24 Configuring Single Sign-On for an Enterprise Deployment
You need to configure the Oracle HTTP Server WebGate in order to enable single sign-on with Oracle Access Manager.
- About Oracle Webgate
Oracle WebGate is a web server plug-in that intercepts HTTP requests and forwards them to an existing Oracle Access Manager instance for authentication and authorization. - General Prerequisites for Configuring Oracle HTTP Server WebGate
Before you can configure Oracle HTTP Server WebGate, you must have installed and configured a certified version of Oracle Access Manager. - Configuring Oracle HTTP Server 12c WebGate for an Enterprise Deployment
You need to perform the following steps in order to configure Oracle HTTP Server 12c WebGate for Oracle Access Manager on both WEBHOST1 and WEBHOST2. - Configuring Oracle Traffic Director 12c WebGate for an Enterprise Deployment
You will need to perform the following steps in order to configure Oracle Traffic Director (OTD) 12c WebGate for Oracle Access Manager on both WEBHOST1 and WEBHOST2. - Copying WebGates Artifacts to Web Tier
When you created your Oracle Access Management installation, a WebGate calledWebgate_IDM
was created. In order for WebGate to communicate with the Access servers, you must copy the artifacts associated with this WebGate to the web tier. - Restarting the Oracle HTTP Server Instance
- Setting Up the WebLogic Server Authentication Providers
To set up the WebLogic Server authentication providers, back up the configuration files, set up the Oracle Access Manager Identity Assertion Provider and set the order of providers. - Configuring Oracle ADF and OPSS Security with Oracle Access Manager
Some Oracle Fusion Middleware management consoles use Oracle Application Development Framework (Oracle ADF) security, which can integrate with Oracle Access Manager Single Sign On (SSO). These applications can take advantage of Oracle Platform Security Services (OPSS) SSO for user authentication, but you must first configure the domain-leveljps-config.xml
file to enable these capabilities.
About Oracle Webgate
Oracle WebGate is a web server plug-in that intercepts HTTP requests and forwards them to an existing Oracle Access Manager instance for authentication and authorization.
For Oracle Fusion Middleware 12c, the Oracle WebGate software is installed as part of the Oracle HTTP Server 12c software installation. See Registering and Managing OAM 11g Agents in Adminstrator’s Guide for Oracle Access Management. Oracle WebGate is available for Oracle HTTP Server and Oracle Traffic Director.
Parent topic: Configuring Single Sign-On for an Enterprise Deployment
General Prerequisites for Configuring Oracle HTTP Server WebGate
Before you can configure Oracle HTTP Server WebGate, you must have installed and configured a certified version of Oracle Access Manager.
For the most up-to-date information, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.
For WebGate certification matrix, click and open http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oam-webgates-2147084.html, then click the Certification Matrix for 12c Access Management WebGates link to download the certification matrix spreadsheet.
Note:
For production environments, it is highly recommended that you install Oracle Access Manager in its own environment and not on the machines that are hosting the enterprise deployment.
Note:
It is recommended that you use the WebGate version that is certified with your Oracle Access Manager deployment.For more information about Oracle Access Manager, see the latest Oracle Identity and Access Management documentation, which you can find in the Middleware documentation on the Oracle Help Center.
Parent topic: Configuring Single Sign-On for an Enterprise Deployment
Configuring Oracle HTTP Server 12c WebGate for an Enterprise Deployment
You need to perform the following steps in order to configure Oracle HTTP Server 12c WebGate for Oracle Access Manager on both WEBHOST1 and WEBHOST2.
In the following procedure, replace the directory variables, such as WEB_ORACLE_HOME and WEB_CONFIG_DIR, with the values, as defined in File System and Directory Variables Used in This Guide.
-
Perform a complete backup of the web tier domain.
