siteminder erp config agent oracle en

CA SiteMinder Connector for Oracle Solutions Architecture, Installation and Configuration Guide For UNIX

Version 1.6 (Rev 1.1) December 2008

eTrust™ SiteMinder Connector for Oracle Solutions Architecture, Installation and Configuration Guide - UNIX

2

CA Inc.

Solution Engineering Team

100 Staples Drive

Framingham, MA 01702

Phone: (508) 628-8000

http://www.ca.com/

© 2006 CA, Inc. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

Netegrity, Inc. is a wholly-owned subsidiary of CA, Inc.

eTrust™ SiteMinder® products and associated documentation are protected by copyright and are distributed under a licensing agreement. CA Inc. has prepared this document for use by CA personnel, licensees, and customers. The information contained herein is protected by copyright. No part of this document may be reproduced, translated, or transmitted in any form or by any means, electronic, mechanical, photocopying, optical magnetic, or otherwise, without prior written permission from CA. CA reserves the right to, without notice, modify or revise all or part of this document and/or change product features or specifications.

This document is provided “AS IS” without warranty of any kind, either express or implied, and is subject to change without notice by CA. CA assumes no responsibility for any errors or omissions contained herein or in any products, documents or material referenced herein. In no event shall CA be liable for any direct, indirect, incidental, punitive or consequential damages of any kind resulting from the contents of this document or any representations made herein.

Questions, Queries & Comments should be emailed to [email protected]

This is not a support mailbox, so support issues should not be directed here.

http://www.ca.com/

mailto:[email protected]


3

Contents

INTRODUCTION .................................................................................................................................................................................... 4

PREREQUISITES ................................................................................................................................................................................... 4

SITEMINDER AND ORACLE AS ARCHITECTURE ............................................................................................................................. 5

SiteMinder Two-Tier Single Sign-On Solution with the Oracle PL/SQL Authentication Package ............. 6 SiteMinder Two-Tier Single Sign-On Solution with the OC4J Security Authentication Interface .............. 7 Single Sign-On and Sign-Off Session Management ................................................................................. 8

SITEMINDER CONNECTOR IMPLEMENTATION WITH THE ORACLE PL/SQL AUTHENTICATION PACKAGE............................ 8

SiteMinder Oracle AS Connector without a Proxy Agent .......................................................................... 9 SiteMinder Oracle AS Connector with a Proxy Agent ............................................................................. 10

SITEMINDER CONNECTOR IMPLEMENTATION WITH THE OC4J SECURITY AUTHENTICATION INTERFACE........................ 11

PRE-INSTALLATION ........................................................................................................................................................................... 12

Install and Configure Oracle AS .............................................................................................................. 12 Install and Configure the SiteMinder Web Agent for the Oracle HTTP Server ....................................... 12 Install and Configure the SiteMinder Policy Server ................................................................................. 12

SOFTWARE INSTALLATION FOR UNIX ............................................................................................................................................ 13

Installation Files ....................................................................................................................................... 13 Install the Oracle AS Connector Software ............................................................................................... 13

INSTALLATION OPTION 1: CONNECTOR WITH THE ORACLE PL/SQL AUTHENTICATION PACKAGE .................................... 14

Install the Oracle AS Connector in the Oracle Database ........................................................................ 14 Install the PL/SQL Package, wwsso_auth_external in the Oracle Single Sign-on Database ................. 18

INSTALLATION OPTION 2: CONNECTOR WITH THE OC4J SECURITY AUTHENTICATION INTERFACE .................................. 21

Install the OC4J Security Authentication Interface .................................................................................. 21

CONFIGURATION FOR UNIX ............................................................................................................................................................. 23

Configure the SiteMinder Policies for the Oracle AS Connector and Proxy Agent ................................. 23 Configure a SiteMinder Agent for the Oracle AS Connector and Proxy Agent ................................... 23 Configure a SiteMinder Agent Group for the Oracle AS Connector and Proxy Agent ........................ 23 Configure a SiteMinder Policy Domain for the Oracle AS Connector and Proxy Agent ...................... 25 Configure a SiteMinder Realm for the Oracle AS Connector and Proxy Agent .................................. 26 Configure a SiteMinder Rule for the Oracle AS Connector and Proxy Agent ..................................... 27 Configure another SiteMinder Realm for the Oracle AS Connector and Proxy Agent ........................ 28 Configure another SiteMinder Rule for the Oracle AS Connector and Proxy Agent ........................... 29 Configure a SiteMinder Response for the Oracle AS Connector and Proxy Agent ............................ 30 Configure a SiteMinder Policy for the Oracle AS Connector and Proxy Agent ................................... 32

Configure the Oracle AS Connector and Proxy Agent ............................................................................ 36 Configure the Oracle HTTP Server for the PL/SQL Authentication Package ......................................... 41

SITEMINDER ORACLE AS CONNECTOR PROXY AGENT STARTUP ............................................................................................ 43


4

POST INSTALLATION ......................................................................................................................................................................... 46

TROUBLESHOOTING ......................................................................................................................................................................... 47

SiteMinder Oracle AS Connector Logging .............................................................................................. 47 SiteMinder Oracle AS Proxy Agent Logging ........................................................................................... 48 SiteMinder Technical Support ................................................................................................................. 48


4

Introduction The Oracle Application Server (Oracle AS) provides security and single sign-on (SSO) for Oracle business applications deployed over the Internet. Unfortunately, it does not easily extend this security and/or single sign-on to other enterprise applications. As a result, many ERP customers have turned to eTrust SiteMinder to provide access control and single sign-on across all their applications in the enterprise, including various ERP solutions. The SiteMinder Oracle Single Sign-On Connector enables SiteMinder to extend single sign-on to the Oracle Application Server and Portal. The purpose of this document is to provide information regarding the architecture, installation, and configuration of the SiteMinder Oracle Single Sign-On Connector. Prerequisites The platform support matrix lists all combinations of supported, Agents for Oracle Application Server, Web Agents, and Operating Systems. Go to http://support.ca.com to view the matrix.

http://support.ca.com/


5

SiteMinder and Oracle AS Architecture The SiteMinder Oracle connector offers a two-tier single sign-on solution for the Oracle AS and Portal environment. The point of sign-on trust is transferred from the Oracle Single Sign-On Server to the SiteMinder policy server. The SiteMinder Oracle AS connector will validate a SiteMinder session on behalf of the Oracle Single Sign-On Server by communicating with the SiteMinder policy server. The SiteMinder policy server then validates the session.

The connector is an agent that communicates with the SiteMinder policy server to validate a SiteMinder session. The agent by means of the policy server will authenticate the session for single sign-on, but does not perform authorization. Oracle AS will authorize the user for the Oracle business applications. Because SiteMinder initially authenticates the user, the connector can validate the user’s session where it was originally generated, at the SiteMinder policy server.

The Oracle Single Sign-On Server is implemented as an Apache module that is part of the Oracle HTTP Server. It can delegate single sign-on authentication to a third party product, like SiteMinder. Delegation can be accomplished in either of the two following ways:

1. By implementing the third party single sign-on PL/SQL package named, wwsso_auth_external. Whenever authentication is required, the Oracle Single Sign-On Server requests the Oracle database to execute the PL/SQL method, authenticate_user that is implemented in the PL/SQL package, wwsso_auth_external.

2. Or by implementing the third party single sign-on OC4J Security Interface named,

IPASAuthInterface . Whenever authentication is required, the Oracle Single Sign-On Server requests the OC4J security container to execute the method, authenticate that is implemented by the IPASAuthInterface.

In Oracle AS 9i and 10G (Release 1, the 9.0.4), delegation is possible in either of the above two ways. But in Oracle AS 10G (Release2, 10.1.2.x) the delegation is possible only through the OC4J Security Interface.


6

SiteMinder Two-Tier Single Sign-On Solution with the Oracle PL/SQL Authentication Package The SiteMinder Oracle AS connector implements a two-tier single sign-on solution. The point of sign-on trust moves away from the Oracle Single Sign-On Server and to the SiteMinder policy server. If the Oracle Authenticate PL/SQL package is implemented and installed in the database, the Oracle Single Sign-On Server will delegate trusting the user’s session to the SiteMinder Oracle AS connector through the implementation of the method, authenticate_user in the PL/SQL Authentication package, wwsso_auth_external. The method, authenticate_user is implemented to invoke the SiteMinder Oracle AS connector to validate the SiteMinder session back at the policy server where it was generated.

The SiteMinder web agent installed on the Oracle HTTP Server sets the SiteMinder session after successful login to SiteMinder. The SiteMinder session is set as an encrypted HTTP cookie and header variables. The Oracle Single Sign-On server will present the header variables that represent the SiteMinder session to the PL/SQL package, and the authenticate_user method will call the SiteMinder Oracle AS connector to validate the SiteMinder session. The connector communicates with the policy server to validate the session. If the session is valid the connector will compare the user id identified by the policy server for the session with the user id presented by the Oracle Single Sign-On Server at single sign-on time. If the user ids are the same, the single sign-on is allowed. If not, the single sign-on is denied. This two-tier single sign-on solution is shown in the diagram below.


