Thursday, July 9, 2015

How to retrieve the .oamkeystore (OAMStore) password in OAM 11.1.2.3?

It was an easy task in pre-11.1.2.3 releases to retrieve the .oamkeystore (OAMStore) password. The steps for retrieving the .oamkeystore (OAMStore) password are:

  1. Invoke the WLST command shell.
  2. Execute the connect() command.
  3. Once connected, run listCred(map="OAM_STORE", key="jks").
From OAM 11.1.2.3 onward, the listCred() WLST command is no longer supported, so you have to retrieve the .oamkeystore (OAMStore) password programmatically. You can refer to the following sample code. The compile and execute instructions

Wednesday, June 10, 2015

How to fix "Authentication denied: Boot identity not valid" in Weblogic?

If you are getting the following errors while starting the WebLogic Admin Server or a Managed Server, the fix below will help.

<Jun 10, 2015 11:34:47 PM PDT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
<Jun 10, 2015 11:34:47 PM PDT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
        at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
        at weblogic.security.SecurityService.start(SecurityService.java:141)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Authentication Failed: User weblogic weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090295]caught unexpected exception
        at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:251)
        at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native



Solution:

1. Take a backup of boot.properties and delete it from the <DOMAIN>/servers/<Managed Server>/security directory.
2. Take a backup of the ldap directory and delete it from the <DOMAIN>/servers/<Managed Server>/data directory.
3. Start the WebLogic Server and the Managed Server. With boot.properties removed, the server prompts for the user name and password at startup and writes a fresh boot.properties with encrypted values.
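The two backup-and-delete steps as a small script (an added example, not part of the original post): it moves the server's boot.properties and embedded-LDAP data directory into a timestamped backup directory instead of deleting them outright, so they can be restored if the restart does not behave as expected. The domain path and server name are arguments; the backup directory name is my own choice.

```python
import shutil
import sys
import time
from pathlib import Path

def reset_boot_identity(domain_dir: str, server_name: str) -> dict:
    """Steps 1 and 2 of the fix for one server: move its boot.properties and its
    embedded-LDAP data directory into a timestamped backup directory under the
    server directory. Returns the backup location and what was moved. Step 3,
    restarting the server, is left to the administrator."""
    server_dir = Path(domain_dir) / "servers" / server_name
    if not server_dir.is_dir():
        raise FileNotFoundError("no such server directory: %s" % server_dir)
    targets = {                                    # the two artefacts named in the fix
        "boot.properties": server_dir / "security" / "boot.properties",
        "ldap": server_dir / "data" / "ldap",
    }
    backup_dir = server_dir / ("boot-identity-backup-" + time.strftime("%Y%m%d-%H%M%S"))
    backup_dir.mkdir(mode=0o700)                   # boot.properties holds (encrypted) credentials
    moved = {}
    for label, path in targets.items():
        if path.exists():                          # skip artefacts that are already gone
            dest = backup_dir / path.name
            shutil.move(str(path), str(dest))
            moved[label] = str(dest)
    return {"backup_dir": str(backup_dir), "moved": moved}

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: reset_boot_identity.py <DOMAIN_DIR> <SERVER_NAME>")
    result = reset_boot_identity(sys.argv[1], sys.argv[2])
    print("backed up to", result["backup_dir"], "moved:", ", ".join(result["moved"]) or "nothing")
    print("now start the WebLogic Server and then", sys.argv[2])
```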

Friday, April 24, 2015

OAM 11g OAP/NAP Tunneling

Which components are affected?

OAM, WebGate, Endpoints

What is OAP/NAP Tunneling in OAM?

WebGate forwards an HTTP request to OAM as an OAP/NAP call to the OAM Proxy.

How does OAP/NAP Tunneling work?


  1. The tunneled URLs are configured in the WebGate profile.
  2. Each URL is mapped to a servlet or JSP page on the OAM server.
  3. On accessing a tunneled URL, WebGate intercepts the request; the HTTP request is converted to an OAP request and forwarded to the OAM server.
  4. The OAM server (OAM proxy) receives the OAP request and passes it to the Tunnel proxy.
  5. The Tunnel proxy converts the OAP request to an HttpServletRequest and invokes the servlet (the compiled servlet of the JSP file, in the case of a JSP).
  6. The response is converted back to an OAP message and passed back to the OAP endpoint.
  7. WebGate converts the OAP message back to an HTTP response.
  8. WebGate returns the HTTP response to the caller (browser).



How do I configure NAP/OAP Tunneling in OAM?


Prerequisite: an OAM R2PS2 WebGate or higher must be installed and configured with OAM R2PS2 or higher. The OAM endpoint (application) must be deployed on the OAM Server.


  1. Install and configure OAM and WebGate.
  2. Deploy an endpoint (application JSP/servlet) on the OAM Server.
  3. Add a user-defined parameter to the WebGate profile from the OAM admin console: set TunneledUrls=/MyApp,MyApp1
  4. Set a Public resource policy for the /MyApp,MyApp1 URLs (tunneled URLs) for both Authn and Authz in the Application Domain.
  5. You are now set; you can access the tunneled URL using <WebGate Webserver Host>:<port>/MyApp.


Where can I use OAP/NAP Tunneling?


It can be used in a DCC WebGate for tunneling the ECC login servlets. This is achieved by setting TunneledUrls=/oam and setting a Public resource policy for the /oam URL (tunneled URL) for both Authn and Authz in the Application Domain. Then update the DCC Authentication Scheme: set the Challenge Redirect URL to http://<DCC Host Name>:<Port>/oam/server/ and the Challenge URL to /pages/login.jsp.

It is also used for the integration of OAM with OAAM, OIM and OIF using DCC.

Isn't it correct to say OAM tunnelling is a proxy?

Yes, it has limited proxy capability.

Tunneling vs Proxy?

In my opinion, you should go for tunneling if you have an integration environment of Oracle components such as OAAM, OIM and OIF.

Use a proxy if your endpoints are your own custom applications.

Monday, April 6, 2015

OAM 11g .NET Integration - Part 2

Why is it different from OAM 11g .NET Integration?

.NET application developers need not worry about handling roles and identity in their code. Authentication, authorization, session management and SSO are handled by the OAM infrastructure. This mode of deployment decouples application development from access-management responsibilities. Isn't it cool?

How to integrate?

Prerequisite:

  1. OAM R2PS2 or higher, IIS 11g R2PS2 WebGate, OAM IISImpersonationModule.dll and ObPrincipalHttpModule.dll (optional).
  2. IIS 7.x or higher.
  3. A .NET application.
  4. Active Directory.
Integration Steps:

  1. Deploy the .NET application on the IIS Site.
  2. Install and configure the OAM Server and the OAM WebGate for IIS.
  3. Configure the IISImpersonationModule.dll native module for the Site hosting the .NET application.
  4. Add the SharePoint user name and password in the OAM WebGate profile in the OAM admin console.
  5. Add an authz policy for success and set the HTTP header "IMPERSONATE" to $user.userid.
  6. [Optional] If you are going to use Roles instead of Identity, then use ObPrincipalHttpModule.dll and set the configuration (web.config) as described in the previous post.
  7. Make sure that the IIS Site -> Authentication -> Provider has ASP.NET Impersonation enabled.




Saturday, March 28, 2015

OAM 11g .Net Application Integration


OAM 11g supports OOTB integration with .NET applications, including MVC and Silverlight applications. The OAM principal and roles can be consumed by the .NET application using the OAM .NET connector, aka ObPrincipalHttpModule.

Prerequisite:

  1. OAM R2PS2 and IIS 11g R2PS2 WebGate.
  2. IIS 7.x or higher.
  3. A .NET application that calls the Context.User.IsInRole("SomeOAMRole") API.
  4. .NET 4.0

OAM .Net Application Integration Steps

  1. Create a .NET application and deploy it on the IIS web server.
  2. Create an OAM Authz Policy that sets OAMHttpModule Role=<SomeRole>&Role=<someRole>.
  3. Add ObPrincipalHttpModule.dll to the Global Assembly Cache (GAC) on the IIS box. The command is
     gacutil -i ObPrincipalHttpModule.dll
     Command to verify that ObPrincipalHttpModule has been added to the GAC:
     gacutil -l | grep ObPrincipalHttpModule
  4. Update the web.config of the IIS Site hosting the .NET application. (Note: the web.config of the .NET application itself can also be modified to add ObPrincipalHttpModule.) The following should be added inside the <configuration> element of web.config.

For Integrated (IIS Application) Mode:
<system.webServer>
  <!-- <customErrors mode="Off" /> -->
  <modules>
    <add name="OAMHttpModule" type="Oracle.OAM.Agents.OAMHttpModule,ObPrincipalHttpModule, Version=12.0.0.0, Culture=neutral,PublicKeyToken=99645062befa5197" />
  </modules>
</system.webServer>

For Classic (IIS Application) Mode:
<system.web>
  <httpModules>
    <add type="Oracle.OAM.Agents.OAMHttpModule,ObPrincipalHttpModule, Version=12.0.0.0, Culture=neutral,PublicKeyToken=99645062befa5197" name="OAMHttpModule" />
  </httpModules>
</system.web>

Wednesday, February 25, 2015

OAP/NAP Analysis using Wireshark - Part 2

How to identify the ciphersuite used in OAP/NAP for Simple & Cert Mode Communication?


  1. Capture the OAP/NAP messages as described in the previous post.
  2. Open the tcpdump capture file (/tmp/wg.cap) in Wireshark.
  3. Once the file is open in Wireshark, click Analyze -> Decode As, then select SSL.
  4. Find the Client Hello packet in Wireshark, as shown in the screenshot. The Client Hello is part of the SSL handshake and lists the cipher suites the WebGate offers.
     (Screenshot: Client Hello)
  5. Find the Server Hello packet in Wireshark, as shown in the screenshot. The Server Hello is part of the SSL handshake and names the single cipher suite the OAM Server selected for the connection.
     (Screenshot: Server Hello)
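To read the negotiated suite straight from the bytes, here is an added example (not from the original post) that parses the TCP payload of one ClientHello or ServerHello record, e.g. the bytes Wireshark shows under "data" or copies as a hex stream, and reports the offered or selected cipher suite. The two sample records are constructed inline, not captured from a WebGate/OAM exchange, and the suite-name table covers only a handful of IANA values.

```python
import struct

# A handful of IANA cipher-suite values for readable output; anything else is
# reported as its raw hex code. (Illustrative table, not exhaustive.)
CIPHER_SUITE_NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (type 1) or ServerHello (type 2).
    Returns the message type, the (major, minor) protocol version in the Hello
    body (3,1 = TLS 1.0, 3,3 = TLS 1.2) and the cipher suite(s) it names."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    version = (body[0], body[1])
    pos = 2 + 32                                       # skip version and 32-byte random
    pos += 1 + body[pos]                               # skip length-prefixed session id
    if hs_type == 1:                                   # ClientHello: list of offered suites
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
        kind = "ClientHello"
    elif hs_type == 2:                                 # ServerHello: the one selected suite
        suites = [struct.unpack("!H", body[pos:pos + 2])[0]]
        kind = "ServerHello"
    else:
        raise ValueError("handshake type %d is not a Hello" % hs_type)
    return {"type": kind, "version": version,
            "suites": [CIPHER_SUITE_NAMES.get(s, "0x%04X" % s) for s in suites]}

# Constructed sample records (not captured from a real WebGate/OAM exchange):
# record header | handshake header | version | 32-byte random | session id | suites | compression
_RANDOM = bytes(range(32))
CLIENT_HELLO = (bytes([0x16, 3, 1, 0, 47]) + bytes([1, 0, 0, 43]) + b"\x03\x01" + _RANDOM
                + b"\x00" + b"\x00\x04\x00\x2f\x00\x35" + b"\x01\x00")
SERVER_HELLO = (bytes([0x16, 3, 1, 0, 42]) + bytes([2, 0, 0, 38]) + b"\x03\x01" + _RANDOM
                + b"\x00" + b"\x00\x2f" + b"\x00")

if __name__ == "__main__":
    for rec in (CLIENT_HELLO, SERVER_HELLO):
        print(parse_hello(rec))
```

Compare the ServerHello result against your hardening baseline; a selected suite that is absent from your approved list is the thing to flag.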

Thursday, February 19, 2015

OAP/NAP Analysis using Wireshark - Part 1

There are two ways to capture OAP/NAP messages between WebGate and the OAM Server.

  1. Live capture of the OAP/NAP messages.
  2. Take a tcp dump and then analyse the OAP/NAP messages.


1. Live capture of the NAP messages.

i. Start Wireshark.
ii. Go to Capture Menu -> Interfaces, select the device and click Start to capture the traffic. This starts capturing all packets on the selected device.
iii. Go to Capture Menu -> Capture Filters and select a filter to capture traffic for a particular host and/or port. Here you need to provide the host/IP and/or port of the OAM Server.
iv. You will get the captured traffic list; the "ora-oap" traffic is the NAP message. A sample line is:

10 0.005353 192.168.99.26 192.168.80.199 TCP 62 56830 > ora-oap [PSH, ACK] Seq=1 Ack=1 Win=65536 Len=5

Click on the TCP message summary and the details of the NAP message will be displayed in the middle window of Wireshark. Click on "data" in the middle window to view the payload of the NAP message.

v. Click Capture menu -> Stop once you are done.

2. Take a tcpdump and then analyse the NAP messages.

i. Take a tcp dump of the traffic on the OAM Server box using the following command:

/usr/sbin/tcpdump -i any -s 65535 -w <file location of dump file> port <OAM Server proxy port>

e.g. /usr/sbin/tcpdump -i any -s 65535 -w /tmp/wg.cap port 5575

You need root privileges to run this command; use sudo.

ii. Once the capture is done, stop it with Ctrl + C.
iii. Transfer the tcp dump file to your local box.
iv. Open the dump file using Wireshark.
v. You will get the captured traffic list; the "ora-oap" traffic is the OAP/NAP message. A sample line is:

10 0.005353 192.168.99.26 192.168.80.199 TCP 62 56830 > ora-oap [PSH, ACK] Seq=1 Ack=1 Win=65536 Len=5

Click on the TCP message summary and the details of the OAP/NAP message will be displayed in the middle window of Wireshark. Click on "data" in the middle window to view the payload of the OAP/NAP message.