| Oracle® Application Server Single Sign-On Administrator's Guide 10g (10.1.4.0.1) Part Number B15988-01 |
|
|
View PDF |
| Oracle® Application Server Single Sign-On Administrator's Guide 10g (10.1.4.0.1) Part Number B15988-01 |
|
|
View PDF |
This chapter introduces you to the tasks involved in administering single sign-on. The chapter contains the following topics:
When the single sign-on server is accessed for the first time, only one single sign-on administrator exists. This administrator is named orcladmin, the Oracle Application Server Single Sign-On super user. The person installing Oracle Application Server Single Sign-On selects the password for this user at install time. A password cannot contain the following characters: &, {, }, <, >, ", ', (, and ). The orcladmin account is used to create other accounts, including accounts for iASAdmins, the group that administers single sign-on.
As a single sign-on administrator, you can use the administration pages to do the following:
Configure server settings
Administer partner applications
Administer external applications
To exercise your privileges as a single sign-on administrator, you must be a member of the administrative group iASAdmins. This means that an existing member of this group must add you to it.
To assign a user to iASAdmins:
Start Oracle Directory Manager. To learn how to start this tool, see Oracle Internet Directory Administrator's Guide.
Log in as cn=orcladmin, the directory super user. You must use the password that was assigned to this user when Oracle Internet Directory was installed.
|
Note: The directory superusercn=orcladmin is not the same as the OracleAS super user orcladmin. These are separate, hierarchically unequal accounts. |
In the System Objects frame, click in succession the following entries:
Entry Management
dc=default_identity_management_realm
cn=OracleContext
cn=Groups
cn=iASAdmins
For example:
cn=iASAdmins,cn=Groups,cn=OracleContext,dc=oracle,dc=com
Where dc=oracle,dc=com is the default identity management realm. In reality, the default is likely the domain name of your installation.
In the uniquemembers text box of the iASAdmins tab, add an entry for the user. uniquemembers is an attribute of the entry iASAdmins. As such it defines members of the group iASAdmins. Be sure to add the user's full DN. In Figure 2-1 the user cn=gbhatia,cn=users,dc=oracle,dc=com has been added.
Click Apply.
Figure 2-1 iASAdmins Tab of Oracle Directory Manager
To create new users, use Oracle Delegated Administration Services. See the chapter about the Oracle Internet Directory Self-Service Console in Oracle Identity Management Guide to Delegated Administration.
By default, the single sign-on server uses the directory entry cn=iASAdmins,cn=Groups,cn=OracleContext,default_realm_dn to determine whether a user has administrative privileges for OracleAS Single Sign-On. Once you complete the following steps, all users in the group cn=sso_admins,dc=us,dc=acme,dc=com can administer the single sign-on server. You may also include groups as members by following these steps:
Create a new group in the directory relative to the default realm DN. If, for example, your default realm is dc=us,dc=acme,dc=com, and you want the default administration group to be called sso_admins, create this entry:
cn=sso_admins,dc=us,dc=acme,dc=com
Use either Oracle Directory Manager or LDAP command line tools to create the entry.
In the policy.properties file located in ORACLE_HOME/sso/conf, update the ssoAdministratorGroupDN to identify the group entry in the directory:
ssoAdministratorGroupDN = cn=sso_admins
You do not have to include the default realm (dc=us,dc=acme,dc=com in the example). The single sign-on server appends the realm when it checks for group membership.
Restart the OC4J_SECURITY instance, as described in "Stopping and Starting the OC4J_SECURITY Instance" on page on page 2-5.
The policy.properties file is a configuration file for OracleAS Single Sign-On. This file contains basic parameters required by the single sign-on server. The default values for these parameters are adequate for most installations. The file requires no modification out of the box.
You can configure policy.properties to implement advanced single sign-on features such as multilevel authentication. The policy.properties file is located in ORACLE_HOME/sso/conf. A copy of this file is provided in Appendix C, "policy.properties".
|
Note: When editingpolicy.properties, take care not to insert blank space at the end of each line. After editing the file, restart the single sign-on server. See the section immediately following for instructions. |
You can use either the command line or the Oracle Enterprise Manager Application Server Control console to start and stop single sign-on components. The console offers the benefit that you can stop or start several components at once. The command line requires several commands for the same tasks.
Use these steps to stop and start single sign-on components with the console:
Go to the standalone console for the infrastructure instance of Oracle Enterprise Manager that you want to administer. To do this, enter the host name of the computer hosting the OracleAS instance and the port number of Oracle Enterprise Manager. The default port number is 1156. You can find the instance-specific port number as follows:
UNIX: ORACLE_HOME/install/setupinfo.txt
Windows: ORACLE_HOME\install\setupinfo.txt
Log in using the credentials of an OracleAS administrator.
From the Standalone Instances section of the Farm page, choose the appropriate OracleAS instance.
