Oracle® Application Server Single Sign-On Administrator's Guide 10g (9.0.4) Part Number B10851-01 |
|
This chapter explains how to enable partner applications for single sign-on. This process involves registering mod_osso, the authentication module for the Oracle HTTP Server, with the single sign-on server. See "Partner Applications" in Chapter 1 for a definition of partner applications.
The chapter contains the following topics:
Single sign-on partner applications are registered automatically by the OracleAS installer. Registering the application creates an entry for it in the identity management infrastructure database and configures registration on the partner application computer.
mod_osso-integrated applications are registered by the ossoreg.jar tool. OracleAS Portal, an SDK-integrated application, is registered by ptlasst. Both tools are invoked by the installer. Only the former is discussed here. See Portal documentation for a discussion of the latter.
Under certain circumstances, you must reregister mod_osso manually, using the single sign-on registration tool. These circumstances are as follows:
In all three cases, running the single sign-on registration tool updates the mod_osso registration record in osso.conf. The tool generates this file whenever it runs.
This section contains the following topics:
Use the ossoreg.jar tool to register an application. Run the following command:
$ORACLE_HOME
/jdk/bin/java -jar$ORACLE_HOME
/sso/lib/ossoreg.jar -oracle_home_path orcl_home_path -site_name site_name -config_mod_osso TRUE -mod_osso_url mod_osso_url -u userid [-virtualhost]
[-update_mode CREATE | DELETE | MODIFY] [-config_fileconfig_file_path
] [-admin_info admin_info] [-admin_id adminid]
A description of the parameters passed to the tool follows.
Absolute path to the Oracle home.
Name of the site--typically, the effective host name and port of the partner application. For example, application.mydomain.com.
If set to TRUE
, this parameter indicates that the application being registered is mod_osso. You must include config_mod_osso
for osso.conf to be generated.
The effective URL of the partner application. This is the URL that is used to access the partner application. The value should be specified in this URL format:
http://oracle_http_host.domain:port
For example:
http://application.mydomain.com:7777
The user name that will start the Oracle HTTP Server. In UNIX, this name is usually "root." On Windows NT/2000, it is SYSTEM
. The parameter u
is mandatory.
Optional. Include this parameter only if you are registering an Oracle HTTP virtual host with the single sign-on server. Omit the parameter if you are not registering a virtual host.
If you are creating an HTTP virtual host, use the httpd.conf file to fill in the following directive for each protected URL:
<VirtualHosthost_name
> OssoConfigFile $ORACLE_HOME/Apache/Apache/conf/osso/host_name
/osso.conf OssoIpCheck off #<Location /your_protected_url
> # AuthType basic # Require valid-user #</Location> #Other configuration information for the virtual host </VirtualHost>
If, on the other hand, you are creating an HTTPS virtual host, use the ssl.conf file to fill in the same directive. Note that the commented lines must be uncommented before the application is deployed. Both httpd.conf and ssl.conf are in $ORACLE_HOME/Apache/Apache/conf.
After creating a virtual host, run this command to update the Distributed Cluster Management schema:
$ORACLE_HOME/dcm/bin/dcmctl updateConfig -v -d
Location of the osso.conf file for the virtual host if one is being configured. It may, for example, be $ORACLE_HOME/Apache/Apache/conf/osso/virtual_host_name/osso.conf.
This parameter is mandatory if you are registering a virtual host. If you omit config_file
, the assumption is that you are registering a nonvirtual host. In this case, ossoreg.jar creates a file with the name osso.conf in $ORACLE_HOME/Apache/Apache/conf/osso.
Optional. Creates, deletes, or modifies the partner registration record. CREATE
, the default, generates a new record. DELETE
removes the existing record. MODIFY
deletes the existing record and then creates a new one.
Optional. User name of the mod_osso administrator. If you omit this parameter, the Administrator Information field on the Edit Partner Application page is left blank.
Optional. Any additional information, such as e-mail address, about the administrator. If you omit this parameter, the Administrator E-mail field on the Edit Partner Application page is left blank.
This command sequence shows a mod_osso instance being reregistered with the single sign-on server:
setenv $ORACLE_HOME /private/oracle/gitm1 setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:$ORACLE_HOME/lib $ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/sso/lib/ossoreg.jar -oracle_ home_path $ORACLE_HOME -site_name portal.mydomain.com -config_mod_osso TRUE -mod_osso_url http://portal.mydomain.com -u root
set ORACLE_HOME=c:\private\oracle\gitml set PATH=%PATH%;%ORACLE_HOME%\bin;%ORACLE_HOME%\lib %ORACLE_HOME%\jdk\bin\java -jar %ORACLE_HOME%\sso\lib\ossoreg.jar -oracle_ home_path %ORACLE_HOME% -site_name portal.mydomain.com -config_mod_osso TRUE -mod_osso_url http://portal.mydomain.com -u SYSTEM
After running ossoreg.jar, restart the Oracle HTTP Server. For instructions, see "Stopping and Starting the Oracle HTTP Server" in Chapter 2.
You can configure two or more partner application instances in a highly available deployment by placing a load balancer in front of them. The load balancer publishes a single address for partner applications while providing a farm of application servers that actually service requests. The HTTP load balancer can detect when one of the Oracle HTTP Server instances has failed and can then fail over requests to another instance.
