8 Configuring Single Sign-On for Administration Consoles

8.2.1 Collecting the Information for the OAM Configuration Tool

Before you run the OAM Configuration tool, collect the following information:

• LDAP Host: The host name of the Directory Server or a load balancer address (in the case of a high availability or enterprise deployment configuration).

• LDAP Port: The port of the Directory Server.

• LDAP USER DN: The DN of the LDAP Administrator user. This will be a value such as cn=orcladmin.

• LDAP Password: Password of the LDAP Administrator user.

• oam_aaa_host: The host name of an Oracle Access Manager.

• oam_aaa_port: The port of an Oracle Access Manager.

8.2.2 Running the OAM Configuration Tool

The OAM Configuration tool is located in the directory shown below. This tool can be run from any host that has Oracle Fusion Middleware 11g Release 1 installed.

ORACLE_HOME/modules/oracle.oamprovider_11.1.1/ 

Set the JAVA_HOME value before running the tool as shown below:

export JAVA_HOME=$MW_HOME/jrockit_160_05_R27.6.2-20

The syntax for using the OAM Configuration tool is:

$JAVA_HOME/bin/java -jar oamcfgtool.jar mode=CREATE [param=value]...

Table 8-1 shows the basic OAM Configuration tool parameters and their values.

The OAM Configuration tool has optional parameters that can be used for CREATE mode. Table 8-2 shows those parameters.

This is an example command for running the OAM Configuration tool when you want the tool to create a WebGate profile:

$JAVA_HOME/bin/java -jar oamcfgtool.jar mode=CREATE app_domain="IDMEDG"
cookie_domain=".mycompany.com"
protected_uris="/em,/console" app_agent_password="welcome1"
ldap_host=oid.us.oracle.com ldap_port=389 ldap_userdn="cn=orcladmin"
ldap_userpassword=password oam_aaa_host=oamhost1.mycompany.com
oam_aaa_port=6023

The following output is displayed when the command completes successfully:

Processed input parameters
Initialized Global Configuration
Successfully completed the Create operation.
 Operation Summary:
     Policy Domain  : IDMEDG
     Host Identifier: IDMEDG
     Access Gate ID : IDMEDG_AG

This is an example command for running the OAM Configuration tool when you plan on using an existing WebGate:

$JAVA_HOME/bin/java -jar oamcfgtool.jar mode=CREATE app_domain="IDMEDG"
web_domain="idmEDG_WD" cookie_domain=".mycompany.com"
protected_uris="/em,/console" app_agent_password="welcome1"
ldap_host=oid.us.oracle.com ldap_port=389 ldap_userdn="cn=orcladmin"
ldap_userpassword=<password> oam_aaa_host=oamhost1.mycompany.com
oam_aaa_port=6023

The following output is displayed when the command completes successfully:

Processed input parameters
Initialized Global Configuration
Successfully completed the Create operation.
 Operation Summary:
     Policy Domain  : IDMEDG
     Host Identifier: idmedg_wd
     Access Gate ID : idmedg_wd_AG

To validate that the tool created the policies correctly, run the tool in VALIDATE mode:

java -jar oamcfgtool.jar mode=VALIDATE app_domain="IDMEDG"
ldap_host=oid.mycompany.com ldap_port=389 ldap_userdn="cn=orcladmin"
ldap_userpassword=welcome1 oam_aaa_host=oamhost1.mycompany.com oam_aaa_port=6023
test_username=orcladmin test_userpassword=welcome1

The output from the VALIDATE command is shown below:

Processed input parameters
Initialized Global Configuration
Validating app_domain: IDMEDG : OK.
Validating web_domain: IDMEDG : OK.
Validating access_gate: IDMEDG_AG : OK.
Found url:http://IDMEDG/public
Found url:http://IDMEDG/em
Found url:http://IDMEDG/console
Successfully completed the Validate operation

8.2.3 Update the Host Identifier

The OAM Configuration Tool uses the value of the app_domain parameter to create a host identifier for the policy domain. This host identifier must be updated with all the hostnames variations for the host so that the configuration works correctly. Follow the steps below to update the host identifier created by the OAM Configuration Tool:

1. Navigate to the Access System Console by specifying the following URL in your web browser:

   http://hostname:port/access/oblix
   

   where hostname refers to the host where WebPass Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.

