Skip Headers
Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management
11g Release 1 (11.1.1.5)

Part Number E12035-10
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

19 Configuring Single Sign-on for Administration Consoles

This chapter describes how to configure single sign-on (SSO) for administration consoles. The administration consoles referred to in the chapter title are:

This chapter includes the following topics:

19.1 Configuring Single Sign-On for Administration Consoles with Oracle Access Manager 11g

This section describes how to integrate administration consoles with single sign-on. You need not perform the procedures in this section if you are integrating Oracle Access Manager with Oracle Identity Manager, as the integration command creates the security providers for you.

This section contains the following topics:

Note:

Once you have enabled single sign-on for the administration consoles, ensure that at least one Oracle Access Manager server is running to enable console access.

If you subsequently enable OAAM to protect your entire domain or integrate OAAM with Oracle Identity Manager, you must also have an OAAM server running to enable console access.

If you have used the Oracle Weblogic console to shut down all of the Oracle Access Manager Managed Servers, then restart one of those Managed Servers manually before using the console again.

To start WLS_OAM1 manually, use the command:

DOMAIN_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://ADMINVHN:7001

19.1.1 Prerequisites

Before you attempt to integrate administration consoles with single sign-on, ensure Ensure that the following tasks have been performed:

  1. Configure Oracle HTTP Server, as described in Chapter 5, "Configuring the Web Tier."

  2. Configure Oracle Access Manager, as described in Chapter 11, "Extending the Domain with Oracle Access Manager 11g."

  3. Weblogic Administrators have been provisioned in LDAP as described in Chapter 10, "Creating Users and Groups for Oracle WebLogic Server."

19.1.2 Creating Oracle Directory Authenticator

This section sets up a directory authenticator to enable you to use the users in your LDAP directory to access administration consoles.

You do not need to perform these steps if you have Integrated Oracle Access Manager and Oracle Identity Manager as described in Section 18.1, "Integrating Oracle Identity Manager and Oracle Access Manager 11g."

  1. Log in to the WebLogic Administration Console at http://admin.mycompany.com/console.

  2. Click Security Realms from the Domain structure menu.

  3. Click Lock and Edit in the Change Center.

  4. Click myrealm.

  5. Select the Providers tab.

  6. Click DefaultAuthenticator.

  7. Set Control Flag to SUFFICIENT.

  8. Click Save.

  9. Click Security Realms from the Domain structure menu.

  10. Click myrealm.

  11. Select the Providers tab.

  12. Click New.

  13. Supply the following information if you are using Oracle Virtual Directory:

    For Oracle Virtual Directory:

    • Name: OVDAuthenticator

    • Type: OracleVirtualDirectoryAuthenticator

    For Oracle Internet Directory:

    • Name: OIDAuthenticator

    • Type: OracleInternetDirectoryAuthenticator

  14. Click OK.

  15. Click OVDAuthenticator or OIDAuthenticator.

  16. Set Control Flag to SUFFICIENT.

  17. Click Save.

  18. Select the Provider Specific tab.

  19. Enter the following details:

    • Host: idstore.mycompany.com

    • Port: 389

    • Principal: cn=oamLDAP,cn=Users,dc=us,dc=oracle,dc=com

    • Credential: oamLDAP password

    • Confirm Credential: oamLDAP password

    • User Base DN: cn=Users,dc=mycompany,dc=com

    • All Users Filter: (&(uid=*)(objectclass=person))

      User From Name Filter: (&(uid=%u)(objectclass=person))

      User Name Attribute: uid

    • Group Base DN: cn=Groups,dc=mycompany,dc=com

    • GUID Attribute: orclguid

  20. Click Save.

  21. Click Activate Changes from the Change Center.

  22. Restart WebLogic Administration Server and all the Managed Servers, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

Validating the Configuration

Validate the configuration by logging in to the OAM console as the user oamadmin.

You can perform a further validation test by using the Oracle WebLogic Administration Console, as follows.

  1. Log in to the console, which is at http://admin.mycompany.com/console.

  2. Select Security Realms from the Domain structure menu.

  3. Click myrealm.

  4. Click the Users and Groups tab.

  5. Click Users.

    LDAP users are displayed.

19.1.3 Creating Oracle Access Manager Identity Asserter

This section sets up an Oracle Access Manager asserter to enable you to delegate responsibility for credential collection to Oracle Access Manager.

