This OBE tutorial describes and shows you how to integrate Oracle Access Manager with Oracle Single Sign On to enable user authentication to Oracle Portal performed via Oracle Access Manager. This OBE tutorial also lists the preinstallation requirements.
Approximately 3 hours
This OBE tutorial covers the following topics:
Place
the cursor over this icon to load and view all the screenshots for this tutorial.
(Caution: Because this action loads all screenshots simultaneously, response
time may be slow depending on your Internet connection.)
Note: Alternatively, you can place the cursor over each individual icon in the following steps to load and view only the screenshot associated with that step.
The screenshots will not reflect the specific environment you are using. They are provided to give you an idea of where to locate specific functionality in Oracle Virtual Directory.
Oracle Access Manager (OAM) provides identity administration (using User, Group and Organization management, Self-service, Workflow capabilities, and delegated administration), Authentication and Authorization services, and Compliance reporting. By default, Oracle Single Sign On (OSSO) is the authentication provider for applications such as Oracle Portal. In this OBE, you will see how to integrate Oracle Access Manager with Oracle Single Sign On such that Oracle Portal can leverage Oracle Access Manager for Authentication Services.
In this OBE, you integrate Oracle Access Manager with Oracle Application Server. More specifically, you integrate OAM with the Oracle Single Sign On server such that OSSO will delegate user authentication to OAM. All applications, such as Oracle Portal, will continue to seamlessly work with OSSO as if user authentication was being handled by OSSO, but instead, it is transparently being performed by OAM. This shows how OAM can co-exist with OSSO and all applications, such as Oracle Portal, which rely on OSSO for authentication services. User Authorization is still handled by the application itself, that is, Oracle Portal.
The following image highlights the setup/architecture for the complete OAM-OSSO-Portal integration scenario.
Before you start the installation task, make sure that your system environment meets the following requirements:
Software Requirements
The system should include the following product:
Hardware Requirements
| Item | Specification |
| Processor Type | Intel Xeon or Pentium IV |
| Processor Speed | 2.4 GHz or higher |
| Number of Processors | 1 or more (if required) |
| Memory | 1 GB |
| Hard Disk Space | 20 GB (initial size) |
| Operating System | MS Windows 2003 Server with SP1 |
You will install Oracle Portal 10.1.2.0.2 against a preexisting Oracle Infrastructure (see the "Performing the Preinstallation Requirements" topic above). Perform the following steps:
|
1. |
In Windows Explorer, navigate to E:\install_files\portal101202\disk1 and double-click the setup.exe file. This launches the Oracle Universal Installer to install Oracle Portal 10.1.2.0.2.
|
|
2. |
Oracle Universal Installer should launch with the Welcome screen. Click Next.
|
| 3. |
Enter portal as the name and E:\portal as the path on the Specify File Locations screen, and then click Next.
|
| 4. |
Select Oracle Application Server 10g on the Select a Product to Install screen and then click Next. .
|
| 5. |
Select Portal and Wireless on the Select Installation Type screen and click Next.
|
| 6. |
You must have administrator privileges on the host for the installation to be successful. Select the Administrator privileges check box and click Next.
|
| 7. |
Select Oracle Application Server 10g Portal on the Select Configuration Options screen.
|
| 8. | Select Automatic Configure Ports on the Specify Port Configuration Options screen and click Next.
|
| 9. |
Specify ten.mydomain.com as the Host value (or the host name in your environment where OID has been preinstalled) and 13060 as the Port value (or the port for OID in your environment) for the OID instance which has been preinstalled on the Register with Oracle Internet Directory screen. Leave Use only SSL connections with this Oracle Internet Directory check box deselected.
|
| 10. |
Specify cn=orcladmin and abcd1234 as the username and password, respectively, on the Specify OID Login screen, and then click Next.
|
| 11. |
On the Select Oracle Application Server 10g Metadata Repository screen, Database Connect String should be prepopulated with the hostname:port:Global Database name: Service name for the metadata repository. In this case, it is ten.mydomain.com:1521:infra.mydomain.com:infra.mydomain.com. Click Next.
|
| 12. |
Specify portal as the Instance Name with abcd1234 as the ias_admin password (confirm the same password) on the Specify Instance Name and ias_admin Password screen, and then click Next.
|
| 13. |
Click Install on the Summary screen.
|
| 14. |
After the installation is completed, the End of Installation screen is displayed. Review the information and click Exit.
