Oracle® Secure Enterprise Search Administrator's Guide 11g Release 1 (11.1.2.2) Part Number E21605-01
You can implement an SSO authentication mechanism for Oracle SES by using Oracle Access Manager.
Ensure that the following components are installed:
OAM 10.1.4.3.0 or higher. See Oracle Access Manager Installation Guide.
Oracle HTTP Server (OHS) 11g.
Oracle Internet Directory (OID) 10.1.4.3.0 or higher. See Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. Also see "Configuring OID" for information on configuring OID.
Oracle HTTP Server WebGate.
You must install OAM and add an entry for WebGate in OAM before installing WebGate. Oracle Access Manager Installation Guide provides detailed information about installing WebGate. Follow the steps as provided in this guide. However, for some steps, such as creating a WebGate instance and installing WebGate, you must provide certain OAM SSO-specific parameters, as listed in "Installing and Configuring WebGate".
To implement the OAM-SSO authentication on Oracle SES, you must configure OHS, Oracle SES, OID, and OAM.
You must install OID 10.1.4.3.0 or higher. This is required because the Oracle SES parameter sso_user_guid_header must be used to send the ORCLGUID attribute from OAM to SES, and this can be done only with OID 10.1.4.3.0 or higher.
To enable this on OID:
Add the following to an LDIF file:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclallattrstodn
orclallattrstodn: cn=orcladmin
Import the LDIF file into OID by using the following command:
$LDAP_HOME/bin/ldapmodify -D cn=orcladmin -w password -h host -p port -c -v -f ldifFile
To verify that the change was applied, use the following command:
$LDAP_HOME/bin/ldapsearch -b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" -s base -h host -p port -w password -D "cn=orcladmin" "objectclass=*"
You should see orclallattrstodn as an attribute of the dsaconfig entry.
Restart the OAM Access Server and the OAM Identity Server:
$OAM_HOME/as/access/oblix/apps/common/bin/restart_access_server
$OAM_HOME/is/identity/oblix/apps/common/bin/restart_ois_server
To configure OHS, perform the following tasks:
Edit mod_wl_ohs.conf to include the following. The file is located at ORACLEOHS_HOME/instances/instance1/config/OHS/ohs1/, where instance1 is the instance name of OHS.
<IfModule weblogic_module>
  WebLogicHost [SES host name]
  WebLogicPort [SES HTTP port]
  WLLogFile [convenient location of the log]
</IfModule>
<Location /search/query>
  SetHandler weblogic-handler
</Location>
<Location /search/admin>
  SetHandler weblogic-handler
</Location>
# For monitor SES URL
<Location /monitor>
  SetHandler weblogic-handler
</Location>
# For Help links in Admin side
<Location /search/ohw>
  SetHandler weblogic-handler
</Location>
For example, if your SES host is sesHost and the port is 8001:
<IfModule weblogic_module>
  WebLogicHost sesHost
  WebLogicPort 8001
  WLLogFile /scratch/exampleuser/weblogic.log
</IfModule>
<Location /search/query>
  SetHandler weblogic-handler
</Location>
<Location /search/admin>
  SetHandler weblogic-handler
</Location>
<Location /monitor>
  SetHandler weblogic-handler
</Location>
<Location /search/ohw>
  SetHandler weblogic-handler
</Location>
Edit httpd.conf, located at ORACLEOHS_HOME/instances/instance1/config/OHS/ohs1/, to include the following at the end of the file:
# Include configuration for mod_weblogic
include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/mod_wl_ohs.conf"
Ensure that this line of code is on a single line.
Restart the HTTP server.
$ORACLEOHS_HOME/instances/instance1/bin/opmnctl restartproc process-type=OHS
A WebGate is a Web server plug-in that is shipped out-of-the-box with Oracle Access Manager. The WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for authentication and authorization. See Oracle Access Manager Installation Guide for more information on installing a WebGate.
While installing WebGate, you must configure some parameters for the OAM SSO authentication.
Provide the following values while defining a WebGate instance in the Access System Console:
AccessGateName: Set as SESAccessGate
Description: Set as Secure Enterprise Search Access Gate
HostName: This is the host name on which OHS is installed.
AccessGate Password: Set a password.
Port: This is the port number set during OHS installation.
Transport Security: Set to Open. Open mode sends WebGate-to-Access Server traffic unencrypted; for a production deployment, consider Simple or Cert mode instead.
Preferred HTTP Host: The domain for OHS. For example, if the OHS hostname is myhost.oracle.com, then the domain is oracle.com.
Ensure that Access Management Service is on.
Provide the following parameters while specifying the WebGate configuration details:
WebGate ID: Enter SESAccessGate.
WebGate Password: The same as AccessGate password.
Access Server ID: Obtain this from Access System Console.
DNS hostname: Obtain this from Access System Console.
Port number: Obtain this from Access System Console.
Perform the following tasks:
Create a login page for Oracle HTTP Server, for example ORACLEOHS_HOME/ohs/htdocs/login/login.html. The field names (usernamevar, passwordvar) and the form action must match the creds and action challenge parameters of the form login scheme defined in the next step:
<html>
<head>
  <title>SES-OAM Test Login Page</title>
</head>
<body bgcolor="white">
  <h1 align="center">SES-OAM SSO Login Page: Sign-In</h1>
  <form method="POST" action="/myaction/test.html">
    <table border="0" cellspacing="5">
      <tr>
        <th align="right">Username:</th>
        <td align="left"><input type="text" name="usernamevar"></td>
      </tr>
      <tr>
        <th align="right">Password:</th>
        <td align="left"><input type="password" name="passwordvar"></td>
      </tr>
      <tr>
        <td align="right"><input type="submit" value="Log In"></td>
        <td align="left"><input type="reset"></td>
      </tr>
    </table>
  </form>
</body>
</html>
Define a form-based authentication in OAM Policy Manager:
From http://OAMHost:OAMPort/access/oblix, select Access System Console, then Access System Configuration, and then Authentication Management.
Create Form Login method with the following options:
Name: OAMFormLogin
Description: OAM Form-based login
Level: 1
Challenge Method: Form
Challenge Parameter:
form: /login/login.html
creds: usernamevar passwordvar
action: /myaction/test.html
passthrough: no
SSL Required: No. This test setting posts the user's credentials over plain HTTP; for any deployment beyond a test, set it to Yes and serve the login page and form action over HTTPS.
Enabled: Yes
Set up the following plugins under the Plugins tab:
credential_mapping:
obMappingBase="o=company,c=us",obMappingFilter="(&(&(objectclass=gensiteorgperson)(genuserid=%usernamevar%))(|(!(obuseraccountcontrol=*))(obuseraccountcontrol=ACTIVATED)))"
validate_password:
obCredentialPassword="passwordvar"
where obMappingBase is the base DN for the user search in the LDAP directory server, and obMappingFilter is the LDAP filter used to search for a user with a given user ID. The directory login attribute is an attribute defined in the Identity System using a Semantic login type.
Ensure that a default step exists in the Steps tab to use the credential_mapping
and validate_password
plugins.
Create a policy in the Policy Manager to protect the query application login link using the form authentication created in the previous step:
From http://OAMHost:OAMPort/access/oblix
, select Policy Manager, and then Create Policy Domain.
Protect an HTTP resource with /search/query/formlogin.uix as the URL prefix.
In the Authorization Rules tab, add the role myrole. Also set the following:
Enabled: Yes
Allow takes precedence: Yes
Under the Actions tab for myrole, first add the following return action:
Type: HeaderVar
Name: HTTP_USER_GUID
Return Attribute: orclguid
Then add the following return action:
Type: HeaderVar
Name: HTTP_USER_NAME
Return Attribute: uid
Under Allow Access tab, ensure that anyone is allowed access.
Enable the new policy under My Policy Domains.
Click Default Rules, and under Authentication Rule, add a rule to use the form login scheme as the Authentication Scheme.
Under Authorization Expression, ensure that myrole is selected for Default Rules.
Create a second policy in Policy Manager to protect the HTTP resource /search/query with the Anonymous Authentication option. The steps are the same as for the previous policy, except that under Default Rules, Authentication Rule, you select Anonymous Authentication as the Authentication Scheme instead of the form login scheme.
Configure Oracle SES to use the SSO parameter settings in Table 11-7. To modify the settings, edit ORACLE_HOME/search/tools/weblogic/deploy/plans/QueryPlan.xml.
See Example 11-2, "SSO Parameters in QueryPlan.xml".
See Also:
"Configuring Centralized Logout for 11g [or 10g] WebGate with OAM 11g Servers" in the Oracle Access Manager Access Administration Guide
Table 11-7 Oracle SES Parameter Settings in QueryPlan.xml
Parameter | Value |
---|---|
sso_enabled | true |
sso_vendor_name | oam |
sso_user_guid_header | HTTP_USER_GUID |
sso_username_header | HTTP_USER_NAME |
sso_public_username | OblixAnonymous |
sso_logout_return_url | Dependent on the version of WebGate in use. WebGate 11g: /oamsso/logout.html?end_url=/search/query/search, as in Example 11-2, where end_url is the page the user is returned to after logout. WebGate 10g: see "Configuring Centralized Logout for 11g [or 10g] WebGate with OAM 11g Servers", referenced above. |
Because SES identifies the user from the HTTP_USER_GUID and HTTP_USER_NAME headers, those headers are only trustworthy when every request reaches SES through OHS and the WebGate. Ensure that the SES WebLogic port (8001 in the example above) is not reachable by end users except through OHS.
Example 11-2 SSO Parameters in QueryPlan.xml
<variable>
  <name>sso_enabled</name>
  <value>true</value>
  <description>Whether SSO is enabled: true or false. The default is false.</description>
</variable>
<variable>
  <name>sso_vendor_name</name>
  <value>oam</value>
  <description>The SSO vendor name. Supported values are osso or oam.</description>
</variable>
<variable>
  <name>sso_user_guid_header</name>
  <value>HTTP_USER_GUID</value>
  <description>The HTTP header name that the SSO server uses to pass the user GUID to SES. The value in the header should match the value of the user's canonical attribute for the active identity plugin.</description>
</variable>
<variable>
  <name>sso_username_header</name>
  <value>HTTP_USER_NAME</value>
  <description>The HTTP header name that the SSO server uses to pass the search username to SES. The value in the header should match the value of the user's authentication attribute for the active identity plugin. Specify REMOTE_USER to use getRemoteUser in the HTTP request to retrieve the username.</description>
</variable>
<variable>
  <name>sso_public_username</name>
  <value>OblixAnonymous</value>
  <description>Specify the username of the public user if the SSO server is configured to send a public user name in the sso_username_header for unprotected or anonymously protected resources.</description>
</variable>
<variable>
  <name>sso_logout_return_url</name>
  <value>/oamsso/logout.html?end_url=/search/query/search</value>
  <description>Specify a URL to redirect to after a user logs out.</description>
</variable>
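The following Python script is an added illustration, not Oracle SES or OAM code, of how the HeaderVar return actions defined in the policy above (HTTP_USER_GUID from orclguid, HTTP_USER_NAME from uid) and the sso_* variables of Example 11-2 fit together. It reads the variables out of a deployment-plan fragment, checks them against the allowed values given in the variable descriptions, and resolves one request's headers to a public user, an authenticated user, or a rejection. The deployment-plan wrapper elements, the resolve_user() logic and the TRUSTED_PROXIES address are assumptions; in particular, accepting identity headers only from the OHS/WebGate host is a hardening the example adds to make the trust boundary explicit, not documented SES behaviour.

```python
"""Model of header-based SSO as configured in QueryPlan.xml (illustrative only)."""
import xml.etree.ElementTree as ET

# Constructed sample: the sso_* variables of Example 11-2 inside a minimal
# deployment-plan skeleton. The wrapper element names are assumed.
SAMPLE_PLAN = """<?xml version="1.0" encoding="UTF-8"?>
<deployment-plan>
  <variable-definition>
    <variable><name>sso_enabled</name><value>true</value></variable>
    <variable><name>sso_vendor_name</name><value>oam</value></variable>
    <variable><name>sso_user_guid_header</name><value>HTTP_USER_GUID</value></variable>
    <variable><name>sso_username_header</name><value>HTTP_USER_NAME</value></variable>
    <variable><name>sso_public_username</name><value>OblixAnonymous</value></variable>
    <variable><name>sso_logout_return_url</name>
      <value>/oamsso/logout.html?end_url=/search/query/search</value></variable>
  </variable-definition>
</deployment-plan>
"""

# Assumed address of the OHS/WebGate host that is allowed to set identity headers.
TRUSTED_PROXIES = {"10.0.0.5"}


def _local(tag):
    """Strip an XML namespace prefix, so a namespaced plan is read the same way."""
    return tag.rsplit("}", 1)[-1]


def load_sso_settings(plan_xml):
    """Collect every <variable> whose name starts with sso_ into a dict."""
    settings = {}
    for var in ET.fromstring(plan_xml).iter():
        if _local(var.tag) != "variable":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in var}
        name = fields.get("name", "")
        if name.startswith("sso_"):
            settings[name] = fields.get("value", "")
    return settings


def validate_sso_settings(s):
    """Return a list of problems, using the allowed values from Example 11-2."""
    problems = []
    if s.get("sso_enabled") not in ("true", "false"):
        problems.append("sso_enabled must be true or false")
    if s.get("sso_enabled") == "true":
        if s.get("sso_vendor_name") not in ("osso", "oam"):
            problems.append("sso_vendor_name must be osso or oam")
        for key in ("sso_user_guid_header", "sso_username_header"):
            if not s.get(key):
                problems.append(key + " must name a header")
    return problems


def resolve_user(s, headers, remote_user, client_ip):
    """Map one request to ("public", None), ("user", (name, guid)) or
    ("reject", reason). Modelled on the parameter descriptions, not SES code."""
    if s.get("sso_enabled") != "true":
        return ("public", None)
    if client_ip not in TRUSTED_PROXIES:
        # A client that bypasses OHS/WebGate could set HTTP_USER_* itself.
        return ("reject", "identity headers not from the trusted proxy")
    hdrs = {k.upper(): v for k, v in headers.items()}
    if s["sso_username_header"] == "REMOTE_USER":
        username = remote_user  # stands in for getRemoteUser()
    else:
        username = hdrs.get(s["sso_username_header"].upper())
    public = s.get("sso_public_username")
    if not username or (public and username == public):
        return ("public", None)  # unprotected or anonymously protected resource
    guid = hdrs.get(s["sso_user_guid_header"].upper())
    if not guid:
        return ("reject", "username without matching GUID header")
    return ("user", (username, guid))


if __name__ == "__main__":
    cfg = load_sso_settings(SAMPLE_PLAN)
    print("problems:", validate_sso_settings(cfg))
    print(resolve_user(cfg, {"HTTP_USER_NAME": "OblixAnonymous"}, None, "10.0.0.5"))
    print(resolve_user(cfg, {"HTTP_USER_NAME": "jsmith", "HTTP_USER_GUID": "0A1B"}, None, "10.0.0.5"))
    print(resolve_user(cfg, {"HTTP_USER_NAME": "jsmith", "HTTP_USER_GUID": "0A1B"}, None, "192.0.2.9"))
```

The anonymous policy on /search/query means an unauthenticated visitor still arrives with HTTP_USER_NAME set to OblixAnonymous, which is why sso_public_username must match that value exactly; a mismatch would make SES treat every anonymous visitor as a named user without a GUID.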