19 Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment

This chapter describes how to configure single sign-on (SSO) for administration consoles in an Identity Management Enterprise deployment.

This chapter includes the following topics:

• Section 19.1, "Overview of Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment"

• Section 19.2, "Prerequisites"

• Section 19.3, "Create WebLogic Security Providers"

• Section 19.4, "Assigning WLSAdmins Group to WebLogic Administration Groups"

• Section 19.5, "Register EM with OPSS Security Provider"

• Section 19.6, "Updating the boot.properties File"

• Section 19.7, "Installing and Configuring WebGate 11g"

• Section 19.8, "Validating WebGate and the Oracle Access Manager Single Sign-On Setup."

19.1 Overview of Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment

You assign WebLogic Administration groups, update boot.properties, and restart the servers. Then you install and configure WebGate and validate the setup. After WebGate is installed and configured, the Oracle HTTP Server intercepts requests for the consoles and forwards them to Oracle Access Manager for validation

The administration consoles referred to in the chapter title are:

• Oracle Enterprise Manager Fusion Middleware Control

• Oracle WebLogic Server Administration Console

• Oracle Access Manager Console

• Oracle Identity Manager Console

19.2 Prerequisites

Before you attempt to integrate administration consoles with single sign-on, ensure that the following tasks have been performed in the IDMDomain

1. Configuring Oracle HTTP Server, as described in Chapter 7, "Configuring the Web Tier for an Enterprise Deployment."

2. Configuring Oracle Access Manager, as described in Chapter 13, "Configuring Oracle Access Manager 11g."

3. Provisioning Weblogic Administrators in LDAP as described in Section 11.5, "Preparing the Identity Store."

19.3 Create WebLogic Security Providers

This section describes how to integrate administration consoles with single sign-on. You need to perform the procedures in this section if you have placed Oracle Identity Manager into a separate domain.

This section contains the following topics:

• Section 19.3.1, "Creating Oracle Directory Authenticator"

• Section 19.3.2, "Creating Oracle Access Manager Identity Asserter"

Note:

Once you have enabled single sign-on for the administration consoles, ensure that at least one OAM Server is running to enable console access.

If you have used the Oracle Weblogic console to shut down all of the Oracle Access Manager Managed Servers, then restart one of those Managed Servers manually before using the console again.

To start WLS_OAM1 manually, use the command:

MSERVER_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://ADMINVHN:7001

19.3.1 Creating Oracle Directory Authenticator

This section sets up a directory authenticator to enable you to use the users in your LDAP directory to access administration consoles.

You do not need to perform these steps if you have integrated Oracle Access Manager and Oracle Identity Manager as described in Section 18.2, "Integrating Oracle Identity Manager and Oracle Access Manager 11g."

1. Log in to the WebLogic Administration Console at the URL listed in Section 20.2, "About Identity Management Console URLs."

2. Click Security Realms from the Domain structure menu.

3. Click Lock and Edit in the Change Center.

4. Click myrealm.

5. Select the Providers tab.

6. Click DefaultAuthenticator.

7. Set Control Flag to SUFFICIENT.

8. Click Save.

9. Click Security Realms from the Domain structure menu.

10. Click myrealm.

11. Select the Providers tab.

12. Click New.

13. Supply the following information if you are using Oracle Virtual Directory:

    For Oracle Virtual Directory:

    • Name: OVDAuthenticator

    • Type: OracleVirtualDirectoryAuthenticator

    For Oracle Internet Directory:

    • Name: OIDAuthenticator

    • Type: OracleInternetDirectoryAuthenticator

14. Click OK.

15. Click OVDAuthenticator or OIDAuthenticator.

16. Set Control Flag to SUFFICIENT.

17. Click Save.

18. Select the Provider Specific tab.

19. Enter the following details:

    • Host: idstore.mycompany.com

    • Port: 389

    • Principal: cn=oamLDAP,cn=Users,dc=us,dc=mycompany,dc=com

    • Credential: oamLDAP password

    • Confirm Credential: oamLDAP password

    • User Base DN: cn=Users,dc=mycompany,dc=com

    • All Users Filter: (&(uid=*)(objectclass=person))

    • User From Name Filter: (&(uid=%u)(objectclass=person))

    • User Name Attribute: uid

    • Group Base DN: cn=Groups,dc=mycompany,dc=com

    • GUID Attribute: orclguid

20. Click Save.

21. Click Activate Changes from the Change Center.

22. Restart WebLogic Administration Server and all the Managed Servers, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

Validating the Configuration

Validate the configuration by logging in to the OAM console as the user oamadmin.

You can perform a further validation test by using the Oracle WebLogic Administration Console, as follows.

1. Log in to the WebLogic Administration console at the URL listed in Section 20.2, "About Identity Management Console URLs."

2. Select Security Realms from the Domain structure menu.

3. Click myrealm.

4. Click the Users and Groups tab.

5. Click Users.

   LDAP users are displayed.

