F5 访问策略服务器与Oracle AM 结合实施指南

DeployingtheBIG-IPAccessPolicyManagerwithOracleAccessManagerDEPLOYMENTGUIDEVersion1.0TableofContentsiTableofContentsConfiguringtheBIG-IPAPMforWebGateReverseProxyandOracleAccessManagerPrerequisitesandconfigurationnotes..............................................................................3-1Productversionsandrevisionhistory..............................................................................3-2Configurationexample.........................................................................................................3-2ConfiguringtheBIG-IPAPM........................................................................................................3-4CreatinganAuthenticationSource...................................................................................3-4CreatingtheSSOconfiguration..........................................................................................3-5CreatinganAccessProfile...................................................................................................3-6EditingtheAccessProfilewiththeVisualPolicyEditor...............................................3-7Creatingthehealthmonitor...............................................................................................3-8Creatingthepool...................................................................................................................3-9CreatingtheSSLprofile....................................................................................................3-10Creatingpersistenceprofiles...........................................................................................3-11Creatingthevirtualserver...............................................................................................3-12ModifyingtheOracleconfiguration.........................................................................................3-14ModifyingtheOracleAuthenticationRule...................................................................3-14AppendixA:UsinganiRuletoenableordisabletheAccessprofile............................................3-16AppendixB:Obtainingtheengineeringhotfix.................................................................................................3-18AppendixC:SpecialconsiderationswhenrunningSimpleTransportSecurityMode....3-191ConfiguringtheBIG-IPAPMforWebGateReverseProxyandOracleAccessManagerWelcometotheF5deploymentguidefortheBIG-IPAccessPolicyManager(APM)andOracleAccessManager.ThisguidedescribeshowtoconfiguretheBIG-IPAPMforOracleAccessManagerwhenyouarelookingtoreplaceaWebGateProxyfarmwithAPM.OracleAccessManagerhelpsenterprisescreategreaterlevelsofbusinessagility,ensureseamlessbusinesspartnerintegration,andenableregulatorycompliance.Throughaninnovative,integratedarchitectureOracleAccessManageruniquelycombinesidentitymanagementandaccesscontrolservicestoprovidecentralizedauthentication,policy-basedauthorizations,andauditingwithrichidentityadministrationfunctionalitysuchasdelegatedadministrationandworkflows.FormoreinformationonOracleAccessManager,see:◆TheWebGateAgentbehindtheBIG-IPAPMmustnotberunningontheApplicationWebTierservers.◆ThedefaultbehavioroftheBIG-IPAPMistoprotectaccesstoALLoftheresourcesonthebackendapplicationservers.Ifyouwishtoonlyprotectcertainresources,asdefinedinyourOAMpolicy,pleaserefertoAppendixA:UsinganiRuletoenableordisabletheAccessprofile,onpage16.◆ItisassumedthatyouhaveAdministratorprivilegestoyourOAMinstallation.Thisisrequired,asyouneedtomakeminormodificationstoyourpolicy.Formoreinformation,seeModifyingtheOracleconfiguration,onpage14.◆ItisalsoassumedthatyourOAMpoliciesareproperlyconfigured,suchasauthenticationandauthorizationfailures.TheBIG-IPAPMreliesontheOAMserverfordefinedbehaviors,otherwisetheflow/connectionwillbedroppedforanundefinedbehavior.◆Thissolutioncurrentlyrequiresanengineeringhotfix.SeeAppendixB:Obtainingtheengineeringhotfix,onpage18fordetails.◆FormoreconfigurationoptionsontheBIG-IPAccessPolicyManager,seetheConfigurationGuideforBIG-IPAccessPolicyManager,availableonAskF5().DeployingtheBIG-IPAPMwithOracleAccessManagerF5®DeploymentGuide2ProductversionsandrevisionhistoryProductandversionstestedforthisdeploymentguide:Revisionhistory:OurOracleIdentityManagement11gR1implementationwasdeployedaccordingtotheOracle®FusionMiddlewareEnterpriseDeploymentGuideforOracleIdentityManagement11gRelease1(11.1.1)PartNumberE12035-02.ConfigurationexampleInthisguide.wedemonstrateanarchitecturewhereOracleAccessManagerprovidesauthenticationandauthorizationservicestoanapplication.InsteadofauthenticatingusersdirectlyattheapplicationlayerwiththeWebGateagentorviaafarmofWebGateProxies,BIG-IPAPMisusedtoperformtheauthenticationandenforceauthorization.AllowingAPMtooffloadtheWebGatefunctionalitysimplifiestheOAMdeploymentbyeliminatingWebGateAgentsfromtheapplicationserversandconsolidati