11 Switching to External Authentication

For maximum security in production environments, Oracle recommends integrating Oracle WebCenter Sites with Oracle Access Management, for an advanced identity management solution and a seamless single sign-on user experience. You also have the option of integrating WebCenter Sites with an external LDAP authentication provider directory.

The following topics describe how to configure WebCenter Sites for authentication against either external identity management solution:

Switching to Authentication Against an LDAP Directory

This topic describes how to switch WebCenter Sites to authentication against an external LDAP authentication provider directory. This is a recommended solution for production environments if integration with Oracle Access Management is not viable.

Before you change your authentication provider, install and configure WebCenter Sites.
To switch WebCenter Sites to authentication against an external LDAP directory:
  1. (Optional) If the LDAP server you are using is case sensitive, set the ldap.caseAware property to true.
    By default, ldap.caseAware is set to false. Sign-in fails if you are using a case-sensitive LDAP server and this property is set to false. To change the ldap.caseAware value to true, follow these steps:
    • Sign in to the WebCenter Sites Admin interface and navigate to the Admin tree tab > System Tools > Property Management.

    • Search for ldap and change the value of ldap.caseAware from false to true.

    • Restart the Managed server.

    Note:

    During the integration of Sites with LDAP, if a user's data in LDAP contains a comma (for example, test,user), the data is not fetched. To retrieve the data, change the syntax.escape setting in the dir.ini file located in the ..sites/install directory from syntax.escape=\\ to syntax.escape=\#.
  2. Access the LDAP Configurator at http://sites-host:sites-port/sites-context/ldapconfig, follow the instructions on the screen, and enter the values for your environment.
  3. For LDAP rollback, restart the WebCenter Sites Managed Server, and go to the same LDAP Configurator URL.

    The integration is now manual only. Nothing is written to your LDAP server; only an LDIF file is created under the DOMAIN_HOME/wcsites/wcsites/config/ldap folder (the default install location of the WebCenter Sites application; make all customizations and path modifications after a successful LDAP integration). The peopleparent, groupparent, username, and other fields are not prepopulated, as they were in the previous release.

  4. (Optional) Modify the LDIF file located in NEW_DOMAIN_HOME/wcsites/wcsites/config/ with values appropriate for your environment.

    Because the fields are not prepopulated, follow this example for ORACLEDIR:

    ldap server type -- ORACLEDIR
    ldap DSN -- dc=oracle,dc=com
    ldap host -- localhost
    ldap port -- 389
    ldap username -- cn=orcladmin
    ldap password -- password
    ldap peopleParent -- cn=Users,dc=oracle,dc=com
    ldap groupparent -- cn=Groups,dc=oracle,dc=com
  5. If you choose Oracle Virtual Directory as your LDAP authentication provider, WebCenter Sites generates an LDIF file. Import it into your Oracle Internet Directory server, and then create an adapter in Oracle Virtual Directory that connects to the Oracle Internet Directory server.

    You cannot import an LDIF file directly to an Oracle Virtual Directory LDAP server because it does not have a storage of its own.

  6. Import the LDIF file into the external LDAP authentication provider.
  7. Restart the WebLogic Managed Server running this WebCenter Sites instance.

Switching to Authentication Against Oracle Access Manager

You can configure WebCenter Sites for authentication against Oracle Access Manager. This solution is recommended for production environments.

It is assumed that you already have an OAM Server running. This OAM integration requires configuration in the OAM Server using oamconsole and some configuration changes in Sites.
WebCenter Sites integration is supported for Oracle Access Manager 11.1.2.2.0 and 11.1.2.3.0.
To switch WebCenter Sites to authentication against Oracle Access Manager:
  1. Sign in to the Oracle Access Manager Server through oamconsole (for example, http://<oam_host:oam_port>/<oam console>/) and configure a WebGate.
  2. Deploy the oamlogin.war and oamtoken.war application files located under NEW_ORACLE_HOME/wcsites/webcentersites/sites-home on the WebLogic domain containing the target WebCenter Sites instance.
  3. Create the wemsites_settings.properties property file under DOMAIN_HOME/wcsites/wcsites/config/.
  4. Enter the values in the wemsites_settings.properties file as follows:
    oamredirect=http://oam_server_host:oam_port/oam/server/auth_cred_submit
    oamlogout=http://oam_server_host:oam_port/oam/server/logout
    forgotpassword=helpdesk-email-address
  5. Set the following properties in NEW_DOMAIN_HOME/wcsites/wcsites/config/SSOConfig.xml. See Step 12 of Integration Steps.
    serviceUrl -- http://{ohs_server_host}:{ohs_port}/{sites_context_root}/REST
    ticketUrl -- http://{oamtoken_server_host}:{oamtoken_port}/oamtoken
    signoutURL -- http://{oam_server_host}:{oam_port}/oam/server/logout?end_url={end_url}
      Use this URL when invoking WebCenter Sites logout. It includes the encoded URL to which the browser returns after Oracle Access Manager has completed all logout processing.
    end_url -- For test (staging) and production (delivery) environments: http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome
    dbUsername -- Name of the WebCenter Sites general Administrator user account.
    dbPassword -- Password for the WebCenter Sites general Administrator user account.

    Note:

    The ohs_server_host and ohs_port can be the WebLogic host and port or any other HTTP server host and port, depending on your configuration. For more information on OHS configuration, see Step 2 to Step 9 of Integration Steps. The following example shows the configuration to add to the mod_wl_ohs.conf file of the OAM OHS:
    <IfModule weblogic_module>
        <Location /oamlogin>
            SetHandler weblogic-handler
            WebLogicHost SITES_HOST
            WebLogicPort SITES_PORT
        </Location>
    </IfModule>
    <IfModule weblogic_module>
        <Location /sites>
            SetHandler weblogic-handler
            WebLogicHost SITES_HOST
            WebLogicPort SITES_PORT
        </Location>
    </IfModule>
  6. Copy the ObAccessClient.xml and cwallet.sso files from your Oracle Access Manager instance into the NEW_DOMAIN_HOME/wcsites/wcsites/config/oblix/lib/ directory on the target WebCenter Sites instance.

    Note:

    These files are auto-generated after the WebGate is configured.
  7. Edit the oamtoken.xml file in the sites-config directory: set the compatibility mode to 11g and the oblix path to the sites-config folder that contains the oblix/lib folder.
  8. In the Oracle Access Manager configuration for WebCenter Sites, update the protected, public, and excluded resources as follows:

    Figure 11-1 List of Protected, Public, and Excluded Resources for WebCenter Sites

  9. To integrate the OAMSDK Client with WebLogic Server as the oamtoken.war application, edit the jps-config.xml file for the WebCenter Sites domain. By default, the WebLogic domain runs with this file, which is passed in the WebLogic Server 12c startup script:

    -Doracle.security.jps.config=NEW_ORACLE_HOME/user_projects/domains/DOMAIN_NAME/config/fmwconfig/jps-config.xml

    1. Add a service instance next to the existing service instances in jps-config.xml, as in the following example:
      <serviceInstance name="credstore.oamtoken" provider="credstoressp" location="./oamtoken">
        <description>File Based Credential Store Service Instance</description>
        <property name="location" value="./oamtoken"/>
      </serviceInstance>
      location is the path to the directory that contains the cwallet.sso file. The preceding example sets this path relative to the current jps-config.xml file. Make sure the oamtoken folder is created relative to the current directory and that the cwallet.sso file is placed there. The location value can also be an absolute path to the directory where the cwallet.sso file is placed.
    2. Add <serviceInstanceRef ref="credstore.oamtoken"/> under <jpsContext name="default">.
    3. Add the following <jpsContext> element under <jpsContexts default="default">:
      <jpsContext name="OAMASDK">
      <serviceInstanceRef ref="credstore.oamtoken"/>
      </jpsContext>
  10. Add permissions so that the code in oamtoken.war can be used.
    The client accesses the WebGate instance created in Oracle Access Manager. You need to grant the credential access in the WebCenter Sites domain so that the credential store's security restriction is satisfied.
    1. Launch the WebLogic Scripting Tool with the wlst.sh script:
      cd NEW_ORACLE_HOME/oracle_common/common/bin
      ./wlst.sh
    2. Connect to the Administration Server for the WebCenter Sites domain:
      connect('user-name','password','sites-host:admin-port')
    3. Grant the permissions:
      grantPermission(codeBaseURL="file:/scratch/idc/newoam/rend/Oracle_Home/user_projects/domains/renddomain/servers/wcsites_server1/tmp/_WL_user/oamtoken/-",
                      permClass="oracle.security.jps.service.credstore.CredentialAccessPermission",
                      permTarget="context=SYSTEM,mapName=OAMAgent,keyName=*",
                      permActions="*")
      The codeBaseURL in the preceding command is the path to which WebLogic Server has deployed the oamtoken.war application in your domain.
    4. Restart the target WebCenter Sites Managed Server.
  11. (Optional) If trust between WebCenter Sites and Oracle Access Manager has not been established, modify the configuration of the WebCenter Sites web tier as follows:
    1. Sign in to the Oracle Access Manager Console.
    2. In the WebGate authorization policy (under the protected resource policy), go to the Responses tab.
    3. Enable (select) the Identity Assertion check box.
    4. Click Apply to save your changes.
  12. (Optional) If WebCenter Sites is deployed on a cluster that uses the OAM integration, the following steps are required so that the oamticketcache cache is replicated across the nodes.
    1. The config directory contains cas-cache.xml, in which oamticketcache is configured by default.
    2. Uncomment the commented section in the cache named oamticketcache. The section appears as follows:
      <cacheEventListenerFactory
          class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"
          properties="replicateAsynchronously=true, replicatePuts=true,
                      replicateUpdates=true, replicateUpdatesViaCopy=false,
                      replicateRemovals=true"/>
      <bootstrapCacheLoaderFactory
          class="net.sf.ehcache.distribution.RMIBootstrapCacheLoaderFactory"
          properties="bootstrapAsynchronously=false, maximumChunkSizeBytes=5000000"
          propertySeparator="," />
    3. Change the cacheManagerPeerProviderFactory as follows, making sure the port is unique:
      <cacheManagerPeerProviderFactory
          class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
          properties="peerDiscovery=automatic, multicastGroupAddress=230.0.0.8,
                      multicastGroupPort=40002, timeToLive=1" />
    4. The port must be different for cacheManagerPeerProviderFactory and cacheManagerPeerListenerFactory, as specified in the earlier steps.
    5. All the cluster nodes must use the same port for both properties.
  13. To work on the SSOConfig.xml file, follow these steps:
    1. Modify the SSOConfig.xml file of the WebCenter Sites deployment. This file controls which authentication classes are loaded and the properties those classes require.
    2. Shut down the Sites server.
    3. Back up the SSOConfig.xml file located in the WEB-INF/classes directory of the deployed WebCenter Sites application.
      For example: /u01/software/Apps/OraMiddleware/user_projects/domains/OAMSitesDomain/wcsites/wcsites/config/SSOConfig.xml.
    4. Modify SSOConfig.xml as follows:

      Note:

      The following steps explain how to set the serviceUrl, ticketUrl, signoutURL, dbUsername, and dbPassword properties. See Step 5.
    5. The signoutUrl property specifies the URL to use when invoking WebCenter Sites logout. It includes the encoded URL to which the browser returns after OAM has completed all logout processing.
    6. For Sites management, use the following value for end_url: http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome
    7. For Sites delivery, use the following value for end_url: http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome
      For the dbUsername and dbPassword properties, you can enter the credentials of the WebCenter Sites general administrator, which by default is fwadmin/xceladmin. The values of these properties are encrypted when the WebCenter Sites application starts.

      Note:

      In the code example below, you set the following properties: csServerUrl, serviceUrl, ticketUrl, signoutURL, dbUsername, and dbPassword. See Step 5.
      <?xml version="1.0" encoding="UTF-8"?>
      <!--
      
          Copyright (c) 2010 FatWire Corporation. All Rights Reserved.
          Title, ownership rights, and intellectual property rights in and
          to this software remain with FatWire Corporation. This  software
          is protected by international copyright laws and treaties, and
          may be protected by other law.  Violation of copyright laws may
          result in civil liability and criminal penalties.
      
      -->
      
      <beans xmlns="http://www.springframework.org/schema/beans"
      	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
      	xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context"
      	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
      	http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
      	http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
      
      	<bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" />
      	<!-- Root Context: defines shared resources visible to all other web components -->
      	
      	<jdbc:initialize-database data-source="dataSource"	enabled="true" ignore-failures="ALL">		
      		<!-- The installer opens the first jdbc:script and configures it automatically -->
      		<jdbc:script location="classpath:crawler_oracle_db.sql" />
      		<!--jdbc:script location="classpath:crawler_hsql_db.sql" /-->
      		<!--jdbc:script location="classpath:crawler_sql_server_db.sql" /-->
      		<!--jdbc:script location="classpath:crawler_oracle_db.sql" /-->
      		<!--jdbc:script location="classpath:crawler_db2_db.sql" /-->
      	</jdbc:initialize-database>
      	
      	<!-- Section# 1 Installer will consume below configuration to configure a datasource name created on the appservers -->
      	<bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
      		<property name="jndiName" value="wcsitesDS"/>
      	</bean>
      	
      	<!-- Single Sign On provider -->
      	<bean id="ssoprovider" class="com.fatwire.wem.sso.oam.OAMProvider">
      		<property name="config" ref="ssoconfig" />
      	</bean>
      	<!--It is invoked by the OAM filter to resolve an OAM authenticated user against a remote Site CS instance.--> 
      	<bean id="oamIdentity" class="com.fatwire.auth.identity.RemoteUsernameResolver" >
      		<property name="csServerUrl" value="http://{ohs_server_host}:{ohs_port}/{sites_context_root}/custom/customCsResolver.jsp"/>
      	</bean>
        
      	<!-- Single Sign On filter -->
      	<bean id="ssofilter" class="com.fatwire.wem.sso.oam.filter.OAMFilter">
      		<property name="config" ref="ssoconfig" />
      		<property name="provider" ref="ssoprovider" />
      		<property name="identityResolver" ref="oamIdentity" />
      		
      		<!-- Set "trustConfigured" to "true" in case of trust relationship configured between WebGate and WLS.
      		It will turn off check for OAM_ASSERTION header. -->
      		<property name="trustConfigured" value="false" />
      	</bean>
        
      
      	<!-- Single Sign On listener -->
      	<bean id="ssolistener" class="com.fatwire.wem.sso.oam.listener.OAMListener">
      	</bean>
      	
      	<!-- Single Sign On configuration -->
      	<bean id="ssoconfig" class="com.fatwire.wem.sso.oam.conf.OAMConfig">
      		<!-- URL prefix for REST service endpoint -->
      		<property name="serviceUrl" value="http://{ohs_server_host}:{ohs_port}/{sites_context_root}/REST" />
      		
      		<!-- URL prefix for Token Service servlet -->
      		<property name="ticketUrl" value="http://{oamtoken_server_host}:{oamtoken_port}/oamtoken" />
      		
      		<!-- URL to be called when WEM logout is required. -->
      		<property name="signoutUrl" value="http://{oam_server_host}:{oam_port}/oam/server/logout?end_url=http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome"/>
      		
      		<!-- Do not proxy tickets; it's the last server in the call chain -->
      		<property name="proxyTickets" value="false" />
      		
      		<!-- Database credentials needed by the user lookup in OAMFilter -->
      		<property name="dbUsername" value="fwadmin" />
      		<property name="dbPassword" value="xceladmin"/>
      		
      		<!-- Your application protected resources (relative to applicationUrl) -->
      		<property name="protectedMappingIncludes">
      			<list>
      				<value>/__admin</value>
      				<value>/__admin/**</value>
      			</list>
      		</property>
      		
      		<!-- Your application protected resources excludes (relative to applicationUrl) -->
      		<property name="protectedMappingExcludes">
      			<list>
      				<value>/__admin/layout</value>
      			</list>
      		</property>
      		<property name="applicationProxyCallbackPath" value="/sso/proxycallback" />
      		<property name="gateway" value="false" />
      	</bean>
      	
      	<context:component-scan base-package="com.fatwire.crawler.remote.dao" />
      	<context:component-scan base-package="com.fatwire.crawler.remote.support" />
      	<context:component-scan base-package="com.fatwire.crawler.remote.di" />
      	<context:component-scan base-package="com.fatwire.crawler.remote.resources.support" />
      
      </beans>
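As an added check that is not part of the WebCenter Sites documentation or product, the following Python script parses the ssoconfig and ssofilter beans described above and reports unresolved {placeholders}, the default fwadmin/xceladmin credentials, a trustConfigured=true setting, and an end_url that is missing or does not point at the serviceUrl front end. The hostnames in the embedded sample and all function names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote, urlsplit

BEANS_NS = "{http://www.springframework.org/schema/beans}"
# General-administrator credentials shipped as defaults in the sample SSOConfig.xml.
DEFAULT_DB_CREDENTIALS = ("fwadmin", "xceladmin")


def build_end_url(ohs_host: str, ohs_port: int, context_root: str) -> str:
    """Percent-encode the WEM Welcome URL for the signoutUrl end_url parameter.

    quote(..., safe="") turns ':' into %3A and '/' into %2F, matching the form
    the documentation gives for end_url.
    """
    plain = f"http://{ohs_host}:{ohs_port}/{context_root}/wem/fatwire/wem/Welcome"
    return quote(plain, safe="")


def load_sso_properties(xml_text: str) -> dict:
    """Collect the name/value properties of the ssoconfig and ssofilter beans."""
    root = ET.fromstring(xml_text)
    props = {}
    for bean in root.iter(f"{BEANS_NS}bean"):
        if bean.get("id") in ("ssoconfig", "ssofilter"):
            for prop in bean.findall(f"{BEANS_NS}property"):
                if prop.get("value") is not None:  # skip ref="..." properties
                    props[prop.get("name")] = prop.get("value")
    return props


def raw_query_param(url: str, name: str):
    """Return a query parameter still percent-encoded (parse_qs would decode it)."""
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return value
    return None


def check_sso_properties(props: dict, expected_end_url: str) -> list:
    """Return human-readable findings; an empty list means the bean looks sane."""
    findings = []
    for name in ("serviceUrl", "ticketUrl", "signoutUrl", "dbUsername", "dbPassword"):
        value = props.get(name)
        if value is None:
            findings.append(f"{name}: property missing")
        elif "{" in value or "}" in value:
            findings.append(f"{name}: unresolved {{placeholder}} left in '{value}'")
    if (props.get("dbUsername"), props.get("dbPassword")) == DEFAULT_DB_CREDENTIALS:
        findings.append("dbUsername/dbPassword: default fwadmin/xceladmin still configured")
    if props.get("trustConfigured") == "true":
        findings.append("trustConfigured=true: OAM_ASSERTION header check is off; "
                        "only valid once trust between WebGate and WLS is established")
    end_url = raw_query_param(props.get("signoutUrl", ""), "end_url")
    if end_url is None:
        findings.append("signoutUrl: no end_url parameter")
    else:
        if end_url != expected_end_url:
            findings.append(f"signoutUrl: end_url is '{end_url}', expected '{expected_end_url}'")
        # The decoded return URL must point at the same front end as the REST serviceUrl.
        if urlsplit(unquote(end_url)).netloc != urlsplit(props.get("serviceUrl", "")).netloc:
            findings.append("signoutUrl: end_url host:port differs from serviceUrl host:port")
    return findings


# Constructed sample: the two relevant beans with hosts filled in (not a real deployment).
SAMPLE_SSOCONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="ssofilter" class="com.fatwire.wem.sso.oam.filter.OAMFilter">
    <property name="config" ref="ssoconfig" />
    <property name="trustConfigured" value="false" />
  </bean>
  <bean id="ssoconfig" class="com.fatwire.wem.sso.oam.conf.OAMConfig">
    <property name="serviceUrl" value="http://ohs.example.com:7777/sites/REST" />
    <property name="ticketUrl" value="http://sites.example.com:7002/oamtoken" />
    <property name="signoutUrl" value="http://oam.example.com:14100/oam/server/logout?end_url=http%3A%2F%2Fohs.example.com%3A7777%2Fsites%2Fwem%2Ffatwire%2Fwem%2FWelcome"/>
    <property name="dbUsername" value="fwadmin" />
    <property name="dbPassword" value="xceladmin"/>
  </bean>
</beans>
"""


def audit_sample() -> list:
    """Run the checks against the constructed sample; only the default credentials trip."""
    expected = build_end_url("ohs.example.com", 7777, "sites")
    return check_sso_properties(load_sso_properties(SAMPLE_SSOCONFIG), expected)


if __name__ == "__main__":
    for finding in audit_sample() or ["SSOConfig.xml: no findings"]:
        print(finding)
```

Point load_sso_properties at the real file (open(path).read()) and pass your own OHS host, port and context root to build_end_url to audit a deployment before restarting the Managed Server.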
After OAM authentication is configured, perform the following integrations:

SiteCapture integrating with OAM

This topic covers the steps to integrate SiteCapture with OAM.

To integrate Oracle Access Manager with SiteCapture, follow these steps:
  1. Integrate Oracle WebCenter Sites with Oracle Access Manager. For more information, see Integrating Oracle WebCenter Sites with OAM.
  2. Perform the additional Oracle Access Manager configuration required for SiteCapture.
    1. Create additional resource definitions (see the table below) for the WebCenter Sites application domain.
      Resource URL                                  Protection level   Authentication   Authorization
      /<sites-context>/REST/roles                   Unprotected        Public           All Allowed
      /<sites-context>/custom/customCsResolver.jsp  Unprotected        Public           All Allowed
      /resources/.../*                              Excluded           NA               NA
      /__admin/.../*                                Protected          Protected        Protected

    2. Configure the Protected Resource Policy as follows:
      1. Click Application Domains and click the Open icon.
      2. Click Search and select WCSitesWebGate.
      3. Click the Authentication Policies tab and select Authentication Policies. For Authentication Scheme, select LDAPWemScheme, the authentication scheme previously created.
      4. Click the Responses tab.
      5. Select the Identity Assertion check box.
      6. When an authentication policy is satisfied, it can create responses. The WebCenter Sites HTTP filter requires these responses to recognize LDAP attributes and obtain information about the authenticated user. In the following steps, you create these responses.
      7. Click the Add (+) icon and enter the following:
        1. For Name, enter FATGATE_CSTIMEOUT.
        2. For Type, select Header.
        3. For Value, enter 30.
  3. Install the SiteCapture application. During the SiteCapture installation, use the parameters listed below:
    Property Description                             Property        Value
    Content server host name or IP                   fw.cs.hostname  {ohs_host}
    Content server app server port                   fw.cs.port      {ohs_port}
    Content server context                           fw.cs.context   {sites_context_root}
    Content server protocol (http or https)          fw.cs.protocol  {sites.protocol}
    Content Server user name having RESTADMIN role   fw.cs.username  {username}
    Content server user password                     fw.cs.password  {password}
    SiteCapture server hostname or IP                fw.sc.hostname  {sc_host}
    SiteCapture app server port                      fw.sc.port      {sc_port}
    SiteCapture protocol (http or https)             fw.sc.protocol  {sc.protocol}
    CAS server hostname                              fw.cas.host     {ohs_host} in the installer, or empty in sitecapture.properties
    CAS server port                                  fw.cas.port     {ohs_port} in the installer, or empty in sitecapture.properties
    CAS server context                               fw.cas.context  cas in the installer, or empty in sitecapture.properties


  4. Adjust the root-context.xml file in the SiteCapture application. SiteCapture ships with two files:
    1. root-context.xml
      Back up the root-context.xml file by renaming it to root-context.xml.bak.
    2. oam_root-context.xml
      Rename the oam_root-context.xml file to root-context.xml.
      <?xml version="1.0" encoding="UTF-8"?>
      <!--
      
          Copyright (c) 2010 FatWire Corporation. All Rights Reserved.
          Title, ownership rights, and intellectual property rights in and
          to this software remain with FatWire Corporation. This  software
          is protected by international copyright laws and treaties, and
          may be protected by other law.  Violation of copyright laws may
          result in civil liability and criminal penalties.
      
      -->
      
      <beans xmlns="http://www.springframework.org/schema/beans"
      	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
      	xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context"
      	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
      	http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
      	http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
      
      	<bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" />
      	<!-- Root Context: defines shared resources visible to all other web components -->
      	
      	<jdbc:initialize-database data-source="dataSource"	enabled="true" ignore-failures="ALL">		
      		<!-- The installer opens the first jdbc:script and configures it automatically -->
      		<jdbc:script location="classpath:crawler_oracle_db.sql" />
      		<!--jdbc:script location="classpath:crawler_hsql_db.sql" /-->
      		<!--jdbc:script location="classpath:crawler_sql_server_db.sql" /-->
      		<!--jdbc:script location="classpath:crawler_oracle_db.sql" /-->
      		<!--jdbc:script location="classpath:crawler_db2_db.sql" /-->
      	</jdbc:initialize-database>
      	
      	<!-- Section# 1 Installer will consume below configuration to configure a datasource name created on the appservers -->
      	<bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
      		<property name="jndiName" value="wcsitesDS"/>
      	</bean>
      	
      	<!-- Single Sign On provider -->
      	<bean id="ssoprovider" class="com.fatwire.wem.sso.oam.OAMProvider">
      		<property name="config" ref="ssoconfig" />
      	</bean>
      	<!--It is invoked by the OAM filter to resolve an OAM authenticated user against a remote Site CS instance.--> 
      	<bean id="oamIdentity" class="com.fatwire.auth.identity.RemoteUsernameResolver" >
      		<property name="csServerUrl" value="http://{ohs_server_host}:{ohs_port}/{sites_context_root}/custom/customCsResolver.jsp"/>
      	</bean>
        
      	<!-- Single Sign On filter -->
      	<bean id="ssofilter" class="com.fatwire.wem.sso.oam.filter.OAMFilter">
      		<property name="config" ref="ssoconfig" />
      		<property name="provider" ref="ssoprovider" />
      		<property name="identityResolver" ref="oamIdentity" />
      		
      		<!-- Set "trustConfigured" to "true" in case of trust relationship configured between WebGate and WLS.
      		It will turn off check for OAM_ASSERTION header. -->
      		<property name="trustConfigured" value="false" />
      	</bean>
        
      
      	<!-- Single Sign On listener -->
      	<bean id="ssolistener" class="com.fatwire.wem.sso.oam.listener.OAMListener">
      	</bean>
      	
      	<!-- Single Sign On configuration -->
      	<bean id="ssoconfig" class="com.fatwire.wem.sso.oam.conf.OAMConfig">
      		<!-- URL prefix for REST service endpoint -->
      		<property name="serviceUrl" value="http://{ohs_server_host}:{ohs_port}/{sites_context_root}/REST" />
      		
      		<!-- URL prefix for Token Service servlet -->
      		<property name="ticketUrl" value="http://{oamtoken_server_host}:{oamtoken_port}/oamtoken" />
      		
      		<!-- URL to be called when WEM logout is required. -->
      		<property name="signoutUrl" value="http://{oam_server_host}:{oam_port}/oam/server/logout?end_url=http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome"/>
      		
      		<!-- Do not proxy tickets; it's the last server in the call chain -->
      		<property name="proxyTickets" value="false" />
      		
      		<!-- Database credentials needed by the user lookup in OAMFilter -->
      		<property name="dbUsername" value="fwadmin" />
      		<property name="dbPassword" value="xceladmin"/>
      		
      		<!-- Your application protected resources (relative to applicationUrl) -->
      		<property name="protectedMappingIncludes">
      			<list>
      				<value>/__admin</value>
      				<value>/__admin/**</value>
      			</list>
      		</property>
      		
      		<!-- Your application protected resources excludes (relative to applicationUrl) -->
      		<property name="protectedMappingExcludes">
      			<list>
      				<value>/__admin/layout</value>
      			</list>
      		</property>
      		<property name="applicationProxyCallbackPath" value="/sso/proxycallback" />
      		<property name="gateway" value="false" />
      	</bean>
      	
      	<context:component-scan base-package="com.fatwire.crawler.remote.dao" />
      	<context:component-scan base-package="com.fatwire.crawler.remote.support" />
      	<context:component-scan base-package="com.fatwire.crawler.remote.di" />
      	<context:component-scan base-package="com.fatwire.crawler.remote.resources.support" />
      
      </beans>

      Note:

      Include the following in the mod_wl_ohs.conf file:
      <IfModule weblogic_module>
          <Location /__admin>
              SetHandler weblogic-handler
              WebLogicHost SITECAPTURE_HOST
              WebLogicPort SITECAPTURE_PORT
          </Location>
      </IfModule>

Integrating OAM with Oracle WebCenter Sites: Satellite Server

This topic covers the steps to integrate OAM with Oracle WebCenter Sites: Satellite Server.

Configuring a Satellite Server for Oracle Access Manager integration is a simpler procedure than for WebCenter Sites. For more information on integrating OAM with WebCenter Sites using Satellite Server, see Integrating OAM with Oracle WebCenter Sites: Satellite Server.

Note:

The code example below gives the Remote Satellite Server (RSS) configuration in the OAM OHS mod_wl_ohs.conf file:
<IfModule weblogic_module>
    <Location /ss>
        SetHandler weblogic-handler
        WebLogicHost SATELLITESERVER_HOST
        WebLogicPort SATELLITESERVER_PORT
    </Location>
</IfModule>

Integrating OAM with Visitor Services

This topic covers steps to integrate OAM with Visitor Services.

Before performing steps described in this section, ensure that you have configured the OAMIdentityProvider provided with Visitor Services.  The OAM identity provider enables Visitor Services to communicate with OAM. For more information on Integrating OAM with Visitor Services, see Oracle Fusion Middleware Developing with Oracle WebCenter Sites.

Note:

The code example below gives the Visitor Services configuration in the OAM OHS mod_wl_ohs.conf file:
<IfModule weblogic_module>
    <Location /oamlogin>
        SetHandler weblogic-handler
        WebLogicHost SITES_HOST
        WebLogicPort SITES_PORT
    </Location>
</IfModule>
<IfModule weblogic_module>
    <Location /visitors-webapp>
        SetHandler weblogic-handler
        WebLogicHost VISITORSERVICES_HOST
        WebLogicPort VISITORSERVICES_PORT
    </Location>
</IfModule>

Switching to OAM Authentication Using a Detached Credential Collector

This topic shows the steps to configure the two webgates and two OHS instances. You can configure Site Capture, Satellite Server, and Visitor Services for OAM in a similar way using the steps in this topic.

In the earlier topics, the credentials are collected directly by the OAM server, which exposes the OAM server's host and port and so constitutes a security threat. With the introduction of the DCC (Detached Credential Collector) webgate, credentials are collected at the webgate and transferred by the webgate to OAM for further processing. DCC does not expose the OAM server host and port, which mitigates the threat. DCC can be configured using a single webgate and a single OHS, or two webgates (for example, a DCC webgate and a Resource webgate) and two Oracle HTTP Servers (each OHS server hosting the respective webgate files).

Prerequisites

This topic lists the prerequisites for configuring the Detached Credential Collector.

The following are the prerequisites for configuring DCC:
  1. WebCenter Sites 12.2.1.3.0 is installed with CAS and is in working condition.
  2. OAM 11.1.2.3.0 is installed and the OAM domain is configured, along with two OHS instances configured for the webgates. The following software is required for this installation:
    • OAM 11.1.2.3.0. For example: ofm_iam_generic_11.1.2.3.0_disk*.zip.

    • RCU 11.1.1.9.0. For example: ofm_rcu_linux_11.1.1.9.0_64_disk*.zip.

    • Latest version of SOA Suite.

    • WebTier 11.1.1.9.0. For example: ofm_webtier_linux_11.1.1.9.0_64_disk*.zip.

    • WebGate 11.1.2.3.0. For example: ofm_webgates_generic_11.1.2.3.0_disk*.zip.

DCC WebGate Configuration

This topic describes how to configure the DCC Webgate.

To configure DCC Webgate, follow the steps:
  1. Log in to oamconsole. The Launch Pad of Application Security opens.
  2. Click Agents > Create Webgate. The Create Webgate form opens.
  3. In the Create Webgate form, enter the following values:
    1. Version: 11g
    2. Name: DCC-11g-WG (for example; any name can be used)
    3. Host Identifier: DCC-11g-WG (for example; any name can be used)
    4. Security: Select the option of your choice.
    5. Auto Create Policies: Leave the default option selected.
  4. Click Apply.
  5. A new webgate named DCC-11g-WG is created with default values. In the webgate form, update the following fields:
    1. Logout URL : /oamsso-bin/logout.pl
    2. Logout Callback URL : /oam_logout_success
    3. Logout Redirect URL : http://{OAM_host:OAM_port}/oam/server/logout
    4. Logout Target URL : end_url
    5. Allow Credential Collector Operations : Leave the default selected option.
  6. Click Apply.
  7. Navigate to Launch Pad and click Access Manager > Host Identifiers.
  8. A Search form is displayed. Click Search.
  9. Click the Host Identifier DCC-11g-WG created in Step 3c.
  10. Add the Hostname and port by clicking on ‘+’ in Host Name Variations area.
  11. After entering all the details, click Apply.

    Note:

    These are the hostname and port of OHS to where DCC webgate files are copied to display the login challenge.
  12. Navigate to Launch Pad and click Authentication Schemes.
  13. A Search form is displayed. Click Create.
  14. Create a new Authentication Scheme that will be used by both webgates, with the values given in Step 15 a to g.
  15. Enter the following values and click Apply. The LDAP authentication module used here is WebLogic's Embedded LDAP, where the fwadmin user has been added to myrealm using the WebLogic Admin console.
    1. Name : DCCAuthnScheme11g. For example, enter Some arbitrary name.
    2. Authentication Level : 2
    3. Challenge Method : FORM
    4. Challenge Redirect URL : http://{OHS_Host_of_Resource_Webgate:OHS_Port}
    5. Authentication Module : LDAP
    6. Challenge URL : /oamsso-bin/login.pl
    7. Context Type : external
  16. Navigate to Launch Pad and click Application Domains.
  17. A Search form is displayed. Click Search, which displays all the available application domains (these are created by default when a webgate is created).
  18. Click the Application Domain created in Step 3b, which opens the application domain with multiple tabs; the Summary tab is open by default.
    1. Click the Resources tab, which displays a search form along with a Create button.
    2. Click Create and fill in the form as below:

      Note:

      Add the other excluded URLs in the same way, changing the Resource URL with each Create.
      • Type : HTTP

      • Host Identifier : DCC-11g-WG ( Name given in Step 3c)

      • Resource URL : /oamsso-bin/login.pl

      • Protection Level : excluded

    3. Click Apply.
    4. Click Authentication Policies tab and then click Protected Resource Policy. Update the form as below and click Apply.
      • Authentication Scheme : DCCAuthnScheme11g as created in Step 15.

  19. Copy the DCC webgate files listed below, created in the WebLogic domain ($DOMAIN_HOME/output/DCC-11g-WG), to the folder of the OHS hosting these webgate files ($OHS_INSTANCE_HOME/config/OHS/$OHS_NAME/webgate/config).
    • ObAccessClient.xml

    • cwallet.sso

  20. Restart the OHS.

Resource WebGate Configuration

This topic provides steps to configure the Resource Webgate.

To configure the Resource WebGate, follow the steps:
  1. Login to oamconsole. The Launch Pad of Application Security opens.
  2. Click Agents > Create Webgate. The Create Webgate form opens.
  3. Input the values as below in the Create Webgate form.
    1. Version : 11g
    2. Name : Resource-11g-WG (Some arbitrary name)
    3. Host Identifier : Resource-11g-WG (Same as Name above or some arbitrary name)
    4. Security : Open (select the option of your choice)
    5. Auto Create Policies : Option Selected
  4. Click Apply.
  5. A new webgate named Resource-11g-WG is created with default values. In the webgate form, update the following fields:
    1. Logout URL : /logout
    2. Logout Callback URL : /oam_logout_success
    3. Logout Redirect URL : http://{OAM_Host_of_DCC_Webgate:OAM_Port}/oamsso-bin/logout.pl
    4. Logout Target URL : end_url
  6. Click Apply.
  7. Navigate to Launch Pad and click Access Manager > Host Identifiers, which displays a search form. Click Search.
  8. Click the Host Identifier Resource-11g-WG created in Step 3c.
  9. Add the hostname and port by clicking on ‘+’ in Host Name Variations.
  10. After all the desired host names and ports are added, click Apply.

    Note:

    These are the hostname and port of OHS to where Resource webgate files are copied.
  11. Navigate to Launch Pad and click Application Domains, which displays the Search form. Click Search, which displays all the available application domains (these are created by default when a webgate is created).
  12. Click the Application Domain created in Step 3b, which opens the application domain with multiple tabs; the Summary tab is open by default.
    1. Click the Resources tab, which displays a search form along with a Create button. For each row in the table below, click Create, fill in the Create form with the row's values, and click Apply.

      Table 11-1 Resource Identifiers

      Type | Host Identifier | Resource URL | Protection Level | Authentication Policy | Authorization Policy
      HTTP | Resource-11g-WG | /{sites-context}/** | Protected | Protected Resource Policy | Protected Resource Policy
      HTTP | Resource-11g-WG | /{sites-context}/ContentServer/* | Protected | Protected Resource Policy | Protected Resource Policy
      HTTP | Resource-11g-WG | /{sites-context}/Satellite/* | Protected | Protected Resource Policy | Protected Resource Policy
      HTTP | Resource-11g-WG | /{sites-context}/faces/jspx/…/* | Protected | Protected Resource Policy | Protected Resource Policy
      HTTP | Resource-11g-WG | /{sites-context}/wem/fatwire/…/* | Protected | Protected Resource Policy | Protected Resource Policy
      HTTP | Resource-11g-WG | /{sites-context}/Xcelerate/LoginPage.html | Protected | Protected Resource Policy | Protected Resource Policy

    2. Click Authentication Policies tab and then click Protected Resource Policy. Update the form as below and click Apply.
      1. Authentication Scheme : DCCAuthnScheme11g (Created in Step 8)

      2. Click the Responses tab and then select Identity Assertion. Click Add and include the following responses:

        Table 11-2 Identity Assertion Elements

        Type | Name | Value
        Header | FATGATE_POLICY | Protected
        Header | FATGATE_EMAIL | $user.attr.mail

    3. Click the Authorization Policies tab and then click Protected Resource Policy. Update the form as given in the table below.
      1. Click Responses and then select Identity Assertion.

        Table 11-3 Identity Assertion Elements

        Type | Name | Value
        Header | FATGATE_POLICY | Protected
        Header | FATGATE_EMAIL | $user.attr.mail

      2. After adding the above responses, click Add.

      3. Click Apply.

  13. Copy the Resource webgate files listed below, created in the WebLogic domain ($DOMAIN_HOME/output/Resource-11g-WG), to the folder of the OHS hosting these webgate files ($OHS_INSTANCE_HOME/config/OHS/$OHS_NAME/webgate/config).
    1. ObAccessClient.xml
    2. cwallet.sso
  14. Restart OHS.

Sites OAM Integration

This topic provides steps to configure the Sites OAM integration with DCC.

To configure the Sites OAM integration, follow the steps:
  1. Deploy oamtoken web application to sites server.

    Note:

    Do not deploy oamlogin web application since it is not used.
  2. Undeploy cas web application from the sites server.
  3. Navigate to CS web application and open SSOConfig.xml in edit mode.
  4. Add the following bean to the file and Save the file.
    <!-- Single Sign On configuration -->
    <bean id="ssoconfig" class="com.fatwire.wem.sso.oam.conf.OAMConfig">
        <!-- URL prefix for REST service endpoint -->
        <property name="serviceUrl" value="http://{OHS_Host_of_Resource_Webgate:OHS_Port}/{sites-context}/REST" />
        <!-- URL prefix for Token Service servlet -->
        <property name="ticketUrl" value="http://{Sites_Host:Sites_Port}/oamtoken" />
        <!-- URL to be called when WEM logout is required. -->
        <property name="signoutUrl" value="http://{OHS_Host_of_DCC_Webgate:OHS_Port}/oamsso-bin/logout.pl?end_url=http%3A%2F%2F{OHS_Host_of_Resource_Webgate}%3A{OHS_Port}%2F{sites-context}%2Fwem%2Ffatwire%2Fwem%2FWelcome" />
        <!-- Do not proxy tickets, it's the last server in the call chain -->
        <property name="proxyTickets" value="false" />
        <!-- Database credentials needed by user lookup in OAMFilter -->
        <property name="dbUsername" value="fwadmin" />
        <property name="dbPassword" value="{password_for_above_user}" />
        <!-- Your application protected resources (relative to applicationUrl) -->
        <property name="protectedMappingIncludes">
            <list>
                <value>wem/fatwire/**</value>
                <value>/faces/jspx/**</value>
                <value>/ContentServer?[pagename=OpenMarket/Xcelerate/UIFramework/LoginPage|OpenMarket/Xcelerate/UIFramework/ShowMainFrames|fatwire/getAllUserGroups|fatwire/getAllSecurityConfigs|rest/asset,#]</value>
                <value>/Satellite?[pagename=fatwire/insitetemplating/request|OpenMarket/Xcelerate/ControlPanel/Request|OpenMarket/Xcelerate/ControlPanel/EditPanel|fatwire/wem/ui/Ping|fatwire/wem/sso/validateMultiticket|OpenMarket/Xcelerate/UIFramework/ShowPreviewFrames,#]</value>
                <value>Xcelerate/LoginPage.html</value>
            </list>
        </property>
    </bean>
  5. Restart Sites server after the above changes.
  6. Use a protected URL from the resource webgate to login to Sites. For example : http://{OHS_Host_of_Resource_Webgate:OHS_Port}/{sites-context}/.

    Note:

    Site Capture, Satellite Server and Visitor Services can be configured to the OAM in the same way.
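The following Python script is an added sanity check for the ssoconfig bean edited in step 4 above; it is not WebCenter Sites or OAM product code. It parses the bean and verifies the invariants the DCC layout depends on: no browser-facing URL names the OAM server, serviceUrl goes through the Resource webgate OHS, signoutUrl is the DCC webgate's logout.pl whose end_url returns to the Welcome page on the Resource webgate OHS, proxyTickets is false, and the protected mappings are present. The host names ohs-dcc.example.com, ohs-res.example.com, sites.example.com and oam.example.com are constructed stand-ins for the {placeholders} in the bean.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the page's ssoconfig bean with the {placeholders} filled in.
# ohs-dcc / ohs-res stand for the DCC and Resource webgate OHS hosts, sites for Sites.
SAMPLE_SSOCONFIG = """<beans>
<bean id="ssoconfig" class="com.fatwire.wem.sso.oam.conf.OAMConfig">
  <property name="serviceUrl" value="http://ohs-res.example.com:7777/sites/REST"/>
  <property name="ticketUrl" value="http://sites.example.com:7002/oamtoken"/>
  <property name="signoutUrl" value="http://ohs-dcc.example.com:7778/oamsso-bin/logout.pl?end_url=http%3A%2F%2Fohs-res.example.com%3A7777%2Fsites%2Fwem%2Ffatwire%2Fwem%2FWelcome"/>
  <property name="proxyTickets" value="false"/>
  <property name="dbUsername" value="fwadmin"/>
  <property name="dbPassword" value="{password_for_above_user}"/>
  <property name="protectedMappingIncludes">
    <list><value>wem/fatwire/**</value><value>/faces/jspx/**</value>
    <value>Xcelerate/LoginPage.html</value></list>
  </property>
</bean></beans>"""

def load_props(xml_text):
    bean = ET.fromstring(xml_text).find(".//bean[@id='ssoconfig']")
    return {p.get("name"): p.get("value") if p.get("value") is not None
            else [v.text for v in p.findall("list/value")]
            for p in bean.findall("property")}

def check_ssoconfig(xml_text, oam_host, dcc_ohs, resource_ohs):
    """Return a list of findings; an empty list means the bean matches the DCC layout."""
    props = load_props(xml_text)
    findings = []
    # DCC exists so that browsers never talk to the OAM server: no URL may name it.
    for name in ("serviceUrl", "ticketUrl", "signoutUrl"):
        if urlsplit(props[name]).hostname == oam_host:
            findings.append(f"{name} exposes the OAM server host; with DCC it must point at OHS")
    if urlsplit(props["serviceUrl"]).netloc != resource_ohs:
        findings.append("serviceUrl must go through the Resource webgate OHS")
    signout = urlsplit(props["signoutUrl"])
    if signout.netloc != dcc_ohs or signout.path != "/oamsso-bin/logout.pl":
        findings.append("signoutUrl must be the DCC webgate's /oamsso-bin/logout.pl")
    end_url = parse_qs(signout.query).get("end_url", [""])[0]  # percent-decoded by parse_qs
    if urlsplit(end_url).netloc != resource_ohs or not end_url.endswith("/wem/fatwire/wem/Welcome"):
        findings.append("end_url must return to .../wem/fatwire/wem/Welcome on the Resource webgate OHS")
    if props.get("proxyTickets") != "false":
        findings.append("proxyTickets must be false: Sites is the last server in the call chain")
    if props.get("dbPassword", "").startswith("{"):
        findings.append("dbPassword still holds the documentation placeholder")
    for required in ("wem/fatwire/**", "/faces/jspx/**", "Xcelerate/LoginPage.html"):
        if required not in props["protectedMappingIncludes"]:
            findings.append(f"protectedMappingIncludes is missing {required}")
    return findings
```

Run it against the real SSOConfig.xml (read the file instead of SAMPLE_SSOCONFIG) with your OAM host and the two OHS host:port values; the only finding on the sample above is the unreplaced dbPassword placeholder.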