Oracle® Fusion Middleware Administrator's Guide for Oracle WebCenter Ensemble
10g Release 3 (10.3.0.1.0)
E14114-01

4 Proxy Authentication

This chapter describes resource access control using Oracle WebCenter Ensemble proxy authentication. It is divided into the following sections:

Authentication Levels

There are two factors that control access to a resource: authentication levels and policies. Before any policy is evaluated for a given resource, the user must first be authenticated with an authenticator that has an authentication level equal to or greater than the authentication level of the resource. If an authentication level does not have an authenticator associated with it, the next higher authenticator is used to authenticate.

Authentication levels range from 0 to 10. An authenticator cannot be assigned level 0; authentication level 0 is reserved for anonymous access. For details on anonymous access, see Configuring Anonymous Access.

An authenticator is a method for authentication. HTML form-based authentication and third-party SSO providers are examples of authenticators.

When a user attempts to access a resource without credentials appropriate for the resource's authentication level, the following happens:

  1. Oracle WebCenter Ensemble evaluates experience rules to determine which experience definition is appropriate for the user.

  2. Oracle WebCenter Ensemble passes the authenticator associated with the experience definition to the authentication stack.

  3. If the authenticator is equal to or greater than the resource's authentication level, Oracle WebCenter Ensemble uses the authenticator associated with the experience definition to authenticate the user.

    If the authenticator is lower than the resource's authentication level, Oracle WebCenter Ensemble uses the authenticator associated with the resource's authentication level.

  4. Once the user is authenticated, Oracle WebCenter Ensemble evaluates the policies for the resource. If one or more policies evaluate to true, the user is granted access to the resource.

For details on experience rules and experience definitions, see Chapter 7, "Experience Definitions."

For details on policies, see Chapter 6, "Policies and Rules."

Configuring Authentication Levels

You configure the authentication level that is associated with an authenticator in the Ensemble Console. You configure each authenticator with a numerical level between 1 and 10. Two authenticators cannot have the same authentication level.

To configure authentication levels:

  1. Launch the Ensemble Console.

  2. Click the PROXY AUTHENTICATION tab.

  3. Select the authentication level from the Level drop-down next to the authenticator you are configuring.


    Note:

    Changing authentication levels for authenticators will not change authentication levels associated with policy sets. The authentication level will remain the same and the authenticator will change.
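The following Python model is an added illustration of the rules in the two sections above; it is not code from this guide or from the Ensemble product. It models authenticators at unique levels 1 to 10 (level 0 reserved for anonymous access), the fallback to the next higher authenticator when a level has none, the choice between the experience definition's authenticator and the one serving the resource's level, policies evaluated only after authentication, and a policy set that stores a level rather than an authenticator name. The class and function names and the authenticators named "form-login", "siteminder" and "coreid" are constructed for the example.

```python
"""Added example: a model of Ensemble authentication-level resolution.
Not Oracle code; class and function names are illustrative assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ANONYMOUS_LEVEL = 0          # reserved; an authenticator can never be assigned level 0
MAX_LEVEL = 10


@dataclass(frozen=True)
class Authenticator:
    name: str                # constructed names such as "form-login" or "siteminder"
    level: int


class AuthenticatorRegistry:
    """Authenticators keyed by level: each level 1..10 holds at most one authenticator."""

    def __init__(self) -> None:
        self._by_level: Dict[int, Authenticator] = {}

    def register(self, auth: Authenticator) -> None:
        if not 1 <= auth.level <= MAX_LEVEL:
            raise ValueError(f"level must be 1..{MAX_LEVEL}, got {auth.level}")
        if auth.level in self._by_level:
            raise ValueError(f"level {auth.level} already used by {self._by_level[auth.level].name}")
        self._by_level[auth.level] = auth

    def for_level(self, level: int) -> Optional[Authenticator]:
        """Authenticator at `level`, or the next higher one when that level is unassigned."""
        for lvl in range(max(level, 1), MAX_LEVEL + 1):
            if lvl in self._by_level:
                return self._by_level[lvl]
        return None


def select_authenticator(registry: AuthenticatorRegistry, resource_level: int,
                         experience_auth: Optional[Authenticator]) -> Optional[Authenticator]:
    """Steps 2-3 of the access flow: prefer the experience definition's authenticator
    when its level covers the resource, otherwise the one serving the resource's level."""
    if resource_level == ANONYMOUS_LEVEL:
        return None                                    # anonymous access, nothing to do
    if experience_auth is not None and experience_auth.level >= resource_level:
        return experience_auth
    auth = registry.for_level(resource_level)
    if auth is None:
        raise LookupError(f"no authenticator at level {resource_level} or higher")
    return auth


Policy = Callable[[dict], bool]


def access_granted(policies: List[Policy], user: dict) -> bool:
    """Step 4: evaluated only after authentication; any policy that is true grants access."""
    return any(policy(user) for policy in policies)


def demo() -> dict:
    """Walk through a constructed scenario and return what happened at each step."""
    registry = AuthenticatorRegistry()
    registry.register(Authenticator("form-login", 2))
    registry.register(Authenticator("siteminder", 5))
    try:                                               # two authenticators, one level: rejected
        registry.register(Authenticator("coreid", 5))
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True

    experience_auth = registry.for_level(2)            # experience definition picked form login
    policy_set_level = 4                               # the policy set stores a level, not a name
    chosen = select_authenticator(registry, policy_set_level, experience_auth)

    policies: List[Policy] = [lambda u: u.get("group") == "finance",
                              lambda u: u.get("name") == "auditor"]
    granted = access_granted(policies, {"name": "auditor", "group": "it"})
    return {"duplicate_rejected": duplicate_rejected,
            "chosen": chosen.name,                     # level 4 is unassigned -> "siteminder"
            "granted": granted}


if __name__ == "__main__":
    print(demo())
```

Because the policy set in `demo()` records only the level 4, swapping which authenticator sits at level 5 changes what `select_authenticator` returns without touching the policy set, which is the behaviour the note above describes.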

SSO Integration

This section describes how to configure Oracle WebCenter Ensemble to authenticate users with the Oracle WebCenter Interaction portal, or one of the supported third-party SSO systems: Siteminder, COREid, or Active Directory via SPNEGO. The following subsections describe each configuration in detail:

In addition, configuring Oracle WebCenter Ensemble to log users out of an SSO system is described in SSO Logout.


Note:

For all SSO integrations, the user name used to authenticate to the SSO software must also exist as an Oracle WebCenter Ensemble user name. To add users to Oracle WebCenter Ensemble, add users to your Oracle WebCenter Interaction installation or the LDAP server that contains your Oracle WebCenter Interaction users.

Integrating with the Oracle WebCenter Interaction Portal

This section provides details about configuring Oracle WebCenter Ensemble to automatically log users in to the Oracle WebCenter Interaction portal.

To integrate with the Oracle WebCenter Interaction portal:

  1. Deploy the portal.war file, using an instance of Apache Tomcat.


    Note:

    Your version of Apache Tomcat must be prior to 5.5.25 for proper SSO integration between Oracle WebCenter Ensemble and Oracle WebCenter Interaction. This integration will fail if you use Apache Tomcat 5.5.25 or above.

    The portal.war file is located in: install_dir\ensembleproxy\version\integration\alisso\

    Deploy the portal.war file on the portal server. The location to which you deploy the portal.war file is the Portal Cookie Replication URL.


    Note:

    Although you can use various brands of web servers to host the Oracle WebCenter Interaction portal, you must use Apache Tomcat to host the portal.war file.

  2. Enable the Remember Me cookie features of Oracle WebCenter Interaction by performing the following:


    Note:

    Before performing these steps, determine the security impact that enabling Remember Me cookie features might have on your portal environment.

    1. On the machine on which Oracle WebCenter Interaction is installed, navigate to install_dir\settings\portal\portalconfig.xml

    2. Ensure that the AllowAutoConnect node is set to 1.

    3. Restart Oracle WebCenter Interaction.

  3. Navigate to Configuration Manager > Ensemble > SSO Login, and enable portal cookie replication. Additionally, configure the following settings:

    • Portal Cookie Replication URL: The location to which you deployed the portal.war file in the previous step. Oracle WebCenter Ensemble redirects to this URL to verify that a portal cookie exists.

    • Timeout: The interval, in milliseconds, at which Oracle WebCenter Ensemble checks for portal cookies.

    • Access Level: The access level that is assigned to the user when Oracle WebCenter Ensemble detects a valid portal session cookie. Valid values are between 1 and 10. For information on authentication levels, see Authentication Levels.

  4. Navigate to Oracle WebCenter Configuration Manager > Ensemble > ALUI Security Login Tokens, and ensure that the following settings are correctly configured:

    1. The default token type should be set to ALUI.

    2. The message authentication code seed value should match the login token root value. You can find the login token root value in the ptserverconfig table of the Oracle WebCenter Interaction database.

  5. Navigate to Oracle WebCenter Configuration Manager > Ensemble > ALUI Directory.

    1. Ensure that the authentication provider is set to ALUI.

    2. Ensure that all values for the Connection Information, Users, and Groups sections are correctly configured.

Integrating with Computer Associates SiteMinder

Configuring Oracle WebCenter Ensemble to authenticate users with SiteMinder involves protecting a special Oracle WebCenter Ensemble resource, sso.aspx, with SiteMinder. Oracle WebCenter Ensemble uses this resource to authenticate a user with SiteMinder when the user attempts to access any resource with an authentication level that requires SiteMinder.

The process flow is as follows:

  1. The user attempts to access a resource proxied by Oracle WebCenter Ensemble.

  2. Oracle WebCenter Ensemble determines the user needs to authenticate with SiteMinder.

  3. Oracle WebCenter Ensemble redirects the user to sso.aspx. Since sso.aspx is protected by SiteMinder, the user is asked to authenticate to SiteMinder.

  4. On successful authentication, the user accesses sso.aspx, which redirects the user to Oracle WebCenter Ensemble marked as authenticated.

  5. Oracle WebCenter Ensemble redirects the user to the resource that the user initially attempted to access.

The redirects between sso.aspx and Oracle WebCenter Ensemble are transparent to the user. The user experiences attempting to access the resource, being authenticated by SiteMinder, and then accessing the resource.

Configuring Oracle WebCenter Ensemble and SiteMinder

To configure Oracle WebCenter Ensemble for use with SiteMinder, first install sso.aspx and configure SiteMinder to protect it:

  1. Create a virtual directory on IIS and protect it with SiteMinder.

  2. Copy sso.aspx and sso.aspx.cs to the virtual directory you created. There are versions of these files for .NET v1.1 and .NET v2.0. In a default installation, the files are located under the NET v1.1 aspx or NET v2.0 aspx directory in: install_dir\loginserver\2.0\webapp\loginserver\ssointegration\siteminder\

  3. Verify that the files are installed and SiteMinder is correctly configured. Attempt to access sso.aspx via IIS. You are prompted to log into SiteMinder and then are presented with a page of header information. (The result from sso.aspx is not intended to be human-readable.)

Once you have correctly installed sso.aspx, you must configure Oracle WebCenter Ensemble to access sso.aspx via IIS. To configure Oracle WebCenter Ensemble:

  1. Launch the Ensemble Console.

  2. Click the APPLICATIONS tab.

  3. Click the Resources sub-tab.

  4. Click the CA SiteMinder sample login resource.

  5. On the Connections page, edit the Internal URL prefix to point to the location of sso.aspx. For example: http://siteminder.company.com:80/ensembleIntegration/

    Do not include the file name sso.aspx.

  6. Restart the BEA ALI Security Service, the BEA AL Ensemble Administrative UI, and the BEA AL Ensemble Proxy.

  7. Verify that the login resource is correctly configured. Create a resource and policy to protect it with your SiteMinder authentication level and configure your experience rules to request SiteMinder authentication when a user accesses the resource.

Integrating with Oracle COREid

Configuring Oracle WebCenter Ensemble to authenticate users with COREid involves protecting a special Oracle WebCenter Ensemble resource, sso.aspx, with COREid. Oracle WebCenter Ensemble uses this resource to authenticate a user with COREid when the user attempts to access any resource with an authentication level that requires COREid.

The process flow is as follows:

  1. The user attempts to access a resource proxied by Oracle WebCenter Ensemble.

  2. Oracle WebCenter Ensemble determines that the user needs to authenticate with COREid.

  3. Oracle WebCenter Ensemble redirects the user to sso.aspx. Since sso.aspx is protected by COREid, the user is asked to authenticate to COREid.

  4. On successful authentication, the user accesses sso.aspx, which redirects the user to Oracle WebCenter Ensemble marked as authenticated.

  5. Oracle WebCenter Ensemble redirects the user to the resource that the user initially attempted to access.

The redirects between sso.aspx and Oracle WebCenter Ensemble are transparent to the user. The user experiences attempting to access the resource, being authenticated by COREid, and then accessing the resource.

Configuring Oracle WebCenter Ensemble and COREid

To configure Oracle WebCenter Ensemble for use with COREid, first install sso.aspx and configure COREid to protect it:

  1. Create a virtual directory on IIS and protect it with COREid.

  2. Copy sso.aspx and sso.aspx.cs to the virtual directory you created. There are versions of these files for .NET v1.1 and .NET v2.0. In a default installation, the files are located under the NET v1.1 aspx or NET v2.0 aspx directory in: install_dir\loginserver\2.0\webapp\loginserver\ssointegration\coreid\

  3. Verify that the files are installed and that COREid is correctly configured. Attempt to access sso.aspx via IIS. You are prompted to log into COREid and then are presented with a page of header information. (The result from sso.aspx is not intended to be human-readable.)

Once you have correctly installed sso.aspx, you must configure Oracle WebCenter Ensemble to access sso.aspx via IIS. To configure Oracle WebCenter Ensemble:

  1. Launch the Ensemble Console.

  2. Click the APPLICATIONS tab.

  3. Click the Resources sub-tab.

  4. Click the Oracle COREid sample login resource.

  5. On the Connections page, edit the Internal URL prefix to point to the location of sso.aspx. For example: http://coreid.company.com:80/ensembleIntegration/

    Do not include the file name sso.aspx.

  6. Restart the BEA ALI Security Service, the BEA AL Ensemble Administrative UI, and the BEA AL Ensemble Proxy.

  7. Verify that the login resource is correctly configured. Create a resource and policy to protect it with your COREid authentication level and configure your experience rules to request COREid authentication when the user accesses the resource.

Integrating with Microsoft Active Directory via SPNEGO

Configuring Oracle WebCenter Ensemble for SPNEGO authentication is a complex process involving configuration of the Active Directory server in addition to the creation of Oracle WebCenter Ensemble configuration files and Oracle WebCenter Ensemble configuration within the Ensemble Console.

For instructions on configuring credential mapping with SPNEGO authentication, see Configuring Credential Mapping with SPNEGO Authentication.

To complete the Oracle WebCenter Ensemble / SPNEGO integration, complete the instructions of each of the following sub-sections in the order provided:

  1. Configuring Microsoft Active Directory

  2. Configuring the Oracle WebCenter Ensemble Server

  3. Verifying the Oracle WebCenter Ensemble / SPNEGO Integration

Configuring Microsoft Active Directory

Oracle WebCenter Ensemble requires an Active Directory account with which to query the Active Directory. To configure this account:

  1. Create a new Active Directory user. Record the OU because you will need it when configuring Kerberos on the Oracle WebCenter Ensemble server. For example, assume the user is in:

    CN=Users,DC=ensemble,DC=mydomain,DC=com
    

    Oracle WebCenter Ensemble will need to use the ensemble.mydomain.com realm.

  2. Verify that the user account is Kerberos enabled:

    • Turn on Use DES encryption types for this account.

    • Verify that Do not require Kerberos pre-authentication is not selected.

  3. Enable Oracle WebCenter Ensemble to access Active Directory as a service by using the Windows utility setspn to create an SPN for Oracle WebCenter Ensemble. For example, type:

    setspn -a HTTP/ensembleserver.mydomain.com ensembleuser
    

    Replace ensembleserver.mydomain.com with the fully qualified domain name of your Oracle WebCenter Ensemble server and ensembleuser with the user you just created in Active Directory.

  4. Create a keytab file for the SPN you created using ktab. This file will be used on the Oracle WebCenter Ensemble server to authenticate Oracle WebCenter Ensemble to the Active Directory server. For example, type:

    ktab -k mykeytab -a HTTP/ensembleserver.fakedomain.com
    

    This will create a keytab file, mykeytab.

  5. Put a backup copy of the keytab file in a secure location. Then copy the keytab file to the Oracle WebCenter Ensemble server.

Configuring the Oracle WebCenter Ensemble Server

To configure the Oracle WebCenter Ensemble server to access Active Directory:

  1. Copy the keytab file you created in Configuring Microsoft Active Directory, to a location on your Oracle WebCenter Ensemble server. For example: C:\SPNEGO\mykeytab

  2. Create a new text file named jaas.conf. For example: C:\SPNEGO\jaas.conf

  3. Copy the following into jaas.conf:

    com.sun.security.jgss.krb5.initiate { 
    com.sun.security.auth.module.Krb5LoginModule required debug=true
    principal="host/ensembleserver.mydomain.com" useKeyTab=true
    keyTab="c:\\SPNEGO\\mykeytab" storeKey=true;
    };
    com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required debug=true
    principal="host/ensembleserver.mydomain.com" useKeyTab=true
    keyTab="c:\\SPNEGO\\mykeytab" storeKey=true;
    };
    

    Replace host/ensembleserver.mydomain.com with your SPN and c:\\SPNEGO\\mykeytab with the path to your keytab file.


    Note:

    Use host/ instead of HTTP/ for the SPN.

  4. Configure the Ensemble Proxy server wrapper.conf to refer to your jaas.conf. By default, the Ensemble Proxy server wrapper.conf is located at: install_dir\ensembleproxy\2.0\settings\config\

    Add the following lines to wrapper.conf, replacing C:\SPNEGO\jaas.conf with the location of your jaas.conf. You must add the lines near the top of the wrapper.conf, in the section titled Additional -D Java Properties. You must number the wrapper.java.additional.# properties consecutively in ascending order, starting with wrapper.java.additional.19. The wrapper.java.additional.19 property will already exist. Add the following lines:

    wrapper.java.additional.21=-Djava.security.auth.login.config=C:\SPNEGO\jaas.conf
    wrapper.java.additional.22=-Djavax.security.auth.useSubjectCredsOnly=false 
    wrapper.java.additional.23=-Dsun.security.krb5.debug=true
    
  5. Create a krb5.ini file in your winnt directory. For example: C:\winnt\krb5.ini

  6. Copy the following into the krb5.ini file you created:

    [libdefaults]
    udp_preference_limit = 1
    default_realm = ENSEMBLE.MYDOMAIN.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    ticket_lifetime = 600
    
    [realms]
    ENSEMBLE.MYDOMAIN.COM = {
    kdc = ADSERVER.MYDOMAIN.COM
    admin_server = ADSERVER.MYDOMAIN.COM
    default_domain = ENSEMBLE.MYDOMAIN.COM
    }
    
    [domain_realm]
    .ENSEMBLE.MYDOMAIN.COM = ENSEMBLE.MYDOMAIN.COM
    ENSEMBLE.MYDOMAIN.COM = ENSEMBLE.MYDOMAIN.COM
    
    [appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
    
  7. Edit the krb5.ini file so that:

    • ENSEMBLE.MYDOMAIN.COM is the realm (OU) of the server user account you created on your Active Directory server.

    • ADSERVER.MYDOMAIN.COM is the fully qualified domain name of your Active Directory server.

  8. Retrieve the shared secret key from the Oracle WebCenter Interaction portal database. Open the PTSERVERCONFIG table. The shared secret key is VALUE where SETTINGID=65. For example:

    select VALUE from PTSERVERCONFIG where SETTINGID=65;
    
  9. Add the shared secret key to the Oracle WebCenter Ensemble configuration.xml. On the Oracle WebCenter Ensemble server, configuration.xml is located by default at: install_dir\settings\runner\configuration.xml

    In configuration.xml, ensure the value of the following setting is your shared secret key:

    <setting name="runnersso:ssologin:sharedSecretKey">
        <value xsi:type="xsd:string">[Your shared secret key]</value>
    </setting>
    
  10. In Oracle WebCenter Configuration Manager, browse to ENSEMBLE > ALUI Security Login Tokens and ensure that you have correctly configured this component's settings.

    Correct configuration includes setting the default token type to ALUI and providing a message authentication code seed value for ALUI login tokens.

  11. Restart the BEA AL Ensemble Administrative UI, and the BEA AL Ensemble Proxy.
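Before restarting the proxy it is worth checking that the three files from steps 3 to 6 agree with each other, since a principal written as HTTP/ instead of host/, a keytab path that differs between the initiate and accept entries, or a gap in the wrapper.java.additional numbering only shows up as a failed Kerberos login later. The script below is an added example, not Oracle's code: its parse_jaas, parse_krb5_ini and parse_wrapper_additional functions are minimal readers written for this check, the file bodies are constructed from the samples on this page (the wrapper.java.additional.19 and .20 lines stand in for whatever already exists in your wrapper.conf), and the "info:" line about DES is this example's own caveat, not a statement from the guide.

```python
"""Added example (not Oracle's code): cross-check the jaas.conf, krb5.ini and
wrapper.conf fragments from this section before restarting the proxy.
The file bodies below are constructed from the page's samples; the
wrapper.java.additional.19/20 lines are placeholders for pre-existing ones."""
import re
from typing import Dict, List, Tuple

JAAS_PATH = r"C:\SPNEGO\jaas.conf"

JAAS_CONF = r"""
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true
principal="host/ensembleserver.mydomain.com" useKeyTab=true
keyTab="c:\\SPNEGO\\mykeytab" storeKey=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required debug=true
principal="host/ensembleserver.mydomain.com" useKeyTab=true
keyTab="c:\\SPNEGO\\mykeytab" storeKey=true;
};
"""

KRB5_INI = """
[libdefaults]
default_realm = ENSEMBLE.MYDOMAIN.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

[realms]
ENSEMBLE.MYDOMAIN.COM = {
kdc = ADSERVER.MYDOMAIN.COM
admin_server = ADSERVER.MYDOMAIN.COM
}

[domain_realm]
.ENSEMBLE.MYDOMAIN.COM = ENSEMBLE.MYDOMAIN.COM
ENSEMBLE.MYDOMAIN.COM = ENSEMBLE.MYDOMAIN.COM
"""

WRAPPER_CONF = r"""
# Additional -D Java Properties (constructed excerpt)
wrapper.java.additional.19=-Dplaceholder.existing.property=1
wrapper.java.additional.20=-Dplaceholder.existing.property=2
wrapper.java.additional.21=-Djava.security.auth.login.config=C:\SPNEGO\jaas.conf
wrapper.java.additional.22=-Djavax.security.auth.useSubjectCredsOnly=false
wrapper.java.additional.23=-Dsun.security.krb5.debug=true
"""


def parse_jaas(text: str) -> Dict[str, Dict[str, str]]:
    """Return {entry_name: {option: value}} for each `name { ... };` block."""
    entries: Dict[str, Dict[str, str]] = {}
    for name, body in re.findall(r"(\S+)\s*\{(.*?)\};", text, re.S):
        opts = re.findall(r'(\w+)=("[^"]*"|\S+?)(?=[\s;])', body)
        entries[name] = {k: v.strip('"') for k, v in opts}
    return entries


def parse_krb5_ini(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal krb5.ini reader: [section] key = value, plus one level of `X = { ... }` blocks."""
    conf: Dict[str, Dict[str, object]] = {}
    section, block = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], ""
            conf[section] = {}
        elif line == "}":
            block = ""
        elif "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = key
                conf[section][key] = {}
            elif block:
                conf[section][block][key] = value       # type: ignore[index]
            else:
                conf[section][key] = value
    return conf


def parse_wrapper_additional(text: str) -> List[Tuple[int, str]]:
    """Collect (index, value) for wrapper.java.additional.N=... lines, in file order."""
    return [(int(n), v.strip()) for n, v in
            re.findall(r"^wrapper\.java\.additional\.(\d+)=(.*)$", text, re.M)]


def check_spnego_config(jaas, krb5, wrapper, jaas_path) -> List[str]:
    """Return findings; only 'info:' lines means the files agree with each other."""
    out: List[str] = []
    for entry in ("com.sun.security.jgss.krb5.initiate", "com.sun.security.jgss.krb5.accept"):
        opts = jaas.get(entry)
        if opts is None:
            out.append(f"jaas.conf: missing entry {entry}")
            continue
        if not opts.get("principal", "").startswith("host/"):       # page note: host/, not HTTP/
            out.append(f"jaas.conf {entry}: principal must start with host/ (got {opts.get('principal')!r})")
        if opts.get("useKeyTab") != "true" or opts.get("storeKey") != "true" or not opts.get("keyTab"):
            out.append(f"jaas.conf {entry}: expected useKeyTab=true storeKey=true and a keyTab path")
    if len({o.get("keyTab") for o in jaas.values()}) > 1:
        out.append("jaas.conf: initiate and accept entries name different keytab files")
    libdefaults = krb5.get("libdefaults", {})
    realm = libdefaults.get("default_realm", "")
    if realm != realm.upper() or "kdc" not in krb5.get("realms", {}).get(realm, {}):
        out.append(f"krb5.ini: default_realm {realm!r} must be upper-case and have a [realms] kdc")
    if "des" in libdefaults.get("default_tkt_enctypes", ""):        # this example's own caveat
        out.append("info: DES enctypes are disabled by default on current domain controllers; "
                   "confirm the account and KDC still allow them")
    idx = [n for n, _ in wrapper]
    if idx and idx != list(range(idx[0], idx[0] + len(idx))):
        out.append(f"wrapper.conf: wrapper.java.additional.# must be consecutive and ascending, got {idx}")
    values = [v for _, v in wrapper]
    if f"-Djava.security.auth.login.config={jaas_path}" not in values:
        out.append("wrapper.conf: no -Djava.security.auth.login.config line pointing at jaas.conf")
    if "-Djavax.security.auth.useSubjectCredsOnly=false" not in values:
        out.append("wrapper.conf: -Djavax.security.auth.useSubjectCredsOnly=false is missing")
    return out


def run_check() -> List[str]:
    """Run the checks over the constructed file bodies above."""
    return check_spnego_config(parse_jaas(JAAS_CONF), parse_krb5_ini(KRB5_INI),
                               parse_wrapper_additional(WRAPPER_CONF), JAAS_PATH)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

To use it against a real server, read the three files from disk in place of the constants and keep JAAS_PATH equal to the path you wrote into wrapper.conf; every line the script prints other than the "info:" one is something to fix before the restart in step 11.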

Verifying the Oracle WebCenter Ensemble / SPNEGO Integration

Verify the login resource is correctly configured. Create a resource and policy to protect it with your SPNEGO authentication level and configure your experience rules to request SPNEGO authentication when the user accesses the resource.

Integrating with Oracle Virtual Directory

This section provides details about configuring Oracle WebCenter Ensemble to access multiple LDAP servers via Oracle Virtual Directory.

To integrate Oracle WebCenter Ensemble with Oracle Virtual Directory:

  1. Navigate to Oracle WebCenter Configuration Manager > Ensemble > ALUI Directory.

  2. Ensure that the authentication provider is set to LDAP.

  3. Ensure that the values for the settings in the ALUI Directory component are correctly configured to point to the Oracle Virtual Directory server.


    Note:

    In Oracle WebCenter Configuration Manager, the value for the User Authentication Name setting must match the user authentication name attribute that is assigned to all users, including the Principal user. The value for the Principal setting can be the distinguished name of any administrative account in Oracle Virtual Directory, and must be searchable by the authentication name attribute. If these settings are not configured correctly, the Ensemble Admin UI will not start properly, and users will not be able to log in.

SSO Logout

A user may be accessing multiple resources under a single SSO authentication. When a user logs out of an Oracle WebCenter Ensemble proxied resource, Oracle WebCenter Ensemble can prompt the user to log out of only that application or all applications.

For Oracle WebCenter Ensemble to capture logout attempts, you must configure one or more internal logout patterns for each resource.

To configure SSO log out patterns:

  1. Launch the Ensemble Console.

  2. Click the APPLICATIONS tab.

  3. Click the Resources sub-tab.

  4. Click the name of the resource you want to edit.

  5. On the SSO Log Out Settings page, type the regular expression pattern that matches your log out page into the Internal log out URL patterns box.

  6. To add more patterns, click Add.

  7. To delete patterns, click Delete.

  8. When you are done configuring SSO Log Out Settings, click Save.
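An unanchored log-out pattern such as `logout` also matches any other page of the application whose URL happens to contain that word, so the proxy would treat a visit to that page as a log-out attempt. The script below is an added example, not part of this guide or of the product: it audits a list of candidate patterns against the resource's known log-out URLs and its ordinary URLs, reporting what each pattern misses and what it wrongly captures. The sample URLs are constructed, and it assumes each pattern is applied to the internal URL with search semantics (re.search); the guide does not state how Ensemble applies the pattern, so anchor your patterns explicitly to be safe.

```python
"""Added example (not Oracle's code): audit the regular-expression log-out patterns
configured for a resource against that resource's known URLs. Pattern semantics are
an assumption: each pattern is applied with re.search to the internal request URL."""
import re
from typing import Dict, Iterable, List


def is_logout_request(internal_url: str, patterns: Iterable[str]) -> bool:
    """True when any configured pattern matches the internal URL (search semantics assumed)."""
    return any(re.search(p, internal_url) for p in patterns)


def audit_logout_patterns(patterns: List[str], logout_urls: List[str],
                          other_urls: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """For each pattern, report log-out URLs it misses and ordinary URLs it wrongly captures."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for p in patterns:
        rx = re.compile(p)
        report[p] = {
            "missed": [u for u in logout_urls if not rx.search(u)],
            "overmatched": [u for u in other_urls if rx.search(u)],
        }
    return report


# Constructed sample URLs for a hypothetical proxied application.
LOGOUT_URLS = ["/app/logout", "/app/logout?reason=idle"]
OTHER_URLS = ["/app/help/logout-faq.html", "/app/reports/2024", "/app/login"]

LOOSE_PATTERN = r"logout"                          # over-broad: also hits the help page
STRICT_PATTERN = r"^/app/logout(\?.*)?$"           # anchored to the real log-out page


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Audit the loose and the strict pattern against the constructed URLs."""
    return audit_logout_patterns([LOOSE_PATTERN, STRICT_PATTERN], LOGOUT_URLS, OTHER_URLS)


if __name__ == "__main__":
    for pattern, result in demo().items():
        print(pattern, result)
```

Run the audit with your own URL lists before saving the patterns in step 8; a pattern whose "overmatched" list is non-empty will prompt users to log out when they open an unrelated page.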