Here is an attempt to summarise my experience configuring the different components of the Oracle middleware with OAM and WNA, there are many post out there with little parts and also some conflicting Oracle documentation, so hopefully this guide will help.....

Lest start with an enterprise implementation of Oracle middleware, in this case, the environment will consist of the following:

Oracle HTTP Server 11.1.1.6
Oracle WebCenter server (WC Content, WC Portal:Spaces, WC Services) 11.1.1.6
SOA Server 11.1.1.6
OAM Server 11.1.1.6
Oracle DB 11g R2
Oracle SES 11g R2
AD Domain Controler Server
LDAP Server (OID/OVD/AD)

Pre-Configuration

Virtual Hosts Configuration

Mod_wl is used to proxy all request from the client to the different manage servers in the system being webcenter, discussion server, soa servers, obiee, etc.

Virtual Host are used to allow different configurations of OAM for resources as they are needed, this is based on the standard Oracle Webcenter documentation the following virtual host are needed :

Intranet.mydomain.com: this is the main virtualhost for all user request to the system, for example /webcenter will display the spaces application, /search will redirect to the ses servers etc.
Intranetnosso.mydomain.com: this is needed for a couple of webcenter components that do not support SSO configurations including the urls used by SES to crawl webcenter and the edit with word functionality
Intranetpagelet.mydomain.com: (Only for versions 11.1.1.5 and lower)This is needed for the pagelet producer application, it needs a separate VH because there are references to the “/” context that required to point all resources to the same managed servers. (WC_PORTAL)
sso.mydomain.com : This is the Virtual Host used to front the OAM login pages

Some of this is explained in the Oracle documentation for webcenter at http://docs.oracle.com/cd/E15586_01/webcenter.1111/e12405/wcadm_security_sso.htm#autoId56 If you have multiple HTTP servers, a physical LB need to be configured to have a VIP redirecting the request to the 2 HTTP servers, DNS entries are used for all the virtualhosts to point to the same VIP

LDAP Configuration

In this case we will use an OID server as the main Identity Store for the system, this OID needs to be sync with the Active Directory server in order for the WNA authentication to work. This is optional if you are using AD as the identity source ignore this step. There are a couple of things to do if you are using OID:

Create an LDIF file with the following content:

dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
changetype: modify
add: orclallattrstodn
orclallattrstodn: cn=orcladmin
Import the LDIF file into OID. To do this, use the following command:
```
$LDAP_HOME/bin/ldapmodify -D cn=orcladmin -w -h -p -c -v -f
```
You can verify that the changes you made to the LDIF file by using the following command:
```
$LDAP_HOME/bin/ldapsearch -b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" -s base -h -p -w -D "cn=orcladmin" "objectclass=*"
```
You should see orclallattrstodn as an attribute of the dsaconfig entry.
Restart OID

Configure AD for Kerberos

First, we need to setup the AD Domain Controller Server, for this we will create a Service Principal Name (SPN) to be used by OAM to authenticate against it, and create a keytab file.

You will need to link an AD user to the server request, this will be the value of the virtual host used for the OAM login pages “sso. mydomain.com” keep in mind that you should requester this DNS entry as a HOST as Kerberos seems to have issues with ALIASES

Create the user in Microsoft Active Directory for example "oracleauthenticator" password "oracle11g"

Run ktpass to create the service principal name and associate it with this user. For example:

ktpass -princ HTTP/sso. mydomain.com@MYDOMAIN.LOCAL -mapuser oracleauthenticator -pass oracle11g -out C:\temp\sso. mydomain.com.HTTP.keytab

Configure OAM Server for Kerberos

In this case the OAM server is Linux, before we can configure OAM, we need to setup kerberos at the OS level, to do this, edit the /etc/krb5.conf file and add the following entries, ensure to update the value for the server name of the AD controller.

