Configuring Secure Search with OracleAS Single Sign-On

If you use OracleAS Single Sign-On (SSO), then you can configure Oracle SES to use your SSO server for authentication. This section describes the necessary configuration steps.

OracleAS supported version with the current Oracle SES installation is 10.1.4.0.1, with the latest patch sets applied. The supported Oracle HTTP Server versions are 10.1.3 and 11g.

Note:

ORACLEAS_HOME refers to the Oracle home directory of the OracleAS middle tier installation, which is typically stored in a system variable. On UNIX systems, you can reference the path as $AS_HOME. On Windows, the equivalent is %AS_HOME%.

ORACLEOHS_HOME refers to the home directory of the Oracle HTTP server installation.

To enable Oracle SES for OracleAS Single Sign-on:  

1. Front the Oracle SES instance with Oracle HTTP Server, as described in "Configuring Oracle HTTP Server".

2. Configure OracleAS and Oracle SES, as described in "Configuring OracleAS and Oracle SES for Single Sign-on Security".

Configuring Oracle HTTP Server

The Oracle SES middle tier runs on Oracle WebLogic server, which is installed in ORACLE_BASE/wlserver.

You can configure either Oracle HTTP Server 10.1.3 or Oracle HTTP Server 11g. Special configuration is necessary on both the Oracle SES side and the Oracle HTTP Server side.

Note:

When using Oracle HTTP Server fronting, Oracle SES allows the Oracle HTTP Server to assert the identity of the current user. You must limit this privilege to only trusted Oracle HTTP Server instances by SSL-protecting the communication between Oracle SES and Oracle HTTP Server.

To configure Oracle HTTP Server 10.1.3: 

1. Copy the file mod_wl_20.so from ORACLE_BASE/wlserver/server/plugin/linux/i686 to ORACLEOHS_HOME/ohs/modules.

2. Edit the file httpd.conf available at ORACLEOHS_HOME/ohs/conf/ to include the following lines:

   LoadModule weblogic_module [Complete path to mod_wl_20.so] 
   <IfModule mod_weblogic.c>
      WebLogicHost [SES host name]
      WebLogicPort [SES HTTP port]
   </IfModule>
   <Location /search/query>
      SetHandler weblogic-handler
   </Location>
   <Location /search/admin>
      SetHandler weblogic-handler
   </Location>
   

   For example, if the ORACLEOHS_HOME is /ohsHome, Oracle SES host is sesHost and the Oracle SES port is 8001, then the file contains the following content:

   LoadModule weblogic_module  /ohsHome/ohs/modules/mod_wl_20.so
   <IfModule mod_weblogic.c>
      WebLogicHost sesHost
      WebLogicPort 8001
   </IfModule>
   <Location /search/query>
      SetHandler weblogic-handler
   </Location>
   <Location /search/admin>
      SetHandler weblogic-handler
   </Location>
   

3. Edit the httpd.conf to comment out or remove the following lines:

   #LoadModule auth_module modules/mod_auth.so 
    #LoadModule auth_anon_module modules/mod_auth_anon.so 
    #LoadModule auth_db_module modules/mod_auth_dbm.so
   

4. Register Oracle HTTP Server mod_osso with Oracle Single Sign-On server 10.1.4. To do register it, run the following command from ORACLEAS_HOME:

   >setenv ORACLE_HOME [full path to $OracleAS_Home]
    
   >$OracleAS_Home/sso/bin/ssoreg.sh –oracle_home_path  [Complete Path of OracleAS_Home]  -site_name  [Hostname Of The Fronting OHS Server:Port]  -config_mod_osso TRUE  -mod_osso_url [http:// Hostname Of The Fronting OHS Server:Port]  -update_mode  CREATE  -remote_midtier  -config_file [Path to generate the file osso.conf]
   

   For example, if you installed Oracle Identity Management 10g in /asHome, and the OHS URL is http://ohsserver:7779, then you must run the following command:

   >setenv ORACLE_HOME /asHome
    
   >$OracleAS_Home/sso/bin./ssoreg.sh -oracle_home_path /asHome -site_name ohsserver:7779 -config_mod_osso TRUE -mod_osso_url http://ohsserver:7779 -update_mode CREATE -remote_midtier -config_file /temp/osso.conf
   

5. Configure mod_osso to protect web resources with static directives. Take these steps:

   • Copy the file osso.conf generated in step 4 to: ORACLEOHS_HOME/ohs/conf/osso.

