This chapter describes how to use Sun Java System Access Manager / OpenSSO Policy Agent 2.2 to integrate Oracle Access Manager 11.1.2 with SAP NetWeaver Enterprise Portal 7.01.
This chapter covers the following topics:
Installing the OpenSSO Policy Agent 2.2 on SAP Enterprise Portal
Modifying the SAP Enterprise Portal 7.0 / Web Application Server 7.0 Class Path
Using Telnet to Create a Reference Between agentapp and Library AmSAPAgent2.2
Only SAP NetWeaver Enterprise Portal 7.01 is supported by the OpenSSO Policy Agent 2.2 in this release. MySAP is not certified.
Note:
The following patch must be applied to the OpenSSO Policy Agent 2.2: PSE ID OpenSSO.J2EE.PSE.2.2.18810674. SAP single sign-on will not work without this patch.
Before you begin, complete the following steps:
Remotely register the agent so that the Agent Profile is created on the Oracle Access Management side. Use the remote registration tool on the OAM server, located here:
<Middleware_Home>/Oracle_IDM1/oam/server/rreg
Ensure that the fully-qualified domain names of the OAM server and the SAP server resolve on both systems, for example by adding them to the hosts file on each system.
Always use the SAP and OAM servers' fully-qualified domain names when installing or registering the agent and when doing OAM configuration; a short name or IP address in one place and a fully-qualified name in another will break the redirect and cookie domain handling.
Open the appropriate XML request file for editing. The request file provides the inputs for the registration. Request files are located in the input folder.
Modify the specific values to match your environment.
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
NAME: OpenSSORequest.xml - Template (with all options) for OpenSSO Agent Registration Request file
DESCRIPTION: Modify with specific values and pass file as input to the tool
-->
<OpenSSORegRequest>
  <serverAddress>http://OAMserver.example.com:7001</serverAddress>
  <hostIdentifier>OPENSSO_HOSTID8</hostIdentifier>
  <agentName>OPENSSO_SAP8</agentName>
  <agentBaseUrl>http://SAPserver.example.com:50000</agentBaseUrl>
  <applicationDomain>OPENSSO_APPDOMAIN</applicationDomain> <!-- Modify this. -->
  <autoCreatePolicy>true</autoCreatePolicy>
  <agentType>J2EE</agentType>
  <agentVersion>2.2</agentVersion> <!-- Important: make sure the version is 2.2. -->
  <agentDebugDir></agentDebugDir>
  <agentAuditDir></agentAuditDir>
  <agentAuditFileName></agentAuditFileName>
  <protectedAuthnScheme></protectedAuthnScheme>
</OpenSSORegRequest>
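A preflight check for the request file before it is handed to oamreg, as an added example that is not part of the Oracle documentation or of the rreg tool. It parses a request of the shape shown above and rejects a non-2.2 agentVersion, a non-J2EE agentType, and any serverAddress or agentBaseUrl whose host is localhost, an IP address or an unqualified short name, since this chapter requires fully-qualified names throughout. The embedded request is constructed for the example and the function names are my own.

```python
"""Preflight check for an OpenSSO agent registration request (OpenSSORequest.xml)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample, modelled on the template above; not an Oracle-supplied file.
SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<OpenSSORegRequest>
  <serverAddress>http://OAMserver.example.com:7001</serverAddress>
  <hostIdentifier>OPENSSO_HOSTID8</hostIdentifier>
  <agentName>OPENSSO_SAP8</agentName>
  <agentBaseUrl>http://SAPserver.example.com:50000</agentBaseUrl>
  <applicationDomain>OPENSSO_APPDOMAIN</applicationDomain>
  <autoCreatePolicy>true</autoCreatePolicy>
  <agentType>J2EE</agentType>
  <agentVersion>2.2</agentVersion>
</OpenSSORegRequest>
"""

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def is_fqdn(host):
    """True if host is a dotted name rather than localhost, a bare short name or an IPv4 literal."""
    if not host or host.lower() == "localhost" or _IPV4.match(host):
        return False
    return "." in host.strip(".")


def check_request(xml_text):
    """Return a list of problems; an empty list means the request is ready for oamreg."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "OpenSSORegRequest":
        return ["root element is %r, expected OpenSSORegRequest" % root.tag]

    def text(tag):
        el = root.find(tag)
        return (el.text or "").strip() if el is not None else ""

    # Both URLs must be http(s), carry an explicit port, and use a fully-qualified host.
    for tag in ("serverAddress", "agentBaseUrl"):
        url = urlparse(text(tag))
        if url.scheme not in ("http", "https") or not url.hostname:
            problems.append("%s is not an http(s) URL" % tag)
        elif not is_fqdn(url.hostname):
            problems.append("%s host %r is not fully qualified" % (tag, url.hostname))
        elif url.port is None:
            problems.append("%s has no explicit port" % tag)

    # Policy Agent 2.2 must be registered as version 2.2 and type J2EE.
    if text("agentVersion") != "2.2":
        problems.append("agentVersion is %r, must be 2.2" % text("agentVersion"))
    if text("agentType") != "J2EE":
        problems.append("agentType is %r, expected J2EE" % text("agentType"))
    for tag in ("agentName", "hostIdentifier", "applicationDomain"):
        if not text(tag):
            problems.append("%s is empty" % tag)
    return problems


if __name__ == "__main__":
    for line in check_request(SAMPLE_REQUEST) or ["OK: request passes preflight"]:
        print(line)
```

Run it against the edited request file (read the file and pass its text to check_request) before invoking oamreg.sh; an empty problem list means the version and host-name requirements in this chapter are satisfied.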
To register the agent, open a command prompt and run the following command from the bin directory of the rreg tool:
oamreg.sh inband input/OpenSSORequest
The command outputs the AMAgent.properties file, which is located in the output directory.
Note:
For OpenSSO agent 2.2 there is only one output file (AMAgent.properties), whereas for OpenSSO agent 3 there are two output files (OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties).
This registration creates a footprint in the oam-config.xml file for the OAM domain, which is located here:
<Middleware_home>/user_projects/domains/base_domain1/config/fmwconfig/oam-config.xml
The registered agent appears in an entry similar to the following:
<Setting Name="<Agent_Name>" Type="htf:map">
The registration process is now complete.
Complete the following steps to install the agent on the SAP container.
Extract the OpenSSO Policy Agent and navigate to the bin folder.
Open a command prompt and type the following command to install the agent on the SAP container:
agentadmin.sh --install
The command will prompt you for values as needed. The following table summarizes the requested inputs.
Request prompt | Sample Input | Description |
---|---|---|
| | Path to the SAP directory |
| false | |
| | OAM server fully-qualified domain name |
| 8003 | Port where the OAM server is running |
| http | |
| | OpenSSO proxy URL |
| | SAP server fully-qualified domain name |
| 50000 | Port where the SAP EP server is running |
| http | |
| | URI of the WAR file that we deploy |
| gSwxyctnKWkx8fBgbwj8Mn5ziksjaUqi | |
| OPENSSO_SAP8 | Agent profile name given during registration |
After installation, an agent instance directory is created on the SAP container. Inside this directory is another instance of the AMAgent.properties file. (So there are two AMAgent.properties files: one generated during remote registration, and one generated just previously during the agent installation.)
Compare the two properties files and consolidate them so that you have one properties file that contains all of the information.
Be sure that all of the settings in the AMAgent.properties file match the Agent Profile entry in the oam-config.xml file on the OAM server.
In oam-config.xml, add the following entry under the <Setting Name="NamingData" Type="htf:map"> element:
<Setting Name="iplanet-am-platform-server-id" Type="xsd:string">serverprotocol://serverhost:serverport</Setting>
Note:
Be sure to increment the version integer every time you update the oam-config.xml file:
<Setting Name="Version" Type="xsd:integer">113</Setting>
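The two manual edits just described (adding the server-id entry under NamingData and incrementing Version) are easy to get wrong by hand, so here is an added example that does both with an XML parser. It is not part of the Oracle documentation or of any OAM tooling; the embedded fragment is a constructed cut-down of the structure quoted above, not a real oam-config.xml, and the example assumes the root element carries no XML namespace. The function names are my own.

```python
"""Add the platform-server-id entry to oam-config.xml and bump its Version integer."""
import xml.etree.ElementTree as ET

SERVER_ID_KEY = "iplanet-am-platform-server-id"

# Constructed fragment containing only the two settings this step touches.
SAMPLE_CONFIG = """<Configuration>
  <Setting Name="Version" Type="xsd:integer">113</Setting>
  <Setting Name="NamingData" Type="htf:map">
    <Setting Name="OtherEntry" Type="xsd:string">unchanged</Setting>
  </Setting>
</Configuration>
"""


def update_config(xml_text, server_url):
    """Set NamingData/<server-id> to server_url and increment Version.

    Returns (new_xml, new_version). Re-running it never duplicates the
    server-id entry, but Version goes up on every save, as the note requires.
    """
    root = ET.fromstring(xml_text)
    naming = root.find(".//Setting[@Name='NamingData']")
    if naming is None:
        raise ValueError("NamingData map not found")
    entry = naming.find("Setting[@Name='%s']" % SERVER_ID_KEY)
    if entry is None:
        entry = ET.SubElement(naming, "Setting", Name=SERVER_ID_KEY, Type="xsd:string")
    entry.text = server_url

    version = root.find("Setting[@Name='Version']")  # direct child of the root element
    if version is None or not (version.text or "").strip().isdigit():
        raise ValueError("Version setting missing or not an integer")
    new_version = int(version.text) + 1
    version.text = str(new_version)
    return ET.tostring(root, encoding="unicode"), new_version


def server_id_entries(xml_text):
    """All server-id values found in the document; expect exactly one after the update."""
    root = ET.fromstring(xml_text)
    return [e.text for e in root.findall(".//Setting[@Name='%s']" % SERVER_ID_KEY)]


if __name__ == "__main__":
    out, ver = update_config(SAMPLE_CONFIG, "http://OAMserver.example.com:7001")
    print("Version is now", ver)
    print(out)
```

Run it against a copy of the live file, diff the result, and only then replace the original; the server-id value must be the same protocol, host and port the agent was registered with.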
Go to the etc folder in the agent to locate the AmSAPAgent2.2.sda archive. The .sda file is a library that you will deploy onto the SAP server using the Software Deployment Manager (SDM).
Use the Software Deployment Manager (/usr/sap/SID/InstanceName/SDM/program/RemoteGui.sh) to deploy the AmSAPAgent2.2.sda file. Refer to the SAP documentation for details.
Once the deployment is complete, verify that the library is deployed by viewing the Undeployment tab. The AmSAPAgent2.2 library should be listed.
You can also use the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) to verify that the deployed library, along with the SAP libraries it depends on, is available in the container.
Use the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) to make a class loader reference for the newly deployed library. Add the reference to the LoginModuleClassLoader by adding the following key-value pair on the Properties tab of the Security Provider configuration page (Server Instance > Services > Security Provider).
Open the SAP Config Tool (/usr/sap/SID/InstanceName/j2ee/configtool/configtool.sh), navigate to Cluster_data > Instance ID > Server instance, and on the General tab add the following paths to the Classpath field:
/Policy_Agent/sap_v7_agent/j2ee_agents/sap_v7_agent/<Agent_Instance>/config
/Policy_Agent/sap_v7_agent/j2ee_agents/sap_v7_agent/locale
Open the SAP Deployment Manager (deploy.sh) and create a new project.
Go to an empty directory owned by the SAP instance user (j2eeadm) and type agentapp in the address field.
Go to the Assembler tab and add the agentapp.war archive (right-click the agentapp node and select Add Archive from the context menu).
Save the project.
Browse to the directory specified previously as owned by the SAP instance user (j2eeadm), type agentapp in the address field, and click OK.
Right-click the agentapp root node and select Make Ear from the context menu.
Telnet to the SAP J2EE administration port (for example, saphost.example.com 50008) and log on as an administrator. Telnet sends the administrator password in clear text, so do this from the SAP host itself or over a trusted management network.
Issue the following commands:
$ jump 0
The system returns a message similar to the following:
You jumped on node 4503950.
$ add deploy
$ CHANGE_REF -m sap.com/agentapp library:AmSAPAgent2.2
The system returns the following message:
The reference between application sap.com/agentapp and library:AmSAPAgent2.2 was made!
Stop and start the SAP Enterprise Portal instance.
Note:
You can also use the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) to verify that the references were made properly. Choose Server Instance > Services > ClassLoader Viewer.
Before You Begin
Start the SAP Enterprise Portal instance if it is not running.
Start the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) and log in.
Select the Security Provider service, click the User Management tab, and switch to edit mode.
Click Manage Security Stores > Add Login Module.
Click OK when the dialog box opens.
In the Class Name field, type the following:
com.sun.identity.agents.sap.v70.AmSAPEP70LoginModule
In the Display Name field, type the following:
AmSAPEP70LoginModule
Start the SAP Visual Administrator tool (/usr/sap/SID/InstanceName/j2ee/admin/go.sh) and log in.
Select the Security Provider service, click the Policy Configurations tab, and switch to edit mode.
In the Components list, select the ticket authentication template.
Delete all login modules except for the following:
com.sap.security.core.server.jaas.EvaluateTicketLoginModule
com.sap.security.core.server.jaas.CreateTicketLoginModule
Click Add New and select AmSAPEP70LoginModule from the list of modules.
Click Modify and move AmSAPEP70LoginModule between the two remaining login modules.
The ticket authentication template should now list the modules in this order: EvaluateTicketLoginModule, AmSAPEP70LoginModule, CreateTicketLoginModule. The order matters: an existing SAP logon ticket is evaluated first, the agent module then asserts the OAM-authenticated user, and the final module issues the MYSAPSSO2 ticket for that user.
Open the SAP Config Tool (/usr/sap/SID/InstanceName/j2ee/configtool/configtool.sh) and switch to edit mode.
Click the pencil and glasses button and choose cluster_data > server > cfg > services.
The UME service property sheet opens.
Open the com.sap.security.core.ume.service property sheet and add the following custom value to the ume.logoff.redirect.uri property:
http://OAM-Server-Hostname:OAM-Port/oam/server/logout
Open the AMAgent.properties file for the Agent Instance and edit the following properties:
Note:
The following properties in AMAgent.properties must match the properties in oam-config.xml. If the properties do not match, update the properties in oam-config.xml.
Be sure to increment the version integer every time you update the oam-config.xml file:
<Setting Name="Version" Type="xsd:integer">113</Setting>
In Debug Service Properties, update the complete path of the log location, similar to the following:
com.iplanet.services.debug.directory = /Policy_Agent/sap_v7_agent/j2ee_agents/sap_v7_agent/Agent_003/logs/debug
In COMMON ATTRIBUTE FETCH PROCESSING PROPERTIES, set cookie encoding to false:
com.sun.identity.agents.config.attribute.cookie.encode = false
In COOKIE RESET PROCESSING PROPERTIES, edit the following properties so that the agent expires any existing MYSAPSSO2 logon ticket when it sends the user to OAM for authentication (use your own cookie domain in place of .corp.example.com):
com.sun.identity.agents.config.cookie.reset.enable = true
com.sun.identity.agents.config.cookie.reset.name[0] = MYSAPSSO2
com.sun.identity.agents.config.cookie.reset.domain[MYSAPSSO2] = .corp.example.com
In URL DECODE SSO TOKEN FLAG, set decoding to false:
com.sun.identity.agents.config.sso.decode = false
In FILTER OPERATION MODE, add or update the following property. In SSO_ONLY mode the agent enforces authentication only; authorization of what the user may do in the portal is left to SAP:
com.sun.identity.agents.config.filter.mode = SSO_ONLY
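The consolidation of the two AMAgent.properties files described earlier, and the property values required in this section, lend themselves to a small checker. The following is an added example and not part of the Oracle documentation or of the agent: it parses both files, reports keys on which they disagree (keeping the registration value, since that is what the Agent Profile on the OAM server holds), and then flags any required SAP setting that is missing or wrong. The two embedded property excerpts are constructed for the example; the site-specific cookie reset domain and debug directory are deliberately not enforced. The function names are my own.

```python
"""Consolidate the two AMAgent.properties files and check the SAP-specific settings."""
import re

# Constructed excerpts (not real oamreg/agentadmin output): the two files overlap
# and disagree on filter.mode, which is the situation the merge has to surface.
RREG_PROPS = """\
# written by oamreg.sh (registration output)
com.iplanet.am.naming.url = http://OAMserver.example.com:7001/oam/server/namingservice
com.sun.identity.agents.app.username = OPENSSO_SAP8
com.sun.identity.agents.config.filter.mode = ALL
"""
INSTALL_PROPS = """\
# written by agentadmin.sh --install (agent instance copy)
com.iplanet.services.debug.directory = /Policy_Agent/sap_v7_agent/j2ee_agents/sap_v7_agent/Agent_003/logs/debug
com.sun.identity.agents.app.username = OPENSSO_SAP8
com.sun.identity.agents.config.attribute.cookie.encode = true
com.sun.identity.agents.config.sso.decode = true
com.sun.identity.agents.config.filter.mode = SSO_ONLY
"""

# Values this integration requires, taken from the property list above.
REQUIRED = {
    "com.sun.identity.agents.config.attribute.cookie.encode": "false",
    "com.sun.identity.agents.config.cookie.reset.enable": "true",
    "com.sun.identity.agents.config.cookie.reset.name[0]": "MYSAPSSO2",
    "com.sun.identity.agents.config.sso.decode": "false",
    "com.sun.identity.agents.config.filter.mode": "SSO_ONLY",
}

_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal Java .properties reader: key = value, '#'/'!' comments, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def consolidate(rreg_text, install_text):
    """Union of both files. Returns (merged, conflicts).

    Keys present in both files with different values are listed in conflicts.
    The registration value is kept because it reflects the Agent Profile on the
    OAM server, which the consolidated file must match; review each conflict by hand.
    """
    reg, inst = parse_properties(rreg_text), parse_properties(install_text)
    conflicts = sorted(k for k in reg.keys() & inst.keys() if reg[k] != inst[k])
    merged = dict(inst)
    merged.update(reg)
    return merged, conflicts


def check_required(props):
    """{key: (actual, expected)} for every required SAP setting that is missing or wrong."""
    return {k: (props.get(k), v) for k, v in REQUIRED.items() if props.get(k) != v}


def apply_required(props):
    """Copy of props with the required SAP settings forced to their expected values."""
    fixed = dict(props)
    fixed.update(REQUIRED)
    return fixed


def to_properties(props):
    """Serialise back to key = value lines, sorted so the result diffs cleanly."""
    return "".join("%s = %s\n" % (k, v) for k, v in sorted(props.items()))


if __name__ == "__main__":
    merged, conflicts = consolidate(RREG_PROPS, INSTALL_PROPS)
    print("conflicts:", conflicts)
    for key, (actual, expected) in check_required(merged).items():
        print("fix %s: %r -> %r" % (key, actual, expected))
    print(to_properties(apply_required(merged)))
```

Point consolidate at the real rreg output and the agent instance copy, resolve every reported conflict against the Agent Profile in oam-config.xml, and only then write the merged result back as the single AMAgent.properties the agent reads.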
Users in the Oracle Access Management user store must also exist in the SAP server, with the same user ID, because SAP logs in the user that the agent asserts rather than creating one. Be sure to allow user access in OAM.
To verify that the integration is working properly, try the following:
Access the protected URL (for example, /irj).
You should be redirected to the Oracle Access Manager login form.
Enter a valid user name and password.
You should be authenticated and logged into the SAP server (/irj).