Skip Headers
Oracle® WebCenter Wiki and Blog Server Installation, Configuration, and User's Guide
10g Release 3 (10.1.3.4.0)
E14106-01
  Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
 
Next
Next
 

4 Configuring Single Sign-On

You can configure Oracle Access Manager-based single sign-on security for Oracle WebCenter Wiki and Blog Server. This chapter explains how to configure Oracle Access Manager for single sign-on for Oracle WebCenter Wiki and Blog Server.

This chapter includes the following sections:

4.1 Overview of Oracle Access Manager Authentication

Oracle Access Manager authentication for Oracle WebCenter Wiki and Blog Server requires following components:

These components should be installed one time for the central server.

To configure Oracle Access Manager for single sign-on, you must perform the following steps:

  1. Install Oracle Access Manager

  2. Install Oracle HTTP Server

  3. Install an Access Server

  4. Install an Access Gate (WebGate)

  5. Configure Oracle Access Manager

  6. Configure authentication

  7. Configure a custom login page for Oracle Access Manager

  8. Install the security provider for WebLogic SSPI

4.2 Installing Oracle Access Manager

Oracle Access Manager Release 10g (10.1.4.2.0) is a patch set. After installing 10g (10.1.4.0.1), you can apply Release 10.1.4 patch set 1 (10.1.4.2.0) to installed components. You cannot install 10g (10.1.4.2.0) directly.

This document explains how to also add base patch 5957301 and the latest bundle patch 7408035.

For detailed information about Oracle Access Manager, see the Oracle Access Manager documentation posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/index.htm

4.3 Installing Oracle HTTP Server for Oracle WebCenter Wiki and Blog Server

Each Oracle HTTP Server configured for integration with Oracle Access Manager must have an Access Gate installed.

Install Oracle HTTP Server 10.1.3.3 for Apache 2.0. This can be downloaded from the Oracle10g Release 3 Companion CD (10.1.3.x) at:

http://www.oracle.com/technology/software/products/ias/htdocs/101310.html

After installing Oracle HTTP Server, install the Apache HTTP Server plug-in (mod_wl_20). This can be downloaded from:

http://download.oracle.com/otn/bea/weblogic/server103/WLSWebServerPlugins1.0.1150354-Apache.zip

Detailed installation instructions are posted at:

http://e-docs.bea.com/wls/docs103/plugins/apache.html#wp131399

Follow these steps to configure mod_weblogic (mod_wl.conf):

  1. Install mod_wl into Oracle HTTP Server 10.1.3.3.

    Without this step, you get the following error when you start Oracle HTTP Server:

    --------
    09/02/12 01:35:25 Start process
    --------
    /scratch/ohsoam/install/ohs/ohs/bin/apachectl startssl: execing httpd
    Syntax error on line 247 of
    /scratch/ohsoam/install/ohs/ohs/conf/httpd.conf:
    Cannot load /scratch/ohsoam/install/ohs/ohs/modules/mod_wl_20.so into
    server: /scratch/ohsoam/install/ohs/ohs/modules/mod_wl_20.so: cannot open
    shared object file: No such file or directory
    
  2. Confirm that you have the following entries at the end of httpd.conf (after the automatic updates to httpd.conf through Webgate Installer).

    For Linux:

    # Include the SSL definitions and Virtual Host container
    include "/scratch/ohsoam/install/ohs/ohs/conf/ssl.conf"
    LoadFile "/scratch/ohsoam/install/webgate/access/oblix/lib/libgcc_s.so.1"
    LoadFile "/scratch/ohsoam/install/webgate/access/oblix/lib/libstdc++.so.5"
     
    LoadModule obWebgateModule "/scratch/ohsoam/install/webgate/access/oblix/apps/webgate/bin/webgate.so"
    WebGateInstalldir "/scratch/ohsoam/install/webgate/access"
     
    LoadModule weblogic_module modules/mod_wl_20.so
     
    <IfModule mod_weblogic.c>
    MatchExpression /owc_wiki WebLogicHost=<host>|WebLogicPort=<port>
     
    </IfModule>
     
    WebGateMode PEER
     
    <Location /access/oblix/apps/webgate/bin/webgate.cgi>
    SetHandler obwebgateerr
    </Location>
     
    <Location "/oberr.cgi">
    SetHandler obwebgateerr
    </Location>
     
    <LocationMatch "/*">
    AuthType Oblix
    require valid-user
    </LocationMatch>
    

    For Windows:

    #*** BEGIN WebGate Specific ****
     
    LoadModule obWebgateModule "C:\OHSOAM\webgate\access/oblix/apps/webgate/bin/webgate.dll"
    WebGateInstalldir "C:\OHSOAM\webgate\access"
     
    LoadModule weblogic_module modules/mod_wl_20.so
     
    <IfModule mod_weblogic.c>
    MatchExpression /owc_wiki WebLogicHost=<host>|WebLogicPort=<port>
    </IfModule>
    WebGateMode PEER
     
    <Location /access/oblix/apps/webgate/bin/webgate.cgi>
    SetHandler obwebgateerr
    </Location>
     
    <Location "/oberr.cgi">
    SetHandler obwebgateerr
    </Location>
     
    <LocationMatch "/*">
    AuthType Oblix
    require valid-user
    </LocationMatch>
     
    #*** END WebGate Specific **** 
    
  3. Configure the module mod_wl in Oracle HTTP Server so that it forwards requests to Oracle HTTP Server. To configure Oracle HTTP Server to work with multiple non-clustered servers, use the following example in httpd.conf:

    LoadModule weblogic_module modules/mod_wl_20.so
     
    <IfModule mod_weblogic.c>
         MatchExpression /owc_wiki WebLogicHost=wiki.example.com|WebLogicPort=8888
    </IfModule>
    

    Note:

    The WebLogic port refers to the wiki server port where the Oracle WebCenter Wiki and Blog Server is deployed.

4.4 Installing an Access Server

An Access Server must be installed for Oracle WebCenter Wiki and Blog Server.

For detailed information about installing an Access Server, see the Oracle® Access Manager Installation Guide 10g (10.1.4.2.0) "Chapter 8, Installing the Access Server". This is posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32412/toc.htm

You will be asked to create an Access Server instance in the Access System Console. Leave all defaults as they are, except the following specific entries:

The saved values should look something like the following:

Name    wls-wiki-access-server 
Hostname host.domain.com 
Port      6021 
Debug     Off 
Debug File Name       
Transport Security      Open 
Maximum Client Session Time (hours)   24 
Number of Threads      60 
Access Management Service      On 
       
Audit to Database (on/off)     Off 
       
Audit to File (on/off)     Off 
Audit File Name       
Audit File Size (bytes)      0 
Buffer Size (bytes)      512000 
File Rotation Interval (seconds)      0 
Engine Configuration Refresh Period   14400 (seconds)      
URL Prefix Reload Period (seconds)    7200 
Password Policy Reload Period (seconds)7200 
       
Maximum Elements in User Cache      100000 
User Cache Timeout (seconds)        1800 
 
Maximum Elements in Policy Cache    10000 
Policy Cache Timeout (seconds)      7200 
       
SNMP State        Off 
SNMP Agent Registration Port       
       
Session Token Cache      Enabled 
Maximum Elements in Session Token Cache     10000

After creating this instance in the Access System Console, install the actual Access Server, using the Oracle Access Manager command appropriate to your platform.

For more information, see the installation guide posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32412/toc.htm

Again, you will be asked to create an Access Gate instance in the Access System Console. When creating the instance, provide the following properties:

Click Save to retain this setup.

4.5 Installing an Access Gate

For Oracle WebCenter Wiki and Blog Server to be protected with Oracle Access Manager single sign-on, first install Oracle HTTP Server 10.1.3.3 for Apache 2.0. Next, install the Access Gate module on the same machine where Oracle HTTP Server is installed. This is the Oracle HTTP Server and Access Gate installation that will be used to protect the Oracle WebCenter Wiki and Blog Server URL.

Install WebGate 10.1.4.0.1 for OHS2 (Oracle_Access_Manager10_1_4_0_1_linux_OHS2_WebGate). This installer is included with the Oracle Access Manager CD. After successfully installing WebGate 10.1.4.0.1, you must apply the base patch 5957301 (Oracle_Access_Manager10_1_4_2_0_Patch_linux_OHS2_WebGate.zip), which can be downloaded from My Oracle Support (formerly MetaLink):

https://metalink.oracle.com/metalink/plsql/f?p=130:5:1642971897004974741::::P_SOURCE,P_SRCHTXT:8,5957301%20

On Linux only: After applying base patch 5957301, you must apply bundle patch 7408035 (Oracle_Access_Manager10_1_4_2_0_BP06_Patch_linux_OHS2_WebGate.zip), which can downloaded from My Oracle Support (formerly MetaLink):

https://metalink2.oracle.com/metalink/plsql/f?p=130:5:6778718287832208728::::P_SOURCE,P_SRCHTXT:8,7408035

Make sure that you install the WebGate for your platform and that it is for Oracle HTTP Server with Apache 2.0.