   • Edit the file mod_osso.conf available at ORACLEOHS_HOME/ohs/conf/ to include the following:

     LoadModule osso_module [path of OracleOHS_Home]/ohs/modules/mod_osso.so
     <IfModule mod_osso.c>
             OssoIdleTimeout off
             OssoIpCheck on
             OssoConfigFile [path of OracleOHS_Home]/ohs/conf/osso/osso.conf
     #OssoRedirectByForm off
     #OssoSecureCookies on
     #OssoProtectedOnly on
     #OssoSecureCookies on
     #OssoSendCacheHeaders on
     #OssoHttpsFrontend on
     #UseWebCacheIp on
     <Location /search/query/formlogin.uix> 
             require valid-user
             AuthType Basic
     </Location>
     </IfModule>
     

6. Edit the file httpd.conf to include the following:

   include OracleOHS_Home/ohs/conf/mod_osso.conf
   

   For example, if your ORACLEOHS_HOME is /ohsHome, then the value would be:

   include /ohsHome/ohs/conf/mod_osso.conf
   

7. Restart the HTTP server:

   > $OracleOHS_Home/opmn/bin/opmnctl restartproc process-type=HTTP_Server
   

To configure Oracle HTTP Server 11g: 

1. Set ORACLE_HOME and ORACLE_INSTANCE.

   For example, if Oracle HTTP Server is installed at /ohsHome:

   >setenv ORACLE_HOME /ohsHome
   

   If the instance is named myInstance

   >setenv ORACLE_INSTANCE /ohsHome/instances/myInstance
   

2. Edit the file mod_wl_ohs.conf available at ORACLEOHS_HOME/instances/instance1/config/OHS/ohs1/ to include the following:

   <IfModule weblogic_module>
     WebLogicHost [SES host name]
     WebLogicPort [SES HTTP port]
     Debug ON
     WLLogFile Convenient Location of the log
   </IfModule>
   <Location /search/query>
     SetHandler weblogic-handler
   </Location>
   <Location /search/admin>
     SetHandler weblogic-handler
   </Location>
   # For monitor SES URL
   <Location /monitor>
   SetHandler weblogic-handler
   </Location>
   # For Help links in Admin side
   <Location /search/ohw>
   SetHandler weblogic-handler
   </Location>
   

   For example, if your Oracle SES host is sesHost and Oracle SES port is 8001,

   <IfModule weblogic_module>
      WebLogicHost sesHost
      WebLogicPort 8001
      WLLogFile /scratch/exampleuser/weblogic.log
   </IfModule>
   <Location /search/query>
      SetHandler weblogic-handler
   </Location>
   <Location /search/admin>
      SetHandler weblogic-handler
   </Location>
   <Location /monitor>
      SetHandler weblogic-handler
   </Location>
   <Location /search/ohw>
      SetHandler weblogic-handler
   </Location>
   

3. Register Oracle HTTP Server mod_osso with Oracle Single Sign-On Server 10.1.4. Run the following command from OracleAS_Home:

   >setenv ORACLE_HOME [full path to $OracleAS_Home]
   
   >$OracleAS_Home/sso/bin/ssoreg.sh –oracle_home_path  [Complete Path of OracleAS_Home]  -site_name  [Hostname Of The Fronting OHS Server:Port]  -config_mod_osso TRUE  -mod_osso_url [http:// Hostname Of The Fronting OHS Server:Port]  -update_mode  CREATE  -remote_midtier  -config_file [Path to generate the file osso.conf]
   