   For example, enter the following URL in your web browser:

   http://oamadminhost.mycompany.com:7777/access/oblix
   

2. When prompted for a username and password, log in as an Administrator. Click OK.

3. On the Access System main page, click the Access System Console link.

4. On the Access System Console page, click the Access System Configuration tab.

5. On the Access System Configuration page, click Host Identifiers at the bottom left.

6. On the List all host identifiers page, click on the host identifier created by the OAM Configuration Tool. For example, select IDMEDG.

7. On the Host Identifier Details page, click Modify.

8. On the Modifying host identifier page, add all the possible hostname variations for the host. Click the plus and minus symbols to add or delete fields as necessary. The Preferred HTTP Host value used in the Access System Configuration must be added as one of the hostname variations. For example: idmedg_wd, webhost1.mycompany.com:7777, admin.mycompany.com:7777

9. Select the check box next to Update Cache and then click Save.

   A message box with the following message is displayed: "Updating the cache at this point will flush all the caches in the system. Are you sure?"

   Click OK to finish saving the configuration changes.

10. Verify the changes on the Host Identifier Details page.

8.2.4 Update the WebGate Profile

The OAM Configuration Tool populates the Preferred_HTTP_Host and hostname attributes for the WebGate profile that is created with the value of the app_domain parameter. Both these attributes must be updated with the proper values for the configuration to work correctly. Follow the steps below to update the WebGate profile created by the OAM CFG Tool.

1. Navigate to the Access System Console by specifying the following URL in your web browser:

   http://hostname:port/access/oblix
   

   where hostname refers to the host where WebPass Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.

   For example, enter the following URL in your web browser:

   http://oamadminhost.mycompany.com:7777/access/oblix
   

2. On the Access System main page, click the Access System Console link, then log in as an Administrator.

3. On the Access System Console main page, click the Access System Configuration link to display the AccessGates Search page.

4. Enter the proper search criteria and click Go to display a list of AccessGates.

5. Select the AccessGate created by the OAM Configuration Tool. For example: IDMEDG_AG

6. On the AccessGate Details page, select Modify to display the Modify AccessGate page.

7. On the Modify AccessGate page, update:

   • Hostname: Update the hostname with the name of the computer where WebGate is running. For example: webhost1.mycompany.com

   • Preferred HTTP Host: Update the Preferred_HTTP_Host with one of the hostname variations specified in the previous section, for example: admin.mycompany.com:7777

8. Click Save. A message box with the "Are you sure you want to commit these changes?" message is displayed.

9. Click OK to finish updating the configuration.

10. Verify the values displayed on the Details for AccessGate page to confirm that the updates were successful.

8.2.5 Update the Form Authentication for Delegated Administration

The WebGates in the IDM Domain also need to act as delegated authentication WebGates, that is, they receive authentication requests from external applications or domains in the enterprise. To enable delegated authentication, the form authentication scheme created by the OAM Configuration Tool must be modified to add the Challenge Redirect parameter.

Follow the steps below to add the challenge redirect parameter to the Form authentication scheme:

1. Use a web browser to display the Access Console using the URL below:

   http://oamadminhost.mycompany.com:7777/access/oblix
   

2. Click the Access System Console link and log in using the credentials for the orcladmin user.

3. On the main page, click the Access System Configuration tab.

4. On the Access System Configuration page, click the Authentication Management link on the left hand side.

5. On the Authentication Management page, under the List all Authentication Schemes table, click the link for form authentication scheme created by the tool. The form authentication scheme created by the tool is called OraDefaultFormAuthNScheme.

6. On the Details for Authentication Scheme page, click Modify to modify the configuration of the authentication scheme.

7. On the Modifying Authentication Scheme page, update the Challenge Redirect parameter with the Single Sign-On virtual host configured in the load balancer. Use https://sso.mycompany.com to update the Challenge Redirect parameter.

