Oracle Identity & Access Management: March 2010

Sunday, 28 March 2010

Oracle WebCenter integration with OAM & OID

An out-of-the-box Fusion Middleware 11g WebCenter installation is normally configured with the WebLogic Server embedded LDAP server as its identity store and with file-based policy and credential stores. As this is not a production-class security setup, there may be a need to integrate WebCenter with the Oracle Identity and Access Management solution.

I’m trying to explain the steps involved in the installation, configuration and integration of the various components needed to integrate WebCenter with OAM and OID.

We will assume you have already installed and configured Oracle WebLogic, WebCenter, OAM and OID as listed below:

- Install WebLogic server

- Install Identity Management Server

- Configure IDM WebLogic domain

- Install Webtier OHS for Oracle Access Manager

- Install WebCenter

- Configure WebCenter domain in WebLogic

- Install and configure Oracle Access Manager

(I will cover all of the above when time permits)

When WebCenter is integrated with OAM, WebCenter is front-ended by a web server (HTTP). So we will start by installing a web server:


1 - Install OHS Webtier to front-end the WebCenter


2 - Configure mod_weblogic in the OHS Webtier


Configure mod_wl in the Webtier OHS so that it forwards requests to the WebCenter applications running on Oracle WebLogic Server.


Enter the MatchExpression lines in the mod_wl_ohs.conf file located in the WEBTIER_HOME/instances//config/OHS/ohs1/ directory. I have used the default ports; make sure the ports match your WebCenter installation.

MatchExpression /webcenter WebLogicHost=wl.fusion.net|WebLogicPort=8888
MatchExpression /rss WebLogicHost=wl.fusion.net|WebLogicPort=8890
MatchExpression /owc_wiki WebLogicHost=wl.fusion.net|WebLogicPort=8890
MatchExpression /owc_discussions WebLogicHost=wl.fusion.net|WebLogicPort=8890
MatchExpression /workflow WebLogicHost=wl.fusion.net|WebLogicPort=8888
MatchExpression /integration/worklistapp WebLogicHost=wl.fusion.net|WebLogicPort=8888
MatchExpression /integration/services WebLogicHost=wl.fusion.net|WebLogicPort=8888
MatchExpression /soa-infra WebLogicHost=wl.fusion.net|WebLogicPort=8888


3 - Create an Access Gate in the OAM

This is needed for the WebGate installation on the Webtier OHS and for the OAM Identity Asserter provider configuration in WebLogic. Log in to Oracle Access Manager as orcladmin using this URL:

http://my.fusion.net:7777/access/oblix

Access System Console --> Access System Configuration --> Add New Access Gate



4 - Install Webgate

When prompted, provide the httpd.conf file of the Webtier OHS that front-ends the WebCenter applications. You will also need to provide the Access Gate name, password and Access Server port when prompted.


5 - Configure the Oracle Access Manager


This can be done either with oamcfgtool.jar or by manual OAM configuration. I will describe the manual configuration:



5.1 Create host identifier for Webtier OHS in Access Manager


http://my.fusion.net:7777/access/oblix


Access System Console -> Access System Configuration -> Host Identifiers




5.2 Define WebCenter policy domain

http://my.fusion.net:7777/access/oblix

Policy Domain -> Create Policy Domain



5.3 Add the resources that we will be protecting

* Make sure Update Cache is selected when adding resources.



5.4 Add authorization rule

Open the Authorization Rules tab and click Add.
Enter a name for the new rule:
Enabled : Yes
Allow takes precedence : No
Update Cache - Checked



Click Allow Access on the Authorization Rules tab and click Add.




5.5 Add Default Rules

Open the Default Rules tab and click Add.




Click Authorization Expression on the Default Rules tab, and click Add.
Add the Default-Authorization authorization rule you created previously to the Authorization Expression and click Add to add it to the Authorization Expression list.



Click Actions on the Authorization Expression sub-tab and click Add

Under Authorization Success, specify what actions should be invoked when the authorization succeeds.



This is what you see when you click Save.



5.6 Add Policies

Open the Policies tab and click Add.



6 - WebLogic Security Realm configuration

This is done through WebLogic Administration Console.

Log in to the WebLogic Administration Console as an administrator (weblogic).

Security Realms -> myrealm to access Security Realm configurations




6.1 Create Oracle Internet Directory authenticator provider

Click on the Providers tab and then New.
Name - OIDAuthenticator (or any relevant name)
Type - OracleInternetDirectoryAuthenticator



The newly created provider will appear at the bottom of the list. Click on it to make further changes.

Change the Control Flag to SUFFICIENT.



Click on the “Provider Specific” tab and fill in the provider-specific details:

Connection:

Host - your OID host name (Example - fusion.net)
Port - OID port (3060)
Principal - cn=orcladmin
Credential - orcladmin user password

Users:

User Base DN - cn=users,dc=fusion,dc=net
All Users Filter - (&(uid=*)(objectclass=person))
User From Name Filter - (&(uid=%u)(objectclass=person))
User Search Scope - Subtree
User Name Attribute - uid
User Object Class - person
Use Retrieved User Name as Principal - Not Checked

Groups:

Group Base DN - cn=groups, dc=fusionsyscom,dc=net
All Groups Filter - (&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))

Group From Name Filter - (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=orcldynamicgroup)))
Group Search Scope - Subtree

You can leave all other settings at their defaults.

After saving, restart the WebCenter Administration Server and managed server, then validate the configuration by navigating to the Realm Settings page in the WLS Administration Console and opening the Users and Groups tab.
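Before restarting the servers it is worth checking the provider settings directly against OID, because a wrong base DN, filter or object class only shows up later as an empty Users and Groups tab. The script below is an added example (not part of the original post): it expands the User From Name and Group From Name filters above the way WebLogic does, escaping the name per RFC 4515 so a login name containing filter metacharacters is still matched literally, and prints the OpenLDAP ldapsearch commands to run. It assumes the group base DN shares the users' dc=fusion,dc=net suffix and uses constructed sample names (jdoe, WebCenterUsers).

```python
import shlex

# Connection and search settings taken from the provider configuration above;
# the group base DN is assumed to share the users' dc=fusion,dc=net suffix.
OID_HOST, OID_PORT, BIND_DN = "fusion.net", 3060, "cn=orcladmin"
USER_BASE = "cn=users,dc=fusion,dc=net"
GROUP_BASE = "cn=groups,dc=fusion,dc=net"
USER_FROM_NAME = "(&(uid=%u)(objectclass=person))"
GROUP_FROM_NAME = ("(|(&(cn=%g)(objectclass=groupofUniqueNames))"
                   "(&(cn=%g)(objectclass=orcldynamicgroup)))")

# RFC 4515 escapes for characters that would otherwise change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_filter(username: str) -> str:
    """Expand the User From Name Filter for a login name, as WebLogic does."""
    return USER_FROM_NAME.replace("%u", escape_filter_value(username))

def group_filter(groupname: str) -> str:
    """Expand the Group From Name Filter for a group name."""
    return GROUP_FROM_NAME.replace("%g", escape_filter_value(groupname))

def ldapsearch_command(base: str, ldap_filter: str, *attrs: str) -> str:
    """Build an OpenLDAP ldapsearch command line (-W prompts for the orcladmin password)."""
    args = ["ldapsearch", "-h", OID_HOST, "-p", str(OID_PORT), "-D", BIND_DN, "-W",
            "-b", base, "-s", "sub", ldap_filter, *attrs]
    return " ".join(shlex.quote(a) for a in args)

if __name__ == "__main__":
    # Run these two against OID before restarting WebLogic; an empty result means
    # the base DN, filter or object class in the provider settings is wrong.
    # jdoe and WebCenterUsers are constructed sample names.
    print(ldapsearch_command(USER_BASE, user_filter("jdoe"), "uid", "cn"))
    print(ldapsearch_command(GROUP_BASE, group_filter("WebCenterUsers"), "cn", "uniquemember"))
    # A name containing filter metacharacters stays a literal match:
    print(user_filter("j.doe (ext)"))
```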



6.2 Create OAM ID Asserter provider

Name : OAM ID Asserter
Type : OAMIdentityAsserter



Once created, click on the newly created OAM ID Asserter:

- Control Flag : REQUIRED
- Active Types : ObSSOCookie (moved to Chosen)



Fill in the following details in the “Provider Specific” tab and leave the rest at their defaults:

- Application Domain
- Access Gate Password
- Access Gate Name
- Primary Access Server



6.3 Setting the Provider Order

After configuring the OAM identity asserter, make sure that the default authenticator's control flag is set to SUFFICIENT and reorder the providers as shown below:
OAMIdentityAsserter (REQUIRED)
OracleInternetDirectoryAuthenticator (SUFFICIENT)
DefaultAuthenticator (SUFFICIENT)
DefaultIdentityAsserter
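The order and control flags above matter because WebLogic evaluates its authentication providers with JAAS control-flag semantics. The following Python model is an added example (not from the original post or from Oracle): it walks a provider stack under those rules and shows why a REQUIRED OAM asserter cannot be bypassed by a later provider, why the OID authenticator being SUFFICIENT means DefaultAuthenticator is never consulted for OID users, and why a DefaultAuthenticator left at REQUIRED and listed first (the state right after step 6.1) locks out users that exist only in OID. It models the control-flag rules only, not WebLogic's full identity assertion pipeline, and the per-provider outcomes are constructed inputs.

```python
# Provider stack as ordered in step 6.3: (provider name, JAAS control flag).
# DefaultIdentityAsserter is left out because it handles other token types,
# not the ObSSOCookie, and takes no part in this walk.
PROVIDER_ORDER = [
    ("OAMIdentityAsserter", "REQUIRED"),
    ("OracleInternetDirectoryAuthenticator", "SUFFICIENT"),
    ("DefaultAuthenticator", "SUFFICIENT"),
]

# The stack as it looks right after step 6.1 if DefaultAuthenticator is left at
# REQUIRED and the new OID provider simply sits at the bottom of the list.
UNORDERED_STACK = [
    ("DefaultAuthenticator", "REQUIRED"),
    ("OracleInternetDirectoryAuthenticator", "SUFFICIENT"),
]

def jaas_login(stack, outcomes):
    """Walk the stack with JAAS control-flag semantics.

    outcomes maps a provider name to True when its login module succeeds for the
    request (a missing entry counts as failure). Returns (authenticated, consulted).
    """
    consulted, required_failed, any_success = [], False, False
    for provider, flag in stack:
        consulted.append(provider)
        ok = outcomes.get(provider, False)
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break          # REQUISITE failure stops the walk at once
        elif flag == "SUFFICIENT" and ok and not required_failed:
            break                  # SUFFICIENT success ends the walk early
        # OPTIONAL providers never decide the outcome on their own
    return (any_success and not required_failed), consulted

if __name__ == "__main__":
    # OID user with a valid ObSSOCookie: DefaultAuthenticator is never consulted.
    print(jaas_login(PROVIDER_ORDER, {"OAMIdentityAsserter": True,
                                      "OracleInternetDirectoryAuthenticator": True}))
    # Assertion fails: the REQUIRED asserter has failed, so no later provider can rescue it.
    print(jaas_login(PROVIDER_ORDER, {"OracleInternetDirectoryAuthenticator": True}))
    # Before the reorder, a user that exists only in OID is rejected outright.
    print(jaas_login(UNORDERED_STACK, {"OracleInternetDirectoryAuthenticator": True}))
```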