Oracle® Application Server Release Notes
10g Release 2 (10.1.2) for IBM zSeries Based Linux
B25837-02

22 Oracle Application Server Single Sign-On

This chapter describes issues associated with Oracle Application Server Single Sign-On (OracleAS Single Sign-On). It includes the following topic:

22.1 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds for Oracle Application Server Single Sign-On. It includes the following topic:

22.1.1 Additional High Availability Configuration Instructions

Additional configuration steps are required after OracleAS Infrastructure is installed with the "OracleAS Cluster (Identity Management)" option. There are two sets of instructions to follow:

22.1.1.1 Update the mod_rewrite Entry for SSO

Take the following steps:

  1. Back up the sso_apache.conf file:

    cp ORACLE_HOME/sso/conf/sso_apache.conf \
        ORACLE_HOME/sso/conf/sso_apache.conf.BACKUP
    
    
  2. Edit the file. Locate the mod_rewrite entry that contains the following text:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/pls/orasso/orasso.wwsso_app_admin.ls_login$ /sso/auth [PT]
    </IfModule>
    
    

    Add the following line:

    RewriteRule ^/pls/orasso/orasso.home$ PROTOCOL://LBR_HOST:LBR_PORT/pls/orasso/orasso.home [R,L]
    
    

    replacing the placeholders (PROTOCOL, LBR_HOST, LBR_PORT) with the following values:

    • Replace LBR_HOST with the full hostname for the HTTP load balancer.

    • Replace LBR_PORT with the SSL listening port. If SSL is enabled, enter the SSL port value. If using the default ports of 80 or 443, do not specify a port value.

    • Replace PROTOCOL with either HTTPS (if using the SSL port) or HTTP (if using the non-SSL port).

      For example, the entry might look like this when using a non-default SSL port:

      <IfModule mod_rewrite.c>
          RewriteEngine On
          RewriteRule ^/pls/orasso/orasso.wwsso_app_admin.ls_login$ /sso/auth [PT]
          RewriteRule ^/pls/orasso/orasso.home$ https://lbr.mydomain.com:4443/pls/orasso/orasso.home [R,L]
      </IfModule>
      
      

      As another example, the entry might look like this when using a default SSL port:

      <IfModule mod_rewrite.c>
          RewriteEngine On
          RewriteRule ^/pls/orasso/orasso.wwsso_app_admin.ls_login$ /sso/auth [PT]
          RewriteRule ^/pls/orasso/orasso.home$ https://lbr.mydomain.com/pls/orasso/orasso.home [R,L]
      </IfModule>
      
      
  3. Save and close the file.

  4. Restart Oracle HTTP Server.

22.1.1.2 Update targets.xml

The following configuration steps are needed only in the installation scenario where communications between clients and the load balancer use HTTPS, and communications between the load balancer and Oracle HTTP Server also use HTTPS:

Client ---[HTTPS]---> Load Balancer ---[HTTPS]---> Oracle HTTP Server

In this case the oracle_sso_server entry in the targets.xml file, on each physical host of the cluster, must be reconfigured to monitor the local SSL port.


Note:

Keep in mind that the hostname should remain the same. Do not change the hostname.


Perform the following steps to update targets.xml on each node of the cluster:

  1. Back up the targets.xml file:

    cp ORACLE_HOME/sysman/emd/targets.xml \
        ORACLE_HOME/sysman/emd/targets.xml.BACKUP
    
    
  2. Open the file and find the oracle_sso_server target type. Within this target entry, locate and edit the following two attributes:

    • HTTPPort - the server SSL port number

    • HTTPProtocol - the server protocol, which in this case is HTTPS

      For example, you could update the two attributes this way:

      <Property NAME="HTTPPort" VALUE="4443"/>
      <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
      
      
  3. Save and close the file.

  4. Reload the OracleAS console:

    ORACLE_HOME/bin/emctl reload
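
A post-change check for the two procedures above (22.1.1.1 and 22.1.1.2), added here as an example and not part of the Oracle release notes: it confirms that the orasso.home rule redirects to the load balancer with the expected scheme, and that the oracle_sso_server target is monitored over HTTPS on the local SSL port. The function names, the `<Target TYPE="...">` element layout and the sample values are assumptions.

```shell
# Added example, not Oracle tooling; assumes one directive or XML tag per line.

# Print "<target> <flags>" of the orasso.home RewriteRule (comments ignored).
sso_home_rule() {  # $1 = sso_apache.conf
    awk '$1 == "RewriteRule" && $2 == "^/pls/orasso/orasso.home$" { print $3, $4; exit }' "$1"
}

# Return 0 if the rule redirects to the load balancer; else print each finding.
check_sso_redirect() {  # $1 = conf, $2 = http|https, $3 = LBR host (lowercase)
    rule=$(sso_home_rule "$1"); rc=0
    [ -n "$rule" ] || { echo "no orasso.home redirect rule"; return 1; }
    url=$(printf '%s' "${rule% *}" | tr 'A-Z' 'a-z'); flags=${rule##* }
    case $url in *://*) ;; *) echo "target is not an absolute URL: $url"; return 1 ;; esac
    scheme=${url%%://*}; rest=${url#*://}; auth=${rest%%/*}; host=${auth%%:*}
    [ "$scheme" = "$2" ] || { echo "scheme is $scheme, expected $2"; rc=1; }
    [ "$host" = "$3" ] || { echo "redirects to $host, not load balancer $3"; rc=1; }
    case $scheme://$auth in
        https://*:443|http://*:80) echo "default port must be omitted"; rc=1 ;;
    esac
    [ "/${rest#*/}" = /pls/orasso/orasso.home ] || { echo "unexpected path"; rc=1; }
    [ "$flags" = "[R,L]" ] || { echo "flags are '$flags', expected [R,L]"; rc=1; }
    return $rc
}

# Print VALUE of one Property inside the oracle_sso_server target.
sso_target_property() {  # $1 = targets.xml, $2 = property name
    awk -v name="$2" '
        /<Target /   { in_sso = ($0 ~ /TYPE="oracle_sso_server"/) }
        /<\/Target>/ { in_sso = 0 }
        in_sso && $0 ~ ("<Property NAME=\"" name "\"") {
            sub(/.*VALUE="/, ""); sub(/".*/, ""); print; exit }' "$1"
}

# Return 0 if the target is monitored over HTTPS on the local SSL port.
check_sso_target() {  # $1 = targets.xml, $2 = local SSL port
    proto=$(sso_target_property "$1" HTTPProtocol)
    port=$(sso_target_property "$1" HTTPPort)
    [ "$proto" = HTTPS ] && [ "$port" = "$2" ] && return 0
    echo "oracle_sso_server monitored via ${proto:-?}:${port:-?}, expected HTTPS:$2"; return 1
}

# Constructed sample: redirect already edited, targets.xml not yet updated.
demo=$(mktemp -d)
echo 'RewriteRule ^/pls/orasso/orasso.home$ https://lbr.mydomain.com:4443/pls/orasso/orasso.home [R,L]' > "$demo/sso_apache.conf"
printf '%s\n' '<Target TYPE="oracle_sso_server" NAME="constructed_sso">' \
    '<Property NAME="HTTPPort" VALUE="7777"/>' \
    '<Property NAME="HTTPProtocol" VALUE="HTTP"/>' '</Target>' > "$demo/targets.xml"
check_sso_redirect "$demo/sso_apache.conf" https lbr.mydomain.com && echo "redirect OK"
check_sso_target "$demo/targets.xml" 4443 || echo "targets.xml still needs the edit"
```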

22.2 Issues and Workarounds Related to Oracle Database

This section describes issues and workarounds for Oracle Application Server Single Sign-On that are triggered by the Oracle Database. It includes the following topic:

22.2.1 Issues With Upgrading the Oracle Database

After upgrading your Metadata Repository from Oracle Database 9.2.0.6 to 10.1.x, the following error is reported on the Discoverer Plus Connection pages, the Discoverer Viewer Connection pages, and the Public Connection definition page in Application Server Control:

The connection list is currently unavailable.
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at "ORASSO.WWSSO_API_PRIVATE," line 258
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at "ORASSO.WWSSO_UTL" line 728
ORA-28231: no data passed to obfuscation toolkit
ORA-06512: at line 1 Unable to retrieve connection list

The same problem will be encountered with external applications on the server hosting Oracle Application Server Single Sign-On.

To resolve this issue, make the following changes in your Metadata Repository Database:

  1. Edit the init%ORACLE_SID%.ora file in the following location:

    DB_install_home/dbs

    Add the following line to this file:

    event="10946 trace name context forever, level 36"

  2. If an spfile%ORACLE_SID%.ora exists in either the dbs folder or the database folder, rename the file to spfile%ORACLE_SID%.bak.

    Changes to init%ORACLE_SID%.ora are not loaded if the database server finds an spfile.

  3. Log in as a sysadmin.

  4. At the SQL prompt, shut down then start up the database server.

  5. Restart the Discoverer server using the command opmnctl restartall.