Wednesday, October 27, 2010

Configure Form-Based Authentication with IIS

Define a new authentication scheme using the following steps.
(a) Click the "Access System Console" link
(b) Click the "Access System Configuration" tab at the top of the browser.
(c) Click the "Authentication Management" link on the left-hand side of the browser.
(d) Click the "add" button to begin defining a new authentication scheme.
(e) Enter a name for the new scheme. This example uses the name "Form-based authentication".
(f) Note this name; it is needed later when a policy domain is associated with the authentication scheme.
(g) Enter a description of the new authentication scheme. This can be anything you wish to use.
- Set the level to 1
- Select the challenge method of "form"
- In the challenge parameters field, define the following 3 parameters:
  - form:/login.html
  - creds:username password
  - action:/access/oblix/apps/webgate/bin/webgate.dll

* The creds parameter defines the names of the input fields in the login.html page that are used to enter the username and password. These must match the names of the input fields exactly.

The action parameter needs to reference a URL that is protected by COREid Access. It should match the action attribute of the form in login.html, but it does not have to be a valid URL, since COREid Access intercepts the request before the HTTP server handles it.
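Because a mismatch between the creds names and the form's input names, or between the two action values, silently breaks the form login, the following added check (not part of the original post) parses the three challenge parameters above and a login.html page and reports any differences. The login.html content is constructed for this example.

```python
from html.parser import HTMLParser

# Challenge parameters exactly as entered in the authentication scheme above.
CHALLENGE_PARAMS = [
    "form:/login.html",
    "creds:username password",
    "action:/access/oblix/apps/webgate/bin/webgate.dll",
]

# Constructed login.html for this example: its input names must equal the creds names.
LOGIN_HTML = """<form method="post" action="/access/oblix/apps/webgate/bin/webgate.dll">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>"""


def parse_challenge_params(params):
    """Split 'key:value' entries into a dict; 'creds' becomes a list of field names."""
    scheme = {}
    for item in params:
        key, _, value = item.partition(":")
        scheme[key.strip()] = value.strip()
    scheme["creds"] = scheme.get("creds", "").split()
    return scheme


class FormScanner(HTMLParser):
    """Collect the first form's action attribute and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.action, self.inputs = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = attrs.get("action", "")
        elif tag == "input" and attrs.get("type") != "submit" and "name" in attrs:
            self.inputs.append(attrs["name"])


def check_login_form(params, html):
    """Return mismatches between scheme and form (exact, case-sensitive); empty list = OK."""
    scheme = parse_challenge_params(params)
    scanner = FormScanner()
    scanner.feed(html)
    problems = []
    missing = [name for name in scheme["creds"] if name not in scanner.inputs]
    if missing:
        problems.append("creds fields missing from form: " + ", ".join(missing))
    if scanner.action != scheme["action"]:
        problems.append(f"form action {scanner.action!r} differs from scheme action {scheme['action']!r}")
    return problems
```

Run `check_login_form(CHALLENGE_PARAMS, LOGIN_HTML)` against your own login.html text; an empty list means the page and the scheme agree.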

(h) Click the "save" button

(i) Click the "plugins" tab.
(j) Click the "modify" button.
Add the following 2 plugins and set their parameters as shown below:

credential_mapping = obMappingBase="cn=users,dc=coreid,dc=oracle,dc=com",obMappingFilter="uid=%ssousername%"

validate_password = ObCredentialPassword="password"

InvalidUserRegistryConfigException: User [username] not authenticated

Problem
I get the following exception:

"com.ibm.ejs.exception.InvalidUserRegistryConfigException: User [username] not authenticated"

Solution
Make sure the following are set correctly in NetPointWASRegistry.properties:

(a) OB_UserAttr=uid
(b) OB_UserSearchAttr=cn
(c) OB_GroupSearchAttr=cn

* You can find all of this information in the OID.

How to achieve IWA with WAS integrated with OAM

You can achieve IWA with WAS by letting an IIS Webgate perform the authentication and authorization. This is done by setting the authentication challenge for the WAS resources to redirection, using a challenge redirect parameter.

1) Protect your WAS Site with Oracle Access Manager (OAM)
(a) Install WAS AccessGate
(b) Configure NetpointWASRegistry
(c) Configure Webgate.properties file
(d) Protect your WAS resources using the Oracle Policy Manager

2) Set up an authentication scheme for the WAS resources

Set the Challenge Redirect to a "redirection page" served by a Webgate on IIS that uses the IWA authentication scheme.
The steps below show how to create the "redirection page".

3) Create a Redirection Page
(a) Install a Webgate on an IIS server
(b) Set up IWA authentication for the Webgate
(c) Create a redirection page using a simple script
(d) Place this script under a resource of the IIS server that is protected by the IWA authentication scheme

So this is how it works: authentication for WAS is performed by an "IIS Webgate proxy" using the IWA scheme created above.
When a user tries to access a WAS site, OAM redirects the challenge to the IIS Webgate, where the user receives an ObSSOCookie; the IIS Webgate then redirects back to the original WAS resource. This achieves SSO and IWA authentication for a WAS resource.

Thursday, October 21, 2010

Not A Valid TAI Interceptor. Resource Is Not Protected By Oracle Access Manager

Problem:
The site still prompts with a non-OAM authentication scheme, and the following error message appears in the oblix log.

Not A Valid TAI Interceptor. Resource Is Not Protected By Oracle Access Manager.

Solution:
This means that your site is not protected by OAM.
Ensure that your host identifier is set up correctly. WebSphere behaves a bit differently with clustering on; you may need to specify the following in the host identifier:

Hostname:port

com.ibm.ejs.exception.InvalidUserRegistryConfigException

Problem:
I encountered this problem:

com.ibm.ejs.exception.InvalidUserRegistryConfigException: User [username] not authenticated

Solution:
Verify that the following are set correctly in NetPointWASRegistry.properties:
(a) OB_UserAttr
(b) OB_UserSearchAttr
(c) OB_GroupSearchAttr

Normally these are:
(a) OB_UserAttr=uid
(b) OB_UserSearchAttr=cn
(c) OB_GroupSearchAttr=cn


Problem accessing trust store java.io.IOException: DerInputStream.getLength()


Problem:
I encountered this error when trying to integrate NetpointWASRegistry with WAS:

Default SSL context init failed: IBMTrustManager: Problem accessing trust store java.io.IOException: DerInputStream.getLength()

Solution 1:
I got this to work after my good friend helped me translate this page for me:
http://www.narisa.com/forums/index.php?showtopic=30718

Re-run keystore.exe, adding the WebPass server and CA certificates to the WAS keystore and truststore:

(a) keytool -import -alias ca -trustcacerts -file "D:\certs\cert.cer" -storetype pkcs12 -keystore "\profiles\AppSrv01\config\cells\\nodes\\key.p12" -storepass WebAS

(b) keytool -import -alias server -trustcacerts -file "D:\certs\server.cer" -storetype pkcs12 -keystore "\profiles\AppSrv01\config\cells\\nodes\\key.p12" -storepass WebAS

(c) keytool -import -alias ca -trustcacerts -file "D:\certs\ca.cer" -storetype pkcs12 -keystore "\profiles\AppSrv01\config\cells\\nodes\\trust.p12" -storepass WebAS

(d) keytool -import -alias server -trustcacerts -file "D:\certs\server.cer" -storetype pkcs12 -keystore "\profiles\AppSrv01\config\cells\\nodes\\trust.p12" -storepass WebAS

**** If this still does not work, go to the NetpointWASRegistry.properties file and remove the following lines. ****
#OB_Keystore
#OB_KeystorePassword

They confuse WAS about which certificate to use.

It should work now.

java.lang.ClassNotFoundException: com.ibm.websphere.ssl.protocol.SSLSocketFactory

Problem:
I encountered this error while trying to integrate NetpointWASRegistry with WAS:

java.net.SocketException: Cannot find the specified class java.security.PrivilegedActionException: java.lang.ClassNotFoundException: com.ibm.websphere.ssl.protocol.SSLSocketFactory


Solution:
A class is missing; verify the following settings in this file:

C:\IBM\WebSphere\AppServer\java\jre\lib\security\java.security

ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
# WebSphere socket factories (in cryptosf.jar)
#ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
#ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory


It will work!