Installing and Configuring OAM 11g

Configuring Single Sign-on 30-11

    <resource>/rest/api/cmis/...</resource>
    <resource>/cs</resource>
    <resource>/cs/...</resource>
  </publicResourcesList>
</OAM11GRegRequest>

c. Change directories to RREG_Home.

d. Run the following commands:

setenv OAM_REG_HOME RREG_HOME
RREG_Home/bin/oamreg.sh inband input/WebCenterOAM11gRequest.xml

When prompted for the agent credentials, enter your OAM administrator credentials. You should see output resembling that below:

Welcome to OAM Remote Registration Tool
Parameters passed to the registration tool are:
Mode: inband
Filename: /scratch/aime1/install/MW_HOME/Oracle_IDM1/oam/server/rreg/input/WebCenterOAM11gRequest.xml
Enter your agent username:weblogic
Username: weblogic
Enter agent password:
Do you want to enter a Webgate password?(y/n): y
Enter webgate password:
Enter webgate password again:
Password accepted. Proceeding to register..
Aug 16, 2010 1:22:30 AM oracle.security.am.engines.rreg.client.handlers.request.OAM11GRequestHandler getWebgatePassword
INFO: Passwords matched and accepted.
Do you want to import an URIs file?(y/n): n
----------------------------------------
Request summary:
OAM11G Agent Name:example_webcenter
URL String:example_webcenter
Registering in Mode:inband
Your registration request is being been sent to the Admin server at: http://webcenter.example.com:7001
----------------------------------------
Inband registration process completed successfully
Output artifacts are created in the output folder.

2. Copy the generated files and artifacts, ObAccessClient.xml and cwallet.sso, from RREG_Home/output/webtierhost_webcenter to your WebGate instance configuration directory, Webgate_Instance_Directory/webgate/config. Note that Webgate_Instance_Directory should match the instance home of OHS, as in the following example:

MW_HOME/Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config

3. Restart OHS.

4. From the OAM Console, you should now be able to see the following artifacts:
■ 11g WebGate agent named webtierhost_webcenter
■ 11g host identifier by the same name
■ an application domain with the same name containing authentication and authorization policies, which in turn contain protected and public policies

30-12 Oracle Fusion Middleware Administrators Guide for Oracle WebCenter

5. Go to Application Domain > webtierhost_webcenter > Authentication Policies and create a new policy underneath it called WebCenter REST Auth Policy. Choose BASIC Scheme as the authentication scheme.

6. Go to Application Domain > webtierhost_webcenter > Authentication Policies > Protected Resource Policy and remove all entries starting with /rest.

7. Return to the WebCenter REST Auth Policy created above, add all the /rest entries you removed, and click Apply. REST needs to follow the BASIC authentication scheme so that external clients, such as the Outlook plugin and iPhone application, can connect to WebCenter REST and be protected with SSO. You should be adding the following entries:

<resource>/rest/api/resourceIndex</resource>
<resource>/rest/api/spaces</resource>
<resource>/rest/api/spaces/...</resource>
<resource>/rest/api/discussions</resource>
<resource>/rest/api/discussions/...</resource>
<resource>/rest/api/tags</resource>
<resource>/rest/api/tags/...</resource>
<resource>/rest/api/taggeditems</resource>
<resource>/rest/api/taggeditems/...</resource>
<resource>/rest/api/activities</resource>
<resource>/rest/api/activities/...</resource>
<resource>/rest/api/activitygraph</resource>
<resource>/rest/api/activitygraph/...</resource>
<resource>/rest/api/feedback</resource>
<resource>/rest/api/feedback/...</resource>
<resource>/rest/api/people</resource>
<resource>/rest/api/people/...</resource>
<resource>/rest/api/messageBoards</resource>
<resource>/rest/api/messageBoards/...</resource>
<resource>/rest/api/searchresults</resource>
<resource>/rest/api/searchresults/...</resource>

8. After installing and configuring the Web Tier and associated components, continue by configuring the Policy Manager as described in Section 30.2.4, Configuring the WebLogic Domain for OAM, and performing any additional service and component configurations that apply as described in Section 30.2.6, Additional Single Sign-on Configurations.

30.2.3.2 Installing and Configuring OAM 10g

This section describes how to install and configure OAM 10g, and includes the following subsections:
■ Section 30.2.3.2.1, Installing and Configuring OAM 10g
■ Section 30.2.3.2.2, Installing and Configuring the Oracle HTTP Server
■ Section 30.2.3.2.3, Configuring the WebCenter Policy Domain
■ Section 30.2.3.2.4, Installing the WebGate 10g on the Web Tier

30.2.3.2.1 Installing and Configuring OAM 10g

If you don't already have Oracle Access Manager (OAM) 10g installed, install OAM 10g as described in the Oracle Access Manager Installation Guide.

30.2.3.2.2 Installing and Configuring the Oracle HTTP Server

If you don't already have Oracle HTTP Server (OHS) installed, install OHS 11.1.1.4.0 as described in Section 30.2.5, Installing and Configuring the Oracle HTTP Server. If you do have an existing installation, you will need to apply a patch to bring it up to OHS 11.1.1.4.0, as described in Applying the Latest Oracle Fusion Middleware Patch Set in the Oracle Fusion Middleware Patching Guide. After installing or patching OHS, continue by installing the WebGate as described in Section 30.2.3.2.3, Configuring the WebCenter Policy Domain.

30.2.3.2.3 Configuring the WebCenter Policy Domain

These steps assume that you've installed Oracle WebCenter (see Section 2.3, Installing WebCenter Spaces). By default, an Oracle WebCenter installation creates a WebLogic Server domain, including an Administration Server and four managed servers: WC_Spaces, WC_Collaboration, WC_Utilities, and WC_Portlet.

1. Determine which access server to use.

a. Log onto the Access Manager.

b. Click Access System Console.

c. Open the Access System Configuration tab.

d. Click Access Server Configuration to display a list of all access servers.

e. Click an access server in the list to see server details. The host name and port are the values you need for the oam_aaa_host and oam_aaa_port parameters, respectively, in the script.

2. Run the following command. The oamcfgtool.jar is available in ORACLE_HOME/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar in the WebCenter installation. The placeholder values (your_domain_name and the descriptions after each = sign, shown in bold in the original) are the ones that you must supply based on the settings of your WebCenter and OAM instances.

java -jar ORACLE_HOME/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar
mode=CREATE
app_domain=your_domain_name
uris_file=WEBCENTER_HOME/webcenter/scripts/webcenter.oam.conf
app_agent_password=Password to be provisioned for App Agent
ldap_host=Hostname of LDAP server
ldap_port=Port of LDAP server
ldap_userdn=DN of LDAP Admin User, usually cn=orcladmin
ldap_userpassword=Password of LDAP Admin User
oam_aaa_host=HOST of OAM server
oam_aaa_port=Port of OAM server

We recommend that you register your domain (your_domain_name) as something like webtier.example.com, where webtier.example.com is your Web Tier, so that you can easily distinguish the various policies in OAM.

If your command ran successfully, you should see something like the following output, depending on the values you used:

Processed input parameters
Initialized Global Configuration
Successfully completed the Create operation.

Operation Summary:
Policy Domain : webtier.example.com
Host Identifier: webtier.example.com
Access Gate ID : webtier.example.com_AG

You can also run the Validate command to validate your configurations:

java -jar WC_ORACLE_HOME/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar
mode=VALIDATE
app_domain=your_domain_name
ldap_host=Hostname of LDAP server
ldap_port=Port of LDAP server
ldap_userdn=DN of LDAP Admin User, usually cn=orcladmin
ldap_userpassword=Password of LDAP Admin User
oam_aaa_host=HOST of OAM server
oam_aaa_port=Port of OAM server
test_username=Username to be used for policy validation
test_userpassword=Userpassword to be used for policy validation

If your command runs successfully, you should see the same output as above.

3. If your instance also contains a SOA installation, then run oamcfgtool again to protect the SOA URIs in the policy domain you created in the previous step. Use the same parameters as the ones used in the previous step so that the existing policy domain is updated with the URIs in the soa.oam.conf file.

java -jar ORACLE_HOME/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar
mode=CREATE
app_domain=your_domain_name
uris_file=SOA_HOME/soa/prov/soa.oam.conf
app_agent_password=Password to be provisioned for App Agent
ldap_host=Hostname of LDAP server
ldap_port=Port of LDAP server
ldap_userdn=DN of LDAP Admin User, usually cn=orcladmin
ldap_userpassword=Password of LDAP Admin User
oam_aaa_host=HOST of OAM server
oam_aaa_port=Port of OAM server

4. If your installation contains Oracle Content Server, then you also need to protect these URIs. Use the same parameters as the ones used in the previous steps so that the existing policy domain is updated with the URIs in the Content Server's oam.conf file.

java -jar ORACLE_HOME/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar
mode=CREATE
app_domain=your_domain_name
uris_file=ECM_HOME/common/security/oam.conf
app_agent_password=Password to be provisioned for App Agent
ldap_host=Hostname of LDAP server
ldap_port=Port of LDAP server
ldap_userdn=DN of LDAP Admin User, usually cn=orcladmin
ldap_userpassword=Password of LDAP Admin User
oam_aaa_host=HOST of OAM server
oam_aaa_port=Port of OAM server

5. Check the Policy Domain settings.

a. Log on to the Oracle Access Manager.

b. Click Policy Manager.

c. Click My Policy Domains.

You should see the domain you just created in the list of policy domains. In the URL prefixes column, you should also see the URIs that were specified as part of the webcenter.oam.conf script file. You should also see the URIs from the SOA and Content Server OAM configuration files if you have run the oamcfgtool from SOA and Content Server domains.

d. Click the domain you just created and open the Resources tab. The URIs you specified should display. You can also open other tabs to view and verify other settings, and manually add additional resources later, if required.

6. Check the Access Gate Configurations.

a. Click Access System Console.

b. Open the Access System Configuration tab.

c. Click AccessGate Configuration.

d. Enter some search criteria and click Go.

e. When the Access Gate for the domain you just created displays (it will have the suffix _AG), click it to see the setting details.

7. Locate the policy domain that you created and verified in the previous steps and open the Policies tab. You should see two policies already created: Protected_JSessionId_Policy and Default Public Policy.

8. Create another policy called WebCenterRESTPolicy, using the values shown below:

Description: This policy protects REST protected URIs using the BASIC authentication scheme, which is required for functioning with the WebCenter Outlook plug-in or iPhone integration.
Resource Type: http
Operations: GET, POST
Resource: Select all resources starting with /rest except for /rest/cmis/repository:
/rest/api/resourceIndex
/rest/api/spaces
/rest/api/discussions
/rest/api/tags
/rest/api/taggeditems
/rest/api/activities
/rest/api/activitygraph
/rest/api/feedback
/rest/api/people
/rest/api/messageBoards
/rest/api/searchresults
Host Identifier: Same as the one used for the resources.

9. Click Save.

10. In the newly created policy, navigate to Authentication Rule and add a new rule using the authentication scheme OraDefaultBasicAuthNScheme.

11. Open the Policies tab and make sure that the policies are in the order shown below:
Protected_JSessionId_Policy
WebCenterRESTPolicy
Default Public Policy

12. Continue with the steps for installing the WebGate as described in Section 30.2.3.2.4, Installing the WebGate 10g on the Web Tier.
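The REST policy layout that the 11g steps 5 through 7 and the 10g steps 8 through 11 describe can be audited before external clients are pointed at it. The following is an added example, not from the Oracle guide and not an OAM API: it models each policy as a name with its scheme and resource list (11g resource syntax), and reports /rest entries that are not yet in the BASIC-scheme policy; the policy and scheme names and the sample layout are constructed for illustration.

```python
from typing import Dict, List

# Resources the registration request above lists as public; they stay out of the
# BASIC-scheme policy (the CMIS repository exception the 10g step also names).
PUBLIC_REST_EXCEPTIONS = {"/rest/api/cmis/..."}
BASIC_SCHEME = "BASIC Scheme"   # scheme name as shown in the OAM Console


def expected_rest_resources() -> List[str]:
    """The /rest entries the steps above move into the BASIC-scheme policy."""
    names = ["spaces", "discussions", "tags", "taggeditems", "activities",
             "activitygraph", "feedback", "people", "messageBoards",
             "searchresults"]
    entries = ["/rest/api/resourceIndex"]
    for name in names:
        entries += [f"/rest/api/{name}", f"/rest/api/{name}/..."]
    return entries


def audit_rest_policies(policies: Dict[str, dict]) -> List[str]:
    """policies: policy name -> {"scheme": str, "resources": [str, ...]}.

    Returns findings; an empty list means the layout matches the guide."""
    findings = []
    basic_policies = {n for n, p in policies.items() if p["scheme"] == BASIC_SCHEME}
    if not basic_policies:
        findings.append("no policy uses BASIC Scheme; create the REST auth policy")
    covered = set()
    for name, pol in policies.items():
        for res in pol["resources"]:
            if name in basic_policies:
                covered.add(res)
            elif res.startswith("/rest") and res not in PUBLIC_REST_EXCEPTIONS:
                findings.append(f"{res} still in {name!r} ({pol['scheme']}); "
                                "move it to the BASIC-scheme REST policy")
    for res in expected_rest_resources():
        if res not in covered:
            findings.append(f"{res} missing from the BASIC-scheme REST policy")
    return findings


# Constructed sample: the state right after registration (step 4), before
# the REST entries have been moved into a BASIC-scheme policy.
BEFORE = {
    "Protected Resource Policy": {
        "scheme": "LDAPScheme",
        "resources": ["/webcenter/...", "/rest/api/spaces", "/rest/api/spaces/..."],
    },
    "Public Resource Policy": {"scheme": "AnonymousScheme",
                               "resources": ["/rest/api/cmis/..."]},
}

if __name__ == "__main__":
    for finding in audit_rest_policies(BEFORE):
        print(finding)
```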

30.2.3.2.4 Installing the WebGate 10g on the Web Tier

This section describes how to install the WebGate.

To install the WebGate:

1. Copy the ZIP file Oracle_Access_Manager10_1_4_3_0_linux_GCClib.zip, containing the two gcc libraries required for the installation (libgcc_s.so.1 and libstdc++.so.5), to a tmp directory. For more information, refer to the chapter on Installing the WebGate in the Oracle Access Manager Installation Guide.

2. Run the installation as root. For example, from the tmp directory run:

sudo -u root ./Oracle_Access_Manager10_1_4_3_0_linux_OHS11g_WebGate

3. Follow the installation runtime instructions, providing the installation directory, information about the AccessGate that you created earlier, and the absolute path to the httpd.conf file of the web server. For example:

WT_ORACLE_HOME/instances/your_instance/config/OHS/ohs1/httpd.conf

Information for the AccessGate can be found in the Access System Console.

4. After the installation, a new section is inserted in the httpd.conf file between the following entries:

BEGIN WEBGATE SPECIFIC
END Oblix NetPoint Specific

Check to see that the content is consistent with your environment.

5. After installing and configuring the WebGate 10g, continue by configuring the WebLogic domain as described in Section 30.2.4, Configuring the WebLogic Domain for OAM, and performing any additional service and component configurations that apply as described in Section 30.2.6, Additional Single Sign-on Configurations.

30.2.4 Configuring the WebLogic Domain for OAM

If your environment spans multiple domains (for example, a domain for WebCenter Spaces, a separate domain for SOA, and a separate domain for Oracle Content Server), repeat the steps in this section for each domain.

This section includes the following subsections:
■ Section 30.2.4.1, Configuring the Oracle Internet Directory Authenticator
■ Section 30.2.4.2, Configuring the OAM Identity Asserter
■ Section 30.2.4.3, Configuring the Default Authenticator and Provider Order
■ Section 30.2.4.4, Adding an OAM Single Sign-on Provider

30.2.4.1 Configuring the Oracle Internet Directory Authenticator

Assuming Oracle Internet Directory is backing the OAM identity store, an Oracle Internet Directory authenticator (OracleInternetDirectoryAuthenticator) should be configured for the LDAP server that is used as the identity store of OAM, and the provider should be set to SUFFICIENT.

To configure the Oracle Internet Directory authenticator:

1. Log in to the WebLogic Server Administration Console. For information on logging in to the WebLogic Server Administration Console, see Section 1.13.2, Oracle WebLogic Server Administration Console.

2. From the Domain Structure pane, click Security Realms.

The Summary of Security Realms pane displays (see Figure 30–4).

Figure 30–4 Summary of Security Realms Pane

3. Click the realm entry for which to configure the OID authenticator. The Settings pane for the realm displays (see Figure 30–5).

Figure 30–5 Settings Pane

4. Open the Providers tab.

The Provider Settings display (see Figure 30–6).

Figure 30–6 Settings Pane - Providers

5. Click New to create a provider.

The Create a New Authentication Provider pane displays (see Figure 30–7).

Figure 30–7 Create a New Authentication Provider Pane

6. Enter a name for the new provider (for example, OID Authenticator), select OracleInternetDirectoryAuthenticator as its type, and click OK.

7. On the Providers tab, click the newly added provider. The Common Settings pane for the authenticator displays (see Figure 30–8).