Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 1 (11.1.3) Part Number E21032-07 |
|
|
PDF · Mobi · ePub |
This chapter describes how to configure single sign-on (SSO) for administration consoles in an Identity Management Enterprise deployment.
This chapter includes the following topics:
Section 20.4, "Assigning IDM Administrators Group to WebLogic Administration Groups"
Section 20.8, "Validating WebGate and the Oracle Access Manager Single Sign-On Setup."
You assign WebLogic Administration groups, update boot.properties, and restart the servers. Then you install and configure WebGate and validate the setup. After WebGate is installed and configured, the Oracle HTTP Server intercepts requests for the consoles and forwards them to Oracle Access Manager for validation
The administration consoles referred to in the chapter title are:
Oracle Enterprise Manager Fusion Middleware Control
Oracle WebLogic Server Administration Console
Oracle Access Manager Console
Oracle Identity Manager Console
Before you attempt to integrate administration consoles with single sign-on, ensure that the following tasks have been performed in the IDMDomain:
Configuring Oracle HTTP Server, as described in Chapter 7, "Configuring the Web Tier for an Enterprise Deployment."
Configuring Oracle Access Manager, as described in Chapter 14, "Configuring Oracle Access Manager 11g."
Provisioning Weblogic Administrators in LDAP as described in Section 11.5, "Preparing the Identity Store."
This section describes how to integrate administration consoles with single sign-on. You need to perform the procedures in this section if you have placed Oracle Identity Manager into a separate domain.
This section contains the following topics:
Note:
Once you have enabled single sign-on for the administration consoles, ensure that at least one Oracle Access Manager server is running to enable console access.
If you have used the Oracle Weblogic console to shut down all of the Oracle Access Manager Managed Servers, then restart one of those Managed Servers manually before using the console again.
To start WLS_OAM1 manually, use the command:
DOMAIN_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://ADMINVHN:7001
This section sets up a directory authenticator to enable you to use the users in your LDAP directory to access administration consoles.
You do not need to perform these steps if you have integrated Oracle Access Manager and Oracle Identity Manager as described in Section 19.2, "Integrating Oracle Identity Manager and Oracle Access Manager 11g."
Log in to the WebLogic Administration Console at the URL listed in Section 21.2, "About Identity Management Console URLs."
Click Security Realms from the Domain structure menu.
Click Lock and Edit in the Change Center.
Click myrealm.
Select the Providers tab.
Click DefaultAuthenticator.
Set Control Flag to SUFFICIENT.
Click Save.
Click Security Realms from the Domain structure menu.
Click myrealm.
Select the Providers tab.
Click New.
Supply the following information if you are using Oracle Virtual Directory:
For Oracle Virtual Directory:
Name: OVDAuthenticator
Type: OracleVirtualDirectoryAuthenticator
For Oracle Internet Directory:
Name: OIDAuthenticator
Type: OracleInternetDirectoryAuthenticator
Click OK.
Click OVDAuthenticator or OIDAuthenticator.
Set Control Flag to SUFFICIENT.
Click Save.
Select the Provider Specific tab.
Enter the following details:
Host: idstore.mycompany.com
Port: 389
Principal: cn=oamLDAP,cn=Users,dc=us,dc=mycompany,dc=com
Credential: oamLDAP
password
Confirm Credential: oamLDAP
password
User Base DN: cn=Users,dc=mycompany,dc=com
All Users Filter: (&(uid=*)(objectclass=person))
User From Name Filter: (&(uid=%u)(objectclass=person))
User Name Attribute: uid
Group Base DN: cn=Groups,dc=mycompany,dc=com
GUID Attribute: orclguid
Click Save.
Click Activate Changes from the Change Center.
Restart WebLogic Administration Server and all the Managed Servers, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Validating the Configuration
Validate the configuration by logging in to the OAM console as the user oamadmin
.
You can perform a further validation test by using the Oracle WebLogic Administration Console, as follows.
Log in to the console at the URL listed in Section 21.2, "About Identity Management Console URLs."
Select Security Realms from the Domain structure menu.
Click myrealm.
Click the Users and Groups tab.
Click Users.
LDAP users are displayed.
This section sets up an Oracle Access Manager asserter to enable you to delegate responsibility for credential collection to Oracle Access Manager.
You do not need to perform these steps if you have Integrated Oracle Access Manager and Oracle Identity Manager as described in Section 19.2, "Integrating Oracle Identity Manager and Oracle Access Manager 11g."
Log in to the WebLogic Administration Console at the URL listed in Section 21.2, "About Identity Management Console URLs."
Click Security Realms from the Domain structure menu.
Click Lock and Edit in the Change Center.
Click myrealm.
Select the Providers tab.
Click New.
Supply the following information:
Name: OAMIDAsserter
Type: OAMIdentityAsserter
Click OK.
Click OAMIdentityAsserter.
Set Control Flag to REQUIRED.
Click Save.
Click Security Realms from the Domain structure menu
Click myrealm.
Select the Providers tab.
Click Reorder.
Using the arrows on the right hand side order the providers such that the order is:
OAMIDAsserter
Default Authenticator
OVDAuthenticator or OIDAuthenticator
Default Identity Asserter
Note:
Oracle Identity Manager providers only exist if Oracle Identity Manager has been configured.
Click OK.
Click Activate Changes.
Restart WebLogic Administration Server and all the Managed Servers, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter Portal domain). The application domains are configured to authenticate using the central Identity Management domain.
In Section 11.5, "Preparing the Identity Store" you created a user called weblogic_idm
and assigned it to the group IDM Administrators. To be able to manage WebLogic using this account you must add the IDM administrators group to the list of Weblogic Administration groups. This section describes how to add the IDM Administrators Group to the list of WebLogic Administrators.
If you are using a single domain topology, perform the following tasks on IDMDomain.
If you are using a split domain topology, perform these tasks on both IDMDomain and OIMDomain.
Log in to the WebLogic Administration Server Console at the URL listed in Section 21.2, "About Identity Management Console URLs.".
In the left pane of the console, click Security Realms.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for myrealm
, click the Roles & Policies tab.
On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.
On the Global Roles page, click the Admin role to go to the Edit Global Role page:
On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.
On the Edit Arguments Page, Specify IDM Administrators in the Group Argument field and click Add.
Click Finish to return to the Edit Global Rule page.
The Role Conditions table now shows the IDM Administrators Group
as an entry.
Click Save to finish adding the Admin role to the IDM Administrators Group
.
Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm
user.
If you are using a split domain you must register the Oracle Enterprise Manager Fusion Middleware Control application with the OPSS policy store in order for logout to work correctly in the IDMDomain. This is not necessary in the OIMDomain.
To register Fusion Middleware Control, proceed as follows.
Start WLST using the command:
MW_HOME/oracle_common/common/bin/wlst.sh
Connect to the IDMDomain using the WLST connect() command, as follows:
connect()Enter User Name: weblogicPassword: password_for_account
Server URL: t3://adminvhn.us.oracle.com:7001
Run the command:
addOAMSSOProvider(loginuri="/em/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")
Exit WLST using the command:
exit()
Restart the admin server and the managed servers wls_oam1 and wls_oam2 as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Update the boot.properties
file for the Administration Server and the managed servers with the WebLogic admin
user created in Oracle Internet Directory. For a single domain topology, you must update the boot.properties
file on IDMHOST1. For a split domain topology, you must also update boot.properties
on OIMHOST1. Follow the steps in the following sections to update the file.
This section contains the following topics:
Section 20.6.1, "Update the Administration Server on IDMHOST1"
Section 20.6.2, "Update the Administration Server on OIMHOST1"
On IDMHOST1, go the directory:
ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security
For example:
cd ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security
Rename the existing boot.properties
file.
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=adminUser password=adminUserPassword
For example:
username=weblogic_idm
password=Password for weblogic_idm user
Note:
When you start the Administration Server, the username and password entries in the file get encrypted.
For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.
For a split domain topology, you must also perform these steps on OIMHOST1.
On OIMHOST1, go the directory:
ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security
For example:
cd ORACLE_BASE/admin/OIMDomain/aserver/OIMDomain/servers/AdminServer/security
Rename the existing boot.properties
file.
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=adminUser password=adminUserPassword
For example:
username=weblogic_idm
password=Password for weblogic_idm user
Note:
When you start the Administration Server, the username and password entries in the file get encrypted.
For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.
Restart the following servers as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Oracle Access Manager servers on OAMHOST1 and OAMHOST2
Oracle HTTP Servers on WEBHOST1 and WEBHOST2
WebLogic Administration server and all managed servers.
This section describes how to install and configure WebGate.
This section contains the following topics:
Section 20.7.3, "Installing Oracle WebGate on WEBHOST1 and WEBHOST2"
Section 20.7.4, "Patching the Oracle Access Manager 10g WebGates"
Ensure that the following tasks have been performed before installing the Oracle Web Gate:
Install and configure the Oracle Web Tier as described in Chapter 7, "Configuring the Web Tier for an Enterprise Deployment."
On Linux systems, make the special versions of the gcc
libraries available, as described in Section 20.7.2, "Making Special gcc Libraries Available."
Ensure Oracle Access Manager has been configured as described in Chapter 14, "Configuring Oracle Access Manager 11g."
Oracle Web Gate requires special versions of gcc
libraries to be installed (Linux only). These library files must exist somewhere on the Linux system. The Web Gate installer asks for the location of these library files at install time. Download the libraries from http://gcc.gnu.org
, as described in "Installing Third-Party GCC Libraries (Linux and Solaris Operating Systems Only)" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management
See Also:
http://www.oracle.com/technetwork/middleware/ias/downloads/10gr3-webgates-integrations-readme-154689.pdf
for additional information.
Before you install Oracle WebGate, ensure that the Managed Servers WLS_OAM1 and WLS_OAM2 are started.
Install Oracle WebGate as described in the following sections.
Start the Web Gate installer by issuing the command:
Oracle_Access_Managerversion_linux_OHS11g_WebGate -gui
Then perform the following steps:
On the Welcome to the InstallShield Wizard for Oracle Access Manager WebGate screen.
Click Next.
On the Customer Information screen, enter the username
and group
that the Oracle Access Manager server uses. This should be the same as the user and group that installed the Oracle HTTP Server. The default value for username
and group
is nobody
. For example, enter oracle
/oinstall
.
Click Next.
Specify the installation directory for the Oracle Access Manager server. For example, enter: MW_HOME
/oam/webgate
.
Click Next.
Note:
Oracle Access Manager WebGate is installed in the access
subdirectory under:
/u01/app/oracle/product/fmw/oam/webgate
.
Oracle Access Manager WebGate is installed in: /u01/app/oracle/product/fmw/oam/webgate/
The access directory is created by the installer automatically.
Specify the location of the GCC run-time libraries, for example: /u01/app/oracle/oam_lib
Click Next.
The installation progress screen is shown. After the installation process completes, the WebGate Configuration screen appears.
On the WebGate Configuration screen, you are prompted for the transport security mode:
The transport security between all Access System components (Policy Manager, Access Servers, and associated WebGates) must match; select one of the following: Open Mode, Simple Mode, or Cert Mode.
Select Simple Mode.
Click Next.
On the next WebGate Configuration screen, specify the following WebGate details:
WebGate ID: The agent name used in Section 14.7.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool." for example Webgate_IDM
.
Password for Web Gate: If you entered a password when creating the agent, enter this here. Otherwise leave blank.
Access Server ID: The name of one of your Oracle Access Manager servers, for example: WLS_OAM1
Host Name: Enter the Host name for one of the Oracle Access Manager servers for example IDMHOST1
Global Access Protocol Passphase: If your OAM servers are using the Simple security transport protocol, then specify the global passphrase that you use to interact with them.
Port Number the Access Server listens to: ProxyPort
Note:
To find the port that the Oracle Access Manager server is using, log in to the oamconsole at:
http://admin.mycompany.com/oamconsole
Then perform the following steps:
Select the System Configuration tab.
Select Server Instances.
Select Instance (WLS_OAM1
) and click the View icon in the tool bar.
The proxy entry has host and port information.
On the Configure Web Server screen, click Yes to automatically update the web server, then click Next.
On the next Configure Web Server screen, specify the full path of the directory containing the httpd.conf
file. The httpd.conf
file is located under the following directory:
/u01/app/oracle/admin/
ohsInstance
/config/OHS/
ohsComponentName
For example:
/u01/app/oracle/admin/ohs_instance2/config/OHS/ohs2/httpd.conf
Click Next.
On the next Configure Web Server page, a message informs you that the Web Server configuration has been modified for WebGate.
Click Next.
The next screen, Configure Web Server, displays the following message:
If the web server is setup in SSL mode, then httpd.conf file needs to be configured with the SSL related parameters. To manually tune your SSL configuration, please follow the instructions that come up.
Click Next.
The next screen, Configure Web Server, displays a message with the location of the document that has information on the rest of the product setup, as well as Web Server configuration.
Select No and click Next.
The final Configure Web Server screen appears with a message to manually launch a browser and open the HTML document for further information on configuring your Web Server.
Click Next.
The Oracle COREid Readme screen appears. Review the information on the screen and click Next.
A message appears, along with the details of the installation, informing you that the installation was successful.
Click Finish.
Replace the file ObAccessClient.xml
in the directory MW_HOME
/oam/webgate/access/oblix/lib
with the file generated in Section 14.7.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool."
Restart the web server by following the instructions in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Repeat for WEBHOST2
You must create a logout page to enable applications to log out. A default page exists, but you must edit it and copy it to the WebGate installation on WEBHOST1
and WEBHOST2
.
Copy the file logout.html
from the directory DOMAIN_HOME
/output/Webgate_IDM
on IDMHOST1
to MW_HOME
/oam/webgate/access/oamsso
on WEBHOST1
and WEBHOST2
.
Now that you have your own logout page on the web server, you must remove the default entry.
Edit the file httpd.conf
, located in the directory:
ORACLE_INSTANCE
/config/OHS/component name
/
Comment out the following lines by adding a #
at the beginning. The edited lines look like this:
#*******Default Login page alias*** Alias /oamsso "/u01/app/oracle/product/fmw/webgate/access/oamsso" #<LocationMatch "/oamsso/*"> #Satisfy any #</LocationMatch> #**********************************
Save the file.
Restart the Oracle HTTP server, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
This software cannot be patched until it is installed, as described in Section 20.7.3, "Installing Oracle WebGate on WEBHOST1 and WEBHOST2."
Install the latest WebGate 10g patches listed in the Release Notes for this release.
After installing the patches, start the Oracle HTTP Server instances on WEBHOST1
and WEBHOST2
, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
To validate that WebGate is functioning correctly, open a web browser and go the OAM console URL listed in Section 21.2, "About Identity Management Console URLs."
You now see the Oracle Access Manager Login page displayed. Enter your OAM administrator user name (for example, oamadmin
) and password and click Login. Then you see the OAM console displayed.
To validate the single sign-on setup, open a web browser and go the WebLogic Administration Console and to Oracle Enterprise Manager Fusion Middleware Control at the URLs listed in Section 21.2, "About Identity Management Console URLs."
The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the weblogic_idm
user to log in.