Oracle® WebCenter Wiki and Blog Server Installation, Configuration, and User's Guide
10 g Release 3 (10.1.3.4.0)
E14106-01
  Go To Table Of Contents
Contents 		Go To Index
Index
Previous
Previous   		Next
Next 		 

4 Configuring Single Sign-On

You can configure Oracle Access Manager-based single sign-on security for Oracle WebCenter Wiki and Blog Server. This chapter explains how to configure Oracle A ccess Manager for s ingle sign-on for Oracle WebCenter Wiki and Blog Server.

This chapter includes the following sections:

4.1 Overview of Oracle Access Manager Authentication

Oracle Access Manager authe ntication for Oracle WebCenter Wiki and Blog Server requires following components:

The following are the steps to configure Oracle Access Manager for single sign-on:

  1. Install Oracle Access Manager ( Section 4.2)

  2. Install an Access Server ( Section 4.3)

  3. Install Oracle HTTP Server ( Section 4.4)

  4. Install an Access Gate (WebGate) ( Section 4.5)

  5. Configure Oracle Access Manager ( Section 4.6)

  6. Configure authentication ( Section 4.7)

  7. Configure a custom login page for Oracle Access Manager ( Section 4.8)

  8. Install the security provider for WebLogic SSPI ( Section 4.9)

4.2 Installing Oracle Access Manager

Oracle Access Manager Release 10 g (10.1.4.2.0) is a patch set, so it cannot be installed directly. For example, after installing 10 g (10.1.4.0.1), you can apply Release 10.1.4 patch set 1 (10.1.4.2.0) to installed components.

In summary, here are the steps to install Oracle Access Manager:

  1. Confirm that prerequisites have been satisfied for Oracle Access Manager

  2. Install the Identity Server

  3. Install Oracle HTTP Server 10.1.3.3+ (from the Companion CD) for Identity Server and WebPass

    http://<hostname>.<domain>:<port>

  4. Install the Web Pass

  5. Test the user interface

    http://<hostname>.<domain>:<port>/identity/oblix

  6. Install the Policy Manager

  7. Test the user interface

    http://<hostname>.<domain>:<port>/access/oblix

  8. Configure the Identity System Console

  9. Configure the Access System Console

  10. Create an Access Server Instance within the Access System Console ( Section 4.3)

  11. Install the Access Server ( Section 4.3)


Note:

You must apply Oracle Access Manager Release 10 g patch 5957301 (or higher) and patch 7408035 (or higher) to all Oracle Access Manager components. See Note 736372.1 on My Oracle Support (formerly MetaLink) for the Oracle Access Manager bundle patch release history, containing its latest patch sets and patches.

The documentation in this chapter is provided as a general guideline. For detailed information about Oracle Access Manager, see the Oracle Access Manager documentation posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/index.htm

4.3 Installing an Access Server

An Access Se rver must be installed for Oracle WebCenter Wiki and Blog Server.

For detailed information about installing an Access Server, see the "Installing the Access Server" chapter in the Oracle® Access Manager Installation Guide 10g (10.1.4.2.0). This is posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32412/a_srvr.htm

You will be asked to create an Access Server instance in the Access System Console. Leave all defaults as they are, except the following specific entries:

  • Set Name to wls-wiki-access-server

  • Set Hostname to the host on which Oracle HTTP Server resides

  • Set Port to 6021 or to any other available port

  • Set Access Management Service to On

The saved values should look something like the following:

Name    wls-wiki-access-server 
Hostname host.domain.com 
Port      6021 
Debug     Off 
Debug File Name       
Transport Security      Open 
Maximum Client Session Time (hours)   24 
Number of Threads      60 
Access Management Service      On 
       
Audit to Database (on/off)     Off 
       
Audit to File (on/off)     Off 
Audit File Name       
Audit File Size (bytes)      0 
Buffer Size (bytes)      512000 
File Rotation Interval (seconds)      0 
Engine Configuration Refresh Period   14400 (seconds)      
URL Prefix Reload Period (seconds)    7200 
Password Policy Reload Period (seconds)7200 
       
Maximum Elements in User Cache      100000 
User Cache Timeout (seconds)        1800 
 
Maximum Elements in Policy Cache    10000 
Policy Cache Timeout (seconds)      7200 
       
SNMP State        Off 
SNMP Agent Registration Port       
       
Session Token Cache      Enabled 
Maximum Elements in Session Token Cache     10000

After creating this instance in the Access System Console, install the actual Access Server, using the Oracle Access Manager command appropriate to your platform.

