Skip Headers
Oracle® Application Server Enterprise Deployment Guide
10g Release 2 (10.1.2) for Windows or UNIX
B13998-03
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

5 Installing and Configuring Authentication Services

This chapter provides instructions for setting up authentication services. The following options exist for providing authentication services in Enterprise Deployment configurations:

5.1 Option 1: Using Oracle Application Server Single Sign-On

If you are creating a Security Infrastructure for the myPortalCompany configuration shown in Figure 2-2, "Enterprise Deployment Architecture for myPortalCompany.com", or the myBIFCompany configuration shown in Figure 2-3, "Enterprise Deployment Architecture for myBIFCompany.com" you must configure OracleAS Single Sign-On on IDMHOST1 and IDMHOST2. Do not perform the steps in this section if you are configuring myJ2EECompany.

After the Data Tier is complete, follow these steps to install the Identity Management components (IDMHOST1 and IDMHOST2).


Note:

You must configure the Load Balancing Router (login.mycompany.com) shown in Figure 5-17, "Identity Management Tier Configuration"for persistent HTTP sessions.

5.1.1 Installing the First Identity Management Configuration

Follow these steps to install Identity Management on IDMHOST1:

  1. Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Application Server Quick Installation and Upgrade Guide in the the Oracle Application Server platform documentation library for the platform and version you are using.

  2. Copy the staticport.ini file from the Disk1/stage/Response directory to the Oracle home directory.

  3. Edit the staticport.ini file and uncomment these entries:

    Oracle HTTP Server port = 7777
    Oracle HTTP Server Listen port = 7777
    Application Server Control port = 1810
    
    
  4. Start the Oracle Universal Installer as follows:

    On UNIX, issue this command: runInstaller

    On Windows, double-click setup.exe

    The Welcome screen appears.

  5. Click Next.

    On UNIX systems, the Specify Inventory Directory and Credentials screen appears.

  6. Specify the directory you want to be the oraInventory directory and the operating system group that has permission to write to it.

  7. Click Next.

    On UNIX systems, a dialog appears, prompting you to run the oraInstRoot.sh script.

  8. Open a window and run the script, following the prompts in the window.

  9. Return to the Oracle Universal Installer screen and click Next.

    The Specify File Locations screen appears with default locations for:

    • The product files for the installation (Source)

    • The name and path to an Oracle home (Destination)


      Note:

      Ensure that the Oracle home directory path for IDMHOST1 is the same as the path to the Oracle home location of IDMHOST2. For example, if the path to the Oracle home on IDMHOST1 is:

      /u01/app/oracle/product/AS10gSSO

      then the path to the Oracle home on IDMHOST2 must be:

      /u01/app/oracle/product/AS10gSSO


  10. Specify the Destination Name and Path, if different from the default, and click Next.

    The Select a Product to Install screen appears.

    Figure 5-1 Oracle Universal Installer Select a Product to Install Screen

    Description of Figure 5-1  follows
    Description of "Figure 5-1 Oracle Universal Installer Select a Product to Install Screen"

  11. Select OracleAS Infrastructure 10g, as shown in Figure 5-1, and click Next.

    The Select Installation Type screen appears.

    Figure 5-2 Oracle Universal Installer Select Installation Type Screen

    Select Installation Type screen
    Description of "Figure 5-2 Oracle Universal Installer Select Installation Type Screen"

  12. Select Identity Management, as shown in Figure 5-2, and click Next.

    The Confirm Pre-Installation Requirements screen appears.

  13. Ensure that the requirements are met and click Next.

    The Select Configuration Options screen appears.

    Figure 5-3 Oracle Universal Installer Select Configuration Options Screen

    Description of Figure 5-3  follows
    Description of "Figure 5-3 Oracle Universal Installer Select Configuration Options Screen"

  14. Select OracleAS Single Sign-On, Oracle Delegated Administration Services, and High Availability and Replication, as shown in Figure 5-3.

    The Specify Port Configuration Options screen appears.

  15. Select Manual, specify the location of the staticports.ini file, and click Next.

    The Select High Availability Option screen appears.

