Wednesday, March 3, 2010

Configuring Single Sign On with OAM and OID

We were having an internal Bootcamp for WebCenter, and one of the things we had to do was to configure Single Sign-On (SSO) in front of our installation of WebCenter.
We followed the instructions I posted in my previous blog entry, and had WebCenter installed and the Services configured locally on our boxes.
We also had access to 2 servers: an Oracle Internet Directory (OID) server and an Oracle Access Manager (OAM) server. Both products are part of the Oracle Identity Management solution.

Our main guide is the Security Chapter in the WebCenter Admin Guide. This is an extensive chapter, and has all the information you need. 
To make things simpler, I extracted the steps from the guide, and made it into the "Quick Steps" guide below.

So, assuming you have access to an OID server -- oid-server.example.com -- and an OAM server -- oam-server.example.com -- you could follow the steps below to implement SSO in front of your WebCenter installation.

The diagram below shows what we want to achieve. All HTTP requests should come through Apache/WebGate, which then contacts OAM to check the policies. If needed, an SSO login page is presented and the user is authenticated against the Identity Store. Once that succeeds, the cookies are set and the request is finally forwarded to the WebCenter server.

Figure 1 - OAM SSO topology

Requirements
  • OID Server - oid-server.example.com
    • assume the user domain is example.com - dc=example, dc=com
    • assume you have user orcladmin as the Admin user
    • port = 3060
  • OAM Server - oam-server.example.com
    • assume access server id = aaa1 -- change it accordingly
    • port = 6021
  • WebCenter installation -- following instructions from previous post
    • home folder = /u01/app/wls
Documentation
Quick Steps

1. Configure HTTP as default listener

  • once we finished the configuration from the previous entry, the HTTP requests coming to your server were not yet being served by Apache (Oracle HTTP Server). To route them through Apache, you need to perform the steps below.
  • go to a Terminal window and do the following

    [oracle@mymachine wls]$ cd /u01/app/wls/Oracle_WT1/instances/instance1/config/OHS/ohs1/
    [oracle@mymachine ohs1]$ cp mod_wl_ohs.conf mod_wl_ohs.conf.BOOT
    [oracle@mymachine ohs1]$ vi mod_wl_ohs.conf
    ---- add the following lines to the end of this file
    <IfModule mod_weblogic.c>
    MatchExpression /webcenter WebLogicHost=mymachine.example.com|WebLogicPort=8888
    MatchExpression /owc_wiki WebLogicHost=mymachine.example.com|WebLogicPort=8890
    MatchExpression /owc_discussions WebLogicHost=mymachine.example.com|WebLogicPort=8890
    MatchExpression /rest WebLogicHost=mymachine.example.com|WebLogicPort=8890
    </IfModule>
    [oracle@mymachine ohs1]$ cd ../../../bin
    [oracle@mymachine bin]$ ./opmnctl stopall
    opmnctl stopall: stopping opmn and all managed processes...
    [oracle@mymachine bin]$ ./opmnctl startall
    opmnctl startall: starting opmn and all managed processes...
    [oracle@mymachine bin]$

  • do a quick test by navigating to the following URLs to make sure it is all accessible through Oracle HTTP
    • WebCenter Spaces = http://mymachine.example.com:7777/webcenter
    • WebCenter Discussion = http://mymachine.example.com:7777/owc_discussions
    • WebCenter Wiki = http://mymachine.example.com:7777/owc_wiki
  • Now, we have all the requests coming through Apache. Let's now create the policies on the OAM server.


2. Configuring OAM Using Scripts

  • let's create the Application Domain in OAM using the OAM Config Tool included in the WLS installation.
  • go to a Terminal window and do the following

    [oracle@mymachine wls]$ cd /u01/app/wls/
    [oracle@mymachine wls]$ vi uris-file.txt
    #PROTECTED
    protected_uris
    /webcenter/adfAuthentication
    /webcenter/content
    /owc_wiki/user/login.jz
    /owc_wiki/adfAuthentication
    /owc_discussions/rss
    /owc_discussions/login!withRedirect.jspa
    /owc_discussions/login!default.jspa
    /owc_discussions/login.jspa
    /owc_discussions/admin
    /rest

    #PUBLIC
    public_uris
    /webcenter
    /owc_wiki
    /owc_discussions
    /rss
    /workflow

    ---- save and exit VI
    ---- the command below MUST be in one line!!!

    [oracle@mymachine wls]$ /u01/app/wls/jdk160_14_R27.6.5-32/bin/java -jar
    /u01/app/wls/oracle_common/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar mode=CREATE
    app_domain="mymachine.example.com" uris_file=/u01/app/wls/uris-file.txt
    app_agent_password=welcome1 ldap_host=oid-server.example.com ldap_port=3060 ldap_userdn="cn=orcladmin"
    ldap_userpassword=welcome1 oam_aaa_host=oam-server.example.com oam_aaa_port=6021

    Processed input parameters
    Initialized Global Configuration
    Successfully completed the Create operation.
    Operation Summary:
    Policy Domain : mymachine.example.com
    Host Identifier: mymachine.example.com
    Access Gate ID : mymachine.example.com_AG

    [oracle@mymachine wls]$

  • we can validate by issuing the following command (again, in one line)

    [oracle@mymachine wls]$ /u01/app/wls/jdk160_14_R27.6.5-32/bin/java -jar
    /u01/app/wls/oracle_common/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar mode=VALIDATE
    app_domain="mymachine.example.com" app_agent_password=welcome1 ldap_host=oid-server.example.com
    ldap_port=3060 ldap_userdn="cn=orcladmin" ldap_userpassword=welcome1 oam_aaa_host=oam-server.example.com
    oam_aaa_port=6021 test_username=weblogic

    Enter test_userpassword: >>welcome1<<
    Processed input parameters
    Initialized Global Configuration
    Validating app_domain: mymachine.example.com : OK.
    Validating web_domain: mymachine.example.com : OK.
    Validating access_gate: mymachine.example.com_AG : OK.
    Found url:http://mymachine.example.com/webcenter/adfAuthentication
    Found url:http://mymachine.example.com/workflow
    Found url:http://mymachine.example.com/rss
    Found url:http://mymachine.example.com/owc_discussions/login!withRedirect.jspa
    Found url:http://mymachine.example.com/owc_discussions/login!default.jspa
    Found url:http://mymachine.example.com/owc_wiki/user/login.jz
    Found url:http://mymachine.example.com/rss/rssservlet
    Found url:http://mymachine.example.com/owc_wiki/adfAuthentication
    Found url:http://mymachine.example.com/owc_discussions/login.jspa
    Found url:http://mymachine.example.com/owc_wiki
    Found url:http://mymachine.example.com/owc_discussions/rss/
    Found url:http://mymachine.example.com/webcenter/content
    Found url:http://mymachine.example.com/webcenter
    Found url:http://mymachine.example.com/rest
    Found url:http://mymachine.example.com/owc_discussions
    Found url:http://mymachine.example.com/owc_discussions/admin
    Successfully completed the Validate operation.

  • you may also want to log in to your OAM server and verify the Policies and Access Gate configurations
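Before running oamcfgtool in CREATE mode, it is worth sanity-checking the uris_file, since a login or admin path that accidentally lands under public_uris is exactly the mistake that silently defeats the whole setup. The script below is an added example, not part of the original post and not part of oamcfgtool: it parses the "#PROTECTED / protected_uris" and "#PUBLIC / public_uris" layout used above (a copy of the file from step 2 is embedded as constructed sample input), reports entries without a leading slash, duplicates, a URI listed in both sections, and public entries that look like login/admin paths, and shows which list a given request path would fall under. The longest-prefix matching in classify() and the SENSITIVE_HINTS list are this script's own assumptions for reasoning about intent, not a description of how OAM evaluates policies.

```python
"""Sanity-check an oamcfgtool uris_file before running mode=CREATE.

Added example (not from the original post, not part of oamcfgtool).
The longest-prefix rule in classify() is an assumption used to reason
about the intended protected/public split, not OAM's policy evaluation.
"""
from __future__ import annotations
from typing import Dict, List

# Constructed copy of the uris-file.txt from step 2 of the post.
SAMPLE_URIS_FILE = """\
#PROTECTED
protected_uris
/webcenter/adfAuthentication
/webcenter/content
/owc_wiki/user/login.jz
/owc_wiki/adfAuthentication
/owc_discussions/rss
/owc_discussions/login!withRedirect.jspa
/owc_discussions/login!default.jspa
/owc_discussions/login.jspa
/owc_discussions/admin
/rest

#PUBLIC
public_uris
/webcenter
/owc_wiki
/owc_discussions
/rss
/workflow
"""

SECTION_MARKERS = {"protected_uris": "protected", "public_uris": "public"}
# Path fragments that should normally never be public (assumed heuristic).
SENSITIVE_HINTS = ("login", "admin", "adfAuthentication")


def parse_uris_file(text: str) -> Dict[str, List[str]]:
    """Return {'protected': [...], 'public': [...]} in file order."""
    sections: Dict[str, List[str]] = {"protected": [], "public": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # blank lines and comments
        if line in SECTION_MARKERS:
            current = SECTION_MARKERS[line]
            continue
        if current is None:
            raise ValueError(f"URI before any section marker: {line!r}")
        sections[current].append(line)
    return sections


def find_problems(sections: Dict[str, List[str]]) -> List[str]:
    """List formatting and policy-intent problems; empty list means clean."""
    problems: List[str] = []
    seen: Dict[str, str] = {}
    for kind, uris in sections.items():
        for uri in uris:
            if not uri.startswith("/"):
                problems.append(f"{kind}: {uri!r} does not start with '/'")
            if uri in seen:
                problems.append(f"{uri!r} listed twice ({seen[uri]} and {kind})")
            seen[uri] = kind
    for uri in sections["public"]:
        if any(hint in uri for hint in SENSITIVE_HINTS):
            problems.append(f"public: {uri!r} looks like a login/admin path")
    return problems


def classify(path: str, sections: Dict[str, List[str]]) -> str:
    """Longest matching prefix wins (assumption); 'unlisted' if nothing matches."""
    best_len, best_kind = -1, "unlisted"
    for kind, uris in sections.items():
        for uri in uris:
            if path == uri or path.startswith(uri.rstrip("/") + "/"):
                if len(uri) > best_len:
                    best_len, best_kind = len(uri), kind
    return best_kind


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_URIS_FILE
    secs = parse_uris_file(text)
    for problem in find_problems(secs) or ["no problems found"]:
        print(problem)
    for sample in ("/webcenter", "/webcenter/adfAuthentication",
                   "/owc_discussions/admin/users.jspa", "/foo"):
        print(f"{sample:40} -> {classify(sample, secs)}")
```

Run it as `python check_uris.py /u01/app/wls/uris-file.txt`; with no argument it checks the embedded sample, which comes out clean. Keep in mind the heuristics only catch obvious slips; the validation run of oamcfgtool and a look at the policies in the OAM console remain the authoritative check.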


3. Configuring the WebTier

  • Now that the policies are created on the OAM server, we must install the WebGate on the WebCenter machine. It works together with Apache to intercept the requests and check them against the policies.
  • Before you install WebGate, copy the following libraries to a common place, in order to make the install process easier.
  • Note: if you are using a 64-bit machine, copy the libraries from the lib64 folders instead -- /lib64/libgcc_s.so.1 and /usr/lib64/libstdc++.so.5

    >>>> need to have these 2 libs in same folder
    [oracle@mymachine ]$ cd /tmp/
    [oracle@mymachine tmp]$ mkdir lib
    [oracle@mymachine tmp]$ cd lib
    [oracle@mymachine lib]$ cp /lib/libgcc_s.so.1 .
    [oracle@mymachine lib]$ cp /usr/lib/libstdc++.so.5 .

    [oracle@mymachine lib]$ cd /u01/oracle/software/E20BootcampInstallers/webgate

    >>>> if "oracle" is NOT in sudoers:
    su -c "./Oracle_Access_Manager10_1_4_3_0_linux_OHS11g_WebGate -gui"

    >>>> if "oracle" IS in sudoers:
    [oracle@mymachine webgate]$ sudo -u root ./Oracle_Access_Manager10_1_4_3_0_linux_OHS11g_WebGate -gui

  • You can refer to the doc now, and follow all the steps listed in section 23.7.1.3.3 Install WebGate on the WebTier. Below is just an example of the values you will be using during the install process.
    • Enter the username the web server is running as = oracle
    • Enter the Group for the above username = oinstall
    • Please specify a directory name or press Enter = /u01/app/wls/webgate
    • Location of GCC runtime libraries = /tmp/lib
    • Specify the transport security mode = 1 - Open Mode
    • WebGate ID = mymachine.example.com_AG
    • Password for WebGate = welcome1
    • Access Server ID = aaa1
    • Host name where an Access Server is installed = oam-server.example.com
    • Port number the Access Server listens to = 6021
    • Proceed with automatic httpd.conf configuration
    • Absolute path of httpd.conf = /u01/app/wls/Oracle_WT1/instances/instance1/config/OHS/ohs1/httpd.conf
  • restart Oracle HTTP server.

    [oracle@mymachine lib]$ cd /u01/app/wls/Oracle_WT1/instances/instance1/bin/
    [oracle@mymachine bin]$ ./opmnctl stopall
    opmnctl stopall: stopping opmn and all managed processes...
    [oracle@mymachine bin]$ ./opmnctl startall
    opmnctl startall: starting opmn and all managed processes...

4. Create local orcladmin

  • On our OID example server, the administrator user is orcladmin. We want to create this user locally (on your local WLS). Another option would be to have the user weblogic on the LDAP server.
  • Log in to WLS Console - http://mymachine.example.com:7001/console
  • Go to "boot_domain" -> "Security realms" -> "myrealm" -> "Users and Groups"
  • Click "New" and use the following info:
    • Name = orcladmin
    • Provider = DefaultAuthenticator
    • Password = welcome1 - Confirm = welcome1
  • Click on the newly created orcladmin – make sure you choose the one with DefaultAuthenticator
  • Click "Groups" and add the Administrators group to this user


5. Configuring Discussions Server

  • Log in to Discussions Server Admin Console - http://mymachine.example.com:8890/owc_discussions/admin
    • Log in to the Discussions (Jive) admin console as weblogic / welcome1
  • Click "System Properties"
    • add/edit the property and "Save" it.
      • owc_discussions.sso.mode = true
  • Click "Settings -> Admins/Moderators"
  • Click "Grant New Permissions"
    • Choose the permission = System Admin
    • Specific user = orcladmin
    • Click "Grant new permission"


6. Configuring WebLogic to use OID/OAM

  • Now, we need to create the Authenticators that will process the user authentication. We need authenticators for both OAM and OID.
  • You must now perform all the steps listed in section 23.7.1.6 Configuring the Policy Manager, using the values below as a reference.
    • Note #1: double-check the values with your System Administrator, especially the LDAP configuration below.
    • Note #2: below, I'm listing only the values that need to be changed. Leave all others at their default values, or change them only if you are 100% sure.
    • Note #3: if you have any problems logging in, you can always come back to the WLS console and remove these extra Authenticators.
  • for the OID Authenticator use the following:
    • Control Flag = SUFFICIENT
    • Host = oid-server.example.com
    • Port = 3060
    • Principal = cn=orcladmin
    • Credential = welcome1 – Confirm = welcome1
    • User Base DN = dc=example,dc=com
    • All Users Filter = (&(uid=*)(objectclass=person))
    • User Name Attribute = uid
    • Group Base DN = dc=example,dc=com
    • All the other values don't need to be changed
  • for the OAM ID Asserter use the following:
    • Control Flag = REQUIRED
    • Active Types = ObSSOCookie, OAM_REMOTE_USER
    • Application Domain = mymachine.example.com
    • Access Gate Password = welcome1
    • Keystore Pass Phrase = welcome1
    • Access Gate Name = mymachine.example.com_AG
    • Primary Access Server = oam-server.example.com:6021
    • All the other values don't need to be changed
  • for the DefaultAuthenticator change:
    • Control Flag = SUFFICIENT
  • reorder the providers as described in the doc:
    • OAMIdentityAsserter (REQUIRED)
    • OracleInternetDirectoryAuthenticator (SUFFICIENT)
    • DefaultAuthenticator (SUFFICIENT)
    • DefaultIdentityAsserter
  • don't forget to add the EXTRA_JAVA_PROPERTIES to setDomainEnv.sh

    [oracle@mymachine bin]$ cd /u01/app/wls/user_projects/domains/boot_domain/bin/
    [oracle@mymachine bin]$ vi setDomainEnv.sh
    ---- put it around line 100 after the SUN_JAVA_HOME

    EXTRA_JAVA_PROPERTIES="-Dweblogic.security.SSL.ignoreHostnameVerification=true
    -Doracle.mds.bypassCustRestrict=true -Djps.update.subject.dynamic=true
    -Doracle.webcenter.spaces.osso=true -noverify ${EXTRA_JAVA_PROPERTIES}"

7. Restart & Test

  • bounce all servers - WLS Admin, WLS_Services, WLS_Spaces
  • test that you can log in with any of the users you have on your LDAP server.
  • test that once you log in to the Wiki (/owc_wiki), you can go straight to Discussions (/owc_discussions) without being asked for a password. The same applies if you then go to WebCenter (/webcenter).
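The manual checks above can be scripted, which is handy when you have seven machines to verify and want to catch the two classic failures: WebGate not in the request path (the application answers protected URIs directly instead of redirecting to the SSO login) and a session that does not carry across the applications. The script below is an added example, not part of the original post or of any Oracle tool. It runs against the OHS/WebGate base URL from step 1 (http://mymachine.example.com:7777 is assumed) and uses the protected and public paths from the uris-file in step 2. Unauthenticated, it expects a redirect for protected paths and a normal answer for public ones; given an ObSSOCookie value copied from a browser session that has already logged in (passed as the second argument), it expects the protected paths to no longer redirect to the same login target. The cookie name ObSSOCookie appears in the Identity Asserter settings of step 6; the login URL produced by the built-in simulated WebGate is constructed for offline dry runs and is not OAM's real login URL.

```python
"""Smoke-test the WebGate/SSO front door after step 7.

Added example, not from the original post. Assumes the OHS base URL
from step 1 and the protected/public URIs from step 2 of the post.
"""
from __future__ import annotations
import sys
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Taken from the uris-file in step 2 of the post.
PROTECTED = ["/webcenter/adfAuthentication", "/owc_wiki/adfAuthentication",
             "/owc_discussions/login.jspa", "/owc_discussions/admin"]
PUBLIC = ["/webcenter", "/owc_wiki", "/owc_discussions"]

# A fetcher takes (url, ObSSOCookie value or None) and returns (status, Location).
Fetcher = Callable[[str, Optional[str]], Tuple[int, str]]


def http_fetch(url: str, cookie: Optional[str]) -> Tuple[int, str]:
    """Real HTTP GET that does not follow redirects, so we can inspect them."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None                      # turns the 3xx into an HTTPError
    req = urllib.request.Request(url)
    if cookie:
        req.add_header("Cookie", f"ObSSOCookie={cookie}")
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", "")


def simulated_fetch(valid_cookie: str) -> Fetcher:
    """Constructed stand-in for OHS+WebGate, used for offline dry runs."""
    def fetch(url: str, cookie: Optional[str]) -> Tuple[int, str]:
        path = urlsplit(url).path
        if path in PROTECTED:
            if cookie == valid_cookie:
                return 200, ""
            # constructed login target, not OAM's real login URL
            return 302, "http://oam-server.example.com/sso/login?request=" + path
        if path in PUBLIC:
            return 200, ""
        return 404, ""
    return fetch


def _same_site(location: str, base: str) -> bool:
    return location.startswith("/") or location.startswith(base)


def check_sso(base: str, fetch: Fetcher, cookie: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means every check passed."""
    findings: List[str] = []
    login_targets = {}
    for path in PROTECTED:                   # no cookie: WebGate must redirect
        status, location = fetch(base + path, None)
        if 300 <= status < 400 and location:
            login_targets[path] = location
        else:
            findings.append(f"{path}: expected SSO login redirect, got {status}")
    for path in PUBLIC:                      # public: served, or app-internal redirect
        status, location = fetch(base + path, None)
        if status != 200 and not (300 <= status < 400 and _same_site(location, base)):
            findings.append(f"{path}: public URI should be served, got {status} {location!r}")
    if cookie:                               # with session: same login redirect is a failure
        for path, target in login_targets.items():
            status, location = fetch(base + path, cookie)
            if 300 <= status < 400 and location == target:
                findings.append(f"{path}: still redirected to SSO login with ObSSOCookie set")
    return findings


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://mymachine.example.com:7777"
    cookie = sys.argv[2] if len(sys.argv) > 2 else None
    fetch = simulated_fetch(cookie or "") if base == "--dry-run" else http_fetch
    results = check_sso("http://mymachine.example.com:7777" if base == "--dry-run" else base,
                        fetch, cookie)
    print("\n".join(results) if results else "all SSO checks passed")
    sys.exit(1 if results else 0)
```

Run `python sso_check.py http://mymachine.example.com:7777` right after the restart, then once more with the cookie value from a logged-in browser as the second argument; `python sso_check.py --dry-run` exercises the logic against the simulated WebGate without touching the network. A non-zero exit means at least one of the three expectations from the bullets above did not hold.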

8. What's next? 

During our Bootcamp, we managed to configure SSO successfully on 7 out of 7 machines. It was not very straightforward, so we had to go back and double-check the steps and values. Once we did that, all was working fine.

If it does not work the first time, just go back and double-check everything. If you still have problems, just post a comment.