19.3.2 Creating Oracle Access Manager Identity Asserter

This section sets up an Oracle Access Manager asserter to enable you to delegate responsibility for credential collection to Oracle Access Manager.

You do not need to perform these steps if you have Integrated Oracle Access Manager and Oracle Identity Manager as described in Section 18.2, "Integrating Oracle Identity Manager and Oracle Access Manager 11g."

1. Log in to the WebLogic Administration Console at the URL listed in Section 20.2, "About Identity Management Console URLs."

2. Click Security Realms from the Domain structure menu.

3. Click Lock and Edit in the Change Center.

4. Click myrealm.

5. Select the Providers tab.

6. Click New.

7. Supply the following information:

   • Name: OAMIDAsserter

   • Type: OAMIdentityAsserter

8. Click OK.

9. Click OAMIDAsserter.

10. Set Control Flag to REQUIRED.

11. Click Save.

12. Click Security Realms from the Domain structure menu

13. Click myrealm.

14. Select the Providers tab.

15. Click Reorder.

16. Using the arrows on the right hand side order the providers such that the order is:

    • OAMIDAsserter

    • Default Authenticator

    • OVDAuthenticator or OIDAuthenticator

    • Default Identity Asserter

    Note:

    Oracle Identity Manager providers only exist if Oracle Identity Manager has been configured.

17. Click OK.

18. Click Activate Changes.

19. Restart WebLogic Administration Server and all the Managed Servers, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

19.4 Assigning WLSAdmins Group to WebLogic Administration Groups

In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter Portal domain). The application domains are configured to authenticate using the central Identity Management domain.

In Section 11.5, "Preparing the Identity Store" you created a user called weblogic_idm and assigned it to the group WLSAdmins. To be able to manage WebLogic using this account you must add the WLSAdmins group to the list of Weblogic Administration groups. This section describes how to add the WLSAdmins Group to the list of WebLogic Administrators.

Perform this step for each domain in the topology.

If you are using a split domain topology, perform these tasks on both IDMDomain and OIMDomain.

1. Log in to the WebLogic Administration Server Console at the URL listed in Section 20.2, "About Identity Management Console URLs.".

2. In the left pane of the console, click Security Realms.

3. On the Summary of Security Realms page, click myrealm under the Realms table.

4. On the Settings page for myrealm, click the Roles & Policies tab.

5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.

6. On the Global Roles page, click the Admin role to go to the Edit Global Role page:

   1. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.

   2. On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.

   3. On the Edit Arguments Page, Specify IDM Administrators in the Group Argument field and click Add.

7. Click Finish to return to the Edit Global Rule page.

8. The Role Conditions table now shows the IDM Administrators Group as an entry.

9. Click Save to finish adding the Admin role to the IDM Administrators Group.

10. Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.

19.5 Register EM with OPSS Security Provider

If you are using a split domain you must register the Oracle Enterprise Manager Fusion Middleware Control application with the OPSS policy store in order for logout to work correctly in the IDMDomain. This is not necessary in the OIMDomain.

To register Fusion Middleware Control, proceed as follows.

1. Start WLST using the command:

   MW_HOME/oracle_common/common/bin/wlst.sh
   

2. Connect to the IDMDomain using the WLST connect() command, as follows:

   connect()
   Enter User Name: weblogic
   Password: password_for_account
   Server URL: t3://adminvhn.mycompany.com:7001
   

3. Run the command:

   addOAMSSOProvider(loginuri="/em/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")
   

4. Exit WLST using the command:

   exit()
   

5. Restart the admin server and the managed servers wls_oam1 and wls_oam2 as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

19.6 Updating the boot.properties File

Update the boot.properties file for the Administration Server and the managed servers with the WebLogic admin user created in Oracle Internet Directory.

This section contains the following topics:

• Section 19.6.1, "Update the Administration Server on IDMHOST1"

• Section 19.6.2, "Update the Administration Server on OIMHOST1"

• Section 19.6.3, "Restarting the Servers"

19.6.1 Update the Administration Server on IDMHOST1

1. On IDMHOST1, go the directory:

   ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security
   

   For example:

   cd ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security
   

2. Rename the existing boot.properties file.

3. Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:

   username=adminUser
   password=adminUserPassword
   

   For example:

   username=weblogic_idm
   password=Password for weblogic_idm user
   

   Note:

   When you start the Administration Server, the username and password entries in the file get encrypted.

   For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.

19.6.2 Update the Administration Server on OIMHOST1

For a split domain topology, you must also perform these steps on OIMHOST1.

1. On OIMHOST1, go the directory:

   ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security
   

   For example:

   cd ORACLE_BASE/admin/OIMDomain/aserver/OIMDomain/servers/AdminServer/security
   

2. Rename the existing boot.properties file.

3. Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:

   username=adminUser
   password=adminUserPassword
   

   For example:

   username=weblogic_idm
   password=Password for weblogic_idm user
   

   Note:

   When you start the Administration Server, the username and password entries in the file get encrypted.

