Agile Product Lifecycle Management Administrator Guide
Release 9.3.6
E71145-01

A Configuring Single Sign-On

Agile PLM can integrate aspects of your PLM system with Single Sign-On (SSO) capability.

A.1 Overview of Single Sign-On in PLM

With SSO configured and enabled for your PLM system, a user that has signed in to the system once (for instance, through the corporate portal) is not prompted again by a "login" dialog in such cases as:

  • Launching Web Client

  • Clicking on a URL for an email notification

  • When a customer's supplier launches the Microsoft Excel-based Solution from a Declaration

  • When Web Client times out.


Note:

SSO is a Web-based solution that can be enabled only for Agile Web Client. SSO cannot be configured or applied from Java Client, Administrator module in Java Client, or the Agile SDK.

Single Sign-on integrates with the centralized security management, other business and training applications, and improves user productivity in Agile Web Client environment.

The sections below give a general overview to Single Sign-On in Agile PLM, followed by steps to configure and deploy SSO with Windows NTLM.

Figure A-1 Overview of Single Sign-On in PLM


A.2 Configuring and Deploying SSO with Windows NTLM

The following sections outline the steps to configure and deploy NTLM for Single sign-on capability.

A.2.1 SSO NTLM Authentication

Figure A-2 SSO NTLM Authentication


A.2.2 Configure SSO for Windows NTLM

Microsoft Windows NTLM has been certified for Agile PLM. Discuss your company's needs with your Oracle Consulting - Agile Practice representative.

A.2.2.1 Configure IIS Proxy with WLS

These are the steps to configure Windows NTLM for Single sign-on with Internet Information Services (IIS) as proxy server for WLS.


Note:

The prerequisite for this configuration is that the Windows server on which IIS is running has been joined to a Windows domain. "Microsoft Active Directory" is the name of the Windows Domain controller since Windows 2000.

A.2.2.1.1 Install and enable Windows Authentication in IIS:

Install and enable Windows Authentication in IIS for site to use Windows NT LAN Manager for authentication:

  1. Navigate to Administrative Tools > Service Manager.

  2. Navigate to Roles > Web Server

  3. Right-click Add Role and Install Windows Authentication.

  4. Navigate to IIS.

  5. Click Default Site.

  6. Double-click Authentication.

  7. Enable Windows Authentication.

  8. Disable Anonymous Authentication.

  9. In Site Authentication page, select Windows authentication.

  10. Click Providers.

  11. Move the NTLM provider to the first position.

  12. Open IIS Manager, use Default Web Site.

  13. Click the site.

  14. Double-click Request Filtering in right pane.

  15. Click Edit Feature Settings in the Actions pane.

  16. In Edit Request Filtering Settings Dialog, change Maximum query string (Bytes) to 4096 and then click OK.

  17. Restart IIS.


Note:

Agile 936 PLM with WLS 12.2.1.1 must be installed and IIS7.5/IIS8/IIS8.5 Proxy configuration must be completed before proceeding to further steps.

A.2.2.1.2 IIS8.5 Proxy Configuration with Agile PLM:
  1. Install and configure the WebLogic plug-in patch.

    1. Download the WLS12.2.1.1 Proxy Plugin WLSPlugin12.2.1.1-IIS-Win64.zip from the location

      http://www.oracle.com/technetwork/middleware/webtier/downloads/index.html

    2. Extract the plug-in zip to location

      C:\myhome\weblogic-plugins-1.1

    3. Create iisproxy.ini file in %PLUGIN_HOME%\lib\ with the settings below:

      WebLogicHost=wls-host

      WebLogicPort=wls-port

      Debug=ALL

      WLLogFile=C:\Temp\wl-proxy.log

    4. Ensure that the %PLUGIN_HOME%\lib is included in the system PATH:

      Control-Panel > System > System Properties > Environment Variables > System Properties > PATH

    5. Open IIS Manager; use Default Web Site or create a Web Site.

    6. Click the site.

    7. Open Handler Mappings and add a script map:

      Set the Extension to a value like '*'

      Set Executable to %PLUGIN_HOME%\lib\iisproxy.dll, and give a Name.

    8. Start IIS.

A.2.2.1.3 IIS8 Proxy Configuration with Agile:
  1. Download IIS ARR v3.0 from the URL below

    http://www.iis.net/downloads/microsoft/application-request-routing

    After installing successfully, go to IIS Home. Note that there is a new feature under the IIS section: Application Request Routing Cache. There is also a new node on the left panel.

  2. Right-click Server Farms and choose Create Server Farm.

    1. Add a server farm.

    2. Enter a name.

    3. Select the option: Online.

    4. Click the Next button.

  3. Add the Agile server addresses that require a proxy.

    1. Select the option: Online.

    2. Click Advanced Settings.

    3. Change the http port to an Agile port.

    4. After adding all the Agile servers, then click the Finish button.

    5. Click Yes in the Rewrite Rules popup.

  4. Click the Server Farm you created in steps 2 and 3 above.

    1. Double-click Caching on the right panel.

    2. Deselect the option: Enable disk cache.

    3. Click Apply.

  5. Click the Server Farm again.

    1. Double-click Health Test.

    2. Enter the URL.

    3. Click the Verify URL Test button.

    4. If the test result is pass, then click Apply.

  6. Click the Server Farm again.

    1. Double-click Routing Rules.

    2. Select the option: Use URL Rewrite to inspect incoming requests.

    3. Deselect the option: Enable SSL offloading.

    4. Click Apply.

  7. Go to <Agile_Home>/agileDomain/config and open the agile.properties file for editing.

    Change the configuration for network.resolvehost to false.

  8. Start Agile PLM.

    IIS8 can act as a proxy for Agile PLM successfully.

A.2.2.2 Configure PLM for NTLM with WLS

A. To configure your PLM system for SSO with NTLM, perform these operations.


Important:

Stop the Agile Server. For information on how to stop the Agile PLM server, see the Agile PLM Database Install Guide.

  1. In the WLS console, go to Summary of Security Realms > AgileRealm > Providers.

  2. Click New and add "AgileIdentityAsserter" as the AgileRealm Authentication Provider.

  3. Open the added AgileIdentityAsserter, select the Active type as Authorization (the AGILESSO is already a default value there). Both should be selected.

  4. Click Save, then click Activate the Changes, and then logout from the console.

  5. Stop the Application server.

B. Edit this file:

agile_home/agileDomain/applications/application.ear/application.war/WEB-INF/web.xml.

WLS12.2.1.1 supports multiple authentication methods. Add the following elements:

<login-config>

<auth-method>client-cert, form</auth-method>

<realm-name>AgileRealm</realm-name>

<form-login-config>

<form-login-page>/default/login-cms.jsp</form-login-page>

<form-error-page>/default/loginError.jsp</form-error-page>

</form-login-config>

</login-config>

C. Perform the following setting modifications for the action "CLICK ON LOGIN UPON LOGOUT SHOULD LOGIN AUTOMATICALLY IN SSO ENABLE SYSTEM".

Edit this file:

agile_home/agileDomain/config/agile.properties

  • Set the agile.sso.enabled value in agile.properties to the following:

    agile.sso.enabled= true

  • Set the agile.sso.cookie.name in agile.properties to the following:

    agile.sso.cookie.name=AGILESSO


Note:

Manually add agile.sso.enabled property in the agile.properties file located in agile_home/agileDomain/config and set the value to true.

D. Restart the Agile server.

E. Ensure that NT user name and password exist in DB:

Ensure that the NT user name and password exist in the DB to which the application is connected (by migrating from the Microsoft Active Directory Domain LDAP Server). Refer to "LDAP" for information about configuring the LDAP server, migrating users, and activation.

F. Set Web Server Proxy URL in Agile PLM Administrator:

  1. Log in to Java Client as administrator.

  2. Navigate to the Location node.

  3. Enter the Web Server Proxy URL.

  4. Restart the File Manager.

G. Attempt to access the Proxy URL in your Windows computer:

  • In the IE browser, it should automatically log in to Agile PLM.

  • In Firefox browser, it will ask for your network credentials only for the first time access.

A.2.3 RMW SSO Configuration

If the Recipe & Material Workspace application is configured with the Agile 9.3.x SSO environment, the system administrator needs to update the Agile Proxy (SSO) URL in the CFMConfig.xml of "<AgileHome>\AgilePharma\config".

The entry must be changed to read:

<AgileSSOProxyUrl> </AgileSSOProxyUrl>

For more information about the system configuration of Agile Recipe & Material Workspace, see the Agile PLM Recipe & Material Workspace Administrator Guide.

A.3 Deploy NTLM

The following are possible SSO deployment scenarios with NTLM, one for secure proxy and one for transparent or no proxy.

A.3.1 With Secure Proxy

With this deployment, authentication takes place on the proxy server, so it is recommended for those companies that use a proxy server.

Request flow with this deployment:

  1. User launches browser to access Agile PLM (for example, http://agileplm.xyz.com/Agile/PLMServlet).

  2. The NTLM-enabled IIS server challenges the browser for credentials.

  3. After a successful NTLM handshake, the request reaches Agile Application Server (AAS) agent with user information.

NTLM is a connection-based authentication protocol. For each new socket connection between client and server (or proxy), it has to exchange credentials by sending and responding to HTTP requests and responses.

  4. The AAS agent passes the user information to the application server security framework.

  5. The user will be allowed to access Agile applications.

This authentication happens whenever the client sends an HTTP POST request; therefore, authentication can re-occur even during an established user session.

A.3.2 With Transparent Proxy or No Proxy

Request flow with this deployment:

  1. User launches browser to access Agile (for example, http://agileplm.xyz.com/Agile/PLMServlet).

  2. The Agile Application Server (AAS) agent installed on server challenges the browser for credentials.

  3. After a successful NTLM handshake, the AAS agent passes the user information to the application server security framework.

  4. The user will be allowed to access Agile applications.
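
The per-connection handshake in A.3.1 and A.3.2 travels in the WWW-Authenticate and Authorization headers, so it can be followed in an HTTP trace when SSO fails. The following is an added example, not part of the Oracle guide: it decodes those header values using the message layout from Microsoft's MS-NLMP specification. The domain CORP, user jdoe and workstation WS01 are constructed sample values.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
STEP = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
UNICODE_FLAG = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE
HANDSHAKE = [("client", "NEGOTIATE"), ("server", "CHALLENGE"), ("client", "AUTHENTICATE")]


def _payload(msg, pos, flags):
    """Follow a (length, max length, offset) descriptor at pos and decode the text."""
    length, _max, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    # The OEM code page is approximated as latin-1 when Unicode was not negotiated.
    encoding = "utf-16-le" if flags & UNICODE_FLAG else "latin-1"
    return msg[offset:offset + length].decode(encoding)


def decode_ntlm_header(value):
    """Decode one WWW-Authenticate / Authorization header value.

    Returns the handshake step and the names it carries, never the response blobs.
    """
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    if not token:
        return {"step": "OFFER"}  # bare "NTLM": the server's first 401 response
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    info = {"step": STEP.get(mtype, "UNKNOWN(%d)" % mtype)}
    if mtype == 2 and len(msg) >= 32:
        (flags,) = struct.unpack_from("<I", msg, 20)
        info["target"] = _payload(msg, 12, flags)
    elif mtype == 3 and len(msg) >= 64:
        (flags,) = struct.unpack_from("<I", msg, 60)
        info["domain"] = _payload(msg, 28, flags)
        info["user"] = _payload(msg, 36, flags)
        info["workstation"] = _payload(msg, 44, flags)
    return info


def trace_handshake(exchange):
    """exchange: list of (sender, header value) seen on ONE socket connection."""
    steps, user = [], None
    for sender, value in exchange:
        info = decode_ntlm_header(value)
        steps.append((sender, info["step"]))
        if info["step"] == "AUTHENTICATE" and "user" in info:
            user = "%s\\%s" % (info["domain"], info["user"])
    return {"steps": steps, "complete": steps[-3:] == HANDSHAKE, "user": user}


def _desc(data, offset):
    return struct.pack("<HHI", len(data), len(data), offset)


def build_constructed_handshake():
    """Constructed messages for the demo (empty responses, zero challenge); not captured traffic."""
    dom, user, ws = (s.encode("utf-16-le") for s in ("CORP", "jdoe", "WS01"))
    t1 = SIGNATURE + struct.pack("<II", 1, UNICODE_FLAG) + _desc(b"", 0) * 2
    t2 = (SIGNATURE + struct.pack("<I", 2) + _desc(dom, 48)
          + struct.pack("<I", UNICODE_FLAG) + bytes(16) + _desc(b"", 0) + dom)
    t3 = (SIGNATURE + struct.pack("<I", 3) + _desc(b"", 64) * 2
          + _desc(dom, 64) + _desc(user, 72) + _desc(ws, 80) + _desc(b"", 64)
          + struct.pack("<I", UNICODE_FLAG) + dom + user + ws)

    def hdr(m):
        return "NTLM " + base64.b64encode(m).decode("ascii")

    return [("server", "NTLM"), ("client", hdr(t1)), ("server", hdr(t2)), ("client", hdr(t3))]


if __name__ == "__main__":
    result = trace_handshake(build_constructed_handshake())
    for sender, step in result["steps"]:
        print("%-6s %s" % (sender, step))
    print("complete:", result["complete"], "user:", result["user"])
```

A trace that stops after CHALLENGE, or that shows the three messages spread over different connections, means the handshake did not complete on that socket.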

A.4 The Oracle Access Manager

Oracle Access Manager (OAM) ensures authentication and strict authorization policies are applied to your applications and services such as:

  • Controlled access to web applications, Enterprise Java Beans (EJB) applications, J2EE resources, and common packaged enterprise applications.

  • Web SSO for secure access to multiple applications with one authentication step.

  • Flexible authentication support.

Agile PLM 9.3.6 is certified with OAM (11gR2) suite of products.

A.5 OAM 11gR2 Configuration with Agile PLM 9.3.6

This section covers Oracle Access Manager (OAM) 11gR2 configuration with Agile PLM.

A.5.1 OAM11gR2 Configuration with Agile PLM 9.3.6 Using IIS 8.5 Web Server

Perform the prerequisite steps, and then perform the configuration steps as explained in the following sections.

A.5.1.1 IIS 8.5 Web Server Configuration Prerequisites

Ensure the following components have been downloaded and installed.

  1. Installed/configured and tested IIS 8.5 webserver with Agile 9.3.6 (Agile should be installed on WLS12.2.1.1). You can refer to the Knowledge Base for details.

  2. Download OAM WebGate 10g and 10gPatch 13 for IIS from the site:

    http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html

    1. Get oam_int_win_v12_cd1.zip from disk11 for Windows.

    2. Extract and start installation using Oracle_Access_Manager10_1_4_3_0_CR2_Win64_ISAPI_WebGate.exe

  3. Now install OAM WebGate 10g on the same system where IIS 8.5 webserver has been installed.

  4. Download Webgate10g patch13 (p18708753_10143_MSWIN-x86-64.zip from Disk11) from OTN for Microsoft Windows and install.

  5. Ensure that IIS8.5 is installed with all Role Services. If not, you can add those from Server Manager. Navigate to Web Server, right-click, and select Add Role Services. Add all role services. You can refer to the Knowledge Base for details.

The following sections/main steps explain the configuration of the OAM11gR2 Server with the Agile PLM 935 application:

A.5.1.2 OAM WebGate Registration in OAMServer (IIS 8.5)

To perform OAM WebGate Agent registration in OAMServer:

  1. Create a WebGate entry on OAM console through UI mode Steps:

    1. Click New OAM WebGate 10g in welcome page.

    2. Enter the Name. The host identifier will populate automatically.

    3. Click Apply.

      Figure A-3 OAM WebGate Agent Registration


A.5.1.3 IIS 8.5 Webserver Configuration with WebGate

The following steps must be performed after the installation of OAM10g WebGate for IIS 8.5 Webserver:

  1. Navigate to the Site > ISAPI Filters tab and add a filter named OracleWebGate that points to webgate.dll.

  2. Navigate to Site.

    1. Right-click Add Application.

    2. Give alias name as access and point physical path to Web Gate\access folder.

  3. Navigate to Host Level.

    1. Click ISAPI and CGI Restrictions.

    2. Click Add.

    3. Add the path to webgate.dll and type description as OracleWebGate.

    4. Select check box Allow extension path to execute.

    5. Click OK.

  4. Navigate to Web Gate/access.

    1. Right click Properties.

    2. Navigate to Security.

    3. Assign Full Control to Everyone.

  5. Restart IIS.

A.5.1.4 WebLogic Proxy Configuration for IIS 8.5 Webserver

To configure WebLogic proxy for IIS 8.5 Webserver:

  1. Ensure that you have installed and configured the WebLogic proxy plug-in patch for IIS 8.5 Webserver.

    Download the WLS12.2.1.1 Proxy Plugin WLSPlugin12.2.1.1-IIS-Win64.zip from the location:

    http://www.oracle.com/technetwork/middleware/webtier/downloads/index.html

  2. Extract the plug-in zip to location C:\myhome\weblogic-plugins-1.1.


    Note:

    This will be referred to as the variable PLUGIN_HOME going forward.

  3. Create iisproxy.ini file in %PLUGIN_HOME%\lib\ with below details:

    WebLogicHost=wls-host

    WebLogicPort=wls-port

    Debug=ALL

    WLLogFile=C:\Temp\wl-proxy.log

    WLExcludePathOrMimeType=/obrar.cgi

  4. Ensure that the %PLUGIN_HOME%\lib is included in the system PATH

    (Control-Panel > System > System Properties > Environment Variables > System Properties > PATH)

  5. Open IIS Manager, use 'Default Web Site' or create a 'Web Site' based on your needs.

    1. Click the site.

    2. Open 'Handler Mappings' and add a script map

    • Set the 'Extension' to a value like '/Agile/*'

    • Set 'Executable' to %PLUGIN_HOME%\lib\iisproxy.dll

    • Give a 'Name'

    • Create the Script Map:

      In the handler mapping, Open Above Added script map.

      Click Request Restrictions, Mapping tab.

      Uncheck "Invoke handler only if the request is mapped to"

      Click OK.

      Click Yes in Edit Script Map prompt.

  6. Create new directory oamsso under

    <IIS inetpub>\wwwroot\

    and copy file logout.html to oamsso folder from OAM server

    <Middleware Home>\user projects\domains\oam_domain\output\<935IIS Agent>

  7. Navigate to Host Level and click on ISAPI and CGI Restrictions and click on Add, add the path to iisproxy.dll and select allow extension path to execute.

  8. Open IIS Manager, use either 'Default Web Site' or create a 'Web Site'.

    1. Click on the site.

    2. Double-click on Request Filtering in right pane.

    3. Click Edit Feature Settings in Actions pane.

    4. In Edit Request Filtering Settings Dialog, change Maximum query string (Bytes) to:

      4096

    5. Click OK.


      Note:

      If you need to add any protect and unprotect resources to work with specific functionality, then add those resource URLs as handler mappings by following the same process above.

  9. Restart IIS.

A.5.1.5 OAM Webgate Configuration for IIS 8.5 Webserver

To configure OAM WebGate:

  1. Add the authorization policy as below:

    1. Navigate to OAM Console > Policy Configuration > Applications domain > Agent (Name of the Agent in this case) > Authorization Policies.

    2. Open Protected Resources Policy.

    3. Navigate to Response tab.

    4. Add Response as below:

      Name= remote-user

      Type=Header

      Value=$user.attr.dn

    5. Click Apply.

  2. Configure Resources for Web gate:

    1. Add these resources with webroot context (in this case Agile):

      Add resource URLs

      /Agile

      /Agile/…/*

      with Authentication and Authorization policy as Protected Resource Policy.

      Figure A-4 Add resource URLs

    2. Exclude the Resources for Gantt Chart.

      You must exclude the below static resources to work on Gantt chart with WebGate. Also use the webroot context while creating Resources to exclude.

      Navigate to OAM Console > Policy Configuration > Applications domain > Open WebGate10g Agents.

      Click Resources.

      In the Resources window, click Search.

      Add the following Resource Types by using the Create button. In the Create New page:

      Select Type as HTTP.

      Select the Host Identifier of the Web Gate Agent.

      Type the Resource URL with webroot context.

      Select Protection level as Excluded.

      Add the resources as shown in the following figure.

      Figure A-5 Add resources for Gantt chart


A.5.1.6 Agile PLM Configuration for IIS 8.5 Webserver

  1. Navigate to the WebLogic console where the Agile application is installed and create AgileIdentityAsserter.

    1. In WLS Console:

      Click Lock and Edit.

      Move to Summary of Security Realms >AgileRealm >Providers.

      Click New.

      Create AgileIdentityAsserter Authentication with "AgileIdentityAssertion" Provider.

    2. Open the added AgileIdentityAsserter.

    3. Select the Active type as remote-user and Save.

    4. Click Activate Changes.

    5. Logout from the console.

  2. Open the agile.properties file, and add the below settings:

    oam.header.name=remote-user

    oam.sso.logout.url=/oamsso/logout.html?end_url=/Agile/PLMServlet


    Note:

    Where /Agile is the web-root context for the installed application.

  3. Open the web.xml (\application.ear\application.war\WEB-INF\web.xml) and change auth-method as below:

    <auth-method>client-cert, form</auth-method>

  4. Restart the WebLogic Application Server where the Agile Application is installed.

  5. Configure LDAP Server (which is used as identity store in OAM) with Agile, Migrate LDAP Users into Agile Application and Activate LDAP users.

  6. Login to Agile Java Client.

    Navigate to the Location node.

    Enter the Web Server Proxy URL.

    Restart the File Manager.

A.5.1.7 Testing (IIS 8.5)

  1. Attempt to login to Agile Proxy URL with the IIS 8.5 webserver port number as configured.

    You should see the OAM Credentials page.

  2. Enter the appropriate OAM (Configured LDAP Identity store user) username and password and the Agile application home page should be presented.

A.5.2 OAM11gR2 Configuration with Agile PLM 9.3.6 Using OHS1213 Web Server

Perform the prerequisite steps, and then perform the configuration steps as explained in the following sections.

A.5.2.1 OHS1213 Web Server Configuration Prerequisites

Ensure the following components have been downloaded and installed.

  1. Download OHS 12.1.3 from the URL below:

    http://www.oracle.com/technetwork/middleware/webtier/downloads/index-jsp-156711.html

  2. Extract the zip file and then run the .exe file.

  3. Installation steps:

    1. Find the Oracle Home, which is different than the Weblogic Home.

      Choose Standalone HTTP Server (Managed independently of WebLogic server).

    2. Ensure that all the checks are passed.

    3. Click Next button next to the installation progress panel to install OHS.

  4. Create an OHS instance:

    1. Cd to $OHS_HOME\oracle_common\common\bin

    2. Enter:

      config.sh

      to launch the Configuration wizard.

    3. Choose:

      Create a new domain

    4. Check:

      Oracle HTTP Server (standalone) - 12.1.3.0 [ohs]

    5. Use the default JDK version:

      Oracle HotSpot 1.7.0_51

    6. Create:

      Component ohs1

    7. Define the following parameters:

      Admin Host = OHS Server Host

      Admin Port = 9999

      Listen Port = 7777

      SSL Listen Port = 4443

    8. Enter the username and password for Node Manager. Use Oracle123!

    9. Create the instance.

  5. Configure the instance:

    1. Go to the directory:

      $OHS_HOME\user_projects\domains\base_domain\config\fmwconfig\components\OHS\ohs1

    2. Edit:

      mod_wl_ohs.conf

    3. Add the information shown below:

      <IfModule weblogic_module>
        WebLogicHost <Agile-wls host>
        WebLogicPort <Agile-wls port>
        Debug ON
        WLLogFile <Temp location>/weblogic.log
      </IfModule>
      <Location /Agile>
        WLSRequest on
      </Location>
      <Location /JavaClient>
        WLSRequest on
      </Location>
      <Location /CoreService>
        WLSRequest on
      </Location>

  6. Start Node Manager:

    1. Go to the directory:

      $OHS_HOME\user_projects\domains\base_domain\bin

    2. Run:

      startNodeManager.cmd

    3. Start OHS component by using the command:

      startComponent.cmd ohs1

  7. WebGate should be installed by default once OHS1213 is installed.

A.5.2.2 OAM11gR2 Server Configuration Main Steps

The following sections/main steps explain the configuration of the OAM11gR2 Server with the Agile 935 Application:

A.5.2.3 OAM WebGate Registration in OAMServer (OHS1213 Webserver)

Create WebGate11g Agent in OAM Console:

Figure A-6 Create WebGate11g Agent


A.5.2.4 OAM WebGate Configuration for OHS1213 Webserver

A. The following steps are required to be performed post installation of WebGate11g for OHS1213 Webserver on the Server where you installed your OHS and WebGate.

  1. Deploy WebGate:

    • Go to the directory:

      <OHSHOME>/webgate/ohs/tools/deployWebGate

    • Run the deployWebGateInstance.sh as below:

      ./deployWebGateInstance.sh -w <OHSHOME>/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1 -oh <OHSHOME>

    You should see the following sample on the console:

    Copying files from WebGate Oracle Home to WebGate Instancedir

  2. Add to the PATH in Environment Variables:

    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<OHSHOME>/lib

  3. Update httpd.conf with the WebGate configuration:

    1. Go to directory:

      <OHSHOME>/webgate/ohs/tools/setup/InstallTools

    2. Run the command below:

      ./EditHttpConf -w <OHSHOME>/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1 -oh <OHSHOME>

      You should see the following sample on the console:

      The web server configuration file was successfully updated

      /scratch/qa/OHSHOME/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf has been backed up as /scratch/qa/OHSHOME/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf.ORIG

  4. Copy the cwallet.sso and ObClientAccess.xml file from OAM Server:

    From location <Middleware Home >\user_projects\domains\oam_domain\output\OHS11G in OAM Server

    To OHS instance Web Gate directory:<OHSHOME>/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/webgate/config

B. Add the authorization policy:

  1. Navigate to OAM Console > Policy Configuration > Applications domain > Agent (Name of the WebGate11g Agent in this case) > Authorization Policies.

  2. Open Protected Resources Policy.

  3. Navigate to Response Tab.

  4. Add Response as below:

    Name= remote-user

    Type=Header

    Value=$user.attr.dn

  5. Click Apply.

C. Add user defined parameters for OHS11g WebGate Agent in OAM Console:

  1. Navigate to OAM Console > System Configuration > Access Manager Settings > SSO Agents > OAM Agents > WebGate 11G Agent.

  2. Add the below parameters to User Defined Parameters attribute:

    UniqueCookieNames=enabled

    filterOAMAuthnCookie=false

  3. Click Apply.

D. Configure resources for WebGate:

  1. Add these resources with webroot context (in this case Agile):

    Add resource URLs

    /Agile

    /Agile/…/*

    with Authentication and Authorization policy as Protected Resource Policy.

    Figure A-7 Add resources

  2. Exclude the Resources for Gantt chart:

    You must exclude the below static resources to work on Gantt chart with WebGate. Also use the webroot context while creating Resources to exclude.

    1. Navigate to OAM Console > Policy Configuration > Applications domain > Open WebGate Agents.

    2. Click Resources.

    3. In the Resources window, click Search.

    4. Add the following Resource Types using Create Button.

      In Create New page:

      Select Type as HTTP.

      Select the Host Identifier of the Web Gate Agent.

      Type the Resource URL.

      Select Protection level, Authentication Policy.

      Add the resources as shown in the following figure:

      Figure A-8 Add resources


A.5.2.5 Agile PLM Configuration for OHS1213

  1. Navigate to the WebLogic console where the Agile application is installed and create AgileIdentityAsserter.

    1. In WLS Console:

      Click Lock and Edit.

      Move to Summary of Security Realms >AgileRealm >Providers.

      Click New.

      Create AgileIdentityAsserter Authentication with "AgileIdentityAssertion" Provider.

    2. Open the added AgileIdentityAsserter.

    3. Select the Active type as remote-user and Save.

    4. Click Activate Changes.

    5. Logout from the console.

  2. Open the agile.properties file, and add the below settings:

    oam.header.name=remote-user

    oam.sso.logout.url=/oamsso/logout.html?end_url=/Agile/PLMServlet


    Note:

    Where /Agile is the web-root context for the installed application.

  3. Open the web.xml (\application.ear\application.war\WEB-INF\web.xml) and change auth-method as below:

    <auth-method>client-cert, form</auth-method>

  4. Restart the WebLogic Application Server where the Agile Application is installed.

  5. Configure LDAP Server (which is used as identity store in OAM) with Agile, Migrate LDAP Users into Agile Application and Activate LDAP users. See "Agile LDAP Configuration" to configure LDAP Server with Agile PLM.

  6. Login to Agile Java Client.

    Navigate to the Location node.

    Enter the Web Server Proxy URL.

    Restart the File Manager.
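
The file edits in A.2.2.2 (NTLM) and in A.5.1.6 and A.5.2.5 (OAM) can be checked before the server restart. The following added example, which is not part of the Oracle guide or of Agile PLM, compares the text of agile.properties and web.xml with the values listed in those sections. The function names, the two profile names and the sample file contents are assumptions made for the illustration, and it assumes trailing whitespace in a value is significant, as it is for java.util.Properties.

```python
import xml.etree.ElementTree as ET

AUTH_METHODS = ["client-cert", "form"]  # order as listed in this guide
REALM = "AgileRealm"


def expected_properties(profile, context_root="/Agile"):
    """Settings this guide lists for each SSO variant."""
    if profile == "ntlm":  # A.2.2.2
        return {"agile.sso.enabled": "true", "agile.sso.cookie.name": "AGILESSO"}
    if profile == "oam":   # A.5.1.6 and A.5.2.5
        return {"oam.header.name": "remote-user",
                "oam.sso.logout.url":
                    "/oamsso/logout.html?end_url=%s/PLMServlet" % context_root}
    raise ValueError("unknown profile: %r" % profile)


def parse_properties(text):
    """Simplified .properties reader: key=value or key:value, no line continuations.

    Whitespace before a value is dropped and whitespace after it is kept.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].rstrip()] = line[i + 1:].lstrip()
                break
    return props


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix, if any


def read_login_config(web_xml_text):
    """Return (auth methods, realm name) from <login-config>, or (None, None)."""
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        if _local(elem.tag) == "login-config":
            values = {_local(c.tag): (c.text or "").strip() for c in elem}
            methods = [m.strip().lower()
                       for m in values.get("auth-method", "").split(",") if m.strip()]
            return methods, values.get("realm-name")
    return None, None


def check_sso_config(properties_text, web_xml_text, profile, context_root="/Agile"):
    """Return a list of findings; an empty list means the files match the guide."""
    findings = []
    props = parse_properties(properties_text)
    for key, want in expected_properties(profile, context_root).items():
        got = props.get(key)
        if got is None:
            findings.append("agile.properties: %s is not set (expected %s)" % (key, want))
        elif got != got.rstrip():
            findings.append("agile.properties: %s has trailing whitespace" % key)
        elif got != want:
            findings.append("agile.properties: %s=%s (expected %s)" % (key, got, want))
    methods, realm = read_login_config(web_xml_text)
    if methods is None:
        findings.append("web.xml: no <login-config> element")
    else:
        if methods != AUTH_METHODS:
            findings.append("web.xml: auth-method is %r (expected 'client-cert, form')"
                            % ", ".join(methods))
        if realm is not None and realm != REALM:
            findings.append("web.xml: realm-name is %s (expected %s)" % (realm, REALM))
    return findings


# Constructed sample inputs, not real Agile PLM files.
SAMPLE_PROPERTIES = "\n".join([
    "# constructed sample",
    "agile.sso.enabled= true",
    "agile.sso.cookie.name=AGILESSO ",   # trailing space on purpose
    "oam.header.name=remote_user",       # underscore on purpose
])
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <login-config>
    <auth-method>form</auth-method>
    <realm-name>AgileRealm</realm-name>
  </login-config>
</web-app>"""

if __name__ == "__main__":
    for profile in ("ntlm", "oam"):
        for finding in check_sso_config(SAMPLE_PROPERTIES, SAMPLE_WEB_XML, profile):
            print("[%s] %s" % (profile, finding))
```

The oam.header.name check matters because the value has to match both the response header name configured in OAM and the Active type selected on the AgileIdentityAsserter.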

A.5.2.6 Testing (OHS1213)

  1. Attempt to login to Agile Proxy URL with the OHS1213 webserver port number as configured.

    You should see the OAM Credentials page.

  2. Enter the appropriate OAM (Configured LDAP Identity store user) username and password and the Agile application home page should be presented.

A.5.3 OAM11gR2 Configuration with Agile PLM 9.3.6 Using Apache 2.4 Web Server

Perform the prerequisite steps, and then perform the configuration steps as explained in the following sections.

A.5.3.1 OAM 11gR2 Configuration Prerequisites (Apache 2.4)

Ensure the following components have been downloaded and installed.

  1. Download Apache2.4 from Apache site and install/configure and test Apache2.4 with Agile 9.3.6 (Agile should be installed on WLS12.2.1.1). You can refer to the Oracle Knowledge Base for details.

  2. Download 11g R2 PS2 (11.1.2.2.0) Web Gate software V73670-01.zip for Apache 2.4.x from the Oracle OTN site and install it on the same system where Apache web server has been installed.

The following sections/main steps explain the configuration of the OAM11gR2 Server with the Agile 936 Application:

A.5.3.2 WebGate Agent Configuration in OAM Server (Apache 2.4)

You must add a WebGate Agent for the Apache Webserver in the OAM Server.

To perform OAM WebGate Agent registration in OAMServer:

  1. Create a WebGate entry on OAM console through UI mode Steps:

    1. Click on New OAM WebGate 11g in welcome page.

    2. Enter the Name. The host identifier will populate automatically.

    3. Click Apply.

Figure A-9 Adding a WebGate Agent


A.5.3.3 OAM WebGate Configuration (Apache 2.4)


You must perform the following steps post-installation of WebGate11g for Apache Web Server on the server where you installed Apache and WebGate.

  1. Deploy WebGate:

    1. Go to the directory:

      WebGate_Oracle_Home/webgate/apache/tools/deployWebGate

    2. Run the deployWebGateInstance.sh as below:

      ./deployWebGateInstance.sh -w <WebGate_Instancedir> -oh <WebGate_Oracle_Home> -ws apache

      You should see the following sample on the console:

      Copying files from WebGate Oracle Home to WebGate Instancedir

    3. Add to the PATH in Environment Variables:

      export LD_LIBRARY_PATH=<WebGate_Oracle_Home>/webgate/apache/lib

    4. Go to WebGate_Oracle_Home/webgate/apache/tools/setup/InstallTools

      Run the command below:

      ./EditHttpConf -f <Apache Home>/conf/httpd.conf -w <WebGate_Instancedir> -oh <WebGate_Oracle_Home> -ws apache24

      You should see the following sample on the console:

      The web server configuration file was successfully updated.

      /scratch/Software/httpd-2.4.10/conf/httpd.conf has been backed up as /scratch/Software/httpd-2.4.10/conf/httpd.conf.ORIG

    5. Copy the cwallet.sso and ObClientAccess.xml file from OAM Server:

      From location <Middleware Home >\user_projects\domains\oam_domain\output\OHS11G in OAM Server to WebGate_Instance_Home/webgate/config

    6. Add the authorization policy:

      Navigate to OAM Console > Policy Configuration > Applications domain > Agent (Name of the WebGate11g Agent in this case) > Authorization Policies.

      Open Protected Resources Policy.

      Navigate to Response Tab.

      Add Response as below:

      Name= remote-user

      Type=Header

      Value=$user.attr.dn

      Click Apply.

    7. Add user defined parameters for OHS11g WebGate Agent in OAM Console:

      Navigate to OAM Console > System Configuration > Access Manager Settings > SSO Agents > OAM Agents > WebGate 11G Agent.

      Add the below parameters to User Defined Parameters attribute:

      UniqueCookieNames=enabled

      filterOAMAuthnCookie=false

      Click Apply.

  2. Configure Resources for WebGate:

    1. Add these resources with webroot context (in this case Agile):

      Add resource URLs "/Agile, /Agile/…/*" with Authentication and Authorization policy as Protected Resource Policy.

      Figure A-10 Add WebGate Resources

    2. Exclude the Resources for Gantt chart:

      You must exclude the below static resources to work on Gantt chart with WebGate. Also use the webroot context while creating Resources to exclude.

      1. Navigate to OAM Console > Policy Configuration > Applications domain > Open WebGate Agents

      2. Click Resources.

      3. In the Resources window, click Search.

      4. Add the following Resource Types using Create Button. In Create New page:

        Select Type as HTTP.

        Select the Host Identifier of the WebGate Agent.

        Type the Resource URL with webroot context

        Select Protection level as Excluded

        Add the resources as below:

        Figure A-11 Add Resource Types


A.5.3.4 Agile PLM Application Configuration (Apache 2.4)

  1. Navigate to the WebLogic Administration console where the Agile application is installed and create AgileIdentityAsserter.

    1. In WLS Console, click Lock and Edit.

    2. Move to Summary of Security Realms >AgileRealm >Providers.

    3. Click New and Create AgileIdentityAsserter Authentication with "AgileIdentityAssertion" Provider.

    4. Open the added AgileIdentityAsserter.

    5. Select the Active type as remote-user and then Save.

    6. Click Activate Changes and logout from the console.

  2. Open the agile.properties file, and add the below settings:

    oam.sso.logout.url=/oamsso/logout.html?end_url=/Agile/PLMServlet


    Note:

    Where /Agile/PLMServlet is the web-root context for the installed application.

  3. Open the web.xml (\application.ear\application.war\WEB-INF\web.xml) and change auth-method as below:

    <auth-method>client-cert, form</auth-method>

  4. Restart the WebLogic Application Server where the Agile Application is installed.

  5. Configure LDAP Server (which is used as identity store in OAM) with Agile.

  6. Migrate LDAP Users into Agile Application and Activate LDAP users. For more information, see "Agile LDAP Configuration" to configure LDAP Server with Agile.

  7. Login to Agile Java Client.

    Navigate to Location node.

    Enter Web Server Proxy URL.

    Restart the File Manager.

A.5.3.5 Testing (Apache 2.4)

  1. Attempt to login to Agile Proxy URL with the Apache webserver port number as configured.

    You should see the OAM Credentials page.

  2. Enter the appropriate OAM (configured LDAP Identity store user) username and password and the Agile application home page should be presented.