Friday, February 18, 2011

Configuring Password Policy in Oracle Access Manager (Formerly Oblix NetPoint)

Configuring OAM (Access and Identity System) to use a password policy is not obvious: no single document or post describes all the required steps in one place. Hence this effort.

=======
Step-1: Import LDIFs into the directory server (DS) configured for OAM.
=======

* Create an LDIF file, lpm.ldif, with the following schema change (for LPM functionality). The OIDs are whatever the author chose for this test; use an OID arc your organization controls so they cannot collide with other schema.
---------------------
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.204 NAME 'myChallenge' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.205 NAME 'myResponse' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.9999.1.1094.206 NAME 'oblixAuxPerson4LPM' DESC 'User defined objectclass' SUP top AUXILIARY MAY ( myChallenge $ myResponse ) )
---------------------

Import the above lpm.ldif into the DS containing the user data.

* Create an LDIF file, pwd.ldif, with the following data entry.
Note: the schema change for this class was already made as part of the Oblix schema change during setup.
---------------------
dn: obclass=oblixPersonPwdPolicy,o=Oblix,dc=red,dc=iplanet,dc=com
objectclass: top
objectclass: OblixClass
obready: true
obclasstype: personClass
obclass: oblixPersonPwdPolicy
obclasskind: Auxiliary
obver: 10.1.4.0
----------------------

Import the above pwd.ldif into the DS containing the Oblix tree.
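
Before importing, it is worth checking both files for the problems that make a directory server reject a schema change: a record without a dn:, a definition missing its SYNTAX or class kind, an OID reused by two definitions, a MAY/MUST reference to an attribute that does not exist, and any non-ASCII or control character pasted in from a document. The following pre-flight script is an added example and is not part of the original post; the LDIF text inside it is constructed from the two files shown above, and the ldapmodify option style it prints (-h host -p port -D bindDN -f file, as in the Sun/iPlanet DS tools) is an assumption about the tools in use.

```python
"""Pre-flight checks for lpm.ldif / pwd.ldif before running ldapmodify (added example)."""
import re

# Constructed from the lpm.ldif schema change shown above.
LPM_LDIF = """\
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.204 NAME 'myChallenge' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.205 NAME 'myResponse' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.9999.1.1094.206 NAME 'oblixAuxPerson4LPM' DESC 'User defined objectclass' SUP top AUXILIARY MAY ( myChallenge $ myResponse ) )
"""

# Constructed from the pwd.ldif data entry shown above.
PWD_LDIF = """\
dn: obclass=oblixPersonPwdPolicy,o=Oblix,dc=red,dc=iplanet,dc=com
objectclass: top
objectclass: OblixClass
obready: true
obclasstype: personClass
obclass: oblixPersonPwdPolicy
obclasskind: Auxiliary
obver: 10.1.4.0
"""

SCHEMA_RE = re.compile(r"^\(\s*([\d.]+)\s+NAME\s+'([^']+)'(.*)\)\s*$")


def parse_ldif(text):
    """Records as lists of (attribute, value); continuation lines are folded, comments skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:
        if line == "":
            if current:
                records.append(current)
            current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.append((attr.strip().lower(), value.strip()))
    return records


def schema_definitions(text):
    """(kind, oid, name, rest) for each attributetypes/objectclasses value; oid None if unparseable."""
    out = []
    for record in parse_ldif(text):
        for attr, value in record:
            if attr in ("attributetypes", "objectclasses"):
                m = SCHEMA_RE.match(value)
                out.append((attr, m.group(1), m.group(2), m.group(3)) if m else (attr, None, None, value))
    return out


def check_ldif(text):
    """List of problems; an empty list means the file looks safe to import."""
    problems = []
    for lineno, raw in enumerate(text.split("\n"), 1):  # split on \n so a stray \r is caught too
        bad = [c for c in raw if ord(c) > 126 or (ord(c) < 32 and c != "\t")]
        if bad:
            problems.append(f"line {lineno}: non-ASCII or control character {bad[0]!r}")
    for i, record in enumerate(parse_ldif(text), 1):
        attrs = [a for a, _ in record]
        if attrs[0] != "dn":
            problems.append(f"record {i}: must start with dn:")
        if "changetype" not in attrs and "objectclass" not in attrs:
            problems.append(f"record {i}: add record without objectclass")
    seen, defined = {}, set()  # OID -> name (duplicate detection); attribute names defined so far
    for kind, oid, name, rest in schema_definitions(text):
        if oid is None:
            problems.append(f"unparseable {kind} definition: {rest}")
            continue
        if seen.get(oid, name) != name:
            problems.append(f"OID {oid} reused by {name!r} (already {seen[oid]!r})")
        seen[oid] = name
        if kind == "attributetypes":
            if "SYNTAX" not in rest:
                problems.append(f"attribute {name}: no SYNTAX")
            defined.add(name.lower())
        else:
            if not re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", rest):
                problems.append(f"objectclass {name}: no kind (STRUCTURAL/AUXILIARY/ABSTRACT)")
            for kw in ("MUST", "MAY"):
                m = re.search(rf"\b{kw}\s+(?:\(([^)]*)\)|([\w;-]+))", rest)
                if m:
                    names = m.group(1) if m.group(1) is not None else m.group(2)
                    for n in names.split("$"):
                        if n.strip().lower() not in defined:
                            problems.append(f"objectclass {name}: {kw} {n.strip()!r} not defined here; confirm it exists in the DS")
    return problems


def ldapmodify_command(host, port, bind_dn, ldif_path):
    """argv in the Sun/iPlanet DS option style (assumed); add your tool's bind-password option
    at the console (-w on Sun DS, -W on OpenLDAP) instead of embedding a password here."""
    return ["ldapmodify", "-h", host, "-p", str(port), "-D", bind_dn, "-f", ldif_path]


if __name__ == "__main__":
    for path, text in (("lpm.ldif", LPM_LDIF), ("pwd.ldif", PWD_LDIF)):
        print(path, check_ldif(text) or "OK")
        print(" ".join(ldapmodify_command("parrot.red.iplanet.com", 389, "cn=Directory Manager", path)))
```

Run the check against the real files on disk (read them as UTF-8 so that a curly quote or non-breaking space shows up as a character above 126) and only then run the printed ldapmodify command; the port and bind DN in the demo are placeholders.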

=======
Step-2: Configure oblixAuxPerson4LPM in Identity Console (for LPM functionality)
=======
a) go to Identity System Console --> Common Configuration --> Object Classes
* Add the auxiliary class oblixAuxPerson4LPM (the name is case-insensitive in LDAP).
Object Class - oblixauxperson4lpm
Class Attribute - No Class Attribute is specified.
Class Type - Person
Class Kind - Auxiliary

b) go to Identity System Console --> User Manager Configuration --> Tabs --> Employees
* Modify the Employees tab to associate the auxiliary class oblixAuxPerson4LPM.

c) go to Identity System Console --> User Manager Configuration --> Tabs --> Employees --> View Object Profile --> Configure Panels
* Configure your default panel, or a dedicated LPM panel, to add the myChallenge and myResponse attributes to the user profile, depending on your customization.

d) go to User Manager --> Configuration --> Attribute Access Control
* Set attribute access for myChallenge and myResponse as desired. The response is a secret used to recover the account, so do not let ordinary users read it.

=======
Step-3: Configure oblixPersonPwdPolicy in Identity Console
=======
a) go to Identity System Console --> User Manager Configuration --> Tabs --> Employees
* Modify the Employees tab to associate the auxiliary class oblixPersonPwdPolicy.

=======
Step-4: Setup Password Policy
=======
a) go to Identity System Console --> System Configuration --> Password Policy --> Add
* Create a new password policy as you need.

My test password policy looks like this (the values are deliberately loose so that expiry and lockout can be exercised within a few days; they are not production values) -
Password Policy Name : testpwdpolicy
Password Policy Domain : dc=red,dc=iplanet,dc=com
Password policy filter : Did not specify
Lost Password Policy Name : Did not specify
Password Minimum Length : 3 characters
Minimum Number of Uppercase Characters : 0 characters
Minimum Number of Lowercase Characters : 0 characters
Minimum Number of Nonalphanumeric Characters : 0 characters
Minimum Number of Numeric Characters : 0 characters
Externally specified validation rules : Did not check
Password Validity Period : 4 days
Password Expiry Notice Period : 3 days
Mode of Conveying the Expiry Notice : At Login
Password minimum age : Did not specify
Change on Reset : Enable
Password History : No Password History
Number of login tries allowed : 3
Lockout Duration : 1 Hours
Login tries reset : 2 days
Lost Password Redirect Stylesheet : Defaults
Password Change Redirect Stylesheet : Defaults
Password Expiry Warning Redirect URL : Defaults
Custom Account Lockout Redirect URL : Defaults
Password Policy Enable : Enable

b) Create default URLs for redirects

My test configuration looks like -
Lost Password Redirect URL : http://parrot.red.iplanet.com:8080/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=passwordChallengeResponse&login=%userid%&backURL=%HostTarget%%RESOURCE%&target=top
Password Change Redirect URL : http://parrot.red.iplanet.com:8080/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=redirectforchangepwd&login=%userid%&backURL=%HostTarget%%RESOURCE%&target=top
Password Expiry Warning Redirect URL : http://parrot.red.iplanet.com:8080/sample/passwordexpiry.html
Custom Account Lockout Redirect URL : http://parrot.red.iplanet.com:8080/sample/accountlockout.html

Log Authentication attempts:
Successful Attempts Attribute : Enable
Failed Attempts Attribute : Enable
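
The settings above interact: with a validity period of 4 days and a notice period of 3 days, the expiry warning starts one day after a password change; three failures within the tries-reset window lock the account for an hour; and the redirect URLs carry %userid%, %HostTarget% and %RESOURCE% placeholders that OAM fills in at redirect time. The following model is an added example, not OAM's own code: the policy values and URLs are the ones from this test configuration, while the way failed logins are counted, when the counter resets and when the warning starts are assumptions stated in the comments.

```python
"""Executable model of the testpwdpolicy settings listed above (added example, not OAM code)."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

HOST_TARGET = "http://parrot.red.iplanet.com:8080"
LPM_CGI = HOST_TARGET + "/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi"
CHANGE_PWD_URL = LPM_CGI + "?program=redirectforchangepwd&login=%userid%&backURL=%HostTarget%%RESOURCE%&target=top"
EXPIRY_WARN_URL = HOST_TARGET + "/sample/passwordexpiry.html"
LOCKOUT_URL = HOST_TARGET + "/sample/accountlockout.html"
T0 = datetime(2011, 2, 18, 9, 0, 0)  # reference time for the scenarios below


def at(days=0, hours=0, minutes=0, seconds=0):
    """A point in time relative to T0."""
    return T0 + timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


@dataclass(frozen=True)
class PasswordPolicy:  # defaults are the testpwdpolicy values from this page
    min_length: int = 3
    min_upper: int = 0
    min_lower: int = 0
    min_nonalnum: int = 0
    min_numeric: int = 0
    validity: timedelta = timedelta(days=4)           # Password Validity Period
    expiry_notice: timedelta = timedelta(days=3)      # Password Expiry Notice Period
    login_tries_allowed: int = 3                      # Number of login tries allowed
    lockout_duration: timedelta = timedelta(hours=1)  # Lockout Duration
    login_tries_reset: timedelta = timedelta(days=2)  # Login tries reset


@dataclass(frozen=True)
class AccountState:
    """Per-user tracking data, which OAM keeps on the user's directory entry."""
    password_changed: datetime
    login_try_count: int = 0
    last_failed: Optional[datetime] = None
    lockout_time: Optional[datetime] = None


def complexity_violations(policy, password):
    """Rules a candidate password breaks; an empty list means it is acceptable."""
    counts = [
        ("minimum length", len(password), policy.min_length),
        ("uppercase", sum(c.isupper() for c in password), policy.min_upper),
        ("lowercase", sum(c.islower() for c in password), policy.min_lower),
        ("numeric", sum(c.isdigit() for c in password), policy.min_numeric),
        ("nonalphanumeric", sum(not c.isalnum() for c in password), policy.min_nonalnum),
    ]
    return [f"{name}: {have} < {need}" for name, have, need in counts if have < need]


def expand_redirect(template, userid, resource, host_target=HOST_TARGET):
    """Fill the %userid%, %HostTarget% and %RESOURCE% placeholders of a redirect URL."""
    return (template.replace("%userid%", userid)
                    .replace("%HostTarget%", host_target)
                    .replace("%RESOURCE%", resource))


def is_locked(policy, state, now):
    return state.lockout_time is not None and now < state.lockout_time + policy.lockout_duration


def record_failure(policy, state, now):
    """Apply one failed login. Assumed: the counter restarts once the previous failure is older
    than 'Login tries reset'; reaching 'tries allowed' sets the lockout time."""
    if state.last_failed is None or now - state.last_failed > policy.login_tries_reset:
        count = 1
    else:
        count = state.login_try_count + 1
    lockout = now if count >= policy.login_tries_allowed else state.lockout_time
    return replace(state, login_try_count=count, last_failed=now, lockout_time=lockout)


def record_success(state):
    """A successful login clears the failure counter and any expired lockout."""
    return replace(state, login_try_count=0, last_failed=None, lockout_time=None)


def login_decision(policy, state, now, userid, resource):
    """Outcome of a login attempt: (status, redirect URL or None).
    Assumed: the expiry warning shows from 'validity - notice period' after the last change."""
    if is_locked(policy, state, now):
        return "locked", LOCKOUT_URL
    age = now - state.password_changed
    if age >= policy.validity:
        return "expired", expand_redirect(CHANGE_PWD_URL, userid, resource)
    if age >= policy.validity - policy.expiry_notice:
        return "warn", EXPIRY_WARN_URL
    return "ok", None


if __name__ == "__main__":
    policy, user, res = PasswordPolicy(), "jdoe", "/sample/test.html"
    state = AccountState(password_changed=at(days=-2))
    print(login_decision(policy, state, T0, user, res))
    for i in range(3):  # three bad passwords within seconds of each other
        state = record_failure(policy, state, at(seconds=i))
    print(login_decision(policy, state, at(minutes=30), user, res))
```

Changing the defaults of PasswordPolicy to a production-strength profile (longer minimum length, character-class minimums, a longer validity period) and re-running the scenarios is a quick way to see what users will hit before the policy is enabled on a live domain.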

=======
Step-5: Enable the Access System to use the password policy.
=======
By default the Access Server does not use the password policy defined through the Identity System. The oblixPersonPwdPolicy configuration from Step-3 is a prerequisite; in addition, do the following.
a) go to Access System Console --> Access System Configuration --> Authentication Management --> Basic Over LDAP --> Plugins --> validate_password
* Modify its parameters to
obCredentialPassword="password",obReadPasswdMode="LDAP",obWritePasswdMode="LDAP"

Note: Make sure there is no typo in the above value. Copy and paste the text into a plain text editor and make sure there are no special characters (curly quotes, non-breaking spaces) or typos. I had to debug for a long time because of a special character in this (copy-paste error).
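
A small checker for that parameter string, as an added example that is not part of the original post: it rejects any non-ASCII or control character, requires every piece to have the exact key="value" shape with no stray spaces, and reports a key that is missing, unexpected, or set to something other than LDAP. The assumption that OAM parses the string as comma-separated key="value" pairs follows the value shown above; it is not taken from OAM's own parser.

```python
"""Sanity-check the validate_password plug-in parameter string (added example)."""
import re

EXPECTED = {"obCredentialPassword", "obReadPasswdMode", "obWritePasswdMode"}
PARAM_RE = re.compile(r'^([A-Za-z]\w*)="([^"]*)"$')  # one key="value" piece, no surrounding spaces


def parse_plugin_params(text):
    """Parse 'k="v",k="v"' into a dict; raise ValueError on any non-ASCII or malformed piece."""
    for offset, ch in enumerate(text):
        if ord(ch) > 126 or ord(ch) < 32:
            raise ValueError(f"offset {offset}: non-ASCII or control character {ch!r} (U+{ord(ch):04X})")
    params = {}
    for piece in text.split(","):  # the values used here never contain commas
        m = PARAM_RE.match(piece)
        if not m:
            raise ValueError(f"malformed parameter {piece!r}: expected key=\"value\" with no spaces")
        if m.group(1) in params:
            raise ValueError(f"duplicate parameter {m.group(1)}")
        params[m.group(1)] = m.group(2)
    return params


def check_validate_password_params(text):
    """Problems with the Step-5 value; an empty list means it matches what the step expects."""
    try:
        params = parse_plugin_params(text)
    except ValueError as e:
        return [str(e)]
    problems = [f"missing parameter {k}" for k in sorted(EXPECTED - params.keys())]
    problems += [f"unexpected parameter {k}" for k in sorted(params.keys() - EXPECTED)]
    for key in ("obReadPasswdMode", "obWritePasswdMode"):
        if key in params and params[key] != "LDAP":
            problems.append(f"{key} should be LDAP, got {params[key]!r}")
    return problems


if __name__ == "__main__":
    good = 'obCredentialPassword="password",obReadPasswdMode="LDAP",obWritePasswdMode="LDAP"'
    pasted = good.replace('"LDAP"', '\u201cLDAP\u201d', 1)  # curly quotes from a word processor
    print(check_validate_password_params(good) or "OK")
    print(check_validate_password_params(pasted))
```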

=======
Step-6: Configure LPM policy
=======
a) go to Identity System Console --> System Configuration --> Lost Password Policy --> Add
* Create a new lost password policy as you need.
* Link it with the password policy set up in Step-4 if required.

=======
Step-7: Restart Identity and Access System
=======

=======
Step-8: Test
=======
* To test the redirect URLs defined in the password policy, access a resource protected by the Access System. If you test the password policy by logging in to the Identity or Access Console, you will not be redirected.

a) Access a protected resource
http://parrot.red.iplanet.com:8080/sample/test.html

Try a failed authentication, then open an LDAP browser on the data store: the user entry is updated with lockout and password-tracking information, which confirms that the Access System is applying the password policy. Now test as you wish.