For more information, see the installation guide posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32412/a_srvr.htm

4.4 Installing Oracle HTTP Serv er for Oracle WebCenter Wiki and Blog Server

Each Oracle HTTP Server configured for integration with Oracle Access Manager must have an Access Gate installed.

Install Oracle HTTP Server 10.1.3.3+ for Apache 2.0. This can be downloaded from e-delivery at http://edelivery.oracle.com/ from the Oracle® Application Server 10 g Release 3 (10.1.3) Media Pack, or from the Oracle10 g Release 3 Companion CD (10.1.3.x) at:

http://www.oracle.com/technology/software/products/ias/htdocs/101310.html

After installing Oracle HTTP Server, install the Apach e HTTP Server plug-in ( mod_wl_20). This can be downloaded from:

http://download.oracle.com/otn/bea/weblogic/server103/WLSWebServerPlugins1.0.1150354-Apache.zip

Detailed installation instructions are posted at:

http://e-docs.bea.com/wls/docs103/plugins/apache.html#wp131399

4.4.1 Configuring mod_weblogic

Follow these steps to configure mod_weblogic:

  1. Install mod_wl into Oracle HTTP Server 10.1.3.3+.

    Without this step, you get the following error when you start Oracle HTTP Server:

    --------
09/02/12 01:35:25 Start process
--------
/scratch/ohsoam/install/ohs/ohs/bin/apachectl startssl: execing httpd
Syntax error on line 247 of
/scratch/ohsoam/install/ohs/ohs/conf/httpd.conf:
Cannot load /scratch/ohsoam/install/ohs/ohs/modules/mod_wl_20.so into
server: /scratch/ohsoam/install/ohs/ohs/modules/mod_wl_20.so: cannot open
shared object file: No such file or directory

  2. Confirm that you have the following entries at the end of h ttpd.conf (after the automatic updates to httpd.conf through Webgate Installer).

    For Linux: 

    #*** BEGIN WebGate Specific ****

LoadFile "/scratch/ohsoam/install/webgate/access/oblix/lib/libgcc_s.so.1"
LoadFile "/scratch/ohsoam/install/webgate/access/oblix/lib/libstdc++.so.5"
 
LoadModule obWebgateModule "/scratch/ohsoam/install/webgate/access/oblix/apps/webgate/bin/webgate.so"
WebGateInstalldir "/scratch/ohsoam/install/webgate/access"
 
                                         
LoadModule weblogic_module modules/mod_wl_20.so
 
                                         
<IfModule mod_weblogic.c>
                                         
MatchExpression /owc_wiki WebLogicHost=<host>|WebLogicPort=<port>
                                         
</IfModule>

WebGateMode PEER
 
<Location /access/oblix/apps/webgate/bin/webgate.cgi>
SetHandler obwebgateerr
</Location>
 
<Location "/oberr.cgi">
SetHandler obwebgateerr
</Location>
 
<LocationMatch "/*">
AuthType Oblix
require valid-user
</LocationMatch>

#*** END WebGate Specific ****

    For Windows: 

    #*** BEGIN WebGate Specific ****
 
LoadModule obWebgateModule "C:\OHSOAM\webgate\access/oblix/apps/webgate/bin/webgate.dll"
WebGateInstalldir "C:\OHSOAM\webgate\access"
 
                                         
LoadModule weblogic_module modules/mod_wl_20.so
 
                                         
<IfModule mod_weblogic.c>
                                         
MatchExpression /owc_wiki WebLogicHost=<host>|WebLogicPort=<port>
                                         
</IfModule>

WebGateMode PEER

<Location /access/oblix/apps/webgate/bin/webgate.cgi>
SetHandler obwebgateerr
</Location>
 
<Location "/oberr.cgi">
SetHandler obwebgateerr
</Location>
 
<LocationMatch "/*">
AuthType Oblix
require valid-user
</LocationMatch>
 
#*** END WebGate Specific ****

  3. Configure the module mod_wl in Oracle HTTP Server so that it forwards requests to Oracle HTTP Server. To configure Oracle HTTP Server to work with multiple non-clustered servers, use the following example in httpd.conf: 

    LoadModule weblogic_module modules/mod_wl_20.so
 
<IfModule mod_weblogic.c>
     MatchExpression /owc_wiki WebLogicHost=wiki.example.com|WebLogicPort=8888
</IfModule>

    Note:

    The WebLogic port refers to the wiki server port where the Oracle WebCenter Wiki and Blog Server is deployed.