-
Change directory to the following location in the Oracle HTTP Server Oracle home:
cd
WEB_ORACLE_HOME
/webgate/ohs/tools/deployWebGate/
-
Run the following command to create the WebGate Instance directory and enable WebGate logging on OHS Instance:
./deployWebGateInstance.sh -w WEB_CONFIG_DIR -oh WEB_ORACLE_HOME
-
Verify that a
webgate
directory and subdirectories was created by thedeployWebGateInstance
command:ls -lat WEB_CONFIG_DIR/webgate/ total 16 drwxr-x---+ 8 orcl oinstall 20 Oct 2 07:14 .. drwxr-xr-x+ 4 orcl oinstall 4 Oct 2 07:14 . drwxr-xr-x+ 3 orcl oinstall 3 Oct 2 07:14 tools drwxr-xr-x+ 3 orcl oinstall 4 Oct 2 07:14 config
-
Run the following command to ensure that the
LD_LIBRARY_PATH
environment variable containsWEB_ORACLE_HOME/lib
directory path:export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:WEB_ORACLE_HOME/lib
-
Change directory to the following directory
WEB_ORACLE_HOME/webgate/ohs/tools/setup/InstallTools
-
Run the following command from the
InstallTools
directory../EditHttpConf -w WEB_CONFIG_DIR -oh WEB_ORACLE_HOME -o output_file_name
Note:
The
-oh WEB_ORACLE_HOME
and-o output_file_name
parameters are optional.This command:
-
Copies the
apache_webgate.template
file from the Oracle HTTP Server Oracle home to a newwebgate.conf
file in the Oracle HTTP Server configuration directory. -
Updates the
httpd.conf
file to add one line, so it includes thewebgate.conf
. -
Generates a WebGate configuration file. The default name of the file is
webgate.conf
, but you can use a custom name by using the-o output_file_name
argument to the command.
-
Parent topic: Configuring Single Sign-On for an Enterprise Deployment
Configuring Oracle Traffic Director 12c WebGate for an Enterprise Deployment
You will need to perform the following steps in order to configure Oracle Traffic Director (OTD) 12c WebGate for Oracle Access Manager on both WEBHOST1 and WEBHOST2.
In the following procedure, replace the directory variables, such as WEB_ORACLE_HOME and WEB_CONFIG_DIR, with the values, as defined in File System and Directory Variables Used in This Guide.
-
Perform a complete backup of the Web Tier domain.
-
Change directory to the following location in the Oracle Traffic Director Oracle home:
cd
WEB_ORACLE_HOME
/webgate/otd/tools/deployWebGate/
-
Run the following command to create the WebGate Instance directory and enable WebGate logging on OTD Instance:
./deployWebGateInstance.sh -w WEB_CONFIG_DIR -oh WEB_ORACLE_HOME -ws otd
-
Verify that a
webgate
directory and subdirectories was created by thedeployWebGateInstance
command:ls -lat WEB_CONFIG_DIR/webgate/ total 16 drwxr-x---+ 8 orcl oinstall 20 Oct 2 07:14 .. drwxr-xr-x+ 4 orcl oinstall 4 Oct 2 07:14 . drwxr-xr-x+ 3 orcl oinstall 3 Oct 2 07:14 tools drwxr-xr-x+ 3 orcl oinstall 4 Oct 2 07:14 config
-
Run the following command to ensure that the
LD_LIBRARY_PATH
environment variable containsWEB_ORACLE_HOME/lib
directory path:export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:WEB_ORACLE_HOME/lib
-
Change directory to the following directory
WEB_ORACLE_HOME/webgate/otd/tools/setup/InstallTools
-
Run the following command from the
InstallTools
directory../EditObjConf -f WEB_CONFIG_DIR/instance_name/config/login.example.com-obj.conf -w WEB_CONFIG_DIR -oh WEB_ORACLE_HOME -ws otd
For example:
./EditObjConf -f /u02/private/oracle/config/domains/otdDomain/config/fmwconfig/components/OTD/instances/otd_idm_WEBHOST1/config//login.example.com-obj.conf -w /u02/private/oracle/config/domains/otdDomain/config/fmwconfig/components/OTD/instances -oh /u01/oracle/products/web -ws otd
Note:
The
-oh WEB_ORACLE_HOME
and-o output_file_name
parameters are optional.This command:
-
Copies the
apache_webgate.template
file from the Oracle Traffic Director Oracle home to a newwebgate.conf
file in the Oracle Traffic Director configuration directory. -
Updates the
httpd.conf
file to add one line, so it includes thewebgate.conf
. -
Generates a WebGate configuration file. The default name of the file is
webgate.conf
, but you can use a custom name by using the-o output_file_name
argument to the command.
Repeat this command for each virtual host file, that is,
prov.example.com-obj.conf
,iadaccess.example.com-obj.conf
,igdaccess.example.com-obj.conf
, andigdinternal.example.com-obj.conf
. -
Parent topic: Configuring Single Sign-On for an Enterprise Deployment
Copying WebGates Artifacts to Web Tier
When you created your Oracle Access Management installation, a WebGate called Webgate_IDM
was created. In order for WebGate to communicate with the Access servers, you must copy the artifacts associated with this WebGate to the web tier.
