How to secure and protect web applications using Oracle Access Manager and Webgate

Captions
[Music] hello everyone prasad amla here today i will show you how to protect our secure web application using oracle access manager and web gate before starting let me tell you about the environment I will be using today I am using Oracle Linux 6.7 64-bit virtual machine and I have my Oracle Identity and Access Management product installed and configured and the version of Oracle access manager I am using is 11.1 or 2.3 I have a HS 12c installed and configured in standalone mode and in 12c web gate is installed as part of for HS installation but if you are using a Levangie version of HS you need to install a gate separately next I have work a unified directory 11.1 dot 2.3 version installed and configured with some sample uses and will use it as our primary user store for authentication and authorization I have separate videos on how to install and configure our identity and access management Oracle HTTP server that is voices and worker Unified directory or UD please have a look if you want to know how to set up this environment I leave the links in the description or you can click on the information icon on top right corner of this video I have all these components on the same server now this is OK for demo purposes but ideally in production environments are you'll have them on separate physical machines and I have a sent LGB of memory to my virtual machine which should be sufficient to run why am adminserver on a managed server HS and oh you D now let me briefly tell you about the single sign-on request row in our classes manager let me divide the flow into four layers and user layer which is normally a web browser and web server layer where the application is hosted and web gate is installed and I am server which is the core component of single sign-on where all the authentications and authorizations are processed and finally use a store where our user profiles are stored in my case it is worker unified directory you can use any compatible LDAP story or user 
profiles for authentications and authorizations first the end user requests of every source using a web server URL and the request will reach the web server in my case Oracle HTTP server the web gate which is installed on the web server intercepts the incoming HTTP request nonsense it to Oracle access manager for processing Oracle access manager first checks if a session is already present if it's present it checks if the session is still valid based on the session or timeout settings if the session is not present then it checks for the policies for the requested resource and determines if it's protected or not if it's not protected it will send the decision to the web gate and web gate will serve the requested page without asking for any or credentials if the resource is protected then OEM will determine how it is protected based on the policy set by the administrators there are different ways of protecting an application which I will show you later in this video in most cases it will be a based authentication but there are many other authentication methods available in way so I am since the login page to the end-user it's also referred as credential collector user provides his credentials which are sent to a.m. 
through web gate and OEM will connect to the back end user store and validates the credentials at this stage volume will create two cookies om or thin cookie and om underscore ID once the credentials are validated it's time for raw authorization where I am determines whether authenticated user is authorized to view the requested resource or not this is determined using the authorization policy set by the administrator and the decision is sent back to the web gate if the user is authorized web gate will serve the web page and if the user is not authorized it will redirect the request to an authorized page which can be customized this is how the request flows between these four layers when you access any URL that is protected using oracle access manager next let me introduce you to some basic orc Laxus manager terminology which i'll be referring to in this video first thing is web gate also called as ym access client as I said earlier web gate is install on all web servers where the applications are hosted you have a good software available for different variety of web servers like HTTP server IBM HTTP server or Apache a Microsoft IAS or OTD that is Oracle traffic director and Domino web server as well for which is 12 C versions WebKit is included in HS itself but for older OHS versions and other web servers you need to download the software separately the role of WebKit is to intercept incoming HTTP requests and send them to om that is Oracle access manager for processing next we have two types of data stores system store and the identity store system store is used to store administrator credentials used to login to OEM console and other administration commands like remote registration wls tree etc identity store is the user store where the user credentials and groups are stored which are used for application authentication and authorization by default om uses WebLogic embedded LDAP for both system store and identity store I'll show you how to configure external 
LDAP later in this video next we have something called as a host identifier which is a logical representation of web server host you can create a host identifier while registering the web gate with the Oracle access manager next we have authentication scheme which is basically the method of authentication it also defines the level of authentication and underlying authentication modules next we have application domain which is a logical container of all the resources authentication and authorization policies application domains can be created based on business needs like location based or business unit based like you know HR application domain or finance application domain etc next we have authentication and authorization policies these are set of rules and conditions defined for an application resource which defines you know which authentication method to use which group of users can access a particular application and what her responses are to be sent back to the application after authentication on the authorization and many other parameters there are many options available to configure these policies I will show you the main ones later in this video next we have something called as responses these are values that are sent back to the application after successful authentication or authorization you can send three types of responses header responses session responses and cookie responses I will discuss more about responses later when I show you the demo now let's get into the actual process of protecting an application using oracle access manager and web gate i will not be able to cover all am components and options in this video but after watching this video you should be able to understand the basic oracle access manager policy model and main configuration options available to secure a web application using a I have my am admin server and manage server started on both seven thousand one and one for one double zero respectively and my HS is running on double seven 
double seven so as you can see this is my web logic administration console then you can see my admin server and away a managed service or run up and running I don't need other manage servers for this demo so I have not started them and on my voyages I have created two sample applications my app one and my app two and will be protecting them using oracle access manager so the urls for those applications would be oracle linux 6 : double seven double seven that is my yob ohs port and then slash my app one so this is a sample HTML page and then I have another HTML page my app - so this is my application to home page so we'll try to protect these two application URLs using Oracle access manager and then I have another page created for unauthorized access which is running on same wages that is Oracle Linux 6 : double seven double seven slash unauthorized dot HTML so we'll use this page to redirect the user if the authorization or fails I will show you how to do that later and as you can see as of now for my app 1 and my app - there is no login page and the pages are served directly without any credentials and after converting these two applications with our way we should be able to see a login page where you can use our user ID and password to login to these applications first step in this process is to configure web gate so you need to navigate to your voices middleware home in my case it is u01 app Oracle product and then now it is fmw here you can find a directory called as wave gate as I said in 12c versions of HS wave gate is already installed along with the voyages so navigate to web gate and then voices and then tools and then you need to go to deploy WebKit so here you have a script to deploy this particular web get into your raw edges instance directory so you need to execute deploy your web gate incident stored asset script along with hyphen W option which is nothing but your oasis instance directory in my case it is under my domain config F&W config components 
ohs instances and then watch this one you need to provide another option here - which that is nothing but your wrong Oracle home that is how HS Oracle home which is you 0 1 app Oracle product Android is fmw in my case so once you execute this script it basically copies the web gate related files to your instance directory that is nothing but your OHS instance directory so if you go to your instance directory here you can find the directory created for our web gate now we have web gate related files in our raw voices instance directory now we need to edit our hgtv.com file so web Gator provides a script to edit HTML Kampf so navigate to HS tools again that is under your voices home web gate OHS tools and then set up install tools here you have a script called as edit HTTP conf execute it along with the - w and - which options as we have done for a deploy a web get instance Road sh so execute this script with a hyphen W and just copy the path here and then - Oh H that is nothing but you are o HS Oracle whom it is which is f MW so this script will take the backup of existing httpd dot corn file and then modifies it to include web Gator conf so that is done now and that's it on the waiter side as of now next we need to register this web gate with Oracle access manager so let's login to am console which will be running on 7001 Oracle Linux 6 : 7,001 slash am console log in with your Rob WebLogic credentials this is why on consoles homepage or raw launch pad you can register web gate using SSO agent registration here under Quick Start results or you can click create web gate under agent section so I'll just select create web gate here it will take me to the gate creation screen first you need to select the version in our case it will be your lovin G and then you need to provide a name for your Rob web kit I'll just give - Oracle Linux 6 that is nothing but our host name and then you can now provide some description next we need to provide the base URL that is nothing but 
your ROM HS URL so that would be HTTP colon slash slash Oracle 9x6 and then your port number double seven double so on next we can provide a password for your access client this is the password used by your web gate to connect to wave server so you can provide any password here next the host identifier is automatically populated based on the web gate name so the web resources or context routes will be linked to the hosts manager which we'll be using in the policies so I leave the host identifier as DS next we have many parameters that you can use to customize the behavior of the web gate we can refer to Oracle documentation for the list of parameters in my case I am NOT adding any custom parameters next you have security option so this is basically or to secure the communication between Oracle access manager and web gate so you have open simple or cert modes here in open mode there will be no encryption in simple mode om will use self-signed certificates to secure the communication and in third mode it uses certificates signed by your third party certification Authority so it's recommended to use cert mode in production environments and also note that your OEM should be running in the same mode you use here by default om runs in open mode so if you want to use simple or cert modes you need to first change your OM mode and restart your Oracle access manager managed server so you can change the OM mode using the configuration section navigate to server instances down here here you can do an empty search so click on the search button here it will list down your wrong way a managed server select that then here you can see the default mode is open so before selecting simple or resort modes while creating the web gate you need to select the same mode here and then now restart your raw way a man it's over so I'll leave the default open mode for this demo so let me get back to web gate creation screen you can select a virtual host option if your voices contains multiple 
websites and domain names using virtual hosting I'm not selecting that because I'm not using virtual hosting next you have an option to create authentication and authorization policies automatically which can be customized later recording to your raw needs it's better to select this option rather creating all the policies from scratch and it saves some time so I'll select this Auto create policies and then you have an option of IP validation so IP validation is a security feature which checks the clients IP address and the IP address stored in the cookie so single sign-on will happen only if these two eye piece matches otherwise our user must reopen ticket so if you want you can select that option it's always better to select it in production environments next you have protected under public resource lists by default all the files on directories under your webserver root directory will be protected which is represented as slash and then star star so you can customize the Liceo so in my case my application context root is my app 1 and my app 2 so I'll just give it as slash my app 1 and then I'll add another resource list and I will give it as my app - ok and if you want to unprotect anything or if you want to make any directories or files as public then you can add those relative URLs in your public resource lists so for this demo I'm not adding anything here so once you provide all these details you can click apply here so once you click apply you will see a bunch of other parameters ok you can you can customize these parameters based on your ROM business needs I'm not explaining everything here so the important ones would be the timeout values here so you can set your timeout values based on your ROM needs I leave all other values as default also please note that import is specified as double five seven five here are not one for one double zero this double 575 port is called as om proxy port and web gates uses this particular port for communicating with Oracle 
access manager this is mainly to enable backward compatibility for older versions of web gate so once the wave gate is created om generate certain files based on the security mode selected as we have selected the open mode it generates Roby access client or XML and C valid dot SS for in simple and cert modes additional certificate and key files were generated which are rot replay underscore sir dot p.m. and Tripoli underscore key dot P so we need to copy all these files to web gates config directory on the web server that is waitress you can either download these files from am console by clicking on this download button here which will download all these files you can then upload the zip file to your ROM which is config directory and then extract them you can also find these files under the output directory inside your raw I am domain so as we have ym & OHS on the same machine so let's copy them directly on the server itself so let's go to our domain home that will be in our fmw use the projects domains and then way M domain here you have a folder called as output under which there will be another folder which are raw a gate name so a separate folder will be created for each and every web gate you register with om so in our case our web gate name is or kalanick 6 so get into that folder here you can see OB access client or XML and then C valid dot SS for you also need to copy this valid directory where you will be having another C wallet or SS for so let me copy them to my voices web gets a config directory so that will be under so I will say CP o the access client dot XML and then see where a dot SSO web page and then conflict so we need to copy these files into this directory so let me copy the wallet directory as well okay so I have copied down all these files into our rom web gates config directory at this stage if you restart your HS the application will be protected using the default authentication and authorization policies so let's restart voices on test if 
the application is protected so I will navigate to my oh it just domain bin directory and then restart my voices now my voices is restarted so let me access my app in a new browser so it would be Oracle Linux 6 : double seven double seven slash my app one so as you can see as of now it's protected by default authentication and authorization policies and by default om uses embedded LDAP for authentication so you should be able to log in with WebLogic ID so let me give my web logic credentials ok now I am logged into my application so that's how an application is protected now let's see what's happening on om site and how we can customize the policies based on our needs let me go back to my OM console so this is my M consoles home page let me first show you how to configure external LDAP for authentication under authorizations so I'll be using my Oracle unify directory for this demo so first let me verify if my ude is running I'm starting my yo UD here okay my duty is started now so I will be using this video for our authentications on the authorizations I also have some sample users created in my oud so I'll show you the sample users here I'm using a bachelor Ector estudio to connect to my IUD so let me connect to my ood and my IUDs are running on port 1 3 8 9 so this is my root domain this is equal to ia and then DC is equal to calm and I have my users under oh u is equal to people these are all the sample users which I have created again if you want to know how to install on configure UD with this sample users just watch my video and I have my groups under oh you is equal to groups so now we need to create a connection to that boy UD on our raw am console so navigate to configuration tab here and then user identity stores as you can see we have our default embedded LDAP that is nothing but user identity store already created during the installation process so now we'll add our you T so select create here and then provide details specific to your LDAP in my case 
it's UD so I'll call my store name as oh you D you can provide any name here and then store type you need to select Oracle unified directory as you can see you have many other LDAP s-- compatible with your Oracle access manager so you can use any of these LDAP directory servers so in my case I'm selecting Oracle unified directory you can provide optional description if you are using SSL you can enable SSL here and then you need to provide a location location is nothing but your hostname and port number so my host name is Oracle ionic 6 : 1 3 8 9 that is nothing but my LDAP port and then password of my administrator and then my administrator username that would be CN is equal to directory manager in case of IOD so provide your hostname and port number and then the credentials for your LDAP next you need to provide a login ID attribute that is nothing but the ID which the end-users used to login to your applications so in my case it is nothing but UID so as you can see you ID is equal to user dot zero so that will be my login ID attribute ok so I am will come and search your LDAP based on this login ID attribute during the authentication process so in my case it is UID and then the password attribute so the password attribute in my case is user password so this is the password attribute next you need to provide the search base so you need to tell who I am where to search for your users so in my case all my users are present under why u is equal to people so I will provide this as my user search base next you need to provide group search base so all my groups will be present under oh u is equal to groups so I will provide this as my group search base and that's it table you if you want you can change these connection specific details but I'll leave them as it is and then you can test the connection here you should be able to see a successful message here and then click OK and apply so now our iud connection is created successfully once the user store connection is 
created we need to configure it to be used for our application authentications and authorizations so let's go to application security tab again which is nothing but the main launch pad and then go to authentication modules under the plug-in section here do an empty search just click on the search button here it will list down all the modules here so in our case our authentication model is LDAP because all our authentications are based on how a UD so select that here you need to select the user identity store by default it is user identity store 1 which is the embedded LDAP but in our case we need to select my oud so now I am will search in your Oracle unified directory for all the authentications and authorizations so click apply here now let's look at the default application domains and authentication and authorization policies created so from the launch pad select application domains and then do an empty search here you can see our application domain is created based on the web gate name which is Oracle ionic 6 and these two are the default application domains created during the installation which are used to protect om and om administration consoles so select your new application domain that is a Oracle Linux 6 this is the summary screen where you have the name and other parameters and then you have resources authentication policies and authorization policies so resources are nothing but the context routes of your raw web application so if you do an empty search here you can see we have added my app one on my app to and then you can see the authentication policy and the authorization policy so if you want or you can add additional resources from here so you can just click create here and then specify your additional resource Pacific details so I am NOT adding any additional resource as of now next you have authentication policies so by default oracle access manager creates public resource policy and protected resource policy so you can add your resources into 
public resource policy if you want to unprotect them or if you want to exclude from om authentication and all your protected resources will be added to your protected resource policy so if we click on protected resource policy you can see the resource is added here and then you have something called as authentication scheme so this is the authentication scheme which is used for all the resources added to this particular policy so here we are using LDAP scheme as our authentication scheme you can provide success URLs and failure URLs here so if the authentication fails you can redirect the user to a custom URL or after successful authentication you can redirect the user to a success URL and then you have something called as responses here so I will discuss more about responses while talking about authorization policies so let's go to authorization policies now again here we have our two authorization policies public resource policy and protected resource policy so if you go to protected resource policy and then go to resources so here you have the resources added to your protected resource policy and then additionally here you have something called as conditions and rules so conditions and rules are basically interlinked so a condition is nothing but a filter which creates a group based on identities or IP is times and attributes so let me create some sample conditions by default the true condition will be added which satisfies everything so let's add some custom conditions so click on Add button here so under type you have four types apart from true you have IP range you have identity temporal and attribute so IP range is nothing but creating a condition based on your wrong IP s say for example if you want to allow access or deny access to you know certain set of IP addresses you can specify it using IP range condition so let's name it as IP condition and then select your condition and then you need to specify your condition specific parameters here so click Add 
and then you can specify the IP range like say for example 10.1.1.1 to say 10.1.1.10 so if you add this condition only these IPS will be allowed or are denied access to the application so whether to allow or deny access that will be specified in the rules next let me show you identity condition so select identity here and then name it as identity condition and then you can specify the identities identities are nothing but users and groups so select your condition and down below here select add you can either add users and groups or you can add LDAP search filter so let me select users and groups so on this screen you need to select the store name first so I will select my UD and then you need to select the entity type whether a user or group so you can either add users or we can add a group so let me select user here and then entity name I'll just say star so it will list on all the users and then search so here you have all the users you can select individual users and add them more to the policy so for demo purposes I'll just select two users user dot 0 and user dot 1 next let me show you temporal type condition temporally is nothing but time-based ok so select temporal here and then I'll just call it as time condition and selected so now you need to specify your start time and end time okay so say for example if you want to allow access only during business hours on business days so you can specify 0 9 : 0 0 0 0 and then say 1700 c20 and then you can select what days you want to allow or deny access so I'll say Monday Tuesday Wednesday Thursday Friday so you can add such time-based conditions as well next you have attribute based conditions so if you want to allow or deny access based on a particular attribute of the user then you can create attribute based condition so I'll select attribute here and then I'll call it as attribute condition I'd selected so select your attribute condition here and then in this section select add here you need to specify what type 
of attribute say for example if you want to allow users with a particular attribute say for example postcode ok so if you want to allow or deny users with postal code of five zero three six nine say for example you can provide this attribute in your condition so I'll just say attribute name is postal code and then operator you can specify starts with or equals or contains so I'll just say equals and then you can provide whatever value so in my case I will provide five zero three six nine so you can add any number of conditions on their respective values like this okay next we have something called as rules rules specify whether to allow or deny access to the conditions you have all these new conditions are listed down here and they have two sections allow rule and deny rule so the conditions which you want to allow you can add in the allow rule and the conditions which you want to deny access you can add in the denied rule and you also have two options here you can either select all selected conditions or any of the selected conditions okay so let me remove the default one here and then I will just add identity condition so all the users and groups added in this identity condition will be allowed access and then you can now specify your deny access here if you want to deny any of these conditions you can specify here so as of now for the demo purposes I will just add this identity condition where we have added two users user dot 0 and user dot 1 so the application will be accessed only by these two users because we have added only that condition in the hello rule next we have something called as responses responses for the values sent back to the application after successful authentication order on authorizations say for example the application need logged in users mail ID and mobile number but application will not have access to your IOD where your user profiles are stored so om is responsible to send those values back to the applications which is achieved using 
responses so you can send responses either after successful authentication or a successful authorization so you need to specify the responses in respective policies now let me show you how to add a response say for example application needs users mail ID and mobile number so the attribute names are mail and mobile so let's add these two values in responses so click Add here here you have three types of responses you can either set header responses or session responses or cookie responses so in our case it would be header responses so that the application can retrieve the values from headers you know in whatever language the application is written like in Java or PHP or ASP or something so let me select header here and then the name I can specify some name say OAM underscore I'll just call it o am user underscore mail and then the value so for value we need to follow the namespace or specifications so in my case it will be user attribute so dollar user dot eight it here that is nothing but attribute dot attribute name so in our case say for example mail click add here and then let's add another spawns select header and then name I'll just give it as AM user underscore mobile and then the value will be dollar user dot attr dot mobile so ym will search for these two attributes after you're a successful authorization and insert them into the response headers and then the application can retrieve these headers and use in their application so if you want to test these response attributes you can use different tools or browser plug-ins like Firebug or live HTTP headers but I'm also provides inbuilt OEM tester utility which is based on Java you can test the complete SSO process using your Robo am tester so let me show that quickly so if you go to your OEM home so that is under my fmw oracle underscore ym and then om slash so and then tester so here you have something called as ym test dot jar so you can execute it using java - jar option this is am tested tool so first 
section is Server Connection, so you need to provide your OAM server details. In my case it is oraclelinux6, and then the port. Here you need to provide the proxy port, which is 5575, because this is the port I used for communication between OAM and WebGate. Then your agent ID, which is nothing but your WebGate name, oraclelinux6 again in my case. Then you need to provide the password for your agent, which you gave during your WebGate registration, and click Connect. So it is connected to the primary access server. Next you need to provide the protected resource URL, which is nothing but your web server details. In my case my web server is oraclelinux6 and my web server port is 7777, and then the resource, say for example /myapp1, and click Validate. Here you can see my /myapp1 is protected using the authentication scheme, LDAPScheme, and this is the URL of your OAM server. The next section is User Identity, so you need to specify the username here. I'll just specify user.0 and then the password. I don't remember the password, so let me quickly reset it. OK, the password is reset, so let me provide the same password here and click Authenticate. As you can see, my user is authenticated and we can see the user DN here: uid=user.0,ou=People,dc=iam,dc=com. This is the DN from my OUD, and then you have a session ID. Next we can click Authorize. Now you can see Authorize is Yes, which means the authorization is successful, so the user can access this particular resource, /myapp1. And you can see these two header variables here which we have set: IAM_USER_MOBILE, the user's mobile number, and IAM_USER_MAIL, which is nothing but the user's email. So this is how you can test your policies using the OAM Tester tool.

Now let's log in to our application again using the new user credentials: oraclelinux6:7777/myapp1. Now if we provide the WebLogic credentials, your authentication should fail because we don't have the weblogic user in our OUD, so let's test that first. As you can see, you get "incorrect username or password" because the user is not present in OUD. Now let's try with our user.0 and the password. Now you should be able to log in. So now we have configured our OAM to use the external LDAP, that is Oracle Unified Directory.

Now let me show you how to configure a custom unauthorized page, to redirect the user if the authorization fails. You can go to the Summary of your authorization policy; here you have Success URL and Failure URL. Under Failure URL you need to provide your custom unauthorized page; in my case it is http://oraclelinux6:7777/unauthorized.html. If the authorization fails, the user will be redirected to this particular page. So click Apply, and make sure that this page is unprotected. Now let's access the application using some other user who is not added in the authorization policy. As you know, we have added only user.0 and user.1 in our authorization policy, so let's access it using user.3, say for example. This user.3 is not added in the authorization policy, so ideally this user should not have access to the application: the authentication should be successful but the authorization should fail. So if we click on Login, as you can see, the user is redirected to the unauthorized.html page.

That's it for today. In this demo you have seen how to configure WebGate, how to protect an application using OAM and WebGate, and how to configure custom unauthorized pages. These are the basics of protecting an application using OAM and WebGate. If you have any questions, please post them in the comments and I'll try to answer them as soon as possible. Hope you all liked the video and found it helpful; if you did, please give me a thumbs up and subscribe to my YouTube channel for more technical videos like this one. That's it for today, bye, and see you in the next one.
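The decision path the demo exercises with OAM Tester, as an added example in Python that is not part of the video and not Oracle's code: authentication against a user store is kept separate from the authorization policy, a permitted user gets the mapped header variables, a user who authenticates but is not in the policy is redirected to the Failure URL, and a helper flags the misconfiguration the demo warns about, a failure page that itself falls under a protected resource (the denied user would be bounced straight back into the policy, a redirect loop). Every host, user, password, attribute and header name below is constructed sample data, and the user store is a dictionary standing in for OUD.

```python
"""Constructed model of the OAM authentication/authorization decision path.
Not the product's code; all values are sample data for illustration."""

from dataclasses import dataclass
from urllib.parse import urlparse

# Mirrors the DN shape shown in the demo; constructed value.
BASE_DN = "ou=People,dc=iam,dc=com"

# Stand-in for the OUD user store: uid -> (password, attributes).
# A real deployment binds to the directory; plaintext here is demo only.
USER_STORE = {
    "user.0": ("Secret0!", {"mobile": "+1-555-0100", "mail": "user.0@example.com"}),
    "user.1": ("Secret1!", {"mobile": "+1-555-0101", "mail": "user.1@example.com"}),
    "user.3": ("Secret3!", {"mobile": "+1-555-0103", "mail": "user.3@example.com"}),
}


def user_dn(uid):
    return f"uid={uid},{BASE_DN}"


@dataclass
class Policy:
    resource: str        # protected path prefix on the web server
    allowed: frozenset   # DNs granted by the authorization policy
    success_url: str
    failure_url: str
    headers: dict        # response header name -> user attribute to copy


POLICIES = [
    Policy(
        resource="/myapp1",
        allowed=frozenset({user_dn("user.0"), user_dn("user.1")}),
        success_url="http://oraclelinux6:7777/myapp1",
        failure_url="http://oraclelinux6:7777/unauthorized.html",
        headers={"IAM_USER_MOBILE": "mobile", "IAM_USER_MAIL": "mail"},
    ),
]


def find_policy(path, policies=POLICIES):
    """Return the policy covering a request path, or None if unprotected."""
    for p in policies:
        if path == p.resource or path.startswith(p.resource.rstrip("/") + "/"):
            return p
    return None


def authenticate(uid, password):
    """LDAP-scheme style check against the user store: DN on success, else None."""
    entry = USER_STORE.get(uid)
    if entry is None or entry[0] != password:
        return None
    return user_dn(uid)


def access(path, uid, password, policies=POLICIES):
    """Replay one request: unprotected, authN failure, authZ failure, or allowed."""
    policy = find_policy(path, policies)
    if policy is None:
        return {"outcome": "unprotected", "status": 200}
    dn = authenticate(uid, password)
    if dn is None:
        return {"outcome": "authentication_failed", "status": 401}
    if dn not in policy.allowed:
        # Authenticated but not in the policy: redirect to the Failure URL.
        return {"outcome": "authorization_failed", "status": 302,
                "location": policy.failure_url}
    attrs = USER_STORE[uid][1]
    hdrs = {h: attrs.get(a, "") for h, a in policy.headers.items()}
    return {"outcome": "allowed", "status": 200, "dn": dn, "headers": hdrs}


def failure_urls_inside_protected_resources(policies=POLICIES):
    """Resources whose Failure URL is itself protected by some policy.
    Such a page must be unprotected, otherwise a denied user loops."""
    return [p.resource for p in policies
            if find_policy(urlparse(p.failure_url).path, policies) is not None]


if __name__ == "__main__":
    print(access("/myapp1", "weblogic", "welcome1"))   # authentication_failed
    print(access("/myapp1", "user.0", "Secret0!"))     # allowed, with headers
    print(access("/myapp1", "user.3", "Secret3!"))     # authorization_failed
    print(failure_urls_inside_protected_resources())   # [] for this policy set
```

The header map is the piece to watch in a real deployment: the values are copied from directory attributes into request headers that the application trusts, so the web server must only accept them from the WebGate and strip any client-supplied copies.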
Info
Channel: Prasad Domala
Views: 29,999
Keywords: oracle access manager, oam, webgate, configure webgate with oam, integrate webgate and oam, configure webgate on OHS, Oracle HTTP Server, OAM Tester, custom unauthorized pages in oam, protect application using oam, secure application with oam
Id: 0NLKk6XUY4I
Length: 44min 51sec (2691 seconds)
Published: Mon May 09 2016