For more information about installing an Access Gate for this Oracle HTTP Server instance, see Oracle Access Manager Installation Guide 10g (10.1.4.2.0) "Chapter 9, Installing the WebGate." This is posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32412/webgate.htm#CHDBHAAG


Note:

WebGate and Access Gate are synonymous.

On Oracle HTTP Server, confirm that opmn.xml is configured for Oracle Access Manager. The opmn.xml entries should include the following:

<ias-component id="HTTP_Server">
        <process-type id="HTTP_Server" module-id="OHS2">
          <environment>
               <variable id="TMP" value="/tmp"/>
               <variable id="LD_ASSUME_KERNEL" value="2.4.19"/>
          </environment>
          <module-data>
            <category id="start-parameters">
              <data id="start-mode" value="ssl-enabled"/>
            </category>
          </module-data>
          <process-set id="HTTP_Server" numprocs="1"/>
        </process-type>
      </ias-component>
  </ias-instance>…

4.6 Setting Up Oracle Access Manager

For detailed information about setting up Oracle Access Manager, see the 10.1.4.2.0 Oracle Access Manager documentation.

The remainder of the information in this section provides samples of the configuration specifically for wiki integration.

Ensure that the following configuration is done in Oracle Access Manager:

Configure the Access Gate

wls-wiki-access-gate (Figure 4-1)

Figure 4-1 Access Gate Configuration

Description of Figure 4-1 follows
Description of "Figure 4-1 Access Gate Configuration"

Configure the Access Server (Figure 4-2)

Figure 4-2 Access Server Configuration

Description of Figure 4-2 follows
Description of "Figure 4-2 Access Server Configuration"

For more information, see Oracle Access Manager Installation Guide 10g (10.1.4.2.0) "Chapter 9, Installing the WebGate." This is posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32412/webgate.htm#CHDBHAAG

4.7 Configuring Authentication Management

The Oracle Access Manager Access System Console lets you configure the authentication mechanism. To enable the authentication scheme, you must go through each tab in the form-based authentication scheme. Form-based authentication requires that you give the challenge redirect to the Oracle HTTP Server where Oracle WebCenter Wiki and Blog Server is deployed.

Form-based Authentication Scheme (Figure 4-3)

Figure 4-3 Form-Based Authentication Scheme

Description of Figure 4-3 follows
Description of "Figure 4-3 Form-Based Authentication Scheme"

Table 4-1 Plugins

Plugin Name Plugin Parameter

credential_mapping

obMappingBase="cn=users,dc=us,dc=oracle,dc=com",obMappingFilter="(&(&(objectclass=inetorgperson)(uid=%userid%))(|(!(obuseraccountcontrol=*)) (obuseraccountcontrol=ACTIVATED)))"

validate_password

password


Make sure that the user name field in login.html (which is created in Section 4.8, "Configuring a Custom Login Page for Oracle Access Manager") matches what you enter for uid in the credential_mapping plugin. In this example, it is assumed that login.html would define the username field as userid and the password field as password.

Figure 4-4 Steps for Authentication Scheme

Description of Figure 4-4 follows
Description of "Figure 4-4 Steps for Authentication Scheme"

Policy Overview

For more information, see chapter 4 of Oracle Access Manager Access Administration Guide at

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2policy.htm#CJAIGHAG

(Figure 4-5)

Figure 4-5 Policy Overview

Description of Figure 4-5 follows
Description of "Figure 4-5 Policy Overview"

To enable single sign-on using Oracle Access Manager, create a new policy domain in Oracle Access Manager. An example domain is provided here.

  1. To get to the Policy Manager go to http://host:port/access/oblix/apps, and click Policy Manager.

    wiki-domain: This defines the policy for the wiki application resources. Most wiki pages are public. However, access to the /admin path is secured, and the /login!withRedirect.jspa is used to trigger authentication and is used by the login link in the application.

