Working with OAM Access Server SDK 11g

I am writing a post after a long time and apologize for taking such a long gap. I feel that I am back with a good post this time.

Last week I worked on a requirement to use the OAM 11g API for authentication and authorization and to expose those features as web services. Let us set the latter aside; here I am going to talk about using the OAM 11g API and how to connect to the OAM 11g Server. I have read through the OAM 11g Access SDK documentation, and here are my observations:

  1. There is no need to install an Access Server SDK 11g component, unlike the OAM 10g Access Server SDK.
  2. The authentication and authorization API lives in the new package oracle.security.am.asdk. The OAM 10g API can still be used with OAM 11g, but most of its methods are deprecated. Check the API Javadoc at http://docs.oracle.com/cd/E21764_01/apirefs.1111/e22472/toc.htm for the classes of package com.oblix.access.
  3. The Policy Manager API is not present in the OAM 11g SDK.
  4. It is very simple to compile and run Access Client code in 11g on any of the application servers.
  5. Access Clients can be developed only in Java in OAM 11g, unlike 10g, which supports C++/Java and so on.
  6. Refer to the "Comparison: 11g versus 10g Access API Classes" section in the Oracle doc for more information on changes at the level of API classes and method return types.

Here are the steps to get to a state where you can execute a sample Access Client program.

  1. Download the file ofm_oam_sdk_generic_11.1.1.5.0_disk1_1of1.zip from OTN downloads.
  2. Create a Host Identifier in the OAM Admin Console.
  3. Create an Access Gate profile in the OAM 11g Admin Console with version 10g. I have not used oamcfgtool for it.
  4. Create an Application Domain, create Resources, and assign them to a Protected or Public scheme as applicable. I am not getting into the specifics of how to create these. I am using the http resource type here.
  5. Create a Java file in your local Eclipse environment. An example is already given in the Oracle doc; refer to section 2.6.2.2, "Example of a Simple Access Client: JAccessClient.java". Replace the attribute values of ms_resource, ms_method, ms_login and ms_passwd accordingly.
  6. Very important: Create a folder AccessSDK11g on your local machine, for instance D:\AccessSDK11g. Create the folder structure oblix/lib under AccessSDK11g and copy into it the ObAccessClient.xml that was generated when the Access Gate profile was created in the OAM Admin Console. Replace the attribute value of m_configLocation with D:\AccessSDK11g.
  7. Very important: Copy oamasdk-api.jar from the downloaded Access Server SDK zip file and add it to the Eclipse project classpath. If you wish to run this Java file from the application server itself, add the jar to the app server's classpath variable.

That’s it. Once the application is protected with form-based authentication in the Application Domain (as explained in the example), we are good to go with testing.
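The flow from steps 5 to 7, as an added example that is not the author's code or Oracle's JAccessClient.java sample: it checks the folder layout from step 6, prompts for the credentials instead of hard-coding ms_passwd, then authenticates and authorizes against a form-protected resource. The class name AccessClientCheck, the evaluate helper, the resource URL and the "userid"/"password" credential keys are assumptions; the SDK calls are the oracle.security.am.asdk ones as I know them and should be checked against the Javadoc for your SDK version.

```java
import java.io.Console;
import java.io.File;
import java.util.Arrays;
import java.util.Hashtable;
import oracle.security.am.asdk.*; // provided by oamasdk-api.jar (step 7)

public class AccessClientCheck { // hypothetical class name
    // Constructed sample values: use a resource from your own Application Domain.
    static final String ms_protocol = "http";
    static final String ms_resource = "//host.example.com:80/protected/index.html";
    static final String ms_method = "GET";
    // Root folder from step 6; ObAccessClient.xml must sit in <root>/oblix/lib.
    static final String m_configLocation = "D:\\AccessSDK11g";

    public static void main(String[] args) {
        File cfg = new File(m_configLocation, "oblix/lib/ObAccessClient.xml");
        Console console = System.console();
        if (!cfg.isFile() || console == null) {
            System.err.println("Need " + cfg + " and an interactive terminal");
            return;
        }
        // Prompt at run time so no password is stored in the source file.
        String ms_login = console.readLine("User: ");
        char[] ms_passwd = console.readPassword("Password: ");
        if (ms_login == null || ms_passwd == null) return;

        AccessClient ac = null;
        try {
            // 10g compatibility mode matches the 10g-version Access Gate profile (step 3).
            ac = AccessClient.createDefaultInstance(m_configLocation,
                    AccessClient.CompatibilityMode.OAM_10G);
            System.out.println(evaluate(ms_login, ms_passwd));
        } catch (AccessException ae) {
            // "Failed to communicate with any of configured Access Server" surfaces here.
            System.err.println("Access SDK error: " + ae.getMessage());
        } finally {
            Arrays.fill(ms_passwd, '\0'); // wipe the password buffer
            try { if (ac != null) ac.shutdown(); } catch (Exception e) { /* best effort */ }
        }
    }

    // Hypothetical helper: returns a human-readable outcome for the sample resource.
    static String evaluate(String login, char[] passwd) throws AccessException {
        ResourceRequest rrq = new ResourceRequest(ms_protocol, ms_resource, ms_method);
        if (!rrq.isProtected()) return "Resource is not protected";
        AuthenticationScheme scheme = new AuthenticationScheme(rrq);
        if (!scheme.isForm()) return "Resource does not use a form-based scheme";
        Hashtable<String, String> creds = new Hashtable<String, String>();
        creds.put("userid", login);                // assumed form credential keys
        creds.put("password", new String(passwd));
        UserSession session = new UserSession(rrq, creds);
        if (session.getStatus() != UserSession.LOGGEDIN) return "Login failed";
        return session.isAuthorized(rrq)
                ? "Access granted to " + session.getUserIdentity()
                : "Authenticated but not authorized";
    }
}
```

The code avoids Java 7 syntax because the SDK log quoted in the comments below rejects anything other than JRE 1.5 or 1.6.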

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

33 comments
gghuangca says May 29, 2012

Hi Mahendra,

thanks for writing this post, Working with OAM Access Server SDK 11g.

I am currently working on a similar project using OAM Access Client with OAM 11g ASDK except my access client needs a simple mode rather than open mode.

I registered a 10g webgate in OAM 11g server. There are a few files generated, aaa_cert.pem, aaa_key.pem, cwallet.sso, ObAccessClient.xml, password.xml.

Suppose I still use D:\AccessSDK11g as my root directory for Access Client. Where do I copy these files in D:\AccessSDK11g, respectively?

Thanks in advance!

Gary

Reply
Mahendra says May 29, 2012

Gary,

You have to import the certificate and key file into oamclient-keystore.jks. The CA certificate used to issue the certificate and key should be imported into oamclient-truststore.jks.

http://docs.oracle.com/cd/E23943_01/doc.1111/e12491/as_api.htm#BABIEEDF

This link will help you understand importing certs and keys into jks files.

Create the structure ASDK_INSTALL_DIR/access/oblix/config

Copy the password.xml to config folder and let me know how it goes.

Reply
gghuangca says May 29, 2012

Hi Mahendra,

I am glad to get your reply. Very appreciated!

In my previous post, I mentioned cwallet.sso, which is wrong, because 10g webgate has no such file generated (11g webgate will generate it).

Yes, I read the doc for “2.5.3 SSL Certificate and Key Files” and generated two jks files.

If the structure ASDK_INSTALL_DIR/access/oblix/config is created in my Access Client side, will all of the files (aaa_cert.pem, aaa_key.pem, ObAccessClient.xml, password.xml) be copied into this directory? Could you please specify where to put them?

Also where to put these two files, oamclient-keystore.jks and oamclient-truststore.jks?

Thanks,

Gary

Reply
Mahendra says May 30, 2012

@Gary,

You would need to copy ObAccessClient.xml to $ASDK_INSTALL_DIR/oblix/lib folder

password.xml to $ASDK_INSTALL_DIR/oblix/config.

aaa_cert.pem and aaa_key.pem have to be imported to the OAM key store as explained in the doc http://docs.oracle.com/cd/E23943_01/doc.1111/e12491/as_api.htm#BABIEEDF

Please try and let me know how it goes.

Reply
gghuangca says May 30, 2012

Hi Mahendra,

I copied these files under $ASDK_INSTALL_DIR/oblix/lib and $ASDK_INSTALL_DIR/oblix/config.

I haven’t got that far for whether these files are deployed correctly or not, because I got a new error from OAM 11g server,

It seems that the managed server with simple mode I used is not up and running.

I still remember how I created and registered the managed server. I created a new managed server via WebLogic Admin Console, for example: Name: oam_server2, Port: 15100. Then, I registered the server instance “oam_server2” via OAM Admin Console with the following setting:
Server Name: oam_server2
Host: ghoam11g
Port: 15100
OAM Proxy setting:
Port: 5577 (I changed the default 5575 to 5577)
Proxy Server Id: ghoam11g
Mode: Simple

After running startWebLogic.sh &, I ran startManagedWebLogic.sh oam_server2 & (I didn’t run any other managed servers). Here is the log from the OAM 11g server about oam_server2:

It sounds like my oam_server2 (with simple mode) is up and running. But when I try to login OAM Admin Console, the server log always gives me ” ”

This issue now blocks me from continuing to test my Access Client.

Any idea about ?

Thanks,

Gary

Reply
gghuangca says May 30, 2012

I don’t know why the oam 11g server log message I copied and pasted in the previous comment didn’t show up. I copy and paste in this comment again:

Reply
gghuangca says May 30, 2012

Started WebLogic Managed Server “oam_server2” for domain “oam_domain” running in Development Mode

Server state changed to RUNNING

Server started in RUNNING mode

Reply
gghuangca says May 30, 2012

Hi Mahendra,

Sorry to post a few comments a moment ago. I just realized this forum will delete a comment with triangle brackets.

In my recent comment posted on May 30th, 2012 at 3:17 pm , I mentioned a new error, which is “Failed to communicate with any of configured Access Server, ensure that it is up and running.”

Thanks,

Gary

Reply
Mahendra says May 31, 2012

It looks like OAM server is not started properly. Can you please paste the error message?

Reply
gghuangca says May 31, 2012

Hi Mahendra,

I saw the error from the main console (starting the weblogic), “Failed to communicate with any of configured Access Server, ensure that it is up and running.”

Where do I get the error? from the below two files?
– /opt/oracle/Middleware/user_projects/domains/oam_domain/servers/AdminServer/logs/AdminServer.log

– /opt/oracle/Middleware/user_projects/domains/oam_domain/servers/oam_server2/logs/oam_server2.log

Thanks,

Gary

Reply
Charles says June 11, 2012

Hi Mahendra, great to know you and thanks for the wonderful post. My current work is creating a custom access gate as web service using access sdk . The goal is use the Obssocookie and further get the username, last updated time by other domains. For web service part i’m using the jersey libraries and that is fine. For OAM part I have quite no. of questions. Will be glad if you can guide me in the same. followed your post and copied the obsoocookie to specified path also oamasdk-api.jar file. Should i modify any content in the xml file, as i dont have any clue how the connection is going to happen, since i run the JAccessClient.java from my localhost. When i tried the same, the exception was ‘An AccessGate with id Portal has not been configured through the Access System Console’. I understand my primary server has the id as ‘Portal’. How can i proceed…

Reply
Charles says June 11, 2012

sorry for the typo– copied ObAccessClient.xml

Reply
Mahendra says June 11, 2012

/opt/oracle/Middleware/user_projects/domains/oam_domain/servers/oam_server2/logs/oam_server2.log

Also, see it in diagnostics file /opt/oracle/Middleware/user_projects/domains/oam_domain/servers/oam_server2/logs/oam_server2-diagnostics.log

Reply
Charles says June 11, 2012

can you please elaborate on the comment.. my question is how do i connect to the webgate from my localhost..

Reply
Charles says June 11, 2012

The exception is

java.lang.Exception: Failed to communicate with any of configured Access Server, ensure that it is up and running.
at oracle.security.am.common.aaaclient.ObAAAServiceClient.sendMessage(ObAAAServiceClient.java:1558)
at oracle.security.am.common.aaaclient.ObAAAServiceClient.getClientConfigInfo(ObAAAServiceClient.java:1328)
at oracle.security.am.asdk.AccessClient.readConfigFromServer(AccessClient.java:864)

Reply
Charles says June 11, 2012

should i edit the ObAccessClient.xml??

Reply
Mahendra says June 11, 2012

Charles,

Please confirm if you are able to login to OAM admin console.

Are you seeing this error in OAM logs or webgate logs?

What is the webgate version?

To be simpler, you can modify the webgate profile in OAM console and reconfigure the webgate by running configureWebGate.

-Mahendra

Reply
Mahendra says June 11, 2012

Charles,

Which OAM version are you working on?

Reply
Charles says June 12, 2012

Hi Mahendra,
Thanks a lot for guiding me.
Yes, i’m able to login to the OAM admin console. There are no error in the OAM logs. Webgate version is 10g. the steps i followed is as below.

1. created host identifier and mentioned the server where my custom web gate code is running.
eg: 192.168.XXX.XXX and port:7100
2. created a 10g webgate with default settings.
3. in the 192.168.XXX.XXX server’s admin console under security realms -> Providers – > created the OAMIDAssertor and under this in provider specific mentioned all the details such as application domain, access gate name, primary access server(with port) and access gate password.

However i get the following exception.

<Internal error.
java.lang.Exception: Failed to communicate with any of configured Access Server, ensure that it is up and running.
at oracle.security.am.common.aaaclient.ObAAAServiceClient.sendMessage(ObAAAServiceClient.java:1558)
at oracle.security.am.common.aaaclient.ObAAAServiceClient.getClientConfigInfo(ObAAAServiceClient.java:1328)
at oracle.security.am.asdk.AccessClient.readConfigFromServer(AccessClient.java:864)
at oracle.security.am.asdk.AccessClient.updateConfig(AccessClient.java:890)
at oracle.security.am.asdk.AccessClient.initialize(AccessClient.java:616)

Reply
Mahendra says June 12, 2012

Charles,

You don’t need to edit ObAccessClient.xml. If you find webgate info incorrect, then login to OAM console and edit the profile accordingly and copy the latest ObAccessClient.xml file generated/updated under $DOMAIN_HOME/output/AGENT_NAME.

Second thing, Is there any specific reason why you are creating OAM ID Asserter in WLS?

All you need is to protect a web service using OAM 11g ASDK? Is that right?

OEG or OWSM is the right product to protect web services against OAM.

Reply
Mahendra says June 12, 2012

I presume you are seeing the below exception at Access gate layer.

java.lang.Exception: Failed to communicate with any of configured Access Server, ensure that it is up and running.

Also, it looks to me that Access Gate is not able to contact the Access Server.

Confirm if Access Gate and OAM server are residing in two different machines. Are the timezones different? Is the OAM port open from Access Gate machine to OAM machine? Please check the connectivity.

Are any of the other webgates (not access gates) in your env working fine, apart from the access gate?

Reply
gghuangca says June 20, 2012

Hi Mahendra,

I got an issue for my access client deployed with the OAM 11g ASDK in the Java 7 environment.

The Access Client complains with the following log:
SEVERE 129 AccessLogger: Unsupported JRE Version specified. Version 1.7.0_03 Required Version 1.5 or 1.6

Since my environment must use Java 7 (not Java 6), how to resolve this issue?

Thanks,

gary

Reply
Mahendra says June 21, 2012

Hi Gary,

I am afraid if there is way to make it work with java7.

Why can’t you use Java 6?

-Mahendra

Reply
gghuangca says June 22, 2012

since my company product uses Java 7 as JRE and the access client is bundled with the product, this is why I cannot use Java 6.

Reply
Velkongu says September 13, 2012

Hi Mahendra.. I have installed OAM 11g as follows: 1. Installed jdk 1.6.0.30 2. Oracle DB. 3. Weblogic 10.3.5… 4. RCU to create tables for OAM. 5. Installed OAM using IDAM 11g and configured it with a new weblogic domain. But after I restarted the Admin and managed server, I found that in Weblogic–>servers, the machine name is blank for both Admin and Managed servers. Also while starting the Admin server I found the below error:
SEVERE: Failed to communicate with any of configured Access Server, ensure that it is up and running.

<Cannot get connection from data source.
weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: 0:weblogic.common.ResourceException: Could not create pool connection. The DBMS driver exception was: IO Error: Socket read timed out
at weblogic.jdbc.common.internal.JDBCUtil.wrapAndThrowResourceException(JDBCUtil.java:250)
at weblogic.jdbc.pool.Driver.connect(Driver.java:161)
at weblogic.jdbc.jts.Driver.getNonTxConnection(Driver.java:651)
at weblogic.jdbc.jts.Driver.connect(Driver.java:127)
at weblogic.jdbc.common.internal.RmiDataSource.getConnection(RmiDataSource.java:364)
at oracle.security.am.foundation.mapimpl.coherence.store.DataConnectionUtility.configureConnection(DataConnectionUtility.java:223)
at oracle.security.am.foundation.mapimpl.coherence.store.DataConnectionUtility.getConnection(DataConnectionUtility.java:191)
at oracle.security.am.engines.sme.mapimpl.db.SmeStoreLifecycle.run(SmeStoreLifecycle.java:234)
at java.lang.Thread.run(Thread.java:662)

2. While starting the managed server I found the below error:

<Cannot get connection from data source.
weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: 0:weblogic.common.ResourceException: Could not create pool connection. The DBMS driver exception was: IO Error: Socket read timed out
at weblogic.jdbc.common.internal.JDBCUtil.wrapAndThrowResourceException(JDBCUtil.java:250)
at weblogic.jdbc.pool.Driver.connect(Driver.java:161)
at weblogic.jdbc.jts.Driver.getNonTxConnection(Driver.java:651)
at weblogic.jdbc.jts.Driver.connect(Driver.java:127)
at weblogic.jdbc.common.internal.RmiDataSource.getConnection(RmiDataSource.java:364)
at oracle.security.am.foundation.mapimpl.coherence.store.DataConnectionUtility.configureConnection(DataConnectionUtility.java:223)
———————————-
Also, when I log in to the OAM console the page opens but the page is blank. It shows some error inside after logging in.

Please help me what has gone wrong.. and how to solve the issue.

Reply
Mahendra says September 14, 2012

Hello,

By default there won’t be machines configured in WLS server.

SEVERE: Failed to communicate with any of configured Access Server, ensure that it is up and running.

You will see the above error when OAM server is not running.

Regarding the DB exception, check the data sources created in weblogic. If admin server is not started check out in config.xml located under $WL_DOMAIN/config

Reply
Arjun says September 26, 2012

Can we retrieve the principal from any of the 11g cookies. In 10g you can retrieve the principal from the obsso cookie, does 11g sdk provide this option?

–Thanks

Reply
Mahendra says September 26, 2012

Arjun,

getUserIdentity() method returns User DN. Check out the UserSession API.

-M

Reply
dhaval says June 2, 2014

I am getting below error. Please help.

Exception in thread “main” java.lang.NoClassDefFoundError: oracle/security/jps/JpsException
at oracle.security.am.asdk.impl.ConfigXMLHandler.(ConfigXMLHandler.java:113)
at oracle.security.am.asdk.AccessClient.initialize(AccessClient.java:1315)
at oracle.security.am.asdk.AccessClient.(AccessClient.java:928)
at oracle.security.am.asdk.AccessClient.createDefaultInstance(AccessClient.java:349)
at wtp.ConverterClient.main(ConverterClient.java:58)
Caused by: java.lang.ClassNotFoundException: oracle.security.jps.JpsException
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
… 5 more

Reply
Subrat Kumar Padhi says November 3, 2016

Hi Mahendra,

Actually I am totally new to OAM.
I don’t know where to start or how to start.
I am using Apache server.
Do I need to integrate this OAM server with Apache?
And from where will I get all these files (aaa_cert.pem, aaa_key.pem, ObAccessClient.xml, password.xml)?

I only downloaded the jar files and set all the jar files on the classpath. After that, I don’t know what to do.

I am trying this for a web project.
Could you please provide some sample project related to OAM SSO?

How will I start this OAM 11g server?

Please help me.

Reply