|
| 15. |
To verify that the installation of Oracle Portal was successful, open Internet Explorer and enter the following URL: http://ten.mydomain.com:7778/pls/portal
|
| 16. |
Click the Login link and specify orcladmin as the username and abcd1234 as the password. Click OK. You should be logged in as orcladmin.
|
You use the Identity Server to manage identity information about users, groups, organizations, and other objects. Your installation may include one or more Identity servers. Each instance of the Identity Server communicates with a Web server through a WebPass plug-in. The Identity Server performs four main functions:
To install Oracle Access Manager Identity Server, perform the following steps:
1. |
In Windows Explorer, navigate to E:\install_files\oam101401 and double-click the Oracle_Access_Manager10_1_4_0_1_Win32_Identity_Server.exe file. Then click Next. This command launches the Oracle Access Manager installer that will install Oracle Access Manager Identity Server.
|
||||||||||
2. |
You need to have the administrative privileges to run the installation. If you are logged in as a different user, you need to exit the installation, log in as the Administrator, and then restart the installation. Then click Next.
|
||||||||||
| 3. | In the Destination Name text box, set the installation directory to E:\identity and click Next.
|
||||||||||
| 4. | Review the location to which Oracle Access Manager Identity Server is getting installed and the total disk size it would take for the installation. Then click Next.
|
||||||||||
| 5. | Notice that the installer begins copying the Oracle Access Manager Identity Server files. Next select the Open Mode: No Encryption option for the Identity client and Identity Server to communicate. Click Next.
|
||||||||||
| 6. | You need to provide the Identity Server ID, host name, and port number for the Identity Server connection. For this installation, you can provide the following values and then click Next.
Note: You can use your own values for all these parameters on the basis of any changes made to the environment setup.
|
||||||||||
| 7. | If you are installing the first Identity Server instance on the host, keep the default selected option Yes and click Next.
|
||||||||||
| 8. | You can use SSL between the Identity Server and the Directory Server. By default, the Directory Server hosting user data is in SSL and Directory Server hosting Oracle data is in SSL check boxes are deselected. You will not be using SSL for this setup. Keeping the check boxes deselected, click Next.
|
||||||||||
| 9. | The OID will be used as user repository. This is used to host the user data for the Identity Server. In this case, you select Oracle Internet Directory from the Directory Server Type drop-down menu and click Next.
|
||||||||||
| 10. | The directory server hosting user data and Oracle data could be in same or different directories. In this case, the same OID instance will host both user and Oracle (Oblix) data. Select Oracle data will be in the user data directory and click Next.
|
||||||||||
| 11. | The directory server schema needs to be extended to store the Oracle Access Manager schema. To configure the user repository with the OAM Access Manager schema, retain the Yes option and click Next.
|
||||||||||
| 12. | Provide the following information for the Oracle Internet Directory that hosts user data and click Next.
|
||||||||||
| 16. | Enter identity as the Windows Service Name and click Next.
|
||||||||||
| 17. | You can view the Readme page and then click Next.
|
||||||||||
| 18. | You can review the server settings and click Finish.
|
||||||||||
| 19. | Start the Oracle Access Manager Identity Server (identity) service.
Note: In this environment, you start it from a batch file that runs a NET START command to start the identity service. You can also start it by navigating to Start > Control Panel > Administrative Tools > Services, right-clicking the Oracle Access Manager Identity Server (identity) service, and selecting Start.
|
||||||||||
| 20. | You can verify the schema for Oracle data (Oblix) in the OID by navigating to Oracle Directory Manager > Oracle Internet Directory Servers > orcladmin@ten.mydomain.com:13060 > Schema Management. You will find the Oracle (Oblix)-specific objectclasses (on the Object Classes tabbed page) and attributes (on the Attributes tabbed page) created when the OID schema was extended by the Identity Server installer.
|
A WebPass is a Web server plug-in that passes information back and forth between a Web server and the Identity Server. A WebPass can communicate with multiple Identity servers. Each Web server that communicates with the Identity Server must be configured with a WebPass. In an Oracle Access Manager installation, at least one WebPass must be installed on a Web server and configured to communicate with at least one Identity Server. After installing an Identity Server and a WebPass, you must complete an initial Identity System setup process to enable communication between the Identity Server and the WebPass. The WebPass performs the following functions:
For this setup, the WebPass will be installed as a plug-in on Oracle HTTP Server (OHS) that comes with the Oracle Infrastructure installation. To install Oracle Access Manager WebPass, perform the following steps:
1. |
In Windows Explorer, navigate to E:\install_files\oam101401 and double-click the Oracle_Access_Manager10_1_4_0_1_Win32_OHS_WebPass.exe file. Then click Next. This command launches the Oracle Access Manager installer that will install Oracle Access Manager WebPass.
