Automated Security deployment : Oracle IAM Deployment Wizard

With the release of Identity & Access Management suite 11g R2 PS2 (11.1.2.2.0), Oracle has released a new deployment tool to automate the installation and configuration of products related to the IAM suite.

This tool is named Oracle Identity and Access Management Deployment Wizard.

Key insights –

1. Installs & Configures - OIM , OAM , OUD , OHS , Webgates etc.Also creates basic Users & groups in OUD , configures OUD as Identity store for OAM.
2. You will need to download a completely separate set of software for this. The normal Identity & Access Management suite download packages won’t work.If you go to Oracle Download page for 11.1.2.2.0, here, you will see at the bottom a section for the Deployment Repository
3. This 12GB package contains everything you will need: The IAM Suite, RCU, WebLogic, JDK, WebTier, WebGate (11g), SOA, OUD, and of course, the Deployment Wizard.
4.  If everything goes well, it will take approximately 6 hours to do everything. If this seems long, keep in mind that it’s installing OAM,OIM,OUD , configuring them, integrating OIM and OAM, setting up LDAPSync, SSL enabling some components, configuring OHS with Webgate, configures WebLogic Authentication Providers, performs some light performance tuning, does OUD reconciliation
5.  Supports both Single Node & HA configurations.

Checkout this blog for more details, limitations etc. !

OAM 11.1.2.2 (11gR2) - System error after submitting credentials from Custom Login Page

Scenario : Standard Custom Login Page doing form post to /oam/server/auth_cred_submit with username/pwd and 'request_id' in cookie.

Issue - Sporadic redirection to an error page with 'System Error has occurred' message with details -

[oam_server1] [TRACE] [] [oracle.oam.binding] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 004sto37QpzDoYX5HvH7if00063I00002b,0:2] [SRC_CLASS: oracle.security.am.pbl.protocol.plugin.oam.AMFailureResponseHandler] [APP: oam_server#11.1.2.0.0] [SRC_METHOD: processResponse] [URI: /oam/server/auth_cred_submit] OAM-02073[[

oracle.security.am.common.utilities.exception.AmRuntimeException: OAM-02073
at oracle.security.am.engines.enginecontroller.AuthzEngineController.checkProtected(AuthzEngineController.java:438)
at oracle.security.am.engines.enginecontroller.AuthzEngineController.processEvent(AuthzEngineController.java:177)
at oracle.security.am.controller.MasterController.processEvent(MasterController.java:570)
at oracle.security.am.controller.MasterController.processRequest(MasterController.java:759)

Solution - 

As per Support Document Id 1578776.1-

"Verify that the custom login page is submitting the credentials to /oam/server/auth_cred_submit with the correct OAM Server Host and Port.The OAM_SERVER_HOST.DOMAIN and SSLPORT values should match those configured in the OAM Console -> System Configuration -> Access Manager Settings page for Load Balancing OAM Server Host and OAM Server Port.”

In  my case, the form post URL was pointing to https://<host>/oam/server/auth_cred_submit.

Once I had it changed to https://<host>:443/oam/server/auth_cred_submit, (adding missing port) this issue got resolved.

Please check the above support document for some other causes for this issue.

Oracle Identity Mgmt 11gR2 PS2 : New features & Cloud / Mobile Strategy

Source - The live webcast on this topic by Oracle. Here are the updates -

"Oracle IdM R2 PS2 Theme  - Cloud , Mobile , Simplification"

New features in 11gR2 PS2 release  -

1) Cloud Access Portal - a web based application has been added in PS2 release which will enable admins to manage SaaS based cloud applications.

• The login to each application will be using SSO , form-fill technologies & federation capabilities.UI adapts to  various form factors.
• OAM Protects the resources
• When clicked on apps , redirection to logjn page with form fill and auto login.
  
  

2)Session Management features in Oracle Privileged Account Manager (OPAM) - 

OPAM is a whole new set of functionality focused on managing administrative passwords for applications, databases and operating systems.

Session initiation , control & recording have been added in PS2

3) Oracle Mobile Security Suite (OMSS) -

This heavily leverages features and concepts from Oracle's Bitzer acquistion . This is a MAM (Mobile Application Management) solution.

