12 Replies Latest reply: Sep 22, 2011 7:44 AM by 810135

    OAM 11g - OEG integration

    661909
      We are trying out integration of OAM 11g with OEG. We downloaded the latest OEG from OTN. An Axis service is deployed and is registered in OEG. The service is protected in OEG using basic auth, and the repository for authentication is OAM 11g. We have installed Agent SDK 10g and have also protected the resource in OAM.

      We have followed the integration guide available on OTN:
      http://www.oracle.com/technetwork/middleware/id-mgmt/documentation/oam11g-oeg-integration-guide-428888.pdf

      When we try to invoke the service using the service explorer, we get the error below from OEG. OEG receives the request but is unable to authenticate it using OAM.

      com.vordel.circuit.authn.VordelAuthNException: Original Message - type=com.vordel.circuit.authn.VordelAuthNException msg=Resource '//atugupta.us.oracle.com/axis/services/urn:xmltoday-delayed-quotes' requires null authentication scheme
      at com.vordel.security.auth.repository.OracleAccessManagerRepository.checkCredentials(OracleAccessManagerRepository.java:146)
      at com.vordel.security.auth.repository.RepositoryBase.checkCredentials(RepositoryBase.java:58)
      at com.vordel.security.auth.HttpBasicAuthN.authenticate(HttpBasicAuthN.java:51)
      at com.vordel.circuit.authn.HttpProcessor.performAuthentication(HttpProcessor.java:60)
      at com.vordel.circuit.authn.HttpBasicProcessor.invoke(HttpBasicProcessor.java:38)
      at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:134)
      at com.vordel.circuit.CircuitInvocation.runCircuit(CircuitInvocation.java:103)
      at com.vordel.circuit.CircuitInvocation.processMessage(CircuitInvocation.java:201)
      at com.vordel.dwe.http.HTTPPlugin.invokeDispose(HTTPPlugin.java:130)
      at com.vordel.dwe.http.HTTPPlugin.invoke(HTTPPlugin.java:58)
      Caused by: com.vordel.circuit.authn.VordelAuthNException: Resource '//atugupta.us.oracle.com/axis/services/urn:xmltoday-delayed-quotes' requires null authentication scheme
      at com.vordel.security.auth.repository.OracleAccessManagerRepository.checkCredentials(OracleAccessManagerRepository.java:107)


      We don't see any logs updated in the Access SDK logs, even though the log level is FINEST.

      We have made sure that OAM is working fine, and a query using the OAM APIs says that the same resource is protected using basic auth, but somehow OEG is not finding it protected using basic auth. In this case the Access SDK logs are updated.

      From the above, it seems to me that somehow OEG is not able to communicate with OAM.

      Please let me know if anyone has faced this issue and knows the root cause.

      Thanks!

      Nitin
        • 1. Re: OAM 11g - OEG integration
          882069
          Looks like either the creation of the ObAuthnScheme failed for the resource you're trying to protect, or the authN schema is not basic (user name / password). Can you confirm?
          • 2. Re: OAM 11g - OEG integration
            661909
            We have made sure that the authn scheme is basic. I am not sure what you mean by "creation of ObAuthnScheme failed". How do I check this?
            • 3. Re: OAM 11g - OEG integration
              882069
              The above exception is thrown by the OEG when the ObAuthnScheme for a resource is not basic (username / password). Can you confirm that you haven't configured the authN scheme to be form based or certificate based?

              In relation to the ObAuthnScheme failure, the OAM API is a JNI API, so it's possible that some initialization could have failed earlier in the OEG trace.
              • 4. Re: OAM 11g - OEG integration
                661909
                I have confirmed that OAM is configured properly. The scheme configured for the resource is basic auth only.

                The OAM JNI APIs might be failing, because we also see some OAM_INITIALIZATION exception in the trace. I will upload the trace logs.
                • 5. Re: OAM 11g - OEG integration
                  661909
                  Here is the complete trace:


                  INFO 03:56:47:677 [accfcb90] Attempting to connect to entity store at federated:file:////scratch/atugupta/download/OEG/New/enterprisegateway/conf/fed/configs.xml for process Service
                  INFO 03:56:48:052 [accfcb90] rolling file logs/ConfigurationManagementAuditTrail.xml stopped
                  INFO 03:56:48:053 [accfcb90] Shutting down Policy Director Manager
                  INFO 03:56:48:055 [accfcb90] Flushing Web Service cache
                  INFO 03:56:48:082 [accfcb90] Realtime monitoring enabled
                  INFO 03:56:48:082 [accfcb90] Message monitoring enabled
                  INFO 03:56:48:082 [accfcb90] Storing metrics in database disabled
                  INFO 03:56:48:653 [acfffb90] all connection cache sets removed
                  INFO 03:56:49:282 [accfcb90] cert store configured
                  INFO 03:56:49:298 [accfcb90] TCP interface
                  INFO 03:56:49:299 [accfcb90] checking invariants for interface *:8090
                  INFO 03:56:49:361 [accfcb90] Initializing Configuration Servlet
                  INFO 03:56:49:361 [accfcb90] Starting ESSOAPProvider with entitystore
                  INFO 03:56:49:361 [accfcb90] ESSOAPProvider initialized with entitystore
                  INFO 03:56:49:361 [accfcb90] Configuration Servlet initialized
                  INFO 03:56:49:599 [accfcb90] Monitoring processes for all users...
                  INFO 03:56:49:599 [accfcb90] Process ping interval is: 60 secs
                  INFO 03:56:49:599 [accfcb90] Process ping connection timeout is: 30 secs
                  INFO 03:56:49:599 [accfcb90] Process connection timeout is: 300 secs
                  INFO 03:56:49:599 [accfcb90] Adding monitor for proc: http://localhost:8090/runtime/management/ManagementAgent
                  INFO 03:56:49:599 [accfcb90] ... monitoring started.
                  INFO 03:56:49:669 [accfcb90] TCP interface
                  INFO 03:56:49:670 [accfcb90] checking invariants for interface *:8080
                  INFO 03:56:49:779 [ac7f7b90] Login attempt from admin
                  INFO 03:56:49:780 [ac7f7b90] User [admin] logged in
                  INFO 03:56:49:780 [ac7f7b90] Session timeout is: 1800 secs
                  ERROR 03:56:54:970 [ac2f2b90] OAM exception: NOT_INITIALIZED (code=204)
                  ERROR 03:56:54:970 [ac2f2b90] OAM exception: NOT_INITIALIZED (code=204)
                  ERROR 03:56:54:970 [ac2f2b90] OAM exception: NOT_INITIALIZED (code=204)
                  ERROR 03:56:54:970 [ac2f2b90] OAM exception: NOT_INITIALIZED (code=204)
                  ERROR 03:56:54:970 [ac2f2b90] Resource //atugupta.us.oracle.com/axis/services/urn:xmltoday-delayed-quotes requires null authentication scheme
                  ERROR 03:56:54:970 [ac2f2b90] OAM exception: NOT_INITIALIZED (code=204)
                  ERROR 03:56:54:971 [ac2f2b90] java exception:
                  com.vordel.circuit.authn.VordelAuthNException: Resource '//atugupta.us.oracle.com/axis/services/urn:xmltoday-delayed-quotes' requires null authentication scheme
                       at com.vordel.security.auth.repository.OracleAccessManagerRepository.checkCredentials(OracleAccessManagerRepository.java:107)
                       at com.vordel.security.auth.repository.RepositoryBase.checkCredentials(RepositoryBase.java:58)
                       at com.vordel.security.auth.HttpBasicAuthN.authenticate(HttpBasicAuthN.java:51)
                       at com.vordel.circuit.authn.HttpProcessor.performAuthentication(HttpProcessor.java:60)
                       at com.vordel.circuit.authn.HttpBasicProcessor.invoke(HttpBasicProcessor.java:38)
                       at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:134)
                       at com.vordel.circuit.CircuitInvocation.runCircuit(CircuitInvocation.java:103)
                       at com.vordel.circuit.CircuitInvocation.processMessage(CircuitInvocation.java:201)
                       at com.vordel.dwe.http.HTTPPlugin.invokeDispose(HTTPPlugin.java:130)
                       at com.vordel.dwe.http.HTTPPlugin.invoke(HTTPPlugin.java:58)

                  ERROR 03:56:54:971 [ac2f2b90] java exception:
                  com.vordel.circuit.authn.VordelAuthNException: Original Message - type=com.vordel.circuit.authn.VordelAuthNException msg=Resource '//atugupta.us.oracle.com/axis/services/urn:xmltoday-delayed-quotes' requires null authentication scheme
                       at com.vordel.security.auth.repository.OracleAccessManagerRepository.checkCredentials(OracleAccessManagerRepository.java:146)
                       at com.vordel.security.auth.repository.RepositoryBase.checkCredentials(RepositoryBase.java:58)
                       at com.vordel.security.auth.HttpBasicAuthN.authenticate(HttpBasicAuthN.java:51)
                       at com.vordel.circuit.authn.HttpProcessor.performAuthentication(HttpProcessor.java:60)
                       at com.vordel.circuit.authn.HttpBasicProcessor.invoke(HttpBasicProcessor.java:38)
                       at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:134)
                       at com.vordel.circuit.CircuitInvocation.runCircuit(CircuitInvocation.java:103)
                       at com.vordel.circuit.CircuitInvocation.processMessage(CircuitInvocation.java:201)
                       at com.vordel.dwe.http.HTTPPlugin.invokeDispose(HTTPPlugin.java:130)
                       at com.vordel.dwe.http.HTTPPlugin.invoke(HTTPPlugin.java:58)
                  Caused by: com.vordel.circuit.authn.VordelAuthNException: Resource '//atugupta.us.oracle.com/axis/services/urn:xmltoday-delayed-quotes' requires null authentication scheme
                       at com.vordel.security.auth.repository.OracleAccessManagerRepository.checkCredentials(OracleAccessManagerRepository.java:107)
                       ... 9 more

                  ERROR 03:56:54:972 [ac2f2b90] The message [Id-00000132393bd4ad-0000000001e14a78-8] logged Failure at 09.05.2011 03:56:54,971 with log description: HTTP basic authentication failed
                  ERROR 03:56:54:972 [ac2f2b90] Filter that caused failure: HTTP Basic
                  ERROR 03:56:54:972 [ac2f2b90] Policy 'Oracle Access Manager' {
                  ERROR 03:56:54:972 [ac2f2b90] Filter 'HTTP Basic' Status: FAILED
                  ERROR 03:56:54:972 [ac2f2b90] }
                  ERROR 03:56:54:972 [ac2f2b90] HTTP Basic filter failed
                  • 6. Re: OAM 11g - OEG integration
                    882069
                    The following error:
                    OAM exception: NOT_INITIALIZED (code=204)
                    hints that the OAM agent in the OEG is not initialized correctly and so is not communicating successfully with the Access Server. Have you installed the Access Manager SDK and created the AccessGateway correctly?
                    Thanks
                    • 7. Re: OAM 11g - OEG integration
                      661909
                      Yes, I have installed the Access Manager SDK and created the access gateway. The setup of the Access Manager SDK has been verified by running a simple query using it, and it confirmed that the resource is protected using the basic authn scheme.
                      If you want, you can access my setup. I am in Oracle IDC Noida.

                      What could be the other reason?
                      • 8. Re: OAM 11g - OEG integration
                        882069
                        How do you run the test client? Does it run as the same WebGateway as the OEG is configured as?
                        • 9. Re: OAM 11g - OEG integration
                          661909
                          Yes, the test program used the same webgateway as we configured for OEG. We created a 10g webgateway, and the Access Manager SDK is also 10g.
                          • 10. Re: OAM 11g - OEG integration
                            810135
                            Hi - I have seen that "OAM exception: 204: NOT_INITIALIZED" before, when the AccessGate was not configured correctly. Can you verify that you ran the configureAccessgate command-line tool on the OEG machine, and that the ObAccessClient.xml file was successfully created (in AccessServerSDK/oblix/lib)?

                            One more thing to verify: Do you have a URL prefix set up in OAM which maps to the Relative Path in OEG which is being accessed? E.g. if you have a policy mapped to "/MyPage" in OEG, then you must have an equivalent "resource" and "URL Prefix" set up in the Policy domain you are using (under "Policy Manager" in OAM).
                            • 11. Re: OAM 11g - OEG integration
                              661909
                              We used the configureAccessgate utility to configure the Access Manager SDK. It created ObAccessClient.xml in the directory you mentioned.
                              I am not sure about your other comment - how do I check the "resource" and "URL Prefix" setup in the Policy domain?

                              In OEG, the relative path that I have given is "/axis/services".

                              In OAM, I added a new resource under my application domain. The type is HTTP, the resource URL is "/axis/services", the query string is empty, the protection level is protected, and I selected the authn policy.
                              • 12. Re: OAM 11g - OEG integration
                                810135
                                That all sounds right. Do the HTTP Verbs also match up (e.g. if it's a POST to the URL on OEG, is the policy on OAM also set up for a POST)?
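
Added example, not part of the original thread or any poster's code: a triage script for an OEG trace in the format posted in reply 5. It applies the reading given in replies 6 and 10, that a "requires null authentication scheme" failure on a thread that also logged NOT_INITIALIZED points at Access SDK / AccessGate initialization rather than at the policy's scheme. The sample trace is constructed; the host name, the non-null scheme line and the cause labels are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the trace format quoted in the thread.
# The "form" line is hypothetical: the thread only shows the "null" case.
SAMPLE_TRACE = """\
INFO 03:56:49:780 [ac7f7b90] User [admin] logged in
ERROR 03:56:54:970 [ac2f2b90] OAM exception: NOT_INITIALIZED (code=204)
ERROR 03:56:54:970 [ac2f2b90] Resource //gw.example.test/axis/services/quotes requires null authentication scheme
ERROR 03:56:54:970 [ac2f2b90] OAM exception: NOT_INITIALIZED (code=204)
    at com.vordel.security.auth.HttpBasicAuthN.authenticate(HttpBasicAuthN.java:51)
ERROR 03:56:54:972 [ac2f2b90] Filter 'HTTP Basic' Status: FAILED
ERROR 04:10:02:115 [ab1e0b90] Resource //gw.example.test/forms/login requires form authentication scheme
ERROR 04:10:02:116 [ab1e0b90] Filter 'HTTP Basic' Status: FAILED
"""

# LEVEL HH:MM:SS:mmm [thread-id] message
LINE = re.compile(r"^(?P<level>[A-Z]+)\s+\d\d:\d\d:\d\d:\d{3}\s+"
                  r"\[(?P<tid>[0-9a-f]+)\]\s+(?P<msg>.*)$")
OAM_ERR = re.compile(r"OAM exception: (?P<name>\w+) \(code=(?P<code>\d+)\)")
SCHEME = re.compile(r"Resource '?(?P<res>[^\s']+)'? requires "
                    r"(?P<scheme>\S+) authentication scheme")


def triage(trace):
    """Classify each authentication-scheme failure by its likely cause."""
    oam_errors = defaultdict(set)  # thread id -> OAM error names seen on it
    failures = []                  # (thread id, resource, scheme)
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace frames and other continuation lines
        tid, msg = m["tid"], m["msg"]
        if (err := OAM_ERR.search(msg)):
            oam_errors[tid].add(err["name"])
        elif (s := SCHEME.search(msg)):
            failures.append((tid, s["res"], s["scheme"]))

    report = []
    for tid, res, scheme in failures:
        if "NOT_INITIALIZED" in oam_errors[tid]:
            cause = "sdk-not-initialized"   # check ObAccessClient.xml / AccessGate
        elif scheme == "null":
            cause = "scheme-lookup-empty"   # check resource / URL prefix / verb
        else:
            cause = "scheme-not-basic"      # policy uses another authn scheme
        report.append({"thread": tid, "resource": res,
                       "scheme": scheme, "cause": cause})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_TRACE):
        print(row)
```
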