Manual Chapter : Integrating APM with Oracle Access Manager

Applies To:


BIG-IP APM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

Integrating APM with Oracle Access Manager

About AAA OAM server configuration

You can configure only one AAA OAM server, but it can support multiple AccessGates from the same access server. When you create an AAA OAM server, its transport security mode must match the setting in the OAM access server.

Before you begin integrating Access Policy Manager with OAM

Before you start to integrate Access Policy Manager with OAM, configure the Access Server and AccessGates through the Oracle Access administrative user interface. Refer to the Oracle® Access Manager Access Administration Guide for steps.

Importing AccessGate files when transport security is set to cert

Check the transport security mode that is configured on the OAM access server. If transport security mode is configured to cert, copy the certificate, certificate chain, and key files (by default, aaa_cert.pem, aaa_chain.pem, and aaa_key.pem respectively) for each AccessGate from the OAM access server to the BIG-IP system.
If Transport Security Mode is set to open or simple, you can skip this procedure.
You must import the certificate, certificate chain, and key files for each AccessGate into the BIG-IP system. Repeat this procedure for each AccessGate. Import certificate and certificate chain files before importing the corresponding private key file.
If a signing chain certificate (CA) is the subordinate of another Certificate Authority, both certificates, in PEM format, must be included in the file with the subordinate signer CA first, followed by the root CA, including " -----BEGIN/END CERTIFICATE-----".
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
     The Traffic Certificate Management screen opens.
  2. Click the Import button.
  3. From the Import Type list, select Certificate.
  4. For the Certificate Name setting, select the Create New option, and type a unique name that enables you to identify the file as belonging to this particular AccessGate.
  5. For the Certificate Source setting, select the Upload File option, and browse to the location of the certificate or the certificate chain file.
     If you kept the default filenames when you copied the files to the BIG-IP system, look for aaa_cert.pem or aaa_chain.pem.
  6. Click Import.
     A certificate or certificate chain file has been imported for the AccessGate. To import the other (certificate or certificate chain) file for this AccessGate, repeat the steps that you have just completed before you continue.
  7. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
     The Traffic Certificate Management screen opens.
  8. Click the Import button.
  9. From the Import Type list, select Key.
  10. For the Key Name setting, select the Create New option, and type a unique name that enables you to identify the file as belonging to this particular AccessGate.
      When you import the key file, you are importing the private key that corresponds to the already imported certificate and certificate chain while renaming the file from its default name aaa_key.pem.
  11. For the Key Source setting, do one of the following:
      • Select the Upload File option, and browse to the location of the key file.
      • Select the Paste Text option, and paste the key text copied from another source.
  12. Click Import.
      The key file is imported.
Certificate, certificate chain, and key files have been imported for an AccessGate.
Repeat the procedure to import these files for any other AccessGate.
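The chain-file rule above (subordinate signer CA first, then the root CA, certificates only) is easy to get wrong by hand, and a mis-ordered or key-contaminated file is only discovered when the AccessGate fails to connect. The following script is an added example, not part of this manual or of the BIG-IP product: it splits a PEM bundle into blocks, walks just enough of each certificate's DER to read its issuer and subject names, and reports whether the file is ordered as required and free of private-key blocks. The certificates it checks itself against are constructed, unsigned shells built inline so the script runs offline; run it against your real aaa_chain.pem by passing the file's text to check_chain_file().

```python
import base64
import re

# Matches one PEM block; captures its label (CERTIFICATE, PRIVATE KEY, ...) and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in the file text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, end_position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a constructed DER value into raw child TLVs (tag+len+value)."""
    out, pos = [], 0
    while pos < len(value):
        start = pos
        _, _, pos = der_tlv(value, pos)
        out.append(value[start:pos])
    return out


def cert_names(der):
    """Return (issuer, subject) of an X.509 cert as raw DER Name encodings.

    Walks Certificate -> tbsCertificate -> [0] version?, serial, sigalg, issuer, validity, subject.
    """
    _, cert_body, _ = der_tlv(der)
    _, tbs_body, _ = der_tlv(der_children(cert_body)[0])
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:              # optional explicit [0] version
        fields = fields[1:]
    return fields[2], fields[4]


def check_chain_file(text):
    """Return a list of problems; an empty list means the chain file is ready to import."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems = [f"unexpected {label} block; the chain file must hold certificates only"
                for label, _ in blocks if label != "CERTIFICATE"]
    names = [cert_names(der) for label, der in blocks if label == "CERTIFICATE"]
    for i in range(len(names) - 1):       # issuer of cert i must be the subject of cert i+1
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}: "
                            "wrong order or a missing link")
    if names and names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-signed; the root CA must come last")
    return problems


# --- Constructed sample data (not real CA certificates; names are made up) ---------------
def der(tag, content):
    """Minimal DER encoder for the samples below (lengths up to 65535)."""
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = b"\x81" + bytes([n])
    else:
        ln = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + content


def fake_name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, PrintableString cn } } }."""
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))


def fake_cert(subject, issuer):
    """A structurally valid but unsigned certificate shell: enough for the name walk above."""
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + fake_name(issuer)
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
              + fake_name(subject) + der(0x30, b""))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))


def to_pem(label, data):
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


ROOT = fake_cert("Example Root CA", "Example Root CA")               # self-signed root
SUB = fake_cert("Example Issuing CA", "Example Root CA")             # subordinate signer
GOOD_CHAIN = to_pem("CERTIFICATE", SUB) + to_pem("CERTIFICATE", ROOT)  # subordinate first
WRONG_ORDER = to_pem("CERTIFICATE", ROOT) + to_pem("CERTIFICATE", SUB)
WITH_KEY = GOOD_CHAIN + to_pem("PRIVATE KEY", b"\x30\x00")           # key pasted by mistake

if __name__ == "__main__":
    for name, text in [("good", GOOD_CHAIN), ("wrong order", WRONG_ORDER), ("with key", WITH_KEY)]:
        print(f"{name}: {check_chain_file(text) or 'ok'}")
```

The check compares the raw DER Name encodings rather than parsed strings, so it does not depend on attribute types or encodings; it deliberately verifies structure and order only, not signatures, which the BIG-IP system and the OAM access server validate when the AccessGate connects.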

Creating an AAA OAM server

If transport security mode is configured to cert on the access server, import the certificates, keys, and CA certificate for the AccessGates into the BIG-IP system.
Create an AAA server for OAM to deploy Access Policy Manager in place of OAM 10g WebGates.
Only one OAM server per BIG-IP system is supported. Multiple OAM 10g webgates from the same OAM server are supported.
  1. In the navigation pane, click Access > Authentication > Oracle Access Manager.
     The Oracle Access Manager Server screen opens.
  2. Click Create if no Oracle Access Manager server is defined yet.
     The New OAM Server screen opens.
  3. Type a name for the AAA OAM server.
  4. For Access Server Name, type the name that was configured in Oracle Access System for the access server.
     To find the access server name, open the OAM Access System Console and select Access system configuration > Access Server Configuration.
  5. For Access Server Hostname, type the fully qualified DNS host name for the access server system.
  6. For Access Server Port, accept the default 6021, or type the port number.
     For earlier versions of OAM, the default server port is 6021. For later versions, the default server port is 5575.
  7. For Admin Id, type the admin ID.
     Admin Id and Admin Password are the credentials that are used to retrieve host identifier information from OAM. Usually, these are the credentials for the administrator account of both Oracle Access Manager and Oracle Identity Manager.
  8. For Admin Password, type the admin password.
  9. For Retry Count, accept the default 0, or enter the number of times an AccessGate should attempt to contact the access server.
  10. For Transport Security Mode, select the mode (open, simple, or cert) that is configured for the access server in Oracle Access System.
  11. If Transport Security Mode is set to simple, type and re-type a Global Access Protocol Passphrase; it must match the global passphrase that is configured for the access server in OAM.
  12. For AccessGate Name, type the name of an AccessGate; it must match the name of an AccessGate that is configured on the OAM access server.
  13. For AccessGate Password and Verify Password, type the password; it must match the password that is configured for it on the OAM access server.
  14. If transport security mode is set to cert, select the Certificate, Key, and CA Certificate that you imported for this particular AccessGate.
  15. If transport security mode is set to cert and if a sign key passphrase is needed, type a Sign Key Passphrase and re-type it to verify it.
  16. Click Finished.
Add any other AccessGates that are configured for the OAM access server to this Oracle Access Manager AAA server. Then, for each AccessGate, configure a virtual server and enable OAM support on it for native integration with OAM.

Adding AccessGates to the OAM AAA server

You must create an Oracle Access Manager AAA server with one AccessGate before you can add other AccessGates.
Access Policy Manager can support multiple AccessGates from the same OAM access server. To enable the support, add the AccessGates to the Oracle Access Manager AAA server.
  1. In the navigation pane, click Access > Authentication > Oracle Access Manager.
     The Oracle Access Manager Server screen opens.
  2. Click the name of the Oracle Access Manager AAA server.
     The Properties page opens.
  3. Scroll down to the AccessGate List and click Add.
     The New AccessGate page opens.
  4. For AccessGate Name, type the name of an AccessGate; it must match the name of an AccessGate that is configured on the OAM access server.
  5. For AccessGate Password and Verify Password, type the password; it must match the password that is configured for it on the OAM access server.
  6. If transport security mode is set to cert for the access server, select the Certificate, Key, and CA Certificate that you imported for this particular AccessGate.
  7. If transport security mode is set to cert for the access server, and if a sign key passphrase is needed, type a Sign Key Passphrase and re-type it to verify it.
  8. Click the Finished button.
The AccessGate is added.

Create a virtual server for each OAM AccessGate

Configure an AAA OAM server and add AccessGates to it before you perform this task.
A virtual server represents a destination IP address for application traffic. Configure one virtual server for each AccessGate that is included on the AAA OAM server AccessGates list.
  1. On the Main tab, click Local Traffic > Virtual Servers.
     The Virtual Server List screen opens.
  2. Click Create.
     The New Virtual Server screen opens.
  3. In the Destination Address field, type the IP address for a host virtual server.
     The IP address you type must be available and not in the loopback network.
     This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  4. In the Service Port field:
     • If you want to specify a single service port or all ports, confirm that the Port button is selected, and type or select a service port.
     • If you want to specify multiple ports other than all ports, select the Port List button, and confirm that the port list that you previously created appears in the box.
  5. In the Resources area of the screen, from the Default Pool list, select the relevant pool name.
  6. Scroll down to the Access Policy section and check the Enabled box for OAM Support.
  7. Select an AccessGate from the list.
     If you select Default, Access Policy Manager reads Oracle configuration information to determine which AccessGate to associate with this virtual server.
  8. Click Finished.
A destination IP address on the Access Policy Manager system is now available for application traffic.

Troubleshooting tips

You might run into problems with the integration of Access Policy Manager and OAM in some instances. Follow these tips to try to resolve any issues you might encounter.

Troubleshooting tips for initial configuration

You should: Check network connectivity
Steps to take: Ping the OAM Access Server from the BIG-IP system.

You should: Test without OAM support enabled first
Steps to take: Before you test with OAM support enabled, make sure that the BIG-IP system has basic connectivity to protected applications.
  • Disable the OAM Support property on the virtual server.
  • Verify that you can reach the pool and the application.
After succeeding, re-enable OAM support on the virtual server.

You should: Check the configuration for accuracy
Steps to take:
  • Confirm that the AAA server object is correct, particularly the OAM server section.
  • Confirm that the AccessGates configured on the BIG-IP system within the AAA server are correct.

Additional troubleshooting tips

You should: Verify access
Steps to take: OAM provides tools for the administrator to test how access policies respond to various requests. Use the Access Tester to test access policies with given identities and for given users. This tool can be helpful in determining whether the access provided by the BIG-IP system is consistent with the policies configured under OAM.

You should: Resolve sudden problems
Steps to take: Changes that have been made on the OAM server can cause mismatches on the BIG-IP system because of a configuration cache that is kept on the BIG-IP system. To resolve this problem, delete the cache configuration file of the corresponding AccessGate configuration.
  • Delete the config.cache file located in config/aaa/oam/<filepath>, for example /config/aaa/oam/Common/oamaaa1/AccessGate1/config.cache.
  • At the command line, restart the EAM service by typing bigstart restart eam.

You should: Check logs
Steps to take: Enable and review the log files on the BIG-IP system.
  • The most relevant log items are kept in /var/log/apm, which is the primary location for messages related to the operation of OAM.
  • Additional logging is done in /var/log/oblog.log. This file contains AccessGate logging, which might be helpful in certain circumstances.