7

SiteMinder Two-Tier Single Sign-On Solution with the OC4J Security Authentication Interface If the OC4J Security Authenticate Interface is implemented and installed, the Oracle Single Sign-On Server will delegate trusting the user’s session to the SiteMinder Oracle AS connector through the implementation of the method, authenticate in the OC4J Security Authentication Interface, IPASAuthInterface. The method, authenticate is implemented to invoke the SiteMinder Oracle AS connector to validate the SiteMinder session back at the policy server where it was generated.

The SiteMinder web agent installed on the Oracle HTTP Server sets the SiteMinder session after successful login to SiteMinder. The SiteMinder session is set as an encrypted HTTP cookie and header variables. The Oracle Single Sign-On server will present the all request header variables to the OC4J Security Authentication interface, i.e. the authenticate method. This method is implemented to call the SiteMinder Oracle AS connector to validate the SiteMinder session. The connector communicates with the policy server to validate the session. If the session is valid the connector will compare the user id identified by the policy server for the session with the user id presented by the Oracle Single Sign-On Server at single sign-on time. If the user ids are the same, the single sign-on is allowed. If not, the single sign-on is denied. This two-tier single sign-on solution is shown in the diagram below.


8

Single Sign-On and Sign-Off Session Management Many Internet applications use independent session management schemes. The most common session management scheme is through the use of a cookie, but still the session information is independent and decrypted differently between vendors and Internet applications. For this reason, SiteMinder’s replay prevention and session management logic is sometimes bypassed. One of the main security problems when integrating applications that maintain their own sessions is the possibility SiteMinder and application sessions may not remain synchronized as the user logs in and out of each application. This is especially true when there is more then one ERP application in the environment. Each ERP application will manage its own session independent of the other application’s session management.

The SiteMinder Oracle AS connector includes another software component, the SiteMinder Session Linker. Its purpose is to manage and synchronize independent application sessions with the SiteMinder session. It links the SiteMinder session to all the other application sessions in the environment including the Oracle AS session. Thus when a user logs out of one application, the SiteMinder session is no longer valid and the other application sessions tied to the SiteMinder session are not valid either. The user is logged out of all the applications in the environment tied to the SiteMinder session. The SiteMinder Session Linker is a web server plug-in that monitors the SiteMinder session and Oracle AS session, as well as other ERP application sessions. When the application sessions diverge from the SiteMinder session, the user is challenged to login until a new session with an application is established.

The eTrust SiteMinder Oracle AS connector in conjunction with the SiteMinder Session Linker provides single sign-on and sign-off to Oracle AS. The connector provides single sign-on while the Session Linker provides single sign-off. Refer to the document, Netegrity Professional Services Session Linker Administrator Guide, for more information about the SiteMinder Session Linker. SiteMinder Connector Implementation with the Oracle PL/SQL Authentication Package The SiteMinder Oracle AS connector is a SiteMinder agent that communicates with the policy server to validate a SiteMinder session. The connector can communicate directly with the policy server or communicate with the policy server via a proxy agent.

The connector receives user session validation requests from Oracle PL/SQL package, wwsso_auth_external. Thus, it is implemented as an external shared library. The shared library is coded with the C programming language and uses the SiteMinder Agent API. The PL/SQL will make external function calls to the external shared library. More specifically the method, authenticate_user in the PL/SQL package, wwsso_auth_external will call the function, SmSSOSessionVerify in the shared library to validate a SiteMinder session. To run external routines in a shared library, PL/SQL will alert a listener process that spawns a session specific process named extproc. The listener will hand the connection to the extproc process and PL/SQL will pass the name of the shared library, name of the external routine and parameters to the extproc process. The extproc process loads the library and runs the external routine and passes any return values to PL/SQL. After the external routine completes, the extproc process remains active throughout the PL/SQL session.


9

Each PL/SQL session spawns its own extproc process and to load the shared library and call the external routines in the library. Thus, each user login spawns its own separate process to load the library and validate the session. For this reason, it is recommended that the connector always use the Oracle AS connector proxy agent to communicate with the policy server whenever possible, instead of the connector directly communicating with the policy server to validate the session. When the Oracle AS connector proxy agent is not used, PL/SQL will load the connector for each user login. As a result, each connector acts as an agent that opens a connection to the policy server to make a single user session validation request as opposed to reusing the connections already established to the policy server to make multiple session validation requests of the policy server. Also the agent load balancing to policy servers is not used, since each login request opens its own agent connection to the policy server and makes a single session validation request.

SiteMinder Oracle AS Connector without a Proxy Agent The diagram below shows the SiteMinder Oracle AS Connector without the Oracle AS Proxy Agent.

Notice in the diagram that each Oracle client login will load the Oracle AS connector and it will exist through out the client’s session. This is a result of how PL/SQL calls external routines in an external library. Thus, each connector opens a connection to the policy server to service a user session validation request. The connector will communicate with the policy server over a TCP socket. The connector and policy server may reside on different systems in the internal network, not in the DMZ. In this model, each connector only handles one session validation request. An agent connection is established with the policy server for each session validation request. This is not efficient and very expensive. Agent connections with the policy server are opened and closed for each login request. A great deal of time is spent establishing and closing connections with the policy server. In addition each connector cannot support load balancing between multiple policy servers, since each connector only processes one session validation request. For this reason, it is recommended to always use the Oracle AS connector with the Oracle AS connector proxy agent.


10

SiteMinder Oracle AS Connector with a Proxy Agent The diagram below shows the SiteMinder Oracle AS Connector with the Oracle AS Proxy Agent.

As shown in the diagram, each Oracle client login will still load the Oracle AS connector and it will exist throughout the client’s session, but each connector opens a connection to the Oracle AS Proxy Agent to service user session validation requests. The connector and the proxy agent communicate via a named stream pipe on the same system. Thus the connector and proxy agent must reside on the same system. The proxy agent communicates with the policy server to service user session validation requests on behalf of the connector. The proxy agent opens connections to the policy server and communicates over TCP sockets. These connections remain open and are reused among the connectors. The proxy agent and policy server may reside on different systems in the internal network, not in the DMZ. In this model, the connectors still handle one session validation request, but the agent proxy will handle multiple session validation requests with the policy server on behalf of the connectors. This model does not open an agent connection with the policy server for each session validation request. The session validation requests use connections already established between the proxy agent and the policy server from a pool of connections. This model will support load balancing the user session validation requests between multiple policy servers. If the proxy agent is unavailable to handle session validation requests for the connector, the connector will fail over to communicating directly with the policy server for its user session validation request.


11

SiteMinder Connector Implementation with the OC4J Security Authentication Interface The SiteMinder Oracle AS connector functions in the same way as described with the PL/SQL Authentication package. The difference is that OC4J Security Authentication Interface runs is the Oracle Application Server containers for J2EE applications, as opposed to a PL/SQL package that runs in the database.

The connector can communicate directly with the policy server or communicate with the policy server via a proxy agent. The connector receives user session validation requests from OC4J Security Authentication Interface, IPASAuthInterface. The connector is implemented as an external shared library. The shared library is coded with the C programming language and uses the SiteMinder Agent API. The OC4J Security Authentication Interface implementation will make external function calls to the external shared library. More specifically the method, authenticate in the interface implementation will call the function in the shared library to validate a SiteMinder session. To run external routines in a shared library, the OC4J Security Authentication Interface, IPASAuthInterface runs is the Oracle Application Server containers for J2EE applications will load the library. The Oracle Application Server containers for J2EE applications will load the IPASAuthInterface only once despite the multiple invocations for user logins. Thus the SiteMinder Oracle AS connector library is loaded once, despite multiple user session validation calls. For this reason when the Oracle AS connector is used with the OC4J Security Authentication Interface, it is not necessary for the connector to use the Oracle AS connector proxy agent to communicate with the policy server. The connector can communicate directly with the policy server to validate the session or optionally the connector can use the Oracle AS connector proxy agent. Important Note: On HPUX operating systems, when the Oracle AS connector is used with the OC4J Security Authentication Interface, it is required for the connector to use the Oracle AS connector proxy agent to communicate with the policy server.


12

Pre-Installation The Oracle AS and SiteMinder environments are installed and configured before the SiteMinder Oracle AS connector is installed and configured. This includes installing the SiteMinder Web Agent for the Oracle HTTP Server and the SiteMinder Policy Server, as well as configuring the SiteMinder policies for the Oracle AS environment.

Install and Configure Oracle AS Install and configure Oracle AS in the environment, if it does not already exist.

Install and Configure the SiteMinder Web Agent for the Oracle HTTP Server Install and configure the SiteMinder Apache Web Agent on the Oracle HTTP Server. To install and configure a SiteMinder Web Agent, refer to the following documents, the SiteMinder Web Agent Installation Guide and SiteMinder Web Agent Guide.

Install and Configure the SiteMinder Policy Server

Install the SiteMinder Policy Server in the Environment To install a SiteMinder Policy Server, refer to the document, SiteMinder Policy Server Installation Guide.

