OAM integration with WebLogic for different versions

Hi all,

As you might have observed, the integration between Oracle Access Manager and WebLogic Server varies with the version of Oracle Access Manager, and so does its architecture.

So I would like to give a brief overview of what the architecture looks like and which components are needed for this integration.

Until OAM 10.1.4.2, the connector used between OAM and WebLogic is the SSPI connector, which is available for download separately. The SSPI connector configuration is not easy to get working, as customers end up running into a lot of issues with access privileges, WebLogic startup, etc. However, there is no difference in the components used for this integration in both WebLogic versions except the separate SSPI connector. You need a proxy in front of WebLogic if you want to achieve Single Sign-On, and just an AccessGate if you want to authenticate to WebLogic as an OAM user. If you are looking for authentication only, you don't need a WebGate for proxying. From an architecture perspective, you need a connector (installed explicitly) sitting inside the WebLogic server. The working authentication schemes are Basic and Form.

Moving to the new version, from OAM 10.1.4.3 onwards the connector has been removed, so the integration becomes much easier and the architecture simpler. A jar file called oamAuthnProvider.jar (for OAM 10.1.4.3) has been introduced, which acts as an alternative to the SSPI connector. Internally, it contains classes to talk to WebLogic Server and the OAM access server. This jar file has to be copied to the lib directory of the WebLogic server being integrated. An Identity Asserter has to be created in the WebLogic server, which listens for the ObSSOCookie. The recommended authentication scheme for WLS 10.3.1 is Form Login.

References:

Blog by Josh Bregman

OAM Documentation

Any comments/suggestions are highly appreciated.

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience with the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com

21 comments
» Oracle Access Manager 10.1.4.3 integration with WebLogic Server Online Apps DBA: One Stop Shop for Apps DBA’s says May 13, 2010

[…] Oracle Access Manager 10.1.4.3 integration with WebLogic Server. Posted on May 13th, 2010 by Mahendra in idm, installation, integration, oam, sso, troubleshooting, weblogic. Until many people have asked me for the integration process and flow of Oracle Access Manager 10.1.4.3 (latest version) with WebLogic Server, it did not strike in my mind to do a write up on this. Anyway better late than never. Before we go into the integration process, check this. […]

bharathi says June 9, 2010

Hi Mahendra, I have installed OAM 10.1.4.3 using an OHS standalone web server, and I have WLS 10.3.2. I am trying to integrate OAM with WLS, but I did not find the oamAuthnProvider.jar within OAM 10.1.4.3. Can you please let me know the location of the jar and also the procedure for integration?

Mahendra says June 9, 2010

Hi Bharathi,

You will find the jar file with the webgate installable. It will be ofm_oam_webgates_win_10.1.4.3.0_disk1_1of1.zip.
You can follow the post http://onlineappsdba.com/index.php/2010/05/13/oracle-access-manager-10143-integration-with-weblogic-server/ . This will be comprehensive enough.

Let me know if you face any issues.

bharathi says June 11, 2010

Hi Mahendra,

When I try to run the following command,

C:\Oracle\Middleware\jdk160_14_R27.6.5-32\bin>java -jar C:\oamAuthnProvider.jar mode=CREATE app_domain=SamplePolicy web_domain=WLS protected_uris="/example/failure.jsp,/example/success.jsp" ldap_host=10.154.18.240 ldap_port=451 ldap_userdn="cn=Directory Manager" ldap_userpassword=password oam_aaa_host=10.154.18.240 oam_aaa_port=6021

I am getting the error message – “Failed to load Main-Class manifest attribute from C:\oamAuthnProvider.jar”

Please help in resolving this error. I have my application in the WLS and I have made a reverse proxy for WLS and OHS Standalone WebServer and installed Webgate on this OHS. Please suggest the solution.

Mahendra says June 11, 2010

Hi Bharathi,

Can you please tell me what you are trying to achieve?

Could you please explain the reason for executing the java with those params?

If you are trying for SSO for apps deployed in WLS 10.3.1 or 10.3.2 using OAM 10.1.4.3, then I would suggest you go through this post: http://onlineappsdba.com/index.php/2010/05/13/oracle-access-manager-10143-integration-with-weblogic-server/

You will be achieving this using Identity Asserter as explained in the post.
Also, the current configuration in your environment i.e., OHS as reverse proxy with webgate is correct.

So, what I guess you need to do is to configure the WLS realm with Identity Asserter and LDAP Authenticator.

Let me know if you have any issues.

HTH.

Mahendra.

Atul Kumar says June 15, 2010

@ Bharathi,
It seems you are trying to use the automatic method of FMW integration with OAM.

You can do these steps manually as well; let me know which component (soa, webcenter or idm) you are trying to integrate with OAM and I’ll give you the steps.

Do you have oamAuthnProvider.jar in the C drive? If yes, from where did you get this jar file?

cristiano says September 27, 2010

Hi,
I have to integrate OAM 10.1.4.3 with WebLogic 10 MP1.

Do I have to use SSPI or the auth provider?

Mahendra says September 27, 2010

cristiano,

I think you have to use SSPI connector.

Mahendra.

cristiano says October 24, 2010

The version of Oracle WebLogic is 10 MP1 64-bit, but on the OAM certmatrix it seems to be compatible only with the 32-bit version of WebLogic. Is that correct?

Mahendra says October 24, 2010

Cristiano,

I am not sure of this. What I can tell you is that most of the customers use 64-bit and not 32-bit. Hence there might be some tweaking possible to make that work.