4.5 Installing an Access Gate

For Oracle WebCenter Wiki and Blog Server to be protected with Oracle Access Manager single sign-on, first install Oracle HTTP Server 10.1.3.3+ for Apache 2.0. Next, install the Access Gate module on the same machine where Oracle HTTP Server is installed. This is the Oracle HTTP Server and Access Gate installation that will be used to protect the Oracle WebCenter Wiki and Blog Server URL.

For information about installing an Access Gate, see the "Installing the WebGate" chapter in the Oracle Access Manager Installation Guide 10g (10.1.4.2.0). This is posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32412/webgate.htm


Note:

WebGate and Access Gate are synonymous.

4.5.1 Creating the Access Gate Instance in the Access System Console

Before installing an Access Gate, you must create an Access Gate instance within the Access System Console.

While creating the instance, provide the following properties:

  • Set Name to wls-wiki-access-gate or to any other name

  • Set Hostname to the host on which the Oracle HTTP Server is installed (This should be in the host:port format, with the port set to the Oracle HTTP Server port.)

  • Set Preferred HTTP Host to the Oracle HTTP Server host name.

  • Set ASDK Client, Access Management Service to On

  • Set Primary HTTP Cookie Domain to an appropriate value depending on your installation. Typically, this would be a domain-based cookie; for example, ".yourcompany.com".

  • Set Port to the Oracle HTTP Server port.

Click Save to retain this setup.

4.5.2 Installing the Access Gate

Install WebGate 10.1.4.0.1 for OHS2 ( Oracle_Access_Manager10_1_4_0_1_linux_OHS2_WebGate). This installer is included with the Oracle Access Manager CD. After successfully installing WebGate 10.1.4.0.1, you must apply the base patch 5957301 ( Oracle_Access_Manager10_1_4_2_0_Patch_linux_OHS2_WebGate.zip), which can be downloaded from My Oracle Support (formerly MetaLink):

https://metalink.oracle.com/metalink/plsql/f?p=130:5:1642971897004974741::::P_SOURCE,P_SRCHTXT:8,5957301%20

On Linux only: After applying base patch 5957301, you must apply bundle patch 7408035 ( Oracle_Access_Manager10_1_4_2_0_BP06_Patch_linux_OHS2_WebGate.zip), which can downloaded from My Oracle Support (formerly MetaLink):

https://metalink2.oracle.com/metalink/plsql/f?p=130:5:6778718287832208728::::P_SOURCE,P_SRCHTXT:8,7408035

Make sure that you install the WebGate for your platform and that it is for Oracle HTTP Server with Apache 2.0.

4.6 Setting Up Oracle Access Manager

To set up Oracle Access Manager, you must configure the Access Gate and the Access Server. This section provides samples of each configuration specifically for Jive Forums integration.

For detailed information about setting up O racle Access Manager, see the "Installing the WebGate" chapter in the Oracle Access Manager Installation Guide 10g (10.1.4.2.0). This is posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32412/webgate.htm

Ensure that the configuration given in the following sections is done in Oracle Access Manager.

4.7 Configuring Authentication Management

There are two parts to authentication management:

4.7.1 Configuring the Authentication Scheme

The Oracle Access Manager Access Syste m Console lets you configure the authentication mechanism. Form-based authentication requires that you give the challenge redirect to the Oracle HTTP Server where Oracle WebCenter Wiki and Blog Server is deployed.

The following steps describe how to configure a new authentication scheme.

  1. Go to http://<hostname>:<port>/access/oblix, and click Access System Console.

  2. Enter orcladmin/ welcome1, and click Login.

  3. Click the Access System Configuration tab, then click Authentication Management when the side navigation bar appears.

  4. Click the Add button to define a new authentication scheme.

  5. On the General tab ( Figure 4-3), enter the following:

    • Name: Form Auth Scheme Wiki and Blog

    • Description: For WebCenter Wiki and Blog

    • Level: 1

    • Challenge Method: Form

    • Challenge Parameter: 

      form:/login.html --> Add a row
creds:userid password --> Add a row
action:/access/oblix/apps/webgate/bin/webgate.so --> Add a row

    • SSL Required: No

    • Challenge Redirect: URL with host and port where the HTTP server/Webgate is installed; for example, http://<hostname>:<port>.

    • Update Cache: [X] (checkbox checked)

  6. Click Save.

  7. On the Plugins tab, enter the following:

    • credential_mapping = obMappingBase="cn=users,dc=vm,dc=oracle,dc=com",obMappingFilter="(&(&(objectclass=inetorgperson)(uid=%userid%))(|(!(obuseraccountcontrol=*)) (obuseraccountcontrol=ACTIVATED)))"

    • validate_password = password

    Make sure that the user name field in login.html (which is created in Section 4.8, "Configuring a Custom Login Page for Oracle Access Manager") matches what you enter for uid in the credential_mapping plugin. In this example, it is assumed that login.html would define the username field as userid and the password field as password.