   For example, if you installed Oracle Identity Management 10g in /asHome, and the OHS URL is http://ohsserver:7779, then you need to run the following command:

   >setenv ORACLE_HOME /asHome
    
   >$OracleAS_Home/sso/bin./ssoreg.sh -oracle_home_path /asHome -site_name ohsserver:7779 -config_mod_osso TRUE -mod_osso_url http://ohsserver:7779 -update_mode CREATE -remote_midtier -config_file /temp/osso.conf
   

4. Configure mod_osso to protect Web resources with static directives:

   1. Copy osso.conf generated above to the location OracleOHS_HOME/instances/instance1/config/OHS/ohs1/conf

   2. Copy the file mod_osso.conf from OracleOHS_HOME/instances/instance1/config/OHS/ohs1/disabled/ to OracleOHS_HOME/instances/instance1/config/OHS/ohs1/moduleconf/.

   3. Edit the file mod_osso.conf located at OracleOHS_HOME/instances/instance1/config/OHS/ohs1/moduleconf to include the following lines:

      LoadModule osso_module ${OracleOHS_HOME}/ohs/modules/mod_osso.so
      <IfModule mod_osso.c>
        OssoIdleTimeout off
        OssoIpCheck on
        OssoSecureCookies Off
      OssoConfigFile  <path_to_osso.conf_file>
      #Location is the URI you want to protect
      <Location />
        require valid-user
        AuthType Osso
      </Location>
      </IfModule>
      

      For example if your OracleOHS_Home is /ohsHome and you generated the osso.conf file at OracleOHS_HOME/instances/instance1/config/OHS/ohs1/conf, then you need to include the following:

      LoadModule osso_module "${OracleOHS_HOME}/ohs/modules/mod_osso.so"
      <IfModule osso_module>
         OssoIpCheck off
         OssoIdleTimeout on
         OssoSecureCookies Off
         OssoConfigFile  /ohsHome/instances/instance1/config/OHS/ohs1/conf/osso.conf
      <Location /search/query/formlogin.uix>
         require valid-user
         AuthType Osso
      </Location>
      </IfModule>
      

   4. Edit the file httpd.conf located at OracleOHS_HOME/instances/instance1/config/OHS/ohs1/ to include the following at the end of the file:

      include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/moduleconf/mod_osso.conf"
       
      # Include the configuration files needed for mod_weblogic
      include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/mod_wl_ohs.conf"
       
      # Include the SSL definitions and Virtual Host container
      include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl.conf"
      # Include the admin virtual host (Proxy Virtual Host) related configuration
      include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/admin.conf"
       
      include "moduleconf/*.conf"
      

5. Restart the HTTP server with the command

   /$OracleOHS_Home/instances/instance1/bin/opmnctl startproc process-type=OHS
   

Configuring OracleAS and Oracle SES for Single Sign-on Security

To configure OracleAS to front Oracle SES: 

1. Add providers for a WebLogic domain for OSSO. To add them, copy the file ossoiap.jar to the following location within Oracle WebLogic Server: ORACLE_BASE/wlserver/server/lib/mbeantypes/. The file ossoiap.jar is located in ORACLEOHS_HOME/modules/oracle.ossoiap_11.1.1/.

   Note that ossoiap.jar is available only with OHS 11g. If you have configured SSO with OHS 10g, then you must separately install OHS 11g to obtain this file.

2. Restart the Oracle SES midtier.

   searchctl restart
   

3. Add OSSO Identity Asserter as described in "Adding OSSO Identity Asserter".

4. Add OID Authenticator as described in "Adding OID Authenticator".

5. Turn on the Single Sign-On flag in Oracle SES. This is done by updating the deployment plan for the query application. To do this:

   1. Edit the file QueryPlan.xml located in ORACLE_HOME/search/tools/weblogic/deploy/plans/ to add the following:

      <variable-definition>
       <variable>
        <name>sso_enabled</name>
         <value>true</value>
       </variable>
       
       <variable>
        <name>sso_vendor_name</name>
        <value>osso</value>
       </variable>
       
