Password Policy in Oracle Access Manager's Password Management Services (available in OAM's Identity System) lets you define multiple password policies, constraints on password composition, forced password change, and lost password management.
Password Policy : a set of rules that governs the kind of passwords users can create and how long a password remains valid (duration).

- You configure Password Policy from Identity System Console -> System Configuration -> Password Policy
- Password Policies are created in the Identity System (OAM consists of two parts, the Identity System and the Access System) but they also apply to the Access System: they govern users who try to access resources protected by the Access System.
- You can create multiple password policies applicable at different levels in your domain (or realm). For example, if your domain (in the LDAP server) is DC=com, DC=onlineappsdba, OU=EMEA, OU=UK, cn=user1, then you can have policies at each level, i.e. policy1 (applicable at DC=onlineappsdba), policy2 (applicable at OU=EMEA), policy3 (applicable at OU=UK) and policy4 (applicable at cn=user1).
- Password Policies are evaluated bottom-to-top: if there is a password policy at the user level, that policy applies. If not, OAM checks for a password policy applicable at OU=UK. If there is none at OU=UK either, it looks for a policy at the next OU or DC level above that, and so on up the tree.
- There are three types of administrator users in OAM:
  a) Master Administrators : administrative access to both the Identity and Access System
  b) Identity Administrators : administrative access to the Identity System
  c) Access Administrators : administrative access to the Access System
  Only Master Administrators can configure password policies in Oracle Access Manager.
- If you have a password policy where change on reset is enabled (the user must change the password after a password reset) but NO Password Change Redirect URL is defined, users are prevented from changing their password and ultimately from logging in.
- The Directory Server (OID, AD, ...) may have its own password policy. The Directory Server's password policy should not be stricter than the Access Manager password policy, otherwise the two conflict. For example, if the OAM password policy says to lock the account after 5 consecutive failed login attempts, whereas the Directory Server's (AD, OID, ...) account lockout policy is 3 attempts, the directory locks the account before OAM's threshold is reached, which conflicts with OAM's password policy.
- You can create a default password policy that applies to all domains, a password policy for a specific directory domain, or multiple policies within a domain.
- The object class for Password Policy in Oracle Access Manager is OblixPersonPasswordPolicy.
- To implement a password policy in OAM, define the Password Policy using the Identity System Console and then modify the Authentication Scheme in the Access System (add obReadPasswdMode="LDAP", obWritePasswdMode="LDAP" to the validate_password plug-in).
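To make the bottom-to-top evaluation and the directory-lockout conflict concrete, here is a small added example (my own illustration, not code from the post or from Oracle's product). It resolves which policy applies to a user by walking the user's DN from the leaf up to the root, falling back to the default policy that applies to all domains, and it flags a Directory Server lockout threshold that is stricter than OAM's. The policy names, DNs and thresholds are constructed for the example; the DN handling is deliberately simple (no escaped commas) and is not a full RFC 4514 parser.

```python
"""
Added example, not part of the original post or of OAM itself:
resolve the applicable OAM password policy by walking a user's DN
bottom-to-top, and check an LDAP lockout threshold against OAM's.
All policy names, DNs and thresholds below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_failed_logins: int  # failed attempts before OAM locks the account


def dn_components(dn: str) -> List[str]:
    """Split a DN into RDNs, leaf first (cn=user1 before OU=UK).

    Whitespace is stripped and each RDN is case-folded so that
    'OU=UK' and 'ou=uk' compare equal, matching the usual
    case-insensitive handling of these attribute types. Escaped
    commas inside values are not handled (demonstration only).
    """
    return [p.strip().lower() for p in dn.split(",") if p.strip()]


def ancestors_bottom_up(dn: str) -> List[str]:
    """The DN itself followed by each enclosing container, leaf to root."""
    rdns = dn_components(dn)
    return [",".join(rdns[i:]) for i in range(len(rdns))]


def resolve_policy(
    user_dn: str,
    policies: Dict[str, PasswordPolicy],
    default: Optional[PasswordPolicy] = None,
) -> Optional[PasswordPolicy]:
    """Pick the policy for user_dn the way the post describes OAM doing it:
    user level first, then each enclosing OU/DC, then the default policy."""
    attached = {",".join(dn_components(k)): v for k, v in policies.items()}
    for scope in ancestors_bottom_up(user_dn):
        if scope in attached:
            return attached[scope]
    return default


def directory_lockout_conflicts(oam: PasswordPolicy, directory_threshold: int) -> bool:
    """True when the directory would lock the account before OAM does,
    e.g. AD locks at 3 failures while the OAM policy says 5."""
    return directory_threshold < oam.max_failed_logins


# Constructed sample: one policy at each level of the tree used in the post
# (DC=onlineappsdba,DC=com > OU=EMEA > OU=UK > cn=user1).
POLICIES: Dict[str, PasswordPolicy] = {
    "dc=onlineappsdba,dc=com": PasswordPolicy("policy1", 8, 5),
    "ou=EMEA,dc=onlineappsdba,dc=com": PasswordPolicy("policy2", 10, 5),
    "ou=UK,ou=EMEA,dc=onlineappsdba,dc=com": PasswordPolicy("policy3", 12, 5),
    "cn=user1,ou=UK,ou=EMEA,dc=onlineappsdba,dc=com": PasswordPolicy("policy4", 14, 5),
}
DEFAULT_POLICY = PasswordPolicy("default", 6, 5)


if __name__ == "__main__":
    for dn in (
        "cn=user1,OU=UK,OU=EMEA,DC=onlineappsdba,DC=com",   # user-level policy4
        "cn=user2,OU=UK,OU=EMEA,DC=onlineappsdba,DC=com",   # inherits policy3 from OU=UK
        "cn=user3,OU=FR,OU=EMEA,DC=onlineappsdba,DC=com",   # no OU=FR policy, so policy2
        "cn=user4,OU=APAC,DC=onlineappsdba,DC=com",         # falls through to policy1
        "cn=user5,DC=example,DC=org",                       # nothing attached: default
    ):
        print(dn, "->", resolve_policy(dn, POLICIES, DEFAULT_POLICY).name)
    # A directory lockout threshold of 3 is stricter than OAM's 5: conflict.
    print("AD lockout 3 vs OAM 5 conflicts:",
          directory_lockout_conflicts(POLICIES["dc=onlineappsdba,dc=com"], 3))
```

Running it walks each DN upward until a policy is found, which is exactly the order the post describes; the last line shows the AD-locks-at-3 versus OAM-locks-at-5 situation from the bullet above being reported as a conflict.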

How often does the Access Server check for changes to Password Policies?
Password Policy Reload Period (in seconds) is an Access Server setting that determines how frequently the Access Server checks the Identity Server for new Password Policies.
Password Policies are cached in the Access Server. You can flush the Password Policy cache in the Access Server manually, or restart the Access Server, which flushes the Password Policy cache automatically.

How to flush the password policy cache in the Access Server?
Access System Configuration -> Common Information Configuration -> Flush Password Policy
4 users commented in " Password Policy in Oracle Access Manager #OAM "
Hi Atul,
This is an interesting article. I have a question for the last step you mentioned: "add obReadPasswdMode="LDAP", obWritePasswdMode="LDAP" to validate_password plug-in".
Currently I have a form based authentication policy and the validate_password plug-in shows the value as obCredentialPassword="individualpassword".
To implement password policy for this authentication rule, how do I add the obReadPasswdMode and obWritePasswdMode? Just comma separated.
If you have a screenshot, that will be great. You can email that to me.
Thanks a lot for this article.
How do we restrict special characters and French characters through password policy in OAM? We have configured password policy but we don't see an option over there. Is there any way to implement restriction of special characters as well as French characters along with password policy? How to do that?
Hello,
I have configured Password Policy and Lost Password Policy in OAM 10.1.4.3 bundle patch 6.
After changing the password using this functionality, the user is able to connect through SSO with both the old and new password. Do you know why this happens and how can it be overcome?
Thanks
Hello Sasha,
This is the default behavior of Active Directory. I also observed this. User has to reboot his machine to connect only through new password after the password change.
vijaya