Friday, April 24, 2015

OAM 11g OAP/NAP Tunneling

Which components are affected?

OAM, WebGate, Endpoints

What is OAP/NAP Tunneling in OAM?

WebGate forwards an HTTP request to OAM by wrapping it in an OAP/NAP (Oracle Access Protocol / NetPoint Access Protocol) call to the OAM Proxy, so a URL served by the OAM server can be reached through the WebGate's web server without a separate HTTP connection.

How does OAP/NAP Tunneling work?


  1. The tunneled URLs are configured in the WebGate profile.
  2. Each tunneled URL is mapped to a servlet or JSP page on the OAM server.
  3. When a tunneled URL is accessed, WebGate intercepts the request, converts the HTTP request into an OAP request and forwards it to the OAM server.
  4. The OAM server (OAM Proxy) receives the OAP request and passes it to the Tunnel Proxy.
  5. The Tunnel Proxy converts the OAP request into an HttpServletRequest and invokes the servlet (the compiled servlet, in the case of a JSP file).
  6. The response is converted back into an OAP message and passed back to the OAP endpoint.
  7. WebGate converts the OAP message back into an HTTP response.
  8. WebGate returns the HTTP response to the caller (browser).



How do I configure NAP/OAP Tunneling in OAM?


Prerequisite: an OAM R2PS2 WebGate or higher must be installed and configured against OAM R2PS2 or higher. The OAM endpoint (application) must be deployed on the OAM server.


  1. Install and configure OAM and WebGate.
  2. Deploy an endpoint (a JSP/servlet application) on the OAM server.
  3. Add a user-defined parameter to the WebGate profile in the OAM admin console: TunneledUrls=/MyApp,MyApp1
  4. Assign the Public resource policy for the /MyApp and MyApp1 URLs (the tunneled URLs), for both Authn and Authz, in the Application Domain.
  5. You are now set; the tunneled URL can be accessed as <WebGate Webserver Host>:<port>/MyApp.


Where can I use OAP/NAP Tunneling?


It can be used in a DCC WebGate to tunnel the ECC login servlets. To do this, set TunneledUrls=/oam, assign the Public resource policy for the /oam URL (the tunneled URL) for both Authn and Authz in the Application Domain, then update the DCC authentication scheme: set the Challenge Redirect URL to http://<DCC Host Name>:<Port>/oam/server/ and the Challenge URL to /pages/login.jsp.

Integration of OAM with OAAM, OAM with OIM and OAM with OIF using DCC.
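The configuration steps above and the DCC setting (TunneledUrls=/oam) share one requirement: every tunneled URL must be assigned the Public resource policy for both Authn and Authz, otherwise WebGate tries to enforce access before the request is ever tunneled. The following is an added example, not Oracle code and not from this blog, that models only what the page describes: it parses the TunneledUrls parameter value, decides whether a request path falls under a tunneled prefix, and reports tunneled URLs that are not assigned the Public resource policy. The policy mappings are constructed dicts; the assumed policy names ("Public Resource Policy", "Protected Resource Policy") and the prefix-matching rule are assumptions made here, not taken from the OAM documentation.

```python
"""Check an OAM 11g WebGate tunneling configuration (added example).

Models the two settings the procedure touches:
  * the WebGate user-defined parameter  TunneledUrls=/MyApp,MyApp1
  * the Application Domain resource policies that must be Public
    for those URLs in both Authn and Authz.
Policy data is constructed inline; nothing is read from an OAM server.
"""

# Assumed policy names used in the constructed data below.
PUBLIC_POLICY = "Public Resource Policy"
PROTECTED_POLICY = "Protected Resource Policy"


def parse_tunneled_urls(value):
    """Split the comma-separated TunneledUrls value into normalised paths.

    The page writes the second entry without a leading slash
    (/MyApp,MyApp1), so a missing slash is added rather than rejected.
    Empty entries (e.g. a trailing comma) are dropped.
    """
    urls = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not entry.startswith("/"):
            entry = "/" + entry
        urls.append(entry)
    return urls


def is_tunneled(path, tunneled_urls):
    """True if the request path equals a tunneled URL or lies under it.

    Prefix matching is done on path segments, so /MyApp does not match
    /MyAppX (assumed behaviour, chosen to avoid over-broad matches).
    """
    for prefix in tunneled_urls:
        base = prefix.rstrip("/")
        if path == base or path.startswith(base + "/"):
            return True
    return False


def check_tunnel_policies(tunneled_urls, authn, authz):
    """Report tunneled URLs that are not Public in both policy types.

    authn / authz map a resource URL to the policy name it is assigned.
    A URL missing from a mapping is treated as not Public, because the
    domain's default for an unlisted resource is to protect it.
    """
    findings = []
    for url in tunneled_urls:
        if authn.get(url) != PUBLIC_POLICY:
            findings.append(f"{url}: authentication policy is not Public")
        if authz.get(url) != PUBLIC_POLICY:
            findings.append(f"{url}: authorization policy is not Public")
    return findings


def demo():
    """Constructed scenario: /MyApp1 was left Protected for Authz."""
    tunneled = parse_tunneled_urls("/MyApp,MyApp1")
    authn = {"/MyApp": PUBLIC_POLICY, "/MyApp1": PUBLIC_POLICY}
    authz = {"/MyApp": PUBLIC_POLICY, "/MyApp1": PROTECTED_POLICY}
    return check_tunnel_policies(tunneled, authn, authz)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run the module directly to see the single finding for the constructed scenario; the same functions apply to the DCC case by passing "/oam" as the TunneledUrls value and the /oam resource's policy assignments.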

Isn't it correct to say OAM tunneling is a proxy?

Yes, it has limited proxy capability.

Tunneling vs Proxy?

In my opinion, you should go for tunneling if you have an integration environment of Oracle components like OAAM, OIM and OIF.

Go for a proxy if you have your own custom apps as the endpoint.

Monday, April 6, 2015

OAM 11g .NET Integration - Part 2

Why is it different from OAM 11g .NET Integration?

.NET application developers need not worry about handling roles and identity in their code. Authentication, authorization, session management and SSO are handled by the OAM infrastructure. This mode of deployment decouples application development from access management responsibilities. Isn't it cool?

How to integrate?

Prerequisite:

  1. OAM R2PS2 or higher, IIS 11g R2PS2 WebGate, OAM IISImpersonationModule.dll and ObPrincipalHttpModule.dll (optional).
  2. IIS 7.x or higher.
  3. A .NET application.
  4. Active Directory.

Integration Steps:

  1. Deploy the .NET application on the IIS site.
  2. Install and configure the OAM server and the OAM WebGate for IIS.
  3. Configure IISImpersonationModule.dll as a native module for the site hosting the .NET application.
  4. Add the SharePoint username and password to the OAM WebGate profile in the OAM admin console.
  5. Add an authorization policy success response that sets the HTTP header "IMPERSONATE" to $user.userid.
  6. [Optional] If you are going to use roles instead of identity, use ObPrincipalHttpModule.dll and set the configuration (web.config) as described in the previous post.
  7. Make sure that the IIS site -> Authentication -> Provider has ASP.NET Impersonation enabled.

I