56 Integrating Oracle Access Manager 11.1.2 with SAP NetWeaver Enterprise Portal Using OpenSSO Policy Agent 2.2

This chapter describes how to use Sun Java System Access Manager / OpenSSO Policy Agent 2.2 to integrate Oracle Access Manager 11.1.2 with SAP NetWeaver Enterprise Portal 7.01.

This chapter covers the following topics:

  • 56.1 What is Supported in This Release?
  • 56.2 Registering the OpenSSO Agent
  • 56.3 Installing the OpenSSO Policy Agent 2.2 on SAP Enterprise Portal
  • 56.4 Deploying the Agent Software Delivery Archive
  • 56.5 Making a Class Loader Reference to the Login Module
  • 56.6 Modifying the SAP Enterprise Portal 7.0 / Web Application Server 7.0 Class Path
  • 56.7 Deploying and Starting the Agentapp.war File
  • 56.8 Using Telnet to Create a Reference Between agentapp and Library AmSAPAgent2.2
  • 56.9 Adding the Login Module to the Stack
  • 56.10 Modifying the Login Module Stack
  • 56.11 Updating the ume.logoff.redirect.uri
  • 56.12 Configuring the AMAgent.properties File
  • 56.13 Testing the Integration

56.1 What is Supported in This Release?

Only SAP NetWeaver Enterprise Portal 7.01 is supported by the OpenSSO Policy Agent 2.2 in this release. MySAP is not certified.

Note:

The following patch must be applied to the OpenSSO Policy Agent 2.2:

PSE ID: OpenSSO.J2EE.PSE.2.2.18810674

SAP single sign-on will not work without this patch.

56.2 Registering the OpenSSO Agent

Before you begin, complete the following steps:

  • Remotely register the agent so that the Agent Profile is created on the Oracle Access Management side. Use the remote registration tool on the OAM server located here:

    <Middleware_Home>/Oracle_IDM1/oam/server/rreg
    
  • Ensure that the fully-qualified domain name of the OAM server and the SAP server are updated in the hosts file on both systems.

    Always use the SAP and OAM server's fully-qualified domain name while installing or registering the agent and doing OAM configuration.

  1. Open the appropriate XML request file for editing. The request file will provide inputs for the registration.

    Request files are located in the input folder of the rreg tool.

  2. Modify the specific values to match your environment.

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved. 
       NAME: OpenSSORequest.xml - Template (with all options) for OpenSSO Agent Registration Request file
       DESCRIPTION: Modify with specific values and pass file as input to the tool-->
    <OpenSSORegRequest>
        <serverAddress>http://OAMserver.example.com:7001</serverAddress>  
        <hostIdentifier>OPENSSO_HOSTID8</hostIdentifier>
        <agentName>OPENSSO_SAP8</agentName>
        <agentBaseUrl>http://SAPserver.example.com:50000</agentBaseUrl>
        <applicationDomain>OPENSSO_APPDOMAIN</applicationDomain> <!-- Modify this. -->
        <autoCreatePolicy>true</autoCreatePolicy>
        <agentType>J2EE</agentType>
        <agentVersion>2.2</agentVersion> <!-- Important: Make sure the version is 2.2. -->
        <agentDebugDir></agentDebugDir>
        <agentAuditDir></agentAuditDir>
        <agentAuditFileName></agentAuditFileName>
        <protectedAuthnScheme></protectedAuthnScheme>
    </OpenSSORegRequest>

    Use the fully-qualified domain names of the OAM and SAP servers in serverAddress and agentBaseUrl; a short host name here will not match the hosts file entries made above.
    
  3. To register the agent, open a command prompt in the rreg directory and run the tool from its bin directory, passing the request file you edited:

    ./bin/oamreg.sh inband input/OpenSSORequest.xml
    

    The command outputs the AMAgent.properties file, which is located in the output directory.

    Note:

    For OpenSSO agent 2.2, there is only one output file (AMAgent.properties), whereas for OpenSSO agent 3 there are two output files (OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties).

    This registration creates a footprint in the oam-config.xml file for the OAM domain, which is located here:

    <Middleware_home>/user_projects/domains/base_domain1/config/fmwconfig/oam-config.xml

    The registered agent is in an entry similar to the following:

    <Setting Name="<Agent_Name>" Type="htf:map">

    The registration process is now complete.
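The checks that matter before handing the request file to oamreg.sh are the ones the text singles out: agentVersion is 2.2, agentType is J2EE, both URLs carry fully-qualified host names, and the placeholder applicationDomain has been replaced. The following shell script is an added example, not part of Oracle's rreg tool; it assumes the flat one-element-per-line layout of OpenSSORequest.xml shown above (a sed expression is enough for that layout; it is not a general XML parser), and the file path is passed as its first argument.

```shell
#!/bin/sh
# Pre-flight check for an rreg request file before running oamreg.sh.
# Added example, not part of Oracle's rreg tool. It assumes the flat layout
# of OpenSSORequest.xml shown above (one element per line, no namespaces).

# xml_value FILE ELEMENT: prints the text content of the first <ELEMENT>.
xml_value() {
    sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1" | head -n 1
}

# validate_request FILE: returns 0 if the file is ready for oamreg.sh,
# otherwise prints each problem found and returns 1.
validate_request() {
    file=$1
    status=0
    agent_version=$(xml_value "$file" agentVersion)
    agent_type=$(xml_value "$file" agentType)
    server=$(xml_value "$file" serverAddress)
    base=$(xml_value "$file" agentBaseUrl)
    domain=$(xml_value "$file" applicationDomain)

    # Agent 2.2 yields a single AMAgent.properties; a 3.x registration
    # produces a different pair of files and will not fit this procedure.
    if [ "$agent_version" != "2.2" ]; then
        echo "agentVersion must be 2.2 (found '${agent_version:-unset}')"
        status=1
    fi
    if [ "$agent_type" != "J2EE" ]; then
        echo "agentType must be J2EE (found '${agent_type:-unset}')"
        status=1
    fi
    # Both sides must be addressed by fully-qualified names, matching the
    # hosts file entries made earlier. Accept a host only if it contains a dot.
    for url in "$server" "$base"; do
        host=$(printf '%s' "$url" | sed -n 's|^[a-zA-Z]*://\([^:/]*\).*|\1|p')
        case $host in
            *.*) ;;
            *) echo "host in '$url' is not a fully-qualified domain name"
               status=1 ;;
        esac
    done
    # The template ships with a placeholder application domain.
    if [ -z "$domain" ] || [ "$domain" = "OPENSSO_APPDOMAIN" ]; then
        echo "applicationDomain still has the template value; set your own"
        status=1
    fi
    # Not an error for this procedure, but worth noticing: the sample uses
    # plain http between agent and OAM server.
    case $server in
        https://*) ;;
        *) echo "warning: serverAddress '$server' is not https" ;;
    esac
    return $status
}

if [ $# -gt 0 ]; then
    validate_request "$1"
fi
```

Run it as `sh check-request.sh input/OpenSSORequest.xml` from the rreg directory; a non-zero exit means the file still needs editing. The https line is only a warning because the chapter's own sample uses http.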

56.3 Installing the OpenSSO Policy Agent 2.2 on SAP Enterprise Portal

Complete the following steps to install the agent on the SAP container.

  1. Extract the OpenSSO Policy agent and navigate to the bin folder.

  2. Open a command prompt and type the following command to install the agent on the SAP container.

    agentadmin.sh --install

    The command will prompt you for values as needed. The following table summarizes the requested inputs.

    Table 56-1 Inputs requested by agentadmin --install

    Request prompt                            | Sample input                                     | Description
    SAP <SID> Directory                       | <SAP_Server_Instance>\JC00\j2ee\cluster\server0  | Path to the SAP server instance directory
    Agent installed on WebAS domain           | false                                            |
    Access Manager Services host              | OAMserver.example.com                            | OAM server fully-qualified domain name
    Access Manager Services Port              | 8003                                             | Port where the OAM server is running
    Access Manager Services protocol          | http                                             |
    Access Manager Services deployment URI    | /opensso                                         | OpenSSO proxy URI on the OAM server
    Agent host name                           | SAPserver.example.com                            | SAP server fully-qualified domain name
    Application server instance port number   | 50000                                            | Port where the SAP EP server is running
    Protocol for Application Server instance  | http                                             |
    Deployment URI for the Agent Application  | /agentapp                                        | URI of the agentapp WAR file that is deployed later in this chapter
    Encryption key                            | gSwxyctnKWkx8fBgbwj8Mn5ziksjaUqi                 | Key the agent uses to protect stored secrets; the value shown is only a sample
    Agent profile name                        | OPENSSO_SAP8                                     | Agent profile name given during registration
    Agent profile password file name          | /Policy_Agent/sap_v7_agent/Info/p.txt            | File containing the agent profile password

    The encryption key and the agent profile password file are secrets: generate a fresh key for each deployment rather than reusing the sample value, and keep the password file readable only by the SAP instance user.

56.3.1 Post-Installation Steps

After installation, an agent instance is created on the SAP container. Inside this directory is another instance of the AMAgent.properties file. (So there are two AMAgent.properties files: one generated during remote registration, and one generated just previously during the Agent installation.)

  1. Compare the two properties files and consolidate them so that you have one properties file that contains all of the information.

    Be sure that all of the settings in the AMAgent.properties file matches the Agent Profile entry in the oam-config.xml file on the OAM server.

  2. In oam-config.xml, add the following entry under the <Setting Name="NamingData" Type="htf:map"> element:

    <Setting Name="iplanet-am-platform-server-id" Type="xsd:string">serverprotocol://serverhost:serverport</Setting>
    

    Note:

    Be sure to increment the version integer every time you update the oam-config.xml file:
    <Setting Name="Version" Type="xsd:integer">113</Setting>
    
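The two hand edits to oam-config.xml (adding the iplanet-am-platform-server-id setting and incrementing the Version integer) are easy to get half right: the file is accepted but the new version is never picked up because Version was not bumped. The script below is an added example, not part of Oracle Access Manager; it assumes the Version element is written on one line exactly as shown in the note above, and that a single file path is passed to each function.

```shell
#!/bin/sh
# Helpers for the hand edits to oam-config.xml described above. Added
# example, not part of Oracle Access Manager. Assumes the Version element
# appears on one line exactly as in the note:
#   <Setting Name="Version" Type="xsd:integer">N</Setting>

VERSION_RE='<Setting Name="Version" Type="xsd:integer">'

# oam_config_version FILE: prints the value of the first Version setting.
oam_config_version() {
    sed -n "s|.*$VERSION_RE\([0-9]*\)</Setting>.*|\1|p" "$1" | head -n 1
}

# bump_oam_config_version FILE: increments the first Version setting in
# place, prints the new value, and fails without touching the file if no
# Version setting is found.
bump_oam_config_version() {
    file=$1
    current=$(oam_config_version "$file")
    if [ -z "$current" ]; then
        echo "no Version setting found in $file" >&2
        return 1
    fi
    next=$((current + 1))
    tmp=$(mktemp) || return 1
    # Rewrite only the first matching line; every other byte is preserved.
    # Writing back with cat keeps the file's owner and permissions.
    awk -v old="$VERSION_RE$current</Setting>" -v new="$VERSION_RE$next</Setting>" '
        !done && index($0, old) {
            $0 = substr($0, 1, index($0, old) - 1) new substr($0, index($0, old) + length(old))
            done = 1
        }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
    echo "$next"
}

# has_platform_server_id FILE: returns 0 if the iplanet-am-platform-server-id
# setting from step 2 is present with a protocol://host:port value.
has_platform_server_id() {
    grep -q '<Setting Name="iplanet-am-platform-server-id" Type="xsd:string">[a-zA-Z]*://[^<]*</Setting>' "$1"
}
```

After adding the NamingData entry by hand, `has_platform_server_id oam-config.xml && bump_oam_config_version oam-config.xml` performs the check and the increment in one go; back the file up first, as with any hand edit to a server configuration file.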

56.4 Deploying the Agent Software Delivery Archive

  1. Go to the etc folder in the agent to locate the AmSAPAgent2.2.sda archive. The .sda file is a library that you will deploy onto the SAP server using the Software Deployment Manager (SDM).

  2. Use the Software Deployment Manager (/usr/sap/SID/InstanceName/SDM/program/RemoteGui.sh) to deploy the AmSAPAgent2.2.sda file. Refer to the SAP documentation for details.

    Once the deployment is complete, verify that the library is deployed by viewing the Undeployment tab. The AmSAPAgent2.2 library should be listed.

    You can also use the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) to verify that the deployed library, along with the SAP-dependent libraries, are available in the container.

56.5 Making a Class Loader Reference to the Login Module

Use the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) to make a class loader reference for the newly deployed library. Add the reference to the LoginModuleClassLoader by adding the following key-value pair on the Properties tab on the Security Provider configuration page (Server Instance > Services > Security Provider).

Table 56-2 Class loader reference

Key                      | Value
LoginModuleClassLoader   | library:AmSAPAgent2.2


56.6 Modifying the SAP Enterprise Portal 7.0 / Web Application Server 7.0 Class Path

Open the SAP Config Tool (/usr/sap/SID/InstanceName/j2ee/configtool/configtool.sh), navigate to Cluster_data > Instance ID > Server instance, and on the General tab, add the following paths to the Classpath field:

/Policy_Agent/sap_v7_agent/j2ee_agents/sap_v7_agent/<Agent_Instance>/config

/Policy_Agent/sap_v7_agent/j2ee_agents/sap_v7_agent/locale

56.7 Deploying and Starting the Agentapp.war File

  1. Open the SAP Deployment Manager (deploy.sh) and create a new project.

  2. Browse to an empty directory owned by the SAP instance user (j2eeadm), type agentapp in the address field, and click OK.

  3. Go to the Assembler tab and add the agentapp.war archive (right-click the agentapp node and select Add Archive from the context menu).

  4. Save the project.

  5. Right-click the agentapp root node and select Make Ear from the context menu.

56.8 Using Telnet to Create a Reference Between agentapp and Library AmSAPAgent2.2

  1. Telnet to the administration port of the SAP host (for example, saphost.example.com 50008) and log on as an administrator. Telnet sends the session, including the administrator password, in clear text, so open it from the SAP host itself or from an administrative network, never across an untrusted one.

  2. Issue the following commands:

    1. $ jump 0

      The system returns a message similar to the following:

      You jumped on node 4503950.

    2. $ add deploy

    3. $ CHANGE_REF -m sap.com/agentapp library:AmSAPAgent2.2

      The system returns the following message:

      The reference between application sap.com/agentapp and library:AmSAPAgent2.2 was made!

  3. Stop and Start the SAP Enterprise Portal instance.

    Note:

    You can also use the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) to verify that the references were made properly. Choose Server Instance > Services > ClassLoader Viewer.

56.9 Adding the Login Module to the Stack

Before You Begin - Start the SAP Enterprise Portal instance if it is not running.

  1. Start the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) and log in.

  2. Select the Security Provider service, click the User Management tab, and switch to edit mode.

  3. Click Manage Security Stores > Add Login Module.

    Click OK when the dialog box opens.

  4. In the Class Name field, type the following:

    com.sun.identity.agents.sap.v70.AmSAPEP70LoginModule

  5. In the Display Name field, type the following:

    AmSAPEP70LoginModule

56.10 Modifying the Login Module Stack

  1. Start the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) and log in.

  2. Select the Security Provider service, click the Policy Configurations tab, and switch to edit mode.

  3. In the Components list, select the ticket authentication template.

  4. Delete all login modules except for the following:

    • com.sap.security.core.server.jaas.EvaluateTicketLoginModule

    • com.sap.security.core.server.jaas.CreateTicketLoginModule

  5. Click Add New and select AmSAPEP70LoginModule from the list of modules.

  6. Click Modify and move AmSAPEP70LoginModule between the two remaining login modules.

    The new ticket authentication template should match the values in the following table.

    Table 56-3 Login Module Flags

    Login Module                | Flag
    EvaluateTicketLoginModule   | SUFFICIENT
    AmSAPEP70LoginModule        | REQUISITE
    CreateTicketLoginModule     | OPTIONAL

    With these flags, a request that already carries a valid MYSAPSSO2 logon ticket is accepted by EvaluateTicketLoginModule alone (SUFFICIENT). Any other request must satisfy AmSAPEP70LoginModule, that is, it must carry a session token the agent can validate against Oracle Access Manager; because the module is REQUISITE, its failure ends the stack immediately, so there is no fallback to SAP password login. CreateTicketLoginModule (OPTIONAL) then issues the MYSAPSSO2 ticket that lets later requests short-circuit at the first module.


56.11 Updating the ume.logoff.redirect.uri

  1. Open the SAP Config Tool (/usr/sap/SID/InstanceName/j2ee/configtool/configtool.sh) and switch to edit mode.

  2. Click the pencil and glasses button and choose cluster_data > server > cfg > services.

    The UME service property sheet opens.

  3. Open the com.sap.security.core.ume.service property sheet and add the following custom value to the ume.logoff.redirect.uri property.

    http://OAM-Server-Hostname:OAM-Port/oam/server/logout

56.12 Configuring the AMAgent.properties File

Open the AMAgent.properties file for the Agent Instance and edit the following properties:

Note:

The following properties in AMAgent.properties must match the properties in oam-config.xml. If the properties do not match, update the properties in oam-config.xml.

Be sure to increment the version integer every time you update the oam-config.xml file:

<Setting Name="Version" Type="xsd:integer">113</Setting>

  1. In Debug Service Properties, update the complete path of the log location similar to the following:

    com.iplanet.services.debug.directory = /Policy_Agent/sap_v7_agent/j2ee_agents/sap_v7_agent/Agent_003/logs/debug

  2. In COMMON ATTRIBUTE FETCH PROCESSING PROPERTIES, set cookie encode to false.

    com.sun.identity.agents.config.attribute.cookie.encode = false

  3. In COOKIE RESET PROCESSING PROPERTIES, edit the following properties:

    com.sun.identity.agents.config.cookie.reset.enable = true

    com.sun.identity.agents.config.cookie.reset.name[0] = MYSAPSSO2

    com.sun.identity.agents.config.cookie.reset.domain[MYSAPSSO2] = .corp.example.com

  4. In URL DECODE SSO TOKEN FLAG, set decode to false:

    com.sun.identity.agents.config.sso.decode = false

  5. In FILTER OPERATION MODE, add or update the following property:

    com.sun.identity.agents.config.filter.mode = SSO_ONLY

    In SSO_ONLY mode the agent only establishes who the user is; it does not evaluate OAM URL or J2EE authorization policies. Authorization for portal content therefore remains entirely with SAP, so do not expect OAM policies to restrict access to individual portal URLs.
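After consolidating the two AMAgent.properties files and editing the properties above, it is worth confirming the result mechanically, because a missing `cookie.reset` entry or a leftover `filter.mode` value fails silently at login time rather than at startup. The script below is an added example, not part of the OpenSSO agent; it reads a Java properties file with `key = value` lines (last definition wins, as java.util.Properties does) and checks the values this integration depends on. The file path is passed as its first argument.

```shell
#!/bin/sh
# Consistency check for the AMAgent.properties edits above. Added example,
# not part of the OpenSSO agent. Reads "key = value" lines; the last
# definition of a key wins, as java.util.Properties does.

# prop FILE KEY: prints the value of KEY, or nothing if it is not set.
prop() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                       # comment lines
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                val = v
            }
        }
        END { print val }' "$1"
}

# check_agent_properties FILE: returns 0 when every required setting has
# the value the SAP integration needs; otherwise lists each mismatch and
# returns 1.
check_agent_properties() {
    file=$1
    status=0
    while IFS='=' read -r key want; do
        got=$(prop "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-unset}'"
            status=1
        fi
    done <<EOF
com.sun.identity.agents.config.attribute.cookie.encode=false
com.sun.identity.agents.config.cookie.reset.enable=true
com.sun.identity.agents.config.cookie.reset.name[0]=MYSAPSSO2
com.sun.identity.agents.config.sso.decode=false
com.sun.identity.agents.config.filter.mode=SSO_ONLY
EOF
    # The reset domain must be the cookie domain SAP issued MYSAPSSO2 for;
    # otherwise the expiry the agent sends does not match the cookie the
    # browser holds and the stale SAP ticket survives.
    domain=$(prop "$file" 'com.sun.identity.agents.config.cookie.reset.domain[MYSAPSSO2]')
    case $domain in
        .*.*) ;;
        *) echo "cookie.reset.domain[MYSAPSSO2]: expected a dotted domain such as .corp.example.com, found '${domain:-unset}'"
           status=1 ;;
    esac
    # The debug directory must be an absolute path; warn if it is not there yet.
    debug=$(prop "$file" com.iplanet.services.debug.directory)
    case $debug in
        /*) [ -d "$debug" ] || echo "warning: debug directory '$debug' does not exist" ;;
        *)  echo "com.iplanet.services.debug.directory: expected an absolute path, found '${debug:-unset}'"
            status=1 ;;
    esac
    return $status
}

if [ $# -gt 0 ]; then
    check_agent_properties "$1"
fi
```

Run it as `sh check-agent.sh <Agent_Instance>/config/AMAgent.properties`. Because it reports the last definition of each key, it also catches the common consolidation mistake of pasting a second, older copy of a property below the edited one.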

56.13 Testing the Integration

Users who authenticate through Oracle Access Management must also exist in the SAP user store under the same user name, since the login module hands the authenticated user name to SAP. Be sure that the OAM policy for the application domain created at registration allows these users access.

To verify that the integration is working properly, try the following:

  1. Access the protected URL (for example, /irj ).

    You should be redirected to the Oracle Access Manager login form.

  2. Enter a valid user name and password.

    You should be authenticated and logged into the SAP server (/irj).
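The first test above has a precise expected outcome: an unauthenticated request to /irj must come back as an HTTP redirect whose target is the OAM server, not as SAP's own logon page (an HTTP 200) and not as a redirect to some other host. The function below is an added example, not part of Oracle's or SAP's tooling; it reads raw response headers on standard input, so it can be fed from curl against a live system or from a captured response, and uses the host names used throughout this chapter.

```shell
#!/bin/sh
# Smoke test for step 1 above. Added example, not part of Oracle's or SAP's
# tooling. Reads raw HTTP response headers on stdin and decides whether the
# unauthenticated request was bounced to the OAM login.

# check_oam_redirect OAM_HOST: returns 0 only for a 3xx response whose
# Location header points at OAM_HOST; explains the failure otherwise.
check_oam_redirect() {
    expect_host=$1
    headers=$(tr -d '\r')
    code=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case $code in
        301|302|303|307|308) ;;
        200) echo "got HTTP 200: the portal answered the request itself (usually its own logon page), so it was not sent to OAM"
             return 1 ;;
        *)   echo "expected a redirect, got HTTP '${code:-unknown}'"
             return 1 ;;
    esac
    host=$(printf '%s' "$location" | sed -n 's|^[a-zA-Z]*://\([^:/]*\).*|\1|p')
    if [ "$host" != "$expect_host" ]; then
        echo "redirected to '$location', not to the OAM server $expect_host"
        return 1
    fi
    echo "OK: redirected to $location"
}

# Against a live system, curl -D - prints the response headers:
#   curl -sS -o /dev/null -D - http://SAPserver.example.com:50000/irj \
#       | check_oam_redirect OAMserver.example.com
```

Run the curl line from a host without an existing OAM or SAP session cookie; a browser that already holds a MYSAPSSO2 ticket would be admitted by EvaluateTicketLoginModule and never reach OAM, which is exactly the case this check is meant to exclude.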