[libdefaults]
default_realm = MYDOMAIN.COM
default_tkt_enctypes = arcfour-hmac-md5
default_tgs_enctypes = arcfour-hmac-md5
permitted-enctypes = arcfour-hmac-md5
dns_lookup_realm=false
dns_lookup_kdc=false
verify_ap_req_nofail=false
[realms]
MYDOMAIN.COM = {
kdc = DOMAINASSERTER.MYDOMAIN.COM
admin_server = DOMAINASSERTER.MYDOMAIN.COM
default_domain = MYDOMAIN.COM
}
[domain_realm]
.Mydomain.com = MYDOMAIN.COM
Mydomain.com = MYDOMAIN.COM

Now we need to get the kerberos token from AD, to do this:

Create a new folder under the of the Access Manager server, for example: "/fmw/user_projects/domains/iam_domain/sso"
Copy the keytab file you created (sso. mydomain.com.HTTP.keytab) to the OAM Server folder

From the Oracle Access Manager Server, run the following command:

kinit -k -t sso.mydomain.com.HTTP.keytab  HTTP/sso.mydomain.com@MYDOMAIN.LOCAL

to verify, run the following command:
```
klist -e
```
Ensure the encryption type match the setting in krb5.conf in the /etc folder.

Install and configure OAM

Install OAM

Please follow oracle documentation to install OAM: http://docs.oracle.com/cd/E21764_01/install.1111/e12002/install.htm#CIHGAEFI

http://docs.oracle.com/cd/E21764_01/install.1111/e12002/oam.htm#CACEBHBB

Setup Default Identity Store Connection

From the System Configuration tab, navigation pane, expand the Data Sources node.

Open the OAM Console and login as weblogic
Under the System Configuration Tab, go to Common Configuration ->Data Sources->User Identity Stores
Select the User Identity Stores node, and then click the Add button in the tool bar.
Enter required values for your LDAP (OID/OVD/AD you only need one as long as the users are sync), ensure you add the appropriate base DNs for users and groups
Default Store: Click the Default Store checkbox to make this the default user
Click Apply to submit the changes and dismiss the confirmation window.
Setup an Authentication Module for this LDAP
Restart the Oracle Access Manager Administration Server and managed servers.

Set Up the Kerberos Authentication Module in Oracle Access Manager

Login to the oamconsole
Go to the System Configuration tab
Expand Access Manager Settings
Expand Authentication Modules-> Kerberos Authentication Module
Double Click Kerberos
Enter the values for the keytab created in the previous steps, For example for dev:

Name Kerberos

Key Tab File /sso/oamssodev.HTTP.keytab

Principal HTTP/sso.mydomain.com@MYDOMAIN.LOCAL

KRB Config File /etc/krb5.conf
Restart the OAM Server

Disable WebLogic BasicAuth

There are some issues where the basic authentication will display twice for the users, to fix this do the following

Login to the OAM server and go to the $DOMAIN_HOME/config
Edit the config.xml file and add the following entries within the <security-configuration> tag

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

Configure Authentication Schemes

KerberosScheme
Configure the Kerberos authentication scheme to use WNA as a challenge method
1. From the Oracle Access Manager Policy Configuration tab, navigation pane, expand the Authentication Schemes node.
2. Double-click KerberosScheme to display the configuration details.
3. Change the Challenge Method to WNA, if needed.
4. Click Apply and close the confirmation window.
5. Close the page.
BasicScheme
1. From the Oracle Access Manager Policy Configuration tab, navigation pane, expand the Authentication Schemes node
2. Double-click BasicScheme to display the configuration details.
3. Change the Challenge Method to the LDAP_OID module created before
4. Click Apply and close the confirmation window.
FormScheme
1. Double-click FormSchemeto display the configuration details.
2. Change the Challenge Method to the LDAP_OID module created before
3. Click Apply and close the confirmation window.