Configure the SiteMinder Web Agent for the Oracle HTTP Server

Configure the policy server for the web agent that is installed on the Oracle HTTP Server. This is a SiteMinder Apache Web Agent. To configure a SiteMinder Policy Server for a SiteMinder Apache Web Agent, refer to SiteMinder Policy Design Guide.

Configure the SiteMinder User Directory Configure the policy server for the user directory in the environment. This is an LDAP directory or ODBC database. The Oracle AS environment will most likely use an Oracle Database or Oracle Internet Directory as a user store. To configure a SiteMinder Policy Server, to use the user directory in the chosen environment, refer to SiteMinder Policy Design Guide.

. Configure the SiteMinder Authentication Scheme

Setup an authentication scheme for the environment. This is usually Form Login or Basic Authentication with a username and password. To setup an authentication scheme for a SiteMinder Policy Server, refer to SiteMinder Policy Design Guide

Configure the SiteMinder Policy Domain Setup a policy domain for the Oracle AS environment. To setup a policy domain for a SiteMinder Policy Server, refer to SiteMinder Policy Design Guide.

Configure the SiteMinder Policies for the Policy Domain

Setup the policies for the Oracle AS environment. Generally for the Oracle AS environment a protected realm is setup to protect all the resources in the /pls/orasso directory and rules are created to grant users access to the resources in the directory. Sometimes the rule is set with a wildcard *, to allow users access to all the resources in the realm. Users are only granted access to the resources when the rules and users are added to a SiteMinder policy. To setup the policies for a SiteMinder Policy Server, refer to SiteMinder Policy Design Guide.


13

Software Installation for UNIX The SiteMinder Oracle AS connector is shipped as shared library for UNIX. The SiteMinder Oracle AS Proxy Agent is shipped as an executable for UNIX. The connector and proxy agent require an agent configuration file. A sample configuration is shipped with the installation files. A SiteMinder Oracle AS Connector Test Tool is also provided with the installation.

Installation Files Product Installation File SiteMinder Oracle AS Connector $ORACLE_HOME/siteminder/oracle10g/lib/libsmoracleiasloginlib.so SiteMinder Agent API Library $ORACLE_HOME/siteminder/oracle10g/lib/libsmagentapi.so SiteMinder Oracle AS Proxy Agent $ORACLE_HOME/siteminder/oracle10g/bin/smoraclessoproxy SiteMinder Encryption Tool $ORACLE_HOME/siteminder/oracle10g/bin/NDSEncrypt SiteMinder Oracle AS Test Tool $ORACLE_HOME/siteminder/oracle10g/bin/smoracleiaslogintest CGI Script Echoes Headers $ORACLE_HOME/siteminder/oracle10g/bin/headers Perl Script Echoes Headers $ORACLE_HOME/siteminder/oracle10g/bin/headers-perl Connector Configuration File $ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf Connector Test Script File $ORACLE_HOME/siteminder/oracle10g/conf/test.conf Log Files $ORACLE_HOME/siteminder/oracle10g/logs Documentation Files $ORACLE_HOME/siteminder/oracle10g/docs Connector SQL Install Script $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql Oracle PL/SQL Authentication Package $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.pkb Oracle PL/SQL Authentication Package $ORACLE_HOME/siteminder/oracle10g/plsql/ssotokenneteconnector.pkb OC4J Security Authentication Interface Classes $ORACLE_HOME/siteminder/oracle10g/java/netegrity/security/ssoplugin Note: The installation files are extracted in the ORACLE_HOME directory for Oracle AS. If a different directory is desired, then the Oracle AS user must own the directory and an environment variable named SM_HOME is set for the directory.

Install the Oracle AS Connector Software The installation files are distributed as a tar file. The tar file containing the installation files is extracted as the Oracle AS user under the ORACLE_HOME directory. Use the following UNIX commands to login as the Oracle AS user, change directory to the ORACLE_HOME and extract the installation files.

Login to the Oracle AS system as the Oracle AS user

Change directory to the ORACLE_HOME directory $ cd $ORACLE_HOME

Extract the installation files

$ tar –xvf smoracleiasconnector.tar If desired, the tar file can be extracted in a different directory than the ORACLE_HOME directory The Oracle AS user must own the directory and an environment variable named SM_HOME is defined for the directory. Use the following UNIX commands to install the Oracle AS connector in a directory other than ORACLE_HOME. The Oracle AS user must own the directory.


14


Edit the .profile file

$ vi .profile

Add a line in the .profile file to create an environment variable named SM_HOME for the installation directory

export SM_HOME=<installation directory path> For example: export SM_HOME= /space/oraAS90201/smoraclessoconnector

Logout and Login to the Oracle AS system as the Oracle AS user again, to set the SM_HOME environment variable - Logging out and in again will run the .profile file

Change directory to the SM_HOME directory

$ cd $SM_HOME

Extract the installation files $ tar –xvf smoracleiasconnector.tar

Installation Option 1: Connector with the Oracle PL/SQL Authentication Package (This is deprecated for Oracle 10G Release 2:10.1.2.x version)

This installation option is used for Oracle AS 9i or 10G. The Oracle AS Connector is installed in the database as an external library, in order for the PL/SQL package named, wwsso_auth_external to make external calls to the functions in the library. Use the following steps, to install the Oracle AS Connector in the Oracle Database.

Install the Oracle AS Connector in the Oracle Database


Edit the SQL script $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql Note: If the installation directory is different than the ORACLE_HOME directory, then edit the SQL script in the $SM_HOME directory, i.e. replace $ORACLE_HOME with $SM_HOME

$ vi $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql REM Create or Replace the SiteMinder Oracle IAS Connector Library REM Replace /space/oraAS90201/oraAS with your system's ORACLE_HOME

CREATE OR REPLACE LIBRARY SMORACLEIASSSOLOGIN_C_LIB AS '/space/oraAS90201/oraAS/siteminder/oracle10g/lib/libsmoracleiasloginlib.so'; / REM Create or Replace the SiteMinder Oracle IAS Connector Library Functions


15

CREATE OR REPLACE FUNCTION SmSSOSessionVerify ( lpszSSOuid IN VARCHAR2, lpszSessionId IN VARCHAR2, lpszSessionSpec IN VARCHAR2, nTimeout IN PLS_INTEGER, lpszIniFilename IN VARCHAR2, lpszErrFilename IN VARCHAR2, lpszLogFilename IN VARCHAR2, nLogLevel IN PLS_INTEGER ) return PLS_INTEGER AS EXTERNAL LIBRARY SMORACLEIASSSOLOGIN_C_LIB NAME "SmSSOSessionVerify" LANGUAGE C PARAMETERS ( lpszSSOuid STRING, lpszSessionId STRING, lpszSessionSpec STRING, nTimeout INT, lpszIniFilename STRING, lpszErrFilename STRING, lpszLogFilename STRING, nLogLevel INT, RETURN ); / REM Create or Replace the SiteMinder Oracle IAS Connector Library Functions CREATE OR REPLACE FUNCTION SmSSOSessionTokenVerify ( lpszSSOuid IN VARCHAR2, lpszSessionId IN VARCHAR2, nTimeout IN PLS_INTEGER, lpszIniFilename IN VARCHAR2, lpszErrFilename IN VARCHAR2, lpszLogFilename IN VARCHAR2, nLogLevel IN PLS_INTEGER ) return PLS_INTEGER AS EXTERNAL LIBRARY SMORACLEIASSSOLOGIN_C_LIB NAME "SmSSOSessionTokenVerify" LANGUAGE C PARAMETERS ( lpszSSOuid STRING, lpszSessionId STRING, nTimeout INT, lpszIniFilename STRING, lpszErrFilename STRING, lpszLogFilename STRING, nLogLevel INT, RETURN ); /


16

REM Create or Replace the SiteMinder Oracle IAS Connector Library Functions CREATE OR REPLACE FUNCTION SmSSOTest ( lpszScriptFilename IN VARCHAR2, nThreads IN PLS_INTEGER, nIterations IN PLS_INTEGER, lpszIniFilename IN VARCHAR2, lpszErrFilename IN VARCHAR2, lpszLogFilename IN VARCHAR2, nLogLevel IN PLS_INTEGER ) return PLS_INTEGER AS EXTERNAL LIBRARY SMORACLEIASSSOLOGIN_C_LIB NAME "SmSSOTest" LANGUAGE C PARAMETERS ( lpszScriptFilename STRING, nThreads INT, nIterations INT, lpszIniFilename STRING, lpszErrFilename STRING, lpszLogFilename STRING, nLogLevel INT, RETURN ); / GRANT EXECUTE ON system.SmSSOSessionVerify TO PUBLIC; GRANT EXECUTE ON system.SmSSOSessionTokenVerify TO PUBLIC; GRANT EXECUTE ON system.SmSSOTest TO PUBLIC; CREATE PUBLIC SYNONYM SmSSOSessionVerify FOR system.SmSSOSessionVerify; CREATE PUBLIC SYNONYM SmSSOSessionTokenVerify FOR system.SmSSOSessionTokenVerify; CREATE PUBLIC SYNONYM SmSSOTest FOR system.SmSSOTest; commit;

