This chapter provides instructions for setting up Oracle Communications Unified Inventory Management (UIM) for single sign-on (SSO) authentication.
UIM implements the single sign-on (SSO) authentication solution using Oracle Access Manager, which enables you to seamlessly access multiple applications without being prompted to authenticate for each application separately. The main advantage of SSO is that you are authenticated only once, which is when you log in to the first application; you are not required to authenticate again when you subsequently access different applications with the same (or lower) authentication level (as the first application) within the same web browser session.
UIM also supports the single logout (SLO) feature. If you access multiple applications using SSO within the same web browser session, and then if you log out of any one of the applications, you are logged out of all the applications.
This solution supports SSO authentication between UIM and Network Integrity applications.
For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Install and configure the following software that UIM requires for implementing SSO authentication:
External Lightweight Directory Access Protocol (LDAP) Server. Oracle recommends Oracle Internet Directory (OID) or Oracle Unified Directory (OUD) as the LDAP store external to the WebLogic server.
Oracle Access Manager (OAM), included with Oracle Identity and Access Management 12c (12.2.1.4.0)
Oracle WebLogic Server 12c (12.2.1.4.0)
Oracle HTTP Server (OHS) 12c (12.2.1.4.0)
Oracle HTTP Server 12c WebGate for OAM
To install the required software, do the following:
Install Oracle WebLogic Server 12c and create the Oracle Middleware Home directory (MW_Home). This is the directory in which the Oracle Fusion Middleware products are installed.
For more information, see Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server 12c.
Install Oracle Access Manager (OAM) in the same Oracle Middleware Home directory that you created when you installed Oracle WebLogic Server 12c.
For more information, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Install and configure Oracle HTTP Server, which is a Web server that acts as the front end to the Oracle WebLogic Server.
For more information, Oracle Fusion Middleware Installing and Configuring Oracle HTTP Server.
Install and configure Oracle HTTP Server WebGate for OAM.
A WebGate is a web-server plug-in for Oracle Access Manager (OAM) that intercepts HTTP requests and forwards them to the Access Server for authentication and authorization. For more information, see Oracle Fusion Middleware Installing WebGates for Oracle Access Manager.
Install an external LDAP server. For example, Oracle Internet Directory (OID). Oracle recommends Oracle Internet Directory as an external LDAP store.
For information on installing and configuring Oracle Internet Directory, see Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Configure the external LDAP as the user identity store in OAM.
For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Register the Oracle HTTP Server WebGate instance with OAM by using the Oracle Access Manager Administration Console.
For more information, see the chapter on “Registering Partners (Agents and Applications) by Using the Console" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
Continue with the steps in "Configuring UIM to Enable SSO Authentication".
Configuring UIM to enable SSO authentication involves the following tasks:
Before configuring UIM for SSO, ensure that the server on which UIM is installed can connect to the server on which OID is installed.
To enable the UIM server to connect to the OID server, edit the UIM server's hosts file and add the host name and IP address of the OID server. On Windows, the hosts file is typically located at C:\Windows\System32\drivers\etc\. On Unix and Solaris, the hosts file is located at /etc/hosts.
Install and deploy UIM specifying the external LDAP provider. When installing UIM, in the Security Provider Selection screen, select the External_LDAP option, and then enter the required information in the External Security Provider Connection Information screen. Follow the instructions provided in "Installing UIM by Using Interactive Install".
Set the front-end host and port so that all requests to access the applications (UIM/Network Integrity) deployed in the WebLogic administration server go through the Oracle HTTP server:
To configure the Frontend URL:
Log in to the WebLogic Server Administration Console.
In the Domain Structure tree, expand Environment, and click Servers.
The Summary of Servers screen appears.
Click AdminServer.
The Setting for AdminServer screen appears.
Click the Protocols tab.
On the HTTP tab, do the following:
In the Frontend Host field, enter the name of the Oracle HTTP Server host machine.
WebLogic Server uses this value instead of the one in the host header. All HTTP URLs are redirected to this HTTP host.
In the Frontend HTTP Port field, enter the Oracle HTTP Server port number.
All HTTP URLs are redirected to this HTTP port.
Click Save.
In the Change Center of the Administration Console, click Activate Changes, which activates these changes.
You must create a new OAMIdentityAsserter provider for OAM SSO in WebLogic Server Administration Console.
To create the OAMIdentityAsserter provider:
Log in to the WebLogic Server Administration Console.
Under Your Application's Security Settings, click Security Realms.
The Summary of Security Realms screen appears.
Select the realm YourRealmName, for which you need to configure the OAM identity asserter.
The Settings For YourRealmName screen appears.
Click the Providers tab, and then click the Authentication tab.
Click New.
The Create a New Authentication Provider screen appears.
In the Name field, enter a name for the new provider; for example, OAM ID Asserter.
From the Type list, select OAMIdentityAsserter.
