13 Switching to External Authentication

For maximum security in production environments, Oracle recommends integrating Oracle WebCenter Sites with Oracle Access Management, for an advanced identity management solution and a seamless single sign-on user experience. You also have the option of integrating WebCenter Sites with an external LDAP authentication provider directory.

The following topics describe how to configure WebCenter Sites for authentication against either external identity management solution:

13.1 Switching to Authentication Against an LDAP Directory

This topic describes how to switch WebCenter Sites to authentication against an external LDAP authentication provider directory. This is a recommended solution for production environments if integration with Oracle Access Management is not viable.

Before you change your authentication provider, install and configure WebCenter Sites.
To switch WebCenter Sites to authentication against an external LDAP directory:
  1. (Optional) If your LDAP directory is case-sensitive, set the ldap.caseAware property in the DOMAIN_HOME/wcsites/wcsites/config/wcs_properties.json file to true.
  2. Access the LDAP Configurator at http://sites-host:sites-port/sites-context/ldapconfig, follow the instructions on the screen, and enter the values for your environment.
  3. For LDAP rollback, restart the WebCenter Sites Managed Server, and go to the same LDAP Configurator URL.

    In this release, LDAP integration is manual only. Nothing is written to your LDAP server; only an LDIF file is created under the DOMAIN_HOME/wcsites/wcsites/config/ldap folder. The peopleparent, groupparent, username, and other fields are no longer prepopulated as they were in the previous release.

  4. Modify the LDIF file located in DOMAIN_HOME/wcsites/wcsites/config/ with values appropriate for your environment.

    Because the fields are not prepopulated, follow this example for ORACLEDIR:

    ldap server type -- ORACLEDIR
    ldap DSN -- dc=oracle,dc=com
    ldap host -- localhost
    ldap port -- 389
    ldap username -- cn=orcladmin
    ldap password -- password
    ldap peopleParent -- cn=Users,dc=oracle,dc=com
    ldap groupparent -- cn=Groups,dc=oracle,dc=com
    
  5. If the LDAP server you are using is case sensitive, edit the property file DOMAIN_HOME/wcsites/wcsites/config/wcs_properties.json, and change the ldap.caseAware property value to true.

    By default the value of ldap.caseAware is set to false. Log in will fail if you are using a case-sensitive LDAP server and this property is set to false.

  6. If you choose Oracle Virtual Directory as your LDAP authentication provider, WebCenter Sites generates an LDIF file, which you can import into your Oracle Internet Directory server; then create an adapter in Oracle Virtual Directory to connect to the Oracle Internet Directory server.

    You cannot import an LDIF file directly to an Oracle Virtual Directory LDAP server because it does not have a storage of its own.

  7. Import the LDIF file into the external LDAP authentication provider.
  8. Restart the WebLogic Managed Server running this WebCenter Sites instance.

13.2 Switching to Authentication Against Oracle Access Manager

You can configure WebCenter Sites for authentication against Oracle Access Manager. This is a recommended solution for production environments.

WebCenter Sites integration is supported for Oracle Access Manager 11.1.2.2.0 and 11.1.2.3.0.
To switch WebCenter Sites to authentication against Oracle Access Manager:
  1. Deploy the oamlogin.war and oamtoken.war application files located under ORACLE_HOME/wcsites/webcentersites/sites-home on the WebLogic domain containing the target WebCenter Sites instance.
  2. Create the following property file: DOMAIN_HOME/wcsites/wcsites/config/wemsites_settings.properties.
  3. Populate the wemsites_settings.properties file as follows:
    oamredirect http://oam_server_host:oam_port/oam/server/auth_cred_submit
    oamlogout oamlogout=http://oam_server_host:oam_port/oam/server/logout
    forgotpassword helpdesk-email-address
  4. Set the following properties in DOMAIN_HOME/wcsites/wcsites/config/SSOConfig.xml:
    serviceUrl -- http://{ohs_server_host}:{ohs_port}/{sites_context_root}/REST
    ticketUrl -- http://{oamtoken_server_host}:{oamtoken_port}/oamtoken
    signoutURL -- http://{oam_server_host}:{oam_port}/oam/server/logout?end_url={end_url}
      URL to be used when invoking WebCenter Sites logout. It includes the encoded URL to which the browser returns after Oracle Access Manager has completed all logout processing.
    end_url -- the encoded return URL used in signoutURL:
      For test (staging) environments: http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome
      For production (delivery) environments: http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2FXcelerate%2FLoginPage.html
    dbUsername -- Name of the WebCenter Sites general Administrator user account.
    dbPassword -- Password for the WebCenter Sites general Administrator user account.
    trustConfigured -- Indicates to WebCenter Sites whether a trust relationship has been established between the WebCenter Sites Managed Server and the Oracle HTTP Server WebGate in Oracle Access Management. A trust relationship between the two eliminates the need to include an identity assertion in every request. Set to true if a trust relationship exists; otherwise, set to false.
  5. Copy the ObAccessClient.xml and cwallet.sso files from your Oracle Access Manager instance into the DOMAIN_HOME/wcsites/wcsites/config/oblix/lib/ directory on the target WebCenter Sites instance.
  6. Edit the oamtoken.xml file in the sites-config directory by setting the compatibility mode and oblix path. The compatibility mode should be set to 11G and the oblix path to the sites-config folder under which you have the oblix/lib folder.
  7. In the Oracle Access Manager configuration for WebCenter Sites, update the protected, public, and excluded resources as follows:
    ###########################
    protected_uris
    ###########################
    /oamlogin/test
    /sites/Xcelerate/LoginPage.html
    /sites/Satellite/.../*
    /sites/faces/jspx/.../*
    /sites/wem/fatwire/.../*
    /sites/ContentServer/.../*
    /sites/wem/fatwire/wem/Welcome
    /console
    
    ###########################
    Exclusion Scheme        OraDefaultExclusionAuthNScheme
    /sites/REST
    /index.html
    /oamlogin/oamsso/.../*
    /sites/wem/fatwire/home
    /sites/**
    
    For more information, see Updating the Protected, Public, and Excluded Resources for an Enterprise Deployment.
  8. To integrate the OAMSDK Client with WebLogic Server as the oamtoken.war application, edit the jps-config.xml file for the WebCenter Sites domain. By default, the WebLogic domain runs with this file, which is set in the WebLogic Server 12c startup script:

    -Doracle.security.jps.config=ORACLE_HOME/user_projects/domains/DOMAIN_NAME/config/fmwconfig/jps-config.xml

    1. Add a service instance, as the following example shows, next to the existing service instances in the jps-config.xml file:
      <serviceInstance name="credstore.oamtoken" provider="credstoressp" location="./oamtoken">
        <description>File Based Credential Store Service Instance</description>
        <property name="location" value="./oamtoken"/>
      </serviceInstance>
      location is the path to the directory that contains the cwallet.sso file. The preceding example sets this path relative to the current jps-config.xml file. Make sure the oamtoken folder is created relative to that directory and the cwallet.sso file is placed there. The location value can also be an absolute path to the directory where the cwallet.sso file is placed.
    2. Add <serviceInstanceRef ref="credstore.oamtoken"/> under <jpsContext name="default">.
    3. Add the following <jpsContext> element under <jpsContexts default="default">:
      <jpsContext name="OAMASDK">
        <serviceInstanceRef ref="credstore.oamtoken"/>
      </jpsContext>
  9. Add permissions so that code in oamtoken.war can be used.
    The WebGate instance created in Oracle Access Manager is accessed by the client. You need to grant the oamtoken.war code access to the credential in the WebCenter Sites domain so that the credential-store security restriction is satisfied.
    1. Launch the WebLogic Scripting Tool with the wlst.sh script:
      cd ORACLE_HOME/oracle_common/common/bin
      ./wlst.sh
    2. Connect to the Administration Server for the WebCenter Sites domain:
      connect('user-name','password','sites-host:admin-port')
    3. Grant the permissions:
      grantPermission(codeBaseURL="file:/scratch/idc/newoam/rend/Oracle_Home/user_projects/domains/renddomain/servers/wcsites_server1/tmp/_WL_user/oamtoken/-", permClass="oracle.security.jps.service.credstore.CredentialAccessPermission", permTarget="context=SYSTEM,mapName=OAMAgent,keyName=*", permActions="*")
      The preceding codeBaseURL path is the location where WebLogic Server has deployed the oamtoken.war application.
    4. Restart the target WebCenter Sites Managed Server.
  10. (Optional) If trust between WebCenter Sites and Oracle Access Manager has not been established, modify the configuration of the WebCenter Sites web tier as follows:
    1. Log in to the Oracle Access Manager Console.
    2. In the WebGate authorization policy (under the protected resource policy), go to the Responses tab.
    3. Enable (select) the Identity Assertion check box.
    4. Click Apply to save your changes.
  11. Restart the WebLogic Managed Server hosting this WebCenter Sites instance.
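The three jps-config.xml edits from step 8 (the credstore.oamtoken service instance, the reference under the default context, and the OAMASDK context), applied and then checked with Python's standard ElementTree. This is an added illustration, not Oracle's tooling: the sample jps-config.xml is constructed and simplified (the real file's XML namespace is omitted), and the paths are placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Constructed, simplified jps-config.xml for illustration; a real domain file
# carries a namespace and many more service instances.
SAMPLE_JPS_CONFIG = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="credstore" provider="credstoressp" location="./">
      <property name="location" value="./"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default"><serviceInstanceRef ref="credstore"/></jpsContext>
  </jpsContexts>
</jpsConfig>"""

INSTANCE = "credstore.oamtoken"

def add_oamtoken_credstore(xml_text, location="./oamtoken"):
    """Apply the step-8 edits idempotently and return the modified XML text."""
    root = ET.fromstring(xml_text)
    instances = root.find("serviceInstances")
    if instances.find(f"serviceInstance[@name='{INSTANCE}']") is None:
        inst = ET.SubElement(instances, "serviceInstance", name=INSTANCE,
                             provider="credstoressp", location=location)
        ET.SubElement(inst, "description").text = "File Based Credential Store Service Instance"
        ET.SubElement(inst, "property", name="location", value=location)
    contexts = root.find("jpsContexts")
    default = contexts.find("jpsContext[@name='default']")
    if default.find(f"serviceInstanceRef[@ref='{INSTANCE}']") is None:
        ET.SubElement(default, "serviceInstanceRef", ref=INSTANCE)
    if contexts.find("jpsContext[@name='OAMASDK']") is None:
        ctx = ET.SubElement(contexts, "jpsContext", name="OAMASDK")
        ET.SubElement(ctx, "serviceInstanceRef", ref=INSTANCE)
    return ET.tostring(root, encoding="unicode")

def verify_oamtoken_config(xml_text):
    """True only when all three edits are present in the document."""
    root = ET.fromstring(xml_text)
    return (root.find(f"serviceInstances/serviceInstance[@name='{INSTANCE}']") is not None
            and root.find(f"jpsContexts/jpsContext[@name='default']/serviceInstanceRef[@ref='{INSTANCE}']") is not None
            and root.find(f"jpsContexts/jpsContext[@name='OAMASDK']/serviceInstanceRef[@ref='{INSTANCE}']") is not None)

def wallet_path(jps_config_path, xml_text):
    """Resolve the credstore.oamtoken location (relative to jps-config.xml, or absolute)
    to the cwallet.sso file that must exist there before the Managed Server restarts."""
    root = ET.fromstring(xml_text)
    inst = root.find(f"serviceInstances/serviceInstance[@name='{INSTANCE}']")
    loc = inst.find("property[@name='location']").get("value")
    base = os.path.dirname(os.path.abspath(jps_config_path))
    return os.path.normpath(os.path.join(base, loc, "cwallet.sso"))
```

Run add_oamtoken_credstore on the domain's file content, then os.path.exists(wallet_path(...)) tells you whether step 5's cwallet.sso copy landed where the service instance will look for it.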