Installing Oracle Identity and Access Management product suite (11.1.2.x)

In my blog about Identity and Access Management i explained about what is IDM at a high level. There are several vendors which provides products for IDM implementation. The latest
on-premise offering (as of today) is 11.1.2.3.0 which is 3rd patchset release of Oracle Identity and access Management. Before using this let's go through the high level steps to install and configure it.

Prerequisite: Ensure that you have an Oracle Database installed on your system before installing Oracle Identity and Access Management. The database must be up and running to install the relevant Oracle Identity and Access Management components.

Also please go through the Read Me info for Oracle Identity and Access Management 11g Release 2 before proceeding with installation

Here are the high level steps -
1) Run Repository Creation Utility (RCU) to create and load the appropriate schemas
2) Install Weblogic server and create Middleware Home
3) Install Oracle Identity and Access Management from IDM shiphome suite
4) Confiure IDM Suite and create domain
5) Configure Security Store
6) Start servers and Verify product consoles (WLS/EM/OAM) are reachable

In this blog i have downloaded the required installation files from -
http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html
on my Linux x86_64 machine

rcu	/scratch/gaurasha/idmr2ps3-artifacts/rcuHome.zip
Weblogic Installation	/scratch/gaurasha/idmr2ps3-artifacts/wls1036_linux32.bin
IDM suite	/scratch/gaurasha/idmr2ps3-artifacts/iamsuite1.zip /scratch/gaurasha/idmr2ps3-artifacts/iamsuite2.zip /scratch/gaurasha/idmr2ps3-artifacts/iamsuite3.zip

Let's deal with them in detail -

1) Run Repository Creation Utility (RCU) to create and load the appropriate schemas

a) Copy the appropriate rcuHome.zip  to <dir> with plenty of space.
 # unzip rcuHome.zip -d /scratch/gaurasha/rcuHome

b) Run the rcu utility
# cd /scratch/gaurasha/rcuHome/bin
# ./rcu

c) Select Create

Provide your database details -


Create a new prefix e.g DEV and select the required component you wish to install e.g
Oracle Acccess Manager. Dependencies will be automatically selected.



Click Next


choose a password


Click Next. This should create and load the required schemas for Oracle IDM products into your database.

2) Install Weblogic server and create Middleware Home

a. Execute the WLS installation (install the appropriate version for your platform)

# cd /scratch/gaurasha/idmr2ps3-artifacts/

# ./wls1036_linux32.bin

b. Choose a new Oracle Middleware home 

c. Click Next -> choose Typical installation 

This should install WLS server along with jdk in the selected middleware location. 

3) Install Oracle Identity and Access Management from IDM shiphome suite

a. Unzip IDM Suite zip files to a location with plenty of space

# mkdir /scratch/idm

# cd /ade_autofs/gd17_fmw/IDM_11.1.2.2.0_GENERIC.rdd/140103.0922/idm/shiphome/
# unzip iamsuite1.zip -d /scratch/idm
# unzip iamsuite2.zip -d /scratch/idm
# unzip iamsuite3.zip -d /scratch/idm
# cd /scratch/idm/iamsuite/Disk1

b. Run the IDM Installation prog (make sure you specify the correct path for Java JDK)./runInstaller -jreLoc /scratch/gaurasha/middleware/jdk160_29

c. For first time installations you may need to specify inventory directory location

You can choose to skip software updates.

Click Next

Provide location of Middleware home and click Next

Click Install to complete Installation

4) Configure IDM and create domain

b. Create a new Weblogic domain

Select -> Oracle Access Management and Mobile security Suite and click Next

Provide domain name

Provide password for OAM admin console e.g welcome1

Click Next

Configure JDBC Component Schema: Password: welcome1

Test JDBC component schema and click Next

Domain creation should succeed.

