Enabling OSSO for EPM System

This section assumes that you have a fully configured OSSO infrastructure. See the Oracle Application Server Administrator's Guide.

Registering EPM System Web Server as a Partner Application

You use the Oracle Identity Manager SSO registration tool (ssoreg.sh or ssoreg.bat) to register Oracle Enterprise Performance Management System web server as a partner application on the Oracle HTTP Server that front-ends the OSSO Server.

Perform this procedure on the server that hosts the Oracle HTTP Server that front-ends the OSSO Server. This process generates and stores an obfuscated osso.conf in the location of your choice.

To register EPM System web server as a partner application:

  1. Open a console on the server that hosts the Oracle HTTP Server that front-ends the OSSO Server and navigate to the ORACLE_HOME/sso/bin directory of Oracle HTTP Server; for example, C:/OraHome_1/sso/bin (Windows).
  2. Execute a command similar to the following with the -remote_midtier option:
    ssoreg.bat -site_name epm.myCompany.com ^
    -mod_osso_url http://epm.myCompany.com:19400 ^
    -config_mod_osso TRUE ^
    -update_mode CREATE ^
    -remote_midtier ^
    -config_file C:\OraHome_1\myFiles\osso.conf

    The following explains the parameters used in this command. In this description, partner application refers to the Oracle HTTP Server that is used as the EPM System web server.

    • -site_name identifies the web site of the partner application; for example, epm.myCompany.com.
    • -mod_osso_url indicates the partner application URL, in PROTOCOL://HOST_NAME:PORT format. This is the URL at which the EPM System web server accepts incoming client requests; for example, http://epm.myCompany.com:19000.
    • -config_mod_osso identifies that the partner application uses mod_osso. You must include the config_mod_osso parameter to generate osso.conf.
    • -update_mode indicates the update mode. Use CREATE, the default, to generate a new record.
    • -remote_midtier specifies that the mod_osso partner application is at a remote mid-tier. Use this option when the partner application is at a different ORACLE_HOME than that of the OSSO Server.
    • -virtualhost indicates that the partner application URL is a virtual host. Do not use this parameter if you are not using a virtual host.

      If you are registering a partner application URL tied to a virtual host, you must define the virtual host in httpd.conf. See Optional: Defining the Virtual Host.

    • -config_file indicates the path where the osso.conf file is to be generated.

Optional: Defining the Virtual Host

If you used a virtual host URL while registering the partner application, you must define the virtual host by updating httpd.conf on the Oracle HTTP Server that is used as the EPM System web server.

To define a virtual host:

  1. Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/httpd.conf.
  2. Add a definition similar to the following. This definition assumes that the web server is running on the virtual server epm.myCompany.com at port 19400. Modify the settings to suit your requirements.
    NameVirtualHost epm.myCompany.com:19400
    Listen 19400
    <VirtualHost epm.myCompany.com:19400>
       DocumentRoot "C:/Oracle/Middleware/user_projects/epmsystem1/httpConfig/ohs/config/OHS/ohs_component/private-docs"
       include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/mod_osso.conf"
    </VirtualHost>

Creating mod_osso.conf

Create mod_osso.conf on the Oracle HTTP Server that front-ends the EPM System web server.

To create mod_osso.conf:

  1. Using a text editor, create a file.
  2. Copy the following content into the file and modify it for your environment.
    LoadModule osso_module C:/Oracle/Middleware/ohs/ohs/modules/mod_osso.so
    <IfModule mod_osso.c>
       OssoIpCheck off
       OssoIdleTimeout off
       OssoSecureCookies off 
       OssoConfigFile C:/Oracle/Middleware/user_projects/epmsystem1/httpConfig/ohs/config/OHS/ohs_component/osso/osso.conf
  3. Within the <IfModule mod_osso.c> definition, include location definitions similar to the following to identify each resource that you plan to protect using OSSO.
       <Location /interop/>
          require valid-user
          AuthType Osso
       </Location>
    </IfModule>
    
  4. Save the file as mod_osso.conf.
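
As an added example (not Oracle's code), the following Python check can be run against a finished mod_osso.conf before Oracle HTTP Server is restarted. It lists each Location block that lacks either AuthType Osso or require valid-user, and reports the Osso* switches that are set to off so that the choice is reviewed deliberately. The /workspace/ location in the sample and the decision to treat off as a review item are assumptions of this example.

```python
import re

# Constructed sample: this page's settings plus a hypothetical /workspace/ Location with no AuthType.
SAMPLE = """\
<IfModule mod_osso.c>
   OssoIpCheck off
   OssoIdleTimeout off
   OssoSecureCookies off
   OssoConfigFile C:/Oracle/Middleware/user_projects/epmsystem1/httpConfig/ohs/config/OHS/ohs_component/osso/osso.conf
   <Location /interop/>
      require valid-user
      AuthType Osso
   </Location>
   <Location /workspace/>
      require valid-user
   </Location>
</IfModule>
"""

REQUIRED = {"authtype osso", "require valid-user"}   # both needed in every Location
REVIEW_IF_OFF = ("OssoIpCheck", "OssoIdleTimeout", "OssoSecureCookies")

def audit(text):
    """Return (findings, protected_paths) for the text of a mod_osso.conf."""
    findings, protected, settings = [], [], {}
    location, seen = None, set()
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+?)>$", line, re.I)
        if opened:
            location, seen = opened.group(1), set()
        elif line.lower() == "</location>":
            missing = sorted(REQUIRED - seen)
            if missing:
                findings.append(f"{location}: missing {', '.join(missing)}")
            else:
                protected.append(location)
            location = None
        elif location is not None:
            seen.add(" ".join(line.lower().split()))   # normalise case and spacing
        elif not line.startswith("<"):
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    findings += [f"{n} is off" for n in REVIEW_IF_OFF if settings.get(n.lower()) == "off"]
    if "ossoconfigfile" not in settings:
        findings.append("OssoConfigFile is not set")
    return findings, protected

if __name__ == "__main__":
    print(*audit(SAMPLE)[0], sep="\n")
```

To check a real file, pass its contents to audit(); a Location written with "require valid user" (no hyphen) is reported as missing require valid-user.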

Relocating osso.conf

The process of registering EPM System web server as a partner application (see Registering EPM System Web Server as a Partner Application) creates an obfuscated osso.conf file in the location identified by the -config_file directive.

To relocate osso.conf:

  1. Locate the osso.conf that was created when you registered EPM System web server as a partner application (see Registering EPM System Web Server as a Partner Application).
  2. Copy osso.conf into the directory (on Oracle HTTP Server that front-ends the OSSO Server) identified by the OssoConfigFile property defined in mod_osso.conf (see Creating mod_osso.conf).

Configuring EPM System for OSSO

Configure the OID that is integrated with the OSSO solution as an external user directory in EPM System, and then enable SSO.

To configure EPM System for OSSO:

  1. Configure the OID that the OSSO solution uses as an external user directory. See "Configuring OID, Active Directory, and Other LDAP-Based User Directories" in the Oracle Enterprise Performance Management System User Security Administration Guide.
  2. Enable SSO in EPM System. See Configuring EPM System for SSO.

    Note:

    To configure OSSO as the identity management solution, you must choose Other in SSO Provider or Agent, Custom HTTP Header in SSO Mechanism, and enter Proxy-Remote-User as the name of the custom HTTP header.
  3. Provision at least one OID user as Oracle Hyperion Shared Services administrator.
  4. Restart EPM System products and custom applications that use the Shared Services security APIs.

    Note:

    Ensure that the OID configured with Shared Services is running before starting EPM System products.

Optional: Enabling Debugging Messages on the OSSO Server

To record debugging messages on the OSSO server, modify policy.properties. Debugging messages are written to ORACLE_HOME/sso/log/ssoServer.log.

To record debug messages:

  1. Using a text editor, open ORACLE_HOME/sso/conf/policy.properties; for example, C:\OraHome_1\sso\conf\policy.properties, on the OSSO server.
  2. Set the value of the debugLevel property to DEBUG.
    debugLevel = DEBUG
  3. Save and close policy.properties.

Optional: Enabling Debugging Messages for Protected Resources

To record OSSO debugging messages for resources protected using mod_osso.conf, modify httpd.conf on the EPM System web server. Debugging messages are written to EPM_ORACLE_INSTANCE/httpConfig/ohs/diagnostics/logs/OHS/ohs_component/ohs_component.log.

To record debugging messages for protected resources:

  1. Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/httpd.conf.
  2. Set the value of the OraLogSeverity property to TRACE.
    OraLogSeverity TRACE:32
  3. Save and close httpd.conf.