2 Replies Latest reply: Feb 14, 2013 4:27 PM by RiccardoCampana

    OAM ASDK 11.1.2 cannot initialize AccessClient: Error OAMAGENT-02081

    RiccardoCampana
      Hi all,

      I'm developing a custom WebCenter Portal that involves the use of the following products:

      Oracle WebCenter Portal 11.1.1.6.0
      Oracle WebCenter Content 11.1.1.6.0
      Oracle Access Manager 11.1.1.5.0
      Oracle WebTier 11.1.1.6.0
      Oracle WebGate 11g for OAM 11.1.1.5.0
      Oracle DB 11.2.0.3

      OAM and WebGate are installed in order to provide a SSO for the environment.
      All the installations have been done correctly, and if I try to log in to the custom portal deployed on a Managed Server called WC_CustomPortal we are redirected to the SSO login page, and once logged in there we can navigate all the protected resources.

      However, I'd like not to be redirected to the SSO login page but to log in to the SSO programmatically through the login form of the WebCenter Portal.
      In order to do that I've downloaded the 11.1.2 Oracle Access Manager Access SDK. Following http://docs.oracle.com/cd/E27559_01/dev.1112/e27134/as_api.htm#CHDBDAGI I've created a Java class for building an access client to integrate with the portal, and I've used this class to log in to the SSO programmatically.
      However, when I try to log in to the custom portal I'm continuously shown the "OAMAGENT-02081 No agent key entry found due to JPS config error or wallet file does not exist or contains no agent key" error even though everything seems to be set up correctly.
      In particular, I used orapki to verify that the cwallet.sso has the Agent Key, and I ensured that the locations used by the jps-config.xml files (which I will post shortly) were pointing at the correct cwallet.sso.

      Here is how the main files look:

      ----------------------------------------------------------------------------------------------------

      h2. Java Class: SSOBean2.java

      import java.io.BufferedWriter;
      import java.io.FileWriter;
      import java.io.IOException;

      import java.util.Hashtable;

      import javax.faces.application.FacesMessage;
      import javax.faces.context.FacesContext;

      import javax.servlet.http.Cookie;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import javax.servlet.http.HttpSession;

      import oracle.adf.share.ADFContext;

      import oracle.security.am.asdk.*;
      import oracle.security.am.common.aaaclient.ObAAAServiceClient;

      public class SSOBean2
      {
          public SSOBean2() {
              super();
          }

          private static String DEFAULT_LOGIN_SUCCESS_OUTCOME = "none";

          public static final String host = "//127.0.0.1:7777";
          public static final String contextRoot = "/mycontextroot";
          public static final String ms_protocol = "http";
          public static final String ms_method = "GET";
          public String m_configLocation = "/u01/AccessSDK11g";
          public String m_loggerName = "AccessSDKLogger";
          public static final String primaryDomain = ".localdomain";
          public static final String cookieName = "OAMAuthnCookie_127.0.0.1:7777";

          private String username;
          private String password;

          public String doLogin() {
              String METHOD_NAME = "doOAMLogin";
              AccessClient ac = null;
              UserSession user = null;
              ResourceRequest rrq = null;

              FileWriter fstream = null;
              BufferedWriter out = null;

              //obtain the servlet request and response objects
              HttpServletRequest request = (HttpServletRequest) ADFContext.getCurrent().getEnvironment().getRequest();
              HttpServletResponse response = (HttpServletResponse) ADFContext.getCurrent().getEnvironment().getResponse();

              //initialize credential map
              Hashtable creds = new Hashtable();

              //obtain success rule and failure rules
              String successRule = getLoginSuccessUrlNavigationRule();
              successRule = successRule == null || successRule.isEmpty() ? DEFAULT_LOGIN_SUCCESS_OUTCOME : successRule;

              String failureRule = getLoginFailureUrlNavigationRule();
              failureRule = failureRule == null || failureRule.isEmpty() ? DEFAULT_LOGIN_SUCCESS_OUTCOME : failureRule;

              try {
                  //debug trace file used while troubleshooting the ASDK setup
                  fstream = new FileWriter("/u01/out2.txt");
                  out = new BufferedWriter(fstream);
                  out.write("m_configLocation: " + m_configLocation + "\n\n");
                  //m_configLocation must be the ASDK config directory (jps-config.xml, cwallet.sso, ObAccessClient.xml)
                  ac = AccessClient.createInstance(m_configLocation, m_loggerName, AccessClient.CompatibilityMode.OAM_11G);
                  //ac = AccessClient.createDefaultInstance();
                  //construct oam protected resource to use for authentication
                  //String oamProtectedRes = "//" + AccessClient.getItem("preferredHost") + request.getContextPath() + "/adfAuthentication";
                  String oamProtectedRes = host + contextRoot + "/adfAuthentication";
                  out.write("OAMResource: " + oamProtectedRes + "\n\n");
                  rrq = new ResourceRequest(ms_protocol, oamProtectedRes, ms_method);

                  //this should return true if the webcontextroot/adfAuthentication is configured
                  //in the OAM policy domain
                  if (rrq.isProtected()) {
                      out.write("Resource is protected.\n\n");
                      AuthenticationScheme authnScheme = new AuthenticationScheme(rrq);
                      if (authnScheme.isForm()) {
                          //trace only the userid: the password must never be written to a trace file
                          out.write("User: [" + username + "]\n\n");
                          creds.put("userid", username);
                          creds.put("password", password);
                          user = new UserSession(rrq, creds);

                          //user successfully authenticated
                          if (user.getStatus() == UserSession.LOGGEDIN) {
                              if (user.isAuthorized(rrq)) {
                                  out.write("User is logged in and authorized for the request at level " + user.getLevel() + "\n\n");
                                  //create a session if it doesn't exist already
                                  HttpSession session = request.getSession(true);

                                  out.write("Session Token: " + user.getSessionToken() + "\n\n");

                                  //set the OAM SSO cookie carrying the session token on the response
                                  Cookie ssocookie = new Cookie(cookieName, user.getSessionToken());
                                  ssocookie.setPath("/");
                                  ssocookie.setDomain(primaryDomain);
                                  response.addCookie(ssocookie);

                                  out.write("Cookie: " + ssocookie.getValue() + "\n\n");
                                  String success_url_request_param = "success_url";
                                  FacesContext ctx = FacesContext.getCurrentInstance();

                                  //success URL: request parameter first, then the session attribute, then the current view
                                  String success_url = request.getParameter(success_url_request_param);
                                  if (success_url == null)
                                      success_url = (String) session.getAttribute(success_url_request_param);

                                  String viewID = getViewId(request);
                                  if (success_url == null) {
                                      if (viewID != null && viewID.contains("businessRolePages/Landing.jspx")) {
                                          out.write("viewID contains Landing.jspx\n");
                                          success_url = "/webcenter";
                                      } else {
                                          out.write("viewID DOESN'T contain Landing.jspx\n");
                                          success_url = "/webcenter/faces" + viewID;
                                      }
                                  }

                                  out.write("redirecting to " + success_url + "\n\n");
                                  ctx.getExternalContext().redirect(success_url);
                                  ctx.responseComplete();

                                  return successRule;
                              } else {
                                  out.write("User is logged in but NOT authorized\n\n");
                              }
                          } else {
                              out.write("User is NOT logged in\n");
                              FacesMessage errMessage = new FacesMessage(FacesMessage.SEVERITY_ERROR, "Invalid Credentials", "Login Failed");
                              FacesContext.getCurrentInstance().addMessage(null, errMessage);
                              out.write("User Credentials Invalid\n\n");
                          }
                      } else {
                          out.write("non-Form Authentication Scheme.\n\n");
                      }
                  } else {
                      out.write("OAMResource not protected in the policy domain\n\n");
                  }
                  //in all other cases return failure rule prompting user to relogin
                  return failureRule;
              }
              catch (AccessException e) {
                  //ASDK initialisation or authentication failure (OAMAGENT-02081 is raised here by createInstance)
                  FacesMessage errMessage = new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login Failed", "Login Failed");
                  FacesContext.getCurrentInstance().addMessage(null, errMessage);
                  trace(out, e);
                  return failureRule;
              }
              catch (Exception e) {
                  FacesMessage errMessage = new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login Failed", "Unexpected Exception: " + e.getLocalizedMessage());
                  FacesContext.getCurrentInstance().addMessage(null, errMessage);
                  trace(out, e);
                  return failureRule;
              }
              finally {
                  //close the trace file and release the ASDK client exactly once, whichever branch returned
                  if (out != null) {
                      try {
                          out.close();
                      } catch (IOException ignore) {
                      }
                  }
                  if (ac != null) {
                      ac.shutdown();
                  }
              }
          }

          //write an exception to the trace file when it is open
          private void trace(BufferedWriter out, Exception e) {
              if (out == null) {
                  return;
              }
              try {
                  out.write(e.toString() + "\n");
              } catch (IOException ignore) {
              }
          }

          private String getViewId(final HttpServletRequest request) {
              String viewId = (String) request.getAttribute("oracle.webcenter.webcenterapp.view.shell.WebCenterShellManager.VIEWID");
              if (viewId == null) {
                  //fall back to the part of the URI after the servlet path
                  String requestURI = request.getRequestURI();
                  int iStartServletPath = requestURI.indexOf('/', 1);
                  if (iStartServletPath >= 0) {
                      int iStartViewId = requestURI.indexOf('/', iStartServletPath + 1);
                      if (iStartViewId >= 0)
                          viewId = requestURI.substring(iStartViewId);
                  }
              }
              return viewId;
          }

          private String getLoginSuccessUrlNavigationRule() {
              return "success";
          }

          private String getLoginFailureUrlNavigationRule() {
              return "failure";
          }

          public void setUsername(String username) {
              this.username = username;
          }

          public String getUsername() {
              return username;
          }

          public void setPassword(String password) {
              this.password = password;
          }

          public String getPassword() {
              return password;
          }
      }


      ----------------------------------------------------------------------------------------------------

      h2. jps-config.xml

      This is the jps-config.xml file of the Custom Portal app

      <?xml version = '1.0' encoding = 'Cp1252'?>
      <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd jps-config-11_1.xsd">
      <property name="oracle.security.jps.jaas.mode" value="doasprivileged"/>
      <serviceProviders>
      <serviceProvider type="CREDENTIAL_STORE" name="credstore.provider" class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider">
      <description>Credential Store Service Provider</description>
      </serviceProvider>
      <serviceProvider type="ANONYMOUS" name="anonymous.provider" class="oracle.security.jps.internal.anonymous.idm.IdmAnonymousServiceProvider">
      <description>Anonymous Service Provider</description>
      </serviceProvider>
      <serviceProvider type="LOGIN" name="jaas.login.provider" class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider">
      <description>Login Module Service Provider</description>
      </serviceProvider>
      <serviceProvider type="IDENTITY_STORE" name="idstore.xml.provider" class="oracle.security.jps.internal.idstore.xml.XmlIdentityStoreProvider">
      <description>XML-based IdStore Provider</description>
      </serviceProvider>
      <serviceProvider type="POLICY_STORE" name="policystore.xml.provider" class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider">
      <description>XML-based PolicyStore Provider</description>
      </serviceProvider>
      </serviceProviders>
      <serviceInstances>
      <serviceInstance name="credstore" provider="credstore.provider">
      <property name="location" value="./"/>
      </serviceInstance>
      <serviceInstance name="anonymous" provider="anonymous.provider"/>
      <serviceInstance name="idstore.loginmodule" provider="jaas.login.provider">
      <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      <property name="remove.anonymous.role" value="false"/>
      </serviceInstance>
      <serviceInstance name="anonymous.loginmodule" provider="jaas.login.provider">
      <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.anonymous.AnonymousLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      </serviceInstance>
      <serviceInstance name="saml.loginmodule" provider="jaas.login.provider">
      <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.saml.JpsSAMLLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      <property name="name" value="www.oracle.com"/>
      </serviceInstance>
      <serviceInstance name="krb5.loginmodule" provider="jaas.login.provider">
      <property name="loginModuleClassName" value="com.sun.security.auth.module.Krb5LoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      <property name="storeKey" value="true"/>
      <property name="useKeyTab" value="true"/>
      <property name="doNotPrompt" value="true"/>
      <property name="keyTab" value="./krb5.keytab"/>
      <property name="principal" value="HOST/localhost@EXAMPLE.COM"/>
      </serviceInstance>
      <serviceInstance name="oam.loginmodule" provider="jaas.login.provider">
      <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.oam.OAMLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      <property name="access.sdk.install.path" value="$ACCESS_SDK_HOME"/>
      </serviceInstance>
      <serviceInstance name="admin.tool.loginmodule" provider="jaas.login.provider">
      <property name="loginModuleClassName" value="oracle.security.jazn.login.module.RealmLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      </serviceInstance>
      <serviceInstance name="digest.authenticator.loginmodule" provider="jaas.login.provider">
      <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.digest.DigestLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      </serviceInstance>
      <serviceInstance name="certificate.authenticator.loginmodule" provider="jaas.login.provider">
      <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.x509.X509LoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      </serviceInstance>
      <serviceInstance name="jaas.auth.manager.loginmodule" provider="jaas.login.provider">
      <property name="loginModuleClassName" value="oracle.security.jazn.login.module.WSSLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      </serviceInstance>
      <serviceInstance name="saml.auth.manager.loginmodule" provider="jaas.login.provider">
      <property name="loginModuleClassName" value="oracle.security.jazn.login.module.saml.SAMLLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      <property name="issuer.name.1" value="www.oracle.com"/>
      <property name="issuer.trustpointalias.1" value="orasign"/>
      <property name="issuer.keystorepassword.1" value="oracle"/>
      <property name="issuer.keystorepath.1" value="config/oraks.jks"/>
      </serviceInstance>
      <serviceInstance name="wss.digest.loginmodule" provider="jaas.login.provider">
      <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.digest.WSSDigestLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      </serviceInstance>
      <serviceInstance name="idstore.xml" provider="idstore.xml.provider">
      <property name="location" value="./jazn-data.xml"/>
      <property name="jps.xml.idstore.pwd.encoding" value="OBFUSCATE"/>
      <property name="subscriber.name" value="jazn.com"/>
      </serviceInstance>
      <serviceInstance name="policystore.xml" provider="policystore.xml.provider">
      <property name="location" value="./jazn-data.xml"/>
      </serviceInstance>
      </serviceInstances>
      <jpsContexts default="SuperjetApp">
      <jpsContext name="SuperjetApp">
      <serviceInstanceRef ref="idstore.xml"/>
      <serviceInstanceRef ref="credstore"/>
      <serviceInstanceRef ref="anonymous"/>
      <serviceInstanceRef ref="policystore.xml"/>
      <serviceInstanceRef ref="idstore.loginmodule"/>
      </jpsContext>
      <jpsContext name="anonymous">
      <serviceInstanceRef ref="credstore"/>
      <serviceInstanceRef ref="anonymous"/>
      <serviceInstanceRef ref="anonymous.loginmodule"/>
      </jpsContext>
      </jpsContexts>
      </jpsConfig>


      ----------------------------------------------------------------------------------------------------

      h2. jps-config.xml inside /config folder for OAM ASDK

      <?xml version="1.0" encoding="UTF-8" standalone='yes'?>
      <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" schema-major-version="11" schema-minor-version="1">

          <!-- This file is served as a config template. It can be used either standalone in non-JRF environment or merged into same jps-config.xml used in JRF environment. -->

          <serviceProviders>
              <serviceProvider type="CREDENTIAL_STORE" name="credstoressp" class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider">
                  <description>SecretStore-based CSF Provider</description>
              </serviceProvider>
          </serviceProviders>

          <serviceInstances>
              <!-- JPS Credential Store Service Instance -->

              <!-- Specify agent key wallet location relative to this jps-config.xml location -->
              <!-- The provider attribute must match a serviceProvider name declared in this file (credstoressp above) -->
              <serviceInstance name="credstore" provider="credstoressp">
                  <property name="location" value="./"/>
                  <description>File Based Credential Store Service Instance</description>
              </serviceInstance>
          </serviceInstances>

          <jpsContexts default="SuperjetApp">
              <jpsContext name="SuperjetApp">
                  <serviceInstanceRef ref="credstore"/>
              </jpsContext>
              <jpsContext name="anonymous">
                  <serviceInstanceRef ref="credstore"/>
              </jpsContext>
          </jpsContexts>

      </jpsConfig>
        • 1. Re: OAM ASDK 11.1.2 cannot initialize AccessClient: Error OAMAGENT-02081
          ColinPurdon-Oracle
          Hi,

          With the 11.1.2 ASDK, you can point to the jps-config.xml file by setting the Java property oracle.security.jps.config when running the AccessGate, for example:

          java -DOAM_ASDK_CONFIG_DIR=/opt/asdk -Doracle.security.jps.config=/opt/asdk/config/jps-config.xml ....

          It may just be that it is not finding this file. Also, I usually see the cwallet.sso location specified in the jps-config.xml file as "." rather than as "./" (assuming it is in the same location as the jps-config.xml file, of course); it may be worth changing that too.

          Regards,
          Colin
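A small offline consistency check for the two configuration points raised in this thread, added here as an example; it is not code from either poster or from Oracle's ASDK. It resolves the credential store `location` of a jps-config.xml relative to the file itself (so "." and "./" are treated alike) and verifies that cwallet.sso is present there, confirms that every serviceInstance's `provider` names a serviceProvider actually declared in the same file (the ASDK template declares it as `credstoressp`), and extracts the `-Doracle.security.jps.config` value from a java command line of the form shown above. The sample jps-config.xml and the empty placeholder cwallet.sso are constructed inline in a temporary directory; the function names are the example's own.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Namespace used by jps-config.xml (taken from the xmlns in the posted files)
JPS_NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"
NS = {"jps": JPS_NS}


def jps_config_from_jvm_args(argv):
    """Return the value of -Doracle.security.jps.config from a java command line, or None."""
    prefix = "-Doracle.security.jps.config="
    for arg in argv:
        if arg.startswith(prefix):
            return arg[len(prefix):]
    return None


def check_jps_config(config_path):
    """Return a list of findings for one jps-config.xml (empty when it is consistent).

    Checks:
      * every <serviceInstance provider="..."> names a declared <serviceProvider name="...">
      * the CREDENTIAL_STORE instance's 'location' property, resolved relative to the
        directory holding jps-config.xml, contains a cwallet.sso file
    """
    findings = []
    root = ET.parse(config_path).getroot()
    config_dir = os.path.dirname(os.path.abspath(config_path))

    # name -> type of every declared provider
    providers = {sp.get("name"): sp.get("type")
                 for sp in root.findall(".//jps:serviceProviders/jps:serviceProvider", NS)}

    for si in root.findall(".//jps:serviceInstances/jps:serviceInstance", NS):
        name, prov = si.get("name"), si.get("provider")
        if prov not in providers:
            findings.append("serviceInstance '%s' references undeclared provider '%s' (declared: %s)"
                            % (name, prov, sorted(providers)))
            continue
        if providers[prov] != "CREDENTIAL_STORE":
            continue
        loc = None
        for prop in si.findall("jps:property", NS):
            if prop.get("name") == "location":
                loc = prop.get("value")
        if loc is None:
            findings.append("credential store '%s' has no 'location' property" % name)
            continue
        # "." and "./" both resolve to config_dir; the wallet must sit in that directory
        wallet = os.path.normpath(os.path.join(config_dir, loc, "cwallet.sso"))
        if not os.path.isfile(wallet):
            findings.append("cwallet.sso not found at %s (location=%r relative to %s)"
                            % (wallet, loc, config_dir))
    return findings


# Constructed minimal jps-config.xml modelled on the ASDK template posted in the thread
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="%s">
  <serviceProviders>
    <serviceProvider type="CREDENTIAL_STORE" name="credstoressp"
        class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="credstore" provider="%s">
      <property name="location" value="%s"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default"><serviceInstanceRef ref="credstore"/></jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def build_sample(provider, location, with_wallet):
    """Write the constructed config (and optionally an empty placeholder cwallet.sso) to a temp dir."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "jps-config.xml")
    with open(cfg, "w") as f:
        f.write(SAMPLE_CONFIG % (JPS_NS, provider, location))
    if with_wallet:
        # placeholder file only: a real wallet is produced by the WebGate registration
        open(os.path.join(d, "cwallet.sso"), "wb").close()
    return cfg


if __name__ == "__main__":
    cases = [("credstoressp", ".", True), ("credstoressp", "./", True),
             ("credstore.provider", ".", True), ("credstoressp", ".", False)]
    for prov, loc, wallet in cases:
        print(prov, loc, wallet, "->", check_jps_config(build_sample(prov, loc, wallet)) or "OK")
```

Run against the real /opt/asdk/config/jps-config.xml (or whatever path the JVM property points at), the check reports either nothing or the specific inconsistency, which separates a "wrong file or wrong directory" problem from a "file found but the instance cannot bind to its provider" problem before orapki is even needed.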
          • 2. Re: OAM ASDK 11.1.2 cannot initialize AccessClient: Error OAMAGENT-02081
            RiccardoCampana
            Hi Colin,

            first of all, thank you for your reply. I'm truly a newbie on this topic, so I think I'm missing some parts of what you're suggesting. What do you mean by running the AccessGate? The oam_server1 managed server?

            What we did in order to enable the ASDK was simply to download it from the edelivery cloud website and unzip it in a folder (/u01/oam_asdk). So I have this structure inside that folder:

            config/jps-config.xml (a skeleton)
            docs/** (all the documentation)
            identitystore.jar
            importcert.jar
            jps-api.jar
            jps-common.jar
            jps-internal.jar
            jps-unsupported-api.jar
            oamasdk-api.jar
            oraclepki.jar
            osdt_cert.jar
            osdt_core.jar
            osdt_xmlsec.jar

            What I did next was import the jar files into my custom portal application and copy the artifacts created by the 11g WebGate registered with the OAM into the config folder. Did I do those things correctly, or am I missing some steps?

            Regards,
            Riccardo

            Edited by: 987858 on 14-feb-2013 8.27