This chapter describes how to configure Single Sign-On for an Oracle Identity and Access manager enterprise deployment.
This chapter contains the following sections:
Configuring Single Sign-On requires the following tasks:
Assign an LDAP group to the WebLogic Administration groups, if you have not already done so.
Update the boot.properties file.
Restart the servers.
Install and configure WebGate and validate the setup.
After WebGate is installed and configured, the Oracle HTTP Server intercepts requests for the consoles and forwards them to Access Manager for validation.
The following administration consoles are referred to in this chapter:
Oracle Enterprise Manager Fusion Middleware Control
Oracle WebLogic Server Administration Console
Oracle Access Management Console
Oracle Access Manager Policy Manager
Oracle Identity Manager System Administration Console
Oracle Identity Manager Self Service Console
When you run configOAM or configOIM, security providers will have been created in the domains IAMAccessDomain and IAMGovernanceDomain. These security providers will restrict access to the consoles in those domains based on the security policies of Oracle Access Manager. If you have other domains, create security providers in those domains manually. After creating the security providers, update them as described in the following sections.
Once you have enabled single sign-on for the administration consoles, ensure that at least one OAM Server is running to enable console access.
If you have used the Oracle Weblogic console to shut down all of the Access Manager Managed Servers, restart one of those Managed Servers manually before using the console again.
To start WLS_OAM1 manually, use the following command:
MSERVER_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://IADADMINVHN:7001
Update the boot.properties file for the Administration Server and the managed servers with the WebLogic admin user created in Oracle Internet Directory.
You must update boot.properties on each administration server node. Follow the steps in the following sections to update the file.
This section contains the following topics:
Update the Administration Servers on All Domains
On each of the servers in the topology, go the directory:
ASERVER_HOME/servers/serverName/security
For example:
cd IAD_ASERVER_HOME/servers/AdminServer/security
Rename the existing boot.properties file.
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=adminUser password=adminUserPassword
For example:
username=weblogic_idm password=Password for weblogic_idm user
Note:
When you start the Administration Server, the username and password entries in the file get encrypted. For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, start the server as soon as possible so that the entries get encrypted.Restart the WebLogic Administration server and all managed servers.
This section describes how to install and configure WebGate for Oracle HTTP Server.
Note:
The instructions for installing and configuring WebGate differ depending on the web server you are using. If your web requests are being processed by Oracle HTTP server, then follow the steps described in Section 22.4, "Installing and Configuring WebGate for Oracle HTTP Server".If your web requests are being processed via Oracle Traffic Directory, then follow the steps described in Section 22.5, "Installing and Configuring WebGate for Oracle Traffic Director 11g".
This section contains the following topics:
Section 22.4.1, "Installing Oracle WebGate on WEBHOST1 and WEBHOST2"
Section 22.4.2, "Deploying WebGate to WEBHOST1 and WEBHOST2"
Before starting the installer ensure that Java is installed on your machine.
Start the WebGate installer by issuing the command:
REPOS_HOME/installers/webgate/Disk1/runInstaller
You are asked to specify the location of the Java Development Kit for example:
REPOS_HOME/jdk
On the Welcome screen, click Next.
On the Install Software Updates Screen, choose whether to install software updates and if necessary, enter your myoraclesupport credentials and click Next.
On the Prerequisites screen, after all the checks have successfully completed, click Next.
On the Installation Location Screen, enter the following information:
Oracle Middleware Home: WEB_MW_HOME
Oracle Home Directory: webgate_ohs
WEB_MW_HOME/webgate_ohs is defined as WEBGATE_ORACLE_HOME
Click Next.
On the Installation Summary screen, click Install.
Click Next.
Click Finish.
To deploy WebGate to WEBHOST1 and WEBHOST2:
Execute the command deployWebGate which is located in:
WEBGATE_ORACLE_HOME/webgate/ohs/tools/deployWebGate
The command takes the following arguments:
Oracle HTTP Instance configuration Directory
WebGate Home Directory
For example:
./deployWebGateInstance.sh -w OHS_ORACLE_INSTANCE/config/OHS/ohs1 -oh WEBGATE_ORACLE_HOME
Set the library path and change directory.
Set the library path to include the WEB_ORACLE_HOME/lib directory, for example:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:WEB_ORACLE_HOME/lib
Change directory:
WEBGATE_ORACLE_HOME/webgate/ohs/tools/setup/InstallTools
Run the following command to copy the file apache_webgate.template from the WebGate home directory to the WebGate instance location (renamed to webgate.conf) and update the httpd.conf file to add one line to include the name of webgate.conf.