Install and configure WebGate

Install Webgate

Run the Oracle HTTP Server Webgate Installer to install Oracle HTTP Server 11g Webgate for Oracle Access Manager

Oracle reference: http://docs.oracle.com/cd/E21764_01/install.1111/e12002/webgate.htm#CACGIGBB

Configure WebGate Registration Tool

You must complete the following steps after installing Oracle HTTP Server 11 Webgate for Oracle Access Manage

Move to the following directory under your Oracle Home for Webgate:
```
$MW_HOME/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate
```
On the command line, run the following command to copy the required bits of agent from the Webgate_Home directory to the Webgate Instance location, the first parameter is the configuration directory for the OHTTP instance, the second is the directory where you installed WebGate:
```
./deployWebgateInstance.sh -w /u01/oracle/11.1.1.6/fmw/Oracle_WT1/instances/instance1/config/OHS/ohs1/ -oh /u01/oracle/11.1.1.6/fmw/Oracle_OAMWebGate1/
```
Run the following command to ensure that the LD_LIBRARY_PATH variable contains the appropiate libraries (replace the path with your MW_HOME):
```
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/test/oracle/intranet/fmw/Oracle_WT1/lib 
```

Move to the following directory

cd $MW_HOME/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools

Run the following command to copy the apache_webgate.template from the Webgate_Home directory to the Webgate Instance location (renamed to webgate.conf) and update the httpd.conf file to add one line to include the name of webgate.conf:
```
./EditHttpConf -w /u01/oracle/11.1.1.6/fmw/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /u01/oracle/11.1.1.6/fmw/Oracle_OAMWebGate1/ –o /tmp/output.txt 
```

Register WebGate

Run the following from the OAM server

After installing and configuring Oracle Access Manager, navigate to the following location:
```
cd $OAM_ORACLE_HOME/oam/server/rreg/client
```
On the command line, untar the RREG.tar.gz file using gunzip, as in the following example:
```
gunzip RREG.tar.gz
tar -xvf RREG.tar
```
Set the following environment variables in the $OAM_ORACLE_HOME/oam/server/rreg/client/rreg/bin/oamreg.sh script

OAM_REG_HOME - Set this variable to the absolute path to the directory where you extracted the contents of the RREG.tar in the setp before($OAM_ORACLE_HOME/oam/server/rreg/client/rreg)

JDK_HOME - Set this variable to the absolute path to the directory where Java/JDK is installed on your machine.
Create an Agent registration file with all the URLs you need to be protected by OAM, a good starting point can be found at http://docs.oracle.com/cd/E15586_01/webcenter.1111/e12405/wcadm_security_sso.htm#CHDCCHFD
Rename the file for the appropriate environment and update the following entries to reflect the environment

<serveraddress>http://OAM_SERVER:7001</serveraddress>
<hostidentifier>intranet</hostidentifier>
<agentname>Agent_intranet</agentname>
<agentbaseurl>http://intranet.mydomain.com:7777</agentbaseurl>
<applicationdomain<intranet_domain</applicationdomain>
Alternatively, when using 11.1.1.6, each product comes with a pre-build configuration file that you can input when running the script, you can find details of how to do this here http://docs.oracle.com/cd/E25178_01/webcenter.1111/e12405/wcadm_security_sso.htm#BGBHEDHH

After modifying the file, save and close the file. Run the following command on the command line:

./bin/oamreg.sh inband input/Agent_intranet_request.xml
password?(y/n): n                                                                                                                                                                                              Do you want to import an URIs file?(y/n): n

The following files and artifacts are generated in the folder: $ORACLE_HOME/oam/server/rreg/client/rreg/output/Agent_XXX_portal (Agent_XXX is the agent name in the Agent_portal-dev_request.xml) directory:

cwallet.sso
ObAccessClient.xml
After RREG generates the cwallet.sso and ObAccessClient.xml files, you must manually copy them from the OAM server
/oam/server/rreg/client/rreg/output/Agent_intranet directory)
to the Oracle HTTP/Webgate Server directory $OHS_HOME/config/OHS/ohs2/webgate/config.
Restart the Oracle HTTP Server Instance
```
opmnctl restartproc process-type=OHS
```

Update webgate.conf

In the HTTP server go to the $Instance_Home/config/OHS/ohs1/ folder, edit the file webgate.conf
Comment the following entries

#<LocationMatch "/*">
#AuthType Oblix
#require valid-user
#</LocationMatch>
Restart the Oracle HTTP Server Instance
```
opmnctl restartproc process-type=OHS
```

