15 Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment

This chapter describes how to configure single sign-on (SSO) for administration consoles in an Identity Management Enterprise deployment.

15.1 Overview of Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment

If you have not integrated Oracle Access Management Access Manager with Oracle Identity Manager, you must first create WebLogic Security Providers. Then proceed as follows.

You assign WebLogic Administration groups, update boot.properties, and restart the servers. Then you install and configure WebGate and validate the setup. After WebGate is installed and configured, Oracle Traffic Director intercepts requests for the consoles and forwards them to Access Manager for validation.

The administration consoles referred to in the chapter title are:

  • Oracle Enterprise Manager Fusion Middleware Control

  • Oracle WebLogic Server Administration Console

  • Oracle Access Management Console

  • Oracle Identity Manager Console

15.2 Prerequisites

Before you attempt to integrate administration consoles with single sign-on, ensure that the following tasks have been performed in the IDMDomain:

  1. Configuring Oracle Traffic Director, as described in Chapter 7, "Installing and Configuring Oracle Traffic Director for an Enterprise Deployment."

  2. Configuring Access Manager, as described in Chapter 11, "Extending the Domain to Include Oracle Access Management."

  3. Provisioning WebLogic Administrators in LDAP, as described in Section 10.4, "Preparing the Identity Store."

15.3 Configuring WebLogic Security Providers

When you run idmConfigTool with the configOAM or configOIM option, the tool creates security providers in the domain IDMDomain. These security providers restrict access to the consoles in those domains based on the security policies of Access Manager. If you have other domains, you must create security providers in those domains manually and then update them as described in the following sections.

Note:

Once you have enabled single sign-on for the administration consoles, ensure that at least one OAM Server is running to enable console access.

If you have used the Oracle Weblogic console to shut down all of the Access Manager Managed Servers, then restart one of those Managed Servers manually before using the console again.

To start WLS_OAM1 manually, use the command:

MSERVER_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://ADMINVHN:7001

15.3.1 Updating Oracle Unified Directory Authenticator

When the OUD authenticator is created, it is created with some missing information, which must be added. If you are using OUD as your identity store, you must add this information by performing the following steps.

  1. Log in to the WebLogic Administration Console.

  2. Click Security Realms from the Domain structure menu.

  3. Click Lock and Edit in the Change Center.

  4. Click myrealm.

  5. Click on Providers.

  6. Click on OUDAuthenticator.

  7. Click on Provider Specific tab.

  8. On the Provider Specific screen update the following values:

    • All Users Filter: (&(uid=*)(objectclass=person))

    • User From Name Filter: (&(uid=%u)(objectclass=person))

    • User Name Attribute: uid

    • Static Group Object Class: groupofuniquenames

    • Static Member DN Attribute: uniquemember

    • Static Group DNs from Member DN Filter: (&(uniquemember=%M)(objectclass=groupofuniquenames))

    • Dynamic Group Name Attribute: cn

    • Dynamic Group Object Class: groupOfURLs

    • Dynamic Member URL Attribute: memberURL

  9. Click Save.

  10. Click Activate Changes.
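The Provider Specific values above decide which directory entry WebLogic treats as the user (User From Name Filter, with %u replaced by the login name) and which groups it assigns (Static Group DNs from Member DN Filter, with %M replaced by the user's DN). The following added example is not part of the Oracle documentation; it re-implements that substitution and matching over a constructed LDIF snippet so that an administrator can see what the OUD authenticator would resolve for weblogic_idm before relying on it. The sample entries and DNs, the minimal filter evaluator, and the fail-closed handling of ambiguous or malformed user names are assumptions of this example rather than settings from the page.

```python
import re

# Constructed sample directory content (assumption, not from the page):
# two person entries and two groupofuniquenames entries.
SAMPLE_LDIF = """\
dn: cn=weblogic_idm,cn=Users,dc=mycompany,dc=com
objectclass: person
uid: weblogic_idm
cn: weblogic_idm

dn: cn=oamadmin,cn=Users,dc=mycompany,dc=com
objectclass: person
uid: oamadmin
cn: oamadmin

dn: cn=WLSAdmins,cn=Groups,dc=mycompany,dc=com
objectclass: groupofuniquenames
cn: WLSAdmins
uniquemember: cn=weblogic_idm,cn=Users,dc=mycompany,dc=com

dn: cn=OAMAdministrators,cn=Groups,dc=mycompany,dc=com
objectclass: groupofuniquenames
cn: OAMAdministrators
uniquemember: cn=oamadmin,cn=Users,dc=mycompany,dc=com
uniquemember: cn=weblogic_idm,cn=Users,dc=mycompany,dc=com
"""

# Provider Specific values exactly as listed in Section 15.3.1.
ALL_USERS_FILTER = "(&(uid=*)(objectclass=person))"
USER_FROM_NAME_FILTER = "(&(uid=%u)(objectclass=person))"
STATIC_GROUP_DNS_FROM_MEMBER_DN_FILTER = "(&(uniquemember=%M)(objectclass=groupofuniquenames))"
STATIC_GROUP_NAME_ATTRIBUTE = "cn"

# Characters that would change the structure of a filter if substituted raw.
FILTER_METACHARS = set("()*\\\x00")


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute names lowercased."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            entry.setdefault(name.lower(), []).append(value)
        entries.append(entry)
    return entries


def matches(entry, filt):
    """Evaluate an AND-of-equality filter such as (&(uid=x)(objectclass=person)).

    Only the filter shapes used by the provider settings are supported;
    '*' as the value means 'attribute present', as in the All Users Filter.
    """
    terms = re.findall(r"\(([^=()&|!]+)=([^()]*)\)", filt)
    if not terms:
        return False
    for attr, value in terms:
        present = entry.get(attr.lower(), [])
        if value == "*":
            if not present:
                return False
        elif not any(v.lower() == value.lower() for v in present):
            return False
    return True


def find_user_dn(entries, username):
    """Apply the User From Name Filter; fail closed on malformed or ambiguous names."""
    if not username or FILTER_METACHARS & set(username):
        return None
    filt = USER_FROM_NAME_FILTER.replace("%u", username)
    hits = [e["dn"][0] for e in entries if matches(e, filt)]
    return hits[0] if len(hits) == 1 else None


def static_groups_for_dn(entries, user_dn):
    """Apply the Static Group DNs from Member DN Filter and return the group names."""
    filt = STATIC_GROUP_DNS_FROM_MEMBER_DN_FILTER.replace("%M", user_dn)
    return sorted(e[STATIC_GROUP_NAME_ATTRIBUTE][0] for e in entries if matches(e, filt))


def resolve_groups(ldif_text, username):
    """The group membership the authenticator would report for username."""
    entries = parse_ldif(ldif_text)
    dn = find_user_dn(entries, username)
    return [] if dn is None else static_groups_for_dn(entries, dn)


def count_all_users(ldif_text):
    """How many entries the All Users Filter selects (what the console's user listing shows)."""
    return sum(1 for e in parse_ldif(ldif_text) if matches(e, ALL_USERS_FILTER))


if __name__ == "__main__":
    print(resolve_groups(SAMPLE_LDIF, "weblogic_idm"))
```

A name that matches no entry, or more than one, resolves to no groups at all; that is the behaviour you want from an authenticator, since an ambiguous match must never grant the WLSAdmins role by accident.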

15.3.2 Reordering the Security Providers

This section sets up an Access Manager asserter to enable you to delegate responsibility for credential collection to Access Manager.

  1. Log in to the WebLogic Administration Console at the URL listed in Section 16.2, "About Identity Management Console URLs."

  2. Click Security Realms from the Domain structure menu.

  3. Click Lock and Edit in the Change Center.

  4. Click myrealm.

  5. Select the Providers tab.

  6. Click Reorder.

  7. Using the arrows on the right-hand side, order the providers so that the order is:

    • OAMIDAsserter

    • OIM Signature Authenticator, if present

    • OIMAuthenticationProvider, if present

    • OUD Authenticator

    • Default Authenticator

    • Default Identity Asserter

    Note:

    Oracle Identity Manager providers only exist if Oracle Identity Manager has been configured.

  8. Click OK.

  9. Click Activate Changes.

  10. Restart WebLogic Administration Server and all the Managed Servers, as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

15.4 Assigning WLSAdmins Group to WebLogic Administration Groups

In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter Portal domain). The application domains are configured to authenticate using the central Identity Management domain.

In Section 10.4, "Preparing the Identity Store," you created a user called weblogic_idm and assigned it to the group WLSAdmins. To be able to manage WebLogic using this account, you must add the WLSAdmins group to the list of WebLogic Administration groups. This section describes how to add the WLSAdmins group to the list of WebLogic Administrators.

Perform this step for each domain in the topology.

  1. Log in to the WebLogic Administration Server Console at the URL listed in Section 16.2, "About Identity Management Console URLs."

  2. In the left pane of the console, click Security Realms.

  3. On the Summary of Security Realms page, click myrealm under the Realms table.

  4. On the Settings page for myrealm, click the Roles & Policies tab.

  5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.

  6. On the Global Roles page, click the Admin role to go to the Edit Global Role page:

    1. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.

    2. On the Choose a Predicate page, select Group from the list for predicates and click Next.

    3. On the Edit Arguments Page, Specify WLSAdmins in the Group Argument field and click Add.

  7. Click Finish to return to the Edit Global Role page.

  8. The Role Conditions table now shows the WLSAdmins Group as an entry.

  9. Click Save to finish adding the Admin role to the WLSAdmins Group.

  10. Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.

15.5 Authorize Access Manager Administrators to Access APM Console

By default, only users in the WebLogic administrators group can access the APM console. After SSO is enabled, you will log in as an Access Manager Administrator.

To enable this functionality perform the following steps:

  1. Log in to the APM console at http://ADMIN.mycompany.com/apm as WebLogic administrator.

  2. Click the System Configuration tab.

  3. Click Add in the External Role Mapping box.

  4. Click Search.

  5. Select OAMAdministrators from the returned search results.

  6. Click Add Selected.

  7. Click Add Principals.

15.6 Updating the boot.properties File

Update the boot.properties file for the Administration Server with the WebLogic admin user created in LDAP.

You must update boot.properties on each Administration Server node. Follow the steps in the following sections to update the file.

15.6.1 Update the Administration Servers on All Domains

  1. On each of the servers in the topology, go to the directory:

    ASERVER_HOME/servers/serverName/security
    

    For example:

    cd ASERVER_HOME/servers/AdminServer/security
    
  2. Rename the existing boot.properties file.

  3. Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:

    username=adminUser
    password=adminUserPassword
    

    For example:

    username=weblogic_idm
    password=Password for weblogic_idm user
    

    Note:

    When you start the Administration Server, the username and password entries in the file get encrypted.

    For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.
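The note above leaves two things for the administrator to verify by hand: that the new boot.properties is not readable by other accounts while it holds the clear-text password, and that the Administration Server has in fact rewritten the entries after its first start. The following added example, which is not part of the Oracle documentation, creates the file with owner-only permissions and checks both conditions. It assumes that encrypted values begin with {AES} or {3DES}; the page only says that the entries get encrypted, so adjust the prefixes if your server writes something else. The demo() function simulates the server's rewrite with constructed values so the check can be exercised without a domain.

```python
import os
import stat
import tempfile

# Prefixes that mark a value the Administration Server has already encrypted
# (assumption of this example; the page only says the entries "get encrypted").
ENCRYPTED_PREFIXES = ("{AES}", "{3DES}")


def write_boot_properties(security_dir, username, password):
    """Create boot.properties readable and writable only by the owner; return its path."""
    path = os.path.join(security_dir, "boot.properties")
    # O_EXCL refuses to overwrite an existing file: step 2 says to rename the old one first.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"username={username}\npassword={password}\n")
    return path


def read_properties(path):
    """Parse key=value lines, ignoring blanks and comments."""
    props = {}
    with open(path) as f:
        for raw in f:
            line = raw.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props


def check_boot_properties(path):
    """Return findings about a boot.properties file; an empty list means it is in the desired state."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {oct(mode)} grants access beyond the file owner")
    props = read_properties(path)
    for key in ("username", "password"):
        value = props.get(key)
        if value is None:
            findings.append(f"{key} entry missing")
        elif not value.startswith(ENCRYPTED_PREFIXES):
            findings.append(f"{key} is still in clear text; start the Administration Server to encrypt it")
    return findings


def demo(security_dir=None):
    """Write the file, check it, then simulate the rewrite the server performs at startup.

    Returns (findings_before_start, findings_after_start).
    """
    security_dir = security_dir or tempfile.mkdtemp()
    path = write_boot_properties(security_dir, "weblogic_idm", "example-password")
    before = check_boot_properties(path)
    # Constructed stand-in for the server's encrypted rewrite (values are not real ciphertext).
    with open(path, "w") as f:
        f.write("username={AES}c29tZXRoaW5n\npassword={AES}b3RoZXJ0aGluZw==\n")
    after = check_boot_properties(path)
    return before, after


if __name__ == "__main__":
    for phase, findings in zip(("before start", "after start"), demo()):
        print(phase, findings or "ok")
```

Run check_boot_properties against ASERVER_HOME/servers/AdminServer/security/boot.properties on each Administration Server node after the restart in the next section; a clear-text finding at that point means the server did not start from that directory.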

15.6.2 Restarting the Servers

Restart the WebLogic Administration Server and all managed servers, as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

15.7 Installing and Configuring WebGate 11g

This section describes how to install and configure WebGate.

15.7.1 Prerequisites

Ensure that the following tasks have been performed before installing the Oracle Web Gate:

  1. Install and configure the Oracle Traffic Director as described in Chapter 7.

  2. Ensure Oracle Access Management Access Manager has been configured as described in Chapter 11.

15.7.2 Installing Oracle WebGate on WEBHOST1 and WEBHOST2

Before starting the installer, ensure that Java is installed on your machine. To install Oracle WebGate, complete the following steps on WEBHOST1 and WEBHOST2.

  1. Start the WebGate installer by issuing the command:

    ./runInstaller
    

    You are asked to specify the location of the Java Development Kit for example:

    WEB_MW_HOME/jrockit_version

  2. On the Welcome screen, click Next.

  3. On the Install Software Updates screen, choose whether to skip updates, check with Oracle Support for updates, or search for updates locally.

    Click Next.

  4. If the prerequisites fail because of missing 32-bit libraries, you can safely ignore this failure.

  5. Click Next.

  6. On the Installation Location Screen, enter the following information:

    Oracle Home Directory: WEBGATE_ORACLE_HOME

    Click Next.

  7. On the installation summary screen, click Install.

  8. Click Next.

  9. Click Finish.

  10. Execute the deployWebGateInstance.sh command from the following directory:

    WEBGATE_ORACLE_HOME/webgate/iplanet/tools/deployWebGate
    

    Make sure this tool has executable permission.

    For example:

    ./deployWebGateInstance.sh -w WEB_ORACLE_INSTANCE/webgate/ -oh WEBGATE_ORACLE_HOME -ws otd
    

    Expected output:

    Copying files from WebGate Oracle Home to WebGate Instancedir
    
  11. Set the environment variable LD_LIBRARY_PATH to:

    WEBGATE_ORACLE_HOME/lib
    

    For example:

    export LD_LIBRARY_PATH=/u02/private/oracle/config/webgate/lib
    

    Note:

    The deployed location of WebGate must be the same on every host.

  12. Edit the properties in the sso.mycompany.com-obj.conf, admin.mycompany.com-obj.conf, and idminternal.mycompany.com-obj.conf files using the EditObjConf tool located in the following directory:

    WEBGATE_ORACLE_HOME/webgate/iplanet/tools/setup/InstallTools
    

    For example, on WEBHOST1, run the following:

    ./EditObjConf -f WEB_ORACLE_INSTANCE/net-IDM/config/sso.mycompany.com-obj.conf -oh WEBGATE_ORACLE_HOME -w /u02/private/oracle/config/webgate/webgate -ws otd
    
    ./EditObjConf -f WEB_ORACLE_INSTANCE/net-IDM/config/admin.mycompany.com-obj.conf -oh WEBGATE_ORACLE_HOME -w /u02/private/oracle/config/webgate/webgate -ws otd
    
    ./EditObjConf -f WEB_ORACLE_INSTANCE/net-IDM/config/idminternal.mycompany.com-obj.conf -oh WEBGATE_ORACLE_HOME -w /u02/private/oracle/config/webgate/webgate -ws otd
    

    Expected output:

    WEB_ORACLE_INSTANCE/config/magnus.conf has been backed up as WEB_ORACLE_INSTANCE/config/magnus.conf.ORIG
    WEB_ORACLE_INSTANCE/config/instance_config_name-obj.conf has been backed up as WEB_ORACLE_INSTANCE/instance_config_name-obj.conf.ORIG
    
  13. Register WebGate with the OAM 11g Server by copying the WebGate artifacts located in the following directory:

    ASERVER_HOME/output/Webgate_IDM_11g
    

    to the following directories:

    Copy aaa_cert.pem and aaa_key.pem to:

    WEB_ORACLE_INSTANCE/webgate/config/simple
    

    and

    Copy cwallet.sso, ObAccessClient.xml and password.xml to:

    WEB_ORACLE_INSTANCE/webgate/config
    

    To copy the artifacts run the following commands:

    cp ASERVER_HOME/output/Webgate_IDM_11g/aaa* /u02/private/oracle/config/webgate/webgate/config/simple
    
    cp ASERVER_HOME/output/Webgate_IDM_11g/password.xml /u02/private/oracle/config/webgate/webgate/config/
    
    cp ASERVER_HOME/output/Webgate_IDM_11g/ObAccessClient.xml /u02/private/oracle/config/webgate/webgate/config/
    
    cp ASERVER_HOME/output/Webgate_IDM_11g/cwallet.sso /u02/private/oracle/config/webgate/webgate/config/
    
  14. Add LD_LIBRARY_PATH to Oracle Traffic Director Start Scripts.

    To avoid having to set LD_LIBRARY_PATH each time you start Oracle Traffic Director, add it to the OTD start script:

    1. Edit the startserv file located in the following directory:

      WEB_ORACLE_INSTANCE/net-IDM/bin
      
    2. Locate the following line:

      # Set LD_LIBRARY_PATH for Solaris and Linux 
      LD_LIBRARY_PATH="${SERVER_LIB_PATH}:${LD_LIBRARY_PATH}"; export LD_LIBRARY_PATH
      
    3. Add the following line immediately after:

      LD_LIBRARY_PATH=$LD_LIBRARY_PATH:WEBGATE_ORACLE_HOME/lib; export LD_LIBRARY_PATH
      

      After editing, the file appears as follows:

      # Set LD_LIBRARY_PATH for Solaris and Linux
       
      LD_LIBRARY_PATH="${SERVER_LIB_PATH}:${LD_LIBRARY_PATH}"; export LD_LIBRARY_PATH
      LD_LIBRARY_PATH=$LD_LIBRARY_PATH:WEBGATE_ORACLE_HOME/lib; export LD_LIBRARY_PATH
      
    4. Save this file.

Note:

Configuring WebGate in this way directly modifies the Oracle Traffic Director (OTD) configuration files. These changes are not reflected in the OTD configuration store. When you go back into and modify the OTD configuration, you are notified that there is a discrepancy between that config store and the values on disk. It will ask you what you want to do. YOU MUST inform OTD that you wish to pull the configuration from the files, and NOT push the configuration back to the files. Selecting the wrong option removes the WebGate configuration you just performed.
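Step 14 has to be repeated on every web host, and the note above explains why a hand edit that is applied twice, or applied to a file that no longer contains the expected line, is worth guarding against. The following added example, which is not part of the Oracle documentation or of Oracle Traffic Director, performs the step 14 edit as an idempotent function: it inserts the WebGate lib line immediately after the LD_LIBRARY_PATH line the page tells you to locate, refuses to run if that line is absent, does nothing if the WebGate line is already there, and keeps a .ORIG copy of the original file in the same style as the EditObjConf backups shown earlier. SAMPLE_STARTSERV is a constructed stand-in for the real startserv script.

```python
# The line the page tells you to locate in startserv (step 14.2).
ANCHOR = 'LD_LIBRARY_PATH="${SERVER_LIB_PATH}:${LD_LIBRARY_PATH}"; export LD_LIBRARY_PATH'

# Constructed stand-in for an OTD startserv script (assumption; the real file has more content).
SAMPLE_STARTSERV = """\
#!/bin/sh
# (constructed placeholder for the generated parts of startserv)
# Set LD_LIBRARY_PATH for Solaris and Linux
LD_LIBRARY_PATH="${SERVER_LIB_PATH}:${LD_LIBRARY_PATH}"; export LD_LIBRARY_PATH
# (constructed placeholder for the lines that launch the server)
"""


def webgate_lib_line(webgate_oracle_home):
    """The line step 14.3 says to add, for a given WebGate Oracle home."""
    return f"LD_LIBRARY_PATH=$LD_LIBRARY_PATH:{webgate_oracle_home}/lib; export LD_LIBRARY_PATH"


def anchor_present(text):
    """True if the script contains the line the WebGate line must follow."""
    return any(line.strip() == ANCHOR for line in text.splitlines())


def add_webgate_lib_path(text, webgate_oracle_home):
    """Return startserv content with the WebGate lib line inserted after ANCHOR.

    Idempotent: a second run on a host that already has the line changes nothing,
    so the same script can be applied to WEBHOST1 and WEBHOST2 repeatedly.
    """
    new_line = webgate_lib_line(webgate_oracle_home)
    lines = text.splitlines()
    if any(line.strip() == new_line for line in lines):
        return text
    for idx, line in enumerate(lines):
        if line.strip() == ANCHOR:
            lines.insert(idx + 1, new_line)
            return "\n".join(lines) + "\n"
    raise ValueError("startserv does not contain the expected LD_LIBRARY_PATH line")


def patch_startserv_file(path, webgate_oracle_home):
    """Patch a startserv file in place, keeping a .ORIG copy; return True if it was modified."""
    with open(path) as f:
        original = f.read()
    patched = add_webgate_lib_path(original, webgate_oracle_home)
    if patched == original:
        return False
    with open(path + ".ORIG", "w") as f:
        f.write(original)
    with open(path, "w") as f:  # truncating in place keeps the file's mode and ownership
        f.write(patched)
    return True


if __name__ == "__main__":
    print(add_webgate_lib_path(SAMPLE_STARTSERV, "WEBGATE_ORACLE_HOME"))
```

Call patch_startserv_file("WEB_ORACLE_INSTANCE/net-IDM/bin/startserv", WEBGATE_ORACLE_HOME) with the real paths on each web host; because the deployed WebGate location must be the same on every host, the same argument works on WEBHOST1 and WEBHOST2.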

15.8 Restarting the Oracle Traffic Director Instance

Use the startserv command to start, or the stopserv command to stop your Oracle Traffic Director instance.

To stop the server, run the following command:

WEB_ORACLE_INSTANCE/net-IDM/bin/stopserv

To start the server, run the following command:

export LD_LIBRARY_PATH=WEBGATE_ORACLE_HOME/lib

WEB_ORACLE_INSTANCE/net-IDM/bin/startserv

To restart the Oracle Traffic Director instance, stop all running instances, and then run the start command.

15.9 Validating WebGate and the Access Manager Single Sign-On Setup

To validate that WebGate is functioning correctly, open a web browser and go to the OAM console URL listed in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

You now see the Oracle Access Management Login page displayed. Enter your OAM administrator user name (for example, oamadmin) and password and click Login. Then you see the Oracle Access Management console displayed.

Note:

After logging into the Oracle Access Management Console, and before trying to log in to the WebLogic Console, ensure that you log out of the OAM Console, as the user oamadmin does not have the access rights to access the WebLogic Console.

To validate the single sign-on setup, open a web browser and go to the WebLogic Administration Console and to Oracle Enterprise Manager Fusion Middleware Control at the URLs listed in Section 16.2, "About Identity Management Console URLs."

The Oracle Access Management Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in. Once logged in, you can move back and forth between the WebLogic Console and Fusion Middleware Control without being prompted for a password.
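The browser check above confirms that the consoles are reachable through single sign-on, but it does not by itself prove that every console is behind WebGate: a console that answers an unauthenticated request directly has been left outside the SSO protection. The following added example, which is not part of the Oracle documentation, fetches each console URL without cookies or credentials, does not follow redirects, and classifies the first response. It assumes that a WebGate 11g redirect to Access Manager contains the path /oam/server/obrareq.cgi; the host names in the usage block are constructed after the page's naming and should be replaced with the URLs from Section 16.2.

```python
import urllib.error
import urllib.request

# Path segment Access Manager 11g WebGates redirect to when collecting credentials
# (assumption of this example; adjust if your deployment's redirect looks different).
OAM_LOGIN_MARKER = "/oam/server/obrareq.cgi"


def classify(status, location):
    """Classify the first, unauthenticated response from a console URL.

    'protected'   : redirected to the Access Manager login, so WebGate intercepted the request
    'unprotected' : the console answered directly; WebGate is not in front of it
    'blocked'     : denied without an OAM redirect (for example no OAM server is running)
    'other'       : anything else, worth looking at by hand
    """
    if status in (301, 302, 303, 307, 308):
        if location and OAM_LOGIN_MARKER in location:
            return "protected"
        return "other"
    if status == 200:
        return "unprotected"
    if status in (401, 403):
        return "blocked"
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """Fetch url without cookies or credentials and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # raised for 3xx (not followed), 4xx and 5xx
        return classify(err.code, err.headers.get("Location"))


def check_consoles(urls, fetch=probe):
    """Map each console URL to its classification; 'fetch' is injectable for offline testing."""
    return {url: fetch(url) for url in urls}


if __name__ == "__main__":
    # Constructed host names following the page's naming; use the URLs from Section 16.2.
    consoles = [
        "http://admin.mycompany.com/console",
        "http://admin.mycompany.com/em",
        "http://admin.mycompany.com/oamconsole",
    ]
    for url, verdict in check_consoles(consoles).items():
        print(f"{verdict:12} {url}")
```

A result of 'unprotected' for any console means the corresponding obj.conf was not updated by EditObjConf or the OTD instance was restarted from the configuration store rather than from the edited files (see the note at the end of Section 15.7.2); 'blocked' with no OAM server running matches the note in Section 15.3.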

15.10 Backing Up Single Sign-on

Back up the Web Tier and WebLogic domain, as described in Section 16.6, "Backing Up the Oracle IDM Enterprise Deployment."