17.3 Administering OracleAS Single Sign-On

This section describes some of the administrative tasks you may need to perform as you maintain security for Oracle Reports Services.

17.3.1 Enabling and Disabling OracleAS Single Sign-On

To take advantage of OracleAS Single Sign-On out-of-the-box, the SINGLESIGNON parameter in the Oracle Reports Servlet (rwservlet) configuration file (rwservlet.properties) is set to YES, which specifies that you will use OracleAS Single Sign-On to authenticate users. Oracle considers this to be the normal security deployment model and you should set <singlesignon>no</singlesignon> only if you plan to run in a completely custom security configuration.

Use Oracle Enterprise Manager to change configuration settings, rather than directly editing configuration files. To enable or disable OracleAS Single Sign-On, see Section 7.8.6, "Enabling and Disabling Single Sign-On".

17.3.2 Enabling and Disabling Reports Server Security

In 11g Release 1 (11.1.1), Reports Server is secured out-of-the-box using Portal-based security by default. However, you can enable JPS-based security, including JAZN-XML authorization. For more information, see Chapter 15, "Securing Oracle Reports Services".

Use Oracle Enterprise Manager to change configuration settings, rather than directly editing configuration files. To enable or disable security, see Section 7.8.1, "Enabling and Disabling Security".

During Oracle Fusion Middleware installation, you are asked to select an identity store, a policy store, and a credential store. By default, these are file-based stores. After installation, you can change any of these to LDAP-based stores, such as Oracle Internet Directory. For more information, see "Understanding Identities, Policies, and Credentials" in Oracle Fusion Middleware Security Guide.

17.3.3 Enabling and Disabling Data Source Security

To enable data source security through OracleAS Single Sign-On, you must do the following:

  • Include SSOCONN in the URL that launches the report.

  • Populate Oracle Internet Directory with data source connection information using one of three methods.

If you wish to implement data source security through OracleAS Single Sign-On for your own pluggable data sources, you must perform the following additional task:

  • Add a new resource type to Oracle Internet Directory.

The sections that follow explain how to perform these operations.

17.3.3.1 SSOCONN

To enable data source security through OracleAS Single Sign-On, the URL must contain or reference (that is, through the key map file) an OracleAS Single Sign-On parameter (SSOCONN) with a value of the form:

key_name/data_source_type/conn_string_parameter

key_name maps to a string stored in Oracle Internet Directory that provides the necessary information to connect to the database. When Oracle Reports encounters a key_name, it checks to see if the current user has a corresponding key stored in Oracle Internet Directory. If so, Oracle Reports uses the string stored in that key to connect to the data source. If not, Oracle Reports checks to see if the key_name maps to a publicly available key. If so, Oracle Reports uses that key. If not, Oracle Delegated Administration Services prompts the user to create a new resource.

See Also:

Section 17.3.3.2, "Populating Oracle Internet Directory" for more information about populating Oracle Internet Directory with resources.

data_source_type is the kind of data source to which you are connecting, to identify the format in the string associated with key_name. The data_source_type value must be a valid resource type stored in Oracle Internet Directory. Oracle Reports provides default resource types for the following:

  • Oracle database (OracleDB)

  • JDBC PDS (JDBCPDS)

You can also create additional resource types in Oracle Internet Directory for your own pluggable data sources.

See Also:

Section 17.3.3.3, "Adding a New Resource Type" for more information about adding resource types.

conn_string_parameter specifies the Oracle Reports system or user parameter to be used to pass the connection string to Oracle Reports. For example, in the case of the OracleDB data source, Oracle Reports receives the connection string through the USERID parameter and uses it to connect to the specified Oracle database. Similarly, for JDBCPDS, P_JDBCPDS is used. If you have your own custom pluggable data sources, you must define your own user parameter for passing the connection string to Oracle Reports and specify it as conn_string_parameter for SSOCONN.

17.3.3.1.1 Oracle Database Example

In the case of an Oracle database, the URL to call a report with SSOCONN would look something like the following:

http://myhost.mycompany.com:7779/reports/rwservlet?server=rs_cped
&report=my.rdf&destype=cache&ssoconn=mykey/OracleDB/userid&desformat=html

17.3.3.1.2 JDBC Pluggable Data Source Example

In the case of a JDBC data source, the Single Sign-On value would look something like the following:

http://myhost.mycompany.com:7779/reports/rwservlet?server=rs_cped
&report=Jdbcthin.rdf&destype=cache&desformat=html&ssoconn=jd1/jdbcpds/p_jdbcpds

In this case, jd1 is an Oracle Internet Directory resource name.

See Also:

Section 14.1, "Configuring and Using the JDBC PDS" for more information on how to configure a JDBC data source.

Usage Notes

  • When you use SSOCONN in a command line, you cannot:

    • Specify AUTHID in the same command line.

    • Run against a Reports Server that is not secure.

    • Have SINGLESIGNON set to NO in rwservlet.properties.

    Performing any of these actions with SSOCONN in the command line results in an error.
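The SSOCONN format and the three usage-note restrictions above are easy to get wrong in a hand-built report URL, so the following added example (not code from the Oracle Reports documentation) parses the SSOCONN value out of a report URL, splits it into key_name, data_source_type and conn_string_parameter, and reports every violation it can detect before the URL is sent. The resource-type names OracleDB and JDBCPDS and their parameters USERID and P_JDBCPDS come from this section; the check function itself, the case-insensitive comparison of names (the page's JDBC example writes "jdbcpds/p_jdbcpds"), and the custom_types option for your own pluggable data sources are assumptions made for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Default resource types and the parameter that carries the connection string
# for each (from the section). Compared case-insensitively here; that is an
# assumption based on the page's lower-case "jdbcpds/p_jdbcpds" example.
DEFAULT_RESOURCE_TYPES = {"oracledb": "userid", "jdbcpds": "p_jdbcpds"}

# The two report URLs shown in this section.
ORACLE_URL = ("http://myhost.mycompany.com:7779/reports/rwservlet?server=rs_cped"
              "&report=my.rdf&destype=cache&ssoconn=mykey/OracleDB/userid&desformat=html")
JDBC_URL = ("http://myhost.mycompany.com:7779/reports/rwservlet?server=rs_cped"
            "&report=Jdbcthin.rdf&destype=cache&desformat=html&ssoconn=jd1/jdbcpds/p_jdbcpds")


def parse_ssoconn(value):
    """Split a SSOCONN value into key_name/data_source_type/conn_string_parameter."""
    parts = value.split("/")
    if len(parts) != 3 or not all(parts):
        raise ValueError(
            f"SSOCONN must be key_name/data_source_type/conn_string_parameter, got {value!r}")
    return dict(zip(("key_name", "data_source_type", "conn_string_parameter"), parts))


def check_report_url(url, singlesignon="YES", server_secure=True, custom_types=None):
    """Validate a report URL that carries SSOCONN.

    singlesignon  - the SINGLESIGNON value from rwservlet.properties
    server_secure - whether the target Reports Server has security enabled
    custom_types  - {resource_type: conn_string_parameter} for pluggable data
                    sources you added yourself (hypothetical option)
    Returns (parsed_ssoconn_or_None, list_of_error_strings).
    """
    known = dict(DEFAULT_RESOURCE_TYPES)
    known.update({k.lower(): v.lower() for k, v in (custom_types or {}).items()})
    # Parameter names are normalised to lower case for comparison (assumption).
    query = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "ssoconn" not in query:
        return None, ["URL does not contain SSOCONN"]
    try:
        sso = parse_ssoconn(query["ssoconn"])
    except ValueError as exc:
        return None, [str(exc)]
    errors = []
    # The three restrictions from the usage notes.
    if "authid" in query:
        errors.append("AUTHID cannot be specified in the same command line as SSOCONN")
    if not server_secure:
        errors.append("SSOCONN cannot be used against a Reports Server that is not secure")
    if singlesignon.strip().upper() != "YES":
        errors.append("SSOCONN requires SINGLESIGNON=YES in rwservlet.properties")
    # data_source_type must be a resource type known to Oracle Internet Directory,
    # and the parameter must be the one that resource type reads its string from.
    ds_type = sso["data_source_type"].lower()
    if ds_type not in known:
        errors.append(f"unknown data_source_type {sso['data_source_type']!r}; "
                      "add it as a resource type in Oracle Internet Directory first")
    elif sso["conn_string_parameter"].lower() != known[ds_type]:
        errors.append(f"{sso['data_source_type']} expects conn_string_parameter "
                      f"{known[ds_type].upper()}, not {sso['conn_string_parameter']!r}")
    return sso, errors


if __name__ == "__main__":
    for url in (ORACLE_URL, JDBC_URL, ORACLE_URL + "&authid=scott/tiger"):
        sso, errors = check_report_url(url)
        print(sso, errors or "ok")
```

Run the file directly to see the two documented URLs pass and the AUTHID variant fail; the same function can be dropped into a pre-deployment check of report links with the SINGLESIGNON value read from rwservlet.properties.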

17.3.3.2 Populating Oracle Internet Directory

For data source security to function with OracleAS Single Sign-On, you must store the data connection information for each user in Oracle Internet Directory or make the resource a default one available to every user. You can populate Oracle Internet Directory with this information in any one of the following ways:

17.3.3.2.1 Oracle Delegated Administration Services

If you want to enter only the credentials for a small number of users (for example, for a development environment), you can use Oracle Delegated Administration Services (DAS) to directly enter connection string information into Oracle Internet Directory for each user.

Note:

Before a user can access Oracle Delegated Administration Services, an administrator must have already entered a user identity in Oracle Internet Directory for the user. This can be done by batch loading user information that already exists in another LDAP directory or data source.

See Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information on batch loading.

During Oracle Fusion Middleware installation, you specify the location of Oracle Delegated Administration Services. You use this URL to access Oracle Delegated Administration Services for administrative purposes. Once in Oracle Delegated Administration Services, you enter the information through the Resource Access Information section of the Preferences tab for the user. See Figure 17-2. Note that, for the Preferences tab to appear, there must already be a resource in place.

Figure 17-2 Delegated Administration Services Preferences


If you want to enter data source information for a large number of users, you should use either the user prompt or batch methods of populating Oracle Internet Directory.

17.3.3.2.2 User Prompt

If you prefer to have users enter their own connection string information, you do not have to prepopulate Oracle Internet Directory with data source connection information at all. If you use SSOCONN when launching the report but Oracle Internet Directory does not already contain a connection string for the key and the key is not publicly available to all users, the Oracle Delegated Administration Services Create Resource page is displayed to the user, who must enter their data source connection string. See Figure 17-3. Oracle Delegated Administration Services stores the string entered by the user in Oracle Internet Directory for future use and rwservlet uses the newly entered connection string for the data source connection string of the report.

Note:

Because of this feature, many users can use the same report URL even if they all use different data source connection strings.

Figure 17-3 Oracle Delegated Administration Services Create Resource


Note:

In the Create Resource dialog, if you want to enter a JDBC connection string, you can do so by entering hostname:port:sid in the Database field.

17.3.3.2.3 Batch Loading

Resources for Oracle Reports Services are created in Oracle Internet Directory under the following entry:

orclresourcename=resource_name, cn=Resource Access Descriptor,
orclownerguid=guid, cn=Extended Properties, cn=OracleContext,
dc=us,dc=oracle,dc=com (see Footnote 1)

Before You Begin

You must create orclownerguid=guid in the Oracle Internet Directory entry before you can proceed with the batch loading of resources. If you used Oracle Delegated Administration Services to create your users, orclownerguid=guid was created automatically and you can proceed to Batch Loading Resources.

If you seeded users into Oracle Internet Directory with an LDIF file, then, before following the steps in Batch Loading Resources, you must complete the following steps:

  1. Get the users' GUIDs.

    Depending on how your users were created in Oracle Internet Directory, you can use any of several methods to get their GUIDs, such as the Oracle Internet Directory LDAP API or the ldapsearch command:

    D:\Oracle\BIN>ldapsearch -h host_name -p port_num -L -D cn=orcladmin 
    -w orcladmin's_password -b "cn=users,dc=us,dc=oracle,dc=com" -s sub "objectclass=*" dn orclguid 
    
  2. Create the user entry orclownerguid=guid under cn=Extended Properties, cn=OracleContext, dc=us, dc=oracle, dc=com.

    1. Modify the sample script, ORACLE_HOME\reports\samples\scripts\createuser.ldif, by replacing the placeholders with real values.

    2. Load createuser.ldif using ldapadd. For example:

      D:\Oracle\BIN>ldapadd -D cn=orcladmin -w welcome1 
      -h host_name -p port_num -f createuser.ldif
      
  3. Once you have created orclownerguid=guid, proceed to Batch Loading Resources.

Batch Loading Resources

Follow the steps below to batch load data source resources for your users:

  1. Create the user's resource entry orclresourcename=resource_name, cn=Resource Access Descriptor under orclownerguid=guid, cn=Extended Properties, cn=OracleContext, dc=us, dc=oracle, dc=com, where orclownerguid=guid is the GUID created in Before You Begin.

    1. Modify the sample script, ORACLE_HOME\reports\samples\scripts\createresource.ldif, by replacing the placeholders with real values.

    2. Load createresource.ldif using ldapadd. For example:

      D:\Oracle\BIN>ldapadd -D cn=orcladmin -w orcladmin's_password -h host_name -p port_num -f createresource.ldif 
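The Before You Begin and Batch Loading Resources procedures above amount to: read each user's orclguid out of the ldapsearch output, then write one entry per user under the DN layout shown at the start of this section. The following added example (not code from the Oracle documentation and not a copy of its createuser.ldif or createresource.ldif samples) does exactly that in Python: it parses the LDIF that `ldapsearch -L ... dn orclguid` prints, builds the orclownerguid and Resource Access Descriptor DNs, and renders an LDIF add record using the orclUserIDAttribute, orclPasswordAttribute and orclFlexAttribute1 names from Table 17-1. The ldapsearch output and GUID values are constructed for the example, dc=us,dc=oracle,dc=com is the page's own example realm, and the object classes of the resource entry are not shown on the page, so they appear as a labelled placeholder to be taken from the real sample script.

```python
import base64

# Constructed sample of what `ldapsearch -L ... dn orclguid` prints (LDIF).
# The second GUID is folded onto a continuation line, as LDIF allows, and the
# third user has no orclguid at all; both cases must be handled.
SAMPLE_LDAPSEARCH_OUTPUT = """\
dn: cn=jsmith,cn=users,dc=us,dc=oracle,dc=com
orclguid: 1A2B3C4D5E6F70819A2B3C4D5E6F7081

dn: cn=alee,cn=users,dc=us,dc=oracle,dc=com
orclguid: 0F1E2D3C4B5A6978
 8796A5B4C3D2E1F0

dn: cn=noguid,cn=users,dc=us,dc=oracle,dc=com
"""

# Example realm only (Footnote 1 on the page); substitute your own.
BASE_DN = "dc=us,dc=oracle,dc=com"
# PLACEHOLDER: the page does not show the resource entry's object classes.
# Take them from ORACLE_HOME\reports\samples\scripts\createresource.ldif.
PLACEHOLDER_OBJECT_CLASSES = ("PLACEHOLDER_RESOURCE_OBJECTCLASS",)


def _unfold(ldif_text):
    """Join LDIF continuation lines (lines that start with a single space)."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_guids(ldif_text):
    """Return {user_dn: orclguid} from ldapsearch -L output. Users without an
    orclguid are left out; 'attr:: <base64>' values are decoded."""
    guids, current_dn = {}, None
    for line in _unfold(ldif_text):
        if not line.strip():
            current_dn = None            # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if value.startswith(":"):        # base64 form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if attr == "dn":
            current_dn = value
        elif attr == "orclguid" and current_dn:
            guids[current_dn] = value
    return guids


def owner_dn(guid, base_dn=BASE_DN):
    """The orclownerguid entry that must exist before resources are loaded."""
    return f"orclownerguid={guid},cn=Extended Properties,cn=OracleContext,{base_dn}"


def resource_dn(resource_name, guid, base_dn=BASE_DN):
    """Resource Access Descriptor entry for one user's resource."""
    return f"orclresourcename={resource_name},cn=Resource Access Descriptor,{owner_dn(guid, base_dn)}"


def ldif_line(attr, value):
    """'attr: value', or the base64 'attr:: ' form when LDIF requires it
    (leading space/colon/<, surrounding whitespace, non-ASCII, line breaks)."""
    if (not value.isascii() or value[:1] in (" ", ":", "<")
            or value != value.strip() or "\n" in value or "\r" in value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def resource_ldif(resource_name, guid, user_id, password, flex1=None,
                  base_dn=BASE_DN, object_classes=PLACEHOLDER_OBJECT_CLASSES):
    """One LDIF add record for a resource, using the Table 17-1 attribute names."""
    lines = [ldif_line("dn", resource_dn(resource_name, guid, base_dn))]
    lines += [ldif_line("objectclass", oc) for oc in object_classes]
    lines += [ldif_line("orclresourcename", resource_name),
              ldif_line("orclUserIDAttribute", user_id),
              ldif_line("orclPasswordAttribute", password)]
    if flex1 is not None:
        lines.append(ldif_line("orclFlexAttribute1", flex1))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for user_dn, guid in parse_guids(SAMPLE_LDAPSEARCH_OUTPUT).items():
        print(f"# {user_dn}")
        print(resource_ldif("mykey", guid, "scott", "tiger", "db1"))
```

Feed the real ldapsearch output to parse_guids, replace the placeholder object classes with those from createresource.ldif, and the concatenated records can be loaded with the ldapadd command shown above. Because the records carry database passwords, write the generated file with restrictive permissions and remove it once loaded.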
      

17.3.3.2.4 Making a Resource Available to All Users

If you want to make a resource publicly available to all of your users, you can do so by following these steps:

  1. Launch Oracle Delegated Administration Services and go to the Home tab.

  2. Log in as the administrator (orcladmin).

  3. Click the Configuration tab.

  4. Click the Preferences subtab. You should see a page similar to the one in Figure 17-4.

Figure 17-4 Oracle Internet Directory Configuration Preferences Page


  1. Under Default Resource Access Information, click Create.

  2. In the Create Resource page, enter the resource name and select the Resource type from the drop-down list. For example, JDBCPDS.

  3. Click Next.

  4. Enter the connection information. For example, scott/tiger@mydb.

  5. Click Submit.

  6. Click OK.

    That resource should now appear under Default Resource Access Information and be available to all users.

17.3.3.3 Adding a New Resource Type

If you want to add a new resource type to support your own pluggable data source, you must perform the following procedure:

  1. Launch Oracle Delegated Administration Services and go to the Home tab.

  2. Log in as the administrator (orcladmin).

  3. Click the Configuration tab.

  4. Click the Preferences subtab. You should see a page similar to the one in Figure 17-4.

  5. Under Configure Resource Type Information, click Create. You should see a page similar to the one in Figure 17-5.

    Figure 17-5 Create Resource Type page


  6. Fill in at least the required fields. Field descriptions are provided in Table 17-1.

    Table 17-1 Create Resource Type Properties

    Resource Type Name: The name of the new resource type. This name is used when you reference the resource type, for example, in the data_source_type portion of the SSOCONN string.

    Display Name: The name used when the resource type appears in the user interface.

    Description: A textual description that explains the purpose of the resource type, plus any other documentary information you want to record for it.

    Authentication Class: Mandatory field, not used by Oracle Reports Services. Enter dummy text as a value for this field.

    Connection String Format: Defines how Oracle Reports Services constructs the connection string from the values stored in Oracle Internet Directory for the resource. For example, for the Oracle database or a JDBC data source your connection string format might be:

    orclUserIDAttribute/orclPasswordAttribute@orclFlexAttribute1

    This string indicates that the user name is followed by a slash, the password, an at sign (@), and then additional attribute 1 (for example, the TNS name of the database). A connection string that adheres to this format would look similar to this one:

    scott/tiger@db1

    User Name/ID Field Name: The display name of the user name field, which holds the value for orclUserIDAttribute. The display name appears on the Create Resource page (Figure 17-3) next to the field for orclUserIDAttribute. Typically, you would enter something like Username or User Name for this display name.

    Password Field Name: The display name of the password field, which holds the value for orclPasswordAttribute. The display name appears on the Create Resource page (Figure 17-3) next to the field for orclPasswordAttribute. Typically, you would enter something like Password or password for this display name.

    Additional Field 1-3: The display names of the additional fields, which hold the values of orclFlexAttribute1, orclFlexAttribute2, and orclFlexAttribute3. You must specify these fields for whatever values your connection string requires beyond user name and password; for example, you might use one of them to hold a server or domain name. The display name appears on the Create Resource page (Figure 17-3) next to the field for orclFlexAttribute1, orclFlexAttribute2, or orclFlexAttribute3. Typically, you would enter something descriptive of the field's contents, such as Server or Domain, for this display name.


  7. Click Submit. Your resource type is created and you can now reference it in the data_source_type portion of the SSOCONN value.
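The Connection String Format property in Table 17-1 is a template over the five attribute names stored for a resource, and the description of how a stored resource becomes a connection string is short enough that a worked example helps. The following added example (not code from Oracle Reports Services, whose internal implementation is not shown on the page) expands a format string against a resource's attribute values, lists the attributes a format requires so you can tell a stored resource is incomplete, and performs the inverse split, which is what you need when taking a connection string typed on the Create Resource page apart for batch loading. The token names come from Table 17-1; the Oracle format is the page's own example written without the space around the at sign; all resource values and the JDBC-style variant are constructed.

```python
import re

# The attribute names a Connection String Format may refer to (Table 17-1).
FORMAT_TOKENS = ("orclUserIDAttribute", "orclPasswordAttribute",
                 "orclFlexAttribute1", "orclFlexAttribute2", "orclFlexAttribute3")
# Longest names first so that no token is matched as a prefix of another.
_TOKEN_RE = re.compile("|".join(sorted(FORMAT_TOKENS, key=len, reverse=True)))

# The page's Oracle database example: user name, slash, password, at sign,
# then additional attribute 1 (for example, the TNS name).
ORACLE_FORMAT = "orclUserIDAttribute/orclPasswordAttribute@orclFlexAttribute1"


def tokens_in_format(fmt):
    """Attributes the format refers to, in order of first appearance."""
    seen = []
    for m in _TOKEN_RE.finditer(fmt):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def missing_attributes(fmt, resource):
    """Attributes the format needs that the stored resource does not provide."""
    return [t for t in tokens_in_format(fmt) if resource.get(t) is None]


def build_connection_string(fmt, resource):
    """Assemble the connection string that Reports Services would pass to the
    data source, from the resource's stored attribute values (a dict keyed by
    attribute name). Raises KeyError if the resource is incomplete."""
    missing = missing_attributes(fmt, resource)
    if missing:
        raise KeyError("resource lacks attribute(s) the format requires: " + ", ".join(missing))
    return _TOKEN_RE.sub(lambda m: resource[m.group(0)], fmt)


def split_connection_string(fmt, conn_str):
    """Inverse: recover the attribute values from a connection string that
    follows fmt. Literal text between tokens must match exactly and each token
    takes the shortest run of characters before the next literal, so a value
    that itself contains that literal (a password with '@' in this format)
    cannot be split unambiguously. Returns None if the string does not fit."""
    pattern, pos = "", 0
    for m in _TOKEN_RE.finditer(fmt):
        pattern += re.escape(fmt[pos:m.start()]) + f"(?P<{m.group(0)}>.+?)"
        pos = m.end()
    pattern += re.escape(fmt[pos:])
    match = re.fullmatch(pattern, conn_str)
    return match.groupdict() if match else None


if __name__ == "__main__":
    # Constructed resource values, matching the page's scott/tiger@db1 example.
    stored = {"orclUserIDAttribute": "scott", "orclPasswordAttribute": "tiger",
              "orclFlexAttribute1": "db1"}
    print(build_connection_string(ORACLE_FORMAT, stored))
    print(split_connection_string(ORACLE_FORMAT, "scott/tiger@db1"))
```

A JDBC resource that keeps hostname:port:sid in the Database field (the note under Figure 17-3) fits the same format with that whole value in orclFlexAttribute1; the example handles it unchanged.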

17.3.4 Connecting to Oracle Internet Directory

As described in Chapter 15, "Securing Oracle Reports Services", Oracle Reports Services must connect to Oracle Internet Directory to verify user privileges and obtain existing data source connection information. In connecting to Oracle Internet Directory, you must consider:

17.3.4.1 Choosing the Connecting Entity for Oracle Internet Directory

When Oracle Reports Services connects to Oracle Internet Directory, it does so as an application entity. By default, each Oracle Reports Services application entity is unique to its Oracle Fusion Middleware installation. Every Reports Server started from the same Oracle Fusion Middleware installation (that is, ORACLE_HOME) uses the same application entity to connect to Oracle Internet Directory. This setup ensures that each Reports Server can only access information in Oracle Internet Directory that is relevant to its instance of Oracle Fusion Middleware.

For example, suppose you have two instances of Oracle Fusion Middleware, one for your Finance group and one for your Human Resources group. A Reports Server from the Finance group's Oracle Fusion Middleware instance would be prevented from accessing information relevant only to the Human Resources group, and vice versa. Thus, information stored in Oracle Internet Directory is more secure by default.

In previous releases of Oracle Reports Services, all Reports Servers connected to Oracle Internet Directory as the same application entity. As a result, it was not possible to restrict a Reports Server's access to information in Oracle Internet Directory.

To revert to the less restrictive security mode, refer to the Oracle Reports Services chapter of the Oracle Fusion Middleware Release Notes.

17.3.4.2 Choosing the Oracle Internet Directory Instance

By default, the Reports Server is configured to use the Oracle Internet Directory instance installed with Oracle Fusion Middleware. If you are building your system anew, this arrangement is fine. However, if you have an existing Oracle Internet Directory instance that you want to use for the Reports Server, you have to make some adjustments to your configuration.

Changing Oracle Internet Directory instances must be done as part of a complete change of your Oracle Fusion Middleware middle tier. For more information about this process, refer to the chapter on reconfiguring Application Server instances in the Oracle Fusion Middleware Administrator's Guide.



Footnote Legend

Footnote 1: dc=us,dc=oracle,dc=com is merely an example in this instance. You would normally enter your own values for these items.