Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 6 (11.1.6) Part Number E21032-18 |
|
|
PDF · Mobi · ePub |
This chapter describes how to configure single sign-on (SSO) for administration consoles in an Identity Management Enterprise deployment.
This chapter includes the following topics:
You assign WebLogic Administration groups, update boot.properties, and restart the servers. Then you install and configure WebGate and validate the setup. After WebGate is installed and configured, the Oracle HTTP Server intercepts requests for the consoles and forwards them to Oracle Access Manager for validation
The administration consoles referred to in the chapter title are:
Oracle Enterprise Manager Fusion Middleware Control
Oracle WebLogic Server Administration Console
Oracle Access Manager Console
Oracle Identity Manager Console
Before you attempt to integrate administration consoles with single sign-on, ensure that the following tasks have been performed in the IDMDomain:
Configuring Oracle HTTP Server, as described in Chapter 8, "Configuring the Web Tier for an Enterprise Deployment."
Configuring Oracle Access Manager, as described in Chapter 13, "Configuring Oracle Access Manager 11g."
Provisioning Weblogic Administrators in LDAP as described in Section 11.5, "Preparing the Identity Store."
In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter Portal domain). The application domains are configured to authenticate using the central Identity Management domain.
In Section 11.5, "Preparing the Identity Store" you created a user called weblogic_idm
and assigned it to the group WLSAdmins. To be able to manage WebLogic using this account you must add the WLSAdmins group to the list of Weblogic Administration groups. This section describes how to add the WLSAdmins Group to the list of WebLogic Administrators.
Perform these tasks on IDMDomain.
Log in to the WebLogic Administration Server Console at: http://ADMIN.mycompany.com/console
In the left pane of the console, click Security Realms.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for myrealm
, click the Roles & Policies tab.
On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.
On the Global Roles page, click the Admin role to go to the Edit Global Role page:
On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
On the Choose a Predicate page, select Group from the list for predicates and click Next.
On the Edit Arguments Page, Specify IDM Administrators in the Group Argument field and click Add.
Click Finish to return to the Edit Global Rule page.
The Role Conditions table now shows the IDM Administrators Group as an entry.
Click Save to finish adding the Admin role to the IDM Administrators Group.
Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm
user.
Perform the following workaround for Bug 13824816:
Log in to the WebLogic Administration Server Console at: http://ADMIN.mycompany.com/oamconsole
In the left pane of the console, click Security Realms.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for myrealm, click the Roles & Policies tab.
On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles.
Click the Roles link to go to the Global Roles page.
On the Global Roles page, click the Admin role to go to the Edit Global Role page:
On the Edit Global Roles page, under the Role Conditions table, click Add Conditions.
On the Choose a Predicate page, select Group from the predicates list and click Next.
On the Edit Arguments Page, specify OAMAdministrators
in the Group Argument field and click Add.
Click Finish to return to the Edit Global Rule page.
The Role Conditions table now shows the OAMAdministrators
Group as an entry.
Click Save to finish adding the Admin role to the OAMAdministrators
Group.
Update the boot.properties
file for the Administration Server and the managed servers with the WebLogic admin
user created in Oracle Internet Directory.
This section contains the following topics:
On IDMHOST1, go the directory:
ASERVER_HOME/servers/serverName/security
For example:
cd ASERVER_HOME/servers/AdminServer/security
Rename the existing boot.properties
file.
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=adminUser password=adminUserPassword
For example:
username=weblogic_idm
password=Password for weblogic_idm user
Note:
When you start the Administration Server, the username and password entries in the file get encrypted.
For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.
Restart the WebLogic Administration server and all managed servers, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
This section describes how to install and configure WebGate.
This section contains the following topics:
Ensure that the following tasks have been performed before installing the Oracle Web Gate:
Install and configure the Oracle Web Tier as described in Chapter 8.
Ensure Oracle Access Manager has been configured as described in Chapter 13.
Before starting the installer ensure that Java is installed on your machine.
Start the WebGate installer by issuing the command:
./runInstaller
You are asked to specify the location of the Java Development Kit for example:
WEB_MW_HOME
/jrockit_
version
On the Welcome screen, click Next.
On the Prerequisites screen, after all the checks have successfully completed, click Next.
On the Installation Location Screen, enter the following information:
Oracle Middleware Home: WEB_MW_HOME
Oracle Home Directory: webgate
Click Next.
On the installation summary screen, click Install.
Click Next.
Click Finish.
Deploy WebGate to Oracle HTTP, as follows:
Execute the command deployWebGate
which is located in:
WEBGATE_ORACLE_HOME
/webgate/ohs/tools/deployWebGate
The command takes the following arguments:
Oracle HTTP Instance configuration Directory
WebGate Home Directory
For example:
./deployWebGateInstance.sh -w WEB_ORACLE_INSTANCE/config/OHS/component_name -oh WEBGATE_ORACLE_HOME
Set the library path and change directory.
On Linux systems, set the library path to include the WEB_ORACLE_HOME
/lib
directory, for example:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:WEB_ORACLE_HOME/lib
On Windows, set the WEBGATE_ORACLE_HOME
\webgate\ohs\lib
location and the WEB_ORACLE_HOME
\bin
location in the PATH environment variable. Add a semicolon (;) followed by this path at the end of the entry for the PATH environment variable.
Change directory:
On Linux, change directory to: WEBGATE_ORACLE_HOME
/webgate/ohs/tools/setup/InstallTools
On Windows, change directory to: WEBGATE_ORACLE_HOME
\webgate\ohs\tools\EditHttpConf
Run the following command to copy the file apache_webgate.template
from the WebGate home directory to the WebGate instance location (renamed to webgate.conf)
and update the httpd.conf
file to add one line to include the name of webgate.conf
.
On Linux, type:
./EditHttpConf -w WEB_ORACLE_INSTANCE/config/OHS/component_name -oh WEBGATE_ORACLE_HOME
On Windows, type:
EditHttpConf.exe -w WEB_ORACLE_INSTANCE\config\OHS\component_name -oh WEBGATE_ORACLE_HOME
Copy the files ObAccessClient.xml
, cwallet.sso
, and password.xml
, which were generated when you created the agent from the directory ASERVER_HOME
/output/Webgate_IDM_11g
on IDMHOST1, to the directory: WEB_ORACLE_INSTANCE
/config/OHS/component/webgate
/config
The files aaa_key.pem
and aaa_cert.pem
were generated when you created the agent from the directory ASERVER_HOME
/output/Webgate_IDM_11g Name
on IDMHOST1. Copy the files aaa_key.pem
and aaa_cert.pem
to the WebGate instance directory: WEB_ORACLE_INSTANCE
/config/OHS/component/webgate/config/simple
Restart the Oracle HTTP Server as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
To validate that WebGate is functioning correctly, open a web browser and go the OAM console at: http://ADMIN.mycompany.com/oamconsole
You now see the Oracle Access Manager Login page displayed. Enter your OAM administrator user name (for example, oamadmin
) and password and click Login. Then you see the Oracle Access Manager console displayed.
To validate the single sign-on setup, open a web browser and go the WebLogic Administration Console at http://ADMIN.mycompany.com/oamconsole
and to Oracle Enterprise Manager Fusion Middleware Control at: http://ADMIN.mycompany.com/em
The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the weblogic_idm
user to log in.
Back up the Web Tier and WebLogic Domain, as described in Section 21.6.3, "Performing Backups During Installation and Configuration."