Configuring OSSO Solution
This chapter provides step-by-step instructions for configuring OSSO as the single sign-on solution for OSL. You can find a complete explanation of the OSSO Solution in "Chapter 10 Configuring Single Sign-On in Oracle Fusion Middleware" in the Oracle® Fusion Middleware Security Guide 11g Release 1 (11.1.1) at
http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/toc.htm
10.1 Installing Oracle Single Sign-On and Oracle Delegated Administration Services
There are no 11g Release 1 (11.1.1) versions of Oracle Single Sign-On and Oracle Delegated Administration Services. However, both Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0) are certified for use with Oracle Internet Directory 11g Release 1 (11.1.1).
You can find related information in "Chapter 10 Installing Oracle Single Sign-On and Oracle Delegated Administration Services Against Oracle Internet Directory" in the Oracle® Fusion Middleware Installation Guide for Oracle Identity Management 11g Release 1 (11.1.1) at
http://download.oracle.com/docs/cd/E12839_01/install.htm
10.2 Configuring SSO for Learning Tool
To configure SSO for Learning Tool, perform the steps in the subsequent sections.
10.2.1 Installing HTTP Server
Install a web server to be used as a front end to the Oracle WebLogic Server. In this guide, we use Oracle HTTP Server (OHS) 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.
10.2.2 Configuring mod_wl_ohs
If you select the option “Associate Selected Components with WebLogic Domain” during the installation of Web Tier Utilities, you are able to manage the web server using Enterprise Manager (EM).
This section demonstrates the configuration of mod_wl_ohs using EM. However, it is also possible to do the same configuration by manually editing the configuration files.
To configure mod_wl_ohs from EM, perform the following:
1.Select the OHS instance on the left panel.
2.Select Oracle HTTP Server > Administration > mod_wl_ohs Configuration on the right panel.
Figure 10-1 Configuring mod_wl_ohs
3.Enter the value for WebLogic Host, WebLogic Port, and Locations. Figure 10-2 shows a sample setup for Learning Tool Admin and Learning Tool.
Figure 10-2 Sample mod_wl_ohs configuration for LT Admin
This configuration will effectively be added to the mod_wl_ohs.conf file of this OHS instance. You can also manually modify this file without using the EM.
Note:
If you install Web Tier Utilities, you can locate mod_wl_ohs.conf file at:
For example:
For example:
WebLogicHost yourservername.com
WebLogicPort 7002
SetHandler weblogic-handler
Figure 10-3 Sample mod_wl_ohs configuration for LT
This configuration will effectively be added to the mod_wl_ohs.conf file of this OHS instance. You can also manually modify this file without using the EM.
For example:
WebLogicHost yourservername.com
WebLogicPort 7002
SetHandler weblogic-handler
10.2.3 Registering OHS mod_osso with OSSO Server
To register OHS mod_osso with OSSO server, perform the following:
1.Execute the ssoreg.sh tool, which can be found in
Note:
The directory where you want to store the result config file must be created beforehand.
$cd
$export ORACLE_HOME=
$./ssoreg.sh -oracle_home_path
$./ssoreg.sh -oracle_home_path
where:
2.Copy this file to the web server instance location.
For example:
10.2.4 Configuring mod_osso to Protect Web Resources
To configure mod_osso to protect web resources, perform the following:
1.Enable mod_osso from EM.
Select the OHS instance on the left panel and select Oracle HTTP Server > Administration > Server Configuration on the right panel.
Figure 10-4 Configuring mod_osso
Check the check box for mod_osso and click Apply.
Figure 10-5 Enabling mod_osso
2.Configure mod_osso.
Go to the Advanced Server Configuration. The Advanced Server Configuration screen enables you to edit the configuration files directly. From the list, select mod_osso.conf and click Go.
Figure 10-6 Setting up Advanced Server Configuration
Edit the content of this file as shown in Figure 10-7.
Figure 10-7 Editing Content of mod_osso
You can also manually edit the content of this file without using EM. Below is the sample configuration done for Learning Tool Admin and Learning Tool.
Sample configuration for Learning Tool Admin:
LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
OssoIpCheck on
OssoIdleTimeout off
OssoSecureCookies off
OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_admin.conf
require valid-user
AuthType Osso
Sample configuration for Learning Tool:
LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
OssoIpCheck on
OssoIdleTimeout off
OssoSecureCookies off
OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_lt.conf
OssoHTTPOnly Off
require valid-user
AuthType Osso
Note:
The configuration directive OssoHTTPOnly must be turned off in the web server configured as a front end to provide access to the Learning Tool application. This is to allow the audio applet in the Learning Tool application to be able to read the OSSO cookies.
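The sample configurations above switch off several mod_osso cookie and session protections (OssoSecureCookies, OssoIdleTimeout and, for Learning Tool, OssoHTTPOnly). The following is an added example, not part of the original guide or of any Oracle tooling: a small Python check that reads a mod_osso.conf and reports which of these directives are off and in which scope. The sample input, its `<IfModule>`/`<Location>` wrappers and the `/example-app` path are constructed for illustration.

```python
import re

# Directive -> (weak value, consequence), for the directives used on this page.
WEAK = {
    "ossosecurecookies": ("off", "cookies lack the Secure flag"),
    "ossohttponly": ("off", "cookies are readable by client-side code"),
    "ossoidletimeout": ("off", "global inactivity timeout not enforced"),
    "ossoipcheck": ("off", "client IP address is not checked"),
}
OPEN = re.compile(r"<\s*(Location|IfModule)\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</\s*(Location|IfModule)\s*>", re.I)

def audit_mod_osso(conf_text):
    """Return (scope, directive, value, consequence) for each weak setting."""
    findings, scope = [], ["server"]
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        opened = OPEN.match(line)
        if opened:                       # entering a container: remember it
            scope.append(f"{opened.group(1)} {opened.group(2).strip()}")
        elif CLOSE.match(line):          # leaving a container
            if len(scope) > 1:
                scope.pop()
        elif line:
            name, value = (line.split(None, 1) + [""])[:2]
            value = value.strip().strip('"').lower()
            weak = WEAK.get(name.lower())
            if weak and value == weak[0]:
                findings.append((scope[-1], name, value, weak[1]))
    return findings

# Constructed sample modelled on the Learning Tool configuration above; the
# <IfModule>/<Location> wrappers and the /example-app path are placeholders.
SAMPLE = """\
<IfModule osso_module>
  OssoIpCheck on
  OssoIdleTimeout off
  OssoSecureCookies off
  OssoHTTPOnly Off
  <Location /example-app>
    require valid-user
    AuthType Osso
  </Location>
</IfModule>
"""

if __name__ == "__main__":
    for finding in audit_mod_osso(SAMPLE):
        print("[%s] %s %s: %s" % finding)
```

Where OssoHTTPOnly has to stay off for the audio applet, the report gives a list of the settings that need a documented exception, and the remaining ones can be reviewed for the other front ends.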
10.2.5 Setting Up Providers for OSSO in a WebLogic Domain
Oracle recommends the following Authentication providers:
•OSSO Identity Asserter
•OID Authenticator
•DefaultAuthenticator
To add providers to your WebLogic domain for OSSO Identity Assertion, perform the following:
1.Log in to the WebLogic Administration Console.
2.OSSO Identity Asserter:
Go to Security Realms > Default Realm Name (Example: myrealm) and click Providers.
Select New under the Authentication Providers table.
Enter a name for the new provider, select its type, and click OK.
◦Name: OSSO Identity Asserter
◦Type: OSSOIdentityAsserter
Note:
For OSSOIdentityAsserter to appear in the list, you must copy ossoiap.jar to
The ossoiap.jar is available in
Click the name of the newly added provider.
On the Common tab, set the appropriate values for common parameters and set the Control Flag to SUFFICIENT and then save the settings.
3.Default Authentication Provider:
Go to Security Realms > Default Realm Name (Example: myrealm) and click Providers.
Click DefaultAuthentication Provider.
Set the Control Flag to OPTIONAL and click Save.
4.OID Authenticator:
The instructions to create this provider are provided in Section 8.5, "Configuring OID as Security Provider".
If the OID Authenticator is configured successfully, you can change the Control Flag to SUFFICIENT.
5.Reorder Providers:
◦OSSO Identity Asserter (SUFFICIENT)
◦OID Authenticator (SUFFICIENT)
◦DefaultAuthenticator (OPTIONAL)
6.Save all configuration settings and restart the Oracle WebLogic Server for the changes to take effect.
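Why the order and Control Flags in step 5 matter can be seen by evaluating the chain. The following is an added example, not part of the original guide: it applies standard JAAS control-flag semantics to the provider order above and to a constructed comparison chain. It treats every provider, including the identity asserter, as one entry in a JAAS-style chain, which is a simplification; the login attempts are constructed.

```python
def chain_accepts(chain, accepted_by):
    """Evaluate an ordered provider chain with standard JAAS control flags.

    chain       -- list of (provider name, control flag) in evaluation order
    accepted_by -- set of provider names that accept this login attempt
    """
    required_ok = True      # no REQUIRED/REQUISITE provider has failed yet
    saw_required = False
    any_success = False
    for name, flag in chain:
        ok = name in accepted_by
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE"):
            saw_required = True
            if not ok:
                required_ok = False
                if flag == "REQUISITE":
                    return False          # fail immediately
        elif flag == "SUFFICIENT" and ok and required_ok:
            return True                   # succeed immediately, skip the rest
    return required_ok and (saw_required or any_success)


# Order and flags from step 5 above.
PAGE_CHAIN = [
    ("OSSO Identity Asserter", "SUFFICIENT"),
    ("OID Authenticator", "SUFFICIENT"),
    ("DefaultAuthenticator", "OPTIONAL"),
]
# Constructed comparison: DefaultAuthenticator left REQUIRED and listed first.
UNCHANGED_CHAIN = [
    ("DefaultAuthenticator", "REQUIRED"),
    ("OSSO Identity Asserter", "SUFFICIENT"),
    ("OID Authenticator", "SUFFICIENT"),
]
# Constructed login attempts: which providers would accept each one.
ATTEMPTS = {
    "SSO token asserted": {"OSSO Identity Asserter"},
    "OID user, password login": {"OID Authenticator"},
    "local WebLogic admin": {"DefaultAuthenticator"},
    "unknown user": set(),
}

if __name__ == "__main__":
    for label, accepted in ATTEMPTS.items():
        print(f"{label:26} page={chain_accepts(PAGE_CHAIN, accepted)} "
              f"unchanged={chain_accepts(UNCHANGED_CHAIN, accepted)}")
```

With the order from step 5, SSO users, OID users and local WebLogic accounts are all accepted and unknown users are rejected; in the comparison chain only accounts known to DefaultAuthenticator get through.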
10.2.6 Configuring web.xml for the OSSO Identity Asserter
Update the
1.Modify the web.xml, which is located at
[OSL Home directory]/LearningTool/Configuration/LearningTool/DeploymentDescriptors/ for Learning Tool and at [OSL Home directory]/LearningTool/Configuration/Admin/DeploymentDescriptors/ for Learning Tool Admin to update the login-config as follows:
2.Run the Configurator to update the EAR files as explained in Section 9.3, "Running the OSL Learning Tool Configurator".
10.3 Configuring SSO for OBIEE
To configure SSO for OBIEE, perform the following steps in the subsequent sections:
10.3.1 Installing HTTP Server
Install a web server to be used as a front end to Oracle WebLogic Server. In this guide, use Oracle HTTP Server 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.
10.3.2 Configuring mod_wl_ohs
If the ear/war file is deployed onto a WebLogic Server, perform similar steps as Section 10.2.2, "Configuring mod_wl_ohs" to configure mod_wl_ohs.
Figure 10-8 Configuring mod_wl_ohs
10.3.3 Registering OHS mod_osso with OSSO Server
To register OHS mod_osso with OSSO Server, perform the following:
1.Execute the ssoreg.sh tool, which can be found in
Note:
The directory where you want to store the result config file must be created beforehand.
$cd
$export ORACLE_HOME=
$./ssoreg.sh -oracle_home_path
http://
where:
2.Copy this file to the web server instance location.
For example:
10.3.4 Configuring mod_osso to Protect Web Resources
Perform similar steps as explained in Section 10.2.4, "Configuring mod_osso to Protect Web Resources" to configure the mod_osso as follows:
LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
OssoIpCheck on
OssoIdleTimeout off
OssoSecureCookies off
OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_bi.conf
Header unset Pragma
OssoSendCacheHeaders off
require valid-user
AuthType Osso
10.3.5 Creating Oracle BI Server Impersonator User
Follow this procedure to create the impersonator user in the BI Server repository.
1.Open the BI Server repository file (.rpd) using BI Administration Tool.
2.Select Manage > Security to display the Security Manager.
3.Select Action > New > User to open the User dialog box.
4.Enter a name and password for this user.
For example:
Name = Impersonator
Password = secret
5.In the Group Membership portion of the dialog box, select the Administrators group to make the new user a member of this group.
6.Click OK to create the user.
10.3.6 Adding the Impersonator Credentials to Oracle BI Presentation Services Credential Store
Perform this step to add the impersonator credentials to Oracle BI Presentation Services credential store.
1.Navigate to the OracleBI_HOME/web/bin directory.
$export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/OracleBI_HOME/web/bin
$./cryptotools credstore -add -infile
Credential Alias: impersonation
>Username: Impersonator
>Password: secret
>Do you want to encrypt the password? y/n (y):
>Passphrase for encryption: another_secret
>Do you want to write the passphrase to the xml? y/n (n):
2.The CryptoTools utility updates the credentialstore.xml file. This file is located in OracleBIData/web/config.
10.3.7 Configuring Oracle BI Presentation Services to Identify the Credential Store and Decryption Passphrase
Edit the OracleBIData/web/config/instanceconfig.xml file.
10.3.8 Configuring BI Presentation Services to Operate in the SSO Environment
Edit the OracleBIData/web/config/instanceconfig.xml file.
http://
10.4 Configuring SSO for UCM 10g
To configure SSO for UCM 10g, perform the steps in the subsequent sections:
10.4.1 Installing HTTP Server
Install a web server to be used as a front end to UCM. In this guide, use Oracle HTTP Server 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.
10.4.2 Configuring OHS as Web Server for UCM
Inside the httpd.conf of the OHS instance, add the following to configure this OHS instance as the web server for UCM. Make sure that you use the correct library under the linux64 or linux folder:
LoadModule IdcApacheAuth
IdcUserDB idc "
Alias /idc "
Order allow,deny
Allow from all
DirectoryIndex portal.htm
IdcSecurity idc
Note:
Ensure that the UCM Server is configured with the correct host name and port number of the Web Server to be used as its front end.
Check the
HttpServerAddress=
10.4.3 Registering OHS mod_osso with OSSO Server
To register OHS mod_osso with OSSO Server, perform the following:
1.Execute the ssoreg.sh tool, which can be found in
Note:
Please note that the directory where you want to store the result config file must be created beforehand.
$ cd
$export ORACLE_HOME=
$./ssoreg.sh -oracle_home_path
2.Copy this file to the web server instance location.
For example:
10.4.4 Configuring mod_osso to Protect Web Resources
Perform similar steps as explained in Section 10.2.4, "Configuring mod_osso to Protect Web Resources" to configure the mod_osso as follows:
LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
OssoIpCheck on
OssoIdleTimeout off
OssoSecureCookies off
OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_ucm.conf
require valid-user
AuthType Osso
10.5 Configuring SSO for Oracle UCM 11g
Oracle UCM 11g Release 1 (11.1.1) is deployed on an Oracle WebLogic Server. Therefore, the steps to configure OAM as the SSO solution for UCM are similar to the steps described in Section 10.2, "Configuring SSO for Learning Tool".
For a more detailed explanation of configuring SSO for UCM 11g Release, read Chapter 4.2.3 "Configuring Oracle UCM to Use Single Sign-On" in the Oracle® Fusion Middleware System Administrator's Guide for Content Server 11g Release 1 (11.1.1) at
http://download.oracle.com/docs/cd/E14571_01/doc.1111/e10792/c03_security002.htm#insertedID3
10.5.1 Installing HTTP Server
Install a web server to be used as a front end to UCM 11g. In this guide, use Oracle HTTP Server 11g, which is available after the installation of Web Tier Utilities 11.1.1.2.0.
10.5.2 Configuring mod_wl_ohs
Perform similar steps as Section 10.2.2, "Configuring mod_wl_ohs" to configure mod_wl_ohs.
LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
SetHandler weblogic-handler
WebLogicHost
WebLogicPort
Note:
Ensure that the UCM Server is configured with the correct host name and port number of the Web Server to be used as its front end.
Check the
HttpServerAddress=
10.5.3 Registering OHS mod_osso with OSSO Server
To register OHS mod_osso with OSSO Server, perform similar steps in Section 10.4.3, "Registering OHS mod_osso with OSSO Server".
10.5.4 Configuring mod_osso to protect Web Resource
Perform similar steps as Section 10.2.4, "Configuring mod_osso to Protect Web Resources" to configure mod_osso.
LoadModule osso_module "${ORACLE_HOME}/ohs/modules/mod_osso.so"
OssoIpCheck on
OssoIdleTimeout off
OssoSecureCookies off
OssoConfigFile ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso/osso_ucm.conf
require valid-user
AuthType Osso
10.5.5 Setting Up Providers for OSSO in a WebLogic Domain
Perform similar steps as Section 10.2.5, "Setting Up Providers for OSSO in a WebLogic Domain" to set up providers for OSSO in a WebLogic Domain that UCM is deployed to.
10.6 Updating the OSL Configuration
The following configuration is required for OSL to operate in an SSO environment:
1.Update the OSL_PROFILE_OPTION_VALUES:
Set the values for OSL_SHOW_LOGOUT_LINK in OSL_PROFILE_OPTION_VALUES table as follows:
Table 10-1 Updating OSL_PROFILE_OPTION_VALUES
Value Description
OSL_SHOW_LOGOUT_LINK
◦Y (to display the logout link in Learning Tool and Learning Tool Admin) or
◦N (to hide the logout link in Learning Tool and Learning Tool Admin)
2.Update the logout URL for Learning Tool and Learning Tool Admin.
◦Set the OSL_ADMIN_LOGOUT_URL as follows:
http://
where:
◦Set the OSL_LOGOUT_URL as follows:
http://
where:
For information about the OSL configuration file where you must make these changes, see Section 9.1.7, "Updating Logout URL for Learning Tool and Learning Tool Admin".
Copyright © 2009, 2012, Oracle and/or its affiliates. All rights reserved.