The plugin was intended to deal with digital certificates issued by many Certification Authorities. It was needed because no two CAs write the same information into the same place of a digital certificate. The issue for me was the email address of the user holding the digital certificate.
OAM 10g knows how to read the email address from the SubjectDN field, but it does not know how to read it from the Subject Alternative Name field (an X.509 extension).
The task was simple, as the OpenSSL library did a perfect job, as you can see:
certData = pFnBlock->GetCredFn(pInfo->Creds, "certificate"); // read the certificate data from OAM internal structures
// in order to have it processed by OpenSSL you have to add "-----BEGIN X509 CERTIFICATE-----" at the beginning and "-----END X509 CERTIFICATE-----" at the end of the certData variable value.
BIO *bio_mem = BIO_new_mem_buf(certData, -1); // wrap the PEM text in a read-only memory BIO (-1: certData is NUL-terminated)
X509 *certificate = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL); // parse the PEM; this allocates the X509 itself, so a preceding X509_new() would only be leaked
if (certificate == NULL) { BIO_free(bio_mem); /* not a parseable certificate: fail the authentication here */ }
STACK_OF(OPENSSL_STRING) *eMailList = X509_get1_email(certificate); // get ALL the emails from the certificate (SubjectDN and Subject Alternative Name; OpenSSL 1.0+ type)
// ... pick the address the plugin should use ...
X509_email_free(eMailList); X509_free(certificate); BIO_free(bio_mem); // release the OpenSSL objects when done
This was very simple till now :).
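The comment in the snippet above says the certificate value taken from OAM has to be wrapped in PEM armor before OpenSSL can parse it. The following is an added example, not code from the original post, showing that step in plain C++ with no OpenSSL dependency: it assumes GetCredFn returns the bare base64 body (possibly with stray line breaks), strips whitespace, rejects anything outside the base64 alphabet, wraps the body at 64 columns as RFC 7468 specifies, and leaves input alone if it already carries a BEGIN line. The header and footer strings are the ones used in the post; toPem, isBase64Body and the sample input are constructed for this example.

```cpp
// Added example (not from the original post): turn the bare base64 body that
// an OAM plugin receives for the "certificate" credential into a PEM block
// that PEM_read_bio_X509() accepts.
#include <cctype>
#include <iostream>
#include <string>

// Header/footer pair as used in the post; OpenSSL's PEM reader accepts both
// "X509 CERTIFICATE" and plain "CERTIFICATE".
static const std::string kPemBegin = "-----BEGIN X509 CERTIFICATE-----\n";
static const std::string kPemEnd   = "-----END X509 CERTIFICATE-----\n";

// True if s is non-empty, a multiple of 4 long, and made only of base64
// alphabet characters or '=' padding.
bool isBase64Body(const std::string &s) {
    if (s.empty() || s.size() % 4 != 0) return false;
    for (unsigned char c : s) {
        if (!(std::isalnum(c) || c == '+' || c == '/' || c == '=')) return false;
    }
    return true;
}

// Build PEM text from certData. Returns certData unchanged if it is already
// armored, and an empty string if the body is not valid base64 (the caller
// should then fail the authentication rather than guess).
std::string toPem(const std::string &certData) {
    if (certData.find("-----BEGIN") != std::string::npos) return certData;

    std::string body;                       // base64 with all whitespace removed
    for (unsigned char c : certData) {
        if (!std::isspace(c)) body.push_back(static_cast<char>(c));
    }
    if (!isBase64Body(body)) return "";

    std::string pem = kPemBegin;
    for (size_t i = 0; i < body.size(); i += 64) { // 64-column lines per RFC 7468
        pem += body.substr(i, 64);
        pem += '\n';
    }
    pem += kPemEnd;
    return pem;
}

int main() {
    // Constructed sample: not a real certificate, just a base64 body split
    // across lines the way a credential value might arrive.
    const std::string sample = "MIIBszCCAV2gAwIBAgIJ\r\nAIb3w8GcPlnpMA0GCSqG\n"
                               "SIb3DQEBBQUAMA0xCzAJ\r\nBgNVBAYTAlVTMB4XDTE=\n";
    std::cout << toPem(sample);
    return 0;
}
```

The returned string is what goes into BIO_new_mem_buf(pem.c_str(), -1); everything OpenSSL allocates afterwards (the BIO, the X509 and the email stack) still has to be released with BIO_free, X509_free and X509_email_free once the plugin has picked the address it needs.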
The next task was to send some data to the backend applications protected by OAM. Using action fields configured in OAM you can send only data persisted in LDAP.
After almost two days of research I found that the solution is again in the Oracle documentation :)
A custom plugin may set action fields by calling the SetActionFn function, like this:
type = "HeaderVar:"; // std::string prefix selecting the action type (here: an HTTP header)
pFnBlock->SetActionFn(pInfo->ActionInfo, type + "CertSubject.SubjectDN", print_string(pOutputSubject), ObAnSuccessFixedVals); // header name CertSubject.SubjectDN; the value is the subject rendered by the plugin's own print_string helper
In OAM there are two possibilities to send data to backend systems:
1. HTTP headers - use HeaderVar
2. cookies - use cookie
ObAnSuccessFixedVals sets these action fields on successful authentication; use ObAnFailFixedVals instead to send them on failed authentication.
I hope this post saves someone else some time.