
Enable SSL on the HTTP Server


Before starting this exercise, it is a good idea to obtain a digital certificate for the "orcladmin" user in the default realm. This will enable you to continue managing your realm using DAS immediately after this exercise.

Open your browser to the following URL:

https://hostname.domain.com:4400/oca/user

Substitute your own OCA FQDN and port number.

On the page that follows, select "Use your OracleAS Single Sign-On name and password", then click on the "Submit" button.

On the page that follows click on the "Get Certificate" button.

On the page that follows select your "Certificate Key Size" and then click on the "Submit" button.

On the page that follows click on the "Import to Browser" button to upload the new user certificate into your browser.

Watch a viewlet to see how it's done.


SSL enabling the HTTP Server

The following steps involve configuring the Oracle HTTP Server for SSL. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:

You must configure SSL on the computer where the single sign-on middle tier is running.

You are configuring one-way SSL.

You may enable SSL for simple network encryption; PKI authentication is not required.

Editing the "opmn.xml" file

The first step requires modifying the "opmn.xml" file.

Make a backup copy of your $ORACLE_HOME/opmn/conf/opmn.xml file.

There are two ways to modify this file: EM Application Server Control and manual edit.

EM Application Server Control edit of the "opmn.xml" file (Recommended method)

Editing the configuration files with the EM Application Server Control gives you the ability to easily revert back to old configurations should you change your mind. More importantly, you will not have to manually run the dcmctl command to update the Distributed Configuration Management (DCM) every time you make a change to a configuration file.

In a browser, navigate to the EM Application Server Control URL.

Example:

http://aspen.us.oracle.com:1810

At the bottom of the page, click the link that reads "Process Management".

In the "opmn.xml" file, change the value for the "HTTP_Server" "start-mode" to "ssl-enabled".

Click the "Apply" button after finishing your edit.

After you apply your edit to the "opmn.xml" file, reload the "Process Management" program (OPMN) by entering the following command at the command prompt.

Example:

# opmnctl reload


Manual edit of the "opmn.xml" file (Not Recommended)

If you decide to manually edit this file without the EM Application Server Control you will have to manually update the Distributed Configuration Management (DCM) at the end of this procedure in order to make the changes permanent.

Open the file "opmn.xml" in a text editor.

In this file, search for the line that contains <ias-component id="HTTP_Server".

Four lines below this line you will see a line that reads:

<data id="start-mode" value="ssl-disabled"/>

Change this line to read:

<data id="start-mode" value="ssl-enabled"/>

Save your changes and exit the editor.

Update the DCM.

Example:

# dcmctl updateconfig -ct opmn

Reload the modified opmn configuration file.

Example:

$ORACLE_HOME/opmn/bin/opmnctl reload


Note: Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default; if you have not disabled it, this step requires no action.
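As an added example (not part of the tutorial and not Oracle's code), the manual "opmn.xml" edit above as a shell helper that limits the change to the HTTP_Server component, keeps a backup, and reads the value back before reporting success. It assumes the component is bracketed by `<ias-component id="HTTP_Server">` and `</ias-component>`; the sample file it writes is constructed for offline runs.

```shell
# Added example, not from the tutorial or from Oracle: switch the HTTP_Server
# component's start-mode in opmn.xml from the shell and verify the result.
# Assumption: the component is delimited by <ias-component id="HTTP_Server">
# ... </ias-component>; sed is limited to that range so any other component
# carrying a start-mode line is left alone.

# get_http_server_start_mode FILE: print the current HTTP_Server start-mode.
get_http_server_start_mode() {
  sed -n '/<ias-component id="HTTP_Server"/,/<\/ias-component>/ s/.*<data id="start-mode" value="\([^"]*\)".*/\1/p' "$1"
}

# set_http_server_start_mode FILE MODE  (MODE: ssl-enabled | ssl-disabled)
# Backs FILE up to FILE.bak, rewrites the value in place, and returns 0 only
# if the file now reads back with the requested mode.
set_http_server_start_mode() {
  file=$1; mode=$2
  case "$mode" in
    ssl-enabled|ssl-disabled) ;;
    *) echo "unknown start-mode: $mode" >&2; return 2 ;;
  esac
  cp "$file" "$file.bak" || return 1
  sed '/<ias-component id="HTTP_Server"/,/<\/ias-component>/ s/\(<data id="start-mode" value="\)[^"]*"/\1'"$mode"'"/' \
    "$file.bak" > "$file" || return 1
  [ "$(get_http_server_start_mode "$file")" = "$mode" ]
}

# write_sample_opmn FILE: a constructed, minimal opmn.xml for offline runs;
# the second component is invented only to show the edit is scoped.
write_sample_opmn() {
  cat > "$1" <<'EOF'
<opmn>
 <ias-component id="HTTP_Server">
  <process-type id="HTTP_Server" module-id="OHS">
   <data id="start-mode" value="ssl-disabled"/>
  </process-type>
 </ias-component>
 <ias-component id="other_component">
  <process-type id="other" module-id="X">
   <data id="start-mode" value="ssl-disabled"/>
  </process-type>
 </ias-component>
</opmn>
EOF
}
```

On a real middle tier, run `set_http_server_start_mode $ORACLE_HOME/opmn/conf/opmn.xml ssl-enabled` and then the `dcmctl updateconfig -ct opmn` and `opmnctl reload` steps exactly as described above.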

Apply the mod_rewrite rules to the SSL configuration

Make a backup copy of your $ORACLE_HOME/Apache/Apache/conf/ssl.conf file.

There are two ways to modify this file: EM Application Server Control and manual edit.

EM Application Server Control edit of the "ssl.conf" file (Recommended method)

Editing the configuration files with the EM Application Server Control gives you the ability to easily revert back to old configurations should you change your mind. More importantly, you will not have to manually run the dcmctl command to update the Distributed Configuration Management (DCM) every time you make a change to a configuration file.

In a browser, navigate to the EM Application Server Control URL.

Example:

http://aspen.us.oracle.com:1810

Click on the "HTTP_Server" link in the "System Components" section.

On the page that follows click on the "Administration" link at the top of the page.

On the page that follows click on the "Advanced Server Properties" link.

In the list of files that follows click on the "ssl.conf" link.

Find the "VirtualHost" closing tag. It will look like this:

</VirtualHost>

Open a new line above this </VirtualHost> closing tag and enter the following directives:

RewriteEngine on

RewriteOptions inherit

In this same file find the line that reads "#SSLVerifyClient require".

Take out the comment at the beginning of the line and change "require" to "optional".

Example:

SSLVerifyClient optional

Click the "Apply" button after finishing your edit.

Configuring the wallet location

The default location, or path, of the server wallet file is:

$ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.

If OracleAS Certificate Authority is installed in the same Oracle home as OracleAS Single Sign-On, and you want to use this CA to issue certificates, the wallet file location needs to be changed to:

$ORACLE_HOME/oca/wallet/ssl

Note that the value is the directory where the wallet is located, not the name of the wallet file itself.

Change the "SSLWallet file" value to $ORACLE_HOME/oca/wallet/ssl

Note: The actual location of the Oracle home must be substituted for the variable $ORACLE_HOME.

Find the

You will be prompted to restart the HTTP Server. Make sure you select "Yes" to restart the HTTP Server.


Manual edit of the "ssl.conf" file (Not Recommended)

If you decide to manually edit this file without the EM Application Server Control you will have to manually update the Distributed Configuration Management (DCM) at the end of this procedure in order to make the changes permanent.

Change directory to $ORACLE_HOME/Apache/Apache/conf.

Make a backup copy of the "ssl.conf" file.

Open the "ssl.conf" file in an editor.

In this file, search for the "VirtualHost" closing tag. It will look like this:

</VirtualHost>

On the line above this tag, enter the following directives:

RewriteEngine on

RewriteOptions inherit

In this same file find the line that reads "#SSLVerifyClient require".

Take out the comment at the beginning of the line and change "require" to "optional".

Example:

SSLVerifyClient optional

Configuring the wallet location

The default location, or path, of the server wallet file is:

$ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.

If OracleAS Certificate Authority is installed in the same Oracle home as OracleAS Single Sign-On, and you want to use this CA to issue certificates, the wallet file location needs to be changed to:

$ORACLE_HOME/oca/wallet/ssl

Note that the value is the directory where the wallet is located, not the name of the wallet file itself.

Change the "SSLWallet file" value to $ORACLE_HOME/oca/wallet/ssl

Note: The actual location of the Oracle home must be substituted for the variable $ORACLE_HOME.

Save the file and quit the editor.

Run the following commands to update the DCM:

dcmctl updateconfig -co OC4J_SECURITY

dcmctl updateconfig -ct ohs


Restart OC4J_SECURITY and the HTTP server.

opmnctl restartproc process-type=OC4J_SECURITY

opmnctl restartproc process-type=HTTP_Server

Watch a viewlet to see how it's done.
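As an added example (not part of the tutorial and not Oracle's code) covering the "ssl.conf" edits in both the EM and manual variants above: a shell check that the two rewrite directives sit inside the SSL virtual host, that SSLVerifyClient is uncommented and set to optional, and that the wallet directive names a directory with the Oracle home written out. It assumes the virtual host is the `<VirtualHost` ... `</VirtualHost>` block and that the wallet directive has the form `SSLWallet file:<directory>`; the sample files are constructed.

```shell
# Added example, not from the tutorial or from Oracle: check that an ssl.conf
# carries the edits described above. Assumptions: the SSL virtual host is the
# block between "<VirtualHost" and "</VirtualHost>", and the wallet directive
# has the form "SSLWallet file:<directory>" (the tutorial names it only as
# the "SSLWallet file" value).

# check_ssl_conf FILE: prints one line per problem; returns the problem count.
check_ssl_conf() {
  f=$1; problems=0
  # Virtual-host directives with commented-out lines dropped, so a line that
  # still reads "#SSLVerifyClient require" does not count as set.
  vh=$(sed -n '/^<VirtualHost/,/^<\/VirtualHost>/p' "$f" | grep -v '^[[:space:]]*#' || true)
  echo "$vh" | grep -Eiq '^[[:space:]]*RewriteEngine[[:space:]]+on[[:space:]]*$' \
    || { echo "missing inside VirtualHost: RewriteEngine on"; problems=$((problems+1)); }
  echo "$vh" | grep -Eiq '^[[:space:]]*RewriteOptions[[:space:]]+inherit[[:space:]]*$' \
    || { echo "missing inside VirtualHost: RewriteOptions inherit"; problems=$((problems+1)); }
  echo "$vh" | grep -Eiq '^[[:space:]]*SSLVerifyClient[[:space:]]+optional[[:space:]]*$' \
    || { echo "SSLVerifyClient is not 'optional' (still commented out, or still 'require')"; problems=$((problems+1)); }
  # The wallet value must be the wallet directory, with the Oracle home
  # written out: the server does not expand $ORACLE_HOME for you.
  wallet=$(echo "$vh" | sed -n 's/^[[:space:]]*SSLWallet[[:space:]]*file:\([^[:space:]]*\).*/\1/p' | head -n 1)
  case "$wallet" in
    "") echo "no 'SSLWallet file:' directive inside VirtualHost"; problems=$((problems+1)) ;;
    *ORACLE_HOME*) echo "SSLWallet still contains the unexpanded ORACLE_HOME variable: $wallet"; problems=$((problems+1)) ;;
    *) if [ -e "$wallet" ] && [ ! -d "$wallet" ]; then echo "SSLWallet must name the wallet directory, not a file: $wallet"; problems=$((problems+1)); fi ;;
  esac
  return $problems
}

# write_sample_ssl_conf FILE STATE: constructed minimal ssl.conf, with STATE
# "before" (as installed) or "after" (edited as described above).
write_sample_ssl_conf() {
  if [ "$2" = after ]; then
    rw1="RewriteEngine on"; rw2="RewriteOptions inherit"; vc="SSLVerifyClient optional"
    wl="SSLWallet file:/u01/app/oracle/infra/oca/wallet/ssl"
  else
    rw1=""; rw2=""; vc="#SSLVerifyClient require"
    wl='SSLWallet file:$ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default'
  fi
  printf '%s\n' "Listen 4443" "<VirtualHost _default_:4443>" "SSLEngine on" \
    "$wl" "$vc" "$rw1" "$rw2" "</VirtualHost>" > "$1"
}
```

Run `check_ssl_conf $ORACLE_HOME/Apache/Apache/conf/ssl.conf` after editing and before the DCM update and restart; a non-zero return lists what is still missing.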


Reconfigure the Identity Management Infrastructure Database

Change all references of "http" in the single sign-on URLs to "https" within the identity management infrastructure database. The ssocfg script is provided for this purpose. Be sure to enter the command on the computer where the single sign-on middle tier is located.

Example:

UNIX:

$ORACLE_HOME/sso/bin/ssocfg.sh protocol host port

Windows NT/2000:

%ORACLE_HOME%\sso\bin\ssocfg.bat protocol host port

In this case, the protocol is https. To change back to HTTP, use http. The host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.

Example:

ssocfg.sh https login.acme.com 4443

To determine the correct port number, examine the ssl.conf file at $ORACLE_HOME/Apache/Apache/conf.

Port 4443 is the SSL port number that the OracleAS installer assigns during installation.

If ssocfg runs successfully, the script returns status 0.


Update targets.xml

After running ssocfg, update the targets.xml file on the single sign-on middle tier.

1. Back up the file: cp $ORACLE_HOME/sysman/emd/targets.xml $ORACLE_HOME/sysman/emd/targets.xml.backup

2. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:

* HTTPMachine—the server host name

* HTTPPort—the server port number

* HTTPProtocol—the server protocol

If, for example, you run ssocfg like this:

$ORACLE_HOME/sso/bin/ssocfg.sh https sso.mydomain.com 4443

Update the three attributes this way:

<Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>

<Property NAME="HTTPPort" VALUE="4443"/>

<Property NAME="HTTPProtocol" VALUE="HTTPS"/>

3. Save and close the file.

4. Reload the OracleAS console:

$ORACLE_HOME/bin/emctl reload
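As an added example (not part of the tutorial and not Oracle's code), the targets.xml update above driven by the same protocol, host and port that were passed to ssocfg, so the three properties cannot drift from the ssocfg call. It assumes the SSO target is the block from a line containing `TYPE="oracle_sso_server"` to the next `</Target>`, and that HTTPProtocol is stored upper-case as in the sample above; the sample file is constructed.

```shell
# Added example, not from the tutorial or from Oracle: push the protocol,
# host and port given to ssocfg into the oracle_sso_server target of
# targets.xml, so the three properties cannot drift from the ssocfg call.
# Assumptions: the target is the block from a line containing
# TYPE="oracle_sso_server" to the next </Target>, and HTTPProtocol is stored
# upper-case, as in the tutorial's sample (VALUE="HTTP").

# sso_target_prop FILE NAME: print the VALUE of that property in the target.
sso_target_prop() {
  sed -n '/TYPE="oracle_sso_server"/,/<\/Target>/ s/.*NAME="'"$2"'" VALUE="\([^"]*\)".*/\1/p' "$1"
}

# sync_sso_target FILE PROTOCOL HOST PORT: the same arguments as ssocfg.
# Backs FILE up to FILE.bak; returns 0 only when all three values read back.
sync_sso_target() {
  file=$1; proto=$2; host=$3; port=$4
  case "$proto" in http|https) ;; *) echo "protocol must be http or https" >&2; return 2 ;; esac
  case "$port" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;; esac
  upper=$(echo "$proto" | tr 'a-z' 'A-Z')
  cp "$file" "$file.bak" || return 1
  # One pass limited to the SSO target, so other targets keep their values.
  sed '/TYPE="oracle_sso_server"/,/<\/Target>/ {
    s/\(NAME="HTTPMachine" VALUE="\)[^"]*"/\1'"$host"'"/
    s/\(NAME="HTTPPort" VALUE="\)[^"]*"/\1'"$port"'"/
    s/\(NAME="HTTPProtocol" VALUE="\)[^"]*"/\1'"$upper"'"/
  }' "$file.bak" > "$file" || return 1
  [ "$(sso_target_prop "$file" HTTPMachine)" = "$host" ] &&
  [ "$(sso_target_prop "$file" HTTPPort)" = "$port" ] &&
  [ "$(sso_target_prop "$file" HTTPProtocol)" = "$upper" ]
}

# write_sample_targets FILE: constructed targets.xml holding the pre-SSL
# values from the tutorial; the second target only shows the edit is scoped.
write_sample_targets() {
  cat > "$1" <<'EOF'
<Targets>
 <Target TYPE="oracle_sso_server" NAME="sso_example">
  <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
  <Property NAME="HTTPPort" VALUE="80"/>
  <Property NAME="HTTPProtocol" VALUE="HTTP"/>
 </Target>
 <Target TYPE="oracle_other" NAME="other_example">
  <Property NAME="HTTPPort" VALUE="80"/>
 </Target>
</Targets>
EOF
}
```

On the middle tier, call `sync_sso_target $ORACLE_HOME/sysman/emd/targets.xml https sso.mydomain.com 4443` with the exact ssocfg arguments, then run `emctl reload` as described above.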


Reconfigure Logout for the Administration Application

Perform these steps to ensure that the administration application is correctly deleted when you log out of partner applications.

1. Obtain the password for the single sign-on schema (orasso).

Start the Oracle Directory Manager.

Log in to ODM as "orcladmin".

Navigate through the DIT to the following entry starting at "Entry Management":

cn=OracleContext

cn=Products

cn=IAS

cn=IAS Infrastructure Database

orclReferenceName=<db_sid_name.domain.com>

OrclResourceName=ORASSO

In this entry you should see an attribute called "orclpasswordattribute". The value in this attribute is the "orasso" database schema password. Remember it as you will need it in the next step.

2. Connect to the Oracle identity management database as the orasso schema:

Example:

sqlplus orasso/password

3. Run these SQL*Plus commands:

SQL> update orasso.wwctx_cookie_info$ set secure='N';

SQL> commit;

Update the DCM

Example:

dcmctl updateconfig -v -d

Watch a viewlet to see how it's done.
