I am working on Windows 2003 and 2008.
- I need a very detailed doc with snapshots on how to build OAM 11g as SSO for a UCM server and others like IIS, and what software I have to install for that.
- Please make this doc explain it at a low level.
@ KINGSTAR,
I am currently working on integrating UCM/OBIEE/DISCO with OAM 11g SSO. I don’t have all the steps yet, but for a start you can do:
1. Install OID 11g (11.1.1.4) using http://onlineappsdba.com/index.php/2011/03/23/install-oracle-identity-management-oimidm-11114-oid-ovd-oif-high-level-steps/
2. Install OAM 11g (11.1.1.3) using http://onlineappsdba.com/index.php/2010/08/05/oracleidm-11g-step-by-installation-of-oam-oim-oaam-oapm-oin-111130-part-i-load-schema/
3. Install UCM 11g (11.1.1.4)
4. Change OAM’s Identity Store to OID 11g using http://onlineappsdba.com/index.php/2011/04/27/how-to-integrate-oam-11g-with-oid-11g-for-useridentity-store/
5. Install OHS in front of UCM and configure access of UCM via OHS
6. Integrate UCM with OID 11g – steps coming soon – for time being read http://onlineappsdba.com/index.php/2011/04/16/integrate-oracle-ecmucm-content-management-11g-with-oracle-internet-directory-ldap-server-things-you-must-know/
7. Create webgate instance in OAM 11g for OHS 11g (configured with UCM) using http://onlineappsdba.com/index.php/2011/01/10/part-ix-install-oam-agent-11g-webgate-with-oam-11g/ (You need to configure UCM URL access via OAM. I’ll discuss this step in detail later)
Step 7 with some additional steps will configure SSO.
Hope this helps.
Dear Atul,
a lot of thanks for your response.
Sorry for being late. I have already finished steps 1, 2 and 3,
but please send me the version for OHS, and the documents on how to configure access of UCM via OHS.
I will read the Integrate Oracle ECM/UCM post, but when will the steps come?
Also, there are some additional details in step 7; when will you post them?
@ Kingstar,
Are you using IIS with UCM or would you like to use OHS?
If OHS, then check this link http://onlineappsdba.com/index.php/2009/09/23/configure-oracle-http-server-infront-of-oracle-weblogic-server-mod_wl_ohs/ (replace console with the UCM server URI and port 7001 with the UCM server port)
check link http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15483/extend_ucm.htm#CHDJFGJH
For chapter 7, steps for creating webgate instance and installing webgate are mentioned in my book at https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book
I’ll post UCM specific tasks in chapter 12 of this book.
Dear Atul,
After Change OAM’s Identity Store to OID 11g using and it gives me a successful connection, I can’t log on to http://localhost:7001/oamconsole/faces/pages/AuthZError.jspx?_afrWindowMode=0&_afrLoop=527309410672221&_adf.ctrl-state=74e2vs79f_19
Access Denied
Access to administration console is restricted.
I tried multiple users and can’t log on.
@ KINGSTAR,
Good to hear that your issue is fixed. Could you please share what the issue was and what you did to fix it?
(Was this related to the administrator group for OAM?)
Dear,
mainly it was a misconfiguration in the steps you sent to me.
I reconfigured it step by step and it works well.
Thanks
Dear atul,
I bought your book this evening. I have been trying to configure the SSO based on the scenario you have described to me. Yet, I am not able to configure OHS as a web tier for the WebLogic server. I used OHS 11.1.1.2 but I was never able to be redirected to the WebLogic URL through OHS.
We edited the file (mod_wl_ohs.conf) manually as described in: http://onlineappsdba.com/index.php/2009/09/23/configure-oracle-http-server-infront-of-oracle-weblogic-server-mod_wl_ohs/
Are there any other configurations other than the ones I did, or is it the problem of a non-compliant OHS version?
Many thanks, Atul
@ KINGSTAR,
Thanks for purchasing the book.
Regarding your OHS config issue, could you please share what URL you want to configure via OHS?
Update entry for mod_wl_ohs.conf
Post your UCM weblogic managed server port too
These are the modifications I made to the mod_wl_ohs file (does the hash preceding a line comment it out in the cfg file?)
I tried the URL: http://vmucm:7777/console
to access the WebLogic console on the same machine where OHS is installed; it shows a “page cannot be displayed” message.
Yet when I access the WebLogic console directly: http://vmucm:7001/console
or access the OHS console: http://vmucm:7777
both URLs work properly and show both consoles.
Another question is that you referred me to another document that has configurations for OHS, Link: (http://download.oracle.com/docs/cd/E12839_01/web.1111/e10144/getstart.htm#BEHGIDCB)
Section: (4.4.4 Configuring the mod_wl_ohs Module)
It shows a snapshot of an administration screen that I cannot find; is this a WebLogic administration screen?
Is this additional configuration required, or is modifying the mod_wl_ohs file enough?
# WebLogicHost
# WebLogicPort
# Debug ON
# WLLogFile /tmp/weblogic.log
# MatchExpression *.jsp
#
# SetHandler weblogic-handler
# PathTrim /weblogic
# ErrorPage http:/vmucm:7001/
#
Dear Atul,
This is the body of the modified file: mod_wl_ohs.config (P.S. does the hash key in front of a line in the config file comment it out?)
This empty block is needed to save mod_wl related configuration from EM to this file when changes are made at the Base Virtual Host Level
WebLogicHost
WebLogicPort
Debug ON
WLLogFile /tmp/weblogic.log
MatchExpression *.jsp
SetHandler weblogic-handler
PathTrim /weblogic
ErrorPage http:/vmucm:7001/
The link I am trying to access is: (http://vmucm:7777/console). It should redirect me to the WebLogic console page, but it shows a “page cannot be found” message.
Yet, when I try to access both the WebLogic and the OHS console directly, they work fine.
One other question is that you’ve referred me to a page that had more configurations for OHS, Page: (http://download.oracle.com/docs/cd/E12839_01/web.1111/e10144/getstart.htm#BEHGIDCB)
Section: (4.4.4 Configuring the mod_wl_ohs Module)
I can’t seem to locate where this admin screen is. And is this additional configuration required, or is the mod_wl_ohs modification enough?
@ Kingstar,
Please post mod_wl_ohs related issues in the respective post so others can take help from that. Your hostname and port values are missing in the entry.
Post query in http://onlineappsdba.com/index.php/2009/09/23/configure-oracle-http-server-infront-of-oracle-weblogic-server-mod_wl_ohs/
Dear Atul,
I am still stuck on installing OHS, and I didn’t get any response from onlineappsdba.
I started installing OAM 10.1.4 but I need your guidance and advice:
keep working on 11g or turn to 10.1.4?
Best regards
@ Kingstar,
As mentioned in my comment on http://onlineappsdba.com/index.php/2009/09/23/configure-oracle-http-server-infront-of-oracle-weblogic-server-mod_wl_ohs/
do not use /em but update the config file directly as per my comment.
Don’t go for 10g, stick to OAM 11g (these issues are common in all new implementations)
Dear Atul,
as I mentioned before, I installed WebLogic 10.3.4.0 and OHS 11.1.1.4.
I modified the mod_wl_ohs as in page
but it still didn’t work. PAl I spent 3 days on these steps, advice
@KINGSTAR,
This is a very simple configuration; as mentioned, do not use /em (just edit manually).
I would like to see the entry you made in httpd.conf (the section under which you added the module related to WebLogic)
1. From httpd.conf, paste the section where you added WebLogic related configuration.
2. Listen, Port and ServerName variable values from httpd.conf
3. What is the WebLogic admin server port?
4. On what server is WebLogic running?
I made the edits in the mod_wl_ohs file.
I added:
SetHandler weblogic-handler
WebLogicHost ucmhost
WeblogicPort 7001
*where ucmhost is localhost
I didn’t edit anything in httpd
7001
Both OHS and WLS are on the same server
@ Kingstar,
remove the entry you made in mod_wl_ohs.conf and add a new entry like
[Location /console]
SetHandler weblogic-handler
WebLogicHost ucmhost
WeblogicPort 7001
[/Location]
Replace [ by less than sign
2. Restart http server
3. Access /console via OHS url
If this still doesn’t work, install teamviewer http://teamviewer.com and send me teamviewer ID and password (I can do this just today in next 1-2 hours)
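Added example (not part of the original comments, and not Oracle tooling): a small Python check for the two mistakes this exchange turned on, `WebLogicHost`/`WebLogicPort` left without values and a `weblogic-handler` that is not wrapped in a `<Location>` block. The sample configs are constructed from the entries quoted in the thread, and `lint_mod_wl` is a hypothetical helper name.

```python
import re

# Constructed samples based on the entries quoted in this thread.
BROKEN = """\
# WebLogicHost
WebLogicHost
WebLogicPort
SetHandler weblogic-handler
"""
FIXED = """\
<Location /console>
  SetHandler weblogic-handler
  WebLogicHost ucmhost
  WeblogicPort 7001
</Location>
"""

def lint_mod_wl(text):
    """Return a list of findings for weblogic-handler routing in OHS config text."""
    findings, loc, seen = [], None, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # a leading '#' makes the line a comment
            continue
        m = re.match(r"<Location\s+(\S+)>$", line, re.I)
        if m:                                  # entering a <Location> block
            loc, seen = m.group(1), {}
            continue
        if re.match(r"</Location>$", line, re.I):
            if seen.get("sethandler") == "weblogic-handler":
                for d in ("weblogichost", "weblogicport"):
                    if d not in seen:
                        findings.append(f"{loc}: {d} not set")
            loc = None
            continue
        parts = line.split(None, 1)            # directive names are case-insensitive
        name, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if name in ("weblogichost", "weblogicport") and not value:
            findings.append(f"line {n}: {name} has no value")
        elif name == "weblogicport" and not value.isdigit():
            findings.append(f"line {n}: port '{value}' is not numeric")
        elif name == "sethandler" and value == "weblogic-handler" and loc is None:
            findings.append(f"line {n}: handler not scoped to a <Location>")
        if loc is not None and value:
            seen[name] = value
    return findings
```

Running `lint_mod_wl` over the file before restarting OHS reports each missing value or unscoped handler with its line number; an empty list means the routing entry is complete.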
@ KINGSTAR, not able to connect to this teamviewer ID, check if this is accessible
Dear Atul,
many thanks for your support in solving the OHS problem and also for the telephone call.
Now I will start step 6- Integrate UCM with OID 11g – steps coming soon – for time being read http://onlineappsdba.com/index.php/2011/04/16/integrate-oracle-ecmucm-content-management-11g-with-oracle-internet-directory-ldap-server-things-you-must-know/
Any advice?
Dear Atul,
now I reach step
6. Integrate UCM with OID 11g – steps coming soon – for time being read http://onlineappsdba.com/index.php/2011/04/16/integrate-oracle-ecmucm-content-management-11g-with-oracle-internet-directory-ldap-server-things-you-must-know/
also step 7 will be in the book,
so what can I do now?
Dear Atul
I have changed OAM’s Identity Store to OID.
How do I migrate users, policy and credential store to OID? Any links, docs?
Hi Atul,
I am working on a test scenario for SSO on UCM. I have read this thread and it was very helpful, till I got to this step where I can’t progress any further.
I was working in accordance with your post step by step till step 7, which I am still working on.
I have four separate machines in this test case:
1. OID
2. OAM that is configured to use OID as an identity store.
3. UCM which is using the same OID as an LDAP
4. OHS which is configured to forward URLs to the UCM.
What else am I missing to achieve a running SSO?
@ Kingstar, I am going to cover this on this blog in weeks time. Stay tuned
@ elkouz
Things missing in your case are
1. WebGate instance in OAM
2. Webgate installation with OHS
3. Policy to protect/unprotect UCM
Dear Atul,
correct me if I am wrong:
1- OHS redirects the traffic for the UCM server (login page)
2- I configured a webgate instance in OAM for OHS
3- I installed the Oracle Access Manager – OHS 11g Webgates on the OHS server
Is that right?
BR
Dear Atul,
I have continued working on the implementation of SSO on OAM and UCM.
This is the second time I have implemented this step, which is listed in step 6.1 of your blog, linked: http://onlineappsdba.com/index.php/2011/01/10/part-ix-install-oam-agent-11g-webgate-with-oam-11g/#comment-138836
Whenever I reach this point everything stops working, while everything before this point works just fine. For example: when I enter the URL of the UCM preceded by the OHS URL, the OHS redirects me back to the UCM page, and so does every other URL defined in the mod_wl_ohs file.
While after finishing step 6.1 OHS stops redirecting URLs.
Kindly advise on what configurations I am missing.
Regards,
Khaled elkouz
@ elkouz,
After installing/configuring webgate with OHS 11g, can you start OHS 11g without issues?
Please note that we also provide remote consulting where we can fix your issues remotely for a reasonable fee. Please share your contact details or contact us at admin @ onlineAppsDBA.com or atul @ onlineAppsDBA.com
Yes, the OHS is started but it didn’t seem to work (it didn’t redirect the URL traffic) to UCM,
so when I test the URL no page is displayed.
It happened, as I told you in my previous comment, after step 6.1,
but before that the OHS was working fine.
Dear Atul,
when I turned the OAM server off and tried to access the UCM link from the OHS server, I got this output on the webpage:
Oracle Access Manager Operation Error
Oracle Access Manager Operation Error
The WebGate plug-in is unable to contact any Access Servers.
Contact your website administrator to remedy this problem.
I thought it might be useful for you to figure out the problem I have.
thank you
thank
@ elkouz,
This means that UCM related configuration is missing in OAM Console (for application domain which you created during webgate registration)
Dear Atul,
Is it possible to enable WebLogic Single Sign-On without having OIM/OAM?
I’m new to WebLogic and have a WebSphere background. WebSphere has a feature called LTPA that can do single sign-on. I wonder whether WebLogic has something similar to this.
Thanks in advance,
Hey,
I have Weblogic/OHS and Webcache all on the same server.
On my other server when I get server:7001/em
I click on webcache / on the right panel I see the host listed as origin server. But for one server it does not. Any idea what could be the issue?
DBA is out for now..
Thanks
Joe
@joe,
What do you mean by “on my other server” & “But for one server it does not”, I don’t think I understand your issue – please explain ?
Atul – I have other WebLogic servers with OHS and Webcache components installed.
And on these servers the Webcache panel shows the “origin server” listed under it.
But one server where WebLogic with OHS and Webcache is installed does not show the host listed under the “origin server” for webcache.
I go to this issue / server:7001/em
click on web tier / click on webcache / on the right panel there is a heading for “origin server” and under it there are no servers listed
I keep getting this when I try to log in to my site: Oracle Access Manager Operation Error
Access to the URL has been denied for user .
Contact your website administrator to remedy this problem.
@ Fox,
What is URL ?
Is this for all the URLs ?
Is this for all the Users ?
What version of WebGate do you have ?
@ Fox,
This could be for multiple reasons –
What is WebGate version (10g or 11g) ?
What is flag ‘Deny on not protected’ for webgate that is protecting the URL ?
Is this URL allowed in OAM server ?
I want to use OAM to secure the SOAP & REST based webservices created using Apache CXF.
Could somebody guide me thru…
or pls provide me some links..
I’ve downloaded the ofm_oam_sdk_generic_11.1.1.5.0 which is having only one .jar file
oamasdk-api.jar
Hi Atul and other experienced techies.
I am trying to implement SSO between a custom application that is deployed on WebLogic 10.3 and OAM (10.1.4.3). Here is the configuration:
I have an apache 2.2.23 configured as a reverse proxy in front of WebLogic 10.3. I have installed webgate on apache and it is communicating with OAM.
I have deployed the oamAuthnProvider.jar file to mbeantypes folder under weblogic server/lib.
Configured an identityasserter based on the oamauthnprovider and populated the provider specific items such access gate name, password, etc.
Everything is fine so far. I have created a virtual host entry in apache that points to the application that is deployed on WebLogic.
Here is the problem:
======================
When I access the secured URL through apache the webgate is intercepting the http request and requesting user credentials. After providing the credentials, the webgate is authenticating the user against OAM and getting obSSOCookie and forwarding the request to WebLogic (so far so good).
WebLogic in turn is sending the obSSOCookie to OAM for validation. That’s when I am getting the following error.
I have confirmed with my OAM Identity team all the passwords and other configuration parameters are exactly what they have in OAM. It is very puzzling why I am getting this error. One more piece of information, both webgate and the weblogic identity asserter are using the same access gate.
Any help to unravel this error is highly appreciated.
Thanks
Raj
@rmallamp@yahoo.com
What all Authentication providers did you configure in Weblogic security realm ? What is JAAS flag for these newly added authentication providers ?
OID is the user/group repository (LDAP server) where users that try to log in to the OAM server are stored.
OAM server is a single sign-on application that takes the user’s credentials, validates them against OID (or LDAP server) and creates a user session to pass on to the business application.
Hi Atul,
My application is running on JBoss at http://xxx.sample.com:8080/sample and I had an Apache proxy server which forwards all the requests to JBoss. I protected the Apache URL (http://yyy.sample.com/sample) with OAM 11g by using Webgate 10g.
My resource protection is like /sample/…/*
But if I access http://yyy.sample.com/sample/headers.jsp it redirects to the OAM SSO login page, and after successful authentication it redirects to http://yyy.sample.com/sample/dashboard.jsp, which is configured as the success URL in the authentication policy.
How can I manage to redirect back to /sample/headers.jsp without affecting the actual authentication policy?