Oracle® Student Learning Installation and Deployment Guide
Release 3.1.3

Part Number E20664-04

10 Configuring OSSO Solution

This chapter provides step-by-step instructions for configuring OSSO as the single sign-on solution for OSL. You can find a complete explanation of the OSSO solution in "Chapter 10 Configuring Single Sign-On in Oracle Fusion Middleware" in the Oracle® Fusion Middleware Security Guide 11g Release 1 (11.1.1) at

http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/toc.htm

10.1 Installing Oracle Single Sign-On and Oracle Delegated Administration Services

There are no 11g Release 1 (11.1.1) versions of Oracle Single Sign-On and Oracle Delegated Administration Services. However, both Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0) are certified for use with Oracle Internet Directory 11g Release 1 (11.1.1).

You can find related information in "Chapter 10 Installing Oracle Single Sign-On and Oracle Delegated Administration Services Against Oracle Internet Directory" in the Oracle® Fusion Middleware Installation Guide for Oracle Identity Management 11g Release 1 (11.1.1) at

http://download.oracle.com/docs/cd/E12839_01/install.htm

10.2 Configuring SSO for Learning Tool

To configure SSO for Learning Tool, perform the steps in the subsequent sections.

10.2.1 Installing HTTP Server

Install a web server to be used as a front end to the Oracle WebLogic Server. In this guide, we use Oracle HTTP Server (OHS) 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.

10.2.2 Configuring mod_wl_ohs

If you select the option “Associate Selected Components with WebLogic Domain” during the installation of Web Tier Utilities, you are able to manage the web server using Enterprise Manager (EM).

This section demonstrates the configuration of mod_wl_ohs using EM. However, it is also possible to do the same configuration by manually editing the configuration files.

To configure mod_wl_ohs from EM, perform the following:

  1. Select the OHS instance on the left panel.

  2. Select Oracle HTTP Server > Administration > mod_wl_ohs Configuration on the right panel.

    Figure 10-1 Configuring mod_wl_ohs

  3. Enter the value for WebLogic Host, WebLogic Port, and Locations. Figure 10-2 shows a sample setup for Learning Tool Admin and Learning Tool.

    Figure 10-2 Sample mod_wl_ohs configuration for LT Admin

    This configuration will effectively be added to the mod_wl_ohs.conf file of this OHS instance. You can also manually modify this file without using the EM.

    Note:

    If you install Web Tier Utilities, you can locate the mod_wl_ohs.conf file at, for example:

    <MIDDLEWARE_HOME>/Oracle_WT1/instances/instance1/config/OHS/ohs1/

    For example:

    <IfModule weblogic_module>
    
    WebLogicHost yourservername.com
    WebLogicPort 7002 
    
    <Location /LTAdminWeb>  
     SetHandler weblogic-handler 
    </Location>  
    
    </IfModule>
    

    Figure 10-3 Sample mod_wl_ohs configuration for LT

    This configuration will effectively be added to the mod_wl_ohs.conf file of this OHS instance. You can also manually modify this file without using the EM.

    For example:

    <IfModule weblogic_module>
    
    WebLogicHost yourservername.com 
    WebLogicPort 7002 
    
    <Location /LTWeb>  
     SetHandler weblogic-handler 
    </Location>  
    
    </IfModule>
    

10.2.3 Registering OHS mod_osso with OSSO Server

To register OHS mod_osso with OSSO server, perform the following:

  1. Execute the ssoreg.sh tool, which can be found in <OSSO_HOME>/sso/bin, where <OSSO_HOME> is the directory in which Oracle Single Sign-On is installed.

    Note:

    The directory where you want to store the result config file must be created beforehand.

    $cd <OSSO_HOME>/sso/bin
    
    $export ORACLE_HOME=<OSSO_HOME>
    
    $./ssoreg.sh -oracle_home_path <OSSO_HOME> -site_name LearningToolAdmin -config_mod_osso TRUE -mod_osso_url http://<LT_WEB_HOST>:<LT_WEB_PORT> -update_mode CREATE -remote_midtier -config_file <OSSO_HOME>/temp/osso_admin.conf
    
    $./ssoreg.sh -oracle_home_path <OSSO_HOME> -site_name LearningTool -config_mod_osso TRUE -mod_osso_url http://<LT_WEB_HOST>:<LT_WEB_PORT> -update_mode CREATE -remote_midtier -config_file <OSSO_HOME>/temp/osso_lt.conf
    

    where:

    <LT_WEB_HOST> and <LT_WEB_PORT> are the host name and port of the web server configured as a front end to provide access to the Learning Tool Admin application.

    <LT_WEB_HOST> and <LT_WEB_PORT> are the host name and port of the web server configured as a front end to provide access to the Learning Tool application.

  2. Copy this file to the web server instance location.

    For example:

    <MIDDLEWARE_HOME>/Oracle_WT1/instances/instance1/config/OHS/ohs1/osso/osso_admin.conf
    
    <MIDDLEWARE_HOME>/Oracle_WT1/instances/instance2/config/OHS/ohs2/osso/osso_lt.conf
    

10.2.4 Configuring mod_osso to Protect Web Resources

To configure mod_osso to protect web resources, perform the following:

  1. Enable mod_osso from EM.

    Select the OHS instance on the left panel and select Oracle HTTP Server > Administration > Server Configuration on the right panel.

    Figure 10-4 Configuring mod_osso

    Check the check box for mod_osso and click Apply.

    Figure 10-5 Enabling mod_osso

  2. Configure mod_osso.

    Go to the Advanced Server Configuration. The Advanced Server Configuration screen enables you to edit the configuration files directly. From the list, select mod_osso.conf and click Go.

    Figure 10-6 Setting up Advanced Server Configuration

    Edit the content of this file (see Figure 10-7).

    Figure 10-7 Editing Content of mod_osso

    You can also manually edit the content of this file without using EM. The following are sample configurations for Learning Tool Admin and Learning Tool.

    Sample configuration for Learning Tool Admin:

    LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
    
    <IfModule osso_module>    
      OssoIpCheck on    
      OssoIdleTimeout off    
      OssoSecureCookies off    
     
      OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_admin.conf   
    
     <Location /LTAdminWeb>        
      require valid-user        
      AuthType Osso    
     </Location>
    </IfModule>
    

    Sample configuration for Learning Tool:

    LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
    
    <IfModule osso_module>    
     OssoIpCheck on    
     OssoIdleTimeout off    
     OssoSecureCookies off    
    
     OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_lt.conf
     OssoHTTPOnly Off
    
     <Location /LTWeb>        
      require valid-user        
      AuthType Osso    
     </Location>
    </IfModule>
    

    Note:

    The configuration directive OssoHTTPOnly must be turned off in the web server configured as a front end to provide access to the Learning Tool application. This is to allow the audio applet in the Learning Tool application to be able to read the OSSO cookies.
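
The following check is an added example, not part of the Oracle guide or of Oracle's tooling. It cross-checks the paths that mod_wl_ohs forwards to WebLogic (Section 10.2.2) against the paths that mod_osso protects, and lists the Osso settings that the samples above set to off. The embedded configuration is constructed from the page's samples; the /LTReports path and all function names are assumptions.

```python
import re

# Constructed sample input modelled on the page's Learning Tool fragments.
# /LTReports is a hypothetical extra path with no matching mod_osso block.
MOD_WL_OHS = """
<IfModule weblogic_module>
WebLogicHost yourservername.com
WebLogicPort 7002
<Location /LTWeb>
 SetHandler weblogic-handler
</Location>
<Location /LTReports>
 SetHandler weblogic-handler
</Location>
</IfModule>
"""
MOD_OSSO = """
<IfModule osso_module>
 OssoIpCheck on
 OssoIdleTimeout off
 OssoSecureCookies off
 OssoHTTPOnly Off
 <Location /LTWeb>
  require valid-user
  AuthType Osso
 </Location>
</IfModule>
"""

LOCATION = re.compile(r"<Location\s+([^\s>]+)\s*>(.*?)</Location>", re.S | re.I)
DIRECTIVE = re.compile(r"^[ \t]*(Osso\w+)[ \t]+(\S+)", re.M | re.I)
# Settings the page's samples turn off; reported so each can be reviewed.
REVIEW_IF_OFF = ("OssoIpCheck", "OssoIdleTimeout", "OssoSecureCookies", "OssoHTTPOnly")

def locations(conf, marker):
    """Paths of <Location> blocks whose body matches the regex `marker`."""
    conf = re.sub(r"^[ \t]*#.*$", "", conf, flags=re.M)  # drop comment lines
    return {path.rstrip("/") or "/" for path, body in LOCATION.findall(conf)
            if re.search(marker, body, re.I)}

def covered(path, protected):
    """A <Location /p> block applies to /p and to everything below /p/."""
    return any(p == "/" or path == p or path.startswith(p + "/") for p in protected)

def audit(wl_conf, osso_conf):
    """Return (kind, detail) findings for one OHS instance's two files."""
    proxied = locations(wl_conf, r"SetHandler\s+weblogic-handler")
    protected = locations(osso_conf, r"AuthType\s+Osso")
    findings = [("UNPROTECTED", path) for path in sorted(proxied)
                if not covered(path, protected)]
    settings = {k.lower(): v.lower() for k, v in DIRECTIVE.findall(osso_conf)}
    findings += [("SETTING_OFF", name) for name in REVIEW_IF_OFF
                 if settings.get(name.lower()) == "off"]
    return findings

if __name__ == "__main__":
    for kind, detail in audit(MOD_WL_OHS, MOD_OSSO):
        print(f"{kind:12} {detail}")
```

Run it against the mod_wl_ohs.conf and mod_osso.conf of the same OHS instance. An UNPROTECTED finding means a path is forwarded to WebLogic without passing through mod_osso.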

10.2.5 Setting Up Providers for OSSO in a WebLogic Domain

Oracle recommends the following Authentication providers:

  • OSSO Identity Asserter

  • OID Authenticator

  • DefaultAuthenticator

To add providers to your WebLogic domain for OSSO Identity Assertion, perform the following:

  1. Log in to the WebLogic Administration Console.

  2. OSSO Identity Asserter:

    Go to Security Realms > Default Realm Name (Example: myrealm) and click Providers.

    Select New under the Authentication Providers table.

    Enter a name for the new provider, select its type, and click OK.

    • Name: OSSO Identity Asserter

    • Type: OSSOIdentityAsserter

    Note:

    For OSSOIdentityAsserter to appear in the list, you must copy ossoiap.jar to <DOMAIN_HOME>/lib.

    The ossoiap.jar is available in <MIDDLEWARE_HOME>/oracle_common/modules/oracle.ossoiap_11.1.1 on the computer where an Oracle Fusion Middleware product such as Oracle Identity Management, Oracle SOA Suite, or Oracle WebCenter is installed.

    Click the name of the newly added provider.

    On the Common tab, set the appropriate values for common parameters and set the Control Flag to SUFFICIENT and then save the settings.

  3. Default Authentication Provider:

    Go to Security Realms > Default Realm Name (Example: myrealm) and click Providers.

    Click DefaultAuthentication Provider.

    Set the Control Flag to OPTIONAL and click Save.

  4. OID Authenticator:

    The instructions to create this provider are provided in Section 8.5, "Configuring OID as Security Provider".

    If the OID Authenticator is configured successfully, you can change the Control Flag to SUFFICIENT.

  5. Reorder Providers:

    • OSSO Identity Asserter (SUFFICIENT)

    • OID Authenticator (SUFFICIENT)

    • DefaultAuthenticator (OPTIONAL)

  6. Save all configuration settings and restart the Oracle WebLogic Server for the changes to take effect.

10.2.6 Configuring web.xml for the OSSO Identity Asserter

Update the <login-config> in web.xml for the application to support SSO as follows:

  1. Modify the web.xml, which is located at

    [OSL Home directory]/LearningTool/Configuration/LearningTool/DeploymentDescriptors/ for Learning Tool and at [OSL Home directory]/LearningTool/Configuration/Admin/DeploymentDescriptors/ for Learning Tool Admin to update the login-config as follows:

    <login-config>   
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>myRealm</realm-name>
    </login-config>
    
    <!--login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/faces/loginView.jspx</form-login-page>
    <form-error-page>/faces/loginErrorView.jspx</form-error-page>
    </form-login-config>
    </login-config-->
    
  2. Run the Configurator to update the EAR files as explained in Section 9.3, "Running the OSL Learning Tool Configurator".

10.3 Configuring SSO for OBIEE

To configure SSO for OBIEE, perform the following steps in the subsequent sections:

10.3.1 Installing HTTP Server

Install a web server to be used as a front end to Oracle WebLogic Server. In this guide, use Oracle HTTP Server 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.

10.3.2 Configuring mod_wl_ohs

If the ear/war file is deployed onto a WebLogic Server, perform similar steps as Section 10.2.2, "Configuring mod_wl_ohs" to configure mod_wl_ohs.

Figure 10-8 Configuring mod_wl_ohs

10.3.3 Registering OHS mod_osso with OSSO Server

To register OHS mod_osso with OSSO Server, perform the following:

  1. Execute the ssoreg.sh tool, which can be found in <OSSO_HOME>/sso/bin, where <OSSO_HOME> is the directory in which Oracle Single Sign-On is installed.

    Note:

    The directory where you want to store the result config file must be created beforehand.

    $cd <OSSO_HOME>/sso/bin
    
    $export ORACLE_HOME=<OSSO_HOME>
    
    $./ssoreg.sh -oracle_home_path <OSSO_HOME> -site_name Student_Reporting -config_mod_osso TRUE -mod_osso_url http://<OBIEE_WEB_HOST>:<OBIEE_WEB_PORT> -update_mode CREATE -remote_midtier -config_file <OSSO_HOME>/temp/osso_bi.conf
    

    where:

    <OBIEE_WEB_HOST> and <OBIEE_WEB_PORT> are the host name and port of the web server configured as a front end to provide access to the OBIEE application.

  2. Copy this file to the web server instance location.

    For example:

    <MIDDLEWARE_HOME>/Oracle_WT1/instances/instance3/config/OHS/ohs3/osso/osso_bi.conf
    

10.3.4 Configuring mod_osso to Protect Web Resources

Perform similar steps as explained in Section 10.2.4, "Configuring mod_osso to Protect Web Resources" to configure the mod_osso as follows:

LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"

<IfModule osso_module>    
    OssoIpCheck on    
    OssoIdleTimeout off    
    OssoSecureCookies off    

    OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_bi.conf

   <Location /analytics>        
        Header unset Pragma        
        OssoSendCacheHeaders off        
        require valid-user        
        AuthType Osso    
   </Location>

</IfModule>

10.3.5 Creating Oracle BI Server Impersonator User

Follow this procedure to create the impersonator user in the BI Server repository.

  1. Open the BI Server repository file (.rpd) using BI Administration Tool.

  2. Select Manage > Security to display the Security Manager.

  3. Select Action > New > User to open the User dialog box.

  4. Enter a name and password for this user.

    For example:

    Name = Impersonator

    Password = secret

  5. In the Group Membership portion of the dialog box, check the Administrators group to make the new user a member of this group.

  6. Click OK to create the user.

10.3.6 Adding the Impersonator Credentials to Oracle BI Presentation Services Credential Store

Perform this step to add the impersonator credentials to Oracle BI Presentation Services credential store.

  1. Navigate to the OracleBI_HOME/web/bin directory.

    $export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/OracleBI_HOME/web/bin
    $./cryptotools credstore -add -infile <OracleBIData>/web/config/credentialstore.xml
    >Credential Alias: impersonation
    >Username: Impersonator
    >Password: secret
    >Do you want to encrypt the password? y/n (y):
    >Passphrase for encryption: another_secret
    >Do you want to write the passphrase to the xml? y/n (n):
    
  2. The CryptoTools utility updates the credentialstore.xml file. This file is located in the OracleBIData/web/config directory.

10.3.7 Configuring Oracle BI Presentation Services to Identify the Credential Store and Decryption Passphrase

Edit the OracleBIData/web/config/instanceconfig.xml file.

<WebConfig>
   <ServerInstance>
   <!-- other settings ... -->
      <CredentialStore>
      <CredentialStorage type="file" path="/<OracleBIData>/web/config/credentialstore.xml"
             passphrase="another_secret"/>
      </CredentialStore>
   <!-- other settings ... -->
   </ServerInstance>
</WebConfig>

10.3.8 Configuring BI Presentation Services to Operate in the SSO Environment

Edit the OracleBIData/web/config/instanceconfig.xml file.

<ServerInstance>
<!-- other settings ... -->
<Auth>
   <SSO enabled="true">
      <ParamList>
         <!--IMPERSONATE param is used to get the authenticated user's username and is required -->
         <Param name="IMPERSONATE" source="httpHeader" nameInSource="Proxy-Remote-User"/>
      </ParamList>
      <LogoffUrl>http://<SSO_HOST>:<SSO_PORT>/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F<OBIEE_WEB_HOST>:<OBIEE_WEB_PORT>%2Fanalytics%2F
      </LogoffUrl>
      <LogonUrl>
           http://<OBIEE_WEB_HOST>:<OBIEE_WEB_PORT>/analytics
      </LogonUrl>
   </SSO>
</Auth>
<!-- other settings ... -->
</ServerInstance>

10.4 Configuring SSO for UCM 10g

To configure SSO for UCM 10g, perform the steps in the subsequent sections:

10.4.1 Installing HTTP Server

Install a web server to be used as a front end to UCM. In this guide, use Oracle HTTP Server 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.

10.4.2 Configuring OHS as Web Server for UCM

Inside the httpd.conf of the OHS instance, add the following to configure this OHS instance as the web server for UCM. Make sure that you use the correct library under the linux64 or linux folder:

LoadModule IdcApacheAuth <UCM_INSTALLATION_FOLDER>/server/shared/os/linux64/lib/IdcApache22Auth.so
IdcUserDB idc "<UCM_INSTALLATION_FOLDER>/server/data/users/userdb.txt"

Alias /idc "<UCM_INSTALLATION_FOLDER>/server/weblayout"
<Location /idc>
Order allow,deny
Allow from all
DirectoryIndex portal.htm
IdcSecurity idc
</Location>

Note:

Ensure that the UCM Server is configured with the correct host name and port number of the Web Server to be used as its front end.

Check the <UCM_INSTALLATION_FOLDER>/server/config/config.cfg config file and make sure the value of HttpServerAddress is correct:

HttpServerAddress=<UCM_OHS_HOST>:<UCM_OHS_PORT>

10.4.3 Registering OHS mod_osso with OSSO Server

To register OHS mod_osso with OSSO Server, perform the following:

  1. Execute the ssoreg.sh tool, which can be found in <OSSO_HOME>/sso/bin, where <OSSO_HOME> is the directory in which Oracle Single Sign-On is installed.

    Note:

    Please note that the directory where you want to store the result config file must be created beforehand.

    $ cd <OSSO_HOME>/sso/bin
    
    $export ORACLE_HOME=<OSSO_HOME>
    
    $./ssoreg.sh -oracle_home_path <OSSO_HOME> -site_name Stellent_UCM -config_mod_osso TRUE -mod_osso_url http://<UCM_OHS_HOST>:<UCM_OHS_PORT> -update_mode CREATE -remote_midtier -config_file <OSSO_HOME>/temp/osso_ucm.conf
    
  2. Copy this file to the web server instance location.

    For example:

    <MIDDLEWARE_HOME>/Oracle_WT1/instances/instance1/config/OHS/ohs1/osso/osso_ucm.conf
    

10.4.4 Configuring mod_osso to Protect Web Resources

Perform similar steps as explained in Section 10.2.4, "Configuring mod_osso to Protect Web Resources" to configure the mod_osso as follows:

LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"

<IfModule osso_module>
    OssoIpCheck on
    OssoIdleTimeout off
    OssoSecureCookies off
    OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_ucm.conf

     <Location /idc>
        require valid-user
        AuthType Osso
    </Location>
 </IfModule>

10.5 Configuring SSO for Oracle UCM 11g

Oracle UCM 11g Release 1 (11.1.1) is deployed on an Oracle WebLogic Server. Therefore, the steps to configure OAM as the SSO solution for UCM are similar to the steps described in Section 10.2, "Configuring SSO for Learning Tool".

For a more detailed explanation of configuring SSO for UCM 11g, see Chapter 4.2.3 "Configuring Oracle UCM to Use Single Sign-On" in the Oracle® Fusion Middleware System Administrator's Guide for Content Server 11g Release 1 (11.1.1) at

http://download.oracle.com/docs/cd/E14571_01/doc.1111/e10792/c03_security002.htm#insertedID3

10.5.1 Installing HTTP Server

Install a web server to be used as a front end to UCM 11g. In this guide, use Oracle HTTP Server 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.

10.5.2 Configuring mod_wl_ohs

Perform similar steps as Section 10.2.2, "Configuring mod_wl_ohs" to configure mod_wl_ohs.

LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"

<IfModule weblogic_module>
<Location /cs>  
SetHandler weblogic-handler  
WebLogicHost <ucm-hostname>  
WebLogicPort <ucm-server-port>

</Location>
</IfModule>

Note:

Ensure that the UCM Server is configured with the correct host name and port number of the Web Server to be used as its front end.

Check the <UCM_INSTALLATION_FOLDER>/server/config/config.cfg config file and make sure the value of HttpServerAddress is correct:

HttpServerAddress=<UCM_OHS_HOST>:<UCM_OHS_PORT>

10.5.3 Registering OHS mod_osso with OSSO Server

To register OHS mod_osso with OSSO Server, perform similar steps in Section 10.4.3, "Registering OHS mod_osso with OSSO Server".

10.5.4 Configuring mod_osso to protect Web Resource

Perform similar steps as Section 10.2.4, "Configuring mod_osso to Protect Web Resources" to configure mod_wl_ohs.

LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"

<IfModule osso_module>

OssoIpCheck on
OssoIdleTimeout off
OssoSecureCookies off
OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_ucm.conf

<Location /cs>
require valid-user
AuthType Osso
</Location>

</IfModule>

10.5.5 Setting Up Providers for OSSO in a WebLogic Domain

Perform similar steps as Section 10.2.5, "Setting Up Providers for OSSO in a WebLogic Domain" to set up providers for OSSO in a WebLogic Domain that UCM is deployed to.

10.6 Updating the OSL Configuration

The following configuration is required for OSL to operate in an SSO environment:

  1. Update the OSL_PROFILE_OPTION_VALUES:

    Set the values for OSL_SHOW_LOGOUT_LINK in OSL_PROFILE_OPTION_VALUES table as follows:

    Table 10-1 Updating OSL_PROFILE_OPTION_VALUES

    Value Description

    OSL_SHOW_LOGOUT_LINK

    • Y (to display the logout link in Learning Tool and Learning Tool Admin) or

    • N (to hide the logout link in Learning Tool and Learning Tool Admin)


  2. Update the logout URL for Learning Tool and Learning Tool Admin.

    • Set the OSL_ADMIN_LOGOUT_URL as follows:

      http://<SSO_HOST>:<SSO_PORT>/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F<LT_WEB_HOST>:<LT_WEB_PORT>%2FLTAdminWeb%2F

      where: <LT_WEB_HOST> and <LT_WEB_PORT> are the host name and port of the web server configured as a front end to provide access to the Learning Tool Admin application.

    • Set the OSL_LOGOUT_URL as follows:

      http://<SSO_HOST_NAME>:<SSO_PORT>/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F<LT_WEB_HOST>:<LT_WEB_PORT>%2FLTWeb%2F

      where: <LT_WEB_HOST> and <LT_WEB_PORT> are the host name and port of the web server configured as a front end to provide access to the Learning Tool application.

    For information about the OSL configuration file where you must make these changes, see Section 9.1.7, "Updating Logout URL for Learning Tool and Learning Tool Admin".