   For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.

19.6.3 Restarting the Servers

Restart the WebLogic Administration server and all managed servers, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

19.7 Installing and Configuring WebGate 11g

This section describes how to install and configure WebGate.

This section contains the following topics:

• Section 19.7.1, "Prerequisites"

• Section 19.7.2, "Making Special gcc Libraries Available"

• Section 19.7.3, "Installing Oracle WebGate on WEBHOST1 and WEBHOST2"

19.7.1 Prerequisites

Ensure that the following tasks have been performed before installing the Oracle Web Gate:

1. Install and configure the Oracle Web Tier as described in Chapter 7.

2. Ensure Oracle Access Manager has been configured as described in Chapter 13.

19.7.2 Making Special gcc Libraries Available

Oracle Web Gate requires special versions of gcc libraries to be installed (Linux only). These library files must exist somewhere on the Linux system. The Web Gate installer asks for the location of these library files at install time. Download the libraries from http://gcc.gnu.org, as described in "Installing Third-Party GCC Libraries (Linux and Solaris Operating Systems Only)" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management

19.7.3 Installing Oracle WebGate on WEBHOST1 and WEBHOST2

Before starting the installer ensure that Java is installed on your machine.

1. Start the WebGate installer by issuing the command:

   ./runInstaller
   

   You are asked to specify the location of the Java Development Kit for example:

   MW_HOME/jrockit_version

2. On the Welcome screen, click Next.

3. On the Prerequisites screen, after all the checks have successfully completed, click Next.

4. On the Installation Location Screen, enter the following information:

   • Oracle Middleware Home: /u01/app/oracle/product/fmw

   • Oracle Home Directory: webgate

     MW_HOME/webgate is defined as WEBGATE_ORACLE_HOME

   Click Next.

5. Specify the location of the GCC runtime libraries, for example: /u01/app/oracle/oam_lib.

   Click Next.

6. On the installation summary screen, click Install.

7. Click Next.

8. Click Finish.

Deploy WebGate to Oracle HTTP, as follows:

1. Execute the command deployWebGate which is located in:

   WEBGATE_ORACLE_HOME/webgate/ohs/tools/deployWebGate

   The command takes the following arguments:

   Oracle HTTP Instance configuration Directory

   WebGate Home Directory

   For example:

   ./deployWebGateInstance.sh -w ORACLE_INSTANCE/config/OHS/ohs1 -oh  WEBGATE_ORACLE_HOME
   

2. Set the library path and change directory.

   On Linux systems, set the library path to include the WEB_ORACLE_HOME/lib directory, for example:

   export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:WEB_ORACLE_HOME/lib
   

   On Windows, set the WEBGATE_ORACLE_HOME\webgate\ohs\lib location and the WEB_ORACLE_HOME\bin location in the PATH environment variable. Add a semicolon (;) followed by this path at the end of the entry for the PATH environment variable.

   Change directory:

   On Linux, change directory to: WEBGATE_ORACLE_HOME/webgate/ohs/tools/setup/InstallTools

   On Windows, change directory to: WEBGATE_ORACLE_HOME\webgate\ohs\tools\EditHttpConf

3. Run the following command to copy the file apache_webgate.template from the WebGate home directory to the WebGate instance location (renamed to webgate.conf) and update the httpd.conf file to add one line to include the name of webgate.conf.

   On Linux, type:

   ./EditHttpConf -w ORACLE_INSTANCE/config/OHS/component_name -oh WEBGATE_ORACLE_HOME 
   

   On Windows, type:

   EditHttpConf.exe -w ORACLE_INSTANCE\config\OHS\component_name -oh WEBGATE_ORACLE_HOME
   

4. Copy the files ObAccessClient.xml, cwallet.sso, and password.xml, which were generated when you created the agent from the directory ASERVER_HOME/domain_name/output/Webgate_IDM_11g on IDMHOST1, to the directory ORACLE_INSTANCE/config/OHS/component/webgate/config.

5. The files aaa_key.pem and aaa_cert.pem were generated when you created the agent from the directory ASERVER_HOME/output/Agent_11g Name on IDMHOST1. Copy the files aaa_key.pem and aaa_cert.pem to the WebGate instance directory OHS_INSTANCE_HOME/config/OHS/component/webgate/config/simple.

6. Restart the Oracle HTTP Server as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

19.8 Validating WebGate and the Oracle Access Manager Single Sign-On Setup

To validate that WebGate is functioning correctly, open a web browser and go the OAM console URL listed in Section 20.2, "About Identity Management Console URLs."

You now see the Oracle Access Manager Login page displayed. Enter your OAM administrator user name (for example, oamadmin) and password and click Login. Then you see the Oracle Access Manager console displayed.

To validate the single sign-on setup, open a web browser and go the WebLogic Administration Console and to Oracle Enterprise Manager Fusion Middleware Control at the URLs listed in Section 20.2, "About Identity Management Console URLs."

The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.