Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 1 (11.1.1.5.0) Part Number E21032-01 |
This chapter describes how to configure single sign-on (SSO) for administration consoles. The administration consoles referred to in the chapter title are:
Oracle Enterprise Manager Fusion Middleware Control
Oracle WebLogic Server Administration Console
Oracle Access Manager Console
Oracle Identity Manager Console
This chapter includes the following topics:
This section describes how to integrate administration consoles with single sign-on.
This section contains the following topics:
Note:
Once you have enabled single sign-on for the administration consoles, ensure that at least one Oracle Access Manager server is running to enable console access. If you have used the Oracle WebLogic console to shut down all of the Oracle Access Manager Managed Servers, then restart one of those Managed Servers manually before using the console again.
To start WLS_OAM1 manually, use the command:
DOMAIN_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://ADMINVHN:7001
Before you attempt to integrate administration consoles with single sign-on, ensure that the following tasks have been performed:
Configure Oracle HTTP Server, as described in Chapter 5, "Configuring the Web Tier."
Configure Oracle Access Manager, as described in Chapter 12, "Extending the Domain with Oracle Access Manager 11g."
Weblogic Administrators have been provisioned in LDAP as described in Chapter 11, "Creating Users and Groups for Oracle WebLogic Server."
In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter domain). The application domains are configured to authenticate using the central Identity Management domain.
In Section 11.4.4, "Creating Users and Groups for Oracle WebLogic Server" you created a user called weblogic_idm and assigned it to the group IDM Administrators. To be able to manage WebLogic using this account you must add the IDM Administrators group to the list of WebLogic Administration groups. This section describes how to add the IDM Administrators Group to the list of WebLogic Administrators.
Log in to the WebLogic Administration Server Console.
In the left pane of the console, click Security Realms.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for myrealm, click the Roles & Policies tab.
On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.
On the Global Roles page, click the Admin role to go to the Edit Global Role page:
On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.
On the Edit Arguments page, specify IDM Administrators in the Group Argument field and click Add.
Click Finish to return to the Edit Global Role page.
The Role Conditions table now shows the IDM Administrators Group as an entry.
Click Save to finish adding the Admin role to the IDM Administrators Group.
Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.
The boot.properties file for the Administration Server and the Managed Servers should be updated with the WebLogic admin user created in Oracle Internet Directory. Follow these steps to update the boot.properties file.
For the Administration Server on IDMHOST1
On IDMHOST1, go to the following directory:
ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security
For example:
cd ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security
Rename the existing boot.properties file.
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=adminUser
password=adminUserPassword
For example:
username=weblogic_idm
password=Password for weblogic_idm user
Note:
When you start the Administration Server, the username and password entries in the file get encrypted. For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.
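The note above says to keep the window during which boot.properties holds plaintext credentials as short as possible. The following script, an added example that is not part of the Oracle guide, audits a boot.properties file and reports which values are still unencrypted; it relies on WebLogic rewriting the values with an {AES} prefix ({3DES} on older releases) after the first start, and the sample files and their {AES} values are constructed placeholders.

```shell
# Added example (not from the Oracle guide): audit a boot.properties file and
# report which credential values are still plaintext. After the first start
# WebLogic rewrites both values with an {AES} prefix ({3DES} on older releases),
# so an unprefixed value means the credential is still readable on disk.

# boot_props_plaintext_keys FILE -> prints the keys whose values are not encrypted
boot_props_plaintext_keys() {
  tr -d '\r' < "$1" | grep -v '^[[:space:]]*#' | grep '=' |
  while IFS='=' read -r key value; do
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//')
    case "$value" in
      "{AES}"*|"{3DES}"*) ;;          # already encrypted by WebLogic
      *) printf '%s\n' "$key" ;;      # still plaintext
    esac
  done
}

# boot_props_is_encrypted FILE -> exit 0 when no plaintext credential remains
boot_props_is_encrypted() {
  [ -z "$(boot_props_plaintext_keys "$1")" ]
}

# Constructed sample files so the script runs stand-alone; the {AES} values are
# made-up placeholders, not real WebLogic ciphertext.
demo_dir=$(mktemp -d)
printf 'username=weblogic_idm\npassword=ExamplePassword\n' > "$demo_dir/boot.unencrypted"
printf 'username={AES}c29tZS1wbGFjZWhvbGRlcg==\npassword={AES}YW5vdGhlci1wbGFjZWhvbGRlcg==\n' > "$demo_dir/boot.encrypted"

for f in "$demo_dir/boot.unencrypted" "$demo_dir/boot.encrypted"; do
  if boot_props_is_encrypted "$f"; then
    echo "$f: credentials encrypted"
  else
    echo "$f: PLAINTEXT values for: $(boot_props_plaintext_keys "$f" | tr '\n' ' ')"
  fi
done
```

Run it against each server's security directory after the server has started; a non-empty list means the server has not yet re-encrypted the file.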
Restarting the Servers
Restart WebLogic Administration Server and all Managed Servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Restart the following servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Access Servers on OAMHOST1 and OAMHOST2
Oracle HTTP Servers on WEBHOST1 and WEBHOST2
This section describes how to install and configure WebGate. This task is not necessary for OIM11g/OAM10g integration.
This section contains the following topics:
Section 18.5.3, "Installing Oracle WebGate on WEBHOST1 and WEBHOST2"
Section 18.5.4, "Patching the Oracle Access Manager 10g WebGates"
Section 18.5.6, "Validating the Oracle Access Manager Single Sign-On Setup"
Ensure that the following tasks have been performed before installing the Oracle Web Gate:
Install and configure the Oracle Web Tier as described in Chapter 5.
On Linux systems, make the special versions of the gcc libraries available, as described in Chapter 18.
Ensure Oracle Access Manager has been configured as described in Chapter 12.
Oracle Web Gate requires special versions of gcc libraries to be installed (Linux only). These library files must exist somewhere on the Linux system. The Web Gate installer asks for the location of these library files at install time. Download the libraries from http://gcc.gnu.org, as described in "Installing Third-Party GCC Libraries (Linux and Solaris Operating Systems Only)" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
See Also:
http://www.oracle.com/technetwork/middleware/ias/downloads/10gr3-webgates-integrations-readme-154689.pdf for additional information.
Before you install Oracle WebGate, ensure that the Managed Servers WLS_OAM1 and WLS_OAM2 are started.
Install Oracle WebGate as described in the following sections.
Start the Web Gate installer by issuing the command:
Oracle_Access_Managerversion_linux_OHS11g_WebGate -gui
Then perform the following steps:
On the Welcome to the InstallShield Wizard for Oracle Access Manager WebGate screen, click Next.
On the Customer Information screen, enter the username and group that the Access Server uses. This should be the same as the user and group that installed the Oracle HTTP Server. The default value for username and group is nobody. For example, enter oracle/oinstall.
Click Next.
Specify the installation directory for Oracle Access Manager Access Server. For example, enter: MW_HOME/oam/webgate.
Click Next.
Note:
Oracle Access Manager WebGate is installed in the access subdirectory under /u01/app/oracle/product/fmw/oam/webgate. The access directory is created by the installer automatically.
Specify the location of the GCC run-time libraries, for example: /u01/app/oracle/oam_lib
Click Next.
The installation progress screen is shown. After the installation process completes, the WebGate Configuration screen appears.
On the WebGate Configuration screen, you are prompted for the transport security mode:
The transport security between all Access System components (Policy Manager, Access Servers, and associated WebGates) must match; select one of the following: Open Mode, Simple Mode, or Cert Mode.
Select Simple Mode.
Click Next.
On the next WebGate Configuration screen, specify the following WebGate details:
WebGate ID: The agent name used in Section 12.6.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool," for example Webgate_IDM.
Password for Web Gate: If you entered a password when creating the agent, enter this here. Otherwise leave blank.
Access Server ID: WLS_OAM1
Host Name: Enter the Host name for one of the Access Servers for example IDMHOST1
Global Access Protocol Passphrase: If your OAM servers are using the Simple security transport protocol, then specify the global passphrase that you use to interact with them.
Port Number the Access Server listens to: ProxyPort
Note:
To find the port that the Access Server is using, log in to the oamconsole at: http://admin.mycompany.com/oamconsole
Then perform the following steps:
Select the System Configuration tab.
Select Server Instances.
Select Instance (WLS_OAM1) and click the View icon in the tool bar.
The proxy entry has host and port information.
On the Configure Web Server screen, click Yes to automatically update the web server, then click Next.
On the next Configure Web Server screen, specify the full path of the directory containing the httpd.conf file. The httpd.conf file is located under the following directory:
/u01/app/oracle/admin/ohsInstance/config/OHS/ohsComponentName
For example:
/u01/app/oracle/admin/ohs_instance2/config/OHS/ohs2/httpd.conf
Click Next.
On the next Configure Web Server page, a message informs you that the Web Server configuration has been modified for WebGate.
Click Next.
The next screen, Configure Web Server, displays the following message:
If the web server is setup in SSL mode, then httpd.conf file needs to be configured with the SSL related parameters. To manually tune your SSL configuration, please follow the instructions that come up.
Click Next.
The next screen, Configure Web Server, displays a message with the location of the document that has information on the rest of the product setup, as well as Web Server configuration.
Select No and click Next.
The final Configure Web Server screen appears with a message to manually launch a browser and open the HTML document for further information on configuring your Web Server.
Click Next.
The Oracle COREid Readme screen appears. Review the information on the screen and click Next.
A message appears, along with the details of the installation, informing you that the installation was successful.
Click Finish.
Replace the file ObAccessClient.xml in the directory MW_HOME/oam/webgate/access/oblix/lib with the file generated in Section 12.6.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool."
Restart the web server by following the instructions in Chapter 19, "Starting and Stopping Oracle Identity Management Components."
Repeat these steps for WEBHOST2.
You must create a logout page to enable applications to log out. A default page exists, but you must edit it and copy it to the WebGate installation on WEBHOST1 and WEBHOST2.
Copy the file logout.html from the directory DOMAIN_HOME/output/Webgate_IDM on IDMHOST1 to MW_HOME/oam/webgate/access/oamsso on WEBHOST1 and WEBHOST2.
Now that you have your own logout page on the web server, you must remove the default entry.
Edit the file httpd.conf, located in the directory:
ORACLE_INSTANCE/config/OHS/component name/
Comment out the following lines by adding a # at the beginning. The edited lines look like this:
#*******Default Login page alias***
#Alias /oamsso "/u01/app/oracle/product/fmw/webgate/access/oamsso"
#<LocationMatch "/oamsso/*">
#Satisfy any
#</LocationMatch>
#**********************************
Save the file.
Restart the Oracle HTTP server, as described in Chapter 19, "Starting and Stopping Oracle Identity Management Components."
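The edit described above is easy to get half right on one of the two web hosts, so the following script, an added example that is not part of the Oracle guide, applies it to a copy of httpd.conf and verifies that no active Alias or LocationMatch for /oamsso remains. The sample httpd.conf it writes is constructed for the demonstration; only the marker lines and the /oamsso block are taken from the steps above.

```shell
# Added example (not from the Oracle guide): comment out the default /oamsso
# login page alias block in a copy of httpd.conf, exactly as the steps above
# describe, then verify that no active Alias or LocationMatch for /oamsso
# remains. The sample httpd.conf below is constructed for the demonstration.

# comment_oamsso_block IN OUT -> copies IN to OUT, prefixing every uncommented
# line between the "Default Login page alias" marker and the closing "#****"
# marker with "#". Lines already commented are left alone, so it is idempotent.
comment_oamsso_block() {
  awk '
    /Default Login page alias/          { inblock = 1 }
    inblock && !/^[[:space:]]*#/        { print "#" $0; next }
                                        { print }
    inblock && /^#\*+[[:space:]]*$/     { inblock = 0 }
  ' "$1" > "$2"
}

# oamsso_alias_active FILE -> exit 0 if an uncommented /oamsso alias is still present
oamsso_alias_active() {
  grep -Eq '^[[:space:]]*(Alias[[:space:]]+/oamsso|<LocationMatch[[:space:]]+"/oamsso)' "$1"
}

# Constructed sample httpd.conf: the default login page alias block is still active.
demo_dir=$(mktemp -d)
printf '%s\n' \
  'Listen 7777' \
  '#*******Default Login page alias***' \
  'Alias /oamsso "/u01/app/oracle/product/fmw/webgate/access/oamsso"' \
  '<LocationMatch "/oamsso/*">' \
  'Satisfy any' \
  '</LocationMatch>' \
  '#**********************************' \
  'ServerName admin.mycompany.com' > "$demo_dir/httpd.conf"

comment_oamsso_block "$demo_dir/httpd.conf" "$demo_dir/httpd.conf.new"
if oamsso_alias_active "$demo_dir/httpd.conf.new"; then
  echo "default /oamsso alias is still active"
else
  echo "default /oamsso alias commented out:"; grep -n '^#' "$demo_dir/httpd.conf.new"
fi
```

Run oamsso_alias_active against the live httpd.conf on both WEBHOST1 and WEBHOST2 after the restart; a zero exit status means the default alias is still being served.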
This software cannot be patched until it is installed, as described in Section 18.5.3, "Installing Oracle WebGate on WEBHOST1 and WEBHOST2."
Follow these steps to patch the WebGates in your environment:
Download the Oracle Access Manager OHS11g WebGate patch from My Oracle Support at https://support.oracle.com. For 32-bit Linux, the patch name is Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate.zip. For 64-bit Linux it is Oracle_Access_Manager10_1_4_3_0_BPFA2_Patch_linux64_OHS11g_WebGate.zip.
Stop the Oracle HTTP Server 11g instances on WEBHOST1 and WEBHOST2 by following the steps in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Unzip the Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate.zip file to a temporary location. This creates two directories. On 32-bit Linux, the directories are:
Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate_binary_parameter
Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate_message_en-us
On 64-bit Linux, the directories are:
Oracle_Access_Manager10_1_4_3_0_BPFA2_Patch_linux64_OHS11g_WebGate_binary_parameter
Oracle_Access_Manager10_1_4_3_0_BPFA2_Patch_linux64_OHS11g_WebGate_message_en-us
Change directory to: PatchExtractLocation/Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate_binary_parameter
Uninstall any existing patches because you must apply patches to the base version.
To detect the presence of an existing patch, determine the version number, as follows:
Open the file webgate-install/oblix/config/np1014_wg.txt
Check the Version field.
If the Version value is the base version, 10.1.4.3.0 M11, then it does not contain any patch.
If the Version value is different from the base version, indicating that there is a patch, uninstall the patch as follows:
Navigate to the location within the WebGate installation where the patchinst script is present, for example:
cd /u01/app/oracle/product/fmw/oam/webgate/access/oblix/patch/10143005BP05/Oracle_Access_Manager10_1_4_3_0_BP05_Patch_linux64_OHS11g_WebGate_binary_parameter/
Execute the command:
./patchinst -u
Specify the WebGate installation area when prompted.
Start the patch installation tool by typing:
./patchinst -i InstallDir/access
where InstallDir is the path to the Access Server install location. For example:
/u01/app/oracle/product/fmw/oam/webgate/access
This applies the required patch for Oracle Access Manager-Oracle Identity Manager integration to the Oracle Access Manager 10.1.4.3.0 WebGate Instance. Please see the "Enterprise Deployment Guide" chapter of the 11g Release 1 (11.1.1.5.0) Release Notes for the exact patch level required.
Apply this patch to all the WebGate instances in your environment.
Start the Oracle HTTP Server instances on WEBHOST1 and WEBHOST2, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
You can test that WebGate is functioning correctly by accessing the URL:
http://admin.mycompany.com/oamconsole
You now see the Oracle Access Manager Login page displayed. Enter your OAM administrator user name (for example, oamadmin) and password and click Login. Then you see the OAM console displayed.
To validate the setup, open a web browser and go to the following URLs:
http://admin.mycompany.com/console
http://admin.mycompany.com/em
The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.