Oracle Access Manager Integration
Contents
1. [Screenshot: WebLogic Server Administration Console, Summary of Servers page (AdminServer and managed servers listed; System Status: Health of Running Servers)]
6. Now the Admin Server and OAM servers are SSL enabled. Restart both servers.
2-8 ORACLE
2.5.3 Configuring SSL Mode in Oracle Internet Directory
To enable SSL for the OID LDAP server, follow the steps below:
1. Log in to the Enterprise Manager Console of the domain with which Oracle Internet Directory is associated.
[Screenshot: Oracle Enterprise Manager 11g Fusion Middleware Control, Farm_base_domain > Oracle Internet Directory (oid1) home page, showing Load (Total LDAP Connections) and General Information; page refreshed February 15, 2013]
2. [Screenshot: FLEXCUBE user maintenance screen, lower section (Invalid Logins, Cumulative Password, Password Changed On, Amount Limits, Restricted Passwords, Roles, Functions, Branches, Disallowed Functions; Record Status Open, Authorization Status Authorized)]
2.7.3 Launching FLEXCUBE
After setting up FLEXCUBE to work in Single Sign-on mode, navigate to the URL https://<hostname>:<OHS SSL Port>/<Context Root> from your browser, e.g. https://ofss00001.in.oracle.com:4443/FCISNeoWeb. Since the resource is protected, the WebGate challenges the user for credentials as shown below.
2.7.3.1 Basic Style Challenge by Webgate
[Screenshot: Mozilla Firefox "Authentication Required" dialog while connecting to ofss220223.in.oracle.com: "A username and password are being requested by https://ofss220223.in.oracle.com:14101. The site says: OAM 11g"; User Name nvemban]
2.7.3.2 Form Style Challenge by Webgate
[Screenshot: Login - Oracle Access Management 11g page in Mozilla Firefox, served from https://ofss220223.in.oracle.com:14101/oam/server/obrareq.cgi]
3. [Screenshot: Bank Parameters Maintenance screen, lower section (Lodgement Numbers Unique For Branch, TRS Detail Preferences, Account Mask, Field Properties; Maker and Checker Date Time, Mod No 229, Record Status Open, Authorization Status)]
2.7.1.2 Parameters Maintenance (IS)
There is no such screen to maintain the SSO Enabled parameter in FLEXCUBE Investor Servicing.
2.7.2 Maintaining LDAP DN for FLEXCUBE users
For each user id in FLEXCUBE, a user has to be created in the LDAP. When creating the user in LDAP, ensure that the DN used is the same as the LDAP DN value that will be updated in the user maintenance form. Once the user is created in LDAP, go to the user maintenance form in FCIS. If the FCIS user already exists, then unlock the user and update the LDAP DN value which was set when creating the user in LDAP. Click on the Validate button to check whether any other user has the same LDAP DN value. The LDAP DN value should be entered as the complete DN value, e.g. cn=FCUSR,cn=Users,dc=oracle,dc=com.
[Screenshot: FLEXCUBE IS User Admin screen: User Identification FCISUSER, Language ENG, Classification Staff, Name FCIS User, Home Branch 000, Home Module FMG, LDAP DN cn=FCUSR,cn=Users,dc=..., Debug Window Enable, Number Format, User Status Enabled]
4. [Screenshot: Oracle Enterprise Manager 11g Fusion Middleware Control, Oracle Internet Directory (oid1) home page: Operations Completed, Operations in Progress, Port Usage, Security (Failed Bind Operations, Failed Super User Logins, Successful Super User Logins), Server Response (ms), Total Operations, CPU Utilization (%) and Memory Utilization (%); logged in as weblogic, host padsrini-pc, page refreshed Feb 15, 2013 4:35:59 PM IST]
[Screenshot: WebLogic Domain > Wallets page: A wallet is a keystore that stores X.509 certificates and private keys in industry-standard PKCS#12 format. To create a wallet click Create; to create a wallet with a self-signed certificate click Create Self-Signed; to manage the contents of a wallet select it and click Manage. Actions: Create, Delete, Create Self-Signed Wallet, Import, Export, Manage; page refreshed Feb 15, 2013 4:39:54 PM IST]
3. Enter the details as below and click OK.
[Screenshot: Create Self-Signed Wallet dialog in Oracle Enterprise Manager 11g Fusion Middleware Control, with the Auto-login option]
5. distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.
6. it shall always refer to Oracle FLEXCUBE Investor Servicing.
Oracle Access Manager
LDAP: Lightweight Directory Access Protocol
1.4 Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
1.5 Organization
This manual is organized into the following chapters:
Chapter 1, Preface, gives information on the intended audience. It also lists the various chapters covered in this User Manual.
Chapter 2, Enabling Single Sign-on (SSO) with Oracle Access Manager, discusses the method to integrate Oracle FLEXCUBE with Oracle Access Manager for Single Sign-on.
1.6 Glossary of Icons
This User Manual may refer to all or some of the following icons:
[Icon table: Delete row; Option List]
1.6.1 Related Documents
You may refer to the following manual for more information:
• Oracle Access Manager User Manual (not included with Oracle FLEXCUBE User Manuals)
2. Enabling Single Sign-on with Oracle Access Manager
2.1 Introduction
For the purpose of single sign-on, FLEXCUBE is qualified with Oracle Identity Management 11.1.2 (Fusion Middleware 11gR2), specifically using the Access Manager component of Oracle Identity Management. This feature is available in FLEXCUBE since release FC IS V UM 7.3.0.0.0.0.0. This document provides an understanding as to
7. [Screenshot: Manage Certificates page (continued): a trusted certificate valid August 13, 1998 to August 14, 2018 (1024-bit); OU=Class 2 Public Primary Certification Authority,O=VeriSign Inc: Trusted Certificate, Valid, 1024, January 29, 1996 to August 2, 2028; OU=Class 1 Public Primary Certification Authority,O=VeriSign Inc,C=US: Trusted Certificate, Valid, 1024, January 29, 1996 to January 8, 2020]
8. Click Change SSL Settings.
[Screenshot: Oracle Enterprise Manager 11g Fusion Middleware Control, Oracle Internet Directory Server Properties page: Maximum number of entries to be returned by a search 10000; Maximum time allowed for a search to complete; Preserve Case of Required Attribute Name specified in Search Request; Anonymous Bind: Disallow except for Read Access on the root DSE; Maximum time allowed in a Transaction (sec) 0; Maximum Number of Operations allowed in a Transaction 0; Port Numbers: Non-SSL Port 3960, SSL Port 3131]
9. Select the Wallet, SSL Authentication as Server Authentication, Cipher Suite and SSL Protocol Version as below and click OK.
2.5.3.1 Import LDAP Server SSL Certificate into OAM Server
[Screenshot: Oracle Enterprise Manager 11g Fusion Middleware Control, Farm_base_domain > Oracle Internet Directory (oid1), with the information message "All changes made in this page require a server restart to take effect"; logged in as weblogic, host padsrini-pc, page refreshed Feb 15, 201]
8. Enter Private Key Alias, the same as the alias name entered in step 3.2.1.1. Enter Private Key Passphrase and Confirm Private Key Passphrase, the same as the Private Key Password entered in step 3.2.1.1. Change the Hostname Verification to None. Click on Save.
[Screenshot: Oracle WebLogic Server Administration Console, Settings for AdminServer, Configuration > SSL tab (connected to iam_domain as weblogic; configuration editing is enabled). This page lets you view and define various Secure Sockets Layer (SSL) settings for this server instance; these settings help you to manage the security of message transmissions. Identity and Trust Locations: Keystores, which indicates where SSL should find the server's identity certificate and private key, as well as the server's trust (trusted CAs)]
9. Identity Keystore and Custom Trust Keystore, the same as the Keystore Name created in step 3.2.1.1, with the full path. Enter Custom Identity Keystore Type and Custom Trust Keystore Type as jks. Enter Custom Identity Keystore Passphrase, Confirm Custom Identity Keystore Passphrase, Custom Trust Keystore Passphrase and Confirm Custom Trust Keystore Passphrase, the same as the Store Password entered in step 3.2.1.1. Click on Save.
[Screenshot: Oracle WebLogic Server Administration Console, Settings for AdminServer, Configuration > Keystores tab (connected to iam_domain as weblogic), with the keystore path /scratch/app/fmw115/oam1115/BaseKeyStore/AdminFlexcubeKeyStore.jks; "How do I" links: Configure identity and trust, Configure keystores, Set up SSL]
10. Server to work in SSL mode. Use the orapki tool to import the Flexcube and OAM Server certificates into the Oracle HTTP Server wallet. Add <ORACLE_MIDDLEWARE>/oracle_common/bin to the PATH environment variable and also set the JAVA_HOME environment variable. Execute the below command in the command line:
orapki wallet add -wallet <ORACLE_MIDDLEWARE>/<ORACLE_WEBTIER_HOME>/instances/instance1/config/OHS/ohs1/keystores/default -trusted_cert -cert <exported certificate file name with location>.cer -auto_login_only
Note: The certificate has to be imported into the OHS wallet.
2.6.5.4 Configuring mod_wl_ohs for Oracle HTTP Server Routing
To enable the Oracle HTTP Server instances to route to applications deployed on the Oracle WebLogic Server, add the directive shown below to the mod_wl_ohs.conf file available in <ORACLE_MIDDLEWARE>/<ORACLE_WEBTIER_HOME>/instances/instance1/config/OHS/ohs1:
<Location /FCJNeoWeb>
    SetHandler weblogic-handler
    WebLogicHost ofss00002.in.oracle.com
    WebLogicPort 7002
    WLProxySSL ON
    SecureProxy ON
    WLSSLWallet <ORACLE_MIDDLEWARE>/<ORACLE_WEBTIER_HOME>/instances/instance1/config/OHS/ohs1/keystores/default
</Location>
Note: In the above example, ofss00002.in.oracle.com is the server name where the Flexcube application is deployed, 7002 is the SSL port and FCJNeoWeb is the context root of the FLEXCUBE application.
2.6.5.5 Verify the Webgate 11g Agent Created
After configuring the webgate 11g agent, launch the U
11. [Screenshot: Oracle Access Manager "Register" page in Windows Internet Explorer: Select Your Security Questions & Answers, with questions such as "Where did you get your first pet?", "What is the name of the first musical group you saw in concert?", "What color was your first pet?", "What was the first name of your first boss?" and "Who is your favorite athlete?"; page /oam/pages/oaam/handleRegisterQuestions.jsp]
Post First Login
[Screenshot: Login - Oracle Access Management 11g in Windows Internet Explorer, Oracle Access Manager page]
[Screenshot: Oracle Access Manager Challenge page in Windows Internet Explorer]
12. how single sign-on can be enabled for a FLEXCUBE deployment using Oracle Fusion Middleware 11gR2. In addition to providing a background to the various components of the deployment, this document also talks about the configuration to be done in FLEXCUBE and Oracle Access Manager to enable single sign-on using Oracle Internet Directory as the LDAP server.
2.2 Background and Prerequisites
2.2.1 Software Requirements
Oracle Identity and Access Management 11g R2 (11.1.2.2.0)
• Oracle Access Manager 11.1.2.2.0
• Oracle Fusion Middleware Web Tier Utilities 11g Patch Set 6 (11.1.1.7.0) > Oracle HTTP Server
• Oracle Access Manager OHS 11gR2 WebGates 11.1.2.2.0
• Oracle Access Manager patch sets 18333689, 19269297, 18662903
• Optional: Oracle Adaptive Access Manager 11.1.2.2.0 (Strong Authentication purpose only)
Note: In case of a java.security.InvalidKeyException: Illegal key size error in the Admin Server while starting the OAM Server based applications, refer to Oracle Support Document ID 1901181.1.
LDAP Directory Server
Please make sure that the LDAP server to be used for the FLEXCUBE Single Sign-on deployment is certified to work with OAM. A list of a few LDAP directory servers supported as per the OAM document follows (note that this is an indicative list; the conclusive list can be obtained from the Oracle Access Manager documentation; we have only used OID for our testing purposes):
• Oracle Internet Directory
• Active Directory
• ADAM
• ADSI
• D
13. [Screenshot: WebLogic Server Administration Console, Settings for AdminServer, General tab (continued): SSL Listen Port (the TCP/IP port at which this server listens for SSL connection requests); a setting specifying whether the HttpClusterServlet proxies the client certificate in a special header; Java Compiler (the Java compiler to use for all applications hosted on this server that need to compile Java code); Diagnostic Volume (the volume of diagnostic data automatically produced by WebLogic Server at run time; the WLDF diagnostic volume setting does not affect explicitly configured diagnostic modules; for example, this controls the volume of events generated for JRockit Flight Recorder); Advanced: Virtual Machine Name iam_domain_AdminSe (when WLS is running on JRVE, the name of the virtual machine running this server); WebLogic Plug-In Enabled (whether this server uses the proprietary WL-Proxy-Client-IP header, which is recommended if the server instance will receive requests from a proxy plug-in)]
2.5.2.3 Follow the steps in the Keystores tab as shown below:
1. Click Change and select Keystores as Custom Identity and Custom Trust.
2. Click on Save.
Keystores as Custom Identity and Custom Trust is as suggested by the Oracle Support Team.
[Screenshot: Oracle WebLogic Server Administration Console, Settings for AdminServer, Keystores tab]
14. [Screenshot: OAM Test Tool status messages (continued):
1/11/13 5:34 PM [response] Credentials expected: 0x1 (basic)
1/11/13 5:34 PM [request] authenticate: yes
1/11/13 5:34 PM [response] User DN: cn=SARAN,cn=users,dc=oracle,dc=com
1/11/13 5:34 PM [response] SessionId: (illegible)
1/11/13 5:34 PM [response] action: (illegible)
1/11/13 5:34 PM [request] authorize: yes
Elapsed (illegible); Capture Q: Empty]
2.7 First launch of FLEXCUBE after installation
After installing FLEXCUBE and launching it for the first time, the normal login screen with user id and password will appear. This is because the bank parameter maintenance will have the value for sso_installed set to N by default during installation.
2.7.1 Parameter Maintenance
2.7.1.1 Bank Parameter Maintenance (IS)
To enable SSO in FLEXCUBE IS, log in to the application and enable the SSO Enabled check box in the Bank Maintenance (SMDBANKP) screen.
[Screenshot: Bank Parameters Maintenance screen: Bank Code 000, Bank Name Bank Futura, Head Office Branch Code 000, Branch Description Bank Futura; Financial Preferences; Format Mask (Year End Profit and Loss GL Mask, General Ledger Mask); Transaction Code; Spread General Ledger; Purge Days; Spread Application Both Legs; Spool Files Purge Days; Inter Pay Lead Days; Cheque Numbering Details (Checksum Algorithm Scheme, Automatic Cheque Number Mask)]
15. [Screenshot: Oracle Enterprise Manager, Oracle Internet Directory SSL Configuration page (page refreshed 4:55:50 PM IST): Enable SSL checked; Server Wallet Name oidselfsigned (not required for no-auth mode but needed in other modes); Advanced SSL Settings, Server SSL properties: SSL Authentication: Server Authentication; cipher suites: SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA; SSL Protocol Version: All]
10. Click Apply.
[Screenshot: Oracle Enterprise Manager 11g Fusion Middleware Control, Oracle Internet Directory Server Properties page (General, Performance, SASL, Statistics, Logging tabs): Server Mode Read/Write; Maximum number of entries to be returned by a search; Maximum time allowed for a search to complete (sec); Preserve Case of Required Attribute Name specified in Search Request; Anonymous Bind: Disallow except for Read Access on the root DSE; Maximum time allowed in a Transaction (sec); Maximum Number of Operations allowed in a Transaction; Port Numbers: Non-SSL Port 3960, SSL Port 3131]
We have to import the LDAP Server certificate file into the OAM server's JAVA_HOME/jre/lib/security/cacerts. The default password is ch
16. Enabled.
2. Click on Save.
[Screenshot: Oracle WebLogic Server Administration Console, Settings for AdminServer, Configuration > General tab (iam_domain > Environment > Servers). Use this page to configure general features of this server such as default network communications: Name (an alphanumeric name for this server instance); Machine (the WebLogic Server host computer on which this server is meant to run); Cluster (the cluster or group of WebLogic Server instances to which this server belongs); Listen Address (the IP address or DNS name this server uses to listen for incoming connections); Listen Port Enabled (whether this server can be reached through the default plain-text, non-SSL listen port); Listen Port (the default TCP port that this server uses to listen for regular, non-SSL incoming connections); SSL Listen Port Enabled (whether the server can be reached through the default SSL listen port)]
17. Oracle Access Manager Integration
Oracle FLEXCUBE Investor Servicing
Release 12.0.4.0.0
September 2014
ORACLE FINANCIAL SERVICES
Table of Contents
1. Preface ... 1-3
1.1 Introduction ... 1-3
1.2 [heading illegible] ... 1-3
1.3 Abbreviations ... 1-3
1.4 Documentation Accessibility ... 1-3
1.5 Organization ... 1-3
1.6 Glossary of Icons ... 1-3
1.6.1 Related Documents ... 1-4
2. Enabling Single Sign-on with Oracle Access Manager ... 2-1
2.1 Introduction ... 2-1
2.2 Background and Prerequisites ... 2-1
2.2.1 Software Requirements ... 2-1
2.3 Background of SSO Related Components ... 2-2
2.3.1 Oracle Access Manager (OAM) ... 2-2
2.3.2 LDAP Directory Server ... 2-2
2.3.3 [heading illegible] ... 2-2
2.3.4 Oracle Adaptive Access Manager ... 2-3
2.4 [heading illegible] ... 2-3
2.4.1 [heading illegible] ... 2-3
2.5 Enabling SSL for WebLogic and OAM Console ... 2-3
2 Se
18. RL https://<hostname>:<ohs_Port>/ohs/modules/webgate.cgi?progid=1 to verify whether the webgate configuration is working fine. If the URL launches a screen as below, then the webgate configuration is working fine.
Note: To enable this option, refer to Oracle Doc ID 1624131.1.
2.6.5.6 Using OAM Test Tool
This step is not mandatory. There is a test tool provided in the OAM software which helps us to check the response parameter values. The test tool is available in <OAM Install Dir>/oam/server/tester, for eg. D:\weblogic\Middleware\Oracle_IDM1\oam\server\tester. Use java -jar oamtest.jar to launch the OAM test tool.
[Screenshot: Oracle Access Manager Test Tool: Server Connection (IP Address, Port, Max Conn, Primary/Secondary Agent, Min Conn, Timeout, Global Passphrase); Protected Resource URI (scheme https, host FlexcubeWebgate, resource /FCINeoWeb, operation Get; Validate and Get Auth Scheme buttons); User Identity (IP Address, Username SARAN, Password, User Certificate; Authenticate button); Status Messages:
1/11/13 5:33 PM [response] Connected to primary access server
1/11/13 5:34 PM [request] validate: yes
1/11/13 5:34 PM [response] Authentication scheme: FlexcubeAuthnScheme, level 1
1/11/13 5:34 PM [response] Redirect URL: https://ofss220028.in.oracle.com:14101/oam/server]
19. [Screenshot: WebLogic Domain > Wallets page: A wallet is a keystore that stores X.509 certificates and private keys in industry-standard PKCS#12 format. To create a wallet click Create; to create a wallet with a self-signed certificate click Create Self-Signed; to manage the contents of a wallet select it and click Manage. Actions: Create, Delete, Create Self-Signed Wallet, Import, Export, Manage]
5. Select the Trusted Certificate and click Export.
[Screenshot: Oracle Enterprise Manager 11g Fusion Middleware Control, Farm_base_domain > Oracle Internet Directory, Wallets > Manage Certificates (oidselfsigned); logged in as weblogic, host padsrini-pc, page refreshed Feb 15, 2013 4:45:58 PM IST. To generate a certificate signing request (CSR) click Add Certificate Request. After you create a CSR, send it to your CA, who will verify your identity and return the signed certificate. To import the CA-signed certificate or a trusted certificate click Import. You can only import the CA-signed certificate into the same wallet from which the CSR was generated. Actions: Add Certificate Request, Import, Export, Delete]
20. [Screenshot: form-style login page (continued): Oracle Access Manager, "Enter your Single Sign-On credentials below"; Username nvemban; Password]
2.7.3.3 KBA Based Strong Authentication Challenge by Webgate (Only when OAAM is used)
[Screenshot: Login - Oracle Access Management 11g in Mozilla Firefox, served from https://ofss220223.in.oracle.com:14101/oam/server/obrareq.cgi: "Welcome. Enter your Single Sign-On credentials below"; Username nvemban]
First Time Login
[Screenshot: Login - Oracle Access Management 11g in Windows Internet Explorer: Oracle Access Manager Password and Security Device Image page]
[Screenshot: Oracle Access Manager Register page in Windows Internet Explorer]
21. [Screenshot: Manage Certificates page (continued)]
Subject Name | Certificate Type | Status | Key Size | Start Date | Expiration Date
CN=padsrini-pc,OU=OFSS,O=Oracle,L=Chennai,ST=TN,C=IN | Certificate Request | | 2048 | |
CN=padsrini-pc,OU=OFSS,O=Oracle,L=Chennai,ST=TN,C=IN | Certificate | Valid | 2048 | February 15, 2013 | February 14, 2018
OU=Class 3 Public Primary Certification Authority,O=VeriSign Inc,C=US | Trusted Certificate | Valid | | January 29, 1996 | August 2, 2028
CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions Inc,O=GTE Corporation,C=US | Trusted Certificate | Valid | | August 13, 1998 | August 14, 2018
CN=padsrini-pc,OU=OFSS,O=Oracle,L=Chennai,ST=TN,C=IN | Trusted Certificate | Valid | | February 15, 2013 | February 14, 2018
OU=Class 2 Public Primary Certification Authority,O=VeriSign Inc,C=US | Trusted Certificate | Valid | | January 29, 1996 | August 2, 2028
OU=Class 1 Public Primary Certification Authority,O=VeriSign Inc,C=US | Trusted Certificate | Valid | | January 29, 1996 | January 8, 2020
6. Click Export Trusted Certificate and save the certificate file.
[Screenshot: export dialog: The Trusted Certificate with Subject Name CN=padsrini-pc,OU=OFSS,O=Oracle,L=Chennai,ST=TN,C=IN is shown below. You can cut and paste the entire text in the box from BEGIN CERTIFICATE to END CERTIFICATE to the intended location, or click Export Trusted Certificate to export the certificate to a file. You may want to do this if another
22. [Screenshot: Oracle Access Management console, Server Instances > oam_server1. Confirmation: OAM Server instance oam_server1 modified successfully. Server Name oam_server1; Host ofss220223.in.oracle.com; Port 14101; OAM Proxy: Proxy Server Id, Port 5575, Mode Simple; Coherence Configuration: Log Level 3, Local Port 9095, Log Limit 4096. Confirm Edit dialog: "OAM Server instance oam_server1 might be in use. Are you sure you want to edit it?"]
5. Click on Create 11g Webgate under Access Manager.
[Screenshot: Oracle Access Management Launch Pad: Quick Start Wizards (Application Registration, SSO Agent Registration); Access Manager (Application Domains, Authentication Schemes, Resource Types, Host Identifiers, Sessions, Plug-ins, Password Policy) with Create links for Application Domain, Application, Resource Type, Host Identifier, LDAP/Kerberos/X509/Custom Authentication Module, Authentication Scheme, 11g Webgate and 10g Webgate; Identity Federation (Identity Provider Administration, Service Provider Administration); Security Token Service (Partners, Partner Profiles, Endpoints, Custom Tokens); Mobile and Social (Access Portal Service, Mobile Services)]
23. ager and the LDAP server have been installed already and the requisite setup is already done with respect to connecting the two, along with WebLogic's Identity Asserter.
2.5 Enabling SSL for WebLogic and OAM Console
2.5.1 Self-signed Certificate Creation
To enable SSL mode, WebLogic requires a keystore which contains private and trusted certificates. We have to use the same version of the JDK which is used by the WebLogic domain to create the keystore and certificates; otherwise it may lead to many difficulties (as suggested by Oracle Support). The keytool utility available in the Java JDK will be used to create the keystore. In the command prompt, set PATH to the JDK bin location. Follow the steps below to create the keystore and self-signed certificates.
2.5.1.1 Keystore Creation
keytool -genkey -keystore <keystore_name.jks> -alias <alias name> -dname "CN=<hostname>,OU=<Organization Unit>,O=<Organization>,L=<Location>,ST=<State>,C=<Country_Code>" -keyalg <Key Algorithm> -sigalg <Signature Algorithm> -keysize <key size> -validity <Number of Days> -keypass <Private key Password> -storepass <Store Password>
For example:
keytool -genkey -keystore AdminFlexcubeKeyStore.jks -alias FlexcubeCert -dname "CN=ofss00001.in.oracle.com,OU=OFSS,O=OFSS,L=Chennai,ST=TN,C=IN" -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -validity 3650 -keypass "Password 123" -storepass "Password 123"
Note: CN=ofss00001.in.oracle.com is th
24. [Screenshot: WebLogic Server Administration Console, SSL tab, Advanced settings (continued): ...ame Verifier (the name of the class that implements the weblogic.security.SSL.HostnameVerifier interface); Export Key Lifespan 500 (the number of times WebLogic Server can use an exportable key between a domestic server and an exportable client before generating a new key; the more secure you want WebLogic Server to be, the fewer times the key should be used before generating a new key); Use Server Certs (sets whether the client should use the server certificate's key as the client]
5. Select OAM Server to enable SSL options and repeat the steps performed in 2.2.2.2 to 2.2.2.5.
[Screenshot: Oracle WebLogic Server Administration Console, iam_domain > Environment > Servers > Summary of Servers (connected as weblogic; configuration editing is enabled). A server is an instance of WebLogic Server that runs in its own Java Virtual Machine (JVM) and has its own configuration. This page summarizes each server that has been configured in the current WebLogic Server domain.]
25. angeit. For eg:
[Screenshot: Oracle Enterprise Manager, Change SSL Settings page, confirmation "SSL configuration updated for Farm_base_domain/asinst_1/oid1. Restart component for this change to be effective."; logged in as weblogic, host padsrini-pc, page refreshed Feb 15, 2013 4:56:40 PM IST; Apply and Revert buttons]
keytool -import -v -trustcacerts -alias ldapcacert -file ldap_server_certificate.cer -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
Restart both the OID and OAM servers.
2.6 Configuring SSO in OAM Console
After installing OAM, Webtier Utilities and Webgate, extend the WebLogic domain to create the OAM server. Follow the post-installation scripts deployWebGate and EditHttpConf as provided in http://docs.oracle.com/cd/E37115_01/install.1112/e38922/webgate_ohs.htm#CACDEJAD.
Refer to Oracle Support Document ID 1678062.1 before configuring Webgate against Oracle HTTP Server.
2.6.1 Identity Store Creation
1. To create a new User Identity Store, log in to the OAM Console and click User Identity Stores under Configuration.
[Screenshot: Oracle Access Management Launch Pad: Identity Federation (Identity Provider Administration, Service Provider Administration); Mobile and Social (Mobile Services, OAuth Service, Social Identity); Configuration (Available Services, Common Settings, User Identity Stores)]
26. • Oracle Virtual Directory
• IBM Directory Server
• NDS
• Sun Directory Server
Oracle WebLogic 10.3.6
For the purpose of achieving single sign-on for FLEXCUBE in FMW 11gR2, it is necessary for the WebLogic instance to have an explicit Oracle HTTP Server (OHS) in front of it.

2.3 Background of SSO-related components
2.3.1 Oracle Access Manager (OAM)
Oracle Access Manager consists of the Access System and the Identity System. The Access System secures applications by providing centralized authentication, authorization and auditing to enable single sign-on and secure access control across enterprise resources. The Identity System manages information about individuals, groups and organizations. It enables delegated administration of users as well as self-registration interfaces with approval workflows. These systems integrate seamlessly.
The backend repository for the Access Manager is an LDAP-based directory service, which can be a combination of multiple directory servers, and is used for two main purposes:
• As the store for policy configuration and workflow-related data, which is used and managed by the Access and Identity Systems.
• As the identity store containing the user, group and organization data that is managed through the Identity System and is used by the Access System to evaluate access policies.
2.3.2 LDAP Directory Server
To integrate Flexcube with OAM to achieve Single Sign-on f
27. Confirmation: Authentication Scheme FlexcubeFormOAMScheme created successfully.
Name: FlexcubeFormOAMScheme
Description: Form Based SSO Login for FLEXCUBE
Challenge Method: FORM
Challenge Redirect URL: /oam/server
Authentication Module: FlexcubeAuthnModule
Challenge URL: /pages/login.jsp
Context Type: default
Context Value: /oam
Challenge Parameters: ssoCookie=Secure

2.6.3.3 KBA Based Strong Authentication Scheme (only in case OAAM is used)
Enter the below details and click Apply:
Name: name of the Authentication Scheme
Authentication Level: 2
Challenge Method: FORM
Challenge Redirect URL: /oam/server
Authentication Module: refer to the section Creating Authentication Module of this document
Challenge URL: /pages/oaam_login.jsp
Context Type: default
Context Value: /oam
Challenge Parameters: oaamPostAuth=tr
Confirmation: Authentication Scheme FlexcubeKBAOAAMScheme created successfully (Description: OAAM KBA Based Strong SSO Login for FLEXCUBE; Authentication Level 2; Challenge Method FORM; Challenge Redirect URL /oam/server; Authentication Module FlexcubeAuthnModule; Challenge URL /pages/oaam_login.jsp; Context Type default; Context Value /oam).
Note: the authentication level is what lets OAM step a user up. A session established at level 1 (the BASIC scheme) cannot reach a resource protected at level 2 without re-authenticating through this scheme, so keep the levels distinct rather than equal.
28. (WebLogic Server Administration Console, Summary of Servers for iam_domain: AdminServer (admin), oam_server1 and oim_server are listed; System Status shows Failed 0, Critical 0, Overloaded 0, Warning 0.)
2.5.2.2 Follow the steps in the General tab as shown below
1. Select SSL Listen Port Enabled, Client Cert Proxy Enabled, WebLogic Plug-In
Note: Client Cert Proxy Enabled makes WebLogic accept the client certificate forwarded by the proxy plug-in in the WL-Proxy-Client-Cert header. Only enable it when every path to the managed server passes through the OHS plug-in; a client that can reach the server port directly could otherwise supply that header itself.
29. the Host Name of the WebLogic server.
2.5.1.2 Export the certificate (keytool -export writes the public certificate for the key pair; the private key never leaves the keystore):
    keytool -export -v -alias <alias name> -file <export certificate file name with location>.cer -keystore <keystore name>.jks -keypass <Private key Password> -storepass <Store Password>
For example:
    keytool -export -v -alias FlexcubeCert -file AdminFlexcubeCert.cer -keystore AdminFlexcubeKeyStore.jks -keypass Password123 -storepass Password123
If successful, the following message is displayed: Certificate stored in file <AdminFlexcubeCert.cer>
2.5.1.3 Import as trusted certificate:
    keytool -import -v -trustcacerts -alias rootcacert -file <export certificate file name with location>.cer -keystore <keystore name>.jks -keypass <Private key Password> -storepass <Store Password>
For example:
    keytool -import -v -trustcacerts -alias rootcacert -file AdminFlexcubeCert.cer -keystore AdminFlexcubeKeyStore.jks -keypass Password123 -storepass Password123
References: Oracle Support Articles Article ID 1281035.1 and Article ID 1218695.1, for certificates issued by trusted authorities.
Note: passing -keypass and -storepass on the command line leaves the passwords in shell history and in the process list; keytool prompts for them when they are omitted. The same JKS file serves here as both identity and trust keystore, so restrict it to the WebLogic OS user.

2.5.2 Configuring WebLogic Console
After domain creation, follow the below steps to enable SSL on the WebLogic Admin Server and the OAM Server.
2.5.2.1 Select the Admin Server to enable its SSL options.
(WebLogic Server Administration Console, Summary of Servers page, logged in as weblogic.)
30. feature, Flexcube's password policy management (password syntax, password expiry parameters and so on) will no longer be handled by Flexcube. Instead, password policy management can be delegated to the Directory Server. All password policy enforcement applies to the LDAP user ID's password and NOT to the Flexcube application user's password.

2.3.3 WebGate / AccessGate
A WebGate is a Web server plug-in that is shipped out of the box with Oracle Access Manager. The WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for authentication and authorization. Whether you need a WebGate or an AccessGate depends on your use of the Oracle Access Manager Authentication provider. For instance:
• Identity Asserter for Single Sign-On: requires a separate WebGate and configuration profile for each application to define perimeter authentication. Ensure that the Access Management Service is On.
• Authenticator or Oracle Web Services Manager: requires a separate AccessGate and configuration profile for each application. Ensure that the Access Management Service is On.

2.3.4 Oracle Adaptive Access Manager
Oracle Adaptive Access Manager provides an innovative, comprehensive feature set to help organizations prevent fraud and misuse. Strengthening standard authentication mechanisms, innovative risk-based challenge methods, intuitive policy administration and integration across the Ident
31. (Access Management Launch Pad: Configuration lists Available Services, Common Settings, User Identity Stores, Access Manager Settings, Security Token Service Settings, Access Portal Service Settings, Server Instances, Session Management and related items.)
2. Click Search on the Server Instances page (Search OAM Servers).
3. Edit oam_server1.
4. Modify the Mode from Open to Simple and click Apply.
(oam_server1 details: Host ofss220223.in.oracle.com, Port 14101; OAM Proxy: Proxy Server Id AccessServerConfigProxy; Coherence Local Port 9095; Log Level 3; Log Limit 4096.)
Note: the Mode governs the channel between WebGates and this OAM server. Open carries requests and session tokens in the clear, Simple encrypts them with certificates OAM generates itself, and Cert uses certificates from your own CA. The agent profile's Security setting has to be consistent with the server mode.
32. ed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit
33. (Create User Identity Store form, as filled in for this integration.)
Store Name: FlexcubeStore
Store Type: OID: Oracle Internet Directory
Location: ofss220223.in.oracle.com:3131
Bind DN: cn=orcladmin
Password: (directory administrator password)
Login ID Attribute: cn
User Password Attribute: userPassword
User Search Base: cn=Users,dc=in,dc=oracle,dc=com
User Filter Object Classes: (blank)
Group Name Attribute: (blank)
Group Search Base: cn=Groups,dc=in,dc=oracle,dc=com
Group Filter Classes: (blank)
Enable Group Membership Cache: selected; Group Membership Cache Maximum Size 10000; Group Membership Cache Time to Live (seconds) 0
Connection Details: Minimum Pool Size 10; Maximum Pool Size 50; Wait Timeout (seconds) 120; Inactivity Timeout (seconds) 0; Results time limit (seconds) 0; Retry Count 3; Referral Policy follow
4. Click Test Connection to validate the credentials; the result should be Passed.
5. Click Apply to create the User Identity Store.
Note: the User Identity Store is created only if valid LDAP parameters are passed.
Confirmation: User Identity Store FlexcubeStore created successfully (Store Name FlexcubeStore, Enable SSL selected, Store Type OID: Oracle Internet Directory, Prefetched Att
Note: cn=orcladmin is the directory superuser. Binding OAM with it grants far more than the search and bind rights the identity store needs; a dedicated bind account with read access to the user and group search bases is the least-privilege choice.
34. (Access Management Launch Pad: SSO Agent Registration under Quick Start Wizards.)
6. Enter the below and click Apply:
Name: custom Webgate name
Base URL: the host and port of the computer on which the Web server for the Webgate is installed, for example http://example_host:port or https://example_host:port. The port number is optional.
Security: Simple
Protected Resource List: /FCJNeoWeb for FCUBS, /FCISNeoWeb for FCIS
User Defined Parameters: filterOAMAuthnCookie=false
(Create OAM 11g Webgate screen: Version 11g, Name FlexcubeWebgate, Base URL https://ofss220223.in.oracle.com, Security Open / Simple / Cert, Host Identifier FlexcubeWebgate, Protected Resource List /FCJNeoWeb and /FCISNeoWeb, Public Resource List empty.)
Confirmation: OAM 11g Webgate FlexcubeWebgate created successfully. Artifacts are generated in the following location: /scratch/app/sso/1123/wl1036/Middleware/user_projects/doma
Note: with filterOAMAuthnCookie=false the WebGate no longer strips the OAMAuthnCookie before forwarding the request, so the application tier receives the SSO session cookie. Make sure the application does not log or echo request headers, since that cookie represents the user's OAM session.
35. (WebLogic Server Administration Console, Keystores tab. Keystores ensure the secure storage and management of private keys and trusted certificate authorities (CAs); this page lets you view and define keystore configurations used to secure message transmissions.)
Keystores: Custom Identity and Custom Trust
Custom Identity Keystore: /scratch/app/fmw115/oam1115/BaseKeyStore/AdminFlexcubeKeyStore.jks
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase and Confirm: the keystore passphrase (stored encrypted)
Custom Trust Keystore: the same AdminFlexcubeKeyStore.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase and Confirm: the keystore passphrase (if empty, the keystore is opened without a passphrase)
Click Save.
2.5.2.5 Follow the steps in the SSL tab as shown below
36. (Access Management Launch Pad, Configuration: User Identity Stores.)
2. Click Create under OAM ID Stores.
(User Identity Stores page: Default Store UserIdentityStore1, System Store UserIdentityStore1. The OAM ID Stores table lists UserIdentityStore1, directory type EMBEDDED_LDAP, host information ldap://host:7001, Synched IDS Profiles: No. Identity Directory Service is a common service used by Oracle Identity Management products to access and manage identity directories; IDS Profiles can be used within Oracle Access Management after they are synchronized with the Sync IDS Profiles button.)
37. (Application Domain FlexcubeWebgate, Authorization Policies tab: Public Resource Policy, "Policy set during domain creation. Add resources to this policy to allow anyone access"; Protected Resource Policy, "Policy set during domain creation. Add resources to this policy to protect them".)
10. Open the Protected Resource Policy, click Responses and click the + button to add the DN variable to the response header.
11. Enter the following values in the Add Response window:
Type: Header
Name: DN
Value: $user.attr.dn
(Authorization Policy summary: Name Protected Resource Policy; Success URL and Failure URL blank; Identity Assertion: this will cause an assertion to be generated for the user, optionally containing any Asserted Attribute set below.)
Note: the DN header is only trustworthy when it was set by the WebGate. Any request that reaches the WebLogic managed server without passing through the OHS WebGate could carry a DN header of the sender's choosing, so the managed server's listen ports must be reachable from the OHS hosts only.
38. (WebLogic Server Administration Console, Settings for AdminServer, Configuration > Keystores tab. Keystores ensure the secure storage and management of private keys and trusted certificate authorities (CAs). Current setting: Demo Identity and Demo Trust. System Status: Failed 0, Critical 0, Overloaded 0, Warning 0.)
2.5.2.4 Follow the steps in the Keystores tab as shown below
1. Enter Custom
Note: the Demo Identity and Demo Trust keystores ship with every WebLogic installation, with publicly known passphrases and a private key that anyone can download. They are for development only; the custom keystore created in 2.5.1 must replace them before the server is exposed to users.
39. ins/domain_two/output/FlexcubeWebgate
(FlexcubeWebgate agent page after creation.)
Name: FlexcubeWebgate
Security: Open / Simple / Cert (as selected at creation)
Max Cache Elements: 100000
Cache Timeout (seconds): 1800
Token Validity Period (seconds): 3600
Max Connections: 1
Max Session Time: 60
Failover Threshold: 1
Preferred Host: FlexcubeWebgate
Logout URL: (blank)
Logout Callback URL: /oam_logout_success
Logout Redirect URL and Logout Target URL: (blank)
Primary Server List: Access Server oam_server, Host ofss220223.in.oracle.com, Port 5575, Max Number 1
Secondary Server List: (blank)
User Defined Parameters:
proxySSLHeaderVar=IS_SSL
URLINUTF8Format=true
client_request_retry_attempts=1
inactiveReconfigPeriod=10
maxSessionTimeUnits=minutes
Cache Pragma Header: no-cache
Cache Control Header: no-cache
Flags: IP Validation, Deny On Not Protected, Allow Management Operations, Allow Token Scope Operations, Allow Master Token Retrieval, Allow Credential Collector Operations
7. Once the OAM 11g Webgate is created, change the parameter proxySSLHeaderVar=IS_SSL to proxySSLHeaderVar=ssl, along with the other parameters in User Defined Parameters.
8. Click Apply.
Note: keep Deny On Not Protected enabled. With it set, a URL that matches no policy is refused instead of being passed through, so a resource that was forgotten in the Protected Resource List fails closed. IP Validation ties the session cookie to the client address; disable it only where clients legitimately change address mid-session (NAT pools, VPN roaming).
40. ity and Access Management Suite and with third-party products make Oracle Adaptive Access Manager uniquely flexible and effective. Oracle Adaptive Access Manager provides real-time and batch risk analytics to combat fraud and misuse across multiple channels of access. Real-time evaluation of multiple data types helps stop fraud as it occurs. Oracle Adaptive Access Manager makes exposing sensitive data, transactions and business processes to consumers, remote employees or partners via your intranet and extranet safer.
Oracle Adaptive Access Manager provides an extensive set of capabilities including device fingerprinting, real-time behavioral profiling and risk analytics that can be harnessed across both Web and mobile channels. It also provides risk-based authentication methods including knowledge-based authentication (KBA) challenge infrastructure with Answer Logic, and OTP Anywhere, server-generated one-time passwords delivered out of band via Short Message Service (SMS), e-mail or Instant Messaging (IM) delivery channels. Oracle Adaptive Access Manager also provides standard integration with Oracle Identity Management, the industry-leading identity management and Web Single Sign-On products, which are integrated with leading enterprise applications.

Configuration Pre-requisites
• The steps provided below assume that FLEXCUBE has already been deployed and is working without single sign-on.
• The steps provided below assume that Oracle Access Man
41. (Table of contents, continued; entries whose titles did not survive extraction are listed by number only.)
2.5.3 Configuring SSL Mode in Oracle Internet Directory ... 2-9
2.6 Configuring SSO in OAM Console ... 2-12
2.6.1 Identity Store Creation ... 2-13
2.6.2 Creating Authentication Module ... 2-16
2.6.3 Creating Authentication Scheme ... 2-17
2.6.4 Creating OAM 11g Webgate ... 2-21
2.6.5 Post OAM Webgate 11g Creation ... 2-27
2.7 First Launch of FLEXCUBE after Installation ... 2-34
2.7.1 ... 2-34
2.7.2 Maintaining LDAP DN for FLEXCUBE user ... 2-35
2.7.3 ... 2-36
2.7.4 ... 2-43

1 Preface
1.1 Introduction
This manual discusses the integration of Oracle FLEXCUBE Investor Servicing and the Oracle Access Manager system. The configurations required for proper functioning of this integration and further processing are documented in this manual.
1.2 Audience
This manual is intended for the following users:
User: Back office data entry clerks. User role: input functions for maintenance related to the interface.
User: Implementation team. User role: implementation of Oracle FLEXCUBE Investor Servicing.
1.3 Abbreviations
Unless specified
42. Click Apply. Refer to the Creating OAM 11g Webgate section of this document.
(Confirmation: OAM Server instance oam_server1 modified successfully. Server Name oam_server1, Host ofss220223.in.oracle.com, Port 14101; OAM Proxy: Proxy Server Id AccessServerConfigProxy, Port 5575; Coherence Local Port 9095; Log Level, Log Limit 4096.)

2.6.5 Post OAM Webgate 11g Creation
Follow the below steps to configure the Webgate created.
2.6.5.1 Application Domain Changes
1. Click Application Domains under Access Manager on the Access Management Launch Pad.
(The Launch Pad also lists Quick Start Wizards: Application Registration, SSO Agent Registration; Identity Federation; Mobile and Social; Configuration; Access Manager: Application Domains, Applications, Resource Type, Host Identifiers, Plug-ins; Security Token Service; Access Portal Service.)
43. low. This policy does not have any Responses. Identity Assertion has not been enabled for this policy; enable Identity Assertion in order to collect Assertion Attribute type responses when this policy is executed. Click Add (or Cancel).
12. Click Apply to save the changes.
(Confirmation: Authorization Policy Protected Resource Policy modified successfully. Identity Assertion: this will cause an assertion to be generated for the user, optionally containing any Asserted Attribute set below.)

2.6.5.2 Copying Generated Files and Artifacts to the Oracle HTTP Server WebGate Instance
Perform the following steps to copy the artifacts generated while creating the Oracle 11g Webgate to the Webgate installation directory:
• Navigate to <DOMAIN_HOME>/output/<WebgateAgentName>
• Select the following files: ObAccessClient.xml, password.xml, cwallet.sso
• Copy the files to <ORACLE_MIDDLEWARE>/<ORACLE_WEBTIER_HOME>/instances/instance1/config/OHS/ohs1/webgate/config
• Select the remaining two files: aaa_key.pem, aaa_cert.pem
• Copy the files to <ORACLE_MIDDLEWARE>/<ORACLE_WEBTIER_HOME>/instances/instance1/config/OHS/ohs1/webgate/config/simple
Note: password.xml, cwallet.sso and aaa_key.pem are secrets (the agent password, its wallet and the Simple-mode private key). After copying, make them readable by the OHS OS user only, and delete or lock down the copies left under <DOMAIN_HOME>/output.
2.6.5.3 Add the Application Certificates to Oracle HTTP
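The copy steps above are easy to get subtly wrong by hand (a file dropped into the wrong subdirectory, or a private key left world-readable). The script below is an added example and not tooling from the guide: it stages the five artifacts exactly as section 2.6.5.2 describes, refuses to run on an incomplete output directory, and tightens permissions on the secret-bearing files. The directory names follow the guide; the placeholder files that make_sample_output() writes are constructed for the demonstration and contain no key material.

```python
"""Added example (not from the FLEXCUBE/OAM guide): stage the OAM 11g WebGate
artifacts generated under <DOMAIN_HOME>/output/<WebgateAgentName> into an OHS
WebGate instance, keeping secret-bearing files readable by the owner only."""
import os
import shutil
import stat
import tempfile

# Copied to <webgate>/config
CONFIG_FILES = ("ObAccessClient.xml", "password.xml", "cwallet.sso")
# Copied to <webgate>/config/simple (Simple-mode transport credentials)
SIMPLE_MODE_FILES = ("aaa_key.pem", "aaa_cert.pem")
# Secrets: agent password store, wallet, and the Simple-mode private key.
SECRET_FILES = {"password.xml", "cwallet.sso", "aaa_key.pem"}


def stage_webgate_artifacts(output_dir, webgate_dir):
    """Copy the artifacts into webgate_dir/config and config/simple.

    Returns {filename: destination path}.  Refuses to start if any artifact
    is missing, so a half-staged WebGate is never left behind.  Secrets get
    mode 0600, the public files 0644.
    """
    missing = [f for f in CONFIG_FILES + SIMPLE_MODE_FILES
               if not os.path.isfile(os.path.join(output_dir, f))]
    if missing:
        raise FileNotFoundError("incomplete WebGate output: " + ", ".join(missing))
    config_dir = os.path.join(webgate_dir, "config")
    simple_dir = os.path.join(config_dir, "simple")
    os.makedirs(simple_dir, exist_ok=True)
    placed = {}
    for name in CONFIG_FILES + SIMPLE_MODE_FILES:
        dest_dir = simple_dir if name in SIMPLE_MODE_FILES else config_dir
        dest = os.path.join(dest_dir, name)
        shutil.copyfile(os.path.join(output_dir, name), dest)
        os.chmod(dest, 0o600 if name in SECRET_FILES else 0o644)
        placed[name] = dest
    return placed


def world_readable(path):
    """True if group or others can read the file (never acceptable for a secret)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def make_sample_output(output_dir, names=CONFIG_FILES + SIMPLE_MODE_FILES):
    """Write constructed placeholder artifacts (no real keys or passwords)."""
    os.makedirs(output_dir, exist_ok=True)
    for name in names:
        with open(os.path.join(output_dir, name), "w") as fh:
            fh.write("constructed placeholder for %s\n" % name)


def demo():
    """Stage constructed artifacts in a scratch directory and report the
    destination paths (relative to the webgate directory), whether every
    secret ended up private, and whether an incomplete output was refused."""
    with tempfile.TemporaryDirectory() as tmp:
        output = os.path.join(tmp, "output", "FlexcubeWebgate")
        make_sample_output(output)
        webgate = os.path.join(tmp, "instances", "instance1", "config",
                               "OHS", "ohs1", "webgate")
        placed = stage_webgate_artifacts(output, webgate)
        secrets_private = all(not world_readable(placed[n]) for n in SECRET_FILES)
        cert_readable = world_readable(placed["aaa_cert.pem"])
        partial = os.path.join(tmp, "partial")
        make_sample_output(partial, names=CONFIG_FILES)   # aaa_*.pem missing
        try:
            stage_webgate_artifacts(partial, os.path.join(tmp, "wg2"))
            refused = False
        except FileNotFoundError:
            refused = True
        rel = {n: os.path.relpath(p, webgate) for n, p in placed.items()}
        return {"paths": rel, "secrets_private": secrets_private,
                "cert_readable": cert_readable, "incomplete_refused": refused}
```

Run stage_webgate_artifacts() as the OS user that owns the OHS instance so the 0600 files are readable by the process that needs them; demo() exercises the same code against throwaway directories.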
44. (Enterprise Manager, Oracle Internet Directory > Security > Wallets > Create Self-Signed Wallet; page refreshed Feb 15, 2013.)
A self-signed wallet is not signed by a well-known CA and is not recommended in a production environment. The wallet name should be unique for a given component. The wallet type can be auto-login or password protected. Passwords, if specified, have a minimum length of eight characters and contain alphabetic characters combined with numeric or special characters. An auto-login wallet is an obfuscated form of a PKCS#12 wallet that provides PKI-based access to services and applications without requiring a password at runtime; auto-login wallets do not need a password to modify or delete the wallet, and file system permissions provide the necessary security for them.
Self-Signed Wallet Details:
Wallet Name: oidselfsigned
Auto-login: selected
Add Self-Signed Certificate (a self-signed certificate that becomes part of the wallet):
Common Name: hostname.in.oracle.com
Organizational Unit: OFSS
Organization: Oracle
City: Chennai
State: TN
Country: India
Key Size: 2048
Click OK.
Note: with auto-login, nothing but file permissions protects the wallet's private key; keep the wallet directory owned by and readable only to the OID OS user, and enter the real host name as Common Name, since OAM will verify it against the LDAP host it connects to.
45. (Authentication Policy Protected Resource Policy, Authentication Scheme FlexcubeBasicOAMScheme. Identity Assertion: this will cause an assertion to be generated for the user, optionally containing any Asserted Attribute set below. This policy does not have any Responses.)
7. Enter the following values in the Add Response window:
Type: Header
Name: DN
Value: $user.attr.dn
(Identity Assertion has not been enabled for this policy; enable Identity Assertion in order to collect Assertion Attribute type responses when this policy is executed.)
8. Click Apply to save the changes.
(Confirmation: Authentication Policy Protected Resource Policy modified successfully. Name Protected Resource Policy; Description: policy set during domain creation, add resources to this policy to protect them; Authentication Scheme FlexcubeBasicOAMScheme; Responses: Name DN, Type Header, Value $user.attr.dn.)
9. Click Authorization Policies and then Protected Resource Policy.
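Steps 7 and 11 both make OAM hand the authenticated user's directory DN to FLEXCUBE as a plain HTTP header named DN, which the application then maps to its own user (section 2.7.2 maintains that mapping). What the application must do with that header is the security-relevant half of the design, so here is an added example of the consuming side; it is not code from the guide or from FLEXCUBE. Assumptions not stated on the page: the header arrives under the name DN, the only trusted route into the application is the OHS WebGate, and user entries live beneath the identity store's User Search Base. The proxy addresses and sample DNs are constructed.

```python
"""Added example (not from the FLEXCUBE/OAM guide): consume the DN header set
by the OAM Protected Resource Policy response (Type Header, Name DN,
Value $user.attr.dn) without trusting it blindly."""
import ipaddress
import re

# Matches the User Search Base of the FlexcubeStore identity store.
USER_SEARCH_BASE = "cn=Users,dc=in,dc=oracle,dc=com"
# Hypothetical addresses of the OHS hosts allowed to assert identity.
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}

_RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def split_dn(dn):
    """Split a DN into [(attribute, value), ...], honouring backslash-escaped
    commas (RFC 4514).  Attribute names and values are lower-cased for
    comparison.  Returns [] when any RDN is malformed."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        m = _RDN.match(part.strip())
        if not m or not m.group(2).strip():
            return []
        rdns.append((m.group(1).lower(), m.group(2).strip().lower()))
    return rdns


def dn_under_base(dn, base):
    """True when dn is a strict descendant of base, compared RDN by RDN, so
    the base itself, a Groups entry, or a look-alike prefix all fail."""
    d, b = split_dn(dn), split_dn(base)
    if not d or not b or len(d) <= len(b):
        return False
    return d[-len(b):] == b


def asserted_user_dn(headers, remote_addr):
    """Return the DN asserted by OAM for this request, or None to reject.

    headers: request headers as received (name -> value).
    remote_addr: peer address of the TCP connection carrying the request.
    """
    # 1. Only the WebGate-fronted proxy may assert identity.  A request that
    #    reaches the managed server directly can carry any DN header it likes.
    try:
        peer = str(ipaddress.ip_address(remote_addr))
    except ValueError:
        return None
    if peer not in TRUSTED_PROXIES:
        return None
    # 2. The header must be present and name a user entry under the search
    #    base; a group DN, the base itself or garbage is refused.
    dn = headers.get("DN", "").strip()
    if not dn or not dn_under_base(dn, USER_SEARCH_BASE):
        return None
    return dn
```

The address check stands in for whatever the deployment uses to prove the request came through OHS (a firewall rule on the managed server's ports does the same job at the network layer); the DN shape check keeps a misconfigured response, or a directory entry outside cn=Users, from being accepted as a FLEXCUBE user.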
46. (Access Management Launch Pad, Access Manager quick links: Create Kerberos Authentication Module, Create X509 Authentication Module, Create Custom Authentication Module, Create Authentication Scheme, Create 11g Webgate, Create 10g Webgate.)
Select any of the challenge methods for creating an authentication scheme as explained below, and refer to the OAM documentation for more details: http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/shared.htm#BABFCIHA

2.6.3.1 Basic Style Authentication Scheme
Enter the below details and click Apply:
Name: name of the Authentication Scheme
Authentication Level: 1
Challenge Method: BASIC
Challenge Redirect URL: /oam/server
Authentication Module: refer to the section Creating Authentication Module of this document
Challenge Parameters:
ssoCookie=Secure
contextType=default
contextValue=/oam
challenge_url=/CredCollectServlet/BASIC
(Confirmation page: FlexcubeBasicOAMScheme.)
Note: with the BASIC challenge the browser resends the user's credentials, base64-encoded, on every request, so this scheme is only acceptable when the OHS front end accepts HTTPS exclusively. ssoCookie=Secure makes the browser send the OAM session cookie over HTTPS only; keep it on every scheme.
47. (Resources tab: Resource Prefix, Resource Type, Host Identifier; no data to display.)
4. Click Protected Resource Policy.
(Authentication Policies tab: Protected Resource Policy, "Policy set during domain creation. Add resources to this policy to protect them"; Public Resource Policy, "Policy set during domain creation. Add resources to this policy to allow anyone access".)
5. Choose the Authentication Scheme created earlier; refer to the section Creating Authentication Scheme of this document. The policy is created with the default LDAPScheme and is changed here to FlexcubeBasicOAMScheme.
48. party wants to trust your certificate directly.
-----BEGIN CERTIFICATE-----
(base64 body of the self-signed certificate exported from the oidselfsigned wallet; the copy on this page did not survive extraction legibly and is not reproduced)
7. Click Server Properties.
(Enterprise Manager, Wallets: Add Certificate Request. After you create a CSR, send it to your CA, who will verify your identity and return the signed certificate. You can only import the CA-signed certificate into the same wallet from which the CSR was generated.)
Wallet contents:
Certificate Request: key size 2048
Certificate: Valid, key size 2048, February 15, 2013 to February 14, 2018
Trusted Certificate: Valid, key size 1024, January 29, 1996 to August 2, 2028
Trusted
Note: the 1024-bit trusted certificate is one of the legacy roots Oracle wallets ship with; 1024-bit RSA is below current minimums, so remove trusted certificates the OID listener does not actually need.
49. (IDS Profiles: manage common Identity Directory Service profiles; profiles created here appear in the OAM ID Stores table, and profiles created outside the Oracle Access Management Console must be synchronized with the Sync IDS Profile button. Existing profiles: userrole, User Role entities in Default Identity Directory, repository OPSS; idxuserrole, Fusion User Role entities in Default Identity Directory, repository OPSS. IDS Repositories: manage Identity Directory Service repositories that are common across Oracle Identity Management.)
Enter the below details in the Create User Identity Store form:
• Store Type: OID: Oracle Internet Directory
• Location: LDAP server host name and port number, in HOSTNAME:SSL_PORT format
• Select the Enable SSL check box
• Bind DN: admin user name used to connect to the LDAP server
• Password: admin password used to connect to the LDAP server
• Login ID Attribute: the LDAP attribute from which the login ID identifying the user is extracted
• User Search Base: full DN of the node at which enterprise users are stored in the directory, for example cn=Users,<realm DN>
• Group Search Base: currently only static groups are supported, using the uniquemember attribute. The node in the directory information tree (DIT) under which group data is stored, and the highest possible base for all group data search
Apply.

[Screenshot: Access Management console, SSO Agents > FlexcubeWebgate. Confirmation: "OAM 11g Webgate FlexcubeWebgate modified successfully".]
Name: FlexcubeWebgate
Security: Open (options Open / Simple / Cert); State: Enable / Disable
Max Cache Elements: 100000
Cache Timeout (seconds), Token Validity Period (seconds), Max Connections, Max Session Time, Failover Threshold, AAA Timeout Threshold: 1800, 3600, 1, 60, 12, 1
Preferred Host: FlexcubeWebgate
Logout Callback URL: /oam_logout_success
Logout Redirect URL: https://ofss220223.in.oracle.com (port cut off in the screenshot)
Primary Server List: Access Server oam_server, Host Name ofss220223.in, Host Port 5575, Max Number 1
Other fields shown without legible values: Logout URL, Logout Target URL, Sleep for (seconds), Cache Pragma Header, Cache Control Header, Debug, IP Validation, Deny On Not Protected, Allow Management Operations, Allow Token Scope Operations, Allow Master Token Retrieval, Allow Credential Collector Operations, Secondary Server List.
User Defined Parameters:
proxySSLHeaderVar=ssl
URLInUTF8Format=true
client_request_retry_attempts=1
inactiveReconfigPeriod=10
maxSessionTimeUnits=minutes
filterOAMAuthnCookie=false

9. Change the value of Mode back to Open in oam_server1 on Server Instance and c
[Screenshot: User Identity Store, Attributes tab.]
Location and Credentials:
Location: ofss220223.in.oracle.com:3131
Bind DN: cn=orcladmin
Password: (masked)
Users and Groups:
Login ID Attribute: cn
User Password Attribute: userPassword
User Search Base: cn=Users,dc=in,dc=oracle,dc=com
User Filter Object Classes, Group Name Attribute, Group Filter Classes: not filled in the screenshot
Group Search Base: cn=Groups,dc=in,dc=oracle,dc=com
Enable Group Membership Cache; Group Membership Cache Maximum Size 10000; Group Membership Cache Time to Live (seconds)
Connection Details: Minimum Pool Size, Maximum Pool Size, Results time limit (seconds), Retry Count 3, Wait Timeout (seconds), Referral Policy follow, Inactivity Timeout (seconds)

2.6.2 Creating Authentication Module

1. In Access Manager, click Create LDAP Authentication Module.

[Screenshot: Access Management Launch Pad, Access Manager quick-start wizards: Create Application Domain, Create Application, Create Resource Type, Create Host Identifier, Create Kerberos Authentication Module, Create X509 Authentication Module, Create Custom Authentication Module, Create Authentication Scheme, Create 11g Webgate, Create 10g Webgate; side links Application Registration, Application Domains, SSO Agent Registration, Applications, Host Identifiers, Identity Federation, Security Token Service.]
[Screenshot: Authentication Schemes > FlexcubeBasicOAMScheme. Confirmation: "Authentication Scheme FlexcubeBasicOAMScheme modified successfully".]
Name: FlexcubeBasicOAMScheme
Description: Basic Style SSO Login for FLEXCUBE
Authentication Level
Challenge Method: BASIC
Challenge Redirect URL: /oam/server/
Authentication Module: FlexcubeAuthnModule
Challenge Parameters: ssoCookie=Secure, contextType=default, contextValue=/oam, challenge_url=/CredCollectServlet/BASIC

We need to add the enforce-valid-basic-auth-credentials tag to the config.xml file located under <weblogic deployment path>/user_projects/domains/<MyDomain>/config. The tag must be inserted within the <security-configuration> element, just above its closing tag, as follows:

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

With the value false, WebLogic no longer validates the Basic authentication header against its own security realm, so the header is passed through to the application rather than being rejected by the container.

2.6.3.2 Form Style Authentication Scheme

Enter the below details and click Apply:
Name: name of the Authentication Scheme
Authentication Level: 2
Challenge Method: FORM
Challenge Redirect URL: /oam/server/
Authentication Module: refer to the section Creating Authentication Module of this document
Challenge URL, Context Type, Context Value, Challenge Parameters

[Screenshot: Authentication Schemes > FlexcubeFormOAMScheme, confirmation message.]
Once the user is authenticated and authorized to access the resource, the request is redirected to the normal FLEXCUBE application, which takes the user to the Home Branch.

2.7.3.4 After SSO Login: FLEXCUBE Application Launch

[Screenshot: FLEXCUBE Home Branch module after SSO login.]

2.7.4 Signoff in an SSO Situation

FLEXCUBE does not currently provide single sign-off, i.e. when a user signs off in FLEXCUBE, the session the user established with Oracle Access Manager is not modified in any manner (the OAM session remains valid). In an SSO situation the Exit and Logoff actions in FLEXCUBE function as Exit, i.e. on clicking these the user exits FLEXCUBE and needs to re-launch FLEXCUBE using the FLEXCUBE launch URL.

Oracle Access Manager Integration
September 2014
Version 12.0.4.0.0

Oracle Financial Services Software Limited
Oracle Park, Off Western Express Highway, Goregaon (East), Mumbai, Maharashtra 400 063, India
Worldwide Inquiries: Phone +91 22 6718 3000, Fax +91 22 6718 3001
www.oracle.com/financialservices

Copyright © 2007, 2014, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs install
[Screenshot: Access Management console navigation, Configuration > Access Manager Settings.]

2. Click Search to find the 11g Webgate (refer to the section Creating OAM 11g Webgate of this document).

[Screenshot: Access Management > Application Domain > Search Application Domains; the first search shows "No data to display", the second lists the IAM Suite domain. Side navigation: Authentication Modules, Authentication Schemes, SSO Agents, Session Management, Password Policy, Token Validation Templates, Token Issuance Templates, Custom Tokens, Global Agent Settings, Create Application Domain.]

3. Click Authentication Policies.

[Screenshot: Application Domain FlexcubeWebgate with tabs Summary, Resources, Authentication Policies, Authorization Policies, Token Issuance Policies, Administration. Name: FlexcubeWebgate. Description: Application Domain created through Remote Registration. Fields: Session Idle Timeout (minutes), Allow OAuth Token, Allow Session Impersonation, Policy Ordering / Enable Policy Ordering.]
[Screenshot: Authentication Schemes > FlexcubeKBAOAAMScheme. Confirmation: "Authentication Scheme FlexcubeKBAOAAMScheme modified successfully".]
Name: FlexcubeKBAOAAMScheme
Description: OAAM KBA Based Strong SSO Login for FLEXCUBE
Authentication Level: 27
Challenge Method: FORM
Challenge Redirect URL: /oam/server/
Authentication Module: FlexcubeAuthnModule
Challenge URL: /pages/oaam_login.jsp
Context Type: default
Context Value: /oam
Challenge Parameters: oaamPostAuth=true, oaamPreAuth=true, ssoCookie=Secure

2.6.4 Creating OAM 11g Webgate

Follow the below steps to create a Webgate:

1. Click Server Instances under Configuration.

[Screenshot: Access Management Launch Pad. Identity Federation: Identity Provider Administration, Service Provider Administration. Mobile and Social: Mobile Services, Social Identity. Configuration: Available Services, User Identity Stores, Administration, Certificate Validation, Server Instances, OAuth Service, Common Settings, Access Manager Settings, Mobile and Social Settings, Federation Settings.]
[Screenshot: Access Management Launch Pad (continued). Identity Federation: Service Provider Administration, Partners. Security Token Service: Token Service Provider Administration, Partner Profiles, Token Endpoints, Custom Tokens. Mobile and Social: Access Portal Service, Mobile Services, OAuth Service, Credential Sharing Groups, Global Agent Settings, Social Identity, Password Generation Policies. Configuration: Available Services, Common Settings, User Identity Stores, Access Manager Settings.]

2. Click Apply to create the Authentication Module.

3. Choose the User Identity Store created (refer to the section Identity Store Location of this document).

[Screenshot: Authentication Modules > FlexcubeAuthnModule. Confirmation: "LDAP Authentication Module FlexcubeAuthnModule modified successfully". Name: FlexcubeAuthnModule. User Identity Store: FlexcubeStore.]

2.6.3 Creating Authentication Scheme

1. Click Create Authentication Scheme under Access Manager.

[Screenshot: Access Management Launch Pad, Access Manager quick-start wizards: Create Application Domain, Create Application, Create Resource Type, Create Host Identifier, Create LDAP Authentication Module; side links Application Registration, Application Domains, SSO Agent Registration, Applications, Host Identifiers, Plug-ins, Password Policy.]
[Screenshot: WebLogic Server Administration Console, server SSL configuration tab.]
Identity:
- Private Key Location: from Custom Identity Keystore. The keystore attribute that defines the location of the private key file.
- Private Key Alias: FlexcubeCert. The keystore attribute that defines the string alias used to store and retrieve the server's private key.
- Private Key Passphrase: the keystore attribute that defines the passphrase used to retrieve the server's private key.
- Confirm Private Key Passphrase.
- Certificate Location: from Custom Identity Keystore. The keystore attribute that defines the location of the trusted certificate.
Trust:
- Trusted Certificate Authorities: from Custom Trust Keystore. The keystore attribute that defines the location of the certificate authorities.
Advanced:
- Hostname Verification: None. Specifies whether to ignore the installed implementation of the weblogic.security.SSL.HostnameVerifier interface when this server is acting as a client to another application server (None means host name verification is disabled for this server's outbound SSL connections).
- Custom Hostname Verifier.
Console side panel, How do I: Configure identity and trust; Set up SSL; Verify host name verification is enabled; Configure a custom host name verifier; Configure two-way SSL. System Status, Health of Running Servers: Failed 0, Critical 0, Overloaded 0, Warning 0.