I'm working on an upgrade of Portal/Interaction Hub and HCM/FIN/CS, with OAM 11.1.2.3 protecting each of the 4 PS applications (not just IH), and we are encountering an issue where one PeopleSoft application cannot display content from any other PeopleSoft application because OAM protection is getting in the way (when Interaction Hub's psp servlet attempts to reach out to the other PeopleSoft applications in order to build the template). We are getting a Proxy Error, and can clearly see from the IH PIA Servlet Log that Interaction Hub's psp servlet is getting challenged by OAM WebGate on HCM even though the user already authenticated with OAM when they logged into IH. The servlet SHOULD be able to make requests to the other PeopleSoft applications without getting challenged by OAM.
In prior version (Portal 9.0 and OAM 10g) we were able to fix this by simply adding Cookie Rules to the Web Profile so that the ObSSOCookie would get forwarded in the servlet request. However, we've not been able to use this solution in our current version (ie: we tried adding OAM* to the Cookie Rules to forward all OAM-related cookies). Of course if we change the URL to use "psc" instead of "psp", the remote content displays without error (since the request to HCM is coming from the browser, not the IH servlet), but of course this won't work for classic pages, as they will appear without a template.
Oracle Support has not been able to help us thus far, and suggested that many customers ONLY protect Interaction Hub with OAM, and unprotect HCM, FIN, and CS, . But this solution will not work for us, as we'd like to continue protecting ALL of our PeopleSoft applications with OAM for security reasons.
BTW, the OAM and PS SSO is working fine. You can log into IH, then change the URL to any other application and pass right through without being challenged by OAM. It is only the server-side request from the psp servlet that is getting blocked/challenged, as if there was no session information being passed.
Has anybody else encountered this issue when using OAM 11, and if so, how did you get around it? Is there a setting in either PeopleTools or OAM that we can enable that would allow one PS application's psp servlet to contact another PS application without getting re-challenged by OAM?
Thank you!
-David