./EditHttpConf -w OHS_ORACLE_INSTANCE/config/OHS/ohs1 -oh WEBGATE_ORACLE_HOME
Copy the files ObAccessClient.xml and password.xml, which were generated when you created the agent from the directory IAD_ASERVER_HOME/output/Webgate_IDM_11g on OAMHOST1, to the directory OHS_ORACLE_INSTANCE/config/OHS/ohs1/webgate/config.
Copy the directory wallet, which was generated when you created the agent from the directory IAD_ASERVER_HOME/output/Webgate_IDM_11g on OAMHOST1, to the directory OHS_ORACLE_INSTANCE/config/OHS/ohs1/webgate/config.
Copy the files aaa_key.pem and aaa_cert.pem which were generated when you created the agent from the directory IAD_ASERVER_HOME/output/Webgate_IDM_11g to the WebGate instance directory OHS_ORACLE_INSTANCE/config/OHS/ohs1/webgate/config/simple.
Restart the Oracle HTTP Servers.
This section describes how to install and configure WebGate.
Note:
The instructions for installing and configuring WebGate differ depending on the web server you are using. If your web requests are being processed by Oracle HTTP server, then follow the steps described in Section 22.4, "Installing and Configuring WebGate for Oracle HTTP Server".If your web requests are being processed via Oracle Traffic Directory, then follow the steps described in Section 22.5, "Installing and Configuring WebGate for Oracle Traffic Director 11g".
This section contains the following topics:
Section 22.5.2, "Installing Oracle WebGate on WEBHOST1 and WEBHOST2"
Section 22.5.3, "Adding LD_LIBRARY_PATH to OTD Start Scripts"
Section 22.5.4, "Restarting the Oracle Traffic Director Instance"
Section 22.5.5, "Updating OTD Configuration Repository with WebGate Changes"
Install and configure the Oracle Traffic Director as described in Section 14.2, "Configuring Oracle Traffic Director," before installing the Oracle Web Gate:
Before starting the installer ensure that Java is installed on your machine. To install Oracle WebGate, complete the following steps on WEBHOST1 and WEBHOST2. The WebGate installer can be found in the directory REPOS_HOME/installers/webgate_otd.
Note:
If your web hosts are using shared storage for the OTD binaries, you must install WebGate on one of these hosts only.Start the WebGate installer by issuing the command:
./runInstaller
You are asked to specify the location of the Java Development Kit for example:
WEB_MW_HOME/jdk
On the Welcome screen, click Next.
On the Install Software Updates screen, choose whether to skip updates, check with Oracle Support for updates, or search for updates locally.
Click Next.
On the Specify Security Updates screen, specify these values:
Email Address: The email address for your My Oracle Support account.
Oracle Support Password: The password for your My Oracle Support account.
Select: I wish to receive security updates via My Oracle Support.
Click Next.
If the prerequisites fail because of missing 32-bit libraries, you can safely ignore this failure.
Click Next.
On the Installation Location Screen, enter the following information:
Oracle Middleware Home: WEB_MW_HOME
Oracle Home Directory: webgate_otd
Click Next.
On the installation summary screen, click Install.
Click Next.
Click Finish.
Execute the deployWebGateInstance.sh command from the following directory:
OTD_WEBGATE_ORACLE_HOME/webgate/iplanet/tools/deployWebGate
Make sure this tool has executable permission.
For example:
cd OTD_WEBGATE_ORACLE_HOME/webgate/iplanet/tools/deployWebGate ./deployWebGateInstance.sh -w LOCAL_CONFIG_DIR/instances/webgate_otd/webgate/ -oh OTD_WEBGATE_ORACLE_HOME -ws otd
Expected output:
Copying files from WebGate Oracle Home to WebGate Instancedir
Note:
The deployment and instance directory must be the same on every host.Set the environment variable LD_LIBRARY_PATH to OTD_WEBGATE_ORACLE_HOME/webgate/iplanet/lib using the following command:
export LD_LIBRARY_PATH=OTD_WEBGATE_ORACLE_HOME/webgate/iplanet/lib
Add the WebGate properties to each of the property files for your OTD virtual hosts. These are located in the directory LOCAL_CONFIG_DIR/net-login.example.com/config where login.example.com is the name of the OTD configuration you specified in Section 14.2.3, "Creating a Configuration".
