Thursday, February 23, 2012

Configuring SSO for OBIEE 11g

http://docs.oracle.com/cd/E23520_01/doc.311/e20664/chapter_10.htm

Configuring OSSO Solution

This chapter provides step-by-step instructions for configuring OSSO as the single sign-on solution for OSL. You can find a complete explanation of the OSSO Solution in "Chapter 10 Configuring Single Sign-On in Oracle Fusion Middleware" in the Oracle® Fusion Middleware Security Guide 11g Release 1 (11.1.1) at

http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/toc.htm
10.1 Installing Oracle Single Sign-On and Oracle Delegated Administration Services
There are no 11g Release 1 (11.1.1) versions of Oracle Single Sign-On and Oracle Delegated Administration Services. However, both Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0) are certified for use with Oracle Internet Directory 11g Release 1 (11.1.1).

You can find related information in "Chapter 10 Installing Oracle Single Sign-On and Oracle Delegated Administration Services Against Oracle Internet Directory" in the Oracle® Fusion Middleware Installation Guide for Oracle Identity Management 11g Release 1 (11.1.1) at

http://download.oracle.com/docs/cd/E12839_01/install.htm

10.2 Configuring SSO for Learning Tool
To configure SSO for Learning Tool, perform the steps in the subsequent sections.

10.2.1 Installing HTTP Server
Install a web server to be used as a front end to the Oracle WebLogic Server. In this guide, we use Oracle HTTP Server (OHS) 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.

10.2.2 Configuring mod_wl_ohs
If you select the option “Associate Selected Components with WebLogic Domain” during the installation of Web Tier Utilities, you are able to manage the web server using Enterprise Manager (EM).

This section demonstrates the configuration of mod_wl_ohs using EM. However, it is also possible to do the same configuration by manually editing the configuration files.

To configure mod_wl_ohs from EM, perform the following:

1.Select the OHS instance on the left panel.

2.Select Oracle HTTP Server > Administration > mod_wl_ohs Configuration on the right panel.

Figure 10-1 Configuring mod_wl_ohs



3.Enter the value for WebLogic Host, WebLogic Port, and Locations. Figure 10-2 shows a sample setup for Learning Tool Admin and Learning Tool.

Figure 10-2 Sample mod_wl_ohs configuration for LT Admin



This configuration will effectively be added to the mod_wl_ohs.conf file of this OHS instance. You can also manually modify this file without using the EM.

Note:

If you install Web Tier Utilities, you can locate mod_wl_ohs.conf file at:
For example: /Oracle_WT1/instances/instance1/config/OHS/ohs1/

For example:



WebLogicHost yourservername.com
WebLogicPort 7002


SetHandler weblogic-handler



Figure 10-3 Sample mod_wl_ohs configuration for LT



This configuration will effectively be added to the mod_wl_ohs.conf file of this OHS instance. You can also manually modify this file without using the EM.

For example:



WebLogicHost yourservername.com
WebLogicPort 7002


SetHandler weblogic-handler



10.2.3 Registering OHS mod_osso with OSSO Server
To register OHS mod_osso with OSSO server, perform the following:

1.Execute the ssoreg.sh tool, which can be found in /sso/bin, where is the directory to which Oracle Single Sign-On is installed.

Note:

The directory where you want to store the result config file must be created beforehand.
$cd /sso/bin

$export ORACLE_HOME=

$./ssoreg.sh -oracle_home_path -site_name LearningToolAdmin -config_mod_osso TRUE -mod_osso_url http://: -update_mode CREATE -remote_midtier -config_file /temp/osso_admin.conf

$./ssoreg.sh -oracle_home_path -site_name LearningTool -config_mod_osso TRUE -mod_osso_url http://: -update_mode CREATE -remote_midtier -config_file /temp/osso_lt.conf
where:

and are the host name and port of the web server configured as a front end to provide access to the Learning Tool Admin application.

and are the host name and port of the web server configured as a front end to provide access to the Learning Tool application.

2.Copy this file to the web server instance location.

For example:

/Oracle_WT1/instances/instance1/config/OHS/ohs1/osso/osso_admin.conf

/Oracle_WT1/instances/instance2/config/OHS/ohs2/osso/osso_lt.conf
10.2.4 Configuring mod_osso to Protect Web Resources
To configure mod_osso to protect web resources, perform the following:

1.Enable mod_osso from EM.

Select the OHS instance on the left panel and select Oracle HTTP Server > Administration > Server Configuration on the right panel.

Figure 10-4 Configuring mod_osso



Check the check box for mod_osso and click Apply.

Figure 10-5 Enabling mod_osso



2.Configure mod_osso.

Go to the Advanced Server Configuration. The Advanced Server Configuration screen enables you to edit the configuration files directly. From the list, select mod_osso.conf and click Go.

Figure 10-6 Setting up Advanced Server Configuration



Edit the content of this file (see Figure 10-7).

Figure 10-7 Editing Content of mod_osso



You can also manually edit the content of this file without using EM. Below is the sample configuration done for Learning Tool Admin and Learning Tool.

Sample configuration for Learning Tool Admin:

LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"


OssoIpCheck on
OssoIdleTimeout off
OssoSecureCookies off

OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_admin.conf


require valid-user
AuthType Osso


Sample configuration for Learning Tool:

LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"


OssoIpCheck on
OssoIdleTimeout off
OssoSecureCookies off

OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_lt.conf
OssoHTTPOnly Off


require valid-user
AuthType Osso


Note:

The configuration directive OssoHTTPOnly must be turned off in the web server configured as a front end to provide access to the Learning Tool application. This is to allow the audio applet in the Learning Tool application to be able to read the OSSO cookies.
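The samples above switch several mod_osso session and cookie directives off, and OssoHTTPOnly is off only because the Learning Tool applet needs it. The following is an added example, not part of the original guide or Oracle's tooling: it lists the watched directives that a given mod_osso.conf sets to off, so the exception stays confined to the one front end that needs it. Treating "off" as a finding, and the `accepted` parameter, are assumptions of this example.

```python
# Added example: flag mod_osso protections that a config switches off.
# Directive names come from the samples on this page; treating "off" as a
# finding is this example's policy, not an Oracle rule.
WATCHED = ("OssoIpCheck", "OssoIdleTimeout", "OssoSecureCookies", "OssoHTTPOnly")


def parse_directives(conf_text):
    """Return {lowercased directive: (original name, value)}; last one wins."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and container tags such as <Location ...>.
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0].lower()] = (parts[0], parts[1].strip().strip('"'))
    return found


def audit(conf_text, accepted=()):
    """List watched directives explicitly set to off, minus accepted ones."""
    found = parse_directives(conf_text)
    skip = {name.lower() for name in accepted}
    findings = []
    for name in WATCHED:
        key = name.lower()
        if key in found and key not in skip:
            if found[key][1].lower() == "off":
                findings.append(name)
    return findings


# Constructed inputs, copied from the two Learning Tool samples above.
LT_ADMIN_CONF = """\
OssoIpCheck on
OssoIdleTimeout off
OssoSecureCookies off
require valid-user
AuthType Osso
"""
LT_CONF = LT_ADMIN_CONF + "OssoHTTPOnly Off\n"

if __name__ == "__main__":
    # OssoHTTPOnly is an accepted exception on the Learning Tool front end only.
    for label, conf, ok in (("admin", LT_ADMIN_CONF, ()),
                            ("lt", LT_CONF, ("OssoHTTPOnly",))):
        print(label, audit(conf, accepted=ok))
```

Run it against each OHS instance's mod_osso.conf; an OssoHTTPOnly finding on any instance other than the Learning Tool front end means the exception has spread.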
10.2.5 Setting Up Providers for OSSO in a WebLogic Domain
Oracle recommends the following Authentication providers:

•OSSO Identity Asserter

•OID Authenticator

•DefaultAuthenticator

To add providers to your WebLogic domain for OSSO Identity Assertion, perform the following:

1.Log in to the WebLogic Administration Console.

2.OSSO Identity Asserter:

Go to Security Realms > Default Realm Name (Example: myrealm) and click Providers.

Select New under the Authentication Providers table.

Enter a name for the new provider, select its type, and click OK.

◦Name: OSSO Identity Asserter

◦Type: OSSOIdentityAsserter

Note:

For OSSOIdentityAsserter to appear in the list, you must copy ossoiap.jar to /lib.
The ossoiap.jar is available in /oracle_common/modules/oracle.ossoiap_11.1.1 on the computer where an Oracle Fusion Middleware product such as Oracle Identity Management, Oracle SOA Suite, or Oracle WebCenter is installed.

Click the name of the newly added provider.

On the Common tab, set the appropriate values for common parameters and set the Control Flag to SUFFICIENT and then save the settings.

3.Default Authentication Provider:

Go to Security Realms > Default Realm Name (Example: myrealm) and click Providers.

Click DefaultAuthentication Provider.

Set the Control Flag to OPTIONAL and click Save.

4.OID Authenticator:

The instructions to create this provider are provided in Section 8.5, "Configuring OID as Security Provider".

If the OID Authenticator is configured successfully, you can change the Control Flag to SUFFICIENT.

5.Reorder Providers:

◦OSSO Identity Asserter (SUFFICIENT)

◦OID Authenticator (SUFFICIENT)

◦DefaultAuthenticator (OPTIONAL)

6.Save all configuration settings and restart the Oracle WebLogic Server for the changes to take effect.

10.2.6 Configuring web.xml for the OSSO Identity Asserter
Update the login-config in web.xml for the application to support SSO as follows:

1.Modify the web.xml, which is located at

[OSL Home directory]/LearningTool/Configuration/LearningTool/DeploymentDescriptors/ for Learning Tool and at [OSL Home directory]/LearningTool/Configuration/Admin/DeploymentDescriptors/ for Learning Tool Admin to update the login-config as follows:


<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myRealm</realm-name>
</login-config>



2.Run the Configurator to update the EAR files as explained in Section 9.3, "Running the OSL Learning Tool Configurator".

10.3 Configuring SSO for OBIEE
To configure SSO for OBIEE, perform the following steps in the subsequent sections:

10.3.1 Installing HTTP Server
Install a web server to be used as a front end to Oracle WebLogic Server. In this guide, use Oracle HTTP Server 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.

10.3.2 Configuring mod_wl_ohs
If the ear/war file is deployed onto a WebLogic Server, perform similar steps as Section 10.2.2, "Configuring mod_wl_ohs" to configure mod_wl_ohs.

Figure 10-8 Configuring mod_wl_ohs



10.3.3 Registering OHS mod_osso with OSSO Server
To register OHS mod_osso with OSSO Server, perform the following:

1.Execute the ssoreg.sh tool, which can be found in /sso/bin, where is the directory in which Oracle Single Sign-On is installed.

Note:

The directory where you want to store the result config file must be created beforehand.
$cd /sso/bin

$export ORACLE_HOME=

$./ssoreg.sh -oracle_home_path -site_name Student_Reporting -config_mod_osso TRUE -mod_osso_url http://: -update_mode CREATE -remote_midtier -config_file /temp/osso_bi.conf
where:

and are the host name and port of the web server configured as a front end to provide access to the OBIEE application.

2.Copy this file to the web server instance location.

For Example:

/Oracle_WT1/instances/instance3/config/OHS/ohs3/osso/osso_bi.conf
10.3.4 Configuring mod_osso to Protect Web Resources
Perform similar steps as explained in Section 10.2.4, "Configuring mod_osso to Protect Web Resources" to configure the mod_osso as follows:

LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"


OssoIpCheck on
OssoIdleTimeout off
OssoSecureCookies off

OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_bi.conf


Header unset Pragma
OssoSendCacheHeaders off
require valid-user
AuthType Osso



10.3.5 Creating Oracle BI Server Impersonator User
Follow this procedure to create the impersonator user in the BI Server repository.

1.Open the BI Server repository file (.rpd) using BI Administration Tool.

2.Select Manage > Security to display the Security Manager.

3.Select Action > New > User to open the User dialog box.

4.Enter a name and password for this user.

For example:

Name = Impersonator

Password = secret

5.In the Group Membership portion of the dialog box, select the Administrators group to make the new user a member of this group.

6.Click OK to create the user.

10.3.6 Adding the Impersonator Credentials to Oracle BI Presentation Services Credential Store
Perform this step to add the impersonator credentials to Oracle BI Presentation Services credential store.

1.Navigate to the OracleBI_HOME/web/bin directory.

$export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/OracleBI_HOME/web/bin

$./cryptotools credstore -add -infile /web/config/credentialstore.xml
>Credential Alias: impersonation
>Username: Impersonator
>Password: secret
>Do you want to encrypt the password? y/n (y):
>Passphrase for encryption: another_secret
>Do you want to write the passphrase to the xml? y/n (n):
2.The CryptoTools utility updates the credentialstore.xml file. This file is located in the OracleBIData/web/config.

10.3.7 Configuring Oracle BI Presentation Services to Identify the Credential Store and Decryption Passphrase
Edit the OracleBIData/web/config/instanceconfig.xml file.

10.3.8 Configuring BI Presentation Services to Operate in the SSO Environment
Edit the OracleBIData/web/config/instanceconfig.xml file.









http://:/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F:%2Fanalytics%2F


http:// :/analytics





10.4 Configuring SSO for UCM 10g
To configure SSO for UCM 10g, perform the steps in the subsequent sections:

10.4.1 Installing HTTP Server
Install a web server to be used as a front end to UCM. In this guide, use Oracle HTTP Server 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.

10.4.2 Configuring OHS as Web Server for UCM
Inside the httpd.conf of the OHS instance, add the following to configure this OHS instance as the web server for UCM. Make sure that you use the correct library under the linux64 or linux folder:

LoadModule IdcApacheAuth /server/shared/os/linux64/lib/IdcApache22Auth.so
IdcUserDB idc "/server/data/users/userdb.txt"

Alias /idc "/server/weblayout"

Order allow,deny
Allow from all
DirectoryIndex portal.htm
IdcSecurity idc

Note:

Ensure that the UCM Server is configured with the correct host name and port number of the Web Server to be used as its front end.
Check the /server/config/config.cfg config file and make sure the value of HttpServerAddress is correct:

HttpServerAddress=:

10.4.3 Registering OHS mod_osso with OSSO Server
To register OHS mod_osso with OSSO Server, perform the following:

1.Execute the ssoreg.sh tool, which can be found in /sso/bin, where is the directory in which Oracle Single Sign-On is installed.

Note:

Please note that the directory where you want to store the result config file must be created beforehand.
$ cd /sso/bin

$export ORACLE_HOME=

$./ssoreg.sh -oracle_home_path -site_name Stellent_UCM -config_mod_osso TRUE -mod_osso_url http://: -update_mode CREATE -remote_midtier -config_file /temp/osso_ucm.conf
2.Copy this file to the web server instance location.

For example:

/Oracle_WT1/instances/instance1/config/OHS/ohs1/osso/osso_ucm.conf
10.4.4 Configuring mod_osso to Protect Web Resources
Perform similar steps as explained in Section 10.2.4, "Configuring mod_osso to Protect Web Resources" to configure the mod_osso as follows:

LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"


OssoIpCheck on
OssoIdleTimeout off
OssoSecureCookies off
OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_ucm.conf


require valid-user
AuthType Osso


10.5 Configuring SSO for Oracle UCM 11g
Oracle UCM 11g Release 1 (11.1.1) is deployed on an Oracle WebLogic Server. Therefore, the steps to configure OAM as the SSO solution for UCM are similar to the steps described in Section 10.2, "Configuring SSO for Learning Tool".

For more detailed explanation on configuring SSO for UCM 11g Release, you can read Chapter 4.2.3 "Configuring Oracle UCM to Use Single Sign-On" in the Oracle® Fusion Middleware System Administrator's Guide for Content Server 11g Release 1 (11.1.1) at

http://download.oracle.com/docs/cd/E14571_01/doc.1111/e10792/c03_security002.htm#insertedID3

10.5.1 Installing HTTP Server
Install a web server to be used as a front end to UCM 11g. In this guide, use Oracle HTTP Server 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.

10.5.2 Configuring mod_wl_ohs
Perform similar steps as Section 10.2.2, "Configuring mod_wl_ohs" to configure mod_wl_ohs.

LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"



SetHandler weblogic-handler
WebLogicHost
WebLogicPort



Note:

Ensure that the UCM Server is configured with the correct host name and port number of the Web Server to be used as its front end.
Check the /server/config/config.cfg config file and make sure the value of HttpServerAddress is correct:

HttpServerAddress=:

10.5.3 Registering OHS mod_osso with OSSO Server
To register OHS mod_osso with OSSO Server, perform similar steps in Section 10.4.3, "Registering OHS mod_osso with OSSO Server".

10.5.4 Configuring mod_osso to protect Web Resource
Perform similar steps as Section 10.2.4, "Configuring mod_osso to Protect Web Resources" to configure mod_osso.

LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"



OssoIpCheck on
OssoIdleTimeout off
OssoSecureCookies off
OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_ucm.conf


require valid-user
AuthType Osso



10.5.5 Setting Up Providers for OSSO in a WebLogic Domain
Perform similar steps as Section 10.2.5, "Setting Up Providers for OSSO in a WebLogic Domain" to set up providers for OSSO in a WebLogic Domain that UCM is deployed to.

10.6 Updating the OSL Configuration
The following configuration is required for OSL to operate in an SSO environment:

1.Update the OSL_PROFILE_OPTION_VALUES:

Set the values for OSL_SHOW_LOGOUT_LINK in OSL_PROFILE_OPTION_VALUES table as follows:

Table 10-1 Updating OSL_PROFILE_OPTION_VALUES

Value: OSL_SHOW_LOGOUT_LINK

Description:

◦Y (to display the logout link in Learning Tool and Learning Tool Admin) or

◦N (to hide the logout link in Learning Tool and Learning Tool Admin)



2.Update the logout URL for Learning Tool and Learning Tool Admin.

◦Set the OSL_ADMIN_LOGOUT_URL as follows:

http://:/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F:%2FLTAdminWeb%2F

where: and are the host name and port of the web server configured as a front end to provide access to the Learning Tool Admin application.

◦Set the OSL_LOGOUT_URL as follows:

http://:/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F:%2FLTWeb%2F

where: and are the host name and port of the web server configured as a front end to provide access to the Learning Tool application.

For information about the OSL configuration file where you must make these changes, see Section 9.1.7, "Updating Logout URL for Learning Tool and Learning Tool Admin".
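The logout URLs above (and the OBIEE one in Section 10.3.8) send the browser to the OSSO logout endpoint, which then redirects to whatever p_done_url decodes to. The following is an added example, not part of the original guide: it checks that a configured logout URL targets the OSSO server and that p_done_url is percent-encoded and returns to the intended front end. The function name, parameters and example.com hosts are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs

# Logout endpoint path as it appears in the URLs on this page.
LOGOUT_PATH = "/pls/orasso/orasso.wwsso_app_admin.ls_logout"


def check_logout_url(url, sso_netloc, app_netloc, app_path):
    """Return a list of problems with a configured OSSO logout URL.

    sso_netloc and app_netloc are "host:port" strings for the OSSO server and
    the application's front-end web server (names assumed for this example).
    """
    problems = []
    parts = urlsplit(url)
    if parts.netloc.lower() != sso_netloc.lower():
        problems.append("logout endpoint is not the OSSO server")
    if parts.path != LOGOUT_PATH:
        problems.append("unexpected logout path")
    if "://" in parts.query:
        problems.append("p_done_url is not percent-encoded")
    # parse_qs percent-decodes the value, so http%3A%2F%2F becomes http://
    done = parse_qs(parts.query).get("p_done_url", [])
    if len(done) != 1:
        problems.append("p_done_url must appear exactly once")
        return problems
    target = urlsplit(done[0])
    if target.scheme not in ("http", "https"):
        problems.append("p_done_url is not an http(s) URL")
    if target.netloc.lower() != app_netloc.lower():
        problems.append("p_done_url points at a different host or port")
    if target.path != app_path:
        problems.append("p_done_url path does not match the application")
    return problems


# Constructed sample values; hosts and ports are placeholders.
SSO = "sso.example.com:7777"
LT = "lt.example.com:7778"
GOOD_URL = ("http://sso.example.com:7777" + LOGOUT_PATH +
            "?p_done_url=http%3A%2F%2Flt.example.com:7778%2FLTWeb%2F")
WRONG_HOST_URL = ("http://sso.example.com:7777" + LOGOUT_PATH +
                  "?p_done_url=http%3A%2F%2Fother.example.net%2FLTWeb%2F")

if __name__ == "__main__":
    for candidate in (GOOD_URL, WRONG_HOST_URL):
        print(check_logout_url(candidate, SSO, LT, "/LTWeb/") or "ok")
```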


Copyright © 2009, 2012, Oracle and/or its affiliates. All rights reserved.