create it similar to the screenshots below.

Once user logs in, user will be redirected to successurl.

4. The URL pattern of the external Public facing Portal needs to be marked as ‘Unprotected’ with a ‘PublicAuthenticationPolicy’ which uses an ‘Anonymous Scheme’.

The internal Portal would continue to be as-it-is marked ‘Protected’ with a ‘PrivateAuthenticationPolicy’ pointing to the relevant ‘LDAPScheme’.

The above would need to be done within the appropriate ‘Application Domain’ which is used for the Portal.

In screenshot below, /ssologin/.../* represents the URL pattern for an External public facing Portal.

Oracle Documentation References

http://docs.oracle.com/cd/E27559_01/dev.1112/e27134/custpages.htm#AIDEV6382

http://fusionsecurity.blogspot.com/2012/12/unsolicited-login-with-oam-11gr2.html#more

http://fusionsecurity.blogspot.com/2012/04/unsolicited-login-with-oam-11g.html 

Screenshots from a POC on this
Below are the screenshots and summary from a POC done on OAM 11.1.2.2 with WebCenter Portal/Spaces 11.1.1.8.3 as the Success URL.

The below screenshot represents a public site with a login form. This page is not protected and is meant to represent an external portal.

Once the user enters the required credentials and clicks submit, they will be redirected to a protected resource. The protected resource shown below (WebCenter) is to reflect a protected internal portal.

Shown above, the user has successfully authenticated and has established an SSO session with Oracle Access Manager.

If the protected resource is accessed directly, a separate authentication method/form will be used to challenge the user. 

Oracle Security : Getting Started

Oracle Identity Management(IDM) is a vast collection of products with confusing terminology and it can be difficult to understand where to start. Hope the below links help.

Concepts

Oracle IDM Basics - (Keep clicking to navigate through entire topics)

A few simple Tutorials from Oracle to get started

Oracle IDM Home Page (Source to Datasheets, Whitepapers, Customer Use Cases and various Data)

Installs

Software Downloads Page

Installation Guide 

Issues/Continuous learning of tricky use cases & finer concepts

Oracle IDM A-Team Blogs (Learn tricks of the trade)

Oracle IDM Forums

OnlineAppsDBA Blogs

Oracle Security Facebook Page

Mapping of use cases with products

IDM Customer Success Stories  

Collated IDM 11gR2 Blog Dashboard

Abhishek Gupta's Blog