Symantec VIP Integration Guide For Oracle Access Manager


Table of Contents

About integrating Oracle Access Manager with Symantec VIP
  System requirements
  VIP supported features
  Authentication workflow
    VIP Authentication Service (Web Service-based) Workflow
    RADIUS Authentication Workflow
Configuring Oracle Access Manager for Second-Factor Authentication
  Prerequisites
  Editing the vswebserviceclient.conf file
  Configuring the VIP Authentication Service mode
    Sample configuration file for WebService
    Convert the VIP certificate file format
    Encrypt passwords
  RADIUS mode
    Prerequisites
    Adding a Validation server
    Sample configuration mode for RADIUS
  Deploying the Symantec authentication plug-in
    Create authentication modules
    Create authentication schemes
    Create an authentication policy and resource
  Customizing the login page
  Testing the OAM plug-in configuration
  Advanced OAM plug-in configuration
    Customize the error codes
    Configure multi-step/step-up modes
      Prerequisites
      Multi-step authentication
      Step-up authentication
    Additional configuration
Configuring the VIP JavaScript Integration for OAM
  Integrating JavaScript for VIP Access Push
    VIP Manager Update
    Update the Symantec Configuration file
    Update the OAM login page
    Test the JavaScript Integration for VIP Access Push
  JavaScript Integration for Additional Features
    JavaScript integration using OAM as IdP
    JavaScript integration using VIP Enterprise Gateway SSP-IDP
    Test the JavaScript integration
Troubleshooting issues and solutions
Copyright Statement

About integrating Oracle Access Manager with Symantec VIP

Traditional user name and password authentication is no longer enough to meet today's evolving security threats and regulatory requirements. However, users demand an easy-to-use authentication solution. What is needed today is stronger and smarter authentication that secures corporate data and applications while offering greater ease of use.

Symantec VIP is a cloud-based authentication service that enables enterprises to secure online transactions, meet compliance standards, and reduce fraud risk. VIP provides an additional layer of protection beyond the standard user name and password through a wide variety of additional authentication capabilities, including:

  – Two-factor authentication: dynamic, one-time-use security codes generated by a user's VIP credential in the form of mobile apps, desktop software, security tokens, and security cards.
  – Out-of-band authentication: dynamic, one-time-use security codes delivered by phone call, by SMS text message or email, or by push notifications sent to a registered mobile device.

VIP is based on OATH open standards. OATH is an industry-wide consortium that works with other groups to promote widespread strong authentication. Because the service is hosted by Symantec, enterprises engage one solution to support multiple enterprise, partner, and customer-facing applications that require strong authentication.

Intended for administrators, this guide helps you prepare for VIP integration by providing a comprehensive outline for planning, decision making, and task prioritization for a successful deployment. Users generate a security code on a VIP credential that they register with Symantec's VIP Service. They use that security code, along with their user name and password, to gain access to the resources protected by Oracle.

System requirements

The integration environment used in this document is based on the following software versions:

Table 1: System requirements
  Partner product: Oracle Access Manager (OAM)
  Partner component and versions: 11g Release 1 (11.1.1.5.0), 11g Release 2 (11.1.2.1.0), 11g R2 PS2 (11.1.2.2.0), 11g R2 PS3 (11.1.2.3.0), 12c PS3 (12.2.1.3.0)
  VIP Enterprise Gateway: 9.8 with latest patch

Operating system requirements for Oracle Access Manager:
  – Windows 2008 R2 Enterprise (64-bit)
  – Red Hat Enterprise Linux 5.x (5.6 onwards)

VIP supported features

Table 2 lists the VIP Enterprise Gateway features that are supported with OAM.

Table 2: VIP supported features
  First-factor authentication
    AD/LDAP password through VIP Enterprise Gateway: No
    VIP PIN: Yes
  Second-factor authentication
    Push: Yes
    SMS: Yes
    Voice: Yes
  Selective strong authentication
    Target resource based: Yes
    End-user based: Yes
    Risk based: Yes
  General authentication
    Multi-domain: Yes
    Anonymous user name: Yes
    AD password reset: No
    Third-party IdP: Yes
  Integration method
    VIP JavaScript: Yes
    VIP Login: No
    VIP Web Service APIs: Yes
    RADIUS: Yes

Authentication workflow

The following sections describe the workflow for the VIP Authentication Service (Web Service-based) and RADIUS-based authentication methods:
  – VIP Authentication Service (Web Service-based) Workflow
  – RADIUS Authentication Workflow

VIP Authentication Service (Web Service-based) Workflow

The following diagram illustrates the authentication workflow using VIP Authentication Service (Web Service-based).

Table 3: Workflow description for WebService
  Flow 1: The user enters the user name, password, and a security code using a login form in the User Name - Security Code authentication method. In the User Name - Access PIN - Security Code authentication method, the user enters the access PIN followed by the security code in the PIN - Security Code field.
  Flow 2: As the first part of the two-factor authentication, the built-in OAM plug-in validates the user name and the password.
  Flow 3: After the user name and the password are authenticated, the VIP integration module for OAM sends the user name and the security code to SymantecAuthnPlugIn, which is a customized OAM authentication plug-in. In the User Name - Access PIN - Security Code authentication method, the VIP integration module for OAM sends the user name, access PIN, and security code to SymantecAuthnPlugIn.
  Flow 4: After SymantecAuthnPlugIn successfully authenticates the user name and the security code, it returns a success response to the VIP integration module for OAM. Based on this success response, the user is allowed to access OAM-protected resources. In the User Name - Access PIN - Security Code authentication method, SymantecAuthnPlugIn authenticates the user name, access PIN, and security code and returns a success response to the VIP integration module for OAM.

RADIUS Authentication Workflow

The following diagram illustrates the workflow for RADIUS authentication using VIP Enterprise Gateway.

Table 4: Workflow description for RADIUS
  Flow 1: The user enters the user name, password, and a security code using a login form in the User Name - Security Code authentication method. In the User Name - Access PIN - Security Code authentication method, the user enters the access PIN followed by the security code in the PIN - Security Code field.
  Flow 2: As the first part of the two-factor authentication process, OAM sends the user name and the password to the User Store. For example, if AD/LDAP is the User Store, OAM sends the user name and password to your AD/LDAP server. If your User Store authenticates the user name and the password, it returns the group permission details and the authentication response to OAM.
  Flow 3: As the second part of the two-factor authentication process, OAM sends the user name and the security code to VIP Enterprise Gateway for authentication.
  Flow 4: The VIP Enterprise Gateway validation server authenticates the user name and the security code with VIP Service. VIP Service sends an authentication response to the VIP Enterprise Gateway validation server.
  Flow 5: If VIP Service successfully authenticates the user name and the security code, VIP Enterprise Gateway returns an Access-Accept authentication response to OAM.
  Flow 6: Based on the response from VIP Service, the VIP Enterprise Gateway validation server sends an appropriate response to OAM.
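The RADIUS leg of Flows 3 to 6, as an added example that is not part of this guide or of any Symantec or Oracle code: a Python script that builds the Access-Request OAM would send (User-Name plus the security code carried as User-Password, hidden with the RFC 2865 shared-secret scheme), stands in for the VIP Enterprise Gateway validation server with a constructed table of codes the VIP Service would confirm, and shows the check OAM must make before trusting an Access-Accept: the identifier must match and the Response Authenticator must verify under the shared secret. The user name, security code, shared secret and the expected-code table are constructed values; the gateway's real attribute handling beyond what Table 4 states is not modelled.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used in the exchange
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block), the first block keyed by the
    Request Authenticator. MD5 here is what the RFC mandates, not a design choice."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as applied by the validation server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(identifier, user, security_code, secret, request_auth=None):
    """Flow 3: OAM sends the user name and the security code to the validation server."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, user.encode()) + attribute(
        ATTR_USER_PASSWORD, hide_password(security_code.encode(), secret, request_auth))
    return packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def simulated_validation_server(request, secret, valid_codes):
    """Flows 4 and 5, stand-in for VIP Enterprise Gateway: valid_codes (constructed)
    plays the role of the VIP Service answer for each user name."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    presented = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply = ACCESS_ACCEPT if valid_codes.get(user) == presented.decode(errors="replace") else ACCESS_REJECT
    return packet(reply, identifier, response_authenticator(reply, identifier, b"", request_auth, secret), b"")


def verify_response(response, request, secret):
    """Flow 6 on the OAM side: accept the reply only if its identifier matches our request
    and its Response Authenticator was computed with the shared secret over our Request
    Authenticator. Returns the packet code, or None for a reply that cannot be verified."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, identifier, response[20:length], request[4:20], secret)
    if identifier != request[1] or not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def run_exchange(user, security_code, secret, valid_codes, identifier=7):
    request = build_access_request(identifier, user, security_code, secret)
    response = simulated_validation_server(request, secret, valid_codes)
    return verify_response(response, request, secret)


if __name__ == "__main__":
    codes = {"alice": "482913"}  # constructed: the code VIP Service would confirm for alice
    print("valid code   ->", run_exchange("alice", "482913", b"s3cret!", codes))  # 2, Access-Accept
    print("wrong code   ->", run_exchange("alice", "000000", b"s3cret!", codes))  # 3, Access-Reject
```

The point of verify_response is the one that matters operationally: an Access-Accept whose Response Authenticator does not verify, or whose identifier does not match an outstanding request, is discarded rather than treated as a successful second factor, so a spoofed reply on the path between OAM and the gateway cannot substitute for a VIP Service decision.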

Configuring Oracle Access Manager for Second-Factor Authentication

Complete the following general tasks to configure Oracle Access Manager for second-factor authentication:

Table 5: Steps for configuring Oracle Access Manager for second-factor authentication
  1. Meet the prerequisites. (Resource: Prerequisites)
  2. Edit the vswebserviceclient.conf file. (Resource: Editing the vswebserviceclient.conf file)
  3. Configure the VIP Authentication Service mode. (Resource: Configuring the VIP Authentication Service mode)
  4. Configure RADIUS mode. (Resource: Configuring RADIUS mode)
  5. Deploy the Symantec authentication plug-in. (Resource: Deploying the Symantec authentication plug-in)
  6. Customize the login page. (Resource: Customizing the login page)
  7. Test the OAM plug-in configuration. (Resource: Testing the OAM plug-in configuration)
  8. Perform advanced OAM plug-in configuration. (Resource: Advanced OAM plug-in configuration)

Prerequisites

Before you integrate Oracle Access Manager with Symantec VIP for second-factor authentication, make sure that your first-factor authentication works. The Oracle Access Manager application must be configured with LDAP, and a user must be able to log in to the application with a user name and a password.

Download and extract the OAM plug-in. The package contains the following files:
  – symcOamIntegrationHead.jsp
  – symcOamIntegrationForm.jsp
  – symcOamIntegrationBody.jsp
  – symcOamIntegrationConfig.jsp
  – SymantecAuthnPlugIn.jar
  – SymantecDependency1.jar
  – SymantecDependency2.jar
  – vswebserviceclient.conf
  – camouflage.jar

Copy the .jsp files into a folder where your OAM login application is deployed. If you are using the OAM default login application, copy these .jsp files to the following location:

  MW_Home\user_projects\domains\base_domain\servers\oam_server1\tmp\_WL_user\oam_server\<system temporary directory>\war\pages

NOTE
You must select the <system temporary directory> directory that contains the jsp servlet directory.

Editing the vswebserviceclient.conf file

Table 6 (Sample configuration file: field and description) describes the vswebserviceclient.conf fields.

Table 6: Sample configuration file: field and description
  com.symantec.security.authnType: By default this property has the value radius. Set it to radius for two-factor authentication through VIP Enterprise Gateway, or to webservice for two-factor authentication through the VIP Authentication Service.
  com.symantec.security.radius.authentication.validation.server.configuration: If authnType is radius, you must provide details of the specific validation server(s) that you want to connect to, in the following format:
    host name/IP address:port:shared secret:timeout:retries;host name/IP address:port:shared secret:timeout:retries
    The timeout is specified in seconds.
  com.symantec.webservice.api.validate_base.url: VIP Authentication Service URL that is used to authenticate the user name and the security code. …/vipuserservices/AuthenticationService_1_4
  com.symantec.webservice.api.query_base.url: VIP Query Service URL that is used to authenticate the user name and the security code. …/vipuserservices/QueryService_1_4
  com.symantec.webservice.api.management_base.url: VIP Management Service URL that is used to authenticate the user name and the security code. …/vipuserservices/ManagementService_1_4
  com.symantec.vipsdk.keyStore: Location of the VIP certificate file (in .jks format) on the local host. For more information on converting a .p12 certificate to a .jks certificate, see Convert the VIP certificate file format.
  com.symantec.vipsdk.keyStorePassword: Password of the VIP certificate file. You can provide the password either in plain text or in encrypted format. For more information on encrypting passwords, see Encrypt passwords.
  com.symantec.vipsdk.trustStore: File location of the Java trust store.
  com.symantec.vipsdk.trustStorePassword: Password of the trust store certificate file. The default password is changeit. You can provide this password either in plain text or in encrypted format.
  com.symantec.vipsdk.webservice.proxy_host: IP address of the proxy server.
  com.symantec.vipsdk.webservice.proxy_port: Port number of the proxy server.
  com.symantec.vipsdk.webservice.proxy_username: User name for the authentication-based proxy server. This is an optional field.
  com.symantec.vipsdk.webservice.proxy_password: Password for the user name that is specified in the com.symantec.vipsdk.webservice.proxy_username field. You can provide this password either in plain text or in encrypted format.
  (property name not legible in this copy): Set to true to skip the User Name - Security Code (second factor) authentication using the VIP authentication service.
  com.symantec.vipsdk.validationMode: MODE takes the following values:
    – OnlyOtp: The user has to provide only the security code for strong authentication. This is the default mode if the validation mode is not explicitly specified. OnlyOtp applies to the User Name - Security Code authentication method.
    – PinAndOtp: The user has to provide both the PIN and the security code for strong authentication. PinAndOtp applies to the User Name - Access PIN - Security Code authentication method.
    – OptionalPinAndOtp: The user must provide the security code and may or may not provide the PIN. If the user has not been granted/enabled a PIN in the cloud, strong authentication uses only the security code. If the user has been granted/enabled a PIN in the cloud and does not provide a valid PIN, strong authentication fails. OptionalPinAndOtp applies to the User Name - Access PIN - Security Code authentication method.

Configuring the VIP Authentication Service mode

To configure the VIP Authentication Service mode, complete the following:
  – Sample configuration file for WebService
  – Convert the VIP certificate file format
  – Encrypt passwords

Sample configuration file for WebService

The property file defines the authentication type; the allowed values are radius and webservice. By default, radius is configured in authnType.
You must configure authnType based on your requirement. The proxy configuration is applied only when authnType is set to webservice.

com.symantec.security.authnType=webservice

# VIP Authentication Service Properties
com.symantec.webservice.api.validate_base.url=…/vipuserservices/AuthenticationService_1_4
com.symantec.webservice.api.query_base.url=…/vipuserservices/QueryService_1_4
com.symantec.webservice.api.management_base.url=…/vipuserservices/ManagementService_1_4

# VIP Keystores
# If OAM is installed on the Windows operating system, add escape characters in the location of certificates.
# Example : C:\\Program Files\\Java\\jdk1.6.0_29\\jre\\lib\\security\\raCert.jks
# If OAM is installed on the LINUX operating system, there is no need to add escape characters to the location of certificates.
# Example : /opt/cert/raCert.jks
com.symantec.vipsdk.keyStore=
# Password can be specified in encrypted password (or) plain text
# Encrypted password should be specified with '::encrypted::' tag as below example
# Example: com.symantec.vipsdk.keyStorePassword=::encrypted::Pas1Ia2SlI2DpWldxwj8QQ

# JAVA Truststores
# If OAM is installed on the Windows operating system, add escape characters in the location of certificates.
# Example : C:\\Program Files\\Java\\jdk1.6.0_29\\jre\\lib\\security\\cacerts
# If OAM is installed on the LINUX operating system, there is no need to add escape characters to the location of certificates.
# Example : /usr/java/jdk1.7.0…
com.symantec.vipsdk.trustStore=
# Password can be specified in encrypted password (or) plain text
# Encrypted password should be specified with '::encrypted::' tag as below example
# Example: com.symantec.vipsdk.trustStorePassword=::encrypted::Pas1Ia2SlI2DpWldxwj8QQ
com.symantec.vipsdk.trustStorePassword=

# VIP SDK Proxy Info
com.symantec.vipsdk.webservice.proxy_host=192.168.1.1
com.symantec.vipsdk.webservice.proxy_port=1212
com.symantec.vipsdk.webservice.proxy_username=proxyusername
# Password can be specified in encrypted password (or) plain text
# Encrypted password should be specified with '::encrypted::' tag as below example
# Example: com.symantec.vipsdk.webservice.proxy_password=::encrypted::Pas1Ia2SlI2DpWldxwj8QQ
com.symantec.vipsdk.webservice.proxy_password=

# VIP Business Continuity true/false
com.symantec.vipsdk.enableBusinessContinuity=false

# VIP Validation Mode MODE
# MODE takes the following values.
# OnlyOtp: Here the user has to provide only Security Code for strong authentication. (default)
# PinAndOtp: Here the user has to provide both the PIN and Security Code for strong authentication.
# OptionalPinAndOtp: Here the user has to provide the Security Code and user may or may not provide the PIN.
# If the user was not granted a PIN, then the strong authentication will use only the Security Code.
# If the user was granted a PIN and user did not provide a valid PIN then the strong authentication will fail.
com.symantec.vipsdk.validationMode=OnlyOtp

NOTE
If OAM is installed on the Windows operating system, add escape characters in the location of certificates in the vswebserviceclient.conf file, as shown in the sample configuration file. If OAM is installed on the LINUX operating system, there is no need to add escape characters to the location of certificates in the vswebserviceclient.conf file. VIP cloud services use the proxy server details in the vswebserviceclient.conf file for communication.

Convert the VIP certificate file format

After you download the VIP certificate, use keytool to create a JKS from the P12 file that you obtained through VIP Manager. Use the following keytool command:

  keytool -v -importkeystore -srckeystore <P12 file path> -srcstoretype PKCS12 -destkeystore <destination JKS file path> -deststoretype JKS

NOTE
When creating the Java keystore (JKS) from the P12 file using the keytool command, ensure that your input JKS password is the same as the P12 file password provided to you.

Encrypt passwords

To encrypt a password, use the camouflage.jar tool from the package:

  java -jar camouflage.jar -encrypt <password>

RADIUS mode

Complete the following to configure RADIUS mode:
  – Prerequisites
  – Adding a Validation server
  – Sample configuration mode for RADIUS

Prerequisites

Install and configure VIP Enterprise Gateway. For configuration procedures, refer to the VIP Enterprise Gateway Installation and Configuration Guide.

Adding a Validation server

You must complete the following steps to create a Validation server:
1. Log in to VIP Enterprise Gateway and click the Validation tab.
2. Click Add Server. The Add RADIUS Validation server dialog box is displayed.
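Because both modes are driven by vswebserviceclient.conf, here is an added pre-deployment check over that file, written for this page and not part of the Symantec package or of the camouflage.jar tool: a Python script that parses the file the way java.util.Properties does, confirms authnType, flags keystore and proxy passwords that are not tagged ::encrypted::, flags Windows certificate paths whose backslashes are not doubled, validates the validationMode value from Table 6, and parses the RADIUS validation-server list (host:port:shared secret:timeout:retries;...) with range checks. Property names are taken from Table 6 and the sample file, except that the full RADIUS list key is reconstructed from the fragments visible in this copy and is an assumption; both sample files and every secret and host in them are constructed placeholders.

```python
import re

# Property names from Table 6 / the sample file; RADIUS_SERVERS is reconstructed from
# the guide's fragments and is an assumption, the others appear in full in the guide.
AUTHN_TYPE = "com.symantec.security.authnType"
RADIUS_SERVERS = "com.symantec.security.radius.authentication.validation.server.configuration"
VALIDATION_MODE = "com.symantec.vipsdk.validationMode"
BUSINESS_CONTINUITY = "com.symantec.vipsdk.enableBusinessContinuity"
STORES = ("com.symantec.vipsdk.keyStore", "com.symantec.vipsdk.trustStore")
STORE_PASSWORDS = ("com.symantec.vipsdk.keyStorePassword", "com.symantec.vipsdk.trustStorePassword")
PROXY_USER = "com.symantec.vipsdk.webservice.proxy_username"
PROXY_PASSWORD = "com.symantec.vipsdk.webservice.proxy_password"
ENCRYPTED_TAG = "::encrypted::"
VALID_MODES = {"OnlyOtp", "PinAndOtp", "OptionalPinAndOtp"}


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: '#'/'!' comment lines, key ended by
    whitespace, '=' or ':', one optional separator, then the value. Line
    continuations and unicode escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^\s=:]+)\s*(.*)$", line)
        if not match:
            continue
        key, rest = match.group(1), match.group(2)
        if rest[:1] in ("=", ":"):  # Java consumes exactly one separator character
            rest = rest[1:].lstrip()
        props[key] = rest
    return props


def parse_validation_servers(spec: str):
    """Split 'host:port:shared secret:timeout:retries;...' (timeout in seconds) into
    (servers, errors). A shared secret containing ':' cannot be expressed in this format."""
    servers, errors = [], []
    for entry in (e.strip() for e in spec.split(";")):
        if not entry:
            continue
        parts = entry.split(":")
        if len(parts) != 5:
            errors.append(f"{entry!r}: expected host:port:shared secret:timeout:retries")
            continue
        host, port, secret, timeout, retries = parts
        if not (port.isdigit() and timeout.isdigit() and retries.isdigit()):
            errors.append(f"{entry!r}: port, timeout and retries must be integers")
            continue
        port, timeout, retries = int(port), int(timeout), int(retries)
        if not 1 <= port <= 65535:
            errors.append(f"{entry!r}: port {port} out of range")
        elif timeout == 0:
            errors.append(f"{entry!r}: timeout must be at least 1 second")
        elif not host or not secret:
            errors.append(f"{entry!r}: host and shared secret must not be empty")
        else:
            servers.append({"host": host, "port": port, "secret": secret,
                            "timeout": timeout, "retries": retries})
    return servers, errors


def has_unescaped_backslash(path: str) -> bool:
    """java.util.Properties treats a lone backslash as an escape, so C:\\Program
    is read as C:Program; the guide therefore requires doubled backslashes on Windows."""
    return any(len(run) % 2 for run in re.findall(r"\\+", path))


def check_config(text: str) -> list:
    """Return a list of findings; an empty list means nothing to fix."""
    props, findings = parse_properties(text), []
    authn = props.get(AUTHN_TYPE, "radius")  # the guide says radius is the default
    if authn not in ("radius", "webservice"):
        return [f"{AUTHN_TYPE} must be radius or webservice, got {authn!r}"]
    if authn == "radius":
        if RADIUS_SERVERS not in props:
            return [f"{RADIUS_SERVERS} is required when authnType is radius"]
        return parse_validation_servers(props[RADIUS_SERVERS])[1]
    for key in STORES:
        if not props.get(key):
            findings.append(f"{key} is empty or missing")
        elif has_unescaped_backslash(props[key]):
            findings.append(f"{key}: single backslash in path; double them on Windows")
    for key in STORE_PASSWORDS + ((PROXY_PASSWORD,) if props.get(PROXY_USER) else ()):
        value = props.get(key, "")
        if not value:
            findings.append(f"{key} is empty or missing")
        elif not value.startswith(ENCRYPTED_TAG):
            findings.append(f"{key} is in plain text; encrypt it with camouflage.jar -encrypt")
    mode = props.get(VALIDATION_MODE, "OnlyOtp")
    if mode not in VALID_MODES:
        findings.append(f"{VALIDATION_MODE} must be one of {sorted(VALID_MODES)}, got {mode!r}")
    if props.get(BUSINESS_CONTINUITY, "false") not in ("true", "false"):
        findings.append(f"{BUSINESS_CONTINUITY} must be true or false")
    return findings


# Constructed sample files; every path, secret and blob below is a placeholder.
WEBSERVICE_CONF = r"""
com.symantec.security.authnType=webservice
com.symantec.vipsdk.keyStore=C:\Program Files\Java\jre\lib\security\raCert.jks
com.symantec.vipsdk.keyStorePassword=changeit
com.symantec.vipsdk.trustStore=/usr/java/jre/lib/security/cacerts
com.symantec.vipsdk.trustStorePassword=::encrypted::EXAMPLEBLOB
com.symantec.vipsdk.validationMode=OnlyOTP
"""
RADIUS_CONF = r"""
com.symantec.security.authnType=radius
com.symantec.security.radius.authentication.validation.server.configuration=192.168.1.1:1812:EXAMPLESECRET:20:3;192.168.1.2:1812:EXAMPLESECRET:abc:3
"""

if __name__ == "__main__":
    for name, conf in (("webservice", WEBSERVICE_CONF), ("radius", RADIUS_CONF)):
        print(name, check_config(conf))
```

Run it against the real file before step 9 of the plug-in deployment points CONFIG_FILE at it; the three findings on the constructed WebService sample (an unescaped Windows path, a plain-text keystore password and a mis-cased validation mode) are exactly the mistakes the guide's notes warn about, and the parser's handling of the separator is why a password written as key ::encrypted::value rather than key=::encrypted::value would lose its tag.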

3. Configure the RADIUS validation parameters:
  Vendor: Select Oracle from the drop-down list.
  Application Name: Select the vendor's application that you use, Oracle Access Manager 11g. Note: If your server is OAM 12c, you must still select Oracle Access Manager 11g as the application name.
  Authentication Mode: Select the mode that you want to use for first- and second-factor authentication.
    – UserID – Security code: In this authentication mode, your User Store, such as AD/LDAP, validates the first factor (user name and password). VIP Enterprise Gateway validates the second factor (user name and security code) with VIP Service. Ensure that your first-factor validation is working before selecting this authentication mode.
    – UserID – Access PIN – Security code: In this authentication mode, VIP Enterprise Gateway validates the user name, access PIN, and security code with VIP Service. Note that the Business Continuity mode is not supported for this Validation server.

Sample configuration mode for RADIUS

The property file defines the authentication type; the allowed values are radius and webservice. By default, radius is configured in authnType. You must configure authnType based on your requirement.

com.symantec.security.authnType=radius

# VIP Enterprise Gateway RADIUS Properties
# Provide details of the specific validation server(s) which you want to connect to.
# Validation server details should be in the below format
# host name/IP Address:port:shared secret:timeout:retries;host name/IP Address:port:shared secret:timeout:retries
# 'timeout' property should be in seconds
# Example:
com.symantec.security.radius.authentication.validation.server.configuration=192.168.1.1:1812:password:20:3

Deploying the Symantec authentication plug-in

Make sure your OAM setup is working by logging in to the OAM console. For details on setting up OAM, see the Oracle Access Manager documentation.

The Symantec Authentication plug-in package contains the following files, which are the dependency plug-ins for SymantecAuthnPlugIn.jar:
  – SymantecDependency1.jar
  – SymantecDependency2.jar

Complete the following procedure to integrate the Symantec Authentication plug-in into OAM:

NOTE
The order of deployment must be SymantecDependency1.jar, SymantecDependency2.jar, and then SymantecAuthnPlugIn.jar.

1. Log in to the Oracle Access Management console.
2. Under the Access Manager section, click Plug-ins on the Launch Pad tab.
3. On the Plug-ins screen, click Import Plug-ins.
4. Click Browse, select SymantecDependency1.jar, and click Import.
5. The custom plug-in that you have added appears on the Plug-ins page. The activation status of this plug-in is displayed as Uploaded.
6. Select the Uploaded SymantecDependency1 plug-in from the table and then click Distribute Selected. Wait for some time and then click Refresh. The activation status of the plug-in changes to Distributed.
   On OAM 12c, while distributing the Symantec dependency jar file, you may encounter the message "Unexpected internal error at index 1 error". You can ignore this message, as it is an OAM warning and does not impact the Symantec functionality.
7. Select the plug-in that you have distributed and click Activate Selected. Wait for some time and then click Refresh. The activation status of the plug-in changes to Activated.

8. Repeat Step 1 through Step 7 to import, distribute, and activate SymantecDependency2.jar and SymantecAuthnPlugIn.jar.
9. In the Plug-in Details: SymantecAuthnPlugin section, add the location of the vswebserviceclient.conf file as the value for CONFIG_FILE.

Create authentication modules

1. Under the Access Manager section, click Authentication Modules in the Launch Pad tab.
2. Click Create Authentication Scheme and select Create Custom Authentication Module.
3. Under the General tab, provide the following information:
  Module Name: Enter the name of the customized authentication module.
  Description: Enter the description of the customized authentication module. This field is optional.
4. Click the Steps tab, then click to add a new step.
5. In the Add new step window, enter the details as described in the following table and click OK.
  Step Name: Enter the name of the step.
  Description: Enter the optional description for the step.
  Plug-in Name: Select the plug-in name for this step. For a customized authentication module that uses SymantecAuthnPlugIn, you must use the following plug-in names:
    – Step1-UI: UserIdentificationPlugIn
    – Step2-UA: UserAuthenticationPlugIn
    – Step3-2FA: SymantecAuthnPlugIn
6. Repeat Step 4 and Step 5 to add additional steps for the authentication module.
7. Under the Steps tab, select the Symantec Plugin step. Add the step details as described in the following table:
  ENABLE_DEBUG (value: true or false): Set to true to see debug logs related to the plug-in in the oam_server1-diagnostic.log file.
  CONFIG_FILE (value: location of the vswebserviceclient.conf file): Enter the details of the sample configuration file. This is a mandatory parameter.
  STEPUP_MODE (value: false): Set to false to enable single-step authentication.
8. Configure the Steps Orchestration tab as shown in the following figure.
9. Click Apply to save the authentication module.

Create authentication schemes

Complete the following steps to create authentication schemes for the authentication module created in the previous section:
