Install SSO on Oracle Access Manager 12c

  1. Navigate to the Oracle Access Manager 12c Oracle Access Manager Console URL (http://oam_server:port/oamconsole) and login with the Oracle Access Manager Admin credentials.
  2. Click Agents.
  3. On the SSO Agents tab, click the Create Webgate button and enter the following details:
    • Name: ArgusAnalyticsPolicy
    • Security: Open
    • Host Identifier: <oas_server>
    • Auto Create Policies: Checked

      Note:

      The <oas_server> refers to the server where the Oracle Analytics Server is installed along with Oracle Web Tier and Oracle Webgate.
  4. Click Apply to save the changes.
  5. On the subsequent page, update the details for the ArgusAnalyticsPolicy created in the above step:
    • Cache Pragma Header: Private
    • Cache Control Header: Private
  6. Click Apply.
  7. Navigate to Application Security > Host Identifiers.
  8. Search for ArgusAnalyticsPolicy, click the Search Results tab, and add the following details:
    • <oas_server>
    • <oas_server> <port>
    • <oas_server_ip>
    • <oas_server_ip> <port>

      Note:

      <oas_server> refers to the server where the Oracle Analytics Server is installed along with Oracle Web Tier and Oracle Webgate. The port refers to the Oracle Web Tier Port.

    Example:

      Hostname               Port
      oas_server.oracle.com  --
      oas_server.oracle.com  7777
      <ip address>           --
      <ip address>           7777

  9. Navigate to Application Security > Access Manager > Application Domains.
  10. Search for ArgusAnalyticsPolicy, and click Search Results.
  11. Ensure that the Authentication Scheme is set as LDAPScheme.
  12. Ensure that the following resources are present:
    • /
    • /…/*
  13. Add the following Response variables:
    • Name: OAM_REMOTE_USER
    • Type: Header
    • Value: $user.attr.uid [based on the LDAP schema setup]
  14. Click Apply and save the changes.
  15. Expand and double-click Application Domains > ArgusAnalyticsPolicy > Authorization Policies > Protected Resource Policy.
  16. Ensure that the following resources are present:
    • /
    • /…/*
  17. Add the following Response variables:
    • Name: OAM_REMOTE_USER
    • Type: Header
    • Value: $user.attr.uid [based on the LDAP schema setup]
  18. Click Apply to save the changes.
  19. Navigate to the OPVA Web Tier Machine [<oas_server>], which is the machine where you have installed the OPVA Oracle Analytics Server, and run the installer for Webgate (OFM Webgate 12c for Oracle Access Manager 12c) to complete the installation.
  20. Configure the 12c Webgate using the following steps to communicate with the Oracle Access Manager 12c server:

    Note:

    Refer to the following link for advanced details:

    http://docs.oracle.com/cd/E21764_01/install.1111/e12002/webgate.htm

    1. Move to the following directory under your Oracle Home for Webgate:

      On UNIX Operating Systems:

      <Webgate_Home>/webgate/ohs/tools/deployWebGate

      On Windows Operating Systems:

      <Webgate_Home>\webgate\ohs\tools\deployWebGate

    2. On the command line, run the following command to copy the required agent files from the Webgate_Home directory to the Webgate Instance location:

      On UNIX Operating Systems:

      ./deployWebgateInstance.sh -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home>

      On Windows Operating Systems:

      deployWebgateInstance.bat -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home>

      Where <Webgate_Oracle_Home> is the directory in which you have installed Oracle HTTP Server Webgate and which serves as the Oracle Home for Webgate, as shown in the following example:

      <MW_HOME>/Oracle_OAMWebGate1

      The <Webgate_Instance_Directory> is the location of Webgate Instance Home, which is the same as the Instance Home of Oracle HTTP Server, as shown in the following example:

      <MW_HOME>/Oracle_WT1/instances/instance2/config/OHS/ohs1
    3. Run the following command to ensure that the LD_LIBRARY_PATH variable contains <Oracle_Home_for_Oracle_HTTP_Server>/lib:

      On UNIX (depending on the shell):

      export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<Oracle_Home_for_Oracle_HTTP_Server>/lib

      On Windows:

      Set the <Webgate_Installation_Directory>\webgate\ohs\lib location and the <Oracle_Home_for_Oracle_HTTP_Server>\bin location in the PATH environment variable. Add a semicolon (;) followed by this path at the end of the entry for the PATH environment variable.

    4. From your present working directory, move up one directory level:

      On UNIX Operating Systems, move to:

      <Webgate_Home>/webgate/ohs/tools/setup/InstallTools

      On Windows Operating Systems, move to:

      <Webgate_Home>\webgate\ohs\tools\EditHttpConf

    5. On the command line, run the following command to copy the apache_webgate.template from the Webgate_Home directory to the Webgate Instance location (renamed to webgate.conf) and update the httpd.conf file to add one line to include the name of webgate.conf:

      On UNIX operating systems:

      ./EditHttpConf -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home> -o <output_file>

      On Windows operating systems:

      EditHttpConf.exe -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home> -o <output_file>

      Where <Webgate_Oracle_Home> is the directory where you have installed Oracle HTTP Server Webgate for Oracle Access Manager and created as the Oracle Home for Webgate, as shown in the following example:

      <MW_HOME>/Oracle_OAMWebGate1

      The <Webgate_Instance_Directory> is the location of Webgate Instance Home, which is the same as the Instance Home of Oracle HTTP Server, as shown in the following example:

      <MW_HOME>/Oracle_WT1/instances/instance2/config/OHS/ohs1

      The <output_file> is the name of the temporary output file used by the tool, as shown in the following example:

      Edithttpconf.log
    6. Copy Generated Files (Artifacts) to the Webgate Instance Location from the Oracle Access Manager 12c server.

      The 12c Webgate Agent (ArgusAnalyticsPolicy), which was created in the Oracle Access Manager 12c Oracle Access Manager Console earlier, also created the following artifacts on the Oracle Access Manager 12c server:

      cwallet.sso

      ObAccessClient.xml

      This is based on the Security Mode that you have configured, which in this case is Open.

      On the Oracle Access Manager 12c server, these files are present at the following location:

      <OAM_FMW_HOME>/user_projects/domains/<OAM_domain>/output/ArgusAnalyticsPolicy

      Copy these files to the following directory on the <oas_server>:

      <Webgate_Instance_Directory>/webgate/config

      [Example: <MW_HOME>/Oracle_WT1/instances/instance2/config/OHS/ohs1/webgate/config]
    7. Restart the Oracle HTTP Server Instance.

      To stop the Oracle HTTP Server instance, run the following command on the command line:

      <MW_HOME>/Oracle_WT1/instances/instance2/bin/opmnctl stopall

      To restart the Oracle HTTP Server instance, run the following command on the command line:

      <MW_HOME>/Oracle_WT1/instances/instance2/bin/opmnctl startall
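    The following Python script is an added post-deployment check for steps 20.2 through 20.7; it is not part of the Oracle documentation or of any Oracle tool. It verifies that a Webgate-enabled OHS instance directory (the <Webgate_Instance_Directory> above) holds the two artifacts copied in step 20.6, that EditHttpConf generated webgate.conf, and that httpd.conf has a live (uncommented) Include line for it. The directory layout it builds for demonstration is a constructed throwaway, with placeholder file contents; the artifact names, the webgate/config location, and the Include line are the ones the steps above describe.

```python
import os
import re
import tempfile

# Artifacts that step 20.6 copies from the OAM server into
# <Webgate_Instance_Directory>/webgate/config.
REQUIRED_ARTIFACTS = ("cwallet.sso", "ObAccessClient.xml")


def check_webgate_instance(instance_dir):
    """Return a list of problems found in a Webgate-enabled OHS instance.

    An empty list means every check passed. Checks performed:
      * webgate/config/cwallet.sso and ObAccessClient.xml exist and are non-empty
      * webgate.conf (generated by EditHttpConf) sits next to httpd.conf
      * httpd.conf contains an uncommented Include directive naming webgate.conf
    """
    problems = []
    config_dir = os.path.join(instance_dir, "webgate", "config")
    for name in REQUIRED_ARTIFACTS:
        path = os.path.join(config_dir, name)
        if not os.path.isfile(path):
            problems.append("missing artifact: %s" % path)
        elif os.path.getsize(path) == 0:
            problems.append("empty artifact: %s" % path)

    webgate_conf = os.path.join(instance_dir, "webgate.conf")
    if not os.path.isfile(webgate_conf):
        problems.append("webgate.conf not generated in %s" % instance_dir)

    httpd_conf = os.path.join(instance_dir, "httpd.conf")
    if not os.path.isfile(httpd_conf):
        problems.append("httpd.conf not found in %s" % instance_dir)
    else:
        with open(httpd_conf) as fh:
            text = fh.read()
        # A commented-out Include line must not count as an active one.
        if not re.search(r"^\s*include\s+.*webgate\.conf", text,
                         re.IGNORECASE | re.MULTILINE):
            problems.append("httpd.conf does not Include webgate.conf")
    return problems


def build_sample_instance(complete=True):
    """Create a constructed, throwaway instance layout for demonstration only.

    With complete=False the ObAccessClient.xml artifact is omitted, which is
    what the instance looks like when step 20.6 was skipped or half done.
    """
    root = tempfile.mkdtemp(prefix="ohs1_")
    os.makedirs(os.path.join(root, "webgate", "config"))
    with open(os.path.join(root, "httpd.conf"), "w") as fh:
        fh.write("# constructed httpd.conf for the demonstration\n")
        fh.write('include "%s"\n' % os.path.join(root, "webgate.conf"))  # line EditHttpConf adds
    with open(os.path.join(root, "webgate.conf"), "w") as fh:
        fh.write("# constructed placeholder for the generated webgate.conf\n")
    artifacts = REQUIRED_ARTIFACTS if complete else REQUIRED_ARTIFACTS[:1]
    for name in artifacts:
        with open(os.path.join(root, "webgate", "config", name), "w") as fh:
            fh.write("constructed placeholder for %s\n" % name)
    return root


if __name__ == "__main__":
    for complete in (True, False):
        inst = build_sample_instance(complete)
        found = check_webgate_instance(inst)
        print(inst, "OK" if not found else found)
```

Run it against a real instance by calling check_webgate_instance with the path from step 20.2 instead of the constructed one; an empty result means the instance is ready for the restart in step 20.7, and each reported problem names the step whose output is missing.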
  21. Configure the HTTP Server as a reverse proxy for the WebLogic Server. To execute this, modify the mod_wl_ohs.conf file present at the following location: OracleWebTierHome\instances\instance2\config\OHS\ohs1

    The following is a template to configure mod_weblogic:

      LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
      # This empty block is needed to save mod_wl related configuration from EM to this file when changes are made at the Base Virtual Host Level
      <IfModule weblogic_module>
      # WebLogicHost <WEBLOGIC_HOST>
      # WebLogicPort <WEBLOGIC_PORT>
      # Debug ON
      # WLLogFile /tmp/weblogic.log
      # MatchExpression *.jsp
      <Location /console>
        SetHandler weblogic-handler
        WebLogicHost hsdevwv0096.oracle.com
        WeblogicPort 7001
        WLProxySSL ON
        WLProxySSLPassThrough ON
      </Location>
      <Location /em>
        SetHandler weblogic-handler
        WebLogicHost hsdevwv0096.oracle.com
        WeblogicPort 7001
        WLProxySSL ON
        WLProxySSLPassThrough ON
      </Location>
      <Location /analytics>
        SetHandler weblogic-handler
        WebLogicHost hsdevwv0096.oracle.com
        WeblogicPort 9704
        WLProxySSL ON
        WLProxySSLPassThrough ON
      </Location>
      <Location /analyticsRes>
        SetHandler weblogic-handler
        WebLogicHost hsdevwv0096.oracle.com
        WeblogicPort 9704
        WLProxySSL ON
        WLProxySSLPassThrough ON
      </Location>
      <Location /xmlpserver>
        SetHandler weblogic-handler
        WebLogicHost hsdevwv0096.oracle.com
        WeblogicPort 9704
        WLProxySSL ON
        WLProxySSLPassThrough ON
      </Location>
      </IfModule>
      # <Location /weblogic>
      # SetHandler weblogic-handler
      # PathTrim /weblogic
      # ErrorPage http://WEBLOGIC_HOME:WEBLOGIC_PORT/
      # </Location>

    Restart the Web Tier Instance in WebLogic EM or as described above.
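    The following Python script is an added review helper for the mod_wl_ohs.conf template in step 21; it is not Oracle code and mod_wl_ohs itself does not ship it. It parses the live <Location> blocks (commented-out blocks such as the /weblogic sample are ignored, since Apache ignores them too), lists which back end each proxied path is forwarded to, and flags any block that lacks SetHandler, WebLogicHost or WebLogicPort. SAMPLE_CONF is a constructed, shortened copy of the template above; the directive names are the real mod_wl_ohs ones, and since Apache directive names are case-insensitive, WebLogicPort and WeblogicPort are treated as the same directive.

```python
import re

# Constructed, shortened copy of the step 21 template (two of its five Location blocks).
SAMPLE_CONF = """\
LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
<IfModule weblogic_module>
# WebLogicHost <WEBLOGIC_HOST>
# WebLogicPort <WEBLOGIC_PORT>
<Location /console>
  SetHandler weblogic-handler
  WebLogicHost hsdevwv0096.oracle.com
  WeblogicPort 7001
  WLProxySSL ON
  WLProxySSLPassThrough ON
</Location>
<Location /analytics>
  SetHandler weblogic-handler
  WebLogicHost hsdevwv0096.oracle.com
  WeblogicPort 9704
  WLProxySSL ON
  WLProxySSLPassThrough ON
</Location>
</IfModule>
# <Location /weblogic>
# SetHandler weblogic-handler
# PathTrim /weblogic
# </Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>",
                         re.IGNORECASE | re.DOTALL)
# Directives every proxied Location block needs (stored lower-cased).
REQUIRED = ("sethandler", "weblogichost", "weblogicport")


def strip_comments(text):
    """Drop comment lines so commented-out sample blocks are not parsed as live config."""
    return "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))


def parse_locations(text):
    """Return {path: {directive_lowercase: value}} for every live <Location> block."""
    result = {}
    for match in LOCATION_RE.finditer(strip_comments(text)):
        path, body = match.group(1), match.group(2)
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            key, _, value = line.partition(" ")
            directives[key.lower()] = value.strip()  # directive names are case-insensitive
        result[path] = directives
    return result


def lint_locations(locations):
    """Return problems: a required directive missing, or a handler other than weblogic-handler."""
    problems = []
    for path, d in sorted(locations.items()):
        for req in REQUIRED:
            if req not in d:
                problems.append("%s: missing %s" % (path, req))
        if d.get("sethandler", "").lower() != "weblogic-handler":
            problems.append("%s: SetHandler is not weblogic-handler" % path)
    return problems


def backend_map(locations):
    """Return {path: 'host:port'} so the proxied back ends can be reviewed at a glance."""
    return {p: "%s:%s" % (d.get("weblogichost"), d.get("weblogicport"))
            for p, d in locations.items()}


if __name__ == "__main__":
    locs = parse_locations(SAMPLE_CONF)
    for path, backend in sorted(backend_map(locs).items()):
        print("%-15s -> %s" % (path, backend))
    print("problems:", lint_locations(locs) or "none")
```

Point parse_locations at the contents of the real mod_wl_ohs.conf to get the same path-to-back-end listing for the instance; a path that is proxied but missing from this listing is one that the OAM resource definitions in steps 12 and 16 will not be protecting through this Web Tier.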

  22. Configure a new Authenticator for Oracle WebLogic Server on the Oracle Analytics Server using the following steps:
    1. Login to the WebLogic Server Administrator Console and navigate to Security Realms > myrealm.
    2. Click the Providers tab.
    3. Click Lock & Edit on the right corner of the webpage, highlighted as Change Center.
    4. Click New to create a new Authentication Provider and add the following details:

      Name: OPVAOIDAuthenticator, or a name of your choice

      Type: OracleInternetDirectoryAuthenticator

    5. After saving the details, click the new Authenticator that you have created and enter the following details:

      In the sub tab, set the Control Flag to SUFFICIENT.

    6. Click Save.
    7. Click the Provider Specific tab and enter the following required settings using values for your environment:
      • Host: Your LDAP host.

        For example: oid_server.oracle.com

      • Port: Your LDAP host listening port.

        For example: 3060

      • Principal: LDAP administrative user.

        For example: cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com

      • Credential: LDAP administrative user password

      • User Base DN: Same searchbase as in Oracle Access Manager.

        For example: cn=Users,dc=us,dc=oracle,dc=com

      • All Users Filter:

        For example: (&(uid=*)(objectclass=person))

      • User Name Attribute: Set as the default attribute for username in the directory server.

        For example: uid

      • Group Base DN: The group searchbase

        For example: cn=Groups,dc=us,dc=oracle,dc=com

      • Leave the other defaults as is.
      • GUID Attribute: The GUID attribute defined in the OID LDAP Server

        For example: uid

      • Click Save.
  23. Configure a new Identity Asserter for WebLogic Server using the following steps:
    1. In the Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm which you want to configure. For example, myrealm. Select Providers.
    2. Click New and enter the following values in the fields:

      Name: OPVAOAMIdentityAsserter, or a name of your choice

      Type: OAMIdentityAsserter

    3. Click OK.
    4. Click on the newly created Asserter and set the Control Flag to REQUIRED.
    5. Ensure that the Active Types that you have selected is OAM_REMOTE_USER.
    6. Click Save.
    7. Navigate to the Provider Specific tab and enter the following details:
      • Transport Security: open

      • Application Domain: ArgusAnalyticsPolicy, as set in the Oracle Access Manager 12c Console

      • Access Gate Name: ArgusAnalyticsPolicy, as specified in the Oracle Access Manager 12c Console

      • Primary Access Server: oam_server.oracle.com:5575, Oracle Access Manager 12c server with port

      • Click Save.

    8. In the Providers tab, perform the following steps to reorder Providers:
      • Click Reorder.
      • On the Reorder Authentication Providers page, select a Provider Name and use the arrows beside the list to order the providers as follows:

        OPVAOAMIdentityAsserter

        OPVAOIDAuthenticator

        DefaultAuthenticator

        DefaultIdentityAsserter

      • Click OK to save your changes.
    9. In the Providers tab, click Default Authenticator and change the Control Flag to Sufficient.
    10. In the Change Center, click Activate Changes.
    11. Restart Oracle WebLogic Server.
  24. Delete the BISystemUser present in the default embedded LDAP (using Security Realms in the Administration Console of the WebLogic Server) and add the same or another user in the newly added OID. This user also needs to be added to the Oracle Analytics Application Roles, using the following steps:
    1. Navigate to Administration Console > Security Realms > myrealm > Users and Groups > Users and select the checkbox against BISystemUser (from Provider: Default Authenticator).
    2. Click Delete.
    3. Navigate to Security Realms > myrealm > Roles and Policies > Realm Roles.
    4. In the tree structure, expand Global Roles node and select the Roles link.
    5. In the subsequent screen, click the Admin Role link.
    6. Click the Add Conditions button.
    7. In the next screen, select the Predicate List as User and click Next.
    8. In the User Argument Name, enter BISystemUser and click ADD.
    9. Click Finish.
    10. In the Role Conditions screen, ensure that the set operator is set to Or.
    11. Save the configuration.
    12. Open the Oracle Enterprise Manager of Oracle Analytics Server or the Oracle Fusion Middleware Control page and, in the tree structure, navigate to the Business Intelligence > coreapplication node.
    13. In the Oracle Analytics drop-down menu, select Security > Application Roles.
    14. In the Roles displayed, select BISystem and in the next screen remove the old BISystemUser (from the Default Provider) and add the newly created BISystemUser user in OID.
    15. Add the trusted user's credentials to the oracle.bi.system credential map.
    16. Using Oracle Fusion Middleware Control target navigation pane, navigate to farm > WebLogic Domain, and select bifoundation_domain.
      • Using the WebLogic Domain menu, select Security > Credentials.
      • Open the oracle.bi.system credential map, and select system.user.
      • Click Edit.
      • In the Edit Key dialog box, enter BISystemUser (or the name that you have selected) in the User Name field.
      • In the Password field, enter the trusted user's password that is contained in Oracle Internet Directory.
      • Click OK.
    17. Restart the Managed Servers.
  25. Enable the SSO Authentication in the Weblogic Server for Oracle Analytics Server using the following steps:
    1. Login to Oracle Fusion Middleware Control (EM) of the WebLogic Server.
    2. Go to the Business Intelligence Overview page.
    3. Go to the Security page.
    4. Click Lock and Edit Configuration.
    5. Check Enable SSO; this activates the SSO provider list.
    6. Select the configured SSO provider from the list, as Oracle Access Manager.
    7. In the SSO Provider Logoff URL field, specify the following URL: http://<oam_server>:14100/oam/server/logout
    8. Click Apply.
    9. Click Activate Changes.
    10. Restart the Oracle Analytics components using Oracle Fusion Middleware Control.