Single Sign-On in Oracle9iAS using JAAS Provider and digital certificates

Overview of the Sample Application 

Oracle9iAS Single Sign-On is a component of Oracle9i Application Server (Oracle9iAS) that lets users log in to all features of Oracle9iAS, and to other Web applications, by signing in only once. This sample application demonstrates signing in to a Web application protected by the SSO server with a digital certificate, using JAZN, Oracle's implementation of the Java Authentication and Authorization Service (JAAS).

The SSO server identifies users who have already been authenticated by an encrypted login cookie. The cookie is passed to the client Web browser over an SSL channel, and partner applications accept it as proof of authentication so the user is not asked to sign in again. Because whoever holds the cookie is treated as the authenticated user, it must only travel over SSL and must be checked by the application for integrity and expiry rather than trusted on sight.
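The checks a partner application has to make on such a login cookie, as an added example in Python. This is not Oracle's cookie format or code: Oracle9iAS SSO encrypts its cookie, while this stand-in only signs it with HMAC-SHA256 (the Python standard library has no authenticated cipher), which is enough to show the two decisions that matter, that the tag verifies under the SSO server's key and that the cookie is inside its validity window. The key, the field names and the eight-hour lifetime are assumptions.

```python
"""Added example: an integrity-protected SSO login cookie (not Oracle's format).

The SSO server issues the cookie after authenticating the user; a partner
application verifies it before treating the request as authenticated.
Key, field names and TTL are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url_encode(raw: bytes) -> str:
    # unpadded URL-safe base64: cookie-safe characters, no '.' so it can be a separator
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_login_cookie(key: bytes, username: str, auth_method: str,
                       now: int, ttl: int = 8 * 3600) -> str:
    """SSO server side: bind the authenticated user, how they authenticated and
    a validity window into one value, then MAC it under the SSO key."""
    payload = {
        "sub": username,        # SSO username the certificate was mapped to
        "amr": auth_method,     # e.g. "x509" vs "password"; applications may care
        "iat": now,
        "exp": now + ttl,
        "nonce": secrets.token_hex(8),  # makes every issued cookie distinct
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(tag)


def verify_login_cookie(key: bytes, cookie: str, now: int):
    """Partner application side: return the payload if the cookie is authentic
    and currently valid, otherwise None (the user is then sent back to the SSO
    server to sign in)."""
    try:
        body_b64, tag_b64 = cookie.split(".")
        body, tag = b64url_decode(body_b64), b64url_decode(tag_b64)
    except ValueError:          # wrong shape or undecodable base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    try:
        payload = json.loads(body)
        if not (int(payload["iat"]) <= now < int(payload["exp"])):
            return None         # expired, or issued in the future
    except (ValueError, KeyError, TypeError):
        return None
    return payload


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # assumption: shared by the SSO server and partner apps
    c = issue_login_cookie(key, "jsmith", "x509", now=1_000_000)
    print(verify_login_cookie(key, c, now=1_000_100)["sub"])        # jsmith
    print(verify_login_cookie(key, c, now=1_000_000 + 9 * 3600))    # None: expired
```

The body is authenticated but readable, so nothing secret may be placed in it; that is the gap an encrypted cookie like the real SSO server's closes on top of what is shown here.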

Java Authentication and Authorization Service (JAAS) is a Java package that enables services to authenticate users and enforce access controls on them. Authentication verifies the identity of the user or entity that is to be granted access to computer resources. Once the user is authenticated, the authorization process begins: authorization grants resource-specific privileges to the user (for example, inserting a row into a database table or write permission on a file).

The Oracle JAAS provider implements JAAS to support user authentication, authorization and JAAS policies. It supports two kinds of repository, referred to as provider types, for secure, centralized storage, retrieval and administration of provider data. This data consists of realm information (users and roles) and JAAS policy information (permissions). The two provider types are:
1. The XML-based provider type, where user information is stored in XML files.
2. The LDAP-based provider type, where user information is stored in an LDAP directory such as Oracle Internet Directory (OID).

The JAAS provider supports three authentication environments: basic authentication, single sign-on and SSL.
This sample illustrates the single sign-on authentication mechanism with the LDAP-based provider type.

The sample consists of a Web application that requires the user to log in. The application is an office store from which the user can order items. It is deployed to OC4J in Oracle9iAS. OC4J integrates with the Oracle9iAS SSO server through JAAS, so the application is protected from unauthorized access by Oracle's JAAS provider, configured with the LDAP-based provider type and the SSO authentication method. When the user accesses the application's home page URL, JAAS redirects him to the SSO server for authentication. The user can authenticate with a username/password pair or with a digital certificate. This sample authenticates the user with a digital certificate, so the user is logged in without supplying a username or password: the SSO server maps the certificate presented by the browser to an SSO username (in this sample by the e-mail address in the certificate), and that username is what the application sees as the authenticated user.
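The certificate-to-user mapping step, as an added illustration in Python. It is not the sample's own PL/SQL mapping module (ssodnmap.pkb) and does not parse DER; it starts from the subject DN as a string, extracts the e-mail attribute, and resolves it against a constructed stand-in for the OID user entries. The security checks it makes are the ones a mapping module needs regardless of language: the certificate must already have been validated by the SSL layer, the subject must carry exactly one e-mail address, and that address must resolve to exactly one user. The DN, directory contents and attribute names are assumptions.

```python
"""Added example (not the sample's ssodnmap.pkb): map a client certificate's
subject DN to an SSO username via the e-mail address in the subject.

The directory entries, the DN and the attribute names are constructed.
"""

# Attribute types under which an e-mail address appears in a subject DN
EMAIL_TYPES = {"E", "EMAIL", "EMAILADDRESS", "1.2.840.113549.1.9.1"}

# Constructed stand-in for OID user entries: (SSO username, mail attribute)
DIRECTORY = [
    ("jsmith", "jsmith@example.com"),
    ("rjones", "rjones@example.com"),
    ("shared1", "helpdesk@example.com"),
    ("shared2", "helpdesk@example.com"),   # two accounts sharing one mail value
]


def parse_dn(dn: str):
    """Split an RFC 2253 DN string into (type, value) pairs.
    Backslash escapes are honoured, so a comma inside a CN does not split
    the RDN; multi-valued RDNs (joined with '+') are not handled."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def cert_email(subject_dn: str):
    """Return the single e-mail address in the subject, lower-cased, or None.
    A subject with no e-mail, or with more than one, is not mapped at all."""
    found = [v for t, v in parse_dn(subject_dn) if t in EMAIL_TYPES]
    if len(found) != 1:
        return None
    return found[0].lower()   # assumption: the mail lookup is case-insensitive


def map_cert_to_sso_user(subject_dn: str, directory, ssl_verified: bool):
    """SSO side: only a certificate the SSL layer already validated against a
    trusted CA may be mapped, and its e-mail must match exactly one user."""
    if not ssl_verified:
        return None
    email = cert_email(subject_dn)
    if email is None:
        return None
    matches = [user for user, mail in directory if mail.lower() == email]
    if len(matches) != 1:      # unknown user, or an ambiguous mapping
        return None
    return matches[0]


if __name__ == "__main__":
    dn = "CN=Smith\\, John,EMAIL=JSmith@Example.com,OU=Sales,O=Example,C=US"
    print(map_cert_to_sso_user(dn, DIRECTORY, ssl_verified=True))   # jsmith
```

Refusing an ambiguous match is deliberate: if two directory entries share a mail value, picking the first would log the certificate holder in as whichever account happens to sort first.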

After a successful login the user can purchase products of his choice and pay with a credit card. The sample uses a Credit Card Web Service to check the validity of the credit card number provided by the user and whether the card has sufficient balance for the purchase. The client sends the credit card number and receives the approval or rejection message over an SSL channel, and it also authenticates itself to the Web service with a digital certificate of its own, so the service accepts requests only from a client presenting a certificate it trusts.

 

Required Software 

  1. Oracle9i Application Server version 2 Infrastructure Install.
  2. JDK 1.3
  3. Internet Explorer 6.0

User Notes with Screen Shots

The following use case diagram depicts the functionality of the sample.

    Fig 1 (use case diagram)

Following are some sample screens demonstrating the user interface of this application.
  • When the user accesses the application, he is authenticated with the digital certificate configured in the browser. On successful authentication, a list of products is displayed from which he can choose items to Add To Cart. The screen looks as shown in Fig 2.

    Fig 2

  • The user clicks the Purchase Now button to buy the products, which takes him to the payment screen shown in Fig 3.

    Fig 3

  • The user provides a credit card number from the sample card numbers shown on the screen. This card number is sent to the Credit Card Web Service for validation. Successful validation of the credit card and of the card balance displays an order confirmation message as shown in Fig 4.

    Fig 4

Installation and Configuration

Refer to Install.html for installing the sample and configuring it to use digital certificates.
 

Running the Sample 

  1. From the browser in which the client certificate is installed, access the OTN Store home page by entering the following URL in the address bar:

    https://hostname:SSLport/security/

    Substitute the host name and SSL port of your Oracle9iAS HTTP Server. The request is redirected to the SSO server for authentication. If all the configuration was done correctly you will not be prompted for a Single Sign-On username and password; the certificate installed in your browser is used for authentication instead. Otherwise you will be redirected to the Single Sign-On login page (see Troubleshooting).

  2. On successful authentication you are shown the list of products to buy from. Select a few products and add them to the cart. Click Purchase Now.

  3. This takes you to the Payment page. Enter one of the sample credit card numbers shown and click Validate. If the digital certificate configuration used for Web service authentication is correct you are shown the order confirmation page; otherwise an error message is displayed.

Troubleshooting 

Digital certificate authentication fails

If you are prompted for an SSO username and password when accessing the application home page, client certificate authentication is not properly configured. The file debug.sql provided with the sample logs what the SSO server does with the certificate so you can identify what is going wrong.

Perform the following steps.

  1. Log in to the Oracle9iAS infrastructure database as the orasso user through SQL*Plus. Refer to the section "Configuring OID" for the password of the orasso schema.

  2. Execute the debug.sql file provided in <Extract_dir>/SSOSecuritySample/config as follows:

     SQL> @<Extract_dir>/SSOSecuritySample/config/debug.sql

  3. Perform the steps in the "Running the Sample" section.

  4. Run the following query at the SQL prompt as the orasso user:

     SELECT msg FROM wwsso_log$ ORDER BY id;

  5. Run the following to delete the debug records:

     DELETE FROM wwsso_log$;
     COMMIT;

  6. To stop debug data from being stored in the database, run <Extract_dir>/SSOSecuritySample/config/debugoff.sql as follows:

     SQL> @<Extract_dir>/SSOSecuritySample/config/debugoff.sql

Leave debugging enabled only for the duration of the test and do not use it on a production SSO server: the orasso schema is the SSO server's own schema, and the debug records are written for every login it processes while the procedure is installed.

Web service authentication fails

If credit card number validation does not succeed, the application's certificate authentication to the Web service has failed. Check the log file home.default_island.1 in <IAS_HOME>/opmn/logs for error details. The error is one of the following:

  1. A ClassNotFoundException means the files jsse.jar, jcert.jar and jssl-1_2.jar were not copied to the <IAS_HOME>/jdk/jre/lib/ext directory as explained in Install.html.

  2. A java.security.cert.CertificateException means the wallet used for Web service authentication was not exported properly. Re-export the wallet to the specified location and try again.

  3. A javax.net.ssl.SSLException means the root certificate of the Web service client wallet was not imported into the server wallet, so the server does not trust the issuer of the client certificate and rejects the handshake.

Description of Sample Files 

SSOSecuritySample/docs
  Readme.html               This file.
  Install.html              Steps to install and configure the sample.
  UsingDAS.html             How to use DAS to create users in OID.
  PrepareSample.html        Steps to prepare and deploy the sample Web application to Oracle9iAS.
  GettingCertificate.html   Instructions for obtaining and installing the client and server certificates.
  blaf.css                  Stylesheet used by the HTML files.

SSOSecuritySample/OTNStore/CreditCardService
  (directory)               Source code for the Credit Card Web Service.

SSOSecuritySample/OTNStore/JSPApplication
  (directory)               Source code for the OTN Store Web application.

SSOSecuritySample/OTNStore/sql
  Security.sql              SQL script that sets up the data required by the online store, created in the "security" user schema.
  Credidb.sql               SQL script that sets up the data required by the Credit Card Web Service, created in the "creditdb" user schema.

SSOSecuritySample/config
  usercert.sql              Defines the procedure that returns the client certificate in Base64 format.
  ssodnmap.pkb              Modifies the SSO mapping module to match the e-mail address in the client certificate with the SSO username.
  debug.sql                 Defines the PL/SQL procedure used to debug the SSO certificate configuration.
  debugoff.sql              Removes the PL/SQL procedure used for debugging.
  loadcert.ldif             Sample LDIF file to load the client certificate data into OID.
  ossoreg.txt               The command used to register the HTTP server with the SSO server.

In addition, the directory images contains all the images used by the HTML files.


Revision history :October 26, 2002 

Please enter your comments about this sample in the OTN Sample code discussion forum

 