Skip Headers
Oracle® Secure Enterprise Search Administrator's Guide
11g Release 2 (11.2.1)

Part Number E17332-04
Go to Documentation Home
Go to Book List
Book List
Go to Table of Contents
Go to Index
Go to Feedback page
Contact Us

Go to previous page
Go to next page
PDF · Mobi · ePub

Configuring Secure Search with Oracle Access Manager Single Sign-On

You can implement a single sign-on authentication mechanism for Oracle SES by using Oracle Access Manager.

Ensure that the following components are installed:

To implement the Oracle Access Manager single sign-on authentication on Oracle SES, you must configure Oracle HTTP Server, Oracle SES, Oracle Internet Directory, and Oracle Access Manager.

Configuring Oracle Identity Management

You must install Oracle Identity Management or higher. This is required because the Oracle SES parameter sso_user_guid_header must be used to send the ORCLGUID attribute from Oracle Access Manager to SES, and this can be done only with Oracle Internet Directory or higher.

To enable this on Oracle Internet Directory:

  1. Add the following to the LDIF file:

    dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
    changetype: modify
    add: orclallattrstodn
    orclallattrstodn: cn=orcladmin
  2. Import the LDIF file into Oracle Internet Directory:

    $LDAP_HOME/bin/ldapmodify -D cn=orcladmin -w password -h host -p port -c -v -f ldifFile
  3. To verify that the changes you made to the LDIF file are reflected, use the following command:

    $LDAP_HOME/bin/ldapsearch -b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" -s base  -h host -p port -w password -D "cn=orcladmin" "objectclass=*"

    You should see orclallattrstodn as an attribute of the dsaconfig entry.

  4. Restart the Oracle Access Server and the Oracle Identity Server:


Configuring Oracle HTTP Server

To configure Oracle HTTP Server, perform the following tasks:

  1. Edit mod_wl_ohs.conf to include the following. The file is available at ORACLEOHS_HOME/instances/instance1/config/OHS/ohs1/, where instance1 refers to the instance name of Oracle HTTP Server.

    <IfModule weblogic_module>
         WebLogicHost [SES host name]
         WebLogicPort [SES HTTP port]
         WLLogFile Convenient Location of the log
    <Location /search/query>
         SetHandler weblogic-handler
    <Location /search/admin>
         SetHandler weblogic-handler
    # For monitor SES URL
    <Location /monitor>
         SetHandler weblogic-handler
    # For Help links in Admin side
    <Location /search/ohw>
         SetHandler weblogic-handler

    For example, if your SES host is sesHost and the port is 8001:

    <IfModule weblogic_module>
         WebLogicHost sesHost
         WebLogicPort 8001
         WLLogFile /scratch/exampleuser/weblogic.log
    <Location /search/query>
         SetHandler weblogic-handler
    <Location /search/admin>
         SetHandler weblogic-handler
    <Location /monitor>
         SetHandler weblogic-handler
    <Location /search/ohw>
         SetHandler weblogic-handler
  2. Edit httpd.conf located at ORACLEOHS_HOME/instances/instance1/config/OHS/ohs1/ to include the following at the end of the file:

    # Include configuration for mod_weblogic
    include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/mod_wl_ohs.conf"

    Ensure that this line of code is on a single line.

  3. Restart the HTTP server.

    $ORACLEOHS_HOME/instances/instance1/bin/opmnctl restartproc process-type=OHS

Installing and Configuring WebGate

A WebGate is a Web server plug-in that is shipped out-of-the-box with Oracle Access Manager. The WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for authentication and authorization. See Oracle Access Manager Installation Guide for more information on installing a WebGate.

While installing WebGate, you must configure some parameters for the Oracle Access Manager single sign-on authentication.

Creating a WebGate Instance

Provide the following values while defining a WebGate instance in the Access System Console:

  • AccessGateName: Set as SESAccessGate

  • Description: Set as Secure Enterprise Search Access Gate

  • HostName: This is the host name on which Oracle HTTP Server is installed.

  • AccessGate Password: Set a password.

  • Port: This is the port number set during Oracle HTTP Server installation.

  • Transport Security: Set to Open.

  • Preferred HTTP Host: The domain for Oracle HTTP Server. For example, if the Oracle HTTP Server hostname is, then the domain is

  • Ensure that Access Management Service is on.

Installing WebGate

Provide the following parameters while specifying the WebGate configuration details:

  • WebGate ID: Enter SESAccessGate.

  • WebGate Password: The same as AccessGate password.

  • Access Server ID: Obtain this from Access System Console.

  • DNS hostname: Obtain this from Access System Console.

  • Port number: Obtain this from Access System Console.

Updating the WebGate Web Server Configuration

Use the option to automatically update the Web Server configuration.