8. Click Save to save the updated configuration.

9. To validate that the configuration was successful, follow the steps below:

   1. Using a web browser, bring up either the Oracle WebLogic Administration Console or Oracle Enterprise Manager Fusion Middleware Control:

      URL for the WebLogic Administration Server Console:

      http://admin.mycompany.com:7777/console
      

      URL for the Enterprise Manager Oracle Fusion Middleware Control:

      http://admin.mycompany.com:7777/em
      

   2. Log into the console using the administrator user's credentials.

   3. This will redirect your web browser to http://sso.mycompany.com during authentication.

8.3.1 Validating the Policy Domain Configuration

Follow these steps to verify that the policy domain was created properly:

1. In a web browser, enter this URL to access the Oracle Access Manager console:

   http://OAMADMINHOST:port/access/oblix
   

2. Click Policy Manager.

3. Click the My Policy Domains link on the left panel. You will see a list of all the policy domains, which includes the domain you just created. For example: IDMEDG. In the third column, URL prefixes, you will see the URIs you specified when creating the policy domain).

4. Click the link to the policy domain you just created. This displays the General area of this domain.

5. Click the Resources tab. On this tab you can see the URIs you specified. Click other tabs to view other settings.

8.3.2 Validating the AccessGate Configuration

Follow these steps to verify that the AccessGate was configured properly:

1. In the Oracle Access Manager console, click the Access System Console link. This link is a toggle. When it is the Access System Console link and you click it, it becomes the Policy Manager link. When it is the Policy Manager link and you click it, it becomes the Access System Console link.

2. Click the Access System Configuration tab.

3. Click the AccessGate Configuration link on the left panel.

4. Enter some search criteria and click Go.

5. When the name of the AccessGate for the domain you created appears (it may have the suffix _AG when created by the OAM Configuration Tool, for example, IDMEDG_AG), click it to view the details of the AccessGate you created.

8.4.1 Setting Up the Oracle Internet Directory Authenticator

Follow these steps to set up the Oracle Internet Directory authenticator:

1. Begin by backing up these relevant configuration files:

   DOMAIN_HOME/config/config.xml
   
   DOMAIN_HOME/config/fmwconfig/jps-config.xml
   
   DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml
   

2. Back up the DOMAIN_HOME/servers/adminServer/boot.properties file for the Administrator Server.

3. Follow these steps to configure the Identity Store to use LDAP, setting the proper authenticator using the WebLogic Administration Server Console:

   1. Log into the WebLogic Administration Server Console and click Lock and Edit to enable editing.

   2. Click the Security Realms link on the left navigational bar.

   3. Click the myrealm default realm entry to configure it.

   4. Click the Providers tab within the realm.

   5. Note that there is a DefaultAuthenticator provider configured for the realm.

   6. Click the New button to add a new provider.

   7. Enter a name for the provider, such as "OIDAuthenticator" for a provider that will authenticate the user to the Oracle Internet Directory.

   8. Select the "OracleInternetDirectoryAuthenticator" type from the list of authenticators.

   9. Click OK.

   10. On the Providers screen, click the newly created OIDAuthenticator.

   11. Set the Control Flag to SUFFICIENT. This indicates that if a user can be authenticated successfully by this authenticator, then it is should accept that authentication and should not continue to invoke any additional authenticators. If the authentication fails, it will fall through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flag set to SUFFICIENT also. In particular, check the DefaultAuthenticator and set that to SUFFICIENT.

   12. Click Save to save this setting.

   13. Click the Provider Specific tab to enter the details for the LDAP server.

   14. Enter the details specific to your LDAP server, as shown in the following table:

       Parameter	Value	Description
       Host		The LDAP server's server ID. For example: oid.mycompany.com
       Port		The LDAP server's port number. For example: 636
       Principal		The LDAP user DN used to connect to the LDAP server. For example: cn=orcladmin
       Credential		The password used to connect to the LDAP server
       SSL Enabled	Checked	Specifies whether SSL protocol is used when connecting to LDAP server.
       User Base DN		Specify the DN under which your Users start. For example: cn=users,dc=us,dc=mycompany,dc=com
       Group Base DN		Specify the DN that points to your Groups node. For example: cn=groups,dc=us,dc=mycompany,dc=com
       Use Retrieved User Name as Principal	Checked	Must be turned on.

       
       

       Click Save when done.

   15. Click Activate Changes to propagate the changes.

   16. The console displays a message that a restart is required for the changes to take effect. Do not restart the servers as indicated; this will be done after setting up all the WebLogic Authenticators, as described in Section 8.4.4, "Stop and Start the WebLogic Administration Servers and Managed Servers."

8.4.2 Setting Up the OAM ID Asserter

Follow these steps to set up the OAM ID Asserter:

1. Log into the WebLogic Administration Server Console and click Lock and Edit to enable editing.

2. Navigate to SecurityRealms > Default Realm Name > Providers.

3. Click New and select OAM Identity Asserter from the drop down menu.

4. Name the asserter, for example: OAM ID Asserter

   Then click OK.

5. Click the newly-added asserter to see the configuration screen for OAM Identity Asserter.

6. Set the Control Flag to REQUIRED, and then click Save.

7. Configure the additional attributes below for the OAM Identity Asserter on the Provider Specific tab:

   • Application Domain: Provide the Oracle Access Manager policy domain name. Use the app_domain parameter passed to the OAM Configuration Tool. For example: IDMEDG.

   • Primary Access Server: Provide Oracle Access Manager server endpoint information in the host:port format. For example: oamhost1.mycompany.com: 6023

   • Application Domain: Provide the Oracle Access Manager policy domain name. Use the app_domain parameter passed to the OAM Configuration Tool. For example: IDMEDG.

   • AccessGate Name: Name of the AccessGate (for example, IDMEDG_WD). Use the AccessGate name created by the OAM Configuration Tool or created manually in Section 7.4.3.1, "Creating a WebGate Profile."

   • AccessGate Password: Password for the AccessGate, if one was provided.

   Accept the default values for all the other attributes, unless required for your environment.

8. Save the settings.

9. Click Activate Changes to propagate the changes.

8.4.3 Reorder OAM Identity Asserter, OID Authenticator, and Default Authenticator

Follow the steps below to reorder the providers in the order shown below:

1. Log into the WebLogic Administration Server Console and click Lock and Edit to enable editing.

2. Navigate to SecurityRealms > Default Realm Name > Providers.

3. Ensure that the Control Flag for each authenticator is set correctly.

4. Click Reorder under the Authentication Providers table.

5. On the Reorder Authentication Providers page, reorder the providers as shown below:

   OAM Identity Asserter (REQUIRED) > OID Authenticator (SUFFICIENT) >
   Default Authenticator (SUFFICIENT) > DefaultIdentityAsserter
   

6. Save the settings.

7. Click Activate Changes to propagate the changes.

8.4.4 Stop and Start the WebLogic Administration Servers and Managed Servers

The WebLogic Administration Server and the associated Managed Servers must be restarted for the configuration changes to take effect. Follow the steps below to stop and then start the WebLogic Administration Server and the Managed Servers (wls_ods1 and wls_ods2):

1. Using the WebLogic Administration Server Console, stop the Administration Server and the wls_ods1 and wls_ods2 Managed Servers.

2. Verify that the server processes have been successfully stopped.

3. On IDMHOST1, start the WebLogic Administration Server using the startWebLogic.sh script located under the DOMAIN_HOME/bin directory using the syntax below. This enables the standard output log messages shown on the screen to be written to the file specified in the logfile parameter.

   ./startWebLogic.sh >logfile 2>&1 &
   

   For example:

   ./startWebLogic.sh >$DOMAIN_HOME/servers/AdminServer/logs/aserver.out 2>&1 &
   

4. Verify that the Administration Server has started up and then bring up the Administration Console using a web browser.

