Friday 13 July 2018

OracleDB AuthN using OID

For setup details, refer to: It-dba/omegadb oid registration
Replace the OID location in ldap.ora with the following:
DIRECTORY_SERVERS= (finssodir.thefacebook.com:636:636)

The OMSPRD_PRN password expired in OAM as per the security policies. Executed the commands below to validate the existing password.

Error: DB-OID bind credentials failed.
Metalink ID: 340559.1 (for the command reference)

On the DB nodes xd05dbadm01/02:
./mkstore -wrl /u01/app/oracle/product/db_omsprd/admin/OMSPRD_PRN/wallet -viewEntry ORACLE.SECURITY.DN
./mkstore -wrl /u01/app/oracle/product/db_omsprd/admin/OMSPRD_PRN/wallet -viewEntry ORACLE.SECURITY.PASSWORD

[oracle@xd05dbadm01 bin]$ ./mkstore -wrl /u01/app/oracle/product/db_omsprd/admin/OMSPRD_PRN/wallet -viewEntry ORACLE.SECURITY.DN
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
ORACLE.SECURITY.DN = cn=OMSPRD_PRN,cn=OracleContext,dc=thefacebook,dc=com

[oracle@xd05dbadm01 bin]$ ./mkstore -wrl /u01/app/oracle/product/db_omsprd/admin/OMSPRD_PRN/wallet -viewEntry ORACLE.SECURITY.PASSWORD
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
ORACLE.SECURITY.PASSWORD =  encrypted string.

To change the password, execute the steps below.
  • Log in to ODSM:
    http://prn-finoamprd01.thefacebook.com:7005/odsm
    username: orcladmin, password: xxxxx
  • Navigate to the "Data Browser" tab and search for "OMSPRD_PRN", then click on it in the results.
  • Go to the password attribute at the bottom of the page, change the password, and click Apply at the top right-hand side.

Change the password in the wallet on the DB servers xd05dbadm01/02:
./mkstore -wrl /u01/app/oracle/product/db_omsprd/admin/OMSPRD_PRN/wallet -modifyEntry ORACLE.SECURITY.PASSWORD  newpassword

To validate the new credentials, use the following command:
./ldapbind -h prn-finoamprd01.thefacebook.com -p 3060 -D "cn=OMSPRD_PRN,cn=OracleContext,dc=thefacebook,dc=com" -w "newpassword"

OAM Integration with Duo

These instructions are for OAM administrators only. 

First Steps

  • Open a task with Duo Security team.
  • Ask for integration key, secret key, and API hostname.
  • These keys can be reused in all the OAM environments

Steps on OAM WebLogic console

  • Download OAM plugin from Duo
  • Unzip this file and upload it to all OAM servers in the cluster to a location like $OAM_DOMAIN_HOME/duo
  • Log in to the WebLogic administrative console on your OAM server.
  • On the WebLogic administrative console click Deployments in the left-hand side menu.
  • On the "Deployments" page click the Install button.
  • On the "Install Application Assistant" page, select DuoLogin.war from the source path.
  • On the "Choose targeting style" page select Install this deployment as an application and click Next.
  • On the "Select deployment targets" page, select all OAM managed servers as targets
  • On the optional settings page, choose "I will make the deployment accessible from the following location".
  • On the "Review your choices and click Finish" page click Finish.
  • Activate the application.

Steps on OAM console

  • Log in to the OAM console.

Prepare

  • Go to Application Security -> Authentication Schemes -> OIDscheme. Set the default auth scheme to OID.
  • Go to Configuration -> User Identity Stores. Change the default store to OID.

Enabling Adaptive Authentication Service

  • Go to Configuration -> Available Services -> Enable Service for Adaptive Authentication Service

Deploying the Duo JAR file

  • Go to Application Security -> "Plug-ins" -> Authentication Plug-ins
  • On the "Plug-ins" page click Import Plug-in
  • Locate the DuoPlugin.jar file from the ZIP file you uncompressed earlier.
  • On the "Import Plug-in" screen upload the JAR file next to Plug-in File (*.jar) and click Import. The pop-up screen will disappear.
  • Click the refresh button on the "Plug-ins" page to reload the plug-ins.
  • Scroll through the listed plug-ins and select Duo-Plugin. It should show an "Activation Status" of Uploaded.
  • Fill out the ikey, skey, host, and Fail mode fields located under "Plug-in Details: DuoPlugin". Refer to the OAM DEV environment for the key values.
 Note on Fail mode: the Fail mode value can be either safe or secure. As per team discussion, it is agreed to keep this as safe.
  • safe: In the event that Duo's service cannot be contacted, users' authentication attempts will be permitted if primary authentication succeeds. (Default)
  • secure: In the event that Duo's service cannot be contacted, all users' authentication attempts will be rejected.
  • When all the fields have been populated click Save.
  • Once you've successfully saved the settings click the Distribute Selected button at the top of "Plug-ins" section. Click the refresh button to refresh the plug-ins page. The "Activation Status" will change to Distributed.
  • With the "DuoPlugin" selected click Activate Selected.
  • Wait a moment for the page to reload and then click the refresh button. It should show an "Activation Status" of Activated.

Only if Activation fails in above step

This section is not required if the plugin is already activated.
  • Stop all servers in OAM domain
  • Go to $OAM_DOMAIN_HOME/config/fmwconfig on admin server node
  • Take a backup of oam-config.xml
  • Open oam-config.xml and look for a line like this one:
     <Setting Name="Version" Type="xsd:integer">448</Setting>
  • Increment the number by one and save.
  • In the same file, oam-config.xml, locate a section that starts like this:
     <Setting Name="DuoPlugin" Type="htf:map">
  • Under this section, look for a line that says failed and change it to activated.
  • After the change, this line should look like this:
     <Setting Name="value" Type="xsd:string">activated</Setting>
  • Start OAM admin and managed servers.
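
The oam-config.xml edit above as an added Python example (not part of the original post, nor Oracle or Duo tooling). It changes only the two values the steps name, scopes the failed-to-activated change to the DuoPlugin section, and refuses to write if the file does not match; the sample layout around the quoted lines, the "OtherPlugin" map and all function names are assumptions.

```python
import re
from pathlib import Path

# Constructed sample; only the three <Setting> lines shown in the steps are from the page.
SAMPLE = """<Configuration>
  <Setting Name="Version" Type="xsd:integer">448</Setting>
  <Setting Name="DuoPlugin" Type="htf:map">
    <Setting Name="value" Type="xsd:string">failed</Setting>
  </Setting>
  <Setting Name="OtherPlugin" Type="htf:map">
    <Setting Name="value" Type="xsd:string">failed</Setting>
  </Setting>
</Configuration>
"""

VERSION = re.compile(r'(<Setting Name="Version" Type="xsd:integer">)(\d+)(</Setting>)')
FAILED = re.compile(r'(<Setting Name="value" Type="xsd:string">)failed(</Setting>)')
TAG = re.compile(r"<Setting\b[^>]*>|</Setting>")
DUO_OPEN = '<Setting Name="DuoPlugin" Type="htf:map">'

def section_span(text, opener):
    """Offsets of the whole <Setting> element that starts with `opener`."""
    start, depth = text.index(opener), 0  # ValueError if the section is missing
    for m in TAG.finditer(text, start):
        if not m.group().endswith("/>"):  # self-closing tags do not nest
            depth += -1 if m.group().startswith("</") else 1
        if depth == 0:
            return start, m.end()
    raise ValueError("section is never closed")

def activate_duo(text):
    """Return (patched_text, new_version); raise rather than guess."""
    if len(VERSION.findall(text)) != 1:
        raise ValueError("expected exactly one integer Version setting")
    start, end = section_span(text, DUO_OPEN)
    section, hits = FAILED.subn(r"\g<1>activated\g<2>", text[start:end])
    if hits != 1:
        raise ValueError(f"expected one 'failed' value under DuoPlugin, got {hits}")
    new = int(VERSION.search(text).group(2)) + 1
    text = text[:start] + section + text[end:]
    return VERSION.sub(lambda m: f"{m.group(1)}{new}{m.group(3)}", text), new

def patch_file(path):
    """Keep the original as <path>.bak, then write the patched file."""
    original = Path(path).read_text(encoding="utf-8")
    patched, new = activate_duo(original)  # raises before anything is written
    Path(f"{path}.bak").write_text(original, encoding="utf-8")
    Path(path).write_text(patched, encoding="utf-8")
    return new
```

As in the manual steps, run `patch_file` on the admin server node only while all servers in the OAM domain are stopped.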

Create an Authentication Module

Once the Duo plug-in has been uploaded and activated, you have to create an authentication module to tell the plugin how to respond during logins.
  • On OAM console, click Application Security -> Authentication Modules located under "Plug-ins".
  • On the "Authentication Modules" page click the Create Authentication Module button on the right-hand side, from the drop-down select Create Custom Authentication Module. You will be taken to a new page.
  • On the "General" tab type Duo into the Name field.
  • Leave the Description field blank.
  • Click on the "Steps" tab. Click the + button to open the "Add new step" wizard.
  • Type Duo 2FA for Step Name.
  • Leave the Description field blank.
  • Select DuoPlugin from the drop-down for Plug-in Name and click OK. You will see "Duo 2FA" appear under "Step Name".
  • On the "Steps" tab, click the + button again to open the "Add new step" wizard.
  • Type UI for Step Name.
  • Leave the Description field blank.
  • Select UserIdentification from the drop-down for Plug-in Name and click OK.
  • Click on the "Steps Orchestration" tab. Select Duo 2FA from the Initial Step drop-down.
  • In the table under On Success select UI from the drop-down.
  • In the table under On Failure select failure from the drop-down.
  • In the table under On Error select failure from the drop-down.
  • Click the Apply button. The page will reload confirming the module has been created.
  • For the UI step, select success, failure and failure, as shown in the screenshot below.

Create an Authentication Scheme

Creating a new authentication scheme will allow the Duo plug-in and DuoLogin WAR file to communicate with each other.
  • Go to Application Security -> Authentication Schemes
  • On the "Authentication Schemes" page click the Create Authentication Scheme button on the right-hand side. You will be taken to a new page.
  • On the "Create Authentication Scheme" page type Duo into the Name field.
  • Leave the Description field blank.
  • Set Authentication Level to 2.
  • Leave the Default option unchecked.
  • Select FORM from the Challenge Method drop-down.
  • Type /oam/server into the Challenge Redirect URL field.
  • Select Duo from the Authentication Module drop-down.
  • Type /pages/DuoLogin.jsp into the Challenge URL field.
  • Select customWar from the Context Type drop-down.
  • Type /DuoLogin into the Context Value field.
  • Leave the Challenge Parameters field blank.
  • Click the Apply button. The page will reload confirming the authentication scheme has been created.

Protect an Application Domain with Duo

You can now apply the Duo authentication scheme to any Application Domain you'd like to protect with Duo 2FA.
  • Go to Application Security -> Application Domains
  • On the "Search Application Domains" page select the application domain you would like to protect with Duo and click Edit. A new page will appear.
  • On the application page click the Authentication Policies tab. Click on Protected Resource Policy and click Edit. A new page will appear.
  • On the "Protected Resource Policy" page click the Advanced Rules tab and then click the Post-Authentication tab. Click + Add and a new screen will pop up.
  • On the "Add Rule" pop-up type Duo 2FA into the Rule Name field.
  • Leave the Description field blank.
  • In the Condition field type 'true' == 'true'.
  • Select Duo from the Switch Authentication Scheme to drop-down.
  • Click Save. The pop-up window will close.
  • You should now see Duo 2FA listed under "Post-Authentication". Click the Apply button at the top of the screen. You will receive a confirmation message at the top of the screen saying the policy was successfully modified.
  • Repeat these steps on as many Application Domains as you'd like to protect with Duo 2FA.

Restart and Test

  • Shut down all OAM servers. Restart the Admin server first and then the OAM managed servers.
  • Test the application.