|
||||||||
2. |
To install Oracle Access Manager WebPass, you need to have administrative privileges. If you are logged in as a different user, you need to exit the installation, log in as the Administrator, and then restart the installation. Then click Next.
|
||||||||
| 3. | In the Destination Name text box, set the installation directory to E:\webpass and click Next.
|
||||||||
| 4. | Review the location to which Oracle Access Manager WebPass is getting installed and the total disk size it would take for the installation. Then click Next. .
|
||||||||
| 5. | Notice that the installer begins copying the Oracle Access Manager WebPass files. Select the Open Mode: No Encryption option for the WebPass and Identity Server to communicate and click Next.
|
||||||||
| 6. | You need to provide the WebPass ID, host name, and port number for the Identity Server connection. For this installation, you can provide the following values and then click Next.
Note: You can use your own values for all these parameters on the basis of any changes made to the environment setup.
|
||||||||
| 7. | The Web server needs to be configured by modifying the configuration of the Web server directory. This change is reflected in the httpd.conf file for the OHS instance that is part of the infrastructure installation. To automatically update this configuration, retain the automatic update selection and click Next.
|
||||||||
| 8. | You need to provide the absolute path for the httpd.conf file to the installer for WebPass. Click Browse and navigate to E:\infra\Apache\Apache\conf\httpd.conf, and then click Next. Again click Next.
|
||||||||
| 9. | Notice that the Web server configuration has been modified for the OHS. You need to restart the Identity Server and the Web server for the changes to take effect. To restart the Identity Server, select Start > Control Panel > Administrative Tools and double-click Services. Right-click the Oracle Access Manager Identity Server (identity) service and select Restart.
Note: Do not click Next before you start the Identity Server and restart the Web server.
|
||||||||
| 10. | To restart the Web server, execute the following commands in sequence from <OHS_home>\opmn\bin: E:\infra\opmn\bin>opmnctl stopproc process-type=HTTP_Server E:\infra\opmn\bin>opmnctl startproc process-type=HTTP_Server
|
||||||||
| 11. | You can view the Readme page and then click Next.
|
||||||||
| 12. | Review the WebPass configuration settings and click Finish.
|
||||||||
| 13. | To verify the WebPass installation, access the Identity Administration page using the following URL: http://<hostname>.<domainname>/identity/oblix
Note: For this environment, use the URL http://ten.mydomain.com:7777/identity/oblix where 7777 is the port on which the OHS will route the access to the Identity Server.
|
Oracle Access Manager requires Identity System Console set up to complete the installation configuration. To complete the post-installation configuration, perform the following steps:
1. |
Open the browser and enter the URL to access the Identity System Console in the following format, and then click Identity System Console. http://<hostname>.<domainname>/identity/oblix
Note: Before you begin, ensure that the Oracle Access Manager Identity Server (identity) service and the infrastructure OHS are started and running.
|
||||||||||||||
2. |
Notice that the System Console Application is not set up. Then click Setup to perform the configuration.
|
||||||||||||||
| 3. | For the Directory Server type for User data, select Oracle Internet Directory and then click Next.
|
||||||||||||||
| 4. | You can view the note for the schema changes where the installer needs to update the Oracle Access Manager Identity schema into the directory. Scroll down and click Next.
|
||||||||||||||
| 5. | You need to specify the location of the LDAP Server that will store user data. For this, provide the following parameters for the OID Server and then click Next.
|
||||||||||||||
| 6. | The configuration DN is the directory tree where Oracle Access Manager stores the configuration data. Oracle Access Manager Identity System and Oracle Access Manager System need to use the same configuration data. The searchbase is the node in the directory tree where user data is stored. In this case, the searchbase will point to the parent of the cn=Users container and the ou=vendors container configured in OID. The configuration DN will point to the location where the o=oblix container will be created in OID. To set the searchbases and the configuration DN, provide the following values and click Next:
|
||||||||||||||
| 7. | The Person Object Class defines the primary objectclass for people in the user directory. This will vary by the specific type of directory used for user information or if directory schema extensions are made to define a new type of ‘person’ object. Provide the value for the Person Object Class as inetOrgPerson and click Next.
