Oracle® Secure Enterprise Search Administrator's Guide 11g Release 2 (11.2.2) Part Number E23427-01
You can implement a single sign-on authentication mechanism for Oracle SES by using Oracle Access Manager.
Ensure that the following components are installed:
Oracle Access Manager 10.1.4.3.0 or higher. See Oracle Access Manager Installation Guide.
Oracle HTTP Server 11g
Oracle Internet Directory 10.1.4.3.0 or higher. See Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. Also see "Configuring Oracle Identity Management" for information on configuring Oracle Internet Directory.
Oracle HTTP Server WebGate.
You must install Oracle Access Manager, and then add an entry for WebGate in Oracle Access Manager before installing WebGate. Oracle Access Manager Installation Guide provides detailed information about installing WebGate. Follow the steps as provided in this guide. However, for some steps, such as while creating a WebGate instance and while installing the WebGate, you must provide certain Oracle Access Manager-specific parameters, as listed in "Installing and Configuring WebGate".
To implement the Oracle Access Manager single sign-on authentication on Oracle SES, you must configure Oracle HTTP Server, Oracle SES, Oracle Internet Directory, and Oracle Access Manager.
You must install Oracle Identity Management 10.1.4.3.0 or higher. This is required because the Oracle SES parameter sso_user_guid_header must be used to send the ORCLGUID attribute from Oracle Access Manager to SES, and this can be done only with Oracle Internet Directory 10.1.4.3.0 or higher.
To enable this on Oracle Internet Directory:
Add the following to the LDIF file:
dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
changetype: modify
add: orclallattrstodn
orclallattrstodn: cn=orcladmin
Import the LDIF file into Oracle Internet Directory:
$LDAP_HOME/bin/ldapmodify -D cn=orcladmin -w password -h host -p port -c -v -f ldifFile
To verify that the changes you made to the LDIF file are reflected, use the following command:
$LDAP_HOME/bin/ldapsearch -b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" -s base -h host -p port -w password -D "cn=orcladmin" "objectclass=*"
You should see orclallattrstodn as an attribute of the dsaconfig entry.
Restart the Oracle Access Server and the Oracle Identity Server:
$OAM_HOME/as/access/oblix/apps/common/bin/restart_access_server
$OAM_HOME/is/identity/oblix/apps/common/bin/restart_ois_server
To configure Oracle HTTP Server, perform the following tasks:
Edit mod_wl_ohs.conf to include the following. The file is available at ORACLEOHS_HOME/instances/instance1/config/OHS/ohs1/, where instance1 refers to the instance name of Oracle HTTP Server.
<IfModule weblogic_module>
  WebLogicHost [SES host name]
  WebLogicPort [SES HTTP port]
  WLLogFile [convenient location of the log]
</IfModule>
<Location /search/query>
  SetHandler weblogic-handler
</Location>
<Location /search/admin>
  SetHandler weblogic-handler
</Location>
# For monitor SES URL
<Location /monitor>
  SetHandler weblogic-handler
</Location>
# For Help links in Admin side
<Location /search/ohw>
  SetHandler weblogic-handler
</Location>
For example, if your SES host is sesHost and the port is 8001:
<IfModule weblogic_module>
  WebLogicHost sesHost
  WebLogicPort 8001
  WLLogFile /scratch/exampleuser/weblogic.log
</IfModule>
<Location /search/query>
  SetHandler weblogic-handler
</Location>
<Location /search/admin>
  SetHandler weblogic-handler
</Location>
<Location /monitor>
  SetHandler weblogic-handler
</Location>
<Location /search/ohw>
  SetHandler weblogic-handler
</Location>
Edit httpd.conf, located at ORACLEOHS_HOME/instances/instance1/config/OHS/ohs1/, to include the following at the end of the file:
# Include configuration for mod_weblogic
include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/mod_wl_ohs.conf"
Ensure that the include directive is on a single line.
Restart the HTTP server.
$ORACLEOHS_HOME/instances/instance1/bin/opmnctl restartproc process-type=OHS
A WebGate is a Web server plug-in that is shipped out-of-the-box with Oracle Access Manager. The WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for authentication and authorization. See Oracle Access Manager Installation Guide for more information on installing a WebGate.
While installing WebGate, you must configure some parameters for the Oracle Access Manager single sign-on authentication.
Provide the following values while defining a WebGate instance in the Access System Console:
AccessGateName: Set as SESAccessGate
Description: Set as Secure Enterprise Search Access Gate
HostName: This is the host name on which Oracle HTTP Server is installed.
AccessGate Password: Set a password.
Port: This is the port number set during Oracle HTTP Server installation.
Transport Security: Set to Open.
Preferred HTTP Host: The domain for Oracle HTTP Server. For example, if the Oracle HTTP Server hostname is myhost.oracle.com, then the domain is oracle.com.
Ensure that Access Management Service is on.
Provide the following parameters while specifying the WebGate configuration details:
WebGate ID: Enter SESAccessGate.
WebGate Password: The same as AccessGate password.
Access Server ID: Obtain this from Access System Console.
DNS hostname: Obtain this from Access System Console.
Port number: Obtain this from Access System Console.
Perform the following tasks:
Create a login page for Oracle HTTP Server. For example, ORACLEOHS_HOME/ohs/htdocs/login/login.html:
<html>
<head>
<title>SES-OAM Test Login Page</title>
</head>
<body bgcolor="white">
<h1 align="center">SES-OAM SSO Login Page: Sign-In</h1>
<form method="POST" action="/myaction/test.html">
<table border="0" cellspacing="5">
<tr>
<th align="right">Username:</th>
<td align="left"><input type="text" name="usernamevar"></td>
</tr>
<tr>
<th align="right">Password:</th>
<td align="left"><input type="password" name="passwordvar"></td>
</tr>
<tr>
<td align="right"><input type="submit" value="Log In"></td>
<td align="left"><input type="reset"></td>
</tr>
</table>
</form>
</body>
</html>
Define a form-based authentication in Oracle Policy Manager:
From http://OAMHost:OAMPort/access/oblix
, select Access System Console, then Access System Configuration, and then Authentication Management.
Create Form Login method with the following options:
Name: OAMFormLogin
Description: OAM Form-based login
Level: 1
Challenge Method: Form
Challenge Parameter:
form: /login/login.html
creds: usernamevar passwordvar
action: /myaction/test.html
passthrough: no
SSL Required: No
Enabled: Yes
Set up the following plugins under the Plugins tab:
credential_mapping:
obMappingBase="o=company,c=us",obMappingFilter="(&(&(objectclass=gensiteorgperson)(genuserid=%usernamevar%))(|(!(obuseraccountcontrol=*))(obuseraccountcontrol=ACTIVATED)))"
validate_password:
obCredentialPassword="passwordvar"
where obMappingBase is the base DN of the user search in the LDAP directory server, and obMappingFilter is the LDAP filter used to search for a user with a given user ID. The directory login attribute is an attribute defined in the Identity System using a Semantic login type.
Ensure that a default step exists in the Steps tab to use the credential_mapping and validate_password plugins.
Create a policy in the Policy Manager to protect the query application login link using the form authentication created in the previous step:
From http://OAMHost:OAMPort/access/oblix
, select Policy Manager, and then Create Policy Domain.
Protect an HTTP resource with /search/query/formlogin.uix as the URL prefix.
In the Authorization Rules tab, add the role myrole. Also set the following:
Enabled: Yes
Allow takes precedence: Yes
Under the Actions tab for myrole, first add the following return action:
Type: HeaderVar
Name: HTTP_USER_GUID
Return Attribute: orclguid
Then add the following return action:
Type: HeaderVar
Name: HTTP_USER_NAME
Return Attribute: uid
Under Allow Access tab, ensure that anyone is allowed access.
Enable the new policy under My Policy Domains.
Click Default Rules, and under Authentication Rule, add a rule to use the form login scheme as the Authentication Scheme.
Under Authorization Expression, ensure that myrole is selected for Default Rules.
Create a policy in Policy Manager to protect the HTTP resource /search/query with the Anonymous Authentication option. The steps are identical to the previous step, except that in step 3g you select Anonymous Authentication instead of the form login scheme as the Authentication Scheme under Authentication Rule.
Configure Oracle SES to use HTTP_USER_GUID and HTTP_USER_NAME as the values of sso_user_guid_header and sso_username_header respectively. See "Configuring QueryPlan.xml in Oracle SES".
Configure Oracle SES to use OblixAnonymous as the value for sso_public_username. See "Configuring QueryPlan.xml in Oracle SES".
To enable Oracle Access Manager single sign-on authentication:
Configure the parameters shown in Example 9-3 in the QueryPlan.xml file, which is available at ORACLE_HOME/search/tools/weblogic/deploy/plans/.
Redeploy the query application with the modified deployment plan by running the following command from ORACLE_HOME/search/tools/weblogic/deploy/:
sh ./deployer.sh -serverURL t3://host:port/ -user weblogic -password password -name search_query -plan ./plans/QueryPlan.xml -process redeploy
If SES is deployed on a Windows system, then run the batch file deployer.bat, as shown:
%ORACLE_HOME%\search\tools\weblogic\deploy\deployer.bat -serverURL t3://host:port/ -user weblogic -password password -name search_query -plan .\plans\QueryPlan.xml -process redeploy
Where:
host is the host name, and port is the WebLogic service port. This is the same port that you use to open the Administration GUI.
password is the password for eqsys.
For example, if you install Oracle SES on the host myWlsServer and port 7777, and the Oracle SES administration password is welcome1, then issue the following command:
./deployer.sh -serverURL t3://myWlsServer:7777/ -user weblogic -password welcome1 -name search_query -plan ./plans/QueryPlan.xml -process redeploy
Example 9-3 QueryPlan.xml Parameters for Enabling Oracle Access Manager Single Sign-On Authentication
<variable>
  <name>sso_enabled</name>
  <value>true</value>
  <description>Whether SSO is enabled: true or false. The default is false.</description>
</variable>
<variable>
  <name>sso_vendor_name</name>
  <value>oam</value>
  <description>The SSO vendor name. Supported values are osso or oam.</description>
</variable>
<variable>
  <name>sso_user_guid_header</name>
  <value>HTTP_USER_GUID</value>
  <description>The HTTP header name that the SSO server uses to pass the user GUID to SES. The value in the header should match the value of the user's canonical attribute for the active identity plugin.</description>
</variable>
<variable>
  <name>sso_username_header</name>
  <value>HTTP_USER_NAME</value>
  <description>The HTTP header name that the SSO server uses to pass the search username to SES. The value in the header should match the value of the user's authentication attribute for the active identity plugin. Specify REMOTE_USER to use getRemoteUser in the HTTP request to retrieve the username.</description>
</variable>
<variable>
  <name>sso_public_username</name>
  <value>OblixAnonymous</value>
  <description>(Optional) Specify the username of the public user if the SSO server is configured to send a public user name in the sso_username_header for unprotected or anonymously protected resources.</description>
</variable>
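The HeaderVar return actions defined on the OAM policy (HTTP_USER_GUID returning orclguid, HTTP_USER_NAME returning uid) and the sso_* variables in Example 9-3 must agree before the query application is redeployed. The following script is an added consistency check, not part of the guide or of Oracle SES; it assumes the plan's <variable> elements can be located by iterating the parsed document, uses a constructed copy of the Example 9-3 values wrapped in a root element, and models the OAM return actions as a small dictionary.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Example 9-3 variables wrapped in a root element so
# the fragment parses on its own (a real QueryPlan.xml nests them deeper;
# assumption: root.iter("variable") still finds them).
SAMPLE_PLAN = """<deployment-plan>
<variable><name>sso_enabled</name><value>true</value></variable>
<variable><name>sso_vendor_name</name><value>oam</value></variable>
<variable><name>sso_user_guid_header</name><value>HTTP_USER_GUID</value></variable>
<variable><name>sso_username_header</name><value>HTTP_USER_NAME</value></variable>
<variable><name>sso_public_username</name><value>OblixAnonymous</value></variable>
</deployment-plan>"""

# Constructed model of the HeaderVar return actions on the OAM policy that
# protects /search/query/formlogin.uix: header name -> returned attribute.
OAM_RETURN_ACTIONS = {"HTTP_USER_GUID": "orclguid", "HTTP_USER_NAME": "uid"}


def plan_variables(plan_xml):
    """Return {name: value} for every <variable> element in the plan."""
    root = ET.fromstring(plan_xml)
    out = {}
    for var in root.iter("variable"):
        name = var.findtext("name")
        if name is not None:
            out[name.strip()] = (var.findtext("value") or "").strip()
    return out


def check_oam_sso(plan_xml, return_actions):
    """Return a list of problems; an empty list means plan and policy agree."""
    v = plan_variables(plan_xml)
    problems = []
    if v.get("sso_enabled") != "true":
        problems.append("sso_enabled must be true")
    if v.get("sso_vendor_name") != "oam":
        problems.append("sso_vendor_name must be oam for Oracle Access Manager")
    # Each SES header variable must name a header the OAM policy actually
    # returns, and that header must carry the expected directory attribute.
    for var, attr in (("sso_user_guid_header", "orclguid"),
                      ("sso_username_header", "uid")):
        header = v.get(var, "")
        if not header:
            problems.append(f"{var} is not set")
        elif header not in return_actions:
            problems.append(f"{var}={header} has no matching HeaderVar return action in the OAM policy")
        elif return_actions[header] != attr:
            problems.append(f"{var}={header} returns {return_actions[header]}, expected {attr}")
    if v.get("sso_public_username") != "OblixAnonymous":
        problems.append("sso_public_username should be OblixAnonymous for the anonymously protected /search/query resource")
    return problems


if __name__ == "__main__":
    for line in check_oam_sso(SAMPLE_PLAN, OAM_RETURN_ACTIONS) or ["plan and policy are consistent"]:
        print(line)
```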