Edit the following line in the beginning of the SQL Script CREATE OR REPLACE LIBRARY SMORACLEIASSSOLOGIN_C_LIB AS '/space/oraAS90201/oraAS/siteminder/oracle10g/lib/libsmoracleiasloginlib.so '; On the line: AS '/space/oraAS90201/oraAS/siteminder/oracle10g/lib/libsmoracleiasloginlib.so '; Replace /space/oraAS90201/oraAS with your system’s ORACLE_HOME directory Replace /space/oraAS90201/oraAS with your system’s SM_HOME directory, only if you installed the SiteMinder Oracle AS connector in a different directory than ORACLE_HOME To determine your system’s ORACLE_HOME directory, use the UNIX command $ echo $ORACLE_HOME

To determine your system’s SM_HOME directory, use the UNIX command $ echo $SM_HOME For example: $ echo $ORACLE_HOME


17

/opt/oracle/oraAS Change the lines in the file: CREATE OR REPLACE LIBRARY SMORACLEIASSSOLOGIN_C_LIB AS '/space/oraAS90201/oraAS/siteminder/oracle10g/lib/libsmoracleiasloginlib.so '; To CREATE OR REPLACE LIBRARY SMORACLEIASSSOLOGIN_C_LIB AS '/opt/oracle/oraAS/siteminder/lib/oracle10g/libsmoracleiasloginlib.so ';

Save the changes to the SQL script $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql

Login to SQL*PLUS as the Database System Manager

$ sqlplus SQL*Plus: Release 9.0.1.3.0 - Production on Wed Nov 6 12:00:11 2002 (c) Copyright 2001 Oracle Corporation. All rights reserved. Enter user-name: system Enter password: Connected to: Oracle9i Enterprise Edition Release 9.0.1.3.0 - Production With the Partitioning option JServer Release 9.0.1.3.0 - Production

Execute the SQL Script HPUX systems: SQL>Start $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql If you installed the SiteMinder Oracle AS connector in a different directory than ORACLE_HOME, install the library in the database with the command below. SQL>Start $SM_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql

Other UNIX systems: SQL>@$ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql If you installed the SiteMinder Oracle AS connector in a different directory than ORACLE_HOME, install the library in the database with the command below. SQL>@$SM_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql


18

Install the PL/SQL Package, wwsso_auth_external in the Oracle Single Sign-on Database The PL/SQL Package, wwsso_auth_external is installed in the ORASSO database as the ORASSO user. The PL/SQL Package is shown below. Rem ssoxneteconnector.pkb Rem NAME Rem ssoxneteconnector.pkb Rem - Single Sign-On Netegriry SiteMinder Integration Rem Rem DESCRIPTION Rem This package body is used to achieve integration with NetegritySiteMinder. It may be customized as required. Rem This is just a default implementation and changes might be required based on customer's specific deployment scenario. CREATE OR REPLACE PACKAGE BODY wwsso_auth_external AS g_separator CONSTANT VARCHAR2(1000) := '~'; g_sm_sessionid_http CONSTANT VARCHAR2(1000) := 'HTTP_SM_SERVERSESSIONID'; g_sm_sessionspec_http CONSTANT VARCHAR2(1000) := 'HTTP_SM_SERVERSESSIONSPEC'; g_oracle_user_http CONSTANT VARCHAR2(1000) := 'HTTP_ORACLEIAS_USERNAME'; g_inifilename CONSTANT VARCHAR2(4096) := '$ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf'; g_errfilename CONSTANT VARCHAR2(4096) := '$ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasconnector.err'; g_logfilename CONSTANT VARCHAR2(4096) := '$ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasconnector.log'; g_timewait CONSTANT PLS_INTEGER := 60; g_loglevel CONSTANT PLS_INTEGER := 63; FUNCTION authenticate_user (p_user OUT VARCHAR2) return PLS_INTEGER IS l_result PLS_INTEGER := -1; l_uid VARCHAR2(4096) := NULL; l_sessionid VARCHAR2(4096) := NULL; l_sessionspec VARCHAR2(4096) := NULL; l_user wwsec_person.user_name%type := NULL; BEGIN -- Read Header SiteMinder SSO uid and session Header Variables l_uid := OWA_UTIL.GET_CGI_ENV (g_oracle_user_http); l_sessionid := OWA_UTIL.GET_CGI_ENV (g_sm_sessionid_http); l_sessionspec := OWA_UTIL.GET_CGI_ENV (g_sm_sessionspec_http); l_user := l_uid; -- Check SSO user for Glodal Separator IF ((l_user IS NULL) OR (INSTR(l_user, g_separator) != 0)) THEN l_result := -1; ELSE l_result := 0; END IF; IF ((l_result = 0) AND ((l_uid IS NULL) OR (l_sessionid IS NULL) OR (l_sessionspec IS NULL))) THEN l_result := -1; ELSE l_result := 0; END IF;


19

-- Verify the SiteMinder SSO uid and session IF (l_result = 0) THEN l_result := SMSSOSESSIONVERIFY (l_uid,l_sessionid,l_sessionspec,g_timewait,g_inifilename,g_errfilename,g_logfilename,g_loglevel); END IF; -- Set Return SSO user IF (l_result = 0) THEN p_user := NLS_UPPER(l_user); ELSE RAISE EXT_AUTH_FAILURE_EXCEPTION; END IF; RETURN l_result; -- Handle All Errors EXCEPTION WHEN OTHERS THEN RAISE EXT_AUTH_FAILURE_EXCEPTION; END authenticate_user; FUNCTION map_dn_to_uid(p_user_dn IN VARCHAR2) return VARCHAR2 IS BEGIN -- NULL implementation by default raise EXT_AUTH_FAILURE_EXCEPTION; return p_user_dn; END map_dn_to_uid; FUNCTION get_authentication_name RETURN VARCHAR2 AS BEGIN RETURN 'Netegrity SiteMinder'; END get_authentication_name; PROCEDURE set_external_cookies (p_username IN VARCHAR2, p_password IN VARCHAR2, p_cookie_list OUT wwsso_ls_private.cookie_list) AS BEGIN null; END set_external_cookies; END; / show errors;


20

Use the following steps, to install the Oracle AS Connector in the Oracle Database.


Login to SQL*PLUS as the ORASSO user

$ sqlplus SQL*Plus: Release 9.0.1.3.0 - Production on Wed Nov 6 12:00:11 2002 (c) Copyright 2001 Oracle Corporation. All rights reserved. Enter user-name: orasso Enter password: Connected to: Oracle9i Enterprise Edition Release 9.0.1.3.0 - Production With the Partitioning option JServer Release 9.0.1.3.0 - Production

Install the PL/SQL Package HPUX systems: SQL>Start $ORACLE_HOME/siteminder/plsql/ssoxneteconnector.pkb If you installed the SiteMinder Oracle AS connector in a different directory than ORACLE_HOME, install the package in the database with the command below. SQL>Start $SM_HOME/siteminder/plsql/ssoxneteconnector.pkb

Other UNIX systems: SQL>@$ORACLE_HOME/siteminder/plsql/ssoxneteconnector.pkb If you installed the SiteMinder Oracle AS connector in a different directory than ORACLE_HOME, install the package in the database with the command below. SQL>@$SM_HOME/siteminder/plsql/ssoxneteconnector.pkb


21

Installation Option 2: Connector with the OC4J Security Authentication Interface This installation option is used for Oracle AS 10G AS only. Also only install option 1 or install option 2 is used, not both. Installation option 2 is recommended for Oracle 10G AS. Also note that for Oracle 10G AS 10.1.2.x versions Installation option 2 will only work.

Install the OC4J Security Authentication Interface All the OC4J Authentication Security Class file and Property Files in the Connector installation kit are copied to the Oracle AS Single Sign-On plug-in directory. Use the following steps, to install the OC4J Security Authentication Interface class files and property files.