The virtual host files names will depend on the values of your virtual hosts. In this book, the files are called:
login.example.com-obj.conf
prov.example.com-obj.conf
iadadmin.example.com-obj.conf
igdadmin.example.com-obj.conf
iadinternal.example.com-obj.conf
igdinternal.example.com-obj.com
To do this, perform the following steps for each of the files:
Change your present working directory to OTD_WEBGATE_ORACLE_HOME/webgate/iplanet/tools/setup/InstallTools.
Run the following command:
./EditObjConf -f config_file -oh OTD_WEBGATE_ORACLE_HOME -w instance_directory -ws otd
For example:
./EditObjConf -f OTD_ORACLE_INSTANCE/net-login.example.com/config/login.example.com-obj.conf -oh OTD_WEBGATE_ORACLE_HOME -w LOCAL_CONFIG_DIR/instances/webgate_otd -ws otd
Note:
It is optional to run this command for igdinternal and iadinternal. These URLs are accessible only inside the Exalogic rack. Therefore, it is unlikely that unauthenticated requests will be accessing them. Adding WebGate to these virtual hosts can slow internal callbacks. If not added, it is marginally less secure. So, if you insist on maximum security, add them as described earlier.If you installed OTD to run as root, then you will have to run these commands as root.
The following is a sample output:
OTD_ORACLE_INSTANCE/config/magnus.conf has been backed up as OTD_ORACLE_INSTANCE/config/magnus.conf.ORIG OTD_ORACLE_INSTANCE/config/instance_config_name-obj.conf has been backed up as OTD_ORACLE_INSTANCE/instance_config_name-obj.conf.ORIG
Edit the properties in the login.example.com-obj.conf and admin.example.com-obj.conf files using the EditObjConf tool located in the following directory:
OTD_WEBGATE_ORACLE_HOME/webgate/iplanet/tools/setup/InstallTools
For example, on WEBHOST1, run the following:
./EditObjConf -f OTD_ORACLE_INSTANCE/net-login.example.com/config/login.example.com-obj.conf -oh OTD_WEBGATE_ORACLE_HOME -w LOCAL_CONFIG_DIR/instances/webgate_otd -ws otd ./EditObjConf -f OTD_ORACLE_INSTANCE/net-login.example.com/config/prov.example.com-obj.conf -oh OTD_WEBGATE_ORACLE_HOME -w LOCAL_CONFIG_DIR/instances/webgate_otd -ws otd ./EditObjConf -f OTD_ORACLE_INSTANCE/net-login.example.com/config/iadadmin.example.com-obj.conf -oh OTD_WEBGATE_ORACLE_HOME -w LOCAL_CONFIG_DIR/instances/webgate_otd -ws otd ./EditObjConf -f OTD_ORACLE_INSTANCE/net-login.example.com/config/igdadmin.example.com-obj.conf -oh OTD_WEBGATE_ORACLE_HOME -w LOCAL_CONFIG_DIR/instances/webgate_otd -ws otd ./EditObjConf -f OTD_ORACLE_INSTANCE/net-login.example.com/config/igdinternal.example.com-obj.conf -oh OTD_WEBGATE_ORACLE_HOME -w LOCAL_CONFIG_DIR/instances/webgate_otd -ws otd ./EditObjConf -f OTD_ORACLE_INSTANCE/net-login.example.com/config/iadinternal.example.com-obj.conf -oh OTD_WEBGATE_ORACLE_HOME -w LOCAL_CONFIG_DIR/instances/webgate_otd -ws otd
Note:
If you installed OTD to run asroot, then you must run these commands as root.
It is optional to run this command for igdinternal and iadinternal. These URLs are accessible only inside the Exalogic rack. Therefore, it is unlikely that unauthenticated requests will be accessing them. Adding WebGate to these virtual hosts can slow internal callbacks. If not added, it is marginally less secure. So, if you insist on maximum security, add them as described earlier.
Expected output:
OTD_ORACLE_INSTANCE/config/magnus.conf has been backed up as OTD_ORACLE_INSTANCE/config/magnus.conf.ORIG OTD_ORACLE_INSTANCE/config/instance_config_name-obj.conf has been backed up as OTD_ORACLE_INSTANCE/instance_config_name-obj.conf.ORIG
Register WebGate to the Access Manager 11g Server by copying the WebGate artifacts Located in the following directory:
IAD_ASERVER_HOME/output/Webgate_IDM_11g
to the following directories.
