Oracle® Student Learning Installation and Deployment Guide Release 3.1.3 Part Number E20664-04
This chapter describes how to configure Oracle Access Manager (OAM) 10g.
It provides step-by-step instructions for configuring OAM as the Single Sign-On (SSO) solution for OSL. A complete explanation of the OAM 10g solution is available in Chapter 10, "Configuring Single Sign-On in Oracle Fusion Middleware", of the Oracle® Fusion Middleware Security Guide 11g Release 1 (11.1.1) at
http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/toc.htm
The subsequent sections describe the required components and the steps to configure OAM 10g.
OSL is certified to work with the following software components:
Oracle Access Manager (OAM) 10g (10.1.4.3.0)
Oracle Identity Management (11.1.1.3.0)
Web Tier Utilities 11.1.1.2.0 (for installation of HTTP Server)
Oracle WebLogic Server 10.3.3
Follow the OAM installation instructions at
http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12493/toc.htm
To configure SSO for Learning Tool, perform the steps in the subsequent sections.
Install a web server to be used as the front end to the Oracle WebLogic Server. In this guide, we use Oracle HTTP Server (OHS) 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.
If you select the "Associate Selected Components with WebLogic Domain" option during the installation of Web Tier Utilities, you can manage the web server using Enterprise Manager (EM). The same configuration can also be done by manually editing the configuration files.
This section demonstrates the configuration of mod_wl_ohs by manually editing the mod_wl_ohs.conf file.
Note:
If you install Web Tier Utilities, the mod_wl_ohs.conf file is located under the OHS instance folder. For example:
<MIDDLEWARE_HOME>/Oracle_WT1/instances/instance1/config/OHS/ohs1/
Below is a sample mod_wl_ohs configuration for the web server to be used as a front end for both Learning Tool and Learning Tool Admin.
LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
<IfModule weblogic_module>
  <Location /LTWeb>
    SetHandler weblogic-handler
    WebLogicHost <lt-host-name>
    WebLogicPort <lt-port>
    WLCookieName OSLLTSESSIONID
  </Location>
  <Location /LTAdminWeb>
    SetHandler weblogic-handler
    WebLogicHost <lt-host-name>
    WebLogicPort <lt-port>
    WLCookieName OSLLTASESSIONID
  </Location>
</IfModule>
Before WebGate installation, an AccessGate object must be created in the Access Administration Console and associated with an Access Server. This can be done manually in the OAM Access Administration Console or with the Oracle Access Manager Configuration tool.
Note:
The Oracle Access Manager Configuration tool (OAM Configuration tool) is a command-line utility that enables you to configure OAM. The OAM Configuration tool runs a series of scripts and sets up the required policies.
Below are sample scripts to create the AccessGate object for the Learning Tool and Learning Tool Admin HTTP Server:
java -jar oamcfgtool.jar mode=CREATE \
  app_domain=your_host_machine.company.com \
  protected_uris=/LTWeb \
  app_agent_password=<webgate_password> \
  cookie_domain=.company.com \
  ldap_host=<oam_ldap_directory_server_host> \
  ldap_port=<oam_ldap_directory_server_port> \
  ldap_userdn="<ldap_admin_user>" \
  ldap_userpassword=<ldap_admin_password> \
  oam_aaa_host=<access_server_host> \
  oam_aaa_port=<access_server_port> \
  oam_aaa_mode=OPEN
The above command creates a new WebGate profile. The profile is populated with a WebGate name, Host name, and Preferred HTTP host, all derived from the same app_domain value, as follows:
app_domain = your_host_machine.company.com
AccessGate Name: your_host_machine.company.com_AG (_AG is appended to the app_domain value)
Hostname: your_host_machine.company.com
Preferred HTTP Host: your_host_machine.company.com
java -jar oamcfgtool.jar mode=CREATE \
  app_domain=your_host_machine.company.com \
  protected_uris=/LTAdminWeb \
  app_agent_password=<webgate_password> \
  cookie_domain=.company.com \
  ldap_host=<oam_ldap_directory_server_host> \
  ldap_port=<oam_ldap_directory_server_port> \
  ldap_userdn="<ldap_admin_user>" \
  ldap_userpassword=<ldap_admin_password> \
  oam_aaa_host=<access_server_host> \
  oam_aaa_port=<access_server_port> \
  oam_aaa_mode=OPEN \
  web_domain=your_host_machine.company.com
The above command includes web_domain to indicate that this is an existing Web Tier. The value of web_domain should be the name of an existing host identifier in Oracle Access Manager (OAM) to tie new policies to an existing host ID. This is because in this sample setup, we are using the same web server as the front end for both Learning Tool and Learning Tool Admin.
For more information about the OAM Configuration Tool, see Chapter 10.2.4.2, "Configuring the Authentication Scheme for the Identity Asserter", in the Oracle® Fusion Middleware Security Guide 11g Release 1 (11.1.1) at
http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/toc.htm
After the AccessGate, Authentication Management, Host Identifier, and Policy Domain are automatically created by the tool, you can modify them any time in the OAM Access Administration Console.
You must specify the LogoutURLs parameter in the WebGate/AccessGate profile created for Learning Tool and Learning Tool Admin to support Global SSO Logout:
Learning Tool: /LTWeb/faces/logout.jspx
Learning Tool Admin: /LTAdminWeb/faces/logout.jspx
Some URLs in the Learning Tool might not work correctly if you access them directly. You must configure OAM to redirect users to the home page after each successful authentication.
For this OAM configuration, go to the Default Rules tab of the corresponding Policy Domain and set the Redirection URL for Authentication Success. If you need more than one Redirection URL, define each in a separate policy domain.
By default, the ssoCookie:httponly challenge parameter is turned on in an Authentication scheme. This prevents JavaScript running in the browser from accessing the ObSSOCookie, which provides a more secure environment.
However, browser support for the ssoCookie:httponly challenge parameter is inconsistent and can cause Java Applets not to run correctly.
Therefore, to support the audio applet required by the Learning Tool application, this parameter must be disabled.
In the Access System Configuration tab of the Access Administration Console, go to Authentication Management > OraDefaultFormAuthNScheme and modify this Authentication scheme to include a new Challenge Parameter:
ssoCookie:disablehttponly
The WebGate requires the following libraries before installation: libgcc_s.so.1 and libstdc++.so.5. The files must be available in a local directory (for example: /home/username/gcc). This directory is specified later during the installation of the WebGate.
Assuming a 64-bit HTTP Server is used, you can copy these required files from /lib64 and /usr/lib64:
mkdir -p /home/username/gcc
cp /lib64/libgcc_s.so.1 /home/username/gcc
cp /usr/lib64/libstdc++.so.5 /home/username/gcc
Run the OAM WebGate 10.1.4.3.0 installer as root (./Oracle_Access_Manager10_1_4_3_0_linux64_OHS11g_WebGate) and follow the prompts:
Specify the user/group running the web server.
Specify the installation directory for Oracle Access Manager 10.1.4.3.0 WebGate (for example: /home/username/webgate). Note that the OAM 10.1.4.3.0 WebGate installation directory would then be /home/username/webgate/access.
For "Location of GCC runtime libraries", specify the directory where you placed libgcc_s.so.1 and libstdc++.so.5 as mentioned above.
For "Transport security mode", select Open mode.
For "Webgate ID", enter the AccessGate Name you specified in Section 11.4.3, "Creating an AccessGate Object on OAM Access Server". For example: your_host_machine.company.com_AG.
For "Password for WebGate", enter the same password you specified in Section 11.4.3, "Creating an AccessGate Object on OAM Access Server".
For "Access Server ID", enter the name of the OAM Access Server.
For "Hostname where Access Server is installed", enter the host name where OAM Access Server is running.
For "Port number", enter the port for the OAM Access Server.
Select Automatic update of httpd.conf.
For "Enter the absolute path of httpd.conf in your Web server config directory", enter the OHS instance path. For example: <MIDDLEWARE_HOME>/Oracle_WT1/instances/instance1/config/OHS/ohs1/httpd.conf
Restart the OHS instance.
This section describes how to configure providers in the WebLogic security domain to perform single sign-on with the Oracle Access Manager Identity Asserter. Several Authentication provider types must be configured and ordered.
Log in to the WebLogic Administration Console.
Add the OAM Identity Asserter:
Click Security Realms, Default Realm Name (example: myrealm) and click Providers.
Click Authentication > New and then enter a name and select a type:
Name: OAM Identity Asserter
Type: OAMIdentityAsserter
In the Authentication Providers table, click the newly added authenticator.
Click the Common tab, set the Control Flag to REQUIRED, and click Save.
OID Authenticator:
The instructions to create this provider are provided in Section 8.5, "Configuring OID as Security Provider".
If the OID Authenticator is configured successfully, you can change the Control Flag to SUFFICIENT.
Default Authenticator:
Perform the following steps to set up the Default Authenticator for use with the Identity Asserter:
Go to Security Realms, Default Realm Name (example: myrealm) and click Providers.
Click Authentication and click DefaultAuthenticator to see its configuration page.
Click the Common tab and set the Control Flag to SUFFICIENT.
Click Save.
Reorder Providers:
Click Security Realms, Default Realm Name (example: myrealm) and click Providers.
On the Summary page where providers are listed, click the Reorder button.
On the Reorder Authentication Providers page, select a provider name and use the arrows beside the list to order the providers as follows:
OAM Identity Asserter (REQUIRED)
OID Authenticator (SUFFICIENT)
Default Authenticator (SUFFICIENT)
Click OK to save your changes.
Activate Changes:
In the Change Center, click Activate Changes.
Reboot Oracle WebLogic Server.
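The provider order and control flags set above decide how each login request is evaluated. The following Python model is an added example, not code from this guide or from Oracle: it walks a provider chain using the JAAS control-flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) that the flags in the procedure refer to, with constructed user stores and a constructed request carrying the OAM_REMOTE_USER header that WebGate sets.

```python
# Added example, not from the Oracle guide: a model of how an ordered WebLogic
# authentication-provider chain is evaluated by control flag (JAAS rules).
from typing import Callable, Dict, List, Tuple

Provider = Tuple[str, str, Callable[[Dict[str, str]], bool]]  # (name, flag, login)

def evaluate_chain(chain: List[Provider], request: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Walk the chain in order; return (authenticated, providers consulted)."""
    consulted: List[str] = []
    has_required = required_failed = optional_ok = False
    for name, flag, login in chain:
        consulted.append(name)
        ok = login(request)
        if flag in ("REQUIRED", "REQUISITE"):
            has_required = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":       # REQUISITE failure stops the chain
                    return False, consulted
        elif flag == "SUFFICIENT":
            if ok and not required_failed:    # success skips the rest of the chain
                return True, consulted
        elif flag == "OPTIONAL":
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return ((not required_failed) if has_required else optional_ok), consulted

# Constructed identity stores: OID holds the OSL users, the embedded LDAP a local admin.
OID_USERS = {"alice", "carol"}
EMBEDDED_LDAP_USERS = {"weblogic"}

def oam_identity_asserter(req: Dict[str, str]) -> bool:
    # WebGate validates the ObSSOCookie and sets OAM_REMOTE_USER; the asserter
    # succeeds only when that header is present.
    return bool(req.get("OAM_REMOTE_USER"))

def oid_authenticator(req: Dict[str, str]) -> bool:
    return req.get("OAM_REMOTE_USER") in OID_USERS

def default_authenticator(req: Dict[str, str]) -> bool:
    return req.get("OAM_REMOTE_USER") in EMBEDDED_LDAP_USERS

# The order and flags the guide prescribes for the OSL domain.
OSL_CHAIN: List[Provider] = [
    ("OAM Identity Asserter", "REQUIRED", oam_identity_asserter),
    ("OID Authenticator", "SUFFICIENT", oid_authenticator),
    ("Default Authenticator", "SUFFICIENT", default_authenticator),
]
```

With this order, a request without an asserted identity fails regardless of what the authenticators find, and a user found in OID never reaches the Default Authenticator. The model covers only the flag logic; WebLogic's identity assertion additionally relies on an authenticator to resolve the asserted user and its groups, which this model does not represent.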
For proper behavior, WebLogic application session time-out values must be the same as WebGate session time-out values.
To set the WebLogic session time-out, modify the web.xml as follows:
<session-config>
  <session-timeout>60</session-timeout>
</session-config>
Note that in web.xml the session time-out is set in minutes.
To set the WebGate session time-out, modify the Idle Session Time (seconds):
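Because web.xml counts minutes and WebGate counts seconds, the two values are easy to mismatch. The following Python check is an added example, not from this guide: it reads session-timeout from a web.xml (the fragment is constructed from the value shown above), converts it to seconds, and compares it with the WebGate Idle Session Time.

```python
# Added example, not from the Oracle guide: verify that the WebLogic web.xml
# session-timeout (minutes) equals the WebGate Idle Session Time (seconds).
import xml.etree.ElementTree as ET

# Constructed web.xml fragment using the value shown in the guide.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>"""

def weblogic_timeout_seconds(web_xml: str) -> int:
    """Return the servlet session timeout converted to seconds.

    Raises ValueError when no <session-timeout> is set or it is <= 0, which in
    the servlet spec means the session never expires and so cannot match WebGate.
    """
    root = ET.fromstring(web_xml)
    for el in root.iter():  # the tag may be namespaced: {ns}session-timeout
        if el.tag.rsplit("}", 1)[-1] == "session-timeout":
            minutes = int((el.text or "").strip())
            if minutes <= 0:
                raise ValueError("session-timeout <= 0 means the session never expires")
            return minutes * 60
    raise ValueError("no <session-timeout> element in web.xml")

def timeouts_aligned(web_xml: str, webgate_idle_seconds: int) -> bool:
    """True when WebLogic and WebGate expire an idle session at the same time."""
    return weblogic_timeout_seconds(web_xml) == webgate_idle_seconds
```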
If Global SSO Logout is triggered by another application, the Learning Tool session remains active, so its session data is not cleaned up until the session times out.
To clean up the Learning Tool session data after a Global SSO Logout from another application, send an HTTP request to the following Learning Tool URL:
http://<LT_WEB_HOST>:<LT_WEB_PORT>/LTWeb/logout.jsp
This URL clears the Learning Tool session and then performs an HTTP redirect to the URL.
To configure SSO for OBIEE, perform the steps in the subsequent sections.
Install a web server to be used as the front end to the Oracle WebLogic Server. In this guide, we use Oracle HTTP Server (OHS) 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.
If the OBIEE war file is deployed onto a WebLogic Server, perform similar steps as in Section 11.4.2, "Configuring mod_wl_ohs" to configure mod_wl_ohs.
LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
<IfModule weblogic_module>
  <Location /analytics>
    SetHandler weblogic-handler
    WebLogicHost <obiee-host-name>
    WebLogicPort <obiee-port>
  </Location>
</IfModule>
Perform similar steps as Section 11.4.3, "Creating an AccessGate Object on OAM Access Server" to create the AccessGate object for OBIEE's HTTP Server.
java -jar oamcfgtool.jar mode=CREATE \
  app_domain=your_host_machine.company.com \
  protected_uris=/analytics \
  app_agent_password=<webgate_password> \
  cookie_domain=.company.com \
  ldap_host=<oam_ldap_directory_server_host> \
  ldap_port=<oam_ldap_directory_server_port> \
  ldap_userdn="<ldap_admin_user>" \
  ldap_userpassword=<ldap_admin_password> \
  oam_aaa_host=<access_server_host> \
  oam_aaa_port=<access_server_port> \
  oam_aaa_mode=OPEN
Note:
Add web_domain to the script if this is an existing Web Tier.
Perform similar steps as in Section 11.4.7, "Installing the WebGate Plug-in for the HTTP Server" to install the WebGate plug-in for OBIEE's HTTP Server. You can skip this step if OBIEE uses an existing HTTP Server with the WebGate plug-in.
Perform similar steps as Section 10.3.5, "Creating Oracle BI Server Impersonator User".
Perform similar steps as Section 10.3.6, "Adding the Impersonator Credentials to Oracle BI Presentation Services Credential Store".
Perform similar steps as Section 10.3.7, "Configuring Oracle BI Presentation Services to Identify the Credential Store and Decryption Passphrase".
Edit the OracleBIData/web/config/instanceconfig.xml file:
<ServerInstance>
  <!-- other settings ... -->
  <Auth>
    <SSO enabled="true">
      <ParamList>
        <!-- The IMPERSONATE param supplies the authenticated user's username and is required -->
        <Param name="IMPERSONATE" source="httpHeader" nameInSource="OAM_REMOTE_USER"/>
      </ParamList>
      <LogoffUrl>http://<OBIEE_WEB_HOST>:<OBIEE_WEB_PORT>/oamsso/logout.html</LogoffUrl>
      <LogonUrl>http://<OBIEE_WEB_HOST>:<OBIEE_WEB_PORT>/analytics</LogonUrl>
    </SSO>
  </Auth>
  <!-- other settings ... -->
</ServerInstance>
Oracle Universal Content Management (Oracle UCM) 11g Release 1 (11.1.1) is deployed on an Oracle WebLogic Server. The steps to configure OAM as the SSO solution for UCM are therefore similar to those described in Section 10.2, "Configuring SSO for Learning Tool".
For more detailed explanation of configuring SSO for UCM 11g, you can read Chapter 4.2.3 "Configuring Oracle UCM to Use Single Sign-On" in the Oracle® Fusion Middleware System Administrator's Guide for Content Server 11g Release 1 (11.1.1) at
http://download.oracle.com/docs/cd/E14571_01/doc.1111/e10792/c03_security002.htm#insertedID3
Install a web server to be used as the front end to the Oracle WebLogic Server. In this guide, we use Oracle HTTP Server (OHS) 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.
Perform similar steps as Section 11.4.2, "Configuring mod_wl_ohs" to configure mod_wl_ohs.
LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
<IfModule weblogic_module>
  <Location /cs>
    SetHandler weblogic-handler
    WebLogicHost <ucm-hostname>
    WebLogicPort <ucm-server-port>
  </Location>
</IfModule>
Perform similar steps as Section 11.4.3, "Creating an AccessGate Object on OAM Access Server" to create the AccessGate object for UCM's HTTP Server.
java -jar oamcfgtool.jar mode=CREATE \
  app_domain=your_host_machine.company.com \
  protected_uris=/cs \
  app_agent_password=<webgate_password> \
  cookie_domain=.company.com \
  ldap_host=<oam_ldap_directory_server_host> \
  ldap_port=<oam_ldap_directory_server_port> \
  ldap_userdn="<ldap_admin_user>" \
  ldap_userpassword=<ldap_admin_password> \
  oam_aaa_host=<access_server_host> \
  oam_aaa_port=<access_server_port> \
  oam_aaa_mode=OPEN
Note:
Add web_domain to the script if this is an existing Web Tier.
Perform similar steps as in Section 11.4.4 to register the ECM logout link as a Global SSO Logout:
/cs/logout.htm
Perform similar steps as Section 11.4.8, "Setting up Providers for OAM SSO in a WebLogic Domain" to install the WebGate plug-in for UCM's HTTP Server. You can skip this step if OBIEE uses an existing HTTP Server with WebGate plug-in.
Perform similar steps as in Section 11.6.6, "Setting up Providers for OAM SSO in a WebLogic Domain" to set up the providers for OAM SSO in a WebLogic domain that UCM is deployed to.
The following configuration is required for OSL to operate in an SSO environment:
Update the OSL_PROFILE_OPTION_VALUES table:
Set the values for OSL_SHOW_LOGOUT_LINK in the OSL_PROFILE_OPTION_VALUES table as follows:
Update the logout URL for Learning Tool and Learning Tool Admin.
Set the OSL_ADMIN_LOGOUT_URL as follows:
http://<LT_WEB_HOST>:<LT_WEB_PORT>/LTAdminWeb/faces/logout.jspx
where <LT_WEB_HOST> and <LT_WEB_PORT> are the host name and port of the web server configured as a front end to provide access to the Learning Tool Admin application.
Set the OSL_LOGOUT_URL as follows:
http://<LT_WEB_HOST>:<LT_WEB_PORT>/LTWeb/faces/logout.jsp
where <LT_WEB_HOST> and <LT_WEB_PORT> are the host name and port of the web server configured as a front end to provide access to the Learning Tool application.
For information about the OSL configuration file where you must make these changes, see Section 9.1.7, "Updating Logout URL for Learning Tool and Learning Tool Admin".