You do not need to perform these steps if you have Integrated Oracle Access Manager and Oracle Identity Manager as described in Section 18.1, "Integrating Oracle Identity Manager and Oracle Access Manager 11g."

  1. Log in to the WebLogic Administration Console at: http://admin.mycompany.com/console.

  2. Click Security Realms from the Domain structure menu.

  3. Click Lock and Edit in the Change Center.

  4. Click myrealm.

  5. Select the Providers tab.

  6. Click New.

  7. Supply the following information:

    • Name: OAMIDAsserter

    • Type: OAMIdentityAsserter

  8. Click OK.

  9. Click OAMIdentityAsserter.

  10. Set Control Flag to REQUIRED.

  11. Click Save.

  12. Click Security Realms from the Domain structure menu

  13. Click myrealm.

  14. Select the Providers tab.

  15. Click Reorder.

  16. Using the arrows on the right hand side order the providers such that the order is:

    • OAMIDAsserter

    • Default Authenticator

    • OIM Signature Authenticator, if present

    • OIMAuthenticationProvider, if present

    • OVDAuthenticator or OIDAuthenticator

    • Default Identity Asserter

    Note:

    Oracle Identity Manager providers only exist if Oracle Identity Manager has been configured.

  17. Click OK.

  18. Click Save.

  19. Click Activate Changes.

  20. Restart WebLogic Administration Server and all the Managed Servers, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

19.2 Assigning IDM Administrators Group to Weblogic Administration Groups

In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter domain). The application domains are configured to authenticate using the central Identity Management domain.

In Section 10.4.5, "Creating Users and Groups for Oracle WebLogic Server" you created a user called weblogic_idm and assigned it to the group IDM Administrators. To be able to manage WebLogic using this account you must add the IDM administrators group to the list of Weblogic Administration groups. This section describes how to add the IDM Administrators Group to the list of WebLogic Administrators.

  1. Log in to the WebLogic Administration Server Console.

  2. In the left pane of the console, click Security Realms.

  3. On the Summary of Security Realms page, click myrealm under the Realms table.

  4. On the Settings page for myrealm, click the Roles & Policies tab.

  5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.

  6. On the Global Roles page, click the Admin role to go to the Edit Global Role page:

    1. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.

    2. On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.

    3. On the Edit Arguments Page, Specify IDM Administrators in the Group Argument field and click Add.

  7. Click Finish to return to the Edit Global Rule page.

  8. The Role Conditions table now shows the IDM Administrators Group as an entry.

  9. Click Save to finish adding the Admin role to the IDM Administrators Group.

  10. Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.

19.3 Updating the boot.properties File

The boot.properties file for the Administration Server and the Managed Servers should be updated with the WebLogic admin user created in Oracle Internet Directory. Follow these steps to update the boot.properties file.

For the Administration Server on IDMHOST1

  1. On IDMHOST1, go the following directory:

    ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security
    

    For example:

    cd ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security
    
  2. Rename the existing boot.properties file.

  3. Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:

    username=adminUser
    password=adminUserPassword
    

    For example:

    username=weblogic_idm
    password=Password for weblogic_idm user
    

    Note:

    When you start the Administration Server, the username and password entries in the file get encrypted.

    For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.

Restarting the Servers

Restart WebLogic Administration Server and all Managed Servers as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

19.4 Restarting Servers

Restart the following servers as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

19.5 Installing and Configuring WebGate

This section describes how to install and configure WebGate. This task is not necessary for OIM11g/OAM10g integration.

This section contains the following topics:

19.5.1 Prerequisites

Ensure that the following tasks have been performed before installing the Oracle Web Gate:

  1. Install and configure the Oracle Web Tier as described in Chapter 5.

  2. On Linux systems, make the special versions of the gcc libraries available, as described in Chapter 19.

  3. Ensure Oracle Access Manager has been configured as described in Chapter 11.

19.5.2 Making Special gcc Libraries Available

Oracle Web Gate requires special versions of gcc libraries to be installed (Linux only). These library files must exist somewhere on the Linux system. The Web Gate installer asks for the location of these library files at install time. Download the libraries from http://gcc.gnu.org, as described in "Installing Third-Party GCC Libraries (Linux and Solaris Operating Systems Only)" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management

19.5.3 Installing Oracle WebGate on WEBHOST1 and WEBHOST2

Before you install Oracle WebGate, ensure that the Managed Servers WLS_OAM1 and WLS_OAM2 are started.