Click OK.
The Settings For YourRealmName screen appears, showing the newly created authentication name in the Authentication tab.
Click the link for AuthenticatorName (For example, OAM ID Asserter).
The Settings for AuthenticatorName screen appears.
On the Common tab, from the Control Flag list, select REQUIRED.
Under Active Types, use the directional arrow buttons to move OAM_REMOTE_USER from the Available column to the Chosen column.
(Optional) If you use Oracle Internet Directory as the external LDAP store, ensure that you move OAM_IDENTITY_ASSERTION to the Chosen column.
Click Save.
Click the Providers tab, and then click the Authentication tab.
Click the link for DefaultAuthenticator and ensure that the default authenticator's control flag is set to SUFFICIENT.
Click the link for OID/OUD Authenticator (for example, OracleInternetDirectoryAuthenticator) and ensure that the OID/OUD authenticator's control flag is set to SUFFICIENT.
See "Installing and Configuring an Authentication Provider" for more information.
On the Authentication tab, click Reorder.
The Reorder Authentication Providers screen appears
Use the Up and Down arrows to reorder the listed Authentication Providers as follows:
OAMIdentityAsserter (REQUIRED)
OracleInternetDirectoryAuthenticator (SUFFICIENT)
DefaultAuthenticator (SUFFICIENT)
Click OK.
You configure the web.xml file for the OAM Identity Asserter by updating the deployment plan. You use deployment plans to change an application's WebLogic Server configuration for a specific environment without modifying existing deployment descriptors.
To configure the web.xml file:
For using Oracle Access Manager Identity Asserter, you must specify the authentication method as CLIENT-CERT in the web.xml file for the appropriate realm by editing the deployment plan. The web.xml file is located at UIM_Home/app/inventory.ear/inv.war/WEB-INF/, where UIM_Home is the directory in which the UIM software is installed.
Depending on your deployment configuration, do one of the following:
If UIM is installed in a single server environment, navigate to and open the UIM_Home/app/plan/Plan.xml file.
If UIM is installed in a clustered server environment, navigate to and open the UIM_Home/app/plan/ClusterPlan.xml file.
Update the variable-definition and variable-assignment elements; specifically, add CLIENT-CERT as follows:
<variable-definition>
 <variable>
     <name>ClientCertAuthMethod</name> 
     <value>CLIENT-CERT</value> 
 </variable>
 <variable>
     <name>RealmName</name>  
     <value>myrealm</value>  
 </variable>
</variable-definition>
<module-override>
    <module-name>inv.war</module-name>
    <module-type>war</module-type> <module-descriptor external="false">
      <root-element>web-app</root-element>
      <uri>WEB-INF/web.xml</uri>
 <variable-assignment>
     <name>ClientCertAuthMethod</name>
     <xpath>/web-app/login-config/auth-method</xpath>
     <operation>replace</operation>
 </variable-assignment>
 <variable-assignment>
     <name>RealmName</name>
     <xpath>/web-app/login-config/realm-name</xpath>
     <operation>add</operation>
  </variable-assignment>
    </module-descriptor>
</module-override> 
Save and close the Plan.xml/ClusterPlan.xml file.
Update the deployment plan for the currently-deployed UIM application:
Log in to the WebLogic Server Administration Console.
In the Domain Structure tree, expand Environment, and click Deployments.
The Summary of Deployments screen appears.
Select the check box for oracle.communications.inventory.
Click Update.
The Update Application Assistant page appears.
Select Update this application in place with new deployment plan changes and click Next.
(Optional) Click Change Path beside the Deployment Plan Path filed and browse to the location of the Plan.xml/ClusterPlan.xml file.
The Summary page appears.
Click Finish.
In the Change Center of the Administration Console, click Activate Changes, which activates these changes.
You must configure the mod_wl_ohs plug-in and edit the mod_wl_ohs.conf file to enable the Oracle HTTP Server instances to forward requests to the applications deployed on the Oracle WebLogic server or clusters.
For more information, see Oracle Fusion Middleware Using Web Server Plug-Ins with Oracle WebLogic Server.
Configuring the mod_wl_ohs plug-in involves the following tasks:
To configure the WebLogic Proxy Plug-in
Log in to the Oracle WebLogic Server administration console.
In the Domain Structure tree, expand Environment, and do one of the following:
Select Clusters (if the server instances to which you want to proxy requests from Oracle HTTP Server are in a cluster)
Select Servers.
The Summary of Servers page appears.
Select the server or cluster to which you want to proxy requests from Oracle HTTP Server.
Click the Configuration tab.
On the General tab, in the Advanced section, select the WebLogic Plug-In Enabled check box.
If you selected Servers in step 2, repeat steps 3 and 4 for the other servers to which you want to proxy requests from Oracle HTTP Servers.
Click Save.
Restart the WebLogic server.
