Oracle® Application Server Release Notes
10g Release 2 (10.1.2) for IBM zSeries Based Linux
B25837-05

23 Oracle Application Server Single Sign-On

This chapter describes issues associated with Oracle Application Server Single Sign-On (OracleAS Single Sign-On). It includes the following topic:

23.1 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds for Oracle Application Server Single Sign-On. It includes the following topic:

23.1.1 General Configuration Issues

This section contains the following topic:

23.1.1.1 Single Sign-On Session Duration Should not be Less Than One Hour

The "Single sign-on session duration" parameter should not be set to less than one hour. For more information on setting this parameter, refer to the section titled "Using the Edit SSO Server Page to Configure the Server," in Chapter 2, "Basic Administration," in Oracle Application Server Single Sign-On Administrator's Guide.

23.1.2 Browser Configuration Issues

This section describes browser-related issues for Oracle Application Server Single Sign-On. It contains the following topic:

23.1.2.1 Server Configuration Cannot be Updated on the Internet Explorer 6 SP2 Browser

This problem prevents you from making changes to the Oracle Application Server Single Sign-On server configuration. The problem is observed in the following circumstance:

  • You are using the Internet Explorer 6 browser on a platform running Microsoft Windows Service Pack 2.

  • In the OracleAS Single Sign-On administration pages, you click Edit SSO Server Configuration.

  • You try to change server properties, such as session duration, and click Apply.

    There is no response from the browser.


Note:

Other versions of the browser, such as Internet Explorer 7, do not exhibit this problem.

To resolve the problem, you need to add the OracleAS Single Sign-On server to the list of trusted websites after you apply Windows SP2.

Take these steps:

  1. In Internet Explorer, click Tools, then Internet Options.

  2. Click on the Security tab and choose Trusted Sites.

  3. Click on the Sites button, and add the address of the OracleAS Single Sign-On server site to the list of trusted sites.

23.1.3 Additional High Availability Configuration Instructions

Additional configuration steps are required after OracleAS Infrastructure is installed with the "OracleAS Cluster (Identity Management)" option. There are two sets of instructions to follow:

23.1.3.1 Update the mod_rewrite Entry for SSO

Take the following steps:

  1. Back up the sso_apache.conf file:

    cp ORACLE_HOME/sso/conf/sso_apache.conf \
        ORACLE_HOME/sso/conf/sso_apache.conf.BACKUP
    
  2. Edit the file. Locate the mod_rewrite entry that contains the following text:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/pls/orasso/orasso.wwsso_app_admin.ls_login$ /sso/auth [PT]
    </IfModule>
    

    Add the following line:

    RewriteRule ^/pls/orasso/orasso.home$ PROTOCOL://LBR_HOST:LBR_PORT/pls/orasso/orasso.home [R,L]
    

    replacing the placeholders PROTOCOL, LBR_HOST, and LBR_PORT with the following values:

    • Replace LBR_HOST with the full hostname for the HTTP load balancer.

    • Replace LBR_PORT with the SSL listening port. If SSL is enabled, enter the SSL port value. If using the default ports of 80 or 443, do not specify a port value.

    • Replace PROTOCOL with either HTTPS (if using the SSL port) or HTTP (if using the non-SSL port).

      For example, the entry might look like this when using a non-default SSL port:

      <IfModule mod_rewrite.c>
          RewriteEngine On
          RewriteRule ^/pls/orasso/orasso.wwsso_app_admin.ls_login$ /sso/auth [PT]
          RewriteRule ^/pls/orasso/orasso.home$ https://lbr.mydomain.com:4443/pls/orasso/orasso.home [R,L]
      </IfModule>
      

      As another example, the entry might look like this when using a default SSL port:

      <IfModule mod_rewrite.c>
          RewriteEngine On
          RewriteRule ^/pls/orasso/orasso.wwsso_app_admin.ls_login$ /sso/auth [PT]
          RewriteRule ^/pls/orasso/orasso.home$ https://lbr.mydomain.com/pls/orasso/orasso.home [R,L]
      </IfModule>
      
  3. Save and close the file.

  4. Restart Oracle HTTP Server.
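
Steps 1 and 2 above can be scripted so that the port rule (no port value for the defaults 80 and 443) and the backup are applied the same way on every node. The following is an added example, not part of the Oracle release notes; the function names and argument order are assumptions.

```shell
#!/bin/sh
# Added example; function names and argument order are assumptions.

# Print the orasso.home RewriteRule for PROTOCOL, LBR_HOST and LBR_PORT.
# The port is left out when it is the protocol's default (80 or 443).
build_sso_rewrite_rule() {
    proto=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); host=$2; port=$3
    case "$proto" in
        http|https) ;;
        *) echo "PROTOCOL must be HTTP or HTTPS" >&2; return 1 ;;
    esac
    case "$host" in
        ''|*[!A-Za-z0-9.-]*) echo "LBR_HOST is not a plain hostname" >&2; return 1 ;;
    esac
    case "$port" in
        *[!0-9]*) echo "LBR_PORT must be numeric" >&2; return 1 ;;
    esac
    authority=$host${port:+:$port}
    if [ "$proto:$port" = http:80 ] || [ "$proto:$port" = https:443 ]; then
        authority=$host
    fi
    printf 'RewriteRule ^/pls/orasso/orasso.home$ %s://%s/pls/orasso/orasso.home [R,L]\n' \
        "$proto" "$authority"
}

# Step 1: back up CONF. Step 2: insert the rule after the existing ls_login
# rule, reusing its indentation. A second run leaves the file unchanged.
add_sso_rewrite_rule() {
    conf=$1
    rule=$(build_sso_rewrite_rule "$2" "$3" "$4") || return 1
    if grep -q 'orasso\.home\$' "$conf"; then
        return 0
    fi
    if ! grep -q 'wwsso_app_admin\.ls_login\$' "$conf"; then
        echo "ls_login rule not found in $conf" >&2; return 1
    fi
    cp "$conf" "$conf.BACKUP" || return 1
    awk -v rule="$rule" '
        { print }
        /wwsso_app_admin\.ls_login\$/ {
            match($0, /^[ \t]*/)
            print substr($0, 1, RLENGTH) rule
        }
    ' "$conf.BACKUP" > "$conf"
}
```

Call it as `add_sso_rewrite_rule ORACLE_HOME/sso/conf/sso_apache.conf HTTPS lbr.mydomain.com 4443`, then continue with steps 3 and 4.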

23.1.3.2 Update targets.xml

The following configuration steps are needed only in the installation scenario where communications between clients and the load balancer use HTTPS, and communications between the load balancer and Oracle HTTP Server also use HTTPS:

Client ---[HTTPS]---> Load Balancer ---[HTTPS]---> Oracle HTTP Server

In this case the oracle_sso_server entry in the targets.xml file, on each physical host of the cluster, must be reconfigured to monitor the local SSL port.


Note:

Keep in mind that the hostname should remain the same. Do not change the hostname.


Perform the following steps to update targets.xml on each node of the cluster:

  1. Back up the targets.xml file:

    cp ORACLE_HOME/sysman/emd/targets.xml \
        ORACLE_HOME/sysman/emd/targets.xml.BACKUP
    
  2. Open the file and find the oracle_sso_server target type. Within this target entry, locate and edit the following two attributes:

    • HTTPPort - the server SSL port number

    • HTTPProtocol - the server protocol, which in this case is HTTPS

      For example, you could update the two attributes this way:

      <Property NAME="HTTPPort" VALUE="4443"/>
      <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
      
  3. Save and close the file.

  4. Reload the OracleAS console:

    ORACLE_HOME/bin/emctl reload
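
Because the edit must be repeated on each node of the cluster, a read-only check that the oracle_sso_server target now monitors the SSL port over HTTPS helps catch a node that was missed. The following is an added example, not part of the Oracle release notes; the function names are assumptions, and the parser assumes one element per line with targets written as `<Target TYPE="..." ...>`.

```shell
#!/bin/sh
# Added example; function names are assumptions, and the awk parser assumes
# one element per line with targets written as <Target TYPE="..." ...>.

# Print HTTPPort=... and HTTPProtocol=... for the oracle_sso_server target only.
sso_target_props() {
    awk '
        /<Target[ \t]/ {
            in_sso = ($0 ~ /TYPE="oracle_sso_server"/ && $0 !~ /\/>[ \t]*$/)
        }
        /<\/Target>/ { in_sso = 0 }
        in_sso && match($0, /NAME="HTTP(Port|Protocol)"/) {
            name = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /VALUE="[^"]*"/))
                print name "=" substr($0, RSTART + 7, RLENGTH - 8)
        }
    ' "$1"
}

# Return 0 when the target monitors SSL_PORT over HTTPS, 1 when either
# attribute differs, 2 when the target or its attributes are missing.
check_sso_target() {
    file=$1; ssl_port=$2
    props=$(sso_target_props "$file") || return 2
    if [ -z "$props" ]; then
        echo "$file: no oracle_sso_server HTTP properties found" >&2
        return 2
    fi
    status=0
    if ! printf '%s\n' "$props" | grep -qx "HTTPPort=$ssl_port"; then
        echo "$file: HTTPPort is not $ssl_port" >&2; status=1
    fi
    if ! printf '%s\n' "$props" | grep -qix 'HTTPProtocol=HTTPS'; then
        echo "$file: HTTPProtocol is not HTTPS" >&2; status=1
    fi
    return $status
}
```

Run `check_sso_target ORACLE_HOME/sysman/emd/targets.xml 4443` on each node; a non-zero exit status identifies a node whose entry still needs the edit.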

23.1.4 Issues and Workarounds Related to the Oracle Database

This section describes issues and workarounds for Oracle Application Server Single Sign-On that are triggered by the Oracle Database. It includes the following topic:

23.1.4.1 Issues With Upgrading the Oracle Database

After upgrading your Metadata Repository from Oracle Database 9.2.0.6 to 10.1.x, the following error is reported on the Discoverer Plus Connection pages, the Discoverer Viewer Connection pages, and the Public Connection definition page in Application Server Control:

The connection list is currently unavailable.
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at "ORASSO.WWSSO_API_PRIVATE," line 258
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at "ORASSO.WWSSO_UTL" line 728
ORA-28231: no data passed to obfuscation toolkit
ORA-06512: at line 1 Unable to retrieve connection list

The same problem will be encountered with external applications on the server hosting Oracle Application Server Single Sign-On.

To resolve this issue, make the following changes in your Metadata Repository Database:

  1. Edit the init%ORACLE_SID%.ora file in the following location:

    Windows—DB_install_home/database/

    Linux—DB_install_home/dbs

    Add the following line to this file:

    event="10946 trace name context forever, level 36"

  2. If an spfile%ORACLE_SID%.ora exists in either the dbs folder or the database folder, rename the file to spfile%ORACLE_SID%.bak.

    Changes to init%ORACLE_SID%.ora are not loaded if the database server finds an spfile.

  3. Log in as a sysadmin.

  4. At the SQL prompt, shut down then start up the database server.

  5. Restart the Discoverer server using the command opmnctl restartall.