5) Configure Security Stores

Prior to starting the admin server, make sure to execute the following command (default OPSS_SCHEMA_PASSWORD is welcome1)

# cd /scratch/gaurasha/middleware/oracle_common/common/bin

Execute following command
# sh wlst.sh /scratch/gaurasha/middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /scratch/gaurasha/middleware/user_projects/domains/idm_domain -c IAM -m create -p welcome1

Here 

/scratch/gaurasha/middleware/user_projects/domains/idm_domain is domain path
created in step 4

6) Start servers and verify Installation

# cd /scratch/gaurasha/middleware/user_projects/domains/base_domain/bin

# sh startWeblogic.sh
# sh startManagedWebLogic.sh oam_server1 http://localhost:7001

Go to following URLs to verify the product consoles are reachable:

OAM Console - http://host:7001/oamconsole
Enterprise Manager console - http://host:7001/em 

Weblogic Admin console - http://host:7001/console

OAuth2 security in Cloud

In my previous blog i explained about OAuth2 protocol. In this blog i will explain how you can use Oracle OAuth2 support (provided in 11gPS6 patch set and PS7 release) to secure your applications that are deployed on-premise or cloud.
I will be explaining 2- legged OAuth2 flow using client credentials grant

Use case

SaaS App (SOA App) - > REST service.

The above picture presents a high level overview of a SaaS app calling REST service. The SaaS app could be any Multi tenant cloud enabled app e.g. CRM/ ERP available over cloud. The SaaS app internally may be using BPEL process. In this example the SaaS app is deployed as a Oracle SOA composite app

In order to leverage OWSM OAuth2 security feature you need to have Oracle Access Manager (OAM) installed in your env which provides OAuth2 services. 

Token flow

The following picture shows the token flow b/w OAuth2 sever client app and service.
The client and Service app are secured with OWSM Agent OAuth2 security policies.

1) OWSM Client Agent sends request for OAuth2 AT (JWT) by sending authorization grant using standard OAuth2 flows. The authorization request is signed using OWSM client’s Private Key.
2) OAuth2 Service verifies OWSM Client request and responds with a signed Access Token (JWT).
3) OWSM client propagates this AT to Service secured with OWSM Service Agent.
4) OWSM Service agent verifies the AT and responds with a valid response or errors out in case AT does not verify.

We will be doing following.

1) Enabling OAM OAuth2 Service
2) Configuring OAuth2 Service
3) Registering your app with OAM OAuth2 service
4) Requesting token using client credentials grant - Basic Auth
5) Securing Service App (RESTful Service) with OWSM OAuth2 Security policies
6) Securing Client app (SOA) with OWSM OAuth2 Security policies
7) Establishing trust
8) Deploying and Test your apps.

1) Enable OAM OAuth2 Service

1.1) Login to OAM console.

This assumes that you have already installed and configured Oracle Access Manager server, For details on installing and configuring Oracle IDM product suite you can refer to this blog post


















1.2) Oracle Access Management 11.1.2.3 introduces a redesigned Oracle Access Management Console. This new Console displays a Launch Pad and subsequent pages based on the Administration Role to which a user is assigned a successful login.




1.3) Click on Mobile Security - > Mobile OAuth Services

1.4) The console will show the list of Services , Enable - Mobile and Social. This should OAuth2 service. A green check mark in the Status field beside the service name indicates the service is enabled. A red circle with a cross through it indicates that the corresponding service is disabled.

2) Configure OAM OAuth2 Service 

2.1) Under OAM Console -> Mobile Security - > Mobile OAuth Services

2.2) You can either create a new Identity domain or use the out of box Default domain.



2.3) Default domain -> Service Profiles -> OAuthServiceProfile


2.4) This shows the default token settings which you can configure e.g.token expiry for various authz grants.

2.5) You can also configure the trusted issuers. Please check the URL of OAuth2 service Endpoint which client will use for sending Access Token request.

3) Register your application

3.1) Default domain-> Clients - > OAuth Web client - > Create 

3.2) Register you client. Provide name and description. OAM OAuth server generates a random unique client id and client secret for the client. Once can choose to provide user defined value.
For e.g.
Client ID - mycustomId
Client Secret - v1rCJvxbtMKeaiDduk



3.3) Ensure the required Grant types are selected. You can also configure Scope. Using allow access to all scope option for this use case.

4) Requesting token using client credentials grant - Basic Auth

You can use the following curl command to get AT from OAuth2 server -

curl -i -H 'Authorization: Basic bXljdXN0b21JZDp2MXJDSnZ4YnRNS2VhaURkdWs=' -H 'ContentType: x-www-form-urlencoded'  --request POST 'http://slc06uwa.us.oracle.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens' -d 'grant_type=client_credentials'

This should
Here client ID and Client Secret are passed in base64 encoded format as part of Authorization header.

