Step-by-step instructions to configure the Oracle 10g Single Sign-On Server (OSSO) agent for EBS (R12) with Oracle Access Manager (OAM) 11g are detailed in this article. EBS integration with Oracle 10gAS was very popular before Oracle 10gAS SSO went out of support. Many customers are still left with Oracle 10gAS Integration: Oracle Apps SSO OID Registration (10gAS Integration). OAM integration with EBS needs an EBS AccessGate, which is a WebLogic application. Oracle Access Manager(OAM) 11g R1(22.214.171.124) with Oracle E-Business Suite(EBS) R12 describes AccessGate setup and OAM Integration with EBS. In this article, I am going to demonstrate registering an EBS environment with OAM without AccessGate, still using the mod_osso module (which is used in Oracle 10gAS Integration). This is quite useful if you have hundreds of EBS environments to be SSO enabled, since creating a separate AccessGate for each EBS environment needs a lot of server resources and man hours. Here is a quick list of differences between the AccessGate and OSSO Agent configurations.
Step-by-step instructions to install and configure OAM 11g Webgate (126.96.36.199) with Oracle HTTP Server (OHS) 11g (188.8.131.52) are described in this article. OAM 11g Server supports 10g Webgates, 11g Webgates, and OSSO (mod_osso) agents. OAM WebGate 10g(10.1.4.3) Integration with OAM 11g R1 (184.108.40.206.1) Server details 10g Webgate installation and configuration with OAM 11g. The 11g Webgate has a few security enhancements. Here is a quick list of differences between 10g and 11g Webgates.
| Feature | 11g Webgate | 10g Webgate |
|---|---|---|
| Download Page | Oracle Identity Management 11g | Oracle Identity Management 10g (10.1.4.x) |
| Platform | Generic version for all platforms | Platform specific |
| JDK | JDK is required | JDK is NOT required |
| Agent Registrations | Can be performed after Webgate installation | To be performed before Webgate installation |
| OHS Integration | To be performed after installation (manually) | Installer updates OHS configurations |
| Webgate Cookie | OAMAuthnCookie_<host:port>_<random number> | ObSSOCookie |
| OAM Server Cookie | OAM_ID | OAM_ID |
| Webgate Request Cookie | OAM_REQ | OAM_REQ |
Step-by-step instructions to integrate Oracle Access Manager (OAM) 11g with CA Siteminder are explained in this article. Siteminder integration with OAM 10g has been detailed in Integrating OAM 10g with CA Siteminder. OAM 10g supports browser-cookie-based authentication, which looks for a particular cookie and HTTP header in a browser session and considers the session authenticated when the right cookie/header is present. OAM 11g is totally rewritten in Java and is deployed in WebLogic Server. OAM 11g is quite different from the previous OAM 10g (mostly written in C) in terms of functionality and features. There is no direct method to get the OAM 10g Authentication Scheme working in OAM 11g. Here is a potential solution to integrate OAM 11g with CA Siteminder. Please be aware that neither Oracle nor CA has endorsed this solution; these are just my findings. Please be cautious when implementing this, and perform your own complete testing and security review of the solution. I have done all the testing that came to my mind, and it just worked flawlessly. Please check my disclaimer for more on terms.
In this solution, I have installed OHS 11g on a separate server, installed the CA Siteminder Web Agent on it, and protected the root in Siteminder policies. This OHS 11g is configured to front-end OAM WebLogic Server requests, so all of the OAM login URLs are also protected by Siteminder. OAM is configured with a custom login form that is hosted in the same OHS 11g. This custom login form forces the Siteminder login first, then reads SM_USER from the HTTP header, and then POSTs the username to the OAM Authentication Server. The OAM authentication scheme is configured with LDAPNoPasswordAuthModule, which does not require the password but still has to verify the user in the Identity Store, which is OID 11g in this case. This is pretty much the same as the Oracle 10gAS integration with Siteminder. User provisioning from the Siteminder LDAP server to OID can be configured through DIPTool (IplanetImport) as before. Applications are registered with OAM, which redirects users to a custom login form that is protected by Siteminder and that automatically POSTs the username to the OAM Server, which finally validates the user's existence in OID. This auto-submission of the username to the OAM Server is the key to the solution. Upon successful login, the user gets two cookies: one from Siteminder and another from OAM. With these cookies, the user can seamlessly access other Siteminder-protected applications as well as OAM-protected applications.
Step-by-step instructions to create an external OAM Custom Login Form, deploy it in a WebLogic domain, and use it in an OAM Authentication Scheme are described in this article. It is not uncommon to brand the SSO login form to match the company's requirements. The OAM Server needs two user inputs (username and password) and a parameter (request_id) submitted from the OAM Custom Login Form. As long as these requirements are met, this form can be customized to any extent. This has to be a server page (JSP or ASP), not an HTML form. I am going to deploy a JSP file into a WebLogic Server that runs on a separate server. This form can be deployed on the OAM Server itself or externally on some other application server where WebLogic or any J2EE server is installed. I will be calling the login form directly out of WebLogic, without an HTTP server in front of WebLogic.
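As an added illustration (not the author's code), here is a JSP sketch of the auto-submitting login page from the Siteminder integration above, built on the username/password/request_id form contract just described. It fails closed when SM_USER or request_id is missing and encodes everything it echoes. The `/oam/server/auth_cred_submit` path, the user-name allow-list and the empty password field are assumptions to confirm against your OAM release.

```jsp
<%@ page contentType="text/html; charset=UTF-8" session="false" %>
<%!
    // Assumption: login names fit this allow-list; adjust to your OID uid syntax.
    private static final java.util.regex.Pattern SAFE_USER =
        java.util.regex.Pattern.compile("[A-Za-z0-9._@-]{1,64}");
    // Minimal HTML attribute encoder for values echoed into the form.
    private static String esc(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
%>
<%
    // SM_USER is trustworthy only when the Siteminder web agent on the
    // front-end OHS sets it, so this page must not be reachable any other way.
    String smUser = request.getHeader("SM_USER");
    String requestId = request.getParameter("request_id");
    // Fail closed: no Siteminder identity or no OAM request context, no POST.
    if (smUser == null || !SAFE_USER.matcher(smUser).matches()
            || requestId == null || requestId.length() == 0) {
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
    }
    response.setHeader("Cache-Control", "no-store");
%>
<html>
<body onload="document.forms[0].submit()">
  <!-- Assumed OAM 11g credential-submit path, relative to the front-end OHS. -->
  <form method="post" action="/oam/server/auth_cred_submit">
    <input type="hidden" name="username" value="<%= esc(smUser) %>">
    <!-- Sent empty: LDAPNoPasswordAuthModule does not check it. -->
    <input type="hidden" name="password" value="">
    <input type="hidden" name="request_id" value="<%= esc(requestId) %>">
    <noscript><input type="submit" value="Continue"></noscript>
  </form>
</body>
</html>
```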
An Oracle Fusion Middleware upgrade needs the right patch set (PS) applied to the environment. I have come up with a quick list of all the Fusion Middleware patches in this article. Oracle Fusion Middleware Patchsets (Patchset 2 onwards) are cumulative. For example: if you would like to upgrade Oracle HTTP Server 11g Release1 Patchset 3 (220.127.116.11.0) to PS5 18.104.22.168, you do NOT have to apply 22.214.171.124.0 and 126.96.36.199.0; rather, you can directly apply 188.8.131.52.0 on top of 184.108.40.206.0.
Likewise, Oracle Fusion Middleware 11g Release 1 Patchset 5(220.127.116.11.0) can be applied to the following existing Oracle Fusion Middleware installations: 18.104.22.168.0, 22.214.171.124.0, 126.96.36.199.0, or 188.8.131.52.0. If you are currently using Oracle Fusion Middleware 11g Release 1 (184.108.40.206.0), then you must first update your environment to Oracle Fusion Middleware 11g Release 1 (220.127.116.11.0) before applying 11g Release 1 (18.104.22.168.0). Some of the new names are confusing, so here are the names again.
- Oracle Fusion Middleware 11g Release1 Patchset 5 (PS5) = 22.214.171.124.0
- Oracle Fusion Middleware 11g Release1 Patchset 4 (PS4) = 126.96.36.199.0
- Oracle Fusion Middleware 11g Release1 Patchset 3 (PS3) = 188.8.131.52.0
- Oracle Fusion Middleware 11g Release1 Patchset 2 (PS2) = 184.108.40.206.0
- Oracle Fusion Middleware 11g Release1 Patchset 1 (PS1) = 220.127.116.11.0