Configure OAM Domain

Configure Authentication Policies

Configure Protected Resource Policy
1. Go to Application Domains> portal > Authentication Policies >Protected Resource Policy
2. Ensure the Authentication Scheme is set to the Kerberos Scheme previously setup
3. Remove all entries starting with /rest.
Configure Public resource Policy
1. Go to Application Domains> portal > Authentication Policies >PublicResource Policy
2. Ensure the Authentication Scheme is set to the AnonymousScheme
Configure WebCenter REST Auth Policy (if you didn't use the OOTB config scripts)
1. Go to Application Domains> portal > Authentication Policies and create a new policy underneath it called “WebCenter REST Auth Policy”. Choose Authentication scheme as BASIC Scheme
2. In the new WebCenter REST Auth Policy created above, add all the /rest entries you removed and click Apply. REST needs to follow the BASIC authentication scheme so that external clients, such as the Outlook plugin and iPhone application, can connect to WebCenter REST and be protected with SSO.
  You should be adding the following entries:
  
  /rest/api/resourceIndex
  /rest/api/spaces
  /rest/api/spaces/.../*
  /rest/api/discussions
  /rest/api/discussions/.../*
  /rest/api/tags
  /rest/api/tags/.../*
  /rest/api/taggeditems
  /rest/api/taggeditems/.../*
  /rest/api/activities
  /rest/api/activities/.../*
  /rest/api/activitygraph
  /rest/api/activitygraph/.../*
  /rest/api/feedback
  /rest/api/feedback/.../*
  /rest/api/people
  /rest/api/people/.../*
  /rest/api/messageBoards
  /rest/api/messageBoards/.../*
  /rest/api/searchresults
  /rest/api/searchresults/.../*
3. Sometimes, the UCM scripts will create their own exclusion scheme called repeat the steps for the resources in that policy too.
Configure Exclusion Scheme
1. Go to Resources tab and search for resources with their Authentication Policy set to Exclusion Scheme. You should see the following resources:
  
  /rsscrawl*
  /rsscrawl/.../*
  /sesUserAuth*
  /sesUserAuth/.../*
  /services-producer/portlets*
  /services-producer/portlets*
  /services-producer/portlets/.../*
  /wsrp-tools/portlets
  /wsrp-tools/portlets/.../*
2. Select the /rsscrawl* resource in the search results and click Edit
3. Change the Protection Level from Protected to Excluded and click Apply. Note that the resource's authentication policy and authorization policy is removed.
4. Close the Resources tab and repeat the steps for the remaining Exclusion Scheme resources.
5. When you now search for resources with their Authentication Policy set to Exclusion Scheme you should see no results

Configure Authorization Policies

Configure Protected Resource Policy
1. Go to Application Domains> portal > Authorization Policies >Protected Resource Policy
2. Click on the Responses Tab
3. Add the following entries:
  
  Name Type Value
  
  HTTP_USER_NAME Header $user.attr.uid
  
  HTTP_USER_GUID Header $user.attr.orclguid
  
  OAM_REMOTE_USER Header $user.attr.uid
Configure Public Resource Policy
Repeat the steps above for the Public Resource Policy

Configure OAM to be accessed via Virtual host

log into the Oracle Access Manager Console at this URL as the weblogic user (http://oamhost1.Mydomain.com:7001/oamconsole)
Click on the System Configuration tab.
Go to Access Manager Settings
Edit the values for load balancing to reflect the Virtual host URL
Modify the following:

Host: sso.mydomain.com (virtual host configured for login pages)
Port:7777
Restart OAM managed server

Configure Portal Agent Logout URL to point to the WebTier VH

Go to system Configuration->Access Manager Settings
Expand SSO Agents and double click on OAM Agents
Search for the Agent_intranet and click on it
Modify the logout redirect URL to point to http://sso.mydomain.com:7777/oam/server/logout

Configure WebLogic Security Providers

The following configurations need to be applied to all WLS domains using the web tier, including; Webcenter/UCM Domain,SOA Domain, OBIEE Domain or any other domain configured to be accessed via OAM.

