In this post we shall see integration of WebCenter Content 11.1.1.9 with Oracle Access Manager (OAM) 11.1.2.0.
Assumption:
1) Oracle Access Manager 11gR2 installed and configured.
2) Oracle Internet Directory installed and configured.
3) OAM Integrated with OID.
4) Oracle HTTP Server installed and configured.
5) Oracle Webcenter Content 11.1.1.9 installed and configured.
6) Oracle Webgate installed
7) Oracle Webgate integrated with OAM and OHS.
1) Create OAM Identity Asserter Provider in UCM Domain:
2) Login to the weblogic console--> Navigate to security realms -> myrealm -> Providers
3) Click New, and then enter a name and select a type:
Name:OAM Identity Asserter
Type: OAMIdentityAsserter
Click OK
In the Authentication Providers table, click the newly added authenticator(OAM Identity Asserter) Click the Common tab, set the Control Flag to REQUIRED.
Click the Common tab, specify the chosen Active Type for your installed WebGate,
Note : Both ObSSOCookie and OAM_REMOTE_USER must be set as Active Types for the asserter. Without both of these set as Active Types, you will be re-prompted by WebLogic for authentication after authenticating to OAM.
4) Click Save.
1) Associate WebCenter Content Domain with Identity Store (For ex OID/OVD)
Note : When you install the content server it uses the weblogic embedded identity store.
2) Create OID Authenticator Provider in UCM Domain:
3) Login to the weblogic console--> Navigate to security realms -> myrealm -> Providers
4) Click New, and then enter a name and select a type:
Name: OID Authenticator
Type: OracleInternetDirectoryAuthenticator
Click OK.
In the Authentication Providers table, click the newly added authenticator.(OID Authenticator )
On the Settings page, click the Common tab, set the Control Flag to SUFFICIENT.
Click Save.
Click the Provider Specific tab and specify the following required settings using values for your own environment:
1) Default Authenticator: Perform the following steps to set up the Default Authenticator for use with the Identity Asserter:
2) Go to Security Realm--myrealm-- >click Providers.
3) Click DefaultAuthenticator to see its configuration page.
4) Click the Common tab and set the Control Flag to SUFFICIENT
5) Click Save.
1) Go to Security Realm--myrealm-- >click Providers.
2 ) On the Summary page where providers are listed, click the Reorder button
3) On the Reorder Authentication Providers page, list to order the providers as follows:
5) Activate Changes.
6) Restart Oracle WebLogic Admin Server and Content Server.
1) Navigate to $ORACLE_ECM1/common/bin.
2) Launch WLST by issuing the './wlst.sh' command.
3) From the wlst prompt, issue the 'connect' command to connect to the WebLogic Admin Server running within your UCM domain. For example:
connect('weblogic','welcome1','localhost:7001')
4) Once connected to your WebLogic instance, issue the following command exactly as shown below.
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",logouturi="/oamsso/logout.html",autologinuri="/obrar.cgi")
5) Disconnect from WLST by issuing the 'exit()' command.
6) Restart UCM server and Admin Server.
1) Edit mod_wl_ohs.conf file @ <OHS_Home>/instances/<webtierInstance>/config/OHS/<ohsInstance>
2) Add below entry
<IfModule>
<Location /cs>
SetHandler weblogic-handler
WebLogicHost <hostname>
WebLogicPort <portnumber>
</Location>
# UCM Content Server authentication
<Location /adfAuthentication>
SetHandler weblogic-handler
WebLogicHost <hostname>
WebLogicPort <portnumber>
</Location>
# UCM online help
<Location /_ocsh>
SetHandler weblogic-handler
WebLogicHost <hostname>
WebLogicPort <portnumber>
</Location>
</IfModule>
3) Save and close the file.
4) Restart the OHS Webgate instance.
1) Ensure that the Oracle
Access Manager Access Server, Oracle HTTP Server configured for OAM
Webgate, Oracle Internet Directory, and Oracle Universal Content
Management (UCM) are all running.
2) Access the Oracle UCM instance through the OAM Webgate at the address of http://<ohs-host>:<ohs-port>/cs.
3) An OAM web form login should be presented. Login with valid credentials stored within the OID instance that UCM and OAM share.
4) The UCM page should be presented with no other authentication challenges.
Assumption:
1) Oracle Access Manager 11gR2 installed and configured.
2) Oracle Internet Directory installed and configured.
3) OAM Integrated with OID.
4) Oracle HTTP Server installed and configured.
5) Oracle Webcenter Content 11.1.1.9 installed and configured.
6) Oracle Webgate installed
7) Oracle Webgate integrated with OAM and OHS.