Note: By default, retain the Auto configure objectclass check box selected.
|
||||||||||||||
| 8. | The Group Object Class defines the primary objectclass for groups in the user directory. This will vary by the specific type of directory used for user information or if directory schema extensions are made to define a new type of default "group" object. Provide the values for the Group Object Class as groupOfUniqueNames and click Next.
Note: By default, retain the Auto configure objectclass check box selected.
|
||||||||||||||
| 9. | The basic connection information for the directories is completed. You need to restart both the Identity Server and the OHS Web Server for these changes to take effect and then perform the basic configuration schema mappings. After you perform the restart (from the next four steps), click Next.
Note: You need to click Next only after you perform step 10 through 13.
|
||||||||||||||
| 10. | To stop the Identity Server, select Start > Control Panel > Administrative Tools and double-click Services. Right-click the Oracle Access Manager Identity Server (identity) service and select Stop.
|
||||||||||||||
| 11. | To stop and start the OHS, browse to <Infra_home>\opmn\bin and execute the following commands: E:\infra\opmn\bin>opmnctl stopproc process-type=HTTP_Server E:\infra\opmn\bin>opmnctl startproc process-type=HTTP_Server
|
||||||||||||||
| 12. | To start the Identity Server, select Start > Control Panel > Administrative Tools and double-click Services. Right-click the Oracle Access Manager Identity Server (identity) service and select Start.
|
||||||||||||||
| 13. | You can verify the configuration values set for the inetOrgPerson objectclass. After you review the complete schema mapping for this objectclass, click Yes.
|
||||||||||||||
| 14. | You can verify the configuration values set for the groupOfUniqueNames group objectclass. After you review the complete schema mapping for this groupclass, click Yes.
|
||||||||||||||
| 15. | Oracle Access Manager administrators have access to system configuration and system management functions. In this setup, one or more Oracle Access Manager Master Administrators need to be assigned. These users can configure the rest of the Oracle Access Manager installations. To identify these users, click Select User.
|
||||||||||||||
| 16. | Search for Rohit Younger as Full Name and click Go.
|
||||||||||||||
| 17. | You can view the user Rohit Younger. Click Add to select him as the master administrator.
|
||||||||||||||
| 18. | Click Done to return to the Configure Administrators section. You can view that Rohit Younger is now listed as Master Administrators. Click Next.
|
||||||||||||||
| 19. | The default directories of the Oracle Access Manager Identity Server installation should be secured. Next click Done.
|
||||||||||||||
| 20. | Open the browser and enter the URL in the following format to access the Identity System Console. Then click Identity System Console. http://<hostname>.<domainname>/identity/oblix
|
||||||||||||||
| 21. | You can authenticate as a Master Administrator you selected earlier. Enter rohit.younger as the username and abcd1234 as the password. Click Login.
|
The Policy Manager is installed on a Web server with a WebPass (under the same parent directory where WebPass is installed). The Policy Manager communicates with the Directory Server to write policy data and communicates with the Access Server over the Oracle Access Protocol to update the Access Server for policy modifications. When the Policy Manager receives requests from a WebGate instance, the Policy Manager queries the authentication, authorization, and auditing rules stored in the directory server. Based on the rules, the Policy Manager responds to the WebGate.
To install Oracle Access Manager Policy Manager, perform the following steps:
1. |
In Windows Explorer, navigate to E:\install_files\oam101401 and double-click the Oracle_Access_Manager10_1_4_0_1_Win32_OHS_Policy_Manager.exe
|
2. |
You need to have the administrative privileges to run the installation. If you are logged in as a different user, you need to exit the installation, log in as the Administrator and then restart the installation. Then click Next.
|
| 3. | In the Destination Name text box, set the installation directory to E:\webpass and click Next.
Note: The destination directory for WebPass installation further creates subdirectories for WebPass as E:\webpass\identity and for policy manager as E:\webpass\access. |
| 4. | Review the location to which Oracle Access Manager Policy Manager is getting installed and the total disk size it would take for the installation. Then click Next.
|
| 5. | The Policy Manager needs to connect to an LDAP server to store the policy data. Select Oracle Internet Directory from the drop-down menu and click Next.