Log into the Weblogic Server Administration Console
From the Domain Structure pane, click on Security Realms
Click on the realm entry to configure the OAM Identity Asserter
In the settings pane, select the Providers tab, then select the Authentication sub-tab
Click the New button to create a New Authentication Provider, and provide a descriptive name.
Select the OAMIdentityAsseter from the list of provider types, then click OK
On the providers tab, select the newly created authenticator, the common settings pane will be displayed
Ensure that the OAM_REMOTE_USER and ObSSOCookie is set for Active Types
Click Save
Repeat the above steps to add the OID or AD LDAP server
Re-order the providers in the list so that the OAM Identity Asserter provider is the first one on the list

OAMIdentityAsserter (REQUIRED)
OracleInternetDirectoryAuthenticator (SUFFICIENT)
DefaultAuthenticator (SUFFICIENT)
DefaultIdentityAsserter

At the Linux command line, Connect to the WebLogic domain using WLST and run the following command:

. $ORACLE_HOME/common/bin/wlst.sh
wls:/offline> connect('weblogic','oracle11g', 'localhost:7001')
Connecting to t3://localhost:7001 with userid weblogic ...

wls:/webcenter_domain/serverConfig> addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html")
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)

Restart all servers in the domain, including the Admin Server

Post OAM configuration

Webcenter

Update Domain Environment settings
1. Edit the $DOMAIN_HOME/bin/setDomainEnv.sh file
2. Add the setting “-Doracle.webcenter.spaces.osso=true”
3. Edit the following settings to reflect the VH:
  
  EXTRA_JAVA_PROPERTIES="-Doracle.webcenter.spaces.osso=true ${EXTRA_JAVA_PROPERTIES}"
  export EXTRA_JAVA_PROPERTIES
  
  EXTRA_JAVA_PROPERTIES="-Dnon_sso_protocol=http -Dnon_sso_host=spaces.wcpoc1.oakton.com.au -Dnon_sso_port=80 -Dsso_base_url=http://wcpoc1.oakton.com.au ${EXTRA_JAVA_PROPERTIES}"
  export EXTRA_JAVA_PROPERTIES
4. Restart all managed servers and Admin Server
Update Domain Environment settings
Using EM console, Update webcenter services to point to the VH URL, this includes Discussion Service, Worklist Service, Search Service

Discussion Server

Create administrator user
- Log on to the Jive discussions server (http://WC_Collaboration_server_host:WC_Collaboration_server_port/owc_discussions) as user in the LDAP repository (i.e. weblogicadmin)
- Log on to the database where the schemas for the WebCenter components were created connected as the WCS_DISCUSSIONS user
- Insert a new record into the table using the SQL below
  
  INSERT INTO WCS_DISCUSSIONS.JIVEUSERPERM(OBJECTTYPE, OBJECTID, USERID, PERMISSIONTYPE, PERMISSION)SELECT 17, -1, USERID, 1, 59 FROM WCS_DISCUSSIONS.JIVEUSER WHERE USERNAME = ‘weblogicadmin’;
  COMMIT;
Log in to the Oracle WebCenter Discussions Server Admin Console at: http://host:port/owc_discussions/admin
Open the System Properties page and edit (if it already exists) or add the owc_discussions.sso.mode property, setting its value to true.
Edit or add the jiveURL property to point to the appropriate portal base URL of the environment. For example:

jiveURL = intranet.mydomain.com:7777/owc_discussions

Webcenter Content(UCM)

Change HTTP server address
1. Login to the UCM server via an xSession (VNC)
2. Go to the folder $DOMAIN_HOME/ucm/cs/bin
3. Run the SystemProperties applet application
4. Go to the Internet tab and update the HTTP Server Address to the appropriate portal Virtual Host URL intranet.mydomain.com
5. Restart UCM managed servers
SESCrawlerExport (if you have SES)
1. Login to the UCM content server as an administrator (weblogic)
2. Go to Administration/SESCrawlerExport Administration/Configure SESCrawlerExport
3. Ensure the flag for "Disable Secure APIs" is set to true
4. Go back to SESCrawlerExport Administration
5. Take Snapshot

SES

Update QueryPlan
1. To enable OAM SSO authentication, you must configure the following parameters in the QueryPlan.xml file, which is available at $ORACLE_HOME/search/tools/weblogic/deploy/plans/.
  