    Figure 5-4 Oracle Universal Installer Select High Availability Option Screen

    Description of Figure 5-4  follows
    Description of "Figure 5-4 Oracle Universal Installer Select High Availability Option Screen"

  16. Select OracleAS Cluster (Identity Management), as shown in Figure 5-4, and click Next.

    The Create or Join an OracleAS Cluster (Identity Management) screen appears.

    Figure 5-5 Oracle Universal Installer Create or Join an OracleAS Cluster (Identity Management) Screen

    Description of Figure 5-5  follows
    Description of "Figure 5-5 Oracle Universal Installer Create or Join an OracleAS Cluster (Identity Management) Screen"

  17. Select Create a New OracleAS Cluster, as shown in Figure 5-5, and click Next.

    The Specify New OracleAS Cluster Name screen appears.

    Figure 5-6 Oracle Universal Installer Specify New OracleAS Cluster Name Screen

    Description of Figure 5-6  follows
    Description of "Figure 5-6 Oracle Universal Installer Specify New OracleAS Cluster Name Screen"

  18. Complete the New OracleAS Cluster Name field with a name for the cluster, as shown in Figure 5-6, and click Next.


    Note:

    Write down the cluster name. You will need to provide it in subsequent installations of instances that will join the cluster.

    The Specify LDAP Virtual Host and Ports screen appears.

    Figure 5-7 Oracle Universal Installer Specify LDAP Virtual Host and Ports Screen

    Description of Figure 5-7  follows
    Description of "Figure 5-7 Oracle Universal Installer Specify LDAP Virtual Host and Ports Screen"

  19. Enter the name of the Load Balancing Router, the SSL port, and the non-SSL port, as shown in Figure 5-7.

  20. Click Next.

    The Specify OID Login screen appears.

  21. Complete the fields and click Next.

    The Specify HTTP Load Balancer and Listen Ports screen appears.

    Figure 5-8 Oracle Universal Installer Specify HTTP Load Balancer Host and Listen Ports Screen

    Specify HTTP Load Balancer Host and Listen Port screen
    Description of "Figure 5-8 Oracle Universal Installer Specify HTTP Load Balancer Host and Listen Ports Screen"

  22. Enter the listen port of the HTTP Server and the host name and port of the HTTP Load Balancer, enabling the SSL option for the load balancer, as shown in Figure 5-8.

  23. Click Next.

    The Specify Instance Name and ias_admin Password screen appears.

  24. Specify the instance name and password and click Next.

    The Summary screen appears.

  25. Review the selections to ensure that they are correct (if they are not, click Back to modify selections on previous screens), and click Install.

    The Install screen appears with a progress bar. On UNIX systems, a dialog opens prompting you to run the root.sh script.

  26. Open a window and run the script.

    The Configuration Assistants screen appears. Multiple configuration assistants are launched in succession; this process can be lengthy. When it completes, the End of Installation screen appears.

  27. Click Exit, and then confirm your choice to exit.

5.1.2 Testing the Identity Management Components With Oracle Internet Directory

Follow these steps to test the first Identity Management installation with the Oracle Internet Directory:

  1. Stop all components on OIDHOST1, using this command:

    ORACLE_HOME/opmn/bin/opmnctl stopall

  2. Ensure that all components on OIDHOST2 are running:

    ORACLE_HOME/opmn/bin/opmnctl status

  3. Access the following URLs:

    https://login.mycompany.com/pls/orasso

    https://login.mycompany.com/oiddas

5.1.3 Installing the Second Identity Management Configuration

Follow these steps to install Identity Management on IDMHOST2:

  1. Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Application Server Quick Installation and Upgrade Guide in the the Oracle Application Server platform documentation library for the platform and version you are using.

  2. Copy the staticport.ini file from the Disk1/stage/Response directory to the Oracle home directory.

  3. Edit the staticport.ini file and uncomment these entries:

    Oracle HTTP Server port = 7777
    Oracle HTTP Server Listen port = 7777
    Application Server Control port = 1810
    
  4. Start the Oracle Universal Installer as follows:

    On UNIX, issue this command: runInstaller

    On Windows, double-click setup.exe

    The Welcome screen appears.

  5. Click Next.

    On UNIX systems, the Specify Inventory Directory and Credentials screen appears.