Note: The policy data (similar to configuration data) is being accessed from OID (under o=oblix container).
|
| 6. | Notice that the installer prompts you to extend the LDAP schema with the Oracle schema. You have already extended the schema during the installation for Identity Server. Select the No option button and click Next.
Note: Because you are storing both the configuration and policy data in the same instance of OID and you have already extended the schema for that instance of OID during the configuration data set up earlier, you choose not to extend the schema again. However, if you choose to store the policy data in a different instance of OID or in another LDAP directory, you would need to extend the schema for that directory server instance in this step.
|
| 7. | In this setup, you do not use SSL for any of the directory services. Leave the check box options deselected and click Next.
|
| 8. | Select the Open Mode: No Encryption option for the Policy Manager and Access Server to communicate and click Next.
|
| 9. | The installation of Policy Manager needs to update the Web server (OHS). In this case, the httpd.conf configuration file is updated. To confirm this update, retain the Yes option and then click Next.
Note: You have already updated the httpd.conf file during the WebPass installation and now you are again updating the same httpd.conf for Policy Manager installation. |
| 10. | Enter E:\infra\Apache\Apache\conf\httpd.conf in the file location and click Next.
|
| 11. | You need to restart the Web server (OHS) so that the changes done by the Policy Manager installer takes effect. Execute the following commands in sequence from <infra_home>\opmn\bin and then click Next. E:\infra\opmn\bin>opmnctl stopproc processs-type=HTTP_Server E:\infra\opmn\bin>opmnctl startproc process-type=HTTP_Server
|
| 12. | You can view the Readme page and then click Next.
|
| 13. | Notice that Policy Manager has been successfully installed. Click Finish.
|
| 14. | To verify the Policy Manager installation, access the Access Administration page using the following URL: http://<hostname>.<domainname>/identity/oblix
|
At this point, you can view the Oracle Access Manager - Access main page, but most of the links would be nonoperational. To configure the Access System Console, perform the following steps:
| 1. | To configure the Access System Console, click Access System Console and then click Setup.
|
||||||||||||
| 2. | OID will be the user directory server where access system can route the information for accessing user repositories. Select the Oracle Internet Directory option from the drop-down menu and click Next.
|
||||||||||||
| 3. | Provide the following information for the directory server hosting the user data and click Next.
|
||||||||||||
| 4. | You need to select the directory server hosting the configuration data. For this setup, select Oracle Internet Directory and click Next.
|
||||||||||||
| 5. | You can store the configuration data and user data either in the same LDAP server or in different LDAP servers. For this setup, you select the Store Configuration Data in the User Directory Server option and click Next.
|
||||||||||||
| 6. | You can store the policy data and user data either in the same LDAP server or in different LDAP servers. For this setup, you select the Store Policy Data in the User directory server option and click Next.
|
||||||||||||
| 7. | Provide the following information for the location for Oracle Access Manager Configuration data, Searchbase, and Policybase. Then click Next.
Note: o=oblix,dc=mydopartners,dc=com stores both the configuration and policy data.
|
||||||||||||
| 8. | Enter inetOrgPerson as the Person Object Class and click Next.
|
||||||||||||
| 9. | You need to restart the Web server (OHS). For this, perform the following steps and then click Next. E:\infra\opmn\bin>opmnctl stopproc process-type=HTTP_Server E:\infra\opmn\bin>opmnctl startproc process-type=HTTP_Server
|
||||||||||||
| 10. | You need to specify the Root directory for the policy domains. The subdirectories for policy domains will be created under the location that you specify. Enter / and click Next.
|
||||||||||||
| 11. | Select the Yes option to configure the authentication schemas and click Next.
|
||||||||||||
| 12. | To configure the authentication schema, select the Basic Over LDAP check box and click Next.
|
||||||||||||
| 13. | Review the Basic Over LDAP authentication scheme configuration (retain all the default values) and click Next.
|
||||||||||||
| 14. | Select the Yes option to configure policies that will protect the NetPoint Identity System and Access manager and click Next.
|
||||||||||||
| 15. | The installation for Policy Manager is complete. You need to restart the Identity Server and the Web server (from the next three steps), and then click Done.
|
||||||||||||
| 16. | To stop the Identity Server, click Start > Control Panel > Administrative Tools and double-click Services. Right-click the Oracle Access Manager Identity Server (identity) service and select Stop.
