Using SSODiag to Test the Kerberos Environment

Subtopics

SSODiag is a diagnostic web application that tests whether WebLogic Server in your Kerberos environment is ready to support EPM System.

Deploying SSODiag

Use the credentials (default user name is epm_admin) that you specified while deploying Foundation Services to deploy SSODiag.

To deploy an configure SSOdiag:

Log on to the WebLogic Server Administration Console for EPM System domain.
Using the Install Application Assistant, select EPM_ORACLE_HOME/products/Foundation/AppServer/InstallableApps/common/SSODiag.war as the web application to install.
Deploy SSODiag as an application (choose Install this deployment as an application as targeting style).
Activate the changes you made.

Configuring Oracle HTTP Server for SSODiag

Update mod_wl_ohs.conf to configure Oracle HTTP Server to forward SSODiag URL requests to the WebLogic Server.

To configure URL forwarding in Oracle HTTP Server:

Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/mod_wl_ohs.conf.
Add a LocationMatch definition for SSODiag:
```
<LocationMatch /SSODiag/>
    SetHandler weblogic-handler
    WeblogicCluster myServer:28080
</LocationMatch>
```
In the preceding sample, myServer denotes the Foundation Services host machine and 28080 represents the port at which Shared Services listens for requests.
Save and close mod_wl_ohs.conf.
Restart Oracle HTTP Server.

Creating Policies for SSODiag

Create a policy in the WebLogic Server Administrative Console to protect the following SSODiag URL.

http://OHS_HOST_NAME:PORT/SSODiag/krbssodiag

In this sample, OHS_HOST_NAME indicates the name of the server that hosts Oracle HTTP Server and PORT indicates the port where Oracle HTTP Server listens for requests.

To create policies to protect SSODiag:

In the Change Center in WebLogic Server Administration Console for EPM System domain, select Lock & Edit.
Select Deployments, then SSODiag, then Security, then Roles, and then URL Patterns.
Create the following URL patterns:
- /
- /index.jsp
Modify each URL pattern that you created:
1. From the list of URL patterns in Stand-Alone Web Application URL Patterns, open the pattern (/) that you created by clicking it.
2. Select Add Conditions.
3. In Predicate List, select User.
4. Select Next.
5. In User Argument Name, enter the Active Directory user whose account is used to access a client desktop configured for Kerberos authentication; for example, krbuser1, and select Add.
6. Select Finish.
Select Save.

Using SSODiag to Test WebLogic Server Configuration for Kerberos Authentication

If WebLogic Server configuration for Kerberos authentication works correctly, the Oracle Hyperion Kerberos SSO diagnostic Utility V 1.0 page displays the following message:

Retrieving Kerberos User principal name... Success.
Kerberos principal name retrieved... SOME_USER_NAME

Caution!

Do not configure EPM System components for Kerberos authentication if SSODiag cannot retrieve the Kerberos principal name.

To test WebLogic Server configuration for Kerberos authentication:

Start Foundation Services and Oracle HTTP Server.
Using WebLogic Server Administration Console, start SSODiag web application to service all requests.
Log on to a client machine configured for Kerberos authentication using valid Active Directory credentials.
Using a browser, connect to the following SSODiag URL:
```
http://OHS_HOST_NAME:PORT/SSODiag/krbssodiag
```
In this sample, OHS_HOST_NAME indicates the name of the server that hosts Oracle HTTP Server, and PORT indicates the port where Oracle HTTP Server listens for requests.
If Kerberos authentication works properly, SSODiag displays the following information:
```
Retrieving Kerberos User principal name... Success.
Kerberos principal name retrieved... SOME_USER_NAME
```
If Kerberos authentication does not work properly, SSODiag displays the following information:
```
Retrieving Kerberos User principal name... failed.
```