5. Log into the console using the administrator user's credentials.

6. Start the wls_ods1 and wls_ods2 Managed Servers using the WebLogic Administration Console.

8.6.1 Provisioning Admin Users and Groups in an LDAP Directory

As mentioned in the introduction to this section, users and groups from multiple WebLogic domains may be provisioned in a central LDAP user store. In such a case, there is a possibility that one WebLogic admin user may have access to all the domains within an enterprise. This is not a desirable situation. To avoid this, the users and groups provisioned must have a unique distinguished name within the directory tree. In this guide, the admin user and group for the IDM WebLogic Domain will be provisioned with the DNs below:

• Admin User DN:

  cn=weblogic_idm,cn=Users,dc=us,dc=mycompany,dc=com
  

• Admin Group DN:

  cn=IDM Administrators, cn=Groups,dc=us,dc=mycompany,dc=com
  

Follow the steps below to provision the admin user and admin group in Oracle Internet Directory:

1. Create an ldif file named admin_user.ldif with the contents shown below and then save the file:

   dn: cn=weblogic_idm, cn=Users, dc=us, dc=mycompany, dc=com
   orclsamaccountname: weblogic_idm
   givenname: weblogic_idm
   sn: weblogic_idm
   userpassword: Welcome1
   obver: 10.1.4.0
   mail: weblogic_idm
   objectclass: top
   objectclass: person
   objectclass: organizationalPerson
   objectclass: inetorgperson
   objectclass: orcluser
   objectclass: orcluserV2
   objectclass: oblixorgperson
   uid: weblogic_idm
   cn: weblogic_idm
   description: Admin User for the IDM Domain
   

2. Run the ldapadd command located under the ORACLE_HOME/bin/ directory to provision the user in Oracle Internet Directory. For example:

   ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w
   welcome1 -c -v -f admin_user.ldif
   

3. Create an ldif file named admin_group.ldif with the contents shown below and then save the file:

   dn: cn=IDM Administrators, cn=Groups, dc=us, dc=mycompany, dc=com
   displayname: IDM Administrators
   objectclass: top
   objectclass: groupOfUniqueNames
   objectclass: orclGroup
   uniquemember: cn=weblogic_idm,cn=users,dc=us,dc=mycompany,dc=com
   cn: IDM Administrators
   description: Administrators Group for the IDM Domain in OID
   

4. Run the ldapadd command located under the ORACLE_HOME/bin/ directory to provision the group in Oracle Internet Directory. For example:

   ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w
   welcome1 -c -v -f admin_group.ldif
   

8.6.2 Assigning the Admin Role to the Admin Group

After adding the users and groups to Oracle Internet Directory, the group must be assigned the Admin role within the WebLogic domain security realm. This enables all users that belong to the group to be administrators for that domain. Follow the steps below to assign the Admin role to the Admin group:

1. Log into the WebLogic Administration Server Console.

2. In the left pane of the console, click Security Realms.

3. On the Summary of Security Realms page, click myrealm under the Realms table.

4. On the Settings page for myrealm, click the Roles & Policies tab.

5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click on the Roles link to bring up the Global Roles page.

6. On the Global Roles page, click the Admin Role to bring up the Edit Global Role page:

   1. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.

   2. On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.

   3. On the Edit Arguments Page, Specify IDM Administrators in the Group Argument field and click Add.

7. Click Finish to return to the Edit Global Rule page.

8. The Role Conditions table now shows the IDM Administrators Group as an entry.

9. Click Save to finish adding the Admin Role to the IDM Administrators Group.

10. Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.

8.6.3 Updating the boot.properties File on IDMHOST1 and IDMHOST2

The boot.properties file for the Administration Server and the Managed Servers should be updated with the WebLogic admin user created in Oracle Internet Directory. Follow the steps below to update the boot.properties file.

For the Administration Server on IDMHOST1

1. On IDMHOST1, go the following directory:

   MW_HOME/user_projects/domains/domainName/servers/serverName/security
   

   For example:

   cd /u01/app/oracle/product/fmw/user_projects/domains/IDMDomain/servers/AdminServer/security
   

2. Rename the existing boot.properties file.

3. Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:

   username=adminUser
   password=adminUserPassword
   

   For example:

   username=weblogic_idm
   password=Password for weblogic_idm user
   

   Note:

   When you start the Administration Server, the username and password entries in the file get encrypted.

