|Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 1 (126.96.36.199.0)
Part Number E21032-01
This chapter describes how to configure single sign-on (SSO) for administration consoles. The administration consoles referred to in the chapter title are:
Oracle Enterprise Manager Fusion Middleware Control
Oracle WebLogic Server Administration Console
Oracle Access Manager Console
Oracle Identity Manager Console
This chapter includes the following topics:
This section describes how to integrate administration consoles with single sign-on.
This section contains the following topics:
Note:Once you have enabled single sign-on for the administration consoles, ensure that at least one Oracle Access Manager server is running to enable console access.
If you have used the Oracle Weblogic console to shut down all of the Oracle Access Manager Managed Servers, then restart one of those Managed Servers manually before using the console again.
WLS_OAM1 manually, use the command:
DOMAIN_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://ADMINVHN:7001
Before you attempt to integrate administration consoles with single sign-on, ensure Ensure that the following tasks have been performed:
Configure Oracle HTTP Server, as described in Chapter 5, "Configuring the Web Tier."
Configure Oracle Access Manager, as described in Chapter 12, "Extending the Domain with Oracle Access Manager 11g."
Weblogic Administrators have been provisioned in LDAP as described in Chapter 11, "Creating Users and Groups for Oracle WebLogic Server."
In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter domain). The application domains are configured to authenticate using the central Identity Management domain.
In Section 11.4.4, "Creating Users and Groups for Oracle WebLogic Server" you created a user called
weblogic_idm and assigned it to the group IDM Administrators. To be able to manage WebLogic using this account you must add the IDM administrators group to the list of Weblogic Administration groups. This section describes how to add the IDM Administrators Group to the list of WebLogic Administrators.
Log in to the WebLogic Administration Server Console.
In the left pane of the console, click Security Realms.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for
myrealm, click the Roles & Policies tab.
On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.
On the Global Roles page, click the Admin role to go to the Edit Global Role page:
On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.
On the Edit Arguments Page, Specify IDM Administrators in the Group Argument field and click Add.
Click Finish to return to the Edit Global Rule page.
The Role Conditions table now shows the
IDM Administrators Group as an entry.
Click Save to finish adding the Admin role to the
IDM Administrators Group.
Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the
boot.properties file for the Administration Server and the Managed Servers should be updated with the WebLogic
admin user created in Oracle Internet Directory. Follow these steps to update the
For the Administration Server on IDMHOST1
On IDMHOST1, go the following directory:
Rename the existing
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=weblogic_idm password=Password for weblogic_idm user
Note:When you start the Administration Server, the username and password entries in the file get encrypted.
For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.
Restarting the Servers
Restart WebLogic Administration Server and all Managed Servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Restart the following servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Access Servers on
Oracle HTTP Servers on
This section contains the following topics:
Ensure that the following tasks have been performed before installing the Oracle Web Gate:
Oracle Web Gate requires special versions of
gcc libraries to be installed (Linux only). These library files must exist somewhere on the Linux system. The Web Gate installer asks for the location of these library files at install time. Download the libraries from
http://gcc.gnu.org, as described in "Installing Third-Party GCC Libraries (Linux and Solaris Operating Systems Only)" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management
http://www.oracle.com/technetwork/middleware/ias/downloads/10gr3-webgates-integrations-readme-154689.pdffor additional information.
Before you install Oracle WebGate, ensure that the Managed Servers WLS_OAM1 and WLS_OAM2 are started.
Install Oracle WebGate as described in the following sections.
Start the Web Gate installer by issuing the command:
Then perform the following steps:
On the Welcome to the InstallShield Wizard for Oracle Access Manager WebGate screen.
On the Customer Information screen, enter the
group that the Access Server uses. This should be the same as the user and group that installed the Oracle HTTP Server. The default value for
nobody. For example, enter
Specify the installation directory for Oracle Access Manager Access Server. For example, enter:
Note:Oracle Access Manager WebGate is installed in the
Oracle Access Manager WebGate is installed in:
The access directory is created by the installer automatically.
Specify the location of the GCC run-time libraries, for example:
The installation progress screen is shown. After the installation process completes, the WebGate Configuration screen appears.
On the WebGate Configuration screen, you are prompted for the transport security mode:
The transport security between all Access System components (Policy Manager, Access Servers, and associated WebGates) must match; select one of the following: Open Mode, Simple Mode, or Cert Mode.
Select Simple Mode.