Create the directory structure for the OC4J Security Authentication Interface package name, netegrity.security.ssoplugin under the Oracle AS Single Sign-On plug-in directory, $ORACLE_HOME/sso/plugin

cd $ORACLE_HOME/sso/plugin mkdir -p netegrity/security/ssoplugin

Copy all OC4J Security Authentication Interface Class files in the installation directory to the

Oracle AS SSO Plug-in Directory, $ORACLE_HOME/sso/plugin/netegrity/security/ssoplugin

Copy all the class files in the installation directory, $ORACLE_HOME/siteminder/oracle10g/java/netegrity/security/ssoplugin to the Oracle AS SSO Plug-in directory, $ORACLE_HOME/sso/plugin/netegrity/security/ssoplugin These are the OC4J Security Authentication Interface class files:

NeteHttpRequestStub.class NeteSSOLibrary.class NeteSSOSession.class NeteSSOToken.class NeteTrace.class NeteProperty.class NeteSSOLibraryTest.class NeteSSOSessionTest.class NeteSSOTokenTest.class Stat.class

Copy all OC4J Security Authentication Interface Property files to the Oracle AS SSO Plug-in

Directory, $ORACLE_HOME/sso/plugin/netegrity/security/ssoplugin

Copy all the properties files in the directory, $ORACLE_HOME/siteminder/oracle10g/java/netegrity/security/ssoplugin to the directory, $ORACLE_HOME/sso/plugin/netegrity/security/ssoplugin These are the OC4J Security Authentication Interface property files:

NeteSSOLibraryTest.properties NeteSSOSessionTest.properties NeteSSO.properties NeteSSOTokenTest.properties


22

Edit the Netegrity Single Sign-On properties file, named NeteSSO.properties that was copied

to the Oracle AS SSO Plug-in Directory, $ORACLE_HOME/sso/plugin/netegrity/security/ssoplugin

1. Change directory to the Oracle AS Plug-in directory

cd $ORACLE_HOME/sso/plugin/Netegrity/security/sooplugin

2. Edit the NeteSSO.properties file vi NeteSSO.properties

3. Edit the netesso.inifile entry with the directory path and filename for the connector configuration file. This is the file named, smoracleiasagent.conf installed in the directory $ORACLE_HOME/siteminder/oracle10g/conf

4. Edit the netesso.logfile entry with the directory path and filename for the connector log file.

The log files are written to files in the installation directory $ORACLE_HOME/siteminder/oracle10g/logs

5. Edit the netesso.errfile entry with the directory path and filename for the connector error file.

The error files are written to files in the installation directory $ORACLE_HOME/siteminder/oracle10g/logs

6. Edit the netesso.library entry with the directory path and library name for the connector. This

is the library named, libsmoracleiasloginlib.so installed in the directory $ORACLE_HOME/siteminder/oracle10g/lib

7. Edit the netesso.librarypath entry with the directory path for library name for the connector.

This is the library named, libsmoracleiasoginlib.so installed in the directory path $ORACLE_HOME/siteminder/oracle10g/lib

Edit the OC4J Security Authentication Policies file in the Oracle AS SSO Configuration Directory, $ORACLE_HOME/sso/conf named, policy.properties

1. Change directory to the Oracle AS SSO configuration directory cd $ORACLE_HOME/sso/conf

2. Edit the policy.properties file

vi policy.properties

3. Change the line in the file: MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth To MediumSecurity_AuthPlugin = netegrity.security.ssoplugin.NeteSSOSession

Use the Oracle Enterprise Manager Application, to Stop and Start the OC4J Security


23

Configuration for UNIX

Configure the SiteMinder Policies for the Oracle AS Connector and Proxy Agent Use the SiteMinder Administration GUI to configure an agent, agent group, domain, realm, rules, response and policy for the Oracle AS protected resources. An agent entry for the Oracle AS connector and proxy agent is added to the SiteMinder policies in order to allow the connector and proxy agent to communicate with the policy server. Also an agent group is added to the SiteMinder Polices for the connector, proxy agent and any standard SiteMinder web agents that protect the Oracle AS resources. This agent group is used to protect the Oracle AS resources. Also, s SiteMinder response is created for the Oracle AS user and associated with the protected resources. To configure the agents, agent groups, domains, realms, rules, responses and policies for a SiteMinder Policy Server, refer to SiteMinder Policy Design Guide. Configure a SiteMinder Agent for the Oracle AS Connector and Proxy Agent Perform the following steps, to add an agent entry for the Oracle AS Connector and Proxy Agent in the SiteMinder policies.

Login to the SiteMinder Administration GUI. Select the System tab. Select the Agents from the list in the Systems tab. Select Edit | Create Agent from the menu at the top of the GUI.

Enter a name for the Agent, Name: smoracleiasssoagent Enter a description for the Agent, Description: Oracle Connector and Proxy Agent For a SiteMinder 5.x Policy Server, check the Support 4.x Agents box. Select the Agent Type, SiteMinder Web Agent. Enter the IP Address Name or Host Name for the Oracle AS system. Enter a shared secret for the agent.

Select the OK Button.

An example SiteMinder Agent entry for the connector and proxy agent is shown below.

Configure a SiteMinder Agent Group for the Oracle AS Connector and Proxy Agent


24

Perform the following steps, to add an agent group in the SiteMinder policies for the SiteMinder Oracle AS Connector, Proxy Agent and Standard SiteMinder Web Agents for the Oracle HTTP Server. The Oracle AS resources and any existing protected OracleAS resources will use this agent group.

Login to the SiteMinder Administration GUI. Select the System tab. Select the Agent Groups from the list in the Systems tab. Select Edit | Create Agent Group from the menu at the top of the GUI.

Enter a name for the Agent Group, Name: smoracleiasagentgroup Enter a description for the Agent, Description: Oracle Connector, Proxy & HTTP Server Agent

Select the Agent Type, SiteMinder Web Agent. Select the Add/Remove… Button. Select the agent for the SiteMinder Oracle AS Connector and Proxy Agent, smoracleiasssoagent Select the ← Button, to add the agent to the group. Select the other standard web agents for the Oracle HTTP Server Agent. Select the ← Button, to add the agents to the group Select the OK Button Select the OK Button

The agent group is used with all the Oracle AS protected resources. This means that any SiteMinder realms that protect Oracle AS resources will need to use this agent group. An example SiteMinder Agent Group for the Oracle AS Connector, Proxy Agent and the standard web agents for the Oracle HTTP Server is shown below.


25

Configure a SiteMinder Policy Domain for the Oracle AS Connector and Proxy Agent Perform the following steps to add a policy domain in the SiteMinder policies for the Oracle AS environment, if one does not already exist.

Login to the SiteMinder Administration GUI. Select the System tab. Select the Domains from the list in the Systems tab. Select Edit | Create Domain from the menu at the top of the GUI.

Enter a name for the Domain, Name: Oracle AS Enter a description for the Agent, Description: Oracle AS Domain Select the User Directory for the Domain from the list of user directories. Select the ← Add Button, to add the user directory to the domain.


An example SiteMinder Policy Domain for Oracle AS is shown below.


26

Configure a SiteMinder Realm for the Oracle AS Connector and Proxy Agent Perform the following steps, to add a realm in the SiteMinder policies for the Oracle AS environment.

Login to the SiteMinder Administration GUI. Select the Domains tab. Select the Oracle AS Domain from the Domains list in the Domains tab. Select the plus character next to the Oracle AS Domain to expand its entries. Select the Realms from the entries. Select Edit | Create Realm from the menu at the top of the GUI.

Enter a name for the Realm, Name: Oracle AS Realm

Enter a description for the Realm, Description: Oracle AS Connector, Proxy Agent & Standard

Web Agents Realm Select the Agent: smoracleiasagentgroup Enter a Resource Filter: /pls/orasso

Select the Authentication Scheme. Select the Default Resource Protection: Protected


An example SiteMinder Realm that protects Oracle AS resources and uses the Oracle AS agent group is shown below.


27

Configure a SiteMinder Rule for the Oracle AS Connector and Proxy Agent Perform the following steps, to add a rule in the SiteMinder policies for the Oracle AS Realm. The resource filter entered in the realm combined with the resource entered in the rule is used for the resource entry in the Oracle AS connector and proxy agent configuration file

Login to the SiteMinder Administration GUI. Select the Domains tab. Select the Oracle AS Domain from the Domains list in the Domains tab. Select the plus character next to the OracleAS Domain to expand its entries. Select the plus character next to the Realms to expand its entries. Select the Oracle AS Realm from the entries. Select Edit | Oracle AS Realm | Create Rule under Realm from the menu at the top of the GUI.

Enter a name for the Rule, Name: Oracle AS Resource Access

Enter a description for the Rule, Description: Oracle AS Connector, Proxy Agent & Standard Web

Agents Resource Access

Select the Realm: Oracle AS Realm Enter a Resource: /* Select the Action: Web Agent Actions Select Actions: Get and Post Select When this Rule Fires: Allow Access Select Enable or Disable this Rule: Enabled


An example SiteMinder Rule that controls access to the Oracle AS resources is shown below.


28

Configure another SiteMinder Realm for the Oracle AS Connector and Proxy Agent Perform the following steps, to add a realm in the SiteMinder policies for the Oracle AS environment.

Login to the SiteMinder Administration GUI. Select the Domains tab. Select the Oracle AS Domain from the Domains list in the Domains tab. Select the plus character next to the Oracle AS Domain to expand its entries. Select the Realms from the entries. Select Edit | Create Realm from the menu at the top of the GUI.

Enter a name for the Realm, Name: Oracle SSO Realm

Enter a description for the Realm, Description: Oracle AS Connector, Proxy Agent & Standard

Web Agents Realm Select the Agent: smoracleiasagentgroup Enter a Resource Filter: /sso/

Select the Authentication Scheme. Select the Default Resource Protection: Protected


An example SiteMinder Realm that protects Oracle AS resources and uses the Oracle AS agent group is shown below.


