In this post I explain the steps involved in installing, configuring and integrating the components needed for WebCenter integration with OAM and OID.
We will assume you have already installed and configured Oracle WebLogic, WebCenter, OAM and OID as listed below:
- Install WebLogic server
- Install Identity Management Server
- Configure IDM WebLogic domain
- Install Webtier OHS for Oracle Access Manager
- Install WebCenter
- Configure WebCenter domain in WebLogic
- Install and configure Oracle Access Manager
(I will cover all of the above when time permits)
When WebCenter is integrated with OAM, WebCenter is front-ended by an HTTP web server, so we will start by installing a web server:
1 - Install OHS Webtier to front-end the WebCenter
2 - Configure mod_weblogic in the OHS Webtier
Configure mod_wl in the WebTier OHS so that it forwards requests to the WebCenter applications on Oracle WebLogic Server.
Enter the following MatchExpression lines in the mod_wl_ohs.conf file located under WEBTIER_HOME/instances/:
MatchExpression /webcenter WebLogicHost=wl.fusion.net|WebLogicPort=8888
MatchExpression /rss WebLogicHost=wl.fusion.net|WebLogicPort=8890
MatchExpression /owc_wiki WebLogicHost=wl.fusion.net|WebLogicPort=8890
MatchExpression /owc_discussions WebLogicHost=wl.fusion.net|WebLogicPort=8890
MatchExpression /workflow WebLogicHost=wl.fusion.net|WebLogicPort=8888
MatchExpression /integration/worklistapp WebLogicHost=wl.fusion.net|WebLogicPort=8888
MatchExpression /integration/services WebLogicHost=wl.fusion.net|WebLogicPort=8888
MatchExpression /soa-infra WebLogicHost=wl.fusion.net|WebLogicPort=8888
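As an added example (not part of the original post), the snippet below parses the MatchExpression lines above into a routing table, resolves a request path to its WebLogic backend by longest prefix, and lists any forwarded context root that no OAM protected resource covers. The prefix matching is a simplification of mod_wl_ohs's own matching, and the protected prefixes are a constructed stand-in for the resources defined in step 5.3.

```python
# Added example, not from the original post: parse the MatchExpression lines
# from step 2 into a routing table, resolve a request path to its backend, and
# list routed context roots that no OAM protected resource covers. Prefix
# matching is a simplification of mod_wl_ohs's own matching, and the protected
# prefixes are a constructed stand-in for the resources defined in step 5.3.

MOD_WL_CONF = """\
MatchExpression /webcenter WebLogicHost=wl.fusion.net|WebLogicPort=8888
MatchExpression /rss WebLogicHost=wl.fusion.net|WebLogicPort=8890
MatchExpression /owc_wiki WebLogicHost=wl.fusion.net|WebLogicPort=8890
MatchExpression /owc_discussions WebLogicHost=wl.fusion.net|WebLogicPort=8890
MatchExpression /workflow WebLogicHost=wl.fusion.net|WebLogicPort=8888
MatchExpression /integration/worklistapp WebLogicHost=wl.fusion.net|WebLogicPort=8888
MatchExpression /integration/services WebLogicHost=wl.fusion.net|WebLogicPort=8888
MatchExpression /soa-infra WebLogicHost=wl.fusion.net|WebLogicPort=8888
"""

# Constructed: URL prefixes assumed to be protected in the WebCenter policy domain
PROTECTED_PREFIXES = ["/webcenter", "/rss", "/owc_wiki", "/owc_discussions",
                      "/workflow", "/integration"]

def parse_match_expressions(conf):
    """Return {path_prefix: {param: value}}, one entry per MatchExpression line."""
    routes = {}
    for line in conf.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0] != "MatchExpression":
            continue  # skip blank lines, comments and other directives
        routes[parts[1]] = dict(kv.split("=", 1) for kv in parts[2].split("|"))
    return routes

def covers(prefix, path):
    """True when path equals prefix or lies beneath it as a whole segment."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def resolve(routes, request_uri):
    """Longest-prefix match; returns (prefix, params) or None if not forwarded."""
    path = request_uri.split("?", 1)[0]
    matches = [p for p in routes if covers(p, path)]
    if not matches:
        return None
    best = max(matches, key=len)
    return best, routes[best]

def unprotected_routes(routes, protected):
    """Routed context roots that no protected prefix covers: reachable through
    OHS but never challenged by WebGate, so they need a resource in the policy domain."""
    return sorted(p for p in routes if not any(covers(q, p) for q in protected))
```

With the constructed protected list, /soa-infra is reported as forwarded but unprotected, which is the kind of gap to close before adding resources in step 5.3.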
3 - Create an Access Gate in the OAM
This is needed for the installation of WebGate on the Webtier OHS and for the OAM Asserter provider configuration in WebLogic. Log in to Oracle Access Manager as orcladmin using this URL:
http://my.fusion.net:7777/access/oblix
Access System Console --> Access System Configuration --> Add New Access Gate
When prompted, provide the httpd.conf file of the Webtier OHS that front-ends the WebCenter applications, along with the Access Gate name, password and Access Server port.
5 - Configure the Oracle Access Manager
This can be done either with oamcfgtool.jar or by manual OAM configuration. I will describe the manual configuration:
5.1 Create host identifier for Webtier OHS in Access Manager
http://my.fusion.net:7777/access/oblix
Access System Console -> Access System Configuration -> Host Identifiers
5.2 Define WebCenter policy domain
http://my.fusion.net:7777/access/oblix
Policy Domain -> Create Policy Domain
5.3 Add the resources that we will be protecting
* Make sure Update Cache is selected when adding resources.
5.4 Add authorization rule
Open Authorization rules tab and click Add.
Enter a name for the new rule
Enabled : Yes
Allow takes precedence : No
Update Cache - Checked
Click Allow Access on the Authorization Rules tab and click Add.
5.5 Add Default Rules
Open the Default Rules tab and click Add.
Click Authorization Expression on the Default Rules tab, and click Add.
Add the Default-Authorization authorization rule you created previously to the Authorization Expression and click Add to add it to the Authorization Expression list.
Click Actions on the Authorization Expression sub-tab and click Add.
Under Authorization Success, specify what actions should be invoked when the authorization succeeds.
This is what you see when you click Save.
5.6 Add Policies
Open the Policies tab and click Add.
6 - WebLogic Security Realm configuration
This is done through WebLogic Administration Console.
Log in to the WebLogic Administration Console as an administrator (weblogic).
Security Realms -> myrealm to access Security Realm configurations
6.1 Create Oracle Internet Directory authenticator provider
Click the Providers tab and then New.
Name - OIDAuthenticator (or any relevant name)
Type - OracleInternetDirectoryAuthenticator
The newly created provider will appear at the bottom of the list. Click on it to make further changes.
Change the Control Flag to SUFFICIENT.
Click the Provider Specific tab and fill in the provider-specific details:
Connection:
Host - your OID host name (Example - fusion.net)
Port - OID port (3060)
Principal - cn=orcladmin
Credential - orcladmin user password
Users:
User Base DN - cn=users,dc=fusion,dc=net
All Users Filter - (&(uid=*)(objectclass=person))
User From Name Filter - (&(uid=%u)(objectclass=person))
User Search Scope - Subtree
User Name Attribute - uid
User Object Class - person
Use Retrieved User Name as Principal - Not Checked
Groups:
Group Base DN - cn=groups, dc=fusionsyscom,dc=net
All Groups Filter - (&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
Group From Name Filter - (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=orcldynamicgroup)))
Group Search Scope - Subtree
All other settings can be left at their defaults.
After saving, restart the WebCenter Administration Server and managed server, then validate the configuration by navigating to the Realm Settings page in the WLS Administration Console and opening the Users and Groups tab.
6.2 Create OAM ID Asserter provider
Name : OAM ID Asserter
Type : OAMIdentityAsserter
Once created, click on the newly created OAM ID Asserter.
- Control Flag : REQUIRED
- Active Types : ObSSOCookie chosen
Fill in the following details in the “Provider Specific” tab and leave the rest at their defaults:
- Application Domain
- Access Gate Password
- Access Gate Name
- Primary Access Server
6.3 Setting the Provider Order
After configuring the OAM identity asserter, make sure that the default authenticator's control flag is set to SUFFICIENT and reorder the providers as shown below:
OAMIdentityAsserter (REQUIRED)
OracleInternetDirectoryAuthenticator (SUFFICIENT)
DefaultAuthenticator (SUFFICIENT)
DefaultIdentityAsserter
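As an added example (not part of the original post), the snippet below models WebLogic's JAAS-style control flags to show why the provider order and flags above work: an OID-only user is accepted because the OID authenticator is SUFFICIENT, and a failed REQUIRED OAM assertion cannot be rescued by a later SUFFICIENT success. The user stores, sample requests and the assumed pre-6.3 provider order are constructed here; no real WebLogic provider is called.

```python
# Added example (not from the original post): a small model of WebLogic's
# JAAS-style control flags, to show why the provider order in step 6.3 works
# and what happens if it is not applied. The user stores and sample requests
# are constructed here; no real WebLogic provider is called.

OID_USERS = {"jdoe"}           # constructed: exists only in OID
EMBEDDED_USERS = {"weblogic"}  # constructed: exists only in the embedded LDAP

def oam_asserter(req):
    """OAMIdentityAsserter: succeeds only when the ObSSOCookie validates."""
    return req.get("obsso_cookie_valid", False)

def oid_authenticator(req):
    return req["user"] in OID_USERS

def default_authenticator(req):
    return req["user"] in EMBEDDED_USERS

def evaluate_stack(providers, req):
    """Apply JAAS control-flag semantics to an ordered list of
    (name, flag, check) tuples and return True if authentication succeeds."""
    saw_required = required_failed = optional_ok = False
    for _name, flag, check in providers:
        ok = bool(check(req))
        if flag in ("REQUIRED", "REQUISITE"):
            saw_required = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    return False          # stop immediately
        elif flag == "SUFFICIENT" and ok and not required_failed:
            return True                   # stop; later providers not consulted
        elif flag == "OPTIONAL" and ok:
            optional_ok = True
    return (not required_failed) if saw_required else optional_ok

def recommended_stack():
    """The order and flags from step 6.3."""
    return [("OAMIdentityAsserter", "REQUIRED", oam_asserter),
            ("OracleInternetDirectoryAuthenticator", "SUFFICIENT", oid_authenticator),
            ("DefaultAuthenticator", "SUFFICIENT", default_authenticator)]

def unreordered_stack():
    """Assumed pre-6.3 state: DefaultAuthenticator still first and REQUIRED."""
    return [("DefaultAuthenticator", "REQUIRED", default_authenticator),
            ("OAMIdentityAsserter", "REQUIRED", oam_asserter),
            ("OracleInternetDirectoryAuthenticator", "SUFFICIENT", oid_authenticator)]
```

In the unreordered stack the REQUIRED DefaultAuthenticator fails for any OID-only user, and the later SUFFICIENT success in OID cannot undo that failure, which is why both the reorder and the SUFFICIENT flag matter.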