We did follow the instructions I posted on my previous blog entry, and had the WebCenter installed and Services configured locally on our boxes.
We also had access to 2 servers -- Oracle Internet Directory (OID) server, and Oracle Access Manager (OAM) server. Both products are part of the Oracle Identity Management solution.
Our main guide is the Security Chapter in the WebCenter Admin Guide. This is an extensive chapter, and has all the information you need.
To make things simpler, I extracted the steps from the guide, and made it into the "Quick Steps" guide below.
So, assuming you have access to an OID server -- oid-server.example.com -- and an OAM server -- oam-server.example.com -- you could follow the steps below to implement SSO in front of your WebCenter installation.
The diagram below, shows what we want to achieve. All HTTP request should come through Apache/WebGate, that will then contact OAM to check the policies. If needed, an SSO Login page is presented, and the user is authenticated against the Identity Store. Once it is all good, the cookies are set, and the request is finally forwarded to the WebCenter server.
Figure 1 - OAM SSO topology
Requirements
- OID Server - oid-server.example.com
- assume the user domain is example.com - dc=example, dc=com
- assume you have user orcladmin as the Admin user
- port = 3060
- OAM Server - oam-server.example.com
- assume access server id = aaa1 -- change it accordingly
- port = 6021
- WebCenter installation -- following instructions from previous post
- home folder = /u01/app/wls
Documentation
- Configuring a WebCenter Application to Use Single Sign-On
- Configure mod_weblogic (mod_wl_ohs.conf)
- Configuring OAM Using Scripts
- Configuring the Policy Manager
Quick Steps
1. Configure HTTP as default listener
- once we finished the configuration from previous entry, the HTTP requests coming to your server were not being served by Apache. In order to have it, you need to perform the steps below.
- go to Terminal window and do the following
[oracle@mymachine wls]$ cd /u01/app/wls/Oracle_WT1/instances/instance1/config/OHS/ohs1/
[oracle@mymachine ohs1]$ cp mod_wl_ohs.conf mod_wl_ohs.conf.BOOT
[oracle@mymachine ohs1]$ vi mod_wl_ohs.conf
---- add the following lines to the end of this file
<IfModule mod_weblogic.c>
MatchExpression /webcenter WebLogicHost=mymachine.example.com|WebLogicPort=8888
MatchExpression /owc_wiki WebLogicHost=mymachine.example.com|WebLogicPort=8890
MatchExpression /owc_discussions WebLogicHost=mymachine.example.com|WebLogicPort=8890
MatchExpression /rest WebLogicHost=mymachine.example.com|WebLogicPort=8890
</IfModule>
[oracle@mymachine ohs1]$ cd ../../../bin
[oracle@mymachine bin]$ ./opmnctl stopall
opmnctl stopall: stopping opmn and all managed processes...
[oracle@mymachine bin]$ ./opmnctl startall
opmnctl startall: starting opmn and all managed processes...
[oracle@mymachine bin]$ - do a quick test by navigating to the following URLs to make sure it is all accessible through Oracle HTTP
- WebCenter Spaces = http://mymachine.example.com:7777/webcenter
- WebCenter Discussion = http://mymachine.example.com:7777/owc_discussions
- WebCenter Wiki = http://mymachine.example.com:7777/owc_wiki
- Now, we have all the requests coming through Apache. Let's now create the policies on the OAM server.
2. Configuring OAM Using Scripts
- let's create the Application Domain in OAM using the OAM Config Tool included in WLS installation.
- go to a Terminal window and do the following
[oracle@mymachine wls]$ cd /u01/app/wls/
[oracle@mymachine wls]$ vi uris-file.txt
#PROTECTED
protected_uris
/webcenter/adfAuthentication
/webcenter/content
/owc_wiki/user/login.jz
/owc_wiki/adfAuthentication
/owc_discussions/rss
/owc_discussions/login!withRedirect.jspa
/owc_discussions/login!default.jspa
/owc_discussions/login.jspa
/owc_discussions/admin
/rest
#PUBLIC
public_uris
/webcenter
/owc_wiki
/owc_discussions
/rss
/workflow---- save and exit VI
---- the command below MUST be in one line!!!
[oracle@mymachine wls]$ /u01/app/wls/jdk160_14_R27.6.5-32/bin/java -jar
/u01/app/wls/oracle_common/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar mode=CREATE
app_domain="mymachine.example.com" uris_file=/u01/app/wls/uris-file.txt
app_agent_password=welcome1 ldap_host=oid-server.example.com ldap_port=3060 ldap_userdn="cn=orcladmin"
ldap_userpassword=welcome1 oam_aaa_host=oam-server.example.com oam_aaa_port=6021
Processed input parameters
Initialized Global Configuration
Successfully completed the Create operation.