OAuth2 Server token endpoint - >
http://slc06uwa.us.oracle.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens

You can use any tool to encode client credentials registered with OAuth2 server in step 3.2 in following format - ClientId:ClientSecret.

The OAuth2 server should respond with an Access Token which is a JWT e.g. -

HTTP/1.1 200 OK Date: Wed, 05 Aug 2015 16:04:52 GMT Content-Type: application/json {"oracle_client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer","expires_in":604800,"token_type":"Bearer","oracle_tk_context": "client_assertion","access_token":"eyJhbGcidHp[…..]zzi4BCjHY"}

Now let's see how to use OWSM Oauth2 securit policies with your client and service apps,

5) Secure REST Service using OWSM OAuth2 security policy.

Policy	Description
oracle/ multi_token_rest_service_policy	This policy verifies the Access Token sent from client app.

Attach oracle/multi_token_rest_service_policy by updating web.xml file of REST application

The following provides an example of how to update the web.xml file. 

<?xml version = '1.0' encoding = 'windows-1252'?> <web-app xmlns="http://java.sun.com/xml/ns/javaee"          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"          version="2.5">   <servlet>      <servlet-name>helloworld</servlet-name>      <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>      <load-on-startup>1</load-on-startup>   </servlet>   <servlet-mapping>         <servlet-name>helloworld</servlet-name>         <url-pattern>/restservice/*</url-pattern>   </servlet-mapping> <!--OWSM Security Filter entry-->   <filter-mapping>     <filter-name>OWSMSecurityFilter</filter-name>     <servlet-name>helloworld</servlet-name>   </filter-mapping>  <filter>     <filter-name>OWSMSecurityFilter</filter-name>     <filter-class>oracle.wsm.agent.handler.servlet.SecurityFilter</filter-class>     <init-param>       <param-name>servlet-name</param-name>       <param-value>helloworld</param-value>     </init-param>     <init-param>       <param-name>oracle.wsm.metadata.policySet</param-name>       <param-value><![CDATA[<sca11:policySet name="policySet" appliesTo="REST-Resource()" attachTo="Service('*')"                             xmlns:sca11="http://docs.oasis-open.org/ns/opencsa/sca/200903"                 xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"                 xmlns:wsp15="http://www.w3.org/ns/ws-policy">                     <wsp15:PolicyReference URI="oracle/multi_token_rest_service_policy" orawsp:category="security" orawsp:status="enabled">                     </wsp15:PolicyReference>                 </sca11:policySet>]]>             </param-value>      </init-param>   </filter> </web-app>

You can also use GPA feature (beyond the scope of this blog) to secure your REST services.

6) Secure Client (SOA app) using OWSM OAuth2 Security

You can secure your SOA app at design time using J developer.

4.1) Secure SOA Reference WS Binding (client) - Right click - > Configure SOA WS Policies

 4.2) Select OWSM OAuth2 client policies



4.3) Click on Edit config override property for oauth2_config_client_policy

4.4) Override token.uri to OAuth2 server endpoint

Here token.uri must point to the OAuth2 server endpoint URL. In this example endpoint URL is http://slc06uwa.us.oracle.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens


4.5)Edit config override for http_oauth2_token_client_policy if you wish to override default configuration.I will use the default.

5) Establish Trust 

In above flow there are 3 main components involved.

1) OAM OAuth2 server

2) SaaS app

3) REST sevice 

5.1) Trust between OAuth2 server and client

In order to verify the OWSM client (signed) request for Access Token OAuth2 service should have the public key certificate corresponding to the private key used to sign the request in its keystore.

OAuth2 server responds with a signed access token

5.2) Trust between OAuth2 server and Service

The service must also trust the Access Token (signed) sent from OAuth2 server.To set up trust between OAuth2 server and service import the OAuth2 server signing certificate into resource server keystore. 

6) Deploy and Test your apps.

That's it you can now deploy and Test your apps.

I have tried to touch upon the high level steps and configuration you require to use OAuth2 security. There are a number of fine level security configuration which you can configure like setting trusted issuers, setting scope, switching identity, setting up SSL etc just to name a few.