  2. Create a new domain for wiki and blog server 10.1.3.4. Give a unique name for the domain. (Figure 4-6)

    Figure 4-6 Create Policy Domain - General

    Description of Figure 4-6 follows
    Description of "Figure 4-6 Create Policy Domain - General"

  3. Configure the host identifiers. The host identifier should be the one you registered for your Oracle HTTP Server.

  4. Protect the wiki login and admin URLs. The following URLs need to be protected:

    • /owc_wiki/acl

    • /owc_wiki/admin

    • /owc_wiki/attachments

    • /owc_wiki/default

    • /owc_wiki/domain

    • /owc_wiki/export

    • /owc_wiki/index_dir

    • /owc_wiki/install

    • /owc_wiki/js

    • /owc_wiki/layouts

    • /owc_wiki/macro

    • /owc_wiki/page

    • /owc_wiki/pages

    • /owc_wiki/remote

    • /owc_wiki/tags

    • /owc_wiki/templates

    • /owc_wiki/user

    • /owc_wiki/vhost

    • /owc_wiki/wp

  5. Define a new authorization rule and enable it. (Figure 4-7)

    Figure 4-7 Create Policy Domain - Authorization Rules

    Description of Figure 4-7 follows
    Description of "Figure 4-7 Create Policy Domain - Authorization Rules"

  6. On the Allow Access tab of Authorization Rules, specify the role Any one. (Figure 4-8)

    Figure 4-8 Create Policy Domain - Authorization Rules - Allow Access

    Description of Figure 4-8 follows
    Description of "Figure 4-8 Create Policy Domain - Authorization Rules - Allow Access"

  7. On the Authentication Rule tab of Default Rules, select the Form Authorization scheme defined earlier. (Figure 4-9)

    Figure 4-9 Create Policy Domain - Default Rules - Authentication Rules

    Description of Figure 4-9 follows
    Description of "Figure 4-9 Create Policy Domain - Default Rules - Authentication Rules"

  8. On the Authorization Expression tab of Default Rules, select the authorization rule defined earlier on the Authorization Rule tab. (Figure 4-10)

    Figure 4-10 Create Policy Domain - Default Rules - Authorization Expression

    Description of Figure 4-10 follows
    Description of "Figure 4-10 Create Policy Domain - Default Rules - Authorization Expression"

  9. On the Actions tab of Default Rules, define return actions for authorization success for the uid and obmygroups attributes, as shown in Figure 4-11.

    Figure 4-11 Create Policy Domain - Default Rules - Authorization Expression - Actions

    Description of Figure 4-11 follows
    Description of "Figure 4-11 Create Policy Domain - Default Rules - Authorization Expression - Actions"

  10. After creating the policy domain, make sure to enable the policy domain by modifying the existing domain.

4.8 Configuring a Custom Login Page for Oracle Access Manager

Form-based authentication requires a custom login page to be created on the Oracle HTTP Server. This custom login page will be displayed when the user has to be challenged for credentials. The name of the page should match the name specified in the authentication scheme on the Oracle Access Server authentication scheme configuration. In this example, it is specified as login.html. This file must be in the document root ($OHS_HOME/ohs/htdocs) on the Oracle HTTP Server.

Here is the sample login.html file:

<html>
<head>
    <title>Test Login Form</title>
    <script language="JavaScript">
                function submitForm() {
                        document.forms[0].submit();
                }
    </script>
  </head>
  <body bgcolor="#ffffff" onLoad="self.focus();document.loginform.login.focus()">
    <center>
      <h2>Test Login Form</h2>
      <form name="loginform" action="/access/oblix/apps/webgate/bin/webgate.so"method="post">
        <table cellspacing="0" cellpadding="0" border="0">
          <tr><td valign="center" align="left"><b>Username</b></td>
            <td>&nbsp;&nbsp;&nbsp;&nbsp;</td><td valign="center" align="left">
              <input type="username" name="userid" size="20" value=""></td>
          </tr>
          <tr>
            <td valign="center" align="left"><b>Password</b></td>
            <td>&nbsp;&nbsp;&nbsp;&nbsp;</td><td valign="center" align="left">
              <input type="password" name="password" size="20" value=""></td>
          </tr>
        </table>
 
        <input type=submit id=submit name=submit value=submit />
        </form>
  </body>
</html> 

4.9 Installing the Security Provider for WebLogic SSPI

To assert the identity of logged in users, you must install the Security Provider for WebLogic SSPI (Security Service Provider Interface) on the WebLogic machine. The Security Provider ensures that only appropriate users and groups can access Oracle Access Manager-protected WebLogic resources to perform specific operations. The Security Provider also enables you to configure single sign-on between Oracle Access Manager and WebLogic resources.

The Security Provider for WebLogic SSPI is available at:

http://download.oracle.com/otn/linux/ias/101401/oam_int_linux_v7_cd3.zip

CD7 of the Oracle Access Manager 3rd party integration package contains WebLogic SSPI Provider installer, Oracle_Access_Manager10_1_4_2_2_linux_BEA_WL_SSPI.zip.

