Oracle® Student Learning Installation and Deployment Guide Release 3.1.3 Part Number E20664-04
This chapter provides step-by-step instructions for configuring OSSO as the single sign-on solution for OSL. You can find a complete explanation of the OSSO solution in "Chapter 10 Configuring Single Sign-On in Oracle Fusion Middleware" in the Oracle® Fusion Middleware Security Guide 11g Release 1 (11.1.1) at
http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/toc.htm
There are no 11g Release 1 (11.1.1) versions of Oracle Single Sign-On and Oracle Delegated Administration Services. However, both Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0) are certified for use with Oracle Internet Directory 11g Release 1 (11.1.1).
You can find related information in "Chapter 10 Installing Oracle Single Sign-On and Oracle Delegated Administration Services Against Oracle Internet Directory" in the Oracle® Fusion Middleware Installation Guide for Oracle Identity Management 11g Release 1 (11.1.1) at
To configure SSO for Learning Tool, perform the steps in the subsequent sections.
Install a web server to be used as a front end to the Oracle WebLogic Server. In this guide, we use Oracle HTTP Server (OHS) 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.
If you select the option “Associate Selected Components with WebLogic Domain” during the installation of Web Tier Utilities, you are able to manage the web server using Enterprise Manager (EM).
This section demonstrates the configuration of mod_wl_ohs using EM. However, it is also possible to do the same configuration by manually editing the configuration files.
To configure mod_wl_ohs from EM, perform the following:
Select the OHS instance on the left panel.
Select Oracle HTTP Server > Administration > mod_wl_ohs Configuration on the right panel.
Enter the value for WebLogic Host, WebLogic Port, and Locations. Figure 10-2 shows a sample setup for Learning Tool Admin and Learning Tool.
This configuration will effectively be added to the mod_wl_ohs.conf file of this OHS instance. You can also manually modify this file without using the EM.
Note:
If you install Web Tier Utilities, you can locate the mod_wl_ohs.conf file at, for example:
<MIDDLEWARE_HOME>/Oracle_WT1/instances/instance1/config/OHS/ohs1/
For example, for Learning Tool Admin:
<IfModule weblogic_module>
  WebLogicHost yourservername.com
  WebLogicPort 7002
  <Location /LTAdminWeb>
    SetHandler weblogic-handler
  </Location>
</IfModule>
This configuration will effectively be added to the mod_wl_ohs.conf file of this OHS instance. You can also manually modify this file without using the EM.
For example, for Learning Tool:
<IfModule weblogic_module>
  WebLogicHost yourservername.com
  WebLogicPort 7002
  <Location /LTWeb>
    SetHandler weblogic-handler
  </Location>
</IfModule>
To register OHS mod_osso with OSSO server, perform the following:
Execute the ssoreg.sh tool, which can be found in <OSSO_HOME>/sso/bin, where <OSSO_HOME> is the directory in which Oracle Single Sign-On is installed.
Note:
The directory where you want to store the resulting configuration file must be created beforehand.
$ cd <OSSO_HOME>/sso/bin
$ export ORACLE_HOME=<OSSO_HOME>
$ ./ssoreg.sh -oracle_home_path <OSSO_HOME> -site_name LearningToolAdmin -config_mod_osso TRUE -mod_osso_url http://<LT_WEB_HOST>:<LT_WEB_PORT> -update_mode CREATE -remote_midtier -config_file <OSSO_HOME>/temp/osso_admin.conf
$ ./ssoreg.sh -oracle_home_path <OSSO_HOME> -site_name LearningTool -config_mod_osso TRUE -mod_osso_url http://<LT_WEB_HOST>:<LT_WEB_PORT> -update_mode CREATE -remote_midtier -config_file <OSSO_HOME>/temp/osso_lt.conf
where:
<LT_WEB_HOST> and <LT_WEB_PORT> in the first command are the host name and port of the web server configured as a front end to provide access to the Learning Tool Admin application.
<LT_WEB_HOST> and <LT_WEB_PORT> in the second command are the host name and port of the web server configured as a front end to provide access to the Learning Tool application.
Copy each resulting file to the corresponding web server instance location.
For example:
<MIDDLEWARE_HOME>/Oracle_WT1/instances/instance1/config/OHS/ohs1/osso/osso_admin.conf
<MIDDLEWARE_HOME>/Oracle_WT1/instances/instance2/config/OHS/ohs2/osso/osso_lt.conf
To configure mod_osso to protect web resources, perform the following:
Enable mod_osso from EM.
Select the OHS instance on the left panel and select Oracle HTTP Server > Administration > Server Configuration on the right panel.
Check the check box for mod_osso and click Apply.
Configure mod_osso.
Go to the Advanced Server Configuration. The Advanced Server Configuration screen enables you to edit the configuration files directly. From the list, select mod_osso.conf and click Go.
Edit the content of this file (see Figure 10-7).
You can also manually edit the content of this file without using EM. Below is the sample configuration done for Learning Tool Admin and Learning Tool.
Sample configuration for Learning Tool Admin:
LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
<IfModule osso_module>
  OssoIpCheck on
  OssoIdleTimeout off
  OssoSecureCookies off
  OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_admin.conf
  <Location /LTAdminWeb>
    require valid-user
    AuthType Osso
  </Location>
</IfModule>
Sample configuration for Learning Tool:
LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
<IfModule osso_module>
  OssoIpCheck on
  OssoIdleTimeout off
  OssoSecureCookies off
  OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_lt.conf
  OssoHTTPOnly Off
  <Location /LTWeb>
    require valid-user
    AuthType Osso
  </Location>
</IfModule>
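The following script is an added example and is not part of the Oracle guide. It parses a mod_osso.conf fragment written in the Apache-style syntax shown above and reports the settings a reviewer checks before the front end goes live: OssoSecureCookies, OssoHTTPOnly, OssoIpCheck, the presence of OssoConfigFile, and that every <Location> carries both AuthType Osso and require valid-user. The embedded SAMPLE_CONF is constructed from the Learning Tool fragment above (so it reports the two cookie settings that fragment deliberately relaxes); HARDENED_CONF is the same fragment with secure cookies on and OssoHTTPOnly left at its default. The same checks apply to the OBIEE and UCM fragments later in this chapter.

```python
"""Audit a mod_osso.conf fragment for the directives this guide sets.

Added example (not part of the Oracle guide): a minimal parser for the
Apache-style syntax of mod_osso.conf plus checks on the settings that
matter once OSSO fronts an application.
"""
import re
from typing import Dict, List, Tuple

# Constructed from the guide's "Sample configuration for Learning Tool".
SAMPLE_CONF = """
LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
<IfModule osso_module>
  OssoIpCheck on
  OssoIdleTimeout off
  OssoSecureCookies off
  OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_lt.conf
  OssoHTTPOnly Off
  <Location /LTWeb>
    require valid-user
    AuthType Osso
  </Location>
</IfModule>
"""

# Same fragment, secure cookies on and OssoHTTPOnly at its default.
HARDENED_CONF = (SAMPLE_CONF
                 .replace("OssoSecureCookies off", "OssoSecureCookies on")
                 .replace("OssoHTTPOnly Off\n", ""))

OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")

Entry = Tuple[Tuple[str, ...], str, str]  # (enclosing sections, directive, argument)


def parse_conf(text: str) -> List[Entry]:
    """Split an Apache-style config into (context, directive, argument) triples.

    context lists the enclosing section headers, for example
    ("IfModule osso_module", "Location /LTWeb").  Comment lines are dropped;
    unbalanced sections raise ValueError.
    """
    entries: List[Entry] = []
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1) + " " + m.group(2)).strip())
            continue
        m = CLOSE_RE.match(line)
        if m:
            if not stack or stack[-1].split()[0] != m.group(1):
                raise ValueError(f"unbalanced section close: {line}")
            stack.pop()
            continue
        directive, _, argument = line.partition(" ")
        entries.append((tuple(stack), directive, argument.strip()))
    if stack:
        raise ValueError(f"unclosed sections: {stack}")
    return entries


def audit_mod_osso(text: str) -> List[str]:
    """Return human-readable findings for a mod_osso.conf fragment (empty = clean)."""
    findings: List[str] = []
    top: Dict[str, str] = {}                     # directives outside any <Location>
    locations: Dict[str, Dict[str, str]] = {}    # directives per <Location>
    for ctx, directive, argument in parse_conf(text):
        loc = next((c for c in ctx if c.startswith("Location ")), None)
        if loc is None:
            top[directive.lower()] = argument.lower()
        else:
            locations.setdefault(loc, {})[directive.lower()] = argument.lower()

    if top.get("ossosecurecookies") != "on":
        findings.append("OssoSecureCookies is not 'on': the OSSO session cookie "
                        "will also be sent over plain HTTP")
    if top.get("ossohttponly") == "off":
        findings.append("OssoHTTPOnly is off: page scripts and applets can read the OSSO "
                        "cookie (the guide requires this only on the Learning Tool front end)")
    if top.get("ossoipcheck") != "on":
        findings.append("OssoIpCheck is not 'on': the session is not bound to the client IP")
    if "ossoconfigfile" not in top:
        findings.append("OssoConfigFile is missing: the ssoreg.sh registration is not referenced")
    if not locations:
        findings.append("no <Location> is protected by mod_osso")
    for loc, directives in locations.items():
        if directives.get("authtype") != "osso":
            findings.append(f"{loc}: AuthType Osso is missing")
        if directives.get("require") != "valid-user":
            findings.append(f"{loc}: 'require valid-user' is missing")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mod_osso(conf) or ["no findings"])
```

Run it against the mod_osso.conf of each OHS instance after editing; the two findings it reports for the Learning Tool fragment are the ones the note below explains, and any finding about a <Location> means that path is reachable without an OSSO session.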
Note:
The configuration directive OssoHTTPOnly must be turned off in the web server configured as a front end to provide access to the Learning Tool application. This allows the audio applet in the Learning Tool application to read the OSSO cookies.
Oracle recommends the following Authentication providers:
OSSO Identity Asserter
OID Authenticator
DefaultAuthenticator
To add providers to your WebLogic domain for OSSO Identity Assertion, perform the following:
Log in to the WebLogic Administration Console.
OSSO Identity Asserter:
Go to Security Realms > Default Realm Name (Example: myrealm) and click Providers.
Select New under the Authentication Providers table.
Enter a name for the new provider, select its type, and click OK.
Name: OSSO Identity Asserter
Type: OSSOIdentityAsserter
Note:
For OSSOIdentityAsserter to appear in the list, you must copy ossoiap.jar to <DOMAIN_HOME>/lib.
The ossoiap.jar is available in <MIDDLEWARE_HOME>/oracle_common/modules/oracle.ossoiap_11.1.1 on a computer where Oracle Fusion Middleware products such as Oracle Identity Management, Oracle SOA Suite, or Oracle WebCenter are installed.
Click the name of the newly added provider.
On the Common tab, set the appropriate values for common parameters and set the Control Flag to SUFFICIENT and then save the settings.
Default Authentication Provider:
Go to Security Realms > Default Realm Name (Example: myrealm) and click Providers.
Click DefaultAuthentication Provider.
Set the Control Flag to OPTIONAL and click Save.
OID Authenticator:
The instructions to create this provider are provided in Section 8.5, "Configuring OID as Security Provider".
If the OID Authenticator is configured successfully, you can change the Control Flag to SUFFICIENT.
Reorder Providers:
OSSO Identity Asserter (SUFFICIENT)
OID Authenticator (SUFFICIENT)
DefaultAuthenticator (OPTIONAL)
Save all configuration settings and restart the Oracle WebLogic Server for the changes to take effect.
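The provider order and control flags above follow the JAAS login-module rules that WebLogic applies to its authentication providers. The following is an added example, not part of the Oracle guide or of WebLogic: a simulation of those rules that walks the recommended chain (OSSO Identity Asserter SUFFICIENT, OID Authenticator SUFFICIENT, DefaultAuthenticator OPTIONAL) through typical login attempts, and shows what goes wrong when DefaultAuthenticator is left at its out-of-the-box REQUIRED flag and placed first. Provider names are taken from the guide; which provider succeeds in each attempt is a constructed input.

```python
"""Model the JAAS control-flag semantics behind the recommended provider order.

Added example, not part of the Oracle guide: simulates how an ordered chain of
WebLogic authentication providers combines under the JAAS control flags
REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL.
"""
from typing import Dict, List, Tuple

Chain = List[Tuple[str, str]]  # ordered (provider name, control flag)

# The order and flags the guide recommends.
GUIDE_CHAIN: Chain = [
    ("OSSO Identity Asserter", "SUFFICIENT"),
    ("OID Authenticator", "SUFFICIENT"),
    ("DefaultAuthenticator", "OPTIONAL"),
]


def evaluate_chain(chain: Chain, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (authenticated, providers that were actually consulted).

    outcomes maps a provider name to whether it would succeed for this attempt
    (for the asserter: a valid OSSO token was presented).  JAAS rules:
      REQUIRED   must succeed; the chain continues regardless.
      REQUISITE  must succeed; a failure stops the chain at once.
      SUFFICIENT a success ends the chain with success, provided every earlier
                 REQUIRED/REQUISITE succeeded; a failure is ignored.
      OPTIONAL   only counts when the chain has no REQUIRED/REQUISITE entries.
    """
    consulted: List[str] = []
    required_failed = False
    optional_succeeded = False
    has_required = any(flag in ("REQUIRED", "REQUISITE") for _, flag in chain)

    for name, flag in chain:
        consulted.append(name)
        ok = outcomes.get(name, False)
        if flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    return False, consulted
        elif flag == "SUFFICIENT":
            if ok and not required_failed:
                return True, consulted
        elif flag == "OPTIONAL":
            optional_succeeded = optional_succeeded or ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")

    if required_failed:
        return False, consulted
    if has_required:
        return True, consulted
    return optional_succeeded, consulted


def guide_scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Walk the recommended chain through constructed login attempts."""
    return {
        # Browser carries a valid OSSO session: the asserter alone decides.
        "osso_token": evaluate_chain(GUIDE_CHAIN, {"OSSO Identity Asserter": True}),
        # No OSSO token, but the user exists in OID and the password is right.
        "oid_password": evaluate_chain(GUIDE_CHAIN, {"OID Authenticator": True}),
        # Only the embedded LDAP knows the user (for example the domain admin).
        "embedded_ldap": evaluate_chain(GUIDE_CHAIN, {"DefaultAuthenticator": True}),
        # Nobody can vouch for the user.
        "nobody": evaluate_chain(GUIDE_CHAIN, {}),
    }


def misconfigured_scenario() -> Tuple[bool, List[str]]:
    """DefaultAuthenticator left at REQUIRED and placed first: an OID-only user
    is rejected even though the OID Authenticator succeeds."""
    chain: Chain = [("DefaultAuthenticator", "REQUIRED")] + GUIDE_CHAIN[:2]
    return evaluate_chain(chain, {"OID Authenticator": True})


if __name__ == "__main__":
    for label, result in guide_scenarios().items():
        print(f"{label:14s} -> authenticated={result[0]}, consulted={result[1]}")
    print("misconfigured  ->", misconfigured_scenario())
```

The model shows why the asserter goes first with SUFFICIENT (a valid OSSO session short-circuits the chain, so OID and the embedded LDAP are never asked) and why DefaultAuthenticator is demoted to OPTIONAL: as REQUIRED it would veto every user it does not know, which is every OID user.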
Update the <login-config> in web.xml for the application to support SSO as follows:
Modify the web.xml, which is located at [OSL Home directory]/LearningTool/Configuration/LearningTool/DeploymentDescriptors/ for Learning Tool and at [OSL Home directory]/LearningTool/Configuration/Admin/DeploymentDescriptors/ for Learning Tool Admin, to update the login-config as follows:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>myRealm</realm-name>
</login-config>
<!--login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/faces/loginView.jspx</form-login-page>
    <form-error-page>/faces/loginErrorView.jspx</form-error-page>
  </form-login-config>
</login-config-->
Run the Configurator to update the EAR files as explained in Section 9.3, "Running the OSL Learning Tool Configurator".
To configure SSO for OBIEE, perform the following steps in the subsequent sections:
Install a web server to be used as a front end to Oracle WebLogic Server. In this guide, we use Oracle HTTP Server 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.
If the ear/war file is deployed onto a WebLogic Server, perform similar steps as Section 10.2.2, "Configuring mod_wl_ohs" to configure mod_wl_ohs.
To register OHS mod_osso with OSSO Server, perform the following:
Execute the ssoreg.sh tool, which can be found in <OSSO_HOME>/sso/bin, where <OSSO_HOME> is the directory in which Oracle Single Sign-On is installed.
Note:
The directory where you want to store the resulting configuration file must be created beforehand.
$ cd <OSSO_HOME>/sso/bin
$ export ORACLE_HOME=<OSSO_HOME>
$ ./ssoreg.sh -oracle_home_path <OSSO_HOME> -site_name Student_Reporting -config_mod_osso TRUE -mod_osso_url http://<OBIEE_WEB_HOST>:<OBIEE_WEB_PORT> -update_mode CREATE -remote_midtier -config_file <OSSO_HOME>/temp/osso_bi.conf
where:
<OBIEE_WEB_HOST> and <OBIEE_WEB_PORT> are the host name and port of the web server configured as a front end to provide access to the OBIEE application.
Copy this file to the web server instance location.
For example:
<MIDDLEWARE_HOME>/Oracle_WT1/instances/instance3/config/OHS/ohs3/osso/osso_bi.conf
Perform similar steps as explained in Section 10.2.4, "Configuring mod_osso to Protect Web Resources" to configure the mod_osso as follows:
LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
<IfModule osso_module>
  OssoIpCheck on
  OssoIdleTimeout off
  OssoSecureCookies off
  OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_bi.conf
  <Location /analytics>
    Header unset Pragma
    OssoSendCacheHeaders off
    require valid-user
    AuthType Osso
  </Location>
</IfModule>
Follow this procedure to create the impersonator user in the BI Server repository.
Open the BI Server repository file (.rpd) using BI Administration Tool.
Select Manage > Security to display the Security Manager.
Select Action > New > User to open the User dialog box.
Enter a name and password for this user.
For example:
Name = Impersonator
Password = secret
In the Group Membership portion of the dialog box, select the Administrators group to make the new user a member of it.
Click OK to create the user.
Perform this step to add the impersonator credentials to Oracle BI Presentation Services credential store.
Navigate to the OracleBI_HOME/web/bin directory.
$ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/OracleBI_HOME/web/bin
$ ./cryptotools credstore -add -infile <OracleBIData>/web/config/credentialstore.xml
> Credential Alias: impersonation
> Username: Impersonator
> Password: secret
> Do you want to encrypt the password? y/n (y):
> Passphrase for encryption: another_secret
> Do you want to write the passphrase to the xml? y/n (n):
The CryptoTools utility updates the credentialstore.xml file, which is located in the OracleBIData/web/config directory.
Edit the OracleBIData/web/config/instanceconfig.xml file.
<WebConfig>
  <ServerInstance>
    <!-- other settings ... -->
    <CredentialStore>
      <CredentialStorage type="file" path="/<OracleBIData>/web/config/credentialstore.xml" passphrase="another_secret"/>
    </CredentialStore>
    <!-- other settings ... -->
  </ServerInstance>
</WebConfig>
Edit the OracleBIData/web/config/instanceconfig.xml file again to enable SSO.
<ServerInstance>
  <!-- other settings ... -->
  <Auth>
    <SSO enabled="true">
      <ParamList>
        <!-- IMPERSONATE param is used to get the authenticated user's username and is required -->
        <Param name="IMPERSONATE" source="httpHeader" nameInSource="Proxy-Remote-User"/>
      </ParamList>
      <LogoffUrl>http://<SSO_HOST>:<SSO_PORT>/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F<OBIEE_WEB_HOST>:<OBIEE_WEB_PORT>%2Fanalytics%2F</LogoffUrl>
      <LogonUrl>http://<OBIEE_WEB_HOST>:<OBIEE_WEB_PORT>/analytics</LogonUrl>
    </SSO>
  </Auth>
  <!-- other settings ... -->
</ServerInstance>
To configure SSO for UCM 10g, perform the steps in the subsequent sections:
Install a web server to be used as a front end to UCM. In this guide, we use Oracle HTTP Server 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.
Inside the httpd.conf of the OHS instance, add the following to configure this OHS instance as the web server for UCM. Make sure that you use the correct library from the linux64 or linux folder:
LoadModule IdcApacheAuth <UCM_INSTALLATION_FOLDER>/server/shared/os/linux64/lib/IdcApache22Auth.so
IdcUserDB idc "<UCM_INSTALLATION_FOLDER>/server/data/users/userdb.txt"
Alias /idc "<UCM_INSTALLATION_FOLDER>/server/weblayout"
<Location /idc>
  Order allow,deny
  Allow from all
  DirectoryIndex portal.htm
  IdcSecurity idc
</Location>
Note:
Ensure that the UCM Server is configured with the correct host name and port number of the web server to be used as its front end. Check the <UCM_INSTALLATION_FOLDER>/server/config/config.cfg config file and make sure the value of HttpServerAddress is correct:
HttpServerAddress=<UCM_OHS_HOST>:<UCM_OHS_PORT>
To register OHS mod_osso with OSSO Server, perform the following:
Execute the ssoreg.sh tool, which can be found in <OSSO_HOME>/sso/bin, where <OSSO_HOME> is the directory in which Oracle Single Sign-On is installed.
Note:
The directory where you want to store the resulting configuration file must be created beforehand.
$ cd <OSSO_HOME>/sso/bin
$ export ORACLE_HOME=<OSSO_HOME>
$ ./ssoreg.sh -oracle_home_path <OSSO_HOME> -site_name Stellent_UCM -config_mod_osso TRUE -mod_osso_url http://<UCM_OHS_HOST>:<UCM_OHS_PORT> -update_mode CREATE -remote_midtier -config_file <OSSO_HOME>/temp/osso_ucm.conf
Copy this file to the web server instance location.
For example:
<MIDDLEWARE_HOME>/Oracle_WT1/instances/instance1/config/OHS/ohs1/osso/osso_ucm.conf
Perform similar steps as explained in Section 10.2.4, "Configuring mod_osso to Protect Web Resources" to configure the mod_osso as follows:
LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
<IfModule osso_module>
  OssoIpCheck on
  OssoIdleTimeout off
  OssoSecureCookies off
  OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_ucm.conf
  <Location /idc>
    require valid-user
    AuthType Osso
  </Location>
</IfModule>
Oracle UCM 11g Release 1 (11.1.1) is deployed on an Oracle WebLogic Server. Therefore, the steps to configure OAM as the SSO solution for UCM are similar to the steps described in Section 10.2, "Configuring SSO for Learning Tool".
For a more detailed explanation of configuring SSO for UCM 11g Release 1, see Chapter 4.2.3 "Configuring Oracle UCM to Use Single Sign-On" in the Oracle® Fusion Middleware System Administrator's Guide for Content Server 11g Release 1 (11.1.1) at
http://download.oracle.com/docs/cd/E14571_01/doc.1111/e10792/c03_security002.htm#insertedID3
Install a web server to be used as a front end to UCM 11g. In this guide, we use Oracle HTTP Server 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.
Perform similar steps as Section 10.2.2, "Configuring mod_wl_ohs" to configure mod_wl_ohs.
LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
<IfModule weblogic_module>
  <Location /cs>
    SetHandler weblogic-handler
    WebLogicHost <ucm-hostname>
    WebLogicPort <ucm-server-port>
  </Location>
</IfModule>
Note:
Ensure that the UCM Server is configured with the correct host name and port number of the web server to be used as its front end. Check the <UCM_INSTALLATION_FOLDER>/server/config/config.cfg config file and make sure the value of HttpServerAddress is correct:
HttpServerAddress=<UCM_OHS_HOST>:<UCM_OHS_PORT>
To register OHS mod_osso with OSSO Server, perform similar steps in Section 10.4.3, "Registering OHS mod_osso with OSSO Server".
Perform similar steps as Section 10.2.4, "Configuring mod_osso to Protect Web Resources" to configure mod_osso.
LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
<IfModule osso_module>
  OssoIpCheck on
  OssoIdleTimeout off
  OssoSecureCookies off
  OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_ucm.conf
  <Location /cs>
    require valid-user
    AuthType Osso
  </Location>
</IfModule>
Perform similar steps as Section 10.2.5, "Setting Up Providers for OSSO in a WebLogic Domain" to set up providers for OSSO in a WebLogic Domain that UCM is deployed to.
The following configuration is required for OSL to operate in an SSO environment:
Update the OSL_PROFILE_OPTION_VALUES:
Set the values for OSL_SHOW_LOGOUT_LINK in the OSL_PROFILE_OPTION_VALUES table as follows:
Update the logout URL for Learning Tool and Learning Tool Admin.
Set the OSL_ADMIN_LOGOUT_URL as follows:
http://<SSO_HOST>:<SSO_PORT>/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F<LT_WEB_HOST>:<LT_WEB_PORT>%2FLTAdminWeb%2F
where: <LT_WEB_HOST> and <LT_WEB_PORT> are the host name and port of the web server configured as a front end to provide access to the Learning Tool Admin application.
Set the OSL_LOGOUT_URL as follows:
http://<SSO_HOST_NAME>:<SSO_PORT>/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F<LT_WEB_HOST>:<LT_WEB_PORT>%2FLTWeb%2F
where: <LT_WEB_HOST> and <LT_WEB_PORT> are the host name and port of the web server configured as a front end to provide access to the Learning Tool application.
For information about the OSL configuration file where you must make these changes, see Section 9.1.7, "Updating Logout URL for Learning Tool and Learning Tool Admin".
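The two logout URLs above embed the page to return to after logout as a percent-encoded p_done_url parameter. The following is an added example, not part of the Oracle guide: it composes such a URL with Python's standard library, decodes an existing value back for review, and refuses a done URL whose host is not one of the OSSO-protected front ends registered earlier in this chapter. Host names and ports (sso.example.edu, lt.example.edu) are constructed placeholders for <SSO_HOST>, <LT_WEB_HOST> and their ports. Note that quote(..., safe='') also encodes the port colon, which the SSO server decodes exactly like the partially encoded form shown above.

```python
"""Build and check OSSO logout URLs of the form used for OSL_LOGOUT_URL.

Added example, not from the Oracle guide.  Host names and ports below are
constructed placeholders.
"""
from typing import Iterable
from urllib.parse import parse_qs, quote, urlsplit

LOGOUT_PATH = "/pls/orasso/orasso.wwsso_app_admin.ls_logout"

# Constructed: the front ends registered with ssoreg.sh (<LT_WEB_HOST>).
FRONT_ENDS = ["lt.example.edu"]


def build_logout_url(sso_host: str, sso_port: int, done_url: str,
                     allowed_hosts: Iterable[str]) -> str:
    """Return the OSSO logout URL for done_url.

    done_url is where the browser lands after the OSSO session ends, so it is
    only accepted when it is an absolute http(s) URL on one of allowed_hosts;
    anything else raises ValueError.
    """
    parts = urlsplit(done_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"done URL must be absolute http(s): {done_url!r}")
    if parts.hostname.lower() not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"done URL host {parts.hostname!r} is not an OSSO-protected front end")
    # safe='' percent-encodes ':' and '/' as well, giving http%3A%2F%2F...%2F.
    return f"http://{sso_host}:{sso_port}{LOGOUT_PATH}?p_done_url={quote(done_url, safe='')}"


def done_url_of(logout_url: str) -> str:
    """Extract and decode p_done_url from an existing OSL_LOGOUT_URL value."""
    values = parse_qs(urlsplit(logout_url).query).get("p_done_url")
    if not values:
        raise ValueError("p_done_url is missing from the logout URL")
    return values[0]


if __name__ == "__main__":
    admin_logout = build_logout_url("sso.example.edu", 7777,
                                    "http://lt.example.edu:7778/LTAdminWeb/", FRONT_ENDS)
    print("OSL_ADMIN_LOGOUT_URL =", admin_logout)
    print("returns to:", done_url_of(admin_logout))
```

Running done_url_of over the values already stored in OSL_PROFILE_OPTION_VALUES is a quick way to confirm that each logout returns to the LTAdminWeb or LTWeb front end and not to a stale host from an earlier registration.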