• The onus is on application centric security as opposed to device centric security.
• Introduces a new concept called the Secure Mobile Workspace which containerizes all corporate applications with a single login .
• Builds on the BYOD concept where in employees can use their personal devices / phablets to access corporate apps/data.
• Fine grained policy control using Oracle Mobile Access/Admin Console with new features like geo-fencing , time-bound access to workspace etc.
• Enterprise wide Identity management solution is extended to mobile devices
• Oracle API Gateway (OAG) support for RESTful IdM services.
• DLP Support
• Core apps for Email, Calendar, Contacts, Tasks, Notes.

4) Oracle Mobile Authenticator

• Adds strong authentication features for SSO enabled apps
• Uses changing PIN every 30 seconds for registered apps
• Integration with OAM
• Available on Android and iOS

5) Improved & fully integrated OAuth 2.0 Support for authorization -client , server , 2 legged or 3 legged authorization.

6) Automated IdM Suite install

• 2 hours for single node  , 8 hours for 8 node HA cluster.
• Patching support
• Standard builds
• No additional license needed , feature is supposedly OTB using Wizards and components to be installed can be configured.

General 11gR2 IdM strategy from Oracle

To provide a unified Identity Management platform for Cloud , Enterprise and Mobile Applications.

Useful Links

https://blogs.oracle.com/OracleIDM/entry/major_themes_of_the_idm https://blogs.oracle.com/OracleIDM/entry/what_s_new_in_ps2 OMSS Webcast - http://medianetwork.oracle.com/video/player/3442504861001 Link to this webcast

P.S. Source of images Oracle Webcast , intention only to share the information.

Oracle Mobile Security Suite (OMSS)

Oracle launched OMSS on Feb 26th , 2014 and had a webcast few days back detailing its features. Here are few details - 

Overview -

Oracle Mobile Security Suite (OMSS) addresses the BYOD challenges by isolating corporate from personal data on consumers’ personal mobile devices without

needing to lockdown the entire device.

Oracle’s Mobile Security Container technology protects corporate apps and data and enables a Secure Enterprise Workspace that meets enterprise security

requirements without compromising user experience. It offers the most integrated solution with Windows® authentication and Oracle Access Manager

infrastructure for secure Single Sign-on (SSO) to corporate applications.

The entire solution includes -

1)A BYOD,employee-centric mobile security suite that separates personal apps from secure,“containerized” corporate

,“off-the-shelf” apps and data avoiding device lock-down.Containerized apps are Oracle and/or third -party enterprise

applications accessed by employees through the corporate network(intranet).

2) A consumer - centric mobile and social service that provides a software development kit (SDK) allowing corporate

developers to secure custom enterprise apps for Apple’s iOS and Google’s Android devices, bridging the gap between mobile devices,

social networks, and the enterprise’s backend identity management infrastructure.

Key Identifiers -

1)Comprehensive set of security policies providing strong authentication, encryption and DLP (Data Leak Prevention) controls .

2)Containerization (apps are containerized and only one time login into a container is needed).

2)Secure Enterprise Workspace which houses all the corporate apps.

3)Single Sign-on (SSO) with Integrated Windows Authentication (Kerberos and NTLM) and OAM authentication (Basic Auth and OAuth 2.0) 

4)AppTunnel that eliminates need for mobile VPN and protects from rogue apps.

5)Mobile Security Access Server is located in the DMZ which redirects unauthenticated requests to appropriate Oracle Mobile Security containers.

7)Mobile Security Admin Console for Locking , providing access , remote wipe of corporate container.

8)New and useful features like geo-fencing and time-fencing available in admin console.

9)Leverages the existing IDM Architecture - talks to Directory Services(OID/OUD/AD) , apps can be protected by OAM and/or OIF.

10)Container has OOTB apps like Secure Browser , Catalog , Mail Mgr etc.

11)OMSS can be deployed on Oracle Enterprise Linux or Microsoft Windows.

12)Android 4.x and above including 4.4/KitKat compatibility

13)The Oracle Mobile Security Suite components are distributed across the corporate DMZ and the enterprise intranet (or corporate network)

14)This is a mobile application management (MAM) solution which has various advantages over MDM(Mobile Device Mgmt) solutions like Airwatch

like separate container for coprporate apps , no requirement of device locking , data privacy etc.

Architecture - 

The recently rechristened Oracle MAF is tightly integrated with OMSS.

Useful Links -

OMSS Webcast	OMSS Whitepaper	OMSS Oracle Home Page	OMSS Data Sheet	Oracle Mobile & Social (packaged with OAM)	OMSS Linux Install	OMSS 3.0 new features

P.S. Source of images Oracle Webcast , intention only to share the information.