62.4 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x

You can configure Access Manager and SAP NetWeaver Enterprise Portal 7.0.x to work together.

This section contains the following tasks:

62.4.1 Before You Begin Configuring OAM and NetWeaver Enterprise Portal 7.0.x

  • Install SAP NetWeaver Enterprise Portal before completing the steps in this section.

  • Install the Apache HTTP Server by following the installation steps provided by apache.org.

  • Install and configure a WebGate on each Apache HTTP Server instance that supports the proxy connection to the SAP Enterprise Portal instance. See Installing Webgates for Oracle Access Manager for details.

  • Install Access Manager before completing the steps in Configuring Access Manager for SAP Enterprise Portal. See the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management for details.

  • Synchronize the time on all servers where SAP NetWeaver Enterprise Portal and Access Manager components are installed.

  • Ensure that the users exist in the Access Manager LDAP directory as well as on the SAP R3 system database.

    The user ID in Access Manager and the SAP database must be the same or be mapped to each other. Any attribute in a user's profile can be configured as the SAP ID and passed directly to SAP. Alternatively, SAP can be configured to map the SAP ID to any user attribute that it receives from Access Manager.

  • Verify that the Web browser is configured to allow cookies.

Note:

Oracle suggests reviewing the following topics prior to integrating Access Manager with SAP NetWeaver Enterprise Portal.

62.4.2 Configuring the Apache HTTP Server as a Proxy

You can configure a proxy (Apache HTTP Server 2.0.x) to access SAP NetWeaver Enterprise Portal.

To configure Apache HTTP Server 2.0.x

  1. Set up the Apache HTTP Server proxy in non-SSL mode or SSL mode, as described in the Apache documentation.

    If HTTPS communication is used with the SAP NetWeaver Enterprise Portal, use SSL mode.

  2. To enable the proxy to access the SAP NetWeaver Enterprise Portal, enter the following in the httpd.conf configuration file:

    For SAP NetWeaver Enterprise Portal 6:

    ProxyRequests Off
    ProxyPass /irj http://sap_host:port/irj
    ProxyPassReverse /irj http://sap_host:port/irj
    ProxyPreserveHost On

    For SAP NetWeaver Enterprise Portal 7:

    ProxyRequests Off
    ProxyPass /webdynpro http://sap_host:port/irj
    ProxyPassReverse /webdynpro http://sap_host:port/irj
    ProxyPreserveHost On

    Where sap_host is the name of the machine hosting the SAP NetWeaver Enterprise Portal instance and port is the listen port for the SAP NetWeaver Enterprise Portal instance. This set of directives specifies that every request to this Web server of the form http://apache_host:port/irj or https://apache_host:port/irj is forwarded (proxied) to http://sap_host:port/irj or https://sap_host:port/irj.

  3. Restart the proxy Web server.
  4. Access the following URL:

    Non-SSL: http://apachehost:port/irj

    SSL: https://apachehost:port/irj

    This request should be redirected to the SAP NetWeaver Enterprise Portal login.

  5. Log in using the SAP NetWeaver Enterprise Portal administrator login ID.

    The administrator should be able to perform the available administrative functions.

  6. Log in as a non-administrative user.

    This user should be able to perform non-administrative functions.

62.4.3 Configuring SAP NetWeaver Enterprise Portal for External Authentication

You can enable external authentication in SAP Enterprise Portal using the OB_USER header variable.

For more information about configuring authentication schemes for SAP Enterprise Portal, see the SAP documentation.

To configure the header variable

  1. Stop the SAP J2EE dispatcher and server.

  2. Browse to the following directory:

    SAP_J2EE_engine_install_dir\ume

  3. Back up the file authschemes.xml.bak to another directory.

  4. Rename authschemes.xml.bak to authschemes.xml.

  5. Open authschemes.xml in an editor and change the reference of the default authentication scheme to the authentication scheme header as follows:

    <authscheme-refs>
         <authscheme-ref name="default">
              <authscheme>header</authscheme>
              <authscheme>uidpwdlogon</authscheme>
         </authscheme-ref>
    </authscheme-refs>

  6. In the authentication scheme header of authschemes.xml, specify the name of the HTTP header variable where the Access System provides the user ID.

    As described in "Configuring Access Manager for SAP Enterprise Portal", this is the OB_USER header variable. You configure this header variable as follows:

    <authscheme name="header">
         <loginmodule>
              <loginModuleName>
                   com.sap.security.core.logon.imp.HeaderVariableLoginModule
              </loginModuleName>
              <controlFlag>REQUISITE</controlFlag>
              <options>Header=OB_USER</options>
         </loginmodule>
         <priority>5</priority>
         <frontEndType>2</frontEndType>
         <frontEndTarget>com.sap.portal.runtime.logon.header</frontEndTarget>
    </authscheme>

    The control flag value REQUISITE means the login module must succeed. If login succeeds, authentication continues through the list of login modules. If it fails, control immediately returns to the application and authentication does not continue through the list of login modules.

  7. Restart the portal server and J2EE engine.

    The modified authschemes.xml file will be loaded into the Portal Content Directory (PCD). SAP Enterprise Portal will rename it as authschemes.xml.bak.

To Configure Logout

  1. To enable logout from a single sign-on session in both SAP Enterprise Portal and Access Manager, configure a logout URL in SAP Enterprise Portal from the administration interface.

    The URL for the administration interface is as follows:

    http://SAP_host:port/irj/

    Where SAP_host is the name of the machine hosting the SAP Enterprise Portal and port is the listen port for the portal.

  2. From the administration interface, click System Administration, then System Configuration, then UM Configuration, then Direct Editing.
  3. Add the following lines to the end of the configuration file:
    ume.logoff.redirect.url=http(s)://proxy_host:port/logout.html
    ume.logoff.redirect.silent=false

    Where http(s) is either http or https, proxy_host is the name of the proxy Web server, and port is the listen port for the proxy.

  4. Save the changes and log out.

62.4.4 Adjusting the Login Module Stacks for using Header Variables

Add the HeaderVariableLoginModule to the appropriate login module stack or template and configure the options.

Table 62-1 Login Module Stacks for using Header Variables

  Login Modules                Flag         Options
  EvaluateTicketLoginModule    SUFFICIENT   {ume.configuration.active=true}
  HeaderVariableLoginModule    OPTIONAL     {ume.configuration.active=true, Header=<header_name>}
  CreateTicketLoginModule      SUFFICIENT   {ume.configuration.active=true}
  BasicPasswordLoginModule     REQUISITE    {}
  CreateTicketLoginModule      OPTIONAL     {ume.configuration.active=true}

To adjust the Login Module Stacks for using Header Variables

  1. Run the Visual Administrator tool, in the following location:

    SAPJ2EEEngine_install_dir\j2ee\admin\go.bat

  2. In the Visual Administrator, choose Security Provider.
  3. Switch to edit mode by choosing the pencil icon.
  4. Choose Policy Configurations, then Authentication.
  5. For each template or application that is to support header variable authentication, add the login module HeaderVariableLoginModule to the login module stack (see Table 62-1).
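
The control flag rules described under step 6 of the header variable procedure and the stack in Table 62-1, as an added simulation that is not SAP's or Oracle's code: it applies the JAAS semantics of REQUISITE, SUFFICIENT and OPTIONAL to the listed modules using simplified stand-in module behaviour, takes OB_USER as the <header_name>, and runs constructed login contexts (logon ticket, WebGate header, password) through both the Table 62-1 stack and the single-module "header" authscheme.

```python
# Constructed simulation of JAAS control-flag evaluation over the Table 62-1 stack.
# The module behaviours below are simplified stand-ins for the SAP modules, not SAP code.

# (module, control flag, options) as listed in Table 62-1, with OB_USER as <header_name>
TABLE_62_1_STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT", {"ume.configuration.active": "true"}),
    ("HeaderVariableLoginModule", "OPTIONAL", {"ume.configuration.active": "true", "Header": "OB_USER"}),
    ("CreateTicketLoginModule", "SUFFICIENT", {"ume.configuration.active": "true"}),
    ("BasicPasswordLoginModule", "REQUISITE", {}),
    ("CreateTicketLoginModule", "OPTIONAL", {"ume.configuration.active": "true"}),
]
# The "header" authscheme from authschemes.xml: a single REQUISITE module
HEADER_AUTHSCHEME_STACK = [("HeaderVariableLoginModule", "REQUISITE", {"Header": "OB_USER"})]


def run_module(module, options, ctx):
    """Stand-in module logic; on success the identified user is stored in ctx['user']."""
    if module == "EvaluateTicketLoginModule":        # valid SAP logon ticket present?
        user = ctx.get("ticket_user")
    elif module == "HeaderVariableLoginModule":      # user ID supplied in the WebGate header
        user = ctx.get("headers", {}).get(options["Header"])
    elif module == "CreateTicketLoginModule":        # can only issue a ticket for a known user
        ctx["ticket_issued"] = bool(ctx.get("user"))
        return ctx["ticket_issued"]
    elif module == "BasicPasswordLoginModule":       # user ID and password check
        user = ctx.get("login_user") if ctx.get("password_ok") else None
    else:
        raise ValueError(f"unknown module {module}")
    if user:
        ctx["user"] = user
    return bool(user)


def evaluate_stack(stack, ctx):
    """Apply the JAAS control-flag rules to the stack; returns (authenticated, ctx)."""
    strict_failed = False   # a REQUIRED or REQUISITE module has failed
    lenient_ok = False      # a SUFFICIENT or OPTIONAL module has succeeded
    for module, flag, options in stack:
        ok = run_module(module, options, ctx)
        if flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                strict_failed = True
                if flag == "REQUISITE":          # control returns to the application at once
                    return False, ctx
        elif ok:
            lenient_ok = True
            if flag == "SUFFICIENT" and not strict_failed:   # done; later modules are skipped
                return True, ctx
    if any(flag in ("REQUIRED", "REQUISITE") for _, flag, _ in stack):
        return not strict_failed, ctx
    return lenient_ok, ctx   # no strict modules: one lenient success is enough
```

Running the header case shows the practical consequence of this stack: once the WebGate header identifies the user, the SUFFICIENT CreateTicketLoginModule ends evaluation and BasicPasswordLoginModule is never consulted, which is why the header must only ever be set by the WebGate-protected proxy.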

62.4.5 Configuring Access Manager for SAP Enterprise Portal

You can configure the security policy in Access Manager to protect log-ins to SAP NetWeaver Enterprise Portal.

To configure Access Manager for SAP NetWeaver Enterprise Portal

  1. In the Oracle Access Management Console, click Application Security at the top of the window.
  2. In the Launch Pad tab, select Create Application Domain from the Create (+) drop-down menu in the Access Manager section.

    The Create OAM 11g Webgate page opens.

  3. Complete the form to create a WebGate for this integration. For example:

    Name: SAP_AG

    Version: 11g

    Host Identifier: Apache proxy host

    Auto Create Policies: Enabled (checked)

    Public Resource List: Add any public Resources to this list.

    Apply: Click to create the WebGate.

  4. Click the Authorization Policies tab, then click the Create Authorization Policy button to open a fresh page (Managing Policies to Protect Resources and Enable SSO).
  5. Summary Tab: Add your information to the Summary tab.
  6. Click the Resources tab, click Add (+), and define the resources for the policies in this application domain as follows:

    Name: SAP EP Security Policy

    Type: http

    Host identifiers: Enter the proxy host URL prefix: /irj.

    Description: SAP EP Login URL

  7. Add Resources: The Resource must be defined in the Application Domain before you can add the resource to a specific policy.
    • Click the Resources tab on the Authorization Policy page.

    • Click the Add button on the Resources tab.

    • Click the Search button.

    • Click a URL in the Results table, then click Add Selected.

    • Repeat these steps to add more resources.

  8. Click Apply to save changes and close the Confirmation window.
  9. Responses: Add policy Responses, as described in "Adding and Managing Policy Responses for SSO".
  10. Conditions: Add authorization conditions, as described in "Defining Authorization Policy Conditions".
  11. Rules: Add authorization rules, as described in "Defining Authorization Policy Rules".
  12. Close the page when you finish.