Enabling OSSO for EPM System
This section assumes that you have a fully configured OSSO infrastructure. See the Oracle Application Server Administrator's Guide.
Registering EPM System Web Server as a Partner Application
You use the Oracle Identity Manager SSO registration tool (ssoreg.sh or ssoreg.bat) to register Oracle Enterprise Performance Management System web server as a partner application on the Oracle HTTP Server that front-ends the OSSO Server.
Perform this procedure on the server that hosts the Oracle HTTP Server that front-ends the OSSO Server. This process generates and stores an obfuscated osso.conf in the location of your choice.
To register EPM System web server as a partner application:
- Open a console on the server that hosts the Oracle HTTP Server that front-ends the OSSO Server and navigate to the ORACLE_HOME/sso/bin directory of Oracle HTTP Server, for example, to C:/OraHome_1/sso/bin (Windows).
- Execute a command similar to the following with the -remote_midtier option:
    ssoreg.bat -site_name epm.myCompany.com -mod_osso_url http://epm.myCompany.com:19400 -config_mod_osso TRUE -update_mode CREATE -remote_midtier -config_file C:\OraHome_1\myFiles\osso.conf
The following explains the parameters used in this command. In this description, partner application refers to the Oracle HTTP Server that is used as the EPM System web server.
- -site_name identifies the web site of the partner application; for example, epm.myCompany.com.
- -mod_osso_url indicates the partner application URL, in PROTOCOL://HOST_NAME:PORT format. This is the URL at which the EPM System web server accepts incoming client requests; for example, http://epm.myCompany.com:19000.
- -config_mod_osso identifies that the partner application uses mod_osso. You must include the config_mod_osso parameter to generate osso.conf.
- -update_mode indicates the update mode. Use CREATE, the default, to generate a new record.
- -remote_midtier specifies that the mod_osso partner application is at a remote mid-tier. Use this option when the partner application is at a different ORACLE_HOME than that of the OSSO Server.
- -virtualhost indicates that the partner application URL is a virtual host. Do not use this parameter if you are not using a virtual host.
  If you are registering a partner application URL tied to a virtual host, you must define the virtual host in httpd.conf. See Optional: Defining the Virtual Host.
- -config_file indicates the path where the osso.conf file is to be generated.
Optional: Defining the Virtual Host
If you used a virtual host URL while registering the partner application, you must define the virtual host by updating httpd.conf on the Oracle HTTP Server that is used as the EPM System web server.
To define a virtual host:
- Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/httpd.conf.
- Add a definition similar to the following. This definition assumes that the web server is running on the virtual server epm.myCompany.com at port epm.myCompany.com:19400. Modify the settings to suit your requirements.
    NameVirtualHost epm.myCompany.com:19400
    Listen 19400
    <VirtualHost epm.myCompany.com:19400>
    DocumentRoot "C:/Oracle/Middleware/user_projects/epmsystem1/httpConfig/ohs/config/OHS/ohs_component/private-docs"
    include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/mod_osso.conf"
    </VirtualHost>
Creating mod_osso.conf
Create mod_osso.conf on the Oracle HTTP Server that front-ends the EPM System web server.
To create mod_osso.conf:
- Using a text editor, create a file.
- Copy the following content into the file and modify it for your environment.
    LoadModule osso_module C:/Oracle/Middleware/ohs/ohs/modules/mod_osso.so
    <IfModule mod_osso.c>
    OssoIpCheck off
    OssoIdleTimeout off
    OssoSecureCookies off
    OssoConfigFile C:/Oracle/Middleware/user_projects/epmsystem1/httpConfig/ohs/config/OHS/ohs_component/osso/osso.conf
- Within the <IfModule mod_osso.c> definition, include location definitions similar to the following to identify each resource that you plan to protect using OSSO.
    <Location /interop/>
    require valid-user
    AuthType Osso
    </Location>
    </IfModule>
- Save the file as mod_osso.conf.
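A check for the file created in this procedure, as an added example that is not Oracle's code: it reports the three mod_osso switches when they are set to off and any Location block that lacks require valid-user or AuthType Osso. The sample input is constructed; the /workspace/ location and the function name audit_mod_osso are hypothetical.

```python
import re

# Constructed sample: this page's settings plus a hypothetical, unprotected /workspace/.
SAMPLE = """\
<IfModule mod_osso.c>
OssoIpCheck off
OssoIdleTimeout off
OssoSecureCookies off
<Location /interop/>
require valid-user
AuthType Osso
</Location>
<Location /workspace/>
</Location>
</IfModule>
"""

# mod_osso switches that the template turns off; report each for review.
SWITCHES = {
    "ossoipcheck": "OssoIpCheck off: client IP is not checked against the cookie",
    "ossoidletimeout": "OssoIdleTimeout off: inactivity timeout is not enforced",
    "ossosecurecookies": "OssoSecureCookies off: cookies are set without the Secure flag",
}
REQUIRED = ("require valid-user", "AuthType Osso")  # per protected <Location>

def audit_mod_osso(text):
    """Return findings for a mod_osso.conf body; an empty list means clean."""
    findings, location, seen = [], None, set()
    for raw in text.splitlines():
        stripped = " ".join(raw.split())       # collapse whitespace
        line = stripped.lower()                # directive names are case-insensitive
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+([^>]+)>", stripped, re.I)
        if opened:
            location, seen = opened.group(1), set()
        elif line == "</location>":
            findings += [f"{location}: missing '{d}'" for d in REQUIRED if d.lower() not in seen]
            location = None
        elif location is not None:
            seen.add(line)
        else:
            name, _, value = line.partition(" ")
            if name in SWITCHES and value == "off":
                findings.append(SWITCHES[name])
    return findings

if __name__ == "__main__":
    print("\n".join(audit_mod_osso(SAMPLE)))
```

OssoSecureCookies can only be turned on when the partner application URL is served over HTTPS, so review that finding together with the -mod_osso_url value used at registration.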
Relocating osso.conf
The process of registering EPM System web server as a partner application (see Registering EPM System Web Server as a Partner Application) creates an obfuscated osso.conf file in the location identified by the -config_file directive.
To relocate osso.conf:
- Locate the osso.conf that was created when you registered EPM System web server as a partner application (see Registering EPM System Web Server as a Partner Application).
- Copy osso.conf into the directory (on Oracle HTTP Server that front-ends the OSSO Server) identified by the OssoConfigFile property defined in mod_osso.conf (see Creating mod_osso.conf).
Configuring EPM System for OSSO
Configure the OID that is integrated with the OSSO solution as an external user directory in EPM System, and then enable SSO.
To configure EPM System for OSSO:
- Configure the OID that the OSSO solution uses as an external user directory. See "Configuring OID, Active Directory, and Other LDAP-Based User Directories" in the Oracle Enterprise Performance Management System User Security Administration Guide.
- Enable SSO in the EPM System. See Configuring EPM System for SSO.
  Note: To configure OSSO as the identity management solution, you must choose Other in SSO Provider or Agent, Custom HTTP Header in SSO Mechanism, and enter Proxy-Remote-User as the name of the custom HTTP header.
- Provision at least one OID user as Oracle Hyperion Shared Services administrator.
- Restart EPM System products and custom applications that use the Shared Services security APIs.
  Note: Ensure that the OID configured with Shared Services is running before starting EPM System products.
Optional: Enabling Debugging Messages on the OSSO Server
To record debugging messages on the OSSO server, modify policy.properties. Debugging messages are written to ORACLE_HOME/sso/log/ssoServer.log.
To record debug messages:
- Using a text editor, open ORACLE_HOME/sso/conf/policy.properties; for example, C:\OraHome_1\sso\conf\policy.properties, on the OSSO server.
- Set the value of the debugLevel property to DEBUG.
    debugLevel = DEBUG
- Save and close policy.properties.
Optional: Enabling Debugging Messages for Protected Resources
To record OSSO debugging messages for resources protected using mod_osso.conf, modify httpd.conf on the EPM System web server. Debugging messages are written to EPM_ORACLE_INSTANCE/httpConfig/ohs/diagnostics/logs/OHS/ohs_component/ohs_component.log.
To record debugging messages for protected resources:
- Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/httpd.conf.
- Set the value of the OraLogSeverity property to TRACE.
    OraLogSeverity TRACE:32
- Save and close httpd.conf.