18 Integrating with Oracle Identity Management

This chapter describes how to integrate Oracle WebCenter Content with Oracle Identity Management.

This chapter includes the following sections:

18.1 Overview of Integrating with Oracle Identity Management

Oracle Access Manager is the recommended single sign-on solution for Oracle Fusion Middleware 11g Release 1. You can integrate an Oracle Fusion Middleware enterprise deployment with Oracle Identity Management 11g. The following sections describe how to integrate the policy store and identity store for the Oracle WebCenter Content domain with Oracle Identity Management.

Note:

When integrating with Oracle Identity Management, use the transport mode currently in use by the Oracle Access Management servers; for example, Open, Simple, or Cert.

Table 18-1 lists the high-level steps for integrating Oracle Identity Management 11g with an Oracle WebCenter Content enterprise deployment.

Table 18-1 Steps for Integrating with Oracle Identity Management 11g

  • Step: Register the WebGate agent
    Description: Register the WebGate agent using the RREG tool.
    More information: Section 18.3.3, "Registering the WebGate Agent"

  • Step: Install and configure WebGate
    Description: Install WebGate on each of the WEBHOST machines, where Oracle HTTP Server has already been installed.
    More information: Section 18.3.4, "Setting Up WebGate"

  • Step: Set up WebLogic Server authentication providers
    Description: Set up the WebLogic Server authentication providers by backing up the configuration files, setting up the Oracle Access Manager identity assertion provider, and setting the order of providers.
    More information: Section 18.3.6, "Setting Up the WebLogic Server Authentication Providers"

  • Step: Reassociate the identity store with Oracle Internet Directory or another external LDAP authentication provider
    Description: Configure Oracle Internet Directory, Oracle Virtual Directory, or a third-party LDAP authentication provider as the identity store for the domain. Add the weblogic_ecm administration user to use for setting up the rest of the enterprise deployment topology.
    More information: Section 18.2, "Reassociating the Identity Store with an External LDAP Authentication Provider"


18.2 Reassociating the Identity Store with an External LDAP Authentication Provider

The following sections describe how to reassociate the identity store from the Oracle WebLogic Server default embedded LDAP store with Oracle Internet Directory, Oracle Virtual Directory, or a third-party external LDAP authentication provider:

18.2.1 Backing Up Configuration Files

To be safe, before you create the LDAP authentication provider, you should first back up the relevant configuration files:

ASERVER_HOME/config/config.xml
ASERVER_HOME/config/fmwconfig/jps-config.xml
ASERVER_HOME/config/fmwconfig/system-jazn-data.xml

Also back up the boot properties file for the Administration Server:

ASERVER_HOME/servers/AdminServer/security/boot.properties

In the reference topology, ASERVER_HOME is the /u01/oracle/config/domains/WCCDomain directory.

18.2.2 Creating the LDAP Authentication Provider

You can use the Oracle WebLogic Server Administration Console to set up the proper authenticator.

To create the LDAP authentication provider:

  1. Log in to the Administration Console.

  2. Click the Security Realms link on the left.

  3. Click the myrealm default realm entry to configure it.

  4. Open the Providers tab within the realm.

  5. Observe that there is a DefaultAuthenticator provider configured for the realm.

  6. Click Lock & Edit.

  7. Click the New button to add a new provider.

  8. Enter a name for the provider such as OIDAuthenticator for Oracle Internet Directory.

  9. Select the OracleInternetDirectoryAuthenticator type from the list of authenticators.

  10. Click OK.

  11. On the Providers screen, click the newly created Authenticator.

  12. Set the control flag to SUFFICIENT.

    This indicates that if a user can be authenticated successfully by this authenticator, then it should accept that authentication and should not continue to invoke any additional authenticators. If the authentication fails, it will fall through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flag set to SUFFICIENT; in particular, check DefaultAuthenticator and set it to SUFFICIENT.

  13. Click Save to save this setting.

  14. Open the Provider Specific tab to enter the details for the LDAP server.

  15. Enter the details specific to your LDAP server, as shown in the following table.

    Parameter: Host
    Value: For example: oid.example.com
    Description: The LDAP server's host name (server ID).

    Parameter: Port
    Value: For example: 636
    Description: The LDAP server's port number.

    Parameter: Principal
    Value: For example: cn=orcladmin
    Description: The LDAP user DN used to connect to the LDAP server.

    Parameter: Credential
    Value: NA
    Description: The password used to connect to the LDAP server.

    Parameter: SSL Enabled
    Value: Checked
    Description: Specifies whether the SSL protocol is used when connecting to the LDAP server.

    Parameter: User Base DN
    Value: For example: cn=Users,dc=us,dc=example,dc=com
    Description: Specify the DN under which your Users start.

    Parameter: Group Base DN
    Value: For example: cn=Groups,dc=us,dc=example,dc=com
    Description: Specify the DN that points to your Groups node.

    Parameter: Use Retrieved User Name as Principal
    Value: Checked
    Description: Must be turned on.

    Click Save when done.

  16. Click Activate Changes to propagate the changes.

18.2.3 Setting the Order of Providers

Reorder the Oracle Internet Directory Authenticator and Default Authenticator, and ensure that the control flag for each authenticator is set in the following order:

  • Oracle Internet Directory LDAP Authenticator: SUFFICIENT

  • Default Authenticator: SUFFICIENT

To set the order of providers:

  1. Log in to the WebLogic Server Administration Console, if not already logged in.

  2. Click Lock & Edit.

  3. Navigate to SecurityRealms, then the default realm name, and then Providers.

  4. Click Reorder and ensure that the control flags for the Oracle Internet Directory Authenticator, and Default Authenticator are set as follows:

    • Oracle Internet Directory LDAP Authenticator: SUFFICIENT

    • Default Authenticator: SUFFICIENT

      Note:

      Enterprise Capture authorization will not work correctly unless the Authentication Provider is set as SUFFICIENT.

  5. Click Save.

  6. Click Activate Changes to propagate the changes.

  7. Restart the Administration Server, as described in Section 10.3, "Restarting the Administration Server," and all Managed Servers in the domain.

    To restart the Managed Servers, stop all of them before you restart the Administration Server, and start them after you restart it.
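The control-flag behaviour described in step 12 of Section 18.2.2 and the provider order required in Section 18.2.3 can be checked against the following Python model, which is an added example and not part of the guide: it implements the JAAS rules WebLogic Server applies for all four control flags, not only SUFFICIENT, and its user sets are constructed.

```python
"""Model of how WebLogic Server evaluates a chain of authentication providers.

Added example, not from the guide. The user sets below are constructed: the OID
authenticator knows the weblogic_ecm user provisioned in Section 18.2.4, the
DefaultAuthenticator (embedded LDAP) knows only the original weblogic user.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def authenticate(chain, user):
    """Run `user` through `chain`, a list of
    (provider_name, control_flag, users_the_provider_can_authenticate).

    Returns (overall_success, providers_consulted). JAAS rules:
      REQUIRED   - must succeed; the chain continues either way.
      REQUISITE  - must succeed; a failure stops the chain immediately.
      SUFFICIENT - a success stops the chain immediately (unless an earlier
                   REQUIRED/REQUISITE already failed); a failure falls through.
      OPTIONAL   - never decisive on its own; the chain continues.
    Overall success requires every REQUIRED/REQUISITE provider that was
    consulted to have succeeded; if the chain holds no REQUIRED/REQUISITE
    provider, at least one SUFFICIENT/OPTIONAL provider must succeed.
    """
    has_mandatory = any(flag in (REQUIRED, REQUISITE) for _, flag, _ in chain)
    mandatory_failed = False
    non_mandatory_ok = False
    consulted = []
    for name, flag, known_users in chain:
        consulted.append(name)
        ok = user in known_users
        if flag in (REQUIRED, REQUISITE):
            if not ok:
                mandatory_failed = True
                if flag == REQUISITE:
                    break
        elif ok:
            non_mandatory_ok = True
            if flag == SUFFICIENT and not mandatory_failed:
                break  # accepted: later providers are not invoked
    if mandatory_failed:
        return False, consulted
    return (True if has_mandatory else non_mandatory_ok), consulted


OID_USERS = {"weblogic_ecm"}     # constructed: provisioned in Oracle Internet Directory
EMBEDDED_USERS = {"weblogic"}    # constructed: original user in the embedded LDAP

# The configuration Section 18.2.3 prescribes: both SUFFICIENT, OID first.
RECOMMENDED_CHAIN = [
    ("OIDAuthenticator", SUFFICIENT, OID_USERS),
    ("DefaultAuthenticator", SUFFICIENT, EMBEDDED_USERS),
]

# What goes wrong if DefaultAuthenticator is left REQUIRED and evaluated first:
# weblogic_ecm is absent from the embedded LDAP, so the mandatory provider fails
# and the later OID success cannot rescue the login.
DEFAULT_REQUIRED_FIRST = [
    ("DefaultAuthenticator", REQUIRED, EMBEDDED_USERS),
    ("OIDAuthenticator", SUFFICIENT, OID_USERS),
]


def outcomes(chain, users=("weblogic_ecm", "weblogic", "unknown_user")):
    """Map each user to (success, providers consulted) for the given chain."""
    return {u: authenticate(chain, u) for u in users}


if __name__ == "__main__":
    for label, chain in (("recommended", RECOMMENDED_CHAIN),
                         ("DefaultAuthenticator REQUIRED first", DEFAULT_REQUIRED_FIRST)):
        print(label)
        for user, (ok, consulted) in outcomes(chain).items():
            print("  %-13s %-5s via %s" % (user, ok, " -> ".join(consulted)))
```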

18.2.4 Moving the WebLogic Server Administrator to the LDAP Identity Store

This section provides details for provisioning a new administrator user and group for managing the Oracle WebCenter Content WebLogic Server domain in the enterprise deployment topology. This section describes the following tasks:

18.2.4.1 Provisioning Administrator Users and Groups in an LDAP Directory

As mentioned in the introduction to this section, users and groups from multiple WebLogic Server domains may be provisioned in a central LDAP user store. In such a case, there is a possibility that one WebLogic Server administration user may have access to all the domains within an enterprise. This is not a desirable situation. To avoid this, the users and groups provisioned must have a unique, distinguished name within the directory tree. After setting up and testing the entire enterprise deployment topology, you might want to set up a different system administrator with appropriate roles for each application.

For setting up the Oracle WebCenter Content WebLogic Server domain, provision a new system administrator named weblogic_ecm in the LDAP identity store with the following DNs:

  • Admin User DN:

    cn=weblogic_ecm,cn=Users,dc=us,dc=example,dc=com
    
  • Admin Group DN:

    cn=ECM Administrators,cn=Groups,dc=us,dc=example,dc=com
    

To provision the administration user and administration group in Oracle Internet Directory:

  1. Create an LDIF file named admin_user.ldif with the following contents, and then save the file:

    dn: cn=weblogic_ecm, cn=Users, dc=us, dc=example, dc=com
    orclsamaccountname: weblogic_ecm
    givenname: weblogic_ecm
    sn: weblogic_ecm
    userpassword: password
    mail: weblogic_ecm
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserV2
    uid: weblogic_ecm
    cn: weblogic_ecm
    description: Admin User for the Oracle WebCenter Content Domain
    
  2. Run the ldapadd command on the Oracle Internet Directory host located under the ORACLE_HOME/bin directory to provision the user in Oracle Internet Directory.

    Note:

    The Oracle home used here is the Oracle home for the Oracle Identity Management installation where Oracle Internet Directory resides.

    For example (all on a single line):

    ORACLE_HOME/bin/ldapadd -h oid.example.com -p 389 -D "cn=orcladmin" -w password -c -v -f PATH/admin_user.ldif
    
  3. Create an LDIF file named admin_group.ldif with the following contents, and then save the file:

    dn: cn=ECM Administrators, cn=Groups, dc=us, dc=example, dc=com
    displayname: ECM Administrators
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: orclGroup
    uniquemember: cn=weblogic_ecm, cn=Users, dc=us, dc=example, dc=com
    cn: ECM Administrators
    description: Administrators Group for the Oracle WebCenter Content Domain
    
  4. Run the ldapadd command on the Oracle Internet Directory host located under the ORACLE_HOME/bin directory to provision the group in Oracle Internet Directory (all on a single line):

    ORACLE_HOME/bin/ldapadd -h oid.example.com -p 389 -D "cn=orcladmin" -w password -c -v -f PATH/admin_group.ldif
    
  5. Create an LDIF file named administrators_group.ldif with the following contents, and then save the file:

    dn: cn=Administrators, cn=Groups, dc=us, dc=example, dc=com
    displayname: Default WLS Administrators
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: orclGroup
    cn: Administrators
    description: WL Administrators Group
    

    Note:

    Create the Administrators group only if it does not exist in Oracle Internet Directory.

  6. Run the ldapadd command on the Oracle Internet Directory host located under the ORACLE_HOME/bin directory to provision the Administrators group in Oracle Internet Directory:

    ORACLE_HOME/bin/ldapadd -h oid.example.com -p 389 -D "cn=orcladmin" -w password -c -v -f PATH/administrators_group.ldif
    
  7. Create an LDIF file named modify_administrators_group.ldif with the following contents, and then save the file:

    dn: cn=Administrators, cn=Groups, dc=us, dc=example, dc=com
    changetype: modify
    add: uniqueMember
    uniqueMember: cn=ECM Administrators, cn=Groups, dc=us, dc=example, dc=com
    
  8. Run the ldapmodify command on the Oracle Internet Directory host located under the ORACLE_HOME/bin directory to modify the Administrators group in Oracle Internet Directory:

    ORACLE_HOME/bin/ldapmodify -h oid.example.com -p 389 -D "cn=orcladmin" -w password -c -v -f PATH/modify_administrators_group.ldif
    

18.2.4.2 Assigning the Admin Role to the Admin Group

After adding the users and groups to Oracle Internet Directory, the group must be assigned the Admin role within the WebLogic Server domain security realm. This enables all users that belong to the group to be administrators for that domain.

To assign the Admin role to the Admin group:

  1. Log in to the WebLogic Server Administration Server Console.

  2. In the navigation tree on the left, click Security Realms.

  3. On the Summary of Security Realms page, click myrealm under the Realms table.

  4. On the Settings page for myrealm, open the Roles & Policies tab.

  5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to bring up the Global Roles page.

  6. On the Global Roles page, click the Admin role to bring up the Edit Global Role page:

    1. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.

    2. On the Choose a Predicate page, select Group from the drop-down list for predicates and click Next.

    3. On the Edit Arguments Page, specify ECM Administrators in the Group Argument field and click Add.

  7. Click Finish to return to the Edit Global Role page.

  8. The Role Conditions table now shows the ECM Administrators Group as an entry.

  9. Click Save to finish adding the Admin Role to the ECM Administrators Group.

  10. Validate that the changes were successful by bringing up the Administration Console using a web browser. Log in using the credentials for the weblogic_ecm user.

Note:

Each Oracle application in the Oracle WebCenter Content enterprise deployment topology may have its own predefined roles and groups defined for administration and monitoring purposes. By default, the Administrators group will allow these operations. However, this group may be too broad. For example, it may be undesirable that Oracle SOA Suite administrators are also administrators for the WebLogic Server domain where Oracle WebCenter Content applications are running. This is why it may be desirable, as suggested in this section, to create a more specific group such as ECM Administrators. For the various applications to allow the ECM Administrators group to administer the different systems, you need to add the required roles to that group. For example, for SOA Worklistapp's administration, add the SOAAdmin role. Refer to each component's specific roles for the required roles in each case.

18.2.4.3 Updating the boot.properties File and Restarting the System

The boot.properties file for the Administration Server should be updated with weblogic_ecm, the WebLogic Server administration user created in Oracle Internet Directory.

To update the boot.properties file:

  1. On WCCHOST1, go to the following directory:

    cd ASERVER_HOME/servers/AdminServer/security
    

    In the reference topology, ASERVER_HOME is the /u01/oracle/config/domains/WCCDomain directory.

  2. Rename the existing boot.properties file:

    mv boot.properties boot.properties.backup
    
  3. Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:

    username=weblogic_ecm
    password=password
    
  4. Save the file.

  5. Restart the Administration Server, as described in Section 10.3, "Restarting the Administration Server."

18.2.5 Resetting Imaging Security for the New Identity Store

If you have already configured your Imaging Managed Server and you change the LDAP provider, the global user IDs (GUIDs) in the Imaging security tables will be invalid. Imaging caches the GUIDs from an external LDAP provider in its local security tables and uses these IDs for authentication. You can refresh the GUID values in the Imaging security tables with WLST commands or with Oracle Enterprise Manager Fusion Middleware Control.

Only users and groups that exist in both LDAP providers will have GUIDs refreshed. Imaging permissions assigned to users and groups from the previous LDAP will be refreshed to the users and groups that match in the new LDAP. The refreshIPMSecurity command will ignore any users or groups that do not match any users or groups in the new LDAP provider.

Note:

During the refresh, users or groups for whom matching identifying information is not found are ignored. As security changes are made, invalid users or groups are removed from the Imaging database.

18.2.5.1 Refreshing GUID values in Imaging Security Tables with WLST

If you want to refresh GUID values from a command line, you can use the Oracle WebLogic Scripting Tool (WLST).

To refresh GUID values in Imaging security tables with WLST:

  1. Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 8.4.3, "Starting the Administration Server on WCCHOST1."

  2. Log in to WCCHOST1, where the Administration Server is running.

  3. Navigate to the Oracle WebCenter Content home directory: MW_HOME/WCC_ORACLE_HOME.

  4. Invoke WLST:

    cd common/bin
    ./wlst.sh
    
  5. Connect to the Imaging Managed Servers:

    wls:/offline> connect()
    Please enter your username :weblogic_ecm
    Please enter your password : XXXXXXXXXXXXX
    Please enter your server URL [t3://localhost:7001] : t3://WCCHOST1VHN2:16000
    Connecting to t3://WCCHOST1VHN2:16000 with userid weblogic_ecm ...
    Successfully connected to Managed Server 'WLS_IMG1' that belongs to domain 'domainName'.

    Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.

    wls:/domainName/serverConfig> listIPMConfig()
    (This is just to check that the connection is to the right Imaging server.)

    wls:/domainName/serverConfig> refreshIPMSecurity()
    (This is the command that refreshes the GUIDs in the security tables.)

    wls:/domainName/serverConfig> exit()
    
  6. Log in to Imaging to verify user and group security.

18.2.5.2 Refreshing GUID values in Imaging Security Tables with Fusion Middleware Control

If you want to refresh GUID values through an MBean, you can use the System MBean Browser in Fusion Middleware Control.

To refresh GUID values in Imaging security tables with Fusion Middleware Control:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control for WCCdomain:

    http://ADMINVHN:7001/em
    
  2. In the navigation tree on the left, expand WebLogic Domain, then the Oracle WebCenter Content domain folder, then IMG_Cluster, and then the name of the Imaging server, such as WLS_IMG1.

  3. On the right, click the WebLogic Server drop-down menu, and choose System MBean Browser.

  4. In the System MBean Browser navigation tree, expand Application Defined MBeans, then oracle.imaging, then Server: WLS_IMG1, and then cmd, and click cmd.

  5. Click refreshIPMSecurity on the right, under the Operations tab.

  6. Click the Invoke button.

  7. Log in to Imaging to verify user and group security.

18.2.6 Adding a System Administrator in LDAP with Enterprise Capture Roles

In an LDAP-integrated system, you need to assign the Oracle Enterprise Capture Roles to the new system administrator user (weblogic_ecm) so this user can perform the Enterprise Capture Administrator role.

To add a system administrator in LDAP with Enterprise Capture roles:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control.

  2. On the left, expand WebLogic Domain.

  3. Right-click the domain name, choose Security, and then choose Application Roles.

    The Application Roles page opens.

  4. In the Application Stripe field, choose capture from the drop-down list, and then click the search icon.

    The search populates the table with roles for the Capture User, Capture Workspace Manager, and Capture Viewer.

  5. Edit the CaptureWorkspaceManager role, and add weblogic_ecm to this role.

  6. Edit the CaptureUser role, and add weblogic_ecm to this role, so that it has both the CaptureWorkspaceManager and CaptureUser roles.

18.3 Integrating with Oracle Access Manager 11g

This section describes how to set up Oracle Access Manager 11g as the single sign-on solution for the Oracle WebCenter Content enterprise deployment topology. It contains the following sections:

18.3.1 Overview of Oracle Access Manager Integration

This section explains the procedure for configuring the Oracle WebCenter Content installation with an existing Oracle Access Manager 11g installation, with Oracle Internet Directory as the underlying directory service. For more information about installing and configuring an Oracle Access Manager installation, see the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

Note:

The Oracle WebCenter Content enterprise deployment topology described in this guide uses a single sign-on configuration in which both the Oracle WebCenter Content system and the single sign-on system are in the same network domain (example.com). For a multidomain configuration, see the required configuration steps in "Introduction to the OAM Policy Model, Single Sign-On" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

18.3.2 Prerequisites for Oracle Access Manager

The setup for Oracle Access Manager assumes an existing Oracle Access Manager 11g installation. For more information on installing and configuring an Oracle Access Manager installation, see Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management. This setup includes Oracle Internet Directory as the directory service.

In addition, the Oracle Access Manager installation should have its own web server configured with WebGate.

18.3.3 Registering the WebGate Agent

This section describes the procedures for registering the WebGate agent with Oracle Access Manager and the use of WebGate agent instances on each of the WEBHOST machines:

18.3.3.1 Extracting and Using the RREG Tool

The RREG tool is part of the Oracle Access Manager 11g installation. If it is not already available, extract it on each of the Oracle Identity Management machines.

To extract the RREG tool:

  1. After installing and configuring Oracle Access Manager, navigate to the following location:

    IDM_Home/oam/server/rreg/client
    
  2. On the command line, decompress the RREG.tar.gz file with gunzip and then extract the resulting tar archive, as in the following example:

    gunzip RREG.tar.gz
    
    tar -xvf RREG.tar
    
  3. Open the RREG_HOME/bin/oamreg.sh script, and change the OAM_REG_HOME parameter according to your setup, if necessary.

The RREG Configuration Tool provides a way to register WebCenter Content resources in the Oracle Access Manager system.

You need to add these resources to the Oracle Access Manager system:

   /adfAuthentication
   /imaging/faces
   /ibr/adfAuthentication 
   /em
   /console
   /DefaultToDoTaskFlow
   /sdpmessaging/userprefs-ui
   /integration/worklistapp
   /workflow/sdpmessagingsca-ui-worklist
   /soa/composer
   /soa-infra
   /soa-infra/deployer
   /soa-infra/events/edn-db-log
   /soa-infra/cluster/info
   /dc-console/adfAuthentication
   /dc-client/adfAuthentication
   /wcc/adfAuthentication

The list of public resources follows:

   /cs
   /_ocsh
   /imaging
   /_dav
   /soa-infra/directWSDL
   /dc-console
   /dc-client
   /wcc

The list of excluded resources follows:

   /idcnativews
   /imaging/ws
   /imaging/lib
   /cs/common/idcapplet.jar
   /cs/images
   /wsm-pm
   /soa-infra/services
   /ucs/messaging/webservice
   /axf-ws

Note:

These lists of resources are applicable to Oracle Access Manager 11.1.2.1.0. If you are using Oracle Access Manager 11.1.2.2.0, you need to move /dc-client to the excluded resources list.

18.3.3.2 Updating the Oracle Access Manager 11g Request File

The RREG_Home/input directory contains a template file named OAM11gRequest.xml. Copy this file to WCCOAM11gRequest.xml, and edit that file to create the policies for the Oracle WebCenter Content installation.

Note:

Replace OAM_HOST, OAM_ADMINSERVER_PORT, WCC_EDG_AGENT, and WCC_EDG_DOMAIN with their respective values in your installation.

After editing, the file should look as follows:

<?xml version="1.0" encoding="UTF-8"?>
<OAM11GRegRequest>
 
    <serverAddress>http://OAM_HOST:OAM_ADMINSERVER_PORT</serverAddress>
    <agentName>WCC_EDG_AGENT</agentName>
    <applicationDomain>WCC_EDG_DOMAIN</applicationDomain>
    <cachePragmaHeader>private</cachePragmaHeader>
    <cacheControlHeader>private</cacheControlHeader>
    <ipValidation>1</ipValidation>
    <ValList ListName="ipValidationExceptions">
        <ValListMember Value="10.1.1.1"/>
    </ValList>
    <logOutUrls>
        <url>/oamsso/logout.html</url>
    </logOutUrls>
    <protectedResourcesList>
        <resource>/adfAuthentication</resource>
        <resource>/ibr/adfAuthentication</resource>
        <resource>/imaging/faces</resource>
        <resource>/em</resource>
        <resource>/console</resource>
        <resource>/DefaultToDoTaskFlow</resource>
        <resource>/sdpmessaging/userprefs-ui</resource>
        <resource>/integration/worklistapp</resource>
        <resource>/workflow/sdpmessagingsca-ui-worklist</resource>
        <resource>/soa/composer</resource>
        <resource>/soa-infra/deployer</resource>
        <resource>/soa-infra/events/edn-db-log</resource>
        <resource>/soa-infra/cluster/info</resource>
        <resource>/soa-infra</resource>
        <resource>/dc-console/adfAuthentication</resource>
        <resource>/dc-client/adfAuthentication</resource>
        <resource>/wcc/adfAuthentication</resource>
    </protectedResourcesList>
    <publicResourcesList>
        <resource>/cs</resource>
        <resource>/_ocsh</resource>
        <resource>/_dav</resource>
        <resource>/imaging</resource>
        <resource>/soa-infra/directWSDL</resource>
        <resource>/dc-console</resource>
        <resource>/dc-client</resource>
        <resource>/wcc</resource>
    </publicResourcesList>
    <excludedResourcesList>
        <resource>/wsm-pm</resource>
        <resource>/soa-infra/services</resource>
        <resource>/ucs/messaging/webservice</resource>
        <resource>/imaging/ws</resource>
        <resource>/idcnativews</resource>
        <resource>/imaging/lib</resource>
        <resource>/cs/common/idcapplet.jar</resource>
        <resource>/cs/images</resource>
        <resource>/axf-ws</resource>
    </excludedResourcesList>

    <userDefinedParameters>
        <userDefinedParam>
            <name>filterOAMAuthnCookie</name>
            <value>false</value>
        </userDefinedParam>
    </userDefinedParameters>

</OAM11GRegRequest>

Notes:

  • The contents of this file are applicable to Oracle Access Manager 11.1.2.1.0. If you are using Oracle Access Manager 11.1.2.2.0, you need to move /dc-client to the excluded resources list.

  • The resource_name/.../* resources will be automatically added during the registration.

  • This guide describes the validation field entry in request files for Oracle Access Manager 11g (11.1.1.2) and later. The validation exception list is defined differently in earlier versions of Oracle Access Manager 11g. For earlier versions, instead of using the <ValList> entry as shown in the preceding text, use the following syntax after the </publicResourcesList> entry.

        <userDefinedParameters>
            <userDefinedParam>
                <name>ipValidationExceptions</name>
                <value>10.1.1.1</value>
            </userDefinedParam>
        </userDefinedParameters>
    

    For more information about adding validation exceptions, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
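The following Python script, an added example that is not part of the guide or of the RREG tool, assembles the request file from the resource lists in Section 18.3.3.1 (applying the 11.1.2.2.0 note about /dc-client) and flags any resource that appears in more than one list before the file is handed to oamreg; the agent, domain and server values are the guide's placeholders.

```python
"""Build and sanity-check the WCCOAM11gRequest.xml resource lists.

Added example, not part of the guide or of the RREG tool. The three lists are
copied from Section 18.3.3.1; agent, domain and server names are placeholders
supplied by the caller.
"""
import xml.etree.ElementTree as ET

PROTECTED = [
    "/adfAuthentication", "/ibr/adfAuthentication", "/imaging/faces", "/em",
    "/console", "/DefaultToDoTaskFlow", "/sdpmessaging/userprefs-ui",
    "/integration/worklistapp", "/workflow/sdpmessagingsca-ui-worklist",
    "/soa/composer", "/soa-infra/deployer", "/soa-infra/events/edn-db-log",
    "/soa-infra/cluster/info", "/soa-infra", "/dc-console/adfAuthentication",
    "/dc-client/adfAuthentication", "/wcc/adfAuthentication",
]
PUBLIC = ["/cs", "/_ocsh", "/_dav", "/imaging", "/soa-infra/directWSDL",
          "/dc-console", "/dc-client", "/wcc"]
EXCLUDED = ["/wsm-pm", "/soa-infra/services", "/ucs/messaging/webservice",
            "/imaging/ws", "/idcnativews", "/imaging/lib",
            "/cs/common/idcapplet.jar", "/cs/images", "/axf-ws"]


def resource_lists(oam_version):
    """Return (protected, public, excluded) for the given OAM release.

    Per the guide's note, /dc-client is public for 11.1.2.1.0 and moves to
    the excluded list for 11.1.2.2.0.
    """
    protected, public, excluded = list(PROTECTED), list(PUBLIC), list(EXCLUDED)
    if oam_version == "11.1.2.2.0":
        public.remove("/dc-client")
        excluded.append("/dc-client")
    return protected, public, excluded


def find_overlaps(protected, public, excluded):
    """Return, sorted, the resources that appear in more than one list.

    Such entries make the intended policy ambiguous (a protected resource
    that is also excluded is the case to worry about), so resolve them
    before running oamreg.
    """
    membership = {}
    for kind, items in (("protected", protected), ("public", public),
                        ("excluded", excluded)):
        for resource in set(items):
            membership.setdefault(resource, []).append(kind)
    return sorted(r for r, kinds in membership.items() if len(kinds) > 1)


def build_request(agent, domain, server_address, ip_exception, oam_version):
    """Produce request XML with the same elements as the guide's example file."""
    protected, public, excluded = resource_lists(oam_version)
    overlaps = find_overlaps(protected, public, excluded)
    if overlaps:
        raise ValueError("resources in more than one list: %s" % overlaps)
    root = ET.Element("OAM11GRegRequest")
    for tag, text in (("serverAddress", server_address), ("agentName", agent),
                      ("applicationDomain", domain),
                      ("cachePragmaHeader", "private"),
                      ("cacheControlHeader", "private"), ("ipValidation", "1")):
        ET.SubElement(root, tag).text = text
    val_list = ET.SubElement(root, "ValList", ListName="ipValidationExceptions")
    ET.SubElement(val_list, "ValListMember", Value=ip_exception)
    ET.SubElement(ET.SubElement(root, "logOutUrls"), "url").text = "/oamsso/logout.html"
    for tag, items in (("protectedResourcesList", protected),
                       ("publicResourcesList", public),
                       ("excludedResourcesList", excluded)):
        parent = ET.SubElement(root, tag)
        for resource in items:
            ET.SubElement(parent, "resource").text = resource
    param = ET.SubElement(ET.SubElement(root, "userDefinedParameters"),
                          "userDefinedParam")
    ET.SubElement(param, "name").text = "filterOAMAuthnCookie"
    ET.SubElement(param, "value").text = "false"
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def overlaps_in_request(xml_text):
    """Re-check a hand-edited request file for resources listed twice."""
    root = ET.fromstring(xml_text)

    def resources(list_tag):
        node = root.find(list_tag)
        return [] if node is None else [r.text for r in node.findall("resource")]

    return find_overlaps(resources("protectedResourcesList"),
                         resources("publicResourcesList"),
                         resources("excludedResourcesList"))


if __name__ == "__main__":
    print(build_request("WCC_EDG_AGENT", "WCC_EDG_DOMAIN",
                        "http://OAM_HOST:OAM_ADMINSERVER_PORT", "10.1.1.1",
                        "11.1.2.1.0"))
```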

18.3.3.3 Running the oamreg Tool

Run the oamreg tool with the following command:

$ ./RREG_Home/bin/oamreg.sh inband input/WCCOAM11gRequest.xml

The run should look as follows:

------------------------------------------------
Welcome to OAM Remote Registration Tool!
Parameters passed to the registration tool are:
Mode: inband
Filename: MW_HOME/iam/oam/server/rreg/client/rreg/input/WCCOAM11GRequest.xml
Enter admin username:oamadmin
Username: your_oamadmin_user
Enter admin password: your_oamadmin_password
Do you want to enter a Webgate password?(y/n): y
Enter webgate password: your_webgate_password
Enter webgate password again: your_webgate_password
Password accepted. Proceeding to register..
Apr 18, 2011 12:22:36 PM oracle.security.am.engines.rreg.client.handlers.request.OAM11GRequestHandler getWebgatePassword
INFO: Passwords matched and accepted.
Do you want to import an URIs file?(y/n): n

----------------------------------------
Request summary:
OAM11G Agent Name:WCC_EDG_AGENT
URL String:WCC_EDG_AGENT
Registering in Mode:inband
Your registration request is being sent to the Admin server at: http://oamserver.example.com:7001
----------------------------------------

Inband registration process completed successfully! Output artifacts are created in the output folder.

18.3.3.4 Changing the inspection.wsil Resource to Use the Basic Authentication Scheme

By default, the inspection.wsil resource is set to use the form authentication scheme. For the connection between the workflow and Oracle WebCenter Content: Imaging to work, this resource must be updated on each of the WEBHOST machines to use the basic authentication scheme instead.

To change the inspection.wsil resource to use the basic authentication scheme:

  1. Log in to the Oracle Access Manager console at http://OAM_HOST:OAM_ADMINSERVER_PORT/oamconsole.

  2. Using the navigation tree on the left, click Application Domains and then the application domain name to navigate to the application domain created (WCC_EDG_DOMAIN).

  3. Expand your application domain's name.

  4. Expand Authentication Policies.

  5. Click the Create button in the tool bar above the navigation tree:

    1. Enter a name for the policy (for example, New Basic Policy).

    2. Select BasicSessionlessScheme as the authentication scheme.

    3. Click Apply.

      You will see the newly created policy under Authentication Policies in the navigation tree.

    4. Open the newly created policy.

    5. On the Resources pane, click the add icon (plus sign) on the right, and add the inspection.wsil and inspection.wsil/.../* resources.

    6. Click Apply.

  6. Click the refresh icon on the navigation tree, and verify the new authentication policy (click it, and make sure the inspection.wsil and inspection.wsil/.../* resources were added).

Note:

Do not forget to create a new credential for the new user. See Section 13.5.13, "Configuring a BPEL CSF Credential" for further details. (This book uses the weblogic_ecm user as an example for SSO.)

18.3.3.5 Updating the Oracle Access Manager 11g Server Configuration to Support the Basic Cookieless Scheme

You must set the NoUniqueSessionsFor10gAgents parameter in the Oracle Access Manager 11g configuration to true on each of the OAMHOST machines. To do this, edit the oam-config.xml file located in the IDM_Home/oam/server/config/ directory, and change the line

<Setting Name="NoUniqueSessionsFor10gAgents" Type="xsd:string">false</Setting>

to

<Setting Name="NoUniqueSessionsFor10gAgents" Type="xsd:string">true</Setting>

Save the file, and restart the Oracle Access Manager server in your Oracle Identity Management system for the change to take effect.

18.3.4 Setting Up WebGate

You must set up WebGate on each of the WEBHOST machines where Oracle HTTP Server has already been installed.

This section covers the following topics:

18.3.4.1 Installing GCC Libraries

You must download and install third-party GCC libraries on each of the WEBHOST machines before installing WebGate. You can download the appropriate GCC library from the following third-party website:

http://gcc.gnu.org

Note:

The setup in this guide uses Oracle Identity and Access Management 11g (11.1.1.6.0). For version 11.1.1.7.0 or later, installation of third-party GCC libraries is not necessary.

For 32-bit Linux, the required libraries are libgcc_s.so.1 and libstdc++.so.5 with a version number of 3.3.2. Table 18-2 lists the versions of third-party GCC libraries for Linux and Solaris operating systems.

Table 18-2 Versions of GCC Third-Party Libraries for Linux and Solaris Systems

Operating System   Architecture   GCC Libraries Required          Library Version
Linux 32-bit       x86            libgcc_s.so.1, libstdc++.so.5   3.3.2
Linux 64-bit       x64            libgcc_s.so.1, libstdc++.so.6   3.4.6
Solaris 64-bit     SPARC          libgcc_s.so.1, libstdc++.so.5   3.3.2


18.3.4.2 Installing WebGate

This section describes the procedures for installing WebGate. You must install WebGate on each of the WEBHOST machines.

18.3.4.2.1 Launching the Installer

The installer program for Oracle HTTP Server 11g WebGate for Oracle Access Manager is included in the webgate.zip file.

To launch the installation wizard:

  1. Extract the contents of the webgate.zip file to a directory. By default, this directory is named webgate.

  2. Move to the Disk1 subdirectory under the webgate directory.

  3. Set the MW_HOME environment variable to the Middleware home for Oracle Web Tier:

    export MW_HOME=/u02/oracle/products/fmw_home
    
  4. Start the installer using the following command:

    $ ./runInstaller -jreLoc WT_ORACLE_HOME/jdk
    

    In the command, WT_ORACLE_HOME=/u02/oracle/products/fmw_home/web_home.

    Note:

    When you install Oracle HTTP Server, the jdk directory is created under the Oracle home for Oracle Web Tier (WT_ORACLE_HOME). When launching the installer, replace the WT_ORACLE_HOME placeholder with the real path so that -jreLoc receives the absolute path of the JRE in this JDK.

    After the installer starts, the Welcome screen opens.

18.3.4.2.2 Installation Flow and Procedure

If you need additional help with any of the installation screens, click Help to access the online help.

To install Oracle HTTP Server 11g WebGate for Oracle Access Manager:

  1. On the Welcome screen, click Next.

  2. On the Prerequisite Checks screen, click Next.

  3. On the Specify Installation Location screen, specify the Oracle Middleware Home and Oracle Home Directory locations:

    • MW_HOME

    • webgate_home

    Note:

    The Middleware home contains an Oracle home for Oracle Web Tier.

    Click Next.

  4. On the Specify GCC Library screen, specify the directory that contains the GCC libraries, or click Browse to navigate to their location on your local computer (see Section 18.3.4.1, "Installing GCC Libraries"), and click Next.

    Note:

    This step is not required for WebGate version 11.1.1.7.0 or later.

  5. On the Installation Summary screen, verify the information on this screen and click Install to begin the installation.

  6. On the Installation Progress screen, you may be prompted to run the ORACLE_HOME/oracleRoot.sh script to set up the proper file and directory permissions.

    Click Next to continue.

  7. On the Installation Complete screen, click Finish to exit the installer.

18.3.4.3 Postinstallation Steps

Complete the following procedure on each of the WEBHOST machines after installing Oracle HTTP Server 11g WebGate for Oracle Access Manager.

To do postinstallation steps:

  1. Move to the following directory under your Oracle home for WebGate:

    $ cd WEBGATE_ORACLE_HOME/webgate/ohs/tools/deploy
    

    In the reference topology, WEBGATE_ORACLE_HOME is the /u02/oracle/products/fmw_home/webgate_home directory. This directory is where you installed Oracle HTTP Server WebGate and created the Oracle home for WebGate.

  2. On the command line, run the following command (on a single line) to copy the required agent files from the WEBGATE_ORACLE_HOME directory to the WebGate instance location:

    $ ./deployWebGateInstance.sh -w /u02/oracle/config/webN/config/OHS/ohsN/
    -oh WEBGATE_ORACLE_HOME
    

    The /u02/oracle/config/webN/config/OHS/ohsN directory is the instance home of an Oracle HTTP Server (where N is a sequential number for your installation; for example, 1 for WEBHOST1 or 2 for WEBHOST2).

    Note:

    An instance home for Oracle HTTP Server is created after you configure Oracle HTTP Server.

  3. Run the following command to ensure that the LD_LIBRARY_PATH variable contains WT_ORACLE_HOME/lib:

    $ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/u02/oracle/products/fmw_home/web_home/lib
    
  4. Change to the InstallTools directory under the Oracle home for WebGate:

    $ cd WEBGATE_ORACLE_HOME/webgate/ohs/tools/setup/InstallTools
    
  5. On the command line, run the following command (on a single line) to copy apache_webgate.template from the WEBGATE_ORACLE_HOME directory to the WebGate instance location (renamed to webgate.conf) and to add one line to the httpd.conf file that includes webgate.conf:

    $ ./EditHttpConf -w /u02/oracle/config/webN/config/OHS/ohsN/ [-oh WEBGATE_ORACLE_HOME] 
    [-o output_file]
    

    Note:

    The -oh WEBGATE_ORACLE_HOME and -o output_file parameters are optional.

    In the command, WEBGATE_ORACLE_HOME is the directory where you have installed Oracle HTTP Server WebGate for Oracle Access Manager. This directory is the Oracle home for WebGate; for example:

    /u02/oracle/products/fmw_home/webgate_home
    

    The /u02/oracle/config/webN/config/OHS/ohsN/ directory is the instance home of Oracle HTTP Server, where N is a sequential number for your installation; for example, 1 for WEBHOST1 or 2 for WEBHOST2.

    The output_file value is the name of the temporary output file used by the tool; for example:

    Edithttpconf.log
    

18.3.5 Copying Files and Artifacts Generated from OAM WebGate Registration to the Webgate Instance Location

The following two files are generated in RREG_Home/output/WCC_EDG_AGENT:

  • ObAccessClient.xml

  • cwallet.sso

Copy these files to the WebGate instance location on each of the WEBHOST machines. Both files identify and authenticate the WebGate agent to the Oracle Access Manager servers (cwallet.sso is the wallet that holds the agent key), so transfer them over an authenticated channel such as scp and keep them readable only by the operating system user that runs Oracle HTTP Server:

scp ObAccessClient.xml oracle@WEBHOSTN:ORACLE_INSTANCE/config/OHS/ohsN/webgate/config/

scp cwallet.sso oracle@WEBHOSTN:ORACLE_INSTANCE/config/OHS/ohsN/webgate/config/

In the scp command, N is a sequential number for your installation; for example, 1 for WEBHOST1 or 2 for WEBHOST2.

In the reference topology, ORACLE_INSTANCE is the /u02/oracle/config/web1 or /u02/oracle/config/web2 directory.

18.3.6 Setting Up the WebLogic Server Authentication Providers

This section is based on the assumption that you have already set up the LDAP authentication provider by following the steps in Section 18.2.2, "Creating the LDAP Authentication Provider." If you have not already created the LDAP authentication provider, do it before continuing with this section.


18.3.6.1 Backing Up Configuration Files

To be safe, first back up the relevant configuration files:

ASERVER_HOME/config/config.xml 
ASERVER_HOME/config/fmwconfig/jps-config.xml
ASERVER_HOME/config/fmwconfig/system-jazn-data.xml

In the reference topology, ASERVER_HOME is the /u01/oracle/config/domains/WCCDomain directory.

In addition, back up the boot.properties file for the Administration Server.

18.3.6.2 Setting Up the Oracle Access Manager Identity Assertion Provider

Set up an Oracle Access Manager identity assertion provider in the Oracle WebLogic Server Administration Console.

To set up the Oracle Access Manager identity assertion provider:

  1. Log in to the WebLogic Server Administration Console, if not already logged in.

  2. Click Lock & Edit.

  3. Navigate to Security Realms, then the default realm name, and then Providers.

  4. Click New, and select the asserter type OAMIdentityAsserter from the drop-down menu.

  5. Name the asserter (for example, OAM ID Asserter) and click OK.

  6. Click the newly added asserter to see the configuration screen for the Oracle Access Manager identity assertion provider.

  7. Set the control flag to REQUIRED.

  8. Select both the ObSSOCookie and OAM_REMOTE_USER options under Chosen types.

  9. Save the settings, and click Activate Changes to propagate the changes.

  10. Log in to the Oracle WebLogic Scripting Tool (WLST) as an administrator, and run the addOAMSSOProvider command:

    1. Start WLST:

      cd ORACLE_COMMON_HOME/common/bin
      
      ./wlst.sh
      
    2. Connect to the WCCDomain Administration Server and issue the addOAMSSOProvider command. The session below connects over plain t3, which WLST flags with a warning because the administrator credentials travel in the clear; in production, connect over t3s to the SSL port or to the administration port instead:

      wls:/offline> connect('weblogic_ecm', password,'ADMINVHN:7001')
      
      Connecting to t3://ADMINVHN:7001 with userid weblogic_ecm ..
      
      Successfully connected to Admin Server 'AdminServer' that belongs to domain 'WCCDomain'.
      
      Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
      
      wls:/WCCDomain/serverConfig> addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",logouturi="/oamsso/logout.html",autologinuri="/obrar.cgi")
      
      Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.For more help, use help(domainRuntime)
      
      wls:/WCCDomain/serverConfig> exit()
      
      
      Exiting WebLogic Scripting Tool
      

18.3.6.3 Setting the Order of Providers

Set the order of identity assertion and authentication providers in the WebLogic Server Administration Console.

To set the order of the providers:

  1. Log in to the WebLogic Server Administration Console, if not already logged in.

  2. Click Lock & Edit.

  3. Navigate to Security Realms, then the default realm name, and then Providers.

  4. Reorder the providers so that the Oracle Access Manager identity assertion provider comes first, followed by the Oracle Internet Directory authentication provider and then the default authentication provider, and ensure that the control flag for each provider is set as follows:

    • Oracle Access Manager identity assertion provider: REQUIRED

    • Oracle Internet Directory authentication provider: SUFFICIENT

    • DefaultAuthenticator: SUFFICIENT

  5. Click OK.

  6. Click Activate Changes to propagate the changes.

  7. Restart the Administration Server and all Managed Servers.

    Stop the Administration Server with the nmKill command, or with the Administration Console, and then start it with the nmStart command, as described in Section 10.3, "Restarting the Administration Server."

    Before the restart, stop all Managed Servers in the domain through the Administration Console, and start them again after the restart. Log in to the Administration Console using the credentials for the weblogic_ecm user.
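
Because the provider order and control flags are set by hand in the console, a check against the saved config.xml confirms the result before the restart and catches drift later. The script below is an added example, not part of this guide or of Oracle's tooling: it reads ASERVER_HOME/config/config.xml and reports any provider that is missing, out of order, or carrying the wrong control flag, and verifies that the asserter still has both ObSSOCookie and OAM_REMOTE_USER as active types. The provider names OAM ID Asserter and OIDAuthenticator are assumptions taken from this guide's examples; adjust EXPECTED to the names in your realm. The config.xml produced by realm_xml is constructed and simplified (xsi:type attributes omitted) so the script runs offline.

```python
"""Check realm provider order and control flags in config.xml (added example)."""
import sys
import xml.etree.ElementTree as ET

NS = {
    "d": "http://xmlns.oracle.com/weblogic/domain",
    "sec": "http://xmlns.oracle.com/weblogic/security",
}

# Required order and control flags from Section 18.3.6.3. The names are the
# ones this guide uses (assumption); change them to match your realm.
EXPECTED = [
    ("OAM ID Asserter", "REQUIRED"),
    ("OIDAuthenticator", "SUFFICIENT"),
    ("DefaultAuthenticator", "SUFFICIENT"),
]
ASSERTER_TYPES = {"ObSSOCookie", "OAM_REMOTE_USER"}


def providers(config_xml):
    """Return [(name, control_flag, [active_types])] in realm order."""
    root = ET.fromstring(config_xml)
    path = "d:security-configuration/d:realm/sec:authentication-provider"
    out = []
    for p in root.findall(path, NS):
        name = p.findtext("sec:name", default="", namespaces=NS)
        flag = p.findtext("sec:control-flag", default="", namespaces=NS)
        types = [t.text for t in p.findall("sec:active-type", NS)]
        out.append((name, flag, types))
    return out


def check_order(config_xml, expected=EXPECTED):
    """Return a list of problems; an empty list means the realm matches the guide."""
    found = providers(config_xml)
    by_name = {n: (f, t) for n, f, t in found}
    problems = []
    for name, flag in expected:
        if name not in by_name:
            problems.append("missing provider %s" % name)
        elif by_name[name][0] != flag:
            problems.append("%s has control flag %r, expected %s"
                            % (name, by_name[name][0], flag))
    names = [n for n, _, _ in found]
    want = [n for n, _ in expected]
    present = [n for n in names if n in want]
    if present != want:
        problems.append("provider order is %s, expected %s" % (present, want))
    # The asserter must run first so the WebGate-supplied cookie or header is
    # consumed before any provider can fall back to a password challenge.
    if names and names[0] != want[0]:
        problems.append("%s is not the first provider" % want[0])
    asserter = by_name.get(want[0])
    if asserter and not ASSERTER_TYPES <= set(asserter[1]):
        problems.append("%s active types %s lack %s"
                        % (want[0], asserter[1], sorted(ASSERTER_TYPES)))
    return problems


def realm_xml(entries):
    """Build a constructed, simplified config.xml from [(name, flag, types)]."""
    body = ""
    for name, flag, types in entries:
        body += "      <sec:authentication-provider>\n"
        body += "        <sec:name>%s</sec:name>\n" % name
        if flag:
            body += "        <sec:control-flag>%s</sec:control-flag>\n" % flag
        for t in types:
            body += "        <sec:active-type>%s</sec:active-type>\n" % t
        body += "      </sec:authentication-provider>\n"
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<domain xmlns="http://xmlns.oracle.com/weblogic/domain"\n'
            '        xmlns:sec="http://xmlns.oracle.com/weblogic/security">\n'
            "  <name>WCCDomain</name>\n"
            "  <security-configuration>\n"
            "    <name>WCCDomain</name>\n"
            "    <realm>\n%s    </realm>\n"
            "  </security-configuration>\n"
            "</domain>\n" % body)


OAM = ("OAM ID Asserter", "REQUIRED", ["ObSSOCookie", "OAM_REMOTE_USER"])
OID = ("OIDAuthenticator", "SUFFICIENT", [])
DEFAULT = ("DefaultAuthenticator", "SUFFICIENT", [])
DEFAULT_ASSERTER = ("DefaultIdentityAsserter", "", ["AuthenticatedUser"])

# Constructed realms: asserter added but not yet reordered, and the final state.
BEFORE = realm_xml([DEFAULT, DEFAULT_ASSERTER, OID, OAM])
AFTER = realm_xml([OAM, OID, DEFAULT, DEFAULT_ASSERTER])

if __name__ == "__main__":
    # e.g. python check_realm.py /u01/oracle/config/domains/WCCDomain/config/config.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else AFTER
    problems = check_order(text)
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

The check reads the file the Administration Server writes after Activate Changes, so run it after step 6 and before the restart in step 7; a non-zero exit with a list of problems means the console edit did not land as intended.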

18.4 Validating Access Through the Load Balancer and SSO

Validate single sign-on through the front end (using the SSO user name and password):

  • http://admin.example.com/console

  • http://admin.example.com/em

  • http://wcc.example.com/cs

  • http://wcc.example.com/imaging

  • https://wcc.example.com/dc-console

18.5 Backing Up the Installation

After you have verified that the extended domain is working, back up the installation. This is a quick backup for the express purpose of immediate restore in case of problems in the further steps. The backup destination is the local disk. This backup can be discarded once the enterprise deployment setup is complete. At that point, the regular deployment-specific backup and recovery process can be initiated; the Administrator's Guide provides further details.

For a description of the Oracle HTTP Server data that must be backed up and restored, see the "Backup and Recovery Recommendations for Oracle HTTP Server" section in this guide. For information on how to recover components, see the "Recovery of Components" and "Recovery After Loss of Component" sections in the guide. For recommendations specific to recovering from the loss of a host, see the "Recovering Oracle HTTP Server to a Different Host" section in the guide. For information about database backup, see the Oracle Database Backup and Recovery User's Guide.

To back up the installation at this point:

  1. Back up Oracle Web Tier:

    1. Shut down the instance using opmnctl:

      /u02/oracle/config/webN/bin/opmnctl stopall
      
    2. Back up the Middleware home for Oracle Web Tier with the following command (as root):

      tar -cvpf BACKUP_LOCATION/web_home.tar $MW_HOME
      
    3. Back up the Instance Home for Oracle Web Tier with the following command (as root):

      tar -cvpf BACKUP_LOCATION/web_instance.tar $ORACLE_INSTANCE
      
    4. Start the instance with opmnctl:

      /u02/oracle/config/webN/bin/opmnctl startall
      

    In the reference topology, ORACLE_INSTANCE is the /u02/oracle/config/web1 or /u02/oracle/config/web2 directory.

  2. Back up the AdminServer domain directory on WCCHOST1 to save your domain configuration. The configuration files all exist under the /u01/oracle/config/domains/WCCDomain directory.

    tar -cvpf edgdomainback.tar /u01/oracle/config/domains/WCCDomain