29

Configure another SiteMinder Rule for the Oracle AS Connector and Proxy Agent Perform the following steps, to add a rule in the SiteMinder policies for the Oracle AS Realm. The resource filter entered in the realm combined with the resource entered in the rule is used for the resource entry in the Oracle AS connector and proxy agent configuration file

Login to the SiteMinder Administration GUI. Select the Domains tab. Select the Oracle AS Domain from the Domains list in the Domains tab. Select the plus character next to the OracleAS Domain to expand its entries. Select the plus character next to the Realms to expand its entries. Select the Oracle AS Realm from the entries. Select Edit | Oracle AS Realm | Create Rule under Realm from the menu at the top of the GUI.

Enter a name for the Rule, Name: Oracle SSO Access

Enter a description for the Rule, Description: Oracle AS Connector, Proxy Agent & Standard Web

Agents Resource Access

Select the Realm: Oracle SSO Enter a Resource: /* Select the Action: Web Agent Actions Select Actions: Get and Post Select When this Rule Fires: Allow Access Select Enable or Disable this Rule: Enabled


An example SiteMinder Rule that controls access to the Oracle AS resources is shown below.


30

Configure a SiteMinder Response for the Oracle AS Connector and Proxy Agent A SiteMinder response is necessary for the for the Oracle user id. This response identifies the Oracle user id associated with a SiteMinder session to the Oracle AS connector and proxy agent. Perform the following steps, to add a SiteMinder response for the Oracle user id. Then associate this response with the Oracle AS protected resources. This means that the response is added with the Oracle AS access rules for the Oracle AS Realm in the Oracle AS policy. Alternatively, the response may be associated with only authentication events, instead of authorization events. This means that the response is only received during authentication events, and not during authorization events. To configure the response for authentication events only for a SiteMinder Policy Server, refer to SiteMinder Policy Design Guide.

Login to the SiteMinder Administration GUI. Select the Domains tab. Select the Oracle AS Domain from the Domains list in the Domains tab. Select the plus character next to the Oracle AS Domain to expand its entries. Select the Responses from the entries. Select Edit | Create Response from the menu at the top of the GUI.

Enter a name for the Response, Name: Oracle AS ID Enter a description for the Response, Description: User ID for Oracle AS Users

An example SiteMinder Response is shown below.


31

Select the Create button.

Select the Attribute: WebAgent-HTTP-Header-Variable

Select the Attribute Kind: User Attribute

Enter the Variable Name: oracleias_username

Enter the Attribute Name. This is the LDAP attribute name or database column name for the user id. For example, uid



An example SiteMinder Response for the user id is shown below.


32

Configure a SiteMinder Policy for the Oracle AS Connector and Proxy Agent Perform the following steps, to add a SiteMinder policy for the Oracle AS rules and response that controls access to the Oracle AS resources. Add the all the rules with response to the policy. This means that the response is associated with all Oracle AS resource rules for the Oracle AS realms in the policy. Alternatively, the response may be associated with only authentication events, instead of authorization events. This means that the response is only received during authentication events, and not during authorization events. To configure the response for authentication events only for a SiteMinder Policy Server, refer to SiteMinder Policy Design Guide.

Login to the SiteMinder Administration GUI. Select the Domains tab. Select the Oracle AS Domain from the Domains list in the Domains tab. Select the plus character next to the Oracle AS Domain to expand its entries. Select the Policies from the entries. Select Edit | Create Policy from the menu at the top of the GUI.

Enter a name for the Policy, Name: Oracle AS Policy Enter a description for the Policy, Description: Oracle AS Policy

Select Enabled Select the Users Tab.

An example SiteMinder Policy with the Users Tab selected is shown below.

Select the Add/Remove … button in the Users Tab. Add the users that can access the Oracle AS resources.


33

An example SiteMinder Policy with all users selected is shown below.

Select the OK button. An example SiteMinder Policy that grants all users access is shown below.

Select the Rules Tab.


34

An example SiteMinder Policy with the Rules Tab selected is shown below.

Select the Add/Remove Rules… button. Select the Oracle AS Resource Access rule. Select the ← Button, to add the rule to the policy.

An example SiteMinder Policy with the rule selected is shown below.

Select the OK button.


35

Select the Oracle AS Resource Access rule so that it is highlighted. An example SiteMinder Policy that grants all users’ access to the Oracle AS resources is shown below. Also the rule is selected and highlighted.

Select the Set Response… button. Select the Oracle AS ID response so that it is highlighted.

An example SiteMinder Set Response with the response highlighted is shown below.

Select the OK button. An example SiteMinder Policy with the Rule and Response added is shown below.

Select the OK button.


36

Add all the Oracle AS rules with the response to the policy An example SiteMinder Policy with the more rules and the response added is shown below.

Configure the Oracle AS Connector and Proxy Agent The Oracle AS Connector and Proxy Agent are configured for the SiteMinder environment. Modifying the entries in the agent configuration file will configure the SiteMinder Oracle AS Connector and Proxy Agent for the environment. Both use the same configuration file. Use the following steps, to configure the Oracle AS Connector and Proxy Agent.


Edit the configuration file $ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf Note: If the installation directory is different than the ORACLE_HOME directory, then edit the configuration file in the $SM_HOME directory, i.e. Replace $ORACLE_HOME with $SM_HOME $ vi $ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf <?xml version="1.0" encoding="UTF-8"?> <agent> <defaultagentname value="smoracleiasssoagent"/> <policyserver host="123.123.13.1" accounting="44441" authentication="44442" authorization="44443"/> <enablefailover value="NO"/> <maxsocketsperport value="20"/> <minsocketsperport value="2"/> <newsocketstep value="2"/> <pspollinterval value="30"/> <agentpollinterval value="30" /> <requesttimeout value="60000"/> <loglevel value="63"/> <logfile value="YES"/> <logappend value="NO"/> <logfilename value="$ORACLE_HOME/siteminder/oracle10g/logs/smoracleiasagent.log "/> <resource value="/pls/orasso/orasso.home"/> <action value="get"/> <license value=""/> <sharedsecret value=”[NDSEnc-B]qPJraa+A2x09xej1jOxRLcO0gOM516ob"/> </agent>


37

Edit the defaultagentname entry with the agent name for the connector and proxy agent

The defaultagentname entry specifies the agent name of the connector and proxy agent that is defined in the policy server. It is the same agent name that was entered in the agent properties when the agent entry for the SiteMinder Oracle AS connector and proxy agent was created in the SiteMinder policies. Set the defaultagentname entry with the agent name for your environment.

Edit the policyserver entry with the policy servers in your environment

The policyserver entry specifies one or more policy servers that the connector and proxy agent will use to validate sessions. A hostname can be used for the host attribute, but an IP address is recommended. Set the policyserver entry with the policy servers for your environment. The policyserver entry must contain the following attributes: • Policy Server IP Address • Accounting Service Port Number • Authentication Service Port Number • Authorization Service Port Number Policy Server Definition Accounting port Authorization port | | <policyserver host="123.123.13.1" accounting="44441" authentication="44442" authorization="44443"/>

| | Hostname or IP address Authentication port

To add more than one policy server, place each policy server entry on a separate line. For example:

<policyserver host="123.123.13.1" accounting="44441" authentication="44442" authorization="44443"/> <policyserver host="123.123.13.2" accounting="44441" authentication="44442" authorization="44443"/> <policyserver host="123.123.13.3" accounting="44441" authentication="44442" authorization="44443"/>

Edit the enablefailover entry, if fail over between multiple policy servers is desired

The enablefailover entry determines how the connector and proxy agent communicate with multiple policy servers. It determines whether the proxy agent will communicate with the policy servers in load balance mode or fail over mode. To enable fail over, set the enablefailover entry to YES. To enable load balancing, set the enablefailover entry to NO.

The fail over mode provides high reliability. If a policy server fails and there is another policy server, the request is serviced by the other policy server. In this mode every request is delivered to the first policy server. If the first policy server does not respond, the request is delivered to the next policy server.

The load balance mode provides high reliability and performance. The requests are distributed across multiple policy servers. Thus, the request load is balanced across multiple policy servers.


38

Edit the maxsocketsperport entry, if more or less sockets per policy server are required

The maxsocketsperport entry defines the maximum number of TCP/IP connections the connector and proxy agent use to communicate with each policy server service, accounting, authentication and authorization. By default this value is set to 20, which is sufficient for low and medium traffic.

Edit the minsocketsperport entry, if more or less sockets per policy server are required

The minsocketsperport entry defines number of TCP/IP connections the connector and proxy agent open to each policy server service, accounting, authentication and authorization at startup. By default this value is set to 2.

Edit the newsocketstep entry, if more or less new sockets per policy server are required

The newsocketstep entry specifies the number of TCP/IP connections the connector and proxy agent open to each policy server service, accounting, authentication and authorization when new connections are required. By default this value is set to 2.

Edit the pspollinterval entry, if more or less frequent polling with the policy server is required

The pspollinterval entry determines how often the connector and proxy agent retrieve information about policy changes from the policy server. The polling is set in seconds.