|
||||||||||||
| 17. | You need to restart the Web server (OHS). For this, perform the following steps and then click Next. E:\infra\opmn\bin>opmnctl stopproc process-type=HTTP_Server E:\infra\opmn\bin>opmnctl startproc process-type=HTTP_Server
|
||||||||||||
| 18. | To start the Identity Server, select Start > Control Panel > Administrative Tools and double-click Services. Right-click the Oracle Access Manager Identity Server (identity) service and select Start.
|
||||||||||||
| 19. | To verify access system console setup, access the following URL and click Access System Console: http://<hostname>.<domainname>/access/oblix
|
||||||||||||
| 20. | Enter rohit.youngeras the username and abcd1234 as the password, and then click Login.
|
||||||||||||
| 21. | You can view the Access System Console information.
|
The Access Server plays a key role in authentication and authorization. Authentication involves determining what authentication method is required for a resource and gathering credentials from the Directory Server, and then returning an HTTP response based on the results of credential validation to the access client (WebGate or AccessGate). Authorization involves gathering access information and granting access based on a policy domain stored in the directory and the identity established during authentication. To install Oracle Access Manager Access Server, perform the following steps:
1. |
Before you can install an Access Server, you need to create an instance for it within the Access System Console. Failure to do so will cause your Access Server installation to fail. To create an instance for the Access Server, open the Access Administration page using the following URL and click Access System console: http://<hostname>.<domainname>/access/oblix
|
||||||||||||||
2. |
Enter rohit.younger as the username and abcd1234 as the password, and click Login.
|
||||||||||||||
3. |
Click the Access System Configuration tab. From the left pane, click Access Server Configuration and then click Add.
|
||||||||||||||
4. |
In the Add a new Access Server section, provide the following values and click Save.
Note: Leave all the other values in the form in their default state.
|
||||||||||||||
5. |
Note that the AccessServer server instance is configured for the ten.mydomain.com server on port 6035. Click Logout and then OK to exit the Access Administration console.
|
||||||||||||||
6. |
In Windows Explorer, navigate to E:\install_files\oam101401 and double-click the Oracle_Access_Manager10_1_4_0_1_Win32_Access_Server.exe file, and then click Next. This command launches the Oracle Access Manager installer that will install Access Manager.
|
||||||||||||||
7. |
To install Access Server, you need to have administrative privileges. If you are logged in as a different user, you need to exit the installation, log in as the Administrator, and then restart the installation. Then click Next.
|
||||||||||||||
| 8. | In the Destination Name text box, set the installation directory to e:\access and click Next.
|
||||||||||||||
| 9. | Review the location to which Access Server is getting installed and the total disk size it would take for the installation. Then click Next.
|
||||||||||||||
| 10. | Notice that the installer begins copying the Access Server files. Next select the Open Mode: No Encryption option for the Access client (Web gates) and Access Server to communicate and click Next.
|
||||||||||||||
| 11. | You need to provide configuration information for the Access Server connection to the directory server containing Oracle configuration data. For this installation, you can provide the following values and then click Next.
Note: You can use your own values for all these parameters on the basis of any changes made to the environment setup.
|
||||||||||||||
| 12. | The policy data is stored in OID. Select the Oracle Directory option and click Next.
Note: The policy data and configuration data are both stored in the same directory server instance of OID.
|
||||||||||||||
| 13. | Provide the following values for the access server configuration details and click Next.
|
||||||||||||||
| 14. | You can view the Readme page and then click Next.
|
||||||||||||||
| 15. | You can review the Access Server configuration settings and click Finish. Next you need to start the Access Server service.
|
||||||||||||||
| 16. | Start the Oracle Access Manager Identity Server (Access) service.
Note: You can start it by navigating to Start > Control Panel > Administrative Tools > Services, right-clicking the Oracle Access Manager Identity Server (Access) service, and selecting Start.
|
The Access Server uses a Web server plug-in to communicate with the Web server. Some plug-ins for standard Web servers are provided with Oracle Access Manager. These plug-ins are referred to as WebGates. In addition, using the APIs provided, additional plug-ins can be implemented. Such customized plug-ins are referred to as AccessGates. Because of their similarity of purpose, the terms WebGate and AccessGate are often used interchangeably. A WebGate performs the following functions:
To install WebGate for OHS 1.x (that comes from the Oracle Application Server 10.1.4.0.1 Infrastructure installation), perform the following steps:
1. |
Similar to the Access Server installation, a WebGate must be defined in the configuration store before the WebGate can be installed. Open the browser and enter the URL to open the Access System in the following format and then click Access System Console: http://<hostname>.<domainname>/access/oblix
|
||||||||||||||||||||
2. |
Enter rohit.younger as the username and abcd1234 as the password. Click Login.
|
||||||||||||||||||||
| 3. | Click Add New Access Gate, provide the following values, and click Save.