Install Oracle WebGate as described in the following sections.

19.5.3.1 Oracle WebGate 10g

Start the Web Gate installer by issuing the command:

Oracle_Access_Managerversion_linux_OHS11g_WebGate -gui

Then perform the following steps:

  1. On the Welcome to the InstallShield Wizard for Oracle Access Manager WebGate screen.

    Click Next.

  2. On the Customer Information screen, enter the username and group that the Oracle Access Manager server uses. This should be the same as the user and group that installed the Oracle HTTP Server. The default value for username and group is nobody. For example, enter oracle/oinstall.

    Click Next.

  3. Specify the installation directory for the Oracle Access Manager server. For example, enter: MW_HOME/oam/webgate.

    Click Next.

    Note:

    Oracle Access Manager WebGate is installed in the access subdirectory under:

    /u01/app/oracle/product/fmw/oam/webgate.

  4. Oracle Access Manager WebGate is installed in: /u01/app/oracle/product/fmw/oam/webgate/

    The access directory is created by the installer automatically.

  5. Specify the location of the GCC run-time libraries, for example: /u01/app/oracle/oam_lib

    Click Next.

  6. The installation progress screen is shown. After the installation process completes, the WebGate Configuration screen appears.

  7. On the WebGate Configuration screen, you are prompted for the transport security mode:

    The transport security between all Access System components (Policy Manager, Access Servers, and associated WebGates) must match; select one of the following: Open Mode, Simple Mode, or Cert Mode.

    Select Simple Mode.

    Click Next.

  8. On the next WebGate Configuration screen, specify the following WebGate details:

    • WebGate ID: The agent name used in Section 11.6.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool," for example Webgate_IDM.

    • Password for Web Gate: If you entered a password when creating the agent, enter this here. Otherwise leave blank.

    • Access Server ID: The name of one of your Oracle Access Manager servers, for example: WLS_OAM1

    • Host Name: Enter the Host name for one of the Oracle Access Manager servers for example IDMHOST1

    • Global Access Protocol Passphase: If your OAM servers are using the Simple security transport protocol, then specify the global passphrase that you use to interact with them.

    • Port Number the Access Server listens to: ProxyPort

    Note:

    To find the port that the Oracle Access Manager server is using, log in to the oamconsole at:

    http://admin.mycompany.com/oamconsole

    Then perform the following steps:

    1. Select the System Configuration tab.

    2. Select Server Instances.

    3. Select Instance (WLS_OAM1) and click the View icon in the tool bar.

    The proxy entry has host and port information.

  9. On the Configure Web Server screen, click Yes to automatically update the web server, then click Next.

  10. On the next Configure Web Server screen, specify the full path of the directory containing the httpd.conf file. The httpd.conf file is located under the following directory:

    /u01/app/oracle/admin/ohsInstance/config/OHS/ohsComponentName

    For example:

    /u01/app/oracle/admin/ohs_instance2/config/OHS/ohs2/httpd.conf

    Click Next.

  11. On the next Configure Web Server page, a message informs you that the Web Server configuration has been modified for WebGate.

    Click Next.

  12. The next screen, Configure Web Server, displays the following message:

    If the web server is setup in SSL mode, then httpd.conf file needs to be configured with the SSL related parameters. To manually tune your SSL configuration, please follow the instructions that come up.
    

    Click Next.

  13. The next screen, Configure Web Server, displays a message with the location of the document that has information on the rest of the product setup, as well as Web Server configuration.

    Select No and click Next.

  14. The final Configure Web Server screen appears with a message to manually launch a browser and open the HTML document for further information on configuring your Web Server.

    Click Next.

  15. The Oracle COREid Readme screen appears. Review the information on the screen and click Next.

  16. A message appears, along with the details of the installation, informing you that the installation was successful.

    Click Finish.

  17. Replace the file ObAccessClient.xml in the directory MW_HOME/oam/webgate/access/oblix/lib with the file generated in Section 11.6.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool."

  18. Restart the web server by following the instructions in Chapter 20, "Starting and Stopping Oracle Identity Management Components."

