Configuring Single Sign-On Using Oracle Access Manager 10g 16-35 6. Testing Identity Assertion for SSO with OAM 10g 7. Configuring Global Logout for Oracle Access Manager 10g and 10g WebGates

16.4.1 Establishing Trust with Oracle WebLogic Server

The following topics explain the tasks you must perform to set up the application for single sign-on with the Oracle Access Manager Identity Asserter: ■ Setting Up the Application Authentication Method for SSO ■ Confirming mod_weblogic for Oracle Access Manager Identity Asserter ■ Establishing Trust between Oracle WebLogic Server and Other Entities

16.4.1.1 Setting Up the Application Authentication Method for SSO

This topic describes how to create the application authentication method for Oracle Access Manager Identity Assertion. When you use the Oracle Access Manager Identity Asserter, all web.xml files in the application EAR file must specify CLIENT-CERT in the element auth-method for the appropriate realm. The auth-method can use BASIC, FORM, or CLIENT-CERT values. While these look like similar values in Oracle Access Manager, the auth-method specified in web.xml files are used by Oracle WebLogic Server not Oracle Access Manager. To specify authentication in web.xml for the Identity Asserter and OAM 10g 1. Locate the web.xml file in the application EAR file: your_app WEB-INFweb.xml 2. Locate the auth-method in login-config and enter CLIENT-CERT. login-config auth-methodCLIENT-CERTauth-method login-config 3. Save the file. 4. Redeploy and restart the application. 5. Repeat for each web.xml file in the application EAR file. 6. Proceed to Confirming mod_weblogic for Oracle Access Manager Identity Asserter . Note: This task is the same for both OAM 11g and OAM 10g. See Also: Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server Note: You can specify CLIENT-CERT, FORM if you are also planning to access the applications directly over WebLogic and want the WebLogic authentication scheme to be invoked. 16-36 Oracle Fusion Middleware Application Security Guide

16.4.1.2 Confirming mod_weblogic for Oracle Access Manager Identity Asserter

Oracle HTTP Server includes the mod_weblogic plug-in module mod_wl_ohs.so in 11g which is already enabled. You can perform the following procedure to confirm this or skip this procedure. With Oracle HTTP Server 11g, the mod_weblogic configuration is present in mod_wl_ ohs.conf by default, and the path of this file is included in httpd.conf. If the mod_ weblogic configuration is not present then you must edit httpd.conf. To configure mod_weblogic for the Identity Asserter and OAM 10g 1. Locate httpd.conf. For example: ORACLE_INSTANCEconfigOHSohs_namehttpd.conf 2. Confirm that the following statement is in the file with appropriate values for your deployment add or uncomment this, if needed: IfModule mod_weblogic.c WebLogicHost yourHost.yourDomain.com WebLogicPort yourWlsPortNumber IfModule Location http:request-uri-pattern SetHandler weblogic-handler Location 3. Save the file. 4. Proceed to Establishing Trust between Oracle WebLogic Server and Other Entities .

16.4.1.3 Establishing Trust between Oracle WebLogic Server and Other Entities

The Oracle WebLogic Connection Filtering mechanism must be configured for creating access control lists and for accepting requests from only the hosts where Oracle HTTP Server and the front-end Web server are running. A network connection filter is a component that controls the access to network level resources. It can be used to protect resources of individual servers, server clusters, or an entire internal network. For example, a filter can deny non-SSL connections originating outside of a corporate network. A network connection filter functions like a firewall since it can be configured to filter protocols, IP addresses, or DNS node names. It is typically used to establish trust between Oracle WebLogic Server and foreign entities. To configure a connection filter to allow requests from only mod_weblogic and the host where OHS 11g is running, perform the procedure here. Note: This topic is the same whether you are using OSSO or Oracle Access Manager. Note: This chapter uses the generic name of the WebLogic Server plug-in for Apache: mod_weblogic. For Oracle HTTP Server 11g, the name of this plug-in is mod_wl_ohs; the actual binary name is mod_ wl_ohs.so. Examples show exact syntax for implementation. Configuring Single Sign-On Using Oracle Access Manager 10g 16-37 WebLogic Server provides a default connection filter: weblogic.security.net.ConnectionFilterImpl. This filter accepts all incoming connections and also provides static factory methods that allow the server to obtain the current connection filter. To configure this connection filter to deny access, simply enter the connection filters rules in the WebLogic Server Administration Console. You can also use a custom connection filter by implementing the classes in the weblogic.security.net package. Like the default connection filter, custom connection filters are configured in the WebLogic Server Administration Console. Connection Filter Rules: The format of filter rules differ depending on whether you are using a filter file to enter the filter rules or you enter the filter rules in the Administration Console. When entering the filter rules on the Administration Console, enter them in the following format: targetAddress localAddress localPort action protocols Table 16–10 provides a description of each parameter in a connection filter. The Connection Logger Enabled attribute logs successful connections and connection data in the server. This information can be used to debug problems relating to server connections. To configure a connection filter to allow requests from the host of the 11g Oracle HTTP Server 1. Log in to the Oracle WebLogic Administration Console. 2. Click Domain under Domain Configurations. 3. Click the Security tab, click the Filter tab. 4. Click the Connection Logger Enabled attribute to enable the logging of accepted messages for use when debugging problems relating to server connections. 5. Specify the connection filter to be used in the domain: ■ Default Connection Filter: In the Connection Filter attribute field, specify weblogic.security.net.ConnectionFilterImpl. ■ Custom Connection Filter: In the Connection Filter attribute field, specify the class that implements the network connection filter, which should also be specified in the CLASSPATH for Oracle WebLogic Server. Table 16–10 Connection Filter Rules Parameter Description target Specifies one or more systems to filter localAddress Defines the host address of the WebLogic Server instance. If you specify an asterisk , the match returns all local IP addresses. localPort Defines the port on which the WebLogic Server instance is listening. If you specify an asterisk, the match returns all available ports on the server. action Specifies the action to perform. This value must be allow or deny protocols Is the list of protocol names to match. The following protocols may be specified: http, https, t3, t3s, giop, giops, dcom, ftp, ldap. If no protocol is defined, all protocols match a rule. See Also: Configuring Security in a WebLogic Domain in Oracle Fusion Middleware Securing Oracle WebLogic Server 16-38 Oracle Fusion Middleware Application Security Guide 6. Enter the appropriate syntax for the connection filter rules. 7. Click Save. 8. Restart the Oracle WebLogic Server. 9. Proceed to Configuring the Authentication Scheme for the Identity Asserter .

