Install the Oracle Access Manager Assertion
The Oracle Access Manager custom assertion enables a CA API Gateway to delegate authentication and authorization to an Oracle Access Manager 10g or 11g server. This section describes how to install and configure the custom assertion on the Gateway. When configuration is complete, the Access Resource Protected by Oracle Access Manager Assertion appears in the Policy Manager, under both the Access Control and Custom Assertions palettes.
Before You Begin
Ensure that you have:
- A configured CA API Gateway, version 8.2 or higher
- A configured Oracle Access Manager
- Access to the installation files appropriate to your environment:
  - ssg-oracle-access-manager-<version>.i386.rpm (32-bit)
  - ssg-oracle-access-manager-<version>.x86_64.rpm (64-bit)
  Locate these files in the "CA API Gateway CustomAssertions" distribution archive.
- (10g OAM Server only) Access to the following compatibility library: compat-libstdc++-33-3.2.3-61.x86_64.rpm
Upgrading to OAM 11g?
If you formerly connected to an OAM 10g server and have now upgraded to an OAM 11g server, ensure that the "oam10g" configuration directory is empty before you connect to OAM 11g.
If there is configuration information that you want to preserve, rename the "oam10g" directory instead by following these steps:
# service ors stop
# cd /opt/SecureSpan/Gateway/runtime/modules/conf/
# mv oam10g oam10gbackup
Configuration for an OAM 10g Server Connection
The following steps are required to use the Oracle Access Manager custom assertion with an OAM 10g Server:
- Install the Assertion
- Add a System Property to Allow the Equals Character in the Server Cookie
- Configure the Connection to an OAM 10g Server
Install the Assertion
The Oracle Access Manager custom assertion can only be installed on 64-bit Linux systems, as the configuration requires 64-bit native libraries.
To install the custom assertion:
- Log in as ssgconfig and open a privileged shell from the Gateway configuration menu.
- Stop the Gateway:
  # service ssg stop
- Navigate to the location of the custom assertion installation files.
- If a previous version of the custom assertion exists, uninstall it first:
  # rpm -e ssg-oracle-access-manager-<version>
- Install the compatibility library:
  # rpm -Uvh compat-libstdc++-<version>.x86_64.rpm
  Example of the command in use:
  # rpm -Uvh compat-libstdc++-33-3.2.3-61.x86_64.rpm
- Install the assertion:
  # rpm -Uvh ssg-oracle-access-manager-<version>.x86_64.rpm
- Restart the Gateway:
  # service ssg start
The custom assertion now appears in the Policy Manager.
Add a System Property to Allow the Equals Character in the Server Cookie
To explicitly allow non-escaped equals characters in the server cookie:
- Locate and open the following file in a text editor:
  /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
- Add the following line:
  org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE = true
- Save and exit the file.
- Stop and restart the Gateway.
Configure the Connection to an OAM 10g Server
Use the configureAccessGate command to configure the access client as shown.
- First, change to the location of the command:
  # cd /opt/SecureSpan/Gateway/runtime/modules/conf/oam10g/oblix/tools/configureAccessGate
- Run the command as follows:
  # ./configureAccessGate -i /opt/SecureSpan/Gateway/runtime/modules/conf/oam10g -t AccessGate -w <Access Gate Name> -m <Security Mode> -c request -P <Password> -h <Access Server Host> -p <Port> -a <Access Server ID> -r <Global Access Protocol Passphrase>
  Example of the command in use:
  # ./configureAccessGate -i /opt/SecureSpan/Gateway/runtime/modules/conf/oam10g -t AccessGate -w ghssg-64 -m simple -c request -P 7layer -h oam10g.l7tech.com -p 6021 -a access-1 -r 7layer
Configuration for an OAM 11g Server Connection
The following instructions describe the installation and configuration required to use the Oracle Access Manager custom assertion with an OAM 11g Server.
Install the Assertion
To install the custom assertion:
- Log in as ssgconfig and open a privileged shell from the Gateway configuration menu.
- Stop the Gateway:
  # service ssg stop
- Navigate to the location of the custom assertion installation files.
- If a previous version of the custom assertion exists, uninstall it first:
  # rpm -e ssg-oracle-access-manager-<version>
- Run the appropriate command for your environment:
  # rpm -Uvh ssg-oracle-access-manager-<version>.i386.rpm
  # rpm -Uvh ssg-oracle-access-manager-<version>.x86_64.rpm
- Restart the Gateway:
  # service ssg start
The custom assertion now appears in the Policy Manager.
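Both "Install the Assertion" procedures on this page (the OAM 10g one, which adds the compatibility library and requires a 64-bit Gateway, and the OAM 11g one, which picks the 32-bit or 64-bit package) follow the same stop, remove, install, start sequence. The POSIX shell script below is an added example and not CA's own tooling: it runs that sequence with the checks a practitioner adds first, choosing the package from the host architecture, refusing the 10g combination on a 32-bit host, and removing a previous version only when rpm reports one installed. The package file names, service name and commands are those given on this page; the function names, the assumption that the installed package is named ssg-oracle-access-manager when queried with rpm -q, and the RPM, SERVICE and ARCH variables (which let the real commands be replaced by stub functions for a dry run) are this example's own.

```shell
#!/bin/sh
# Added example (not CA's own code): the install sequence from this page's
# "Install the Assertion" steps, with preflight checks. Package names and
# service commands are from the page; everything else is an assumption.
set -eu

: "${RPM:=rpm}"            # point at a stub function to dry-run
: "${SERVICE:=service}"
: "${ARCH:=$(uname -m)}"   # host architecture decides the package

# find_package DIR GLOB -> prints exactly one matching file, fails otherwise
# (the page writes the version as <version>; the glob finds the real file).
find_package() {
    dir=$1; pat=$2; n=0; found=""
    for f in "$dir"/$pat; do
        [ -e "$f" ] || continue
        n=$((n + 1)); found=$f
    done
    [ "$n" -eq 1 ] || { echo "expected one $pat in $dir, found $n" >&2; return 1; }
    echo "$found"
}

# package_suffix OAM_VERSION ARCH -> i386 | x86_64, or fails when unsupported.
# OAM 10g needs the 64-bit native libraries, so it is x86_64 only.
package_suffix() {
    case "$1/$2" in
        10g/x86_64|11g/x86_64) echo x86_64 ;;
        11g/i?86)              echo i386 ;;
        10g/*) echo "OAM 10g needs a 64-bit Gateway (this host is $2)" >&2; return 1 ;;
        *)     echo "unsupported combination: OAM $1 on $2" >&2; return 1 ;;
    esac
}

# install_oam_assertion OAM_VERSION PKG_DIR
# Resolves every file before stopping the Gateway, so a missing package
# cannot leave the service down; removes a previous version only if rpm
# reports one (assumed package name: ssg-oracle-access-manager).
install_oam_assertion() {
    oam=$1; dir=$2
    suffix=$(package_suffix "$oam" "$ARCH") || return 1
    pkg=$(find_package "$dir" "ssg-oracle-access-manager-*.$suffix.rpm") || return 1
    if [ "$oam" = 10g ]; then
        compat=$(find_package "$dir" "compat-libstdc++-*.x86_64.rpm") || return 1
    fi
    "$SERVICE" ssg stop
    if old=$("$RPM" -q ssg-oracle-access-manager 2>/dev/null); then
        "$RPM" -e "$old"
    fi
    if [ "$oam" = 10g ]; then
        "$RPM" -Uvh "$compat"
    fi
    "$RPM" -Uvh "$pkg"
    "$SERVICE" ssg start
}

# Usage, from the privileged ssgconfig shell:
#   . ./install_oam_assertion.sh && install_oam_assertion 10g /path/to/rpms
```

To rehearse the sequence without touching the host, define shell functions that log their arguments and export their names in RPM and SERVICE before calling install_oam_assertion; the package lookups and the architecture check then run for real while the destructive commands are only recorded.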
The default SSO session cookie name is ObSSOCookie. This is the same cookie name used with the 10g Server and may cause problems when attempting to connect to an 11g Webgate on an OAM 11g server. To change the name of the SSO session cookie:
- Locate and open the following file in a text editor:
  /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
- Add the following line:
  com.l7tech.custom.oam.cookie=<new cookie name>
  For example:
  com.l7tech.custom.oam.cookie=OAMAuthNCookie
- Save and exit the file.
- Stop and restart the Gateway.
Using a 10g Webgate on an OAM 11g server
By default, the Oracle Access Manager custom assertion is configured to use the OAM 11g server running the 11g Webgate (all security modes supported: Open/Simple/Cert). However, OAM 11g servers can also work with 10g Webgates.
To configure the assertion for use with an OAM 10g Webgate:
- Locate and open the following file in a text editor:
  /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
- Add the following line:
  com.l7tech.custom.oam.10g.webgate.used=true
- Save and exit the file.
- Restart the Gateway.
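The three system.properties procedures on this page (allowing the equals character in the server cookie, renaming the SSO session cookie, and enabling the 10g Webgate) each add one line to the same file. The POSIX shell functions below are an added example, not part of this documentation or of the Gateway's own tooling: set_property writes a key idempotently, replacing an existing line rather than appending a duplicate, and keeps a backup; get_property reads the value the way java.util.Properties resolves it. The file path, property names and values are those given above; the function names are this example's own, and the Gateway must still be restarted afterwards as the steps describe.

```shell
#!/bin/sh
# Added example (not CA's or Oracle's code): set a key in the Gateway's
# system.properties idempotently. Path and property names are from this page;
# the function names are this example's own.
set -eu

GATEWAY_PROPS=/opt/SecureSpan/Gateway/node/default/etc/conf/system.properties

# set_property FILE KEY VALUE
# Rewrites any existing "KEY=VALUE", "KEY = VALUE" or "KEY: VALUE" line as
# "KEY=VALUE" (collapsing duplicates to one line) or appends it when absent.
# java.util.Properties keeps the last occurrence of a repeated key, so stale
# duplicates make the effective setting hard to audit; this avoids them.
# A backup copy is kept, and the rewrite goes through "cat >" so the
# original file keeps its owner and mode. VALUE must not contain backslashes
# (awk -v interprets escape sequences).
set_property() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || touch "$file"
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # a match is the key followed by optional blanks and "=" or ":"
            if (index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*[=:]/) {
                if (!done) { print k "=" v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_property FILE KEY
# Prints the effective value (last occurrence wins, as Java does), or nothing.
get_property() {
    awk -v k="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, k) == 1) {
                rest = substr(line, length(k) + 1)
                if (rest ~ /^[ \t]*[=:]/) {
                    sub(/^[ \t]*[=:][ \t]*/, "", rest)
                    val = rest; seen = 1
                }
            }
        }
        END { if (seen) print val }
    ' "$1"
}

# The three settings this page documents, with the values it gives.
allow_equals_in_cookie() { set_property "$GATEWAY_PROPS" org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE true; }
set_oam_cookie_name()    { set_property "$GATEWAY_PROPS" com.l7tech.custom.oam.cookie "$1"; }   # e.g. OAMAuthNCookie
use_10g_webgate()        { set_property "$GATEWAY_PROPS" com.l7tech.custom.oam.10g.webgate.used true; }

# Usage: . ./oam_props.sh && set_oam_cookie_name OAMAuthNCookie
# then stop and restart the Gateway as the steps above describe.
```

The functions write "key=value" without the spaces shown in the equals-character step; Java's properties loader treats both forms identically, and the reader function above accepts either when checking what is in effect.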
Configure a Webgate
This section describes how to configure a Webgate for the access client (which is the Access Resource Protected by Oracle Access Manager Assertion).
There are two types of Webgates (10g and 11g) that can be registered via the OAM 11g Admin Console. The CA API Gateway supports all security modes (Open, Simple, Cert) for each type of Webgate.
Step 1: Register a Webgate
Copy the configuration files from the following table to the following directory on the Gateway:
/opt/SecureSpan/Gateway/runtime/modules/conf/oam11g
Note:
The “oam11g” in the above path refers to the OAM 11g server and it applies regardless of whether a 10g or 11g Webgate is in use.
| Webgate | Security Mode | Required Configuration Files |
| --- | --- | --- |
| 10g | Open | ObAccessClient.xml |
| 10g | Simple | ObAccessClient.xml, password.xml, oamclient-keystore.jks, oamclient-truststore.jks |
| 10g | Cert | ObAccessClient.xml, password.xml, oamclient-keystore.jks, oamclient-truststore.jks |
| 11g | Open | cwallet.sso, ObAccessClient.xml |
| 11g | Simple | cwallet.sso, ObAccessClient.xml, password.xml, oamclient-keystore.jks, oamclient-truststore.jks |
| 11g | Cert | cwallet.sso, ObAccessClient.xml, password.xml, oamclient-keystore.jks, oamclient-truststore.jks |
You can acquire the configuration files as follows:
- The following files are obtained from the OAM 11g Server from this directory: ${ORACLE_MIDDLE_WARE}/user_projects/domains/<domain_name>/output/<webgate_name>
  - ObAccessClient.xml
  - cwallet.sso
  - password.xml
- The following files are generated manually:
  - oamclient-keystore.jks
  - oamclient-truststore.jks
  For information on generating these files and creating keystores, refer to “Configuring and Deploying a Custom Access Client” on this page of the Oracle documentation: https://docs.oracle.com/cd/E27559_01/dev.1112/e27134/as_api.htm#AIDEV381
Step 2: Set File Permissions
Once the files are copied over to the Gateway directory, run the following commands to set the file permissions:
# cd /opt/SecureSpan/Gateway/runtime/modules/conf/oam11g/
# chmod 600 *
# chown gateway.gateway *
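Step 1 and Step 2 together define what the oam11g directory must contain for a given Webgate type and security mode, and how those files must be protected: password.xml and the two keystores hold the access client's credential and key material, which is why they get mode 600 and gateway ownership. The POSIX shell functions below are an added example, not CA's or Oracle's code: required_files reproduces the table above, and check_webgate_dir verifies that every required file is present with mode 600 and the expected owner, and flags files the table does not list for that combination (a leftover password.xml from an earlier mode, for instance). The directory path, file names, mode and owner are from this page; the function names and the optional OWNER argument (an empty value skips the ownership check) are this example's own.

```shell
#!/bin/sh
# Added example (not CA's or Oracle's code): verify the Webgate configuration
# directory against the table and the permissions from Step 2. Path, file
# names, mode and owner are from this page; function names are this example's.
set -eu

OAM11G_DIR=/opt/SecureSpan/Gateway/runtime/modules/conf/oam11g

# required_files WEBGATE_TYPE SECURITY_MODE
# Prints the files the table requires, one per line. Types: 10g, 11g.
# Modes: Open, Simple, Cert (case-insensitive). Fails on unknown input.
required_files() {
    wg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    mode=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$wg" in
        10g) ;;
        11g) echo cwallet.sso ;;
        *)   echo "unknown Webgate type: $1" >&2; return 2 ;;
    esac
    echo ObAccessClient.xml
    case "$mode" in
        open) ;;
        simple|cert)
            # credential and key material: the reason for the 600 mode below
            echo password.xml
            echo oamclient-keystore.jks
            echo oamclient-truststore.jks ;;
        *) echo "unknown security mode: $2" >&2; return 2 ;;
    esac
}

# check_webgate_dir DIR WEBGATE_TYPE SECURITY_MODE [OWNER]
# Returns 0 when every required file exists with mode 600 and is owned by
# OWNER (default "gateway", as in Step 2; pass "" to skip the owner check).
# Each problem is reported on stderr. Files in DIR that the table does not
# list for this combination are noted but do not fail the check.
check_webgate_dir() {
    dir=$1; wg_type=$2; sec_mode=$3; owner=${4-gateway}
    files=$(required_files "$wg_type" "$sec_mode") || return 2
    files=$(printf '%s' "$files" | tr '\n' ' ')
    rc=0
    for f in $files; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "missing: $path" >&2; rc=1; continue
        fi
        # POSIX find: -perm 600 matches the exact mode, -user the owner name
        if [ -n "$owner" ]; then
            ok=$(find "$path" -perm 600 -user "$owner" 2>/dev/null) || ok=""
        else
            ok=$(find "$path" -perm 600 2>/dev/null) || ok=""
        fi
        if [ -z "$ok" ]; then
            echo "wrong mode or owner (want 600${owner:+ $owner}): $path" >&2; rc=1
        fi
    done
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        case " $files " in
            *" ${path##*/} "*) ;;
            *) echo "note: not in the table for $wg_type/$sec_mode: $path" >&2 ;;
        esac
    done
    return $rc
}

# Usage: check_webgate_dir "$OAM11G_DIR" 11g Simple && echo "oam11g directory OK"
```

Run the check after Step 2 and before restarting the services in Step 3; a non-zero return means either a file from the table is missing or a credential file is readable by someone other than the gateway account.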
Step 3: Restart Gateway and ORS Service
Restart the Gateway with this command:
# service ssg restart
Restart the ORS Service with these commands:
# service ors stop
# service ors start
Run the OAM RMI Service
The OAM RMI Service (“ors”) must be run before the Access Resource Protected by Oracle Access Manager Assertion is executed in a service policy. This applies regardless of the security mode in use or the OAM server version.
Prerequisite: Ensure that the Access Resource Protected by Oracle Access Manager custom assertion has been installed (see “Install the Assertion”).
How to use the OAM RMI Service:
- To run the OAM RMI Service, run this command from the Linux console:
  # service ors start
- To stop the OAM RMI Service, run this command:
  # service ors stop
- To restart the OAM RMI Service, run this command:
  # service ors restart
It does not matter whether the OAM RMI Service is run before or after the Gateway service.
The OAM RMI Service generates a log file that contains OAM ASDK runtime details. The log file is located here:
/opt/SecureSpan/Gateway/node/default/var/logs/ors.log