- Copying Generated Artifacts to the Oracle HTTP Server WebGate Instance Location
- Copying Generated Artifacts to the Oracle Traffic Director WebGate Instance Location
Parent topic: Configuring Single Sign-On for an Enterprise Deployment
Copying Generated Artifacts to the Oracle HTTP Server WebGate Instance Location
After idmTool configOAM ran it created a webgate agent called Webgate_IDM. The process created a number of artifacts relating to that agent in IAD_ASERVER_HOME/output/Webgate_IDM. These artifacts now need to be copied to the Oracle HTTP Server configuration directory on the Web Tier hosts.
The location of the files in the Oracle HTTP Server configuration directory depends upon the Oracle Access Manager security mode setting (OPEN, SIMPLE, or CERT).
The following table lists the required location of each generated artifact in the Oracle HTTP Server configuration directory, based on the security mode setting for Oracle Access Manager. In some cases, you might have to create the directories if they do not exist already. For example, the wallet directory might not exist in the configuration directory.
Note:
For an enterprise deployment, Oracle recommends simple mode, unless additional requirements exist to implement custom security certificates for the encryption of authentication and authorization traffic. The information about using open or certification mode is provided here as a convenience.
Avoid using open mode, because in open mode, traffic to and from the Oracle Access Manager server is not encrypted.
For more information about using certificate mode or about Oracle Access Manager supported security modes in general, see Securing Communication Between OAM Servers and WebGates in Administrator's Guide for Oracle Access Management.
Table 24-1 Web Tier Host Location to Copy the Generated Artifacts
File | Location When Using SIMPLE Mode | Location When Using CERT Mode |
---|---|---|
wallet/cwallet.sso Foot 1 |
WEB_CONFIG_DIR/webgate/config/wallet/ By default the wallet folder is not available. Create the wallet folder under |
WEB_CONFIG_DIR/webgate/config/wallet/ |
ObAccessClient.xml |
WEB_CONFIG_DIR/webgate/config/ |
WEB_CONFIG_DIR/webgate/config/ |
password.xml |
WEB_CONFIG_DIR/webgate/config/ |
WEB_CONFIG_DIR/webgate/config/ |
aaa_key.pem |
WEB_CONFIG_DIR/webgate/config/simple/ |
WEB_CONFIG_DIR/webgate/config/ |
aaa_cert.pem |
WEB_CONFIG_DIR/webgate/config/simple/ |
WEB_CONFIG_DIR/webgate/config/ |
Footnote 1 Copy cwallet.sso
from the wallet folder and not from the output folder. Even though there are 2 files with the same name they are different. The one in the wallet sub directory is the correct one.
Note:
If you need to redeploy theObAccessClient.xml
to WEBHOST1
and WEBHOST2
, delete the cached copy of ObAccessClient.xml
and its lock file, ObAccessClient.xml.lck
from the servers. The cache location on WEBHOST1
is:WEB_DOMAIN_HOME/servers/ohs1/cache/
And you must perform the similar step for the second Oracle HTTP Server instance on WEBHOST2
:
WEB_DOMAIN_HOME/servers/ohs2/cache/
Parent topic: Copying WebGates Artifacts to Web Tier
Copying Generated Artifacts to the Oracle Traffic Director WebGate Instance Location
After idmTool configOAM ran it created a webgate agent called Webgate_IDM. The process created a number of artifacts relating to that agent in IAD_ASERVER_HOME/output/Webgate_IDM
. These artifacts now need to be copied to the Oracle Traffic Director configuration directory on the Web Tier hosts.
The location of the files in the Oracle HTTP Server configuration directory depends upon the Oracle Access Manager security mode setting (OPEN, SIMPLE, or CERT).
The following table lists the required location of each generated artifact in the Oracle HTTP Server configuration directory, based on the security mode setting for Oracle Access Manager. In some cases, you might have to create the directories if they do not exist already. For example, the wallet directory might not exist in the configuration directory.
Note:
For an enterprise deployment, Oracle recommends simple mode, unless additional requirements exist to implement custom security certificates for the encryption of authentication and authorization traffic. The information about using open or certification mode is provided here as a convenience.
Avoid using open mode, because in open mode, traffic to and from the Oracle Access Manager server is not encrypted.
For more information using certificate mode or about Oracle Access Manager supported security modes in general, see Securing Communication Between OAM Servers and WebGates in Administrator's Guide for Oracle Access Management.