  6. Specify the directory you want to be the oraInventory directory and the operating system group that has permission to write to it.

  7. Click Next.

    On UNIX systems, a dialog appears, prompting you to run the oraInstRoot.sh script.

  8. Open a window and run the script, following the prompts in the window.

  9. Return to the Oracle Universal Installer screen and click Next.

    The Specify File Locations screen appears with default locations for:

    • The product files for the installation (Source)

    • The name and path to an Oracle home (Destination)


      Note:

      Ensure that the Oracle home directory path for IDMHOST1 is the same as the path to the Oracle home location of IDMHOST2. For example, if the path to the Oracle home on IDMHOST1 is:

      /u01/app/oracle/product/AS10gSSO

      then the path to the Oracle home on IDMHOST2 must be:

      /u01/app/oracle/product/AS10gSSO


  10. Specify the Destination Name and Path, if different from the default, and click Next.

    The Select a Product to Install screen appears.

    Figure 5-9 Oracle Universal Installer Select a Product to Install Screen

    Description of Figure 5-9  follows
    Description of "Figure 5-9 Oracle Universal Installer Select a Product to Install Screen"

  11. Select OracleAS Infrastructure 10g, as shown in Figure 5-9, and click Next.

    The Select Installation Type screen appears.

    Figure 5-10 Oracle Universal Installer Select Installation Type Screen

    Description of Figure 5-10  follows
    Description of "Figure 5-10 Oracle Universal Installer Select Installation Type Screen"

  12. Select Identity Management as shown in Figure 5-10, and click Next.

    The Confirm Pre-Installation Requirements screen appears.

  13. Ensure that the requirements are met and click Next.

    The Select Configuration Options screen appears.

    Figure 5-11 Oracle Universal Installer Select Configuration Options Screen

    Description of Figure 5-11  follows
    Description of "Figure 5-11 Oracle Universal Installer Select Configuration Options Screen"

  14. Select OracleAS Single Sign-On, Oracle Delegated Administration Services, and High Availability and Replication, as shown in Figure 5-11.

  15. Click Next.

    The Select High Availability Option screen appears.

    Figure 5-12 Oracle Universal Installer Select High Availability Option Screen

    Description of Figure 5-12  follows
    Description of "Figure 5-12 Oracle Universal Installer Select High Availability Option Screen"

  16. Select OracleAS Cluster (Identity Management), as shown in Figure 5-12, and click Next.

    The Create or Join an OracleAS Cluster (Identity Management) screen appears.

    Figure 5-13 Oracle Universal Installer Create or Join an OracleAS Cluster (Identity Management) Screen

    Description of Figure 5-13  follows
    Description of "Figure 5-13 Oracle Universal Installer Create or Join an OracleAS Cluster (Identity Management) Screen"

  17. Select Join an Existing OracleAS Cluster, as shown in Figure 5-5, and click Next.

    The Specify Existing OracleAS Cluster Name screen appears.

    Figure 5-14 Oracle Universal Installer Specify Existing OracleAS Cluster Name Screen

    Description of Figure 5-14  follows
    Description of "Figure 5-14 Oracle Universal Installer Specify Existing OracleAS Cluster Name Screen"

  18. Complete the Existing OracleAS Cluster Name field with the name you provided for the cluster when installing the first instance, as shown in Figure 5-6, and click Next.

    The Specify LDAP Virtual Host and Ports screen appears.

    Figure 5-15 Oracle Universal Installer Specify LDAP Virtual Host and Ports Screen

    Description of Figure 5-15  follows
    Description of "Figure 5-15 Oracle Universal Installer Specify LDAP Virtual Host and Ports Screen"

  19. Enter the name of the Load Balancing Router, the SSL port, and the non-SSL port, as shown in Figure 5-7.

  20. Click Next.

    The Specify OID Login screen appears.

  21. Complete the fields and click Next.

    The Specify HTTP Load Balancer and Listen Ports screen appears.

    Figure 5-16 Oracle Universal Installer Specify HTTP Load Balancer Host and Listen Ports Screen

    Description of Figure 5-16  follows
    Description of "Figure 5-16 Oracle Universal Installer Specify HTTP Load Balancer Host and Listen Ports Screen"

  22. Enter the listen port of the HTTP Server and the host name and port of the HTTP Load Balancer, enabling the SSL option for the load balancer, as shown in Figure 5-16.

