10 Setting Up Network Integrity for Single Sign-On Authentication

This chapter provides instructions for setting up Oracle Communications Network Integrity for single sign-on (SSO) authentication.

Network Integrity implements the single sign-on (SSO) authentication solution using Oracle Access Manager, which enables you to seamlessly access multiple applications without being prompted to authenticate for each application separately. The main advantage of SSO is that you are authenticated only once, which is when you log in to the first application; you are not required to authenticate again when you subsequently access different applications with the same (or lower) authentication level (as the first application) within the same web browser session.

Network Integrity also supports the single logout (SLO) feature. If you access multiple applications using SSO within the same web browser session, and then if you log out of any one of the applications, you are logged out of all the applications.

This solution supports SSO authentication between Network Integrity and Oracle Communications Unified Inventory Management (UIM) applications.

For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

Setting up Network Integrity for SSO authentication includes the following tasks:

  • Installing Required Software

  • Configuring Network Integrity to Enable SSO Authentication

Installing Required Software

Install and configure the following software that Network Integrity requires for implementing SSO authentication:

  • External Lightweight Directory Access Protocol (LDAP) Server. Oracle recommends Oracle Internet Directory (OID) as the LDAP store external to the WebLogic server.

  • Oracle Access Manager (OAM), included with Oracle Identity and Access Management

  • Oracle WebLogic Server

  • Oracle HTTP Server (OHS)

  • Oracle HTTP Server WebGate for OAM

See "Software Requirements" for information on required software versions.

To install the required software, do the following:

  1. Install WebLogic Server and create the Oracle Middleware Home directory (MW_Home). This is the directory in which the Oracle Fusion Middleware products are installed.

    For more information, see Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.

  2. Install Oracle Access Manager (OAM) in the same Oracle Middleware Home directory that you created when you installed Oracle WebLogic Server.

    For more information, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  3. Install and configure Oracle HTTP Server, which is a Web server that acts as the front end to the Oracle WebLogic Server.

    For more information, see Oracle Fusion Middleware Installing and Configuring Oracle HTTP Server.

  4. Install and configure Oracle HTTP Server WebGate for OAM.

    A WebGate is a web-server plug-in for Oracle Access Manager (OAM) that intercepts HTTP requests and forwards them to the Access Server for authentication and authorization. For more information, see Oracle Fusion Middleware Installing WebGates for Oracle Access Manager.

  5. Install an external LDAP server, for example, Oracle Internet Directory (OID). Oracle recommends Oracle Internet Directory as the LDAP store external to the WebLogic Server.

    For information on installing and configuring Oracle Internet Directory, see Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

  6. Configure the external LDAP as the user identity store in OAM.

    For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  7. Register the Oracle HTTP Server WebGate instance with OAM by using the Oracle Access Manager Administration Console.

    For more information, see the chapter on "Registering Partners (Agents and Applications) by Using the Console" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

  8. Install Oracle WebLogic Server 12c. See "Installing and Configuring Oracle WebLogic Server" for more information.

  9. Continue with the steps in "Configuring Network Integrity to Enable SSO Authentication".

Configuring Network Integrity to Enable SSO Authentication

Configuring Network Integrity to enable SSO authentication involves the following tasks:

  • Installing and Deploying Network Integrity Specifying the External LDAP Provider

  • Configuring the Frontend URL in Administration Console

  • Creating and Configuring Authentication Providers for OAM SSO

  • Configuring web.xml for the OAM Identity Asserter

  • Configuring the mod_wl_ohs Plug-In for Oracle HTTP Server

  • Protecting Resources For SSO Authentication

  • Excluding Resources From SSO Authentication

Installing and Deploying Network Integrity Specifying the External LDAP Provider

To install and deploy Network Integrity specifying the external LDAP security provider:

  1. Configure authentication providers for your external security provider. See "Configuring Custom Authentication Providers" for more information.

    Oracle recommends Oracle Internet Directory as the LDAP store external to the WebLogic server. See "Installing and Configuring Oracle Internet Directory" for more information.

  2. Install and deploy Network Integrity specifying the external LDAP provider.

    When installing Network Integrity, in the Security Provider Selection screen, select the External Security Provider option, and then enter the required information in the External Security Provider Connection Information screen. Follow the instructions provided in "Installing Network Integrity by Using Interactive Install".

Configuring the Frontend URL in Administration Console

Set the front-end host and port so that all requests to access the applications (Network Integrity) deployed in the WebLogic administration server go through the Oracle HTTP Server.

To configure the Frontend URL:

  1. Log in to the Oracle WebLogic Server administration console.

  2. In the Domain Structure tree, expand Environment, and do one of the following:

    • Select Clusters (if the server instances to which you want to proxy requests from Oracle HTTP Server are in a cluster).

    • Select Servers.

      The Summary of Servers page appears.

  3. Select the server or cluster to which you want to proxy requests from Oracle HTTP Server.

  4. Click the Configuration tab.

  5. On the General tab, in the Advanced section, select the WebLogic Plug-In Enabled check box.

  6. If you selected Servers in step 2, repeat steps 3 through 5 for the other servers to which you want to proxy requests from Oracle HTTP Server.

  7. Click Save.

  8. Restart the WebLogic server.

  9. Log in to the Oracle WebLogic Server administration console.

  10. In the Domain Structure tree, expand Environment, and click Servers.

    The Summary of Servers screen appears.

  11. Click the server where Network Integrity is deployed.

    The settings screen for the server appears.

  12. Click the Protocols tab.

  13. On the HTTP tab, do the following:

  14. In the Frontend Host field, enter the name of the Oracle HTTP Server host machine.

    WebLogic Server uses this value instead of the one in the host header. All HTTP URLs are redirected to this HTTP host.

  15. In the Frontend HTTP Port field, enter the Oracle HTTP Server port number.

    All HTTP URLs are redirected to this HTTP port.

  16. In the Frontend HTTPS Port field, enter the Oracle HTTP Server SSL port number.

    All HTTPS URLs are redirected to this HTTPS port.

  17. Click Save.

  18. In the Change Center of the Administration Console, click Activate Changes.

Creating and Configuring Authentication Providers for OAM SSO

You must create a new OAMIdentityAsserter provider for OAM SSO in the WebLogic Server Administration Console.

To create the OAMIdentityAsserter provider:

  1. Log in to the WebLogic Server Administration Console.

  2. Under Your Application's Security Settings, click Security Realms.

    The Summary of Security Realms screen appears.

  3. Select the realm YourRealmName, for which you need to configure the OAM identity asserter.

    The Settings For YourRealmName screen appears.

  4. Click the Providers tab, and then click the Authentication tab.

  5. Click New.

    The Create a New Authentication Provider screen appears.

  6. In the Name field, enter a name for the new provider; for example, OAM ID Asserter.

  7. From the Type list, select OAMIdentityAsserter.

  8. Click OK.

    The Settings For YourRealmName screen appears, showing the newly created authentication provider in the Authentication tab.

  9. Click the link for AuthenticatorName (for example, OAM ID Asserter).

    The Settings for AuthenticatorName screen appears.

  10. On the Common tab, from the Control Flag list, select REQUIRED.

  11. Under Active Types, use the directional arrow buttons to move OAM_REMOTE_USER from the Available column to the Chosen column.

    Ensure that OAMAuthnCookie and OAM_IDENTITY_ASSERTION are present in the Chosen column.

  12. Click Save.

  13. Click the Providers tab, and then click the Authentication tab.

  14. Click the link for DefaultAuthenticator and ensure that the default authenticator's control flag is set to SUFFICIENT.

  15. Click the link for OID/OUD Authenticator (for example, OracleInternetDirectoryAuthenticator) and ensure that the OID/OUD authenticator's control flag is set to SUFFICIENT.

    See "Configuring the Authentication Provider" for more information.

  16. On the Authentication tab, click Reorder.

    The Reorder Authentication Providers screen appears.

  17. Use the up and down arrows to reorder the listed authentication providers as follows:

    • OAMIdentityAsserter (REQUIRED)

    • OracleInternetDirectoryAuthenticator (SUFFICIENT)

    • DefaultAuthenticator (SUFFICIENT)

  18. Click OK.

Configuring web.xml for the OAM Identity Asserter

You configure the web.xml file for the OAM Identity Asserter by updating the deployment plan. You use deployment plans to change an application's WebLogic Server configuration for a specific environment without modifying existing deployment descriptors.

To update the web.xml file:

  1. To use the Oracle Access Manager Identity Asserter, you must specify the authentication method as CLIENT-CERT in the web.xml file for the appropriate realm by editing the deployment plan. The web.xml file is located at NI_Home/app/NetworkIntegrity.ear/NetworkIntegrityApp_NetworkIntegrityUI_webapp1.war/WEB-INF/, where NI_Home is the directory in which the Network Integrity software is installed.

    • Depending on your deployment configuration, do one of the following:

      • If Network Integrity is installed in a single server environment, navigate to and open the NI_Home/app/plan/Plan.xml file.

      • If Network Integrity is installed in a clustered server environment, navigate to and open the NI_Home/app/plan/ClusterPlan.xml file.

    • Update the variable-definition and variable-assignment elements; specifically, add CLIENT-CERT as follows:

      <variable-definition>
        <variable>
          <name>ClientCertAuthMethod</name>
          <value>CLIENT-CERT</value>
        </variable>
        <variable>
          <name>RealmName</name>
          <value>myrealm</value>
        </variable>
      </variable-definition>
      <module-override>
        <module-name>NetworkIntegrityApp_NetworkIntegrityUI_webapp1.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>web-app</root-element>
          <uri>WEB-INF/web.xml</uri>
          <variable-assignment>
            <name>ClientCertAuthMethod</name>
            <xpath>/web-app/login-config/auth-method</xpath>
            <operation>replace</operation>
          </variable-assignment>
          <variable-assignment>
            <name>RealmName</name>
            <xpath>/web-app/login-config/realm-name</xpath>
            <operation>add</operation>
          </variable-assignment>
        </module-descriptor>
      </module-override>

    • Save and close the Plan.xml/ClusterPlan.xml file.

  2. Update the deployment plan for the currently-deployed Network Integrity application:

    1. Log in to the WebLogic Server Administration Console.

    2. In the Domain Structure tree, expand Environment, and click Deployments.

      The Summary of Deployments screen appears.

    3. Select the check box beside NetworkIntegrity.

    4. Click Update.

      The Update Application Assistant page appears.

    5. Select Update this application in place with new deployment plan changes and click Next.

    6. (Optional) Click Change Path beside the Deployment Plan Path field and browse to the location of the Plan.xml/ClusterPlan.xml file.

      The Summary page appears.

    7. Click Finish.

    8. In the Change Center of the Administration Console, click Activate Changes.
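Before updating the deployment, it is worth confirming that the plan really rewrites the UI module's auth-method, because a plan that silently fails to apply leaves the application on its original authentication method while the OAM Identity Asserter expects CLIENT-CERT. The following checker is an added example, not part of the Network Integrity installer or any Oracle tool; the sample plan it parses is constructed here, and the handling of the WebLogic deployment-plan namespace is an assumption about real Plan.xml files.

```python
# Added check (not part of the Network Integrity installer): parse a
# Plan.xml/ClusterPlan.xml and confirm the UI web module's web.xml will
# get login-config/auth-method replaced with CLIENT-CERT, as the OAM
# Identity Asserter requires. The sample plan below is constructed.
import xml.etree.ElementTree as ET

UI_MODULE = "NetworkIntegrityApp_NetworkIntegrityUI_webapp1.war"
AUTH_METHOD_XPATH = "/web-app/login-config/auth-method"

SAMPLE_PLAN = """<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan">
  <variable-definition>
    <variable><name>ClientCertAuthMethod</name><value>CLIENT-CERT</value></variable>
    <variable><name>RealmName</name><value>myrealm</value></variable>
  </variable-definition>
  <module-override>
    <module-name>NetworkIntegrityApp_NetworkIntegrityUI_webapp1.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>web-app</root-element>
      <uri>WEB-INF/web.xml</uri>
      <variable-assignment><name>ClientCertAuthMethod</name>
        <xpath>/web-app/login-config/auth-method</xpath><operation>replace</operation>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix ElementTree adds

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    kids = _kids(elem, name)
    return (kids[0].text or "").strip() if kids else None

def check_client_cert_override(plan_xml):
    """Return a list of problems; an empty list means the override is correct."""
    root = ET.fromstring(plan_xml)
    # Variable name -> value, gathered from every <variable-definition>.
    variables = {}
    for vdef in (e for e in root.iter() if _local(e.tag) == "variable-definition"):
        for var in _kids(vdef, "variable"):
            variables[_text(var, "name")] = _text(var, "value")
    problems, found = [], False
    for mo in (e for e in root.iter() if _local(e.tag) == "module-override"):
        if _text(mo, "module-name") != UI_MODULE:
            continue
        for md in _kids(mo, "module-descriptor"):
            for va in _kids(md, "variable-assignment"):
                if _text(va, "xpath") != AUTH_METHOD_XPATH:
                    continue
                found = True
                value = variables.get(_text(va, "name"))
                if value != "CLIENT-CERT":
                    problems.append(f"auth-method would become {value!r}, not CLIENT-CERT")
                if _text(va, "operation") != "replace":
                    problems.append("auth-method assignment must use operation 'replace'")
    if not found:
        problems.append(f"no assignment for {AUTH_METHOD_XPATH} in {UI_MODULE}")
    return problems
```

To check a real file, pass the contents of NI_Home/app/plan/Plan.xml (or ClusterPlan.xml) to check_client_cert_override and treat any returned message as a reason not to run the Update step.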

Configuring the mod_wl_ohs Plug-In for Oracle HTTP Server

You can configure the mod_wl_ohs plug-in by specifying directives in the mod_wl_ohs.conf file to enable the Oracle HTTP Server instances to forward requests to the applications deployed on the Oracle WebLogic server or clusters.

For more information, see Oracle Fusion Middleware Using Web Server Plug-Ins with Oracle WebLogic Server.

To configure the mod_wl_ohs plug-in:

  1. Open the mod_wl_ohs.conf file from the following location:

    Domain_Home/config/fmwconfig/components/OHS/ohs1/

    where:

    Domain_Home is the directory containing the configuration for the domain into which Oracle HTTP Server is installed.

  2. Add directives within the <IfModule weblogic_module> element in the configuration file as follows:

    • To forward requests to the Network Integrity application running on a single Oracle WebLogic Server instance, specify /NetworkIntegrity within the <location> element as follows:

      <IfModule weblogic_module>
      <Location /NetworkIntegrity>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>
      </IfModule>
      

      where:

      • host is the name of the WebLogic Administration server machine

      • port is the port of the server on which Network Integrity is installed

    • To forward requests to the Network Integrity application running on a cluster of Oracle WebLogic Server instances, specify /NetworkIntegrity within a new <location> element as follows:

      <IfModule weblogic_module>
      <Location /NetworkIntegrity>
      SetHandler weblogic-handler
      WebLogicCluster host1:port1,host2:port2
      </Location>
      </IfModule>
      

      where:

      • host1 and host2 are host names of the managed servers

      • port1 and port2 are ports of the managed servers

    • To forward requests to the Network Integrity Web services running on a single Oracle WebLogic Server instance, specify /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root within the <location> element as follows:

      <IfModule weblogic_module>
      <Location /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>
      </IfModule>
      

      where:

      • host is the name of the WebLogic Administration server machine

      • port is the port of the server on which Network Integrity is installed

    • To forward requests to the Network Integrity Web services running on a cluster of Oracle WebLogic Server instances, specify /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root within a new <location> element as follows:

      <IfModule weblogic_module>
      <Location /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root>
      SetHandler weblogic-handler
      WebLogicCluster host1:port1,host2:port2
      </Location>
      </IfModule>
      

      where:

      • host1 and host2 are host names of the managed servers

      • port1 and port2 are ports of the managed servers

    • To forward requests to the Network Integrity application running on a single Oracle WebLogic Server instance to support integration with UIM, specify /NI_Uim within the <location> element as follows:

      <IfModule weblogic_module>
      <Location /NI_Uim>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>
      </IfModule>
      

      where:

      • host is the name of the WebLogic Administration server machine

      • port is the port of the server on which Network Integrity is installed

    • To forward requests to the Network Integrity application running on a cluster of Oracle WebLogic Server instances to support integration with UIM, specify /NI_Uim within a new <location> element as follows:

      <IfModule weblogic_module>
      <Location /NI_Uim>
      SetHandler weblogic-handler
      WebLogicCluster host1:port1,host2:port2
      </Location>
      </IfModule>
      

      where:

      • host1 and host2 are host names of the managed servers

      • port1 and port2 are ports of the managed servers

    • To forward requests to the Network Integrity application running on a single Oracle WebLogic Server instance into which you want to deploy cartridges, specify /cartridge within the <location> element as follows:

      <IfModule weblogic_module>
      <Location /cartridge>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>
      </IfModule>
      

      where:

      • host is the name of the WebLogic Administration server machine

      • port is the port of the server on which Network Integrity is installed

    • To forward requests to the Network Integrity application running on a cluster of Oracle WebLogic Server instances into which you want to deploy cartridges, specify /cartridge within a new <location> element as follows:

      <IfModule weblogic_module>
      <Location /cartridge>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort ms_port
      </Location>
      </IfModule>
      

      where:

      • host is the machine where the managed server is running

      • ms_port is the port of the managed server running on the host specified in the host variable above

      For example, if a managed server networkintegrity01 with listen port 8065 is running on the machine NETINT1, you must specify the following:

      <IfModule weblogic_module>
      <Location /cartridge>
      SetHandler weblogic-handler
      WebLogicHost NETINT1
      WebLogicPort 8065
      </Location>
      </IfModule>
      

Protecting Resources For SSO Authentication

You must protect resources (for example, the Network Integrity application) in Oracle Access Manager for SSO authentication. For more information, see Fusion Middleware Administrator's Guide for Oracle Access Management.

To protect resources for SSO authentication:

  1. Open the Oracle Access Management Console.

  2. On the Policy Configuration tab, expand the Application Domains node.

  3. Expand the node for the application domain.

  4. Within the application domain, expand the Resources node.

  5. Click the Resources tab, and then click the New Resource button in the upper-right corner of the Search page.

    The Resource Definition page appears.

  6. Do the following to configure the Network Integrity application as a protected resource for SSO authentication:

    • From the Type list, select HTTP.

    • In the Resource URL field, enter /NetworkIntegrity/.../*.

    • From the Protection Level list, select Protected.

  7. Click Apply.

Excluding Resources From SSO Authentication

You can exclude HTTP resources that do not require SSO authentication, for example, the Web Services Description Language (WSDL) document for Web services. Excluded resources are public and do not require an OAM Server check for authentication.

When allowing access to excluded resources, WebGate does not contact the OAM Server. Excluded resources cannot be added to any user-defined policy in the console. For more information, see Fusion Middleware Administrator's Guide for Oracle Access Management.

To exclude resources from SSO authentication:

  1. Open the Oracle Access Management Console.

  2. On the Policy Configuration tab, expand the Application Domains node.

  3. Expand the node for the application domain.

  4. Within the application domain, expand the Resources node.

  5. Click the Resources tab, and then click the New Resource button in the upper-right corner of the Search page.

    The Resource Definition page appears.

  6. Do the following to exclude Network Integrity Web services from SSO authentication:

    • From the Type list, select HTTP.

    • In the Resource URL field, enter the following to exclude Network Integrity Web services from SSO authentication:

      /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root/.../*

    • From the Protection Level list, select Excluded.

  7. Click Apply.

  8. Click the New Resource button.

    The Resource Definition page appears.

  9. Do the following to exclude the Network Integrity cartridge deployment process from SSO authentication:

    • From the Type list, select HTTP.

    • In the Resource URL field, enter /cartridge/.../*.

    • From the Protection Level list, select Excluded.

  10. Click Apply.

  11. Click the New Resource button.

    The Resource Definition page appears.

  12. Do the following to exclude the Network Integrity and UIM integration process from SSO authentication:

    • From the Type list, select HTTP.

    • In the Resource URL field, enter /NI_Uim/.../*.

    • From the Protection Level list, select Excluded.

  13. Click Apply.
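Every path that mod_wl_ohs.conf forwards to WebLogic should correspond to an OAM resource definition, either Protected (as for /NetworkIntegrity) or deliberately Excluded (as for the Web services, /cartridge and /NI_Uim paths); a proxied path with no definition is a configuration gap whose WebGate treatment was never decided. The following cross-check is an added example, not an Oracle tool: it parses the Location blocks from the "Configuring the mod_wl_ohs Plug-In" section, matches them against the resource patterns from this and the previous section, and reports the uncovered paths. The configuration text, host names and resource list are constructed, and /NI_Uim is left out of the resource list on purpose so the check has something to find; the pattern matcher implements only the "/..." and "*" forms used on this page.

```python
# Added cross-check (example code, not an Oracle tool): read the <Location>
# blocks that mod_wl_ohs.conf forwards to WebLogic, compare them with the OAM
# resource definitions, and report any proxied path with neither a Protected
# nor an Excluded resource. Configuration, hosts and resources are constructed.
import re

SAMPLE_CONF = """<IfModule weblogic_module>
<Location /NetworkIntegrity>
SetHandler weblogic-handler
WebLogicHost wls-host
WebLogicPort 8001
</Location>
<Location /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root>
SetHandler weblogic-handler
WebLogicHost wls-host
WebLogicPort 8001
</Location>
<Location /NI_Uim>
SetHandler weblogic-handler
WebLogicHost wls-host
WebLogicPort 8001
</Location>
</IfModule>
"""

# (resource URL pattern, protection level) as entered in the OAM console;
# /NI_Uim is deliberately missing so the check has something to find.
SAMPLE_RESOURCES = [
    ("/NetworkIntegrity/.../*", "Protected"),
    ("/NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root/.../*", "Excluded"),
]

def proxied_locations(conf_text):
    """Paths of <Location> blocks whose handler is weblogic-handler."""
    return [m.group(1)
            for m in re.finditer(r"<Location\s+(\S+)>(.*?)</Location>", conf_text, re.S)
            if "weblogic-handler" in m.group(2)]

def oam_pattern_to_regex(pattern):
    """Subset of OAM URL pattern syntax: '/...' spans any number of path
    segments and '*' matches any characters within one segment."""
    out = ""
    for token in re.split(r"(/\.\.\.|\*)", pattern):
        out += {"/...": r"(?:/[^/]+)*", "*": r"[^/]*"}.get(token, re.escape(token))
    return re.compile("^" + out + "$")

def coverage_report(conf_text, resources):
    """Map each proxied path to the level applied to requests beneath it
    (first matching resource wins), or None when no resource matches."""
    compiled = [(oam_pattern_to_regex(p), level) for p, level in resources]
    report = {}
    for path in proxied_locations(conf_text):
        probe = path.rstrip("/") + "/"  # a request directly under the location
        levels = [level for rx, level in compiled if rx.match(probe)]
        report[path] = levels[0] if levels else None
    return report

def uncovered_paths(conf_text, resources):
    """Proxied paths that no OAM resource definition addresses."""
    return sorted(p for p, lvl in coverage_report(conf_text, resources).items() if lvl is None)
```

Run it against the real mod_wl_ohs.conf and the resource list exported from the Oracle Access Management Console after completing the steps above; the expected result is an empty list from uncovered_paths.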