From the System Components list of the Application Server page, select the check boxes for the components that you want to stop, start, or restart; then click the appropriate button at the top of the list. Figure 2-2 shows the single sign-on middle tier being restarted. To stop or restart the entire identity management infrastructure, click Stop All or Restart All at the top of the page.
Figure 2-2 Using the Console to Restart the Single Sign-On Middle Tier
You can issue separate commands to stop and start just the Oracle HTTP Server or the entire single sign-on middle tier. Another command stops and starts just the OC4J_SECURITY instance. Still another command stops and starts all infrastructure components.
Issue these two commands to stop and then start the Oracle HTTP Server:
ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
You can also stop and start the server by issuing this command:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
Issue these two commands to stop and then start the OC4J_SECURITY instance:
ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=OC4J_SECURITY ORACLE_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY
You can also stop and start the OC4J_SECURITY instance by issuing this command:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
To stop and then start the single sign-on middle tier, stop and start both the Oracle HTTP Server and the OC4J_SECURITY instance:
ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=OC4J_SECURITY ORACLE_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY
You can also stop and start the single sign-on middle tier by issuing these commands:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Issue the following commands to stop and then start the Oracle HTTP Server, the single sign-on server, OC4J, and Oracle Internet Directory:
ORACLE_HOME/opmn/bin/opmnctl stopall ORACLE_HOME/opmn/bin/opmnctl startall
This command assumes that infrastructure components are all in the same Oracle home.
If the database needs to be shut down, use the following steps to stop and start affected components including the database:
Stop the Oracle HTTP Server, the single sign-on server, OC4J, and Oracle Internet Directory:
ORACLE_HOME/opmn/bin/opmnctl stopall
Shut down the database.
Start the database.
Start the Oracle HTTP Server, the single sign-on server, OC4J, and Oracle Internet Directory:
ORACLE_HOME/opmn/bin/opmnctl startall
Occasionally OracleAS applications are inaccessible because the single sign-on server is inaccessible. Use these steps to diagnose the problem:
Follow the instructions in "Accessing the Monitoring Pages" in Chapter 10 to access the Application Server page of the Application Server Control console.
Verify that the single sign-on server is indeed down by examining the System Components table on the Application Server page. A down-facing red arrow signifies that the server is down, an up-facing green arrow that the server is up.
Check the table to determine whether the Oracle HTTP Server is down.
If the Oracle HTTP Server is down, restart it using either the command line or the Application Server Control console. See "Stopping and Starting Single Sign-On Components".
If the Oracle HTTP Server fails to start, check the log files for the server to determine the problem. The files are found in ORACLE_HOME/opmn/logs and in ORACLE_HOME/Apache/Apache/logs/error_log.
Check the status of the OracleAS metadata repository:
Start the Oracle Enterprise Manager Database Control console:
ORACLE_HOME/bin/emctl start dbconsole
In your browser, enter the URL for Oracle Enterprise Manager Database Control:
http://host_name.domain:port/em
In the URL, host_name is the name of the computer on which the metadata repository is installed. port is the port number reserved for Database Control during installation. You can find this number by examining the file ORACLE_HOME/install/portlist.ini. Look for this line:
Enterprise Manager Console HTTP Port(database_name) = port_number
The port number is a value in the range 5500–5519.
Log in to the Database Control page with the SYSaccount; then connect as SYSDBA.
On the Database Home page, examine the status indicator in the General section. If the database is up, continue to step 10. If the database is down, click the Startup button—or, when appropriate—the Perform Recovery button.
If the database starts, restart the Application Server Control console, the Database Control console, the infrastructure middle tier, and middle tiers associated with the metadata repository installation. If you need help, see the chapter about starting and stopping in Oracle Application Server Administrator's Guide.
If the database fails to start, consult Oracle Database Administrator's Guide.
Determine whether the OC4_SECURITY instance is running by examining the System Components table on the Application Server page of the Application Server Control Console. Or use the command line for this purpose:
opmnctl status
If the OC4J_SECURITY instance is down, restart it by using the Application Server Control console. If OC4J_SECURITY starts successfully, see if the single sign-on server is accessible. If OC4J_SECURITY fails to start, check the OC4J_Security logs for errors. See "Viewing the Log Files" in Appendix A for more about these logs.
Check the status of Oracle Internet Directory, using the same procedures that you used to check the status of the OC4J_SECURITY instance in step 10. Use the Application Server Control console to start the directory if necessary. If the directory fails to start, check directory error logs.
Logging in and out of OracleAS Single Sign-On successfully requires that the following browser settings be in place:
Cache Settings
To enable the correct cache settings:
Go to the cache settings dialog box by clicking the following in succession:
Internet Explorer:
Tools
Internet Options
General
Settings
Netscape Communicator:
Edit
Preferences
Advanced
Cache
Select Every visit to the page in Internet Explorer or Every time in Netscape Communicator.