       <variable>
        <name>sso_user_guid_header</name>
        <value>Osso-User-Guid</value>
       </variable>
       
       <variable>
        <name>sso_username_header</name>
        <value>REMOTE_USER</value>
       </variable>
      </variable-definition>
      

   2. Redeploy the query application with the modified deployment plan. To redeploy, run the following command from ORACLE_HOME/search/tools/weblogic/deploy/

      >./deployer.sh -serverURL t3://<URL of the weblogic server>:<port>  -user Weblogic Username -password SES Admin Password -name Name of the app -plan Location of the deployment plan -process <redeploy or deploy>
      

      For example, if you install Oracle SES on the host myWlsServer and port 6666, and the Oracle SES admin password is welcome1, then you need to issue the following command:

      > ./deployer.sh -serverURL t3://myWlsServer:6666/ -user weblogic -password welcome1 -name search_query -plan $ORACLE_HOME/search/tools/weblogic/deploy/plans/QueryPlan.xml -process redeploy
      

Adding OSSO Identity Asserter

To add an OSSO Identity Asserter to the domain, use the Oracle WebLogic Administration Console to perform the following steps:

1. Log in to the WebLogic Administration Console.

2. Click Security Realms, Default Realm Name, Providers.

3. Click New under the Authentication Providers table.

4. Enter a name for the new provider, select its type, and then click OK. For example:

   Name: OSSO Identity Asserter

   Type: OSSOIdentityAsserter

5. Click the name of the newly added provider.

6. On the Common tab, set the appropriate values for common parameters and set the Control Flag to SUFFICIENT and then save the settings.

7. Save all configuration settings.

8. Stop and restart the Oracle WebLogic Server for the changes to take effect.

Adding OID Authenticator

To add an OID Authenticator to the domain, use the Oracle WebLogic Administration Console to perform the following steps:

1. Log in to the WebLogic Administration Console.

2. Click Security Realms, Default Realm Name, Providers.

3. Click New under the Authentication Providers table.

4. Enter a name for the new provider, select its type, and then click OK. For example:

   Name: OID Authenticator

   Type: OracleInternetDirectoryAuthenticator

5. Click Save.

6. Click the newly added authenticator to see the Settings page. Retain the default settings; do not change the Control Flag until you have verified that the Oracle Internet Directory configuration is valid.

7. On the Common tab, specify the following required settings and then save the settings.

   Propagate Cause For Login Exception: Check.

   Principal: LDAP administrative user. For example: cn=orcladmin

   Host: The Oracle Internet Directory host name

   Use Retrieved User Name as Principal: Check

   Credential: LDAP administrative user password. For example: password

   Confirm Credential: For example: password

   Group Base DN: Oracle Internet Directory group search base

   User Base DN: Oracle Internet Directory user search base.

   Port: Oracle Internet Directory port

8. Save all configuration settings.

9. Stop and restart the Oracle WebLogic Server for the changes to take effect.

After adding OSSO Identity Asserter and OID Authenticator as authentication providers, perform the following steps:

1. Log in to the WebLogic Administration Console.

2. Click Security Realms, Default Realm Name, Providers.

3. Select the Users and Groups tab to see a list of users and groups contained in the configured authentication providers.

   You should see user names from the Oracle Internet Directory configuration, which implicitly verifies that the configuration is working.

4. If the Oracle Internet Directory instance is configured successfully, you can change the control flag.

   If the Oracle Internet Directory authentication is sufficient for an application to identify the user, then choose the SUFFICIENT flag. SUFFICIENT indicates that if a user can be authenticated against Oracle Internet Directory, no further authentication is required. REQUIRED indicates that the authentication provider must authenticate the user even if another provider has already authenticated the user.

5. If your application requires the user name to be in the same case as in Oracle Internet Directory (uppercase, lowercase, initial capitals), select Use Retrieved User Name as Principal.

6. Save the changes.

7. Activate the changes and restart Oracle WebLogic Server.