Creation of OAM Identity Provider in UCM Domain:
1) Create OAM Identity Asserter Provider in UCM Domain:
2) Login to the weblogic console--> Navigate to security realms -> myrealm -> Providers
3) Click New, and then enter a name and select a type:
Name:OAM Identity Asserter
Type: OAMIdentityAsserter
Click OK
In the Authentication Providers table, click the newly added authenticator(OAM Identity Asserter) Click the Common tab, set the Control Flag to REQUIRED.
Click the Common tab, specify the chosen Active Type for your installed WebGate,
Note : Both ObSSOCookie and OAM_REMOTE_USER must be set as Active Types for the asserter. Without both of these set as Active Types, you will be re-prompted by WebLogic for authentication after authenticating to OAM.
4) Click Save.
Creation of OID Authenticator Provider in UCM Domain:
1) Associate WebCenter Content Domain with Identity Store (For ex OID/OVD)
Note : When you install the content server it uses the weblogic embedded identity store.
2) Create OID Authenticator Provider in UCM Domain:
3) Login to the weblogic console--> Navigate to security realms -> myrealm -> Providers
4) Click New, and then enter a name and select a type:
Name: OID Authenticator
Type: OracleInternetDirectoryAuthenticator
Click OK.
In the Authentication Providers table, click the newly added authenticator.(OID Authenticator )
On the Settings page, click the Common tab, set the Control Flag to SUFFICIENT.
Click Save.
Click the Provider Specific tab and specify the following required settings using values for your own environment:
- Host: Server details where OID is installed
- Port: Port no of OID ( Default 3060)
- Principal: LDAP administrative user. For example
cn=orcladmin.
- Credential: LDAP administrative user password.
- User Base DN: Same searchbase as in Oracle Access Manager. ( cn=users,dc=example,dc=com)
- All Users Filter: For example:
(&(uid=*)(objectclass=person))
- User Name Attribute: Set as the default attribute for username in the LDAP directory. For example: cn
- Group Base DN: The group searchbase (same as User Base DN)
- Do not set the All Groups filter as the default works fine as is.
Changing control flag of Default Authenticator :
1) Default Authenticator: Perform the following steps to set up the Default Authenticator for use with the Identity Asserter:
2) Go to Security Realm--myrealm-- >click Providers.
3) Click DefaultAuthenticator to see its configuration page.
4) Click the Common tab and set the Control Flag to SUFFICIENT
5) Click Save.
Reorder Providers:
2 ) On the Summary page where providers are listed, click the Reorder button
3) On the Reorder Authentication Providers page, list to order the providers as follows:
- OAM Identity Asserter (REQUIRED)
- OID Authenticator (SUFFICIENT)
- Default Authenticator (SUFFICIENT)
5) Activate Changes.
6) Restart Oracle WebLogic Admin Server and Content Server.
Configuring Centralized logout for webcenter content:
1) Navigate to $ORACLE_ECM1/common/bin.
2) Launch WLST by issuing the './wlst.sh' command.
3) From the wlst prompt, issue the 'connect' command to connect to the WebLogic Admin Server running within your UCM domain. For example:
connect('weblogic','welcome1','localhost:7001')
4) Once connected to your WebLogic instance, issue the following command exactly as shown below.
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",logouturi="/oamsso/logout.html",autologinuri="/obrar.cgi")
5) Disconnect from WLST by issuing the 'exit()' command.
6) Restart UCM server and Admin Server.
Configuring the OHS Webgate to Proxy Requests to UCM:
1) Edit mod_wl_ohs.conf file @ <OHS_Home>/instances/<webtierInstance>/config/OHS/<ohsInstance>
2) Add below entry
<IfModule>
<Location /cs>
SetHandler weblogic-handler
WebLogicHost <hostname>
WebLogicPort <portnumber>
</Location>
# UCM Content Server authentication
<Location /adfAuthentication>
SetHandler weblogic-handler
WebLogicHost <hostname>
WebLogicPort <portnumber>
</Location>
# UCM online help
<Location /_ocsh>
SetHandler weblogic-handler
WebLogicHost <hostname>
WebLogicPort <portnumber>
</Location>
</IfModule>
3) Save and close the file.
4) Restart the OHS Webgate instance.
Protect above mentioned resources at OAM side:
1) Create Resource
2) Create Authentication Policy and Authorization Policy
3) Create Authentication Scheme
4) Create Authentication Module
5) Create User Identity Store
Testing the Configuration:
2) Access the Oracle UCM instance through the OAM Webgate at the address of http://<ohs-host>:<ohs-port>/cs.
3) An OAM web form login should be presented. Login with valid credentials stored within the OID instance that UCM and OAM share.
4) The UCM page should be presented with no other authentication challenges.
No comments:
Post a Comment