  23. Click Next.

    The Specify Instance Name and ias_admin Password screen appears.

  24. Specify the instance name and password and click Next.

    The Summary screen appears.

  25. Review the selections to ensure that they are correct (if they are not, click Back to modify selections on previous screens), and click Install.

    The Install screen appears with a progress bar. On UNIX systems, a dialog opens prompting you to run the root.sh script.

  26. Open a window and run the script.

    The Configuration Assistants screen appears. Multiple configuration assistants are launched in succession; this process can be lengthy. When it completes, the End of Installation screen appears.

  27. Click Exit, and then confirm your choice to exit.

The Identity Management configuration is now as shown in Figure 5-17.

Figure 5-17 Identity Management Tier Configuration

Description of Figure 5-17  follows
Description of "Figure 5-17 Identity Management Tier Configuration"

5.1.4 Testing the Identity Management Tier Components

After both Identity Management configurations are complete, test the configurations as follows:

  1. Stop all components on APPHOST1, using this command:

    ORACLE_HOME/opmn/bin/opmnctl stopall

  2. Ensure that all components on APPHOST2 are running, using this command:

    ORACLE_HOME/opmn/bin/opmnctl status

  3. Access the following URLs from two browsers:

    https://login.mycompany.com/pls/orasso

    https://login.mycompany.com/oiddas

  4. Start all components from APPHOST1, using this command:

    ORACLE_HOME/opmn/bin/opmnctl startall

  5. Stop all components on APPHOST2, using this command:

    ORACLE_HOME/opmn/bin/opmnctl stopall

  6. Ensure that the login session is still valid for the orasso and oiddas logins.

5.2 Option 2: Using the Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider

The Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider (also referred to as JAZN) LDAP-based provider is used for authentication and authorization to the OC4J applications.

In the myJ2EECompany configuration, this provider is used without Oracle Application Server Single Sign-On, because communication to the data tier is prohibited (Oracle Application Server Single Sign-On requires Portal Services access to the database). This section explains how to configure the Oracle Application Server instances on the application tier to use the JAZN LDAP provider.

For instructions on how to use Oracle Enterprise Manager 10g to manage the data in this provider, see Chapter 8 in the Oracle Application Server Containers for J2EE Security Guide.

You will need to follow the steps in this section on both Oracle Application Server instances (APPHOST1 and APPHOST2) that will use the JAZN LDAP provider. Ensure that you specify the same Oracle Internet Directory computer for APPHOST1 and APPHOST2—that is, the load balancing router for OIDHOST1 and OIDHOST2.

Ensure that the middle tier instance is stopped and the Oracle Internet Directory instance is running. Start the Oracle Enterprise Manager 10g Application Server Control Console, if necessary, and perform these steps:

  1. On the Application Server page, click the Infrastructure link.

    The Infrastructure page appears.

  2. In the Identity Management section, click Configure.

    The Configure Identity Management: Internet Directory page appears.

  3. In the Host field, enter the host name of the Load Balancing Router (for example, oid.mycompany.com, inFigure 2-1).

  4. In the Port field, enter 389.

  5. Click Next.

    The Configure Identity Management: Login page appears.

  6. In the User Name field, enter the name of the user (in the IASAdmins group) that can log in to Oracle Internet Directory.

  7. In the Password field, enter the user's password.

  8. Click Next.

    The Configure Identity Management: Validation page appears.

  9. Ensure that the Oracle Internet Directory Host and Oracle Internet Directory Port values are correct.

  10. If the values are correct, click Finish. (If not, click Back, and then click Back again to navigate to the Configure Identity Management: Internet Directory page and correct the Host and Port fields.)

    A message appears notifying you that the configuration was successful.

5.2.1 Adding Administrative Users and Groups to Oracle Internet Directory for the OracleAS JAAS Provider

To use the OracleAS JAAS Provider, you must populate Oracle Internet Directory with certain user entries. The Oracle Application Server Containers for J2EE Security Guide, section titled "Creating Administrative Users and Groups for JAZN/LDAP", provides instructions for loading the entries.