Manual Chapter: Integrating APM with Oracle Access Manager
Applies To: BIG-IP APM 17.0.0, 16.1.0, 16.0.1, 16.0.0, 15.1.0
About AAA OAM server configuration
You can configure only one AAA OAM server on a BIG-IP system, but it can support multiple AccessGates from the same access server. When you create an AAA OAM server, its transport security mode (open, simple, or cert) must match the mode that is configured on the OAM access server.
Before you begin integrating APM with OAM
Before you start to integrate Access Policy Manager with OAM, configure the Access Server and AccessGates through the Oracle Access administrative user interface. Refer to the Oracle® Access Manager Access Administration Guide for steps.
Importing AccessGate files when transport security is set to cert
Check the transport security mode that is configured on the OAM access server. If the transport security mode is cert, copy the certificate, certificate chain, and key files (by default, aaa_cert.pem, aaa_chain.pem, and aaa_key.pem respectively) for each AccessGate from the OAM access server to the BIG-IP system. If the transport security mode is open or simple, you can skip this procedure.
You must import the certificate, certificate chain, and key files for each AccessGate into the BIG-IP system, so repeat this procedure for each AccessGate. Import the certificate and certificate chain files before importing the corresponding private key file.
If the signing CA certificate is subordinate to another Certificate Authority, the chain file must contain both certificates in PEM format, with the subordinate signer CA first, followed by the root CA, each including its "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
- On the Main tab, open the Traffic Certificate Management screen.
- Click the Import button.
- From the Import Type list, select Certificate.
- For the Certificate Name setting, select the Create New option, and type a unique name that enables you to identify the file as belonging to this particular AccessGate.
- For the Certificate Source setting, select the Upload File option, and browse to the location of the certificate or the certificate chain file. If you kept the default file names when you copied the files to the BIG-IP system, look for aaa_cert.pem or aaa_chain.pem.
- Click Import. A certificate or certificate chain file has been imported for the AccessGate. To import the other (certificate or certificate chain) file for this AccessGate, repeat the steps that you have just completed before you continue.
- On the Main tab, open the Traffic Certificate Management screen.
- Click the Import button.
- From the Import Type list, select Key.
- For the Key Name setting, select the Create New option, and type a unique name that enables you to identify the file as belonging to this particular AccessGate. When you import the key file, you are importing the private key that corresponds to the already imported certificate and certificate chain, while renaming the file from its default name aaa_key.pem.
- For the Key Source setting, do one of the following:
- Select the Upload File option, and browse to the location of the key file.
- Select the Paste Text option, and paste the key text copied from another source.
- Click Import. The key file is imported.
Repeat the procedure to import these files for any other AccessGate.
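The chain-ordering and key-matching requirements in this procedure are easy to get wrong, and the import screen does not validate them for you. The following script is an added example, not part of the F5 documentation or of the OAM product: it checks one AccessGate's certificate, chain, and key files before you import them, using only the OpenSSL command-line tool (assumed to be installed). The file names follow the defaults named above; the make_demo_pki helper, the "Demo Root CA", "Demo Issuing CA" and "accessgate01" names, and the throwaway root / issuing CA / AccessGate hierarchy it builds are constructed for illustration so the check can be exercised offline.

```shell
#!/bin/sh
# check_accessgate_files.sh: added example, not part of the F5 documentation
# or of OAM. Sanity-checks one AccessGate's certificate, chain and key files
# before they are imported into the BIG-IP system. Assumes the OpenSSL CLI.
# Usage: sh check_accessgate_files.sh CERT CHAIN KEY      (or: --demo)

strip_label() { sed 's/^[^=]*=//'; }   # drop the leading "subject=" / "issuer="
subject_of()  { openssl x509 -in "$1" -noout -subject | strip_label; }
issuer_of()   { openssl x509 -in "$1" -noout -issuer  | strip_label; }

# Returns 0 when the three files are mutually consistent, 1 otherwise
# (with the reason on stderr).
check_accessgate_files() {
  cert=$1; chain=$2; key=$3
  tmp=$(mktemp -d) || return 1
  fail() { echo "FAIL: $1" >&2; rm -rf "$tmp"; }

  # 1. Each file holds the right kind of object. A private key pasted into
  #    the certificate import, or a whole bundle in the cert field, fails here.
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert")" -eq 1 ] \
    || { fail "$cert must contain exactly one certificate"; return 1; }
  grep -q -- 'PRIVATE KEY-----' "$key" \
    || { fail "$key contains no private key"; return 1; }
  ! grep -q 'ENCRYPTED' "$key" \
    || { fail "$key is passphrase-protected; this check expects an unencrypted key"; return 1; }

  # 2. The key belongs to the certificate: both must yield the same public key.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { fail "$key is not the private key for $cert"; return 1; }

  # 3. Chain order: subordinate signer first, root last, each certificate
  #    issued by the one that follows it. Split the bundle, one block per file.
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain")
  [ "$n" -ge 1 ] || { fail "$chain contains no certificates"; return 1; }
  awk -v p="$tmp/chain" '/-----BEGIN CERTIFICATE-----/{i++} i{print > (p "." i)}' "$chain"
  expect=$(issuer_of "$cert")
  i=1
  while [ "$i" -le "$n" ]; do
    blk="$tmp/chain.$i"
    [ "$(subject_of "$blk")" = "$expect" ] \
      || { fail "chain certificate $i is '$(subject_of "$blk")' but the expected issuer is '$expect'"; return 1; }
    expect=$(issuer_of "$blk")
    i=$((i + 1))
  done
  [ "$(subject_of "$tmp/chain.$n")" = "$expect" ] \
    || { fail "the last certificate in $chain is not a self-signed root"; return 1; }

  # 4. Full path validation, trusting only the root that ends the chain.
  openssl verify -CAfile "$tmp/chain.$n" -untrusted "$chain" "$cert" >/dev/null 2>&1 \
    || { fail "openssl verify rejected $cert against $chain"; return 1; }

  rm -rf "$tmp"
  echo "OK: $cert, $chain and $key are consistent"
}

# Constructed demo material (not OAM's own files): a throwaway root CA, an
# issuing CA below it, and an AccessGate certificate, written with the default
# file names used by the import procedure.
make_demo_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Issuing CA' \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/inter.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=accessgate01' \
    -keyout "$dir/aaa_key.pem" -out "$dir/ag.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/ag.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -days 1 -out "$dir/aaa_cert.pem" >/dev/null 2>&1
  # Subordinate signer first, root last, as the BIG-IP import expects.
  cat "$dir/inter.pem" "$dir/root.pem" > "$dir/aaa_chain.pem"
}

case "$#:${1:-}" in
  3:*)      check_accessgate_files "$1" "$2" "$3" ;;
  1:--demo) d=$(mktemp -d); make_demo_pki "$d"
            check_accessgate_files "$d/aaa_cert.pem" "$d/aaa_chain.pem" "$d/aaa_key.pem"
            rm -rf "$d" ;;
  *)        : ;;   # no arguments: only define the functions (so the file can be sourced)
esac
```

Run it as sh check_accessgate_files.sh aaa_cert.pem aaa_chain.pem aaa_key.pem against the files you copied from the OAM access server; --demo runs it against the constructed hierarchy. A chain with the root listed first, or a key that belongs to a different AccessGate, is reported before anything reaches the BIG-IP. On the BIG-IP itself, the command-line equivalent of the import steps above is tmsh install sys crypto cert <name> from-local-file <path> followed by tmsh install sys crypto key <name> from-local-file <path> (general tmsh syntax, not taken from this page), which also keeps the certificate-before-key order the procedure requires.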
Creating an AAA OAM server
If the transport security mode is configured to cert on the access server, import the certificates, keys, and CA certificate for the AccessGates into the BIG-IP system before you begin.
Create an AAA server for OAM to deploy Access Policy Manager in place of OAM 10g WebGates. Only one OAM server per BIG-IP system is supported. Multiple OAM 10g WebGates from the same OAM server are supported.
- In the navigation pane, open the Oracle Access Manager Server screen.
- Click Create if no Oracle Access Manager server is defined yet. The New OAM Server screen opens.
- Type a name for the AAA OAM server.
- For Access Server Name, type the name that was configured in Oracle Access System for the access server. You can look up this name in the OAM Access System Console.
- For Access Server Hostname, type the fully qualified DNS host name for the access server system.
- For Access Server Port, accept the default 6021, or type the port number. For earlier versions of OAM, the default server port is 6021; for later versions, it is 5575.
- For Admin Id, type the admin ID. Admin Id and Admin Password are the credentials that Access Policy Manager uses to retrieve host identifier information from OAM. Usually, these are the credentials for the administrator account of both Oracle Access Manager and Oracle Identity Manager.
- For Admin Password, type the admin password.
- For Retry Count, accept the default 0, or type the number of times an AccessGate should retry contacting the access server.
- For Transport Security Mode, select the mode (open, simple, or cert) that is configured for the access server in Oracle Access System.
- If Transport Security Mode is simple, type and re-type a Global Access Protocol Passphrase; it must match the global passphrase that is configured for the access server in OAM.
- For AccessGate Name, type the name of an AccessGate; it must match the name of an AccessGate that is configured on the OAM access server.
- For AccessGate Password and Verify Password, type the password; it must match the password that is configured for that AccessGate on the OAM access server.
- If Transport Security Mode is cert, select the Certificate, Key, and CA Certificate that you imported for this particular AccessGate.
- If Transport Security Mode is cert and a sign key passphrase is needed, type a Sign Key Passphrase and re-type it to verify it.
- Click Finished.
Add any other AccessGates that are configured for the OAM access server to this Oracle Access Manager AAA server. Then, for each AccessGate, configure a virtual server and enable OAM support on it for native integration with OAM.
Adding AccessGates to the OAM AAA server
You must create an Oracle Access Manager AAA server with one AccessGate before you can add other AccessGates.
Access Policy Manager can support multiple AccessGates from the same OAM access server. To enable the support, add the AccessGates to the Oracle Access Manager AAA server.
- In the navigation pane, open the Oracle Access Manager Server screen.
- Click the name of the Oracle Access Manager AAA server. The Properties page opens.
- Scroll down to the AccessGate List and click Add. The New AccessGate page opens.
- For AccessGate Name, type the name of an AccessGate; it must match the name of an AccessGate that is configured on the OAM access server.
- For AccessGate Password and Verify Password, type the password; it must match the password that is configured for that AccessGate on the OAM access server.
- If the transport security mode for the access server is cert, select the Certificate, Key, and CA Certificate that you imported for this particular AccessGate.
- If the transport security mode for the access server is cert and a sign key passphrase is needed, type a Sign Key Passphrase and re-type it to verify it.
- Click the Finished button.
Create a virtual server for each OAM AccessGate
Configure an AAA OAM server and add AccessGates to it before you perform this task.
A virtual server represents a destination IP address for application traffic. Configure one virtual server for each AccessGate that is included in the AAA OAM server's AccessGate list.
- On the Main tab, open the Virtual Server List screen.
- Click Create. The New Virtual Server screen opens.
- In the Destination Address/Mask field, type the IP address for a host virtual server. The IP address you type must be available and not in the loopback network. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
- In the Service Port field:
- If you want to specify a single service port or all ports, confirm that the Port button is selected, and type or select a service port.
- If you want to specify multiple ports other than all ports, select the Port List button, and confirm that the port list that you previously created appears in the box.
- In the Resources area of the screen, from the Default Pool list, select the relevant pool name.
- Scroll down to the Access Policy section and check the Enabled box for OAM Support.
- Select an AccessGate from the list. If you select Default, Access Policy Manager reads Oracle configuration information to determine which AccessGate to associate with this virtual server.
- Click Finished.
A destination IP address on the Access Policy Manager system is now available for application traffic.
Troubleshooting tips
You might run into problems with the integration of Access Policy Manager and OAM in some instances. Follow these tips to try to resolve any issues you might encounter.
Troubleshooting tips for initial configuration
You should | Steps to take |
---|---|
Check network connectivity | Ping the OAM Access Server from the BIG-IP system, and confirm that the access server port (6021 or 5575 by default) is reachable from the BIG-IP system. |
Test without OAM support enabled first | Before you test with OAM support enabled, make sure that the BIG-IP system has basic connectivity to protected applications. |
Check the configuration for accuracy | Confirm that the access server name, host name, port, and transport security mode on the AAA OAM server match the OAM access server, and that each AccessGate name and password (and the passphrase, in simple or cert mode) match what is configured in OAM. |
Additional troubleshooting tips
You should | Steps to take |
---|---|
Verify access | OAM provides tools for the administrator to test how access policies respond to various requests. Use the Access Tester to test access policies with given identities and for given users. This tool can be helpful in determining whether the access provided by the BIG-IP system is consistent with the policies configured under OAM. |
Resolve sudden problems | Changes that have been made on the OAM server can cause mismatches on the BIG-IP system, because the BIG-IP system keeps a configuration cache. To resolve this problem, delete the cache configuration file of the corresponding AccessGate configuration. |
Check logs | Enable and review the log files on the BIG-IP system. |