File | Location When Using SIMPLE Mode |
---|---|
wallet/cwallet.sso Note: Copycwallet.sso from the wallet folder and not from the output folder. Even though there are 2 files with the same name they are different. The one in the wallet sub directory is the correct one.
|
WEB_CONFIG_DIR/webgate/config/wallet/ Note: By default the wallet folder is not available. Create the wallet folder underWEB_CONFIG_DIR/webgate/config/ .
|
ObAccessClient.xml |
WEB_CONFIG_DIR/webgate/config/ |
password.xml |
WEB_CONFIG_DIR/webgate/config/ |
aaa_key.pem |
WEB_CONFIG_DIR/webgate/config/simple/ |
aaa_cert.pem |
WEB_CONFIG_DIR/webgate/config/simple/ |
Note:
If you need to redeploy theObAccessClient.xml
to WEBHOST1
and WEBHOST2
, delete the cached copy of ObAccessClient.xml
and its lock file, ObAccessClient.xml.lck
from the servers. The cache location on WEBHOST1
is:WEB_DOMAIN_HOME/servers/otd1/cache/
And you must perform the similar step for the second Oracle HTTP Server instance on WEBHOST2
:
WEB_DOMAIN_HOME/servers/otd2/cache/
Parent topic: Copying WebGates Artifacts to Web Tier
Restarting the Oracle HTTP Server Instance
For information about restarting the Oracle HTTP Server instance, see Restarting Oracle HTTP Server Instances by Using WLST in Administering Oracle HTTP Server.
If you have configured Oracle HTTP Server in a WebLogic Server domain, you can also use Oracle Fusion Middleware Control to restart the Oracle HTTP Server instances. See Restarting Oracle HTTP Server Instances by Using Fusion Middleware Control in Administering Oracle HTTP Server.
Parent topic: Configuring Single Sign-On for an Enterprise Deployment
Setting Up the WebLogic Server Authentication Providers
To set up the WebLogic Server authentication providers, back up the configuration files, set up the Oracle Access Manager Identity Assertion Provider and set the order of providers.
The following topics assumes that you have already configured the LDAP authenticator by following the steps in Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group. If you have not already created the LDAP authenticator, then do so before you continue with this section.
Note:
You only need to perform these steps in the IAMGovernanceDomain, they will already have been performed in the IAMAccessDomain as part of running configOAM.- Backing Up Configuration Files
- Setting Up the Oracle Access Manager Identity Assertion Provider
- Updating the Default Authenticator and Setting the Order of Providers
Parent topic: Configuring Single Sign-On for an Enterprise Deployment
Backing Up Configuration Files
To be safe, you should first back up the relevant configuration files:
ASERVER_HOME/config/config.xml ASERVER_HOME/config/fmwconfig/jps-config.xml ASERVER_HOME/config/fmwconfig/system-jazn-data.xml
Also back up the boot.properties
file for the Administration Server:
ASERVER_HOME/servers/AdminServer/security/boot.properties
Parent topic: Setting Up the WebLogic Server Authentication Providers
Setting Up the Oracle Access Manager Identity Assertion Provider
Set up an Oracle Access Manager identity assertion provider in the Oracle WebLogic Server Administration Console.
- Log in to the WebLogic Server Administration Console, if not already logged in.
- Click Lock & Edit.
- Click Security Realms in the left navigation bar.
- Click the myrealm default realm entry.
- Click the Providers tab.
- Click New, and select the asserter type OAMIdentityAsserter from the drop-down menu.
- Name the asserter (for example, OAM ID Asserter) and click OK.
- Click the newly added asserter to see the configuration screen for the Oracle Access Manager identity assertion provider.
- Set the control flag to REQUIRED.
- Under Chosen types, select both the ObSSOCookie and OAM_REMOTE_USER options, if they are not selected by default.
- Click Save to save the settings.
- Click Activate Changes to propagate the changes.
Parent topic: Setting Up the WebLogic Server Authentication Providers
Updating the Default Authenticator and Setting the Order of Providers
Set the order of identity assertion and authentication providers in the WebLogic Server Administration console.
Parent topic: Setting Up the WebLogic Server Authentication Providers
Configuring Oracle ADF and OPSS Security with Oracle Access Manager
Some Oracle Fusion Middleware management consoles use Oracle Application Development Framework (Oracle ADF) security, which can integrate with Oracle Access Manager Single Sign On (SSO). These applications can take advantage of Oracle Platform Security Services (OPSS) SSO for user authentication, but you must first configure the domain-level jps-config.xml
file to enable these capabilities.
The domain-level jps-config.xml
file is located in the following location after you create an Oracle Fusion Middleware domain:
ASERVER_HOME/config/fmwconfig/jps-config.xml
Note:
The domain-level jps-config.xml
should not be confused with the jps-config.xml
that is deployed with custom applications.
Parent topic: Configuring Single Sign-On for an Enterprise Deployment