To edit the mod_wl_ohs.conf file:
Open the mod_wl_ohs.conf file from the following location:
Domain_Home/config/fmwconfig/components/OHS/ohs1/
where:
Domain_Home is the directory containing the configuration for the domain into which UIM is installed.
Add directives within the <IfModule weblogic_module> element in the configuration file as follows:
To forward requests to the UIM application running on a single Oracle WebLogic Server instance, specify /Inventory within the <location> element as follows:
<IfModule weblogic_module> <Location /Inventory> SetHandler weblogic-handler WebLogicHost host WebLogicPort port </Location> </IfModule>
where:
host is the name of the WebLogic Administration server machine
port is the port of the server on which UIM is installed
To forward requests to the UIM application running on a cluster of Oracle WebLogic Server instances, specify /Inventory within a new <location> element as follows:
<IfModule weblogic_module> <Location /Inventory> SetHandler weblogic-handler WebLogicCluster host1:port1,host2:port2 </Location> </IfModule>
where:
host1 and host 2 are host names of the managed servers
port1 and port2 are ports of the managed servers
To forward requests to the UIM Web services running on a single Oracle WebLogic Server instance, specify /InventoryWS within the <location> element as follows:
<IfModule weblogic_module> <Location /InventoryWS> SetHandler weblogic-handler WebLogicHost host WebLogicPort port </Location> </IfModule>
where:
host is the name of the WebLogic Administration server machine
port is the port of the server on which UIM is installed
To forward requests to the UIM Web services running on a cluster of Oracle WebLogic Server instances, specify /InventoryWS within a new <location> element as follows:
<IfModule weblogic_module> <Location /InventoryWS> SetHandler weblogic-handler WebLogicCluster host1:port1,host2:port2 </Location> </IfModule>
where:
host1 and host 2 are host names of the managed servers
port1 and port2 are ports of the managed servers
To forward requests to the UIM application running on a single Oracle WebLogic Server instance into which you want to deploy cartridges, specify /cartridge within the <location> element as follows:
<IfModule weblogic_module> <Location /cartridge> SetHandler weblogic-handler WebLogicHost host WebLogicPort port </Location> </IfModule>
where:
host is the name of the WebLogic Administration server machine
port is the port of the server on which UIM is installed
To forward requests to the UIM application running on a cluster of Oracle WebLogic Server instances into which you want to deploy cartridges, specify /cartridge within a new <location> element as follows:
<IfModule weblogic_module> <Location /cartridge> SetHandler weblogic-handler WebLogicHost host WebLogicPort ms_port </Location> </IfModule>
where:
host is the machine where the managed server is running
ms_port is the port of the managed server running on the host specified in the host variable above
For example, if a managed server uim_ms1 with listen port 8065 is running on the machine UIM1, you must specify the following:
<IfModule weblogic_module> <Location /cartridge> SetHandler weblogic-handler WebLogicHost UIM1 WebLogicPort 8065 </Location> </IfModule>
You must protect resources (for example, the UIM application) in Oracle Access Manager for SSO authentication. For more information, see Fusion Middleware Administrator's Guide for Oracle Access Management.
To protect resources for SSO authentication:
Open the Oracle Access Management Console.
On the Policy Configuration tab, expand the Application Domains node.
Expand the node for the application domain.
Within the application domain, expand the Resources node.
Click the Resources tab, and then click the New Resource button in the upper-right corner of the Search page.
The Resource Definition page appears.
Do the following to configure the UIM application as a protected resource for SSO authentication:
From the Type list, select HTTP.
In the Resource URL field, enter /Inventory/*.
From the Protection Level list, select Protected.
Click Apply.
You can exclude HTTP resources that do not require SSO authentication. For example, when accessing a Web Services Description Language (WSDL) document for Web services. The excluded resources are public and do not require an OAM Server check for authentication.
When allowing access to excluded resources, WebGate does not contact the OAM Server. Excluded resources cannot be added to any user-defined policy in the console. For more information, see Fusion Middleware Administrator's Guide for Oracle Access Management.
To exclude resources from SSO authentication:
Open the Oracle Access Management Console.
On the Policy Configuration tab, expand the Application Domains node.
Expand the node for the application domain.
Within the application domain, expand the Resources node.
Click the Resources tab, and then click the New Resource button in the upper-right corner of the Search page.
The Resource Definition page appears.
Do the following to exclude UIM Web services from SSO authentication:
From the Type list, select HTTP.
In the Resource URL field, enter /InventoryWS/.../*.
From the Protection Level list, select Excluded.
Click Apply.
Click the New Resource button in the upper-right corner of the Search page.
The Resource Definition page appears.
Do the following to exclude the UIM cartridge deployment process from SSO authentication:
From the Type list, select HTTP.
In the Resource URL field, enter /cartridge/.../*.
From the Protection Level list, select Excluded.
Click Apply.