  8. On the Steps tab, do nothing. ( Figure 4-4)

  9. On the Authentication Flow tab, do nothing.

  10. To enable the authentication scheme, on the General tab, click Modify. Then, for the Enabled option, select Yes and then click Save.

4.7.2 Creating a New Policy Domain in Oracle Access Manager

To enable single sign-on using Oracle Access Manager, cre ate a new pol icy domain in Oracle Access Manager.

Figure 4-5 shows a policy domain overview.

For more information about policy domains, see the "Protecting Resources with Policy Domains" chapter in the Oracle Access Manager Access Administration Guide at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2policy.htm

An example domain is provided here.

  1. To get to the Policy Manager, go to http://<host>:<port>/access/oblix, and click Policy Manager. If you have not yet logged on, then you are asked for your user logon credentials.

    wiki-domain: This defines the policy for the wiki application resources. Most wiki pages are public. However, access to the /admin path is secured, and the /login!withRedirect.jspa is used to trigger authentication and is used by the login link in the application.

  2. Create a new domain for the wiki and blog server 10.1.3.4.0. Give a unique name for the domain. ( Figure 4-6)

  3. Configure the host identifiers. The host identifier should be the one you registered for your Oracle HTTP Server.

  4. Protect the wiki login and admin URLs. The following URLs need to be protected:

    • /owc_wiki/acl

    • /owc_wiki/admin

    • /owc_wiki/attachments

    • /owc_wiki/default

    • /owc_wiki/domain

    • /owc_wiki/export

    • /owc_wiki/index_dir

    • /owc_wiki/install

    • /owc_wiki/js

    • /owc_wiki/layouts

    • /owc_wiki/macro

    • /owc_wiki/page

    • /owc_wiki/pages

    • /owc_wiki/remote

    • /owc_wiki/tags

    • /owc_wiki/templates

    • /owc_wiki/user

    • /owc_wiki/vhost

    • /owc_wiki/wp

  5. Define a new authorization rule and enable it. ( Figure 4-7)

  6. On the Actions tab of Authorization Rules, define SSO_USER to return a custom header variable on authorization success. Make sure to put uid in the Return Attribute field and not in the value field. ( Figure 4-8)

  7. On the Allow Access tab of Authorization Rules, specify the role Any one. ( Figure 4-9)

  8. On the Authentication Rule tab of Default Rules, select the Form Authorization scheme defined earlier. ( Figure 4-10)

  9. On the Authorization Expression tab of Default Rules, select the authorization rule defined earlier on the Authorization Rules tab. ( Figure 4-11)

  10. On the Actions tab of Default Rules, define return actions for authorization success for the uid and obmygroups attributes, as shown in Figure 4-12.

  11. After creating the policy domain, make sure to enable the policy domain by modifying the existing domain.

4.8 Configuring a Custom Login Page for Oracle Access Manager

Form-based authenti cation requires a custom login page to be created on the Oracle HTTP Server for the Access Gate. This custom login page will be displayed when the user has to be challenged for credentials. The name of the page should match the name specified in the authentication scheme on the Oracle Access Server authentication scheme configuration. In this example, it is specified as login.html. This file must be in the document root ( $OHS_HOME/ohs/htdocs) on the Oracle HTTP Server.

Here is the sample login.html file: 

<html>
<head>
    <title>Test Login Form</title>
    <script language="JavaScript">
                function submitForm() {
                        document.forms[0].submit();
                }
    </script>
  </head>
  <body bgcolor="#ffffff" onLoad="self.focus();document.loginform.login.focus()">
    <center>
      <h2>Test Login Form</h2>
      <form name="loginform" action="/access/oblix/apps/webgate/bin/webgate.so"method="post">
        <table cellspacing="0" cellpadding="0" border="0">
          <tr><td valign="center" align="left"><b>Username</b></td>
            <td>&nbsp;&nbsp;&nbsp;&nbsp;</td><td valign="center" align="left">
              <input type="username" name="userid" size="20" value=""></td>
          </tr>
          <tr>
            <td valign="center" align="left"><b>Password</b></td>
            <td>&nbsp;&nbsp;&nbsp;&nbsp;</td><td valign="center" align="left">
              <input type="password" name="password" size="20" value=""></td>
          </tr>
        </table>
 
        <input type=submit id=submit name=submit value=submit />
        </form>
  </body>
</html>

4.9 Installing the Security Provider for WebLogic SSPI

To assert the identity of l ogged in users, you must install the Security Provider for WebLogic SSPI (Security Service Provider Interface) on the WebLogic machine. The Security Provider ensures that only appropriate users and groups can access Oracle Access Manager-protected WebLogic resources to perform specific operations. The Security Provider also enables you to configure single sign-on between Oracle Access Manager and WebLogic resources.