Note: Leave all the other values in the form in their default state.
|
||||||||||||||||||||
| 4. | Note the warning regarding associating an Access Server with this AccessGate. Scroll down and click List Access Servers to associate the AccessGate with an Access Server.
|
||||||||||||||||||||
| 5. | Click Add to select a new Access Server for the AccessGate.
|
||||||||||||||||||||
| 6. | Select ten.mydomain.com:6035 from the drop-down menu and then click Add. Note that the AccessServer you installed previously is now associated with this AccessGate and will accept communication requests from the AccessGate.
|
||||||||||||||||||||
| 7. | In Windows Explorer, navigate to E:\install_files\oam101401 and double-click the Oracle_Access_Manager10_1_4_0_1_Win32_OHS_WebGate.exe file, and then click Next. This command launches the Oracle Access Manager installer that will install the WebGate for OHS.
|
||||||||||||||||||||
| 8. | You need to have administrative privileges to run the installation. If you are logged in as a different user, you need to exit the installation, log in as the Administrator and then restart the installation. Then click Next.
|
||||||||||||||||||||
| 9. | In the Destination Name text box, set the installation directory to E:\webgate and click Next.
|
||||||||||||||||||||
| 10. | Review the location to which WebGate for OHS is getting installed and the total disk size it would take for the installation. Then click Next.
|
||||||||||||||||||||
| 11. | Notice that the installer begins copying the WebGate files for OHS. Next select the Open Mode: No encryption option for the transport security mode and click Next.
|
||||||||||||||||||||
| 12. | Provide the following values for the WebGate configuration and click Next.
|
||||||||||||||||||||
| 13. | The Web server needs to be configured by modifying the configuration of the Web server directory. This change is reflected in the httpd.conf file for the OHS. To automatically update this configuration, retain the automatic update selection and click Next.
|
||||||||||||||||||||
| 14. | You need to provide the absolute path for the httpd.conf file to the installer for WebPass. Click Browse and navigate to E:\infra\Apache\Apache\conf\httpd.conf and then click Next.
|
||||||||||||||||||||
| 15. | Notice that the Web server configuration has been modified. To restart the HTTP server, perform the following steps and click Next: E:\infra\opmn\bin>opmnctl status E:\infra\opmn\bin>opmnctl restartproc process-type=HTTP_Server E:\infra\opmn\bin>opmnctl status
|
||||||||||||||||||||
| 16. | You can view the Readme page and then click Next.
|
||||||||||||||||||||
| 17. | You can review the WebGate for OHS configuration settings and click Finish.
|
||||||||||||||||||||
| 18. | To verify the status of the installed WebGate, access the following URL: http://ten.mydomain.com:7777/access/oblix/apps/webgate/bin/webgate.cgi?progid=1
|
You will now integrate Oracle Access Manager with Oracle Single Sign On in such a way that the actual user authentication is handled by OAM, and OSSO simply "trusts" the authentication performed by OAM. Oracle Portal will continue to perform user authorization after a successful user authentication. Oracle Portal still relies on Oracle Single Sign On for performing user authentication. The only difference being that OSSO is delegating the actual authentication to be handled by OAM which it will "trust."
| 1. | Define the list of host identifiers for Oracle HTTP Server that is serving Oracle Single Sign On. Use the Host Identifiers feature to enter the official name for the host, and every other name by which the host can be addressed by users. A request sent to any address on the list is mapped to the official host name, and applicable rules and policies are implemented. Log in to the Access System Console as rohit.younger.
|
|||||||||||||||
| 2. | To create a list of host identifiers for OHS serving OSSO, select Access System Configuration > Host Identifier > Add .
|
|||||||||||||||
| 3. | Enter all possible variations of the host name using your host name and IP address combinations. Click + beside the host name variations to add more variations. Click Save when finished. Log out of the Access System Console.
|
|||||||||||||||
| 4. | Log in to the Policy Manager as rohit.younger.
|
|||||||||||||||
| 5. | Click Create Policy Domain in the left navigation pane. The Create Policy Domain page appears with the General tab highlighted.