For detailed instructions, see Oracle Access Manager Integration Guide "Chapter 10, Integrating the Security Provider for WebLogic SSPI." This is posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/e10356/weblogic.htm#WeblogicSSPI

In addition to following these instructions, you must remove xerces.jar from the CLASSPATH. Specifically, edit startWebLogic.sh on Linux or startWebLogic.cmd on Windows to change the following from:

CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC
_CLASSPATH}:/scratch/ohsoam/install/SSPI
_wiki/NetPointSecuProvForWeblogic/oblix/lib/wlNetPoint.jar:/scratch/ohsoam/install
/SSPI_
wiki/NetPointSecuProvForWeblogic/oblix/lib/bcprov-jdk14-125.jar:/scratch/ohsoam/in
stall/SSPI
_wiki/NetPointSecuProvForWeblogic/oblix/lib/xerces.jar:/scratch/ohsoam/install/
SSPI_wiki/NetPointSecuProvForWeblogic/oblix/lib/jobaccess.jar"

to

CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC
_CLASSPATH}:/scratch/ohsoam/install/SSPI
_wiki/NetPointSecuProvForWeblogic/oblix/lib/wlNetPoint.jar:/scratch/ohsoam/install
/SSPI_
wiki/NetPointSecuProvForWeblogic/oblix/lib/bcprov-jdk14-125.jar:/scratch/ohsoam/in
stall/SSPI_wiki/NetPointSecuProvForWeblogic/oblix/lib/jobaccess.jar"

Required Tasks

The following tasks need to be completed:

  1. Install the Security Provider (typical installation)

  2. Set up the WebLogic policy in Oracle Access Manager

  3. Run the NetPoint Policy Deployer

  4. Prepare the WebLogic environment

For more information, see http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/e10356/weblogic.htm.

After completing these tasks, configure the Oracle Access Manager Identity Asserter in the WebLogic console.

  1. To begin, log in to WebLogic Server Administration Console.

  2. Click Security Realms in the Domain Structure panel. (Figure 4-12)

  3. Click the myrealm link in the list of realms on the right panel.

    Figure 4-12 WebLogic Console - Domain Structure - Security Realms

    Description of Figure 4-12 follows
    Description of "Figure 4-12 WebLogic Console - Domain Structure - Security Realms"

  4. Under Settings for myrealm, click the Providers tab. (Figure 4-13)

  5. Create a new Authentication Provider by clicking New.

    Figure 4-13 Settings for myrealm - Providers

    Description of Figure 4-13 follows
    Description of "Figure 4-13 Settings for myrealm - Providers"

  6. Enter a unique name for the authenticator, and select OblixAuthenticator as the Type. (Figure 4-14)

  7. Click OK.

    Figure 4-14 Create a New Authentication Provider

    Description of Figure 4-14 follows
    Description of "Figure 4-14 Create a New Authentication Provider"

  8. Click Reorder to alter the authentication sequence. (Figure 4-15)

    Figure 4-15 Authentication Providers

    Description of Figure 4-15 follows
    Description of "Figure 4-15 Authentication Providers"

  9. Reorder the sequence of the newly created authenticator by moving oblixAuthenticator to the top of the list by using the arrow button on the right. (Figure 4-16)

  10. Click OK.

    Figure 4-16 Reorder Authentication Providers

    Description of Figure 4-16 follows
    Description of "Figure 4-16 Reorder Authentication Providers"

  11. Under the Name column, click the hyperlink of the newly created oblixAuthenticator to display its properties.

  12. From the Control Flag dropdown list, select SUFFICIENT.

  13. Click Save.


    Note:

    After creating the OblixAuthenticator authentication provider, ensure that the OB_UserSearchAttr property of the provider is set to cn in the NetPointProvdersConfig.properties file.

    Figure 4-17 Control Flag Setting

    Description of Figure 4-17 follows
    Description of "Figure 4-17 Control Flag Setting"

  14. Click New to create an identity asserter.

  15. Enter a unique name for the identity asserter, and select Type as OblixIdentityAsserter. (Figure 4-18)

  16. Click OK to create the identity asserter.

    Figure 4-18 Create an Identity Asserter

    Description of Figure 4-18 follows
    Description of "Figure 4-18 Create an Identity Asserter"

  17. Reorder the newly created identity asserter to the second position.

  18. Set the Control Flag for the identity asserter to SUFFICIENT.

  19. Restart the Admin Server and all managed servers to uptake the configuration changes.

After SSPI configuration, Oracle WebCenter Wiki and Blog Server can be accessed at the following URL: http://host:port/owc_wiki/index.jspa, where host and port are the host and port of the Oracle HTTP Server.