19 Configuring Single Sign-On for an Enterprise Deployment

You need to configure the Oracle HTTP Server WebGate in order to enable single sign-on with Oracle Access Manager.

About Oracle HTTP Server Webgate

Oracle HTTP Server WebGate is a web server plug-in that intercepts HTTP requests and forwards them to an existing Oracle Access Manager instance for authentication and authorization.

For Oracle Fusion Middleware 12c, the Oracle WebGate software is installed as part of the Oracle HTTP Server 12c software installation. See Registering and Managing OAM 11g Agents in Administrator's Guide for Oracle Access Management.

General Prerequisites for Configuring Oracle HTTP Server WebGate

Before you can configure Oracle HTTP Server WebGate, you must have installed and configured a certified version of Oracle Access Manager.

For the most up-to-date information, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.

For the WebGate certification matrix, open http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oam-webgates-2147084.html, and then click the Certification Matrix for 12c Access Management WebGates link to download the certification matrix spreadsheet.

Note:

For production environments, it is highly recommended that you install Oracle Access Manager in its own environment and not on the machines that are hosting the enterprise deployment.

For more information about Oracle Access Manager, see the latest Oracle Identity and Access Management documentation, which you can find in the Middleware documentation on the Oracle Help Center.

Enterprise Deployment Prerequisites for Configuring OHS 12c Webgate

When you are configuring Oracle HTTP Server Webgate to enable single sign-on for an enterprise deployment, consider the prerequisites mentioned in this section.

  • Oracle recommends that you deploy Oracle Access Manager as part of a highly available, secure, production environment. For more information about deploying Oracle Access Manager in an enterprise environment, see the Enterprise Deployment Guide for your version of Oracle Identity and Access Management.

  • To enable single sign-on for the WebLogic Server Administration Console and the Oracle Enterprise Manager Fusion Middleware Control, you must add a central LDAP-provisioned administration user to the directory service that Oracle Access Manager is using (for example, Oracle Internet Directory or Oracle Unified Directory). For more information about the required user and groups to add to the LDAP directory, follow the instructions in Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group.

Note:

It is recommended that you use the WebGate version that is certified with your Oracle Access Manager deployment.

Configuring Oracle HTTP Server 12c WebGate for an Enterprise Deployment

You need to perform the following steps in order to configure Oracle HTTP Server 12c WebGate for Oracle Access Manager on both WEBHOST1 and WEBHOST2.

In the following procedure, replace the directory variables, such as WEB_ORACLE_HOME and WEB_CONFIG_DIR, with the values defined in File System and Directory Variables Used in This Guide.

  1. Perform a complete backup of the web tier domain.

  2. Change directory to the following location in the Oracle HTTP Server Oracle home:

    cd WEB_ORACLE_HOME/webgate/ohs/tools/deployWebGate/

  3. Run the following command to create the WebGate Instance directory and enable WebGate logging on OHS Instance:

    ./deployWebGateInstance.sh -w WEB_CONFIG_DIR -oh WEB_ORACLE_HOME

  4. Verify that the webgate directory and its subdirectories were created by the deployWebGateInstance command:

    ls -lat WEB_CONFIG_DIR/webgate/
    total 16
    drwxr-x---+ 8 orcl oinstall 20 Oct  2 07:14 ..
    drwxr-xr-x+ 4 orcl oinstall  4 Oct  2 07:14 .
    drwxr-xr-x+ 3 orcl oinstall  3 Oct  2 07:14 tools
    drwxr-xr-x+ 3 orcl oinstall  4 Oct  2 07:14 config
    
  5. Run the following command to ensure that the LD_LIBRARY_PATH environment variable contains the WEB_ORACLE_HOME/lib directory:

    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:WEB_ORACLE_HOME/lib

  6. Change directory to the following directory:

    WEB_ORACLE_HOME/webgate/ohs/tools/setup/InstallTools

  7. Run the following command from the InstallTools directory.

    ./EditHttpConf -w WEB_CONFIG_DIR -oh WEB_ORACLE_HOME -o output_file_name

    Note:

    The -oh WEB_ORACLE_HOME and -o output_file_name parameters are optional.

    This command:

    • Copies the apache_webgate.template file from the Oracle HTTP Server Oracle home to a new webgate.conf file in the Oracle HTTP Server configuration directory.

    • Updates the httpd.conf file to add one line, so it includes the webgate.conf.

    • Generates a WebGate configuration file. The default name of the file is webgate.conf, but you can use a custom name by using the -o output_file_name argument to the command.

Registering the Oracle HTTP Server WebGate with Oracle Access Manager

You can register the WebGate agent with Oracle Access Manager by using the Oracle Access Manager Administration console.

For more information about OAM registration, see Registering an OAM Agent Using the Console in Administrator's Guide for Oracle Access Management.

About RREG In-Band and Out-of-Band Mode

You can run the RREG Tool in one of two modes: in-band and out-of-band.

Use in-band mode when you have the privileges to access the Oracle Access Manager server and run the RREG tool yourself from the Oracle Access Manager Oracle home. You can then copy the generated artifacts and files to the web server configuration directory after you run the RREG Tool.

Use out-of-band mode if you do not have privileges or access to the Oracle Access Manager server. For example, in some organizations, only the Oracle Access Manager server administrators have privileges to access the server directories and perform administration tasks on the server. In out-of-band mode, the process can work as follows:

  1. The Oracle Access Manager server administrator provides you with a copy of the RREG archive file (RREG.tar.gz).

  2. Untar the RREG.tar.gz file that was provided to you by the server administrator.

    For example:

    gunzip RREG.tar.gz

    tar -xvf RREG.tar

    After you unpack the RREG archive, you can find the tool for registering the agent in the following location:

    RREG_HOME/bin/oamreg.sh

    In this example, RREG_HOME is the directory in which you extracted the contents of the RREG archive.

  3. Use the instructions in Updating the Standard Properties in the OAM11gRequest.xml File to update the OAM11GRequest.xml file, and send the completed OAM11GRequest.xml file to the Oracle Access Manager server administrator.

  4. The Oracle Access Manager server administrator then uses the instructions in Running the RREG Tool in Out-Of-Band Mode to run the RREG Tool and generate the AgentID_response.xml file.

  5. The Oracle Access Manager server administrator sends the AgentID_response.xml file to you.

  6. Use the instructions in Running the RREG Tool in Out-Of-Band Mode to run the RREG Tool with the AgentID_response.xml file and generate the required artifacts and files on the client system.

Updating the Standard Properties in the OAM11gRequest.xml File

Before you can register the Webgate agent with Oracle Access Manager, you must update some required properties in the OAM11gRequest.xml file.

Note:

  • If you plan to use the default values for most of the parameters in the provided XML file, then you can use the shorter version (OAM11gRequest_short.xml), in which all non-listed fields take a default value.

  • In the primary server list, the OAM servers are listed under the default names OAM_SERVER1 and OAM_SERVER2. Rename these entries if the server names in your environment are different.

To perform this task:

  1. If you are using in-band mode, then change directory to the following location on one of the OAM Servers:

    OAM_ORACLE_HOME/oam/server/rreg/input

    If you are using out-of-band mode, then change directory to the location where you unpacked the RREG archive on the WEBHOST1 server.

  2. Make a copy of the OAM11GRequest.xml file template with an environment-specific name.

    cp OAM11GRequest.xml OAM11GRequest_edg.xml

  3. Review the properties listed in the file, and then update your copy of the OAM11GRequest.xml file to make sure that the properties reference the host names and other values specific to your environment.

Table 19-1 Fields in the OAM11GRequest.xml file

OAM11gRequest.xml Property: Set to...

serverAddress
    The host and the port of the Administration Server for the Oracle Access Manager domain.

agentName
    Any custom name for the agent. Typically, you use a name that identifies the Fusion Middleware product that you are configuring for single sign-on.

applicationDomain
    A value that identifies the web tier host and the FMW component that you are configuring for single sign-on.

security
    Must be set to the security mode configured on the Oracle Access Management server. This is one of three modes: open, simple, or certificate.

    Note:

    For an enterprise deployment, Oracle recommends simple mode, unless additional requirements exist to implement custom security certificates for the encryption of authentication and authorization traffic.

    In most cases, avoid using open mode, because in open mode, traffic to and from the Oracle Access Manager server is not encrypted.

    For more information about using certificate mode or about Oracle Access Manager supported security modes in general, see Securing Communication Between OAM Servers and WebGates in Administrator's Guide for Oracle Access Management.

cachePragmaHeader
    private

cacheControlHeader
    private

ipValidation
    0

    For example:

    <ipValidation>0</ipValidation>

    If ipValidation is set to '1', the IP address stored in the cookie must match the client's IP address; otherwise, the SSO cookie is rejected and the user must reauthenticate. This can cause problems with certain web applications. For example, web applications managed by a proxy server typically change the user's IP address, substituting the IP address of the proxy. Setting ipValidation to '0' disables IP validation.

ipValidationExceptions
    Can be empty when ipValidation is '0'.

    If IP validation is enabled, the client IP address is compared to the IP Validation Exceptions list. If the address is found on the exceptions list, it does not need to match the IP address stored in the cookie. You can add as many IP addresses as needed, for example, the IP address of the front-end load balancer:

    <ipValidationExceptions>
        <ipAddress>130.35.165.42</ipAddress>
    </ipValidationExceptions>

agentBaseUrl
    Fully-qualified URL with the host and the port of the front-end load balancer VIP in front of the WEBHOSTn machines on which the Oracle HTTP Server 12c WebGates are installed.

    For example:

    <agentBaseUrl>https://wcp.example.com:443</agentBaseUrl>

virtualHost
    Set to true when protecting more than the agentBaseUrl, such as SSO protection for the administrative VIP.

hostPortVariationsList
    Add hostPortVariations host and port elements for each of the load balancer URLs that are protected by the WebGates.

    For example:

    <hostPortVariationsList>
        <hostPortVariations>
            <host>wcpinternal.example.com</host>
            <port>80</port>
        </hostPortVariations>
        <hostPortVariations>
            <host>admin.example.com</host>
            <port>80</port>
        </hostPortVariations>
        <hostPortVariations>
            <host>osb.example.com</host>
            <port>443</port>
        </hostPortVariations>
    </hostPortVariationsList>

logOutUrls
    Leave it empty.

    The logout URL triggers the logout handler, which removes the cookie and requires the user to reauthenticate the next time the user accesses a resource protected by Access Manager. If no logout URL is configured, the request URL is checked for "logout" and, if found (except logout.gif and logout.jpg), also triggers the logout handler. If a value is set for this property, all logout URLs in use must be added.

primaryServerList
    Verify that the host and the port of the OAM Managed Servers match this list. Example:

    <primaryServerList>
        <Server>
            <host>wls_oam1</host>
            <port>14100</port>
            <numOfConnections>1</numOfConnections>
        </Server>
        <Server>
            <host>wls_oam2</host>
            <port>14100</port>
            <numOfConnections>2</numOfConnections>
        </Server>
    </primaryServerList>

Updating the Protected, Public, and Excluded Resources for an Enterprise Deployment

When you set up an Oracle Fusion Middleware environment for single sign-on, you identify a set of URLs that you want Oracle Access Manager to protect with single sign-on. You identify these using specific sections of the OAM11gRequest.xml file. To identify the URLs:

  1. If you have not already opened the copied OAM11GRequest_edg.xml file for editing, locate and open the file in a text editor.

  2. Remove the sample entries from the file, and then enter the list of protected, public, and excluded resources in the appropriate sections of the file, as shown in the following example.

    Note:

    If you are using Oracle Access Manager 11g Release 2 (11.1.2.2) or later, then note that the entries with the wildcard syntax (“.../*”) are included in this example for backward compatibility with previous versions of Oracle Access Manager.

        <protectedResourcesList>
        <!-- WebCenter Portal Protected Resources -->
            <resource>/pagelets/admin/.../*</resource>
            <resource>/rest/api</resource>
            <resource>/rest/api/activities/.../*</resource>
            <resource>/rest/api/activities</resource>
            <resource>/rest/api/catalog/.../*</resource>
            <resource>/rest/api/catalog</resource>
            <resource>/rest/api/discussions/.../*</resource>
            <resource>/rest/api/discussions</resource>
            <resource>/rest/api/feedback/.../*</resource>
            <resource>/rest/api/feedback</resource>
            <resource>/rest/api/messageBoards/.../*</resource>
            <resource>/rest/api/messageBoards</resource>
            <resource>/rest/api/navigations/.../*</resource>
            <resource>/rest/api/navigations</resource>
            <resource>/rest/api/people/.../*</resource>
            <resource>/rest/api/people</resource>
            <resource>/rest/api/preferences/general/.../*</resource>
            <resource>/rest/api/preferences/general</resource>
            <resource>/rest/api/resourceIndex</resource>
            <resource>/rest/api/searchcollection/.../*</resource>
            <resource>/rest/api/searchcollection</resource>
            <resource>/rest/api/searchresults/.../*</resource>
            <resource>/rest/api/searchresults</resource>
            <resource>/rest/api/spaces/.../*</resource>
            <resource>/rest/api/spaces</resource>
            <resource>/rest/api/taggeditems/.../*</resource>
            <resource>/rest/api/taggeditems</resource>
            <resource>/rest/api/taggingusers/.../*</resource>
            <resource>/rest/api/taggingusers</resource>
            <resource>/rest/api/tags/.../*</resource>
            <resource>/rest/api/tags</resource>
            <resource>/rest/api/v1/resourceIndex</resource>
            <resource>/rest/api/who/.../*</resource>
            <resource>/rest/api/who</resource>
            <resource>/rss/rssservlet</resource>
            <resource>/services-producer/adfAuthentication</resource>
            <resource>/webcenter/adfAuthentication</resource>
        <!-- WebCenter Content Protected Resources -->
            <resource>/adfAuthentication</resource>
            <resource>/dc-client/adfAuthentication</resource>
            <resource>/dc-console/adfAuthentication</resource>
            <resource>/ibr/adfAuthentication</resource>
            <resource>/imaging/faces/.../*</resource>
            <resource>/imaging/faces</resource>
            <resource>/wcc/adfAuthentication</resource>
        <!-- SOA Protected Resources -->
            <resource>/DefaultToDoTaskFlow/.../*</resource>
            <resource>/DefaultToDoTaskFlow</resource>
            <resource>/EssHealthCheck/.../*</resource>
            <resource>/EssHealthCheck</resource>
            <resource>/b2bconsole/.../*</resource>
            <resource>/b2bconsole</resource>
            <resource>/ess/.../*</resource>
            <resource>/ess</resource>
            <resource>/inspection.wsil</resource>
            <resource>/integration/worklistapp/.../*</resource>
            <resource>/integration/worklistapp</resource>
            <resource>/sdpmessaging/userprefs-ui/.../*</resource>
            <resource>/sdpmessaging/userprefs-ui</resource>
            <resource>/soa/composer/.../*</resource>
            <resource>/soa/composer</resource>
            <resource>/soa-infra/cluster/info/.../*</resource>
            <resource>/soa-infra/cluster/info</resource>
            <resource>/soa-infra/deployer/.../*</resource>
            <resource>/soa-infra/deployer</resource>
            <resource>/soa-infra/events/edn-db-log/.../*</resource>
            <resource>/soa-infra/events/edn-db-log</resource>
            <resource>/soa-infra</resource>
            <resource>/workflow/DefaultToDoTaskFlow/.../*</resource>
            <resource>/workflow/DefaultToDoTaskFlow</resource>
            <resource>/workflow/sdpmessagingsca-ui-worklist/.../*</resource>
            <resource>/workflow/sdpmessagingsca-ui-worklist</resource>
        <!-- SOA Portal Taskflow Protected Resources (For WCP/SOA integrated systems only) -->
            <resource>/workflow/WebCenterWorklistDetail/faces/adf.task-flow/.../*</resource>
            <resource>/workflow/WebCenterWorklistDetail/faces/adf.task-flow</resource>
        </protectedResourcesList>
        <publicResourcesList>
        <!-- WebCenter Portal Public Resources-->
            <resource>/pagelets</resource>
            <resource>/pagelets/welcome</resource>
            <resource>/rss/.../*</resource>
            <resource>/rss</resource>
            <resource>/services-producer</resource>
            <resource>/webcenter/.../*</resource>
            <resource>/webcenter</resource>
            <resource>/webcenterhelp/.../*</resource>
            <resource>/webcenterhelp</resource>
            <resource>/wsrp-tools</resource>
        <!-- WebCenter Content Public Resources -->
            <resource>/_ocsh/.../*</resource>
            <resource>/_ocsh</resource>
            <resource>/_dav/.../*</resource>
            <resource>/_dav</resource>
            <resource>/cs/.../*</resource>
            <resource>/cs</resource>
            <resource>/dc-console/.../*</resource>
            <resource>/dc-console</resource>
            <resource>/ibr/.../*</resource>
            <resource>/ibr</resource>
            <resource>/imaging/.../*</resource>
            <resource>/imaging</resource>
            <resource>/wcc/.../*</resource>
            <resource>/wcc</resource>
        <!-- SOA Public Resources (For SOA systems only) -->
            <resource>/soa-infra/directWSDL</resource>
        <!-- SOA Portal Taskflow Public Resources (For WCP/SOA integrated systems only) -->
            <resource>/workflow/WebCenterWorklistDetail/.../*</resource>
            <resource>/workflow/WebCenterWorklistDetail</resource>
        </publicResourcesList>
        <excludedResourcesList>
            <resource>/favicon.ico</resource>
        <!-- FMW/WLS Common Infrastructure Excluded Resources -->
            <resource>/wsm-pm/.../*</resource>
            <resource>/wsm-pm</resource>
        <!-- WebCenter Portal Excluded Resources-->
            <resource>/collector/.../*</resource>
            <resource>/collector</resource>
            <resource>/pagelets/api/v2/ensemble/pagelets</resource>
            <resource>/pagelets/api/v2/ensemble/pagelets/.../*</resource>
            <resource>/pagelets/ensemblestatic/.../*</resource>
            <resource>/pagelets/ensemblestatic</resource>
            <resource>/portalTools/.../*</resource>
            <resource>/portalTools</resource>
            <resource>/rest/api/cmis/.../*</resource>
            <resource>/rest/api/cmis/</resource>
            <resource>/rsscrawl</resource>
            <resource>/rsscrawl/.../*</resource>
            <resource>/sesUserAuth</resource>
            <resource>/sesUserAuth/.../*</resource>
            <resource>/webcenter/SpacesWebService</resource>
            <resource>/webcenter/SpacesWebService/.../*</resource>
            <resource>/wsrp-tools/portlets/.../*</resource>
            <resource>/wsrp-tools/portlets</resource>
        <!-- WebCenter Content Excluded Resources -->
            <resource>/axf-ws</resource>
            <resource>/axf-ws/.../*</resource>
            <resource>/cs/common/idcapplet.jar</resource>
            <resource>/cs/common/checkoutandopen*.jar</resource> 
            <resource>/cs/images</resource>
            <resource>/cs/images/.../*</resource>
            <resource>/dc-client</resource>
            <resource>/dc-client/.../*</resource>
            <resource>/idcnativews</resource>
            <resource>/idcnativews/.../*</resource>
            <resource>/imaging/lib</resource>
            <resource>/imaging/lib/.../*</resource>
            <resource>/imaging/ws</resource>
            <resource>/imaging/ws/.../*</resource>
        <!-- SOA Portal Taskflow Excluded Resources (For WCP/SOA integrated systems only) -->
            <resource>/soa-infra/services/default/CommunityWorkflows/**</resource>
            <resource>/soa-infra/services/default/CommunityWorkflows*</resource>
        <!-- SOA Excluded Resources (For SOA systems only) -->
            <resource>/b2b/services</resource>
            <resource>/b2b/services/.../*</resource>
            <resource>/integration/services</resource>
            <resource>/integration/services/.../*</resource>
            <resource>/soa-infra/services</resource>
            <resource>/soa-infra/services/.../*</resource>
            <resource>/ucs/messaging/webservice</resource>
            <resource>/ucs/messaging/webservice/.../*</resource>
        </excludedResourcesList>
    
  3. Save and close the OAM11GRequest_edg.xml file.
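
The following Python script is an added example, not part of the Oracle documentation or the RREG tool: it reads a copy of OAM11GRequest.xml and reports settings that depart from the Table 19-1 recommendations (open security mode, ipValidation without exceptions behind a load balancer, virtualHost versus hostPortVariationsList, logOutUrls, primaryServerList) and paths that appear in more than one of the protected, public and excluded resource lists above. The sample request and the root element name OAM11GRegRequest are assumptions constructed for the example; the property and list element names are the ones from the table.

```python
"""Check an OAM11GRequest.xml registration request against the Table 19-1
recommendations and look for overlaps between the protected, public and excluded
resource lists. The sample request is constructed; <OAM11GRegRequest> as root is an assumption."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RESOURCE_LISTS = ("protectedResourcesList", "publicResourcesList",
                  "excludedResourcesList")


def check_request(xml_text):
    """Return a list of findings; an empty list means nothing to fix."""
    root = ET.fromstring(xml_text)
    findings = []

    def text(tag):
        return (root.findtext(tag) or "").strip()

    # Security mode: open leaves WebGate <-> OAM traffic unencrypted.
    if text("security").lower() == "open":
        findings.append("security=open: traffic to and from the OAM server is not encrypted")
    for hdr in ("cachePragmaHeader", "cacheControlHeader"):
        if text(hdr) != "private":
            findings.append("%s should be 'private' (got %r)" % (hdr, text(hdr)))

    # Behind a load balancer the WebGate sees the proxy's address, so IP
    # validation must either be off or list the proxy as an exception.
    exceptions = [e.text.strip() for e in root.iter("ipAddress") if e.text]
    if text("ipValidation") == "1" and not exceptions:
        findings.append("ipValidation=1 with empty ipValidationExceptions: "
                        "proxied clients will be forced to reauthenticate")

    try:
        url = urlsplit(text("agentBaseUrl"))
        if not (url.scheme and url.hostname and url.port):
            raise ValueError
    except ValueError:  # missing part or malformed port
        findings.append("agentBaseUrl must be a fully-qualified URL with host and port")
    if root.findall("hostPortVariationsList/hostPortVariations") \
            and text("virtualHost").lower() != "true":
        findings.append("hostPortVariationsList is populated but virtualHost is not true")
    logout = root.find("logOutUrls")
    if logout is not None and (len(logout) or (logout.text or "").strip()):
        findings.append("logOutUrls is set: every logout URL in use must then be listed")

    servers = root.findall("primaryServerList/Server")
    if not servers:
        findings.append("primaryServerList has no Server entries")
    for srv in servers:
        if not all((srv.findtext(t) or "").strip() for t in ("host", "port", "numOfConnections")):
            findings.append("a primaryServerList Server entry lacks host, port or numOfConnections")

    # The same path in two lists is ambiguous; twice in one list is noise.
    seen = {}
    for lst in RESOURCE_LISTS:
        for res in root.findall("%s/resource" % lst):
            path = (res.text or "").strip()
            if path in seen and seen[path] != lst:
                findings.append("%s appears in both %s and %s" % (path, seen[path], lst))
            elif path in seen:
                findings.append("%s is listed twice in %s" % (path, lst))
            seen[path] = lst
    return findings


def hardened(xml_text):
    """Apply the Table 19-1 recommendations; resource-list overlaps are left to fix by hand."""
    root = ET.fromstring(xml_text)
    root.find("security").text = "simple"
    root.find("ipValidation").text = "0"
    if root.findall("hostPortVariationsList/hostPortVariations"):
        root.find("virtualHost").text = "true"
    return ET.tostring(root, encoding="unicode")


# Constructed request carrying several of the weak settings the table warns about.
WEAK_REQUEST = """<OAM11GRegRequest>
  <security>open</security>
  <cachePragmaHeader>private</cachePragmaHeader>
  <cacheControlHeader>private</cacheControlHeader>
  <ipValidation>1</ipValidation>
  <ipValidationExceptions/>
  <agentBaseUrl>https://soa.example.com:443</agentBaseUrl>
  <virtualHost>false</virtualHost>
  <hostPortVariationsList>
    <hostPortVariations><host>admin.example.com</host><port>80</port></hostPortVariations>
  </hostPortVariationsList>
  <logOutUrls/>
  <primaryServerList>
    <Server><host>wls_oam1</host><port>14100</port><numOfConnections>1</numOfConnections></Server>
  </primaryServerList>
  <protectedResourcesList><resource>/soa-infra</resource></protectedResourcesList>
  <publicResourcesList><resource>/soa-infra/directWSDL</resource></publicResourcesList>
  <excludedResourcesList>
    <resource>/soa-infra</resource>
    <resource>/favicon.ico</resource>
    <resource>/favicon.ico</resource>
  </excludedResourcesList>
</OAM11GRegRequest>"""
```

Running check_request on WEAK_REQUEST reports five findings; after hardened() only the two resource-list overlaps remain, which the administrator resolves by editing the lists.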

Running the RREG Tool

The following topics provide information about running the RREG tool to register your Oracle HTTP Server Webgate with Oracle Access Manager.

Running the RREG Tool in In-Band Mode

To run the RREG Tool in in-band mode:

  1. Change to the RREG home directory.

    If you are using in-band mode, the RREG directory is inside the Oracle Access Manager Oracle home:

    OAM_ORACLE_HOME/oam/server/rreg

    If you are using out-of-band mode, then the RREG home directory is the location where you unpacked the RREG archive.

  2. Change to the following directory:

    • (UNIX) RREG_HOME/bin

    • (Windows) RREG_HOME\bin

    cd RREG_HOME/bin/

  3. Set the permissions of the oamreg.sh command so that you can execute the file:

    chmod +x oamreg.sh

  4. Enter the following command:

    ./oamreg.sh inband RREG_HOME/input/OAM11GRequest_edg.xml

In this example:

  • It is assumed that the edited OAM11GRequest.xml file is located in the RREG_HOME/input directory.

  • The output from this command is saved to the following directory:

    RREG_HOME/output/

The following example shows a sample RREG session:

Welcome to OAM Remote Registration Tool!
Parameters passed to the registration tool are: 
Mode: inband
Filename: /u01/oracle/products/fmw/iam_home/oam/server/rreg/client/rreg/input/OAM11GRequest_edg.xml
Enter admin username:weblogic_idm
Username: weblogic_iam
Enter admin password: 
Do you want to enter a Webgate password?(y/n):
n
Do you want to import an URIs file?(y/n):
n

----------------------------------------
Request summary:
OAM11G Agent Name:SOA12213_EDG_AGENT
Base URL: https://soa.example.com:443
URL String:null
Registering in Mode:inband
Your registration request is being sent to the Admin server at: http://host1.example.com:7001
----------------------------------------

Jul 08, 2015 7:18:13 PM oracle.security.jps.util.JpsUtil disableAudit
INFO: JpsUtil: isAuditDisabled set to true
Jul 08, 2015 7:18:14 PM oracle.security.jps.util.JpsUtil disableAudit
INFO: JpsUtil: isAuditDisabled set to true
Inband registration process completed successfully! Output artifacts are created in the output folder.

Running the RREG Tool in Out-Of-Band Mode

To run the RREG Tool in out-of-band mode on the WEBHOST server, the administrator uses the following command:

RREG_HOME/bin/oamreg.sh outofband input/OAM11GRequest.xml

In this example:

  • Replace RREG_HOME with the location where the RREG archive file was unpacked on the server.

  • The edited OAM11GRequest.xml file is located in the RREG_HOME/input directory.

  • The RREG Tool saves the output from this command (the AgentID_response.xml file) to the following directory:

    RREG_HOME/output/

    The Oracle Access Manager server administrator can then send the AgentID_response.xml to the user who provided the OAM11GRequest.xml file.

To run the RREG Tool in out-of-band mode on the web server client machine, use the following command:

RREG_HOME/bin/oamreg.sh outofband input/AgentID_response.xml

In this example:

  • Replace RREG_HOME with the location where you unpacked the RREG archive file on the client system.

  • The AgentID_response.xml file, which was provided by the Oracle Access Manager server administrator, is located in the RREG_HOME/input directory.

  • The RREG Tool saves the output from this command (the artifacts and files required to register the Webgate software) to the following directory on the client machine:

    RREG_HOME/output/

Files and Artifacts Generated by RREG

The files that are generated by the RREG Tool vary, depending on the security level that you are using for communications between the WebGate and the Oracle Access Manager server. See Securing Communication Between OAM Servers and WebGates in Administrator's Guide for Oracle Access Management.

Note that in this topic any references to RREG_HOME should be replaced with the path to the directory where you ran the RREG tool. This is typically the following directory on the Oracle Access Manager server, or (if you are using out-of-band mode) the directory where you unpacked the RREG archive:

OAM_ORACLE_HOME/oam/server/rreg/client

The following table lists the artifacts that are always generated by the RREG Tool, regardless of the Oracle Access Manager security level.

File                 Location
cwallet.sso          RREG_HOME/output/Agent_ID/
ObAccessClient.xml   RREG_HOME/output/Agent_ID/

Note:

The cwallet.sso entry applies to OHS 12.2.1.3. For earlier releases of OHS, see the Oracle IDM documentation.

The following table lists the additional files that are created if you are using the SIMPLE or CERT security level for Oracle Access Manager:

File                              Location
aaa_key.pem                       RREG_HOME/output/Agent_ID/
aaa_cert.pem                      RREG_HOME/output/Agent_ID/
password.xml                      RREG_HOME/output/Agent_ID/
aaa_chain.pem (CERT level only)   RREG_HOME/output/Agent_ID/

Note that the password.xml file contains the obfuscated global passphrase used to encrypt the private key used in SSL. This passphrase can be different from the passphrase used on the server.

You can use the files generated by RREG to generate a certificate request and get it signed by a third-party Certification Authority. To install an existing certificate, you must use the existing aaa_cert.pem and aaa_chain.pem files along with password.xml and aaa_key.pem.

Copying Generated Artifacts to the Oracle HTTP Server WebGate Instance Location

After the RREG Tool generates the required artifacts, manually copy the artifacts from the RREG_HOME/output/Agent_ID directory to the Oracle HTTP Server configuration directory on the web tier host.

The location of the files in the Oracle HTTP Server configuration directory depends upon the Oracle Access Manager security mode setting (OPEN, SIMPLE, or CERT).

The following table lists the required location of each generated artifact in the Oracle HTTP Server configuration directory, based on the security mode setting for Oracle Access Manager. In some cases, you might have to create the directories if they do not exist already. For example, the wallet directory might not exist in the configuration directory.

Note:

For an enterprise deployment, Oracle recommends simple mode, unless additional requirements exist to implement custom security certificates for the encryption of authentication and authorization traffic. The information about using open or certification mode is provided here as a convenience.

Avoid using open mode, because in open mode, traffic to and from the Oracle Access Manager server is not encrypted.

For more information about using certificate mode or about Oracle Access Manager supported security modes in general, see Securing Communication Between OAM Servers and WebGates in Administrator's Guide for Oracle Access Management.

Table 19-2 Web Tier Host Location to Copy the Generated Artifacts

wallet/cwallet.sso (see Footnote 1)
    OPEN mode: WEB_CONFIG_DIR/webgate/config/wallet/
    SIMPLE mode: WEB_CONFIG_DIR/webgate/config/wallet/ (By default the wallet folder is not available. Create the wallet folder under WEB_CONFIG_DIR/webgate/config/.)
    CERT mode: WEB_CONFIG_DIR/webgate/config/wallet/

ObAccessClient.xml
    OPEN mode: WEB_CONFIG_DIR/webgate/config/
    SIMPLE mode: WEB_CONFIG_DIR/webgate/config/
    CERT mode: WEB_CONFIG_DIR/webgate/config/

password.xml
    OPEN mode: N/A
    SIMPLE mode: WEB_CONFIG_DIR/webgate/config/
    CERT mode: WEB_CONFIG_DIR/webgate/config/

aaa_key.pem
    OPEN mode: N/A
    SIMPLE mode: WEB_CONFIG_DIR/webgate/config/simple/
    CERT mode: WEB_CONFIG_DIR/webgate/config/

aaa_cert.pem
    OPEN mode: N/A
    SIMPLE mode: WEB_CONFIG_DIR/webgate/config/simple/
    CERT mode: WEB_CONFIG_DIR/webgate/config/

Footnote 1: Copy cwallet.sso from the wallet folder and not from the output folder. Even though there are two files with the same name, they are different. The one in the wallet subdirectory is the correct one.

Note:

If you need to redeploy the ObAccessClient.xml to WEBHOST1 and WEBHOST2, delete the cached copy of ObAccessClient.xml and its lock file, ObAccessClient.xml.lck, from the servers. The cache location on WEBHOST1 is:

WEB_DOMAIN_HOME/servers/ohs1/cache/

Perform the same step for the second Oracle HTTP Server instance on WEBHOST2:

WEB_DOMAIN_HOME/servers/ohs2/cache/
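
As an added example (not code from the Oracle documentation or the RREG tool), the following Python helper copies the RREG artifacts into WEB_CONFIG_DIR according to Table 19-2, takes cwallet.sso from the wallet subdirectory as Footnote 1 requires, creates the wallet folder when it is missing, and removes the cached ObAccessClient.xml and ObAccessClient.xml.lck named in the note above. The RREG output tree and OHS cache directories it builds are constructed for the demonstration; WEB_CONFIG_DIR, WEB_DOMAIN_HOME and Agent_ID stand in for your own values.

```python
"""Copy the RREG output artifacts for one agent into the Oracle HTTP Server
configuration directory as laid out in Table 19-2: cwallet.sso comes from the
wallet subdirectory (Footnote 1), the wallet folder is created when missing, and
the cached ObAccessClient.xml and .lck files are purged on each OHS instance.
The tree built by build_sample_tree is constructed for this demonstration."""
import os
import shutil
import tempfile

# Table 19-2: subdirectory under WEB_CONFIG_DIR/webgate/config per file and mode.
# "" means the config directory itself; None means the file is unused in that mode.
ARTIFACT_LAYOUT = {
    "cwallet.sso":        {"OPEN": "wallet", "SIMPLE": "wallet", "CERT": "wallet"},
    "ObAccessClient.xml": {"OPEN": "",       "SIMPLE": "",       "CERT": ""},
    "password.xml":       {"OPEN": None,     "SIMPLE": "",       "CERT": ""},
    "aaa_key.pem":        {"OPEN": None,     "SIMPLE": "simple", "CERT": ""},
    "aaa_cert.pem":       {"OPEN": None,     "SIMPLE": "simple", "CERT": ""},
}
STALE_CACHE_FILES = ("ObAccessClient.xml", "ObAccessClient.xml.lck")


def stage_artifacts(rreg_output_dir, web_config_dir, mode, cache_dirs=()):
    """Copy the artifacts for `mode` from RREG_HOME/output/Agent_ID into
    WEB_CONFIG_DIR and clear stale cache copies. Returns {file: destination}."""
    mode = mode.upper()
    if mode not in ("OPEN", "SIMPLE", "CERT"):
        raise ValueError("mode must be OPEN, SIMPLE or CERT")
    config_dir = os.path.join(web_config_dir, "webgate", "config")
    copied = {}
    for name, per_mode in ARTIFACT_LAYOUT.items():
        sub = per_mode[mode]
        if sub is None:
            continue
        # Footnote 1: the wallet's cwallet.sso, never the one in the output root.
        parts = ("wallet", name) if name == "cwallet.sso" else (name,)
        src = os.path.join(rreg_output_dir, *parts)
        if not os.path.isfile(src):
            raise FileNotFoundError("%s mode requires %s" % (mode, src))
        dest_dir = os.path.join(config_dir, sub)   # sub == "" keeps config_dir
        os.makedirs(dest_dir, exist_ok=True)       # wallet/ is absent by default
        copied[name] = shutil.copy2(src, os.path.join(dest_dir, name))
    # Redeployment note: remove the cached ObAccessClient.xml and its lock file
    # from WEB_DOMAIN_HOME/servers/ohsN/cache/ on every instance.
    for cache in cache_dirs:
        for stale in STALE_CACHE_FILES:
            path = os.path.join(cache, stale)
            if os.path.exists(path):
                os.remove(path)
    return copied


def _write(path, content):
    with open(path, "w") as fh:
        fh.write(content)


def build_sample_tree(base):
    """Construct a fake RREG_HOME/output/Agent_ID and two OHS cache directories."""
    out = os.path.join(base, "rreg", "output", "Agent_ID")
    os.makedirs(os.path.join(out, "wallet"))
    for name in ("ObAccessClient.xml", "password.xml", "aaa_key.pem", "aaa_cert.pem"):
        _write(os.path.join(out, name), "sample " + name)
    _write(os.path.join(out, "cwallet.sso"), "wrong copy from the output root")
    _write(os.path.join(out, "wallet", "cwallet.sso"), "correct copy from wallet/")
    caches = [os.path.join(base, "domain", "servers", s, "cache") for s in ("ohs1", "ohs2")]
    for cache in caches:
        os.makedirs(cache)
        for stale in STALE_CACHE_FILES:
            _write(os.path.join(cache, stale), "stale")
    return out, os.path.join(base, "web_config"), caches


def run_demo(mode="SIMPLE"):
    """Stage into a throwaway tree; return (relative destinations, wallet
    contents, number of stale cache files left behind)."""
    base = tempfile.mkdtemp()
    try:
        out, web_config, caches = build_sample_tree(base)
        copied = stage_artifacts(out, web_config, mode, caches)
        with open(copied["cwallet.sso"]) as fh:
            wallet = fh.read()
        stale_left = sum(os.path.exists(os.path.join(c, f))
                         for c in caches for f in STALE_CACHE_FILES)
        rel = {n: os.path.relpath(p, web_config).replace(os.sep, "/")
               for n, p in copied.items()}
    finally:
        shutil.rmtree(base)
    return rel, wallet, stale_left
```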

Insert OHS SimpleCA Certificate into the Wallet Artifact

If the OHS servers have been configured with an 11g or earlier version of the OAM server, you must insert the OHS SimpleCA certificate into the wallet file artifact that was deployed in Copying Generated Artifacts to the Oracle HTTP Server WebGate Instance Location.

Complete the following steps:
  1. On WEBHOST1, go to the following directory:

    WEB_CONFIG_DIR/webgate/config/wallet

  2. Run the following command to insert the SimpleCA certificate into the wallet file:

    WEB_ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet ./ -trusted_cert -cert WEB_ORACLE_HOME/webgate/ohs/tools/openssl/simpleCA/cacert.pem -auto_login_only

    The following output is displayed:

    Oracle PKI Tool : Version 12.2.1.3.0
    Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.

    Operation is successfully completed.

  3. Validate the certificate insertion with the following command:

    WEB_ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet ./

    The following output is displayed:

    Oracle PKI Tool : Version 12.2.1.3.0
    Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.

    Requested Certificates:
    User Certificates:
    Oracle Secret Store entries: OAMAgent@#3#@wcedgRwse01Env1Ps3_Key
    Trusted Certificates:
    Subject: CN=NetPoint Simple Security CA - Not for General Use,OU=NetPoint,O=Oblix\, Inc.,L=Cupertino,ST=California,C=US

  4. Repeat steps 1 through 3 on WEBHOST2.

Enable MD5 Certificate Signatures for the Oracle HTTP Server Instances

Some releases of Oracle Access Management Server implement simple mode security certificates by using MD5 signatures unless upgraded or patched appropriately. Oracle recommends that, if possible, the OAM certificates are upgraded to SHA-2 certificates. This might not be possible for customers who have several versions of Oracle HTTP Server to contend with.

If upgrading the certificates is not possible, support for MD5 signatures must be enabled manually to make Oracle HTTP Server 12.2.1.x work with the MD5 certificates of Oracle Access Manager 11g when you use a WebGate in simple security mode.

To enable MD5 certificate signatures on each OHS instance, complete the following steps:
  1. On WEBHOST1, change to the following directory:

    WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1

  2. Open the ohs.plugins.nodemanager.properties file, add the following line, and save the file.
    environment.ORACLE_SSL_ALLOW_MD5_CERT_SIGNATURES = 1
  3. Repeat steps 1 and 2 for all other instances on the WEBHOSTn servers.

    For example, the ohs2 instance on WEBHOST2.

    Note:

    The change takes effect when the instances are restarted in the next topic.

Restarting the Oracle HTTP Server Instance

For information about restarting the Oracle HTTP Server instance, see Restarting Oracle HTTP Server Instances by Using WLST in Administering Oracle HTTP Server.

If you have configured Oracle HTTP Server in a WebLogic Server domain, you can also use Oracle Fusion Middleware Control to restart the Oracle HTTP Server instances. See Restarting Oracle HTTP Server Instances by Using Fusion Middleware Control in Administering Oracle HTTP Server.

Setting Up the WebLogic Server Authentication Providers

To set up the WebLogic Server authentication providers, back up the configuration files, set up the Oracle Access Manager Identity Assertion Provider and set the order of providers.

The following topics assume that you have already configured the LDAP authenticator by following the steps in Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group. If you have not already created the LDAP authenticator, then do so before you continue with this section.

Backing Up Configuration Files

To be safe, you should first back up the relevant configuration files:

ASERVER_HOME/config/config.xml
ASERVER_HOME/config/fmwconfig/jps-config.xml
ASERVER_HOME/config/fmwconfig/system-jazn-data.xml

Also back up the boot.properties file for the Administration Server:

ASERVER_HOME/servers/AdminServer/security/boot.properties

Setting Up the Oracle Access Manager Identity Assertion Provider

Set up an Oracle Access Manager identity assertion provider in the Oracle WebLogic Server Administration Console.

To set up the Oracle Access Manager identity assertion provider:
  1. Log in to the WebLogic Server Administration Console, if not already logged in.
  2. Click Lock & Edit.
  3. Click Security Realms in the left navigation bar.
  4. Click the myrealm default realm entry.
  5. Click the Providers tab.
  6. Click New, and select the asserter type OAMIdentityAsserter from the drop-down menu.
  7. Name the asserter (for example, OAM ID Asserter), and click OK.
  8. Click the newly added asserter to see the configuration screen for the Oracle Access Manager identity assertion provider.
  9. Set the control flag to REQUIRED.
  10. Under Chosen types, select both the ObSSOCookie and OAM_REMOTE_USER options, if they are not selected by default.
  11. Click Save to save the settings.
  12. Click Activate Changes to propagate the changes.

Updating the Default Authenticator and Setting the Order of Providers

Set the order of identity assertion and authentication providers in the WebLogic Server Administration console.

To update the default authenticator and set the order of the providers:
  1. Log in to the WebLogic Server Administration Console, if not already logged in.
  2. Click Lock & Edit.
  3. From the left navigation, select Security Realms.
  4. Click the myrealm default realm entry.
  5. Click the Providers tab.
  6. From the table of providers, click the DefaultAuthenticator.
  7. Set the Control Flag to SUFFICIENT.
  8. Click Save to save the settings.
  9. From the navigation breadcrumbs, click Providers to return to the list of providers.
  10. Click Reorder.
  11. Sort the providers to ensure that the OAM Identity Assertion provider is first and the DefaultAuthenticator provider is last.

    Table 19-3 Sort order

    Sort Order   Provider                          Control Flag
    1            OAMIdentityAsserter               REQUIRED
    2            LDAP Authentication Provider      SUFFICIENT
    3            DefaultAuthenticator              SUFFICIENT
    4            Trust Service Identity Asserter   N/A
    5            DefaultIdentityAsserter           N/A

  12. Click OK.
  13. Click Activate Changes to propagate the changes.
  14. Shut down the Administration Server, Managed Servers, and any system components, as applicable.
  15. Restart the Administration Server.
  16. If you are going to configure ADF consoles with SSO, you can keep the managed servers down and restart them later. If not, you need to restart managed servers now.
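The control flags in Table 19-3 matter because WebLogic walks the authenticators with JAAS semantics. The following added example (not Oracle's or WebLogic's code; provider names, the user stores and the OAM_REMOTE_USER lookup are constructed stand-ins) models that walk and shows why leaving DefaultAuthenticator at its initial REQUIRED flag rejects users who exist only in the enterprise LDAP directory.

```python
"""Added example (not Oracle's code): a small model of why Table 19-3 sets the
OAM identity asserter to REQUIRED and both authenticators to SUFFICIENT.
Provider names and the sample user stores are constructed for illustration."""


def assert_identity(headers):
    """Stand-in for OAMIdentityAsserter.  WebGate adds the OAM_REMOTE_USER
    header to requests it has already authenticated; the asserter turns that
    header into the principal name that the authenticators then look up."""
    return headers.get("OAM_REMOTE_USER")


def authenticate(providers, username):
    """Walk the authentication providers in realm order using JAAS control-flag
    semantics as WebLogic applies them:
      REQUIRED   - must succeed; the walk continues either way
      SUFFICIENT - success ends the walk (unless a REQUIRED provider already
                   failed); failure moves on to the next provider
      OPTIONAL   - result noted, walk continues
    Returns (login_succeeded, names_of_providers_consulted)."""
    consulted, any_success, required_failed = [], False, False
    for name, flag, known_users in providers:
        consulted.append(name)
        ok = username in known_users  # stand-in for the real credential check
        if ok:
            any_success = True
        if flag == "REQUIRED" and not ok:
            required_failed = True
        elif flag == "SUFFICIENT" and ok and not required_failed:
            break
    return (any_success and not required_failed), consulted


# Constructed user stores: enterprise users live only in the LDAP directory,
# the domain's boot user lives only in the embedded LDAP behind DefaultAuthenticator.
LDAP_USERS = {"jdoe", "asmith"}
EMBEDDED_USERS = {"weblogic"}

# Authenticators in the order and with the flags from Table 19-3
# (the identity asserters are not part of this walk).
PAGE_ORDER = [
    ("LDAP Authentication Provider", "SUFFICIENT", LDAP_USERS),
    ("DefaultAuthenticator", "SUFFICIENT", EMBEDDED_USERS),
]

# The out-of-the-box state: DefaultAuthenticator first and still REQUIRED.
INITIAL_STATE = [
    ("DefaultAuthenticator", "REQUIRED", EMBEDDED_USERS),
    ("LDAP Authentication Provider", "SUFFICIENT", LDAP_USERS),
]

if __name__ == "__main__":
    user = assert_identity({"OAM_REMOTE_USER": "jdoe"})
    print(authenticate(PAGE_ORDER, user))        # (True, ['LDAP Authentication Provider'])
    print(authenticate(PAGE_ORDER, "weblogic"))  # (True, [both providers consulted])
    print(authenticate(INITIAL_STATE, user))     # (False, ...): the SSO user is rejected
```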

Configuring Oracle ADF and OPSS Security with Oracle Access Manager

Some Oracle Fusion Middleware management consoles use Oracle Application Development Framework (Oracle ADF) security, which can integrate with Oracle Access Manager Single Sign On (SSO). These applications can take advantage of Oracle Platform Security Services (OPSS) SSO for user authentication, but you must first configure the domain-level jps-config.xml file to enable these capabilities.

The domain-level jps-config.xml file is located in the following location after you create an Oracle Fusion Middleware domain:

ASERVER_HOME/config/fmwconfig/jps-config.xml

Note:

The domain-level jps-config.xml should not be confused with the jps-config.xml that is deployed with custom applications.

To update the OPSS configuration to delegate SSO actions in Oracle Access Manager, complete the following steps:
  1. Change to the following directory:
    ORACLE_COMMON_HOME/common/bin
  2. Start the WebLogic Server Scripting Tool (WLST):
    ./wlst.sh
  3. Connect to the Administration Server, by using the following WLST command:
    connect('admin_user','admin_password','admin_url')

    For example:

    connect('weblogic_wcp','mypassword','t3://ADMINVHN:7001')

  4. Run the addOAMSSOProvider command, as shown:
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html")

    The following table defines the expected value for each argument in the addOAMSSOProvider command.

    Table 19-4 Expected Values for the Arguments in the addOAMSSOProvider command

    Argument       Definition

    loginuri       Specifies the URI of the login page.

                   Note: For ADF security enabled applications, "/context-root/adfAuthentication" should be provided for the 'loginuri' parameter. For example: /${app.context}/adfAuthentication

                   Note: ${app.context} must be entered as shown. At runtime, the application replaces the variable appropriately.

                   Here is the flow:
                   1. The user accesses a resource that has been protected by authorization policies in OPSS, for example.
                   2. If the user is not yet authenticated, ADF redirects the user to the URI configured in loginuri.
                   3. Access Manager should have a policy to protect the value in loginuri, for example "/context-root/adfAuthentication".
                   4. When ADF redirects to this URI, Access Manager displays a login page (depending on the authentication scheme configured in Access Manager for this URI).

    logouturi      Specifies the URI of the logout page. The value of logouturi is usually /oam/logout.html.

    autologinuri   Specifies the URI of the autologin page. This is an optional parameter.

  5. Disconnect from the Administration Server by entering the following command:
    disconnect()
  6. Restart the Administration Server and the managed servers.

Additional Single Sign-on Configurations

The configurations described in the following sections may be necessary or helpful in providing additional security for your site.

Configuring WebCenter Portal for SSO

Configure the WebCenter Portal application for SSO by adding a setting to EXTRA_JAVA_PROPERTIES.

There is a system property that tells WebCenter Portal and ADF that the application is configured in SSO mode and some special handling is required. The following system property is required in this mode:

Field                          Value   Comment
oracle.webcenter.spaces.osso   true    This flag tells WebCenter Portal that SSO is being used, so no login form should be displayed on the default landing page. Instead, it displays a login link that the user can click to invoke the SSO authentication.

To set this property:

  1. Edit the setUserOverridesLate.sh script in the ASERVER_HOME/bin folder on WCCHOST1. Add the -Doracle.webcenter.spaces.osso=true Java system property name-value pair to the end of the EXTRA_JAVA_PROPERTIES variable value.

    For example:

    EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Doracle.webcenter.spaces.osso=true"
    export EXTRA_JAVA_PROPERTIES

    Note:

    For a comprehensive example, including how to set this value for the portal servers only rather than domain-wide, see Customizing Server Parameters with the setUserOverridesLate Script.
  2. Copy this file to MSERVER_HOME/bin on WCPHOST1, WCPHOST2, WCCHOST1, and WCCHOST2.
  3. Restart the Managed Servers in the Portal_Cluster from the WebLogic Server Console or WLST.

Configuring OAM Policies for WebCenter Portal REST Interfaces

The WebCenter Portal REST APIs need to be configured for a stateless basic authentication scheme in Oracle Access Manager.

To set up a new Authentication Scheme, complete the following steps:
  1. Open the OAM Admin Console.
  2. Navigate to your Application Domain's Authentication Policies view.

    For example, Launch Pad > Access Manager Application Domains Link > search > your application domain > Authentication Policies Tab.

  3. Select the Protected Resource Policy authentication policy (not authorization).
  4. Sort the list of resources by Resource URL and locate rows for the /rest resource URLs.
  5. Individually, delete the association of each of the /rest/... related resources from the Protected Resource Policy.
  6. Click Apply and close the Protected Resource Policy view tab.
  7. Select the Public Resource Policy authentication policy (not authorization).
  8. Sort the list of resources by Resource URL and locate rows for the /rest/ resource URLs.
  9. Individually, delete the association of each of the /rest/... related resources from the Public Resource Policy.
  10. Click Apply and close the Public Resource Policy view tab.
  11. On the Authentication Policies view, click Create.
  12. Enter the following attribute values:

    Table 19-5 Attribute values

    Attribute               Value
    Name                    WebCenter REST Policy
    Description             Protected, Basic Sessionless Authentication scheme that protects access to some URIs.
    Authentication Scheme   BasicSessionlessScheme
    Success URL             <empty>
    Failure URL             <empty>

  13. On the Resources tab, Click Add.
  14. In the Add Resources dialog box, search for a Resource URL of: /rest.
  15. Select all the returned rows starting with /rest, except for any of the /rest/api/cmis Resource URLs, then click Add Selected.

    Note:

    • The /rest/api/cmis resources should be configured with a Protection Level of Excluded.

    • Use the shift key to select a range of rows, and be sure to scroll if required to select the complete list.

  16. Confirm that the resources selected in the previous step appear in the resources table for the new WebCenter REST Policy.
  17. Click Apply. Do not configure any responses or advanced rules.

Configuring OAM for RSS Feeds Using External Readers

By default, WebCenter Portal RSS feeds are protected by SSO. However, they will not work well with external readers if left protected. If access using external readers is important, Oracle recommends that the WebCenter Portal RSS resource be excluded from the OAM policy so that the authentication for the RSS Servlet is handled by WebLogic Server's BASIC authentication that external readers can handle.

Follow the steps below to unprotect the RSS feeds for OAM 11g:

  1. Open the OAM Admin Console.
  2. Navigate to your Application Domain's Resources view.

    For example,

    Launch Pad > Access Manager Application Domains Link > search > your application domain > Resources tab.

  3. On the Resources view, use the search form filtering by a Resource type of HTTP and a Resource URL of rss.

    A result with the following resource URLs appears:

    /rss/**
    /rss*
    /rss/.../*
    /rss/rssservlet/**
    /rss/rssservlet*
    /rsscrawl/**
    /rsscrawl*
    /rsscrawl/.../*

    Note:

    Depending on the release of Oracle Access Manager in use, the syntax for these resource URLs may vary slightly.
  4. For each resource, select the resource row and click Edit.
  5. Review and update the Protection Level assigned to each of these six resources. Resources that are currently Protected should be changed to Excluded.

    Public resources (for example, /rss*) can optionally be changed to Excluded, or left as Public.

    Note that the resource's authentication policy and authorization policy are removed if the Protection Level is set to Excluded.

    Note:

    A protection level of Public provides Oracle Access Manager audit logging of requests for user-facing public service endpoints that are either unauthenticated or require authentication models other than user-facing SSO. The audit-only transaction for public resources includes additional workload imposed on the system for requests that are not authenticated or authorized by Oracle Access Manager. The additional workload for auditing public resource requests will be dependent on request rates and the capacity of your infrastructure. Use of the Excluded protection level avoids this overhead as requests to excluded resources are not logged or reported by Oracle Access Manager.

Configuring the WebLogic Server Administration Console and Enterprise Manager for OAM 11g

This section describes how to optionally set up OAM 11g single sign-on for the WebLogic Server Administration Console and Enterprise Manager.

Note:

  • Setting up OAM SSO for Enterprise Manager and the WebLogic Server Administration Console provides single sign-on access to the same set of users for whom OAM SSO access has been configured. If you want the web tier to be accessible to external users through OAM, but want administrators to log in directly to Enterprise Manager and the WebLogic Server Administration Console, then you may not want to complete this additional configuration step.

  • The OAM policy resource protections may have been completed in the Updating the Protected, Public, and Excluded Resources for an Enterprise Deployment section earlier in this chapter. Note that the rewrite rule for admin SSO logout should still be completed. If you want to reverse that configuration, follow the steps in this section and change the protection level from Protected to Public.

To set up OAM 11g SSO for the WebLogic Server Administration Console and Enterprise Manager:

  1. Log in to the OAM Console using your browser:

    http://host:port/oamconsole
    
  2. From the Launch Pad, select the Application Domains link found in the Access Manager block.

    The Search Application Domains pane is displayed.

  3. Navigate to your Application Domain's Resources view.

    For example,

    Launch Pad > Access Manager Application Domains Link > search > your application domain > Resources tab.

  4. In the Resources tab, click Create.

    The Resource page displays.

  5. Add the resources that must be secured. For each resource:

    1. Select http as the Resource Type.

    2. Select the Host Identifier created while registering the WebGate agent.

    3. Enter the Resource URL for the WebLogic Server Administration Console (/console) or Enterprise Manager (/em).

    4. Enter a Description for the resource and click Apply.

    5. Set the Protection Level to Protected.

  6. Go to Authentication Policies > Protected Resource Policy and add the newly created resource.

  7. Do the same under Authorization Policies > Protected Resource Policy.

  8. On WEBHOST1 and WEBHOST2, update the admin_vh.conf file and add a RewriteRule to enable SSO logout for the WLS Console.

    <VirtualHost WEBHOST1:7777>
     ServerName admin.example.com:80
     ServerAdmin you@your.address
     RewriteEngine On
     RewriteOptions inherit

     # SSO logout redirection for WLS Console
     RewriteRule ^/console/jsp/common/logout.jsp "/oamsso/logout.html?end_url=/console" [R]

    </VirtualHost>

  9. Restart the Oracle HTTP Server for your changes to take effect.

    You should now be able to access the WebLogic Server Administration Console and Enterprise Manager with the following links:

    http://admin.example.com/console
    http://admin.example.com/em
    

    and be prompted with the OAM SSO login form.

Configuring Secure Enterprise Search for SSO

The crawl sources that are defined to crawl WebCenter Portal data and repositories used by WebCenter Portal and the corresponding authentication end points defined in SES must be routed through the Web Tier Oracle HTTP Server ports so that they can be properly authenticated (the authentication method continues to be BASIC and realm jazn.com).

For information about configuring SES connections, see Setting Up Oracle SES Connections in Administering Oracle WebCenter Portal.

Configuring Content Server for SSO

Once SSO is functional, the portal connection to Content Server should be updated to set the web context root path. Setting this parameter tells the Document Library code that SSO is configured. Note that the webContextRoot value should not be set until after SSO has been set up and is functional.

  1. Change directory to the following directory:
    cd ORACLE_COMMON_HOME/common/bin
  2. Start the WebLogic Server Scripting Tool (WLST):
    ./wlst.sh
  3. Connect to the Administration Server, using the following WLST command:
    connect('admin_user','admin_password','admin_url')

    For example:

    connect('weblogic_wcp','mypassword','t3://ADMINVHN:7001')

  4. List the available content server connections and identify the correct connection name to use in the next command.
    listContentServerConnections(appName='webcenter', server='WC_Portal1')
    
  5. Set the webContextRoot value for the Portal's Content Server connection as follows, substituting the correct value for the name parameter.
    setContentServerConnection(appName='webcenter', server='WC_Portal1', name='nameFromStep4', webContextRoot='/cs')
    
  6. Restart the Portal clustered managed servers from your WLST session:
    shutdown('Portal_Cluster', 'Cluster', block='true', force='true')
    start('Portal_Cluster', 'Cluster')
    
  7. Exit WLST.
    exit()

Restricting Access with Connection Filters

Follow the steps below to allow users to access WebCenter Portal and associated components only through the web tier OHS ports, so that they can be properly authenticated.

  1. Log in to the WebLogic Server Administration Console.
  2. In the Domain Structure pane, select the domain you want to configure (for example, webcenter).
  3. Open the Security tab and the Filter subtab.

    The Security Filter Settings pane displays.

  4. Check Connection Logger Enabled to enable the logging of accepted messages.

    The Connection Logger logs successful connections and connection data in the server. You can use this information to debug problems relating to server connections.

  5. In the Connection Filter field, specify the connection filter class to be used in the domain.
    • To configure the default connection filter, specify weblogic.security.net.ConnectionFilterImpl.

    • To configure a custom connection filter, specify the class that implements the network connection filter. Note that this class must also be present in the CLASSPATH for WebLogic Server.

  6. In the Connection Filter Rules field, enter the syntax for the connection filter rules.

    Note:

    Make sure to add the IP addresses or subnets of the web tier, the load balancer, the end-user access point, and the hosts that contain the rest of the domain's managed servers. Otherwise, you will encounter a 403 error when trying to access the Administration Server.

    For example:

    <webtier IP>/0 * * allow
    0.0.0.0/0  *  *  deny
    

    which says: allow all traffic coming from the local host and disallow all traffic from any other IP address. You should, of course, write the network filter(s) that are relevant to your environment. For more information about writing connection filters, see Developing Custom Connection Filters in Developing Applications with the WebLogic Security Service.

  7. Click Save and activate the changes.
  8. Restart all the managed servers and the Administration server.
  9. Verify that all direct traffic to the WebLogic Server is blocked by attempting to navigate to:
    http://wcp.example.com/webcenter
    

    This should produce the following error:

    "The Server is not able to service this request: [Socket:000445]Connection rejected, filter blocked Socket, weblogic.security.net.FilterException: [Security:090220]rule 3"

    You should, however, still be able to access WebCenter Portal through the OHS port:

    http://wcp.example.com/webcenter
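Because a mistake in the rules locks administrators out until the servers are restarted again, it is worth checking a rule set before step 7. The following added script (not Oracle's or WebLogic's code; the addresses are constructed) models the first-match evaluation that weblogic.security.net.ConnectionFilterImpl applies to rules in the target localAddress localPort action [protocols] format, and shows a caveat with the example above: a /0 mask compares no address bits, so a target written as <webtier IP>/0 matches every source and the trailing deny rule never fires; a single host needs /32.

```python
"""Added example (not Oracle's or WebLogic's code): a model of how a rule set
in the Connection Filter Rules field is evaluated.  Rule format:
    target localAddress localPort action [protocols...]
Rules are tried in order and the first match decides; a connection that matches
no rule is allowed in this model, which is why the page ends its example with
a catch-all deny.  All addresses below are constructed."""
import ipaddress


def parse_rules(text):
    """Parse one rule per line; '#' starts a comment.  The target may be a bare
    address, address/prefix-bits or address/dotted-mask."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        target, local_addr, local_port, action, *protocols = line.split()
        if "/" not in target:
            target += "/32"  # a bare address means exactly that host
        net = ipaddress.ip_network(target, strict=False)
        rules.append((net, local_addr, local_port, action.lower(), set(protocols)))
    return rules


def evaluate(rules, remote_ip, local_addr, local_port, protocol):
    """Return (action, rule_number) for the first matching rule, or
    ('allow', None) when nothing matches."""
    remote = ipaddress.ip_address(remote_ip)
    for number, (net, la, lp, action, protos) in enumerate(rules, start=1):
        if remote not in net:
            continue
        if la != "*" and la != local_addr:
            continue
        if lp != "*" and int(lp) != local_port:
            continue
        if protos and protocol not in protos:
            continue
        return action, number
    return "allow", None


WEBTIER_IP = "10.0.1.10"  # constructed stand-in for <webtier IP>

# The pattern with a /0 mask: /0 compares no address bits, so the first rule
# matches every source and the deny rule can never fire.
LOOSE_RULES = f"""
{WEBTIER_IP}/0 * * allow
0.0.0.0/0  *  *  deny
"""

# The same intent with a host mask: only the web tier reaches the servers.
STRICT_RULES = f"""
{WEBTIER_IP}/32 * * allow
0.0.0.0/0  *  *  deny
"""


def check(rules_text, remote_ip):
    """Evaluate a constructed HTTP connection to a managed server on port 8888."""
    return evaluate(parse_rules(rules_text), remote_ip, "10.0.2.20", 8888, "http")


if __name__ == "__main__":
    print(check(LOOSE_RULES, "203.0.113.7"))   # ('allow', 1): outsider gets through
    print(check(STRICT_RULES, "203.0.113.7"))  # ('deny', 2)
    print(check(STRICT_RULES, WEBTIER_IP))     # ('allow', 1)
```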

Configuring Portlet Producers and Additional Components

If you have set up your Portlet Producer applications to route through OHS, be sure to use the OHS host and port, that is, the internal load-balancer URL (for example, http://wcp-internal.example.com/...), when specifying producer URLs for registration. This applies to out-of-the-box producers such as wsrp-tools, services-producer, and pagelet producers, and to any other producer you have explicitly configured.