  19. Repeat for WEBHOST2

19.5.3.2 Copying Logout Page to OHS Servers

You must create a logout page to enable applications to log out. A default page exists, but you must edit it and copy it to the WebGate installation on WEBHOST1 and WEBHOST2.

  1. Copy the file logout.html from the directory DOMAIN_HOME/output/Webgate_IDM on IDMHOST1 to MW_HOME/oam/webgate/access/oamsso on WEBHOST1 and WEBHOST2.

  2. Now that you have your own logout page on the web server, you must remove the default entry.

    Edit the file httpd.conf, located in the directory:

    ORACLE_INSTANCE/config/OHS/component name/

    Comment out the following lines by adding a # at the beginning. The edited lines look like this:

    #*******Default Login page alias***
    Alias /oamsso "/u01/app/oracle/product/fmw/webgate/access/oamsso"
     
    #<LocationMatch "/oamsso/*">
    #Satisfy any
    #</LocationMatch>
    #**********************************
    

    Save the file.

  3. Restart the Oracle HTTP server, as described in Chapter 20, "Starting and Stopping Oracle Identity Management Components."

19.5.4 Patching the Oracle Access Manager 10g WebGates

This software cannot be patched until it is installed, as described in Section 19.5.3, "Installing Oracle WebGate on WEBHOST1 and WEBHOST2."

Follow these steps to patch the WebGates in your environment:

  1. Download the Oracle Access Manager OHS11g WebGate patch 12816881 from My Oracle Support at https://support.oracle.com. The patch name is p12816881_10143_Linux-x86-64.zip.

  2. Stop the Oracle HTTP Server 11g instances on WEBHOST1 and WEBHOST2 by following the steps in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

  3. Unzip the p12816881_10143_Linux-x86-64.zip file to a temporary location. This creates t two directories. On 32-bit Linux, the directories are:

    • Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate_binary_parameter

    • Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate_message_en-us

    On 64-bit Linux, the directories are:

    • Oracle_Access_Manager10_1_4_3_0_BP10_Patch_linux64_OHS11g_WebGate_binary_parameter

    • Oracle_Access_Manager10_1_4_3_0_BP10_Patch_linux64_OHS11g_WebGate_message_en-us

  4. Change directory to: PatchExtractLocation/Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate_binary_parameter

  5. Uninstall any existing patches because you must apply patches to the base version.

    To detect the presence of an existing patch, determine the version number, as follows:

    1. Open the file, webgate-install/oblix/config/np1014_wg.txt

    2. Check the Version field.

    If the Version value is the base version, 10.1.4.3.0 M11, then it does not contain any patch.

    If the Version value is different from the base version, indicating that there is a patch, uninstall the patch as follows:

    1. Navigate to the location within the WebGate installation where the patchinst script is present, for example:

      cd /u01/app/oracle/product/fmw/oam/webgate/access/oblix/patch/10143005BP05/Oracle_Access_Manager10_1_4_3_0_BP05_Patch_linux64_OHS11g_WebGate_binary_parameter/
      
    2. Execute the command:

      ./patchinst -u
      
    3. Specify the WebGate installation area when prompted.

  6. Start the patch installation tool by typing:

    ./patchinst -i InstallDir/access
    

    where InstallDir is the path to the Oracle Access Manager server install location. For example:

    /u01/app/oracle/product/fmw/oam/webgate/

    This applies the required patch for Oracle Access Manager-Oracle Identity Manager integration to the Oracle Access Manager 10.1.4.3.0 WebGate Instance. Please see the Release Notes for the exact patch level required.

  7. Apply this patch to all the WebGate instances in your environment.

  8. Start the Oracle HTTP Server instances on WEBHOST1 and WEBHOST2, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

19.5.5 Validating WebGate

You can test that WebGate is functioning correctly by accessing the URL:

http://admin.mycompany.com/oamconsole

You now see the Oracle Access Manager Login page displayed. Enter your OAM administrator user name (for example, oamadmin) and password and click Login. Then you see the OAM console displayed.

19.5.6 Validating the Oracle Access Manager Single Sign-On Setup

To validate the setup, open a web browser and go the following URLs:

http://admin.mycompany.com/console

http://admin.mycompany.com/em

The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.