  • OAM integration with WebLogic for different versions

    Posted by "" in "idm, installation, integration, oam, sso, weblogic" on 2010-03-09


    Hi all,

    As you might have observed, the integration between Oracle Access Manager and WebLogic Server varies with the version of Oracle Access Manager, and hence so does its architecture.

    So I would like to give a brief overview of what the architecture looks like and which components are needed for this integration.

    Until OAM 10.1.4.2, the connector used between OAM and WebLogic is the SSPI connector, which is available for download separately. The SSPI connector configuration is not easy to get working: customers end up running into a lot of issues with access privileges, WebLogic startup and so on. However, there is no difference in the components used for this integration in both WebLogic versions except the separate SSPI connector. You need a proxy in front of WebLogic if you want to achieve Single Sign-On, and just an access gate if you want to authenticate to WebLogic as an OAM user. If you are looking for authentication only, you don't need a webgate for proxying. From an architecture perspective, you need a connector (installed explicitly) sitting inside the WebLogic server. The working authentication schemes are Basic and Form.

    Moving to the new version, from OAM 10.1.4.3 onwards the connector has been removed. The integration therefore becomes very easy, and so does the architecture. Here, a jar file called oamAuthnProvider.jar (for OAM 10.1.4.3) has been introduced, which acts as an alternative to the SSPI connector. Internally, it contains classes to talk to WebLogic Server and the OAM access server. This jar file has to be copied to the lib directory of the WebLogic server for which we are attempting the integration. An Identity Asserter has to be created in the WebLogic server, which listens for the ObSSOCookie. The recommended authentication scheme for WLS 10.3.1 is Form Login.

    References:

    Blog by Josh Bregman

    OAM Documentation

    Any comments/suggestions are highly appreciated.

    21 Responses to “OAM integration with WebLogic for different versions”

    1. […] Oracle Access Manager 10.1.4.3 integration with WebLogic Server. Posted in May 13th, 2010 by Mahendra in idm, installation, integration, oam, sso, troubleshooting, weblogic. Until many people have asked me for the integration process and flow of Oracle Access Manager 10.1.4.3 (latest version) with WebLogic Server, it did not strike in my mind to do a write up on this. Anyway better late than never. Before we go into the integration process, check this. […]

    2. bharathi says:

      Hi Mahendra, I have installed OAM 10.1.4.3 using OHS Standalone webserver, and I have WLS 10.3.2. I am trying to integrate OAM with WLS, but I did not find the oamAuthnProvider.jar within OAM 10.1.4.3. Can you please let me know the location of the jar and also the procedure for integration?

    3. Mahendra says:

      Hi Bharathi,

      You will find the jar file with the webgate installable. It will be ofm_oam_webgates_win_10.1.4.3.0_disk1_1of1.zip.
      You can follow the post http://onlineappsdba.com/index.php/2010/05/13/oracle-access-manager-10143-integration-with-weblogic-server/ . This will be comprehensive enough.

      Let me know if you face any issues.

    4. bharathi says:

      Hi Mahendra,

      When I try to run the following command,

      C:\Oracle\Middleware\jdk160_14_R27.6.5-32\bin>java -jar C:\oamAuthnProvider.jar mode=CREATE app_domain=SamplePolicy web_domain=WLS protected_uris="/example/failure.jsp,/example/success.jsp" ldap_host=10.154.18.240 ldap_port=451 ldap_userdn="cn=Directory Manager" ldap_userpassword=password oam_aaa_host=10.154.18.240 oam_aaa_port=6021

      I am getting the error message – “Failed to load Main-Class manifest attribute from C:\oamAuthnProvider.jar”

      Please help in resolving this error. I have my application in the WLS and I have made a reverse proxy for WLS and OHS Standalone WebServer and installed Webgate on this OHS. Please suggest the solution.
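
The error in the comment above is what `java -jar` reports when the jar's META-INF/MANIFEST.MF has no Main-Class attribute, which is normal for a jar meant to be loaded as a library or provider rather than run as a tool. The following is an added example (not part of the original thread and not Oracle's code) that reads a jar's manifest the way the launcher does; both sample jars and the class name com.example.tool.Main are constructed for illustration.

```python
import io
import zipfile


def main_attributes(jar_bytes):
    """Parse the main section of META-INF/MANIFEST.MF into a dict."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return {}
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, name = {}, None
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line == "":
            break                      # a blank line ends the main section
        if line.startswith(" ") and name:
            attrs[name] += line[1:]    # continuation of a wrapped value
        elif ": " in line:
            name, value = line.split(": ", 1)
            name = name.lower()        # attribute names are case-insensitive
            attrs[name] = value
    return attrs


def java_jar_entry_point(jar_bytes):
    """Return the Main-Class that `java -jar` would start, or None."""
    return main_attributes(jar_bytes).get("main-class")


def build_jar(manifest):
    """Build a constructed sample jar (a zip holding only a manifest)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


# Constructed samples: a library-style jar and a tool-style jar whose
# Main-Class value is wrapped onto a continuation line.
LIBRARY_JAR = build_jar("Manifest-Version: 1.0\r\nCreated-By: sample\r\n\r\n")
TOOL_JAR = build_jar(
    "Manifest-Version: 1.0\r\nMain-Class: com.example.tool.\r\n Main\r\n\r\n"
    "Name: per-entry/section\r\nMain-Class: ignored.Here\r\n"
)

if __name__ == "__main__":
    for label, data in (("library", LIBRARY_JAR), ("tool", TOOL_JAR)):
        entry = java_jar_entry_point(data)
        print(label, "->", entry or "no Main-Class: java -jar will refuse it")
```

To check a real file, pass its contents: `java_jar_entry_point(open(path, "rb").read())`.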

    5. Mahendra says:

      Hi Bharathi,

      Can you please tell me what you are trying to achieve?

      Could you please explain the reason for executing the java with those params?

      If you are trying for SSO for apps deployed in WLS 10.3.1 or 10.3.2 using OAM 10.1.4.3, then I would suggest you go through this post: http://onlineappsdba.com/index.php/2010/05/13/oracle-access-manager-10143-integration-with-weblogic-server/

      You will be achieving this using Identity Asserter as explained in the post.
      Also, the current configuration in your environment i.e., OHS as reverse proxy with webgate is correct.

      So, what I guess you need to do is to configure the WLS realm with Identity Asserter and LDAP Authenticator.

      Let me know if you have any issues.

      HTH.

      Mahendra.

    6. Atul Kumar says:

      @ Bharathi,
      It seems you are trying to use automatic method on FMW integration with OAM.

      You can do these steps manually as well; let me know which component (soa, webcenter or idm) you are trying to integrate with OAM and I’ll give you steps.

      Do you have oamAuthnProvider.jar in C drive? If yes, from where did you get this jar file?

    7. cristiano says:

      Hi,
      I have to integrate OAM 10.1.4.3 with WebLogic 10 MP1.

      I have to use SSPI or with auth provider?

    8. mahendra says:

      cristiano,

      I think you have to use SSPI connector.

      Mahendra.

    9. cristiano says:

      The version of Oracle WebLogic is 10 MP1 64-bit, but the OAM certmatrix seems to be compatible only with the 32-bit version of WebLogic. Is it correct?

    10. mahendra says:

      Cristiano,

      I am not sure of this. What I can tell you is that most of the customers use 64 bit and not 32-bit. Hence there might be some tweaking possible to make that work.

      Good Luck.

      -Mahendra.

    11. Vikrant says:

      Hi Mahendra,
      Excellent post. I was looking for this issue for a long time and was not finding anything precise.
      I am trying to integrate OAM 10.1.4 (different machine) with Weblogic 10.3.5 (actually IPM 11.1.1.5).

      I am looking for the list of components to be installed on my weblogic server machine so that it can talk with the OAM server machine. I guess the following are the components:
      1. SSPI connector
      2. Web server – Oracle HTTP server 11g
      3. Webgate 11g in the web server.
      4. Create security provider in Weblogic

      Right?

      Regards,
      Vikrant Korde

    12. Atul Kumar says:

      @ Vikrant,
      With FMW 11g (including IPM), SSPI connector is not required any more. Here are steps

      1. Web server – Oracle HTTP server 11g
      2. Webgate 11g in the web server.
      3. Create identity provider in Weblogic to point to LDAP server
      4. Configure OAM identity asserter in weblogic (on which IPM is hosted)
      5. Protect IPM url and ADF authentication URI in OAM

      You can see OAM integration with OBIEE or WebCenter http://onlineappsdba.com/index.php/2011/12/05/integrate-obiee-11g-with-oam-11g-for-single-sign-on-in-13-steps/ (change URIs to point to IPM)

    13. Mahendra says:

      Vikrant,

      You will get oam identity asserter jar available OOTB so you don’t have to install any SSPI connector here. All you need is to check the certification matrix whether versions are certified for integration.

      -M

    14. Vikrant Korde says:

      Thanks Atul and Mahendra for the response.
      I am still struggling with the integration. Here are the details of my environment

      1. I have Weblogic installed on M1
      2. IPM 11g is also installed in weblogic present in M1
      3. I have installed OHS 11g on M1.
      4. Added the entries in mod_wl_ohs.conf, so now when I type the URL http://M1:7777/imaging/ this shows the page as if I had entered http://M1:16000/imaing. I believe I have configured the reverse proxy properly.
      5. OAM 10g is already installed on another machine M2 and it has been configured with other systems like EBS, etc.
      6. I have configured Host Identifiers, Access gate and policy domain using the console method, as oamcfgtool was not available.
      7. Using the “access tester” link available on machine M2 under Policy domain, I tested the URL, i.e. http://M1:7777/imaing. It picked up the policy properly and says the user is authorized.
      8. I believe policy manager is properly configured.
      9. I have installed Webgate (ofm_oam_webgates_win_10.1.4.3.0_64_disk1_1of1.zip) on machine M1 and added the details which I used for configuring Access manager on M2 (where OAM is installed). It gave me a success message.
      10. Then it modified the httpd.conf file of OHS 11g on the same machine i.e. M1.
      11. Configured OID authenticator in weblogic
      12. Configured OAM identity asserter in weblogic

      Here are the problems.
      1. I cannot see users from OID authenticator in the “users & groups” tab of weblogic.
      2. I cannot see users from OAM in the “users & groups” tab of weblogic.
      3. When I enter http://M1:7777/imaing it is not sending me to the OAM login page. It is sending me to the IPM login page.

      Please help.

    15. Atul Kumar says:

      @ Vikrant Korde,
      Your issue is that you can’t see OID users/groups under weblogic (after weblogic OID integration).

      This could be because of a wrong entry in the OID Authenticator screen, or the weblogic machine is unable to contact the OID server.

      To find the root cause, enable logging in the weblogic admin server like this:

      WebLogic Console -> Expand Environment -> Servers -> on right panel click AdminServer -> select tab Debug -> expand WebLogic -> Security -> select atn & atz and click on button Debug

      Now go to tab users & groups on security realm

      Check Admin Server log file for errors related to OID users/groups

    16. Vikrant Korde says:

      @ Atul

      Yes, I found the reason behind this. I was not giving the correct values in Base DN, All Users Filter & User From Name Filter values.

      I could find out the correct values with the help of LDAP browser production and tried different searches till I got the list of users and groups.

      I am still not able to figure out the mistakes behind the OAM Identity asserter provider.

      Regards,
      Vikrant Korde

    17. bruno says:

      Hi Mahendra,

      I have the following environment:
      Oracle Weblogic Portal 10.3.0
      Oracle Weblogic 10.3.0 & 10.3.6
      I want to use OAM11gR2 to protect the portal & SSO to apps. Which Auth & Identity Asserter should I use?

      Regards,
      Bruno

    18. Mahendra says:

      Bruno,

      You can download the oamAuthnProvider.zip file from OTN for 10g webgates with OAM 11gR2.

      Thereafter you would need to copy oamAuthnProvider.jar to location $BEA_HOME/wlserver_10.x/server/lib/mbeantypes/oamAuthnProvider.jar

      and follow other steps as described in OAM 11gR2 administration guide.

      Hope this helps.

      -Mahendra.

    19. Vijay says:

      Hi Mahendra,

      Is it possible to integrate weblogic 10.3.4 with OAM 10.1.4.2?
      Do I still need the Weblogic SSPI connector to do this?

      thanks
      Vijay

    20. Mahendra says:

      Hi vijay,

      SSPI connector is required because OAM version is 10.1.4.2.

      -Mahendra

    21. Narendra Challa says:

      Hi Mahendra,

      I have a question for you.

      Can we integrate Oracle Forms Application with OAM 11g using 11g webgate?
      Or
      is the only way we have to use the OAM sso agent?
      Please let me know.
      I need to integrate it with 11g webgate. How?

      Thanks in advance.

      – Narendra