The Security Provider for WebLogic SSPI (under Oracle Access Manager - 3rd Party Integration) is available at:

http://www.oracle.com/technology/software/products/ias/htdocs/101401.html

CD7 of the Oracle Access Manager 3rd party integration package contains WebLogic SSPI Provider installer, Oracle_Access_Manager10_1_4_2_2_linux_BEA_WL_SSPI.zip.


Note:

It is important to install from this link. (Do not install the default Security Provider for WebLogic SSPI 10.1.4.0.1.) For detailed installation instructions, see the webcenter.pdf file included with the download.

Required Tasks

The following tasks need to be completed:

  1. Install the Security Provider, typical installation

  2. Set up the WebLogic policy in Oracle Access Manager

  3. Run the NetPoint Policy Deployer

  4. Prepare the WebLogic environment

For detailed information about these tasks, see http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/e10356/weblogic.htm .

After completing these tasks, configure the Oracle Access Manager Iden tity Asserter in the WebLogic console.

  1. Log on to WebLogic Server Administration Console.

  2. Click Security Realms in the Domain Structure panel. ( Figure 4-13)

  3. Click the myrealm link in the list of realms on the right panel.

  4. Under Settings for myrealm, click the Providers tab. ( Figure 4-14)

  5. Create a new Authentication Provider by clicking New.

  6. Enter a unique name for the authenticator, and select OblixAuthenticator as the Type. ( Figure 4-15)

  7. Click OK.

  8. Click Reorder to alter the authentication sequence. ( Figure 4-16)

  9. Reorder the sequence of the newly created authenticator by moving OblixAuthenticator to top of the list using the arrow button on the right. ( Figure 4-17)

  10. Click OK.

  11. Under the Name column, click the hyperlink of the newly created OblixAuthenticator to display its properties.

  12. From the Control Flag list, select SUFFICIENT. ( Figure 4-18)

  13. Click Save.

  14. Click New to create an identity asserter.

  15. Enter a unique name for the identity asserter, and select Type as OblixIdentityAsserter. ( Figure 4-19)

  16. Click OK to create the identity asserter.

  17. Reorder the newly created identity asserter to the second position. ( Figure 4-20)

  18. Set the Control Flag for the identity asserter to SUFFICIENT. ( Figure 4-18)

  19. Restart the Admin Server and all managed servers to uptake the configuration changes.


    Note:

    After creating the OblixAuthenticator authentication provider, ensure that the OB_UserSearchAttr property of the provider is set to cn (the default) in the NetPointProvidersConfig.properties file.

After SSPI configuration, Oracle WebCenter Wiki and Blog Server can be accessed at the following URL: http://<host>:<port>/owc_wiki, where <host> and <port> are the host and port of the Oracle HTTP Server.

In addition to following these instructions, you must remove xerces.jar from the CLASSPATH. Specifically, edit startWebLogic.sh on Linux or startWebLogic.cmd on Windows to change the following from: 

CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}:
/scratch/ohsoam/install/SSPI_wiki/NetPointSecuProvForWeblogic/oblix/lib
/wlNetPoint.jar:/scratch/ohsoam/install/SSPI_wiki/NetPointSecuProvForWeblogic
/oblix/lib/bcprov-jdk14-125.jar:/scratch/ohsoam/install/SSPI_wiki
/NetPointSecuProvForWeblogic/oblix/lib/xerces.jar:/scratch/ohsoam/install
/SSPI_wiki/NetPointSecuProvForWeblogic/oblix/lib/jobaccess.jar"

to

CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}:
/scratch/ohsoam/install/SSPI_wiki/NetPointSecuProvForWeblogic/oblix/lib
/wlNetPoint.jar:/scratch/ohsoam/install/SSPI_wiki/NetPointSecuProvForWeblogic
/oblix/lib/bcprov-jdk14-125.jar:/scratch/ohsoam/install/SSPI_wiki
/NetPointSecuProvForWeblogic/oblix/lib/jobaccess.jar"
  Previous
Previous   		Next
Next
Oracle Logo
Copyright © 2007, 2009, Oracle and/or its affiliates. All rights reserved.
Legal Notices
  Go To Table Of Contents
Contents 		Go To Index
Index