Image Settings
To ensure that images are automatically loaded:
You can use the administration pages within the single sign-on UI to set the single sign-on session length and to enable the server to verify IP addresses. You can also use these pages to administer partner applications and external applications.
To access the administration pages:
Enter a URL of the following form:
http://host:port/sso
where host is the name of computer on which the server is located and port is the port number of the server. If the server is enabled for SSL, https must be substituted for http. The port number may be omitted if it is 80 or 443 (SSL) because these numbers are the defaults.
The Access Partner Applications page appears.
Click Login in the upper right corner of the Access Partner Applications page.
The login page appears.
Enter the administrator's user name and password; then click Login.
The home page appears. To perform administrative functions, click SSO Server Administration.
Figure 2-3 shows the SSO Server Administration page.
Figure 2-3 SSO Server Administration Page
Use the Edit Single Sign-On Server page to fix the length of single sign-on sessions and to verify IP addresses. To access the Edit Single Sign-On Server page, click Edit Single Sign-On Server Configuration on the SSO Server Administration page.
The Edit Single Sign-On Server page contains the following heading and fields:
Table 2-1 Single SIgn-On Session Policy
If you change either of these parameters, restart the OC4J_SECURITY instance:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
When installed, OracleAS Single Sign-On product supports dozens of languages. The default language is English, but users can set their browser preferences to any of the supported languages.
For a complete list of the language codes supported, see Appendix A in Oracle Application Server Globalization Guide at the following URL:
http://www.oracle.com/technology/documentation/index.html
From the landing page for the URL, click a link for the OracleAS Single-Sign on documentation, then click the View Library link to view the library for the appropriate release.
Before reading this section, read "Global User Inactivity Timeout" in Chapter 1, "Components and Processes: an Overview."
The global user inactivity timeout is applicable to one domain only. This means that computers enabled for the timeout must reside in the same cookie domain. The applications on these computers use the domain cookie to track user activity. If, for example, you use login.acme.com for the single sign on server, other computers in the system must have the .acme.com domain in their host name. One of these computers might be host1.acme.com. Another might be host2.acme.com. In addition, clocks on all of these computers, including the single sign-on server computer, must be synchronized with 10 seconds of one another.
The global user inactivity timeout is not configured by default. You must enable it by running the ssogito.sql script. The script is found at ORACLE_HOME/sso/admin/plsql/sso. The steps that follow include an example of ssogito.sql.
To configure the global user inactivity timeout:
Log in to SQL*Plus, using the single sign-on schema name and password. The default schema name is orasso. To obtain the password, see Appendix B.
Run ssogito.sql by entering the following command:
SQL> @ssogito.sql
A list of fields appears.
In the Enter value for timeout_cookie_domain field, enter a domain name that is common to all of the applications enabled by the single sign-on server. Be sure to place a period before the domain name.
|
Note: If this field is left blank, the domain name defaults to the host name of the single sign-on server. |
In the Enter value for inactivity period field, enter the length of the desired inactivity period in minutes.
To enable the new settings, press the Return or Enter key. To cancel the transaction, press the Return or Enter key twice.
Once you have completed a transaction, the script provides you with a summary of the new timeout settings. Here is an example of ssogito.sql:
SQL> @ssogito ============================================= SSO Server Inactivity Timeout Configuration ============================================= Timeout : DISABLED Cookie name : OSSO_USER_CTX Cookie domain : Inactivity period: 15 minutes Encryption key : 093D678526DAA66D Note: timeout cookie domain will be defaulted to the SSO Server hostname ------------------------------------------- To disable timeout set inactivity period to 0, (zero) Press return key twice if you do not want to change timeout configuration. PL/SQL procedure successfully completed. Enter value for timeout_cookie_domain: .oracle.com Enter value for inactivity_period: 15 Timeout : ENABLED New timeout cookie domain: .oracle.com New inactivity period : 15 minutes PL/SQL procedure successfully completed. No errors.
Restart the single sign-on middle tier:
ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=OC4J_SECURITY ORACLE_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY
On the application middle tiers where the inactivity timeout is to be enabled, edit the mod_osso.conf file. Make sure that the OssoIdleTimeout parameter exists and that it is set to on. The file is at ORACLE_HOME/Apache/Apache/conf. Here is an example file with the correct setting:
LoadModule osso_module libsexec/mod_osso.so <IfModule mod_osso.c> OssoIpCheck off OssoIdleTimeout on OssoConfigFile /u01/oracleas10g/Apache/Apache/conf/osso/osso.conf # #Insert Protected Resources # . . . </IfModule>
Restart the Oracle HTTP Server on the application middle tiers.
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
If Oracle Delegated Administration Services and the single sign-on server are located on the same middle tier, and you want the global user inactivity timeout to apply to the former, perform steps seven and eight on the single sign-on middle tier.