Enter OSSO as the Name and Oracle Single Sign-On Server as the Description. Then click Save.
| |||||||||||||||
| 6. | Now configure resources protected by this policy domain. Click the Resources tab of the OSSO Policy Domain. Click Add to add the first resource. .
|
|||||||||||||||
| 7. | Using a policy domain, you will protect two resources of the type http - /sso/auth and /pls/orasso/orasso.wwsso_app_admin.ls_login. Using the values shown in the following table, create two resources. Click Save after configuring each resource and click OK to confirm:
|
|||||||||||||||
| 8. | Configure default rules. Click the Default Rules tab and then click Add to create a new Authentication Rule with the following values. Click Save when done.
|
|||||||||||||||
| 9. | Click the Actions subtab to configure authentication success or failure actions. Click Add and configure Return Attributes for Authentication Success with the following information. Click Save when done.
|
|||||||||||||||
| 10. | Configure Policies for the OSSO policy domain. Click the Policies tab and then click Add to create the policy with the following values. Click Save when done.
|
|||||||||||||||
| 11. | Click the Authorization Rules tab. Click Add to create the authorization rule with the following values. Click Save when done.
|
|||||||||||||||
| 12. | Click the Allow Access subtab within the Authorization Rules tab and then click Add. Set the Role to Any one and click Save.
|
|||||||||||||||
| 13. | Click the Default Rules tab and click the Authorization Expression subtab. Click Add to add an Authorization Expression. Select OSSOAuthZ from the Authorization rules list and click Add. Scroll down and click Save.
|
|||||||||||||||
| 14. | Click My Policy Domains in the left pane. Select the check box beside OSSO policy and click Enable.
|
|||||||||||||||
| 15. | Now you will install and configure Oracle Single Sign On Authentication Plug-in. Compile the SSOOblixAuth.java file found here. Include e:\infra\sso\lib\ipastoolkit.jar and e:\infra\lib\servlet.jar in the class path. Use the command as shown below (all in one line). Assume that the location of SSOOblixAuth.java is the e:\input_files directory : cd e:\input_files e:\input_files>e:\infra\jdk\bin\javac –classpath e:\infra\sso\lib\ipastoolkit.jar;e:\infra\lib\servlet.jar -d e:\infra\sso\plugin SSOOblixAuth.java
|
| 16. | The above command creates SSOOblixAuth.class and places it in the e:\infra\sso\plugin\oblix\security\ssoplugin directory.
|
| 17. | You will now register the Java class with Oracle Single Sign On. Edit the policy.properties file in e:\infra\sso\conf and replace the simple authentication plug-in with the plug-in that you created in the previous steps. Navigate to the line: MediumSecurity_AuthPlugin=oracle.security.sso.server.auth.SSOServerAuth Comment out the existing line and add a new line to register your Java class. (When editing policy.properties, take care not to insert blank space at the end of a line.) MediumSecurity_AuthPlugin=oblix.security.ssoplugin.SSOOblixAuth
|
| 18. | Restart the single sign-on middle tier for the changes to take effect: E:\infra\opmn\bin>opmnctl restartproc process-type=HTTP_Server E:\infra\opmn\bin>opmnctl restartproc process-type=OC4J_SECURITY
|
| 19. | Finally, you will verify the completion of integration. Using a separate browser window, access the Oracle Portal home URL http://ten.mydomain.com:7778/pls/portal. Click the Login link. The Basic over LDAP challenge should appear instead of the standard Oracle Single Sign On login page. Enter Bart.Lenox as the username with abcd1234 as the password, and click OK. You are now logged in to Oracle Portal.
|
In this lesson, you learned how to:
|
Perform the Preinstallation Requirements | |
|
Install Oracle Portal | |
|
Install Oracle Access Manager Identity Server | |
|
Install Oracle Access Manager WebPass | |
|
Perform Postinstallation Configuration for Oracle Access Manager Identity Server | |
|
Install Oracle Access Manager Policy Manager | |
|
Configure Access System Console | |
|
Install Oracle Access Manager Access Server | |
|
Install Oracle Access Manager WebGate | |
|
Integrate Oracle Access Manager with Oracle Single Sign On and Oracle Portal | |
Place the cursor over this icon to hide all screenshots.