   For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.

Stop and Start the Servers

1. Using the WebLogic Administration Server Console, stop the Administration Server and the wls_ods1 and wls_ods2 Managed Servers.

2. Verify that the server processes have been successfully stopped.

3. On IDMHOST1, start the WebLogic Administration Server using the startWebLogic.sh script located under the DOMAIN_HOME/bin directory using the syntax below. This enables the standard output log messages shown on the screen to be written to the file specified in the logfile parameter:

   ./startWebLogic.sh >logfile 2>&1 &
   

   For example:

   ./startWebLogic.sh >$DOMAIN_HOME/servers/AdminServer/logs/aserver.out 2>&1 &
   

4. Verify that the Administration Server has started up and then bring up the Administration Console using a web browser.

5. Log in using the credentials of the weblogic_idm user.

6. Start the wls_ods1 and wls_ods2 Managed Servers using the WebLogic Administration Console.

8.7.1 JPS Root Creation

Create the jpsroot in Oracle Internet Directory using the command line ldapadd command as shown in these steps:

1. Create an ldif file similar to this:

   dn: cn=jpsroot_idm_idmhost1
   cn: jpsroot_idm_idmhost1
   objectclass: top
   objectclass: orclcontainer
   
   dn: cn=jpsroot_idm_idmhost2
   cn: jpsroot_idm_idmhost2
   objectclass: top
   objectclass: orclcontainer
   

2. Use ORACLE_HOME/bin/ldapadd to add these entries to Oracle Internet Directory. For example:

   ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w
   welcome1 -c -v -f jps_root.ldif
   

8.7.2 Reassociate the Policy and Credential Store

To reassociate the policy and credential store with Oracle Internet Directory, use the WLST reassociateSecurityStore command. Follow these steps:

1. From IDMHOST1, start the wlst shell from the ORACLE_HOME/common/bin directory. For example:

   ./wlst.sh
   

2. Connect to the WebLogic Administration Server using the wlst connect command shown below.

   connect('AdminUser',"AdminUserPassword",t3://hostname:port')
   

   For example:

   connect("weblogic_idm,"welcome1","t3://idmhost-vip.mycompany.com:7001")
   

3. Run the reassociateSecurityStore command as shown below:

   Syntax:

   reassociateSecurityStore(domain="domainName",admin="cn=orcladmin",
   password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID",
   jpsroot="cn=jpsroot_idm_idmhost1")
   

   For example:

   wls:/IDMDomain/serverConfig> reassociateSecurityStore(domain="IDMDomain",
   admin="cn=orcladmin",password="welcome1",
   ldapurl="ldap://oid.mycompany.com:389",servertype="OID",
   jpsroot="cn=jpsroot_idm_idmhost1")
   

   The output for the command is shown below:

   {servertype=OID, jpsroot=cn=jpsroot_idm_idmhost1, admin=cn=orcladmin,
   domain=IDMDomain, ldapurl=ldap://oid.mycompany.com:389, password=welcome1}
   Location changed to domainRuntime tree. This is a read-only tree with
   DomainMBean as the root.
   For more help, use help(domainRuntime)
   
   Starting Policy Store reassociation.
   LDAP server and  ServiceConfigurator setup done.
   
   Schema is seeded into LDAP server
   Data is migrated to LDAP server
   Service in LDAP server after migration has been tested to be available
   Update of jps configuration is done
   Policy Store reassociation done.
   Starting credential Store reassociation
   LDAP server and  ServiceConfigurator setup done.
   Schema is seeded into LDAP server
   Data is migrated to LDAP server
   Service in LDAP server after migration has been tested to be available
   Update of jps configuration is done
   Credential Store reassociation done
   Jps Configuration has been changed. Please restart the server.
   

4. Restart the Administration Server after the command completes successfully.