In this post we shall see the integration of WebCenter Portal 11.1.1.9 with Oracle Access Manager (OAM) 11.1.2.0.
Assumptions:
1) Oracle Access Manager 11gR2 installed and configured.
2) Oracle Internet Directory installed and configured.
3) OAM integrated with OID.
4) Oracle HTTP Server installed and configured.
5) Oracle WebCenter Portal 11.1.1.9 installed and configured.
6) Oracle WebGate installed.
7) Oracle WebGate integrated with OAM and OHS.
Creation of OAM Identity Asserter Provider in PORTAL Domain:
1) Log in to the WebLogic console and navigate to Security Realms -> myrealm -> Providers.
2) Click New, then enter a name and select a type:
Name: OAM Identity Asserter
Type: OAMIdentityAsserter
Click OK.
3) In the Authentication Providers table, click the newly added provider (OAM Identity Asserter). On the Common tab, set the Control Flag to REQUIRED.
4) Still on the Common tab, set the Active Types for your installed WebGate. Note: both ObSSOCookie and OAM_REMOTE_USER must be set as Active Types for the asserter. Without both of them, WebLogic will prompt you for authentication again after you have authenticated to OAM.
5) Click Save.
Creation of OID Authenticator Provider in PORTAL Domain:
1) Associate the WebCenter Portal domain with the identity store (for example OID or OVD) by creating an OID Authenticator provider, as follows.
Note: when you install the content server, it uses the WebLogic embedded identity store.
2) Log in to the WebLogic console and navigate to Security Realms -> myrealm -> Providers.
3) Click New, then enter a name and select a type:
Name: OID Authenticator
Type: OracleInternetDirectoryAuthenticator
Click OK.
4) In the Authentication Providers table, click the newly added authenticator (OID Authenticator).
5) On the Settings page, click the Common tab and set the Control Flag to SUFFICIENT. Click Save.
6) Click the Provider Specific tab and specify the following required settings, using values for your own environment:
- Host: the server where OID is installed
- Port: the OID port (default 3060)
- Principal: the LDAP administrative user, for example cn=orcladmin
- Credential: the LDAP administrative user's password
- User Base DN: the same search base as in Oracle Access Manager, for example cn=users,dc=example,dc=com
- All Users Filter: for example (&(uid=*)(objectclass=person))
- User Name Attribute: the default username attribute in the LDAP directory, for example cn
- Group Base DN: the group search base (same as the User Base DN)
- All Groups Filter: leave the default; it works fine as is.
Changing the control flag of the Default Authenticator:
Perform the following steps to set up the Default Authenticator for use with the Identity Asserter:
1) Go to Security Realms -> myrealm -> Providers.
2) Click DefaultAuthenticator to open its configuration page.
3) Click the Common tab and set the Control Flag to SUFFICIENT.
4) Click Save.
Reorder Providers:
1) Go to Security Realms -> myrealm -> Providers.
2) On the Summary page where the providers are listed, click the Reorder button.
3) On the Reorder Authentication Providers page, order the providers as follows:
- OAM Identity Asserter (REQUIRED)
- OID Authenticator (SUFFICIENT)
- Default Authenticator (SUFFICIENT)
4) Activate Changes.
5) Restart the Oracle WebLogic Admin Server and the Portal (WC_Spaces) server.
Configuring Centralized Logout for WebCenter Portal:
1) Navigate to $ORACLE_WC1/common/bin.
2) Launch WLST with the './wlst.sh' command.
3) From the WLST prompt, issue the 'connect' command to connect to the WebLogic Admin Server of your PORTAL domain. For example:
connect('weblogic','welcome1','localhost:7001')
4) Once connected to your WebLogic instance, issue the following command exactly as shown:
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",logouturi="/oamsso/logout.html")
5) Disconnect from WLST with the 'exit()' command.
6) Restart the Portal (WC_Spaces) server and the Admin Server.
Configuring the OHS WebGate to Proxy Requests to WC_Spaces:
1) Edit the mod_wl_ohs.conf file at <OHS_Home>/instances/<webtierInstance>/config/OHS/<ohsInstance>.
2) Add the entry below. Replace Hostname with the host of the WebLogic managed server that serves each context; the ports are the WebCenter defaults for WC_Spaces (8888), WC_Collaboration (8890) and WC_Utilities (8891).
<IfModule weblogic_module>
    <Location /webcenter>
        SetHandler weblogic-handler
        WebLogicHost Hostname
        WebLogicPort 8888
    </Location>
    <Location /webcenterhelp>
        SetHandler weblogic-handler
        WebLogicHost Hostname
        WebLogicPort 8888
    </Location>
    <Location /rss>
        SetHandler weblogic-handler
        WebLogicHost Hostname
        WebLogicPort 8888
    </Location>
    <Location /rest>
        SetHandler weblogic-handler
        WebLogicHost Hostname
        WebLogicPort 8888
    </Location>
    <Location /owc_discussions>
        SetHandler weblogic-handler
        WebLogicHost Hostname
        WebLogicPort 8890
    </Location>
    <Location /activitygraph-engines>
        SetHandler weblogic-handler
        WebLogicHost Hostname
        WebLogicPort 8891
    </Location>
    <Location /wcps>
        SetHandler weblogic-handler
        WebLogicHost Hostname
        WebLogicPort 8891
    </Location>
</IfModule>
3) Save and close the file.
4) Restart the OHS WebGate instance.
Configuring WebCenter Spaces for SSO:
1) Edit setDomainEnv.sh to set the parameter oracle.webcenter.spaces.osso to true:
cd $DOMAIN_HOME/bin
vi setDomainEnv.sh
Add the following:
EXTRA_JAVA_PROPERTIES="-Doracle.webcenter.spaces.osso=true ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
2) Save the file.
3) Restart the Admin Server and the WC_Spaces server.
Protect the above-mentioned resources on the OAM side:
1) Create the Resources (one for each context proxied by OHS above).
2) Create the Authentication Policy and the Authorization Policy.
3) Create the Authentication Scheme.
4) Create the Authentication Module.
5) Create the User Identity Store.
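As an added check that is not part of the original post, the following Python parses the Location blocks of a mod_wl_ohs.conf fragment like the one above and reports any proxied context that is missing a directive or is not covered by an OAM resource pattern, which ties the OHS proxy section to the list of resources to protect in OAM. The sample configuration and the resource patterns are constructed for the example.

```python
import re
# Constructed sample of the mod_wl_ohs.conf fragment from this post: the /wcps
# block is deliberately missing its port and is absent from OAM_PROTECTED below.
SAMPLE_CONF = """<IfModule weblogic_module>
<Location /webcenter>
SetHandler weblogic-handler
WebLogicHost wc.example.com
WebLogicPort 8888
</Location>
<Location /wcps>
SetHandler weblogic-handler
WebLogicHost wc.example.com
</Location>
</IfModule>
"""
# Constructed resource URLs as they would be defined in the OAM application domain.
OAM_PROTECTED = ["/webcenter/**", "/oamsso/**"]
LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S)

def parse_locations(conf):
    """Return {path: {directive: value}} for every <Location> block in conf."""
    blocks = {}
    for path, body in LOCATION_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                directives[parts[0]] = parts[1].strip()
        blocks[path] = directives
    return blocks

def is_protected(path, patterns):
    """True if an OAM resource pattern (e.g. /webcenter/**) covers the context path."""
    for pat in patterns:
        base = pat[:-3] if pat.endswith("/**") else pat
        if not base or path == base or path.startswith(base + "/"):
            return True
    return False

def audit(conf, patterns):
    """List proxied contexts that are incomplete or that OAM does not protect."""
    findings = []
    for path, d in parse_locations(conf).items():
        for key in ("SetHandler", "WebLogicHost", "WebLogicPort"):
            if key not in d:
                findings.append(f"{path}: missing {key}")
        if not is_protected(path, patterns):
            findings.append(f"{path}: proxied by OHS but not protected in OAM")
    return findings
```

Run audit() against your real mod_wl_ohs.conf text and the resource URLs from your OAM application domain; an empty list means every proxied context is complete and protected.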
Testing the Configuration:
1) Ensure that the Oracle Access Manager server, the Oracle HTTP Server configured with the OAM WebGate, Oracle Internet Directory and Oracle WebCenter Portal (WC_Spaces) are all running.
2) Access the Portal instance through the OAM WebGate at http://<ohs-host>:<ohs-port>/webcenter
3) An OAM web form login should be presented. Log in with valid credentials stored in the OID instance that Portal (WC_Spaces) and OAM share.
4) The Portal page should be presented with no further authentication challenges.