Friday, November 25, 2011

Authentication Modules & how to configure one on Oracle Access Manager 11.1.1.5 (11g)

Authentication Modules & how to configure one on Oracle Access Manager 11.1.1.5 (11g) 
In Oracle Access Manager 11g, each authentication scheme requires an authentication module.

Default Authentication Modules Pages

In the Oracle Access Manager Administration Console, pre-configured authentication modules are organized with other system-level components under the System Configuration tab.
Only the following pre-configured authentication module types are allowed in an authentication scheme. However, new modules can be created of an existing type to use in authentication schemes. The default authentication modules are of following types:
  • Kerberos Authentication Module



  • LDAP Authentication Modules



  • X509 Authentication Module

     Creating a New Authentication Module
        To create a new Authentication Module, log in to OAM Administration Console, select
        System Configuration Tab, and expand Authentication Module. Select the desired
         module type and click on the Create button in toolbar.

    a.) LDAP Authentication Modules:Name: Unique Name to identify Authentication Module
    User Identity Store: The primary user identity store that contains the user credentials
    required for authentication by this module. LDAP store must be registered with OAM to
    appear in this list



    Press Apply button.
    b.) Kerberos Authentication Modules
    Name: Unique Name to identify Authentication Module
    Key Tab File: The full pathname to the encrypted, local, on-disk copy of the host's key,
    is required to authenticate the key distribution center (KDC).
    Principal: Identifies the HTTP host for the principal in the Kerberos database, which
    enables generation of a keytab for a host.
    KRB Config File: Identifies the path to the configuration file that controls certain aspects
    of the Kerberos installation. A krb5.conf file must exist in the /etc directory on each
    UNIX node that is running Kerberos.


     Press Apply Button
     c.) X509 Authentication Modules
    Name: Unique Name to identify Authentication Module
    Match LDAP attribute: Defines the LDAP distinguished name attribute to be used.
    X509 Cert Attribute: Defines the certificate attribute to be used to bind the public key.
    Cert Validation Enabled: Enables/Disables X.509 Certificate validation.
    OCSP Enable: Enables/Disables the Online Certificate Status Protocol.
    OCSP Server Alias: An aliased name for the OSCSP Responder.
    OCSP Responder URL: Provides the URL of the Online Certificate Status Protocol
    responder.
    OCSP Responder Timeout: Specifies the grace period for users with expired
    certificates, which enables them to access OAM Servers for a limited time before
    renewing the certificate.



    Press Apply.

    For questions, comments and feedback  please contact:
    Harvinder Singh Saluja






2 comments:

  1. Can you let us know how to do the same steps using WLST commands

    Regards,
    Karthiga

    ReplyDelete
    Replies
    1. Is there a way to create a custom Authentication Module using Restful commands or WLST?

      Delete

ForgeRock IAM : OpenDS (Open Directory Server). Importing LDIF files

The most efficient method of importing LDIF data is to take the OpenDJ server offline. Alternatively, you can schedule a task to import the ...