The usage scenario presented here takes you through the steps required to configure partner applications with a load balancer.
This scenario assumes the following hypothetical configurations:
Figure 4-1 shows what this hypothetical system looks like.
Setting up the system presented in Figure 4-1 involves the following tasks:
Install the partner applications on pa1.mydomain.com and pa2.mydomain.com. When prompted by the installer for a directory location, choose the server located at sso.mydomain.com.
When a load balancer is placed between the user and the Oracle HTTP servers on the OracleAS middle tier, the effective URL of the partner application changes. The configuration file httpd.conf on both middle tiers must be modified to reflect this change. This file can be found at $ORACLE_HOME/Apache/Apache/conf.
Complete the following steps:
Add the following lines to the httpd.conf file on pa1.mydomain.com and pa2mydomain.com:
ServerName pa.mydomain.com Port 80
LoadModule certheaders_module libexec/mod_certheaders.so
AddCertHeader HTTPS
If you are using a hardware load balancer, enter this line:
SimulateHttps on
You can add steps a and b to the end of httpd.conf. Just where they appear in the file is unimportant.
The HTTP load balancer that you use can be hardware such as BigIP, Alteon, or Local Director or software such as OracleAS Web Cache.
If you are using a hardware load balancer, configure one pool of real servers with the addresses pa1.mydomain.com and pa2.mydomain.com. Configure one virtual server with the address pa.mydomain.com. This virtual server is the external interface of the load balancer. For instructions, consult the documentation provided by your load balancer vendor.
If you are using OracleAS Web Cache to load balance connection requests, see the following links:
On both partner application instances, reregister mod_osso as the partner application pa.mydomain.com.
To reregister mod_osso on pa1.mydomain.com, run the registration script. In the example that follows, be sure to substitute values appropriate to your installation. The script creates a partner application called pa.mydomain.com.
$ORACLE_HOME
/jdk/bin/java -jar$ORACLE_HOME
/sso/lib/ossoreg.jar -oracle_home_path orcl_home_path -site_name site_name -config_mod_osso TRUE -mod_osso_url mod_osso_url -u userid [-virtualhostvirtual_host_name]
[-update_mode CREATE | DELETE | MODIFY] [-config_fileconfig_file_path
] [-admin_id adminid] [-admin_info admin_info]
See "Registering mod_osso" for a command example and a description of command parameters.
To reregister mod_osso on pa2.mydomain.com:
http://sso.mydomain.com/pls/orasso
$ORACLE_HOME/Apache/Apache/bin/ssotransfer $ORACLE_ HOME/Apache/Apache/conf/osso/osso.conf
Note: The ssotransfer command should not be used to synchronize the Distributed Cluster Management repository with the mod_osso configuration file created for a virtual host. To learn how to register mod_osso for a virtual host, see "Configuring mod_osso with Virtual Hosts". |
http://pa.mydomain.com
For more information about integrating partner applications with mod_osso, see "Developing Single Sign-On-Enabled Applications" in Oracle Application Server Single Sign-On Application Developer's Guide.
Some deployments may require more than one Web site to be deployed on a single Oracle HTTP Server. An application may, for example, have to be available both over HTTP and HTTPS. In the scenario that follows, an SSL virtual host is configured to be protected by mod_osso. Although the virtual host is an SSL host, the scenario applies to any virtual host.
The scenario assumes the following conditions:
To configure app.mydomain.com as an SSL virtual host:
VirtualHost
section of the ssl.conf file. In release 9.0.2, the installer defines an SSL virtual host in the VirtualHost
section of httpd.conf. Both files are in $ORACLE_HOME/Apache/Apache/conf.
$ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/sso/lib/ossoreg.jar -oracle_ home_path $ORACLE_HOME -site_name app.mydomain.com -config_mod_osso TRUE -mod_osso_url https://app.mydomain.com:4443 -u root -virtualhost -config_file $ORACLE_HOME/Apache/Apache/conf/osso/osso-https.conf
$ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/sso/lib/ossoreg.jar -virtualhost -site_name https://app.mydomain.com -oracle_home_path $ORACLE_HOME -success_url https://app.mydomain.com:4443/osso_login_ success -logout_url https://app.mydomain.com:4443/osso_logout_success -cancel_url https://app.mydomain.com:4443/ -home_url https://app.mydomain.com:4443/ -config_mod_osso TRUE -u root -sso_ server_version v1.2 -config_file $ORACLE_ HOME/Apache/Apache/conf/osso/osso-https.conf
LoadModule osso_module libexec/mod_osso.so
LoadModule wchandshake_module libexec/mod_wchandshake.so with a default setup
:
LoadModule osso_module libexec/mod_osso.so
VirtualHost
to include the mod_osso file for the virtual host. Recall that, for SSL virtual hosts, this directive is configured in ssl.conf in release 9.0.4 and in httpd.conf in release 9.0.2.
<VirtualHost _default_:4443>
.
.
.
OssoConfigFile $ORACLE_HOME/Apache/Apache/conf/osso/osso-https.conf
OssoIpCheck off
<Location /your_protected_url_for_the virtual site
>
AuthType basic
Require valid-user
</Location>
.
.
.
</VirtualHost>
|
![]() Copyright © 1996, 2003 Oracle Corporation. All Rights Reserved. |
|