Operation Summary:
Policy Domain : mymachine.example.com
Host Identifier: mymachine.example.com
Access Gate ID : mymachine.example.com_AG
[oracle@mymachine wls]$ - we can validate by issuing the following command in 1 line!
[oracle@mymachine wls]$ /u01/app/wls/jdk160_14_R27.6.5-32/bin/java -jar
/u01/app/wls/oracle_common/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar mode=VALIDATE
app_domain="mymachine.example.com" app_agent_password=welcome1 ldap_host=oid-server.example.com
ldap_port=3060 ldap_userdn="cn=orcladmin" ldap_userpassword=welcome1 oam_aaa_host=oam-server.example.com
oam_aaa_port=6021 test_username=weblogic
Enter test_userpassword: >>welcome1<<
Processed input parameters
Initialized Global Configuration
Validating app_domain: mymachine.example.com : OK.
Validating web_domain: mymachine.example.com : OK.
Validating access_gate: mymachine.example.com_AG : OK.
Found url:http://mymachine.example.com/webcenter/adfAuthentication
Found url:http://mymachine.example.com/workflow
Found url:http://mymachine.example.com/rss
Found url:http://mymachine.example.com/owc_discussions/login!withRedirect.jspa
Found url:http://mymachine.example.com/owc_discussions/login!default.jspa
Found url:http://mymachine.example.com/owc_wiki/user/login.jz
Found url:http://mymachine.example.com/rss/rssservlet
Found url:http://mymachine.example.com/owc_wiki/adfAuthentication
Found url:http://mymachine.example.com/owc_discussions/login.jspa
Found url:http://mymachine.example.com/owc_wiki
Found url:http://mymachine.example.com/owc_discussions/rss/
Found url:http://mymachine.example.com/webcenter/content
Found url:http://mymachine.example.com/webcenter
Found url:http://mymachine.example.com/rest
Found url:http://mymachine.example.com/owc_discussions
Found url:http://mymachine.example.com/owc_discussions/admin
Successfully completed the Validate operation. - you may also want to login to your OAM server and verify the Policies and Access Gate configurations
3. Configuring the WebTier
- Now that the policies are created on OAM server, we must install the WebGate on your WebCenter machine. This will work together with Apache to filter the requests and check their policies.
- Before you install WebGate, you should copy the following libraries to a common place, in order to make the install process easier.
- Note: if you are using a 64bit machine, you should copy the libraries from the lib64 folder -- /lib64/libgcc_s.so.1 and /usr/lib64/libstdc++.so.5
>>>> need to have these 2 libs in same folder
[oracle@mymachine ]$ cd /tmp/
[oracle@mymachine tmp]$ mkdir lib
[oracle@mymachine tmp]$ cd lib
[oracle@mymachine lib]$ cp /lib/libgcc_s.so.1 .
[oracle@mymachine lib]$ cp /usr/lib/libstdc++.so.5 .
[oracle@mymachine lib]$ cd /u01/oracle/software/E20BootcampInstallers/webgate
>>>> if "oracle" is NOT is sudoers:
su -c "./Oracle_Access_Manager10_1_4_3_0_linux_OHS11g_WebGate -gui"
>>>> if "oracle" MUST is in sudoers
[oracle@mymachine webgate]$ sudo -u root ./Oracle_Access_Manager10_1_4_3_0_linux_OHS11g_WebGate -gui - You could refer to the doc now, and follow all the steps listed in section 23.7.1.3.3 Install WebGate on the WebTier. Below is just an example of the values you will be using during the install process.
- Enter the username the web server is running as = oracle
- Enter the Group for the above username = oinstall
- Please specify a directory name or press Enter = /u01/app/wls/webgate
- Location of GCC runtime libraries = /tmp/lib
- Specify the transport security mode = 1 - Open Mode
- WebGate ID = mymachine.example.com_AG
- Password for WebGate = welcome1
- Access Server ID = aaa1
- Host name where an Access Server is installed = oam-server.example.com
- Port number the Access Server listens to = 6021
- Proceed with automatic httpd.conf configuration
- Absolute path of httpd.conf = /u01/app/wls/Oracle_WT1/instances/instance1/config/OHS/ohs1/httpd.conf
- restart Oracle HTTP server.
[oracle@mymachine lib]$ cd /u01/app/wls/Oracle_WT1/instances/instance1/bin/
[oracle@mymachine bin]$ ./opmnctl stopall
opmnctl stopall: stopping opmn and all managed processes...
[oracle@mymachine bin]$ ./opmnctl startall
opmnctl startall: starting opmn and all managed processes...