On the next WebGate Configuration screen, specify the following WebGate details:
WebGate ID: The agent name used in Section 12.6.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool," for example
Password for Web Gate: If you entered a password when creating the agent, enter this here. Otherwise leave blank.
Access Server ID: WLS_OAM1
Host Name: Enter the Host name for one of the Access Servers for example
Global Access Protocol Passphase: If your OAM servers are using the Simple security transport protocol, then specify the global passphrase that you use to interact with them.
Port Number the Access Server listens to: ProxyPort
Note:To find the port that the Access Server is using, log in to the oamconsole at:
Then perform the following steps:
Select the System Configuration tab.
Select Server Instances.
Select Instance (
WLS_OAM1) and click the View icon in the tool bar.
The proxy entry has host and port information.
On the Configure Web Server screen, click Yes to automatically update the web server, then click Next.
On the next Configure Web Server screen, specify the full path of the directory containing the
httpd.conf file. The
httpd.conf file is located under the following directory:
On the next Configure Web Server page, a message informs you that the Web Server configuration has been modified for WebGate.
The next screen, Configure Web Server, displays the following message:
If the web server is setup in SSL mode, then httpd.conf file needs to be configured with the SSL related parameters. To manually tune your SSL configuration, please follow the instructions that come up.
The next screen, Configure Web Server, displays a message with the location of the document that has information on the rest of the product setup, as well as Web Server configuration.
Select No and click Next.
The final Configure Web Server screen appears with a message to manually launch a browser and open the HTML document for further information on configuring your Web Server.
The Oracle COREid Readme screen appears. Review the information on the screen and click Next.
A message appears, along with the details of the installation, informing you that the installation was successful.
Replace the file
ObAccessClient.xml in the directory
/oam/webgate/access/oblix/lib with the file generated in Section 12.6.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool."
Restart the web server by following the instructions in Chapter 19, "Starting and Stopping Oracle Identity Management Components."
You must create a logout page to enable applications to log out. A default page exists, but you must edit it and copy it to the WebGate installation on
Copy the file
logout.html from the directory
Now that you have your own logout page on the web server, you must remove the default entry.
Edit the file
httpd.conf, located in the directory:
Comment out the following lines by adding a
# at the beginning. The edited lines look like this:
#*******Default Login page alias*** Alias /oamsso "/u01/app/oracle/product/fmw/webgate/access/oamsso" #<LocationMatch "/oamsso/*"> #Satisfy any #</LocationMatch> #**********************************
Save the file.
Restart the Oracle HTTP server, as described in Chapter 19, "Starting and Stopping Oracle Identity Management Components."
This software cannot be patched until it is installed, as described in Section 18.5.3, "Installing Oracle WebGate on WEBHOST1 and WEBHOST2."
Follow these steps to patch the WebGates in your environment:
Download the Oracle Access Manager OHS11g WebGate patch from My Oracle Support at
https://support.oracle.com. For 32-bit Linux, the patch name is
Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate.zip. For 64-bit Linux it is
Stop the Oracle HTTP Server 11g instances on
WEBHOST2 by following the steps in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate.zip file to a temporary location. This creates t two directories. On 32-bit Linux, the directories are:
On 64-bit Linux, the directories are:
Change directory to:
Uninstall any existing patches because you must apply patches to the base version.
To detect the presence of an existing patch, determine the version number, as follows:
Open the file,
Version value is the base version, 10.1.4.3.0 M11, then it does not contain any patch.
Version value is different from the base version, indicating that there is a patch, uninstall the patch as follows:
Navigate to the location within the WebGate installation where the
patchinst script is present, for example:
Execute the command:
Specify the WebGate installation area when prompted.
Start the patch installation tool by typing:
./patchinst -i InstallDir/access
InstallDir is the path to the Access Server install location. For example:
This applies the required patch for Oracle Access Manager-Oracle Identity Manager integration to the Oracle Access Manager 10.1.4.3.0 WebGate Instance. Please see the "Enterprise Deployment Guide" chapter of the 11g Release 1 (188.8.131.52.0) Release Notes for the exact patch level required.
Apply this patch to all the WebGate instances in your environment.
Start the Oracle HTTP Server instances on
WEBHOST2, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
You can test that WebGate is functioning correctly by accessing the URL:
You now see the Oracle Access Manager Login page displayed. Enter your OAM administrator user name (for example,
oamadmin) and password and click Login. Then you see the OAM console displayed.
The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the
weblogic_idm user to log in.