Copy aaa_cert.pem and aaa_key.pem to:
LOCAL_CONFIG_DIR/instances/webgate_otd/webgate/config/simple
Copy cwallet.sso, ObAccessClient.xml, and password.xml to:
LOCAL_CONFIG_DIR/instances/webgate_otd/webgate/config
To copy the artifacts run the following commands:
cp IAD_ASERVER_HOME/output/Webgate_IDM_11g/aaa* to LOCAL_CONFIG_DIR/instances/webgate_otd/webgate/config/simple cp IAD_ASERVER_HOME/output/Webgate_IDM_11g/password.xml to LOCAL_CONFIG_DIR/instances/webgate_otd/webgate/config/ cp IAD_ASERVER_HOME/output/Webgate_IDM_11g/ObAccessClient.xml to LOCAL_CONFIG_DIR/instances/webgate_otd/webgate/config/ cp IAD_ASERVER_HOME/output/Webgate_IDM_11g/cwallet.sso to LOCAL_CONFIG_DIR/instances/webgate_otd/webgate/config/
Note:
If you have performed your installation using IDMLCM, you must copy the files from the deployed OHS instance. For example:LOCAL_CONFIG_DIR/instances/ohs1/config/OHS/ohs1/webgate/config
Repeat the steps 11 through 15 for each of the WEBHOSTs.
Note:
Configuring WebGate in this way directly modifies the Oracle Traffic Director configuration files. These changes are not reflected in the OTD configuration store. The next time you go into OTD and modify the configuration, OTD it will indicate that there is a discrepancy between that config store and the values on disk. It will ask you what you want to do. YOU MUST tell OTD to pull the configuration from the files rather than push the configuration back to the files. Selecting the wrong option will remove the WebGate configuration you just performed.To prevent you having to enter the LD_LIBRARY_PATH each time you start OTD, you can add it to the OTD start script.
To do this, proceed as follows:
Note:
If you installed OTD to run asroot, then you must perform these steps as root user.Edit the file startserv, which is located in the directory: WEB_ORACLE_INSTANCE/net-login.example.com/bin
Locate the line that looks like this:
# Set LD_LIBRARY_PATH for Solaris and Linux
LD_LIBRARY_PATH="${SERVER_LIB_PATH}:${LD_LIBRARY_PATH}"; export LD_LIBRARY_PATH
Add the following line afterwards:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:OTD_WEBGATE_ORACLE_HOME/webgate/iplanet/lib; export LD_LIBRARY_PATH
Save the file.
Use the startserv command to start or stopserv command to stop your Oracle Traffic Director instance.
If you did not install Oracle Traffic Director as root. Stop the failover groups using the following command as root:
OTD_ORACLE_HOME/bin/tadm stop-failover --instance-home=OTD_ORACLE_INSTANCE/ --config=login.example.com
To stop the server, run the following command:
OTD_ORACLE_INSTANCE/net-login.example.com/bin/stopserv
To start the server, run the following command:
OTD_ORACLE_INSTANCE/net-login.example.com/bin/startserv
If you did not install Oracle Traffic Director as root. Start the failover groups using the following command as root:
OTD_ORACLE_HOME/bin/tadm start-failover --instance-home=OTD_ORACLE_INSTANCE/ --config=login.example.com
To restart the Oracle Traffic Director instance, stop all running instances, and then run the start command.
The commands in previous sections manually update the Oracle Traffic Director configuration files. After the files are updated, the OTD configuration is inconsistent with the information in the files. Subsequent deployments would therefore erase the new configuration. Therefore, you must update the OTD configuration with the manual changes made in the previous sections.
To update the OTD configuration:
Log in to the OTD Administration Console using the following URL:
https://OTDADMINVHN:OTD_ADMIN_PORT
Click the Deploy button at the top of the screen.
A message box appears stating that the administration server has detected configuration modifications on some instances.
Select the option Pull and deploy configuration and click OK.
To validate that WebGate is functioning correctly, open a web browser and go the Access Management Console URL listed in Section 31.1, "Starting and Stopping Enterprise Deployment Components."
You now see the Oracle Access Management Login page displayed. Enter your Access Manager administrator user name (for example, oamadmin) and password and click Login. Then you see theOracle Access Management console displayed.
To validate the single sign-on setup, open a web browser and go the WebLogic Administration Console and to Oracle Enterprise Manager Fusion Middleware Control at the URLs listed in Section 31.2, "About Identity and Access Management Console URLs."
The Oracle Access Management Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.