These days I am working with Oracle 10g and 11g products. One of my projects is to stand up a new Oracle 11g WebCenter Spaces Portal that would integrate with the existing Oracle 10g Single Sign On Server which is backed by Oracle Internet Directory.
For the integration to succeed, a few configuration changes have to be made in both environments.
Here is an overview of the main tasks that need to be completed to achieve the integration; each of them is described in more detail below.
- Upgrade the Oracle 10g Infrastructure tier to a supported version (as of this writing, Oracle 11g is certified against OID 10.1.4.3 or later)
  - upgrade to 10.1.4.0.1
  - upgrade to 10.1.4.3
  - apply the interim bug-fix patches
- Configure the Oracle 11g WebLogic authentication providers
  - configure OIDAuthenticator
  - configure OSSOIdentityAsserter
- Re-associate the policy store with OID
  - create a new jps root node
  - change the association
- Register the Oracle 11g WebCenter OHS with the Oracle 10g OSSO Server
  - ssoreg.sh
- Configure mod_osso for the Oracle 11g WebCenter OHS
  - mod_osso.conf
In my current project the existing environment consists of Oracle 10g (10.1.2.3) Application Server, Oracle 10g Portal Server, and Oracle 10g Internet Directory.
To integrate Oracle 11g Fusion Middleware products such as Oracle WebCenter Spaces with the Oracle SSO Server 10g, first make sure the components of the 10g environment are certified to work with the Oracle 11g Fusion Middleware stack, especially Oracle Internet Directory. OID does double duty for WebCenter Spaces: it is the identity store that authentication runs against (users and groups, through the OIDAuthenticator) and the policy store that holds the application's authorization policies.
According to the Oracle 11g certification matrix, OID needs to be at version 10.1.4.3 if it is to be used by Oracle WebCenter Spaces. Based on this, one of the tasks I needed to complete was to upgrade the existing Oracle 10g infrastructure tier to 10.1.4.3. To get to this version Oracle recommends upgrading to 10.1.4.0.1 and then applying the interim patches that bring OID to 10.1.4.3.
Once OID and the OSSO server are at 10.1.4.3, Oracle WebCenter needs to be configured. Two WebLogic security providers are needed to integrate WebCenter with OSSO: first the OIDAuthenticator, and once that provider is in place, the OSSOIdentityAsserter.
Configuring OIDAuthenticator is straightforward. Use the WebLogic Administration Console to create a new provider: log in to the admin server, go to Security Realms in the left navigation, select your realm and open the Providers tab, which lists the providers already configured. Click New and choose the Oracle Internet Directory authenticator type (OracleInternetDirectoryAuthenticator; the provider is conventionally named OIDAuthenticator). Supply the connection information for your OID (host, port, principal and credential) along with your user and group base DNs, the "prefixes" under which users and groups live. The principal only needs read access to those subtrees, so do not use cn=orcladmin for it. Set the provider's Control Flag to SUFFICIENT and set the existing DefaultAuthenticator to SUFFICIENT as well; if the DefaultAuthenticator stays at REQUIRED, every login also has to succeed against the embedded LDAP and OID users are rejected. Save and restart the admin server. To verify the setup, go back to the security realm and open the Users and Groups tab; it should list the users from your OID. Make sure OIDAuthenticator is the very first provider in the list: Oracle 11g uses the first LDAP authenticator as the identity store, so this ordering is a requirement.
Once OIDAuthenticator is set up, the second provider to configure is the OSSOIdentityAsserter. OSSOIdentityAsserter is not available in the type drop-down by default; you need to modify the setDomainEnv.sh script to make it available. I will blog about this shortly and update this post.
Once it appears in the list, select it and follow the on-screen instructions to add it to the provider list; make it the second provider, directly after OIDAuthenticator, then restart the admin server. Keep in mind what this provider does: it verifies no password of its own, it asserts the identity that mod_osso on the OHS forwards in a request header after OSSO has authenticated the user. That only stays safe while WebLogic is reachable exclusively through that OHS; a client that can reach the managed server port directly could supply the header itself, so keep those ports firewalled from everything but the OHS. Once the admin server is back up, make sure existing applications can migrate their application policies to the configured policy store (OID).
To migrate the WebCenter Spaces application policy store to an external OID-based store, log in to Enterprise Manager (EM) and go to the Security -> Security Provider Configuration page of the WebLogic domain. There you will see that by default the XML (file-based) policy store, system-jazn-data.xml, is in use. According to the Oracle documentation this is fine for development environments but should not be used in production; among other limitations, a file on one server cannot be shared by the members of a cluster.
Before you can complete the re-association you need to create a placeholder root node in OID. You can do this with OID Manager (oidadmin) or with a short LDIF file loaded through ldapadd. Once the node exists, enter its DN together with the OID host, port and bind credentials when you re-associate the default store. Use a dedicated bind user that has write access to that node rather than cn=orcladmin: the credential is saved in the domain's credential store, and the policy subtree is authorization data, so the account that can write it should not also be the directory superuser. After you submit the form, restart the admin server. Once it is back up you can confirm that the policies were migrated by looking at the root node in OID Manager: new child entries will have appeared below it.
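The LDIF step above as a small script, added here as an illustration; it is not code from the original post, and only the ldapadd and ldapsearch commands it calls are Oracle's own tools. The host oid10g.example.com, the port, the bind DN and the node name cn=jpsroot_webcenter are assumptions, and the search output that the verification step parses is a constructed sample, not real OID output:

```shell
#!/bin/sh
# Added example, not from the original post: create the OID placeholder node
# for the re-associated OPSS policy store and check that the migration filled it.
# Host, port, bind DN and node DN below are assumptions; adjust them.

OID_HOST="${OID_HOST:-oid10g.example.com}"         # assumed OID host
OID_PORT="${OID_PORT:-389}"                         # assumed non-SSL port
OID_BIND="${OID_BIND:-cn=orcladmin}"                # admin bind for the one-off create only
JPS_ROOT_DN="${JPS_ROOT_DN:-cn=jpsroot_webcenter}"  # assumed name; this is the DN you give EM

# Emit the LDIF for the root node. orclContainer is the object class Oracle
# documents for this entry; cn must equal the RDN value of the DN.
jpsroot_ldif() {
  dn="$1"
  cn="${dn#cn=}"        # strip the leading "cn="
  cn="${cn%%,*}"        # keep only the first RDN value
  printf 'dn: %s\ncn: %s\nobjectclass: top\nobjectclass: orclContainer\n' "$dn" "$cn"
}

# EM expects a cn= entry; refuse anything else before touching the directory.
valid_jpsroot_dn() {
  case "$1" in
    cn=*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Count entries in a search result. Accepts LDIF-style "dn: cn=..." lines and
# bare "cn=..." lines, since some tools print the DN without the prefix.
entry_count() {
  printf '%s\n' "$1" | grep -c -E '^(dn: )?cn=' || true
}

# One-off: load the placeholder before re-associating in EM. -q makes Oracle's
# ldap tools prompt for the password instead of taking it on the command line,
# where it would show up in the process list and shell history (use -w only
# if your client lacks -q).
create_jpsroot() {
  valid_jpsroot_dn "$JPS_ROOT_DN" || { echo "DN must be of the form cn=...: $JPS_ROOT_DN" >&2; return 1; }
  jpsroot_ldif "$JPS_ROOT_DN" > /tmp/jpsroot.ldif
  ldapadd -h "$OID_HOST" -p "$OID_PORT" -D "$OID_BIND" -q -f /tmp/jpsroot.ldif
}

# After the admin server restart: list the node's children (scope "one" leaves
# the node itself out). Zero children means nothing was migrated.
check_migration() {
  out=$(ldapsearch -h "$OID_HOST" -p "$OID_PORT" -D "$OID_BIND" -q \
        -b "$JPS_ROOT_DN" -s one "objectclass=*" dn)
  n=$(entry_count "$out")
  echo "$n child entries under $JPS_ROOT_DN"
  [ "$n" -gt 0 ]
}

# Constructed sample (not real OID output) of what a one-level search returns
# once OPSS has written its subtree below the node.
SAMPLE_AFTER='cn=child_a,cn=jpsroot_webcenter
cn=child_b,cn=jpsroot_webcenter'

case "${1:-}" in
  ldif)   jpsroot_ldif "$JPS_ROOT_DN" ;;
  create) create_jpsroot ;;
  check)  check_migration ;;
esac
```

Run it with `ldif` to see the entry, `create` before the EM re-association and `check` after the admin server restart; the check treats an empty subtree as a failure rather than a success, which is what a verification step should do.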
Once the policy store is migrated successfully, register the 11g OHS with the 10g OSSO server as a partner application. Log in to the OSSO server and go to $ORACLE_HOME/sso/bin, where you will find the ssoreg.sh script. Use it to create a new osso.conf file, which you will reference later when setting up mod_osso.conf. Oracle's documentation describes the script in detail; you need to pass it the URL of the remote mid-tier (your 11g OHS) with -mod_osso_url, the -remote_midtier flag together with a -config_file path so the configuration is written to a file instead of being applied to a local mod_osso, and a few other parameters such as the site name. Once osso.conf is created, copy it to your 11g OHS server over a secure channel (scp) and make it readable only by the OHS owner: it holds the partner application's registration secrets, so treat it like a private key.
With osso.conf in place and the 11g OHS registered with the 10g OSSO server, set up mod_osso on the 11g OHS. Locate httpd.conf and make sure mod_osso is loaded (the LoadModule line for osso_module). Then create a mod_osso.conf file and Include it from httpd.conf. In mod_osso.conf, point OssoConfigFile at the osso.conf you copied over and add Location directives telling mod_osso which paths to protect. Protect only what actually needs a login; for WebCenter that is the authentication URL (/webcenter/adfAuthentication) rather than the whole application, otherwise pages meant to be public are no longer reachable anonymously. This Oracle document explains how to configure mod_osso: http://www.oracle.com/technology/sample_code/deploy/security/Usingmod_osso.htm. Once this is set up, restart the OHS.
At this point all the configuration is in place and you can test it. Open a browser and hit a protected WebCenter URL. The request should be intercepted by mod_osso and redirected to the Oracle 10g OSSO login page for authentication; after you log in, OSSO sends you back to the OHS, mod_osso establishes its session and passes your identity on to WebLogic, where the OSSOIdentityAsserter maps it to the OID user.
If things do not go well, locate the log files on both systems. On the 10g side the place to start is the error_log in $ORACLE_HOME/Apache/Apache/logs; the OC4J_SECURITY instance logs under $ORACLE_HOME/opmn/logs are the next stop. On the 11g side, mod_osso writes to the OHS error log, which in an 11g instance lives under the instance home's diagnostics/logs/OHS/<component> directory, with the OPMN logs under diagnostics/logs/OPMN. Two things to check first: that the URL the browser uses matches the -mod_osso_url registered with ssoreg.sh (a mismatch shows up as redirect loops or rejected tokens), and that the clocks of the OSSO server and the OHS agree, since the tokens OSSO passes back carry a time stamp that mod_osso checks.
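The registration, the mod_osso.conf and the final test, combined into one script as an added example; this is not code from the original post, and only ssoreg.sh and the Osso* directives are Oracle's. The hostnames, ports, the 10g infrastructure Oracle home, the site name and the /tmp/osso.conf path are assumptions; /webcenter/adfAuthentication is WebCenter's login URL, used here instead of protecting the whole application; and the two response-header samples are constructed, not captured from a real server:

```shell
#!/bin/sh
# Added example, not from the original post: register the 11g OHS with the
# 10g OSSO server, generate a mod_osso.conf for it, and check the redirect.
# Hostnames, ports, paths and the site name are assumptions; change them.

OSSO_ORACLE_HOME="${OSSO_ORACLE_HOME:-/u01/app/oracle/product/10.1.4/infra}"  # assumed 10g infra home
OSSO_HOST="${OSSO_HOST:-sso10g.example.com}"                                 # assumed 10g SSO host
OHS_URL="${OHS_URL:-http://webcenter.example.com:7777}"                      # assumed 11g OHS front-end URL
SITE_NAME="${SITE_NAME:-webcenter.example.com}"                              # assumed partner-application name
OSSO_CONF="${OSSO_CONF:-/tmp/osso.conf}"                                     # where ssoreg writes the file

# Step 1, run on the 10g OSSO server. -remote_midtier with -config_file makes
# ssoreg write the partner-application config to a file for a mid-tier that is
# not on this host, instead of configuring a local mod_osso.
register_partner_app() {
  "$OSSO_ORACLE_HOME/sso/bin/ssoreg.sh" \
    -oracle_home_path "$OSSO_ORACLE_HOME" \
    -site_name "$SITE_NAME" \
    -config_mod_osso TRUE \
    -mod_osso_url "$OHS_URL" \
    -remote_midtier \
    -config_file "$OSSO_CONF" \
    -admin_info cn=orcladmin
  chmod 600 "$OSSO_CONF"   # registration secrets: owner-readable only, copy with scp
}

# Step 2, the mod_osso.conf for the 11g OHS. Only the WebCenter login URL is
# protected so public pages stay anonymous; a <Location /webcenter> would push
# every visitor through OSSO. The module path is the usual 11g OHS one.
mod_osso_conf() {
  osso_conf_path="$1"
  cat <<EOF
LoadModule osso_module "\${ORACLE_HOME}/ohs/modules/mod_osso.so"
<IfModule mod_osso.c>
    OssoIpCheck off
    OssoIdleTimeout off
    # OssoSecureCookies on   # enable once the OHS is served over HTTPS
    OssoConfigFile $osso_conf_path
    <Location /webcenter/adfAuthentication>
        require valid-user
        AuthType Osso
    </Location>
</IfModule>
EOF
}

# Step 3, the test. An unauthenticated request to the protected URL must come
# back as a 302 whose Location is on the 10g SSO host. Feed this function the
# output of:  curl -sI "$OHS_URL/webcenter/adfAuthentication"
sso_redirect_check() {
  headers="$1"
  sso_host="$2"
  status=$(printf '%s\n' "$headers" | head -n 1 | tr -d '\r' | cut -d ' ' -f 2)
  location=$(printf '%s\n' "$headers" | tr -d '\r' | grep -i '^Location:' | head -n 1 | sed 's/^[Ll]ocation:[[:space:]]*//')
  case "$status" in
    302|303) ;;
    *) return 1 ;;   # no redirect at all: mod_osso is not protecting this path
  esac
  case "$location" in
    http://"$sso_host"/*|https://"$sso_host"/*|http://"$sso_host":*|https://"$sso_host":*) return 0 ;;
    *) return 1 ;;   # redirected elsewhere: compare the registered mod_osso_url and osso.conf
  esac
}

# Constructed header samples (not captured from a real server) for the check above.
SAMPLE_REDIRECT='HTTP/1.1 302 Found
Date: Fri, 01 Jan 2010 00:00:00 GMT
Location: https://sso10g.example.com/sso/auth?site2pstoretoken=constructed
Cache-Control: no-cache'

SAMPLE_NO_INTERCEPT='HTTP/1.1 200 OK
Date: Fri, 01 Jan 2010 00:00:00 GMT
Content-Type: text/html'

case "${1:-}" in
  register) register_partner_app ;;
  conf)     mod_osso_conf "$OSSO_CONF" ;;
  check)    sso_redirect_check "$(curl -sI "$OHS_URL/webcenter/adfAuthentication")" "$OSSO_HOST" \
              && echo "redirect to $OSSO_HOST OK" || echo "no OSSO redirect; check the OHS error_log" ;;
esac
```

Run `register` on the 10g SSO server, then on the OHS host write the `conf` output into the instance's moduleconf directory (the files there are included by httpd.conf automatically in 11g), restart the OHS and run `check`. The redirect check deliberately fails when the Location points at any host other than the SSO server you expect, which is the symptom of a wrong or stale osso.conf.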