  <variable>
  <name>sso_enabled</name>
  <value>true</value>
  <description>Whether SSO is enabled: true or false. The default is false. </description>
  </variable>
  
  <variable>
  <name>sso_vendor_name</name>
  <value>oam</value>
  <description>The SSO vendor name. Supported values are osso or oam.</description>
  </variable>
  
  <variable>
  <name>sso_user_guid_header</name>
  <value>HTTP_USER_GUID</value>
  <description>The HTTP header name that the SSO server uses to pass the user GUID to SES. The value in the header should match the value of the users canonical attribute for the active identity plugin.</description>
  </variable>
  
  <variable>
  <name>sso_username_header</name>
  <value>HTTP_USER_NAME</value>
  <description>The HTTP header name that the SSO server uses to pass the search username to SES. The value in the header should match the value of the users authentication attribute for the active identity plugin. Specify REMOTE_USER to use getRemoteUser in the HTTP request to retrieve the username.</description>
  </variable>
  
  <variable>
  <name>sso_public_username</name>
  <value>OblixAnonymous</value>
  <description>Specify the username of the public user if the SSO server is configured to send a public user name in the sso_username_header for unprotected or anonymously protected resources.</description>
  </variable>
  
  <variable>
  <name>sso_logout_return_url</name>
  <value>/oamsso/logout.html?end_url=/search/query/search</value>
  <description>Specify a URL to redirect to after a user logs out.</description>
  </variable>
Redeploy the SES Application
1. Redeploy the query application with the modified deployment plan. To do this, run the following command from $ORACLE_HOME/search/tools/weblogic/deploy/
```
./deployer.sh -serverURL t3://myWlsServer:6666/ -user weblogic -password welcome1 -name search_query -plan $ORACLE_HOME/search/tools/weblogic/deploy/plans/QueryPlan.xml -process redeploy
```
2. Restart SES

OBIEE

Enabling SSO/Oracle Access Manager for Oracle BIEE
1. Login to EM Fusion Middleware Control
2. Click Farm__domain > Business Intelligence > coreapplication
3. Click the Security tab.
4. Click Lock and Edit Configuration
5. Select Enable SSO
6. Select SSO Provider: Oracle Access Manager.
7. Enter the login and logoff details
  
  Login http://sso.mydomain.com:7777/oam/CredCollectServlet/WNA
  
  Logout http://intranet.mydomain.com:7777/oamsso/logout.html?end_url=/analytics
8. Click Apply, and then Activate Changes.
9. Restart the Oracle Business Intelligence components using Fusion Middleware Control.
Update SSO details for BI Publisher
1. Login to OBIEE as an administrator
2. Go to Administration->Manage BIPublisher->Security Configuration
3. Update the Single Sign Off URL as previous step
Enabling SSO/Oracle Access Manager for Oracle BI Search
1. Open the BISearchConfig.properties file for editing. You can find this file at $DOMAIN_HOME/config/fmwconfig/biinstances/coreapplication/
2. Set the value of BIServerSSOUrl to http://intranet.mydomain.com:7777/analytics/saw.dll
3. Save and close the file
Enabling SSO/Oracle Access Manager for Oracle BI for Microsoft Office
1. Go to the Oracle BI EE Office Server directory. For example
  $DOMAIN_HOME/servers/managed_server/tmp/_WL_user/bioffice_11.1.1/cvsibb/war/WEB-INF
2. Edit the file bioffice.xml and set the SawBaseURL tohttp://intranet.mydomain.com:7777/analytics/saw.dll
3. Restart OBIEE

Oracle Middleware by Homer and Cartman

Thursday, August 09, 2012

Configure OAM and WNA with Oracle Middleware (Webcenter/SOA/SES/OBIEE/UCM)