Click Security Realms, Default Realm Name, Providers. Select the Users and Groups tab to see a list of users and groups contained in

Configuring Single Sign-On using OracleAS SSO 10g 17-19

OHS Is Not Redirecting to SSO - Internal Server Error 500

The most likely source of this problem is an incorrect configuration. The following sample uses Oracle HTTP Server 11g. Path names are different if you have Oracle HTTP Server 10g.

To address it, proceed as follows:

1. Open the file mod_osso.conf and ensure that the resource is protected. For example:

    ORACLE_INSTANCE/config/OHS/ohs_name/moduleconf/mod_osso.conf

    <Location /protected-resource-uri>
      require valid-user
      AuthType Basic
    </Location>

2. Ensure that osso.conf is present and included in mod_osso.conf. For example (using Oracle HTTP Server 11g; paths are different for 10g):

    OssoConfigFile ORACLE_INSTANCE/config/OHS/ohs_name/osso/osso.conf

3. Ensure that httpd.conf includes mod_osso.conf. For example (using Oracle HTTP Server 11g; paths are different for 10g):

    ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf

    include ORACLE_INSTANCE/config/OHS/ohs_name/moduleconf/mod_osso.conf

4. If all of the above were correctly specified, the SSO registration did not complete successfully and you must re-register SSO. To register SSO, proceed as follows using the appropriate ssoreg tool for your platform. For example:

   a. Run ssoreg.sh in 10.1.4 ORACLE_HOME/sso/bin to produce the file osso.conf. The following is a sample usage of this utility that produces the file in /tmp/osso.conf (the arguments are displayed in different lines only for illustration):

        ssoreg.sh -oracle_home_path OraHome
                  -site_name wls_server
                  -config_mod_osso TRUE
                  -mod_osso_url http://host.domain.com:6666
                  -update_mode CREATE
                  -remote_midtier
                  -config_file /tmp/osso.conf

   b. Copy the generated osso.conf to another file system directory. For example: ORACLE_INSTANCE/config/OHS/ohs_name/osso.

   c. Restart OHS.

Note: There is no set location for osso.conf. The value is determined at registration time; it can be any absolute path.

17-20 Oracle Fusion Middleware Application Security Guide

Is Attribute AuthName Required?
Log messages might suggest that the attribute AuthName is required, and certain versions of Apache do require this attribute. This example uses Oracle HTTP Server 11g. Path names are different for Oracle HTTP Server 10g.

To include this attribute, edit the file mod_osso.conf and insert a fragment like the following:

    LoadModule osso_module modules/mod_osso.so
    <IfModule mod_osso.c>
      OssoIdleTimeout off
      OssoIpCheck on
      OssoConfigFile ORACLE_INSTANCE/config/OHS/ohs_name/osso/osso.conf
      <Location />
        AuthName "Oracle Single Sign On"
        require valid-user
        AuthType Basic
      </Location>
    </IfModule>

URL Request not Redirected to SSO

Once a URL request is issued, if a basic pop-up is displayed instead of the request being redirected to SSO, then, most likely, the URL request has been intercepted by the Apache authorization module.

To address this problem, proceed as follows:

1. Edit the file httpd.conf and comment out the lines that load the authorization modules, as illustrated in the following fragment:

    ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf

    # LoadModule access_module modules/mod_access.so
    # LoadModule auth_module modules/mod_auth.so
    # LoadModule auth_anon_module modules/mod_auth_anon.so
    # LoadModule auth_db_module modules/mod_auth_dbm.so
    # LoadModule proxy_module modules/mod_proxy.so

2. Restart OHS.

Error 404 - Not Found is Issued (OHS Side)

Typically, this error has the following format:

    The requested URL request-uri was not found on this server

Most likely, the WebLogic redirect is not happening, and the request is attempting to fetch an OHS resource that is not available.
To address this problem, verify that mod_weblogic is included in the file httpd.conf and that the WebLogic handler is set for the request pattern, as illustrated in the following fragment:

    httpd.conf

    <IfModule mod_weblogic.c>
      WebLogicHost host
      WebLogicPort yourWlsPortNumber
    </IfModule>

    <Location /request-uri-pattern>
      SetHandler weblogic-handler
    </Location>

Error 404 - Not Found is Issued (Oracle WebLogic Server Side)

Typically, this error has the following format:

    Error 404--Not Found

Cause

This message indicates that Oracle WebLogic Server is not able to find a resource.

Solution

To address the problem, check that the resource is indeed deployed on the server. For example, if the pattern is /private1/Hello, check that Hello is accessible on the server with private1 as root.

Oracle SSO Failure - Unable to process request

Problem

You receive a message stating:

    Oracle SSO Failure - Unable to process request
    Either the requested URL was not specified in terms of a fully-qualified host name or Oracle HTTP Server single sign-on is incorrectly configured.
    Please notify your administrator.

Solution

Modify the Oracle HTTP Server httpd.conf file to include a port number in the ServerName and restart the Web server. For example:

    From: ServerName host.domain.com
    To:   ServerName host.domain.com:port

OSSO Solution for Applications Deployed on a Stand-alone WebLogic Server

This chapter describes how to configure single sign-on (SSO) for applications that are deployed on Oracle Fusion Middleware Oracle WebLogic Server. However, details for applications that are deployed on a stand-alone Oracle WebLogic Server (one without Fusion Middleware) are provided here:

■ Oracle Fusion Middleware with OSSO: The required OSSO Identity Asserter (ossoiap.jar) is provided automatically when you install Oracle Fusion Middleware: Oracle Identity Management, Oracle SOA Suite, or Oracle WebCenter.
■ Stand-Alone Oracle WebLogic Server with OSSO: The required OSSO Identity Asserter (ossoiap.jar) must be acquired from the Oracle Web Tier, as described here.

Note: Oracle Fusion Middleware with OSSO enables you to use either the Oracle HTTP Server 10g or 11g Web server.

Whether you use OSSO for Oracle Fusion Middleware applications or other applications, the Identity Asserter performs the same functions as those illustrated and described in Using the OSSO Identity Asserter.

Included in the following are additional, optional details that you can use to configure and test Single Logout for session invalidation and synchronization between the SSO cookie and the JSESSIONID cookie. Required files must be acquired from the Oracle Web Tier.

Task overview: Deploying and configuring the OSSO Identity Asserter for applications on a stand-alone WebLogic Server

1. Install Oracle WebLogic Server 10.3.1+ and other required components as follows:

   a. Perform Step 1, a-d as described in the Task overview: Deploying and configuring the OSSO Identity Asserter for applications on a stand-alone WebLogic Server on page 17-22.

   b. Skip Step 1e and instead deploy your application.

2. Create a WebLogic security domain with the weblogin domain extension template that is supplied with Oracle WebLogic Server and can be used from WLS_HOME/common/bin/config.sh.

3. Configure mod_weblogic to forward requests to Oracle WebLogic Server, as explained in Configuring mod_weblogic on page 17-6.

4. Register and configure the module mod_osso with the 10g SSO Server as a partner application, as described in New Users of the OSSO Identity Asserter on page 17-4.

   a. Perform steps described in Registering Oracle HTTP Server mod_osso with OSSO Server 10.1.4 on page 17-7.

   b. Perform steps described in Configuring mod_osso to Protect Web Resources on page 17-8.

5. Add Authentication Providers to the appropriate security domain as follows:

   a. Acquire the OSSO Identity Asserter (ossoiap.jar) from the Oracle Web Tier at:

        ORACLE_INSTANCE/modules/oracle.ossoiap_11.1.1/ossoiap.jar

   b. Copy ossoiap.jar into WLS_HOME/wlserver_10.x/server/lib/mbeantype, then restart the Oracle WebLogic Server.

   c. Configure providers as described in Adding Providers to a WebLogic Domain for OSSO on page 17-12.

6. Configure the Oracle WebLogic Connection Filtering mechanism to create access control lists and accept requests from the hosts where Oracle HTTP Server and the front-end Web server are running, as explained in Establishing Trust Between Oracle WebLogic Server and Other Entities on page 17-14.

Note: Without Fusion Middleware, OSSO requires Oracle HTTP Server 11g.

Note: Test the secured application to ensure that it is working with the default authenticator using the Oracle WebLogic Server host and port.
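
Added example (not part of the Oracle guide): the configuration checks from the troubleshooting sections above (mod_osso.conf included from httpd.conf, OssoConfigFile present, a protected Location block, the Apache authorization modules commented out, ServerName carrying a port) scripted as one Python audit. The function names, the sample paths under /u01/inst and the sample host are assumptions made for illustration.

```python
import re

# Modules that the httpd.conf fragment above shows commented out.
CONFLICTING = {"access_module", "auth_module", "auth_anon_module",
               "auth_db_module", "proxy_module"}

def active(text):
    """Directive lines only: blanks and '#' comments are dropped."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def audit(httpd_conf, mod_osso_conf, file_exists):
    """Return findings; file_exists is callable(path) -> bool (os.path.isfile on a host)."""
    findings, httpd, osso = [], active(httpd_conf), active(mod_osso_conf)
    if not any(re.match(r'(?i)include\s+\S*mod_osso\.conf"?$', l) for l in httpd):
        findings.append("httpd.conf does not include mod_osso.conf")
    paths = [l.split(None, 1)[1] for l in osso
             if re.match(r"(?i)OssoConfigFile\s+\S", l)]
    if not paths:
        findings.append("mod_osso.conf has no OssoConfigFile")
    elif not file_exists(paths[0]):
        findings.append("osso.conf missing: " + paths[0])
    # A protected resource needs both directives inside one <Location> block.
    blocks = re.findall(r"(?is)<Location\s[^>]*>(.*?)</Location>", "\n".join(osso))
    if not any(re.search(r"(?i)require\s+valid-user", b)
               and re.search(r"(?i)AuthType\s+Basic", b) for b in blocks):
        findings.append("no <Location> with require valid-user and AuthType Basic")
    for l in httpd:
        mod = re.match(r"(?i)LoadModule\s+(\w+)", l)
        if mod and mod.group(1) in CONFLICTING:
            findings.append(mod.group(1) + " is loaded and can intercept the request")
        name = re.match(r"(?i)ServerName\s+(\S+)$", l)
        if name and not re.search(r":\d+$", name.group(1)):
            findings.append("ServerName " + name.group(1) + " has no port")
    return findings

# Constructed sample files; paths and host are placeholders, not from a real system.
BAD_HTTPD = """ServerName host.domain.com
LoadModule auth_module modules/mod_auth.so
# include /u01/inst/config/OHS/ohs1/moduleconf/mod_osso.conf
"""
MOD_OSSO = """OssoConfigFile /u01/inst/config/OHS/ohs1/osso/osso.conf
<Location /app>
  require valid-user
  AuthType Basic
</Location>
"""
if __name__ == "__main__":
    print("\n".join(audit(BAD_HTTPD, MOD_OSSO, lambda path: False)))
```

On a real host, pass the contents of httpd.conf and mod_osso.conf and use os.path.isfile as file_exists; an empty list means none of the listed misconfigurations were found.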