Tuesday, January 29, 2008
Sending "Authorization" header with initial HTTP request
If OAM protects a web resource with a basic authentication scheme, any browser request for that request returns a 401 with a "WWW-Authenticate: basic" header. This prompts the browsers to pop-up the username/password dialog box. When the user types in the username and password, these credentials are sent, base64 encoded, in the next request as part of the "Authorization: basic" header.
If one does not want the browser to pop-up the dialog, or one is using a script/client application to access that resource, the "Authorization" header should be sent with the initial HTTP request. But the correct Authorization header by itself will not submit user credentials to Webgate. It seems the script/client application will also have to send a cookie in the request to make Webgate process the Authorization header. The cookie name and value are always the same:
Cookie: OBBasicAuth=fromDialog
To summarize, with all the other required HTTP headers and data, the application should send the following (for username/password as guest/password1234):
Edit: Please note that the Authorization header has the base64 encoded version of string username:password (in this case guest:password1234 which is 'Z3Vlc3Q6cGFzc3dvcmQxMjM0') and not username/password as the article mentions above. Thanks for pointing that out Filipe.
If one does not want the browser to pop-up the dialog, or one is using a script/client application to access that resource, the "Authorization" header should be sent with the initial HTTP request. But the correct Authorization header by itself will not submit user credentials to Webgate. It seems the script/client application will also have to send a cookie in the request to make Webgate process the Authorization header. The cookie name and value are always the same:
Cookie: OBBasicAuth=fromDialog
To summarize, with all the other required HTTP headers and data, the application should send the following (for username/password as guest/password1234):
Cookie: OBBasicAuth=fromDialog
Authorization: Basic Z3Vlc3Q6cGFzc3dvcmQxMjM0
Edit: Please note that the Authorization header has the base64 encoded version of string username:password (in this case guest:password1234 which is 'Z3Vlc3Q6cGFzc3dvcmQxMjM0') and not username/password as the article mentions above. Thanks for pointing that out Filipe.
Labels: Webgate Authorization Header, Webgate Basic Authentication
Global Database Name in Linux OAM and DB (OCI) environment for DB auditing
When adding Database Instances with OCI DB connection type, which is the only option for *nix based OAM installs, we have to specify the Global Database Name (GDN) for the database. Ever wondered what should the correct format for GDN be?
During a deployment, I faced this question, and after some trial and error and reading Oracle Instant Client documentation, I figured it out:
<DB Host>:<DB Port>/<ORACLE_SID>
During a deployment, I faced this question, and after some trial and error and reading Oracle Instant Client documentation, I figured it out:
<DB Host>:<DB Port>/<ORACLE_SID>
Labels: GDN, Global Database Name, OAM DB auditing
Thursday, January 17, 2008
SelfSSL Connection Errors
The IIS Resource Kit's SelfSSL tool is a quick and sneaky way to get both IIS and ADAM running SSL for quick OAM sandbox environments. I've encountered ADAM connection errors if a self signing SSL had previously been generated on the same VM/server. Here's how you get a newly self signed SSL to work on the same machine:
- Move all the old certs into an archive directory located here: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
- When you run the selfssl.exe command to install the self-signed SSL certificate into IIS, you must include the fully qualified machine name in the /N:cn parameter. For example: selfssl.exe /T /V:3650 /N:cn=oam.company.com
Verify that the new cert has been generated and that your ADAM run as user has read permissions on the cert and that should solve the problem.
Test your connection using LDP.exe, also using the fully qualified host name.
This is an excellent link with step-by-step instructions, (including the download location for the IIS 6.0 Resource kit from MS): http://geekswithblogs.net/jimiz/archive/2007/02/11/106006.aspx
Labels: SelfSSL for IIS
WebGate Installation Error - Access Server you specified is currently down
When you know that it is in fact not down, and you've checked that all your WebGate parameters are correct a million times...
The clocks of computers hosting various Oracle Access Manager components must be synchronized to within 75 or fewer seconds of each other. If the clocks are out-of-sync by more than 75 seconds, installation will fail. For installaion tasks or whenever you're attempting to connect, you will receive errors indicating that your Access Server is down if the clocks are not in sync.
Pay particular attention to this in VM environments, where system clocks may not be synchronized as they're created.
For this and other OAM installation woes, this and other useful nuggets can be found here:
http://download-uk.oracle.com/docs/cd/B28196_01/idmanage.1014/b25353/trouble.htm
The clocks of computers hosting various Oracle Access Manager components must be synchronized to within 75 or fewer seconds of each other. If the clocks are out-of-sync by more than 75 seconds, installation will fail. For installaion tasks or whenever you're attempting to connect, you will receive errors indicating that your Access Server is down if the clocks are not in sync.
Pay particular attention to this in VM environments, where system clocks may not be synchronized as they're created.
For this and other OAM installation woes, this and other useful nuggets can be found here:
http://download-uk.oracle.com/docs/cd/B28196_01/idmanage.1014/b25353/trouble.htm
Labels: OAM installation errors
Friday, January 04, 2008
Request for Feedback - Oracle Access Manager Configuration Manager
Has anyone out there deployed the Oracle Access Manager Configuration Manager?
This is Oracle's productized solution to the OAM horizontal migration challenge... The product has been out for year now but I can't find anyone who says they've used it.
Have you deployed it? Do you have any plans to deploy it?
Please leave a comment with any input.
Cheers.
This is Oracle's productized solution to the OAM horizontal migration challenge... The product has been out for year now but I can't find anyone who says they've used it.
Have you deployed it? Do you have any plans to deploy it?
Please leave a comment with any input.
Cheers.
Wednesday, January 02, 2008
Installing Oracle Directory Manager
Though there's not much you can't do via ldapmodify and the command line with OID, it can sure save a lot of time and energy to have access to the graphical user interface of the Oracle Directory Manager tool. Of course, you can pursue XWindows solutions to access the console on the Linux host, but it is quite convenient to have a local copy of the tool on your windows workstation.
Turns out it is a bit of a maze to figure out what package you really need to get to have the tool at your disposal.
Here is where I found what I was looking for:
http://www.oracle.com/technology/software/products/database/oracle10g/htdocs/10201winsoft.html
Oracle Database 10g Client Release 2 (10.2.0.1.0)
http://download.oracle.com/otn/nt/oracle10g/10201/10201_client_win32.zip
(requires OTN credentials)
Do a 'Custom' install and choose on the Directory Administration tools...
Turns out it is a bit of a maze to figure out what package you really need to get to have the tool at your disposal.
Here is where I found what I was looking for:
http://www.oracle.com/technolog
Oracle Database 10g Client Release 2 (10.2.0.1.0)
http://download.oracle.com/otn/nt/oracle10g/10201/10201_client_win32.zip
(requires OTN credentials)
Do a 'Custom' install and choose on the Directory Administration tools...