4. Create local orcladmin
- In our OID example server, we have user orcladmin, as the administrator. We want to create this user locally (on your local WLS). Another option, would be to have the user weblogic on the LDAP server.
- Log in to WLS Console - http://mymachine.example.com:7001/console
- Go to "boot_domain" -> "Security realms" -> "myrealm" -> "Users and Groups"
- Click "New" and use the following info:
- Name = orcladmin
- Provider = DefaultAuthenticator
- Password = welcome1 - Confirm = welcome1
- Click on the newly created orcladmin – make sure you choose the one with DefaultAuthenticator
- Click "Groups" and add the Administrators group to this user
5. Configuring Discussions Server
- Log in to Discussions Server Admin Console - http://mymachine.example.com:8890/owc_discussions/admin
- Login on Discussions Jive Admin – weblogic / welcome1
- Click "System Properties"
- add/edit the property and "Save" it.
- owc_discussions.sso.mode = true
- Click "Settings -> Admins/Moderators"
- Click "Grant New Permissions"
- Choose the permission = System Admin
- Specific user = orcladmin
- Click "Grant new permission"
6. Configuring WebLogic to use OID/OAM
- Now, we need to create the Authenticators that will process the user authentication. We need to have authenticators for OAM and OID.
- You must now perform all the steps listed in section 23.7.1.6 Configuring the Policy Manager , and refer to the values below as reference.
- Note #1: you should double check the values with your System Administrator, specially the LDAP configuration below.
- Note #2: below, I'm listing only the values that need to be changed. Leave all others with the default values, or make changes if you are 100% sure.
- Note #3: if you have any problems logging in, you can always come back to WLS console, and remove these extra Authenticators.
- for the OID Authenticator use the following:
- Control Flag = SUFFICIENT
- Host = oid-server.example.com
- Port = 3060
- Principal = cn=orcladmin
- Credential = welcome1 – Confirm = welcome1
- User Base DN = dc=example,dc=com
- All Users Filter = (&(uid=*)(objectclass=person))
- User Name Attribute = uid
- Group Base DN = dc=example,dc=com
- All the other values don't need to be changed
- for the OAM ID Asserter use the following:
- Control Flag = REQUIRED
- Active Types = ObSSOCookie, OAM_REMOTE_USER
- Application Domain = mymachine.example.com
- Access Gate Password = welcome1
- Keystore Pass Phrase = welcome1
- Access Gate Name = mymachine.example.com_AG
- Primary Access Server = oam-server.example.com:6021
- All the other values don't need to be changed
- for the DefaultAuthenticator change:
- Control Flag = SUFFICIENT
- reorder the providers as described in the doc:
- OAMIdentityAsserter (REQUIRED)
- OracleInternetDirectoryAuthenticator (SUFFICIENT)
- DefaultAuthenticator (SUFFICIENT)
- DefaultIdentityAsserte
- don't forget to add the EXTRA_JAVA_PROPERTIES to setDomainEnv.sh
[oracle@mymachine bin]$ cd /u01/app/wls/user_projects/domains/boot_domain/bin/
[oracle@mymachine bin]$ vi setDomainEnv.sh
---- put it around line 100 after the SUN_JAVA_HOME
EXTRA_JAVA_PROPERTIES="-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Doracle.mds.bypassCustRestrict=true -Djps.update.subject.dynamic=true
-Doracle.webcenter.spaces.osso=true -noverify ${EXTRA_JAVA_PROPERTIES}"
7. Restart & Test
- bounce all servers - WLS Admin, WLS_Services, WLS_Spaces
- test that you can login with any of users you have on your LDAP server.
- test that once you login to WIKI (/owc_wiki), you can just go to Discussions (/owc_discussions) without being asked for password. Same if you go to WebCenter (/webcenter)
8. What's next?
- assuming it all worked fine :-), you should probably want to restrict access to the other ports -- for example :8890/owc_wiki, or :8888/webcenter
During our Bootcamp, we managed to configure SSO successfully in 7 out of 7 machines. It was not very straightforward, so we had to go back and double-check the steps and values. Once we did that, all was working fine.
If it does not work for the 1st time, just go back and double check everything. If you still have problems, just post a comment.
Fantastic, just what I was looking for! I haven't been able to figure this out by reading the oracl e documentation alone. Thank you!
ReplyDeleteOne question tho. I have Installed OAM but what is this http://oam-server.example.com:7778/access/oblix/ .. thinking about what's running on port 7778 and what is /access/oblix
ReplyDeleteWhen I start OAM I get error (but it starts):
oracle.security.am.agent.asdk.impl.aaaclient.AccessServerImpl initAAAClient
INFO: Connection to OAM Server could not be established: Exception in connecting to server. Connection Refused
Did I miss something? Maybe it's something I have not installed ?