16.4.2 Configuring the Authentication Scheme for the Identity Asserter

This topic focuses on using OAMCfgTool for OAM 10g. If you are using OAM 11g, skip this topic and instead perform tasks in Provisioning an OAM Agent with Oracle Access Manager 11g . After setting up your application, you must protect it with Oracle Access Manager. To help automate this task, Oracle provides the command-line tool: OAMCfgTool in the Fusion Middleware application-provided oamcfgtool.jar file for OAM 10g. While you can perform steps manually in the Access System Console and Policy Manager, you can optionally use OAMCfgTool to setup and validate a form-based authentication scheme, a policy domain for the application, and Oracle Access Manager access policies required for Identity Assertion for single sign-on. Additionally, you can create a new WebGate profile in a fresh Web Tier or modify a WebGate profile in an existing Web Tier. For more information, see Creating an Authentication Scheme, Policy Domain, and a WebGate Profile .

16.4.2.1 Creating an Authentication Scheme, Policy Domain, and a WebGate Profile

This topic provides a procedure that you can use as a model when you run OAMCfgTool. This example presumes a fresh Web Tier that requires a new WebGate profile. Therefore, the web_domain= parameter is omitted. A new profile is created and named with the app_domain value appended with _AG. The following procedure is only an example to illustrate how to use the tool. Values for your environment will be different. To create a form authentication scheme, policy domain, and access polices with OAMCfgTool

1. No Oracle Fusion Middleware Application

: Obtain the OAMCfgTool if you have no Oracle Fusion Middleware application. a. Log in to Oracle Technology Network at: http:www.oracle.comtechnologysoftwareproductsmiddlewareht docs111110_fmw.html b. Locate the OAMCfgTool ZIP file with Access Manager Core Components 10.1.4.3.0: oamcfgtoolversion.zip See Also: Introduction to OAMCfgTool on page 16-15 Note: If you have an Oracle Fusion Middleware application installed you already have the OAMCfgTool. In this case, skip Step 1. Configuring Single Sign-On Using Oracle Access Manager 10g 16-39 c. Extract and copy oamcfgtool.jar to the computer hosting WebGate. 2. Confirm that JDK 1.6 or the latest version is installed and configured. 3. Log in to the computer that is hosting the application to protect, change to the file system directory containing OAMCfgTool. 4. Create a WebGate Profile, Authentication Scheme, and Policy Domain: Run the following command using values for your environment as described in Table 16–5 . For example: echo ldappwd | java -jar oamcfgtool.jar mode=CREATE app_domain=IASSO_App1 protected_uris=myapplogin cookie_domain=preferred_http_cookie_domain ldap_host=wxyz ldap_port=6633 ldap_userdn=orcladmin oam_aaa_host=abcd oam_aaa_port=7789 oam_aaa_mode=cert log_file=OAMCfg_date.log log_level=INFO output_ldif_file=LDIF_filename -noprompt 5. Review the information provided by the tool. For example, the parameters and values in Step 3 would provide the following information: Processed input parameters Initialized Global Configuration Successfully completed the Create operation. Operation Summary: Policy Domain : IASSO_App1 Host Identifier: IASSO_App1 Access Gate ID : IASSO_App1_AG

6. Output LDIF Created

: Import the LDIF to write information to the directory server. Otherwise, skip this step.

7. Validate

: Run OAMCfgTool to validate the policy domain that was created see Table 16–7 . For example: echo ldappwd | java -jar oamcfgtool.jar mode=VALIDATE app_domain=IASSO_App1 protected_uris=myapplogin ldap_host=wxyz ldap_port=6633 ldap_userdn=orcladmin oam_aaa_host=abcd oam_aaa_port=7789 log_file=OAMCfg_date.log log_level=INFO test_username=gcf Note: ■ Fresh Web Tier: Omit web_domain parameter to create and associate a new a profile. Include the cookie_domain parameter. ■ Existing Web Tier: Include web_domain parameter with the value of an existing host identifier.