Oracle® WebCenter Discussions Installation and Configuration Guide
10g Release 3 (10.1.3.4.0)
E14210-01

2 Configuring Single Sign-On

This chapter explains how to configure single sign-on in an Oracle WebCenter Discussions application. This chapter includes the following sections:

For more information about installation and configuration, see Appendix B, "Frequently Asked Questions."

2.1 Configuring Oracle Access Manager for Single Sign-On

This section describes the steps, summarized below, to configure Oracle Access Manager for single sign-on:

  1. Install Oracle Access Manager (Section 2.1.1)

  2. Install an Access Server (Section 2.1.2)

  3. Install Oracle HTTP Server (Section 2.1.3)

  4. Install an Access Gate (WebGate) (Section 2.1.4)

  5. Configure Oracle Access Manager (Section 2.1.5)

  6. Configure authentication (Section 2.1.6)

  7. Configure a custom login page for Oracle Access Manager (Section 2.1.7)

  8. Install the security provider for WebLogic SSPI (Section 2.1.8)

Oracle Access Manager authentication for Oracle WebCenter Discussions requires the following components:

2.1.1 Installing Oracle Access Manager

Oracle Access Manager Release 10g (10.1.4.2.0) is a patch set, so it cannot be installed directly. For example, after installing 10g (10.1.4.0.1), you can apply Release 10.1.4 patch set 1 (10.1.4.2.0) to the installed components. See note 736372.1 on My Oracle Support (formerly MetaLink) for the Oracle Access Manager bundle patch release history.

This document also explains how to add base patch 5957301 and the latest bundle patch 7408035. In summary, these are the steps to install Oracle Access Manager:

  1. Confirm that prerequisites have been satisfied for Oracle Access Manager.

  2. Install the Identity Server

  3. Install Oracle HTTP Server 10.1.3.3+ (from the Companion CD) for Identity Server and WebPass

    http://<hostname>.<domain>:<port>

  4. Install the WebPass

  5. Test the user interface

    http://<hostname>.<domain>:<port>/identity/oblix

  6. Install the Policy Manager

  7. Test the user interface

    http://<hostname>.<domain>:<port>/access/oblix

  8. Configure the Identity System Console

  9. Configure the Access System Console

  10. Create an Access Server instance within the Access System Console (Section 2.1.2)

  11. Install the Access Server (Section 2.1.2)


    Note:

    You must apply Oracle Access Manager Release 10g patch 5957301 (or higher) and patch 7408035 (or higher) to all Oracle Access Manager components.

The documentation in this chapter is provided as a general guideline. For detailed information about Oracle Access Manager, see the Oracle Access Manager documentation posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/index.htm

2.1.2 Installing an Access Server

An Access Server must be installed for Oracle WebCenter Discussions.

For detailed information about installing an Access Server, see Oracle® Access Manager Installation Guide 10g (10.1.4.2.0) "Chapter 8, Installing the Access Server". This is posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32412/a_srvr.htm

You will be asked to create an Access Server instance in the Access System Console. Leave all defaults as they are, except the following specific entries:

  • Set Name to wls-jive-access-server

  • Set Hostname to the host on which Oracle HTTP Server resides

  • Set Port to 6021 or to any other available port

  • Set Access Management Service to On

The saved values should look something like the following:

Name                                            wls-jive-access-server
Hostname                                        host.domain.com
Port                                            6021
Debug                                           Off
Debug File Name
Transport Security                              Open
Maximum Client Session Time (hours)             24
Number of Threads                               60
Access Management Service                       On
Audit to Database (on/off)                      Off
Audit to File (on/off)                          Off
Audit File Name
Audit File Size (bytes)                         0
Buffer Size (bytes)                             512000
File Rotation Interval (seconds)                0
Engine Configuration Refresh Period (seconds)   14400
URL Prefix Reload Period (seconds)              7200
Password Policy Reload Period (seconds)         7200
Maximum Elements in User Cache                  100000
User Cache Timeout (seconds)                    1800
Maximum Elements in Policy Cache                10000
Policy Cache Timeout (seconds)                  7200
SNMP State                                      Off
SNMP Agent Registration Port
Session Token Cache                             Enabled
Maximum Elements in Session Token Cache         10000

After creating this instance in the Access System Console, install the actual Access Server, using the Oracle Access Manager command appropriate to your platform.

For more information, see the installation guide posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32412/a_srvr.htm

2.1.3 Installing Oracle HTTP Server for Oracle WebCenter Discussions

Each Oracle HTTP Server configured for integration with Oracle Access Manager must have an Access Gate installed.

Install Oracle HTTP Server 10.1.3.3+ for Apache 2.0. This can be downloaded from edelivery at http://edelivery.oracle.com/ from the Oracle® Application Server 10g Release 3 (10.1.3) Media Pack, or from the Oracle10g Release 3 Companion CD (10.1.3.x) at:

http://www.oracle.com/technology/software/products/ias/htdocs/101310.html

After installing Oracle HTTP Server, install the Apache HTTP Server plug-in (mod_wl_20). This can be downloaded from:

http://download.oracle.com/otn/bea/weblogic/server103/WLSWebServerPlugins1.0.1150354-Apache.zip

Detailed installation instructions are posted at:

http://e-docs.bea.com/wls/docs103/plugins/apache.html#wp131399

2.1.3.1 Configuring mod_weblogic

Follow these steps to configure mod_weblogic:

  1. Install mod_wl into Oracle HTTP Server 10.1.3.3+.

    Without this step, you get the following error when you start Oracle HTTP Server:

    --------
    09/02/12 01:35:25 Start process
    --------
    /scratch/ohsoam/install/ohs/ohs/bin/apachectl startssl: execing httpd
    Syntax error on line 247 of
    /scratch/ohsoam/install/ohs/ohs/conf/httpd.conf:
    Cannot load /scratch/ohsoam/install/ohs/ohs/modules/mod_wl_20.so into
    server: /scratch/ohsoam/install/ohs/ohs/modules/mod_wl_20.so: cannot open
    shared object file: No such file or directory
    
  2. Confirm that you have the following entries at the end of httpd.conf (after the automatic updates to httpd.conf made by the WebGate installer).

    For Linux:

    #*** BEGIN WebGate Specific ****

    LoadFile "/scratch/ohsoam/install/webgate/access/oblix/lib/libgcc_s.so.1"
    LoadFile "/scratch/ohsoam/install/webgate/access/oblix/lib/libstdc++.so.5"

    LoadModule obWebgateModule "/scratch/ohsoam/install/webgate/access/oblix/apps/webgate/bin/webgate.so"
    WebGateInstalldir "/scratch/ohsoam/install/webgate/access"

    LoadModule weblogic_module modules/mod_wl_20.so

    <IfModule mod_weblogic.c>
    MatchExpression /owc_discussions WebLogicHost=<host>|WebLogicPort=<port>
    </IfModule>

    WebGateMode PEER

    <Location /access/oblix/apps/webgate/bin/webgate.cgi>
    SetHandler obwebgateerr
    </Location>

    <Location "/oberr.cgi">
    SetHandler obwebgateerr
    </Location>

    <LocationMatch "/*">
    AuthType Oblix
    require valid-user
    </LocationMatch>

    #*** END WebGate Specific ****

    For Windows:

    #*** BEGIN WebGate Specific ****

    LoadModule obWebgateModule "C:\OHSOAM\webgate\access/oblix/apps/webgate/bin/webgate.dll"
    WebGateInstalldir "C:\OHSOAM\webgate\access"

    LoadModule weblogic_module modules/mod_wl_20.so

    <IfModule mod_weblogic.c>
    MatchExpression /owc_discussions WebLogicHost=<host>|WebLogicPort=<port>
    </IfModule>

    WebGateMode PEER

    <Location /access/oblix/apps/webgate/bin/webgate.cgi>
    SetHandler obwebgateerr
    </Location>

    <Location "/oberr.cgi">
    SetHandler obwebgateerr
    </Location>

    <LocationMatch "/*">
    AuthType Oblix
    require valid-user
    </LocationMatch>

    #*** END WebGate Specific ****

  3. Configure the mod_wl module in Oracle HTTP Server so that it forwards requests for the Discussions path to WebLogic Server. To configure Oracle HTTP Server to work with multiple non-clustered servers, use the following example in httpd.conf:

    LoadModule weblogic_module modules/mod_wl_20.so
     
    <IfModule mod_weblogic.c>
         MatchExpression /owc_discussions WebLogicHost=jive.wls.example.com|WebLogicPort=8888
    </IfModule>
    

    Note:

    The WebLogic port is the port of the managed server where Discussions is deployed.
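A check for the WebGate and mod_wl_20 block described in the steps above, added here as an example and not part of the Oracle guide. The BEGIN/END marker strings and directive names are the ones shown in step 2; the sample httpd.conf text is constructed, with a real managed server substituted for the <host> and <port> placeholders.

```python
"""Check the WebGate / mod_wl_20 block that the guide says must end httpd.conf.
Added example, not part of the Oracle guide: it parses the directives between the
BEGIN/END "WebGate Specific" markers and reports anything missing or weakened."""
import re

BEGIN_MARK = "#*** BEGIN WebGate Specific ****"
END_MARK = "#*** END WebGate Specific ****"
OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")  # e.g. <Location "/x">, <IfModule y>
MATCH_RE = re.compile(r"^MatchExpression\s+(\S+)\s+(.*)$")


def parse_webgate_block(conf):
    """Return (top, containers) for the WebGate block, or (None, None) when the markers
    are absent. top: directives directly in the block; containers: (tag, arg) -> lines."""
    lines = [line.strip() for line in conf.splitlines()]
    try:
        start = lines.index(BEGIN_MARK)
        end = lines.index(END_MARK, start)
    except ValueError:
        return None, None
    top, containers, stack = [], {}, []
    for line in lines[start + 1:end]:
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            key = (opened.group(1), opened.group(2).strip().strip('"'))
            containers.setdefault(key, [])
            stack.append(key)
        elif line.startswith("</"):
            if stack:
                stack.pop()
        elif stack:
            containers[stack[-1]].append(line)
        else:
            top.append(line)
    return top, containers


def check_webgate_conf(conf):
    """Return a list of findings; an empty list means the block matches the guide."""
    top, containers = parse_webgate_block(conf)
    if top is None:
        return ["WebGate block markers not found"]
    findings = []
    for prefix in ("LoadModule obWebgateModule", "WebGateInstalldir", "LoadModule weblogic_module"):
        if not any(line.startswith(prefix) for line in top):
            findings.append(f"missing {prefix}")
    modes = [line.partition(" ")[2].strip() for line in top if line.startswith("WebGateMode")]
    if modes != ["PEER"]:
        findings.append(f"WebGateMode should be PEER, found {modes or 'nothing'}")
    # mod_wl_20 must forward /owc_discussions to a real managed server, not to
    # the <host>/<port> placeholders copied from the guide.
    wl_lines = containers.get(("IfModule", "mod_weblogic.c"), [])
    exprs = [m for m in map(MATCH_RE.match, wl_lines) if m and m.group(1) == "/owc_discussions"]
    if not exprs:
        findings.append("no MatchExpression for /owc_discussions")
    for m in exprs:
        params = dict(p.split("=", 1) for p in m.group(2).split("|") if "=" in p)
        for key in ("WebLogicHost", "WebLogicPort"):
            value = params.get(key, "")
            if not value or value.startswith("<"):
                findings.append(f"MatchExpression {key} is unset or still a placeholder")
    # The guide routes every request through the WebGate with AuthType Oblix;
    # without this stanza the WebGate never intercepts the protected URLs.
    lm = containers.get(("LocationMatch", "/*"), [])
    if "AuthType Oblix" not in lm or "require valid-user" not in lm:
        findings.append('<LocationMatch "/*"> must contain AuthType Oblix and require valid-user')
    for loc in ("/access/oblix/apps/webgate/bin/webgate.cgi", "/oberr.cgi"):
        if "SetHandler obwebgateerr" not in containers.get(("Location", loc), []):
            findings.append(f"<Location {loc}> lacks SetHandler obwebgateerr")
    return findings


# Constructed sample modelled on the guide's Linux snippet, managed server filled in.
GOOD_CONF = """
#*** BEGIN WebGate Specific ****
LoadModule obWebgateModule "/scratch/ohsoam/install/webgate/access/oblix/apps/webgate/bin/webgate.so"
WebGateInstalldir "/scratch/ohsoam/install/webgate/access"
LoadModule weblogic_module modules/mod_wl_20.so
<IfModule mod_weblogic.c>
    MatchExpression /owc_discussions WebLogicHost=jive.wls.example.com|WebLogicPort=8888
</IfModule>
WebGateMode PEER
<Location /access/oblix/apps/webgate/bin/webgate.cgi>
SetHandler obwebgateerr
</Location>
<Location "/oberr.cgi">
SetHandler obwebgateerr
</Location>
<LocationMatch "/*">
AuthType Oblix
require valid-user
</LocationMatch>
#*** END WebGate Specific ****
"""

# Same block with the guide's placeholders left in and the LocationMatch dropped.
BAD_CONF = GOOD_CONF.replace(
    "WebLogicHost=jive.wls.example.com|WebLogicPort=8888", "WebLogicHost=<host>|WebLogicPort=<port>"
).replace('<LocationMatch "/*">\nAuthType Oblix\nrequire valid-user\n</LocationMatch>\n', "")
```

Run `check_webgate_conf(open("httpd.conf").read())` against the real file; an empty list means every directive the guide requires is present with a concrete host and port.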

2.1.4 Installing an Access Gate

For Oracle WebCenter Discussions to be protected with Oracle Access Manager single sign-on, first install Oracle HTTP Server 10.1.3.3+ for Apache 2.0. Next, install the Access Gate module on the same machine where Oracle HTTP Server is installed. This is the Oracle HTTP Server and Access Gate installation that will be used to protect the Oracle WebCenter Discussions URL.

For information about installing an Access Gate, see Oracle Access Manager Installation Guide 10g (10.1.4.2.0) "Chapter 9, Installing the WebGate." This is posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32412/webgate.htm


Note:

WebGate and Access Gate are synonymous.

2.1.4.1 Creating the Access Gate Instance in the Access System Console

Before installing an Access Gate, you must create an Access Gate instance within the Access System Console.

When creating the instance, provide the following properties:

  • Set Name to wls-jive-access-gate or to any other name

  • Set Hostname to the host on which the Oracle HTTP Server is installed (This should be in host:port format, with the port set to the Oracle HTTP Server port.)

  • Set Preferred HTTP Host to the Oracle HTTP Server host name.

  • Set ASDK Client, Access Management Service to On

  • Set Primary HTTP Cookie Domain to an appropriate value depending on your installation. Typically, this would be a domain-based cookie; for example, ".yourcompany.com".

  • Set Port to the Oracle HTTP Server port.

Click Save to retain this setup.

2.1.4.2 Installing the Access Gate

Install WebGate 10.1.4.0.1 for OHS2 (Oracle_Access_Manager10_1_4_0_1_linux_OHS2_WebGate). The installer is included with the Oracle Access Manager CD. After successfully installing WebGate 10.1.4.0.1, you must apply the base patch 5957301 (Oracle_Access_Manager10_1_4_2_0_Patch_linux_OHS2_WebGate.zip), which can be downloaded from My Oracle Support (formerly MetaLink):

https://metalink.oracle.com/metalink/plsql/f?p=130:5:1642971897004974741::::P_SOURCE,P_SRCHTXT:8,5957301%20

On Linux only: After applying base patch 5957301, you must apply bundle patch 7408035 (Oracle_Access_Manager10_1_4_2_0_BP06_Patch_linux_OHS2_WebGate.zip), which can be downloaded from My Oracle Support (formerly MetaLink):

https://metalink2.oracle.com/metalink/plsql/f?p=130:5:6778718287832208728::::P_SOURCE,P_SRCHTXT:8,7408035

Make sure that you install the WebGate for your platform and that it is for Oracle HTTP Server with Apache 2.0.

2.1.5 Setting Up Oracle Access Manager

To set up Oracle Access Manager, you must configure the Access Gate and the Access Server. This section provides samples of each configuration specifically for Jive Forums integration.

For detailed information about setting up Oracle Access Manager, see Oracle Access Manager Installation Guide 10g (10.1.4.2.0) "Chapter 9, Installing the WebGate." This is posted at:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32412/webgate.htm

Ensure that the following configuration is done in Oracle Access Manager:

2.1.6 Configuring Authentication Management

There are two parts to authentication management:

2.1.6.1 Configuring the Authentication Scheme

The Oracle Access Manager Access System Console lets you configure the authentication mechanism. Form-based authentication requires that you give the challenge redirect to the Oracle HTTP Server where Oracle WebCenter Discussions is deployed.

The following steps describe how to configure a new authentication scheme.

  1. Go to http://<hostname>:<port>/access/oblix and click Access System Console.

  2. Enter orcladmin/welcome1, and click Login.

  3. Click the Access System Configuration tab, then click Authentication Management when the side navigation bar appears.

  4. Click the Add button to define a new authentication scheme.

  5. On the General tab (Figure 2-3), enter the following:

    • Name: Form Auth Scheme Discussions

    • Description: For WebCenter Discussions

    • Level: 1

    • Challenge Method: Form

    • Challenge Parameter:

      form:/login.html --> Add a row
      creds:userid password --> Add a row
      action:/access/oblix/apps/webgate/bin/webgate.so --> Add a row
      
    • SSL Required: No

    • Challenge Redirect: URL with host and port where the HTTP server/Webgate is installed; for example, http://<hostname>:<port>

    • Enabled: Yes

    • Update Cache: [X] (checkbox checked)

    Click Save.

  6. On the Plugins tab, enter the following:

    • credential_mapping = obMappingBase="cn=users,dc=vm,dc=oracle,dc=com",obMappingFilter="(&(&(objectclass=inetorgperson)(uid=%userid%))(|(!(obuseraccountcontrol=*)) (obuseraccountcontrol=ACTIVATED)))"

    • validate_password = password

    Make sure that the user name field in login.html (which is created in Section 2.1.7, "Configuring a Custom Login Page for Oracle Access Manager") matches what you enter for uid in the credential_mapping plugin. In this example, it is assumed that login.html would define the username field as userid and the password field as password.

  7. On the Steps tab, do nothing. (Figure 2-4)

  8. On the Authentication Flow tab, do nothing.

After creating a plug-in, you can enable the authentication scheme by clicking the General tab, then Modify, then Enable, and then Save.

2.1.6.2 Creating a New Policy Domain in Oracle Access Manager

To enable single sign-on using Oracle Access Manager, create a new policy domain in Oracle Access Manager.

Figure 2-5 shows a policy domain overview.

For more information about policy domains, see Chapter 4 of the Oracle Access Manager Access Administration Guide at

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2policy.htm

An example domain is provided here.

  1. To get to the Policy Manager, go to http://<host>:<port>/access/oblix, and click Policy Manager. If you have not yet logged on, then you are asked for your user logon credentials.

    Jive-domain: This defines the policy for the Jive application resources. Most discussion pages are public. However, access to the /admin path is secured, and the /login!withRedirect.jspa path, which the login link in the application points to, is used to trigger authentication.

  2. Create a new domain for 10.1.3.4.0 Jive. Give the domain a unique name. (Figure 2-6)

  3. Configure the host identifiers. The host identifier should be the one you registered for your Oracle HTTP Server.

  4. Protect the Jive login and admin URLs, as shown in Figure 2-7. The following URLs need to be protected:

    • /owc_discussions/login!withRedirect.jspa, which converts to /owc_discussions/login%21withRedirect.jspa for URL encoding

    • /owc_discussions/login!default.jspa, which converts to /owc_discussions/login%21default.jspa

    • /owc_discussions/login.jspa

    • /owc_discussions/admin

  5. Define a new authorization rule and enable it. (Figure 2-8)

  6. On the Actions tab of Authorization Rules, define SSO_USER to return a custom header variable on authorization success. Make sure to put uid in the Return Attribute field and not in the Return Value field. (Figure 2-9)

  7. On the Allow Access tab of Authorization Rules, specify the role Anyone. (Figure 2-10)

  8. On the Authentication Rule tab of Default Rules, select the form authentication scheme defined earlier (Form Auth Scheme Discussions). (Figure 2-11)

  9. On the Authorization Expression tab of Default Rules, select the authorization rule defined earlier on the Authorization Rules tab. (Figure 2-12)

  10. On the Actions tab of Default Rules, define return actions for authorization success for the uid and obmygroups attributes, as shown in Figure 2-13.

  11. After creating the policy domain, make sure to enable the policy domain by modifying the existing domain.

2.1.7 Configuring a Custom Login Page for Oracle Access Manager

Form-based authentication requires a custom login page on the Oracle HTTP Server that hosts the Access Gate. This page is displayed when the user must be challenged for credentials. Its name must match the name specified in the authentication scheme configured in the Access System Console; in this example, it is login.html. The file must be in the document root ($OHS_HOME/ohs/htdocs) of the Oracle HTTP Server.

Here is the sample login.html file:

<html>
  <head>
    <title>Test Login Form</title>
    <script language="JavaScript">
      function submitForm() {
        document.forms[0].submit();
      }
    </script>
  </head>
  <!-- Focus the user name field; its name (userid) must match the creds
       parameter of the authentication scheme (creds:userid password). -->
  <body bgcolor="#ffffff" onLoad="self.focus();document.loginform.userid.focus()">
    <center>
      <h2>Test Login Form</h2>
      <!-- The action must match the action parameter of the authentication scheme. -->
      <form name="loginform" action="/access/oblix/apps/webgate/bin/webgate.so" method="post">
        <table cellspacing="0" cellpadding="0" border="0">
          <tr>
            <td valign="center" align="left"><b>Username</b></td>
            <td>&nbsp;&nbsp;&nbsp;&nbsp;</td>
            <td valign="center" align="left">
              <input type="text" name="userid" size="20" value=""></td>
          </tr>
          <tr>
            <td valign="center" align="left"><b>Password</b></td>
            <td>&nbsp;&nbsp;&nbsp;&nbsp;</td>
            <td valign="center" align="left">
              <input type="password" name="password" size="20" value=""></td>
          </tr>
        </table>

        <input type="submit" id="submit" name="submit" value="submit">
      </form>
    </center>
  </body>
</html>

2.1.8 Installing the Security Provider for WebLogic SSPI

To assert the identity of logged-in users, you must install the Security Provider for WebLogic SSPI (Security Service Provider Interface) on the WebLogic machine. The Security Provider ensures that only appropriate users and groups can access Oracle Access Manager-protected WebLogic resources to perform specific operations. The Security Provider also enables you to configure single sign-on between Oracle Access Manager and WebLogic resources.

The Security Provider for WebLogic SSPI (under Oracle Access Manager - 3rd Party Integration) is available at:

http://www.oracle.com/technology/software/products/ias/htdocs/101401.html

CD7 of the Oracle Access Manager 3rd party integration package contains the WebLogic SSPI Provider installer, Oracle_Access_Manager10_1_4_2_2_linux_BEA_WL_SSPI.zip.


Note:

It is important to install from this link. (Do not install the default Security Provider for WebLogic SSPI 10.1.4.0.1.) For detailed installation instructions, see the webcenter.pdf file included with the download.

Required Tasks

The following tasks need to be completed:

  1. Install the Security Provider, typical installation

  2. Set up the WebLogic policy in Oracle Access Manager

  3. Run the NetPoint Policy Deployer

  4. Prepare the WebLogic environment

For detailed information about these tasks, see http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/e10356/weblogic.htm.

After completing these tasks, configure the Oracle Access Manager Identity Asserter in the WebLogic console.

  1. Log on to WebLogic Server Administration Console.

  2. Click Security Realms in the Domain Structure panel. (Figure 2-14)

  3. Click the myrealm link in the list of realms on the right panel.

  4. Under Settings for myrealm, click the Providers tab. (Figure 2-15)

  5. Create a new Authentication Provider by clicking New.

  6. Enter a unique name for the authenticator, and select OblixAuthenticator as the Type. (Figure 2-16)

  7. Click OK.

  8. Click Reorder to alter the authentication sequence. (Figure 2-17)

  9. Move the newly created OblixAuthenticator to the top of the list using the arrow button on the right. (Figure 2-18)

  10. Click OK.

  11. Under the Name column, click the hyperlink of the newly created OblixAuthenticator to display its properties.

  12. From the Control Flag list, select SUFFICIENT. (Figure 2-19)

  13. Click Save.

  14. Click New to create an identity asserter.

  15. Enter a unique name for the identity asserter, and select OblixIdentityAsserter as the Type. (Figure 2-20)

  16. Click OK to create the identity asserter.

  17. Reorder the newly created identity asserter to the second position. (Figure 2-21)

  18. Set the Control Flag for the identity asserter to SUFFICIENT. (See Figure 2-19)

  19. Restart the Admin Server and all managed servers to pick up the configuration changes.


    Note:

    After creating the OblixAuthenticator authentication provider, ensure that the OB_UserSearchAttr property of the provider is set to cn (the default) in the NetPointProvidersConfig.properties file.

After SSPI configuration, Oracle WebCenter Discussions can be accessed at the following URL: http://<host>:<port>/owc_discussions/index.jspa, where <host> and <port> are the host and port of the Oracle HTTP Server.

In addition to following these instructions, you must remove xerces.jar from the CLASSPATH. Specifically, edit startWebLogic.sh on Linux or startWebLogic.cmd on Windows to change the following from:

CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}:
/scratch/ohsoam/install/SSPI_wiki/NetPointSecuProvForWeblogic/oblix/lib
/wlNetPoint.jar:/scratch/ohsoam/install/SSPI_wiki/NetPointSecuProvForWeblogic
/oblix/lib/bcprov-jdk14-125.jar:/scratch/ohsoam/install/SSPI_wiki
/NetPointSecuProvForWeblogic/oblix/lib/xerces.jar:/scratch/ohsoam/install
/SSPI_wiki/NetPointSecuProvForWeblogic/oblix/lib/jobaccess.jar"

to

CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}:
/scratch/ohsoam/install/SSPI_wiki/NetPointSecuProvForWeblogic/oblix/lib
/wlNetPoint.jar:/scratch/ohsoam/install/SSPI_wiki/NetPointSecuProvForWeblogic
/oblix/lib/bcprov-jdk14-125.jar:/scratch/ohsoam/install/SSPI_wiki
/NetPointSecuProvForWeblogic/oblix/lib/jobaccess.jar"

2.2 Configuring Oracle WebCenter Discussions for Single Sign-On

This section describes how to configure LDAP for user identity management and single sign-on (SSO) for Oracle WebCenter Discussions applications. Perform the steps in this section after you have successfully deployed and configured the Oracle WebCenter Discussions application.

Oracle suggests using LDAP for user identity in Oracle WebCenter Discussions. Section 2.2.1 describes LDAP setup.

SSO integration requires deploying custom classes to override the standard authentication scheme to route the authentication through Oracle Access Manager. Section 2.2.2 describes SSO configuration.

2.2.1 Using the LDAP User Identity Store

By default, the discussions server uses its own database tables for user identity management. If you use SSO for user authentication, then Oracle recommends using the LDAP-based Oracle Internet Directory server instead. This avoids managing the same user identities in both the SSO server and the discussions server.

When using LDAP-Oracle Internet Directory for user identity management in the discussions server, all user management tasks (such as creating, updating, or deleting user profiles) must be done in the LDAP-Oracle Internet Directory server.

To use LDAP as the user identity store, follow the instructions in the Jive Administration Guide. Also, if you already have a Jive setup, you must follow the corresponding section in Jive Administration Guide to rerun the setup tool.

For more information about setting up and using LDAP, see $unzipped_dir\jive_forums_silver_5_5_20_oracle\documentation\ldap.html.

The following section describes how to configure LDAP-Oracle Internet Directory for user identity.

Jive Forums Setup

On the Setup Progress -> Install Checklist -> Datasource Settings -> User System page, select LDAP. (Figure 2-22)


Note:

In the Jive Forums Setup, on the Setup Progress -> Install Checklist -> Datasource Settings page, it is a known issue that the fields are prepopulated only on Internet Explorer 7 and Firefox 3.

Then, specify the LDAP-specific information. (Figure 2-23) For example:

  • LDAP Host: host.oracle.com

  • LDAP Port: 389

  • Base DN: cn=Users,dc=us,dc=oracle,dc=com

  • Admin DN: cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com

  • Admin Password: welcome1

After the email configuration screen, Jive gives you the option to select LDAP User Data Storage Mode. If you do not want to change the LDAP schema, then select the first option: LDAP and User Database. Provide the administrative user ID, as shown in Figure 2-24.

The admin user specified in the previous step will be created as the system administrator in Jive; that is, orcladmin. (If you are re-running the setup tool to change the user identity store to LDAP, then you need to restart your discussions server after the LDAP setup is done.) To log on as that user, first configure single sign-on in Oracle WebCenter Discussions, as described in the next section.


Notes:

The following are known issues with email settings:
  • If a user attribute is changed but the change is not visible, then clear the user cache from the Admin UI. For information on how to do this, see the Jive Administration Guide.

  • SSL-enabled email settings for Outgoing and Incoming mail in Jive are not supported if the mail server uses SSL.


2.2.2 Configuring SSO in Oracle WebCenter Discussions

Configuring SSO in Oracle WebCenter Discussions requires replacing the default AuthFactory class with OracleSSOAuthFactory. This AuthFactory implementation performs SSO authentication based on two values in the request. First, it checks HttpServletRequest.getRemoteUser for the logged-in user name. If that is null, it falls back to HttpServletRequest.getHeader("SSO_USER") to obtain the user name.

In addition, some of the seeded actions must be replaced so that they perform SSO redirection instead of local database authentication. This involves updating the xwork-community.xml file to change a few action classes for user login and logout, and the filter classes for presence and administration.

Finally, to complete the integration, you must edit web.xml. You may also want to change the system property jiveURL in the discussions server to point to the SSO URL.

2.2.2.1 Configuring SSO within the Jive Forums Admin Console

  1. Access the Jive Admin (Oracle WebCenter Discussions) administration interface using the following URL:

    http://host:port/owc_discussions/admin/

    When using LDAP for user identity, log on with the specified LDAP user's credentials to be the Jive administrator.

    The Admin Console appears (Figure 2-25).

  2. Set the necessary system properties. From the Forums System list, click System Properties (Figure 2-26) and scroll to the bottom of the page, where you should see the Add new property section.

  3. Add or update the property with the name AuthFactory.className and the value oracle.jive.sso.OracleSSOAuthFactory. (The default value is AuthFactory.className = com.jivesoftware.base.ldap.LdapAuthFactory.) Then click Save Property (Figure 2-27).

2.2.2.2 Running deploy-discussions-sso.jar to Complete SSO Configuration

To complete the SSO setup process, you must modify some configuration files. The recommended way to make these modifications is to run deploy-discussions-sso.jar, which is included with this release. The deploy-discussions-sso.jar file configures web.xml, xwork-community.xml (in jiveforums-<version>.jar), and jive_startup.xml, and it unzips oracle-jive-sso.zip.

Oracle recommends using the deploy tool deploy-discussions-sso.jar, because it reduces the risk of manual errors in the configuration files. It also automatically backs up the previous versions of your configurations files, which can be useful if you later undeploy the SSO configuration and return to your previous configuration.


Note:

This will not work properly if the machine running the deploy-discussions-sso.jar does not have access to the internet or if the proxy is set up incorrectly. To perform this process manually, follow the steps in Section 2.2.2.3, "Manually Completing Single Sign-On Configuration".

To run deploy-discussions-sso.jar, perform the following steps:

  1. Copy deploy-discussions-sso.jar and oracle-discussions-sso.zip to $WLS_HOME/user_projects/domains/<domain_name>/owc_discussions.

  2. Ensure that you have JDK 1.6 in your PATH variable. If not, then set PATH to point to the JDK 1.6 found in $WLS_HOME/jdk160_05/bin.

  3. From WebLogic Server console, stop the Oracle WebCenter Discussions application.

  4. Run the following command from $WLS_HOME/user_projects/domains/<domain_name>/owc_discussions:

    java -client -Dhttp.proxyHost=<proxy_host> -Dhttp.proxyPort=<proxy_port>
    -jar deploy-discussions-sso.jar jive_version=5.5.20-oracle
    

    For example:

    java -client -Dhttp.proxyHost=www-myproxy.mycomp.com -Dhttp.proxyPort=80
    -jar deploy-discussions-sso.jar jive_version=5.5.20-oracle
    

    Note:

    The proxy server and port are necessary to access the internet from the machine running this script. If the machine does not need proxy server and port to connect to internet, then you do not need to provide these values.

    To undeploy, you must reset AuthFactory.className to com.jivesoftware.base.ldap.LdapAuthFactory (from the Jive Forums Admin Console), stop the managed server on which Oracle WebCenter Discussions is deployed, and then run the following command from $WLS_HOME/user_projects/domains/owc_discussions:

    java -client -Dhttp.proxyHost=<proxy_host> -Dhttp.proxyPort=<proxy_port>
    -jar deploy-discussions-sso.jar jive_version=5.5.20-oracle undeploy=true
    

    For example:

    java -client -Dhttp.proxyHost=www-myproxy.mycomp.com -Dhttp.proxyPort=80
    -jar deploy-discussions-sso.jar jive_version=5.5.20-oracle undeploy=true
    
  5. Restart the managed server on which Oracle WebCenter Discussions is deployed, then start the WebLogic Server.

When you run the command to deploy, the tool prompts you for the full path to your jiveHome directory. Enter the path that you used when you set up the jiveHome directory according to the instructions in owc_discussions\jive_forums_silver_5_5_20_oracle\documentation\install-guide.html.

You can also use the Jive Forums Admin Console to create and manage categories, forums, users, and groups (when using Jive database for user identity). For more information, see the Jive Forums Administrator's Guide ( forums-admin-guide.pdf) on the companion CD.

2.2.2.3 Manually Completing Single Sign-On Configuration

As an alternative to running deploy-discussions-sso.jar, you can manually perform the following steps:

  1. The SSO-related files are available in the oracle-discussions-sso.zip file on the companion CD. Unzip the file into $WLS_HOME/user_projects/domains/owc_discussions.

  2. Stop the WebLogic Server.

  3. Extract xwork-community.xml from $WLS_HOME/user_projects/domains/owc_discussions/WEB-INF/lib/jiveforums-5.5.20-oracle.jar. To extract the file, run the following command:

    jar xvf jiveforums-5.5.20-oracle.jar xwork-community.xml 
    

    Note:

    For the jar commands in these steps, Oracle recommends using the jar executable located in $MWHOME/jdk160_05/bin/java.

  4. Open xwork-community.xml in a text editor and modify all of the log on/log off actions between the <!-- Base actions --> and <!--Default skin --> tags. The XML snippet that replaces these action classes is available in the WEB-INF/sso-action-classes.xml file:

    The entries in the file are given below:

            <action name="login" class="oracle.jive.sso.actions.SSOLoginAction">
                <result name="input">loginform.jsp</result>
                <result name="success" type="redirect">${#attr['jive.login.successURL']}</result>
                <result name="cancel" type="redirect">${#attr['jive.login.cancelURL']}</result>
                <result name="error">loginform.jsp</result>
                <result name="newaccount" type="redirect">account!input.jspa?username=${username}</result>
                <result name="fatal" type="redirect">index.jsp</result>
                <result name="success-no-redirect" type="chain">index</result>
                <result name="create-account" type="chain">create-account</result>
                <result name="cancel-no-redirect" type="chain">index</result>
            </action>
     
            <action name="login-default" class="oracle.jive.sso.actions.SSOLoginAction" method="default">
                <result name="input">loginform.jsp</result>
                <result name="success" type="redirect">${#attr['jive.login.successURL']}</result>
                <result name="cancel" type="redirect">${#attr['jive.login.cancelURL']}</result>
                <result name="error">loginform.jsp</result>
                <result name="newaccount" type="redirect">account!input.jspa?username=${username}</result>
                <result name="fatal" type="redirect">index.jsp</result>
                <result name="success-no-redirect" type="chain">index</result>
                <result name="create-account" type="chain">create-account</result>
                <result name="cancel-no-redirect" type="chain">index</result>
            </action>
            <action name="login-withRedirect" class="oracle.jive.sso.actions.SSOLoginAction" method="withRedirect">
                <result name="input">loginform.jsp</result>
                <result name="success" type="redirect">${#attr['jive.login.successURL']}</result>
                <result name="cancel" type="redirect">${#attr['jive.login.cancelURL']}</result>
                <result name="error">loginform.jsp</result>
                <result name="newaccount" type="redirect">account!input.jspa?username=${username}</result>
                <result name="fatal" type="redirect">index.jsp</result>
                <result name="success-no-redirect" type="chain">index</result>
                <result name="create-account" type="chain">create-account</result>
                <result name="cancel-no-redirect" type="chain">index</result>
            </action>
     
            <action name="logout" class="oracle.jive.sso.actions.SSOLogoutAction">
                <result name="success" type="redirect">logout-success.jspa</result>
                <result name="error">error.jsp</result>
            </action>
     
            <action name="logout-success" class="oracle.jive.sso.actions.SSOLogoutAction" method="input">
                <result name="success">logout-success.jsp</result>
            </action>
    
  5. Save the file, and run the following command to copy it back into the jar file:

    jar uvf jiveforums-5.5.20-oracle.jar xwork-community.xml
    
  6. Make a backup of web.xml in $WLS_HOME/user_projects/domains/owc_discussions/WEB-INF.

  7. To configure SSO with the Oracle WebCenter Discussions application, modify the web.xml file:

    1. Modify AdminActionFilter and PresenceFilter in the web.xml file as shown in the following example to override the Java SSO integration. If these filters are not present already, then you must create them.

      <filter>
        <filter-name>AdminActionFilter</filter-name>
        <filter-class>
          oracle.jive.sso.actions.SSOAdminActionFilter
        </filter-class>
      </filter>
      <filter>
        <filter-name>PresenceFilter</filter-name>
        <filter-class>
          oracle.jive.sso.actions.SSOPresenceFilter
        </filter-class>
      </filter>
      
    2. At the beginning of the web.xml file, after the <web-app> tag, insert the following lines:

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>sample</web-resource-name>
            <url-pattern>/owc_discussions</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>valid-users</role-name>
          </auth-constraint>
        </security-constraint>
        <login-config>
          <auth-method>CLIENT-CERT</auth-method>
          <realm-name>myrealm</realm-name>
        </login-config>
      
  8. Set admin.tryAlternativeLogin in jiveHome/jive_startup.xml by adding the following lines somewhere before the </jive> tag:

    <admin>
      <tryAlternativeLogin>true</tryAlternativeLogin>
    </admin>
    
  9. To complete the configuration, start Oracle WebLogic Server and the managed server on which Oracle WebCenter Discussions is deployed.
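The following script is an added example, not part of Oracle's documentation or its deploy tool: it parses the three files edited in steps 4, 7 and 8 and lists every SSO setting that is still missing, so you can confirm the manual configuration before starting the servers. The file contents at the bottom are constructed samples; the script assumes web.xml may declare a default xmlns and that the filter-class values may be padded with whitespace, as in the snippet above.

```python
"""Added check (not Oracle's deploy tool): parse xwork-community.xml, web.xml and
jive_startup.xml and list every SSO setting from the steps above that is missing."""
import xml.etree.ElementTree as ET

SSO = "oracle.jive.sso.actions."
SSO_ACTIONS = {"login": "SSOLoginAction", "login-default": "SSOLoginAction",
               "login-withRedirect": "SSOLoginAction",
               "logout": "SSOLogoutAction", "logout-success": "SSOLogoutAction"}

def elems(root, name):
    # Compare local names: web.xml usually declares a default xmlns, so ElementTree prefixes tags with "{uri}".
    return [e for e in root.iter() if e.tag.split("}")[-1] == name]

def text(root, name):
    # Stripped text of the first match; the filter-class values above are padded with newlines and spaces.
    found = elems(root, name)
    return (found[0].text or "").strip() if found else ""

def check_sso_config(xwork_xml, web_xml, startup_xml):
    """Return a list of problems; an empty list means the configuration is complete."""
    problems = []
    actions = {a.get("name"): a.get("class") for a in elems(ET.fromstring(xwork_xml), "action")}
    for name, cls in SSO_ACTIONS.items():
        if actions.get(name) != SSO + cls:
            problems.append(f"xwork-community.xml: action '{name}' is not {cls}")
    web = ET.fromstring(web_xml)
    filters = {text(f, "filter-name"): text(f, "filter-class") for f in elems(web, "filter")}
    for name in ("AdminActionFilter", "PresenceFilter"):  # SSO classes are "SSO" + filter name
        if filters.get(name) != SSO + "SSO" + name:
            problems.append(f"web.xml: filter '{name}' is not SSO{name}")
    if "valid-users" not in [text(c, "role-name") for c in elems(web, "security-constraint")]:
        problems.append("web.xml: no security-constraint requiring role valid-users")
    if text(web, "auth-method") != "CLIENT-CERT":
        problems.append("web.xml: login-config auth-method is not CLIENT-CERT")
    if text(ET.fromstring(startup_xml), "tryAlternativeLogin").lower() != "true":
        problems.append("jive_startup.xml: admin.tryAlternativeLogin is not true")
    return problems

# Constructed samples: web.xml and jive_startup.xml done; xwork-community.xml with only the login actions replaced.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<filter><filter-name>AdminActionFilter</filter-name><filter-class>
  oracle.jive.sso.actions.SSOAdminActionFilter </filter-class></filter>
<filter><filter-name>PresenceFilter</filter-name><filter-class>oracle.jive.sso.actions.SSOPresenceFilter</filter-class></filter>
<security-constraint><auth-constraint><role-name>valid-users</role-name></auth-constraint></security-constraint>
<login-config><auth-method>CLIENT-CERT</auth-method><realm-name>myrealm</realm-name></login-config></web-app>"""
STARTUP_XML = "<jive><admin><tryAlternativeLogin>true</tryAlternativeLogin></admin></jive>"
XWORK_XML = """<xwork><package name="community"><action name="login" class="oracle.jive.sso.actions.SSOLoginAction"/>
<action name="login-default" class="oracle.jive.sso.actions.SSOLoginAction" method="default"/>
<action name="login-withRedirect" class="oracle.jive.sso.actions.SSOLoginAction" method="withRedirect"/></package></xwork>"""
```

Run it against the real files by reading them into the three arguments; the sample run reports the two logout actions that step 4 left unchanged.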


Copyright © 2007, 2009, Oracle and/or its affiliates. All rights reserved.
Legal Notices