OAM – Securing Mobile applications and working with social identities –

USE CASES

Exercise 1: Setting up the lab

Practice 1.1: Import “ova” file

1. Make sure you have VBox installed and configured on your laptop: https://www.virtualbox.org/wiki/Downloads

2. Download the “AdvancedAccessWorkshopR2PS1.ova” file to your laptop.

3. Open the VBox and click on Import Appliance

4. Choose the downloaded file and import.

5. Change the RAM settings to 5900MB

6. Start the import

7. The Virtual machine is successfully created.

8. Log in to the virtual machine. Username is oracle and password is Oracle123

Practice 1.2: Edit hosts file

1. Obtain the IP of the guest virtual machine by typing ifconfig from inside the terminal.

The IP address after inet addr is the IP of this machine (192.168.56.101).

2. Identify the hosts file in the guest operating system.

3. Edit the hosts file. Create the following entry for oam.example.com, which is the host alias in the VM:

Practice 1.3: Start the servers

The following are the relevant directories:

a) MW_HOME - /app/u01/middleware

b) OUD_INSTANCE - /app/u01/middleware/asinst_1

c) IAM_HOME - /app/u01/middleware/Oracle_IDM1

d) DOMAIN_HOME - /app/u01/middleware/user_projects/domains/idm_domain

f) DB_HOME - /app/u01/product/11.2.0/dbhome_1

g) ADT_HOME (Android Development Tools) - /home/oracle/android_dev/adt-bundle-linux-x86_64-20130219 (containing Eclipse IDE and Android SDK)

h) LABWORKSPACE - /home/oracle/labworkspace (Containing lab files)

i) FQDN for the machine/VM is oam.example.com

j) Key URLs:

OAM Console – http://oam.example.com:7001/oamconsole (weblogic/Oracle123)

WLS Console – http://oam.example.com:7001/console (weblogic/Oracle123)

EM FMW Control – http://oam.example.com:7001/em (weblogic/Oracle123)

1. Make sure the database is up:

a) In a terminal window, issue the following commands:

cd

. ./dbenv.sh

sqlplus / as sysdba

2. Start the WebLogic Admin Server

In a new terminal, issue the following commands:

cd /app/u01/middleware/user_projects/domains/idm_domain/bin

./startWebLogic.sh

The status of Admin Server changes to running mode as shown below.

3. Start the WebLogic Managed Server (for OAM)

From a new terminal, issue the following commands:

cd /app/u01/middleware/user_projects/domains/idm_domain/bin

./startManagedWebLogic.sh oam_server1

(username/pwd: weblogic/Oracle123)

The WLS managed server goes to running mode as shown below.

4. Start OUD server

From a new terminal, issue the following commands to start OUD server instance:

cd /app/u01/middleware/asinst_1/OUD/bin

./start-ds

OUD Server is successfully started as shown below.

Exercise 2: Demonstrate native mobile login

Practice 2.1: Enable Social and Mobile

In this practice, you verify that the Access Manager and Mobile and Social functions within the OAM suite are enabled.

Log in to the OAM Console using http://oam.example.com:7001/oamconsole

Click the System Configuration tab. Double-click the Available Services node under Common Configuration. Verify that Access Manager and Mobile and Social in the right pane are enabled.

Practice 2.2: Download Android ADT

Android Client SDK:

This SDK serves as a security layer for developing secure mobile applications on Android devices. It essentially simplifies the development of the applications by taking control of authentication, authorization, user profile services and secure storage. The minimum Android version supported by the Mobile and Social Android Client SDK is Android 2.2.

Note: This lab has already been done for you and the ADT is downloaded and staged under /home/oracle/android_dev/adt-bundle-linux-x86_64-20130219

This has two subdirectories, sdk and eclipse.

Practice 2.3: Create an Android Virtual Device (AVD)

1. Launch Eclipse IDE

cd /home/oracle/android_dev/adt-bundle-linux-x86_64-20130219/eclipse

./eclipse

2. Select a workspace, for example /home/oracle/labworkspace. Select the option Use this as the default and do not ask again.

3. From the menu options, go to Windows > AVD Manager.

4. Click on New to create a new AVD.

Specify the property values as shown in the screenshot. Give your device a name (e.g. mydevice) and select a device type to emulate. The lab uses a Galaxy Nexus device running Android 4.2.2. Change the RAM value under Memory Options to 700 from 1024 as emulating RAM greater than 768M may fail (because of lack of resources on VM).

Take the rest of the property value defaults and select OK.

Practice 2.4: Start the Android Virtual Device (AVD)

From the AVD Manager, select your device (mydevice) and click on Start to start mydevice in the emulator. On the Launch Options window, click Launch. This should launch mydevice in the emulator as shown in the screen.

Practice 2.5: Import the Sample Android Project

Open the Eclipse IDE and look for the IDMMobileSDK and oracle.mobile.login.activities.LoginActivity packages.

If they are already present, then the packages are already imported. Skip the following steps.

Else perform the following:

1. Choose File > Import. In the "Select and import source" box type "project". Select General - Existing Projects into workspace and click Next.

2. Navigate to the Android Lab zip file and select it. Note that the sample project file (android-lab.zip) includes the OAM Mobile and Social Android SDK (IDMMobileSDK). Expand the IDMMobileSDK and oracle.mobile.login.activities.LoginActivity packages in the package explorer on the left. Note: If you don't see the packages, click on the top right corner icon showing two square icons to show you the design editing environment.

Practice 2.6: Deploying the sample .apk file

Android application package file (APK) is the file format used to distribute and install application software and middleware onto Google's Android operating system; very similar to an MSI package in Windows or a Deb package in Debian-based operating systems like Ubuntu.

The sample application (oracle.mobile.login.activities.LoginActivity.apk) is a compiled binary version of the application that you will deploy to verify that your environment is properly configured. You will view the application in the emulator after it has been deployed.

1. If the android emulator is not already running, launch it now. You can launch it from the /home/oracle/android_dev/adt-bundle-linux-x86_64-20130219/sdk/tools or from Eclipse AVD manager.

To launch it from command prompt:

cd /home/oracle/android_dev/adt-bundle-linux-x86_64-20130219/sdk/tools

./emulator -avd mydevice

2. To install the apk file, perform the following on the command line from the /home/oracle/android_dev/adt-bundle-linux-x86_64-20130219/sdk/platform-tools:

cd /home/oracle/android_dev/adt-bundle-linux-x86_64-20130219/sdk/platform-tools

./adb -e install /home/oracle/labworkspace/oracle.mobile.login.activities.LoginActivity.apk

It should show a success message if the apk file is successfully installed. The -e option tells adb to look for a running emulator to install the application.

Practice 2.7: Verify the apk installation using emulator

Navigate to the emulator window. If you notice a Lock icon at the center of the emulator, unlock the Android device by clicking on the lock icon and sliding it to the right. This will unlock the device and take you to the Home screen.

1. Notice the icons on the top right of the emulator: volume control button, lock button, Home, Menu, Back, Search and DPAD buttons. If these are disabled, perform the following:

Go to the /home/oracle/.android/avd/mydevice.avd/config.ini file and set the following properties to yes:

hw.dPad=yes

hw.sdCard=yes

hw.mainKeys=yes

hw.trackBall=yes

2. Save the file. Close and start the emulator again. Notice the icons are now enabled.

3. Unlock the Android device (if you see a lock icon): using the mouse, click on the lock icon and slide it to the right.

4. Click on the Apps icon (Circle with the 6 buttons within it) on the bottom tray on the Home screen. This will take you to screen showing all the apps on the android device.

5. Notice the installed app - Login App is now visible on the apps screen.

6. You can manage the apps, including the Login app, by clicking on the Menu icon on the top right corner. Now click on the Manage Apps option at the bottom of the emulator window. It will display all the apps on the device that you can manage. Scroll down to the Login app or start typing in login and it should automatically display the Login app. Click on the Login app. This brings up the App info page for the Login App. From here you can manage the app: force stop the app, uninstall the app, view the storage info about the app, clear cache or data for the app and view the permissions on the app.

Click on the Home icon to go back to the home screen.

Practice 2.8: Create User Profile Service Provider

This has already been done.

Now we will configure the OAM Mobile and Social server (OAMMS) for the sample application.

1. Log in to the OAM Console (http://oam.example.com:7001/oamconsole) as weblogic/Oracle123.

2. Navigate to System Configuration -> Mobile and Social > Mobile Services > Expand Service Providers node. Double click on the OUDUserProfile. You can view the OUD User Profile Service Provider properties.

3. Enter the Bind Password as Oracle123 and click on Test Connection to make sure OUD server instance is up and running and accessible.

Practice 2.9: Create User Profile Service

This has already been done.

Navigate to System Configuration -> Mobile and Social > Mobile Services > Expand Service Providers node > OUDUserProfile. Expand OUDUserProfile and double click on OUDUserProfile, which is the service profile configuration. View the OUDUserProfile user service profile properties.

Practice 2.10: Create application profile

1. Log in to the OAM Console (http://oam.example.com:7001/oamconsole) as weblogic/Oracle123.

2. From System Configuration -> Mobile and Social. Double click on Mobile Services node and on the right pane select "Create" under Application Profiles section.

3. Enter the property values for the new Application profile as shown in the screenshot.

Name: The application name. In this example we use LoginApp. The application name configured here must match the application name in the settings for the deployed Android application. The name is arbitrary, but it should reflect the SSO function. This name will be used and seen by the mobile application developer.

baseSecret: Enter a password here (Oracle123). This does not need to match any existing password. It is used as an encryption key between the client and the OAMMS server. Provide a base secret value of Oracle123 under the attributes section. This value will not be referenced in other configurations, but is necessary for security.

If it is a desktop app we use Mobile.clientToken.baseSecret whereas if it is a mobile app we use Mobile.clientRegHandle.baseSecret.

Mobile Configuration check box: Enable this checkbox for any mobile applications. This enables the SDK to collect and send Mobile specific attributes to the OAMMS server.

Webview: Controls the type of browser that the Android application will use when showing a Social login dialog. The embedded browser (default) will render the browser within the application. External will use the system standalone browser. External can sometimes be preferable for debugging.

URL Scheme: Both Android and iOS use a custom URL scheme to register O/S handlers that will take control when OAMMS transfers control to device. Use the value osa://

This URL scheme is used for one native mobile app to be able to call another mobile app.

Android Package: The fully qualified name of the Android application that you will deploy. This is taken from your application's AndroidManifest.xml file. This is used to tell Android which application to launch when an intent is received (for example osa://).

Android Signature: This is the unique signature for your application. For development it is generated by the Android SDK tool. For production this value is a stable signing key available from Google as part of the Play store deployment process. Note: If you are deploying the pre-compiled .apk sample application, the signature is found below:

If you are compiling the application in Eclipse, your signature will be unique to your SDK environment. You will need to extract your signature from the application logs.

4. Confirm that application profiles have been successfully created by scrolling down to the application profile section in the right pane and clicking the Refresh button on the horizontal toolbar under the Application Profiles section.
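Added example (not part of the original lab guide or of Oracle's SDK): one way to obtain the Android Signature value offline rather than from the application logs, and to check it against the value entered in the application profile. It assumes the field holds the hex-encoded DER signing certificate (what Android's `Signature.toCharsString()` returns) and that the APK is signed with the v1 (JAR) scheme; all function names and the sample APK are constructed for illustration.

```python
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1


def read_tlv(buf, off):
    """Parse the DER element at buf[off]; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short form: the byte is the length
        start, length = off + 2, first
    else:                                  # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        start = off + 2 + n
        length = int.from_bytes(buf[off + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length


def children(buf, start, end):
    """Yield (tag, element_start, value_start, value_end) for each element in [start, end)."""
    off = start
    while off < end:
        tag, vstart, vend = read_tlv(buf, off)
        yield tag, off, vstart, vend
        off = vend


def first_cert_from_pkcs7(der):
    """Return the first certificate (a whole DER element) of a PKCS#7 SignedData block."""
    tag, start, end = read_tlv(der, 0)                     # ContentInfo ::= SEQUENCE
    parts = list(children(der, start, end))                # [contentType OID, [0] content]
    if tag != 0x30 or len(parts) < 2 or parts[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 ContentInfo")
    if der[parts[0][2]:parts[0][3]] != OID_SIGNED_DATA:
        raise ValueError("content type is not signedData")
    tag, start, end = read_tlv(der, parts[1][2])           # SignedData ::= SEQUENCE
    for tag, _, vstart, vend in children(der, start, end):
        if tag == 0xA0 and vstart < vend:                  # certificates [0] IMPLICIT SET
            _, _, cert_end = read_tlv(der, vstart)
            return der[vstart:cert_end]
    raise ValueError("SignedData carries no certificates")


def apk_signature_hex(apk_bytes):
    """Hex of the v1 (JAR-scheme) signing certificate stored under META-INF/ in an APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        blocks = [n for n in apk.namelist()
                  if n.upper().startswith("META-INF/")
                  and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if len(blocks) != 1:
            raise ValueError("expected one signature block, found %d" % len(blocks))
        return first_cert_from_pkcs7(apk.read(blocks[0])).hex()


def normalize(sig_hex):
    """Drop whitespace picked up by copy/paste and lowercase the hex string."""
    return "".join(sig_hex.split()).lower()


def matches_profile(apk_bytes, configured_hex):
    """True when the APK's certificate equals the Android Signature set in the profile."""
    return apk_signature_hex(apk_bytes) == normalize(configured_hex)


def is_debug_certificate(sig_hex):
    """Heuristic: the SDK's auto-generated debug key has the subject CN 'Android Debug'."""
    return b"Android Debug" in bytes.fromhex(normalize(sig_hex))


def der_tlv(tag, body):
    """DER-encode one element; used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body


def build_sample_apk():
    """Constructed input: a zip whose CERT.RSA wraps a placeholder, not a real X.509 cert."""
    cert = der_tlv(0x30, der_tlv(0x0C, b"Android Debug") + der_tlv(0x04, bytes(200)))
    signed_data = der_tlv(0x30, der_tlv(0x02, b"\x01")        # version
                          + der_tlv(0x31, b"")                # digestAlgorithms (empty here)
                          + der_tlv(0x30, der_tlv(0x06, OID_DATA))
                          + der_tlv(0xA0, cert)               # certificates
                          + der_tlv(0x31, b""))               # signerInfos (empty here)
    pkcs7 = der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, signed_data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"")
        apk.writestr("META-INF/CERT.RSA", pkcs7)
    return out.getvalue(), cert.hex()


if __name__ == "__main__":
    sample_apk, expected = build_sample_apk()
    sig = apk_signature_hex(sample_apk)
    print("Android Signature:", sig[:32] + "...")
    print("matches profile:", matches_profile(sample_apk, expected))
    print("debug certificate:", is_debug_certificate(sig))
```

For a real build, pass the bytes of the .apk file; a mismatch means the value in the application profile belongs to a different signing key, and a debug-certificate hit means the profile is still bound to the SDK's development key.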

Practice 2.11: Create the Native Login Mobile Service Domain

An OAMMS service domain binds together a set of configured interfaces for authentication, authorization and user profile services. Service domains provide flexibility to support different types of mobile clients. For example - an employee Mobile service domain would use a different authentication source than a Mobile service domain used by customers.

1. Select Create under Service Domains. Create a name for your domain (BankDomain is used below). The name configured must match the service domain set in the Android application.

2. Application Profiles selection: click the browse button. Choose the application profile that you created in the previous step (LoginApp). This associates the application with this service domain. A service domain can support multiple applications.

3. The LoginApp participates in SSO as an SSO agent (which means it is responsible for storing tokens and credentials, delivering device attributes, and communicating via REST to the mobile and social server). More than one application can be configured as an SSO agent; in that case, the Agent Priority property along with which applications are installed on the mobile device will determine which application assumes the role. For multiple applications that are configured as an SSO Agent, agent priority needs to be set. This is important when there are multiple agent apps installed on device, so the SDK based on this priority invokes the agent application (the one with highest priority). In this practice, you will define only one application, LoginApp, as an SSO agent.

4. Service Profile Selection:

Advance to the next page of the wizard to configure the services for this domain. For this example we will use the following services:

Authentication - MobileOAMAuthentication. This will use the JWT (JSON Web Token) format authentication provider. Upon successful authentication, the Android application will receive a signed JWT token from OAMMS. This token will be used in subsequent calls to OAMMS.

Authorization - OAMAuthorization. The authorization provider. The SDK makes calls to this provider endpoint to obtain authorization decisions on resource requests. Authorization is not used in this demo.

User Profile Service - OUDUserProfileService. This is the service that provides user profile services (attribute lookup, attribute modification). The OUD provider has been previously configured in the demonstration image. It makes calls to Oracle Unified Directory to perform attribute operations.

5. Service Protection:

The REST services for a domain can be protected by requiring the caller to present a token to invoke the service. In the example below we protect the authorization and user profile services. Make sure you enable writing of the profile. The sample application will demonstrate a user updating their profile. This call will fail if the write checkbox is not enabled.

A Summary of Service Domain called BankDomain

Practice 2.12: Test the mobile SSO login

1. On the emulator, make sure you are logged in to the Android device (slide and unlock the lock screen). Click on the Apps icon on the bottom tray. Click on the Login App icon.

2. Click on the Server button on the top right corner. Enter the details as shown:

Note: You can also use the FQDN or IP address.

Note: The IP address will vary for each student. In a terminal window, use the ifconfig command to find out the IP address (eth1).

Note: RP stands for Relying Party which in our case is FB for social login.

Click Submit.

It should flash “mms done” and “Setup Done” for a few seconds.

3. Login as Tom.Dole/Oracle123

Click on “Login”. It should flash with a message “Logged in Successfully” followed by “Authentication Succeeded” messages.

Practice 2.13: Fetch user data from OUD Server

After successful login, the profile of the user can be fetched from the OUD server.

After login, Click on the Profile to pull the user profile from OUD server

We can easily demonstrate that the user data is fetched from the OUD server. Click on the back icon. Open a terminal window and stop the OUD server:

Navigate back to the Login App in the emulator and now click on the Profile button again. Notice it comes out as blank fields (as OUD server is stopped).

Open a terminal window and start the OUD server:

Practice 2.14: Use RESTful Web Services

Overview: This demonstrates a simple RESTful web service. Tables corresponding to the bank application were created at the back end and populated with data. Create the XYZ Bank Data Source in the WLS Console. BankDemo is a web application deployed on oam_server1 and the admin server.

1. Click on Invoke REST button

2. Enter the From and To dates and click the Edit button to specify the host/port details for the web service call (specify the IP address or FQDN oam.example.com, and port 14100):

Click on the Submit button.

Notice the Registered webservice message that flashes for a few seconds.

It should show you the result of the REST call to the registered web service:

Click on Logout button.

Practice 2.15: Remove cached data for LoginApp

1) Click on the Home button

2) Click on Menu button

3) Select Manage Apps from the system tray menu option

4) Select Login App

5) Click on Clear Data. Select OK on the pop up window to confirm.

6) Click on Home icon

7) Click on Apps icon on the system tray

Exercise 3: Demonstrate social login

In this practice, you will start to configure social login for the mobile application. The sample application demonstrates social login using a Facebook account. You will need to configure an application profile for Social login and a new service domain that uses the social login application profile.

Practice 3.1: Create the Internet (Social) Application profile

When creating the new internet application profile, you must use the same name as your previously created application profile for the mobile application. For example, if your mobile application profile is called "LoginApp", the internet application profile should also be called "LoginApp". This is similar to the use case where, if you want to enable social login to a web application protected via OAM, the application profile that you create under Internet Identity Services must match the application domain name for the application. At this time, this is a one-to-one relationship.

1. Navigate to Mobile and Social section under System Configuration tab of OAM Console, click on "Internet Identity Services" and create a new application profile:

2. Set the following parameters for the new application profile

Name: The application name. This must match the name of the mobile application profile created for your application under Mobile Services. We use LoginApp for this example.

Shared Secret: A password used as an encryption key between the application and OAMMS. This does not need to match any existing passwords.

Return URL and Mobile Application Return URL: After the Relying Party (social) login, the OAMMS server will redirect to the Android application using this URI. This URI will be registered with Android and associated with an Intent that is mapped to our sample application. This allows our sample application (and the linked SDK) to handle the post-login authentication process. Use osa:// for this lab. If you look inside your application's AndroidManifest.xml file, you will see this URI mapped to an activity that invokes the SDK.

Login Type: Choose to allow only internet identity authentication for this exercise.

Enable browser pop ups: Select no to prevent a new browser instance from popping up for the login page.

User Registration: For our demo we assume the account is already registered. If you wish to allow user registration, enable this feature.

Authentication Service Endpoint: Make sure that /internetidentityauthentication is selected.

Application to Provider Mapping: Select the social login providers that you wish to enable. For the lab, select Facebook. You can choose others here (e.g. Google, LinkedIn, etc.) but you must register for a developer API key with each provider.
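The Return URL only works if the application's manifest actually registers that scheme. As an added example (not part of the lab materials or the sample application's code), this Python check parses a text AndroidManifest.xml and lists the activities that can receive a browser redirect to the configured Return URL; the sample manifest and its package and activity names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
REQUIRED_CATEGORIES = {"android.intent.category.DEFAULT",
                       "android.intent.category.BROWSABLE"}

# Constructed sample manifest, not the lab application's real file;
# the package and activity names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.loginapp">
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".SocialCallbackActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="osa" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def handlers_for_return_url(manifest_xml, return_url):
    """Return the activities whose intent filter accepts a browser redirect to return_url."""
    scheme = return_url.split("://", 1)[0]
    found = []
    for activity in ET.fromstring(manifest_xml).iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            categories = {_attr(c, "name") for c in flt.findall("category")}
            schemes = {_attr(d, "scheme") for d in flt.findall("data")}
            if (scheme in schemes and "android.intent.action.VIEW" in actions
                    and REQUIRED_CATEGORIES <= categories):
                found.append(_attr(activity, "name"))
    return found

if __name__ == "__main__":
    print(handlers_for_return_url(SAMPLE_MANIFEST, "osa://"))
```

An empty result means the redirect after the Relying Party login has no activity to land on; more than one result means several activities in the application claim the same scheme.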

A summary for the Application profile creation is shown below

Practice 3.2: Configure Facebook as the OAuth Provider

1. Log in to http://developers.facebook.com using your FB account.

2. Click on Apps and register as a developer.

3. Complete the registration process and then click on create a new app.

4. Provide the app name as LoginApp and click Continue. Enter the CAPTCHA information. It should bring up the LoginApp registration page with the App ID and App secret that are generated automatically by the Facebook OAuth server.

5. Click on the WebSite with FB link field and enter the OAM server URL: http://oam.example.com:14100/.

Click Save Changes. Note the App ID and App Secret; you will need them for the next step.

6. Log in to the OAM Console, navigate to System Configuration > Mobile and Social > Internet Identity Services and edit the Facebook OAuth Provider.

7. Add the App ID in the consumer key field and the App secret in the Consumer secret field on the Facebook OAuth Provider page.

Practice 3.3: Create the Service Domain for Social Login

1. To create a service domain for social login, navigate to and double-click the Mobile Services node. Create Service domain is on the right panel.

2. In this example we call the domain "BankDomainRP". The type should be Mobile Application and the application credential type User Token.

3. Select the “LoginApp” Application Profile that we created in the earlier step.

4. Choose the Authentication, Authorization and User profile Services as shown below.

5. A summary of the Service domain is shown below.

Practice 3.4: Test the social login

Before you test the social login, make sure you can get to the internet on the Android emulator's embedded browser.

Steps to check the internet connection on the Android emulator:

1. Start the emulator. Click on the Home button. Click on the Menu icon. Select the option below manage apps.

2. Select More under Wireless and Network

3. Click on Mobile Network

4. Select Access Point Names

5. Select T-Mobile US

6. Set the Proxy Server host/port and deselect/remove username and password

7. Go back to Home, click on Apps and make sure you can access Facebook from the embedded browser:

8. Click on the Home button. Click on the Menu option. Select Manage Apps. Find LoginApp in the list and click Clear Data. Confirm with OK.

Testing the Social Login:

1. Click on Home button. Click on Apps button. Click on LoginApp.

2. Click on the Server button. Make sure the RP (Relying Party) Server details are set:

Click Submit. Notice the mss Done and Setup Done messages.

3. Click on Login with Social button. It should display the following screen:

4. Click on Facebook.

5. Login using your FB login.

Click on Not Now:

6. It should display the following:

7. Click Ok. These messages are displayed.

RP Login Success

RP Authentication Succeeded

Followed by:

Practice 3.5: View the source code of the application and view the Android signature

1. Start the Eclipse IDE, if it is not already up.

2. You can view the application code if you choose. In the application code, use the following code snippet. Uncomment the function shown to generate the Android signature.

3. Build the application again.

4. Make sure there are no errors in the Problems tab:

5. The newly built .apk file should be in the workspace directory:

6. Uninstall the Login App from the emulator and install this new LoginApp (oracle.mobile.activities.LoginActivity.apk) again:

Click Home on the emulator. Click on Menu. Select Manage apps. Select Login App. Click On Force Stop (select ok on the confirm screen). Click on Uninstall (select ok on the confirm screen).

7. Go back to Home > Apps and make sure you don’t see Login App on the screen.

8. Re-install the new Login App:

9. Run the following command in the same terminal window to spool the debug logs, which will contain the Android signature:

It should not show any logs yet.

10. Now go back to the emulator and start Login App.

11. Click on Server to set the server settings. Make sure the settings are as shown and click Submit:
