Saturday, July 11, 2015

Oracle Access Manager: Create a Web Service for Authentication Using an Access Gate

Creating an Access Gate using OAM 11gR2

The Oracle documentation has proper steps for creating a custom Access Gate, but it lacks steps on how to deploy it. Recently I had to create a web service that authenticates users against OAM through a custom Access Gate, and it took a while to get it deployed. Below are the brief steps on how to create one. The code was written in Eclipse.

  1. Download the ASDK from edelivery.oracle.com. We were using OAM 11gR2 BP04 but could not find an ASDK for that exact version; we downloaded version 11.1.2.2.2 and it worked for us.
  2. Unzip the contents to a directory.
  3. Create a Web Service project in Eclipse.
  4. Project name used: OamAuthenticationService
  5. Add the following JAR files to the project's classpath.
  6. Add oamasdk-api.jar to the WEB-INF/lib folder.
  7. Copy the ObAccessClient.xml file generated for the agent to the ASDK/oblix/lib folder. (I had a 10g WebGate profile, hence only ObAccessClient.xml; for an 11g agent profile cwallet.sso has to be copied as well.)
  8. To run the code as a standalone Java program you also need to add a jps-config.xml under the folder ASDK/config.
  9. Update the contents of jps-config.xml to reflect the Access Gate name.
  10. Write the Java code as described in the Oracle ASDK documentation.
  11. I read the ASDK location and the Access Gate name from a properties file. The resource name (ms_resource) should be of the form <Access Gate name as shown in the OAM Console>/<resource>; in my case it is http://OAMASDK/fed. Refer to the screenshot in step 7.
  12. Contents of the properties file (note that the location is the folder where you unzipped the ASDK contents):
  13. That is all that is required to test the app as a standalone Java program.
  14. To deploy this to a server with a JRF environment, some further modifications are needed.
  15. Failing to make them may result in runtime exceptions such as class definitions not being found. Create a weblogic.xml file under the WEB-INF folder if it does not exist and add the following contents to it. The prefer-application-packages entry makes the container load the oracle.security.am classes from the WAR's own WEB-INF/lib rather than from the server's classpath.
    <?xml version="1.0" encoding="UTF-8"?>
    <wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.3/weblogic-web-app.xsd">
        <wls:weblogic-version>10.3.6</wls:weblogic-version>
        <wls:context-root>OAMAuthenticationService</wls:context-root>
        <wls:container-descriptor>
            <wls:prefer-application-packages>
                <!-- add package names from the Oracle Access Server SDK -->
                <wls:package-name>oracle.security.am.*</wls:package-name>
            </wls:prefer-application-packages>
        </wls:container-descriptor>
    </wls:weblogic-web-app>
  16. On the server where we intend to deploy the WAR file, locate the system-jazn-data.xml file in the $DOMAIN_HOME/config/fmwconfig folder.
  17. Take a backup of the current file and add an entry to it as follows. Make sure the entry goes under the <jazn-policy> section and not under <admin-policy>. If this entry is not done properly you will get an access denied exception from oracle.security.jps (the CredentialAccessPermission check fails when the ASDK reads the agent credentials from the OPSS credential store). The codesource URL must point at the deployed application's folder under the server's tmp directory, and the folder name must be the deployed application name. Do not forget the "/-" at the end; it covers everything under that folder. Note that keyName=* lets this code source read every key in the OAMAgent map, so narrow it to the key the agent actually uses if your environment lets you identify it.
    <grant>
        <grantee>
            <codesource>
                <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/OAMAuthenticationService/-</url>
            </codesource>
        </grantee>
        <permissions>
            <permission>
                <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
                <name>context=SYSTEM,mapName=OAMAgent,keyName=*</name>
                <actions>read</actions>
            </permission>
        </permissions>
    </grant>
  18. Move the ASDK to the server machine and update the path in the Java code as required. The jps-config.xml placed under the config folder in step 8 must be removed from the ASDK on the server machine: inside a JRF domain the server's own OPSS configuration (and the grant from step 17) is used instead.
  19. In the generated WAR file, check that oamasdk-api.jar is included in the WEB-INF/lib folder.
  20. Deploy the WAR.
  21. That's all; you should be good to go.
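The Java side that steps 10 to 13 leave to the Oracle documentation, written out as an added example (this is not the post's own code): the ASDK location and Access Gate name come from a properties file, the resource is built as "<Access Gate name>/<resource>", and a single call authenticates a user and returns the OAM session token. It uses only the public OAM 11g ASDK API (AccessClient, ResourceRequest, UserSession and AccessException from oracle.security.am.asdk, compiled against oamasdk-api.jar). The class name, the Result type and the property keys asdk.location, accessgate.name, resource.protocol, resource.path and asdk.compat10g are my own assumptions, not names from the post or from Oracle.

```java
// Added example: an Access Gate wrapper over the OAM 11g ASDK. Property keys,
// class and method names are assumptions; the ASDK calls are Oracle's public API.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Properties;

import oracle.security.am.asdk.AccessClient;
import oracle.security.am.asdk.AccessException;
import oracle.security.am.asdk.ResourceRequest;
import oracle.security.am.asdk.UserSession;

public class OamAuthenticator {

    /** What the web service hands back. Carries the OAM token, never the password. */
    public static final class Result {
        public final boolean authenticated;
        public final boolean authorized;
        public final String sessionToken;   // opaque OAM token: a credential, do not log it
        public final String message;

        Result(boolean authenticated, boolean authorized, String sessionToken, String message) {
            this.authenticated = authenticated;
            this.authorized = authorized;
            this.sessionToken = sessionToken;
            this.message = message;
        }
    }

    private final AccessClient client;
    private final String protocol;
    private final String resource;   // ASDK form "//<Access Gate name>/<path>", e.g. "//OAMASDK/fed"

    public OamAuthenticator(Properties p) throws AccessException {
        String asdkLocation = require(p, "asdk.location");   // folder where the ASDK was unzipped
        String gateName = require(p, "accessgate.name");     // Access Gate name from the OAM Console
        protocol = p.getProperty("resource.protocol", "http");
        resource = "//" + gateName + "/" + p.getProperty("resource.path", "fed");
        // 10g WebGate profile (ObAccessClient.xml only) vs 11g agent profile (plus cwallet.sso)
        boolean compat10g = Boolean.parseBoolean(p.getProperty("asdk.compat10g", "true"));
        client = AccessClient.createDefaultInstance(asdkLocation,
                compat10g ? AccessClient.CompatibilityMode.OAM_10G
                          : AccessClient.CompatibilityMode.OAM_11G);
    }

    private static String require(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null || v.trim().isEmpty()) {
            throw new IllegalArgumentException("missing property: " + key);
        }
        return v.trim();
    }

    public Result authenticate(String userId, char[] password) throws AccessException {
        ResourceRequest rrq = new ResourceRequest(protocol, resource, "GET");
        // An unprotected resource means the policy or host identifier is wrong:
        // refuse rather than "succeed" without the password ever being checked.
        if (!rrq.isProtected()) {
            return new Result(false, false, null,
                    "resource " + protocol + ":" + resource + " is not protected by OAM");
        }
        Hashtable<String, String> creds = new Hashtable<>();
        creds.put("userid", userId);
        creds.put("password", new String(password));
        try {
            UserSession session = new UserSession(rrq, creds);
            if (session.getStatus() != UserSession.LOGGEDIN) {
                return new Result(false, false, null, "authentication failed for " + userId);
            }
            boolean authorized = session.isAuthorized(rrq);
            String token = authorized ? session.getSessionToken() : null;
            return new Result(true, authorized, token,
                    authorized ? "ok" : "authenticated but not authorized for " + resource);
        } finally {
            creds.clear();                 // drop the password copy as soon as the ASDK is done with it
            Arrays.fill(password, '\0');
        }
    }

    public void shutdown() {
        client.shutdown();
    }

    /** Standalone test for step 13: java OamAuthenticator oam.properties <user id> */
    public static void main(String[] args) throws IOException, AccessException {
        if (args.length != 2 || System.console() == null) {
            System.err.println("usage: java OamAuthenticator <properties file> <user id> (from a terminal)");
            System.exit(2);
        }
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(args[0])) {
            p.load(in);
        }
        char[] pw = System.console().readPassword("OAM password for %s: ", args[1]);
        OamAuthenticator auth = new OamAuthenticator(p);
        try {
            Result r = auth.authenticate(args[1], pw);
            System.out.println(r.message + " (authenticated=" + r.authenticated
                    + ", authorized=" + r.authorized + ")");
        } finally {
            auth.shutdown();
        }
    }
}
```

Three choices matter for the deployed service. The password is read from the console in the standalone test and passed as a char[] so it does not land in argv or shell history and can be zeroed after use; the web service should treat the session token as the credential it is and return it only over TLS. A resource that reports isProtected() == false is handled as a configuration error, because a "login" against an unprotected resource would succeed without OAM ever checking the password. Build one OamAuthenticator per application and call shutdown() when it is undeployed, since createDefaultInstance() sets up the agent connection to the OAM server and is not something to repeat per request.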