Edit the agentpollinterval entry, if more or less frequent polling for changes in the agent configuration is required

The agentpollinterval entry determines how often the connector and proxy agent poll the agent configuration file for any changes. The polling is set in seconds.

Edit the requesttimeout entry, if a smaller or larger request timeout is required The requesttimeout entry indicates the number of milliseconds that the connector and proxy agent will wait before deciding that a policy server is unavailable.

Edit the logfile entry, if the Oracle AS connector and proxy agent logging are not required

The logfile entry indicates whether or not the connector and proxy agent record messages to a log file. Set the logfile entry to YES, for the connector and proxy agent to record messages to a log file. Set the logfile entry to NO, for the connector and proxy agent to not record messages to a log file.

Edit the logappend entry, if appending to the same log file is required The logappend entry indicates whether or not logging information is added to the existing file or a new file whenever the proxy agent is restarted. Set the logappend entry to YES, if logging information to the log file is added to an existing log file whenever the proxy agent is started. Set the logappend entry to NO, if logging information to added to a new log file every time the proxy agent is started.


39

Edit the logfilename entry, if a different log filename is required

The logfilename entry indicates the name of the log file. The log file is specified with its full directory path and filename.

Edit the loglevel entry, if a different logging level is required

The loglevel entry controls the level of the messages recorded in the connector and proxy agent log files. Each message has a log level associated with it. How the loglevel entry is set controls which messages are recorded on the log files. The table below lists the different log levels with their corresponding indicator in the log file and type of message.

Log Level

Type Of Messages Indicator in the Log File

1 Critical Error Messages F 2 Configuration Error Messages C 4 Error Messages E 8 Warning Messages W 16 Informational Messages I 32 Debug Messages D

The following lines show examples of a log message in the log file with its message indicators included in the message.

[04-Nov-2002:19:21:55-0500][0000000001-I] Process Login Request Success | log level indicates an informational message

[04-Nov-2002:19:21:55-0500][0000000001-E] Process Login Request Failure | log level indicates an error

Edit the resource entry and set it with a protected Oracle AS resource The resource entry identifies a protected Oracle AS resource. Its value is set with a protected Oracle AS resource.

Edit the action entry and set it with the protected HTTP action associated with the protected Oracle AS resource identified by the resource entry

The action entry indicates the protected HTTP action associated with Oracle AS resource identified by the resource entry. Its value is usually GET or POST.


40

Edit the license entry and set it with your SiteMinder Oracle AS Connector license

The license entry identifies the license for SiteMinder Oracle AS license. An example entry is shown below. <license value="[NDSEncC]DbYUjklsoenMua9af3EFkfjjfoG4BlLcJ8tWLnnYTPXxkKYko/Bs+6iszjsKJICrRQoMoQuo0vlRvgw/ LWVKqdVPQqrr7DeOvziWsK0LDqFcOhLjfFWmUybougPlqB6bTtG1np5faAI+pDgh2hEHOOnxLdjsveu79mhdekuHvjZiN4JHN2lSfODcNqw9vaZ4f8ENRl0="/> Set the license entry with your license if you have received it. The license entry is contained on a single line. Make sure there are no carriage returns in the entry. Although the entry may display on more than one line in the editor, make sure there are no carriage returns in the entry. Also make sure the license entry value is enclosed between double quotes. If the license entry is left empty, then by default the license is set with a SiteMinder Oracle AS Connector evaluation license. An evaluation license will only work for two hours. After the two hours expire, the connector will stop working. Stopping and starting the proxy agent will reset the evaluation license. It is also important to note that with an evaluation license the connector must use the proxy agent to service SiteMinder session validation requests and the connector cannot communicate directly with the policy server. Thus when an evaluation license is used, the connector will not fail over to communicate directly with the policy server whenever the proxy agent is unavailable.

Edit the sharedsecret entry and set it with the encrypted shared secret for the agent

The sharedsecret entry identifies the encrypted shared secret for the agent. It is the same shared secret that was entered in the agent properties for the SiteMinder Oracle AS connector and proxy agent when the agent entry was created in the SiteMinder policies. Use the NPSEncrypt tool to encrypt the clear text shared secret and set the sharedsecret entry with the encrypted shared secret returned from the NSPEncrypt tool. The NPSEncrypt tool runs from the command line. It takes one parameter a clear text shared secret and outputs an encrypted shared secret. For example:


Run the NPSEncrypt tool to encrypt a clear text shared secret

The clear text shared secret value is firewall The encrypted shared secret value is [NDSEnc-C]oVEG5j9PR3vRjPB9tavJPlu6AHdw9AuY

Note: If the installation directory is different than the ORACLE_HOME directory, then run the NPSEncrypt tool in the $SM_HOME directory. – Replace $ORACLE_HOME with $SM_HOME

$ORACLE_HOME/siteminder/oracle10g/bin/NPSEncrypt firewall [NPSEncrypt Version 1.1 - NPSEncrypt Revision 1] [NDSEnc-C]oVEG5j9PR3vRjPB9tavJPlu6AHdw9AuY

Set the sharedsecret entry with [NDSEnc-C]oVEG5j9PR3vRjPB9tavJPlu6AHdw9AuY

<sharedsecret value=”[NDSEnc-C]oVEG5j9PR3vRjPB9tavJPlu6AHdw9AuY "/>

Save the changes to the configuration file


41

Configure the Oracle HTTP Server for the PL/SQL Authentication Package The Oracle HTTP Server PL/SQL module configuration file is configured to pass the necessary header variables from the web server to PL/SQL packages. This configuration is only necessary if the Oracle PL/SQL Authentication Package is used with the connector. In other words this configuration is only necessary if the installation option 1: Connector with the Oracle PL/SQL Authentication Package is used. Use the following steps, to configure the Oracle HTTP Server PL/SQL module configuration file to pass the following header variables to PL/SQL packages. HTTP_SM_USER HTTP_SM_SERVERSESSIONID HTTP_SM_SERVERSESSIONSPEC HTTP_ORACLEIAS_USERNAME


Edit the configuration file $ORACLE_HOME/Apache/modplsql/conf/dads.conf

Note: If the installation directory is different than the ORACLE_HOME directory, then edit the PL/SQL module file, dads.conf in the $SM_HOME directory, i.e. replace $ORACLE_HOME with $SM_HOME.

$ vi $ORACLE_HOME/Apache/modplsql/conf/dads.conf

########################################################################### # mod_plsql DAD Configuration File ########################################################################### # Note: This file should typically be included in your plsql.conf file # Depending on the type of install being done, the installer will # automatically configure DADs for components being installed # e.g. Portal # Login Server # After the install is done, you can configure more DAD's through the # OEM Configuration Tool which is typically running on http://host.domain:1810. # Or, you can choose to add DADs manually to this file. Please refer to # dads.README file in this directory to see how some typical DADs are configured # This is a typical Login Server instance DAD <Location /pls/orasso>

SetHandler pls_handler Order deny,allow Allow from All AllowOverride None PlsqlDatabaseUsername orasso PlsqlDatabasePassword !SjI0RXhmRE0= PlsqlDatabaseConnectString nikko.netegrity.com:1521:iasdb1 PlsqlDefaultPage orasso.home PlsqlDocumentTablename orasso.wwdoc_document PlsqlDocumentPath docs PlsqlDocumentProcedure orasso.wwdoc_process.process_download PlsqlAuthenticationMode SingleSignOn PlsqlPathAlias url PlsqlPathAliasProcedure orasso.wwpth_api_alias.process_download PlsqlSessionCookieName orasso PlsqlNLSLanguage AMERICAN_AMERICA.WE8MSWIN1252

</Location>


42

Add the following lines, just above the line </Location> in the dads.conf file PlsqlCGIEnvironmentList HTTP_SM_USER PlsqlCGIEnvironmentList HTTP_SM_SERVERSESSIONID PlsqlCGIEnvironmentList HTTP_SM_SERVERSESSIONSPEC PlsqlCGIEnvironmentList HTTP_ORACLEIAS_USERNAME

For example: ########################################################################### # mod_plsql DAD Configuration File ########################################################################### # Note: This file should typically be included in your plsql.conf file # Depending on the type of install being done, the installer will # automatically configure DADs for components being installed # e.g. Portal # Login Server # After the install is done, you can configure more DAD's through the # OEM Configuration Tool which is typically running on http://host.domain:1810. # Or, you can choose to add DADs manually to this file. Please refer to # dads.README file in this directory to see how some typical DADs are configured # This is a typical Login Server instance DAD <Location /pls/orasso>

SetHandler pls_handler Order deny,allow Allow from All AllowOverride None PlsqlDatabaseUsername orasso PlsqlDatabasePassword !SjI0RXhmRE0= PlsqlDatabaseConnectString nikko.netegrity.com:1521:iasdb1 PlsqlDefaultPage orasso.home PlsqlDocumentTablename orasso.wwdoc_document PlsqlDocumentPath docs PlsqlDocumentProcedure orasso.wwdoc_process.process_download PlsqlAuthenticationMode SingleSignOn PlsqlPathAlias url PlsqlPathAliasProcedure orasso.wwpth_api_alias.process_download PlsqlSessionCookieName orasso PlsqlNLSLanguage AMERICAN_AMERICA.WE8MSWIN1252 PlsqlCGIEnvironmentList HTTP_SM_USER PlsqlCGIEnvironmentList HTTP_SM_SERVERSESSIONID PlsqlCGIEnvironmentList HTTP_SM_SERVERSESSIONSPEC PlsqlCGIEnvironmentList HTTP_ORACLEIAS_USERNAME

</Location>

Save the changes to the configuration file


43

SiteMinder Oracle AS Connector Proxy Agent Startup After the SiteMinder OracleAS Connector and Proxy Agent are installed and configured, the proxy agent is started up and it runs as a daemon process. Use these steps to start the Proxy Agent.


