Tuesday, April 30, 2013

11g R2 and 11g R2 PS1 OAM Integration with OAAM

There are different types of integration:

Basic Integration:
Features: Authentication schemes, device fingerprinting, risk analysis, and the Knowledge-based Authentication (KBA) challenge mechanism. KBA is the only challenge mechanism available in this integration. Libraries and a configuration interface for the different flows (challenge, registration, and so on). Many of the login security use cases available from OAAM.

Advanced Integration:
Features: Authentication schemes, device fingerprinting, risk analysis, KBA challenge mechanisms.
Advanced features and extensibility such as OTP Anywhere, challenge processor framework, shared library framework, and secure self-service password management flows. OAAM can also be integrated with third-party single sign-on products via systems integrators if required.

Advanced Using TAP:
Features: Authentication schemes, device fingerprinting, risk analysis, KBA challenge mechanisms, and additional advanced security access features, such as step-up authentication.
Advanced features and extensibility such as OTP Anywhere, challenge processor framework, shared library framework, and secure self-service password management flows.
OAAM can also be integrated with third-party single sign-on products via systems integrators if required.

Prerequisites:

  • For Advanced Integration, OAAM should have a separate OAAM managed server (not in the OAM managed server)
  • OAAM Admin server is required
  • OAAM database is required
  • Supported agents
    • 10g WebGate and Single Sign-On (OSSO) Agent (for Basic Integration)
    • 10g WebGate (for Advanced Integration)
    • 10g and 11g WebGates (for Advanced using TAP Integration)


To perform Advanced using TAP, first integrate in Advanced mode and then do the additional configuration for the TAP scheme.

For an external LDAP, configure the IDStore using idmConfigTool (http://docs.oracle.com/cd/E37115_01/integration.1112/e27123/idmcfgtool.htm#autoId7).

Prerequisite for OUD (run the batch files below to extend the OUD schema to support OAAM):

idmConfigTool.bat -preConfigIDStore input_file=OUD.properties

idmConfigTool.bat -prepareIDStore mode=OAAM input_file=OAAM.properties


Load Basic Snapshot of OAAM

For OAAM Admin User and groups:


Log in to the OAAM Admin Console (http://localhost:14200/oaam_admin/), click System Snapshots, and then click Load from File.

If you get the following error:
Failed to load snapshot file The snapshot file should be a ZIP file

Then uninstall WinRAR or any other software that is used to open ZIP files.

Select oaam_base_snapshot.zip from %Middleware_Home%/Oracle_IDM1/oaam/init, click Load, and then click Restore.


Initial Validation:

  • Log in to the OAM console (localhost:7001/oamconsole). If you are able to log in successfully, OAM validation is done.
  • Log in to the OAAM Server (http://host:port/oaam_server)
  • Enter any user name and click Continue
  • Enter the password as test
  • The user should get Security Questions followed by the Successful screen.

Validating OHS and WebGate Setup:

  • Make sure that OHS is installed
  • Register the WebGate with the OHS server
  • Make sure that http://OHSURL:PORT/ is protected using OAM

Register OAAM Server as Trusted Partner:

After registration, the OAAM Server can communicate with the OAM server using TAP (Trusted Application Protocol) and validate user authentications with OAM, so that OAM creates the required cookies.

Steps to Register OAAM Server as Trusted Partner for OAM:

  • Make sure that the Access Manager server is up and running
  • Navigate to C:\Oracle\Middleware\Oracle_IDM1\common\bin using a command prompt
  • Run the commands as shown below

  • Create a folder for the TAP key store using another command prompt as shown below

  • registerThirdPartyTAPPartner(partnerName = "OAAMTAPPartner", keystoreLocation= "C:/Oracle/Middleware/Oracle_IDM1/TAP/TapKeyStore/mykeystore.jks", password="Password123", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://chinni-pc:14300/oaam_server/oamLoginPage.jsp")

You should receive a "Registration successful" message.

  • Run exit() to leave the WLST console

Setting Agent Password:

The agent password needs to be set because the integration uses it in multiple places.

  • Log in to OAM Console --> System Configuration --> Access Manager --> SSO Agents --> open OAM Agents --> Search --> Open IAM Suite Agent --> Specify Access Client Password and click Apply
  • Log in to WebLogic Console --> Security Realms --> myrealm --> Providers --> IAMSuiteAgent --> Provider Specific --> Enter Agent Password and Confirm Password and click Save

Restart all 4 servers (Admin server, OAM managed server, OAAM Admin server and OAAM server).


Verify TAP Partner Registration: 

Login to OAM Console --> Policy Configuration --> Authentication Schemes --> TAP Scheme 

Check following parameters: 
Challenge Mode: DAP 
Authentication Module: DAP  
Challenge URL: /oaam_server/oamLoginPage.jsp
Challenge Parameters: 


Adding Challenge Parameter in TAP authentication Scheme (in new line):


Validate IAM SuiteAgent Setup:

  • Launch OAMTest.jar 

  • Test the following:

Setting TAP Integration Parameters in OAAM:

  • Make sure that the OAAM Managed Server is up and running
  • Create a new folder temp under the oaam folder
  • Create oaam_cli under temp

  • Copy all files from the cli folder to the temp/oaam_cli folder created in the previous step

  • Navigate to C:\Oracle\Middleware\Oracle_IDM1\oaam\temp\oaam_cli\conf\bharosa_properties and open oaam_cli.properties using an editor (Notepad)

Edit the file as shown below:

Run setupOAMTapIntegration conf/bharosa_properties/oaam_cli.properties

Provide the requested details.

Create New Resource Under application domain:

Login to OAM Console --> Policy Configuration --> Application Domains --> search --> IAM Suite --> Resources Tab --> New Resource --> Create one Resource.

Create Authentication Policy with TapScheme. 

Testing Scenario (protecting a normal resource using the TAP scheme):
Try to access the normal protected resource:

This should display the OAAM login page instead of the OAM login page.
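
The same test can be scripted. The following is an added example, not part of the original post or of Oracle's tooling: it records the redirect hops for a protected URL and checks that the request went through OAM (obrareq.cgi) and ended on the TAP scheme's Challenge URL. The host names, ports, the sample OAM login path and the assumption that every hop is an HTTP 3xx redirect are constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

CHALLENGE_PATH = "/oaam_server/oamLoginPage.jsp"  # Challenge URL of the TAP scheme

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx surfaces as HTTPError below

def redirect_chain(url, max_hops=10):
    """Request url and record each redirect hop instead of following blindly."""
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.HTTPCookieProcessor())
    chain = [url]
    for _ in range(max_hops):
        try:
            opener.open(chain[-1], timeout=10).close()
            break  # 2xx: final page reached
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code not in (301, 302, 303, 307) or not location:
                break  # 4xx/5xx or redirect without Location: stop here
            chain.append(urljoin(chain[-1], location))
    return chain

def classify(chain):
    """Decide which login page a redirect chain ends on."""
    paths = [urlsplit(u).path for u in chain]
    via_oam = any(p.endswith("/obrareq.cgi") for p in paths)
    if paths[-1] == CHALLENGE_PATH:
        challenge = "oaam"
    elif paths[-1].startswith("/oam/"):
        challenge = "oam"
    else:
        challenge = "none"  # resource was served without any challenge
    return {"via_oam": via_oam, "challenge": challenge,
            "tap_ok": via_oam and challenge == "oaam"}

# Constructed sample chains (hypothetical hosts and paths) so this runs offline.
TAP_CHAIN = [
    "http://ohs.example.com:7777/index.html",
    "http://oam.example.com:14100/oam/server/obrareq.cgi",
    "http://oaam.example.com:14300/oaam_server/oamLoginPage.jsp",
]
OAM_CHAIN = TAP_CHAIN[:2] + ["http://oam.example.com:14100/oam/pages/login.jsp"]
```

Against a live setup, call classify(redirect_chain("http://OHSURL:PORT/")) and expect tap_ok to be True; a result of challenge "oam" means the resource's authentication policy is not using the TAP scheme.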

Document Reference: (for both 11g R2 PS1 and 11g R2)


  1. Hi Ravi,
    Hope you are doing good,

    Could you please suggest on the following.

    I am running into lots of issues while doing a simple Basic
    Integration of OAM with OAAM 11g. Any suggestion would be highly

    I am trying to do Basic OAM integration with OAAM 11g; for that I've followed this doc.
    I don't find any other docs on Metalink or on the net different from this.
    There are certain configuration parameters which are not mentioned in
    the Oracle docs that I've referenced so far.

    for Basic OAM integration with OAAM (IAM Software version : Oracle Identity and Access Management 11g ( OS: RHEL 6.

    I got stuck while configuring, or rather finding, IDMDomainAgent as mentioned in the Oracle doc link; instead I find IAMSuiteAgent.

    So when I tried to create the resources under IAMSuiteAgent and provide the following information, i.e.

    Host Identifier: IAMDomain

    Resource URL: /approver/.../* OR for Resource URL: /hostname:80/.../* as I am not sure which URL to mention here, as this is a test server so no application is there.

    I wonder what the value of Resource URL should be in this case?

    After that I created a new Authentication Policy under IAMSuiteAgent and set the Authentication Scheme to OAAMBasic. But when I tried to create an Authorization Policy under IAMSuiteAgent

    getting this error :
    At least one of the policy rules must hold conditions selected for evaluation.

    The following are the steps that I've performed so far. This is a single-node installation.

    1. Created the required schemas using rcu in oracle database.11g.

    2. Install WebLogic Servers 10.3.6

    3. Install Oracle Identity and Access Management 11g (

    4. Configured the OAM & OAAM Domains that are oaam_admin_server1, oaam_offline_server1,oaam_server_server1 , oam_server1,

    5. set the OAAMEnabled value in oam-config.xml to true.

    6. Configured the DB Policy store using /Middleware/Oracle_IAM/common/tools/configureSecurityStore.py ...... Successfully.

    7. Created the oaamadmin user and assigned the OAAM*in group to it by using the WebLogic Admin Console.

    After starting all the managed servers with the Admin server successfully, these are the issues that I've encountered:

    1. The URL http://hostname:14200/oaam_admin/ is not accessible as it is getting redirected to the OAM URL http://hostname:14100/oam/server/obrareq.cgi?wh%3DIAMSuiteAgent+wu%3D%2Foaam_admin%2FadfAuthentication+wo%3DGET+rh…

    Even though there is no OHS and WebGate installed and configured.
    Could you tell me what could be the reason why this oaam_admin URL is not
    accessible, even though all the managed servers are running fine and there
    is no error in the managed and Admin server log files?

    2. The http://hostname:14300/oaam_server/loginPage.jsp
    URL is accessible and I can log in with the oaamadmin user that I've
    created using the default password test only, not with the password that
    I've set during the creation of the user oaamadmin.
    Also, when I tried to set the challenge question it logged the
    user out with this error: There was some technical error processing
    your request. Please try again.

    This might well be because I've yet to import or load the necessary policies into the
    oaam_admin server whose URL is not accessible....... Not sure why.

    Also I am supposing that there is no need to install the OHS and
    configure WebGate for Basic OAM integration with OAAM on a test server
    .. Please correct.



  2. Great article. How can I provide a forgot password reset capability using that integration?

  3. Hey Jin,

    If you are looking for Forgot Password and other advanced password services, you need to integrate OAM with OIM.

    OAAM has the capability of validating secret questions but doesn't have any functionality to change passwords, so you need to have OIM in place or you can have a custom application for changing passwords.


