About Protected_JSessionId_Policy

Configuring Single Sign-On using OracleAS SSO 10g

b. An Oracle Internet Directory repository configured to be used by the 10g OSSO server. Ensure that the directory server is tuned for your deployment.

c. One of the following Web servers based on Apache 2:
   – Oracle HTTP Server 11g as a front end to the Oracle WebLogic Server. This installation includes mod_osso and mod_weblogic.
   – OHS 10g, available in the companion CD release Oracle HTTP Server 10.1.3. This includes mod_osso. However, mod_weblogic must be added.

d. Oracle WebLogic Server 10.3.1+

e. An Oracle Fusion Middleware product such as Oracle Identity Management, Oracle SOA Suite, or Oracle WebCenter is required; it includes the provider required for OSSO by Oracle WebLogic Server in the following path:
   ORACLE_INSTANCE/modules/oracle.ossoiap_11.1.1/ossoiap.jar

2. Configure mod_weblogic so that it forwards requests to Oracle WebLogic Server, as explained in section "Configuring mod_weblogic" on page 17-6.

3. Register the module mod_osso with the 10g SSO Server as a partner application, as described in "Registering Oracle HTTP Server mod_osso with OSSO Server 10.1.4" on page 17-7.

4. Configure mod_osso, as described in "Configuring mod_osso to Protect Web Resources" on page 17-8.
See Also: Oracle Application Server Installation Guide on Oracle Technology Network at: http://www.oracle.com/technology/documentation/oim1014.html

See Also: The following manuals for Release 11g 11.1.1.1.0
■ Oracle Fusion Middleware Installation Guide for Oracle Identity Management
■ Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

See Also: The following manuals for Release 11g 11.1.1.1.0
■ Oracle Fusion Middleware Installation Guide for Web Tier
■ Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server

See Also: Oracle Fusion Middleware Getting Started With Installation for Oracle WebLogic Server

See Also:
■ Oracle Fusion Middleware Installation Guide for Oracle Identity Management
■ Oracle Fusion Middleware Installation Guide for Oracle SOA Suite
■ Oracle Fusion Middleware Installation Guide for Oracle WebCenter

Oracle Fusion Middleware Application Security Guide

5. Add the OSSO Identity Asserter to the appropriate domain, as explained in section "Adding Providers to a WebLogic Domain for OSSO" on page 17-12.

6. Configure a connection filter, as explained in section "Establishing Trust Between Oracle WebLogic Server and Other Entities" on page 17-14.

7. Configure the use of the solution by the application, as explained in section "Configuring the Application for the OSSO Identity Asserter" on page 17-15.

8. Identify and resolve issues with your OSSO Identity Asserter implementation; see "Troubleshooting for an OSSO Identity Asserter Deployment" on page 17-18.

17.1.2.1 Configuring mod_weblogic

You can either edit the Oracle HTTP Server httpd.conf file directly or add mod_weblogic configuration in a separate file and include that file in httpd.conf.

The following procedure includes steps for two different Web server releases. Perform steps as needed for your deployment:
■ OHS 11g ships with mod_wl_ohs.so. In this case, skip Step 1.
■ OHS 10g does not ship with mod_weblogic (mod_wl_.so). If Oracle HTTP Server 10g is installed, start with Step 1 to copy mod_wl_20.so before configuration.

To install and configure mod_weblogic

1. Oracle HTTP Server 10.1.3: Copy mod_wl_20.so to the Oracle HTTP Server modules directory. For example:
   From: WL_HOME/wlserver_10.0/server/plugin/linux/i686
   To: ORACLE_HOME/ohs/modules

2. Locate the Oracle HTTP Server httpd.conf file. For example:

   Oracle HTTP Server 10.1.3: ORACLE_HOME/ohs/conf/httpd.conf
   Oracle HTTP Server 11g: ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf

3. Verify that mod_weblogic configuration is in httpd.conf, either by inclusion of the appropriate configuration file or the configuration itself directly. For example, for Oracle HTTP Server 10g:

   LoadModule weblogic_module ${ORACLE_HOME}/ohs/modules/mod_wl_20.so

   <IfModule mod_weblogic.c>
      WebLogicHost yourHost.yourDomain.com
      WebLogicPort yourWlsPortNumber
   </IfModule>

   <Location /request-uri-pattern>
      SetHandler weblogic-handler
   </Location>

Note: For Oracle HTTP Server, the name of this plug-in differs from release 10g to 11g:
■ Oracle HTTP Server 10g: mod_wl (actual binary name is mod_wl_20.so)
■ Oracle HTTP Server 11g: mod_wl_ohs (actual binary name is mod_wl_ohs.so)
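One way to automate the verification in step 3, as an added example that is not part of the Oracle guide: the script checks httpd.conf and the files it names with Include for the four mod_weblogic directives on active lines. The function names, sample host, port and paths are constructed for illustration; an unfilled placeholder such as yourWlsPortNumber is reported as missing because the port pattern expects digits.

```shell
# Added example, not from the Oracle guide: confirm that httpd.conf, or a file
# it pulls in with Include, carries the mod_weblogic directives from step 3.

# List the conf file plus each existing file named by its Include directives
# (one level deep; relative paths resolve against the ServerRoot given as $2).
conf_files() {
    printf '%s\n' "$1"
    sed -n 's/^[[:space:]]*[Ii]nclude[[:space:]][[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" |
    while IFS= read -r inc; do
        case $inc in /*) ;; *) inc=$2/$inc ;; esac
        for f in $inc; do            # unquoted so wildcards in Include expand
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# Return 0 if every directive is on an active (uncommented) line, 1 if any is
# missing (named on stderr), 2 if unreadable. $2 defaults to the conf's directory (assumption).
check_mod_weblogic() {
    conf=$1
    root=${2:-$(dirname "$conf")}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    active=$(conf_files "$conf" "$root" | while IFS= read -r f; do cat "$f"; done |
             sed '/^[[:space:]]*#/d')
    rc=0
    for pat in 'LoadModule[[:space:]]+weblogic_module[[:space:]]+[^[:space:]]+\.so' \
               'WebLogicHost[[:space:]]+[^[:space:]]+' \
               'WebLogicPort[[:space:]]+[0-9]+' \
               'SetHandler[[:space:]]+weblogic-handler'
    do
        if ! printf '%s\n' "$active" | grep -Eq "^[[:space:]]*$pat"; then
            echo "missing: ${pat%%[[]*}" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: httpd.conf loads the module and includes mod_wl.conf.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'LoadModule weblogic_module /opt/ohs/modules/mod_wl_20.so' \
        'Include mod_wl.conf' > "$d/httpd.conf"
    printf '%s\n' '<IfModule mod_weblogic.c>' '  WebLogicHost wls.example.com' \
        '  WebLogicPort 7001' '</IfModule>' '<Location /app>' \
        '  SetHandler weblogic-handler' '</Location>' > "$d/mod_wl.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample) && check_mod_weblogic "$sample/httpd.conf" && echo "directives present"
```

Call check_mod_weblogic with the real httpd.conf path and, as the second argument, the ServerRoot that relative Include paths resolve against.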

17.1.2.2 Registering Oracle HTTP Server mod_osso with OSSO Server 10.1.4

The mod_osso module is an Oracle HTTP Server module that provides authentication to OracleAS applications. This module resides on the Oracle HTTP Server that enables applications protected by OracleAS Single Sign-On to accept HTTP headers in lieu of a user name and password once the user has logged into the OracleAS Single Sign-On server. The values for these headers are stored in a mod_osso cookie.

The mod_osso module enables single sign-on for Oracle HTTP Server by examining incoming requests and determining whether the requested resource is protected. If it is, then it retrieves the Oracle HTTP Server cookie.

Under certain circumstances, you must register Oracle HTTP Server mod_osso using the 10.1.4 Oracle Identity Manager single sign-on registration tool ssoreg.sh or ssoreg.bat. Table 17–2 provides a summary of parameters and values for this purpose. Running the tool updates the mod_osso registration record in osso.conf. The tool generates this file whenever it runs.

Table 17–2 ssoreg Parameters to Register Oracle HTTP Server mod_osso

Parameter
    Description

-oracle_home_path
    Path to the 10.1.4 SSO Oracle_Home

-site_name
    Any site name to be covered

-config_mod_osso
    TRUE. If set to TRUE, this parameter indicates that the application being registered is mod_osso. You must include config_mod_osso for osso.conf to be generated.

-mod_osso_url
    URL for front-ending Oracle HTTP Server Host:port. This is the URL that is used to access the partner application. The value should be specified in the URL format: http://oracle_http_host.domain:port

-update_mode
    Optional. CREATE, the default, generates a new record.

-remote_midtier
    Specifies that the mod_osso partner application to be registered is at a remote mid-tier. Use this option only when the mod_osso partner application to be configured is at a different ORACLE_HOME, and the OracleAS Single Sign-On server runs locally at the current ORACLE_HOME.

-config_file
    Path where osso.conf is to be generated

[-admin_info
    Optional. User name of the mod_osso administrator. If you omit this parameter, the Administer Information field on the Edit Partner Application page is left blank.

admin_id
    Optional. Any additional information, such as email address, about the administrator. If you omit this parameter, the Administrator E-mail field on the Edit Partner Application page is left blank.

VirtualHost ...
    Host name. Optional. Include this parameter only if you are registering an Oracle HTTP virtual host with the single sign-on server. Omit the parameter if you are not registering a virtual host. If you are creating an HTTP virtual host, use the httpd.conf file to fill in the directive for each protected URL.