Password Policy in Oracle Access Manager #OAM

Password Policy 1

.

Password Policy in Oracle Access Manager’s Password Management Services(available in OAM’s Identity System) enable you to define multiple password policies, constraints on password composition, forced-password change and lost password management feature.

.
Password Policy : is set of rules that governs kind of passwords that users create and validity of password (duration)
.
Password Policy 2
.

  • You configure Password Policy from Identity System Console -> System Configuration -> Password Policy
  • Password Policies are created in Identity System (OAM consists of two parts Identity System and Access System) but also applicable to access system. These policies also apply to users who try to access resources protected by Access System
  • You can create multiple password policiesapplicable at different level in your domain (or realm) for example if your domain (in LDAP server) DC=com, DC=onlineappsdba, OU=EMEA, OU=UK, cn=user1 then you can have multiple password policies applicable at different level i.e. policy1 (applicable at DC=onlineappsdba), policy2 (applicable at OU=EMEA), policy3(applicable at OU=UK) and policy4 (applicable at cn=user1)
  • Password Policies are evaluated at bottom-to-top level, i.e. if you have password policy at user level then that password policy will be applicable. If not then it will check for password policy applicale at OU=UK. If there is no password policy at OU=UK level then it will look for password policy applicable to OU or DC levelhigher to that.
  • There are three type of administrator users in OAM
    a) Master Administrators : They have administrative access to both Identity and Access System
    b) Identity Administrators : They have administrative access to Identity System)
    c) Access Administrators (They have administrative access to Access System)
    Only Master Administrators have access to configure password policies in Oracle Access Manager.
  • If you have password policy where change on reset is enabled (user must change password after password reset) but NO Password Change Redirect URL is defined, This prevents users from changing password and ultimately logging in
  • Directory Server (OID, AD…) may have its own password Policy, Password Policy on Directory Server should not be more strict than Access Manager Password Policy otherwise it will create conflicts. For Example if Password Policy in OAM dictates that OAM should lock account after 5 continuous failed login attempts where as in Directory Server (AD, OID..) account lockout policy is 3 attempts then it will conflict with OAM’s Password Policy
  • You can create default password policy that apply to all domains. You can create Password Policy to specific directory domain or Multiple policies with in domain
  • Object Class for Password Policy in Oracle Access Manager is OblixPersonPasswordPolicy
  • To implement password policy in OAM, define Password Policy using Identity System Console and then modify Authentication Scheme in Access System (add obReadPasswdMode=”LDAP”, obWritePasswdMode=”LDAP” to validate_password plug-in)

    • .

    How often Access Server checks for changes for Password Policies ?
    Password Policy Reload Period (in Seconds) is access server setting which determines frequency in which Access Server checks Identity Server for new Password Policy.

               Password Policies are cached in Access Server, You can manually flush Password Policy Cache in Access Server or Restart Access Server which will automatically flush Password Policy Cache.

    How to flush password policy cache in Access Server ?

    Access System Configuration -> Common Information Configuration -> Flush Password Policy

    .

    Reference

About the Author Masroof Ahmad

Leave a Comment:

6 comments
Harmeet says November 11, 2010

Hi Atul,

This is an interesting article. I have a question for the last step you mentioned – “add obReadPasswdMode=”LDAP”, obWritePasswdMode=”LDAP” to validate_password plug-in”

Currently I have a form based authentication policy and validate_password plug-in shows value as obCredentialPassword=”individualpassword”.

To implement password policy for this authentication rule, how do I add the obReadPasswdMode and obWritePasswdMode? Just comma separated.

If you have a screenshot, that will be great. You can email that to me.

Thanks a lot for this article.

Reply
Vijaya says December 4, 2010

How to we restrict special characters and french characters through password policy in OAM? We have configured password policy but we don’t see option over there. Is there any way to implement restriction of special characters as well as french characters along with password policy? How to do that?

Reply
sasha says August 22, 2011

Hello,

I have configured Password Policy and Lost Password Policy in OAM 10.1.4.3. bundle patch 6.

After changing the password using this functionality, the user is able to connect trough SSO with both the old and new password. Do you know why this happens and how can it be overcome?

Thanks

Reply
Vijaya says August 23, 2011

Hello Sasha,

This is the default behavior of Active Directory. I also observed this. User has to reboot his machine to connect only through new password after the password change.

vijaya

Reply
graham says September 12, 2013

Check this URL:
http://www.itsecuritycenter.com/oracle-security-connection-login-restrictions.html

Reply
Lavanya says October 2, 2014

Hi Athul

I am upgrading OAM 10g to OAM 11g R2.In 10g we have multiple password policies created with different attibute level and defined at password policy filter.for example : (&(&(objectClass=inetorgperson)(departmentNumber=******)))

And also defined Lost password Redirect URL, Password change Redirect URL features.

How can we use same features in OAM 11G ?We dont have any option to provide filter and to provide redirect URLs

Please through me some light on my questions.

Thanks
Lavanya

Reply
Add Your Reply