Set the file descriptors to 1024 The proxy agent daemon process will need at least 1024 file descriptors. Use the following UNIX command to set the file descriptors to 1024, before the proxy agent is started. $ ulimit –n 1024

Set the library path with the connector library path

HPUX Systems: $ SHLIB_PATH=$ORACLE_HOME/siteminder/oracle10g/lib:$SHLIB_PATH $ export SHLIB_PATH

Other UNIX Systems: $ LD_LIBRARY_PATH=$ORACLE_HOME/siteminder/oracle10g/lib:$LD_LIBRAY_PATH $ export LD_LIBRARY_PATH

Start the SiteMinder Oracle AS Proxy Agent with this command

Note: If the installation directory is different than the ORACLE_HOME directory, then start the proxy agent in the $SM_HOME directory, i.e. replace $ORACLE_HOME with $SM_HOME. $ $ORACLE_HOME/siteminder/oracle10g/bin/smoraclessoproxy $ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf $ORACLE_HOME/siteminder/oracle10g/logs/smoracleiasagent.err 63 Make sure the command is on a single line.

The first parameter to the startup command, $ORACLE_HOME/siteminder/oracle10g//conf/smoracleiasagent.conf is the connector and proxy agent configuration file.

The second parameter to the startup command, $ORACLE_HOME/siteminder/oracle10g/logs/smoracleiasagent.err is the proxy agent error log file.


44

The third parameter to the startup command, 63 is the connector and proxy agent error log level. The table below lists the different log levels with their corresponding indicator in the log file and type of message.

Log Level Type Of Messages Indicator in the Log File

1 Critical Error Messages F 2 Configuration Error Messages C 4 Error Messages E 8 Warning Messages W

16 Informational Messages I 32 Debug Messages D

The following lines show examples of a log message in the log file with its message indicators included in the message.

[04-Nov-2002:19:21:55-0500][0000000001-I] Process Login Request Success

| log level indicates an informational message

[04-Nov-2002:19:21:55-0500][0000000001-E] Process Login Request Failure | log level indicates an error

Set the log level parameter with the sum of log levels associated with each message type that you choose to record in the log file. For example, if you chose to record critical error messages and informational messages, then set the log level parameter to the sum of 1 and 16. If you choose to record all types of messages in the log file, then set the log level parameter to the sum of all the log levels for all the messages types; 63. The message below is displayed when the SiteMinder Oracle AS Proxy Agent starts up successfully.

Siteminder Oracle iAS Agent Proxy Console File Descriptor Setting: 64 Max File Descriptor Setting: 1024 Siteminder Oracle iAS Agent Proxy Setup Siteminder Oracle iAS Agent Proxy Startup Siteminder Oracle iAS Agent Proxy Launched Make sure the process has enough file descriptors At least 1024 file descriptors are recommended To show the file descriptors for the process: Use the Unix Command, $ ulimit -n To increase file descriptors for the process: Use the Unix Command, $ ulimit -n 1024 After increasing the file descriptors, Stop and Start the Siteminder Oracle iAS Agent Proxy for the file descriptor increase to take effect To Stop the Siteminder Oracle iAS Agent Proxy: Use the Unix Command, $ kill 24535 Never Use the Unix Command, $ kill -9 24535

Check File, $ORACLE_HOME/siteminder/oracle10g/logs/smoracleiasagent.err for status


45

This message is displayed when the Proxy Agent fails to start because it is already running.

File Descriptor Setting: 1024 Max File Descriptor Setting: 1024 Siteminder Oracle iAS Agent Proxy Failed to Start Siteminder Oracle iAS Agent Proxy, Already Running Check Pid File, smoracleiasagent.conf.pid for Process ID Alternatively, to obtain the Process ID, Use the Unix Command, $ ps -ef | grep smoraclessoproxy To Stop the Siteminder Oracle iAS Agent Proxy: Use the Unix Command, $ kill process id Never the Unix Command, $ kill -9 process id


46

Post Installation After the SiteMinder Oracle AS Connector and Proxy Agent (if required) installation and configuration are completed, you will need to install and configure the NPS Session Linker. The NPS Session Linker provides single sign-off. It will link the SiteMinder session with the Oracle AS sessions. Thus when a user logs out of an Oracle AS application, the SiteMinder session is no longer valid. The user is logged out of all the Oracle AS applications and SiteMinder. To install and configure the NPS Session Linker, refer to the document, NPS Session Linker Installation and Administration Guide. For an example, a typical setting of the Response in the SiteMinder Policy Server that is required to configure the Session Linker for Oracle AS is provided below: The response needs to be configured as a SiteMinder Response through the SiteMinder Policy Server Admin GUI. This response is an active expression that should be entered via the Advanced tab of the SiteMinder Response Attribute Editor panel. Two cookie names need to be configured. The first one is “SSO_ID” and should be configured as COOKIE0. The second cookie name will depend on the web server name and port. For example if the web server where the web agent is installed is named as xyz.netegrity.com and the port is 7777, then a cookie will be generated as “OHS-xyz.netegrity.com-7777”. This cookie name should be configured as COOKIE1. The overall setting in the Advanced tab will then look like: <@lib="npssessionlinker" func="Config" param="COOKIE0=SSO_ID;COOKIE1=OHS-xyz.netegrity.com-7777"@> An example SiteMinder Response for the Session Linker is shown below.


47

Troubleshooting

SiteMinder Oracle AS Connector Logging The SiteMinder Oracle AS Connector can log helpful information to two separate files whenever it executes. It logs start up and policy server polling information in an error file whenever the proxy agent is unavailable and the connector communicates directly with the policy server to validate SiteMinder sessions. It also logs session validation processing information to a log file. The information in these files is used to troubleshoot problems. To troubleshoot problems, turn on the connector logging and set the log level to the highest level, 63. For the Oracle PL/SQL Authentication Package

Set the error filename, log filename and log level in the implementation of the PL/SQL package, wwsso_auth_external. Whenever changes are made to the PL/SQL package, it is necessary to install it again in the Oracle Single Sign-on database, i.e. the ORASSO database. To install the PL/SQL package in the database refer to the section, “Install the PL/SQL Package, wwsso_auth_external in the Oracle Single Sign-on Database”.

The PL/SQL package, wwsso_auth_external is implemented by the PL/SQL file named, $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql

View both log files for errors. For the OC4J Security Authentication Interface

Set the error filename, log filename and log level in the properties file named, NeteSSO.properties. This file is in the Oracle AS SSO Plug-in Directory, $ORACLE_HOME/sso/plugin/netegrity/security/ssoplugin

Whenever changes are made to file, the OC4J Security is stopped and started, in order for the changes to occur.

View both log files for errors.


48

SiteMinder Oracle AS Proxy Agent Logging The SiteMinder Oracle AS Proxy Agent can log helpful information to two separate files. It logs start up and polling information to an error file and it will log session validation processing information to a log file. The information in these files is used to troubleshoot problems. To troubleshoot problems, turn on the proxy agent logging and set the log level to the highest level, 63.

Set the error filename and log level parameters in the proxy agent start up command. To start up the proxy agent with the error filename and log level, refer to the section, “SiteMinder Oracle AS Connector Proxy Agent Startup”.

Set the log filename and log level in the connector and proxy agent configuration file. To set the log

filename and log level in the configuration file refer to the section, “Configure the Oracle AS Connector and Proxy Agent”.

The proxy agent configuration file is an XML text file named, $ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf

View both log files for errors.

SiteMinder Technical Support The CA Solution Engineering Team can help troubleshoot problems for this connector. To obtain help from the CA Solution Engineering Team, open a case describing the problem with CA Netegrity Technical Support.

To troubleshoot problems, open a case with the CA Netegrity Technical Support. Use the CA Netegrity Technical Support Site URL, https://support.netegrity.com to open the case or use the CA Netegrity Technical Support phone number to open the case.

Make sure you upload the following files to the case:

SiteMinder Oracle AS connector error and log files

SiteMinder Oracle AS proxy agent error and log files SiteMinder Oracle AS connector and proxy agent configuration file SiteMinder Policy Server authentication and authorization log files. SiteMinder Policy Store export file.

https://support.netegrity.com/

siteminder erp config agent oracle en

Documents