Integrating Oracle Access Manager with Oracle SES

Perform the following tasks:

  1. Create a login page for Oracle HTTP Server. For example, ORACLEOHS_HOME/ohs/htdocs/login/login.html:

    <title>SES-OAM Test Login Page</title>
    <body bgcolor="white">
    <h1 align="center">SES-OAM SSO Login Page: Sign-In</h1>
    <form method="POST" action="/myaction/test.html">
      <table border="0" cellspacing="5">
          <th align="right">Username:</th>
          <td align="left"><input type="text" name="usernamevar"></td>
          <th align="right">Password:</th>
          <td align="left"><input type="password" name="passwordvar"></td>
          <td align="right"><input type="submit" value="Log In"></td>
          <td align="left"><input type="reset"></td>
  2. Define a form-based authentication in Oracle Policy Manager:

    1. From http://OAMHost:OAMPort/access/oblix, select Access System Console, then Access System Configuration, and then Authentication Management.

    2. Create Form Login method with the following options:

      Name: OAMFormLogin

      Description: OAM Form-based login

      Level: 1

      Challenge Method: Form

      Challenge Parameter

      form: /login/login.html

      creds: usernamevar passwordvar

      action: /myaction/test.html

      passthrough: no

      SSL Required: No

      Enabled: Yes

    3. Set up the following plugins under the Plugins tab:





      where obMappingBase is the base DN in the user search in the LDAP directory server, and obMappingFilter is the LDAP filter used to search for a user with a given userID. The directory login attribute is an attribute defined in the Identity System using a Semantic login type.

    4. Ensure that a default step exists in the Steps tab to use the credential_mapping and validate_password plugins.

  3. Create a policy in the Policy Manager to protect the query application login link using the form authentication created in the previous step:

    1. From http://OAMHost:OAMPort/access/oblix, select Policy Manager, and then Create Policy Domain.

    2. Protect an HTTP resource with /search/query/formlogin.uix as the URL prefix.

    3. In the Authorization Rules tab, add the role myrole. Also set the following:

      Enabled: Yes

      Allow takes precedence: Yes

    4. Under Actions tab for myrole, first add the following return action:

      Type: HeaderVar

      Name: HTTP_USER_GUID

      Return Attribute: orclguid

      Then add the following return action:

      Type: HeaderVar

      Name: HTTP_USER_NAME

      Return Attribute: uid

    5. Under Allow Access tab, ensure that anyone is allowed access.

    6. Enable the new policy under My Policy Domains.

    7. Click Default Rules, and under Authentication Rule, add a rule to use the form login scheme as the Authentication Scheme.

    8. Under Authorization Expression, ensure that myrole is selected for Default Rules.

  4. Create a policy in Policy Manager to protect the HTTP resource /search/query with the Anonymous Authentication option. Note that the steps are identical to the previous step. However, for step 3g, the form login scheme must be Anonymous Authentication under Authentication Rule.

  5. Configure Oracle SES to use HTTP_USER_GUID and HTTP_USER_NAME as the values of sso_user_guid_header and sso_username_header respectively. See "Configuring QueryPlan.xml in Oracle SES".

  6. Configure Oracle SES to use OblixAnonymous as the value for sso_public_username. See "Configuring QueryPlan.xml in Oracle SES".

Configuring QueryPlan.xml in Oracle SES

To enable Oracle Access Manager single sign-on authentication:

  1. Configure the parameters shown in Example 9-3in the QueryPlan.xml file, which is available at ORACLE_HOME/search/tools/weblogic/deploy/plans/.

  2. Redeploy the query application with the modified deployment plan by running the following command from ORACLE_HOME/search/tools/weblogic/deploy/:

    sh ./ -serverURL t3://host:port/ -user weblogic -password password -name search_query -plan ./plans/QueryPlan.xml -process redeploy

    If SES is deployed on a Windows system, then run the batch file deployer.bat, as shown:

    %ORACLE_HOME%\search\tools\weblogic\deploy\deployer.bat -serverURL t3://host:port/ -user weblogic -password password -name search_query -plan .\plans\QueryPlan.xml -process redeploy


    host is the host name, and port is the WebLogic service port. This is the same port that you use to open the Administration GUI. password is the password for eqsys.

    For example, if you install Oracle SES on the host myWlsServer and port 7777, and the Oracle SES administration password is welcome1, then issue the following command:

    ./ -serverURL t3://myWlsServer:7777/ -user weblogic -password welcome1 -name search_query -plan ./plans/QueryPlan.xml -process redeploy

Example 9-3 QueryPlan.xml Parameters for Enabling Oracle Access Manager Single Sign-On Authentication

   <description>Whether SSO is enabled: true or false. The default is false. </description>
   <description>The SSO vendor name. Supported values are osso or oam.</description>
   <description>The HTTP header name that the SSO server uses to pass the user GUID to SES. The value in the header should match the value of the users canonical attribute for the active identity plugin.</description>
   <description>The HTTP header name that the SSO server uses to pass the search username to SES. The value in the header should match the value of the users authentication attribute for the active identity plugin. Specify REMOTE_USER to use getRemoteUser in the HTTP request to retrieve the username.</description>

   <description>(Optional) Specify the username of the public user if the SSO server is configured to send a public user name in the sso_username_header for unprotected or anonymously protected resources.</description>