13 Switching to External Authentication

For maximum security in production environments, Oracle recommends integrating Oracle WebCenter Sites with Oracle Access Management, for an advanced identity management solution and a seamless single sign-on user experience. You also have the option of integrating WebCenter Sites with an external LDAP authentication provider directory.

The following topics describe how to configure WebCenter Sites for authentication against either external identity management solution:

13.1 Switching to Authentication Against an LDAP Directory

This topic describes how to switch WebCenter Sites to authentication against an external LDAP authentication provider directory. This is a recommended solution for production environments if integration with Oracle Access Management is not viable.

Before you change your authentication provider, install and configure WebCenter Sites.
To switch WebCenter Sites to authentication against an external LDAP directory:
  1. (Optional) If the LDAP server you are using is case sensitive, set the ldap.caseAware property to true.
    By default, ldap.caseAware is set to false. Sign-in fails if the LDAP server is case sensitive and this property is left at false. To change ldap.caseAware to true, follow these steps:
    • Sign in to the WebCenter Sites Admin interface and navigate to Admin tree tab>System Tools>Property Management option.

    • Search for ldap and change the value of ldap.caseAware from False to True.

    • Restart the Managed Server.

    Note:

    During the integration of Sites with LDAP, if a user's data in LDAP contains a comma (for example, a cn of test,user), that data is not fetched. To retrieve such data, change the escape syntax in the dir.ini file located in the ..sites/install directory from syntax.escape=\\ to syntax.escape=\#.
  2. Access the LDAP Configurator at http://sites-host:sites-port/sites-context/ldapconfig, follow the instructions on the screen, and enter the values for your environment.
  3. To roll back the LDAP configuration, restart the WebCenter Sites Managed Server and go to the same LDAP Configurator URL.

    LDAP integration is now manual only. Nothing is written to your LDAP server; only an LDIF file is created under the DOMAIN_HOME/wcsites/wcsites/config/ldap folder (this is the default install location of the WebCenter Sites application; make all customizations and path modifications only after a successful LDAP integration). The peopleparent, groupparent, username, and other fields are not prepopulated as they were in the previous release.

  4. (Optional) Modify the LDIF file located in NEW_DOMAIN_HOME/wcsites/wcsites/config/ with values appropriate for your environment.

    Because the fields are not prepopulated, follow this example for ORACLEDIR:

    ldap server type -- ORACLEDIR
    ldap DSN -- dc=oracle,dc=com
    ldap host -- localhost
    ldap port -- 389
    ldap username -- cn=orcladmin
    ldap password -- password
    ldap peopleParent -- cn=Users,dc=oracle,dc=com
    ldap groupparent -- cn=Groups,dc=oracle,dc=com
    
  5. If you choose Oracle Virtual Directory as your LDAP authentication provider, WebCenter Sites generates an LDIF file that you import into an Oracle Internet Directory server; you then create an adapter in Oracle Virtual Directory that connects to that Oracle Internet Directory server.

    You cannot import an LDIF file directly to an Oracle Virtual Directory LDAP server because it does not have a storage of its own.

  6. Import the LDIF file into the external LDAP authentication provider.
  7. Restart the WebLogic Managed Server running this WebCenter Sites instance.
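The LDIF file from steps 3 and 4 and the comma-escaping problem from the note in step 1 are easier to reason about with a concrete generator. The following is an added example, not code from the Oracle documentation or from WebCenter Sites: it builds an LDIF for the ORACLEDIR layout shown in step 4 (cn=Users,dc=oracle,dc=com and cn=Groups,dc=oracle,dc=com), escaping DN components per RFC 4514 so that a user such as test,user yields the DN cn=test\,user,cn=Users,dc=oracle,dc=com, and base64-encoding attribute values that LDIF cannot carry verbatim (RFC 2849). The user names, the group names, and the choice of inetOrgPerson and groupOfUniqueNames object classes are constructed for the example, not taken from the page.

```python
"""Added example: generate an LDIF for the ORACLEDIR layout with correct DN escaping.
Not part of the Oracle documentation; object classes and sample users are assumptions."""
import base64

PEOPLE_PARENT = "cn=Users,dc=oracle,dc=com"    # ldap peopleParent from step 4
GROUP_PARENT = "cn=Groups,dc=oracle,dc=com"    # ldap groupparent from step 4

_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4).
    'test,user' becomes 'test\\,user' so the comma is not read as an RDN separator."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch == "#") or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:                      # control characters as \XX hex pairs
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_dn(username):
    return f"cn={escape_rdn_value(username)},{PEOPLE_PARENT}"


def group_dn(groupname):
    return f"cn={escape_rdn_value(groupname)},{GROUP_PARENT}"


def ldif_line(attr, value):
    """One 'attr: value' line. Values LDIF cannot carry verbatim (RFC 2849: leading
    space, ':' or '<', trailing space, non-ASCII or control characters) use the
    base64 'attr:: ...' form instead."""
    unsafe = (value == "" or value[0] in " :<" or value[-1] == " "
              or any(not 0x20 <= ord(c) <= 0x7E for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def user_entry(username, given, surname):
    lines = [ldif_line("dn", user_dn(username)),
             "objectClass: top", "objectClass: person",
             "objectClass: organizationalPerson", "objectClass: inetOrgPerson",
             ldif_line("cn", username), ldif_line("uid", username),
             ldif_line("givenName", given), ldif_line("sn", surname)]
    return "\n".join(lines)


def group_entry(groupname, member_usernames):
    lines = [ldif_line("dn", group_dn(groupname)),
             "objectClass: top", "objectClass: groupOfUniqueNames",
             ldif_line("cn", groupname)]
    # member DNs must carry the same escaping as the user entries themselves
    lines += [ldif_line("uniqueMember", user_dn(u)) for u in member_usernames]
    return "\n".join(lines)


def build_ldif(users, groups):
    """users: list of (username, given, surname); groups: dict name -> list of usernames."""
    entries = [user_entry(*u) for u in users]
    entries += [group_entry(g, members) for g, members in groups.items()]
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # constructed sample data: one user whose cn contains a comma
    print(build_ldif([("test,user", "Test", "User"), ("fwadmin", "Site", "Admin")],
                     {"SiteAdmin": ["fwadmin"], "ContentEditor": ["test,user", "fwadmin"]}))
```

The escaping in user_dn is what the dir.ini syntax.escape setting has to agree with: if the DNs in the directory carry backslash-escaped commas but Sites parses with a different escape character, the lookup for such a user fails even though the bind succeeds.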

13.2 Switching to Authentication Against Oracle Access Manager

You can configure WebCenter Sites for authentication against Oracle Access Manager. This solution is recommended for production environments.

It is assumed that you already have an OAM server running. The integration requires configuration in the OAM server, using the OAM Console (oamconsole), and some configuration changes in WebCenter Sites.
WebCenter Sites integration is supported for Oracle Access Manager 11.1.2.2.0 and 11.1.2.3.0.
To switch WebCenter Sites to authentication against Oracle Access Manager:
  1. Sign in to Oracle Access Manager Server through oamconsole, for example: http://<oam_host:oam_port>/<oam console>/ and configure a WebGate. See Integrating OAM with Oracle WebCenter Sites.
  2. Deploy the oamlogin.war and oamtoken.war application files located under NEW_ORACLE_HOME/wcsites/webcentersites/sites-home on the WebLogic domain containing the target WebCenter Sites instance.
  3. Create the wemsites_settings.properties property file under DOMAIN_HOME/wcsites/wcsites/config/.
  4. Enter the values in the wemsites_settings.properties file as follows (one property per line):
    oamredirect=http://oam_server_host:oam_port/oam/server/auth_cred_submit
    oamlogout=http://oam_server_host:oam_port/oam/server/logout
    forgotpassword=helpdesk-email-address
  5. Set the following properties in NEW_DOMAIN_HOME/wcsites/wcsites/config/SSOConfig.xml. See Step 12 of Integration Steps.
    Property     Value
    serviceUrl   http://{ohs_server_host}:{ohs_port}/{sites_context_root}/REST
    ticketUrl    http://{oamtoken_server_host}:{oamtoken_port}/oamtoken
    signoutUrl   http://{oam_server_host}:{oam_port}/oam/server/logout?end_url={end_url}
                 Use this URL when invoking WebCenter Sites logout. It includes the encoded URL to which the browser returns after Oracle Access Manager has completed all logout processing.
    end_url      For test (staging) and production (delivery) environments: http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome
    dbUsername   Name of the WebCenter Sites general Administrator user account.
    dbPassword   Password for the WebCenter Sites general Administrator user account.

    Note:

    The ohs_server_host and ohs_port can be the WebLogic host and port or the host and port of any other HTTP server, depending on your configuration. For more information on OHS configuration, see Step 2 to Step 9 of Integration Steps. The following example shows the configuration to add to the mod_wl_ohs.conf file of the OAM OHS:
    <IfModule weblogic_module>
        <Location /oamlogin>
            SetHandler weblogic-handler
            WebLogicHost SITES_HOST
            WebLogicPort SITES_PORT
        </Location>
    </IfModule>
    <IfModule weblogic_module>
        <Location /sites>
            SetHandler weblogic-handler
            WebLogicHost SITES_HOST
            WebLogicPort SITES_PORT
        </Location>
    </IfModule>
    
  6. Copy the ObAccessClient.xml and cwallet.sso files from your Oracle Access Manager instance into the NEW_DOMAIN_HOME/wcsites/wcsites/config/oblix/lib/ directory on the target WebCenter Sites instance.

    Note:

    These files are auto-generated after the WebGate is configured.
  7. Edit the oamtoken.xml file in the sites-config directory: set the compatibility mode to 11g and the oblix path to the sites-config folder that contains the oblix/lib folder.
  8. In the Oracle Access Manager configuration for WebCenter Sites, update the protected, public, and excluded resources as follows:

    Figure 13-1 List of Protected, Public, and Excluded Resources for WebCenter Sites

  9. To integrate the OAMSDK client with WebLogic Server as the oamtoken.war application, edit the jps-config.xml file for the WebCenter Sites domain. By default, the WebLogic domain runs with this file, which is passed on the command line by the WebLogic Server 12c startup script:

    -Doracle.security.jps.config=NEW_ORACLE_HOME/user_projects/domains/DOMAIN_NAME/config/fmwconfig/jps-config.xml

    1. Add a service instance, as the following example shows, next to the existing service instances in jps-config.xml:
      <serviceInstance name="credstore.oamtoken" provider="credstoressp" location="./oamtoken">
      <description>File Based Credential Store Service Instance</description>
      <property name="location" value="./oamtoken"/>
      </serviceInstance>
      location is the path to the directory that contains the cwallet.sso file. The preceding example sets this path relative to the current jps-config.xml file. Make sure the oamtoken folder is created relative to that directory and that the cwallet.sso file is placed in it. The location value can also be an absolute path to the directory where cwallet.sso is placed.
    2. Add <serviceInstanceRef ref="credstore.oamtoken"/> under <jpsContext name="default">.
    3. Add the following <jpsContext> element under <jpsContexts default="default">:
      <jpsContext name="OAMASDK">
      <serviceInstanceRef ref="credstore.oamtoken"/>
      </jpsContext>
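The three jps-config.xml edits in step 9 are simple enough to script, which also makes them repeatable across nodes and safe to re-run. The following is an added example, not code from the Oracle documentation: it parses a constructed, minimal jps-config.xml (the real file under config/fmwconfig is much larger, but the serviceInstances, jpsContexts, serviceInstance, jpsContext and serviceInstanceRef elements are the ones the step names), adds the credstore.oamtoken instance, the reference in the default context and the OAMASDK context exactly as shown above without creating duplicates on a second run, and resolves where cwallet.sso has to live relative to jps-config.xml. The namespace URI in the sample is the Oracle JPS 11g schema, and the default-namespace handling works equally when the file declares no namespace.

```python
"""Added example: apply the step-9 jps-config.xml edits idempotently with the standard library.
Not part of the Oracle documentation; SAMPLE_JPS_CONFIG is a constructed minimal file."""
import posixpath
import xml.etree.ElementTree as ET

SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="credstore" provider="credstoressp" location="./">
      <property name="location" value="./"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="credstore"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""

INSTANCE = "credstore.oamtoken"   # service instance name from step 9.1
CONTEXT = "OAMASDK"               # jpsContext name from step 9.3


def _qualifier(root):
    """Return a function that qualifies a local tag with the document's default namespace."""
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)   # serialize as xmlns="..." rather than ns0:
    return (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)


def _ensure_ref(context, q, ref):
    if not any(r.get("ref") == ref for r in context.findall(q("serviceInstanceRef"))):
        ET.SubElement(context, q("serviceInstanceRef"), {"ref": ref})


def add_oamtoken_credstore(xml_text, location="./oamtoken"):
    """Return xml_text with the credstore.oamtoken instance, its reference in the default
    context and the OAMASDK context added; running it twice changes nothing the second time."""
    root = ET.fromstring(xml_text)
    q = _qualifier(root)
    instances = root.find(q("serviceInstances"))
    contexts = root.find(q("jpsContexts"))
    if instances is None or contexts is None:
        raise ValueError("not a jps-config.xml: serviceInstances/jpsContexts missing")

    # 9.1: file-based credential store instance next to the existing ones
    if not any(e.get("name") == INSTANCE for e in instances.findall(q("serviceInstance"))):
        inst = ET.SubElement(instances, q("serviceInstance"),
                             {"name": INSTANCE, "provider": "credstoressp", "location": location})
        ET.SubElement(inst, q("description")).text = "File Based Credential Store Service Instance"
        ET.SubElement(inst, q("property"), {"name": "location", "value": location})

    # 9.2: reference it from the default context
    default_ctx = next((c for c in contexts.findall(q("jpsContext")) if c.get("name") == "default"), None)
    if default_ctx is None:
        raise ValueError('no <jpsContext name="default">')
    _ensure_ref(default_ctx, q, INSTANCE)

    # 9.3: the OAMASDK context that references the oamtoken credential store
    asdk_ctx = next((c for c in contexts.findall(q("jpsContext")) if c.get("name") == CONTEXT), None)
    if asdk_ctx is None:
        asdk_ctx = ET.SubElement(contexts, q("jpsContext"), {"name": CONTEXT})
    _ensure_ref(asdk_ctx, q, INSTANCE)

    if hasattr(ET, "indent"):        # Python 3.9+: keep the file readable
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")   # prepend the XML declaration when writing back


def describe(xml_text):
    """Summarize instances, contexts and references, to verify the edit before restarting."""
    root = ET.fromstring(xml_text)
    q = _qualifier(root)
    contexts = root.find(q("jpsContexts")).findall(q("jpsContext"))
    return {
        "instances": [e.get("name") for e in root.iter(q("serviceInstance"))],
        "contexts": [c.get("name") for c in contexts],
        "refs": {c.get("name"): [r.get("ref") for r in c.findall(q("serviceInstanceRef"))]
                 for c in contexts},
    }


def wallet_path(jps_config_path, location="./oamtoken"):
    """Where cwallet.sso must be placed: a relative location is resolved against the
    directory holding jps-config.xml, an absolute one is used as-is (POSIX paths)."""
    base = posixpath.dirname(jps_config_path)
    return posixpath.normpath(posixpath.join(base, location, "cwallet.sso"))


if __name__ == "__main__":
    print(add_oamtoken_credstore(SAMPLE_JPS_CONFIG))
    print(wallet_path("/u01/domains/sites/config/fmwconfig/jps-config.xml"))
```

Run describe() on the edited file and confirm that cwallet.sso exists at wallet_path() before restarting the Managed Server; a reference to an instance whose wallet directory is missing only surfaces as a startup failure of the oamtoken application.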
  10. Add permissions so that the code in oamtoken.war can be used.
    The client accesses the WebGate instance created in Oracle Access Manager. You need to grant the credential-store permission in the WebCenter Sites domain so that this security restriction is satisfied.
    1. Launch the WebLogic Scripting Tool with the wlst.sh script:
      cd NEW_ORACLE_HOME/oracle_common/common/bin
      ./wlst.sh
    2. Connect to the Administration Server for the WebCenter Sites domain:
      connect('user-name','password','sites-host:admin-port')
    3. Grant the permissions:
      grantPermission(codeBaseURL="file:/scratch/idc/newoam/rend/Oracle_Home/user_projects/domains/renddomain/servers/wcsites_server1/tmp/_WL_user/oamtoken/-", permClass="oracle.security.jps.service.credstore.CredentialAccessPermission",permTarget="context=SYSTEM,mapName=OAMAgent,keyName=*",permActions="*")
      The codeBaseURL is the path where WebLogic Server has deployed the oamtoken.war application; the value shown is from a sample environment, so substitute the path for your own domain and Managed Server.
    4. Restart the target WebCenter Sites Managed Server.
  11. (Optional) If trust between WebCenter Sites and Oracle Access Manager has not been established, modify the configuration of the WebCenter Sites web tier as follows:
    1. Sign in to the Oracle Access Manager Console.
    2. In the WebGate authorization policy (under the protected resource policy), go to the Responses tab.
    3. Enable (select) the Identity Assertion check box.
    4. Click Apply to save your changes.
  12. (Optional) If WebCenter Sites is deployed on a cluster that uses the OAM integration, the following steps are required so that the oamticketcache cache is replicated across the nodes.
    1. In the config directory, the cas-cache.xml file configures oamticketcache by default.
    2. Uncomment the commented section in the cache named oamticketcache. The section appears as:
      <cacheEventListenerFactory
          class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"
          properties="replicateAsynchronously=true, replicatePuts=true,
                      replicateUpdates=true,
                      replicateUpdatesViaCopy=false, replicateRemovals=true"/>
      <bootstrapCacheLoaderFactory
          class="net.sf.ehcache.distribution.RMIBootstrapCacheLoaderFactory"
          properties="bootstrapAsynchronously=false,
                      maximumChunkSizeBytes=5000000"
          propertySeparator="," />

    3. Change the cacheManagerPeerProviderFactory as follows, making sure the port is unique:
      <cacheManagerPeerProviderFactory
          class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
          properties="peerDiscovery=automatic,
                      multicastGroupAddress=230.0.0.8,
                      multicastGroupPort=40002, timeToLive=1" />

    4. The port must differ between cacheManagerPeerProviderFactory and cacheManagerPeerListenerFactory, as specified in the earlier steps.
    5. All cluster nodes must use the same port for each of the two properties.
  13. To configure the SSOConfig.xml file, follow these steps:
    1. Modify the SSOConfig.xml file of the WebCenter Sites deployment. This file controls which authentication classes are loaded and the properties those classes require.
    2. Shut down the Sites server.
    3. Back up the SSOConfig.xml file located in the WEB-INF/classes directory of the deployed WebCenter Sites application.
      For example: /u01/software/Apps/OraMiddleware/user_projects/domains/OAMSitesDomain/wcsites/wcsites/config/SSOConfig.xml.
    4. Modify SSOConfig.xml as follows:

      Note:

      The following steps explain how to set the serviceUrl, ticketUrl, signoutUrl, dbUsername, and dbPassword properties. See Step 5.
    5. The signoutUrl property specifies the URL used when invoking WebCenter Sites logout. It includes the encoded URL to which the browser returns after OAM has completed all logout processing.
    6. For Sites management, use the following value for end_url: http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome
    7. For Sites delivery, use the following value for end_url: http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome
      For the dbUsername and dbPassword properties, you can enter the credentials of the WebCenter Sites general administrator, which by default is fwadmin/xceladmin. The values of these properties are encrypted on startup of the WebCenter Sites application. OAMFilter uses these credentials for its user lookups, so in a production environment do not leave the installation default password in place; change it before entering it here.

      Note:

      In the following example, you set the csServerUrl, serviceUrl, ticketUrl, signoutUrl, dbUsername, and dbPassword properties. See Step 5.
      <?xml version="1.0" encoding="UTF-8"?>
      <!--
      
          Copyright (c) 2010 FatWire Corporation. All Rights Reserved.
          Title, ownership rights, and intellectual property rights in and
          to this software remain with FatWire Corporation. This  software
          is protected by international copyright laws and treaties, and
          may be protected by other law.  Violation of copyright laws may
          result in civil liability and criminal penalties.
      
      -->
      
      <beans xmlns="http://www.springframework.org/schema/beans"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
              xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context"
              xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
              http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
              http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
      
              <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" />
              <!-- Root Context: defines shared resources visible to all other web components -->
              
              <jdbc:initialize-database data-source="dataSource"   enabled="true" ignore-failures="ALL">                
                       <!-- The installer uses the first jdbc:script and configures it automatically -->
                      <jdbc:script location="classpath:crawler_oracle_db.sql" />
                      <!--jdbc:script location="classpath:crawler_hsql_db.sql" /-->
                      <!--jdbc:script location="classpath:crawler_sql_server_db.sql" /-->
                      <!--jdbc:script location="classpath:crawler_oracle_db.sql" /-->
                      <!--jdbc:script location="classpath:crawler_db2_db.sql" /-->
              </jdbc:initialize-database>
              
              <!-- Section# 1 Installer will consume below configuration to configure a datasource name created on the appservers -->
              <bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
                      <property name="jndiName" value="wcsitesDS"/>
              </bean>
              
              <!-- Single Sign On provider -->
              <bean id="ssoprovider" class="com.fatwire.wem.sso.oam.OAMProvider">
                      <property name="config" ref="ssoconfig" />
              </bean>
               <!-- Invoked by the OAM filter to resolve an OAM-authenticated user against a remote Sites CS instance. -->
              <bean id="oamIdentity" class="com.fatwire.auth.identity.RemoteUsernameResolver" >
                      <property name="csServerUrl" value="http://{ohs_server_host}:{ohs_port}/{sites_context_root}/custom/customCsResolver.jsp"/>
              </bean>
        
              <!-- Single Sign On filter -->
              <bean id="ssofilter" class="com.fatwire.wem.sso.oam.filter.OAMFilter">
                      <property name="config" ref="ssoconfig" />
                      <property name="provider" ref="ssoprovider" />
                      <property name="identityResolver" ref="oamIdentity" />
                      
                      <!-- Set "trustConfigured" to "true" in case of trust relationship configured between WebGate and WLS.
                      It will turn off check for OAM_ASSERTION header. -->
                      <property name="trustConfigured" value="false" />
              </bean>
        
      
              <!-- Single Sign On listener -->
              <bean id="ssolistener" class="com.fatwire.wem.sso.oam.listener.OAMListener">
              </bean>
              
              <!-- Single Sign On configuration -->
              <bean id="ssoconfig" class="com.fatwire.wem.sso.oam.conf.OAMConfig">
                      <!-- URL prefix for REST service endpoint -->
                      <property name="serviceUrl" value="http://{ohs_server_host}:{ohs_port}/{sites_context_root}/REST" />
                      
                      <!-- URL prefix for Token Service servlet -->
                      <property name="ticketUrl" value="http://{oamtoken_server_host}:{oamtoken_port}/oamtoken" />
                      
                      <!-- URL to be called when WEM logout is required. -->
                      <property name="signoutUrl" value="http://{oam_server_host}:{oam_port}/oam/server/logout?end_url=http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome"/>
                      
                       <!-- Do not proxy tickets; this is the last server in the call chain -->
                      <property name="proxyTickets" value="false" />
                      
                       <!-- Database credentials needed by the user lookup in OAMFilter -->
                      <property name="dbUsername" value="fwadmin" />
                      <property name="dbPassword" value="xceladmin"/>
                      
                      <!-- Your application protected resources (relative to applicationUrl) -->
                      <property name="protectedMappingIncludes">
                              <list>
                                      <value>/__admin</value>
                                      <value>/__admin/**</value>
                              </list>
                      </property>
                      
                      <!-- Your application protected resources excludes (relative to applicationUrl) -->
                      <property name="protectedMappingExcludes">
                              <list>
                                      <value>/__admin/layout</value>
                              </list>
                      </property>
                      <property name="applicationProxyCallbackPath" value="/sso/proxycallback" />
                      <property name="gateway" value="false" />
              </bean>
              
              <context:component-scan base-package="com.fatwire.crawler.remote.dao" />
              <context:component-scan base-package="com.fatwire.crawler.remote.support" />
              <context:component-scan base-package="com.fatwire.crawler.remote.di" />
              <context:component-scan base-package="com.fatwire.crawler.remote.resources.support" />
      
      </beans>
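The signoutUrl in step 5 and step 13 embeds a second, percent-encoded URL, and the SSOConfig.xml example above ships with the default general-administrator credentials and plain http endpoints, so it is worth checking the file mechanically before the Managed Server is restarted. The following is an added example, not code from the Oracle documentation or from WebCenter Sites: build_signout_url() produces the logout URL in the exact encoded form the table in step 5 shows, parse_sso_config() reads the ssoconfig and ssofilter bean properties from a constructed SSOConfig.xml fragment (same Spring beans namespace and bean ids as the file above), and audit() reports the default fwadmin/xceladmin pair named in step 13, cleartext serviceUrl/ticketUrl, an end_url whose host differs from the serviceUrl host, and trustConfigured=true (which the comment in the file says turns off the OAM_ASSERTION header check). The host names, ports and the finding labels are assumptions made for the example.

```python
"""Added example: build the OAM signoutUrl and audit an SSOConfig.xml before restart.
Not part of the Oracle documentation; hosts, ports and finding names are illustrative."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

BEANS = "{http://www.springframework.org/schema/beans}"
DEFAULT_ADMIN = ("fwadmin", "xceladmin")        # installation default named in step 13
WELCOME_PATH = "/wem/fatwire/wem/Welcome"       # end_url path from step 5

# constructed fragment of SSOConfig.xml with the values a fresh install tends to carry
SAMPLE_SSOCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="ssofilter" class="com.fatwire.wem.sso.oam.filter.OAMFilter">
    <property name="config" ref="ssoconfig" />
    <property name="trustConfigured" value="false" />
  </bean>
  <bean id="ssoconfig" class="com.fatwire.wem.sso.oam.conf.OAMConfig">
    <property name="serviceUrl" value="http://ohs.example.com:7777/sites/REST" />
    <property name="ticketUrl" value="http://sites.example.com:7001/oamtoken" />
    <property name="signoutUrl" value="http://oam.example.com:14100/oam/server/logout?end_url=http%3A%2F%2Fohs.example.com%3A7777%2Fsites%2Fwem%2Ffatwire%2Fwem%2FWelcome" />
    <property name="dbUsername" value="fwadmin" />
    <property name="dbPassword" value="xceladmin" />
  </bean>
</beans>
"""


def build_signout_url(oam_host, oam_port, ohs_host, ohs_port, sites_context_root, scheme="http"):
    """OAM logout URL whose end_url is fully percent-encoded (safe='' encodes ':' and '/' too)."""
    end_url = f"{scheme}://{ohs_host}:{ohs_port}/{sites_context_root}{WELCOME_PATH}"
    return f"{scheme}://{oam_host}:{oam_port}/oam/server/logout?end_url={quote(end_url, safe='')}"


def parse_sso_config(xml_text):
    """Collect the literal (value=) properties of the ssoconfig and ssofilter beans."""
    root = ET.fromstring(xml_text)
    cfg = {}
    for bean in root.iter(BEANS + "bean"):
        if bean.get("id") in ("ssoconfig", "ssofilter"):
            for prop in bean.findall(BEANS + "property"):
                if prop.get("value") is not None:      # ref= and <list> properties are skipped
                    cfg[prop.get("name")] = prop.get("value")
    return cfg


def audit(cfg):
    """Return a list of finding labels for a parsed configuration (empty means clean)."""
    findings = []
    if (cfg.get("dbUsername"), cfg.get("dbPassword")) == DEFAULT_ADMIN:
        findings.append("default-admin-credentials")
    for key in ("serviceUrl", "ticketUrl"):
        if urlsplit(cfg.get(key, "")).scheme == "http":
            findings.append(f"cleartext-{key}")
    end_url = parse_qs(urlsplit(cfg.get("signoutUrl", "")).query).get("end_url", [""])[0]
    if urlsplit(end_url).netloc != urlsplit(cfg.get("serviceUrl", "")).netloc:
        findings.append("end_url-host-mismatch")      # logout would land the browser elsewhere
    if cfg.get("trustConfigured", "false").lower() == "true":
        findings.append("trustConfigured-skips-OAM_ASSERTION-check")
    return findings


def hardened_example():
    """The same properties with https endpoints and a non-default lookup account (assumed values)."""
    return {
        "serviceUrl": "https://ohs.example.com:4443/sites/REST",
        "ticketUrl": "https://sites.example.com:7002/oamtoken",
        "signoutUrl": build_signout_url("oam.example.com", 14101, "ohs.example.com", 4443, "sites", "https"),
        "dbUsername": "sso_lookup",
        "dbPassword": "example-rotated-secret",
        "trustConfigured": "false",
    }


if __name__ == "__main__":
    print(build_signout_url("oam.example.com", 14100, "ohs.example.com", 7777, "sites"))
    print(audit(parse_sso_config(SAMPLE_SSOCONFIG)))
    print(audit(hardened_example()))
```

The end_url check matters because OAM redirects the browser to whatever end_url says once logout completes; the value should always decode to the same OHS host that serves the Sites context root. The cleartext findings are warnings rather than errors, since the documented values use http, but the ticket and REST calls carry the OAM token and the admin lookup credentials and belong on TLS in production.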
      
After you have configured OAM authentication, perform the following integrations: