Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 5 (11.1.5) Part Number E21032-15
This chapter describes how to configure single sign-on (SSO) for administration consoles in an Identity Management Enterprise deployment.
This chapter includes the following topics:
Section 19.4, "Assigning WLSAdmins Group to WebLogic Administration Groups"
Section 19.8, "Validating WebGate and the Oracle Access Manager Single Sign-On Setup."
You assign WebLogic administration groups, update boot.properties, and restart the servers. Then you install and configure WebGate and validate the setup. After WebGate is installed and configured, Oracle HTTP Server intercepts requests for the consoles and forwards them to Oracle Access Manager for validation.
The administration consoles referred to in the chapter title are:
Oracle Enterprise Manager Fusion Middleware Control
Oracle WebLogic Server Administration Console
Oracle Access Manager Console
Oracle Identity Manager Console
Before you attempt to integrate administration consoles with single sign-on, ensure that the following tasks have been performed in the IDMDomain:
Configuring Oracle HTTP Server, as described in Chapter 7, "Configuring the Web Tier for an Enterprise Deployment."
Configuring Oracle Access Manager, as described in Chapter 13, "Configuring Oracle Access Manager 11g."
Provisioning WebLogic administrators in LDAP, as described in Section 11.5, "Preparing the Identity Store."
This section describes how to integrate administration consoles with single sign-on. You need to perform the procedures in this section if you have placed Oracle Identity Manager into a separate domain.
This section contains the following topics:
Note:
Once you have enabled single sign-on for the administration consoles, ensure that at least one OAM Server is running to enable console access.
If you have used the Oracle WebLogic console to shut down all of the Oracle Access Manager Managed Servers, then restart one of those Managed Servers manually before using the console again.
To start WLS_OAM1 manually, use the command:
MSERVER_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://ADMINVHN:7001
This section sets up a directory authenticator to enable you to use the users in your LDAP directory to access administration consoles.
You do not need to perform these steps if you have integrated Oracle Access Manager and Oracle Identity Manager as described in Section 18.2, "Integrating Oracle Identity Manager and Oracle Access Manager 11g."
Log in to the WebLogic Administration Console at the URL listed in Section 20.2, "About Identity Management Console URLs."
Click Security Realms from the Domain structure menu.
Click Lock and Edit in the Change Center.
Click myrealm.
Select the Providers tab.
Click DefaultAuthenticator.
Set Control Flag to SUFFICIENT.
Click Save.
Click Security Realms from the Domain structure menu.
Click myrealm.
Select the Providers tab.
Click New.
Supply the following information:
For Oracle Virtual Directory:
Name: OVDAuthenticator
Type: OracleVirtualDirectoryAuthenticator
For Oracle Internet Directory:
Name: OIDAuthenticator
Type: OracleInternetDirectoryAuthenticator
Click OK.
Click OVDAuthenticator or OIDAuthenticator.
Set Control Flag to SUFFICIENT.
Click Save.
Select the Provider Specific tab.
Enter the following details:
Host: idstore.mycompany.com
Port: 389
Principal: cn=oamLDAP,cn=Users,dc=us,dc=mycompany,dc=com
Credential: password of the oamLDAP user
Confirm Credential: password of the oamLDAP user
User Base DN: cn=Users,dc=mycompany,dc=com
All Users Filter: (&(uid=*)(objectclass=person))
User From Name Filter: (&(uid=%u)(objectclass=person))
User Name Attribute: uid
Group Base DN: cn=Groups,dc=mycompany,dc=com
GUID Attribute: orclguid
Click Save.
Click Activate Changes from the Change Center.
Restart WebLogic Administration Server and all the Managed Servers, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."
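The two filters entered on the Provider Specific tab decide which directory entries the authenticator treats as users and how a login name is turned into a search. The following added example (not part of the Oracle guide) resolves the User From Name Filter for a login name the way any LDAP client composing such a filter must: %u is replaced by the name after RFC 4515 escaping, so a name containing filter syntax cannot widen the search. The filter strings and base DN are the values configured above; the login names are constructed test input.

```python
# Added example; not part of the Oracle guide.  The four settings are the
# ones entered on the Provider Specific tab; the login names are constructed.

ALL_USERS_FILTER = "(&(uid=*)(objectclass=person))"
USER_FROM_NAME_FILTER = "(&(uid=%u)(objectclass=person))"
USER_NAME_ATTRIBUTE = "uid"
USER_BASE_DN = "cn=Users,dc=mycompany,dc=com"

# RFC 4515 section 3: these characters carry filter syntax and must be
# written as backslash + two hex digits inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a login name for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(login_name: str) -> str:
    """Resolve the User From Name Filter for one login name.

    %u is replaced by the escaped name, so the search can only ever match
    the entry whose uid is exactly that string."""
    return USER_FROM_NAME_FILTER.replace("%u", escape_filter_value(login_name))


def names_one_user(filter_text: str) -> bool:
    """True if the uid assertion is a literal value (no wildcard, no injected
    parentheses), i.e. the filter can match at most one user."""
    prefix = f"(&({USER_NAME_ATTRIBUTE}="
    suffix = ")(objectclass=person))"
    if not (filter_text.startswith(prefix) and filter_text.endswith(suffix)):
        return False
    value = filter_text[len(prefix):-len(suffix)]
    return not any(ch in value for ch in "*()")


if __name__ == "__main__":
    for name in ("weblogic_idm", "oamadmin", "*", "x)(uid=*"):
        resolved = user_lookup_filter(name)
        print(f"{name!r:14} -> {resolved}  names_one_user={names_one_user(resolved)}")
    # For comparison, the filter the authenticator uses to enumerate users.
    print("All Users Filter:", ALL_USERS_FILTER, "under", USER_BASE_DN)
```

The last two constructed names show the point: `*` and `x)(uid=*` resolve to filters that still name a single literal uid, whereas substituting them unescaped would turn the lookup into a wildcard search.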
Validating the Configuration
Validate the configuration by logging in to the OAM console as the user oamadmin.
You can perform a further validation test by using the Oracle WebLogic Administration Console, as follows.
Log in to the WebLogic Administration console at the URL listed in Section 20.2, "About Identity Management Console URLs."
Select Security Realms from the Domain structure menu.
Click myrealm.
Click the Users and Groups tab.
Click Users.
LDAP users are displayed.
This section sets up an Oracle Access Manager asserter to enable you to delegate responsibility for credential collection to Oracle Access Manager.
You do not need to perform these steps if you have integrated Oracle Access Manager and Oracle Identity Manager as described in Section 18.2, "Integrating Oracle Identity Manager and Oracle Access Manager 11g."
Log in to the WebLogic Administration Console at the URL listed in Section 20.2, "About Identity Management Console URLs."
Click Security Realms from the Domain structure menu.
Click Lock and Edit in the Change Center.
Click myrealm.
Select the Providers tab.
Click New.
Supply the following information:
Name: OAMIDAsserter
Type: OAMIdentityAsserter
Click OK.
Click OAMIDAsserter.
Set Control Flag to REQUIRED.
Click Save.
Click Security Realms from the Domain structure menu.
Click myrealm.
Select the Providers tab.
Click Reorder.
Using the arrows on the right-hand side, order the providers as follows:
OAMIDAsserter
Default Authenticator
OVDAuthenticator or OIDAuthenticator
Default Identity Asserter
Note:
Oracle Identity Manager providers only exist if Oracle Identity Manager has been configured.
Click OK.
Click Activate Changes.
Restart WebLogic Administration Server and all the Managed Servers, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."
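The control flags set in this section and the previous one follow JAAS semantics: a REQUIRED provider must succeed for the login to succeed, while a SUFFICIENT provider that succeeds ends the chain without consulting later providers and one that fails just passes control on. This is why DefaultAuthenticator is changed from its REQUIRED default to SUFFICIENT: otherwise a user such as weblogic_idm, who exists only in the LDAP directory, could never log in even though OIDAuthenticator accepts the credentials. The following added example (not part of the Oracle guide) models that evaluation for the provider order configured above and replays a few console logins against it. The user stores and passwords are constructed; OAMIDAsserter is left out of the model, since once it has validated the OAM token the same authenticator chain still runs for the asserted user name.

```python
# Added example; not part of the Oracle guide.  Models the JAAS control flags
# WebLogic applies to its authentication providers and replays console logins
# against the provider order configured above.  Stores and passwords are
# constructed; OAMIDAsserter is not modelled.

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Provider:
    name: str
    control_flag: str          # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    users: Dict[str, str]      # user name -> password this store can verify

    def login(self, user: str, password: str) -> bool:
        return self.users.get(user) == password


def authenticate(providers: List[Provider], user: str, password: str) -> Tuple[bool, List[str]]:
    """JAAS control-flag evaluation over an ordered provider list.

    Overall success requires every REQUIRED/REQUISITE provider to succeed;
    if there are none, at least one SUFFICIENT/OPTIONAL provider must."""
    trace: List[str] = []
    required_failed = False
    any_success = False
    has_required = any(p.control_flag in ("REQUIRED", "REQUISITE") for p in providers)
    for p in providers:
        ok = p.login(user, password)
        trace.append(f"{p.name}[{p.control_flag}]={'ok' if ok else 'fail'}")
        if p.control_flag in ("REQUIRED", "REQUISITE"):
            if ok:
                any_success = True
            else:
                required_failed = True
                if p.control_flag == "REQUISITE":
                    break                 # REQUISITE failure ends the chain at once
        elif p.control_flag == "SUFFICIENT":
            if ok and not required_failed:
                any_success = True
                trace.append("stop")      # later providers are not consulted
                break
        else:                             # OPTIONAL never decides on its own
            any_success = any_success or ok
    return ((not required_failed) if has_required else any_success, trace)


# Constructed stores: the embedded LDAP holds only the bootstrap weblogic
# user; the OID authenticator sees the users provisioned in Chapter 11.
EMBEDDED_LDAP = {"weblogic": "pw-weblogic"}
OID_USERS = {"weblogic_idm": "pw-idm", "oamadmin": "pw-oam"}


def configured_realm() -> List[Provider]:
    """DefaultAuthenticator and OIDAuthenticator both SUFFICIENT, as set above."""
    return [Provider("DefaultAuthenticator", "SUFFICIENT", EMBEDDED_LDAP),
            Provider("OIDAuthenticator", "SUFFICIENT", OID_USERS)]


def default_flags_realm() -> List[Provider]:
    """Same providers with DefaultAuthenticator left at its REQUIRED default."""
    return [Provider("DefaultAuthenticator", "REQUIRED", EMBEDDED_LDAP),
            Provider("OIDAuthenticator", "SUFFICIENT", OID_USERS)]


def login_ok(realm: List[Provider], user: str, password: str) -> bool:
    return authenticate(realm, user, password)[0]


if __name__ == "__main__":
    realms = (("SUFFICIENT/SUFFICIENT", configured_realm()),
              ("REQUIRED/SUFFICIENT", default_flags_realm()))
    attempts = (("weblogic", "pw-weblogic"), ("weblogic_idm", "pw-idm"), ("weblogic_idm", "bad"))
    for label, realm in realms:
        for user, pw in attempts:
            ok, trace = authenticate(realm, user, pw)
            print(f"{label:21} {user:13} {'ALLOW' if ok else 'DENY '}  {' -> '.join(trace)}")
```

Running it shows the bootstrap weblogic user succeeding in both realms, the LDAP user weblogic_idm succeeding only when DefaultAuthenticator is SUFFICIENT, and a wrong password denied in both.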
In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter Portal domain). The application domains are configured to authenticate using the central Identity Management domain.
In Section 11.5, "Preparing the Identity Store," you created a user called weblogic_idm and assigned it to the group WLSAdmins. To manage WebLogic Server with this account, you must add the WLSAdmins group to the list of WebLogic administration groups. This section describes how to do that.
Perform this step for each domain in the topology.
If you are using a split domain topology, perform these tasks on both IDMDomain and OIMDomain.
Log in to the WebLogic Administration Server Console at the URL listed in Section 20.2, "About Identity Management Console URLs."
In the left pane of the console, click Security Realms.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for myrealm, click the Roles & Policies tab.
On the Realm Roles page, expand the Global Roles entry under the Roles table, then click the Roles link to go to the Global Roles page.
On the Global Roles page, click the Admin role to go to the Edit Global Role page.
On the Edit Global Role page, under the Role Conditions table, click the Add Conditions button.
On the Choose a Predicate page, select Group from the drop-down list of predicates and click Next.
On the Edit Arguments page, enter WLSAdmins in the Group Argument field and click Add.
Click Finish to return to the Edit Global Role page.
The Role Conditions table now shows the WLSAdmins group as an entry.
Click Save to finish granting the Admin role to the WLSAdmins group.
Validate that the changes were successful by bringing up the WebLogic Administration Server Console in a web browser and logging in with the credentials of the weblogic_idm user.
If you are using a split domain you must register the Oracle Enterprise Manager Fusion Middleware Control application with the OPSS policy store in order for logout to work correctly in the IDMDomain. This is not necessary in the OIMDomain.
To register Fusion Middleware Control, proceed as follows.
Start WLST using the command:
MW_HOME/oracle_common/common/bin/wlst.sh
Connect to the IDMDomain using the WLST connect() command, as follows:
connect()
Enter User Name: weblogic
Password: password_for_account
Server URL: t3://adminvhn.mycompany.com:7001
Run the command:
addOAMSSOProvider(loginuri="/em/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")
Exit WLST using the command:
exit()
Restart the Administration Server and the Managed Servers WLS_OAM1 and WLS_OAM2, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."
Update the boot.properties file for the Administration Server and the Managed Servers with the WebLogic administration user created in Oracle Internet Directory.
This section contains the following topics:
Section 19.6.1, "Update the Administration Server on IDMHOST1"
Section 19.6.2, "Update the Administration Server on OIMHOST1"
On IDMHOST1, go the directory:
ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security
For example:
cd ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security
Rename the existing boot.properties file.
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=adminUser
password=adminUserPassword
For example:
username=weblogic_idm
password=Password for weblogic_idm user
Note:
When you start the Administration Server, the username and password entries in the file get encrypted.
For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, start the server as soon as possible so that the entries get encrypted. Also make sure the file is readable only by the operating system user that runs the server.
For a split domain topology, you must also perform these steps on OIMHOST1.
On OIMHOST1, go the directory:
ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security
For example:
cd ORACLE_BASE/admin/OIMDomain/aserver/OIMDomain/servers/AdminServer/security
Rename the existing boot.properties file.
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=adminUser
password=adminUserPassword
For example:
username=weblogic_idm
password=Password for weblogic_idm user
Note:
When you start the Administration Server, the username and password entries in the file get encrypted.
For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, start the server as soon as possible so that the entries get encrypted. Also make sure the file is readable only by the operating system user that runs the server.
Restart the WebLogic Administration server and all managed servers, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."
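Because boot.properties holds the administrator password in clear text until the server's first start, the two things worth checking on each host are the file mode and whether the rewrite has actually happened. The following added example (not part of the Oracle guide) performs the steps above in a throw-away directory: it renames any existing file, writes the new one with owner-only permissions, and reports which values are still clear text. WebLogic marks encrypted values with an {AES} prefix (older releases use {3DES}); the "after start" ciphertext, user name and password below are constructed placeholders, and nothing is written outside a temporary directory.

```python
# Added example; not part of the Oracle guide.  Creates boot.properties as the
# steps above describe (rename old file, write user and password) but with
# owner-only permissions, then reports whether the values are still clear
# text.  User name, password and the stand-in ciphertext are constructed.

import os
import stat
import tempfile
from typing import Dict

ENCRYPTED_PREFIXES = ("{AES}", "{3DES}")   # markers WebLogic writes on first start


def write_boot_properties(security_dir: str, username: str, password: str) -> str:
    """Write boot.properties readable only by its owner; keep the old file as .bak."""
    path = os.path.join(security_dir, "boot.properties")
    if os.path.exists(path):
        os.replace(path, path + ".bak")          # the guide says to rename the existing file
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"username={username}\npassword={password}\n")
    return path


def boot_properties_status(path: str) -> Dict[str, object]:
    """Report clear-text values and an over-permissive mode for a boot.properties file."""
    values: Dict[str, str] = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                values[key.strip()] = value.strip()
    encrypted = {k: v.startswith(ENCRYPTED_PREFIXES) for k, v in values.items()}
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "keys": sorted(values),
        "all_encrypted": bool(values) and all(encrypted.values()),
        "clear_text_keys": sorted(k for k, enc in encrypted.items() if not enc),
        "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }


def demo() -> Dict[str, object]:
    """Run the sequence in a throw-away directory and return the observations."""
    with tempfile.TemporaryDirectory() as security_dir:
        old = os.path.join(security_dir, "boot.properties")
        with open(old, "w") as f:
            f.write("username=weblogic\npassword=old-password\n")   # constructed old file
        path = write_boot_properties(security_dir, "weblogic_idm", "example-password")
        before = boot_properties_status(path)
        # Stand-in for what the Administration Server does on its first start
        # (constructed ciphertext, not a real WebLogic value).
        with open(path, "w") as f:
            f.write("username={AES}Zm9v\npassword={AES}YmFy\n")
        after = boot_properties_status(path)
        return {"renamed_old_file": os.path.exists(old + ".bak"),
                "before_start": before, "after_start": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host, run boot_properties_status against ASERVER_HOME/servers/AdminServer/security/boot.properties after the restart; a non-empty clear_text_keys list means the server has not yet rewritten the file.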
This section describes how to install and configure WebGate.
This section contains the following topics:
Ensure that the following tasks have been performed before installing WebGate:
Install and configure the Oracle Web Tier as described in Chapter 7.
Ensure Oracle Access Manager has been configured as described in Chapter 13.
WebGate requires special versions of the gcc libraries to be installed (Linux only). These library files must exist somewhere on the Linux system; the WebGate installer asks for their location at install time. Download the libraries from http://gcc.gnu.org, as described in "Installing Third-Party GCC Libraries (Linux and Solaris Operating Systems Only)" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Before starting the installer, ensure that Java is installed on your machine.
Start the WebGate installer by issuing the command:
./runInstaller
You are asked to specify the location of the Java Development Kit, for example:
MW_HOME/jrockit_version
On the Welcome screen, click Next.
On the Prerequisites screen, after all the checks have successfully completed, click Next.
On the Installation Location Screen, enter the following information:
Oracle Middleware Home: /u01/app/oracle/product/fmw
Oracle Home Directory: webgate
MW_HOME/webgate is defined as WEBGATE_ORACLE_HOME.
Click Next.
Specify the location of the GCC runtime libraries, for example: /u01/app/oracle/oam_lib.
Click Next.
On the installation summary screen, click Install.
Click Next.
Click Finish.
Deploy WebGate to Oracle HTTP Server, as follows:
Run the deployWebGateInstance.sh command, which is located in:
WEBGATE_ORACLE_HOME/webgate/ohs/tools/deployWebGate
The command takes the following arguments:
-w: the Oracle HTTP Server instance configuration directory
-oh: the WebGate Oracle home directory
For example:
./deployWebGateInstance.sh -w ORACLE_INSTANCE/config/OHS/ohs1 -oh WEBGATE_ORACLE_HOME
Set the library path and change directory.
On Linux systems, set the library path to include the WEB_ORACLE_HOME/lib directory, for example:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:WEB_ORACLE_HOME/lib
On Windows, add the WEBGATE_ORACLE_HOME\webgate\ohs\lib and WEB_ORACLE_HOME\bin locations to the PATH environment variable: append a semicolon (;) followed by each path to the end of the PATH value.
Change directory:
On Linux, change directory to WEBGATE_ORACLE_HOME/webgate/ohs/tools/setup/InstallTools
On Windows, change directory to WEBGATE_ORACLE_HOME\webgate\ohs\tools\EditHttpConf
Run the following command. It copies the file apache_webgate.template from the WebGate home directory to the WebGate instance location (renamed to webgate.conf) and adds one line to the httpd.conf file to include webgate.conf.
On Linux, type:
./EditHttpConf -w ORACLE_INSTANCE/config/OHS/component_name -oh WEBGATE_ORACLE_HOME
On Windows, type:
EditHttpConf.exe -w ORACLE_INSTANCE\config\OHS\component_name -oh WEBGATE_ORACLE_HOME
Copy the files ObAccessClient.xml, cwallet.sso, and password.xml, which were generated when you created the agent, from the directory ASERVER_HOME/domain_name/output/Webgate_IDM_11g on IDMHOST1 to the directory ORACLE_INSTANCE/config/OHS/component/webgate/config.
The files aaa_key.pem and aaa_cert.pem were also generated when you created the agent, in the same output directory ASERVER_HOME/domain_name/output/Webgate_IDM_11g on IDMHOST1. Copy them to the WebGate instance directory ORACLE_INSTANCE/config/OHS/component/webgate/config/simple. The file aaa_key.pem is the agent's private key for Simple security mode: after copying it, make sure it is readable only by the operating system user that runs Oracle HTTP Server.
Restart the Oracle HTTP Server as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."
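Before restarting Oracle HTTP Server, it is worth confirming the end state of the steps above on each web tier host. The following added example (not part of the Oracle guide) checks one component directory, ORACLE_INSTANCE/config/OHS/component, for the agent artefacts in webgate/config, the Simple-mode files in webgate/config/simple, the include line that EditHttpConf adds to httpd.conf, and that the private key aaa_key.pem and the wallet cwallet.sso are not accessible to other users. The sample directory tree, file contents and include path it builds are constructed placeholders so the check can run offline.

```python
# Added example; not part of the Oracle guide.  Checks the end state of the
# WebGate deployment on one Oracle HTTP Server component directory
# (ORACLE_INSTANCE/config/OHS/component).  The sample tree built by
# build_sample_component() is constructed; run check_webgate_instance()
# against a real component directory on the web tier host.

import os
import re
import stat
import tempfile
from typing import Dict, List

AGENT_FILES = ("ObAccessClient.xml", "cwallet.sso", "password.xml")   # webgate/config
SIMPLE_MODE_FILES = ("aaa_key.pem", "aaa_cert.pem")                  # webgate/config/simple
# Secret material: the agent's Simple-mode private key and its wallet.
OWNER_ONLY = {"aaa_key.pem": "simple", "cwallet.sso": ""}
INCLUDE_RE = re.compile(r"^\s*include\s+.*webgate\.conf", re.IGNORECASE | re.MULTILINE)


def check_webgate_instance(component_dir: str) -> List[str]:
    """Return findings for one OHS component directory; an empty list means all checks passed."""
    findings: List[str] = []
    config_dir = os.path.join(component_dir, "webgate", "config")
    for name in AGENT_FILES:
        if not os.path.isfile(os.path.join(config_dir, name)):
            findings.append(f"missing webgate/config/{name}")
    for name in SIMPLE_MODE_FILES:
        if not os.path.isfile(os.path.join(config_dir, "simple", name)):
            findings.append(f"missing webgate/config/simple/{name}")
    httpd_conf = os.path.join(component_dir, "httpd.conf")
    if not os.path.isfile(httpd_conf):
        findings.append("httpd.conf not found")
    else:
        with open(httpd_conf) as f:
            if not INCLUDE_RE.search(f.read()):
                findings.append("httpd.conf does not include webgate.conf")
    for name, sub in OWNER_ONLY.items():
        path = os.path.join(config_dir, sub, name)
        if os.path.isfile(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{name} is accessible to group or others (mode {oct(mode)})")
    return findings


def build_sample_component(root: str, with_include: bool = True, key_mode: int = 0o600) -> str:
    """Lay out a constructed ORACLE_INSTANCE/config/OHS/ohs1 tree for the check."""
    component_dir = os.path.join(root, "config", "OHS", "ohs1")
    simple_dir = os.path.join(component_dir, "webgate", "config", "simple")
    os.makedirs(simple_dir)
    for name in AGENT_FILES:
        with open(os.path.join(component_dir, "webgate", "config", name), "w") as f:
            f.write("placeholder\n")
    for name in SIMPLE_MODE_FILES:
        with open(os.path.join(simple_dir, name), "w") as f:
            f.write("placeholder\n")
    os.chmod(os.path.join(simple_dir, "aaa_key.pem"), key_mode)
    os.chmod(os.path.join(component_dir, "webgate", "config", "cwallet.sso"), 0o600)
    with open(os.path.join(component_dir, "httpd.conf"), "w") as f:
        f.write("Listen 7777\n")
        if with_include:
            # Constructed path; the real line names the instance's own webgate.conf.
            f.write(f'include "{component_dir}/webgate.conf"\n')
    return component_dir


def demo() -> Dict[str, List[str]]:
    """Run the check against a complete and a broken sample deployment."""
    with tempfile.TemporaryDirectory() as root:
        good = check_webgate_instance(build_sample_component(os.path.join(root, "good")))
        bad = check_webgate_instance(build_sample_component(
            os.path.join(root, "bad"), with_include=False, key_mode=0o644))
        return {"good": good, "bad": bad}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {findings or 'OK'}")
```

The broken sample omits the include line and leaves aaa_key.pem world-readable, which produces exactly two findings; the complete sample produces none.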
To validate that WebGate is functioning correctly, open a web browser and go to the OAM console URL listed in Section 20.2, "About Identity Management Console URLs."
You now see the Oracle Access Manager login page. Enter your OAM administrator user name (for example, oamadmin) and password and click Login. The Oracle Access Manager console is then displayed.
To validate the single sign-on setup, open a web browser and go to the WebLogic Administration Console and to Oracle Enterprise Manager Fusion Middleware Control at the URLs listed in Section 20.2, "About Identity Management Console URLs."
The Oracle Access Manager single sign-on page is displayed. Provide the credentials of the weblogic_idm user to log in.