Good Luck.

-Mahendra.

Vikrant says December 10, 2011

Hi Mahendra,
Excellent post. I had been looking into this issue for a long time and was not finding anything precise.
I am trying to integrate OAM 10.1.4 (different machine) with WebLogic 10.3.5 (actually IPM 11.1.1.5).

I am looking for a list of components to be installed on my WebLogic server machine so that it can talk with the OAM server machine. I guess the following are the components:
1. SSPI connector
2. Web server – Oracle HTTP server 11g
3. Webgate 11g in the web server.
4. Create security provider in Weblogic

Right?

Regards,
Vikrant Korde

Atul Kumar says December 10, 2011

@ Vikrant,
With FMW 11g (including IPM), the SSPI connector is not required any more. Here are the steps:

1. Web server – Oracle HTTP server 11g
2. Webgate 11g in the web server.
3. Create identity provider in Weblogic to point to LDAP server
4. Configure OAM identity asserter in weblogic (on which IPM is hosted)
5. Protect IPM url and ADF authentication URI in OAM

You can see OAM integration with OBIEE or WebCenter http://onlineappsdba.com/index.php/2011/12/05/integrate-obiee-11g-with-oam-11g-for-single-sign-on-in-13-steps/ (change URIs to point to IPM)

Mahendra says December 10, 2011

Vikrant,

You will get the OAM identity asserter jar OOTB, so you don’t have to install any SSPI connector here. All you need is to check the certification matrix to see whether the versions are certified for integration.

-M

Vikrant Korde says January 7, 2012

Thanks Atul and Mahendra for the response.
I am still struggling with the integration. Here are the details of my environment

1. I have Weblogic installed on M1
2. IPM 11g is also installed in weblogic present in M1
3. I have installed OHS 11g on M1.
4. Added the entries in mod_wl_ohs.conf, so now when I type the URL http://M1:7777/imaging/ it shows the page as if I had entered http://M1:16000/imaing. I believe I have configured the reverse proxy properly.
5. OAM 10g is already installed on another machine, M2, and it has been configured with other systems like EBS, etc.
6. I have configured Host Identifiers, Access gate and policy domain using the console method, as oamcfgtool was not available.
7. Using the “access tester” link available on machine M2 under Policy domain, I tested the URL, i.e. http://M1:7777/imaing. It picked up the policy properly and says the user is authorized.
8. I believe the policy manager is properly configured.
9. I have installed Webgate (ofm_oam_webgates_win_10.1.4.3.0_64_disk1_1of1.zip) on machine M1 and added the details which I used for configuring Access Manager on M2 (where OAM is installed). It gave me a success message.
10. Then it modified the httpd.conf file of OHS 11g on the same machine i.e. M1.
11. Configured OID authenticator in weblogic
12. Configured OAM identity asserter in weblogic

Here are the problems.
1. I cannot see users from the OID authenticator in the “users & groups” tab of WebLogic.
2. I cannot see users from OAM in the “users & groups” tab of WebLogic.
3. When I enter http://M1:7777/imaing it is not sending me to the OAM login page. It is sending me to the IPM login page.

Please help.

Atul Kumar says January 8, 2012

@ Vikrant Korde,
Your issue is that you can’t see OID users/groups under weblogic (after weblogic OID integration).

This could be because of a wrong entry in the OID Authenticator screen, or because the WebLogic machine is unable to contact the OID server.

To find the root cause, enable logging in the WebLogic admin server like this:

WebLogic Console -> Expand Environment -> Servers -> on right panel click AdminServer -> select tab Debug -> expand WebLogic -> Security -> select atn & atz and click on button Debug

Now go to tab users & groups on security realm

Check Admin Server log file for errors related to OID users/groups

Vikrant Korde says January 11, 2012

@ Atul

Yes, I found the reason behind this. I was not giving the correct values in the Base DN, All Users Filter & User From Name Filter fields.

I could find out the correct values with the help of LDAP browser production and tried different searches till I got the list of users and groups.

I am still not able to figure out the mistakes behind the OAM Identity Asserter provider.

Regards,
Vikrant Korde

bruno says February 5, 2013

Hi Mahendra,

I have the following environment:
Oracle Weblogic Portal 10.3.0
Oracle Weblogic 10.3.0 & 10.3.6
I want to use OAM11gR2 to protect the portal & SSO to apps. Which Auth & Identity Asserter should I use?

Regards,
Bruno

Mahendra says February 6, 2013

Bruno,

You can download the oamAuthnProvider.zip file from OTN for 10g webgates with OAM 11gR2.

Thereafter you would need to copy oamAuthnProvider.jar to location $BEA_HOME/wlserver_10.x/server/lib/mbeantypes/oamAuthnProvider.jar

and follow other steps as described in OAM 11gR2 administration guide.

Hope this helps.

-Mahendra.

Vijay says April 10, 2013

Hi Mahendra,

Is it possible to integrate WebLogic 10.3.4 with OAM 10.1.4.2?
Do I still need the WebLogic SSPI connector to do this?

Thanks
Vijay

Mahendra says April 10, 2013

Hi Vijay,

SSPI connector is required because OAM version is 10.1.4.2.

-Mahendra

Narendra Challa says August 19, 2013

Hi Mahendra,

I have a question for you.

Can we integrate an Oracle Forms application with OAM 11g using the 11g webgate?
Or
is the only way we have to use the OAM SSO agent?
Please let me know.
I need to integrate it with the 11g webgate. How?

Thanks in advance.

– Narendra
